Computationally sound implementations of equational theories against passive adversaries*

Mathieu Baudet (a), Véronique Cortier (b), Steve Kremer (c)

(a) DCSSI, France
(b) Loria/CNRS & INRIA Lorraine projet Cassis, France
(c) LSV/CNRS & INRIA Saclay projet SECSI & ENS Cachan, France

Abstract

In this paper we study the link between formal and cryptographic models for security protocols in the presence of passive adversaries. In contrast to other works, we do not consider a fixed set of primitives but aim at results for arbitrary equational theories. We define a framework for comparing a cryptographic implementation and its idealization with respect to various security notions. In particular, we concentrate on the computational soundness of static equivalence, a standard tool in cryptographic pi calculi. We present a soundness criterion, which for many theories is not only sufficient but also necessary. Finally, to illustrate our framework, we establish the soundness of static equivalence for the exclusive OR and a theory of ciphers and lists.

1. Introduction

Today’s ubiquity of computer networks increases the need for theoretic foundations for cryptographic protocols. For more than twenty years now, two communities separately developed two families of models. Both views have been very useful in increasing the understanding and quality of security protocol design. On the one hand formal or logical models have been developed, based on the seminal work of Dolev and Yao [2]. These models view cryptographic operations in a rather abstract and idealized way. On the other hand cryptographic or computational models [3] are closer to implementations: cryptographic operations are modeled as algorithms manipulating bit-strings. Those models cover a large class of attacks, namely all those implementable by a probabilistic polynomial-time Turing machine.

The advantage of formal models is that security proofs are generally simpler and suitable for automatic procedures, even for complex protocols. Unfortunately, the high degree of abstraction and the limited adversary power raise questions regarding the security offered by such proofs. Potentially, justifying symbolic proofs with respect to standard computational models has tremendous benefits: protocols can be analyzed using automated tools and still benefit from the security guarantees of the computational model.

* An extended abstract of this work was published in the proceedings of the ICALP’05 conference [1].
Email addresses: mathieu.baudet@sgdn.gouv.fr (Mathieu Baudet), cortier@loria.fr (Véronique Cortier), kremer@lsv.ens-cachan.fr (Steve Kremer)
Preprint submitted to Elsevier, December 30, 2008

For the past few years, a significant research effort has been directed at linking these two approaches. In their seminal work [4], Abadi and Rogaway prove the computational soundness of formal (symmetric) encryption in the case of a passive attacker. Since then, many results have been obtained. Each of these results considers a fixed set of primitives, for instance symmetric or public-key encryption. In this paper, we aim at presenting general results for arbitrary equational theories, such as encryption, but also less studied ones, such as groups or exclusive OR. The interest of our approach is not only to develop a general and unified framework for the treatment of cryptographic primitives. Conceptually, it also offers a better understanding of the use of equational theories when modeling the algebraic properties of the primitives. Indeed, for several years, formal models have considered equational theories like the theory of exclusive OR, abelian groups or homomorphic encryption (for a survey on algebraic properties see for instance [5, 6]) in order to model some cryptographic aspects. But it is a priori unclear whether “enough” equations have been considered to provide realistic security guarantees. A real attacker might still exploit additional properties of a cryptographic primitive that have not been modeled. Here, we propose a setting and some proof techniques that allow us to formally define and prove that “enough” equations have been considered.

We concentrate on static equivalence, a now standard notion originating from the applied pi calculus [7]. Intuitively, static equivalence asks whether an attacker can distinguish between two tuples of messages—later called frames—by exhibiting a relation which holds on one tuple but not on the other. Static equivalence provides an elegant means to express security properties on pieces of data, for instance those observed by a passive attacker during the run of a protocol. In the context of active attackers, static equivalence has also been used to characterize process equivalences [7] and off-line guessing attacks [8, 9]. There now exist exact [10] and approximate [11] algorithms to decide static equivalence for a large family of equational theories.

Our first contribution is a general framework for comparing formal and computational models in the presence of a passive attacker. We define the notions of soundness and faithfulness of a cryptographic implementation with respect to equality, static equivalence and (non-)deducibility. Soundness holds when a formal notion of security has a computational interpretation. For instance, statically equivalent tuples of messages (frames) should be computationally indistinguishable. Conversely, faithfulness holds when every formal attack on a given notion of security can be mapped to an efficient computational attacker. As an illustration, we consider an equational theory modeling Abelian groups with exponents taken over a commutative ring. We show that the soundness of static equivalence implies the hardness of several classical problems in cryptography, notably the decisional Diffie-Hellman and the RSA problem. Although not completely surprising, these results illustrate well the expressive power of static equivalence defined over tailored equational theories.

Our second contribution is a sufficient criterion for soundness with respect to static equivalence: intuitively the usual computational semantics of terms has to be indistinguishable to an idealized one. We also define and study a useful class of frames, called transparent frames, for arbitrary equational theories. Informally, a frame is transparent if every secret in use is deducible from the frame itself. Transparent frames enjoy notable properties such as a simple characterization of static equivalence and—in the case of uniform distributions—the fact that two statically equivalent transparent frames always yield the same concrete distribution, that is, are indistinguishable in the sense of information theory. This study of transparent frames allows us to exhibit a class of equational theories for which our soundness criterion is necessary.

Our third contribution consists in applying our framework to obtain two first soundness results for static equivalence. The first equational theory that we consider deals with the exclusive OR. This simple but important primitive has been largely used in cryptographic constructions such as the One-Time Pad and in protocols (see [6] for examples). Interestingly, our proof of soundness reflects the unconditional security (in the information-theoretic sense) of the One-Time Pad [12]. Second, we consider a theory of symmetric encryption and lists. The result is similar in spirit to the one of Abadi and Rogaway [4]. However, we consider deterministic, length-preserving, symmetric encryption schemes—also known as pseudo-random permutations or ciphers, while Abadi and Rogaway consider probabilistic, symmetric encryption. This choice is motivated by famous examples of ciphers such as DES or AES. In both examples, the specificity of our work is to prove the soundness of a standard formal notion, static equivalence, rather than that of a specialized relation.

Related work. The study of the link between the formal and the computational approaches for cryptographic protocols started with the seminal work of Abadi and Rogaway [4], in a passive setting. There have been many extensions to the work of Abadi and Rogaway in the passive case, such as studying completeness [13], considering deterministic encryption [14] (a more detailed comparison is provided below), One-Time pad, length-revealing and same-key revealing encryption [12] or allowing composed keys [15] and key-cycles [16].

The first results in an active setting were achieved by Backes, Pfitzmann, and Waidner [17, 18, 19]. These works prove the soundness of a rich language including digital signatures, public-key and symmetric key encryption in the presence of an active attacker for several kinds of security properties. Quite similar results were established in more abstract and classical Dolev-Yao models for asymmetric encryption and signatures [20, 21]. While more easily amenable to full automation, these results do not offer universal composability guarantees like the previous ones. However, Canetti and Herzog [22] have recently obtained a similar soundness theorem for a restricted class of protocols—mutual authentication and key exchange protocols using only public-key encryption—which does offer strong composability properties in the universal composability framework. Laud [23] presents an automated procedure for computationally sound proofs of confidentiality in the case of an active attacker and symmetric encryption when the number of sessions is bounded. Datta et al. [24] introduce a symbolic logic that allows cryptographically sound security proofs. Recently, Blanchet [25] proposed a computationally sound mechanized prover that relies directly on game transformations, a proof technique commonly used in the cryptographic setting.

Except [25], the previously mentioned results are all dedicated to some fixed set of cryptographic primitives. Here, our goal is not restricted to obtaining some particular soundness result for a given set of primitives and security properties. Rather, we aim at developing a general setting to reason about the adequacy of abstract functional symbols equipped with an equational theory and their corresponding cryptographic implementations. To the best of our knowledge, this approach is new and distinct from existing work. We now discuss some related work concerning the two theories (exclusive OR as well as ciphers and lists) that we have considered to illustrate our framework.

Regarding the soundness of exclusive OR, Backes and Pfitzmann [26] have independently shown an impossibility result in the framework of reactive simulatability, in the presence of an active adversary. They also present a soundness result in the presence of a passive adversary. While we consider the application of exclusive OR only to pure random values, Backes and Pfitzmann deal with arbitrary payloads. It is however not clear how the framework of reactive simulatability in the presence of a passive adversary compares to our framework based on static equivalence.

Concerning the theory of ciphers and lists, Laud [14] presents soundness results in the style of Abadi and Rogaway for ciphers. While these results are close to ours, Laud’s notion of formal equivalence is apparently more pessimistic than ours regarding the secrecy of encryption keys. For instance, as opposed to [14], we consider that the encryption of a fresh random value by a known key is indistinguishable from a random value—that is, formally, the pair (enc(n,k),k) is indistinguishable from (n′,k). The reason is that, in the absence of tags, each encryption key of a cipher yields a permutation on the space of values. Therefore, if n follows the uniform distribution, such as in our implementation (Section 5.2), so does the term enc(n,k). Provided a suitable set of equations, static equivalence naturally accounts for this property, whereas there seems to be no natural and immediate way to express the same equivalences using patterns in the style of Abadi and Rogaway. In some sense, the work of Abadi and Warinschi [27] can be seen as an attempt to do so on a fragment of equivalences modeling guessing attacks. Recently, the techniques developed in the present paper have been applied successfully by Abadi, Baudet, and Warinschi [28] to generalize the ideas of [27] and justify a modeling of guessing attacks purely based on static equivalence.
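As an added illustration (not code from the paper) of why the frame (enc(n,k),k) is indistinguishable from (n′,k) for a cipher, the following Python script works over a constructed 8-bit message space with the exclusive-OR one-time pad, a keyed permutation standing in for a block cipher (a key-seeded shuffle, an assumption made here for simplicity), and a hypothetical tagged scheme that is not length-preserving, and computes the exact distribution of each frame for uniform n. The two permutation-based schemes reproduce the distribution of (n′,k) exactly, so even an unbounded attacker cannot tell the frames apart, whereas the tagged scheme does not.

```python
from collections import Counter
import random

BITS = 8
SPACE = range(1 << BITS)  # constructed toy message space: all 8-bit values

def xor_enc(n: int, k: int) -> int:
    """Exclusive-OR theory (one-time pad): n xor k, a permutation for every k."""
    return n ^ k

def toy_cipher(n: int, k: int) -> int:
    """Stand-in for a block cipher: a keyed permutation of SPACE. The key k
    seeds a deterministic shuffle (assumption made here for illustration;
    a real cipher such as AES is likewise a permutation per key, on 128-bit blocks)."""
    perm = list(SPACE)
    random.Random(k).shuffle(perm)
    return perm[n]

def tagged_enc(n: int, k: int) -> int:
    """Hypothetical tagged scheme: appends a constant tag bit to the cipher
    output, so enc(., k) is no longer a permutation of SPACE."""
    return (toy_cipher(n, k) << 1) | 1

def is_permutation_of_space(enc, k: int) -> bool:
    """enc(., k) permutes SPACE iff its image over SPACE is exactly SPACE."""
    return {enc(n, k) for n in SPACE} == set(SPACE)

def frame_distribution(first, k: int) -> Counter:
    """Exact distribution of the frame (first(n), k) for n uniform over SPACE;
    the key k is fixed and revealed as the second component."""
    return Counter((first(n), k) for n in SPACE)

def frames_identically_distributed(enc, k: int) -> bool:
    """Is (enc(n, k), k) for uniform n distributed exactly as (n', k) for
    uniform n'? If so, no attacker, even unbounded, can tell them apart."""
    real = frame_distribution(lambda n: enc(n, k), k)
    ideal = frame_distribution(lambda n: n, k)
    return real == ideal

if __name__ == "__main__":
    for name, enc in (("xor", xor_enc), ("cipher", toy_cipher), ("tagged", tagged_enc)):
        print(name, is_permutation_of_space(enc, 0x5A), frames_identically_distributed(enc, 0x5A))
```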

In [14], Laud provides a computationally sound proof system handling both ciphers and exclusive OR in the presence of a passive attacker. This proof system is used to prove the security of several encryption modes including CBC. This approach differs from the one developed here as it aims at direct cryptographic proofs of security (much as in [23, 25]). In comparison, our approach (as in [4, 12, 15, 16, 17, 18, 19, 13, 20, 21]) aims to exhibit a class of protocols for which the absence of formal attacks entails the existence of a computational proof of security.

Further related work. Since the publication of a preliminary version [1] of this article, several papers have addressed the computational soundness of static equivalence. As already mentioned, Abadi, Baudet, and Warinschi [28] study resistance against offline guessing attacks modelled in terms of static equivalence and use the framework developed in this paper to show the soundness of an equational theory including ciphers, symmetric and asymmetric encryption. In [29], Bana, Mohassel and Stegers argue that the notion of static equivalence is too coarse and not sound for many interesting equational theories. They introduce a general notion of formal indistinguishability relation. This highlights that soundness of static equivalence only holds for a restricted set of well-formed frames (in the same vein Abadi and Rogaway used restrictions to forbid key cycles). They illustrate the unsoundness of static equivalence for modular exponentiation. More recently, Kremer and Mazaré [30] use our framework to define soundness of static equivalence in the presence of an adaptive, rather than purely passive, adversary. They show soundness results of static equivalence for an equational theory modelling modular exponentiation (for a class of well-formed frames, hence not contradicting [29]), as well as symmetric encryption with composed keys which can be computed using modular exponentiation or exclusive OR.

The active version of static equivalence is the observational equivalence relation introduced by Milner and Hoare in the early 80s. Intuitively, two processes are equivalent if an observer cannot tell the difference between the two processes. The observer can in particular intercept and send messages to the processes. Comon-Lundh and Cortier [31] have recently shown that observational equivalence between processes in a fragment of the applied pi-calculus [32] implies cryptographic indistinguishability against active attackers, in the context of symmetric encryption. They use an extended version of soundness of static equivalence (called tree soundness) as a key step in their proof.

Outline of the paper. In the next section, we introduce our abstract and concrete models together with the notions of indistinguishability. We then define the notions of soundness and faithfulness and illustrate some consequences of soundness with respect to static equivalence on groups. In Section 4, we define the ideal semantics of abstract terms, present our soundness criterion, and prove it necessary for a large family of equational theories. As an illustration (Section 5), we prove the soundness for the theories modeling exclusive OR, as well as ciphers and lists. We then conclude in Section 6. An appendix contains detailed proofs of formal lemmas related to static equivalence.

2. Modeling cryptographic primitives with abstract algebras

In this section we introduce some notations and set our abstract and concrete models.