Search

Your search keyword '"Ralf Küsters"' showing total 205 results
Start Over Author "Ralf Küsters"
205 results on '"Ralf Küsters"'

87. The IITM Model: A Simple and Expressive Model for Universal Composability

Author

Max Tuengerthal, Daniel Rausch, and Ralf Küsters

Subjects
Flexibility (engineering), 0303 health sciences, Theoretical computer science, business.industry, Computer science, Applied Mathematics, Cryptography, 0102 computer and information sciences, Cryptographic protocol, Modular design, 01 natural sciences, Computer Science Applications, Identifier, 03 medical and health sciences, Turing machine, symbols.namesake, 010201 computation theory & mathematics, Universal composability, symbols, business, Protocol (object-oriented programming), Software, 030304 developmental biology
Abstract

The universal composability paradigm allows for the modular design and analysis of cryptographic protocols. It has been widely and successfully used in cryptography. However, devising a coherent yet simple and expressive model for universal composability is, as the history of such models shows, highly non-trivial. For example, several partly severe problems have been pointed out in the literature for the UC model. In this work, we propose a coherent model for universal composability, called the IITM model (“Inexhaustible Interactive Turing Machine”). A main feature of the model is that it is stated without a priori fixing irrelevant details, such as a specific way of addressing of machines by session and party identifiers, a specific modeling of corruption, or a specific protocol hierarchy. In addition, we employ a very general notion of runtime. All reasonable protocols and ideal functionalities should be expressible based on this notion in a direct and natural way, and without tweaks, such as (artificial) padding of messages or (artificially) adding extra messages. Not least because of these features, the model is simple and expressive. Also the general results that we prove, such as composition theorems, hold independently of how such details are fixed for concrete applications. Being inspired by other models for universal composability, in particular the UC model and because of the flexibility and expressivity of the IITM model, conceptually, results formulated in these models directly carry over to the IITM model., Projekt DEAL, Deutsche Forschungsgemeinschaft

Published
2020

88. Embedding the UC Model into the IITM Model

Author

Daniel Rausch, Ralf Küsters, Céline Chevalier, University of Stuttgart, Centre de Recherche en Economie et Droit (CRED), Université Paris-Panthéon-Assas, Construction and Analysis of Systems for Confidentiality and Authenticity of Data and Entities (CASCADE), Département d'informatique - ENS Paris (DI-ENS), École normale supérieure - Paris (ENS-PSL), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS)-École normale supérieure - Paris (ENS-PSL), Université Paris sciences et lettres (PSL)-Université Paris sciences et lettres (PSL)-Institut National de Recherche en Informatique et en Automatique (Inria)-Centre National de la Recherche Scientifique (CNRS)-Centre National de la Recherche Scientifique (CNRS)-Inria de Paris, Institut National de Recherche en Informatique et en Automatique (Inria), Orr Dunkelman, and Stefan Dziembowski

Subjects
[INFO]Computer Science [cs]
Abstract

International audience; Universal Composability is a widely used concept for the design and analysis of protocols. Since Canetti’s original UC model and the model by Pfitzmann and Waidner several different models for universal composability have been proposed, including, for example, the IITM model, GNUC, CC, but also extensions and restrictions of the UC model, such as JUC, GUC, and SUC. These were motivated by the lack of expressivity of existing models, ease of use, or flaws in previous models. Cryptographers choose between these models based on their needs at hand (e.g., support for joint state and global state) or simply their familiarity with a specific model. While all models follow the same basic idea, there are huge conceptually differences, which raises fundamental and practical questions: (How) do the concepts and results proven in one model relate to those in another model? Do the different models and the security notions formulated therein capture the same classes of attacks? Most importantly, can cryptographers re-use results proven in one model in another model, and if so, how?In this paper, we initiate a line of research with the aim to address this lack of understanding, consolidate the space of models, and enable cryptographers to re-use results proven in other models. As a start, here we focus on Canetti’s prominent UC model and the IITM model proposed by Küsters et al. The latter is an interesting candidate for comparison with the UC model since it has been used to analyze a wide variety of protocols, supports a very general protocol class and provides, among others, seamless treatment of protocols with shared state, including joint and global state. Our main technical contribution is an embedding of the UC model into the IITM model showing that all UC protocols, security and composition results carry over to the IITM model. Hence, protocol designers can profit from the features of the IITM model while being able to use all their results proven in the UC model. We also show that, in general, one cannot embed the full IITM model into the UC model.

