The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability
Slide 1: The Maude-NRL Protocol Analyzer, Lecture 3: Asymmetric Unification and Indistinguishability
Catherine Meadows, Naval Research Laboratory, Washington, DC
Formal Methods for the Science of Security Summer School, University of Illinois, July 22-26
Slide 2: Outline
1 Asymmetric Unification and the Finite Variant Property
  - Background
  - Definition and Implementation of Asymmetric Unification
  - New Research in Asymmetric Unification
2 Indistinguishability
  - Background in Symbolic Indistinguishability
  - Our Notion of Indistinguishability
Slide 3: The Problem
Protocol analysis tools often depend on syntactic properties of terms that fail to be invariant under equational theories:
- Check for nonces appearing as subterms
  - Logical systems (CPSA, PCL, PDL): to determine which actions should precede others
  - Maude-NPA: to rule out unreachable states
- Depth of terms
  - ProVerif: option to ensure termination
- Syntactic pattern matching
  - Maude-NPA: to rule out infinite search paths
In this lecture I'll describe how we're dealing with this problem in Maude-NPA, and how we think our techniques could be applied to other unification tools.
Slide 4: An Example
Start with exclusive-or: ⊕ is AC, with the additional equations x ⊕ 0 = x and x ⊕ x = 0.
Consider the following protocol:
1. A → B : pke(B, N_A)
2. B → A : N_B ⊕ N_A
A checks that the message she receives is Z ⊕ N_A for some Z.
How it works in Maude-NPA:
::r::[nil, +(pke(b,n(a,r))), -(z [+] n(a,r)), nil]
Unify Z [+] n(a,r) with some term in the intruder's knowledge.
So, what if Z = Y ⊕ N_A?
Slide 5: How We Handle This in Maude-NPA
- Express the equational theory as R ∪ AC, where R = {X ⊕ 0 → X, X ⊕ X → 0, X ⊕ X ⊕ X → X}
  - Nonce containment is invariant under AC
  - R is a set of rewrite rules, convergent and terminating wrt AC
- Find all the possible reduced forms of Z [+] n(a,r) wrt R. There are two:
  - < Z [+] n(a,r), id >
  - < Y, Z / Y [+] n(a,r) >
- One strand for each reduced form:
  ::r::[nil, +(pke(b,n(a,r))), -(z [+] n(a,r)), nil]
  ::r::[nil, +(pke(b,n(a,r))), -(y), nil]
- Include constraints that negative terms in strands are irreducible wrt R
- Any further substitution made in the search process must obey these constraints
Slide 6: Three Things We Need to Make This Work
1. Characterize theories in which every term has a finite number of reduced forms. We understand this: it is equivalent to the finite variant property.
2. Unification algorithms giving a set of mgu's Σ for x =? y such that for all σ ∈ Σ, σy is irreducible. We call this asymmetric unification. Variant narrowing has this property; we are looking for more efficient algorithms.
3. Combine these into a sound and complete search strategy.
These lectures will concern 1 and 2; 3 will be covered in Santiago Escobar's lecture.
Slide 7: Variants and the Finite Variant Property
Let (Σ, R, E) be an equational theory, where R is a set of rewrite rules confluent, terminating and coherent wrt E. Let t be a term.
- A variant of t is a pair (θ, θt↓), where θt↓ is the R,E-normal form of θt.
- A set of most general variants of t is a set of variants V such that for every variant (θ, θt↓) there is a variant (σ, σt↓) ∈ V such that θ = τσ and θt↓ = τ(σt↓).
- A theory (Σ, E ∪ R) has the finite variant property if every term has a finite most general set of variants.
Example: find a set of most general variants of d(Y, Z) in ({e/2, d/2}, {d(K, e(K, X)) → X}, ∅).
We already know how to do it: narrowing! Perform all possible narrowing steps on d(Y, Z). The set is {(ι, d(Y, Z)), (Z/e(K, X), X)}.
Note: the concept of variants and finite variants is originally due to Comon and Delaune, 2005; we use a slightly stronger definition of variant due to Escobar et al.
Slide 8: What Has the Finite Variant Property, and What Hasn't
Finite variant theories:
- R = {X + 0 = X, X + (−X) = 0}, E = AC
- R = {exp(exp(X, Y), Z) = exp(X, Y * Z)}, E = AC (for *)
- Various forms of cancellation of encryption-decryption
Non finite variant theory:
- h homomorphic over an operator * (it doesn't matter whether * is free or AC). If t = h(X), then Σ = {ι, X/X1 * X2, X/X1 * X2 * X3, ...}
Sufficient and/or necessary conditions for the finite variant property were studied by Escobar, Sasse, and Meseguer, 2008. A method for using narrowing to compute a most general set of variants, guaranteed to terminate for theories with the finite variant property, is given in Escobar, Sasse, and Meseguer, 2012.
Slide 9: Using Variant Narrowing to Satisfy Irreducibility Constraints in Protocol Analysis
- For each strand St in a specification, compute a most general set of variants V of the negative terms
- For each variant (σ, t), create a new strand σSt
- Each time a positive term s is unified with a term t in the intruder knowledge, use asymmetric unification to find a complete set of unifiers of s and t that leave t irreducible, as well as all negative terms already present in the state
Slide 11: Asymmetric Unification
Let (Σ, R, E) be an equational theory, where R is a set of rewrite rules confluent, terminating and coherent wrt E.
A solution to an asymmetric unification problem s_1 =? t_1, ..., s_k =? t_k is a substitution σ such that
1. for each i, σs_i = σt_i (modulo the theory), and
2. for each i, σt_i is irreducible.
A set Θ is a most general set of asymmetric unifiers of P if for any asymmetric unifier σ there is a θ ∈ Θ such that σ = τθ for some τ.
Slide 12: Some Examples from XOR
1. c =? X ⊕ Y: S-unifiable, but not A-unifiable.
2. a ⊕ b =? X ⊕ Y: σ = [X ↦ Y ⊕ a ⊕ b] is a most general S-unifier, but not an A-unifier. {[X ↦ a, Y ↦ b], [X ↦ b, Y ↦ a]} is a set of most general A-unifiers.
3. X =? Y ⊕ Z: [Y ↦ X ⊕ Z] is a most general S-unifier but not an A-unifier. [X ↦ Y ⊕ Z] is equivalent, but is an A-unifier.
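To make the S-unifier versus A-unifier distinction of slides 11 and 12 concrete (and the reduced forms of slide 5), here is an added Python checker that is not part of the lecture or of Maude-NPA: it normalises terms modulo R ∪ AC for exclusive-or, tests whether a given substitution is a symmetric unifier and whether it is additionally an asymmetric unifier (the instantiated right-hand side must be irreducible), and runs the three slide-12 problems through it. The term encoding and function names are my own assumptions.

```python
"""Symmetric vs asymmetric unifier checker modulo exclusive-or.

Added example, not Maude-NPA code. Term encoding (my assumption):
  - a constant or variable is a string; variables start with an upper-case
    letter and '0' is the XOR identity
  - an XOR of k arguments is ('xor', t1, ..., tk)
  - any other application is (name, arg1, ..., argn), e.g. ('n', 'a', 'r')
R contains X+0 -> X and X+X -> 0 (with pairs cancelled under any AC
arrangement), and AC is the axiom set: a term is R-irreducible modulo AC
when normalising it changes nothing beyond AC reordering.
"""

def is_var(t):
    return isinstance(t, str) and t[0].isupper()

def ac_flatten(t):
    """Canonical form modulo AC only: flatten nested XORs and sort the
    arguments, applying no rewrite rule. Two terms are AC-equal iff their
    ac_flatten forms coincide."""
    if isinstance(t, str):
        return t
    if t[0] == 'xor':
        args = []
        for a in t[1:]:
            a = ac_flatten(a)
            if isinstance(a, tuple) and a[0] == 'xor':
                args.extend(a[1:])
            else:
                args.append(a)
        return ('xor',) + tuple(sorted(args, key=repr))
    return (t[0],) + tuple(ac_flatten(a) for a in t[1:])

def normalize(t):
    """R,AC-normal form: flatten, drop the identity 0 and cancel pairs; an
    argument occurring an odd number of times survives exactly once."""
    if isinstance(t, str):
        return t
    if t[0] == 'xor':
        counts = {}
        for a in t[1:]:
            a = normalize(a)
            parts = a[1:] if isinstance(a, tuple) and a[0] == 'xor' else (a,)
            for p in parts:
                if p != '0':
                    counts[p] = counts.get(p, 0) + 1
        survivors = sorted((p for p, c in counts.items() if c % 2 == 1), key=repr)
        if not survivors:
            return '0'
        if len(survivors) == 1:
            return survivors[0]
        return ('xor',) + tuple(survivors)
    return (t[0],) + tuple(normalize(a) for a in t[1:])

def equal_mod(s, t):
    """Equality modulo R ∪ AC."""
    return normalize(s) == normalize(t)

def irreducible(t):
    """True iff no rule of R applies anywhere in t (modulo AC)."""
    return ac_flatten(t) == normalize(t)

def apply_subst(t, sigma):
    if isinstance(t, str):
        return sigma.get(t, t) if is_var(t) else t
    return (t[0],) + tuple(apply_subst(a, sigma) for a in t[1:])

def is_sym_unifier(s, t, sigma):
    return equal_mod(apply_subst(s, sigma), apply_subst(t, sigma))

def is_asym_unifier(s, t, sigma):
    """Slide 11: sigma must unify s and t AND leave sigma(t) irreducible."""
    s1, t1 = apply_subst(s, sigma), apply_subst(t, sigma)
    return equal_mod(s1, t1) and irreducible(t1)

def classify(s, t, sigma):
    if is_asym_unifier(s, t, sigma):
        return 'A-unifier'
    if is_sym_unifier(s, t, sigma):
        return 'S-unifier only'
    return 'not a unifier'

if __name__ == '__main__':
    XY = ('xor', 'X', 'Y')
    # slide 12, problem 1: c =? X+Y
    print(classify('c', XY, {'X': ('xor', 'c', 'Y')}))            # S-unifier only
    # problem 2: a+b =? X+Y
    print(classify(('xor', 'a', 'b'), XY, {'X': ('xor', 'Y', 'a', 'b')}))  # S-unifier only
    print(classify(('xor', 'a', 'b'), XY, {'X': 'a', 'Y': 'b'}))  # A-unifier
    # problem 3: X =? Y+Z
    print(classify('X', ('xor', 'Y', 'Z'), {'Y': ('xor', 'X', 'Z')}))  # S-unifier only
    print(classify('X', ('xor', 'Y', 'Z'), {'X': ('xor', 'Y', 'Z')}))  # A-unifier
    # slide 5: the second reduced form of Z [+] n(a,r) under Z -> Y [+] n(a,r)
    print(normalize(apply_subst(('xor', 'Z', ('n', 'a', 'r')),
                                {'Z': ('xor', 'Y', ('n', 'a', 'r'))})))   # Y
```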
Slide 13: Using Variant Narrowing to Find a Most General Set of Asymmetric Unifiers
Let (Σ, R, E) be an equational theory, where R is a set of rewrite rules confluent, terminating and coherent wrt E. Furthermore, assume that (Σ, R, E) has the finite variant property. Given a problem s =? t:
1. Use variant narrowing to find a set of most general variants V of s.
2. Discard any (σ, σs↓) ∈ V such that σt is reducible.
3. For each remaining (σ, σs↓), find a set of mgu's of σs↓ =? σt.
4. Discard any unifier θ such that θσt or θσs↓ is reducible.
5. The remaining set is a set of most general asymmetric unifiers.
Can we do better (e.g. faster)?
Slide 15: Next Step: Asymmetric Unification (AU) as a Problem in its Own Right
- As far as we can tell, no one had studied this before
- Variant narrowing is the only existing AU algorithm we found
What we have found so far:
- AU is at least as hard as symmetric unification (SU): any SU problem s =? t can be turned into the AU problem s =? X, t =? X
- AU is strictly harder than SU: XOR without any other symbols is in P for SU but NP-complete for AU
- SU can be unitary while AU is not (XOR)
- There exist theories for which SU is decidable but AU is not
We are working on a general approach for converting symmetric unification algorithms to asymmetric unification algorithms, and have applied it to unification in the XOR theory.
Slide 16: Outline for a General Procedure
Start with a decomposition R ∪ E and a unification algorithm. Given a problem x =? y, find a complete set of unifiers Σ using the symmetric algorithm. For each σ ∈ Σ:
1. If σ is an A-unifier, keep it
2. If not, see if there is an equivalent A-unifier σ', and if so, replace σ with σ'
3. If not, apply 1) and 2) to more completely instantiated versions of σ and replace it with those
4. If none of those work, discard σ
The application to exclusive-or is given in Erbatur et al.; the paper also includes experimental results.
Slide 17: Open Questions
- How much will we be able to improve on the performance of variant narrowing?
- How applicable is the general approach to finding complete sets of A-unifiers?
- What are the best ways of decomposing theories?
Slide 18: How Do We Choose to Decompose a Theory into R ∪ E?
- Constraint 1: R must have the finite variant property wrt E
- Constraint 2: E should be regular: any variable on the rhs of a rewrite rule should also appear on the lhs
- Regularity of E is necessary so that any nonce subterm appears in all members of an E-equivalence class
Slide 19: A Case in Which These Constraints Cause Problems: Homomorphic Encryption Over Abelian Groups
- Operators are the Abelian group operator *, the encryption operator e, the inverse operator inv, and the unary operator 0
- * is AC
- Other equations are e(K, X) * e(K, Y) = e(K, X * Y), X * 0 = 0, X * inv(X) = 0
- Plus others added to get coherence
What goes in E?
- Commutativity can't be a rewrite rule, so it goes in E
- Associativity without commutativity is not finitary, so it goes in E too
- e(K, X) * e(K, Y) = e(K, X * Y) doesn't have the finite variant property, so it goes in E too
- X * inv(X) = 0 must go in R, because it's not regular
Unification in the resulting E-theory is undecidable!
Slide 20: Solutions We're Investigating
- Force the homomorphic encryption theory to have the finite variant property by limiting the number of times the equation can be applied. This gives completeness when we can put bounds on the number of encryptions needed to break the protocol
- Modify state space reduction methods to allow some non-regular rules to appear in E. E.g. don't judge a state unreachable based on a nonce underneath the homomorphic encryption operator
- Embed the equational theory in a larger decidable theory
Slide 21: Some Experimental Results
[Table with columns Unif. Problem, T. V, # V, T. D, # D, % T., % #; the timing and count values did not survive extraction. The rows are XOR unification problems over nonces such as NS1 ⊕ NS2 =? NS3 ⊕ N_A, NS1 ⊕ NS2 =? N_A and NS1 ⊕ NS2 =? null.]
Slide 22: Some More Experimental Results
[Table with columns Unif. Problem, T. A-V, # A-V, T. D-A, # D-A, % T., % #; each row combines several of the problems below (SP4 with SP1, SP5 with SP1, ..., SP12 with SP1 and SP2), and the timing and count values did not survive extraction.]
Table: Other Unification Problems
SP1 = M1 ⊕ M2 =? M1 ⊕ M2
SP2 = M1 ⊕ M3 =? M1 ⊕ M3
SP3 = M1 ⊕ M4 =? M1 ⊕ M4
SP4 = M1 ⊕ M2 ⊕ M3 =? a ⊕ b
SP5 = M1 ⊕ M2 ⊕ M3 =? a ⊕ b ⊕ c
SP6 = M1 ⊕ M2 ⊕ M3 =? a ⊕ b ⊕ c ⊕ d
SP7 = M1 ⊕ M2 ⊕ M3 =? a ⊕ b ⊕ c ⊕ d ⊕ e
SP8 = M1 ⊕ M2 ⊕ M3 ⊕ M4 =? a
SP9 = M1 ⊕ M2 ⊕ M3 ⊕ M4 =? a ⊕ b
SP10 = M1 ⊕ M2 ⊕ M3 ⊕ M4 =? a ⊕ b ⊕ c
SP11 = M1 ⊕ M2 ⊕ M3 ⊕ M4 =? a ⊕ b ⊕ c ⊕ d
SP12 = M1 ⊕ M2 ⊕ M3 ⊕ M4 =? a ⊕ b ⊕ c ⊕ d ⊕ e
Slide 24: What is Indistinguishability?
- A concept used to reason about security in cryptographic algorithms and protocols
- Example: chosen plaintext security. The attacker chooses messages m_1 and m_2, receives an encrypted message that could be e(k, m_1) or e(k, m_2), performs tests on the message, then tries to guess which one it is
- Indistinguishability is particularly useful for reasoning about protocols that protect low-entropy data:
  - Defense against password guessing attacks
  - Voting
  - Anonymous routing
  - Privacy-preserving database queries
Slide 26: The Dolev-Yao Model and Symbolic Verification
- Gives a way of reasoning about crypto protocols symbolically
- Messages represented by a message algebra, built out of variables, constants, and function symbols; the function symbols satisfy an equational theory describing the algebraic properties of the cryptosystems
- Principals interact with an intruder who can create, alter, and redirect messages
- Amenable to verification via model-checkers
Properties traditionally verified in the Dolev-Yao model:
- The attacker can't get secrets in the clear
- Authentication
What about indistinguishability?
Slide 27: Indistinguishability and the Dolev-Yao Model
Two main sources:
- Abadi and Fournet's definition of observational equivalence and its realization in terms of labeled bisimulation
- Lowe's work on password guessing attacks
Basic idea: represent tests by
- The attacker applying function symbols to terms and comparing results: [x1, h(x1)] and [x2, h(x1)] are distinguishable from each other, since the first list satisfies h(l1) = l2 but the second does not
- The attacker sending messages to principals and seeing what happens: the same thing should happen for the two different versions of the protocol
Slide 28: State of the Art Now
- A number of approaches following the same general paradigm
- Trace equivalence: can the attacker distinguish between two traces?
- The algebraic properties of cryptosystems that can be handled are limited
- Main tool: ProVerif under restricted algebraic properties
  - Uses a stronger notion than observational equivalence, uniformity, defined in terms of state reachability: two instances of the protocol are run in lockstep, and a bad state is one in which they diverge
  - Subterm convergent rewrite rules, but not AC rules
- Work on extensions of ProVerif for special cases: the extensions implement methods for representing equational theories in theories that can be handled by ProVerif
Slide 29: Research Problems We Are Addressing
- Can indistinguishability be formally defined in terms of state reachability in general and easy-to-understand terms?
- Are there sound and complete methods for verifying indistinguishability modulo algebraic properties?
- How general can we make an approach based on state reachability?
- Can such methods be integrated into the Maude-NPA tool?
Slide 31: Our Approach
- Like ProVerif, run two instances of the protocol in lockstep
- We introduce a pairing operation on protocols, ⊗
- For us, a bad state is one in which one half of the pair is reachable and the other isn't
Slide 32: Protocol Pairing
Given two protocols P1 and P2, we define a protocol pairing ⟨P1, P2⟩ in terms of the strand representation iff
1. P1 and P2 share the same equational theory of messages and message functions
2. P1 and P2 share the same intruder strands
3. There is a correspondence between protocol strands of P1 and P2 such that two corresponding strands
   - have the same length
   - have output and input messages in the same order
   - can differ in the actual messages
Slide 33: Synchronous Product of Protocols
Given a protocol pairing ⟨P1, P2⟩ such that P1 = (Σ_P, E_P, T_P1) and P2 = (Σ_P, E_P, T_P2), a synchronous product of P1 and P2,
P1 ⊗ P2 = (Σ_P ∪ {⊗}, E_P, T_P1 ⊗ T_P2),
is a new protocol where the strands of P1 ⊗ P2 are obtained by zipping together each strand of P1 and its corresponding strand from P2.
Slide 34: Example of Synchronous Product of Protocols
Protocol P1:
(Alice) :: r1, r2 :: [ +(k(a, B, r1)), +(e(k(a, B, r1), n(a, r2))) ]
(Bob) :: nil :: [ −(Key), −(e(Key, N_A)) ]
Protocol P2:
(Alice) :: r1, r2, r3 :: [ +(k(a, B, r3)), +(e(k(a, B, r1), n(a, r2))) ]
(Bob) :: nil :: [ −(Key1), −(e(Key2, N_A)) ]
Synchronous product P1 ⊗ P2:
(Alice) :: r1, r2, r3 :: [ +(k(a, B, r1) ⊗ k(a, B, r3)), +(e(k(a, B, r1), n(a, r2)) ⊗ e(k(a, B, r1), n(a, r2))) ]
& (Bob) :: nil :: [ −(Key ⊗ Key1), −(e(Key, N_A) ⊗ e(Key2, N_A)) ]
Slide 35: Properties of the Synchronous Product Operator
- Introduce a new type SingleMessage, with ⊗ : SingleMessage × SingleMessage → Message. This means that ⊗ can never be applied twice
- For any function f on messages, add the rewrite rule f(x1 ⊗ y1, ..., xk ⊗ yk) → f(x1, ..., xk) ⊗ f(y1, ..., yk). This allows principals in the synchronous product to apply functions to messages of the form s ⊗ t and produce another message of the form s' ⊗ t'
- Result: adding the synchronous product does not affect the rewrite semantics of Maude-NPA; it only extends the signature and the equational theory!
Slide 36: There's More...
- Maude-NPA unification makes extensive use of the decomposition of the equational theory into (Σ, R, E), where R is confluent, terminating, and coherent over E and has the finite variant property over E. The finite variant property means each term has a finite number of R-irreducible variants
- Theorem: if (Σ, R, E) has the finite variant property, so does its extension by ⊗
- Main difference: the resulting theory is strongly right irreducible only if R is empty. Strongly right irreducible: the right side of every rewrite rule remains irreducible under any irreducible substitution
- Strong right irreducibility is a requirement for Maude-NPA 2.0, but not for Maude-NPA 3.0, being developed on the new version of Maude with built-in variant narrowing. We are currently experimenting with this
Slide 37: Projections on the Synchronous Product of Protocols
Given a synchronous product of protocols P1 ⊗ P2, there are projections π1 : P1 ⊗ P2 → P1 and π2 : P1 ⊗ P2 → P2 from the states of the synchronous product to the states of each of these protocols such that π1 and π2 are simulation maps.
Example: π1 : {[ (m1 ⊗ m1')±, ..., (mn ⊗ mn')± ] & ...} ↦ {[ m1±, ..., mn± ] & ...}
Slide 38: Protocol Indistinguishability
We propose a formal definition of indistinguishability of two protocols as the conjunction of two more basic properties over a protocol pairing ⟨P1, P2⟩. First, some preliminaries are required.
Slide 39: Attacker Event Sequences
- The attacker has complete control over the network
- Therefore, the behavior of a protocol for an attacker can be reduced to a sequence of attacker events that are either (i) message sent/received events, or (ii) message manipulation actions
- Transitions from an initial state to any reachable state are performed via a sequence of attacker events of category (i) or (ii), called an attacker event sequence (AES)
- In Maude-NPA this corresponds to the fact that any state transition corresponds to an attacker event of either category (i) or (ii)
Slide 40: The Indistinguishability Notion in Maude-NPA
Two protocols P1 and P2 are indistinguishable iff:
1. P1 and P2 have indistinguishable attacker event sequences (IAES), and
2. P1 and P2 have indistinguishable messages (IM)
Slide 41: Indistinguishable Attacker Event Sequences (IAES)
Intuitive definition: P1 and P2 have indistinguishable AESs (IAES) if from any initial state the attacker is able to perform exactly the same type of event sequences for each protocol. Transitions are of the same type if they involve the same actions appearing in the synchronous product of strands at the same point of execution.
Formal definition: let ⟨P1, P2⟩ be a protocol pairing; then P1 and P2 satisfy the IAES property iff the projections π1 : P1 ⊗ P2 → P1 and π2 : P1 ⊗ P2 → P2 are both labeled bisimulations, where the type of transition corresponds to the label.
Slide 42: Indistinguishable Messages (IM)
Intuitive definition: the intruder can never perform two different AESs, say α and β, such that as a result of α and β the intruder either learns (i) the same message from P1 but different messages from P2, or (ii) different messages from P1 but the same message from P2.
Formal definition: a protocol pairing ⟨P1, P2⟩ satisfies the IM property iff from any initial state there is no reachable state in P1 ⊗ P2 with an intruder knowledge of either the form
(i) {(M ⊗ N ∈ I) & (M ⊗ N' ∈ I) & N ≠ N' & IK}, or
(ii) {(M ⊗ N ∈ I) & (M' ⊗ N ∈ I) & M ≠ M' & IK}
(*) Equality here is modulo the equational theory (Σ_P, E_P).
Slide 43: Implementing Indistinguishability in Maude-NPA
- No need to change the rewrite rule semantics
- The completeness of the Maude-NPA indistinguishability analysis is based on two facts
Slide 44: Fact 1: Satisfiability of IM
P1 and P2 satisfy the IM property iff no initial state can be backwards reached from an attack state of either the form
{ {(M ⊗ N ∈ I) & (M ⊗ N' ∈ I) & N ≠ N'} }, or
{ {(M ⊗ N ∈ I) & (M' ⊗ N ∈ I) & M ≠ M'} }
Slide 45: Example
:: r1, r2 :: [ +((n(a, r1); h(n(a, r1))) ⊗ (n(a, r2); h(n(a, r1)))) ]
does not satisfy IM, since the following initial state can be found in Maude-NPA:
:: r1, r2 :: [ +((n(a, r1); h(n(a, r1))) ⊗ (n(a, r2); h(n(a, r1)))) | nil ] &
:: nil :: [ −((n(a, r1); h(n(a, r1))) ⊗ (n(a, r2); h(n(a, r1)))), +(n(a, r1) ⊗ n(a, r2)) | nil ] &
:: nil :: [ −((n(a, r1); h(n(a, r1))) ⊗ (n(a, r2); h(n(a, r1)))), +(h(n(a, r1)) ⊗ h(n(a, r1))) | nil ] &
:: nil :: [ −(n(a, r1) ⊗ n(a, r2)), +(h(n(a, r1)) ⊗ h(n(a, r2))) | nil ] &
{ ((n(a, r1); h(n(a, r1))) ⊗ (n(a, r2); h(n(a, r1))) ∈ I) & (n(a, r1) ⊗ n(a, r2) ∈ I) & (h(n(a, r1)) ⊗ h(n(a, r1)) ∈ I) & (h(n(a, r1)) ⊗ h(n(a, r2)) ∈ I) & h(n(a, r1)) ≠ h(n(a, r2)) }
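As an added illustration of slides 35, 42, 44 and 45 (not code from the lecture or from Maude-NPA), the following Python script builds the intruder's knowledge over a synchronous product by applying projections and a hash componentwise to paired messages, as the rule f(x ⊗ y) → f(x) ⊗ f(y) permits, and then searches that knowledge for an IM violation of form (i) or (ii). It assumes a free equational theory (so equality is structural), a bound on the number of hash applications, and my own term encoding; the inputs are the slide-45 strand and a constructed variant in which each protocol hashes its own nonce.

```python
"""Bounded check of the Indistinguishable Messages (IM) property over a
synchronous product of two protocols.

Added example, not Maude-NPA code. Encoding (my assumption):
  - a single message is a string constant or a tuple: ('n', a, r) for a
    nonce, ('h', t) for a hash, ('pair', t1, t2) for the concatenation t1 ; t2
  - a paired message M (x) N of the synchronous product is the tuple (M, N)
The equational theory E_P is taken to be free, so "equal modulo E_P" is
structural equality. The intruder's manipulation actions are the two
projections and hashing, applied componentwise as the lecture's rewrite rule
f(x1 (x) y1, ..., xk (x) yk) -> f(x1, ..., xk) (x) f(y1, ..., yk) permits.
"""

def fst(t):
    """First projection of a concatenation; None if t is not a pair."""
    return t[1] if isinstance(t, tuple) and t[0] == 'pair' else None

def snd(t):
    """Second projection of a concatenation; None if t is not a pair."""
    return t[2] if isinstance(t, tuple) and t[0] == 'pair' else None

def hash_(t):
    return ('h', t)

ACTIONS = {'fst': fst, 'snd': snd, 'h': hash_}

def step(paired, action):
    """Apply one action to both halves of a paired message, i.e. push (x)
    outward through the function symbol. None when the action does not
    apply to one of the halves (the product protocol cannot perform it)."""
    left, right = ACTIONS[action](paired[0]), ACTIONS[action](paired[1])
    if left is None or right is None:
        return None
    return (left, right)

def intruder_closure(initial, max_hashes=1):
    """Saturate the intruder knowledge I under the actions, recording for
    each paired message the attacker event sequence (AES) that produced it.
    Hash applications are bounded so that the closure is finite."""
    known = {m: () for m in initial}          # paired message -> AES
    frontier = list(initial)
    while frontier:
        m = frontier.pop()
        aes = known[m]
        for action in ACTIONS:
            if action == 'h' and aes.count('h') >= max_hashes:
                continue
            new = step(m, action)
            if new is not None and new not in known:
                known[new] = aes + (action,)
                frontier.append(new)
    return known

def im_violation(known):
    """IM fails when two AESs yield paired messages that agree on one side
    and differ on the other (slide 42): (i) same P1 message, different P2
    messages; (ii) different P1 messages, same P2 message. Returns
    (case, first, second, AES of first, AES of second) or None."""
    msgs = list(known)
    for i, (m1, n1) in enumerate(msgs):
        for m2, n2 in msgs[i + 1:]:
            if m1 == m2 and n1 != n2:
                return ('i', (m1, n1), (m2, n2), known[(m1, n1)], known[(m2, n2)])
            if m1 != m2 and n1 == n2:
                return ('ii', (m1, n1), (m2, n2), known[(m1, n1)], known[(m2, n2)])
    return None

def check_im(initial_knowledge):
    """Attack-state search of slide 44, forwards and bounded: derive the
    knowledge and look for a witness of form (i) or (ii)."""
    return im_violation(intruder_closure(initial_knowledge))

# Constructed inputs. LEAKY is the slide-45 strand: P1 sends
# n(a,r1) ; h(n(a,r1)) while P2 sends n(a,r2) ; h(n(a,r1)). FRESH is a
# variant in which each protocol hashes its own nonce.
N1, N2 = ('n', 'a', 'r1'), ('n', 'a', 'r2')
LEAKY = [(('pair', N1, ('h', N1)), ('pair', N2, ('h', N1)))]
FRESH = [(('pair', N1, ('h', N1)), ('pair', N2, ('h', N2)))]

if __name__ == '__main__':
    # LEAKY: snd yields h(n(a,r1)) (x) h(n(a,r1)) while fst then h yields
    # h(n(a,r1)) (x) h(n(a,r2)): same P1 message, different P2 messages.
    print(check_im(LEAKY))
    print(check_im(FRESH))   # None: no distinguishing pair is derivable
```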
Slide 46: Fact 2: Satisfiability of IAES
If P1 and P2 satisfy the IM property in Maude-NPA, then they satisfy the IAES property iff no initial state can be backwards reached from any attack state of the form
1. {[ L | −(m1 ⊗ m2), L' ] & {(m1 ⊗ m2') ∈ I, m2 ≠ m2'}}, or
2. {[ L | −(m1 ⊗ m2), L' ] & {(m1' ⊗ m2) ∈ I, m1 ≠ m1'}}
Idea of proof: if one of the above conditions holds, then IAES can hold only if (m1 ⊗ m2) ∈ I, which would violate IM.
Slide 47: What Needs to Be Changed in Maude-NPA to Make This Work
- State space reduction techniques need to be reformulated to take the properties of paired protocols into account
- Need to revamp Maude-NPA to handle theories that are not strongly right irreducible. This was already planned and is under way
- Finding states defined in such generality is challenging for Maude-NPA: it increases state explosion and may require further improvements to state space reduction techniques. Techniques that would allow us to use more specialized state descriptions and maintain completeness would be useful
Slide 48: Current Status and Future Work
- Have developed new theoretical foundations and new analysis techniques for indistinguishability modulo algebraic properties
- Have used Maude-NPA to experiment with these techniques on simple examples
- Have begun experimenting with more complex examples with the development version of Maude-NPA
In future we plan to:
- Further develop the theoretical foundations: how does our definition of indistinguishability relate to others?
- Investigate how to adapt state space reduction techniques to the theory
- Explore the use of Maude-NPA on privacy-preserving protocols
Slide 49: Finite Variant Property and Narrowing References
- Hubert Comon-Lundh, Stéphanie Delaune: The Finite Variant Property: How to Get Rid of Some Algebraic Properties. RTA 2005.
- Santiago Escobar, José Meseguer, Ralf Sasse: Effectively Checking the Finite Variant Property. RTA 2008.
- Santiago Escobar, Ralf Sasse, José Meseguer: Folding variant narrowing and optimal variant termination. J. Log. Algebr. Program. 81(7-8), 2012.
Slide 50: Asymmetric Unification References
- Serdar Erbatur, Santiago Escobar, Deepak Kapur, Zhiqiang Liu, Christopher Lynch, Catherine Meadows, José Meseguer, Paliath Narendran, Sonia Santiago, Ralf Sasse. Effective Symbolic Protocol Analysis via Equational Irreducibility Conditions. In Proceedings of ESORICS 2012, Springer-Verlag.
- Serdar Erbatur, Santiago Escobar, Deepak Kapur, Zhiqiang Liu, Christopher Lynch, Catherine Meadows, José Meseguer, Paliath Narendran, Sonia Santiago, Ralf Sasse. Asymmetric unification: A new unification paradigm for cryptographic protocol analysis. In Proceedings of CADE 2013, Springer-Verlag, 2013.
Slide 51: Indistinguishability References
- Martin Abadi and Cedric Fournet. Mobile values, new names, and secure communication. In POPL. [Definition of observational equivalence for the applied pi calculus]
- Gavin Lowe. Analysing protocols subject to guessing attacks. Journal of Computer Security, 12(1):83-98.
- Bruno Blanchet, Martin Abadi, and Cedric Fournet. Automated Verification of Selected Equivalences for Security Protocols. Journal of Logic and Algebraic Programming, 75(1):3-51, February-March. [Shows how indistinguishability is handled in ProVerif]
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002 Outline Security Protocols
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationAutomated Verification of Privacy in Security Protocols:
Automated Verification of Privacy in Security Protocols: Back and Forth Between Theory & Practice LSV, ENS Paris-Saclay, Université Paris-Saclay, CNRS April 21st 2017 PhD advisors: David Baelde & Stéphanie
More informationProbabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Lincoln, P. Mateus, M. Mitchell Standard analysis methods Finite-state
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationOn the Automatic Analysis of Recursive Security Protocols with XOR
On the Automatic Analysis of Recursive Security Protocols with XOR Ralf Küsters 1 and Tomasz Truderung 2 1 ETH Zurich ralf.kuesters@inf.ethz.ch 2 University of Kiel, Wrocław University tomasz.truderung@ii.uni.wroc.pl
More informationEffectively Checking the Finite Variant Property
Effectively Checking the Finite Variant Property Santiago Escobar 1,José Meseguer 2, and Ralf Sasse 2 1 Universidad Politécnica de Valencia, Spain sescobar@dsic.upv.es 2 University of Illinois at Urbana-Champaign,
More informationA Rewriting-based Forwards Semantics for Maude-NPA
A Rewriting-based Forwards Semantics for Maude-NPA Santiago Escobar DSIC-ELP, Universitat Politècnica de València, Spain sescobar@dsic.upv.es Catherine Meadows Naval Research Laboratory, Washington DC,
More informationControl Flow Analysis of Security Protocols (I)
Control Flow Analysis of Security Protocols (I) Mikael Buchholtz 02913 F2005 Mikael Buchholtz p. 1 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography 02913 F2005
More informationCHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
INSTITUT FÜR INFORMATIK UND PRAKTISCHE MATHEMATIK A Constraint-Based Algorithm for Contract-Signing Protocols Detlef Kähler, Ralf Küsters Bericht Nr. 0503 April 2005 CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More informationDeciding the Security of Protocols with Commuting Public Key Encryption
Electronic Notes in Theoretical Computer Science 125 (2005) 55 66 www.elsevier.com/locate/entcs Deciding the Security of Protocols with Commuting Public Key Encryption Yannick Chevalier a,1 Ralf Küsters
More informationUNITARY UNIFICATION OF S5 MODAL LOGIC AND ITS EXTENSIONS
Bulletin of the Section of Logic Volume 32:1/2 (2003), pp. 19 26 Wojciech Dzik UNITARY UNIFICATION OF S5 MODAL LOGIC AND ITS EXTENSIONS Abstract It is shown that all extensions of S5 modal logic, both
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001 Outline I. Security Protocols II. MSR by Examples
More informationThe Logical Meeting Point of Multiset Rewriting and Process Algebra
MFPS 20 @ MU May 25, 2004 The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano ervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, D http://theory.stanford.edu/~iliano
More informationTime-Bounding Needham-Schroeder Public Key Exchange Protocol
Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek
More informationThe State Explosion Problem
The State Explosion Problem Martin Kot August 16, 2003 1 Introduction One from main approaches to checking correctness of a concurrent system are state space methods. They are suitable for automatic analysis
More informationMASTER S THESIS FROM FORMAL TO COMPUTATIONAL AUTHENTICITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY
DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY MASTER S THESIS MICHAEL GARDE FROM FORMAL TO COMPUTATIONAL AUTHENTICITY AN APPROACH FOR RECONCILING FORMAL AND COMPUTATIONAL
More informationDecidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation
Decidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation Vitaly Shmatikov SRI International shmat@csl.sri.com Abstract. We demonstrate that the symbolic trace reachability
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationCryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 23 (rev. 1) Professor M. J. Fischer November 29, 2005 1 Oblivious Transfer Lecture Notes 23 In the locked
More informationVerification of the TLS Handshake protocol
Verification of the TLS Handshake protocol Carst Tankink (0569954), Pim Vullers (0575766) 20th May 2008 1 Introduction In this text, we will analyse the Transport Layer Security (TLS) handshake protocol.
More informationAutomated verification of equivalence properties of cryptographic protocols
Automated verification of equivalence properties of cryptographic protocols Rohit Chadha, Vincent Cheval, Ştefan Ciobâcǎ, Steve Kremer To cite this version: Rohit Chadha, Vincent Cheval, Ştefan Ciobâcǎ,
More informationReduction of the Intruder Deduction Problem into Equational Elementary Deduction for Electronic Purse Protocols with Blind Signatures
Reduction of the Intruder Deduction Problem into Equational Elementary Deduction for Electronic Purse Protocols with Blind Signatures Daniele Nantes Sobrinho 1 and Mauricio Ayala-Rincón 1,2 Grupo de Teoria
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationCollaborative Planning with Privacy
Collaborative Planning with Privacy Protocol exchange May 7, 2007 Max Kanovich 1, Paul Rowe 2, Andre Scedrov 2 1 Quenn Mary, University of London 2 University of Pennsylvania Context Many examples of collaboration
More informationA Theory of Dictionary Attacks and its Complexity
A Theory of Dictionary Attacks and its Complexity Stéphanie Delaune, Florent Jacquemard To cite this version: Stéphanie Delaune, Florent Jacquemard. A Theory of Dictionary Attacks and its Complexity. 17th
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationA Short Tutorial on Proverif
A Short Tutorial on Proverif Alfredo Pironti and Riccardo Sisto Politecnico di Torino, Italy Cryptoforma Meeting, Apr 8, 2010 1 Outline PART 1: how the tool works (Riccardo Sisto) Context: Abstract modelling
More informationHierarchical Combination of Intruder Theories
Hierarchical Combination of Intruder Theories Yannick Chevalier, Michaël Rusinowitch 1 IRIT Université Paul Sabatier, France email: ychevali@irit.fr 2 LORIA-INRIA-Lorraine, France email: rusi@loria.fr
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationTyped MSR: Syntax and Examples
Typed MSR: Syntax and Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ MMM 01 St. Petersburg, Russia May 22 nd, 2001 Outline
More informationModels and analysis of security protocols 1st Semester Security Protocols Lecture 6
Models and analysis of security protocols 1st Semester 2010-2011 Security Protocols Lecture 6 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 18th 2010 1 / 46 Last Time (I) Symmetric
More informationIntruder Deduction for AC-like Equational Theories with Homomorphisms
Intruder Deduction for AC-like Equational Theories with Homomorphisms Pascal Lafourcade, Denis Lugiez, Ralf Treinen To cite this version: Pascal Lafourcade, Denis Lugiez, Ralf Treinen. Intruder Deduction
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University
More informationA Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures
A Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures Véronique Cortier LORIA, Nancy, France CNRS & INRIA Project Cassis cortier@loria.fr Michael Rusinowitch
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationCheat Sheet Equational Logic (Spring 2013) Terms. Inductive Construction. Positions: Denoting Subterms TERMS
TERMS Cheat Sheet Equational Logic (Spring 2013) The material given here summarizes those notions from the course s textbook [1] that occur frequently. The goal is to have them at hand, as a quick reminder
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationComplexity of Checking Freshness of Cryptographic Protocols
Complexity of Checking Freshness of Cryptographic Protocols Zhiyao Liang Rakesh M Verma Computer Science Department, University of Houston, Houston TX 77204-3010, USA Email: zliang@cs.uh.edu, rmverma@cs.uh.edu
More informationMechanizing Elliptic Curve Associativity
Mechanizing Elliptic Curve Associativity Why a Formalized Mathematics Challenge is Useful for Verification of Crypto ARM Machine Code Joe Hurd Computer Laboratory University of Cambridge Galois Connections
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationCanonical Forms Some questions to be explored by high school investigators William J. Martin, WPI
MME 529 June 2017 Canonical Forms Some questions to be explored by high school investigators William J. Martin, WPI Here are some exercises based on various ideas of canonical form in mathematics. Perhaps
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism Feige-Fiat-Shamir
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationNegative applications of the ASM thesis
Negative applications of the ASM thesis Dean Rosenzweig and Davor Runje University of Zagreb Berlin, February 26-27, 2007 Outline 1 Negative applications of the ASM thesis Motivation Non-interactive algorithms
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationYale University Department of Computer Science
Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Mike Paterson Ewa Syta YALEU/DCS/TR-1466 October 24, 2012
More informationA Logic of Authentication
A Logic of Authentication by Burrows, Abadi, and Needham Presented by Adam Schuchart, Kathryn Watkins, Michael Brotzman, Steve Bono, and Sam Small Agenda The problem Some formalism The goals of authentication,
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 3, 2014 CPSC 467, Lecture 18 1/43 Zero Knowledge Interactive Proofs (ZKIP) Secret cave protocol ZKIP for graph isomorphism
More informationEquational Logic. Chapter 4
Chapter 4 Equational Logic From now on First-order Logic is considered with equality. In this chapter, I investigate properties of a set of unit equations. For a set of unit equations I write E. Full first-order
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More informationExtending Dolev-Yao with Assertions
Extending Dolev-Yao with Assertions Vaishnavi Sundararajan Chennai Mathematical Institute FOSAD 2015 August 31, 2015 (Joint work with R Ramanujam and S P Suresh) Vaishnavi S Extending Dolev-Yao with Assertions
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationModeling and Verifying Ad Hoc Routing Protocols
Modeling and Verifying Ad Hoc Routing Protocols Mathilde Arnaud, Véronique Cortier and Stéphanie Delaune LORIA, CNRS & INRIA Nancy Grand Est, France Email: cortier@loria.fr LSV, ENS Cachan & CNRS & INRIA
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationCPSA and Formal Security Goals
CPSA and Formal Security Goals John D. Ramsdell The MITRE Corporation CPSA Version 2.5.1 July 8, 2015 Contents 1 Introduction 3 2 Syntax 6 3 Semantics 8 4 Examples 10 4.1 Needham-Schroeder Responder.................
More informationLecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics
0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic
More information