Computational Soundness of Formal Reasoning about Indistinguishability and Non-Malleability of Cryptographic Expressions.

摘要

Analysis and verification of security protocols are typically carried out in two different models of cryptography: formal cryptography and computational cryptography. Formal cryptography, originally inspired by the work of Dolev and Yao [14], takes an abstract and idealized view of security, and develops its proof techniques based on methods and ideas from logic and theory of programming languages. It makes strong assumptions about cryptographic operations by treating them as perfectly-secure symbolic operations. Computational cryptography, on the other hand, has developed its foundations based on complexity theory. Messages are viewed as bit-strings, and cryptographic operations are treated as actual transformations on bit-strings with certain asymptotic properties.;In this thesis, we explore the relation between the Dolev-Yao model and the computational model of public-key cryptography in two contexts: indistinguishability and non-malleability of expressions . This problem in the absence of key-cycles is partially addressed in [21, 20] by Herzog. We adapt our approach to use the co-inductive definition of symbolic security, whose private-key treatment was considered in [27], and establish our main results as follow: (1) Using a co-inductive approach, we extend the indistinguishability and non-malleability results of Herzog in the presence of key-cycles. (2) By providing a counter-example, we show that the indistinguishability property in this setting is strictly stronger than the non-malleability property, which gives a negative answer to Herzog's conjecture that they are equivalent. (3) we prove that despite the fact that IND-CCA2 security provides non-malleability in our setting, the same result does not hold for IND-CCA1 security. (4) We prove that, under certain hypothesis, our co-inductive formal indistinguishability is computationally-complete in the absence of key-cycles and with respect to any length-revealing encryption scheme. In the presence of key-cycles, we prove that the completeness does not hold even with respect to IND-CPA security.