Automating Security Analysis: Symbolic Equivalence of Constraint Systems

Abstract. Identity Mixer is an anonymous credential system developed at IBM that allows users for instance to prove that they are over 18 years old without revealing their name or birthdate. This privacy-friendly technology is realized using zero-knowledge proofs. We describe a formal model of Identity Mixer that is well-suited for automated protocol verification tools in the spirit of black-box cryptography models.

“…These models are quite difficult for automated analysis, though there are some new ideas [20,19]. Further investigation is left for future work.…”

Section: Discussionmentioning

confidence: 99%

Section: Identity Mixer Protocols In Concrete Scenariosmentioning

confidence: 99%

A Formal Model of Identity Mixer

Camenisch

Mödersheim²,

Sommer

2010

“…If results for process equivalence are limited to subterm-convergent theories [22,29,9,10,5,15], results for static equivalence go further than that. [1] shows decidability in presence of blind signatures and homomorphic encryption (without AC), and there is also a tool available [6].…”

Section: Introductionmentioning

confidence: 97%

“…However, only few results are known for verification of process equivalence. They are in general restricted to a bounded number of sessions and a basic Dolev-Yao theory [22,29,9,10], and do not go further than subterm-convergent theories [5,15], where the right-hand side of each equation is either a constant or a subterm of the left-hand side. ProVerif can handle an unbounded number of sessions and a broad class of equational theories [8], but may not terminate and may discover false attacks.…”

Section: Introductionmentioning

confidence: 99%

Reduction of Equational Theories for Verification of Trace Equivalence: Re-encryption, Associativity and Commutativity

Arapinis

Bursuc

Ryan

2012

Abstract. Verification of trace equivalence is difficult to automate in general because it requires relating two infinite sets of traces. The problem becomes even more complex when algebraic properties of cryptographic primitives are taken in account in the formal model. For example, no verification tool or technique can currently handle automatically a realistic model of re-encryption or associative-commutative operators. In this setting, we propose a general technique for reducing the set of traces that have to be analyzed to a set of local traces. A local trace restricts the way in which some function symbols are used, and this allows us to perform a second reduction, by showing that some algebraic properties can be safely ignored in local traces. In particular, local traces for re-encryption will contain only a bounded number of re-encryptions for any given ciphertext, leading to a sound elimination of equations that model re-encryption. For associativity and commutativity, local traces will determine a canonical use of the associativecommutative operator, where reasoning modulo AC is no stronger than reasoning without AC. We illustrate these results by considering a non-disjoint combination of equational theories for the verification of vote privacy in Prêtà Voter. ProVerif can not handle the input theory as it is, but it does terminate with success on the theory obtained using our reduction result.

“…However, both procedures are highly non-deterministic and do not yield a reasonable algorithm that could be implemented. Therefore, Cheval et al [17] have designed a new procedure and a prototype tool to decide the equivalence of constraint systems, but only for a fixed set of primitives. Tools have also been implemented for checking testing equivalence [30], open bisimulation [39] and trace equivalence [18] for a bounded number of sessions but again only for a limited set of primitives.…”

Section: Introductionmentioning

confidence: 99%

Automated Verification of Equivalence Properties of Cryptographic Protocols

Chadha

Ciobâcă

Kremer

2012

Abstract. Indistinguishability properties are essential in formal verification of cryptographic protocols. They are needed to model anonymity properties, strong versions of confidentiality and resistance to offline guessing attacks, and can be conveniently modeled using process equivalences. We present a novel procedure to verify equivalence properties for bounded number of sessions. Our procedure is able to verify trace equivalence for determinate cryptographic protocols. On determinate protocols, trace equivalence coincides with observational equivalence which can therefore be automatically verified for such processes. When protocols are not determinate our procedure can be used for both under-and over-approximations of trace equivalence, which proved successful on examples. The procedure can handle a large set of cryptographic primitives, namely those which can be modeled by an optimally reducing convergent rewrite system. Although, we were unable to prove its termination, it has been implemented in a prototype tool and has been effectively tested on examples, some of which were outside the scope of existing tools.