Proving observational equivalence with ProVerif
|
|
- Homer Waters
- 6 years ago
- Views:
Transcription
1 Proving observational equivalence with ProVerif Bruno Blanchet INRIA Paris-Rocquencourt based on joint work with Martín Abadi and Cédric Fournet and with Vincent Cheval June 2015 Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
2 Introduction Analysis of cryptographic protocols: Powerful automatic tools for proving properties on behaviors (traces) of protocols (secrecy of keys, correspondences). For instance, ProVerif was initially designed to prove trace properties. Many important properties can be formalized as process equivalences, not as properties on behaviors: secrecy of a boolean x in P(x): P(true) P(false) the process P implements an ideal specification Q: P Q Equivalences are usually proved by difficult, long manual proofs. Already much research on this topic, using in particular sophisticated bisimulation techniques (e.g., Boreale et al). Some recent tools for a bounded number of sessions (APTE, Akiss) Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
3 Selected work relying on equivalences January 25, 1998 SRC Research Report 149 A Calculus for Cryptographic Protocols The Spi Calculus Martín Abadi and Andrew D. Gordon Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
4 Selected work relying on equivalences Secrecy by Typing in Security Protocols Martín Abadi Systems Research Center Compaq December 8, 1998 Abstract We develop principles and rules for achieving secrecy properties in security protocols. Our approach is based on traditional classification techniques, and extends those techniques to handle concurrent processes that use shared-key cryptography. The rules have the form of typing rules for a basic concurrent language with cryptographic primitives, the spi calculus. They guarantee that, if a protocol typechecks, then it does not leak its secret inputs. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
5 Selected work relying on equivalences ÅÓ Ð Î ÐÙ Æ Û Æ Ñ Ò Ë ÙÖ ÓÑÑÙÒ Ø ÓÒ Å ÖØ Ò ÐÐ Ä Ê Ö ÄÙ ÒØ Ì ÒÓÐÓ Ö ÓÙÖÒ Ø Å ÖÓ Ó Ø Ê Ö ØÖ Ø Ï ØÙ Ý Ø ÒØ Ö Ø ÓÒ Ó Ø Ò Û ÓÒ ØÖÙØ Û Ø Ö ÙØ ÓÑÑÓÒ ÓÖÑ Ó Ö Ø¹ÓÖ Öµ ÓÑÑÙÒ Ø ÓÒº Ì Ò¹ Ø Ö Ø ÓÒ ÖÙ Ð Ò ÙÖ ØÝ ÔÖÓØÓÓÐ Û Ö Ø Ñ Ò ÑÓØ Ú Ø Ò Ü ÑÔÐ ÓÖ ÓÙÖ ÛÓÖ Ø Ð Ó ÔÔ Ö Ò ÓØ Ö ÔÖÓ Ö ÑÑ Ò ¹Ð Ò Ù ÓÒØ ÜØ º ËÔ ÐÐÝ Û ÒØÖÓ Ù ÑÔÐ Ò Ö Ð ÜØ Ò ÓÒ Ó Ø Ô ÐÙÐÙ Û Ø Ú ÐÙ Ô ¹ Ò ÔÖ Ñ Ø Ú ÙÒØ ÓÒ Ò ÕÙ Ø ÓÒ ÑÓÒ Ø ÖÑ º Ï Ú ÐÓÔ Ñ ÒØ Ò ÔÖÓÓ Ø Ò ÕÙ ÓÖ Ø ÜØ Ò Ð Ò Ù Ò ÔÔÐÝ Ø Ñ Ò Ö ÓÒ Ò ÓÙØ ÓÑ ÙÖ ØÝ ÔÖÓØÓÓÐ º Ì ÆÙÐØ Ö Ó Ø Ò ÖÙÑÚ ÒØ Ø ÖÓÙ ÓÒ¹Ø ¹ Ý ÜØ Ò ÓÒ º Ì ÜØ Ò ÓÒ Ö Ò ÖÓÑ ÕÙ ÔÙÒØ ÓÖ Ø Ò ÜØ Ü ÑÔРРس ÔÖ Ø Ò Ø Ø Û Ú Ø ØÝÔ Ó ÒØ Ö µ ØÓ Ø Ð ÓÖ ÓÙ Ú ÐÓÔÑ ÒØ Ó Ò Û ÐÙÐ Ù Ø Ô ÐÙÐÙ Ò Ø Ú Ö ÒØ º Ò Ö ÐÐÝ Ø ÜØ Ò¹ ÓÒ Ö Ò Ù ÐÓ Ö ØÓ Ö Ð Ø ÔÖÓ Ö ÑÑ Ò Ð Ò Ù ÓÖ ÑÓ Ð Ò Ð Ò Ù Ø Ø ÒÓØ ÐÛ Ý Ø Ò º ÐØ ÓÙ Ñ ÒÝ Ó Ø Ö ÙÐØ Ò ÐÙÐ Ö Ó Ò ÔÓÓÖÐÝ ÙÒ Ö ØÓÓ ÓØ Ö Ö ÖÓ Ù Ø Ò ÙÒ ÓÖÑ ÒÓÙ ØÓ Ú Ö Ø ÓÖÝ Ò Ú Ö ØÝ Ó ÔÔÐ Ø ÓÒ º ÁÒ Ô ÖØ ÙÐ Ö ÑÔÙÖ ÜØ Ò ÓÒ Ó Ø Ð Ñ ÐÙÐÙ Û Ø ÙÒØ ÓÒ ÝÑ ÓÐ Ò Û Ø ÕÙ Ø ÓÒ ÑÓÒ Ø ÖÑ ÐØ ÖÙÐ µ Ú Ò Ú ÐÓÔ Ý Ø Ñ Ø ÐÐÝ Û Ø ÓÒ Ö¹ ½ ÓÖ ÑÔÙÖ ØÝ Ð Ù º Ë Ñ Ð ÖÐÝ ÑÔÙÖ Ú Ö ÓÒ Ó Ë Ò ËÈ Û Ø Ú ÐÙ ¹Ô Ò Ö ÒÓØ ÐÛ Ý Ô ÙØ Ó Ø Ò Ò Ø Ò ÈÙÖ ØÝ Ó Ø Ò ÓÑ ÓÖ ÓÒÚ Ò Ò Ò Ú Ò ÓÖ Ø ÙÐÒ Ò Ø Ð Ñ ÐÙÐÙ Ø Ô ÐÙÐÙ Ò ÓÒÚ Ò ÒØ ½ º ÁÒ Ø Ô Ô Ö Û ÒØÖÓ Ù ØÙ Ý Ò Ù Ò Ò ÐÓ¹ BrunoÓØ Ö Blanchet ÓÙÒ Ø ÓÒ Ð (INRIA) ÔÖÓ Ö ÑÑ Ò Ð Ò Ù º Observational ÓÖ Ü ÑÔÐ equivalence ÓÙ with ÙÒ ÓÖÑ ProVerif ÜØ Ò ÓÒ Ó Ø Ô ÐÙÐÙ Û June Û ÐÐ 2015 Ø 3 / 40
6 Equivalences as properties of behaviors (1) Goal: extend ProVerif to the proof of process equivalences. We focus on equivalences between processes that differ only by the terms they contain, e.g., P(true) P(false). Many interesting equivalences fall into this category. We introduce biprocesses to represent pairs of processes that differ only by the terms they contain. P(true) and P(false) are variants of a biprocess P(diff[true, false]). The variants give a different interpretation to diff[true, false], true for the first variant, false for the second one. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
7 Equivalences as properties of behaviors (2) We introduce a new operational semantics for biprocesses: A biprocess reduces when both variants reduce in the same way and after reduction, they still differ only by terms (so can be written using diff). We establish P(true) P(false) by reasoning on behaviors of P(diff[true, false]): If, for all reachable configurations, both variants reduce in the same way, then we have equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
8 Overview of the verification method Protocol: biprocess Pi calculus + cryptography Signature: Rewrite rules + equations Automatic translator Horn clauses Resolution with selection bad is not derivable Equivalence is true bad is derivable Equivalence may be false Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
9 The process calculus Dialect of the applied pi calculus [Abadi, Fournet, POPL 01]. M,N ::= terms x,y,z variable a,b,c,k,s name f(m 1,...,M n ) constructor application D ::= term evaluations M term fail special failure value h(d 1,...,D n ) function evaluation P, Q, R ::= processes M(x).P input M N.P output let x = D in P else Q term evaluation 0 P Q!P (νa)p if M then P else Q encoded as a term evaluation. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
