decidability of a sound set of inference rules for
play

Decidability of a Sound Set of Inference Rules for Computational - PowerPoint PPT Presentation

Sep 19, 2022 •287 likes •1.06k views

Decidability of a Sound Set of Inference Rules for Computational Indistinguishability Adrien Koutsos LSV, CNRS, ENS Paris-Saclay June 29, 2019 Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 1 / 34 Introduction Motivation

  1. Decidability of a Sound Set of Inference Rules for Computational Indistinguishability Adrien Koutsos LSV, CNRS, ENS Paris-Saclay June 29, 2019 Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 1 / 34

  2. Introduction Motivation Security protocols are distributed programs which aim at providing some security properties. They are extensively used, and bugs can be very costly. Security protocols are often short, but the security properties are complex. ⇒ Need to use formal methods. Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 2 / 34

  3. Introduction Goal of this work We focus on fully automatic proofs of indistinguishability properties in the computational model: Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 3 / 34

  4. Introduction Goal of this work We focus on fully automatic proofs of indistinguishability properties in the computational model: Computational model: the adversary is any probabilistic polynomial time Turing machine . This offers strong security guarantees. Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 3 / 34

  5. Introduction Goal of this work We focus on fully automatic proofs of indistinguishability properties in the computational model: Computational model: the adversary is any probabilistic polynomial time Turing machine . This offers strong security guarantees. Indistinguishability properties: e.g. strong secrecy, anonymity or unlinkability. Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 3 / 34

  6. Introduction Goal of this work We focus on fully automatic proofs of indistinguishability properties in the computational model: Computational model: the adversary is any probabilistic polynomial time Turing machine . This offers strong security guarantees. Indistinguishability properties: e.g. strong secrecy, anonymity or unlinkability. Fully automatic: we want a complete decision procedure. Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 3 / 34

  7. 1 Introduction 2 The Bana-Comon Model 3 Inference Rules Unitary Inference Rules Inference Rules 4 Decision Result 5 Conclusion Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 4 / 34

  8. 1 Introduction 2 The Bana-Comon Model 3 Inference Rules Unitary Inference Rules Inference Rules 4 Decision Result 5 Conclusion Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 5 / 34

  9. The Private Authentication Protocol $ A’ : n A’ ← $ B : n B ← 1 : A’ − → B : {� A’ , n A’ �} pk ( B ) � {� n A’ , n B �} pk ( A ) if A’ = A 2 : B − → A’ : {� n B , n B �} pk ( A ) otherwise Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 6 / 34

  10. Bana-Comon Model: Messages Messages We use terms to model protocol messages , build upon: Names N , e.g. n A , n B , for random samplings. Function symbols F , e.g.: A , B , � _ , _ � , π i ( _ ) , { _ } _ , pk ( _ ) , sk ( _ ) , if_then_else_ , eq ( _ , _ ) Variables X . Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 7 / 34

  11. Bana-Comon Model: Messages Messages We use terms to model protocol messages , build upon: Names N , e.g. n A , n B , for random samplings. Function symbols F , e.g.: A , B , � _ , _ � , π i ( _ ) , { _ } _ , pk ( _ ) , sk ( _ ) , if_then_else_ , eq ( _ , _ ) Variables X . Examples � n A , A � π 1 ( n B ) {� A’ , n A’ �} pk ( B ) Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 7 / 34

  12. Bana-Comon Model: Messages The Private Authentication Protocol 1 : A’ − → B {� A’ , n A’ �} pk ( B ) : ��� n A’ , n B �� if A’ = A 2 : B − → A’ pk ( A ) : {� n B , n B �} pk ( A ) otherwise How do we represent the adversary’s inputs? Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 8 / 34

  13. Bana-Comon Model: Messages The Private Authentication Protocol 1 : A’ − → B {� A’ , n A’ �} pk ( B ) : ��� n A’ , n B �� if A’ = A 2 : B − → A’ pk ( A ) : {� n B , n B �} pk ( A ) otherwise How do we represent the adversary’s inputs? We use adversarial functions symbols , typically g . g takes as input the current knowledge of the adversary ( the frame ). Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 8 / 34

  14. Bana-Comon Model: Messages The Private Authentication Protocol 1 : A’ − → B {� A’ , n A’ �} pk ( B ) : ��� n A’ , n B �� if A’ = A 2 : B − → A’ pk ( A ) : {� n B , n B �} pk ( A ) otherwise How do we represent the adversary’s inputs? We use adversarial functions symbols , typically g . g takes as input the current knowledge of the adversary ( the frame ). Intuitively, they can be any probabilistic polynomial time algorithm . Moreover, branching of the protocol is done using if_then_else_. Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 8 / 34

