deciding knowledge in security protocols for monoidal
play

Deciding knowledge in security protocols for monoidal equational - PowerPoint PPT Presentation

Dec 05, 2022 •8 likes •378 views

Deciding knowledge in security protocols for monoidal equational theories Vronique Cortier and Stphanie Delaune LORIA, CNRS & INRIA project Cassis, Nancy, France July 8, 2007 S. Delaune (LORIA Projet Cassis) Deciding knowledge

  1. Deciding knowledge in security protocols for monoidal equational theories Véronique Cortier and Stéphanie Delaune LORIA, CNRS & INRIA project Cassis, Nancy, France July 8, 2007 S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 1 / 23

  2. Context: cryptographic protocols Messages are abstracted by terms ... encryption { x } y , pairing � x , y � , . . . ... together with an equational theory classical theory: proj 1 ( � x , y � ) = x proj 2 ( � x , y � ) = y dec ( enc ( x , y ) , y ) = x exclusive or (ACUN): ( x + y ) + z = x + ( y + z ) ( A ) x + y = y + x ( C ) x + 0 = x ( U ) x + x = 0 ( N ) S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 2 / 23

  3. Context: cryptographic protocols Messages are abstracted by terms ... encryption { x } y , pairing � x , y � , . . . ... together with an equational theory classical theory: proj 1 ( � x , y � ) = x proj 2 ( � x , y � ) = y dec ( enc ( x , y ) , y ) = x exclusive or (ACUN): ( x + y ) + z = x + ( y + z ) ( A ) x + y = y + x ( C ) x + 0 = x ( U ) x + x = 0 ( N ) S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 2 / 23

  4. Knowledge Understanding security protocols often requires reasoning about knowledge of the attacker. Two main kinds of knowledge deduction, static equivalence – indistinguishability − → often used as subroutines in many decision procedures S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 3 / 23

  5. Deduction T ⊢ E M 1 · · · T ⊢ E M k f ∈ Σ M ∈ T T ⊢ E M T ⊢ E f ( M 1 , . . . , M k ) T ⊢ M M = E M ′ T ⊢ M ′ Example: Let E := dec ( enc ( x , y ) , y ) = x and T = { enc ( secret , k ) , k } . T ⊢ enc ( secret , k ) T ⊢ k f ∈ Σ T ⊢ dec ( enc ( secret , k ) , k ) dec ( enc ( x , y ) , y ) = x T ⊢ secret S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 4 / 23

  6. Deduction T ⊢ E M 1 · · · T ⊢ E M k f ∈ Σ M ∈ T T ⊢ E M T ⊢ E f ( M 1 , . . . , M k ) T ⊢ M M = E M ′ T ⊢ M ′ Example: Let E := dec ( enc ( x , y ) , y ) = x and T = { enc ( secret , k ) , k } . T ⊢ enc ( secret , k ) T ⊢ k f ∈ Σ T ⊢ dec ( enc ( secret , k ) , k ) dec ( enc ( x , y ) , y ) = x T ⊢ secret S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 4 / 23

  7. Deduction is not always sufficient → The intruder knows the values yes and no ! The real question Is the intruder able to tell whether Alice sends yes or no? S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 5 / 23

  8. Static equivalence frame = set of restricted names + sequence of messages n . { M 1 / x 1 , . . . , M ℓ / x ℓ } φ = ν ˜ Examples: If the key k is not revealed, we have that φ 1 = ν k . { enc ( yes , k ) / φ 2 = ν k . { enc ( no , k ) / x } and x } If the key k is revealed, we have that x 1 , enc ( yes , k ) / x 1 , enc ( no , k ) / ψ 1 = ν k . { k / x 2 } and ψ 2 = ν k . { k / x 2 } S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 6 / 23

  9. Static equivalence frame = set of restricted names + sequence of messages n . { M 1 / x 1 , . . . , M ℓ / x ℓ } φ = ν ˜ Examples: If the key k is not revealed, we have that φ 1 = ν k . { enc ( yes , k ) / φ 2 = ν k . { enc ( no , k ) / x } and x } If the key k is revealed, we have that x 1 , enc ( yes , k ) / x 1 , enc ( no , k ) / ψ 1 = ν k . { k / x 2 } and ψ 2 = ν k . { k / x 2 } S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 6 / 23

  10. Static equivalence frame = set of restricted names + sequence of messages n . { M 1 / x 1 , . . . , M ℓ / x ℓ } φ = ν ˜ Examples: If the key k is not revealed, we have that φ 1 = ν k . { enc ( yes , k ) / φ 2 = ν k . { enc ( no , k ) / x } and x } If the key k is revealed, we have that x 1 , enc ( yes , k ) / x 1 , enc ( no , k ) / ψ 1 = ν k . { k / x 2 } and ψ 2 = ν k . { k / x 2 } S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 6 / 23

