140 likes | 354 Vues
See you all at Refine 2009?. 3 November, as part of FM Week, Eindhoven NL Invited speaker: Carroll Morgan Programme to be announced soon. Security specification: completeness, feasibility, refinement. Eerke Boiten, University of Kent Dagstuhl “Refinement Based Methods ...”, Sep 2009.
E N D
See you all at Refine 2009? 3 November, as part of FM Week, Eindhoven NL Invited speaker: Carroll Morgan Programme to be announced soon
Security specification: completeness, feasibility, refinement Eerke Boiten, University of Kent Dagstuhl “Refinement Based Methods ...”, Sep 2009
Cryptography based security • Naively ... ideal area for FM: small and mathematically sophisticated critical software • Example: bit commitment primitive • Security/correctness: binding, hiding, e.g. ... • For any probabilistic polynomial algorithm D, SD(D(commitn(0,X0)), D(commitn(1, X1)) with Xi uniform on {0,1}n is negligible in n.
Specification A B Commit(b) A T B Commit(b) Commit and b A B Open A T B Open Open(b)
Implementation electronic scratch cards???
Completeness of specification • Commitment: properties: hiding + binding + correctness, this is “obviously” equivalent to trusted party spec, so probably OK • E-voting: fairness, eligibility, individual verifiability, universal verifiability, privacy, coercion-resistance, receipt-freeness – assuming hostile computers, corrupt officials (or not) [Ryan, Kremer, ...] – complete?
Feasibility? • Commitment in its absolute form (no chance of cheating for either party) is infeasible • Universally composable commitment is provably impossible
Refinement? • State of the art: post-hoc verification only, very little machine proof checking or proving; notations and theories not for manipulation. • Direct proofs: no induction over BPP so by contradiction and probabilistic reduction • Game-hopping: similar but includes program equivalence ideas, automation improving • Development of abstractions: hit and miss; provably impossible for relevant primitives
Refinement impossible anyway • “You can’t do refinement for security” • E.g. ... System output is underspecified in a particular error case? Refine to ... • ... System output gives away my pin code! • Morgan “The shadow knows” (MPC 2006)
Refinement for cryptography – what are the elements? Overview • Action refinement • Approximate refinement • Probabilistic refinement • Attack model encodings, with complexity bounds?! • Skip next three slides with more details, there can’t be any time left!
Approximate Refinement • Arose to refine by int, etc (and as an alternative to “retrenchment”) • Needed as perfect security is often unrealistic or even provably impossible (commitment) • See [Boiten & Derrick, ZB 2005] or a draft paper on reconstructing commitment • Mingsheng Ying in a probabilistic setting
Probabilistic refinement • Nonces, and attack models (2x) • Specification formalisms difficult: how does probabilistic choice interact with other choice? • McIver and Morgan for action systems (inspired Hehner, Schneider et al, Kleene algebraists) • Probabilistic CSP still not quite solved
The final question: Attack models • Non-determinism subsumes malevolence, how does that generalise to include guessing? • ... and how is that restricted to remain polynomial? (Is timing termination?) • What does (probabilistic) refinement calculus say about game-hopping? • Can we encode things in relational ADT rather than action systems or CSP?
CryptoForma • A UK (EPSRC) network of excellence, starting with Birmingham, Bristol, HP, Kent, Microsoft, Royal Holloway, Surrey, ... (not closed!) • 3 years: workshops, meetings, visits, tutorials ...