
## Automated Security Proofs with Sequences of Games (2006)

### Download Links

- [www.di.ens.fr]
- [www.iacr.org]
- [prosecco.gforge.inria.fr]
- [eprint.iacr.org]
- DBLP

### Other Repositories/Bibliography

| Field | Value |
|---|---|
| Venue | Proc. 27th IEEE Symposium on Security |
| Citations | 48 (9 self) |

### Citations

3463 | New directions in cryptography. Diffie, Hellman, 1976.
Citation context: ...achieve automatic provability under classical (and realistic) computational assumptions. The Computational Model. Since the seminal paper by Diffie and Hellman [20], complexity theory is tightly related to cryptography. Cryptographers indeed tried to use NP-hard problems to build secure cryptosystems. Therefore, adversaries have been modeled by probabilistic po...

1612 | Random oracles are practical: a paradigm for designing efficient protocols. Bellare, Rogaway, 1993.
Citation context: ...omatic proof of cryptographic protocols easier. One should note that the main addition from previous models [33, 28] is the introduction of arrays, which allow us to formalize the random oracle model [9], but also the authenticity (unforgeability) in several cryptographic primitives, such as signatures, message authentication codes, but also encryption schemes. Arrays allow us to have full access to ...

1373 | Probabilistic Encryption. Goldwasser, Micali, 1984.
Citation context: ...under chosen-message attacks [23]. Similarly, for encryption, the adversary chooses two messages, and one of them is encrypted. Then the goal of the adversary is to guess which one has been encrypted [22], with a probability significantly better than one half. Again, several oracles may be available to the adversary, according to the kind of attack (chosen-plaintext and/or chosen-ciphertext attacks [34...

1350 | On the security of public key protocols. Dolev, Yao, 1983.
Citation context: ...consequence, the actual security relies on the sole validity of the computational assumption. On the other hand, people from formal methods defined formal and abstract models, the so-called Dolev-Yao [21] framework, in order to be able to prove the security of cryptographic protocols too. However, these “formal” security proofs use the cryptographic primitives as ideal blackboxes. The main advantage o...

952 | A Digital Signature Scheme Secure Against Adaptive Chosen Message Attacks. Goldwasser, Micali, et al., 1988.
Citation context: ...tries to forge a new valid message-signature pair, while it is able to ask for the signature of any message of its choice. Such an attack is called an existential forgery under chosen-message attacks [23]. Similarly, for encryption, the adversary chooses two messages, and one of them is encrypted. Then the goal of the adversary is to guess which one has been encrypted [22], with a probability signific...

818 | Universally Composable Security: A New Paradigm for Cryptographic Protocols. Canetti, 2002.
Citation context: ...ormal notions of secrecy in the framework of this library. Recently, this framework has been used for a computationally-sound machine-checked proof of the Needham-Schroeder-Lowe protocol [38]. Canetti [16] introduced the notion of universal composability. With Herzog [17], they show how a Dolev-Yao-style symbolic analysis can be used to prove security properties of protocols within the framework of uni...

385 | The exact security of digital signatures: How to sign with RSA and Rabin. Bellare, Rogaway, 1996.
Citation context: ...of a random oracle, one generally stores the input and output of the random oracle in a list. In our calculus, they are stored in arrays. Contrarily to [13, 14], we adopt the exact security framework [10], instead of the asymptotic one. The cost of the reductions, and the probability loss will thus be precisely determined. We also adapt the syntax of our calculus, in order to be closer to the usual sy...

377 | Reconciling two views of cryptography (the computational soundness of formal encryption). Abadi, Rogaway.
Citation context: ...lity hypotheses), which specify security properties of primitives, and which can be combined in order to obtain a proof of the protocol. Related Work. Following the seminal paper by Abadi and Rogaway [1], recent results [32, 18, 25] show the soundness of the Dolev-Yao model with respect to the computational model, which makes it possible to use Dolev-Yao provers in order to prove protocols in the com...

