Negative applications of the ASM thesis
Dean Rosenzweig and Davor Runje, University of Zagreb
Berlin, February 26-27, 2007

Outline
1. Negative applications of the ASM thesis: Motivation; Non-interactive algorithms; Ordinary interactive algorithms
2. Background classes: Motivation; Definition; Background for abstract cryptography
3. Abstract model of cryptography: Experiments as structures; Soundness; Relation with Abadi-Rogaway languages; Cyclic messages

Church-Turing vs ASM
- The Church-Turing thesis defines an envelope for practically computable functions. Negative intended use: noncomputability.
- The ASM thesis captures the notion of algorithm. Positive intended use: specification. Abstract algorithms can be uncomputable.
Can the ASM thesis be used for negative results?

Negative applications of the thesis
Negative results. Given states $X$, $Y$ and $x \in X$:
- no small step algorithm $A$ can output $x$;
- no small step algorithm $A$ can make the transition from $X$ to $Y$;
- no small step algorithm $A$ can distinguish $X$ from $Y$.
Are there meaningful interpretations for negative results? Can we effectively use the postulates to establish negative results?
Example: abstract model of cryptography
1. PPT cryptographic algorithms $\to$ abstract algorithms
2. no abstract algorithm can break security
3. conclude that no PPT algorithm can break security?

Basic definitions
Definition. Let $X$, $Y$ be structures and $x \in X$. Then:
- $x$ is accessible in $X$ if there is a term $t$ s.t. $Val(t, X) = x$;
- $Y$ is reachable from $X$ if there is a small step algorithm $A$ s.t. $\tau_A(X) = Y$;
- $X$, $Y$ are distinguishable by a small step algorithm $A$ if there is a term $t$ s.t. $Val(t, \tau_A(X)) \neq Val(t, \tau_A(Y))$.
An algorithm must complete its step to conclude anything!!!

Basic definitions
Definition. Let $X$, $Y$ be structures and $T$ a set of (ground) terms. Then:
- $X$ and $Y$ coincide over $T$, written $X =_T Y$, if for every $t \in T$: $Val(t, X) = Val(t, Y)$;
- $X$ and $Y$ are $T$-similar, written $X \sim_T Y$, if for every $t_1, t_2 \in T$: $Val(t_1, X) = Val(t_2, X)$ iff $Val(t_1, Y) = Val(t_2, Y)$.
Theorem (Factorization). If $X \sim_T Y$, then there exists $Z$ s.t. $X \cong Z$ and $Z =_T Y$.

Next value
What is the value of a term $t$ in the next state?
$T_{f(t_1,\dots,t_n)} = T \cup \{\, f(t_1,\dots,t_n) \mid t_i \in T_{t_i} \,\} \cup \bigcup \{\, T_{t_i} \mid i = 1,\dots,n \,\}$.
Theorem (Next value).
- There exists $A_X t \in T_t$ s.t. $Val(A_X t, X) = Val(t, \tau_A(X))$.
- If $X$, $Y$ coincide over $T_t$, then $Val(t, \tau_A(X)) = Val(t, \tau_A(Y))$.
- If $X$, $Y$ are $T_t$-similar, then $Val(A_X t, Y) = Val(t, \tau_A(Y))$.

Consequences of the Next value
Corollary (Preservation of coincidence and similarity).
- If $X$, $Y$ coincide, then $\tau_A(X)$, $\tau_A(Y)$ coincide.
- If $X \sim Y$, then $\tau_A(X) \sim \tau_A(Y)$.
Theorem (Linear speedup). For every algorithm $A$ there is an algorithm $B$ s.t. $\tau_B(X) = \tau_A(\tau_A(X))$, with $T_T$ as a bounded exploration witness (b.e.w.).

Consequences of the Next value
Next value relates dynamic and static notions!
Theorem. $X$ and $Y$ are indistinguishable iff $X$ and $Y$ are similar.

Example
Problem: $\{0, 1\}_K$ is indistinguishable from $\{n\}_K$ without $K$.
States $X$ and $Y$ with vocabulary $\{decrypt, fst, snd, op, c, k\}$ and base set $\{Pri, Pub, C, P, N, true, false, undef\}$:

              X                    Y
    decrypt   (Pri, C) -> P        (Pri, C) -> N
    fst       P -> true            P -> T
    snd       P -> false           P -> F
    op        Pri -> Pub           Pri -> Pub
    c         C                    C
    k         Pub                  Pub

States $X$ and $Y$ are indistinguishable by algorithms.
$\exists x.\ fst(decrypt(x, c)) = true$ distinguishes $X$, $Y$.

Ordinary interaction
In addition to the state $X$, there is an answer function $\alpha$ mapping queries into answers: the extended state $\langle X, \alpha \rangle$.
In addition to the vocabulary $\Upsilon$, there is a disjoint vocabulary of query templates $E$. Extended terms are terms of the vocabulary $\Upsilon \cup E$.
The value of a (possibly undefined) extended term is
$Val(f(t_1,\dots,t_n), X, \alpha) = f_X(Val(t_1, X, \alpha),\dots,Val(t_n, X, \alpha))$ if $f \in \Upsilon$,
$Val(\hat f(t_1,\dots,t_n), X, \alpha) = \alpha(\hat f[Val(t_1, X, \alpha),\dots,Val(t_n, X, \alpha)])$ if $\hat f \in E$.

Definitions carry over to extended state
Definition. Let $X$, $Y$ be structures, $\alpha$, $\beta$ answer functions, $T$ a set of extended terms, and $x \in X$. Then:
- $\langle X, \alpha \rangle$ and $\langle Y, \beta \rangle$ coincide over $T$, written $\langle X, \alpha \rangle =_T \langle Y, \beta \rangle$, if for every $t \in T$: $Val(t, X, \alpha) = Val(t, Y, \beta)$;
- $\langle X, \alpha \rangle$ and $\langle Y, \beta \rangle$ are $T$-similar, written $\langle X, \alpha \rangle \sim_T \langle Y, \beta \rangle$, if for every $t_1, t_2 \in T$: $Val(t_1, X, \alpha) = Val(t_2, X, \alpha)$ iff $Val(t_1, Y, \beta) = Val(t_2, Y, \beta)$.

Definitions carry over to extended state
Definition. Let $X$, $Y$ be structures, $\alpha$, $\beta$ answer functions, $T$ a set of extended terms, and $x \in X$. Then:
- $x$ is accessible in $\langle X, \alpha \rangle$ if there is an extended term $t$ s.t. $Val(t, X, \alpha) = x$;
- $Y$ is reachable from $X$ if there is a small step algorithm $A$ s.t. $\tau_A(X, \alpha) = Y$;
- $X$, $Y$ are distinguishable by a small step algorithm $A$ if there is a ground term $t$ s.t. $Val(t, \tau_A(X, \alpha)) \neq Val(t, \tau_A(Y, \beta))$.

Distinguishability and similarity under contract
Definition. Let $\mathcal{A}$, $\mathcal{B}$ be sets of answer functions. Then $\langle X, \mathcal{A} \rangle$ and $\langle Y, \mathcal{B} \rangle$ are indistinguishable ($T$-similar) if
- for every $\alpha \in \mathcal{A}$ there exists $\beta \in \mathcal{B}$ such that $\langle X, \alpha \rangle$ and $\langle Y, \beta \rangle$ are indistinguishable ($T$-similar), and
- for every $\beta \in \mathcal{B}$ there exists $\alpha \in \mathcal{A}$ such that $\langle X, \alpha \rangle$ and $\langle Y, \beta \rangle$ are indistinguishable ($T$-similar).
$\mathcal{A}$, $\mathcal{B}$ represent the degree of freedom an environment has in providing answers.

The main result carries over
Theorem. Similarity = Indistinguishability.
Remark. Algorithms can learn by interaction: $X \sim Y \not\Rightarrow \langle X, \alpha \rangle \sim \langle Y, \beta \rangle$.

Import and reserve
Algorithms need to enlarge their working space between steps. Options:
- add new elements to the base set;
- discover unused elements, don't change the base set.
Lipari guide:
- every state $X$ is equipped with an infinite reserve: elements of $X$ not in the domain or codomain of any function;
- the import rule denotes a reserve element;
- the exact choice of the reserve element imported in a state $X$ is irrelevant: every permutation of reserve elements is an automorphism on $X$.

External structure on reserve
Non-trivial applications often need some kind of structure on the reserve, like pairs, lists, sets...
Problems:
- How to create fresh objects without having to create the pairs, lists, ... related to them?
- What sort of structures can exist above the set of atoms, without putting any structure except equality on the atoms themselves?

Intuition for backgrounds
The basic idea:
- split the vocabulary into foreground and background parts;
- make all background functions static;
- import denotes atoms, special elements of the structure;
- a foreground function exposes an element;
- the active part of a state includes the atoms necessary to denote exposed elements;
- the reserve of a state is all non-active atoms.

Examples: Pairs
Background functions are the binary $pair$ and the unary $fst$ and $snd$. The structure $X$ is freely generated by $pair_X$ from atoms $\{a, b, c, d, \dots\}$, while $fst_X$ and $snd_X$ are projections.
The foreground function is a nullary function $f$ denoting $\langle a, b, c \rangle$. The only exposed element is $\langle a, b, c \rangle$. Active atoms are $\{a, b, c\}$. The reserve contains all atoms but $\{a, b, c\}$.

Examples: Hereditary finite sets
The background vocabulary contains the unary $singleton$ and binary $union$ function symbols, and the binary $in$ relation symbol. The base set of $X$ is all hereditary finite sets built from atoms $\{a, b, c, d, \dots\}$.
The foreground function is a nullary function $f$ denoting $\{\{a, b\}, c\}$. The only exposed element is $\{\{a, b\}, c\}$. Active atoms are $\{a, b, c\}$. The reserve contains all atoms but $\{a, b, c\}$.

Examples: One way function

    class OneWay
        private subject as object
        public OneWay(me as object)
            subject := me
        public Accept(me as object) as boolean
            return subject = me

The background vocabulary contains the binary function $OneWay$ and the binary relation $Accept$. The base set of $X$ is freely generated by $OneWay_X$ from atoms. Given elements $x$, $y$, you can determine whether $x = OneWay(a, y)$ for some atom $a$.
Model of a one way function: from $new\ OneWay(x)$ you cannot obtain the value of $x$.

Background classes
Definition (Blass, Gurevich 2000). A class of structures $K$ of a fixed vocabulary is a background class if
- $K$ is closed under isomorphisms;
- for every $U$ there is $X \in K$ such that $Atoms(X) = U$;
- for $X, Y \in K$, any embedding (of sets) $\xi : Atoms(X) \to Atoms(Y)$ uniquely extends to an embedding (of structures) $\zeta : X \to Y$;
- for $X \in K$, every $x \in X$ has an envelope, the smallest $K$-substructure of $X$ containing $x$.

Background of an algorithm
Definition (Background). Fix $K$, of vocabulary $\Upsilon_0$. $K$ is the background of an algorithm over $\Upsilon \supseteq \Upsilon_0$ if
- no background function $f \in \Upsilon_0$ is ever updated, and
- the reduct of every state to $\Upsilon_0$ is in $K$.
Definition (Reserve).
- exposed elements: in the domain or codomain of a foreground function;
- active part of a state: the envelope of the set of exposed elements;
- reserve ("heap") of a state: atoms not in the active part.

Background of an algorithm
Theorem (Blass, Gurevich 2000). Every permutation of the reserve of a state $X$ extends uniquely to an automorphism that is the identity on the active part of $X$.

Background for abstract cryptography
So far, having a background with sets, pairs, ... was a matter of convenience: when we extended the working space of an algorithm, we were too lazy to do all of the bookkeeping; we could easily have imported as many elements as we really needed and defined the necessary functions on them.
The model of a one way function with a background indicates that we have something far more powerful in our hands. We will show how a natural ASM model of public key cryptography would not be possible without a background.

Abstract public key cryptography
Creation:
- denote constants $0, 1, \dots$;
- given two messages, denote pairs;
- create random values (nonces) and private keys;
- given a private key, denote the matching public key;
- given a message and a public key, create an encryption.
Analysis:
- given a pair, make projections;
- given an encryption and a matching private key, obtain the encrypted message.

Abstract public key cryptography
Attempt to model without background!
Strategy:
- only the analysis part is in the vocabulary: $decrypt$, $fst$, $snd$;
- created objects are imported from the reserve and the analysis functions are set.
Problem: creation of an encryption.
- subject $m$ and public key $k$ are accessible in $X$;
- private key $K$ is not accessible in $X$;
- in order to create the encryption of $m$ with $k$, we need to have $(decrypt, e, K, m) \in \Delta_A(X)$ for some fresh $e$;
- $\Rightarrow$ $K$ must be critical $\Rightarrow$ $K$ must be accessible!!!

Background solves the problem!!!
Constructors are the obvious ones.

    class PriKey { }

    struct PubKey {
        private PriKey key;
        // a public key accepts exactly its matching private key
        public bool Accept(PriKey K) { return key == K; }
    }

    class Enc {
        private object subject;
        private PubKey key;
        // the subject is released only to the holder of the matching private key
        public object Decrypt(PriKey K) { return key.Accept(K) ? subject : null; }
    }

Any undergraduate student will understand!

What have we done?!
We have defined the following background class:
- The background vocabulary contains unary functions $PriKey$, $PubKey$, $Fst$, $Snd$, binary functions $Pair$, $Decrypt$ and the ternary function $Encrypt$.
- $PriKey$ and $Encrypt$ are defined only if the first argument is an atom. $PubKey$, $Fst$, $Snd$ and $Pair$ are undefined only if any argument is an atom.
- The base set is freely generated by $PriKey$, $Pair$, $PubKey$, $Encrypt$ from atoms.
- The functions $Fst$, $Snd$ and $Decrypt$ are projections: $Fst(Pair(x, y)) = x$, $Snd(Pair(x, y)) = y$, $Decrypt(Encrypt(a_1, PriKey(a_2), m)) = m$.

Abstract cryptography
Motivation: simple reasoning, automation, insight.
Challenge: relate the computational and the abstract model: abstract security $\Rightarrow$ computational security.

Syntax of encryption scheme
Definition (Syntax of encryption scheme). A symmetric encryption scheme is a triple of PPT algorithms $\Pi = (K, E, D)$
$K : Parameter \times Coins \to Key$
$E : Key \times String \times Coins \to Ciphertext \cup \{\bot\}$
$D : Key \times String \to Plaintext \cup \{\bot\}$
with $\Pr[D(k, E(k, m, c)) = m] = 1$ for every $k \xleftarrow{\$} K(1^\eta)$, $c \in Coins$ and $m \in Plaintext$.
A pairing scheme is a triple of PPT algorithms $\Sigma = (P, F, S)$. All messages are tagged.

Protocol example
Notation: $A_k \to B_k : \{k_s\}_k$
Interpretation: experiment $R$ producing a concrete run $[m]$:
$R = [\,k \xleftarrow{\$} K(\eta);\ m \xleftarrow{\$} A_k;\ B_k(m) : m\,]$
$A_k = [\,k_s \xleftarrow{\$} K(\eta);\ e \xleftarrow{\$} E_k(k_s) : e\,]$
$B_k(m) = [\,k_s \leftarrow D_k(m)\,]$

Experiments as terms
Experiment-representing vocabulary. Each function symbol can additionally be marked as probabilistic or parameterized.
Vocabulary for symmetric encryption $\Upsilon_{TYPE\text{-}0}$:
- nullary symbol $undef$ and nullary constants;
- unary symbols $K$, $F$, $S$;
- binary symbols $P$, $D$;
- ternary symbol $E$.
$K$ and $E$ are marked as probabilistic; $K$ is marked as parameterized.

Experiments as terms
Experiment-representing terms. Experiment-representing terms of vocabulary $\Upsilon_{TYPE\text{-}0}$ over a set $Coins$, assuming $t_1, \dots, t_n$ are terms and $c \in Coins$, are:
- if $G$ is an $n$-ary symbol not marked as probabilistic, then $G(t_1, \dots, t_n)$ is a term;
- if $G$ is an $n$-ary probabilistic symbol, then $G(t_1, \dots, t_{n-1}, c)$ is a term.
What is the computational interpretation of terms?

Computational interpretation of terms
Let $\sigma$ be an assignment of infinite strings to $Coins$. Fix $\eta$.
- $undef$ is interpreted as a failure: $[\![undef]\!]^{\Pi,\Sigma}_{\eta,\sigma} = \bot$.
- If $G$ is an $n$-ary symbol not marked as probabilistic, then $[\![G(t_1,\dots,t_n)]\!]^{\Pi,\Sigma}_{\eta,\sigma} = G([\![t_1]\!]^{\Pi,\Sigma}_{\eta,\sigma},\dots,[\![t_n]\!]^{\Pi,\Sigma}_{\eta,\sigma})$.
- If $G$ is an $n$-ary probabilistic but not parameterized symbol, then $[\![G(t_1,\dots,t_n,c)]\!]^{\Pi,\Sigma}_{\eta,\sigma} = G([\![t_1]\!]^{\Pi,\Sigma}_{\eta,\sigma},\dots,[\![t_n]\!]^{\Pi,\Sigma}_{\eta,\sigma},\sigma(c))$.
- If $G$ is an $n$-ary probabilistic and parameterized symbol, then $[\![G(t_1,\dots,t_n,c)]\!]^{\Pi,\Sigma}_{\eta,\sigma} = G(1^\eta,[\![t_1]\!]^{\Pi,\Sigma}_{\eta,\sigma},\dots,[\![t_n]\!]^{\Pi,\Sigma}_{\eta,\sigma},\sigma(c))$.

Experiments as structures
Represent experiments as structures, induced by the equivalence relations on terms:
$D(K(c_1), E(m, K(c_1), c_2)) = m$
$F(P(m_1, m_2)) = m_1$
$S(P(m_1, m_2)) = m_2$
Definition (Interpretation of elements). Let $t_x$ be the unique term not containing the symbols $D$, $F$, $S$ such that $Val(t_x) = x$. Then $[\![x]\!]^{\Pi,\Sigma}_{\eta,\sigma} = [\![t_x]\!]^{\Pi,\Sigma}_{\eta,\sigma}$.

Definition of the background
Definition. $BC_{TYPE\text{-}0}$ is the isomorphism-closed class of structures of vocabulary $\Upsilon_{TYPE\text{-}0}$ freely generated by the functions $K$, $P$, $E$ from atoms.
Lemma. $BC_{TYPE\text{-}0}$ is a background class, with $Coins_X = Atoms(X)$ for every $X \in BC_{TYPE\text{-}0}$.

Abstract algorithms for cryptography
Ordinary small-step algorithms with import operate over the $BC_{TYPE\text{-}0}$ background.
Definition. Let $A$ be a small-step algorithm with ASM program $R$ and let $X$ be a state with background $BC_{TYPE\text{-}0}$. Then
- $[\![X]\!]^{\Pi,\Sigma}_{\eta,\sigma}$ is a concatenation of $[\![x]\!]^{\Pi,\Sigma}_{\eta,\sigma}$ for every exposed $x$;
- $[\![R]\!]^{\Pi,\Sigma}_{\eta}$ is a calculation of $[\![t]\!]^{\Pi,\Sigma}_{\eta,\sigma}$ for every $t$ in $R$; and
- $[\![A]\!]^{\Pi,\Sigma}_{\eta}$ is a PPT algorithm executing $[\![R]\!]^{\Pi,\Sigma}_{\eta}$ on $[\![X]\!]^{\Pi,\Sigma}_{\eta,\sigma}$.

Completeness
Equality and inequality of terms in $X \in BC_{TYPE\text{-}0}$ is preserved with overwhelming probability.
Theorem (Completeness). If an ordinary small-step algorithm with import $A$ distinguishes states $X$ and $Y$, then the PPT algorithm $[\![A]\!]^{\Pi,\Sigma}_{\eta}$ distinguishes $[\![X]\!]^{\Pi,\Sigma}_{\eta,\sigma}$ and $[\![Y]\!]^{\Pi,\Sigma}_{\eta,\sigma}$ with overwhelming probability:
$X \not\sim Y \Rightarrow [\![X]\!]^{\Pi,\Sigma}_{\eta,\sigma} \not\approx [\![Y]\!]^{\Pi,\Sigma}_{\eta,\sigma}$
The algorithm $[\![A]\!]^{\Pi,\Sigma}_{\eta}$ does not reconstruct the pattern.

Notions of security
Computational notions of security:
- indistinguishability as the goal;
- variable attack model;
- completely characterized with two oracles.
Definition (Notion of security). Let $\Pi$ be an encryption scheme and IND-ATT a notion of security characterized by oracles $O_0$ and $O_1$. If
$Adv^{ind\text{-}att}(A) = \Pr[A^{O_1} = 1] - \Pr[A^{O_0} = 1]$
is negligible for every PPT algorithm $A$, then $\Pi$ is IND-ATT secure.

Abadi-Rogaway variants of IND-CPA
Definition (Abadi, Rogaway).
$Adv^{type\text{-}0}(A) = \Pr[k_1, k_2 \xleftarrow{\$} K(1^\eta) : A^{E_{k_1}(\cdot), E_{k_2}(\cdot)} = 1] - \Pr[k \xleftarrow{\$} K(1^\eta) : A^{E_k(0), E_k(0)} = 1]$
Type-0 oracles:
- $O_1$ is associated with two freshly sampled keys $k_1$, $k_2$;
- $O_0$ is associated with a freshly sampled key $k$;
- on binary queries $m_1$, $m_2$: $O_1$ returns fresh encryptions $E_{k_1}(m_1)$, $E_{k_2}(m_2)$; $O_0$ returns fresh encryptions $E_k(0)$, $E_k(0)$.

Abstract notions of security
Abstract block. Such interaction can be represented abstractly with two sets of answer functions $\mathcal{A}$, $\mathcal{B}$ over the $BC_{TYPE\text{-}0}$ background:
- $\alpha \in \mathcal{A}$ iff $[\![\alpha]\!]^{\Pi,\Sigma}_{\eta,\sigma} \in O_0$;
- $\beta \in \mathcal{B}$ iff $[\![\beta]\!]^{\Pi,\Sigma}_{\eta,\sigma} \in O_1$.
Are $\mathcal{A}$ and $\mathcal{B}$ distinguishable by abstract algorithms? They're not: $\langle X, \mathcal{A} \rangle \sim \langle X, \mathcal{B} \rangle$ for every state $X$ with background $BC_{TYPE\text{-}0}$.

Reducibility induced by a security notion
Reducibility relation. Let $\mathcal{A}$ and $\mathcal{B}$ be the sets of answer functions characterizing IND-ATT, and $X$ and $Y$ states with $BC_{TYPE\text{-}0}$ background. If there is an algorithm $A$, $\alpha \in \mathcal{A}$ and $\beta \in \mathcal{B}$ such that
$X = A(0_X, \alpha)$, $Y = A(0_Y, \beta)$
then $X \to_{IND\text{-}ATT} Y$. Its equivalence closure is $=_{IND\text{-}ATT}$.
Computational security is implied by the oracles:
Corollary. If $X =_{IND\text{-}ATT} Y$, then $[\![X]\!]^{\Pi,\Sigma}_{\eta} \approx [\![Y]\!]^{\Pi,\Sigma}_{\eta}$.

Properties of Type-0 reduction
Elimination of subjects. If an inaccessible key $k$ is not used as a subject, we can reduce to a state where all subjects encrypted with that key are $0$:
$\{K(c_1)\}^{c_2}_{K(c_3)},\ \{0\}^{c_4}_{K(c_5)} \ \to\ \{0\}^{c_2}_{K(c_3)},\ \{0\}^{c_4}_{K(c_5)}$
Elimination of keys. If two inaccessible keys $k_1$, $k_2$ are not used as subjects and they encrypt only zeros, we can reduce to a state where all such encryptions are now with the key $k_1$ only:
$\{0\}^{c_2}_{K(c_3)},\ \{0\}^{c_4}_{K(c_5)} \ \to\ \{0\}^{c_2}_{K(c_3)},\ \{0\}^{c_4}_{K(c_3)}$

Recap
What do we have?
$X \not\sim Y \Rightarrow [\![X]\!]^{\Pi,\Sigma}_{\eta} \not\approx [\![Y]\!]^{\Pi,\Sigma}_{\eta}$
What is missing? If we could show that
$X =_{IND\text{-}ATT} Y \Rightarrow [\![X]\!]^{\Pi,\Sigma}_{\eta} \approx [\![Y]\!]^{\Pi,\Sigma}_{\eta}$ and $X \sim Y \Rightarrow X =_{IND\text{-}ATT} Y$,
then
$X \sim Y \Rightarrow X =_{IND\text{-}ATT} Y \Rightarrow [\![X]\!]^{\Pi,\Sigma}_{\eta} \approx [\![Y]\!]^{\Pi,\Sigma}_{\eta}$.
The soundness proof doesn't need to involve probability!!!

Type-0 reduction
Theorem (Abadi, Rogaway). If $X$ is an acyclic state, then $X$ reduces to a state with a single inaccessible key used for encryptions of zeros only.
Corollary. Let $X$ and $Y$ be acyclic states with background $BC_{TYPE\text{-}0}$. Then
$X \sim Y \iff [\![X]\!]^{\Pi,\Sigma}_{\eta} \approx [\![Y]\!]^{\Pi,\Sigma}_{\eta}$.
The argument is completely abstract: it does not reason about probability and Turing machines.

Abadi-Rogaway languages
Language of messages over $Coins$:
$m ::= K(c) \mid Block \mid \langle m_1, m_2 \rangle \mid \{m\}^{c_1}_{K(c_2)}$
Accessibility relation $\vdash$:
- $\langle m_1, m_2 \rangle \vdash m_1$, $\langle m_1, m_2 \rangle \vdash m_2$
- $m_1, m_2 \vdash \langle m_1, m_2 \rangle$
- $\vdash K(c_1)$ if $c_1$ is fresh
- $\vdash b$ if $b \in Block$
- $K(c_1), \{m\}^{c_2}_{K(c_1)} \vdash m$
- $K(c_1), m \vdash \{m\}^{c_2}_{K(c_1)}$

Abadi-Rogaway languages
A pattern is assigned to each message,
$p ::= K(c) \mid Block \mid \langle p_1, p_2 \rangle \mid \{p\}^{c_1}_{K(c_2)} \mid f_i$
by substituting undecryptable encryptions with $f_i$. Messages are equivalent iff their patterns are equal up to renaming of coins.

Relation
$X_m$ is the first order structure with AR messages as the non-logical part of the base set and a single foreground constant denoting $m$.
Theorem. $X_m \in BC_{TYPE\text{-}i}$ (for the usual indexing functions).
- $m_1 \vdash m_2$ iff $m_2$ is accessible (by small-step algorithms) in $X_{m_1}$;
- $m_1 \equiv m_2$ iff $X_{m_1} \sim X_{m_2}$.

Acyclicity
What if the states are not acyclic?
Sometimes it doesn't matter:
$\{\{k_1\}_{k_2}\}_{k_1} \ \to\ \{\{0\}_{k_2}\}_{k_1} \ \to\ \{0\}_{k_1}$
Sometimes it does!
$\{k_1\}_{k_2}, \{k_1\}_{k_1}$    $\{k_1\}_{k_2}, \{0\}_{k_1}$
$\{0\}_{k_2}, \{k_1\}_{k_1}$    $\{0\}_{k_2}, \{0\}_{k_1}$
Both have the same cycle ($k_1 \to k_1$, $k_2 \to k_1$)!

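The accessibility closure and pattern assignment of the two Abadi-Rogaway slides above, run on the cyclic messages of this slide, as an added example in Python (not code from the talk or from Abadi and Rogaway). It models only the analysis half of $\vdash$ (projection and decryption with an accessible key), which is all a pattern needs, and it indexes each box $f_i$ by the coin of the encrypting key; both are assumptions of this example.

```python
from dataclasses import dataclass

# Message grammar of the Abadi-Rogaway slide as immutable terms (example code, not the authors').
@dataclass(frozen=True)
class Key: c: str                                # K(c): key sampled with coin c
@dataclass(frozen=True)
class Block: b: str                              # constant data such as Block("0")
@dataclass(frozen=True)
class Pair: fst: object; snd: object             # <m1, m2>
@dataclass(frozen=True)
class Enc: subject: object; key: str; c: str     # {subject}^{c}_{K(key)}: key coin `key`, encryption coin `c`
@dataclass(frozen=True)
class Box: c: str                                # f_i: undecryptable encryption; c is its key coin (example's convention)

def analysis(m) -> frozenset:
    """Least set containing m and closed under projection and decryption with an already-known key."""
    known = {m}
    while True:
        new = set(known)
        for x in known:
            if isinstance(x, Pair):
                new |= {x.fst, x.snd}
            elif isinstance(x, Enc) and Key(x.key) in known:
                new.add(x.subject)
        if new == known:
            return frozenset(known)
        known = new

def pattern(m, known=None):
    """Replace every encryption whose key is not accessible from the whole message by a box."""
    known = analysis(m) if known is None else known
    if isinstance(m, Pair):
        return Pair(pattern(m.fst, known), pattern(m.snd, known))
    if isinstance(m, Enc):
        return Enc(pattern(m.subject, known), m.key, m.c) if Key(m.key) in known else Box(m.key)
    return m

def equivalent(m1, m2) -> bool:
    """Abadi-Rogaway equivalence: the two patterns are equal up to a bijective renaming of coins."""
    ren = {}
    def same(a, b):                              # extend the renaming a -> b only while it stays bijective
        if a not in ren and b not in ren.values():
            ren[a] = b
        return ren.get(a) == b
    def match(p, q):
        if type(p) is not type(q):
            return False
        if isinstance(p, Pair):
            return match(p.fst, q.fst) and match(p.snd, q.snd)
        if isinstance(p, Enc):
            return same(p.key, q.key) and same(p.c, q.c) and match(p.subject, q.subject)
        return p == q if isinstance(p, Block) else same(p.c, q.c)   # Key or Box: coins up to renaming
    return match(pattern(m1), pattern(m2))
```

For the four states of this slide every pattern comes out as $\langle f_{k_2}, f_{k_1} \rangle$, so pattern equivalence identifies all of them regardless of the key cycle, which is the equivalence by patterns that option 2 of the next slide calls wrong.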
What should we do?
1. Ignore the problem; protocols do not use cyclic encryption.
   - honest participants do not, but an intruder might
2. Use the equivalence induced by a security notion.
   - declare the equivalence by patterns wrong
   - provable soundness for all messages with just CPA
   - does it really solve the problem?
3. Find new (stronger) security notions.
   - computational notions are just proof devices
   - when they diverge from our intentions, look for new ones

Key dependent messages
Definition (Black, Rogaway, Shrimpton 2002). The IND-KDM notion of security is characterized with the following two oracles:
- the oracles independently sample keys $k_1, \dots, k_n$;
- the input to the oracles is a PPT function $f$ on $n$-tuples and an index $i$;
- both oracles compute $f(k_1, \dots, k_n)$;
- oracle $O_1$ outputs a fresh encryption of $f(k_1, \dots, k_n)$ with the key $k_i$;
- oracle $O_0$ outputs a fresh encryption of $0^{|f(k_1, \dots, k_n)|}$ with the key $k_i$.

Abstract IND-KDM security
Definition (IND-KDM answer functions).
- answer functions are associated with $n$ freshly sampled keys;
- abstract queries encode arbitrary background terms and an index;
- the oracles return a fresh encryption of the value of the term with the key $k_i$.
Theorem. Every state reduces to a state where inaccessible keys encrypt zeros only. Soundness for all messages follows.
