Soundness And Completeness of Formal Logics of Symmetric Encryption

Andre Scedrov **, University of Pennsylvania
Gergei Bana **, University of Pennsylvania
Pedro Adão *, Center for Logic and Computation, Instituto Superior Técnico, Lisbon

* Partially supported by FCT
** Partially supported by ONR CIP/SW URI


The Problem

• Relationship between two different approaches to cryptography/security: formal and computational

• Formal approach
    • uses simple, manageable formal language to describe cryptographic protocols
    • amenable to automatization, computer tools
    • its accuracy is unclear

• Computational approach
    • harder to handle mathematically
    • proofs by hand
    • seems more accurate, hence widely accepted

Bridging the Gap

• Much effort has gone into bridging the gap between the two views
    • Martin Abadi and Philip Rogaway 2000
    • Daniele Micciancio and Bogdan Warinschi 2002
    • Several others (Jonathan etc.)

Abadi-Rogaway Approach

• Very simple formal language along with its interpretation by means of probabilistic ensembles in a computational cryptographic setting.

• Two notions of equivalence: one for the formal (via replacing undecryptable expressions with boxes), one for the computational setting (computational indistinguishability). Then, it makes sense to try to prove:
    • Soundness: if two formal expressions are equivalent, then their computational interpretations are equivalent,
    • Completeness: vice versa.

Previous Work

• Abadi and Rogaway 2000: soundness when
    • a single for all undecryptable ciphers
    • acyclicity

• Their cryptosystems were “type-0”, i.e.,
    • conceal repetition of plaintext
    • conceal repetition of keys
    • conceal length of message

• Micciancio and Warinschi 2002: completeness in this case

• Horvitz and Gligor 2003: completeness for type-0 under strictly weaker assumptions

Our Work

• Last time: Considered expansions of the Abadi-Rogaway approach
    • Used labeled boxes for which-key and length revealing cryptosystems
    • Besides computational interpretations, considered information theoretic interpretations (One-Time Pad)

• Now: A more complete analysis of the original Abadi-Rogaway approach
    • Give a common framework for computational and information theoretic views, and interpret the AR expressions in this framework
    • Provide a general treatment of labeling the boxes
    • Show soundness and completeness
    • Cases discussed last time are special cases of these

A Probabilistic View

• Combines info-theoretic and computational treatments by
    • instead of considering ensembles of probability distributions on strings in computational treatment, we can consider probability distributions on sequences of strings with independent components

• Basic components of symmetric encryptions:
    • Random variables take values in some abstract set of strings e.g. {0,1}* (info-theoretic case), ({0,1}*)N (computational case)
    • Key generation algorithms: K1,K2,… random variables over K1, K2, …, values in strings
    • Encryption algorithm Ek: encrypts with the key k strings, coin-tossing allowed: Ek(x) is a random variable over E
    • Decryption algorithm Dk: Dk( Ek (x) )=x
    • Need an invertible pairing function: [ . , . ] : strings strings strings

Indistinguishability of Probability Distributions and of Random Variables

• Indistinguishability (denoted by ) of probability distributions over strings is an equivalence relation of such distributions. Indistinguishability of random variables (also denoted by ) taking values in strings holds iff their distributions are indistinguishable. We require the following:
    • Random variables with identical distributions are indistinguishable
    • Constant r.v.’s are indistinguishable iff the constants agree
    • If F F’, then i [ . , . ]-1 F i [ . , . ]-1 F’ i = 1,2
    • If F F’, G G’, then [ F(), G() ] ’ [ F’(’), G’(’) ]

• Examples:
    • Computational indistinguishability
    • Indistinguishability iff probability distributions are identical

Symmetric Encryption Scheme

• is a quadruple ({Ki}iI , E , D , )
    • {Ki}iI is a set of key-generation algorithms
    • E is an encryption algorithm
    • D is a decryption algorithm
    • is an indistinguishability notion

• such that
    • Some technical conditions about domains of E and D hold, and
    • Different key-generations are distinguishable
    • If F G, then
        • (1, 2, 3) EK(1)( F(2) ) (3) and (1, 2, 3) EK(1)( G(2) ) (3) are indistinguishable
        • (1, 2) DK(1)( F(2) ) and (1, 2) DK(1)( G(2) ) are indistinguishable

