Conference Paper

Computationally Sound Implementations of Equational Theories Against Passive Adversaries.

DCSSI, Paris, France; Loria/CNRS & INRIA Lorraine Projet Cassis, France; LSV/CNRS & INRIA Saclay Projet SECSI & ENS Cachan, France
DOI: 10.1007/11523468_53 Conference: Automata, Languages and Programming, 32nd International Colloquium, ICALP 2005, Lisbon, Portugal, July 11-15, 2005, Proceedings
Source: DBLP

ABSTRACT: In this paper we study the link between formal and cryptographic models for security protocols in the presence of a passive adversary. In contrast to other works, we do not consider a fixed set of primitives but aim at results for an arbitrary equational theory. We define a framework for comparing a cryptographic implementation and its idealization w.r.t. various security notions. In particular, we concentrate on the computational soundness of static equivalence, a standard tool in cryptographic pi calculi. We present a soundness criterion, which for many theories is not only sufficient but also necessary. Finally, we establish new soundness results for the Exclusive Or, as well as a theory of ciphers and lists.

  • ABSTRACT: Computer-aided verification provides effective means of analyzing the security of cryptographic primitives. However, it has remained a challenge to achieve fully automated analyses yielding guarantees that hold against computational (rather than symbolic) attacks. This paper meets this challenge for public-key encryption schemes built from trapdoor permutations and hash functions. Using a novel combination of techniques from computational and symbolic cryptography, we present proof systems for analyzing the chosen-plaintext and chosen-ciphertext security of such schemes in the random oracle model. Building on these proof systems, we develop a toolset that bundles together fully automated proof and attack finding algorithms. We use this toolset to build a comprehensive database of encryption schemes that records attacks against insecure schemes, and proofs with concrete bounds for secure ones.
    Proceedings of the 20th ACM Conference on Computer and Communications Security; 01/2013
  • ABSTRACT: Security protocols aim to allow two or more principals to establish a secure communication over a hostile network, such as the Internet. The design of security protocols is particularly error-prone, because it is difficult to anticipate what an intruder may achieve interacting through a number of protocol runs, claiming to be an honest participant. Thus, the verification of security protocols has attracted a lot of interest in the formal methods community and as a result lots of verification techniques/tools, as well as good practices for protocol design, have appeared in the two last decades. In this paper, we describe the state of the art in automated tools that support security protocol development. This mainly involves tools for protocol verification and, to a lesser extent, for protocol synthesis and protocol diagnosis and repair. Also, we give an overview of the most significant principles for the design of security protocols and of the major problems that still need to be addressed in order to ease the development of security protocols.
  • ABSTRACT: Static equivalence is a well established notion of indistinguishability of sequences of terms which is useful in the symbolic analysis of cryptographic protocols. Static equivalence modulo equational theories allows a more accurate representation of cryptographic primitives by modelling properties of operators by equational axioms. We develop a method that allows in some cases to simplify the task of deciding static equivalence in a multi-sorted setting, by removing a symbol from the term signature and reducing the problem to several simpler equational theories. We illustrate our technique at hand of bilinear pairings. For almost thirty years, many formal models for analyzing cryptographic protocols have been developed. Among them we find logical or symbolic models, based on the seminal ideas of Dolev and Yao (11), that represent cryptographic primitives in an abstract way. This is justified by the so-called perfect cryptography assumption which states that the intruder has no means to break the cryptographic primitives themselves, and that he can hence break security only by exploiting logical flaws in the protocol. Messages of the protocol are represented by terms in an abstract algebra. The motivation of such abstractions was the simplification and even automation of the analyses and the proofs of security protocols. Since the assumption of perfect cryptography is not always realistic, some properties of cryptographic primitives (a survey can be found in (10)) have been taken into account in logical models by the means of equational theories on the terms. In this paper we concentrate on static equivalence, a standard notion of indistinguishability of sequences of terms originating from the pi calculus (2). Intuitively static equivalence asks whether or not an attacker can distinguish between two sequences of messages, later called frames, by exhibiting a relation which holds on one sequence but not on the other. Static equivalence provides an elegant means to express security properties on pieces of data, for instance those observed by a passive attacker during the run of a protocol. In the context of
    J. Autom. Reasoning. 01/2012; 48.