  11. Static equivalence frame = set of restricted names + sequence of messages n . { M 1 / x 1 , . . . , M ℓ / x ℓ } φ = ν ˜ Examples: If the key k is not revealed, we have that φ 1 = ν k . { enc ( yes , k ) / φ 2 = ν k . { enc ( no , k ) / x } and x } − → indistinguishable If the key k is revealed, we have that x 1 , enc ( yes , k ) / x 1 , enc ( no , k ) / ψ 1 = ν k . { k / x 2 } and ψ 2 = ν k . { k / x 2 } − → distinguishable S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 6 / 23

  12. Goal of this paper A general approach for deciding deduction and static equivalence to deal with the class of monoidal theories − → AC-like equational theories with homomorphism operators h ( x + y ) = h ( x ) + h ( y ) based on an algebraic characterization (semiring) many decidability and complexity results with several new ones S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 7 / 23

  13. Outline of the talk Monoidal theories / semirings 1 Deduction 2 Static equivalence 3 Applications 4 S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 8 / 23

  14. Monoidal theory Definition (Nutt’90) A theory E over Σ is called monoidal if: Σ contains + (binary), 0 (constant) and all other function symbols are unary, + is AC symbol with unit 0, for every unary h ∈ Σ , we have h ( x + y ) = h ( x ) + h ( y ) and h ( 0 ) = 0. Examples: 1 ACU: AC with unit 0, i.e. 0 + x = x , 2 ACUI: ACU with idempotency x + x = x , 3 ACUN (Exclusive Or): ACU with nilpotency x + x = 0, 4 AG (Abelian groups): ACU with x + − ( x ) = 0 (Inv), 5 ACUh, ACUIh, ACUNh, AGh, . . . S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 9 / 23

  15. Monoidal theory Definition (Nutt’90) A theory E over Σ is called monoidal if: Σ contains + (binary), 0 (constant) and all other function symbols are unary, + is AC symbol with unit 0, for every unary h ∈ Σ , we have h ( x + y ) = h ( x ) + h ( y ) and h ( 0 ) = 0. Examples: 1 ACU: AC with unit 0, i.e. 0 + x = x , 2 ACUI: ACU with idempotency x + x = x , 3 ACUN (Exclusive Or): ACU with nilpotency x + x = 0, 4 AG (Abelian groups): ACU with x + − ( x ) = 0 (Inv), 5 ACUh, ACUIh, ACUNh, AGh, . . . S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 9 / 23

  16. Monoidal theories defines semiring [Nutt’90] − → for any monoidal theory E there exists a corresponding semiring S E Examples: AG → ( Z , + , · ) – ring of integers , t = x + x + x 3 � u = − ( a + a ) − 2 � t [ x �→ u ] 3 · ( − 2 ) = − 6 � ACU → ( N , + , · ) – semiring of natural numbers , ACUh → ( N [ h ] , + , · ) – semiring of polynomials in one indeterminate with coefficient in N , h ( a ) + h ( h ( a )) � h + h 2 S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 10 / 23

  17. Monoidal theories defines semiring [Nutt’90] − → for any monoidal theory E there exists a corresponding semiring S E Examples: AG → ( Z , + , · ) – ring of integers , t = x + x + x 3 � u = − ( a + a ) − 2 � t [ x �→ u ] 3 · ( − 2 ) = − 6 � ACU → ( N , + , · ) – semiring of natural numbers , ACUh → ( N [ h ] , + , · ) – semiring of polynomials in one indeterminate with coefficient in N , h ( a ) + h ( h ( a )) � h + h 2 S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 10 / 23

  18. Representation of terms and frames We generalize the previous construction. Let B = [ b 1 , . . . , b m ] be a base, i.e. a sequence of free symbols. ψ B : T (Σ , { b 1 , . . . , b m } ) → S E m Example: theory ACU – B = [ n 1 , n 2 , n 3 ] Term built on B M = 3 n 1 + 2 n 2 + 3 n 3 � ( 3 , 2 , 3 ) Frame built on B and saturated w.r.t. B Let φ = ν n 1 , n 2 , n 3 . { 3 n 1 + 2 n 2 + 3 n 3 / x 1 , n 2 + 3 n 3 / x 2 , 3 n 2 + n 3 / x 3 , 3 n 1 + n 2 + 4 n 3 / x 4 } ψ B ( 3 n 1 + 2 n 2 + 3 n 3 ) = ( 3 , 2 , 3 ) ,   3 2 3 ψ B ( n 2 + 3 n 3 ) = ( 0 , 1 , 3 ) , 0 1 3   φ � since   0 3 1   ψ B ( 3 n 2 + n 3 ) = ( 0 , 3 , 1 ) , and   3 1 4 ψ B ( 3 n 1 + n 2 + 4 n 3 ) = ( 3 , 1 , 4 ) . S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 11 / 23