Published
2022

91. An In-Depth Symbolic Security Analysis of the ACME Standard

Author

Quoc Huy Do, Guido Schmitz, Abhishek Bichhawat, Karthikeyan Bhargavan, Pedram Hosseyni, Tim Würtele, Ralf Küsters, Programming securely with cryptography (PROSECCO), Inria de Paris, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), Indian Institute of Technology [Gandhinagar] ( IIT Gandhinagar ), and Universität Stuttgart [Stuttgart]

Subjects
Security analysis, business.industry, Computer science, Public key infrastructure, Cryptography, Cryptographic protocol, Internet security, Computer security, computer.software_genre, [INFO.INFO-CL]Computer Science [cs]/Computation and Language [cs.CL], [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], Server, Key (cryptography), business, Protocol (object-oriented programming), computer, ComputingMilieux_MISCELLANEOUS
Abstract

The ACME certificate issuance and management protocol, standardized as IETF RFC 8555, is an essential element of the web public key infrastructure (PKI). It has been used by Let's Encrypt and other certification authorities to issue over a billion certificates, and a majority of HTTPS connections are now secured with certificates issued through ACME. Despite its importance, however, the security of ACME has not been studied at the same level of depth as other protocol standards like TLS 1.3 or OAuth. Prior formal analyses of ACME only considered the cryptographic core of early draft versions of ACME, ignoring many security-critical low-level details that play a major role in the 100 page RFC, such as recursive data structures, long-running sessions with asynchronous sub-protocols, and the issuance for certificates that cover multiple domains. We present the first in-depth formal security analysis of the ACME standard. Our model of ACME is executable and comprehensive, with a level of detail that lets our ACME client interoperate with other ACME servers. We prove the security of this model using a recent symbolic protocol analysis framework called DY⋆, which in turn is based on the F⋆ programming language. Our analysis accounts for all prior attacks on ACME in the literature, including both cryptographic attacks and low-level attacks on stateful protocol execution. To analyze ACME, we extend DY⋆ with authenticated channels, key substitution attacks, and a concrete execution framework, which are of independent interest. Our security analysis of ACME totaling over 16,000 lines of code is one of the largest proof developments for a cryptographic protocol standard in the literature, and it serves to provide formal security assurances for a crucial component of web security.

Published
2021

92. A Security Framework for Distributed Ledgers

Author

Daniel Rausch, Viktoria Ronge, Ralf Küsters, Dominique Schröder, Christoph Egger, and Mike Graf

Subjects
Security analysis, Class (computer programming), Computer science, business.industry, Modular design, Computer security, computer.software_genre, Core (game theory), Universal composability, business, computer, Implementation, Protocol (object-oriented programming), Block (data storage)
Abstract

In the past few years blockchains have been a major focus for security research, resulting in significant progress in the design, formalization, and analysis of blockchain protocols. However, the more general class of distributed ledgers, which includes not just blockchains but also prominent non-blockchain protocols, such as Corda and OmniLedger, cannot be covered by the state-of-the-art in the security literature yet. These distributed ledgers often break with traditional blockchain paradigms, such as block structures to store data, system-wide consensus, or global consistency. In this paper, we close this gap by proposing the first framework for defining and analyzing the security of general distributed ledgers, with an ideal distributed ledger functionality, called Fledger, at the core of our contribution. This functionality covers not only classical blockchains but also non-blockchain distributed ledgers in a unified way. To illustrate Fledger, we first show that the prominent ideal block-chain functionalities Gledger and GPL realize (suitable instantiations of) Fledger, which captures their security properties. This implies that their respective implementations, including Bitcoin, Ouroboros Genesis, and Ouroboros Crypsinous, realize Fledger as well. Secondly, we demonstrate that Fledger is capable of precisely modeling also non-blockchain distributed ledgers by performing the first formal security analysis of such a distributed ledger, namely the prominent Corda protocol. Due to the wide spread use of Corda in industry, in particular the financial sector, this analysis is of independent interest. These results also illustrate that Fledger not just generalizes the modular treatment of blockchains to distributed ledgers, but moreover helps to unify existing results.

Published
2021

93. $\text{DY}^{\star}$: A Modular Symbolic Verification Framework for Executable Cryptographic Protocol Code

Author

Quoc Huy Do, Abhishek Bichhawat, Karthikeyan Bhargavan, Guido Schmitz, Ralf Küsters, Pedram Hosseyni, and Tim Würtele

Subjects
0303 health sciences, Theoretical computer science, Finite-state machine, Computer science, Star (game theory), computer.file_format, Cryptographic protocol, Data structure, Dependent type, 03 medical and health sciences, 0302 clinical medicine, 030220 oncology & carcinogenesis, Executable, Formal verification, Protocol (object-oriented programming), computer, Computer Science::Cryptography and Security, 030304 developmental biology
Abstract

