Proving observational equivalence with ProVerif

Similar documents
Proving More Observational Equivalences with ProVerif

Lars Schmidt-Thieme, Information Systems and Machine Learning Lab (ISMLL), Institute BW/WI & Institute for Computer Science, University of Hildesheim

F(jω) = a(jω p 1 )(jω p 2 ) Û Ö p i = b± b 2 4ac. ω c = Y X (jω) = 1. 6R 2 C 2 (jω) 2 +7RCjω+1. 1 (6jωRC+1)(jωRC+1) RC, 1. RC = p 1, p

ÇÙÐ Ò ½º ÅÙÐ ÔÐ ÔÓÐÝÐÓ Ö Ñ Ò Ú Ö Ð Ú Ö Ð ¾º Ä Ò Ö Ö Ù Ð Ý Ó ËÝÑ ÒÞ ÔÓÐÝÒÓÑ Ð º Ì ÛÓ¹ÐÓÓÔ ÙÒÖ Ö Ô Û Ö Ö ÖÝ Ñ ¹ ÝÓÒ ÑÙÐ ÔÐ ÔÓÐÝÐÓ Ö Ñ

Automated Verification of Selected Equivalences for Security Protocols

Radu Alexandru GHERGHESCU, Dorin POENARU and Walter GREINER

Analysing privacy-type properties in cryptographic protocols

A process algebraic analysis of privacy-type properties in cryptographic protocols

A Short Tutorial on Proverif

Arbeitstagung: Gruppen und Topologische Gruppen Vienna July 6 July 7, Abstracts

A Language for Task Orchestration and its Semantic Properties

Lund Institute of Technology Centre for Mathematical Sciences Mathematical Statistics

µ(, y) Computing the Möbius fun tion µ(x, x) = 1 The Möbius fun tion is de ned b y and X µ(x, t) = 0 x < y if x6t6y 3

PH Nuclear Physics Laboratory Gamma spectroscopy (NP3)

MASTER S THESIS FROM FORMAL TO COMPUTATIONAL AUTHENTICITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY

INRIA Sophia Antipolis France. TEITP p.1

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols

Complexity of automatic verification of cryptographic protocols

2 Hallén s integral equation for the thin wire dipole antenna

CS 395T. Probabilistic Polynomial-Time Calculus

x 0, x 1,...,x n f(x) p n (x) = f[x 0, x 1,..., x n, x]w n (x),

ÆÓÒ¹ÒØÖÐ ËÒÐØ ÓÙÒÖÝ

Automatic, computational proof of EKE using CryptoVerif

Lecture 16: Modern Classification (I) - Separating Hyperplanes

ÁÒØÖÓÙØÓÒ ÈÖÓÐÑ ØØÑÒØ ÓÚÖÒ¹ ÐØÖ Ò ËÑÙÐØÓÒ Ê ÙÐØ ÓÒÐÙ ÓÒ ÁÒÜ ½ ÁÒØÖÓÙØÓÒ ¾ ÈÖÓÐÑ ØØÑÒØ ÓÚÖÒ¹ ÐØÖ Ò ËÑÙÐØÓÒ Ê ÙÐØ ÓÒÐÙ ÓÒ

Extending ProVerif s Resolution Algorithm for Verifying Group Protocols

Analyzing Security Protocols with Secrecy Types and Logic Programs

Notes for Lecture 17

hal , version 1-27 Mar 2014

An Efficient Cryptographic Protocol Verifier Based on Prolog Rules

This document has been prepared by Sunder Kidambi with the blessings of

Automated reasoning for equivalences in the applied pi calculus with barriers

SKMM 3023 Applied Numerical Methods


SME 3023 Applied Numerical Methods

A Calculus for Control Flow Analysis of Security Protocols

Encoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania

An Example file... log.txt

CPSC 467b: Cryptography and Computer Security

Automated Verification of Privacy in Security Protocols:

The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability

Lecture 9 - Symmetric Encryption

I118 Graphs and Automata

Improving the Berlekamp algorithm for binomials x n a

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

arxiv:hep-ph/ v1 10 May 2001

Periodic monopoles and difference modules

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality

Mean, Median, Mode, More. Tilmann Gneiting University of Washington

CPSC 467: Cryptography and Computer Security

Verification of the TLS Handshake protocol

Multi-electron and multi-channel effects on Harmonic Generation

Mixing Finite Success and Finite Failure. Automated Prover

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Identity Authentication and Secrecy in the πcalculus and Prolog

Constructive Decision Theory

From the Applied Pi Calculus to Horn Clauses for Protocols with Lists

Lecture Notes, Week 6

A one message protocol using cryptography, where K AB is a symmetric key shared between A and B for private communication. A B : {M} KAB on c AB

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Redoing the Foundations of Decision Theory

Block vs. Stream cipher

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

u x + u y = x u . u(x, 0) = e x2 The characteristics satisfy dx dt = 1, dy dt = 1

CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL

Group Diffie Hellman Protocols and ProVerif

«Û +(2 )Û, the total charge of the EH-pair is at most «Û +(2 )Û +(1+ )Û ¼, and thus the charging ratio is at most

ASYMMETRIC ENCRYPTION

Chebyshev Spectral Methods and the Lane-Emden Problem

Negative applications of the ASM thesis

NSL Verification and Attacks Agents Playing Both Roles

Evolution of the water stable isotopic composition of the rain sampled along Sahelian squall lines

Linear Multi-Prover Interactive Proofs

Calculation of the van der Waals potential of argon dimer using a modified Tang-Toennies model

CryptoVerif - the tool of crypto analysis

Monodic Temporal Resolution

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

A method for proving observational equivalence

Public Key Cryptography

Private Authentication

Notes on BAN Logic CSG 399. March 7, 2006

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Computational security & Private key encryption

Provable security. Michel Abdalla

1 Number Theory Basics

Lecture 2: Perfect Secrecy and its Limitations

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

Lecture 28: Public-key Cryptography. Public-key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Applications of Discrete Mathematics to the Analysis of Algorithms

Depending on equations

Symbolic Encryption with Pseudorandom Keys

Advanced Topics in Cryptography

Non-Conversation-Based Zero Knowledge

Control Flow Analysis of Security Protocols (I)

ECS 189A Final Cryptography Spring 2011

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Cryptography IV: Asymmetric Ciphers

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

Transcription:

Proving observational equivalence with ProVerif Bruno Blanchet INRIA Paris-Rocquencourt Bruno.Blanchet@inria.fr based on joint work with Martín Abadi and Cédric Fournet and with Vincent Cheval June 2015 Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 1 / 40

Introduction Analysis of cryptographic protocols: Powerful automatic tools for proving properties on behaviors (traces) of protocols (secrecy of keys, correspondences). For instance, ProVerif was initially designed to prove trace properties. Many important properties can be formalized as process equivalences, not as properties on behaviors: secrecy of a boolean x in P(x): P(true) P(false) the process P implements an ideal specification Q: P Q Equivalences are usually proved by difficult, long manual proofs. Already much research on this topic, using in particular sophisticated bisimulation techniques (e.g., Boreale et al). Some recent tools for a bounded number of sessions (APTE, Akiss) Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 2 / 40

Selected work relying on equivalences January 25, 1998 SRC Research Report 149 A Calculus for Cryptographic Protocols The Spi Calculus Martín Abadi and Andrew D. Gordon Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 3 / 40

Selected work relying on equivalences Secrecy by Typing in Security Protocols Martín Abadi Systems Research Center Compaq ma@pa.dec.com December 8, 1998 Abstract We develop principles and rules for achieving secrecy properties in security protocols. Our approach is based on traditional classification techniques, and extends those techniques to handle concurrent processes that use shared-key cryptography. The rules have the form of typing rules for a basic concurrent language with cryptographic primitives, the spi calculus. They guarantee that, if a protocol typechecks, then it does not leak its secret inputs. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 3 / 40

