Computationally Sound Implementations of Equational Theories Against Passive Adversaries

Abstract: In this paper we study the link between formal and cryptographic models for security protocols in the presence of passive adversaries. In contrast to other works, we do not consider a fixed set of primitives but aim at results for arbitrary equational theories. We define a framework for comparing a cryptographic implementation and its idealization with respect to various security notions. In particular, we concentrate on the computational soundness of static equivalence, a standard tool in cryptographic pi cal… Show more

“…In this paper, we show that even though static equivalence works well to obtain soundness results for the cases analyzed in [10,1], it does not work well in other important cases, and a more flexible notion is needed. For a brief exposition of why this is so, consider the Decisional Diffie-Hellman assumption.…”

“…formally distinguishable, if an adversary is able to come up with two formal computations that, on one of the tuples yield two results that are identical according to the equational theory but yield different results on the other tuple. Baudet et al [10] use this equivalence notion on the formal side, proving soundness of a theory of exclusive or as well as of certain symmetric encryptions that are deterministic and length-preserving. Abadi et al [1] employ this framework to analyze a principled formal account of guessing attacks.…”

“…For a brief exposition of why this is so, consider the Decisional Diffie-Hellman assumption. As Baudet et al describe in [10], in an equational theory modeling group exponentiation without including logarithm, the 4-tuples (g, g a , g b , g ab ) and (g, g a , g b , g c ) are statically equivalent. Therefore, if the interpretation of the theory in a certain computational group scheme is sound, then this scheme satisfies the DDH assumption.…”

“…Our definition is equivalent to the one given by Baudet et al [10]; the only difference is that we allow probabilistic as opposed to only deterministic interpretations for the symbols in F, and that we have ordered sorts. To each closed term, the interpretation assigns an ensemble of probability distributions on bit strings.…”

“…In the investigation of the relationship between the formal and the computational view of cryptography, a recent approach, first proposed in [10], uses static equivalence from cryptographic pi calculi as a notion of formal indistinguishability. Previous work [10,1] has shown that this yields the soundness of natural interpretations of some interesting equational theories, such as certain cryptographic operations and a theory of XOR. In this paper however, we argue that static equivalence is too coarse to allow sound interpretations of many natural and useful equational theories.…”

Computational Soundness of Formal Indistinguishability and Static Equivalence

“…In this paper, we show that even though static equivalence works well to obtain soundness results for the cases analyzed in [10,1], it does not work well in other important cases, and a more flexible notion is needed. For a brief exposition of why this is so, consider the Decisional Diffie-Hellman assumption.…”

“…formally distinguishable, if an adversary is able to come up with two formal computations that, on one of the tuples yield two results that are identical according to the equational theory but yield different results on the other tuple. Baudet et al [10] use this equivalence notion on the formal side, proving soundness of a theory of exclusive or as well as of certain symmetric encryptions that are deterministic and length-preserving. Abadi et al [1] employ this framework to analyze a principled formal account of guessing attacks.…”

“…For a brief exposition of why this is so, consider the Decisional Diffie-Hellman assumption. As Baudet et al describe in [10], in an equational theory modeling group exponentiation without including logarithm, the 4-tuples (g, g a , g b , g ab ) and (g, g a , g b , g c ) are statically equivalent. Therefore, if the interpretation of the theory in a certain computational group scheme is sound, then this scheme satisfies the DDH assumption.…”

“…Our definition is equivalent to the one given by Baudet et al [10]; the only difference is that we allow probabilistic as opposed to only deterministic interpretations for the symbols in F, and that we have ordered sorts. To each closed term, the interpretation assigns an ensemble of probability distributions on bit strings.…”

“…In the investigation of the relationship between the formal and the computational view of cryptography, a recent approach, first proposed in [10], uses static equivalence from cryptographic pi calculi as a notion of formal indistinguishability. Previous work [10,1] has shown that this yields the soundness of natural interpretations of some interesting equational theories, such as certain cryptographic operations and a theory of XOR. In this paper however, we argue that static equivalence is too coarse to allow sound interpretations of many natural and useful equational theories.…”

Computational Soundness of Formal Indistinguishability and Static Equivalence

Computationally Sound Implementations of Equational Theories Against Passive Adversaries

Limits of the Cryptographic Realization of Dolev-Yao-Style XOR