IPDL: A Probabilistic Dataflow Logic for Cryptography

While there have been many successes in verifying cryptographic security proofs of noninteractive primitives such as encryption and signatures, less attention has been paid to interactive cryptographic protocols. Interactive protocols introduce the additional verification challenge of concurrency, which is notoriously hard to reason about in a cryptographically sound manner. When proving the (approximate) observational equivalence of protocols, as is required by simulation-based security in the style of Universal Composability (UC), a bisimulation is typically performed in order to reason about the nontrivial control flows induced by concurrency. Unfortunately, bisimulations are typically very tedious to carry out manually and do not capture the high-level intuitions which guide informal proofs of UC security on paper. Because of this, there is currently a large gap of formality between proofs of cryptographic protocols on paper and in mechanized theorem provers. We work towards closing this gap through a new methodology for iteratively constructing bisimulations in a manner close to on-paper intuition. We present this methodology through Interactive Probabilistic Dependency Logic (IPDL), a simple calculus and proof system for specifying and reasoning about (a certain subclass of) distributed probabilistic computations. The IPDL framework exposes an equational logic on protocols; proofs in our logic consist of a number of rewriting rules, each of which induces a single low-level bisimulation between protocols. We show how to encode simulation-based security in the style of UC in our logic, and evaluate our logic on a number of case studies; most notably, a semi-honest secure Oblivious Transfer protocol, and a simple multiparty computation protocol robust to Byzantine faults. Due to the novel design of our logic, we are able to deliver mechanized proofs of protocols which we believe are comprehensible to cryptographers without verification expertise.
We provide a mechanization in Coq of IPDL and all case studies presented in this work.
