Formal Certification of Game-Based Cryptographic...
Transcript of Formal Certification of Game-Based Cryptographic...
![Page 1: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/1.jpg)
Formal Certification ofGame-Based Cryptographic Proofs
Santiago Zanella Beguelin
IMDEA Software, Madrid, Spain
INRIA Sophia Antipolis - Mediterranee, France
Microsoft Research - INRIA Joint Centre, France
2010.12.09ENS Paris
![Page 2: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/2.jpg)
A tale of two worlds
Formal World{({(0,K1)}K2 , 1)}K3
Values as symbols
Primitives as symbolicexpressions
Adversaries as inference engines
Asymptotic security
Indirect(computation soundness)
ProVerif, PCL, AVISPA
Better suited for protocols?
Computational Worldf (G (r)⊕(m‖0k)‖H(G (r)⊕(m‖0k))⊕r)
Values as bitstrings
Primitives as functions onbitstrings
Probabilistic Polynomial-timeAdversaries
Exact security bounds
Direct
CryptoVerif, CPCL, CIL
Better suited for primitives?
This work is in the computational world
2/44
![Page 3: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/3.jpg)
A tale of two worlds
Formal World{({(0,K1)}K2 , 1)}K3
Values as symbols
Primitives as symbolicexpressions
Adversaries as inference engines
Asymptotic security
Indirect(computation soundness)
ProVerif, PCL, AVISPA
Better suited for protocols?
Computational Worldf (G (r)⊕(m‖0k)‖H(G (r)⊕(m‖0k))⊕r)
Values as bitstrings
Primitives as functions onbitstrings
Probabilistic Polynomial-timeAdversaries
Exact security bounds
Direct
CryptoVerif, CPCL, CIL
Better suited for primitives?
This work is in the computational world
2/44
![Page 4: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/4.jpg)
Cryptanalysis-driven design
Propose a cryptographic scheme
Wait for someone to come out with an attack
Patch scheme
3/44
![Page 5: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/5.jpg)
Cryptanalysis-driven design
Propose a cryptographic scheme
Wait for someone to come out with an attack
Patch scheme
3/44
![Page 6: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/6.jpg)
Cryptanalysis-driven design
Propose a cryptographic scheme
Wait for someone to come out with an attackAttack found!
Patch scheme
3/44
![Page 7: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/7.jpg)
Cryptanalysis-driven design
Propose a cryptographic scheme
Wait for someone to come out with an attackAttack found! Patch scheme
3/44
![Page 8: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/8.jpg)
Cryptanalysis-driven design
Propose a cryptographic scheme
Wait for someone to come out with an attack
Patch scheme
Enough waiting
Declare the scheme secure
How much time is enough?
3/44
![Page 9: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/9.jpg)
Cryptanalysis-driven design
Propose a cryptographic scheme
Wait for someone to come out with an attack
Patch scheme
Enough waiting
Declare the scheme secure
It took 5 years to break the Merkle-Hellman cryptosystem
3/44
![Page 10: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/10.jpg)
Cryptanalysis-driven design
Propose a cryptographic scheme
Wait for someone to come out with an attack
Patch scheme
Enough waiting
Declare the scheme secure
It took 10 years to break the Chor-Rivest cryptosystem
3/44
![Page 11: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/11.jpg)
Cryptanalysis-driven design
Propose a cryptographic scheme
Wait for someone to come out with an attack
Patch scheme
Enough waiting
Declare the scheme secure
Can’t we do better?
3/44
![Page 12: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/12.jpg)
The Provable Security paradigm
1 Define a security goal and a model for adversaries
2 Propose a cryptographic scheme
3 Reduce security of the scheme to a cryptographic assumption
IF an adversary A can break the security of the schemeTHEN the assumption can be broken with little extra effort
Conversely,
IF the security assumption holds THEN the scheme is secure
4/44
![Page 13: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/13.jpg)
Proof by reduction
Assume a polynomial adversary A breaks the security of ascheme
Build a polynomial algorithm B that uses A to solve acomputational hard problem
IF the problem is intractableTHEN the cryptographic scheme is asymptotically secure
BA
Problem instance Solution
5/44
![Page 14: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/14.jpg)
Exact security
Assume an adversary A breaks the security of a scheme withintime t with probability ε
Build an algorithm B that uses A to solve a computationalhard problem with probability ε′ ≥ f (ε) within time t ′ ≤ g(t)
Bounds matter: the greater f (ε) and the smaller g(t) are, thecloser the security of the scheme is related to the problem.