  19. Representation of terms and frames We generalize the previous construction. Let B = [ b 1 , . . . , b m ] be a base, i.e. a sequence of free symbols. ψ B : T (Σ , { b 1 , . . . , b m } ) → S E m Example: theory ACU – B = [ n 1 , n 2 , n 3 ] Term built on B M = 3 n 1 + 2 n 2 + 3 n 3 � ( 3 , 2 , 3 ) Frame built on B and saturated w.r.t. B Let φ = ν n 1 , n 2 , n 3 . { 3 n 1 + 2 n 2 + 3 n 3 / x 1 , n 2 + 3 n 3 / x 2 , 3 n 2 + n 3 / x 3 , 3 n 1 + n 2 + 4 n 3 / x 4 } ψ B ( 3 n 1 + 2 n 2 + 3 n 3 ) = ( 3 , 2 , 3 ) ,   3 2 3 ψ B ( n 2 + 3 n 3 ) = ( 0 , 1 , 3 ) , 0 1 3   φ � since   0 3 1   ψ B ( 3 n 2 + n 3 ) = ( 0 , 3 , 1 ) , and   3 1 4 ψ B ( 3 n 1 + n 2 + 4 n 3 ) = ( 3 , 1 , 4 ) . S. Delaune (LORIA – Projet Cassis) Deciding knowledge July 8, 2007 11 / 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Combining algorithms for deciding knowledge in security protocols Mathilde Arnaud, Vronique

Combining algorithms for deciding knowledge in security protocols Mathilde Arnaud, Vronique

Combining algorithms for deciding knowledge in security protocols Mathilde Arnaud, Vronique Cortier and Stphanie Delaune LORIA, CNRS & INRIA project Cassis, Nancy, France September 10, 2007 S. Delaune (LORIA Projet Cassis) Deciding

514 views • 34 slides
Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Authentication Confidentiality Example: HTTPS (HTTP + TLS)

669 views • 42 slides
Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography and system mechanisms meet They allow trust to be taken from where it exists to where it s needed But they are

941 views • 67 slides
Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic

Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic

Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic complexity classes and Interactive proofs Graph isomorphism and PCP Some zero knowledge protocols: Feige-Fiat-Shamir authentication protocol

170 views • 16 slides
Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols 01 Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief introduction to security protocols; Model checking of security protocols, particularly using the process

1.28k views • 110 slides
FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge

FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge

FIT5124 Advanced Topics in Security Lecture 5: Secure Computation Protocols I Zero-Knowledge Proofs Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 5: Secure

729 views • 26 slides
Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval, Steve Kremer, Itsaka Rakotonirina Inria Nancy Grand-Est Security protocols TLS Wifi @ PASS E-voting E-passport 2 24 Security protocols

830 views • 69 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
On the Composition of Public- - On the Composition of Public Coin Zero- -Knowledge Protocols

On the Composition of Public- - On the Composition of Public Coin Zero- -Knowledge Protocols

On the Composition of Public- - On the Composition of Public Coin Zero- -Knowledge Protocols Knowledge Protocols Coin Zero Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktrm (KTH) 1 Zero Knowledge [GMR85] Zero

613 views • 22 slides
Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides originally by Ross Anderson Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography

1.47k views • 118 slides
Outline 1 Zero-Knowledge MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second

Outline 1 Zero-Knowledge MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second

Zero-Knowledge Zero-Knowledge Two-Party Protocols Two-Party Protocols Outline 1 Zero-Knowledge MTAT.07.005 Cryptographic Protocols First Lecture: Main Notions Second Lecture: Proofs of Knowledge Introduction to Zero-Knowledge Third Lecture:

473 views • 31 slides
Outline Security Protocols Societal issues and cryptography CS 239 Key recovery

Outline Security Protocols Societal issues and cryptography CS 239 Key recovery

Outline Security Protocols Societal issues and cryptography CS 239 Key recovery cryptosystems Computer Security Designing secure protocols February 10, 2003 Basic protocols Key exchange Lecture 8 Lecture 8 Page 1 Page

148 views • 10 slides
Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security

Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security

Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security Protocols Application layer security (email) PGP, S/MIME Transport layer security Bart Preneel SSL / TLS June 2003 Network layer

571 views • 19 slides
Human Errors in Security Protocols David Basin joint work with Sa a Radomirovi and Lara

Human Errors in Security Protocols David Basin joint work with Sa a Radomirovi and Lara

Human Errors in Security Protocols David Basin joint work with Sa a Radomirovi and Lara Schmid Institute of Information Security Recap Security Protocols We have defined the Dolev-Yao adversary communicating agents that follow a

