Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
EasyCrypt - Lecture 5High-level Proof Principles
Benedikt Schmidt
Tuesday November 25th
Lecture 5 - High-Level Proof Principles
1. Bounding probabilities:– pHL and failure event lemma (fel)– reusable modules to bound guessing and collision probabilities
2. Plug&Pray
3. Code movement for random samplings:– the eager tactic– replacing lazily with eagerly sampled random functions
4. Example: IND-CPA$ security of CBC mode
5. Hybrid arguments
2
Lecture 5 - High-Level Proof Principles
1. Bounding probabilities:– pHL and failure event lemma (fel)– reusable modules to bound guessing and collision probabilities
2. Plug&Pray
3. Code movement for random samplings:– the eager tactic– replacing lazily with eagerly sampled random functions
4. Example: IND-CPA$ security of CBC mode
5. Hybrid arguments
2
Lecture 5 - High-Level Proof Principles
1. Bounding probabilities:– pHL and failure event lemma (fel)– reusable modules to bound guessing and collision probabilities
2. Plug&Pray
3. Code movement for random samplings:– the eager tactic– replacing lazily with eagerly sampled random functions
4. Example: IND-CPA$ security of CBC mode
5. Hybrid arguments
2
Lecture 5 - High-Level Proof Principles
1. Bounding probabilities:– pHL and failure event lemma (fel)– reusable modules to bound guessing and collision probabilities
2. Plug&Pray
3. Code movement for random samplings:– the eager tactic– replacing lazily with eagerly sampled random functions
4. Example: IND-CPA$ security of CBC mode
5. Hybrid arguments
2
Lecture 5 - High-Level Proof Principles
1. Bounding probabilities:– pHL and failure event lemma (fel)– reusable modules to bound guessing and collision probabilities
2. Plug&Pray
3. Code movement for random samplings:– the eager tactic– replacing lazily with eagerly sampled random functions
4. Example: IND-CPA$ security of CBC mode
5. Hybrid arguments
2
Probability Bounds: Guessing Game
module type Adv =run : () → Fq
module GuessR(A : Adv) =proc main() =
var s, xs =$ DFq
x = A.run()return s = x
Use pHL:
1. swap sampling and A.run()⇒ x fixed when s sampled2. rnd with event s = x3. call(_:true) for A.run()4. unfold definition of DFq
Prove Pr[GuessR(A).main : res] ≤ 1/q
3
Probability Bounds: Guessing Game
module type Adv =run : () → Fq
module GuessR(A : Adv) =proc main() =
var s, xs =$ DFq
x = A.run()return s = x
Use pHL:
1. swap sampling and A.run()⇒ x fixed when s sampled2. rnd with event s = x3. call(_:true) for A.run()4. unfold definition of DFq
Prove Pr[GuessR(A).main : res] ≤ 1/q
3
Probability Bounds: Guessing Game
module type Adv =run : () → Fq
module GuessR(A : Adv) =proc main() =
var s, xs =$ DFq
x = A.run()return s = x
Use pHL:
1. swap sampling and A.run()⇒ x fixed when s sampled
2. rnd with event s = x3. call(_:true) for A.run()4. unfold definition of DFq
Prove Pr[GuessR(A).main : res] ≤ 1/q
3
Probability Bounds: Guessing Game
module type Adv =run : () → Fq
module GuessR(A : Adv) =proc main() =
var s, xx = A.run()s =$ DFq
return s = x
Use pHL:
1. swap sampling and A.run()⇒ x fixed when s sampled
2. rnd with event s = x3. call(_:true) for A.run()4. unfold definition of DFq
Prove Pr[GuessR(A).main : res] ≤ 1/q
3
