exploiting symmetries when proving equivalence properties
play

Exploiting symmetries when proving equivalence properties for - PowerPoint PPT Presentation

Jun 12, 2023 •135 likes •830 views

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval, Steve Kremer, Itsaka Rakotonirina Inria Nancy Grand-Est Security protocols TLS Wifi @ PASS E-voting E-passport 2 24 Security protocols

  1. Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval, Steve Kremer, Itsaka Rakotonirina Inria Nancy Grand-Est

  2. Security protocols TLS Wifi @ PASS E-voting E-passport 2 24

  3. Security protocols TLS Wifi @ 2016 (early ver. 1.3) 2017 (WPA2) PASS E-voting E-passport 2010 (Helios) 2013 (BAC) 2 24

  4. Symbolic attacker model = protocol’s logic in an adversarial environment, with perfect cryptography 3 24

  5. Symbolic attacker model = protocol’s logic in an adversarial environment, with perfect cryptography Crypto = equations: Dishonest parties can: read / overwrite e.g. dec(enc(m, k), k) = m messages (symmetric encryption) no other behaviours DoS 3 24

  6. Privacy as indistinguishability Anonymity Alice Bob 4 24

  7. Privacy as indistinguishability Anonymity Alice Bob yes no no yes Vote privacy … 4 24

  8. Privacy as indistinguishability Behavioural indistinguishability for all potential attackers Anonymity Alice Bob yes no no yes Vote privacy … 4 24

  9. Privacy as indistinguishability yes no no yes 5 24

  10. Privacy as indistinguishability yes no no yes Equivalence coNEXP-complete for a fixed number of participants [S&P18] S. Kremer, V. Cheval, I. Rakotonirina. DEEPSEC: Deciding equivalence properties in security protocols — theory and practice 5 24

  11. Privacy as indistinguishability yes no no yes Observation ! Equivalence coNEXP-complete Each time, the two processes for a fixed number of participants share a common structure [S&P18] S. Kremer, V. Cheval, I. Rakotonirina. DEEPSEC: Deciding equivalence properties in security protocols — theory and practice 5 24

  12. Contributions A refinement of trace equivalence for processes with structural similarities Partial-order reductions for any process for this new equivalence Integration into the DeepSec prover 6 24

  13. Trace equivalence

  14. Modelling indistinguishability A simple example 8 24

  15. Modelling indistinguishability A simple example enc(0,k) enc(1,k) t 8 24

  16. Modelling indistinguishability A simple example enc(0,k) enc(1,k) t out(c, enc(0,k)) out(c, enc(1,k)) 8 24

  17. Modelling indistinguishability A simple example enc(0,k) enc(1,k) k k t out(c, enc(0,k)) out(c, enc(1,k)) | out(d, k) out(d, k) | 8 24

  18. Modelling indistinguishability A simple example enc(0,k) enc(1,k) k k t out(c, enc(0,k)) out(c, enc(1,k)) | out(d, k) out(d, k) | m 1 m 2 Distinguishing execution: 8 24

  19. Modelling indistinguishability A simple example enc(0,k) enc(1,k) k k t out(c, enc(0,k)) out(c, enc(1,k)) | out(d, k) out(d, k) | m 1 m 2 ? Distinguishing execution: + test dec(m 1 ,m 2 ) = 0 8 24

  20. Modelling indistinguishability Formalism P 0 P 1 iff ∀ t ∈ Traces(P i ), ∃ t’ ∈ Traces(P 1-i ), t ~ t’ t 9 24

  21. Modelling indistinguishability Formalism algebra of finite concurrent processes P 0 P 1 iff ∀ t ∈ Traces(P i ), ∃ t’ ∈ Traces(P 1-i ), t ~ t’ t 9 24

  22. Modelling indistinguishability Formalism in(c,x). P P | Q algebra of finite concurrent processes out(c,u). P if u = v then P else Q P 0 P 1 iff ∀ t ∈ Traces(P i ), ∃ t’ ∈ Traces(P 1-i ), t ~ t’ t 9 24

  23. Modelling indistinguishability Formalism in(c,x). P P | Q algebra of finite concurrent processes out(c,u). P if u = v then P else Q P 0 P 1 iff ∀ t ∈ Traces(P i ), ∃ t’ ∈ Traces(P 1-i ), t ~ t’ t sequences of inputs/outputs in an active adversarial environment 9 24