Choosing scheme parameters
What is the best known method to solve the problem?
Choose parameters so that the reduction yields a better one
6/44
![Page 15: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/15.jpg)
Exact security
Assume an adversary A breaks the security of a scheme withintime t with probability ε
Build an algorithm B that uses A to solve a computationalhard problem with probability ε′ ≥ f (ε) within time t ′ ≤ g(t)
Bounds matter: the greater f (ε) and the smaller g(t) are, thecloser the security of the scheme is related to the problem.
Choosing scheme parameters
What is the best known method to solve the problem?
Choose parameters so that the reduction yields a better one
6/44
![Page 16: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/16.jpg)
Game-based proofs
Security proofs in cryptography may be organized assequences of games [...] this can be a useful tool intaming the complexity of security proofs that mightotherwise become so messy, complicated, and subtle asto be nearly impossible to verifyV. Shoup
Game G0 :. . .. . .← A( . . . );. . .
Pr[G0 : A0]
Game G1 :. . .. . .. . .
≤ h1(Pr[G1 : A1])
· · ·
Game Gn :. . .. . .← B( . . . ). . .
≤ . . . ≤ hn(Pr[Gn : An])
Start from an initial game encoding the security goal
7/44
![Page 17: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/17.jpg)
Game-based proofs
Security proofs in cryptography may be organized assequences of games [...] this can be a useful tool intaming the complexity of security proofs that mightotherwise become so messy, complicated, and subtle asto be nearly impossible to verifyV. Shoup
Game G0 :. . .. . .← A( . . . );. . .
Pr[G0 : A0]
Game G1 :. . .. . .. . .
≤ h1(Pr[G1 : A1])
· · ·
Game Gn :. . .. . .← B( . . . ). . .
≤ . . . ≤ hn(Pr[Gn : An])
Stepwise transform the game keeping track of probabilities
7/44
![Page 18: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/18.jpg)
Game-based proofs
BA
Problem instance Solution
Game G0 :. . .. . .← A( . . . );. . .
Pr[G0 : A0]
Game G1 :. . .. . .. . .
≤ h1(Pr[G1 : A1])
· · ·
Game Gn :. . .. . .← B( . . . ). . .
≤ . . . ≤ hn(Pr[Gn : An])
Reach a final game encoding a computational assumption
7/44
![Page 19: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/19.jpg)
Things can still go wrong (e.g. RSA-OAEP)
1994
Bellare and Rogaway
2001
Shoup
Fujisaki, Okamoto, Pointcheval, Stern
2004
Pointcheval
2009
Bellare, Hofheinz, Kiltz
1994 Purported proof of chosen-ciphertext security
2001 Proof is flawed, but can be patched
1 ...for a weaker security notion, or2 ...for a modified scheme, or3 ...under stronger assumptions
2004 Filled gaps in Fujisaki et al. 2001 proof
2009 Security definition needs to be clarified
2010 Filled gaps and marginally improved bound in 2004 proof
8/44
![Page 20: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/20.jpg)
Beyond Provable Security: Verifiable Security
GoalBuild a framework to formalize game-based
cryptographic proofs
Provide foundations to game-based proofs
Notation as close as possible to the one used bycryptographers
Automate common reasoning patterns
Support exact security
Provide independently and automatically verifiable proofs
9/44
![Page 21: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/21.jpg)
CertiCryptLanguage-based cryptographic proofs
10/44
![Page 22: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/22.jpg)
A language-based approach
Security definitions, assumptions and games are formalized using aprobabilistic programming language
pWhile: a probabilistic programming language