377 | Non-interactive zero-knowledge proof of knowledge and chosen-ciphertext attacks. Rackoff, Simon, 1992.
Citation context: ...22], with a probability significantly better than one half. Again, several oracles may be available to the adversary, according to the kind of attack (chosen-plaintext and/or chosen-ciphertext attacks [34, 35]). One can see in these security notions that computation time and probabilities are of major importance: an unlimited adversary can always break them, with probability one; or in a shorter period of ...

347 | Universal one-way hash functions and their cryptographic applications. Naor, Yung, 1989.
Citation context: ...22], with a probability significantly better than one half. Again, several oracles may be available to the adversary, according to the kind of attack (chosen-plaintext and/or chosen-ciphertext attacks [34, 35]). One can see in these security notions that computation time and probabilities are of major importance: an unlimited adversary can always break them, with probability one; or in a shorter period of ...

237 | Practical threshold signatures. Shoup, 2000.

164 | Sequences of Games: a Tool for Taming Complexity in Security Proofs. Shoup, 2006.
Citation context: ...he adversary provided by the reduction was (almost) indistinguishable to the view of the adversary during a real attack. Such an indistinguishability was quite technical and error-prone. Victor Shoup [37] suggested to prove it by small changes [11], using a “sequence of games” (a.k.a. the game hopping technique) that the adversary plays, starting fr...

155 | A composable cryptographic library with nested operations. Backes, Pfitzmann, et al.
Citation context: ...hey require some restrictions on protocols (such as the absence of key cycles). Several frameworks exist for formalizing proofs of protocols in the computational model. Backes, Pfitzmann, and Waidner [5, 6, 3] have designed an abstract cryptographic library and shown its soundness with respect to computational primitives, under arbitrary active attacks. Backes and Pfitzmann [4] relate the computational and...

130 | A proposal for an ISO standard for public key encryption. Shoup, 2001.

122 | A computationally sound mechanized prover for security protocols. Cryptology ePrint Archive, Report 2005/401. Blanchet, 2005.
Citation context: ...prover based on sequences of games would be useful, and suggests ideas in this direction, but does not actually implement one. Our prover, which we describe in this paper, was previously presented in [13, 14], but in a more restricted way. It was indeed applied only to classical, Dolev-Yao-style protocols of the literature, such as the Needham-Schroeder public-key protocol. In this paper, we show that it c...

113 | A probabilistic poly-time framework for protocol analysis. Lincoln, Mitchell, et al., 1998.

112 | OAEP reconsidered. Shoup, 2001.

96 | Soundness of formal encryption in the presence of active adversaries. Micciancio, Warinschi, 2004.
Citation context: ...ich specify security properties of primitives, and which can be combined in order to obtain a proof of the protocol. Related Work. Following the seminal paper by Abadi and Rogaway [1], recent results [32, 18, 25] show the soundness of the Dolev-Yao model with respect to the computational model, which makes it possible to use Dolev-Yao provers in order to prove protocols in the computational model. However, th...

83 | Automatic proof of strong secrecy for security protocols. Blanchet, 2004.
Citation context: ...ramework of universal composability, for a restricted class of protocols using public-key encryption as only cryptographic primitive. Then, they use the automatic Dolev-Yao verification tool ProVerif [12] for verifying protocols in this framework. Lincoln, Mateus, Mitchell, Mitchell, Ramanathan, Scedrov, and Teague [29–31, 36, 33] developed a probabilistic polynomial-time calculus for the analysis of ...

72 | Symmetric encryption in a simulatable Dolev-Yao style cryptographic library. Backes, Pfitzmann, 2004.
Citation context: ...hey require some restrictions on protocols (such as the absence of key cycles). Several frameworks exist for formalizing proofs of protocols in the computational model. Backes, Pfitzmann, and Waidner [5, 6, 3] have designed an abstract cryptographic library and shown its soundness with respect to computational primitives, under arbitrary active attacks. Backes and Pfitzmann [4] relate the computational and...

72 | Using hash functions as a hedge against chosen ciphertext attack. Shoup, 2000.

