Decidability of a Sound Set of Inference Rules for Computational - PowerPoint PPT Presentation


  1. Decidability of a Sound Set of Inference Rules for Computational Indistinguishability Adrien Koutsos LSV, CNRS, ENS Paris-Saclay June 29, 2019 Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 1 / 34

  2. Introduction: Motivation. Security protocols are distributed programs which aim at providing some security properties. They are extensively used, and bugs can be very costly. Security protocols are often short, but the security properties are complex. ⇒ Need to use formal methods.

  3. Introduction: Goal of this work. We focus on fully automatic proofs of indistinguishability properties in the computational model:

  4. Introduction: Goal of this work. We focus on fully automatic proofs of indistinguishability properties in the computational model:
     - Computational model: the adversary is any probabilistic polynomial time Turing machine. This offers strong security guarantees.

  5. Introduction: Goal of this work. We focus on fully automatic proofs of indistinguishability properties in the computational model:
     - Computational model: the adversary is any probabilistic polynomial time Turing machine. This offers strong security guarantees.
     - Indistinguishability properties: e.g. strong secrecy, anonymity or unlinkability.

  6. Introduction: Goal of this work. We focus on fully automatic proofs of indistinguishability properties in the computational model:
     - Computational model: the adversary is any probabilistic polynomial time Turing machine. This offers strong security guarantees.
     - Indistinguishability properties: e.g. strong secrecy, anonymity or unlinkability.
     - Fully automatic: we want a complete decision procedure.

  7. 1 Introduction; 2 The Bana-Comon Model; 3 Inference Rules (Unitary Inference Rules, Inference Rules); 4 Decision Result; 5 Conclusion

  8. 1 Introduction; 2 The Bana-Comon Model; 3 Inference Rules (Unitary Inference Rules, Inference Rules); 4 Decision Result; 5 Conclusion

  9. The Private Authentication Protocol
     $A' : n_{A'} \xleftarrow{\$}$, $B : n_B \xleftarrow{\$}$
     $1 : A' \to B : \{\langle A', n_{A'}\rangle\}_{pk(B)}$
     $2 : B \to A' : \{\langle n_{A'}, n_B\rangle\}_{pk(A)}$ if $A' = A$, and $\{\langle n_B, n_B\rangle\}_{pk(A)}$ otherwise

  10. Bana-Comon Model: Messages. We use terms to model protocol messages, built upon:
     - Names $\mathcal{N}$, e.g. $n_A$, $n_B$, for random samplings.
     - Function symbols $\mathcal{F}$, e.g.: $A$, $B$, $\langle \_, \_ \rangle$, $\pi_i(\_)$, $\{\_\}_{\_}$, $pk(\_)$, $sk(\_)$, if_then_else_, $eq(\_, \_)$
     - Variables $\mathcal{X}$.

  11. Bana-Comon Model: Messages. We use terms to model protocol messages, built upon:
     - Names $\mathcal{N}$, e.g. $n_A$, $n_B$, for random samplings.
     - Function symbols $\mathcal{F}$, e.g.: $A$, $B$, $\langle \_, \_ \rangle$, $\pi_i(\_)$, $\{\_\}_{\_}$, $pk(\_)$, $sk(\_)$, if_then_else_, $eq(\_, \_)$
     - Variables $\mathcal{X}$.
     Examples: $\langle n_A, A\rangle$, $\pi_1(n_B)$, $\{\langle A', n_{A'}\rangle\}_{pk(B)}$

  12. Bana-Comon Model: Messages. The Private Authentication Protocol
     $1 : A' \to B : \{\langle A', n_{A'}\rangle\}_{pk(B)}$
     $2 : B \to A' : \{\langle n_{A'}, n_B\rangle\}_{pk(A)}$ if $A' = A$, and $\{\langle n_B, n_B\rangle\}_{pk(A)}$ otherwise
     How do we represent the adversary's inputs?

  13. Bana-Comon Model: Messages. The Private Authentication Protocol
     $1 : A' \to B : \{\langle A', n_{A'}\rangle\}_{pk(B)}$
     $2 : B \to A' : \{\langle n_{A'}, n_B\rangle\}_{pk(A)}$ if $A' = A$, and $\{\langle n_B, n_B\rangle\}_{pk(A)}$ otherwise
     How do we represent the adversary's inputs? We use adversarial function symbols, typically $g$. $g$ takes as input the current knowledge of the adversary (the frame).

  14. Bana-Comon Model: Messages. The Private Authentication Protocol
     $1 : A' \to B : \{\langle A', n_{A'}\rangle\}_{pk(B)}$
     $2 : B \to A' : \{\langle n_{A'}, n_B\rangle\}_{pk(A)}$ if $A' = A$, and $\{\langle n_B, n_B\rangle\}_{pk(A)}$ otherwise
     How do we represent the adversary's inputs? We use adversarial function symbols, typically $g$. $g$ takes as input the current knowledge of the adversary (the frame). Intuitively, they can be any probabilistic polynomial time algorithm. Moreover, branching of the protocol is done using if_then_else_.

  15. Bana-Comon Model: Messages. The Private Authentication Protocol
     $1 : A' \to B : \{\langle A', n_{A'}\rangle\}_{pk(B)}$
     $2 : B \to A' : \{\langle n_{A'}, n_B\rangle\}_{pk(A)}$ if $A' = A$, and $\{\langle n_B, n_B\rangle\}_{pk(A)}$ otherwise
     Term Representing the Messages in PA
     $t_1 = \{\langle A', n_{A'}\rangle\}_{pk(B)}$
     $t_2 = \text{if } eq(\pi_1(dec(g(t_1), sk(B))); A) \text{ then } \{\langle \pi_2(dec(g(t_1), sk(B))), n_B\rangle\}_{pk(A)} \text{ else } \{\langle n_B, n_B\rangle\}_{pk(A)}$

  16. Bana-Comon Model: Protocol Execution. The execution of a protocol $P$ is a sequence of terms using adversarial function symbols: $u^P_1, \dots, u^P_n$, where $u^P_i$ is the $i$-th message sent on the network by $P$.

  17. Bana-Comon Model: Protocol Execution. The execution of a protocol $P$ is a sequence of terms using adversarial function symbols: $u^P_1, \dots, u^P_n$, where $u^P_i$ is the $i$-th message sent on the network by $P$. Remark: This is only possible for a bounded number of messages.

  18. Bana-Comon Model: Security Properties. Formulas are built using:
     - For every $n \in \mathbb{N}$, the predicate $\sim_n$ of arity $2n$.

  19. Bana-Comon Model: Security Properties. Formulas are built using:
     - For every $n \in \mathbb{N}$, the predicate $\sim_n$ of arity $2n$.
     Examples: $n \sim \text{if } g() \text{ then } n \text{ else } n'$

  20. Bana-Comon Model: Security Properties. Formulas are built using:
     - For every $n \in \mathbb{N}$, the predicate $\sim_n$ of arity $2n$.
     Examples: $n \sim \text{if } g() \text{ then } n \text{ else } n'$
     Privacy of the PA protocol can be expressed by the ground formula: $t^A_1, t^A_2 \sim t^C_1, t^C_2$

  21. Bana-Comon Model: Security Properties. Formulas are built using:
     - For every $n \in \mathbb{N}$, the predicate $\sim_n$ of arity $2n$.
     - Boolean connectives $\wedge, \vee, \neg, \to$.
     - First-order quantifier $\forall$.
     Examples: $n \sim \text{if } g() \text{ then } n \text{ else } n'$
     Privacy of the PA protocol can be expressed by the ground formula: $t^A_1, t^A_2 \sim t^C_1, t^C_2$

  22. 1 Introduction; 2 The Bana-Comon Model; 3 Inference Rules (Unitary Inference Rules, Inference Rules); 4 Decision Result; 5 Conclusion

  23. Unitary Inference Rules. We know that some atomic formulas are valid:
     - Using $\alpha$-renaming of random samplings: $n_A, n_B \sim n_C, n_D$

  24. Unitary Inference Rules. We know that some atomic formulas are valid:
     - Using $\alpha$-renaming of random samplings: $n_A, n_B \sim n_C, n_D$
     - Using cryptographic assumptions on the security primitives, e.g. if the encryption scheme is ind-cca$_1$.

  25. Unitary Inference Rules: Cryptographic Assumptions. CCA1 Rules: $\{m_0\}_{pk} \sim \{m_1\}_{pk}$

  26. Unitary Inference Rules: Cryptographic Assumptions. CCA1 Rules: $\{m_0\}_{pk} \sim \{m_1\}_{pk}$
     Assuming:
     - $sk$ occurs only in decryption position in $m_0, m_1$

  27. Unitary Inference Rules: Cryptographic Assumptions. CCA1 Rules: $\{m_0\}^{n_r}_{pk} \sim \{m_1\}^{n_r}_{pk}$
     Assuming:
     - $sk$ occurs only in decryption position in $m_0, m_1$
     - $n_r$ does not appear in $m_0, m_1$

  28. Unitary Inference Rules: Cryptographic Assumptions. CCA1 Rules: $\{m_0\}^{n_r}_{pk} \sim \{m_1\}^{n_r}_{pk}$
     Assuming:
     - $sk$ occurs only in decryption position in $m_0, m_1$
     - $n_r$ does not appear in $m_0, m_1$
     Theorem: The CCA1 rules are valid when the encryption and decryption functions form an ind-cca$_1$ encryption scheme.
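
The two side conditions of the CCA1 rule are purely syntactic, so they can be checked by walking the term tree. The following Python is an added example, not code from the slides or from the author's tool: the term encoding, all function names, and the explicit encryption randomness `r1`, `r2` on the PA terms are assumptions, and it checks only the two conditions listed on the slide.

```python
from typing import NamedTuple, Tuple

class Name(NamedTuple):        # a random sampling, e.g. n_B
    id: str

class App(NamedTuple):         # function symbol applied to sub-terms
    sym: str
    args: Tuple = ()

def enc(m, key, r): return App("enc", (m, key, r))   # {m}^r_key
def dec(c, key):    return App("dec", (c, key))
def pair(a, b):     return App("pair", (a, b))
def pk(a):          return App("pk", (a,))
def sk(a):          return App("sk", (a,))

def names(t):
    """All names (random samplings) occurring in term t."""
    if isinstance(t, Name):
        return {t}
    return set().union(*(names(a) for a in t.args))

def sk_only_in_dec(t, secret):
    """True iff `secret` occurs in t only as the key argument of dec."""
    if t == secret:
        return False
    if isinstance(t, Name):
        return True
    if t.sym == "dec" and t.args[1] == secret:
        return sk_only_in_dec(t.args[0], secret)
    return all(sk_only_in_dec(a, secret) for a in t.args)

def cca1_side_conditions(left, right):
    """Check the slide's two side conditions for {m0}^r_pk ~ {m1}^r_pk."""
    if not all(isinstance(t, App) and t.sym == "enc" for t in (left, right)):
        return False
    (m0, key, r), (m1, key1, r1) = left.args, right.args
    same = (key, r) == (key1, r1) and isinstance(r, Name)
    if not same or getattr(key, "sym", None) != "pk":
        return False
    secret = App("sk", key.args)
    return all(r not in names(m) and sk_only_in_dec(m, secret) for m in (m0, m1))

# Constructed sample terms modelled on t_1 and the two branches of t_2.
A, B, A2 = App("A"), App("B"), App("A'")
nA2, nB, r1, r2 = Name("nA'"), Name("nB"), Name("r1"), Name("r2")
t1 = enc(pair(A2, nA2), pk(B), r1)
d = dec(App("g", (t1,)), sk(B))
then_branch = enc(pair(App("pi2", (d,)), nB), pk(A), r2)
else_branch = enc(pair(nB, nB), pk(A), r2)
```

`cca1_side_conditions(then_branch, else_branch)` holds for the two branches of message 2; a plaintext that contains `sk(B)` outside a `dec` key position, or that reuses the encryption randomness, is rejected.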
