12 research outputs found
Logic of fusion
The starting point of this work is the observation that the Curry-Howard
isomorphism, relating types and propositions, programs and proofs, composition
and cut, extends to the correspondence of program fusion and cut elimination.
This simple idea suggests logical interpretations of some of the basic methods
of generic and transformational programming. In the present paper, we provide a
logical analysis of the general form of build fusion, also known as
deforestation, over the inductive and the coinductive datatypes, regular or
nested. The analysis is based on a novel logical interpretation of
parametricity in terms of the paranatural transformations, introduced in the
paper.Comment: 17 pages, 6 diagrams; Andre Scedrov FestSchrif
On Session Typing, Probabilistic Polynomial Time, and Cryptographic Experiments
A system of session types is introduced as induced by a Curry Howard correspondence applied to bounded linear logic, suitably extended with probabilistic choice operators and ground types. The resulting system satisfies some expected properties, like subject reduction and progress, but also unexpected ones, like a polynomial bound on the time needed to reduce processes. This makes the system suitable for modelling experiments and proofs from the so-called computational model of cryptography
On Session Typing, Probabilistic Polynomial Time, and Cryptographic Experiments
International audienceA system of session types is introduced as induced by a Curry Howard correspondence applied to bounded linear logic, suitably extended with probabilistic choice operators and ground types. The resulting system satisfies some expected properties, like subject reduction and progress, but also unexpected ones, like a polynomial bound on the time needed to reduce processes. This makes the system suitable for modelling experiments and proofs from the so-called computational model of cryptography
Cryptographically sound analysis of security protocols
In this thesis, we show how formal methods can be used for the cryptographically sound verification of concrete implementations of security protocols in order to obtain trustworthy and meaningful proofs, and to eliminate human inaccuracies. First, we show how to derive secure concrete implementations of a given abstract specification. The security proofs are essentially based on the well-established approach of bisimulation which can be formally verified yielding rigorous proofs. As an example, we present both a specification and a secure implementation of secure message transmission with ordered channels. Moreover, the example comprises a general methodology how secure implementation of arbitrary specifications can be obtained. Thereafter, we concentrate on the actual goals the protocol should fulfill. Thus, we define integrity properties in our underlying model and we show that logic derivations among them carry over specification to the concrete implementation, which makes them accessible for tool-assisted verification. As an example, we formally verify one concrete protocol using the theorem prover PVS yielding the first machine-aided and sound proof of a cryptographic protocol. As additional properties of security protocols, we consider liveness and noninterference. The standard definition of these properties is not suited to cope with protocols involving real cryptographic primitives, so we introduce new definitions which are restricted to polynomial runs and include error probabilities. We show that both properties carry over from the specification to the concrete implementation, and we present two examples, one for each property, which we prove to fulfill our definitions.Diese Arbeit behandelt formale Verifikation von Sicherheitsprotokollen mit dem Ziel,maschinell verifizierte Beweise zu ermöglichen, die die kryptographische Semantik respektieren, d.h., deren Aussagen bzgl. der zugrundeliegenden Kryptographie und den kryptographischen Sicherheitsdefinitionen gültig sind (engl. cryptographically sound proofs).Als erstes zeigen wir, wie formale Methoden benutzt werden können, um sichere konkrete Implementationen anhand einer gegebenen abstrakten Spezifikation herzuleiten. Wir geben dafür eine allgemeingültige Methodologie an, die auf formal verifizierten Bisimulationen basiert, was uns rigorose und glaubhafte Sicherheitsbeweise liefert. Als
Beispiel geben wir eine Spezifikation und eine konkrete Implementation für sichere geordnete Nachrichtenübertragung an. Die im Sicherheitsbeispiel der Implementation auftretende Bisimulation verifizieren wir mit Hilfe des Theorembeweisers PVS. Als zweites konzentrieren wir uns auf die Ziele, die ein Sicherheitsprotokoll erfüllen soll. Wir definieren Integritätseigenschaften in unserem zugrundeliegenden Modell, und wir beweisen, dass sich logische Schlussfolgerungen bzgl. dieser Eigenschaften von der Spezifikation auf die Implementation übertragen, was eine essentielle Voraussetzung für maschinelle Verifikation darstellt. Als Beispiel verifizieren wir ein konkretes Protokoll mit Hilfe des Theorembeweisers PVS, was uns den ersten Beweis eines Sicherheitsprotokolls liefert, der sowohl maschinell verifiziert ist als auch
