ComputerAided Security Proofs for the Working Cryptogr - PDF document

Computer-AidedSecurityProofsfortheWorkingCryptographer?GillesBarthe1,BenjaminGregoire2,SylvainHeraud2,andSantiagoZanellaBeguelin11IMDEASoftwareInstitute,Madrid,Spain2INRIASophiaAntipolis-Mediterranee,FranceAbstract.WepresentEasyCrypt,anautomatedtoolforelaboratingsecurityproofsofcrypto-graphicsystemsfromproofsketches|compact,formalrepresentationsoftheessenceofaproofasasequenceofgamesandhints.Proofsketchesarecheckedautomaticallyusingo-the-shelfSMTsolversandautomatedtheoremprovers,andthencompiledintoveriableproofsintheCertiCryptframework.Thetoolsupportsmostcommonreasoningpatternsandissignicantlyeasiertousethanitspredecessors.WearguethatEasyCryptisaplausiblecandidateforadoptionbyworkingcryptographersandillustrateitsapplicationtosecurityproofsoftheCramer-ShoupandHashedElGamalcryptosystems.Keywords:Provablesecurity,veriablesecurity,game-basedproofs,Cramer-Shoupcryptosys-tem,ElGamalencryption.1IntroductionThegame-playingtechnique[8,18,21]isanestablishedmethodologyforstructuringcryptographicproofs.Itsessenceliesingivingprecisemathematicaldescriptions,referredtoasgames,oftheinter-actionbetweenadversariesandoraclesystems.Proofsareorganizedassequencesofgames,startingfromagamethatrepresentsasecuritygoal(e.g.indistinguishabilityagainstchosen-ciphertextat-tacks),andproceedingtogamesthatrepresentsecurityassumptions(e.g.DecisionDie-Hellman)bysuccessivetransformationsthatcanbeshowntopreserve,oralteronlyslightlytheoverallsecurity.Inatypicalstepinagame-basedproofthegoalistorelatetheprobabilityofaneventAinagameGtotheprobabilityofapossiblydierenteventA0inagameG0.Forexample,thegoalmaybetoestablishaninequalityoftheformPr[GAPr[G0A0]+
,where
isanarithmeticexpressionthatdependsonthenumberoforaclequeriesmadebyanadversary.Theprevailingpracticeforprov-ingthevalidityofsuchproofstepsistousestandardmathematicaltools,whichinterleavereasoningaboutthesemanticsofgameswithinformation-theoreticorarithmeticalarguments.Inthecode-basedapproachtothegame-playingtechnique[8,18]gamesarecastasprobabilisticalgorithms.Theadoptionofprogrammingidiomsallowstogiveprecisedenitionsofgames,andpavesthewayforapplyingprogramminglanguagemethodstojustifyproofstepsrigorously.Asanticipatedbytheirproponents,code-basedgame-playingproofsareamenabletoformalverication,andanumberoftoolsprovidesupportforbuildingthem.CryptoVerif[11]isatoolforconductingsecurityproofsinagame-basedsettinginwhichgamesaremodeledasprocessesandtransitionsarejustiedbymeansofprocess-algebraicconceptssuchasbisimulations.OnestrengthofCryptoVerif,apartfrombeingthersttooltohavesupportedgame-basedproofs,isthatitappliesbothtoprotocolsandprimitives;ithasbeensuccessfullyappliedtoverifyKerberos[10]andtheFull-DomainHash(FDH)signaturescheme[12].CertiCrypt[6]isanotherframeworkthatallowsfortheinteractiveconstructionofgame-basedproofsintheCoqproofassistant[23].OnespecicityofCertiCryptisthatproofscanbeveried ?PartiallyfundedbyEuropeanProjectFP7-256980NESSoS,FrenchprojectANRSESUR-012SCALP,Span-ishprojectTIN2009-14599DESAFIOS10,andMadridRegionalprojectS2009TIC-1465PROMETIDOS. independentlyandautomaticallybyasmalltrustworthychecker;ithasbeensuccessfullyappliedtoverifyprominentcryptographicconstructions,includingOAEP[5],FDH[25],andzero-knowledgeprotocols[7].WhilethedevelopmentsbasedonCryptoVerifandCertiCryptmakeaconvincingcasethatcomputer-aidedcryptographicproofsareindeedplausible,neithertoolhasreachedawideaudienceamongcryptographers.In[5],wecontrastthehighguaranteesgivenbyCertiCryptwiththeeortandexpertiserequiredtobuildmachine-checkedproofs,andconcludethatcryptographersareunlikelytoadoptveriablesecurityinitscurrentform.Inthissense,itcanbeconsideredthatCryptoVerifandCertiCryptonlyprovideapartialrealizationofHalevi'sprogrammeofsystematicallybuildingcomputer-aidedcryptographicproofs[18].Thethesisofthisarticleisthatveriablesecuritycandramaticallybenetfromautomationusingstate-of-the-artvericationtechnology,andthatveriablegame-basedproofscanbeconstructedwithonlyamoderateeort.ThethesisisrealizedwiththepresentationofEasyCrypt,anautomatedtoolthatbuildsmachine-checkedproofsfromproofsketches,whichoeramachine-processablerepresen-tationoftheessenceofasecurityproof.WearguethatEasyCryptissignicantlyeasiertousethanprevioustools,makinganimportantsteptowardstheadoptionofcomputer-aidedsecurityproofsbyworkingcryptographersandhencetowardsfulllingHalevi'sprogramme.Tosubstantiateourclaim,wepresentcomputer-aidedproofsofsecurityofHashedElGamalencryptionandtheCramer-Shoupcryptosystem.EasyCryptadoptstheprincipledapproachmandatedbyCertiCrypttoconductgame-basedproofsandimposesaclearseparationbetweenprogramvericationandinformation-theoreticreasoning.Transitionsbetweengamesarejustiedintwosteps:rst,oneproveslogicalrelationsbetweenthegamesusingprobabilisticRelationalHoareLogic(pRHL);second,oneappliesinformation-theoreticreasoningtoderiveclaimsabouttheprobabilityofeventsfrompRHLjudgments.Weprovideforeachstephighlyeectivemechanismsthatbuilduponacombinationofo-the-shelfandpurpose-specictools.Specically,EasyCryptimplementsanautomatedprocedurethatcomputesforanypRHLjudg-mentasetofsucientconditionsforitsvalidity,knownasvericationconditions.Theoutstandingfeatureofthisprocedure,andthekeytotheeectivenessofEasyCrypt,isthatvericationcondi-tionsareexpressedinthelanguageofrst-orderlogic,withoutanymentionofprobability,andcanbedischargedautomaticallybystate-of-the-arttoolssuchasSMTsolversandtheoremprovers.Thevericationconditiongeneratorisproof-producing,inthesensethatitgeneratesCoqlesthatcanbemachine-checkedusingtheCertiCryptframework.Moreover,theconnectiontoCertiCryptmakesitpossibletobenetfromtheexpressivityand\rexibilityofageneral-purposeproofassistantforad-vancedvericationgoalsthatfalloutofthescopeofautomatedtechniques