  15. Bana-Comon Model: Messages The Private Authentication Protocol 1 : A’ − → B : {� A’ , n A’ �} pk ( B ) ��� n A’ , n B �� if A’ = A pk ( A ) 2 : B − → A’ : {� n B , n B �} pk ( A ) otherwise Term Representing the Messages in PA t 1 = {� A’ , n A’ �} pk ( B ) t 2 = if eq ( π 1 ( dec ( g ( t 1 ) , sk ( B ))); A ) �� �� then π 2 ( dec ( g ( t 1 ) , sk ( B ))) , n B pk ( A ) {� n B , n B �} pk ( A ) else Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 9 / 34

  16. Bana-Comon Model: Protocol Execution Protocol Execution The execution of a protocol P is a sequence of terms using adversarial function symbols: u P 1 , . . . , u P n where u P i is the i -th message sent on the network by P . Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 10 / 34

  17. Bana-Comon Model: Protocol Execution Protocol Execution The execution of a protocol P is a sequence of terms using adversarial function symbols: u P 1 , . . . , u P n where u P i is the i -th message sent on the network by P . Remark This is only possible for a bounded number of messages. Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 10 / 34

  18. Bana-Comon Model: Security Properties Formula Formulas are build using: For every n ∈ N , the predicate ∼ n of arity 2 n . Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 11 / 34

  19. Bana-Comon Model: Security Properties Formula Formulas are build using: For every n ∈ N , the predicate ∼ n of arity 2 n . Examples n ∼ if g () then n else n’ Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 11 / 34

  20. Bana-Comon Model: Security Properties Formula Formulas are build using: For every n ∈ N , the predicate ∼ n of arity 2 n . Examples n ∼ if g () then n else n’ Privacy of the PA protocol can be expressed by the ground formula: t A 1 , t A t C 1 , t C ∼ 2 2 Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 11 / 34

  21. Bana-Comon Model: Security Properties Formula Formulas are build using: For every n ∈ N , the predicate ∼ n of arity 2 n . Boolean connectives ∧ , ∨ , ¬ , → . First-order quantifier ∀ . Examples n ∼ if g () then n else n’ Privacy of the PA protocol can be expressed by the ground formula: t A 1 , t A t C 1 , t C ∼ 2 2 Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 11 / 34

  22. 1 Introduction 2 The Bana-Comon Model 3 Inference Rules Unitary Inference Rules Inference Rules 4 Decision Result 5 Conclusion Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 12 / 34

  23. Unitary Inference Rules Unitary Inference Rules We know that some atomic formulas are valid: Using α -renaming of random samplings: n A , n B ∼ n C , n D Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 13 / 34

  24. Unitary Inference Rules Unitary Inference Rules We know that some atomic formulas are valid: Using α -renaming of random samplings: n A , n B ∼ n C , n D Using cryptographic assumptions on the security primitives, e.g. if the encryption scheme is ind-cca 1 . Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 13 / 34

  25. Unitary Inference Rules: Cryptographic Assumptions CCA1 Rules { m 0 } pk ∼ { m 1 } pk Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 14 / 34

  26. Unitary Inference Rules: Cryptographic Assumptions CCA1 Rules { m 0 } pk ∼ { m 1 } pk Assuming: sk occurs only in decryption position in m 0 , m 1 Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 14 / 34

  27. Unitary Inference Rules: Cryptographic Assumptions CCA1 Rules { m 0 } n r { m 1 } n r pk ∼ pk Assuming: sk occurs only in decryption position in m 0 , m 1 n r does not appear in m 0 , m 1 Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 14 / 34

  28. Unitary Inference Rules: Cryptographic Assumptions CCA1 Rules { m 0 } n r { m 1 } n r pk ∼ pk Assuming: sk occurs only in decryption position in m 0 , m 1 n r does not appear in m 0 , m 1 Theorem The CCA1 rules are valid when the encryption and decryption functions form an ind-cca 1 encryption scheme. Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 14 / 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Syntax Gabriele Keller Overview So far - judgements and inference rules - rule induction -

Syntax Gabriele Keller Overview So far - judgements and inference rules - rule induction -

Concepts of Program Design Syntax Gabriele Keller Overview So far - judgements and inference rules - rule induction - grammars specified using inference rules This week - relations and inference rules - first-order & higher-order

288 views • 24 slides
The Foundations: Logic and Proofs Chapter 1, Part III: Proofs Rules of Inference Section 1.6

The Foundations: Logic and Proofs Chapter 1, Part III: Proofs Rules of Inference Section 1.6

The Foundations: Logic and Proofs Chapter 1, Part III: Proofs Rules of Inference Section 1.6 Section Summary Valid Arguments Inference Rules for Propositional Logic Using Rules of Inference to Build Arguments Rules of Inference

733 views • 57 slides
Inductive Definitions with Inference Rules 1 / 25 Outline Introduction Specifying inductive

Inductive Definitions with Inference Rules 1 / 25 Outline Introduction Specifying inductive

