Automated Unbounded Analysis of Cryptographic Constructions in the Generic Group Model

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9666)

Abstract

We develop a new method to automatically prove security statements in the Generic Group Model as they occur in actual papers. We start by defining (i) a general language to describe security definitions, (ii) a class of logical formulas that characterize how an adversary can win, and (iii) a translation from security definitions to such formulas. We prove a Master Theorem that relates the security of the construction to the existence of a solution for the associated logical formulas. Moreover, we define a constraint solving algorithm that proves the security of a construction by proving the absence of solutions.

We implement our approach in a fully automated tool, the \(\mathsf {gga}^{\infty }\) tool, and use it to verify different examples from the literature. The results improve on the tool by Barthe et al. (CRYPTO’14, PKC’15): for many constructions, \(\mathsf {gga}^{\infty }\) succeeds in proving standard (unbounded) security, whereas Barthe’s tool is only able to prove security for a small number of oracle queries.
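The abstract's "formulas that characterize how an adversary can win" rest on the classical Generic Group Model observation (Shoup, Maurer): an adversary that only gets handles to group elements can only produce new handles whose exponents are linear combinations of the exponents it was given, plus products of pairs where a pairing is available, so a target is generically computable exactly when its exponent polynomial lies in that span. The block below is an added illustration of that reasoning and is not the paper's \(\mathsf {gga}^{\infty }\) tool or its constraint solver; it treats a fixed set of inputs (no oracle queries, so nothing "unbounded"), represents exponents as formal polynomials, and decides reachability by Gaussian elimination over the rationals, which stands in for the exponent field \(\mathbb{Z}_p\) with large prime p. The function names and the sample assumptions (CDH in a plain group, the same target in a symmetric bilinear group, and a three-variable target) are constructed for this example.

```python
from fractions import Fraction
from itertools import combinations_with_replacement
from typing import Dict, List, Tuple

# A monomial is a sorted tuple of variable names, e.g. ('x', 'y') for x*y;
# a polynomial maps monomials to rational coefficients.  Constructed toy
# representation, not the paper's input language.
Monomial = Tuple[str, ...]
Poly = Dict[Monomial, Fraction]


def const(c: int) -> Poly:
    """Exponent of the generator raised to a public constant."""
    return {(): Fraction(c)}


def var(name: str) -> Poly:
    """Exponent that is a fresh secret (e.g. x for the handle g^x)."""
    return {(name,): Fraction(1)}


def add(p: Poly, q: Poly) -> Poly:
    """Group multiplication of handles == addition of exponent polynomials."""
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, Fraction(0)) + c
    return {m: c for m, c in r.items() if c != 0}


def mul(p: Poly, q: Poly) -> Poly:
    """Pairing of two handles == multiplication of exponent polynomials."""
    r: Poly = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            m = tuple(sorted(m1 + m2))
            r[m] = r.get(m, Fraction(0)) + c1 * c2
    return {m: c for m, c in r.items() if c != 0}


def _rank(rows: List[List[Fraction]]) -> int:
    """Rank over Q by Gauss-Jordan elimination (exact Fraction arithmetic)."""
    rows = [list(r) for r in rows]
    rank = 0
    ncols = len(rows[0]) if rows else 0
    for col in range(ncols):
        pivot = next((i for i in range(rank, len(rows)) if rows[i][col] != 0), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        pv = rows[rank][col]
        rows[rank] = [v / pv for v in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][col] != 0:
                f = rows[i][col]
                rows[i] = [a - f * b for a, b in zip(rows[i], rows[rank])]
        rank += 1
    return rank


def in_span(target: Poly, basis: List[Poly]) -> bool:
    """True iff `target` is a Q-linear combination of the polynomials in `basis`.

    This is the 'does a solution exist' question in miniature: a solution is a
    vector of coefficients the generic adversary could apply to its handles.
    """
    monos = sorted({m for p in basis + [target] for m in p})
    vec = lambda p: [p.get(m, Fraction(0)) for m in monos]
    rows = [vec(p) for p in basis]
    return _rank(rows) == _rank(rows + [vec(target)])


def generic_adversary_can_compute(target: Poly, inputs: List[Poly], pairing: bool = False) -> bool:
    """Decide whether a generic adversary holding handles with exponents `inputs`
    can produce a handle with exponent `target`.

    Without a pairing it can only take linear combinations of its inputs.  With
    a symmetric pairing e: G x G -> G_T it can additionally pair any two inputs,
    so targets in G_T are reachable iff they lie in the span of all pairwise
    products.  Absence of a solution is the GGM lower bound for this (fixed,
    query-free) adversary; the paper's contribution is handling oracle queries.
    """
    basis = list(inputs)
    if pairing:
        basis = [mul(a, b) for a, b in combinations_with_replacement(inputs, 2)]
    return in_span(target, basis)


if __name__ == "__main__":
    one, x, y, z = const(1), var("x"), var("y"), var("z")
    # CDH in a plain group: g, g^x, g^y given, g^{xy} wanted -> no solution.
    print("CDH generically hard:", not generic_adversary_can_compute(mul(x, y), [one, x, y]))
    # Same target in G_T of a symmetric bilinear group: e(g^x, g^y) solves it.
    print("e(g,g)^{xy} reachable:", generic_adversary_can_compute(mul(x, y), [one, x, y], pairing=True))
    # Bilinear DH: e(g,g)^{xyz} needs a degree-3 monomial, pairings give degree 2.
    print("BDH generically hard:", not generic_adversary_can_compute(mul(mul(x, y), z), [one, x, y, z], pairing=True))
```

The "reachable" answer for e(g,g)^{xy} is the well-known reason decisional Diffie-Hellman fails in a group with a symmetric pairing, while the two "hard" answers are exactly the kind of no-solution result that, via a Master Theorem, yields a generic-group security bound. The real tool has to cope with adversary-chosen values and an unbounded number of oracle queries, which turns this finite span check into constraint solving over parametrised polynomials.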

References

1. Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010)
2. Abe, M., Groth, J., Haralambiev, K., Ohkubo, M.: Optimal structure-preserving signatures in asymmetric bilinear groups. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 649–666. Springer, Heidelberg (2011)
3. Abe, M., Groth, J., Ohkubo, M., Tango, T.: Converting cryptographic schemes from symmetric to asymmetric bilinear groups. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 241–260. Springer, Heidelberg (2014)
4. Abe, M., Groth, J., Ohkubo, M., Tibouchi, M.: Structure-preserving signatures from type II pairings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 390–407. Springer, Heidelberg (2014)
5. Abe, M., Groth, J., Ohkubo, M., Tibouchi, M.: Unified, minimal and selectively randomizable structure-preserving signatures. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 688–712. Springer, Heidelberg (2014)
6. Abe, M., Kohlweiss, M., Ohkubo, M., Tibouchi, M.: Fully structure-preserving signatures and shrinking commitments. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 35–65. Springer, Heidelberg (2015)
7. Akinyele, J.A., Garman, C., Hohenberger, S.: Automating fast and secure translations from type-I to type-III pairing schemes. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, pp. 1370–1381. ACM, New York (2015)
8. Akinyele, J.A., Green, M., Hohenberger, S.: Using SMT solvers to automate design tasks for encryption, signature schemes. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) 20th Conference on Computer and Communications Security, ACM CCS 2013, 4–8 November 2013, Berlin, Germany, pp. 399–410. ACM Press (2011)
9. Barthe, G., Cederquist, J., Tarento, S.: A machine-checked formalization of the generic model and the random oracle model. In: Basin, D., Rusinowitch, M. (eds.) IJCAR 2004. LNCS (LNAI), vol. 3097, pp. 385–399. Springer, Heidelberg (2004)
10. Barthe, G., Crespo, J.M., Grégoire, B., Kunz, C., Lakhnech, Y., Schmidt, B., Zanella Béguelin, S.: Fully automated analysis of padding-based encryption in the computational model. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) 20th Conference on Computer and Communications Security, ACM CCS 2013, 4–8 November 2013, Berlin, Germany, pp. 1247–1260. ACM Press (2011)
11. Barthe, G., Fagerholm, E., Fiore, D., Mitchell, J., Scedrov, A., Schmidt, B.: Automated analysis of cryptographic assumptions in generic group models. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 95–112. Springer, Heidelberg (2014)
12. Barthe, G., Fagerholm, E., Fiore, D., Scedrov, A., Schmidt, B., Tibouchi, M.: Strongly-optimal structure preserving signatures from type II pairings: synthesis and lower bounds. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 355–376. Springer, Heidelberg (2015)
13. Barthe, G., Grégoire, B., Heraud, S., Béguelin, S.Z.: Computer-aided security proofs for the working cryptographer. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 71–90. Springer, Heidelberg (2011)
14. Barthe, G., Grégoire, B., Schmidt, B.: Automated proofs of pairing-based cryptography. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 12–16 October 2015, Denver, CO, USA, pp. 1156–1168 (2015)
15. Barthe, G., Tarento, S.: A machine-checked formalization of the random oracle model. In: Filliâtre, J.-C., Paulin-Mohring, C., Werner, B. (eds.) TYPES 2004. LNCS, vol. 3839, pp. 33–49. Springer, Heidelberg (2006)
16. Blanchet, B.: A computationally sound mechanized prover for security protocols. In: IEEE Symposium on Security and Privacy, 21–24 May 2006, Berkeley, California, USA, pp. 140–154. IEEE Computer Society Press (2006)
17. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005)
18. Chase, M., Meiklejohn, S., Zaverucha, G.: Algebraic MACs, keyed-verification anonymous credentials. In: Ahn, G.-J., Yung, M., Li, N. (eds.) 21st Conference on Computer and Communications Security, ACM CCS 2014, 3–7 November 2014, Scottsdale, AZ, USA, pp. 1205–1216. ACM Press (2011)
19. Chatterjee, S., Menezes, A.: Type 2 structure-preserving signature schemes revisited. In: Iwata, T., et al. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 286–310. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_13
20. de Moura, L., Bjørner, N.S.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008)
21. Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for Diffie-Hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013)
22. Fagerholm, E.: Automated analysis in generic groups. Ph.D. thesis, University of Pennsylvania (2015)
23. Freeman, D.M.: Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 44–61. Springer, Heidelberg (2010)
24. Fuchsbauer, G.: Breaking existential unforgeability of a signature scheme from ASIACRYPT 2014. Cryptology ePrint Archive, Report 2014/892 (2014). http://eprint.iacr.org/2014/892
25. Fuchsbauer, G., Hanser, C., Slamanig, D.: EUF-CMA-secure structure-preserving signatures on equivalence classes. Cryptology ePrint Archive, Report 2014/944 (2014). http://eprint.iacr.org/2014/944
26. Groth, J.: Efficient fully structure-preserving signatures for large messages. In: Iwata, T., et al. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 239–259. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_11
27. Hoang, V.T., Katz, J., Malozemoff, A.J.: Automated analysis and synthesis of authenticated encryption schemes. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 12–16 October 2015, Denver, CO, USA, pp. 84–95 (2015)
28. Hwang, J.Y., Lee, D.H., Yung, M.: Universal forgery of the identity-based sequential aggregate signature scheme. In: Li, W., Susilo, W., Tupakula, U.K., Safavi-Naini, R., Varadharajan, V. (eds.) 4th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2009, 10–12 March 2009, Sydney, Australia, pp. 157–160. ACM Press (2011)
29. Jager, T., Schwenk, J.: On the equivalence of generic group models. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 200–209. Springer, Heidelberg (2008)
30. Lysyanskaya, A., Rivest, R.L., Sahai, A., Wolf, S.: Pseudonym systems. In: Heys, H., Adams, C. (eds.) SAC 1999. LNCS, vol. 1758, pp. 184–199. Springer, Heidelberg (2000)
31. Malozemoff, A.J., Katz, J., Green, M.D.: Automated analysis and synthesis of block-cipher modes of operation. In: IEEE 27th Computer Security Foundations Symposium, CSF 2014, 19–22 July 2014, Vienna, Austria, pp. 140–152 (2014)
32. Maurer, U.M.: Abstract models of computation in cryptography. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 1–12. Springer, Heidelberg (2005)
33. Nechaev, V.: Complexity of a determinate algorithm for the discrete logarithm. Math. Notes 55(2), 165–172 (1994)
34. Pointcheval, D., Sanders, O.: Short randomizable signatures. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 111–126. Springer, Heidelberg (2016)
35. Rupp, A., Leander, G., Bangerter, E., Dent, A.W., Sadeghi, A.-R.: Sufficient conditions for intractability over black-box groups: generic lower bounds for generalized DL and DH problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 489–505. Springer, Heidelberg (2008)
36. Schnorr, C.-P.: Security of blind discrete log signatures against interactive attacks. In: Qing, S., Okamoto, T., Zhou, J. (eds.) ICICS 2001. LNCS, vol. 2229, pp. 1–12. Springer, Heidelberg (2001)
37. Schnorr, C.-P., Jakobsson, M.: Security of signed ElGamal encryption. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 73–89. Springer, Heidelberg (2000)
38. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997)
39. Szydlo, M.: A note on chosen-basis decisional Diffie-Hellman assumptions. In: Di Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 166–170. Springer, Heidelberg (2006)
40. The Sage Developers: Sage Mathematics Software (Version 6.8) (2015). http://www.sagemath.org

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Miguel Ambrona, IMDEA Software Institute, Madrid, Spain
  • Gilles Barthe, IMDEA Software Institute, Madrid, Spain
  • Benedikt Schmidt, IMDEA Software Institute, Madrid, Spain