Probabilistic Polynomial-Time
Process Calculus for Security
Protocol Analysis
John Mitchell
Stanford University
P. Lincoln, M. Mitchell,
A. Ramanathan, A. Scedrov, V. Teague
Computer Security
Goal: protection of computer systems and digital information
Access control
OS security
Network security
Cryptography
…
Research challenge
Invent the logic of computer security
• Reasoning principles for systems that use
cryptography and are subject to attack
Analogy
• Effective topos, synthetic domain thy, …
• Recursion, recursive domains, collections
of types, … form a model of intuitionistic
set theory with additional axioms
LICS presence at CSFW
Chart: LICS authors appearing at CSFW, by year from 1998 to 2001: Abadi, Blanchet, Fiore, Gordon, Gunter, Halpern, Jeffrey, Kirli, Pierce, Pavlovic, Rusinowitch, Roscoe, Scedrov
Check out: Crypto, Oakland, CCS, …
Today: Protocols and Probability
Security protocols
Goals for process calculus
Specific process calculus
• Probabilistic semantics
• Complexity: probabilistic poly time
• Asymptotic equivalence
• Pseudo-random number generators
• Equational properties and challenges
Protocol Security
Cryptographic Protocol
• Program distributed over network
• Use cryptography to achieve goal
Attacker
• Intercept, replace, remember messages
• Guess random numbers, some computation
Correctness
• Attacker cannot learn protected secret
or cause incorrect conclusion
IKE subprotocol from IPSEC
Message sequence (diagram):
m1: A sends B the pair A, (g^a mod p)
m2: B sends A the triple B, (g^b mod p), sign_B(m1, m2)
then A sends B sign_A(m1, m2)
Result: A and B share secret g^ab mod p
Analysis involves probability, modular exponentiation, digital
signatures, communication networks, …
Simpler: Challenge-Response
Alice wants to know Bob is listening
• Send “fresh” number n, Bob returns f(n)
• Use encryption to avoid forgery
Protocol
• Alice Bob: { nonce }K
• Bob Alice: { nonce * 5 }K
Can Alice be sure that
– Message is from Bob?
– Message is fresh response to Alice’s challenge?
Important Modeling Decisions
How powerful is the adversary?
• Simple replay of previous messages
• Decompose, reassemble and resend
• Statistical analysis, timing attacks, ...
How much detail in model of crypto?
• Assume perfect cryptography
• Include algebraic properties
– encr(x*y) = encr(x) * encr(y) for RSA, where
encrypt(k, msg) = msg^k mod N
Standard analysis methods
Finite-state analysis (easy)
Logic based models
• Symbolic search of protocol runs
• Proofs of correctness in formal logic
Consider probability and complexity (hard)
• More realistic intruder model
• Interaction between protocol and cryptography
Comparison
Chart: analysis methods plotted by protocol complexity (low to high) against sophistication of attacks (low to high): Hand proofs, Poly-time calculus, Spi-calculus, Athena, Paulson, NRL, Bolignano, BAN logic, FDR, Murφ
Outline
Security protocols
Goals for process calculus
Specific process calculus
• Probabilistic semantics
• Complexity – probabilistic poly time
• Asymptotic equivalence
• Pseudo-random number generators
• Equational properties and challenges
Language Approach [Abadi, Gordon]
Write protocol in process calculus
Express security using observational equivalence
• Standard relation from programming language theory
P Q iff for all contexts C[ ], same
observations about C[P] and C[Q]
• Context (environment) represents adversary
Use proof rules for to prove security
• Protocol is secure if no adversary can distinguish it
from some idealized version of the protocol
Great general idea; application is complicated
Probabilistic Poly-time Analysis
Add probability, complexity
Probabilistic polynomial-time process calc
• Protocols use probabilistic primitives
– Key generation, nonce, probabilistic encryption, ...
• Adversary may be probabilistic
Express protocol and spec in calculus
Security using observational equivalence
• Use probabilistic form of process equivalence
Secrecy for Challenge-Response
Protocol P
A B: { i } K
B A: { f(i) } K
“Obviously” secret protocol Q
A B: { random_number } K
B A: { random_number } K
Analysis: P Q reduces to crypto condition
related to non-malleability [Dolev, Dwork, Naor]
– Fails for “plain old” RSA if f(i) = 2i
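As an added example (not from the talk), the following Python code shows why P is not equivalent to Q under plain RSA: a context that holds only the public key can compute encr(2i) from encr(i) via encr(x*y) = encr(x)*encr(y) and compare it with Bob's reply, which is right every time on P and essentially never on Q. The toy RSA parameters, the choice f(i) = 2i and all function names are constructed for illustration.

```python
import random

# Constructed toy RSA key (tiny primes, illustration only); in the calculus the
# context C[ ] plays the adversary and holds the public key (N, E) but not D.
P_PRIME, Q_PRIME = 1009, 1013
N = P_PRIME * Q_PRIME
PHI = (P_PRIME - 1) * (Q_PRIME - 1)
E = 65537
D = pow(E, -1, PHI)          # private exponent (Python 3.8+)


def rsa_encrypt(m):
    """Plain ("textbook") RSA: encr(m) = m^E mod N, deterministic and malleable."""
    return pow(m, E, N)


def rsa_decrypt(c):
    return pow(c, D, N)


def bob_P(c):
    """Bob in protocol P: decrypt the challenge i and answer { f(i) }K with f(i) = 2i."""
    i = rsa_decrypt(c)
    return rsa_encrypt(2 * i % N)


def bob_Q(c):
    """Bob in the "obviously secret" Q: the reply encrypts a fresh random number."""
    return rsa_encrypt(random.randrange(N))


def run_session(bob):
    """Alice's challenge { i }K and Bob's reply, as seen on the public channel."""
    i = random.randrange(1, N)
    c1 = rsa_encrypt(i)
    return c1, bob(c1)


def context_says_P(c1, c2):
    """The distinguishing context: builds encr(2i) = encr(2) * encr(i) mod N from the
    public key alone and tests whether Bob's reply equals it."""
    return (rsa_encrypt(2) * c1) % N == c2


def distinguishing_rates(trials=200, seed=0):
    """Fraction of sessions in which the context answers "P", run against P and against Q."""
    random.seed(seed)
    on_P = sum(context_says_P(*run_session(bob_P)) for _ in range(trials)) / trials
    on_Q = sum(context_says_P(*run_session(bob_Q)) for _ in range(trials)) / trials
    return on_P, on_Q


if __name__ == "__main__":
    on_P, on_Q = distinguishing_rates()
    print(f"context says P: on P = {on_P:.2f}, on Q = {on_Q:.2f}")
```

The gap between the two rates is about 1, so no asymptotic equivalence holds; the crypto condition the slide refers to is exactly that a non-malleable scheme denies the context the ability to turn encr(i) into encr(2i).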
Specification with Authentication
Protocol P
A B: { random i } K
B A: { f(i) } K
A B: “OK” if f(i) received
“Obviously” authenticating protocol Q
A B: { random i } K
A B: { random i } K (public channel)
B A: { random j } K (public channel); i, j sent on a private channel
A B: “OK” if private i, j match public msgs
Nondeterminism vs encryption
Alice encrypts msg and sends to Bob
A B: { msg } K
Adversary uses nondeterminism
Process E0 c0 | c0 | … | c0
Process E1 c1 | c1 | … | c1
Process E
c(b1).c(b2)...c(bn).decrypt(b1b2...bn, msg)
In reality, at most 2^-n chance to guess n-bit key
Semantics
Probabilistic Semantics
Nondeterministic Semantics
Figure: two evaluation trees for the same process, the probabilistic semantics with branches labeled by probabilities (0.2, 0.3, 0.5) beside the nondeterministic semantics with unlabeled branches
Prove initial results for arbitrary scheduler
Methodology
Define general system
• Process calculus
• Probabilistic semantics
• Asymptotic observational equivalence
Apply to protocols
• Protocols have specific form
• “Attacker” is context of specific form
– Induces coarser observational equivalence
This talk: general calculus and properties
Outline
Security protocols
Goals for process calculus
Specific process calculus
• Probabilistic semantics
• Complexity – probabilistic poly time
• Asymptotic equivalence
• Pseudo-random number generators
• Equational properties and challenges
Technical Challenges
Language for prob. poly-time functions
• Extend work of Cobham, Cook, Hofmann
Replace nondeterminism with probability
• Otherwise adversary is too strong ...
Define probabilistic equivalence
• Related to poly-time statistical tests ...
Syntax
Bounded π-calculus with integer terms
P :: = 0
| cq(|n|) T send up to q(|n|) bits
| cq(|n|) (x). P receive
| cq(|n|) . P private channel
| [T=T] P test
| P|P parallel composition
| ! q(|n|) . P bounded replication
Terms may contain symbol n; channel width
and replication bounded by poly in |n|
Probabilistic Semantics
Basic idea
• Alternate between terms and processes
– Probabilistic evaluation of terms (incl. rand)
– Probabilistic scheduling of parallel processes
Two evaluation phases
• Outer term evaluation
– Evaluate all exposed terms, evaluate tests
• Communication
– Match send and receive
– Probabilistic if multiple send-receive pairs
Scheduling
Outer term evaluation
• Evaluate all exposed terms in parallel
• Multiply probabilities
Communication
• E(P) = set of eligible subprocesses
• S(P) = set of schedulable pairs
• Prioritize – private communication first
• Choose highest-priority communication
with uniform (or other) probability
Example
Process
• crand+1 | c(x).dx+1 | d2 | d(y). ex+1
Outer evaluation (each outcome with prob ½)
• c1 | c(x).dx+1 | d2 | d(y). ex+1
• c2 | c(x).dx+1 | d2 | d(y). ex+1
Communication
• c1 | c(x).dx+1 | d2 | d(y). ex+1
Choose according to probabilistic scheduler
Example (again)
crand+1 | c(x).dx+1 | d2 | d(y). ex+1
Outer
Eval Each with prob 0.5
c2 | c(x).dx+1 | d2 | d(y). ex+1
c1 | c(x).dx+1 | d2 | d(y). ex+1
Comm
Step
Choose according to probabilistic scheduler
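To make the two phases concrete, here is a small Python evaluator (added here; it is not the calculus implementation or code from the talk) for the fragment the example uses: outputs, inputs with a continuation, integer terms with rand as a fair coin, a scheduler that picks uniformly among schedulable send/receive pairs, and no private channels. It encodes the slide's process as c⟨rand+1⟩ | c(x).d⟨x+1⟩ | d⟨2⟩ | d(y).e⟨y+1⟩ (reading the final output as y+1, since y is the variable bound there; this reading is an assumption) and computes the exact distribution of what ends up output on e.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product

# Terms:      ('const', k) | ('var', x) | ('rand',) | ('add', t1, t2)
# Components: ('send', chan, term)      the output chan<term>
#             ('recv', chan, x, cont)   the input chan(x).cont, cont a component or None (= 0)
# A process state is a tuple of components composed in parallel.

def eval_term(t):
    """Evaluate a closed term to a list of (value, probability); rand is a fair coin."""
    kind = t[0]
    if kind == 'const':
        return [(t[1], Fraction(1))]
    if kind == 'rand':
        return [(0, Fraction(1, 2)), (1, Fraction(1, 2))]
    if kind == 'add':
        return [(a + b, pa * pb) for a, pa in eval_term(t[1]) for b, pb in eval_term(t[2])]
    raise ValueError(f"term is not closed: {t}")

def subst_term(t, x, v):
    if t[0] == 'var':
        return ('const', v) if t[1] == x else t
    if t[0] == 'add':
        return ('add', subst_term(t[1], x, v), subst_term(t[2], x, v))
    return t

def subst(comp, x, v):
    """[v/x] on a component, stopping at an inner receive that rebinds x."""
    if comp is None:
        return None
    if comp[0] == 'send':
        return ('send', comp[1], subst_term(comp[2], x, v))
    _, chan, y, cont = comp
    return ('recv', chan, y, cont if y == x else subst(cont, x, v))

def outer_eval(state):
    """Phase 1: evaluate every exposed send term in parallel, multiplying probabilities."""
    options = []
    for comp in state:
        if comp[0] == 'send':
            options.append([(('send', comp[1], ('const', v)), p) for v, p in eval_term(comp[2])])
        else:
            options.append([(comp, Fraction(1))])
    dist = defaultdict(Fraction)
    for choice in product(*options):
        prob = Fraction(1)
        for _, p in choice:
            prob *= p
        dist[tuple(c for c, _ in choice)] += prob
    return dist

def comm_step(state):
    """Phase 2: one communication, chosen uniformly among the schedulable send/receive
    pairs S(P). Returns None when the state is stuck (no matching pair)."""
    pairs = [(i, j) for i, s in enumerate(state) if s[0] == 'send'
             for j, r in enumerate(state) if r[0] == 'recv' and r[1] == s[1]]
    if not pairs:
        return None
    dist = defaultdict(Fraction)
    for i, j in pairs:
        value = state[i][2][1]                       # a ('const', v) after outer evaluation
        cont = subst(state[j][3], state[j][2], value)
        rest = tuple(c for k, c in enumerate(state) if k not in (i, j))
        dist[rest + ((cont,) if cont is not None else ())] += Fraction(1, len(pairs))
    return dist

def run(state):
    """Alternate the two phases until every branch is stuck; exact distribution of final states."""
    final, frontier = defaultdict(Fraction), {tuple(state): Fraction(1)}
    while frontier:
        nxt = defaultdict(Fraction)
        for st, p in frontier.items():
            for st2, p2 in outer_eval(st).items():
                step = comm_step(st2)
                if step is None:
                    final[st2] += p * p2
                else:
                    for st3, p3 in step.items():
                        nxt[st3] += p * p2 * p3
        frontier = nxt
    return final

def outputs_on(final, chan):
    """Marginal distribution of the values left unread on one channel."""
    out = defaultdict(Fraction)
    for st, p in final.items():
        out[tuple(sorted(c[2][1] for c in st if c[0] == 'send' and c[1] == chan))] += p
    return dict(out)

# The slide's process (constructed encoding): c<rand+1> | c(x).d<x+1> | d<2> | d(y).e<y+1>
EXAMPLE = (
    ('send', 'c', ('add', ('rand',), ('const', 1))),
    ('recv', 'c', 'x', ('send', 'd', ('add', ('var', 'x'), ('const', 1)))),
    ('send', 'd', ('const', 2)),
    ('recv', 'd', 'y', ('send', 'e', ('add', ('var', 'y'), ('const', 1)))),
)

if __name__ == "__main__":
    for vals, p in sorted(outputs_on(run(EXAMPLE), 'e').items()):
        print(f"e outputs {vals}: {p}")
```

The scheduler's choice matters: when the d communication is picked first, Bob's d⟨x+1⟩ arrives after the only d receiver has fired and is left stuck, so e⟨3⟩ appears with probability 7/8 and e⟨4⟩ only with probability 1/8.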
Complexity results
Polynomial time
• For each process P, there is a poly q(x)
such that
– For all n
– For all probabilistic schedulers
– All minimal evaluation contexts C[ ]
eval of C[P] halts in time q(|n|+|C[]|)
• Minimal evaluation context
– C[ ] = c(x).d(y)…[ ] | c20 | d7 | e492 | …
Complexity: Intuition
Bound on number of communications
• Count total number of inputs, multiplying
by q(|n|) to account for ! q(|n|) . P
Bound on term evaluation
• Closed T evaluated in time qT(|n|)
Bound on time for each comm step
• Example: cm | c(x).P [m/x]P
• Substitution bounded by orig length of P
– Size of number m is bounded
– Previous steps preserve # occurr of x in P
Outline
Security protocols
Application of process calculus
Specific process calculus
• Probabilistic semantics
• Complexity – probabilistic poly time
• Asymptotic equivalence
• Pseudo-random number generators
• Equational properties and challenges
Problem:
How to define process equivalence?
Intuition
• | Prob{ C[P] “yes” } - Prob{ C[Q] “yes” } | 0 indexed by key length
• Asymptotic form of process equivalence
Probabilistic Observational Equiv
Asymptotic equivalence within f
Process and context families { Pn } n>0, { Qn } n>0, { Cn } n>0
P f Q if contexts C[ ]. obs v. n0 . n > n0 .
| Prob[Cn[Pn] v] - Prob[Cn[Qn] v] |
Warning: hard to get all of these…
One way to get equivalences
Labeled transition system
• Allow process to send any output, read any input
• Label with numbers “resembling probabilities”
Simulation relation
• Relation ~ on processes
• If P ~ Q and P r P’, then there exists Q’
with Q r Q’ and P’ ~ Q’
Weak form of prob equivalence
• But enough to get started …
Hold for uniform scheduler
P | (Q | R) (P | Q) | R
P | Q Q | P
P | 0 P
P Q C[P] C[Q]
Compositionality is important issue in computer security
Problem
Want this equivalence
• P c. ( c | c(x).P) x FV(P)
Fails for general calculus, general
• P = d(x).e
• C[ ] = d.( d | d(y).e | [ ] )
Comparison
Evaluation trees (diagram) of the two sides placed in the context:
d.( d | d(y).e | c. ( c | c(x).P) )
d.( d | d(y).e | d(x).e )
Branches are labeled by the scheduler’s choice (left, right, the communication on c); each leaf outputs on e
Even prioritizing private channels, equivalence fails
Paradox
Two processors connect by network
Each does private actions
Unrealistic interaction
• Private coin flip in Beijing does not
influence coin flip in Washington
Solutions
Modify scheduler
• Process private channels left-to-right
• Each channel: random send-receive pair
Restrict syntax of protocol, attack
• C[ P ] = C[ c. ( c | c(x).P) ]
for all contexts C[ ] that
– do not share private channels
– do not bind channel names used in [ ]
Modification of scheduler more reasonable for protocols
Current State of Project
Framework for protocol analysis
• Determine crypto requirements of protocols
• Precise definition of crypto primitives
Probabilistic ptime language
Process framework
• Replace nondeterminism with rand
• Equivalence based on ptime statistical tests
Methods for establishing equivalence
• Develop probabilistic simulation technique
Examples: Diffie-Hellman, Bellare-Rogaway, …
Connections with modern crypto
Cryptosystem consists of three parts
• Key generation
• Encryption
• Decryption
Many forms of security
• Semantic security, non-malleability,
chosen-ciphertext security, …
Common conditions use prob. games
Chosen-ciphertext security
Probabilistic poly-time player A cannot win game (>1/2):
1) A gets public key
2) A submits ciphertexts and receives decryptions
3) A submits two messages m0, m1 and receives either
= Encr(m0) or = Encr(m1) at random
4) A submits ciphertexts and receives decryptions
5) A declares guess g = 0 or 1
6) Score win if = Encr(mg), else lose
Deterministic encryption vulnerable to chosen-c attack
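As an added example (not from the talk), this Python harness plays the six-step game above against a (K, E, D) triple and measures A's win rate. One assumption is made here, matching the standard definition: in step 4 the decryption oracle refuses the challenge ciphertext itself. The toy textbook-RSA triple, its padded variant, the message choices and all names are constructed for illustration.

```python
import random

# Constructed toy textbook RSA as a deterministic (K, E, D) triple; tiny primes, illustration only.
_P, _Q = 1009, 1013
_N, _PHI = _P * _Q, (_P - 1) * (_Q - 1)


def rsa_keygen(rng):
    e = 65537
    return (_N, e), (_N, pow(e, -1, _PHI))     # pk = (N, e), sk = (N, d)


def rsa_encrypt(pk, m, rng):
    n, e = pk
    return pow(m, e, n)                          # the same m always yields the same ciphertext


def rsa_decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)


DETERMINISTIC = (rsa_keygen, rsa_encrypt, rsa_decrypt)

# Same trapdoor with a random pad in the high bits, so ciphertexts are randomized.
MSG_BITS = 4                                     # messages are 4-bit values in this toy


def padded_encrypt(pk, m, rng):
    n, e = pk
    r = rng.randrange(n >> MSG_BITS)             # keeps (r << MSG_BITS) | m below n
    return pow((r << MSG_BITS) | m, e, n)


def padded_decrypt(sk, c):
    return rsa_decrypt(sk, c) & ((1 << MSG_BITS) - 1)


RANDOMIZED = (rsa_keygen, padded_encrypt, padded_decrypt)


def chosen_ciphertext_game(scheme, adversary, rng):
    """One run of the game; returns True if A wins."""
    keygen, enc, dec = scheme
    pk, sk = keygen(rng)                                     # 1) A gets the public key
    state = {}

    def decrypt_oracle(c):                                   # 2) and 4) decryption queries
        if c == state.get('challenge'):                      # assumption: challenge is refused
            return None
        return dec(sk, c)

    def challenge_oracle(m0, m1):                            # 3) Encr(m0) or Encr(m1) at random
        state['bit'] = rng.randrange(2)
        state['challenge'] = enc(pk, (m0, m1)[state['bit']], rng)
        return state['challenge']

    guess = adversary(pk, enc, challenge_oracle, decrypt_oracle, rng)   # 5) A declares g
    return guess == state['bit']                             # 6) win iff the challenge was Encr(m_g)


def reencrypt_adversary(pk, enc, challenge_oracle, decrypt_oracle, rng):
    """A re-encrypts m0 under pk and compares with the challenge; no decryption query needed."""
    m0, m1 = 3, 5
    c = challenge_oracle(m0, m1)
    return 0 if enc(pk, m0, rng) == c else 1


def win_rate(scheme, adversary, trials=400, seed=0):
    rng = random.Random(seed)
    return sum(chosen_ciphertext_game(scheme, adversary, rng) for _ in range(trials)) / trials


def roundtrip_ok(scheme, m, seed=1):
    keygen, enc, dec = scheme
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return dec(sk, enc(pk, m, rng)) == m


if __name__ == "__main__":
    print("deterministic:", win_rate(DETERMINISTIC, reencrypt_adversary))
    print("randomized:   ", win_rate(RANDOMIZED, reencrypt_adversary))
```

Against the deterministic triple this A wins every run without touching the decryption oracle, which is the slide's last point. Against the padded variant the same A is back to guessing, but that only rules out this one A; the definition quantifies over every probabilistic poly-time player, and the padded toy is not claimed to be chosen-ciphertext secure.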
Simulation security of K,E,D
Diagram: on the real side P, K produces pk and sk, E encrypts plaintext m under pk to a cipher, and D decrypts under sk; on the ideal side Q the same interface is served by a private table
Algorithms K, E, D indistinguishable from variant where
encryption uses random messages and private table
[Canetti 00; Shoup; Pfitzmann-Waidner 00,01]
Goal: Chosen-c-secure iff sim-secure
P P1 P2 … Q
• Hope to prove using process calculus
• Derive protocol correctness by congruence
where
• P = Game on previous slide
• P1 = Same, but quit if some output of E seen
before as input to D or output of E
• P2 = If input to D was output by E, use table
instead of algorithm D
• Q = instead of encrypt, use Encr(0) and table
Conclusion
Computer security
• Exacting subject amenable to analysis
• Analysis useful since correctness critical
Protocols
• Short but complex
Probabilistic poly-time process calc
• Challenging semantics, proof theory
• Appropriate for game equivalence
Chosen-ciphertext security (diagram version of the game)
Key Gen produces pk, given to A, and sk, held by the Decrypt oracle
1) A gets public key
2) A submits ciphertexts and receives decryptions
3) A submits two messages m0, m1; Encrypt chooses i and returns Encr(mi)
4) A submits ciphertexts and gets decryptions
5) A guesses g = 0 or 1
6) Score win if g = i, else lose
Compositionality
Property of observational equiv
A B and C D imply A|C B|D
similarly for other process forms
Zero-Knowledge Protocol
Dialogue between prover P and verifier V (diagram):
P: I know a number x with Q(x)
V: Answer these questions
P: Here. Now you’ll believe me.
Witness protection program
• Q(x) iff w. P(x,w)
• Prove w. P(x,w) without revealing w
Identify Friend or Foe
Sequential (diagram: prover M, verifier A)
• One conversation at a time
Concurrent (diagram: base station S, several verifiers)
• Base station proves identity concurrently
Are concurrent sessions still zero-k ?