Presentation is loading. Please wait.

Presentation is loading. Please wait.

Soundness of Formal Encryption in the Presence of Key Cycles

Published bySophie Scholz Modified over 5 years ago

Similar presentations

Presentation on theme: "Soundness of Formal Encryption in the Presence of Key Cycles"— Presentation transcript:

1 Soundness of Formal Encryption in the Presence of Key Cycles
Gergei Bana University of Pennsylvania P. Adão, J. Herzog, A Scedrov

2 Structure of the Talk The Abadi-Rogaway logic and its computational interpretations The problem of key-cycles Standard notions of security and KDM security KDM security as a solution to key-cycles

3 Introduction Cryptographic protocols: two models
Formal or Dolev-Yao model Computational model from complexity theory Much recent work relates the two Build formal-to-computational protocol interpretation Map formal security goals to computational goals Prove soundness or completeness

4 Logic of Formal Encryption
We define a very simple algebra of terms that is a modified version of [AbadiRogaway00]; Expressions represent the messages exchanged during the protocol They might also include some prior knowledge available to the adversary, eg., public keys. Patterns represent how an adversary can look at an expression: If an adversary does not know a certain private key he does not see a message in the same way as an adversary that posesses that key.

5 Logic of Formal Encryption
Expressions are built from simple sets Keys = {K1, K2, K3,...}, Keys-1= {K1 -1, K2 -1, K3 -1,...} and Blocks={0,1}* via paring and encryption; Exp ::= Keys | Keys-1 | Blocks | (Exp,Exp) | {Exp}Keys Formal length. Let  be a function symbol such that: For all blocks B1 and B2, l(B1) = l(B2) iff |B1| = |B2|; For all i and j, l(Ki) = l(Kj) and l(Ki-1) = l(Kj-1); If l(M1) = l(N1), l(M2) = l(N2) then l((M1,M2)) = l((N1,N2)), If l(M) = l(N), then for all Ki, l({M}Ki) = l({N}Ki). ( (K2-1,{01}K3) , ( {({101}K2,K5-1)}K2, {{K6}K4}K5) )

6 Logic of Formal Encryption
Patterns are built from expressions replacing undecryptable terms {M}K by K,l(M) Pat ::= Keys | Keys-1 | Blocks | (Pat,Pat) | {Pat}Keys | Keys,(Keys) ( (K2-1, {01}K3 ) , ( {({101}K2,K5-1)}K2, { {K6}K4 }K5) ) ( (K2-1, K3,(01)) , ( {({101}K2,K5-1)}K2, { K4,(K6) }K5) ) Two expressions M and N are defined to be formally equivalent if pattern(M)=pattern(N)s for some key-renaming function s. We denote this by

7 Computational Model In the computational world messages are represented by bit-strings, strings= {0,1}*, and families of probability distributions over strings; Fix an injective pairing function (length of output depends only on lengths of inputs); Encryption schemes are probabilistic (polynomial-time) algorithms, and encryptions are obtained by running the encryption alghorithm.

8 Computational View Basic components of symmetric encriptions:
Key generation algorithm: K(1), randomly generates a pair of strings (e, d) ( is security parameter) Encryption algorithm: E(e,x), encrypts the plaintext x with the key e, coin-tossing allowed (length of output depends only on the lengths of inputs). Decryption algorithm: D, D(d, E(e,x) )=x

9 Relating the Two Models
Formal expressions are mapped to (interpreted in) the computational model as follows: For each (K,K-1) generate a pair of keys using the key generation algorithm; Each B block is mapped to B; Each pair (M,N) is interpreted as the pair of the interpretations; Each encryption is interpreted by running the encryption algorithm. Example: {({101}K2,K5-1)}K2 translates to the random variable ( E ( e2 ( E ( ( e2, 101 ) , d5 ) The keys e2, d5 are randomly generated, and the two encrypting functions have independent randomness as well.

10 Interpretation and Soundness Property
To each expression M we have assigned an array of probability distributions denoted by [[N]]. Definition (Soundness) We say that the interpretation is sound, if for any two expressions, implies that the interpretations [[M]] and [[N]] are computationally indistinguishable.

