CryptoVerif Tutorial



Similar documents
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Provable-Security Analysis of Authenticated Encryption in Kerberos

Ciphertext verification security of symmetric encryption schemes

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Introduction. Digital Signature

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

Authenticated Encryption (AE) Instructor: Ahmad Boorghany

Lecture 3: One-Way Encryption, RSA Example

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

1 Message Authentication

DIGITAL SIGNATURES 1/1

Reconsidering Generic Composition

MACs Message authentication and integrity. Table of contents

Authentication and Encryption: How to order them? Motivation

1 Construction of CCA-secure encryption

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

Semantic Security for the McEliece Cryptosystem without Random Oracles

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

Privacy in Encrypted Content Distribution Using Private Broadcast Encryption

CS155. Cryptography Overview

RSA OAEP is Secure under the RSA Assumption

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Foundations of Group Signatures: The Case of Dynamic Groups

Multi-Recipient Encryption Schemes: Efficient Constructions and their Security

Chosen-Ciphertext Security from Identity-Based Encryption

Authenticated encryption

MAC. SKE in Practice. Lecture 5

Chapter 12. Digital signatures Digital signature schemes

Crypto-Verifying Protocol Implementations in ML

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

1 Signatures vs. MACs

Simple and Efficient Public-Key Encryption from Computational Diffie-Hellman in the Standard Model

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Trading One-Wayness against Chosen-Ciphertext Security in Factoring-Based Encryption

Computational Soundness of Symbolic Security and Implicit Complexity

Message Authentication Codes 133

Identity-Based Encryption from the Weil Pairing

On the Security of the Tor Authentication Protocol

Securing Remote Access Inside Wireless Mesh Networks

Provably Secure Timed-Release Public Key Encryption

On the Security of the CCM Encryption Mode and of a Slight Variant

Anonymity and Time in Public-Key Encryption

Overview of Public-Key Cryptography

Universal Padding Schemes for RSA

Chapter 16: Authentication in Distributed System

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

3-6 Toward Realizing Privacy-Preserving IP-Traceback

Capture Resilient ElGamal Signature Protocols

Symmetric Crypto MAC. Pierre-Alain Fouque

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

Digital Signatures. What are Signature Schemes?

Digital Signatures. Prof. Zeph Grunschlag

Talk announcement please consider attending!

Q: Why security protocols?

How to Formally Model Features of Network Security Protocols

Lecture 15 - Digital Signatures

Wildcarded Identity-Based Encryption

Non-interactive and Reusable Non-malleable Commitment Schemes

Formal Modelling of Network Security Properties (Extended Abstract)

Cryptography Overview

Lecture 13: Message Authentication Codes

Lecture 9 - Message Authentication Codes

CIS 5371 Cryptography. 8. Encryption --

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

Message Authentication Code

An efficient and provably secure public key encryption scheme based on coding theory

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Lecture 2 August 29, 13:40 15:40

Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings

Overview of Symmetric Encryption

Efficient and Secure Authenticated Key Exchange Using Weak Passwords

Recongurable Cryptography: A exible approach to long-term security

1 Domain Extension for MACs

Delegation of Cryptographic Servers for Capture-Resilient Devices

Distributed Key Generation for Secure Encrypted Deduplication

Certificate Based Signature Schemes without Pairings or Random Oracles

A Secure RFID Ticket System For Public Transport

Advanced Cryptography

A Method for Making Password-Based Key Exchange Resilient to Server Compromise

the server that does not allow to treat relational databases. A fundamental question thus becomes what is the best guaranteed security that can be

1. a. Define the properties of a one-way hash function. (6 marks)

Victor Shoup Avi Rubin. Abstract

An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud

Incremental Deterministic Public-Key Encryption

Proof of Freshness: How to efficiently use an online single secure clock to secure shared untrusted memory.

Chosen-Ciphertext Security from Identity-Based Encryption

Security Analysis for Order Preserving Encryption Schemes

A CCA2 Secure Variant of the McEliece Cryptosystem

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Ensuring Integrity in Cloud Computing via Homomorphic Digital Signatures: new tools and results

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.

