IPDL: A Simple Framework for Formally Verifying Distributed Cryptographic Protocols

Although there have been many successes in verifying proofs of non-interactive cryptographic primitives such as encryption and signatures, formal verification of interactive cryptographic protocols is still a nascent area. While it seems possible in principle to extend general frameworks such as EasyCrypt to encode proofs for more complex, interactive protocols, a big challenge is whether the human effort would scale well enough for proof mechanization to eventually gain mainstream usage in the cryptography community. We work towards closing this gap by introducing a simple framework, Interactive Probabilistic Dependency Logic (IPDL), for reasoning about a certain well-behaved subset of cryptographic protocols. A primary design goal of IPDL is for formal cryptographic proofs to resemble their on-paper counterparts. To this end, IPDL includes an equational logic for reasoning about approximate observational equivalence (i.e., computational indistinguishability) between protocols. IPDL adopts a channel-centric core logic, which decomposes the behavior of a protocol into its behavior along each communication channel. IPDL supports straight-line programs with statically bounded loops. This design allows us to capture a broad class of protocols encountered in the cryptography literature, including multi-party, reactive, and/or inductively defined protocols; meanwhile, the logic tracks the runtime of the computational reduction in security proofs, thus ensuring computational soundness. We demonstrate the use of IPDL through a number of case studies, including a multi-use secure message communication protocol, a multi-party coin toss with abort protocol, several oblivious transfer constructions, and the two-party GMW protocol for securely evaluating general circuits. We provide a mechanization of the IPDL proof system and our case studies in Coq, and our code is open sourced at https://github.com/ipdl/ipdl.

∗Author order randomized.