11 Known Results Theorem: If the expressions are interpreted in a CPA secure encryption scheme, then for M and N acyclic expressions, implies that [[M]] and [[N]] are indistinguishable. Problem: This result does not apply to self-encrypting keys, and cycles in more general; What do we propose: Possible to solve this problem via a strong enough notion of security that has been around (KDM security); [Laud02] proposed a solution for the problem of key-cycles by strengthening the formal adversary.

12 Known Results AbadiRogaway00, AbadiJurgens01: soundness for indistinguishability properties MicciancioWarinschi02, HorvitzGligor03: completeness for indisitinguishability properties Bana04, AdãoBanaScedrov05: more general soundness, completeness properties Herzog04: soundness for non-malleability properties BackesPfitzmannWaidner03: soundness for general trace-based properties HerzogCanneti04, MicciancioWarinschi04: soundness, completeness for Message Authentication, Key-Exchange Laud02: soundness via strengthening the “formal adversary"

13 Proof Method 1 Semantic Security (IND-CPA) [GoldwasserMicali84]
An Adversary A is given a public key e; A sends to an oracle two messages m1 and m2 of the same length The oracle choses randomly b  {0,1} and sends to A the value E(e,mb); A has to guess which of the plaintexts was encrypted. Interpretation of a box: The ’th ( is security parameter) distribution of the interpretation of K,(M) is the ’th distribution of the interpretation of {0|[[M]]_|}K

14 Proof Method 2 [[( (K2-1,{01}K3) , ( {({101}K2,K5-1)}K2, {{K6}K4}K5) )]]  K3,(01) [[( (K2-1, K3,(01) ) , ( {({101}K2,K5-1)}K2, {{K6}K4}K5) )]]  K4,(K6) [[( (K2-1, K3,(01)) , ( {({101}K2,K5-1)}K2, { K4,(K6) }K5) )]] [[( (K1-1, K6,(K7^-1)) , ( {({101}K2,K5-1)}K2, { K7,,(1)}K5) ) ]]  K7,(1) [[ ( (K1-1, K6,(K7^-1)) , ( {({101}K1,K5-1)}K1, {{1}K7}K5) ) ]]  K6,(K7^-1) [[ ( (K1-1, {K7-1}K6) , ( {({101}K1,K5-1)}K1, {1}K7}K5 ) )]]

15 The problem of key-cycles
K1 encrypts K2-1 K2 encrypts K Kn encrypts K1 -1 Can actually occur in Dolev-Yao model Possible to interpret formal messages with key cycles But soundness results do not hold [[{K1-1}K1]] does not have to be equivalent to [[{K2-1}K3]] Even if the above two are equivalent, [[ ( {K1-1}K2, {K2-1}K1 ) ]] does not have to be equivalent to [[ ( {K1-1}K2, {K3-1}K1 ) ]],

16 Traditional Notions of Security
Semantic Security (IND-CPA) Chosen Ciphertext Security - Lunchtime Security (IND-CCA1) [NaorYung90] An Adversary A is given a public key e; A can send to the oracle polynomially many ciphertexts and obtain the associated plaintexts; A sends to the oracle two messages m1 and m2 of the same length The oracle choses randomly b  {0,1} and sends to A the value E(e,mb); A has to guess which of the plaintexts was encrypted.

17 Traditional Notions of Security
Adaptive Chosen Ciphertext Security (IND-CCA2) [RackoffSimon91] An Adversary A is given a public key e; The oracle choses randomly b  {0,1}. A can send to the oracle polynomially many ciphertexts and obtain the associated plaintexts; A can send to the oracle any pair of messages m1 and m2 of the same length and receive the value E(e,mb); A can send to the oracle polynomially many ciphertexts (but different from E(e,mb)) and obtain the associated plaintexts; A has to guess which of the plaintexts was encrypted.

18 Traditional Notions of Security
Formally, we have where D1=D2=Id in the case of CPA; D1(x)=D(d,x) and D2=Id in the case of CCA1; D1(x)=D(d,x) and D2(x)=D(d,x), as long as x¹E(e,mb), in the case of CCA2.

