Logical relations for encryption

The theory of relational parametricity and its logical relations proof technique are powerful tools for reasoning about information hiding in the polymorphic λ-calculus. We investigate the application of these tools in the security domain by defining a cryptographic λ-calculus, an extension of the standard simply typed λ-calculus with primitives for encryption, decryption, and key generation, and by introducing syntactic logical relations (in the style of Pitts and Birkedal-Harper) for this calculus that can be used to prove behavioral equivalences between programs that use encryption. We illustrate the framework by encoding some simple security protocols, including the Needham-Schroeder public-key protocol. We give a natural account of the well-known attack on the original protocol and a straightforward proof that the improved variant of the protocol is secure.
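The abstract names the attack on the original Needham-Schroeder public-key protocol and its secured variant without spelling them out. The following is an added example, not code from the paper or its authors: a symbolic (Dolev-Yao style) Python model in which key generation, encryption and decryption are opaque term constructors, mirroring the three primitives of the cryptographic λ-calculus described above, but untyped and without any logical-relations machinery. The principal names `A`, `B` and the intruder `I`, the nonce format, and the `fixed` switch selecting Lowe's repaired message 2 (`{Na, Nb, B}_pkA` instead of `{Na, Nb}_pkA`) are assumptions made for the example.

```python
"""Symbolic model of Needham-Schroeder public-key (NSPK) and Lowe's man-in-the-middle.

Added example, not the paper's own code. Perfect cryptography is assumed:
a ciphertext can only be opened with the matching private key, so the
intruder learns nothing from terms it cannot decrypt.
"""
import itertools
from dataclasses import dataclass
from typing import Optional

_fresh = itertools.count(1)


@dataclass(frozen=True)
class Key:
    owner: str
    private: bool = False


def newkey(owner: str):
    """Key-generation primitive: fresh (public, private) pair for `owner`."""
    return Key(owner, False), Key(owner, True)


@dataclass(frozen=True)
class Enc:
    pub: Key
    payload: tuple


def enc(pub: Key, *payload) -> Enc:
    """Encryption primitive: the result is opaque except through dec()."""
    assert not pub.private, "encrypt under a public key"
    return Enc(pub, tuple(payload))


def dec(priv: Key, c) -> tuple:
    """Decryption primitive: fails unless `priv` matches the encrypting key."""
    if not (isinstance(c, Enc) and priv.private and priv.owner == c.pub.owner):
        raise ValueError("cannot decrypt")
    return c.payload


def nonce(owner: str) -> str:
    """Fresh nonce (constructed, symbolic)."""
    return f"N{owner}{next(_fresh)}"


class Initiator:
    """Role A: wants to authenticate to `peer`."""

    def __init__(self, name, sk, pks, peer, fixed):
        self.name, self.sk, self.pks, self.peer, self.fixed = name, sk, pks, peer, fixed

    def msg1(self) -> Enc:                       # 1. A -> peer: {Na, A}_pk(peer)
        self.na = nonce(self.name)
        return enc(self.pks[self.peer], self.na, self.name)

    def msg3(self, m2: Enc) -> Enc:              # 3. A -> peer: {Nb}_pk(peer)
        fields = dec(self.sk, m2)
        if self.fixed:                           # Lowe: message 2 names the responder
            na, nb, responder = fields
            if responder != self.peer:
                raise ValueError(f"{self.name}: message 2 is from {responder}, expected {self.peer}")
        else:
            na, nb = fields
        if na != self.na:
            raise ValueError("nonce Na mismatch")
        return enc(self.pks[self.peer], nb)


class Responder:
    """Role B: accepts whoever completes the handshake."""

    def __init__(self, name, sk, pks, fixed):
        self.name, self.sk, self.pks, self.fixed = name, sk, pks, fixed

    def msg2(self, m1: Enc) -> Enc:              # 2. B -> a: {Na, Nb}_pk(a)  (+ B if fixed)
        na, self.claimed_peer = dec(self.sk, m1)
        self.nb = nonce(self.name)
        extra = (self.name,) if self.fixed else ()
        return enc(self.pks[self.claimed_peer], na, self.nb, *extra)

    def accept(self, m3: Enc) -> str:
        (nb,) = dec(self.sk, m3)
        if nb != self.nb:
            raise ValueError("nonce Nb mismatch")
        return self.claimed_peer                 # whom B now believes it talked to


def honest_run(fixed: bool) -> str:
    """A talks to B directly; returns the identity B authenticates."""
    pks, sks = {}, {}
    for p in ("A", "B"):
        pks[p], sks[p] = newkey(p)
    alice = Initiator("A", sks["A"], pks, peer="B", fixed=fixed)
    bob = Responder("B", sks["B"], pks, fixed=fixed)
    return bob.accept(alice.msg3(bob.msg2(alice.msg1())))


def lowe_attack(fixed: bool) -> Optional[str]:
    """A honestly runs the protocol with I; I interleaves a session with B.

    Returns the identity B ends up authenticating, or None if the run aborts.
    """
    pks, sks = {}, {}
    for p in ("A", "B", "I"):
        pks[p], sks[p] = newkey(p)
    alice = Initiator("A", sks["A"], pks, peer="I", fixed=fixed)
    bob = Responder("B", sks["B"], pks, fixed=fixed)
    na, a = dec(sks["I"], alice.msg1())          # I opens {Na, A}_pkI ...
    m2 = bob.msg2(enc(pks["B"], na, a))          # ... and replays {Na, A}_pkB to B
    try:
        m3 = alice.msg3(m2)                      # I forwards {Na, Nb[, B]}_pkA unopened to A
    except ValueError:
        return None                              # fixed variant: A sees B, expected I
    (nb,) = dec(sks["I"], m3)                    # A replied {Nb}_pkI, so I learns Nb
    return bob.accept(enc(pks["B"], nb))         # B accepts "A", who never spoke to it
```

`lowe_attack(False)` returns `"A"`: B believes it has completed a run with A although A only ever talked to I. With `fixed=True` the same interleaving fails at A's check of the responder name in message 2, so the run aborts and B never reaches `accept`; `honest_run` succeeds in both modes, showing the repair does not break the protocol itself.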

[1] Gavin Lowe, et al. How to prevent type flaw attacks on security protocols, 2000, Proceedings 13th IEEE Computer Security Foundations Workshop (CSFW-13).

[2] Claudio V. Russo, et al. Operational Properties of Lily, a Polymorphic Linear Lambda Calculus with Recursion, 2001, HOOTS.

[3] Rocco De Nicola, et al. Proof techniques for cryptographic processes, 1999, Proceedings 14th Symposium on Logic in Computer Science.

[4] Davide Sangiorgi, et al. Behavioral equivalence in the polymorphic pi-calculus, 1997, POPL '97.

[5] John C. Reynolds, et al. Types, Abstraction and Parametric Polymorphism, 1983, IFIP Congress.

[6] Roberto Gorrieri, et al. A compiler for analyzing cryptographic protocols using noninterference, 2000, TSEM.

[7] Gavin Lowe, et al. An Attack on the Needham-Schroeder Public-Key Authentication Protocol, 1995, Inf. Process. Lett.

[8] John C. Mitchell, et al. Foundations for programming languages, 1996, Foundation of computing series.

[9] Geoffrey Smith, et al. Secure information flow in a multi-threaded imperative language, 1998, POPL '98.

[10] Andrew M. Pitts, et al. Process Calculus Based Upon Evaluation to Committed Form, 1996, Theor. Comput. Sci.

[11] Roger M. Needham, et al. Using encryption for authentication in large networks of computers, 1978, CACM.

[12] David N. Turner, et al. The polymorphic Pi-calculus: theory and implementation, 1996.

[13] Catherine A. Meadows, et al. Formal Verification of Cryptographic Protocols: A Survey, 1994, ASIACRYPT.

[14] Davide Sangiorgi, et al. Behavioral equivalence in the polymorphic pi-calculus, 2000, JACM.

[15] Martín Abadi, et al. A Bisimulation Method for Cryptographic Protocols, 1998, Nord. J. Comput.

[16] Jon G. Riecke, et al. The SLam calculus: programming with secrecy and integrity, 1998, POPL '98.

[17] Catherine A. Meadows. Open Issues in Formal Methods for Cryptographic Protocol Analysis, 2001, MMM-ACNS.

[18] Martín Abadi. Protection in Programming-Language Translations: Mobile Object Systems (Abstract), 1998, ECOOP Workshops.

[19] Philip Wadler, et al. Theorems for free!, 1989, FPCA.

[20] Andrew D. Gordon, et al. Authenticity by typing for security protocols, 2001, Proceedings 14th IEEE Computer Security Foundations Workshop.

[21] Martín Abadi, et al. A Calculus for Cryptographic Protocols: The spi Calculus, 1999, Inf. Comput.

[22] Peter Y. A. Ryan, et al. Process algebra and non-interference, 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[23] Rocco De Nicola, et al. Proof Techniques for Cryptographic Processes, 2001, SIAM J. Comput.

[24] Dennis M. Volpano. Formalization and proof of secrecy properties, 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[25] I. Stark, et al. Operational reasoning for functions with local state, 1999.

[26] François Pottier, et al. Information flow inference for ML, 2002, POPL '02.

[27] Martín Abadi, et al. Mobile values, new names, and secure communication, 2001, POPL '01.

[28] Martín Abadi, et al. A calculus for cryptographic protocols: the spi calculus, 1997, CCS '97.

[29] François Pottier. A simple view of type-secure information flow in the π-calculus, 2002, Proceedings 15th IEEE Computer Security Foundations Workshop (CSFW-15).

[30] Roberto Gorrieri, et al. CVS: a compiler for the analysis of cryptographic protocols, 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[31] Martín Abadi, et al. Secrecy by typing in security protocols, 1999, JACM.

[32] James Riely, et al. Information flow vs. resource access in the asynchronous pi-calculus, 2000, TOPL.

[33] Danny Dolev, et al. On the security of public key protocols, 1981, 22nd Annual Symposium on Foundations of Computer Science.

[34] Benjamin C. Pierce, et al. Relating Cryptography and Polymorphism, 2000.

[35] Andrew M. Pitts. Existential Types: Logical Relations and Operational Equivalence, 1998, ICALP.

[36] Lars Birkedal, et al. Relational Interpretations of Recursive Types in an Operational Setting, 1999, Inf. Comput.

[37] Ian David Bede Stark. Names and higher-order functions, 1994.

[38] A. Pitts. Parametric polymorphism and operational equivalence, 2000, Mathematical Structures in Computer Science.