Logics of Knowledge and Cryptography: Completeness and Expressiveness
Related papers
A Complete Axiomatization of Knowledge and Cryptography
22nd Annual IEEE Symposium on Logic in Computer Science (LICS 2007), 2007
The combination of first-order epistemic logic and formal cryptography offers a potentially very powerful framework for security protocol verification. In this article, we address two main challenges towards such a combination. First, the expressive power, specifically the epistemic modality, needs to receive concrete computational justification. Second, the logic must be shown to be, in some sense, formally tractable. Addressing the first challenge, we provide a generalized Kripke semantics that uses permutations on the underlying domain of cryptographic messages to reflect agents' limited computational power. Using this approach, we obtain logical characterizations of important concepts of knowledge in the security protocol literature, namely Dolev-Yao style message deduction and static equivalence. Answering the second challenge, we exhibit an axiomatization which is sound and complete relative to the underlying theory of cryptographic terms, and to an omega rule for quantifiers. The axiomatization uses largely standard axioms and rules from first-order modal logic. In addition, it includes some novel axioms for the interaction between knowledge and cryptography. To illustrate the usefulness of the logic we consider protocol examples using mixes, a Crowds style protocol, and electronic payments. Furthermore, we provide embedding results for BAN and SVO.
Knowledge in security protocols: an operational semantics for BAN logic
Communication usually aims at a certain desired knowledge change of the parties involved, rather than at a mere transport of information. In this paper, we focus on communication that takes place in the run of a protocol that is to establish a secure communication channel by means of a secret key. The protocol run must not only include the distribution of the key(s), but also convince the parties sharing the key that it can be trusted. Hence it makes sense to express the aim of such a protocol in terms of knowledge or convictions of the agents after a run of the protocol, usually under assumptions concerning what they know or believe beforehand.
DELP: Dynamic Epistemic Logic for Security Protocols
2021 23rd International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), 2021
The formal analysis of security protocols is a challenging field, with various approaches being studied nowadays. The famous Burrows-Abadi-Needham Logic was the first logical system aiming to validate security protocols. Combining ideas from previous approaches, in this paper we define a complete system of dynamic epistemic logic for modeling security protocols. Our logic is implemented, and a few of its properties are verified, using the theorem prover Lean.
Computational Semantics for First-Order Logical Analysis of Cryptographic Protocols
Lecture Notes in Computer Science, 2009
Linking Formal and Computational Views. Linking the two approaches started with Martin Abadi and Philip Rogaway around 2000 (passive adversaries). Active adversaries in two groups:
Two-world view: Symbolic and computational executions are formalized separately, as well as security properties. Soundness: try to prove that no successful symbolic (Dolev-Yao) attacker implies no successful computational attacker. Such are Reactive Simulatability of M. Backes, B. Pfitzmann, M. Waidner; D. Micciancio, B. Warinschi, Cortier (mapping lemma); V. Cortier, H. Comon-Lundh (soundness of observational equivalence).
Logical view: Only computational execution; symbolic formulas have direct computational meaning. Logical theory axiomatizes the relevant properties of cryptographic primitives. Security properties are directly proven from the axioms and derivation rules. Computational Protocol Compositional Logic of Stanford (John Mitchell's group); Computational Basic Protocol Logic (Keio).
Computational Soundness and Dolev-Yao Adversaries. Two-world Soundness Theorems: Don't assume much about the specifics of the formal system. Prove that no formal Dolev-Yao adversary implies no computational adversary. Controls the network. It is explicitly formulated what symbolic operations it may do: encrypt, decrypt with a key it has, pair, etc., things expressible syntactically. From a, b, it can compute (a,b). From a, K, it can compute {a}_K. If it has the decryption key, it can compute a from {a}_K. DY adversary does not give complete description of adversarial capabilities. For the soundness proofs complete axiomatization is needed.
