On the computational soundness of cryptographically masked flows

Similar documents
Handling Encryption in an Analysis for Secure Information Flow

CPA-Security. Definition: A private-key encryption scheme

Computational security & Private key encryption

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Notes on Property-Preserving Encryption

Lecture 9 - Symmetric Encryption

Lecture 2: Perfect Secrecy and its Limitations

Modern Cryptography Lecture 4

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Modern symmetric-key Encryption

Lecture 7: CPA Security, MACs, OWFs

Solution of Exercise Sheet 6

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

15 Public-Key Encryption

Lecture 5, CPA Secure Encryption from PRFs

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

1 Indistinguishability for multiple encryptions

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Symmetric Encryption

Lectures 2+3: Provable Security

Block ciphers And modes of operation. Table of contents

Jay Daigle Occidental College Math 401: Cryptology

Lecture Notes 20: Zero-Knowledge Proofs

Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

1 Number Theory Basics

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Introduction to Cryptology. Lecture 3

CS 6260 Applied Cryptography

Semantic Security and Indistinguishability in the Quantum World

CS 6260 Applied Cryptography

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

8 Security against Chosen Plaintext

Perfectly-Secret Encryption

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols

CTR mode of operation

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Cryptography 2017 Lecture 2

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CPSC 467b: Cryptography and Computer Security

Provable security. Michel Abdalla

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

Block Ciphers/Pseudorandom Permutations

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Advanced Topics in Cryptography

Lecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes

2 Message authentication codes (MACs)

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Introduction to Cybersecurity Cryptography (Part 4)

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

ASYMMETRIC ENCRYPTION

Introduction to Cybersecurity Cryptography (Part 4)

Chapter 2 : Perfectly-Secret Encryption

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

III. Pseudorandom functions & encryption

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

5199/IOC5063 Theory of Cryptology, 2014 Fall

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

Post-quantum security models for authenticated encryption

On Perfect and Adaptive Security in Exposure-Resilient Cryptography. Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT

Historical cryptography. cryptography encryption main applications: military and diplomacy

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

CPSC 467b: Cryptography and Computer Security

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

Lecture 12: Block ciphers

Lecture 15 - Zero Knowledge Proofs

Topics. Probability Theory. Perfect Secrecy. Information Theory

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Negative applications of the ASM thesis

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Cryptography CS 555. Topic 4: Computational Security

The Vigenère cipher is a stronger version of the Caesar cipher The encryption key is a word/sentence/random text ( and )

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Scribe for Lecture #5

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Chosen-Ciphertext Security (I)

Multiparty Computation

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

General Impossibility of Group Homomorphic Encryption in the Quantum World

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers

10 Concrete candidates for public key crypto

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

Transcription:

On the computational soundness of cryptographically masked flows Peeter Laud peeter.laud@ut.ee http://www.ut.ee/ peeter l Tartu University & Cybernetica AS & Institute of Cybernetics Mobius annual meeting, 05.-07.06.2007 p. 1/23

Motivation Usual non-interference too strong for programs with encryption. Cryptographic security definitions use complex domains, are notationally heavy. The definitions for computational non-interference suffer from the same problems. Could we abstract from these definitions? Is there some formalism, where the domain and the definition of non-interference were more traditional, NI for a program in this domain would mean computational NI for the same program in the real-world semantics? Mobius annual meeting, 05.-07.06.2007 p. 2/23

Cryptographically masked flows Aslan Askarov, Daniel Hedin, Andrei Sabelfeld. Cryptographically-Masked Flows. SAS 2006. A proposal for the formalism that abstracts away complexity-theoretic details, but leaves (most of) everything else intact. Encryption is modeled non-deterministically. Possibilistic non-interference with extra leniency for encrypted values. Does NI in this model imply computational NI? Are cryptographically masked flows computationally sound? Acknowledgement: the above question was asked by David Sands during our Dagstuhl-event. Mobius annual meeting, 05.-07.06.2007 p. 3/23

The programming language In this talk: The WHILE-language with extra operations: key generation, encryption, decryption pairing, projection In the [AHS06]-paper: more... Parallel processes with global variables and message channels Two encryption schemes (one for public values only) Mobius annual meeting, 05.-07.06.2007 p. 4/23

