EasyCrypt - Lecture 5 High-level Proof Principles · Lecture 5 - High-Level Proof Principles 1. Bounding probabilities: – pHL and failure event lemma (fel) – reusable modules

EasyCrypt - Lecture 5High-level Proof Principles

Benedikt Schmidt

Tuesday November 25th

Lecture 5 - High-Level Proof Principles

1. Bounding probabilities:– pHL and failure event lemma (fel)– reusable modules to bound guessing and collision probabilities

2. Plug&Pray

3. Code movement for random samplings:– the eager tactic– replacing lazily with eagerly sampled random functions

4. Example: IND-CPA$ security of CBC mode

5. Hybrid arguments

2



2. Plug&Pray



5. Hybrid arguments

2



2. Plug&Pray



5. Hybrid arguments

2



2. Plug&Pray



5. Hybrid arguments

2



2. Plug&Pray



5. Hybrid arguments

2

Probability Bounds: Guessing Game

module type Adv =run : () → Fq

module GuessR(A : Adv) =proc main() =

var s, xs =$ DFq

x = A.run()return s = x

Use pHL:

1. swap sampling and A.run()⇒ x fixed when s sampled2. rnd with event s = x3. call(_:true) for A.run()4. unfold definition of DFq

Prove Pr[GuessR(A).main : res] ≤ 1/q

3




var s, xs =$ DFq


Use pHL:



3




var s, xs =$ DFq


Use pHL:

1. swap sampling and A.run()⇒ x fixed when s sampled

2. rnd with event s = x3. call(_:true) for A.run()4. unfold definition of DFq


3




var s, xx = A.run()s =$ DFq

return s = x

Use pHL:

1. swap sampling and A.run()⇒ x fixed when s sampled

2. rnd with event s = x3. call(_:true) for A.run()4. unfold definition of DFq


3





return s = x

Use pHL:

1. swap sampling and A.run()⇒ x fixed when s sampled2. rnd with event s = x

3. call(_:true) for A.run()4. unfold definition of DFq


3





return s = x

Use pHL:

1. swap sampling and A.run()⇒ x fixed when s sampled2. rnd with event s = x3. call(_:true) for A.run()

4. unfold definition of DFq


3





return s = x

Use pHL:



3

Probability Bounds: Generalize Guessing Game

type Taxiom finite_T : finite <:T>

const n : nataxiom n_pos : n > 0.

module type Adv =run : () → T set


var s, sXs =$ DTsX = A.run()return s ∈ sX ∧ |sX | ≤ n

Prove Pr[GuessR(A).main : res] ≤ n/|T |

4

Probability Bounds: Generalize Guessing Game


const n : nataxiom n_pos : n > 0.

module type Adv =run : () → T set


var s, sXs =$ DTsX = A.run()return s ∈ sX ∧ |sX | ≤ n

Prove Pr[GuessR(A).main : res] ≤ n/|T |4

Probability Bounds: n-Guessing Game


const nc : intaxiom nc_pos : nc > 0.

module type GO =guess : T → T

module type Adv(O : GO) =run : () → ()

module GuessC(FA : Adv) =module G : GO =

proc guess(x) =s =$ DTif c < nc

if s = x {win = true}c = c + 1

return s

module A = FA(G)

proc main() =win = falsec = 0A.run()

Prove Pr[GuessC(A).main : win] ≤ nc/|T |

5

Probability Bounds: n-Guessing Game


const nc : intaxiom nc_pos : nc > 0.

module type GO =guess : T → T


module GuessC(FA : Adv) =module G : GO =



return s

module A = FA(G)


Prove Pr[GuessC(A).main : win] ≤ nc/|T |

5

Probability Bounds: Failure Event LemmaWe want to bound the probability of triggering win for:



return s

Give counter value (c), upper bound bound (nc) andprobability bound of setting flag (win) in single call (1/|T |).

1. Prove probability bound for flag setting,2. counter increases monotonically until it hits bound, and3. if counter is exhausted, then flag will never be set.

