Models for Cryptographic Protocol Analysis

Formal models for security protocols often rely on assumptions not to be found in computational models. A first assumption is the perfect encryption one: encrypted data can not be manipulated in any way unless the decryption key is known. Another usual assumption is the free algebra one: only a few cryptographic primitives are considered in the model, and these must form a free algebra. We study these assumptions, and relax them to define more general models. We then define static analysis techniques for veryfing protocols secure in our models

Static Analysis of Circuits for Security

The purpose of the present work is to define a methodology to analyze a system description given in VHDL code and test its security properties. In particular the analysis is aimed at ensuring that a malicious user cannot make a circuit output the secret data it contains

Design and Verification of Specialised Security Goals for Protocol Families

Communication Protocols form a fundamental backbone of our modern information networks. These protocols provide a framework to describe how agents - Computers, Smartphones, RFID Tags and more - should structure their communication. As a result, the security of these protocols is implicitly trusted to protect our personal data. In 1997, Lowe presented ‘A Hierarchy of Authentication Specifications’, formalising a set of security requirements that might be expected of communication protocols. The value of these requirements is that they can be formally tested and verified against a protocol specification. This allows a user to have confidence that their communications are protected in ways that are uniformly defined and universally agreed upon. Since that time, the range of objectives and applications of real-world protocols has grown. Novel requirements - such as checking the physical distance between participants, or evolving trust assumptions of intermediate nodes on the network - mean that new attack vectors are found on a frequent basis. The challenge, then, is to define security goals which will guarantee security, even when the nature of these attacks is not known. In this thesis, a methodology for the design of security goals is created. It is used to define a collection of specialised security goals for protocols in multiple different families, by considering tailor-made models for these specific scenarios. For complex requirements, theorems are proved that simplify analysis, allowing the verification of security goals to be efficiently modelled in automated prover tools

Les preuves de protocoles cryprographiques revisitées

With the rise of the Internet the use of cryptographic protocols became ubiquitous. Considering the criticality and complexity of these protocols, there is an important need of formal verification.In order to obtain formal proofs of cryptographic protocols, two main attacker models exist: the symbolic model and the computational model. The symbolic model defines the attacker capabilities as a fixed set of rules. On the other hand, the computational model describes only the attacker's limitations by stating that it may break some hard problems. While the former is quiteabstract and convenient for automating proofs the later offers much stronger guarantees.There is a gap between the guarantees offered by these two models due to the fact the symbolic model defines what the adversary may do while the computational model describes what it may not do. In 2012 Bana and Comon devised a new symbolic model in which the attacker's limitations are axiomatised. In addition provided that the (computational semantics) of the axioms follows from the cryptographic hypotheses, proving security in this symbolic model yields security in the computational model.The possibility of automating proofs in this model (and finding axioms general enough to prove a large class of protocols) was left open in the original paper. In this thesis we provide with an efficient decision procedure for a general class of axioms. In addition we propose a tool (SCARY) implementing this decision procedure. Experimental results of our tool shows that the axioms we designed for modelling security of encryption are general enough to prove a large class of protocols.Avec la généralisation d'Internet, l'usage des protocoles cryptographiques est devenu omniprésent. Étant donné leur complexité et leur l'aspect critique, une vérification formelle des protocoles cryptographiques est nécessaire.Deux principaux modèles existent pour prouver les protocoles. Le modèle symbolique définit les capacités de l'attaquant comme un ensemble fixe de règles, tandis que le modèle calculatoire interdit seulement a l'attaquant derésoudre certain problèmes difficiles. Le modèle symbolique est très abstrait et permet généralement d'automatiser les preuves, tandis que le modèle calculatoire fournit des garanties plus fortes.Le fossé entre les garanties offertes par ces deux modèles est dû au fait que le modèle symbolique décrit les capacités de l'adversaire alors que le modèle calculatoire décrit ses limitations. En 2012 Bana et Comon ont proposé unnouveau modèle symbolique dans lequel les limitations de l'attaquant sont axiomatisées. De plus, si la sémantique calculatoire des axiomes découle des hypothèses cryptographiques, la sécurité dans ce modèle symbolique fournit desgaranties calculatoires.L'automatisation des preuves dans ce nouveau modèle (et l'élaboration d'axiomes suffisamment généraux pour prouver un grand nombre de protocoles) est une question laissée ouverte par l'article de Bana et Comon. Dans cette thèse nous proposons une procédure de décision efficace pour une large classe d'axiomes. De plus nous avons implémenté cette procédure dans un outil (SCARY). Nos résultats expérimentaux montrent que nos axiomes modélisant la sécurité du chiffrement sont suffisamment généraux pour prouver une large classe de protocoles

Is Information-Theoretic Topology-Hiding Computation Possible?

Topology-hiding computation (THC) is a form of multi-party computation over an incomplete communication graph that maintains the privacy of the underlying graph topology. Existing THC protocols consider an adversary that may corrupt an arbitrary number of parties, and rely on cryptographic assumptions such as DDH. In this paper we address the question of whether information-theoretic THC can be achieved by taking advantage of an honest majority. In contrast to the standard MPC setting, this problem has remained open in the topology-hiding realm, even for simple privacy-free functions like broadcast, and even when considering only semi-honest corruptions. We uncover a rich landscape of both positive and negative answers to the above question, showing that what types of graphs are used and how they are selected is an important factor in determining the feasibility of hiding topology information-theoretically. In particular, our results include the following. We show that topology-hiding broadcast (THB) on a line with four nodes, secure against a single semi-honest corruption, implies key agreement. This result extends to broader classes of graphs, e.g., THB on a cycle with two semi-honest corruptions. On the other hand, we provide the first feasibility result for information-theoretic THC: for the class of cycle graphs, with a single semi-honest corruption. Given the strong impossibilities, we put forth a weaker definition of distributional-THC, where the graph is selected from some distribution (as opposed to worst-case). We present a formal separation between the definitions, by showing a distribution for which information theoretic distributional-THC is possible, but even topology-hiding broadcast is not possible information-theoretically with the standard definition. We demonstrate the power of our new definition via a new connection to adaptively secure low-locality MPC, where distributional-THC enables parties to reuse a secret low-degree communication graph even in the face of adaptive corruptions

Rational cryptography: novel constructions, automated verification and unified definitions

Rational cryptography has recently emerged as a very promising field of research by combining notions and techniques from cryptography and game theory, because it offers an alternative to the rather inflexible traditional cryptographic model. In contrast to the classical view of cryptography where protocol participants are considered either honest or arbitrarily malicious, rational cryptography models participants as rational players that try to maximize their benefit and thus deviate from the protocol only if they gain an advantage by doing so. The main research goals for rational cryptography are the design of more efficient protocols when players adhere to a rational model, the design and implementation of automated proofs for rational security notions and the study of the intrinsic connections between game theoretic and cryptographic notions. In this thesis, we address all these issues. First we present the mathematical model and the design for a new rational file sharing protocol which we call RatFish. Next, we develop a general method for automated verification for rational cryptographic protocols and we show how to apply our technique in order to automatically derive the rational security property for RatFish. Finally, we study the intrinsic connections between game theory and cryptography by defining a new game theoretic notion, which we call game universal implementation, and by showing its equivalence with the notion of weak stand-alone security.Rationale Kryptographie ist kürzlich als ein vielversprechender Bereich der Forschung durch die Kombination von Begriffen und Techniken aus der Kryptographie und der Spieltheorie entstanden, weil es eine Alternative zu dem eher unflexiblen traditionellen kryptographischen Modell bietet. Im Gegensatz zur klassischen Ansicht der Kryptographie, nach der Protokollteilnehmer entweder als ehrlich oder willkürlich bösartig angesehen werden, modelliert rationale Kryptografie die Protokollteilnehmer als rationale Akteure, die versuchen ihren Vorteil zu maximieren und damit nur vom Protokoll abweichen, wenn sie dadurch einen Vorteil erlangen. Die wichtigsten Forschungsziele rationaler Kryptographie sind: das Design effizienterer Protokolle, wenn die Spieler ein rationale Modell folgen, das Design und die Implementierung von automatisierten Beweisen rationaler Sicherheitsbegriffe und die Untersuchung der intrinsischen Verbindungen zwischen spieltheoretischen und kryptographischen Begriffen. In dieser Arbeit beschäftigen wir uns mit all diesen Fragen. Zunächst präsentieren wir das mathematische Modell und das Design für RatFish, ein neues rationales Filesharing-Protokoll. Dann entwickeln wir eine allgemeine Methode zur automatischen Verifikation rationaler kryptographischer Protokolle und wir zeigen, wie man unsere Technik nutzen kann, um die rationale Sicherheitseigenschaft von RatFish automatisch abzuleiten. Abschließend untersuchen wir die intrinsische Verbindungen zwischen Spieltheorie und Kryptographie durch die Definition von game universal implementation, einem neuen spieltheoretischen Begriff, und wir zeigen die Äquivalenz von game universal implementation und weak stand-alone security