Automated Proofs for Computational Indistinguishability

c© The British Computer Society 2013. All rights reserved.For Permissions, please email: [email protected]

Advance Access publication on 25 July 2013 doi:10.1093/comjnl/bxt078

Automated Proofs for ComputationalIndistinguishability

Long Ngo∗, Colin Boyd and Juan Gonzalez Nieto

Information Security Institute, Queensland University Of Technology, GPO Box 2434, Brisbane, QLD 4001,Australia

∗Corresponding author: [email protected]

We present a tool for automatic analysis of computational indistinguishability between two stringsof information. This is designed as a generic tool for proving cryptographic security based on aformalism that provides computational soundness preservation. The tool has been implemented and

tested successfully with several cryptographic schemes.

Keywords: automated proof; computational soundness; indistinguishability; key exchange; encryption

Received 31 July 2012; revised 2 July 2013Handling editor: Chris Mitchell

1. INTRODUCTION

It is now widely accepted in the cryptography researchcommunity that a proof of security is highly desirable for anycryptographic primitive intended for real-world deployment.Unfortunately, it has been shown repeatedly that provingsecurity manually is both time-consuming and easy to getwrong. Because of this a significant research effort has beenspent on developing tools that can (semi-)automatically dothe job of providing a proof. Tools based on Dolev–Yao models [1–3] have gained a lot of success, but Dolev–Yaomodels do not capture a fully realistic representation ofcryptography. There has been recent interest in tools that candeal with computationally sound cryptographic models. Todaythere are still few tools available for such a task.

Most of the current automated provers based on crypto-graphic models [4–8] are designed for a specific type ofschemes. For example, one has to design a specification lan-guage and the prover can only verify schemes written in thatlanguage. Since the language is customized for a particularcryptographic model, such a prover can verify security againsta relatively strong adversary specific to that model. However,those tools are not easily expandable for non-experts to othercryptographic models. The only exception that we are aware ofis CryptoVerif [9], which does not stick to any particular primi-tive or type of protocols, but offers a generic framework. How-ever, CryptoVerif does not offer full automation and guidanceis still required for non-trivial cases.

In this paper, we describe a generic tool for provingindistinguishability between two strings of information.Information indistinguishability is the most basic notionused in public-key cryptography. Proving the security of anencryption or key exchange scheme usually requires showingindistinguishability between a secret and a random piece ofinformation. How it is used to verify security depends onwhat users wish to achieve. For example, one may apply itfor proving indistinguishability under chosen plaintext attacks(IND-CPA) secure encryption schemes or key exchangeprotocols secure against passive adversaries. The tool is notfixed to any specific type of cryptographic scheme. Note thatwhile automated proofs of active security are not easily madein a fully automatic and generic way, there exist genericcompilers that can turn a passively secure group key exchangescheme into an actively secure one [10].

The tool is based on a formalism suitable for checking com-putational indistinguishability automatically and an algorithmfor reasoning on the formalism. The key point of the formal-ism is that it provides syntactic rules to extend some initialassumptions, i.e. hard problems, while preserving computa-tional soundness. One will have to make sure that his initialspecification for hard problems is computationally sound andthen whatever extended from that will be also computation-ally sound. Informally, one should start with a specification tomodel sorts (i.e. types), some functions and their relations, andsome hard computational and decisional problems. Then he can

The Computer Journal, Vol. 57 No. 10, 2013

at Ondokuz M

ayis University on N

ovember 2, 2014

http://comjnl.oxfordjournals.org/

Dow

nloaded from


1514 L. Ngo et al.

aim to extend the specifications so that eventually the securityof a cryptographic scheme is implied.

Our formalism and algorithm are designed with a focuson automatic security verification for practical cryptographicschemes rather than a broad treatment for indistinguishabilityin general. This tool is also generic like CryptoVerif, whoseformalism is based on a variant of the applied π -calculus.However, our tool considers a weaker adversary with limitedactions, and hence its formalism, a universal algebra, issimpler. As a result, the tool can search for security proofs in afully automatic manner. It is designed to take the advantageof the computer’s power by exploring as much as possibleand it stops when it finds a proof. Owing to the simplicity ofthe formalism and the relatively small size of cryptographicschemes, this idea works well in practice; normally the tooldoes not have to explore the whole space but stops after a shorttime in the cases of provably secure schemes.

1.1. Related work

1.1.1. Cryptographically sound automated proofsSignificant research effort has been spent on automated proofsfor cryptographic systems. One trend is based on simplifiedmodels, namely Dolev–Yao style models, by which it iseasier to achieve fully automated proofs. Our work followsthe other trend, which aims toward automated proofs incryptographic models, i.e. proofs with cryptographic (a.k.a.computational) soundness. While the first direction has broughtmany successes, the second trend still has limited results due tothe complexity of cryptographic models. We review here somework of the second trend.

Laud used the information-flow technique to check if anencryption scheme is used securely in programs written ina simply designed language [4, 5]. That work covers onlyencryption schemes and a fixed programming language. Healso designed a type system for proving protocol security [6].That system requires that the underlying cryptographic librarybe universally composable.

Blanchet designed a variant of π -calculus [9], which allowsus to formally define security games and game transformations.He also developed CryptoVerif, a tool that can automaticallytransform games using game-hopping techniques, therebyfreeing the human from the mundane parts of the proof.While CryptoVerif can prove security with a more activeadversary than ours, it requires guidance for non-trivial cases.For example, CryptoVerif can prove the indistinguishabilityagainst chosen ciphertext attack Bellare–Rogaway encryp-tion’s [11] security only when it is guided. In contrast, by focus-ing on a less active adversary, we can design a fully automatedalgorithm. For example, our tool can only prove the IND-CPAsecurity of that encryption, but in a fully automatic way. Also,to the best of our knowledge, CryptoVerif has not been able tocope with a wide class of Diffie–Hellman protocols, while ourtool can verify the passive security of such a protocol.

Courant et al. [7] used a Hoare-style logic to verify anasymmetric encryption scheme’s security, which is modeledas an invariant. Later, the logic has been extended to coversymmetric block ciphers by Gagné et al. [12]. While theirlogic can work with symmetric encryption, which is notcovered in this work, the logic does not scale well becauseone has to carefully extend the programming language and thelogic in order to guarantee computational soundness of otherprimitives. In this work, we use a generic formalism that canbe applied on any specific primitive.

Ngo et al. [8] also used a Hoare-style logic to verify Diffie–Hellman-based key exchanges in a variant of the Bellare–Rogaway model [13]. Although that work covers activeadversaries and one can even achieve adaptive security via acompiler, it is also not so scalable since the language used tospecify protocols is fixed and so is the logic.

1.1.2. Abstract indistinguishability notionsA typical abstraction of computational indistinguishability insymbolic models is the notion static equivalence [14], whichhas been studied thoroughly and now is supported by someautomated tools. However, this notion does not guaranteecomputational soundness [15]. In addition, tools designedto verify static equivalence usually require mathematicalproperties to be modeled by convergent equational theories,which rule out the very popular exclusive-or (XOR) operation.For example, we have not been able to make the recenttool YAPA [3] terminate with XOR. Our tool needs simplerrequirements and uses brute-force-style algorithms in order todeal with XOR.

The formalism used in this work is based on the idea offormal indistinguishability. This notion was first proposed byBana et al. [15] as a cryptographically sound framework forcomputational indistinguishability. Ene et al. [16] extendedit to cover active adversaries with hash functions modeledas random oracles. Those results offer a generic formalismto express information and analyze indistinguishability, whileguaranteeing computational soundness. In this work, on theone hand we simplify the work by Ene et al. [16] in order tomake automation easy while preserving practicability, on theother hand we extend their work to cover more practical cases.

1.2. Our contributions

(i) We tailored the notion of formal non-derivabilityrelation (FNDR) and its connection with formalindistinguishability relation (FIR) to make themsuitable for automation in practical applications.

(ii) We demonstrate the mechanizability of the formal-ism by proposing an algorithm that can automaticallyreason on FIR and FNDR. Because FIR and FNDRpreserve the cryptographic soundness, as long as thespecification of the cryptographic scheme and assump-tions are cryptographically sound, this algorithm can


at Ondokuz M


ovember 2, 2014


Dow

nloaded from


Automated Proofs for Computational Indistinguishability 1515

be used to check the cryptographic security of schemes(see Section 4).