Probability Bounds: Guessing Game
module type Adv =run : () → Fq
module GuessR(A : Adv) =proc main() =
var s, xx = A.run()s =$ DFq
return s = x
Use pHL:
1. swap sampling and A.run()⇒ x fixed when s sampled2. rnd with event s = x
3. call(_:true) for A.run()4. unfold definition of DFq
Prove Pr[GuessR(A).main : res] ≤ 1/q
3
Probability Bounds: Guessing Game
module type Adv =run : () → Fq
module GuessR(A : Adv) =proc main() =
var s, xx = A.run()s =$ DFq
return s = x
Use pHL:
1. swap sampling and A.run()⇒ x fixed when s sampled2. rnd with event s = x3. call(_:true) for A.run()
4. unfold definition of DFq
Prove Pr[GuessR(A).main : res] ≤ 1/q
3
Probability Bounds: Guessing Game
module type Adv =run : () → Fq
module GuessR(A : Adv) =proc main() =
var s, xx = A.run()s =$ DFq
return s = x
Use pHL:
1. swap sampling and A.run()⇒ x fixed when s sampled2. rnd with event s = x3. call(_:true) for A.run()4. unfold definition of DFq
Prove Pr[GuessR(A).main : res] ≤ 1/q
3
Probability Bounds: Generalize Guessing Game
type Taxiom finite_T : finite <:T>
const n : nataxiom n_pos : n > 0.
module type Adv =run : () → T set
module GuessR(A : Adv) =proc main() =
var s, sXs =$ DTsX = A.run()return s ∈ sX ∧ |sX | ≤ n
Prove Pr[GuessR(A).main : res] ≤ n/|T |
4
Probability Bounds: Generalize Guessing Game
type Taxiom finite_T : finite <:T>
const n : nataxiom n_pos : n > 0.
module type Adv =run : () → T set
module GuessR(A : Adv) =proc main() =
var s, sXs =$ DTsX = A.run()return s ∈ sX ∧ |sX | ≤ n
Prove Pr[GuessR(A).main : res] ≤ n/|T |4
Probability Bounds: n-Guessing Game
type Taxiom finite_T : finite <:T>
const nc : intaxiom nc_pos : nc > 0.
module type GO =guess : T → T
module type Adv(O : GO) =run : () → ()
module GuessC(FA : Adv) =module G : GO =
proc guess(x) =s =$ DTif c < nc
if s = x {win = true}c = c + 1
return s
module A = FA(G)
proc main() =win = falsec = 0A.run()
Prove Pr[GuessC(A).main : win] ≤ nc/|T |
5
Probability Bounds: n-Guessing Game
type Taxiom finite_T : finite <:T>
const nc : intaxiom nc_pos : nc > 0.
module type GO =guess : T → T
module type Adv(O : GO) =run : () → ()
module GuessC(FA : Adv) =module G : GO =
proc guess(x) =s =$ DTif c < nc
if s = x {win = true}c = c + 1
return s
module A = FA(G)
proc main() =win = falsec = 0A.run()
Prove Pr[GuessC(A).main : win] ≤ nc/|T |
5
Probability Bounds: Failure Event LemmaWe want to bound the probability of triggering win for:
proc guess(x) =s =$ DTif c < nc
if s = x {win = true}c = c + 1
return s
Give counter value (c), upper bound bound (nc) andprobability bound of setting flag (win) in single call (1/|T |).
1. Prove probability bound for flag setting,2. counter increases monotonically until it hits bound, and3. if counter is exhausted, then flag will never be set.
=⇒ Pr [G : win] ≤ Σnc−1i=0 h(i) where h(i) = 1/|T |
6
Probability Bounds: Failure Event LemmaWe want to bound the probability of triggering win for:
proc guess(x) =s =$ DTif c < nc
if s = x {win = true}c = c + 1
return s
Give counter value (c), upper bound bound (nc) andprobability bound of setting flag (win) in single call (1/|T |).
1. Prove probability bound for flag setting,2. counter increases monotonically until it hits bound, and3. if counter is exhausted, then flag will never be set.
