Available online at www.sciencedirect.com

W ScienceDirect

ELSEVIER Electronic Notes in Theoretical Computer Science 253 (2009) 143-165

www.elsevier.com/locate/entcs

Modeling and Reasoning about an Attacker with Cryptanalytical Capabilities

Bruno Montalto

Department of Computer Science Information Security Group ETH Zürich, Switzerland and

SQIG - Instituto de Telecomunicaçoes Department of Mathematics, IST TU Lisbon, Portugal

Carlos Caleiro 1,3

SQIG - Instituto de Telecomunicaçoes Department of Mathematics, IST TU Lisbon, Portugal

Abstract

We propose a probabilistic framework for the analysis of security protocols. The proposed framework allows one to model and reason about attackers that extend the usual Dolev-Yao adversary with explicit probabilistic statements representing properties of cryptographic primitives and the attacker's (partial) information about secret messages. The expressive power of these probabilistic statements is illustrated, namely by representing a standard security notion like indistinguishability under chosen plaintext attacks. We present an entropy-based approach to estimate the probability of a successful attack on a protocol given the prescribed knowledge of the attacker. We prove that, for an attacker whose knowledge increases with the security parameter, computing this quantity is NP-hard in the security parameter. However, we are still able to analyze a few meaningful and illustrative examples. Finally, we obtain a result which may be used to prove that a certain amount of probabilistic knowledge (about the properties of the cryptography being used) is not enough for allowing an attacker to correctly uncover a secret with non-negligible probability.

Keywords: Security protocol, attacker, probabilistic statement, cryptographic property, Shannon entropy.

1 This work was partially supported by FCT and EU FEDER, namely via the KLog PTDC/MAT/68723/2006 project of SQIG-IT. The first author acknowledges the successive support of a research grant awarded by Fundacao Calouste Gulbenkian on account of the 2006 edition of the Prize Professor Jaime Campos Ferreira, followed by a BI grant of the KLog project, and finally the PhD grant SFRH/BD/44204/2008 by FCT.

2 Email: brunoco@inf.ethz.ch

3 Email: ccal@math.ist.utl.pt

1571-0661/$ - see front matter © 2009 Elsevier B.V. All rights reserved. doi:10.1016/j.entcs.2009.10.010

1 Introduction

The analysis of security protocols has been the subject of much research in the last few decades. Two fundamentally distinct approaches have been used to this end.

In the symbolic approach, introduced in the early 1980's by Dolev and Yao [14], messages are represented as terms and technical details of cryptographic primitives are ignored. These models adopt the perfect cryptography assumption. For example, encryption is viewed as a black-box operation, so that, from an encrypted message, the attacker may not obtain any partial knowledge about the original message. Such symbolic methods have been widely accepted among the scientific community, and several tools for automated analysis of security protocols (mostly attack-search engines) have been developed based on this approach [5,10,13]. In fact, one of the main reasons for the popularity of this approach is that such strong abstractions allow automated proofs of the security of protocols. Their main weakness, however, is that it is hard to prove that these abstractions are sound, since in practice cryptographic primitives have properties which the attacker may explore and attack: for example, the redundancy of certain messages may be explored by the attacker to guess a weak password [8].

In stark contrast with the formal approach is the computational one. Computational methods use a more complex framework, in which messages are treated as actual bitstrings and cryptographic primitives as functions acting on those bit-strings. In order to provide a more complete and realistic representation of a "real" attacker, the computational approach deals with concepts like complexity and probability [20,25]. Security proofs in the computational approach are generally stronger than in the formal approach, since they allow the attacker to explore vulnerabilities of the cryptographic primitives to find a suitable attack. However, the greater complexity of these methods makes it difficult to obtain such proofs in an automated way, and it is hard to analyze even simple protocols in this setting.

In recent years, there has been a considerable effort in bridging the gap between these two approaches [1,6,7,16,27]. Our work aims precisely at this task. We present a formal model featuring an attacker who is allowed to take advantage of partial probabilistic information about the messages exchanged in the execution of a protocol by exploring certain cryptographic properties. This information is represented in the form of probabilistic statements about secret messages seen as random variables. We assume any suitable underlying communication model representing a Dolev-Yao adversary, such as in [3]. For the sake of space, we do not dwell here on the details of any particular symbolic model, although we have reported on it in [23]. We also present a way to estimate the probability of success of an attack based on the probabilistic statements that are known by the attacker. Estimating this quantity is useful not only because it provides a quantitative measure of the security of a protocol, but also because it allows us to evaluate the security impact of certain cryptographic weaknesses. In fact, our model is based not on the specific details of the cryptographic primitives but rather on probabilistic statements about their properties and the partial information about secret messages that the attacker may uncover. Thus, by describing general cryptographic properties, we may use

our model to assess their impact on the security of a protocol.

The presentation is organized as follows. In Section 2 we describe our setting. Namely, we define how we represent messages in our framework and describe the capabilities of the attacker. We define the syntax of the probabilistic statements considered in our model and present some examples which illustrate what these statements may represent, including cryptographic properties. In particular, we prove a theorem which shows how IND-CPA (indistinguishability under chosen plaintext attacks) security, a standard property for asymmetric encryption schemes, may be translated to our framework. Section 3 concerns the estimation of probabilities based on the set of probabilistic statements available to the attacker. We interpret messages as random variables whose range (the set of values which they may assume) is a set of bitstrings. To this end we use Shannon's notion of entropy. We present some examples which illustrate these ideas and methods, and obtain a theorem which may be useful in proving that the partial knowledge (about the properties of the cryptography being used) of an attacker is not enough for correctly guessing a secret with non-negligible probability. In Section 4 we assess our work and present some questions for further research. We include an Appendix with detailed proofs and examples.

2 The framework

We consider a public network where principals exchange private messages. To prevent an attacker from breaking the security of the network, the principals use security protocols. These protocols specify how the principals construct the messages that they publish using cryptographic functions. In our framework, each message corresponds to a bitstring. We represent the set of bitstrings by B = {0,1}*. We use elements of B to encode numbers and finite sequences of bitstrings 4 . To represent the functions used by the principals to manipulate messages and execute the protocols, we use a finite set F of deterministic algorithms and another finite set R of probabilistic algorithms. Note that it is possible to simulate the execution of a general probabilistic algorithm by means of a deterministic algorithm and a probabilistic algorithm which represents the randomness involved in the calculations and depends only on the security parameter. For this reason, we will assume (without loss of generality) that all algorithms in R receive only the security parameter as input, and will dub them random generation algorithms.

Since we want to model an attacker A with additional cryptanalytical capabilities, we consider additional finite sets of deterministic algorithms, FA 2 F, and random generation algorithms, RA 2 R, which A may use to obtain and represent knowledge about the secret data involved in the protocols or to compose messages of his own. For the sake of reasoning about complexity issues and ultimately modeling and reasoning about computationally feasible attacks exploring cryptanalysis, we consider that each algorithm depends on a security parameter. We will be interested

4 Recall that there are bijections between B and Z and between B and B* which may be efficiently computed and inverted.

in modeling an attacker with limited computational power, i.e.., an attacker who can only perform a number of operations limited by a function (usually a polynomial) of the security parameter.

The next definition introduces the set of valid expressions for given sets F, R of algorithms. We will denote this set by Exp(F, R). These expressions represent the construction of a message by applying deterministic algorithms to bitstrings (either randomly generated or chosen by the principals).

Definition 2.1 Let F be a finite set of deterministic algorithms and R a finite set of random generation algorithms. The set Exp(F, R) of expressions generated by the sets F, R is defined inductively as follows:

• for each j e N and R e R, Rj e Exp(F, R);

• B C Exp(F, R);

• if E1,..., En e Exp(F, R) and F eF, F (E 1,...,En) e Exp(F, R).

