Computationally Sound Symbolic Secrecy in the Presence of Hash Functions

Inductive Proofs of Computational Secrecy

2007

Secrecy properties of network protocols assert that no probabilistic polynomial-time distinguisher can win a suitable game presented by a challenger. Because such properties are not determined by trace-by-trace behavior of the protocol, we establish a trace-based protocol condition, suitable for inductive proofs, that guarantees a generic reduction from protocol attacks to attacks on underlying primitives. We use this condition to present a compositional inductive proof system for secrecy, and illustrate the system by giving a modular, formal proof of computational authentication and secrecy properties of Kerberos V5.

Computational soundness without protocol restrictions

Proceedings of the 2012 ACM conference on Computer and communications security - CCS '12, 2012

The abstraction of cryptographic operations by term algebras, called Dolev-Yao models, is essential in almost all tool-supported methods for verifying security protocols. Recently significant progress was made in establishing computational soundness results: these results prove that Dolev-Yao style models can be sound with respect to actual cryptographic realizations and security definitions. However, these results came at the cost of imposing various constraints on the set of permitted security protocols: e.g., dishonestly generated keys must not be used, key cycles need to be avoided, and many more. In a nutshell, the cryptographic security definitions did not adequately capture these cases, but were considered carved in stone; in contrast, the symbolic abstractions were bent to reflect cryptographic features and idiosyncrasies, thereby requiring adaptations of existing verification tools. In this paper, we pursue the opposite direction: we consider a symbolic abstraction for public-key encryption and identify two cryptographic definitions called PROG-KDM (programmable key-dependent message) security and MKE (malicious-key extractable) security that we jointly prove to be sufficient for obtaining computational soundness without imposing assumptions on the protocols using this abstraction. In particular, dishonestly generated keys obtained from the adversary can be sent, received, and used. The definitions can be met by existing cryptographic schemes in the random oracle model. This yields the first computational soundness result for trace-properties that holds for arbitrary protocols using this abstraction (in particular permitting to send and receive dishonestly generated keys), and that is accessible to all existing tools for reasoning about Dolev-Yao models without further adaptations.

On Defining Proofs of Knowledge in the Bare Public-Key Model

Theoretical Computer Science - Proceedings of the 10th Italian Conference on ICTCS '07, 2007

One contribution provided by the groundbreaking concept of interactive proofs is the notion of proofs of knowledge, where a prover can convince a verifier that she knows a secret related to a public statement. This notion was formalized in the conventional complexity-theoretic model of interactive protocols and shown to be very useful for cryptographic applications, such as entity authentication schemes. Motivated by these applicability considerations, in this paper, we consider proofs of knowledge in a cryptographic model, called the bare public-key model (BPK model in short), where round-efficient interactive proofs with strong variants of security against provers (i.e., soundness) and security against verifiers (i.e., zero-knowledge) have been presented. We formally define notions of proofs of knowledge in the BPK model, and show that there are 4 distinct such notions for each of the previously studied four known notions of soundness. Finally, under the existence of any homomorphic one-way function family, (a generalization of) a 4-round argument system for all NP languages from the literature is a proof of knowledge that is secure against concurrent attacks from provers or verifiers.

Public-Key Encryption with Random Oracles

Introduction to Security Reduction, 2018

In this chapter, we mainly use a variant of ElGamal encryption to introduce how to prove the security of encryption schemes under computational hardness assumptions. The basic scheme is called the hashed ElGamal scheme [1]. The twin ElGamal scheme and the iterated ElGamal scheme are from [29] and [55], respectively, and introduce two totally different approaches for addressing the reduction loss of finding a correct solution from hash queries. The ElGamal encryption scheme with CCA security is introduced using the Fujisaki-Okamoto transformation [42]. The given schemes and/or proofs may be different from the original ones.

7.1 Hashed ElGamal Scheme

SysGen: The system parameter generation algorithm takes as input a security parameter $\lambda$. It chooses a cyclic group $(\mathbb{G}, p, g)$, selects a cryptographic hash function $H : \{0,1\}^* \to \{0,1\}^n$, and returns the system parameters $SP = (\mathbb{G}, p, g, H)$.

KeyGen: The key generation algorithm takes as input the system parameters $SP$. It randomly chooses $\alpha \in \mathbb{Z}_p$, computes $g_1 = g^{\alpha}$, and returns a public/secret key pair $(pk, sk)$ as follows: $pk = g_1$, $sk = \alpha$.

Encrypt: The encryption algorithm takes as input a message $m \in \{0,1\}^n$, the public key $pk$, and the system parameters $SP$. It chooses a random number $r \in \mathbb{Z}_p$ and returns the ciphertext $CT$ as $CT = (C_1, C_2) = \left(g^r,\ H(g_1^r) \oplus m\right)$.

On Constructions and Security Notions of Public-key Cryptosystems

Book Chapter, Contemporary Topics in Mathematics and Statistics with Applications, Volume-I, Asian Books Pvt Ltd., 2012

From its inception, public-key cryptosystems have been an area of active research. Various aspects of public-key encryption like constructions, security notions, adversarial models, hardness assumptions, proof-methodology, efficiency, compatibility etc. have been analysed and re-analysed in the last three and a half decades by numerous cryptographers. Some of them are good enough to survive while some of them, though broken, provide meaningful insights towards the subject. In this article, our aim is to provide an expository as well as technical (as far as possible, keeping in mind its brevity) overview of the subject as it has progressed over the years, along with some open problems and suitable references.

A Semi-Decidable Procedure for Secrecy in Cryptographic Protocols

In this paper, we present a new semi-decidable procedure to analyze cryptographic protocols for the property of secrecy based on a new class of functions that we call: the Witness-Functions. A Witness-Function is a reliable function that guarantees the secrecy in any protocol proved increasing once analyzed by it. Hence, the problem of correctness becomes a problem of protocol growth. A Witness-Function operates on derivative messages in a role-based specification and introduces new derivation techniques. We give here the technical aspects of the Witness-Functions and we show how to use them in a semi-decidable procedure. Then, we analyze a variation of Needham-Schroeder protocol and we show that a Witness-Function can also help to teach about flaws. Finally, we analyze the NSL protocol and we prove that it is correct with respect to secrecy.

Inductive Proof Method for Computational Secrecy

We investigate inductive methods for proving secrecy properties of network protocols, in a "computational" setting applying a probabilistic polynomial-time adversary. As in cryptographic studies, our secrecy properties assert that no probabilistic polynomial-time distinguisher can win a suitable game presented by a challenger. Our method for establishing secrecy properties uses inductive proofs of computational trace-based properties, and axioms and inference rules for relating trace-based properties to non-trace-based properties. We illustrate the method, which is formalized in a logical setting that does not require explicit reasoning about computational complexity, probability, or the possible actions of the attacker, by giving a modular proof of computational authentication and secrecy properties of the Kerberos V5 protocol.

How to Guarantee Secrecy for Cryptographic Protocols

Eprint Arxiv Cs 0703140, 2007

In this paper we propose a general definition of secrecy for cryptographic protocols in the Dolev-Yao model. We give a sufficient condition ensuring secrecy for protocols where rules have encryption depth at most two, that is satisfied by almost all practical protocols. The only allowed primitives in the class of protocols we consider are pairing and encryption with atomic keys. Moreover, we describe an algorithm of practical interest which transforms a cryptographic protocol into a secure one from the point of view of secrecy, without changing its original goal with respect to secrecy of nonces and keys, provided the protocol satisfies some conditions. These conditions are not very restrictive and are satisfied for most practical protocols.

Soundness of Formal Encryption in the Presence of Active Adversaries

Lecture Notes in Computer Science, 2004

We present a general method to prove security properties of cryptographic protocols against active adversaries, when the messages exchanged by the honest parties are arbitrary expressions built using encryption and concatenation operations. The method allows to express security properties and carry out proofs using a simple logic based language, where messages are represented by syntactic expressions, and does not require dealing with probability distributions or asymptotic notation explicitly. Still, we show that the method is sound, meaning that logic statements can be naturally interpreted in the computational setting in such a way that if a statement holds true for any abstract (symbolic) execution of the protocol in the presence of a Dolev-Yao adversary, then its computational interpretation is also correct in the standard computational model where the adversary is an arbitrary probabilistic polynomial time program. This is the first paper providing a simple framework for translating security proofs from the logic setting to the standard computational setting for the case of powerful active adversaries that have total control of the communication network.

On the Security Notions for Public-Key Encryption Schemes

2004

In this paper, we revisit the security notions for public-key encryption, and namely indistinguishability. We indeed achieve the surprising result that no decryption query before receiving the challenge ciphertext can be replaced by queries (whatever the number is) after having received the challenge, and vice-versa. This remark leads to a stricter and more complex hierarchy for security notions in the public-key setting: the (i, j)-IND level, in which an adversary can ask at most i (j resp.) queries before (after resp.) receiving the challenge. Except for the trivial implications, all the other relations are strict gaps, with no polynomial reduction (under the assumption that IND-CCA2 secure encryption schemes exist). Similarly, we define different levels for non-malleability (denoted (i, j)-NM).