Message Equivalence and Imperfect Cryptography in a Formal Model

1
Message Equivalence and Imperfect Cryptography in
a Formal Model
  • Angelo Troina (1), Alessandro Aldini (2) and Roberto
    Gorrieri (3)

(1) Dipartimento di Informatica, University of Pisa, troina_at_di.unipi.it
(2) Istituto STI, University of Urbino, aldini_at_sti.uniurb.it
(3) Dipartimento di Scienze dell'Informazione, University of Bologna, gorrieri_at_cs.unibo.it

DIMACS Workshop on Security Analysis of Protocols
- Piscataway (NJ) June 9, 2004
2
Introduction
Increasing interest towards the compatibility
problem between the computational approach and
the Dolev-Yao model for the analysis of security
protocols.
3
Introduction
Dolev-Yao model
  • Provides abstractions that allow mechanical
    proofs of protocol properties.
  • Requires stronger assumptions such as perfect
    cryptography and the restricted expressive power
    of the adversaries.

Computational model
  • Detailed view of cryptosystems - deals with
    probabilities and computational power.
  • Models adversaries' resources and relaxes the
    perfect encryption assumption.

4
Introduction
A recent formal view of cryptography introduced
by Abadi and Rogaway [AR00] defines formal
algebraic cryptographic expressions and a related
notion of equivalence. Such an approach relates
the formal view and the computational model of
cryptography by proving the soundness of the
formal world with respect to the computational
world. Under particular assumptions Micciancio
and Warinschi [MW02] present a completeness
result.
5
Introduction
A similar approach is also followed by Herzog
[Her03], showing that if there's no good
Dolev-Yao strategy for breaking a protocol,
there's also no good PPT adversary strategy that
can do it (given ideal encryption).
Zunino and Degano [ZD04] compare the classical
Dolev-Yao adversary with an enhanced
computational adversary which can guess the key
for decrypting an intercepted message (albeit
only with negligible probability).
6
Introduction
  • The robustness of a ciphertext may be jeopardized
    by clever attackers that may succeed in
    retrieving information by
      • randomly guessing data
      • analyzing a large amount of ciphertext
      • employing a partial knowledge of the plaintext
      • breaking weak keys
      • breaking too simple, foreseeable cryptographic
        algorithms

7
Introduction
  • We present a novel equivalence for cryptographic
    expressions that overcomes the two limitations of
    classical security models
      • perfect cryptography
      • nondeterministic adversary.

We take into account the probability that a
polynomial-time adversary successfully attacks
a message encrypted with a secret key.
8
Methodology
A classical formal logic for cryptographic
expressions
9
Methodology
  • A classical formal logic for cryptographic
    expressions
      • Based on the Dolev-Yao encryption model defined
        by Abadi and Rogaway [AR00]
  • Formal model for cryptographic expressions in an
    imperfect cryptography scenario
  • Indistinguishability with $\varepsilon$-tolerance
10
Expressions
String is a finite set of binary strings of a fixed
length.
Keys is a finite set of keys $K, K', K'', \ldots, K_1, K_2, \ldots$
Exp is the set of expressions, defined by the
grammar
$M, N ::=$ expressions
  $K$ key, $K \in \mathit{Keys}$
  $m$ string, $m \in \mathit{String}$
  $(M, N)$ pair
  $\{M\}_K$ encryption
11
Entailment
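The entailment relation $M \vdash N$ specifies the
expressions N that can be derived from M. Such a
relation is the least relation satisfying the
following properties:
$M \vdash M$
$M \vdash (N_1, N_2) \Rightarrow M \vdash N_1 \wedge M \vdash N_2$
$M \vdash N_1 \wedge M \vdash N_2 \Rightarrow M \vdash (N_1, N_2)$
$M \vdash N \wedge M \vdash K \Rightarrow M \vdash \{N\}_K$
$M \vdash \{N\}_K \wedge M \vdash K \Rightarrow M \vdash N$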
12
Patterns
Function p, given a set of keys T and an
expression M, computes the pattern that an
attacker can obtain from M if the initial
knowledge is the set of keys T.
$p(K, T) = K$ ($K \in \mathit{Keys}$)
$p(m, T) = m$ ($m \in \mathit{String}$)
$p((M, N), T) = (p(M, T), p(N, T))$
$p(\{M\}_K, T) = \{p(M, T)\}_K$ if $K \in T$
$p(\{M\}_K, T) = \square$ otherwise
13
Patterns
Function p, given a set of keys T and an
expression M, computes the pattern that an
attacker can obtain from M if the initial
knowledge is the set of keys T.
$p(K, T) = K$ ($K \in \mathit{Keys}$)
$p(m, T) = m$ ($m \in \mathit{String}$)
$p((M, N), T) = (p(M, T), p(N, T))$
$p(\{M\}_K, T) = p(M, T)$ if $K \in T$
$p(\{M\}_K, T) = \square$ otherwise
14
Expression Equivalence
Two expressions are equivalent if they yield the
same pattern
$M \equiv N \iff \mathit{pattern}(M) = \mathit{pattern}(N)$
$(\{\{K\}_{K_1}\}_{K_2}, K_2) \equiv (\{\{m\}_{K_1}\}_{K_2}, K_2)$
$(\square, K_2)$
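The pattern computation of slides 11 to 14 in code, as an added example that is not part of the original slides. It uses the slide 13 form of p and takes pattern(M) to be p(M, {K | M ⊢ K}) as in [AR00]; all class and function names are this example's own.

```python
from dataclasses import make_dataclass

# Expression grammar of slide 10 (names are assumptions of this example).
Key = make_dataclass("Key", ["name"], frozen=True)
Str = make_dataclass("Str", ["value"], frozen=True)
Pair = make_dataclass("Pair", ["left", "right"], frozen=True)
Enc = make_dataclass("Enc", ["body", "key"], frozen=True)   # {body}_key

BOX = "□"  # an undecryptable block

def visible_keys(expr, known):
    """Keys readable in expr when only blocks under keys in `known` open."""
    if isinstance(expr, Key):
        return {expr}
    if isinstance(expr, Pair):
        return visible_keys(expr.left, known) | visible_keys(expr.right, known)
    if isinstance(expr, Enc) and expr.key in known:
        return visible_keys(expr.body, known)
    return set()

def recoverable_keys(expr):
    """{K | M |- K}: least fixed point of the entailment rules of slide 11."""
    known = set()
    while (found := visible_keys(expr, known)) != known:
        known = found
    return known

def p(expr, T):
    """Slide 13 form of p: an opened block is replaced by its contents."""
    if isinstance(expr, Pair):
        return (p(expr.left, T), p(expr.right, T))
    if isinstance(expr, Enc):
        return p(expr.body, T) if expr.key in T else BOX
    return expr      # keys and strings are left as they are

def equivalent(m, n):
    """M ≡ N iff both expressions yield the same pattern."""
    return p(m, recoverable_keys(m)) == p(n, recoverable_keys(n))

# Constructed sample: the two expressions of slide 14.
K, K1, K2, m = Key("K"), Key("K1"), Key("K2"), Str("m")
M = Pair(Enc(Enc(K, K1), K2), K2)
N = Pair(Enc(Enc(m, K1), K2), K2)

if __name__ == "__main__":
    print(p(M, recoverable_keys(M)), equivalent(M, N))
```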
15
Methodology
  • A classical formal logic for cryptographic
    expressions
  • Formal model for cryptographic expressions in an
    imperfect cryptography scenario
  • Indistinguishability with $\varepsilon$-tolerance
17
Imperfect cryptography scenario
We take into account the possibility that an
adversary obtains meaningful information
from a ciphertext $\{M\}_K$ without knowing the key K.
We give a new definition for patterns, which were
used to denote the information (associated with a
ciphertext) employed to decide the equivalence
between expressions.
We propose a new equivalence relation for
expressions that captures when two expressions
contain information that an adversary can obtain
with the same probability.
18
Probabilistic Patterns
A probabilistic pattern P.p represents an
expression P that does not contain ciphered
blocks and is associated with a parameter
$p \in [0,1]$, modeling the probability of getting the
plaintext contained in P. Formally, we define the
set pPat of probabilistic patterns with the
grammar
$P.p, Q.p ::=$ probabilistic patterns
  $K.p$ key, $K \in \mathit{Keys}$
  $m.p$ string, $m \in \mathit{String}$
  $(P.p, Q.p).p$ pair
19
Imperfect cryptography scenario
A probabilistic pattern associated with an
expression is obtained by substituting every
ciphered block with the corresponding plaintext
in clear associated with the probability of
obtaining information about it.
probabilistic pattern($\{m\}_K$) $= m.p$
Value p depends on many factors, such as the
cryptosystem used for encryptions, the
computational power of (and the information
collected by) the adversary, the expected
robustness of the key K against guesses or
attacks.
20
pdec
Given a computational polynomial time adversary
A, an initial knowledge G, and a ciphered
expression $\{N\}_K$, we assume a function pdec to
return the probability of obtaining meaningful
information from the ciphertext $\{N\}_K$ by
exploiting the initial knowledge G.
21
Imperfect cryptography scenario
The outcome of pdec represents the starting point
for estimating the probability of cracking a
ciphered block.
$(\{\{m\}_{K_1}\}_{K_2}, \{(K_1, K_2)\}_K)$
What is the probability of getting the string m
in clear?
22
Imperfect cryptography scenario
The outcome of pdec represents the starting point
for estimating the probability of cracking a
ciphered block.
$(\{\{m\}_{K_1}\}_{K_2}, \{(K_1, K_2)\}_K)$
$\mathit{pdec}(\{\{m\}_{K_1}\}_{K_2}, G)$ ? $\mathit{pdec}(\{m\}_{K_1}, G)$
23
Imperfect cryptography scenario
The outcome of pdec represents the starting point
for estimating the probability of cracking a
ciphered block.
$(\{\{m\}_{K_1}\}_{K_2}, \{(K_1, K_2)\}_K)$
$\mathit{pdec}(\{(K_1, K_2)\}_K, G)$
24
Imperfect cryptography scenario
The outcome of pdec represents the starting point
for estimating the probability of cracking a
ciphered block.
$(\{\{m\}_{K_1}\}_{K_2}, \{(K_1, K_2)\}_K)$
The probability of breaking a block may vary
according to the strategy an attacker uses when
he tries to cryptanalyze an expression.
25
Probabilistic Equivalence
Given the expressions M and N, we say that M and
N are probabilistically equivalent ($M \approx N$) if
they yield the same probabilistic pattern.
$M \approx N \iff pP_M = pP_N$
26
Example
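$M = (\{\{m\}_{K_1}\}_{K_2}, \{(K_1, K_2)\}_K)$
$pP_M = (m.p_1, (K_1.p_2, K_2.p_2).p_2)$
$N = (\{m\}_{K_1}, \{(K_1, K_2)\}_K)$
If $\mathit{pdec}(\{m\}_{K_1})$ ? $\mathit{pdec}(\{(K_1, K_2)\}_K) = p \Rightarrow$
$p_1 = p_2 = p$
$M \approx N$
$pP_M = pP_N = (m.p', (K_1.p', K_2.p').p')$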
27
Methodology
  • A classical formal logic for cryptographic
    expressions
  • Formal model for cryptographic expressions in an
    imperfect cryptography scenario
  • Indistinguishability with $\varepsilon$-tolerance
29
Approximating Probabilistic Equivalence
The notion of probabilistic equivalence is
extremely strict:
  • Ciphered blocks have to be decrypted with
    exactly the same probabilities.
  • Considers also those blocks that can be
    decrypted with negligible
    probabilities.

We relax the notion of probabilistic equivalence
by introducing a new compatibility relation,
called $\varepsilon$-probabilistic similarity ($\approx_\varepsilon$).
30
Approximating Probabilistic Equivalence
$\varepsilon$-probabilistic similarity ($\approx_\varepsilon$)
  • approximates the equivalence by introducing a
    tolerance to small differences (up to $\varepsilon$) of the
    probabilistic parameters associated with the
    probabilistic patterns.
  • allows for equating those ciphertexts that can
    be decrypted with small probabilities ($< \varepsilon$).

31
Example
$M = \{m\}_K$
$N = \{m\}_{K'}$
If $p_1$ ? $p_2$ and $p_1 - p_2 \le \varepsilon$ then
$M \approx_\varepsilon N$
32
Example
$M = \{m\}_K$
$N = \{m'\}_{K'}$
If $p_1, p_2 < \varepsilon$ then
$M \approx_\varepsilon N$
33
Ideal Encryption
It should be hard for the adversary to decrypt a
message ciphered with an unknown key. The
probability of breaking an encrypted message that
cannot be derived in the classical Dolev-Yao
model should be negligible.
A function $f: \mathbb{N} \to \mathbb{R}$ is negligible if for any
polynomial $q$, $\exists \eta_0: f(\eta) \le 1/q(\eta) \;\; \forall \eta > \eta_0$
An encryption scheme is ideal $\iff$ $\mathit{pdec}$ is a
negligible function
34
Main results
$M, N \in \mathit{Exp}$.
M ? N ? M ?? N M ? N ? M ? N
35
A Secrecy Property
Inspired by Abadi and Gordon [AG99], we observe
that a certain secret a is private in M if the
expression N obtained by substituting every
occurrence of a with $a' \ne a$ is probabilistically
similar to M.
Given a parameter $\varepsilon \in [0,1]$ and an expression $M \in \mathit{Exp}$
such that a occurs in M, we say that a is
$\varepsilon$-secret in M iff $M \approx_\varepsilon N$, where N is obtained by
substituting every occurrence of a in M with
$a' \ne a$.
36
A Secrecy Property
$p = \mathit{pdec}(\{K\}_{K_2})$
$M = (m, \{K\}_{K_2})$
K is $\varepsilon$-secret in M
m is not $\varepsilon$-secret in M
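One reading of the tolerance rules on slides 30 to 32 and of the secrecy check on slides 35 and 36, as an added example that is not from the presentation. It works directly on probabilistic patterns, assumes the probabilities are given (the slides leave pdec abstract) and that replacing a secret does not change them; all names and the sample value 0.001 are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Atom:           # K.p or m.p: a key or string readable with probability p
    value: str
    p: float

@dataclass(frozen=True)
class PPair:          # (P.p, Q.p).p
    left: object
    right: object
    p: float

def similar(x, y, eps):
    """eps-similarity of two probabilistic patterns (an interpretation)."""
    if x.p < eps and y.p < eps:
        return True   # both blocks are practically undecryptable (slide 32)
    if abs(x.p - y.p) > eps or type(x) is not type(y):
        return False  # parameters differ by more than the tolerance (slide 31)
    if isinstance(x, Atom):
        return x.value == y.value
    return similar(x.left, y.left, eps) and similar(x.right, y.right, eps)

def substitute(pat, old, new):
    """Replace every occurrence of the atom `old` by `new`, keeping probabilities."""
    if isinstance(pat, Atom):
        return Atom(new if pat.value == old else pat.value, pat.p)
    return PPair(substitute(pat.left, old, new),
                 substitute(pat.right, old, new), pat.p)

def is_secret(pat, a, eps, fresh="a'"):
    """a is eps-secret iff the pattern with a replaced by a' is eps-similar."""
    return similar(pat, substitute(pat, a, fresh), eps)

# Constructed sample for slide 36: M = (m, {K}_K2), assuming pdec({K}_K2) = 0.001.
PP_M = PPair(Atom("m", 1.0), Atom("K", 0.001), 1.0)

if __name__ == "__main__":
    print(is_secret(PP_M, "K", 0.01), is_secret(PP_M, "m", 0.01))
```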
37
An Application of Secrecy
A server S waits for requests from clients,
generates a secret key and sends it back to the
client.
$A \to S$: $\{\mathit{request}, A, S, t\}_{K_{SA}}$
$S \to A$: $\{K, S, A, t\}_{K_{SA}}$
$\mathit{request}, A, S, t \in \mathit{String}$ and $K, K_{SA} \in \mathit{Keys}$.
In G the server keeps track of the messages
exchanged in the network.
38
An Application of Secrecy
$A \to S$: $\{\mathit{request}, A, S, t\}_{K_{SA}}$
$S \to A$: $\{K, S, A, t\}_{K_{SA}}$
We want to check whether the expression
$\{K, S, A, t\}_{K_{SA}}$ ensures a given degree $\varepsilon$ of secrecy for K.
The server verifies whether K is $\varepsilon_G$-secret in
$\{K, S, A, t\}_{K_{SA}}$.
As the traffic of information within the network
increases and the amount of messages ciphered
with $K_{SA}$ gets larger, the server may not
guarantee the $\varepsilon_G$-secrecy anymore.
39
Conclusions and Future work
  • We have shown a novel framework in order to offer
    the means for defining a formal cryptographic
    language where
      • i) information leakage due to cryptanalysis can
        be estimated by employing ? and conditional
        statements
      • ii) probabilistic covert channels can be studied
        by verifying non-interference security properties.

The similarity relation $\approx_\varepsilon$ can be used, in
combination with an approximated definition of
non-interference, to verify whether the privacy
of cryptographic protocols can be guaranteed at a
reasonable level.
40
Bibliography
[AG99] M. Abadi, A.D. Gordon. A Calculus for Cryptographic Protocols: The Spi Calculus. Information and Computation, 148(1):1-70, 1999.
[AR00] M. Abadi, P. Rogaway. Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption). In Proc. Int. Conf. Theoretical Computer Science, LNCS 1872:3-22, 2000.
[DY83] D. Dolev, A. Yao. On the Security of Public-key Protocols. IEEE Transactions on Information Theory, 29:198-208, 1983.
[Her03] J. Herzog. A Computational Interpretation of Dolev-Yao Adversaries. In Proc. of Workshop on Issues in the Theory of Security (WITS'03), 2003.
[MW02] D. Micciancio, B. Warinschi. Completeness Theorems for the Abadi-Rogaway Language of Encrypted Expressions. In Proc. of Workshop on Issues in the Theory of Security (WITS'02), 2002.
[ZD04] R. Zunino, P. Degano. A Note on the Perfect Encryption Assumption in a Process Calculus. In Proc. of Foundations of Software Science and Computation Structures (FOSSACS'04).
41
Example
$M = (\{m\}_K, K)$
$N = (m, K)$