Results 11-20 of 97
Computationally Sound Mechanized Proofs of Correspondence Assertions, 2007
Cited by 24 (7 self)
We present a new mechanized prover for showing correspondence assertions for cryptographic protocols in the computational model. Correspondence assertions are useful in particular for establishing authentication. Our technique produces proofs by sequences of games, as standard in cryptography. These proofs are valid for a number of sessions polynomial in the security parameter, in the presence of an active adversary. Our technique can handle a wide variety of cryptographic primitives, including shared- and public-key encryption, signatures, message authentication codes, and hash functions. It has been implemented in the tool CryptoVerif and successfully tested on examples from the literature.
Bounded Key-Dependent Message Security, 2009
Cited by 23 (4 self)
We construct the first public-key encryption scheme that is proven secure (in the standard model, under standard assumptions) even when the attacker gets access to encryptions of arbitrary efficient functions of the secret key. Specifically, under either the DDH or LWE assumption, for all polynomials L and N we obtain a public-key encryption scheme that resists key-dependent message (KDM) attacks for up to N(k) public keys and functions of circuit size up to L(k), where k denotes the size of the secret key. We call such a scheme bounded KDM secure. Moreover, we show that our scheme suffices for one of the important applications of KDM security: the ability to securely instantiate symbolic protocols with axiomatic proofs of security. We also observe that any fully homomorphic encryption scheme which additionally enjoys circular security and circuit privacy is fully KDM secure in the sense that the encryption and decryption algorithms can be independent of the polynomials L and N as above. Thus, the recent fully homomorphic encryption scheme of Gentry (STOC 2009) is fully KDM secure under certain non-standard hardness assumptions. Previous works obtained either full KDM security in the random oracle model (Black et al., SAC 2002) or security with respect to a very restricted class of functions (e.g., clique/circular security and affine functions, Boneh et al., CRYPTO 2008, and Applebaum et al., CRYPTO 2009). Our main result is based on a combination of the circular-secure encryption scheme of either Boneh et al. or Applebaum et al. with Yao's garbled circuit construction. Finally, we extend the impossibility result of Haitner and Holenstein (TCC 2009), showing that it is impossible to prove KDM security against a family of query functions that contains exponentially hard pseudorandom functions, using only black-box access to the query function and the adversary attacking the scheme. This proves that the non-black-box usage of the KDM query function in our proof of security is inherent. Keywords: KDM/clique/circular security; fully homomorphic encryption; formal security.
Symbolic and cryptographic analysis of the secure WS-ReliableMessaging scenario
In Foundations of Software Science and Computation Structures, 2006
Cited by 22 (2 self)
Web services are an important series of industry standards for adding semantics to web-based and XML-based communication, in particular among enterprises. Like the entire series, the security standards and proposals are highly modular. Combinations of several standards are put together for testing as interoperability scenarios, and these scenarios are likely to evolve into industry best practices. In the terminology of security research, the interoperability scenarios correspond to security protocols. Hence, it is desirable to analyze them for security. In this paper, we analyze the security of the new Secure WS-ReliableMessaging Scenario, the first scenario to combine security elements with elements of another quality-of-service standard. We do this both symbolically and cryptographically. The results of both analyses are positive. The discussion of actual cryptographic primitives of web services security is a novelty of independent interest in this paper.
Deciding security properties of cryptographic protocols. Application to key cycles
Transactions on Computational Logic, 2009
Cited by 21 (7 self)
There has been a growing interest in applying formal methods for validating cryptographic protocols and many results have been obtained. In this paper, we reinvestigate and extend the NP-complete decision procedure for a bounded number of sessions [33]. In this setting, constraint systems are now a standard for modeling security protocols. We provide a generic approach to decide general security properties by showing that any constraint system can be transformed in (possibly several) much simpler constraint systems that are called solved forms. As a consequence, we prove that deciding the existence of key cycles is NP-complete for a bounded number of sessions. Indeed, many recent results are concerned with interpreting proofs of security done in symbolic models in the more detailed models of computational cryptography. In the case of symmetric encryption, these results stringently demand that no key cycle (e.g. {k}k) can be produced during the execution of protocols. We show that our decision procedure can also be applied to reprove decidability of authentication-like properties and decidability of a significant existing fragment of protocols with timestamps.
