Eike Ritter

Analysing Unlinkability and Anonymity Using the Applied Pi Calculus

An attacker that can identify messages as coming from the same source, can use this information to build up a picture of targets’ behaviour, and so, threaten their privacy. In response to this danger, unlinkable protocols aim to make it impossible for a third party to identify two runs of a protocol as coming from the same device. We present a framework for analysing unlinkability and anonymity in the applied pi calculus. We show that unlinkability and anonymity are complementary properties; one does not imply the other. Using our framework we show that the French RFID e-passport preserves anonymity but it is linkable therefore anyone carrying a French e-passport can be physically traced.

Categorical and Kripke Semantics for Constructive S4 Modal Logic

We consider two systems of constructive modal logic which are computationally motivated. Their modalities admit several computational interpretations and are used to capture intensional features such as notions of computation, constraints, concurrency, etc. Both systems have so far been studied mainly from type-theoretic and category-theoretic perspectives, but Kripke models for similar systems were studied independently. Here we bring these threads together and prove duality results which show how to relate Kripke models to algebraic models and these in turn to the appropriate categorical models for these logics.

New privacy issues in mobile telephony: fix and verification

Mobile telephony equipment is daily carried by billions of subscribers everywhere they go. Avoiding linkability of subscribers by third parties, and protecting the privacy of those subscribers is one of the goals of mobile telecommunication protocols. We use formal methods to model and analyse the security properties of 3G protocols. We expose two novel threats to the user privacy in 3G telephony systems, which make it possible to trace and identify mobile telephony subscribers, and we demonstrate the feasibility of a low cost implementation of these attacks. We propose fixes to these privacy issues, which also take into account and solve other privacy attacks known from the literature. We successfully prove that our privacy-friendly fixes satisfy the desired unlinkability and anonymity properties using the automatic verification tool ProVerif.

An Authentication Framework for Wireless Sensor Networks using Identity-Based Signatures

In Wireless Sensor Networks (WSNs), authentication is a crucial security requirement to avoid attacks against secure communication, and to mitigate DoS attacks exploiting the limited resources of sensor nodes. Resource constraints of sensor nodes are hurdles in applying strong public key cryptographic based mechanisms in WSNs. To address the problem of authentication in WSNs, we propose an efficient and secure framework for authenticated broadcast/multicast by sensor nodes as well as for outside user authentication, which utilizes identity based cryptography and online/offline signature schemes. The primary goals of this framework are to enable all sensor nodes in the network, firstly, to broadcast and/or multicast an authenticated message quickly; secondly, to verify the broadcast/multicast message sender and the message contents; and finally, to verify the legitimacy of an outside user. The proposed framework is also evaluated using the most efficient and secure identity-based signature schemes.

StatVerif: Verification of Stateful Processes

We present StatVerif, which is an extension the ProVerif process calculus with constructs for explicit state, in order to be able to reason about protocols that manipulate global state. Global state is required by protocols used in hardware devices (such as smart cards and the TPM), as well as by protocols involving databases that store persistent information. We provide the operational semantics of StatVerif. We extend the ProVerif compiler to a compiler for StatVerif: it takes processes written in the extended process language, and produces Horn clauses. Our compilation is carefully engineered to avoid many false attacks. We prove the correctness of the StatVerif compiler. We illustrate our method on two examples: a small hardware security device, and a contract signing protocol. We are able to prove their desired properties automatically.

On the intuitionistic force of classical search

The combinatorics of classical propositional logic lies at the heart of both local and global methods of proof-search enabling the achievement of least-commitment search. Extension of such methods to the predicate calculus, or to non-classical systems, presents us with the problem of recovering this least-commitment principle in the context of non-invertible rules. One successful approach is to view the non-classical logic as a perturbation on search in classical logic and characterize when a least-commitment (classical) search yields sufficient evidence for provability in the (non-classical) logic. This technique has been successfully applied to both local and global methods at the cost of subsidiary searches and is the analogue of the standard treatment of quantifiers via skolemization and unification. In this paper, we take a type-theoretic view of this approach for the case in which the non-classical logic is intuitionistic. We develop a system of realizers (proof-objects) for sequents in classical propositional logic (the types) by extending Parigots λμ-calculus, a system of realizers for classical free deduction (cf. natural deduction). Our treatment of disjunction exploits directly the multiple-conclusioned form of LK as opposed to the single-conclusioned form of LJ. Consequently, it requires the addition of another binding operator, called ν, to λμ. This choice is motivated by our concern to reflect the properties of classical proof-search in the system of realizers. Using this framework, we illustrate the sense in which intuitionistic search can be viewed as a perturbation on classical search. As an application, we develop a proof procedure based on the natural extension of the notion of uniform proof to the multiple-conclusioned classical sequent calculus Harrop fragment of intuitionistic logic. This paper develops the proof-theoretic aspects of the approach.

On the semantics of classical disjunction

Abstract The λμ -calculus provides a system of realizers for classical free (cf. natural) deduction in the absence of disjunction. We identify two forms of disjunction, one derived from Gentzens sequent calculus LJ and one from LK, and develop the corresponding metatheory for λμ extended with disjunction. We describe a class of categorical models for the λμ -calculus with each of these disjunctions. Considering the calculus with LK-derived disjunction, λμν , we establish the standard metatheoretic properties and show that a class of continuations models of λμ can be elegantly extended to λμν . Comparing the two forms of disjunction, we show that any model which identifies them collapses to a trivial family of Boolean algebras.

A Fully Abstract Translation between a Lambda-Calculus with Reference Types and Standard ML

This paper describes a syntactic translation for a substantial fragment of the core Standard ML language into a typed λ-calculus with recursive types and imperative features in the form of reference types. The translation compiles SMLs use of declarations and pattern matching into λ-terms, and transforms the use of environments in the operational semantics into a simpler relation of evaluation to canonical form. The translation is shown to be ‘fully abstract’, in the sense that it both preserves and reflects observational equivalence (also commonly called contextual equivalence). A co-inductively defined notion of applicative bisimilarity for lambda calculi with state is developed to establish this result.

Analysis of a multi-party fair exchange protocol and formal proof of correctness in the strand space model

A multi-party fair exchange protocol is a cryptographic protocol allowing several parties to exchange commodities in such a way that everyone gives an item away if and only if it receives an item in return. In this paper we discuss a multi-party fair exchange protocol originally proposed by Franklin and Tsudik, and subsequently shown to have flaws and fixed by Gonzalez and Markowitch. We identify flaws in the fixed version of the protocol, propose a corrected version, and give a formal proof of correctness in the strand space model.

Linear explicit substitutions

The-calculus adds explicit substitutions to the-calculus so as to provide a theoretical framework within which the implementation of functional programming languages can be studied. This paper generalises the-calculus to provide a linear calculus of explicit substitutions, called xDILL, which analogously describes the implementation of linear functional programming languages. Our main observation is that there are non-trivial interactions between linearity and explicit substitutions and that xDILL is therefore best understood as a synthesis of its underlying logical structure and the technology of explicit substitutions. This is in contrast to the-calculus where the explicit substitutions are independent of the underlying logical structure.