Escolar Documentos
Profissional Documentos
Cultura Documentos
Gilles Barthe
IMDEA Software Institute, Madrid, Spain
May 1, 2017
Ï S. Halevi: A plausible approach to computer-aided
cryptographic proofs
Ï M. Bellare and P. Rogaway: Code-Based Game-Playing Proofs
and the Security of Triple Encryption
Ï V. Shoup: Sequences of Games: A Tool for Taming
Complexity in Security Proofs
Computer-aided cryptography
Develop tool-assisted methodologies for helping the design,
analysis, and implementation of cryptographic constructions
(primitives and protocols)
Goals:
Ï Automated analysis of (symbolic or computational) security
Ï Verified implementations
Ï etc
Ï compilation (optimization)
Ï program synthesis
Ï etc
Potential benefits
Ï Code-based approach
Conditionals
Í {Φ ∧ b1 ∧ b2 } c1 ∼ c2 {Ψ} Í {Φ ∧ ¬b1 ∧ ¬b2 } c10 ∼ c20 {Ψ}
Í {Φ ∧ b1 = b2 } if b1 then c1 else c10 ∼ if b2 then c2 else c20 {Ψ}
Random assignment
1−1
f ∈ T −→ T ∀v ∈ T . µ1 (v ) = µ2 (f v )
$ µ
1 ∼ x2 ← µ2 {Q }
© ª
Í ∀v , Q[v /x1 , f v /x2 ] x1 ← $
Challenge
Ï Build sufficiently rich set of high-level rules
Ï Decision procedures
(Jutla and Roy 2012, Carmer and Rosulek 2016)
Automated proofs in ROM
Experiments
Ï Generated 1,000,000 candidates
Ï For CPA security: 99,5% solved by the tool
Ï For CCA security: 80% solved by tool
Ï Practical interpretation (sql database)
Ï Manual inspection for grey zone
Ï Interactive tutor
ZAEP
Ï OAEP (1994):
Ï SAEP (2001):
f (r ∥ (m ∥ 0) ⊕ G (r ))
Ï ZAEP (2012):
f (r || m ⊕ G (r ))
+ redundancy-free
+ INDCCA secure for RSA with exponent 2 and 3
Automated proofs in GGM
Product program
Ï Two copies of program in lockstep
Ï Check agreement at critical instructions (branching/memory)
Inspired from Zaks and Pnueli (2008)
Simplified case
Let f : A1 × A2 → B. The following are equivalent:
Ï there exists g : A2 → B s.t. f (a1 , a2 ) = g (a2 ) for every a1 , a2
Ï f (a1 , a2 ) = f (a10 , a2 ) for every a1 , a10 , a2
MaskVerif
Complexity
Reference Target # tuples Security
# sets time (s)
First-Order Masking
FSE13 full AES 17,206 4 3,342 128
MAC-SHA3 full Keccak-f 13,466 4 5,421 405
Second-Order Masking
RSA06 Sbox 1,188,111 4 4,104 1.649
1st -order
CHES10 Sbox 7,140 866 0.045
flaws (2)
CHES10 AES KS 23,041,866 4 771,263 340,745
FSE13 2 rnds AES 25,429,146 4 511,865 1,295
FSE13 4 rnds AES 109,571,806 4 2,317,593 40,169
Third-Order Masking
rd
3 -order
RSA06 Sbox 2,057,067,320 2,013,070 695
flaws (98, 176)
FSE13 Sbox(4) 4,499,950 4 33,075 3.894
FSE13 Sbox(5) 4,499,950 4 39,613 5.036
Fourth-Order Masking
FSE13 Sbox (4) 2, 277, 036, 685 4 3,343,587 879
Fifth-Order Masking
CHES10 ¯ 216,071,394 4 856,147 45
MaskComp
t0 Constraint:
A0
observations t0 + t1 + t2 + t3 É t
t1
A1
t2 observations
A2
observations
t3
A3
observations
Strong non-interference
show that any set of t intermediate variables with
- t1 on internal variables
- t2 = t − t1 on the outputs
can be simulated with at most t1 shares of each input
a0 a1 a2 a3
2 internal
observations
c0 c1 c2 c3 + 1 output
observation
t0 Constraint:
A0
observations t0 + t1 + t2 + t3 + tr É t
t1
A1
t2 observations
A2
observations
tr
internal ob-
servations
t3
A3
observations
Status