composition theorems for cryptoverif and application to
play

Composition Theorems for CryptoVerif and Application to TLS 1.3 - PowerPoint PPT Presentation

Dec 26, 2022 •430 likes •825 views

Introduction Composition Application to TLS 1.3 Conclusion Composition Theorems for CryptoVerif and Application to TLS 1.3 Bruno Blanchet INRIA Paris Bruno.Blanchet@inria.fr March 2018 Bruno Blanchet (INRIA) Composition for CryptoVerif

  1. Introduction Composition Application to TLS 1.3 Conclusion Composition Theorems for CryptoVerif and Application to TLS 1.3 Bruno Blanchet INRIA Paris Bruno.Blanchet@inria.fr March 2018 Bruno Blanchet (INRIA) Composition for CryptoVerif March 2018 1 / 38

  2. Introduction Composition Application to TLS 1.3 Conclusion Introduction Composition between a key exchange protocol a protocol that uses the key Results stated in the CryptoVerif framework: computational model formal framework for stating the composition theorem prove bigger protocols in CryptoVerif prove protocols with loops in CryptoVerif Adapt and extend previous computational composition results by Brzuska, Fischlin et al. [CCS’11, CCS’14 and CCS’15] Bruno Blanchet (INRIA) Composition for CryptoVerif March 2018 2 / 38

  3. Introduction Composition Application to TLS 1.3 Conclusion Application to TLS 1.3 Why TLS 1.3 ? Important protocol, in the final stages of development Well designed to allow composition Contains loops: Unbounded number of handshakes and key updates Variety of compositions: In most cases, the key exchange provides injective authentication For 0-RTT data = data sent by the client to the server immediately after the message (ClientHello): possible replay, so non-injective authentication variant for the case of altered ClientHello Simpler composition theorem for key updates Fills a gap in the proof of TLS 1.3 Draft 18 by Bhargavan et al [S&P’18] The composition was stated only informally. Bruno Blanchet (INRIA) Composition for CryptoVerif March 2018 3 / 38

  4. Introduction Composition Application to TLS 1.3 Conclusion CryptoVerif, http://cryptoverif.inria.fr/ CryptoVerif is a semi-automatic prover that: works in the computational model. generates proofs by sequences of games. provides a generic method for specifying properties of cryptographic primitives which handles MACs (message authentication codes), symmetric encryption, public-key encryption, signatures, hash functions, Diffie-Hellman key agreements, . . . works for N sessions (polynomial in the security parameter), with an active adversary. gives a bound on the probability of an attack (exact security). Bruno Blanchet (INRIA) Composition for CryptoVerif March 2018 4 / 38

  5. Introduction Composition Application to TLS 1.3 Conclusion Reminder on CryptoVerif CryptoVerif represents protocols using a process calculus. P , Q : processes C : context = process with one or several holes [ ] Adversaries represented by evaluation contexts: C ::= evaluation context [ ] hole newChannel c ; C channel restriction Q | C parallel composition C | Q parallel composition Bruno Blanchet (INRIA) Composition for CryptoVerif March 2018 5 / 38

  6. Introduction Composition Application to TLS 1.3 Conclusion Security properties proved by CryptoVerif Indistinguishability: Q ≈ V Q ′ when an adversary with access to the variables V has a negligible probability of distinguishing Q from Q ′ . Secrecy: Q preserves the secrecy of x with public variables V when an adversary with access to the variables V has a negligible probability of distinguishing the values of x in several sessions from independent random values. Correspondences: If some events have been executed, then other events have been executed. Example: event ( e 1 ( x )) = ⇒ event ( e 2 ( x )) Q satisfies the correspondence corr with public variables V when an adversary with access to the variables V has a negligible probability of breaking corr . Bruno Blanchet (INRIA) Composition for CryptoVerif March 2018 6 / 38

  7. Introduction Composition Application to TLS 1.3 Conclusion The most basic composition theorem S composed : S 1 : k (secret) k S 2 : new k : T Bruno Blanchet (INRIA) Composition for CryptoVerif March 2018 7 / 38

