Gergei Bana

Soundness of formal encryption in the presence of key-cycles

Both the formal and the computational models of cryptography contain the notion of message equivalence or indistinguishability. An encryption scheme provides soundness for indistinguishability if, when mapping formal messages into the computational model, equivalent formal messages are mapped to indistinguishable computational distributions. Previous soundness results are limited in that they do not apply when key-cycles are present. We demonstrate that an encryption scheme provides soundness in the presence of key-cycles if it satisfies the recently-introduced notion of key-dependent message (KDM) security. We also show that soundness in the presence of key-cycles (and KDM security) neither implies nor is implied by security against chosen ciphertext attack (CCA-2). Therefore, soundness for key-cycles is possible using a new notion of computational security, not possible using previous such notions, and the relationship between the formal and computational models extends beyond chosen-ciphertext security.

Computational and information-theoretic soundness and completeness of formal encryption

We consider expansions of the Abadi-Rogaway logic of indistinguishability of formal cryptographic expressions. We expand the logic in order to cover cases when partial information of the encrypted plaintext is revealed. We consider not only computational, but also purely probabilistic, information-theoretic interpretations. We present a general, systematic treatment of the expansions of the logic for symmetric encryption. We establish general soundness and completeness theorems for the interpretations. We also present applications to specific settings not covered in earlier works: a purely probabilistic one based on one-time pad, and computational settings of the so-called type-2 (which-key revealing) and type-3 (which-key and length revealing) encryption schemes based on computational complexity.

Towards unconditional soundness: computationally complete symbolic attacker

We consider the question of the adequacy of symbolic models versus computational models for the verification of security protocols. We neither try to include properties in the symbolic model that reflect the properties of the computational primitives nor add computational requirements that enforce the soundness of the symbolic model. We propose in this paper a different approach: everything is possible in the symbolic model, unless it contradicts a computational assumption. In this way, we obtain unconditional soundness almost by construction. And we do not need to assume the absence of dynamic corruption or the absence of key-cycles, which are examples of hypotheses that are always used in related works. We set the basic framework, for arbitrary cryptographic primitives and arbitrary protocols, however for trace security properties only.

Soundness and completeness of formal encryption: The cases of key cycles and partial information leakage

In their seminal work, Abadi and Rogaway show that the formal (Dolev-Yao) notion of indistinguishability is sound with respect to the computational model: messages that are indistinguishable in the formal model become indistinguishable messages in the computational model. However, this result leaves two problems unsolved. First, it cannot tolerate key cycles. Second, it makes the too-strong assumption that the underlying cryptography hides all aspects of the plaintext, including its length. In this paper we extend their work in order to address these problems. We show that the recently-introduced notion of KDM-security can provide soundness even in the presence of key cycles. For this, we have to consider encryption that reveals the length of plaintexts, which we use to motivate a general examination information-leaking encryption. In particular, we consider the conditions under which an encryption scheme that may leak some partial information will provide soundness and completeness to some (possibly weakened) version of the formal model. Partially supported by FCT grant SFRH/BD/8148/2002. Additional support from FEDER/FCT projects QuantLog POCI/MAT/55796/2004, QSec PTDC/EIA/67661/2006 and KLog PTDC/MAT/68723/2006. Partially supported by OSD/ONR CIP/SW URI “Software Quality and Infrastructure Protection for Diffuse Computing” through ONR Grant N00014-01-1-0795. Additional support from NSF Grant CNS-0429689. Additional support from the Packard Fellowship. Part of this work was done while the author was affiliated with University of Pennsylvania, Department of Mathematics. Partially supported by OSD/ONR CIP/SW URI “Software Quality and Infrastructure Protection for Diffuse Computing” through ONR Grant N00014-01-1-0795 and OSD/ONR CIP/SW URI “Trustworthy Infrastructure, Mechanisms, and Experimentation for Diffuse Computing” through ONR Grant N00014-04-1-0725. Additional support from NSF Grants CCR-0098096 and CNS-0429689.

