Random Polynomial-Time Attacks and Dolev-Yao Models

For several decades, two different communities have been working on the formal security of cryptographic protocols. Many recent efforts aim to benefit from both approaches, in brief: the comprehensiveness of computational models and the automatability of formal methods. The purpose of this paper is to investigate an original approach to relating the two views, namely extending existing Dolev-Yao models to account for random polynomial-time (Las Vegas) computability. We first observe that Dolev-Yao models can be seen as transition systems, possibly infinite ones. We then extend these transition systems with computation times and probabilities. The extended models account for the standard Dolev-Yao transitions as well as for nonstandard operations such as inverting a one-way function. Our main contribution consists of showing that, under sufficiently realistic assumptions, the extended models are equivalent to standard Dolev-Yao models as far as security is concerned. Our work thus enlarges the scope of existing decision procedures.
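The abstract describes Dolev-Yao deduction as a transition system over the intruder's knowledge, with each transition labelled by a computation time and a success probability, and a nonstandard transition such as inverting a one-way function alongside the usual ones. The following toy implementation is an added illustration of that view, not code from the paper: knowledge sets are states, decomposition rules are transitions, and each rule carries a polynomial-time flag and a success probability. The term encoding, the rule set, the `NEGLIGIBLE` cut-off, the `2**-128` success probability assigned to the hash-inversion rule and the sample intruder states are all assumptions made for the example. Pruning transitions whose probability is below the cut-off is the example's own way of showing why, for a realistic threshold, the extended model reaches the same verdict as the standard one.

```python
"""Toy Dolev-Yao intruder deduction as a transition system over knowledge sets.

Added illustration, not code from the paper. Terms are nested tuples:
  atom            'n_a', 'k_ab', ...
  pair            ('pair', a, b)
  symmetric enc   ('enc', m, k)
  one-way hash    ('hash', m)
Each rule carries the labels of the extended model: a polynomial-time flag and
a success probability. Standard Dolev-Yao rules are (poly, 1.0); inverting the
one-way function is a Las-Vegas-style rule with an assumed negligible success
probability. All numeric values here are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List, Optional, Tuple

Term = object                      # a str atom or a tuple
NEGLIGIBLE = 2.0 ** -80            # assumed cut-off below which a transition is treated as unavailable


@dataclass(frozen=True)
class Rule:
    name: str
    apply: Callable[[Term, FrozenSet[Term]], Optional[Term]]  # (known term, knowledge) -> derived term or None
    poly_time: bool
    success_prob: float


def _is(t: Term, tag: str) -> bool:
    return isinstance(t, tuple) and t[0] == tag


RULES: List[Rule] = [
    Rule("unpair_l", lambda t, K: t[1] if _is(t, "pair") else None, True, 1.0),
    Rule("unpair_r", lambda t, K: t[2] if _is(t, "pair") else None, True, 1.0),
    Rule("decrypt", lambda t, K: t[1] if _is(t, "enc") and t[2] in K else None, True, 1.0),
    # Nonstandard transition: recover the preimage of the one-way function.
    # 2**-128 is an assumed success probability for one poly-time attempt on a 128-bit preimage.
    Rule("invert_hash", lambda t, K: t[1] if _is(t, "hash") else None, True, 2.0 ** -128),
]


def analyze(knowledge: Iterable[Term],
            allow_negligible: bool = False) -> Tuple[FrozenSet[Term], List[Tuple[str, Term, Term]]]:
    """Saturate the knowledge set with decomposition rules.

    Returns the closure and the trace of transitions (rule, source term, derived term).
    With allow_negligible=False, transitions with negligible success probability are pruned,
    which is what makes the closure coincide with the standard Dolev-Yao one.
    """
    K = set(knowledge)
    trace: List[Tuple[str, Term, Term]] = []
    changed = True
    while changed:
        changed = False
        for t in list(K):
            for r in RULES:
                if not r.poly_time:
                    continue
                if r.success_prob < NEGLIGIBLE and not allow_negligible:
                    continue
                new = r.apply(t, frozenset(K))
                if new is not None and new not in K:
                    K.add(new)
                    trace.append((r.name, t, new))
                    changed = True
    return frozenset(K), trace


def synthesize(K: FrozenSet[Term], goal: Term) -> bool:
    """Composition rules (pair, encrypt, hash): can the intruder build `goal` from K?"""
    if goal in K:
        return True
    if _is(goal, "pair") or _is(goal, "enc"):
        return synthesize(K, goal[1]) and synthesize(K, goal[2])
    if _is(goal, "hash"):
        return synthesize(K, goal[1])
    return False


def derivable(knowledge: Iterable[Term], goal: Term, allow_negligible: bool = False) -> bool:
    """Secrecy check: True if some sequence of transitions lets the intruder obtain `goal`."""
    K, _ = analyze(knowledge, allow_negligible)
    return synthesize(K, goal)


# Constructed sample intruder states (not taken from any real protocol trace).
ONLY_HASH = [("enc", "n_a", "k_ab"), ("hash", "k_ab")]
LEAKED_KEY = [("pair", ("enc", "n_a", "k_ab"), ("enc", "k_ab", "k_i")), "k_i"]

if __name__ == "__main__":
    print("realistic model, hash only :", derivable(ONLY_HASH, "n_a"))        # False
    print("negligible allowed         :", derivable(ONLY_HASH, "n_a", True))  # True
    print("realistic model, leaked key:", derivable(LEAKED_KEY, "n_a"))       # True
    print("transitions taken          :", analyze(LEAKED_KEY)[1])
```

In the first state the only route to `n_a` goes through the hash-inversion transition, so the standard model and the extended model with a realistic cut-off both report the nonce secret, while the extended model with negligible transitions admitted reports it derivable. In the second state the nonce is reachable through ordinary unpair and decrypt transitions alone, and every variant agrees.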
