combining algorithms for deciding knowledge in security
play

Combining algorithms for deciding knowledge in security protocols - PowerPoint PPT Presentation

Oct 27, 2023 •165 likes •514 views

Combining algorithms for deciding knowledge in security protocols Mathilde Arnaud, Vronique Cortier and Stphanie Delaune LORIA, CNRS & INRIA project Cassis, Nancy, France September 10, 2007 S. Delaune (LORIA Projet Cassis) Deciding

  1. Combining algorithms for deciding knowledge in security protocols Mathilde Arnaud, Véronique Cortier and Stéphanie Delaune LORIA, CNRS & INRIA project Cassis, Nancy, France September 10, 2007 S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 1 / 20

  2. Context: cryptographic protocols Cryptographic protocols small programs designed to secure communication ( e.g. secrecy) use cryptographic primitives ( e.g. encryption, hash function, . . . ) Presence of an attacker may read every message sent on the network, may intercept and send new messages according to its deduction capabilities. S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 2 / 20

  3. Context: cryptographic protocols Cryptographic protocols small programs designed to secure communication ( e.g. secrecy) use cryptographic primitives ( e.g. encryption, hash function, . . . ) Presence of an attacker may read every message sent on the network, may intercept and send new messages according to its deduction capabilities. S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 2 / 20

  4. A simple protocol → Does the attacker know secret? − S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 3 / 20

  5. Attacker power (in formal models) − → The attacker can do symbolic manipulations on messages. Messages are abstracted by terms ... encryption { x } y , pairing � x , y � , . . . ... together with an equational theory classical theory (E enc ): proj 1 ( � x , y � ) = x proj 2 ( � x , y � ) = y dec ( enc ( x , y ) , y ) = x exclusive or (E xor ): ( x ⊕ y ) ⊕ z = x ⊕ ( y ⊕ z ) x ⊕ y = y ⊕ x x ⊕ 0 = x x ⊕ x = 0 S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 4 / 20

  6. Knowledge Understanding security protocols often requires reasoning about knowledge of the attacker. Two main kinds of knowledge deduction, static equivalence – indistinguishability − → rely on an underlying equational theory − → often used as subroutines in many decision procedures S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 5 / 20

  7. Deduction T ⊢ E M 1 · · · T ⊢ E M k f ∈ Σ M ∈ T T ⊢ E M T ⊢ E f ( M 1 , . . . , M k ) T ⊢ M M = E M ′ T ⊢ M ′ Example: Let E := dec ( enc ( x , y ) , y ) = x and T = { enc ( secret , k ) , k } . T ⊢ enc ( secret , k ) T ⊢ k f ∈ Σ T ⊢ dec ( enc ( secret , k ) , k ) dec ( enc ( x , y ) , y ) = x T ⊢ secret S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 6 / 20

  8. Deduction T ⊢ E M 1 · · · T ⊢ E M k f ∈ Σ M ∈ T T ⊢ E M T ⊢ E f ( M 1 , . . . , M k ) T ⊢ M M = E M ′ T ⊢ M ′ Example: Let E := dec ( enc ( x , y ) , y ) = x and T = { enc ( secret , k ) , k } . T ⊢ enc ( secret , k ) T ⊢ k f ∈ Σ T ⊢ dec ( enc ( secret , k ) , k ) dec ( enc ( x , y ) , y ) = x T ⊢ secret S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 6 / 20

  9. Deduction is not always sufficient → The intruder knows the values yes and no ! The real question Is the intruder able to tell whether Alice sends yes or no? S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 7 / 20

  10. Static equivalence (indistinguishability relation) frame = set of restricted names + sequence of messages n . { M 1 / x 1 , . . . , M ℓ / φ = ν ˜ x ℓ } Examples: If the key k is not revealed, we have that φ 1 = ν k . { enc ( yes , k ) / x } and φ 2 = ν k . { enc ( no , k ) / x } If the key k is revealed, we have that ψ 1 = ν k . { k / x 1 , enc ( yes , k ) / x 2 } and ψ 2 = ν k . { k / x 1 , enc ( no , k ) / x 2 } S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 8 / 20

