9 research outputs found

    Bringing State-Separating Proofs to EasyCrypt - A Security Proof for Cryptobox

    Machine-checked cryptography aims to reinforce confidence in the primitives and protocols that underpin all digital security. However, machine-checked proof techniques remain in practice difficult to apply to real-world constructions. A particular challenge is structured reasoning about complex constructions at different levels of abstraction. The State-Separating Proofs (SSP) methodology for guiding cryptographic proofs by Brzuska, Delignat-Lavaud, Fournet, Kohbrok and Kohlweiss (ASIACRYPT'18) is a promising contestant to support such reasoning. In this work, we explore how SSPs can guide EasyCrypt formalisations of proofs for modular constructions. Concretely, we propose a mapping from SSP to EasyCrypt concepts which enables us to enhance cryptographic proofs with SSP insights while maintaining compatibility with existing EasyCrypt proof support. To showcase our insights, we develop a formal security proof for the Cryptobox family of public-key authenticated encryption schemes based on non-interactive key exchange and symmetric authenticated encryption. As a side effect, we obtain the first formal security proof for NaCl's instantiation of Cryptobox. Finally, we discuss changes to the practice of SSP on paper and potential implications for future tool designers.

    State Separation for Code-Based Game-Playing Proofs

    The security analysis of real-world protocols involves reduction steps that are conceptually simple but still have to account for many protocol complications found in standards and implementations. Taking inspiration from universal composability, abstract cryptography, process algebras, and type-based verification frameworks, we propose a method to simplify large reductions, avoid mistakes in carrying them out, and obtain concise security statements. Our method decomposes monolithic games into collections of stateful *packages* representing collections of oracles that call one another using well-defined interfaces. Every component scheme yields a pair of a real and an ideal package. In security proofs, we then successively replace each real package with its ideal counterpart, treating the other packages as the reduction. We build this reduction by applying a number of algebraic operations on packages justified by their state separation. Our method handles reductions that emulate the game perfectly, and leaves more complex arguments to existing game-based proof techniques such as the code-based analysis suggested by Bellare and Rogaway. It also facilitates computer-aided proofs, inasmuch as the perfect reduction steps can be automatically discharged by proof assistants. We illustrate our method on two generic composition proofs: (1) a proof of self-composition using a hybrid argument; and (2) the composition of keying and keyed components. For concreteness, we apply them to the KEM-DEM proof of hybrid encryption by Cramer and Shoup and to the composition of forward-secure game-based key exchange protocols with symmetric-key protocols.

    Key-schedule Security for the TLS 1.3 Standard

    We analyze the security of the TLS 1.3 key establishment protocol, as specified at the end of its rigorous standardization process. We define a core key schedule and reduce its security to concrete assumptions against an adversary that controls client and server configurations and adaptively chooses some of their keys. Our model supports all key derivations featured in the standard, including its negotiated modes and algorithms that combine an optional Diffie-Hellman exchange for forward secrecy with optional pre-shared keys supplied by the application or recursively established in prior sessions. We show that the output keys are secure as soon as any of their input key materials are. Our compositional, code-based proof makes use of state separation to yield concrete reductions despite the complexity of the key schedule. We also discuss (late) changes to the standard that would improve its robustness and simplify its analysis.

    State-Separating Proofs and Their Applications

    Cryptographic protocols are commonly used to provide security for network traffic and digital interactions in general. Security means different things in different contexts. The most common security properties include confidentiality and authenticity of transmitted information, but cryptographic protocols can also provide more sophisticated security properties such as unlinkability or deniability. Cryptographers typically use reduction proofs to show that a given protocol indeed provides a certain type of security. A prerequisite for such a proof is the formal description of the desired security notion. One way to achieve this formalization is the code-based game-playing framework introduced by Bellare and Rogaway [10], where security is encoded as a game played by a computationally bounded adversary. The game provides the adversary access to a set of oracles, which are defined through (pseudo-)code and which the adversary can query (or call) similar to functions in a computer program. Intuitively, the adversary wins the game if it can defeat the security of the protocol in question. A protocol is thus secure if the probability of an adversary winning the security game is sufficiently close to random chance. For example, we can define the security of a protocol aiming to allow two parties to agree on a secret key as follows: A protocol of this kind is secure if any adversary observing the protocol flow between two honest parties has a sufficiently low probability of distinguishing the resulting key from a randomly sampled string (thus expressing that the adversary has learned nothing about the real key). Despite the structure and formalism introduced by Bellare and Rogaway's code-based game-playing framework, security definitions for larger protocols are still often complex and their proofs error-prone and hard to verify. A variety of frameworks exist to allow for composed definitions and modularization of proofs.
    With the State Separating Proofs framework, this thesis includes (in Publication I) one such framework. The SSP framework builds on that introduced by Bellare and Rogaway by leveraging the separation of state within a model to facilitate compositional proofs. This thesis also includes several security proofs of real-world protocols (or components thereof) to showcase the strengths and weaknesses of the SSP framework. In particular, the thesis includes a security proof of the key derivations of draft 11 of the Messaging Layer Security protocol (Publication III), the key schedule of the Transport Layer Security protocol (Version 1.3, Publication II), as well as a security proof of a novel scheme for rotating signature keys (RSIG, Publication IV). This thesis also includes a computer-aided security proof of the cryptobox protocol (part of the NaCl library [11]) using the EasyCrypt [7] tool chain, where the SSP framework was used to guide both security modelling and proof (Publication V). Finally, we discuss the SSP framework in the context of related work such as other compositional frameworks and computer-aided cryptography.

