Download A second look at Shoup`s lemma - Prosecco

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
Document related concepts

Infinite monkey theorem wikipedia , lookup

Probability box wikipedia , lookup

Birthday problem wikipedia , lookup

Inductive probability wikipedia , lookup

Ars Conjectandi wikipedia , lookup

Probability interpretations wikipedia , lookup

Transcript 
A second look at Shoup’s lemma
Bruno Blanchet
INRIA, École Normale Supérieure, CNRS, Paris
[email protected]
In order to show that a security protocol satisfies a security property P in the computational model,
cryptographers generally use proofs by sequences of games [3]. The first game G0 is the protocol to
prove. Each game Gi is transformed into the next one Gi+1 using game transformations, such that the
probability pi that an adversary distinguishes Gi from Gi+1 is bounded by a small value, for instance
the probability of solving a difficult computational problem. Finally, the last game Gn is such that
the desired security property P is obvious from the form of the game, so that the probability that an
adversary breaks P is 0 in this game. The probability that an adversary breaks P in the initial game is
then at most the sum p0 + · · · + pn−1 .
Shoup’s lemma [3] is a technique frequently used in proofs by sequences of games. One transforms
the game Gi into Gi+1 by introducing some event e: Gi+1 behaves differently from Gi only when it
executes the event e. The probability pi of distinguishing Gi from Gi+1 is then the probability that
Gi+1 executes e. This probability is itself bounded by performing a proof by sequences of games starting
from Gi+1 . Often, in order to bound the probability of e, we wait until a later game of the sequence
G1 , . . . , Gn in which that probability is easier to bound, so that the proof that serves in bounding the
probability of e shares some or all game transformations with the proof of the initial security property
P : this is the “deferred analysis” technique [?]. Suppose that the sequence Gi+1 , . . . , Gn ends with a
game Gn that never executes e and such that P is always true. Then the probability that Gi+1 executes
e is at most pi = pi+1 + . . . + pn−1 . The probability that an adversary breaks P is then at most
p0 + · · · + pn−1 = p0 + · · · + pi−1 + 2(pi+1 + · · · + pn−1 ).
In this talk, we will show that the factor 2 in this formula can be avoided. (More generally, other
constant factors that appear when several events are introduced can also be avoided.) We prove this
result by considering the property “e is executed or P is broken” instead of considering separately the
event e and the property P .
This result has been shown in the context of the automatic protocol prover CryptoVerif [1]; it is
implemented in this prover, but it also applies to manual proofs. It allows us to obtain better probability bounds than with the standard computation of probabilities. For example, in the proof of the
password-based protocol One-Encryption Key Exchange [2], [2] shows that the adversary can test at
most 3 passwords per interaction with the protocol. By applying our improvement in the computation
of probabilities, we can show using the same sequence of games that the adversary can in fact test at
most one password per session of the protocol, which is the optimal result.
Acknowledgments
004-01).
This work was partly supported by the ANR ProSe project (decision 2010-VERS-
References
[1] B. Blanchet. A computationally sound mechanized prover for security protocols. IEEE Transactions
on Dependable and Secure Computing, 5(4):193–207, Oct.–Dec. 2008.
[2] E. Bresson, O. Chevassut, and D. Pointcheval. Security proofs for an efficient password-based key
exchange. In V. Atluri, editor, Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), pages 241–250, Washington DC, 2003. ACM Press.
[3] R. Gennaro and V. Shoup. A note on an encryption scheme of Kurosawa and Desmedt. Cryptology
ePrint Archive, Report 2004/194, Aug. 2004. Available at http://eprint.iacr.org/2004/194.
1
[4] V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint
Archive, Report 2004/332, Nov. 2004. Available at http://eprint.iacr.org/2004/332.
2
Related documents
Document 8932819
Document 8932819
Definition of `civil resistance`
Definition of `civil resistance`
Some Content Area Standards Geometry Social Science in the
Some Content Area Standards Geometry Social Science in the
geom1CP_essay review
geom1CP_essay review
Key Vocabulary If-then Statements Proofs Law of Detachment Law
Key Vocabulary If-then Statements Proofs Law of Detachment Law
Intro to Geometry C1:
Intro to Geometry C1:
How Others Compromise Your Location Privacy
How Others Compromise Your Location Privacy
Privacy-Preserving Applications on Smartphones Yan Huang
Privacy-Preserving Applications on Smartphones Yan Huang
A Graph Based Theorem Proving Platform with Strategies - PUC-Rio
A Graph Based Theorem Proving Platform with Strategies - PUC-Rio
File - balko
File - balko
short company profile
short company profile
2-6 Algebraic Proofs
2-6 Algebraic Proofs
Chapter 2 Review Geometry
Chapter 2 Review Geometry
Speaker Training for ISTR19
Speaker Training for ISTR19
pdf
pdf
daniel bandmann - City of Missoula
daniel bandmann - City of Missoula
RSA: 1977--1997 and beyond
RSA: 1977--1997 and beyond
conjugacy search problem in public key cryptography
conjugacy search problem in public key cryptography
a game-theoretic approach - Security and Cooperation in Wireless
a game-theoretic approach - Security and Cooperation in Wireless
Introduction to Operations Security (OPSEC)
Introduction to Operations Security (OPSEC)
Notes #1 - Department of Computer Science
Notes #1 - Department of Computer Science
Anonymizing social networks
Anonymizing social networks