Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1
Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs designed to secure communications Rely on cryptographic primitives 2 / 29
Context The protocol: Honest participants 3 / 29
Context The protocol: Honest participants Controls the network Intruder 3 / 29
Context The protocol: Honest participants Controls the network Security properties Intruder 3 / 29
On the web Protocol HTTPS Password based authentication Confidentiality of personal data 4 / 29
Payment with credit card Authorization through PIN code Wireless payment Confidentiality of the transaction Authenticity of the bank card 5 / 29
Electronic passport RFID chip inside the passport Secret key printed on the passport Confidentiality of personal data Anonymity Untraceability 6 / 29
Electronic voting Vote from personal computer Vote from dedicated machines Verifiability of the votes Confidentiality of the vote No partial results One vote per voter Anonymity of the voter Coercition resistance 7 / 29
Attacks Designing a secure protocol is hard! Concrete attacks on: authentication used by Google Apps unlinkability of french passports authentication of credit card (Yes-Card) vote privacy on the Helios e-voting system anonymity of routing protocols These attacks are the consequence of a bad design and not of a: implementation bug weak cryptographic primitives usage of magical hacking techniques 8 / 29
Existing models Cryptographic model Symbolic model 9 / 29
Existing models Cryptographic model Symbolic model Bitstring Messages 9 / 29
Existing models Cryptographic model Symbolic model Bitstring Messages Real algorithms Cryptographic primitives 9 / 29
Existing models Cryptographic model Symbolic model Bitstring Messages Real algorithms Cryptographic primitives Function symbols 9 / 29
Existing models Cryptographic model Symbolic model Bitstring Messages Terms Real algorithms Cryptographic primitives Function symbols 9 / 29
Existing models Cryptographic model Symbolic model Bitstring Messages Terms Real algorithms Cryptographic primitives Function symbols PPT Attacker Idealized 9 / 29
Existing models Cryptographic model Symbolic model Bitstring Messages Terms Real algorithms Cryptographic primitives Function symbols PPT Attacker Idealized Difficult and by hand Proofs "Easier" and mechanized 9 / 29
Existing models Cryptographic model Symbolic model Bitstring Messages Terms Real algorithms Cryptographic primitives Function symbols PPT Attacker Idealized Difficult and by hand Proofs "Easier" and mechanized Strong and clear Security guarantees Unclear 9 / 29
Symbolic models Symbolic terms Nonces: a, b, c,... Variables: Functions symbols: enc, dec, hi,,... x, y, z,... enc(x, y) hx, yi a x enc hi x y x y 10 / 29
Symbolic models Symbolic terms Nonces: a, b, c,... Variables: Functions symbols: enc, dec, hi,,... x, y, z,... enc(x, y) hx, yi a x enc hi x y x y Rewrite rules dec(enc(x, y),y)! x proj 1 (hx, yi)! x 10 / 29
Symbolic models Symbolic terms Nonces: a, b, c,... Variables: Functions symbols: enc, dec, hi,,... x, y, z,... enc(x, y) hx, yi a x enc hi x y x y Rewrite rules dec(enc(x, y),y)! x proj 1 (hx, yi)! x Example: dec(enc(hm 1,m 2 i,k),k)!hm 1,m 2 i 10 / 29
Symbolic models Symbolic terms Nonces: a, b, c,... Variables: Functions symbols: enc, dec, hi,,... x, y, z,... enc(x, y) hx, yi a x enc hi x y x y Subterm convergent Rewrite rules dec(enc(x, y),y)! x proj 1 (hx, yi)! x Monadic convergent Example: dec(enc(hm 1,m 2 i,k),k)!hm 1,m 2 i unblind(sign(blind(x, y),z),y)! sign(x, z) 10 / 29
Symbolic models Example : Electronic passport Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport Reader 11 / 29
Symbolic models Example : Electronic passport Freshly generated by Passport Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport Reader 11 / 29
Symbolic models Example : Electronic passport Freshly generated by Passport Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport Reader Reader expects a nonce and returns it 11 / 29
Symbolic models Example : Electronic passport Freshly generated by Passport Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport Reader Reader expects a nonce and returns it Freshly generated by Reader 11 / 29
Symbolic models Example : Electronic passport Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport Reader Knowledge of intruder: nonces he can generate + 1: n T 2: enc(hn R,n T,k R i,k e ) 3: enc(hn T,n R,k T i,k e ) 11 / 29
Symbolic models Another trace of the Electronic passport Knows k e Knows k e n T KO Passeport enc(hn R, KO,k R i,k e ) Error Reader Knowledge of intruder: nonces he can generate (e.g. KO) + 1: n T 2: enc(hn R, KO,k R i,k e ) 3: Error 12 / 29
Applied pi calculus 0 Nil P + Q Non deterministic choice P Q Parallel if u = v then P else Q Test in(c, x).p Input out(c, u).p Output k.p Name restriction!p Replication 13 / 29
Applied pi calculus Knows k e Knows k e n T enc(hn R,n T,k R i,k e ) enc(hn T,n R,k T i,k e ) Passeport P (k e )= Reader n T.out(c, n T ).in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) Main process:! k e!p (k e ) R(k e ) 14 / 29
Trace A trace = one execution of the process P (k e )= n T.out(c, n T ).in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) Initial configuration: Set of private names (;, k e.p (k e ),id) The process Substitution representing the knowledge of the attacker 15 / 29
Trace P (k e )= n T.out(c, n T ).in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) w 1 16 / 29
Trace P (k e )= n T.out(c, n T ).in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) w 1 16 / 29
Trace P 1 = out(c, n T ).in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) w 1 16 / 29
Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) ({k e,n T }, P 2, { n T / w1 }) w 1 16 / 29
Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) w 1 16 / 29
Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) Cannot contain private names w 1 16 / 29
Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) Cannot contain private names Can contain variables from the frame, i.e. w 1 16 / 29
Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) Cannot contain private names Can contain variables from the frame, i.e. w 1 Ex: M = hn I,w 1 i 16 / 29
Trace P 2 = in(c, x). if proj 3 (dec(x, k e )) = n T then k T.out(c, hn T, proj 1 (dec(x, k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) Cannot contain private names Can contain variables from the frame, i.e. w 1 Ex: M = hn I,w 1 i x!hn I,n T i 16 / 29
Trace P 3 = if proj 3 (dec(hn I,n T i,k e )) = n T then k T.out(c, hn T, proj 1 (dec(hn I,n T i,k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) ({k e },P(k e ),id) ({k e,n T }, P 1,id) out(c, w 1 ) in(c, M) ({k e,n T }, P 2, { n T / w1 }) ({k e,n T }, P 3, { n T / w1 }) Cannot contain private names Can contain variables from the frame, i.e. w 1 Ex: M = hn I,w 1 i x!hn I,n T i 16 / 29
Trace P 3 = if proj 3 (dec(hn I,n T i,k e )) = n T then k T.out(c, hn T, proj 1 (dec(hn I,n T i,k e )),k T i) else out(c, Error) (;, k e.p (k e ),id) out(c, w 1 ) in(c, M) ({k e },P(k e ),id) ({k e,n T }, P 1,id) ({k e,n T }, P 2, { n T / }) w1 ({k e,n T }, P 3, { n T / }) w1 out(c, w 1 ).in(c, M) {k e,n T } { n T / w1 } The sequence of label with the set and the frame represents a trace. w 1 16 / 29
Internal communication Communication can happen internally on private channels ({d}, in(d, x).p out(d, a).q, ) ({d},p{ a / x } Q, ) 17 / 29
Security properties What we verify well : Confidentiality, authenticity Trace properties Tools : Avispa, ProVerif, Scyther, CSP/FdR What we don t verify well : Anonymity, privacy, traceability, properties for electronic voting Equivalence properties Tools : ProVerif, AkiSs, SPEC, APTE 18 / 29
Trace equivalence Untraceability of electronic passport Situation 1 Situation 2 19 / 29
Trace equivalence Untraceability of electronic passport Situation 1 Situation 2 19 / 29
Trace equivalence Untraceability of electronic passport Situation 1 Situation 2 Two protocols are in equivalence if for all traces of one of the protocol, we can find an equivalent trace in the other protocol 19 / 29
Trace equivalence Untraceability of electronic passport Situation 1 Situation 2 Two protocols are in equivalence if for all traces of one of the protocol, we can find an equivalent trace in the other protocol M 1,M 2,...,M k Knowledges of the attacker obtain in two traces with similar actions N 1,N 2,...,N k 19 / 29
Decision procedure How to automatically decide equivalence? General problem: Undecidable Usual restrictions: Bounded number of sessions, stronger notion of equivalence, simple algebraic properties for the cryptographic properties, Technics used : Saturation of Horn Clauses, Constraint solving, Equivalence of constraint systems 20 / 29
Decision procedure How difficult is it to automatically decide equivalence? P : Decidable by a deterministic Turing machine in polynomial time EXP : Decidable by a deterministic Turing machine in exponential time NP : Decidable by a non-deterministic Turing machine in polynomial time NEXP : Decidable by a non-deterministic Turing machine in exponential time PSPACE : Decidable by a deterministic Turing machine in polynomial space Σ0 = P and Σi = NP Σ i-1 Σ1 = NP 21 / 29
Complexity Applied Pi Calculus Static equivalence Trace equivalence Observational equivalence Diff equivalence Positive, finite, subterm convergent Finite, subterm convergent P complete [AC 04] P complete [AC 04] Decidable? CoNP complete Decidable?? Finite, monadic convergent P hard??? 22 / 29
Complexity Results Applied Pi Calculus Static equivalence Trace equivalence Observational equivalence Diff equivalence Positive, finite, subterm convergent P complete [AC 04] Decidable [CK 17] conexp hard CoNP complete Finite, subterm convergent P complete [AC 04] Decidable [CK 17] conexp hard conexp hard? Finite, monadic convergent P hard conexp hard conexp hard? Pure Pi Calculus Static equivalence Trace equivalence Positive, finite LOGSPACE coσ2 complete Finite LOGSPACE coσ2 complete Observational equivalence PSPACE easy coσ4 hard PSPACE easy coσ4 hard 23 / 29
Complexity Results Applied Pi Calculus Static equivalence Trace equivalence Observational equivalence Diff equivalence Positive, finite, subterm convergent PTIME complete [AC 04] Decidable [CK 17] conexp easy? conexp hard conexp complete? CoNP complete Finite, subterm convergent PTIME complete [AC 04] Decidable [CK 17] conexp hard conexp complete? conexp hard conexp complete? conp complete? Finite, monadic convergent PTIME hard conexp hard conexp hard? Pure Pi Calculus Static equivalence Trace equivalence Positive, finite LOGSPACE coσ2 complete Finite LOGSPACE coσ2 complete Observational equivalence PSPACE easy coσ4 hard PSPACE easy coσ4 hard 24 / 29