Semantics Big-step SOS from a configuration to a set of final states. The state consists of The memory mapping from variables to values; The key-stream the values of keys generated in the future. All operations, except encryption, are deterministic. Mobius annual meeting, 05.-07.06.2007 p. 5/23

Encryption Systems Three algorithms: K key generation, zero arguments, probabilistic; E encryption, two arguments, probabilistic; D decryption, two arguments, deterministic. Correctness: D(k,E(r;k,x)) = x for all keys k that can be output by K; possible random coins r used by E. The random coins used by E are called the initial vector. D may produce an error. Mobius annual meeting, 05.-07.06.2007 p. 6/23

Semantics Big-step SOS from a configuration to a set of final states. The state consists of The memory mapping from variables to values; The key-stream the values of keys generated (by K) in the future. All operations, except encryption, are deterministic. Encryption models the randomized encryption algorithms of the real world: To encrypt x with the key k, choose an initial vector r and compute E(r;k,x). In reality, r is chosen probabilistically, here it is modeled by non-deterministic choice. Mobius annual meeting, 05.-07.06.2007 p. 7/23

Low-equivalence of memories Let the variables be partitioned to Var H and Var L. Let the values be tagged with their types key, encryption, pair, other (integer). n L n; k L k; x 1 L y 1 x 2 L y 2 (x 1,x 2 ) L (y 1,y 2 ); E(r;k 1,x 1 ) L E(r;k 2,x 2 ) for all x 1,x 2,k 1,k 2. S 1 L S 2 if S 1 (x) L S 2 (x) for all x Var L. Mobius annual meeting, 05.-07.06.2007 p. 8/23

Possibilistic non-interference Program P is non-interfering if for all states S 1,S 2 and keystreams G 1,G 2, such that S 1 L S 2 let S i = {S (S i,g i ) (S,G )} for i {1, 2}, then for all S 1 S 1 there must exist S 2 S 2 such that S 1 L S 2. (and vice versa) Mobius annual meeting, 05.-07.06.2007 p. 9/23

Real-world semantics Big step SOS maps an initial configuration to a probability distribution over final states. Let us not consider non-termination. And assume that the program terminates in a reasonable number of steps. Initial state is distributed according to some D. The program P is non-interferent if no algorithm A using a reasonable amount of resources can guess b from b R {0, 1}, S 0,S 1 D S [P ](S b ) give (S 0 VarH,S VarL ) to A Mobius annual meeting, 05.-07.06.2007 p. 10/23

Soundness theorem If the program P satisfies the following conditions:... and the encryption system satisfies the following conditions IND-KDM-CPA- and INT-PTXT-security and P satisfies possibilistic non-interference then P satisfies computational non-interference. The conditions put on P should be verifiable in the possibilistic model. Otherwise we lose the modularity of the approach. Mobius annual meeting, 05.-07.06.2007 p. 11/23

Condition: ciphertexts only from E L s relaxed treatment of ciphertexts must be restricted to values produced by the encryption operation. Otherwise, consider the following program: k := newkey;p 1 := enc(k,s) r := getiv(p 1 );p 2 := ẽnc(r + 1;k,s) Initial state ({s v s },v k :: G) is mapped to { } {p 1 E(v r ;v k,v s ),p 2 E(v r + 1;v k,v s )} v r Coins that does not depend (for L ) on initial secrets. Mobius annual meeting, 05.-07.06.2007 p. 12/23

Counter mode of using a block cipher IV IV + 1 IV + 2 IV + 3 IV + 4 E k E k E k E k x 1 x 2 x 3 x 4 y 0 y 1 y 2 y 3 y 4 A good encryption system. If we used it on the previous slide, then we could learn v s1 v s2, v s2 v s3, v s3 v s4,... Mobius annual meeting, 05.-07.06.2007 p. 13/23

