Message Equivalence and Imperfect Cryptography in a Formal Model
Authors
Abstract
We present a formal view of cryptography that overcomes the usual assumptions of formal models for reasoning about security of computer systems, i.e. perfect cryptography and the Dolev-Yao adversary model. The use of formal methods for modeling and analyzing cryptographic operations is well-established. Since the seminal paper by Dolev and Yao [4] introduced a simple and intuitive formalization of cryptographic operations, many alternative definitions have been proposed on the basis of several approaches, ranging from modal logics to process algebras. Key to the success of such a theory was the very simple idea behind the definition of ciphertext, which is based on the assumption of perfect cryptography. Simply put, a message encrypted with a given key K can be decrypted if and only if K is known, while in every other case such a message is a black box. More formally, {M}K (representing the encryption of M with the key K) and ⊗ (representing an undecryptable ciphertext) are always equivalent if K is not known. On the basis of such an assumption, an adversary can (i) decrypt ciphered information if and only if the needed key is known, (ii) capture plaintext, and (iii) encrypt plaintext with a known key. However, a real computational adversary is an arbitrary algorithm that collects large amounts of ciphertext, exploits partial knowledge of information contained in a ciphertext, and performs exhaustive searches in order to crack ciphertext, compute ciphertext from a plaintext without knowing the related key, and guess secret keys. For instance, in [2] it is shown that an improper use of the block cipher Skipjack allows the adversary to perform an attack that is faster than exhaustive search, thus increasing the probability of retrieving data ciphered with an unknown key. As another example, the Wired Equivalent Privacy protocol for wireless networks falls short of accomplishing its security goals [3], because of an improper use of the stream cipher RC4.
The lesson we learnt is that the design of secure protocols is difficult, even if the underlying cryptographic primitives are believed to be secure. These considerations are discordant with the usual assumptions made by formal models, which do not define security in terms of the probability of successful attacks. As a consequence, in practice formal proofs are not enough to guarantee system security or, at least, they need specific assumptions about encryption. In this lecture, following the line of [5], we overcome the limitations mentioned above. In particular, we interpret the adversary as a probabilistic polynomial time process that may randomly guess data, perform statistical analysis of exchanged information, exploit key weaknesses, use well-known attacks against the cipher in use, and employ partial information to reduce the range of exhaustive searches. For such a model of adversary the probability of illegally cryptanalyzing information from a particular ciphertext may not be negligible. In other words, we abandon the perfect cryptography assumption and take into account encryption schemes that may be violated. For this purpose, we use a probabilistic estimation of the robustness of the cryptosystem to decide the equivalence between formal cryptographic expressions. More formally, we define a function parameterized by the initial knowledge of the adversary, whose outcome is strictly related to the considerations surveyed above. Such an outcome represents an estimation of the probability of obtaining useful information from a given ciphertext. Consider, for instance, the expressions N = ({M}K, {K}K′), expressing a pair of ciphertexts, the second one containing the key needed to decrypt the first one, and ({M}K, K), expressing a ciphertext and the related key.
The two expressions may be equivalent if, e.g., K′ is a very short key, the algorithm used is a stream cipher, and the initial knowledge of the adversary contains a large amount of data encrypted in the same way by re-using K′, so that, in practice, the probability for such an adversary of retrieving M from N in polynomial time can be considered equal to 1. Obviously, when computing the probability of retrieving data, the knowledge of the adversary increases as it succeeds in obtaining new information. Therefore, the probabilistic estimation of the adversary's power always depends on the current knowledge of that adversary. The notion of equivalence we adopt takes into consideration the computational power of the adversary in order to establish the indistinguishability among different cryptographic expressions. However, it is possible that the estimation of the adversary's capability of retrieving data is not accurate. Moreover, sometimes in practice the adversary cannot distinguish two expressions that, instead, are not equivalent because of negligible differences. In essence, the distinction between sets of cryptographic expressions may be too strong. To this end, we approximate the closure among cryptographic expressions by introducing an ε-tolerance, which allows those expressions that require almost the same effort to reveal information to be indistinguishable from the viewpoint of the computational adversary. For instance, the expressions {M}K and {rubbish}K are indistinguishable (both represent undecryptable text) if a probabilistic adversary can infer only with negligible probability information about M or rubbish from the ciphertexts encrypted with the unknown key K. That is, the encryption scheme is ideal. Such an example suggests that equivalence in the formal view implies indistinguishability in the computational view if ideal encryption is assumed.
In other words, if the probability of retrieving data that the Dolev-Yao adversary cannot obtain is negligible, then the expressive power of the computational adversary is limited to the allowed behaviors of the Dolev-Yao adversary. This is, indeed, the result shown in [1], where the formal view and the computational view of cryptography are related by providing a computational motivation for a formal treatment of encryption. Similarly, as a result of this lecture, we show that under the same assumption of ideal encryption, our notion of approximate indistinguishability is implied by a classical notion of equivalence inspired by the formal model of Dolev and Yao.
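The following is an added illustration, not the paper's own definition: a toy model of the knowledge-parameterized estimation function and the ε-tolerant equivalence described above. Key strength is reduced to key length against an adversary with a work budget of 2**budget_bits trial decryptions (an assumption; the paper's function also accounts for statistical analysis, cipher-specific attacks and re-used keys, which are not modelled here), and a key may be obtained by being sent in clear, by brute force, or by being recovered from another ciphertext in the same expression.

```python
from dataclasses import dataclass
from typing import Union, Dict, FrozenSet

@dataclass(frozen=True)
class Key:
    name: str
    bits: int          # key length; a short key is weak against exhaustive search

@dataclass(frozen=True)
class Data:
    name: str          # plaintext atom such as M or "rubbish"

@dataclass(frozen=True)
class Enc:             # {body}key in the paper's notation
    body: "Expr"
    key: Key

Expr = Union[Key, Data, Enc, tuple]   # a tuple is a pair (or n-tuple) of expressions

def p_break(key: Key, budget_bits: int) -> float:
    """Constructed estimate (assumption): an adversary that can afford
    2**budget_bits trial decryptions recovers `key` by exhaustive search
    with probability 2**(budget_bits - key.bits), capped at 1."""
    return min(1.0, 2.0 ** (budget_bits - key.bits))

def keys_in(e: Expr) -> set:
    if isinstance(e, Key): return {e}
    if isinstance(e, Enc): return keys_in(e.body) | {e.key}
    return set().union(*(keys_in(c) for c in e)) if isinstance(e, tuple) else set()

def p_learn(e: Expr, target, p_key: Dict[Key, float]) -> float:
    """Probability of deriving atom `target` from `e` along the best single
    derivation path; a ciphertext yields its body only once its key is obtained."""
    if isinstance(e, (Key, Data)): return 1.0 if e == target else 0.0
    if isinstance(e, Enc): return p_key[e.key] * p_learn(e.body, target, p_key)
    return max((p_learn(c, target, p_key) for c in e), default=0.0)

def p_recover(e: Expr, target: Data, known: FrozenSet, budget_bits: int) -> float:
    """Estimated probability that an adversary with initial knowledge `known`
    and work budget 2**budget_bits retrieves `target` from `e`."""
    keys = keys_in(e)
    p_key = {k: 1.0 if k in known else p_break(k, budget_bits) for k in keys}
    for _ in range(len(keys) + 1):   # monotone fixed point: keys found inside e raise other keys
        p_key = {k: max(p_key[k], p_learn(e, k, p_key)) for k in keys}
    return p_learn(e, target, p_key)

def eps_equivalent(e1, e2, target, known, budget_bits, eps) -> bool:
    """Approximate indistinguishability: revealing `target` from e1 and from e2
    requires almost the same effort, i.e. the estimates differ by at most eps."""
    p1 = p_recover(e1, target, known, budget_bits)
    p2 = p_recover(e2, target, known, budget_bits)
    return abs(p1 - p2) <= eps
```

With a 16-bit K′ and a 2**40 budget, ({M}K, {K}K′) and ({M}K, K) come out ε-equivalent for ε = 0, while with a 128-bit K′ they do not; {M}K and {rubbish}K are ε-equivalent for any ε that absorbs the negligible brute-force probability.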
Related papers
Approximating Imperfect Cryptography in a Formal Model
We present a formal view of cryptography that overcomes the usual assumptions of formal models for reasoning about security of computer systems, i.e. perfect cryptography and Dolev-Yao adversary model. In our framework, equivalence among formal cryptographic expressions is parameterized by a computational adversary that may exploit weaknesses of the cryptosystem to cryptanalyze ciphertext with ...
A Formal Approach for Automatic Verification of Imperfect Cryptographic Protocols
In their simplest form, security protocols comprise messages exchanged between agents to achieve security goals such as confidentiality and integrity of data, or authentication of identity. Despite that simple description, designing security protocols has been considered a critical task, since the protocols should work in the presence of a powerful adversary over the network. Analyzing security protocols is ...
A Probabilistic Formulation of Imperfect Cryptography
We present a novel equivalence for cryptographic expressions that overcomes two limitations of classical security models: perfect cryptography and nondeterministic adversary. The uncertainty concerning the robustness of cryptographic primitives against breaking attacks is estimated through probabilistic information. We also define an approximated relation that allows cryptographic expressions (...
Computational Soundness of Formal Adversaries by Jonathan Herzog
The Dolev–Yao model is a useful and widespread framework in which to analyze security protocols. However, it models the messages of the protocol at a very high level and makes extremely strong assumptions about the power of the adversary. The computational model of cryptography and cryptographic protocols takes a much more low-level view of messages and uses much weaker assumptions. A major res...
Automated Checking of Observational Equivalence for an Extended Spi Calculus
Borgström et al. proposed a notion of symbolic bisimilarity for the Extended Spi Calculus [12]. They developed a prototype tool, called SBC (Symbolic Bisimulation Checker) [10] implementing observational equivalence checking for arbitrary processes using shared-key cryptography. However, it is based on hard-coded equational theories. We have partially extended SBC towards checking processes usi...
Soundness of Formal Encryption in the Presence of Key-Cycles
Both the formal and the computational models of cryptography contain the notion of message equivalence or indistinguishability. An encryption scheme provides soundness for indistinguishability if, when mapping formal messages into the computational model, equivalent formal messages are mapped to indistinguishable computational distributions. Previous soundness results are limited in that they d...
Publication date: 2004