10 Representation of cryptographic primitives Two possible representations: When success/failure is visible: destructors with rewrite rules constructor sencrypt destructor sdecrypt(sencrypt(x, y), y) x otherwise sdecrypt(u,v) fail The else branch of the term evaluation is executed when D fails, that is, D evaluates to fail. When success/failure is not visible: equations sdecrypt(sencrypt(x,y),y) = x sencrypt(sdecrypt(x,y),y) = x Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
11 Representation of cryptographic primitives Two possible representations: When success/failure is visible: destructors with rewrite rules constructor sencrypt destructor sdecrypt(sencrypt(x, y), y) x otherwise sdecrypt(u,v) fail The else branch of the term evaluation is executed when D fails, that is, D evaluates to fail. When success/failure is not visible: equations sdecrypt(sencrypt(x,y),y) = x sencrypt(sdecrypt(x,y),y) = x Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
12 Semantics D M when the term evaluation D evaluates to M. D fail when the term evaluation D fails. Uses rewrite rules of destructors and equations. transforms processes so that reduction rules can be applied. Main reduction rules: N M.Q N (x).p Q P{M/x} if Σ N = N (Red I/O) let x = D in P else Q P{M/x} (Red Fun 1) if D M let x = D in P else Q Q (Red Fun 2) if D fail Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
13 Observational equivalences and biprocesses Two processes P and Q are observationally equivalent (P Q) when the adversary cannot distinguish them. A biprocess P is a process with diff. fst(p) = the process obtained by replacing diff[m,m ] with M. snd(p) = the process obtained by replacing diff[m,m ] with M. P satisfies observational equivalence when fst(p) snd(p). Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
14 Semantics of biprocesses A biprocess reduces when both variants of the process reduce in the same way. N M.Q N (x).p Q P{M/x} if Σ fst(n) = fst(n ) and Σ snd(n) = snd(n ) (Red I/O) let x = D in P else Q P{diff[M 1,M 2 ]/x} (Red Fun 1) if fst(d) M 1 and snd(d) M 2 let x = D in P else Q Q (Red Fun 2) if fst(d) fail and snd(d) fail P Q fst(p) snd(p) fst(q) snd(q) Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
15 Proof of observational equivalence using biprocesses Let P 0 be a closed biprocess. If for all configurations P reachable from P 0 (in the presence of an adversary), both variants of P reduce in the same way, then P 0 satisfies observational equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
16 Proof of observational equivalence using biprocesses Let P 0 be a closed biprocess. If for all configurations P reachable from P 0 (in the presence of an adversary), both variants of P reduce in the same way, then P 0 satisfies observational equivalence. An adversary is represented by a plain evaluation context (evaluation context without diff), so: If, for all plain evaluation contexts C and reductions C[P 0 ] P, both variants of P reduce in the same way, then P 0 satisfies observational equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
17 Formalizing reduce in the same way The biprocess P is uniform when fst(p) Q 1 implies P Q for some biprocess Q with fst(q) Q 1, and symmetrically for snd(p) Q 2. P Q P Q fst(p) Q 1 fst(q) snd(p) snd(q) Q 2 If, for all plain evaluation contexts C and reductions C[P 0 ] P, the biprocess P is uniform, then P 0 satisfies observational equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
18 Result [Blanchet, Abadi, Fournet, JLAP, 2008] Let P 0 be a closed biprocess. Suppose that, for all plain evaluation contexts C, all evaluation contexts C, and all reductions C[P 0 ] P, 1 the (Red I/O) rules apply in the same way on both variants. if P C [N M.Q N (x).r], then Σ fst(n) = fst(n ) if and only if Σ snd(n) = snd(n ), 2 the (Red Fun) rules apply in the same way on both variants. if P C [let x = D in Q else R], then fst(d) fail if and only if snd(d) fail. Then P 0 satisfies observational equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
19 Application The previous result reduces the proof of observational equivalence to the proof of trace properties for biprocesses. We extend the Horn clause approach of ProVerif from processes to biprocesses, to prove these properties. Basically, each argument of the predicates is doubled, with one argument for each side. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
20 Example: probabilistic encryption Probabilistic public-key encryption is modeled by an equation: dec(enc(x,pk(s),a),s) = x Without knowledge of the decryption key, ciphertexts appear to be unrelated to the plaintexts. Ciphertexts are indistinguishable from fresh names: satisfies equivalence. (νs)(c pk(s)!c (x).(νa)c diff[enc(x,pk(s),a),a] ) This equivalence can be proved using the previous result, and verified automatically by ProVerif. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
21 Example: private authentication Simplified version of the private authentication protocol [Abadi, Fournet, TCS, 2004]. {N A,pk A } pkb {x,y} pkb y = pka? Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
22 Example: private authentication Simplified version of the private authentication protocol [Abadi, Fournet, TCS, 2004]. {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
23 Example: private authentication Simplified version of the private authentication protocol [Abadi, Fournet, TCS, 2004]. {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
24 Proving anonymity {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no Caesar should not be able to know who Obelix wants to talk to. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
25 False attack {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
26 False attack {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
27 False attack {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N A,pk A } pkb {x,y} pkb y = pka? {N B } pkb no The test takes a different branch: the proof of equivalence fails. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
28 Demo File private auth falseattack.pv Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
29 Solution: encode tests inside terms [Cheval, Blanchet, POST 13] The if-then-else destructor: ifthenelse(x,x,u,v) u otherwise ifthenelse(x,y,u,v) v Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
30 Solution: encode tests inside terms [Cheval, Blanchet, POST 13] The if-then-else destructor: ifthenelse(x,x,u,v) u otherwise ifthenelse(x,y,u,v) v {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
31 Solution: encode tests inside terms [Cheval, Blanchet, POST 13] The if-then-else destructor: ifthenelse(x,x,u,v) u otherwise ifthenelse(x,y,u,v) v {x,y} pkb M M = ifthenelse(y,pk A,{x,N B,pk B } y,{n B } pkb ) Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
32 Demo File private auth direct.pv Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
33 Merging two processes In order to prove that P and Q are observationally equivalent using this approach, we need to merge P and Q into a biprocess R: fst(r) P snd(r) Q Trivial when P and Q have exactly the same structure. There is a general merging: R = if diff[true,false] then P else Q does not allow ProVerif to prove observational equivalence. Do something more clever! Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
34 A related problem: simplifying biprocesses In the private authentication example, we moved a test from the process level to the term level. Doing the same on the process R = if diff[true,false] then P else Q could allow ProVerif to prove observational equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
35 A related problem: simplifying biprocesses In the private authentication example, we moved a test from the process level to the term level. Doing the same on the process R = if diff[true,false] then P else Q could allow ProVerif to prove observational equivalence....but moving this test implies merging the structures of P and Q! Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
36 Merging algorithm Merge branches of biprocesses: Automatically transforms the private authencation example Allows merging P and Q by applying it to if diff[true,false] then P else Q Two steps: 1 Normalize the process (Try to reorganize processes that send the same messages so that they have the same syntactic form.) 2 Merge branches on the normalized process Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
37 Normalization algorithm 1 Make sure term evaluations always succeed New destructors: catchfail(x) x otherwise catchfail(fail) c fail not c fail (c fail ) false otherwise not c fail (x) true let x = D in P else Q let x = catchfail(d) in if not c fail (x) then P else Q (We allow destructors outside let; they can be encoded using an additional let.) 2 Remove unused restrictions and lets;!0 0 Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
38 Normalization algorithm 3 Move new, let, if before outputs M N.(νa)P (νa)m N.P M N.let x = D in P let x = D in M N.P M N.if M then P else Q if M then M N.P else M N.Q (Avoid capture of names and variables.) 4 Move new, let, if before parallel composition ((νa).p) Q (νa).(p Q) (let x = D in P) Q let x = D in (P Q) (if M then P else P ) Q if M then P Q else P Q 5 Group replicated processes inside a parallel composition!p P!P P!(P P ) Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
39 Normalization algorithm 6 Move new, let before if if M then (νa)p else Q (νa)if M then P else Q if M then let x = D in P else Q let x = D in if M then P else Q 7 Move new before let let x = D in (νa)p (νa)let x = D in 8 Move if (with its new/let) before replication!s ν s let if M then P else Q s ν s let if M then!s ν s let P else!s ν s let Q The equational theory is closed under one-to-one renaming, so the test M will always yield the same result independently of the considered fresh names. 9 Remove double replication!s let!s ν s let Q!s νs let s let Q Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
40 Grammar of normalized processes P ::= s ν s let T s ν consists of a sequence of (νa) s let consists of a sequence of let x = D in such that D always succeeds. T ::= Q if M then T 1 else T 2 decision tree test Q ::= R 1... R n S parallel composition (n 0) R ::= M(x).P M N.Q communication input output S ::= optional replicated process!s ν s let Q replicated process 0 no replicated process Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
41 Some explanation When two processes Q have the same structure, we will be able to merge them. The structure ignores the precise channels and messages of inputs and outputs and considers parallel composition up to associativity and commutativity. It seems difficult to go further with general syntactic rules. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
42 Merging Merge leaves of decision trees then then C else then C else then C else C 1 else then C 2 else then C 3 else then Q P C 4 else Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
43 Merging Merge leaves of decision trees then then C then C else then else C else C 1 else then C 2 else then C 3 else then C 4 else If necessary, reorganize the decision tree so that the merged leaves are the two branches of an if. Q P Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
44 Merging inputs and outputs (R) New destructor ite(true,u,v) u otherwise ite(x,u,v) v Outputs then C else M N.Q M N.Q ite(c,m,m ) ite(c,n,n ). C then else Q Q Inputs then C else M(x).Q M (x ).Q ite(c,m,m )(x ). C then else Q{ x / x } Q { x / x } Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
45 Merging parallel compositions (Q) then C else R 1... R n S C R 1... R n S then else R 1 then... C R i else 1 R n then C R i else n S S i 1,...i n is a permutation of 1,...,n. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
46 Merging replications (S) Nil Replication (naive version) then C else then C else!s ν s let Q!s νs let Q!s ν s νs let s let C then else Q Q!s ν1 s let1!s ν2 s let2 Q can actually be merged with!s νs let Q by merging Q and Q, because!s νs let Q!!s νs let Q. Separate the processes in s ν s let Q and s νs let Q into independent groups. Possibly add a replication in front of some of these groups. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
47 Merging general processes (P) then C else s ν s let T s ν s νs let s s νs let let if C then T else T T Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
48 Properties of this algorithm Soundness: these transformations preserve observational equivalence Incomplete. Open question: partial completeness? All channels public Other conditions? Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
49 Demo File private auth biprocess.pv File private auth processes.pv Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
50 Conclusion ProVerif is the only tool that can prove process equivalences for an unbounded number of sessions. Restricted but useful class of equivalences: First restricted to processes that differ only by the terms they contain. Extended by automatic merging of processes. Tool available at Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
51 Back to the applied pi calculus ÅÓ Ð Î ÐÙ Æ Û Æ Ñ Ò Ë ÙÖ ÓÑÑÙÒ Ø ÓÒ Å ÖØ Ò ÐÐ Ä Ê Ö ÄÙ ÒØ Ì ÒÓÐÓ Ö ÓÙÖÒ Ø Å ÖÓ Ó Ø Ê Ö ØÖ Ø Ï ØÙ Ý Ø ÒØ Ö Ø ÓÒ Ó Ø Ò Û ÓÒ ØÖÙØ Û Ø Ö ÙØ ÓÑÑÓÒ ÓÖÑ Ó Ö Ø¹ÓÖ Öµ ÓÑÑÙÒ Ø ÓÒº Ì Ò¹ Ø Ö Ø ÓÒ ÖÙ Ð Ò ÙÖ ØÝ ÔÖÓØÓÓÐ Û Ö Ø Ñ Ò ÑÓØ Ú Ø Ò Ü ÑÔÐ ÓÖ ÓÙÖ ÛÓÖ Ø Ð Ó ÔÔ Ö Ò ÓØ Ö ÔÖÓ Ö ÑÑ Ò ¹Ð Ò Ù ÓÒØ ÜØ º ËÔ ÐÐÝ Û ÒØÖÓ Ù ÑÔÐ Ò Ö Ð ÜØ Ò ÓÒ Ó Ø Ô ÐÙÐÙ Û Ø Ú ÐÙ Ô ¹ Ò ÔÖ Ñ Ø Ú ÙÒØ ÓÒ Ò ÕÙ Ø ÓÒ ÑÓÒ Ø ÖÑ º Ï Ú ÐÓÔ Ñ ÒØ Ò ÔÖÓÓ Ø Ò ÕÙ ÓÖ Ø ÜØ Ò Ð Ò Ù Ò ÔÔÐÝ Ø Ñ Ò Ö ÓÒ Ò ÓÙØ ÓÑ ÙÖ ØÝ ÔÖÓØÓÓÐ º Ì ÆÙÐØ Ö Ó Ø Ò ÖÙÑÚ ÒØ Ø ÖÓÙ ÓÒ¹Ø ¹ Ý ÜØ Ò ÓÒ º Ì ÜØ Ò ÓÒ Ö Ò ÖÓÑ ÕÙ ÔÙÒØ ÓÖ Ø Ò ÜØ Ü ÑÔРРس ÔÖ Ø Ò Ø Ø Û Ú Ø ØÝÔ Ó ÒØ Ö µ ØÓ Ø Ð ÓÖ ÓÙ Ú ÐÓÔÑ ÒØ Ó Ò Û ÐÙÐ Ù Ø Ô ÐÙÐÙ Ò Ø Ú Ö ÒØ º Ò Ö ÐÐÝ Ø ÜØ Ò¹ ÓÒ Ö Ò Ù ÐÓ Ö ØÓ Ö Ð Ø ÔÖÓ Ö ÑÑ Ò Ð Ò Ù ÓÖ ÑÓ Ð Ò Ð Ò Ù Ø Ø ÒÓØ ÐÛ Ý Ø Ò º ÐØ ÓÙ Ñ ÒÝ Ó Ø Ö ÙÐØ Ò ÐÙÐ Ö Ó Ò ÔÓÓÖÐÝ ÙÒ Ö ØÓÓ ÓØ Ö Ö ÖÓ Ù Ø Ò ÙÒ ÓÖÑ ÒÓÙ ØÓ Ú Ö Ø ÓÖÝ Ò Ú Ö ØÝ Ó ÔÔÐ Ø ÓÒ º ÁÒ Ô ÖØ ÙÐ Ö ÑÔÙÖ ÜØ Ò ÓÒ Ó Ø Ð Ñ ÐÙÐÙ Û Ø ÙÒØ ÓÒ ÝÑ ÓÐ Ò Û Ø ÕÙ Ø ÓÒ ÑÓÒ Ø ÖÑ ÐØ ÖÙÐ µ Ú Ò Ú ÐÓÔ Ý Ø Ñ Ø ÐÐÝ Û Ø ÓÒ Ö¹ ½ ÓÖ ÑÔÙÖ ØÝ Ð Ù º Ë Ñ Ð ÖÐÝ ÑÔÙÖ Ú Ö ÓÒ Ó Ë Ò ËÈ Û Ø Ú ÐÙ ¹Ô Ò Ö ÒÓØ ÐÛ Ý Ô ÙØ Ó Ø Ò Ò Ø Ò ÈÙÖ ØÝ Ó Ø Ò ÓÑ ÓÖ ÓÒÚ Ò Ò Ò Ú Ò ÓÖ Ø ÙÐÒ Ò Ø Ð Ñ ÐÙÐÙ Ø Ô ÐÙÐÙ Ò ÓÒÚ Ò ÒØ ½ º ÁÒ Ø Ô Ô Ö Û ÒØÖÓ Ù ØÙ Ý Ò Ù Ò Ò ÐÓ¹ BrunoÓØ Ö Blanchet ÓÙÒ Ø ÓÒ Ð (INRIA) ÔÖÓ Ö ÑÑ Ò Ð Ò Ù º Observational ÓÖ Ü ÑÔÐ equivalence ÓÙ with ÙÒ ÓÖÑ ProVerif ÜØ Ò ÓÒ Ó Ø Ô ÐÙÐÙ Û June Û 2015 ÐÐ Ø 39 / 40
52 Advertisement With Martín Abadi and Cédric Fournet, we recently revisited their applied pi calculus paper [POPL 01]: Minor changes to the language to make it closer to ProVerif Detailed proofs of all results Revised examples New example on indifferentiability Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40
Proving More Observational Equivalences with ProVerif
Proving More Observational Equivalences with ProVerif Vincent Cheval 1 and Bruno Blanchet 2 1 LSV, ENS Cachan & CNRS & INRIA Saclay Île-de-France, France cheval@lsv.ens-cachan.fr 2 INRIA Paris-Rocquencourt,
More informationLars Schmidt-Thieme, Information Systems and Machine Learning Lab (ISMLL), Institute BW/WI & Institute for Computer Science, University of Hildesheim