Selected work relying on equivalences ÅÓ Ð Î ÐÙ Æ Û Æ Ñ Ò Ë ÙÖ ÓÑÑÙÒ Ø ÓÒ Å ÖØ Ò ÐÐ Ä Ê Ö ÄÙ ÒØ Ì ÒÓÐÓ Ö ÓÙÖÒ Ø Å ÖÓ Ó Ø Ê Ö ØÖ Ø Ï ØÙ Ý Ø ÒØ Ö Ø ÓÒ Ó Ø Ò Û ÓÒ ØÖÙØ Û Ø Ö ÙØ ÓÑÑÓÒ ÓÖÑ Ó Ö Ø¹ÓÖ Öµ ÓÑÑÙÒ Ø ÓÒº Ì Ò¹ Ø Ö Ø ÓÒ ÖÙ Ð Ò ÙÖ ØÝ ÔÖÓØÓÓÐ Û Ö Ø Ñ Ò ÑÓØ Ú Ø Ò Ü ÑÔÐ ÓÖ ÓÙÖ ÛÓÖ Ø Ð Ó ÔÔ Ö Ò ÓØ Ö ÔÖÓ Ö ÑÑ Ò ¹Ð Ò Ù ÓÒØ ÜØ º ËÔ ÐÐÝ Û ÒØÖÓ Ù ÑÔÐ Ò Ö Ð ÜØ Ò ÓÒ Ó Ø Ô ÐÙÐÙ Û Ø Ú ÐÙ Ô ¹ Ò ÔÖ Ñ Ø Ú ÙÒØ ÓÒ Ò ÕÙ Ø ÓÒ ÑÓÒ Ø ÖÑ º Ï Ú ÐÓÔ Ñ ÒØ Ò ÔÖÓÓ Ø Ò ÕÙ ÓÖ Ø ÜØ Ò Ð Ò Ù Ò ÔÔÐÝ Ø Ñ Ò Ö ÓÒ Ò ÓÙØ ÓÑ ÙÖ ØÝ ÔÖÓØÓÓÐ º Ì ÆÙÐØ Ö Ó Ø Ò ÖÙÑÚ ÒØ Ø ÖÓÙ ÓÒ¹Ø ¹ Ý ÜØ Ò ÓÒ º Ì ÜØ Ò ÓÒ Ö Ò ÖÓÑ ÕÙ ÔÙÒØ ÓÖ Ø Ò ÜØ Ü ÑÔРРس ÔÖ Ø Ò Ø Ø Û Ú Ø ØÝÔ Ó ÒØ Ö µ ØÓ Ø Ð ÓÖ ÓÙ Ú ÐÓÔÑ ÒØ Ó Ò Û ÐÙÐ Ù Ø Ô ÐÙÐÙ Ò Ø Ú Ö ÒØ º Ò Ö ÐÐÝ Ø ÜØ Ò¹ ÓÒ Ö Ò Ù ÐÓ Ö ØÓ Ö Ð Ø ÔÖÓ Ö ÑÑ Ò Ð Ò Ù ÓÖ ÑÓ Ð Ò Ð Ò Ù Ø Ø ÒÓØ ÐÛ Ý Ø Ò º ÐØ ÓÙ Ñ ÒÝ Ó Ø Ö ÙÐØ Ò ÐÙÐ Ö Ó Ò ÔÓÓÖÐÝ ÙÒ Ö ØÓÓ ÓØ Ö Ö ÖÓ Ù Ø Ò ÙÒ ÓÖÑ ÒÓÙ ØÓ Ú Ö Ø ÓÖÝ Ò Ú Ö ØÝ Ó ÔÔÐ Ø ÓÒ º ÁÒ Ô ÖØ ÙÐ Ö ÑÔÙÖ ÜØ Ò ÓÒ Ó Ø Ð Ñ ÐÙÐÙ Û Ø ÙÒØ ÓÒ ÝÑ ÓÐ Ò Û Ø ÕÙ Ø ÓÒ ÑÓÒ Ø ÖÑ ÐØ ÖÙÐ µ Ú Ò Ú ÐÓÔ Ý Ø Ñ Ø ÐÐÝ Û Ø ÓÒ Ö¹ ½ ÓÖ ÑÔÙÖ ØÝ Ð Ù º Ë Ñ Ð ÖÐÝ ÑÔÙÖ Ú Ö ÓÒ Ó Ë Ò ËÈ Û Ø Ú ÐÙ ¹Ô Ò Ö ÒÓØ ÐÛ Ý Ô ÙØ Ó Ø Ò Ò Ø Ò ÈÙÖ ØÝ Ó Ø Ò ÓÑ ÓÖ ÓÒÚ Ò Ò Ò Ú Ò ÓÖ Ø ÙÐÒ Ò Ø Ð Ñ ÐÙÐÙ Ø Ô ÐÙÐÙ Ò ÓÒÚ Ò ÒØ ½ º ÁÒ Ø Ô Ô Ö Û ÒØÖÓ Ù ØÙ Ý Ò Ù Ò Ò ÐÓ¹ BrunoÓØ Ö Blanchet ÓÙÒ Ø ÓÒ Ð (INRIA) ÔÖÓ Ö ÑÑ Ò Ð Ò Ù º Observational ÓÖ Ü ÑÔÐ equivalence ÓÙ with ÙÒ ÓÖÑ ProVerif ÜØ Ò ÓÒ Ó Ø Ô ÐÙÐÙ Û June Û ÐÐ 2015 Ø 3 / 40

Equivalences as properties of behaviors (1) Goal: extend ProVerif to the proof of process equivalences. We focus on equivalences between processes that differ only by the terms they contain, e.g., P(true) P(false). Many interesting equivalences fall into this category. We introduce biprocesses to represent pairs of processes that differ only by the terms they contain. P(true) and P(false) are variants of a biprocess P(diff[true, false]). The variants give a different interpretation to diff[true, false], true for the first variant, false for the second one. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 4 / 40

Equivalences as properties of behaviors (2) We introduce a new operational semantics for biprocesses: A biprocess reduces when both variants reduce in the same way and after reduction, they still differ only by terms (so can be written using diff). We establish P(true) P(false) by reasoning on behaviors of P(diff[true, false]): If, for all reachable configurations, both variants reduce in the same way, then we have equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 5 / 40

Overview of the verification method Protocol: biprocess Pi calculus + cryptography Signature: Rewrite rules + equations Automatic translator Horn clauses Resolution with selection bad is not derivable Equivalence is true bad is derivable Equivalence may be false Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 6 / 40

The process calculus Dialect of the applied pi calculus [Abadi, Fournet, POPL 01]. M,N ::= terms x,y,z variable a,b,c,k,s name f(m 1,...,M n ) constructor application D ::= term evaluations M term fail special failure value h(d 1,...,D n ) function evaluation P, Q, R ::= processes M(x).P input M N.P output let x = D in P else Q term evaluation 0 P Q!P (νa)p if M then P else Q encoded as a term evaluation. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 7 / 40

Representation of cryptographic primitives Two possible representations: When success/failure is visible: destructors with rewrite rules constructor sencrypt destructor sdecrypt(sencrypt(x, y), y) x otherwise sdecrypt(u,v) fail The else branch of the term evaluation is executed when D fails, that is, D evaluates to fail. When success/failure is not visible: equations sdecrypt(sencrypt(x,y),y) = x sencrypt(sdecrypt(x,y),y) = x Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 8 / 40

Representation of cryptographic primitives Two possible representations: When success/failure is visible: destructors with rewrite rules constructor sencrypt destructor sdecrypt(sencrypt(x, y), y) x otherwise sdecrypt(u,v) fail The else branch of the term evaluation is executed when D fails, that is, D evaluates to fail. When success/failure is not visible: equations sdecrypt(sencrypt(x,y),y) = x sencrypt(sdecrypt(x,y),y) = x Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 8 / 40

Semantics D M when the term evaluation D evaluates to M. D fail when the term evaluation D fails. Uses rewrite rules of destructors and equations. transforms processes so that reduction rules can be applied. Main reduction rules: N M.Q N (x).p Q P{M/x} if Σ N = N (Red I/O) let x = D in P else Q P{M/x} (Red Fun 1) if D M let x = D in P else Q Q (Red Fun 2) if D fail Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 9 / 40

Observational equivalences and biprocesses Two processes P and Q are observationally equivalent (P Q) when the adversary cannot distinguish them. A biprocess P is a process with diff. fst(p) = the process obtained by replacing diff[m,m ] with M. snd(p) = the process obtained by replacing diff[m,m ] with M. P satisfies observational equivalence when fst(p) snd(p). Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 10 / 40

Semantics of biprocesses A biprocess reduces when both variants of the process reduce in the same way. N M.Q N (x).p Q P{M/x} if Σ fst(n) = fst(n ) and Σ snd(n) = snd(n ) (Red I/O) let x = D in P else Q P{diff[M 1,M 2 ]/x} (Red Fun 1) if fst(d) M 1 and snd(d) M 2 let x = D in P else Q Q (Red Fun 2) if fst(d) fail and snd(d) fail P Q fst(p) snd(p) fst(q) snd(q) Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 11 / 40

Proof of observational equivalence using biprocesses Let P 0 be a closed biprocess. If for all configurations P reachable from P 0 (in the presence of an adversary), both variants of P reduce in the same way, then P 0 satisfies observational equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 12 / 40

Proof of observational equivalence using biprocesses Let P 0 be a closed biprocess. If for all configurations P reachable from P 0 (in the presence of an adversary), both variants of P reduce in the same way, then P 0 satisfies observational equivalence. An adversary is represented by a plain evaluation context (evaluation context without diff), so: If, for all plain evaluation contexts C and reductions C[P 0 ] P, both variants of P reduce in the same way, then P 0 satisfies observational equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 12 / 40

Formalizing reduce in the same way The biprocess P is uniform when fst(p) Q 1 implies P Q for some biprocess Q with fst(q) Q 1, and symmetrically for snd(p) Q 2. P Q P Q fst(p) Q 1 fst(q) snd(p) snd(q) Q 2 If, for all plain evaluation contexts C and reductions C[P 0 ] P, the biprocess P is uniform, then P 0 satisfies observational equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 13 / 40

Result [Blanchet, Abadi, Fournet, JLAP, 2008] Let P 0 be a closed biprocess. Suppose that, for all plain evaluation contexts C, all evaluation contexts C, and all reductions C[P 0 ] P, 1 the (Red I/O) rules apply in the same way on both variants. if P C [N M.Q N (x).r], then Σ fst(n) = fst(n ) if and only if Σ snd(n) = snd(n ), 2 the (Red Fun) rules apply in the same way on both variants. if P C [let x = D in Q else R], then fst(d) fail if and only if snd(d) fail. Then P 0 satisfies observational equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 14 / 40

Application The previous result reduces the proof of observational equivalence to the proof of trace properties for biprocesses. We extend the Horn clause approach of ProVerif from processes to biprocesses, to prove these properties. Basically, each argument of the predicates is doubled, with one argument for each side. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 15 / 40

Example: probabilistic encryption Probabilistic public-key encryption is modeled by an equation: dec(enc(x,pk(s),a),s) = x Without knowledge of the decryption key, ciphertexts appear to be unrelated to the plaintexts. Ciphertexts are indistinguishable from fresh names: satisfies equivalence. (νs)(c pk(s)!c (x).(νa)c diff[enc(x,pk(s),a),a] ) This equivalence can be proved using the previous result, and verified automatically by ProVerif. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 16 / 40

Example: private authentication Simplified version of the private authentication protocol [Abadi, Fournet, TCS, 2004]. {N A,pk A } pkb {x,y} pkb y = pka? Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 17 / 40

Example: private authentication Simplified version of the private authentication protocol [Abadi, Fournet, TCS, 2004]. {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 17 / 40

Example: private authentication Simplified version of the private authentication protocol [Abadi, Fournet, TCS, 2004]. {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 17 / 40

Proving anonymity {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no Caesar should not be able to know who Obelix wants to talk to. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 18 / 40

False attack {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 19 / 40

False attack {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 19 / 40

False attack {N A,pk A } pkb {x,y} pkb y = pka? {x,n B,pk B } y yes {N A,pk A } pkb {x,y} pkb y = pka? {N B } pkb no The test takes a different branch: the proof of equivalence fails. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 19 / 40

Demo File private auth falseattack.pv Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 20 / 40

Solution: encode tests inside terms [Cheval, Blanchet, POST 13] The if-then-else destructor: ifthenelse(x,x,u,v) u otherwise ifthenelse(x,y,u,v) v Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 21 / 40

Solution: encode tests inside terms [Cheval, Blanchet, POST 13] The if-then-else destructor: ifthenelse(x,x,u,v) u otherwise ifthenelse(x,y,u,v) v {x,y} pkb y = pka? {x,n B,pk B } y yes {N B } pkb no Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 21 / 40

Solution: encode tests inside terms [Cheval, Blanchet, POST 13] The if-then-else destructor: ifthenelse(x,x,u,v) u otherwise ifthenelse(x,y,u,v) v {x,y} pkb M M = ifthenelse(y,pk A,{x,N B,pk B } y,{n B } pkb ) Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 21 / 40

Demo File private auth direct.pv Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 22 / 40

Merging two processes In order to prove that P and Q are observationally equivalent using this approach, we need to merge P and Q into a biprocess R: fst(r) P snd(r) Q Trivial when P and Q have exactly the same structure. There is a general merging: R = if diff[true,false] then P else Q does not allow ProVerif to prove observational equivalence. Do something more clever! Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 23 / 40

A related problem: simplifying biprocesses In the private authentication example, we moved a test from the process level to the term level. Doing the same on the process R = if diff[true,false] then P else Q could allow ProVerif to prove observational equivalence. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 24 / 40

A related problem: simplifying biprocesses In the private authentication example, we moved a test from the process level to the term level. Doing the same on the process R = if diff[true,false] then P else Q could allow ProVerif to prove observational equivalence....but moving this test implies merging the structures of P and Q! Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 24 / 40

Merging algorithm Merge branches of biprocesses: Automatically transforms the private authencation example Allows merging P and Q by applying it to if diff[true,false] then P else Q Two steps: 1 Normalize the process (Try to reorganize processes that send the same messages so that they have the same syntactic form.) 2 Merge branches on the normalized process Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 25 / 40

Normalization algorithm 1 Make sure term evaluations always succeed New destructors: catchfail(x) x otherwise catchfail(fail) c fail not c fail (c fail ) false otherwise not c fail (x) true let x = D in P else Q let x = catchfail(d) in if not c fail (x) then P else Q (We allow destructors outside let; they can be encoded using an additional let.) 2 Remove unused restrictions and lets;!0 0 Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 26 / 40

Normalization algorithm 3 Move new, let, if before outputs M N.(νa)P (νa)m N.P M N.let x = D in P let x = D in M N.P M N.if M then P else Q if M then M N.P else M N.Q (Avoid capture of names and variables.) 4 Move new, let, if before parallel composition ((νa).p) Q (νa).(p Q) (let x = D in P) Q let x = D in (P Q) (if M then P else P ) Q if M then P Q else P Q 5 Group replicated processes inside a parallel composition!p P!P P!(P P ) Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 27 / 40

Normalization algorithm 6 Move new, let before if if M then (νa)p else Q (νa)if M then P else Q if M then let x = D in P else Q let x = D in if M then P else Q 7 Move new before let let x = D in (νa)p (νa)let x = D in 8 Move if (with its new/let) before replication!s ν s let if M then P else Q s ν s let if M then!s ν s let P else!s ν s let Q The equational theory is closed under one-to-one renaming, so the test M will always yield the same result independently of the considered fresh names. 9 Remove double replication!s let!s ν s let Q!s νs let s let Q Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 28 / 40

Grammar of normalized processes P ::= s ν s let T s ν consists of a sequence of (νa) s let consists of a sequence of let x = D in such that D always succeeds. T ::= Q if M then T 1 else T 2 decision tree test Q ::= R 1... R n S parallel composition (n 0) R ::= M(x).P M N.Q communication input output S ::= optional replicated process!s ν s let Q replicated process 0 no replicated process Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 29 / 40

Some explanation When two processes Q have the same structure, we will be able to merge them. The structure ignores the precise channels and messages of inputs and outputs and considers parallel composition up to associativity and commutativity. It seems difficult to go further with general syntactic rules. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 30 / 40

Merging Merge leaves of decision trees then then C else then C else then C else............ C 1 else then C 2 else then C 3 else then Q P C 4 else Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 31 / 40

Merging Merge leaves of decision trees then then C then C else then else C else............ C 1 else then C 2 else then C 3 else then C 4 else If necessary, reorganize the decision tree so that the merged leaves are the two branches of an if. Q P Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 31 / 40

Merging inputs and outputs (R) New destructor ite(true,u,v) u otherwise ite(x,u,v) v Outputs then C else M N.Q M N.Q ite(c,m,m ) ite(c,n,n ). C then else Q Q Inputs then C else M(x).Q M (x ).Q ite(c,m,m )(x ). C then else Q{ x / x } Q { x / x } Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 32 / 40

Merging parallel compositions (Q) then C else R 1... R n S C R 1... R n S then else R 1 then... C R i else 1 R n then C R i else n S S i 1,...i n is a permutation of 1,...,n. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 33 / 40

Merging replications (S) Nil Replication (naive version) then C else 0 0 0 then C else!s ν s let Q!s νs let Q!s ν s νs let s let C then else Q Q!s ν1 s let1!s ν2 s let2 Q can actually be merged with!s νs let Q by merging Q and Q, because!s νs let Q!!s νs let Q. Separate the processes in s ν s let Q and s νs let Q into independent groups. Possibly add a replication in front of some of these groups. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 34 / 40

Merging general processes (P) then C else s ν s let T s ν s νs let s s νs let let if C then T else T T Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 35 / 40

Properties of this algorithm Soundness: these transformations preserve observational equivalence Incomplete. Open question: partial completeness? All channels public Other conditions? Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 36 / 40

Demo File private auth biprocess.pv File private auth processes.pv Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 37 / 40

Conclusion ProVerif is the only tool that can prove process equivalences for an unbounded number of sessions. Restricted but useful class of equivalences: First restricted to processes that differ only by the terms they contain. Extended by automatic merging of processes. Tool available at http://proverif.inria.fr. Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 38 / 40

