Formalising oblivious transfer in the semi-honest and malicious model in CryptHOL

Multi-Party Computation (MPC) allows multiple parties to compute a function together while keeping their inputs private. Large scale implementations of MPC protocols are becoming practical thus it is important to have strong guarantees for the whole development process, from the underlying cryptography to the implementation. Computer aided proofs are a way to provide such guarantees. We use CryptHOL to formalise a framework for reasoning about two party protocols using the security definitions for MPC. In particular we consider protocols for 1-out-of-2 Oblivious Transfer ($OT^1_2$) --- a fundamental MPC protocol --- in both the semi-honest and malicious models. We then extend our semi-honest formalisation to $OT^1_4$ which is a building block for our proof of security for the two party GMW protocol --- a protocol that can securely compute any Boolean circuit. The semi-honest $OT^1_2$ protocol we formalise is constructed from Extended Trapdoor Permutations (ETP), we first prove the general construction secure and then instantiate for the RSA collection of functions --- a known ETP. Our general proof assumes only the existence of ETPs, meaning any instantiated results come without needing to prove any security properties, only that the requirements of an ETP are met

Formalising cryptography using CryptHOL.

Security proofs are now a cornerstone of modern cryptography. Provable security has greatly increased the level of rigour of the security statements, however proofs of these statements often present informal or incomplete arguments. In fact, many proofs are still considered to be unverifiable due to their complexity and length. Formal methods offers one way to establish far higher levels of rigour and confidence in proofs and tools have been developed to formally reason about cryptography and obtain machine-checked proof of security statements. In this thesis we use the CryptHOL framework, embedded inside Isabelle/HOL, to reason about cryptography. First we consider two fundamental cryptographic primitives: Σ-protocols and Commitment Schemes. Σ-protocols allow a Prover to convince a Verifier that they know a value $x$ without revealing anything beyond that the fact they know $x$. Commitment Schemes allow a Committer to commit to a chosen value while keeping it hidden, and be able to reveal the value at a later time. We first formalise abstract definitions for both primitives and then prove multiple case studies and general constructions secure. A highlight of this part of the work is our general proof of the construction of commitment schemes from Σ-protocols. This result means that within our framework for every Σ-protocol proven secure we obtain, for free, a new commitment scheme that is secure also. We also consider compound $\Sigma$-protocols that allow for the proof of AND and OR statements. As a result of our formalisation effort here we are able to highlight which of the different definitions of Σ-protocols from the literature is the correct one; in particular we show that the most widely used definition of Σ-protocols is not sufficient for the OR construction. To show our frameworks are usable we also formalise numerous other case studies of Σ-protocols and commitment schemes, namely: the Σ-protocols by Schnorr, Chaum-Pedersen, and Okamoto; and the commitment schemes by Rivest and Pedersen. Second, we consider Multi-Party Computation (MPC). MPC allows for multiple distrusting parties to jointly compute functions over their inputs while keeping their inputs private. We formalise frameworks to abstractly reason about two party security in both the semi-honest and malicious adversary models and then instantiate them for numerous case studies and examples. A particularly important two party MPC protocol is Oblivious Transfer} (OT) which, in its simplest form, allows the Receiver to choose one of two messages from the other party, the Sender; the Receiver learns nothing of the other message held by the sender and the Sender does not learn which message the Receiver chose. Due to OTs fundamental importance we choose to focus much of our formalisation here, a highlight of this section of our work is our general proof of security of a 1-out-of-2 OT (OT₂¹) protocol in the semi-honest model that relies on Extended Trapdoor Permutations (ETPs). We formalise the construction assuming only that an ETP exists meaning any instantiations for known ETPs only require one to prove that it is in fact an ETP --- the security results on the protocol come for free. We demonstrate this by showing how the RSA collection of functions meets the definition of an ETP, and thus show how the security results are obtained easily from the general proof. We also provide proofs of security for the Naor Pinkas (OT₂¹) protocol in the semi-honest model as well as a proof that shows security for the two party GMW protocol --- a protocol that allows for the secure computation of any boolean circuit. The malicious model is more complex as the adversary can behave arbitrarily. In this setting we again consider an OT₂¹ protocol and prove it secure with respect to our abstract definitions

Formalizing Soundness Proofs of SNARKs

Succinct Non-interactive Arguments of Knowledge (SNARKs) have seen interest and development from the cryptographic community over recent years, and there are now constructions with very small proof size designed to work well in practice. A SNARK protocol can only be widely accepted as secure, however, if a rigorous proof of its security properties has been vetted by the community. Even then, it is sometimes the case that these security proofs are flawed, and it is then necessary for further research to identify these flaws and correct the record. To increase the rigor of these proofs, we turn to formal methods. Focusing on the soundness aspect of a widespread class of SNARKs, we formalize proofs for six different constructions, including the well-known Groth \u2716. Our codebase is written in the Lean 3 theorem proving language, and uses a variety of techniques to simplify and automate these proofs as much as possible

Principles of Security and Trust

This open access book constitutes the proceedings of the 8th International Conference on Principles of Security and Trust, POST 2019, which took place in Prague, Czech Republic, in April 2019, held as part of the European Joint Conference on Theory and Practice of Software, ETAPS 2019. The 10 papers presented in this volume were carefully reviewed and selected from 27 submissions. They deal with theoretical and foundational aspects of security and trust, including on new theoretical results, practical applications of existing foundational ideas, and innovative approaches stimulated by pressing practical problems

Principles of Security and Trust

This open access book constitutes the proceedings of the 8th International Conference on Principles of Security and Trust, POST 2019, which took place in Prague, Czech Republic, in April 2019, held as part of the European Joint Conference on Theory and Practice of Software, ETAPS 2019. The 10 papers presented in this volume were carefully reviewed and selected from 27 submissions. They deal with theoretical and foundational aspects of security and trust, including on new theoretical results, practical applications of existing foundational ideas, and innovative approaches stimulated by pressing practical problems

Machine-Checked Formalisation and Verification of Cryptographic Protocols

PhD ThesisAiming for strong security assurance, researchers in academia and industry focus their interest on formal verification of cryptographic constructions. Automatising formal verification has proved itself to be a very difficult task, where the main challenge is to support generic constructions and theorems, and to carry out the mathematical proofs. This work focuses on machine-checked formalisation and automatic verification of cryptographic protocols. One aspect we covered is the novel support for generic schemes and real-world constructions among old and novel protocols: key exchange schemes (Simple Password Exponential Key Exchange, SPEKE), commitment schemes (with the popular Pedersen scheme), sigma protocols (with the Schnorr’s zero-knowledge proof of knowledge protocol), and searchable encryption protocols (Sophos). We also investigated aspects related to the reasoning of simulation based proofs, where indistinguishability of two different algorithms by any adversary is the crucial point to prove privacy-related properties. We embedded information-flow techniques into the EasyCrypt core language, then we show that our effort not only makes some proofs easier and (sometimes) fewer, but is also more powerful than other existing techniques in particular situations

Zero-Knowledge in EasyCrypt

We formalize security properties of zero-knowledge protocols and their proofs in EasyCrypt. Specifically, we focus on sigma-protocols (three-round protocols). Most importantly, we also cover properties whose security proofs require the use of rewinding; prior work has focused on properties that do not need this more advanced technique. On our way we give generic definitions of the main properties associated with sigma protocols, both in the computational and information-theoretical setting. We give generic derivations of soundness, (malicious-verifier) zero-knowledge, and proof of knowledge from simpler assumptions with proofs which rely on rewinding. Also, we address sequential composition of sigma protocols. Finally, we illustrate the applicability of our results on three zero-knowledge protocols: Fiat-Shamir (for quadratic residues), Schnorr (for discrete logarithms), and Blum (for Hamiltonian cycles, NP-complete)