Anne Broadbent,Martti Karvonen

DOI: https://doi.org/10.46298/lmcs-19%284%3A30%292023

2024-10-19

Abstract:We formalize the simulation paradigm of cryptography in terms of category theory and show that protocols secure against abstract attacks form a symmetric monoidal category, thus giving an abstract model of composable security definitions in cryptography. Our model is able to incorporate computational security, set-up assumptions and various attack models such as colluding or independently acting subsets of adversaries in a modular, flexible fashion. We conclude by using string diagrams to rederive the security of the one-time pad, correctness of Diffie-Hellman key exchange and no-go results concerning the limits of bipartite and tripartite cryptography, ruling out e.g., composable commitments and broadcasting. On the way, we exhibit two categorical constructions of resource theories that might be of independent interest: one capturing resources shared among multiple parties and one capturing resource conversions that succeed asymptotically. This is a corrected version of the paper <a class="link-https" data-arxiv-id="2208.13232" href="https://arxiv.org/abs/2208.13232">arXiv:2208.13232</a> published originally on December 18, 2023.

Cryptography and Security,Category Theory

Takehiko Mieno,Hiroyuki Okazaki,Kenichi Arai,Yuichi Futa

DOI: https://doi.org/10.1109/access.2024.3368453

IF: 3.9

2024-03-06

IEEE Access

Abstract:The formal verification of cryptographic protocols has been extensively studied in recent years. To verify the cryptographic protocol security, formal verification tools consider protocol properties as interactive processes involving a cryptographic functionality. In general, we formally define a cryptographic functionality as an abstract function. However, the actual cryptographic protocols used comprise complex combinations of cryptographic functionalities. Thus, we may not determine if the protocol is secure, even when the cryptographic protocol security with cryptographic functionalities is verified using verification tools. Increasing the reliability of the verification results necessitates the verification of the security properties of these algorithms using ProVerif. Many cryptographic algorithms have been designed as iterative algorithms. These include the Merkle and Damgård construction (MD construction) method for cryptographic hash functions and the cipher block chaining mode (CBC mode) for the block cipher mode of operation. However, formalizing an iterative execution is difficult in ProVerif. Thus, we propose a method for formalizing a model of iterative executions. In the proposed method, we describe to formalize iterative execution as a formal model of function calls. We demonstrate the validity of our proposed method by formally verifying the safety of the MD construction method, which behaves like an iterative execution by including a one-way compression function and internal variables changed by the output of these functions. We also present a method for formalizing a common block cipher mode of operation (i.e., CBC mode) used in the proposed method to handle iterative execution.

computer science, information systems,telecommunications,engineering, electrical & electronic

Li Li,Jun Sun,Yang Liu,Meng Sun,Jin Song Dong

DOI: https://doi.org/10.1109/TSE.2017.2712621

IF: 7.4

2018-01-01

IEEE Transactions on Software Engineering

Abstract:Nowadays, protocols often use time to provide better security. For instance, critical credentials are often associated with expiry dates in system designs. However, using time correctly in protocol design is challenging, due to the lack of time related formal specification and verification techniques. Thus, we propose a comprehensive analysis framework to formally specify as well as automatically ...

Wiktor B. Daszczuk

DOI: https://doi.org/10.48550/arXiv.1710.09084

2017-10-25

Abstract:During the project of a communication protocol, many design decisions influence the behavior of the protocol and its correctness. Formal specification and verification of the protocol may prove its correctness. In this paper, an example of a verification of design decision using formal specification in CSM automata and verification in temporal logic is presented.

Software Engineering

Dusan Dordevic,Zoran Petric,Mladen Zekic

2023-11-18

Abstract:As shown by Abramsky and Coecke, quantum mechanics can be studied in terms of dagger compact closed categories with biproducts. Within this structure, many well-known quantum protocols can be described and their validity can be shown by establishing the commutativity of certain diagrams in that category. In this paper, we propose an explicit realisation of a category with enough structure to check the validity of a certain class of quantum protocols. In order to do this, we construct a category based on 1-dimensional cobordisms with attached elements of a certain group freely generated by a finite set. We use this category as a graphical language, and we show that it is dagger compact closed with biproducts. Then, relying on the coherence result for compact closed categories, proved by Kelly and Laplaza, we show the coherence result, which enables us to check the validity of quantum protocols just by drawing diagrams. In particular, we show the validity of quantum teleportation, entanglement swapping (as formulated in the work of Abramsky and Coecke) and superdense coding protocol.

