Laurent Mazaré

Completing the picture: soundness of formal encryption in the presence of active adversaries

In this paper, we extend previous results relating the Dolev-Yao model and the computational model. We add the possibility to exchange keys and consider cryptographic primitives such as signature. This work can be applied to check protocols in the computational model by using automatic verification tools in the formal model. To obtain this result, we introduce a precise definition for security criteria which leads to a nice reduction theorem. The reduction theorem is of interest on its own as it seems to be a powerful tool for proving equivalences between security criteria. Also, the proof of this theorem uses original ideas that seem to be applicable in other situations.

A generalization of DDH with applications to protocol analysis and computational soundness

In this paper we identify the (P,Q)-DDH assumption, as an extreme, powerful generalization of the Decisional Diffie-Hellman (DDH) assumption: virtually all previously proposed generalizations of DDH are instances of the (P,Q)-DDH problem. We prove that our generalization is no harder than DDH through a concrete reduction that we show to be rather tight in most practical cases. One important consequence of our result is that it yields significantly simpler security proofs for protocols that use extensions of DDH. We exemplify in the case of several group-key exchange protocols (among others we give an elementary, direct proof for the Burmester-Desmedt protocol). Finally, we use our generalization of DDH to extend the celebrated computational soundness result of Abadi and Rogaway [1] so that it can also handle exponentiation and Diffie-Hellman-like keys. The extension that we propose crucially relies on our generalization and seems hard to achieve through other means.

Decidability of Opacity with Non-Atomic Keys

The most studied property, secrecy, is not always sufficient to prove the security of a protocol. Other properties such as anonymity, privacy or opacity could be useful. Here, we use a simple definition of opacity which works by looking at the possible traces of the protocol using a new property over messages called similarity. The opacity property becomes a logical constraint involving both similarities and syntactic equalities. The main theorem proves that satisfiability of these constraints and thus opacity are decidable without having to make the hypothesis of atomic keys. Moreover, we use syntactic equalities to model some deductions an intruder could make by performing bit-to-bit comparisons (i.e. known-ciphertext attack).

Computational Soundness of Symbolic Analysis for Protocols Using Hash Functions

In this paper, we consider a Dolev-Yao model with hash functions and establish its soundness with respect to the computational model. Soundness means that the absence of attacks in the Dolev-Yao model implies that the probability for an adversary to perform an attack in the computational model is negligible. Classical requirements for deterministic hash functions (e.g. one-wayness, collision freeness) are not sufficient for proving this result. Therefore we introduce new security requirements that are sufficient to prove the soundness result and that are verified by random oracles.

Separating Trace Mapping and Reactive Simulatability Soundness: The Case of Adaptive Corruption

Computational soundness is the research direction that aims to translate security guarantees with respect to Dolev-Yao models into guarantees with resepect to the stronger computational models of modern cryptography. There are essentially two different approaches that aim to achieve computational soundness. One approach is based on the so-called trace mapping theorems, and one based on reactive simulatability. In a recent paper, Backes, Durthmuth, and Kusters have shown that the stronger requirements needed for reactive simulatability-based soundness imply that a trace mapping theorem also holds. It was left as an open problem whether there exists interesting settings where the simulatability framework breaks down but mapping theorems still exist. In this paper we describe one such setting, and thus give a separation between the two frameworks. Specifically, we show that adaptive corruption of symmetric encryption keys (a problematic setting for simulation-based frameworks) can be smoothly treated in a mapping theorem-based soundness framework. A crucial ingredient of our proof, and a result of independent interest, is a new (indistinguishability based) security notion for encryption. The central feature of our definition is that in addition to standard chosen-ciphertext attacks in multi-user settings, it also directly accounts for adaptive corruption of decryption keys. We show that our notion satisfies the intuitively appealing property that it is equivalent to standard security requirements on encryption.

Concurrent Construction of Proof-Nets

The functional paradigm of computation has been widely investigated and given a solid mathematical foundation, initiated with the Curry-Howard isomorphism, then elaborated and extended in multiple ways. However, this paradigm is inadequate to capture many useful programming intuitions, arising in particular in the development of applications integrating distributed, autonomous components. Indeed, in this context, non-determinism and true concurrency are the rule, whereas functional programming stresses determinism, and, although it allows some degree of concurrency, it is more as a “nice feature to have” rather than a primary assumption.

Game-based criterion partition applied to computational soundness of adaptive security

The composition of security definitions is a subtle issue. As most security protocols use a combination of security primitives, it is important to have general results that allow to combine such definitions. We present here a general result of composition for security criteria (i.e. security requirements). This result can be applied to deduce security of a criterion from security of one of its sub-criterion and an indistinguishability criterion. To illustrate our result, we introduce joint security for asymmetric and symmetric cryptography and prove that it is equivalent to classical security assumptions for both the asymmetric and symmetric encryption schemes. Using this, we give a modular proof of computational soundness of symbolic encryption. This result holds in the case of an adaptive adversary which can use both asymmetric and symmetric encryption.