Cryptographic Agility and its Relation to Circular Encryption

Message Authentication Codes

Schnorr Signcryption. Combining public key encryption with Schnorr digital signature. Laura Savu, University of Bucharest, Romania

Chapter 3. Network Domain Security

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Transcription:

CryptoVerif Tutorial Bruno Blanchet INRIA Paris-Rocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14

Exercise 1: preliminary definition SUF-CMA Definition (SUF-CMA MACs) The advantage of the adversary against strong unforgeability under chosen message attacks (SUF-CMA) of MACs is: Succ suf cma MAC (t, q m, q v, l) = [ max Pr A k R mkgen; (m, s) A mac(.,k),verify(.,k,.) : verify(m, k, s) s is not the result of calling the oracle mac(., k) on m where A runs in time at most t, calls mac(., k) at most q m times with messages of length at most l, calls verify(., k,.) at most q v times with messages of length at most l. MAC is SUF-CMA if and only if Succ suf cma MAC (t, q m, q v, l) is negligible when t, q m, q v, l are polynomial in the security parameter. ] Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 2 / 14

Exercise 1: preliminary definition IND-CCA2 Definition (IND-CCA2 symmetric encryption) The advantage of the adversary against indistinguishabibility under adaptive chosen-ciphertext attacks (IND-CCA2) of a symmetric encryption scheme SE is: Succ ind cca2 SE (t, q e, q d, l e, l d ) = b {0, R 1}; k R kgen; max 2 Pr b A enc(lr(.,.,b),k),dec(.,k) : b = b A A has not called dec(., k) on the result of 1 enc(lr(.,., b), k) where A runs in time at most t, calls enc(lr(.,., b), k) at most q e times on messages of length at most l e, calls dec(., k) at most q d times on messages of length at most l d. SE is IND-CCA2 if and only if Succ ind cca2 SE (t, q e, q d, l e, l d ) is negligible when t, q e, q d, L e, l d are polynomial in the security parameter. Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 3 / 14

Exercise 1: preliminary definition INT-CTXT Definition (INT-CTXT symmetric encryption) The advantage of the adversary against ciphertext integrity (INT-CTXT) of a symmetric encryption scheme SE is: Succ int ctxt SE (t, q e, q d, l e, l d ) = [ max Pr A k R kgen; c A enc(.,k),dec(.,k) : dec(c, k) c is not the result of a call to the enc(., k) oracle where A runs in time at most t, calls enc(., k) at most q e times with messages of length at most l e, calls dec(., k) at most q d times with messages of length at most l d. SE is INT-CTXT if and only if Succ int ctxt SE (t, q e, q d, l e, l d ) is negligible when t, q e, q d, L e, l d are polynomial in the security parameter. ] Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 4 / 14

Exercise 1 1 Show using CryptoVerif that, if the MAC scheme is SUF-CMA and the encryption scheme is IND-CPA, then the encrypt-then-mac scheme is IND-CPA. 2 Show using the same assumptions that the encrypt-then-mac scheme is IND-CCA2. 3 Show using the same assumptions that the encrypt-then-mac scheme is INT-CTXT. 4 What happens if the MAC scheme is only UF-CMA? Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 5 / 14

Exercise 2: Preliminary definition A public-key encryption scheme AE consists of a key generation algorithm (pk, sk) R kgen a probabilistic encryption algorithm enc(m, pk) a decryption algorithm dec(m, sk) such that dec(enc(m, pk), sk) = m. The advantage of the adversary against indistinguishability under chosen-plaintext attacks (IND-CPA) is Succ ind cca2 AE (t) = max 2 Pr b {0, R 1}; (pk, sk) R kgen; (m A 0, m 1, s) A 1 (pk); y enc(m b, pk); 1 b A 2 (m 0, m 1, s, y) : b = b where A = (A 1, A 2 ) runs in time at most t. AE is IND-CPA if and only if Succ ind cpa AE (t) is negligible when t is polynomial in the security parameter. Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 6 / 14

Exercise 2 Suppose that H is a hash function in the Random Oracle Model and that f is a one-way trapdoor permutation. Consider the encryption function E pk (x) = f pk (r) H(r) x, where denotes concatenation and denotes exclusive or (Bellare & Rogaway, CCS 93). What is the decryption function? Show using CryptoVerif that this public-key encryption scheme is IND-CPA. Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 7 / 14

Exercise 3 Consider the fixed version of the Woo-Lam shared-key protocol, by Gordon and Jeffrey (CSFW 01): A B: B A: A B: B S: S B: A N (fresh nonce) {m3, B, N} kas A, B, {m3, B, N} kas {m5, A, N} kbs At the end, B verifies that {m5, A, N} kbs is the message from S. Show that, at the end of the protocol, A is authenticated to B. Suggestion: one may consider 1 First, a simple version in which A talks only to B, B talks only to A, and S talks only to A and B. 2 Then, generalize to the case in which A, B, and S may also talk to dishonest participants. Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 8 / 14

Exercise 4 Consider the Needham-Schroeder public-key protocol, as fixed by Lowe. We first consider a simplified version without certificates: A B: B A: A B: {N A, pk A } pkb {N A, N B, pk B } pka {N B } pkb Show that, at the end of the protocol, A and B are mutually authenticated. Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 9 / 14

Exercise 4 Now consider the full version with certificates: A S: (A, B) S A: (pk B, B, {pk B, B} sks ) A B: {N A, A} pkb B S: (B, A) S B: (pk A, A, {pk A, A} sks ) B A: {N A, N B, B} pka A B: {N B } pkb Show that, at the end of the protocol, A and B are mutually authenticated. Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 10 / 14

Exercise 5 The advantage of the adversary against strong unforgeability under chosen message attacks (SUF-CMA) of MACs is: Succ suf cma MAC (t, q m, q v, l) = [ max Pr A k R mkgen; (m, s) A mac(.,k),verify(.,k,.) : verify(m, k, s) s is not the result of calling the oracle mac(., k) on m where A runs in time at most t, calls mac(., k) at most q m times with messages of length at most l, calls verify(., k,.) at most q v times with messages of length at most l. Represent SUF-CMA MACs in the CryptoVerif formalism. ] Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 11 / 14

Exercise 6 A signature scheme S consists of a key generation algorithm (pk, sk) R kgen a signature algorithm sign(m, sk) a verification algorithm verify(m, pk, s) such that verify(m, pk, sign(m, sk)) = 1. The advantage of the adversary against unforgeability under chosen message attacks (UF-CMA) of signatures is: Succ uf cma S (t, q s, l) = [ max Pr A (pk, sk) R kgen; (m, s) A sign(.,sk) (pk) : verify(m, pk, s) m was never queried to the oracle sign(., sk) where A runs in time at most t, calls sign(., sk) at most q s times with messages of length at most l. Represent UF-CMA signatures in the CryptoVerif formalism. Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 12 / 14 ]

Exercise 7 The advantage of the adversary against ciphertext integrity (INT-CTXT) of a symmetric encryption scheme SE is: Succ int ctxt SE (t, q e, q d, l e, l d ) = [ max Pr A k R kgen; c A enc(.,k),dec(.,k) : dec(c, k) c is not the result of a call to the enc(., k) oracle where A runs in time at most t, calls enc(., k) at most q e times with messages of length at most l e, calls dec(., k) at most q d times with messages of length at most l d. Represent INT-CTXT encryption in the CryptoVerif formalism. ] Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 13 / 14

Exercise 8 A public-key encryption scheme AE consists of a key generation algorithm (pk, sk) R kgen a probabilistic encryption algorithm enc(m, pk) a decryption algorithm dec(m, sk) such that dec(enc(m, pk), sk) = m. The advantage of the adversary against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) is Succ ind cca2 AE (t, q d ) = b {0, R 1}; (pk, sk) R kgen; max 2 Pr (m 0, m 1, s) A dec(.,sk) 1 (pk); y enc(m b, pk); A b A dec(.,sk) 2 (m 0, m 1, s, y) : b = b 1 A 2 has not called dec(., sk) on y where A = (A 1, A 2 ) runs in time at most t and calls dec(., sk) at most q d times. Represent IND-CCA2 encryption in the CryptoVerif formalism. Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 14 / 14

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information