![Page 1: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/1.jpg)
PhD Defense
Symbolic Proofs of Computational Indistinguishability
Adrien KoutsosThèse préparée au sein du LSV, ENS Paris-Saclay
September 27, 2019
![Page 2: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/2.jpg)
Introduction
![Page 3: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/3.jpg)
Motivation
Security ProtocolsDistributed programs which aim at providing some securityproperties.
2
![Page 4: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/4.jpg)
Security Properties
The ProblemAttacks against security protocols can be very damageable, e.g.theft or privacy breach.⇒ We need to check that protocols are secure.
The Context
• Security protocols may be short: few lines of specification.
• Security properties are complex.
• Eavesdrop• Intercept messages• Forge messages
[HeartBleed,TripleHandshake,LogJam]
3
![Page 5: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/5.jpg)
Security Properties
The ProblemAttacks against security protocols can be very damageable, e.g.theft or privacy breach.⇒ We need to check that protocols are secure.
The Context
• Security protocols may be short: few lines of specification.
• Security properties are complex.
• Eavesdrop• Intercept messages• Forge messages
[HeartBleed,TripleHandshake,LogJam]
3
![Page 6: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/6.jpg)
Security Properties
The ProblemAttacks against security protocols can be very damageable, e.g.theft or privacy breach.⇒ We need to check that protocols are secure.
The Context
• Security protocols may be short: few lines of specification.
• Security properties are complex.
• Eavesdrop• Intercept messages• Forge messages
[HeartBleed,TripleHandshake,LogJam]
3
![Page 7: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/7.jpg)
Security Properties
The ProblemAttacks against security protocols can be very damageable, e.g.theft or privacy breach.⇒ We need to check that protocols are secure.
The Context
• Security protocols may be short: few lines of specification.
• Security properties are complex.
• Eavesdrop• Intercept messages• Forge messages
[HeartBleed,TripleHandshake,LogJam]
3
![Page 8: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/8.jpg)
Can We Use Testing?
PrincipleRun the protocol multiple times, on random inputs, to lookfor bugs.
ProblemA protocol is not executed in a random environment:an adversary can systematically trigger an unlikely corner case.
4
![Page 9: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/9.jpg)
Can We Use Testing?
PrincipleRun the protocol multiple times, on random inputs, to lookfor bugs.
ProblemA protocol is not executed in a random environment:an adversary can systematically trigger an unlikely corner case.
4
![Page 10: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/10.jpg)
Formal Verification
GoalProvide a mathematical proof that a protocol P is secure:
∀
∈ C
( || P
)
|= φsafe
QuestionWhat is the class of attackers C?
5
![Page 11: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/11.jpg)
Formal Verification
GoalProvide a mathematical proof that a protocol P is secure:
∀
∈ C
( ||
P
)
|= φsafe
QuestionWhat is the class of attackers C?
5
![Page 12: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/12.jpg)
Formal Verification
GoalProvide a mathematical proof that a protocol P is secure:
∀
∈ C
( || P ) |= φsafe
QuestionWhat is the class of attackers C?
5
![Page 13: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/13.jpg)
Formal Verification
GoalProvide a mathematical proof that a protocol P is secure:
∀ ∈ C ( || P ) |= φsafe
QuestionWhat is the class of attackers C?
5
![Page 14: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/14.jpg)
Symbolic Attackers
Dolev-Yao Model
• Symbolic model, messages are (first-order) terms:
t = {〈A , nA〉}pkB
• The adversary is explicitly granted some capabilities, e.g.:
a b
〈a , b〉
m pk
{m}pk
〈a , b〉
a
〈a , b〉
b
{m}pk sk
m
6
![Page 15: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/15.jpg)
Symbolic Attackers
Advantages
• Adapted to proof automation: ProVerif, Tamarin, Deepsec. . .
• Can automatically find attacks.
ProblemWe prove only that there are no attacks using the capabilitiesgranted to the attacker.
7
![Page 16: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/16.jpg)
Symbolic Attackers
Advantages
• Adapted to proof automation: ProVerif, Tamarin, Deepsec. . .
• Can automatically find attacks.
ProblemWe prove only that there are no attacks using the capabilitiesgranted to the attacker.
7
![Page 17: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/17.jpg)
Computational Attackers
Computational Model
• More realistic model, messages are bit-strings.
• The attacker is any Probabilistic Polynomial-time TuringMachine (PPTM).
• The security property is expressed through a game.
Scenario1
(Concrete)Scenario2
(Ideal)VS.
8
![Page 18: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/18.jpg)
Computational Attackers
Computational Model
• More realistic model, messages are bit-strings.
• The attacker is any Probabilistic Polynomial-time TuringMachine (PPTM).
• The security property is expressed through a game.
Scenario1
(Concrete)Scenario2
(Ideal)VS.
8
![Page 19: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/19.jpg)
Computational Attackers
AdvantageThis model gives strong security guarantees.
Problems
• Proofs are long, complicated and error-prone.
• Implicit hypotheses.Example: An agent name cannot be confused with a pair.
• Proof automation is hard (CryptoVerif).
9
![Page 20: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/20.jpg)
Computational Attackers
AdvantageThis model gives strong security guarantees.
Problems
• Proofs are long, complicated and error-prone.
• Implicit hypotheses.Example: An agent name cannot be confused with a pair.
• Proof automation is hard (CryptoVerif).
9
![Page 21: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/21.jpg)
The Bana-Comon Model
The Bana-Comon Model
• Messages are modeled by (first-order) terms.
• Axioms specifying what the adversary cannot do.
len(u) = len(v){u}pk ∼ {v}pk
CPA
• We have to prove that the axioms entail the security property.
10
![Page 22: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/22.jpg)
The Bana-Comon Model
The Bana-Comon Model
• Messages are modeled by (first-order) terms.
• Axioms specifying what the adversary cannot do.
len(u) = len(v){u}pk ∼ {v}pk
CPA
• We have to prove that the axioms entail the security property.
10
![Page 23: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/23.jpg)
The Bana-Comon Model
The Bana-Comon Model
• Messages are modeled by (first-order) terms.
• Axioms specifying what the adversary cannot do.
len(u) = len(v){u}pk ∼ {v}pk
CPA
• We have to prove that the axioms entail the security property.
10
![Page 24: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/24.jpg)
The Bana-Comon Model
Advantages
• This model gives strong security guarantees.
• Formal model, which may be amenable to automateddeduction techniques.
• All hypotheses are explicit (in the axioms).
Variants
• A reachability logic, studied in Scerri’s thesis.
• A more recent indistinguishability logic.
11
![Page 25: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/25.jpg)
The Bana-Comon Model
Advantages
• This model gives strong security guarantees.
• Formal model, which may be amenable to automateddeduction techniques.
• All hypotheses are explicit (in the axioms).
Variants
• A reachability logic, studied in Scerri’s thesis.
• A more recent indistinguishability logic.
11
![Page 26: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/26.jpg)
The Bana-Comon Model
Problems at the Beginning of this Thesis
• Usefulness remained to be shown:• lack of case studies (only a toy example).• small set of axioms.
• No proof automation.
12
![Page 27: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/27.jpg)
This Thesis
Contributions
• Case study of two RFID protocols, KCL and LAK.