    Efficient Post-Compromise Security Beyond One Group

    Version 2.0, December 2019. Modern secure messaging protocols such as Signal [1] can offer strong security guarantees, in particular Post-Compromise Security (PCS) [2]. The core PCS mechanism in these protocols is designed for pairwise communication, making it inefficient for large groups. To address this, recently proposed designs for secure group messaging, ART [3], IETF's MLS Draft-07 [4]/TreeKEM [5], use group keys derived from tree structures to efficiently achieve PCS in large groups. In this work we explore the healing behaviors of the pairwise and group-key based approaches. We show that both approaches have inherent limitations to what they can heal, and that without additional mechanisms, both ART and TreeKEM/MLS Draft-07 offer significantly weaker PCS guarantees than those offered by groups based on pairwise PCS channels: for example, we show that if new users can be created dynamically, ART, TreeKEM, and MLS Draft-07 never fully heal authentication. The core underlying problem is that the scope of the healing in ART and MLS is limited to a single group. We lay out the design space of this complex healing problem to identify mechanisms that narrow the gap between the pairwise and group-key approaches, and provide stronger healing for both. Optimizing security and minimizing overhead leads us to a promising solution based on (i) global updates and (ii) post-compromise secure signatures. We provide a security definition for post-compromise secure signatures and an instantiation. Notably, our solution can also be used to improve the healing properties of pairwise protocols such as Signal towards new users who did not previously receive a message of a compromised user. This work was supported by Microsoft Research through its PhD Scholarship Programme.

    The complexities of healing in secure group messaging

    Funding Information: This work was supported by Microsoft Research through its PhD Scholarship Programme. Publisher Copyright: © 2021 by The USENIX Association. All rights reserved. Modern secure messaging protocols can offer strong security guarantees such as Post-Compromise Security (PCS) [18], which enables participants to heal after compromise. The core PCS mechanism in protocols like Signal [34] is designed for pairwise communication, making it inefficient for large groups, while recently proposed designs for secure group messaging, ART [19], IETF's MLS Draft-11 [7]/TreeKEM [11], use group keys derived from tree structures to efficiently provide PCS to large groups. Until now, research on PCS designs only considered healing behaviour within a single group. In this work we provide the first analysis of the healing behaviour when a user participates in multiple groups. Surprisingly, our analysis reveals that the currently proposed protocols based on group keys, such as ART and TreeKEM/MLS Draft-11, provide significantly weaker PCS guarantees than group protocols based on pairwise PCS channels. In fact, we show that if new users can be created dynamically, ART, TreeKEM, and MLS Draft-11 never fully heal authentication. We map the design space of healing mechanisms, analyzing security and overhead of possible solutions. This leads us to a promising solution based on (i) global updates that affect all current and future groups, and (ii) post-compromise secure signatures. Our solution allows group messaging protocols such as ART and MLS to achieve substantially stronger PCS guarantees. We provide a security definition for post-compromise secure signatures and an instantiation. Peer reviewed.

    Cryptographic Security of the MLS RFC, Draft 11

    Cryptographic communication protocols provide confidentiality, integrity and authentication properties for end-to-end communication under strong corruption attacks, including, notably, post-compromise security (PCS). Most protocols are designed for one-to-one communication. Protocols for group communication are less common, less efficient, and tend to provide weaker security guarantees. This is because group communication poses unique challenges, such as coordinated key updates, changes to group membership and complex post-compromise recovery procedures. We need to tackle this complex challenge as a community. Thus, the Internet Engineering Task Force (IETF) has created a working group with the goal of developing a sound standard for a continuous asynchronous key-exchange protocol for dynamic groups that is secure and remains efficient for large group sizes. The current version of the Messaging Layer Security (MLS) security protocol is in a feature freeze, i.e., no changes are made in order to provide a stable basis for cryptographic analysis. The key schedule and TreeKEM design are of particular concern since they are crucial to distribute and combine several keys to achieve PCS. In this work, we study the MLS continuous group key distribution (CGKD), which comprises the MLS key schedule, TreeKEM and their composition, as specified in Draft 11 of the MLS RFC, while abstracting away signatures, message flow and authentication guarantees. We establish the uniqueness and key indistinguishability properties of the MLS CGKD as computational security properties.

    The Complexities of Healing in Secure Group Messaging: Why {Cross-Group} Effects Matter

    Modern secure messaging protocols can offer strong security guarantees such as Post-Compromise Security (PCS) [18], which enables participants to heal after compromise. The core PCS mechanism in protocols like Signal [34] is designed for pairwise communication, making it inefficient for large groups, while recently proposed designs for secure group messaging, ART [19], IETF's MLS Draft-11 [7]/TreeKEM [11], use group keys derived from tree structures to efficiently provide PCS to large groups. Until now, research on PCS designs only considered healing behaviour within a single group. In this work we provide the first analysis of the healing behaviour when a user participates in multiple groups. Surprisingly, our analysis reveals that the currently proposed protocols based on group keys, such as ART and TreeKEM/MLS Draft-11, provide significantly weaker PCS guarantees than group protocols based on pairwise PCS channels. In fact, we show that if new users can be created dynamically, ART, TreeKEM, and MLS Draft-11 never fully heal authentication. We map the design space of healing mechanisms, analyzing security and overhead of possible solutions. This leads us to a promising solution based on (i) global updates that affect all current and future groups, and (ii) post-compromise secure signatures. Our solution allows group messaging protocols such as ART and MLS to achieve substantially stronger PCS guarantees. We provide a security definition for post-compromise secure signatures and an instantiation.