FormaCrypt project: meeting June 19, 2009

ENS, salle INFO1, Nouvel Immeuble Rataud, level -1 (see access maps; the building is marked "Bibliotheque" on the map of ENS)

10:15 - 10:30 Welcome

10:30 - 11:00 Steve Kremer, Simulation based security in the applied pi calculus (with Stéphanie Delaune and Olivier Pereira) slides

We present a symbolic framework for refinement and composition of security protocols. The framework uses the notion of ideal functionalities. These are abstract systems which are secure by construction and which can be combined into larger systems. They can be separately refined in order to obtain concrete protocols implementing them. Our work builds on ideas from computational models such as the universally composable security and reactive simulatability frameworks. The underlying language we use is the applied pi calculus which is a general language for specifying security protocols. In our framework we can express the different standard flavours of simulation-based security which happen to all coincide. We illustrate our framework on an authentication functionality which can be realized using the Needham-Schroeder-Lowe protocol. For this we need to define an ideal functionality for asymmetric encryption and its realization. We also show a joint state result for this functionality which allows composition (even though the same key material is reused) using a tagging mechanism.

11:00 - 11:30 Graham Steel, Synthesising Secure APIs (with Véronique Cortier) slides

Security APIs are used to define the boundary between trusted and untrusted code. The security properties of existing API are not always clear. In this paper, we give a new generic API for managing symmetric keys on a trusted cryptographic device. We state and prove security properties for the API. In particular, our API offers a high level of security even when the host machine is controlled by an attacker. Our API is generic in the sense that it can implement a wide variety of (symmetric key) protocols. As a proof of concept, we give an algorithm for automatically instantiating the API commands for a given key management protocol. We demonstrate the algorithm on a set of key establishment protocols from the Clark-Jacob suite.

11:30 - 12:00 Gurvan Le Guernic, A Security-Preserving Compiler for Distributed Programs (with Cédric Fournet and Tamara Rezk) slides

This presentation/demo introduces a compiler to cryptographically secure information flows of distributed programs. We build and prove the correctness of a translation mechanism from sequential source programs to distributed target programs. The source program is a sequential program with annotations regarding the distribution of the target program. The source program uses a shared memory whose protection mechanism relies on security labels associated to variables. The translation mechanism returns a distributed program whose threads use local memory for their execution. Communication of values between threads of the target language is achieved through a shared memory of encrypted and signed values.

12:00 - 14:00 Lunch

La Truffière, 4 rue Blainville, 75005 Paris

14:00 - 14:30 Ralf Küsters, An Epistemic Approach to Coercion-Resistance for Electronic Voting Protocols (with Tomasz Truderung) slides

Coercion resistance is an important and one of the most intricate security requirements of electronic voting protocols. Several definitions of coercion resistance have been proposed in the literature, including definitions based on symbolic models. However, existing definitions in such models are rather restricted in their scope and quite complex.

In this talk, I will report about a new definition of coercion resistance in a symbolic setting, based on an epistemic approach, that we have proposed recently. Our definition is relatively simple and intuitive. It allows for a fine-grained formulation of coercion resistance and can be stated independently of a specific, symbolic protocol and adversary model. As a proof of concept, we apply our definition to three voting protocols. In particular, we carry out the first rigorous analysis of the recently proposed Civitas system. We precisely identify those conditions under which this system guarantees coercion resistance or fails to be coercion resistant. We also analyze protocols proposed by Lee et al. and Okamoto.

14:30 - 15:00 Marion Daubignard, CIL : Computational Indistinguishability Logic (with Gilles Barthe, Bruce Kapron, and Yassine Lakhnech) slides

Computational Indistinguishability Logic (CIL) is a general logic to reason about indistinguishability in presence of adaptive adversaries and oracles. Using a notion of computational frame, which is inspired from frames in the applied pi-calculus but abstracts away from many specifics of a particular language, CIL provides a powerful framework in which the security of cryptographic primitives can be established; CIL is versatile, in that it is sound (with different axioms) both in standard and idealized models and that it can be used for encryption, signature... To illustrate the power of CIL, we provide concise formal proofs of correctness for two emblematic case studies that are often used in the literature: OAEP and FDH.

15:00 - 15:30 Pascal Lafourcade, Automated Security Proof for Symmetric Encryption Modes (with Martin Gagné, Yassine Lakhnech, and Reihaneh Safavi-Naini) slides

A block cipher algorithm (e.g. AES, Blowfish, DES, Serpent and Twofish) is a symmetric key algorithm that takes a fixed size input message block and produces a fixed size output block. A mode of operation is a method of using a block cipher on an arbitrary length message. Important modes of operation are Electronic Code Book ECB, Cipher Block Chaining (CBC), Cipher FeedBack mode (CFB), Output FeedBack (OFB), and Counter mode (CTR). Modes of operations have different applications and provide different levels of security and efficiency. An important question when a mode of operation is used for encryption is the level of security that the mode provides, assuming the underlying block cipher is secure. The answer to this question is not straightforward. For example if one uses the naive ECB mode with a ``secure'' block cipher, then the encryption scheme obtained is not even IND-CPA secure. Other modes of operations preserve confidentiality only if the initial vector is chosen appropriately.

Our main contribution is to propose a compositional Hoare logic for proving IND-CPA-security of modes of operation for symmetric key block ciphers. We first notice that most of modes use a small set of operations such as xor, concatenation, and selection of random values. This allows us to introduce a simple programming language to specify encryption modes and an assertion language that allows to state invariants and axioms and rules to establish such invariants. The assertion language consists of few atomic predicates.

Transforming the Hoare logic into an (incomplete) automated verification procedure is quite standard. Indeed, we can interpret the logic as a set of rules that tell us how to propagate the invariants backwards. We were able to automatically verify IND-CPA security of several encryption modes including CBC, CFB, CTR and OFB.

15:30 - 16:00 Break

16:00 - 16:30 Bruno Blanchet, Models and Proofs of Protocol Security: A Progress Report (with Martín Abadi and Hubert Comon-Lundh) slides

We discuss progress in the verification of security protocols. Focusing on a small, classic example, we stress the use of program-like representations of protocols, and their automatic analysis in symbolic and computational models.

Bruno Blanchet, Diffie-Hellman in CryptoVerif slides

We present the formalization of Diffie-Hellman in the automatic, computationally-sound prover CryptoVerif. We begin with simple formalizations of the Decisional and Computational Diffie-Hellman assumptions, which are sufficient for studying cryptographic schemes, such as the El Gamal encryption scheme. We show why they are not sufficient for proving in CryptoVerif protocols based on Diffie-Hellman key agreements, and how to extend the formalization of the Computational Diffie-Hellman assumption to handle such protocols.

16:30 - 17:00 David Cadé, From CryptoVerif Specifications to Computationally Secure Implementations of Protocols (Work in Progress) slides

We are implementing a compiler that takes a CryptoVerif specification and generates an implementation of the protocol in OCaml. The goal of this work is to obtain implementations of security protocols proved secure in the computational model. We will prove that our compiler is correct, that is, the semantics of the generated code corresponds to the semantics of the specification. Therefore, if CryptoVerif can prove a property on the protocol, then the implementation will also satisfy this property.

The CryptoVerif specification is annotated by the user with hints about the implementation details: the user indicates how the specification is split into modules (e.g., the key generator part, the client part, and the server part), the files that will store data shared between several modules, the name of the OCaml functions corresponding to the cryptographic primitives, and the size of the random numbers. The compiler generates code for each module. For each step of the protocol, inputting a message and outputting the response, the compiler generates a function that takes the received message as argument and returns the response. These functions can then be called by a manually implemented network layer, which can be considered as part of the adversary, so we need not make any security assumptions on it. On the other hand, the CryptoVerif specification makes security assumptions on the cryptographic primitives. We do not verify that the OCaml implementation of these primitives satisfies these assumptions: they still need to be proved manually, but the CryptoVerif specification states precisely what has to be proved.

17:00 - Short business meeting


Page maintained by Bruno Blanchet