Inductive Definitions with Inference Rules 1 / 25 Outline Introduction Specifying inductive definitions Inference rules in action Judgments, axioms, and rules Reasoning about inductive definitions Direct proofs Admissibility Rule induction

498 views • 25 slides
Semantics S E T O N T F A R D Gabriele Keller Where we are So far - Judgements and

Semantics S E T O N T F A R D Gabriele Keller Where we are So far - Judgements and

Concepts of Program Design Semantics S E T O N T F A R D Gabriele Keller Where we are So far - Judgements and inference rules - Rule induction - Inference rules - Grammars specified using inference rules - Judgements and relations -

465 views • 18 slides
Syntax Gabriele Keller Ron Vanderfeesten Overview So far Revision of inference rules,

Syntax Gabriele Keller Ron Vanderfeesten Overview So far Revision of inference rules,

Concepts of Program Design Syntax Gabriele Keller Ron Vanderfeesten Overview So far Revision of inference rules, natural (rule) induction Haskell Simple grammars specified using inference rules This week - first-order &

611 views • 40 slides
Decidability of the Admissible Rules in Intuitionistic Propositional Logic Jeroen P. Goudsmit

Decidability of the Admissible Rules in Intuitionistic Propositional Logic Jeroen P. Goudsmit

Decidability of the Admissible Rules in Intuitionistic Propositional Logic Jeroen P. Goudsmit Utrecht University Workshop on Admissibility and Unification 2 January 31 st 2015 A / admissible A is derivable A / admissible C is

1.22k views • 87 slides
Theory of Computer Science D6. Decidability and Semi-Decidability Malte Helmert University of

Theory of Computer Science D6. Decidability and Semi-Decidability Malte Helmert University of

Theory of Computer Science D6. Decidability and Semi-Decidability Malte Helmert University of Basel May 4, 2016 (Semi-) Decidability Recursive Enumerability Models of Computation and Semi-Decidability Summary Overview: Computability Theory

600 views • 39 slides
Theory of Computer Science May 4, 2016 D6. Decidability and Semi-Decidability Theory of

Theory of Computer Science May 4, 2016 D6. Decidability and Semi-Decidability Theory of

Theory of Computer Science May 4, 2016 D6. Decidability and Semi-Decidability Theory of Computer Science D6.1 (Semi-) Decidability D6. Decidability and Semi-Decidability D6.2 Recursive Enumerability Malte Helmert University of Basel D6.3

406 views • 7 slides
An Inference-rules based Categorial Grammar Learner for Simulating Language Acquisition Xuchen

An Inference-rules based Categorial Grammar Learner for Simulating Language Acquisition Xuchen

Introduction Learning by Inference Rules Experiment Conclusion An Inference-rules based Categorial Grammar Learner for Simulating Language Acquisition Xuchen Yao, Jianqiang Ma, Sergio Duarte, ar ltekin University of Groningen 18

669 views • 30 slides
Computational Learning Theory 1 / 22 Decidability Computation Decidability which

Computational Learning Theory 1 / 22 Decidability Computation Decidability which

Computational Learning Theory 1 / 22 Decidability Computation Decidability which problems have algorithmic solutions Machine Learning Feasibility what assumptions must we make to trust that we can learn an unknown target

246 views • 22 slides
Chapter9 Inference in First-Order Logic 20070510 Chap9 1 Inference Rules Involving

Chapter9 Inference in First-Order Logic 20070510 Chap9 1 Inference Rules Involving

Chapter9 Inference in First-Order Logic 20070510 Chap9 1 Inference Rules Involving Quantifiers Substitution SUBST ( , ) refers to applying the substitution or binding list to the sentence . SUBST ({ x / Sam , y / Pam } ,

340 views • 33 slides
Theory of Computer Science C5. Context-free Languages: Normal Forms, Closure, Decidability Malte

Theory of Computer Science C5. Context-free Languages: Normal Forms, Closure, Decidability Malte

Theory of Computer Science C5. Context-free Languages: Normal Forms, Closure, Decidability Malte Helmert University of Basel April 6, 2016 Context-free Grammars and -Rules Chomsky Normal Form Closure Properties Decidability Summary

831 views • 47 slides
Decidability Decidability p.1/27 Topics Discuss the power of algorithms

Decidability Decidability p.1/27 Topics Discuss the power of algorithms

Decidability Decidability p.1/27 Topics Discuss the power of algorithms to solve problems Demonstrate that some problems can be solved by algorithms while other cannot Explore the limits of algorithmic solvability

477 views • 27 slides
1 Alphabets and Languages Look at handout 1 (inference rules for sets) and use the rules on some

1 Alphabets and Languages Look at handout 1 (inference rules for sets) and use the rules on some

1 Alphabets and Languages Look at handout 1 (inference rules for sets) and use the rules on some exam- ples like { a } {{ a }} { a } { a, b } , { a } {{ a }} , { a } {{ a }} , { a } { a, b } , a {{ a }} , a { a, b } ,