A Computationally Complete Symbolic Attacker for Equivalence Properties

We consider the problem of computational indistinguishability of protocols. We design a symbolic model, amenable to automated deduction, such that a successful inconsistency proof implies computational indistinguishability. Conversely, symbolic models of distinguishability provide clues for likely computational attacks. We follow the idea we introduced earlier for reachability properties, axiomatizing what an attacker cannot violate. This results a computationally complete symbolic attacker, and ensures unconditional computational soundness for the symbolic analysis. We present a small library of computationally sound, modular axioms, and test our technique on an example protocol. Despite additional difficulties stemming from the equivalence properties, the models and the soundness proofs turn out to be simpler than they were for reachability properties.

Computational soundness of formal indistinguishability and static equivalence

In the investigation of the relationship between the formal and the computational view of cryptography, a recent approach, first proposed in [10], uses static equivalence from cryptographic pi calculi as a notion of formal indistinguishability. Previous work [10,1] has shown that this yields the soundness of natural interpretations of some interesting equational theories, such as certain cryptographic operations and a theory of XOR. In this paper however, we argue that static equivalence is too coarse to allow sound interpretations of many natural and useful equational theories. We illustrate this with several explicit examples in which static equivalence fails to work. To fix the problem, we propose a notion of formal indistinguishability that is more flexible than static equivalence. We provide a general framework along with general theorems, and then discuss how this new notion works for the explicit examples where static equivalence fails to ensure soundness.

Computationally Complete Symbolic Attacker in Action

We show that the recent technique of computationally complete symbolic attackers proposed by Bana and Comon-Lundh [POST 2012] for computationally sound verification of security protocols is powerful enough to verify actual protocols. In their work, Bana and Comon-Lundh presented only the general framework, but they did not introduce sufficiently many axioms to actually prove protocols. We present a set of axioms -- some generic axioms that are computationally sound for all PPT algorithms, and two specific axioms that are sound for CCA2 secure encryptions -- and illustrate the power of this technique by giving the first computationally sound verification (secrecy and authentication) via symbolic attackers of the NSL Protocol that does not need any further restrictive assumptions about the computational implementation. The axioms are entirely modular, not particular to the NSL protocol.

Computational Semantics for First-Order Logical Analysis of Cryptographic Protocols

This paper is concerned about relating formal and computational models of cryptography in case of active adversaries when formal security analysis is done with first order logic As opposed to earlier treatments, we introduce a new, fully probabilistic method to assign computational semantics to the syntax. The idea is to make use of the usual mathematical treatment of stochastic processes, hence be able to treat arbitrary probability distributions, non-negligible probability of collision, causal dependence or independence, and so on. We present this via considering a simple example of such a formal model, the Basic Protocol Logic by K. Hasebe and M. Okada [20], but we think the technique is suitable for a wide range of formal methods for protocol correctness proofs. We first review our framework of proof-system, BPL, for proving correctness of authentication protocols, and provide computational semantics. Then we give a full proof of the soundness theorem. We also comment on the differences of our method and that of Computational PCL.

On the Formal Consistency of the Principal Principle

Rédei and Gyenis suggest that Lewis’s Principal Principle is meaningful only if it satisfies certain consistency conditions: starting from any assignment of credences to some algebra of events, we must always be able to extend our algebra with events as “the value of the objective chance of event E is p” and assign credences to such events in a consistent manner. I show that this extension is possible. However, I also argue that this requirement is unnecessary: the Principal Principle concerns subjective beliefs about objective chance; hence, events concerning those probabilities are meant to be in the algebra initially.

Computational semantics for basic protocol logic: a stochastic approach

This paper relates formal and computational models of cryptography in case of active adversaries when formal security analysis is done with first order logic. Instead of the way Datta et al. defined computational semantics to their Protocol Composition Logic, we introduce a new, fully probabilistic method to assign computational semantics to the syntax. We present this via considering a simple example of such a formal model, the Basic Protocol Logic by K. Hasebe and M. Okada [7], but the technique is suitable for extensions to more complex situations such as PCL. We make use of the usual mathematical treatment of stochastic processes, hence are able to treat arbitrary probability distributions, non-negligible probability of collision, causal dependence or independence.