70 | Computationally sound, automated proofs for security protocols. Cortier, Warinschi, 2005.
Citation context: ...ich specify security properties of primitives, and which can be combined in order to obtain a proof of the protocol. Related Work. Following the seminal paper by Abadi and Rogaway [1], recent results [32, 18, 25] show the soundness of the Dolev-Yao model with respect to the computational model, which makes it possible to use Dolev-Yao provers in order to prove protocols in the computational model. However, th...

57 | Symmetric encryption in automatic analyses for confidentiality against active adversaries. Laud, 2004.
Citation context: ... have not been automated up to now, as far as we know. Laud [26] designed an automatic analysis for proving secrecy for protocols using shared-key encryption, with passive adversaries. He extended it [27] to active adversaries, but with only one session of the protocol. This work is the closest to ours. We extend it considerably by handling more primitives, a variable number of sessions, and evaluatin...

51 | Probabilistic polynomial-time equivalence and security protocols. Lincoln, Mitchell, et al., 1999.

48 | A probabilistic polynomial-time calculus for the analysis of cryptographic protocols. Mitchell, Ramanathan, et al., 2006.
Citation context: ... in computational security proofs. This calculus has been carefully designed to make the automatic proof of cryptographic protocols easier. One should note that the main addition from previous models [33, 28] is the introduction of arrays, which allow us to formalize the random oracle model [9], but also the authenticity (unforgeability) in several cryptographic primitives, such as signatures, message aut...

47 | Relating symbolic and cryptographic secrecy. Backes, Pfitzmann, 2005.
Citation context: ...Pfitzmann, and Waidner [5, 6, 3] have designed an abstract cryptographic library and shown its soundness with respect to computational primitives, under arbitrary active attacks. Backes and Pfitzmann [4] relate the computational and formal notions of secrecy in the framework of this library. Recently, this framework has been used for a computationally-sound machine-checked proof of the Needham-Schroed...

45 | Probabilistic polynomial-time semantics for a protocol security logic. Datta, Derek, et al., 2005.
Citation context: ...ework. Lincoln, Mateus, Mitchell, Mitchell, Ramanathan, Scedrov, and Teague [29–31, 36, 33] developed a probabilistic polynomial-time calculus for the analysis of cryptographic protocols. Datta et al. [19] have designed a computationally sound logic that enables them to prove computational security properties using a logical deduction system. These frameworks can ...

43 | On concrete security treatment of signatures derived from identification. Ohta, Okamoto.

39 | Symmetric authentication within a simulatable cryptographic library. Backes, Pfitzmann, et al., 2003.
Citation context: ...hey require some restrictions on protocols (such as the absence of key cycles). Several frameworks exist for formalizing proofs of protocols in the computational model. Backes, Pfitzmann, and Waidner [5, 6, 3] have designed an abstract cryptographic library and shown its soundness with respect to computational primitives, under arbitrary active attacks. Backes and Pfitzmann [4] relate the computational and...

38 | A plausible approach to computer-aided cryptographic proofs. Cryptology ePrint Archive, Report 2005/181. Halevi, 2005.
Citation context: ...n contrast to our specialized prover, proofs in generic interactive theorem provers require a lot of human effort, in order to build a detailed enough proof for the theorem prover to check it. Halevi [24] explains that implementing an automatic prover based on sequences of games would be useful, and suggests ideas in this direction, but does not actually implement one. Our prover, which we describe in...

38 | A Paradoxical Solution to the Signature Problem. Goldwasser, Micali, et al., 1984.

33 | Cryptographically sound theorem proving. Sprenger, Backes, et al., 2006.
Citation context: ...tational and formal notions of secrecy in the framework of this library. Recently, this framework has been used for a computationally-sound machine-checked proof of the Needham-Schroeder-Lowe protocol [38]. Canetti [16] introduced the notion of universal composability. With Herzog [17], they show how a Dolev-Yao-style symbolic analysis can be used to prove security properties of protocols within the fr...

32 | Completing the picture: Soundness of formal encryption in the presence of active adversaries. Janvier, Lakhnech, et al., 2005.
Citation context: ...ich specify security properties of primitives, and which can be combined in order to obtain a proof of the protocol. Related Work. Following the seminal paper by Abadi and Rogaway [1], recent results [32, 18, 25] show the soundness of the Dolev-Yao model with respect to the computational model, which makes it possible to use Dolev-Yao provers in order to prove protocols in the computational model. However, th...

