Section: New Software and Platforms

CryptoVerif

Cryptographic protocol verifier in the computational model

Keywords: Security - Verification - Cryptographic protocol

Functional Description: CryptoVerif is an automatic protocol prover sound in the computational model. In this model, messages are bitstrings and the adversary is a polynomial-time probabilistic Turing machine. CryptoVerif can prove secrecy and correspondences, which include in particular authentication. It provides a generic mechanism for specifying the security assumptions on cryptographic primitives, which can handle in particular symmetric encryption, message authentication codes, public-key encryption, signatures, hash functions, and Diffie-Hellman key agreements. It also provides an explicit formula that gives the probability of breaking the protocol as a function of the probability of breaking each primitives, this is the exact security framework.

News Of The Year: We implemented the following features in CryptoVerif:

1) We added to the library of cryptographic primitives several variants of the PRF-ODH (pseudo-random function oracle Diffie-Hellman) assumption, pre-image resistant and second-preimage resistant hash functions, IND-CPA encryption with a nonce, IND-CPA and INT-CTXT encryption with a nonce, encryption schemes that satisfy IND$-CPA instead of IND-CPA.

2) To facilitate modular proofs, we allow querying indistinguishability properties with exactly the same syntax as the one used to specify indistinguishability assumptions on primitives.

3) To simplify declarations of assumptions on primitives, replications (which model any number of copies of processes or oracles) can be omitted at the root of indistinguishability assumptions. CryptoVerif adds them internally, thus inferring the assumption for N independent copies from the assumption for one copy. For instance, it infers the assumption for encryption with N keys from the assumption for encryption with a single key.

4) When we delay random number generations, we allow the user to specify expressions for which it is not necessary to generate the random value, so that the generation of the moved random value can be delayed further. In particular, we used this extension to prove that the OAEP scheme is IND-CCA2 assuming the underlying permutation is partial-domain one-way (a famous cryptographic result).

5) CryptoVerif can now remove parts of the code cannot be executed in case the adversary wins the game, by replacing them with event "AdversaryLoses". That is specially helpful in order to deal with complex cases of key compromise, e.g. for forward secrecy, by proving authentication by ignoring the compromise, showing that authentication is preserved in case the key is compromised (because the adversary never wins against the considered authentication property in case of compromise), and using the authentication to prove secrecy even in case of compromise. For instance, that allows us to show that the PSK-DHE handshake of TLS 1.3 preserves forward secrecy in case of compromise of the PSK.

6) After a cryptographic transformation, CryptoVerif expands terms into processes, which leads to duplicating code until the end of the protocol for each test that is expanded. The cryptographic transformation and the expansion were initially considered as a single transformation. There are now considered as separate transformations, so that other transformations can be performed in between, in particular to cut some branches of the code and reduce the code duplication.

These changes are included in CryptoVerif version 2.02 available at https://cryptoverif.inria.fr.

• Participants: Bruno Blanchet and David Cadé

• Contact: Bruno Blanchet

• Publications: Composition Theorems for CryptoVerif and Application to TLS 1.3 - Composition Theorems for CryptoVerif and Application to TLS 1.3 - A Mechanised Cryptographic Proof of the WireGuard Virtual Private Network Protocol - A Mechanised Cryptographic Proof of the WireGuard Virtual Private Network Protocol - Proved Implementations of Cryptographic Protocols in the Computational Model - Proved Generation of Implementations from Computationally Secure Protocol Specifications - Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate - Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate - Symbolic and Computational Mechanized Verification of the ARINC823 Avionic Protocols - Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach

• URL: http://cryptoverif.inria.fr/