Date post: 20-Dec-2015

Computational and Information-Theoretic Soundness and Completeness of the Expanded Logics of Formal Encryption

Andre Scedrov **, University of Pennsylvania
Gergei Bana **, University of Pennsylvania
Pedro Adão *, Center for Logic and Computation, Instituto Superior Técnico, Lisbon

* Partially supported by FCT
** Partially supported by ONR CIP/SW URI

The Problem

• Relationship between two different approaches to cryptography/security: formal and computational

• Formal approach
  • uses simple, manageable formal language to describe cryptographic protocols
  • amenable to automation, computer tools
  • its accuracy is unclear

• Computational approach
  • harder to handle mathematically
  • proofs by hand
  • seems more accurate, hence widely accepted

Abadi-Rogaway Approach

• Very simple formal language along with its interpretation by means of probabilistic ensembles in a computational cryptographic setting.

• Two notions of equivalence: one for the formal, one for the computational setting. Then, it makes sense to try to prove:
  • Soundness: if two formal expressions are equivalent, then their computational interpretations are equivalent,
  • Completeness: vice versa.

Logic of Formal Encryption

• The Logic of Formal Encryption defined in [Abadi, Rogaway 2000] is a logic defined in the classical Dolev-Yao style. The terms are represented as:
  • b, for a block of 0’s and 1’s;
  • K, for a Key;
  • (M1,M2), for a pair of terms;
  • {M}K, for the encryption of term M, with the key K;

• Example: ( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )

Computational View

• Basic components of symmetric encryption:
  • Key generation algorithm: K(), randomly generates a string ( is security parameter)
  • Encryption algorithm: Ek, encrypts with the key k, coin-tossing allowed.
  • Decryption algorithm: D, Dk( Ek (x) )=x

Interpretation of Formal Expressions

• Computational interpretation is a random variable:
  • Run key-generation as many times as the number of keys in the formal expression, give all output the label “key”: k5,“key”
  • Blocks become fixed labeled strings: 101,“block”
  • Formal encryption { }K is replaced by Ek ( ),“cipher”
  • Formal pairing ( , ) is replaced by , ,“pair”

• Example:
  • {({101}K2,K5)}K2 translates to the random variable Ek2( Ek2 (101,“block”) ,“cipher” , k5,“key” ,“pair” ) ,“cipher”.
  • The keys k2, k5 are randomly generated, and the two encrypting functions have independent randomness as well.

Formal Equivalence

• Formal equivalence: two expressions are equivalent if replacing everything that is indecipherable with , we obtain the same formal pattern up to key renaming

• ( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )
  ( (K2, ) , ( {({101}K2,K5)}K2, { }K5) )
  same up to key renaming
  ( (K1, ) , ( {({101}K1,K5)}K1, { }K5) )
  ( (K1,{K1}K7) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )

Computational Equivalence

• Computational equivalence: two probabilistic ensembles are computationally equivalent if they cannot be distinguished by any probabilistic polynomial time algorithm

Soundness and Completeness

[Diagram: the formal expressions ({expression}K1,0) and ({expression’}K1,0) shown with the string ensembles "ensemble,cipher,0,block,pair" and "ensemble’,cipher,0,block,pair"; labels: Soundness, Completeness.]

Previous Work

• Abadi and Rogaway 2000: soundness when
  • a single for all undecryptable ciphers
  • acyclicity

• Their cryptosystems were “type-0”, i.e.,
  • conceal repetition of plaintext
  • conceal repetition of keys
  • conceal length of message

• Micciancio and Warinschi 2002: completeness in this case

• Horvitz and Gligor 2003: completeness for type-0 under strictly weaker assumptions

• Corin and Laud 2003: soundness extended to composite keys

Type-0 Encryption Schemes

• In case of type-0 cryptosystems, any two ciphertexts are computationally indistinguishable.

[Figure: Type-0 Systems. Labels: A with Ek1(.), Ek2(.); A with Ek1(0), Ek1(0); F(x), x, F.]

