Automated Verification of Privacy in Security Protocols:
|
|
- Ginger Reed
- 5 years ago
- Views:
Transcription
1 Automated Verification of Privacy in Security Protocols: Back and Forth Between Theory & Practice LSV, ENS Paris-Saclay, Université Paris-Saclay, CNRS April 21st 2017 PhD advisors: David Baelde & Stéphanie Delaune
2 Automated Verification of Privacy in Security Protocols 2 /36
3 Security Protocols Once upon a time... Attack at dawn 3 /36
4 Security Protocols Once upon a time... Attack at dawn 3 /36
5 Security Protocols Once upon a time...? Attack at dawn hscpzf df zdad Attack at dawn 3 /36
6 Security Protocols Remote Key Open Car #41 Car #41 Car #41 4 /36
7 Security Protocols Remote Key Attack: steals Open Car #41 Car #41 4 /36
8 Security Protocols Remote Key X X Car #41 Car #41 generate random X 4 /36
9 Security Protocols Remote Key Attack: tracks (attack on unlinkability) Car #41 4 /36
10 Security Protocols Remote Key Attack: tracks (attack on unlinkability) Car??? = = 4 /36
11 Security Protocols Remote Key X X, Y Car #41 generate random X Car #41 generate random Y End of attack/fix cycle? 4 /36
12 Secure? Extremely complex setting unsecure network active attacker parties running concurrently 5 /36
13 Secure? Extremely complex setting unsecure network active attacker parties running concurrently Formal methods mathematical & exhaustive analysis formal guarantees automated & mechanised 5 /36
14 Automated Verification of Privacy in Security Protocols 6 /36
15 Symbolic Model Cryptographic primitives assumed perfect primitives modelled as function symbols & equational theory e.g., enc(, ), dec(, ) & dec(enc(m, k), k) = m 7 /36
16 Symbolic Model Cryptographic primitives assumed perfect primitives modelled as function symbols & equational theory e.g., enc(, ), dec(, ) & dec(enc(m, k), k) = m Security protocols in a process algebra each party process P = in(x). new Y. out(enc((x, Y ), k)) 7 /36
17 Symbolic Model Cryptographic primitives assumed perfect primitives modelled as function symbols & equational theory e.g., enc(, ), dec(, ) & dec(enc(m, k), k) = m Security protocols in a process algebra each party process P = in(x). new Y. out(enc((x, Y ), k)) Attacker = network (worst case scenario) eavesdrop: he learns all protocol outputs injections: he chooses all protocol inputs Benefit: high level of automation! 7 /36
18 Symbolic Model Big Picture Protocol s specification X X, Y e.g. Security goal cannot steal 8 /36
19 Symbolic Model Big Picture Protocol s specification X X, Y Protocol s model P = in(x). new Y. out(enc((x, Y ), k)) P =... e.g. Security goal cannot steal Unreachability of bad states e.g. States( knows k) 8 /36
20 Symbolic Model Big Picture Protocol s specification X X, Y Protocol s model P = in(x). new Y. out(enc((x, Y ), k)) P =... Undecidable Reachability in a transition system? # sessions s choices e.g. Security goal cannot steal Unreachability of bad states e.g. States( knows k) 8 /36
21 Symbolic Model Big Picture Protocol s specification X X, Y Protocol s model P = in(x). new Y. out(enc((x, Y ), k)) P =... Undecidable between transition systems e.g. Privacy goal cannot track between scenarios e.g.,, 8 /36
22 Two Approaches for Verifying Automatically Decision for < sessions < branching bounded # sessions bound the number of sessions symbolic semantics finite description of exhaustive exploration of symbolic executions Tools: Apte, Akiss, Spec 9 /36
23 Two Approaches for Verifying Automatically Decision for < sessions Semi-decision for sessions Real attack < branching False attack bounded # sessions bound the number of sessions symbolic semantics finite description of exhaustive exploration of symbolic executions Tools: Apte, Akiss, Spec over-approximations of & semantics strong form of (i.e. diff-equivalence) Tools: ProVerif, Tamarin, Maude-NPA 9 /36
24 Limitation of Decision Procedures Decision for < sessions < branching bounded # sessions bound the number of sessions symbolic semantics finite description of exhaustive exploration of symbolic executions Tools: Apte, Akiss, Spec States Space Explosion (concurrency) scales very badly PA: 1 sess. 1sec. vs. 3 sess. >2days 10 /36
25 Limitation of Decision Procedures Decision for < sessions < branching Contributions Partial Order Reduction techniques adequate for security & integration (proof & implem) bounded # sessions bound the number of sessions symbolic semantics finite description of exhaustive exploration of symbolic executions Tools: Apte, Akiss, Spec POST 14 & CONCUR 15 States Space Explosion (concurrency) scales very badly PA: 1 sess. 1sec. vs. 3 sess. >2days 10 /36
26 Limitation of Semi-decision Procedures Semi-decision for sessions Real attack False attack Serious Precision Issue (privacy) systematic false attacks (unlinkability) e.g. e-passport, RFID protocols, over-approximations of & semantics strong form of (i.e. diff-equivalence) Tools: ProVerif, Tamarin, Maude-NPA 11 /36
27 Limitation of Semi-decision Procedures Semi-decision for sessions Contributions Real attack Privacy via Sufficient Conditions 2 conditions unlinkability & ano. automatic verification (our tool UKano) False attack new proofs/attacks on real-life protocols Serious Precision Issue (privacy) S&P 16 systematic false attacks (unlinkability) e.g. e-passport, RFID protocols, over-approximations of & semantics strong form of (i.e. diff-equivalence) Tools: ProVerif, Tamarin, Maude-NPA 11 /36
28 Introduction I Model II Partial Order Reduction III Privacy via Sufficient Conditions IV Conclusion
29 Applied π-calculus Model of messages: Term algebra Function symbols enc(, ), dec(, ) Equational theory = E Model of protocols: Process calculus dec(enc(x, y), y) = E x Process: P, Q := 0 null in(c, x).p input out(c, m).p output if Test then P else Q conditional P Q parallel! P replication new X.P creation of name 13 /36
30 Applied π-calculus Model of messages: Term algebra Function symbols enc(, ), dec(, ) Equational theory = E Model of protocols: Process calculus dec(enc(x, y), y) = E x Process: P, Q := 0 null in(c, x).p input out(c, m).p output if Test then P else Q conditional P Q parallel! P replication new X.P creation of name Frame (ϕ): the set of messages revealed to ( s knowledge) Configuration: A = (P; ϕ) ϕ = { w }{{} 1 enc(m, k), w 2 k} }{{} handle out. message 13 /36
31 Applied-π - Semantics Recipes: terms built using handles e.g. R = dec(w 1, w 2 ) Rϕ = E m for ϕ = {w 1 enc(m, k), w 2 k} How builds messages from its knowledge 14 /36
32 Applied-π - Semantics Recipes: terms built using handles e.g. R = dec(w 1, w 2 ) Rϕ = E m for ϕ = {w 1 enc(m, k), w 2 k} How builds messages from its knowledge Protocol s output: ({out(c, u).p } P; ϕ) out(c,w) ({P } P; ϕ {w u}) if w fresh Protocol s input: u ({in(c, x).p } P; ϕ) in(c,r) ({P {x Rϕ}} P; ϕ) + expected rules for conditional (modulo = E ) & others RΦ controls all the network 14 /36
33 Applied-π - Trace Equivalence Static Equivalence (intuitively) Φ Ψ when dom(φ) = dom(ψ) and for all tests, it holds on Φ it holds on Ψ (modulo = E ) Trace Equivalence A B: for any A t A there exists B t B such that Φ(A ) Φ(B ) (and the converse). 15 /36
34 Trace Equivalence: Example k = k = = 0 enc(0, k) 0 enc(0, k ) Key k Key k P P P P P = in(c, x).out(c, enc(x, k)) P = in(c, x).out(c, enc(x, k )) (P P ; ) in(c,0).out(c,w 1).in(c,0).out(c,w 2 ) ( ; {w 1 enc(0, k), w 2 enc(0, k)}) (P P ; ) in(c,0).out(c,w 1).in(c,0).out(c,w 2 ) ( ; {w 1 enc(0, k), w 2 enc(0, k )}) 16 /36
35 Introduction I Model II Partial Order Reduction III Privacy via Sufficient Conditions IV Conclusion
36 States Space Explosion Problem in(c, M 1 ) out(c, w 1 ) in(c, M 2 ) out(c, w 2 ) 18 /36
37 States Space Explosion Problem in(c, M 1 ) in(c, M 1 ) in(c, M 1 ) in(c, M 2 ) out(c, w 1 ) in(c, M 2 ) out(c, w 2 ) in(c, M 2 ) out(c, w 1 ) out(c, w 2 ) in(c, M 2 ) out(c, w 2 ) out(c, w 1 ) in(c, M 1 ) out(c, w 1 ) out(c, w 2 ) in(c, M 2 ) in(c, M 2 ) in(c, M 1 ) out(c, w 2 ) out(c, w 1 ) out(c, w 2 ) in(c, M 1 ) out(c, w 1 ) Example: Private Authentication protocol Verification of anonymity: 1 session 1 second 2 sessions 1 hour 3 sessions >2 days 2 parties, 4 actions (with APTE) 18 /36
38 1 st Type of Redundancies & Compression out(c 1, m 1 ) out(c 2, m 2 ) out(c 1, w 1 ).out(c 2, w 2 ) out(c 2, w 2 ).out(c 1, w 1 ) = in(c 1, x 1 ) out(c 2, m 2 ) in(c 1, M 1 ).out(c 2, w 2 ) out(c 2, w 2 ).in(c 1, M 1 ) M 1 = 0 M 1 = w 2 M 1 = dec(w 2, 0) 19 /36
39 1 st Type of Redundancies & Compression out(c 1, m 1 ) out(c 2, m 2 ) out(c 1, w 1 ).out(c 2, w 2 ) out(c 2, w 2 ).out(c 1, w 1 ) in(c 1, x 1 ) out(c 2, m 2 ) Goal: do not explore states in(c 1, M 1 ).out(c 2, w 2 ) out(c 2, w 2 ).in(c 1, M 1 ) M 1 = 0 M 1 = w 2 M 1 = dec(w 2, 0) + generic class Compressed semantics c exploration strategy based on nature of available actions actions are executed in a row blocks (big steps) indep. from data 19 /36
40 2 nd Type of Redundancies & Reduction M 2 = 0 M 2 = w 1 IO c1 (M 1, w 1 ).IO c2 (M 2, w 2 ) in(c 1, x 1 ).out(c 1, m 1 ) in(c 2, x 2 ).out(c 2, m 2 ), IO c2 (M 2, w 2 ).IO c1 (M 1, w 1 ) M 1 = 0 M 1 = w 2 Goal: do not explore twice states in the area + generic class 20 /36
41 2 nd Type of Redundancies & Reduction M 2 = 0 M 2 = w 1 IO c1 (M 1, w 1 ).IO c2 (M 2, w 2 ) in(c 1, x 1 ).out(c 1, m 1 ) in(c 2, x 2 ).out(c 2, m 2 ), IO c2 (M 2, w 2 ).IO c1 (M 1, w 1 ) M 1 = 0 M 1 = w 2 Goal: do not explore twice states in the area + generic class Reduced semantics r refines further c by analyzing data exploration strategy relying on data dependencies M 1 needs w 2 : M 1 w 2 20 /36
42 Soundness & Completeness Reachability: soundness & completeness of r / c w.r.t. same states are reachable Equivalence is more involved and requires additional assumption Action-determinacy A is action-deterministic if: two reachable actions in parallel must be Attacker knows to/from whom he is sending/receiving messages. Theorem: r = c = Let A and B be two action-deterministic configurations. A r B A c B A B 21 /36
43 Integration, Implementation & Practical Impact Integration in symbolic & constraints solving setting Proof of soundness of integration in APTE Fully implemented in the distributed version of APTE github.com/apte Selection of benchmarks: seconds reference compression reduction nb. of parallel processes Toy example seconds reference compression reduction nb. of parallel processes Wide Mouthed Frog New scenarios & protocols can be analysed 22 /36
44 Introduction I Model II Partial Order Reduction III Privacy via Sufficient Conditions IV Conclusion
45 Unlinkability [ISO/IEC 15408] Ensuring that a user may make multiple uses of a service or resource without others being able to link these uses together. 1 user 2 sessions Id 1 Id 1 Id 2 24 /36
46 Unlinkability [ISO/IEC 15408] Ensuring that a user may make multiple uses of a service or resource without others being able to link these uses together. Id 5 Id 4 Id 3 Id 2 users sessions Id 1 Id 1 Id 2 Id 3 Id 4 Id 5!new Id.!new Sess. P?!new Id. new Sess. P 24 /36
47 Unlinkability [ISO/IEC 15408] Ensuring that a user may make multiple uses of a service or resource without others being able to link these uses together. Id 5 Id 4 Id 3 Id 2 users sessions Id 1 Id 1 Id 2 Id 3 Id 4 Id 5 M =!new Id.!new Sess. (P P )?!new Id. new Sess. (P P ) = S Strong Unlinkability [Arapinis, Chothia, Ritter, Ryan CSF 10] 24 /36
48 Unlinkability [ISO/IEC 15408] Ensuring that a user may make multiple uses of a service or resource without others being able to link these uses together. Id 5 Id 4 Id 3 Id 2 users sessions Id 1 Id 1 Id 2 Id 3 Id 4 Id 5 M =!new Id.!new Sess. (P P )?!new Id. new Sess. (P P ) = S never diff-equivalent (false attacks) 24 /36
49 Contributions between simpler systems with precise verification Unlinkability & Anonymity Reachability property Theory 2 conditions implying unlinkability and anonymity for a large class of 2-party protocols for any crypto. primitives each condition is fundamentally simpler & captures key ingredient Practice our conditions can be checked automatically using encodings we provide tool support for that: UKano Applications new proofs & attacks on real-life protocols e.g. e-passport 25 /36
50 Class of Protocols 2-party Protocols Intuitively, a party P is a process of the form: P ::= 0 in(c, x). if Test then out(c, u).p else P else P else ::= 0 out(c, u ) Two parties: I (initiator) & R (responder) Example: R = P I = P = in(c, x).out(c, enc(x, k)) = out(c, X).in(c, z). if dec(z, k) = X then out(c, open) M =!new k.!new X.(I R) S =!new k. new X.(I R) 26 /36
51 1 st Class: Leaks through Relations over Messages k = k = = 0 enc(0, k) 0 enc(0, k ) For some behaviour relation over messages that leaks info about identities. Key k R[k, sess 1] Key k R[k, sess 2] 27 /36
52 1 st Class: Leaks through Relations over Messages Problem For some s behaviours, relations over messages leak info about involved agents. Ideas of our condition preventing such attacks Avoid rel. R: R holds specific mapping [sessions identities] e.g. w 1 = E w 2 [sess 1 id, sess 2 id] Introduce Ideal(Φ): frame one obtains for [session fresh identity] 1 st Condition: Frame Opacity For all M t (P; Φ), we have that Φ Ideal(Φ). Example: Φ = {w 1 enc(0, k), w 2 enc(0, k)} Ideal(Φ) = {w enc(0, k 1 ), w 2 enc(0, k 2 )} 28 /36
53 2 nd Class: Leaks through Conditionals Outcomes So, let s introduce two modifications... enc( challenge, X, k) Key k new X enc( X, Y, k) Key k new Y 29 /36
54 2 nd Class: Leaks through Conditionals Outcomes Attack: tracks enc( challenge, X, k) enc( challenge, X, k) Key k new X enc( X, Y, k) Key k new Y enc( challenge, X, k) Abort Abort Key k 29 /36
55 2 nd Class: Leaks through Conditionals Outcomes Problem For some s behaviours, conditionals outcomes leak info about involved agents. Ideas of our condition preventing such attacks Expected: does not interfere conditionals Problems when: did interfere conditionals / binary info about agents Require: conditional did not interfere 2 nd Condition: Well-Authentication For any execution of M, if an agent I(id, sess) successfully passes a test, he must be interacting honestly with some unique R(id, sess ). 30 /36
56 Main Result Theorem For any protocol in our class, for any term algebra: Frame Opacity & Well-Authentication } { Unlinkability & Anonymity Idea of the proof M t (P; Φ) S t (Q; Ψ) with Φ Ψ Seen as exchanges between threads: [id,session] Rename ids to pairwise distinct ids (keeping connected threads together) Goal: (i) still executable & (ii) frames (i) Have honest interactions stable by our renaming + Well-Authentication (ii) Stability of Ideal( ) by renamings + Frame Opacity 31 /36
57 Practical Impact Mechanisation & UKano Benefit: each condition is fundamentally simpler Unlinkability:.. Frame Opacity:. Well-Authentication:.Reach Both conditions can be automatically verified using ProVerif & encodings Well-Authentication: just reachability properties Frame Opacity: checkable with good precision via diff-equivalence Tool: UKano (built on top of ProVerif) Automatically checks our conditions 32 /36
58 Practical Impact Case Studies: verification of unlinkability (UK) RFID protocols FO WA UK Feldhofer safe Hash-Lock safe LAK (stateless) Fixed LAK safe [*] FO WA UK DAA sign safe DAA join safe abcdh (irma) safe e-passport FO WA UK BAC safe BAC/PA/AA safe PACE (fallible dec) PACE (missing test) PACE PACE with tags safe Our conditions are tight Established new proofs and found new attacks using UKano Was impossible before: systematic false attacks except for [*] 33 /36
59 Practical Impact Case Studies: verification of unlinkability (UK) RFID protocols FO WA UK Feldhofer safe Hash-Lock safe LAK (stateless) Fixed LAK safe [*] FO WA UK DAA sign safe DAA join safe abcdh (irma) safe e-passport FO WA UK BAC safe BAC/PA/AA safe PACE (fallible dec) PACE (missing test) PACE PACE with tags safe Our conditions are tight Established new proofs and found new attacks using UKano Was impossible before: systematic false attacks except for [*] 33 /36
60 Introduction I Model II Partial Order Reduction III Privacy via Sufficient Conditions IV Conclusion
61 Summary Decision for < sessions Semi-decision for sessions Issue: scales too badly Verification of in symbolic model Issue: not precise enough Verification of privacy for real-life protocols 35 /36
62 Summary Decision for < sessions Semi-decision for sessions POR Techniques Privacy via Sub-Conditions Issue: scales too badly Verification of in symbolic model Issue: not precise enough Implem + Benchmarks Tool + New Proofs/Attacks Verification of privacy for real-life protocols 35 /36
63 Future Work Decision for < sessions Drop action-determinacy assumption Semi-decision for sessions POR for backward search (e.g. Tamarin) POR Techniques Privacy via Sub-Conditions Issue: scales too badly Verification of in symbolic model Issue: not precise enough Verification of privacy for real-life protocols 36 /36
64 Future Work Decision for < sessions Drop action-determinacy assumption POR for backward search (e.g. Tamarin) Semi-decision for sessions Extend the class: stateful & > 2 parties Verification of FO via reachability: UK & ANO. pure reachability POR Techniques Privacy via Sub-Conditions Issue: scales too badly Verification of in symbolic model Issue: not precise enough Verification of privacy for real-life protocols 36 /36
65 Future Work Decision for < sessions Drop action-determinacy assumption POR for backward search (e.g. Tamarin) Semi-decision for sessions Extend the class: stateful & > 2 parties Verification of FO via reachability: UK & ANO. pure reachability Adapt for bounded case + benefit from POR POR Techniques Privacy via Sub-Conditions Issue: scales too badly Verification of in symbolic model Issue: not precise enough Verification of privacy for real-life protocols 36 /36
66 Future Work Decision for < sessions Drop action-determinacy assumption POR for backward search (e.g. Tamarin) Semi-decision for sessions Extend the class: stateful & > 2 parties Verification of FO via reachability: UK & ANO. pure reachability Adapt for bounded case + benefit from POR POR Techniques Privacy via Sub-Conditions Issue: scales too badly Verification of in symbolic model Issue: not precise enough Verification of privacy for real-life protocols Generic approach: Exploit in broader contexts & Infer guidelines for PETs 36 /36
67 Future Work Decision for < sessions Drop action-determinacy assumption POR for backward search (e.g. Tamarin) Semi-decision for sessions Extend the class: stateful & > 2 parties Verification of FO via reachability: UK & ANO. pure reachability Adapt for bounded case + benefit from POR POR Techniques Privacy via Sub-Conditions Issue: scales too badly Verification of in symbolic model Issue: not precise enough Verification of privacy for real-life protocols Generic approach: Exploit in broader contexts & Infer guidelines for PETs Ready to guide analysis/design/standardisation? 36 /36
68 Backup Slides
69 Compressed Strategy Compressed semantics c Polarities: Negative: out().p, (P 1 P 2 ), 0 & Positive: in().p Negative: explored greedily, in a given order e.g. c 1 < c 2 Positive: explored only when Negative, chooses one and put it under focus focus is released when becomes begative Replication:! a c,np is positive but releases the focus. 34 /36
70 Reduced Strategy We assume an arbitrary order over blocks priority order. Reduced Semantics r r explores a block b after a trace t only when: c explores t.b and t b. Informally, t b means: there is no way to swap b towards the beginning of t before a block b 0 b (even by modifying recipes) Theorem: r = Let A and B be two action-deterministic configurations. A B if, and, only if, A r B. 35 /36
71 POR & Trace Equivalence What about trace equivalence ( c )? e.g., (in(c 1, x) out(c 2, m)) (out(c 2, m).in(c 1, x)) same swaps are possible ( same sequential dependencies) Lemma: A, B action-det, A B same sequential dependencies 36 /36
Analysing privacy-type properties in cryptographic protocols
Analysing privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Wednesday, January 14th, 2015 S. Delaune (LSV) Verification of cryptographic protocols 14th
More informationA process algebraic analysis of privacy-type properties in cryptographic protocols
A process algebraic analysis of privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Saturday, September 6th, 2014 S. Delaune (LSV) Verification of cryptographic
More informationComplexity of automatic verification of cryptographic protocols
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic
More informationVerification of Security Protocols in presence of Equational Theories with Homomorphism
Verification of Security Protocols in presence of Equational Theories with Homomorphism Stéphanie Delaune France Télécom, division R&D, LSV CNRS & ENS Cachan February, 13, 2006 Stéphanie Delaune (FT R&D,
More informationMSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano ISSS 2003,
More informationAutomatic, computational proof of EKE using CryptoVerif
Automatic, computational proof of EKE using CryptoVerif (Work in progress) Bruno Blanchet blanchet@di.ens.fr Joint work with David Pointcheval CNRS, École Normale Supérieure, INRIA, Paris April 2010 Bruno
More informationStrand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001
Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001 Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction
More informationA method for proving observational equivalence
A method for proving observational equivalence Véronique Cortier LORIA, CNRS & INRIA Nancy Grand Est France Email: cortier@loria.fr Stéphanie Delaune LSV, ENS Cachan & CNRS & INRIA Saclay France Email:
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University
More informationVerification of the TLS Handshake protocol
Verification of the TLS Handshake protocol Carst Tankink (0569954), Pim Vullers (0575766) 20th May 2008 1 Introduction In this text, we will analyse the Transport Layer Security (TLS) handshake protocol.
More informationThe Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability
The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Catherine Meadows Naval Research Laboratory, Washington, DC 20375 catherine.meadows@nrl.navy.mil Formal Methods for the Science of
More informationCryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March
More informationNo#ons of Privacy: ID- Hiding, Untrace- ability, Anonymity & Deniability
No#ons of Privacy: ID- Hiding, Untrace- ability, Anonymity & Deniability Paris, 19/03/2014 CIDRE Cristina Onete Meet the girl Need authentication Marie-Claire Cris%na Onete 19/03/2014 2 Secure Authentication
More informationA simple procedure for finding guessing attacks (Extended Abstract)
A simple procedure for finding guessing attacks (Extended Abstract) Ricardo Corin 1 and Sandro Etalle 1,2 1 Dept. of Computer Science, University of Twente, The Netherlands 2 CWI, Center for Mathematics
More informationNSL Verification and Attacks Agents Playing Both Roles
NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality
More informationAbstractions and Decision Procedures for Effective Software Model Checking
Abstractions and Decision Procedures for Effective Software Model Checking Prof. Natasha Sharygina The University of Lugano, Carnegie Mellon University Microsoft Summer School, Moscow, July 2011 Lecture
More informationRound-Efficient Multi-party Computation with a Dishonest Majority
Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationTime-Bounding Needham-Schroeder Public Key Exchange Protocol
Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek
More informationDynamic Noninterference Analysis Using Context Sensitive Static Analyses. Gurvan Le Guernic July 14, 2007
Dynamic Noninterference Analysis Using Context Sensitive Static Analyses Gurvan Le Guernic July 14, 2007 1 Abstract This report proposes a dynamic noninterference analysis for sequential programs. This
More informationProving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''
More informationGeorge Danezis Microsoft Research, Cambridge, UK
George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationD1.1 - A taxonomy of process equivalences: the communication model revisited
D1.1 - A taxonomy of process equivalences: the communication model revisited Kushal Babel 1, Vincent Cheval 2, Steve Kremer 2 1 IIT Bombay 2 LORIA, Inria Nancy & CNRS & Université de Lorraine, France Automated,
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationNotes on BAN Logic CSG 399. March 7, 2006
Notes on BAN Logic CSG 399 March 7, 2006 The wide-mouthed frog protocol, in a slightly different form, with only the first two messages, and time stamps: A S : A, {T a, B, K ab } Kas S B : {T s, A, K ab
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationSelf-Adaptation and Information Flow in Multiparty Communications
Self-Adaptation and Information Flow in Multiparty Communications Joint work with Ilaria Castellani (INRIA, FR) Jorge A. Pérez (University of Groningen, NL) ABCD meeting London, 20th April, 2015 1 / 36
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationGroup Diffie Hellman Protocols and ProVerif
Group Diffie Hellman Protocols and ProVerif CS 395T - Design and Analysis of Security Protocols Ankur Gupta Secure Multicast Communication Examples: Live broadcast of a match, stock quotes, video conferencing.
More informationModel Checking: An Introduction
Model Checking: An Introduction Meeting 3, CSCI 5535, Spring 2013 Announcements Homework 0 ( Preliminaries ) out, due Friday Saturday This Week Dive into research motivating CSCI 5535 Next Week Begin foundations
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationValentin Goranko Stockholm University. ESSLLI 2018 August 6-10, of 29
ESSLLI 2018 course Logics for Epistemic and Strategic Reasoning in Multi-Agent Systems Lecture 5: Logics for temporal strategic reasoning with incomplete and imperfect information Valentin Goranko Stockholm
More informationHistorical cryptography. cryptography encryption main applications: military and diplomacy
Historical cryptography cryptography encryption main applications: military and diplomacy ancient times world war II Historical cryptography All historical cryptosystems badly broken! No clear understanding
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationLecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.
CS 221: Computational Complexity Prof. Salil Vadhan Lecture Notes 17 March 31, 2010 Scribe: Jonathan Ullman 1 Interactive Proofs ecall the definition of NP: L NP there exists a polynomial-time V and polynomial
More informationComposition of Password-based Protocols
Composition of Password-based Protocols Stéphanie Delaune LSV, ENS Cachan & CNRS & INRIA France Mark Ryan School of Computer Science Birmingham University, UK Steve Kremer LSV, ENS Cachan & CNRS & INRIA
More informationAutomata-based Verification - III
COMP30172: Advanced Algorithms Automata-based Verification - III Howard Barringer Room KB2.20: email: howard.barringer@manchester.ac.uk March 2009 Third Topic Infinite Word Automata Motivation Büchi Automata
More informationOne Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil One Year Later ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano
More informationMPRI Course on Concurrency. Lecture 14. Application of probabilistic process calculi to security
MPRI Course on Concurrency Lecture 14 Application of probabilistic process calculi to security Catuscia Palamidessi LIX, Ecole Polytechnique kostas@lix.polytechnique.fr www.lix.polytechnique.fr/~catuscia
More informationLengths may break privacy or how to check for equivalences with length
Lengths may break privacy or how to check for equivalences with length Vincent Cheval 1, Véronique Cortier 2, and Antoine Plet 2 1 LSV, ENS Cachan & CNRS & INRIA, France 2 LORIA, CNRS, France Abstract.
More informationImpossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs
Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs Dafna Kidron Yehuda Lindell June 6, 2010 Abstract Universal composability and concurrent general composition
More informationA Computationally Complete Symbolic Attacker for Equivalence Properties
A Computationally Complete Symbolic Attacker for Equivalence Properties ABSTRACT Gergei Bana INRIA Paris-Rocquencourt Paris, France bana@math.upenn.edu We consider the problem of computational indistinguishability
More informationLecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007
G22.3033-013 Exposure-Resilient Cryptography 17 January 2007 Lecturer: Yevgeniy Dodis Lecture 1 Scribe: Marisa Debowsky 1 Introduction The issue at hand in this course is key exposure: there s a secret
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationThe State Explosion Problem
The State Explosion Problem Martin Kot August 16, 2003 1 Introduction One from main approaches to checking correctness of a concurrent system are state space methods. They are suitable for automatic analysis
More informationTerm Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool
Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar Departamento de Sistemas Informáticos y Computación Universitat Politècnica de València sescobar@dsic.upv.es
More informationExtending ProVerif s Resolution Algorithm for Verifying Group Protocols
Extending ProVerif s Resolution Algorithm for Verifying Group Protocols Miriam Paiola miriam.paiola@ens.fr Ecole Normale Supérieure June 25, 2010 Extending ProVerif s Resolution Algorithm, for Verifying
More informationAn undecidability result for AGh
Theoretical Computer Science 368 (2006) 161 167 Note An undecidability result for AGh Stéphanie Delaune www.elsevier.com/locate/tcs France Télécom R&D, Lab. Spécification & Vérification, CNRS & ENS de
More informationCHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
INSTITUT FÜR INFORMATIK UND PRAKTISCHE MATHEMATIK A Constraint-Based Algorithm for Contract-Signing Protocols Detlef Kähler, Ralf Küsters Bericht Nr. 0503 April 2005 CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
More informationAutomata-based analysis of recursive cryptographic protocols
1 Automata-based analysis of recursive cryptographic protocols Thomas Wilke Joint work with Ralf Küsters Christian-Albrechts-Universität zu Kiel June 13, 2004 Un-/Decidability of security in the DY model
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationAsymmetric Unification: A New Unification Paradigm for Cryptographic Protocol Analysis
Asymmetric Unification: A New Unification Paradigm for Cryptographic Protocol Analysis Serdar Erbatur 6, Santiago Escobar 1, Deepak Kapur 2, Zhiqiang Liu 3, Christopher Lynch 3, Catherine Meadows 4, José
More informationAlgorithmic verification
Algorithmic verification Ahmed Rezine IDA, Linköpings Universitet Hösttermin 2018 Outline Overview Model checking Symbolic execution Outline Overview Model checking Symbolic execution Program verification
More informationAutomata-based Verification - III
CS3172: Advanced Algorithms Automata-based Verification - III Howard Barringer Room KB2.20/22: email: howard.barringer@manchester.ac.uk March 2005 Third Topic Infinite Word Automata Motivation Büchi Automata
More informationAn Undecidability Result for AGh
An Undecidability Result for AGh Stéphanie Delaune France Télécom R&D, Lab. Spécification & Vérification, CNRS & ENS de Cachan, France. Abstract We present an undecidability result for the verification
More informationLecture Notes on Compositional Reasoning
15-414: Bug Catching: Automated Program Verification Lecture Notes on Compositional Reasoning Matt Fredrikson Ruben Martins Carnegie Mellon University Lecture 4 1 Introduction This lecture will focus on
More informationOblivious Transfer in Incomplete Networks
Oblivious Transfer in Incomplete Networks Varun Narayanan and Vinod M. Prabahakaran Tata Institute of Fundamental Research, Mumbai varun.narayanan@tifr.res.in, vinodmp@tifr.res.in bstract. Secure message
More informationSemantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr
Semantic Equivalences and the Verification of Infinite-State Systems Richard Mayr Department of Computer Science Albert-Ludwigs-University Freiburg Germany Verification of Infinite-State Systems 1 c 2004
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationCommunication security: Formal models and proofs
Commnication secrity: Formal models and proofs Hbert Comon September 1, 2016 1 Introdction to protocol secrity The context (I) credit cards contactless cards telephones online transactions cars, fridges,...
More informationAlgebraic Trace Theory
Algebraic Trace Theory EE249 Roberto Passerone Material from: Jerry R. Burch, Trace Theory for Automatic Verification of Real-Time Concurrent Systems, PhD thesis, CMU, August 1992 October 21, 2002 ee249
More informationTackling Fibonacci words puzzles by finite countermodels
Tackling Fibonacci words puzzles by finite countermodels Alexei Lisitsa 1 Department of Computer Science, The University of Liverpool A.Lisitsa@csc.liv.ac.uk Abstract. In the paper we present an automated
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationInformation Flow Analysis via Path Condition Refinement
Information Flow Analysis via Path Condition Refinement Mana Taghdiri, Gregor Snelting, Carsten Sinz Karlsruhe Institute of Technology, Germany FAST September 16, 2010 KIT University of the State of Baden-Wuerttemberg
More informationFormal Proofs of Security Protocols
Formal Proofs of Security Protocols David Baelde, ENS Paris-Saclay February 3, 2019 (work in progress) Contents 1 Model 2 1.1 Terms.............................................. 2 1.1.1 Equational theory..................................
More informationModel checking the basic modalities of CTL with Description Logic
Model checking the basic modalities of CTL with Description Logic Shoham Ben-David Richard Trefler Grant Weddell David R. Cheriton School of Computer Science University of Waterloo Abstract. Model checking
More informationAlgebraic Trace Theory
Algebraic Trace Theory EE249 Presented by Roberto Passerone Material from: Jerry R. Burch, Trace Theory for Automatic Verification of Real-Time Concurrent Systems, PhD thesis, CMU, August 1992 October
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationA Brief Introduction to Model Checking
A Brief Introduction to Model Checking Jan. 18, LIX Page 1 Model Checking A technique for verifying finite state concurrent systems; a benefit on this restriction: largely automatic; a problem to fight:
More informationClassical Verification of Quantum Computations
Classical Verification of Quantum Computations Urmila Mahadev UC Berkeley September 12, 2018 Classical versus Quantum Computers Can a classical computer verify a quantum computation? Classical output (decision
More informationNon-Conversation-Based Zero Knowledge
Non-Conversation-Based Zero Knowledge JOËL ALWEN Università di Salerno 84084 Fisciano (SA) ITALY jfa237@nyu.edu GIUSEPPE PERSIANO Università di Salerno 84084 Fisciano (SA) ITALY giuper@dia.unisa.it Submission
More informationFormal Verification of Mobile Network Protocols
Dipartimento di Informatica, Università di Pisa, Italy milazzo@di.unipi.it Pisa April 26, 2005 Introduction Modelling Systems Specifications Examples Algorithms Introduction Design validation ensuring
More informationEncoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania
Encoding security protocols in the cryptographic λ-calculus Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania An obvious fact Security is important Cryptography is a major way to
More informationThe Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security
The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security Carlos Olarte and Frank D. Valencia INRIA /CNRS and LIX, Ecole Polytechnique Motivation Concurrent
More informationQuantum Wireless Sensor Networks
Quantum Wireless Sensor Networks School of Computing Queen s University Canada ntional Computation Vienna, August 2008 Main Result Quantum cryptography can solve the problem of security in sensor networks.
More information6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti
6.897: Advanced Topics in Cryptography Lecturer: Ran Canetti Focus for first half (until Spring Break): Foundations of cryptographic protocols Goal: Provide some theoretical foundations of secure cryptographic
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationA Tableau Calculus for Minimal Modal Model Generation
M4M 2011 A Tableau Calculus for Minimal Modal Model Generation Fabio Papacchini 1 and Renate A. Schmidt 2 School of Computer Science, University of Manchester Abstract Model generation and minimal model
More informationDr George Danezis University College London, UK
Dr George Danezis University College London, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More informationFormal Avenue for Chasing Metamorphic Malware
Formal Avenue for Chasing Metamorphic Malware Mila Dalla Preda University of Verona, Italy Joint work with Roberto Giacobazzi, Saumya Debray, Arun Lakhotia presented by Isabella Mastroeni CREST, May 30th
More informationCIS 4930/6930: Principles of Cyber-Physical Systems
CIS 4930/6930: Principles of Cyber-Physical Systems Chapter 11 Scheduling Hao Zheng Department of Computer Science and Engineering University of South Florida H. Zheng (CSE USF) CIS 4930/6930: Principles
More informationModel Checking. Boris Feigin March 9, University College London
b.feigin@cs.ucl.ac.uk University College London March 9, 2005 Outline 1 2 Techniques Symbolic 3 Software 4 Vs. Deductive Verification Summary Further Reading In a nutshell... Model checking is a collection
More informationHoare Logic: Reasoning About Imperative Programs
Hoare Logic: Reasoning About Imperative Programs COMP1600 / COMP6260 Dirk Pattinson Australian National University Semester 2, 2018 Programming Paradigms Functional. (Haskell, SML, OCaml,... ) main paradigm:
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationAnalysing Layered Security Protocols
Analysing Layered Security Protocols Thomas Gibson-Robinson St Catherine s College University of Oxford A thesis submitted for the degree of Doctor of Philosophy Trinity 2013 Abstract Many security protocols
More information5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes
5th March 2004 Unconditional Security of Quantum Key Distribution With Practical Devices Hermen Jan Hupkes The setting Alice wants to send a message to Bob. Channel is dangerous and vulnerable to attack.
More informationVote-Independence: A Powerful Privacy Notion for Voting Protocols
: Powerful Privacy Notion for Voting Protocols Université Grenoble 1, CNRS, Verimag FPS 2011: May 13, 2011 Plan Introduction 1 Introduction What is electronic voting? n ttack on Privacy in Helios 2 Privacy
More informationCS154, Lecture 18: 1
CS154, Lecture 18: 1 CS 154 Final Exam Wednesday December 12, 12:15-3:15 pm STLC 111 You re allowed one double-sided sheet of notes Exam is comprehensive (but will emphasize post-midterm topics) Look for
More informationControl Flow Analysis of Security Protocols (I)
Control Flow Analysis of Security Protocols (I) Mikael Buchholtz 02913 F2005 Mikael Buchholtz p. 1 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography 02913 F2005
More informationA Calculus for Control Flow Analysis of Security Protocols
International Journal of Information Security manuscript No. (will be inserted by the editor) A Calculus for Control Flow Analysis of Security Protocols Mikael Buchholtz, Hanne Riis Nielson, Flemming Nielson
More informationCPSA and Formal Security Goals
CPSA and Formal Security Goals John D. Ramsdell The MITRE Corporation CPSA Version 2.5.1 July 8, 2015 Contents 1 Introduction 3 2 Syntax 6 3 Semantics 8 4 Examples 10 4.1 Needham-Schroeder Responder.................
More informationExpressing Dynamics of Mobile Programs by Typing
5 th Slovakian-Hungarian Joint Symposium on Applied Machine Intelligence and Informatics January 25-26, 2007 Poprad, Slovakia Expressing Dynamics of Mobile Programs by Typing Martin Tomášek Department
More informationarxiv: v1 [cs.cr] 27 May 2016
Towards the Automated Verification of Cyber-Physical Security Protocols: Bounding the Number of Timed Intruders Vivek Nigam 1, Carolyn Talcott 2 and Abraão Aires Urquiza 1 arxiv:1605.08563v1 [cs.cr] 27
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More information