Contingent payments on a public ledger: models and reductions for automated verification

International audienceWe study protocols that rely on a public ledger infrastructure, concentrating on protocols for zero-knowledge contingent payment, whose security properties combine diverse notions of fairness and privacy. We argue that rigorous models are required for capturing the ledger semantics, the protocol-ledger interaction, the cryptographic primitives and, ultimately, the security properties one would like to achieve.Our focus is on a particular level of abstraction, where network messages are represented by a term algebra, protocol execution by state transition systems (e.g. multiset rewrite rules) and where the properties of interest can be analyzed with automated verification tools. We propose models for: (1) the rules guiding the ledger execution, taking the coin functionality of public ledgers such as Bitcoin as an example; (2) the security properties expected from ledger-based zero-knowledge contingent payment protocols; (3) two different security protocols that aim at achieving these properties relying on different ledger infrastructures; (4) reductions that allow simpler term algebras for homomorphic cryptographic schemes.Altogether, these models allow us to derive a first automated verification for ledger-based zero-knowledge contingent payment using the Tamarin prover. Furthermore , our models help in clarifying certain underlying assumptions, security and efficiency tradeoffs that should be taken into account when deploying protocols on the blockchain

Contingent payments on a public ledger: models and reductions for automated verification

International audienceWe study protocols that rely on a public ledger infrastructure, concentrating on protocols for zero-knowledge contingent payment, whose security properties combine diverse notions of fairness and privacy. We argue that rigorous models are required for capturing the ledger semantics, the protocol-ledger interaction, the cryptographic primitives and, ultimately, the security properties one would like to achieve.Our focus is on a particular level of abstraction, where network messages are represented by a term algebra, protocol execution by state transition systems (e.g. multiset rewrite rules) and where the properties of interest can be analyzed with automated verification tools. We propose models for: (1) the rules guiding the ledger execution, taking the coin functionality of public ledgers such as Bitcoin as an example; (2) the security properties expected from ledger-based zero-knowledge contingent payment protocols; (3) two different security protocols that aim at achieving these properties relying on different ledger infrastructures; (4) reductions that allow simpler term algebras for homomorphic cryptographic schemes.Altogether, these models allow us to derive a first automated verification for ledger-based zero-knowledge contingent payment using the Tamarin prover. Furthermore , our models help in clarifying certain underlying assumptions, security and efficiency tradeoffs that should be taken into account when deploying protocols on the blockchain

Unification dans des mélanges non-disjoints avec des théories fermées en avant

We investigate the unification problemin theories defined by rewrite systems which are both convergent andforward-closed. These theories are also known in the context ofprotocol analysis as theories with the finite variant property andadmit a variant-based unification algorithm. In this paper, wepresent a new rule-based unification algorithm which can be seen as analternative to the variant-based approach. In addition, we defineforward-closed combination to capture the union of a forward-closedconvergent rewrite system with another theory, such as theAssociativity-Commutativity, whose function symbols may occur inright-hand sides of the rewrite system. Finally, we present acombination algorithm for this particular class of non-disjoint unionsof theories.On étudie le problème d’unification dans les théories définies par des systèmes deréécriture qui sont à la fois convergents et fermés en avant. Ces théories sont connues dans lecontexte de l’analyse de protocoles de sécurité comme les théories ayant la propriété des variantsfinis et admettant de ce fait un algorithme d’unification à base de variants. Dans ce papier,on présente un nouvel algorithme d’unification à base de règles qui peut être vu comme unealternative à l’approche basée sur le calcul de variants. On étudie l’union d’un système deréécriture convergent et fermé en avant avec une autre théorie dont les symboles de fonctionpeuvent apparaître dans les membres droits du système de réécriture. Finalement, on présenteun algorithme de combinaison pour cette classe particulière d’unions non-disjointes de théories