When the sets F, R of public algorithms and FA, RA of algorithms available to an attacker A are clear from the context, we abbreviate Exp = Exp(F, R), ExpA = Exp(FA,Ra). Intuitively, each expression in Exp (resp. ExpA) represents the construction of a message using public algorithms (resp. the algorithms available to the attacker A). Each random generation algorithm R e RA may be executed several times. Since each of these executions may output a different bitstring, we need to distinguish between them. Thus, for each j e N, the expression Rj represents a different execution of the random generation algorithm R.

We now introduce some useful notation. Consider an attacker A with limited computational power (i.e., for each security parameter n, A may only perform a finite number of operations f (n)). It is easy to see that, for each n, A can only interpret and obtain information from expressions with at most a finite size. Thus, when modeling A, the set of expressions which need to be considered is finite; for instance, one may only consider expressions with up to f (n) subexpressions 5 . Let us denote that set by ExpA C ExpA. For similar reasons, we may assume that the set of bitstrings which an expression in ExpA may possibly represent is also a finite set BA C B. For each n, we define the set

QA = {f I f: ExpA \ B - BA}.

We use the superscript A to highlight the fact that this set depends on the algorithms and bitstrings available to A. An element of QA associates each expression in ExpA \ B to a bitstring in BA - thus, a probability distribution on QA completely determines the probability distribution of all random variables represented by expressions, as well as dependencies between them. For example, for E, E' e ExpA

5 Note also that we need to assume a finite set of expressions of the form R2 for each algorithm R G we namely require that i < f (n).

B. Montalto, C. Caleiro /Electronic Notes in Theoretical Computer Science 253 (2009) 143-165

b, b' e BA,

, . P[{f e ExpA I f (E) = b, f (E') = b'}]

P [E = b I E' = b'] = —- n \ -——--.

1 1 J P[{f e ExpA I f (E')= b'}]

We will denote by DA the probability distribution induced on QA by the algorithms in FA and RA. If E e Exp A, we write En for the random variable representing the bitstring obtained by constructing a message in the way prescribed by E and using security parameter n in the computations. If D is any probability distribution on QA and {Ei,..., En} C ExpA, we will write En, ...,En — D to denote that the n-tuple of random variables (Ei,..., En) has the probability distribution determined by D. In particular, if D = DA and E 1,...,En — D, then (E1,...,En) - (E^,..., E") (i.e., both vectors have the same joint probability distribution). We will omit the security parameter n when it is clear from the context or is not relevant to the discussion.

We may now introduce our notion of probabilistic statement. Definition 2.2 A probabilistic statement is a statement of the form

P [Ei = bi,...,En = bn I E*'1 = bi,..., E;n = b*n* ] = p,

where n e N is a security parameter, E1,..., En, E *,1,..., E *,n* e ExpA, b1,...,bn, b*,..., bn* e BA, and p e [0,1].

Such probabilistic statements model cryptographic properties written as probabilistic relations between expressions. This means that, by knowing the bitstrings corresponding to certain expressions, the attacker is able to learn "something" about the probability distribution of the bitstrings corresponding to other expressions. If n e N, E\...,En, E * '1,..., E * >n* e ExpA, bu...,bn, b1,...,b*n* e BA and p e [0,1], we will say that

P[E1 = b1,...,En = bn I E*'1 = b!,...,E*'n* = b*n*] = p

is verified by a probability distribution D on QA if the equality holds when E 1,...,En,E * '1,...,E * 'n* —D.

We now present some simple properties of cryptographic primitives which may be represented by probabilistic statements.

Example 2.3 One of the simplest and most important properties one may think of is that decryption with a private key is the "inverse" operation of encryption with the corresponding public key. To represent this, consider a probabilistic asymmetric encryption scheme (Rk, pub, priv,Re, Enc, Dec), where:

• Rk eR is the key generation algorithm;

• pub, priv e F are deterministic algorithms such that pub(Rkk) (resp. priv(Rk)) returns the public (resp. private) key corresponding to R\;

• Re eR is a random generation algorithm representing the randomness involved in the (probabilistic) encryption;

• Enc, Dec E F are the encryption and decryption algorithms, respectively.

The encryption of a message represented by the expression E using a public key pub(Rzk) and random data Rje is represented by the expression Enc(E, pub(Rk), Ri), and the decryption of E using the private key priv(Rk) is represented by Dec(E, priv(Rk)), where R, Ri respectively represent a randomly generated key and random data used in the encryption. Thus, if the encryption/decryption algorithms are correct, the following probabilistic statements are valid:

P[Dec(Enc(E, pub(Rik),Rie), priv(Rkk)) = b | E = b] = 1,

P[E = b I Dec(Enc(E, pub(R\),R?e), privR)) = b] = 1.

Example 2.4 Let (Rk, pub, priv,Re, Enc, Dec) be the Elgamal encryption scheme. In this encryption scheme, messages are represented by elements of a group. Thus, we may consider an additional deterministic algorithm mult E FA such that mult(E1,E2) represents the multiplication of the two messages corresponding to E1 and E2. The well-known malleability property of Elgamal can be represented by the following pair of properties.

P[mult(E1, Enc(E2, pub(Rk),Rie)) = b | Enc(mult(E 1,E2), pub(Rik),Rie) = b] = 1,

P[Enc(mult(E 1,E2), pub(Rik),Rie) = b | mult(E1, Enc(E2, pub(Rik),Rie)) = b] = 1.

Example 2.5 Many encryption functions reveal some information about the length of the underlying plaintext. Suppose that an encryption scheme is such that

"If the length of a ciphertext is l, then there is a 0.5 probability that the length of the underlying plaintext is also l."

This may be represented by the cryptographic property

P[length(E) = l | length(Enc(E, pub(Rkk),Rj)) = l] = 0.5,

where length E FA is an algorithm which returns a bitstring representing the length of the bitstring corresponding to a given expression and l is a bitstring representing an integer.

Other examples of probabilistic statements may be found in Example 3.7 and Example 3.9; their discussions are given in the Appendix.

We now show how to represent the notion of IND-CPA (indistinguishability under chosen plaintext attacks) security for asymmetric encryption schemes using the notion of probabilistic statements as defined above. Recall that a function f: N ^ R is negligible if, for every c > 0, there exists n E N such that k > n ^ f (k) < k-c.

In the IND-CPA experiment, a polynomial-time attacker queries a certain oracle with pairs of plaintexts. The oracle either always returns an encryption of the

first message, or always returns an encryption of the second message; the goal of the attacker is to find which. The intuition behind IND-CPA security is that, for a polynomial-time observer, the encryption function reveals nothing about the underlying plaintext. A precise definition follows.

Definition 2.6 Let E = (Rk, pub, priv,Re, Enc, Dec) be an asymmetric encryption scheme. Consider the following experiment:

• a security parameter n is fixed

• a random key Rk is generated by running Rk (n)

• the corresponding public key pub(R\) is computed and published

• a random bit R\ is chosen using a random generation algorithm R¿; the value of b remains secret

• a probabilistic algorithm Alg receives as input a security parameter n and the public key pub(R\), and returns 0 or 1. Alg may use an oracle O such that, for any valid plaintexts m1,m2,

O(m1,m2) = Enc(mb, pub(R\),Rze),

where a different Rze is sampled from Re(n) each time the oracle is called.

We say that E is IND-CPA secure if, for any such polynomial-time algorithm Alg,

P[Alg(pub(Rk) = 1 I Rl = 1] - P[Alg(pub(R1)) = 1 I R1 = 0] (1)

is negligible as a function of n. We will also say that an algorithm Alg compromises the IND-CPA security of E if (1) is not negligible for Alg.

The next theorem describes this intuition in a rigorous (if a little involved) way. It expresses IND-CPA security in terms of probabilistic statements by using the well-known fact that an asymmetric encryption scheme is not IND-CPA secure iff an attacker can compromise its IND-CPA security by performing only one query to the oracle. The resulted is stated using the same notational conventions as above.

