Formal Methods and Cryptography

121
Formal Methods and Cryptography Lecture 24 1

Transcript of Formal Methods and Cryptography

Page 1: Formal Methods and Cryptography

Formal Methods and Cryptography

Lecture 24

1

Page 2: Formal Methods and Cryptography

Formal Methods

2

Page 3: Formal Methods and Cryptography

Formal MethodsLogical foundations of computer science

2

Page 4: Formal Methods and Cryptography

Formal MethodsLogical foundations of computer science

A language that “machines can understand”

2

Page 5: Formal Methods and Cryptography

Formal MethodsLogical foundations of computer science

A language that “machines can understand”

To specify a computational procedure fully formally

2

Page 6: Formal Methods and Cryptography

Formal MethodsLogical foundations of computer science

A language that “machines can understand”

To specify a computational procedure fully formally

Don’t always need a computer: language abstracts away details not relevant to properties sought

2

Page 7: Formal Methods and Cryptography

Formal MethodsLogical foundations of computer science

A language that “machines can understand”

To specify a computational procedure fully formally

Don’t always need a computer: language abstracts away details not relevant to properties sought

Widely applied in practice

2

Page 8: Formal Methods and Cryptography

Formal MethodsLogical foundations of computer science

A language that “machines can understand”

To specify a computational procedure fully formally

Don’t always need a computer: language abstracts away details not relevant to properties sought

Widely applied in practice

Ensures that the procedures designed/analyzed and those implemented are the same

2

Page 9: Formal Methods and Cryptography

Formal MethodsLogical foundations of computer science

A language that “machines can understand”

To specify a computational procedure fully formally

Don’t always need a computer: language abstracts away details not relevant to properties sought

Widely applied in practice

Ensures that the procedures designed/analyzed and those implemented are the same

Can automate analysis of the designed procedures

2

Page 10: Formal Methods and Cryptography

Formal Methods in Cryptography

3

Page 11: Formal Methods and Cryptography

Formal Methods in Cryptography

Motivation: security bugs even in simple protocols, if system is under-specified; exhaustive analysis by hand is error-prone

3

Page 12: Formal Methods and Cryptography

Formal Methods in Cryptography

Motivation: security bugs even in simple protocols, if system is under-specified; exhaustive analysis by hand is error-proneA language to unambiguously specify cryptographic protocols and the whole system (in terms of basic building blocks)

3

Page 13: Formal Methods and Cryptography

Formal Methods in Cryptography

Motivation: security bugs even in simple protocols, if system is under-specified; exhaustive analysis by hand is error-proneA language to unambiguously specify cryptographic protocols and the whole system (in terms of basic building blocks)Automated analysis

3

Page 14: Formal Methods and Cryptography

Formal Methods in Cryptography

Motivation: security bugs even in simple protocols, if system is under-specified; exhaustive analysis by hand is error-proneA language to unambiguously specify cryptographic protocols and the whole system (in terms of basic building blocks)Automated analysis

Security definitions for various tasks are (were) often a list of intuitive high-level properties that must hold in adversarial environments

3

Page 15: Formal Methods and Cryptography

Formal Methods in Cryptography

Motivation: security bugs even in simple protocols, if system is under-specified; exhaustive analysis by hand is error-proneA language to unambiguously specify cryptographic protocols and the whole system (in terms of basic building blocks)Automated analysis

Security definitions for various tasks are (were) often a list of intuitive high-level properties that must hold in adversarial environmentsFormal methods Goal: to be able to analyze any given protocol and see if it satisfies these properties

3

Page 16: Formal Methods and Cryptography

Formal Methods in Cryptography

Motivation: security bugs even in simple protocols, if system is under-specified; exhaustive analysis by hand is error-proneA language to unambiguously specify cryptographic protocols and the whole system (in terms of basic building blocks)Automated analysis

Security definitions for various tasks are (were) often a list of intuitive high-level properties that must hold in adversarial environmentsFormal methods Goal: to be able to analyze any given protocol and see if it satisfies these properties

As opposed to finding one protocol (by hand) that satisfies the properties

3

Page 17: Formal Methods and Cryptography

Formal Methods in Cryptography

4

Page 18: Formal Methods and Cryptography

Formal Methods in Cryptography

Outline:

4

Page 19: Formal Methods and Cryptography

Formal Methods in Cryptography

Outline:

