Symbolic Proofs for Lattice-Based Cryptography

Symbolic methods have been used extensively for proving security of cryptographic protocols in the Dolev-Yao model, and more recently for proving security of cryptographic primitives and constructions in the computational model. However, existing methods for proving security of cryptographic constructions in the computational model often require significant expertise and interaction, or are fairly limited in scope and expressivity. This paper introduces a symbolic approach for proving security of cryptographic constructions based on the Learning With Errors assumption (Regev, STOC 2005). Such constructions are instances of lattice-based cryptography and are extremely important due to their potential role in post-quantum cryptography. Following (Barthe, Grégoire and Schmidt, CCS 2015), our approach combines a computational logic with deducibility problems, a standard tool for representing the adversary's knowledge in the Dolev-Yao model. The computational logic is used to capture (indistinguishability-based) security notions and to drive the security proofs, whereas deducibility problems are used as side-conditions to check that the rules of the logic are applied correctly. We then use AutoLWE, an implementation of the logic, to deliver very short or even automatic proofs of several emblematic constructions, including CPA-PKE (Gentry et al., STOC 2008), (Hierarchical) Identity-Based Encryption (Agrawal et al., Eurocrypt 2010), Inner Product Encryption (Agrawal et al., Asiacrypt 2011), and CCA-PKE (Micciancio et al., Eurocrypt 2012). The main technical novelty beyond AutoLWE is a set of (semi-)decision procedures for deducibility problems, using extensions of Gröbner basis computations for subalgebras in the (non-)commutative setting (instead of ideals in the commutative setting).
Our procedures cover the theory of matrices, which is required for lattice-based assumptions, as well as the theory of non-commutative rings, fields, and Diffie-Hellman exponentiation in its standard, bilinear and multilinear forms. Additionally, AutoLWE supports oracle-relative assumptions, which are used specifically to apply (advanced forms of) the Leftover Hash Lemma, an information-theoretic tool widely used in lattice-based proofs.
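The deducibility side-condition described above, restricted to the commutative ring theory, amounts to asking whether the adversary's target term lies in the subalgebra generated by the terms it already knows. The following is an added example, not code from the paper or from AutoLWE: it decides that membership with the Shannon-Sweedler tag-variable reduction to an ordinary Gröbner basis (the paper's non-commutative matrix case needs the extensions it describes and is not covered here). The function names and the sample knowledge set are assumptions made for the illustration.

```python
# Added example (not code from the paper or AutoLWE): the commutative
# case of the deducibility side-condition, decided as subalgebra
# membership via the Shannon-Sweedler tag-variable trick. Names and
# the sample adversary knowledge below are constructed for illustration.
from sympy import symbols, groebner, reduced, expand


def deducible(knowledge, target, gens):
    """Return a recipe (a polynomial in tag symbols y0..yn) showing how
    an adversary builds `target` from the ring elements in `knowledge`
    using only addition and multiplication, or None when `target` is
    not in the subalgebra Q[knowledge] and hence is not deducible.
    """
    tags = symbols(f"y0:{len(knowledge)}")
    # Ideal I = <y_i - k_i>. With a lex elimination order ranking the
    # original variables above the tags, target lies in the subalgebra
    # iff its normal form modulo the reduced Groebner basis of I
    # mentions tag symbols only (Shannon-Sweedler, 1988).
    basis = groebner([y - k for y, k in zip(tags, knowledge)],
                     *gens, *tags, order="lex")
    _, normal_form = reduced(expand(target), list(basis),
                             *gens, *tags, order="lex")
    normal_form = expand(normal_form)
    if any(normal_form.has(g) for g in gens):
        return None          # residue still involves secret variables
    return normal_form       # recipe in terms of known elements


def demo():
    x, y = symbols("x y")
    known = [x + y, x * y]   # constructed adversary knowledge
    # Symmetric target: deducible, recipe is y0**2 - 2*y1,
    # i.e. (x+y)**2 - 2*(x*y).
    r1 = deducible(known, x**2 + y**2, (x, y))
    # Non-symmetric target: no polynomial in x+y and x*y equals it.
    r2 = deducible(known, x - y, (x, y))
    return r1, r2


if __name__ == "__main__":
    print(demo())
```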

[1] David Shannon et al., Using Gröbner Bases to Determine Algebra Membership Split Surjective Algebra Homomorphisms Determine Birational Equivalence, J. Symb. Comput., 1988.

[2] Pascal Lafourcade et al., Automated Security Proofs for Almost-Universal Hash for MAC Verification, ESORICS, 2013.

[3] Craig Gentry et al., Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE and Compact Garbled Circuits, EUROCRYPT, 2014.

[4] Vinod Vaikuntanathan et al., Predicate Encryption for Circuits from LWE, CRYPTO, 2015.

[5] Ashish Tiwari et al., Program Synthesis Using Dual Interpretation, CADE, 2015.

[6] Brent Waters et al., Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions, IACR Cryptol. ePrint Arch., 2009.

[7] Bruce M. Kapron et al., Computational indistinguishability logic, CCS '10, 2010.

[8] Damien Stehlé et al., Classical hardness of learning with errors, STOC '13, 2013.

[9] Bruno Blanchet et al., A Computationally Sound Mechanized Prover for Security Protocols, IEEE Transactions on Dependable and Secure Computing, 2008.

[10] Alex J. Malozemoff et al., Automated Analysis and Synthesis of Authenticated Encryption Schemes, IACR Cryptol. ePrint Arch., 2015.

[11] Cas J. F. Cremers et al., A Comprehensive Symbolic Analysis of TLS 1.3, CCS, 2017.

[12] Arjen K. Lenstra et al., Factoring multivariate polynomials over finite fields, J. Comput. Syst. Sci., 1983.

[13] Lawrence C. Paulson et al., The Inductive Approach to Verifying Cryptographic Protocols, J. Comput. Secur., 2021.

[14] Vitaly Shmatikov et al., Constraint solving for bounded-process cryptographic protocol analysis, CCS '01, 2001.

[15] Pierre Corbineau et al., Certified Security Proofs of Cryptographic Protocols in the Computational Model: An Application to Intrusion Resilience, CPP, 2011.

[16] Feng-Hao Liu et al., Deniable Attribute Based Encryption for Branching Programs from LWE, TCC, 2016.

[17] Chris Peikert et al., Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller, IACR Cryptol. ePrint Arch., 2012.

[18] Yannick Chevalier et al., Deciding the Security of Protocols with Diffie-Hellman Exponentiation and Products in Exponents, FSTTCS, 2003.

[19] Pascal Lafourcade et al., Towards automated proofs for asymmetric encryption schemes in the random oracle model, CCS, 2008.

[20] Vinod Vaikuntanathan et al., Functional Encryption for Inner Product Predicates from Learning with Errors, IACR Cryptol. ePrint Arch., 2011.

[21] Teo Mora et al., An Introduction to Commutative and Noncommutative Gröbner Bases, Theor. Comput. Sci., 1994.

[22] John C. Mitchell et al., Semantic Security Invariance under Variant Computational Assumptions, IACR Cryptol. ePrint Arch., 2018.

[23] Chris Peikert et al., Faster Bootstrapping with Polynomial Error, CRYPTO, 2014.

[24] Reihaneh Safavi-Naini et al., Automated Security Proof for Symmetric Encryption Modes, ASIAN, 2009.

[25] Leonid A. Levin et al., Pseudo-random generation from one-way functions, STOC '89, 1989.

[26] Craig Gentry et al., Trapdoors for hard lattices and new cryptographic constructions, IACR Cryptol. ePrint Arch., 2008.

[27] Nikhil Swamy et al., Implementing and Proving the TLS 1.3 Record Layer, 2017 IEEE Symposium on Security and Privacy (SP), 2017.

[28] Chris Peikert et al., A Decade of Lattice Cryptography, Found. Trends Theor. Comput. Sci., 2016.

[29] Benjamin Grégoire et al., EasyCrypt: A Tutorial, FOSAD, 2013.

[30] Vitaly Shmatikov et al., Intruder deductions, constraint solving and insecurity decision in presence of exclusive or, 18th Annual IEEE Symposium on Logic in Computer Science (LICS 2003), 2003.

[31] Gavin Lowe et al., Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR, Softw. Concepts Tools, 1996.

[32] Benjamin Grégoire et al., Automated Proofs of Pairing-Based Cryptography, CCS, 2015.

[33] Jerry den Hartog et al., A Probabilistic Hoare-style Logic for Game-Based Cryptographic Proofs, ICALP, 2006.

[34] Andreas Lochbihler et al., Probabilistic Functions and Cryptographic Oracles in Higher Order Logic, ESOP, 2016.

[35] Michaël Rusinowitch et al., Protocol insecurity with a finite number of sessions, composed keys is NP-complete, Theor. Comput. Sci., 2003.

[36] D. Eisenbud, Commutative Algebra: with a View Toward Algebraic Geometry, 1995.

[37] Leonid A. Levin et al., Pseudo-random Generation from one-way functions (Extended Abstracts), STOC 1989, 1989.

[38] Oded Regev et al., On lattices, learning with errors, random linear codes, and cryptography, STOC '05, 2005.

[39] Chris Peikert et al., Lattice Cryptography for the Internet, PQCrypto, 2014.

[40] Juan Chen et al., Secure distributed programming with value-dependent types, J. Funct. Program., 2013.

[41] Karthikeyan Bhargavan et al., Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach, 2017 IEEE European Symposium on Security and Privacy (EuroS&P), 2017.

[42] Dan Boneh et al., Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles, IACR Cryptol. ePrint Arch., 2004.

[43] Bruce M. Kapron et al., On the Equality of Probabilistic Terms, LPAR, 2010.

[44] Danny Dolev et al., On the security of public key protocols, 22nd Annual Symposium on Foundations of Computer Science (SFCS 1981), 1981.

[45] Chris Peikert et al., Public-key cryptosystems from the worst-case shortest vector problem: extended abstract, STOC '09, 2009.

[46] Jonathan K. Millen et al., Three systems for cryptographic protocol analysis, Journal of Cryptology, 1994.

[47] Bruce M. Kapron et al., Logics for reasoning about cryptographic constructions, 44th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2003), 2003.

[48] Benjamin Grégoire et al., Fully automated analysis of padding-based encryption in the computational model, CCS, 2013.

[49] Bruno Buchberger et al., A theoretical basis for the reduction of polynomials to canonical forms, SIGSAM, 1976.

[50] Yannick Chevalier et al., An NP decision procedure for protocol insecurity with XOR, 18th Annual IEEE Symposium on Logic in Computer Science (LICS 2003), 2003.

[51] Patrik Nordbeck, Canonical subalgebraic bases in non-commutative polynomial rings, ISSAC '98, 1998.

[52] Alfredo Pironti et al., Implementing TLS with Verified Cryptographic Security, 2013 IEEE Symposium on Security and Privacy, 2013.

[53] Bruno Blanchet et al., An efficient cryptographic protocol verifier based on prolog rules, 14th IEEE Computer Security Foundations Workshop, 2001.

[54] Craig Costello et al., Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE, IACR Cryptol. ePrint Arch., 2016.

[55] J. Gregory Morrisett et al., The Foundational Cryptography Framework, POST, 2014.

[56] Dan Boneh et al., Efficient Lattice (H)IBE in the Standard Model, EUROCRYPT, 2010.

[57] Alex J. Malozemoff et al., Automated Analysis and Synthesis of Block-Cipher Modes of Operation, 2014 IEEE 27th Computer Security Foundations Symposium, 2014.

[58] Benjamin Grégoire et al., Computer-Aided Security Proofs for the Working Cryptographer, CRYPTO, 2011.

[59] Benjamin Grégoire et al., Formal certification of code-based cryptographic proofs, POPL '09, 2009.

[60] Juan Chen et al., Secure distributed programming with value-dependent types, Journal of Functional Programming, 2011.

[61] Steve A. Schneider, Security properties and CSP, 1996 IEEE Symposium on Security and Privacy, 1996.

[62] Ralf Treinen et al., Reducing Equational Theories for the Decision of Static Equivalence, ASIAN, 2009.

[63] Sebastian Mödersheim et al., The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications, CAV, 2005.

[64] David A. Basin et al., Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties, 2012 IEEE 25th Computer Security Foundations Symposium, 2012.

[65] Daniel J. Dougherty et al., Decidability for Lightweight Diffie-Hellman Protocols, 2014 IEEE 27th Computer Security Foundations Symposium, 2014.