Probabilistic Polynomial-Time
Process Calculus for Security
Protocol Analysis
J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague
P. Mateus
P. Lincoln, M. Mitchell
Computer Security
Goal: protection of
computer systems and
digital information
Access control
OS security
Network security
Cryptography
…
Security
Crypto
Outline
Security protocols
Research goals
Specific process calculus
•
•
•
•
•
Probabilistic semantics
Complexity – probabilistic poly time
Asymptotic equivalence
Computational indistinguishability
Equational properties and challenges
Protocol Security
Cryptographic Protocol
• Program distributed over network
• Use cryptography to achieve goal
Attacker
• Intercept, replace, remember messages
• Guess random numbers, some computation
Correctness
• Attacker cannot learn protected secret
or cause incorrect conclusion
Example: Challenge-Response
Alice wants to know Bob is listening
• Send “fresh” number n, Bob returns f(n)
• Use encryption to avoid forgery
Protocol
• Alice  Bob: { nonce }K
• Bob  Alice: { nonce * 5 }K
Can Alice be sure that
– Message is from Bob?
– Message is fresh response to Alice’s challenge?
Standard analysis methods
Finite-state analysis
Dolev-Yao model
Easier
• Symbolic search of protocol runs
• Proofs of correctness in formal logic
Consider probability and complexity
• More realistic intruder model
• Interaction between protocol and
cryptography
Harder
Outline
Security protocols
Research goals
Specific process calculus
•
•
•
•
•
Probabilistic semantics
Complexity – probabilistic poly time
Asymptotic equivalence
Computational indistinguishability
Equational properties and challenges
Basic Idea
Express security properties in terms
of comparison to an ideal protocol
Protocol is secure if no adversary can
distinguish it from some idealized
version of the protocol
• Beaver ‘91, Goldwasser-Levin ‘90,
Micali-Rogaway ’91
Security properties should be
compositional
Language Approach
Roscoe ‘95, Schneider ‘96,
Abadi-Gordon’97
Write protocol in process calculus
• Dolev-Yao model
Express security using observational equivalence
• Standard relation from programming language theory
P  Q iff for all contexts C[ ], same
observations about C[P] and C[Q]
• Inherently compositional
• Context (environment) represents adversary
Use proof rules for  to prove security
• Protocol is secure if no adversary can distinguish it
from some idealized version of the protocol
Great general idea; application is complicated
Probabilistic Poly-time Analysis
Add probability, complexity
Probabilistic polynomial-time process calc
• Protocols use probabilistic primitives
– Key generation, nonce, probabilistic encryption, ...
• Adversary may be probabilistic
Express protocol and spec in calculus
Security using observational equivalence
• Use probabilistic form of process equivalence
Probabilistic Poly-time Process Calculus
[Lincoln, Mitchell, Scedrov, Ramanathan, Teague]
 Probabilistic polynomial-time execution model
 Specify security via equivalence to “ideal” protocol
 Also state cryptographic assumptions via
equivalences
 Leads to new proof system
• Equational reasoning
• Based on probabilistic bisimulation, asymptotic
equivalence
 Applications
• Characterize computational indistinguishability
• Proof of semantic security from computational assumption
(both stated as equations)
Secrecy for Challenge-Response
Protocol P
A  B: { i } K
B  A: { f(i) } K
“Obviously’’ secret protocol Q
A  B: { random_number } K
B  A: { random_number } K
Secrecy for Challenge-Response
Protocol P
A  B: { i } K
B  A: { f(i) } K
“Obviously’’ secret protocol Q
A  B: { random_number } K
B  A: { random_number } K
Non-malleability:
Given only a ciphertext,
it is difficult to generate
a different ciphertext so that
the respective plaintexts
are related
Analysis: P  Q reduces to crypto condition
related to non-malleability [Dolev, Dwork, Naor]
– Fails for “plain old” RSA if f(i) = 2i
Specification with Authentication
Protocol P
A  B: { random i } K
B  A: { f(i) } K
A  B: “OK”
if f(i) received
“Obviously’’ authenticating protocol Q
A  B: { random i } K
public channel
private channel
B  A: { random j } K i , j
public channel
A  B: “OK”
private channel
if private i, j match public msgs
Nondeterminism vs encryption
Alice encrypts msg and sends to Bob
A  B: { msg }
K
Adversary uses nondeterminism
Process E0 c0 | c0 | … | c0
Process E1 c1 | c1 | … | c1
Process E
c(b1).c(b2)...c(bn).decrypt(b1b2...bn, msg)
In reality, at most 2-n chance to guess n-bit key
Methodology
 Define general system
•
•
•
Process calculus
Probabilistic semantics
Asymptotic observational equivalence
 Apply to protocols
•
•
Protocols have specific form
“Attacker” is context of specific form
This talk: general calculus and properties
Neighbors
 Canetti;
•
•
•
•
B. Pfitzmann, Waidner, Backes
Interactive Turing machines
General framework for crypto properties
Protocol simulates an ideal setting
Universally composable security
 Abadi, Rogaway, Jürjens;
Herzog; Warinschi
• Toward transfer principles between formal
Dolev-Yao model and computational model
Outline
Security protocols
Research goals
Specific process calculus
•
•
•
•
•
Probabilistic semantics
Complexity – probabilistic poly time
Asymptotic equivalence
Computational indistinguishability
Equational properties and challenges
Technical Challenges
Language for prob. poly-time functions
• Extend work of Cobham, Bellantoni, Cook,
Hofmann
Replace nondeterminism with probability
• Otherwise adversary is too strong ...
Define probabilistic equivalence
• Related to poly-time statistical tests ...
Proof rules for probabilistic equivalence
• Use the proof system to derive protocol
properties
Syntax
Expressions have size
poly in |n|
Bounded CCS with integer terms
P :: = 0
|
cq(|n|) T
|
cq(|n|) (x). P
|
cq(|n|) . P
|
[T=T] P
|
P|P
|
! q(|n|) . P
send up to q(|n|) bits
receive
private channel
test
parallel composition
bounded replication
Terms may contain symbol n; channel width
and replication bounded by poly in |n|
Probabilistic Semantics
Basic idea
• Alternate between terms and processes
– Probabilistic evaluation of terms (incl. rand)
– Probabilistic scheduling of parallel processes
Two evaluation phases
• Outer term evaluation
– Evaluate all exposed terms, evaluate tests
• Communication
– Match send and receive
– Probabilistic if multiple send-receive pairs
Scheduling
Outer term evaluation
• Evaluate all exposed terms in parallel
• Multiply probabilities
Communication
•
•
•
•
E(P) = set of eligible subprocesses
S(P) = set of schedulable pairs
Prioritize – private communication first
Probabilistic poly-time computable
scheduler that makes progress
Example
Process
• crand+1 | c(x).dx+1 | d2 | d(y). ex+1
Outer evaluation
• c1 | c(x).dx+1 | d2 | d(y). ex+1
• c2 | c(x).dx+1 | d2 | d(y). ex+1
Communication
• c1 | c(x).dx+1 | d2 | d(y). ex+1
Choose according to probabilistic scheduler
Each
prob ½
Complexity results
Polynomial time
• For each closed process expression P,
there is a polynomial q(x) such that
– For all n
– For all probabilistic polynomial-time
schedulers
eval of P halts in time q(|n|)
Complexity: Intuition
Bound on number of communications
• Count total number of inputs, multiplying
by q(|n|) to account for ! q(|n|) . P
Bound on term evaluation
• Closed T evaluated in time qT(|n|)
Bound on time for each comm step
• Example: cm | c(x).P  [m/x]P
• Substitution bounded by orig length of P
– Size of number m is bounded
– Previous steps preserve # occurr of x in P
Outline
Security protocols
Research goals
Specific process calculus
•
•
•
•
•
Probabilistic semantics
Complexity – probabilistic poly time
Asymptotic equivalence
Computational indistinguishability
Equational properties and challenges
Problem:
How to define process equivalence?
Intuition
• | Prob{ C[P]  “yes” } - Prob{ C[Q]  “yes” } | < 
Difficulty
• How do we choose ?
– Less than 1/2, 1/4, … ?
(not equiv relation)
– Vanishingly small ? As a function of what?
Solution
• Use security parameter
– Protocol is family { Pn }
n>0
indexed by key length
• Asymptotic form of process equivalence
Probabilistic Observational Equiv
Asymptotic equivalence within f
Process, context families { Pn } n>0 { Qn } n>0 { Cn } n>0
P f Q if  contexts C[ ].  obs v. n0 .  n> n0 .
| Prob[Cn[Pn]  v] - Prob[Cn[Qn]  v] | < f(n)
Asymptotically polynomially indistinguishable
P  Q if P f Q for every polynomial f(n) = 1/p(n)
Final def’n gives robust equivalence relation
Outline
Security protocols
Research goals
Specific process calculus
•
•
•
•
•
Probabilistic semantics
Complexity – probabilistic poly time
Asymptotic equivalence
Computational indistinguishability
Equational properties and challenges
Computational indistinguishability
T(i,n), T’(i,n) terms in the calculus
• T, T’ represent uniform prob. poly-time function
ensembles fi , gi : { }  {0,1}q(|n|)
 cq(|n|) T  cq(|n|) T’ says exactly that
the function ensembles fi , gi are
indistinguishable by prob. poly-time
statistical tests
Yao ’82: fundamental notion in crypto
Emulation
Canetti, also B. Pfitzmann et al.
 I generic or ideal representation of
cyptographic task
 Protocol Q securely realizes I if
for any adversary A[]  A
there exists a simulator B[]  B
s.t. A[Q]  B[I]
• Enough to consider a single simulator
for certain generic adversaries
•    reducible to  
Compositionality
Intuitively, if:
• Q securely realizes I ,
• R securely realizes J,
• R, J use I as a component,
then
R{Q/I} securely realizes J
 Fits well with process calculus
because  is a congruence
• Q  I  C[Q]  C[I]
• contexts constructed from R, J, simulators
Outline
Security protocols
Research goals
Specific process calculus
•
•
•
•
•
Probabilistic semantics
Complexity – probabilistic poly time
Asymptotic equivalence
Computational indistinguishability
Equational properties and challenges
One way to get equivalences
Labeled transition system
• Allow process to send any output, read any input
• Label with numbers “resembling probabilities”
Bisimulation relation
• Relation ~ on processes
• If P ~ Q and P r P’, then exists Q’
with Q r Q’ and P’ ~ Q’ , and vice versa
Stronger form of prob. equivalence
• van Glabbeek – Smolka – Steffen
Provable equivalences
• Assume scheduler is stable under
bisimulation





P ~ Q  C[P] ~ C[Q]
P~Q  PQ
P | (Q | R)  (P | Q) | R
P|QQ|P
P|0  P
Provable equivalences
 P   c. ( c<T> | c(x).P)
x FV(P)
 P{a/x}   c. ( c<a> | c(x).P)
bandwidth of c large enough
 P  0 if no public channels in P
 P  Q  P{d/c}  Q{d/c}
c , d same bandwidth, d fresh
 c<T>  c<T’>
Prob[T  a] = Prob[T’  a]
all a
Connections with modern crypto
Cryptosystem consists of three parts
• Key generation
• Encryption (often probabilistic)
• Decryption
Many forms of security
• Semantic security, non-malleability, chosenciphertext security, …
• Formal derivation of semantic security
of ElGamal from DDH and vice versa
Common conditions use prob. games
Decision Diffie-Hellman DDH
Standard crypto benchmark
 n security parameter (e.g., key length)
Gn cyclic group of prime order p,
length of p roughly n ,
g generator of Gn
 For random a, b, c  {0, . . . , p-1}
 ga , gb , gab    ga , gb , gc 
ElGamal cryptosystem
n security parameter (e.g., key length)
Gn cyclic group of prime order p ,
length of p roughly n , g generator of Gn
Keys
• public  g , y  , private  g , x  s.t. y = gx
Encryption of m  Gn
• for random k  {0, . . . , p-1} outputs  gk , m yk 
Decryption of  v, w  is w (vx)-1
• For v = gk , w = m yk get
w (vx)-1 = m yk / gkx = m gxk / gkx = m
Semantic security
Known equivalent:
indistinguishability of encryptions
• adversary can’t tell from the traffic which of
the two chosen messages has been encrypted
• ElGamal:
 1n , gk , m yk    1n , gk’ , m’ yk’ 
 In case of ElGamal known to be
equivalent to DDH
Formally derivable using the proof rules
Current State of Project
 Compositional framework for protocol analysis
• Determine crypto requirements of protocols
• Precise definition of crypto primitives
 Probabilistic ptime language
 Process framework
• Replace nondeterminism with rand
• Equivalence based on ptime statistical tests
 Methods for establishing equivalence
• Probabilistic simulation technique
 Emulation and compositionality
 Examples:
Decision Diffie-Hellman, ElGamal, Bellare-Rogaway,
Oblivious Transfer, Computational Zero Knowledge, …
Conclusion
Computer security
• Exacting subject amenable to analysis
• Analysis useful since correctness critical
Protocols
• Short but complex
Probabilistic poly-time process calc
• Challenging semantics, proof theory
• Appropriate for game equivalence
Probabilistic Polynomial-Time
Process Calculus for Security
Protocol Analysis
J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague
P. Mateus
P. Lincoln, M. Mitchell
IKE subprotocol from IPSEC
m1
A, (ga mod p)
A
B, (gb mod p), signB(m1,m2)
m2
signA(m1,m2)
B
Result: A and B share secret gab mod p
Analysis involves probability, modular exponentiation, digital
signatures, communication networks, …
Example: Oblivious Transfer
Standard in crypto
Parties are adversarial
Sender with k input bits x1 , … , xk
Receiver with input i , 1  i  k
Receiver should learn xi
and nothing else
Sender should learn nothing
Ideally …
Use Trusted Third Party, TTP
Sender and Receiver each privately
send their inputs to TTP
TTP sends xi privately to Receiver
Actually …
Rabin 1981
Even-Goldreich-Lempel 1985
Assumptions:
Sender uses a trapdoor generator G to get
(addresses of)
• trapdoor one-way permutation f on {0,1}m
and its inverse f-1 , and
• hard-core predicate B on {0,1}m , such that
B(w) is hard to predict from f(w)
Sender’s private input: k bits x1 , … , xk
Receiver’s private input: i , 1  i  k
Protocol
Rabin 1981
Even-Goldreich-Lempel 1985
Sender reveals (addresses of) f and B
but keeps inverse f-1 private
Receiver chooses random e1 , … , ek  {0,1}m
and sends e1 , … , ei-1 , f(ei), ei+1 , … , ek
Sender reads y1 , …, yk , sends u1 , …, uk ,
where un = xn  B(f-1(yn)) , each n , 1  n  k
Receiver reads z1 , … , zk , computes zi  B(ei)
Proof:
ui  B(ei) = xi  B(f-1(f(ei)))  B(ei) = xi
Oblivious Transfer Protocol
f, B
Send
e1 , … , ei-1 , f(ei), ei+1 , … , ek
Rec
( xn  B(f-1(yn)) )1  n  k
Rec obtains ui  B(ei) = xi  B(f-1(f(ei)))  B(ei) = xi
Send sees only random strings
Analysis involves probability, , assumptions, …
Probabilistic functions
 Probabilistic function from X to Y
F: X  Y  [0,1]
such that for any x  X
 F(x,y)
 1
yY
the sum with finitely many non-zero terms
 “F(x) = y with probability p “
means F(x,y) = p
Oracle polynomial time
 Oracle Turing machine M
• Turing machine with an extra oracle tape and
three extra states ? , yes, no
• When machine enters state ? , control passes
to state yes if the contents on the oracle tape
are in the oracle set, else to state no
 M runs in oracle polynomial time
•  a polynomial q s.t. for any oracle  and any
input sequence of bit strings x1 , … , xn ,
M halts in at most q(| x1| + … + | xn |) steps
(also a bound on the length of any query and on
the number of queries)
Probabilistic polynomial time
 Probabilistic poly-time Turing machine
• Oracle poly-time Turing machine M , with the
oracle  chosen uniformly at random from the
finite space of oracles
 Probabilistic poly-time machine M
computes a probabilistic function F
• For all inputs x and outputs y
F(x,y) = Prob[M(x, random ) = y]
Complexity results
Polynomial time
• For each process P,
there is a poly q(x) such that
– For all n
– For all probabilistic polynomial-time
schedulers
– All minimal evaluation contexts C[ ]
eval of C[P] halts in time q(|n|+|C[]|)
• Minimal evaluation context
– C[ ] = c(x).d(y)…[ ] | c20 | d7 | e492 | …
Pseudo-random number generators
Sequence generated from random seed
Pn: let b = nk-bit sequence generated from n random bits
in PUBLIC b end
Truly random sequence
Qn: let b = sequence of nk random bits
in PUBLIC b end
P is crypto strong pseudo-random number
generator
PQ
Equivalence is asymptotic in security parameter n
Desired equivalences




P | (Q | R)  (P | Q) | R
P|QQ|P
P|0  P
P  Q  C[P]  C[Q]
P   c. ( c<1> | c(x).P)
(immediate)
x FV(P)
Warning: hard to get all of these…
Provable equivalences





P ~ Q  C[P] ~ C[Q]
P~Q  PQ
P | (Q | R)  (P | Q) | R
P|QQ|P
P|0  P
• Assume scheduler is stable under
bisimulation
Compositionality is important issue in computer security
Aspect of compositionality
Property of observational equiv
AB
CD
A|C  B|D
similarly for other process forms
Sources of Problems
Needham-Schroeder
Protocol
Low-Exp-RSA
Single DES
Interaction
Cryptography
other sources exist
(timing, power, radiation, traffic, …)