Develop a formal language for modeling the entire system (protocol, adversary, environment) and its evolution

4

Page 20: Formal Methods and Cryptography

Formal Methods in Cryptography

Outline:

Develop a formal language for modeling the entire system (protocol, adversary, environment) and its evolution

Use abstractions of cryptographic primitives like encryption

4

Page 21: Formal Methods and Cryptography

Formal Methods in Cryptography

Outline:

Develop a formal language for modeling the entire system (protocol, adversary, environment) and its evolution

Use abstractions of cryptographic primitives like encryption

Define security properties in this language

4

Page 22: Formal Methods and Cryptography

Formal Methods in Cryptography

Outline:

Develop a formal language for modeling the entire system (protocol, adversary, environment) and its evolution

Use abstractions of cryptographic primitives like encryption

Define security properties in this language

Given any concrete protocol, map it to the formal language, and use standard formal method tools to automatically analyze it for the security properties

4

Page 23: Formal Methods and Cryptography

Formal Methods in Cryptography

Outline:

Develop a formal language for modeling the entire system (protocol, adversary, environment) and its evolution

Use abstractions of cryptographic primitives like encryption

Define security properties in this language

Given any concrete protocol, map it to the formal language, and use standard formal method tools to automatically analyze it for the security properties

Ensure that security/insecurity in the formal model has useful implications in a more realistic model

4

Page 24: Formal Methods and Cryptography

Modeling

5

Page 25: Formal Methods and Cryptography

ModelingTypically, adversary controls the network

5

Page 26: Formal Methods and Cryptography

ModelingTypically, adversary controls the networkA “process algebra” or a logic framework to describe what can happen in the system

5

Page 27: Formal Methods and Cryptography

ModelingTypically, adversary controls the networkA “process algebra” or a logic framework to describe what can happen in the system

Dolev-Yao algebra: Parties can use keys to “encrypt” messages to get opaque symbols that can be operated on only if key is also provided. Deterministic encryption.

5

Page 28: Formal Methods and Cryptography

ModelingTypically, adversary controls the networkA “process algebra” or a logic framework to describe what can happen in the system

Dolev-Yao algebra: Parties can use keys to “encrypt” messages to get opaque symbols that can be operated on only if key is also provided. Deterministic encryption.BAN logic [Burrows-Abadi-Needham]: principals (parties) can “say” or “see” messages, and “believe” statements like “A said M” or “A believes B said M”. Includes a notion of shared keys and public/private keys used for “encryption” (or rather, signcryption)

5

Page 29: Formal Methods and Cryptography

ModelingTypically, adversary controls the networkA “process algebra” or a logic framework to describe what can happen in the system

Dolev-Yao algebra: Parties can use keys to “encrypt” messages to get opaque symbols that can be operated on only if key is also provided. Deterministic encryption.BAN logic [Burrows-Abadi-Needham]: principals (parties) can “say” or “see” messages, and “believe” statements like “A said M” or “A believes B said M”. Includes a notion of shared keys and public/private keys used for “encryption” (or rather, signcryption)spi calculus: incorporates an “encryption” primitive to pi calculus which is used to model concurrent, communicating systems

5

Page 30: Formal Methods and Cryptography

Modeling

6

Page 31: Formal Methods and Cryptography

Modelinge.g. Dolev-Yao

6

Page 32: Formal Methods and Cryptography

Modelinge.g. Dolev-Yao

Term-rewriting algebra: operations that can lead to new events are defined by rules for writing new terms

6

Page 33: Formal Methods and Cryptography

Modelinge.g. Dolev-Yao

Term-rewriting algebra: operations that can lead to new events are defined by rules for writing new terms

Operations: send/receive terms; pick “nonces”; pair/separate; “encrypt”/“decrypt”

6

Page 34: Formal Methods and Cryptography

Modelinge.g. Dolev-Yao

Term-rewriting algebra: operations that can lead to new events are defined by rules for writing new terms

Operations: send/receive terms; pick “nonces”; pair/separate; “encrypt”/“decrypt”

For each user X, public operation EX and private operation DX

6

Page 35: Formal Methods and Cryptography

Modelinge.g. Dolev-Yao

Term-rewriting algebra: operations that can lead to new events are defined by rules for writing new terms

Operations: send/receive terms; pick “nonces”; pair/separate; “encrypt”/“decrypt”

For each user X, public operation EX and private operation DX

DX (EX(m)) can be rewritten as m

6

Page 36: Formal Methods and Cryptography

Modelinge.g. Dolev-Yao

Term-rewriting algebra: operations that can lead to new events are defined by rules for writing new terms

Operations: send/receive terms; pick “nonces”; pair/separate; “encrypt”/“decrypt”

For each user X, public operation EX and private operation DX

DX (EX(m)) can be rewritten as m

Separate(Pair(a,b)) gives a,b

6

Page 37: Formal Methods and Cryptography

Modelinge.g. Dolev-Yao

Term-rewriting algebra: operations that can lead to new events are defined by rules for writing new terms

Operations: send/receive terms; pick “nonces”; pair/separate; “encrypt”/“decrypt”

For each user X, public operation EX and private operation DX

DX (EX(m)) can be rewritten as m

Separate(Pair(a,b)) gives a,b

No other rewritings; each party can use terms it received and rewrite them (according to the protocol); adversary can obtain the closure of all terms sent out in the network

6

Page 38: Formal Methods and Cryptography

Security Properties

7

Page 39: Formal Methods and Cryptography

Security PropertiesValid trace of a system: a sequence of events possible in the system (for the given protocol and an arbitrary adversary)

7

Page 40: Formal Methods and Cryptography

Security PropertiesValid trace of a system: a sequence of events possible in the system (for the given protocol and an arbitrary adversary)

Event: input/output/communication by parties or adversary

7

Page 41: Formal Methods and Cryptography

Security PropertiesValid trace of a system: a sequence of events possible in the system (for the given protocol and an arbitrary adversary)

Event: input/output/communication by parties or adversary

Security property is defined for a trace, and a protocol is called secure if all valid traces satisfy the security property

7

Page 42: Formal Methods and Cryptography

Security PropertiesValid trace of a system: a sequence of events possible in the system (for the given protocol and an arbitrary adversary)

Event: input/output/communication by parties or adversary

Security property is defined for a trace, and a protocol is called secure if all valid traces satisfy the security property

e.g.: For a key-agreement protocol, a trace is insecure if it has Alice outputting a nonce R (i.e., event [Alice:(output,R)] ) and the adversary also outputting R (event [Eve:(output,R)] )

7

Page 43: Formal Methods and Cryptography

Security PropertiesValid trace of a system: a sequence of events possible in the system (for the given protocol and an arbitrary adversary)

Event: input/output/communication by parties or adversary

Security property is defined for a trace, and a protocol is called secure if all valid traces satisfy the security property

e.g.: For a key-agreement protocol, a trace is insecure if it has Alice outputting a nonce R (i.e., event [Alice:(output,R)] ) and the adversary also outputting R (event [Eve:(output,R)] )

e.g.: (in BAN logic) “(A believes B said X) at some point ⇒

(B said X) before that point”

7

Page 44: Formal Methods and Cryptography

Security Properties

8

Page 45: Formal Methods and Cryptography

Security PropertiesSecurity in spi calculus (inherited from pi calculus) essentially same as simulation-based security

8

Page 46: Formal Methods and Cryptography

Security PropertiesSecurity in spi calculus (inherited from pi calculus) essentially same as simulation-based security

Observational Equivalence: Two systems P, Q are observationally equivalent if for all systems (environments) Z, the systems (Z|P) and (Z|Q) produce the same outputs

8

Page 47: Formal Methods and Cryptography

Security PropertiesSecurity in spi calculus (inherited from pi calculus) essentially same as simulation-based security

Observational Equivalence: Two systems P, Q are observationally equivalent if for all systems (environments) Z, the systems (Z|P) and (Z|Q) produce the same outputs

To define security of a protocol, define an ideal protocol (think as ideal functionality, combined with a simulator for the “dummy adversary”) and require that the two systems are observationally equivalent

8

Page 48: Formal Methods and Cryptography

Security PropertiesSecurity in spi calculus (inherited from pi calculus) essentially same as simulation-based security

Observational Equivalence: Two systems P, Q are observationally equivalent if for all systems (environments) Z, the systems (Z|P) and (Z|Q) produce the same outputs

To define security of a protocol, define an ideal protocol (think as ideal functionality, combined with a simulator for the “dummy adversary”) and require that the two systems are observationally equivalent

(But spi calculus incorporates an ideal shared-key encryption and no other cryptographic features; typically limited to secure communication tasks)

8

Page 49: Formal Methods and Cryptography

An Example

9

Page 50: Formal Methods and Cryptography

An ExampleNeedham-Schroeder-Lowe (public-key) protocol

9

Page 51: Formal Methods and Cryptography

An ExampleNeedham-Schroeder-Lowe (public-key) protocol

For “mutual authentication”

9

Page 52: Formal Methods and Cryptography

An ExampleNeedham-Schroeder-Lowe (public-key) protocol

For “mutual authentication”

Or, for “key agreement”

9

Page 53: Formal Methods and Cryptography

An ExampleNeedham-Schroeder-Lowe (public-key) protocol

For “mutual authentication”

Or, for “key agreement”

Uses an ideal encryption (or signcryption) to let two parties exchange nonces so that each should know that the nonce came from the other party (whose public-key it already has)

9

Page 54: Formal Methods and Cryptography

An ExampleNeedham-Schroeder-Lowe (public-key) protocol

For “mutual authentication”

Or, for “key agreement”

Uses an ideal encryption (or signcryption) to let two parties exchange nonces so that each should know that the nonce came from the other party (whose public-key it already has)

The nonce should be useful as a secret shared-key

9

Page 55: Formal Methods and Cryptography

An ExampleNeedham-Schroeder-Lowe (public-key) protocol

For “mutual authentication”

Or, for “key agreement”

Uses an ideal encryption (or signcryption) to let two parties exchange nonces so that each should know that the nonce came from the other party (whose public-key it already has)

The nonce should be useful as a secret shared-key

Most formal frameworks use this an example, to show that they can find the bug in the original Needham-Schroeder protocol (1978)

9

Page 56: Formal Methods and Cryptography

An ExampleNeedham-Schroeder-Lowe (public-key) protocol

For “mutual authentication”

Or, for “key agreement”

Uses an ideal encryption (or signcryption) to let two parties exchange nonces so that each should know that the nonce came from the other party (whose public-key it already has)

The nonce should be useful as a secret shared-key

Most formal frameworks use this an example, to show that they can find the bug in the original Needham-Schroeder protocol (1978)

Or new bugs in extended settings

9

Page 57: Formal Methods and Cryptography

Initiator (Minit):

initialize(self, other);newrandom(na);pair(self, na, a na);encrypt(other, a na, a na enc);send(a na enc);receive(b na nb enc);decrypt(self, b na nb enc, b na nb);separate(b na nb, b, na nb);test(b == other);separate(na nb, na2, nb);test(na == na2);encrypt(other, nb, nb enc);send(nb enc);pair(self, other, a b);pair(a b, x , a b x);pair(Finished , a b x, out);output(out);done;

Responder (Mresp):

initialize(self, other);receive(a na enc);decrypt(self, a na enc, a na);separate(a na, a, na);test(a == other);newrandom(nb);pair(other, na, b na);pair(b na, nb, b na nb);encrypt(other, b na nb, b na nb enc);send(b na nb enc);receive(nb enc);decrypt(self, nb enc, nb2);test(nb == nb2);pair(self, x , b a x);pair(Finished , b a x, out);output(out);done;

Version 1: x=na (Initiator’s nonce output as secret key)Version 2: x=nb (Responder’s nonce output as secret key)

Figure 4: The Needham-Schroeder-Lowe protocol for key exchange.

A, upon receiving this message, checks two things: that the first component is the name of the intendedresponder, and that second component is the random string that it recently created. If so, it re-encrypts thethird component in B’s public key:

A → B : Enc(Nb;KB)

At this point, A terminates and signals a successful protocol execution. B will do the same upon receivingthe third message iff the plaintext is its recently-generated random string.

Figure 4 holds the simple programs for the Needham-Schroeder-Lowe initiator and responder roles. Inparticular, it specifies two versions of these roles which differ only in the values they output. As describedby its authors, the Needham-Schroeder-Lowe protocol has no defined outputs. It has been later noted,however, that the participants of this protocol exchange random strings and that either of these stringsmight subsequently be used as a symmetric key. We incorporate this observation into our simple programsby having both roles output one of the two random strings to be used as a symmetric key. In the firstversion of this protocol, the participants output the random string chosen by the initiator, and in the secondthey output the random string chosen by the responder. In Section 7 we show that Version 1 is a securekey-exchange protocol but that Version 2 is insecure. Before we can do so, however, we must introduce acrucial technical lemma.

5 The Mapping Lemma

This section presents the Mapping Lemma, sketched in Section 2.3. Recall that this lemma states thatfor any simple protocol, the computational adversary (in the UC setting) has only a negligible chance ofproducing executions that do not correspond to an execution of a Dolev-Yao adversary. Our presentation

23

[NSL protocol, from Canetti-Herzog 2006]10

Page 58: Formal Methods and Cryptography

Automated Analysis

11

Page 59: Formal Methods and Cryptography

Automated AnalysisNot necessarily very efficient

11

Page 60: Formal Methods and Cryptography

Automated AnalysisNot necessarily very efficient

Often NP-hard (or even P-SPACE hard). Typical algorithms are exponential in the size of the system

11

Page 61: Formal Methods and Cryptography

Automated AnalysisNot necessarily very efficient

Often NP-hard (or even P-SPACE hard). Typical algorithms are exponential in the size of the system

Typically undecidable when allowing an unbounded number of concurrent sessions

11

Page 62: Formal Methods and Cryptography

Automated AnalysisNot necessarily very efficient

Often NP-hard (or even P-SPACE hard). Typical algorithms are exponential in the size of the system

Typically undecidable when allowing an unbounded number of concurrent sessions

Popular models (Dolev-Yao, BAN logic, spi calculus) have reasonably efficient algorithms for analyzing a variety of security properties, if the system is small (single session)

11

Page 63: Formal Methods and Cryptography

Automated AnalysisNot necessarily very efficient

Often NP-hard (or even P-SPACE hard). Typical algorithms are exponential in the size of the system

Typically undecidable when allowing an unbounded number of concurrent sessions

Popular models (Dolev-Yao, BAN logic, spi calculus) have reasonably efficient algorithms for analyzing a variety of security properties, if the system is small (single session)

Sometimes state-exploration (using model-checking tools) can be used to discover (some) flaws, but does not prove security

11

Page 64: Formal Methods and Cryptography

What does Security in a Formal Model mean?

12

Page 65: Formal Methods and Cryptography

What does Security in a Formal Model mean?

“Encryption” as proposed in most of the formal models attributes message secrecy, key-anonymity, non-malleability, circular-encryption security, MAC/signature properties and much more (while requiring it to be deterministic)

12

Page 66: Formal Methods and Cryptography

What does Security in a Formal Model mean?

“Encryption” as proposed in most of the formal models attributes message secrecy, key-anonymity, non-malleability, circular-encryption security, MAC/signature properties and much more (while requiring it to be deterministic)

Possibly achievable in random-oracle model or generic-group model

12

Page 67: Formal Methods and Cryptography

What does Security in a Formal Model mean?

“Encryption” as proposed in most of the formal models attributes message secrecy, key-anonymity, non-malleability, circular-encryption security, MAC/signature properties and much more (while requiring it to be deterministic)

Possibly achievable in random-oracle model or generic-group model

Security guarantee similar in spirit to these heuristic models

12

Page 68: Formal Methods and Cryptography

What does Security in a Formal Model mean?

“Encryption” as proposed in most of the formal models attributes message secrecy, key-anonymity, non-malleability, circular-encryption security, MAC/signature properties and much more (while requiring it to be deterministic)

Possibly achievable in random-oracle model or generic-group model

Security guarantee similar in spirit to these heuristic models

Security against adversaries who use only operations permitted by the formal model

12

Page 69: Formal Methods and Cryptography

What does Security in a Formal Model mean?

13

Page 70: Formal Methods and Cryptography

What does Security in a Formal Model mean?

Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models?

13

Page 71: Formal Methods and Cryptography

What does Security in a Formal Model mean?

Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models?

Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational model

13

Page 72: Formal Methods and Cryptography

What does Security in a Formal Model mean?

Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models?

Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational modelA formal model is “sound” if we can do the following:

13

Page 73: Formal Methods and Cryptography

What does Security in a Formal Model mean?

Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models?

Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational modelA formal model is “sound” if we can do the following:

Translate protocol in computational model to formal model. Get security guarantee for it in formal model. This should imply security of the original protocol in the computational model

13

Page 74: Formal Methods and Cryptography

What does Security in a Formal Model mean?

Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models?

Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational modelA formal model is “sound” if we can do the following:

Translate protocol in computational model to formal model. Get security guarantee for it in formal model. This should imply security of the original protocol in the computational model

In a specific format, using only specific primitives

13

Page 75: Formal Methods and Cryptography

What does Security in a Formal Model mean?

Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models?

Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational modelA formal model is “sound” if we can do the following:

Translate protocol in computational model to formal model. Get security guarantee for it in formal model. This should imply security of the original protocol in the computational model

In a specific format, using only specific primitives

If primitives satisfy certain security

definitions

13

Page 76: Formal Methods and Cryptography

What does Security in a Formal Model mean?

Can we develop strong underlying crypto primitives to implement the “encryption” as used in these formal models?

Not quite, but maybe strong enough to translate the formal-model guarantees to security guarantees in the computational modelA formal model is “sound” if we can do the following:

Translate protocol in computational model to formal model. Get security guarantee for it in formal model. This should imply security of the original protocol in the computational modelSoundness of the formal model and formal security property for the computational task and primitive used

In a specific format, using only specific primitives

If primitives satisfy certain security

definitions

13

Page 77: Formal Methods and Cryptography

Soundness of Formal Models

14

Page 78: Formal Methods and Cryptography

Soundness of Formal ModelsInitiated by Abadi-Rogaway (2001)

14

Page 79: Formal Methods and Cryptography

Soundness of Formal ModelsInitiated by Abadi-Rogaway (2001)

Shows soundness for a class of protocols/tasks, if CCA secure encryption is mapped to ideal encryptions in a formal model, and a certain security property is proven in the formal model

14

Page 80: Formal Methods and Cryptography

Soundness of Formal ModelsInitiated by Abadi-Rogaway (2001)

Shows soundness for a class of protocols/tasks, if CCA secure encryption is mapped to ideal encryptions in a formal model, and a certain security property is proven in the formal model

Since then extended to various authentication/key-agreement-like tasks (and some computation tasks), against passive and active adversaries, using different formal models (algebras, spi-calculus)

14

Page 81: Formal Methods and Cryptography

Soundness of Formal ModelsInitiated by Abadi-Rogaway (2001)

Shows soundness for a class of protocols/tasks, if CCA secure encryption is mapped to ideal encryptions in a formal model, and a certain security property is proven in the formal model

Since then extended to various authentication/key-agreement-like tasks (and some computation tasks), against passive and active adversaries, using different formal models (algebras, spi-calculus)

Recent works incorporate signatures, NIZK proofs etc.

14

Page 82: Formal Methods and Cryptography

Soundness of Formal ModelsInitiated by Abadi-Rogaway (2001)

Shows soundness for a class of protocols/tasks, if CCA secure encryption is mapped to ideal encryptions in a formal model, and a certain security property is proven in the formal model

Since then extended to various authentication/key-agreement-like tasks (and some computation tasks), against passive and active adversaries, using different formal models (algebras, spi-calculus)

Recent works incorporate signatures, NIZK proofs etc.

Typically each work considers a specific task, develops a security criterion in a specific formal model, and establishes soundness for protocols using specific crypto primitives (like CCA2 encryption)

14

Page 83: Formal Methods and Cryptography

Soundness of Formal ModelsInitiated by Abadi-Rogaway (2001)

Shows soundness for a class of protocols/tasks, if CCA secure encryption is mapped to ideal encryptions in a formal model, and a certain security property is proven in the formal model

Since then extended to various authentication/key-agreement-like tasks (and some computation tasks), against passive and active adversaries, using different formal models (algebras, spi-calculus)

Recent works incorporate signatures, NIZK proofs etc.

Typically each work considers a specific task, develops a security criterion in a specific formal model, and establishes soundness for protocols using specific crypto primitives (like CCA2 encryption)

A somewhat general framework by Backes et al. (CCS 2009)14

Page 84: Formal Methods and Cryptography

Soundness of Formal Models

15

Page 85: Formal Methods and Cryptography

Soundness of Formal ModelsSeveral challenges

15

Page 86: Formal Methods and Cryptography

Soundness of Formal ModelsSeveral challenges

Traditional models usually deterministic (except for picking nonces, and possibly within the encryption operation), but for many interesting tasks cryptographic protocols typically use more randomness

15

Page 87: Formal Methods and Cryptography

Soundness of Formal ModelsSeveral challenges

Traditional models usually deterministic (except for picking nonces, and possibly within the encryption operation), but for many interesting tasks cryptographic protocols typically use more randomness

If model is too general, becomes hard/intractable to automatically reason

15

Page 88: Formal Methods and Cryptography

Soundness of Formal ModelsSeveral challenges

Traditional models usually deterministic (except for picking nonces, and possibly within the encryption operation), but for many interesting tasks cryptographic protocols typically use more randomness

If model is too general, becomes hard/intractable to automatically reason

Promising approach: Universal Composition -- require stronger per-session security that will allow decomposing the analysis to be per-session

15

Page 89: Formal Methods and Cryptography

Soundness of Formal ModelsSeveral challenges

Traditional models usually deterministic (except for picking nonces, and possibly within the encryption operation), but for many interesting tasks cryptographic protocols typically use more randomness

If model is too general, becomes hard/intractable to automatically reason

Promising approach: Universal Composition -- require stronger per-session security that will allow decomposing the analysis to be per-session

Only a few security properties have been considered (related to authentication and secure communication). Need to identify automatically verifiable (and sufficient) criteria for each new task

15

Page 90: Formal Methods and Cryptography

Universal Composition

16

Page 91: Formal Methods and Cryptography

Universal CompositionRecall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model)

16

Page 92: Formal Methods and Cryptography

Universal CompositionRecall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model)

From [GMW’87]. Used by [Pfitzmann-Waidner’01] and [Canetti’01]

16

Page 93: Formal Methods and Cryptography

Universal CompositionRecall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model)

From [GMW’87]. Used by [Pfitzmann-Waidner’01] and [Canetti’01]

UC Security [Canetti’01]: security is defined for one session of the protocol, in the presence of an arbitrary environment

16

Page 94: Formal Methods and Cryptography

Universal CompositionRecall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model)

From [GMW’87]. Used by [Pfitzmann-Waidner’01] and [Canetti’01]

UC Security [Canetti’01]: security is defined for one session of the protocol, in the presence of an arbitrary environmentComposition Theorem: UC security of individual sessions automatically implies UC security of multiple concurrent sessions

16

Page 95: Formal Methods and Cryptography

Universal CompositionRecall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model)

From [GMW’87]. Used by [Pfitzmann-Waidner’01] and [Canetti’01]

UC Security [Canetti’01]: security is defined for one session of the protocol, in the presence of an arbitrary environmentComposition Theorem: UC security of individual sessions automatically implies UC security of multiple concurrent sessions

Drawback: a strong security requirement that is more “expensive” to realize

16

Page 96: Formal Methods and Cryptography

Universal CompositionRecall: security guarantee (in computational model) in terms of an ideal functionality (can be used in a formal model)

From [GMW’87]. Used by [Pfitzmann-Waidner’01] and [Canetti’01]

UC Security [Canetti’01]: security is defined for one session of the protocol, in the presence of an arbitrary environmentComposition Theorem: UC security of individual sessions automatically implies UC security of multiple concurrent sessions

Drawback: a strong security requirement that is more “expensive” to realizeAdvantages: 1. Security for concurrent sessions. 2. Easy to use as a sub-module in higher level protocols and analyze security. Analysis of higher level protocols often “automatable”

16

Page 97: Formal Methods and Cryptography

Composition Logic

17

Page 98: Formal Methods and Cryptography

Composition Logic

On going research

17

Page 99: Formal Methods and Cryptography

Composition Logic

On going research

Protocol Composition Logic of Mitchell et al.

17

Page 100: Formal Methods and Cryptography

Composition Logic

On going research

Protocol Composition Logic of Mitchell et al.

Formal model and soundness theorems by Canetti-Herzog

17

Page 101: Formal Methods and Cryptography

Composition Logic

On going research

Protocol Composition Logic of Mitchell et al.

Formal model and soundness theorems by Canetti-Herzog

...

17

Page 102: Formal Methods and Cryptography

Secure Computation?

18

Page 103: Formal Methods and Cryptography

Secure Computation?

Most tasks formally analyzed still relate to secure communication

18

Page 104: Formal Methods and Cryptography

Secure Computation?

Most tasks formally analyzed still relate to secure communication

UC framework in principle allows arbitrary functionalities

18

Page 105: Formal Methods and Cryptography

Secure Computation?

Most tasks formally analyzed still relate to secure communication

UC framework in principle allows arbitrary functionalities

Also, possibility of modeling certain homomorphic encryption schemes algebraically (and in a sound manner) if implemented using “non-malleable” homomorphic encryption

18

Page 106: Formal Methods and Cryptography

Secure Computation?

