Proving Correctness and Security of Two-Party Computation Implemented in Java in Presence of a Semi-Honest Sender ⋆

Abstract. We provide a proof of correctness and security of a two-party-computation protocol based on garbled circuits and oblivious transfer in the presence of a semi-honest sender. To achieve this we are the first to combine a machine-assisted proof of correctness with advanced cryptographic primitives to prove security properties of Java code. The machine-assisted part of the proof is conducted with KeY, an interactive theorem prover. The proof includes a correctness result for the construction and evaluation of garbled circuits. This is particularly interesting since checking such an implementation by hand would be very tedious and error-prone. Although we stick to the secure two-party-computation of an n-bit AND in this paper, our approach is modular, and we explain how our techniques can be applied to other functions. To prove the security of the protocol for an honest-but-curious sender and an honest receiver, we use the framework presented by Küsters et al. for the cryptographic verification of Java programs. As part of our work, we add oblivious transfer to the set of cryptographic primitives supported by the framework. This is a general contribution beyond our results for concrete Java code.

Symbolic Analysis of Cryptographic Protocols

We rely on the security properties of cryptographic protocols every day while browsing the Internet or withdrawing money from an ATM. However, many of the protocols we use today were standardized without a proof of security. Serious flaws in protocols restrict the level of security we can reach for applications. This thesis motivates why we should strive for proofs of security and provides a framework that makes using automated tools to conduct such proofs more feasible