exploiting symmetries when proving equivalence properties
play

Exploiting symmetries when proving equivalence properties for - PowerPoint PPT Presentation

Jun 12, 2023 •135 likes •830 views

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval, Steve Kremer, Itsaka Rakotonirina Inria Nancy Grand-Est Security protocols TLS Wifi @ PASS E-voting E-passport 2 24 Security protocols

  1. Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval, Steve Kremer, Itsaka Rakotonirina Inria Nancy Grand-Est

  2. Security protocols TLS Wifi @ PASS E-voting E-passport 2 24

  3. Security protocols TLS Wifi @ 2016 (early ver. 1.3) 2017 (WPA2) PASS E-voting E-passport 2010 (Helios) 2013 (BAC) 2 24

  4. Symbolic attacker model = protocol’s logic in an adversarial environment, with perfect cryptography 3 24

  5. Symbolic attacker model = protocol’s logic in an adversarial environment, with perfect cryptography Crypto = equations: Dishonest parties can: read / overwrite e.g. dec(enc(m, k), k) = m messages (symmetric encryption) no other behaviours DoS 3 24

  6. Privacy as indistinguishability Anonymity Alice Bob 4 24

  7. Privacy as indistinguishability Anonymity Alice Bob yes no no yes Vote privacy … 4 24

  8. Privacy as indistinguishability Behavioural indistinguishability for all potential attackers Anonymity Alice Bob yes no no yes Vote privacy … 4 24

  9. Privacy as indistinguishability yes no no yes 5 24

  10. Privacy as indistinguishability yes no no yes Equivalence coNEXP-complete for a fixed number of participants [S&P18] S. Kremer, V. Cheval, I. Rakotonirina. DEEPSEC: Deciding equivalence properties in security protocols — theory and practice 5 24

  11. Privacy as indistinguishability yes no no yes Observation ! Equivalence coNEXP-complete Each time, the two processes for a fixed number of participants share a common structure [S&P18] S. Kremer, V. Cheval, I. Rakotonirina. DEEPSEC: Deciding equivalence properties in security protocols — theory and practice 5 24

  12. Contributions A refinement of trace equivalence for processes with structural similarities Partial-order reductions for any process for this new equivalence Integration into the DeepSec prover 6 24

  13. Trace equivalence

  14. Modelling indistinguishability A simple example 8 24

  15. Modelling indistinguishability A simple example enc(0,k) enc(1,k) t 8 24

  16. Modelling indistinguishability A simple example enc(0,k) enc(1,k) t out(c, enc(0,k)) out(c, enc(1,k)) 8 24

  17. Modelling indistinguishability A simple example enc(0,k) enc(1,k) k k t out(c, enc(0,k)) out(c, enc(1,k)) | out(d, k) out(d, k) | 8 24

  18. Modelling indistinguishability A simple example enc(0,k) enc(1,k) k k t out(c, enc(0,k)) out(c, enc(1,k)) | out(d, k) out(d, k) | m 1 m 2 Distinguishing execution: 8 24

  19. Modelling indistinguishability A simple example enc(0,k) enc(1,k) k k t out(c, enc(0,k)) out(c, enc(1,k)) | out(d, k) out(d, k) | m 1 m 2 ? Distinguishing execution: + test dec(m 1 ,m 2 ) = 0 8 24

  20. Modelling indistinguishability Formalism P 0 P 1 iff ∀ t ∈ Traces(P i ), ∃ t’ ∈ Traces(P 1-i ), t ~ t’ t 9 24

  21. Modelling indistinguishability Formalism algebra of finite concurrent processes P 0 P 1 iff ∀ t ∈ Traces(P i ), ∃ t’ ∈ Traces(P 1-i ), t ~ t’ t 9 24

  22. Modelling indistinguishability Formalism in(c,x). P P | Q algebra of finite concurrent processes out(c,u). P if u = v then P else Q P 0 P 1 iff ∀ t ∈ Traces(P i ), ∃ t’ ∈ Traces(P 1-i ), t ~ t’ t 9 24

  23. Modelling indistinguishability Formalism in(c,x). P P | Q algebra of finite concurrent processes out(c,u). P if u = v then P else Q P 0 P 1 iff ∀ t ∈ Traces(P i ), ∃ t’ ∈ Traces(P 1-i ), t ~ t’ t sequences of inputs/outputs in an active adversarial environment 9 24

