Adaptive Security of Symbolic Encryption
We prove a computational soundness theorem for the symbolic analysis of cryptographic protocols which extends an analogous theorem of Abadi and Rogaway (J. of Cryptology 15(2):103–127, 2002) to a scenario where the adversary gets to see the encryption of a sequence of adaptively chosen symbolic expressions. The extension of the theorem of Abadi and Rogaway to such an adaptive scenario is nontrivial, and raises issues related to the classic problem of selective decommitment, which do not appear in the original formulation of the theorem.
Although the theorem of Abadi and Rogaway applies only to passive adversaries, our extension to adaptive attacks makes it substantially stronger, and powerful enough to analyze the security of cryptographic protocols of practical interest. We exemplify the use of our soundness theorem in the analysis of group key distribution protocols like those that arise in multicast and broadcast applications. Specifically, we provide cryptographic definitions of security for multicast key distribution protocols both in the symbolic as well as the computational framework and use our theorem to prove soundness of the symbolic definition.
KeywordsSymbolic encryption adaptive adversaries soundness theorem formal methods for security protocols
- 6.Canetti, R., Garay, J., Itkis, G., Micciancio, D., Naor, M., Pinkas, B.: Multicast security: A taxonomy and some efficient constructions. In: INFOCOM 1999. Proceedings of the Eighteenth Annual Joint conference of the IEEE computer and communications societies, New York, NY, March 1999, vol. 2, pp. 708–716. IEEE, Los Alamitos (1999)Google Scholar
- 7.Canetti, R., Malkin, T., Nissim, K.: Efficient communication-storage tradeoffs for multicast encryption. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 459. Springer, Heidelberg (1999)Google Scholar
- 10.Gligor, V., Horvitz, D.O.: Weak Key Authenticity and the Computational Completeness of Formal Encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 530–547. Springer, Heidelberg (2003)Google Scholar
- 12.Herzog, J.C.: Computational Soundness for Standard Assumptions of Formal Cryptography. PhD thesis, Massachusetts Institute of Technology, Boston, USA (2004)Google Scholar
- 15.Lincoln, P.D., Mitchell, J.C., Mitchell, M., Scedrov, A.: A probabilistic poly-time framework for protocol analysis. In: Proceedings of the fifth ACM conference on computer and communications security - CCS 1998, San Francisco, California, USA, November 1998, pp. 112–121. ACM, New York (1998)CrossRefGoogle Scholar
- 16.Micciancio, D.: Towards Computationally Sound Symbolic Security Analysis (June 2004), Tutorial. Slides available at http://dimacs.rutgers.edu/Workshops/Protocols/slides/micciancio.pdf
- 17.Micciancio, D., Panjwani, S.: Adaptive Security of Symbolic Encryption (November 2004), Full version of this paper. Available from http://www-cse.ucsd.edu/users/spanjwan/papers.html
- 19.Micciancio, D., Warinschi, B.: Completeness theorems for the abadi-rogaway logic of encrypted expressions. Journal of Computer Security 12(1), 99–129 (2004); Preliminary version in WITS 2002Google Scholar
- 21.Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)Google Scholar