Probabilistic Polynomial-Time Semantics for a Protocol Security Logic

“…The axioms presented in this paper are used in Protocol Composition Logic (PCL) [24,26,41,25,39]. Our formalization uses the characterization of "good key" from [27], but improves on previous work in several respects: (i) we fix a bug in the DH axiom in [27] by using the "DHStrongSecretive" formulas developed in the paper, (ii) we present a general inductive method for proving secrecy conditions for Diffie-Hellman key exchange, and (iii) we present axioms for reasoning from ciphertext integrity assumptions.…”

“…More generally, Abadi and Rogaway [1] initiated computationally sound symbolic analysis of static equivalence, with extensions and completeness explored in [37,2]; a recent extension to Diffie-Hellman appears in [15], covering only passive adversaries, not the stronger active adversaries used in the present paper. Protocol Composition Logic [24] was used in a case study of 802.11i [29], has previous computational semantics [26], and was used to study protocol composition and key exchange [27]. In other studies of DHKE, [30] uses a symbolic model, while [36] imposes nonstandard protocol assumptions.…”

“…Additional background appears in [24,26,41,25,39]. Modelling protocols A protocol is given by a set of roles, each specifying a sequence of actions to be executed by an honest agent.…”

“…Since an attacker is not given by a symbolic program, a trace only records the send-receive actions of the attacker, not its internal actions. Traces also include the random bits (used by the honest parties, the adversary and available to an additional probabilistic polynomial-time algorithm called the distinguisher), as well as a few other elements used in defining semantics of formulas over collections of traces [26].…”

“…We say a protocol Q satisfies a formula ϕ, written Q |= ϕ if, for all adversaries and sufficiently large security parameters, the probability that ϕ "holds" is asymptotically overwhelming. A precise inductive semantics is given in [26].…”

Formal Proofs of Cryptographic Security of Diffie-Hellman-Based Protocols

“…The axioms presented in this paper are used in Protocol Composition Logic (PCL) [24,26,41,25,39]. Our formalization uses the characterization of "good key" from [27], but improves on previous work in several respects: (i) we fix a bug in the DH axiom in [27] by using the "DHStrongSecretive" formulas developed in the paper, (ii) we present a general inductive method for proving secrecy conditions for Diffie-Hellman key exchange, and (iii) we present axioms for reasoning from ciphertext integrity assumptions.…”

“…More generally, Abadi and Rogaway [1] initiated computationally sound symbolic analysis of static equivalence, with extensions and completeness explored in [37,2]; a recent extension to Diffie-Hellman appears in [15], covering only passive adversaries, not the stronger active adversaries used in the present paper. Protocol Composition Logic [24] was used in a case study of 802.11i [29], has previous computational semantics [26], and was used to study protocol composition and key exchange [27]. In other studies of DHKE, [30] uses a symbolic model, while [36] imposes nonstandard protocol assumptions.…”

“…Additional background appears in [24,26,41,25,39]. Modelling protocols A protocol is given by a set of roles, each specifying a sequence of actions to be executed by an honest agent.…”

“…Since an attacker is not given by a symbolic program, a trace only records the send-receive actions of the attacker, not its internal actions. Traces also include the random bits (used by the honest parties, the adversary and available to an additional probabilistic polynomial-time algorithm called the distinguisher), as well as a few other elements used in defining semantics of formulas over collections of traces [26].…”

“…We say a protocol Q satisfies a formula ϕ, written Q |= ϕ if, for all adversaries and sufficiently large security parameters, the probability that ϕ "holds" is asymptotically overwhelming. A precise inductive semantics is given in [26].…”

Formal Proofs of Cryptographic Security of Diffie-Hellman-Based Protocols

Protocol Derivation System for the Needham–Schroeder family

Computationally Sound Implementations of Equational Theories Against Passive Adversaries