  11. Static equivalence (indistinguishability relation) frame = set of restricted names + sequence of messages n . { M 1 / x 1 , . . . , M ℓ / φ = ν ˜ x ℓ } Examples: If the key k is not revealed, we have that φ 1 = ν k . { enc ( yes , k ) / x } and φ 2 = ν k . { enc ( no , k ) / x } If the key k is revealed, we have that ψ 1 = ν k . { k / x 1 , enc ( yes , k ) / x 2 } and ψ 2 = ν k . { k / x 1 , enc ( no , k ) / x 2 } S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 8 / 20

  12. Static equivalence (indistinguishability relation) frame = set of restricted names + sequence of messages n . { M 1 / x 1 , . . . , M ℓ / φ = ν ˜ x ℓ } Examples: If the key k is not revealed, we have that φ 1 = ν k . { enc ( yes , k ) / x } and φ 2 = ν k . { enc ( no , k ) / x } If the key k is revealed, we have that ψ 1 = ν k . { k / x 1 , enc ( yes , k ) / x 2 } and ψ 2 = ν k . { k / x 1 , enc ( no , k ) / x 2 } S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 8 / 20

  13. Static equivalence (indistinguishability relation) frame = set of restricted names + sequence of messages n . { M 1 / x 1 , . . . , M ℓ / φ = ν ˜ x ℓ } Examples: If the key k is not revealed, we have that φ 1 = ν k . { enc ( yes , k ) / x } and φ 2 = ν k . { enc ( no , k ) / x } − → indistinguishable If the key k is revealed, we have that ψ 1 = ν k . { k / x 1 , enc ( yes , k ) / x 2 } and ψ 2 = ν k . { k / x 1 , enc ( no , k ) / x 2 } − → distinguishable S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 8 / 20

  14. Goal of this paper Our contribution We propose combination algorithms (PTIME) for deduction and static equivalence for disjoint equational theories. A modular approach − → Deciding interesting theories can be done by reducing the decision to simpler theories. New decidability results Deduction and static equivalence are decidable in PTIME for subterm theories ( e.g. E enc ) and exclusive or (E xor ) [Abadì&Cortier,06], [Chevalier et al. ,03]. − → those problems are also decidable in PTIME for E enc ∪ E xor . S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 9 / 20

  15. Goal of this paper Our contribution We propose combination algorithms (PTIME) for deduction and static equivalence for disjoint equational theories. A modular approach − → Deciding interesting theories can be done by reducing the decision to simpler theories. New decidability results Deduction and static equivalence are decidable in PTIME for subterm theories ( e.g. E enc ) and exclusive or (E xor ) [Abadì&Cortier,06], [Chevalier et al. ,03]. − → those problems are also decidable in PTIME for E enc ∪ E xor . S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 9 / 20

  16. Related works Combination for unification Our procedures rely on combination algorithms for solving unification modulo E = E 1 ∪ E 2 (E 1 and E 2 are disjoint) − → [Schmidt-Schauss,89], [Baader&Schulz,96] Combination for deduction (active case) We follow the approach developed in [Chevalier&Rusinowitch,05] − → combination algorithm for deduction in the presence of an active attacker (they take into account the rules of the protocol) − → they do not consider static equivalence S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 10 / 20

  17. Outline of the talk Introduction 1 Deduction 2 Static equivalence 3 Conclusion 4 S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 11 / 20

  18. Deduction Lemma (characterization of deduction) φ ⊢ E M if and only if there exists a term ζ such that ζφ = E M. − → Such a term ζ is a recipe of the term M. Example: E := dec ( enc ( x , y ) , y ) = x . φ = ν k .ν s . { enc ( s , k ) / x 1 , k / x 2 } We have that φ ⊢ E s . Indeed ζ = dec ( x 1 , x 2 ) is a recipe of s . Deduction problem for the equational theory E built over Σ . Entries : A frame φ and a term M (both built over Σ ) Question : φ ⊢ E M ? S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 12 / 20