(iii) We have implemented the algorithm and tested with anumber of cases. The tool can prove IND-CPA securityof encryption schemes and passive security of keyexchange protocols (see Section 5). Note that thereexist generic transformations from passive to activesecurity, such as the compiler by Katz and Yung [10],which turn a passively secure group key exchangeprotocol into an actively secure one.

Outline. The rest of this paper is structured as follows:

(i) Section 2 describes some notations and basic crypto-graphic primitives used in demonstrated schemes.

(ii) Section 3 explains the generic framework we use tomodel a security problem.

(iii) Section 4 presents the algorithm designed to check FIRand FNDR.

(iv) Section 5 discusses our experimentation of theimplementation with some practical protocols and thelimitations.

(v) Section 6 summarizes the paper.

2. PRELIMINARIES

This section describes some basic notations and some crypto-graphic primitives that will be used to demonstrate our work.

2.1. Notations

We list some common notations used in this paper here.Throughout the paper, η denotes the security parameter andN denotes the set of all natural numbers. For a term T , wewrite T [M/N ] to denote a term similar to T except that everyappearance of the subterm N is replaced by a subterm M . Weuse �T � to denote the semantics of a term T .

We use vl ← vr to express that the value of vl is made equalto the value of vr . For example, given a algorithm A(), wewrite o← A() to mean that o holds the output of A. We writee

u← s to denote that an element e is chosen uniformly from aset s, i.e. with the same probability for every element in s. Wealso write v

r← d to denote that a value v is randomly sampledaccording to a distribution d.

Later in the paper, there are some algorithms written ina pseudo programming language. Besides some keywords,which are intuitively understandable, we use hd(l) and tl(l)to denote the first element and the rest of a list l, respectively.Also, a comment in an algorithm starts with this symbol � (forinstance, � Note: This is a comment).

2.2. Trapdoor permutation

Definition 2.1 (Trapdoor Permutation). Let η ∈ N bethe security parameter. A trapdoor permutation consists of

four algorithms Gen, S, F and F−1 satisfying the followingconditions:

(i) Gen(1η) is a probabilistic algorithm which outputs apair pk, sk. We assume that from sk it is possible to getpk, e.g. sk includes pk.

(ii) S(pk) is a probabilistic algorithm which uniformlyoutputs an element x ∈ Dpk, where the domain Dpk

is defined by pk.(iii) F(x, pk) is a deterministic algorithm which outputs an

element y ∈ Dpk, where (pk, sk) ← Gen(1η) andx ∈ Dpk. Furthermore, F(., pk) : Dpk → Dpk is apermutation.

(iv) F−1(y, sk) is a deterministic algorithm which outputsan element x ∈ Dpk and satisfies the correctnesscondition F−1(F(x, pk), sk) = x, where (pk, sk) ←Gen(1η) and x, y ∈ Dpk.

(v) One-wayness: For all probabilistic polynomial-time(PPT) algorithm A, the probability

Pr[(pk, sk)← Gen(1η); y ← S(pk); x ← A(pk, y) :

F(x, pk) = y] is negligible.

2.3. Diffie–Hellman (DH) hard problems

Let Zp be the set of all integers modulo a positive number pand Z∗p be the multiplicative group of Zp.

Definition 2.2 (Diffie–Hellman Problems). Let p and q beprimes where q|p − 1 and |q| = η where η is the securityparameter, and let G be a multiplicative subgroup of Z∗p oforder q. Let g be a generator of G. Note that by ga we meanga mod p. The computational and decisional problems of theDiffie–Hellman instance (p, q, g) are defined as follows.

(i) Computational Diffie–Hellman (CDH) problem. Givenga, gb ∈ G where a, b∈RZq , output gab.

(ii) Decisional Diffie–Hellman (DDH) problem. Givenga, gb, gc ∈ G where a, b∈RZq , determine whetheror not gc = gab.

We assume that the above problems are hard, i.e. there is noPPT algorithm to solve them successfully with a not negligibleprobability.

2.4. Hash functions and the random oracle model

A hash function h is a map h : X → Y , where X is the set ofall possible messages and Y is the set of all possible messagedigests.

Every hash function used in this paper is modeled as arandom oracle. In the random oracle model (ROM), a hashfunction h : X → Y is chosen uniformly from the set ofall functions from X to Y . Every party who participates in a


at Ondokuz M


ovember 2, 2014


Dow

nloaded from


1516 L. Ngo et al.

cryptosystem has only oracle access to h as follows.

(i) The party cannot know how h is implemented.(ii) The party can only ask the oracle what h(x) is for some

values x .

From the definition of the ROM, the following theorem isobvious and used widely for proving security of schemes basedon hash functions.

Theorem 2.1 (ROM). Suppose a hash function h : X → Yis modeled as a random oracle. Let X0 ⊂ X . If h(x) is givenfor only x ∈ X0, then Pr[h(x) = y] = 1/|Y| for all x ∈ X \X0and all y ∈ Y .

The above property of a random oracle is useful for provingindistinguishability-based security. The basic idea is that whena hash is a random oracle, if an adversary can distinguishbetween h(x) and a random value from Y , then the adversarymust know x . In other words, if we can prove that x isunpredictable, then we can treat h(x) as a nonce. Such atreatment often makes proving security much easier.

3. SECURITY MODEL

We define a generic formalism to model security problemsof cryptographic schemes. The formalism is not fixed to anyspecific type of schemes, but offers a framework for users touse according to their specific requirements. The formalismcontains a universal algebra, a cryptographic semantics andsome relations between abstract terms where those relationspreserve cryptographic soundness. This model is based on themodel of Ene et al. [16] with a few differences as we listed inSection 3.5.

More specifically, we extended the model by Ene et al. [16]by considering ordered sorts. This allows us to reduce thenumber of equations used to model functions and sorts, whena sort is actually a sub-sort of another. In addition, we removesome FNDR closure rules because they are already covered byanother. This makes the set of rules more compact and simple,thus easier for automation. Also, on the one hand we add oneclosure rule for FIR by allowing one to replace a second-ordervariable with any suitable value. This extension allows us toremove the rule for bijective functions, while the propertiesof functions like XOR are still definable using second-ordervariables. On the other hand, we combine two rules for hashesinto one and enhance it, making it easier to reason on the tworelations while covering a wider class of applications, where ahash function may have more than one instance, for exampleNAXOS key exchange [17] (see Section 3). We will discussthese differences in more detail in Section 3.5.

3.1. Abstract algebras

A signature � = (S,≤S ,F ,H) consists of a finite set S ofsorts with partial order ≤S , a finite set F of function symbols

TABLE 1. Syntax of terms.

T ::= x variable x of sort s|n name n of sort s|p(T1, . . . , Tk) variable p of arity s1 × · · · × sk → s′

and Ti is of sort si and s′ ≤S s| f (T1, . . . , Tk) function f ∈ F with arity

s1 × · · · × sk → s′ and Ti is of sort siand s′ ≤S s

|h(T ) hash h ∈ H with arity s0 → s′ and T isof sort s0 and s′ ≤S s

and a finite set H of hash symbols . Each f ∈ F has a uniquearity ar( f ) = s1 × · · · × sk → s for some s1 · · · sk, s ∈ S andk ≥ 0. If k = 0, then f is a constant. Each h ∈ H has a uniquearity ar(h) = s0 → s with s0, s ∈ S.

We assume that there are three countably infinite sets N ,X and P , where N is a set of names, X is a set of first-order variables and P is a set of second-order variables. Eachvariable or name u is assigned a subset Su ⊆ S. We sayu is of sort s if s ∈ Su . If u is of sort s1, and s1 ≤ s2,then u is also of sort s2. Let s(u) denote the minimum ofSu . A second-order variable p ∈ P also has a unique arityar(p) = s1 × · · · × sk → s. A renaming is a bijectionτ : N → N such that s(n) = s(τ (n)) for any name n.

The syntax of a term of sort s is defined in the Table 1. Letname(T ), sndvar(T ), var(T ) and st (T ) denote, respectively,the set of free names, the set of second-order variables, the setof variables and the set of subterms which appear in T . Alsolet hash(T ) denote the set of subterms of T in the form of ahash instance, i.e. h(T ′), where h ∈ H. A term T is closed ifvar(T ) = ∅. The set of all terms is denoted by T. We writeT [T ′1/T1, . . . , T ′n/Tn] for the term T with every appearance ofthe subterm Ti is replaced by T ′i .

