Soundness and completeness of formal encryption: The cases of key cycles and partial information leakage

Pedro Adão, Gergei Bana, Jonathan Herzog, Andre Scedrov, J.D. Guttman
2009 Journal of Computer Security  
In their seminal work, Abadi and Rogaway [2, 3] show that the formal (Dolev-Yao) notion of indistinguishability is sound with respect to the computational model: messages that are indistinguishable in the formal model become indistinguishable messages in the computational model. However, this result leaves two problems unsolved. First, it cannot tolerate key cycles. Second, it makes the too-strong assumption that the underlying cryptography hides all aspects of the plaintext, including its
more » ... including its length. In this paper we extend their work in order to address these problems. We show that the recently-introduced notion of KDM-security can provide soundness even in the presence of key cycles. For this, we have to consider encryption that reveals the length of plaintexts, which we use to motivate a general examination information-leaking encryption. In particular, we consider the conditions under which an encryption scheme that may leak some partial information will provide soundness and completeness to some (possibly weakened) version of the formal model. encryption scheme is 'type-0,' a property of their own devising. This result was later translated to the public-key setting by Micciancio and Warinschi [46], who found that soundness is guaranteed by encryption schemes that satisfy 'chosen-ciphertext security' [51, 52] (CCA-2 in the notation of [18] ). This power of chosen-ciphertext security has been confirmed by subsequent extensions [33, 23] . These results, however-in both the symmetric and asymmetric settings-do not address two important problems. Unsolved problems in previous soundness results. Firstly, none of the existing soundness results address the problem of key cycles. An expression has a (symmetric) key cycle if one can find symmetric keys K 1 , K 2 ,. . . , K n such that K i is encrypted in the expression under K i+1 and K n is encrypted by K 1 . (In the asymmetric setting, the public key K i+1 encrypts the private key K −1 i , and K 1 encrypts K −1 n .) The formal model makes no distinction between those messages that have key cycles and those that do not. Further, the interpretation function is well-defined over key cycles, and so, formal key cycles are computationally meaningful. However, neither the soundness result of Abadi and Rogaway nor subsequent soundness results (described in Section 2) are known to hold for such messages. (In fact, the stronger of these results [11, 23] assumes that no private or symmetric keys are encrypted at all!) Another problem that was not dealt in most of the previous soundness results regards to partial leakage of information. Most of these results consider that formal encryption hides all information about the plaintext. As an example, the original Abadi and Rogaway result assumes that formal encryption conceals all aspects of the plaintext. That is, their result requires that symmetric encryption hides (among other things) the length of the plaintext. Unfortunately, this cannot be achieved except in very limited contexts. This particular issue has been noted by Backes, Pfitzmann and Waidner [13] , and Backes and Pfitzmann [8] . Furthermore, it is the focus of work by Micciancio and Warinschi [46], Laud [39] , and Micciancio and Panjwani [44] who resolve the matter by weakening the formal model. These results, however, are highly specific to particular classes of computational encryption schemes. Can these results can be generalized to encompass other encryption schemes that leak other kinds of information? Rephrased, under what conditions will an encryption scheme provide soundness to some formal model? Our work In this paper, we extend the original result of Abadi and Rogaway in order to address the problems mentioned above. First, we extend the formalism of Abadi Rogaway and show that soundness in the presence of key cycles can actually be achieved using a recentlyproposed notion of computational security. In doing this, however, we must (unlike Abadi and Rogaway) assume that formal encryptions reveal two things: the 'length' of their plaintexts, and whether two different ciphertexts were created using the same key. With this as motivation, we then turn to generalizations of the Abadi-Rogaway formalism. In particular, we show (in a general way) how Abadi and Rogaway's formulation of the formal model can be extended to consider encryption schemes (computational or information-theoretic) that leak partial information such as plaintext-length. That is, we Previous Work Work intended to connect the cryptographic and the formal models started with several independent approaches, including Lincoln, Mitchell, Mitchell, and Scedrov [41], Canetti [22], Pfitzmann, Schunter and Waidner [48, 49] , and Abadi and Rogaway [3]. In [3] , formal terms with nested operations are considered specifically for symmetric encryption, the adversary is restricted to passive eavesdropping, and the security goals are formulated as indistinguishability of terms. This was extended