  19. Deduction Lemma (characterization of deduction) φ ⊢ E M if and only if there exists a term ζ such that ζφ = E M. − → Such a term ζ is a recipe of the term M. Example: E := dec ( enc ( x , y ) , y ) = x . φ = ν k .ν s . { enc ( s , k ) / x 1 , k / x 2 } We have that φ ⊢ E s . Indeed ζ = dec ( x 1 , x 2 ) is a recipe of s . Deduction problem for the equational theory E built over Σ . Entries : A frame φ and a term M (both built over Σ ) Question : φ ⊢ E M ? S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 12 / 20

  20. Main result for deduction Theorem (Combination for deduction) Let (Σ 1 , E 1 ) and (Σ 2 , E 2 ) be two disjoint equational theories. If deduction is decidable for (Σ 1 , E 1 ) and (Σ 2 , E 2 ) then deduction is decidable for (Σ 1 ∪ Σ 2 , E 1 ∪ E 2 ) . Our algorithm Let φ be a frame and M be a term built over Σ 1 ∪ Σ 2 . 1 compute the subterms (alien subterms) of φ and M . 2 saturation of φ by subterms which are deducible either in E 1 or in E 2 − → abstraction of alien factors by fresh names 3 check if M ∈ sat ( φ ) . − → completeness obtained thanks to a locality lemma. − → our algorithm is polynomial (in the DAG-size of the inputs) S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 13 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Deciding knowledge in security protocols for monoidal equational theories Vronique Cortier and

Deciding knowledge in security protocols for monoidal equational theories Vronique Cortier and

Deciding knowledge in security protocols for monoidal equational theories Vronique Cortier and Stphanie Delaune LORIA, CNRS & INRIA project Cassis, Nancy, France July 8, 2007 S. Delaune (LORIA Projet Cassis) Deciding knowledge

378 views • 37 slides
Scheduling Algorithms of deciding which process in ready queue should be allocated to CPU.

Scheduling Algorithms of deciding which process in ready queue should be allocated to CPU.

2/15/2011 Scheduling Algorithms CPU Scheduling algorithms deal with the problem Scheduling Algorithms of deciding which process in ready queue should be allocated to CPU. Following are the commonly used scheduling algorithms: Gursharan

329 views • 8 slides
An End-to-End Model for Question Answering over Knowledge Base with Cross-Attention Combining

An End-to-End Model for Question Answering over Knowledge Base with Cross-Attention Combining

An End-to-End Model for Question Answering over Knowledge Base with Cross-Attention Combining Global Knowledge Authors: Hao et al. Presenter : Shivank Mishra Link to complete paper : https://aclweb.org/anthology/P/P17/P17-1021.pdf What is

462 views • 29 slides
Ensuring Effective MV Knowledge Management Combining Skill Sets to get the Best Products February

Ensuring Effective MV Knowledge Management Combining Skill Sets to get the Best Products February

Ensuring Effective MV Knowledge Management Combining Skill Sets to get the Best Products February 2015 Outline Program context Deliverables demonstration Success & Challenges Q&A 2 What is Utility Specific Knowledge?

482 views • 15 slides
Knowledge bases domainindependent algorithms Inference engine Knowledge base

Knowledge bases domainindependent algorithms Inference engine Knowledge base

Knowledge bases domainindependent algorithms Inference engine Knowledge base domainspecific content Logical agents Knowledge base = set of sentences in a formal language Declarative approach to building an agent (or other system): Tell

522 views • 18 slides
Creative AI Combining Knowledge, Learning and Control for Expressive Modeling & Animation

Creative AI Combining Knowledge, Learning and Control for Expressive Modeling & Animation

Creative AI Combining Knowledge, Learning and Control for Expressive Modeling & Animation Marie-Paule Cani Ecole Polytechnique Paris, France Visual representations Mandatory to understand and create! @ Renaud Chabrier Leonardo da Vinci