• Case study of a complex protocol, AKA.
• Decidability result for a fixed set of axioms.
13
![Page 28: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/28.jpg)
The AKA Protocol
![Page 29: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/29.jpg)
Authentication and Key Agreement Protocol
UESN HN
Wireless channel
µ
Secure channel (TLS)
Security Properties
• Mutual authentication between the user and theservice provider.
• Untraceability of the user against an outside observer.
14
![Page 30: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/30.jpg)
Authentication and Key Agreement Protocol
UESN HN
Wireless channel
µ
Secure channel (TLS)
Security Properties
• Mutual authentication between the user and theservice provider.
• Untraceability of the user against an outside observer.
14
![Page 31: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/31.jpg)
Authentication and Key Agreement Protocol
UESN HN
Wireless channel
µ
Secure channel (TLS)
Security Properties
• Mutual authentication between the user and theservice provider.
• Untraceability of the user against an outside observer.
14
![Page 32: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/32.jpg)
Replay Protection
15 16
· · ·
3EYFPOCGµ(EYFP|FTU)µ(EYFP|16|FTU)
YLPZCCSµ(EYFP|CCS)3
· · ·
· · ·µ(FGHA|VHP)
YLPZCCSµ(EYFP|CCS)?716
· · ·
?7µ(EYFP|FTU)µ(EYFP|16|FTU)
15
![Page 33: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/33.jpg)
Replay Protection
15 16
· · ·
3EYFPOCGµ(EYFP|FTU)µ(EYFP|16|FTU)
YLPZCCSµ(EYFP|CCS)3
· · ·
· · ·µ(FGHA|VHP)
YLPZCCSµ(EYFP|CCS)?716
· · ·
?7µ(EYFP|FTU)µ(EYFP|16|FTU)
15
![Page 34: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/34.jpg)
Replay Protection
15 16
· · ·
3EYFPOCGµ(EYFP|FTU)µ(EYFP|16|FTU)
YLPZCCSµ(EYFP|CCS)3
· · ·
· · ·µ(FGHA|VHP)
YLPZCCSµ(EYFP|CCS)?716
· · ·
?7µ(EYFP|FTU)µ(EYFP|16|FTU)
15
![Page 35: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/35.jpg)
Replay Protection
15 16
· · ·
3EYFPOCGµ(EYFP|FTU)µ(EYFP|16|FTU)
YLPZCCSµ(EYFP|CCS)3
· · ·
· · ·µ(FGHA|VHP)
YLPZCCSµ(EYFP|CCS)?716
· · ·
?7µ(EYFP|FTU)µ(EYFP|16|FTU)
15
![Page 36: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/36.jpg)
Replay Protection
15 16
· · ·
3EYFPOCGµ(EYFP|FTU)µ(EYFP|16|FTU)
YLPZCCSµ(EYFP|CCS)3
· · ·
· · ·µ(FGHA|VHP)
YLPZCCSµ(EYFP|CCS)?716
· · ·
?7µ(EYFP|FTU)µ(EYFP|16|FTU)
15
![Page 37: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/37.jpg)
Replay Protection
15 16
· · ·
3EYFPOCGµ(EYFP|FTU)µ(EYFP|16|FTU)
YLPZCCSµ(EYFP|CCS)3
· · ·
· · ·µ(FGHA|VHP)
YLPZCCSµ(EYFP|CCS)?716
· · ·
?7µ(EYFP|FTU)µ(EYFP|16|FTU)
15
![Page 38: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/38.jpg)
Replay Protection
15 16
· · ·
3EYFPOCGµ(EYFP|FTU)µ(EYFP|16|FTU)
YLPZCCSµ(EYFP|CCS)3
· · ·
· · ·µ(FGHA|VHP)
YLPZCCSµ(EYFP|CCS)?716
· · ·
?7µ(EYFP|FTU)µ(EYFP|16|FTU)
15
![Page 39: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/39.jpg)
id, k, sqnu id, k, sqnn
id
⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩bmac ← check-mac
bsqn ← check-range(sqnu, sqnn)
sqnn ← sqnn + 1
sqnu ← sqnnH2
k(n)
bmac ∧ bsqn
“Auth-Failure”¬bmac
⟨sqnu ⊕ H5,∗
k (n) , H1,∗k (〈sqnu , n〉)
⟩If the mac is valid:sqnn ← sqnu + 1
bmac ∧ ¬bsqn
4G-AKA 16
![Page 40: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/40.jpg)
id, k, sqnu id, k, sqnn
id
⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩bmac ← check-mac
bsqn ← check-range(sqnu, sqnn)
sqnn ← sqnn + 1
sqnu ← sqnnH2
k(n)
bmac ∧ bsqn
“Auth-Failure”¬bmac
⟨sqnu ⊕ H5,∗
k (n) , H1,∗k (〈sqnu , n〉)
⟩If the mac is valid:sqnn ← sqnu + 1
bmac ∧ ¬bsqn
4G-AKA 16
![Page 41: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/41.jpg)
id, k, sqnu id, k, sqnn
id
⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩bmac ← check-mac
bsqn ← check-range(sqnu, sqnn)
sqnn ← sqnn + 1
sqnu ← sqnnH2
k(n)
bmac ∧ bsqn
“Auth-Failure”¬bmac
⟨sqnu ⊕ H5,∗
k (n) , H1,∗k (〈sqnu , n〉)
⟩If the mac is valid:sqnn ← sqnu + 1
bmac ∧ ¬bsqn
4G-AKA 16
![Page 42: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/42.jpg)
id, k, sqnu id, k, sqnn
id
⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩bmac ← check-mac
bsqn ← check-range(sqnu, sqnn)
sqnn ← sqnn + 1
sqnu ← sqnnH2
k(n)
bmac ∧ bsqn
“Auth-Failure”¬bmac
⟨sqnu ⊕ H5,∗
k (n) , H1,∗k (〈sqnu , n〉)
⟩If the mac is valid:sqnn ← sqnu + 1
bmac ∧ ¬bsqn
4G-AKA 16
![Page 43: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/43.jpg)
id, k, sqnu id, k, sqnn
id
⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩bmac ← check-mac
bsqn ← check-range(sqnu, sqnn)
sqnn ← sqnn + 1
sqnu ← sqnnH2
k(n)
bmac ∧ bsqn
“Auth-Failure”¬bmac
⟨sqnu ⊕ H5,∗
k (n) , H1,∗k (〈sqnu , n〉)
⟩If the mac is valid:sqnn ← sqnu + 1
bmac ∧ ¬bsqn
4G-AKA 16
![Page 44: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/44.jpg)
The imsi Catcher Attack [Strobel, 2007]
No Confidentiality of the User IdentityThe id is sent in plain text!
UE Attackertmp-id or id
“Permanent-ID-Request”If tmp-id received
id
Why This is a Major Attack
• Reliable: always works.
• Easy to deploy: only needs an antenna.
• Large scale: is not targeted.
17
![Page 45: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/45.jpg)
The imsi Catcher Attack [Strobel, 2007]
No Confidentiality of the User IdentityThe id is sent in plain text!
UE Attackertmp-id or id
“Permanent-ID-Request”If tmp-id received
id
Why This is a Major Attack
• Reliable: always works.
• Easy to deploy: only needs an antenna.
• Large scale: is not targeted.
17
![Page 46: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/46.jpg)
The imsi Catcher Attack [Strobel, 2007]
No Confidentiality of the User IdentityThe id is sent in plain text!
UE Attackertmp-id or id
“Permanent-ID-Request”If tmp-id received
id
Why This is a Major Attack
• Reliable: always works.
• Easy to deploy: only needs an antenna.
• Large scale: is not targeted.
17
![Page 47: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/47.jpg)
Privacy in 5G-AKA
The 5G-AKA protocol5G-AKA is the next version of AKA (drafts are available).
3GPP fix for 5G-AKA
Simply encrypts the permanent identity by sending {id}pkn
18
![Page 48: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/48.jpg)
Privacy in 5G-AKA
The 5G-AKA protocol5G-AKA is the next version of AKA (drafts are available).
3GPP fix for 5G-AKA
Simply encrypts the permanent identity by sending {id}pkn
18
![Page 49: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/49.jpg)
id, k, pkn, sqnu id, k, skn, sqnn
{id}pkn⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩bmac ← check mac
bsqn ← check range(sqnu, sqnn)
sqnn ← sqnn + 1
sqnu ← sqnnH2
k(n)
bmac ∧ bsqn
“Auth-Failure”¬bmac
⟨sqnu ⊕ H5,∗
k (n) , H1,∗k (〈sqnu , n〉)
⟩If the mac is valid:sqnn ← sqnu + 1
bmac ∧ ¬bsqn
5G-AKA 19
![Page 50: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/50.jpg)
Privacy in 5G-AKA
Is it enough?
For confidentiality of the id, yes.
For unlinkability, no.
20
![Page 51: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/51.jpg)
Privacy in 5G-AKA
Is it enough?
For confidentiality of the id, yes.
For unlinkability, no.
20
![Page 52: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/52.jpg)
Privacy in 5G-AKA
Is it enough?
For confidentiality of the id, yes.
For unlinkability, no.
20
![Page 53: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/53.jpg)
Unlinkability
Unlinkability AttackEven if id is hidden, an attacker can link sessions of a user.
Example of an Unlinkability Scenario
F
A
A
B
B
A
C
B
D
B
E
B
F
∼
21
![Page 54: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/54.jpg)
Unlinkability
Unlinkability AttackEven if id is hidden, an attacker can link sessions of a user.
Example of an Unlinkability Scenario
F
A
A
B
B
A
C
B
D
B
E
B
F
∼
21
![Page 55: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/55.jpg)
Unlinkability
Unlinkability AttackEven if id is hidden, an attacker can link sessions of a user.
Example of an Unlinkability Scenario
F
A
A
B
B
A
C
B
D
B
E
B
F
∼
21
![Page 56: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/56.jpg)
Unlinkability
Unlinkability AttackEven if id is hidden, an attacker can link sessions of a user.
Example of an Unlinkability Scenario
F
A
A
B
B
A
C
B
D
B
E
B
F
∼
21
![Page 57: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/57.jpg)
Unlinkability
Unlinkability AttackEven if id is hidden, an attacker can link sessions of a user.
Example of an Unlinkability Scenario
F
A
A
B
B
A
C
B
D
B
E
B
F
∼
21
![Page 58: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/58.jpg)
The Failure Message Attack [Arapinis et al., 2012]
UE(idA) HNtauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩H2
k(n)
UE(idB) Attackertauth
“Auth-Failure”If idB 6= idA
tre-sync ≡⟨sqnu ⊕ H5,∗
k (n) , H1,∗k (〈sqnu , n〉)
⟩If idB = idA
Unlinkability AttackThe adversary knows if it interacted with idA or idB.
22
![Page 59: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/59.jpg)
The Failure Message Attack [Arapinis et al., 2012]
UE(idA) HNtauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩H2
k(n)
UE(idB) Attackertauth
“Auth-Failure”If idB 6= idA
tre-sync ≡⟨sqnu ⊕ H5,∗
k (n) , H1,∗k (〈sqnu , n〉)
⟩If idB = idA
Unlinkability AttackThe adversary knows if it interacted with idA or idB.
22
![Page 60: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/60.jpg)
The Failure Message Attack [Arapinis et al., 2012]
UE(idA) HNtauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩H2
k(n)
UE(idB) Attackertauth
“Auth-Failure”If idB 6= idA
tre-sync ≡⟨sqnu ⊕ H5,∗
k (n) , H1,∗k (〈sqnu , n〉)
⟩If idB = idA
Unlinkability AttackThe adversary knows if it interacted with idA or idB.
22
![Page 61: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/61.jpg)
The Failure Message Attack [Arapinis et al., 2012]
UE(idA) HNtauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩H2
k(n)
UE(idB) Attackertauth
“Auth-Failure”If idB 6= idA
tre-sync ≡⟨sqnu ⊕ H5,∗
k (n) , H1,∗k (〈sqnu , n〉)
⟩If idB = idA
Unlinkability AttackThe adversary knows if it interacted with idA or idB.
22
![Page 62: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/62.jpg)
Goal
Goal
Design a modified version of AKA, called AKA+, that:
• Provides some form of unlinkability.
• Satisfies the design and efficiency constraints of 5G-AKA.
• Is proved secure.
23
![Page 63: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/63.jpg)
Goal
Goal
Design a modified version of AKA, called AKA+, that:
• Provides some form of unlinkability.
• Satisfies the design and efficiency constraints of 5G-AKA.
• Is proved secure.
23
![Page 64: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/64.jpg)
Goal
Goal
Design a modified version of AKA, called AKA+, that:
• Provides some form of unlinkability.
• Satisfies the design and efficiency constraints of 5G-AKA.
• Is proved secure.
23
![Page 65: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/65.jpg)
Theorem
Theorem
The AKA+ protocol is σ-unlinkable for an arbitrary number ofagents and sessions when:
• The asymmetric encryption {_}_ is ind-cca1.
• H and Hr (resp. Mac1–Mac5) are jointly prf.
Remarks
• Computational security.
• AKA+ is stateful, and uses the ⊕ operator.
• The proof is technical (around 80 pages).
24
![Page 66: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/66.jpg)
Theorem
Theorem
The AKA+ protocol is σ-unlinkable for an arbitrary number ofagents and sessions when:
• The asymmetric encryption {_}_ is ind-cca1.
• H and Hr (resp. Mac1–Mac5) are jointly prf.
Remarks
• Computational security.
• AKA+ is stateful, and uses the ⊕ operator.
• The proof is technical (around 80 pages).
24
![Page 67: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/67.jpg)
The Bana-Comon Model
![Page 68: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/68.jpg)
Example of a Protocol
A Simple Handshake
1 : A −→ B : nA
2 : B −→ A : {〈B , nA〉}pk(A)
25
![Page 69: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/69.jpg)
Bana-Comon Model: Messages
MessagesWe use terms to model protocol messages, built upon:
• Names N , e.g. nA, nB, for random samplings.