Problems arising from incomplete description: Maybe for N, N' nonces, K key, R randomness, an adversary can generate a key K' and R' randomness such that {N} = {N'}; such an equality is usually not listed among the Dolev-Yao rules, and there might be countless others. Counterexamples can be created, i.e. no DY adversary but there is computational adversary. To avoid it: Strong assumptions for avoiding arbitrary parsing, such as appending half of the encrypting key to the end of the encryption R
Verifying epistemic protocols under common knowledge
Proceedings of the 11th Conference on Theoretical Aspects of Rationality and Knowledge - TARK '09, 2009
Epistemic protocols are communication protocols aiming at transfer of knowledge in a controlled way. Typically, the preconditions or goals for protocol actions depend on the knowledge of agents, often in nested form. Informal epistemic protocol descriptions for muddy children, coordinated attack, dining cryptographers, Russian cards, secret key exchange are well known. The contribution of this paper is a formal study of a natural requirement on epistemic protocols, that the contents of the protocol can be assumed to be common knowledge. By formalizing this requirement we can prove that there can be no unbiased deterministic protocol for the Russian cards problem. For purposes of our formal analysis we introduce an epistemic protocol language, and we show that its model checking problem is decidable.
A complete and decidable security-specialised logic and its application to the TESLA protocol
Proceedings of the fifth international joint conference on Autonomous agents and multiagent systems, 2006
We examine a logic to reason about security protocols by means of temporal and epistemic concepts. We report results on completeness and decidability of the formalism as well as its expressiveness. As a case study we apply the formalism in the analysis of Tesla, a secure stream multi-cast protocol.
On the Existence of an Effective and Complete Inference System for Cryptographic Protocols
Lecture Notes in Computer Science, 2004
A central question in the domain of program semantics and program verification is the existence of a complete inference system for assertions of the form π |= ϕ meaning that program π satisfies property ϕ. A stronger version of this question asks for an effective (decidable) complete inference system. We investigate these questions for cryptographic protocols focusing on authentication and confidentiality properties. While it is not difficult to see that a complete and effective inference system cannot exist when an unbounded number of sessions are considered, we prove that such a system exists for bounded protocols. More precisely, 1.) we provide a complete weakest precondition calculus for bounded cryptographic protocols and 2.) we show that assertions needed for completeness of the calculus are expressible in a decidable second order logic on terms.
Computational soundness without protocol restrictions
Proceedings of the 2012 ACM conference on Computer and communications security - CCS '12, 2012
The abstraction of cryptographic operations by term algebras, called Dolev-Yao models, is essential in almost all tool-supported methods for verifying security protocols. Recently significant progress was made in establishing computational soundness results: these results prove that Dolev-Yao style models can be sound with respect to actual cryptographic realizations and security definitions. However, these results came at the cost of imposing various constraints on the set of permitted security protocols: e.g., dishonestly generated keys must not be used, key cycles need to be avoided, and many more. In a nutshell, the cryptographic security definitions did not adequately capture these cases, but were considered carved in stone; in contrast, the symbolic abstractions were bent to reflect cryptographic features and idiosyncrasies, thereby requiring adaptations of existing verification tools. In this paper, we pursue the opposite direction: we consider a symbolic abstraction for public-key encryption and identify two cryptographic definitions called PROG-KDM (programmable key-dependent message) security and MKE (malicious-key extractable) security that we jointly prove to be sufficient for obtaining computational soundness without imposing assumptions on the protocols using this abstraction. In particular, dishonestly generated keys obtained from the adversary can be sent, received, and used. The definitions can be met by existing cryptographic schemes in the random oracle model. This yields the first computational soundness result for trace-properties that holds for arbitrary protocols using this abstraction (in particular permitting to send and receive dishonestly generated keys), and that is accessible to all existing tools for reasoning about Dolev-Yao models without further adaptations.
SECURITY ANALYSIS OF NETWORK PROTOCOLS: COMPOSITIONAL REASONING AND COMPLEXITY-THEORETIC FOUNDATIONS
2005
This dissertation addresses two central problems associated with the design and security analysis of network protocols that use cryptographic primitives. The first problem pertains to the secure composition of protocols, where the goal is to develop methods for proving properties of complex protocols by combining independent proofs of their parts. In order to address this problem, we have developed a framework consisting of two formal systems: