Presentation is loading. Please wait.

Presentation is loading. Please wait.

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague Partially supported by.

Published byOsborne Dickerson Modified over 9 years ago

Similar presentations

Presentation on theme: "Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague Partially supported by."— Presentation transcript:

1 Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague Partially supported by ONR CIP/SW URI

2 Outline Security protocols uResearch goals uSpecific process calculus Probabilistic semantics & complexity Asymptotic equivalence & bisimulation Equational proof system Examples –Computational indistinguishability –Decision Diffie-Hellman & ElGamal encryption

3 Protocol security uCryptographic Protocol Program distributed over network Use cryptography to achieve goal uAttacker Intercept, replace, remember messages Guess random numbers, some computation uCorrectness Attacker cannot learn protected secret or cause incorrect conclusion

4 IKE subprotocol from IPSEC A, (g a mod p) B, (g b mod p) Result: A and B share secret g ab mod p AB m1 m2, signB(m1,m2) signA(m1,m2) Analysis involves probability, modular exponentiation, complexity, digital signatures, communication networks

5 Compositionality uConfidentiality A  B: encrypt KB (msg) uAuthentication A  B: sign KA (msg) uComposition A  B: encrypt KB (msg), sign KA (msg) Broken! sign KA (msg) can leak info abt. msg Right way: encrypt KB (msg), sign KA (cipher)

6 Standard analysis methods uModel-checking (finite state analysis) uAutomated theorem provers Symbolic search of protocol runs Correctness proofs in formal logic (Dolev-Yao) uComputational model Consider probability and complexity –More realistic intruder model –Interaction between protocol and cryptography Harder Easier

7 Outline uSecurity protocols Research goals uSpecific process calculus Probabilistic semantics & complexity Asymptotic equivalence & bisimulation Equational proof system Examples –Computational indistinguishability –Decision Diffie-Hellman & ElGamal encryption

8 Language approach uWrite protocol in process calculus Dolev-Yao model uExpress security using observational equivalence Standard relation from programming language theory P  Q iff for all contexts C[ ], same observations about C[P] and C[Q] Inherently compositional Context (environment) represents adversary uUse proof rules for  to prove security Protocol is secure if no adversary can distinguish it from some idealized version of the protocol Roscoe ‘95, Schneider ‘96, Abadi-Gordon’97

9 Probabilistic poly-time process calculus uProbabilistic polynomial-time execution model uSpecify security via equivalence to “ideal” protocol uAlso state cryptographic assumptions via equivalences uLeads to new proof system Equational reasoning Based on probabilistic bisimulation, asymptotic equivalence uConnections with modern crypto Characterize computational indistinguishability Formal derivation of semantic security from computational assumption DDH (both stated as equations) and vice versa (indistinguishability of encryptions)

10 Outline uSecurity protocols uResearch goals Specific process calculus Probabilistic semantics & complexity Asymptotic equivalence & bisimulation Equational proof system Examples –Computational indistinguishability –Decision Diffie-Hellman & ElGamal encryption

11 Syntax uBounded CCS with integer terms P :: = 0 | out(c q(|n|),T). P send up to q(|n|) bits | in(c q(|n|),x). P receive |  c q(|n|).(P) private channel | [T=T] P test | P | P parallel composition | ! q(|n|). P bounded replication Terms may contain symbol n; channel width and replication bounded by poly in |n| Expressions have size poly in |n|

12 Evaluation uReduction Evaluate unguarded terms and matches Local computation embodied in terms uScheduling Probabilistically pick a type of action uCommunication Pick a particular action of the chosen type uniformly at random During an actual run only pick input/output actions.

13 Nondeterminism vs probabilism uAlice encrypts msg and sends to Bob A  B: { msg } K uAdversary uses nondeterminism Process E 0 out(c,0) | … | out(c,0) Process E 1 out(c,1) | … | out(c,1) Process E in(c, b 1 )....in(c, b n ).out(d,b 1 b 2...b n, msg) In reality, at most 2 -n chance to guess n-bit key

14 Complexity results uPolynomial time For each closed process expression P, there is a polynomial q(x) such that –For all n –For all probabilistic polynomial-time schedulers eval of P halts in time q(|n|)

15 Outline uSecurity protocols uResearch goals uSpecific process calculus Probabilistic semantics & complexity Asymptotic equivalence & bisimulation Equational proof system Examples –Computational indistinguishability –Decision Diffie-Hellman & ElGamal encryption

16 How to define process equivalence? uIntuition | Prob{ C[ P ]  o } - Prob{ C[ Q ]  o } | <  uDifficulty How do we choose  ? –Less than 1/2, 1/4, … ? (not equiv relation) –Vanishingly small ? As a function of what? uSolution Use security parameter –Protocol is family { P n } n>0 indexed by key length Asymptotic form of process equivalence P  Q if for all polynomials p, observables  < 1/p(n)

17 One way to get equivalences uLabeled transition system Allow process to send any output, read any input Label with numbers “resembling probabilities” uProbabilistic bisimulation relation Relation  ~ on processes If P ~ Q and P P’, then exists Q’ with Q Q’ and P’ ~ Q’, and vice versa Reactive form of bisimulation (scheduling) van Glabbeek, Smolka, Steffen ‘95 r r

18 Outline uSecurity protocols uResearch goals uSpecific process calculus Probabilistic semantics & complexity Asymptotic equivalence & bisimulation Equational proof system Examples –Computational indistinguishability –Decision Diffie-Hellman & ElGamal encryption

19 Provable equivalences Assume scheduler is stable under bisimulation u P ~ Q  C[P] ~ C[Q] u P ~ Q  P  Q u P | (Q | R)  (P | Q) | R u P | Q  Q | P u P | 0  P

20 Provable equivalences u P   c. ( out(c,T) | in(c,x).P) x  FV(P) u P{a/x}   c. ( out(c,a) | in(c,x).P) bandwidth of c large enough u P  0 if no public channels in P u P  Q  P{d/c}  Q{d/c} c, d same bandwidth, d fresh u out(c,T)  out(c,T’) Prob[T  a] = Prob[T’  a] all a

21 Outline uSecurity protocols uResearch goals uSpecific process calculus Probabilistic semantics & complexity Asymptotic equivalence & bisimulation Equational proof system Examples –Computational indistinguishability –Decision Diffie-Hellman & ElGamal encryption

22 Computational indistinguishability uT(i,n), T’(i,n) terms in the calculus T, T’ represent uniform prob. poly-time function ensembles f i, g i : { }  {0,1} q(|n|) u out(c,T)  out(c,T’) says exactly that the function ensembles f i, g i are indistinguishable by prob. poly-time statistical tests uYao ’82: fundamental notion in crypto

23 Outline uSecurity protocols uResearch goals uSpecific process calculus Probabilistic semantics & complexity Asymptotic equivalence & bisimulation Equational proof system Examples –Computational indistinguishability –Decision Diffie-Hellman & ElGamal encryption

24 Connections with modern crypto uCiphersystem consists of three parts Key generation Encryption (often probabilistic) Decryption Formal derivation of semantic security of ElGamal from DDH and vice versa –Well known fact in crypto [Tsiounis & Yung ’98]

25 ElGamal cryptosystem un security parameter (e.g., key length) G n cyclic group of prime order p, length of p roughly n, g generator of G n uKeys public  g, y , private  g, x  s.t. y = g x uEncryption of m  G n for random k  {0,..., p-1} outputs  g k, m y k  uDecryption of  v, w  is w (v x ) -1 For v = g k, w = m y k get w (v x ) -1 = m y k / g kx = m g xk / g kx = m

26 Semantic security uKnown equivalent: indistinguishability of encryptions adversary can’t tell from the traffic which of the two chosen messages has been encrypted ElGamal:  1 n, g k, m y k    1 n, g k’, m’ y k’  u In case of ElGamal known to be equivalent to DDH [Tsiounis-Yung] uFormally derivable using the proof rules

27 Decision Diffie-Hellman (DDH) uStandard crypto assumption u n security parameter (e.g., key length) G n cyclic group of prime order p, length of p roughly n, g generator of G n u For random a, b, c  {0,..., p-1}  g a, g b, g ab    g a, g b, g c 

28 DDH implies sem. sec. of ElGamal uStart with  g a, g b, g ab    g a, g b, g c  (random a,b,c) uBuild up statement of sem. sec. from this. in(c, ).out(c,  g r, x.g rx  )  in(c, ).out(c,  g r, y.g rx  ) uThe proof consists of Structural transformations –E.g., out(c,T(r); r random)  out(c,U(r)) (any r) implies in(c,x).out(c,T(x) )  in(c,x).out(c,U(x) ) Domain-specific axioms –E.g., out(c,  g a, g b, g ab  )  out(c,  g a, g b, g c  ) implies out(c,  g a, g b, Mg ab  )  out(c,  g a, g b, Mg c  ) (any M)

29 Sem. sec. of ElGamal implies DDH uHarder direction. Compositionality of  makes ‘building up’ easier than breaking down. uWant to go from in(c, ).out(c,  g r,x.g rx  )  in(c, ).out(c,  g r, y.g rx  ) to  g x, g r, g rx    g x, g r, g c  uProof idea: if x = 1, then we essentially have DDH. uThe proof ’constructs’ a DDH tuple by Hiding all public channels except the output challenge Setting a message to 1 uNeed structural rule equating a process with the term simulating the process We use special case where process only has one public output

30 Current State of Project uCompositional framework for protocol analysis Precise language for studying security protocols Replace nondeterminism with probability Equivalence based on ptime statistical tests uProbabilistic ptime language uMethods for establishing equivalence Probabilistic bisimulation technique uNotion of compositionality uExamples Decision Diffie-Hellman, semantic security, ElGamal encryption, computational indistinguishability

31 Conclusion uFuture work Simplify semantics Weaken bisimulation technique to generate asymptotic equivalences Apply to more complex protocols –Bellare-Rogaway, Oblivious Transfer, Computational Zero Knowledge, … Studying various models of compositionality for security protocols (WITS ‘04) –Canetti (ITMs), Pfitzmann-Waidner (IOAs)

32 Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague Partially supported by ONR CIP/SW URI

Download ppt "Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague Partially supported by."

Similar presentations

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis John Mitchell Stanford University P. Lincoln, M. Mitchell, A. Ramanathan,

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis John Mitchell Stanford University P. Lincoln, M. Mitchell, A. Ramanathan,
Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.

Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.
7. Asymmetric encryption-

7. Asymmetric encryption-
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Soundness And Completeness of Formal Logics of Symmetric Encryption ** Andre Scedrov ** University of Pennsylvania **Gergei Bana ** University of Pennsylvania.

Soundness And Completeness of Formal Logics of Symmetric Encryption ** Andre Scedrov ** University of Pennsylvania **Gergei Bana ** University of Pennsylvania.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Mateus P. Lincoln, M.

Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Mateus P. Lincoln, M.
Complexity and Cryptography

Complexity and Cryptography
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Computational and Information- Theoretic Soundness and Completeness of the Expanded Logics of Formal Encryption ** Andre Scedrov ** University of Pennsylvania.

Computational and Information- Theoretic Soundness and Completeness of the Expanded Logics of Formal Encryption ** Andre Scedrov ** University of Pennsylvania.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Similar presentations

Ads by Google