31 | Practice-Oriented Provable Security. Bellare, 1997.
Citation context: ...ion There exist two main frameworks for analyzing the security of cryptographic protocols. The most famous one, among the cryptographic community, is the “provable security” in the reductionist sense [8]: adversaries are probabilistic polynomial-time Turing machines which try to win a game, specific to the cryptographic primitive/protocol and to the security notion to be satisfied. The “computational...

30 | Universally composable symbolic analysis of cryptographic protocols (the case of encryption-based mutual authentication and key exchange). Canetti, Herzog, 2004.
Citation context: ..., this framework has been used for a computationally-sound machine-checked proof of the Needham-Schroeder-Lowe protocol [38]. Canetti [16] introduced the notion of universal composability. With Herzog [17], they show how a Dolev-Yao-style symbolic analysis can be used to prove security properties of protocols within the framework of universal composability, for a restricted class of protocols using pub...

30 | Secrecy Types for a Simulatable Cryptographic Library. Laud.
Citation context: ...of the protocol. This work is the closest to ours. We extend it considerably by handling more primitives, a variable number of sessions, and evaluating the probability of an attack. More recently, he [28] designed a type system for proving security protocols in the computational model. This type system handles shared- and public-key encryption, with an unbounded number of sessions. This system relies ...

26 | Handling encryption in an analysis for secure information flow. Laud, 2003.
Citation context: ...n be used to prove security properties of protocols in the computational sense, but except for [17] which relies on a Dolev-Yao prover, they have not been automated up to now, as far as we know. Laud [26] designed an automatic analysis for proving secrecy for protocols using shared-key encryption, with passive adversaries. He extended it [27] to active adversaries, but with only one session of the pro...

26 | Composition of cryptographic protocols in a probabilistic polynomial-time process calculus. Mateus, Mitchell, Scedrov, 2003.

24 | Probabilistic bisimulation and equivalence for security analysis of network protocols. Ramanathan, Mitchell, et al., 2004.

23 | A machine-checked formalization of the generic model and the random oracle model. Barthe, Cerderquist, et al., 2004.
Citation context: ...public-key encryption, with an unbounded number of sessions. This system relies on the Backes-Pfitzmann-Waidner library. A type inference algorithm is sketched in [2]. Barthe, Cerderquist, and Tarento [7, 39] have formalized the generic model and the random oracle model in the interactive theorem prover Coq, and proved signature schemes in this framework. In contrast to our specialized prover, proofs in g...

10 | The game-playing technique and its application to triple encryption. Cryptology ePrint Archive, Report 2004/331, 2004, http://eprint.iacr.org/. Bellare, Rogaway.
Citation context: ...almost) indistinguishable to the view of the adversary during a real attack. Such an indistinguishability was quite technical and error-prone. Victor Shoup [37] suggested to prove it by small changes [11], using a “sequence of games” (a.k.a. the game hopping technique) that the adversary plays, starting from the real attack game. Two consecutive gam...

9 | Machine-checked security proofs of cryptographic signature schemes. Tarento.
Citation context: ...public-key encryption, with an unbounded number of sessions. This system relies on the Backes-Pfitzmann-Waidner library. A type inference algorithm is sketched in [2]. Barthe, Cerderquist, and Tarento [7, 39] have formalized the generic model and the random oracle model in the interactive theorem prover Coq, and proved signature schemes in this framework. In contrast to our specialized prover, proofs in g...

2 | Advanced Course on Contemporary Cryptology, chapter Provable Security for Public-Key Schemes. Pointcheval, 2005.

1 | A mechanized, cryptographically sound type inference checker. Backes, Laud, 2006.
Citation context: ... This type system handles shared- and public-key encryption, with an unbounded number of sessions. This system relies on the Backes-Pfitzmann-Waidner library. A type inference algorithm is sketched in [2]. Barthe, Cerderquist, and Tarento [7, 39] have formalized the generic model and the random oracle model in the interactive theorem prover Coq, and proved signature schemes in this framework. In contr...