Computational soundness of observational equivalence

Many security properties are naturally expressed as indistinguishability between two versions of a protocol. In this paper, we show that computational proofs of indistinguishability can be considerably simplified, for a class of processes that covers most existing protocols. More precisely, we show a soundness theorem, following the line of research launched by Abadi and Rogaway in 2000: computational indistinguishability in the presence of an active attacker is implied by the observational equivalence of the corresponding symbolic processes. We prove our result for symmetric encryption, but the same techniques can be applied to other security primitives such as signatures and public-key encryption. The proof requires the introduction of new concepts, which are general and can be reused in other settings.
