Probabilistic Opacity for a Passive Adversary and its Application to Chaum's Voting Scheme
, 2005
Cited by 4 (0 self)
Abstract
A predicate is opaque for a given system if an adversary will never be able to establish the truth or falsehood of the predicate for any observed computation. This notion has essentially been introduced and studied in the context of transition systems, whether describing the semantics of programs, security protocols or other systems. In this paper, we are interested in studying opacity in the probabilistic computational world. Indeed, in other settings, as in the Dolev-Yao model for instance, even if an adversary is 99% sure of the truth of the predicate, it remains opaque as the adversary cannot conclude for sure. In this paper, we introduce a computational version of opacity in the case of passive adversaries called cryptographic opacity. Our main result is a composition theorem: if a system is secure in an abstract formalism and the cryptographic primitives used to implement it are secure, then this system is secure in a computational formalism. Security of the abstract system is the usual opacity and security of the cryptographic primitives is IND-CPA security. To illustrate our result, we give two applications: a short and elegant proof of the classical Abadi-Rogaway result and the first computational proof of Chaum's visual electronic voting scheme.
The Java Virtual Machine Specification, http://java.sun.com/docs/books/vmspec
 In Proc. of GC’04, volume 3267 of Springer LNCS
, 2005
Cited by 3 (1 self)
Abstract
Polynomial time adversaries based on a computational view of cryptography have additional capabilities that the classical Dolev-Yao adversary model does not include. To relate these two different models of cryptography, in this paper we enrich a formal model for cryptographic expressions, originally based on the Dolev-Yao assumptions, with computational aspects based on notions of probability and computational power. The obtained result is that if the cryptosystem is robust enough, then the two adversary models turn out to be equivalent. As an application of our approach, we show how to determine a secrecy property against the computational adversary.
Approximating Imperfect Cryptography in a Formal Model
 MEFISTO 2003 PRELIMINARY VERSION
, 2003
Cited by 3 (3 self)
Abstract
We present a formal view of cryptography that overcomes the usual assumptions of formal models for reasoning about security of computer systems, i.e. perfect cryptography and the Dolev-Yao adversary model. In our framework, equivalence among formal cryptographic expressions is parameterized by a computational adversary that may exploit weaknesses of the cryptosystem to cryptanalyze ciphertext with a certain probability of success. To validate our approach, we show that in the restricted setting of ideal cryptosystems, for which the probability of guessing information that the Dolev-Yao adversary cannot derive is negligible, the computational adversary is limited to the allowed behaviors of the Dolev-Yao adversary.
Verifying Statistical Zero Knowledge with Approximate Implementations
Cited by 1 (1 self)
Abstract
Statistical zero-knowledge (SZK) properties play an important role in designing cryptographic protocols that enforce honest behavior while maintaining privacy. This paper presents a novel approach for verifying SZK properties, using recently developed techniques based on approximate simulation relations. We formulate statistical indistinguishability as an implementation relation in the Task-PIOA framework, which allows us to express computational restrictions. The implementation relation is then proven using approximate simulation relations. This technique separates proof obligations into two categories: those requiring probabilistic reasoning and those that do not. The latter is a good candidate for mechanization. We illustrate the general method by verifying the SZK property of the well-known identification protocol proposed by Girault, Poupard and Stern.
Soundness Limits of Dolev-Yao Models
 Proceedings of the Workshop on Formal and Computational Cryptography (FCC 2006), 2006.
, 2001
Cited by 1 (0 self)
Abstract
Automated tools such as model checkers and theorem provers for the analysis of security protocols typically abstract from cryptography by Dolev-Yao models, i.e., they replace real cryptographic operations by term algebras. The soundness of Dolev-Yao models with respect to real cryptographic security definitions has received significant attention in the last years. Until recently, all published results were positive, i.e., they show that various classes of Dolev-Yao models are indeed sound with respect to various soundness definitions. Here we discuss impossibility results. In particular, we present such results for Dolev-Yao models with hash functions, and for the strong security notion of black-box reactive simulatability (BRSIM)/UC. We show that the impossibility even holds if no secrecy (only collision resistance) is required of the Dolev-Yao model of the hash function, or if probabilistic hashing is used, or certain plausible protocol restrictions are made. We also survey related results for XOR. In addition, we start to make some
Non-Determinism in Multi-Party Computation (Abstract)
Abstract
Outside security, non-determinism is an important tool for specifying systems without fixing unnecessary details. In security, however, normal refinement of non-deterministic specifications is usually not applicable, in particular because it may invalidate secrecy properties. Especially simulatability-based security notions seem to require detailed deterministic or probabilistic specifications. We show how one can nevertheless use the reactive simulatability (RSIM) framework to address non-determinism. In particular we survey its generic distributed scheduling for treating the non-determinism of asynchronous execution, discuss the experiences we made with this, and how it encompasses other recent scheduling approaches. We also show how property-based specifications can play the role of highest-level non-determinism in the RSIM context, and how functional non-determinism of machines can be captured by the system-from-structure derivations as well as by call-outs to the adversary or more general resolvers.
Security, Languages, Verification
Abstract
Type systems for secure information flow aim to prevent a program from leaking information from variables classified as H to variables classified as L. In this work we extend such a type system to address encryption and decryption; our intuition is that encrypting a H plaintext yields a L ciphertext. We argue that well-typed, polynomial-time programs in our system satisfy a computational probabilistic noninterference property, provided that the encryption scheme is IND-CCA secure. As a part of our proof, we first consider secure information flow in a language with a random assignment operator (but no encryption). We establish a result that may be of independent interest, namely, that well-typed, probabilistically total programs with random assignments satisfy probabilistic noninterference. We establish this result using a weak probabilistic bisimulation.