.Additionally,EasyCryptimplementsanautomatedmechanismforprovingclaimsaboutprobability.Themechanismcombinessomeelementaryrulestocompute(boundson)probabilitiesofevents|e.g.theprobabilityofauni-formlysampledelementtobelongtoalist|withrulestoderive(in)equalitiesbetweenprobabilitiesofeventsingamesfromjudgmentsinpRHL.ThecombinationofthesetoolswithothermoremundanefeaturessuchasalimitedformofspecicationinferenceforproceduresprovidessubstantialleveragetowardsmakingveriablesecuritypracticalandmakesEasyCryptaplausiblecandidateforadoptionbyworkingcryptographers.2IntroductoryExample:HashedElGamalEncryptionThissectionillustratestheapplicationofEasyCrypttoaproofofIND-CPAsecurityofHashedElGamalencryptionintheRandomOracleModel.Theexampleservestointroducethenotionofproofsketchandtogivethereaderanideaoftheinputthatthetoolexpects.ItalsoallowsforapreliminarycomparisonbetweenEasyCryptandCertiCrypt.Wereferthereaderto[4]foraproofofthesameresultinCertiCryptHashedElGamalisavariantofElGamalencryptionthatdoesnotrequireplaintextstobeelementsofagroup.Instead,plaintextsarebitstringsofacertainlengthkandgroupelementsaremapped intobitstringsusingahashfunctionHG!f01gk.LetGbeamultiplicativecyclicgroupoforderqwithgeneratorg.Formally,theschemeisdenedbythefollowingtripleofalgorithms:KG()def=x$ Zqreturn(gx;x)E(;m)def=y$ Zqh H(y);return(gy;hm)D(x;(;))def=h H(x);return(h)ThesecurityofHashedElGamalcanbereducedtotheComputationalDie-Hellman(CDH)assump-tionontheunderlyinggroupfamily.ThisistheassumptionthatitishardtocomputegxygivengxandgywherexandyareuniformlyrandomelementsinZq.TomatchtheexistingproofinCertiCrypt,weexhibitareductiontotheLCDHassumption,thesetversionoftheCDHassumption|thereductionfromLCDHtoCDHisimmediate.Figure1showsthesequenceofgamesusedtojustifythesecurityreduction.ThisisanessentialpartoftheproofsketchthatisinputtoEasyCrypt,andwhichiscomposedofveingredients:31.Type,constantandoperatordeclarations,whichintroducetheobjectsmanipulatedbythescheme.Inthiscase,theyincludeatypeforelementsofthecyclicgroupG,constantsrepresentingthelengthofmessagesk,theorderofthegroupqandageneratorg,andoperatorsdenotingthegrouplawandexponentiation,andexclusiveoronbitstrings;2.Axioms,whichcapturemathematicalpropertiesoftheseobjects,andareusedbyautomatedtoolstocheckthevalidityoftheproofsketch.Weuseaxiomstostatepropertiesofthegrouplawandexponentiation,andtheexclusiveoroperator;3.Gamedenitions,whereadversariesarespeciedasabstractprocedureswithaccesstooracles.InallgamesinthegurethehashfunctionHismodeledasarandomoracleandtheadversaryisrepresentedastwoproceduresA1andA2thatsharestate.TheproceduresrepresentingtheadversaryaregivenaccesstoawrapperHAforthehashoraclethatjuststoresqueriesinalistLAbeforeforwardingthemtoHH(x)def=ifx=2dom(L)thenh$ f01gkLLx hendifreturnLLxHA(x)def=LA xLAm H(x);returnm4.JudgmentsinpRHL.Thegeneralformofjudgmentsis=G1G2 ),whereG1andG2aregames,andthepre-condition andthepost-conditionarerelationsonprogrammemories(memoriesmapprogramvariablestovalues).Pre-andpost-conditionsarerst-orderformulaebuiltfromrelationalexpressions,inwhichlanguageexpressionsaretaggedwithh1iorh2itodenotetheirinterpretationintherstorsecondgame.WeoftenconsiderequivalenceofmemoriesonasetofvariablesX;weuse=Xasashorthandfortheformula8x2X:xh1i=xh2i5.Claimsaboutprobability,builtfromprobabilityquantities(theprobabilityofaneventinagame),arithmeticoperators,andmathematicalrelations(e.g.=;;).Thenalstatementthatexpressestheoverallsecurityguaranteebroughtbytheproofsketchisusuallyaclaimthatupperboundstheprobabilityofadversarysuccessinaninitialattackgameintermsoftheprobabilitiesofoneormoreadversariesbreakingsecurityassumptions.Webrie\rycommentonthesequenceofgamesinFigure1.TherstandlastgamesencodetheIND-CPAandLCDHexperiments,respectively.WeobtainG1byinliningthekeygenerationandencryptionproceduresintheinitialgameandrearranginginstructionssothatrandomchoicesaremadeupfront.WeprovethatgamesIND-CPAandG1yieldidenticaldistributionsontheresultofthegame(denotedbythekeywordres).Wededucefromthisthattheprobabilityoftheeventb=b0isthesameinbothgames.IngameG2wesubstitutethevalueH(^y)usedtocomputethechallengeciphertextbyauniformlychosenvalue.ThisonlymakesadierenceifA1queries^ytoH,andthishappenswiththesame 3Thersttwoareomittedfromthegure.WeincludeanextractoftheactualinputleforreferenceinAppendixB. GameIND-CPA:(;x) KG();(m0;m1) A1();b$ f0;1g;(;\r) E(;mb);b0 A2(;\r);return(b=b0) GameG1:x$ Zq; gx;y$ Zq;^y y;(m0;m1) A1();b$ f0;1g;h H(^y);b0 A2(gy;hmb);return(b=b0) j=IND-CPAG1:true)=fresgPr[IND-CPA:b=b0]=Pr[G1:b=b0] GameG1:x$ Zq; gx;y$ Zq;^y y;(m0;m1) A1();b$ f0;1g;h H(^y);b0 A2(gy;hmb);return(b=b0) GameG2:x$ Zq; gx;y$ Zq;^y y;(m0;m1) A1();b$ f0;1g;h$ f0;1gk;b0 A2(gy;hmb);return(b=b0) j=G1G2:true)(^y2LA)h1i$(^y2LA)h2i^(^y=2LA)h1i!=fresg
jPr[G1:b=b0]Pr[G2:b=b0]jPr[G2:^y2LA] GameG2:x$ Zq; gx;y$ Zq;^y y;(m0;m1) A1();b$ f0;1g;h$ f0;1gk;b0 A2(gy;hmb);return(b=b0) GameG3:x$ Zq; gx;y$ Zq;^y y;(m0;m1) A1();\r$ f0;1gk;b0 A2(gy;\r);b$ f0;1g;return(b=b0) j=G2G3:true)=fres;^y;LAgPr[G2:b=b0]=Pr[G3:b=b0]=1=2Pr[G2:^y2LA]=Pr[G3:^y2LA] GameG3:x$ Zq; gx;y$ Zq;^y y;(m0;m1) A1();\r$ f0;1gk;b0 A2(gy;\r);b$ f0;1g;return(b=b0) GameLCDH:x$ Zq;y$ Zq;L B(gx;gy);return(gxy2L)AdversaryB(;):(m0;m1) A1();\r$ f0;1gk;b0 A2(;\r);returnLA j=G3LCDH:true)(^y2LA)h1i$resh2iPr[G3:^y2LA]=Pr[LCDH:gxy2L]Pr[IND-CPA:b=b0]1 2Pr[LCDH:gxy2L] Fig.1.ProofsketchofHashedElGamalsecurity