18 research outputs found
Implementing a Unification Algorithm for Protocol Analysis with XOR
In this paper, we propose a unification algorithm for the theory which
combines unification algorithms for E\_{\std} and E\_{\ACUN} (ACUN
properties, like XOR) but compared to the more general combination methods uses
specific properties of the equational theories for further optimizations. Our
optimizations drastically reduce the number of non-deterministic choices, in
particular those for variable identification and linear orderings. This is
important for reducing both the runtime of the unification algorithm and the
number of unifiers in the complete set of unifiers. We emphasize that obtaining
a ``small'' set of unifiers is essential for the efficiency of the constraint
solving procedure within which the unification algorithm is used. The method is
implemented in the CL-Atse tool for security protocol analysis
Universally Composable Symmetric Encryption
For most basic cryptographic tasks, such as public key
encryption, digital signatures, authentication, key
exchange, and many other more sophisticated tasks, ideal
functionalities have been formulated in the
simulation-based security approach, along with their
realizations. Surprisingly, however, no such functionality
exists for symmetric encryption, except for a more abstract
Dolev-Yao style functionality. In this paper, we fill this
gap. We propose two functionalities for symmetric
encryption, an unauthenticated and an authenticated
version, and show that they can be implemented based on
standard cryptographic assumptions for symmetric encryption
schemes, namely IND-CCA security and authenticated
encryption, respectively. We also illustrate the usefulness
of our functionalities in applications, both in
simulation-based and game-based security settings
The IITM Model: a Simple and Expressive Model for Universal Composability
The universal composability paradigm allows for the modular design and analysis of cryptographic protocols. It has been widely and successfully used in cryptography. However, devising a coherent yet simple and expressive model for universal composability is, as the history of such models shows, highly non-trivial. For example, several partly severe problems have been pointed out in the literature for the UC model.
In this work, we propose a coherent model for universal composability, called the IITM model (``Inexhaustible Interactive Turing Machine\u27\u27). A main feature of the model is that it is stated without a priori fixing irrelevant details, such as a specific way of addressing of machines by session and party identifiers, a specific modeling of corruption, or a specific protocol hierarchy. In addition, we employ a very general notion of runtime. All reasonable protocols and ideal functionalities should be expressible based on this notion in a direct and natural way, and without tweaks, such as (artificial) padding of messages or (artificially) adding extra messages.
Not least because of these features, the model is simple and expressive. Also the general results that we prove, such as composition theorems, hold independently of how such details are fixed for concrete applications.
Being inspired by other models for universal composability, in particular the UC model and because of the flexibility and expressivity of the IITM model, conceptually, results formulated in these models directly carry over to the IITM model
Joint state composition theorems for public-key encryption and digital signature functionalities with local computation
In frameworks for universal composability, complex protocols can be built from sub-protocols in a modular way using composition theorems. However, as first pointed out and studied by Canetti and Rabin, this modular approach often leads to impractical implementations. For example, when using a functionality for digital signatures within a more complex protocol, parties have to generate new verification and signing keys for every session of the protocol. This motivates to generalize composition theorems to so-called joint state (composition) theorems, where different copies of a functionality may share some state, e.g., the same verification and signing keys. In this paper, we present a joint state theorem which is more general than the original theorem of Canetti and Rabin, for which several problems and limitations are pointed out. We apply our theorem to obtain joint state realizations for three functionalities: public-key encryption, replayable public-key encryption, and digital signatures. Unlike most other formulations, our functionalities model that ciphertexts and signatures are computed locally, rather than being provided by the adversary. To obtain the joint state realizations, the functionalities have to be designed carefully. Other formulations proposed in the literature are shown to be unsuitable. Our work is based on the IITM model. Our definitions and results demonstrate the expressivity and simplicity of this model. For example, unlike Canetti’s UC model, in the IITM model no explicit joint state operator needs to be defined and the joint state theorem follows immediately from the composition theorem in the IITM model.Projekt DEALdeutsche Forschungsgemeinschaf
The IITM model : a simple and expressive model for universal composability
The universal composability paradigm allows for the modular design and analysis of cryptographic protocols. It has been widely and successfully used in cryptography. However, devising a coherent yet simple and expressive model for universal composability is, as the history of such models shows, highly non-trivial. For example, several partly severe problems have been pointed out in the literature for the UC model. In this work, we propose a coherent model for universal composability, called the IITM model (“Inexhaustible Interactive Turing Machine”). A main feature of the model is that it is stated without a priori fixing irrelevant details, such as a specific way of addressing of machines by session and party identifiers, a specific modeling of corruption, or a specific protocol hierarchy. In addition, we employ a very general notion of runtime. All reasonable protocols and ideal functionalities should be expressible based on this notion in a direct and natural way, and without tweaks, such as (artificial) padding of messages or (artificially) adding extra messages. Not least because of these features, the model is simple and expressive. Also the general results that we prove, such as composition theorems, hold independently of how such details are fixed for concrete applications. Being inspired by other models for universal composability, in particular the UC model and because of the flexibility and expressivity of the IITM model, conceptually, results formulated in these models directly carry over to the IITM model.Projekt DEALDeutsche Forschungsgemeinschaf
Unification modulo a partial theory of exponentiation
Modular exponentiation is a common mathematical operation in modern
cryptography. This, along with modular multiplication at the base and exponent
levels (to different moduli) plays an important role in a large number of key
agreement protocols. In our earlier work, we gave many decidability as well as
undecidability results for multiple equational theories, involving various
properties of modular exponentiation. Here, we consider a partial subtheory
focussing only on exponentiation and multiplication operators. Two main results
are proved. The first result is positive, namely, that the unification problem
for the above theory (in which no additional property is assumed of the
multiplication operators) is decidable. The second result is negative: if we
assume that the two multiplication operators belong to two different abelian
groups, then the unification problem becomes undecidable.Comment: In Proceedings UNIF 2010, arXiv:1012.455
Implementing a Unification Algorithm for Protocol Analysis with XOR
Unification algorithms are central components in constraint solving procedures for security protocol analysis. For the analysis of security protocols with XOR a unification algorithm for an equational theory including ACUN is required. While such an algorithm can easily be obtained using general combination methods such methods do not yield practical unification algorithms. In this work, we present a unification algorithm for an equational theory including ACUN which performs well in practice and is well-suited as a subprocedure in constraint solving procedures for security protocols with XOR. Our algorithm contains several optimizations which make use of the specific properties of the equational theories at hand. The efficiency of our implementation is demonstrated by experimental results
Ein Beitrag zur Würdigung von Grimmelshausens Simplicius Simplicissimus
von Max TüngerthalProgr.-Nr. 42
Computational soundness for key exchange protocols with symmetric encryption
Formal analysis of security protocols based on symbolic mod-els has been very successful in finding flaws in published pro-tocols and proving protocols secure, using automated tools. An important question is whether this kind of formal analy-sis implies security guarantees in the strong sense of modern cryptography. Initiated by the seminal work of Abadi and Rogaway, this question has been investigated and numerous positive results showing this so-called computational sound-ness of formal analysis have been obtained. However, for the case of active adversaries and protocols that use sym-metric encryption computational soundness has remained a challenge. In this paper, we show the first general computational soundness result for key exchange protocols with symmetric encryption, along the lines of a paper by Canetti and Herzog on protocols with public-key encryption. More specifically, we develop a symbolic, automatically checkable criterion, based on observational equivalence, and show that a key ex-change protocol that satisfies this criterion realizes a key ex-change functionality in the sense of universal composability. Our results hold under standard cryptographic assumptions