A formal methodology for integral security design and verification of network protocols

We propose a methodology for verifying security properties of network protocols at design level. It can be separated in two main parts: context and requirements analysis and informal verification; and formal representation and procedural verification. It is an iterative process where the early steps are simpler than the last ones. Therefore, the effort required for detecting flaws is proportional to the complexity of the associated attack. Thus, we avoid wasting valuable resources for simple flaws that can be detected early in the verification process. In order to illustrate the advantages provided by our methodology, we also analyze three real protocols

On formal verification of arithmetic-based cryptographic primitives

Cryptographic primitives are fundamental for information security: they are used as basic components for cryptographic protocols or public-key cryptosystems. In many cases, their security proofs consist in showing that they are reducible to computationally hard problems. Those reductions can be subtle and tedious, and thus not easily checkable. On top of the proof assistant Coq, we had implemented in previous work a toolbox for writing and checking game-based security proofs of cryptographic primitives. In this paper we describe its extension with number-theoretic capabilities so that it is now possible to write and check arithmetic-based cryptographic primitives in our toolbox. We illustrate our work by machine checking the game-based proofs of unpredictability of the pseudo-random bit generator of Blum, Blum and Shub, and semantic security of the public-key cryptographic scheme of Goldwasser and Micali.Comment: 13 page

Formal Analysis of CRT-RSA Vigilant's Countermeasure Against the BellCoRe Attack: A Pledge for Formal Methods in the Field of Implementation Security

In our paper at PROOFS 2013, we formally studied a few known countermeasures to protect CRT-RSA against the BellCoRe fault injection attack. However, we left Vigilant's countermeasure and its alleged repaired version by Coron et al. as future work, because the arithmetical framework of our tool was not sufficiently powerful. In this paper we bridge this gap and then use the same methodology to formally study both versions of the countermeasure. We obtain surprising results, which we believe demonstrate the importance of formal analysis in the field of implementation security. Indeed, the original version of Vigilant's countermeasure is actually broken, but not as much as Coron et al. thought it was. As a consequence, the repaired version they proposed can be simplified. It can actually be simplified even further as two of the nine modular verifications happen to be unnecessary. Fortunately, we could formally prove the simplified repaired version to be resistant to the BellCoRe attack, which was considered a "challenging issue" by the authors of the countermeasure themselves.Comment: arXiv admin note: substantial text overlap with arXiv:1401.817

Computer-aided proofs for multiparty computation with active security

Secure multi-party computation (MPC) is a general cryptographic technique that allows distrusting parties to compute a function of their individual inputs, while only revealing the output of the function. It has found applications in areas such as auctioning, email filtering, and secure teleconference. Given its importance, it is crucial that the protocols are specified and implemented correctly. In the programming language community it has become good practice to use computer proof assistants to verify correctness proofs. In the field of cryptography, EasyCrypt is the state of the art proof assistant. It provides an embedded language for probabilistic programming, together with a specialized logic, embedded into an ambient general purpose higher-order logic. It allows us to conveniently express cryptographic properties. EasyCrypt has been used successfully on many applications, including public-key encryption, signatures, garbled circuits and differential privacy. Here we show for the first time that it can also be used to prove security of MPC against a malicious adversary. We formalize additive and replicated secret sharing schemes and apply them to Maurer's MPC protocol for secure addition and multiplication. Our method extends to general polynomial functions. We follow the insights from EasyCrypt that security proofs can be often be reduced to proofs about program equivalence, a topic that is well understood in the verification of programming languages. In particular, we show that in the passive case the non-interference-based definition is equivalent to a standard game-based security definition. For the active case we provide a new NI definition, which we call input independence

Type Inference for a Cryptographic Protocol Prover Tool

Krüptograafia uurimisrühm Tartus arendab mängupõhiste krüptograafiliste protokollide tõestajat nimega ProveIt. Idee ProveIt’i taga on lihtsustada tõestamise protsessi. Tegemist ei ole automaatse tõestajaga, vaid abivahendiga krüptograafidele. ProveIt võimaldab teadlastel teha muudatusi koodina üleskirjutatud tõenäosuslikele mängudele ja teeb koodi ümberkirjutamise automaatselt. See aitab garanteerida korrektsuse, hoida kokku aega ja samas jätta tõestuse arusaadavaks. Üks võimalus kirjutada üles krüptograafilisi protokolle on kirjeldada neid programmeerimiskeelele sarnase pseudokoodiga, mida nimetatakse mänguks. Mängu muutmisel samm-sammult saame mõnikord jõuda teise mänguni, mille turvalisuse hinnangut me teame. Nende mängude jada ongi üks võimalik viis, kuidas saab anda protokolli turvalisuse tõestuse - seda nimetatakse mängupõhiseks tõestamiseks. Mängupõhine tõestamine on populaarne viis analüüsimaks protokollide turvalisust, sest see on võrdlemisi intuitiivne. Tavaliselt kasutatakse paberit ja pliiatsit, et kirjutada üles mänge, kuid kuna krüptograafiliste protokollide tõestamine ei ole just kõige lihtsam asi, mida teha, siis inimesed sageli lõpetavad suure kuhja paberitega igal pool, sealhulgas mitmete tupikute ja vigadega. Meie eesmärgiks on seda muuta ja anda krüptograafile võimalus mängu ümber kirjutamise asemel keskenduda järgmise sammu väljamõtlemisele. Kuigi krüptograafial on oluline roll selle bakalaureusetöö juures, siis põhi fookus lasub siiski tüübiteoorial. Nimelt on selle töö eesmärgiks luua tüübikontroll ProveIt’i jaoks. Mängupõhiseid tõestusi saab edukalt kirjutada ilma tüüpidest mi- dagi teadmata, aga tüüpide kasutamine ProveIt’is võimaldab tagada kindlamalt korrektsuse ja kasutajat paremini aidata. Tüübikontrolli abil saame näiteks veenduda, et krüptograaf ei ürita omavahel liita numbreid ja pesukarusid. Selle fakti ja vea asukoha teadmine võib kokku hoida palju kasutaja aega. Lihtne lahendus tüübikontrolli jaoks oleks nõuda kasutajalt kõigi muutujate tüüpide defineerimist, kuid see nõuaks temalt lisatööd, mis on aga vastuolus ProveIt’i eesmärgiga. Järelikult tuleb lisaks tüübikontrollile realiseerida ka tüübituletus ehk programm, mis üritab ise kõigi muutujate tüüpe määrata. Selleks, et teha tüübituletust defineerisime me kõigepealt tüübisüsteemi ProveIt’i keele jaoks. Andsime tüübireeglid aritmeetiliste avaldiste, juhuslikult hulgast valimise ja omistamise jaoks. Funktsioonide ja loogiliste avaldiste tüüpimine ei ole käesoleva bakalaureusetöö skoobis, kuid need on vajalikud osad ProveIt’ile täieliku tüüpija lisamiseks. Lisaks tüübisüsteemi ja tüübireeglite kirjeldamisele kuulus käesoleva bakalaureuse töö juurde aritmeetiliste avaldiste tüüpimise realiseerimine ja ProveIt’ile lisamine. Selle jaoks on töös antud kuus algoritmi. Arendusvahenditena valisime Qt raamistiku ja programmeerimiskeele C++. Otsustasime keele C++ kasuks, sest ProveIt on selles keeles kirjutatud, ning see võimaldab ühildamise lihtsamaks muuta.This thesis introduces types into the ProveIt language, making it possible to perform type inference and type checking. The ProveIt language is a is a probabilistic program language used in ProveIt, a tool that helps cryptographers prove cryptographic protocols in a game-based way in the computational model. The work begins by explaining the necessary background knowledge: the computational model, game-based proving, the ProveIt prover tool and the ProveIt language. How they work and why they are relevant is also described. Introducing types into ProveIt allows further guarantee the correctness and providing better help to the user. Knowing that the user is tying to find the square root of a banana and where, might save a lot of his or her time. Although it would be easier to demand the user to state all the types for all the variables and only perform type checking, we decide not to do so and instead infer the types. This is done because our goal is to make the proving process as convenient for the user as possible. To do type inference, the work starts with defining the formal type system for the ProveIt language. Type rules for all the arithmetic operations available in ProveIt are provided and also type rules for the uniform choice statement and the assignment statement. Adding rules for typing functions and logical expressions is not in the scope of this thesis and is considered future work. In addition to the type system description, type checking and type inference were implemented. To do that, the thesis first deals with the scopes of the variables in ProveIt, as it has both local and global variables. Secondly, the relations between types are covered, including the need and means to find lowest common ancestors in directed acyclic graphs. This is necessary to be able to find the minimal common supertype if an arithmetic operation was performed between variables of different types. Next, the concepts of a minimum and a maximum type are introduced to make type inference easier and also be able to output better error messages. Finally six algorithms are given to complete the type inference and type checking

Formal Verification of ElGamal Encryption using a Probabilistic Lambda-Calculus

Game-based proofs are a common technique used to verify cryptographic constructions. Such proofs consist of a sequence of games where each transition from one game to the next can be individually verified. However, as more and more increasingly complex proofs are being published, even such transitions are often non-trivial. Moreover, games are frequently described informally or just in some ad-hoc pseudocode and may be understood differently than originally intended by the authors, or underlying assumptions may not be made explicit. For this reason, Backes et al. developed a new formal language at the chair of Information Security and Cryptography at the Universit ̈at des Saarlandes. This language supports most cryptographic primitives typically used in such games and is intended to provide a formal standard to model them. Furthermore it has been implemented on top of the proof assistant Isabelle/HOL, such that it is possible to use Isabelle’s logic to formally verify game transitions. The goal of this thesis is to provide a first application of this language to a real-world cryptographic construction by using it to formally verify the security of the well-known ElGamal encryption scheme. For this, we use the language to model the scheme as well as the desired security properties and the necessary assumptions. Next, we find appropriate game transformations in the language and formally prove their validity. Finally we show how to use these transformations to achieve a fully formalized game-based proof of the security of ElGamal

High-level Cryptographic Abstractions

The interfaces exposed by commonly used cryptographic libraries are clumsy, complicated, and assume an understanding of cryptographic algorithms. The challenge is to design high-level abstractions that require minimum knowledge and effort to use while also allowing maximum control when needed. This paper proposes such high-level abstractions consisting of simple cryptographic primitives and full declarative configuration. These abstractions can be implemented on top of any cryptographic library in any language. We have implemented these abstractions in Python, and used them to write a wide variety of well-known security protocols, including Signal, Kerberos, and TLS. We show that programs using our abstractions are much smaller and easier to write than using low-level libraries, where size of security protocols implemented is reduced by about a third on average. We show our implementation incurs a small overhead, less than 5 microseconds for shared key operations and less than 341 microseconds (< 1%) for public key operations. We also show our abstractions are safe against main types of cryptographic misuse reported in the literature

A Formalization of Polytime Functions

We present a deep embedding of Bellantoni and Cook's syntactic characterization of polytime functions. We prove formally that it is correct and complete with respect to the original characterization by Cobham that required a bound to be proved manually. Compared to the paper proof by Bellantoni and Cook, we have been careful in making our proof fully contructive so that we obtain more precise bounding polynomials and more efficient translations between the two characterizations. Another difference is that we consider functions on bitstrings instead of functions on positive integers. This latter change is motivated by the application of our formalization in the context of formal security proofs in cryptography. Based on our core formalization, we have started developing a library of polytime functions that can be reused to build more complex ones.Comment: 13 page