=⇒ Pr [G : win] ≤ Σnc−1i=0 1/|T |
6
Probability Bounds: Failure Event LemmaWe want to bound the probability of triggering win for:
proc guess(x) =s =$ DTif c < nc
if s = x {win = true}c = c + 1
return s
Give counter value (c), upper bound bound (nc) andprobability bound of setting flag (win) in single call (1/|T |).
1. Prove probability bound for flag setting,2. counter increases monotonically until it hits bound, and3. if counter is exhausted, then flag will never be set.
=⇒ Pr [G : win] ≤ nc/|T |6
Probability Bounds: Generalized n-Guessing Game
type T .axiom finite_T : finite <:T>
const nc : nataxiom nc_pos : nc > 0.
const ns : nataxiom ns_pos : ns > 0.
module type GO =guess : T set → T
module type Adv(O : GO) =run : () → ()
module GuessC(FA : Adv) =module G =
proc guess(sX ) =s =$ DTif c < nc
if s ∈ sX ∧ |sX | ≤ nswin = true
c = c + 1return s
module A = FA(G)
proc main() =win = falsec = 0A.run()
Lemma: ∀ A. Pr[GuessC(A).main : win] ≤ (nc ∗ ns)/|T |
Given game G(B) and some event bad1, to boundPr[G(B) : bad ] ≤ (s ∗ l)/q :
1 Clone theory:instantiate type T and bounds nc and ns
2 Express G(B) as adversary A(B) against GuessC3 Prove Pr[G(B) : bad ] = Pr[GuessC(A(B)) : win]4 Apply (cloned) Lemma to get bound1: Adversary B guesses some value in Fq
7
Probability Bounds: Generalized n-Guessing Game
type T .axiom finite_T : finite <:T>
const nc : nataxiom nc_pos : nc > 0.
const ns : nataxiom ns_pos : ns > 0.
module type GO =guess : T set → T
module type Adv(O : GO) =run : () → ()
module GuessC(FA : Adv) =module G =
proc guess(sX ) =s =$ DTif c < nc
if s ∈ sX ∧ |sX | ≤ nswin = true
c = c + 1return s
module A = FA(G)
proc main() =win = falsec = 0A.run()
Lemma: ∀ A. Pr[GuessC(A).main : win] ≤ (nc ∗ ns)/|T |
Given game G(B) and some event bad1, to boundPr[G(B) : bad ] ≤ (s ∗ l)/q :
1 Clone theory:instantiate type T and bounds nc and ns
2 Express G(B) as adversary A(B) against GuessC3 Prove Pr[G(B) : bad ] = Pr[GuessC(A(B)) : win]4 Apply (cloned) Lemma to get bound1: Adversary B guesses some value in Fq
7
Probability Bounds: Generalized n-Guessing Game
type T .axiom finite_T : finite <:T>
const nc : nataxiom nc_pos : nc > 0.
const ns : nataxiom ns_pos : ns > 0.
module type GO =guess : T set → T
module type Adv(O : GO) =run : () → ()
module GuessC(FA : Adv) =module G =
proc guess(sX ) =s =$ DTif c < nc
if s ∈ sX ∧ |sX | ≤ nswin = true
c = c + 1return s
module A = FA(G)
proc main() =win = falsec = 0A.run()
Lemma: ∀ A. Pr[GuessC(A).main : win] ≤ (nc ∗ ns)/|T |
Given game G(B) and some event bad1, to boundPr[G(B) : bad ] ≤ (s ∗ l)/q :
1 Clone theory:instantiate type T and bounds nc and ns
2 Express G(B) as adversary A(B) against GuessC3 Prove Pr[G(B) : bad ] = Pr[GuessC(A(B)) : win]4 Apply (cloned) Lemma to get bound1: Adversary B guesses some value in Fq
7
Plug & Pray: bound without fel
G =proc guess(x) =
s =$ DTif c < nc
if s = x {win = true}c = c + 1
return s
proc main() =win = falsec = 0A.runguess()
Pr[G : win = true] ≤ nc/q
8
Plug & Pray: store when flag set
G =proc guess(x) =
s =$ DTif c < nc
if s = x {win = true}c = c + 1
return s
proc main() =win = falsec = 0A.runguess()
G1 =proc guess(x) =
s =$ DTif c < nc
if s = x {win = Some c}c = c + 1
return s
proc main() =win = Nonec = 0A.runguess()
Pr[G : win = true] = Pr[G1 : ∃ i ∈ [0..nc). win = Some i ]
9
Plug & Pray: guess when flag will be set
G1 =proc guess(x) =
s =$ DTif c < nc
if s = x {win = Some c}c = c + 1
return s
proc main() =win = Nonec = 0A.runguess()
G2 =proc guess(x) =
s =$ DTif c < nc
if s = x {win = Some c}c = c + 1
return s
proc main() =i =$ [0..nc)win = Nonec = 0A.runguess()
Pr[G1 : ∃ i ∈ [0..nc). win = Some i ] ≤ nc ∗Pr[G2 : win = Some i ]
Packaged as a functor that adds the sampling of i :
PnP(G) =i =$ [0, n); resG = G .main(); return(i , resG)
define ϕ (glob G) = index for bad and prove thatϕ (glob G) ∈ [0, n)=⇒
Pr[G : res]≤ n ∗ Pr[PnP(G) : snd res ∧ ϕ (glob G) = fst res]
10
Plug & Pray: guess when flag will be set
G1 =proc guess(x) =
s =$ DTif c < nc
if s = x {win = Some c}c = c + 1
return s
proc main() =win = Nonec = 0A.runguess()
G2 =proc guess(x) =
s =$ DTif c < nc
if s = x {win = Some c}c = c + 1
return s
proc main() =i =$ [0..nc)win = Nonec = 0A.runguess()
Pr[G1 : ∃ i ∈ [0..nc). win = Some i ] ≤ nc ∗Pr[G2 : win = Some i ]
Packaged as a functor that adds the sampling of i :
PnP(G) =i =$ [0, n); resG = G .main(); return(i , resG)
define ϕ (glob G) = index for bad and prove thatϕ (glob G) ∈ [0, n)=⇒
Pr[G : res]≤ n ∗ Pr[PnP(G) : snd res ∧ ϕ (glob G) = fst res]
10
Plug & Pray: guess when flag will be set
G1 =proc guess(x) =
s =$ DTif c < nc
if s = x {win = Some c}c = c + 1
return s
proc main() =win = Nonec = 0A.runguess()
G2 =proc guess(x) =
s =$ DTif c < nc
if s = x {win = Some c}c = c + 1
return s
proc main() =i =$ [0..nc)win = Nonec = 0A.runguess()
Pr[G1 : ∃ i ∈ [0..nc). win = Some i ] ≤ nc ∗Pr[G2 : win = Some i ]
Packaged as a functor that adds the sampling of i :
PnP(G) =i =$ [0, n); resG = G .main(); return(i , resG)
define ϕ (glob G) = index for bad and prove thatϕ (glob G) ∈ [0, n)=⇒
Pr[G : res]≤ n ∗ Pr[PnP(G) : snd res ∧ ϕ (glob G) = fst res]
10
Plug & Pray: exploit that we know i
G2 =proc guess(x) =
s =$ DTif c < nc
if s = x {win = Some c}c = c + 1
return s
proc main() =i =$ [0..nc)win = Nonec = 0A.runguess()
G3 =proc guess(x) =
s =$ DTif c < nc
if s = x ∧ i = cwin = true
c = c + 1return s
proc main() =i =$ [0..nc)win = falsec = 0A.runguess()
Pr[G2 : win = Some i ] ≤ Pr[G3 : win = true]
11
Plug & Pray: rewrite some more exploiting i
G3 =proc guess(x) =
s =$ DTif c < nc
if s = x ∧ i = cwin = true
c = c + 1return s
proc main() =i =$ [0..nc)win = false; c = 0A.runguess()
G4 =proc guess(x) =
c = c + 1if c < i
s =$ DTreturn s
else if c = is =$ DTif s = x {win = true}
return defaultT
proc main() =i =$ [0..nc)win = false; c = 0A.runguess()
Pr[G3 : win = true] = Pr[G4 : win = true]12
Plug & Pray: move sampling and test to main
G4 =proc guess(x) =
c = c + 1if c < i
s =$ DTreturn s
else if c = is =$ DTif s = x {win = true}
return defaultT
proc main() =i =$ [0..nc)win = false; c = 0A.runguess()
G5 =proc guess(x) =
c = c + 1if c < i
s =$ DTreturn s
else if c = ix_i = x //store in global
return defaultT
proc main() =i =$ [0..nc); c = 0A.runguess()s =$ DTwin = (s = x_i)
Pr[G4 : win = true] = Pr[G5 : win = true]
Pr[G5 : win = true] = 1/|T | now trivial (rnd)Combined with previous steps:Pr[G : win = true] ≤ nc /|T |BUT: How do we move the sampling to main?
13
Plug & Pray: move sampling and test to main
G4 =proc guess(x) =
c = c + 1if c < i
s =$ DTreturn s
else if c = is =$ DTif s = x {win = true}
return defaultT
proc main() =i =$ [0..nc)win = false; c = 0A.runguess()
G5 =proc guess(x) =
c = c + 1if c < i
s =$ DTreturn s
else if c = ix_i = x //store in global
return defaultT
proc main() =i =$ [0..nc); c = 0A.runguess()s =$ DTwin = (s = x_i)
Pr[G4 : win = true] = Pr[G5 : win = true]
Pr[G5 : win = true] = 1/|T | now trivial (rnd)Combined with previous steps:Pr[G : win = true] ≤ nc /|T |BUT: How do we move the sampling to main?
13
Plug & Pray: move sampling and test to main
G4 =proc guess(x) =
c = c + 1if c < i
s =$ DTreturn s
else if c = is =$ DTif s = x {win = true}
return defaultT
proc main() =i =$ [0..nc)win = false; c = 0A.runguess()
G5 =proc guess(x) =
c = c + 1if c < i
s =$ DTreturn s
else if c = ix_i = x //store in global
return defaultT
proc main() =i =$ [0..nc); c = 0A.runguess()s =$ DTwin = (s = x_i)
Pr[G4 : win = true] = Pr[G5 : win = true]
Pr[G5 : win = true] = 1/|T | now trivial (rnd)Combined with previous steps:Pr[G : win = true] ≤ nc /|T |BUT: How do we move the sampling to main?
13
Code movement for random samplingseager tactic: Show that command csamp can be commuted
from start of game to end of game. This includes proofobligations that csamp commutes with oracle bodies.Example: csamp = if (G [x ] = None) {G [x ] =$ DT }
lazy/eager RF: Indistinguishability theorem for randomfunction with finite domain.Pr [G(RFlazy , A) : res] = Pr [G(RFeager , A) : res] where:
G(RF , A) :RF .init()b = ARF .query()return b
RFlazy :proc init() = m = {}
proc query(x) =if x ∈ dom m
m[x ] =$ T ′
return m[x ]
RFeager :proc init() =
m =$ D(T ,T ′) map
proc query(x) =return m[x ]
14
Example: CBC modeLet F = (KG, F ) denote a pseudo random permutation (PRP):
k = KG()
proc enc(m : {0, 1}n list) =s =$ {0, 1}n
c = sfor i = 0 to |m| − 1
s = Fk(s ⊕ mi)c = c || s
return c
15
IND-CPA$ security of CBC modeLet F = (KG, F ) denote a PRP, then A.run must distinguishCBC(F) from a random ciphertext to win IND-CPA$.
proc enc(m) =c = [ ]s =$ {0, 1}n
c = c || sfor i = 0 to |m| − 1
s = Fk(s ⊕ mi)c = c || s
return c
k = KG()return A.runenc()
proc enc(m) =c = [ ]for i = 0 to |m|
s =$ {0, 1}n
c = c || sreturn c
return A.runenc()
bound Pr[CBC1(A) : res] − Pr[IND-CPA$(A) : res]
16
CBC: Apply PRP-security and RP/RFproc enc(m) =
c = [ ]s =$ {0, 1}n
c = c || sfor i = 0 to |m| − 1
s = Fk(s ⊕ mi)c = c || s
return c
k = KG()return A.runenc()
proc enc(m) =c = [ ]s =$ {0, 1}n
c = c || sfor i = 0 to |m| − 1
if (s ⊕ mi /∈ dom G)G [s ⊕ mi ] =
$ {0, 1}n
s = G [s ⊕ mi ]c = c || s
return c
G = {}return A.runenc()
Pr[CBC1(A) : res] ≤ Pr[CBC2(A) : res] + ϵPRP/RP + ϵRP/RF
17
CBC: Replace RF calls by random samplingsproc enc(m) =
c = [ ]s =$ {0, 1}n
c = c || sfor i = 0 to |m| − 1
if (s ⊕ mi /∈ dom G)G [s ⊕ mi ] =
$ {0, 1}n
s = G [s ⊕ mi ]c = c || s
return c
G = {}return A.runenc()
proc enc(m) =c = [ ]s =$ {0, 1}n
c = c || sfor i = 0 to |m| − 1
if (s ⊕ mi ∈ L) {bad = true}L = {s ⊕ mi} ∪ Ls =$ {0, 1}n
c = c || sreturn c
bad = falseL = ∅return A.runenc()
Pr[CBC2(A) : res] ≤ Pr[CBC3(A) : res]+Pr[CBC3(A) : bad ]Pr[CBC3(A) : res] = Pr[IND-CPA$(A) : res]
18
CBC: Rearrange loopproc enc(m) =
c = [ ]s =$ {0, 1}n
c = c || sfor i = 0 to |m| − 1
if (s ⊕ mi ∈ L) {bad = true}L = {s ⊕ mi} ∪ Ls =$ {0, 1}n
c = c || sreturn c
bad = falseL = ∅return A.runenc()
proc enc(m) =c = [ ]for i = 0 to |m| − 1
s =$ {0, 1}n
c = c || sif (s ⊕ mi ∈ L) {bad = true}L = {s ⊕ mi} ∪ L
s =$ {0, 1}n
c = c || sreturn c
bad = falseL = ∅return A.runenc()
Pr[CBC3(A) : res] = Pr[CBC4(A) : res]
19
CBC: Optimistic Samplingproc enc(m) =
c = [ ]for i = 0 to |m| − 1
s =$ {0, 1}n
c = c || sif (s ⊕ mi ∈ L) {bad = true}L = {s ⊕ mi} ∪ L
s =$ {0, 1}n
c = c || sreturn c
bad = falseL = ∅return A.runenc()
proc enc(m) =c = [ ]for i = 0 to |m| − 1
s =$ {0, 1}n
c = c || s ⊕ miif (s ∈ L) {bad = true}L = {s} ∪ L
s =$ {0, 1}n
c = c || sreturn c
bad = falseL = ∅return A.runenc()
Pr[CBC4(A) : res] = Pr[CBC5(A) : res]
20
CBC: Reduce to n-Guessing Gameproc enc(m) =
c = [ ]for i = 0 to |m| − 1
s =$ {0, 1}n
c = c || s ⊕ miif (s ∈ L) {bad = true}L = {s} ∪ L
s =$ {0, 1}n
c = c || sreturn c
bad = falseL = ∅return A.runenc()
proc enc(m) =c = [ ]for i = 0 to |m| − 1
s = guess(L)c = c || s ⊕ mi
L = {s} ∪ Ls =$ {0, 1}n
c = c || sreturn c
L = ∅return A.runenc()
Pr[CBC4(A) : res] = Pr[GuessC(B(A)) : win] ≤ (nc ∗nm)2/2n
21
CBC: Alternative approach using Plug&PrayThis proof is slightly more work, but does not require the looptransformation.