Remark 1. Sometimes we use infix notations for readability.For example, we write a + b instead of +(a, b) where + is afunction symbol.

Symbols in F model cryptographic primitives. Symbols inH model hash functions. Names in N model nonces. A second-order variable p ∈ P models a query to or a challenge fromadversaries, where the arguments for p model the knowledgethat the adversary may use to compute p. A renaming is usedto model the fact that two names, i.e. nonces, of the same sorthas the same meaning, i.e. the same distribution, in the com-putational settings. Next examples demonstrate these ideas.

Example 1. The most popular class of key exchangeprotocols is the class based on the original Diffie–Hellmanprotocol [18]. Figure 1 shows a description of the originalDiffie–Hellman key exchange protocol using the arrownotation, which is commonly found in cryptography books.


at Ondokuz M


ovember 2, 2014


Dow

nloaded from



FIGURE 1. An arrow-based specification of the Diffie–Hellmanprotocol.

Informally speaking, there are two parties A and B, who bothagree on the same value g initially. To start a protocol run, partyA chooses a nonce a and sends ga to B in order to keep a secretfrom attackers. Party B does similarly with another nonce b.Finally, a session key shared between A and B is computed asgab. From this idea, many other protocols have been developedsuch as NAXOS [17] or HMQV [19].

The following signature can be used for modelinga Diffie–Hellman-based scheme. The signature has twosorts DHExpo, DHBase, trivial ordering and the followingfunctions:

∗ : DHExpo× DHExpo→ DHExpo,

exp : DHBase× DHExpo→ DHBase.

Informally speaking, the symbol ∗ models multiplication,i.e. a ∗ b means the multiplication a and b. The symbol expmodels exponentiation, i.e. exp(g, a ∗ b) means gab. Theformal semantics of this signature will be defined in Example 5.

Example 2. One can define the following signature for mod-eling the Bellare–Rogaway Encryption [11] as demonstratedin some later examples. The signature contains sorts Nonce,HashH, PlainText, SecKey, PubKey, Pair with trivial orderingand the following functions:

‖ : PlainText× Nonce→ Pair,

⊕ : PlainText× PlainText→ PlainText,

π1 : Pair→ PlainText,

π2 : Pair→ Nonce,

f : Nonce× PubKey→ Nonce,

pub : SecKey→ PubKey.

There are two hash symbols:

h : Pair→ HashH,

g : Nonce→ PlainText.

Informally speaking, the symbol ‖ models concatenation ofa plaintext and a nonce, making a pair. The symbol ⊕ modelsXOR of two plaintexts. The two symbols π1 and π2 model thereverse of ‖, i.e. projection. The symbol f models a trapdoorpermutation F (see Section 2.2). The symbol pub models thealgorithm that extracts the public key from a secret key, sincewe assume that the secret key includes the public one. The two

symbols h and g models two hash functions in the ROM (seeSection 2.4).

In the above examples, the meaning of sorts and functionsare straightforward, although we still have to formally definetheir meaning (see Section 3.2). However, so far the formalismis not enough to model the behaviors of operations, such as x⊕y = x ⊕ y as XOR operation, denoted by ⊕, is commutative.Next the formalism is expanded to cover this point.

Definition 3.1 (Substitution). A substitution σ = {x1 =T1, . . . , xn = Tn} is a mapping from variables to terms, wherethe domain of σ, dom(σ ) = {x1, . . . , xn} is finite.

A substitution as above is well-sorted if s(Ti ) ≤S s(xi )

for each i , and there is no circular dependence xi2 ∈var(Ti1), xi3 ∈ var(Ti2), . . . , xi1 ∈ var(Tik ). We require thatx1, . . . , xn are distinct variables. We write T σ to denote theapplication of σ = {xi = Ti }ni=1 on T , i.e. replacing everyoccurrence of xi in T by Ti for each xi . This definition is liftedto application of a substitution σ to another substitution σ ′,written σσ ′. For example, for σ = {x = a; y = z + a} andT = x + y, where x, y, z are variables and a is a constant, wehave T σ = a + (z + a).

The normal form σ ∗ of a substitution σ is the iterativecomposition of σ with itself until it remains unchanged, i.e.σ ∗ = (· · · ((σ )σ ) · · · ). A substitution σ with its normal formσ ∗ = {xi = Ti }ni=1 is closed if all terms Ti are closed. Fora substitution σ , let var(σ ) = ⋃

i var(Ti ), sndvar(σ ) =⋃i sndvar(Ti ), name(σ ) =⋃

i name(Ti ), st (σ ) =⋃i st (Ti )

and hash(σ ) = ⋃i hash(Ti ). The notations st (.), var(.),

sndvar(.), name(.) and hash(.) are extended to tuples and setsof terms in a similar way.

The (axiomatic) abstract semantics of a signature σ =(S,≤S ,F) is defined by an equational theory. The equationaltheory models the intended behavior of functions in F .

Definition 3.2 (Equational theory). Given a signature �, anequational theory is an equivalence E ⊆ T×T (written as=E

in infix notation) such that

(1) T1 =E T2 implies T1σ =E T2σ for everysubstitution σ ;

(2) T1 =E T2 implies T {x = T1} =E T {x = T2} for everyterm T and every variable x with s(Ti ) ≤S s(x);

(3) T1 =E T2 implies τ(T1) =E τ(T2) for everyrenaming τ .

Equational theories are for expressing behaviors of functionsof a signature. An equational theory is generated from aninitial set of equations. From an initial set, we can derive moreequations using the above rules. For example, given a functionsymbol +, which denotes the addition function, one can definean equation x + (y + z) = (x + y) + z, where x , y and z arevariables in order to express the associativity of addition.


at Ondokuz M


ovember 2, 2014


Dow

nloaded from


1518 L. Ngo et al.

Another element in the syntax of this formalism are frames.As this formalism is designed as a tool for modeling andverifying computational indistinguishability, we need a way toexpress sequences of information. A frame, which is a list ofterms, models a sequence of messages that an adversary mayobserve.

Definition 3.3 (Frame). A frame is an expression of the formφ = νn.σ, where σ is well-sorted, and n is name(σ ).1

Given a frame φ = νn.σ , we extend the notationst (.), var(.), sndvar(.), name(.) and hash(.) by definingst (φ) = st (σ ), var(φ) = var(σ ), sndvar(φ) = sndvar(σ ),name(φ) = n and hash(φ) = hash(σ ). Given a frameφ = νn.σ , its normal form is φ∗ = νn.σ ∗. And φ = νn.σ

is closed if σ is closed, and the set of all frames is denotedby F. Given two frames φ = νn.{x1 = T1, . . . , xn = Tn}and φ′ = νn′.σ with n ∩ n′ = ∅, let φφ′ denote the frameν(n ∪ n′).{x1 = T1σ, . . . , xn = Tnσ }. For readability, witha frame φ = νn.σ we often write σ while assuming thatn = name(σ ). Also when frames are closed and their variablesare not important, we omit the variables to make them morereadable. For example, instead of {x1 = T1, x2 = T2} we write{T1, T2}. We also write φ[T ′1/T1, . . . , T ′n/Tn] for the frame φ

with every appearance of the subterm Ti is replaced by T ′i .We can also define an equivalence relation between frames

using an equational theory.

Definition 3.4. Given two frames φ and φ′ with theirnormal forms

φ∗ = νn.{x1 = T1, . . . , xn = Tn}and

φ′∗ = νn.{x1 = T ′1, . . . , xn = T ′n},respectively, and an equational theory E, we say φ and φ′ areequationally equivalent, written as φ =E φ′, iff Ti =E T ′i forall i .

Now Example 1 and 2 can be improved by modeling thebehaviors of functions as follows.

Example 3. This example continues Example 1. Theequational theory that we use is generated from the followingequations, where vg, x, y are variables of suitable sorts.

EEXP1 : x ∗ y = y ∗ x,

EEXP2 : (vgx )y = vgx∗y .

When an attacker passively attacks a cryptographic scheme,it will get a sequence of information. Specifically, the original

1The notation ν is originally used in the applied π -calculus [20] to expressthe set of names, i.e. nonces, generated by a process. Informally, a frame isa special process for representing the static knowledge observed by a passiveadversary. It means that the set of all names generated by such a process isactually the set of names that appear in the process. Thus sometimes we omitthe notation ν for readability.