C ::= skip nop| C; C sequence| V ← E assignment| V $← DE random sampling| if E then C else C conditional| while E do C while loop| V ← P(E , . . . , E) procedure call
x $← d : sample the value of x according to distribution d
The language of expressions (E) and distribution expressions(DE) admits user-defined extensions
11/44
![Page 23: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/23.jpg)
Some design choices
CertiCrypt is built on top of the Coq proof assistant
Deep-embedding formalization
Strongly-typed language
Syntax is dependently-typed(only well-typed programs are admitted)
Monadic semantics uses Paulin-Mohring’s ALEA Coq library
12/44
![Page 24: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/24.jpg)
Semantics
Measure Monad
Distributions represented as monotonic, linear and continuousfunctions of type
D(A) def= (A→ [0, 1])→ [0, 1]
unit : A→ D(A) def= λx . λf . f x
bind : D(A)→ (A→ D(B))→ D(B) def= λµ. λF . λf . µ(λx . F x f )
Intuition
Given µ ∈ D(A) and f : A→ [0, 1]µ(f ) represents the expected value of f w.r.t. µ
13/44
![Page 25: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/25.jpg)
Semantics
Programs map an initial memory to a distribution on finalmemories
Jc ∈ CK :M→D(M)
The probability of an event is the expected value of itscharacteristic function:
Pr[c ,m : A] def= JcK m 1A
Instrumented and parametrized semantics to characterize PPT:
Jc ∈ CKη :M→D(M× N)
14/44
![Page 26: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/26.jpg)
Semantics
Programs map an initial memory to a distribution on finalmemories
Jc ∈ CK :M→D(M)
The probability of an event is the expected value of itscharacteristic function:
Pr[c ,m : A] def= JcK m 1A
Instrumented and parametrized semantics to characterize PPT:
Jc ∈ CKη :M→D(M× N)
14/44
![Page 27: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/27.jpg)
Observational equivalence
Definition
f =X g def= ∀m1 m2. m1 =X m2 =⇒ f m1 = g m2
� c1 'IO c2
def= ∀m1 m2 f g .
m1 =I m2 ∧ f =O g =⇒ Jc1K m1 f = Jc2K m2 g
Example
� x $← {0, 1}k ; y ← x ⊕ z '{z}{x ,y ,z} y $← {0, 1}k ; x ← y ⊕ z
Useful to relate probabilities
fv(A) ⊆ O � c1 'IO c2 m1 =I m2
Pr[c1,m1 : A] = Pr[c2,m2 : A]
Only a Partial Equivalence Relation
� c 'IO c not true in general (obviously)
Generalizes information flow security (take I = O = Vlow)15/44
![Page 28: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/28.jpg)
Observational equivalence
Definition
f =X g def= ∀m1 m2. m1 =X m2 =⇒ f m1 = g m2
� c1 'IO c2
def= ∀m1 m2 f g .
m1 =I m2 ∧ f =O g =⇒ Jc1K m1 f = Jc2K m2 g
Example
� x $← {0, 1}k ; y ← x ⊕ z '{z}{x ,y ,z} y $← {0, 1}k ; x ← y ⊕ z
Useful to relate probabilities
fv(A) ⊆ O � c1 'IO c2 m1 =I m2
Pr[c1,m1 : A] = Pr[c2,m2 : A]
Only a Partial Equivalence Relation
� c 'IO c not true in general (obviously)
Generalizes information flow security (take I = O = Vlow)15/44
![Page 29: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/29.jpg)
Generalized relational equivalence
Probabilistic extension of Benton’s Relational Hoare Logic
Definition
� c1 ∼ c2 : Ψ⇒ Φ def= ∀m1 m2. m1 Ψ m2 =⇒ Jc1K m1 'Φ Jc2K m2
µ1 'Φ µ2 lifts relation Φ from memories to distributions.
µ1 'Φ µ2 holds if there exists a distribution µ on M×M s.t.
The 1st projection of µ coincides with µ1
The 2nd projection of µ coincides with µ2
Pairs with positive measure are in Φ
16/44
![Page 30: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/30.jpg)
Proving program equivalence
Goal
� c1 'IO c2
A Relational Hoare Logic generalized to arbitrary relations
� c1 ∼ c2 : Φ⇒ Φ′ � c ′1 ∼ c ′2 : Φ′ ⇒ Φ′′
� c1; c ′1 ∼ c2; c ′2 : Φ⇒ Φ′′[Seq]
� c1 ∼ c2 : Ψ⇒ Φ � c2 ∼ c3 : Ψ′ ⇒ Φ′
� c1 ∼ c3 : Ψ ◦Ψ′ ⇒ Φ ◦ Φ′[Comp]
. . .
17/44
![Page 31: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/31.jpg)
Proving program equivalence
Goal
� c1 'IO c2
Mechanized program transformations
Transformation: T (c1, c2, I ,O) = (c ′1, c′2, I′,O ′)
Soundness theorem
T (c1, c2, I ,O) = (c ′1, c′2, I′,O ′) � c ′1 'I ′
O′ c ′2� c1 'I
O c2
Reflection-based Coq tactic(replace reasoning by computation)
17/44
![Page 32: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/32.jpg)
Proving program equivalence
Goal
� c1 'IO c2
Mechanized program transformations
Dead code elimination (deadcode)
Constant folding and propagation (ep)
Procedure call inlining (inline)
Code movement (swap)
Common suffix/prefix elimination (eqobs hd, eqobs tl)
17/44
![Page 33: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/33.jpg)
Proving program equivalence
Goal
� c 'IO c
An –incomplete– tactic for self-equivalence(eqobs in)
Does � c 'IO c hold?
Analyze dependencies to compute I ′ s.t. � c 'I ′O c
Check that I ′ ⊆ I
Think about type systems for information flow security
17/44
![Page 34: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/34.jpg)
Reasoning about Failure Events
Lemma (Fundamental Lemma of Game-Playing)
Let A,B,F be events and G1,G2 be two games such that
Pr[G1 : A ∧ ¬F ] = Pr[G2 : B ∧ ¬F ]
Then, |Pr[G1 : A]− Pr[G2 : B]| ≤ max(Pr[G1 : F ],Pr[G2 : F ])
18/44
![Page 35: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/35.jpg)
Automation
Syntactic Criterion
When A = B and F = bad. If G0,G1 are syntactically identicalexcept after program points setting bad e.g.
Game G0 :. . .bad← true; c0
. . .
Game G1 :. . .bad← true; c1
. . .
then
Pr[G0 : A ∧ ¬bad] = Pr[G1 : A ∧ ¬bad]
If game Gi (ci ) terminates with probability 1:Pr[G1−i : bad] ≤ Pr[Gi : bad]
If both c0, c1 terminate absolutely:Pr[G0 : bad] = Pr[G1 : bad]
19/44
![Page 36: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/36.jpg)
Automation
Syntactic Criterion
When A = B and F = bad. If G0,G1 are syntactically identicalexcept after program points setting bad e.g.
Game G0 :. . .bad← true; c0
. . .
Game G1 :. . .bad← true; c1
. . .
then
Pr[G0 : A ∧ ¬bad] = Pr[G1 : A ∧ ¬bad]
If game Gi (ci ) terminates with probability 1:Pr[G1−i : bad] ≤ Pr[Gi : bad]
If both c0, c1 terminate absolutely:Pr[G0 : bad] = Pr[G1 : bad]
19/44
![Page 37: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/37.jpg)
Failure Event lemmaMotivation: the Fundamental Lemma is typically applied in gameswhere only oracles trigger bad.
IF the probability of triggering bad in an oracle call can bebound as a function of the number of oracle calls so far
THEN the probability of the whole game triggering bad canbe bound provided the number of oracle calls is bounded
Failure Event Lemma (simplified)
Assume that m(bad) = false
IF Pr[O,m : bad] ≤ p for every memory m such thatm(bad) = false
THEN Pr[G,m : bad] ≤ p qO
Hypothesis holds for oracle
O(x) : y $← T ; if y = y0 then bad← true else . . .
with p = 1/|T |20/44
![Page 38: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/38.jpg)
Application: PRP/PRF Switching Lemma
Game GRP :L← nil; b ← A()
Oracle O(x) :if x /∈ dom(L) theny $← {0, 1}` \ ran(L);L← (x , y) :: L
return L(x)
Game GRF :L← nil; b ← A()
Oracle O(x) :if x /∈ dom(L) theny $← {0, 1}`;L← (x , y) :: L
return L(x)
Suppose A makes at most q queries to O. Then
|Pr[GRP : b]− Pr[GRF : b]| ≤ q(q − 1)
2`+1
First introduced by Impagliazzo and Rudich in 1989
Proof fixed by Bellare and Rogaway (2006) and Shoup (2004)
21/44
![Page 39: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/39.jpg)
Proof
Game GRP :L← nil; b ← A()
Oracle O(x) :if x /∈ dom(L) theny $← {0, 1}`;if y ∈ ran(L) then ;
bad← true;y $← {0, 1}` \ ran(L)
L← (x , y) :: Lreturn L(x)
Game GRF :L← nil; b ← A()
Oracle O(x) :if x /∈ dom(L) theny $← {0, 1}`;if y ∈ ran(L) then ;
bad← true
L← (x , y) :: Lreturn L(x)
|Pr[GRP : b]− Pr[GRF : b]| ≤ Pr[GRF : bad]
22/44
![Page 40: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/40.jpg)
Proof
Failure Event Lemma (less simplified)
Let k be a counter for O and m(bad) = false:
IF Pr[O,m : bad] ≤ f (m(k)) for all memories m such thatm(bad) = false
THEN Pr[G,m : bad] ≤qO−1∑k=0
f (k)
Oracle O(x) :if x /∈ dom(L) theny $← {0, 1}`; if y ∈ ran(L) then bad← true;L← (x , y) :: L
return L(x)
Prove that
Pr[O,m : bad] ≤ |m(L)|2`
23/44
![Page 41: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/41.jpg)
Eager/Lazy Sampling
Interprocedural code motion
Eager sampling: from an oracle to main game
Lazy sampling: from main game to an oracle
Motivation
In crypto proofs
Often need to know that some values are independent anduniformly distributed at some program point
This holds when values can be resampled preservingsemantics!
To prove correctness of eager and lazy sampling, we developed alogic for swapping statements
� E , (c ; S) ' E ′, (S ; c ′)
24/44
![Page 42: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/42.jpg)
Application: PRP/PRF Switching Lemma
Game GeagerRF :
L← nil; S ; b ← A()
Oracle O(x) :if x 6∈ dom(L) then
if 0 < |Y| theny ← hd(Y); Y ← tl(Y)
else y $← {0, 1}`L← (x , y) :: L
return L(x)
where S def= Y ← [ ]; while |Y| < q do y $← {0, 1}`; Y ← Y ++ [y ]
Prove using the logic:
� ERF , (b ← A(); S) ≡ E eagerRF , (S ; b ← A())
Prove by induction:
Pr[GRF; S : bad] = Pr[GeagerRF : collision] =
q−1∑i=0
i
2`
25/44
![Page 43: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/43.jpg)
What does it take to trust a proof in CertiCrypt
Verification is fully-automated!(but proof construction is time-consuming)
You need to
trust the type checker of Coqtrust the language semanticsmake sure the security statement (a few lines in Coq) is asexpected
You don’t need to
understand or even read the prooftrust tactics, program transformationstrust program logics, wp-calculusbe an expert in Coq
26/44
![Page 44: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/44.jpg)
Zero-Knowledge Proofs
27/44
![Page 45: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/45.jpg)
Zero-Knowledge Proofs
Victor Peggy
28/44
![Page 46: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/46.jpg)
Zero-Knowledge Proofs
Victor Peggy
28/44
![Page 47: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/47.jpg)
Zero-Knowledge Proofs
Victor Peggy
28/44
![Page 48: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/48.jpg)
If you ever need to explain this to your kids
How to Explain Zero-Knowledge Protocols to your ChildrenJean-Jacques Quisquater, Louis C. Guillou. CRYPTO’89
29/44
![Page 49: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/49.jpg)
Properties of Zero-Knowledge Proofs
CompletenessA honest prover always convinces a honest verifier
SoundnessA dishonest prover (almost) never convinces a verifier
Zero-KnowledgeA verifier doesn’t learn anything from playing the protocol
30/44
![Page 50: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/50.jpg)
Formalizing Σ-Protocols
Prover knows (x ,w) s.t. R(x ,w) / Verifier knows only x
Prover Verifier
Computes commitment r
(r , state)← P1(x ,w)
r
c Samples challenge c
c $← C
Computes response s
s ← P2(x ,w , state, c)
s Accepts/rejects response
b ← V2(x , r , c , s)
31/44
![Page 51: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/51.jpg)
Formalizing Σ-Protocols
Prover knows (x ,w) s.t. R(x ,w) / Verifier knows only x
Prover Verifier
Computes commitment r
(r , state)← P1(x ,w) r
c
Samples challenge c
c $← C
Computes response s
s ← P2(x ,w , state, c) s
Accepts/rejects response
b ← V2(x , r , c , s)
31/44
![Page 52: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/52.jpg)
Formalizing Σ-Protocols
A Σ-protocol is given by:
Types for x ,w , r , s, state
A knowledge relation R
A challenge set C
Procedures P1, P2, V2
The protocol can be seen as a program
protocol(x ,w) :(r , state)← P1(x ,w);c $← C ;s ← P2(x ,w , state, c);b ← V2(x , r , c , s)
32/44
![Page 53: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/53.jpg)
Formalizing Σ-Protocols
Completeness
∀x ,w . R(x ,w) =⇒ Pr[protocol(x ,w) : b = true] = 1
Soundness
There exists a polynomial time procedure KE s.t.
