## Computationally sound implementations of equational theories against . . . (2008)

### Cached

### Download Links

Citations: | 53 - 16 self |

### BibTeX

@MISC{Baudet08computationallysound,

author = {Mathieu Baudet and Véronique Cortier and Steve Kremer},

title = {Computationally sound implementations of equational theories against . . . },

year = {2008}

}

### OpenURL

### Abstract

In this paper we study the link between formal and cryptographic models for security protocols in the presence of passive adversaries. In contrast to other works, we do not consider a fixed set of primitives but aim at results for arbitrary equational theories. We define a framework for comparing a cryptographic implementation and its idealization with respect to various security notions. In particular, we concentrate on the computational soundness of static equivalence, a standard tool in cryptographic pi calculi. We present a soundness criterion, which for many theories is not only sufficient but also necessary. Finally, to illustrate our framework, we establish the soundness of static equivalence for the exclusive OR and a theory of ciphers and lists.

### Citations

1178 |
Probabilistic encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ...n developed, based on the seminal work of Dolev and Yao [9]. These models view cryptographic operations in a rather abstract and idealized way. On the other hand cryptographic or computational models =-=[10]-=- are closer to implementations: cryptographic operations are modeled as algorithms manipulating bit-strings. Those models cover a large class of attacks, namely all those implementable by a probabilis... |

1047 | On the security of public-key protocols
- Dolev, Yao
- 1983
(Show Context)
Citation Context ...have been very useful in increasing the understanding and quality of security protocol design. On the one hand formal or logical models have been developed, based on the seminal work of Dolev and Yao =-=[9]-=-. These models view cryptographic operations in a rather abstract and idealized way. On the other hand cryptographic or computational models [10] are closer to implementations: cryptographic operation... |

334 | Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption
- Abadi, Rogaway
- 2002
(Show Context)
Citation Context ...mated tools and still benefit from the security guarantees of the computational model. Recently, a significant research effort has been directed at linking these two approaches. In their seminal work =-=[3]-=-, Abadi and Rogaway prove the computational soundness of formal (symmetric) encryption in the case a passive attacker. Since then, many results [5, 11, 12] have been obtained. Notably, Backes et al. [... |

273 | Mobile values, new names, and secure communication
- Abadi, Fournet
- 2001
(Show Context)
Citation Context ... equational theories, such as encryption, but also less studied ones, e.g. groups or exclusive OR. We concentrate on static equivalence, a now standard notion originating from the applied pi calculus =-=[2]-=-. Intuitively, static equivalence asks whether an attacker can distinguish between two tuples of terms, by exhibiting an equation which holds on one tuple but not on the other. This provides an elegan... |

134 | A composable cryptographic library with nested operations (extended abstract
- Backes, Pfitzmann, et al.
- 2003
(Show Context)
Citation Context ... linking these two approaches. In their seminal work [3], Abadi and Rogaway prove the computational soundness of formal (symmetric) encryption in the case a passive attacker. Since then, many results =-=[5, 11, 12]-=- have been obtained. Notably, Backes et al. [5] prove the soundness ofsa rich language including digital signatures, public-key and symmetric key encryption in the presence of an active attacker. Laud... |

80 | Deciding knowledge in security protocols under equational theories. Theoretical Computer Science 387
- Abadi, Cortier
(Show Context)
Citation Context ... of terms, by exhibiting an equation which holds on one tuple but not on the other. This provides an elegant means to express security properties against passive attackers. Moreover there exist exact =-=[1]-=- and approximate [8] algorithms to decide static equivalence for a large family of equational theories. Our first contribution is a general framework for comparing formal and computational models in t... |

78 | A computationally sound mechanized prover for security protocols - Blanchet - 2008 |

63 |
Automatic proof of strong secrecy for security protocols
- Blanchet
- 2004
(Show Context)
Citation Context ...ting an equation which holds on one tuple but not on the other. This provides an elegant means to express security properties against passive attackers. Moreover there exist exact [1] and approximate =-=[8]-=- algorithms to decide static equivalence for a large family of equational theories. Our first contribution is a general framework for comparing formal and computational models in the presence of a pas... |

60 | B.: Computationally sound, automated proofs for security protocols - Cortier, Warinschi - 2005 |

58 | B.: Symmetric encryption in a simulatable Dolev-Yao stylecryptographiclibrary.In:CSFW’04.pp.204–218.IEEE,LosAlamitos(2004
- Backes, Pfitzmann
(Show Context)
Citation Context ...advantage of any probabilistic polynomial-time adversary is negligible. It holds for the inverse of the encryption scheme, iff it holds for the collection of ciphers (Dη,n, Eη,n). As in previous work =-=[3, 12, 4, 11]-=-, we restrict frames to those with only atomic keys and no encryption cycles. Specifically a closed frame ϕ has only atomic keys if for all subterms encn(u, v) and decn(u, v) of ϕ, v is a name. Given ... |

53 | Symmetric encryption in automatic analyses for confidentiality against active adversaries
- Laud
- 2004
(Show Context)
Citation Context ... linking these two approaches. In their seminal work [3], Abadi and Rogaway prove the computational soundness of formal (symmetric) encryption in the case a passive attacker. Since then, many results =-=[5, 11, 12]-=- have been obtained. Notably, Backes et al. [5] prove the soundness ofsa rich language including digital signatures, public-key and symmetric key encryption in the presence of an active attacker. Laud... |

49 | A survey of algebraic properties used in cryptographic protocols - Cortier, Delaune, et al. |

48 | Deciding security of protocols against off-line guessing attacks - Baudet |

38 |
Completeness Theorems for the AbadiRogaway Logic of Encrypted Expressions
- Micciancio, Warinschi
- 2004
(Show Context)
Citation Context ... linking these two approaches. In their seminal work [3], Abadi and Rogaway prove the computational soundness of formal (symmetric) encryption in the case a passive attacker. Since then, many results =-=[5, 11, 12]-=- have been obtained. Notably, Backes et al. [5] prove the soundness ofsa rich language including digital signatures, public-key and symmetric key encryption in the presence of an active attacker. Laud... |

37 | Is it possible to decide whether a cryptographic protocol is secure or not - Comon, Shmatikov |

36 | A.: Soundness of formal encryption in the presence of key-cycles - Adão, Bana, et al. - 2005 |

35 | Symmetric authentication within a simulatable cryptographic library - Backes, Pfitzmann, et al. - 2003 |

35 | Guessing attacks and the computational soundness of static equivalence - Abadi, Baudet, et al. - 2006 |

28 | Analysing password protocol security against off-line dictionary attacks - Corin, Doumen, et al. |

28 | L.: Completing the picture: Soundness of formal encryption in the presence of active adversaries - Janvier, Lakhnech, et al. - 2005 |

25 | V.: Computational soundness of observational equivalence - Comon-Lundh, Cortier - 2008 |

21 | Computational and information-theoretic soundness and completeness of formal encryption - Adão, Bana, et al. |

19 | About the security of ciphers (semantic security and pseudo-random permutations
- Phan, Pointcheval
- 2004
(Show Context)
Citation Context ....2 Symmetric, deterministic, length-preserving encryption and lists We now detail the example of symmetric, deterministic and length-preserving encryption schemes. Such schemes, also known as ciphers =-=[13]-=-, are widely used in practice, the most famous examples being DES and AES . Our formal model consists of a set of sorts S = {Data, List 0, List 1 ...List n ...}, an infinite number of names for every ... |

19 | The cryptographic impact of groups with infeasible inversion - Hohenberger - 2003 |

16 | On the notion of pseudo-free groups
- Rivest
(Show Context)
Citation Context ...ons for the hs are collision-resistant, then (Aη) is =E-sound, ≈E-faithful and �⊢E-faithful. 3.2 ≈E-soundness implies classical assumptions on groups Inspired by the work of Rivest on pseudo-freeness =-=[14]-=-, we now study some consequences of ≈E-soundness on groups. Let EG be the equational theory modeling a free group G with exponents taken over a free commutative ring A. Assume a ≈EG -sound family of c... |

16 | Sound computational interpretation of formal encryption with composed keys - Laud, Corin - 2003 |

16 | Limits of the cryptographic realization of Dolev-Yao-style XOR - Backes, Pfitzmann - 2005 |

14 | Invertible universal hashing and the TET encryption mode - Halevi - 2007 |

8 | Soundness and Completeness of Formal Logics of Symmetric Encryption
- Bana
- 2004
(Show Context)
Citation Context ... that for every closed frame ϕ it holds that ([ϕ]Aη ) ≈ ([ϕ]ideal). Then (Aη) is ≈E-sound. Aη 4.2 Patterns revisited Patterns have been introduced by Abadi and Rogaway [3] and used in subsequent work =-=[12, 6]-=- as a way to define computationally sound formal equivalences. Typically frames are mapped to patterns by replacing non-decipherable terms by boxes �. Two frames are then equivalent iff they yield the... |

7 | Computationally secure information flow - Laud - 2002 |

7 | The RSA group is pseudo-free - Micciancio - 2005 |

6 | Adaptive soundness of static equivalence - Kremer, Mazaré - 2007 |

4 | Computational Soundness of Formal Indistinguishability and Static Equivalence - Bana, Mohassel, et al. - 2007 |