Formalising oblivious transfer in the semi-honest and malicious model in CryptHOL
Multi-Party Computation (MPC) allows multiple parties to compute a function together while keeping their inputs private.
Large-scale implementations of MPC protocols are becoming practical, so it is important to have strong guarantees for the whole development process, from the underlying cryptography to the implementation. Computer-aided proofs are a way to provide such guarantees.
We use CryptHOL to formalise a framework for reasoning about two party protocols using the security definitions for MPC. In particular we consider protocols for 1-out-of-2 Oblivious Transfer () --- a fundamental MPC protocol --- in both the semi-honest and malicious models. We then extend our semi-honest formalisation to which is a building block for our proof of security for the two party GMW protocol --- a protocol that can securely compute any Boolean circuit.
The semi-honest protocol we formalise is constructed from Extended Trapdoor Permutations (ETPs); we first prove the general construction secure and then instantiate it for the RSA collection of functions --- a known ETP. Our general proof assumes only the existence of ETPs, meaning any instantiated results come without needing to prove any security properties, only that the requirements of an ETP are met.
Formalising cryptography using CryptHOL.
Security proofs are now a cornerstone of modern cryptography. Provable security has greatly increased the level of rigour of security statements; however, proofs of these statements often present informal or incomplete arguments. In fact, many proofs are still considered to be unverifiable due to their complexity and length. Formal methods offer one way to establish far higher levels of rigour and confidence in proofs, and tools have been developed to formally reason about cryptography and obtain machine-checked proofs of security statements.
In this thesis we use the CryptHOL framework, embedded inside Isabelle/HOL, to reason about cryptography. First we consider two fundamental cryptographic primitives: Σ-protocols and Commitment Schemes. Σ-protocols allow a Prover to convince a Verifier that they know a value without revealing anything beyond the fact that they know that value. Commitment Schemes allow a Committer to commit to a chosen value while keeping it hidden, and to reveal the value at a later time. We first formalise abstract definitions for both primitives and then prove multiple case studies and general constructions secure. A highlight of this part of the work is our general proof of the construction of commitment schemes from Σ-protocols. This result means that within our framework, for every Σ-protocol proven secure we obtain, for free, a new commitment scheme that is also secure. We also consider compound Σ-protocols that allow for the proof of AND and OR statements. As a result of our formalisation effort here we are able to highlight which of the different definitions of Σ-protocols from the literature is the correct one; in particular we show that the most widely used definition of Σ-protocols is not sufficient for the OR construction. To show our frameworks are usable we also formalise numerous other case studies of Σ-protocols and commitment schemes, namely: the Σ-protocols by Schnorr, Chaum-Pedersen, and Okamoto; and the commitment schemes by Rivest and Pedersen.
Second, we consider Multi-Party Computation (MPC). MPC allows multiple distrusting parties to jointly compute functions over their inputs while keeping their inputs private. We formalise frameworks to abstractly reason about two-party security in both the semi-honest and malicious adversary models and then instantiate them for numerous case studies and examples. A particularly important two-party MPC protocol is Oblivious Transfer (OT) which, in its simplest form, allows the Receiver to choose one of two messages from the other party, the Sender; the Receiver learns nothing of the other message held by the Sender, and the Sender does not learn which message the Receiver chose. Due to OT's fundamental importance we choose to focus much of our formalisation here. A highlight of this section of our work is our general proof of security of a 1-out-of-2 OT (OT₂¹) protocol in the semi-honest model that relies on Extended Trapdoor Permutations (ETPs). We formalise the construction assuming only that an ETP exists, meaning any instantiation for a known ETP only requires one to prove that it is in fact an ETP --- the security results on the protocol come for free. We demonstrate this by showing how the RSA collection of functions meets the definition of an ETP, and thus show how the security results are obtained easily from the general proof. We also provide proofs of security for the Naor-Pinkas (OT₂¹) protocol in the semi-honest model as well as a proof that shows security for the two-party GMW protocol --- a protocol that allows for the secure computation of any Boolean circuit. The malicious model is more complex as the adversary can behave arbitrarily. In this setting we again consider an OT₂¹ protocol and prove it secure with respect to our abstract definitions.
Formalizing Soundness Proofs of SNARKs
Succinct Non-interactive Arguments of Knowledge (SNARKs) have seen interest and development from the cryptographic community over recent years, and there are now constructions with very small proof size designed to work well in practice. A SNARK protocol can only be widely accepted as secure, however, if a rigorous proof of its security properties has been vetted by the community. Even then, it is sometimes the case that these security proofs are flawed, and it is then necessary for further research to identify these flaws and correct the record.
To increase the rigor of these proofs, we turn to formal methods. Focusing on the soundness aspect of a widespread class of SNARKs, we formalize proofs for six different constructions, including the well-known Groth '16. Our codebase is written in the Lean 3 theorem proving language, and uses a variety of techniques to simplify and automate these proofs as much as possible.
Principles of Security and Trust
This open access book constitutes the proceedings of the 8th International Conference on Principles of Security and Trust, POST 2019, which took place in Prague, Czech Republic, in April 2019, held as part of the European Joint Conference on Theory and Practice of Software, ETAPS 2019. The 10 papers presented in this volume were carefully reviewed and selected from 27 submissions. They deal with theoretical and foundational aspects of security and trust, including new theoretical results, practical applications of existing foundational ideas, and innovative approaches stimulated by pressing practical problems.
Machine-Checked Formalisation and Verification of Cryptographic Protocols
PhD Thesis
Aiming for strong security assurance, researchers in academia and industry focus their interest on formal verification of cryptographic constructions. Automating formal verification has proved to be a very difficult task, where the main challenge is to support generic constructions and theorems, and to carry out the mathematical proofs.
This work focuses on machine-checked formalisation and automatic verification of cryptographic protocols. One aspect we covered is the novel support for generic schemes and real-world constructions among old and new protocols: key exchange schemes (Simple Password Exponential Key Exchange, SPEKE), commitment schemes (with the popular Pedersen scheme), sigma protocols (with Schnorr's zero-knowledge proof of knowledge protocol), and searchable encryption protocols (Sophos).
We also investigated aspects related to reasoning about simulation-based proofs, where indistinguishability of two different algorithms by any adversary is the crucial point in proving privacy-related properties. We embedded information-flow techniques into the EasyCrypt core language, and then show that our effort not only makes some proofs easier and (sometimes) fewer, but is also more powerful than other existing techniques in particular situations.
Zero-Knowledge in EasyCrypt
We formalize security properties of zero-knowledge protocols and their proofs in EasyCrypt. Specifically, we focus on sigma-protocols (three-round protocols). Most importantly, we also cover properties whose security proofs require the use of rewinding; prior work has focused on properties that do not need this more advanced technique. Along the way we give generic definitions of the main properties associated with sigma-protocols, both in the computational and the information-theoretic setting. We give generic derivations of soundness, (malicious-verifier) zero-knowledge, and proof of knowledge from simpler assumptions, with proofs that rely on rewinding. We also address sequential composition of sigma-protocols. Finally, we illustrate the applicability of our results on three zero-knowledge protocols: Fiat-Shamir (for quadratic residues), Schnorr (for discrete logarithms), and Blum (for Hamiltonian cycles, NP-complete).