Formal Encryption

• The Logic of Formal Encryption defined in [Abadi, Rogaway 2000] is a logic defined in the classical Dolev-Yao style. Let
    • Keys : Infinite discrete set of symbols, K1, K2, K3,…
    • Blocks : Nonempty subset of finite bit-strings, {0,1}*
    • Expressions: Exp ::= Blocks | Keys | (Exp, Exp) | {Exp}Keys
    • Ciphers ::= {Exp}Keys

• Example: ( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )

Formal Equivalence for Type-0

• Formal equivalence: Two expressions are equivalent if replacing everything that is indecipherable with , we obtain the same formal pattern up to key renaming

• Example:

( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )

( (K2, ) , ( {({101}K2,K5)}K2, { }K5) )

same up to key renaming

( (K1, ) , ( {({101}K1,K5)}K1, { }K5) )

( (K1,{K1}K7) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )

Formal Equivalence for Type-2

• Formal equivalence: Up to key renaming, the same formal pattern is obtained if we replace all indecipherable expressions of the form {M}K with K

• Example:

( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )

( (K2, K3 ) , ( {({101}K2,K5)}K2, { K4 }K5) )

same up to key renaming

( (K1, K6 ) , ( {({101}K1,K5)}K1, { K7 }K5) )

( (K1,{K1}K6) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )

Formal Logic for Symmetric Encryption

• is a triple (ExpV, K, C):
    • ExpV is a subset (of valid expressions) of Exp
    • K is an equivalence relation on Keys (key-renamings preserve it)
    • C is an equivalence relation on CiphersV = ExpV Ciphers

• such that:
    • All keys and blocks are in ExpV
    • If M is in ExpV then all subexpressions of M and their pairs are also in ExpV
    • Equivalence classes of K and contain infinitely many elements
    • For any key-renaming and MExp, MExpV iff MExpV
    • For any key-renaming and M,NCiphersV, M C N iff M C N
    • Replacing a cipher within a valid expression with another equivalent valid cipher results in a valid expression

Formal Equivalence

• Formal equivalence: Two expressions are equivalent if replacing everything that is indecipherable with (where is the equivalence class of the replaced ciphers), we obtain the same formal pattern up to key renaming (key-renaming generates a renaming on the set of equivalence classes of K)

• Example:

( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )

( (K2, 1 ) , ( {({101}K2,K5)}K2, { 2 }K5) ) with 1 = ({01}K3) and 2 = ({K6}K4)

same up to key renaming?

( (K1, 3 ) , ( {({101}K1,K5)}K1, { 4 }K5) ) with 3 = ({K1}K7) and 4 = ({K6}K7)

( (K1,{K1}K7) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )

Interpretation of Formal Expressions

• Computational interpretation (M) is a random variable (with distribution ||M||), constructed as:
    • Fix interpretation of blocks: (B) strings
    • Fix interpretation of keys: (Ki) = Km such that (Ki) =(Kj) iff Ki K Kj
    • Construct (M) for any expression as the following example shows:

• Example:
    • { ( {101}K2 , K5 ) }K2 translates to a random variable over E E (K2) (K5)
    • To (1, 2, 3, 4), it assigns E(K2)(3)( [ E(K2)(3) ( (101) )(2) , (K5)(4) ] )(1)

Reminder: Soundness Proof Method for Type-2

||( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )|| K3

||( (K2, {0}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )|| K4

||( (K2, {0}K3) , ( {({101}K2,K5)}K2, { {0}K4 }K5) )||

||( (K1, {0}K6) , ( {({101}K1,K5)}K1, { {0}K7}K5) ) || K7

|| ( (K1, {0}K6) , ( {({101}K1,K5)}K1, {{K6}K7}K5) ) || K6

|| ( (K1, {K7}K6) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )||

K7 disappears as subexpression

{01}K3 is replaced by a representative of its equivalence class

Proper Equivalence of Formal Ciphers

• We say that C is proper, if for any finite set of keys S, and any equivalence class ,
    • if contains an element of the form {M}K with K S,
    • then contains an element C such that Keys(C) S = , and K is not a subexpression of C

