Proving observational equivalence with ProVerif
Size: px
Start display at page:

Download "Proving observational equivalence with ProVerif"

Transcription

1 Proving observational equivalence with ProVerif Bruno Blanchet INRIA Paris-Rocquencourt based on joint work with Martín Abadi and Cédric Fournet and with Vincent Cheval June 2015 Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

2 Introduction Analysis of cryptographic protocols: Powerful automatic tools for proving properties on behaviors (traces) of protocols (secrecy of keys, correspondences). For instance, ProVerif was initially designed to prove trace properties. Many important properties can be formalized as process equivalences, not as properties on behaviors: secrecy of a boolean x in P(x): P(true) P(false) the process P implements an ideal specification Q: P Q Equivalences are usually proved by difficult, long manual proofs. Already much research on this topic, using in particular sophisticated bisimulation techniques (e.g., Boreale et al). Some recent tools for a bounded number of sessions (APTE, Akiss) Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

3 Selected work relying on equivalences January 25, 1998 SRC Research Report 149 A Calculus for Cryptographic Protocols The Spi Calculus Martín Abadi and Andrew D. Gordon Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

4 Selected work relying on equivalences Secrecy by Typing in Security Protocols Martín Abadi Systems Research Center Compaq December 8, 1998 Abstract We develop principles and rules for achieving secrecy properties in security protocols. Our approach is based on traditional classification techniques, and extends those techniques to handle concurrent processes that use shared-key cryptography. The rules have the form of typing rules for a basic concurrent language with cryptographic primitives, the spi calculus. They guarantee that, if a protocol typechecks, then it does not leak its secret inputs. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

5 Selected work relying on equivalences ÅÓ Ð Î ÐÙ Æ Û Æ Ñ Ò Ë ÙÖ ÓÑÑÙÒ Ø ÓÒ Å ÖØ Ò ÐÐ Ä Ê Ö ÄÙ ÒØ Ì ÒÓÐÓ Ö ÓÙÖÒ Ø Å ÖÓ Ó Ø Ê Ö ØÖ Ø Ï ØÙ Ý Ø ÒØ Ö Ø ÓÒ Ó Ø Ò Û ÓÒ ØÖÙØ Û Ø Ö ÙØ ÓÑÑÓÒ ÓÖÑ Ó Ö Ø¹ÓÖ Öµ ÓÑÑÙÒ Ø ÓÒº Ì Ò¹ Ø Ö Ø ÓÒ ÖÙ Ð Ò ÙÖ ØÝ ÔÖÓØÓÓÐ Û Ö Ø Ñ Ò ÑÓØ Ú Ø Ò Ü ÑÔÐ ÓÖ ÓÙÖ ÛÓÖ Ø Ð Ó ÔÔ Ö Ò ÓØ Ö ÔÖÓ Ö ÑÑ Ò ¹Ð Ò Ù ÓÒØ ÜØ º ËÔ ÐÐÝ Û ÒØÖÓ Ù ÑÔÐ Ò Ö Ð ÜØ Ò ÓÒ Ó Ø Ô ÐÙÐÙ Û Ø Ú ÐÙ Ô ¹ Ò ÔÖ Ñ Ø Ú ÙÒØ ÓÒ Ò ÕÙ Ø ÓÒ ÑÓÒ Ø ÖÑ º Ï Ú ÐÓÔ Ñ ÒØ Ò ÔÖÓÓ Ø Ò ÕÙ ÓÖ Ø ÜØ Ò Ð Ò Ù Ò ÔÔÐÝ Ø Ñ Ò Ö ÓÒ Ò ÓÙØ ÓÑ ÙÖ ØÝ ÔÖÓØÓÓÐ º Ì ÆÙÐØ Ö Ó Ø Ò ÖÙÑÚ ÒØ Ø ÖÓÙ ÓÒ¹Ø ¹ Ý ÜØ Ò ÓÒ º Ì ÜØ Ò ÓÒ Ö Ò ÖÓÑ ÕÙ ÔÙÒØ ÓÖ Ø Ò ÜØ Ü ÑÔРРس ÔÖ Ø Ò Ø Ø Û Ú Ø ØÝÔ Ó ÒØ Ö µ ØÓ Ø Ð ÓÖ ÓÙ Ú ÐÓÔÑ ÒØ Ó Ò Û ÐÙÐ Ù Ø Ô ÐÙÐÙ Ò Ø Ú Ö ÒØ º Ò Ö ÐÐÝ Ø ÜØ Ò¹ ÓÒ Ö Ò Ù ÐÓ Ö ØÓ Ö Ð Ø ÔÖÓ Ö ÑÑ Ò Ð Ò Ù ÓÖ ÑÓ Ð Ò Ð Ò Ù Ø Ø ÒÓØ ÐÛ Ý Ø Ò º ÐØ ÓÙ Ñ ÒÝ Ó Ø Ö ÙÐØ Ò ÐÙÐ Ö Ó Ò ÔÓÓÖÐÝ ÙÒ Ö ØÓÓ ÓØ Ö Ö ÖÓ Ù Ø Ò ÙÒ ÓÖÑ ÒÓÙ ØÓ Ú Ö Ø ÓÖÝ Ò Ú Ö ØÝ Ó ÔÔÐ Ø ÓÒ º ÁÒ Ô ÖØ ÙÐ Ö ÑÔÙÖ ÜØ Ò ÓÒ Ó Ø Ð Ñ ÐÙÐÙ Û Ø ÙÒØ ÓÒ ÝÑ ÓÐ Ò Û Ø ÕÙ Ø ÓÒ ÑÓÒ Ø ÖÑ ÐØ ÖÙÐ µ Ú Ò Ú ÐÓÔ Ý Ø Ñ Ø ÐÐÝ Û Ø ÓÒ Ö¹ ½ ÓÖ ÑÔÙÖ ØÝ Ð Ù º Ë Ñ Ð ÖÐÝ ÑÔÙÖ Ú Ö ÓÒ Ó Ë Ò ËÈ Û Ø Ú ÐÙ ¹Ô Ò Ö ÒÓØ ÐÛ Ý Ô ÙØ Ó Ø Ò Ò Ø Ò ÈÙÖ ØÝ Ó Ø Ò ÓÑ ÓÖ ÓÒÚ Ò Ò Ò Ú Ò ÓÖ Ø ÙÐÒ Ò Ø Ð Ñ ÐÙÐÙ Ø Ô ÐÙÐÙ Ò ÓÒÚ Ò ÒØ ½ º ÁÒ Ø Ô Ô Ö Û ÒØÖÓ Ù ØÙ Ý Ò Ù Ò Ò ÐÓ¹ BrunoÓØ Ö Blanchet ÓÙÒ Ø ÓÒ Ð (INRIA) ÔÖÓ Ö ÑÑ Ò Ð Ò Ù º Observational ÓÖ Ü ÑÔÐ equivalence ÓÙ with ÙÒ ÓÖÑ ProVerif ÜØ Ò ÓÒ Ó Ø Ô ÐÙÐÙ Û June Û ÐÐ 2015 Ø 3 / 40

6 Equivalences as properties of behaviors (1) Goal: extend ProVerif to the proof of process equivalences. We focus on equivalences between processes that differ only by the terms they contain, e.g., P(true) P(false). Many interesting equivalences fall into this category. We introduce biprocesses to represent pairs of processes that differ only by the terms they contain. P(true) and P(false) are variants of a biprocess P(diff[true, false]). The variants give a different interpretation to diff[true, false], true for the first variant, false for the second one. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

7 Equivalences as properties of behaviors (2) We introduce a new operational semantics for biprocesses: A biprocess reduces when both variants reduce in the same way and after reduction, they still differ only by terms (so can be written using diff). We establish P(true) P(false) by reasoning on behaviors of P(diff[true, false]): If, for all reachable configurations, both variants reduce in the same way, then we have equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

8 Overview of the verification method Protocol: biprocess Pi calculus + cryptography Signature: Rewrite rules + equations Automatic translator Horn clauses Resolution with selection bad is not derivable Equivalence is true bad is derivable Equivalence may be false Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

9 The process calculus Dialect of the applied pi calculus [Abadi, Fournet, POPL 01]. M,N ::= terms x,y,z variable a,b,c,k,s name f(m 1,...,M n ) constructor application D ::= term evaluations M term fail special failure value h(d 1,...,D n ) function evaluation P, Q, R ::= processes M(x).P input M N.P output let x = D in P else Q term evaluation 0 P Q!P (νa)p if M then P else Q encoded as a term evaluation. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

10 Representation of cryptographic primitives Two possible representations: When success/failure is visible: destructors with rewrite rules constructor sencrypt destructor sdecrypt(sencrypt(x, y), y) x otherwise sdecrypt(u,v) fail The else branch of the term evaluation is executed when D fails, that is, D evaluates to fail. When success/failure is not visible: equations sdecrypt(sencrypt(x,y),y) = x sencrypt(sdecrypt(x,y),y) = x Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

11 Representation of cryptographic primitives Two possible representations: When success/failure is visible: destructors with rewrite rules constructor sencrypt destructor sdecrypt(sencrypt(x, y), y) x otherwise sdecrypt(u,v) fail The else branch of the term evaluation is executed when D fails, that is, D evaluates to fail. When success/failure is not visible: equations sdecrypt(sencrypt(x,y),y) = x sencrypt(sdecrypt(x,y),y) = x Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

12 Semantics D M when the term evaluation D evaluates to M. D fail when the term evaluation D fails. Uses rewrite rules of destructors and equations. transforms processes so that reduction rules can be applied. Main reduction rules: N M.Q N (x).p Q P{M/x} if Σ N = N (Red I/O) let x = D in P else Q P{M/x} (Red Fun 1) if D M let x = D in P else Q Q (Red Fun 2) if D fail Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

13 Observational equivalences and biprocesses Two processes P and Q are observationally equivalent (P Q) when the adversary cannot distinguish them. A biprocess P is a process with diff. fst(p) = the process obtained by replacing diff[m,m ] with M. snd(p) = the process obtained by replacing diff[m,m ] with M. P satisfies observational equivalence when fst(p) snd(p). Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

14 Semantics of biprocesses A biprocess reduces when both variants of the process reduce in the same way. N M.Q N (x).p Q P{M/x} if Σ fst(n) = fst(n ) and Σ snd(n) = snd(n ) (Red I/O) let x = D in P else Q P{diff[M 1,M 2 ]/x} (Red Fun 1) if fst(d) M 1 and snd(d) M 2 let x = D in P else Q Q (Red Fun 2) if fst(d) fail and snd(d) fail P Q fst(p) snd(p) fst(q) snd(q) Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

15 Proof of observational equivalence using biprocesses Let P 0 be a closed biprocess. If for all configurations P reachable from P 0 (in the presence of an adversary), both variants of P reduce in the same way, then P 0 satisfies observational equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

16 Proof of observational equivalence using biprocesses Let P 0 be a closed biprocess. If for all configurations P reachable from P 0 (in the presence of an adversary), both variants of P reduce in the same way, then P 0 satisfies observational equivalence. An adversary is represented by a plain evaluation context (evaluation context without diff), so: If, for all plain evaluation contexts C and reductions C[P 0 ] P, both variants of P reduce in the same way, then P 0 satisfies observational equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

17 Formalizing reduce in the same way The biprocess P is uniform when fst(p) Q 1 implies P Q for some biprocess Q with fst(q) Q 1, and symmetrically for snd(p) Q 2. P Q P Q fst(p) Q 1 fst(q) snd(p) snd(q) Q 2 If, for all plain evaluation contexts C and reductions C[P 0 ] P, the biprocess P is uniform, then P 0 satisfies observational equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

18 Result [Blanchet, Abadi, Fournet, JLAP, 2008] Let P 0 be a closed biprocess. Suppose that, for all plain evaluation contexts C, all evaluation contexts C, and all reductions C[P 0 ] P, 1 the (Red I/O) rules apply in the same way on both variants. if P C [N M.Q N (x).r], then Σ fst(n) = fst(n ) if and only if Σ snd(n) = snd(n ), 2 the (Red Fun) rules apply in the same way on both variants. if P C [let x = D in Q else R], then fst(d) fail if and only if snd(d) fail. Then P 0 satisfies observational equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

19 Application The previous result reduces the proof of observational equivalence to the proof of trace properties for biprocesses. We extend the Horn clause approach of ProVerif from processes to biprocesses, to prove these properties. Basically, each argument of the predicates is doubled, with one argument for each side. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

20 Example: probabilistic encryption Probabilistic public-key encryption is modeled by an equation: dec(enc(x,pk(s),a),s) = x Without knowledge of the decryption key, ciphertexts appear to be unrelated to the plaintexts. Ciphertexts are indistinguishable from fresh names: satisfies equivalence. (νs)(c pk(s)!c (x).(νa)c diff[enc(x,pk(s),a),a] ) This equivalence can be proved using the previous result, and verified automatically by ProVerif. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

21 Example: private authentication Simplified version of the private authentication protocol [Abadi, Fournet, TCS, 2004]. {N A,pk A } pkb {x,y} pkb y = pka? Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

22 Example: private authentication Simplified version of the private authentication protocol [Abadi, Fournet, TCS, 2004]. {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

23 Example: private authentication Simplified version of the private authentication protocol [Abadi, Fournet, TCS, 2004]. {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

24 Proving anonymity {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no Caesar should not be able to know who Obelix wants to talk to. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

25 False attack {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

26 False attack {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

27 False attack {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N A,pk A } pkb {x,y} pkb y = pka? {N B } pkb no The test takes a different branch: the proof of equivalence fails. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

28 Demo File private auth falseattack.pv Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

29 Solution: encode tests inside terms [Cheval, Blanchet, POST 13] The if-then-else destructor: ifthenelse(x,x,u,v) u otherwise ifthenelse(x,y,u,v) v Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

30 Solution: encode tests inside terms [Cheval, Blanchet, POST 13] The if-then-else destructor: ifthenelse(x,x,u,v) u otherwise ifthenelse(x,y,u,v) v {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

31 Solution: encode tests inside terms [Cheval, Blanchet, POST 13] The if-then-else destructor: ifthenelse(x,x,u,v) u otherwise ifthenelse(x,y,u,v) v {x,y} pkb M M = ifthenelse(y,pk A,{x,N B,pk B } y,{n B } pkb ) Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

32 Demo File private auth direct.pv Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

33 Merging two processes In order to prove that P and Q are observationally equivalent using this approach, we need to merge P and Q into a biprocess R: fst(r) P snd(r) Q Trivial when P and Q have exactly the same structure. There is a general merging: R = if diff[true,false] then P else Q does not allow ProVerif to prove observational equivalence. Do something more clever! Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

34 A related problem: simplifying biprocesses In the private authentication example, we moved a test from the process level to the term level. Doing the same on the process R = if diff[true,false] then P else Q could allow ProVerif to prove observational equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

35 A related problem: simplifying biprocesses In the private authentication example, we moved a test from the process level to the term level. Doing the same on the process R = if diff[true,false] then P else Q could allow ProVerif to prove observational equivalence....but moving this test implies merging the structures of P and Q! Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

36 Merging algorithm Merge branches of biprocesses: Automatically transforms the private authencation example Allows merging P and Q by applying it to if diff[true,false] then P else Q Two steps: 1 Normalize the process (Try to reorganize processes that send the same messages so that they have the same syntactic form.) 2 Merge branches on the normalized process Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

37 Normalization algorithm 1 Make sure term evaluations always succeed New destructors: catchfail(x) x otherwise catchfail(fail) c fail not c fail (c fail ) false otherwise not c fail (x) true let x = D in P else Q let x = catchfail(d) in if not c fail (x) then P else Q (We allow destructors outside let; they can be encoded using an additional let.) 2 Remove unused restrictions and lets;!0 0 Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

38 Normalization algorithm 3 Move new, let, if before outputs M N.(νa)P (νa)m N.P M N.let x = D in P let x = D in M N.P M N.if M then P else Q if M then M N.P else M N.Q (Avoid capture of names and variables.) 4 Move new, let, if before parallel composition ((νa).p) Q (νa).(p Q) (let x = D in P) Q let x = D in (P Q) (if M then P else P ) Q if M then P Q else P Q 5 Group replicated processes inside a parallel composition!p P!P P!(P P ) Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

39 Normalization algorithm 6 Move new, let before if if M then (νa)p else Q (νa)if M then P else Q if M then let x = D in P else Q let x = D in if M then P else Q 7 Move new before let let x = D in (νa)p (νa)let x = D in 8 Move if (with its new/let) before replication!s ν s let if M then P else Q s ν s let if M then!s ν s let P else!s ν s let Q The equational theory is closed under one-to-one renaming, so the test M will always yield the same result independently of the considered fresh names. 9 Remove double replication!s let!s ν s let Q!s νs let s let Q Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

40 Grammar of normalized processes P ::= s ν s let T s ν consists of a sequence of (νa) s let consists of a sequence of let x = D in such that D always succeeds. T ::= Q if M then T 1 else T 2 decision tree test Q ::= R 1... R n S parallel composition (n 0) R ::= M(x).P M N.Q communication input output S ::= optional replicated process!s ν s let Q replicated process 0 no replicated process Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

41 Some explanation When two processes Q have the same structure, we will be able to merge them. The structure ignores the precise channels and messages of inputs and outputs and considers parallel composition up to associativity and commutativity. It seems difficult to go further with general syntactic rules. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

42 Merging Merge leaves of decision trees then then C else then C else then C else C 1 else then C 2 else then C 3 else then Q P C 4 else Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

43 Merging Merge leaves of decision trees then then C then C else then else C else C 1 else then C 2 else then C 3 else then C 4 else If necessary, reorganize the decision tree so that the merged leaves are the two branches of an if. Q P Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

44 Merging inputs and outputs (R) New destructor ite(true,u,v) u otherwise ite(x,u,v) v Outputs then C else M N.Q M N.Q ite(c,m,m ) ite(c,n,n ). C then else Q Q Inputs then C else M(x).Q M (x ).Q ite(c,m,m )(x ). C then else Q{ x / x } Q { x / x } Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

45 Merging parallel compositions (Q) then C else R 1... R n S C R 1... R n S then else R 1 then... C R i else 1 R n then C R i else n S S i 1,...i n is a permutation of 1,...,n. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

46 Merging replications (S) Nil Replication (naive version) then C else then C else!s ν s let Q!s νs let Q!s ν s νs let s let C then else Q Q!s ν1 s let1!s ν2 s let2 Q can actually be merged with!s νs let Q by merging Q and Q, because!s νs let Q!!s νs let Q. Separate the processes in s ν s let Q and s νs let Q into independent groups. Possibly add a replication in front of some of these groups. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

47 Merging general processes (P) then C else s ν s let T s ν s νs let s s νs let let if C then T else T T Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

48 Properties of this algorithm Soundness: these transformations preserve observational equivalence Incomplete. Open question: partial completeness? All channels public Other conditions? Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

49 Demo File private auth biprocess.pv File private auth processes.pv Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

50 Conclusion ProVerif is the only tool that can prove process equivalences for an unbounded number of sessions. Restricted but useful class of equivalences: First restricted to processes that differ only by the terms they contain. Extended by automatic merging of processes. Tool available at Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

51 Back to the applied pi calculus ÅÓ Ð Î ÐÙ Æ Û Æ Ñ Ò Ë ÙÖ ÓÑÑÙÒ Ø ÓÒ Å ÖØ Ò ÐÐ Ä Ê Ö ÄÙ ÒØ Ì ÒÓÐÓ Ö ÓÙÖÒ Ø Å ÖÓ Ó Ø Ê Ö ØÖ Ø Ï ØÙ Ý Ø ÒØ Ö Ø ÓÒ Ó Ø Ò Û ÓÒ ØÖÙØ Û Ø Ö ÙØ ÓÑÑÓÒ ÓÖÑ Ó Ö Ø¹ÓÖ Öµ ÓÑÑÙÒ Ø ÓÒº Ì Ò¹ Ø Ö Ø ÓÒ ÖÙ Ð Ò ÙÖ ØÝ ÔÖÓØÓÓÐ Û Ö Ø Ñ Ò ÑÓØ Ú Ø Ò Ü ÑÔÐ ÓÖ ÓÙÖ ÛÓÖ Ø Ð Ó ÔÔ Ö Ò ÓØ Ö ÔÖÓ Ö ÑÑ Ò ¹Ð Ò Ù ÓÒØ ÜØ º ËÔ ÐÐÝ Û ÒØÖÓ Ù ÑÔÐ Ò Ö Ð ÜØ Ò ÓÒ Ó Ø Ô ÐÙÐÙ Û Ø Ú ÐÙ Ô ¹ Ò ÔÖ Ñ Ø Ú ÙÒØ ÓÒ Ò ÕÙ Ø ÓÒ ÑÓÒ Ø ÖÑ º Ï Ú ÐÓÔ Ñ ÒØ Ò ÔÖÓÓ Ø Ò ÕÙ ÓÖ Ø ÜØ Ò Ð Ò Ù Ò ÔÔÐÝ Ø Ñ Ò Ö ÓÒ Ò ÓÙØ ÓÑ ÙÖ ØÝ ÔÖÓØÓÓÐ º Ì ÆÙÐØ Ö Ó Ø Ò ÖÙÑÚ ÒØ Ø ÖÓÙ ÓÒ¹Ø ¹ Ý ÜØ Ò ÓÒ º Ì ÜØ Ò ÓÒ Ö Ò ÖÓÑ ÕÙ ÔÙÒØ ÓÖ Ø Ò ÜØ Ü ÑÔРРس ÔÖ Ø Ò Ø Ø Û Ú Ø ØÝÔ Ó ÒØ Ö µ ØÓ Ø Ð ÓÖ ÓÙ Ú ÐÓÔÑ ÒØ Ó Ò Û ÐÙÐ Ù Ø Ô ÐÙÐÙ Ò Ø Ú Ö ÒØ º Ò Ö ÐÐÝ Ø ÜØ Ò¹ ÓÒ Ö Ò Ù ÐÓ Ö ØÓ Ö Ð Ø ÔÖÓ Ö ÑÑ Ò Ð Ò Ù ÓÖ ÑÓ Ð Ò Ð Ò Ù Ø Ø ÒÓØ ÐÛ Ý Ø Ò º ÐØ ÓÙ Ñ ÒÝ Ó Ø Ö ÙÐØ Ò ÐÙÐ Ö Ó Ò ÔÓÓÖÐÝ ÙÒ Ö ØÓÓ ÓØ Ö Ö ÖÓ Ù Ø Ò ÙÒ ÓÖÑ ÒÓÙ ØÓ Ú Ö Ø ÓÖÝ Ò Ú Ö ØÝ Ó ÔÔÐ Ø ÓÒ º ÁÒ Ô ÖØ ÙÐ Ö ÑÔÙÖ ÜØ Ò ÓÒ Ó Ø Ð Ñ ÐÙÐÙ Û Ø ÙÒØ ÓÒ ÝÑ ÓÐ Ò Û Ø ÕÙ Ø ÓÒ ÑÓÒ Ø ÖÑ ÐØ ÖÙÐ µ Ú Ò Ú ÐÓÔ Ý Ø Ñ Ø ÐÐÝ Û Ø ÓÒ Ö¹ ½ ÓÖ ÑÔÙÖ ØÝ Ð Ù º Ë Ñ Ð ÖÐÝ ÑÔÙÖ Ú Ö ÓÒ Ó Ë Ò ËÈ Û Ø Ú ÐÙ ¹Ô Ò Ö ÒÓØ ÐÛ Ý Ô ÙØ Ó Ø Ò Ò Ø Ò ÈÙÖ ØÝ Ó Ø Ò ÓÑ ÓÖ ÓÒÚ Ò Ò Ò Ú Ò ÓÖ Ø ÙÐÒ Ò Ø Ð Ñ ÐÙÐÙ Ø Ô ÐÙÐÙ Ò ÓÒÚ Ò ÒØ ½ º ÁÒ Ø Ô Ô Ö Û ÒØÖÓ Ù ØÙ Ý Ò Ù Ò Ò ÐÓ¹ BrunoÓØ Ö Blanchet ÓÙÒ Ø ÓÒ Ð (INRIA) ÔÖÓ Ö ÑÑ Ò Ð Ò Ù º Observational ÓÖ Ü ÑÔÐ equivalence ÓÙ with ÙÒ ÓÖÑ ProVerif ÜØ Ò ÓÒ Ó Ø Ô ÐÙÐÙ Û June Û 2015 ÐÐ Ø 39 / 40

52 Advertisement With Martín Abadi and Cédric Fournet, we recently revisited their applied pi calculus paper [POPL 01]: Minor changes to the language to make it closer to ProVerif Detailed proofs of all results Revised examples New example on indifferentiability Bruno Blanchet (INRIA) Observational equivalence with ProVerif June / 40

Similar documents

Proving More Observational Equivalences with ProVerif

Proving More Observational Equivalences with ProVerif Proving More Observational Equivalences with ProVerif Vincent Cheval 1 and Bruno Blanchet 2 1 LSV, ENS Cachan & CNRS & INRIA Saclay Île-de-France, France cheval@lsv.ens-cachan.fr 2 INRIA Paris-Rocquencourt,

More information

Lars Schmidt-Thieme, Information Systems and Machine Learning Lab (ISMLL), Institute BW/WI & Institute for Computer Science, University of Hildesheim

Lars Schmidt-Thieme, Information Systems and Machine Learning Lab (ISMLL), Institute BW/WI & Institute for Computer Science, University of Hildesheim Course on Information Systems 2, summer term 2010 0/29 Information Systems 2 Information Systems 2 5. Business Process Modelling I: Models Lars Schmidt-Thieme Information Systems and Machine Learning Lab

More information

F(jω) = a(jω p 1 )(jω p 2 ) Û Ö p i = b± b 2 4ac. ω c = Y X (jω) = 1. 6R 2 C 2 (jω) 2 +7RCjω+1. 1 (6jωRC+1)(jωRC+1) RC, 1. RC = p 1, p

F(jω) = a(jω p 1 )(jω p 2 ) Û Ö p i = b± b 2 4ac. ω c = Y X (jω) = 1. 6R 2 C 2 (jω) 2 +7RCjω+1. 1 (6jωRC+1)(jωRC+1) RC, 1. RC = p 1, p ÓÖ Ò ÊÄ Ò Ò Û Ò Ò Ö Ý ½¾ Ù Ö ÓÖ ÖÓÑ Ö ÓÒ Ò ÄÈ ÐØ Ö ½¾ ½¾ ½» ½½ ÓÖ Ò ÊÄ Ò Ò Û Ò Ò Ö Ý ¾ Á b 2 < 4ac Û ÒÒÓØ ÓÖ Þ Û Ö Ð Ó ÒØ Ó Û Ð Ú ÕÙ Ö º ËÓÑ Ñ ÐÐ ÕÙ Ö Ö ÓÒ Ò º Ù Ö ÓÖ ½¾ ÓÖ Ù Ö ÕÙ Ö ÓÖ Ò ØÖ Ò Ö ÙÒØ ÓÒ

More information

ÇÙÐ Ò ½º ÅÙÐ ÔÐ ÔÓÐÝÐÓ Ö Ñ Ò Ú Ö Ð Ú Ö Ð ¾º Ä Ò Ö Ö Ù Ð Ý Ó ËÝÑ ÒÞ ÔÓÐÝÒÓÑ Ð º Ì ÛÓ¹ÐÓÓÔ ÙÒÖ Ö Ô Û Ö Ö ÖÝ Ñ ¹ ÝÓÒ ÑÙÐ ÔÐ ÔÓÐÝÐÓ Ö Ñ

ÇÙÐ Ò ½º ÅÙÐ ÔÐ ÔÓÐÝÐÓ Ö Ñ Ò Ú Ö Ð Ú Ö Ð ¾º Ä Ò Ö Ö Ù Ð Ý Ó ËÝÑ ÒÞ ÔÓÐÝÒÓÑ Ð º Ì ÛÓ¹ÐÓÓÔ ÙÒÖ Ö Ô Û Ö Ö ÖÝ Ñ ¹ ÝÓÒ ÑÙÐ ÔÐ ÔÓÐÝÐÓ Ö Ñ ÅÙÐ ÔÐ ÔÓÐÝÐÓ Ö Ñ Ò ÝÒÑ Ò Ò Ö Ð Ö Ò Ó Ò Ö ÀÍ ÖÐ Òµ Ó Ò ÛÓÖ Û Ö Ò ÖÓÛÒ Ö Ú ½ ¼¾º ¾½ Û Åº Ä Ö Ö Ú ½ ¼¾º ¼¼ Û Äº Ñ Ò Ëº Ï ÒÞ ÖÐ Å ÒÞ ½ º¼ º¾¼½ ÇÙÐ Ò ½º ÅÙÐ ÔÐ ÔÓÐÝÐÓ Ö Ñ Ò Ú Ö Ð Ú Ö Ð ¾º Ä Ò Ö Ö Ù Ð Ý Ó ËÝÑ

More information

Automated Verification of Selected Equivalences for Security Protocols

Automated Verification of Selected Equivalences for Security Protocols Automated Verification of Selected Equivalences for Security Protocols Bruno Blanchet CNRS, École Normale Supérieure, Paris Martín Abadi University of California, Santa Cruz Cédric Fournet Microsoft Research,

More information

Radu Alexandru GHERGHESCU, Dorin POENARU and Walter GREINER

Radu Alexandru GHERGHESCU, Dorin POENARU and Walter GREINER È Ö Ò Ò Ù Ò Ò Ò ÖÝ ÒÙÐ Ö Ý Ø Ñ Radu Alexandru GHERGHESCU, Dorin POENARU and Walter GREINER Radu.Gherghescu@nipne.ro IFIN-HH, Bucharest-Magurele, Romania and Frankfurt Institute for Advanced Studies, J

More information

Analysing privacy-type properties in cryptographic protocols

Analysing privacy-type properties in cryptographic protocols Analysing privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Wednesday, January 14th, 2015 S. Delaune (LSV) Verification of cryptographic protocols 14th

More information

A process algebraic analysis of privacy-type properties in cryptographic protocols

A process algebraic analysis of privacy-type properties in cryptographic protocols A process algebraic analysis of privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Saturday, September 6th, 2014 S. Delaune (LSV) Verification of cryptographic

More information

A Short Tutorial on Proverif

A Short Tutorial on Proverif A Short Tutorial on Proverif Alfredo Pironti and Riccardo Sisto Politecnico di Torino, Italy Cryptoforma Meeting, Apr 8, 2010 1 Outline PART 1: how the tool works (Riccardo Sisto) Context: Abstract modelling

More information

Arbeitstagung: Gruppen und Topologische Gruppen Vienna July 6 July 7, Abstracts

Arbeitstagung: Gruppen und Topologische Gruppen Vienna July 6 July 7, Abstracts Arbeitstagung: Gruppen und Topologische Gruppen Vienna July 6 July 7, 202 Abstracts ÁÒÚ Ö Ð Ñ Ø Ó Ø¹Ú ÐÙ ÙÒØ ÓÒ ÁÞØÓ Ò ÞØÓ º Ò ÙÒ ¹Ñ º ÙÐØÝ Ó Æ ØÙÖ Ð Ë Ò Ò Å Ø Ñ Ø ÍÒ Ú Ö ØÝ Ó Å Ö ÓÖ ÃÓÖÓ ½ ¼ Å Ö ÓÖ ¾¼¼¼

More information

A Language for Task Orchestration and its Semantic Properties

A Language for Task Orchestration and its Semantic Properties DEPARTMENT OF COMPUTER SCIENCES A Language for Task Orchestration and its Semantic Properties David Kitchin, William Cook and Jayadev Misra Department of Computer Science University of Texas at Austin

More information

Lund Institute of Technology Centre for Mathematical Sciences Mathematical Statistics

Lund Institute of Technology Centre for Mathematical Sciences Mathematical Statistics Lund Institute of Technology Centre for Mathematical Sciences Mathematical Statistics STATISTICAL METHODS FOR SAFETY ANALYSIS FMS065 ÓÑÔÙØ Ö Ü Ö Ì ÓÓØ ØÖ Ô Ð ÓÖ Ø Ñ Ò Ý Ò Ò ÐÝ In this exercise we will

More information

µ(, y) Computing the Möbius fun tion µ(x, x) = 1 The Möbius fun tion is de ned b y and X µ(x, t) = 0 x < y if x6t6y 3

µ(, y) Computing the Möbius fun tion µ(x, x) = 1 The Möbius fun tion is de ned b y and X µ(x, t) = 0 x < y if x6t6y 3 ÈÖÑÙØØÓÒ ÔØØÖÒ Ò Ø ÅÙ ÙÒØÓÒ ÙÖ ØÒ ÎØ ÂÐÒ Ú ÂÐÒÓÚ Ò ÐÜ ËØÒÖÑ ÓÒ ÒÖ Ì ØÛÓµ 2314 ½¾ ½ ¾ ¾½ ¾ ½ ½¾ ¾½ ½¾ ¾½ ½ Ì ÔÓ Ø Ó ÔÖÑÙØØÓÒ ÛºÖºØº ÔØØÖÒ ÓÒØÒÑÒØ ½ 2314 ½¾ ½ ¾ ¾½ ¾ ½ ½¾ ¾½ ½¾ ¾½ Ì ÒØÖÚÐ [12,2314] ½ ¾ ÓÑÔÙØÒ

More information

PH Nuclear Physics Laboratory Gamma spectroscopy (NP3)

PH Nuclear Physics Laboratory Gamma spectroscopy (NP3) Physics Department Royal Holloway University of London PH2510 - Nuclear Physics Laboratory Gamma spectroscopy (NP3) 1 Objectives The aim of this experiment is to demonstrate how γ-ray energy spectra may

More information

MASTER S THESIS FROM FORMAL TO COMPUTATIONAL AUTHENTICITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY

MASTER S THESIS FROM FORMAL TO COMPUTATIONAL AUTHENTICITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY MASTER S THESIS MICHAEL GARDE FROM FORMAL TO COMPUTATIONAL AUTHENTICITY AN APPROACH FOR RECONCILING FORMAL AND COMPUTATIONAL

More information

INRIA Sophia Antipolis France. TEITP p.1

INRIA Sophia Antipolis France. TEITP p.1 ÌÖÙ Ø ÜØ Ò ÓÒ Ò ÓÕ Ä ÙÖ ÒØ Ì ÖÝ INRIA Sophia Antipolis France TEITP p.1 ÅÓØ Ú Ø ÓÒ Ï Ý ØÖÙ Ø Ó ÑÔÓÖØ ÒØ Å ÒÐÝ ÈÖÓÚ Ò ÌÖÙØ Ø Ò ÑÔÐ Ã Ô ÈÖÓÚ Ò ÌÖÙ Ø È Ó ÖÖÝ Ò ÈÖÓÓ µ Ò Ö ØÝ ÓÑ Ò ËÔ ÔÔÐ Ø ÓÒ TEITP p.2 ÇÙØÐ

More information

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March

More information

Complexity of automatic verification of cryptographic protocols

Complexity of automatic verification of cryptographic protocols Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic

More information

2 Hallén s integral equation for the thin wire dipole antenna

2 Hallén s integral equation for the thin wire dipole antenna Ú Ð Ð ÓÒÐ Ò Ø ØØÔ»» Ѻ Ö Ùº º Ö ÁÒغ º ÁÒ Ù ØÖ Ð Å Ø Ñ Ø ÎÓк ÆÓº ¾ ¾¼½½µ ½ ¹½ ¾ ÆÙÑ Ö Ð Ñ Ø Ó ÓÖ Ò ÐÝ Ó Ö Ø ÓÒ ÖÓÑ Ø Ò Û Ö ÔÓÐ ÒØ ÒÒ Ëº À Ø ÑÞ ¹Î ÖÑ ÞÝ Ö Åº Æ Ö¹ÅÓ Êº Ë Þ ¹Ë Ò µ Ô ÖØÑ ÒØ Ó Ð ØÖ Ð Ò Ò

More information

CS 395T. Probabilistic Polynomial-Time Calculus

CS 395T. Probabilistic Polynomial-Time Calculus CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is

More information

x 0, x 1,...,x n f(x) p n (x) = f[x 0, x 1,..., x n, x]w n (x),

x 0, x 1,...,x n f(x) p n (x) = f[x 0, x 1,..., x n, x]w n (x), ÛÜØ Þ ÜÒ Ô ÚÜ Ô Ü Ñ Ü Ô Ð Ñ Ü ÜØ º½ ÞÜ Ò f Ø ÚÜ ÚÛÔ Ø Ü Ö ºÞ ÜÒ Ô ÚÜ Ô Ð Ü Ð Þ Õ Ô ÞØÔ ÛÜØ Ü ÚÛÔ Ø Ü Ö L(f) = f(x)dx ÚÜ Ô Ü ÜØ Þ Ü Ô, b] Ö Û Þ Ü Ô Ñ ÒÖØ k Ü f Ñ Df(x) = f (x) ÐÖ D Ü Ü ÜØ Þ Ü Ô Ñ Ü ÜØ Ñ

More information

ÆÓÒ¹ÒØÖÐ ËÒÐØ ÓÙÒÖÝ

ÆÓÒ¹ÒØÖÐ ËÒÐØ ÓÙÒÖÝ ÁÒØÖÐ ÓÙÒÖ Ò Ë»Ì Î ÊÐ ÔÖØÑÒØ Ó ÅØÑØ ÍÒÚÖ ØÝ Ó ÓÖ Á̳½½ ØÝ ÍÒÚÖ ØÝ ÄÓÒÓÒ ÔÖÐ ½ ¾¼½½ ÆÓÒ¹ÒØÖÐ ËÒÐØ ÓÙÒÖÝ ÇÙØÐÒ ËÙÔÖ ØÖÒ Ò Ë»Ì Ì ØÙÔ ÏÓÖÐ Ø Ë¹ÑØÖÜ ÍÒÖÐÝÒ ÝÑÑØÖ ÁÒØÖÐ ÓÙÒÖ ÁÒØÖÐØÝ Ø Ø ÓÙÒÖÝ» ÖÒ Ò ØÛ Ø ÒÒ Ú»Ú

More information

Automatic, computational proof of EKE using CryptoVerif

Automatic, computational proof of EKE using CryptoVerif Automatic, computational proof of EKE using CryptoVerif (Work in progress) Bruno Blanchet blanchet@di.ens.fr Joint work with David Pointcheval CNRS, École Normale Supérieure, INRIA, Paris April 2010 Bruno

More information

Lecture 16: Modern Classification (I) - Separating Hyperplanes

Lecture 16: Modern Classification (I) - Separating Hyperplanes Lecture 16: Modern Classification (I) - Separating Hyperplanes Outline 1 2 Separating Hyperplane Binary SVM for Separable Case Bayes Rule for Binary Problems Consider the simplest case: two classes are

More information

ÁÒØÖÓÙØÓÒ ÈÖÓÐÑ ØØÑÒØ ÓÚÖÒ¹ ÐØÖ Ò ËÑÙÐØÓÒ Ê ÙÐØ ÓÒÐÙ ÓÒ ÁÒÜ ½ ÁÒØÖÓÙØÓÒ ¾ ÈÖÓÐÑ ØØÑÒØ ÓÚÖÒ¹ ÐØÖ Ò ËÑÙÐØÓÒ Ê ÙÐØ ÓÒÐÙ ÓÒ

ÁÒØÖÓÙØÓÒ ÈÖÓÐÑ ØØÑÒØ ÓÚÖÒ¹ ÐØÖ Ò ËÑÙÐØÓÒ Ê ÙÐØ ÓÒÐÙ ÓÒ ÁÒÜ ½ ÁÒØÖÓÙØÓÒ ¾ ÈÖÓÐÑ ØØÑÒØ ÓÚÖÒ¹ ÐØÖ Ò ËÑÙÐØÓÒ Ê ÙÐØ ÓÒÐÙ ÓÒ ÁÒØÖÓÙØÓÒ ÈÖÓÐÑ ØØÑÒØ ÓÚÖÒ¹ ÐØÖ Ò ËÑÙÐØÓÒ Ê ÙÐØ ÓÒÐÙ ÓÒ ÙÑÔ ÐØÖ ÓÖ ÙÒÖØÒ ÝÒÑ Ý ØÑ ÛØ ÖÓÔÓÙØ º ÓÐÞ ½ º º ÉÙÚÓ ¾ Áº ÈÖÖÓ ½ ʺ ËÒ ½ ½ ÔÖØÑÒØ Ó ÁÒÙ ØÖÐ ËÝ ØÑ ÒÒÖÒ Ò Ò ÍÒÚÖ ØØ ÂÙÑ Á ØÐÐ ËÔÒ ¾ ËÓÓÐ Ó ÐØÖÐ ÒÒÖÒ

More information

Extending ProVerif s Resolution Algorithm for Verifying Group Protocols

Extending ProVerif s Resolution Algorithm for Verifying Group Protocols Extending ProVerif s Resolution Algorithm for Verifying Group Protocols Miriam Paiola miriam.paiola@ens.fr Ecole Normale Supérieure June 25, 2010 Extending ProVerif s Resolution Algorithm, for Verifying

More information

Analyzing Security Protocols with Secrecy Types and Logic Programs

Analyzing Security Protocols with Secrecy Types and Logic Programs Analyzing Security Protocols with Secrecy Types and Logic Programs Martín Abadi Computer Science Department University of California, Santa Cruz abadi@cs.ucsc.edu Bruno Blanchet Département d Informatique

More information

Notes for Lecture 17

Notes for Lecture 17 U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,

More information

hal , version 1-27 Mar 2014

hal , version 1-27 Mar 2014 Author manuscript, published in "2nd Multidisciplinary International Conference on Scheduling : Theory and Applications (MISTA 2005), New York, NY. : United States (2005)" 2 More formally, we denote by

More information

An Efficient Cryptographic Protocol Verifier Based on Prolog Rules

An Efficient Cryptographic Protocol Verifier Based on Prolog Rules An Efficient Cryptographic Protocol Verifier Based on Prolog Rules Bruno Blanchet INRIA Rocquencourt Domaine de Voluceau B.P. 105 78153 Le Chesnay Cedex, France Bruno.Blanchet@inria.fr Abstract We present

More information

This document has been prepared by Sunder Kidambi with the blessings of

This document has been prepared by Sunder Kidambi with the blessings of Ö À Ö Ñ Ø Ò Ñ ÒØ Ñ Ý Ò Ñ À Ö Ñ Ò Ú º Ò Ì ÝÊ À Å Ú Ø Å Ê ý Ú ÒØ º ÝÊ Ú Ý Ê Ñ º Å º ² ºÅ ý ý ý ý Ö Ð º Ñ ÒÜ Æ Å Ò Ñ Ú «Ä À ý ý This document has been prepared by Sunder Kidambi with the blessings of Ö º

More information

Automated reasoning for equivalences in the applied pi calculus with barriers

Automated reasoning for equivalences in the applied pi calculus with barriers Automated reasoning for equivalences in the applied pi calculus with barriers Bruno Blanchet, Ben Smyth RESEARCH REPORT N 8906 April 2016 Project-Team Prosecco ISSN 0249-6399 ISRN INRIA/RR--8906--FR+ENG

More information

SKMM 3023 Applied Numerical Methods

SKMM 3023 Applied Numerical Methods SKMM 3023 Applied Numerical Methods Solution of Nonlinear Equations ibn Abdullah Faculty of Mechanical Engineering Òº ÙÐÐ ÚºÒÙÐÐ ¾¼½ SKMM 3023 Applied Numerical Methods Solution of Nonlinear Equations

More information

! " # $! % & '! , ) ( + - (. ) ( ) * + / 0 1 2 3 0 / 4 5 / 6 0 ; 8 7 < = 7 > 8 7 8 9 : Œ Š ž P P h ˆ Š ˆ Œ ˆ Š ˆ Ž Ž Ý Ü Ý Ü Ý Ž Ý ê ç è ± ¹ ¼ ¹ ä ± ¹ w ç ¹ è ¼ è Œ ¹ ± ¹ è ¹ è ä ç w ¹ ã ¼ ¹ ä ¹ ¼ ¹ ±

More information

SME 3023 Applied Numerical Methods

SME 3023 Applied Numerical Methods UNIVERSITI TEKNOLOGI MALAYSIA SME 3023 Applied Numerical Methods Solution of Nonlinear Equations Abu Hasan Abdullah Faculty of Mechanical Engineering Sept 2012 Abu Hasan Abdullah (FME) SME 3023 Applied

More information

A Calculus for Control Flow Analysis of Security Protocols

A Calculus for Control Flow Analysis of Security Protocols International Journal of Information Security manuscript No. (will be inserted by the editor) A Calculus for Control Flow Analysis of Security Protocols Mikael Buchholtz, Hanne Riis Nielson, Flemming Nielson

More information

Encoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania

Encoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania Encoding security protocols in the cryptographic λ-calculus Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania An obvious fact Security is important Cryptography is a major way to

More information

An Example file... log.txt

An Example file... log.txt # ' ' Start of fie & %$ " 1 - : 5? ;., B - ( * * B - ( * * F I / 0. )- +, * ( ) 8 8 7 /. 6 )- +, 5 5 3 2( 7 7 +, 6 6 9( 3 5( ) 7-0 +, => - +< ( ) )- +, 7 / +, 5 9 (. 6 )- 0 * D>. C )- +, (A :, C 0 )- +,

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots

More information

Automated Verification of Privacy in Security Protocols:

Automated Verification of Privacy in Security Protocols: Automated Verification of Privacy in Security Protocols: Back and Forth Between Theory & Practice LSV, ENS Paris-Saclay, Université Paris-Saclay, CNRS April 21st 2017 PhD advisors: David Baelde & Stéphanie

More information

The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability

The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Catherine Meadows Naval Research Laboratory, Washington, DC 20375 catherine.meadows@nrl.navy.mil Formal Methods for the Science of

More information

Lecture 9 - Symmetric Encryption

Lecture 9 - Symmetric Encryption 0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,

More information

I118 Graphs and Automata

I118 Graphs and Automata I8 Graphs and Automata Takako Nemoto http://www.jaist.ac.jp/ t-nemoto/teaching/203--.html April 23 0. Û. Û ÒÈÓ 2. Ø ÈÌ (a) ÏÛ Í (b) Ø Ó Ë (c) ÒÑ ÈÌ (d) ÒÌ (e) É Ö ÈÌ 3. ÈÌ (a) Î ÎÖ Í (b) ÒÌ . Û Ñ ÐÒ f

More information

Improving the Berlekamp algorithm for binomials x n a

Improving the Berlekamp algorithm for binomials x n a Improving the Berlekamp algorithm for binomials x n a Ryuichi Harasawa Yutaka Sueyoshi Aichi Kudo Nagasaki University July 19, 2012 1 2 3 Idea Example Procedure after applying the proposed mehod 4 Theoretical

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

arxiv:hep-ph/ v1 10 May 2001

arxiv:hep-ph/ v1 10 May 2001 New data and the hard pomeron A Donnachie Department of Physics, Manchester University P V Landshoff DAMTP, Cambridge University DAMTP-200-38 M/C-TH-0/03 arxiv:hep-ph/005088v 0 May 200 Abstract New structure-function

More information

Periodic monopoles and difference modules

Periodic monopoles and difference modules Periodic monopoles and difference modules Takuro Mochizuki RIMS, Kyoto University 2018 February Introduction In complex geometry it is interesting to obtain a correspondence between objects in differential

More information

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Lincoln, P. Mateus, M. Mitchell Standard analysis methods Finite-state

More information

Mean, Median, Mode, More. Tilmann Gneiting University of Washington

Mean, Median, Mode, More. Tilmann Gneiting University of Washington Mean, Median, Mode, More ÓÖ ÉÙ ÒØ Ð ÇÔØ Ñ Ð ÈÓ ÒØ ÈÖ ØÓÖ Tilmann Gneiting University of Washington Mean, Median, Mode, More or Quantiles as Optimal Point Predictors Tilmann Gneiting University of Washington

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from

More information

Verification of the TLS Handshake protocol

Verification of the TLS Handshake protocol Verification of the TLS Handshake protocol Carst Tankink (0569954), Pim Vullers (0575766) 20th May 2008 1 Introduction In this text, we will analyse the Transport Layer Security (TLS) handshake protocol.

More information

Multi-electron and multi-channel effects on Harmonic Generation

Multi-electron and multi-channel effects on Harmonic Generation Multi-electron and multi-channel effects on Harmonic Generation Contact abrown41@qub.ac.uk A.C. Brown and H.W. van der Hart Centre for Theoretical Atomic, Molecular and Optical Physics, Queen s University

More information

Mixing Finite Success and Finite Failure. Automated Prover

Mixing Finite Success and Finite Failure. Automated Prover in an Automated Prover Alwen Tiu 1, Gopalan Nadathur 2 and Dale Miller 3 1 INRIA Lorraine, France 2 University of Minnesota, USA 3 INRIA Futurs/École polytechnique, France ESHOL 2005 Montego Bay, Jamaica

More information

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian

More information

Identity Authentication and Secrecy in the πcalculus and Prolog

Identity Authentication and Secrecy in the πcalculus and Prolog Wesleyan University The Honors College Identity Authentication and Secrecy in the πcalculus and Prolog by Stefan Sundseth A thesis submitted to the faculty of Wesleyan University in partial fulfillment

More information

Constructive Decision Theory

Constructive Decision Theory Constructive Decision Theory Joe Halpern Cornell University Joint work with Larry Blume and David Easley Economics Cornell Constructive Decision Theory p. 1/2 Savage s Approach Savage s approach to decision

More information

From the Applied Pi Calculus to Horn Clauses for Protocols with Lists

From the Applied Pi Calculus to Horn Clauses for Protocols with Lists From the Applied Pi Calculus to Horn Clauses for Protocols with Lists Miriam Paiola, Bruno Blanchet To cite this version: Miriam Paiola, Bruno Blanchet. From the Applied Pi Calculus to Horn Clauses for

More information

Lecture Notes, Week 6

Lecture Notes, Week 6 YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several

More information

A one message protocol using cryptography, where K AB is a symmetric key shared between A and B for private communication. A B : {M} KAB on c AB

A one message protocol using cryptography, where K AB is a symmetric key shared between A and B for private communication. A B : {M} KAB on c AB A one message protocol using cryptography, where K AB is a symmetric key shared between A and B for private communication. A B : {M} KAB on c AB This can be represented as A send cab {M} KAB ;halt B recv

More information

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable

More information

Redoing the Foundations of Decision Theory

Redoing the Foundations of Decision Theory Redoing the Foundations of Decision Theory Joe Halpern Cornell University Joint work with Larry Blume and David Easley Economics Cornell Redoing the Foundations of Decision Theory p. 1/21 Decision Making:

More information

Block vs. Stream cipher

Block vs. Stream cipher Block vs. Stream cipher Idea of a block cipher: partition the text into relatively large (e.g. 128 bits) blocks and encode each block separately. The encoding of each block generally depends on at most

More information

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to

More information

u x + u y = x u . u(x, 0) = e x2 The characteristics satisfy dx dt = 1, dy dt = 1

u x + u y = x u . u(x, 0) = e x2 The characteristics satisfy dx dt = 1, dy dt = 1 Õ 83-25 Þ ÛÐ Þ Ð ÚÔÜØ Þ ÝÒ Þ Ô ÜÞØ ¹ 3 Ñ Ð ÜÞ u x + u y = x u u(x, 0) = e x2 ÝÒ Þ Ü ÞØ º½ dt =, dt = x = t + c, y = t + c 2 We can choose c to be zero without loss of generality Note that each characteristic

More information

CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL

CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL INSTITUT FÜR INFORMATIK UND PRAKTISCHE MATHEMATIK A Constraint-Based Algorithm for Contract-Signing Protocols Detlef Kähler, Ralf Küsters Bericht Nr. 0503 April 2005 CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL

More information

Group Diffie Hellman Protocols and ProVerif

Group Diffie Hellman Protocols and ProVerif Group Diffie Hellman Protocols and ProVerif CS 395T - Design and Analysis of Security Protocols Ankur Gupta Secure Multicast Communication Examples: Live broadcast of a match, stock quotes, video conferencing.

