Strongly-Optimal Structure Preserving Signatures from Type II Pairings: Synthesis and Lower Bounds
Abstract

Cited by 3 (1 self)
Abstract. Recent work on structure-preserving signatures studies optimality of these schemes in terms of the number of group elements needed in the verification key and the signature, and the number of pairing-product equations in the verification algorithm. While the size of keys and signatures is crucial for many applications, another important aspect to consider for performance is the time it takes to verify a given signature. By far, the most expensive operation during verification is the computation of pairings. However, the concrete number of pairings that one needs to compute is not captured by the number of pairing-product equations considered in earlier work. To fill this gap, we consider the question of what is the minimal number of pairings that one needs to compute in the verification of structure-preserving signatures. First, we prove lower bounds for schemes in the Type II setting that are secure under chosen message attacks in the generic group model, and we show that three pairings are necessary and that at most one of these pairings can be precomputed. We also extend our lower bound proof to schemes secure under random message attacks and show that in this case two pairings are still necessary. Second, we build an automated tool to search for schemes matching our lower bounds. The tool can generate automatically and exhaustively all valid structure-preserving signatures within a user-specified search space, and analyze their (bounded) security in the generic group model. Interestingly, using this tool, we find a new randomizable structure-preserving signature scheme in the Type II setting that is optimal with respect to the lower bound on the number of pairings, and also minimal with respect to the number of group operations that have to be computed during verification.
Automated Analysis and Synthesis of Block-Cipher Modes of Operation
Abstract

Cited by 3 (1 self)
Block ciphers such as AES are deterministic, keyed functions that operate on small, fixed-size blocks. Block-cipher modes of operation define a mechanism for probabilistic encryption of arbitrary length messages using any underlying block cipher. A mode of operation can be proven secure (say, against chosen-plaintext attacks) based on the assumption that the underlying block cipher is a pseudorandom function. Such proofs are complex and error-prone, however, and must be done from scratch whenever a new mode of operation is developed. We propose an automated approach for the security analysis of block-cipher modes of operation based on a "local" analysis of the steps carried out by the mode when handling a single message block. We model these steps as a directed, acyclic graph, with nodes corresponding to instructions and edges corresponding to intermediate values. We then introduce a set of labels and constraints on the edges, and prove a meta-theorem showing that any mode for which there exists a labeling of the edges satisfying these constraints is secure (against chosen-plaintext attacks). This allows us to reduce security of a given mode to a constraint-satisfaction problem, which in turn can be handled using an SMT solver. We couple our security-analysis tool with a routine that automatically generates viable modes; together, these allow us to synthesize hundreds of secure modes.
Program Synthesis Using Dual Interpretation
Abstract

Cited by 1 (0 self)
We present an approach to component-based program synthesis that uses two distinct interpretations for the symbols in the program. The first interpretation defines the semantics of the program. It is used to specify functional requirements. The second interpretation is used to capture non-functional requirements that may vary by application. We present a language for program synthesis from components that uses dual interpretation. We reduce the synthesis problem to an exists-forall problem, which is solved using the exists-forall solver of the SMT solver Yices. We use our approach to synthesize bit-vector manipulation programs, padding-based encryption schemes, and block cipher modes of operations.
A formal definition of protocol indistinguishability and its verification using Maude-NPA
In Security and Trust Management (STM), 2014
Abstract

Cited by 1 (0 self)
Abstract. Intuitively, two protocols P1 and P2 are indistinguishable if an attacker cannot tell the difference between interactions with P1 and with P2. In this paper we: (i) propose an intuitive notion of indistinguishability in Maude-NPA; (ii) formalize such a notion in terms of state unreachability conditions on their synchronous product; (iii) prove theorems showing how, assuming the protocol's algebraic theory has a finite variant (FV) decomposition, these conditions can be checked by the Maude-NPA tool; and (iv) illustrate our approach with concrete examples. This provides for the first time a framework for automatic analysis of indistinguishability modulo as wide a class of algebraic properties as FV, which includes many associative-commutative theories of interest to cryptographic protocol analysis.
Automated analysis and synthesis of authenticated encryption schemes
Abstract

Cited by 1 (1 self)
Authenticated encryption (AE) schemes are symmetric-key encryption schemes ensuring strong notions of confidentiality and integrity. Although various AE schemes are known, there remains significant interest in developing schemes that are more efficient, meet even stronger security notions (e.g., misuse-resistance), or satisfy certain non-cryptographic properties (e.g., being patent-free). We present an automated approach for analyzing and synthesizing block-cipher-based AE schemes, significantly extending prior work by Malozemoff et al. (CSF 2014) who synthesize encryption schemes satisfying confidentiality only. Our main insight is to restrict attention to a certain class of schemes that is expressive enough to capture several known constructions yet also admits automated reasoning about security. We use our approach to generate thousands of AE schemes with provable security guarantees, both known (e.g., variants of OCB and CCM) and new. Implementing two of these new schemes, we find their performance competitive with state-of-the-art AE schemes.
Automated algebraic analysis of structure-preserving signature schemes
Abstract

Cited by 1 (0 self)
Structure-preserving signature schemes can be very useful in the construction of new cryptographic operations like blind signatures. Recently several of these schemes have been proposed. The security of structure-preserving signature schemes is still proved by hand, which can be a laborious task. One way to prove the security of these schemes is algebraic analysis. We present an approach to perform this analysis and the first tool, CheckSPS, that can do an algebraic security analysis of these schemes, using SMT solvers as backend. This can help in constructing new schemes and analysing existing schemes. Our tool can handle all the common security objectives for signature schemes, i.e. existential unforgeability and strong existential unforgeability, and all the common capabilities for adversaries, i.e. random message attacks, non-adaptive chosen message attacks and adaptive chosen message attacks. The tool is sound, so if an attack is found it is actually possible to construct a forged signature.
Mind the Gap: Modular Machine-checked Proofs of One-Round Key Exchange Protocols
Abstract
Abstract. Using EasyCrypt, we formalize a new modular security proof for one-round authenticated key exchange protocols in the random oracle model. Our proof improves earlier work by Kudla and Paterson (ASIACRYPT 2005) in three significant ways: we consider a stronger adversary model, we provide support tailored to protocols that utilize the Naxos trick, and we support proofs under the Computational DH assumption not relying on Gap oracles. Furthermore, our modular proof can be used to obtain concrete security proofs for protocols with or without adversarial key registration. We use this support to investigate, still using EasyCrypt, the connection between proofs without Gap assumptions and adversarial key registration. For the case of honestly generated keys, we obtain the first proofs of the Naxos and Nets protocols under the Computational DH assumption. For the case of adversarial key registration, we obtain machine-checked and modular variants of the well-known proofs for Naxos, Nets, and Naxos+.
Computer-aided proofs in cryptography: an overview
Abstract
The goal of modern cryptography is to design efficient constructions that simultaneously achieve some desired functionality and provable security against resource-bounded adversaries. Over the years, the realm of cryptography has expanded from basic functionalities such as encryption, decryption and key agreement, to elaborate functionalities such as zero-knowledge protocols, secure multi-party computation, and more recently verifiable computation. In many cases, these elaborate functionalities can only be achieved through cryptographic systems, in which several elementary constructions interact. As a consequence of the evolution towards more complex functionalities, cryptographic proofs have become significantly more involved, and more difficult to check. Several cryptographers have therefore advocated the use of tool-supported frameworks for building and verifying proofs; the most vivid recommendation for using computer support is elaborated in a far-seeing article [5] in which Shai Halevi describes a potential approach for realizing this vision. Besides increasing confidence in cryptographic proofs, tool-supported frameworks