19 CCA-2 is not Enough We showed that the traditional security definitions are not enough. Theorem: CCA-2 security does not enforce soundness. Corollary: Soundness is not implied by any of the following: NM-CCA-1, IND-CCA-1, NM-CPA, or IND-CPA Theorem: Soundness does not enforce IND-CPA.

20 KDM-Security The notion of key-dependent message security was introduced by Black et al. [BlackRogawayShrimpton02] and in a different form by [CamenischLysyanskaya01]. In [CL01] the authors developed the notion of key-dependent encryption scheme and use it in a credential revocation scheme. This scheme is realised in the RO-model. KDM security is defined through the following game:

21 KDM Security Key Dependent Message Security [BRS02]
An Adversary A is given a vector of public keys e. The corresponding vector of private keys d is kept private; A creates a (plaintext construction) function f (that might depend on e) and asks the oracle to encrypt f(d) with ei; The oracle encrypts either f(d) with ei (oracle Reald), or 0|f(d)| with ei (oracle Faked); A has to guess which happened.

22 KDM Security An encryption scheme is KDM-secure if:
Theorem: KDM-security does not imply NM-CPA security, and neither IND-CCA-1, or IND-CCA-2 security. It does imply IND-CPA.

23 Soundness for Key-Cycles
Theorem: If the expressions are interpreted in a KDM-secure system, then M, N expressions implies that [[M]] and [[N]] are indistinguishable. Corollary: CCA-2 security does not imply KDM-security.

24 Proof Method [[( (K2-1,{01}K3) , ( {({101}K2,K5-1)}K2, {{K6}K4}K5) )]]
[[( (K1-1, K6,(K7^-1)) , ( {({101}K2,K5-1)}K2, { K7,,(1)}K5) ) ]]  K6,(K1) K7,(1) [[ ( (K1-1, {K7-1}K6) , ( {({101}K1,K5-1)}K1, {1}K7}K5 ) )]]

25 Conclusions Inspite of the differences, and origins, of the two models, several properties can be carried over from one to the other; KDM-security is orthogonal to the previous security notions; We have soundness even in the presence of key-cycles.

26 Relations among Different Notions
Plaintext-Awareness RCCA-2 NM-CCA-2 , IND-CCA-2 Soundness NM-CCA-1 IND-CCA-1 NM-CPA IND-CPA KDM

Download ppt "Soundness of Formal Encryption in the Presence of Key Cycles"

Similar presentations

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.

Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.
Soundness And Completeness of Formal Logics of Symmetric Encryption ** Andre Scedrov ** University of Pennsylvania **Gergei Bana ** University of Pennsylvania.

Soundness And Completeness of Formal Logics of Symmetric Encryption ** Andre Scedrov ** University of Pennsylvania **Gergei Bana ** University of Pennsylvania.
Computational and Information- Theoretic Soundness and Completeness of the Expanded Logics of Formal Encryption ** Andre Scedrov ** University of Pennsylvania.

Computational and Information- Theoretic Soundness and Completeness of the Expanded Logics of Formal Encryption ** Andre Scedrov ** University of Pennsylvania.
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Message Equivalence and Imperfect Cryptography in a Formal Model Angelo Troina 1, Alessandro Aldini 2 and Roberto Gorrieri 3 1 Dipartimento di Informatica,

Message Equivalence and Imperfect Cryptography in a Formal Model Angelo Troina 1, Alessandro Aldini 2 and Roberto Gorrieri 3 1 Dipartimento di Informatica,
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.

On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Universally Composable Symbolic Analysis of Security Protocols Jonathan Herzog (Joint work with Ran Canetti) 7 June 2004 The author's affiliation with.

Universally Composable Symbolic Analysis of Security Protocols Jonathan Herzog (Joint work with Ran Canetti) 7 June 2004 The author's affiliation with.
Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.

Cramer-Shoup is Plaintext Aware in the Standard Model Alexander W. Dent Information Security Group Royal Holloway, University of London.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.

Similar presentations

Ads by Google