Trace equivalence in pi-calculus Reduction from QSAT2 No else branche, no cryptographic primitive A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 9~x = 9x 1 9x 2...9x n 8~y = 8y 1 8y 2...8y m 25 / 29
Boolean formula in pi-calculus c 1 c 2 ^ c3 26 / 29
Boolean formula in pi-calculus c 1 c 2 ^ c3 in(c 1,x).in(c 2,y).( if x =1then if y =1then out(c 3, 1) if x =1then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) ) 26 / 29
Boolean formula in pi-calculus c 1 c 2 ^ c3 in(c 1,x).in(c 2,y).( if x =1then if y =1then out(c 3, 1) if x =1then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) ) Enforces that inputs are booleans! 26 / 29
Boolean formula in pi-calculus c 1 c 2 ^ c3 in(c 1,x).in(c 2,y).( if x =1then if y =1then out(c 3, 1) if x =1then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) if x =0then if y =0then out(c 3, 0) ) in(c 1,x) out(c 3,x^ y) in(c 2,y) 26 / 29
Boolean formula in pi-calculus c 1 c 2 c 3 ^ c 4 c 6 _ c 5 27 / 29
Boolean formula in pi-calculus c 1 c 2 c 3 ^ c 4 c 6 _ c 5 out(c 2,b 2 ) out(c 1,b 1 ) in(c 1,x) inp out(c 3,b 3 ) in(c 2,y) out(c 4,x^ y) in(c 3,x) out(c 5, x) in(c 4,x) P (x) in(c 5,y) 27 / 29 out(c 6,x_ y) in(c 6,x)
Boolean formula in pi-calculus c 1 c 2 c 3 ^ c 4 c 6 _ c 5 Enforces that inputs are booleans! out(c 2,b 2 ) out(c 1,b 1 ) in(c 1,x) inp out(c 3,b 3 ) in(c 2,y) out(c 4,x^ y) in(c 3,x) out(c 5, x) in(c 4,x) P (x) in(c 5,y) 27 / 29 out(c 6,x_ y) in(c 6,x)
Boolean formula in pi-calculus c 1 c 2 c 3 ^ c 4 c 6 _ c 5 Enforces that inputs are booleans! x '(b 1,b 2,b 3 ).P (x) out(c 2,b 2 ) out(c 1,b 1 ) in(c 1,x) inp out(c 3,b 3 ) in(c 2,y) out(c 4,x^ y) in(c 3,x) out(c 5, x) in(c 4,x) P (x) in(c 5,y) 27 / 29 out(c 6,x_ y) in(c 6,x)
Universal quantification A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 How to express universality in pi-calculus? 28 / 29
Universal quantification A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 How to express universality in pi-calculus? Guess(y).P def = d.((out(d, 0)+out(d, 1) in(d, y).p ) 28 / 29
Universal quantification A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 How to express universality in pi-calculus? Guess(y).P def = d.((out(d, 0)+out(d, 1) in(d, y).p ) Can reduce in either P { 0 / y } or P { 1 / y } 28 / 29
Reduction A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 A def = in(c, ~x). test ^ ~x. B def = in(c, ~x). test ^ ~x. Guess(~y ). out(c, 0)+out(c, 1) (v '(~x, ~y ). out(c, v) + out(c, 1)) 29 / 29
Reduction A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 A def = in(c, ~x). test ^ ~x. B def = in(c, ~x). test ^ ~x. Guess(~y ). out(c, 0)+out(c, 1) (v '(~x, ~y ). out(c, v) + out(c, 1)) The processes can only output if the inputs are booleans 29 / 29
Reduction A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 A def = in(c, ~x). test ^ ~x. B def = in(c, ~x). test ^ ~x. Guess(~y ). out(c, 0)+out(c, 1) (v '(~x, ~y ). out(c, v) + out(c, 1)) The processes can only output if the inputs are booleans Whatever the boolean input, the process B can always output 0 or 1 29 / 29
Reduction A 6 tr B i 9~x 8~y, ' (~x, ~y )=1 A def = in(c, ~x). test ^ ~x. B def = in(c, ~x). test ^ ~x. Guess(~y ). out(c, 0)+out(c, 1) (v '(~x, ~y ). out(c, v) + out(c, 1)) The processes can only output if the inputs are booleans Whatever the boolean input, the process B can always output 0 or 1 If 8~y. ' (~x 0,~y)=1 holds then A can never output 0 when ~x 0 is input 29 / 29