probabilityineithergame.Thus,thedierenceintheprobabilityofanyeventinthesegamesisboundedbytheprobabilityof^y2LAinG2.ThiscanbeseenasasemanticvariantoftheFundamentalLemmaofGame-Playing;thelogicallowstodispensewiththecodeinstrumentationneededtoapplythesyntacticcounterpartofthelemma.ThetransitionfromG2toG3usesacodetransformationknownasoptimisticsampling:insteadofsamplinghanddeningavalue\rashmb,wesample\randdeneh=\rmb;wethenremovethedenitionofhasdeadcode.Thistransformationisprovenadmissiblewithinthelogicandremovesthedependencyoftheadversary'soutputfromthechallengebitbThenaltransitionperformsthereductiontoLCDHbyexhibitinganadversaryBthatusesAasasub-procedureandforwhichthesemanticsofgamesLCDHandG3coincide.Finally,fromtheprecedingclaims,theadvantageofAcanbeboundedbytheprobabilityofBinsolvingLCDH.Theresultingproofsketchisabout250lineslong,about5timesshorterthantheproofinCertiCryptreportedin[4]|andarguablymuchsimplerandclosetoapen-and-paperproof.3AnOverviewofEasyCryptProgrammingLanguageGamesaremodeledasprogramsinatyped,probabilistic,procedural,imper-ativelanguage.TypesincludeBooleans,integers,bitstrings,pairs,lists,maps,anduser-denedtypes.Expressionsarebuiltfromvariablesandoperatorsintheusualway;forinstance,Boolean-valuedoper-atorsincludetheusualconnectives,equality,listmembership,arithmeticcomparisons.Thecommandsofthelanguagearedenedbythefollowinggrammar:I::=V EassignmentjV$ DErandomsamplingifEthenCelseCconditionaljV P(E;:::;E)procedurecallC::=skipnopjICsequencewhereVisasetofvariables,Pisasetofprocedures,andDEisasetofdistributionexpressions.Forthepurposeofthisarticle,distributionexpressionsarerestrictedtouniformdistributionsoverspecicdomains,forinstanceintegersinZqor(non-neutral)elementsofsomegroupG.Adversariesaremodeledasabstractprocedureswithaninterfacethatspeciestheoraclestheymayquery.Gamescanbegivenasemanticsasmemorydistributiontransformers,inthestyleof[6].Formally,memoriesarewell-typedmappingsfromvariablestovalues,andthesemanticsofagameGisafunction,denotedJGK,thatreturnsforaninitialmemorymthe(sub-)distributiononnalmemoriesresultingfromexecutingGinm.GivenaninitialmemorymandaneventA(aBooleanexpression),weletPr[G;mA]denotetheprobabilityofAw.r.t.thedistributionJGKm;wesimplywritePr[GAwhentheinitialmemoryisnotrelevant.RelationalJudgmentsPre-andpost-conditionsinpRHLjudgmentsarerst-orderformulaebuiltfromrelationalexpressions.RelationalexpressionsarearbitraryBooleanexpressionsoverlogicalvariablesandprogramvariablestaggedwithh1ih2i;theonlyrestrictionisthatlogicalvariablesmayonlyappearquantied.Byabuseofnotation,wewriteehiifortheexpressioneinwhichallvariableshavebeentaggedwithhii.LetbstandforanarbitraryBooleanexpressionovertaggedandlogicalvariables,thenlogicalformulaearedenedbythefollowinggrammar: ;::=bj: ^ _ ! $()j8x:j9x:Alogicalformulaisinterpretedasarelationonprogrammemories.Forexample,theformulaxh1i+yh2izh1iisinterpretedastherelationR=f(m1;m2)m1(x)+m2(y)m1(z)g ApRHLjudgment=G1G2 )isvalidiforanypairofinitialmemoriesm1;m2satisfyingthepre-condition ,thedistributionsJG1Km1andJG2Km2satisfytheliftingofpost-condition(JG1Km1)L()(JG2Km2).Theliftingofarelationtoadistributionisdenedasamax-cutmin-\rowproblem,inthestyleof[19].Formally,let1beaprobabilitydistributiononasetAand2aprobabilitydistributiononasetB.Wedenethelifting1L(R)2ofarelationRABto1and2asfollows:49D(AB):1()=1^2()=2^8(a;b):AB:(a;b)�0=)aRbwheretheprojections1()and2()ofaredenedas1()(a)def=Xb2B(a;b)2()(b)def=Xa2A(a;b)Claimsaboutprobabilitycanbederivedfromvalidrelationaljudgmentsbymeansofthefollowingrules:m1 m2=G1G2 )!(Ah1i$Bh2i) Pr[G1;m1A]=Pr[G2;m2B[PrEq]m1 m2=G1G2 )!(Ah1i!Bh2i) Pr[G1;m1APr[G2;m2B[PrLe]AutomatedProofsofRelationalJudgmentsMostpracticalvericationtoolsadoptasimilarmethod-ology:aweakestprecondition(wp)calculusisusedtocomputefromaprogramanditsspecicationasetofsucientconditions,knownasvericationconditions,andtheseconditionsaredischargedbyautomatedtools.ExtendingthemethodologytothelogicpRHLisasignicantchallenge,fortworeasons:rst,generatingvericationconditionsforarelationalprogramlogicisanopentopicofre-search,andsecond,thereisnopriorapplicationofthemethodologytoproceduralnorprobabilisticprograms.Thereareatleasttwonaturalstrategiesfordeningawpcalculusinarelationalsetting.Thecalculuscaneitheroperateonbothgamesinlockstep,orelseitcanoperateoneachgameseparately,inthestyleofself-composition[2].Bothstrategiesareincomplete:thelockstepwpcalculusfailsonprogramsthatarenotstructurallyequivalent,whereasself-compositionfailstohandlerandomassignmentsandadversarycalls.Inordertocircumventtheselimitations,EasyCryptimplementsanalternativeapproachthatmixesbothstrategies:1.Callstonon-adversaryproceduresareeliminatedfromthegamesbysuccessiveinliningtheirde-nitions.Intheabsenceofrecursion,thetransformationterminatessuccessfullyandonlyadversarycallsremain;2.Randomassignmentsaremovedupfront.Theresultingcodeconsistsofasequenceofrandomassignmentsfollowedbydeterministiccode,possiblywithadversarycalls;3.Arelationalweakestpreconditioncalculusisappliedtothedeterministicfragmentofthegame,usingrelationalspecicationstodealwithadversarycalls.Eachadversaryspecicationinducesaproofobligation,expressedasapRHLjudgment,ontheoraclesinitsinterface.Self-compositionisappliedtoverifythecodeoforacleswithrespecttothesepRHLjudgments.Thisresultsinajudgmentoftheform=x1$ T1:::xl$ Tly1$ U1:::yn$ Un ) 4Fortheclarityofpresentation,weassumethatAandBarediscreteandcastourdenitionsusingtheusualrepresentationofdistributions.However,thetoolbuildsonamonadicrepresentationofdistributions,asin[6]. Forexample,provingtheequivalencebetweengamesG1andG2intheproofpresentedintheprevioussection,requiresprovingthefollowingspecicationforA1=A1()A1():=;^y;L;LA^(^y2dom(L)!^y2LA)h1i)=res;^y;L;LA^(^y2dom(L)!^y2LA)h1iwhichgeneratesthefollowingproofobligationonHA=HA(x)HA(x):=x;^y;L;LA^(^y2dom(L)!^y2LA)h1i)=res;^y;L;LA^(^y2dom(L)!^y2LA)h1i4.AmappingfT1


Tl!U1


Unisselected,andusedtogeneratethevericationcondition )f,denedas58m1m2t1:::tl:m1 m2=)m1~t=~x m2ff(t1;:::;tl)=~ygUnderspecicconditionsonf,see[24],thevalidityof )fentailsthevalidityofthecorre-spondingpRHLjudgment.Inpractice,itisgenerallysucienttorequirethatfisa1-1mapping,andtakingfastheidentityfunctionworksmostofthetime.(SeeAppendixAforajusticationofthemethod.)However,insomecasesothermappingsmustbeused.Forexample,toprovetheequivalencebetweengamesG2andG3intheproofofHashedElGamaldescribedintheprevioussection,itisnecessarytoproveajudgmentlikethefollowing:=h$ f01gk\r hmb\r$ f01gkh \rmb:=mb)=h;\rThewpwillstopaftercomputingtheweakestpreconditionforthedeterministicfragmentofthetwoprograms,yielding=h$ f01gk\r$ f01gk:=mb)(hh1i=\rh2imbh2i)ThisequivalenceisprovedinEasyCryptbyprovidingthebijectivefunctionf(x)=xmbasawitness.Thefactthatfisbijectiveisestablishedautomaticallysincefisidempotent.Inthegeneralcasethisisprovedbyprovidingalsotheinversemapping.5.Since )fisarst-orderformula,itsvaliditycanbeestablishedbyo-the-shelftools.Inordertotargetmultipletools,EasyCryptgeneratesitsvericationconditionsintheintermediateformatoftheWhytool[17].WethenusetheSimplifyprover[16]andthealt-ergoSMTsolver[13]todischargetheconditions(althoughmanyothersproversaresupported,includinginteractivetheoremproverssuchasCoq).Vericationconditiongenerationisincomplete(inthelogicalsense),andwouldfailonpRHLjudg-mentswheregamesperformcallstoadversariesinadierentorder.Pleasingly,thestrategyisex-tremelyeectiveinpractice|sothatwehavefoundnoneedtoimplementalternativesfordealingwithprogramsnothandledbyourapproach.AMechanizedProbabilisticRelationalHoareLogicEasyCryptimplementsasimpletacticlanguagetoprovethevalidityofjudgmentsusingrulesofthelogicandprogramtransformations.Thetacticsallowtheapplicationoftwo-sidedrules,whichrequirethatthetwocommandsofajudgmenthavethesameshape,andone-sidedrules,whichoperateononlyoneofthegamesinajudgment.Alllanguageconstructsadmitbothone-sidedandtwo-sidedrules,exceptforrandomassignmentsandadversarycalls,forwhichonlytwo-sidedrulesexist. 5Thememorym1~t=~x mapsxitotifori=1:::landztom1(z)forz62fx1:::xlg.Likewise,m2ff(t1;:::;tl)=~ygisthememorythatmapsyitoi(f(t1;:::;tl))fori=1:::nandztom2(z)forz62fy1:::yng. Thelackofone-sidedrulesforrandomassignmentsandadversarycallslimitstheapplicabilityofthelogic:e.g.,itcannotrelatetheprogramsx$ Xy A(z)andy A(z);x$ X,becauseinstructionsareexecutedinadierentorder.Tomitigatethislimitation,EasyCryptimplementspro-gramtransformationsforcodemotion,allowingtoswapinstructionsthatareindependent.Moreover,EasyCryptimplementstacticsforinliningprocedurecallsandeagerly/lazilysamplerandomvalues.Basictacticscanbecombinedusingtacticalstoincreaseautomation.ThetacticlanguageprovidesthenecessaryinfrastructureformakingmostcomponentsofEasyCryptproof-producing,asdiscussedbelow.ReasoningaboutFailureEventsGame-basedproofsoftenincludestepsinwhichitisarguedthattwogamesG1andG2behaveidenticallyunlessadesignatedfailureeventFoccurs.Suchtransitionsarejustiedusingtheso-calledFundamentalLemma[8,21],whichallowstoboundthedierencebetweentheprobabilityofaneventAingameG1andapossiblydierenteventBingameG2bytheprobabilityofFineithergame.Althoughasyntacticalcharacterizationofthislemmaisoftenused,inwhichfailureisrepresentedbyaBoolean\raginthecodeofthegames,westateamoregeneralversionofthelemmausingrelationallogic.Lemma1(FundamentalLemma).LetG1,G2betwogamesandA;B,andFbeeventssuchthat=G1G2 )(Fh1i$Fh2i)^(:Fh1i!(Ah1i$Bh2i))Then,ifm1 m2,1.Pr[G1;m1A^:F]=Pr[G2;m2B^:F,2.Pr[G1;m1APr[G2;m2BjPr[G1;m1F]=Pr[G2;m2FThehypothesisofthelemmacanbecheckedusingthepRHLprover.Thekeytoprovingthevalidityofthejudgmentisndinganappropriatespecicationforadversaries.EasyCryptinfersforeachadversarycallx A(~e)arelationandchecksthevalidityofthejudgment=AA:(:Fh1i^:Fh2i^=args(A)^))(Fh1i$Fh2i)^:Fh1i!=res^
whereargs(A)denotesthesetofformalparametersofA.Thisinturn,requiresinferringandcheckingsimilarspecicationsfororacles.Althoughtheseheuristicallyinferredspecicationssuceinmostcases,theusercanchoosetoprovetheirownspecicationsforoneormoreoraclesoradversarieswhenneeded,leavingthetooltoinfertherest.ComputingProbabilitiesEasyCryptcanproveclaimsabouttheprobabilityofeventsingamesusingpropertiesofprobability(e.g.inclusion-exclusionprinciple),arithmeticlaws,andtherules[PrEq]and[PrLe]above,whichallowderivingprobabilityclaimsfromvalidrelationaljudgments.Wealsoimplementasimplemechanismforcomputingprobabilitybounds.Thismechanismcanestablish,forinstance,thattheprobabilitythatavalueuniformlychosenfromasetTisequaltoanarbitraryexpressionis1=T,ortheprobabilityitbelongstoalistofnvaluesisatmostn=TGeneratingVeriableEvidenceEasyCryptimplementsacompilerthatturnsproofsketchesintoCoqlesthatarecompatiblewiththeCertiCryptframeworkandcanbeveriedusingthetypecheckerofCoq.Thecompilerservestwopurposes:rst,itsignicantlyincreasescondenceinproofsketchesbyproducingindependentlyveriableproofs,andprovidingmeansofcheckingtheconsistencyofthesetofaxiomsusedinaproofsketch.Second,itopensthepossibilitytoconductinageneral-purposeproofassistantproofstepsthatfalloutofthescopeofautomatedmethods.Webrie\rydescribetheworkingsofthecompiler.Thedeclarations,denitionsofgames,andaxiomsofaproofsketchadmitanimmediatetranslationintoCertiCrypt.Therecommendedpractice istoprovetheaxiomsusedbyEasyCryptinCertiCrypt.Inmostcases,theaxiomsalreadyexistinCertiCrypt,oraresimpleconsequencesofprovenfacts.Then,usingtheproof-producingoptionofthepRHLprover,alljudgmentsofaproofsketcharecompiledintopRHLderivationsinCertiCryptFinally,thecompilergeneratesforeachclaiminaproofsketchaCoqlemmathatmayneedtobecompletedmanuallywithjusticationsoftheprobabilityreasoningperformedbyEasyCrypt4AdvancedApplication:Cramer-ShoupCryptosystemTheCramer-Shoupcryptosystem[14]isapublic-keyencryptionschemebasedonElGamalencryptionthatgainedfameforbeingtherstecientasymmetricencryptionschemetobeprovensecureagainstadaptivechosen-ciphertextattacksunderstandardassumptions|thelengthofciphertextsisjusttwicethelengthofElGamalciphertexts.Givenacyclicgroup(family)GoforderqandakeyedhashfunctionfHkG3!Zqgk2KmappingtriplesofgroupelementsintointegersinZq,keygeneration,encryption,anddecryptionaredenedasfollows:KG()def=g;^g$ Gnf1gx1;x2;y1;y2;z1;z2$ Zqk$ Ke gx1^gx2f gy1^gy2h gz1^gz2pk (k;g;^g;e;f;h);sk (k;g;^g;x1;x2;y1;y2;z1;z2);return(pk;sk)E((k;g;^g;e;f;h);m)def=u$ Zqa gu;^a ^guc humv Hk(a;^a;c);d eufuvreturn(a;^a;c;d)D((k;g;^g;x1;x2;y1;y2;z1;z2)(a;^a;c;d))def=v Hk(a;^a;c);ifd=ax1+vy1^ax2+vy2thenreturnc=(az1^az2)elsereturn?WeprovethattheCramer-Shoupcryptosystemissecureagainstadaptivechosen-ciphertextattacks(IND-CCAsecure)inthestandardmodelassumingtheDDHproblemishardintheunderlyinggroupfamilyandthehashfunctionHistargetcollision-resistant(i.e.,universalone-way).Denition1(TargetCollision-Resistance).LetfHkA!Bgk2Kbeakeyedfamilyofhashfunctions.TheadvantageofanadversaryCagainstthetargetcollision-resistanceofHisdenedasAdvCTCRdef=Pr[TCRHk(x)=Hk(y)^x=ywheretheexperimentTCRisdenedbymeansofthefollowinggame:GameTCRx C1();k$ Ky C2(k)Denition2(CCA-advantage).Let(KGED)beanasymmetricencryptionscheme.TheCCA-advantageofanadversaryAlimitedtoqDdecryptionqueriesagainsttheadaptivechosen-ciphertextsecurityoftheschemeisdenedasAdvACCA(qD)def=Pr[IND-CCAb=b01 2wheretheexperimentIND-CCAisdenedbymeansofthefollowinggame: GameIND-CCA:(pk;sk) KG();(m0;m1) A1(pk);b$ f0;1g;\r E(pk;mb);\rdef true;b0 A2(\r);return(b=b0) OracleDA(\r):ifjLDjqD^:(\rdef^\r=\r)thenLD \r::LD;returnD(sk;\r)elsereturn? Theorem1(SecurityofCramer-Shoup).LetAbeanadversaryagainsttheIND-CCAsecurityofCramer-ShouplimitedtoqDdecryptionqueries.Then,thereexistsanalgorithmBforsolvingtheDDHprobleminGandanadversaryCagainstthetargetcollision-resistanceofthehashfunctionHsuchthatAdvACCA(qD)AdvBDDH+AdvCTCR+q4D q4+qD+2 qFigure2showsaproofsketchoftheabovetheoreminEasyCrypt.Theprooffollowscloselytheonepresentedin[18];wegiveonlyahigh-leveldescriptionhere.GameG1inthegureisobtaineddirectlyfromtheIND-CCAgameinstantiatedforCramer-Shoupbyinliningthedenitionsofthekeygenerationandencryptionprocedures,propagatingassignments,andreplacingexpressionsbyequivalentones.WeobservethatallvericationconditionsthatensurethevalidityofthistransformationcanbedischargedautomaticallyusinganSMTsolver.ThissurpassesHalevi'sexpectations[18],whosuggestedthistransformationbesplitinthreestepssothatitcouldbehandledbyanautomatedtool.WethenbuildaDDHdistinguisherBsuchthattheoutputdistributiononthevalueof(b=b0)isidenticalingamesDDH0(whereBreceivesvalidDDHtriples)andG1,ontheonehand,andingamesDDH1(whereBreceivesrandomtriples)andG2,ontheother.Inaddition,weinstrumentthedecryptionoracleinG2toraisea\ragbadwheneverAqueriesforthedecryptionofavalidciphertextwithloga^a=logg^g.WethenshowusingoursemanticcharacterizationoftheFundamentalLemmathatthedierenceintheprobabilityof(b=b0)inthisgameandingameG3,whereDrejectssuchciphertexts,isboundedbytheprobabilityofbadinthelattergame.Wealsochangethewaye;fandharecomputedinasemantics-preservingway.Uptothispoint,bythetriangularinequalitywehavePr[IND-CCAb=b0Pr[G3b=b0jAdvBDDH+Pr[G3badThenextgameinthesequence,G4,removesthedependencyoftheadversary'soutputfrombitbbychoosinguniformlyrandsettingc=gr.Thisrequirestobeabletocomputez2fromlogg(c)=uz+(uu0)wz2+logg(mb),whichisnotpossibleifu=u0,butthishappensonlywithprobability1=q.WeuseagainthesemanticformulationoftheFundamentalLemmatoboundthedierenceintheprobabilityof(b=b0)betweenG3andG4by1=q.Afterstraightforwardinformation-theoreticreasoningwegetPr[IND-CPAb=b01=2jAdvBDDH+2=q+Pr[G4bad^u=u0WecannowmovemostofthecodeofthegamebeforethecalltoA1.Thisinturnallowstomakedrandombyuniformlychoosingr0=logg(d)anddeningx2intermsofit,ratherthantheotherwayaround.Sincenowthegamecomputesthechallengeciphertextinadvance,wecaninstrumentDtoraisea\ragbad1whenthechallengeisqueriedduringtherstphaseofthegame.Notethatatthispointthechallengeciphertextisa4-tupleofuniformlyrandomelements,therefore,theprobabilityofbad1isboundedby(qD=q)4|thisisachievedbymeansofanintermediategame,notshowninthegure,thatstoresthe4componentsofqueriedciphertextsindierentlists,andbyindependentlyboundingtheprobabilityofeachcomponentofthechallengeappearinginthecorrespondinglist.Hence,wehavePr[G4bad^u=u0Pr[G5bad^u=u0]+(qD=q)4ThedecryptionoracleingameG5alsoraisesa\ragbad2whenavalidciphertextwithHk(a;^a;c)=Hk(gu^gu0;gr)isqueried.Sincethisleadstoacollision,wecanbuildanadversaryCagainsttheTCRofHsuchthatitssuccessprobabilityislowerboundedbytheprobabilityofbad2beingraisedinG5Thus,Pr[G5bad^u=u0AdvCTCR+Pr[G5bad^u=u0^:bad2TheproofconcludesbyshowingthattheprobabilityinG5ofbadbeingsetwhilebad2isnotisboundedbyqD=q.Thisisdonebyreformulatingthetestunderwhichbad2issetsothatitdoesnotdependonx1;x2;y1;y2.Therefore,theprobabilityofthistestsucceedinginanydecryptionquery(undertheconditionthatu=u0)istheprobabilityoftheadversaryguessingarandomvalueinthegroup,atmostqD=qsummingoverallqueries.Theboundinthestatementfollows. GameG1:g;^g$ Gnf1g;x1;x2;y1;y2;z1;z2$ Zq;k$ K;e gx1^gx2;f gy1^gy2;h gz1^gz2;(m0;m1) A1(k;g;^g;e;f;h);b$ f0;1g;u$ Zq;a gu;^a ^gu;c az1
^az2
mb;v Hk(a;^a;c);d ax1+vy1
^ax2+vy2;\r (a;^a;c;d);\rdef true;b0 A2(\r);return(b=b0) OracleD(a;^a;c;d):ifjLDjqD^:(\rdef^(a;^a;c;d)=\r)thenLD \r::LD;v Hk(a;^a;c);ifd=ax1+vy1
^ax2+vy2thenreturnc=(az1
^az2)elsereturn?elsereturn?j=G1DDH0:true)=fresgPr[G1:b=b0]=Pr[DDH0:b=b0] Game DDH0 DDH1:g$ Gnf1g;x$ Zq;y$ Zq; z xy z$ Zq;returnB(g;gx;gy;gz)AdversaryB(g;^g;a;^a):x1;x2;y1;y2;z1;z2$ Zq;k$ K;e gx1^gx2;f gy1^gy2;h gz1^gz2;(m0;m1) A1(k;g;^g;e;f;h);b$ f0;1g;c az1
^az2
mb;v Hk(a;^a;c);d ax1+vy1
^ax2+vy2;\r (a;^a;c;d);\rdef true;b0 A2(\r);return(b=b0) OracleD(a;^a;c;d):ifjLDjqD^:(\rdef^(a;^a;c;d)=\r)thenLD \r::LD;v Hk(a;^a;c);ifd=ax1+vy1
^ax2+vy2thenreturnc=(az1
^az2)elsereturn?elsereturn?j=DDH1G2:true)=fresgPr[DDH1:b=b0]=Pr[G2:b=b0] GameG2:g$ Gnf1g;w$ Zq;^g gw;u;u0$ Zq;a gu;^a ^gu0;x1;x2;y1;y2;z1;z2$ Zq;k$ K;e gx1^gx2;f gy1^gy2;h gz1^gz2;(m0;m1) A1(k;h;^g;e;f;h);b$ f0;1g;c az1
^az2
mb;v Hk(a;^a;c);d ax1+vy1
^ax2+vy2;\r (a;^a;c;d);\rdef true;b0 A2(\r);return(b=b0) OracleD(a;^a;c;d):ifjLDjqD^:(\rdef^(a;^a;c;d)=\r)thenLD \r::LD;v Hk(a;^a;c);if^a=awthen;ifd=ax1+vy1
^ax2+vy2thenreturnc=(az1
^az2)elsereturn?elsifd=ax1+vy1
^ax2+vy2thenbad true;returnc=(az1
^az2)elsereturn?elsereturn? Fig.2.ProofsketchoftheIND-CCAsecurityoftheCramer-Shoupcryptosystem5LimitationsandExtensionsEasyCryptisinitsearlystagesofdevelopment;webrie\rycommentonsomeofitsmainlimitationsandpossibleextensions:{Programminglanguage:incomparisonwithCertiCrypt,thelanguageofEasyCryptlacksloops,recursiveprocedures,anddrawingfromskeweddistributions.Wedonotseetheneedforextendingthecurrentlanguagewithrecursiveprocedures.Incontrast,webelievethatmoregeneralformsforsamplingandboundedloopsareusefulandforeseenospecicdicultyinaddingthemtothelanguage(notethatannotatingloopswithinvariantsmayberequiredforvericationconditiongeneration);{Veriableevidence:EasyCryptonlygeneratespartialveriableevidence.AsthereiscurrentlynoSMTsolverthatgeneratesCoqproofs,thevericationconditionsareadmittedinordertomake GameG3:g$ Gnf1g;w$ Zq;^g gw;k$ K;x;x2$ Zq;x1 xwx2;e gx;y;y2$ Zq;y1 ywy2;f gy;z;z2$ Zq;z1 zwz2;h gz;(m0;m1) A1(k;h;^g;e;f;h);b$ f0;1g;u;u0$ Zq;a gu;^a ^gu0;c az1
^az2
mb;v Hk(a;^a;c);d ax1+vy1
^ax2+vy2;\r (a;^a;c;d);\rdef true;b0 A2(\r);return(b=b0) OracleD(a;^a;c;d):ifjLDjqD^:(\rdef^(a;^a;c;d)=\r)thenLD \r::LD;v Hk(a;^a;c);if^a=awthenifd=ax+vythenreturnc=azelsereturn?elsifd=ax1+vy1
^ax2+vy2thenbad true;return?elsereturn?elsereturn?j=G3G4:true)(u=u0)h1i$(u=u0)h2i^(u=u0)h1i!=fres;badg
Pr[G4:b=b0]=1=2jPr[G3:b=b0]Pr[G4:b=b0]jPr[G3:u=u0]=1=q GameG4:g$ Gnf1g;w$ Zq;^g gw;k$ K;x;x2$ Zq;x1 xwx2;e gx;y;y2$ Zq;y1 ywy2;f gy;z$ Zq;h gz;u;u0$ Zq;a gu;^a ^gu0;r$ Zq;c gr;v Hk(a;^a;c);d ax1+vy1
^ax2+vy2;(m0;m1) A1(k;h;^g;e;f;h);b$ f0;1g;\r (a;^a;c;d);\rdef true;b0 A2(\r);return(b=b0) OracleD(a;^a;c;d):ifjLDjqD^:(\rdef^(a;^a;c;d)=\r)thenLD \r::LD;v Hk(a;^a;c);if^a=awthenifd=ax+vythenreturnc=azelsereturn?elsifd=ax1+vy1
^ax2+vy2thenbad true;return?elsereturn?elsereturn?j=G4G04:true)(u=u0)h1i$(u=u0)h2i^(u=u0)h1i!=fbadg
j=G04G5:true)=fbad1g^:bad1h1i!=fbad;u;u0g
Pr[G4:bad^u=u0]Pr[G5:bad^u=u0]+(qD=q)4 Fig.2.ProofsketchoftheIND-CCAsecurityoftheCramer-ShoupcryptosystemtheoutputderivationscheckablebytheCoqproofassistant.MakingSMTsolversproof-producingisanactivesubjectofresearch[22],andadvancestowardsthisgoalshallbenetimmediatelytoEasyCrypt{Computationofprobability:EasyCryptgeneratesproofskeletonsforclaimsaboutprobabilityratherthanfullymachine-checkedproofs.Whileitisentirelyfeasibletoextendthecompilerforjustifyingmorereasonings,amoreprincipledsolutionwouldrequireatoolthatcansymbolicallycomputetheprobabilityofaneventinadistribution.Furtherresearchintothetheoryofcryptographicproofs,inthelineof[3],isneededtobroadenthescopeofapplicationsandeectivenessofEasyCrypt.Essentialgoalsincludeprovidingaformalaccountofusefulreasoningprinciples,suchasrewindingargumentsorcoin-xing,andnotions,suchasstatisticaldistance,thathavenotyetbeenconsideredinoursetting.Thereremainampleopportunitiestoapplymethodsfromprogramminglanguagesandformalvericationtocomputer-aidedcryptographicproofs.WementiontwoexcitingavenuesforimprovingautomationinEasyCrypt.Therstavenueistoimproveourmechanismforinferringrelationalspec-icationsofadversaries:thereisalargebodyofknowledgeoninferringinvariants,anditwouldbebenecialtotransposethemtooursetting.Morespeculatively,programsynthesiscouldbeusedtodiscoverpartofthesequenceofgamesneededtoconcludeaproof,andtobuildadversariesthatjustifyreductionstocryptographicassumptions.BothspecicationinferenceandprogramsynthesisrelyonvericationconditiongenerationandSMTsolving,hencethebasicblocksforsuchaninvestigationareinplace. Game G04G5:g$ Gnf1g;w$ Zq;^g gw;k$ K;u;u0$ Zq;a gu;^a ^gu0;y;y2$ Zq;y1 ywy2;f gy;x$ Zq;e gx;r0$ Zq;d gr0;x2 (r0u(x+vy))=(w(u0u))vy2;x1 xwx2;z$ Zq;h gz;r$ Zq;c gr;v Hk(a;^a;c);\r (a;^a;c;d);(m0;m1) A1(k;h;^g;e;f;h);\rdef true;b0 A2(\r);return(b=b0) OracleD(a;^a;c;d):ifjLDjqD^:\rdef^(a;^a;c;d)=\rthenbad1 true;ifjLDjqD^( :\rdef_(a;^a;c;d)=\r)thenLD \r::LD;v Hk(a;^a;c);if^a=awthenifd=ax+vythenreturnc=azelsereturn?elsifd=ax1+vy1
^ax2+vy2thenbad true;ifv=Hk(gu;^gu0;gr)thenbad2 trueelsereturn?elsereturn?j=G5TCR:true)bad2h1i!resh2iPr[G5:bad^u=u0]Pr[TCR:Hk(m0)=Hk(m1)^m0=m1]+Pr[G5:bad^u=u0^:bad2] GameTCR:m0 C1();k$ K;m1 C2(k);return(Hk(m0)=Hk(m1)^m0=m1)AdversaryC1():g$ Gnf1g;w$ Zq;^g gw;u;u0$ Zq;a gu;^a ^gu0;r$ Zq;c gr;return(a;^a;c)AdversaryC2(k):r0;x;y;z$ Zq;d gr0;e gx;f gy;h gz;y2$ Zq;y1 ywy2;^k k;v Hk(a;^a;c);x2 (r0u(x+vy))=(w(u0u))vy2;x1 xwx2;(m0;m1) A1(h;^g;e;f;h);\r (a;^a;c;d);b0 A2(\r);return^m OracleD(a;^a;c;d):ifjLDjqD^(a;^a;c;d)=\rthenLD \r::LD;v H^k(a;^a;c);if^a=awthenifd=ax+vythenreturnc=azelsereturn?elsifd=ax1+vy1
^ax2+vy2thenifv=H^k(gu;^gu0;gr)then^m (a;^a;c);return?elsereturn?elsereturn? Fig.2.ProofsketchoftheIND-CCAsecurityoftheCramer-ShoupcryptosystemFinally,Halevi[18]stressesthat\theusefulnessof(a)toolwilldependcruciallyonthewillingnessofthecustomers(inthiscasethecryptographiccommunity)touseit",andsuggestsonthisaccountthatanappropriateuserinterfacewillbeacrucialcomponentofthetool.Wefullyadheretohisview,andseebuildingsuchaninterfaceasanimportantobjectiveforfurtherwork.5.1ComparisonwithCertiCryptTable1comparesCertiCryptandEasyCryptonvarioussecurityproofsformalizedinbothsystems.Timesaremeasuredona2.8GHzIntelCore2Duoprocessorwith4GBofRAMunderMacOSX10.6.7.Forcomparison,weshowthesizeandcheckingtimeofCertiCryptproofsextractedfromEasyCryptproofsketches.Thisisnotanaltogetherfaircomparison,becauseextractedproofsassumeasaxiomsproofobligationscheckedbyautomatedprovers.Asanexperiment,wecompletedinteractivelytheextractedproofofsecurityofElGamalencryption,thusobtainingafullproofveriableunderCoq Theresultingproofis1173long(meaningthatonly43linesareneededtoproveinCoqtheproofobligationscheckedbyautomatedprovers)andtakes25stocheck.Table1.ComparisonofproofsizeandcheckingtimebetweenCertiCryptandEasyCrypt. CertiCryptEasyCryptExtracted LinesTimeLinesTimeLinesTime ElGamal(IND-CPA)56545s19012s113023sHashedElGamal(IND-CPA)12551m05s24333s177241sFull-DomainHash(EF-CMA)20355m46s5091m26s27241m11sCramer-Shoup(IND-CCA)n/an/a16375m12s55043m14sOAEP(IND-CPA)24513m27sn/an/an/an/aOAEP(IND-CCA)1116237m32sn/an/an/an/a 6ConclusionComputer-aidedvericationofcryptographicprotocolsinthesymbolicmodelisanestablishedeldofresearch:robusttoolsareavailableandhavebeenusedsuccessfullytoanalyzerealisticprotocols(e.g.[1,9,15,20]).Incontrast,thereislittlepriorworkoncomputer-aidedcryptographicproofsinthecomputationalmodel.TheimportanceofsuchproofswassuggestedindependentlybyBellareandRogaway[8]and,moreexplicitly,byHalevi[18],whoconvincinglyarguesthattheycanbeviewedasthe\naturalnextstepalongthewayofviewingcryptographicproofsasasequenceofprobabilisticgames".Todate,therearetwomaintoolsforcomputer-aidedcryptographicproofs:CertiCrypt,whichfavorsgeneralityandveriableproofs,andCryptoVerif,whichfavorsautomation.WehavepresentedEasyCrypt,anewtoolwhichprovidestherst\rexibleandautomatedframeworkforbuildingmachine-checkablecryptographicproofs,andillustrateditsusethroughcomputer-aidedsecurityproofsofHashedElGamalencryptionintheRandomOracleModelandtheCramer-Shoupcryptosysteminthestandardmodel.TheseexamplesdemonstratethatproofsinEasyCryptaresignicantlyeasierandfastertobuildthaninanyprevioustool,whileprovidingguaranteessimilartoCertiCrypt.Overall,webelievethatEasyCryptmakesanimportantsteptowardstheadoptionofcomputer-aidedproofsbyworkingcryptographers.AcknowledgmentsWearegratefultoDanielHedinandAnnePacaletfortheirparticipationintheinitialphasesoftheproject,toYassineLakhnech,DavidNaumann,andDavidPointchevalforusefuldiscussions,andtotheanonymousreviewersfortheirinsightfulcomments.References1.Backes,M.,Maei,M.,Unruh,D.:Computationallysoundvericationofsourcecode.In:17thACMconferenceonComputerandCommunicationsSecurity,CCS2010.pp.387{398.ACM,NewYork(2010)2.Barthe,G.,D'Argenio,P.,Rezk,T.:Secureinformation\rowbyself-composition.In:17thIEEEworkshoponComputerSecurityFoundations,CSFW2004.pp.100{114.IEEEComputerSociety,Washington(2004)3.Barthe,G.,Daubignard,M.,Kapron,B.,Lakhnech,Y.:Computationalindistinguishabilitylogic.In:17thACMconferenceonComputerandCommunicationsSecurity,CCS2010.pp.375{386.ACM,NewYork(2010)4.Barthe,G.,Gregoire,B.,Heraud,S.,ZanellaBeguelin,S.:FormalcerticationofElGamalencryption.AgentleintroductiontoCertiCrypt.In:5thInternationalworkshoponFormalAspectsinSecurityandTrust,FAST2008.LectureNotesinComputerScience,vol.5491,pp.1{19.Springer,Heidelberg(2009) 5.Barthe,G.,Gregoire,B.,Lakhnech,Y.,ZanellaBeguelin,S.:Beyondprovablesecurity.VeriableIND-CCAsecurityofOAEP.In:TopicsinCryptology{CT-RSA2011.LectureNotesinComputerScience,vol.6558,pp.180{196.Springer,Heidelberg(2011)6.Barthe,G.,Gregoire,B.,ZanellaBeguelin,S.:Formalcerticationofcode-basedcryptographicproofs.In:36thACMSIGPLAN-SIGACTsymposiumonPrinciplesofProgrammingLanguages,POPL2009.pp.90{101.ACM,NewYork(2009)7.Barthe,G.,Hedin,D.,ZanellaBeguelin,S.,Gregoire,B.,Heraud,S.:Amachine-checkedformalizationofSigma-protocols.In:23rdIEEEComputerSecurityFoundationssymposium,CSF2010.pp.246{260.IEEEComputerSociety,LosAlamitos(2010)8.Bellare,M.,Rogaway,P.:Thesecurityoftripleencryptionandaframeworkforcode-basedgame-playingproofs.In:AdvancesinCryptology{EUROCRYPT2006.LectureNotesinComputerScience,vol.4004,pp.409{426.Springer,Heidelberg(2006)9.Bhargavan,K.,Fournet,C.,Gordon,A.D.:Modularvericationofsecurityprotocolcodebytyping.In:37thACMSIGPLAN-SIGACTsymposiumonPrinciplesofprogramminglanguages,POPL2010.pp.445{456.ACM(2010)10.Blanchet,B.,Jaggard,A.D.,Scedrov,A.,Tsay,J.K.:Computationallysoundmechanizedproofsforbasicandpublic-keyKerberos.In:15thACMconferenceonComputerandCommunicationsSecurity,CCS2008.pp.87{99.ACM,NewYork(2008)11.Blanchet,B.:Acomputationallysoundmechanizedproverforsecurityprotocols.In:27thIEEEsymposiumonSecurityandPrivacy,S&P2006.pp.140{154.IEEEComputerSociety(2006)12.Blanchet,B.,Pointcheval,D.:Automatedsecurityproofswithsequencesofgames.In:AdvancesinCryp-tology{CRYPTO2006.LectureNotesinComputerScience,vol.4117,pp.537{554.Springer,Heidelberg(2006)13.Conchon,S.,Contejean,E.,Kanig,J.,Lescuyer,S.:CC(X):Semanticcombinationofcongruenceclosurewithsolvabletheories.ElectronicNotesinTheoreticalComputerScience198(2),51{69(2008)14.Cramer,R.,Shoup,V.:Apracticalpublickeycryptosystemprovablysecureagainstadaptivechosenciphertextattack.In:AdvancesinCryptology{CRYPTO1998.LectureNotesinComputerScience,vol.1462,pp.13{25.Springer(1998)15.Cremers,C.:TheScytherTool:Verication,falsication,andanalysisofsecurityprotocols.In:20thInternationalConferenceonComputerAidedVerication,CAV2008.LectureNotesinComputerScience,vol.5123,pp.414{418.Springer,Heidelberg(2008)16.Detlefs,D.,Nelson,G.,Saxe,J.B.:Simplify:Atheoremproverforprogramchecking.Tech.Rep.HPL-2003-148,HPLaboratoriesPaloAlto(2003)17.Filli^atre,J.C.:TheWHYvericationtool:TutorialandReferenceManualVersion2.28.Online{http://why.lri.fr(2010)18.Halevi,S.:Aplausibleapproachtocomputer-aidedcryptographicproofs.CryptologyePrintArchive,Report2005/181(2005)19.Jonsson,B.,Yi,W.,Larsen,K.G.:Probabilisticextensionsofprocessalgebras.In:Bergstra,J.,Ponse,A.,Smolka,S.(eds.)HandbookofProcessAlgebra,pp.685{710.Elsevier,Amsterdam(2001)20.Paulson,L.C.:Theinductiveapproachtoverifyingcryptographicprotocols.J.ofComput.Secur.6(1-2),85{128(1998)21.Shoup,V.:Sequencesofgames:atoolfortamingcomplexityinsecurityproofs.CryptologyePrintArchive,Report2004/332(2004)22.Stump,A.:Proofcheckingtechnologyforsatisabilitymodulotheories.Electr.NotesTheor.Comput.Sci.228,121{133(2009)23.TheCoqdevelopmentteam:TheCoqProofAssistantReferenceManualVersion8.3.Online{http://coq.inria.fr(2010)24.ZanellaBeguelin,S.:FormalCerticationofGame-BasedCryptographicProofs.Ph.D.thesis,EcoleNa-tionaleSuperieuredesMinesdeParis{MinesParisTech(2010)25.ZanellaBeguelin,S.,Gregoire,B.,Barthe,G.,Olmedo,F.:Formallycertifyingthesecurityofdigitalsignatureschemes.In:30thIEEEsymposiumonSecurityandPrivacy,S&P2009.pp.237{250.IEEEComputerSociety,LosAlamitos(2009)AJustifyingVericationConditionsThepurposeofthisappendixistojustifythelaststepinthegenerationofvericationconditions.Forsimplicity,weonlydealwiththecasewhereisapartialequivalencerelation.Inthiscase,a judgment=G1G2 )isvalidiforeverym0;m1;m2s.t.m1 m2Pr[G1;m1m:mm0]=Pr[G2;m2m:mm0NowletS1def=x1$ T1:::xl$ TlandS2def=y1$ U1:::yn$ Un.Assumethereexistsa1-1mappingfT1


Tl!U1


Unsuchthatthevericationcondition )f,denedas8m1m2~t:m1 m2=)m1~t=~x m2f(~t)=~y isvalid.Weprovethat=S1S2 ).First,observethatPr[S1;m1m:mm0]=#f~tm1~t=~x m0g #(T1


Tl)ThisequalityfollowsfromthedenitionofthesemanticsofS1sincethesetT1


Tlisnite.Likewise,Pr[S2;m2m:mm0]=#f~um2f~u=~ygm0g #(U1


Un)Nowletm1andm2suchthatm1 m2.WeclaimthatPr[S1;m1m:mm0]=Pr[S2;m2m:mm0fromwhichtheresultfollows.Sincefisa1-1mapping,wehave#(T1


Tl)=#(U1


Un),sobytheaboveitissucienttoshowthatforeverymemorym0,#f~tm1~t=~x m0g=#f~um2f~u=~ygm0g.Sinceisapartialequivalencerelationand )fisvalid,wecaneasilyprovethatforevery~t2T1


Tlwehavem1~t=~x m0im2f~u=~ygm0,wheref(~t)=~u.Theclaimfollows.BInputFilefortheProofofSecurityofHashedElGamalThefollowingisanextracttakenfromtheEasyCryptinputlecorrespondingtotheproofofIND-CPAsecurityofHashedElGamaldescribedinSection2:100typegroup101102cnstq:int103cnstg:group104cnstk:int105cnstzero:bitstringk106107typeskey=int108typepkey=group109typekey=skeypkey110typemessage=bitstringk111typecipher=groupbitstringk112113op():group,group!group=mul114op(^):group,int!group=pow115op(^^):bitstringk,bitstringkg!bitstringk=xor116117axiompow mul:1188(x:int,y:int).(g^x)^y=g^(xy)119120axiomxor comm:1218(x:bitstringk,y:bitstringk).(x^^y)=(y^^x)122123axiomxor assoc:1248(x:bitstringk,y:bitstringk,z:bitstringk).125((x^^y)^^z)=(x^^(y^^z))126 127axiomxor zero:1288(x:bitstringk).(x^^zero)=x129130axiomxor cancel:1318(x:bitstringk).(x^^x)=zero132133134adversaryA1(pk:pkey):messagemessagegroup!message135adversaryA2(c:cipher):boolgroup!message136137gameINDCPA=138varL:(group,bitstringk)map139varLA:grouplist140141funH(x:group):message=142varh:message=0;1k;143if(:in dom(x,L))L[x]=h;;144returnL[x];145146147funH A(x:group):message=148varm:message;149LA=x::LA;150m=H(x);151returnm;152153154funKG():key=155varx:int=[0..q1];156return(x,g^x);157158159funEnc(pk:pkey,m:message):cipher=160vary:int=[0..q1];161varh:message;162h=H(pk^y);163return(g^y,h^^m);164165166absA1=A1H A167absA2=A2H A168169funMain():bool=170varsk:skey;171varpk:pkey;172varm0,m1:message;173varc:cipher;174varb,b':bool;175176L=empty map();177LA=[];178(sk,pk)=KG();179(m0,m1)=A1(pk);180b=0,1;181c=Enc(pk,b?m0:m1);182b'=A2(c);183return(b=b');184185186187gameG1=INDCPA188vary':group189whereMain=190varm0,m1:message;191varc:cipher;192varb,b':bool;193varx,y:int;194varhy:message;195var:group;196197L=empty map();198LA=[];199x=[0..q1];=g^x;200y=[0..q1];y'=^y;201(m0,m1)=A1();202b=0,1; 203hy=H(y');204b'=A2((g^y,hy^^(b?m0:m1)));205return(b=b');206207208equivFact1:INDCPA.MainG1.Main:true=)=res209inlineKG,Enc;210derandomize;211autoinv=L,LA;212poph2i1;repeatrnd;trivial;;213save;;214215claimPr1:INDCPA.Main[res]=G1.Main[res]216usingFact1;;217218219//FixthevalueofH(y'),applyFundamentalLemma220gameG2=G1221whereMain=222varm0,m1:message;223varc:cipher;224varb,b':bool;225varx,y:int;226varh:message;227var:group;228229L=empty map();230LA=[];231x=[0..q1];=g^x;232y=[0..q1];y'=^y;233(m0,m1)=A1();234b=0,1;235h=0;1k;236b'=A2((g^y,h^^(b?m0:m1)));237return(b=b');238239240equivautoG1 G2 A1:G1.A1G2.A1:241=y',L,LAg^((in dom(y',L))h1ig)f(in(y',LA))h1ig);;242243equivFact2:G1.MainG2.Main:244true=)f(in(y',LA))h1i=(in(y',LA))h2ig^((:in(y',LA))h1ig)=res)245autoinvuptoin(y',LA)246with=y',LAg^2478(w:group).248f:(w=y'h1i)g)fLh1i[w]=Lh2i[w]g^fin dom(w,Lh1i)=in dom(w,Lh2i);;249rnd;wp;rnd;callG1 G2 A1;250wp;rnd;wp;rnd;trivial;;251save;;252253claimPr2:jG1.Main[res]G2.Main[res]jG2.Main[in(y',LA)]254usingFact2;;255256257//Removedependanceonmbusingoptimisticsampling258gameG3=G2259whereMain=260varm0,m1:message;261varb,b':bool;262varx,y:int;263varh:message;264var:group;265266L=empty map();267LA=[];268x=[0..q1];=g^x;269y=[0..q1];y'=^y;270(m0,m1)=A1();271h=0;1k;272b'=A2((g^y,h));273b=0,1;274return(b=b');275276277equivFact3:G2.MainG3.Main:true=)=res,y',LA;;278poph2i2;auto;; 279d280rnd(h^^(b?m0:m1));rnd;auto;281rnd;wp;rnd;trivial;;282save;;283284claimPr3 1:G2.Main[res]=G3.Main[res]285usingFact3;;286287claimPr3 2:G2.Main[in(y',LA)]=G3.Main[in(y',LA)]288usingFact3;;289290claimPr3 3:G3.Main[res]=1%r/2%r291compute;;292293294//BuildanadversaryagainstLCDH295gameLCDH=296varL:(group,bitstringk)map297varLA:grouplist298299funH(x:group):message=300varh:message=0;1k;301if(:in dom(x,L))L[x]=h;;302returnL[x];303304305funH A(x:group):message=306varm:message;307LA=x::LA;308m=H(x);309returnm;310311312absA1=A1H A313absA2=A2H A314315funB(gx:group,gy:group):grouplist=316varm0,m1:message;317varh:message;318varb':bool;319320L=empty map();321LA=[];322(m0,m1)=A1(gx);323h=0;1k;324b'=A2((gy,h));325returnLA;326327328funMain():bool=329varx,y:int;330varL':grouplist;331x=[0..q1];y=[0..q1];332L'=B(g^x,g^y);333return(in(g^(xy),L'));334335336337equivautoFact4:G3.MainLCDH.Main:true=)f(in(y',LA))h1i=resh2ig338inv=L,LA;;339340claimPr4:G3.Main[in(y',LA)]=LCDH.Main[res]341usingFact4;;342343claimConclusion:jINDCPA.Main[res]1%r/2%rjLCDH.Main[res]