## Machine-checked security proofs of cryptographic signature schemes (2005)

Venue: In Proceedings of ESORICS’05, volume 3xxx of Lecture Notes in Computer Science

Citations: 9 (1 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Tarento05machine-checkedsecurity,
  author    = {Sabrina Tarento},
  title     = {Machine-checked security proofs of cryptographic signature schemes},
  booktitle = {In Proceedings of ESORICS’05, volume 3xxx of Lecture Notes in Computer Science},
  year      = {2005},
  pages     = {140--158},
  publisher = {Springer}
}
```

### Abstract

Formal methods have been extensively applied to the certification of cryptographic protocols. However, most of these works make the perfect cryptography assumption, i.e. the hypothesis that there is no way to obtain knowledge about the plaintext pertaining to a ciphertext without knowing the key. Models that do not require the perfect cryptography assumption are the generic model and the random oracle model. These models provide non-standard computational models in which one may reason about the computational cost of breaking a cryptographic scheme. Using the machine-checked account of the Generic Model and the Random Oracle Model formalized in Coq, we prove the safety of cryptosystems that depend on a cyclic group (like the ElGamal cryptosystem) against interactive generic attacks, and we prove the security of blind signatures against interactive attacks. To prove the last step, we use a generic parallel attack to create a forged signature.

### Citations

New directions in cryptography (cited by 2716)
- Diffie, Hellman
- 1976
Citation context: ...ase, the probability of finding a secret is $\mu + \frac{1}{q'}(1-\mu)$, where $\mu = \frac{\binom{t}{2} d}{q - \binom{t}{2} d}$ and $q'$ is the cardinal of the set of possible values for $x : \mathrm{Sec}$. Example 2 (Decisional Diffie-Hellman Problem [9]). The algorithm is given as input the group generator $g \in G$, the group elements $g^x$ and $g^y$, and the group elements $g^{xy}$ and $g^z$ in random order, where $x, y, z$ are random in $\mathbb{Z}_q$, and outputs a guess ...

Random oracles are practical: A paradigm for designing efficient protocols (cited by 1334)
- Bellare, Rogaway
- 1993
Citation context: ...cker is able to interact with oracles through interactive steps. Such interactive algorithms can be modeled using the Random Oracle Model, or ROM for short, that was introduced by Bellare and Rogaway [6], but its idea originates from earlier work by Fiat and Shamir [10]. For the purpose of our work, we do not need to develop a general framework for interactions; instead we focus on two typical oracles...

How to Prove Yourself: Practical Solutions to Identification and Signature Problems (cited by 832)
- Fiat, Shamir
- 1986
Citation context: ...Such interactive algorithms can be modeled using the Random Oracle Model, or ROM for short, that was introduced by Bellare and Rogaway [6], but its idea originates from earlier work by Fiat and Shamir [10]. For the purpose of our work, we do not need to develop a general framework for interactions; instead we focus on two typical oracles with whom the attacker can interact: queries to hash functions an...

Prudent engineering practice for cryptographic protocols (cited by 357)
- Abadi, Needham
- 1996
Citation context: ...vironment. Numerous application domains, including distributed systems and web services, use cryptographic schemes. However, designing secure cryptographic mechanisms is extremely difficult to achieve [1]; the literature abounds with attacks against cryptosystems that were previously proven correct. Recently, a significant research effort has been directed at linking the formal and computational approac...

Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption) (cited by 334)
- Abadi, Rogaway
- 2002
Citation context: ...were previously proven correct. Recently, a significant research effort has been directed at linking the formal and computational approaches. One of the first results is presented by Abadi and Rogaway [2]: they prove the computational soundness of formal encryption in the case of a passive attacker. Since then, many results [3, 15, 19, 14] have been obtained. Efforts are also under way to formulate sy...

Lower bounds for discrete logarithms and related problems (cited by 221)
- Shoup
- 1997
Citation context: ... by assuming $g_i = g^{s_i}$, we define the function $\mathrm{mex} : \mathbb{Z}_q^d \to \mathbb{Z}_q^d \to \mathbb{Z}_q$, $(a_1, \dots, a_d), (s_1, \dots, s_d) \mapsto$ [...] 3 A review of the Generic Model. The generic model, GM for short, was introduced by Shoup [22] and Nechaev [18], and can be used to provide an overall guarantee that a cryptographic scheme is not flawed [20, 21, 24]. For example, the GM is useful for establishing the complexity of the discrete...

A model for asynchronous reactive systems and its application to secure message transmission (cited by 153)
- Pfitzmann, Waidner
- 2000
Citation context: ...onal approaches. One of the first results is presented by Abadi and Rogaway [2]: they prove the computational soundness of formal encryption in the case of a passive attacker. Since then, many results [3, 15, 19, 14] have been obtained. Efforts are also under way to formulate syntactic calculi for dealing with probabilism and polynomial-time considerations, in particular [16, 12, 17], and a second step, to encode ...

Complexity of a Determinate Algorithm for the Discrete Logarithm (cited by 66)
- Nechaev
- 1994
Citation context: ... $g^{s_i}$, we define the function $\mathrm{mex} : \mathbb{Z}_q^d \to \mathbb{Z}_q^d \to \mathbb{Z}_q$, $(a_1, \dots, a_d), (s_1, \dots, s_d) \mapsto$ [...] 3 A review of the Generic Model. The generic model, GM for short, was introduced by Shoup [22] and Nechaev [18], and can be used to provide an overall guarantee that a cryptographic scheme is not flawed [20, 21, 24]. For example, the GM is useful for establishing the complexity of the discrete logarithm or the...

A universally composable cryptographic library (cited by 54)
- Backes, Pfitzmann, et al.
- 2003
Citation context: ...onal approaches. One of the first results is presented by Abadi and Rogaway [2]: they prove the computational soundness of formal encryption in the case of a passive attacker. Since then, many results [3, 15, 19, 14] have been obtained. Efforts are also under way to formulate syntactic calculi for dealing with probabilism and polynomial-time considerations, in particular [16, 12, 17], and a second step, to encode ...

Open issues in formal methods for cryptographic protocol analysis (cited by 54)
- Meadows
Citation context: ...onal approaches. One of the first results is presented by Abadi and Rogaway [2]: they prove the computational soundness of formal encryption in the case of a passive attacker. Since then, many results [3, 15, 19, 14] have been obtained. Efforts are also under way to formulate syntactic calculi for dealing with probabilism and polynomial-time considerations, in particular [16, 12, 17], and a second step, to encode ...

Probabilistic Polynomial-time equivalence and security analysis. Formal Methods Workshop (cited by 52)
- Lincoln, Mitchell, et al.
- 1999

Proof-assistants using dependent type systems (cited by 48)
- Barendregt, Geuvers
- 2001
Citation context: ...ories such as the Calculus of Inductive Constructions lack intensional constructs that allow the formation of subsets or quotients. In order to circumvent this problem, formalizations rely on setoids [4], that is, mathematical structures packaging a carrier, the “set”; its equality, the “book equality”; and a proof component ensuring that the book equality is well-behaved. For the sake of readability,...

A probabilistic polynomial-time calculus for the analysis of cryptographic protocols (cited by 44)
- Mitchell, Ramanathan, et al.
- 2006
Citation context: .... Since then, many results [3, 15, 19, 14] have been obtained. Efforts are also under way to formulate syntactic calculi for dealing with probabilism and polynomial-time considerations, in particular [16, 12, 17], and a second step, to encode them into proof tools. Therefore, there has lately been an increasing interest in provable security. A system is said to have provable security if its security requiremen...

Security of Signed ElGamal Encryption (cited by 41)
- Schnorr, Jakobsson
- 2000
Citation context: ...A review of the Generic Model. The generic model, GM for short, was introduced by Shoup [22] and Nechaev [18], and can be used to provide an overall guarantee that a cryptographic scheme is not flawed [20, 21, 24]. For example, the GM is useful for establishing the complexity of the discrete logarithm or the decisional Diffie-Hellman problem, which we describe below. 3.1 Informal account. The GM focuses on gene...