  24. Modelling indistinguishability Formalism in(c,x). P P | Q algebra of finite concurrent processes out(c,u). P if u = v then P else Q P 0 P 1 iff ∀ t ∈ Traces(P i ), ∃ t’ ∈ Traces(P 1-i ), t ~ t’ t sequences of inputs/outputs in an active adversarial environment out(c,u) ⇒ adds u to the attacker’s knowledge in(c,x) ⇒ receives a term from the attacker 9 24

  25. Modelling indistinguishability Formalism in(c,x). P P | Q algebra of finite concurrent processes out(c,u). P if u = v then P else Q P 0 P 1 iff ∀ t ∈ Traces(P i ), ∃ t’ ∈ Traces(P 1-i ), t ~ t’ t sequences of inputs/outputs in static indistinguishability of an active adversarial environment sequences of inputs/outputs out(c,u) ⇒ adds u to the attacker’s knowledge in(c,x) ⇒ receives a term from the attacker 9 24

  26. Trace equivalence… in practice

  27. A combinatorial fact … … action’ 1,1 action’ n,1 action 1,1 action n,1 … … … … … … action’ 1,p action’ n,p action n,p action 1,p … … 11 24

  28. A combinatorial fact n sessions … … action’ 1,1 action’ n,1 action 1,1 action n,1 p actions … … … … per session … … action’ 1,p action’ n,p action n,p action 1,p … … 11 24

  29. A combinatorial fact n sessions … … action’ 1,1 action’ n,1 action 1,1 action n,1 p actions … … … … per session … … action’ 1,p action’ n,p action n,p action 1,p … … Goal ∀ seq. of actions a 1 a 2 … a np , ∃ equivalent seq. of actions a’ 1 a’ 2 … a’ np 11 24

  30. A combinatorial fact n sessions … … action’ 1,1 action’ n,1 action 1,1 action n,1 p actions … … … … per session … … action’ 1,p action’ n,p action n,p action 1,p … … Goal ∀ seq. of actions a 1 a 2 … a np , ∃ equivalent seq. of actions a’ 1 a’ 2 … a’ np ~(np)! matchings Actions 11 24

  31. A combinatorial fact n sessions … … action’ 1,1 action’ n,1 action 1,1 action n,1 p actions … … … … per session … … action’ 1,p action’ n,p action n,p action 1,p … … Goal ∀ seq. of actions a 1 a 2 … a np , ∃ equivalent seq. of actions a’ 1 a’ 2 … a’ np ~(np)! matchings ~n! matchings Actions Sessions 11 24

  32. Why matching sessions? instead of individual actions … … action’ 1,1 action’ n,1 action 1,1 action n,1 … … … … … … action’ 1,p action’ n,p action n,p action 1,p … … 12 24

  33. Why matching sessions? instead of individual actions … … action’ 1,1 action’ n,1 action 1,1 action n,1 … … … … … … action’ 1,p action’ n,p action n,p action 1,p … … Reduces combinatorial explosion Sound, and often sufficient to prove trace equivalence 12 24

  34. Why matching sessions? instead of individual actions … … action’ 1,1 action’ n,1 action 1,1 action n,1 … … … … … … action’ 1,p action’ n,p action n,p action 1,p … … Reduces combinatorial explosion Actually a realistic attacker model e.g. for an adversary observing ports Sound, and often sufficient to dynamically allocated to each session prove trace equivalence 12 24

  35. Formally: process pairing 13 24

  36. Formally: process pairing (M ATCH ) (P 1 | … | P n , Q 1 | … | Q n ) (P 1 ,Q σ (1) ), …, (P 1 , Q σ (n) ) σ permutation of {1,…,n} 13 24

  37. Formally: process pairing (M ATCH ) (P 1 | … | P n , Q 1 | … | Q n ) (P 1 ,Q σ (1) ), …, (P 1 , Q σ (n) ) σ permutation of {1,…,n} 훼 훼 훼 (E XEC ) (P,Q) (P’,Q’) if P → P’ and Q → Q’ (in the single-process semantics) 13 24

  38. Formally: process pairing (M ATCH ) (P 1 | … | P n , Q 1 | … | Q n ) (P 1 ,Q σ (1) ), …, (P 1 , Q σ (n) ) σ permutation of {1,…,n} 훼 훼 훼 (E XEC ) (P,Q) (P’,Q’) if P → P’ and Q → Q’ (in the single-process semantics) Trace Equiv. ∀ t ∈ Traces(P), ∃ t’ ∈ Traces(Q), t ~ t’ 13 24

  39. Formally: process pairing (M ATCH ) (P 1 | … | P n , Q 1 | … | Q n ) (P 1 ,Q σ (1) ), …, (P 1 , Q σ (n) ) σ permutation of {1,…,n} 훼 훼 훼 (E XEC ) (P,Q) (P’,Q’) if P → P’ and Q → Q’ (in the single-process semantics) Trace Equiv. ∀ t ∈ Traces(P), ∃ t’ ∈ Traces(Q), t ~ t’ Equiv. by session ∃ t 2 ∈ Traces(P,Q), snd(t 2 ) = t’ 13 24

  40. Optimisations

  41. For trace equivalence [CONCUR15] D. Baelde, S. Delaune, L. Hirschi. Partial-order reductions for security protocols 15 24

  42. For trace equivalence [CONCUR15] D. Baelde, S. Delaune, L. Hirschi. Partial-order reductions for security protocols ∀ t ∈ Traces(P), ∃ t’ ∈ Traces(Q), t ~ t’ 15 24

  43. For trace equivalence [CONCUR15] D. Baelde, S. Delaune, L. Hirschi. Partial-order reductions for security protocols ∀ t ∈ Traces(P), ∃ t’ ∈ Traces(Q), t ~ t’ reduce the number of traces to check? 15 24

  44. For trace equivalence [CONCUR15] D. Baelde, S. Delaune, L. Hirschi. Partial-order reductions for security protocols ∀ t ∈ Traces(P), ∃ t’ ∈ Traces(Q), t ~ t’ reduce the number of traces to check? Main theorem If P,Q are determinate, it is sufficient to consider traces up to permutation of adjacent independent actions. 15 24

  45. For trace equivalence [CONCUR15] D. Baelde, S. Delaune, L. Hirschi. Partial-order reductions for security protocols ∀ t ∈ Traces(P), ∃ t’ ∈ Traces(Q), t ~ t’ reduce the number of traces to check? Main theorem If P,Q are determinate, it is sufficient to consider traces up to permutation of adjacent independent actions. independent 15 24 Concurrent actions with no data flow

Recommend

Proving the Equivalence of Higher-Order Terms by Means of Supercompilation Ilya Klyuchnikov and

Proving the Equivalence of Higher-Order Terms by Means of Supercompilation Ilya Klyuchnikov and

Introduction Proving properties of programs Proving equality and equivalence Applications Summary Proving the Equivalence of Higher-Order Terms by Means of Supercompilation Ilya Klyuchnikov and Sergei Romanenko Keldysh Institute of Applied

588 views • 31 slides
Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs Birkbeck, University of London joint work with Cynthia Kop (U Copenhagen) and Naoki Nishida (U Nagoya) Workshop on Program Equivalence, London, UK 11

2.1k views • 197 slides
Proving Equivalence Between Imperative and MapReduce Implementations Using Program

Proving Equivalence Between Imperative and MapReduce Implementations Using Program

Proving Equivalence Between Imperative and MapReduce Implementations Using Program Transformations VPT 2018 Thessaloniki 20 April 2018 Bernhard Beckert, Timo Bingman, Moritz Kiefer, Peter Sanders, Mattias Ulbrich , Alexander Weigl www.kit.edu

968 views • 60 slides
Relational QPs Exploiting Symmetries for Modelling and Solving QPs Sriraam Amir Martin Babak

Relational QPs Exploiting Symmetries for Modelling and Solving QPs Sriraam Amir Martin Babak

Relational QPs Exploiting Symmetries for Modelling and Solving QPs Sriraam Amir Martin Babak Natarajan Globerson Mladenov Ahmadi U. Indiana HUJI TUD, Google PicoEgo Kristian Martin Pavel Christopher Grohe Tokmakov Kersting Re

