Strongly-Optimal Structure Preserving Signatures from Type II Pairings: Synthesis and Lower Bounds
Cited by 3 (1 self)
Recent work on structure-preserving signatures studies optimality of these schemes in terms of the number of group elements needed in the verification key and the signature, and the number of pairing-product equations in the verification algorithm. While the size of keys and signatures is crucial for many applications, another important aspect to consider for performance is the time it takes to verify a given signature. By far, the most expensive operation during verification is the computation of pairings. However, the concrete number of pairings that one needs to compute is not captured by the number of pairing-product equations considered in earlier work. To fill this gap, we consider the question of what is the minimal number of pairings that one needs to compute in the verification of structure-preserving signatures. First, we prove lower bounds for schemes in the Type II setting that are secure under chosen message attacks in the generic group model, and we show that three pairings are necessary and that at most one of these pairings can be precomputed. We also extend our lower bound proof to schemes secure under random message attacks and show that in this case two pairings are still necessary. Second, we build an automated tool to search for schemes matching our lower bounds. The tool can generate automatically and exhaustively all valid structure-preserving signatures within a user-specified search space, and analyze their (bounded) security in the generic group model. Interestingly, using this tool, we find a new randomizable structure-preserving signature scheme in the Type II setting that is optimal with respect to the lower bound on the number of pairings, and also minimal with respect to the number of group operations that have to be computed during verification.
Automated Analysis and Synthesis of Block-Cipher Modes of Operation
Cited by 3 (1 self)
Block ciphers such as AES are deterministic, keyed functions that operate on small, fixed-size blocks. Block-cipher modes of operation define a mechanism for probabilistic encryption of arbitrary length messages using any underlying block cipher. A mode of operation can be proven secure (say, against chosen-plaintext attacks) based on the assumption that the underlying block cipher is a pseudorandom function. Such proofs are complex and error-prone, however, and must be done from scratch whenever a new mode of operation is developed. We propose an automated approach for the security analysis of block-cipher modes of operation based on a "local" analysis of the steps carried out by the mode when handling a single message block. We model these steps as a directed, acyclic graph, with nodes corresponding to instructions and edges corresponding to intermediate values. We then introduce a set of labels and constraints on the edges, and prove a meta-theorem showing that any mode for which there exists a labeling of the edges satisfying these constraints is secure (against chosen-plaintext attacks). This allows us to reduce security of a given mode to a constraint-satisfaction problem, which in turn can be handled using an SMT solver. We couple our security-analysis tool with a routine that automatically generates viable modes; together, these allow us to synthesize hundreds of secure modes.
Program Synthesis Using Dual Interpretation
Cited by 1 (0 self)
We present an approach to component-based program synthesis that uses two distinct interpretations for the symbols in the program. The first interpretation defines the semantics of the program. It is used to specify functional requirements. The second interpretation is used to capture nonfunctional requirements that may vary by application. We present a language for program synthesis from components that uses dual interpretation. We reduce the synthesis problem to an exists-forall problem, which is solved using the exists-forall solver of the SMT-solver Yices. We use our approach to synthesize bitvector manipulation programs, padding-based encryption schemes, and block cipher modes of operation.
A formal definition of protocol indistinguishability and its verification using Maude-NPA
In Security and Trust Management (STM), 2014
Cited by 1 (0 self)
Intuitively, two protocols P1 and P2 are indistinguishable if an attacker cannot tell the difference between interactions with P1 and with P2. In this paper we: (i) propose an intuitive notion of indistinguishability in Maude-NPA; (ii) formalize such a notion in terms of state unreachability conditions on their synchronous product; (iii) prove theorems showing how (assuming the protocol's algebraic theory has a finite variant (FV) decomposition) these conditions can be checked by the Maude-NPA tool; and (iv) illustrate our approach with concrete examples. This provides for the first time a framework for automatic analysis of indistinguishability modulo as wide a class of algebraic properties as FV, which includes many associative-commutative theories of interest to cryptographic protocol analysis.
Automated analysis and synthesis of authenticated encryption schemes
Cited by 1 (1 self)
Authenticated encryption (AE) schemes are symmetric-key encryption schemes ensuring strong notions of confidentiality and integrity. Although various AE schemes are known, there remains significant interest in developing schemes that are more efficient, meet even stronger security notions (e.g., misuse-resistance), or satisfy certain non-cryptographic properties (e.g., being patent-free). We present an automated approach for analyzing and synthesizing blockcipher-based AE schemes, significantly extending prior work by Malozemoff et al. (CSF 2014) who synthesize encryption schemes satisfying confidentiality only. Our main insight is to restrict attention to a certain class of schemes that is expressive enough to capture several known constructions yet also admits automated reasoning about security. We use our approach to generate thousands of AE schemes with provable security guarantees, both known (e.g., variants of OCB and CCM) and new. Implementing two of these new schemes, we find their performance competitive with state-of-the-art AE schemes.
Automated algebraic analysis of structure-preserving signature schemes
Cited by 1 (0 self)
Structure-preserving signature schemes can be very useful in the construction of new cryptographic operations like blind signatures. Recently several of these schemes have been proposed. The security of structure-preserving signature schemes is still proved by hand, which can be a laborious task. One way to prove the security of these schemes is algebraic analysis. We present an approach to perform this analysis and the first tool, CheckSPS, that can do an algebraic security analysis of these schemes, using SMT solvers as backend. This can help in constructing new schemes and analysing existing schemes. Our tool can handle all the common security objectives for signature schemes, i.e. existential unforgeability and strong existential unforgeability, and all the common capabilities for adversaries, i.e. random message attacks, non-adaptive chosen message attacks and adaptive chosen message attacks. The tool is sound, so if an attack is found it is actually possible to construct a forged signature.
Mind the Gap: Modular Machine-checked Proofs of One-Round Key Exchange Protocols
Using EasyCrypt, we formalize a new modular security proof for one-round authenticated key exchange protocols in the random oracle model. Our proof improves earlier work by Kudla and Paterson (ASIACRYPT 2005) in three significant ways: we consider a stronger adversary model, we provide support tailored to protocols that utilize the Naxos trick, and we support proofs under the Computational DH assumption not relying on Gap oracles. Furthermore, our modular proof can be used to obtain concrete security proofs for protocols with or without adversarial key registration. We use this support to investigate, still using EasyCrypt, the connection between proofs without Gap assumptions and adversarial key registration. For the case of honestly generated keys, we obtain the first proofs of the Naxos and Nets protocols under the Computational DH assumption. For the case of adversarial key registration, we obtain machine-checked and modular variants of the well-known proofs for Naxos, Nets, and Naxos+.
Computer-aided proofs in cryptography: an overview
The goal of modern cryptography is to design efficient constructions that simultaneously achieve some desired functionality and provable security against resource-bounded adversaries. Over the years, the realm of cryptography has expanded from basic functionalities such as encryption, decryption and key agreement, to elaborate functionalities such as zero-knowledge protocols, secure multiparty computation, and more recently verifiable computation. In many cases, these elaborate functionalities can only be achieved through cryptographic systems, in which several elementary constructions interact. As a consequence of the evolution towards more complex functionalities, cryptographic proofs have become significantly more involved, and more difficult to check. Several cryptographers have therefore advocated the use of tool-supported frameworks for building and verifying proofs; the most vivid recommendation for using computer support is elaborated in a farseeing article [5] in which Shai Halevi describes a potential approach for realizing this vision. Besides increasing confidence in cryptographic proofs, tool-supported frameworks