  24. Modelling indistinguishability Formalism in(c,x). P P | Q algebra of finite concurrent processes out(c,u). P if u = v then P else Q P 0 P 1 iff ∀ t ∈ Traces(P i ), ∃ t’ ∈ Traces(P 1-i ), t ~ t’ t sequences of inputs/outputs in an active adversarial environment out(c,u) ⇒ adds u to the attacker’s knowledge in(c,x) ⇒ receives a term from the attacker 9 24

  25. Modelling indistinguishability Formalism in(c,x). P P | Q algebra of finite concurrent processes out(c,u). P if u = v then P else Q P 0 P 1 iff ∀ t ∈ Traces(P i ), ∃ t’ ∈ Traces(P 1-i ), t ~ t’ t sequences of inputs/outputs in static indistinguishability of an active adversarial environment sequences of inputs/outputs out(c,u) ⇒ adds u to the attacker’s knowledge in(c,x) ⇒ receives a term from the attacker 9 24

  26. Trace equivalence… in practice

  27. A combinatorial fact … … action’ 1,1 action’ n,1 action 1,1 action n,1 … … … … … … action’ 1,p action’ n,p action n,p action 1,p … … 11 24

  28. A combinatorial fact n sessions … … action’ 1,1 action’ n,1 action 1,1 action n,1 p actions … … … … per session … … action’ 1,p action’ n,p action n,p action 1,p … … 11 24

  29. A combinatorial fact n sessions … … action’ 1,1 action’ n,1 action 1,1 action n,1 p actions … … … … per session … … action’ 1,p action’ n,p action n,p action 1,p … … Goal ∀ seq. of actions a 1 a 2 … a np , ∃ equivalent seq. of actions a’ 1 a’ 2 … a’ np 11 24

  30. A combinatorial fact n sessions … … action’ 1,1 action’ n,1 action 1,1 action n,1 p actions … … … … per session … … action’ 1,p action’ n,p action n,p action 1,p … … Goal ∀ seq. of actions a 1 a 2 … a np , ∃ equivalent seq. of actions a’ 1 a’ 2 … a’ np ~(np)! matchings Actions 11 24

  31. A combinatorial fact n sessions … … action’ 1,1 action’ n,1 action 1,1 action n,1 p actions … … … … per session … … action’ 1,p action’ n,p action n,p action 1,p … … Goal ∀ seq. of actions a 1 a 2 … a np , ∃ equivalent seq. of actions a’ 1 a’ 2 … a’ np ~(np)! matchings ~n! matchings Actions Sessions 11 24

  32. Why matching sessions? instead of individual actions … … action’ 1,1 action’ n,1 action 1,1 action n,1 … … … … … … action’ 1,p action’ n,p action n,p action 1,p … … 12 24

  33. Why matching sessions? instead of individual actions … … action’ 1,1 action’ n,1 action 1,1 action n,1 … … … … … … action’ 1,p action’ n,p action n,p action 1,p … … Reduces combinatorial explosion Sound, and often sufficient to prove trace equivalence 12 24

  34. Why matching sessions? instead of individual actions … … action’ 1,1 action’ n,1 action 1,1 action n,1 … … … … … … action’ 1,p action’ n,p action n,p action 1,p … … Reduces combinatorial explosion Actually a realistic attacker model e.g. for an adversary observing ports Sound, and often sufficient to dynamically allocated to each session prove trace equivalence 12 24

  35. Formally: process pairing 13 24

  36. Formally: process pairing (M ATCH ) (P 1 | … | P n , Q 1 | … | Q n ) (P 1 ,Q σ (1) ), …, (P 1 , Q σ (n) ) σ permutation of {1,…,n} 13 24

  37. Formally: process pairing (M ATCH ) (P 1 | … | P n , Q 1 | … | Q n ) (P 1 ,Q σ (1) ), …, (P 1 , Q σ (n) ) σ permutation of {1,…,n} 훼 훼 훼 (E XEC ) (P,Q) (P’,Q’) if P → P’ and Q → Q’ (in the single-process semantics) 13 24

  38. Formally: process pairing (M ATCH ) (P 1 | … | P n , Q 1 | … | Q n ) (P 1 ,Q σ (1) ), …, (P 1 , Q σ (n) ) σ permutation of {1,…,n} 훼 훼 훼 (E XEC ) (P,Q) (P’,Q’) if P → P’ and Q → Q’ (in the single-process semantics) Trace Equiv. ∀ t ∈ Traces(P), ∃ t’ ∈ Traces(Q), t ~ t’ 13 24

  39. Formally: process pairing (M ATCH ) (P 1 | … | P n , Q 1 | … | Q n ) (P 1 ,Q σ (1) ), …, (P 1 , Q σ (n) ) σ permutation of {1,…,n} 훼 훼 훼 (E XEC ) (P,Q) (P’,Q’) if P → P’ and Q → Q’ (in the single-process semantics) Trace Equiv. ∀ t ∈ Traces(P), ∃ t’ ∈ Traces(Q), t ~ t’ Equiv. by session ∃ t 2 ∈ Traces(P,Q), snd(t 2 ) = t’ 13 24

  40. Optimisations

  41. For trace equivalence [CONCUR15] D. Baelde, S. Delaune, L. Hirschi. Partial-order reductions for security protocols 15 24

  42. For trace equivalence [CONCUR15] D. Baelde, S. Delaune, L. Hirschi. Partial-order reductions for security protocols ∀ t ∈ Traces(P), ∃ t’ ∈ Traces(Q), t ~ t’ 15 24

  43. For trace equivalence [CONCUR15] D. Baelde, S. Delaune, L. Hirschi. Partial-order reductions for security protocols ∀ t ∈ Traces(P), ∃ t’ ∈ Traces(Q), t ~ t’ reduce the number of traces to check? 15 24

  44. For trace equivalence [CONCUR15] D. Baelde, S. Delaune, L. Hirschi. Partial-order reductions for security protocols ∀ t ∈ Traces(P), ∃ t’ ∈ Traces(Q), t ~ t’ reduce the number of traces to check? Main theorem If P,Q are determinate, it is sufficient to consider traces up to permutation of adjacent independent actions. 15 24

  45. For trace equivalence [CONCUR15] D. Baelde, S. Delaune, L. Hirschi. Partial-order reductions for security protocols ∀ t ∈ Traces(P), ∃ t’ ∈ Traces(Q), t ~ t’ reduce the number of traces to check? Main theorem If P,Q are determinate, it is sufficient to consider traces up to permutation of adjacent independent actions. independent 15 24 Concurrent actions with no data flow

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Proving the Equivalence of Higher-Order Terms by Means of Supercompilation Ilya Klyuchnikov and

Proving the Equivalence of Higher-Order Terms by Means of Supercompilation Ilya Klyuchnikov and

Introduction Proving properties of programs Proving equality and equivalence Applications Summary Proving the Equivalence of Higher-Order Terms by Means of Supercompilation Ilya Klyuchnikov and Sergei Romanenko Keldysh Institute of Applied

588 views • 31 slides
Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs Birkbeck, University of London joint work with Cynthia Kop (U Copenhagen) and Naoki Nishida (U Nagoya) Workshop on Program Equivalence, London, UK 11

2.1k views • 197 slides
Proving Equivalence Between Imperative and MapReduce Implementations Using Program

Proving Equivalence Between Imperative and MapReduce Implementations Using Program

Proving Equivalence Between Imperative and MapReduce Implementations Using Program Transformations VPT 2018 Thessaloniki 20 April 2018 Bernhard Beckert, Timo Bingman, Moritz Kiefer, Peter Sanders, Mattias Ulbrich , Alexander Weigl www.kit.edu

968 views • 60 slides
Relational QPs Exploiting Symmetries for Modelling and Solving QPs Sriraam Amir Martin Babak

Relational QPs Exploiting Symmetries for Modelling and Solving QPs Sriraam Amir Martin Babak

Relational QPs Exploiting Symmetries for Modelling and Solving QPs Sriraam Amir Martin Babak Natarajan Globerson Mladenov Ahmadi U. Indiana HUJI TUD, Google PicoEgo Kristian Martin Pavel Christopher Grohe Tokmakov Kersting Re

820 views • 58 slides
Exploiting Symmetries of Lattice Polytopes Achill Schrmann (Universitt Rostock) ( with parts

Exploiting Symmetries of Lattice Polytopes Achill Schrmann (Universitt Rostock) ( with parts