Most tasks formally analyzed still relate to secure communication

UC framework in principle allows arbitrary functionalities

Also, possibility of modeling certain homomorphic encryption schemes algebraically (and in a sound manner) if implemented using “non-malleable” homomorphic encryption

Challenge: Efficient automated analysis in the resulting formal model

18

Page 107: Formal Methods and Cryptography

More Automation?

19

Page 108: Formal Methods and Cryptography

More Automation?

Formal models are used to analyze higher level protocols, reducing their security to security of underlying cryptographic primitives

19

Page 109: Formal Methods and Cryptography

More Automation?

Formal models are used to analyze higher level protocols, reducing their security to security of underlying cryptographic primitives

Crypto primitives themselves designed and security reduced to computational complexity assumptions by hand

19

Page 110: Formal Methods and Cryptography

More Automation?

Formal models are used to analyze higher level protocols, reducing their security to security of underlying cryptographic primitives

Crypto primitives themselves designed and security reduced to computational complexity assumptions by hand

Can this be automated?

19

Page 111: Formal Methods and Cryptography

More Automation?

Formal models are used to analyze higher level protocols, reducing their security to security of underlying cryptographic primitives

Crypto primitives themselves designed and security reduced to computational complexity assumptions by hand

Can this be automated?

Plausible, if a formal model of complexity assumptions

19

Page 112: Formal Methods and Cryptography

More Automation?

Formal models are used to analyze higher level protocols, reducing their security to security of underlying cryptographic primitives

Crypto primitives themselves designed and security reduced to computational complexity assumptions by hand

Can this be automated?

Plausible, if a formal model of complexity assumptions

Likely, for generic group model (which is a formal model)

19

Page 113: Formal Methods and Cryptography

Today

20

Page 114: Formal Methods and Cryptography

TodayUse of formal methods in cryptography

20

Page 115: Formal Methods and Cryptography

TodayUse of formal methods in cryptography

Prior to 2000 (or Abadi-Rogaway), separate communities

20

Page 116: Formal Methods and Cryptography

TodayUse of formal methods in cryptography

Prior to 2000 (or Abadi-Rogaway), separate communitiesDolev-Yao, spi calculus, BAN logic

20

Page 117: Formal Methods and Cryptography

TodayUse of formal methods in cryptography

Prior to 2000 (or Abadi-Rogaway), separate communitiesDolev-Yao, spi calculus, BAN logicSecurity in formal model had little bearing as a security guarantee in the computational model (but attacks in the formal model give real attacks)

20

Page 118: Formal Methods and Cryptography

TodayUse of formal methods in cryptography

Prior to 2000 (or Abadi-Rogaway), separate communitiesDolev-Yao, spi calculus, BAN logicSecurity in formal model had little bearing as a security guarantee in the computational model (but attacks in the formal model give real attacks)

Soundness guarantees

20

Page 119: Formal Methods and Cryptography

TodayUse of formal methods in cryptography

Prior to 2000 (or Abadi-Rogaway), separate communitiesDolev-Yao, spi calculus, BAN logicSecurity in formal model had little bearing as a security guarantee in the computational model (but attacks in the formal model give real attacks)

Soundness guaranteesSecurity in formal models that can be translated to security in computational models

20

Page 120: Formal Methods and Cryptography

TodayUse of formal methods in cryptography

Prior to 2000 (or Abadi-Rogaway), separate communitiesDolev-Yao, spi calculus, BAN logicSecurity in formal model had little bearing as a security guarantee in the computational model (but attacks in the formal model give real attacks)

Soundness guaranteesSecurity in formal models that can be translated to security in computational models

Composition: to make analysis of complex protocols feasible; also to obtain security in arbitrary environments

20

Page 121: Formal Methods and Cryptography

TodayUse of formal methods in cryptography

Prior to 2000 (or Abadi-Rogaway), separate communitiesDolev-Yao, spi calculus, BAN logicSecurity in formal model had little bearing as a security guarantee in the computational model (but attacks in the formal model give real attacks)

Soundness guaranteesSecurity in formal models that can be translated to security in computational models

Composition: to make analysis of complex protocols feasible; also to obtain security in arbitrary environmentsOn going work: Probabilistic models (e.g. Task PIOA), more tasks, more tools for formal analysis

20