We present $\text{DY}^{\star}$ , a new formal verification framework for the symbolic security analysis of cryptographic protocol code written in the $\mathrm{F}^{\star}$ programming language. Unlike automated symbolic provers, our framework accounts for advanced protocol features like unbounded loops and mutable recursive data structures, as well as low-level implementation details like protocol state machines and message formats, which are often at the root of real-world attacks. Our work extends a long line of research on using dependent type systems for this task, but takes a fundamentally new approach by explicitly modeling the global trace-based semantics within the framework, hence bridging the gap between trace-based and type-based protocol analyses. This approach enables us to uniformly, precisely, and soundly model, for the first time using dependent types, long-lived mutable protocol state, equational theories, fine-grained dynamic corruption, and trace-based security properties like forward secrecy and post-compromise security. $\text{DY}^{\star}$ is built as a library of $\mathrm{F}^{\star}$ modules that includes a model of low-level protocol execution, a Dolev-Yao symbolic attacker, and generic security abstractions and lemmas, all verified using $\mathrm{F}^{\star}$ . The library exposes a high-level API that facilitates succinct security proofs for protocol code. We demonstrate the effectiveness of this approach through a detailed symbolic security analysis of the Signal protocol that is based on an interoperable implementation of the protocol from prior work, and is the first mechanized proof of Signal to account for forward and post-compromise security over an unbounded number of protocol rounds.

Published
2021

97. A Tutorial-Style Introduction to $$\textsf {DY}^\star $$

Author

Ralf Küsters, Quoc Huy Do, Tim Würtele, Guido Schmitz, Pedram Hosseyni, Karthikeyan Bhargavan, Abhishek Bichhawat, Programming securely with cryptography (PROSECCO), Inria de Paris, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), Indian Institute of Technology [Gandhinagar] ( IIT Gandhinagar ), University of Stuttgart, Royal Holloway [University of London] (RHUL), Daniel Dougherty, José Meseguer, Sebastian Alexander Mödersheim, and Paul Rowe

Subjects
Discrete mathematics, [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], Finite-state machine, Trace (linear algebra), Computer science, Star (game theory), State (functional analysis), Cryptographic protocol, Data structure, Formal verification, Dependent type, ComputingMilieux_MISCELLANEOUS, [INFO.INFO-CL]Computer Science [cs]/Computation and Language [cs.CL]
Abstract

\(\textsf {DY}^\star \) is a recently proposed formal verification framework for the symbolic security analysis of cryptographic protocol code written in the \(\textsf {F}^\star \) programming language. Unlike automated symbolic provers, \(\textsf {DY}^\star \) accounts for advanced protocol features like unbounded loops and mutable recursive data structures as well as low-level implementation details like protocol state machines and message formats, which are often at the root of real-world attacks. Protocols modeled in \(\textsf {DY}^\star \) can be executed, and hence, tested, and they can even interoperate with real-world counterparts. \(\textsf {DY}^\star \) extends a long line of research on using dependent type systems but takes a fundamentally new approach by explicitly modeling the global trace-based semantics within the framework, hence bridging the gap between trace-based and type-based protocol analyses. With this, one can uniformly, precisely, and soundly model, for the first time using dependent types, long-lived mutable protocol state, equational theories, fine-grained dynamic corruption, and trace-based security properties like forward secrecy and post-compromise security.

Published
2021

98. Correction to: Electronic Voting

Author

Robert Krimmer, Oksana Kulyk, Mihkel Solvak, David Duenas-Cid, Ralf Küsters, Bernhard Beckert, and Melanie Volkamer

Subjects
Information retrieval, Electronic voting, Computer science
Published
2020

100. Accountability in a Permissioned Blockchain: Formal Analysis of Hyperledger Fabric

Author

Mike Graf, Ralf Küsters, and Daniel Rausch

Subjects
021110 strategic, defence & security studies, Blockchain, Property (philosophy), business.industry, Computer science, 0211 other engineering and technologies, Cryptography, 02 engineering and technology, Computer security, computer.software_genre, Formal proof, Domain (software engineering), 03 medical and health sciences, Consistency (database systems), 0302 clinical medicine, Distributed ledger, Accountability, 030212 general & internal medicine, business, computer
Abstract

While accountability is a well-known concept in distributed systems and cryptography, in the literature on blockchains (and, more generally, distributed ledgers) the formal treatment of accountability has been a blind spot: there does not exist a formalization let alone a formal proof of accountability for any blockchain yet. Therefore, in this work we put forward and propose a formal treatment of accountability in this domain. Our goal is to formally state and prove that if in a run of a blockchain a central security property, such as consistency, is not satisfied, then misbehaving parties can be identified and held accountable. Accountability is particularly useful for permissioned blockchains where all parties know each other, and hence, accountability incentivizes all parties to behave honestly. We exemplify our approach for one of the most prominent permissioned blockchains: Hyperledger Fabric in its most common instantiation.

Published
2020

Catalog

Books, media, physical & digital resources
See catalog results