Code-Based Game-Playing Proofs and the Security of Triple Encryption

The game-playing technique is a powerful tool for analyzing cryptographic constructions. We illustrate this by using games as the central tool for proving security of three-key triple-encryption, a long-standing open problem. Our result, which is in the ideal-cipher model, demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary\u27s maximal advantage is small until it asks about $2^{78}$ queries. Beyond this application, we develop the foundations for game playing, formalizing a general framework for game-playing proofs and discussing techniques used within such proofs. To further exercise the game-playing framework we show how to use games to get simple proofs for the PRP/PRF Switching Lemma, the security of the basic CBC~MAC, and the chosen-plaintext-attack security of OAEP

On formal verification of arithmetic-based cryptographic primitives

Cryptographic primitives are fundamental for information security: they are used as basic components for cryptographic protocols or public-key cryptosystems. In many cases, their security proofs consist in showing that they are reducible to computationally hard problems. Those reductions can be subtle and tedious, and thus not easily checkable. On top of the proof assistant Coq, we had implemented in previous work a toolbox for writing and checking game-based security proofs of cryptographic primitives. In this paper we describe its extension with number-theoretic capabilities so that it is now possible to write and check arithmetic-based cryptographic primitives in our toolbox. We illustrate our work by machine checking the game-based proofs of unpredictability of the pseudo-random bit generator of Blum, Blum and Shub, and semantic security of the public-key cryptographic scheme of Goldwasser and Micali.Comment: 13 page

Computer-aided proofs for multiparty computation with active security

Secure multi-party computation (MPC) is a general cryptographic technique that allows distrusting parties to compute a function of their individual inputs, while only revealing the output of the function. It has found applications in areas such as auctioning, email filtering, and secure teleconference. Given its importance, it is crucial that the protocols are specified and implemented correctly. In the programming language community it has become good practice to use computer proof assistants to verify correctness proofs. In the field of cryptography, EasyCrypt is the state of the art proof assistant. It provides an embedded language for probabilistic programming, together with a specialized logic, embedded into an ambient general purpose higher-order logic. It allows us to conveniently express cryptographic properties. EasyCrypt has been used successfully on many applications, including public-key encryption, signatures, garbled circuits and differential privacy. Here we show for the first time that it can also be used to prove security of MPC against a malicious adversary. We formalize additive and replicated secret sharing schemes and apply them to Maurer's MPC protocol for secure addition and multiplication. Our method extends to general polynomial functions. We follow the insights from EasyCrypt that security proofs can be often be reduced to proofs about program equivalence, a topic that is well understood in the verification of programming languages. In particular, we show that in the passive case the non-interference-based definition is equivalent to a standard game-based security definition. For the active case we provide a new NI definition, which we call input independence

Type Inference for a Cryptographic Protocol Prover Tool

Krüptograafia uurimisrühm Tartus arendab mängupõhiste krüptograafiliste protokollide tõestajat nimega ProveIt. Idee ProveIt’i taga on lihtsustada tõestamise protsessi. Tegemist ei ole automaatse tõestajaga, vaid abivahendiga krüptograafidele. ProveIt võimaldab teadlastel teha muudatusi koodina üleskirjutatud tõenäosuslikele mängudele ja teeb koodi ümberkirjutamise automaatselt. See aitab garanteerida korrektsuse, hoida kokku aega ja samas jätta tõestuse arusaadavaks. Üks võimalus kirjutada üles krüptograafilisi protokolle on kirjeldada neid programmeerimiskeelele sarnase pseudokoodiga, mida nimetatakse mänguks. Mängu muutmisel samm-sammult saame mõnikord jõuda teise mänguni, mille turvalisuse hinnangut me teame. Nende mängude jada ongi üks võimalik viis, kuidas saab anda protokolli turvalisuse tõestuse - seda nimetatakse mängupõhiseks tõestamiseks. Mängupõhine tõestamine on populaarne viis analüüsimaks protokollide turvalisust, sest see on võrdlemisi intuitiivne. Tavaliselt kasutatakse paberit ja pliiatsit, et kirjutada üles mänge, kuid kuna krüptograafiliste protokollide tõestamine ei ole just kõige lihtsam asi, mida teha, siis inimesed sageli lõpetavad suure kuhja paberitega igal pool, sealhulgas mitmete tupikute ja vigadega. Meie eesmärgiks on seda muuta ja anda krüptograafile võimalus mängu ümber kirjutamise asemel keskenduda järgmise sammu väljamõtlemisele. Kuigi krüptograafial on oluline roll selle bakalaureusetöö juures, siis põhi fookus lasub siiski tüübiteoorial. Nimelt on selle töö eesmärgiks luua tüübikontroll ProveIt’i jaoks. Mängupõhiseid tõestusi saab edukalt kirjutada ilma tüüpidest mi- dagi teadmata, aga tüüpide kasutamine ProveIt’is võimaldab tagada kindlamalt korrektsuse ja kasutajat paremini aidata. Tüübikontrolli abil saame näiteks veenduda, et krüptograaf ei ürita omavahel liita numbreid ja pesukarusid. Selle fakti ja vea asukoha teadmine võib kokku hoida palju kasutaja aega. Lihtne lahendus tüübikontrolli jaoks oleks nõuda kasutajalt kõigi muutujate tüüpide defineerimist, kuid see nõuaks temalt lisatööd, mis on aga vastuolus ProveIt’i eesmärgiga. Järelikult tuleb lisaks tüübikontrollile realiseerida ka tüübituletus ehk programm, mis üritab ise kõigi muutujate tüüpe määrata. Selleks, et teha tüübituletust defineerisime me kõigepealt tüübisüsteemi ProveIt’i keele jaoks. Andsime tüübireeglid aritmeetiliste avaldiste, juhuslikult hulgast valimise ja omistamise jaoks. Funktsioonide ja loogiliste avaldiste tüüpimine ei ole käesoleva bakalaureusetöö skoobis, kuid need on vajalikud osad ProveIt’ile täieliku tüüpija lisamiseks. Lisaks tüübisüsteemi ja tüübireeglite kirjeldamisele kuulus käesoleva bakalaureuse töö juurde aritmeetiliste avaldiste tüüpimise realiseerimine ja ProveIt’ile lisamine. Selle jaoks on töös antud kuus algoritmi. Arendusvahenditena valisime Qt raamistiku ja programmeerimiskeele C++. Otsustasime keele C++ kasuks, sest ProveIt on selles keeles kirjutatud, ning see võimaldab ühildamise lihtsamaks muuta.This thesis introduces types into the ProveIt language, making it possible to perform type inference and type checking. The ProveIt language is a is a probabilistic program language used in ProveIt, a tool that helps cryptographers prove cryptographic protocols in a game-based way in the computational model. The work begins by explaining the necessary background knowledge: the computational model, game-based proving, the ProveIt prover tool and the ProveIt language. How they work and why they are relevant is also described. Introducing types into ProveIt allows further guarantee the correctness and providing better help to the user. Knowing that the user is tying to find the square root of a banana and where, might save a lot of his or her time. Although it would be easier to demand the user to state all the types for all the variables and only perform type checking, we decide not to do so and instead infer the types. This is done because our goal is to make the proving process as convenient for the user as possible. To do type inference, the work starts with defining the formal type system for the ProveIt language. Type rules for all the arithmetic operations available in ProveIt are provided and also type rules for the uniform choice statement and the assignment statement. Adding rules for typing functions and logical expressions is not in the scope of this thesis and is considered future work. In addition to the type system description, type checking and type inference were implemented. To do that, the thesis first deals with the scopes of the variables in ProveIt, as it has both local and global variables. Secondly, the relations between types are covered, including the need and means to find lowest common ancestors in directed acyclic graphs. This is necessary to be able to find the minimal common supertype if an arithmetic operation was performed between variables of different types. Next, the concepts of a minimum and a maximum type are introduced to make type inference easier and also be able to output better error messages. Finally six algorithms are given to complete the type inference and type checking

Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine

Typical security models used for proving security of deployed cryptographic primitives do not allow adversaries to rewind or reset honest parties to an earlier state. Thus, it is common to see cryptographic protocols rely on the assumption that fresh random numbers can be continually generated. In this paper, we argue that because of the growing popularity of virtual machines and, specifically, their state snapshot and revert features, the security of cryptographic protocols proven under these assumptions is called into question. We focus on public-key encryption security in a setting where resetting is possible and random numbers might be reused. We show that existing schemes and security models are insufficient in this setting. We then provide new formal security models and show that making a simple and efficient modification to any existing PKE scheme gives us security under our new models

Office认证机制中密钥导出函数安全性分析

微软Office2007及其后续版本采用ECMA-376的文件加密格式,其安全性主要通过用户认证和文件加密实现,而密钥导出算法是整个安全机制的核心。为此,研究ECMA-376密钥导出算法的安全性,利用Game-Playing技术计算该密钥导出算法与随机函数的不可区分优势的上限。通过该理论和攻击实例对Office安全性进行分析,结果表明,当用户口令字符长度大于6时,Office具有一定的安全性

Cascade Encryption Revisited

The security of cascade blockcipher encryption is an important and well-studied problem in theoretical cryptography with practical implications. It is well-known that double encryption improves the security only marginally, leaving triple encryption as the shortest reasonable cascade. In a recent paper, Bellare and Rogaway showed that in the ideal cipher model, triple encryption is significantly more secure than single and double encryption, stating the security of longer cascades as an open question. In this paper, we propose a new lemma on the indistinguishability of systems extending Maurer\u27s theory of random systems. In addition to being of independent interest, it allows us to compactly rephrase Bellare and Rogaway\u27s proof strategy in this framework, thus making the argument more abstract and hence easy to follow. As a result, this allows us to address the security of longer cascades as well as some errors in their paper. Our result implies that for blockciphers with smaller key space than message space (e.g. DES), longer cascades improve the security of the encryption up to a certain limit. This partially answers the open question mentioned above

On Notions of Security for Deterministic Encryption, and Efficient Constructions Without Random Oracles

The study of deterministic public-key encryption was initiated by Bellare et al. (CRYPTO ’07), who provided the “strongest possible” notion of security for this primitive (called PRIV) and constructions in the random oracle (RO) model. We focus on constructing efficient deterministic encryption schemes without random oracles. To do so, we propose a slightly weaker notion of security, saying that no partial information about encrypted messages should be leaked as long as each message is a-priori hard-to-guess given the others (while PRIV did not have the latter restriction). Nevertheless, we argue that this version seems adequate for many practical applications. We show equivalence of this definition to single-message and indistinguishability-based ones, which are easier to work with. Then we give general constructions of both chosen-plaintext (CPA) and chosen-ciphertext-attack (CCA) secure deterministic encryption schemes, as well as efficient instantiations of them under standard number-theoretic assumptions. Our constructions build on the recently-introduced framework of Peikert and Waters (STOC ’08) for constructing CCA-secure probabilistic encryption schemes, extending it to the deterministic-encryption setting as well