Fully automated analysis of padding-based encryption in the computational model

Barthe, Gilles; Crespo, Juan Manuel; Grégoire, Benjamin; Kunz, César; Lakhnech, Yassine; Schmidt, Benedikt; Zanella-Béguelin, Santiago

doi:10.1145/2508859.2516663

Cited by 38 publications

(38 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…But smaller padding-based schemes were also found by the tool. Similar schemes have also been reported in [2]. Fig.…”

Section: Synthesis Of Padding-based Encryption Schemessupporting

confidence: 79%

“…We first provide an example from public key cryptography inspired by the work in [2] that consist on synthesizing padding schemes. Our second example is related to symmetric key encryption, and builds upon the work presented in [13].…”

Section: Cryptographic Constructionsmentioning

confidence: 99%

“…Inspired by the success of the tool Zoocrypt in synthesizing padding-based encryption schemes [2] (and their corresponding security proofs), we used our synthesis tool for exploring the same space. Figure 2 shows part of the sketch that we used.…”

Section: Synthesis Of Padding-based Encryption Schemesmentioning

confidence: 99%

See 2 more Smart Citations

Program Synthesis Using Dual Interpretation

Tiwari

Gascón

Dutertre

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We present an approach to component-based program synthesis that uses two distinct interpretations for the symbols in the program. The first interpretation defines the semantics of the program. It is used to specify functional requirements. The second interpretation is used to capture nonfunctional requirements that may vary by application. We present a language for program synthesis from components that uses dual interpretation. We reduce the synthesis problem to an exists-forall problem, which is solved using the exists-forall solver of the SMT-solver Yices. We use our approach to synthesize bitvector manipulation programs, padding-based encryption schemes, and block cipher modes of operations.

show abstract

“…But smaller padding-based schemes were also found by the tool. Similar schemes have also been reported in [2]. Fig.…”

Section: Synthesis Of Padding-based Encryption Schemessupporting

confidence: 79%

Section: Cryptographic Constructionsmentioning

confidence: 99%

See 1 more Smart Citation

Program Synthesis Using Dual Interpretation

Tiwari

Gascón

Dutertre

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In contrast to computer-aided tools for verifying cryptographic proofs, which have existed for some time, computer-aided tools for synthesizing new constructions are very recent. Barthe et al [11] develop an automated tool, called ZooCrypt, for synthesizing padding-based encryption schemes; their tool uses a dedicated logic with an efficient proof search procedure to prove chosen-plaintext or chosen-ciphertext security, and an efficient method for finding attacks on insecure schemes. Because the search space for reasonably-sized constructions is small (about 10 6 well-typed schemes), simple trimming techniques are sufficient to cover the full search space efficiently.…”

Section: Other Related Workmentioning

confidence: 99%

Strongly-Optimal Structure Preserving Signatures from Type II Pairings: Synthesis and Lower Bounds

Barthe

Fagerholm

Fiore

et al. 2015

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Recent work on structure-preserving signatures studies optimality of these schemes in terms of the number of group elements needed in the verification key and the signature, and the number of pairing-product equations in the verification algorithm. While the size of keys and signatures is crucial for many applications, another important aspect to consider for performance is the time it takes to verify a given signature. By far, the most expensive operation during verification is the computation of pairings. However, the concrete number of pairings that one needs to compute is not captured by the number of pairing-product equations considered in earlier work. To fill this gap, we consider the question of what is the minimal number of pairings that one needs to compute in the verification of structure-preserving signatures. First, we prove lower bounds for schemes in the Type II setting that are secure under chosen message attacks in the generic group model, and we show that three pairings are necessary and that at most one of these pairings can be precomputed. We also extend our lower bound proof to schemes secure under random message attacks and show that in this case two pairings are still necessary. Second, we build an automated tool to search for schemes matching our lower bounds. The tool can generate automatically and exhaustively all valid structure-preserving signatures within a user-specified search space, and analyze their (bounded) security in the generic group model. Interestingly, using this tool, we find a new randomizable structure-preserving signature scheme in the Type II setting that is optimal with respect to the lower bound on the number of pairings, and also minimal with respect to the number of group operations that have to be computed during verification.

show abstract

“…In this work, multiple possible algorithms are generated out of a library of components and then checked for security. This may involve the use of Dolev-Yao like tools to weed out insecure algorithms or even verify the security of correct ones, as in [Barthe et al, 2013].…”

Section: Security Propertiesmentioning

confidence: 99%

Advanced Features in Protocol Verification: Theory, Properties, and Efficiency in Maude-NPA

Pinazo

View full text Add to dashboard Cite

A mis padres, Juan y Rosa, por su apoyo incondicional. Su ejemplo de esfuerzo y trabajo duro ha sido siempre mi inspiración.To my parents, Juan and Rosa, for their unconditional support. Their example of effort and hard work has always been my inspiration. AbstractThe area of formal analysis of cryptographic protocols has been an active one since the mid 80's. The idea is to verify communication protocols that use encryption to guarantee secrecy and that use authentication of data to ensure security. Formal methods are used in protocol analysis to provide formal proofs of security, and to uncover bugs and security flaws that in some cases had remained unknown long after the original protocol publication, such as the case of the well known Needham-Schroeder Public Key (NSPK) protocol. In this thesis we tackle problems regarding the three main pillars of protocol verification: modelling capabilities, verifiable properties, and efficiency.This thesis is devoted to investigate advanced features in the analysis of cryptographic protocols tailored to the Maude-NPA tool. This tool is a model-checker for cryptographic protocol analysis that allows for the incorporation of different equational theories and operates in the unbounded session model without the use of data or control abstraction.An important contribution of this thesis is relative to theoretical aspects of protocol verification in Maude-NPA. First, we define a forwards operational semantics, using rewriting logic as the theoretical framework and the Maude programming language as tool support. This is the first time that a forwards rewriting-based semantics is given for Maude-NPA. Second, we also study the problem that arises in cryptographic protocol analysis when it is necessary to guarantee that certain terms generated during a state exploration are in normal form with respect to the protocol equational theory.We also study techniques to extend Maude-NPA capabilities to support the verification of a wider class of protocols and security properties. First, we present a framework to specify and verify sequential protocol compositions in which one or more child protocols make use of information obtained from running a parent protocol. Second, we present a theoretical framework to specify and verify protocol indistinguishability in Maude-NPA. This kind of properties aim to verify that an attacker cannot distinguish between two versions of a protocol: for example, one using one secret and one using another, as it happens in electronic voting protocols.Finally, this thesis contributes to improve the efficiency of protocol verification in Maude-NPA. We define several techniques which drastically reduce the state space, and can often yield a finite state space, so that whether the desired security property holds or not can in fact be decided automatically, in spite of the general undecidability of such problems. ResumenElárea de análisis formal de protocolos criptográficos ha experimentado una gran actividad desde mediados de los 80. El objetivo es verificar proto...

show abstract

Fully automated analysis of padding-based encryption in the computational model

Cited by 38 publications

References 30 publications

Program Synthesis Using Dual Interpretation

Program Synthesis Using Dual Interpretation

Strongly-Optimal Structure Preserving Signatures from Type II Pairings: Synthesis and Lower Bounds

Advanced Features in Protocol Verification: Theory, Properties, and Efficiency in Maude-NPA

Contact Info

Product

Resources

About