## Verifying Statistical Zero Knowledge with Approximate Implementations

### BibTeX

    @MISC{Cheung_verifyingstatistical,
        author = {Ling Cheung and Sayan Mitra and Olivier Pereira},
        title = {Verifying Statistical Zero Knowledge with Approximate Implementations},
        year = {}
    }

### Abstract

Statistical zero-knowledge (SZK) properties play an important role in designing cryptographic protocols that enforce honest behavior while maintaining privacy. This paper presents a novel approach for verifying SZK properties, using recently developed techniques based on approximate simulation relations. We formulate statistical indistinguishability as an implementation relation in the Task-PIOA framework, which allows us to express computational restrictions. The implementation relation is then proven using approximate simulation relations. This technique separates proof obligations into two categories: those requiring probabilistic reasoning and those that do not. The latter are good candidates for mechanization. We illustrate the general method by verifying the SZK property of the well-known identification protocol proposed by Girault, Poupard and Stern.

### Citations

1086 | The Knowledge Complexity of Interactive Proof Systems
- Goldwasser, Micali, et al.
- 1985
Citation Context: ...nd in the cryptography community through the work of Goldwasser and Micali introducing semantic security [2]. In cryptography, three flavors of indistinguishability have traditionally been considered [3]. Suppose $X = \{X_k\}_{k \in \mathbb{N}}$ and $Y = \{Y_k\}_{k \in \mathbb{N}}$ are two families of random variables indexed by $k$, which we refer to as the security parameter. These two families are (i) perfectly indistinguishable if they hav...

774 | Security policies and security models
- Goguen, Meseguer
- 1982
Citation Context: ...about establishing that the behaviors of systems are indistinguishable. This idea probably appeared first in the security community through the work of Goguen and Meseguer introducing noninterference [1], and in the cryptography community through the work of Goldwasser and Micali introducing semantic security [2]. In cryptography, three flavors of indistinguishability have traditionally been consider...

147 | Bisimulation for labelled Markov processes
- Blute, Desharnais, et al.
- 1997
Citation Context: ...babilistic systems in the context of Labelled Markov Processes (LMP) have been extensively investigated and many fundamental results have been obtained by Desharnais, Gupta, Jagadeesan and Panangaden [21,22,23] and by van Breugel, Mislove, Ouaknine, and Worrell [24,25,26,27,28]. Our notion of approximate implementation, introduced in [13] and developed further in [14], differs from the previous approaches i...

137 | Probabilistic Encryption and How to Play Mental Poker Keeping Secret All Partial Information. STOC
- Goldwasser, Micali
- 1982
Citation Context: ...e security community through the work of Goguen and Meseguer introducing noninterference [1], and in the cryptography community through the work of Goldwasser and Micali introducing semantic security [2]. In cryptography, three flavors of indistinguishability have traditionally been considered [3]. Suppose $X = \{X_k\}_{k \in \mathbb{N}}$ and $Y = \{Y_k\}_{k \in \mathbb{N}}$ are two families of random variables indexed by $k$, which we refer t...

132 | Probabilistic noninterference for multi-threaded programs
- Sabelfeld, Sands
- 2000
Citation Context: ...tes the fundamental assumption. Recently, much work has been done in the distributed system and security communities to develop reasoning techniques for statistical distance between system executions [4,5,6,7,8,9,10]. These techniques are proposed in the context of noninterference, therefore are not immediately applicable in the analysis of cryptographic protocols. For example, they typically do not consider the ...

99 | Approximate noninterference
- Piero, Hankin, et al.
- 2002
Citation Context: ...tes the fundamental assumption. Recently, much work has been done in the distributed system and security communities to develop reasoning techniques for statistical distance between system executions [4,5,6,7,8,9,10]. These techniques are proposed in the context of noninterference, therefore are not immediately applicable in the analysis of cryptographic protocols. For example, they typically do not consider the ...

96 | Probabilistic noninterference in a concurrent language
- Volpano, Smith
- 1999
Citation Context: ...tes the fundamental assumption. Recently, much work has been done in the distributed system and security communities to develop reasoning techniques for statistical distance between system executions [4,5,6,7,8,9,10]. These techniques are proposed in the context of noninterference, therefore are not immediately applicable in the analysis of cryptographic protocols. For example, they typically do not consider the ...

52 | The metric analogue of weak bisimulation for probabilistic processes
- Desharnais, Gupta, et al.
- 2002
Citation Context: ...babilistic systems in the context of Labelled Markov Processes (LMP) have been extensively investigated and many fundamental results have been obtained by Desharnais, Gupta, Jagadeesan and Panangaden [21,22,23] and by van Breugel, Mislove, Ouaknine, and Worrell [24,25,26,27,28]. Our notion of approximate implementation, introduced in [13] and developed further in [14], differs from the previous approaches i...

49 | Metrics for labelled Markov processes
- Desharnais, Gupta, et al.
- 2004
Citation Context: ...babilistic systems in the context of Labelled Markov Processes (LMP) have been extensively investigated and many fundamental results have been obtained by Desharnais, Gupta, Jagadeesan and Panangaden [21,22,23] and by van Breugel, Mislove, Ouaknine, and Worrell [24,25,26,27,28]. Our notion of approximate implementation, introduced in [13] and developed further in [14], differs from the previous approaches i...

45 | An algorithm for quantitative verification of probabilistic transition systems
- Breugel, Worrell
- 2001
Citation Context: ... (LMP) have been extensively investigated and many fundamental results have been obtained by Desharnais, Gupta, Jagadeesan and Panangaden [21,22,23] and by van Breugel, Mislove, Ouaknine, and Worrell [24,25,26,27,28]. Our notion of approximate implementation, introduced in [13] and developed further in [14], differs from the previous approaches in at least one of the following ways: (a) the taskPIOA model allows ...

