computer aided security proofs for the working
play

Computer-aided security proofs for the working cryptographer Gilles - PowerPoint PPT Presentation

Jan 14, 2024 •185 likes •630 views

Computer-aided security proofs for the working cryptographer Gilles Barthe Benjamin Grgoire Sylvain Heraud Santiago Zanella Bguelin CRYPTO11, August 15 2011 Monday, August 15, 2011 1 A plea for

  1. Computer-aided security proofs for the working cryptographer Gilles Barthe Benjamin Grégoire Sylvain Heraud Santiago Zanella Béguelin CRYPTO’11, August 15 2011 Monday, August 15, 2011 1

  2. A plea for computer-aided cryptographic proofs A plausible approach to computer-aided cryptographic proofs. Halevi, 2005 Code-Based Game-Playing Proofs and the Security of Triple Encryption. Bellare and Rogaway, 2004-2006 Monday, August 15, 2011 2

  3. A plea for computer-aided cryptographic proofs A plausible approach to computer-aided cryptographic proofs. Halevi, 2005 Code-Based Game-Playing Proofs and the Security of Triple Encryption. Bellare and Rogaway, 2004-2006 A problem with security proofs Do we have a problem with cryptographic proofs? Yes, we do [...] We generate more proofs than we carefully verify (and as a consequence some of our published proofs are incorrect)—Halevi, 2005 In our opinion, many proofs in cryptography have become essentially unverifiable. Our field may be approaching a crisis of rigor—Bellare and Rogaway, 2004-2006 Monday, August 15, 2011 2

  4. A plea for computer-aided cryptographic proofs A plausible approach to computer-aided cryptographic proofs. Halevi, 2005 Code-Based Game-Playing Proofs and the Security of Triple Encryption. Bellare and Rogaway, 2004-2006 A problem with security proofs : a plausible solution I advocate creating an automated tool to help us [...] writing and checking [...] our proofs—Halevi, 2005 The possibility for tools [to help write and verify proofs] has always been one of our motivations, and one of the reasons why we focused on code-based games—Bellare and Rogaway, 2004-2006 Monday, August 15, 2011 2

  5. A primer on computer-aided proofs Monday, August 15, 2011 3

  6. A primer on computer-aided proofs Monday, August 15, 2011 3

  7. A primer on computer-aided proofs Lemma : ∀ r : R , ∃ n : N .r < n Monday, August 15, 2011 3

  8. A primer on computer-aided proofs Lemma : ∀ r : R , ∃ n : N .r < n Proof . intros r ; exists ( ⌈ r ⌉ + 1) . destruct ( nceil spec r ) as ( , H ); exact H. Qed . Monday, August 15, 2011 3

  9. A primer on computer-aided proofs Manual review Lemma : ∀ r : R , ∃ n : N .r < n Proof . intros r ; exists ( ⌈ r ⌉ + 1) . destruct ( nceil spec r ) as ( , H ); exact H. Qed . Monday, August 15, 2011 3

  10. A primer on computer-aided proofs Manual review Lemma : ∀ r : R , ∃ n : N .r < n Proof . intros r ; exists ( ⌈ r ⌉ + 1) . destruct ( nceil spec r ) as ( , H ); exact H. Qed . Automated checking Monday, August 15, 2011 3

  11. A primer on computer-aided proofs Correctness from Manual review Lemma : ∀ r : R , ∃ n : N .r < n first principles Proof . intros r ; exists ( ⌈ r ⌉ + 1) . destruct ( nceil spec r ) as ( , H ); exact H. Qed . Automated checking Monday, August 15, 2011 3

  12. A primer on computer-aided proofs Correctness from Manual review Lemma : ∀ r : R , ∃ n : N .r < n first principles Proof . intros r ; exists ( ⌈ r ⌉ + 1) . destruct ( nceil spec r ) as ( , H ); exact H. Qed . Automated checking 4 colour C seL4 Kepler theorem compiler HyperV conjecture Monday, August 15, 2011 3

  13. A primer on computer-aided proofs Correctness from Manual review Lemma : ∀ r : R , ∃ n : N .r < n first principles Proof . intros r ; exists ( ⌈ r ⌉ + 1) . destruct ( nceil spec r ) as ( , H ); exact H. Qed . Automated checking Monday, August 15, 2011 3

  14. CertiCrypt Formal framework for security proofs: • Code-based game-based technique • Independently verifiable proofs • Applied to FDH, OAEP, Sigma-Protocols, IBE Monday, August 15, 2011 4

  15. CertiCrypt Formal framework for security proofs: • Code-based game-based technique • Independently verifiable proofs • Applied to FDH, OAEP, Sigma-Protocols, IBE High level of Coq expertise and a lot of time Monday, August 15, 2011 4

