high-level programming for e-cash · 2009. 4. 13. · 15 this work we consider symbolic...
TRANSCRIPT
![Page 1: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/1.jpg)
CoSyProofs, April6-9. 2009
High-Level Programming for E-Cash
Cédric FournetMicrosoft Research and MSR-INRIA Joint Centre
Pedro AdãoIT and IST, Lisboa
Francesco Zappa NardelliINRIA and
MSR-INRIA Joint Centre
Nataliya GutsMSR-INRIA Joint Centre
![Page 2: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/2.jpg)
E-Cash Protocols
Introduced by Chaum in 1982 it intends to simulate the use of traditional money
Many interesting properties of the traditional money are delicate to mimic in digital world
Aim to provide robust abstractions for anonymous payment protocols
Users should spend coins anonymouslyUsers cannot forge coinsUser should not spend the same coin twice without being eventually caughtSpending should be offline
By necessity, these protocols involve sophisticated cryptographic constructions
![Page 3: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/3.jpg)
E-Cash Protocol
3
![Page 4: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/4.jpg)
E-Cash Protocol Spec
4
![Page 5: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/5.jpg)
E-Cash Protocol Spec
5
![Page 6: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/6.jpg)
Correctness
6
![Page 7: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/7.jpg)
Balance
7
![Page 8: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/8.jpg)
Identification of Double Spender
8
![Page 9: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/9.jpg)
Tracing of Double Spender
9
![Page 10: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/10.jpg)
Anonimity of the User
10
![Page 11: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/11.jpg)
An E-Cash Protocol [CHL05]
11
![Page 12: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/12.jpg)
An E-Cash Protocol [CHL05]
12
![Page 13: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/13.jpg)
Problem
How to symbolically model E-Cash Protocols?
How to reason about it? E-Cash properties involve elaborated cryptographic statements
And what about reasoning on E-Cash at an application layer?
Do we need to redo all these proofs?How is the interaction of programs and crypto?
Are we willing to model every single cryptographic or do we rather prefer to model E-Cash primitives as BB?
13
![Page 14: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/14.jpg)
Users are PPT Turing Machines
Compliant users follow the specification but may try to double spend coins
Adversaries are PPT Turing machines that may forge the cryptographic material in order to violate the protocol
14
The 3 Layer Cake
Crypto
Intermediate Semantics
Well-behaved Semantics
Users are modelled as applied pi-calculus processes
All users follow the specification but may try to double spend coins
Environment is an arbitrary process
Users are modelled as applied pi-calculus processes
All users follow the specification
Double spending is prevented by construction
Environment is an arbitrary process
![Page 15: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/15.jpg)
15
This Work
We consider symbolic characterizations of Compact E-Cash protocols following the specification proposed by Camenisch, Hohenberger, and Lysyanskaya [CHL05]
We design and implement a distributed (asynchronous) process calculus with high-level E-Cash primitives and communication (following ideas of [AF06])
Our calculus supports simple reasoning, based on labelled transitions and observational equivalence
We consider two variants of the symbolic semanticsAn abstract semantics that excludes any double spending (by design)A more realistic intermediate semantics that accounts for the possibility of double spending (with reliable detection)We show that any trace of the intermediate semantics can be captured by the “honest” semantics or an alert is issued
![Page 16: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/16.jpg)
This Work
We then consider a direct cryptographic implementation of high-level E-Cash primitives (Withdraw, Spend and Deposit following ideas of [AF06])
Relate the intermediate semantics to the computational properties of the underlying E-cash protocol
We obtain soundness and completeness for processes, in the presence of active adversaries
We do not rely on DY abstractions of cryptographic primitives
Full abstraction for spi or applied pi calculus is too hard
16
![Page 17: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/17.jpg)
High-Level Processes
![Page 18: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/18.jpg)
18
Processes and Systems
![Page 19: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/19.jpg)
19
Reduction Semantics
![Page 20: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/20.jpg)
20
Labelled Transition Semantics
![Page 21: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/21.jpg)
21
Labelled Transition Semantics
![Page 22: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/22.jpg)
22
Intermediate Reduction Semantics
![Page 23: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/23.jpg)
23
Intermediate LT Semantics
![Page 24: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/24.jpg)
High-Level Reasoning
![Page 25: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/25.jpg)
25
Example – Properties
![Page 26: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/26.jpg)
26
Example – Properties
![Page 27: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/27.jpg)
Soundness, Completeness for High-Level Semantics
![Page 28: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/28.jpg)
Main Results
28
Crypto
Intermediate Semantics
Well-behaved Semantics
![Page 29: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/29.jpg)
Low-Level Target Model
![Page 30: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/30.jpg)
Low-Level Excution Model
Systems consist of a finite number of communicating principals that are complying with the HL semantics
THEY MAY DOUBLE SPEND
Each principal runs its own program within a PPT machineincludes 3 crypto boxes to perform the 3 ecash protocols,has an input and an output tape
Priority is given to honest users
Whenever all machines complete, all messages to the adversary are shuffled, and given to the adversary
30
P
![Page 31: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/31.jpg)
Low-Level Execution Model
When activated, a machine reads one message from its input tape
an ecash message is routed to the appropriate cryptobox a communication message, is sent to the runing process
Ecash primitives in evaluation contextAn output primitive triggers a new session of the protocolAn input primitive starts a waiting thread
All machines should run to completionconsume all messages in its input tape and write all output messages in the input tapes of receivers
31
![Page 32: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/32.jpg)
Low Level Communications Model
32
P
![Page 33: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/33.jpg)
Low Level Communications Model
33
P P
P P
![Page 34: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/34.jpg)
34
Low-Level Equivalence (Target)
P1 Q1
P2 Q2 Adv Advguess
Pi Qi
¼¼
![Page 35: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/35.jpg)
Soundness, Completeness wrtComputational Cryptography
![Page 36: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/36.jpg)
Main Results
36Crypto
Intermediate Semantics
Well-behaved Semantics
![Page 37: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/37.jpg)
Summary
Reasoning about cryptographic actions is much more fun than cryptographic terms ☺
We define a 3-layer cake to reason about E-Cash protocols
A low Crypto layerAn intermediate symbolic layer where probabilities are discardedA higher symbolic layer where bad behaviours do not occur (by construction)
We “show” that the low-level crypto layer is correctly abstracted by the “well-behaved” semantics
Formalizing properties of E-Cash protocols helped us understand and fix part of the specification
37
![Page 38: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/38.jpg)
Future Work
Since it is work in progress....
Try to debug and clarify specification
Try to adapt similar techniques to other instancesEg, e-voting
38
![Page 39: High-Level Programming for E-Cash · 2009. 4. 13. · 15 This Work We consider symbolic characterizations of Compact E- Cash protocols following the specification proposed by Camenisch,](https://reader036.vdocument.in/reader036/viewer/2022071611/614ad99112c9616cbc69aeb0/html5/thumbnails/39.jpg)
CoSyProofs, April6-9. 2009
High-Level Programming for E-Cash
Cédric FournetMicrosoft Research and MSR-INRIA Joint Centre
Pedro AdãoIT and IST, Lisboa
Francesco Zappa NardelliINRIA and
MSR-INRIA Joint Centre
Nataliya GutsMSR-INRIA Joint Centre