▶ Start with game CBC3 that introduces bad : bound bad
▶ Store query index c and block i where bad is set.▶ Guess c and i .▶ Case distinction i = 0:
Collision on IV =⇒ unfold once and bound event“randomly sampled IV queried already to RF”
▶ Case distinction i > 0:Collision on intermediate value =⇒ split out i-th iteration(sampling) and (i + 1)-th iteration (test) of the loop andbound event “state sampled in i-th iteration queriedalready to RF”
22
CBC: Alternative approach using Plug&PrayThis proof is slightly more work, but does not require the looptransformation.
▶ Start with game CBC3 that introduces bad : bound bad▶ Store query index c and block i where bad is set.
▶ Guess c and i .▶ Case distinction i = 0:
Collision on IV =⇒ unfold once and bound event“randomly sampled IV queried already to RF”
▶ Case distinction i > 0:Collision on intermediate value =⇒ split out i-th iteration(sampling) and (i + 1)-th iteration (test) of the loop andbound event “state sampled in i-th iteration queriedalready to RF”
22
CBC: Alternative approach using Plug&PrayThis proof is slightly more work, but does not require the looptransformation.
▶ Start with game CBC3 that introduces bad : bound bad▶ Store query index c and block i where bad is set.▶ Guess c and i .
▶ Case distinction i = 0:Collision on IV =⇒ unfold once and bound event“randomly sampled IV queried already to RF”
▶ Case distinction i > 0:Collision on intermediate value =⇒ split out i-th iteration(sampling) and (i + 1)-th iteration (test) of the loop andbound event “state sampled in i-th iteration queriedalready to RF”
22
CBC: Alternative approach using Plug&PrayThis proof is slightly more work, but does not require the looptransformation.
▶ Start with game CBC3 that introduces bad : bound bad▶ Store query index c and block i where bad is set.▶ Guess c and i .▶ Case distinction i = 0:
Collision on IV =⇒ unfold once and bound event“randomly sampled IV queried already to RF”
▶ Case distinction i > 0:Collision on intermediate value =⇒ split out i-th iteration(sampling) and (i + 1)-th iteration (test) of the loop andbound event “state sampled in i-th iteration queriedalready to RF”
22
CBC: Alternative approach using Plug&PrayThis proof is slightly more work, but does not require the looptransformation.
