Union, Intersection, and Refinement Types and Reasoning about Type - - PowerPoint PPT Presentation

Union, Intersection, and Refinement Types and Reasoning about Type Disjointness for Security Protocol Analysis

Saarbrücken, 10 January 2011

Cătălin Hrițcu

• Prof. Dr. Holger Hermanns (UdS)
• Prof. Dr. Gert Smolka (UdS)
• Prof. Dr. Michael Backes (UdS+MPI-SWS)
• Prof. Dr. Andrew D. Gordon (MSRC+UoE)
• Dr. Matteo Maffei (UdS)
• Dr. Derek Dreyer (MPI-SWS)

Dean of Math and CS Faculty Chair of Examination Board Supervisor, Reporter, Examiner Reporter Reporter, Examiner Examiner

Expressive Types for Security Protocol Analysis

Saarbrücken, 10 January 2011

Cătălin Hrițcu

• Prof. Dr. Holger Hermanns (UdS)
• Prof. Dr. Gert Smolka (UdS)
• Prof. Dr. Michael Backes (UdS+MPI-SWS)
• Prof. Dr. Andrew D. Gordon (MSRC+UoE)
• Dr. Matteo Maffei (UdS)
• Dr. Derek Dreyer (MPI-SWS)

Dean of Math and CS Faculty Chair of Examination Board Supervisor, Reporter, Examiner Reporter Reporter, Examiner Examiner

Security protocols

sign("Meet@2pm", kA)

Security protocols

sign("Meet@2pm", kA) sign("Meet@2pm", kA)

Security protocols

sign(("Meet@2pm", Bob), kA)

Security protocols

• Security protocols are ubiquitous

sign(("Meet@2pm", Bob), kA)

Security protocols

• Security protocols are ubiquitous
• Designing security protocols very easy to get wrong
• long history of flaws in standards and deployed products
• bugs very hard to find manually
• might be too late to fix; update would “break the Internet”

sign(("Meet@2pm", Bob), kA) 1981 2009 NSL proposed 1995 SSL 2.0 broken NSL bug 1996 2000

MS-Passport bug PKINIT bug

2005

TLS bug Google Apps bug

2008

“Programming Satan’s Computer”

“our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment” [Anderson & Needham, 1995]

“Programming Satan’s Computer”

Attacker model: active attacker completely controls network

“our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment” [Anderson & Needham, 1995]

“Programming Satan’s Computer”

Attacker model: active attacker completely controls network

Extremely powerful attacker!

• can intercept and block all messages
• can decompose them (e.g. decrypt using known keys)
• can reassemble the parts in creative ways
• can send such messages to unsuspecting 3rd parties
• for any number of participants, sessions, ...

Extremely powerful attacker! ... even with perfect crypto

hash encryption signature

Symbolic abstraction of crypto

Extremely powerful attacker! ... even with perfect crypto

crypto primitives = fully reliable black-boxes (e.g. terms)

hash encryption signature

Symbolic abstraction of crypto

Extremely powerful attacker! ... even with perfect crypto

crypto primitives = fully reliable black-boxes (e.g. terms) we focus on incorrect usage of crypto building blocks in larger context

this abstraction helps automatic protocol analysis

Type-checking protocols

sign((m,Bob), kA) m = "Meet@2pm" : String

[Fournet, Gordon & Mafgeis, CSF 2007], [Bengtson et. al., CSF 2008]

Type-checking protocols

sign((m,Bob), kA) let y = in(net) in m = "Meet@2pm" : String

[Fournet, Gordon & Mafgeis, CSF 2007], [Bengtson et. al., CSF 2008]

Type-checking protocols

sign((m,Bob), kA) if check(y,vk(kA)) ⇓ (xm,xb) then let y = in(net) in m = "Meet@2pm" : String

[Fournet, Gordon & Mafgeis, CSF 2007], [Bengtson et. al., CSF 2008]

Type-checking protocols

sign((m,Bob), kA) if check(y,vk(kA)) ⇓ (xm,xb) then let y = in(net) in m = "Meet@2pm" : String if xb == Bob then

[Fournet, Gordon & Mafgeis, CSF 2007], [Bengtson et. al., CSF 2008]

Type-checking protocols

sign((m,Bob), kA) if check(y,vk(kA)) ⇓ (xm,xb) then let y = in(net) in m = "Meet@2pm" : String if xb == Bob then assert (AliceSends (xm,Bob))

[Fournet, Gordon & Mafgeis, CSF 2007], [Bengtson et. al., CSF 2008]

Type-checking protocols

sign((m,Bob), kA) if check(y,vk(kA)) ⇓ (xm,xb) then let y = in(net) in assume (AliceSends (m,Bob)) m = "Meet@2pm" : String if xb == Bob then assert (AliceSends (xm,Bob))

[Fournet, Gordon & Mafgeis, CSF 2007], [Bengtson et. al., CSF 2008]

