39,051 research outputs found
Symbolic Abstractions for Quantum Protocol Verification
Quantum protocols such as the BB84 Quantum Key Distribution protocol exchange
qubits to achieve information-theoretic security guarantees. Many variants
thereof were proposed, some of them being already deployed. Existing security
proofs in that field are mostly tedious, error-prone pen-and-paper proofs of
the core protocol only that rarely account for other crucial components such as
authentication. This calls for formal and automated verification techniques
that exhaustively explore all possible intruder behaviors and that scale well.
The symbolic approach offers rigorous, mathematical frameworks and automated
tools to analyze security protocols. Based on well-designed abstractions, it
has allowed for large-scale formal analyses of real-life protocols such as TLS
1.3 and mobile telephony protocols. Hence a natural question is: Can we use
this successful line of work to analyze quantum protocols? This paper proposes
a first positive answer and motivates further research on this unexplored path
Safe abstractions of data encodings in formal security protocol models
When using formal methods, security protocols are usually modeled at a high level of abstraction. In particular, data encoding and decoding transformations are often abstracted away. However, if no assumptions at all are made on the behavior of such transformations, they could trivially lead to security faults, for example leaking secrets or breaking freshness by collapsing nonces into constants. In order to address this issue, this paper formally states sufficient conditions, checkable on sequential code, such that if an abstract protocol model is secure under a Dolev-Yao adversary, then a refined model, which takes into account a wide class of possible implementations of the encoding/decoding operations, is implied to be secure too under the same adversary model. The paper also indicates possible exploitations of this result in the context of methods based on formal model extraction from implementation code and of methods based on automated code generation from formally verified model
The cryptographic power of misaligned reference frames
Suppose that Alice and Bob define their coordinate axes differently, and the
change of reference frame between them is given by a probability distribution
mu over SO(3). We show that this uncertainty of reference frame is of no use
for bit commitment when mu is uniformly distributed over a (sub)group of SO(3),
but other choices of mu can give rise to a partially or even asymptotically
secure bit commitment.Comment: 4 pages Latex; v2 has a new referenc
Formal Verification of Security Protocol Implementations: A Survey
Automated formal verification of security protocols has been mostly focused on analyzing high-level abstract models which, however, are significantly different from real protocol implementations written in programming languages. Recently, some researchers have started investigating techniques that bring automated formal proofs closer to real implementations. This paper surveys these attempts, focusing on approaches that target the application code that implements protocol logic, rather than the libraries that implement cryptography. According to these approaches, libraries are assumed to correctly implement some models. The aim is to derive formal proofs that, under this assumption, give assurance about the application code that implements the protocol logic. The two main approaches of model extraction and code generation are presented, along with the main techniques adopted for each approac
Actor-network procedures: Modeling multi-factor authentication, device pairing, social interactions
As computation spreads from computers to networks of computers, and migrates
into cyberspace, it ceases to be globally programmable, but it remains
programmable indirectly: network computations cannot be controlled, but they
can be steered by local constraints on network nodes. The tasks of
"programming" global behaviors through local constraints belong to the area of
security. The "program particles" that assure that a system of local
interactions leads towards some desired global goals are called security
protocols. As computation spreads beyond cyberspace, into physical and social
spaces, new security tasks and problems arise. As networks are extended by
physical sensors and controllers, including the humans, and interlaced with
social networks, the engineering concepts and techniques of computer security
blend with the social processes of security. These new connectors for
computational and social software require a new "discipline of programming" of
global behaviors through local constraints. Since the new discipline seems to
be emerging from a combination of established models of security protocols with
older methods of procedural programming, we use the name procedures for these
new connectors, that generalize protocols. In the present paper we propose
actor-networks as a formal model of computation in heterogenous networks of
computers, humans and their devices; and we introduce Procedure Derivation
Logic (PDL) as a framework for reasoning about security in actor-networks. On
the way, we survey the guiding ideas of Protocol Derivation Logic (also PDL)
that evolved through our work in security in last 10 years. Both formalisms are
geared towards graphic reasoning and tool support. We illustrate their workings
by analysing a popular form of two-factor authentication, and a multi-channel
device pairing procedure, devised for this occasion.Comment: 32 pages, 12 figures, 3 tables; journal submission; extended
references, added discussio
Proof Theory, Transformations, and Logic Programming for Debugging Security Protocols
We define a sequent calculus to formally specify, simulate, debug and verify security protocols. In our sequents we distinguish between the current knowledge of principals and the current global state of the session. Hereby, we can describe the operational semantics of principals and of an intruder in a simple and modular way. Furthermore, using proof theoretic tools like the analysis of permutability of rules, we are able to find efficient proof strategies that we prove complete for special classes of security protocols including Needham-Schroeder. Based on the results of this preliminary analysis, we have implemented a Prolog meta-interpreter which allows for rapid prototyping and for checking safety properties of security protocols, and we have applied it for finding error traces and proving correctness of practical examples
Detecting Key-Dependencies
The confidentiality of encrypted data depends on how well the key under which it was encrypted is maintained. If a session key was exchanged encrypted under a long-term key, exposure of the long-term key may reveal the session key and hence the data encrypted with it. The problem of key-dependencies between keys can be mapped onto connectivity of a graph, and the resulting graph can be inspected. This article presents a structured method (an algorithm) with which key-dependencies can be detected and analysed. Several well-known protocols are examined, and it is shown that they are vulnerable to certain attacks exploiting key-dependencies. Protocols which are free from this defect do exist. That is, when a session is terminated it is properly closed
Fiat-Shamir for highly sound protocols is instantiable
The Fiat–Shamir (FS) transformation (Fiat and Shamir, Crypto '86) is a popular paradigm for constructing very efficient non-interactive zero-knowledge (NIZK) arguments and signature schemes from a hash function and any three-move interactive protocol satisfying certain properties. Despite its wide-spread applicability both in theory and in practice, the known positive results for proving security of the FS paradigm are in the random oracle model only, i.e., they assume that the hash function is modeled as an external random function accessible to all parties. On the other hand, a sequence of negative results shows that for certain classes of interactive protocols, the FS transform cannot be instantiated in the standard model.
We initiate the study of complementary positive results, namely, studying classes of interactive protocols where the FS transform does have standard-model instantiations. In particular, we show that for a class of “highly sound” protocols that we define, instantiating the FS transform via a q-wise independent hash function yields NIZK arguments and secure signature schemes. In the case of NIZK, we obtain a weaker “q-bounded” zero-knowledge flavor where the simulator works for all adversaries asking an a-priori bounded number of queries q; in the case of signatures, we obtain the weaker notion of random-message unforgeability against q-bounded random message attacks.
Our main idea is that when the protocol is highly sound, then instead of using random-oracle programming, one can use complexity leveraging. The question is whether such highly sound protocols exist and if so, which protocols lie in this class. We answer this question in the affirmative in the common reference string (CRS) model and under strong assumptions. Namely, assuming indistinguishability obfuscation and puncturable pseudorandom functions we construct a compiler that transforms any 3-move interactive protocol with instance-independent commitments and simulators (a property satisfied by the Lapidot–Shamir protocol, Crypto '90) into a compiled protocol in the CRS model that is highly sound. We also present a second compiler, in order to be able to start from a larger class of protocols, which only requires instance-independent commitments (a property for example satisfied by the classical protocol for quadratic residuosity due to Blum, Crypto '81). For the second compiler we require dual-mode commitments.
We hope that our work inspires more research on classes of (efficient) 3-move protocols where Fiat–Shamir is (efficiently) instantiable
- …