  16. CertiCrypt Formal framework for security proofs: • Code-based game-based technique • Independently verifiable proofs • Applied to FDH, OAEP, Sigma-Protocols, IBE High level of Coq expertise and a lot of time Exploit state-of-the-art program verification tools! Monday, August 15, 2011 4

  17. From CertiCrypt to EasyCrypt Formal framework for security proofs: • Code-based game-based technique • Independently verifiable proofs • Applied to FDH, OAEP, Sigma-Protocols, IBE High level of Coq expertise and a lot of time Exploit state-of-the-art program verification tools! Computer-assisted security proofs • With moderate effort • Using off-the-shelf tools Simplify Monday, August 15, 2011 4

  18. The essence of game-based proofs Monday, August 15, 2011 5

  19. The essence of game-based proofs Monday, August 15, 2011 5

  20. The essence of game-based proofs Monday, August 15, 2011 5

  21. The essence of game-based proofs Monday, August 15, 2011 5

  22. The essence of game-based proofs Monday, August 15, 2011 5

  23. The essence of game-based proofs Monday, August 15, 2011 5

  24. The essence of game-based proofs Monday, August 15, 2011 5

  25. The essence of game-based proofs Monday, August 15, 2011 5

  26. The essence of game-based proofs Monday, August 15, 2011 5

  27. The essence of game-based proofs Monday, August 15, 2011 5

  28. The essence of game-based proofs Monday, August 15, 2011 5

  29. Automated verification of proof sketches Monday, August 15, 2011 6

  30. Automated verification of proof sketches Inline Monday, August 15, 2011 6

  31. Automated verification of proof sketches Inline Eager Sampling Monday, August 15, 2011 6

  32. Automated verification of proof sketches Inline Eager Sampling Relational invariant Monday, August 15, 2011 6

  33. Automated verification of proof sketches Inline Eager Sampling Witness Relational invariant Monday, August 15, 2011 6

  34. Automated verification of proof sketches Inline Check VC Eager Sampling Witness Relational invariant Monday, August 15, 2011 6

  35. Automated verification of proof sketches Simplify Inline Check VC Eager Sampling Witness Relational invariant Monday, August 15, 2011 6

  36. Automated verification of proof sketches equiv Fact1 : INDCPA.Main ~ G1.Main : {true} ==> ={res} inline KG, Enc; derandomize; auto inv ={L,LA}; pop{2} 1; repeat rnd; trivial;; save;; Simplify Inline Check VC Eager Sampling Witness Relational invariant Monday, August 15, 2011 6

  37. Automated verification of proof sketches equiv Fact1 : INDCPA.Main ~ G1.Main : {true} ==> ={res} inline KG, Enc; derandomize; auto inv ={L,LA}; pop{2} 1; repeat rnd; trivial;; save;; Simplify Monday, August 15, 2011 6

  38. Automated verification of proof sketches equiv Fact1 : INDCPA.Main ~ G1.Main : {true} ==> ={res} inline KG, Enc; derandomize; auto inv ={L,LA}; pop{2} 1; repeat rnd; trivial;; save;; claim Pr1 : INDCPA.Main[res] == G1.Main[res] using Fact1;; Simplify Monday, August 15, 2011 6

  39. Automated verification of proof sketches equiv Fact1 : INDCPA.Main ~ G1.Main : {true} ==> ={res} inline KG, Enc; derandomize; auto inv ={L,LA}; pop{2} 1; repeat rnd; trivial;; save;; claim Pr1 : INDCPA.Main[res] == G1.Main[res] using Fact1;; Simplify Bridging steps Lazy sampling Code motion Algebraic equivs Failure events Reduction steps Monday, August 15, 2011 6

  40. Automated verification of proof sketches equiv Fact1 : INDCPA.Main ~ G1.Main : {true} ==> ={res} inline KG, Enc; derandomize; auto inv ={L,LA}; pop{2} 1; repeat rnd; trivial;; save;; claim Pr1 : INDCPA.Main[res] == G1.Main[res] using Fact1;; Simplify Bridging steps Lazy sampling Code motion Algebraic equivs Failure events Reduction steps Monday, August 15, 2011 6

  41. Case studies Cramer-Shoup encryption system: 10 games, 1650 lines of EasyCrypt, ~100 lines of Coq CertiCrypt EasyCrypt ElGamal 565 190 Hashed ElGamal 1255 243 Full-Domain Hash 2035 509 Cramer-Shoup n/a 1637 OAEP 11162 n/a Significant reduction in: • script size (from × 2 to ÷5 wrt sequence of games) • development time (~10 times faster) • learning time Monday, August 15, 2011 7

  42. Perspectives Computer-assisted security proofs • Can be built with moderate effort • Using off-the-shelf tools • Producing independently verifiable evidence • Work for challenging example: Cramer-Shoup encryption Monday, August 15, 2011 8

  43. Perspectives Computer-assisted security proofs • Can be built with moderate effort • Using off-the-shelf tools • Producing independently verifiable evidence • Work for challenging example: Cramer-Shoup encryption • Distribute (http://certicrypt.gforge.inria.fr/) • Improve and extend • More examples: SHA3, differential privacy Monday, August 15, 2011 8

Recommend

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain Challenges with provable security Building or verifying reductionist proofs is hard Proofs are long and error-prone Rely on unstated and unverified

921 views • 78 slides
Computer-aided cryptographic proofs Gilles Barthe MPI-SP , Germany IMDEA Software Institute,

Computer-aided cryptographic proofs Gilles Barthe MPI-SP , Germany IMDEA Software Institute,

Computer-aided cryptographic proofs Gilles Barthe MPI-SP , Germany IMDEA Software Institute, Spain Computer-aided cryptography Develop tool-assisted methodologies for helping the design, analysis, and implementation of cryptographic

533 views • 26 slides
Computer-aided cryptographic proofs Gilles Barthe MPI-SP , Germany IMDEA Software Institute,

Computer-aided cryptographic proofs Gilles Barthe MPI-SP , Germany IMDEA Software Institute,

Computer-aided cryptographic proofs Gilles Barthe MPI-SP , Germany IMDEA Software Institute, Spain Computer-aided cryptography Develop tool-assisted methodologies for helping the design, analysis, and implementation of cryptographic

451 views • 43 slides
Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain Modern

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain Modern

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain Modern cryptography Shannon 49 Mathematical proof of security Perfect secrecy is impossible Diffie &amp; Hellman 76 Computational

1.01k views • 98 slides
Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain May 1, 2017

Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain May 1, 2017

Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain May 1, 2017 S. Halevi: A plausible approach to computer-aided cryptographic proofs M. Bellare and P. Rogaway: Code-Based Game-Playing Proofs and the

619 views • 31 slides
Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain July

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain July

Computer-aided cryptographic proofs Gilles Barthe IMDEA Software Institute, Madrid, Spain July 18, 2014 Motivation Cryptography is a small but important part of security Proofs are a small but important part of cryptography Hard to

402 views • 17 slides
Computer-aided cryptographic proofs Gilles Barthe &amp; Yassine Lakhnech IMDEA Software

Computer-aided cryptographic proofs Gilles Barthe &amp; Yassine Lakhnech IMDEA Software

Computer-aided cryptographic proofs Gilles Barthe &amp; Yassine Lakhnech IMDEA Software Institute, Madrid, Spain Universit Joseph Fourier &amp; CNRS, Grenoble, France Based on joint work with J.M. Crespo, F. Dupressoir, B. Grgoire, C. Kunz,

746 views • 52 slides
Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain December 1,

Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain December 1,

Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain December 1, 2015 Introduction Two models of cryptography: Computational: strong guarantees but complex proofs Symbolic: automated proofs but weak

1.42k views • 26 slides
Computer-aided cryptographic proofs and designs Gilles Barthe (IMDEA, Spain) Benjamin Grgoire

Computer-aided cryptographic proofs and designs Gilles Barthe (IMDEA, Spain) Benjamin Grgoire

Computer-aided cryptographic proofs and designs Gilles Barthe (IMDEA, Spain) Benjamin Grgoire (INRIA Sophia Antipolis, France) Juan Manuel Crespo (IMDEA, Spain) Francois Dupressoir (IMDEA, Spain) Csar Kunz (IMDEA/U. Politecnica Madrid,

815 views • 44 slides
Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
Integrated computer-aided working-fluid design and thermoeconomic ORC system optimisation MT

Integrated computer-aided working-fluid design and thermoeconomic ORC system optimisation MT

IV International Seminar on ORC Power Systems 13 15th September, 2017, Milan, Italy Integrated computer-aided working-fluid design and thermoeconomic ORC system optimisation MT White, OA Oyewunmi, MA Chatzopoulou, AM Pantaleo, AJ Haslam and

270 views • 25 slides
Computer-Aided Privacy Proofs C esar Kunz Joint work with Gilles Barthe, Benjamin Gr

Computer-Aided Privacy Proofs C esar Kunz Joint work with Gilles Barthe, Benjamin Gr

Computer-Aided Privacy Proofs C esar Kunz Joint work with Gilles Barthe, Benjamin Gr egoire, Santiago Zanella-B eguelin 2012.07.10 Provable Privacy Workshop 2012 Privacy for Statistical Databases Privacy for Statistical Databases

721 views • 23 slides
Computer Aided Many sorts of computer assisted/aided Learning learning From PowerPoint

Computer Aided Many sorts of computer assisted/aided Learning learning From PowerPoint