Type-checking protocols

sign((m,Bob), kA) if check(y,vk(kA)) ⇓ (xm,xb) then let y = in(net) in assume (AliceSends (m,Bob)) m = "Meet@2pm" : String if xb == Bob then assert (AliceSends (xm,Bob))

[Fournet, Gordon & Mafgeis, CSF 2007], [Bengtson et. al., CSF 2008]

∀ ∀exec. assumes ⇒ asserts

Robust safety (informal)

Un-typed

Type-checking protocols

sign((m,Bob), kA) kA:SigKey(TA) if check(y,vk(kA)) ⇓ (xm,xb) then let y = in(net) in assume (AliceSends (m,Bob)) m = "Meet@2pm" : String if xb == Bob then assert (AliceSends (xm,Bob))

[Fournet, Gordon & Mafgeis, CSF 2007], [Bengtson et. al., CSF 2008]

∀ ∀exec. assumes ⇒ asserts

Robust safety (informal)

Un-typed

Type-checking protocols

sign((m,Bob), kA) kA:SigKey(TA) vk(kA) : VerKey(TA) if check(y,vk(kA)) ⇓ (xm,xb) then let y = in(net) in assume (AliceSends (m,Bob)) m = "Meet@2pm" : String if xb == Bob then assert (AliceSends (xm,Bob))

[Fournet, Gordon & Mafgeis, CSF 2007], [Bengtson et. al., CSF 2008]

∀ ∀exec. assumes ⇒ asserts

Robust safety (informal)

Un-typed

Type-checking protocols

sign((m,Bob), kA) kA:SigKey(TA) vk(kA) : VerKey(TA) TA = {x : String*Prin | AliceSends x} if check(y,vk(kA)) ⇓ (xm,xb) then let y = in(net) in assume (AliceSends (m,Bob)) m = "Meet@2pm" : String if xb == Bob then assert (AliceSends (xm,Bob))

[Fournet, Gordon & Mafgeis, CSF 2007], [Bengtson et. al., CSF 2008]

kA only signs pairs for which AliceSends holds

∀ ∀exec. assumes ⇒ asserts

Robust safety (informal)

Un-typed

Type-checking protocols

sign((m,Bob), kA) kA:SigKey(TA) vk(kA) : VerKey(TA) TA = {x : String*Prin | AliceSends x} if check(y,vk(kA)) ⇓ (xm,xb) then let y = in(net) in assume (AliceSends (m,Bob)) m = "Meet@2pm" : String if xb == Bob then assert (AliceSends (xm,Bob))

[Fournet, Gordon & Mafgeis, CSF 2007], [Bengtson et. al., CSF 2008]

kA secret & authentic kA only signs pairs for which AliceSends holds

∀ ∀exec. assumes ⇒ asserts

Robust safety (informal)

Un-typed

Type-checking protocols

sign((m,Bob), kA) kA:SigKey(TA) vk(kA) : VerKey(TA) TA = {x : String*Prin | AliceSends x} if check(y,vk(kA)) ⇓ (xm,xb) then let y = in(net) in assume (AliceSends (m,Bob)) m = "Meet@2pm" : String if xb == Bob then assert (AliceSends (xm,Bob))

[Fournet, Gordon & Mafgeis, CSF 2007], [Bengtson et. al., CSF 2008]

y : Un kA secret & authentic kA only signs pairs for which AliceSends holds

∀ ∀exec. assumes ⇒ asserts

Robust safety (informal)

Un-typed

Type-checking protocols

sign((m,Bob), kA) kA:SigKey(TA) vk(kA) : VerKey(TA) TA = {x : String*Prin | AliceSends x} if check(y,vk(kA)) ⇓ (xm,xb) then let y = in(net) in assume (AliceSends (m,Bob)) m = "Meet@2pm" : String if xb == Bob then assert (AliceSends (xm,Bob))

[Fournet, Gordon & Mafgeis, CSF 2007], [Bengtson et. al., CSF 2008]

y : Un kA secret & authentic vk(kA) authentic (also for Bob) kA only signs pairs for which AliceSends holds

∀ ∀exec. assumes ⇒ asserts

Robust safety (informal)

Un-typed

Type-checking protocols

sign((m,Bob), kA) kA:SigKey(TA) vk(kA) : VerKey(TA) TA = {x : String*Prin | AliceSends x} if check(y,vk(kA)) ⇓ (xm,xb) then let y = in(net) in assume (AliceSends (m,Bob)) m = "Meet@2pm" : String if xb == Bob then assert (AliceSends (xm,Bob))

[Fournet, Gordon & Mafgeis, CSF 2007], [Bengtson et. al., CSF 2008]

y : Un (xm,xb) : TA kA secret & authentic vk(kA) authentic (also for Bob) kA only signs pairs for which AliceSends holds

∀ ∀exec. assumes ⇒ asserts

Robust safety (informal)

Un-typed

Type-checking protocols

sign((m,Bob), kA) kA:SigKey(TA) vk(kA) : VerKey(TA) TA = {x : String*Prin | AliceSends x} if check(y,vk(kA)) ⇓ (xm,xb) then let y = in(net) in assume (AliceSends (m,Bob)) m = "Meet@2pm" : String if xb == Bob then assert (AliceSends (xm,Bob))

[Fournet, Gordon & Mafgeis, CSF 2007], [Bengtson et. al., CSF 2008]

y : Un (xm,xb) : TA {xb == Bob} kA secret & authentic vk(kA) authentic (also for Bob) kA only signs pairs for which AliceSends holds

∀ ∀exec. assumes ⇒ asserts

Robust safety (informal)

Un-typed

Type-checking protocols

sign((m,Bob), kA) kA:SigKey(TA) vk(kA) : VerKey(TA) TA = {x : String*Prin | AliceSends x} if check(y,vk(kA)) ⇓ (xm,xb) then let y = in(net) in assume (AliceSends (m,Bob)) m = "Meet@2pm" : String if xb == Bob then assert (AliceSends (xm,Bob))

[Fournet, Gordon & Mafgeis, CSF 2007], [Bengtson et. al., CSF 2008]

y : Un (xm,xb) : TA {xb == Bob}

✓

kA secret & authentic vk(kA) authentic (also for Bob) kA only signs pairs for which AliceSends holds

∀ ∀exec. assumes ⇒ asserts

Robust safety (informal)

Un-typed

Type-checking protocols

sign((m,Bob), kA) kA:SigKey(TA) vk(kA) : VerKey(TA) TA = {x : String*Prin | AliceSends x} if check(y,vk(kA)) ⇓ (xm,xb) then let y = in(net) in assume (AliceSends (m,Bob)) m = "Meet@2pm" : String if xb == Bob then assert (AliceSends (xm,Bob))

[Fournet, Gordon & Mafgeis, CSF 2007], [Bengtson et. al., CSF 2008]

y : Un (xm,xb) : TA {xb == Bob}

✓

kA secret & authentic vk(kA) authentic (also for Bob) kA only signs pairs for which AliceSends holds

Intuituion:

strong type of kA allows us to “transfer” AliceSends predicate from Alice to Bob

Advantages of type systems for protocol analysis

• modular → efficient and scalable analysis
• incremental (type-check while writing the code)
• robust to changes
• useful error messages (pinpoints location in the code)
• both for protocol models (π) & implementations (λ)
• unbounded # of executions by sound approximation

Inherent / incidental limitations

• User often needs to write some type annotations
• we require the same (π, inference) or more annotations (λ)
• Precise protocol analysis requires sophisticated types
• we use even more expressive types
• Restricted to simple crypto primitives (enc, sign, hash)
• no existing type system could handle zero-knowledge proofs
• the only previous symbolic analysis for ZK used ProVerif

[Backes, Maffei & Unruh, S&P 2008]

Inherent / incidental limitations

• User often needs to write some type annotations
• we require the same (π, inference) or more annotations (λ)
• Precise protocol analysis requires sophisticated types
• we use even more expressive types
• Restricted to simple crypto primitives (enc, sign, hash)
• no existing type system could handle zero-knowledge proofs
• the only previous symbolic analysis for ZK used ProVerif

[Backes, Maffei & Unruh, S&P 2008]

• the first type systems that can handle ZK (π + λ)

Inherent / incidental limitations

• User often needs to write some type annotations
• we require the same (π, inference) or more annotations (λ)
• Precise protocol analysis requires sophisticated types
• we use even more expressive types
• Restricted to simple crypto primitives (enc, sign, hash)
• no existing type system could handle zero-knowledge proofs
• the only previous symbolic analysis for ZK used ProVerif

[Backes, Maffei & Unruh, S&P 2008]

• the first type systems that can handle ZK (π + λ)

Inherent / incidental limitations

• User often needs to write some type annotations
• we require the same (π, inference) or more annotations (λ)
• Precise protocol analysis requires sophisticated types
• we use even more expressive types
• Restricted to simple crypto primitives (enc, sign, hash)
• no existing type system could handle zero-knowledge proofs
• the only previous symbolic analysis for ZK used ProVerif

[Backes, Maffei & Unruh, S&P 2008]

• the first type systems that can handle ZK (π + λ)
• we use even more expressive types

Inherent / incidental limitations

• User often needs to write some type annotations
• we require the same (π, inference) or more annotations (λ)
• Precise protocol analysis requires sophisticated types
• we use even more expressive types
• Restricted to simple crypto primitives (enc, sign, hash)
• no existing type system could handle zero-knowledge proofs
• the only previous symbolic analysis for ZK used ProVerif

[Backes, Maffei & Unruh, S&P 2008]

• the first type systems that can handle ZK (π + λ)
• we require the same (π, inference) or more annotations (λ)
• we use even more expressive types

13 emerging applications of zero-knowledge proofs

anonymous authentication security despite compromise electronic voting anonymous credentials

privacy-aware digital identity management

e-cash electronic auctions

anonymous trust and reputation

decentralized social networks

risk assurance for hedge funds anonymous electronic ticketing for public transportation

biometric authentication privacy-friendly smart metering

Achieving seemingly conflicting security requirements with ZK

electronic voting

➔ +

verifiability vote privacy

+ ➔

digital credentials protecting personal information privacy-enabled identity systems

“proving you are over 18 without revealing your age”

Zero-knowledge (symbolically)

• Non-interactive zero-knowledge proofs
• very powerful crypto primitives
• show validity of a statement without revealing the witnesses

Zero-knowledge (symbolically)

• Non-interactive zero-knowledge proofs
• very powerful crypto primitives
• show validity of a statement without revealing the witnesses

Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

Zero-knowledge (symbolically)

• Non-interactive zero-knowledge proofs
• very powerful crypto primitives
• show validity of a statement without revealing the witnesses

Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

sign((A,29),ki) Prover

Zero-knowledge (symbolically)

• Non-interactive zero-knowledge proofs
• very powerful crypto primitives
• show validity of a statement without revealing the witnesses

zkSage(29, sign((A,29),ki); A, vk(ki))

Verifier

Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

sign((A,29),ki) Prover

Zero-knowledge (symbolically)

• Non-interactive zero-knowledge proofs
• very powerful crypto primitives
• show validity of a statement without revealing the witnesses

zkSage(29, sign((A,29),ki); A, vk(ki))

Verifier

Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

sign((A,29),ki) Prover

Zero-knowledge (symbolically)

• Non-interactive zero-knowledge proofs
• very powerful crypto primitives
• show validity of a statement without revealing the witnesses

zkSage(29, sign((A,29),ki); A, vk(ki)) check(sign((A,29),ki), vk(ki)) ⇓ (A,29) ∧ 29≥18

Verifier

Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

sign((A,29),ki) Prover

Zero-knowledge (symbolically)

• Non-interactive zero-knowledge proofs
• very powerful crypto primitives
• show validity of a statement without revealing the witnesses

zkSage(29, sign((A,29),ki); A, vk(ki)) check(sign((A,29),ki), vk(ki)) ⇓ (A,29) ∧ 29≥18

Verifier

✓

Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

sign((A,29),ki) Prover

Zero-knowledge (symbolically)

• Non-interactive zero-knowledge proofs
• very powerful crypto primitives
• show validity of a statement without revealing the witnesses

zkSage(29, sign((A,29),ki); A, vk(ki)) check(sign((A,29),ki), vk(ki)) ⇓ (A,29) ∧ 29≥18

Verifier

✓

• verifier finds out whether the proof is valid or not,

and the public arguments

A vk(ki)

Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

sign((A,29),ki) Prover

Zero-knowledge (symbolically)

• Non-interactive zero-knowledge proofs
• very powerful crypto primitives
• show validity of a statement without revealing the witnesses

zkSage(29, sign((A,29),ki); A, vk(ki)) check(sign((A,29),ki), vk(ki)) ⇓ (A,29) ∧ 29≥18

Verifier

✓

• verifier finds out whether the proof is valid or not,

and the public arguments

A vk(ki)

(zero-knowledge) no other information is revealed about the witnesses (soundness) cannot produce wrong proof that passes verification

Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

sign((A,29),ki) Prover

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private cert = sign((A,age),ki)

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in cert = sign((A,age),ki)

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki)

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private assume ProverSends(A,age) if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki)

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private assume ProverSends(A,age)

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki)

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private assume ProverSends(A,age)

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) assume IssueId(A,age)

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private assume ProverSends(A,age)

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) ki : SigKey(Tki) assume IssueId(A,age)

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private assume ProverSends(A,age)

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} ki : SigKey(Tki) assume IssueId(A,age)

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private assume ProverSends(A,age)

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} ki : SigKey(Tki) assume IssueId(A,age) Type-checker initially knows: yvki = vk(ki) vk(ki) : VerKey(Tki) xage≥18 check(xcert, yvki) ⇓ (yname,xage)

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private assume ProverSends(A,age)

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} ki : SigKey(Tki) assume IssueId(A,age) Type-checker initially knows: yvki = vk(ki) vk(ki) : VerKey(Tki) xage≥18 check(xcert, yvki) ⇓ (yname,xage) Type-checker infers: (yname,xage) : Tki same as xage : Private and IssueId(yname,xage)

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private assume ProverSends(A,age)

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} ki : SigKey(Tki) assume IssueId(A,age) Type-checker initially knows: yvki = vk(ki) vk(ki) : VerKey(Tki) xage≥18 check(xcert, yvki) ⇓ (yname,xage) Type-checker infers: (yname,xage) : Tki same as xage : Private and IssueId(yname,xage)

✖

Not enough to justify assert!

