EasyUC: Using EasyCrypt to Mechanize Proofs of Universally Composable Security

Ran Canetti, Alley Stoughton, Mayank Varia
2019 IEEE 32nd Computer Security Foundations Symposium (CSF)
Abstract: We present a methodology for using the EASYCRYPT proof assistant (originally designed for mechanizing the generation of proofs of game-based security of cryptographic schemes and protocols) to mechanize proofs of security of cryptographic protocols within the universally composable (UC) security framework. This allows, for the first time, the mechanization and formal verification of the entire sequence of steps needed for proving simulation-based security in a modular way:

• Specifying a protocol and the desired ideal functionality.
• Constructing a simulator and demonstrating its validity, via reduction to hard computational problems.
• Invoking the universal composition operation and demonstrating that it indeed preserves security.

We demonstrate our methodology on a simple example: stating and proving the security of secure message communication via a one-time pad, where the key comes from a Diffie-Hellman key exchange, assuming ideally authenticated communication. We first put together EASYCRYPT-verified proofs that: (a) the Diffie-Hellman protocol UC-realizes an ideal key-exchange functionality, assuming hardness of the Decisional Diffie-Hellman problem, and (b) one-time-pad encryption, with a key obtained using ideal key-exchange, UC-realizes an ideal secure-communication functionality. We then mechanically combine the two proofs into an EASYCRYPT-verified proof that the composed protocol realizes the same ideal secure-communication functionality. Although formulating a methodology that is both sound and workable has proven to be a complex task, we are hopeful that it will prove to be the basis for mechanized UC security analyses for significantly more complex protocols and tasks.

The paper's main EASYCRYPT lemma statements, as they survive in the extracted text (the conclusion of the first lemma and the module-type constraints of the second are cut off in the source):

    lemma smc_security1
          (Adv <: FUNC{MI, SMCReal, KEReal, KEIdeal, KESim, DDH_Adv, CompEnv})
          (Env <: ENV{Adv, MI, SMCReal, KEReal, KEIdeal, KESim, DDH_Adv, CompEnv})
          (func' adv' : addr, in_guard' : int fset) &m :
      exper_pre func' adv' ⇒
      ! (2 \in in_guard') ⇒
      CompEnv.in_guard_low{m} = in_guard' ⇒
      KeyEx.DDH_Adv.func{m} = func' ++ [2] ⇒
      KeyEx.DDH_Adv.adv{m} = adv' ⇒
      KeyEx.DDH_Adv.in_guard{m} = in_guard' `|` fset1 1 ⇒

    lemma smc_security
          (Adv <:
          (func' adv' : addr, in_guard' : int fset) &m :
      exper_pre func' adv' ⇒
      ! (2 \in in_guard') ⇒
      ! (3 \in in_guard') ⇒
      CompEnv.in_guard_low{m} = in_guard' ⇒
      KeyEx.DDH_Adv.func{m} = func' ++ [2] ⇒
      KeyEx.DDH_Adv.adv{m} = adv' ⇒
      KeyEx.DDH_Adv.in_guard{m} = in_guard' `|` fset1 1 ⇒
      `|Pr[Exper(MI(SMCReal(KEReal), Adv), Env).main(func', adv', in_guard') @ &m : res] -
        Pr[Exper(MI(SMCIdeal, SMCSimComp(Adv)), Env).main(func', adv', in_guard') @ &m : res]| <=
      `|Pr[DDH1(DDH_Adv(CompEnv(Env), Adv)).main() @ &m : res] -
        Pr[DDH2(DDH_Adv(CompEnv(Env), Adv)).main() @ &m : res]|.
doi:10.1109/csf.2019.00019 dblp:conf/csfw/CanettiSV19 fatcat:ficfekq7rncwzcvyqoragps3v4