Course on Information Systems 2, summer term 2010 0/29 Information Systems 2 Information Systems 2 5. Business Process Modelling I: Models Lars Schmidt-Thieme Information Systems and Machine Learning Lab
More informationF(jω) = a(jω p 1 )(jω p 2 ) Û Ö p i = b± b 2 4ac. ω c = Y X (jω) = 1. 6R 2 C 2 (jω) 2 +7RCjω+1. 1 (6jωRC+1)(jωRC+1) RC, 1. RC = p 1, p
ÓÖ Ò ÊÄ Ò Ò Û Ò Ò Ö Ý ½¾ Ù Ö ÓÖ ÖÓÑ Ö ÓÒ Ò ÄÈ ÐØ Ö ½¾ ½¾ ½» ½½ ÓÖ Ò ÊÄ Ò Ò Û Ò Ò Ö Ý ¾ Á b 2 < 4ac Û ÒÒÓØ ÓÖ Þ Û Ö Ð Ó ÒØ Ó Û Ð Ú ÕÙ Ö º ËÓÑ Ñ ÐÐ ÕÙ Ö Ö ÓÒ Ò º Ù Ö ÓÖ ½¾ ÓÖ Ù Ö ÕÙ Ö ÓÖ Ò ØÖ Ò Ö ÙÒØ ÓÒ
More informationÇÙÐ Ò ½º ÅÙÐ ÔÐ ÔÓÐÝÐÓ Ö Ñ Ò Ú Ö Ð Ú Ö Ð ¾º Ä Ò Ö Ö Ù Ð Ý Ó ËÝÑ ÒÞ ÔÓÐÝÒÓÑ Ð º Ì ÛÓ¹ÐÓÓÔ ÙÒÖ Ö Ô Û Ö Ö ÖÝ Ñ ¹ ÝÓÒ ÑÙÐ ÔÐ ÔÓÐÝÐÓ Ö Ñ
ÅÙÐ ÔÐ ÔÓÐÝÐÓ Ö Ñ Ò ÝÒÑ Ò Ò Ö Ð Ö Ò Ó Ò Ö ÀÍ ÖÐ Òµ Ó Ò ÛÓÖ Û Ö Ò ÖÓÛÒ Ö Ú ½ ¼¾º ¾½ Û Åº Ä Ö Ö Ú ½ ¼¾º ¼¼ Û Äº Ñ Ò Ëº Ï ÒÞ ÖÐ Å ÒÞ ½ º¼ º¾¼½ ÇÙÐ Ò ½º ÅÙÐ ÔÐ ÔÓÐÝÐÓ Ö Ñ Ò Ú Ö Ð Ú Ö Ð ¾º Ä Ò Ö Ö Ù Ð Ý Ó ËÝÑ
More informationAutomated Verification of Selected Equivalences for Security Protocols
Automated Verification of Selected Equivalences for Security Protocols Bruno Blanchet CNRS, École Normale Supérieure, Paris Martín Abadi University of California, Santa Cruz Cédric Fournet Microsoft Research,
More informationRadu Alexandru GHERGHESCU, Dorin POENARU and Walter GREINER
È Ö Ò Ò Ù Ò Ò Ò ÖÝ ÒÙÐ Ö Ý Ø Ñ Radu Alexandru GHERGHESCU, Dorin POENARU and Walter GREINER Radu.Gherghescu@nipne.ro IFIN-HH, Bucharest-Magurele, Romania and Frankfurt Institute for Advanced Studies, J
More informationAnalysing privacy-type properties in cryptographic protocols
Analysing privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Wednesday, January 14th, 2015 S. Delaune (LSV) Verification of cryptographic protocols 14th
More informationA process algebraic analysis of privacy-type properties in cryptographic protocols
A process algebraic analysis of privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Saturday, September 6th, 2014 S. Delaune (LSV) Verification of cryptographic
More informationA Short Tutorial on Proverif
A Short Tutorial on Proverif Alfredo Pironti and Riccardo Sisto Politecnico di Torino, Italy Cryptoforma Meeting, Apr 8, 2010 1 Outline PART 1: how the tool works (Riccardo Sisto) Context: Abstract modelling
More informationArbeitstagung: Gruppen und Topologische Gruppen Vienna July 6 July 7, Abstracts
Arbeitstagung: Gruppen und Topologische Gruppen Vienna July 6 July 7, 202 Abstracts ÁÒÚ Ö Ð Ñ Ø Ó Ø¹Ú ÐÙ ÙÒØ ÓÒ ÁÞØÓ Ò ÞØÓ º Ò ÙÒ ¹Ñ º ÙÐØÝ Ó Æ ØÙÖ Ð Ë Ò Ò Å Ø Ñ Ø ÍÒ Ú Ö ØÝ Ó Å Ö ÓÖ ÃÓÖÓ ½ ¼ Å Ö ÓÖ ¾¼¼¼
More informationA Language for Task Orchestration and its Semantic Properties
DEPARTMENT OF COMPUTER SCIENCES A Language for Task Orchestration and its Semantic Properties David Kitchin, William Cook and Jayadev Misra Department of Computer Science University of Texas at Austin
More informationLund Institute of Technology Centre for Mathematical Sciences Mathematical Statistics
Lund Institute of Technology Centre for Mathematical Sciences Mathematical Statistics STATISTICAL METHODS FOR SAFETY ANALYSIS FMS065 ÓÑÔÙØ Ö Ü Ö Ì ÓÓØ ØÖ Ô Ð ÓÖ Ø Ñ Ò Ý Ò Ò ÐÝ In this exercise we will
More informationµ(, y) Computing the Möbius fun tion µ(x, x) = 1 The Möbius fun tion is de ned b y and X µ(x, t) = 0 x < y if x6t6y 3
ÈÖÑÙØØÓÒ ÔØØÖÒ Ò Ø ÅÙ ÙÒØÓÒ ÙÖ ØÒ ÎØ ÂÐÒ Ú ÂÐÒÓÚ Ò ÐÜ ËØÒÖÑ ÓÒ ÒÖ Ì ØÛÓµ 2314 ½¾ ½ ¾ ¾½ ¾ ½ ½¾ ¾½ ½¾ ¾½ ½ Ì ÔÓ Ø Ó ÔÖÑÙØØÓÒ ÛºÖºØº ÔØØÖÒ ÓÒØÒÑÒØ ½ 2314 ½¾ ½ ¾ ¾½ ¾ ½ ½¾ ¾½ ½¾ ¾½ Ì ÒØÖÚÐ [12,2314] ½ ¾ ÓÑÔÙØÒ
More informationPH Nuclear Physics Laboratory Gamma spectroscopy (NP3)
Physics Department Royal Holloway University of London PH2510 - Nuclear Physics Laboratory Gamma spectroscopy (NP3) 1 Objectives The aim of this experiment is to demonstrate how γ-ray energy spectra may
More informationMASTER S THESIS FROM FORMAL TO COMPUTATIONAL AUTHENTICITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY
DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY MASTER S THESIS MICHAEL GARDE FROM FORMAL TO COMPUTATIONAL AUTHENTICITY AN APPROACH FOR RECONCILING FORMAL AND COMPUTATIONAL
More informationINRIA Sophia Antipolis France. TEITP p.1
ÌÖÙ Ø ÜØ Ò ÓÒ Ò ÓÕ Ä ÙÖ ÒØ Ì ÖÝ INRIA Sophia Antipolis France TEITP p.1 ÅÓØ Ú Ø ÓÒ Ï Ý ØÖÙ Ø Ó ÑÔÓÖØ ÒØ Å ÒÐÝ ÈÖÓÚ Ò ÌÖÙØ Ø Ò ÑÔÐ Ã Ô ÈÖÓÚ Ò ÌÖÙ Ø È Ó ÖÖÝ Ò ÈÖÓÓ µ Ò Ö ØÝ ÓÑ Ò ËÔ ÔÔÐ Ø ÓÒ TEITP p.2 ÇÙØÐ
More informationCryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March
More informationComplexity of automatic verification of cryptographic protocols
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic
More information2 Hallén s integral equation for the thin wire dipole antenna
Ú Ð Ð ÓÒÐ Ò Ø ØØÔ»» Ѻ Ö Ùº º Ö ÁÒغ º ÁÒ Ù ØÖ Ð Å Ø Ñ Ø ÎÓк ÆÓº ¾ ¾¼½½µ ½ ¹½ ¾ ÆÙÑ Ö Ð Ñ Ø Ó ÓÖ Ò ÐÝ Ó Ö Ø ÓÒ ÖÓÑ Ø Ò Û Ö ÔÓÐ ÒØ ÒÒ Ëº À Ø ÑÞ ¹Î ÖÑ ÞÝ Ö Åº Æ Ö¹ÅÓ Êº Ë Þ ¹Ë Ò µ Ô ÖØÑ ÒØ Ó Ð ØÖ Ð Ò Ò
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationx 0, x 1,...,x n f(x) p n (x) = f[x 0, x 1,..., x n, x]w n (x),
ÛÜØ Þ ÜÒ Ô ÚÜ Ô Ü Ñ Ü Ô Ð Ñ Ü ÜØ º½ ÞÜ Ò f Ø ÚÜ ÚÛÔ Ø Ü Ö ºÞ ÜÒ Ô ÚÜ Ô Ð Ü Ð Þ Õ Ô ÞØÔ ÛÜØ Ü ÚÛÔ Ø Ü Ö L(f) = f(x)dx ÚÜ Ô Ü ÜØ Þ Ü Ô, b] Ö Û Þ Ü Ô Ñ ÒÖØ k Ü f Ñ Df(x) = f (x) ÐÖ D Ü Ü ÜØ Þ Ü Ô Ñ Ü ÜØ Ñ
More informationÆÓÒ¹ÒØÖÐ ËÒÐØ ÓÙÒÖÝ
ÁÒØÖÐ ÓÙÒÖ Ò Ë»Ì Î ÊÐ ÔÖØÑÒØ Ó ÅØÑØ ÍÒÚÖ ØÝ Ó ÓÖ Á̳½½ ØÝ ÍÒÚÖ ØÝ ÄÓÒÓÒ ÔÖÐ ½ ¾¼½½ ÆÓÒ¹ÒØÖÐ ËÒÐØ ÓÙÒÖÝ ÇÙØÐÒ ËÙÔÖ ØÖÒ Ò Ë»Ì Ì ØÙÔ ÏÓÖÐ Ø Ë¹ÑØÖÜ ÍÒÖÐÝÒ ÝÑÑØÖ ÁÒØÖÐ ÓÙÒÖ ÁÒØÖÐØÝ Ø Ø ÓÙÒÖÝ» ÖÒ Ò ØÛ Ø ÒÒ Ú»Ú
More informationAutomatic, computational proof of EKE using CryptoVerif
Automatic, computational proof of EKE using CryptoVerif (Work in progress) Bruno Blanchet blanchet@di.ens.fr Joint work with David Pointcheval CNRS, École Normale Supérieure, INRIA, Paris April 2010 Bruno
More informationLecture 16: Modern Classification (I) - Separating Hyperplanes
Lecture 16: Modern Classification (I) - Separating Hyperplanes Outline 1 2 Separating Hyperplane Binary SVM for Separable Case Bayes Rule for Binary Problems Consider the simplest case: two classes are
More informationÁÒØÖÓÙØÓÒ ÈÖÓÐÑ ØØÑÒØ ÓÚÖÒ¹ ÐØÖ Ò ËÑÙÐØÓÒ Ê ÙÐØ ÓÒÐÙ ÓÒ ÁÒÜ ½ ÁÒØÖÓÙØÓÒ ¾ ÈÖÓÐÑ ØØÑÒØ ÓÚÖÒ¹ ÐØÖ Ò ËÑÙÐØÓÒ Ê ÙÐØ ÓÒÐÙ ÓÒ
ÁÒØÖÓÙØÓÒ ÈÖÓÐÑ ØØÑÒØ ÓÚÖÒ¹ ÐØÖ Ò ËÑÙÐØÓÒ Ê ÙÐØ ÓÒÐÙ ÓÒ ÙÑÔ ÐØÖ ÓÖ ÙÒÖØÒ ÝÒÑ Ý ØÑ ÛØ ÖÓÔÓÙØ º ÓÐÞ ½ º º ÉÙÚÓ ¾ Áº ÈÖÖÓ ½ ʺ ËÒ ½ ½ ÔÖØÑÒØ Ó ÁÒÙ ØÖÐ ËÝ ØÑ ÒÒÖÒ Ò Ò ÍÒÚÖ ØØ ÂÙÑ Á ØÐÐ ËÔÒ ¾ ËÓÓÐ Ó ÐØÖÐ ÒÒÖÒ
More informationExtending ProVerif s Resolution Algorithm for Verifying Group Protocols
Extending ProVerif s Resolution Algorithm for Verifying Group Protocols Miriam Paiola miriam.paiola@ens.fr Ecole Normale Supérieure June 25, 2010 Extending ProVerif s Resolution Algorithm, for Verifying
More informationAnalyzing Security Protocols with Secrecy Types and Logic Programs
Analyzing Security Protocols with Secrecy Types and Logic Programs Martín Abadi Computer Science Department University of California, Santa Cruz abadi@cs.ucsc.edu Bruno Blanchet Département d Informatique
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationhal , version 1-27 Mar 2014
Author manuscript, published in "2nd Multidisciplinary International Conference on Scheduling : Theory and Applications (MISTA 2005), New York, NY. : United States (2005)" 2 More formally, we denote by
More informationAn Efficient Cryptographic Protocol Verifier Based on Prolog Rules
An Efficient Cryptographic Protocol Verifier Based on Prolog Rules Bruno Blanchet INRIA Rocquencourt Domaine de Voluceau B.P. 105 78153 Le Chesnay Cedex, France Bruno.Blanchet@inria.fr Abstract We present
More informationThis document has been prepared by Sunder Kidambi with the blessings of
Ö À Ö Ñ Ø Ò Ñ ÒØ Ñ Ý Ò Ñ À Ö Ñ Ò Ú º Ò Ì ÝÊ À Å Ú Ø Å Ê ý Ú ÒØ º ÝÊ Ú Ý Ê Ñ º Å º ² ºÅ ý ý ý ý Ö Ð º Ñ ÒÜ Æ Å Ò Ñ Ú «Ä À ý ý This document has been prepared by Sunder Kidambi with the blessings of Ö º
More informationAutomated reasoning for equivalences in the applied pi calculus with barriers
Automated reasoning for equivalences in the applied pi calculus with barriers Bruno Blanchet, Ben Smyth RESEARCH REPORT N 8906 April 2016 Project-Team Prosecco ISSN 0249-6399 ISRN INRIA/RR--8906--FR+ENG
More informationSKMM 3023 Applied Numerical Methods
SKMM 3023 Applied Numerical Methods Solution of Nonlinear Equations ibn Abdullah Faculty of Mechanical Engineering Òº ÙÐÐ ÚºÒÙÐÐ ¾¼½ SKMM 3023 Applied Numerical Methods Solution of Nonlinear Equations
More information! " # $! % & '! , ) ( + - (. ) ( ) * + / 0 1 2 3 0 / 4 5 / 6 0 ; 8 7 < = 7 > 8 7 8 9 : Œ Š ž P P h ˆ Š ˆ Œ ˆ Š ˆ Ž Ž Ý Ü Ý Ü Ý Ž Ý ê ç è ± ¹ ¼ ¹ ä ± ¹ w ç ¹ è ¼ è Œ ¹ ± ¹ è ¹ è ä ç w ¹ ã ¼ ¹ ä ¹ ¼ ¹ ±
More informationSME 3023 Applied Numerical Methods
UNIVERSITI TEKNOLOGI MALAYSIA SME 3023 Applied Numerical Methods Solution of Nonlinear Equations Abu Hasan Abdullah Faculty of Mechanical Engineering Sept 2012 Abu Hasan Abdullah (FME) SME 3023 Applied
More informationA Calculus for Control Flow Analysis of Security Protocols
International Journal of Information Security manuscript No. (will be inserted by the editor) A Calculus for Control Flow Analysis of Security Protocols Mikael Buchholtz, Hanne Riis Nielson, Flemming Nielson
More informationEncoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania
Encoding security protocols in the cryptographic λ-calculus Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania An obvious fact Security is important Cryptography is a major way to
More informationAn Example file... log.txt
# ' ' Start of fie & %$ " 1 - : 5? ;., B - ( * * B - ( * * F I / 0. )- +, * ( ) 8 8 7 /. 6 )- +, 5 5 3 2( 7 7 +, 6 6 9( 3 5( ) 7-0 +, => - +< ( ) )- +, 7 / +, 5 9 (. 6 )- 0 * D>. C )- +, (A :, C 0 )- +,
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationAutomated Verification of Privacy in Security Protocols:
Automated Verification of Privacy in Security Protocols: Back and Forth Between Theory & Practice LSV, ENS Paris-Saclay, Université Paris-Saclay, CNRS April 21st 2017 PhD advisors: David Baelde & Stéphanie
More informationThe Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability
The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Catherine Meadows Naval Research Laboratory, Washington, DC 20375 catherine.meadows@nrl.navy.mil Formal Methods for the Science of
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationI118 Graphs and Automata