  8. Introduction Composition Application to TLS 1.3 Conclusion The most basic composition theorem Theorem (Assumptions) Let C be any context with one hole, without replications above the hole. Let M be a term of type T. Let S 1 = C [ let k = M in c 1 �� ; Q 1 ] S 2 = c 2 (); new k : T ; c 3 �� ; Q 2 where c 1 , c 2 , c 3 do not occur elsewhere in S 1 , S 2 ; k is the only variable common to S 1 and S 2 ; S 1 and S 2 have no common channel, no common event, and no common table; and k does not occur in C and Q 1 . Let c ′ 1 be a fresh channel. Let S composed = C [ let k = M in c ′ 1 �� ; ( Q 1 | Q 2 )] Bruno Blanchet (INRIA) Composition for CryptoVerif March 2018 8 / 38

  9. Introduction Composition Application to TLS 1.3 Conclusion The most basic composition theorem Theorem (First conclusion) S 1 = C [ let k = M in c 1 �� ; Q 1 ] S 2 = c 2 (); new k : T ; c 3 �� ; Q 2 S composed = C [ let k = M in c ′ 1 �� ; ( Q 1 | Q 2 )] 1 If S 1 preserves the secrecy of k with public variables V (k / ∈ V ), then we can transfer security properties from S 2 to S composed . Let S ◦ composed be S composed with the events of S 1 removed. composed ≈ V 1 C ′ [ S 2 ] S ◦ for some evaluation context C ′ acceptable for S 2 without public variables and for any V 1 ⊆ V ∪ (var( S 1 ) \ { k } ) . C ′ is independent of Q 2 . Intuition: The secrecy of k allows us to replace k with a random key. Bruno Blanchet (INRIA) Composition for CryptoVerif March 2018 9 / 38

  10. Introduction Composition Application to TLS 1.3 Conclusion The most basic composition theorem Theorem (Second conclusion) S 1 = C [ let k = M in c 1 �� ; Q 1 ] S 2 = c 2 (); new k : T ; c 3 �� ; Q 2 S composed = C [ let k = M in c ′ 1 �� ; ( Q 1 | Q 2 )] 2 We can transfer security properties from S 1 to S composed , provided they are proved with public variable k. S composed ≈ V ′ C ′′ [ S 1 ] for some evaluation context C ′′ acceptable for S 1 with public variable k and for any V ′ ⊆ var( S composed ) . C ′′ contains the events of S 2 . C ′′ is independent of C and Q 1 . Bruno Blanchet (INRIA) Composition for CryptoVerif March 2018 10 / 38

  11. Introduction Composition Application to TLS 1.3 Conclusion Main theorem S composed : S 1 : A B A B k A k B k A k B A B S 2 : new k : T A B ( S 1 may run several sessions of A and B .) Bruno Blanchet (INRIA) Composition for CryptoVerif March 2018 11 / 38

  12. Introduction Composition Application to TLS 1.3 Conclusion Replicating S 2 Consider: S 2 = c (); . . . c 1 ( y : T ) . . . event e ( M ) . . . insert T ( M ′ ) . . . get T ( z ) suchthat . . . We want to replicate S 2 : ! � n c (); . . . c 1 ( y : T ) . . . event e ( M ) . . . i ≤ � insert T ( M ′ ) . . . get T ( z ) suchthat . . . Bruno Blanchet (INRIA) Composition for CryptoVerif March 2018 12 / 38

  13. Introduction Composition Application to TLS 1.3 Conclusion Replicating S 2 Consider: S 2 = c (); . . . c 1 ( y : T ) . . . event e ( M ) . . . insert T ( M ′ ) . . . get T ( z ) suchthat . . . We want to replicate S 2 : ! � n c (); . . . c 1 ( y [ � i ≤ � i ] : T ) . . . event e ( M ) . . . insert T ( M ′ ) . . . get T ( z [ � i ]) suchthat . . . Variables implicitly with indices of replication. Bruno Blanchet (INRIA) Composition for CryptoVerif March 2018 13 / 38

  14. Introduction Composition Application to TLS 1.3 Conclusion Replicating S 2 Consider: S 2 = c (); . . . c 1 ( y : T ) . . . event e ( M ) . . . insert T ( M ′ ) . . . get T ( z ) suchthat . . . We want to replicate S 2 : ! � i ≤ � n c [ � i ](); . . . c 1 [ � i ]( y [ � i ] : T ) . . . event e ( � i , M ) . . . insert T ( � i , M ′ ) . . . get T (= � i , z [ � i ]) suchthat . . . We could add indices to channels, events, and tables to distinguish the various sessions. Bruno Blanchet (INRIA) Composition for CryptoVerif March 2018 14 / 38

