Score:2

Composability of state-separable proofs


Brzuska et al. introduced the state-separation proof technique to tame complexity in game-based security proofs. The framework allows for modular, easy to understand, and reusable proofs. It has been applied to real-world protocols, like in this paper on the security of the TLS 1.3 key schedule. Additionally, this formalism is used in Mike Rosulek's book "The Joy of Cryptography".

The framework (that I am currently learning) relies on packages as basic building blocks and defines them in a way that provides a sequential and parallel composition.

What I don't understand so far is: are the composition theorems in state-separable proofs of the same kind as those in composable frameworks like UC (and variants) or constructive cryptography?

In particular, I don't see how the framework prevents the following "bad" example. Consider the task of combining an IND-CPA secure scheme (which we can define in the framework as well) and a secure MAC to create a secure channel; clearly, we can't expect the subsystems of all variants of this composition to retain their security in an arbitrary environment.

In short: Do state-separable proofs fundamentally change the semantics of code-based game-playing to allow composability in the sense of a known composable framework? Or do they "simply" provide a better syntax for code-based games that is more modular, readable, and reusable?

Mikero:
Why can we "clearly" not expect encrypt-then-MAC to always provide a secure channel? In other words, I don't understand why your "bad" example is bad.
Marc Ilunga:
@Mikero, "clearly" is a bit of a strong word. But the intent was to say, well, if we consider a generic composition of MAC, then encrypt, then we don't know what guarantees we get. On one hand, EtM is not generically secure. If we use CBC we have padding oracles, but at the same time there are secure instantiations of EtM with CBC... So to my understanding the definitions are not meant to give universal guarantees in arbitrary environments. Ohh and, nice book btw ;)
Mikero:
But encrypt-then-MAC *is* generically secure. A padding oracle attack is usually on plain CBC mode without a MAC. A padding oracle attack against CBC within encrypt-then-MAC requires a Dec algorithm like "if invalid padding return error1; elsif invalid MAC return error2; else decrypt" -- and this is not the correct Dec for encrypt-then-MAC.
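To illustrate the point in this comment, here is an added Python example (not code from the thread or from any of the papers it cites). The cipher is a constructed SHA-256 keystream, and PKCS#7-style padding stands in for the padding check a CBC decryptor performs; `leaky_decrypt` is the Dec quoted above, `etm_decrypt` is the correct encrypt-then-MAC Dec.

```python
import hashlib
import hmac
BLOCK, NONCE_LEN, TAG_LEN = 16, 16, 32

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy keystream cipher constructed for this example (not a real cipher):
    # keystream block i is SHA-256(key || nonce || i). It stands in for Enc.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def pad(msg: bytes) -> bytes:
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n

def unpad(padded: bytes) -> bytes:
    # Models the padding check a CBC-style decryptor runs before returning data.
    n = padded[-1] if padded else 0
    if n < 1 or n > BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]

def tag(mac_key: bytes, ct: bytes) -> bytes:
    return hmac.new(mac_key, ct, hashlib.sha256).digest()

def etm_encrypt(enc_key: bytes, mac_key: bytes, msg: bytes, nonce: bytes) -> bytes:
    # nonce must be fresh per message (e.g. os.urandom(NONCE_LEN)); the MAC
    # covers nonce and ciphertext together.
    ct = nonce + xor_stream(enc_key, nonce, pad(msg))
    return ct + tag(mac_key, ct)

def leaky_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes):
    # The Dec quoted above: padding first, MAC second, distinct errors. Not EtM Dec.
    ct, t = blob[:-TAG_LEN], blob[-TAG_LEN:]
    try:
        msg = unpad(xor_stream(enc_key, ct[:NONCE_LEN], ct[NONCE_LEN:]))
    except ValueError:
        return "error1"
    if not hmac.compare_digest(tag(mac_key, ct), t):
        return "error2"
    return msg

def etm_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes):
    # Correct Dec: constant-time tag check over the whole ciphertext first, one
    # failure signal; only an authentic ciphertext is ever decrypted and unpadded.
    ct, t = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag(mac_key, ct), t):
        return "error"
    return unpad(xor_stream(enc_key, ct[:NONCE_LEN], ct[NONCE_LEN:]))
```

With a tampered ciphertext the leaky Dec answers "error1" or "error2" depending on whether the padding survived, while the correct Dec answers "error" either way.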
Marc Ilunga:
arggg sorry, I goofed on the abbreviations before. I actually meant Mac-then-Encrypt...
Mikero:
These bad ways of combining MAC and CPA encryption are secure or insecure, based on how you *internally* instantiate the MAC and encryption scheme. I don't see what it has to do with the *external* environment surrounding the combined scheme.
Marc Ilunga:
The external environment part comes from the fact that CPA doesn't intrinsically say for which application (environment) it is sufficient. It may well be that in some application the attacker somehow gets decryption capabilities. Then composition of MAC and Enc is its own issue, which might or might not be secure if used in Mac-then-Encrypt... I found this paper: https://crypto.ethz.ch/publications/files/MaRuTa12.pdf to be interesting on those considerations.
Marc Ilunga:
Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/141157/discussion-between-marc-ilunga-and-mikero).