Automated Security Proofs with Sequences of Games

  • Bruno Blanchet
  • David Pointcheval
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4117)


This paper presents the first automatic technique for proving not only protocols but also primitives in the exact-security computational model. Automatic proofs of cryptographic protocols were up to now reserved for the Dolev-Yao model, which, however, makes quite strong assumptions about the primitives. On the other hand, with proofs by reduction in the complexity-theoretic framework, more subtle security assumptions can be considered, but the security analyses are manual. A process calculus is thus defined in order to take into account the probabilistic semantics of the computational model. It is already rich enough to describe all the usual security notions of both symmetric and asymmetric cryptography, as well as the basic computational assumptions. As an example, we illustrate the use of the new tool with the proof of a quite famous asymmetric primitive: unforgeability under chosen-message attacks (UF-CMA) of the Full-Domain Hash signature scheme under the (trapdoor) one-wayness of some permutations.
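The abstract's running example is the UF-CMA proof of Full-Domain Hash (FDH) under the one-wayness of a trapdoor permutation. The following Python is an added illustration, not the paper's calculus or its prover: it implements FDH over a toy trapdoor permutation (textbook RSA with two constructed, deliberately small primes, so the instance is insecure), the UF-CMA game with a lazily sampled random oracle, and the programmed-oracle simulator that the classical game hop relies on, in which every hash value except one guessed query is set to f(r) for a known r so that signatures can be answered without the trapdoor, while the guessed query carries the one-wayness challenge y. The `omniscient_forger` is an assumption for the demo: a stand-in adversary that is handed the trapdoor so the extraction step can be exercised end to end; any real forger would have to win without it.

```python
"""Full-Domain Hash (FDH) signatures over a toy trapdoor permutation, the
UF-CMA game, and the random-oracle simulator used by the classical reduction
to one-wayness.  Added illustration; not code from the paper or its tool."""
import secrets

# Toy trapdoor permutation: textbook RSA with constructed small primes.
# Insecure by construction; real parameters are thousands of bits.
P, Q = 999983, 1000003
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # trapdoor


def f(x):       # public direction: x -> x^e mod N
    return pow(x, E, N)


def f_inv(y):   # trapdoor direction: y -> y^d mod N
    return pow(y, D, N)


class RandomOracle:
    """Lazily sampled random function H: messages -> Z_N."""
    def __init__(self):
        self.table = {}

    def query(self, m):
        if m not in self.table:
            self.table[m] = secrets.randbelow(N)
        return self.table[m]


def fdh_sign(H, m):            # sigma = f^{-1}(H(m))
    return f_inv(H.query(m))


def fdh_verify(H, m, sigma):   # accept iff f(sigma) == H(m)
    return f(sigma) == H.query(m)


class UFCMAGame:
    """The forger sees H and a signing oracle; it wins with a valid
    signature on a message it never submitted to Sign."""
    def __init__(self):
        self.H = RandomOracle()
        self.signed = set()

    def sign(self, m):
        self.signed.add(m)
        return fdh_sign(self.H, m)

    def wins(self, m, sigma):
        return m not in self.signed and fdh_verify(self.H, m, sigma)


class Simulator:
    """Game hop of the reduction: H is programmed so Sign can be answered
    without the trapdoor.  Fresh query number j (a guess) is answered with
    the one-wayness challenge y; every other fresh query m gets H(m) = f(r)
    for a random r, so the signature of m is simply r."""
    def __init__(self, y, j):
        self.y, self.j = y, j
        self.table = {}      # m -> (hash value, preimage r or None)
        self.order = []      # fresh queries in the order they arrived

    def query(self, m):
        if m not in self.table:
            if len(self.order) == self.j:
                self.table[m] = (self.y, None)
            else:
                r = secrets.randbelow(N)
                self.table[m] = (f(r), r)
            self.order.append(m)
        return self.table[m][0]

    def sign(self, m):
        self.query(m)
        return self.table[m][1]   # None: the guess j was wrong, abort

    def extract(self, m, sigma):
        """A valid forgery on the guessed message is a preimage of y."""
        if m in self.table and self.table[m][0] == self.y and f(sigma) == self.y:
            return sigma
        return None


def omniscient_forger(H, sign):
    """Assumed stand-in adversary that (unrealistically) holds the trapdoor,
    so the extraction step can be run end to end.  It hashes two messages,
    obtains one legitimate signature, then forges on the other."""
    H(b"m0"); H(b"m1")
    sign(b"m0")
    return b"m1", f_inv(H(b"m1"))


def run_game():
    """Forger against the real UF-CMA game; returns whether it wins."""
    game = UFCMAGame()
    m, sigma = omniscient_forger(game.H.query, game.sign)
    return game.wins(m, sigma)


def run_reduction():
    """Forger run inside the simulator; returns whether its forgery
    inverts the one-wayness challenge y = f(x*)."""
    x_star = secrets.randbelow(N)
    sim = Simulator(f(x_star), j=1)     # guess: forgery hits H-query #1
    m, sigma = omniscient_forger(sim.query, sim.sign)
    return sim.extract(m, sigma) == x_star
```

The point of the simulator is that its view is distributed identically to the real game (f(r) for uniform r is uniform because f is a permutation), except when the forger asks for a signature on the guessed message, which is the abort event whose probability the proof bounds; the paper's contribution is automating exactly this kind of game sequence and bookkeeping.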


Keywords: Signature Scheme; Random Oracle; Cryptographic Protocol; Security Proof; Random Oracle Model



Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Bruno Blanchet, CNRS, École Normale Supérieure, Paris
  • David Pointcheval, CNRS, École Normale Supérieure, Paris
