Inductive Proofs of Computational Secrecy
Related papers
Inductive Proof Method for Computational Secrecy
We investigate inductive methods for proving secrecy properties of network protocols, in a "computational" setting applying a probabilistic polynomial-time adversary. As in cryptographic studies, our secrecy properties assert that no probabilistic polynomial-time distinguisher can win a suitable game presented by a challenger. Our method for establishing secrecy properties uses inductive proofs of computational trace-based properties, and axioms and inference rules for relating trace-based properties to non-trace-based properties. We illustrate the method, which is formalized in a logical setting that does not require explicit reasoning about computational complexity, probability, or the possible actions of the attacker, by giving a modular proof of computational authentication and secrecy properties of the Kerberos V5 protocol.
Proving Properties of Security Protocols by Induction
1997
Informal justifications of security protocols involve arguing backwards that various events are impossible. Inductive definitions can make such arguments rigorous. The resulting proofs are complicated, but can be generated reasonably quickly using the proof tool Isabelle/HOL. There is no restriction to finite-state systems and the approach is not based on belief logics.
The inductive approach to verifying cryptographic protocols
Informal arguments that cryptographic protocols are secure can be made rigorous using inductive definitions. The approach is based on ordinary predicate calculus and copes with infinite-state systems. Proofs are generated using Isabelle/HOL. The human effort required to analyze a protocol can be as little as a week or two, yielding a proof script that takes a few minutes to run. Protocols are inductively defined as sets of traces. A trace is a list of communication events, perhaps comprising many interleaved protocol runs. Protocol descriptions incorporate attacks and accidental losses. The model spy knows some private keys and can forge messages using components decrypted from previous traffic.
Inductive trace properties for computational security
Journal of Computer Security, 2010
Protocol authentication properties are generally trace-based, meaning that authentication holds for the protocol if authentication holds for individual traces (runs of the protocol and adversary). Computational secrecy conditions, on the other hand, often are not trace-based: the ability to computationally distinguish a system that transmits a secret from one that does not is measured by overall success on the set of all traces of each system. This presents a challenge for inductive or compositional methods: induction is a natural way of reasoning about traces of a system, but it does not appear applicable to non-trace properties. We therefore investigate the semantic connection between trace properties that could be established by induction and non-trace-based security requirements. Specifically, we prove that a certain trace property implies computational secrecy and authentication properties, assuming the encryption scheme provides chosen ciphertext security and ciphertext integrity. We also prove a similar theorem for computational secrecy assuming Decisional Diffie-Hellman and a chosen plaintext secure encryption scheme.
Computationally Sound, Automated Proofs for Security Protocols
Lecture Notes in Computer Science, 2005
Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomial-time attacks. The other approach relies on a symbolic model of protocol executions in which cryptographic primitives are treated as black boxes. Since the seminal work of Dolev and Yao, it has been realized that this latter approach enables significantly simpler and often automated proofs. However, the guarantees that it offers have been quite unclear.
Mechanized proofs for a recursive authentication protocol
1997
A novel protocol has been formally analyzed using the prover Isabelle/HOL, following the inductive approach described in earlier work. There is no limit on the length of a run, the nesting of messages or the number of agents involved. A single run of the protocol delivers session keys for all the agents, allowing neighbours to perform mutual authentication. The basic security theorem states that session keys are correctly delivered to adjacent pairs of honest agents, regardless of whether other agents in the chain are compromised. The protocol's complexity caused some difficulties in the specification and proofs, but its symmetry reduced the number of theorems to prove.
A note on an NP-completeness proof for cryptographic protocol insecurity
2008
This article discusses the paper "Protocol insecurity with a finite number of sessions and composed keys is NP-complete" [1]. Some understanding of the paper is recorded in this article. Especially a non-trivial error of the NP proof of [1] is presented, and we provide a solution to fix this error. We suggest that the NP-completeness proof can be improved in several aspects.
Proving secure properties of cryptographic protocols with knowledge based approach
2005
Existing cryptographic protocols usually contain flaws. To analyze these protocols and find potential flaws in them, the secure properties of them need to be studied in depth. This paper attempts to provide a new framework to analyze and prove the secure properties in these protocols. A number of predicates and action functions are used to model the network communication environment. Domain rules are given to describe the transitions of principals' knowledge and belief states. An example of public key authentication protocols has been studied and analysed.
Security Protocol Verification with Implicit Induction and Explicit Destructors
We present a new method for automatic implicit induction theorem proving, and its application for the verification of a key distribution cryptographic protocol. The method can handle axioms between constructor terms, a feature generally not supported by other induction procedures. We use such axioms in order to specify explicit destructors representing cryptographic operators.