  15. Introduction Composition Application to TLS 1.3 Conclusion Replicating S 2 Consider: S 2 = c (); . . . c 1 ( y : T ) . . . event e ( M ) . . . insert T ( M ′ ) . . . get T ( z ) suchthat . . . We want to replicate S 2 : ! � n c [ � i ≤ � i ](); . . . c 1 [ � i ]( y [ � i ] : T ) . . . event e ( � i , M ) . . . insert T ( � i , M ′ ) . . . get T (= � i , z [ � i ]) suchthat . . . Problem: this is not preserved by composition. In the key exchange, partenered sessions exchange the same messages, but may not have the same replication indices. Also in the composed system. Bruno Blanchet (INRIA) Composition for CryptoVerif March 2018 15 / 38

  16. Introduction Composition Application to TLS 1.3 Conclusion Replicating S 2 Consider: S 2 = c (); . . . c 1 ( y : T ) . . . event e ( M ) . . . insert T ( M ′ ) . . . get T ( z ) suchthat . . . We want to replicate S 2 : ! � i ≤ � n c [ � i ]( x : T sid ); . . . c 1 [ � i ]( y [ � i ] : T ) . . . event e ( x , M ) . . . insert T ( x , M ′ ) . . . get T (= x , z [ � i ]) suchthat . . . Partnered sessions can be determined by a session identifier computed from the messages in the protocol. The protocol that uses the key receives the session identifier in a variable x . Bruno Blanchet (INRIA) Composition for CryptoVerif March 2018 16 / 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno

Introduction Using CryptoVerif Proof technique Enc-then-MAC example FDH example Conclusion CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, Ecole Normale Sup erieure, INRIA,

972 views • 78 slides
Beyond Differential Privacy: Composition Theorems and Relational Logic for f -divergences between

Beyond Differential Privacy: Composition Theorems and Relational Logic for f -divergences between

Beyond Differential Privacy: Composition Theorems and Relational Logic for f -divergences between Probabilistic Programs Gilles Barthe Federico Olmedo IMDEA Software Institute, Madrid, Spain 40 th International Colloquium on Automata, Languages

514 views • 32 slides
Building complex DP algorithms using composition Privacy & Fairness in Data Science CS848

Building complex DP algorithms using composition Privacy & Fairness in Data Science CS848

Building complex DP algorithms using composition Privacy & Fairness in Data Science CS848 Fall 2019 2 Outline Recap Laplace Mechanism Composition Theorems Optimizing accuracy of DP algorithms Utilizing Parallel

972 views • 45 slides
The computational and decisional Diffie-Hellman assumptions in CryptoVerif Bruno Blanchet and

The computational and decisional Diffie-Hellman assumptions in CryptoVerif Bruno Blanchet and

Basic DDH Basic CDH Need for extension Extended CDH Extended DDH Conclusion The computational and decisional Diffie-Hellman assumptions in CryptoVerif Bruno Blanchet and David Pointcheval CNRS, Ecole Normale Sup erieure, INRIA, Paris

226 views • 22 slides
Many Theorems and a Few Stories John Garnett Seoul 5/12/17 1 OUTLINE I. Extension Theorems.

Many Theorems and a Few Stories John Garnett Seoul 5/12/17 1 OUTLINE I. Extension Theorems.

Many Theorems and a Few Stories John Garnett Seoul 5/12/17 1 OUTLINE I. Extension Theorems. II. BMO and A p Weights. III. Constructions with H Interpolation, , and BMO. IV. Corona Theorems and Problems. V. Harmonic Measure and

892 views • 35 slides
Composition and Deployment of Complex Container-Based Application Architectures on Multi-Clouds

Composition and Deployment of Complex Container-Based Application Architectures on Multi-Clouds

Composition and Deployment of Complex Container-Based Application Architectures on Multi-Clouds DI4R Lisbon, Portugal Andy S. Alic 1 , Marica Antonacci 2 , Ignacio Blanquer 1 , Miguel October 2018 Caballer 1 , Giacinto Donvito 2 , lvaro

297 views • 12 slides
Fixed points of the composition of earthquakes Francesco Bonsante (joint work with J.-M.

