1 Reasoning about Concrete Security in Protocol Proofs A. Datta, J.Y. Halpern, J.C. Mitchell, R. Pucella, A. Roy.


2 Motivation
- We want to answer questions like:
  - Given a cryptographic protocol and a security property
  - How frequently should we refresh the keys?
  - How does any advance in breaking the specific cryptographic primitives used quantitatively affect security?
- We base the analysis on the known security properties of the crypto primitives used
- A protocol may use a number of different crypto primitives
  - How do we translate the quantitative guarantees?
  - How do we handle composition?
- Precursor:
  - Computational PCL [DDMST05,DDMW06,RDDM07,RDM07]
  - Used to reason about asymptotic security

3 Security of signatures
Existential Unforgeability under Chosen Message Attack
[Diagram: Adversary and Challenger; labels: k, vk, m_i, sig_k(m_i), m′, sig_k(m′) : m′  m_i]
vk : public verification key
k : private signing key
Advantage(Adversary,  ) = Prob[Adversary succeeds for sec. param.  ]
A signature scheme is CMA secure if  Prob-Polytime A. Advantage(A,  ) is a negligible function of  
- Cryptographic Security
  - Complexity Theoretic
  - Concrete

4 Security of signatures
Existential Unforgeability under Chosen Message Attack
[Diagram: Adversary and Challenger; labels: k, vk, m_i, sig_k(m_i), m′, sig_k(m′) : m′  m_i]
vk : public verification key
k : private signing key
Advantage(Adversary,  ) = Prob[Adversary succeeds for sec. param.  ]
A signature scheme is (t, q, e)-CMA secure if  t time bounded A making at most q sig queries. Advantage(A,  ) is less than e
- Cryptographic Security
  - Complexity Theoretic
  - Concrete
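The game on slides 3 and 4 as a small harness, added here as an illustration and not taken from the presentation: the challenger answers at most q signing queries and accepts a forgery only if it verifies and m′ was never queried. Assumptions: the toy RSA scheme with fixed, publicly known primes, the sample adversaries and all function names are constructed for this example; the time bound t is not modelled.

```python
import hashlib, secrets

# Toy RSA full-domain-hash scheme (assumption: stand-in only, NOT secure;
# the factors are well-known Mersenne primes so no key generation is needed).
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q                                  # vk = (N, E), public
D = pow(E, -1, (P - 1) * (Q - 1))          # k, private signing exponent

def _h(m: bytes) -> int:
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def sign(m: bytes) -> int:
    return pow(_h(m), D, N)

def verify(m: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _h(m)

class BudgetExceeded(Exception):
    """The adversary asked for more than q signatures."""

class Challenger:
    def __init__(self, q: int):
        self.q, self.queried = q, []
    def oracle(self, m: bytes) -> int:
        if len(self.queried) >= self.q:
            raise BudgetExceeded
        self.queried.append(m)
        return sign(m)
    def is_forgery(self, m2: bytes, sig2: int) -> bool:
        # Counts only if it verifies AND m' differs from every queried m_i.
        return m2 not in self.queried and verify(m2, sig2)

def play(adversary, q: int) -> bool:
    ch = Challenger(q)
    try:
        return ch.is_forgery(*adversary(ch.oracle))
    except BudgetExceeded:
        return False                       # not a q-query adversary

def advantage(adversary, q: int, trials: int = 100) -> float:
    return sum(play(adversary, q) for _ in range(trials)) / trials

def replay(oracle):                        # returns a queried pair: m' = m_1
    return b"msg-1", oracle(b"msg-1")
def guess(oracle):                         # fresh m', random signature
    return b"fresh", secrets.randbelow(N)
def greedy(oracle):                        # makes 50 queries, ignoring q
    return b"fresh", [oracle(b"m%d" % i) for i in range(50)][0]
def key_holder(oracle):                    # sanity check only: uses k directly
    return b"fresh", sign(b"fresh")
```

The empirical advantage is 0 for the replay and guessing adversaries and 1 only for the key holder, which is not an adversary in the model but confirms that the win condition accepts a genuine signature on a fresh message.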

5 A Challenge-Response Protocol
A -> B : m, A
B -> A : n, sig_B{m, n, A}
A -> B : sig_A{m, n, B}
- Alice reasons: if Bob is honest, then:
  - only Bob can generate his signature
  - if Bob generates a signature of the form sig_B{m, n, A},
    - he sends it as part of msg2 of the protocol, and
    - he must have received msg1 from Alice
- Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)

6 Computational PCL
- Proof system for direct reasoning
  - Verify(X, sig_Y(m), Y)  Honest(Y)  Sign(Y, m)
  - No explicit use of probabilities and computational complexity
  - No explicit arguments about actions of attackers
- Semantics capture idea that properties hold with high probability against PPT attackers
  - Explicit use of probabilities and computational complexity
  - Probabilistic polynomial time attackers
- Soundness proofs one time
  - Soundness implies result equivalent to security proof by cryptographic reductions
- Formal Proofs
  - Syntax, Semantics, Proof System

7 Axiomatizing Security of signatures
Existential Unforgeability under Chosen Message Attack
[Diagram: Adversary and Challenger; labels: k, vk, m_i, sig_k(m_i), m′, sig_k(m′) : m′  m_i]
vk : public verification key
k : private signing key
- Formal Proofs
  - Syntax, Semantics, Proof System
Computational PCL: Verify(X, sig_Y(m), Y)  Honest(Y)  Sign(Y, m)
Quantitative PCL: T  e_sig(t,q,  ) (Verify(X, sig_Y(m), Y)  Honest(Y)  Sign(Y, m))

8 Axioms and Proof Rules
where,  = e_sig(t,q,  )
where,  ′ = l(  )(l(  )+1)/2
where, B_i are basic steps of the protocol

9
X -> Y : m, X
Y -> X : n, sig_Y{m, n, X}
X -> Y : sig_X{m, n, Y}

10 Previous CPCL Results
- Core logic [ICALP05]
- Key exchange [CSFW06]
  - New security definition: key usability
  - Used by Blanchet et al in CryptoVerif Kerberos proof
- Reasoning about computational secrecy [ESORICS07]
  - Application to Kerberos
- Reasoning about Diffie-Hellman [TGC07]
  - Applications to IKEv2 (standard model) and DH Kerberos (random oracle model)

11 Logic and Cryptography: Big Picture
[Diagram boxes:]
- Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)
- Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme)
- Axiom in proof system
- Protocol security proofs using proof system
- Semantics and soundness theorem

12 Thanks! Questions?

13 Example Property

14 PCL: Big Picture
Symbolic Model
- PCL Semantics (Meaning of formulas)
- Unbounded # concurrent sessions
- PCL Syntax (Properties)
- Proof System (Proofs)
- Soundness Theorem (Induction)
High-level proof principles
Cryptographic Model
- PCL Semantics (Meaning of formulas)
- Polynomial # concurrent sessions
- Computational PCL Syntax ± 
- Proof System ± 
- Soundness Theorem (Reduction) [BPW, MW,…]

15 Fundamental Question
PCL
- Axioms and rules for reasoning about cryptographic protocols (Soundness)
- First-order logic (Soundness and completeness)
CPCL
- Axioms and rules for reasoning about cryptographic protocols (Computational soundness)
- ??? Conditional first-order logic (Soundness and completeness) [?]

16 Towards QPCL
PCL
- Axioms and rules for reasoning about cryptographic protocols (Soundness)
- First-order logic (Soundness and completeness)
QPCL
- Axioms and rules for quantitative reasoning about cryptographic protocols (Computational soundness)
- Conditional first-order logic (Soundness and completeness)

17 Protocol language

18 Conditional implication (OLD)
- Implication uses conditional probability
  - [[  1   2 ]] (T,D,  ) = [[ ¬  1 ]] (T,D,  )  [[  2 ]] (T′,D,  ) where T′ = [[  1 ]] (T,D,  )