Category Theory,Quantum Physics

Lawrence C. Paulson

DOI: https://doi.org/10.3233/JCS-1998-61-205

2021-05-13

Abstract:Informal arguments that cryptographic protocols are secure can be made rigorous using inductive definitions. The approach is based on ordinary predicate calculus and copes with infinite-state systems. Proofs are generated using Isabelle/HOL. The human effort required to analyze a protocol can be as little as a week or two, yielding a proof script that takes a few minutes to run. Protocols are inductively defined as sets of traces. A trace is a list of communication events, perhaps comprising many interleaved protocol runs. Protocol descriptions incorporate attacks and accidental losses. The model spy knows some private keys and can forge messages using components decrypted from previous traffic. Three protocols are analyzed below: Otway-Rees (which uses shared-key encryption), Needham-Schroeder (which uses public-key encryption), and a recursive protocol by Bull and Otway (which is of variable length). One can prove that event $ev$ always precedes event $ev'$ or that property $P$ holds provided $X$ remains secret. Properties can be proved from the viewpoint of the various principals: say, if $A$ receives a final message from $B$ then the session key it conveys is good.

Cryptography and Security,Logic in Computer Science

Fusheng Wu,Jinhui Liu,Yanbin Li,Mingtao Ni

DOI: https://doi.org/10.1049/2024/2634744

2024-06-14

IET Information Security

Abstract:The π‐calculus is a basic theory of mobile communication based on the notion of interaction, which, is aimed at analyzing and modeling the behaviors of communication processes in communicating and mobile systems, and is widely applied to the security analysis of cryptographic protocol's design and implementation. But the π‐calculus does not provide seamless logical security analysis, so the logical flaws in the design and the implementation of a cryptographic protocol cannot be discovered in time. This paper introduces logical rules and logical proofs, binary tree, and the KMP algorithm and proposes a new extension of the π‐calculus theory, a logical security analysis method, and an algorithm. The aim is to analyze whether there are logical flaws in the design and the implementation of a cryptographic protocol, to ensure the security of the cryptographic protocol when it is encoded into software and implemented. This paper presents the logical security proof and analysis of the TLS1.3 protocol's interactional implementation process. Empirical results show that the additional extension theory, the logical security analysis method, and the algorithm can effectively analyze whether there are logical flaws in the design and the implementation of a cryptographic protocol.

computer science, information systems, theory & methods

Joshua Guttman

DOI: https://doi.org/10.4204/EPTCS.8.5

2009-11-11

Abstract:A model-theoretic approach can establish security theorems for cryptographic protocols. Formulas expressing authentication and non-disclosure properties of protocols have a special form. They are quantified implications for all xs . (phi implies for some ys . psi). Models (interpretations) for these formulas are *skeletons*, partially ordered structures consisting of a number of local protocol behaviors. Realized skeletons contain enough local sessions to explain all the behavior, when combined with some possible adversary behaviors. We show two results. (1) If phi is the antecedent of a security goal, then there is a skeleton A_phi such that, for every skeleton B, phi is satisfied in B iff there is a homomorphism from A_phi to B. (2) A protocol enforces for all xs . (phi implies for some ys . psi) iff every realized homomorphic image of A_phi satisfies psi. Hence, to verify a security goal, one can use the Cryptographic Protocol Shapes Analyzer CPSA (TACAS, 2007) to identify minimal realized skeletons, or "shapes," that are homomorphic images of A_phi. If psi holds in each of these shapes, then the goal holds.

Cryptography and Security,Logic in Computer Science

Fusheng Wu,Jinhui Liu,Yanbing Li,Mingtao Ni

2023-11-01

Abstract:The pi calculus is a basic theory of mobile communication based on the notion of interaction, which, aimed at analyzing and modelling the behaviors of communication process in communicating and mobile systems, is widely applied to the security analysis of cryptographic protocol's design and implementation. But the pi calculus does not provide perfect logic security analysis, so the logic flaws in the design and the implementation of a cryptographic protocol can not be discovered in time. The aim is to analyze whether there are logic flaws in the design and the implementation of a cryptographic protocol, so as to ensure the security of the cryptographic protocol when it is encoded into a software and implemented. This paper introduces logic rules and proofs, binary tree and the KMP algorithm, and proposes a new extension the pi calculus theory, a logic security analysis framework and an algorithm. This paper presents the logic security proof and analysis of TLS1.3 protocol's interactional implementation process. Empirical results show that the new extension theory, the logic security analysis framework and the algorithm can effectively analyze whether there are logic flaws in the design and the implementation of a cryptographic protocol. The security of cryptographic protocols depends not only on cryptographic primitives, but also on the coding of cryptographic protocols and the environment in which they are implemented. The security analysis framework of cryptographic protocol implementation proposed in this paper can ensure the security of protocol implementation.

