Handling Encryption in an Analysis for Secure Information Flow

Similar documents
On the computational soundness of cryptographically masked flows

Lecture 5, CPA Secure Encryption from PRFs

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 2: Perfect Secrecy and its Limitations

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CPA-Security. Definition: A private-key encryption scheme

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Notes on Property-Preserving Encryption

CTR mode of operation

6.892 Computing on Encrypted Data September 16, Lecture 2

Lecture Notes 20: Zero-Knowledge Proofs

1 Indistinguishability for multiple encryptions

Lecture 4: Computationally secure cryptography

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 7: CPA Security, MACs, OWFs

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Computational security & Private key encryption

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

Lectures 2+3: Provable Security

Advanced Cryptography 03/06/2007. Lecture 8

On the CCA1-Security of Elgamal and Damgård s Elgamal

Chapter 2 : Perfectly-Secret Encryption

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

El Gamal A DDH based encryption scheme. Table of contents

Introduction to Cryptology. Lecture 3

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Evaluating 2-DNF Formulas on Ciphertexts

BU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/

Introduction to Cryptography

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

March 19: Zero-Knowledge (cont.) and Signatures

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Lecture 13: Private Key Encryption

Modern Cryptography Lecture 4

Shai Halevi IBM August 2013

1 Number Theory Basics

1 Public-key encryption

6.892 Computing on Encrypted Data October 28, Lecture 7

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Block ciphers And modes of operation. Table of contents

Chosen-Ciphertext Security (I)

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

On the (Im)Possibility of Tamper-Resilient Cryptography: Using Fourier Analysis in Computer Viruses

Modern symmetric-key Encryption

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Notes for Lecture 16

Solutions to homework 2

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

Dan Boneh. Stream ciphers. The One Time Pad

On The (In)security Of Fischlin s Paradigm

Lecture 2: Program Obfuscation - II April 1, 2009

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Lecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes

Lecture 9 - Symmetric Encryption

On The (In)security Of Fischlin s Paradigm

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Computer Science A Cryptography and Data Security. Claude Crépeau

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

On Perfect and Adaptive Security in Exposure-Resilient Cryptography. Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT

Notes on BAN Logic CSG 399. March 7, 2006

1 Cryptographic hash functions

Lecture 18: Message Authentication Codes & Digital Signa

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization

Locally Decodable and Updatable Non-Malleable Codes and Their Applications

On Homomorphic Encryption and Secure Computation

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

non-trivial black-box combiners for collision-resistant hash-functions don t exist

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

MASTER S THESIS FROM FORMAL TO COMPUTATIONAL AUTHENTICITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY

Tamper and Leakage Resilience in the Split-State Model

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

1 Secure two-party computation

Master of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption

Tamper and Leakage Resilience in the Split-State Model

Indistinguishability and Pseudo-Randomness

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XI

Non-malleability under Selective Opening Attacks: Implication and Separation

Lecture 09: Next-bit Unpredictability. Lecture 09: Next-bit Unpredictability

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Positive Results and Techniques for Obfuscation

a Course in Cryptography rafael pass abhi shelat

A survey on quantum-secure cryptographic systems

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Additive Conditional Disclosure of Secrets

Block Ciphers/Pseudorandom Permutations

Fully Homomorphic Encryption - Part II

Solution of Exercise Sheet 7

Transcription:

Handling Encryption in an Analysis for Secure Information Flow Peeter Laud peeter l@ut.ee Tartu Ülikool Cybernetica AS ESOP 2003, 7.-11.04.2003 p.1/15

Overview Some words about the overall approach. Definition of secure information flow. also in computational sense. Ideas behind the analysis. The domains that the analysis uses. The abstraction. Some examples. ESOP 2003, 7.-11.04.2003 p.2/15

Overall approach We have a program language containing encryption. We want to analyse programs for secure information flow. ESOP 2003, 7.-11.04.2003 p.3/15

Overall approach We have a program language containing encryption. We want to analyse programs for secure information flow. Use cryptographic definitions of secure encryption. Use the same domains in defining program semantics. Bit-strings as values. more... (the security parameter) Define secure information flow using cryptographic machinery. ESOP 2003, 7.-11.04.2003 p.3/15

Overall approach We have a program language containing encryption. We want to analyse programs for secure information flow. Use cryptographic definitions of secure encryption. Use the same domains in defining program semantics. Bit-strings as values. more... (the security parameter) Define secure information flow using cryptographic machinery. Devise the analysis. Its proof of correctness has cryptographic nature. ESOP 2003, 7.-11.04.2003 p.3/15

Program language The WHILE-language (simple imperative language). P ::= x := o(x 1,..., x k ) skip P 1 ; P 2 if b then P 1 else P 2 while b do P b, x, x 1,..., x k Var. o Op. Enc, Gen Op. Denotational semantics, defined over program structure. Maps initial state to final state. Program state maps variables to their values. ESOP 2003, 7.-11.04.2003 p.4/15

Security as independence Source of inputs defines a probability distribution D on inputs values of variables in Var S Var Secret inputs Inputs (initial state) Outputs final state) Program P Public outputs values of variables in Var P Var ESOP 2003, 7.-11.04.2003 p.5/15

Security as independence Source of inputs defines a probability distribution D on inputs values of variables in Var S Var Secret inputs Inputs (initial state) Secure information flow: independence of and Outputs final state) Program P Public outputs values of variables in Var P Var ESOP 2003, 7.-11.04.2003 p.5/15

Security as independence Source of inputs defines a probability distribution D on inputs values of variables in Var S Var Secret inputs Inputs (initial state) Secure information flow: independence of and Program P Outputs final state) { (S VarS, [P](S) VarP ) : S D } = { (S VarS, [P](S ) VarP ) : S, S D } Public outputs values of variables in Var P Var ESOP 2003, 7.-11.04.2003 p.5/15

Indistinguishability of distributions Let D 0, D 1 be two distributions over bit-strings. Let A be a class of algorithms. Let A A Consider the following experiment Let b R {0, 1}. Generate x D b. Run A(x). Let b be the output. Let Adv D0,D 1 A = Pr[b = b ] 1/2. D 0 and D 1 are ε- indistinguishable, if Adv D0,D 1 A all A A. ε for ESOP 2003, 7.-11.04.2003 p.6/15

Indistinguishability of distributions Let D 0 = {D 0 n} n N, D 1 = {D 1 n} n N be two families of distributions over bit-strings. Let A be the class of algorithms running in poly-time. Let A A Consider the following experiment Let b n R {0, 1}. Generate x D b n. Run A(n,x). Let b n be the output. Let Adv D0,D 1 A (n) = Pr[b n = b n] 1/2. D 0 and D 1 are indistinguishable, if Adv D0,D 1 A negligible for all A A. f is negligible def 1/f is superpolynomial. is ESOP 2003, 7.-11.04.2003 p.6/15

Definition of security Source of inputs n defines a family of probability distributions D on inputs values of variables in Var S Var Secret inputs Inputs (initial state) Secure information flow: independence of and Outputs final state) Program P n Public outputs { (S n VarS, [P] n (S n ) VarP ) : S n D n } { (S n VarS, [P] n (S n) VarP ) : values of variables in Var P Var S n, S n D n } ESOP 2003, 7.-11.04.2003 p.7/15

Program analysis approach Program text Secure Analysis or Desc. of inputs Maybe not secure Having secure information flow is uncomputable in general. Description of inputs whatever is known about D.... and expressible in the domain of the analysis. ESOP 2003, 7.-11.04.2003 p.8/15

Domain of the analysis Analysis maps the description of the input distribution to the description of the output distribution. Description of D = {D n } n N is (X, K) P(P(Var) P(Var)) P(Var). (X, Y ) X, if X and Y are independent in D. k K, if (the value of) k is distributed like a key. Assume the program does not change the variables in Var S. If (Var S, Var P ) X output, then the program has secure information flow. The analysis is defined inductively over the program structure. ESOP 2003, 7.-11.04.2003 p.9/15

Example: analysing assignments Consider the program x := o(x 1,..., x k ). If (X {x 1,..., x k }, Y ) X input then (X {x 1,..., x k, x}, Y ) X output. ESOP 2003, 7.-11.04.2003 p.10/15

Analysing encryptions problems Let k be distributed like a key in D input. Consider the program l := k + 1. Then {l} is not independent of {k} in D output. Consider the program x := Enc(k, y). Then {x} is not independent of {k} in D output. To check whether x and k come from the same or from different samples of D output, try to decrypt x with k. These two cases should be distinguished as l is usable for decryption but x is not. ESOP 2003, 7.-11.04.2003 p.11/15

Encrypting black boxes Let k Var. Let S be a program state. S([k] E ) denotes a black box that encrypts with k. I.e. S([k] E ) has an input tape and an output tape; When a bit-string w is written on the its tape, [Enc ](S(k), w) is invoked and the result written to the output tape. Indistinguishability can be defined for distributions over black boxes. Independence can be defined, too. Security of ([Gen ], [Enc ]) is defined as the indistinguishability of certain black boxes. ESOP 2003, 7.-11.04.2003 p.12/15

Modified domain of the analysis Let Ṽar = Var {[x] E : x Var}. Description of a distribution D is (X, K) P(P(Ṽar) P(Ṽar)) P(Var). (X, Y ) X if X and Y are independent in D. k K, if the distribution of [k] E according to D is indistinguishable from [[Gen ]()] E. ESOP 2003, 7.-11.04.2003 p.13/15

Analysing encryptions Consider the program x := Enc(k, y). If (X, Y ) X input and k K input and ({[k] E }, X Y {y}) X input then (X {x}, Y ) X output. Generally ({[k] E }, {[k] E }) X input, hence ({x}, {[k] E }) X output. If we have a program l := k + 1, then ({l}, {[k] E }) X output. For analysis of other program constructs see the article. ESOP 2003, 7.-11.04.2003 p.14/15

Concluding remarks Program analysis for computationally secure information flow. Based on abstracting the families of probability distributions over program states by pairs of sets of variables and encrypting black boxes that are independent of one another in it. No (non-trivial) constraints on program structure. Can be implemented. http://www.ut.ee/ peeter_l/research/csif ESOP 2003, 7.-11.04.2003 p.15/15

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback