210 research outputs found

    Externally Verifiable Oblivious RAM

    We present the idea of externally verifiable oblivious RAM (ORAM). Our goal is to allow a client and server carrying out an ORAM protocol to have disputes adjudicated by a third party, allowing for the enforcement of penalties against an unreliable or malicious server. We give a security definition that guarantees protection not only against a malicious server but also against a client making false accusations. We then give modifications of the Path ORAM and Ring ORAM protocols that meet this security definition. These protocols both have the same asymptotic runtimes as the semi-honest original versions and require the external verifier to be involved only when the client or server deviates from the protocol. Finally, we implement externally verified ORAM, along with an automated cryptocurrency contract to use as the external verifier.
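    The two-sided guarantee the abstract describes (the server is penalised only on evidence it signed, and a lying client cannot manufacture such evidence) can be illustrated on a tree ORAM with a Merkle commitment. The following is an added sketch, not the paper's construction or code: the server hashes its bucket tree, signs the root after each write and signs every read response; the client keeps the last signed root; a verifier adjudicates a complaint from those two signed messages alone. The tree depth, bucket contents, message fields and the use of an HMAC under a key the verifier also holds (standing in for a public-key signature) are all assumptions of this example.

```python
import hashlib
import hmac
import json

DEPTH = 3                            # tree with 2**DEPTH leaves; buckets are opaque bytes
SERVER_KEY = b"server-signing-key"   # constructed; stands in for the server's signing key


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()


def sign(msg: dict) -> bytes:
    # Assumption: an HMAC under a key the verifier also holds stands in for a
    # public-key signature, so only the server can produce valid evidence.
    payload = json.dumps(msg, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def sig_ok(msg: dict, sig: bytes) -> bool:
    return hmac.compare_digest(sign(msg), sig)


def path_nodes(leaf: int) -> list[int]:
    """Heap indices from the root (0) down to leaf number `leaf`."""
    node, nodes = (1 << DEPTH) - 1 + leaf, []
    while node > 0:
        nodes.append(node)
        node = (node - 1) // 2
    return [0] + nodes[::-1]


def sibling(node: int) -> int:
    return node + 1 if node % 2 == 1 else node - 1


def root_from_path(leaf: int, buckets: list[bytes], siblings: list[bytes]) -> bytes:
    """Recompute the Merkle root from a path's buckets and the hashes of their siblings."""
    nodes = path_nodes(leaf)
    acc = h(buckets[DEPTH])                        # leaf bucket is hashed alone
    for d in range(DEPTH - 1, -1, -1):             # walk back up to the root
        child, sib = nodes[d + 1], siblings[d]
        left, right = (acc, sib) if child % 2 == 1 else (sib, acc)
        acc = h(buckets[d], left, right)
    return acc


def response_root(resp: dict) -> bytes:
    return root_from_path(resp["leaf"],
                          [bytes.fromhex(b) for b in resp["buckets"]],
                          [bytes.fromhex(s) for s in resp["siblings"]])


class Server:
    def __init__(self) -> None:
        self.buckets = [b"" for _ in range(2 ** (DEPTH + 1) - 1)]
        self.seq = 0

    def node_hash(self, i: int) -> bytes:
        if i >= (1 << DEPTH) - 1:                  # leaf
            return h(self.buckets[i])
        return h(self.buckets[i], self.node_hash(2 * i + 1), self.node_hash(2 * i + 2))

    def commitment(self) -> tuple[dict, bytes]:
        msg = {"seq": self.seq, "root": self.node_hash(0).hex()}
        return msg, sign(msg)

    def read_path(self, leaf: int) -> tuple[dict, bytes]:
        nodes = path_nodes(leaf)
        msg = {"seq": self.seq, "leaf": leaf,
               "buckets": [self.buckets[i].hex() for i in nodes],
               "siblings": [self.node_hash(sibling(i)).hex() for i in nodes[1:]]}
        return msg, sign(msg)

    def write_path(self, leaf: int, buckets: list[bytes]) -> tuple[dict, bytes]:
        for i, b in zip(path_nodes(leaf), buckets):
            self.buckets[i] = b
        self.seq += 1
        return self.commitment()                   # signed root of the new state


def adjudicate(commit: dict, commit_sig: bytes, resp: dict, resp_sig: bytes) -> str:
    """Verifier's verdict on a client complaint: (signed commitment, signed response)."""
    if not (sig_ok(commit, commit_sig) and sig_ok(resp, resp_sig)):
        return "reject: evidence is not signed by the server"
    if resp["seq"] != commit["seq"]:
        return "reject: response does not refer to the committed state"
    if response_root(resp) == bytes.fromhex(commit["root"]):
        return "reject: response is consistent with the commitment (false accusation)"
    return "penalize server: signed response contradicts signed commitment"


def scenario(server_cheats: bool, client_forges: bool) -> str:
    srv = Server()
    commit, csig = srv.write_path(2, [b"blk-a", b"blk-b", b"blk-c", b"blk-d"])
    if server_cheats:
        srv.buckets[0] = b"tampered"              # alter the root bucket after committing
    resp, rsig = srv.read_path(5)                  # every path passes through the root bucket
    if client_forges:
        resp["buckets"][0] = b"forged".hex()       # client doctors the evidence; signature breaks
    return adjudicate(commit, csig, resp, rsig)
```

    The verifier never needs the ORAM state itself, only the two signed messages, which is what lets it stay offline until someone deviates. Note the caveat that a tampered bucket off the requested path is not caught by that read; it surfaces on the first later access that passes through it, and the client's held commitment must be the server's signed root from that time for the complaint to be accepted.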

    IPDL: A Simple Framework for Formally Verifying Distributed Cryptographic Protocols

    Although there have been many successes in verifying proofs of non-interactive cryptographic primitives such as encryption and signatures, formal verification of interactive cryptographic protocols is still a nascent area. While in principle it seems possible to extend general frameworks such as EasyCrypt to encode proofs for more complex, interactive protocols, a big challenge is whether the human effort would scale well enough for proof mechanization to eventually gain mainstream usage in the cryptography community. We work towards closing this gap by introducing a simple framework, Interactive Probabilistic Dependency Logic (IPDL), for reasoning about a certain well-behaved subset of cryptographic protocols. A primary design goal of IPDL is for formal cryptographic proofs to resemble their on-paper counterparts. To this end, IPDL includes an equational logic to reason about approximate observational equivalence (i.e., computational indistinguishability) between protocols. IPDL adopts a channel-centric core logic, which decomposes the behavior of the protocol into the behaviors along each communication channel. IPDL supports straight-line programs with statically bounded loops. This design allows us to capture a broad class of protocols encountered in the cryptography literature, including multi-party, reactive, and/or inductively-defined protocols; meanwhile, the logic can track the runtime of the computational reduction in security proofs, thus ensuring computational soundness. We demonstrate the use of IPDL by a number of case studies, including a multi-use secure message communication protocol, a multi-party coin toss with abort protocol, several oblivious transfer constructions, as well as the two-party GMW protocol for securely evaluating general circuits. We provide a mechanization of the IPDL proof system and our case studies in Coq, and our code (https://github.com/ipdl/ipdl) is open source.

    IPDL: A Probabilistic Dataflow Logic for Cryptography

    While there have been many successes in verifying cryptographic security proofs of noninteractive primitives such as encryption and signatures, less attention has been paid to interactive cryptographic protocols. Interactive protocols introduce the additional verification challenge of concurrency, which is notoriously hard to reason about in a cryptographically sound manner. When proving the (approximate) observational equivalence of protocols, as is required by simulation-based security in the style of Universal Composability (UC), a bisimulation is typically performed in order to reason about the nontrivial control flows induced by concurrency. Unfortunately, bisimulations are typically very tedious to carry out manually and do not capture the high-level intuitions which guide informal proofs of UC security on paper. Because of this, there is currently a large gap in formality between proofs of cryptographic protocols on paper and in mechanized theorem provers. We work towards closing this gap through a new methodology for iteratively constructing bisimulations in a manner close to on-paper intuition. We present this methodology through Interactive Probabilistic Dependency Logic (IPDL), a simple calculus and proof system for specifying and reasoning about (a certain subclass of) distributed probabilistic computations. The IPDL framework exposes an equational logic on protocols; proofs in our logic consist of a number of rewriting rules, each of which induces a single low-level bisimulation between protocols. We show how to encode simulation-based security in the style of UC in our logic, and evaluate our logic on a number of case studies; most notably, a semi-honest secure Oblivious Transfer protocol, and a simple multiparty computation protocol robust to Byzantine faults. Due to the novel design of our logic, we are able to deliver mechanized proofs of protocols which we believe are comprehensible to cryptographers without verification expertise. We provide a mechanization in Coq of IPDL and of all case studies presented in this work.

    Owl: Compositional Verification of Security Protocols via an Information-Flow Type System

    Computationally sound protocol verification tools promise to deliver full-strength cryptographic proofs for security protocols. Unfortunately, current tools lack either modularity or automation. We propose a new approach based on a novel use of information flow and refinement types for sound cryptographic proofs. Our framework, Owl, allows type-based modular descriptions of security protocols, wherein disjoint subprotocols can be programmed and automatically proved secure separately. We give a formal security proof for Owl via a core language which supports standard symmetric and asymmetric primitives, Diffie-Hellman operations, and hashing via random oracles. We also implement a type checker for Owl along with a prototype extraction mechanism to Rust, and evaluate it on 14 case studies, including (simplified forms of) SSH key exchange and Kerberos.

    A Core Calculus for Equational Proofs of Cryptographic Protocols

    Many proofs of interactive cryptographic protocols (e.g., as in Universal Composability) operate by proving the protocol at hand to be observationally equivalent to an idealized specification. While pervasive, formal tool support for observational equivalence of cryptographic protocols is still a nascent area of research. Current mechanization efforts tend to either focus on diff-equivalence, which establishes observational equivalence between protocols with identical control structures, or require an explicit witness for the observational equivalence in the form of a bisimulation relation. Our goal is to simplify proofs for cryptographic protocols by introducing a core calculus, IPDL, for cryptographic observational equivalences. Via IPDL, we aim to address a number of theoretical issues for cryptographic proofs in a simple manner, including probabilistic behaviors, distributed message-passing, and resource-bounded adversaries and simulators. We demonstrate IPDL on a number of case studies, including a distributed coin toss protocol, Oblivious Transfer, and the GMW multi-party computation protocol. All proofs of case studies are mechanized via an embedding of IPDL into the Coq proof assistant.

    Viaduct: An Extensible, Optimizing Compiler for Secure Distributed Programs (Technical Report)

    Modern distributed systems involve interactions between principals with limited trust, so cryptographic mechanisms are needed to protect confidentiality and integrity. At the same time, most developers lack the training to securely employ cryptography. We present Viaduct, a compiler that transforms high-level programs into secure, efficient distributed realizations. Viaduct's source language allows developers to declaratively specify security policies by annotating their programs with information flow labels. The compiler uses these labels to synthesize distributed programs that use cryptography efficiently while still defending the source-level security policy. The Viaduct approach is general, and can be easily extended with new security mechanisms. Our implementation of the Viaduct compiler comes with an extensible runtime system that includes plug-in support for multiparty computation, commitments, and zero-knowledge proofs. We have evaluated the system on a set of benchmarks, and the results indicate that our approach is feasible and can use cryptography in efficient, nontrivial ways.
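    How labels can drive placement is easier to see on a toy than from the abstract. The following is an added illustration and not Viaduct's code, label syntax or selection algorithm: a value's confidentiality label is the set of principals whose secrets it contains, labels combine by set union (the lattice join), a host may compute on a value in the clear only if every principal in the label trusts that host, and otherwise the computation is placed in an MPC among those principals. The trust relation, the three-statement program and the `in`/`op`/`declassify` statement forms are constructed for this example; integrity labels and cost-based protocol choice, which the real compiler also handles, are left out.

```python
from typing import Dict, FrozenSet, List, Tuple

Label = FrozenSet[str]   # confidentiality label: principals whose secrets a value carries
PUBLIC: Label = frozenset()

# Constructed trust relation: which hosts each principal allows to see its secrets in the clear.
TRUSTS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"alice"}),
    "bob": frozenset({"bob"}),
    "chuck": frozenset({"chuck", "alice"}),   # chuck lets alice's host handle his data
}


def join(*labels: Label) -> Label:
    """Least upper bound in the lattice: combining values pools their owners."""
    return frozenset().union(*labels)


def cleared_hosts(label: Label) -> List[str]:
    """Hosts that every owner in `label` trusts; only they may hold the value in the clear."""
    return sorted(host for host in TRUSTS if all(host in TRUSTS[p] for p in label))


def place(label: Label) -> str:
    """Choose where a value with this label may be computed."""
    if label == PUBLIC:
        return "any"
    hosts = cleared_hosts(label)
    if hosts:
        own = [h for h in hosts if h in label]      # prefer an owner's own machine
        return "local:" + (own or hosts)[0]
    return "mpc:" + "+".join(sorted(label))         # nobody is trusted by all owners


# Statement forms (assumed for this example):
#   ("in", var, principal)          principal supplies a secret input
#   ("op", var, name, *operands)    pure computation over earlier variables
#   ("declassify", var, src)        programmer releases src as public
Stmt = Tuple[str, ...]


def compile_program(stmts: List[Stmt]) -> Dict[str, Tuple[Label, str]]:
    """Infer each variable's label from its operands and pick a placement for it.

    Labels only ever grow through joins; the sole way one shrinks is an explicit
    declassify statement, so the compiler never lowers a label on its own. The
    declassification itself runs wherever the source value lives (e.g. an MPC
    opening its result), and only the output becomes public."""
    env: Dict[str, Label] = {}
    placements: Dict[str, Tuple[Label, str]] = {}
    for stmt in stmts:
        kind, var = stmt[0], stmt[1]
        if kind == "in":
            label, where = frozenset({stmt[2]}), None
        elif kind == "op":
            label, where = join(*(env[x] for x in stmt[3:])), None
        elif kind == "declassify":
            label, where = PUBLIC, place(env[stmt[2]])
        else:
            raise ValueError(f"unknown statement {kind!r}")
        env[var] = label
        placements[var] = (label, where if where is not None else place(label))
    return placements


PROGRAM: List[Stmt] = [
    ("in", "a", "alice"),
    ("in", "b", "bob"),
    ("in", "c", "chuck"),
    ("op", "s", "add", "a", "c"),     # {alice, chuck}: alice's host is trusted by both
    ("op", "m", "gt", "s", "b"),      # {alice, bob, chuck}: no host is trusted by all three
    ("declassify", "out", "m"),       # the comparison result is released publicly
]
```

    Running `compile_program(PROGRAM)` places `s` at alice's host, pushes `m` into an MPC among all three principals, and leaves `out` public. Removing the `declassify` statement would keep everything downstream of `m` inside the MPC, which is the point of making release an explicit, reviewable policy decision rather than something the compiler infers.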

    Symbolic Proofs for Lattice-Based Cryptography

    Symbolic methods have been used extensively for proving security of cryptographic protocols in the Dolev-Yao model, and more recently for proving security of cryptographic primitives and constructions in the computational model. However, existing methods for proving security of cryptographic constructions in the computational model often require significant expertise and interaction, or are fairly limited in scope and expressivity. This paper introduces a symbolic approach for proving security of cryptographic constructions based on the Learning With Errors assumption (Regev, STOC 2005). Such constructions are instances of lattice-based cryptography and are extremely important due to their potential role in post-quantum cryptography. Following (Barthe, Grégoire and Schmidt, CCS 2015), our approach combines a computational logic with deducibility problems, a standard tool for representing the adversary's knowledge in the Dolev-Yao model. The computational logic is used to capture (indistinguishability-based) security notions and drive the security proofs, whereas deducibility problems are used as side conditions to check that rules of the logic are applied correctly. We then use AutoLWE, an implementation of the logic, to deliver very short or even automatic proofs of several emblematic constructions, including CPA-PKE (Gentry et al., STOC 2008), (Hierarchical) Identity-Based Encryption (Agrawal et al., Eurocrypt 2010), Inner Product Encryption (Agrawal et al., Asiacrypt 2011) and CCA-PKE (Micciancio et al., Eurocrypt 2012). The main technical novelty beyond AutoLWE is a set of (semi-)decision procedures for deducibility problems, using extensions of Gröbner basis computations for subalgebras in the (non-)commutative setting (instead of ideals in the commutative setting). Our procedures cover the theory of matrices, which is required for lattice-based assumptions, as well as the theory of non-commutative rings, fields, and Diffie-Hellman exponentiation in its standard, bilinear and multilinear forms. Additionally, AutoLWE supports oracle-relative assumptions, which are used specifically to apply (advanced forms of) the Leftover Hash Lemma, an information-theoretic tool widely used in lattice-based proofs.

    Clinical effectiveness and patient perspectives of different treatment strategies for tics in children and adolescents with Tourette syndrome: a systematic review and qualitative analysis

    Background: Tourette syndrome (TS) is a neurodevelopmental condition characterised by chronic motor and vocal tics affecting up to 1% of school-age children and young people and is associated with significant distress and psychosocial impairment.

    Objective: To conduct a systematic review of the benefits and risks of pharmacological, behavioural and physical interventions for tics in children and young people with TS (part 1) and to explore the experience of treatment and services from the perspective of young people with TS and their parents (part 2).

    Data sources: For the systematic reviews (parts 1 and 2), mainstream bibliographic databases, The Cochrane Library, education, social care and grey literature databases were searched using subject headings and text words for tic* and Tourette* from database inception to January 2013.

    Review/research methods: For part 1, randomised controlled trials and controlled before-and-after studies of pharmacological, behavioural or physical interventions in children or young people (aged < 18 years) with TS or chronic tic disorder were included. Mixed studies and studies in adults were considered as supporting evidence. Risk of bias associated with each study was evaluated using the Cochrane tool. When there were sufficient data, random-effects meta-analysis was used to synthesise the evidence and the quality of evidence for each outcome was assessed using the Grading of Recommendations Assessment, Development and Evaluation approach. For part 2, qualitative studies and survey literature conducted in populations of children/young people with TS or their carers or in health professionals with experience of treating TS were included in the qualitative review. Results were synthesised narratively. In addition, a national parent/carer survey was conducted via the Tourettes Action website. Participants included parents of children and young people with TS aged under 18 years. Participants (young people with TS aged 10–17 years) for the in-depth interviews were recruited via a national survey and specialist Tourettes clinics in the UK.

    Results: For part 1, 70 studies were included in the quantitative systematic review. The evidence suggested that for treating tics in children and young people with TS, antipsychotic drugs [standardised mean difference (SMD) –0.74, 95% confidence interval (CI) –1.08 to –0.41; n = 75] and noradrenergic agents [clonidine (Dixarit®, Boehringer Ingelheim) and guanfacine: SMD –0.72, 95% CI –1.03 to –0.40; n = 164] are effective in the short term. There was little difference among antipsychotics in terms of benefits, but adverse effect profiles do differ. Habit reversal training (HRT)/comprehensive behavioural intervention for tics (CBIT) was also shown to be effective (SMD –0.64, 95% CI –0.99 to –0.29; n = 133). For part 2, 295 parents/carers of children and young people with TS contributed useable survey data. Forty young people with TS participated in in-depth interviews. Four studies were in the qualitative review. Key themes were difficulties in accessing specialist care and behavioural interventions, delay in diagnosis, importance of anxiety and emotional symptoms, lack of provision of information to schools and inadequate information regarding medication and adverse effects.

    Limitations: The number and quality of clinical trials is low and this downgrades the strength of the evidence and conclusions.

    Conclusions: Antipsychotics, noradrenergic agents and HRT/CBIT are effective in reducing tics in children and young people with TS. The balance of benefits and harms favours the most commonly used medications: risperidone (Risperdal®, Janssen), clonidine and aripiprazole (Abilify®, Otsuka). Larger and better-conducted trials addressing important clinical uncertainties are required. Further research is needed into widening access to behavioural interventions through use of technology including mobile applications ('apps') and video consultation.

    Study registration: This study is registered as PROSPERO CRD42012002059.