Topics Computer Aided Many sorts of computer assisted/aided Learning learning From PowerPoint presentations to educational Computer Literacy 1 Lecture 14 websites and more Moodle an active e-learning platform 21/10/08 CAL and

99 views • 6 slides
Computer Aided Security : Cryptographic Primitives, Voting protocols, and Wireless Sensor

Computer Aided Security : Cryptographic Primitives, Voting protocols, and Wireless Sensor

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Computer Aided Security : Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Pascal Lafourcade November 6, 2012

624 views • 44 slides
Security Verification with F* Cdric Fournet Catalin Hritcu Aseem Rastogi *the Everest

Security Verification with F* Cdric Fournet Catalin Hritcu Aseem Rastogi *the Everest

Computer-Aided Security Proofs, Aarhus, Oct 9 13 2017 Security Verification with F* Cdric Fournet Catalin Hritcu Aseem Rastogi *the Everest VERified End-to-end Secure Transport Everest*: Verified Drop-in Replacements for TLS/HTTPS

464 views • 34 slides
Why and What is the National 3D CAE Software Computer Aided Engineering Computer Aided

Why and What is the National 3D CAE Software Computer Aided Engineering Computer Aided

Why and What is the National 3D CAE Software Computer Aided Engineering Computer Aided Design Somboon Otarawanna ( ) CAD/CAE Lab (

659 views • 28 slides
Computer Aided Translation Philipp Koehn 1 September 2017 Philipp Koehn Computer Aided

Computer Aided Translation Philipp Koehn 1 September 2017 Philipp Koehn Computer Aided

Computer Aided Translation Philipp Koehn 1 September 2017 Philipp Koehn Computer Aided Translation 1 September 2017 Overview 1 A practical introduction: the casmacat workbench Postediting Types of assistance Logging, eye

1.31k views • 106 slides
Existence of Noise Induced Order, a computer aided proof. S. Galatolo Dip. Mat, Univ. Pisa CIRM

Existence of Noise Induced Order, a computer aided proof. S. Galatolo Dip. Mat, Univ. Pisa CIRM

Existence of Noise Induced Order, a computer aided proof. S. Galatolo Dip. Mat, Univ. Pisa CIRM 2019 S.Galatolo (Dip. Mat, Univ. Pisa ) Existence of Noise Induced Order, a computer aided proof. CIRM 2019 1 / 24 Computer aided proofs and

484 views • 24 slides
Welcome to SolidWorks Computer Aided Design (CAD) Part Assemblies Drawings Design Analyses

Welcome to SolidWorks Computer Aided Design (CAD) Part Assemblies Drawings Design Analyses

Welcome to SolidWorks Computer Aided Design (CAD) Part Assemblies Drawings Design Analyses Finite Element Analysis (FEA) Topology Optimization Production Preparation Computer Aided CAD to XR Manufacturing (CAM) (AR/VR/MR/Web)

378 views • 18 slides
Computer- -Aided Diagnosis in Aided Diagnosis in Computer Medical Imaging: From Pattern

Computer- -Aided Diagnosis in Aided Diagnosis in Computer Medical Imaging: From Pattern

Computer- -Aided Diagnosis in Aided Diagnosis in Computer Medical Imaging: From Pattern Medical Imaging: From Pattern Recognition to Clinical Validation Recognition to Clinical Validation Axel Wismller Dept. of Radiology, Klinikum

428 views • 25 slides
Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA)

800 views • 58 slides
BLOX Naeem Bhatti Jonathan Voss Tyrone Wilkinson Motivation Computer-aided design and

BLOX Naeem Bhatti Jonathan Voss Tyrone Wilkinson Motivation Computer-aided design and

BLOX Naeem Bhatti Jonathan Voss Tyrone Wilkinson Motivation Computer-aided design and computer-aided engineering software such as Solidworks allow the user to model 2D and 3D structures by providing a series of parameters. Sandbox video

485 views • 15 slides
Trimming while Checking Clausal Proofs Marijn J.H. Heule Warren A. Hunt, Jr. Nathan Wetzler

Trimming while Checking Clausal Proofs Marijn J.H. Heule Warren A. Hunt, Jr. Nathan Wetzler

Trimming while Checking Clausal Proofs Marijn J.H. Heule Warren A. Hunt, Jr. Nathan Wetzler The University of Texas at Austin Formal Methods in Computer-Aided Design (FMCAD) Portland, Oregon October 23, 2013 Wednesday, October 23, 13

870 views • 50 slides
Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain May 17, 2015

Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain May 17, 2015

Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain May 17, 2015 Modern cryptography Shannon 49 Mathematical proof of security Perfect secrecy is impossible Diffie &amp; Hellman 76

607 views • 41 slides

More recommend