Results 1 - 9 of 9
Formal certification of code-based cryptographic proofs
4th Workshop on Formal and Computational Cryptography (FCC), 2008
Cited by 81 (25 self)
Abstract
As cryptographic proofs have become essentially unverifiable, cryptographers have argued in favor of developing techniques that help tame the complexity of their proofs. Game-based techniques provide a popular approach in which proofs are structured as sequences of games, and in which proof steps establish the validity of transitions between successive games. Code-based techniques form an instance of this approach that takes a code-centric view of games, and that relies on programming language theory to justify proof steps. While code-based techniques contribute to formalize the security statements precisely and to carry out proofs systematically, typical proofs are so long and involved that formal verification is necessary to achieve a high degree of confidence. We present CertiCrypt, a framework that enables the machine-checked construction and verification of code-based proofs. CertiCrypt is built upon the general-purpose proof assistant Coq, and draws on many areas, including probability, complexity, algebra, and semantics of programming languages. CertiCrypt provides certified tools to reason about the equivalence of probabilistic programs, including a relational Hoare logic, a theory of observational equivalence, verified program transformations, and game-based techniques such as reasoning about failure events. The usefulness of CertiCrypt is demonstrated through classical examples, including a proof of semantic security of OAEP (with a bound that improves upon [9]), and a proof of existential unforgeability of FDH signatures. Our work provides a first yet significant step towards Halevi's ambitious programme [21] of providing tool support for cryptographic proofs.
Béguelin, S.: Computer-aided security proofs for the working cryptographer
In: Advances in Cryptology – CRYPTO 2011. Lecture Notes in Computer Science, 2011
Cited by 51 (22 self)
Abstract
We present EasyCrypt, an automated tool for elaborating security proofs of cryptographic systems from proof sketches—compact, formal representations of the essence of a proof as a sequence of games and hints. Proof sketches are checked automatically using off-the-shelf SMT solvers and automated theorem provers, and then compiled into verifiable proofs in the CertiCrypt framework. The tool supports most common reasoning patterns and is significantly easier to use than its predecessors. We argue that EasyCrypt is a plausible candidate for adoption by working cryptographers and illustrate its application to security proofs of the Cramer-Shoup and Hashed ElGamal cryptosystems. Keywords: Provable security, verifiable security, game-based proofs, Cramer-Shoup cryptosystem,
Security protocol verification: Symbolic and computational models
Principles of Security and Trust - First International Conference, POST 2012, Volume 7215 of Lecture Notes in Computer Science, 2012
Cited by 10 (0 self)
Abstract
Security protocol verification has been a very active research area since the 1990s. This paper surveys various approaches in this area, considering the verification in the symbolic model, as well as the more recent approaches that rely on the computational model or that verify protocol implementations rather than specifications. Additionally, we briefly describe our symbolic security protocol verifier ProVerif and situate it among these approaches.
Verified Indifferentiable Hashing into Elliptic Curves
Cited by 7 (4 self)
Abstract
Many cryptographic systems based on elliptic curves are proven secure in the Random Oracle Model, assuming there exist probabilistic functions that map elements in some domain (e.g. bitstrings) onto uniformly and independently distributed points in a curve. When implementing such systems, and in order for the proof to carry over to the implementation, those mappings must be instantiated with concrete constructions whose behavior does not deviate significantly from random oracles. In contrast to other approaches to public-key cryptography, where candidates to instantiate random oracles have been known for some time, the first generic construction for hashing into ordinary elliptic curves indifferentiable from a random oracle was put forward only recently by Brier et al. We present a machine-checked proof of this construction. The proof is based on an extension of the CertiCrypt framework with logics and mechanized tools for reasoning about approximate forms of observational equivalence, and integrates mathematical libraries of group theory and elliptic curves.
Automatically Verified Mechanized Proof of One-Encryption Key Exchange
Cited by 2 (1 self)
Abstract
We present a mechanized proof of the password-based protocol One-Encryption Key Exchange (OEKE) using the computationally-sound protocol prover CryptoVerif. OEKE is a non-trivial protocol, and thus mechanizing its proof provides additional confidence that it is correct. This case study was also an opportunity to implement several important extensions of CryptoVerif, useful for proving many other protocols. We have indeed extended CryptoVerif to support the computational Diffie-Hellman assumption. We have also added support for proofs that rely on Shoup's lemma and additional game transformations. In particular, it is now possible to insert case distinctions manually and to merge cases that no longer need to be distinguished. Eventually, some improvements have been added on the computation of the probability bounds for attacks, providing better reductions. In particular, we improve over the standard computation of probabilities when Shoup's lemma is used, which allows us to improve the bound given in a previous manual proof of OEKE, and to show that the adversary can test at most one password per session of the protocol. In this paper, we present these extensions, with their application to the proof of OEKE. All steps of the proof, both automatic and manually guided, are verified by CryptoVerif. Keywords: Automatic proofs, Formal methods, Provable security, Protocols, Password-based authentication
Mechanizing Game-Based Proofs of Security Protocols
2013
Cited by 1 (0 self)
Abstract
After a short introduction to the field of security protocol verification, we present the automatic protocol verifier CryptoVerif. In contrast to most previous protocol verifiers, CryptoVerif does not rely on the Dolev-Yao model, but on the computational model. It produces proofs presented as sequences of games, like
Actor-network procedures: Modeling multi-factor authentication, device pairing, social interactions
Under consideration for publication in Formal Aspects of Computing
Project-Team marelle: Mathematical, Reasoning and Software
2010
CERTIFICATE OF APPROVAL
2014
Abstract
Interactive theorem provers are software tools that help users create machine-checked proofs. Although difficult to use, they have been playing an important role in the effort to create highly reliable software. I present several novel user interface ideas for interactive theorem provers, generalizable to other mathematics and programming tools. Prototypes tailored to the Coq interactive theorem prover were developed and tested in an experiment with human participants. The results show promising directions for making interactive theorem provers easier to use.

This dissertation discusses the development and testing, with human participants, of several novel user interfaces for interactive theorem provers. Interactive theorem provers are software tools used to precisely describe and correctly reason about mathematical ideas and, in particular, to create and check what are often very complex mathematical proofs. One important application is the development of