A linguistic characterization of bounded oracle computation and probabilistic polynomial time (cited by 26)
- Mitchell, Mitchell, et al.
- 1998
Citation context: .... Since then, many results [3, 15, 19, 14] have been obtained. Efforts are also under way to formulate syntactic calculi for dealing with probabilism and polynomial-time considerations, in particular [16, 12, 17], and a second step, to encode them into proof tools. Therefore, there has lately been an increasing interest in provable security. A system is said to have provable security if its security requiremen...

Logics for reasoning about cryptographic constructions (cited by 25)
- Impagliazzo, Kapron
- 2003
Citation context: .... Since then, many results [3, 15, 19, 14] have been obtained. Efforts are also under way to formulate syntactic calculi for dealing with probabilism and polynomial-time considerations, in particular [16, 12, 17], and a second step, to encode them into proof tools. Therefore, there has lately been an increasing interest in provable security. A system is said to have provable security if its security requiremen...

Security of Blind Discrete Log Signatures against Interactive Attacks (cited by 24)
- Schnorr
- 2001
Citation context: ...A review of the Generic Model. The generic model, GM for short, was introduced by Shoup [22] and Nechaev [18], and can be used to provide an overall guarantee that a cryptographic scheme is not flawed [20, 21, 24]. For example, the GM is useful for establishing the complexity of the discrete logarithm or the decisional Diffie-Hellman problem, which we describe below. 3.1 Informal account. The GM focuses on gene...

A machine-checked formalization of the generic model and the random oracle model (cited by 22)
- Barthe, Cederquist, et al.
- 2004
Citation context: ... using methods from provable security. Formal proofs make it possible to detail assumptions, so by using a proof assistant like Coq we do not have implicit requirements. The objective of our work, initiated in [5], is to use proof assistants for formalizing provable cryptography. There are two motivations for our work. From the point of view of cryptography, proof assistants provide an excellent tool to highli...

Generic Groups, Collision Resistance, and ECDSA (cited by 13)
- Brown
Citation context: ...n the context of the GM and ROM: in particular, we intend to provide a machine-checked treatment of ROS, and to exploit our formalizations to prove the security of realistic protocols, following e.g. [7, 23]. An even more far-fetched goal would be to give a machine-checked account of a formalism that integrates the computational view of cryptography and provable cryptography. Acknowledgments. I am gratef...

Why provable security matters (cited by 11)
- Stern
- 2003
Citation context: ...A review of the Generic Model. The generic model, GM for short, was introduced by Shoup [22] and Nechaev [18], and can be used to provide an overall guarantee that a cryptographic scheme is not flawed [20, 21, 24]. For example, the GM is useful for establishing the complexity of the discrete logarithm or the decisional Diffie-Hellman problem, which we describe below. 3.1 Informal account. The GM focuses on gene...

The exact security of ECIES in the generic group model (cited by 7)
- Smart
- 2001
Citation context: ...n the context of the GM and ROM: in particular, we intend to provide a machine-checked treatment of ROS, and to exploit our formalizations to prove the security of realistic protocols, following e.g. [7, 23]. An even more far-fetched goal would be to give a machine-checked account of a formalism that integrates the computational view of cryptography and provable cryptography. Acknowledgments. I am gratef...

Fragment of the paper's Coq formalization, misparsed by the index as a citation entry (the source text is truncated after `signstep`):

```coq
Parameter Sec Val : Set.
Parameter SymbM : Set.
Parameter input : list Zq[Sec].
Definition SymbH := (list Zq) * SymbM * Val.
Inductive IGA : Type :=
    erun     : IGA
  | mexstep  : IGA → list Zq → IGA
  | hashstep : IGA → SymbH → IGA
  | signstep : IGA → SymbH → Sec →
```