Abstract
We show how to automate fragments of the logical framework \((\alpha , \beta )\)-privacy which provides an alternative to bisimilarity-based and trace-based definitions of privacy goals for security protocols. We consider the so-called message-analysis problem, which is at the core of \((\alpha , \beta )\)-privacy: given a set of concrete messages and their structure, which models can the intruder rule out? While in general this problem is undecidable, we give a decision procedure for a standard class of algebraic theories.
Notes
1. We use the pronoun “they” for gender-neutral expression.
2. For some destructors, e.g., opening a pair, one does not need a key; for uniformity one could use here a fixed public constant as a dummy value, but slightly abusing notation, we just omit the key argument in such a case.
Acknowledgments
Thanks to Luca Viganò and Sébastien Gondron for useful comments. This work has been supported by the EU H2020-SU-ICT-03-2018 Project No. 830929 CyberSec4Europe (cybersec4europe.eu).
A Proofs
Theorem 1
(Correctness of \( composeUnder \)). Let \(\theta \) be a substitution, \( struct \) be a frame and \(t \in \mathcal {T}_\varSigma (\mathcal {V})\). Then
1. \(\forall (r, \sigma ) \in composeUnder (\theta , struct , t), \sigma ( struct \{\!|\, r \,|\!\}) = \sigma (t)\).
2. \(\forall r \in \mathcal {R}^c, \exists \tau , \tau ( struct \{\!|\, r \,|\!\}) = \tau (t) \implies (\exists \sigma , (r, \sigma ) \in composeUnder (\theta , struct , t) \text { and } \tau \models \sigma )\).
Proof (Sketch).
1. The idea is to proceed by induction on the structure of \(t\). For the pairs found by comparing with labels or composing a variable, the property holds trivially. For the additional pairs found with terms \(f(t_1, \dots , t_n)\) composed with a public function, the point is that the pairs returned for the arguments are correct by induction. The property is then verified for composing \(t\) because it reduces to mapping the unifiers returned to all arguments.
2. The idea is to proceed by induction on the structure of \(r \in \mathcal {R}^c\). For a label, there is a pair \((r, \varepsilon )\) returned so the property holds. For a recipe that is a composition, i.e., \(r = f(r_1, \dots , r_n)\) for some \(f\) and some \(r_1, \dots , r_n \in \mathcal {R}^c\), the point is that the recipes are paired with MGUs by induction. The property is then verified for \(r\) because a substitution \(\tau \) such that \(\tau ( struct \{\!|\, r \,|\!\}) = \tau (t)\) also unifies the arguments inside the function application, so the algorithm can compute an MGU from the results of the recursive calls. \(\square \)
Theorem 2
(Correctness of \( analyze \)). Let \(\theta \) be a substitution, \( struct \) be a frame and \(( struct _ ana , \sigma , Ex ) = analyze (\theta , struct )\). Then
1. \(\forall r \in \mathcal {R}, struct _ ana \{\!|\, r \,|\!\} \approx \sigma ( struct \{\!|\, r \,|\!\})\).
2. \(\forall r \in \mathcal {R}, \exists r' \in \mathcal {R}^c_{ struct _ ana }, struct _ ana \{\!|\, r' \,|\!\} \approx \sigma ( struct \{\!|\, r \,|\!\})\).
3. \(\forall \theta ' \in \varTheta , \theta '( struct ) \sim \theta ( struct ) \implies \theta ' \models \sigma \wedge \bigwedge _{\sigma ' \in Ex } \lnot \sigma '\).
4. \(\forall \theta ' \in \varTheta , \theta ' \models \sigma \implies (\theta '( struct ) \sim \theta ( struct ) \iff \theta '( struct _ ana ) \sim \theta ( struct _ ana ))\).
Proof
1. When analyzing \(\mathsf {l}\mapsto \mathsf {constr}(t_1, \dots , t_n)\), the frame is augmented with mappings of the form \(\mathsf {destr}(r, \mathsf {l}) \mapsto t_i\) following the destructor theory. Thus, the “labels” added are recipes over the domain of \( struct \). These shorthands are correct when applying \(\sigma \), which is required to compose the keys for decryption steps. The frame \( struct _ ana \) is the frame \(\sigma ( struct )\) with shorthands.
2. We proceed by induction on the structure of \(r\). We consider the occurrence of a destructor \(\mathsf {destr}\) such that no subrecipe for the arguments of \(\mathsf {destr}\) contains destructors.
   - If the destructor is applied to a label and the decryption is successful, then a shorthand \(\mathsf {m} = \mathsf {destr}(r_k, \mathsf {l}) \mapsto t'\) has been added in the frame, i.e., \(\sigma ( struct \{\!|\, \mathsf {m} \,|\!\}) \approx t'\), where \(r_k\) is some recipe for the key \(k\) such that \(\mathsf {destr}(k, t) = t' \in E\).
   - If the destructor is applied to a constructor, i.e., for some \(r_k, r_1, \dots , r_n\), \(r=\mathsf {destr}(r_k, \mathsf {constr}(r_1, \dots , r_n))\), and the decryption is successful, then the recipe can be simplified to one of the \(r_i\) yielding the same term.
   - If the decryption is not successful, then we can replace the application of \(\mathsf {destr}\) by the constant \(\mathsf {error}\), which represents failed decryption.
   We have covered all cases since the subrecipes do not contain destructors. By induction, we can replace all occurrences of destructors in the recipe, i.e., we can define a constructive recipe \(r'\) which is the same as \(r\) but in which all occurrences of destructors have been replaced by the methods listed above.
3. We first show that the intruder can exclude all models that are not instances of \(\sigma \). The substitution \(\sigma \) has been built from unification of some \(\sigma _i\) in successful analysis steps, i.e., where \((r_i,\sigma _i)\in composeUnder (\theta , struct ,k)\) was a possibility to compose a decryption key k, and \(r_i\in compose (\theta ( struct ),\theta (k))\) is also a recipe for the corresponding key \(\theta (k)\) in \(\theta ( struct )\). It suffices to show that \(\theta '\models \sigma _i\) for all \(\sigma _i\). From Theorem 1 follows that \(\sigma _i\) is the MGU under which k can be derived in \(\theta \), i.e., \(\theta '(struct\{\!|\, r_i \,|\!\})\not \approx \theta '(k)\) for any \(\theta '\) that is not an instance of \(\sigma _i\). Since the intruder can see that \(r_i\) produces the correct decryption key in \(\theta ( struct )\), all models that are not consistent with \(\sigma _i\) can be excluded.
   We next show that all models that are instances of a substitution \(\sigma '\in Ex\) can be excluded by the intruder as well. The substitution \(\sigma '\) has been found during analysis of some mapping \(\mathsf {l}\mapsto t\) where the key \(k\) can be composed in the current \( struct \) under some unifier but \(\theta (k)\) cannot be composed in \(\theta ( struct )\). There exists \((r_k, \sigma ') \in composeUnder (\theta , struct , k)\) for some recipe \(r_k\). There is a destructor \(\mathsf {destr}\) for the decryption under consideration. We define the recipe \(r = \mathsf {destr}(r_k, \mathsf {l})\) for this decryption step. The decryption fails in \(\theta ( struct )\), so \(\theta ( struct \{\!|\, r \,|\!\}) \approx \theta ( struct \{\!|\, \mathsf {error} \,|\!\})\). Since \(\theta '( struct ) \sim \theta ( struct )\), we also have that \(\theta '( struct \{\!|\, r \,|\!\}) \approx \theta '( struct \{\!|\, \mathsf {error} \,|\!\})\). However, the decryption is successful in \( struct \), so \(\sigma '( struct \{\!|\, r \,|\!\}) \not \approx \sigma '( struct \{\!|\, \mathsf {error} \,|\!\})\). Therefore, \(\theta '\) is not an instance of \(\sigma '\), because if it were there would be a pair of recipes, namely \((r, \mathsf {error})\), to distinguish the frames.
4. Let \(\theta ' \in \varTheta \) such that \(\theta ' \models \sigma \). Using property 1 and the fact that \(\theta ' \models \sigma \), we have that for any recipe \(r\), \(\theta '( struct _ ana \{\!|\, r \,|\!\}) \approx \theta '( struct \{\!|\, r \,|\!\})\). This also holds in particular for \(\theta \). Therefore, \(\theta '( struct ) \sim \theta ( struct )\) if and only if \(\theta '( struct _ ana ) \sim \theta ( struct _ ana )\), because any pair of recipes distinguishing \(\theta '( struct )\) and \(\theta ( struct )\) would also distinguish the analyzed frames, and vice versa. \(\square \)
Theorem 3
(Termination of \( analyze \)). Let \(\theta \) be a substitution and \( struct \) be a frame. Then the call \( analyze (\theta , struct )\) terminates.
Proof
By definition, \( analyze \) calls \( analyzeRec \), so what we really want to show is that the call to \( analyzeRec \) terminates. We now consider that the frame \( struct \) has been split into three frames \(N, H, D\) and denote with \(\sigma \) and \( Ex \) the unifier and the set of substitutions passed as arguments to \( analyzeRec \), respectively. The size of a term \(t \in \mathcal {T}_\varSigma (\mathcal {V})\) is defined as 1 for a variable and \( size (f(t_1, \dots , t_n)) = 1 + \sum _{i = 1}^n size (t_i)\) for a function application. We abuse the notation and write \( size (N \cup H)\) to mean the sum of the size of all terms in \(N \cup H\). We consider the tuple \(( size (N \cup H), \#N)\). When analyzing the mapping \(\mathsf {l}\mapsto t \in N\):
- If the decryption of \(t\) fails, \(\mathsf {l}\mapsto t\) is removed from \(N\) and put in \(H\). Then \( size (N \cup H)\) stays the same but \(\#N\) has decreased by 1.
- If the decryption of \(t\) succeeds, \(\mathsf {l}\mapsto t\) is removed from \(N\) and put in \(D\). The new terms from the analysis and the terms that were on hold are put in \(N\). Then \( size (N \cup H)\) has decreased by at least 1 (\(t\) is not present anymore but some of its subterms might be).
The lexicographic order on \((\mathbb {N}, \le ) \times (\mathbb {N}, \le )\) forms a well-order and the sequence of tuples for the recursive calls is a strictly decreasing sequence bounded by \((0, 0)\), so such a sequence is finite and the call terminates. \(\square \)
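The following Python program is an added illustration of the procedures whose correctness and termination are proved above; it is not code from the paper or its authors. It implements a toy term algebra with syntactic unification, a composeUnder in the sense of Theorem 1 (this toy drops the \(\theta \) argument and lets analyze check each recipe against the concrete frame \(\theta ( struct )\) instead), and an analyze in the sense of Theorems 2 and 3 restricted to pairs and symmetric encryption: mappings whose key cannot yet be composed are put on hold and retried after every successful step, which is the \(N\), \(H\), \(D\) split of the termination argument. The constructor names pair and scrypt, the destructor names proj1, proj2 and dscrypt, the frame and the substitution theta are all constructed for this example.

```python
# Added toy model of the message-analysis problem (constructed example, not
# the paper's code).  A variable is a str starting with '?'; a function
# application is a tuple (fname, arg1, ..., argn); constants are 0-ary tuples.
from itertools import product

PUBLIC = {"pair", "scrypt"}   # constructors the intruder can apply on its own

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def subst(sigma, t):
    """Apply substitution sigma (dict var -> term) to t, following chains."""
    if is_var(t):
        return subst(sigma, sigma[t]) if t in sigma else t
    return (t[0],) + tuple(subst(sigma, a) for a in t[1:])

def occurs(v, t):
    return t == v if is_var(t) else any(occurs(v, a) for a in t[1:])

def unify(s, t, sigma=None):
    """Most general unifier of s and t extending sigma, or None."""
    sigma = dict(sigma or {})
    s, t = subst(sigma, s), subst(sigma, t)
    if s == t:
        return sigma
    if is_var(s) or is_var(t):
        v, u = (s, t) if is_var(s) else (t, s)
        if occurs(v, u):                  # no finite unifier
            return None
        sigma[v] = u
        return sigma
    if s[0] != t[0] or len(s) != len(t):
        return None
    for a, b in zip(s[1:], t[1:]):
        sigma = unify(a, b, sigma)
        if sigma is None:
            return None
    return sigma

def merge(sigma, tau):
    """Unify the bindings of tau into sigma; None if they are incompatible."""
    for v, u in tau.items():
        if sigma is not None:
            sigma = unify(v, u, sigma)
    return sigma

def recipe_term(frame, r):
    """frame{|r|}: labels (including shorthands) look up, constructors apply."""
    if r in frame:
        return frame[r]
    return (r[0],) + tuple(recipe_term(frame, a) for a in r[1:])

def compose_under(frame, t):
    """Pairs (r, sigma) with sigma(frame{|r|}) = sigma(t), as in Theorem 1."""
    found = [(lab, s) for lab, term in frame.items()
             if (s := unify(term, t)) is not None]          # compare with labels
    if not is_var(t) and t[0] in PUBLIC:                     # compose with public f
        for combo in product(*[compose_under(frame, a) for a in t[1:]]):
            sigma = {}
            for _, s_i in combo:                             # unify the argument MGUs
                sigma = merge(sigma, s_i)
            if sigma is not None:
                found.append(((t[0],) + tuple(r for r, _ in combo), sigma))
    return found

def analyze(theta, struct):
    """Returns (struct_ana, sigma, Ex); held mappings are retried after each success."""
    concr = {l: subst(theta, t) for l, t in struct.items()}   # theta(struct)
    frame, sigma, ex = dict(struct), {}, []
    todo, hold = list(struct.items()), []
    while todo:
        label, term = todo.pop(0)
        new = []
        if not is_var(term) and term[0] == "pair":      # destructor without key
            new = [(("proj1", label), term[1]), (("proj2", label), term[2])]
        elif not is_var(term) and term[0] == "scrypt":  # key is term[1]
            key, payload = term[1], term[2]
            for r_k, s_i in compose_under(frame, key):
                if recipe_term(concr, r_k) == subst(theta, key):  # works in theta(struct)
                    sigma = merge(sigma, s_i)      # theta is an instance of s_i
                    new.append((("dscrypt", r_k, label), payload))
                elif s_i not in ex:
                    ex.append(s_i)                 # derivable only under s_i: excluded
            if not new:
                hold.append((label, term))         # wait for more knowledge (H)
        if new:
            for lab, t in new:                     # add shorthands to both frames
                frame[lab], concr[lab] = t, subst(theta, t)
            todo += new + hold                     # retry what was on hold
            hold = []
    return {l: subst(sigma, t) for l, t in frame.items()}, sigma, ex

def demo():
    """Constructed instance: in theta the key x of l1 equals component y of l2."""
    struct = {"l1": ("scrypt", "?x", "?m"), "l2": ("pair", "?y", ("n",))}
    theta = {"?x": ("a",), "?y": ("a",), "?m": ("secret",)}
    return analyze(theta, struct)

if __name__ == "__main__":
    print(demo())
```

On the constructed instance the intruder first fails to open l1 (the key recipe l2 only works under the unifier x = pair(y, n), which is recorded in Ex), opens the pair in l2, and on the retry finds that proj1(l2) yields the key, so sigma identifies x with y and the shorthand dscrypt(proj1(l2), l1) is added; the recipe proj2(l2) yields the key only under x = n, which goes into Ex as well. The returned triple is therefore exactly the shape Theorem 2 talks about: the models not consistent with sigma, and those that are instances of some substitution in Ex, are the ones the intruder can rule out.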
Theorem 4
(Correctness of \( findRelations \)). Let \((\alpha , \beta )\) be a message-analysis problem, where \( struct = \{\!|\, \mathsf {l}_1 \mapsto t_1, \dots , \mathsf {l}_k \mapsto t_k \,|\!\}\) for some \(t_1, \dots , t_k \in \mathcal {T}_\varSigma ( fv (\alpha ))\) and \( concr = \theta ( struct )\) for some \(\theta \in \varTheta \). Let \(\phi \equiv findRelations (\theta , struct )\). Then
Proof
Let \(( struct _ ana , \sigma , Ex ) = analyze (\theta , struct )\). First, recall that \((\alpha , \beta )\)-privacy holds \(\iff \forall \theta ' \in \varTheta , \theta '( struct ) \sim \theta ( struct )\). We show that \(\forall \theta ' \in \varTheta , \theta '( struct ) \sim \theta ( struct ) \iff \theta ' \models \phi \). The models that are not instances of \(\sigma \) can already be excluded and violate the privacy of \(\alpha \) because \(\phi \models \sigma \). We now consider \(\theta ' \in \varTheta \) such that \(\theta ' \models \sigma \).
- If \(\theta '( struct ) \not \sim \theta ( struct )\): then \(\theta '( struct _ ana ) \not \sim \theta ( struct _ ana )\) from Theorem 2, so there exists a pair of recipes \((r_1, r_2)\) that distinguishes the frames. From Theorem 2, we can assume without loss of generality that \(r_1, r_2\) are constructive. Moreover, either one of the recipes is a label (or from a shorthand) or both recipes have the same constructor at the top level and one pair of the recipes for the arguments distinguishes the frames. So we can further assume that \(r_1\) is a label (or from a shorthand). This justifies the fact that \( findRelations \) will perform a check for this pair of recipes.
  - If \(\theta '( struct _ ana \{\!|\, r_1 \,|\!\}) \not \approx \theta '( struct _ ana \{\!|\, r_2 \,|\!\})\) and for the concrete observation \(\theta ( struct _ ana \{\!|\, r_1 \,|\!\}) \approx \theta ( struct _ ana \{\!|\, r_2 \,|\!\})\): then \(\theta '\) cannot be an instance of the substitution \(\sigma \) unifying, among others, the following equation: \( struct _ ana \{\!|\, r_1 \,|\!\} = struct _ ana \{\!|\, r_2 \,|\!\}\). The algorithm returns \(\phi \) such that \(\phi \models \sigma \), so \(\theta ' \not \models \phi \).
  - If \(\theta '( struct _ ana \{\!|\, r_1 \,|\!\}) \approx \theta '( struct _ ana \{\!|\, r_2 \,|\!\})\) and for the concrete observation \(\theta ( struct _ ana \{\!|\, r_1 \,|\!\}) \not \approx \theta ( struct _ ana \{\!|\, r_2 \,|\!\})\): then \(\theta '\) is an instance of some substitution \(\sigma '\) found when checking inequations. The algorithm returns \(\phi \) such that \(\phi \models \lnot \sigma '\), so \(\theta ' \not \models \phi \).
- If \(\theta '( struct ) \sim \theta ( struct )\): then \(\theta '( struct _ ana ) \sim \theta ( struct _ ana )\) from Theorem 2. For every \(t \in \mathcal {T}_\varSigma \) and \((r_1, r_2) \in pairsEcs ( compose (\theta ( struct _ ana ), t))\), we have by definition of \( compose \) that \(\theta ( struct _ ana \{\!|\, r_1 \,|\!\}) \approx \theta ( struct _ ana \{\!|\, r_2 \,|\!\})\). Since \(\theta '( struct _ ana ) \sim \theta ( struct _ ana )\), we have \(\theta '( struct _ ana \{\!|\, r_1 \,|\!\}) \approx \theta '( struct _ ana \{\!|\, r_2 \,|\!\})\). Therefore, \(\theta ' \models \sigma \), where \(\sigma \) unifies all equations found from calling \( compose \) on terms in \(\theta ( struct _ ana )\).
  Let \( ineqs \) be the set of substitutions \( Ex \) found during analysis together with the substitutions found by the \( findRelations \) algorithm. If \(\theta '\) were an instance of some \(\sigma ' \in ineqs \), then \(\theta '( struct _ ana ) \not \sim \theta ( struct _ ana )\) and thus \(\theta '( struct ) \not \sim \theta ( struct )\) following Theorem 2. This would contradict the assumption, so \(\theta ' \models \lnot \sigma '\). Therefore, \(\theta ' \models \sigma \wedge \bigwedge _{\sigma ' \in ineqs } \lnot \sigma '\), which is exactly \(\theta ' \models \phi \). \(\square \)
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Fernet, L., Mödersheim, S. (2021). Deciding a Fragment of \((\alpha , \beta )\)-Privacy. In: Roman, R., Zhou, J. (eds) Security and Trust Management. STM 2021. Lecture Notes in Computer Science(), vol 13075. Springer, Cham. https://doi.org/10.1007/978-3-030-91859-0_7
DOI: https://doi.org/10.1007/978-3-030-91859-0_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-91858-3
Online ISBN: 978-3-030-91859-0