Specifying and implementing privacy-preserving cryptographic protocols

Formal methods are an important tool for designing secure cryptographic protocols. However, the existing work on formal methods does not cover privacy-preserving protocols as much as other types of protocols. Furthermore, privacy-related properties, such as unlinkability, are not always easy or even possible to prove statically, but need to be checked dynamically during the protocol’s execution. In this paper, we demonstrate how, starting from an informal description of a privacy-preserving protocol in natural language, one may use a modified and extended version of the Typed MSR language to create a formal specification of this protocol, typed in a linkability-oriented type system, and then use this specification to reach an implementation of this protocol in Jif, in such a way that privacy vulnerabilities can be detected with a mixture of static and runtime checks.
