Proving More Observational Equivalences with ProVerif
This paper presents an extension of the automatic protocol verifier ProVerif in order to prove more observational equivalences. ProVerif can prove observational equivalence between processes that have the same structure but differ by the messages they contain. In order to extend the class of equivalences that ProVerif handles, we extend the language of terms by defining more functions (destructors) by rewrite rules. In particular, we allow rewrite rules with inequalities as side-conditions, so that we can express "if then else" tests inside terms. Finally, we provide an automatic procedure that translates a process into an equivalent process that performs as many actions as possible inside terms, to allow ProVerif to prove the desired equivalence. These extensions have been implemented in ProVerif and allow us to automatically prove anonymity in the private authentication protocol by Abadi and Fournet.
Automatic Verification of Correspondences for Security Protocols
We present a new technique for verifying correspondences in security protocols. In particular, correspondences can be used to formalize authentication. Our technique is fully automatic, it can handle an unbounded number of sessions of the protocol, and it is efficient in practice. It significantly extends a previous technique for the verification of secrecy. The protocol is represented in an extension of the pi calculus with fairly arbitrary cryptographic primitives. This protocol representation includes the specification of the correspondence to be verified, but no other annotation. This representation is then translated into an abstract representation by Horn clauses, which is used to prove the desired correspondence. Our technique has been proved correct and implemented. We have tested it on various protocols from the literature. The experimental results show that these protocols can be verified by our technique in less than 1 s.
Comment: 95 page
The Security Protocol Verifier ProVerif and its Horn Clause Resolution Algorithm
ProVerif is a widely used security protocol verifier. Internally, ProVerif uses an abstract representation of the protocol by Horn clauses and a resolution algorithm on these clauses, in order to prove security properties of the protocol or to find attacks. In this paper, we present an overview of ProVerif and discuss some specificities of its resolution algorithm, related to the particular application domain and the particular clauses that ProVerif generates. This paper is a short summary that gives pointers to publications on ProVerif in which the reader will find more details.
Comment: In Proceedings HCVS/VPT 2022, arXiv:2211.1067
CryptoVerif: a Computationally-Sound Security Protocol Verifier (Initial Version with Communications on Channels)
This document presents the security protocol verifier CryptoVerif. CryptoVerif does not rely on the symbolic, Dolev-Yao model, but on the computational model. It can verify secrecy, correspondence (which includes authentication), and indistinguishability properties. It produces proofs presented as sequences of games, like those manually written by cryptographers; these games are formalized in a probabilistic process calculus. CryptoVerif provides a generic method for specifying security properties of the cryptographic primitives. It produces proofs valid for any number of sessions of the protocol, and provides an upper bound on the probability of success of an attack against the protocol as a function of the probability of breaking each primitive and of the number of sessions. It can work automatically, or the user can guide it with manual proof indications.
Accurate numerical simulations of inspiralling binary neutron stars and their comparison with effective-one-body analytical models
Binary neutron-star systems represent one of the most promising sources of gravitational waves. In order to be able to extract important information, notably about the equation of state of matter at nuclear density, it is necessary to have at hand an accurate analytical model of the expected waveforms. Following our recent work, we here analyze in more detail two general-relativistic simulations spanning about 20 gravitational-wave cycles of the inspiral of equal-mass binary neutron stars with different compactnesses, and compare them with a tidal extension of the effective-one-body (EOB) analytical model. The latter tidally extended EOB model is analytically complete up to the 1.5 post-Newtonian level, and contains an analytically undetermined parameter representing a higher-order amplification of tidal effects. We find that, by calibrating this single parameter, the EOB model can reproduce, within the numerical error, the two numerical waveforms essentially up to the merger. By contrast, analytical models (either EOB, or Taylor-T4) that do not incorporate such a higher-order amplification of tidal effects build a dephasing with respect to the numerical waveforms of several radians.
Comment: 25 pages, 17 figs. Matched published versio
Composition Theorems for CryptoVerif and Application to TLS 1.3
We present composition theorems for security protocols, to compose a key exchange protocol and a symmetric-key protocol that uses the exchanged key. Our results rely on the computational model of cryptography and are stated in the framework of the tool CryptoVerif. They support key exchange protocols that guarantee injective or non-injective authentication. They also allow random oracles shared between the composed protocols. To our knowledge, they are the first composition theorems for key exchange stated for a computational protocol verification tool, and also the first to allow such flexibility. As a case study, we apply our composition theorems to a proof of TLS 1.3 Draft-18. This work fills a gap in a previous paper that informally claims a compositional proof of TLS 1.3, without formally justifying it.
Mechanizing Game-Based Proofs of Security Protocols
Proceedings of the summer school MOD 2011. After a short introduction to the field of security protocol verification, we present the automatic protocol verifier CryptoVerif. In contrast to most previous protocol verifiers, CryptoVerif does not rely on the Dolev-Yao model, but on the computational model. It produces proofs presented as sequences of games, like those manually done by cryptographers; these games are formalized in a probabilistic process calculus. CryptoVerif provides a generic method for specifying security properties of the cryptographic primitives. It can prove secrecy and correspondence properties (including authentication). It produces proofs valid for any number of sessions, in the presence of an active adversary. It also provides an explicit formula for the probability of success of an attack against the protocol, as a function of the probability of breaking each primitive and of the number of sessions.
Automatically Verified Mechanized Proof of One-Encryption Key Exchange
We present a mechanized proof of the password-based protocol One-Encryption Key Exchange (OEKE) using the computationally-sound protocol prover CryptoVerif. OEKE is a non-trivial protocol, and thus mechanizing its proof provides additional confidence that it is correct. This case study was also an opportunity to implement several important extensions of CryptoVerif, useful for proving many other protocols. We have indeed extended CryptoVerif to support the computational Diffie-Hellman assumption. We have also added support for proofs that rely on Shoup's lemma and additional game transformations. In particular, it is now possible to insert case distinctions manually and to merge cases that no longer need to be distinguished. Finally, some improvements have been added on the computation of the probability bounds for attacks, providing better reductions. In particular, we improve over the standard computation of probabilities when Shoup's lemma is used, which allows us to improve the bound given in a previous manual proof of OEKE, and to show that the adversary can test at most one password per session of the protocol. In this paper, we present these extensions, with their application to the proof of OEKE. All steps of the proof are verified by CryptoVerif.
This document is an updated version of a report from 2012. In the 10 years between 2012 and 2022, CryptoVerif has made a lot of progress. In particular, the probability bound obtained by CryptoVerif for OEKE has been improved, reaching an almost optimal probability: only statistical terms corresponding to collisions between group elements or between hashes are overestimated by a small constant factor.
A Computationally Sound Mechanized Prover for Security Protocols
We present a new mechanized prover for secrecy properties of cryptographic protocols. In contrast to most previous provers, our tool does not rely on the Dolev-Yao model, but on the computational model. It produces proofs presented as sequences of games; these games are formalized in a probabilistic polynomial-time process calculus. Our tool provides a generic method for specifying security properties of the cryptographic primitives, which can handle shared- and public-key encryption, signatures, message authentication codes, and hash functions. Our tool produces proofs valid for a number of sessions polynomial in the security parameter, in the presence of an active adversary. We have implemented our tool and tested it on a number of examples of protocols from the literature.
Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif
ProVerif is an automatic symbolic protocol verifier. It supports a wide range of cryptographic primitives, defined by rewrite rules or by equations. It can prove various security properties: secrecy, authentication, and process equivalences, for an unbounded message space and an unbounded number of sessions. It takes as input a description of the protocol to verify in a dialect of the applied pi calculus, an extension of the pi calculus with cryptography. It automatically translates this protocol description into Horn clauses and determines whether the desired security properties hold by resolution on these clauses. This survey presents an overview of the research on ProVerif.