639 views • 33 slides
Dimensions of Knowledge in API Migration Thiago Bartolomei, Mahdi Derakhshanmanesh, Andreas

Dimensions of Knowledge in API Migration Thiago Bartolomei, Mahdi Derakhshanmanesh, Andreas

Combining Multiple Dimensions of Knowledge in API Migration Thiago Bartolomei, Mahdi Derakhshanmanesh, Andreas Fuhr, Peter Koch, Mathias Konrath, Ralf Lmmel, Heiko Winnebeck Contribution of this presentation Present a framework combining

537 views • 28 slides
"combining aboriginal tradi/onal knowledge with western-based

"combining aboriginal tradi/onal knowledge with western-based

"combining aboriginal tradi/onal knowledge with western-based science to benefit all" Overview The Nich Concept Walking in both Worlds A;ainment

461 views • 22 slides
Combining Axiom Injection and Knowledge Base Completion for Efficient Natural Language Inference

Combining Axiom Injection and Knowledge Base Completion for Efficient Natural Language Inference

Combining Axiom Injection and Knowledge Base Completion for Efficient Natural Language Inference Masashi Yoshikawa, Koji Mineshima, Hiroshi Noji, Daisuke Bekki Nara Institute of Science and Technology Ochanomizu University Artificial

549 views • 35 slides
Combining multiresolution and anisotropy Theory, algorithms and open problems Albert Cohen

Combining multiresolution and anisotropy Theory, algorithms and open problems Albert Cohen

Combining multiresolution and anisotropy Theory, algorithms and open problems Albert Cohen Laboratoire Jacques-Louis Lions Universit e Pierre et Marie Curie Paris Joint work with Nira Dyn, Fr ed eric Hecht and Jean-Marie Mirebeau

979 views • 81 slides
Scheduling Algorithms Gursharan Singh Tatla professorgstatla@gmail.com www.eazynotes.com 1

Scheduling Algorithms Gursharan Singh Tatla professorgstatla@gmail.com www.eazynotes.com 1

Scheduling Algorithms Gursharan Singh Tatla professorgstatla@gmail.com www.eazynotes.com 1 15-Feb-2011 Scheduling Algorithms CPU Scheduling algorithms deal with the problem of deciding which process in ready queue should be allocated to

745 views • 46 slides
$ Lesson Seven Consumer Awareness 04/09 deciding to buy deciding to spend your money Do I

$ Lesson Seven Consumer Awareness 04/09 deciding to buy deciding to spend your money Do I

Presentation Slides $ Lesson Seven Consumer Awareness 04/09 deciding to buy deciding to spend your money Do I really need this item? Is it worth the time I spend making the money to pay for it? Is there a better use for my money

489 views • 18 slides
Deciding about deciding: Early Christian communal decision-making in Acts Professor Steve

Deciding about deciding: Early Christian communal decision-making in Acts Professor Steve

The 2017 Paradosis lecture Rachel Dolezal Deciding about deciding: Early Christian communal decision-making in Acts Professor Steve Walton St Marys University, Twickenham (London, UK) 1 2 The importance of the communal in Acts

457 views • 6 slides
Propositional logic (Ch. 7) Representing knowledge So far we have looked at algorithms to find

Propositional logic (Ch. 7) Representing knowledge So far we have looked at algorithms to find

Propositional logic (Ch. 7) Representing knowledge So far we have looked at algorithms to find goals via search, where we are provided with all the knowledge and possibly a heuristic With CSP we saw how to apply inference to rules to find the

265 views • 22 slides
Outline More Security Protocols Combining key distribution and authentication CS 239

Outline More Security Protocols Combining key distribution and authentication CS 239

Outline More Security Protocols Combining key distribution and authentication CS 239 Verifying security protocols Computer Security February 4, 2004 Lecture 7 Lecture 7 Page 1 Page 2 CS 239, Winter 2004 CS 239, Winter 2004