Theorem 2.7 The following are equivalent:

(1) E is not IND-CPA secure.

(2) There exist deterministic polynomial-time algorithms Q, (-)0, (-)1, B and a probabilistic polynomial-time algorithm R such that

P[B(Q0,Q1,O(Q0,Q1),R1) = 1 I R1 = 1] -P[B(n,Q0,Q1, O(Q0,Q1),R1) = 1 I R1 = 0]

is not negligible as a function of n, where Q0 = Q(Rl, R1)0 and Q1 = Q(R1, R1 )1.

(3) There is an algorithm which compromises the IND-CPA security of E by performing only one query to the oracle.

The proof can be found in the Appendix.

150 B. Montalto, C. Caleiro / Electronic Notes in Theoretical Computer Science 253 (2009) 143-165

3 Probabilistic reasoning

In this section we present a method for estimating the probability of success of an attack strategy based on the cryptanalytical knowledge of the attacker. This knowledge is represented in the form of probabilistic statements which may express general, abstract properties of cryptographic primitives; our goal is to evaluate the impact of such properties on the security of the protocol. For this we estimate a probability distribution of the random variables represented by expressions - that is, a probability distribution on QA - which verifies all the probabilistic statements known by the attacker but otherwise reveals as little information and remains as hard to attack as possible. To assess the impact of properties of the cryptographic primitives used on the security of a protocol one may then compute the probability of success of an attacker whose cryptanalytical knowledge contains those properties using the probability distribution mentioned above. Such an approach may also be used to analyze the security of a protocol when specific cryptographic primitives are used, by using the attacker's cryptanalytical knowledge to express known properties of those primitives.

We consider an attacker A with access to a function pA: N x ((ExpA x BA)*)2 — [0,1] U {^}, which we use to represent his cryptanalytical knowledge. pA represents the information available to A in the form of probabilistic statements: that is,

pA[n, (((E 1,bi),..., (En, bn)), ((E *'1,b1),..., (E , b^)))] =

PE = b1,...,E^ = bn 1 E*'1 = b*1,..., E"q'n = b*n*]

when the attacker's knowledge allows him to compute this probability, and ± otherwise. In order to model computationally realistic attackers, one may require, for example, that pA be efficiently computable.

We will denote the (finite) set of probabilistic statements known by the attacker A (i.e., the statements he can obtain by using the function pA as described above) for security parameter n by SA. Henceforth we will describe the knowledge of the attacker about the cryptographic primitives directly as probabilistic statements, using the sets SA instead of the function pA.

We want to estimate a probability distribution on QA given the set SA (representing A's knowledge about the cryptographic primitives). Exactly what is a reasonable estimation is difficult to define, and similar problems have been subject of extensive research, namely on inductive logic [12,17]. In our approach we use Shannon's notion of entropy [24]. Shannon's entropy is widely used in information theory as the standard measure for uncertainty about the outcome of a random experiment, and several information theoretic approaches have been proposed in the context of information security [4,11,22]. As usual, H(X) denotes the entropy of a random variable X, and H(X | Y) denotes the entropy of X conditioned on another random variable Y.

Definition 3.1 Given sets ExpA, BA and SA, we say that D is a distribution of maximum entropy on QA for SA if the following conditions are verified:

(P [E1 — bu...,En — bn | e;'1 — bl,..., E*v,n* — b*n. ] = p) G sAa,

P [E1 = bi,...,En — bn | E * '1 — b 1,..., E * 'n* — bn» ] = p

1 pn TT1 *'1 TP * ,n*

when E1,..., En, E * '1,...,E * 'n — D.

if D* is another distribution which respects the first property, and F, F* are random variables over Qa with distribution D, D*, then H(F) > H(F*).

The following example illustrates the behavior of such a distribution given a few simple probabilistic statements about two Bernoulli random variables.

Example 3.2 Consider two random variables A, B, each of which has values 0 or 1. We will denote the events A = 1 and A = 0 by A and A, respectively, and adopt similar conventions for B. We will add probabilistic statements to a set S and analyze the resulting changes in the distribution of maximum entropy D(S) which verifies the statements in S. We will use e as the base of the logarithms for the calculus of entropy; the values presented are approximate.

S P [A,B] P [A,B] P [A,B ] P [A,B] H (A,B)

{P [A] — 0.6} 0.3 0.3 0.2 0.2 1.366

{P [A] — 0.6, P [A | B]} — 0.7} 0.336 0.264 0.144 0.256 1.346

{P [A] — 0.6, P [A | B] — 0.7, P[B | A] — 0.5} 0.3 0.3 0.128 0.272 1.34

We will now present an important property of the distribution of maximum entropy which provides a slightly simpler way of computing it and also helps to justify why it is as a reasonable estimation. The following definition will be useful.

Definition 3.3 Let s e SA be the probabilistic statement

¡n — b1,..., En — bn 1 E*1 — b1 > ... -

and let

2 F — {f G üA : f (E1) — bl,..., f(En) — bn},

^ 2 F * — {f G ÜA : f (E * '1) — bl,..., f(E *n ) — b^ }.

We will say that the set {P,1, P2, Ps3} is the partition (of ) induced by s, where Pl — F * \ F, P2 — F n F *, and P3 — üv \ F *. Observe that U?=1 Pi — nv and Pi n Pi — 0 for any i — j.

152 B. Montalto, C. Caleiro / Electronic Notes in Theoretical Computer Science 253 (2009) 143-165

If SA = {S1,..., } is a finite set of cryptographic properties, we say that

U ... U {psi n...nPZ}

il = 1 in = 1

is the partition (of QA) induced by SA.

The next theorem illustrates the importance of this definition.

Theorem 3.4 Fix a security parameter n. Let SA = {s1,...,sn} be the set of probabilistic statements known by the attacker for security parameter n, and consider the partition of QA induced by SA. Suppose that there is a distribution of maximum entropy D for SA, and fix (i1,..., in) G {1, 2,3}n. Then, if F is a random element of QA sampled with probability distribution D (i.e., F D), we have

h,h G PS1 n ... n Pi: ^ P[F = /1] = P[F = /2].

This theorem, whose proof can be found in the Appendix, shows that the estimation of maximum entropy D gives the same probability to elements of QA which A's knowledge does not distinguish. This is a desirable property, since it indicates that in some sense D does not give the attacker more information than what he can infer from his knowledge. Another reason why this theorem is important is that it provides us with a (slightly) simpler way to compute the distribution D.

Corollary 3.5 Consider the set of cryptographic properties SA = {s1,...,sn}.

Suppose that the function p*: {1, 2,3}n — R is a maximum of 3 3

V IPll n ...n PH I- p*(iu. ..,in) log(p*(i1,..., in)) (2)

/ ; ' ' ' / ./ I" si........ Sn

il = 1 in = 1

restricted to the set of functions p: {1, 2,3}n — R such that

E3i=1 ...E3n Pi n... n Pi: I-p(i1, ...,in) = 1

p(i1, ...,in) > 0.

Then the distribution D defined by F ^D^ P[F = /] = p(i1,..., in), where each ij is such that / G Plj, is a distribution of maximum entropy for SA

The problem of maximizing such a function in a set bounded by linear conditions is well studied in linear programming, and there are efficient algorithms for solving it [18]. Of course, since the set {(i 1,..., in): ij G {1,2, 3},j = 1,...,n} has size 3n and n may grow as a function of n, this may still not be an efficient way of estimating the distribution. Indeed, the next result states that computing even one probability of this distribution is a NP-hard problem in terms of the number of statements in S. We use the fact that the problem 3SAT is NP-complete [19].

Theorem 3.6 Let Prob be the following problem: given finite sets of expressions Exp, of bitstrings B and of rules S, compute

P[E1 = b1,...,En = bn I E*'1,...,E*'n*]

where E 1,...,En,E * '1 ,...,E *n* —D and D is a distribution of maximum entropy for the sets S, Exp, B.

The problem 3SAT reduces to Prob and the complexity of the reduction is polynomial in ISI. In particular, Prob is NP-hard (in IS).

This theorem states that estimating this probability is NP-hard in the number of cryptographic properties known by the attacker 6 . Despite this fact, it may still be possible to use this distribution of maximum entropy to estimate the probability of success of a given attack strategy, even if it involves relatively complex cryptanalysis.

Example 3.7 It is possible to represent in our model an attack to a 6-round version of DES using the well-known differential cryptanalysis technique. We are able to define a set of algorithms and probabilistic statements about them, and use these properties to estimate (using the distribution of maximum entropy) that, by encrypting 200 pairs of plaintexts, an attacker can guess 30 of the 56 key bits with probability 0.65. This technique is somewhat involved; we present a simplified description of it using our framework in the Appendix. A detailed description of this attack is given in [28].

For the next theorem we consider a polynomial-time attacker A whose goal is to obtain the bitstring represented by a certain expression E. We present a result which may be useful in showing that a certain amount of cryptanalytical knowledge is not enough for A to have a non-negligible probability of success. The result concerns the (asymptotic) entropy of (the random variable represented by) E conditional on the A's guess, in the distribution of maximum entropy on QA given SA. We first present an intuitive description of the result. Suppose that A is able to use the knowledge obtained about messages exchanged in the network, together with its own knowledge about the cryptographic primitives, to correctly uncover the bitstring corresponding to the expression E with a non-negligible probability.

We present an attacker A which emulates A, and thus has the same computational complexity and the same probability of success. However, A may have access to different cryptographic properties and even use different algorithms. In particular, there is an expression g e ExpA which represents A's guess 7 . The result then states that A's cryptanalytical knowledge is sufficient to show that its guess is in a certain way non-negligibly correlated to the bitstring represented by E. A precise statement of the result follows. The proof is given in the Appendix.

6 However, this does not necessarily imply that the problem is NP-hard in the security parameter, for it is possible that the S^ does not grow when we increase the security parameter.

7 Note that this implies that A's guess is completely determined by the random generation algorithms executed during the protocol either by A or the honest principals.

Theorem 3.8 Let E G Exp be such that A(En) (the set of bitstrings which En may represent for security parameter n) verifies the following:

• given a bitstring b and a security parameter n, there are efficient algorithms for deciding whether or not b G A(En);

• there are N G N,k > 1 satisfying n > N ^ IA(En)I > kn (i.e., A(En) grows exponentially in n) 8 .

Suppose that there is a polynomial-time attacker A whose probability of guessing the bitstring represented by En is a non-negligible, computable function of n. Then,, there exists an attacker A and an expression g G ExpA representing A's guess such that

Hmax(Ev) - H(E I g) (3)

is non-negligible as a function of n, where E,g ^ D and D is the distribution of maximum entropy on QA which verifies the all statements in SA (i.e., the set of cryptanalytical properties known by A) and Hmax(En) = log IA(EV)I is the maximum entropy of a probability distribution on A(En).

This theorem may be useful in proving that a given set of known cryptographic properties SA are not enough to render a protocol insecure. In fact, suppose that (3) is negligible for A's guess g. If that attacker has a non-negligible probability of success, there must be some other relevant, polynomial-time computable property which would provide non-negligible information about En. If given the sets RA, FA there is no way to compute a guess g such that (3) is non-negligible, then the cryptographic properties used by A do not compromise the security of the protocol by themselves. Of course, when we consider specific cryptographic primitives, they may verify other properties which allow an attacker to be successful with non-negligible probability.

Example 3.9 Our last example uses a version of the Mastermind game, generalized in our framework as follows. We will use a random generation algorithm c gR such that c(n) is a random element of {1,..., 2n}. For security parameter n, the first player creates a code C = (c1... cn) by executing the random generation algorithm n times. Another player A (from attacker) tries to guess C by querying the first player with codes Ck = (c1+kn ... cn+kn). A obtains in return R(C, Ck), given by:

R(C,Ck)=#{j G{1,...,n}Icj = cj+kn}.

R(C, Ck) (the number of red balls) represents the number of slots in which Ck has the same color as the correct code C 9 .

The following cryptographic properties will be used:

Pc = n I cj+kn = n,R(C,Ck) =0] =0,j = 1,...,n, (4)

8 Intuitively, this last condition demands that ) is so large that guessing the bistring corresponding to En is hard.

9 The white balls may be ignored for the purposes of this example.

P [R(C, Ck) = 0 I c1 = b1,c1+kn = b1,...,cn = bv ,cn+kn = b'q ] = 1, (5) for all b1,b/1,..., bn, b'n such that b1 = b[, ..., bn = b'n.

Consider the following attack strategy. A randomly generates codes Ck and uses them in its queries. If R(C, Ck) = 0, he discards the information obtained. Otherwise, he concludes from the equation above that cj = ckn+j for each j (using (4)). Suppose that A performs 4n log n such queries and hopes to find the right code by excluding, for each slot, all but one possible color (note that this attack has less than quadratic complexity). We conservatively estimate (see Appendix) the probability of success to be 1/e, and it is easy to see, by calculations similar to the ones used in the proof of Theorem 3.8, that this implies a non-negligible decrease in the entropy of C.

By contrast, suppose that instead of (4), (5) we equip the attacker with property

P [cj = n I cj+kn = n, R(C, Ck) = n] = 1,j = 1,...,n. (6)

Note that, in the distribution of maximum entropy, this does not give the attacker any knowledge about the secret code if R(C, Ck) = n. Consider the following (natural) attack strategy. The attacker performs a polynomial number of queries, nm, and then either returns the correct bitstring (if he found it during those queries) or some random bitstring otherwise. This guess is correct with at most probability T^-y^ for some C; all other possible codes have the same probability of being correct. Again by a process similar to the one used in the proof of Theorem 3.8, the entropy reduction provided by the attacker's knowledge can then be shown to be a negligible function n, thus confirming that the property (6) does not compromise the security of the Masterind "protocol" against this strategy.

4 Conclusion

In this work we presented a formal model for analyzing the security of cryptographic protocols against attackers who may use cryptanalysis. This model allows the representation of cryptanalytical capabilities and partial probabilistic information about secret messages. It is a very general and flexible model: one may specifiy cryptographic properties and use them to describe or find an attack, but if one does not, then it behaves essentially as a symbolic model. For illustration purposes, we showed how IND-CPA security may be expressed in terms of the probabilistic statements considered. Finally, we proposed a way of estimating the attacker's probability of success. To obtain this estimation we define the probability distribution of maximum entropy and present a few properties and examples which justify this approach. This technique may also be used to study whether or not a weakness of the cryptographic primitives used compromises the security of a given protocol. Another advantage of the approach is that it allows, to some extent, a separate study of weaknesses of cryptographic primitives and the security of protocols, since one may simply write properties of the cryptographic primitives deemed relevant and verify if the protocol is still secure when the attacker explores them. Possible inter-

esting applications include the study of side-channel attacks, in which the attacker explores the physical implementation of algorithms to obtain partial information about secret data (such as a key).

Several problems and open questions remain. First of all, one needs to give a description of the properties of the cryptographic primitives used, which should typically be quite hard. Thus, for each cryptographic primitive, finding a suitable set of properties to describe its weaknesses is a non-trivial and interesting problem. Examples of attacks using properties of real cryptographic primitives are typically hard to manage given the complexity of the computations involved, though implementing the model could help overcome this difficulty. Finding an attack has exponencial complexity on the length of the attack, as is typically the case for most tools used for this task. Another interesting and relevant problem is to find alternative methods for estimating probability distributions of bitstrings based on the knowledge of the attacker. Though the proposal presented here has several advantages and is relatively natural, other methods may be more efficient or reflect better the power and knowledge of the attacker.

As mentioned in the introduction, the work presented here tries to bridge the gap between the symbolic and computational approaches to the analysis of security protocols. This is a line of work which has been widely explored since [1]. Different proposals have dealt with this problem from different perspectives. In [2], algebraic properties of the cryptographic functions are included in the model. Several formal models for analysing guessing attacks have been proposed [21,15], some of which include probabilistic analysis [3]. Work has also been aimed at the computational validation of the cryptographic assumptions of the Dolev-Yao model [16], and even at automatically obtaining or checking cryptographically sound proofs of the security of protocols - namely using the CryptoVerif tool [9] and the BPW model [26]. Of course, a thorough comparison of our approach with other proposals in the literature (both extensions of the Dolev-Yao such as those mentioned above and other information-theoretic approaches to security such as those presented in [4,11,22]) shall deserve close attention in the near future.

References

[1] Abadi, M. and P. Rogaway, Reconciling two views of cryptography, Journal of Cryptology (2002), 103— 127.

[2] Abadi, M. and V. Cortier, Deciding knowledge in security protocols under equational theories, Proceedings 31st Int. Coll. Automata, Languages and Programming (ICALP 2004) (2004), 46-58.

[3] Adào, P., P. Mateus, T. Reis and L. Vigano, Towards a quantitative analysis of security protocols, Electronic Notes in Theoretic Computer Science 164 (2006), 3-25.

[4] Aldini, A. and A. Di Pierro, Estimating the maximum information leakage, International Journal of Information Security 7 (2008), 219-242.

[5] Armando, A., D. Basin, Y. Boichut, Y. Chevalier, L. Compagna, L. Cuellar, P. Drielsma, P. Heam, O. Kouchnareko, J. Mantovani, S. Mödersheim, D. von Oheimb, M. Rusinowitch, J. Santiago, M. Turuani, L. Vigano and L. Vigneron, The AVISPA Tool for Automated Validation of Internet Security Protocols and Applications, Lecture Notes in Computer Science 3576 (2005), Springer-Verlag.

[6] Backes, M. and B. Pfitzmann, A cryptographically sound security proof of the Needham-Schröder-Lowe public-key protocols, IEEE Journal on Selected Areas in Communications (2004), 2075-2086.

Backes, M. and B. Pfitzmann, Relating symbolic and cryptographic secrecy, IEEE Transactions on Dependable and Secure Computing 2 (2005), 109-123.

Bellovin, S.M. and M. Merritt, Encrypted key exchange: Password-based protocols secure against dictionary attacks, In Proc. IEEE Computer Society Symposium on Research in Security and Privacy (1992), 72-84.

Blanchet, B. A computationally sound mechanized prover for security protocols, Proceedings of the 2006 IEEE Symposium on Security and Privacy (2006).

Blanchet, B., An efficiente cryptographic protocol verifier based on Prolog rules, 14th IEEE Computer Security Foundations WS (2001), IEEE Computer Society, 82-96.

Chatzikokolakis and C. Palamidessi, A framework to analyze probabilistic protocols and its application to the partial secrets exchange, Theoretical Computer Science 389 (2007), 512-527.

Cox, R.T., "The Algebra of Probable Inference", Johns Hopkins University, 1961.

Cremers, C. "Scyther - Semantics and Verification of Security Protocols", Ph.D. thesis (2006), Computer Science Department, Eindhoven University of Technology.

Dolev, D. and A. Yao, On The Security of Public Key Protocols, IEEE Transactions on Information Theory (1983), 198-208.

Drielsma, P., S. Modersheim and L. Vigano, A formalization of off-line guessing for security protocol analysis, Lecture Notes in Artificial Intelligence 3452 (2005), Springer, 363-379.

Herzog, J., "Computational Soundness for Standard Assumptions of Formal Cryptography", Ph.D. thesis, Massachussets Institute of Technology (2004).

Fine, T.L., Theories of probability: an examination of foundations, New York: Academic Press, 1973.

Karmakar, N., A new polynomial-time algorithm for linear programming, Combinatorica 4 (1984), 373-395.

Karp, R. M., Reducibility among combinatorial problems, Complexity of Computer Computations, R. Miller and J. Thatcher, eds. Plenum Press, New York, 85—103.

Lincoln, P., J. C. Mitchell, M. Mitchell and A. Scedrov, A Probabilistic Polynomial-Time Framework For Protocol Analysis, Proceedings of the 5th ACM Conference on Computer and Communications Security (1998), M. Reiter, 112-121.

Lowe, G., Analysing protocols subject to guessing attacks, WS on Issues in the Theory of Security, 2002.

Malacaria, P. and H. Chen, Lagrange multipliers and maximum information leakage in different observational models, Proceedings of the 3rd WS on Programming Languages and Analysis for Security, 2008.

Montalto, B., "Modelling an Attacker with Cryptanalytical Capabilities", Ms.C. thesis (2008), IST, TU Lisbon, Portugal, http://wslc.math.ist.utl.pt/ftp/pub/MontaltoB/08-M-MScThesis.pdf.

Shannon, C.E., A mathematical theory of communication, Bell System Technical Journal 27 (1948), 379-423.

Shoup, V., On formal models for secure key exchange (version 4), Revision of IBM Research Report RZ 3120 (1999).

Sprenger, C. and David Basin, Cryptographically-sound protocol-model abstractions, Proceedings of Computer Security Foundations (CSF '08) (2008), IEEE Computer Society.

Sprenger, C., M. Backes, D. Basin, B. Pfitzmann and M. Waidner, Cryptographically sound theorem proving, Proceedings of 19th Computer Science Foundation WS (2006).

Stinson, D., "Cryptography: Theory and Practice", CRC Press, 1995.

Appendix

Theorem 2.7 The following are equivalent:

(1) E is not IND-CPA secure.

(2) There exist deterministic polynomial-time algorithms Q, (-)°, (-)1 ,B and a probabilistic polynomial-time algorithm R such that

P[B(Q°,Q1,O(Q°,Q1),R1) = 1 | Ri = 1] ^

-P[B(n,Q°,Q1,O(Q°,Q1),R1) = 1 | Ri =0]

is not negligible as a function of n, where Q° = Q(R1,R1)° and Q1 = Q(R\ ,R1)1.

(3) There is an algorithm which compromises the IND-CPA security of E by performing only one query to the oracle.

Proof. Implication (3) (1) is trivial. Implication (2) ^ (3) is also simple.

The proof of (1) ^ (2) is harder. For simplicity, we will assume fixed a security parameter n and drop it from the notation when there is no ambiguity. We also abbreviate K = Rk and write Ob to refer to the

oracle O using bit b in the computations, so that Ob(m°,m1) = Enc(n, ,K,Rie). Let Alg be an algorithm which compromises the IND-CPA security of E. Observe that, since Alg is a polynomial-time algorithm, there is a fixed number c such that, for security parameter n, Alg performs at most nc queries to the oracle. We may assume, without loss of generality, that Alg always performs exactly nc queries to the oracle and that the random choices of the attacker throughout the computation (i.e., the nc steps) are determined by a single bitstring R1 sampled from a random generation algorithm Rr.

We may write the first pair of plaintexts with which Alg queries the oracle as (Q(1,K,Rr))°, (Q(1, K, R1))1, where Q, (-)°, (-)1 e FA are functions available to the attacker A. More generally, for i = 1,...,nc, let

qz = Q(i,K,Rir,q°,q\,01,...,q°-1,q—1,0i-1) (8)

represent the pair of messages used in the i-th query to the oracle. Each qi is computable in polynomial-time: in the worst case, qi needs to emulate the executions of q1,...,qi—1 using random data R1 (note that the output may depend on computations performed by these algorithms). Since i < nc, this involves computing at most a polynomial number of algorithms, each of which is computable in polynomial time.

Alg's response can be represented using an algorithm Bp as follows:

Bp (n,K,Rl,q°,ql,o 1,...,q°c ,q},c ,o^ ). (9)

Since Q, Bp are polynomial-time algorithms, we may assume, without loss of generality, that they are total: if they are not, we may specify some predetermined result and stipulate that they will return that result if they do not return another answer after a certain polynomial number of operations.

Now suppose that, instead of using the same bit R^ in all queries, the oracle O uses the bit bi in the i-th query (in other words, in the i-th query Alg is querying O^). Let $i>j = 1 if i > j and 0 otherwise. Note that '

P[Alg(n, K) = 1 | bi = 1] - P[Alg(n, K) = 1 | bi = 0] (10)

= Y.(P[Alg(n, K) = 1 | bi = 6i>j] - P[Alg(n, K) = 1 | bi = Si>j+1]), j=1

because the sum on the right-hand side is telescopic. The left-hand side is non-negligible by hypothesis, and thus so is the right hand side. The assumption that Q, BF return an answer in polynomial time for every possible input is necessary here, since we are running these algorithms with inputs that would be impossible in the original setting.

Querying the oracle Ob with q°, q1 is the same as computing Enc(n, qb, K, Re(n)). Thus, if in some step of the algorithm Alg, instead of querying the oracle Ob with plaintexts q®,q\, we encrypt qi with public key k and random data ri <— Re(n), the probability distribution of the output does not change.

Consider the following modified version Alg' of the algorithm Alg. For each n, Alg' receives an additional argument j e {1,...,nc}. Alg' mimics the execution of Alg, except for the following. In the first j — 1 queries, Alg' computes an encryption of the first message of the pair (instead of querying the oracle O) and uses that result in the following computations. In the j-th query, Alg' queries the oracle just as Alg would; after the j-th query, Alg' computes encryptions of the second message of the pair instead of querying the oracle.

It is easy to see that

P[Alg'(n, k, j) = 1 | b = 1] — P[Alg'(n, k, j) = 1 | b = 0]

= P[Alg(n, k) = 1 | bi = Si>3] - P[Alg(n, k) = 1 | bi = Sz>3+1].

Suppose now that Alg'' is an algorithm which chooses j = 1,...,nc randomly (with uniform distribution) and then executes Alg'(n,k,j). We obtain:

P[Alg"(n, k) = 1 | b =1] - P[Alg"(n, k) = 1 | b = 0]

= E P[j = l • (P[Alg'(n, k, l) = 1 | b = 1] - P[Alg'(n, k, l) = 1 | b = 0]) ¡=1

= "7 D(P[Alg(n, k) = 1 | bi = 5i>j] - P[Alg(n, k) = 1 | bi = Si>3+i]) n j=i

= — (P[Alg(n, k) = 1 | b =1] - P[Alg(n, k) = 1 | b = 0]). nc

Thus, by (10) and the equalities above, we conclude that

P[Alg''(n, k) = 1 | b =1] - P[Alg''(n, k) = 1 | b = 0]

is non-negligible.

It is clear that Alg'' is a polynomial-time algorithm. Furthermore, Alg'' involves only one query to the oracle, compromises the IND-CPA security of E, and it is easy to see that Alg'' may be written in terms of algorithms Q, (•)0, (•)1, B, R as desired: R(n) returns the random generated data Rr, the random j £ {1,...,nc} used by Alg'' and the random data used in the encryptions , Q generates the

pairs of plaintexts with which Alg'' queries the oracle and B computes the final answer. This concludes the demonstration. □

Theorem 3.4 Fix a security parameter n- Let S^ = {si,...,sn} be the set of probabilistic statements known by the attacker for security parameter n, and consider the partition of Q^ induced by S^ - Suppose that there is a distribution of maximum entropy D for S^, and fix (ii,... ,in) £ {1, 2, 3}n. Then, if F is a random element of QA sampled with probability distribution D (i.e., F ^D), we have

fi,f2 £ Pl\ n ... n Pil ^ P[F = fi] = P[F = /2]. (11)

Proof. For each s £ SA and each f £ we write i(s, f) for the number i £ {1, 2, 3} such that f £ PT ' .

We will consider an arbitrary distribution D which verifies all properties in SA and obtain another distribution D'. We will then show that properties in SA still hold for D', which verifies (11) and has greater entropy than D.

Let F <-D,F' <- D'. We define the distribution D' by

r , n P [F £ Pils ix) n ...n Pl{ s n'x)]

P [F' = f ] = ^-^-rP^-].

s 1iX) n ...n Pins n>x)

It is clear that D' verifies (11). To see that D' verifies all properties in SA, let

sj = (P [E1 = bi,...,En = bn | E*>i = bi,..., E*n = b*n„ ] = p) £ SA.

Now, if F' —D', we have

P [F' £ P2j ]

P[F' £ Pj | F' £ Pi U P2 ] =

P[F' £ Pi U P? ] •

For each sequence (ii,...,in) £ {1, 2, 3}n, it is clear that P [F' £ Pi1 n...nPin ] = P [F £ Pi{ n...nPin ]. From this, by setting ij = 2 and summing over all other ik, we conclude that P [F' £ P?, ] = P [F £ P?. ],

and thus

P[F'(Ei) = bi,..., F'(En) = bn | F'(E*'i)= bt1,...,F'(E*'n*) = b*nt. ]

= P [F (Ei) = bi,..., F(En) = bn | F (E1'i) = b1,..., F(E1-n*) = b^ ]. Since we know that D verifies properties SA, we conclude that D' does too.

We now check that H(F') > H(F). From Jensen's inequality for convex functions, we know that

y^ Xi = k ^-^J Xi log Xi < k log —. i=i i=i k

Thus, for each sequence (ii,... ,in) £ {1, 2, 3}n, we obtain

- X P [F = f] • log P[F = f]

f ePll n...nPin

< P [F £ Pi11 n ...n Pli ] • log

Pi n ... n Pll | P [X £ Pii n ...n Pil ]

X P [F £ Pi1 n ...n Pil ] lo Pii n ...n Pi

I Di1 o o Oin I g

i, * P1 n ...n Pi | P [F £ Pi1 n ...n Pil ]

f ep;1 n...nP'il 11 l 1 ll

= - X P[F' = f] • logP[F' = f].

f ep:1 n...np

Using the inequality above, the desired result comes from

H(F') = - X X P[F' = f] • log P[F' = f]

i1,...,ii f epi1 n...npjl

^ - X X (P[F = f] • logP[F = f]= H(F).

i1,...,ii f epi1 n...npjl

Theorem 3.6 Let Prob be the following problem: given finite sets of expressions Exp, of bitstrings B and of rules S, compute

P[Ei = bi,...,En = bn | E1'i,...,E1'n*]

where Ei ,...,En,E1'i ,...,E1'n* —D and D is a distribution of maximum entropy for the sets S, Exp, B.

The problem 3SAT reduces to Prob and the complexity of the reduction is polynomial in In particular, Prob is NP-hard (in |S|).

Proof. We prove that, given an algorithm for deciding in polynomial-time (in |S|) whether a certain probability is 0 or 1, one may obtain a polynomial-time algorithm for solving the problem 3SAT. Let

¥ = (lii V li2 V lis) A ... A (lni v ln2 V In3)

be an instance of the problem 3SAT (i.e., a propositional formula consisting of a conjunction of disjunctions of three literals). Denote by S(^) = {si,...,sk } the set of propositional symbols present in p.

We will set B = {0, 1}, Exp = {si,...,sk, ci,...,cn, ¥}. Intuitively, the expression si represents the truth value of the propositional symbol si, ci represents the truth value of the i-th clause ci = (lii Vli? Vlis), and ip represents the truth value of the formula p = ci A ... A cn. For each i = 1,...,n and each j = 1, 2, 3, let sij £ S(p) be such that either lj = sij or lij = —sij. Furthermore, let bij = 1 if lij = sij and 0 if lij — —sij.

The set of rules S describes how the value of each expression ci may be computed from the expressions si,...,sk and how p may be computed from ci,i = 1,...,n. Thus, S contains the properties:

P [ci = 1 | sij = bij ] = 1,j £ {1, 2, 3},i £ {1,...,n} P [ci = 0 | sii = 1 - bi3 for all j £{1, 2, 3}] = 1,i £{1,...,n}, ( )

P[p = 0 | ci = 0] = 1,i £ {1,..., n},

P[p =1 | ci = 1,..., crt = 1]. ( )

It is clear that the original instance of 3SAT may be polynomially converted in this instance of Prob. Thus, we need only show that

f is satisfiable ^^ P[f = 1] > 0 in D(S), (14)

where D(S) is the distribution of maximum entropy which verifies all probabilistic statements in S. In order to do this, we first note that each f e n determines an assignment which attributes "true" to Si if f (si) = 1 and "false" otherwise.

Let F be a random varible taking values in n, and let Fs = (F(sO,...,F(sfc)), Fa,y = (F(c1),..., F(cn), F(f)), so that F is determind by (Fs, fa,y). It is clear from equations (12), (13) that if F verifies all probabilistic statements in S then Fa,y is determined by Fs. Thus, we have H(F) = H(Fs), and it becomes clear that Fs has uniform probability distribution (when considering the distribution of maximum entropy D(S) on n).

(14) is now clear: if i is satisfiable, then there is at least one assignment which satisfies it, and if f is such that fs = (f (s1),..., f (sn)) is the value of Fs which induces that assignment, then f (f) = 1 and

P[f = 1] > P[Fs = fs] = 1/2k > 0.

On the other hand, if f is not satisfiable, then for all f we have P[f = 1,Fs = fs] = 0, and hence

P [f = 1] = 0. □

Example 3.7 (Cryptanalysis of DES) In this example we show that it is possible to represent in our model an attack to a 6-round version of DES using the well-known differential cryptanalysis technique. We

refer the reader to [28] for a detailed description of the DES encryption scheme and this cryptanalysis technique. For simplicity, we will ignore the security parameter during this description.

We will use the following algorithms. Again for simplicity, instead of describing all the algorithms themselves, we define abbreviations representing the expressions in ExpA which we will use.

• K e R is the key generation algorithm. We will assume throughout this example that K1 represents the key being used in the encryption (which the attacker wants to uncover);

• b, b' are two specific bitstrings which the attacker will use in the construction of pairs of plaintexts;

• Lm(b), L*,m(b) (resp. Rm(b), R*,m(b)) represent two randomly generated 32-bits bitstrings whose x-or is the bitstring b. We write Pm = Lm(b)Rm(b'), P*,m = L*,m(b)R*,m(b') to represent the pair of plaintexts obtained from the m-th execution of these algorithms.

• BBeF computes the x-or of two bitstrings. We will use infix notation for ©;

• For each i = 1,...,6 and each j = 1,...,8, ISi,j (P, K) (resp. OSi,j (P, K)) represents bitstrings used during the computation of the encryption of a plaintext P; Kj j represents six key bits used in a certain step of the encryption;

• L^m ,E3m ,EOq j ,E1Jlj e ExpA are certain expressions needed in the cryptanalysis procedure which

depend on the input plaintexts Pm,P*,m and the corresponding ciphertexts. As such, the attacker can compute the bitstring corresponding to these expressions.

• For each j = 1,..., 8, and each b,b' e c e Z^, testj (b, b', c) represents a set of 6-bit bitstrings.

• For each j,b,b',c as described above and each k e contains(testj (b,b',c),k) is 1 if k belongs to the set represented by testj (b,b',c) and 0 otherwise.

• For (j1 ,...,j5) = (2, 5, 6, 7, 8), filtersEj Ej ,EmS,]1 ,---,Ej E* :T5,E0,j5) is either 0 or 1.

The main cryptographic properties which we will need are the following:

P[L0 = b | E0 = b] = —, for b e Z6; (15)

P[OS6(Lm(b)Rm(b'),Km ) ® OS6(L*,m(b)R*,m(b'),Km ) = E° ^ | L° = b,E° = b] = 1 for j e {2,5, 6, 7,8};

P[IS6^ (Lm(b)Rm(b'),Km ) = b | Emj = b] = 1;

(16) (17)

P [IS6,3 (L1 •m(b)R1 m(b'),Km ) = b | Ej = b] = 1 (18)

(note that the attacker cannot compute IS6,j (Lm(b)Rm(b'),Km ) directly, as it depends on the unknown key Km');

P [contains(testj (ISjk(Lm(b)Rm(b'),Km'),

ISjik(L1 '(b)R1 m(b'),Km' ),bo ),K'j) (19)

| OS6,k(Lm(b)Rm(b'),Km') ® OS6,k(L1 •m(b)R1 m(b'),Km') = bo] = 1;

P[contains(testj (ISj k (Lm(b)Rm(b'),Km ),

' 1 (20) ISjk(L1 'm(b)R1 m(b'),Km ),c),k] = 16,

where c £ Z?, k £ Z6 and we assume that either c is different from the bitstring represented by OS6k (Lm(b)Rm(b'),Km')® OS6k (L1 >m(b)R" m(b'),Km') or k is different from the bitstring represented by Km' i0 ;

p [filtersEj , E* m, EStjlE7j, E* m, EOSj ) = 1

p [filters(EY,j1, e1 m, ^ Ej, e1 m, Es.)=0 (22)

| L' = b',E' = b]=5/8,b = b'. )

We will tacitly assume that the attacker knows probabilistic statements which imply that if one replaces a subexpression s of an expression E by another subexpression s' which represents the same bitstring then the bitstring represented by E does not change. For the sake of brevity, we omit such details here.

We now describe the strategy of the attacker. The attacker generates pairs of plaintexts Pm = Lm(b)Rm(b'), P1'm = L1'm(b)R1'm(b'). From these plaintexts and corresponding cipher-texts, he computes E'j ,E'lj, EI ' for j = 2,5,6, 7,8, and uses the results to compute filtersm =

fi,l,t,ers(Em , E1' m,Em . ,...,Em. , E1' m,Em . ). If the computation returns 0 for a certain m, the at' v J,31' 1,31' 0,31' ' 1,35' 1,35' 0,35' K '

tacker disregards the pair of plaintexts Pm,P1,m.

Now, according to (15), P[E' = L'] = 1/16; by (21), if this is the case, then filters' = 1. From (22), we also conclude that P[filters' = 1] = 3/8. Thus, the attacker discards 5/8 of the pairs of plaintexts; of the remaining 3/8, 1/6 of them correspond to pairs Pm,P1,m such that L' = E55. These are the plaintexts which the attacker will use to gain information about the secret key. From (16) and the previous reasoning, we conclude that

P[OS6 ,3(Lm(b)Rm(b'),Ki) ® OS6 ,3(L 1,'(b)R1,m(b'),Ki) = E'3

' o1j (23)

| filters' = 1] = -.

(17) and (18) tell us that

E'3 = ISe,j (L'^R'^b'),^ ),

E= IS6j (L1 '(b)R1 ,'(b'),Ki).

The attacker then computes contains(testj (E'j, E('', E' j), k) for all j = 2, 5, 6, 7, 8 and all k £ . Now, if

E' = OS6j(L'^R'^'), K1) ® OS6j(L1 ,'(b)R1 ,'(b'), K1), (24)

which happens with probability 1/6, we have

contains' (k) = contains(test3 (Efj,E*I' ,E' 3 ),k) = contains(test3 (IS3, k (Lm(b)Rm(b'),K1 )

I f = b, E'm = b] = 1

10This property is an estimation rather than a precise value; using a more complete set of cryptographic properties, it is obtained in the distribution of maximum entropy from other properties of the encryption process.

ISj, k (L *, ™(b)R *, ™(b'),Kg),bo ),k).

Thus, by (19), contains™ (Kg j) = 1. If k = Kg,j is some other bitstring, P[contains™(k) = 1] = 1/16 and P[contains™(k) = 0] = 15/16. If (24) is not verified, which happens with probability 5/6, we have P[contains™(k) = 1] = 1/16 with probability 1/16 for all k e . It is easy to see that in the distribution of maximum entropy:

• the results of contains™ (k) and contains")(k) are independent for j = j';

• the results of contains™(k) and contains™ (k') are independent for k = k';

• the results of contains™(k) and contains™ (k) are independent for m = m'.

The attacker will try to guess the bits Kg j for j = 2, 5, 6, 7, 8, thus obtaining 30 of the 56 bits of the original key. Suppose that the attacker encrypts N = 200 pairs of plaintexts. We may estimate his probability of success as follows. The expected number of "filtered" pairs if 3N/8 = 75. For each j = 2, 5, 6, 7, 8 and each filtered pair of plaintexts, we have P[contains™(k) = 1] = 1/6 + 5/6 • 1/16 = 7/32 if k = Kgj and P[contains™ (k) = 1] = 1/16 if k = Kg j.

Fix j e {2, 5, 6, 7, 8}, Kg j = k e Z|, and recall that in the distribution of maximum entropy the results of contains™ are independent for different values of m. Taking this fact and the previous estimations into account, we conclude that the probability that after 75 filtered tests there are more positive results contains™(k) than contains™(Kg j) is given by

p = ^(f75^-)^-)75"2 X "75"(-)j(-)75-j) ^ 0.0013. (25)

^ V if v32; v16; V j/ 16; v16; ; v ;

Thus, the probability that some bitstring Kg j = k e Z^ has more positive results than Kg j can be estimated to be less than 63p ~ 0.082. As such, the probability that, for all j = 2, 5, 6, 7, 8, the bitstring with more positive results contains™(k) is the one represented by Kg j is

at least (1 - 63p)5 ^ 0.65. □

Theorem 3.8 Let E e Exp be such that A(En) (the set of bitstrings which En may represent for security parameter n) verifies the following:

• given a bitstring b and a security parameter n, there are efficient algorithms for deciding whether or not

b e A(En);

• there are N e N,k > 1 satisfying n > N ^ \A(En)| > kn (i.e., A(En) grows exponentially in n) 11 •

Suppose that there is a polynomial-time attacker A whose probability of guessing the bitstring represented by En is a non-negligible, computable function of n• Then, there exists an attacker A and an expression g e Exp^ representing A's guess such that

H™ax(En) - H(E I g) (26)

is non-negligible as a function of n, where E, g ^ D and D is the distribution of maximum entropy on which verifies the all statements in S^ (i.e., the set of cryptanalytical properties known by A) and Hmax(En) = log |A(En)| is the maximum entropy of a probability distribution on A(En)•

Proof. The first step of the proof is to see that we may specify an attacker A with the two properties described above.

For this, suppose that, whenever the attacker A would make a probabilistic decision, A runs some

random generation algorithm R e and records its result. He then makes his choice deterministically, as determined by the output of the random generation algorithm. Clearly, we may assume that the probability of each decision is the same for both attackers, A and A, and so their probability of success is also the same. Since all of A's probabilistic decisions and computations are represented by the results of random

generation algorithms in RA, it is clear that we may write A's guess as an expression g e ExpA which depends on the outputs of random generation algorithms executed during the protocol (either by the attacker or other users of the network). Since A is a polynomial-time adversary, each random generation algorithm

1 Intuitively, this last condition demands that A(En) is so large that guessing the bistring corresponding

to En is hard.

cannot be executed more than a polynomial number of times, and it is easy to see that g can be computed in polynomial-time by simulating an execution of the attack (recall that all probabilistic decisions and randomly generated data are determined by the random generation algorithms).

Let s be the non-negligible, computable function such that s(n) is the probability that the attacker correctly guesses the bitstring corresponding to En. A's cryptanalytical knowledge contains the properties

P [(Equals(E,g))v = 1] = s(n)

for each fixed security parameter n, where Equals E FA is an algorithm which receives two bitstrings and returns 1 if they are equal, 0 otherwise. This property states that the probability that the guess of the attacker is correct is given by s(n), and thus is correct by hypothesis. Furthermore, we let the attacker

know that the value of E is in A(E^): i.e., we define e E F^ so that e(n,b) = 1 if b E A(n) and 0 otherwise, and consider the properties

P[E = b | e(b) = 0] = 0, P [e(E) = e(b) | E = b] = 1 for all E E ExpA. We also need some properties of Equals to prove our result:

P[Ef = b I E = b, Equals(E, Ef) = 1] = 1, P[Ef = b I E = b, Equals(E, Ef) = 0] = 0,

P[E = b I g = b] = s(n),

P [E = b I e(b) = 0] = 0

when E is sampled from the distribution of maximum entropy given A's cryptanalytical knowledge; the second property is valid for all b E B^.

Without any further knowledge of E, it follows that, in the distribution of maximum entropy,

P[E = b I Equals(g, b) = 0, e(b) = 1] = ■ 1 " s(n)

A, b e b£.

These properties imply that

where E, E' e Exp^, b e B^.

\A(EV )| - 1

for b e B^

H (E | g) = —s(n) log(s(n)) - (1 - s(n))log- 1 s(n)

\A(EV)| - 1

1 1 1 1 - nc < - - log-, - (1 - - )log-n—

nc nc n IA(En)

for sufficiently large n and some c > 0. By definition of Hmax,

(En) = log(IA(En )I).

1 1 1 1 Hmax(En) - H(E \ g) > log(|A(En)|) + -- log — + (1 - --) log

nc nc n \A(En)| - 1

= log(|A(En)|) + —, log^: nc n:

+ (1 - JC) log(1 - ^) - (1 - ^) log(|A(En)| - 1) (27)

nc nc nc

= [log(|A(En)|) - log(|A(En)| - 1)] + ^ log ic

+ (1 - nC) log(1 - nC) + nf log(|A(En)| - 1).

Dividing each of these parcels by nc — 1 and using properties of logarithms, one obtains that

H™ax (En ) - H( En | gn ) > Q'

for some constant C' and all sufficiently large n, which concludes the proof. □

Example 3.9 (Probability of Success) It is clear that the probability distribution of c(n) is uniform in the set {1,..., 2n} (considering the distribution of maximu entropy), and that different executions of c are independent (i.e., cm, cm are independent for m = m'). It is also easy to see that the responses R(C, Ck) are independent for different values of k. From the first consideration one may conclude that P[cm = cm ] = 1/(2n) for m = m'. Equations (4), (5) imply that R(C,Ck) =0 iff cj = cj+kn for j = 1,...,v. Thus, we obtain P[R(C,Ck) = 0] = ()n ^ —.

After 4n log n queries, we expect that approximately N = n log n of them, say k\,...,k]N, are

"relevant" (i.e., A's response, R(C,Cki), is 0). Let us then estimate the probability that I can obtain the correct bitstring from this number of relevant queries. Consider the set Si of the bitstrings represented by c1+kin, ..., cl + k^n. If #Si = 2n — 1, then the information available to the attacker allows to exclude all but one hypothesis for the value of ci (by equation (4)). The probability of this event is at least

(2n)Bn log n — (2n — 1)Bn los n (2n)Bn los n

= 1 — (1 — 1/2 )Bnlogn ^ 1 1 ,

n n2/ve

where B = -4=.

Since all executions of c are independent, it is easy to conclude that the same calculation can be made for all other "slots" 1 through n. Thus, the probability that the attacker is able to obtain the correct "color" for all slots can be estimated to be

2— )n > (1 — -)n

2/ e n