Towards Automated Security Proof for Symmetric Encryption Modes - PowerPoint PPT Presentation

About This Presentation
Title:

Towards Automated Security Proof for Symmetric Encryption Modes

Description:

Towards Automated Security Proof for Symmetric Encryption Modes. Martin Gagné. Joint work with Reihaneh Safavi-Naini, Pascal Lafourcade and Yassine Lakhnech.

Slides: 17

Transcript and Presenter's Notes

1
Towards Automated Security Proof for Symmetric
Encryption Modes
  • Martin Gagné
  • Joint work with Reihaneh Safavi-Naini, Pascal
    Lafourcade and Yassine Lakhnech
  • 2nd Canada-France Workshop on
  • Foundations Practice of Security
  • June 27, 2009

2
Motivation
  • Crypto protocols are becoming increasingly complicated
  • Verification is hard, and conditions are not
    always optimal
  • Sometimes mistakes get through, e.g. OAEP

3
Why use Automated Provers
  • Automated provers provide an alternative method for
    verifying the correctness of crypto protocols
  • Individual rules are easier to prove and verify than
    whole protocols
  • They increase confidence in the correctness of protocols

4
Methodology
  • We propose a grammar that can be used to generate
    cryptographic protocols
  • Determine properties (invariants) that are
    relevant for proving security of protocols
  • Determine and prove rules that propagate the
    invariants for each command in the grammar

5
Proving Confidentiality
  • The traditional notion of security for encryption
    schemes is semantic security (indistinguishability
    of two chosen ciphertexts)
  • Our prover proves something stronger: that the
    ciphertexts are indistinguishable from random bits

6
Block Cipher vs Mode of Operation
  • Block cipher: a family of keyed functions with
    fixed input and output size

7
Block Cipher vs Mode of Operation
  • Block cipher mode of operation: an algorithm to
    encrypt arbitrary-length messages using a block
    cipher

8
Our Grammar
  • c ::= x := U | x := e(y) | x := e^{-1}(y)
        | x := y ⊕ z | x := y || z | x := y[n,m]
        | x := y + 1 | c1; c2

9
Invariants
  • Indis(νx; V): x is indistinguishable from random
    given the values in V
  • E(e,x): the probability that x has been queried
    to e is negligible
  • F(x): x is a fresh random value
  • Rcounter(x): x is the most recent value of a
    counter that started at a fresh random value

10
Rules
  • Random Assignment
  • (R1) {true} x := U {F(x)}
  • Lemma: F(x) implies Indis(νx; Var) and E(e,x)
  • Increment
  • (I1) {F(y)} x := y + 1 {Rcounter(x) and E(e,x)
    and Indis(νy; Var - x)}
  • (I2) {Rcounter(y)} x := y + 1 {Rcounter(x) and
    E(e,x)}

11
Rules (continued)
  • Xor Operator
  • (X1) {Indis(νy; V,y,z)} x := y ⊕ z
    {Indis(νx; V,x,z)}
  • (X2) {Indis(νy; V,x,z)} x := y ⊕ z
    {Indis(νy; V,z)}
  • (X4) {F(y)} x := y ⊕ z {E(e,x)}
  • Block Cipher
  • (B1) {E(e,y)} x := e(y) {F(x)}
  • Generic Preservation
  • (G1) {Indis(νt; V)} c {Indis(νt; V)}
  • if t is not in V, c is either x := U, x := y || z,
    x := y ⊕ z or x := e(y), and t is not x, y or z

12
Example of Proof
  • CBC encryption mode

13
Example of Proof
  • Program for CBC (for 3 message blocks)
  • IV := U
  • z1 := IV ⊕ m1
  • c1 := e(z1)
  • z2 := c1 ⊕ m2
  • c2 := e(z2)
  • z3 := c2 ⊕ m3
  • c3 := e(z3)
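The invariant propagation the proof on the next slide performs, as an added Python example (mine, not the talk's own prover) that applies the rules of slides 10 and 11 to the CBC program above, generalised to any number of blocks and with a fixed-IV variant that the check rejects. Facts are tuples ("F", x), ("E", x) and ("Indis", t, V) for F(x), E(e,x) and Indis(νt; V), and commands are ("rand", x) for x := U, ("xor", x, y, z) for x := y ⊕ z and ("enc", x, y) for x := e(y). It fixes readings the slides leave open, which are this example's assumptions: F(y) is consumed once y is used as an operand, E(e,·) facts persist, and G1 preserves Indis(νt; V) when t is none of x, y, z and either x is not in V, both operands are already in V, or the newly assigned x is fresh (x := U, or x := e(y) with E(e,y)).

```python
# Added example, not the talk's own tool: a toy propagator for the rules on
# slides 10-11, run over the CBC program of slide 13. This example's readings:
# F(y) is consumed once y is used as an operand; E(e,.) persists; G1 keeps
# Indis(t;V) if t is not x,y,z and x is not in V, or y,z are in V, or x is fresh.
def propagate(program, var):
    facts = set()
    for op, x, *args in program:
        ops, new = set(args), set()
        fresh = op == "rand" or (op == "enc" and ("E", args[0]) in facts)
        for f in facts:
            if f[0] == "E" and f[1] != x:
                new.add(f)
            elif f[0] == "F" and f[1] != x and f[1] not in ops:
                new.add(f)
            elif f[0] == "Indis":
                t, v = f[1], f[2]
                if op == "xor" and t == args[0] and {x, args[1]} <= v:   # (X2)
                    new.add(("Indis", t, v - {x}))
                elif t != x and t not in ops and (x not in v or ops <= v or fresh):
                    new.add(f)                                           # (G1)
        if op == "rand":                                                 # (R1)
            new.add(("F", x))
        elif op == "xor":
            y, z = args
            for f in facts:                                              # (X1)
                if f[0] == "Indis" and f[1] == y and {y, z} <= f[2]:
                    new.add(("Indis", x, (f[2] - {y}) | {x}))
            if ("F", y) in facts:                                        # (X4)
                new.add(("E", x))
        elif op == "enc" and ("E", args[0]) in facts:                   # (B1)
            new.add(("F", x))
        if ("F", x) in new:                                   # lemma on slide 10
            new |= {("Indis", x, frozenset(var)), ("E", x)}
        facts = new
    return facts

def cbc(blocks=3, random_iv=True):  # slide 13's program; random_iv=False: fixed IV
    prog, prev = ([("rand", "IV")] if random_iv else []), "IV"
    for i in range(1, blocks + 1):
        prog += [("xor", f"z{i}", prev, f"m{i}"), ("enc", f"c{i}", f"z{i}")]
        prev = f"c{i}"
    return prog

def ciphertext_is_random(program, blocks=3):  # IV and every c_i Indis given all seen?
    var = {"IV"} | {f"{p}{i}" for p in "mzc" for i in range(1, blocks + 1)}
    seen = var - {f"z{i}" for i in range(1, blocks + 1)}
    facts = propagate(program, var)
    return all(any(f[0] == "Indis" and f[1] == o and seen <= f[2] for f in facts)
               for o in seen if not o.startswith("m"))
```

With a random IV the propagator ends with Indis(νIV; Var - z1), Indis(νc1; Var - z2), Indis(νc2; Var - z3) and Indis(νc3; Var), which is exactly the goal of the proof; with a fixed IV no E(e, z1) fact is ever derived, so B1 never fires and no ciphertext block is shown random.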

14
Example of Proof

15
Conclusion and Future Directions
  • We presented a grammar and logic rules that can
    be used to prove the security of many symmetric
    modes of operation (CBC, CFB, OFB, CTR)
  • We intend to test this grammar and rules on more
    complex modes of operation. This may suggest new
    rules that we have not yet considered
  • We may need to modify the grammar to include more
    operations and cryptographic primitives
  • We could try to use our method to prove security
    properties other than confidentiality of
    encryption

16
Questions?