Using SMT solvers to automate design tasks for encryption and signature schemes

Akinyele, Joseph A.; Green, Matthew; Hohenberger, Susan

doi:10.1145/2508859.2516718

Cited by 26 publications

(34 citation statements)

References 47 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Akinyele, Green, and Hohenberger [9] develop two synthesis tools for pairing-based cryptography. Their tool AutoGroup converts schemes in the Type I setting into schemes in the Type III setting, whereas their tool AutoStrong transforms an existentially unforgeable signature into a strongly unforgeable one, using SMT solvers to check whether the original signature satisfies a criterion allowing an efficient transformation.…”

Section: Other Related Workmentioning

confidence: 99%

Strongly-Optimal Structure Preserving Signatures from Type II Pairings: Synthesis and Lower Bounds

Barthe

Fagerholm

Fiore

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Recent work on structure-preserving signatures studies optimality of these schemes in terms of the number of group elements needed in the verification key and the signature, and the number of pairing-product equations in the verification algorithm. While the size of keys and signatures is crucial for many applications, another important aspect to consider for performance is the time it takes to verify a given signature. By far, the most expensive operation during verification is the computation of pairings. However, the concrete number of pairings that one needs to compute is not captured by the number of pairing-product equations considered in earlier work. To fill this gap, we consider the question of what is the minimal number of pairings that one needs to compute in the verification of structure-preserving signatures. First, we prove lower bounds for schemes in the Type II setting that are secure under chosen message attacks in the generic group model, and we show that three pairings are necessary and that at most one of these pairings can be precomputed. We also extend our lower bound proof to schemes secure under random message attacks and show that in this case two pairings are still necessary. Second, we build an automated tool to search for schemes matching our lower bounds. The tool can generate automatically and exhaustively all valid structure-preserving signatures within a user-specified search space, and analyze their (bounded) security in the generic group model. Interestingly, using this tool, we find a new randomizable structure-preserving signature scheme in the Type II setting that is optimal with respect to the lower bound on the number of pairings, and also minimal with respect to the number of group operations that have to be computed during verification.

show abstract

Section: Other Related Workmentioning

confidence: 99%

Strongly-Optimal Structure Preserving Signatures from Type II Pairings: Synthesis and Lower Bounds

Barthe

Fagerholm

Fiore

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…The n-queens problem is a classic way to represent such a constraint satisfaction problem [22,32] and a common benchmark for such a solver [17]. Classification as a constraint satisfaction problem that can be solved by Z3 has proven to be successful in other design domains, such as automating design of encryption and signature schemes [1].…”

Section: :4mentioning

confidence: 99%

Characterizing Data Dependence Constraints for Dynamic Reliability Using N-Queens Attack Domains

Bayram

Rozier

2015

Quantitative Evaluation of Systems

View full text Add to dashboard Cite

As data centers attempt to cope with the exponential growth of data, new techniques for intelligent, software-defined data centers (SDDC) are being developed to confront the scale and pace of changing resources and requirements. For costconstrained environments, like those increasingly present in scientific research labs, SDDCs also may provide better reliability and performability with no additional hardware through the use of dynamic syndrome allocation. To do so, the middleware layers of SDDCs must be able to calculate and account for complex dependence relationships to determine an optimal data layout. This challenge is exacerbated by the growth of constraints on the dependence problem when available resources are both large (due to a higher number of syndromes that can be stored) and small (due to the lack of available space for syndrome allocation). We present a quantitative method for characterizing these challenges using an analysis of attack domains for high-dimension variants of the n-queens problem that enables performable solutions via the SMT solver Z3. We demonstrate correctness of our technique, and provide experimental evidence of its efficacy; our implementation is publicly available. ACM Subject ClassificationEmbedded and cyber-physical systems, Data centers, Theorem proving and SAT solving

show abstract

“…Several works have recently considered automated generation and/or analysis of cryptographic algorithms. Akinyele et al [AGHP12,AGH13] developed tools for automatically generating batch-verification algorithms for digital-signature schemes [AGHP12], for converting schemes using symmetric bilinear groups into ones using asymmetric bilinear groups [AGH13], and for compiling signature schemes to schemes achieving stronger security properties [AGH13]. In all these cases, their tools do not directly analyze or verify security of new constructions; instead, they take as input schemes that are assumed to be secure, and then attempt to apply a fixed set of transformations that have been proven to preserve (or amplify) security.…”

Section: Prior Workmentioning

confidence: 99%

Automated Analysis and Synthesis of Block-Cipher Modes of Operation

Malozemoff

Katz

Green

2014

2014 IEEE 27th Computer Security Foundations Symposium

View full text Add to dashboard Cite

Block ciphers such as AES are deterministic, keyed functions that operate on small, fixed-size blocks. Block-cipher modes of operation define a mechanism for probabilistic encryption of arbitrary length messages using any underlying block cipher. A mode of operation can be proven secure (say, against chosen-plaintext attacks) based on the assumption that the underlying block cipher is a pseudorandom function. Such proofs are complex and error-prone, however, and must be done from scratch whenever a new mode of operation is developed. We propose an automated approach for the security analysis of block-cipher modes of operation based on a "local" analysis of the steps carried out by the mode when handling a single message block. We model these steps as a directed, acyclic graph, with nodes corresponding to instructions and edges corresponding to intermediate values. We then introduce a set of labels and constraints on the edges, and prove a meta-theorem showing that any mode for which there exists a labeling of the edges satisfying these constraints is secure (against chosen-plaintext attacks). This allows us to reduce security of a given mode to a constraint-satisfaction problem, which in turn can be handled using an SMT solver. We couple our security-analysis tool with a routine that automatically generates viable modes; together, these allow us to synthesize hundreds of secure modes.

show abstract

Using SMT solvers to automate design tasks for encryption and signature schemes

Cited by 26 publications

References 47 publications

Strongly-Optimal Structure Preserving Signatures from Type II Pairings: Synthesis and Lower Bounds

Strongly-Optimal Structure Preserving Signatures from Type II Pairings: Synthesis and Lower Bounds

Characterizing Data Dependence Constraints for Dynamic Reliability Using N-Queens Attack Domains

Automated Analysis and Synthesis of Block-Cipher Modes of Operation

Contact Info

Product

Resources

About