1 © IBM, 2003-2004 A Reactively Secure Dolev-Yao-style Cryptographic Library DIMACS, June 2004 Michael Backes, Birgit Pfitzmann, Michael Waidner IBM Research,

Presentation transcript:

1 A Reactively Secure Dolev-Yao-style Cryptographic Library. DIMACS, June 2004. Michael Backes, Birgit Pfitzmann, Michael Waidner, IBM Research, Zurich

2 The Big Picture
- Designed by CAD
- Verified by CAV
- Idealized crypto given (signature, hash function, encryption, key establishment): but can we justify it?

3 Limits of Automation
- Full arithmetic is out
- Probability theory just developing
- So how do current tools handle cryptography?

4 Dolev-Yao Model
- Idea [DY81]
  - Abstraction as term algebras, e.g., D_x(E_x(E_x(m)))
  - Cancelation rules, e.g., D_x E_x = ε
- Well-developed proof theories
  - Abstract data types
  - Equational 1st-order logic
- Important for security proofs: inequalities! (Everything that cannot be derived.) Known as "initial model"
- Important goal: justify or replace
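The cancelation rule and the role of inequalities on this slide, as an added example that is not part of the original deck. The tuple encoding of terms, the function names and the constructed scenario (every E operator public, each party holding only its own D) are assumptions, and the search is bounded, so a negative answer holds only up to `max_steps`.

```python
def normalize(term):
    """Apply the cancelation rule D_x(E_x(t)) = t, innermost first."""
    if isinstance(term, str):                 # atom such as the message m
        return term
    op, key, body = term
    body = normalize(body)
    if op == "D" and isinstance(body, tuple) and body[:2] == ("E", key):
        return body[2]
    return (op, key, body)

def derivable(observed, operators, goal, max_steps=4):
    """Bounded search: apply the adversary's operators to what it has seen."""
    known = {normalize(t) for t in observed}
    for _ in range(max_steps):
        known |= {normalize((op, key, t)) for op, key in operators for t in known}
    return normalize(goal) in known

# Constructed scenario: adversary z observes E_x(m) on the network.
SEEN = {("E", "x", "m")}
PUBLIC = {("E", "x"), ("E", "z"), ("D", "z")}   # assumption: all E public, only own D

def demo():
    return (
        normalize(("D", "x", ("E", "x", ("E", "x", "m")))),  # the slide's example term
        derivable(SEEN, PUBLIC, "m"),                        # inequality: m is not derivable
        derivable(SEEN, PUBLIC | {("D", "x")}, "m"),         # with D_x the rule fires
    )
```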

5 Dolev-Yao Model – Variants [Ours]
- Operators and equations: sym enc, pub enc, nonce, payload, pairing, sigs, ...
- Inequalities assumed across operators!
- Untyped or typed
- Destructors explicit or implicit
- Abstraction from probabilism: finite selection, counting, multisets
- Surrounding protocol language: special-purpose, CSP, pi-calculus, ... [any]
[Figure: example term built from sign, E, pk', pairing (, ), pk, m, N]
[EG82, M83, EGS85...]

6 Overview of Our Approach
- Precise system model allowing cryptographic and abstract operations
- "As secure as" with composition theorem
- Preservation theorems for security properties
- Concrete pairs of idealizations and secure realizations. In particular: Dolev-Yao style cryptographic library
- Detailed proofs
- Poly-time, cryptographic bisimulations with static information flow analysis, …

7 Other Work on DY Justification
- [AR00, AJ01, L01]: symmetric encryption, passive
- [HLM03]: public-key encryption, passive
- [MW04]: public-key encryption, much more restricted, slightly more efficient
- [L04]: active symmetric encryption (earlier than ours)

8 Reactive Simulatability
- Idea: Whatever happens with real system could also happen with ideal system.
[Figure: real system with machines M1, M2, users H and adversary A; ideal system with TH, users H and adversary A']
- Indistinguishability of random variables view_real(H) and view_ideal(H)
[Y82, GMW87, GM95, LMMS98, HM00, PW00, PW01, C01, …]

9 Composition
- Given: [figure]
- Does this hold? [figure]
- And transitivity

10 Cryptographic Idealization Layers
[Figure: layer diagram. Labels, in extraction order: Encryption as E(pk, 1^len(m)); Secure channels; Small real abstractions [LMMS98, PW00, C01, ...]; Low-level crypto (not abstract); Auth/sigs as statement database; Real auth/sigs + integrity lookup; Larger abstractions [PW00, PW01, CK02, BJP02, ...]; Certified mail ... [PSW00]; Normal cryptographic definitions; [LMMS98, C01, ...]; [GM95]; [BPW03...]; Related: [SM93, P93], [CL01]; VSS; Credentials ...]

11 Dolev-Yao-style Crypto Abstractions
- Recall: Term algebra, inequalities
- Major tasks:
  - Represent ideal and real library in the same way to higher protocols
  - Prevent honest users from stupidity with real crypto objects, but don't restrict adversary. E.g., sending a bitstring that's almost a signature
  - What imperfections are tolerable / must be allowed?

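12 Ideal Cryptographic Library
[Figure: TH connected to users U, V and adversary A; term database with Term 1, Term 2, Term 3 built from E, pk, m; not globally known]
- Commands, payloads, terms?
- Payloads / test results, terms?
- Handles
- No crypto outputs!
- Deterministic!
[Handle table for U, V, A; entries in extraction order: T_u,2, T_v,1, T_a,1, T_u,3, -, T_u,1, -]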

13 Ideal Cryptographic Library (2)
[Figure: TH connected to users U, V and adversary A; term database with Term 1, Term 2, Term 3 and a new Term 4, built from E, pk, m]
- T_u,4 ← encrypt(T_u,1, T_u,3)
- get_type(T_v,2)
- T_v,3 := decrypt(...)
- received(U, T_v,2)
- send(V, T_u,4)
[Handle table for U, V, A; entries in extraction order: T_u,2, T_v,1, T_a,1, T_u,3, -, T_u,1, -]

14 Main Differences to Dolev-Yao
Tolerable imperfections:
- Lengths of encrypted messages cannot be kept secret
- Adversary may include incorrect messages inside encryptions
- Signature schemes can have memory
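A toy model of the handle interface from slides 12 to 14, as an added example that is not the authors' library. The class, its method names other than `encrypt`, `decrypt`, `send` and `get_type`, the restriction to payload plaintexts and the rule that every `send` also hands adversary "A" a handle are assumptions made here.

```python
class IdealLibrary:
    """Toy TH: one global term table, one private handle table per party."""
    def __init__(self, parties):                      # parties must include "A"
        self.terms = []                               # index -> (type, args)
        self.handles = {p: {} for p in parties}       # party -> {handle: index}

    def _handle(self, party, index):
        table = self.handles[party]
        if index not in table.values():               # deterministic: one handle per term
            table[len(table) + 1] = index
        return next(h for h, i in table.items() if i == index)

    def _new(self, party, typ, *args):
        self.terms.append((typ, args))
        return self._handle(party, len(self.terms) - 1)

    def _index(self, party, h, typ):
        index = self.handles[party][h]                # KeyError: party holds no such handle
        if self.terms[index][0] != typ:
            raise TypeError(f"handle {h} is not of type {typ}")
        return index

    def store(self, party, payload):
        return self._new(party, "payload", payload)
    def gen_enc_keypair(self, party):
        sk = self._new(party, "sk")
        return sk, self._new(party, "pk", self.handles[party][sk])
    def encrypt(self, party, pk_h, m_h):              # payload plaintexts only (simplification)
        return self._new(party, "enc", self._index(party, pk_h, "pk"),
                         self._index(party, m_h, "payload"))

    def decrypt(self, party, sk_h, c_h):
        pk, m = self.terms[self._index(party, c_h, "enc")][1]
        if self.terms[pk][1][0] != self._index(party, sk_h, "sk"):
            raise PermissionError("secret key does not match")
        return self._handle(party, m)

    def send(self, sender, receiver, h):              # insecure channel: A gets a handle too
        index = self.handles[sender][h]
        self._handle("A", index)
        return self._handle(receiver, index)

    def get_type(self, party, h):
        return self.terms[self.handles[party][h]][0]
    def get_len(self, party, h):                      # tolerable imperfection: length leaks
        _, m = self.terms[self._index(party, h, "enc")][1]
        return len(self.terms[m][1][0])
    def retrieve(self, party, h):                     # only payloads ever leave TH
        return self.terms[self._index(party, h, "payload")][1][0]
```

Parties only ever hold small integer handles; the adversary can ask for the type and plaintext length of a ciphertext it saw, but `retrieve` on it raises `TypeError`.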

15 Real Cryptographic Library
[Figure: real system with users U, V and adversary A; bitstrings such as c_1 reach A]
- Commands, payloads, handles
- Payloads / test results, handles
- pk; c_1 ← E(pk, m); c_2 ← E(pk, m)
- No crypto outputs!
- Bitstrings

16 Main Additions to Given Cryptosystems
- Standard model, standard assumptions
- Type tags
- Tagging with keys
- Additional randomization (e.g., needed when correct machines use A's keys)

17 Proof of Correct Simulation (2)
- Probabilistic bisimulations
- Combined system
- With error sets (of runs)
- With info-flow analysis
- Reduction proofs for collisions, guesses, forgeries

18 Summary
- Needham-Schroeder-Lowe (hand-proved)
- sometimes better
- TBD: Tool proof; more primitives & variants