Logical Relations for Encryption

The theory of relational parametricity and its logical relations proof technique are powerful tools for reasoning about information hiding in the polymorphic λ-calculus. We investigate the application of these tools in the security domain by defining a cryptographic λ-calculus—an extension of the standard simply typed λ-calculus with primitives for encryption, decryption, and key generation—and introducing logical relations for this calculus that can be used to prove behavioral equivalences between programs that rely on encryption. We illustrate the framework by encoding some simple security protocols, including the Needham-Schroeder public-key protocol. We give a natural account of the well-known attack on the original protocol and a straightforward proof that the improved variant of the protocol is secure.
