cryptographic logical relations
play

Cryptographic Logical Relations What is the contextual equivalence - PowerPoint PPT Presentation

Feb 26, 2023 •103 likes •487 views

Cryptographic Logical Relations What is the contextual equivalence for cryptographic protocols and how to prove it? Yu ZHANG Including joint work with J. Goubault-Larrecq, D. Nowak and S. Lasota EVEREST, INRIA Sophia-Antipolis February

  1. Cryptographic Logical Relations — What is the contextual equivalence for cryptographic protocols and how to prove it? Yu ZHANG Including joint work with J. Goubault-Larrecq, D. Nowak and S. Lasota EVEREST, INRIA Sophia-Antipolis February 12, 2007

  2. Cryptography Using cryptography to hide information:  %$8?  λ @ Hello, Hello, Encryption Decryption ¥ ∂ ^#+ buddy! buddy! K enc K dec But, how to distribute keys on Internet?  %$8? Hello,  λ @ buddy! ¥ ∂ ^#+ Cryptographic Logical Relations 1

  3. The Needham-Schroeder’s protocol Bob Alice { } NONCE A Secret NONCE A becomes the session key Cryptographic Logical Relations 2

  4. The Needham-Schroeder’s protocol Bob Charlie Alice { NONCE A } PK Charlie Cryptographic Logical Relations 3

  5. Formal verification 1978 — The invention of the NS protocol [NS 78]. 1995 — G. Lowe found the flaw [Lowe 95]. Tho hose w who ho t thi hink t tha hat t the heir pr problem c can b be s solved b by What are you simpl ply a appl pplying c crypt ptography phy, d don’t u understand talking about? crypt ptography phy a and d don’t u understand t the heir pr problem. {m} k “Insecure”? We use ---- R R. N Needha ham CRYPTOGRAPHY here. As a logician, The protocol is I’d like to tell you secure, because very seriously: It’s NOT True!!! I don’t find any attack! Cryptographic Logical Relations 4

  6. Formal verification 1978 — The invention of the NS protocol [NS 78]. 1995 — G. Lowe found the flaw [Lowe 95]. Verify security properties with formal methods. Formal verification community Cryptographic Logical Relations 5

  7. Secrecy by contextual equivalence Run 1 { } k Charlie IS Protocol stupid Ehm, seems these � A -> B : message 1 B -> S : message 2 Internet stupid guys always S -> A : message 3 A -> B : message 4 B -> A : message 5 A -> B : message 1 Run 2 B -> S : message 2 talkin about the S -> A : message 3 A -> B : message 4 B -> A : message 5 { } k same thing … Charlie IS NOT stupid Secrecy: for every messages m 1 and m 2 , Protocol(m 1 ) ≈ Protocol(m 2 ). Spi-Calculus: with bisimulations [Abadi & Gordon 97]. What the hell did : m essag -> B A m essage 2 : message 3 A -> Bssage 4 that guy encrypt in Eh … looks like a … S A : age 5 -> A B : -> B A PROGRAM! this message? Cryptographic λ -calculus: with logical relations [Sumii & Pierce 02]. Higher-order functions are taken into account. Cryptographic Logical Relations 6

  8. Motivation We keep on using the λ -calculus approach. Sumii and Pierce’s logical relations are somehow ad-hoc. Is there a systematic way to construct these logical relations? And, to what extent can we rely on this method? If logical relations fail in proving the secrecy property, can we say that protocol is NOT secure? Cryptographic Logical Relations 7

  9. Related work and our contribution Side-effects Logical relations 1980, invention of logical relations [Plotkin 80] 1989, computational λ -calculus [Moggi 89, Moggi 90] 1992~93, categorical construction [Ma & Reynolds 92, Mitchell & Scedrov 93] 1993~94, operational logical relations for name creation [Pitts & Stark 93] 2002, logical relations for encryption [Sumii & Pierce 02] 2002, logical relations for computational λ -calculus [Goubault-Larrecq, Lasota & Nowak 02] 2003, denotational logical relations for key generation [Zhang & Nowak 03] 2004, lax cryptographic logical relations [Goubault-larrecq, Lasota, Nowak & Zhang 04] 2005, completeness of monadic logical relations [Lasota, Nowak & Zhang 06] Cryptographic Logical Relations 8

  10. Outline  The cryptographic metalanguage  Denotational semantics  Cryptographic logical relations  Contextual equivalence Cryptographic Logical Relations 9

  11. Cryptographic Logical Relations  Introduction  The cryptographic metalanguage  Denotational semantics  Cryptographic logical relations  Contextual equivalence  Conclusion Cryptographic Logical Relations

  12. Syntax (i) — Types Based on Moggi’s computational λ -calculus — a nice framework for reasoning about side-effects, including key generation. Type for computations, from Moggi’s language • A computation may generate fresh keys. Cryptographic Logical Relations 11

  13. Syntax (ii) — Terms generation of fresh key, from Stark’s metalanguage trivial computation and trivial computation and sequential computation, sequential computation, from Moggi’s language from Moggi’s language Cryptographic Logical Relations 12

  14. Syntax (ii) — Typing rules Cryptographic Logical Relations 13

  15. Modeling asymmetric cryptography Public key cryptography can be modeled using functions [Sumii & Pierce 02]: • If k is a private key, then the public key is: • Encrypt a message with a public key: Cryptographic Logical Relations 14

  16. Encoding of protocols • Principals as functions. • Interactions as function applications. • The protocol is a tuple of functions: P(secret) = <f Alice , f Bob , …> • An attack is a function F: F(P(secret)) = secret Cryptographic Logical Relations 15

  17. Cryptographic Logical Relations  Introduction  The cryptographic metalanguage  Denotational semantics  Cryptographic logical relations  Contextual equivalence  Conclusion Cryptographic Logical Relations

  18. Modeling cryptography — a set of keys. function symbol An encrypted message is written as . plain-text key Cryptographic Logical Relations 17

  19. Computations as monads • According to Moggi, side-effects can be modeled by monads [Moggi 89]. – Concrete monads: exceptions, non-determinism, ... • Fresh key generation is seen as a side-effect. • Key generation monad: computations might generate fresh keys. – Stark uses this monad to interpret his language for name creation [Stark 94]. Cryptographic Logical Relations 18

  20. Stark’s model A functor category with a monad T : • — category of finite sets and injections. – A set represents a computation stage. • Denotations are defined over a set of keys. • Computations are interpreted as fresh keys generated result of the computation during the computation We use Stark’s model to interpret our metalanguage. Cryptographic Logical Relations 19

  21. Cryptographic Logical Relations  Introduction  The cryptographic metalanguage  Denotational semantics  Cryptographic logical relations  Contextual equivalence  Conclusion Cryptographic Logical Relations

  22. What is a logical relation? • A logical relation is a family of relations, each indexed by a type. • Two functions f 1 and f 2 are related iff • Basic Lemma – If the denotation of each constant is related to itself, denotations of every term in related environments are related. – Basic Lemma helps us to prove contextual equivalence. What is a cryptographic logical relation? • The sprit of Sumii and Pierce’s logical relations: A cryptographic logical relation must relate encryption with itself, and relate decryption with itself. Cryptographic Logical Relations 21

  23. Relations for base types • Only keys that are accessible to attackers are related [Sumii & Pierce 02, Abadi & Gordon 97]: — the set of disclosed keys. • Encrypted messages are then divided into two parts U or built by induction on fixed by the parameter ϕ message structure ϕ — parameter of the logical relation, fixing the relation between secret messages [Sumii & Pierce 02]. Cryptographic Logical Relations 22

  24. Logical relations for monadic types • Categorical construction of logical relation for monadic types [Goubault-Larrecq et al. 02]. But what is the category for constructing logical relations? • A logical relation constructed over : – Kripke logical relation — logical relations defined over functor categories [Mitchell & Moggi 91]. – is called a “world”, representing a computation stage. – Two functions are related iff they take related arguments at any larger world to related results. • Logical relations derived over are too weak with naïve relations for keys: How to represent the parameter ? Cryptographic Logical Relations 23

  25. The “frame” category Formalize the parameter in the category [ZN 03]: • objects are tuples ; • morphisms are pairs of injections such that the following diagram commutes: all keys that have all keys that have disclosed keys disclosed keys been created been created Becomes : Cryptographic Logical Relations 24

  26. Logical relations over (using the general construction of [GLLN02]). • Basic Lemma holds, but only for a very limited set of ϕ . • This logical relation fails in relating equivalent programs: k ∉ w disclosed keys disclosed keys k ∈ w’ Secret keys get known by attackers at a larger “world”. Cryptographic Logical Relations 25

  27. The “frame” category (revised) • In our model, secret keys must NOT be exposed at any larger “world”. – A “world” represents a stage based on keys, not on time. k ∉ w disclosed keys disclosed keys � k ∉ w’ • Category : the subcategory of where every is a pull-back. Cryptographic Logical Relations 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Logical Step-Indexed Logical Relations Derek Dreyer Max Planck Institute for Software Systems

Logical Step-Indexed Logical Relations Derek Dreyer Max Planck Institute for Software Systems

Logical Step-Indexed Logical Relations Derek Dreyer Max Planck Institute for Software Systems Saarbrcken, Germany LICS 2009 UCLA August 12, 2009 Joint work with Amal Ahmed and Lars Birkedal Logical Relations V nat = { ( n , n )

551 views • 40 slides
WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy Vanhoef - @vanhoefm Black Hat, 27 July 2017 In collaboration with Domien Schepers and Frank Piessens Introduction More and more Wi-Fi network use

414 views • 26 slides
Structural Logical Relations with Case Analysis and Equality Reasoning Ulrik Rasmussen Andrzej

Structural Logical Relations with Case Analysis and Equality Reasoning Ulrik Rasmussen Andrzej

Structural Logical Relations with Case Analysis and Equality Reasoning Ulrik Rasmussen Andrzej Filinski Department of Computer Science University of Copenhagen LFMTP , Boston, MA September 23, 2013 1 Motivation Logical relations (LR) are

429 views • 28 slides
Reasoning about Object Capa- bilities with Logical Relations and Effect Parametricity

Reasoning about Object Capa- bilities with Logical Relations and Effect Parametricity

Reasoning about Object Capa- bilities with Logical Relations and Effect Parametricity (EuroS&amp;P 2016, Saarbrcken) Dominique Devriese 1 , Frank Piessens 1 , Lars Birkedal 2 1 iMinds-DistriNet, KU Leuven, 2 Aarhus University December 2015

387 views • 21 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
Verified cryptographic implementations: how far can we go? Gilles Barthe IMDEA Software

Verified cryptographic implementations: how far can we go? Gilles Barthe IMDEA Software

Verified cryptographic implementations: how far can we go? Gilles Barthe IMDEA Software Institute, Madrid, Spain September 30, 2014 Motivation Loss of trust in Internet Implementation bugs (HeartBleed) Logical bugs (Triple

670 views • 38 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Differential Logical Relations Joint work with Francesco Gavazzo and Akira Yoshimizu Ugo Dal Lago

Differential Logical Relations Joint work with Francesco Gavazzo and Akira Yoshimizu Ugo Dal Lago

Differential Logical Relations Joint work with Francesco Gavazzo and Akira Yoshimizu Ugo Dal Lago IFIP WG 2.2 Annual Meeting , Vienna, September 23rd 2019 Comparing Interacting Programs M N C A C B Comparing Interacting

1.01k views • 48 slides
Logical Relations for a Manifest Contract Calculus Taro Sekiyama Atsushi Igarashi Kyoto

Logical Relations for a Manifest Contract Calculus Taro Sekiyama Atsushi Igarashi Kyoto

Logical Relations for a Manifest Contract Calculus Taro Sekiyama Atsushi Igarashi Kyoto University Taro Sekiyama Atsushi Igarashi Logical Relations for a Manifest Contract Calculus Manifest Contract Calculus [1] A typed lambda calculus with

696 views • 40 slides
How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

Department of Informatics Security and Privacy Maximilian Blochberger How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic pitfalls by design Goal Raise awareness of cryptographic misuse Disclaimer

910 views • 29 slides
Does gate count matter? Hardware efficiency of logic-minimization techniques for cryptographic

Does gate count matter? Hardware efficiency of logic-minimization techniques for cryptographic

Does gate count matter? Hardware efficiency of logic-minimization techniques for cryptographic primitives Shashank Raghuraman and Leyla Nazhandali Abstract Logical metrics such as gate count have been extensively used in estimating the hardware

401 views • 12 slides
CONDITIONAL EXECUTION: PART 2 yes no x &gt; y? max = y; max = x; logical AND logical OR

CONDITIONAL EXECUTION: PART 2 yes no x &gt; y? max = y; max = x; logical AND logical OR

CONDITIONAL EXECUTION: PART 2 yes no x &gt; y? max = y; max = x; logical AND logical OR logical NOT &amp;&amp; || ! Fundamentals of Computer Science I Outline Review: The if-else statement The switch statement A look at

536 views • 25 slides
Basic Computation logical AND logical OR logical NOT &amp;&amp; || ! public static void

Basic Computation logical AND logical OR logical NOT &amp;&amp; || ! public static void

Basic Computation logical AND logical OR logical NOT &amp;&amp; || ! public static void main(String [] args) Fundamentals of Computer Science Outline Data Types Variables Primitive Data Types The String Class Type

922 views • 55 slides
A Linear Logical A Linear Logical A Linear Logical Framework Framework Framework Iliano

