An Interactive Prover for Protocol Verification in the Computational Model

Abstract: Given the central importance of designing secure protocols, providing solid mathematical foundations and computer-assisted methods to attest for their correctness is becoming crucial. Here, we elaborate on the formal approach introduced by Bana and Comon in [10], [11], which was originally designed to analyze protocols for a fixed number of sessions and which more importantly lacks support for proof mechanization.In this paper, we present a framework and an interactive prover allowing to mechanize proofs of se… Show more

“…The Squirrel paper [5] introduces a meta-logic that introduces universal quantification over the possible traces of a protocol, as well as its number of sessions. As one can then reason at an abstract level on the traces, a single proof in the meta-logic covers multiple traces of the protocol, and it is now possible to consider unbounded protocols, thus solving both previous issues.…”

“…Concretely, our work builds on the BC logic [7] and its mechanization in the Squirrel prover [5]. The BC logic can be used to construct security proofs that provide computational guarantees against a classical (non-quantum) attacker, while only working inside a logical framework in which many intricate details have been abstracted.…”

“…It has notably been used for manual proofs of real-world protocols, see e.g., proofs of RFID based protocols [27], AKA [48], e-voting protocols [6], key-wrapping API [56], and SSH through a composition framework [26]. Reasoning in BC was recently mechanized and extended in the Squirrel prover [5], dedicated to the formal proofs of protocols. Notably, reasoning in BC (and therefore Squirrel) is not sound with respect to a quantum attacker, because the framework allows reduction steps that cannot be reproduced with a quantum attacker.…”

“…However, Squirrel does not provide any concrete security bounds, and in security proofs over unbounded protocols, the number of sessions is arbitrary and not attacker chosen. For a detailed comparison between Squirrel, EasyCrypt and CryptoVerif, we refer the reader to [5,Appendix E].…”

“…2 Background: the classical BC logic and Squirrel Below we first recall the main elements of the original BC logic [7] that are relevant for understanding our work in the following sections. In Section 2.5 we describe the Squirrel prover [5], which mechanizes reasoning in the BC logic.…”

A Logic and an Interactive Prover for the Computational Post-Quantum Security of Protocols

“…The Squirrel paper [5] introduces a meta-logic that introduces universal quantification over the possible traces of a protocol, as well as its number of sessions. As one can then reason at an abstract level on the traces, a single proof in the meta-logic covers multiple traces of the protocol, and it is now possible to consider unbounded protocols, thus solving both previous issues.…”

“…Concretely, our work builds on the BC logic [7] and its mechanization in the Squirrel prover [5]. The BC logic can be used to construct security proofs that provide computational guarantees against a classical (non-quantum) attacker, while only working inside a logical framework in which many intricate details have been abstracted.…”

“…It has notably been used for manual proofs of real-world protocols, see e.g., proofs of RFID based protocols [27], AKA [48], e-voting protocols [6], key-wrapping API [56], and SSH through a composition framework [26]. Reasoning in BC was recently mechanized and extended in the Squirrel prover [5], dedicated to the formal proofs of protocols. Notably, reasoning in BC (and therefore Squirrel) is not sound with respect to a quantum attacker, because the framework allows reduction steps that cannot be reproduced with a quantum attacker.…”

“…However, Squirrel does not provide any concrete security bounds, and in security proofs over unbounded protocols, the number of sessions is arbitrary and not attacker chosen. For a detailed comparison between Squirrel, EasyCrypt and CryptoVerif, we refer the reader to [5,Appendix E].…”

“…2 Background: the classical BC logic and Squirrel Below we first recall the main elements of the original BC logic [7] that are relevant for understanding our work in the following sections. In Section 2.5 we describe the Squirrel prover [5], which mechanizes reasoning in the BC logic.…”

A Logic and an Interactive Prover for the Computational Post-Quantum Security of Protocols

Formal Verification Techniques for Post-quantum Cryptography: A Systematic Review

LπCET: A Logic Security Analysis for Cryptographic Protocols Based on π‐Calculus Extension Theory