From f43ff93b00374700209252e0ec1b2d2d40b3bc0e Mon Sep 17 00:00:00 2001
From: Dionysis Zindros
Date: Mon, 27 Nov 2017 12:04:18 +0200
Subject: [PATCH 1/4] Remove unnecessary TODOs
---
 etc/theory/compression_security.tex | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/etc/theory/compression_security.tex b/etc/theory/compression_security.tex
index 2302e2aa..3111663e 100644
--- a/etc/theory/compression_security.tex
+++ b/etc/theory/compression_security.tex
@@ -21,7 +21,7 @@
 \newcommand\defeq{\stackrel{\mathclap{\normalfont\mbox{def}}}{=}}
 \begin{document}
-\title{On the (in)security of encryption over compression in TLS} % TODO: replace with your title
+\title{On the (in)security of encryption over compression in TLS}
 \input{sections/abstract.tex}
@@ -37,7 +37,7 @@
 \ccsdesc[500]{Security and privacy~Web application security}
-\keywords{compression, BREACH, CRIME, web security, defense, reflection security} % TODO: replace with your keywords
+\keywords{compression, BREACH, CRIME, web security, defense, reflection security}
 \maketitle
From b40430a91a21bf9e0d0b8db5b5a1378083d503b0 Mon Sep 17 00:00:00 2001
From: Dionysis Zindros
Date: Mon, 27 Nov 2017 12:04:46 +0200
Subject: [PATCH 2/4] Refactor reflection security game
---
 etc/theory/sections/reflection_security.tex | 39 ++++++++++++---------
 1 file changed, 22 insertions(+), 17 deletions(-)
diff --git a/etc/theory/sections/reflection_security.tex b/etc/theory/sections/reflection_security.tex
index 20064f1d..8e1bf8c7 100644
--- a/etc/theory/sections/reflection_security.tex
+++ b/etc/theory/sections/reflection_security.tex
@@ -8,14 +8,20 @@ \section{Reflection security}\label{sec:refsec} \subsection{The reflection game}\label{subsec:refsecgame} -Let $\mathcal{SE} = (Gen, \mathcal{E}, \mathcal{D})$ be a private-key encryption -scheme, $\mathcal{A}$ be an adversary and $\mathcal{S}$ be a simulator. Also let -some function $f(\cdot, \cdot)$, some function -$g$ of the plaintext, some function $Com(\cdot)$, and a distribution of secrets -$\mathcal{M}$. We call $f$ a rendering function and require that it -is polynomially computable and reversible. We call $Com$ the compression -function and require that it is a deterministic polynomially computable and -reversible bijection. +Let $\mathcal{T} = (Gen, K, \mathcal{D})$ be a triplet of algorithms. In this +triplet, $Gen$ is a key generation algorithm which, given a security parameter +$1^\lambda$ returns some key $\kappa$. The function $K$ is an encryption +function with three parameters: The key $\kappa$ and two plaintexts $s$ and $r$, +which we call the \textit{secret} and \textit{reflection} specifically. For now, +we leave the question of how these plaintexts are combined to be encrypted +together undefined; this will be instantiated into a concrete function when we +discuss the security of particular schemes. + +Let $\mathcal{A}$ be an adversary and $\mathcal{S}$ be a simulator. Also let +$\mathcal{M}$ be a distribution of plaintexts and $g$ a function defined on its +support, as well as some function $Com(\cdot)$ defined on the domain of $K$. We +call $Com$ the compression function and require that it is a deterministic +polynomially computable and reversible bijection. The game $\text{Game}_{\text{REF-SEC}}^{\mathcal{SE},\mathcal{A}}(\lambda)$ is parameterized with the security parameter $\lambda$. The challenger produces a 
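Review bot: The added paragraph renames the scheme to `$\mathcal{T} = (Gen, K, \mathcal{D})$`, but the unchanged sentence at the end of this hunk still writes the game as `\text{Game}_{\text{REF-SEC}}^{\mathcal{SE},\mathcal{A}}(\lambda)`, so the game is indexed by a symbol the subsection no longer introduces; either the superscript becomes `\mathcal{T},\mathcal{A}` or the triplet keeps the name `\mathcal{SE}`. `\mathcal{D}` is listed in the triplet but never described, and `$Com(\cdot)$ defined on the domain of $K$` does not fit the later `|Com(s)|`, which applies $Com$ to a secret alone; since the simulator's input is expressed through $Com$, its domain should be stated exactly. In the added wording, `specifically` should read `respectively`, and `$1^\lambda$ returns` needs a comma before `returns`. The subsection continues past the end of the hunk.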
@@ -25,9 +31,8 @@ \subsection{The reflection game}\label{subsec:refsecgame} The adversary is then allowed to run and make arbitrary calls to a reflection oracle. The oracle is parameterized by $s$, the secret unknown to the adversary. For the reflection oracle call, the adversary chooses a reflection string $r$ -and sends it to the oracle. The oracle computes $m = f(s, r)$. Subsequently $m$ -is encrypted as $c = \mathcal{E}_\kappa(m)$, and $c$ is sent back to the -adversary. +and sends it to the oracle. The oracle computes $c = K_\kappa(s, r)$. +Subsequently $c$ is sent back to the adversary. When the adversary decides to complete the game, they output a guess $y$. The adversary is successful if $g(s) = y$. In the case of Rupture, a successful @@ -51,8 +56,7 @@ \subsection{The reflection game}\label{subsec:refsecgame} \begin{lstlisting}[texcl,mathescape,basicstyle=\small] def $\text{Reflect}^{k}_s(r)$: - $m = f(s, r)$ - $c \leftarrow \mathcal{E}_{k}(m)$ + $c \leftarrow K_{k}(s, r)$ return $c$ \end{lstlisting} @@ -62,7 +66,7 @@ \subsection{The reflection game}\label{subsec:refsecgame} def $\text{Game}_{\text{REF-SIM}}^{\mathcal{SE},\mathcal{S}}(\lambda)$: $s \leftarrow \mathcal{M}$ $s' = 0^{|s|}$ - $y \leftarrow \mathcal{S}^{\text{Reflect}^{k}_s(r)}(1^\lambda, {|Com(s)|})$ + $y \leftarrow \mathcal{S}^{\text{Reflect}^{k}_{s'}(r)}(1^\lambda, {|Com(s)|})$ if $y = g(s)$: return 1 else: @@ -101,8 +105,9 @@ \subsection{Adversarial advantage}\label{subsec:refsecadv} \subsection{Adaptive reflection security}\label{subsec:adaptiverefsec} -Given a rendering function $f(\cdot, \cdot)$, a private-key encryption -scheme $\mathcal{SE}$ is \textit{reflection-secure} if: +Given a rendering function $f(\cdot, \cdot)$, a private-key encryption scheme +$\mathcal{SE}$ composed with a rendering function $f$ is +\textit{reflection-secure} if: \begin{align*} \forall \mathcal{M}: \forall g: 
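Review bot: In the `-25,9` hunk the prose states the oracle's step as `$c = K_\kappa(s, r)$`, while the listing edited in the `-51,8` hunk has `$c \leftarrow K_{k}(s, r)$`; the two differ in the key symbol (`\kappa` against `k`) and in `=` against `\leftarrow`. If $K$ is meant to be randomized, as the sampling arrow in the listing suggests, the prose line should read `The oracle computes $c \leftarrow K_\kappa(s, r)$.` and the listing should use `\kappa` as well. The paragraph begins and ends outside the hunk.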
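Review bot: In the `-62,7` hunk the simulator's oracle `\text{Reflect}^{k}_{s'}` uses a key `k` that the visible lines of `\text{Game}_{\text{REF-SIM}}` never sample: the listing goes from `$s \leftarrow \mathcal{M}$` and `$s' = 0^{|s|}$` straight to the call. A line such as `$k \leftarrow Gen(1^\lambda)$` before the call would bind it, and the oracle superscript would read better without the unbound `(r)`. A sentence next to the listing saying that the simulator's oracle encrypts zeros of length $|s|$, and therefore depends on $s$ only through $|s|$, would record why the dummy secret is used. The game name also still carries `\mathcal{SE}`, and the end of the listing lies outside the hunk.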
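Review bot: In the `-101,8` hunk the rewritten sentence names the rendering function twice (`Given a rendering function $f(\cdot, \cdot)$, ... composed with a rendering function $f$`) and never says how the composition yields the `$K$` that the reflection game now takes. Judging by the lines removed from the oracle earlier in this patch, the intended composition is presumably `$K_\kappa(s, r) = \mathcal{E}_\kappa(f(s, r))$`; stating that here would connect `$\mathcal{SE}$` and `$f$` to the game. A possible opening is `A private-key encryption scheme $\mathcal{SE}$ composed with a rendering function $f(\cdot, \cdot)$ is \emph{reflection-secure} if:`. The `align*` that completes the definition is cut off by the hunk.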
@@ -112,7 +117,7 @@ \subsection{Adaptive reflection security}\label{subsec:adaptiverefsec} \end{align*} \begin{lemma}[Semantic security] - Let $(Gen, K, D)$ be a length-preserving reflection-secure encryption + Let $(Gen, E, D)$ be a length-preserving reflection-secure encryption scheme. Then it is also semantically secure. \end{lemma} From 9cdf09494c1f8d22986127c504cfcd77a0e2ce63 Mon Sep 17 00:00:00 2001 From: Dionysis Zindros Date: Mon, 27 Nov 2017 12:04:56 +0200 Subject: [PATCH 3/4] Typo --- etc/theory/sections/security_of_compression.tex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/theory/sections/security_of_compression.tex b/etc/theory/sections/security_of_compression.tex index 20d04662..00b1ef0c 100644 --- a/etc/theory/sections/security_of_compression.tex +++ b/etc/theory/sections/security_of_compression.tex @@ -197,7 +197,7 @@ \subsection{Good compression allows predicate detection} We now move on to show that all good compression functions exhibit compression-detectability of some predicate. In intuitive terms, this means -that if a compression function compresses well enough, it will necessarilly +that if a compression function compresses well enough, it will necessarily allow one part of the plaintext to affect how another part of the plaintext compresses. An attacker that is able to measure how well a string compresses can use this to detect a predicate on the second part of the plaintext by From 17112ceb0ab5c7553ae19092f001d598fa62f8f3 Mon Sep 17 00:00:00 2001 From: Dionysis Zindros Date: Mon, 27 Nov 2017 12:13:22 +0200 Subject: [PATCH 4/4] Fix reflection oracle of simulator for new game --- etc/theory/sections/reflection_security.tex | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/etc/theory/sections/reflection_security.tex b/etc/theory/sections/reflection_security.tex index 8e1bf8c7..e12bfb66 100644 --- a/etc/theory/sections/reflection_security.tex +++ b/etc/theory/sections/reflection_security.tex 
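Review bot: The lemma's hypothesis in the `-112,7` hunk, `Let $(Gen, E, D)$ be a length-preserving reflection-secure encryption scheme`, leaves out the rendering function, although the definition just above makes reflection security a property of a scheme composed with `$f$`. The statement should say for which `$f$` the scheme is reflection-secure; without it the implication to semantic security is not well defined. `length-preserving` is not defined in the visible text, and the plain `E`, `D` differ from the calligraphic `\mathcal{D}` used in the triplet at the start of the section, so `Let $(Gen, \mathcal{E}, \mathcal{D})$ be ...` would be more consistent. The proof, if any, lies outside the hunk.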
@@ -77,8 +77,7 @@ \subsection{The reflection game}\label{subsec:refsecgame}
 \begin{lstlisting}[texcl,mathescape,basicstyle=\small]
 def $\text{Reflect}^{k}_{s'}(r)$:
- $m = f(s', r)$
- $c \leftarrow \mathcal{E}_{k}(m)$
+ $c \leftarrow \mathcal{K}_{k}(s', r)$
 return $c$
 \end{lstlisting}
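Review bot: The added oracle line writes the encryption as `\mathcal{K}_{k}(s', r)`, but the triplet is introduced as `(Gen, K, \mathcal{D})` and the adversary's oracle in patch 2 uses `K_{k}(s, r)`, so the simulator's listing refers to a symbol that the visible text does not define. The line should be `$c \leftarrow K_{k}(s', r)$`. Keeping the two Reflect listings identical apart from `s` versus `s'` also makes it evident that the real and simulated oracles differ only in the secret.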