Back to the applied pi calculus ÅÓ Ð Î ÐÙ Æ Û Æ Ñ Ò Ë ÙÖ ÓÑÑÙÒ Ø ÓÒ Å ÖØ Ò ÐÐ Ä Ê Ö ÄÙ ÒØ Ì ÒÓÐÓ Ö ÓÙÖÒ Ø Å ÖÓ Ó Ø Ê Ö ØÖ Ø Ï ØÙ Ý Ø ÒØ Ö Ø ÓÒ Ó Ø Ò Û ÓÒ ØÖÙØ Û Ø Ö ÙØ ÓÑÑÓÒ ÓÖÑ Ó Ö Ø¹ÓÖ Öµ ÓÑÑÙÒ Ø ÓÒº Ì Ò¹ Ø Ö Ø ÓÒ ÖÙ Ð Ò ÙÖ ØÝ ÔÖÓØÓÓÐ Û Ö Ø Ñ Ò ÑÓØ Ú Ø Ò Ü ÑÔÐ ÓÖ ÓÙÖ ÛÓÖ Ø Ð Ó ÔÔ Ö Ò ÓØ Ö ÔÖÓ Ö ÑÑ Ò ¹Ð Ò Ù ÓÒØ ÜØ º ËÔ ÐÐÝ Û ÒØÖÓ Ù ÑÔÐ Ò Ö Ð ÜØ Ò ÓÒ Ó Ø Ô ÐÙÐÙ Û Ø Ú ÐÙ Ô ¹ Ò ÔÖ Ñ Ø Ú ÙÒØ ÓÒ Ò ÕÙ Ø ÓÒ ÑÓÒ Ø ÖÑ º Ï Ú ÐÓÔ Ñ ÒØ Ò ÔÖÓÓ Ø Ò ÕÙ ÓÖ Ø ÜØ Ò Ð Ò Ù Ò ÔÔÐÝ Ø Ñ Ò Ö ÓÒ Ò ÓÙØ ÓÑ ÙÖ ØÝ ÔÖÓØÓÓÐ º Ì ÆÙÐØ Ö Ó Ø Ò ÖÙÑÚ ÒØ Ø ÖÓÙ ÓÒ¹Ø ¹ Ý ÜØ Ò ÓÒ º Ì ÜØ Ò ÓÒ Ö Ò ÖÓÑ ÕÙ ÔÙÒØ ÓÖ Ø Ò ÜØ Ü ÑÔРРس ÔÖ Ø Ò Ø Ø Û Ú Ø ØÝÔ Ó ÒØ Ö µ ØÓ Ø Ð ÓÖ ÓÙ Ú ÐÓÔÑ ÒØ Ó Ò Û ÐÙÐ Ù Ø Ô ÐÙÐÙ Ò Ø Ú Ö ÒØ º Ò Ö ÐÐÝ Ø ÜØ Ò¹ ÓÒ Ö Ò Ù ÐÓ Ö ØÓ Ö Ð Ø ÔÖÓ Ö ÑÑ Ò Ð Ò Ù ÓÖ ÑÓ Ð Ò Ð Ò Ù Ø Ø ÒÓØ ÐÛ Ý Ø Ò º ÐØ ÓÙ Ñ ÒÝ Ó Ø Ö ÙÐØ Ò ÐÙÐ Ö Ó Ò ÔÓÓÖÐÝ ÙÒ Ö ØÓÓ ÓØ Ö Ö ÖÓ Ù Ø Ò ÙÒ ÓÖÑ ÒÓÙ ØÓ Ú Ö Ø ÓÖÝ Ò Ú Ö ØÝ Ó ÔÔÐ Ø ÓÒ º ÁÒ Ô ÖØ ÙÐ Ö ÑÔÙÖ ÜØ Ò ÓÒ Ó Ø Ð Ñ ÐÙÐÙ Û Ø ÙÒØ ÓÒ ÝÑ ÓÐ Ò Û Ø ÕÙ Ø ÓÒ ÑÓÒ Ø ÖÑ ÐØ ÖÙÐ µ Ú Ò Ú ÐÓÔ Ý Ø Ñ Ø ÐÐÝ Û Ø ÓÒ Ö¹ ½ ÓÖ ÑÔÙÖ ØÝ Ð Ù º Ë Ñ Ð ÖÐÝ ÑÔÙÖ Ú Ö ÓÒ Ó Ë Ò ËÈ Û Ø Ú ÐÙ ¹Ô Ò Ö ÒÓØ ÐÛ Ý Ô ÙØ Ó Ø Ò Ò Ø Ò ÈÙÖ ØÝ Ó Ø Ò ÓÑ ÓÖ ÓÒÚ Ò Ò Ò Ú Ò ÓÖ Ø ÙÐÒ Ò Ø Ð Ñ ÐÙÐÙ Ø Ô ÐÙÐÙ Ò ÓÒÚ Ò ÒØ ½ º ÁÒ Ø Ô Ô Ö Û ÒØÖÓ Ù ØÙ Ý Ò Ù Ò Ò ÐÓ¹ BrunoÓØ Ö Blanchet ÓÙÒ Ø ÓÒ Ð (INRIA) ÔÖÓ Ö ÑÑ Ò Ð Ò Ù º Observational ÓÖ Ü ÑÔÐ equivalence ÓÙ with ÙÒ ÓÖÑ ProVerif ÜØ Ò ÓÒ Ó Ø Ô ÐÙÐÙ Û June Û 2015 ÐÐ Ø 39 / 40

Advertisement With Martín Abadi and Cédric Fournet, we recently revisited their applied pi calculus paper [POPL 01]: Minor changes to the language to make it closer to ProVerif Detailed proofs of all results Revised examples New example on indifferentiability Bruno Blanchet (INRIA) Observational equivalence with ProVerif June 2015 40 / 40

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback