Union, intersection, and refinement types and reasoning about type disjointness for security protocol analysis

In this thesis we present two new type systems for verifying the security of cryptographic protocol models expressed in a spi-calculus and, respectively, of protocol implementations expressed in a concurrent lambda calculus. In this thesis we present two new type systems for verifying the security of cryptographic protocol models expressed in a spi-calculus and, respectively, of protocol implementations expressed in a concurrent lambda calculus. The two type systems combine prior work on refinement types with union and intersection types and with the novel ability to reason statically about the disjointness of types. The increased expressivity enables the analysis of important protocol classes that were previously out of scope for the type-based analyses of cryptographic protocols. In particular, our type systems can statically analyze protocols that are based on zero-knowledge proofs, even in scenarios when certain protocol participants are compromised. The analysis is scalable and provides security proofs for an unbounded number of protocol executions. The two type systems come with mechanized proofs of correctness and efficient implementations.In dieser Arbeit werden zwei neue Typsysteme vorgestellt, mit denen die Sicherheit kryptographischer Protokolle, modelliert in einem spi-Kalkül, und Protokollimplementierungen, beschrieben in einem nebenläufigen Lambdakalkül, verifiziert werden kann. Die beiden Typsysteme verbinden vorausgehende Arbeiten zu Verfeinerungstypen mit disjunktiven und konjunktiven Typen, und ermöglichen außerdem, statisch zu folgern, dass zwei Typen disjunkt sind. Die Ausdrucksstärke der Systeme erlaubt die Analyse wichtiger Klassen von Protokollen, die bisher nicht durch typbasierte Protokollanalysen behandelt werden konnten. Insbesondere ist mit den vorgestellten Typsystemen auch die statische Analyse von Protokollen möglich, die auf Zero-Knowledge-Beweisen basieren, selbst unter der Annahme, dass einige Protokollteilnehmer korrumpiert sind. Die Analysetechnik skaliert und erlaubt Sicherheitsbeweise für eine unbeschränkte Anzahl von Protokollausführungen. Die beiden Typsysteme sind formal korrekt bewiesen und effizient implementiert

Enabling Machine-aided Cryptographic Design

The design of cryptographic primitives such as digital signatures and public-key encryption is very often a manual process conducted by expert cryptographers. This persists despite the fact that many new generic or semi-generic methods have been proposed to construct new primitives by transforming existing ones in interesting ways. However, manually applying transformations to existing primitives can be error-prone, ad-hoc and tedious. A natural question is whether automating the process of applying cryptographic transformations would yield competitive or better results? In this thesis, we explore a compiler-based approach for automatically performing certain cryptographic designs. Similar approaches have been applied to various types of cryptographic protocol design with compelling results. We extend this same approach and show that it also can be effective towards automatically applying cryptographic transformations. We first present our extensible architecture that automates a class of cryptographic transformations on primitives. We then propose several techniques that address the aforementioned question including the Charm cryptographic framework, which enables rapid prototyping of cryptographic primitives from abstract descriptions. We build on this work and show the extent to which transformations can be performed automatically given these descriptions. To illustrate this automation, we present a series of cryptographic tools that demonstrate the effectiveness of our automated approach. Our contributions are listed as follows: - AutoBatch: Batch verification is a transformation that improves signature verification time by efficiently processing many signatures at once. Historically, this manual process has been prone to error and tedious for practitioners. We describe the design of an automated tool that finds efficient batch verification algorithms from abstract descriptions of signature schemes. - AutoGroup: Cryptographers often prefer to describe their pairing-based constructions using symmetric group notation for simplicity, while they prefer asymmetric groups for implementation due to the efficiency gains. The symmetric- to-asymmetric translation is usually performed through manual analysis of a scheme and finding an efficient translation that suits applications can be quite challenging. We present an automated tool that uses SMT solvers to find efficient asymmetric translations from abstract descriptions of cryptographic schemes. - AutoStrong: Strongly unforgeable signatures are desired in practice for a variety of cryptographic protocols. Several transformations exist in the literature that show how to obtain strongly unforgeable signatures from existentially unforgeable ones. We focus on a particular highly-efficient transformation due to Boneh, Shen and Waters that is applicable if the signature satisfies a notion of partitioning. Checking for this property can be challenging and has been less explored in the literature. We present an automated tool that also utilizes SMT solvers to determine when this property is applicable for constructing efficient strongly unforgeable signatures from abstract descriptions. We anticipate that these proof-of-concept tools embody the notion that certain cryptographic transformations can be safely and effectively outsourced to machines

Automatic Generation of Sigma-Protocols

Efficient zero-knowledge proofs of knowledge (ZK-PoK) are basic building blocks of many practical cryptographic applications such as identification schemes, group signatures, and secure multi-party computation (SMPC). Currently, first applications that essentially rely on ZK-PoKs are being deployed in the real world. The most prominent example is the Direct Anonymous Attestation (DAA) protocol, which was adopted by the Trusted Computing Group (TCG) and implemented as one of the functionalities of the cryptographic chip Trusted Platform Module (TPM). Implementing systems using ZK-PoK turns out to be challenging, since ZK-PoK are significantly more complex than standard crypto primitives (e.g., encryption and signature schemes). As a result, the designimplementation cycles of ZK-PoK are time-consuming and error-prone. To overcome this, we present a compiler with corresponding languages for the automatic generation of sound and efficient ZK-PoK based on Σ-protocols. The protocol designer using our compiler formulates the goal of a ZK-PoK proof in a high-level protocol specification language, which abstracts away unnecessary technicalities from the designer. The compiler then automatically generates the protocol implementation in Java code; alternatively, the compiler can output a description of the protocol in LATEX which can be used for documentation or verification