=⇒ Pr [G : win] ≤ Σnc−1i=0 h(i) where h(i) = 1/|T |

6




return s



=⇒ Pr [G : win] ≤ Σnc−1i=0 1/|T |

6




return s



=⇒ Pr [G : win] ≤ nc/|T |6

Probability Bounds: Generalized n-Guessing Game

type T .axiom finite_T : finite <:T>

const nc : nataxiom nc_pos : nc > 0.

const ns : nataxiom ns_pos : ns > 0.

module type GO =guess : T set → T


module GuessC(FA : Adv) =module G =

proc guess(sX ) =s =$ DTif c < nc

if s ∈ sX ∧ |sX | ≤ nswin = true

c = c + 1return s

module A = FA(G)


Lemma: ∀ A. Pr[GuessC(A).main : win] ≤ (nc ∗ ns)/|T |

Given game G(B) and some event bad1, to boundPr[G(B) : bad ] ≤ (s ∗ l)/q :

1 Clone theory:instantiate type T and bounds nc and ns

2 Express G(B) as adversary A(B) against GuessC3 Prove Pr[G(B) : bad ] = Pr[GuessC(A(B)) : win]4 Apply (cloned) Lemma to get bound1: Adversary B guesses some value in Fq

7










c = c + 1return s

module A = FA(G)






7










c = c + 1return s

module A = FA(G)






7

Plug & Pray: bound without fel

G =proc guess(x) =

s =$ DTif c < nc


return s

proc main() =win = falsec = 0A.runguess()

Pr[G : win = true] ≤ nc/q

8

Plug & Pray: store when flag set

G =proc guess(x) =

s =$ DTif c < nc


return s

proc main() =win = falsec = 0A.runguess()

G1 =proc guess(x) =

s =$ DTif c < nc

if s = x {win = Some c}c = c + 1

return s

proc main() =win = Nonec = 0A.runguess()

Pr[G : win = true] = Pr[G1 : ∃ i ∈ [0..nc). win = Some i ]

9

Plug & Pray: guess when flag will be set

G1 =proc guess(x) =

s =$ DTif c < nc


return s


G2 =proc guess(x) =

s =$ DTif c < nc


return s

proc main() =i =$ [0..nc)win = Nonec = 0A.runguess()

Pr[G1 : ∃ i ∈ [0..nc). win = Some i ] ≤ nc ∗Pr[G2 : win = Some i ]

Packaged as a functor that adds the sampling of i :

PnP(G) =i =$ [0, n); resG = G .main(); return(i , resG)

define ϕ (glob G) = index for bad and prove thatϕ (glob G) ∈ [0, n)=⇒

Pr[G : res]≤ n ∗ Pr[PnP(G) : snd res ∧ ϕ (glob G) = fst res]

10


G1 =proc guess(x) =

s =$ DTif c < nc


return s


G2 =proc guess(x) =

s =$ DTif c < nc


return s







10


G1 =proc guess(x) =

s =$ DTif c < nc


return s


G2 =proc guess(x) =

s =$ DTif c < nc


return s







10

Plug & Pray: exploit that we know i

G2 =proc guess(x) =

s =$ DTif c < nc


return s


G3 =proc guess(x) =

s =$ DTif c < nc

if s = x ∧ i = cwin = true

c = c + 1return s

proc main() =i =$ [0..nc)win = falsec = 0A.runguess()

Pr[G2 : win = Some i ] ≤ Pr[G3 : win = true]

11

Plug & Pray: rewrite some more exploiting i

G3 =proc guess(x) =

s =$ DTif c < nc

if s = x ∧ i = cwin = true

c = c + 1return s

proc main() =i =$ [0..nc)win = false; c = 0A.runguess()

G4 =proc guess(x) =

c = c + 1if c < i

s =$ DTreturn s

else if c = is =$ DTif s = x {win = true}

return defaultT


Pr[G3 : win = true] = Pr[G4 : win = true]12

Plug & Pray: move sampling and test to main

G4 =proc guess(x) =

c = c + 1if c < i

s =$ DTreturn s


return defaultT


G5 =proc guess(x) =

c = c + 1if c < i

s =$ DTreturn s

else if c = ix_i = x //store in global

return defaultT

proc main() =i =$ [0..nc); c = 0A.runguess()s =$ DTwin = (s = x_i)

Pr[G4 : win = true] = Pr[G5 : win = true]

Pr[G5 : win = true] = 1/|T | now trivial (rnd)Combined with previous steps:Pr[G : win = true] ≤ nc /|T |BUT: How do we move the sampling to main?

13


G4 =proc guess(x) =

c = c + 1if c < i

s =$ DTreturn s


return defaultT


G5 =proc guess(x) =

c = c + 1if c < i

s =$ DTreturn s


return defaultT




13


G4 =proc guess(x) =

c = c + 1if c < i

s =$ DTreturn s


return defaultT


G5 =proc guess(x) =

c = c + 1if c < i

s =$ DTreturn s


return defaultT




13

Code movement for random samplingseager tactic: Show that command csamp can be commuted

from start of game to end of game. This includes proofobligations that csamp commutes with oracle bodies.Example: csamp = if (G [x ] = None) {G [x ] =$ DT }

lazy/eager RF: Indistinguishability theorem for randomfunction with finite domain.Pr [G(RFlazy , A) : res] = Pr [G(RFeager , A) : res] where:

G(RF , A) :RF .init()b = ARF .query()return b

RFlazy :proc init() = m = {}

proc query(x) =if x ∈ dom m

m[x ] =$ T ′

return m[x ]

RFeager :proc init() =

m =$ D(T ,T ′) map

proc query(x) =return m[x ]

14

Example: CBC modeLet F = (KG, F ) denote a pseudo random permutation (PRP):

k = KG()

proc enc(m : {0, 1}n list) =s =$ {0, 1}n

c = sfor i = 0 to |m| − 1

s = Fk(s ⊕ mi)c = c || s

return c

15

IND-CPA$ security of CBC modeLet F = (KG, F ) denote a PRP, then A.run must distinguishCBC(F) from a random ciphertext to win IND-CPA$.

proc enc(m) =c = [ ]s =$ {0, 1}n

c = c || sfor i = 0 to |m| − 1

s = Fk(s ⊕ mi)c = c || s

return c

k = KG()return A.runenc()

proc enc(m) =c = [ ]for i = 0 to |m|

s =$ {0, 1}n

c = c || sreturn c

return A.runenc()

bound Pr[CBC1(A) : res] − Pr[IND-CPA$(A) : res]

16

CBC: Apply PRP-security and RP/RFproc enc(m) =

c = [ ]s =$ {0, 1}n

c = c || sfor i = 0 to |m| − 1

s = Fk(s ⊕ mi)c = c || s

return c

k = KG()return A.runenc()

proc enc(m) =c = [ ]s =$ {0, 1}n

c = c || sfor i = 0 to |m| − 1

if (s ⊕ mi /∈ dom G)G [s ⊕ mi ] =

$ {0, 1}n

s = G [s ⊕ mi ]c = c || s

return c

G = {}return A.runenc()

Pr[CBC1(A) : res] ≤ Pr[CBC2(A) : res] + ϵPRP/RP + ϵRP/RF

17

CBC: Replace RF calls by random samplingsproc enc(m) =

c = [ ]s =$ {0, 1}n

c = c || sfor i = 0 to |m| − 1

if (s ⊕ mi /∈ dom G)G [s ⊕ mi ] =

$ {0, 1}n

s = G [s ⊕ mi ]c = c || s

return c

G = {}return A.runenc()

proc enc(m) =c = [ ]s =$ {0, 1}n

c = c || sfor i = 0 to |m| − 1

if (s ⊕ mi ∈ L) {bad = true}L = {s ⊕ mi} ∪ Ls =$ {0, 1}n

c = c || sreturn c

bad = falseL = ∅return A.runenc()

Pr[CBC2(A) : res] ≤ Pr[CBC3(A) : res]+Pr[CBC3(A) : bad ]Pr[CBC3(A) : res] = Pr[IND-CPA$(A) : res]

18

CBC: Rearrange loopproc enc(m) =

c = [ ]s =$ {0, 1}n

c = c || sfor i = 0 to |m| − 1

if (s ⊕ mi ∈ L) {bad = true}L = {s ⊕ mi} ∪ Ls =$ {0, 1}n

c = c || sreturn c


proc enc(m) =c = [ ]for i = 0 to |m| − 1

s =$ {0, 1}n

c = c || sif (s ⊕ mi ∈ L) {bad = true}L = {s ⊕ mi} ∪ L

s =$ {0, 1}n

c = c || sreturn c


Pr[CBC3(A) : res] = Pr[CBC4(A) : res]

19

CBC: Optimistic Samplingproc enc(m) =

c = [ ]for i = 0 to |m| − 1

s =$ {0, 1}n

c = c || sif (s ⊕ mi ∈ L) {bad = true}L = {s ⊕ mi} ∪ L

s =$ {0, 1}n

c = c || sreturn c



s =$ {0, 1}n

c = c || s ⊕ miif (s ∈ L) {bad = true}L = {s} ∪ L

s =$ {0, 1}n

c = c || sreturn c


Pr[CBC4(A) : res] = Pr[CBC5(A) : res]

20

CBC: Reduce to n-Guessing Gameproc enc(m) =

c = [ ]for i = 0 to |m| − 1

s =$ {0, 1}n

c = c || s ⊕ miif (s ∈ L) {bad = true}L = {s} ∪ L

s =$ {0, 1}n

c = c || sreturn c



s = guess(L)c = c || s ⊕ mi

L = {s} ∪ Ls =$ {0, 1}n

c = c || sreturn c

L = ∅return A.runenc()

Pr[CBC4(A) : res] = Pr[GuessC(B(A)) : win] ≤ (nc ∗nm)2/2n

21

CBC: Alternative approach using Plug&PrayThis proof is slightly more work, but does not require the looptransformation.