• Examples
    • Equivalence iff encrypting keys agree
    • Equivalence iff lengths agree
    • Equivalence iff the structures agree

Properties of Proper Equivalence

• For any equivalence class , let
    • key:= {K | there is an M valid expression with {M}K }

• If C is proper, then the following hold:
    • For each equivalence class , key has either one or infinitely many elements
    • For any key-renaming, |key| = |()key|
    • Let C = {{Ni}L1, {Ni}L2, … {Ni}Ln } be a set of valid ciphers, S a finite set of keys with Li S. Let (C) denote the set of all equivalence classes of elements in C. Then, for each (C) there is a C , such that
        • Keys(C) S = for all (C)
        • None of L1, L2, …, Ln, is a subexpression of C for any (C)
        • If ’, then Keys(C) Keys(C’) iff key = ’key = {K} for some K key, and if key = ’key = {K}, then Keys(C) Keys(C’) = {K}
    • Let R(C , S) denote the set of all such {C} (C)

Soundness Theorem

• Let (ExpV, K, C) be a formal logic for symmetric encryption proper C and ({Ki}iI , E , D , ) be a symmetric encryption scheme an interpretation. Then,
    • if for any C = {{Ni}L1 , {Ni}L2 , … {Ni}Ln } set of valid ciphers, and S finite set of keys with Li S, there is an element {C}(C) of R(C , S) such that
        • if {Ni1}L , {Ni2}L , … {Nim}L C and MExpV are such that
            • {Ni1}L , {Ni2}L , … {Nim}L are subexpressions of M
            • all recoverable keys of M are in S
            • L does not occur anywhere else in M
            • BKeys(M) is not cyclic in M
        • and if we denote by M’ the expression obtained by replacing in M each of {Ni1}L , {Ni2}L , … , {Nim}L by C1 , C2 , … , Cm respectively (where 1 = ( {Ni1}L ) , 2 = ( {Ni2}L ) , etc.)
        • then ||M|| ||M’||,
    • then for any M,NExpV, such that BKeys(M) and BKeys(N) are not cyclic in M and N respectively, ||M|| ||N|| holds.

Soundness for Special Cases

• Type-0
    • For {Ni1}L , {Ni2}L , … , {Nim}L, C1 = C2 = Cm = {0}K with some fixed K key

• Type-2 (which-key revealing)
    • For {Ni1}L , {Ni2}L , … , {Nim}L, C1 = C2 = Cm = {0}L

• One-Time Pad
    • For {Ni1}L , {Ni2}L , … , {Nim}L, C1 = {0l1}L, C2 = {0l2}L, … , Cm = {0lm}L where l1 = length of Ni1 etc.

Soundness Proof Method

||( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )|| 1

||( (K2, C1 ) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )|| 2

||( (K2, C1 ) , ( {({101}K2,K5)}K2, { C2 }K5) )||

||( (K2, C1 ) , ( {({101}K2,K5)}K2, { C2 }K5) ) || 2

|| ( (K2, C1 ) , ( {({101}K2,K5)}K2, {{K6}K7}K5) ) || 1

|| ( (K2, {K7}K6) , ( {({101}K2,K5)}K1, {{K6}K7}K5 ) )|| K1 K2

|| ( (K1, {K7}K6) , ( {({101}K1,K5)}K2, {{K6}K7}K5 ) )||

By assumption

Independent K and C

• We say that K and C are independent if
    • for any finite set of keys S and for any finite set C of ciphers such that no key of S appears in any element of C,
    • given any key renaming ,
    • there is a key-renaming ’ such that
        • ’(K) = K whenever K S
        • C C C’ whenever C C

• Examples
    • Equivalence C iff encrypting keys agree, trivial K
    • Equivalence C iff lengths agree, trivial K, or K iff lengths of the keys agree
    • Equivalence C iff the structures agree, trivial K

Completeness Theorem

• Let (ExpV, K, C) be a formal logic for symmetric encryption and ({Ki}iI , E , D , ) be a symmetric encryption scheme an interpretation. Assume that C is proper and that K and C are independent. Then,

