Soundness of Formal Encryption in the Presence of Key Cycles Gergei - - PowerPoint PPT Presentation



SLIDE 1

Soundness of Formal Encryption in the Presence of Key Cycles

Gergei Bana University of Pennsylvania

  • P. Adão, J. Herzog, A. Scedrov
SLIDE 2

Structure of the Talk

  • The Abadi-Rogaway logic and its computational interpretations
  • The problem of key-cycles
  • Standard notions of security and KDM security
  • KDM security as a solution to key-cycles

SLIDE 3

Introduction

  • Cryptographic protocols: two models
  • Formal or Dolev-Yao model
  • Computational model from complexity theory
  • Much recent work relates the two
  • Build formal-to-computational protocol interpretation
  • Map formal security goals to computational goals
  • Prove soundness or completeness
SLIDE 4

Logic of Formal Encryption

  • We define a very simple algebra of terms that is a modified version of [AbadiRogaway00];
  • Expressions represent the messages exchanged during the protocol
  • They might also include some prior knowledge available to the adversary, e.g., public keys.
  • Patterns represent how an adversary can look at an expression:
  • If an adversary does not know a certain private key, he does not see a message in the same way as an adversary that possesses that key.

SLIDE 5

Logic of Formal Encryption

  • Expressions are built from simple sets
  • Keys = {K1, K2, K3,...}, Keys^-1 = {K1^-1, K2^-1, K3^-1,...} and Blocks = {0,1}* via pairing and encryption;

Exp ::= Keys | Keys^-1 | Blocks | (Exp,Exp) | {Exp}Keys

  • Formal length. Let λ be a function symbol such that:
  • For all blocks B1 and B2, λ(B1) = λ(B2) iff |B1| = |B2|;
  • For all i and j, λ(Ki) = λ(Kj) and λ(Ki^-1) = λ(Kj^-1);
  • If λ(M1) = λ(N1), λ(M2) = λ(N2) then λ((M1,M2)) = λ((N1,N2)),
  • If λ(M) = λ(N), then for all Ki, λ({M}Ki) = λ({N}Ki).

( (K2^-1,{01}K3) , ( {({101}K2,K5^-1)}K2, {{K6}K4}K5) )

SLIDE 6

Logic of Formal Encryption

  • Patterns are built from expressions replacing undecryptable terms {M}K by K,λ(M)

Pat ::= Keys | Keys^-1 | Blocks | (Pat,Pat) | {Pat}Keys | Keys,λ(Keys)

( (K2^-1, {01}K3 ) , ( {({101}K2,K5^-1)}K2, { {K6}K4 }K5) )
( (K2^-1, K3,λ(01)) , ( {({101}K2,K5^-1)}K2, { K4,λ(K6) }K5) )

  • Two expressions M and N are defined to be formally equivalent if pattern(M)=pattern(N)σ for some key-renaming function σ.
  • We denote this by M≅N.
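The pattern construction and the equivalence M≅N can be computed mechanically. The following is an added example, not code from the talk; the tuple encoding, the function names, and the concrete choice of λ (one of many satisfying the formal-length rules) are assumptions.

```python
# Tuple encoding assumed here: ("key",i)=Ki, ("inv",i)=Ki^-1, ("blk","01"), ("pair",M,N),
# ("enc",M,i)={M}Ki, and ("box",i,l) for an unopened ciphertext under Ki of formal length l.

def flen(t):
    """Formal length λ: block lengths and shape are kept, key identity is dropped."""
    if t[0] == "blk":
        return ("blk", len(t[1]))
    return (t[0],) + tuple(flen(s) for s in t[1:] if isinstance(s, tuple))

def recoverable(term, known=frozenset()):
    """Indices i whose decryption key Ki^-1 can be extracted from term."""
    found, stack = set(), [term]
    while stack:
        t = stack.pop()
        if t[0] == "inv":
            found.add(t[1])
        elif t[0] == "pair":
            stack += [t[1], t[2]]
        elif t[0] == "enc" and t[2] in known:   # only opened with a recovered key
            stack.append(t[1])
    return known if found <= known else recoverable(term, known | found)

def pattern(term):
    """Replace each {M}Ki that cannot be opened by the box (Ki, λ(M))."""
    known = recoverable(term)
    def go(t):
        if t[0] == "pair":
            return ("pair", go(t[1]), go(t[2]))
        if t[0] == "enc" and t[2] not in known:
            return ("box", t[2], flen(t[1]))
        return ("enc", go(t[1]), t[2]) if t[0] == "enc" else t
    return go(term)

def canonical(p, names):
    """Rename key indices by first occurrence, so renamed patterns compare equal."""
    ren = lambda i: names.setdefault(i, len(names))
    if p[0] == "pair":
        return ("pair", canonical(p[1], names), canonical(p[2], names))
    if p[0] == "enc":
        return ("enc", canonical(p[1], names), ren(p[2]))
    if p[0] == "box":
        return ("box", ren(p[1]), p[2])
    return p if p[0] == "blk" else (p[0], ren(p[1]))

def equivalent(m, n):
    """M ≅ N: the patterns agree up to a bijective renaming of keys."""
    return canonical(pattern(m), {}) == canonical(pattern(n), {})
```

Encoding the slide's expression ( (K2^-1,{01}K3) , ( {({101}K2,K5^-1)}K2, {{K6}K4}K5) ) this way, `recoverable` returns {2, 5} and `pattern` boxes exactly {01}K3 and {K6}K4, as in the pattern shown on the slide.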
SLIDE 7

Computational Model

  • In the computational world messages are represented by bit-strings, strings = {0,1}*, and families of probability distributions over strings;
  • Fix an injective pairing function (length of output depends only on lengths of inputs);
  • Encryption schemes are probabilistic (polynomial-time) algorithms, and encryptions are obtained by running the encryption algorithm.

SLIDE 8

Computational View

  • Basic components of symmetric encryptions:
  • Key generation algorithm: K(1^η), randomly generates a pair of strings (e, d) (η is the security parameter)
  • Encryption algorithm: E(e,x), encrypts the plaintext x with the key e, coin-tossing allowed (length of output depends only on the lengths of inputs).
  • Decryption algorithm: D, D(d, E(e,x)) = x
SLIDE 9

Relating the Two Models

  • Formal expressions are mapped to (interpreted in) the computational model as follows:
  • For each (K,K^-1) generate a pair of keys using the key generation algorithm;
  • Each B block is mapped to B;
  • Each pair (M,N) is interpreted as the pair of the interpretations;
  • Each encryption is interpreted by running the encryption algorithm.
  • Example:
  • {({101}K2,K5^-1)}K2 translates to the random variable

E(e2, (E(e2, 101), d5))

  • The keys k2, k5 are randomly generated, and the two encrypting functions have independent randomness as well.

SLIDE 10

Interpretation and Soundness Property

  • To each expression M we have assigned an array of probability distributions denoted by [[M]].
  • Definition (Soundness) We say that the interpretation is sound, if for any two expressions, M≅N implies that the interpretations [[M]] and [[N]] are computationally indistinguishable.

SLIDE 11

Known Results

  • Theorem: If the expressions are interpreted in a CPA secure encryption scheme, then for M and N acyclic expressions, M≅N implies that [[M]] and [[N]] are indistinguishable.
  • Problem: This result does not apply to self-encrypting keys, or to cycles more generally;
  • What we propose: it is possible to solve this problem via a strong enough notion of security that has been around (KDM security);
  • [Laud02] proposed a solution for the problem of key-cycles by strengthening the formal adversary.

SLIDE 12

Known Results

  • AbadiRogaway00, AbadiJurgens01: soundness for indistinguishability properties
  • MicciancioWarinschi02, HorvitzGligor03: completeness for indistinguishability properties
  • Bana04, AdãoBanaScedrov05: more general soundness, completeness properties
  • Herzog04: soundness for non-malleability properties
  • BackesPfitzmannWaidner03: soundness for general trace-based properties
  • HerzogCanetti04, MicciancioWarinschi04: soundness, completeness for Message Authentication, Key-Exchange
  • Laud02: soundness via strengthening the "formal adversary"

SLIDE 13

Proof Method 1

  • Semantic Security (IND-CPA) [GoldwasserMicali84]
  • An Adversary A is given a public key e;
  • A sends to an oracle two messages m1 and m2;
  • The oracle chooses randomly b ∈ {0,1} and sends to A the value E(e,mb);
  • A has to guess which of the plaintexts was encrypted.

SLIDE 14

Proof Method 2

[[ ( (K2^-1, {01}K3) , ( {({101}K2,K5^-1)}K2, {{K6}K4}K5) ) ]]
  ⇓ ≈  K3,λ(01)
[[ ( (K2^-1, K3,λ(01)) , ( {({101}K2,K5^-1)}K2, {{K6}K4}K5) ) ]]
  ⇓ ≈  K4,λ(K6)
[[ ( (K2^-1, K3,λ(01)) , ( {({101}K2,K5^-1)}K2, { K4,λ(K6) }K5) ) ]]
  ≈
[[ ( (K1^-1, K6,λ(K7^-1)) , ( {({101}K2,K5^-1)}K2, { K7,λ(1) }K5) ) ]]
  ⇑ ≈  K7,λ(1)
[[ ( (K1^-1, K6,λ(K7^-1)) , ( {({101}K1,K5^-1)}K1, {{1}K7}K5) ) ]]
  ⇑ ≈  K6,λ(K7^-1)
[[ ( (K1^-1, {K7^-1}K6) , ( {({101}K1,K5^-1)}K1, {{1}K7}K5) ) ]]

SLIDE 15

The problem of key-cycles

  • Key cycles:
  • K1 encrypts K2^-1
  • K2 encrypts K3^-1
  • ......
  • Kn encrypts K1^-1
  • Can actually occur in Dolev-Yao model
  • Possible to interpret formal messages with key cycles
  • But soundness results do not hold
  • [[{K1^-1}K1]] does not have to be equivalent to [[{K2^-1}K3]]
  • [[ ( {K1^-1}K2, {K2^-1}K1 ) ]] does not have to be equivalent to [[ ( {K1^-1}K2, {K3^-1}K1 ) ]]
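Checking an expression for key cycles before relying on the soundness theorem for acyclic expressions, as an added example (not code from the talk). The tuple encoding and function names are assumptions; Ki is taken to "encrypt" Kj^-1 when Kj^-1 occurs anywhere inside some {...}Ki.

```python
# Tuple encoding assumed here: ("key",i)=Ki, ("inv",i)=Ki^-1, ("blk","01"),
# ("pair",M,N)=(M,N), ("enc",M,i)={M}Ki.

def encrypts_graph(term):
    """Map i -> set of j such that Kj^-1 occurs inside some {...}Ki in term."""
    graph = {}
    def walk(t, under):                 # under: keys of all enclosing encryptions
        if t[0] == "inv":
            for i in under:
                graph[i].add(t[1])
        elif t[0] == "pair":
            walk(t[1], under)
            walk(t[2], under)
        elif t[0] == "enc":
            graph.setdefault(t[2], set())
            walk(t[1], under | {t[2]})
    walk(term, frozenset())
    return graph

def find_key_cycle(term):
    """Return key indices [i1, ..., in, i1] forming a key cycle, or None if acyclic."""
    graph = encrypts_graph(term)
    state = {}                          # 1 = on the current DFS path, 2 = finished
    def dfs(i, path):
        state[i] = 1
        for j in sorted(graph.get(i, ())):
            if state.get(j) == 1:       # back edge: j is already on the path
                return path[path.index(j):] + [j]
            if j not in state:
                cycle = dfs(j, path + [j])
                if cycle:
                    return cycle
        state[i] = 2
        return None
    for i in sorted(graph):
        if i not in state:
            cycle = dfs(i, [i])
            if cycle:
                return cycle
    return None

# The slide's cases: {K1^-1}K1 and ({K1^-1}K2, {K2^-1}K1) are cyclic,
# ({K1^-1}K2, {K3^-1}K1) is not.
SELF = ("enc", ("inv", 1), 1)
TWO_CYCLE = ("pair", ("enc", ("inv", 1), 2), ("enc", ("inv", 2), 1))
NO_CYCLE = ("pair", ("enc", ("inv", 1), 2), ("enc", ("inv", 3), 1))
```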

SLIDE 16

Traditional Notions of Security

  • Semantic Security (IND-CPA)
  • Chosen Ciphertext Security - Lunchtime Security (IND-CCA1) [NaorYung90]
  • An Adversary A is given a public key e;
  • A can send to the oracle polynomially many ciphertexts and obtain the associated plaintexts;
  • A sends to the oracle two messages m1 and m2 of the same length
  • The oracle chooses randomly b ∈ {0,1} and sends to A the value E(e,mb);
  • A has to guess which of the plaintexts was encrypted.

SLIDE 17

Traditional Notions of Security

  • Adaptive Chosen Ciphertext Security (IND-CCA2) [RackoffSimon91]
  • An Adversary A is given a public key e;
  • The oracle chooses randomly b ∈ {0,1}.
  • A can send to the oracle polynomially many ciphertexts and obtain the associated plaintexts;
  • A can send to the oracle any pairs of messages m1 and m2 of the same length and receive the value E(e,mb);
  • A can send to the oracle polynomially many ciphertexts (but different from E(e,mb)) and obtain the associated plaintexts;
  • A has to guess which of the plaintexts was encrypted.
SLIDE 18

CCA-2 is not Enough

  • We show that the traditional security definitions are not enough. Take as an example adaptive chosen-ciphertext security.
  • Theorem: CCA-2 security does not enforce soundness.
  • Corollary: Soundness is not implied by any of the following: NM-CCA-1, IND-CCA-1, NM-CPA, or IND-CPA
  • Theorem: Soundness does not enforce IND-CPA.

SLIDE 19

KDM-Security

  • The notion of key-dependent message security was introduced by Black et al. [BlackRogawayShrimpton02] and in a different form by [CamenischLysyanskaya01].
  • In [CL01] the authors developed the notion of key-dependent encryption scheme and used it in a credential revocation scheme. This scheme is realised in the RO-model.
  • KDM security is defined through the following game:

SLIDE 20

KDM Security

  • Key Dependent Message Security [BRS02]
  • An Adversary A is given a vector of public keys e. The corresponding vector of private keys d is kept private;
  • A creates a (plaintext construction) function f (that might depend on e) and asks the oracle to encrypt f(d) with ei;
  • The oracle encrypts either
      – f(d) with ei (oracle Real_d), or
      – 0^|f(d)| with ei (oracle Fake_d);
  • A has to guess which happened.
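The Real/Fake game above, run against a deliberately contrived scheme, as an added example (not code from the talk). It assumes a symmetric toy setting in which each ei equals di; `enc_base`, `enc_leaky` and the other names are hypothetical, and the SHA-256 keystream is only a stand-in cipher, not a vetted construction.

```python
import hashlib
import os

def keystream(key, nonce, n):
    """n pseudo-random bytes derived from key and nonce (toy construction)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def enc_base(key, msg):
    """Toy randomized cipher standing in for E: tag 0 || nonce || msg XOR keystream."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(msg, keystream(key, nonce, len(msg))))
    return b"\x00" + nonce + body

def enc_leaky(key, msg):
    """Contrived variant: identical to enc_base unless the plaintext is the key itself.
    Without the key, an adversary reaches the leaking branch only by guessing the key."""
    return b"\x01" + key if msg == key else enc_base(key, msg)

def kdm_oracle(enc, keys, real):
    """On query (f, i): encrypt f(d) under key i (Real) or 0^|f(d)| under key i (Fake)."""
    def query(f, i):
        m = f(keys)
        return enc(keys[i], m if real else bytes(len(m)))
    return query

def adversary(query):
    """Ask for key 0 encrypted under itself; answer 'Real' iff the leak tag appears."""
    return query(lambda d: d[0], 0)[0] == 1

def advantage(enc, trials=200):
    """Estimate Pr[A says Real | Real oracle] - Pr[A says Real | Fake oracle]."""
    said_real = said_fake = 0
    for _ in range(trials):
        keys = [os.urandom(32) for _ in range(2)]     # constructed random keys
        said_real += adversary(kdm_oracle(enc, keys, True))
        said_fake += adversary(kdm_oracle(enc, keys, False))
    return (said_real - said_fake) / trials
```

`advantage(enc_leaky)` is 1.0 and `advantage(enc_base)` is 0.0 for this particular adversary: the query f(d) = d0 is exactly the self-encryption {K1^-1}K1 from the key-cycle slide, which the message-pair games of the traditional notions never let the adversary request.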
SLIDE 21

KDM Security

  • An encryption scheme is KDM-secure if:
  • Theorem: KDM-security does not imply NM-CPA security, nor IND-CCA-1 or IND-CCA-2 security. It does imply IND-CPA.

SLIDE 22

Soundness for Key-Cycles

  • Theorem: If the expressions are interpreted in a KDM-secure system, then for any expressions M and N, M≅N implies that [[M]] and [[N]] are indistinguishable.
  • Corollary: CCA-2 security does not imply KDM-security.

SLIDE 23

Proof Method

[[ ( (K2^-1, {01}K3) , ( {({101}K2,K5^-1)}K2, {{K6}K4}K5) ) ]]
  ⇓ ≈  K3,λ(01)  K4,λ(K6)
[[ ( (K2^-1, K3,λ(01)) , ( {({101}K2,K5^-1)}K2, { K4,λ(K6) }K5) ) ]]
  ≈
[[ ( (K1^-1, K6,λ(K7^-1)) , ( {({101}K2,K5^-1)}K2, { K7,λ(1) }K5) ) ]]
  ⇑ ≈  K6,λ(K1)  K7,λ(1)
[[ ( (K1^-1, {K7^-1}K6) , ( {({101}K1,K5^-1)}K1, {{1}K7}K5) ) ]]

SLIDE 24

Conclusions

  • In spite of the differences, and origins, of the two models, several properties can be carried over from one to the other;
  • KDM-security is orthogonal to the previous security notions;
  • We have soundness even in the presence of key-cycles.

SLIDE 25

Relations among Different Notions

[Diagram relating the notions: Plaintext-Awareness, RCCA-2, NM-CCA-2, IND-CCA-2, NM-CCA-1, NM-CPA, IND-CPA, IND-CCA-1, Soundness, KDM]