Fixed points of the composition of earthquakes Francesco Bonsante (joint work with J.-M.

The results Equivalence of the two results Proof of theorems Fixed points of the composition of earthquakes Francesco Bonsante (joint work with J.-M. Schlenker) July 28, 2010 Francesco Bonsante Fixed points of the composition of earthquakes

710 views • 29 slides
Gr obner-Shirshov bases method in algebra L.A. Bokut Introduction Composition-Diamond . . .

Gr obner-Shirshov bases method in algebra L.A. Bokut Introduction Composition-Diamond . . .

Gr obner-Shirshov bases method in algebra L.A. Bokut Introduction Composition-Diamond . . . Examples Sobolev Institute of Mathematics, Russia PBW theorems Linear bases of free . . . Normal forms for . . . South China Normal University,

602 views • 37 slides
Compositional Methods Alex Rabinovich Department of Computer Science Tel-Aviv University

Compositional Methods Alex Rabinovich Department of Computer Science Tel-Aviv University

Compositional Methods Alex Rabinovich Department of Computer Science Tel-Aviv University p.1/30 Composition Theorem s Composition Theorems are tools which reduce sentences about some compound structures to sentences about their parts.

771 views • 74 slides
De Finetti Theorems for Quantum Channels arXiv:1810.12197 Mario Berta with Borderi, Fawzi,

De Finetti Theorems for Quantum Channels arXiv:1810.12197 Mario Berta with Borderi, Fawzi,

De Finetti Theorems for Quantum Channels arXiv:1810.12197 Mario Berta with Borderi, Fawzi, Scholz Banfg 07/25/2019 1 / 24 Outline Motivation: Noisy Channel Coding De Finetti Theorems Application: Noisy Channel Coding Conclusion Add-on:

656 views • 46 slides
Automated Web Service Composition in Practice: from Composition Requirements Specification to

Automated Web Service Composition in Practice: from Composition Requirements Specification to

Outline Automated Web Service Composition The Amazon-MPS Case study Conclusions and Future Works Automated Web Service Composition in Practice: from Composition Requirements Specification to Process Run. Annapaola Marconi , Marco Pistore and

730 views • 59 slides
Hierarchy theorems Evgenij Thorstensen V18 Evgenij Thorstensen Hierarchy theorems V18 1 / 18

Hierarchy theorems Evgenij Thorstensen V18 Evgenij Thorstensen Hierarchy theorems V18 1 / 18

Hierarchy theorems Evgenij Thorstensen V18 Evgenij Thorstensen Hierarchy theorems V18 1 / 18 Comparing functions To prove results like TIME ( f ( n )) TIME ( g ( n )) , we need a stronger notion of one function growing faster than

673 views • 21 slides
A Machine-Assisted Proof of Gdel's Incompleteness Theorems Lawrence C. Paulson, Computer

A Machine-Assisted Proof of Gdel's Incompleteness Theorems Lawrence C. Paulson, Computer

A Machine-Assisted Proof of Gdel's Incompleteness Theorems Lawrence C. Paulson, Computer Laboratory, University of Cambridge The most misunderstood theorems in mathematics Gdels theorems have highly For the first time, both of

319 views • 28 slides
Framework for Metric Composition + Spatial Composition of Spatial Composition of Metrics Al

Framework for Metric Composition + Spatial Composition of Spatial Composition of Metrics Al

Framework for Metric Composition + Spatial Composition of Spatial Composition of Metrics Al Morton + many others M March, 2008 h 2008 draft-ietf-ippm-framework-compagg-06.txt Overall Framework (includes common concepts and concepts and

257 views • 9 slides
Sylow Theorems Andrew Clarey Looking at the Structure of Arbitrary Groups Definitions/ Theorems

Sylow Theorems Andrew Clarey Looking at the Structure of Arbitrary Groups Definitions/ Theorems

Sylow Theorems Sylow Theorems Andrew Clarey Looking at the Structure of Arbitrary Groups Definitions/ Theorems Groups, Subgroups Lagranges, Normality Class Equation, Andrew Clarey Cauchys Theorem First Sylow Theorem Occidental

417 views • 26 slides
JLO Composition for Voice, Iyl, Gngan, kb, Agogo, Skr , Clave & Piano

JLO Composition for Voice, Iyl, Gngan, kb, Agogo, Skr , Clave & Piano

JLO Composition for Voice, Iyl, Gngan, kb, Agogo, Skr , Clave & Piano Ay Olrnt Music Composition & Theory University of Pittsburgh USA A Symposium & Festival Bridging Musicology & Composition:

553 views • 16 slides
Chapter 8 Section 1 MA1032 Data, Functions & Graphs Sidney Butler Michigan Technological

Chapter 8 Section 1 MA1032 Data, Functions & Graphs Sidney Butler Michigan Technological

Chapter 8 Section 1 MA1032 Data, Functions & Graphs Sidney Butler Michigan Technological University November 28, 2006 S Butler (Michigan Tech) Chapter 8 Section 1 November 28, 2006 1 / 5 Composition The function f ( g ( t )) is said to

282 views • 5 slides
On Spatial Reasoning with Description Logics Motivation The family of ALCI logics Work

On Spatial Reasoning with Description Logics Motivation The family of ALCI logics Work

On Spatial Reasoning with Description Logics Motivation The family of ALCI logics Work in progress What we know What we dont know Future Work Michael Wessel, April 2002 Motivation Slide

459 views • 19 slides
On the Composition of Single-Keyed Tweakable Even-Mansour for Achieving BBB Security Avik

On the Composition of Single-Keyed Tweakable Even-Mansour for Achieving BBB Security Avik

Introduction Permutation-Based MACs PDMMAC Security of PDM*MAC Good Events Conclusion On the Composition of Single-Keyed Tweakable Even-Mansour for Achieving BBB Security Avik Chakraborti, Mridul Nandi, Suprita Talnikar , Kan Yasuda

1.03k views • 25 slides
Approximate Nature of Ideal Case: Example Traditional Fuzzy What Happens When . . . Natural

Approximate Nature of Ideal Case: Example Traditional Fuzzy What Happens When . . . Natural

Outline Fuzzy Logic: Reminder How t-Norms Are . . . In Practice, the . . . Approximate Nature of Ideal Case: Example Traditional Fuzzy What Happens When . . . Natural Idea Leads to . . . Methodology Naturally A Slightly More . . . Complex

323 views • 13 slides
CSE 1030 What is Aggregation ? Yves Lesp erance Aggregation is a relation between classes. An

CSE 1030 What is Aggregation ? Yves Lesp erance Aggregation is a relation between classes. An

CSE 1030 What is Aggregation ? Yves Lesp erance Aggregation is a relation between classes. An instance of one class has an instance of another class as one of its parts. Also callled the has a relation. The part is called an aggregate of the

147 views • 3 slides
Relational Formalisations of Compositions and Liftings of Multirelations Hitoshi Furusawa 1 ,

Relational Formalisations of Compositions and Liftings of Multirelations Hitoshi Furusawa 1 ,

Relational Formalisations of Compositions and Liftings of Multirelations Hitoshi Furusawa 1 , Yasuo Kawahara 2 , Georg Struth 3 and Norihiro Tsumagari 4 1 Department of Mathematics and Computer Science, Kagoshima University 2 Professor Emeritus,

780 views • 30 slides
Web Applications and Compound Documents Vincent Hardy We make the net work. Senior Staff

Web Applications and Compound Documents Vincent Hardy We make the net work. Senior Staff

Web Applications and Compound Documents Vincent Hardy We make the net work. Senior Staff Engineer Sun Microsystems, Inc. Technology silos Documents and applications need XML n XForms XHTML SMIL SVG ... Combining Existing Features

314 views • 6 slides
Agenda In this chapter, we take a closer look at: The role of processes in distributed

Agenda In this chapter, we take a closer look at: The role of processes in distributed

Lecturer: Hadi Salimi Lecturer: Hadi Salimi Distributed Systems Lab, School of Computer Engineering I Iran University of Science and Technology, U i i f S i d T h l hsalimi@iust.ac.ir Agenda In this chapter, we take a closer look at:

539 views • 21 slides

More recommend