Previous Work

• Abadi and Jürjens 2000: extension to trace equivalence in a programming language setting

• Lincoln, J. Mitchell, M. Mitchell, Scedrov 1998: process calculus for the computational model

• Canetti 2001: universally composable security

• Backes, B. Pfitzmann, and Waidner 2003: simulatable Dolev-Yao-style cryptographic library

• Herzog 2003: computational soundness of standard assumptions of formal cryptography

• Impagliazzo, Kapron 2003: logic of the computational model

Our Work

• We extend the framework of Abadi and Rogaway in two directions, still maintaining soundness and completeness

• In an expansion of the A-R formal language by labeled boxes, we relax the assumption on the cryptosystem

• We explore purely probabilistic, information-theoretic interpretations of the formal language

Expansion of the Logic

• We relax condition on security by using labelled boxes in the definition of formal equivalence: parameter

• For key repetition revealing cryptosystems (which-key revealing): K boxes indexed by the encrypting key

• For length revealing cryptosystems: n boxes indexed by length

• For length and which-key revealing cryptosystems: n,K boxes indexed by length and key

Different Types of Encryption Schemes: Type-2

• In type-2 systems, key repetition is detectable, so we use K for each encrypting key K.

[Figure: Type-2 Systems. Labels: A with Ek1(.), Ek2(.); A with Ek1(.), Ek1(.); A with Ek1(.); A with Ek1(0); F(x), x, F.]

Formal Equivalence for Type-0

• Formal equivalence: when we replace everything that is indecipherable with , we obtain the same formal pattern up to key renaming

• ( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )
  ( (K2, ) , ( {({101}K2,K5)}K2, { }K5) )
  same up to key renaming
  ( (K1, ) , ( {({101}K1,K5)}K1, { }K5) )
  ( (K1,{K1}K7) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )

Formal Equivalence for Type-2

• Formal equivalence: up to key renaming, the same formal pattern is obtained if we replace all indecipherable expressions of the form {M}K with K

• ( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )
  ( (K2, K3 ) , ( {({101}K2,K5)}K2, { K4 }K5) )
  not same up to key renaming
  ( (K1, K7 ) , ( {({101}K1,K5)}K1, { K7 }K5) )
  ( (K1,{K1}K7) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )

Formal Equivalence for Type-2

• Formal equivalence: up to key renaming, the same formal pattern is obtained if we replace all indecipherable expressions of the form {M}K with K

• ( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )
  ( (K2, K3 ) , ( {({101}K2,K5)}K2, { K4 }K5) )
  same up to key renaming
  ( (K1, K6 ) , ( {({101}K1,K5)}K1, { K7 }K5) )
  ( (K1,{K1}K6) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )

Soundness Proof Method

||( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )|| K3

||( (K2, {0}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )|| K4

||( (K2, {0}K3) , ( {({101}K2,K5)}K2, { {0}K4 }K5) )||

||( (K2, {0}K6) , ( {({101}K2,K5)}K2, { {0}K7}K5) )|| K7

||( (K1, {0}K6) , ( {({101}K1,K5)}K1, {{K6}K7}K5) )|| K6

||( (K1, {K1}K6) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )||

Completeness Proof Method

• Suppose we have the message M=((K2,{01}K3),({({101}K2,K5)}K2,{{K6}K4}K5))
  An element x sampled from the interpretation looks like k,key,c1,cipher,pair,c3,cipher, c2,cipher,pair,pair

• The (first step of the) expansion of the tree associated with M is illustrated in the following diagrams:

[Diagram, labelled B(x): ((k,key,c1,cipher),(c3,cipher,c2,cipher)), with leaves k,key; c1,cipher; c3,cipher; c2,cipher.]

[Diagram, labelled D1(M)B(x): ((k,key,c1,cipher),(((c4,cipher, k1,key), 0, k,key),c2,cipher)), with leaves k,key; c1,cipher; c2,cipher; c4,cipher; k1,key; k,key.]

After the first step a new key k1,key is revealed, which corresponds to K5, thus some new strings appear and an “old” string c2,cipher becomes available for decryption. This process is iterated until no further decryptions are possible.