Diffie–Hellman key exchange protocol (see Fig. 1) provides anattacker the following frame:

{x1 = g, x2 = ga, x3 = gb, x4 = gab},where g is name of the sort DHBase and a, b are names of thesort DHExpo.

Example 4. We continue from Example 2 to model theBellare–Rogaway Encryption [11]. Let the equational theoryE be generated from the following equations where x, y, vrare variables of suitable sorts.

EXOR1 : x ⊕ y = y ⊕ x,

EXOR2 : x ⊕ (y ⊕ z) = (x ⊕ y)⊕ z,

ECCT1 : π1(x‖vr) = x,

ECCT2 : π2(x‖vr) = vr.

Let p1 be a second-order variable, which models a plaintextdecided by an attacker given a public key. The following framemodels the information that an attacker gets when challenginga plaintext and receiving back a corresponding ciphertext.

{x1 = pub(k), x2 = f (r, pub(k)), x3 = g(r)⊕ p1(pub(k)),

x4 = h(p1(pub(k))‖r)},where r is a variable of the sort Nonce, and k is a variable ofthe sort SecKey.

3.2. The computational semantics

We have described the syntax of our formalism for describing asequence of information and its informal semantics in intuition.Now we describe formally the semantics of the formalism. Thesemantics is defined in a computational setting.

We use the ROM [11] (see Section 2.4). We write H u← todenote that each hash function in the set H is chosen uniformlyfrom the set of all functions in the appropriate domain. Weconsider distribution ensembles constructed by PPT algorithmswith access to a set H of randomly chosen hash functions byan oracle O.

Given a signature � = (S,≤S ,F), an S,F-computationalalgebra A consists of the following elements:

(i) a sequence of non-empty finite sets of bitstrings{�s�A,η}η∈N where �s�A,η ⊆ {0, 1}∗ for each sort s ∈S. We assume that the size of every sort is exponentialin the security parameter η.

(ii) a sequence of deterministic2 polynomial-timecomputable functions {� f �A,η}η∈N where � f �A,η :�s1�A,η×· · ·×�sk�A,η → �s�A,η for each f ∈ F where

ar( f ) = s1 × · · · × sk → s

2We require to model random coin inputs explicitly.


at Ondokuz M


ovember 2, 2014


Dow

nloaded from



(iii) a polynomial-time computable congruence =A,η,s forchecking the equality of bitstring in �s�A,η for eachsort s. Here a congruence is reflexive, symmetric andtransitive such that e1 =A,η,s1 e′1, . . . , ek =A,η,sk e′k ⇒� f �A,η(e1, . . . , ek) =A,η,s � f �A,η(e′1, . . . , e′k), wherear( f ) = s1 × · · · × sk → s.

(iv) a polynomial-time procedure to draw uniformlyelements from �s�A,η, written as x

u← �s�A,η, for eachsort �s�A,η.

For readability, from now on except when explicitly statedotherwise, we assume a fixed S,F-computational algebra Aand a fixed security parameter η, thus we omit the indices A, sand η. Now, given a fixed set H = {Hi } of hash functions and astateless3 PPT adversary A that has access to H via the randomoracle O = H and provides a set of stateless PPT functions{AO

i } for evaluating second-order variables, the followingprocedure evalA,H(φ) is used to interpret the computationalsemantics of a frame φ = νn.{x1 = T1, . . . , xk = Tk} :

(i) for each name n appearing in n, draw a value nu←

�s(u)�;(ii) for each variable xi , where xi = Ti , compute Ti

recursively on the structure of the term;(iii) for each hash call hi (T ), compute hi (T ) = Hi (T );(iv) for each function call f (T ′1, . . . , T ′m), compute

recursively on the structure of input terms; thenf (T ′1, . . . , T ′m) = � f �(T ′1, . . . , T ′m);

(v) for each second-order variable call pi (T ′1, . . . , T ′m),compute recursively on the structure of input terms;then

(pi (T ′1, . . . , T ′m), spi )r← AO

i (T ′1, . . . , T ′m),

where spi is some extra information as a result of theevaluation of pi ;

(vi) return a pair {φ, S P} where φ = {x1 = T1, . . . , xk =Tk} and S P is the set of all {spi }.

The semantics of a frame φ w.r.t. a PPT adversary A isdefined as

�φ�Adef= [H u← ;O = H; (φ, S P)

r← evalA,H(φ) : φ].

A frame φ = {x1 = bs1, . . . , xk = bsk} with bsi ∈ �si �is a concrete frame. The reason we allow S P to be returned isbecause second-order variables are evaluated by an adversary,and so S P is allowed to be used by an adversarial distinguisher,which has to distinguish between two concrete frames (seeSection 3.3).

Remark 2. Each of A and the functions {AOi } does not

share its state with any other. However, a AOi does give

3By stateless we mean every time the adversary evaluates a frame it startswith a fresh state.

some extra information to A after the evaluation of asecond-order variable. It limits adversarial actions, but itmakes the interpretation simple and clear and still expressiveenough to model IND-CPA security. For example, we canprove IND-CPA security by showing the indistinguishabilitybetween the ciphertexts of a chosen and a random plaintext(see Example 8).

Note that each signature may have more than one semantics,and what semantics is used depending on how a schemeis designed. However, practically one should associate asignature used for a cryptographic scheme with a realsemantics, which is how the scheme should be understood andused in real life. Even so, one can come up with more thanone reasonable semantics for one signature, e.g. the length ofa nonce can be the same as or double the security parameter,depending on how we design a scheme. In this formalism, thechoice of semantics is left to users who use the formalism, andour result does not depend on that choice.

Example 5. The computational semantics of the signaturefor the Diffie–Hellman key exchange protocol used inExample 3 could be understood intuitively. Here, we define itformally using our formalism.

Assume that the security parameter is η. Let p and q beprimes where q|p−1 and |q| = η, and let G be a multiplicativesubgroup of Z∗p of order q. Let g be a generator of G. Notethat by ga , we mean ga mod p. The semantics is defined asfollows.

(i) Semantics of sort symbols:

(a) �DHExpo� = Zq .(b) �DHBase� = G.

(ii) Semantics of function symbols:

(a) �exp� is the exponentiation function yx mod p,where y ∈ G and x ∈ Zq .

(b) �∗� is the multiplication function y × x mod q,where y, x ∈ Zq .

(iii) Congruences:

(a) x = DH Expo y if x mod q = y mod q.(b) x = DH Base y if x mod p = y mod p.

(iv) Drawing procedures: For every sort, a drawingprocedure just draws uniformly an element as normal.

Example 6. The computational semantics of the signatureused in Example 4 could be understood intuitively. When itis specified formally in our formalism, it will be as follows.Assume that the security parameter is η. For simplicity, weassume that the length of any plaintext is fixed as η. Also,we assume that there is a trapdoor permutation Gen, S, F andF−1 where, given the security parameter η, the range of Genis P K × SK , the domain of permutation element is {0, 1}η and


at Ondokuz M


ovember 2, 2014


Dow

nloaded from


1520 L. Ngo et al.

the algorithm to find a public key from a secret key is Pub (seeSection 2.2).

(i) Semantics of sort symbols:

(a) �Nonce� = {0, 1}η.(b) �HashH� = {0, 1}η.(c) �PlainText� = {0, 1}η.(d) �SecKey� = SK .

(e) �PubKey� = P K .

(f) �Pair� = {0, 1}η × {0, 1}η.(ii) Semantics of function symbols:

(a) �‖� is the concatenation of two inputs.(b) �⊕� is the XOR function.(c) �π1� is the function that returns the first element of

a given pair.(d) �π2� is the function that returns the second element

of a given pair.(e) � f � is the algorithm F of the trapdoor permutation.(f) �pub� is the algorithm Pub of the trapdoor

permutation.

(iii) Congruences: The congruence of each sort is just thenormal equality in the semantics of each sort.

(iv) Drawing procedures: For every sort, a drawingprocedure just draws uniformly an element as normal.