297 views • 11 slides
Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin

Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin

Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin France Tlcom R&D and Universit de Versailles FSE 07, March 26 Intro Framework Computability Attacks Bounds Recap Applications

318 views • 19 slides
Introduction to Objects are a natural way of thinking about the world and about scripts that

Introduction to Objects are a natural way of thinking about the world and about scripts that

Introduction to Objects are a natural way of thinking about the world and about scripts that manipulate XHTML documents. JavaScript uses objects to perform many tasks and therefore is referred to as an object-based programming language (

913 views • 48 slides
Tableau Development for a Bi-Intuitionistic Tense Logic John G. Stell Renate A. Schmidt David

Tableau Development for a Bi-Intuitionistic Tense Logic John G. Stell Renate A. Schmidt David

Tableau Development for a Bi-Intuitionistic Tense Logic John G. Stell Renate A. Schmidt David Rydeheard RAMiCS 14, Marienstatt im Westerwald 30 April 2014 Stell, Schmidt, Rydeheard Tableau Development for BISKT RAMiCS 14 1 / 34 At RAMiCS

380 views • 35 slides
www.npec-web.org npec@npec-web.org Briefing before American Association for The Advancement of

www.npec-web.org npec@npec-web.org Briefing before American Association for The Advancement of

Falling Behind: International Scrutiny of the Peaceful Atom Henry Sokolski Executive Director The Nonproliferation Policy Education Center Washington, DC 20036 www.npec-web.org npec@npec-web.org Briefing before American Association for The

941 views • 35 slides
Whats Next INF 117 Project in Software Engineering Lecture Notes - Spring Quarter, 2008

Whats Next INF 117 Project in Software Engineering Lecture Notes - Spring Quarter, 2008

Whats Next INF 117 Project in Software Engineering Lecture Notes - Spring Quarter, 2008 Michele Rousseau Set 8 - Testing Set 8 - Testing 2 Announcements Todays Class k Drop Boxes k Testing We will use drop boxes for the remainder

281 views • 8 slides
Class Six openFrameworks! A software frameworks, by which we mean: a software infrastructure that

Class Six openFrameworks! A software frameworks, by which we mean: a software infrastructure that

The Code Liberation Foundation Lecture 5 Structs, classes, the heap and the stack Class Six openFrameworks! A software frameworks, by which we mean: a software infrastructure that provides low-level functionality Will allow you to

293 views • 11 slides
High Performance Computing What is it used for and why? Overview What is it used for?

High Performance Computing What is it used for and why? Overview What is it used for?

High Performance Computing What is it used for and why? Overview What is it used for? Drivers for HPC Examples of usage Why do you need to learn the basics? Hardware layout and structure matters Serial computing is

585 views • 19 slides
Fully-Convolutional Siamese Networks for Object Tracking Luca Bertinetto*, Jack Valmadre*, Joo

Fully-Convolutional Siamese Networks for Object Tracking Luca Bertinetto*, Jack Valmadre*, Joo

Fully-Convolutional Siamese Networks for Object Tracking Luca Bertinetto*, Jack Valmadre*, Joo Henriques, Andrea Vedaldi and Philip Torr www.robots.ox.ac.uk/~luca luca.bertinetto@eng.ox.ac.uk Tracking of single, arbitrary objects Problem .

514 views • 19 slides
VMGL: VMM-Independent Graphics Acceleration H. Andrs Lagar-Cavilla, U of Toronto

VMGL: VMM-Independent Graphics Acceleration H. Andrs Lagar-Cavilla, U of Toronto

VMGL: VMM-Independent Graphics Acceleration H. Andrs Lagar-Cavilla, U of Toronto andreslc@cs.toronto.edu Niraj Tolia (CMU), Eyal de Lara (Toronto), M. Satyanarayanan (CMU) Why Virtualize 3D Acceleration? Two simultaneous trends VMs out of

584 views • 27 slides

More recommend