CS 395T. Probabilistic Polynomial-Time Calculus

Similar documents
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality

Introduction to Cryptography. Lecture 8

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Advanced Topics in Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

1 Number Theory Basics

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Lecture 17: Constructions of Public-Key Encryption

5.4 ElGamal - definition

Lecture 7: ElGamal and Discrete Logarithms

Lecture Note 3 Date:

14 Diffie-Hellman Key Agreement

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Notes for Lecture 17

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Advanced Cryptography 1st Semester Public Encryption

A PROBABILISTIC POLYNOMIAL-TIME PROCESS CALCULUS FOR THE ANALYSIS OF CRYPTOGRAPHIC PROTOCOLS

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Public-Key Encryption: ElGamal, RSA, Rabin

CPSC 467b: Cryptography and Computer Security

Advanced Cryptography 03/06/2007. Lecture 8

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Lecture 15 - Zero Knowledge Proofs

Lecture Notes, Week 6

Lecture 11: Key Agreement

Lossy Trapdoor Functions and Their Applications

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Provable security. Michel Abdalla

Modern symmetric-key Encryption

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Applications of Combinatorial Group Theory in Modern Cryptography

Notes on BAN Logic CSG 399. March 7, 2006

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Other Public-Key Cryptosystems

Introduction to Cybersecurity Cryptography (Part 4)

Public Key Cryptography

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Introduction to Cybersecurity Cryptography (Part 4)

Short Exponent Diffie-Hellman Problems

Public-Key Cryptosystems CHAPTER 4

The Cramer-Shoup Cryptosystem

G Advanced Cryptography April 10th, Lecture 11

Cryptography IV: Asymmetric Ciphers

Lecture 7: CPA Security, MACs, OWFs

Elliptic Curve Cryptography

El Gamal A DDH based encryption scheme. Table of contents

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

6.080/6.089 GITCS Apr 15, Lecture 17

Lecture 7: Boneh-Boyen Proof & Waters IBE System

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Practice Assignment 2 Discussion 24/02/ /02/2018

Lectures 2+3: Provable Security

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Lecture 1: Introduction to Public key cryptography

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

ECS 189A Final Cryptography Spring 2011

Suppose F is a field and a1,..., a6 F. Definition 1. An elliptic curve E over a field F is a curve given by an equation:

Efficient Identity-based Encryption Without Random Oracles

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Cryptography and Security Midterm Exam

Introduction to Modern Cryptography. Benny Chor

Other Public-Key Cryptosystems

Computational security & Private key encryption

A Probabilistic Polynomial-time Calculus For Analysis of Cryptographic Protocols (Preliminary Report)

Introduction to Modern Cryptography. Benny Chor

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

A SIMPLE GENERALIZATION OF THE ELGAMAL CRYPTOSYSTEM TO NON-ABELIAN GROUPS

Adaptive Security of Compositions

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

Computer Science A Cryptography and Data Security. Claude Crépeau

Simple SK-ID-KEM 1. 1 Introduction

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Lecture 4: Computationally secure cryptography

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

CPSC 467: Cryptography and Computer Security

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

Elliptic Curve Cryptography with Derive

Public-key Cryptography and elliptic curves

Circuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.

One can use elliptic curves to factor integers, although probably not RSA moduli.

MATH 158 FINAL EXAM 20 DECEMBER 2016

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

15 Public-Key Encryption

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack

4-3 A Survey on Oblivious Transfer Protocols

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Lecture 13: Private Key Encryption

Lecture 2: Program Obfuscation - II April 1, 2009

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Computational Soundness

Transcription:

CS 395T Probabilistic Polynomial-Time Calculus

Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is indistinguishable from a perfectly secure ideal protocol Security is defined as observational equivalence between protocol and its ideal functionality Both formal methods and cryptography use this approach, but with different notions of what it means for the adversary to observe the protocol execution

Bridging the Gap Cryptography: observational equivalence is defined as computational indistinguishability No probabilistic poly-time algorithm can tell the difference between the real and the ideal protocol with more than negligible probability Formal methods: observational equivalence is defined as some form of process bisimulation No probabilitities, no computational bounds Goal: bridge the gap by explicitly supporting probability and complexity in process calculus

Standard Example: PRNG Pseudo-random sequence P n : let b = n k -bit sequence generated from n random bits ( seed ) in PUBLIC b end Truly random sequence Q n : let b = sequence of n k random bits in PUBLIC b end P is a cryptographically strong pseudo-random number generator if the two sequences are observationally equivalent P Q Equivalence is asymptotic in security parameter n

Process Calculus Approach Write protocol in process calculus For example, applied pi-calculus Express security using observational equivalence Standard relation from programming language theory P Q iff for all contexts C[ ], same observations about C[P] and C[Q] Inherently compositional (quantifies over all contexts) Context (environment) represents adversary [Abadi-Gordon and others] Use proof rules for to prove observational equivalence to the ideal protocol

Challenges Probabilistic formal model for crypto primitives Key generation, random nonces, randomized encryption Probabilistic attacker Replace nondeterminism with probability Need a formal way of representing complexity bounds Asymptotic form of observational equivalence Relate to polynomial-time statistical tests Proof rules for probabilistic observational equivalence

Nondeterminism Is Too Strong Alice encrypts message and sends to Bob A B: { msg } K Adversary nondeterministically guesses every bit of the key Process E 0 c 0 c 0 c 0 Process E 1 c 1 c 1 c 1 Process E c(b 1 ).c(b 2 )...c(b n ).decrypt(b 1 b 2...b n, msg) In reality, at most 2 -n chance to guess n-bit key