3.3. Computational soundness

Now we consider how hard for adversaries to distinguishbetween the interpretations of two closed frames, i.e. thecomputational indistinguishability. Lets assume that we have afixed computational algebra to interpret closed frames. Giventwo closed frames φ1 and φ2, we say �φ1�A is computationallyindistinguishable from �φ2�A, written �φ1�A ≈ �φ2�A, if, forany PPT distinguisher D,

|Pr[φ1r← �φ1�A, φ2

r← �φ2�A : DO(η, φ1, S P1, S P2) = 1]

− Pr[φ1r← �φ1�A, φ2

r← �φ2�A :

DO(η, φ2, S P1, S P2) = 1]|,denoted by Adv(D, η, �φ1�A, �φ2�A), is negligible as afunction of η, where S Pi is extra information generated by Aafter evaluating φi (see Section 3.2).

Now given three relations R1 ⊆ T × T, R2 ⊆ F × T,R3 ⊆ F× F, we say

(i) R1 is =-sound iff, for all terms T1, T2 of the same sort,(T1, T2) ∈ R1 implies that, for any PPT adversary A,

Pr[e1, e2r← �T1, T2�A : e1 �= e2] is negligible.

(ii) R2 is �-sound iff, for all frames φ and term T , (φ, T ) ∈R2 implies that, for any PPT adversary A,

Pr[φ, er← �φ, T �A : A(φ) = e] is negligible.

(iii) R3 is ≈-sound iff, for all frames φ1, φ2 with the samedomain, (φ1, φ2) ∈ R3 implies that, for any PPTadversary A

�φ1�A ≈ �φ2�A.

3.4. Formal relations

In this section, we define some syntactic rules for buildingup some relations between frames and terms. The basic ideaof those rules is that they preserve computational soundness.Informally, it means that, from a formal expression thatreflects something sound in the computational setting, we cansyntactically form another expression that reflects somethingelse also computationally sound. Next we define what type ofrelations we consider first.

Definition 3.5 (Well-formed relations). A relation Sd ⊆ F×T is well-formed if M and φ are closed for any (φ, M) ∈ Sd ,

and a relation Si ⊆ F × F is well-formed if φ1, φ2 are closedand dom(φ1) = dom(φ2) for any (φ1, φ2) ∈ Si .

Now we define the case when it is safe to replaceshash instances by nonces but the semantics of the new andold frames are still computationally indistinguishable. Theintuitive idea is as follows. We aim to replace as manyhash instances by nonces as possible. However, sometimesreplacing every of them by a new nonce is not sound. Forexample, given two instances h(M) and h(N ) of the same hashfunction h(), if the values of M and N are always the same thenh(M) and h(N ) must be replaced by the same nonce. If M andN are always different, then h(M) and h(N ) must be replacedby two different nonces.

Later in the algorithms, we have a step to rewrite inputsof the instances of the same hash. More specifically, if theinputs are =E , making them written as the same term. Forexample, the frame {h(a + b), h(b + a), g(c), g(d)}, whereh and g are different hash functions, should be transformedto {h(a + b), h(a + b), g(c), g(d)}. After that, we aim toprove that if two inputs are still different terms, then theirsemantics are always different. The semantics difference isguaranteed if one input is unpredictable from the other. Morespecifically, given two instances h(M) and h(N ) of the samehash function h(), if from M it is always impossible to predictN , then M is always different from N (with an overwhelmingprobability). For example, {h(a + b), h(a + b), g(c), g(d)}is indistinguishable from {r1, r1, r2, r3}, where r1, r2, r3 arenonces of relevant sorts because c � d. This fact will be usedlater in the rule to replace hashes (rule RH ). Now we definethis condition formally as follows.

Definition 3.6 (Hash Safe). Given a frame φ, a hash symbolh and a relation �⊆ F × T, let {h(T1), . . . , h(Tk)} be the setof all subterms of φ in the form h(.). We say φ is hash safewith respect to (h, �) if, for every {i, j}, we have {Ti } � Tj or{Tj } � Ti .


at Ondokuz M


ovember 2, 2014


Dow

nloaded from



Now we are ready to define the relations we need.

Definition 3.7 (FNDR and FIR). We say a pair of well-formed relations (�,∼=), where �⊆ F × T and ∼=⊆ F × F,

is a pair of (FNDR, FIR) with respect to the equational theory=E , if ∼= is an equivalence and (�,∼=) is closed with respectto the following rules.

The first four rules reflect the preservation of computationalindistinguishability.

(i) (RI1) If φ1 ∼= φ2, then φφ1 ∼= φφ2 for any frame φ suchthat var(φ) ⊆ dom(φi ) and name(φ)∩name(φi ) = ∅.

Informally, this rule means that, given two indistin-guishable distributions φ1 and φ2 and a PPT algorithmP() (abstracted by φ), the outputs P(φ1) and P(φ2) arealso indistinguishable.

(ii) (RI2) If φ1 =E φ2, then φ1 ∼= φ2.Informally, this rule means identical distributions are

also indistinguishable.(iii) (RI3) τ (φ) ∼= φ for any renaming τ .

Informally, this rule means that nonces of the samesort mean the same thing, i.e. the same distribution, nomatter what name we call them.

(iv) (RI4) If φ1 ∼= φ2, then φ1[T φ/p(T1, . . . , Tk)] ∼= φ2with φ = {x1 = T1, . . . , xk = Tk} for any term Tand second-order variable p(.) such that name(T ) ∩(name(φ1)∪name(φ2)∪name(φ)) = ∅ and var(T ) ⊆dom(φ) and s(T φ) = s(p(.)) and sndvar(φ2) = ∅.

Informally, this rules means if an adversary cannotdistinguish two distributions, then it still cannot dis-tinguish them when some of its adversarial behaviorsbecome more restricted. In this case, the restrictionmeans an adversarial output becomes a fixed algorithm,i.e. a fixed term. Note that one may remove the last con-dition sndvar(φ2) = ∅ if the replacement of a second-order variable occurs on both sides. However, since ourtool needs such a condition to avoid explosions (seeSection 4.2), we prefer to keep this condition here.

The next five rules reflect how computational predictabilitycan be constructed.

(i) (RND1) φ � r if r /∈ name(φ).Informally, this rule means if a PPT algorithm does

know anything about a nonce, then it cannot predict it.(ii) (RND2)if φ � M, then τ(φ) � τ(M) for any

renaming τ .Similar to RI3, this rule means that if a nonce is

unpredictable, then changing its name does not help topredict it.

(iii) (RND3) If φ � M, then φ′φ � M for any frameφ′ such that var(φ′) ⊆ dom(φ) and name(φ′) ∩(name(φ) ∪ name(M)) = ∅.

Informally, this rule means that if it is hard to predicta secret given some input, then more computation onthat input does not help to predict better.

(iv) (RND4) For all substitutions σ1, σ2 such that x /∈dom(σi ), if νn.{σ1, x = M} ∼= νn.{σ2, x = N } andνn.σ1 � M, then νn.σ2 � N.

Informally, this rule means that if one can distinguishbetween the combination of two strings s1 and s2 andthe combination of two strings s′1 and s′2, and from s1it is hard to guess s2, then it is also hard to guess s′2from s′1.

(v) (RND5) For any function symbol f ∈ F , if φ � f (M),

then φ � M.Informally, this rule is a variant of the fact that if it

is possible to predict a value, then it is also possible topredict any efficient deterministic computation on thatvalue.

The last rule defines when replacing hash instances bynonces preserves the computational soundness. The ruleemploys the condition hash safe defined above.

(i) (RH) If there exists a set {h1(T1), . . . , hk(Tk)} such that

φ[r1/h1(T1), . . . , rk/hk(Tk)] � Ti ,

where ri are distinct names, ri /∈ name(φ) and φ

is hash safe w.r.t. (hi , �) for i = 1 · · · k, then φ ∼=φ[r1/h1(T1), . . . , rk/hk(Tk)].

As we have explained, the main idea of FIR and FNDR isthat they preserve computational soundness. To define a pair of(FNDR, FIR), one should provide an initial pair of (FNDR,FIR) Sd , Si and then construct their closure (〈Sd〉�, 〈Si 〉∼=using the above rules. As long as the equational theory capturescorrectly our computational sorts and functions, and the twoinitial sets Si and Sd contain only computationally soundpairs, then every pair in the closure 〈Sd〉� and 〈Si 〉∼= iscomputationally sound. That is how one can use FIR to checkcomputational indistinguishability. The next theorem formallystates the computational soundness preservation.

Let us define an order relation � as (D1, I1) � (D2, I2) iffD1 ⊆ D2 and I1 ⊆ I2.