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private assume ProverSends(A,age)

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} ki : SigKey(Tki) assume IssueId(A,age) Type-checker initially knows: yvki = vk(ki) vk(ki) : VerKey(Tki) xage≥18 check(xcert, yvki) ⇓ (yname,xage) Type-checker infers: (yname,xage) : Tki same as xage : Private and IssueId(yname,xage)

✖

Not enough to justify assert! zkSage(age, cert’; A, vk(ki))

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private assume ProverSends(A,age)

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} ki : SigKey(Tki) assume IssueId(A,age) Type-checker initially knows: yvki = vk(ki) vk(ki) : VerKey(Tki) xage≥18 check(xcert, yvki) ⇓ (yname,xage) Type-checker infers: (yname,xage) : Tki same as xage : Private and IssueId(yname,xage)

✖

Not enough to justify assert! zkSage(age, cert’; A, vk(ki)) If proof created by attacker: xage : Un xcert : Un yname : Un yvki : Un ∧ VerKey(Tki)

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private assume ProverSends(A,age)

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} Type-checker initially knows: yvki = vk(ki) vk(ki) : VerKey(Tki) xage≥18 check(xcert, yvki) ⇓ (yname,xage) Type-checker infers: (yname,xage) : Tki same as xage : Private and IssueId(yname,xage)

✖

Not enough to justify assert! If proof created by attacker: xage : Un xcert : Un yname : Un yvki : Un ∧ VerKey(Tki) It can’t be that xage : Private and xage : Un since Private and Un are disjoint types; so the proof was’n created by attacker

✖

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private assume ProverSends(A,age)

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} Type-checker initially knows: yvki = vk(ki) vk(ki) : VerKey(Tki) xage≥18 check(xcert, yvki) ⇓ (yname,xage) Type-checker infers: (yname,xage) : Tki same as xage : Private and IssueId(yname,xage)

✖

Not enough to justify assert! It can’t be that xage : Private and xage : Un since Private and Un are disjoint types; so the proof was’n created by attacker The proof was created by honest participant (ie. type-checked), so we just need to impose more restrictions on ZK proof creation

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private assume ProverSends(A,age)

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} Type-checker infers: (yname,xage) : Tki same as xage : Private and IssueId(yname,xage)

✖

Not enough to justify assert! The proof was created by honest participant (ie. type-checked), so we just need to impose more restrictions on ZK proof creation TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) Type associated to ZK statement

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private assume ProverSends(A,age)

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} Type-checker infers: (yname,xage) : Tki same as xage : Private and IssueId(yname,xage)

✖

Not enough to justify assert! The proof was created by honest participant (ie. type-checked), so we just need to impose more restrictions on ZK proof creation TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) Check this formula whenever honest participant creates ZK proof Type associated to ZK statement

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private assume ProverSends(A,age)

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} Type-checker infers: (yname,xage) : Tki same as xage : Private and IssueId(yname,xage)

✖

Not enough to justify assert! The proof was created by honest participant (ie. type-checked), so we just need to impose more restrictions on ZK proof creation TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) Check this formula whenever honest participant creates ZK proof Type associated to ZK statement

✓

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private assume ProverSends(A,age)

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} Type-checker infers: (yname,xage) : Tki same as xage : Private and IssueId(yname,xage) The proof was created by honest participant (ie. type-checked), so we just need to impose more restrictions on ZK proof creation TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) Check this formula whenever honest participant creates ZK proof Type associated to ZK statement

✓

Assume (existentially quantified) formula if verification succeeds

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private assume ProverSends(A,age)

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} Type-checker infers: (yname,xage) : Tki same as xage : Private and IssueId(yname,xage) The proof was created by honest participant (ie. type-checked), so we just need to impose more restrictions on ZK proof creation TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) Check this formula whenever honest participant creates ZK proof Type associated to ZK statement

✓

Assume (existentially quantified) formula if verification succeeds

✓

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} ki : SigKey(Tki) TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) assume ProverSends(A,age)

zkSage(age, cert; A, vk(ki)) Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} ki : SigKey(Tki) TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) assume ProverSends(A,age)

Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} ki : SigKey(Tki) TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) age cert

Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18 age = 29 : Private

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} ki : SigKey(Tki) TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) age cert This needs to change

Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) Tki={x : Un*Private | IssueId x} ki : SigKey(Tki) TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) age cert

assume (Comp(A))

PrivateUnless(A) = {Private | ¬Comp(A)} ∨ {Un | Comp(A)} This needs to change age = 29 : PrivateUnless(A)

Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) ki : SigKey(Tki) TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) age cert

assume (Comp(A))

PrivateUnless(A) = {Private | ¬Comp(A)} ∨ {Un | Comp(A)} Tki={x : (xname : Un * PrivateUnless(xname)) | IssueId x} Snowball effect This needs to change age = 29 : PrivateUnless(A)

Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) ki : SigKey(Tki) zkSage(age, cert; A, vk(ki)) TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) age cert

assume (Comp(A))

PrivateUnless(A) = {Private | ¬Comp(A)} ∨ {Un | Comp(A)} Tki={x : (xname : Un * PrivateUnless(xname)) | IssueId x} Snowball effect This needs to change age = 29 : PrivateUnless(A)

Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) ki : SigKey(Tki) zkSage(age, cert; A, vk(ki)) TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) age cert

assume (Comp(A))

PrivateUnless(A) = {Private | ¬Comp(A)} ∨ {Un | Comp(A)} Tki={x : (xname : Un * PrivateUnless(xname)) | IssueId x} Snowball effect This needs to change age = 29 : PrivateUnless(A)

✖

Failed assert - no ProverSends...

Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) ki : SigKey(Tki) zkSage(age, cert; A, vk(ki)) TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) age cert

assume (Comp(A))

PrivateUnless(A) = {Private | ¬Comp(A)} ∨ {Un | Comp(A)} Tki={x : (xname : Un * PrivateUnless(xname)) | IssueId x} Snowball effect This needs to change age = 29 : PrivateUnless(A)

✖

Failed assert - no ProverSends... Attacker following protocol (not real attack)

Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) ki : SigKey(Tki) zkSage(age, cert; A, vk(ki)) TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) age cert

assume (Comp(yname) ⇒ ∀xage. ProverSends(yname,xage)) assume (Comp(A))

PrivateUnless(A) = {Private | ¬Comp(A)} ∨ {Un | Comp(A)} Tki={x : (xname : Un * PrivateUnless(xname)) | IssueId x} age = 29 : PrivateUnless(A)

✖

Failed assert - no ProverSends... Attacker following protocol (not real attack) weaken policy

Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) ki : SigKey(Tki) TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) age cert

assume (Comp(yname) ⇒ ∀xage. ProverSends(yname,xage)) assume (Comp(A))

PrivateUnless(A) = {Private | ¬Comp(A)} ∨ {Un | Comp(A)} Tki={x : (xname : Un * PrivateUnless(xname)) | IssueId x} age = 29 : PrivateUnless(A) weaken policy Inferred types conditioned by other types not being compromised xage : {|fkind(Tki, tnt)|} ∨ {xage:PrivateUnless(A) | IssueId(yname,xage)}

Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) ki : SigKey(Tki) TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) age cert

assume (Comp(yname) ⇒ ∀xage. ProverSends(yname,xage)) assume (Comp(A))

PrivateUnless(A) = {Private | ¬Comp(A)} ∨ {Un | Comp(A)} Tki={x : (xname : Un * PrivateUnless(xname)) | IssueId x} age = 29 : PrivateUnless(A) weaken policy Inferred types conditioned by other types not being compromised xage : {|fkind(Tki, tnt)|} ∨ {xage:PrivateUnless(A) | IssueId(yname,xage)} false because of IssueId (issuer is not compromised)

Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) ki : SigKey(Tki) TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...) age cert

assume (Comp(yname) ⇒ ∀xage. ProverSends(yname,xage)) assume (Comp(A))

PrivateUnless(A) = {Private | ¬Comp(A)} ∨ {Un | Comp(A)} Tki={x : (xname : Un * PrivateUnless(xname)) | IssueId x} age = 29 : PrivateUnless(A) weaken policy Inferred types conditioned by other types not being compromised xage : {|fkind(Tki, tnt)|} ∨ {xage:PrivateUnless(A) | IssueId(yname,xage)} false because of IssueId (issuer is not compromised) case analysis on Comp(A)

Verifier Sage = witness xage, xcert public yname,yvki, in check(xcert, yvki) ⇓ (yname,xage) ∧ xage≥18

assume (∀yname,xage. ProverSends(yname,xage) ∧ IssueId(yname,xage)∧ xage≥18 ⇒ Accept(xname))

if verSage(z, =vk(ki)) ⇓ yname then let z = in(net) in assert (Accept (yname)) cert = sign((A,age),ki) ki : SigKey(Tki) TSage=ZKProof(... ∃xage,xcert. ProverSends(yname,xage)...)

✓

age cert

assume (Comp(yname) ⇒ ∀xage. ProverSends(yname,xage)) assume (Comp(A))

PrivateUnless(A) = {Private | ¬Comp(A)} ∨ {Un | Comp(A)} Tki={x : (xname : Un * PrivateUnless(xname)) | IssueId x} age = 29 : PrivateUnless(A) weaken policy Inferred types conditioned by other types not being compromised xage : {|fkind(Tki, tnt)|} ∨ {xage:PrivateUnless(A) | IssueId(yname,xage)} false because of IssueId (issuer is not compromised) case analysis on Comp(A)

Protocol robustly safe even when A compromised

Reasoning about Type Disjointness

• Syntactically derive type disjointness information

New!

Reasoning about Type Disjointness

• Syntactically derive type disjointness information

New!

tree α = µβ. α + α ∗ β ∗ β

Reasoning about Type Disjointness

• Syntactically derive type disjointness information

New!

tree α = µβ. α + α ∗ β ∗ β

Private # Un Private # Un Private ∗ tree Private ∗ tree Private # Un ∗ tree Un ∗ tree Un Private + Private ∗ tree Private ∗ tree Private # Un + Un ∗ tree Un ∗ tree Un µβ. Private + Private ∗ β ∗ β # µβ. Un + Un ∗ β ∗ β tree Private # Un

Reasoning about Type Disjointness

• Syntactically derive type disjointness information

New!