820 views • 58 slides
Exploiting Symmetries of Lattice Polytopes Achill Schrmann (Universitt Rostock) ( with parts

Exploiting Symmetries of Lattice Polytopes Achill Schrmann (Universitt Rostock) ( with parts

Einstein Workshop on Lattice Polytopes Berlin, December 11th-15th, 2016 Exploiting Symmetries of Lattice Polytopes Achill Schrmann (Universitt Rostock) ( with parts based on work with David Bremner, Mathieu Dutour Sikiri , Erik

381 views • 27 slides
On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, L eo

On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, L eo

On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, L eo Perrin June 3, 2019 Fq14, Vancouver Setting up the background Cryptographic properties Equivalence classes CCZ-equivalence Cryptographic

885 views • 63 slides
Regression Verification: Proving Partial Equivalence Talk by Dennis Felsing Seminar within the

Regression Verification: Proving Partial Equivalence Talk by Dennis Felsing Seminar within the

Regression Verification: Proving Partial Equivalence Talk by Dennis Felsing Seminar within the Projektgruppe Formale Methoden der Softwareentwicklung WS 2012/2013 1 / 24 Introduction Formal Verification Formally prove correctness of

457 views • 41 slides
Automated method in proving graph properties Kailiang Ji INRIA & Universit e Paris

Automated method in proving graph properties Kailiang Ji INRIA & Universit e Paris

Automated method in proving graph properties Kailiang Ji INRIA & Universit e Paris Diderot-Paris 7 October 31, 2013 Outline Background Expressions of graph properties Automated theorem proving Implementation Motivation

1.08k views • 65 slides
NFA/DFA: Closure Properties, Relation to Regular Languages Lecture 5 1 Today NFAs

NFA/DFA: Closure Properties, Relation to Regular Languages Lecture 5 1 Today NFAs

NFA/DFA: Closure Properties, Relation to Regular Languages Lecture 5 1 Today NFAs recap : Determinizing an NFA Closure Properties of class of languages accepted by NFAs/DFAs Towards proving equivalence of regular languages and

537 views • 25 slides
On proving liveness properties of programs Alexey Gotsman University of Cambridge joint work

On proving liveness properties of programs Alexey Gotsman University of Cambridge joint work

On proving liveness properties of programs Alexey Gotsman University of Cambridge joint work with Byron Cook, Andreas Podelski, and Andrey Rybalchenko BCTCS06, 6 April 2006 State-of-the-art Systems Model checking Abstraction Properties

484 views • 13 slides
Symmetries, graph properties, and quantum speedups Daochen Wang University of Maryland Joint

Symmetries, graph properties, and quantum speedups Daochen Wang University of Maryland Joint

Symmetries, graph properties, and quantum speedups Daochen Wang University of Maryland Joint work with Shalev Ben-David, Andrew M. Childs, Andr as Gily en, William Kretschmer, and Supartha Podder arXiv: 2006.12760 Microsoft Research

527 views • 29 slides
Nano-electronics Exploring and exploiting novel electronic properties of nanomaterials Professor

Nano-electronics Exploring and exploiting novel electronic properties of nanomaterials Professor

CBSSS 04 Nano-electronics Exploring and exploiting novel electronic properties of nanomaterials Professor Marc Bockrath Applied Physics, Caltech for computation Microelectronics The basis for present-day Circuitry patterned on micron

938 views • 47 slides
Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory

Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory

Proving Security Protocols 1 L. C. Paulson Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory University of Cambridge Proving Security Protocols 2 L. C. Paulson Cryptographic Protocol Analysis

389 views • 24 slides
Can Charlie distinguish Alice and Bob? Automated verification of equivalence properties Steve

Can Charlie distinguish Alice and Bob? Automated verification of equivalence properties Steve

Can Charlie distinguish Alice and Bob? Automated verification of equivalence properties Steve Kremer joint work with: Myrto Arapinis, David Baelde, Rohit Chadha, Vincent Cheval, S tefan Ciob ac a, V eronique Cortier, St ephanie

1.09k views • 87 slides
Symmetries: Symmetries Explain . . . Symmetries Explain . . . A General Approach to What Else

Symmetries: Symmetries Explain . . . Symmetries Explain . . . A General Approach to What Else

Symmetry: a . . . Basic Symmetries: . . . Basic Nonlinear . . . Symmetries: Symmetries Explain . . . Symmetries Explain . . . A General Approach to What Else We Do in . . . Integrated Uncertainty First Example: . . . Second Example: . . .