Theorem 3.1. Given a well-formed pair of relations (Sd , Si ),there exists a unique smallest (with respect to �) pair of(FNDR, FIR) relations (〈Sd〉�, 〈Si 〉∼=) with respect to =E

((�Sd ,∼=Si ) in infix notation) such that 〈Sd〉� ⊇ Sd and

〈Si 〉∼= ⊇ Si . Furthermore, if =E is =-sound, Sd is �-soundand Si is ≈-sound, then also 〈Sd〉� is �-sound and 〈Si 〉∼= is≈-sound.

Proof. Given a well-formed pair or relations (Sd , Si ), first weprove the existence of the unique smallest (〈Sd〉�, 〈Si 〉∼=).

Define the intersection between (D1, I1) and (D2, I2) as

(D1, I1) ∧ (D2, I2)def= (D1 ∩ D2, I1 ∩ I2).

And let D be the set of every (φ, M) ∈ F × T such thatname(M) ⊆ name(φ), and I be the set of very (φ1, φ2) ∈F× F such that dom(φ1) = dom(φ2).


at Ondokuz M


ovember 2, 2014


Dow

nloaded from


1522 L. Ngo et al.

Clearly D ad I are well-formed and (D, I) is a (FNDR,FIR) and (Sd , Si ) � (D, I). Also, according to the definitionof (FNDR, FIR), if (D1, I1) and (D2, I2) are both (FNDR,FIR), then so is (D1, I1) ∧ (D2, I2). Thus, (〈Sd〉�, 〈Si 〉∼=).can be defined as the intersection between all (D, I ) where(Sd , Si ) � (D, I ).

To prove the preservation of the computational soundness,it is sufficient to prove that each closure rule preserves thecomputational soundness. Next we are going to prove thatproperty for each rule.

(i) Rules of equivalence:

(a) Reflexivity: φ ∼= φ.

(b) Symmetry: If φ1 ∼= φ2, then φ2 ∼= φ1.

(c) Transitivity: If φ1 ∼= φ2 and φ2 ∼= φ3, then φ1 ∼= φ3.

Proof. The computational soundness of reflexivity isguaranteed because a distinguisher D always gets thesame view from both sides. Similarly, the case ofsymmetry is also clear since we just swap two sidesof an indistinguishability game.

In this work, proving the computational soundnessof transitivity is a little bit different from normal. Notethat in our indistinguishability game, the distinguisherhas access to the information of the evaluation ofsecond-order variables. Let us assume that φ1 ∼= φ2 iscomputationally sound. Then, for any PPT algorithmsA and D,

|Pr[φ1r← �φ1�A, φ2

r← �φ2�A :

DO(η, φ1, S P1, S P2) = 1]

− Pr[φ1r← �φ1�A, φ2

r← �φ2�A :

DO(η, φ2, S P1, S P2) = 1]|is negligible.

Now, because frames are evaluated separately, suchinformation from a frame is perfectly independent ofthe evaluation of another frame. It means that when weadditionally evaluate φ3 and give S P3 to D, we stillhave that

|Pr[φ1r← �φ1�A, φ2

r← �φ2�A, φ3r← �φ3�A :

DO(η, φ1, S P1, S P2, S P3) = 1]

− Pr[φ1r← �φ1�A, φ2

r← �φ2�A, φ3r← �φ3�A :

DO(η, φ2, S P1, S P2, S P3) = 1]|is negligible.

Similarly, by assuming φ2 ∼= φ3 is computationallysound, we have that

|Pr[φ1r← �φ1�A, φ2

r← �φ2�A, φ3r← �φ3�A :

DO(η, φ2, S P1, S P2, S P3) = 1]

− Pr[φ1r← �φ1�A, φ2

r← �φ2�A, φ3r← �φ3�A :

DO(η, φ3, S P1, S P2, S P3) = 1]|

is negligible.All together we have that

|Pr[φ1r← �φ1�A, φ2

r← �φ2�A, φ3r← �φ3�A :

DO(η, φ1, S P1, S P2, S P3) = 1]

− Pr[φ1r← �φ1�A, φ2

r← �φ2�A, φ3r← �φ3�A :

DO(η, φ3, S P1, S P2, S P3) = 1]|

is negligible.Finally, because the evaluation of φ2 is independent,

we can remove it from the game; then the computa-tional soundness of φ1 ∼= φ3 is guaranteed because

|Pr[φ1r← �φ1�A, φ3

r← �φ3�A :

DO(η, φ1, S P1, S P3) = 1]

− Pr[φ1r← �φ1�A, φ3

r← �φ3�A :

DO(η, φ3, S P1, S P3) = 1]|

is negligible.

(ii) (RI1) If φ1 ∼= φ2, then φφ1 ∼= φφ2 for any frameφ such that var(φ) ⊆ dom(φi ) and name(φ) ∩name(φi ) = ∅.Proof. We will show that if φ1 ∼= φ2 is ≈-sound, thenφφ1 ∼= φφ2 is also ≈-sound, i.e for any PPT adversaryA, �φφ1�A ≈ �φφ2�A.

Assume that there exist PPT A and D such thatAdv(D, η, �φφ1�A, �φφ2�A) is not negligible, we canconstruct two PPT adversaries B and D′ such thatAdv(D′, η, �φ1�B, �φ2�B) is also not negligible asfollows.

First, B must provide algorithms to evaluate allsecond-order variables that appear in φ1 and φ2. Fora second-order variable that also appears in φφ1 andφφ2, B just uses the corresponding algorithm fromA. For any other second-order variable, B just returnsa uniformly chosen value from the relevant sort.Now D′ can interpret every variable in var(φ) fromthe concrete frame it has obtained (since var(φ) ⊆dom(φi )). Also D′ interprets the rest of φφi to get aconcrete frame, using A’s algorithm to evaluate anynew second-order variable appearing in φ (note thatname(φ) ∩ name(φi ) = ∅). Finally, D′ passes theconcrete frame to D and uses the answer from D asits answer.

In this way, all the concrete frames are perfectlyconstructed and the advantage of D′ equals D’sadvantage. Thus, Adv(D′, η, �φ1�B, �φ2�B) is also not


at Ondokuz M


ovember 2, 2014


Dow

nloaded from



negligible. It is a contradiction because φ1 ∼= φ2 is≈-sound.

(iii) (RI2) If φ1 =E φ2, then φ1 ∼= φ2.

Proof. The proof immediate because =E is=-sound.

(iv) (RI3) τ (φ) ∼= φ for any renaming τ .

Proof. The proof immediate because according to thesemantics, renaming does not change distributions.

(v) (RI4) If φ1 ∼= φ2, then φ1[T φ/p(T1, . . . , Tk)] ∼= φ2with φ = {x1 = T1, . . . , xk = Tk} for any term Tand second-order variable p(.) such that name(T ) ∩(name(φ1)∪name(φ2)∪name(φ)) = ∅ and var(T ) ⊆dom(φ) and s(T φ) = s(p(.)) and sndvar(φ2) = ∅.Proof. We will show that if φ1 ∼= φ2 is ≈-sound,then φ1[T φ/p(T1, . . . , Tk)] ∼= φ2 is also≈-sound, i.e for any PPT adversary A and D,Adv(D, η, �φ1[T φ/p(T1, . . . , Tk)]�A, �φ2�A) isnegligible.

Assume that there exist PPT A and D suchthat Adv(D, η, �φ1[T φ/p(T1, . . . , Tk)]�A, �φ2�A) isnot negligible, we can construct PPT B such thatAdv(D, η, �φ1�B, �φ2�B) is also not negligible asfollows.

Now B uses A as a black box to interpret φi asnormal, except that �p(T1, . . . , Tk)�A is replaced by�T φ�A with the interpretation of var(T ) is done using�Ti �A. Every �Ti �A must be available because B mustbe able to evaluate p(). Finally, D gets the concreteframe evaluated by B and returns a guess.

In this indistinguishability game with B, all theconcrete frames are perfectly constructed so thatthe advantage of D must not be negligible. It is acontradiction because φ1 ∼= φ2 is ≈-sound.

(vi) (RND1) φ � r if r /∈ name(φ).

Proof. We have to prove that

Pr[φ, er← �φ, r�A : A(φ) = e] is negligible,

i.e. for any PPT algorithm A, given the value of φ, Aoutputs the corresponding value of r with a negligibleprobability. The proof is obvious because A does nothave any information about r , while the value r is arandom number drawn uniformly from a sort whosesize is exponential in η.

(vii) (RND2) If φ � M , then τ(φ) � τ(M) for anyrenaming τ .

Proof. It is obvious because renaming does not changedistributions.

(viii) (RND3) If φ � M , then φ′φ � M for any frameφ′ such that var(φ′) ⊆ dom(φ) and name(φ′) ∩(name(φ) ∪ name(M)) = ∅.Proof. We will show that if φ′φ � M is not �-sound,then φ � M is also not �-sound.

Let us assume that there exists a PPT adversary Asuch that

Pr[φ′φ, er← �φ′φ, M�A : A(φ′φ) = e]

× is not negligible.

Now we show that we can construct a PPT adversaryB such that

Pr[φ, er← �φ, M�B : B(φ)= e] is also not negligible.

First, B must provide algorithms to evaluate allsecond-order variables that appear in φ. For a second-order variable that also appears in φ′φ, B just uses thecorresponding algorithm from A. For any other second-order variable, B just returns a uniformly chosen valuefrom the relevant sort. Then B can interpret everyvariable in var(φ) from the concrete frame it hasobtained (since var(φ) ⊆ dom(φ)). Now B interpretsthe rest of φ′φ to get a concrete frame, using A’salgorithm to evaluate any new second-order variableappearing in φ′ (note that name(φ′) ∩ (name(φ) ∪name(M)) = ∅). Finally, B passes the concrete frameto A and uses the answer from A as its answer.

In this way, all the concrete frames are perfectlyconstructed. Thus,

Pr[φ, er← �φ, M�B : B(φ) = e] is also not negligible.

This is a contradiction because φ � M is �-sound.

(ix) (RND4) For all substitutions σ1, σ2 such that x /∈dom(σi ), if νn.{σ1, x = M} ∼= νn.{σ2, x = N } andνn.σ1 � M , then νn.σ2 � N .

Proof. We will show that if νn.σ2 � N is not �-soundbut νn.σ1 � M is �-sound, then νn.{σ1, x = M} ∼=νn.{σ2, x = N } is not ≈-sound.

Let us assume that there is a PPT adversary A againstνn.σ2 � N with a not negligible advantage. We willshow that we can construct a PPT distinguisher D thatcan break νn.{σ1, x = M} ∼= νn.{σ2, x = N } with anot negligible advantage if νn.σ1 � M is �-sound.D gets a concrete frame νn.{σ, x = T } which can

be νn.{σ1, x = M} or νn.{σ2, x = N } by using A forany second-order variables in νn.{σ2, x = N }. For anyother second-order variables D just uses a uniformlychosen value from the relevant sort. Then D passes σ toA. If A returns T , then D returns 1, otherwise it returns0. If the concrete frame that D has obtained is actually a


at Ondokuz M


ovember 2, 2014


Dow

nloaded from


1524 L. Ngo et al.

concrete frame of νn.{σ1, x = M}, then the probabilitythat D return 1 is negligible, because A returns Twith a not negligible probability, i.e. νn.σ1 � M is�-sound. If the concrete frame that D has obtained is aconcrete frame of νn.{σ2, x = N }, then the probabilitythat D returns 1 is not negligible, because in this caseA’s advantage is not negligible. Thus, the subtractionof these two probabilities is not negligible, i.e. D’sadvantage is not negligible.

(x) (RND5) For any function symbol f ∈ F , if φ �f (M), then φ � M .

Proof. We will show that, for any function symbol f , ifφ � M is not �-sound, then φ � f (M) is not �-sound,either.

Let us assume that there is a PPT adversary A againstφ � M with a not negligible advantage. We willshow that we can construct a PPT adversary B againstφ � f (M) with a not negligible advantage.

Now B just uses A as a black box to get a concreteframe φ

r← �φ�A; A will return a value m, which is thesemantics of M with a not negligible probability. ThenB just returns f (m), which is the semantics of f (M)

with a not negligible probability. Thus, φ � f (M) isnot �-sound. This is a contradiction.

(xi) (RH) If there exists a set {h1(T1), . . . , hk(Tk)} such that

φ[r1/h1(T1), . . . , rk/hk(Tk)] � Ti ,

where ri are distinct names, ri /∈ name(φ) and φ

is hash safe w.r.t. (hi , �) for i = 1 · · · k, then φ ∼=φ[r1/h1(T1), . . . , rk/hk(Tk)].

Proof. We will show that if φ ∼= φ[r1/h1(T1), . . . ,

rk/hk(Tk)] is not ≈-sound but φ is hash safe withrespect to (hi , �,=E ) for i = 1 · · · k, then there existsa Ti such that φ[r1/h1(T1), . . . , rk/hk(Tk)] � Ti is not�-sound.

Let us assume that there exists a pair of PPTevaluating adversary A and distinguisher D against

φ ∼= φ[r1/h1(T1), . . . , rk/hk(Tk)]

with a not negligible advantage and φ is hash safewith respect to (hi , �,=E ) for i = 1 · · · k. We willshow that there exists a PPT adversary B that canbreak φ[r1/h1(T1), . . . , rk/hk(Tk)] � Ti with a notnegligible advantage for some i .B uses A as a black box to construct a concrete frame

of φ[r1/h1(T1), . . . , rk/hk(Tk)]. Note that ri is used toreplace hi (Ti ), which is supposed to be obtained fromthe random oracle O, and hi (Ti ) and h j (Tj ) can be twoinstances of the same hash function. Because φ is hashsafe with respect to (hi , �,=E ) for i = 1 · · · k, with

an overwhelming probability, the semantics �hi (Ti )� isdifferent from any �h j (Tj )� where i �= j . That is thereason why ri must be distinct names. The concreteframe is given to D as a challenge. And since we areworking in ROM, it means that D has a not negligibleadvantage only when it queries at least one of the inputsand figures out the difference between the answer fromO and the replacing nonce. Thus, B can pick a randomqueried value to O and returns. Because the numberof queries to O is polynomial in η, the probabilitythat B returns the correct value of one hash input isnot negligible. Thus, B is a PPT adversary with a notnegligible advantage against

φ[r1/h1(T1), . . . , rk/hk(Tk)] � Ti

for some i .

Example 7. We continue Example 5 by modeling some hardproblems that we will use to prove the security later. The set Si

contains the following pair to model the DDH assumption asfollows:

({x1 = g, x2 = ga, x3 = gb, x4 = ga∗b},{x1 = g, x2 = ga, x3 = gb, x4 = gc}).

The passive multi-session security of a key exchange can beexpressed by the indistinguishability between a real transcriptand a transcript where the session key is replaced by a nonce.Thus, the passive multi-session security of the Diffie–Hellmankey exchange is implied by the following:

{x1 = g, x2 = ga, x3 = gb, x4 = (ga)b}

∼= {x1 = g, x2 = ga, x3 = gb, x4 = gc}.

Example 8. We continue Example 6 by modeling some hardproblems that we will use to prove the security later. There aresets Si and Sd as follows.

The set Si includes the following pair, which models theproperty of ⊕, where pXor is a second-order variable and mis a name.

({x1 = pXor()⊕ m}, {x1 = m}).The set Sd includes the following pair, which models the

property of f , a trapdoor one-way function, where k, r are twonames.

({x1 = pub(k), x2 = f (r, pub(k))}, r).

The IND-CPA security of an encryption is modeled asthe indistinguishability of the ciphertexts of two messagesgiven by the attacker. Let p be a second-order variable andm be a name of the sort PlainText, i.e. a uniformly randomplaintext. Then the validity of the next relation will imply therandomness of ciphertexts, i.e the IND-CPA security of the


at Ondokuz M


ovember 2, 2014


Dow

nloaded from



Bellare–Rogaway encryption.

{x1 = pub(k), x2 = f (r, pub(k)), x3 = g(r)⊕ p(pub(k)),

x4 = h(p(pub(k))‖r)}∼= {x1 = pub(k), x2 = f (r, pub(k)), x3 = g(r)⊕ m,

x4 = h(m‖r)}.

Remark 3. One may note that we can always extend thesignature �, =E , Si and Sd to suit any cryptographic scheme.As long as every equation in =E , and every pair in Si and Sd

is computational sound, then 〈Sd〉� is still �-sound and 〈Si 〉∼=is still ≈-sound.