in [1] from terms to more general programs, but the restriction to passive adversaries remained. We discuss other extensions of [3] further below. Several papers consider specific models or specific properties, e.g., Guttman, Thayer, and Zuck [31] consider strand spaces and information-theoretically secure authentication. A process calculus for analyzing security protocols in which protocol adversaries may be arbitrary probabilistic polynomial-time processes is introduced in [41]. In this framework, which provides a formal treatment of the computational model, security properties are formulated as observational equivalences. Mitchell, Ramanathan, Scedrov, and Teague [47] use this framework to develop a form of process bisimulation that justifies an equational proof system for protocol security. The approach by Pfitzmann, Schunter and Waidner [48, 49] starts with a general reactive system model, a general definition of cryptographically secure implementation by simulatability, and a composition theorem for this notion of secure implementation. This work is based on definitions of secure function evaluation, i.e.the computation of one set of outputs from one set of inputs [29, 43, 16, 21] . The approach was extended from synchronous to asynchronous systems in [50, 22] , which are now known as the reactive simulatability framework [50, 10] and the universal composability framework [22] . A detailed comparison of the two approaches may be found in [27] . The first soundness result of a formal model under active attacks has been achieved by Backes, Pfitzmann and Waidner [11] within the reactive simulatability framework. Their result comprises arbitrary active attacks and holds in the context of arbitrary surrounding interactive protocols and independently of the goals that one wants to prove about the surrounding protocols; in particular, property preservation theorems for the simulatability have been proved, e.g., for integrity and secrecy [6, 9] . While the original result in [11] considered public-key encryption and digital signatures, the soundness result was extended to symmetric authentication and to symmetric encryption in [12] and [8], respectively. (These authors are also among the first to explicitly note that symbolic models of cryptography ignore plaintext-lengths while real cryptographic algorithms often reveal it [13, 8] .) 8 Expressions may represent either a single message sent during an execution of the protocol, or the entire knowledge available to the adversary. In this second case, the expression contains not only the messages sent so far, but also any additional knowledge in the adversary's possession. We wish to define when two formal expressions are indistinguishable to the adversary. Intuitively, this occurs when the only differences between the two messages lie within encryption terms that the adversary cannot decrypt. In order to rigorously define this notion, we first need to formalize when an encryption term is 'undecryptable' by the adversary, which in turn requires us to define the set of keys that the adversary can learn from an expression. An expression might contain keys in the clear. The adversary will learn these keys, and then be able to use them to decrypt encryption terms of the expression-which might reveal yet more keys. By repeating this process, the adversary can learn the set of recoverable decryption keys: Definition 2 (Subexpressions, Visible Subexpressions, Recoverable Keys, B-Keys, Undecryptable Terms). We define the set of subexpressions of an expression M , denoted by sub (M ), as the smallest subset of expressions such that: -M ∈ sub (M ), -(M 1 , M 2 ) ∈ sub (M ) =⇒ M 1 ∈ sub (M ) and M 2 ∈ sub (M ), and -{M ′ } K ∈ sub (M ) =⇒ M ′ ∈ sub (M ). We say that N is a subexpression of M , and denote it by N ⊑ M , if N ∈ sub (M ). The set of visible subexpressions of a symmetric expression M , vis (M ), is the smallest subset of expressions such that: -M ∈ vis (M ), -(M 1 , M 2 ) ∈ vis (M ) =⇒ M 1 ∈ vis (M ) and M 2 ∈ vis (M ), and -{M ′ } K and K ∈ vis (M ) =⇒ M ′ ∈ vis (M ). The recoverable keys of a (symmetric) expression M , R-Keys(M ), are those that an adversary can recover by looking at an expression. That is, R-Keys(M ) = vis (M ) ∩ Keys(M ). We say that an encryption term {M ′ } K ∈ vis (M ) is undecryptable in M if K / ∈ R-Keys(M ). Among the non-recoverable keys of an expression M , there is an important subset denoted by B-Keys(M ). The set B-Keys(M ) contains those keys which encrypt the outermost undecryptable terms. Formally, for an expression M , we define B-Keys(M ) as B-Keys(M ) = {K ∈ Keys(M ) | {M } K ∈ vis (M ) but K ∈ R-Keys(M )} . Example 3. Let M be the following expression (({0} K6 , {{K 7 } K1 } K4 ), ((K 2 , {({001} K3 , {K 6 } K5 )} K5 ), {K 5 } K2 )). In this case, Keys(M ) = {K 1 , K 2 , K 3 , K 4 , K 5 , K 6 , K 7 }. The set of recoverable keys of M is R-Keys(M ) = {K 2 , K 5 , K 6 }, because an adversary sees the non-encrypted K 2 , and with that he can decrypt {K 5 } K2 , hence recovering K 5 ; then, decrypting twice with K 5 , K 6 can be revealed. We also have that B-Keys(M ) = {K 3 , K 4 }.
doi:10.3233/jcs-2009-0358 fatcat:ietxpac7uzforoiicorsojlvia