Security of encryption systems Let O 0 and O 1 be the following interactive machines: on initialization, generate k K(); on query x {0, 1} O 0 returns E(k,x), O 1 returns E(k, 0 x ). Encryption system is IND-CPA-secure if no reasonably powerful adversary A can guess b from the interaction with O b. IND-CPA with multiple keys: O 0 and O 1 on initialization generate k i K() for all i N; on query (i,x) use the key k i for x as before. IND-CPA with multiple keys is equivalent to IND-CPA. Mobius annual meeting, 05.-07.06.2007 p. 14/23

More security considerations Encryption cycles are not excluded, hence we must use encryption systems secure in the presence of key dependent messages. Our definition of possibilistic NI also hides the identities of keys, the length of messages. Mobius annual meeting, 05.-07.06.2007 p. 15/23

IND-KDM-CPA Let O 0 and O 1 be the following: On initialization O 0 generates keys k i, i N; O 1 generates the key k. On input (i,e) where e is an expression with free variables k j the machine O 0 evaluates e, letting k j refer to its keys, encrypts the result with k i and returns it; and the machine O 1 returns E(k, 0 const ). If no reasonably powerful adversary A can guess b from the interaction with O b then the encryption system is IND-CPA-secure, which-key concealing and length-concealing in the presence of key-dependent messages. Mobius annual meeting, 05.-07.06.2007 p. 16/23

Condition: keys used only at E and D...... and vice versa. Consider the program k 1 := newkey;if B(k 1 ) then k 2 := k 1 else k 2 := newkey fi;... Afterwards, k 2 is not distributed as coming from K. Mobius annual meeting, 05.-07.06.2007 p. 17/23

What may be decrypted The possibilistic semantics only allows to decrypt legitimate ciphertexts. We may phrase this as a condition on the programs. Or we may require that the encryption system provides integrity for plaintexts: Let O be the following: On initialization, it generates k K(); On query x, it returns E(k,x). No reasonably powerful adversary A interacting with O may be able to produce a ciphertext c, such that D(k,c) = m (i.e. D does not fail); A did not query O with m. Mobius annual meeting, 05.-07.06.2007 p. 18/23

Enforcing those conditions Give types to variables: the types τ are τ ::= int key enc(τ) (τ,τ) We may want to compute with ciphertexts, hence we subtype enc(τ) int. Types of operations: arithmetic operations: int k int; pairing: τ 1 τ 2 (τ 1,τ 2 ); i-th projection: (τ 1,τ 2 ) τ i ; key generation: 1 key; encryption: key τ enc(τ); decryption: key enc(τ) τ; guards: int. [AHS06] already has such a type system. Mobius annual meeting, 05.-07.06.2007 p. 19/23

Removing decryptions Change the real-world program: Give names to keys: replace each k := newkey with k := newkey;k name := c;c := c + 1 for each ciphertext record the key name and the plaintext in the auxiliary variables. Replace y := E(k,x) with y := E(k,x);y keyname := k name ;y ptext := x Replace the statements x := D(k,y) with if k name = y keyname then x := y ptext else x := fi The low-visible semantics does not change. Mobius annual meeting, 05.-07.06.2007 p. 20/23

Encryption random number gen.-tion Apply the definition of IND-KDM-CPA to the real-world program: Replace each E(k,y) with E(k 0, 0). E(k 0, 0) generates random numbers according to a certain distribution. In the possibilistic NI, we also treat encryption as random number generation. As only the initial vector matters. Mobius annual meeting, 05.-07.06.2007 p. 21/23

Possib. secrecy probab. secrecy Let h be a number from 1 to 100. Consider the following program if rnd({0, 1}) = 1 then l := h else l := rnd({1,...,100}) The possible values of l do not depend on h. But their distribution depends on h. We can come up with similiar examples in our language. Using E in place of rnd. Hence using ciphertexts in computations is questionable as well. Remove the subtyping enc(τ) int. Mobius annual meeting, 05.-07.06.2007 p. 22/23

The conditions for the program The variables are typed, as specified before. (no subtyping) τ ::= int key enc(τ) (τ,τ) The operations respect those types. Failures to decrypt are visible in the possibilistic semantics. Our theorem holds now. In a program point, two ciphertexts are either equal or independent. Mobius annual meeting, 05.-07.06.2007 p. 23/23

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback