Security Proof with Dishonest Keys

  • Hubert Comon-Lundh
  • Véronique Cortier
  • Guillaume Scerri
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7215)


Symbolic and computational models are the two families of models for rigorously analysing security protocols. Symbolic models are abstract but offer a high level of automation while computational models are more precise but security proof can be tedious. Since the seminal work of Abadi and Rogaway, a new direction of research aims at reconciling the two views and many soundness results establish that symbolic models are actually sound w.r.t. computational models.

This is however not true for the prominent case of encryption. Indeed, all existing soundness results assume that the adversary only uses honestly generated keys. While this assumption is acceptable in the case of asymmetric encryption, it is clearly unrealistic for symmetric encryption. In this paper, we provide with several examples of attacks that do not show-up in the classical Dolev-Yao model, and that do not break the IND-CPA nor INT-CTXT properties of the encryption scheme.

Our main contribution is to show the first soundness result for symmetric encryption and arbitrary adversaries. We consider arbitrary indistinguishability properties and an unbounded number of sessions.

This result relies on an extension of the symbolic model, while keeping standard security assumptions: IND-CPA and IND-CTXT for the encryption scheme.


Encryption Scheme Symbolic Model Security Proof Symmetric Encryption Probabilistic Polynomial Time 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. [AF01]
    Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: Principles of Programming Languages (POPL 2001), pp. 104–115 (2001)Google Scholar
  2. [AG99]
    Abadi, M., Gordon, A.D.: A calculus for cryptographic protocols: the spi calculus. Information and Computation 148(1) (1999)Google Scholar
  3. [AR00]
    Abadi, M., Rogaway, P.: Reconciling Two Views of Cryptography: the Computational Soundness of Formal Encryption. In: Watanabe, O., Hagiya, M., Ito, T., van Leeuwen, J., Mosses, P.D. (eds.) TCS 2000. LNCS, vol. 1872, pp. 3–22. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  4. [BHO09]
    Bana, G., Hasebe, K., Okada, M.: Computational Semantics for First-Order Logical Analysis of Cryptographic Protocols. In: Cortier, V., Kirchner, C., Okada, M., Sakurada, H. (eds.) Formal to Practical Security. LNCS, vol. 5458, pp. 33–56. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  5. [Bla05]
    Blanchet, B.: An automatic security protocol verifier based on resolution theorem proving (invited tutorial). In: 20th International Conference on Automated Deduction (CADE-20), Tallinn, Estonia (July 2005)Google Scholar
  6. [Bla08]
    Blanchet, B.: A computationally sound mechanized prover for security protocols. IEEE Trans. on Dependable and Secure Computing 5(4), 193–207 (2008); Special issue IEEE Symposium on Security and Privacy (2006)CrossRefGoogle Scholar
  7. [BP04]
    Backes, M., Pfitzmann, B.: Symmetric encryption in a simulatable dolev-yao style cryptographic library. In: Proc. IEEE Computer Security Foundations Workshop (2004)Google Scholar
  8. [BPW03]
    Backes, M., Pfitzmann, B., Waidner, M.: A composable cryptographic library with nested operations. In: Proc. 10th ACM Concerence on Computer and Communications Security, CCS 2003 (2003)Google Scholar
  9. [CC11]
    Comon-Lundh, H., Cortier, V.: How to prove security of communication protocols? A discussion on the soundness of formal models w.r.t. computational ones. In: 28th Annual Symposium on Theoretical Aspects of Computer Science (STACS 2011). LIPIcs, vol. 9, pp. 29–44 (2011)Google Scholar
  10. [CLC08a]
    Comon-Lundh, H., Cortier, V.: Computational soundness of observational equivalence. In: ACM Conf. Computer and Communication Security, CCS 2008 (2008)Google Scholar
  11. [CLC08b]
    Comon-Lundh, H., Cortier, V.: Computational soundness of observational equivalence. Research Report RR-6508, INRIA (2008)Google Scholar
  12. [DY81]
    Dolev, D., Yao, A.C.: On the security of public key protocols. In: Proc. IEEE Symp. on Foundations of Computer Science, pp. 350–357 (1981)Google Scholar
  13. [KT09]
    Küsters, R., Tuengerthal, M.: Computational Soundness for Key Exchange Protocols with Symmetric Encryption. In: 16th ACM Conference on Computer and Communications Security (CCS 2009), pp. 91–100 (2009)Google Scholar
  14. [RS98]
    Ryan, P., Schneider, S.: An attack on a recursive authentication protocol: a cautionary tale. Information Processing Letters 65, 7–10 (1998)CrossRefGoogle Scholar
  15. [War03]
    Warinschi, B.: A computational analysis of the needham-schroeder(-lowe) protocol. In: 16th Computer Science Foundation Workshop (CSFW 2003), pp. 248–262 (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Hubert Comon-Lundh
    • 1
  • Véronique Cortier
    • 2
  • Guillaume Scerri
    • 1
    • 2
  1. 1.LSV, ENS Cachan & CNRS & INRIAFrance
  2. 2.LORIA, CNRSFrance

Personalised recommendations