464 views • 29 slides
Proving Probabilistic Proving Probabilistic Properties of the I tai I tai Rodeh Rodeh

Proving Probabilistic Proving Probabilistic Properties of the I tai I tai Rodeh Rodeh

Proving Probabilistic Proving Probabilistic Properties of the I tai I tai Rodeh Rodeh Properties of the leader election protocol for leader election protocol for any Number of Processes any Number of Processes Douglas Graham Douglas

597 views • 40 slides
Exploiting Environmental Properties for Wireless Localization and Location Aware Applications

Exploiting Environmental Properties for Wireless Localization and Location Aware Applications

Exploiting Environmental Properties for Wireless Localization and Location Aware Applications Presenter: Yingying Chen Joint w ork w ith Shu Chen* and W ade Trappe* * W I NLAB, Rutgers University Dept. of ECE, Stevens I nstitute of

419 views • 19 slides
Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju

Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of Superpoly Qingju Wang 1 Yonglin Hao 2 Yosuke Todo 3 Chaoyun Li 4 Takanori Isobe 5 Willi Meier 6 1 SnT, University of Luxembourg, LU 2 State Key Laboratory of

577 views • 46 slides
Symmetries in CSP Elena Sherman UNL, CSE April 18, 2009 Symmetries in CSP Table of contents

Symmetries in CSP Elena Sherman UNL, CSE April 18, 2009 Symmetries in CSP Table of contents

Symmetries in CSP Symmetries in CSP Elena Sherman UNL, CSE April 18, 2009 Symmetries in CSP Table of contents Why Symmetry? Symmetry Examples Approaches for Symmetrical CSPs Adding symmetry-breaking global contraints Search space

747 views • 51 slides
Equivalence of PDA, CFG Conversion of CFG to PDA Conversion of PDA to CFG 1 Overview When

Equivalence of PDA, CFG Conversion of CFG to PDA Conversion of PDA to CFG 1 Overview When

Equivalence of PDA, CFG Conversion of CFG to PDA Conversion of PDA to CFG 1 Overview When we talked about closure properties of regular languages, it was useful to be able to jump between RE and DFA representations. Similarly, CFGs

999 views • 22 slides
Towards Proving Runtime Properties of Data-Driven Systems Using Safety Envelopes Samuel Breese

Towards Proving Runtime Properties of Data-Driven Systems Using Safety Envelopes Samuel Breese

Towards Proving Runtime Properties of Data-Driven Systems Using Safety Envelopes Samuel Breese Fotis Kopsaftopoulos Carlos Varela Rensselaer Polytechnic Institute Dynamic Data Driven Application Systems (DDDAS) Session International Workshop

418 views • 21 slides
SU(2)CS and SU(2NF) hidden symmetries L. Ya. Glozman Institut f ur Physik, FB Theoretische

SU(2)CS and SU(2NF) hidden symmetries L. Ya. Glozman Institut f ur Physik, FB Theoretische

Outline Key questions J = 0 mesons J = 1 mesons Left-right mixing. The chiralspin SU (2) CS and SU (4) groups. J=2 mesons J = 1 / 2 baryons SU (2) CS and SU (4) symmetries of confinement in QCD Conclusions SU(2)CS and SU(2NF) hidden symmetries

375 views • 21 slides
1 Curve sketching Symmetries, envelopes and square roots 1.5 Comments on symmetries. Shapes

1 Curve sketching Symmetries, envelopes and square roots 1.5 Comments on symmetries. Shapes

1 Curve sketching Symmetries, envelopes and square roots 1.5 Comments on symmetries. Shapes have symmetries (e.g. square, certain triangles, circle) so do functions. There are three kinds: (i) symmetric (i.e. even), (ii)

530 views • 18 slides
On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, Lo Perrin

On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, Lo Perrin

On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, Lo Perrin June 18, 2018 BFA2018 Definition (EA-Equivalence; EA-mapping) F and G are E(xtented) A(ffine) equivalent if G x B F A x C x , where A B C

1.11k views • 98 slides

More recommend