der kryptographischen Semantik "treu'; bleibt, d.h., der wirklich ein Beweis gegen die kryptographischen Primitive und deren kryptographische Sicherheitsdefinitionen ist. Als zusätzliche Eigenschaften von Sicherheitsprotokollen betrachten wir Lebendigkeit (engl. liveness) und Unbeeinflussbarkeit (engl. non-interference). Da sich die Standarddefinition dieser wichtigen Eigenschaften als ungeeignet für echte Kryptographie
herausstellt, führen wir allgemeinere Definitionen ein, die auf polynomielle Länge beschränkt sind und Fehlerwahrscheinlichkeiten berücksichtigen.Wir zeigen, dass sich diese Eigenschaften von der Spezifikation auf die Implementation übertragen,was wiederum den Bezug zu formalen Methoden herstellt. Wir präsentieren zwei Beispiele, je eines für jede Eigenschaft, von denen wir beweisen, dass sie die entsprechende Definition erfüllen
Cryptographically sound analysis of security protocols
In this thesis, we show how formal methods can be used for the cryptographically sound verification of concrete implementations of security protocols in order to obtain trustworthy and meaningful proofs, and to eliminate human inaccuracies. First, we show how to derive secure concrete implementations of a given abstract specification. The security proofs are essentially based on the well-established approach of bisimulation which can be formally verified yielding rigorous proofs. As an example, we present both a specification and a secure implementation of secure message transmission with ordered channels. Moreover, the example comprises a general methodology how secure implementation of arbitrary specifications can be obtained. Thereafter, we concentrate on the actual goals the protocol should fulfill. Thus, we define integrity properties in our underlying model and we show that logic derivations among them carry over specification to the concrete implementation, which makes them accessible for tool-assisted verification. As an example, we formally verify one concrete protocol using the theorem prover PVS yielding the first machine-aided and sound proof of a cryptographic protocol. As additional properties of security protocols, we consider liveness and noninterference. The standard definition of these properties is not suited to cope with protocols involving real cryptographic primitives, so we introduce new definitions which are restricted to polynomial runs and include error probabilities. We show that both properties carry over from the specification to the concrete implementation, and we present two examples, one for each property, which we prove to fulfill our definitions.Diese Arbeit behandelt formale Verifikation von Sicherheitsprotokollen mit dem Ziel,maschinell verifizierte Beweise zu ermöglichen, die die kryptographische Semantik respektieren, d.h., deren Aussagen bzgl. der zugrundeliegenden Kryptographie und den kryptographischen Sicherheitsdefinitionen gültig sind (engl. cryptographically sound proofs).Als erstes zeigen wir, wie formale Methoden benutzt werden können, um sichere konkrete Implementationen anhand einer gegebenen abstrakten Spezifikation herzuleiten. Wir geben dafür eine allgemeingültige Methodologie an, die auf formal verifizierten Bisimulationen basiert, was uns rigorose und glaubhafte Sicherheitsbeweise liefert. Als
Beispiel geben wir eine Spezifikation und eine konkrete Implementation für sichere geordnete Nachrichtenübertragung an. Die im Sicherheitsbeispiel der Implementation auftretende Bisimulation verifizieren wir mit Hilfe des Theorembeweisers PVS. Als zweites konzentrieren wir uns auf die Ziele, die ein Sicherheitsprotokoll erfüllen soll. Wir definieren Integritätseigenschaften in unserem zugrundeliegenden Modell, und wir beweisen, dass sich logische Schlussfolgerungen bzgl. dieser Eigenschaften von der Spezifikation auf die Implementation übertragen, was eine essentielle Voraussetzung für maschinelle Verifikation darstellt. Als Beispiel verifizieren wir ein konkretes Protokoll mit Hilfe des Theorembeweisers PVS, was uns den ersten Beweis eines Sicherheitsprotokolls liefert, der sowohl maschinell verifiziert ist als auch
der kryptographischen Semantik "treu\u27; bleibt, d.h., der wirklich ein Beweis gegen die kryptographischen Primitive und deren kryptographische Sicherheitsdefinitionen ist. Als zusätzliche Eigenschaften von Sicherheitsprotokollen betrachten wir Lebendigkeit (engl. liveness) und Unbeeinflussbarkeit (engl. non-interference). Da sich die Standarddefinition dieser wichtigen Eigenschaften als ungeeignet für echte Kryptographie
herausstellt, führen wir allgemeinere Definitionen ein, die auf polynomielle Länge beschränkt sind und Fehlerwahrscheinlichkeiten berücksichtigen.Wir zeigen, dass sich diese Eigenschaften von der Spezifikation auf die Implementation übertragen,was wiederum den Bezug zu formalen Methoden herstellt. Wir präsentieren zwei Beispiele, je eines für jede Eigenschaft, von denen wir beweisen, dass sie die entsprechende Definition erfüllen
Computationally secure information flow
This thesis presents a definition and a static program analysis for
secure information flow. The definition of secure information flow is not
based on non-interference, but on the computational independence of
the programs public outputs from its secret inputs. Such definition allows
cryptographic primitives to be gracefully handled, as their security
is usually defined to be only computational, not information-theoretical.