More information

«Û +(2 )Û, the total charge of the EH-pair is at most «Û +(2 )Û +(1+ )Û ¼, and thus the charging ratio is at most

«Û +(2 )Û, the total charge of the EH-pair is at most «Û +(2 )Û +(1+ )Û ¼, and thus the charging ratio is at most ÁÑÔÖÓÚ ÇÒÐÒ ÐÓÖØÑ ÓÖ Ù«Ö ÅÒÑÒØ Ò ÉÓË ËÛØ ÅÖ ÖÓ ÏÓ ÂÛÓÖ ÂÖ ËÐÐ Ý ÌÓÑ ÌÝ Ý ØÖØ We consider the following buffer management problem arising in QoS networks: packets with specified weights and deadlines arrive

More information

ASYMMETRIC ENCRYPTION

ASYMMETRIC ENCRYPTION ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall

More information

Chebyshev Spectral Methods and the Lane-Emden Problem

Chebyshev Spectral Methods and the Lane-Emden Problem Numer. Math. Theor. Meth. Appl. Vol. 4, No. 2, pp. 142-157 doi: 10.4208/nmtma.2011.42s.2 May 2011 Chebyshev Spectral Methods and the Lane-Emden Problem John P. Boyd Department of Atmospheric, Oceanic and

More information

Negative applications of the ASM thesis

Negative applications of the ASM thesis Negative applications of the ASM thesis Dean Rosenzweig and Davor Runje University of Zagreb Berlin, February 26-27, 2007 Outline 1 Negative applications of the ASM thesis Motivation Non-interactive algorithms

More information

NSL Verification and Attacks Agents Playing Both Roles

NSL Verification and Attacks Agents Playing Both Roles NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality

More information

Evolution of the water stable isotopic composition of the rain sampled along Sahelian squall lines

Evolution of the water stable isotopic composition of the rain sampled along Sahelian squall lines Evolution of the water stable isotopic composition of the rain sampled along Sahelian squall lines Camille Risi, Sandrine Bony, Françoise Vimeux, Luc Descroix AMMA meeting, Toulouse 14 october 28 Water

More information

Linear Multi-Prover Interactive Proofs

Linear Multi-Prover Interactive Proofs Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject

More information

Calculation of the van der Waals potential of argon dimer using a modified Tang-Toennies model

Calculation of the van der Waals potential of argon dimer using a modified Tang-Toennies model J. At. Mol. Sci. doi: 10.4208/jams.011511.022111a Vol. x, No. x, pp. 1-5 xxx 2011 ½ ¾ ½¼ Calculation of the van der Waals potential of argon dimer using a modified Tang-Toennies model J. F. Peng a, P.

More information

CryptoVerif - the tool of crypto analysis

CryptoVerif - the tool of crypto analysis CryptoVerif - the tool of crypto analysis Ivo Seeba The University of Tartu, The Department of Computer Science, EST Abstract. This paper describes about crypto analyzing program CryptoVerif. There is

More information

Monodic Temporal Resolution

Monodic Temporal Resolution Monodic Temporal Resolution ANATOLY DEGTYAREV Department of Computer Science, King s College London, London, UK. and MICHAEL FISHER and BORIS KONEV Department of Computer Science, University of Liverpool,

More information

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University

More information

A method for proving observational equivalence

A method for proving observational equivalence A method for proving observational equivalence Véronique Cortier LORIA, CNRS & INRIA Nancy Grand Est France Email: cortier@loria.fr Stéphanie Delaune LSV, ENS Cachan & CNRS & INRIA Saclay France Email:

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:

More information

Private Authentication

Private Authentication Private Authentication Martín Abadi University of California at Santa Cruz Cédric Fournet Microsoft Research Abstract Frequently, communication between two principals reveals their identities and presence

More information

Notes on BAN Logic CSG 399. March 7, 2006

Notes on BAN Logic CSG 399. March 7, 2006 Notes on BAN Logic CSG 399 March 7, 2006 The wide-mouthed frog protocol, in a slightly different form, with only the first two messages, and time stamps: A S : A, {T a, B, K ab } Kas S B : {T s, A, K ab

More information

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Analysis - Post-Quantum Security of Fiat-Shamir by Dominic Unruh Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis

More information

Computational security & Private key encryption

Computational security & Private key encryption Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability

More information

Provable security. Michel Abdalla

Provable security. Michel Abdalla Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only

More information

1 Number Theory Basics

1 Number Theory Basics ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information

Lecture 2: Perfect Secrecy and its Limitations

Lecture 2: Perfect Secrecy and its Limitations CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption

More information

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL 1 ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL GIOVANNI DI CRESCENZO Telcordia Technologies, Piscataway, NJ, USA. E-mail: giovanni@research.telcordia.com IVAN VISCONTI Dipartimento di Informatica

More information

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access

More information

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies

More information

Applications of Discrete Mathematics to the Analysis of Algorithms

Applications of Discrete Mathematics to the Analysis of Algorithms Applications of Discrete Mathematics to the Analysis of Algorithms Conrado Martínez Univ. Politècnica de Catalunya, Spain May 2007 Goal Given some algorithm taking inputs from some set Á, we would like

More information

Depending on equations

Depending on equations Depending on equations A proof-relevant framework for unification in dependent type theory Jesper Cockx DistriNet KU Leuven 3 September 2017 Unification for dependent types Unification is used for many

More information

Symbolic Encryption with Pseudorandom Keys

Symbolic Encryption with Pseudorandom Keys Symbolic Encryption with Pseudorandom Keys Daniele Micciancio February 23, 2018 Abstract We give an efficient decision procedure that, on input two (acyclic) cryptographic expressions making arbitrary

More information

Advanced Topics in Cryptography

Advanced Topics in Cryptography Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,

More information

Non-Conversation-Based Zero Knowledge

Non-Conversation-Based Zero Knowledge Non-Conversation-Based Zero Knowledge JOËL ALWEN Università di Salerno 84084 Fisciano (SA) ITALY jfa237@nyu.edu GIUSEPPE PERSIANO Università di Salerno 84084 Fisciano (SA) ITALY giuper@dia.unisa.it Submission

More information

Control Flow Analysis of Security Protocols (I)

Control Flow Analysis of Security Protocols (I) Control Flow Analysis of Security Protocols (I) Mikael Buchholtz 02913 F2005 Mikael Buchholtz p. 1 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography 02913 F2005

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction Tutorial on Quantum Computing Vwani P. Roychowdhury Lecture 1: Introduction 1 & ) &! # Fundamentals Qubits A single qubit is a two state system, such as a two level atom we denote two orthogonal states

More information

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1 Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes

More information

Cryptography IV: Asymmetric Ciphers

Cryptography IV: Asymmetric Ciphers Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline

More information

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015. Crypto math II Alin Tomescu alinush@mit.edu May 7, 015 Abstract A quick overview on group theory from Ron Rivest s 6.857 course in Spring 015. 1 Overview Group theory review Diffie-Hellman (DH) key exchange

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback