Towards Automated Security Proof for Symmetric Encryption Modes Martin Gagné Joint work with Reihaneh Safavi-Naini, Pascal Lafourcade and Yassine Lakhnech.


1 Towards Automated Security Proof for Symmetric Encryption Modes
Martin Gagné, joint work with Reihaneh Safavi-Naini, Pascal Lafourcade and Yassine Lakhnech
2nd Canada-France Workshop on Foundations & Practice of Security, June 27, 2009

2 Motivation
Crypto protocols are becoming increasingly complicated.
Verification is hard, and the conditions obtained are not always optimal.
Sometimes mistakes get through, e.g. OAEP.

3 Why use Automated Provers
Automated provers provide an alternate method for verifying the correctness of crypto protocols.
Individual rules are easier to prove and verify than whole protocols.
This increases confidence in the correctness of protocols.

4 Methodology
We propose a grammar that can be used to generate cryptographic protocols.
Determine the properties (invariants) that are relevant for proving the security of protocols.
Determine, and prove, rules to propagate invariants for each command in the grammar.

5 Proving Confidentiality
The traditional notion of security of encryption schemes is semantic security (indistinguishability of two chosen ciphertexts).
Our prover does something stronger: it proves that the ciphertexts are indistinguishable from random bits.

6 Block Cipher vs Mode of Operation
Block cipher: family of keyed functions with fixed input and output size

7 Block Cipher vs Mode of Operation
Block cipher mode of operation: algorithm to encrypt arbitrary-length messages using a block cipher

8 Our Grammar
c ::= x U | x :=  (y) | x :=  -1 (y) | x := y z | x := y || z | x := y[n,m] | x := y + 1 | c1 ; c2

9 Invariants
Indis(x; V): x is indistinguishable from random given the values in V
E( , x): the probability that x has been queried to  is negligible
F(x): x is a 'fresh' random value
Rcounter(x): x is the most recent value of a counter that started at a fresh random value

10 Rules
Random Assignment
(R1) {true} x U {F(x)}
Lemma: F(x) implies Indis(x; Var) and E( , x)
Increment
(I1) {F(y)} x := y + 1 {Rcounter(x)} and {E(e, x)} and {Indis(y; Var - x)}
(I2) {Rcounter(y)} x := y + 1 {Rcounter(x)} and {E(e, x)}

11 Rules (continued)
Xor Operator
(X1) {Indis(y; V, y, z)} x := y z {Indis(x; V, x, z)}
(X2) {Indis(y; V, x, z)} x := y z {Indis(y; V, z)}
(X4) {F(y)} x := y z {E( , x)}
Block Cipher
(B1) {E( , y)} x :=  (y) {F(x)}
Generic Preservation
(G1) {Indis(t; V)} c {Indis(t; V)} if t is not in V, c is either x U, x := y || z, x := y z or x :=  (y), and t is not x, y or z

12 Example of Proof CBC encryption mode

13 Example of Proof
Program for CBC (for 3 message blocks):
IV U; z1 := IV m1; c1 :=  (z1); z2 := c1 m2; c2 :=  (z2); z3 := c2 m3; c3 :=  (z3);

14 Example of Proof
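As an added worked example (written for this transcript, not the authors' prover or code), the following Python script encodes the slide rules R1, X1, X2, X4 and B1, the slide-10 lemma and the generic preservation rule G1, runs them over the CBC program of slide 13, and checks that the IV and the three ciphertext blocks end up indistinguishable from random given the message blocks, with only the internal values z1, z2, z3 hidden. Assumptions that go beyond the slides: freshness F(y) is consumed once y is used as an operand (in the spirit of I1, which turns F(y) into Indis(y; Var - x)); G1 is applied with the extra side condition that the newly assigned variable adds nothing to V; the xor rules are applied to either operand since xor is commutative; the increment, concatenation and bit-range commands are left out; and a constructed faulty variant that xors the IV into every block is included to show the proof failing because the second cipher input is not fresh.

```python
"""Invariant-propagation checker for straight-line block-cipher mode programs.
Added example for this transcript, not the authors' prover.  Commands are tuples:
    ('rand', x)        x <-$ U          random block
    ('xor',  x, y, z)  x := y xor z
    ('enc',  x, y)     x := eps(y)      block-cipher call
Invariants are tuples too:
    ('F', x)               x is a fresh random value
    ('E', x)               x has not been queried to the block cipher
    ('Indis', x, hidden)   Indis(x; Var - hidden): x looks random given every
                           program variable except those in `hidden`
"""


def lemma_closure(inv):
    """Slide 10 lemma: F(x) implies Indis(x; Var) and E(eps, x)."""
    out = set(inv)
    for i in inv:
        if i[0] == 'F':
            out.add(('Indis', i[1], frozenset()))
            out.add(('E', i[1]))
    return out


def g1_keeps(cmd, hidden, fresh_output):
    """G1 side condition used here (an assumption tightening the slide): a fact
    Indis(t; Var - hidden) survives a command not mentioning t when the newly
    assigned variable x gives the distinguisher nothing new."""
    kind, x = cmd[0], cmd[1]
    if x in hidden or kind == 'rand':    # x stays hidden, or is fresh randomness
        return True
    if kind == 'enc':                    # unqueried input => fresh, independent output
        return fresh_output
    return all(o not in hidden for o in cmd[2:])   # xor: x computable from V


def step(inv, cmd):
    """Propagate an invariant set through one command."""
    inv = lemma_closure(inv)
    kind, x, operands = cmd[0], cmd[1], cmd[2:]
    fresh_output = kind == 'enc' and ('E', cmd[2]) in inv
    new = set()
    for i in inv:                        # what survives from before the command
        t = i[1]
        if i[0] == 'F':                  # freshness is consumed by use (assumption)
            if t not in operands and g1_keeps(cmd, frozenset(), fresh_output):
                new.add(i)
        elif i[0] == 'E':
            if not (kind == 'enc' and t == cmd[2]):   # t is queried now
                new.add(i)
        else:                            # Indis(t; Var - hidden)
            hidden = i[2]
            if kind == 'xor' and t in operands:       # X2, on either operand
                other = cmd[3] if t == cmd[2] else cmd[2]
                if x not in hidden and other not in hidden:
                    new.add(('Indis', t, hidden | {x}))
            elif t == x or t in operands:
                continue                 # no rule on the slides: drop it
            elif g1_keeps(cmd, hidden, fresh_output):
                new.add(i)
    if kind == 'rand':                   # R1
        new.add(('F', x))
    elif kind == 'enc' and fresh_output: # B1
        new.add(('F', x))
    elif kind == 'xor':
        for a, b in ((cmd[2], cmd[3]), (cmd[3], cmd[2])):
            if ('F', a) in inv:          # X4
                new.add(('E', x))
            for i in inv:                # X1: a random given b => x random given b
                if i[0] == 'Indis' and i[1] == a and not ({a, b} & i[2]):
                    new.add(('Indis', x, (i[2] | {a}) - {x}))
    return lemma_closure(new)


def prove_random_outputs(program, public):
    """Run the rules over `program`; `public` lists what the distinguisher sees
    (message and ciphertext blocks).  Every public variable the program assigns
    must be Indis given all public variables.  Returns (invariants, verdict)."""
    inv = set()
    for cmd in program:
        inv = step(inv, cmd)
    assigned = {cmd[1] for cmd in program}
    variables = {v for cmd in program for v in cmd[1:]}
    may_hide = variables - set(public)
    targets = [v for v in public if v in assigned]
    ok = all(any(i[0] == 'Indis' and i[1] == t and i[2] <= may_hide for i in inv)
             for t in targets)
    return inv, ok


# Slide 13's CBC program for three message blocks.
CBC3 = [('rand', 'IV'),
        ('xor', 'z1', 'IV', 'm1'), ('enc', 'c1', 'z1'),
        ('xor', 'z2', 'c1', 'm2'), ('enc', 'c2', 'z2'),
        ('xor', 'z3', 'c2', 'm3'), ('enc', 'c3', 'z3')]

# Constructed faulty variant: the IV is xored into every block, so the second
# cipher input z2 is not fresh (m2 = m1 would make z2 = z1).
IV_REUSE = [('rand', 'IV'),
            ('xor', 'z1', 'IV', 'm1'), ('enc', 'c1', 'z1'),
            ('xor', 'z2', 'IV', 'm2'), ('enc', 'c2', 'z2')]

if __name__ == '__main__':
    for name, prog, pub in (('CBC', CBC3, ['m1', 'm2', 'm3', 'IV', 'c1', 'c2', 'c3']),
                            ('IV-reuse', IV_REUSE, ['m1', 'm2', 'IV', 'c1', 'c2'])):
        inv, ok = prove_random_outputs(prog, pub)
        print(name, 'outputs indistinguishable from random:', ok)
        for i in sorted(inv, key=str):
            if i[0] == 'Indis':
                print('   Indis(%s; Var - %s)' % (i[1], sorted(i[2])))
```

For CBC the run ends with Indis(IV; Var - z1), Indis(c1; Var - z2), Indis(c2; Var - z3) and Indis(c3; Var): each output is random given everything except one internal cipher input, which is exactly the X2 effect of xoring a fresh block into the next message block. In the faulty variant no E(z2) fact is ever derived, so B1 never yields F(c2), and G1 then also discards the earlier Indis facts because the non-fresh cipher call may repeat an earlier output.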

15 Conclusion and Future Directions
We presented a grammar and logic rules that can be used to prove the security of many symmetric modes of operation (CBC, CFB, OFB, CTR).
We intend to test this grammar and these rules on more complex modes of operation; this may suggest new rules that we have not yet considered.
We may need to modify the grammar to include more operations and cryptographic primitives.
We could try to use our method to prove security properties other than confidentiality of encryption.

16 Questions?