26 | Axioms for probability and nondeterminism
- Mislove, Ouaknine, et al.
Citation Context: ... (LMP) have been extensively investigated and many fundamental results have been obtained by Desharnais, Gupta, Jagadeesan and Panangaden [21,22,23] and by van Breugel, Mislove, Ouaknine, and Worrell [24,25,26,27,28]. Our notion of approximate implementation, introduced in [13] and developed further in [14], differs from the previous approaches in at least one of the following ways: (a) the taskPIOA model allows ...

23 | Computational probabilistic non-interference
- Backes, Pfitzmann
- 2002

21 | Probabilistic noninterference through weak probabilistic bisimulation
- Smith
- 2003

21 | On the fly authentication and signature schemes based on groups of unknown order
- Girault, Poupard, et al.
Citation Context: ... way that the trace distributions are “close” with respect to some metric. We exemplify our approach through the analysis of a classical identification protocol proposed by Girault, Poupard and Stern [15]. Our analysis establishes that the GPS protocol is statistical zero-knowledge; that is, there is a probabilistic polynomial-time simulator that produces a protocol transcript that is 1 This means the...

18 | Task-structured probabilistic I/O automata
- Canetti, Cheung, et al.
- 2006
Citation Context: ...f [6]). We shall return to these works in the related work section. In this paper, we show that statistical indistinguishability properties can be formulated very naturally in the Task-PIOA framework [11,12], and they can be verified using the approximate simulation relation techniques developed in [13,14], which provide formal soundness proofs for these techniques. Here soundness means the existence of ...

16 | Time-bounded task-PIOAs: a framework for analyzing security protocols
- Canetti, Cheung, et al.
Citation Context: ...d V. To the best of our knowledge, approximate implementations have not been applied to verify SZK properties prior to this work. 2 Background Task-structured Probabilistic I/O Automaton (Task-PIOA) [29] is a modeling framework for distributed systems which allows both probabilistic and nondeterministic state transitions. It has a task-based scheduling mechanism which is less powerful than tradi...

15 | An intrinsic characterization of approximate probabilistic bisimilarity
- Breugel, Mislove, et al.
- 2004
Citation Context: ... (LMP) have been extensively investigated and many fundamental results have been obtained by Desharnais, Gupta, Jagadeesan and Panangaden [21,22,23] and by van Breugel, Mislove, Ouaknine, and Worrell [24,25,26,27,28]. Our notion of approximate implementation, introduced in [13] and developed further in [14], differs from the previous approaches in at least one of the following ways: (a) the taskPIOA model allows ...

13 | Proving safety properties of an aircraft landing protocol using I/O Automata and the PVS theorem prover: A case study
- Umeno, Lynch
Citation Context: ... well-suited for hierarchical verification of large systems with nondeterministic behavior. Many applications of these techniques in mechanical verification of systems have been published (see, e.g., [16,17] for some recent nonsecurity related case studies in the I/O Automaton framework). Our GPS case study demonstrates that nondeterminism can be used to simplify specifications, without increasing the pr...

12 | Confidentiality for multithreaded programs via bisimulation
- Sabelfeld
- 2003

10 | Duality for Labelled Markov Processes
- Mislove, Ouaknine, et al.
- 2004

9 | Specifying and proving properties of timed I/O automata using Tempo. Design Automation for Embedded Systems
- Archer, Lim, et al.
- 2008
Citation Context: ...a separate set of obligations that do not involve probabilities. The latter type of obligations can be checked using the currently available TIOA Toolsuite and its interface to the PVS theorem prover [18]. Eventually, we hope to (partially) mechanize or even automate the verification of statistical indistinguishability properties for cryptographic protocols. Related Work. Probabilistic observational e...

6 | Approximate simulations for task-structured probabilistic I/O automata
- Mitra, Lynch
- 2006
Citation Context: ...istical indistinguishability properties can be formulated very naturally in the Task-PIOA framework [11,12], and they can be verified using the approximate simulation relation techniques developed in [13,14], which provide formal soundness proofs for these techniques. Here soundness means the existence of an approximate simulation guarantees that every trace distribution in the first system can be matche...

6 | Approximate reasoning for real-time probabilistic processes
- Gupta, Jagadeesan, et al.
- 2004
Citation Context: ... achieve, if not impossible to achieve. This has been noted both in the security community (for example in [10]), and also in the literature related to verification of timed and probabilistic systems [19]. Based on these observations, there has been intense research in the recent years towards developing metric-based generalizations of probabilistic bisimulations and observational equivalences. Jou an...

5 | A quantitative approach to noninterference for probabilistic systems
- Aldini, Pierro
- 2009

5 | Proving approximate implementation relations for probabilistic I/O automata
- Mitra, Lynch
- 2007

4 | Proving atomicity: An assertional approach
- Chockler, Lynch, et al.
- 2005
Citation Context: ... well-suited for hierarchical verification of large systems with nondeterministic behavior. Many applications of these techniques in mechanical verification of systems have been published (see, e.g., [16,17] for some recent nonsecurity related case studies in the I/O Automaton framework). Our GPS case study demonstrates that nondeterminism can be used to simplify specifications, without increasing the pr...

4 | Equivalences, congruences and complete approximations for probabilistic processes
- Jou, Smolka
- 1990
Citation Context: ...n these observations, there has been intense research in the recent years towards developing metric-based generalizations of probabilistic bisimulations and observational equivalences. Jou and Smolka [20] first introduced the idea of formalizing similarity of observed behavior by using metrics. Approximation metrics for probabilistic systems in the context of Labelled Markov Processes (LMP) have been ...

4 | Domain theory, testing and simulation for labelled Markov processes. Theoretical Computer Science
- Breugel, Mislove, et al.
- 2005