Functions for Calculus Chapter 1- Linear, Quadratic, Polynomial and ...
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis
description
Transcript of Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis
![Page 1: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/1.jpg)
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis
J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague
P. Lincoln, P. Mateus, M. Mitchell
![Page 2: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/2.jpg)
Standard analysis methods Finite-state analysis Dolev-Yao model
• Symbolic search of protocol runs • Proofs of correctness in formal logic
Consider probability and complexity• More realistic intruder model• Interaction between protocol and
cryptography Harder
Easier
![Page 3: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/3.jpg)
Protocol analysis spectrum
Low High
Hig
hLo
wSo
phis
ticat
ion
of a
ttack
s
Protocol complexity
Mur
FDR
NRLAthena
Hand proofs
Paulson
Bolignano
BAN logic
Spi-calculus
Poly-time calculus
Model checking
Symbolic methods (MSR)
Protocol logic
![Page 4: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/4.jpg)
IKE subprotocol from IPSEC
A, (ga mod p)
B, (gb mod p)
Result: A and B share secret gab mod pAnalysis involves probability, modular exponentiation,
digital signatures, communication networks, …
A B
m1
m2 ,
signB(m1,m2)
signA(m1,m2)
![Page 5: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/5.jpg)
Equivalence-based specification Real protocol
• The protocol we want to use• Expressed precisely in some formalism
Idealized protocol• May use unrealistic mechanisms (e.g., private channels)• Defines the behavior we want from real protocol• Expressed precisely in same formalism
Specification• Real protocol indistinguishable from ideal protocol• Beaver ‘91, Goldwasser-Levin ‘90, Micali-Rogaway ’91• Depends on some characterization of observability
Achieves compositionality
![Page 6: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/6.jpg)
Compositionality (intuition)
Crypto primitives• Ciphertext indistinguishable from noise encryption secure in all protocols
Protocols• Protocol indistinguishable from ideal
key distribution protocol secure in all systems that
rely on secure key distributions
![Page 7: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/7.jpg)
Compositionality Intuitively, if:
• Q securely realizes I , • R securely realizes J, • R, J use I as a component,
then R{Q/I} securely realizes J
Fits well with process calculus because is a congruence
• Q I C[Q] C[I] • contexts constructed from R, J, simulators
![Page 8: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/8.jpg)
Language Approach Write protocol in process calculus
• Dolev-Yao model Express security using observational equivalence
• Standard relation from programming language theory P Q iff for all contexts C[ ], same observations about C[P] and C[Q]• Inherently compositional • Context (environment) represents adversary
Use proof rules for to prove security• Protocol is secure if no adversary can distinguish it from
some idealized version of the protocolGreat general idea; application is complicated
Roscoe ‘95, Schneider ‘96,
Abadi-Gordon’97
![Page 9: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/9.jpg)
Aspect of compositionality Property of observational equiv
A B C D A|C B|D
similarly for other process forms
![Page 10: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/10.jpg)
The proof is easy Recall definition
P Q iff for all contexts C[ ], same observations about C[P] and C[Q]
Assume• A B C[ ], C[A] C[B]
Therefore • For any C[ ], let C’[ ] = C[ | D]• By assumption, C’[A] C’[B]• Which means that A|D B|D
By similar reasoning• Can show A|C A|D • Therefore A|C A|D B|D
A B C D A|C B|D
![Page 11: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/11.jpg)
Probabilistic Poly-time Analysis Add probability, complexity Probabilistic polynomial-time process calc
• Protocols use probabilistic primitives– Key generation, nonce, probabilistic encryption, ...
• Adversary may be probabilistic Express protocol and spec in calculus Security using observational equivalence
• Use probabilistic form of process equivalence
![Page 12: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/12.jpg)
Pseudo-random number generators Sequence generated from random seed
Pn: let b = nk-bit sequence generated from n random bits in PUBLIC b end
Truly random sequenceQn: let b = sequence of nk random bits in PUBLIC b end
P is crypto strong pseudo-random number generatorP QEquivalence is asymptotic in security parameter
n
![Page 13: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/13.jpg)
Secrecy for Challenge-Response Protocol P
A B: { i } K
B A: { f(i) } K
“Obviously’’ secret protocol Q A B: { random_number } K
B A: { random_number } K
![Page 14: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/14.jpg)
Secrecy for Challenge-Response Protocol P
A B: { i } K
B A: { f(i) } K
“Obviously’’ secret protocol Q A B: { random_number } K B A: { random_number } K
Analysis: P Q reduces to crypto condition related to non-malleability [Dolev, Dwork, Naor]
– Fails for “plain old” RSA if f(i) = 2i
Non-malleability:Given only a ciphertext, it is difficult to generate
a different ciphertext so thatthe respective plaintexts
are related
![Page 15: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/15.jpg)
Security of encryption schemes Passive adversary
• Semantic security• Indistinguishability
Chosen ciphertext attacks (CCA1)• Adversary can ask for decryption
before receiving a challenge ciphertext Chosen ciphertext attacks (CCA2)
• Adversary can ask for decryption before and after receiving a challenge ciphertext
![Page 16: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/16.jpg)
Passive Adversary
Challenger Attacker
m0, m1
E(mi)
guess 0 or 1
![Page 17: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/17.jpg)
Chosen ciphertext CCA1
Challenger Attackerm0, m1
E(mi)guess 0 or 1
cD(c)
![Page 18: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/18.jpg)
Chosen ciphertext CCA2
Challenger Attacker
m0, m1
E(mi)
guess 0 or 1
cD(c)
c E(mj) D(c)
![Page 19: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/19.jpg)
Specification with Authentication Protocol P
A B: { random i } K
B A: { f(i) } K
A B: “OK” if f(i) received “Obviously’’ authenticating protocol Q
A B: { random i } K
B A: { random j } K i , j
A B: “OK” if private i, j match public msgs
public channel private channel
public channel private channel
![Page 20: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/20.jpg)
Methodology Define general system
• Process calculus• Probabilistic semantics• Asymptotic observational
equivalence Apply to protocols
• Protocols have specific form• “Attacker” is context of specific form
![Page 21: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/21.jpg)
Nondeterminism vs encryption Alice encrypts msg and sends to Bob
A B: { msg } K
Adversary uses nondeterminismProcess E0 c0 | c0 | … | c0 Process E1 c1 | c1 | … | c1
Process E c(b1).c(b2)...c(bn).decrypt(b1b2...bn, msg)
In reality, at most 2-n chance to guess n-bit key
![Page 22: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/22.jpg)
Related work Canetti; B. Pfitzmann, Waidner, Backes
• Interactive Turing machines• General framework for crypto properties• Protocol simulates an ideal setting• Universally composable security
Abadi, Rogaway, Jürjens; Herzog; Warinschi
• Toward transfer principles between formal Dolev-Yao model and computational model
![Page 23: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/23.jpg)
Technical Challenges Language for prob. poly-time functions
• Extend work of Cobham, Bellantoni, Cook, Hofmann
Replace nondeterminism with probability• Otherwise adversary is too strong ...
Define probabilistic equivalence• Related to poly-time statistical tests ...
Proof rules for probabilistic equivalence• Use the proof system to derive protocol
properties
![Page 24: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/24.jpg)
Syntax Bounded -calculus with integer terms
P :: = 0| cq(|n|) T send up to q(|n|) bits| cq(|n|) (x). P receive| cq(|n|) . P private channel| [T=T] P test| P | P parallel composition| ! q(|n|) . P bounded replication
Terms may contain symbol n; channel width and replication bounded by poly in |n|
Expressions have size poly in |n|
![Page 25: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/25.jpg)
Probabilistic Semantics Basic idea
• Alternate between terms and processes– Probabilistic evaluation of terms (incl. rand)– Probabilistic scheduling of parallel processes
Two evaluation phases• Outer term evaluation
– Evaluate all exposed terms, evaluate tests• Communication
– Match send and receive– Probabilistic if multiple send-receive pairs
![Page 26: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/26.jpg)
Scheduling Outer term evaluation
• Evaluate all exposed terms in parallel• Multiply probabilities
Communication• E(P) = set of eligible subprocesses• S(P) = set of schedulable pairs• Prioritize – private communication first• Probabilistic poly-time computable
scheduler that makes progress
![Page 27: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/27.jpg)
Example Process
• crand+1 | c(x).dx+1 | d2 | d(y). ex+1
Outer evaluation • c1 | c(x).dx+1 | d2 | d(y). ex+1• c2 | c(x).dx+1 | d2 | d(y). ex+1
Communication• c1 | c(x).dx+1 | d2 | d(y). ex+1
Each prob ½
Choose according to probabilistic scheduler
![Page 28: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/28.jpg)
Complexity results Polynomial time
• For each closed process expression P, there is a polynomial q(x) such that
– For all n– For all probabilistic polynomial-time
schedulers eval of P halts in time q(|n|)
![Page 29: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/29.jpg)
Complexity: Intuition Bound on number of communications
• Count total number of inputs, multiplying by q(|n|) to account for ! q(|n|) . P
Bound on term evaluation• Closed T evaluated in time qT(|n|)
Bound on time for each comm step• Example: cm | c(x).P [m/x]P • Substitution bounded by orig length of P
– Size of number m is bounded– Previous steps preserve # occurr of x in P
![Page 30: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/30.jpg)
How to define process equivalence? Intuition
• | Prob{ C[P] “yes” } - Prob{ C[Q] “yes” } | < Difficulty
• How do we choose ?– Less than 1/2, 1/4, … ? (not equiv relation)– Vanishingly small ? As a function of what?