I8 Graphs and Automata Takako Nemoto http://www.jaist.ac.jp/ t-nemoto/teaching/203--.html April 23 0. Û. Û ÒÈÓ 2. Ø ÈÌ (a) ÏÛ Í (b) Ø Ó Ë (c) ÒÑ ÈÌ (d) ÒÌ (e) É Ö ÈÌ 3. ÈÌ (a) Î ÎÖ Í (b) ÒÌ . Û Ñ ÐÒ f
More informationImproving the Berlekamp algorithm for binomials x n a
Improving the Berlekamp algorithm for binomials x n a Ryuichi Harasawa Yutaka Sueyoshi Aichi Kudo Nagasaki University July 19, 2012 1 2 3 Idea Example Procedure after applying the proposed mehod 4 Theoretical
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationarxiv:hep-ph/ v1 10 May 2001
New data and the hard pomeron A Donnachie Department of Physics, Manchester University P V Landshoff DAMTP, Cambridge University DAMTP-200-38 M/C-TH-0/03 arxiv:hep-ph/005088v 0 May 200 Abstract New structure-function
More informationPeriodic monopoles and difference modules
Periodic monopoles and difference modules Takuro Mochizuki RIMS, Kyoto University 2018 February Introduction In complex geometry it is interesting to obtain a correspondence between objects in differential
More informationProbabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Lincoln, P. Mateus, M. Mitchell Standard analysis methods Finite-state
More informationMean, Median, Mode, More. Tilmann Gneiting University of Washington
Mean, Median, Mode, More ÓÖ ÉÙ ÒØ Ð ÇÔØ Ñ Ð ÈÓ ÒØ ÈÖ ØÓÖ Tilmann Gneiting University of Washington Mean, Median, Mode, More or Quantiles as Optimal Point Predictors Tilmann Gneiting University of Washington
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationVerification of the TLS Handshake protocol
Verification of the TLS Handshake protocol Carst Tankink (0569954), Pim Vullers (0575766) 20th May 2008 1 Introduction In this text, we will analyse the Transport Layer Security (TLS) handshake protocol.
More informationMulti-electron and multi-channel effects on Harmonic Generation
Multi-electron and multi-channel effects on Harmonic Generation Contact abrown41@qub.ac.uk A.C. Brown and H.W. van der Hart Centre for Theoretical Atomic, Molecular and Optical Physics, Queen s University
More informationMixing Finite Success and Finite Failure. Automated Prover
in an Automated Prover Alwen Tiu 1, Gopalan Nadathur 2 and Dale Miller 3 1 INRIA Lorraine, France 2 University of Minnesota, USA 3 INRIA Futurs/École polytechnique, France ESHOL 2005 Montego Bay, Jamaica
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationIdentity Authentication and Secrecy in the πcalculus and Prolog
Wesleyan University The Honors College Identity Authentication and Secrecy in the πcalculus and Prolog by Stefan Sundseth A thesis submitted to the faculty of Wesleyan University in partial fulfillment
More informationConstructive Decision Theory
Constructive Decision Theory Joe Halpern Cornell University Joint work with Larry Blume and David Easley Economics Cornell Constructive Decision Theory p. 1/2 Savage s Approach Savage s approach to decision
More informationFrom the Applied Pi Calculus to Horn Clauses for Protocols with Lists
From the Applied Pi Calculus to Horn Clauses for Protocols with Lists Miriam Paiola, Bruno Blanchet To cite this version: Miriam Paiola, Bruno Blanchet. From the Applied Pi Calculus to Horn Clauses for
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationA one message protocol using cryptography, where K AB is a symmetric key shared between A and B for private communication. A B : {M} KAB on c AB
A one message protocol using cryptography, where K AB is a symmetric key shared between A and B for private communication. A B : {M} KAB on c AB This can be represented as A send cab {M} KAB ;halt B recv
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationRedoing the Foundations of Decision Theory
Redoing the Foundations of Decision Theory Joe Halpern Cornell University Joint work with Larry Blume and David Easley Economics Cornell Redoing the Foundations of Decision Theory p. 1/21 Decision Making:
More informationBlock vs. Stream cipher
Block vs. Stream cipher Idea of a block cipher: partition the text into relatively large (e.g. 128 bits) blocks and encode each block separately. The encoding of each block generally depends on at most
More informationLecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationu x + u y = x u . u(x, 0) = e x2 The characteristics satisfy dx dt = 1, dy dt = 1
Õ 83-25 Þ ÛÐ Þ Ð ÚÔÜØ Þ ÝÒ Þ Ô ÜÞØ ¹ 3 Ñ Ð ÜÞ u x + u y = x u u(x, 0) = e x2 ÝÒ Þ Ü ÞØ º½ dt =, dt = x = t + c, y = t + c 2 We can choose c to be zero without loss of generality Note that each characteristic
More informationCHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
INSTITUT FÜR INFORMATIK UND PRAKTISCHE MATHEMATIK A Constraint-Based Algorithm for Contract-Signing Protocols Detlef Kähler, Ralf Küsters Bericht Nr. 0503 April 2005 CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
More informationGroup Diffie Hellman Protocols and ProVerif
Group Diffie Hellman Protocols and ProVerif CS 395T - Design and Analysis of Security Protocols Ankur Gupta Secure Multicast Communication Examples: Live broadcast of a match, stock quotes, video conferencing.
More information«Û +(2 )Û, the total charge of the EH-pair is at most «Û +(2 )Û +(1+ )Û ¼, and thus the charging ratio is at most
ÁÑÔÖÓÚ ÇÒÐÒ ÐÓÖØÑ ÓÖ Ù«Ö ÅÒÑÒØ Ò ÉÓË ËÛØ ÅÖ ÖÓ ÏÓ ÂÛÓÖ ÂÖ ËÐÐ Ý ÌÓÑ ÌÝ Ý ØÖØ We consider the following buffer management problem arising in QoS networks: packets with specified weights and deadlines arrive
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationChebyshev Spectral Methods and the Lane-Emden Problem
Numer. Math. Theor. Meth. Appl. Vol. 4, No. 2, pp. 142-157 doi: 10.4208/nmtma.2011.42s.2 May 2011 Chebyshev Spectral Methods and the Lane-Emden Problem John P. Boyd Department of Atmospheric, Oceanic and
More informationNegative applications of the ASM thesis
Negative applications of the ASM thesis Dean Rosenzweig and Davor Runje University of Zagreb Berlin, February 26-27, 2007 Outline 1 Negative applications of the ASM thesis Motivation Non-interactive algorithms
More informationNSL Verification and Attacks Agents Playing Both Roles
NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality
More informationEvolution of the water stable isotopic composition of the rain sampled along Sahelian squall lines
Evolution of the water stable isotopic composition of the rain sampled along Sahelian squall lines Camille Risi, Sandrine Bony, Françoise Vimeux, Luc Descroix AMMA meeting, Toulouse 14 october 28 Water
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationCalculation of the van der Waals potential of argon dimer using a modified Tang-Toennies model
J. At. Mol. Sci. doi: 10.4208/jams.011511.022111a Vol. x, No. x, pp. 1-5 xxx 2011 ½ ¾ ½¼ Calculation of the van der Waals potential of argon dimer using a modified Tang-Toennies model J. F. Peng a, P.
More informationCryptoVerif - the tool of crypto analysis
CryptoVerif - the tool of crypto analysis Ivo Seeba The University of Tartu, The Department of Computer Science, EST Abstract. This paper describes about crypto analyzing program CryptoVerif. There is
More informationMonodic Temporal Resolution
Monodic Temporal Resolution ANATOLY DEGTYAREV Department of Computer Science, King s College London, London, UK. and MICHAEL FISHER and BORIS KONEV Department of Computer Science, University of Liverpool,
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University
More informationA method for proving observational equivalence
A method for proving observational equivalence Véronique Cortier LORIA, CNRS & INRIA Nancy Grand Est France Email: cortier@loria.fr Stéphanie Delaune LSV, ENS Cachan & CNRS & INRIA Saclay France Email:
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationPrivate Authentication
Private Authentication Martín Abadi University of California at Santa Cruz Cédric Fournet Microsoft Research Abstract Frequently, communication between two principals reveals their identities and presence
More informationNotes on BAN Logic CSG 399. March 7, 2006
Notes on BAN Logic CSG 399 March 7, 2006 The wide-mouthed frog protocol, in a slightly different form, with only the first two messages, and time stamps: A S : A, {T a, B, K ab } Kas S B : {T s, A, K ab
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 2: Perfect Secrecy and its Limitations
CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption
More informationON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL
1 ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL GIOVANNI DI CRESCENZO Telcordia Technologies, Piscataway, NJ, USA. E-mail: giovanni@research.telcordia.com IVAN VISCONTI Dipartimento di Informatica
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationApplications of Discrete Mathematics to the Analysis of Algorithms
Applications of Discrete Mathematics to the Analysis of Algorithms Conrado Martínez Univ. Politècnica de Catalunya, Spain May 2007 Goal Given some algorithm taking inputs from some set Á, we would like
More informationDepending on equations
Depending on equations A proof-relevant framework for unification in dependent type theory Jesper Cockx DistriNet KU Leuven 3 September 2017 Unification for dependent types Unification is used for many
More informationSymbolic Encryption with Pseudorandom Keys
Symbolic Encryption with Pseudorandom Keys Daniele Micciancio February 23, 2018 Abstract We give an efficient decision procedure that, on input two (acyclic) cryptographic expressions making arbitrary
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More informationNon-Conversation-Based Zero Knowledge
Non-Conversation-Based Zero Knowledge JOËL ALWEN Università di Salerno 84084 Fisciano (SA) ITALY jfa237@nyu.edu GIUSEPPE PERSIANO Università di Salerno 84084 Fisciano (SA) ITALY giuper@dia.unisa.it Submission
More informationControl Flow Analysis of Security Protocols (I)
Control Flow Analysis of Security Protocols (I) Mikael Buchholtz 02913 F2005 Mikael Buchholtz p. 1 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography 02913 F2005
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationTutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction
Tutorial on Quantum Computing Vwani P. Roychowdhury Lecture 1: Introduction 1 & ) &! # Fundamentals Qubits A single qubit is a two state system, such as a two level atom we denote two orthogonal states
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationCrypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.
Crypto math II Alin Tomescu alinush@mit.edu May 7, 015 Abstract A quick overview on group theory from Ron Rivest s 6.857 course in Spring 015. 1 Overview Group theory review Diffie-Hellman (DH) key exchange
More information