Computational Soundness of Coinductive Symbolic Security under Active Attacks

In Eurocrypt 2010, Micciancio initiated an investigation of cryptographically sound symbolic security analysis with respect to coinductive adversarial knowledge, and showed that in a passive-adversary model certain security criteria can be given a computationally sound symbolic characterization without assuming key acyclicity. Left open in his work was the fundamental question of 'the viability of extending the coinductive approach to prove computational soundness results in the presence of active adversaries.' In this paper we take some initial steps toward this goal with respect to an extension of a trace-based security model (Micciancio and Warinschi, TCC 2004) that includes both asymmetric and symmetric encryption. In particular, we prove that a random computational trace can be soundly abstracted by a coinductive symbolic trace with overwhelming probability, provided that both underlying encryption schemes are IND-CCA2 secure (and the symmetric scheme additionally provides ciphertext integrity), and that the diameter of the underlying coinductively-hidden subgraph is constant in every symbolic trace. This result holds even if the protocol allows arbitrarily nested applications of symmetric and asymmetric encryption, unrestricted transmission of symmetric keys, and adversaries who adaptively corrupt users, along with other forms of active attack. As part of our proof, we formulate a game-based definition of encryption security that allows adaptive corruption of keys and certain forms of adaptive key-dependent plaintext attack, along with other common forms of CCA2 attack, and we prove that (under assumptions similar to those above) security in this game is implied by IND-CCA2 security. This also characterizes a provably benign form of cyclic encryption that is implied by standard security definitions, which may be of independent interest.
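The contrast between inductive and coinductive adversarial knowledge that the abstract turns on, as an added illustration that is not code from the paper: a small Python model of Dolev-Yao key recovery over symbolic messages, computing the least fixed point (classical inductive deduction) and the greatest fixed point (coinductive knowledge) of one key-recovery operator. On a key cycle the two notions disagree: inductively neither key is recoverable, while coinductively the cycle justifies itself and both keys count as exposed, which is why no acyclicity assumption is needed. The message algebra (symmetric encryption under atomic keys only), the sample messages, and the reading of the 'coinductively-hidden subgraph' as a directed graph over the keys that stay hidden, with the diameter taken as the longest finite shortest path, are all assumptions of this example and not the paper's definitions.

```python
from collections import deque
from typing import Dict, FrozenSet, List, Set

# Symbolic messages, constructed for this example: an atomic key, a pair, or
# a symmetric encryption of a message under an atomic key.  The paper's
# algebra also has asymmetric encryption; this model keeps only what is
# needed to contrast the two knowledge notions.
def key(name: str) -> tuple:
    return ("key", name)

def pair(left: tuple, right: tuple) -> tuple:
    return ("pair", left, right)

def enc(key_name: str, payload: tuple) -> tuple:
    return ("enc", key_name, payload)

def all_keys(msg: tuple) -> FrozenSet[str]:
    """Every key name occurring in msg, as payload or as an encryption key."""
    tag = msg[0]
    if tag == "key":
        return frozenset([msg[1]])
    if tag == "pair":
        return all_keys(msg[1]) | all_keys(msg[2])
    return frozenset([msg[1]]) | all_keys(msg[2])

def recover_step(msg: tuple, known: FrozenSet[str]) -> FrozenSet[str]:
    """One application of the key-recovery operator F_msg(K): the keys that
    appear in msg as payload with every enclosing encryption under a key in
    `known`.  F is monotone in `known`, so both fixed points below exist."""
    tag = msg[0]
    if tag == "key":
        return frozenset([msg[1]])
    if tag == "pair":
        return recover_step(msg[1], known) | recover_step(msg[2], known)
    # encryption: the payload is reachable only if its key is already known
    return recover_step(msg[2], known) if msg[1] in known else frozenset()

def inductive_knowledge(msg: tuple) -> FrozenSet[str]:
    """Least fixed point of F_msg: classical Dolev-Yao deduction, starting
    from nothing and adding keys as they become decryptable."""
    known: FrozenSet[str] = frozenset()
    while True:
        nxt = recover_step(msg, known)
        if nxt == known:
            return known
        known = nxt

def coinductive_knowledge(msg: tuple) -> FrozenSet[str]:
    """Greatest fixed point of F_msg: start from every key and discard those
    not justified by the remaining set.  A key cycle justifies itself, so
    its keys count as recovered by the adversary."""
    known = all_keys(msg)
    while True:
        nxt = recover_step(msg, known)
        if nxt == known:
            return known
        known = nxt

def hidden_key_graph(msg: tuple, hidden: FrozenSet[str]) -> Dict[str, Set[str]]:
    """Assumed reading of the hidden subgraph: edge k -> k' between hidden
    keys whenever k' is sent as payload inside an encryption under k."""
    edges: Dict[str, Set[str]] = {k: set() for k in hidden}
    def walk(t: tuple, enclosing: List[str]) -> None:
        if t[0] == "key":
            if t[1] in hidden:
                for k in enclosing:
                    if k in hidden:
                        edges[k].add(t[1])
        elif t[0] == "pair":
            walk(t[1], enclosing)
            walk(t[2], enclosing)
        else:
            walk(t[2], enclosing + [t[1]])
    walk(msg, [])
    return edges

def diameter(edges: Dict[str, Set[str]]) -> int:
    """Longest finite shortest path between hidden keys (BFS from each node);
    0 when no hidden key reaches another."""
    best = 0
    for src in edges:
        dist = {src: 0}
        queue = deque([src])
        while queue:
            u = queue.popleft()
            for v in edges[u]:
                if v not in dist:
                    dist[v] = dist[u] + 1
                    queue.append(v)
        best = max(best, max(dist.values()))
    return best

def compare(msg: tuple) -> dict:
    ind, coind = inductive_knowledge(msg), coinductive_knowledge(msg)
    hidden = all_keys(msg) - coind
    return {"inductive": ind, "coinductive": coind, "hidden": hidden,
            "diameter": diameter(hidden_key_graph(msg, hidden))}

# Constructed adversary views (what the attacker has seen on the wire).
CYCLE = pair(enc("k1", key("k2")), enc("k2", key("k1")))      # k1 <-> k2
CHAIN = pair(enc("k1", key("k2")), enc("k2", key("k3")))      # k1 -> k2 -> k3
CHAIN_K1_LEAKED = pair(key("k1"), CHAIN)                      # k1 sent in clear
CYCLE_PLUS = pair(CYCLE, enc("k1", key("k3")))                # k3 hangs off the cycle

if __name__ == "__main__":
    for name, m in [("CYCLE", CYCLE), ("CHAIN", CHAIN),
                    ("CHAIN_K1_LEAKED", CHAIN_K1_LEAKED), ("CYCLE_PLUS", CYCLE_PLUS)]:
        print(name, compare(m))
```

On the acyclic chain both notions agree (nothing is recoverable, all three keys stay hidden, and the hidden subgraph has diameter 2); on the cycle the coinductive closure exposes both keys, and exposure propagates to any key sent under one of them, which is the pessimism that makes the coinductive abstraction sound without a key-acyclicity assumption.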

[1] Bruce M. Kapron et al. Computational indistinguishability logic, 2010, CCS '10.

[2] Moni Naor et al. Adaptively secure multi-party computation, 1996, STOC '96.

[3] David Cash et al. Cryptographic Agility and Its Relation to Circular Encryption, 2010, EUROCRYPT.

[4] Mihir Bellare et al. Relations among Notions of Security for Public-Key Encryption Schemes, 1998, IACR Cryptol. ePrint Arch.

[5] Martín Abadi et al. Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption), 2000, Journal of Cryptology.

[6] Birgit Pfitzmann et al. A composable cryptographic library with nested operations, 2003, CCS '03.

[7] Birgit Pfitzmann et al. Key-dependent Message Security under Active Attacks: BRSIM/UC-Soundness of Symbolic Encryption with Key Cycles, 2007, 20th IEEE Computer Security Foundations Symposium (CSF'07).

[8] Véronique Cortier et al. Computational soundness of observational equivalence, 2008, CCS.

[9] Jesper Buus Nielsen. Separating Random Oracle Proofs from Complexity Theoretic Proofs: The Non-committing Encryption Case, 2002, CRYPTO.

[10] John C. Mitchell et al. Inductive trace properties for computational security, 2010, J. Comput. Secur.

[11] Martín Abadi et al. Formal Eavesdropping and Its Computational Interpretation, 2001, TACS.

[12] Birgit Pfitzmann et al. A model for asynchronous reactive systems and its application to secure message transmission, 2001, Proceedings 2001 IEEE Symposium on Security and Privacy (S&P 2001).

[13] Danny Dolev et al. On the security of public key protocols, 1981, 22nd Annual Symposium on Foundations of Computer Science (FOCS 1981).

[14] John A. Clark et al. A survey of authentication protocol literature: Version 1.0, 1997.

[15] Rafail Ostrovsky et al. Circular-Secure Encryption from Decision Diffie-Hellman, 2008, CRYPTO.

[16] Bogdan Warinschi et al. Separating Trace Mapping and Reactive Simulatability Soundness: The Case of Adaptive Corruption, 2009, ARSPA-WITS.

[17] Michael Backes et al. Real-or-random Key Secrecy of the Otway-Rees Protocol via a Symbolic Security Proof, 2006, MFPS.

[18] Jonathan Herzog. A computational interpretation of Dolev-Yao adversaries, 2005, Theor. Comput. Sci.

[19] Graham Steel et al. Security for Key Management Interfaces, 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[20] Silvio Micali et al. Probabilistic Encryption, 1984, J. Comput. Syst. Sci.

[21] Martín Abadi et al. A logic of authentication, 1990, TOCS.

[22] Chanathip Namprempre et al. Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm, 2000, Journal of Cryptology.

[23] John C. Mitchell et al. A probabilistic poly-time framework for protocol analysis, 1998, CCS '98.

[24] Bogdan Warinschi et al. Soundness of Formal Encryption in the Presence of Active Adversaries, 2004, TCC.

[25] Jan Camenisch et al. A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks, 2009, IACR Cryptol. ePrint Arch.

[26] Birgit Pfitzmann et al. Symmetric encryption in a simulatable Dolev-Yao style cryptographic library, 2004, Proceedings 17th IEEE Computer Security Foundations Workshop.

[27] Saurabh Panjwani. Tackling Adaptive Corruptions in Multicast Encryption Protocols, 2007, TCC.

[28] Mihir Bellare et al. Entity Authentication and Key Distribution, 1993, CRYPTO.

[29] Daniele Micciancio. Computational soundness, co-induction, and encryption cycles, 2010, IACR Cryptol. ePrint Arch.

[30] Hubert Comon-Lundh et al. Towards Unconditional Soundness: Computationally Complete Symbolic Attacker, 2012, POST.

[31] Daniele Micciancio et al. Adaptive Security of Symbolic Encryption, 2005, TCC.

[32] Ralf Küsters et al. Computational soundness for key exchange protocols with symmetric encryption, 2009, CCS.

[33] John C. Mitchell et al. Automated analysis of cryptographic protocols using Murφ, 1997, Proceedings 1997 IEEE Symposium on Security and Privacy.

[34] Ran Canetti. Universally composable security: a new paradigm for cryptographic protocols, 2001, Proceedings 42nd IEEE Symposium on Foundations of Computer Science (FOCS 2001).

[35] Daniele Micciancio et al. Corrupting One vs. Corrupting Many: The Case of Broadcast and Multicast Encryption, 2006, ICALP.

[36] John C. Mitchell et al. A probabilistic polynomial-time process calculus for the analysis of cryptographic protocols, 2005, Theor. Comput. Sci.

[37] Martín Abadi et al. A calculus for cryptographic protocols: the spi calculus, 1997, CCS '97.

[38] Véronique Cortier et al. Computationally Sound, Automated Proofs for Security Protocols, 2005, ESOP.

[39] Bruce M. Kapron et al. Logics for reasoning about cryptographic constructions, 2006, J. Comput. Syst. Sci.

[40] Daniel R. Simon et al. Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack, 1991, CRYPTO.

[41] Matthew Green et al. New Definitions and Separations for Circular Security, 2012, Public Key Cryptography.

[42] John C. Mitchell et al. Computationally sound compositional logic for key exchange protocols, 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[43] Mihir Bellare et al. Provably secure session key distribution: the three party case, 1995, STOC '95.

[44] Silvio Micali et al. Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements, 2000, EUROCRYPT.

[45] Michael Backes et al. OAEP Is Secure under Key-Dependent Messages, 2008, ASIACRYPT.

[46] Véronique Cortier et al. Deciding Key Cycles for Security Protocols, 2006, LPAR.

[47] Ran Canetti et al. Universally Composable Symbolic Analysis of Mutual Authentication and Key-Exchange Protocols, 2006, TCC.

[48] Martín Abadi et al. Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption), 2001, Journal of Cryptology.

[49] Rafail Ostrovsky et al. Deniable Encryption, 1997, IACR Cryptol. ePrint Arch.