Solution• Use security parameter
– Protocol is family { Pn } n>0 indexed by key length • Asymptotic form of process equivalence
Problem:
![Page 31: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/31.jpg)
Probabilistic Observational Equiv
Asymptotic equivalence within fProcess, context families { Pn } n>0 { Qn } n>0 { Cn } n>0
P f Q if contexts C[ ]. obs v. n0 . n> n0 . | Prob[Cn[Pn] v] - Prob[Cn[Qn] v] | < f(n)
Asymptotically polynomially indistinguishableP Q if P f Q for every polynomial f(n) = 1/p(n)
Final def’n gives robust equivalence relation
![Page 32: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/32.jpg)
One way to get equivalences Labeled transition system
• Evaluate process is a “maximally benevolent context”• Allows process read any input on a public channel or
send output even if no matching input exists in process
• Label with numbers “resembling probabilities” Bisimulation relation
• If P Q and P P’, then exists Q’ with Q Q’ and P’ Q’ , and vice versa
Strong form of prob equivalence• But enough to get started … [van Glabbeek – Smolka – Steffen]
r~~r
![Page 33: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/33.jpg)
Provable equivalences• Assume scheduler is stable under
bisimulation
P ~ Q C[P] ~ C[Q] P ~ Q P Q P | (Q | R) (P | Q) | R P | Q Q | P P | 0 P
![Page 34: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/34.jpg)
Provable equivalences P c. ( c<T> | c(x).P) x
FV(P) P{a/x} c. ( c<a> | c(x).P)
if bandwidth of c large enough P 0 if no public channels in P P Q P{d/c} Q{d/c}
c , d same bandwidth, d fresh c<T> c<T’>
if Prob[T a] = Prob[T’ a] all a
![Page 35: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/35.jpg)
Connections with modern crypto Cryptosystem consists of three parts
• Key generation• Encryption (often probabilistic) • Decryption
Many forms of security• Semantic security, non-malleability, chosen-
ciphertext security, … • Formal derivation of semantic security of ElGamal from DDH and vice versa
Common conditions use prob. games
![Page 36: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/36.jpg)
ElGamal cryptosystem n security parameter (e.g., key length) Gn cyclic group of prime order p , length of p roughly n , g generator of Gn Keys
• public g , y , private g , x s.t. y = gx
Encryption of m Gn • for random k {0, . . . , p-1} outputs gk , m yk
Decryption of v, w is w (vx)-1 • For v = gk , w = m yk get w (vx)-1 = m yk / gkx = m gxk / gkx = m
![Page 37: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/37.jpg)
Semantic security Known equivalent: indistinguishability of encryptions
• adversary can’t tell from the traffic which of the two chosen messages has been encrypted
• ElGamal: 1n , gk , m yk 1n , gk’ , m’ yk’
In case of ElGamal known to be equivalent to DDH Formally derivable using the proof rules
![Page 38: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/38.jpg)
Decision Diffie-Hellman DDH Standard crypto benchmark n security parameter (e.g., key length) Gn cyclic group of prime order p, length of p roughly n , g generator of Gn
For random a, b, c {0, . . . , p-1} ga , gb , gab ga , gb , gc
![Page 39: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/39.jpg)
DDH implies sem. sec. of ElGamal Start with ga , gb , gab ga , gb , gc (random
a,b,c) Build up statement of sem. sec. from this.
• in(c,<x,y>).out(c, gr, x.grx ) in(c,<x,y>).out(c, gr , y.grx )
The proof consists of• Structural transformations
– E.g., out(c,T(r); r random) out(c,U(r)) (any r) implies in(c,x).out(c,T(x) ) in(c,x).out(c,U(x) )
• Domain-specific axioms– E.g., out(c, ga , gb , gab ) out(c, ga , gb , gc ) implies out(c, ga , gb , Mgab ) out(c, ga , gb , Mgc ) (any M)
![Page 40: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/40.jpg)
Sem. sec. of ElGamal implies DDH Harder direction. Compositionality of makes ‘building
up’ easier than breaking down. Want to go from
in(c,<x,y>).out(c, gr,x.grx ) in(c,<x,y>).out(c, gr, y.grx )
to gx , gr , grx gx , gr , gc
Proof idea: if x = 1, then we essentially have DDH. The proof ’constructs’ a DDH tuple by
• Hiding all public channels except the output challenge• Setting a message to 1
Need structural rule equating a process with the term simulating the process• We use special case where process only has one
public output
![Page 41: Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis](https://reader034.fdocuments.us/reader034/viewer/2022051316/56815d33550346895dcb2e9e/html5/thumbnails/41.jpg)
Current State of Project Compositional framework for protocol analysis
• Precise language for studying security protocols• Replace nondeterminism with probability• Equivalence based on ptime statistical tests
Probabilistic ptime language Methods for establishing equivalence
• Probabilistic bisimulation technique Notion of compositionality Examples
• Decision Diffie-Hellman, semantic security, ElGamal encryption, computational indistinguishability
Applications• Study models of compositionality for security
protocols – Canetti (ITMs), Pfitzmann-Waidner (IOAs)