PPT Calculus: Syntax Bounded π-calculus with integer terms P :: = 0 c q( n ) T send up to q( n ) bits c q( n ) (x).p receive υc q( n ).P private channel [T=T] P test P P parallel composition! q( n ) P bounded replication Size of expressions is polynomial in n Terms may contain symbol n; channel width and replication bounded by polynomial of n

Probabilistic Operational Semantics Basic idea: alternate between terms & processes Probabilistic scheduling of parallel processes Probabilistic evaluation of terms (incl. rand) Outer term evaluation Evaluate all exposed terms, evaluate tests Communication Match up pairs send and receive actions If multiple pairs, schedule them probabilistically Probabilistic if multiple send-receive pairs alternate

Probabilistic Scheduling Outer term evaluation Evaluate all exposed terms in parallel Multiply probabilities Communication E(P) = set of eligible subprocesses S(P) = set of schedulable pairs Schedule private communication first Probabilistic poly-time computable scheduler that makes progress

Simple Example Process c rand+1 c(x).d x+1 d 2 d(y).e y+1 Outer evaluation c 1 c(x).d x+1 d 2 d(y). e y+1 c 2 c(x).d x+1 d 2 d(y). e y+1 Communication rand is 0 or 1 with prob. ½ c 1 c(x).d x+1 d 2 d(y). e y+1 Each with prob ½ Choose according to probabilistic scheduler

Complexity Bound on number of communications Count total number of inputs, multiplying by q( n ) to account for bounded replication! q( n ) P Bound on term evaluation Closed term T is evaluated in time q T ( n ) Bound on time for each communication step Example: c m c(x).p [m/x]p Bound on size of m; previous steps preserve # of x occurrences For each closed process P, there is a polynomial q(x) such that for all n, all probabilistic poly-time schedulers, evaluation of P halts in time q( n )

How To Define Process Equivalence? Intuition: P and Q are equivalent if no test by any context can distinguish them Prob{ C[P] yes } - Prob{ C[Q] yes } < ε How do we choose ε? Less than 1/2, 1/4,? (not an equivalence relation) Vanishingly small? As a function of what? Solution: asymptotic form of process equivalence Use security parameter (e.g., key length) Protocol is a family { P n } n>0 indexed by key length

Probabilistic Observat l Equivalence Asymptotic equivalence within f Families of processes { P n } n>0 { Q n } n>0 Family of contexts { C n } n>0 P f Q if context C[ ]. observation v. n 0. n>n 0 Prob(C n [P n ] v) Prob(C n [Q n ] v) < f(n) Asymptotic polynomial indistinguishability P Q if P f Q for every f(n) = 1/p(n) where p(n) is a polynomial function of n

Probabilistic Bisimulation Labeled transition system Evaluate process in a maximally benevolent context Process may read any input on public channel or send output even if no matching input exists in process Label with numbers resembling probabilities Bisimulation relation If P ~ Q and P P, then exists Q such that r r Q Q and P ~ Q, and vice versa Strong form of probalistic equivalence [van Glabbeek, Smolka, and Steffen] Implies probabilistic observational equivalence, but not vice versa

Provable Equivalences (1) Assume scheduler is stable under bisimulation P ~ Q C[P] ~ C[Q] P ~ Q P Q P (Q R) (P Q) R P Q Q P P 0 P

Provable Equivalences (2) P υc. (c<t> c(x).p) if x FV(P) P{a/x} υc.(c<a> c(x).p) if bandwidth of c large enough P 0 if no public channels in P P Q P{d/c} Q{d/c} if c, d have the same bandwidth, c<t> c<t > d is fresh if Prob[T a] = Prob[T a] for all a

Connection with Cryptography Can use probabilistic observational equivalence in process calculus to carry out proofs of protocol security Example: semantic security of ElGamal public-key cryptosystem is equivalent to Decisional Diffie- Hellman Reminder: semantic security is indistinguishability of encryptions enc k (m) is indistinguishable from enc k (m )

Review: Decisional Diffie-Hellman n is security parameter (e.g., key length) G n is cyclic group of prime order p, length of p is roughly n, g is generator of G n For random a, b, c {0,, p-1} g a, g b, g ab g a, g b, g c

ElGamal Cryptosystem n is security parameter (e.g., key length) G n is cyclic group of prime order p, length of p is roughly n, g is generator of G n Keys Private key = g, x, public key = g, g x Encryption of m G n is g k, m (g x ) k k {0,..., p-1} is random Decryption of v, w is w (v x ) -1 For v=g k, w=m (g x ) k get w (v x ) -1 = m g xk /g kx = m

DDH Semantic Security of ElGamal Start with g a, g b, g ab g a, g b, g c (random a,b,c) Build up statement of semantic security from this in(c, x,y ).out(c, g k, m g xk ) in(c, x,y ).out(c, g k, n g xk ) Use structural transformations Encryption of m is observationally equivalent to encryption of n E.g., out(c,t(r)) out(c,u(r)) (any random r) implies in(c,x).out(c,t(x)) in(c,x).out(c,u(x) ) Use domain-specific axioms E.g., out(c, g a,g b,g ab ) out(c, g a,g b,g c ) implies out(c, g a,g b,m g ab ) out(c, g a,g b,m g c ) (any M)

Semantic Security of ElGamal DDH Harder direction: break down vs. build up Want to go from in(c, x,y ).out(c, g k,m g xk ) in(c, x,y ).out(c, g k,n g xk ) to g x,g k,g kx g x,g k,g c Main idea: if m=1, then we essentially have DDH Proof constructs a DDH tuple Hide all public channels except output challenge Set the message to 1 Need structural rule equating a process with the term simulating the process Special case: process with 1 public output

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback