Soundness and Completeness of Formal Logics of Symmetric Encryption

In the last two decades, two major directions in cryptography have developed: the formal and the computational. The formal approach uses a simple, manageable formal language to describe cryptographic protocols; it is amenable to automation and suitable for computer tools, but its accuracy is often unclear. The computational approach is harder to handle mathematically, involves probability theory and takes limits on computing power into account; its proofs are done by hand, but it is more accurate and hence widely accepted. Much effort has gone into bridging the gap between the two views, starting with Martín Abadi and Phillip Rogaway in 2000 and followed by many others. These approaches are inspiring, but they are worked out only for specific settings and lack generality. Our aim is to give a complete, general analysis of the original Abadi-Rogaway (AR) approach, including applications to specific settings. The AR approach has three important ingredients: a formal language together with an equivalence notion on formal expressions; a computational cryptosystem together with the notion of computational equivalence (indistinguishability) of ensembles of probability distributions; and an interpretation function that assigns to each formal expression an ensemble of distributions. We say that the interpretation satisfies soundness if equivalence of formal expressions implies computational equivalence of their interpretations, and satisfies completeness if computational equivalence of the interpretations implies equivalence of the expressions. The language of the AR logic uses a box as formal notation for indecipherable strings, that is, ciphertexts whose key the adversary cannot recover from the expression, and formal equivalence is defined through these boxes. We expand the logic by considering different kinds of boxes, corresponding to equivalence classes of formal ciphers. We consider not only computational but also purely probabilistic, information-theoretic interpretations.
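The formal side of the AR approach (recoverable keys, patterns with boxes, and equivalence up to renaming of keys) is small enough to write down in full. The following Python is an added illustration written for this page, not code from the thesis or from Abadi and Rogaway; the tuple encoding of expressions and the box labels "type0" (one anonymous box for every unopenable ciphertext, the original AR box) and "type2" (a box tagged with the encrypting key, the which-key-revealing case named in the abstract) are choices made here, and the sample expressions are constructed.

```python
"""Abadi-Rogaway style formal expressions, their patterns, and formal equivalence.

Expressions are nested tuples (a constructed encoding, not the thesis's syntax):
    ("key", name)        a key symbol such as ("key", "K")
    ("bit", b)           a constant bit, b in {0, 1}
    ("pair", e1, e2)     concatenation of two expressions
    ("enc", name, e)     e encrypted under the key called `name`

Two box conventions are supported (labels chosen for this example):
    "type0"  one anonymous box for every ciphertext the adversary cannot open
    "type2"  a box tagged with the encrypting key ("which-key revealing")
"""
from itertools import count


def key(name):
    return ("key", name)


def bit(b):
    return ("bit", b)


def pair(left, right):
    return ("pair", left, right)


def enc(name, payload):
    return ("enc", name, payload)


def _readable_keys(expr, known):
    """Keys visible in `expr` when the keys in `known` may be used to decrypt."""
    kind = expr[0]
    if kind == "key":
        return {expr[1]}
    if kind == "bit":
        return set()
    if kind == "pair":
        return _readable_keys(expr[1], known) | _readable_keys(expr[2], known)
    if kind == "enc":
        return _readable_keys(expr[2], known) if expr[1] in known else set()
    raise ValueError(f"unknown expression kind {kind!r}")


def recoverable_keys(expr):
    """Least fixpoint: every key an eavesdropper can recover from `expr` alone."""
    known = set()
    while True:
        found = _readable_keys(expr, known)
        if found <= known:
            return known
        known |= found


def pattern(expr, known, box_kind="type0"):
    """Replace every ciphertext whose key is not in `known` by a box."""
    kind = expr[0]
    if kind in ("key", "bit"):
        return expr
    if kind == "pair":
        return ("pair", pattern(expr[1], known, box_kind),
                pattern(expr[2], known, box_kind))
    if kind == "enc":
        if expr[1] in known:
            return ("enc", expr[1], pattern(expr[2], known, box_kind))
        return ("box",) if box_kind == "type0" else ("box", expr[1])
    raise ValueError(f"unknown expression kind {kind!r}")


def _fresh_name(name, renaming, counter):
    if name not in renaming:
        renaming[name] = f"K{next(counter)}"
    return renaming[name]


def _canonical(pat, renaming, counter):
    """Rename keys in order of first occurrence, so that equality of canonical
    forms is exactly equality up to a bijective renaming of keys."""
    kind = pat[0]
    if kind == "bit":
        return pat
    if kind == "key":
        return ("key", _fresh_name(pat[1], renaming, counter))
    if kind == "pair":
        left = _canonical(pat[1], renaming, counter)
        return ("pair", left, _canonical(pat[2], renaming, counter))
    if kind == "enc":
        name = _fresh_name(pat[1], renaming, counter)
        return ("enc", name, _canonical(pat[2], renaming, counter))
    if kind == "box":
        return pat if len(pat) == 1 else ("box", _fresh_name(pat[1], renaming, counter))
    raise ValueError(f"unknown pattern kind {kind!r}")


def equivalent(m, n, box_kind="type0"):
    """Formal equivalence: the two patterns coincide up to renaming of keys.
    Caveat: the AR soundness theorem also assumes key-acyclic expressions;
    this function does not check acyclicity."""
    pm = pattern(m, recoverable_keys(m), box_kind)
    pn = pattern(n, recoverable_keys(n), box_kind)
    return _canonical(pm, {}, count()) == _canonical(pn, {}, count())


if __name__ == "__main__":
    # Constructed sample expressions: {0}_K {1}_K versus {0}_K {1}_L, K and L unknown.
    same_key = pair(enc("K", bit(0)), enc("K", bit(1)))
    two_keys = pair(enc("K", bit(0)), enc("L", bit(1)))
    print(equivalent(same_key, two_keys, "type0"))  # True: both are (box, box)
    print(equivalent(same_key, two_keys, "type2"))  # False: (box_K, box_K) vs (box_K, box_L)
```

The last two lines show why the kind of box matters: with the anonymous box the two expressions have the same pattern, while a which-key-revealing box records that the second expression uses two different keys, so a cryptosystem that leaks which key was used must be paired with the finer equivalence for soundness to have a chance.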
We establish soundness and completeness for specific interpretations not covered in earlier work: a purely probabilistic one that interprets formal expressions in the One-Time Pad, and one in so-called type 2 (which-key revealing) cryptosystems based on computational complexity. Furthermore, we present a general, systematic treatment of expansions of the logic, general soundness and completeness theorems for the interpretations, and some applications to specific settings.
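A purely probabilistic interpretation can be computed exactly rather than argued about asymptotically, which is what makes the One-Time Pad case attractive. The Python below is an added toy written for this page, not the thesis's interpretation and not a reproduction of its theorem: keys are uniform N-bit strings with N tiny enough to enumerate every key assignment, a bit is the N-bit integer 0 or 1, pairs concatenate, and encryption XORs a single N-bit block with the key. The expression encoding and the helper names are the same constructed ones used above, and the sample expressions are constructed.

```python
"""A toy information-theoretic (One-Time Pad) interpretation of formal expressions.

Keys are uniform N-bit strings, bit b is the N-bit integer b, pairs concatenate,
and encryption XORs one N-bit block with the key. Because N is tiny, every key
assignment is enumerated, so the resulting distribution is exact, not sampled.
Constructed for this example; the thesis's OTP interpretation is not reproduced here.
"""
from collections import Counter
from fractions import Fraction
from itertools import product

N = 2  # block and key length in bits (assumption for this toy)


def key(name):
    return ("key", name)


def bit(b):
    return ("bit", b)


def pair(left, right):
    return ("pair", left, right)


def enc(name, payload):
    return ("enc", name, payload)


def key_names(expr):
    """All key symbols occurring in `expr`, as data or as encryption keys."""
    kind = expr[0]
    if kind == "key":
        return {expr[1]}
    if kind == "bit":
        return set()
    if kind == "pair":
        return key_names(expr[1]) | key_names(expr[2])
    if kind == "enc":
        return {expr[1]} | key_names(expr[2])
    raise ValueError(f"unknown expression kind {kind!r}")


def interpret(expr, env):
    """Concrete value of `expr` (a tuple of N-bit blocks) for fixed key values `env`."""
    kind = expr[0]
    if kind == "bit":
        return (expr[1],)
    if kind == "key":
        return (env[expr[1]],)
    if kind == "pair":
        return interpret(expr[1], env) + interpret(expr[2], env)
    if kind == "enc":
        payload = interpret(expr[2], env)
        if len(payload) != 1:
            raise ValueError("this toy pad encrypts exactly one N-bit block")
        return (payload[0] ^ env[expr[1]],)
    raise ValueError(f"unknown expression kind {kind!r}")


def distribution(expr):
    """Exact distribution of the interpretation over uniformly random keys."""
    names = sorted(key_names(expr))
    counts = Counter()
    for values in product(range(2 ** N), repeat=len(names)):
        counts[interpret(expr, dict(zip(names, values)))] += 1
    total = (2 ** N) ** len(names)
    return {out: Fraction(c, total) for out, c in counts.items()}


def statistical_distance(d1, d2):
    """Total variation distance: 0 means perfectly indistinguishable, 1 disjoint supports."""
    outcomes = set(d1) | set(d2)
    return sum(abs(d1.get(o, 0) - d2.get(o, 0)) for o in outcomes) / 2


def distance(m, n):
    return statistical_distance(distribution(m), distribution(n))


if __name__ == "__main__":
    fresh = pair(enc("K", bit(0)), enc("L", bit(1)))
    reused = pair(enc("K", bit(0)), enc("K", bit(1)))
    print(distance(fresh, pair(enc("K", bit(1)), enc("L", bit(1)))))   # 0: fresh pads hide both bits
    print(distance(reused, pair(enc("K", bit(1)), enc("K", bit(1)))))  # 1: a reused pad leaks the XOR of the bits
```

The second print is the caveat a practitioner should take from this toy: {0}_K {1}_K and {1}_K {1}_K have the same anonymous-box pattern (box, box), yet under a pad that is reused their interpretations have disjoint supports and are perfectly distinguishable. A sound One-Time Pad interpretation therefore has to constrain how formal keys may be reused, or refine the boxes, before the soundness implication can hold; which restriction the thesis adopts is not reproduced here.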