E ⊢ T1 T2 F

• More powerful non-disjointness judgement

If T1 overlaps with T2 then formula F holds

tree α = µβ. α + α ∗ β ∗ β

Private # Un Private # Un Private ∗ tree Private ∗ tree Private # Un ∗ tree Un ∗ tree Un Private + Private ∗ tree Private ∗ tree Private # Un + Un ∗ tree Un ∗ tree Un µβ. Private + Private ∗ β ∗ β # µβ. Un + Un ∗ β ∗ β tree Private # Un

Reasoning about Type Disjointness

• Syntactically derive type disjointness information

New!

E ⊢ T1 T2 F

• More powerful non-disjointness judgement

If T1 overlaps with T2 then formula F holds

T1#T2 ⊢ T1 T2 false

Disjointness encoded

tree α = µβ. α + α ∗ β ∗ β

Private # Un Private # Un Private ∗ tree Private ∗ tree Private # Un ∗ tree Un ∗ tree Un Private + Private ∗ tree Private ∗ tree Private # Un + Un ∗ tree Un ∗ tree Un µβ. Private + Private ∗ β ∗ β # µβ. Un + Un ∗ β ∗ β tree Private # Un

Reasoning about Type Disjointness

• Syntactically derive type disjointness information

New!

E ⊢ T1 T2 F

• More powerful non-disjointness judgement

If T1 overlaps with T2 then formula F holds

T1#T2 ⊢ T1 T2 false

Disjointness encoded Our base case is security-specific (⊢ PrivateUnlessF Un F) but the inductive cases are not.

tree α = µβ. α + α ∗ β ∗ β

Private # Un Private # Un Private ∗ tree Private ∗ tree Private # Un ∗ tree Un ∗ tree Un Private + Private ∗ tree Private ∗ tree Private # Un + Un ∗ tree Un ∗ tree Un µβ. Private + Private ∗ β ∗ β # µβ. Un + Un ∗ β ∗ β tree Private # Un

Models (π) Implementations (λ)

Models (π) Implementations (λ)

spi calculus variant concurrent λ-calculus (RCF); ML core

Models (π) Implementations (λ)

spi calculus variant concurrent λ-calculus (RCF); ML core encryption, signatures, hashes, blind signatur hashes, blind signatures, zero-knowledge

Models (π) Implementations (λ)

spi calculus variant concurrent λ-calculus (RCF); ML core encryption, signatures, hashes, blind signatur hashes, blind signatures, zero-knowledge constructors and destructors crypto encoded using dynamic sealing

Models (π) Implementations (λ)

spi calculus variant concurrent λ-calculus (RCF); ML core encryption, signatures, hashes, blind signatur hashes, blind signatures, zero-knowledge constructors and destructors crypto encoded using dynamic sealing union (∨), intersection (∧), refinement {x : efinement {x : T | C}, dependent pair (Σ) types

Models (π) Implementations (λ)

spi calculus variant concurrent λ-calculus (RCF); ML core encryption, signatures, hashes, blind signatur hashes, blind signatures, zero-knowledge constructors and destructors crypto encoded using dynamic sealing union (∨), intersection (∧), refinement {x : efinement {x : T | C}, dependent pair (Σ) types + lots of crypto-specific types + dependent function (Π), sum (+), iso- recursive (μ), polymorphic (∀) types

Models (π) Implementations (λ)

spi calculus variant concurrent λ-calculus (RCF); ML core encryption, signatures, hashes, blind signatur hashes, blind signatures, zero-knowledge constructors and destructors crypto encoded using dynamic sealing union (∨), intersection (∧), refinement {x : efinement {x : T | C}, dependent pair (Σ) types + lots of crypto-specific types + dependent function (Π), sum (+), iso- recursive (μ), polymorphic (∀) types first-order authorization logic der authorization logic

Models (π) Implementations (λ)

spi calculus variant concurrent λ-calculus (RCF); ML core encryption, signatures, hashes, blind signatur hashes, blind signatures, zero-knowledge constructors and destructors crypto encoded using dynamic sealing union (∨), intersection (∧), refinement {x : efinement {x : T | C}, dependent pair (Σ) types + lots of crypto-specific types + dependent function (Π), sum (+), iso- recursive (μ), polymorphic (∀) types first-order authorization logic der authorization logic reasoning about type disjointness (#) easoning about type disjointness (#)

Models (π) Implementations (λ)

spi calculus variant concurrent λ-calculus (RCF); ML core encryption, signatures, hashes, blind signatur hashes, blind signatures, zero-knowledge constructors and destructors crypto encoded using dynamic sealing union (∨), intersection (∧), refinement {x : efinement {x : T | C}, dependent pair (Σ) types + lots of crypto-specific types + dependent function (Π), sum (+), iso- recursive (μ), polymorphic (∀) types first-order authorization logic der authorization logic reasoning about type disjointness (#) easoning about type disjointness (#) logical kinding&subtyping (novel) inductive kinding&subtyping (standard)

Models (π) Implementations (λ)

spi calculus variant concurrent λ-calculus (RCF); ML core encryption, signatures, hashes, blind signatur hashes, blind signatures, zero-knowledge constructors and destructors crypto encoded using dynamic sealing union (∨), intersection (∧), refinement {x : efinement {x : T | C}, dependent pair (Σ) types + lots of crypto-specific types + dependent function (Π), sum (+), iso- recursive (μ), polymorphic (∀) types first-order authorization logic der authorization logic reasoning about type disjointness (#) easoning about type disjointness (#) logical kinding&subtyping (novel) inductive kinding&subtyping (standard) statement-based inference for ZK code generation from ZK statement

Models (π) Implementations (λ)

spi calculus variant concurrent λ-calculus (RCF); ML core encryption, signatures, hashes, blind signatur hashes, blind signatures, zero-knowledge constructors and destructors crypto encoded using dynamic sealing union (∨), intersection (∧), refinement {x : efinement {x : T | C}, dependent pair (Σ) types + lots of crypto-specific types + dependent function (Π), sum (+), iso- recursive (μ), polymorphic (∀) types first-order authorization logic der authorization logic reasoning about type disjointness (#) easoning about type disjointness (#) logical kinding&subtyping (novel) inductive kinding&subtyping (standard) statement-based inference for ZK code generation from ZK statement type-checker is extensible, proof is not extending type system requires no proof

Formalization and Proofs

• Formalized definitions in Coq + “partial formal proofs”

(π) 17kLOC (2.9kLOC of definitions -- 250 rules) (λ) 14kLOC (1.5kLOC of definitions -- 135 rules)

• Found and fixed bugs in our previous definitions and in

published “convincing paper proofs”

Coq + Ott + LNGen

no proofs convincing paper proofs

axiom-free formal proofs

vigorous handwaving partial formal proofs

Formalization and Proofs

• Formalized definitions in Coq + “partial formal proofs”

(π) 17kLOC (2.9kLOC of definitions -- 250 rules) (λ) 14kLOC (1.5kLOC of definitions -- 135 rules)

• Found and fixed bugs in our previous definitions and in

published “convincing paper proofs”

• Shortly before Christmas Matteo found a bug in

weakening for statement-based inference (π)

• fix required significant change to subtyping

(inductive+logical → just logical)

• still working on updating all the proofs

(will finish that for final version of thesis)

Coq + Ott + LNGen

no proofs convincing paper proofs

axiom-free formal proofs

vigorous handwaving partial formal proofs

Type-checkers

• Implemented the 2 type systems (π+λ)
• Kudos to Stefan Lorenz, Kim Pecina, and Thorsten Tarrach
• 5kLOC of Ocaml (π) + 5kLOC of F# (λ)
• Proof obligations discharged using SMT (Z3)
• r FOL prover (SPASS, eprover, or Vampire)
• Available under Apache License

(π) http://www.infsec.cs.uni-saarland.de/projects/zk-typechecker/ (λ) http://www.infsec.cs.uni-saarland.de/projects/F5/

Experiments

(π) DAA protocol - 100LOC in ~3s (π) achieving security despite compromise - 120LOC in ~3s (λ) symbolic libraries & samples - 1500LOC in ~12s + Independent experiments by internal users:

(π) Thorsten Tarrach - Spi2RCF prototype (π) Esfandiar Mohammadi et. al. - SMPC, auction protocol (λ) Fabienne Eigner - Civitas e-voting protocol (λ) Matteo Maffei & Kim Pecina - privacy-aware proof-carrying authorization

Contributions of thesis

• More expressive type systems for security protocols
• union (∨) + intersection (∧) + refinement {x : T | C} types
• static reasoning about type disjointness (#)
• and more: statement-based inference (π), logical subtyping

(π), more precise typing for asymmetric crypto (π+λ), etc.

• Main application:
• analyzing protocols based on NIZK proofs
• even when some participants are compromised (^^)
• Both for protocol models (π) & implementations (λ)
• Formalized, proved, implemented, experimented

Thank you

Backup slides

anonymous authentication security despite compromise electronic voting anonymous credentials

digital identity management

e-cash electronic auctions

anonymous trust and reputation

decentralized social networks

risk assurance for hedge funds anonymous electronic ticketing for public transportation

biometric authentication privacy-friendly smart metering

13 emerging applications of zero-knowledge proofs

Future Work

• Finish fixing Coq proofs for π (by final version)
• Type disjointness reasoning in other contexts ... Coq?
• Semantic subtyping for RCF; is it possible? λ + {x:T|C}
• Semantic model for RCF
• Observational equivalence in RCF (logical relations,

bisimulations, etc.) - strong secrecy

• Type inference for RCF (∨ and ∧ types should help)
• Automating intuitionistic FO authorization logic with “says”
• Automatically generating concrete cryptographic

implementations from abstract ZK statements