• Function symbols F , e.g.:
A, B, 〈_ , _〉 , πi (_), {_}_, pk(_), sk(_)
if_then_else_, eq(_,_)
Examples
〈nA , A〉 π1(nB) {〈B , nA〉}pk(A)
26
![Page 70: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/70.jpg)
Bana-Comon Model: Messages
MessagesWe use terms to model protocol messages, built upon:
• Names N , e.g. nA, nB, for random samplings.
• Function symbols F , e.g.:
A, B, 〈_ , _〉 , πi (_), {_}_, pk(_), sk(_)
if_then_else_, eq(_,_)
Examples
〈nA , A〉 π1(nB) {〈B , nA〉}pk(A)
26
![Page 71: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/71.jpg)
Bana-Comon Model: Messages
A Simple Handshake
1 : A −→ B : nA
2 : B −→ A : {〈B , nA 〉}pk(A)
How do we represent the adversary’s inputs?
• We use an adversarial functions symbol g.g’s input is the current knowledge of the adversary.
• Intuitively, g can be any PPTM.
27
![Page 72: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/72.jpg)
Bana-Comon Model: Messages
A Simple Handshake
1 : A −→ B : nA
2 : B −→ A : {〈B , nA 〉}pk(A)
How do we represent the adversary’s inputs?
• We use an adversarial functions symbol g.g’s input is the current knowledge of the adversary.
• Intuitively, g can be any PPTM.
27
![Page 73: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/73.jpg)
Bana-Comon Model: Messages
A Simple Handshake
1 : A −→ B : nA
2 : B −→ A : {〈B , nA 〉}pk(A)
How do we represent the adversary’s inputs?
• We use an adversarial functions symbol g.g’s input is the current knowledge of the adversary.
• Intuitively, g can be any PPTM.
27
![Page 74: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/74.jpg)
Bana-Comon Model: Messages
A Simple Handshake
1 : A −→ B : nA
2 : B −→ A : {〈B , nA 〉}pk(A)
Term Representing the Messages
t1 = nA
t2 ={⟨
B, g(t1)⟩}
pk(A)
28
![Page 75: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/75.jpg)
Bana-Comon Model: Messages
A Simple Handshake
1 : A −→ B : nA
2 : B −→ A : {〈B , nA 〉}pk(A)
Term Representing the Messages
t1 = nA
t2 ={⟨
B, g(t1)⟩}
pk(A)
28
![Page 76: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/76.jpg)
Bana-Comon Model: Security Properties
FormulaFormulas are built using a predicate ∼ of arbitrary arity.
Example
n ∼ if g() then n else n′
29
![Page 77: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/77.jpg)
Bana-Comon Model: Security Properties
FormulaFormulas are built using a predicate ∼ of arbitrary arity.
Example
n ∼ if g() then n else n′
29
![Page 78: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/78.jpg)
Example of a Proof
g(), n ∼ g(), n
Refl
g(), n ∼ g(), n′
Refl
if g() then n else n ∼ if g() then n else n′
CS
n ∼ if g() then n else n′
R
t ∼ us ∼ u R
when s =R t
(x =R if b then x else x)
b, u ∼ b′, u′ b, v ∼ b′, v ′
if b then u else v ∼ if b′ then u′ else v ′ CS
30
![Page 79: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/79.jpg)
Example of a Proof
g(), n ∼ g(), n
Refl
g(), n ∼ g(), n′
Refl
if g() then n else n ∼ if g() then n else n′
CS
n ∼ if g() then n else n′
R
t ∼ us ∼ u R
when s =R t
(x =R if b then x else x)
b, u ∼ b′, u′ b, v ∼ b′, v ′
if b then u else v ∼ if b′ then u′ else v ′ CS
30
![Page 80: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/80.jpg)
Example of a Proof
g(), n ∼ g(), n
Refl
g(), n ∼ g(), n′
Refl
if g() then n else n ∼ if g() then n else n′
CS
n ∼ if g() then n else n′ R
t ∼ us ∼ u R
when s =R t
(x =R if b then x else x)
b, u ∼ b′, u′ b, v ∼ b′, v ′
if b then u else v ∼ if b′ then u′ else v ′ CS
30
![Page 81: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/81.jpg)
Example of a Proof
g(), n ∼ g(), n
Refl
g(), n ∼ g(), n′
Refl
if g() then n else n ∼ if g() then n else n′
CS
n ∼ if g() then n else n′ R
t ∼ us ∼ u R
when s =R t
(x =R if b then x else x)
b, u ∼ b′, u′ b, v ∼ b′, v ′
if b then u else v ∼ if b′ then u′ else v ′ CS
30
![Page 82: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/82.jpg)
Example of a Proof
g(), n ∼ g(), n
Refl
g(), n ∼ g(), n′
Refl
if g() then n else n ∼ if g() then n else n′ CS
n ∼ if g() then n else n′ R
t ∼ us ∼ u R
when s =R t
(x =R if b then x else x)
b, u ∼ b′, u′ b, v ∼ b′, v ′
if b then u else v ∼ if b′ then u′ else v ′ CS
30
![Page 83: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/83.jpg)
Example of a Proof
g(), n ∼ g(), n Reflg(), n ∼ g(), n′ Refl
if g() then n else n ∼ if g() then n else n′ CS
n ∼ if g() then n else n′ R
t ∼ us ∼ u R
when s =R t
(x =R if b then x else x)
b, u ∼ b′, u′ b, v ∼ b′, v ′
if b then u else v ∼ if b′ then u′ else v ′ CS
30
![Page 84: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/84.jpg)
Decision Result
![Page 85: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/85.jpg)
Decidability
Decision Problem: DerivabilityInput: A ground formula ~u ∼ ~v .Question: Is there a derivation of ~u ∼ ~v using Ax?
or equivalently
Decision Problem: Game TransformationsInput: A game ~u ∼ ~v .Question: Is there a sequence of cryptographic gametransformations in Ax showing that ~u ∼ ~v is secure?
31
![Page 86: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/86.jpg)
Decidability
Decision Problem: DerivabilityInput: A ground formula ~u ∼ ~v .Question: Is there a derivation of ~u ∼ ~v using Ax?
or equivalently
Decision Problem: Game TransformationsInput: A game ~u ∼ ~v .Question: Is there a sequence of cryptographic gametransformations in Ax showing that ~u ∼ ~v is secure?
31
![Page 87: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/87.jpg)
The Set of Axioms Ax
u ∼ tu ∼ s R
when s =R t
b, u ∼ b′, u′ b, v ∼ b′, v ′
if b then u else v ∼ if b′ then u′ else v ′ CS
x ∼ yx , x ∼ y , y Dup
x1, . . . , xn ∼ y1, . . . , ynf (x1, . . . , xn) ∼ f (y1, . . . , yn)
FA
~u , {s}pk(n) ∼ ~u , {t}pk(n)CCA1 when . . .
32
![Page 88: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/88.jpg)
The Set of Axioms Ax
u ∼ tu ∼ s R
when s =R t
b, u ∼ b′, u′ b, v ∼ b′, v ′
if b then u else v ∼ if b′ then u′ else v ′ CS
x ∼ yx , x ∼ y , y Dup
x1, . . . , xn ∼ y1, . . . , ynf (x1, . . . , xn) ∼ f (y1, . . . , yn)
FA
~u , {s}pk(n) ∼ ~u , {t}pk(n)CCA1 when . . .
32
![Page 89: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/89.jpg)
The Set of Axioms Ax
u ∼ tu ∼ s R
when s =R t
b, u ∼ b′, u′ b, v ∼ b′, v ′
if b then u else v ∼ if b′ then u′ else v ′ CS
x ∼ yx , x ∼ y , y Dup
x1, . . . , xn ∼ y1, . . . , ynf (x1, . . . , xn) ∼ f (y1, . . . , yn)
FA
~u , {s}pk(n) ∼ ~u , {t}pk(n)CCA1 when . . .
32
![Page 90: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/90.jpg)
The Set of Axioms Ax
u ∼ tu ∼ s R
when s =R t
b, u ∼ b′, u′ b, v ∼ b′, v ′
if b then u else v ∼ if b′ then u′ else v ′ CS
x ∼ yx , x ∼ y , y Dup
x1, . . . , xn ∼ y1, . . . , ynf (x1, . . . , xn) ∼ f (y1, . . . , yn)
FA
~u , {s}pk(n) ∼ ~u , {t}pk(n)CCA1 when . . .
32
![Page 91: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/91.jpg)
Equational Theory
Equational Theory: Protocol Functions
• πi (〈x1, x2〉) = xi i ∈ {1, 2}• dec({x}pk(y), sk(y)) = x
33
![Page 92: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/92.jpg)
Equational Theory
Equational Theory: Protocol Functions
If Homomorphism:f (~u, if b then x else y , ~v) = if b then f (~u, x , ~v) else f (~u, y , ~v)
if (if b then a else c) then x else y =
if b then (if a then x else y) else (if c then x else y)
If Rewriting:
if b then x else x = x
if b then (if b then x else y) else z = if b then x else z
if b then x else (if b then y else z) = if b then x else z
If Re-Ordering:if b then (if a then x else y) else z =
if a then (if b then x else z) else (if b then y else z)
if b then x else (if a then y else z) =
if a then (if b then x else y) else (if b then x else z)34
![Page 93: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/93.jpg)
Equational Theory
Equational Theory: Protocol Functions
If Homomorphism:f (~u, if b then x else y , ~v) = if b then f (~u, x , ~v) else f (~u, y , ~v)
if (if b then a else c) then x else y =
if b then (if a then x else y) else (if c then x else y)
If Rewriting:
if b then x else x = x
if b then (if b then x else y) else z = if b then x else z
if b then x else (if b then y else z) = if b then x else z
If Re-Ordering:if b then (if a then x else y) else z =
if a then (if b then x else z) else (if b then y else z)
if b then x else (if a then y else z) =
if a then (if b then x else y) else (if b then x else z)34
![Page 94: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/94.jpg)
Strategy
Deconstructing RulesRules CCA1, CS,FA and Dup are decreasing transformations.
u ∼ tu ∼ s R
when s =R t
b, u ∼ b′, u′ b, v ∼ b′, v ′
if b then u else v ∼ if b′ then u′ else v ′ CS
x ∼ yx , x ∼ y , y Dup
x1, . . . , xn ∼ y1, . . . , ynf (x1, . . . , xn) ∼ f (y1, . . . , yn)
FA
~u , {s}pk(n) ∼ ~u , {t}pk(n)CCA1 when . . .
ProblemThe rule R is not decreasing!
35
![Page 95: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/95.jpg)
Strategy
Deconstructing RulesRules CCA1, CS,FA and Dup are decreasing transformations.
u ∼ tu ∼ s R
when s =R t
b, u ∼ b′, u′ b, v ∼ b′, v ′
if b then u else v ∼ if b′ then u′ else v ′ CS
x ∼ yx , x ∼ y , y Dup
x1, . . . , xn ∼ y1, . . . , ynf (x1, . . . , xn) ∼ f (y1, . . . , yn)
FA
~u , {s}pk(n) ∼ ~u , {t}pk(n)CCA1 when . . .
ProblemThe rule R is not decreasing!
35
![Page 96: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/96.jpg)
Strategy
Deconstructing RulesRules CCA1, CS,FA and Dup are decreasing transformations.
u ∼ tu ∼ s R
when s =R t
b, u ∼ b′, u′ b, v ∼ b′, v ′
if b then u else v ∼ if b′ then u′ else v ′ CS
x ∼ yx , x ∼ y , y Dup
x1, . . . , xn ∼ y1, . . . , ynf (x1, . . . , xn) ∼ f (y1, . . . , yn)
FA
~u , {s}pk(n) ∼ ~u , {t}pk(n)CCA1 when . . .
ProblemThe rule R is not decreasing!
35
![Page 97: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/97.jpg)
Difficulties
If Introduction: x → if b then x else x
g(), n ∼ g(), n Reflg(), n ∼ g(), n′ Refl
if g() then n else n ∼ if g() then n else n′ CS
n ∼ if g() then n else n′ R
Bounded Introduction
The introduced conditional g() is bounded by the other side.
36
![Page 98: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/98.jpg)
Difficulties
If Introduction: x → if b then x else x
g(), n ∼ g(), n Reflg(), n ∼ g(), n′ Refl
if g() then n else n ∼ if g() then n else n′ CS
n ∼ if g() then n else n′ R
Bounded Introduction
The introduced conditional g() is bounded by the other side.
36
![Page 99: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/99.jpg)
Decision Procedure
Proof Cut: Introduction of a Conditional on Both Sides
a, s ∼ b, t a, s ∼ b, t
if a then s else s ∼ if b then t else tCS
s ∼ t R
LemmaWe can extract from a, s ∼ b, t a (smaller) proof of s ∼ t.
⇒ Proof Cut Elimination
37
![Page 100: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/100.jpg)
Decision Procedure
Proof Cut: Introduction of a Conditional on Both Sides
a, s ∼ b, t a, s ∼ b, t
if a then s else s ∼ if b then t else tCS
s ∼ t R
LemmaWe can extract from a, s ∼ b, t a (smaller) proof of s ∼ t.
⇒ Proof Cut Elimination
37
![Page 101: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/101.jpg)
Decision Procedure
Proof Cut: Introduction of a Conditional on Both Sides
a, s ∼ b, t a, s ∼ b, t
if a then s else s ∼ if b then t else tCS
s ∼ t R
LemmaWe can extract from a, s ∼ b, t a (smaller) proof of s ∼ t.
⇒ Proof Cut Elimination
37
![Page 102: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/102.jpg)
Decision Procedure
Proof Cut
a, b, b, u,w , u, v ∼ d , c , d , s, t, r , p
a
b
u b
w u
v∼
d
c
s d
t r
p
FA(3)
if a then u else v ∼ if c then s else t
R
where p ≡ if c then s else t
Key LemmaIf b, b ∼ c , d can be shown using only FA,Dup and CCA1 then:
c ≡ d
38
![Page 103: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/103.jpg)
Decision Procedure
Proof Cut
a, b, b, u,w , u, v ∼ d , c , d , s, t, r , p
a
b
u b
w u
v∼
d
c
s d
t r
p
FA(3)
if a then u else v ∼ if c then s else tR
where p ≡ if c then s else t
Key LemmaIf b, b ∼ c , d can be shown using only FA,Dup and CCA1 then:
c ≡ d
38
![Page 104: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/104.jpg)
Decision Procedure
Proof Cut
a, b, b, u,w , u, v ∼ d , c , d , s, t, r , p
a
b
u b
w u
v∼
d
c
s d
t r
p
FA(3)
if a then u else v ∼ if c then s else tR
where p ≡ if c then s else t
Key LemmaIf b, b ∼ c , d can be shown using only FA,Dup and CCA1 then:
c ≡ d
38
![Page 105: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/105.jpg)
Decision Procedure
Proof Cut
a, b, b, u,w , u, v ∼ d , c , d , s, t, r , p
a
b
u b
w u
v∼
d
c
s d
t r
p
FA(3)
if a then u else v ∼ if c then s else tR
where p ≡ if c then s else t
Key LemmaIf b, b ∼ c , d can be shown using only FA,Dup and CCA1 then:
c ≡ d
38
![Page 106: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/106.jpg)
Decision Procedure
Proof Cut
a, b, b, u,w , u, v ∼ d , c , d , s, t, r , p
a
b
u b
w u
v∼
d
c
s d
t r
p
FA(3)
if a then u else v ∼ if c then s else tR
where p ≡ if c then s else t
Proof Cut Elimination
• b, b ∼ c , d =⇒ c ≡ d .
• a, b ∼ d , c =⇒ a ≡ b.
39
![Page 107: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/107.jpg)
Decision Procedure
Proof Cut
a, b, b, u,w , u, v ∼ d , c , d , s, t, r , p
a
b
u b
w u
v∼
d
c
s d
t r
p
FA(3)
if a then u else v ∼ if c then s else tR
where p ≡ if c then s else t
Proof Cut Elimination
• b, b ∼ c , d =⇒ c ≡ d .
• a, b ∼ d , c =⇒ a ≡ b.
39
![Page 108: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/108.jpg)
Strategy: Theorem
TheoremThe following problem is decidable:Input: A ground formula ~u ∼ ~v .Question: Is there a derivation of ~u ∼ ~v using Ax?
Remark: Unitary Inference RulesThis holds when using CCA2 as unitary inference rules.
Sketch
• Commute rule applications to order them as follows:
(2Box+R�) · CS� · FAif · FAf · Dup · CCA2
• We do proof cut eliminations to get a small proof.
40
![Page 109: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/109.jpg)
Strategy: Theorem
TheoremThe following problem is decidable:Input: A ground formula ~u ∼ ~v .Question: Is there a derivation of ~u ∼ ~v using Ax?
Remark: Unitary Inference RulesThis holds when using CCA2 as unitary inference rules.
Sketch
• Commute rule applications to order them as follows:
(2Box+R�) · CS� · FAif · FAf · Dup · CCA2
• We do proof cut eliminations to get a small proof.
40
![Page 110: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/110.jpg)
Strategy: Theorem
TheoremThe following problem is decidable:Input: A ground formula ~u ∼ ~v .Question: Is there a derivation of ~u ∼ ~v using Ax?
Remark: Unitary Inference RulesThis holds when using CCA2 as unitary inference rules.
Sketch
• Commute rule applications to order them as follows:
(2Box+R�) · CS� · FAif · FAf · Dup · CCA2
• We do proof cut eliminations to get a small proof.
40
![Page 111: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/111.jpg)
Conclusion
![Page 112: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/112.jpg)
Conclusion: Contributions
RFID ProtocolsStudied the privacy of two RFID protocols, KCL and LAK.
The 5G-AKA Protocol
• Showed that some attacks against 4G-AKA apply to 5G-AKA.
• Proposed a fixed version, and proved it secure in thecomputational model.
• Found a new privacy attack on another protocol, priv-aka.
41
![Page 113: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/113.jpg)
Conclusion: Contributions
Decidability Result
• Decidability of a set of inference rules for computationalindistinguishability.
• First decidability result for a non-trivial set of cryptographicgame transformations.
42
![Page 114: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/114.jpg)
Perspectives
Study the Scope of the Decidability Result
• Support for a larger class of primitives and associatedassumptions.
• Undecidability results for extensions of the set of axioms.
Proof Automation for the AKA+ Case Study
• AKA+ security proof is very lengthy (around 80 pages).
• The proofs are out-of-scope of the decidability result:• Arbitrary number of sessions (induction).• Reasoning on sequence numbers.
⇒ We need some proof automation/mechanization.
43
![Page 115: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/115.jpg)
Perspectives
Study the Scope of the Decidability Result
• Support for a larger class of primitives and associatedassumptions.
• Undecidability results for extensions of the set of axioms.
Proof Automation for the AKA+ Case Study
• AKA+ security proof is very lengthy (around 80 pages).
• The proofs are out-of-scope of the decidability result:• Arbitrary number of sessions (induction).• Reasoning on sequence numbers.
⇒ We need some proof automation/mechanization.
43
![Page 116: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/116.jpg)
References i
[Arapinis et al., 2012] Arapinis, M., Mancini, L. I., Ritter, E., Ryan,M., Golde, N., Redon, K., and Borgaonkar, R. (2012).New privacy issues in mobile telephony: fix andverification.In the ACM Conference on Computer and CommunicationsSecurity, CCS’12, pages 205–216. ACM.
[Fouque et al., 2016] Fouque, P., Onete, C., and Richard, B.(2016).Achieving better privacy for the 3GPP AKA protocol.PoPETs, 2016(4):255–275.
![Page 117: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/117.jpg)
References ii
[Strobel, 2007] Strobel, D. (2007).IMSI catcher.Ruhr-Universität Bochum, Seminar Work.
![Page 118: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/118.jpg)
The Encrypted id Replay Attack
UE(idA) HN{idA}pkn
UE(idB) HN{idB}pkn/
{idA}pkn
tauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩Failure MessageIf idB 6= idA
taccept ≡ H2k(n)
If idB = idA
Unlinkability AttackThe adversary knows if it interacted with idA or idB.
![Page 119: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/119.jpg)
The Encrypted id Replay Attack
UE(idA) HN{idA}pkn
UE(idB) HN{idB}pkn/
{idA}pkn
tauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩Failure MessageIf idB 6= idA
taccept ≡ H2k(n)
If idB = idA
Unlinkability AttackThe adversary knows if it interacted with idA or idB.
![Page 120: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/120.jpg)
The Encrypted id Replay Attack
UE(idA) HN{idA}pkn
UE(idB) HN{idB}pkn/
{idA}pkn
tauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩Failure MessageIf idB 6= idA
taccept ≡ H2k(n)
If idB = idA
Unlinkability AttackThe adversary knows if it interacted with idA or idB.
![Page 121: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/121.jpg)
The Encrypted id Replay Attack
UE(idA) HN{idA}pkn
UE(idB) HN{idB}pkn/
{idA}pkn
tauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩Failure MessageIf idB 6= idA
taccept ≡ H2k(n)
If idB = idA
Unlinkability AttackThe adversary knows if it interacted with idA or idB.
![Page 122: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/122.jpg)
Key Ideas
Key Ideas Behind AKA+
• Postpone re-synchronization to the next session:
{〈id , sqnu〉}pkn
• No re-synchronization message =⇒ no failure message attack.• No extra randomness for the user.
• Add a challenge n from the HN when using the permanentidentity.UE HN
n⟨{〈id , sqnu〉}pkn
, Mac1km(〈{〈id , sqnu〉}pkn
, n〉)⟩
UE(idA) HNtauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩H2
k(n)
UE(idB) Attackertauth
“Auth-Failure”If idB 6= idA
tre-sync ≡⟨sqnu ⊕ H5,∗
k (n) , H1,∗k (〈sqnu , n〉)
⟩If idB = idA
The Failure Message Attack
UE(idA) HN{idA}pkn
UE(idB) HN{idB}pkn/
{idA}pkn
tauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩Failure MessageIf idB 6= idA
taccept ≡ H2k(n)
If idB = idA
The Encrypted id Replay Attack
![Page 123: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/123.jpg)
Key Ideas
Key Ideas Behind AKA+
• Postpone re-synchronization to the next session:
{〈id , sqnu〉}pkn
• No re-synchronization message =⇒ no failure message attack.• No extra randomness for the user.
• Add a challenge n from the HN when using the permanentidentity.UE HN
n⟨{〈id , sqnu〉}pkn
, Mac1km(〈{〈id , sqnu〉}pkn
, n〉)⟩
UE(idA) HNtauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩H2
k(n)
UE(idB) Attackertauth
“Auth-Failure”If idB 6= idA
tre-sync ≡⟨sqnu ⊕ H5,∗
k (n) , H1,∗k (〈sqnu , n〉)
⟩If idB = idA
The Failure Message Attack
UE(idA) HN{idA}pkn
UE(idB) HN{idB}pkn/
{idA}pkn
tauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩Failure MessageIf idB 6= idA
taccept ≡ H2k(n)
If idB = idA
The Encrypted id Replay Attack
![Page 124: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/124.jpg)
Key Ideas
Key Ideas Behind AKA+
• Postpone re-synchronization to the next session:
{〈id , sqnu〉}pkn
• No re-synchronization message =⇒ no failure message attack.• No extra randomness for the user.
• Add a challenge n from the HN when using the permanentidentity.UE HN
n⟨{〈id , sqnu〉}pkn
, Mac1km(〈{〈id , sqnu〉}pkn
, n〉)⟩
UE(idA) HNtauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩H2
k(n)
UE(idB) Attackertauth
“Auth-Failure”If idB 6= idA
tre-sync ≡⟨sqnu ⊕ H5,∗
k (n) , H1,∗k (〈sqnu , n〉)
⟩If idB = idA
The Failure Message Attack
UE(idA) HN{idA}pkn
UE(idB) HN{idB}pkn/
{idA}pkn
tauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩Failure MessageIf idB 6= idA
taccept ≡ H2k(n)
If idB = idA
The Encrypted id Replay Attack
![Page 125: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/125.jpg)
Key Ideas
Key Ideas Behind AKA+
• Postpone re-synchronization to the next session:
{〈id , sqnu〉}pkn
• No re-synchronization message =⇒ no failure message attack.• No extra randomness for the user.
• Add a challenge n from the HN when using the permanentidentity.UE HN
n⟨{〈id , sqnu〉}pkn
, Mac1km(〈{〈id , sqnu〉}pkn
, n〉)⟩
UE(idA) HNtauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩H2
k(n)
UE(idB) Attackertauth
“Auth-Failure”If idB 6= idA
tre-sync ≡⟨sqnu ⊕ H5,∗
k (n) , H1,∗k (〈sqnu , n〉)
⟩If idB = idA
The Failure Message Attack
UE(idA) HN{idA}pkn
UE(idB) HN{idB}pkn/
{idA}pkn
tauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩Failure MessageIf idB 6= idA
taccept ≡ H2k(n)
If idB = idA
The Encrypted id Replay Attack
![Page 126: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/126.jpg)
Key Ideas
Key Ideas Behind AKA+
• Postpone re-synchronization to the next session:
{〈id , sqnu〉}pkn
• No re-synchronization message =⇒ no failure message attack.• No extra randomness for the user.
• Add a challenge n from the HN when using the permanentidentity.UE HN
n⟨{〈id , sqnu〉}pkn
, Mac1km(〈{〈id , sqnu〉}pkn
, n〉)⟩
UE(idA) HNtauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩H2
k(n)
UE(idB) Attackertauth
“Auth-Failure”If idB 6= idA
tre-sync ≡⟨sqnu ⊕ H5,∗
k (n) , H1,∗k (〈sqnu , n〉)
⟩If idB = idA
The Failure Message Attack
UE(idA) HN{idA}pkn
UE(idB) HN{idB}pkn/
{idA}pkn
tauth ≡⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩Failure MessageIf idB 6= idA
taccept ≡ H2k(n)
If idB = idA
The Encrypted id Replay Attack
![Page 127: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/127.jpg)
UE
id,tmp-id, k, sqnu
HN
id,tmp-id, k, sqnn
tmp-id or id
if tmp-id was used: tmp-id← UnSet⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩Input x:nR, sqnR ← π1(x), π2(x)⊕ H5
k(nR)
bmac ← H1k(〈sqnR , nR〉) = π3(x)
bsqn ← range(sqnu, sqnR)
sqnn ← sqnn + 1
sqnu ← sqnRH2
k(nR)
bmac ∧ bsqn
“Auth-Failure”¬bmac
⟨sqnu ⊕ H5,∗
k (nR) , H1,∗k (〈sqnu , nR〉)
⟩Input y:sqn∗
R ← π1(y)⊕ H5,∗k (n)
if H1,∗k (〈sqn∗
R , n〉) = π2(y) then sqnn ← sqn∗R + 1
bmac ∧ ¬bsqn
4G-AKA
![Page 128: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/128.jpg)
UE
id,tmp-id, k, pkn, sqnu
HN
id,tmp-id, k, skn, sqnn
tmp-id or {id}pkn
if tmp-id was used: tmp-id← UnSet⟨n , sqnn ⊕ H5
k(n) , H1k(〈sqnn , n〉)
⟩Input x:nR, sqnR ← π1(x), π2(x)⊕ H5
k(nR)
bmac ← H1k(〈sqnR , nR〉) = π3(x)
bsqn ← range(sqnu, sqnR)
sqnn ← sqnn + 1
sqnu ← sqnRH2
k(nR)
bmac ∧ bsqn
“Auth-Failure”¬bmac
⟨sqnu ⊕ H5,∗
k (nR) , H1,∗k (〈sqnu , nR〉)
⟩Input y:sqn∗
R ← π1(y)⊕ H5,∗k (n)
if H1,∗k (〈sqn∗
R , n〉) = π2(y) then sqnn ← sqn∗R + 1
bmac ∧ ¬bsqn
5G-AKA
![Page 129: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/129.jpg)
UEid
stateidu
HN
statenn⟨
{〈id , sqnu〉}pkn , Mac1kidm
(〈{〈id , sqnu〉}pkn , n〉)⟩
sqnu ← sqnu + 1 bMac ← check-mac
if bMac then authenticated id
bInc ← bMac ∧ sqnu ≥ sqnidn
if bInc then sqnidn ← sqnu + 1
sessionidn ← n
tmp-ididn ← tmp-id
Mac2kidm
(〈n , sqnu + 1〉)bMac
if check-mac then authenticated HN
idSub-Protocol(Simplified)
![Page 130: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/130.jpg)
UEid
stateidu
HN
staten
tmp-iduvalid-tmpu
valid-tmpu ← false bid ← tmp-ididn = tmp-idu 6= UnSet
if bid then tmp-ididn ← UnSet
sessionidn ← n
⟨n , sqnid
n ⊕ Hkid(n) , Mac3kidm
(〈n , sqnidn , tmp-idu〉)
⟩ bid
bacc ← check-mac ∧ range(sqnu, sqnidn )
if bacc then sqnu ← sqnu + 1
Mac4kidm
(n)bacc
bMac ← check-mac
if bMac then authenticated id
bInc ← bMac ∧ sessionidn = n
if bInc then sqnidn ← sqnid
n + 1tmp-idid
n ← tmp-id
tmp-idSub-Protocol(Simplified)
![Page 131: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/131.jpg)
The assign-tmp-id Sub-Protocol (Simplified)
UEid
stateidu
HN
staten
〈tmp-id⊕ Hrkid(n) , Mac5
kidm(〈tmp-id , n〉)〉
bacc ← check-mactmp-idu ← if bacc then tmp-id else UnSetvalid-tmpu ← bacc
![Page 132: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/132.jpg)
UE
stateidu
HN(j)
statennj
Input nR: b-authu ← nR⟨{〈id , sqnu〉}pkn , Mac1
kidm(〈{〈id , sqnu〉}pkn , nR〉)
⟩sqnu ← sqnu + 1 Input y:
〈idR , sqnR〉 ← dec(π1(y), skn)
bidMac ← π2(y) = Mac1
kidm(〈π1(y) , nj〉)∧ idR = id
bidInc ← bid
Mac ∧ sqnR ≥ sqnidn
if bidMac then b-authjn, e-auth
jn ← id
if bidInc then sqnid
n ← sqnR + 1sessionid
n ← nj
tmp-ididn ← tmp-idj
Mac2kidm
(〈nj , sqnR + 1〉)bMac
Input z:
bok ← z = Mac2kidm
(〈b-authu , sqnu〉)e-authu ← if bok then b-authu else fail
idSub-Protocol
![Page 133: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/133.jpg)
UE(id)
stateidu
HN(j)
staten
tmp-iduvalid-tmpu
valid-tmpu ← false Input x:bid ← tmp-idid
n = x ∧ tmp-ididn 6= UnSet
if bid then tmp-ididn ← UnSet
b-authjn ← idsessionid
n ← nj
⟨nj , sqnid
n ⊕ Hkid(nj) , Mac3kidm
(〈nj , sqnidn , tmp-idid
n 〉)⟩ bid
Input y:nR, sqnR ← π1(y), π2(y)⊕ Hkid(nR)
bacc ← π3(y) = Mac3kidm(〈nR , sqnR , tmp-idu〉))
∧ range(sqnu, sqnR)
if bacc then b-authu, e-authu ← nR
sqnu ← sqnu + 1
if ¬bacc then b-authu, e-authu ← fail
Mac4kidm
(nR)bacc
Input z:
bidMac ← (b-authjn = id) ∧ (z = Mac4
kidm(nj))
bidInc ← bid
Mac ∧ sessionidn = nj
if bidMac then e-authjn ← id
if bidInc then sqnid
n ← sqnidn + 1
tmp-ididn ← tmp-idj
tmp-idSub-Protocol
![Page 134: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/134.jpg)
The assign-tmp-id Sub-Protocol
UE
stateidu
HN(j)
staten
〈tmp-idj ⊕ Hrkid(n
j) , Mac5kidm
(⟨tmp-idj , nj
⟩)〉
e-authidn = id
Input x:tmp-idR ← π1(x)⊕ Hr
kidm(e-authu)
bacc ←(π2(x) = Mac5
kidm(〈tmp-idR , e-authu〉))
∧ (e-authu 6= fail)
tmp-idu ← if bacc then tmp-idR else UnSetvalid-tmpu ← bacc
![Page 135: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/135.jpg)
New Attack on the priv-aka Protocol
The priv-aka ProtocolThe authors of [Fouque et al., 2016] propose a new protocol,priv-aka (claimed unlinkable).
Unlinkability Attack (four sessions)We found an attack to permanently de-synchronize the user:
• Run a session but keep the last message t1.
• Re-synchronize the user and the network.
• Re-iterate the last two steps to get a second message t2.
• Re-synchronize the user and the network.
• Send both t1 and t2, which increments sqnn by two.
• The user is permanently de-synchronized=⇒ unlinkability attack.
![Page 136: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/136.jpg)
New Attack on the priv-aka Protocol
The priv-aka ProtocolThe authors of [Fouque et al., 2016] propose a new protocol,priv-aka (claimed unlinkable).
Unlinkability Attack (four sessions)We found an attack to permanently de-synchronize the user:
• Run a session but keep the last message t1.
• Re-synchronize the user and the network.
• Re-iterate the last two steps to get a second message t2.
• Re-synchronize the user and the network.
• Send both t1 and t2, which increments sqnn by two.
• The user is permanently de-synchronized=⇒ unlinkability attack.
![Page 137: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/137.jpg)
New Attack on the priv-aka Protocol
The priv-aka ProtocolThe authors of [Fouque et al., 2016] propose a new protocol,priv-aka (claimed unlinkable).
Unlinkability Attack (four sessions)We found an attack to permanently de-synchronize the user:
• Run a session but keep the last message t1.
• Re-synchronize the user and the network.
• Re-iterate the last two steps to get a second message t2.
• Re-synchronize the user and the network.
• Send both t1 and t2, which increments sqnn by two.
• The user is permanently de-synchronized=⇒ unlinkability attack.
![Page 138: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/138.jpg)
priv-aka [Fouque et al., 2016]
![Page 139: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/139.jpg)
priv-aka [Fouque et al., 2016]
![Page 140: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/140.jpg)
Counter-Examples
Remark: ∼ is not a congruence
Counter-Example: n ∼ n and n ∼ n′, but n, n 6∼ n, n′.
Congruence
If eq(u, v) ∼ true then u and v are (almost always) equal⇒ we have a congruence.
![Page 141: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/141.jpg)
Counter-Examples
Remark: ∼ is not a congruence
Counter-Example: n ∼ n and n ∼ n′, but n, n 6∼ n, n′.
Congruence
If eq(u, v) ∼ true then u and v are (almost always) equal⇒ we have a congruence.
![Page 142: Adrien Koutsos · Title: PhD Defense - Symbolic Proofs of Computational Indistinguishability Author: Adrien Koutsos Thèse préparée au sein du LSV, ENS Paris-Saclay](https://reader034.vdocuments.us/reader034/viewer/2022042912/5f47788b86234b4fa85cecae/html5/thumbnails/142.jpg)
Counter-Examples
Remark: b is necessary in CS
b, u ∼ b′, u′ b, v ∼ b′, v ′
if b then u else v ∼ if b′ then u′ else v ′CS
We have:
zero ∼ zero one ∼ one
But:
if true then zero else one 6∼ if false then zero else one