• completeness holds iff the following conditions are satisfied:

• for any K, K’, L, L’ Keys, B Blocks, M, M’, N, N’ ExpV:
    • no pair of ||K||, ||B||, ||(M,N)||, ||{M’}K’||, are indistinguishable
    • if ||(K, {M}L)|| ||(K’, {M’}K’)||, then K = L (decrypting with the wrong key is detectable)
    • if ||({M}K, {N}L)|| ||({M’}K’, {N’}L’)||, then ({M}K, {N}L) ({M’}K’, {N’}L’) (i.e. the boxes are chosen well)

Type-0 Encryption Schemes

• In case of type-0 cryptosystems, any two ciphertexts are computationally indistinguishable.

[Diagram "Type-0 Systems"; labels: F(x), x, A with Ek1 (.), Ek2 (.); A with Ek1(0), Ek1(0); F]

Type-2 case

• If key repetition is detectable, the third condition is satisfied.

[Diagram "Type-2 Systems"; labels: F(x), x, A with Ek1 (.), Ek2 (.); A with Ek1(.), Ek1(.); F; and F(x), x, A with Ek1 (.); A with Ek1 (0); F]

Completeness Proof Method

[Animated diagram for the example ( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) ) and an expression M, with ||( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )|| and ||M|| side by side. The successive frames that survive extraction are:]

( , )

( ( , ) , ( , ) )

( ( K1 , ) , ( , ) )

( ( K1 , ) , ( { }K1 , ) )

( ( K1 , ) , ( { ( , ) }K1 , ) )

( ( K1 , ) , ( { ( { }K1 , K2 ) }K1 , ) )

( ( K1 , ) , ( { ( {101}K1 , K2 ) }K1 , ) )

( ( K1 , ) , ( { ( {101}K1 , K2 ) }K1 , { }K2 )

( ( K1 , ) , ( { ( {101}K1 , K2 ) }K1 , { 4 }K2 )

( ( K1 , 3 ) , ( { ( {101}K1 , K2 ) }K1 , { 4 }K2 )

( (K2, 1 ) , ( {({101}K2,K5)}K2, { 2 }K5) )

Rest of Completeness

• To show that the boxes can be carried over with key-renaming, we need the third assumption of the theorem.
    • Two boxes: immediate
    • More boxes: tricky argument using properness of C and independence of K and C

Conclusions and Future Work

• Gave general treatment for expansions of logic via indexed boxes, interpretations, soundness and completeness

• Include new primitives, e.g., signature schemes and pseudo-random number generators

• Extend the formalism to include active adversaries

• Public-key encryption

References

• [Abadi, Jürjens 2001] M. Abadi and J. Jürjens, Formal eavesdropping and its computational interpretation in 4th International Symposium on Theoretical Aspects of Computer Software (TACS), pages 82-94, 2001.

• [Abadi, Rogaway 2000] M. Abadi and P. Rogaway, Reconciling two views of cryptography: The computational soundness of formal encryption in 1st IFIP International Conference on Theoretical Computer Science, volume 1872 of Lecture Notes in Computer Science, pages 3-22, 2000.

• [Micciancio, Warinschi 2004a] D. Micciancio and B. Warinschi, Completeness Theorems for the Abadi-Rogaway Logic of Encrypted Expressions in Journal of Computer Security, 12(1), pages 99-129, 2004. Based on Extended Abstract in WITS 2002.

• [Micciancio, Warinschi 2004b] D. Micciancio and B. Warinschi, Soundness of Formal Encryption in the Presence of Active Adversaries in Theory of Cryptography Conference (TCC), Cambridge, Massachusetts, volume 2951 of Lecture Notes in Computer Science, pages 133-151, February 19-21 2004.

Interpretation in One-Time Pad

• Formal view:
    • Length is introduced for formal expressions
    • Encrypting twice with the same key is excluded
    • Equivalence is defined via boxes indexed by formal notion of length: n

• Interpretation:
    • Key generation depends on formal key length
    • Encryption via the rules of OTP
    • Equivalence of interpretations holds if probability distributions agree
    • Soundness and completeness are proven