860 views • 6 slides
We will start momentarily. 2 A Few Housekeeping Rules: To avoid any sound interference, all

We will start momentarily. 2 A Few Housekeeping Rules: To avoid any sound interference, all

1 The PPP Journey: Paycheck Protection Program, From Application Through Forgiveness, and Beyond! Welcome! We will start momentarily. 2 A Few Housekeeping Rules: To avoid any sound interference, all participants are muted during the

717 views • 43 slides
Logic: The Big Picture Propositional logic: atomic statements are facts Inference via

Logic: The Big Picture Propositional logic: atomic statements are facts Inference via

Logic: The Big Picture Propositional logic: atomic statements are facts Inference via resolution is sound and complete Inference via resolution is sound and complete (though likely computationally intractable) First-order logic: adds

604 views • 13 slides
Space vs Time, Cache vs Main Memory Marc Moreno Maza University of Western Ontario, London,

Space vs Time, Cache vs Main Memory Marc Moreno Maza University of Western Ontario, London,

Space vs Time, Cache vs Main Memory Marc Moreno Maza University of Western Ontario, London, Ontario (Canada) CS 4435 - CS 9624 (Moreno Maza) Space vs Time, Cache vs Main Memory CS 4435 - CS 9624 1 / 49 Plan Space vs Time 1 Cache vs Main

690 views • 49 slides
4CSLL5 IBM Translation Models Martin Emms October 22, 2020 4CSLL5 IBM Translation Models IBM

4CSLL5 IBM Translation Models Martin Emms October 22, 2020 4CSLL5 IBM Translation Models IBM

4CSLL5 IBM Translation Models 4CSLL5 IBM Translation Models Martin Emms October 22, 2020 4CSLL5 IBM Translation Models IBM models Probabilities and Translation Alignments IBM Model 1 definitions 4CSLL5 IBM Translation Models IBM models

1.23k views • 103 slides
Ricco RAKOTOMALALA Ricco Rakotomalala 1 Tutoriels Tanagra -

Ricco RAKOTOMALALA Ricco Rakotomalala 1 Tutoriels Tanagra -

Ricco RAKOTOMALALA Ricco Rakotomalala 1 Tutoriels Tanagra - http://data-mining-tutorials.blogspot.fr/ Maximum a posteriori rule Calculating the posterior probability P Y y P / Y y

383 views • 35 slides
The neighbours of Baxter numbers Lattice paths Veronica Guerrini University of Siena, DIISM 31

The neighbours of Baxter numbers Lattice paths Veronica Guerrini University of Siena, DIISM 31

Number sequences Generating trees Slicings of parallelogram polyominoes Slicings generalizations Permutations Semi-Baxter sequence The neighbours of Baxter numbers Lattice paths Veronica Guerrini University of Siena, DIISM 31 January

1.05k views • 65 slides
Catalytic Networks Mark Baumback Introduction Summary w Artificial Chemistry review w Self

Catalytic Networks Mark Baumback Introduction Summary w Artificial Chemistry review w Self

Catalytic Networks Mark Baumback Introduction Summary w Artificial Chemistry review w Self organization w Catalytic Networks n Autocatalytic Sets n Self Reproduction n Self Maintenance w Evolving autocatalytic sets (in a catalytic network) w

937 views • 54 slides
AM07: Characterization of the Novel Associative Memory Chip Prototype Designed in 28 nm CMOS

AM07: Characterization of the Novel Associative Memory Chip Prototype Designed in 28 nm CMOS

AM07: Characterization of the Novel Associative Memory Chip Prototype Designed in 28 nm CMOS Technology for High Energy Physics and Interdisciplinary Applications AM07: Characterization of the Novel Associative Memory Chip Prototype Designed in 28

207 views • 17 slides
A Computation- and Network-Aware Energy Optimization model for Virtual Machine Allocation C.

A Computation- and Network-Aware Energy Optimization model for Virtual Machine Allocation C.

A Computation- and Network-Aware Energy Optimization model for Virtual Machine Allocation C. Canali, R. Lancellotti Department of Engineering Enzo Ferrari, University of Modena and Reggio Emilia M. Shojafar Italian National Council for

550 views • 17 slides
Analysis of Algorithms & Big-O CS16: Introduction to Algorithms & Data Structures Spring

Analysis of Algorithms & Big-O CS16: Introduction to Algorithms & Data Structures Spring

Analysis of Algorithms & Big-O CS16: Introduction to Algorithms & Data Structures Spring 2020 Outline Running time Big- O Big- and Big- 2 What is a Good Algorithm? 3 What is a Good Algorithm In CS16

887 views • 69 slides

More recommend