The analysis works on a simple imperative programming language
containing a cryptographic primitive encryption as a possible operation.
The analysis captures the intuitive qualities of the (lack of) information flow from a plaintext to its corresponding ciphertext. We prove
the analysis correct with respect to the definition of secure information flow described above. In the proof of correctness we assume that the
encryption primitive hides the identity of plaintexts and keys.
This thesis also considers the case where the identities of plaintexts
and keys are not hidden by encryption, i.e. given two ciphertexts it may
be possible to determine whether the corresponding plaintexts are equal
or not. We also give an analysis for this case, though it is not a whole
program analysis. Namely, we cannot analyse loops. Nevertheless, with
the help of the analysis one can check, whether two formal expressions
(which are equivalent to the output of programs without loops) have
indistinguishable interpretations as bit-strings.In dieser Dissertation wird eine Definition und eine statische Programmanalyse für sicheren Informationsfluss präsentiert. Die Definition des sicheren Informations usses basiert nicht auf der Unbeeinflußbarkeit, sondern auf der komplexitätstheoretischen Unabhängigkeit der öffentlichen Ausgaben des Programms von seinen geheimen Eingaben. Eine solche Definition erlaubt uns, kryptographische Primitiven elegant zu bearbeiten, weil ihre Sicherheit meistens nur komplexitätstheoretisch und nicht informationstheoretisch definiert ist. Die Analyse arbeitet auf einer einfachen imperativen Programmiersprache, die eine kryptographische Primitive Verschlüsselung als eine mögliche Operation enthält. Die Analyse gibt die intuitive Eigenschaft des (nicht vorhandenen) Informationsflusses von einem Klartext zu dem entsprechenden Schlüsseltext wieder. Wir geben den Korrektheitsbeweis der Analyse in Bezug auf die obengegebene Definition des sicheren Informationflusses. Im Beweis nehmen wir an, daß die Verschlüsselungsprimitive die Identität der Klartexte und Schlüssel versteckt. Diese Dissertation behandelt auch den Fall, dass die Verschlüsselungsprimitive die Identität der Klartexte und Schlüssel nicht versteckt, d.h. daß man aus zwei Schlüsseltexten möglicherweise herausfinden kann, ob die entsprechenden Klartexte gleich sind oder nicht. Wir geben eine Analyse auch für diesen Fall an, obwohl sie nicht auf ganze Programme anwendbar ist, da wir keine Schleifen analysieren können. Mit Hilfe dieser Analyse kann man feststellen, ob zwei formale Ausdrücke (die gleichwertig zu der Ausgabe der Programme ohne Schleifen sind) gleiche Interpretation als Bitfolgen haben
Computationally secure information flow
This thesis presents a definition and a static program analysis for
secure information flow. The definition of secure information flow is not
based on non-interference, but on the computational independence of
the programs public outputs from its secret inputs. Such definition allows
cryptographic primitives to be gracefully handled, as their security
is usually defined to be only computational, not information-theoretical.
The analysis works on a simple imperative programming language
containing a cryptographic primitive encryption as a possible operation.
The analysis captures the intuitive qualities of the (lack of) information flow from a plaintext to its corresponding ciphertext. We prove
the analysis correct with respect to the definition of secure information flow described above. In the proof of correctness we assume that the
encryption primitive hides the identity of plaintexts and keys.
This thesis also considers the case where the identities of plaintexts
and keys are not hidden by encryption, i.e. given two ciphertexts it may
be possible to determine whether the corresponding plaintexts are equal
or not. We also give an analysis for this case, though it is not a whole
program analysis. Namely, we cannot analyse loops. Nevertheless, with
the help of the analysis one can check, whether two formal expressions
(which are equivalent to the output of programs without loops) have
indistinguishable interpretations as bit-strings.In dieser Dissertation wird eine Definition und eine statische Programmanalyse für sicheren Informationsfluss präsentiert. Die Definition des sicheren Informations usses basiert nicht auf der Unbeeinflußbarkeit, sondern auf der komplexitätstheoretischen Unabhängigkeit der öffentlichen Ausgaben des Programms von seinen geheimen Eingaben. Eine solche Definition erlaubt uns, kryptographische Primitiven elegant zu bearbeiten, weil ihre Sicherheit meistens nur komplexitätstheoretisch und nicht informationstheoretisch definiert ist. Die Analyse arbeitet auf einer einfachen imperativen Programmiersprache, die eine kryptographische Primitive Verschlüsselung als eine mögliche Operation enthält. Die Analyse gibt die intuitive Eigenschaft des (nicht vorhandenen) Informationsflusses von einem Klartext zu dem entsprechenden Schlüsseltext wieder. Wir geben den Korrektheitsbeweis der Analyse in Bezug auf die obengegebene Definition des sicheren Informationflusses. Im Beweis nehmen wir an, daß die Verschlüsselungsprimitive die Identität der Klartexte und Schlüssel versteckt. Diese Dissertation behandelt auch den Fall, dass die Verschlüsselungsprimitive die Identität der Klartexte und Schlüssel nicht versteckt, d.h. daß man aus zwei Schlüsseltexten möglicherweise herausfinden kann, ob die entsprechenden Klartexte gleich sind oder nicht. Wir geben eine Analyse auch für diesen Fall an, obwohl sie nicht auf ganze Programme anwendbar ist, da wir keine Schleifen analysieren können. Mit Hilfe dieser Analyse kann man feststellen, ob zwei formale Ausdrücke (die gleichwertig zu der Ausgabe der Programme ohne Schleifen sind) gleiche Interpretation als Bitfolgen haben
Hierarchical and compositional verification of cryptographic protocols
Nella verifica dei protocolli di sicurezza ci sono due importanti approcci
che sono conosciuti sotto il nome di approccio simbolico e computazionale,
rispettivamente. Nell'approccio simbolico i messaggi sono termini di
un'algebra e le primitive crittografiche sono idealmente sicure; nell'approccio
computazionale i messaggi sono sequenze di bit e le primitive crittografiche
sono sicure con elevata probabilit\ue0. Questo significa, per esempio, che
nell'approccio simbolico solo chi conosce la chiave di decifratura pu\uf2 decifrare
un messaggio cifrato, mentre nell'approccio computazionale la probabilit\ue0 di decifrare un testo cifrato senza conoscere la chiave di decifratura \ue8 trascurabile.
Di solito, i protocolli crittografici sono il risultato dell'interazione di molte
componenti: alcune sono basate su primitive crittografiche, altre su altri
principi. In generale, quello che risulta \ue8 un sistema complesso che vorremmo
poter analizzare in modo modulare invece che doverlo studiare come un
singolo sistema.
Una situazione simile pu\uf2 essere trovata nel contesto dei sistemi distribuiti,
dove ci sono molti componenti probabilistici che interagiscono tra loro
implementando un algoritmo distribuito. In questo contesto l'analisi della
correttezza di un sistema complesso \ue8 molto rigorosa ed \ue8 basata su strumenti
che derivano dalla teoria dell'informazione, strumenti come il metodo
di simulazione che permette di decomporre grossi problemi in problemi pi\uf9 piccoli e di verificare i sistemi in modo gerarchico e composizionale. Il metodo
di simulazione consiste nello stabilire delle relazioni tra gli stati di due
automi, chiamate relazioni di simulazione, e nel verificare che tali relazioni
soddisfano delle condizioni di passo appropriate, come che ogni transizione
del sistema simulato pu\uf2 essere imitata dal sistema simulante nel rispetto
della relazione data. Usando un approccio composizionale possiamo studiare
le propriet\ue0 di ogni singolo sotto-problema indipendentemente dagli altri
per poi derivare le propriet\ue0 del sistema complessivo. Inoltre, la verifica gerarchica
ci permette di definire molti raffinamenti intermedi tra la specifica
e l'implementazione. Spesso la verifica gerarchica e composizionale \ue8 pi\uf9
semplice e chiara che l'intera verifica fatta in una volta sola.
In questa tesi introduciamo una nuova relazione di simulazione, che chiamiamo
simulazione polinomialmente accurata o simulazione approssimata,
che \ue8 composizionale e che permette di usare l\u2019approccio gerarchico nelle nostre
analisi. Le simulazioni polinomialmente accurate estendono le relazioni
di simulazione definite nel contesto dei sistemi distribuiti sia nel caso forte
sia in quello debole tenendo conto delle lunghezze delle esecuzioni e delle
propriet\ue0 computazionali delle primitive crittografiche.
Oltre alle simulazioni polinomialmente accurate, forniamo altri strumenti
che possono semplificare l\u2019analisi dei protocolli crittografici: il primo \ue8 il
concetto di automa condizionale che permette di rimuovere eventi che occorrono
con probabilit\ue0 trascurabile in modo sicuro. Data una macchina
che \ue8 attaccabile con probabilit\ue0 trascurabile, se costruiamo un automa che \ue8 condizionale all'assenza di questi attacchi, allora esiste una simulazione
tra i due. Questo ci permette, tra l'altro, di lavorare con le relazioni di
simulazione tutto il tempo e in particolare possiamo anche dimostrare in
modo composizionale che l'eliminazione di eventi trascurabili \ue8 sicura. Questa
propriet\ue0 \ue8 giustificata dal teorema dell\u2019automa condizionale che afferma
che gli eventi sono trascurabili se e solo se la relazione identit\ue0 \ue8 una simulazione
approssimata dall\u2019automa alla sua controparte condizionale. Un altro
strumento \ue8 il teorema della corrispondenza delle esecuzioni, che estende
quello del contesto dei sistemi distribuiti, che giustifica l\u2019approccio gerarchico.
Infatti, il teorema afferma che se abbiamo molti automi e una catena
di simulazioni tra di essi, allora con elevata probabilit\ue0 ogni esecuzione del
primo automa della catena \ue8 in relazione con un\u2019esecuzione dell'ultimo automa
della catena. In altre parole, abbiamo che la probabilit\ue0 che l'ultimo
automa non sia in grado di simulare un\u2019esecuzione del primo \ue8 trascurabile.
Infine, usiamo il framework delle simulazioni polinomialmente accurate
per fornire delle famiglie di automi che implementano le primitive crittografiche
comunemente usate e per dimostrare che l'approccio simbolico \ue8
corretto rispetto all\u2019approccio computazionale.Two important approaches to the verification of security protocols are
known under the general names of symbolic and computational, respectively.
In the symbolic approach messages are terms of an algebra and the cryptographic
primitives are ideally secure; in the computational approach messages
are bitstrings and the cryptographic primitives are secure with overwhelming
probability. This means, for example, that in the symbolic approach
only who knows the decryption key can decrypt a ciphertext, while in
the computational approach the probability to decrypt a ciphertext without
knowing the decryption key is negligible.
Usually, the cryptographic protocols are the outcome of the interaction
of several components: some of them are based on cryptographic primitives,
other components on other principles. In general, the result is a complex
system that we would like to analyse in a modular way instead of studying
it as a single system.
A similar situation can be found in the context of distributed systems,
where there are several probabilistic components that interact with each
other implementing a distributed algorithm. In this context, the analysis
of the correctness of a complex system is very rigorous and it is based on
tools from information theory such as the simulation method that allows
us to decompose large problems into smaller problems and to verify systems
hierarchically and compositionally. The simulation method consists
of establishing relations between the states of two automata, called simulation
relations, and to verify that such relations satisfy appropriate step
conditions: each transition of the simulated system can be matched by the
simulating system up to the given relation. Using a compositional approach
we can study the properties of each small problem independently from the
each other, deriving the properties of the overall system. Furthermore, the
hierarchical verification allows us to build several intermediate refinements
between specification and implementation. Often hierarchical and compositional
verification is simpler and cleaner than direct one-step verification,
since each refinement may focus on specific homogeneous aspects of the implementation.
In this thesis we introduce a new simulation relation, that we call polynomially
accurate simulation, or approximated simulation, that is compositional
and that allows us to adopt the hierarchical approach in our analyses.
The polynomially accurate simulations extend the simulation relations of
the distributed systems context in both strong and weak cases taking into
account the lengths of the computations and of the computational properties
of the cryptographic primitives.
Besides the polynomially accurate simulations, we provide other tools
that can simplify the analysis of cryptographic protocols: the first one is the
concept of conditional automaton, that permits to safely remove events that
occur with negligible probability. Starting from a machine that is attackable
with negligible probability, if we build an automaton that is conditional to
the absence of these attacks, then there exists a simulation. And this allows
us to work with the simulation relations all the time and in particular we can
also prove in a compositional way that the elimination of negligible events
from an automaton is safe. This property is justified by the conditional
automaton theorem that states that events are negligible if and only if the
identity relation is an approximated simulation from the automaton and
its conditional counterpart. Another tool is the execution correspondence
theorem, that extends the one of the distributed systems context, that allows
us to use the hierarchical approach. In fact, the theorem states that if we
have several automata and a chain of simulations between them, then with
overwhelming probability each execution of the first automaton is related
to an execution of the last automaton. In other words, we have that the
probability that the last automaton is not able to simulate an execution of
the first one is negligible.
Finally, we use the polynomially accurate simulation framework to provide
families of automata that implement commonly used cryptographic
primitives and to prove that the symbolic approach is sound with respect to
the computational approach