Computationally sound secrecy proofs by mechanized flow analysis
In Proc. 13th CCS, 2006
Cited by 19 (4 self)
A large body of work exists for machine-assisted analysis of cryptographic protocols in the formal (Dolev-Yao) model, i.e., by abstracting cryptographic operators as a free algebra. In particular, proving secrecy by typing has been shown to be a salient technique as it allowed for elegant and fully automated proofs, often
Limits of the Cryptographic Realization of Dolev-Yao-style XOR
Computer Security, Proceedings of ESORICS 2005, number 3679 in Lecture Notes in Computer Science, 2005
Cited by 18 (5 self)
The abstraction of cryptographic operations by term algebras, called Dolev-Yao models, is essential in almost all tool-supported methods for proving security protocols. Recently significant progress was made in proving that such abstractions can be sound with respect to actual cryptographic realizations and security definitions. The strongest results show this in the sense of reactive simulatability/UC, a notion that essentially means retention of arbitrary security properties under arbitrary active attacks and in arbitrary protocol environments, with only small changes to both abstractions and natural implementations.
A Computational Interpretation of Dolev-Yao Adversaries
In Proc. of 3rd Int. Workshop on Issues in the Theory of Security (WITS’03), 2003
Cited by 17 (1 self)
The Dolev-Yao model is a simple and useful framework in which to analyze security protocols, but it assumes an extremely limited adversary. It is unclear if the results of this model would remain valid were the adversary to be given additional power. In this work, we show that there exist situations in which the Dolev-Yao adversary can be viewed as a valid abstraction of all realistic adversaries. We do this in two steps: 1. We translate the allowed behaviors of the Dolev-Yao adversary into the computational model, an alternate framework with a very powerful adversary.
Cryptographically Sound Security Proofs for Basic and Public-Key Kerberos
Proc. 11th European Symp. on Research in Comp. Sec., 2006
Cited by 17 (4 self)
We present a computational analysis of basic Kerberos with and without its public-key extension PKINIT in which we consider authentication and key secrecy properties. Our proofs rely on the Dolev–Yao-style model of Backes, Pfitzmann, and Waidner, which allows for mapping results obtained symbolically within this model to cryptographically sound proofs if certain assumptions are met. This work was the first verification at the computational level of such a complex fragment of an industrial protocol. By considering a recently fixed version of PKINIT, we extend symbolic correctness results we previously attained in the Dolev–Yao model to cryptographically sound results in the computational model.
Cryptographically sound implementations for communicating processes, 2006
Cited by 16 (4 self)
We design a core language of principals running distributed programs over a public network. Our language is a variant of the pi calculus, with secure communications, mobile names, and high-level certificates, but without any explicit cryptography. Within this language, security properties can be conveniently studied using trace properties and observational equivalences, even in the presence of an arbitrary (abstract) adversary. With some care, these security properties can be achieved in a concrete setting, relying on standard cryptographic primitives and computational assumptions, even in the presence of an adversary modeled as an arbitrary probabilistic polynomial-time algorithm. To this end, we develop a cryptographic implementation that preserves all properties for all safe programs. We give a series of soundness and completeness results that precisely relate the language to its implementation.
1 Secure Implementations of Communications Abstractions
When designing and verifying security protocols, some level of idealization is needed to provide manageable mathematical treatment. Accordingly, two views of cryptography
Adaptive security of symbolic encryption
In Proc. 2nd Theory of Cryptography Conference (TCC’05), volume 3378 of LNCS, 2005
Cited by 15 (3 self)
We prove a computational soundness theorem for the symbolic analysis of cryptographic protocols which extends an analogous theorem of Abadi and Rogaway (J. of Cryptology 15(2):103–127, 2002) to a scenario where the adversary gets to see the encryption of a sequence of adaptively chosen symbolic expressions. The extension of the theorem of Abadi and Rogaway to such an adaptive scenario is non-trivial, and raises issues related to the classic problem of selective decommitment, which do not appear in the original formulation of the theorem. Although the theorem of Abadi and Rogaway applies only to passive adversaries, our extension to adaptive attacks makes it substantially stronger, and powerful enough to analyze the security of cryptographic protocols of practical interest. We exemplify the use of our soundness theorem in the analysis of group key distribution protocols like those that arise in multicast and broadcast applications. Specifically, we provide cryptographic definitions of security for multicast key distribution protocols both in the symbolic as well as the computational framework and use our theorem to prove soundness of the symbolic definition.