Computational Soundness of Symbolic Zero-Knowledge Proofs: Weaker Assumptions and Mechanized Verification

  • Michael Backes
  • Fabian Bendun
  • Dominique Unruh
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7796)


The abstraction of cryptographic operations by term algebras, called symbolic models, is essential in almost all tool-supported methods for analyzing security protocols. Significant progress was made in proving that symbolic models offering basic cryptographic operations such as encryption and digital signatures can be sound with respect to actual cryptographic realizations and security definitions. Even abstractions of sophisticated modern cryptographic primitives such as zero-knowledge (ZK) proofs were shown to have a computationally sound cryptographic realization, but only in ad-hoc formalisms and at the cost of placing strong assumptions on the underlying cryptography, which leaves only highly inefficient realizations.

In this paper, we make two contributions to this problem space. First, we identify weaker cryptographic assumptions that we show to be sufficient for computational soundness of symbolic ZK proofs. These weaker assumptions are fulfilled by existing efficient ZK schemes as well as generic ZK constructions. Second, we conduct all computational soundness proofs in CoSP, a recent framework that allows for casting computational soundness proofs in a modular manner, independent of the underlying symbolic calculi. Moreover, all computational soundness proofs conducted in CoSP automatically come with mechanized proof support through an embedding of the applied π-calculus.



Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Michael Backes (1, 2)
  • Fabian Bendun (1)
  • Dominique Unruh (3)

  1. Saarland University, Saarbrücken, Germany
  2. MPI-SWS, Saarbrücken, Germany
  3. University of Tartu, Tartu, Estonia