A Linear Logical A Linear Logical A Linear Logical Framework Framework Framework Iliano

A Linear Logical A Linear Logical A Linear Logical Framework Framework Framework Iliano Cervesato - Frank Pfenning Department of Computer Science Carnegie Mellon University 11 th IEEE Symposium on Logic in Computer Science New

587 views • 30 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Optimal Cryptographic Functions Lilya Budaghyan Selmer Center University of Bergen Norway

Optimal Cryptographic Functions Lilya Budaghyan Selmer Center University of Bergen Norway

Preliminaries Equivalence Relations of Functions APN Polynomial Constructions, Their Applications and Properties Optimal Cryptographic Functions Lilya Budaghyan Selmer Center University of Bergen Norway Finse Winter School 2019 May 10, 2019

1.41k views • 79 slides
Hint Orchestration Using ACL2's Simplifier Sol Swords Centaur Technology, Inc. ACL2 Workshop

Hint Orchestration Using ACL2's Simplifier Sol Swords Centaur Technology, Inc. ACL2 Workshop

Hint Orchestration Using ACL2's Simplifier Sol Swords Centaur Technology, Inc. ACL2 Workshop 2018 This talk is for hint abusers This might be you if: You cant be bothered to figure out a good rewriting strategy You just dont know

541 views • 30 slides
A logical framework for incremental type-checking Matthias Puech 1 , 2 egis-Gianas 2 Yann R 1

A logical framework for incremental type-checking Matthias Puech 1 , 2 egis-Gianas 2 Yann R 1

A logical framework for incremental type-checking Matthias Puech 1 , 2 egis-Gianas 2 Yann R 1 Dept. of Computer Science, University of Bologna 2 University Paris 7, CNRS, and INRIA, PPS, team r 2 May 2011 CEA LIST 1 / 28 A paradoxical

1.03k views • 90 slides
Implementing Knowledge-based Systems To build an interpreter for a language, we need to

Implementing Knowledge-based Systems To build an interpreter for a language, we need to

Implementing Knowledge-based Systems To build an interpreter for a language, we need to distinguish Base language the language of the RRS being implemented. Metalanguage the language used to implement the system. They could even be the same

342 views • 11 slides
with Melange A tool demonstration Thomas Degueule, Benoit Combemale, Arnaud Blouin, Olivier

with Melange A tool demonstration Thomas Degueule, Benoit Combemale, Arnaud Blouin, Olivier

Reusing Legacy DSLs with Melange A tool demonstration Thomas Degueule, Benoit Combemale, Arnaud Blouin, Olivier Barais An open-source (EPL) language workbench o r a meta -language for DSL engineering o r a language -based,

311 views • 7 slides
A Counterexample to Tensorability of Effects Sergey Goncharov and Lutz Schr oder September 1,

A Counterexample to Tensorability of Effects Sergey Goncharov and Lutz Schr oder September 1,

A Counterexample to Tensorability of Effects Sergey Goncharov and Lutz Schr oder September 1, 2011 2 / 16 Very-very Abstract Picture Our work addresses the question of general existence of tensor products of monads open since 1969: Ernie

504 views • 25 slides
Standard ML ML - historically stands for Meta Language. ML CSCI: 4500/6500 Programming

Standard ML ML - historically stands for Meta Language. ML CSCI: 4500/6500 Programming

Standard ML ML - historically stands for Meta Language. ML CSCI: 4500/6500 Programming was a meta language for expressing and manipulating logical proofs. Languages General purpose, modular functional programming language

379 views • 6 slides
Software Language Engineering by Vadim Zaytsev Intentional Universiteit van Amsterdam SQM 2014

Software Language Engineering by Vadim Zaytsev Intentional Universiteit van Amsterdam SQM 2014

Software Language Engineering by Vadim Zaytsev Intentional Universiteit van Amsterdam SQM 2014 @ CSM R -WC R E R ewriting 3 February 2014 CC-BY-SA Who am I 20132014: Universiteit van Amsterdam 20102013: Centrum Wiskunde &amp;

701 views • 28 slides
Programming with Comonads and Codo Notation ([talk]) Dominic Orchard, Thursday 2nd June 2011

Programming with Comonads and Codo Notation ([talk]) Dominic Orchard, Thursday 2nd June 2011

Programming with Comonads and Codo Notation ([talk]) Dominic Orchard, Thursday 2nd June 2011 Institute of Cybernetics, Tallinn University of Technology, Tallinn, Estonia Monday, 6 June 2011 Monads x12 as popular as comonads?! Monday, 6 June

1.11k views • 67 slides

More recommend