Unifying Simulatability Definitions in Cryptographic Systems under Different Timing Assumptions
Concurrency Theory, Proceedings of CONCUR 2003, 2003
The cryptographic concept of simulatability has become a salient technique for faithfully analyzing and proving security properties of arbitrary cryptographic protocols. We investigate the relationship between simulatability in synchronous and asynchronous frameworks by means of the formal models of Pfitzmann et al., which are seminal in using this concept in order to bridge the gap between the formal-methods and the cryptographic communities. We show that the synchronous model can be seen as a special case of the asynchronous one with respect to simulatability, i.e., we present an embedding between both models that we show to preserve simulatability.
On the Cryptographic Key Secrecy of the Strengthened Yahalom Protocol
Proceedings of IFIP SEC 2006, 2006
Symbolic secrecy of exchanged keys is arguably one of the most important notions of secrecy shown with automated proof tools. It means that an adversary restricted to symbolic operations on terms can never get the entire key into its knowledge set. Cryptographic key secrecy essentially means computational indistinguishability between the real key and a random one, given the view of a much more general adversary. We analyze the cryptographic key secrecy for the strengthened Yahalom protocol, which constitutes one of the most prominent key exchange protocols analyzed symbolically by means of automated proof tools. We show that the strengthened Yahalom protocol does not guarantee cryptographic key secrecy. We further show that cryptographic key secrecy can be proven for a slight simplification of the protocol by exploiting recent results on linking symbolic and cryptographic key secrecy in order to perform a symbolic proof of secrecy for the simplified Yahalom protocol in a specific setting that allows us to derive the desired cryptographic key secrecy from the symbolic proof. The proof holds in the presence of arbitrary active attacks provided that the protocol is relying on standard provably secure cryptographic primitives.
The RSA group is pseudofree
Advances in Cryptology – EUROCRYPT 2005, Lecture Notes in Computer Science, 2005
We prove, under the strong RSA assumption, that the group of invertible integers modulo the product of two safe primes is pseudofree. More specifically, no polynomial time algorithm can output (with non-negligible probability) an unsatisfiable system of equations over the free abelian group generated by the symbols g1, ..., gn, together with a solution modulo the product of two randomly chosen safe primes when g1, ..., gn are instantiated to randomly chosen quadratic residues. Ours is the first provably secure construction of pseudofree abelian groups under a standard cryptographic assumption, and resolves a conjecture of Rivest (TCC 2004).
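To make the definition in the abstract concrete, here is an added illustration (not code from the paper) using a toy modulus N = pq built from the small safe primes p = 23 and q = 47; real parameters are hundreds of digits long, and the choice of r below stands in for a random quadratic residue. It takes the single-unknown equation x^2 = g1, where the symbol g1 is instantiated to a quadratic residue modulo N. Over the free abelian group generated by g1 the equation is unsatisfiable, because g1 is not a square there, yet a solution modulo N exists. The script exhibits that solution only by using the factorization of N as a trapdoor, which is the whole point: extracting square roots of random quadratic residues modulo N is as hard as factoring N, so an efficient adversary without the trapdoor cannot output the (equation, solution) pair that pseudofreeness forbids. The free-group satisfiability check is restricted to one unknown and one equation; the paper's definition allows arbitrary systems.

```python
"""Added illustration of pseudofreeness for the RSA group (not from the paper).

Toy parameters: safe primes p = 23, q = 47 (constructed); real ones are
about 1024 bits each. Equation under test: x^2 = g1 with g1 a quadratic
residue mod N. Over the free abelian group on g1 this has no solution;
modulo N it does, but we can only exhibit it with the factorisation of N.
"""


def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_safe_prime(p):
    """p is a safe prime iff p and (p - 1) / 2 are both prime."""
    return is_prime(p) and is_prime((p - 1) // 2)


def free_abelian_solvable(e, exps):
    """Single-unknown equation x^e = g1^a1 * ... * gn^an over the free abelian
    group on g1..gn. Elements are exponent vectors, so it is solvable iff e
    divides every a_i (then x = prod g_i^(a_i / e) is the unique solution).
    Returns the exponent vector of the solution, or None if unsatisfiable."""
    if any(a % e for a in exps):
        return None
    return [a // e for a in exps]


def sqrt_mod_safe_prime(a, p):
    """Square root of a quadratic residue a modulo a safe prime p > 5.
    Such p satisfy p = 3 (mod 4), so a^((p + 1) / 4) is a root."""
    if p % 4 != 3:
        raise ValueError("expected p = 3 (mod 4)")
    r = pow(a, (p + 1) // 4, p)
    if r * r % p != a % p:
        raise ValueError("a is not a quadratic residue mod p")
    return r


def crt(r_p, p, r_q, q):
    """Combine x = r_p (mod p), x = r_q (mod q) into x mod pq (p, q coprime)."""
    inv_p = pow(p, -1, q)
    return (r_p + p * (((r_q - r_p) * inv_p) % q)) % (p * q)


def sqrt_mod_n_with_trapdoor(g, p, q):
    """The 'cheating' adversary: knowing N = pq, take roots mod p and mod q and
    glue them with the CRT. Without p and q this step is as hard as factoring."""
    return crt(sqrt_mod_safe_prime(g, p), p, sqrt_mod_safe_prime(g, q), q)


def demo(p=23, q=47, r=5):
    """Return (unsatisfiable_in_free_group, x, N) for the equation x^2 = g1,
    with g1 = r^2 mod N standing in for a randomly chosen quadratic residue."""
    if not (is_safe_prime(p) and is_safe_prime(q)):
        raise ValueError("p and q must be safe primes")
    n = p * q
    g1 = r * r % n                     # instantiation of the symbol g1
    e, a = 2, 1                        # the equation x^2 = g1^1
    unsat = free_abelian_solvable(e, [a]) is None
    x = sqrt_mod_n_with_trapdoor(g1, p, q)
    assert pow(x, 2, n) == g1          # a genuine solution in Z_N^*
    return unsat, x, n


if __name__ == "__main__":
    unsat, x, n = demo()
    print(f"x^2 = g1 unsatisfiable over the free group: {unsat}")
    print(f"but x = {x} solves it modulo N = {n}")
```

The trapdoor step is the only place where the factorization is used; everything an honest party sees (N, g1, the equation) is available to the adversary too, which is why the paper's result needs an assumption (strong RSA) rather than following from the group structure alone.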
Logical Concepts in Cryptography
2006
This paper is about the exploration of logical concepts in cryptography and their linguistic abstraction and model-theoretic combination in a logical system, called CPL (for Cryptographic Protocol Logic).
Secure Asynchronous Reactive Systems
2004
We present a rigorous model for secure reactive systems in asynchronous networks. It captures both computational aspects of security as needed for cryptography, and abstractions as needed in typical theorem provers and model checkers, with clear refinement relations within and between the layers of abstraction.
Threshold Homomorphic Encryption in the Universally Composable Cryptographic Library
The universally composable cryptographic library by Backes, Pfitzmann and Waidner provides Dolev-Yao-like, but cryptographically sound abstractions to common cryptographic primitives like encryptions and signatures. The library has been used to give the correctness proofs of various protocols; while the arguments in such proofs are similar to the ones done with the Dolev-Yao model that has been researched for a couple of decades already, the conclusions that such arguments provide are cryptographically sound. Various interesting protocols, for example e-voting, make extensive use of primitives that the library currently does not provide. The library can certainly be extended, and in this paper we provide one such extension: we add threshold homomorphic encryption to the universally composable cryptographic library and demonstrate its usefulness by (re)proving the security of a well-known e-voting protocol.
Key Exchange Protocols: Security Definition, Proof Method and Applications
In 19th IEEE Computer Security Foundations Workshop (CSFW 19), 2006
We develop a compositional method for proving cryptographically sound security properties of key exchange protocols, based on a symbolic logic that is interpreted over conventional runs of a protocol against a probabilistic polynomial-time attacker. Since reasoning about an unbounded number of runs of a protocol involves induction-like arguments about properties preserved by each run, we formulate a specification of secure key exchange that, unlike conventional key indistinguishability, is closed under general composition with steps that use the key.
The computational SLR: a logic for reasoning about computational indistinguishability
Computational indistinguishability is a notion in complexity-theoretic cryptography and is used to define many security criteria. However, in traditional cryptography, proving computational indistinguishability is usually informal and becomes error-prone when cryptographic constructions are complex. This paper presents a formal proof system based on an extension of Hofmann's SLR language, which can capture probabilistic polynomial-time computations through typing and is sufficient for expressing cryptographic constructions. We in particular define rules that justify directly the computational indistinguishability between programs and prove that these rules are sound with respect to the set-theoretic semantics, hence the standard definition of security. We also show that it is applicable in cryptography by verifying, in our proof system, Goldreich and Micali's construction of a pseudorandom generator, and the equivalence between next-bit unpredictability and pseudorandomness.
Reactively Simulatable Certified Mail
2006
Certified mail is the fair exchange of a message for a receipt, i.e., the recipient gets the message if and only if the sender gets a receipt. It is an important primitive for electronic commerce and other atomicity services. Certified-mail protocols are known in the literature, but there was no rigorous definition yet, in particular for optimistic protocols and for many interleaved executions. We provide such a definition via an ideal system and show that a specific real certified-mail protocol is as secure as this ideal system in the sense of reactive simulatability in the standard model of cryptography and under standard assumptions.
Low-level ideal signatures and general integrity idealization
Research Report RZ 3511, IBM Research, 2003
Recently we showed how to justify a Dolev-Yao type model of cryptography as used in virtually all automated protocol provers under active attacks and in arbitrary protocol environments. The justification was done by defining an ideal system handling Dolev-Yao-style terms and a cryptographic realization with the same user interface, and by showing that the realization is as secure as the ideal system in the sense of reactive simulatability. This holds in the standard model of cryptography and under standard assumptions of adaptively secure primitives. While treating a term algebra is the point of that paper, a natural question is whether the proof could be more modular, e.g., by using a low-level idealization of signature schemes similar to the treatment of encryption. We present a low-level ideal signature system that we tried to use as a lower layer in prior versions of the library proof. It may be of independent interest for cryptography because idealizing signature schemes has proved surprisingly error-prone. However, we also explain why using it makes the overall proof of the justification of the Dolev-Yao type model more complicated instead of simpler. We further present a technique, integrity idealization, for mechanically constructing composable low-level ideal systems for other cryptographic primitives that have "normal" cryptographic integrity definitions.