Conference Paper

Computationally Sound Implementations of Equational Theories Against Passive Adversaries.

DCSSI, Paris, France; Loria/CNRS & INRIA Lorraine Projet Cassis, France; LSV/CNRS & INRIA Saclay Projet SECSI & ENS Cachan, France
DOI: 10.1007/11523468_53
Conference: Automata, Languages and Programming, 32nd International Colloquium, ICALP 2005, Lisbon, Portugal, July 11-15, 2005, Proceedings
Source: DBLP

ABSTRACT: In this paper we study the link between formal and cryptographic models for security protocols in the presence of a passive adversary. In contrast to other works, we do not consider a fixed set of primitives but aim at results for an arbitrary equational theory. We define a framework for comparing a cryptographic implementation and its idealization w.r.t. various security notions. In particular, we concentrate on the computational soundness of static equivalence, a standard tool in cryptographic pi calculi. We present a soundness criterion, which for many theories is not only sufficient but also necessary. Finally, we establish new soundness results for the Exclusive Or, as well as a theory of ciphers and lists.

  • ABSTRACT: Security protocols aim to allow two or more principals to establish a secure communication over a hostile network, such as the Internet. The design of security protocols is particularly error-prone, because it is difficult to anticipate what an intruder may achieve interacting through a number of protocol runs, claiming to be an honest participant. Thus, the verification of security protocols has attracted a lot of interest in the formal methods community and as a result lots of verification techniques/tools, as well as good practices for protocol design, have appeared in the last two decades. In this paper, we describe the state of the art in automated tools that support security protocol development. This mainly involves tools for protocol verification and, to a lesser extent, for protocol synthesis and protocol diagnosis and repair. Also, we give an overview of the most significant principles for the design of security protocols and of the major problems that still need to be addressed in order to ease the development of security protocols.
  • ABSTRACT: Computer-aided verification provides effective means of analyzing the security of cryptographic primitives. However, it has remained a challenge to achieve fully automated analyses yielding guarantees that hold against computational (rather than symbolic) attacks. This paper meets this challenge for public-key encryption schemes built from trapdoor permutations and hash functions. Using a novel combination of techniques from computational and symbolic cryptography, we present proof systems for analyzing the chosen-plaintext and chosen-ciphertext security of such schemes in the random oracle model. Building on these proof systems, we develop a toolset that bundles together fully automated proof and attack finding algorithms. We use this toolset to build a comprehensive database of encryption schemes that records attacks against insecure schemes, and proofs with concrete bounds for secure ones.
    Proceedings of the 20th ACM Conference on Computer and Communications Security; 01/2013
  • ABSTRACT: This paper investigates the relationship between symbolic and computational approaches to the analysis of the anonymity of cryptographic protocols. We provide two computational soundness results for a symbolic ring signature in the presence of active adversaries, each corresponding to the unforgeability and signer anonymity of a ring signature scheme. The first result is the mapping-style soundness: every computational execution trace corresponds to a symbolic execution trace with overwhelming probability. The second result is the soundness of the symbolic anonymity of protocols: symbolic indistinguishability implies computational indistinguishability. By employing the mapping-style soundness result, we obtain the soundness of the symbolic anonymity when the length of execution traces is bound by a constant independent of the security parameter.