▶ Start with game CBC3 that introduces bad : bound bad▶ Store query index c and block i where bad is set.▶ Guess c and i .▶ Case distinction i = 0:
Collision on IV =⇒ unfold once and bound event“randomly sampled IV queried already to RF”
▶ Case distinction i > 0:Collision on intermediate value =⇒ split out i-th iteration(sampling) and (i + 1)-th iteration (test) of the loop andbound event “state sampled in i-th iteration queriedalready to RF”
22
Hybrid arguments: n-IND-CPA security▶ Assume: Pr[IND-CPA0 : res]− Pr[IND-CPA1 : res] small
proc main() =(pk , sk) =$ KG()(m0, m1) = A.choose(pk)b′ = A.guess(Epk(mb))return b′
▶ Get: Pr[n-IND-CPA0 : res]− Pr[n-IND-CPA1 : res] small
proc main() =(pk , sk) =$ KG()b′ = B.runenc(pk)return b′
proc enc(m0, m1) =return Epk(mb)
23
Hybrid Argument: Summary▶ Allows us to go from 1-IND-CPA to n-IND-CPA, loss n
▶ Intuition: to prove that a sequence of n oracle calls toOL
i and ORi is indistiguishable, it suffices to show that
we can replace on oracle call at an arbitrary position i :
≈OL
1 . . . OLi−1 OL
i ORi+1 . . . OR
n
OL1 . . . OL
i−1 ORi OR
i+1 . . . ORn
=⇒ ≈OL
1 . . . OLn
OR1 . . . OR
n
▶ Formalized in EasyCrypt as instantiable functor▶ Key step in proving security of constructions using Dual
System Technique [Waters’09]: replace real oracle O bysemi-functional oracle O′ using Hybrid argument
24
Hybrid Argument: Summary▶ Allows us to go from 1-IND-CPA to n-IND-CPA, loss n▶ Intuition: to prove that a sequence of n oracle calls to
OLi and OR
i is indistiguishable, it suffices to show thatwe can replace on oracle call at an arbitrary position i :
≈OL
1 . . . OLi−1 OL
i ORi+1 . . . OR
n
OL1 . . . OL
i−1 ORi OR
i+1 . . . ORn
=⇒ ≈OL
1 . . . OLn
OR1 . . . OR
n
▶ Formalized in EasyCrypt as instantiable functor▶ Key step in proving security of constructions using Dual
System Technique [Waters’09]: replace real oracle O bysemi-functional oracle O′ using Hybrid argument
24
Hybrid Argument: Summary▶ Allows us to go from 1-IND-CPA to n-IND-CPA, loss n▶ Intuition: to prove that a sequence of n oracle calls to
OLi and OR
i is indistiguishable, it suffices to show thatwe can replace on oracle call at an arbitrary position i :
≈OL
1 . . . OLi−1 OL
i ORi+1 . . . OR
n
OL1 . . . OL
i−1 ORi OR
i+1 . . . ORn
=⇒ ≈OL
1 . . . OLn
OR1 . . . OR
n
▶ Formalized in EasyCrypt as instantiable functor▶ Key step in proving security of constructions using Dual
System Technique [Waters’09]: replace real oracle O bysemi-functional oracle O′ using Hybrid argument
24
Hybrid Argument: Summary▶ Allows us to go from 1-IND-CPA to n-IND-CPA, loss n▶ Intuition: to prove that a sequence of n oracle calls to
OLi and OR
i is indistiguishable, it suffices to show thatwe can replace on oracle call at an arbitrary position i :
≈OL
1 . . . OLi−1 OL
i ORi+1 . . . OR
n
OL1 . . . OL
i−1 ORi OR
i+1 . . . ORn
=⇒ ≈OL
1 . . . OLn
OR1 . . . OR
n
▶ Formalized in EasyCrypt as instantiable functor
▶ Key step in proving security of constructions using DualSystem Technique [Waters’09]: replace real oracle O bysemi-functional oracle O′ using Hybrid argument
24
Hybrid Argument: Summary▶ Allows us to go from 1-IND-CPA to n-IND-CPA, loss n▶ Intuition: to prove that a sequence of n oracle calls to
OLi and OR
i is indistiguishable, it suffices to show thatwe can replace on oracle call at an arbitrary position i :
≈OL
1 . . . OLi−1 OL
i ORi+1 . . . OR
n
OL1 . . . OL
i−1 ORi OR
i+1 . . . ORn
=⇒ ≈OL
1 . . . OLn
OR1 . . . OR
n
▶ Formalized in EasyCrypt as instantiable functor▶ Key step in proving security of constructions using Dual
System Technique [Waters’09]: replace real oracle O bysemi-functional oracle O′ using Hybrid argument
24
Lecture 5 - SummaryWe learned about:
▶ Bounding probabilities: by using fel, by defining andapplying parametric hardness theorems, and by usingPlug&Pray
▶ Code movement: by using eager and by defining anapplying parametric indistinguishability theorems
▶ Hybrid argument: lift indistinguishability assumption from1 to n
25