Games and the impossibility of realizable ideal functionality
 In Theory of Cryptography, 3rd Theory of Cryptography Conference, TCC 2006, volume 3876 of Lecture Notes in Computer Science
, 2006
Cited by 8 (2 self)
Abstract
A cryptographic primitive or a security mechanism can be specified in a variety of ways, such as a condition involving a game against an attacker, construction of an ideal functionality, or a list of properties that must hold in the face of attack. While game conditions are widely used, an ideal functionality is appealing because a mechanism that is indistinguishable from an ideal functionality is therefore guaranteed secure in any larger system that uses it. We relate ideal functionalities to games by defining the set of ideal functionalities associated with a game condition and show that under this definition, which reflects accepted use and known examples, a number of cryptographic concepts do not have any realizable ideal functionality in the plain model. Some interesting examples are multiparty coin-tossing, bit-commitment and shared random sequences. One interpretation of this negative result is that equational approaches based on computational observational equivalence might be better applied to reasoning about game conditions than equivalence with ideal functionalities. Alternatively, generality might be obtained by allowing for various setup assumptions, or by other means.
Sound computational interpretation of symbolic hashes in the standard model
 In IWSEC’06, volume 4266 of LNCS
, 2006
Cited by 6 (2 self)
Conditional Reactive Simulatability
 In ESORICS 2006, 11th European Symposium on Research in Computer Security
, 2006
Cited by 6 (2 self)
Abstract
Simulatability has established itself as a salient notion for defining and proving the security of cryptographic protocols since it entails strong security and compositionality guarantees, which are achieved by universally quantifying over all environmental behaviors of the analyzed protocol. As a consequence, however, protocols that are secure except for certain environmental behaviors are not simulatable, even if these behaviors are efficiently identifiable and thus can be prevented by the surrounding protocol.
Inductive proofs of computational secrecy
 In ESORICS
, 2007
Cited by 5 (1 self)
Abstract
Abstract. Secrecy properties of network protocols assert that no probabilistic polynomial-time distinguisher can win a suitable game presented by a challenger. Because such properties are not determined by trace-by-trace behavior of the protocol, we establish a trace-based protocol condition, suitable for inductive proofs, that guarantees a generic reduction from protocol attacks to attacks on underlying primitives. We use this condition to present a compositional inductive proof system for secrecy, and illustrate the system by giving a modular, formal proof of computational authentication and secrecy properties of Kerberos V5.
Sound and Complete Computational Interpretation of Symbolic Hashes in the Standard Model
Cited by 4 (2 self)
Abstract
Abstract. This paper provides one more step towards bridging the gap between the formal and computational approaches to the verification of cryptographic protocols. We extend the well-known Abadi-Rogaway logic with probabilistic hashes and give a precise semantic interpretation to it using Canetti's oracle hashes. These are probabilistic polynomial-time hashes that hide all partial information. Finally, we show that this interpretation is computationally sound and complete.
Inductive trace properties for computational security
, 2009
Cited by 3 (2 self)
Abstract
Protocol authentication properties are generally trace-based, meaning that authentication holds for the protocol if authentication holds for individual traces (runs of the protocol and adversary). Computational secrecy conditions, on the other hand, often are not trace-based: the ability to computationally distinguish a system that transmits a secret from one that does not is measured by overall success on the set of all traces of each system. Non-trace-based properties present a challenge for inductive or compositional methods: induction is a natural way of reasoning about traces of a system, but it does not appear directly applicable to non-trace properties. We therefore investigate the semantic connection between trace properties that could be established by induction and non-trace-based security requirements. Specifically, we prove that a certain trace property implies computational secrecy and authentication properties, assuming the encryption scheme provides chosen ciphertext security and ciphertext integrity. We also prove a similar theorem for computational secrecy assuming Decisional Diffie-Hellman and a chosen plaintext secure encryption scheme.
Formal proofs of cryptographic security of Diffie-Hellman-based protocols
, 2007
Cited by 3 (0 self)
Abstract
Abstract. We present axioms and inference rules for reasoning about Diffie-Hellman-based key exchange protocols and use these rules to prove authentication and secrecy properties of two important protocol standards, the Diffie-Hellman variant of Kerberos, and IKEv2, the revised standard key management protocol for IPSEC. The new proof system is sound for an accepted semantics used in cryptographic studies. In the process of applying our system, we uncover a deficiency in Diffie-Hellman Kerberos that is easily repaired.
Threshold Homomorphic Encryption in the Universally Composable Cryptographic Library
Cited by 2 (0 self)
Abstract
Abstract. The universally composable cryptographic library by Backes, Pfitzmann and Waidner provides Dolev-Yao-like, but cryptographically sound abstractions to common cryptographic primitives like encryptions and signatures. The library has been used to give the correctness proofs of various protocols; while the arguments in such proofs are similar to the ones done with the Dolev-Yao model that has been researched for a couple of decades already, the conclusions that such arguments provide are cryptographically sound. Various interesting protocols, for example e-voting, make extensive use of primitives that the library currently does not provide. The library can certainly be extended, and in this paper we provide one such extension — we add threshold homomorphic encryption to the universally composable cryptographic library and demonstrate its usefulness by (re)proving the security of a well-known e-voting protocol.
Completeness of Formal Hashes in the Standard Model
Cited by 1 (1 self)
Abstract
We study an extension of the well-known Abadi-Rogaway logic with hashes. Previously, we have given a sound computational interpretation of this extension using Canetti's oracle hashing. This paper extends Micciancio and Warinschi's completeness result for the original logic to this setting.
Soundness Limits of Dolev-Yao Models
 Proceedings of the Workshop on Formal and Computational Cryptography (FCC 2006)
, 2006
Cited by 1 (0 self)
Abstract
Abstract. Automated tools such as model checkers and theorem provers for the analysis of security protocols typically abstract from cryptography by Dolev-Yao models, i.e., they replace real cryptographic operations by term algebras. The soundness of Dolev-Yao models with respect to real cryptographic security definitions has received significant attention in the last years. Until recently, all published results were positive, i.e., they show that various classes of Dolev-Yao models are indeed sound with respect to various soundness definitions. Here we discuss impossibility results. In particular, we present such results for Dolev-Yao models with hash functions, and for the strong security notion of black-box reactive simulatability (BRSIM)/UC. We show that the impossibility even holds if no secrecy (only collision resistance) is required of the Dolev-Yao model of the hash function, or if probabilistic hashing is used, or certain plausible protocol restrictions are made. We also survey related results for XOR. In addition, we start to make some