Universally composable symbolic analysis of mutual authentication and key-exchange protocols
In Shai Halevi and Tal Rabin, editors, TCC, volume 3876 of LNCS, 2006
Cited by 47 (4 self)
Abstract. Symbolic analysis of cryptographic protocols is dramatically simpler than full-fledged cryptographic analysis. In particular, it is simple enough to be automated. However, symbolic analysis does not, by itself, provide any cryptographic soundness guarantees. Following recent work on cryptographically sound symbolic analysis, we demonstrate how Dolev-Yao style symbolic analysis can be used to assert the security of cryptographic protocols within the universally composable (UC) security framework. Consequently, our methods enable security analysis that is completely symbolic, and at the same time cryptographically sound with strong composability properties. More specifically, we concentrate on mutual authentication and key-exchange protocols. We restrict attention to protocols that use public-key encryption as their only cryptographic primitive and have a specific restricted format. We define a mapping from such protocols to Dolev-Yao style symbolic protocols, and show that the symbolic protocol satisfies a certain symbolic criterion if and only if the corresponding cryptographic protocol is UC-secure. For mutual authentication, our symbolic criterion is similar to the traditional Dolev-Yao criterion. For key exchange, we demonstrate that the traditional Dolev-Yao style symbolic criterion is insufficient, and formulate an adequate symbolic criterion. Finally, to demonstrate the viability of our treatment, we use an existing tool to automatically verify whether some prominent key-exchange protocols are UC-secure.
Soundness of formal encryption in the presence of key-cycles
In Proc. 10th European Symposium on Research in Computer Security (ESORICS’05), volume 3679 of LNCS, 2005
Cited by 40 (5 self)
Abstract. Both the formal and the computational models of cryptography contain the notion of message equivalence or indistinguishability. An encryption scheme provides soundness for indistinguishability if, when mapping formal messages into the computational model, equivalent formal messages are mapped to indistinguishable computational distributions. Previous soundness results are limited in that they do not apply when key-cycles are present. We demonstrate that an encryption scheme provides soundness in the presence of key-cycles if it satisfies the recently-introduced notion of key-dependent message (KDM) security. We also show that soundness in the presence of key-cycles (and KDM security) neither implies nor is implied by security against chosen ciphertext attack (CCA2). Therefore, soundness for key-cycles is possible using a new notion of computational security, not possible using previous such notions, and the relationship between the formal and computational models extends beyond chosen-ciphertext security.
Computational and information-theoretic soundness and completeness of formal encryption
In Proceedings of the 18th IEEE Computer Security Foundations Workshop (CSFW), 2005
Cited by 23 (7 self)
We consider expansions of the Abadi-Rogaway logic of indistinguishability of formal cryptographic expressions. We expand the logic in order to cover cases when partial information of the encrypted plaintext is revealed. We consider not only computational, but also purely probabilistic, information-theoretic interpretations. We present a general, systematic treatment of the expansions of the logic for symmetric encryption. We establish general soundness and completeness theorems for the interpretations. We also present applications to specific settings not covered in earlier works: a purely probabilistic one based on One-Time Pad, and computational settings of the so-called type-2 (which-key revealing) and type-3 (which-key and length revealing) encryption schemes based on computational complexity.
Security analysis of cryptographically controlled access to XML documents
In Proceedings of the 24th ACM Symposium on Principles of Database Systems, 2005
Cited by 13 (2 self)
Some promising recent schemes for XML access control employ encryption for implementing security policies on published data, avoiding data duplication. In this paper we study one such scheme, due to Miklau and Suciu. That scheme was introduced with some intuitive explanations and goals, but without precise definitions and guarantees for the use of cryptography (specifically, symmetric encryption and secret sharing). We bridge this gap in the present work. We analyze the scheme in the context of the rigorous models of modern cryptography. We obtain formal results in simple, symbolic terms close to the vocabulary of Miklau and Suciu. We also obtain more detailed computational results that establish security against probabilistic polynomial-time adversaries. Our approach, which relates these two layers of the analysis, continues a recent thrust in security research and may be applicable to a broad class of systems that rely on cryptographic data protection.