Cryptography and Security,Logic in Computer Science

张玉清,吴建平,李星

DOI: https://doi.org/10.3321/j.issn:1000-0054.2002.01.028

2002-01-01

Abstract:BAN (Burrows, Abadi and Needham) like logic can aid the design, analysis, and verification of cryptographic protocols used over open networks and distributed systems. This paper introduces BAN like logic and then illustrates the limitations of BAN logic on protocol idealization as a survey of the current state of BAN like logic. The conclusions are that BAN like logic is still one of the main tools for analysis of cryptographic protocols, but protocol idealization is the fatal weakness of BAN like logic. Suggestions are then made for future work. These conclusions will facilitate the development of formal methods for the analysis and design of cryptographic protocols.

张玉清,吴建平,李星

DOI: https://doi.org/10.3969/j.issn.1002-137X.2001.08.012

2001-01-01

Abstract:Model checking can aid the design,analysis,and verification of the cryptographic protocols used over open networks and distributed systems. In this paper we give a survey of the state of model checking to the analysis of cryptographic protocols. We attempt to outline some of the major threads of research in this area ,and also to make a suggestion of future work. These conclusions will facilitate the development of using model checker for analysis of cryptographic protocols.

Bruno Montalto

DOI: https://doi.org/10.3929/ethz-a-010349801

Abstract:Security protocols are distributed programs designed to ensure secure communication in a network controlled by an adversary. They are widely used today for securing on-line services such as personal communication and electronic voting. Their design is notoriously error-prone, and a great deal of research has been devoted to their analysis. In this thesis we provide two main contributions towards the automated analysis of such protocols: algorithms for the symbolic analysis of equivalence properties, and a symbolic probabilistic framework for security protocol analysis. We consider the problem of verifying two equivalence properties relevant in protocol analysis: static equivalence and trace equivalence. Both notions model the property that an attacker cannot distinguish between two protocol executions, and they have been used to model security goals such as off-line guessing, electronic voting anonymity, and RFID untraceability. Static equivalence is concerned with an attacker who passively eavesdrop on a network and then tries to distinguish between possible executions by performing off-line computations. Trace equivalence is used in the analysis of security properties against an attacker who may participate actively in protocol execution. We present an efficient decision procedure for static equivalence under equational theories generated by subterm convergent rewriting systems. This class of theories encompasses the most common cryptographic primitives, including symmetric and asymmetric encryption and decryption, hash functions and digital signatures. Our algorithm achieves a better asymptotic complexity than competing algorithms, albeit with a narrower scope. We discuss its implementation in the FAST tool and show that it indeed performs much more efficiently than other existing tools for the same task. We also present a procedure for deciding the trace equivalence of bounded simple processes under equational theories generated by convergent rewriting systems and for which a finitary unification algorithm exists. Although we do not have a termination result, our procedure is correct for the largest class of equational theories handled by any existing procedure for deciding trace equivalence and, together with the work by Cheval et. al [64], it is the only one to handle non-trivial else branches. Finally, we introduce a symbolic probabilistic framework for the analysis of security protocols. Our framework provides a general method for expressing weak-

Computer Science

Rajagopal Nagarajan,Simon Gay

DOI: https://doi.org/10.48550/arXiv.quant-ph/0203086

2002-03-18

Abstract:We propose to analyse quantum protocols by applying formal verification techniques developed in classical computing for the analysis of communicating concurrent systems. One area of successful application of these techniques is that of classical security protocols, exemplified by Lowe's discovery and fix of a flaw in the well-known Needham-Schroeder authentication protocol. Secure quantum cryptographic protocols are also notoriously difficult to design. Quantum cryptography is therefore an interesting target for formal verification, and provides our first example; we expect the approach to be transferable to more general quantum information processing scenarios. The example we use is the quantum key distribution protocol proposed by Bennett and Brassard, commonly referred to as BB84. We present a model of the protocol in the process calculus CCS and the results of some initial analyses using the Concurrency Workbench of the New Century (CWB-NC).

Quantum Physics

Xiangyu Luo,Yan Chen,Ming Gu,Lijun Wu

DOI: https://doi.org/10.1109/nswctc.2009.384

2009-01-01

Abstract:Formal verification approaches can guarantee the correctness of security protocols. In this paper we take the well-known Needham-Schroeder public-key authentication protocol as an example, to show how we can apply the symbolic model checker for multiagent systems MCTK, which is developed by us, to the verification of security protocols. One temporal epistemic property is checked successfully both in the original version and the Lowe's revised version of the Needham-Schroeder protocol. The experimental result shows that our method is an effective way to the verification of security protocol.

N. Inassaridze,T. Kandelaki,M. Ladra

DOI: https://doi.org/10.1007/s10958-013-1588-y

2013-11-08

Journal of Mathematical Sciences

Abstract:We give interpretations of some known key agreement protocols in the framework of category theory and in this way we propose a method of constructing of many new key agreement protocols.

Mitsugu Iwamoto,Kazuo Ohta,Junji Shikata

DOI: https://doi.org/10.48550/arXiv.1410.1120

2014-10-05

Abstract:This paper revisits formalizations of information-theoretic security for symmetric-key encryption and key agreement protocols which are very fundamental primitives in cryptography. In general, we can formalize information-theoretic security in various ways: some of them can be formalized as stand-alone security by extending (or relaxing) Shannon's perfect secrecy or by other ways such as semantic security; some of them can be done based on composable security. Then, a natural question about this is: what is the gap between the formalizations? To answer the question, we investigate relationships between several formalizations of information-theoretic security for symmetric-key encryption and key agreement protocols. Specifically, for symmetric-key encryption protocols in a general setting including the case where there exist decryption-errors, we deal with the following formalizations of security: formalizations extended (or relaxed) from Shannon's perfect secrecy by using mutual information and statistical distance; information-theoretic analogues of indistinguishability and semantic security by Goldwasser and Micali; and composable security by Maurer et al. and Canetti. Then, we explicitly show the equivalence and non-equivalence between those formalizations. Under the model, we also derive lower bounds on the adversary's (or distinguisher's) advantage and the size of secret-keys required under all of the above formalizations. Although some of them may be already known, we can explicitly derive them all at once through our relationships between the formalizations. In addition, we briefly observe impossibility results which easily follow from the lower bounds. The similar results are also shown for key agreement protocols in a general setting including the case where there exist agreement-errors in the protocols.

Cryptography and Security,Information Theory

David Nowak

DOI: https://doi.org/10.1007/978-3-642-00730-9_23

2009-04-07

Abstract:Cryptographic primitives are fundamental for information security: they are used as basic components for cryptographic protocols or public-key cryptosystems. In many cases, their security proofs consist in showing that they are reducible to computationally hard problems. Those reductions can be subtle and tedious, and thus not easily checkable. On top of the proof assistant Coq, we had implemented in previous work a toolbox for writing and checking game-based security proofs of cryptographic primitives. In this paper we describe its extension with number-theoretic capabilities so that it is now possible to write and check arithmetic-based cryptographic primitives in our toolbox. We illustrate our work by machine checking the game-based proofs of unpredictability of the pseudo-random bit generator of Blum, Blum and Shub, and semantic security of the public-key cryptographic scheme of Goldwasser and Micali.

Cryptography and Security,Logic in Computer Science

CHEN Qiang,HUANG Lian-sheng,ZHAO Xiu-wen

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.06.033

2006-01-01

Abstract:This paper presents a combined analysis method for security protocols.By specifying security protocols using Common Authentication Protocol Specification Language,then convert CAPSL specification into formal inputs for other analysis tools by connector.This method can utilize the advantage of various analysis tools and ensure the accuracy of formal analysis.Meanwhile,it is convenient for analyzer.We design two CAPSL connector and give an instance.

E. Chunlin,Songtao Liang,Tao Zhang

DOI: https://doi.org/10.1109/wicom.2011.6038694

2011-01-01

Abstract:Cryptography plays an important role in the network environment and wireless applications. Most of the time, the information in wireless and network environment is encrypted by stream ciphers which must resist many kinds of attacks. Algebraic immunity (AI) is one of the most important characteristics which evaluate the resistance against algebraic attacks. Constructing a Boolean function which has both AI and other crypto characteristics is an important studying field. In this paper, we study the AI and other properties, and then propose a construction method based on genetic algorithm that can obtain Boolean functions with good cryptographic appearance.

Ittoop Vergheese Puthoor

2024-09-26

Abstract:Formal methods have been a successful approach for modelling and verifying the correctness of complex technologies like microprocessor chip design, biological systems and others. This is the main motivation of developing quantum formal techniques which is to describe and analyse quantum information processing systems. Our previous work demonstrates the possibility of using a quantum process calculus called Communicating Quantum Processes (CQP) to model and describe higher dimensional quantum systems. By developing the theory to generalise the fundamental gates and Bell states, we have modelled quantum qudit protocols like teleportation and superdense coding in CQP. In this paper, we demonstrate the use of CQP to analyse higher dimensional quantum protocols. The main idea is to define two processes, one modelling the real protocol and the other expressing a specification, and prove that they are behaviourally equivalent. This is a work-in-progress and we present our preliminary results in extending the theory of behavioural equivalence in CQP to verify higher dimensional quantum protocols using qudits.

Formal Languages and Automata Theory,Quantum Physics