Probabilistic Relational Reasoning for Differential Privacy
Abstract

Cited by 27 (6 self)
Differential privacy is a notion of confidentiality that protects the privacy of individuals while allowing useful computations on their private data. Deriving differential privacy guarantees for real programs is a difficult and error-prone task that calls for principled approaches and tool support. Approaches based on linear types and static analysis have recently emerged; however, an increasing number of programs achieve privacy using techniques that cannot be analyzed by these approaches. Examples include programs that aim for weaker, approximate differential privacy guarantees, programs that use the Exponential mechanism, and randomized programs that achieve differential privacy without using any standard mechanism. Providing support for reasoning about the privacy of such programs has been an open problem. We report on CertiPriv, a machine-checked framework for reasoning about differential privacy built on top of the Coq proof assistant. The central component of CertiPriv is a quantitative extension of a probabilistic relational Hoare logic that enables one to derive differential privacy guarantees for programs from first principles. We demonstrate the expressiveness of CertiPriv using a number of examples whose formal analysis is out of the reach of previous techniques. In particular, we provide the first machine-checked proofs of correctness of the Laplacian and Exponential mechanisms and of the privacy of randomized and streaming algorithms from the recent literature.
Security protocol verification: Symbolic and computational models
Principles of Security and Trust, First International Conference, POST 2012, Volume 7215 of Lecture Notes in Computer Science, 2012
Abstract

Cited by 10 (0 self)
Security protocol verification has been a very active research area since the 1990s. This paper surveys various approaches in this area, considering the verification in the symbolic model, as well as the more recent approaches that rely on the computational model or that verify protocol implementations rather than specifications. Additionally, we briefly describe our symbolic security protocol verifier ProVerif and situate it among these approaches.
Tractable inference systems: an extension with a deducibility predicate
In CADE'13, LNAI, 2013
Abstract

Cited by 8 (7 self)
The main contribution of the paper is a PTIME decision procedure for the satisfiability problem in a class of first-order Horn clauses. Our result is an extension of the tractable classes of Horn clauses of Basin & Ganzinger in several respects. For instance, our clauses may contain atomic formulas S ⊢ t where ⊢ is a predicate symbol and S is a finite set of terms instead of a term. ⊢ is used to represent any possible computation of an attacker, given a set of messages S. The class of clauses that we consider encompasses the clauses designed by Bana & Comon-Lundh for security proofs of protocols in a computational model. Because of the (variadic) ⊢ predicate symbol, we cannot use ordered resolution strategies only, as in Basin & Ganzinger: given S ⊢ t, we must avoid computing S′ ⊢ t for all subsets S′ of S. Instead, we design PTIME entailment procedures for increasingly expressive fragments, such procedures being used as oracles for the next fragment. Finally, we obtain a PTIME procedure for arbitrary ground clauses and saturated Horn clauses (as in Basin & Ganzinger), together with a particular class of (non-saturated) Horn clauses with the ⊢ predicate and constraints (which are necessary to cover the application).
Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols
In 19th ACM Conference on Computer and Communications Security, CCS 2012. ACM, 2012
Abstract

Cited by 8 (3 self)
Developers building cryptography into security-sensitive applications face a daunting task. Not only must they understand the security guarantees delivered by the constructions they choose, they must also implement and combine them correctly and efficiently. Cryptographic compilers free developers from having to implement cryptography on their own by turning high-level specifications of security goals into efficient implementations. Yet, trusting such tools is risky as they rely on complex mathematical machinery and claim security properties that are subtle and difficult to verify. In this paper, we present ZKCrypt, an optimizing cryptographic compiler that achieves an unprecedented level of assurance without sacrificing practicality for a comprehensive class of cryptographic protocols, known as Zero-Knowledge Proofs of Knowledge. The pipeline of ZKCrypt tightly integrates purpose-built verified compilers and verifying compilers producing formal proofs in the CertiCrypt framework. By combining the guarantees delivered by each stage in the pipeline, ZKCrypt provides assurance that the implementation it outputs securely realizes the high-level proof goal given as input. We report on the main characteristics of ZKCrypt, highlight new definitions and concepts at its foundations, and illustrate its applicability through a representative example of an anonymous credential system.
Probabilistic relational verification for cryptographic implementations
Unpublished manuscript, 2013
Abstract

Cited by 8 (1 self)
Relational program logics have been used for mechanizing formal proofs of various cryptographic constructions. With an eye towards scaling these successes towards end-to-end security proofs for implementations of distributed systems, we present RF⋆, a relational extension of F⋆, a general-purpose higher-order stateful programming language with a verification system based on refinement types. The distinguishing feature of RF⋆ is a relational Hoare logic for a higher-order, stateful, probabilistic language. Through careful language design, we adapt the F⋆ typechecker to generate both classic and relational verification conditions, and to automatically discharge their proofs using an SMT solver. Thus, we are able to benefit from the existing features of F⋆, including its abstraction facilities for modular reasoning about program fragments. We evaluate RF⋆ experimentally by programming a series of cryptographic constructions and protocols, and by verifying their security properties, ranging from information flow to unlinkability, integrity, and privacy. Moreover, we validate the design of RF⋆ by formalizing in Coq a core probabilistic λ-calculus and a relational refinement type system and proving the soundness of the latter against a denotational semantics of the probabilistic λ-calculus.
Verified computational differential privacy with applications to smart metering
In 26th IEEE Computer Security Foundations Symposium, CSF 2013, Los Alamitos, 2013
Abstract

Cited by 8 (3 self)
EasyCrypt is a tool-assisted framework for reasoning about probabilistic computations in the presence of adversarial code, whose main application has been the verification of security properties of cryptographic constructions in the computational model. We report on a significantly enhanced version of EasyCrypt that accommodates a richer, user-extensible language of probabilistic expressions and, more fundamentally, supports reasoning about approximate forms of program equivalence. This enhanced framework allows us to express a broader range of security properties, which notably include approximate and computational differential privacy. We illustrate the use of the framework by verifying two protocols: a two-party protocol for computing the Hamming distance between bitvectors, yielding two-sided privacy guarantees; and a novel, efficient, and privacy-friendly distributed protocol to aggregate smart meter readings into statistics and bills.
Verified Indifferentiable Hashing into Elliptic Curves
Abstract

Cited by 7 (4 self)
Many cryptographic systems based on elliptic curves are proven secure in the Random Oracle Model, assuming there exist probabilistic functions that map elements in some domain (e.g. bitstrings) onto uniformly and independently distributed points in a curve. When implementing such systems, and in order for the proof to carry over to the implementation, those mappings must be instantiated with concrete constructions whose behavior does not deviate significantly from random oracles. In contrast to other approaches to public-key cryptography, where candidates to instantiate random oracles have been known for some time, the first generic construction for hashing into ordinary elliptic curves indifferentiable from a random oracle was put forward only recently by Brier et al. We present a machine-checked proof of this construction. The proof is based on an extension of the CertiCrypt framework with logics and mechanized tools for reasoning about approximate forms of observational equivalence, and integrates mathematical libraries of group theory and elliptic curves.
Beyond 2-safety: Asymmetric product programs for relational program verification
In LFCS, 2013
Abstract

Cited by 7 (2 self)
Relational Hoare Logic is a generalization of Hoare logic that allows reasoning about executions of two programs, or two executions of the same program. It can be used to verify that a program is robust or (information flow) secure, and that two programs are observationally equivalent. Product programs provide a means to reduce verification of relational judgments to the verification of a (standard) Hoare judgment, and open the possibility of applying standard verification tools to relational properties. However, previous notions of product programs are defined for deterministic and structured programs. Moreover, these notions are symmetric, and cannot be applied to properties such as refinement, which are asymmetric and involve universal quantification on the traces of the first program and existential quantification on the traces of the second program. Asymmetric products generalize previous notions of products in three directions: they are based on a control-flow graph representation of programs, they are applicable to nondeterministic languages, and they are by construction asymmetric. Thanks to these characteristics, asymmetric products allow validating abstraction/refinement relations between two programs, and proving the correctness of advanced loop optimizations that could not be handled by our previous work. We validate their effectiveness by applying a prototype implementation to verify representative examples from translation validation and predicate abstraction.
Fully Automated Analysis of Padding-Based Encryption in the Computational Model
, 2013
Abstract

Cited by 7 (3 self)
Computer-aided verification provides effective means of analyzing the security of cryptographic primitives. However, it has remained a challenge to achieve fully automated analyses yielding guarantees that hold against computational (rather than symbolic) attacks. This paper meets this challenge for public-key encryption schemes built from trapdoor permutations and hash functions. Using a novel combination of techniques from computational and symbolic cryptography, we present proof systems for analyzing the chosen-plaintext and chosen-ciphertext security of such schemes in the random oracle model. Building on these proof systems, we develop a toolset that bundles together fully automated proof and attack finding algorithms. We use this toolset to build a comprehensive database of encryption
Computationally Complete Symbolic Attacker in Action
Abstract

Cited by 6 (2 self)
We show that the recent technique of computationally complete symbolic attackers proposed by Bana and Comon-Lundh [6] for computationally sound verification of security protocols is powerful enough to verify actual protocols. In their work, Bana and Comon-Lundh presented only the general framework, but they did not introduce sufficiently many axioms to actually prove protocols. We present a set of axioms (some generic axioms that are computationally sound for all PPT algorithms, two specific axioms that are sound for CCA2 secure encryptions, and a further minimal parsing assumption for pairing) and illustrate the power of this technique by giving the first computationally sound verification (secrecy and authentication) via symbolic attackers of the NSL Protocol that does not need any further restrictive assumptions about the computational implementation. In other words, all implementations for which the axioms are sound (namely, implementations using CCA2 encryption, and satisfying the parsing requirement for pairing) exclude the possibility of successful computational attacks. Furthermore, the axioms are entirely modular and not particular to the NSL protocol (except for the parsing assumption without which there is an attack).