Symbolic Encryption with Pseudorandom Keys Daniele Micciancio - - PowerPoint PPT Presentation
Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols Often make use of several basic crypto ops: (Enc) Encryption: E(k,m) (PRG) Pseudorandom generators: G(k) Protocol should be secure for
– (Enc) Encryption: E(k,m) – (PRG) Pseudorandom generators: G(k)
– Enc: Indistinguishability under chosen message
attack
– PRG: Indistinguishability from uniform
u
1
u
2
u
5
u
4
u
3
u
6
1 1 1 1 1 1 1 1 1 1 1 1 1 = G r
p m e m b e r = N
e m b e r
u
2
u
4
k
1
k
1
k
1
r e m ( u
2
) a d d ( u
4
) k
2
k
2
k
2
k
2
Center
– no adversary can guess b with prob. >> ½ – requires |m0| = |m1|
Adversary
m0 m1 b Enc mb b?
– Possible, offer strong security guarantees – Can be cumbersome and error prone
– Treat Enc, PRG, etc. as abstract operations – High level, easier to automate/verify
– Symbolic Security → Computational Security
– Symbolic model for the analysis of crypto protocols – Used to find many bugs, often automatically – Weak security guarantees
– Simple symbolic model for passive attacks – Computational Soundness Theorem
– Data := 0 | 1 | ... – Key := k0 | k1 | … – Exp : = Data | Key | (Exp,Exp) | Enc(Key,Exp)
– M = Enc(k1,(Enc(k2,0),Enc(k1,k2)))
– |[ M ]| : choose keys at random, and evaluate Enc
– P = (k1, Enc(k1,(Enc(k2,[?]),Enc(k1,0)), Enc(k2,[?]))) – [?]: unknown message, may leak size/shape info
– Determine set K of recoverable keys – Replace Enc(k,Exp) with Enc(k,[?]) for all k
Key\K ∈
– Specification: what can adversary legitimately learn – Analysis: what adversary learns from protocol
– If two expressions M1, M2 have the same
pattern(M1) = pattern(M2), then |[M1]|≈|[M2]| are computationally indistinguishable (for any secure crypto primitive)
– If |[M1]|≈|[M2]| (for any secure crypto primitive),
then pattern(M1) = pattern(M2)
– Rand := r0 | r1 | r2 – Keys := Rand | G0(Keys) | G1(Keys)
– Key distribution [Micciancio, Panjwani ‘05, ‘06, ’08] – XML security [Abadi, Warinschi ‘05] – Yao Garbled Circuits [Li, Micciancio ‘18]
– expressions using only PRG: G(k)=[G0(k),G1(k)] – no encryption, only keys
– Two keys {k,k’} are symbolically dependent if k =
Gw(k’) for some w
– K
Keys ⊂ is an independent set if no two keys k,k’ K are symbolically dependent ∈
– K={k1,…,kn} is independent if and only if – |[
|[{r {r1
1,…,r
,…,rn
n}
}]| ~ ]| ~ |[ |[K K]| ]|
– generalized hybrid argument – repeatedly replace [G0(r),G1(r)] with [r0,r1]
– Determine set K of recoverable keys – Replace Enc(k,Exp) with Enc(k,[?]) for all k
Key\K ∈
– Given k and Enc(k,M) can recover M – Given k, can recover G0(k) and G1(k) – Given Enc(k,M) and Gw(k), can recover k – Given Enc(k,M) and Enc(k’,M’), if k and k’ are
symbolically dependent then can recover k and k’
Rest of the talk: If pattern(M0)≠pattern(M1) then |[M0]| and |[M1]| can be distinguished for some Enc,PRG
– similar to previous work – not surprising, given strong key recovery adversary
– we show that this is the best possible
– Attacks should work for some secure Enc and PRG – If keys are unrelated, then ciphertexts are secure – Enough to recover k0 , then k1 = Gw(k0)
E’: E: k[0] k[0] k[1] k[1] k[0] k[1] G’: + +
E’: E: k[0] k[0] k[1] k[1] k[0] k[1] G’: + + k[0] k[0] k[1]
– A ciphertext E(k,m) and a related key G’b(k)
k[1] k[1] k[0] k[0]
E’: k[0] k[1] k[1] k[0] + + k[0] + + + +
E’: E: k[0] k[0] k[1] k[1] k[0] k[1] G’: + + k[0] k[0]
– E(k,m) and a related key E(Gb(k),m’)
E: k[0] k[1] k[0]
k[0] k[0] E’: k[0] k[1] k[1] k[0] k[1] + + k[0] + + + + + + + + + +
E’: k[0] k[0] k[1] k[0] k[1] G’: + + k[2] E: k[2] k[1] k[2] + +
k[2] k[2] k[0] k[1] G’: + + + + k[0] k[1] G’: + + + +
k[0] k[1] G’: + + k[2] + + G1 G1 G0 k[0] k[2]
– Key distribution, XML, Garbled Circuits, etc.