Guessing attacks and the computational soundness of static equivalence

The indistinguishability of two pieces of data (or two lists of pieces of data) can be represented formally in terms of a relation called static equivalence. Static equivalence depends on an underlying equational theory. The choice of an inappropriate equational theory can lead to overly pessimistic or overly optimistic notions of indistinguishability, and in turn to security criteria that require protection against impossible attacks or—worse yet—that ignore feasible ones. In this paper, we define and justify an equational theory for standard, fundamental cryptographic operations. This equational theory yields a notion of static equivalence that implies computational indistinguishability. Static equivalence remains liberal enough for use in applications. In particular, we develop and analyze a principled formal account of guessing attacks in terms of static equivalence.
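The formal account of guessing attacks that the abstract refers to is usually phrased as a static-equivalence question: a guess at the password can be verified off-line exactly when the frame with the guess bound to the real password is distinguishable from the frame with the guess bound to a fresh name. The Python toy below, added here and not the paper's code, makes that concrete with a bounded static-equivalence check, and also shows the abstract's point that the equational theory matters: with encryption modelled only by dec(enc(m,k),k)=m the check reports a spurious attack on a single ciphertext, while adding enc(dec(c,k),k)=c (the cipher as a permutation) removes it. The theory, the frame encoding, the handle names x, y, g, the fresh-name convention and the depth bound are all my assumptions for illustration.

```python
from itertools import product
# Added toy model, not the paper's code: symbolic frames, an equational theory for
# symmetric encryption and pairing, and a bounded static-equivalence check used to
# decide whether an off-line guess at a password can be verified.
UNARY, BINARY = ('fst', 'snd'), ('enc', 'dec', 'pair')
def normalize(t, permutation=True):
    # Rules: dec(enc(m,k),k)=m, fst(pair(a,b))=a, snd(pair(a,b))=b and, when the
    # cipher is modelled as a permutation on its domain, also enc(dec(c,k),k)=c.
    if isinstance(t, str):                        # private name or frame handle
        return t
    f, *a = t
    a = [normalize(s, permutation) for s in a]
    inner = a[0] if isinstance(a[0], tuple) else (None,)
    if f == 'dec' and inner[0] == 'enc' and inner[2] == a[1]:
        return inner[1]
    if f == 'enc' and permutation and inner[0] == 'dec' and inner[2] == a[1]:
        return inner[1]
    if f in UNARY and inner[0] == 'pair':
        return inner[1 if f == 'fst' else 2]
    return (f, *a)

def apply(r, frame):                              # handles map to frame terms
    return frame.get(r, r) if isinstance(r, str) else (r[0], *(apply(s, frame) for s in r[1:]))

def recipes(handles, depth):                      # attacker terms nested up to depth
    rs = list(handles)
    for _ in range(depth):
        base = list(rs)
        rs += [(f, t) for f in UNARY for t in base]
        rs += [(f, s, t) for f in BINARY for s, t in product(base, base)]
    return rs

def distinguishing_test(f1, f2, depth=2, permutation=True):
    # Equivalent up to depth iff normal forms under f1 and f2 correspond bijectively.
    seen1, seen2 = {}, {}
    for r in recipes(sorted(f1), depth):
        n1, n2 = (normalize(apply(r, f), permutation) for f in (f1, f2))
        if n1 in seen1 and seen1[n1][1] != n2:    # M = N holds under f1 only
            return seen1[n1][0], r
        if n2 in seen2 and seen2[n2][1] != n1:    # M = N holds under f2 only
            return seen2[n2][0], r
        seen1.setdefault(n1, (r, n2)); seen2.setdefault(n2, (r, n1))
    return None

def guess_verifiable(frame, secret, depth=2, permutation=True):
    # Guess g bound to the real secret vs. to a fresh name: a test confirms the guess.
    real, wrong = dict(frame, g=secret), dict(frame, g=secret + '_fresh')
    return distinguishing_test(real, wrong, depth, permutation)

RESISTANT = {'x': ('enc', 'n', 'pw')}             # constructed: private n, pw; only {n}_pw sent
VERIFIABLE = {'x': ('enc', 'n', 'pw'), 'y': 'n'}  # constructed: the nonce n is later revealed
```

For VERIFIABLE the check returns the classic verifiable-text test (re-encrypt the revealed nonce under the guess and compare with the observed ciphertext); for RESISTANT it returns None under the permutation theory but reports enc(dec(x,g),g) = x as a false attack when that equation is dropped.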