618 views • 51 slides
Skew monoidal structures on categories of algebras Marcelo Fiore and Philip Saville University

Skew monoidal structures on categories of algebras Marcelo Fiore and Philip Saville University

Skew monoidal structures on categories of algebras Marcelo Fiore and Philip Saville University of Cambridge Dept. of Computer Science 11th July 2018 1 / 26 Skew monoidal categories A version of monoidal categories: structural transformations

1.52k views • 112 slides
Security in in Security 802.11 Data Link Link Protocols Protocols 802.11 Data Gianluca Dini

Security in in Security 802.11 Data Link Link Protocols Protocols 802.11 Data Gianluca Dini

Security in in Security 802.11 Data Link Link Protocols Protocols 802.11 Data Gianluca Dini Gianluca Dini Dept. of Ingegneria dellInformazione University of Pisa, Italy Via Diotisalvi 2, 56100 Pisa gianluca.dini@ing.unipi.it If you

467 views • 35 slides
Examples Example The countable product R with the uniform topology is an example of a first

Examples Example The countable product R with the uniform topology is an example of a first

Examples Example The countable product R with the uniform topology is an example of a first countable space which is not second countable. Theorem 1 A subspace of a first (second) countable space is first (second) countable. 2 A countable

332 views • 5 slides
Fair division of indivisible goods under risk Sylvain Bouveret Charles Lumet Michel Lematre

Fair division of indivisible goods under risk Sylvain Bouveret Charles Lumet Michel Lematre

Fair division of indivisible goods under risk Sylvain Bouveret Charles Lumet Michel Lematre Onera Toulouse Workshop on Social Choice and Artificial Intelligence @ IJCAI 2011 Barcelona, July 16, 2011 Introduction Classical fair division

772 views • 76 slides
JUNO: Design and Progress J. Pedro Ochoa-Ricoux* University of California at Irvine *on behalf

JUNO: Design and Progress J. Pedro Ochoa-Ricoux* University of California at Irvine *on behalf

SPMT JUNO: Design and Progress J. Pedro Ochoa-Ricoux* University of California at Irvine *on behalf of the JUNO collaboration 1 ccerna@in2p3.fr CPAD Instrumentation Workshop, 2019 Image by JUNO Basics The J iangmen U nderground N eutrino O

443 views • 20 slides
Eduroam in Australia APAN29 Middleware Workshop February 9, 2010 What is eduroam? Guide for

Eduroam in Australia APAN29 Middleware Workshop February 9, 2010 What is eduroam? Guide for

Eduroam in Australia APAN29 Middleware Workshop February 9, 2010 What is eduroam? Guide for users 2 Eduroam Infrastructure .nl .au .ca .cn .hk .jp .edu org1.edu.au org1.edu.au RADIUS AP1 AP1 AP1 AP1 AP1 AP1 3 AU Eduroam

151 views • 12 slides
Abstract Data Type Map Map ADT Another fundamental abstract data type is the map (also The most

Abstract Data Type Map Map ADT Another fundamental abstract data type is the map (also The most

CS206 CS206 Abstract Data Type Map Map ADT Another fundamental abstract data type is the map (also The most important map methods are: called dictionary, in particular in Python). dict() Create new map. A map implements a mapping from

313 views • 3 slides
E -Unification of Higher-order Patterns Alexandre Boudet Evelyne Contejean LRI Orsay France

E -Unification of Higher-order Patterns Alexandre Boudet Evelyne Contejean LRI Orsay France

E -Unification of Higher-order Patterns Alexandre Boudet Evelyne Contejean LRI Orsay France Motivations Higher-order unification is undecidable (Huet) Unification of higher-order patterns is decidable (Miller) Combination of

496 views • 23 slides
Q Yes a a b a o e c o d o f Ic lb floc x c 112 not defined at 0 No 1 se IDefI A set is an

Q Yes a a b a o e c o d o f Ic lb floc x c 112 not defined at 0 No 1 se IDefI A set is an

Qi Yining talks to someone aboutmath iff they don't talk to themselves about math to herself about math Does Yining talk Q 013 EIN True F does f represent a well defined function Q Yes a a b a o e c o d o f Ic lb floc x c 112 not defined at

252 views • 8 slides
Latest Results on Electron-antineutrino Disappearance at Daya Bay Kam-Biu Luk University of

Latest Results on Electron-antineutrino Disappearance at Daya Bay Kam-Biu Luk University of

Latest Results on Electron-antineutrino Disappearance at Daya Bay Kam-Biu Luk University of California, Berkeley And Lawrence Berkeley National Laboratory On Behalf of the Daya Bay Collaboration Seminar at Imperial College/UCL, 14 June 2012

758 views • 49 slides

More recommend