▶ Start with game CBC3 that introduces bad : bound bad

▶ Store query index c and block i where bad is set.▶ Guess c and i .▶ Case distinction i = 0:

Collision on IV =⇒ unfold once and bound event“randomly sampled IV queried already to RF”

▶ Case distinction i > 0:Collision on intermediate value =⇒ split out i-th iteration(sampling) and (i + 1)-th iteration (test) of the loop andbound event “state sampled in i-th iteration queriedalready to RF”

22


▶ Start with game CBC3 that introduces bad : bound bad▶ Store query index c and block i where bad is set.

▶ Guess c and i .▶ Case distinction i = 0:



22


▶ Start with game CBC3 that introduces bad : bound bad▶ Store query index c and block i where bad is set.▶ Guess c and i .

▶ Case distinction i = 0:Collision on IV =⇒ unfold once and bound event“randomly sampled IV queried already to RF”


22


▶ Start with game CBC3 that introduces bad : bound bad▶ Store query index c and block i where bad is set.▶ Guess c and i .▶ Case distinction i = 0:



22


▶ Start with game CBC3 that introduces bad : bound bad▶ Store query index c and block i where bad is set.▶ Guess c and i .▶ Case distinction i = 0:



22

Hybrid arguments: n-IND-CPA security▶ Assume: Pr[IND-CPA0 : res]− Pr[IND-CPA1 : res] small

proc main() =(pk , sk) =$ KG()(m0, m1) = A.choose(pk)b′ = A.guess(Epk(mb))return b′

▶ Get: Pr[n-IND-CPA0 : res]− Pr[n-IND-CPA1 : res] small

proc main() =(pk , sk) =$ KG()b′ = B.runenc(pk)return b′

proc enc(m0, m1) =return Epk(mb)

23

Hybrid Argument: Summary▶ Allows us to go from 1-IND-CPA to n-IND-CPA, loss n

▶ Intuition: to prove that a sequence of n oracle calls toOL

i and ORi is indistiguishable, it suffices to show that

we can replace on oracle call at an arbitrary position i :

≈OL

1 . . . OLi−1 OL

i ORi+1 . . . OR

n

OL1 . . . OL

i−1 ORi OR

i+1 . . . ORn

=⇒ ≈OL

1 . . . OLn

OR1 . . . OR

n

▶ Formalized in EasyCrypt as instantiable functor▶ Key step in proving security of constructions using Dual

System Technique [Waters’09]: replace real oracle O bysemi-functional oracle O′ using Hybrid argument

24

Hybrid Argument: Summary▶ Allows us to go from 1-IND-CPA to n-IND-CPA, loss n▶ Intuition: to prove that a sequence of n oracle calls to

OLi and OR

i is indistiguishable, it suffices to show thatwe can replace on oracle call at an arbitrary position i :

≈OL

1 . . . OLi−1 OL

i ORi+1 . . . OR

n

OL1 . . . OL

i−1 ORi OR

i+1 . . . ORn

=⇒ ≈OL

1 . . . OLn

OR1 . . . OR

n



24


OLi and OR


≈OL

1 . . . OLi−1 OL

i ORi+1 . . . OR

n

OL1 . . . OL

i−1 ORi OR

i+1 . . . ORn

=⇒ ≈OL

1 . . . OLn

OR1 . . . OR

n



24


OLi and OR


≈OL

1 . . . OLi−1 OL

i ORi+1 . . . OR

n

OL1 . . . OL

i−1 ORi OR

i+1 . . . ORn

=⇒ ≈OL

1 . . . OLn

OR1 . . . OR

n

▶ Formalized in EasyCrypt as instantiable functor

▶ Key step in proving security of constructions using DualSystem Technique [Waters’09]: replace real oracle O bysemi-functional oracle O′ using Hybrid argument

24


OLi and OR


≈OL

1 . . . OLi−1 OL

i ORi+1 . . . OR

n

OL1 . . . OL

i−1 ORi OR

i+1 . . . ORn

=⇒ ≈OL

1 . . . OLn

OR1 . . . OR

n



24

Lecture 5 - SummaryWe learned about:

▶ Bounding probabilities: by using fel, by defining andapplying parametric hardness theorems, and by usingPlug&Pray

▶ Code movement: by using eager and by defining anapplying parametric indistinguishability theorems

▶ Hybrid argument: lift indistinguishability assumption from1 to n

25

Documents

EasyCrypt - Lecture 5 High-level Proof Principles · Lecture 5 - High-Level Proof Principles 1. Bounding probabilities: – pHL and failure event lemma (fel) – reusable modules