Completeness Proof Method

• Suppose that we have now two messages M and N such that their interpretations are equivalent
  We want to show that the tree expansions are also equivalent.
  • They have the same structure (straightforward);
  • In each place where one has a key, the other also has;
  • Wherever one has an encryption, the other also has;
  • The decryptions in both places have to coincide!

[Diagram, labelled D1(M)B(x) and G0(C1key,M)(x): ((k,key,c1,cipher),(((c4,cipher, k1,key) ,0, k,key),c2,cipher)), with leaves k,key; c1,cipher; c2,cipher; c4,cipher; k1,key; k,key.]

[Diagram, labelled D1(N)B(y) and G0(C1key,M)(y): ((k’,key,c1’,cipher),(((c4’,cipher, k1’,key),0, k’,key),c2’,cipher)), with leaves k’,key; c1’,cipher; c2’,cipher; c4’,cipher; k1’,key; k’,key.]

The keys used in both places have to be the same!

Information-Theoretic Interpretations

• There is no reason to limit interpretations to computational systems. We can
  • give purely probabilistic interpretations,
  • define a notion of equivalence in the probabilistic cryptosystem,
  • try proving soundness and completeness.

• We carry this out for One-Time Pad.

Interpretation in One-Time Pad

• Formal view:
  • Length is introduced for formal expressions
  • Encrypting twice with the same key is excluded
  • Equivalence is defined via boxes indexed by formal notion of length: n

• Interpretation:
  • Key generation depends on formal key length
  • Encryption via the rules of OTP
  • Equivalence of interpretations holds if probability distributions agree

• Soundness and completeness are proven

Further Extensions: A General Probabilistic Treatment

• Single formalism for computational and information-theoretic approach
  • Security parameter then indexes independent components of random variables

• Computational and information-theoretic treatment differ in the notion of equivalence introduced in the general formalism as well as in the values of the random variables.

Further Expansions in the Formal Language

• New objects:
  • Equivalence relation on the set of formal ciphers
  • A box corresponding to each equivalence class of ciphers
  • Equivalence class on the formal set of keys

• Equivalence:
  • Introduce a box to each equivalence-class on ciphers
  • Key-renaming is allowed only among keys in the same class
  • Replace each undecryptable cipher in an expression by the box corresponding to its equivalence class

Soundness and Completeness

• Completeness iff:
  • ||({M}k1,{N}k2)|| ||({M’}k1',{N’}k2')|| implies ({M}k1,{N}k2) ({M’}k1',{N’}k2')

• Decrypting with the wrong key is detectable

• Soundness iff:
  • Replacing ciphers of the form {.}k0 with equivalent ciphers {.}k0' in an expression if k0 and k0' do not occur anywhere else (except as encrypting keys) results in equivalent interpretation.

Conclusions and Future Work

• Formal setting can be varied in useful ways
• Established soundness and completeness for extended logics
• Introduced new technique for completeness proofs

• Include new primitives, e.g., signature schemes
• Extend the formalism to include active adversaries
• Relate our work with information-theoretic models

References

• [Abadi, Jürjens 2001] M. Abadi and J. Jürjens, Formal eavesdropping and its computational interpretation in 4th International Symposium on Theoretical Aspects of Computer Software (TACS), pages 82-94, 2001.

• [Abadi, Rogaway 2000] M. Abadi and P. Rogaway, Reconciling two views of cryptography: The computational soundness of formal encryption in 1st IFIP International Conference on Theoretical Computer Science, volume 1872 of Lecture Notes in Computer Science, pages 3-22, 2000.

• [Micciancio, Warinschi 2004a] D. Micciancio and B. Warinschi, Completeness Theorems for the Abadi-Rogaway Logic of Encrypted Expressions in Journal of Computer Security, 12(1), pages 99-129, 2004. Based on Extended Abstract in WITS 2002.

• [Micciancio, Warinschi 2004b] D. Micciancio and B. Warinschi, Soundness of Formal Encryption in the Presence of Active Adversaries in Theory of Cryptography Conference (TCC), Cambridge, Massachusetts, volume 2951 of Lecture Notes in Computer Science, pages 133-151, February 19-21 2004.

