Complexity of automatic verification of cryptographic protocols
|
|
- Teresa Hutchinson
- 6 years ago
- Views:
Transcription
1 Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1
2 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs designed to secure communications Rely on cryptographic primitives 2 / 29
3 Context The protocol: Honest participants 3 / 29
4 Context The protocol: Honest participants Controls the network Intruder 3 / 29
5 Context The protocol: Honest participants Controls the network Security properties Intruder 3 / 29
6 On the web Protocol HTTPS Password based authentication Confidentiality of personal data 4 / 29
7 Payment with credit card Authorization through PIN code Wireless payment Confidentiality of the transaction Authenticity of the bank card 5 / 29
8 Electronic passport RFID chip inside the passport Secret key printed on the passport Confidentiality of personal data Anonymity Untraceability 6 / 29
9 Electronic voting Vote from personal computer Vote from dedicated machines Verifiability of the votes Confidentiality of the vote No partial results One vote per voter Anonymity of the voter Coercition resistance 7 / 29
10 Attacks Designing a secure protocol is hard! Concrete attacks on: authentication used by Google Apps unlinkability of french passports authentication of credit card (Yes-Card) vote privacy on the Helios e-voting system anonymity of routing protocols These attacks are the consequence of a bad design and not of a: implementation bug weak cryptographic primitives usage of magical hacking techniques 8 / 29
11 Existing models Cryptographic model Symbolic model 9 / 29
12 Existing models Cryptographic model Symbolic model Bitstring Messages 9 / 29
13 Existing models Cryptographic model Symbolic model Bitstring Messages Real algorithms Cryptographic primitives 9 / 29
14 Existing models Cryptographic model Symbolic model Bitstring Messages Real algorithms Cryptographic primitives Function symbols 9 / 29
15 Existing models Cryptographic model Symbolic model Bitstring Messages Terms Real algorithms Cryptographic primitives Function symbols 9 / 29
16 Existing models Cryptographic model Symbolic model Bitstring Messages Terms Real algorithms Cryptographic primitives Function symbols PPT Attacker Idealized 9 / 29
17 Existing models Cryptographic model Symbolic model Bitstring Messages Terms Real algorithms Cryptographic primitives Function symbols PPT Attacker Idealized Difficult and by hand Proofs "Easier" and mechanized 9 / 29
18 Existing models Cryptographic model Symbolic model Bitstring Messages Terms Real algorithms Cryptographic primitives Function symbols PPT Attacker Idealized Difficult and by hand Proofs "Easier" and mechanized Strong and clear Security guarantees Unclear 9 / 29
19 Symbolic models Symbolic terms Nonces: a, b, c,... Variables: Functions symbols: enc, dec, hi,,... x, y, z,... enc(x, y) hx, yi a x enc hi x y x y 10 / 29
20 Symbolic models Symbolic terms Nonces: a, b, c,... Variables: Functions symbols: enc, dec, hi,,... x, y, z,... enc(x, y) hx, yi a x enc hi x y x y Rewrite rules dec(enc(x, y),y)! x proj 1 (hx, yi)! x 10 / 29
21 Symbolic models Symbolic terms Nonces: a, b, c,... Variables: Functions symbols: enc, dec, hi,,... x, y, z,... enc(x, y) hx, yi a x enc hi x y x y Rewrite rules dec(enc(x, y),y)! x proj 1 (hx, yi)! x Example: dec(enc(hm 1,m 2 i,k),k)!hm 1,m 2 i 10 / 29
22 Symbolic models Symbolic terms Nonces: a, b, c,... Variables: Functions symbols: enc, dec, hi,,... x, y, z,... enc(x, y) hx, yi a x enc hi x y x y Subterm convergent Rewrite rules dec(enc(x, y),y)! x proj 1 (hx, yi)! x Monadic convergent Example: dec(enc(hm 1,m 2 i,k),k)!hm 1,m 2 i unblind(sign(blind(x, y),z),y)! sign(x, z) 10 / 29
23 Symbolic models Example : Electronic passport Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport Reader 11 / 29
24 Symbolic models Example : Electronic passport Freshly generated by Passport Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport Reader 11 / 29
25 Symbolic models Example : Electronic passport Freshly generated by Passport Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport Reader Reader expects a nonce and returns it 11 / 29
26 Symbolic models Example : Electronic passport Freshly generated by Passport Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport Reader Reader expects a nonce and returns it Freshly generated by Reader 11 / 29
27 Symbolic models Example : Electronic passport Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport Reader Knowledge of intruder: nonces he can generate + 1: n T 2: enc(hn R,n T,k R i,k e ) 3: enc(hn T,n R,k T i,k e ) 11 / 29
28 Symbolic models Another trace of the Electronic passport Knows k e Knows k e n T KO Passeport enc(hn R, KO,k R i,k e ) Error Reader Knowledge of intruder: nonces he can generate (e.g. KO) + 1: n T 2: enc(hn R, KO,k R i,k e ) 3: Error 12 / 29
29 Applied pi calculus 0 Nil P + Q Non deterministic choice P Q Parallel if u = v then P else Q Test in(c, x).p Input out(c, u).p Output k.p Name restriction!p Replication 13 / 29
30 Applied pi calculus Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport P (k e )= Reader n T.out(c, n T ).in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) Main process:! k e!p (k e ) R(k e ) 14 / 29
31 Trace A trace = one execution of the process P (k e )= n T.out(c, n T ).in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) Initial configuration: Set of private names (;, k e.p (k e ),id) The process Substitution representing the knowledge of the attacker 15 / 29
32 Trace P (k e )= n T.out(c, n T ).in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) w 1 16 / 29
33 Trace P (k e )= n T.out(c, n T ).in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) w 1 16 / 29
34 Trace P 1 = out(c, n T ).in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) w 1 16 / 29
35 Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) ({k e,n T }, P 2, { n T / w1 }) w 1 16 / 29
36 Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) w 1 16 / 29
37 Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) Cannot contain private names w 1 16 / 29
38 Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) Cannot contain private names Can contain variables from the frame, i.e. w 1 16 / 29
39 Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) Cannot contain private names Can contain variables from the frame, i.e. w 1 Ex: M = hn I,w 1 i 16 / 29
40 Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) Cannot contain private names Can contain variables from the frame, i.e. w 1 Ex: M = hn I,w 1 i x!hn I,n T i 16 / 29
41 Trace P 3 = if proj 3 (dec(hn I,n T i,k e )) = n T then k T.out(c, hn T, proj 1 (dec(hn I,n T i,k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) ({k e,n T }, P 3, { n T / w1 }) Cannot contain private names Can contain variables from the frame, i.e. w 1 Ex: M = hn I,w 1 i x!hn I,n T i 16 / 29
42 Trace P 3 = if proj 3 (dec(hn I,n T i,k e )) = n T then k T.out(c, hn T, proj 1 (dec(hn I,n T i,k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) out(c, w 1 ) in(c, M) ({k e },P(k e ),id) ({k e,n T }, P 1,id) ({k e,n T }, P 2, { n T / }) w1 ({k e,n T }, P 3, { n T / }) w1 out(c, w 1 ).in(c, M) {k e,n T } { n T / w1 } The sequence of label with the set and the frame represents a trace. w 1 16 / 29
43 Internal communication Communication can happen internally on private channels ({d}, in(d, x).p out(d, a).q, ) ({d},p{ a / x } Q, ) 17 / 29
44 Security properties What we verify well : Confidentiality, authenticity Trace properties Tools : Avispa, ProVerif, Scyther, CSP/FdR What we don t verify well : Anonymity, privacy, traceability, properties for electronic voting Equivalence properties Tools : ProVerif, AkiSs, SPEC, APTE 18 / 29
45 Trace equivalence Untraceability of electronic passport Situation 1 Situation 2 19 / 29
46 Trace equivalence Untraceability of electronic passport Situation 1 Situation 2 19 / 29
47 Trace equivalence Untraceability of electronic passport Situation 1 Situation 2 Two protocols are in equivalence if for all traces of one of the protocol, we can find an equivalent trace in the other protocol 19 / 29
48 Trace equivalence Untraceability of electronic passport Situation 1 Situation 2 Two protocols are in equivalence if for all traces of one of the protocol, we can find an equivalent trace in the other protocol M 1,M 2,...,M k Knowledges of the attacker obtain in two traces with similar actions N 1,N 2,...,N k 19 / 29
49 Decision procedure How to automatically decide equivalence? General problem: Undecidable Usual restrictions: Bounded number of sessions, stronger notion of equivalence, simple algebraic properties for the cryptographic properties, Technics used : Saturation of Horn Clauses, Constraint solving, Equivalence of constraint systems 20 / 29
50 Decision procedure How difficult is it to automatically decide equivalence? P : Decidable by a deterministic Turing machine in polynomial time EXP : Decidable by a deterministic Turing machine in exponential time NP : Decidable by a non-deterministic Turing machine in polynomial time NEXP : Decidable by a non-deterministic Turing machine in exponential time PSPACE : Decidable by a deterministic Turing machine in polynomial space Σ0 = P and Σi = NP Σ i-1 Σ1 = NP 21 / 29
51 Complexity Applied Pi Calculus Static equivalence Trace equivalence Observational equivalence Diff equivalence Positive, finite, subterm convergent Finite, subterm convergent P complete [AC 04] P complete [AC 04] Decidable? CoNP complete Decidable?? Finite, monadic convergent P hard??? 22 / 29
52 Complexity Results Applied Pi Calculus Static equivalence Trace equivalence Observational equivalence Diff equivalence Positive, finite, subterm convergent P complete [AC 04] Decidable [CK 17] conexp hard CoNP complete Finite, subterm convergent P complete [AC 04] Decidable [CK 17] conexp hard conexp hard? Finite, monadic convergent P hard conexp hard conexp hard? Pure Pi Calculus Static equivalence Trace equivalence Positive, finite LOGSPACE coσ2 complete Finite LOGSPACE coσ2 complete Observational equivalence PSPACE easy coσ4 hard PSPACE easy coσ4 hard 23 / 29
53 Complexity Results Applied Pi Calculus Static equivalence Trace equivalence Observational equivalence Diff equivalence Positive, finite, subterm convergent PTIME complete [AC 04] Decidable [CK 17] conexp easy? conexp hard conexp complete? CoNP complete Finite, subterm convergent PTIME complete [AC 04] Decidable [CK 17] conexp hard conexp complete? conexp hard conexp complete? conp complete? Finite, monadic convergent PTIME hard conexp hard conexp hard? Pure Pi Calculus Static equivalence Trace equivalence Positive, finite LOGSPACE coσ2 complete Finite LOGSPACE coσ2 complete Observational equivalence PSPACE easy coσ4 hard PSPACE easy coσ4 hard 24 / 29
54 Trace equivalence in pi-calculus Reduction from QSAT2 No else branche, no cryptographic primitive A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 9~x = 9x 1 9x 2...9x n 8~y = 8y 1 8y 2...8y m 25 / 29
55 Boolean formula in pi-calculus c 1 c 2 ^ c3 26 / 29
56 Boolean formula in pi-calculus c 1 c 2 ^ c3 in(c 1,x).in(c 2,y).( if x =1then if y =1then out(c 3, 1) if x =1then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) ) 26 / 29
57 Boolean formula in pi-calculus c 1 c 2 ^ c3 in(c 1,x).in(c 2,y).( if x =1then if y =1then out(c 3, 1) if x =1then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) ) Enforces that inputs are booleans! 26 / 29
58 Boolean formula in pi-calculus c 1 c 2 ^ c3 in(c 1,x).in(c 2,y).( if x =1then if y =1then out(c 3, 1) if x =1then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) ) in(c 1,x) out(c 3,x^ y) in(c 2,y) 26 / 29
59 Boolean formula in pi-calculus c 1 c 2 c 3 ^ c 4 c 6 _ c 5 27 / 29
60 Boolean formula in pi-calculus c 1 c 2 c 3 ^ c 4 c 6 _ c 5 out(c 2,b 2 ) out(c 1,b 1 ) in(c 1,x) inp out(c 3,b 3 ) in(c 2,y) out(c 4,x^ y) in(c 3,x) out(c 5, x) in(c 4,x) P (x) in(c 5,y) 27 / 29 out(c 6,x_ y) in(c 6,x)
61 Boolean formula in pi-calculus c 1 c 2 c 3 ^ c 4 c 6 _ c 5 Enforces that inputs are booleans! out(c 2,b 2 ) out(c 1,b 1 ) in(c 1,x) inp out(c 3,b 3 ) in(c 2,y) out(c 4,x^ y) in(c 3,x) out(c 5, x) in(c 4,x) P (x) in(c 5,y) 27 / 29 out(c 6,x_ y) in(c 6,x)
62 Boolean formula in pi-calculus c 1 c 2 c 3 ^ c 4 c 6 _ c 5 Enforces that inputs are booleans! x '(b 1,b 2,b 3 ).P (x) out(c 2,b 2 ) out(c 1,b 1 ) in(c 1,x) inp out(c 3,b 3 ) in(c 2,y) out(c 4,x^ y) in(c 3,x) out(c 5, x) in(c 4,x) P (x) in(c 5,y) 27 / 29 out(c 6,x_ y) in(c 6,x)
63 Universal quantification A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 How to express universality in pi-calculus? 28 / 29
64 Universal quantification A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 How to express universality in pi-calculus? Guess(y).P def = d.((out(d, 0)+out(d, 1) in(d, y).p ) 28 / 29
65 Universal quantification A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 How to express universality in pi-calculus? Guess(y).P def = d.((out(d, 0)+out(d, 1) in(d, y).p ) Can reduce in either P { 0 / y } or P { 1 / y } 28 / 29
66 Reduction A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 A def = in(c, ~x). test ^ ~x. B def = in(c, ~x). test ^ ~x. Guess(~y ). out(c, 0)+out(c, 1) (v '(~x, ~y ). out(c, v) + out(c, 1)) 29 / 29
67 Reduction A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 A def = in(c, ~x). test ^ ~x. B def = in(c, ~x). test ^ ~x. Guess(~y ). out(c, 0)+out(c, 1) (v '(~x, ~y ). out(c, v) + out(c, 1)) The processes can only output if the inputs are booleans 29 / 29
68 Reduction A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 A def = in(c, ~x). test ^ ~x. B def = in(c, ~x). test ^ ~x. Guess(~y ). out(c, 0)+out(c, 1) (v '(~x, ~y ). out(c, v) + out(c, 1)) The processes can only output if the inputs are booleans Whatever the boolean input, the process B can always output 0 or 1 29 / 29
69 Reduction A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 A def = in(c, ~x). test ^ ~x. B def = in(c, ~x). test ^ ~x. Guess(~y ). out(c, 0)+out(c, 1) (v '(~x, ~y ). out(c, v) + out(c, 1)) The processes can only output if the inputs are booleans Whatever the boolean input, the process B can always output 0 or 1 If 8~y. ' (~x 0,~y)=1 holds then A can never output 0 when ~x 0 is input 29 / 29
A process algebraic analysis of privacy-type properties in cryptographic protocols
A process algebraic analysis of privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Saturday, September 6th, 2014 S. Delaune (LSV) Verification of cryptographic
More informationAnalysing privacy-type properties in cryptographic protocols
Analysing privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Wednesday, January 14th, 2015 S. Delaune (LSV) Verification of cryptographic protocols 14th
More informationAutomated Verification of Privacy in Security Protocols:
Automated Verification of Privacy in Security Protocols: Back and Forth Between Theory & Practice LSV, ENS Paris-Saclay, Université Paris-Saclay, CNRS April 21st 2017 PhD advisors: David Baelde & Stéphanie
More informationA method for proving observational equivalence
A method for proving observational equivalence Véronique Cortier LORIA, CNRS & INRIA Nancy Grand Est France Email: cortier@loria.fr Stéphanie Delaune LSV, ENS Cachan & CNRS & INRIA Saclay France Email:
More informationVerification of Security Protocols in presence of Equational Theories with Homomorphism
Verification of Security Protocols in presence of Equational Theories with Homomorphism Stéphanie Delaune France Télécom, division R&D, LSV CNRS & ENS Cachan February, 13, 2006 Stéphanie Delaune (FT R&D,
More informationCryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March
More informationCommunication security: Formal models and proofs
Commnication secrity: Formal models and proofs Hbert Comon September 1, 2016 1 Introdction to protocol secrity The context (I) credit cards contactless cards telephones online transactions cars, fridges,...
More informationGroup Diffie Hellman Protocols and ProVerif
Group Diffie Hellman Protocols and ProVerif CS 395T - Design and Analysis of Security Protocols Ankur Gupta Secure Multicast Communication Examples: Live broadcast of a match, stock quotes, video conferencing.
More informationA Computationally Complete Symbolic Attacker for Equivalence Properties
A Computationally Complete Symbolic Attacker for Equivalence Properties ABSTRACT Gergei Bana INRIA Paris-Rocquencourt Paris, France bana@math.upenn.edu We consider the problem of computational indistinguishability
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationLengths may break privacy or how to check for equivalences with length
Lengths may break privacy or how to check for equivalences with length Vincent Cheval 1, Véronique Cortier 2, and Antoine Plet 2 1 LSV, ENS Cachan & CNRS & INRIA, France 2 LORIA, CNRS, France Abstract.
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationProtocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete
Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete Michaël Rusinowitch and Mathieu Turuani LORIA-INRIA- Université Henri Poincaré, 54506 Vandoeuvre-les-Nancy cedex, France
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationNo#ons of Privacy: ID- Hiding, Untrace- ability, Anonymity & Deniability
No#ons of Privacy: ID- Hiding, Untrace- ability, Anonymity & Deniability Paris, 19/03/2014 CIDRE Cristina Onete Meet the girl Need authentication Marie-Claire Cris%na Onete 19/03/2014 2 Secure Authentication
More informationAutomata-based analysis of recursive cryptographic protocols
1 Automata-based analysis of recursive cryptographic protocols Thomas Wilke Joint work with Ralf Küsters Christian-Albrechts-Universität zu Kiel June 13, 2004 Un-/Decidability of security in the DY model
More informationCSCI3390-Lecture 14: The class NP
CSCI3390-Lecture 14: The class NP 1 Problems and Witnesses All of the decision problems described below have the form: Is there a solution to X? where X is the given problem instance. If the instance is
More informationPOLYNOMIAL SPACE QSAT. Games. Polynomial space cont d
T-79.5103 / Autumn 2008 Polynomial Space 1 T-79.5103 / Autumn 2008 Polynomial Space 3 POLYNOMIAL SPACE Polynomial space cont d Polynomial space-bounded computation has a variety of alternative characterizations
More informationThe Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability
The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Catherine Meadows Naval Research Laboratory, Washington, DC 20375 catherine.meadows@nrl.navy.mil Formal Methods for the Science of
More informationLecture 26. Daniel Apon
Lecture 26 Daniel Apon 1 From IPPSPACE to NPPCP(log, 1): NEXP has multi-prover interactive protocols If you ve read the notes on the history of the PCP theorem referenced in Lecture 19 [3], you will already
More informationBlind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems
Applied Mathematical Sciences, Vol. 6, 202, no. 39, 6903-690 Blind Signature Protocol Based on Difficulty of Simultaneous Solving Two Difficult Problems N. H. Minh, D. V. Binh 2, N. T. Giang 3 and N. A.
More informationComputer Science and Logic A Match Made in Heaven
A Match Made in Heaven Luca Aceto Reykjavik University Reykjavik, 3 April 2009 Thanks to Moshe Vardi from whom I have drawn inspiration (read stolen ideas ) for this presentation. Why This Talk Today?
More informationInteractive Proofs. Merlin-Arthur games (MA) [Babai] Decision problem: D;
Interactive Proofs n x: read-only input finite σ: random bits control Π: Proof work tape Merlin-Arthur games (MA) [Babai] Decision problem: D; input string: x Merlin Prover chooses the polynomial-length
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationExtending ProVerif s Resolution Algorithm for Verifying Group Protocols
Extending ProVerif s Resolution Algorithm for Verifying Group Protocols Miriam Paiola miriam.paiola@ens.fr Ecole Normale Supérieure June 25, 2010 Extending ProVerif s Resolution Algorithm, for Verifying
More informationCSCI 1590 Intro to Computational Complexity
CSCI 1590 Intro to Computational Complexity Complement Classes and the Polynomial Time Hierarchy John E. Savage Brown University February 9, 2009 John E. Savage (Brown University) CSCI 1590 Intro to Computational
More informationUmans Complexity Theory Lectures
Umans Complexity Theory Lectures Lecture 8: Introduction to Randomized Complexity: - Randomized complexity classes, - Error reduction, - in P/poly - Reingold s Undirected Graph Reachability in RL Randomized
More informationNSL Verification and Attacks Agents Playing Both Roles
NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality
More informationTime-Bounding Needham-Schroeder Public Key Exchange Protocol
Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek
More informationProbabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Lincoln, P. Mateus, M. Mitchell Standard analysis methods Finite-state
More informationconp, Oracles, Space Complexity
conp, Oracles, Space Complexity 1 What s next? A few possibilities CS161 Design and Analysis of Algorithms CS254 Complexity Theory (next year) CS354 Topics in Circuit Complexity For your favorite course
More informationCHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
INSTITUT FÜR INFORMATIK UND PRAKTISCHE MATHEMATIK A Constraint-Based Algorithm for Contract-Signing Protocols Detlef Kähler, Ralf Küsters Bericht Nr. 0503 April 2005 CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
More informationThe Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security
The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security Carlos Olarte and Frank D. Valencia INRIA /CNRS and LIX, Ecole Polytechnique Motivation Concurrent
More informationChapter 2. Reductions and NP. 2.1 Reductions Continued The Satisfiability Problem (SAT) SAT 3SAT. CS 573: Algorithms, Fall 2013 August 29, 2013
Chapter 2 Reductions and NP CS 573: Algorithms, Fall 2013 August 29, 2013 2.1 Reductions Continued 2.1.1 The Satisfiability Problem SAT 2.1.1.1 Propositional Formulas Definition 2.1.1. Consider a set of
More informationFormalising security properties in electronic voting protocols
Formalising security properties in electronic voting protocols Stéphanie Delaune and Steve Kremer LSV, ENS Cachan & CNRS & INRIA Saclay Île-de-France The results presented in this report are based on joint
More informationProbabilistically Checkable Arguments
Probabilistically Checkable Arguments Yael Tauman Kalai Microsoft Research yael@microsoft.com Ran Raz Weizmann Institute of Science ran.raz@weizmann.ac.il Abstract We give a general reduction that converts
More informationIntroduction to Advanced Results
Introduction to Advanced Results Master Informatique Université Paris 5 René Descartes 2016 Master Info. Complexity Advanced Results 1/26 Outline Boolean Hierarchy Probabilistic Complexity Parameterized
More informationComplexity of domain-independent planning. José Luis Ambite
Complexity of domain-independent planning José Luis Ambite 1 Decidability Decision problem: a problem with a yes/no answer e.g. is N prime? Decidable: if there is a program (i.e. a Turing Machine) that
More informationDeciding the Security of Protocols with Commuting Public Key Encryption
Electronic Notes in Theoretical Computer Science 125 (2005) 55 66 www.elsevier.com/locate/entcs Deciding the Security of Protocols with Commuting Public Key Encryption Yannick Chevalier a,1 Ralf Küsters
More information18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018
18734: Foundations of Privacy Anonymous Cash Anupam Datta CMU Fall 2018 Today: Electronic Cash Goals Alice can ask for Bank to issue coins from her account. Alice can spend coins. Bank cannot track what
More informationVerification of the TLS Handshake protocol
Verification of the TLS Handshake protocol Carst Tankink (0569954), Pim Vullers (0575766) 20th May 2008 1 Introduction In this text, we will analyse the Transport Layer Security (TLS) handshake protocol.
More informationNP Complete Problems. COMP 215 Lecture 20
NP Complete Problems COMP 215 Lecture 20 Complexity Theory Complexity theory is a research area unto itself. The central project is classifying problems as either tractable or intractable. Tractable Worst
More informationDeducibility constraints, equational theory and electronic money
Deducibility constraints, equational theory and electronic money Sergiu Bursuc 1, Hubert Comon-Lundh 1, and Stéphanie Delaune 1,2 1 Laboratoire Spécification & Vérification ENS de Cachan & CNRS UMR 8643,
More informationNotes on Complexity Theory Last updated: October, Lecture 6
Notes on Complexity Theory Last updated: October, 2015 Lecture 6 Notes by Jonathan Katz, lightly edited by Dov Gordon 1 PSPACE and PSPACE-Completeness As in our previous study of N P, it is useful to identify
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationAutomated verification of equivalence properties of cryptographic protocols
Automated verification of equivalence properties of cryptographic protocols Rohit Chadha, Vincent Cheval, Ştefan Ciobâcǎ, Steve Kremer To cite this version: Rohit Chadha, Vincent Cheval, Ştefan Ciobâcǎ,
More informationProving More Observational Equivalences with ProVerif
Proving More Observational Equivalences with ProVerif Vincent Cheval 1 and Bruno Blanchet 2 1 LSV, ENS Cachan & CNRS & INRIA Saclay Île-de-France, France cheval@lsv.ens-cachan.fr 2 INRIA Paris-Rocquencourt,
More informationGeorge Danezis Microsoft Research, Cambridge, UK
George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationAnalysing Layered Security Protocols
Analysing Layered Security Protocols Thomas Gibson-Robinson St Catherine s College University of Oxford A thesis submitted for the degree of Doctor of Philosophy Trinity 2013 Abstract Many security protocols
More informationComputability and Complexity Theory: An Introduction
Computability and Complexity Theory: An Introduction meena@imsc.res.in http://www.imsc.res.in/ meena IMI-IISc, 20 July 2006 p. 1 Understanding Computation Kinds of questions we seek answers to: Is a given
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationStrand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001
Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001 Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction
More informationP = k T IME(n k ) Now, do all decidable languages belong to P? Let s consider a couple of languages:
CS 6505: Computability & Algorithms Lecture Notes for Week 5, Feb 8-12 P, NP, PSPACE, and PH A deterministic TM is said to be in SP ACE (s (n)) if it uses space O (s (n)) on inputs of length n. Additionally,
More informationChapter 10 Elliptic Curves in Cryptography
Chapter 10 Elliptic Curves in Cryptography February 15, 2010 10 Elliptic Curves (ECs) can be used as an alternative to modular arithmetic in all applications based on the Discrete Logarithm (DL) problem.
More informationA simple procedure for finding guessing attacks (Extended Abstract)
A simple procedure for finding guessing attacks (Extended Abstract) Ricardo Corin 1 and Sandro Etalle 1,2 1 Dept. of Computer Science, University of Twente, The Netherlands 2 CWI, Center for Mathematics
More informationModeling and Verifying Ad Hoc Routing Protocols
Modeling and Verifying Ad Hoc Routing Protocols Mathilde Arnaud, Véronique Cortier and Stéphanie Delaune LORIA, CNRS & INRIA Nancy Grand Est, France Email: cortier@loria.fr LSV, ENS Cachan & CNRS & INRIA
More informationDr George Danezis University College London, UK
Dr George Danezis University College London, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationComputability and Complexity CISC462, Fall 2018, Space complexity 1
Computability and Complexity CISC462, Fall 2018, Space complexity 1 SPACE COMPLEXITY This material is covered in Chapter 8 of the textbook. For simplicity, we define the space used by a Turing machine
More informationCS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing
Lecture 11: Key Management, Secret Sharing Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Key Management Secret Sharing Shamir s Threshold
More informationCircuits. Lecture 11 Uniform Circuit Complexity
Circuits Lecture 11 Uniform Circuit Complexity 1 Recall 2 Recall Non-uniform complexity 2 Recall Non-uniform complexity P/1 Decidable 2 Recall Non-uniform complexity P/1 Decidable NP P/log NP = P 2 Recall
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationMPRI Course on Concurrency. Lecture 14. Application of probabilistic process calculi to security
MPRI Course on Concurrency Lecture 14 Application of probabilistic process calculi to security Catuscia Palamidessi LIX, Ecole Polytechnique kostas@lix.polytechnique.fr www.lix.polytechnique.fr/~catuscia
More informationDefinition: conp = { L L NP } What does a conp computation look like?
Space Complexity 28 Definition: conp = { L L NP } What does a conp computation look like? In NP algorithms, we can use a guess instruction in pseudocode: Guess string y of x k length and the machine accepts
More informationIdentifying an Honest EXP NP Oracle Among Many
Identifying an Honest EXP NP Oracle Among Many Shuichi Hirahara The University of Tokyo CCC 18/6/2015 Overview Dishonest oracle Honest oracle Queries Which is honest? Our Contributions Selector 1. We formulate
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More informationNP-completeness was introduced by Stephen Cook in 1971 in a foundational paper.
NP Completeness NP-completeness was introduced by Stephen Cook in 1971 in a foundational paper. Leonid Levin independently introduced the same concept and proved that a variant of SAT is NP-complete. 1.
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationSecurity Protocols and Application Final Exam
Security Protocols and Application Final Exam Solution Philippe Oechslin and Serge Vaudenay 25.6.2014 duration: 3h00 no document allowed a pocket calculator is allowed communication devices are not allowed
More informationDynamic Noninterference Analysis Using Context Sensitive Static Analyses. Gurvan Le Guernic July 14, 2007
Dynamic Noninterference Analysis Using Context Sensitive Static Analyses Gurvan Le Guernic July 14, 2007 1 Abstract This report proposes a dynamic noninterference analysis for sequential programs. This
More informationSums of Products. Pasi Rastas November 15, 2005
Sums of Products Pasi Rastas November 15, 2005 1 Introduction This presentation is mainly based on 1. Bacchus, Dalmao and Pitassi : Algorithms and Complexity results for #SAT and Bayesian inference 2.
More informationA Theory of Dictionary Attacks and its Complexity
A Theory of Dictionary Attacks and its Complexity Stéphanie Delaune, Florent Jacquemard To cite this version: Stéphanie Delaune, Florent Jacquemard. A Theory of Dictionary Attacks and its Complexity. 17th
More informationUmans Complexity Theory Lectures
Umans Complexity Theory Lectures Lecture 12: The Polynomial-Time Hierarchy Oracle Turing Machines Oracle Turing Machine (OTM): Deterministic multitape TM M with special query tape special states q?, q
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationReview of unsolvability
Review of unsolvability L L H To prove unsolvability: show a reduction. To prove solvability: show an algorithm. Unsolvable problems (main insight) Turing machine (algorithm) properties Pattern matching
More informationECash and Anonymous Credentials
ECash and Anonymous Credentials CS/ECE 598MAN: Applied Cryptography Nikita Borisov November 9, 2009 1 E-cash Chaum s E-cash Offline E-cash 2 Anonymous Credentials e-cash-based Credentials Brands Credentials
More informationAnonymous Proxy Signature with Restricted Traceability
Anonymous Proxy Signature with Restricted Traceability Jiannan Wei Joined work with Guomin Yang and Yi Mu University of Wollongong Outline Introduction Motivation and Potential Solutions Anonymous Proxy
More informationAUTOMATED VERIFICATION OF ASYMMETRIC ENCRYPTION. Van Chan NGO
AUTOMATED VERIFICATION OF ASYMMETRIC ENCRYPTION Van Chan NGO June 2008 Acknowledgements I would like to thank Cristian ENE, Yassine LAKHNECH for their tremendous support as thesis advisors, and also for
More informationCS154, Lecture 17: conp, Oracles again, Space Complexity
CS154, Lecture 17: conp, Oracles again, Space Complexity Definition: conp = { L L NP } What does a conp computation look like? In NP algorithms, we can use a guess instruction in pseudocode: Guess string
More informationLecture 8: Complete Problems for Other Complexity Classes
IAS/PCMI Summer Session 2000 Clay Mathematics Undergraduate Program Basic Course on Computational Complexity Lecture 8: Complete Problems for Other Complexity Classes David Mix Barrington and Alexis Maciel
More informationCircuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.
Circuit Complexity Circuit complexity is based on boolean circuits instead of Turing machines. A boolean circuit with n inputs computes a boolean function of n variables. Now, identify true/1 with yes
More information6-1 Computational Complexity
6-1 Computational Complexity 6. Computational Complexity Computational models Turing Machines Time complexity Non-determinism, witnesses, and short proofs. Complexity classes: P, NP, conp Polynomial-time
More informationThe Sizes of Skeletons: Security Goals are Decidable
The Sizes of Skeletons: Security Goals are Decidable Joshua D. Guttman and F. Javier Thayer The MITRE Corporation guttman, jt@mitre.org Abstract. We show how to collapse executions of a cryptographic protocol,
More informationIntroduction to Interactive Proofs & The Sumcheck Protocol
CS294: Probabilistically Checkable and Interactive Proofs January 19, 2017 Introduction to Interactive Proofs & The Sumcheck Protocol Instructor: Alessandro Chiesa & Igor Shinkar Scribe: Pratyush Mishra
More informationRandomized Complexity Classes; RP
Randomized Complexity Classes; RP Let N be a polynomial-time precise NTM that runs in time p(n) and has 2 nondeterministic choices at each step. N is a polynomial Monte Carlo Turing machine for a language
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationCoordination. Failures and Consensus. Consensus. Consensus. Overview. Properties for Correct Consensus. Variant I: Consensus (C) P 1. v 1.
Coordination Failures and Consensus If the solution to availability and scalability is to decentralize and replicate functions and data, how do we coordinate the nodes? data consistency update propagation
More informationAlgebraic Dynamic Programming. Solving Satisfiability with ADP
Algebraic Dynamic Programming Session 12 Solving Satisfiability with ADP Robert Giegerich (Lecture) Stefan Janssen (Exercises) Faculty of Technology Summer 2013 http://www.techfak.uni-bielefeld.de/ags/pi/lehre/adp
More informationLecture 20: conp and Friends, Oracles in Complexity Theory
6.045 Lecture 20: conp and Friends, Oracles in Complexity Theory 1 Definition: conp = { L L NP } What does a conp computation look like? In NP algorithms, we can use a guess instruction in pseudocode:
More informationDefinition: Alternating time and space Game Semantics: State of machine determines who
CMPSCI 601: Recall From Last Time Lecture 3 Definition: Alternating time and space Game Semantics: State of machine determines who controls, White wants it to accept, Black wants it to reject. White wins
More information6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti
6.897: Advanced Topics in Cryptography Lecturer: Ran Canetti Focus for first half (until Spring Break): Foundations of cryptographic protocols Goal: Provide some theoretical foundations of secure cryptographic
More informationImpossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs
Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs Dafna Kidron Yehuda Lindell June 6, 2010 Abstract Universal composability and concurrent general composition
More informationMSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano ISSS 2003,
More informationA Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures
A Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures Véronique Cortier LORIA, Nancy, France CNRS & INRIA Project Cassis cortier@loria.fr Michael Rusinowitch
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationDetecting Wormhole Attacks in Wireless Networks Using Local Neighborhood Information
Detecting Wormhole Attacks in Wireless Networks Using Local Neighborhood Information W. Znaidi M. Minier and JP. Babau Centre d'innovations en Télécommunication & Intégration de services wassim.znaidi@insa-lyon.fr
More informationCOMPLEXITY THEORY. Lecture 17: The Polynomial Hierarchy. TU Dresden, 19th Dec Markus Krötzsch Knowledge-Based Systems
COMPLEXITY THEORY Lecture 17: The Polynomial Hierarchy Markus Krötzsch Knowledge-Based Systems TU Dresden, 19th Dec 2017 Review: ATM vs. DTM Markus Krötzsch, 19th Dec 2017 Complexity Theory slide 2 of
More informationLOGIC PROPOSITIONAL REASONING
LOGIC PROPOSITIONAL REASONING WS 2017/2018 (342.208) Armin Biere Martina Seidl biere@jku.at martina.seidl@jku.at Institute for Formal Models and Verification Johannes Kepler Universität Linz Version 2018.1
More informationMonotonic Set-Extended Prefix Rewriting and Verification of Recursive Ping-Pong Protocols
Monotonic Set-Extended Prefix Rewriting and Verification of Recursive Ping-Pong Protocols Giorgio Delzanno 1, Javier Esparza 2 and Jiří Srba 3 1 Dipartimento di Informatica e Scienze dell Informazione
More information