CryptoVerif Tutorial



Similar documents
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Provable-Security Analysis of Authenticated Encryption in Kerberos

Ciphertext verification security of symmetric encryption schemes

Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm

Introduction. Digital Signature

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

Authenticated Encryption (AE) Instructor: Ahmad Boorghany

Lecture 3: One-Way Encryption, RSA Example

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

1 Message Authentication

DIGITAL SIGNATURES 1/1

Reconsidering Generic Composition

MACs Message authentication and integrity. Table of contents

Authentication and Encryption: How to order them? Motivation

1 Construction of CCA-secure encryption

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

CS155. Cryptography Overview

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Foundations of Group Signatures: The Case of Dynamic Groups

Chosen-Ciphertext Security from Identity-Based Encryption

Authenticated encryption

MAC. SKE in Practice. Lecture 5

Chapter 12. Digital signatures Digital signature schemes

Crypto-Verifying Protocol Implementations in ML

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

1 Signatures vs. MACs

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Computational Soundness of Symbolic Security and Implicit Complexity

Message Authentication Codes 133

Identity-Based Encryption from the Weil Pairing

On the Security of the Tor Authentication Protocol

Overview of Public-Key Cryptography

Universal Padding Schemes for RSA

Chapter 16: Authentication in Distributed System

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

3-6 Toward Realizing Privacy-Preserving IP-Traceback

Capture Resilient ElGamal Signature Protocols

Symmetric Crypto MAC. Pierre-Alain Fouque

Authenticated Encryption in SSH: Provably Fixing the SSH Binary Packet Protocol

Digital Signatures. What are Signature Schemes?

Digital Signatures. Prof. Zeph Grunschlag

Talk announcement please consider attending!

Q: Why security protocols?

How to Formally Model Features of Network Security Protocols

Lecture 15 - Digital Signatures

Non-interactive and Reusable Non-malleable Commitment Schemes

Cryptography Overview

Lecture 13: Message Authentication Codes

Lecture 9 - Message Authentication Codes

CIS 5371 Cryptography. 8. Encryption --

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

Message Authentication Code

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Lecture 2 August 29, 13:40 15:40

Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings

Overview of Symmetric Encryption

Efficient and Secure Authenticated Key Exchange Using Weak Passwords

Recongurable Cryptography: A exible approach to long-term security

Delegation of Cryptographic Servers for Capture-Resilient Devices

Certificate Based Signature Schemes without Pairings or Random Oracles

A Secure RFID Ticket System For Public Transport

Advanced Cryptography

1. a. Define the properties of a one-way hash function. (6 marks)

Victor Shoup Avi Rubin. Abstract

An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud

Chosen-Ciphertext Security from Identity-Based Encryption

Security Analysis for Order Preserving Encryption Schemes

A CCA2 Secure Variant of the McEliece Cryptosystem

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Ensuring Integrity in Cloud Computing via Homomorphic Digital Signatures: new tools and results

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.

Message Authentication Codes

Schnorr Signcryption. Combining public key encryption with Schnorr digital signature. Laura Savu, University of Bucharest, Romania

Chapter 3. Network Domain Security

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Transcription:

CryptoVerif Tutorial Bruno Blanchet INRIA Paris-Rocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14

Exercise 1: preliminary definition SUF-CMA Definition (SUF-CMA MACs) The advantage of the adversary against strong unforgeability under chosen message attacks (SUF-CMA) of MACs is: Succ suf cma MAC (t, q m, q v, l) = [ max Pr A k R mkgen; (m, s) A mac(.,k),verify(.,k,.) : verify(m, k, s) s is not the result of calling the oracle mac(., k) on m where A runs in time at most t, calls mac(., k) at most q m times with messages of length at most l, calls verify(., k,.) at most q v times with messages of length at most l. MAC is SUF-CMA if and only if Succ suf cma MAC (t, q m, q v, l) is negligible when t, q m, q v, l are polynomial in the security parameter. ] Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 2 / 14

Exercise 1: preliminary definition IND-CCA2 Definition (IND-CCA2 symmetric encryption) The advantage of the adversary against indistinguishabibility under adaptive chosen-ciphertext attacks (IND-CCA2) of a symmetric encryption scheme SE is: Succ ind cca2 SE (t, q e, q d, l e, l d ) = b {0, R 1}; k R kgen; max 2 Pr b A enc(lr(.,.,b),k),dec(.,k) : b = b A A has not called dec(., k) on the result of 1 enc(lr(.,., b), k) where A runs in time at most t, calls enc(lr(.,., b), k) at most q e times on messages of length at most l e, calls dec(., k) at most q d times on messages of length at most l d. SE is IND-CCA2 if and only if Succ ind cca2 SE (t, q e, q d, l e, l d ) is negligible when t, q e, q d, L e, l d are polynomial in the security parameter. Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 3 / 14

Exercise 1: preliminary definition INT-CTXT Definition (INT-CTXT symmetric encryption) The advantage of the adversary against ciphertext integrity (INT-CTXT) of a symmetric encryption scheme SE is: Succ int ctxt SE (t, q e, q d, l e, l d ) = [ max Pr A k R kgen; c A enc(.,k),dec(.,k) : dec(c, k) c is not the result of a call to the enc(., k) oracle where A runs in time at most t, calls enc(., k) at most q e times with messages of length at most l e, calls dec(., k) at most q d times with messages of length at most l d. SE is INT-CTXT if and only if Succ int ctxt SE (t, q e, q d, l e, l d ) is negligible when t, q e, q d, L e, l d are polynomial in the security parameter. ] Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 4 / 14

Exercise 1 1 Show using CryptoVerif that, if the MAC scheme is SUF-CMA and the encryption scheme is IND-CPA, then the encrypt-then-mac scheme is IND-CPA. 2 Show using the same assumptions that the encrypt-then-mac scheme is IND-CCA2. 3 Show using the same assumptions that the encrypt-then-mac scheme is INT-CTXT. 4 What happens if the MAC scheme is only UF-CMA? Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 5 / 14

Exercise 2: Preliminary definition A public-key encryption scheme AE consists of a key generation algorithm (pk, sk) R kgen a probabilistic encryption algorithm enc(m, pk) a decryption algorithm dec(m, sk) such that dec(enc(m, pk), sk) = m. The advantage of the adversary against indistinguishability under chosen-plaintext attacks (IND-CPA) is Succ ind cca2 AE (t) = max 2 Pr b {0, R 1}; (pk, sk) R kgen; (m A 0, m 1, s) A 1 (pk); y enc(m b, pk); 1 b A 2 (m 0, m 1, s, y) : b = b where A = (A 1, A 2 ) runs in time at most t. AE is IND-CPA if and only if Succ ind cpa AE (t) is negligible when t is polynomial in the security parameter. Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 6 / 14

Exercise 2 Suppose that H is a hash function in the Random Oracle Model and that f is a one-way trapdoor permutation. Consider the encryption function E pk (x) = f pk (r) H(r) x, where denotes concatenation and denotes exclusive or (Bellare & Rogaway, CCS 93). What is the decryption function? Show using CryptoVerif that this public-key encryption scheme is IND-CPA. Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 7 / 14

Exercise 3 Consider the fixed version of the Woo-Lam shared-key protocol, by Gordon and Jeffrey (CSFW 01): A B: B A: A B: B S: S B: A N (fresh nonce) {m3, B, N} kas A, B, {m3, B, N} kas {m5, A, N} kbs At the end, B verifies that {m5, A, N} kbs is the message from S. Show that, at the end of the protocol, A is authenticated to B. Suggestion: one may consider 1 First, a simple version in which A talks only to B, B talks only to A, and S talks only to A and B. 2 Then, generalize to the case in which A, B, and S may also talk to dishonest participants. Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 8 / 14

Exercise 4 Consider the Needham-Schroeder public-key protocol, as fixed by Lowe. We first consider a simplified version without certificates: A B: B A: A B: {N A, pk A } pkb {N A, N B, pk B } pka {N B } pkb Show that, at the end of the protocol, A and B are mutually authenticated. Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 9 / 14

Exercise 4 Now consider the full version with certificates: A S: (A, B) S A: (pk B, B, {pk B, B} sks ) A B: {N A, A} pkb B S: (B, A) S B: (pk A, A, {pk A, A} sks ) B A: {N A, N B, B} pka A B: {N B } pkb Show that, at the end of the protocol, A and B are mutually authenticated. Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 10 / 14

Exercise 5 The advantage of the adversary against strong unforgeability under chosen message attacks (SUF-CMA) of MACs is: Succ suf cma MAC (t, q m, q v, l) = [ max Pr A k R mkgen; (m, s) A mac(.,k),verify(.,k,.) : verify(m, k, s) s is not the result of calling the oracle mac(., k) on m where A runs in time at most t, calls mac(., k) at most q m times with messages of length at most l, calls verify(., k,.) at most q v times with messages of length at most l. Represent SUF-CMA MACs in the CryptoVerif formalism. ] Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 11 / 14

Exercise 6 A signature scheme S consists of a key generation algorithm (pk, sk) R kgen a signature algorithm sign(m, sk) a verification algorithm verify(m, pk, s) such that verify(m, pk, sign(m, sk)) = 1. The advantage of the adversary against unforgeability under chosen message attacks (UF-CMA) of signatures is: Succ uf cma S (t, q s, l) = [ max Pr A (pk, sk) R kgen; (m, s) A sign(.,sk) (pk) : verify(m, pk, s) m was never queried to the oracle sign(., sk) where A runs in time at most t, calls sign(., sk) at most q s times with messages of length at most l. Represent UF-CMA signatures in the CryptoVerif formalism. Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 12 / 14 ]

Exercise 7 The advantage of the adversary against ciphertext integrity (INT-CTXT) of a symmetric encryption scheme SE is: Succ int ctxt SE (t, q e, q d, l e, l d ) = [ max Pr A k R kgen; c A enc(.,k),dec(.,k) : dec(c, k) c is not the result of a call to the enc(., k) oracle where A runs in time at most t, calls enc(., k) at most q e times with messages of length at most l e, calls dec(., k) at most q d times with messages of length at most l d. Represent INT-CTXT encryption in the CryptoVerif formalism. ] Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 13 / 14

Exercise 8 A public-key encryption scheme AE consists of a key generation algorithm (pk, sk) R kgen a probabilistic encryption algorithm enc(m, pk) a decryption algorithm dec(m, sk) such that dec(enc(m, pk), sk) = m. The advantage of the adversary against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) is Succ ind cca2 AE (t, q d ) = b {0, R 1}; (pk, sk) R kgen; max 2 Pr (m 0, m 1, s) A dec(.,sk) 1 (pk); y enc(m b, pk); A b A dec(.,sk) 2 (m 0, m 1, s, y) : b = b 1 A 2 has not called dec(., sk) on y where A = (A 1, A 2 ) runs in time at most t and calls dec(., sk) at most q d times. Represent IND-CCA2 encryption in the CryptoVerif formalism. Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 14 / 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information