114 research outputs found
Probabilistic relational Hoare logics for computer-aided security proofs
International audienceNon
Automated Cryptographic Analysis of the Pedersen Commitment Scheme
Aiming for strong security assurance, recently there has been an increasing
interest in formal verification of cryptographic constructions. This paper
presents a mechanised formal verification of the popular Pedersen commitment
protocol, proving its security properties of correctness, perfect hiding, and
computational binding. To formally verify the protocol, we extended the theory
of EasyCrypt, a framework which allows for reasoning in the computational
model, to support the discrete logarithm and an abstraction of commitment
protocols. Commitments are building blocks of many cryptographic constructions,
for example, verifiable secret sharing, zero-knowledge proofs, and e-voting.
Our work paves the way for the verification of those more complex
constructions.Comment: 12 pages, conference MMM-ACNS 201
Relational reasoning via probabilistic coupling
Probabilistic coupling is a powerful tool for analyzing pairs of
probabilistic processes. Roughly, coupling two processes requires finding an
appropriate witness process that models both processes in the same probability
space. Couplings are powerful tools proving properties about the relation
between two processes, include reasoning about convergence of distributions and
stochastic dominance---a probabilistic version of a monotonicity property.
While the mathematical definition of coupling looks rather complex and
cumbersome to manipulate, we show that the relational program logic pRHL---the
logic underlying the EasyCrypt cryptographic proof assistant---already
internalizes a generalization of probabilistic coupling. With this insight,
constructing couplings is no harder than constructing logical proofs. We
demonstrate how to express and verify classic examples of couplings in pRHL,
and we mechanically verify several couplings in EasyCrypt
Synthesizing Probabilistic Invariants via Doob's Decomposition
When analyzing probabilistic computations, a powerful approach is to first
find a martingale---an expression on the program variables whose expectation
remains invariant---and then apply the optional stopping theorem in order to
infer properties at termination time. One of the main challenges, then, is to
systematically find martingales.
We propose a novel procedure to synthesize martingale expressions from an
arbitrary initial expression. Contrary to state-of-the-art approaches, we do
not rely on constraint solving. Instead, we use a symbolic construction based
on Doob's decomposition. This procedure can produce very complex martingales,
expressed in terms of conditional expectations.
We show how to automatically generate and simplify these martingales, as well
as how to apply the optional stopping theorem to infer properties at
termination time. This last step typically involves some simplification steps,
and is usually done manually in current approaches. We implement our techniques
in a prototype tool and demonstrate our process on several classical examples.
Some of them go beyond the capability of current semi-automatic approaches
Computer-aided verification in mechanism design
In mechanism design, the gold standard solution concepts are dominant
strategy incentive compatibility and Bayesian incentive compatibility. These
solution concepts relieve the (possibly unsophisticated) bidders from the need
to engage in complicated strategizing. While incentive properties are simple to
state, their proofs are specific to the mechanism and can be quite complex.
This raises two concerns. From a practical perspective, checking a complex
proof can be a tedious process, often requiring experts knowledgeable in
mechanism design. Furthermore, from a modeling perspective, if unsophisticated
agents are unconvinced of incentive properties, they may strategize in
unpredictable ways.
To address both concerns, we explore techniques from computer-aided
verification to construct formal proofs of incentive properties. Because formal
proofs can be automatically checked, agents do not need to manually check the
properties, or even understand the proof. To demonstrate, we present the
verification of a sophisticated mechanism: the generic reduction from Bayesian
incentive compatible mechanism design to algorithm design given by Hartline,
Kleinberg, and Malekian. This mechanism presents new challenges for formal
verification, including essential use of randomness from both the execution of
the mechanism and from the prior type distributions. As an immediate
consequence, our work also formalizes Bayesian incentive compatibility for the
entire family of mechanisms derived via this reduction. Finally, as an
intermediate step in our formalization, we provide the first formal
verification of incentive compatibility for the celebrated
Vickrey-Clarke-Groves mechanism
Proving uniformity and independence by self-composition and coupling
Proof by coupling is a classical proof technique for establishing
probabilistic properties of two probabilistic processes, like stochastic
dominance and rapid mixing of Markov chains. More recently, couplings have been
investigated as a useful abstraction for formal reasoning about relational
properties of probabilistic programs, in particular for modeling
reduction-based cryptographic proofs and for verifying differential privacy. In
this paper, we demonstrate that probabilistic couplings can be used for
verifying non-relational probabilistic properties. Specifically, we show that
the program logic pRHL---whose proofs are formal versions of proofs by
coupling---can be used for formalizing uniformity and probabilistic
independence. We formally verify our main examples using the EasyCrypt proof
assistant
Boosting the Performance of High-Assurance Cryptography: Parallel Execution and Optimizing Memory Access in Formally-Verified Line-Point Zero-Knowledge
Despite the notable advances in the development of high-assurance, verified implementations of cryptographic protocols, such implementations typically face significant performance overheads, particularly due to the penalties induced by formal verification and automated extraction of executable code. In this paper, we address some core performance challenges facing computer-aided cryptography by presenting a formal treatment for accelerating such verified implementations based on multiple generic optimizations covering parallelism and memory access. We illustrate our techniques for addressing such performance bottlenecks using the Line-Point Zero-Knowledge (LPZK) protocol as a case study. Our starting point is a new verified implementation of LPZK that we formalize and synthesize using EasyCrypt; our first implementation is developed to reduce the proof effort and without considering the performance of the extracted executable code. We then show how such (automatically) extracted code can be optimized in three different ways to obtain a 3000x speedup and thus matching the performance of the manual implementation of LPZK. We obtain such performance gains by first modifying the algorithmic specifications, then by adopting a provably secure parallel execution model, and finally by optimizing the memory access structures. All optimizations are first formally verified inside EasyCrypt, and then executable code is automatically synthesized from each step of the formalization. For each optimization, we analyze performance gains resulting from it and also address challenges facing the computer-aided security proofs thereof, and challenges facing automated synthesis of executable code with such an optimization
Computer-aided proofs for multiparty computation with active security
Secure multi-party computation (MPC) is a general cryptographic technique
that allows distrusting parties to compute a function of their individual
inputs, while only revealing the output of the function. It has found
applications in areas such as auctioning, email filtering, and secure
teleconference. Given its importance, it is crucial that the protocols are
specified and implemented correctly. In the programming language community it
has become good practice to use computer proof assistants to verify correctness
proofs. In the field of cryptography, EasyCrypt is the state of the art proof
assistant. It provides an embedded language for probabilistic programming,
together with a specialized logic, embedded into an ambient general purpose
higher-order logic. It allows us to conveniently express cryptographic
properties. EasyCrypt has been used successfully on many applications,
including public-key encryption, signatures, garbled circuits and differential
privacy. Here we show for the first time that it can also be used to prove
security of MPC against a malicious adversary. We formalize additive and
replicated secret sharing schemes and apply them to Maurer's MPC protocol for
secure addition and multiplication. Our method extends to general polynomial
functions. We follow the insights from EasyCrypt that security proofs can be
often be reduced to proofs about program equivalence, a topic that is well
understood in the verification of programming languages. In particular, we show
that in the passive case the non-interference-based definition is equivalent to
a standard game-based security definition. For the active case we provide a new
NI definition, which we call input independence
- …