A probabilistic polynomial-time calculus for the analysis of cryptographic protocols

Computational and Information-Theoretic Soundness and
Completeness of the Expanded
Logics of Formal Encryption
Pedro Adão*, Gergei Bana**, Andre Scedrov**
* Center for Logic and Computation, Instituto Superior Técnico, Lisbon; partially supported by FCT
** University of Pennsylvania; partially supported by ONR CIP/SW URI
The Problem
• Relationship between two different approaches to
cryptography/security: formal and computational
• Formal approach
• uses simple, manageable formal language to
describe cryptographic protocols
• amenable to automation and computer tools
• its accuracy (how much of real cryptography it captures) is unclear
• Computational approach
• harder to handle mathematically
• proofs by hand
• seems more accurate, hence widely accepted
Abadi-Rogaway Approach
• Very simple formal language along with its
interpretation by means of probabilistic
ensembles in a computational cryptographic
setting.
• Two notions of equivalence: one for the
formal, one for the computational setting.
Then, it makes sense to try to prove:
• Soundness: if two formal expressions are
equivalent, then their computational
interpretations are equivalent,
• Completeness: vice versa.
Logic of Formal Encryption
• The Logic of Formal Encryption defined in
[Abadi, Rogaway 2000] is a logic defined in
the classical Dolev-Yao style. The terms are
represented as:
• b, for a block of 0's and 1's;
• K, for a key;
• (M1,M2), for a pair of terms;
• {M}K, for the encryption of term M with
the key K;
• Example
( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )
Computational View
• Basic components of symmetric
encryption:
• Key generation algorithm K, which on input the
security parameter randomly generates a key string
• Encryption algorithm Ek, encrypts with
the key k, coin-tossing allowed.
• Decryption algorithm Dk, with Dk( Ek (x) ) = x
Interpretation of Formal
Expressions
• Computational interpretation is a random variable:
• Run key-generation as many times as the number of keys in the
formal expression and give each output the label "key": ⟨k5,"key"⟩
• Blocks become fixed labeled strings: ⟨101,"block"⟩
• Formal encryption { }K is replaced by ⟨Ek( ),"cipher"⟩
• Formal pairing ( , ) is replaced by ⟨ , ,"pair"⟩
• Example:
• {({101}K2,K5)}K2 translates to the random variable
⟨Ek2( ⟨ ⟨Ek2(⟨101,"block"⟩),"cipher"⟩ , ⟨k5,"key"⟩ ,"pair"⟩ ),"cipher"⟩.
• The keys k2, k5 are randomly generated, and the two encrypting
functions have independent randomness as well.
Formal Equivalence
• Formal equivalence (≅)
Two expressions are equivalent if, after replacing everything that is
indecipherable with a box □, we obtain the same formal pattern up
to key renaming
• Example:
( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )
has the pattern
( (K2, □) , ( {({101}K2,K5)}K2, { □ }K5) )
same up to key renaming (K2 ↦ K1)
( (K1, □) , ( {({101}K1,K5)}K1, { □ }K5) )
which is the pattern of
( (K1,{K1}K7) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )
Computational Equivalence
• Computational equivalence (≈)
Two probabilistic ensembles are
computationally equivalent if they cannot
be distinguished by any probabilistic
polynomial time algorithm
Soundness and Completeness
• A formal expression such as ({expression}K1,0) is interpreted as a string
ensemble whose components carry the labels "cipher", "block" and "pair"
• Soundness: if ({expression}K1,0) and ({expression'}K1,0) are formally
equivalent, then the ensembles interpreting them are computationally equivalent
• Completeness: if the two ensembles are computationally equivalent, then
the two formal expressions are formally equivalent
Previous Work
• Abadi and Rogaway 2000: soundness when
• a single  for all undecryptable ciphers
• acyclicity
• Their cryptosystems were “type-0”, i.e.,
• conceal repetition of plaintext
• conceal repetition of keys
• conceal length of message
• Micciancio and Warinschi 2002: completeness in
this case
• Horvitz and Gligor 2003: completeness for type-0
under strictly weaker assumptions
• Corin and Laud 2003: soundness extended to
composite keys
Type-0 Encryption Schemes
• In case of type-0 cryptosystems, any two ciphertexts are
computationally indistinguishable.
• Type-0 game (figure): an adversary A that may query an oracle F on chosen
inputs x and receive F(x) cannot tell whether F is the oracle pair
Ek1(.), Ek2(.) or the oracle pair Ek1(0), Ek1(0)
Previous Work
• Abadi and Jürjens 2000: extension to trace
equivalence in a programming language setting
• Lincoln, J. Mitchell, M. Mitchell, Scedrov 1998:
process calculus for the computational model
• Canetti 2001: universally composable security
• Backes, B. Pfitzmann, and Waidner 2003:
simulatable Dolev-Yao-style cryptographic library
• Herzog 2003: computational soundness of standard
assumptions of formal cryptography
• Impagliazzo, Kapron 2003: logic of the
computational model
Our Work
• We extend the framework of Abadi
and Rogaway in two directions, still
maintaining soundness and
completeness
• In an expansion of the A-R formal
language by labeled boxes, we relax the
assumption on the cryptosystem
• We explore purely probabilistic,
information-theoretic interpretations of
the formal language
Expansion of the Logic
• We relax the condition on security by using
labelled boxes in the definition of formal
equivalence; the box label is the parameter
• For key repetition revealing cryptosystems
(which-key revealing):
• boxes □K indexed by the encrypting key K
• For length revealing cryptosystems:
• boxes □n indexed by the length n
• For length and which-key revealing
cryptosystems:
• boxes □n,K indexed by length and key
Different Types of Encryption
Schemes: Type-2
• In type-2 systems, key repetition is detectable, so we use
a box □K for each encrypting key K.
• Type-2 games (figure): the adversary A querying an oracle F on x and
receiving F(x) cannot tell the oracle Ek1(.) from Ek1(0), so the plaintext
is concealed; but it may tell the oracle pair Ek1(.), Ek2(.) from the pair
Ek1(.), Ek1(.), so which-key information is revealed
Formal Equivalence for Type-0
• Formal equivalence (≅)
When we replace everything that is indecipherable with a box □,
we obtain the same formal pattern up to key renaming
• Example:
( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )
has the pattern
( (K2, □) , ( {({101}K2,K5)}K2, { □ }K5) )
same up to key renaming (K2 ↦ K1)
( (K1, □) , ( {({101}K1,K5)}K1, { □ }K5) )
which is the pattern of
( (K1,{K1}K7) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )
Formal Equivalence for Type-2
• Formal equivalence (≅)
Up to key renaming, the same formal pattern is obtained if we
replace all indecipherable expressions of the form {M}K with □K
• Example:
( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )
has the pattern
( (K2, □K3 ) , ( {({101}K2,K5)}K2, { □K4 }K5) )
not the same up to key renaming (K3 and K4 would both have to become K7)
( (K1, □K7 ) , ( {({101}K1,K5)}K1, { □K7 }K5) )
which is the pattern of
( (K1,{K1}K7) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )


Formal Equivalence for Type-2
• Formal equivalence (≅)
Up to key renaming, the same formal pattern is obtained if we
replace all indecipherable expressions of the form {M}K with □K
• Example:
( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )
has the pattern
( (K2, □K3 ) , ( {({101}K2,K5)}K2, { □K4 }K5) )
same up to key renaming (K2 ↦ K1, K3 ↦ K6, K4 ↦ K7)
( (K1, □K6 ) , ( {({101}K1,K5)}K1, { □K7 }K5) )
which is the pattern of
( (K1,{K1}K6) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )
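The pattern computation and the equivalence check used in the type-0 and type-2 examples above are mechanical, and it helps to run them rather than do the key renaming by eye. The following Python is an added example, not code from the slides or from the authors: it parses the slide syntax for expressions, computes the Dolev-Yao set of recoverable keys, builds the pattern under a chosen box labelling (a single box for type-0, a box indexed by the encrypting key for which-key revealing schemes) and tests equality of patterns up to a bijective key renaming. The tuple encoding of terms, the function names and the rendering of boxes as □ and □K are this example's own choices, not notation from the paper.

```python
import re

# Terms: ('blk', bits) | ('key', 'Kn') | ('pair', M1, M2) | ('enc', M, 'Kn').
# Patterns additionally contain ('box', label) for an undecryptable cipher.
_TOKEN = re.compile(r"\s*(K\d+|[01]+|[(){},])")


def parse(text):
    """Parse the slide syntax, e.g. '( (K2,{01}K3) , ( {K5}K2, {{K6}K4}K5 ) )'."""
    toks, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at {text[pos:]!r}")
        toks.append(m.group(1))
        pos = m.end()
    i = 0

    def expect(tok):
        nonlocal i
        if i >= len(toks) or toks[i] != tok:
            raise ValueError(f"expected {tok!r} at token {i}")
        i += 1

    def term():
        nonlocal i
        tok = toks[i]
        i += 1
        if tok == '(':                       # pair
            left = term(); expect(','); right = term(); expect(')')
            return ('pair', left, right)
        if tok == '{':                       # encryption {M}K
            inner = term(); expect('}')
            key = toks[i]; i += 1
            if not key.startswith('K'):
                raise ValueError("encryption must be under a key")
            return ('enc', inner, key)
        return ('key', tok) if tok.startswith('K') else ('blk', tok)

    result = term()
    if i != len(toks):
        raise ValueError("trailing tokens")
    return result


def _clear_keys(t, known):
    """Keys readable when only the keys in `known` can be used to decrypt."""
    tag = t[0]
    if tag == 'key':
        return {t[1]}
    if tag == 'pair':
        return _clear_keys(t[1], known) | _clear_keys(t[2], known)
    if tag == 'enc':
        return _clear_keys(t[1], known) if t[2] in known else set()
    return set()


def recoverable_keys(t):
    """Dolev-Yao closure: decrypt with known keys until no new key appears."""
    known = set()
    while True:
        new = _clear_keys(t, known)
        if new <= known:
            return known
        known |= new


# Box labellings: type-0 has one box; which-key revealing schemes index it by the key.
TYPE0 = lambda plaintext, key: None
WHICH_KEY = lambda plaintext, key: ('key', key)


def pattern(t, label=TYPE0):
    known = recoverable_keys(t)

    def go(u):
        if u[0] == 'pair':
            return ('pair', go(u[1]), go(u[2]))
        if u[0] == 'enc':
            return ('enc', go(u[1]), u[2]) if u[2] in known else ('box', label(u[1], u[2]))
        return u
    return go(t)


def show(t):
    tag = t[0]
    if tag in ('blk', 'key'):
        return t[1]
    if tag == 'pair':
        return f"({show(t[1])},{show(t[2])})"
    if tag == 'enc':
        return "{" + show(t[1]) + "}" + t[2]
    lbl = t[1]
    return "□" if lbl is None else "□" + (lbl[1] if isinstance(lbl, tuple) else str(lbl))


def equivalent(s, t, label=TYPE0):
    """Formal equivalence: the patterns coincide up to a bijective renaming of keys."""
    fwd, bwd = {}, {}

    def rename(a, b):                        # extend the bijection or detect a clash
        if a in fwd:
            return fwd[a] == b
        if b in bwd:
            return False
        fwd[a], bwd[b] = b, a
        return True

    def same(p, q):
        if p[0] != q[0]:
            return False
        tag = p[0]
        if tag == 'blk':
            return p[1] == q[1]
        if tag == 'key':
            return rename(p[1], q[1])
        if tag == 'pair':
            return same(p[1], q[1]) and same(p[2], q[2])
        if tag == 'enc':
            return rename(p[2], q[2]) and same(p[1], q[1])
        lp, lq = p[1], q[1]                  # box labels; key labels share the renaming
        if isinstance(lp, tuple) and isinstance(lq, tuple) and lp[0] == lq[0] == 'key':
            return rename(lp[1], lq[1])
        return lp == lq
    return same(pattern(parse(s), label), pattern(parse(t), label))


# The three expressions from the slides.
E1 = "( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )"
E2 = "( (K1,{K1}K7) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )"
E3 = "( (K1,{K1}K6) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )"

if __name__ == "__main__":
    print(show(pattern(parse(E1))), show(pattern(parse(E1), WHICH_KEY)))
    print(equivalent(E1, E2), equivalent(E1, E2, WHICH_KEY), equivalent(E1, E3, WHICH_KEY))
```

The renaming is built greedily in one pass with no backtracking: because the two patterns must have identical tree shape, every key position in one is forced to map to the key at the same position in the other, so a clash found by `rename` means no bijection exists. Under `TYPE0` the expressions E1 and E2 are equivalent; under `WHICH_KEY` they are not (K3 and K4 would both have to become K7), while E1 and E3 are.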

Soundness Proof Method
• Hybrid argument for the type-2 example: walk through a chain of interpretations,
at each step either replacing the plaintext under one unrecoverable key by 0
(indistinguishable by the security of the scheme for that key) or renaming keys
(identical distributions):
||( (K2,{01}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )||
≈ (security of K3)
||( (K2, {0}K3) , ( {({101}K2,K5)}K2, {{K6}K4}K5) )||
≈ (security of K4)
||( (K2, {0}K3) , ( {({101}K2,K5)}K2, { {0}K4 }K5) )||
= (renaming K3 ↦ K6, K4 ↦ K7)
||( (K2, {0}K6) , ( {({101}K2,K5)}K2, { {0}K7 }K5) )||
= (renaming K2 ↦ K1)
||( (K1, {0}K6) , ( {({101}K1,K5)}K1, { {0}K7 }K5) )||
≈ (security of K7)
||( (K1, {0}K6) , ( {({101}K1,K5)}K1, {{K6}K7}K5) )||
≈ (security of K6)
||( (K1, {K1}K6) , ( {({101}K1,K5)}K1, {{K6}K7}K5 ) )||
Completeness Proof Method
• Suppose we have the message
M=((K2,{01}K3),({({101}K2,K5)}K2,{{K6}K4}K5))
An element x sampled from the interpretation looks like
⟨⟨⟨k,"key"⟩,⟨c1,"cipher"⟩,"pair"⟩,⟨⟨c3,"cipher"⟩,⟨c2,"cipher"⟩,"pair"⟩,"pair"⟩
• The (first step of the) expansion of the tree associated with
M is illustrated in the following diagrams:
• B(x), the tree of x before any decryption, with leaves ⟨k,"key"⟩, ⟨c1,"cipher"⟩,
⟨c3,"cipher"⟩, ⟨c2,"cipher"⟩:
((k,key,c1,cipher),(c3,cipher,c2,cipher))
• D1(M)B(x), after decrypting c3 with k, which yields ⟨c4,"cipher"⟩ and ⟨k1,"key"⟩:
((k,key,c1,cipher),(((c4,cipher, k1,key), 0, k,key),c2,cipher))
After the first step a new key ⟨k1,"key"⟩ is revealed, which corresponds to K5, thus some new strings appear and an "old"
string ⟨c2,"cipher"⟩ becomes available for decryption. This process is iterated until no further decryptions are possible.
Completeness Proof Method
Suppose that we have now two messages M and N such that their
interpretations are equivalent.
We want to show that the tree expansions are also equivalent:
• They have the same structure (straightforward);
• In each place where one has a key, the other also has;
• Wherever one has an encryption, the other also has;
• The decryptions in both places have to coincide!
• The keys used in both places have to be the same!
• One expansion step on a sample x of M and a sample y of N (the figure labels
the trees D1(M)B(x), G0(C1key,M)(x) and D1(N)B(y), G0(C1key,M)(y)):
D1(M)B(x) = ((k,key,c1,cipher),(((c4,cipher, k1,key) ,0, k,key),c2,cipher))
D1(N)B(y) = ((k',key,c1',cipher),(((c4',cipher, k1',key),0, k',key),c2',cipher))
Information-Theoretic
Interpretations
• There is no reason to limit
interpretations to computational
systems. We can
• give purely probabilistic interpretations,
• define a notion of equivalence in the
probabilistic cryptosystem,
• try proving soundness and completeness.
• We carry this out for One-Time Pad.
Interpretation in
One-Time Pad
• Formal view:
• Length is introduced for formal expressions
• Encrypting twice with the same key is excluded
• Equivalence is defined via boxes □n indexed by the
formal notion of length n
• Interpretation:
• Key generation depends on the formal key length
• Encryption via the rules of OTP
• Equivalence of interpretations holds if the
probability distributions agree
• Soundness and completeness are proven
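In the one-time-pad interpretation the equivalence notion is exact equality of distributions, which for short formal lengths can be computed by enumerating every key. The following Python is an added example, not code from the slides or from the authors: it interprets formal terms under a one-time pad, enforces the two restrictions from the slide (a key encrypts a plaintext of exactly its formal length, and no key encrypts twice), computes the exact distribution of the interpretation over uniformly random keys, and compares distributions. The tuple encoding of terms, the bit-string flattening of pairs by concatenation, the explicit `keylen` map and all sample expressions are this example's own assumptions.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

# Formal terms: ('blk', bits) | ('key', 'Kn') | ('pair', M1, M2) | ('enc', M, 'Kn').
# keylen maps each formal key to its formal length (assumed given explicitly here).


def formal_len(t, keylen):
    tag = t[0]
    if tag == 'blk':
        return len(t[1])
    if tag == 'key':
        return keylen[t[1]]
    if tag == 'pair':
        return formal_len(t[1], keylen) + formal_len(t[2], keylen)
    return formal_len(t[1], keylen)          # an OTP ciphertext has its plaintext's length


def check_otp(t, keylen, allow_reuse=False, used=None):
    """Enforce the slide's restrictions: matching lengths, no key encrypts twice."""
    used = set() if used is None else used
    if t[0] == 'pair':
        check_otp(t[1], keylen, allow_reuse, used)
        check_otp(t[2], keylen, allow_reuse, used)
    elif t[0] == 'enc':
        if t[2] in used and not allow_reuse:
            raise ValueError(f"{t[2]} encrypts twice: excluded for OTP")
        if formal_len(t[1], keylen) != keylen[t[2]]:
            raise ValueError(f"plaintext length does not match the length of {t[2]}")
        used.add(t[2])
        check_otp(t[1], keylen, allow_reuse, used)
    return used


def otp_wellformed(t, keylen):
    try:
        check_otp(t, keylen)
        return True
    except ValueError:
        return False


def xor(a, b):
    return ''.join('0' if x == y else '1' for x, y in zip(a, b))


def bits(t, keys):
    """Bit string of a term under concrete keys; pairs concatenate (assumption)."""
    tag = t[0]
    if tag == 'blk':
        return t[1]
    if tag == 'key':
        return keys[t[1]]
    if tag == 'pair':
        return bits(t[1], keys) + bits(t[2], keys)
    return xor(bits(t[1], keys), keys[t[2]])  # one-time pad: plaintext XOR key


def interpret(t, keys):
    """Labelled value of a term, mirroring the block/key/cipher/pair labels."""
    tag = t[0]
    if tag == 'blk':
        return ('block', t[1])
    if tag == 'key':
        return ('key', keys[t[1]])
    if tag == 'pair':
        return ('pair', interpret(t[1], keys), interpret(t[2], keys))
    return ('cipher', bits(t, keys))


def distribution(t, keylen, allow_reuse=False):
    """Exact distribution of the interpretation over uniformly random keys."""
    check_otp(t, keylen, allow_reuse)
    names = sorted(keylen)
    counts = Counter()
    for choice in product(*(product('01', repeat=keylen[k]) for k in names)):
        keys = {k: ''.join(b) for k, b in zip(names, choice)}
        counts[interpret(t, keys)] += 1
    total = sum(counts.values())
    return {v: Fraction(c, total) for v, c in counts.items()}


def same_distribution(t1, kl1, t2, kl2):
    return distribution(t1, kl1) == distribution(t2, kl2)


# Constructed sample expressions (not from the slides).
A = ('enc', ('blk', '01'), 'K1')                                   # pattern: one box of length 2
B = ('enc', ('blk', '10'), 'K2')                                   # pattern: one box of length 2
C = ('enc', ('blk', '101'), 'K3')                                  # pattern: one box of length 3
D = ('pair', ('key', 'K1'), ('enc', ('blk', '01'), 'K1'))          # key in the clear: decryptable
E = ('pair', ('key', 'K1'), ('enc', ('blk', '10'), 'K1'))          # decryptable, other plaintext
REUSE = ('pair', ('enc', ('blk', '01'), 'K1'), ('enc', ('blk', '11'), 'K1'))

if __name__ == "__main__":
    print(same_distribution(A, {'K1': 2}, B, {'K2': 2}))   # same box, same distribution
    print(same_distribution(A, {'K1': 2}, C, {'K3': 3}))   # boxes of different length
    print(same_distribution(D, {'K1': 2}, E, {'K1': 2}))   # decryptable, so distinguishable
    print(sorted(distribution(REUSE, {'K1': 2}, allow_reuse=True)))
```

A and B have the same formal pattern (one box indexed by length 2) and indeed identical distributions; A and C differ in the length label and their distributions differ; D and E are decryptable and their distributions differ, as completeness requires. REUSE is rejected by `check_otp`; forcing it through with `allow_reuse=True` shows why the slide excludes it: only four of the sixteen possible ciphertext pairs occur, and the XOR of the two components is always the XOR of the plaintexts.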
Further Extensions: A General
Probabilistic Treatment
• Single formalism for computational
and information-theoretic approach
• Security parameter then indexes independent
components of random variables
• Computational and information-theoretic
treatment differ in the notion of equivalence
introduced in the general formalism as well as in
the values of the random variables.
Further Expansions in the
Formal Language
• New objects:
• Equivalence relation on the set of formal ciphers
• A box □ corresponding to each equivalence class of
ciphers
• Equivalence relation on the formal set of keys
• Equivalence:
• Introduce a box □ for each equivalence class on ciphers
• Key renaming is allowed only among keys in the same class
• Replace each undecryptable cipher in an expression by the
box corresponding to its equivalence class
Soundness and Completeness
• Completeness iff:
• ||({M}k1,{N}k2)|| ≈ ||({M'}k1',{N'}k2')|| implies
({M}k1,{N}k2) ≅ ({M'}k1',{N'}k2')
• Decrypting with the wrong key is detectable
• Soundness iff:
• Replacing ciphers of the form {.}k0 with
equivalent ciphers {.}k0' in an expression, if k0
and k0' do not occur anywhere else (except as
encrypting keys), results in an equivalent
interpretation.
Conclusions and Future Work
• Formal setting can be varied in useful ways
• Established soundness and completeness for
extended logics
• Introduced new technique for completeness proofs
• Include new primitives, e.g., signature schemes
• Extend the formalism to include active adversaries
• Relate our work with information-theoretic models
References
• [Abadi, Jürjens 2001] M. Abadi and J. Jürjens, Formal
eavesdropping and its computational interpretation, in 4th
International Symposium on Theoretical Aspects of Computer
Software (TACS), pages 82-94, 2001.
• [Abadi, Rogaway 2000] M. Abadi and P. Rogaway, Reconciling two
views of cryptography: The computational soundness of formal
encryption, in 1st IFIP International Conference on Theoretical
Computer Science, volume 1872 of Lecture Notes in Computer
Science, pages 3-22, 2000.
• [Micciancio, Warinschi 2004a] D. Micciancio and B. Warinschi,
Completeness Theorems for the Abadi-Rogaway Logic of Encrypted
Expressions, in Journal of Computer Security, 12(1), pages 99-129,
2004. Based on an extended abstract in WITS 2002.
• [Micciancio, Warinschi 2004b] D. Micciancio and B. Warinschi,
Soundness of Formal Encryption in the Presence of Active
Adversaries, in Theory of Cryptography Conference (TCC),
Cambridge, Massachusetts, volume 2951 of Lecture Notes in
Computer Science, pages 133-151, February 19-21 2004.