c1 6= c2
(x , r , c1, s1) accepting(x , r , c2, s2) accepting
=⇒
Pr[w ← KE(x , r , c1, c2, s1, s2) : R(x ,w)] = 1
33/44
![Page 54: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/54.jpg)
Honest-Verifier ZK vs. Special Honest-Verifier ZK
protocol(x ,w) :(r , state)← P1(x ,w);c $← C ;s ← P2(x ,w , state, c);b ← V2(x , r , c , s)
protocol(x ,w , c) :(r , state)← P1(x ,w);s ← P2(x ,w , state, c);b ← V2(x , r , c, s)
Special Honest-Verifier ZK
∃S. ∀x ,w , c . R(x ,w) =⇒� protocol(x ,w , c) '{x ,c}{r ,c,s} (r , s)← S(x , c)
Honest-Verifier ZK
∃S. ∀x ,w . R(x ,w) =⇒� protocol(x ,w) '{x}{r ,c,s} (r , c, s)← S(x)
34/44
![Page 55: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/55.jpg)
Honest-Verifier ZK vs. Special Honest-Verifier ZK
protocol(x ,w) :(r , state)← P1(x ,w);c $← C ;s ← P2(x ,w , state, c);b ← V2(x , r , c , s)
protocol(x ,w , c) :(r , state)← P1(x ,w);s ← P2(x ,w , state, c);b ← V2(x , r , c, s)
Special Honest-Verifier ZK
∃S. ∀x ,w , c . R(x ,w) =⇒� protocol(x ,w , c) '{x ,c}{r ,c,s} (r , s)← S(x , c)
Honest-Verifier ZK
∃S. ∀x ,w . R(x ,w) =⇒� protocol(x ,w) '{x}{r ,c,s} (r , c, s)← S(x)
34/44
![Page 56: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/56.jpg)
Σφ-Protocols
Let φ be a homomorphism from an additive group (G,⊕) to amultiplicative group (H,⊗)
φ(a⊕ b) = φ(a)⊗ φ(b)
Homomorphism φ is special if there exists
1 a constant v ∈ Z2 a PPT-computable function u : H → G
such that ∀x ∈ φ[G]φ(u(x)) = xv
35/44
![Page 57: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/57.jpg)
Σφ-Protocols
A special homomorphism φ from an additive group (G,⊕) toa multiplicative group (H,⊗)c+ ∈ N smaller than any prime divisor of special exponent v
This protocol is a ZK proof of knowledge of preimages of φ:
R = {(x ,w) | x = φ(w)}
Prover Verifier
y $← G; r ← φ(y) r
c c $← [0..c+]
s ← y ⊕ cw s φ(s) ?= r ⊗ xc
36/44
![Page 58: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/58.jpg)
Formalized Σφ-Protocols
Protocol G → H φ(x) u(x) v
Schnorr Z+q → Z∗p g x 0 q
Okamoto (Z+q ,Z+
q )→ Z∗p g x11 ⊗ g x2
2 (0, 0) q
Diffie-Hellman Z+q → Z∗p × Z∗p (g x , gbx) 0 q
Fiat-Shamir Z∗N → Z∗N x2 x 2
Guillou-Quisquater Z∗N → Z∗N xe x e
Feige-Fiat-Shamir {−1, 1} × Z∗N → Z∗N s.x2 |x | 2
All these protocols are proved sound, complete and sHVZK in Coq
37/44
![Page 59: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/59.jpg)
Combination of Σφ-protocols
Special homomorphisms are closed under direct product
Proof.
Special homomorphisms φ1 : G1 → H1, φ2 : G2 → H2
φ : G1 × G2 → H1 ×H2
φ(x1, x2) = (φ(x1), φ(x2))
v def= lcm(v1, v2)
u(x1, x2) def= (u1(x1)v/v1 , u2(x2)v/v2)
A cheap and efficient way of combining Σφ-protocols to proveknowledge of several preimages!
...which bring us to combining arbitrary Σ-protocols
38/44
![Page 60: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/60.jpg)
Combination of Σφ-protocols
Special homomorphisms are closed under direct product
Proof.
Special homomorphisms φ1 : G1 → H1, φ2 : G2 → H2
φ : G1 × G2 → H1 ×H2
φ(x1, x2) = (φ(x1), φ(x2))
v def= lcm(v1, v2)
u(x1, x2) def= (u1(x1)v/v1 , u2(x2)v/v2)
A cheap and efficient way of combining Σφ-protocols to proveknowledge of several preimages!
...which bring us to combining arbitrary Σ-protocols
38/44
![Page 61: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/61.jpg)
Combination of Σ-Protocols
Given
a Σ-protocol (P1,V 1) for relation R1
a Σ-protocol (P2,V 2) for relation R2
Two basic ways of combining them. Given (x1, x2)
AND-combination: prove knowledge of (w1,w2) such that
R1(x1,w1) AND R2(x2,w2)
R def= {((x1, x2), (w1,w2)) | (x1,w1) ∈ R1 ∧ (x2,w2) ∈ R2}
OR-combination: prove knowledge of a w such that
R1(x1,w) OR R2(x2,w)
without revealing which is the case
R def= {((x1, x2),w) | (x1,w) ∈ R1 ∨ (x2,w) ∈ R2}
39/44
![Page 62: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/62.jpg)
AND-Combination
Prover Verifier
r1 ← P11 (x1,w1)
r2 ← P21 (x2,w2)
r1, r2
c c $← {0, 1}`
s1 ← P12 (x1,w1, c)
s2 ← P22 (x2,w2, c)
s1, s2V 1
2 (x1, r1, c , s1) ∧V 2
2 (x2, r2, c , s2)
Using the same challenge for both proofs is the key
Only possible if protocols are Special HVZK
40/44
![Page 63: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/63.jpg)
OR-Combination
Suppose w is a witness for x1, i.e. R1(x1,w)
Prover Verifier
r1 ← P11 (x1,w)
c2$← {0, 1}`
(r2, s2)← S2(x2, c2)
r1, r2
c c $← {0, 1}`
c1 ← c2 ⊕ cs1 ← P1
2 (x1,w , c1)s1, s2
c = c1 ⊕ c2 ∧V 1
2 (x1, r1, c , s1) ∧V 2
2 (x2, r2, c , s2)
Sound w.r.t. {((x1, x2),w) | (x1,w) ∈ R1 ∨ (x2,w) ∈ R2}41/44
![Page 64: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/64.jpg)
Conclusions
42/44
![Page 65: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/65.jpg)
Summary of contributions
A language-based approach to computational crypto proofs
Automated framework to formalize game-based proofs in Coq
Probabilistic extension of Relational Hoare Logic
Foundations for techniques used in crypto proofs
Several case studies
PRP/PRF switching lemmaChosen-plaintext security of ElGamalChosen-plaintext security of Hashed ElGamal in ROM and SMUnforgeability of Full-Domain Hash signaturesAdaptive chosen-ciphertext security of OAEPΣ-protocolsIBE (F. Olmedo), Golle-Juels (Z. Luo), BLS (M. Christofi)
43/44
![Page 66: Formal Certification of Game-Based Cryptographic Proofssoftware.imdea.org/~szanella/Zanella.2010.PhD.slides.pdfFormal Certi cation of Game-Based Cryptographic Proofs Santiago Zanella](https://reader033.fdocuments.us/reader033/viewer/2022051603/5febeb2d9f69c0653d2c6c3f/html5/thumbnails/66.jpg)
The road ahead
We fulfilled our goals, yet we don’t believe cryptographers willuse proofs assistants (or CertiCrypt) anytime soon
Started to bridge gap between fully formal machine-checkedproofs and pen-and-paper proof sketches
What if we start building from the other side?
Start from a proof sketch and try to fill in the blanks and justifyreasoning steps, building into the tool as much automation aspossible. Record and highlight unjustified proof steps and let theuser give finer-grained justifications—perhaps interactively, usingautomated tools.
44/44