The RSA group is pseudo-free
Advances in Cryptology – EUROCRYPT 2005, Lecture Notes in Computer Science, 2005
Cited by 7 (0 self)
We prove, under the strong RSA assumption, that the group of invertible integers modulo the product of two safe primes is pseudo-free. More specifically, no polynomial time algorithm can output (with non-negligible probability) an unsatisfiable system of equations over the free abelian group generated by the symbols g1,...,gn, together with a solution modulo the product of two randomly chosen safe primes when g1,...,gn are instantiated to randomly chosen quadratic residues. Ours is the first provably secure construction of pseudo-free abelian groups under a standard cryptographic assumption, and resolves a conjecture of Rivest (TCC 2004).
Adaptive soundness of static equivalence
In Proc. 12th European Symposium on Research in Computer Security (ESORICS’07), volume 4734 of LNCS, 2007
Cited by 6 (3 self)
Abstract. We define a framework to reason about implementations of equational theories in the presence of an adaptive adversary. We particularly focus on soundness of static equivalence. We illustrate our framework on several equational theories: symmetric encryption, XOR, modular exponentiation and also joint theories of encryption and modular exponentiation. This last example relies on a combination result for reusing proofs for the separate theories. Finally, we define a model for symbolic analysis of dynamic group key exchange protocols, and show its computational soundness.
Computationally Sound Analysis of Protocols using Bilinear Pairings, 2007
Cited by 2 (0 self)
In this paper, we introduce a symbolic model to analyse protocols that use a bilinear pairing between two cyclic groups. This model consists in an extension of the Abadi-Rogaway logic and we prove that the logic is still computationally sound: symbolic indistinguishability implies computational indistinguishability provided that the Bilinear Decisional Diffie-Hellman assumption holds and that the encryption scheme is IND-CPA secure. We illustrate our results on classical protocols using bilinear pairing like Joux's tripartite Diffie-Hellman protocol or the TAK-2 and TAK-3 protocols.
Computational soundness, coinduction and encryption cycles
Cited by 2 (1 self)
We analyze the relation between induction, coinduction and the presence of encryption cycles in the context of computationally sound symbolic equivalence of cryptographic expressions. Our main finding is that the use of coinduction in the symbolic definition of the adversarial knowledge allows one to prove unconditional soundness results that do not require syntactic restrictions, like the absence of encryption cycles. Encryption cycles are relevant only to the extent that the key recovery function associated to acyclic expressions can be shown to have a unique fixpoint. So, when a cryptographic expression has no encryption cycles, the inductive (least fixpoint) and coinductive (greatest fixpoint) security definitions produce the same results, and the computational soundness of the inductive definitions for acyclic expressions follows as a special case of the soundness of the coinductive definition.
Soundness of Symbolic Equivalence for Modular Exponentiation
In Proceedings of the Second Workshop on Formal and Computational Cryptography (FCC’06), 2006
Cited by 1 (0 self)
Abstract. In this paper, we study the Dynamic Decisional Diffie-Hellman (3DH) problem, a powerful generalization of the Decisional Diffie-Hellman (DDH) problem. Our main result is that DDH implies 3DH. This result leads to significantly simpler proofs for protocols by relying directly on the more general problem. Our second contribution is a computationally sound symbolic technique for reasoning about protocols that use symmetric encryption and modular exponentiation. We show how to apply our results in the case of the Burmester & Desmedt protocol.
Pseudorandomness and partial information in symbolic security analysis, 2009
Cited by 1 (1 self)
We prove computational soundness results for cryptographic expressions with pseudorandom keys, as used, for example, in the design and analysis of secure multicast key distribution protocols. In particular, we establish a symbolic notion of independence (for pseudorandom keys) that exactly matches the standard computational security definition (namely, indistinguishability from the uniform distribution) for pseudorandom generators. As a conceptual contribution, we initiate the study of partial information in the context of computationally sound symbolic security analysis. Specifically, we show that (within our admittedly simple, but hopefully evocative setting) partial information can be taken into account in the symbolic model, in a computationally sound way, by simply annotating each key with a label which specifies that the key is either known, unknown, or partially known, without further details about the amount and type of partial information.