Einstein Workshop on Lattice Polytopes Berlin, December 11th-15th, 2016 Exploiting Symmetries of Lattice Polytopes Achill Schrmann (Universitt Rostock) ( with parts based on work with David Bremner, Mathieu Dutour Sikiri , Erik

381 views • 27 slides
On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, L eo

On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, L eo

On CCZ-Equivalence, Extended-Affine Equivalence and Function Twisting Anne Canteaut, L eo Perrin June 3, 2019 Fq14, Vancouver Setting up the background Cryptographic properties Equivalence classes CCZ-equivalence Cryptographic

885 views • 63 slides
Regression Verification: Proving Partial Equivalence Talk by Dennis Felsing Seminar within the

Regression Verification: Proving Partial Equivalence Talk by Dennis Felsing Seminar within the

Regression Verification: Proving Partial Equivalence Talk by Dennis Felsing Seminar within the Projektgruppe Formale Methoden der Softwareentwicklung WS 2012/2013 1 / 24 Introduction Formal Verification Formally prove correctness of

457 views • 41 slides
Automated method in proving graph properties Kailiang Ji INRIA & Universit e Paris

Automated method in proving graph properties Kailiang Ji INRIA & Universit e Paris

Automated method in proving graph properties Kailiang Ji INRIA & Universit e Paris Diderot-Paris 7 October 31, 2013 Outline Background Expressions of graph properties Automated theorem proving Implementation Motivation

1.08k views • 65 slides
NFA/DFA: Closure Properties, Relation to Regular Languages Lecture 5 1 Today NFAs

NFA/DFA: Closure Properties, Relation to Regular Languages Lecture 5 1 Today NFAs

NFA/DFA: Closure Properties, Relation to Regular Languages Lecture 5 1 Today NFAs recap : Determinizing an NFA Closure Properties of class of languages accepted by NFAs/DFAs Towards proving equivalence of regular languages and

537 views • 25 slides
On proving liveness properties of programs Alexey Gotsman University of Cambridge joint work

On proving liveness properties of programs Alexey Gotsman University of Cambridge joint work

On proving liveness properties of programs Alexey Gotsman University of Cambridge joint work with Byron Cook, Andreas Podelski, and Andrey Rybalchenko BCTCS06, 6 April 2006 State-of-the-art Systems Model checking Abstraction Properties

484 views • 13 slides
Symmetries, graph properties, and quantum speedups Daochen Wang University of Maryland Joint

Symmetries, graph properties, and quantum speedups Daochen Wang University of Maryland Joint

Symmetries, graph properties, and quantum speedups Daochen Wang University of Maryland Joint work with Shalev Ben-David, Andrew M. Childs, Andr as Gily en, William Kretschmer, and Supartha Podder arXiv: 2006.12760 Microsoft Research

527 views • 29 slides
Nano-electronics Exploring and exploiting novel electronic properties of nanomaterials Professor

Nano-electronics Exploring and exploiting novel electronic properties of nanomaterials Professor

CBSSS 04 Nano-electronics Exploring and exploiting novel electronic properties of nanomaterials Professor Marc Bockrath Applied Physics, Caltech for computation Microelectronics The basis for present-day Circuitry patterned on micron

938 views • 47 slides
Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory

Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory

Proving Security Protocols 1 L. C. Paulson Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory University of Cambridge Proving Security Protocols 2 L. C. Paulson Cryptographic Protocol Analysis

389 views • 24 slides
Can Charlie distinguish Alice and Bob? Automated verification of equivalence properties Steve

Can Charlie distinguish Alice and Bob? Automated verification of equivalence properties Steve

Can Charlie distinguish Alice and Bob? Automated verification of equivalence properties Steve Kremer joint work with: Myrto Arapinis, David Baelde, Rohit Chadha, Vincent Cheval, S tefan Ciob ac a, V eronique Cortier, St ephanie

1.09k views • 87 slides
Symmetries: Symmetries Explain . . . Symmetries Explain . . . A General Approach to What Else

Symmetries: Symmetries Explain . . . Symmetries Explain . . . A General Approach to What Else

Symmetry: a . . . Basic Symmetries: . . . Basic Nonlinear . . . Symmetries: Symmetries Explain . . . Symmetries Explain . . . A General Approach to What Else We Do in . . . Integrated Uncertainty First Example: . . . Second Example: . . .

464 views • 29 slides
Proving Probabilistic Proving Probabilistic Properties of the I tai I tai Rodeh Rodeh

Proving Probabilistic Proving Probabilistic Properties of the I tai I tai Rodeh Rodeh

Proving Probabilistic Proving Probabilistic Properties of the I tai I tai Rodeh Rodeh Properties of the leader election protocol for leader election protocol for any Number of Processes any Number of Processes Douglas Graham Douglas

597 views • 40 slides
Testing Object Oriented Software Chapter 15 p Learning objectives Learning objectives

Testing Object Oriented Software Chapter 15 p Learning objectives Learning objectives

Testing Object Oriented Software Chapter 15 p Learning objectives Learning objectives Understand how obj ect orientation impacts Understand how obj ect orientation impacts software testing What characteristics matter? What

742 views • 62 slides
Can Neural Networks Learn Symbolic Rewriting? Bartosz Piotrowski, Chad Brown, Josef Urban and

Can Neural Networks Learn Symbolic Rewriting? Bartosz Piotrowski, Chad Brown, Josef Urban and

Can Neural Networks Learn Symbolic Rewriting? Bartosz Piotrowski, Chad Brown, Josef Urban and Cezary Kaliszyk 7 April 2019, Obergurgl Motivation Neural network architectures proved to be very successful in various tasks related to

485 views • 30 slides
gnucap and related work development status Felix Salfelder FOSDEM 2016 About gnucap GNU

gnucap and related work development status Felix Salfelder FOSDEM 2016 About gnucap GNU

gnucap and related work development status Felix Salfelder FOSDEM 2016 About gnucap GNU Circuit Analysis Package Quick History 1983. First traces (Albert Davis) 1990. ACS , Als Circuit Simulator 1992. GPL 2001.

791 views • 49 slides
Set 7: Predicate logic Chapter 8 R&N ICS 271 Fall 2017 Outline New ontology

Set 7: Predicate logic Chapter 8 R&N ICS 271 Fall 2017 Outline New ontology

Set 7: Predicate logic Chapter 8 R&N ICS 271 Fall 2017 Outline New ontology objects, relations, properties, functions New Syntax Constants, predicates, properties, functions New semantics meaning of new syntax

974 views • 46 slides
dialogue notations and design Dialogue Notations and Design Dialogue Notations

dialogue notations and design Dialogue Notations and Design Dialogue Notations

chapter 16 dialogue notations and design Dialogue Notations and Design Dialogue Notations Diagrammatic state transition networks, JSD diagrams, flow charts Textual formal grammars, production rules, CSP Dialogue

513 views • 18 slides
ART I F I CI AL I NT E L L I GE NCE -- the wa y ma c hine thinks Sta nle y L ia

ART I F I CI AL I NT E L L I GE NCE -- the wa y ma c hine thinks Sta nle y L ia

ART I F I CI AL I NT E L L I GE NCE -- the wa y ma c hine thinks Sta nle y L ia ng , PhD Ca ndida te , L a sso nde Sc ho o l o f E ng ine e ring , Yo rk Unive rsity He lix Sc ie nc e E ng a g e me nt Pro g ra ms 2018 2 AGE

635 views • 10 slides
Classical Combinatory Logic Karim Nour LAMA - Equipe de logique Universit e de Savoie 73376

Classical Combinatory Logic Karim Nour LAMA - Equipe de logique Universit e de Savoie 73376

Classical Combinatory Logic Karim Nour LAMA - Equipe de logique Universit e de Savoie 73376 Le Bourget du Lac France e-mail: nour@univ-savoie.fr and some helpful discussions with Ren e David 1 Content 1. (Ordinary) Combinatory Logic

257 views • 25 slides
Lecture 1: Combinatory Logic and Lambda Calculus H. Geuvers Radboud University Nijmegen, NL

Lecture 1: Combinatory Logic and Lambda Calculus H. Geuvers Radboud University Nijmegen, NL

Combinatory Logic Radboud University Lambda Calculus Lecture 1: Combinatory Logic and Lambda Calculus H. Geuvers Radboud University Nijmegen, NL 21st Estonian Winter School in Computer Science Winter 2016 H. Geuvers - Radboud Univ. EWSCS

525 views • 37 slides

More recommend