Remark 4. The computational soundness of FIR and FNDRis preserved, no matter whether the adversary is uniform ornon-uniform PPT. Note that FIR and FNDR provide onlyreductions from hard problem assumptions to computationalindistinguishability or non-derivability. One must guaranteethat his hard problem assumptions expressed in Si and Sd aresound w.r.t. uniform or non-uniform settings, depending onwhat is wanted to achieve.

3.5. Comparison with the original definitions of FIRand FNDR in ROM

These closure rules are a bit different from the original rulesdefined by Ene et al. [16]. Now we explain the differences inmore detail.

(i) We replace Ene et al.’s [16] FIR closure rule GE4by our new rule RI4. On the one hand, we can avoidsearching for bijective functions, which require usto use the equational theory backward, and thereforethe search space explodes quickly. With our rule RI4we let the property of bijective functions be defined inthe initial set Si . For example, for a XOR function wecan put {x = p() ⊕ r} ∼= {x = r}, where p() is asecond-order variable. On the other hand, we can treatthe case where Si contains frames that have second-order variables (see Section 5).

While this change makes reasoning easier since theindistinguishability property is specified directly in Si ,there are cases that become uncovered under this newrule. For example, with the old rule GE4, it is possibleto prove {a, a ⊕ b} ∼= {a, b} with σ = {a}, M = y ⊕ aand N = z ⊕ a, as long as the XOR function ⊕can be detected as a bijective function (depending onthe equational theory). However, when we model theindistinguishability property of XOR as pXor()⊕b ∼= bwhere pXor is a second-order variable, we cannot applyRI4 to prove this case because pXor() is not specifiedto take a as an input.

(ii) Regarding FNDR, we remove Ene et al.’s [16] tworules GD3, GD4 because they are covered by their rule

GD6, which is renamed RND4 in this work. Also, ourrule RND1 still has the idea of their GD1 rule but ina different and simpler presentation. Additionally, wereplaced their rule GD7 by our rule RND5, which is alimited case of GD7, because GD7 is too general andwe cannot find an efficient way of reasoning with it.RND5 captures the fact that if there is a way to extractsome information a from b, then the impossibility ofcomputing a implies the impossibility of computing b.

(iii) For hashes, we allow more instances of the samehash function in a frame. Our rule allows one toreplace those instances with nonces as long as theinputs are always equal or always different (withoverwhelming probabilities). In addition, our rule RHallows us to replace more than one hash at one time.The reason is that in our algorithm we want to replacehashes once only in the beginning in order to increasethe performance and avoid potential loops betweenchecking FNDR and FIR, as checking FNDR mayrequire checking FIR and vice versa.

4. COMPUTATIONALLY SOUND AUTOMATEDPROOFS FOR FORMALINDISTINGUISHABILITY AND FORMALNON-DERIVABILITY

This section describes the problem we aim to solve and ouralgorithms for doing it. We use the formalism described aboveto check security of practical cryptographic schemes. We donot aim at completeness but a simple and efficient algorithmto take advantage of the computational power of computers inorder to check the indistinguishability of the cases often seenin security problems (see Section 3.3).

4.1. Validity problems

Now we define formally the problems that we aim to solve.Note that these are problems of FNDR and FIR only, notdirectly of computational indistinguishability. In order toachieve computationally sound proofs, one has to make surethat the semantics of everything used in these problems arecomputationally sound.

Definition 4.1 (Validity problems). Given a signature � =(S,≤S ,F ,H), an equational theory E generated by anequation system E and a pair of (FNDR, FIR) relations(〈Sd〉�, 〈Si 〉∼=) generated from (Sd , Si ) (w.r.t. the equationaltheory =E ), the validity problems are defined as follows:

(i) FNDR problem: Given a pair (φ, T ) ∈ F × T, is(φ, T ) ∈ 〈Sd〉�?

(ii) FIR problem: Given a pair (φ1, φ2) ∈ F × F, is(φ1, φ2) ∈ 〈Si 〉∼=?


at Ondokuz M


ovember 2, 2014


Dow

nloaded from


1526 L. Ngo et al.

4.2. Assumptions

In order to make automation possible, we will have to orientthe initial relations E and Si . Therefore, we take the followingassumptions.

(i) For any equation l = r in the equation system whichgenerates E , var(r) ⊆ var(l).

(ii) For any pair (l, r) in Si , sndvar(r) = ∅.

The first assumption enables the conversion from an equa-tional theory to a rewriting system, which is mechanizable.This conversion is explained later in Section 4.3.1. The seconddoes a similar thing with the exploration of 〈Si 〉∼=. In particular,since our algorithm aims to ‘simplify’ the two given frames tosee if their simplified ones match in the middle, the second con-dition guarantees that new frames are becoming ‘simpler’ thantheir original ones. The reasoning on FIR is explained later inSections 4.3.3 and 4.6.

These two assumptions are practical as we usually canfind a way to specify a scheme to satisfy these assumptions.Regarding the first assumption, in most cases, if an equationl =E r does not satisfy the assumption, then r =E l does.Therefore, it is simple to build an initial set in which everyequation is satisfied. For the case when var(r) \ var(l) �=∅ and var(l) \ var(r) �= ∅, it may be still possible towrite the equation in another way while the semantics isstill preserved. For example, in the case of the multiplicationoperation, the equation x × 0 = y × 0 is valid but doesnot satisfy our assumption. However, we can use the equationx × 0 = 0 instead. The second assumption is also similar.For example, given an encryption algorithm Enc(pk, m, r),where pk is a public key, m is a plaintext and r is a nonce, theIND-CPA security, i.e. indistinguishability of two ciphertexts,can be expressed as Enc(pub(sk), p1(pub(sk))), r1) ∼=Enc(pub(sk), p2(pub(sk))), r2), where p1 and p2 are twosecond-order variables and pub(sk) gives the correspondingpublic key from a secret key sk. This expression does notsatisfy the second assumption. However, we can always modelthe IND-CPA security by Enc(pub(sk), p1(pub(sk))), r1) ∼=Enc(pub(sk), m, r2)), where m is a random plaintext and thenthe assumption is satisfied.

4.3. Supporting algorithms

We now describe some small functions which help our mainalgorithms to solve the validity problems.

4.3.1. Conversion from equational theory to term rewritingOne way to reason on algebraic properties based on equationsis to use equations to transform a term to another equal termuntil we get a desired one. In order to make it possible, itis necessary to direct equations, i.e. to specify which wayto transform terms. Intuitively, the good direction is the one

that reduces the size of a term, otherwise the reasoning willexplode. A directed version of an equational theory is called aterm rewriting system.

Term rewriting. We extend some notations related torewriting. The set of positions of a term T is pos(T ) ⊆ N∗.The subterm of T at the position p ∈ pos(T ) is denoted byT |p. We write T [U ]p for the term obtained by replacing T |pin T with a term U .

Given a signature, a term rewriting system R is a finite setof rewriting rules in the form of l → r, where l, r ∈ T andvar(r) ⊆ var(l). A term S rewrites to another term T byR, written as S →R T , if there exists a rule l → r in R,p ∈ pos(S) and a substitution σ such that S|p = lσ andT = S[rσ ]p. Let→+R denote the transitive closure of→R.

Conversion. Given an equational theory E , we generate aterm rewriting system by constructing a rewriting rule fromevery initial equation. More specifically, for every initialequation l =E r we construct a rule l → r . As we requirevar(r) ⊆ var(l) for every rewriting rule, not every equationcan be transformed to a rewriting rule. Thus, it is necessary toassume that, for every initial equation l =E r of any equationaltheory E , var(r) ⊆ var(l).

4.3.2. Equational theory explorationIn this algorithm, we assume that the rewriting system Rconverted from an equational theory E is implicitly available.Given a frame φ, the algorithm builds a set S which containsonly frames =E φ. The pseudo-code of the algorithm isexplained in Algorithm 1. Note that S will not contain allframes possibly found by using R starting from φ. Actuallyin each frame in S there is only one term different from thecorresponding term in φ. However, this algorithm will be usedrepeatedly to explore more frames.

Algorithm 1 Equational theory exploration.Input: A frame φ.Output: A set S of frame.

function et_ext(φ)S← ∅for all T ∈ φ do

for all T ′ : T →+R T ′ doφ′ ← φ

replace T in φ′ with T ′S← S ∪ φ′

return Send function

4.3.3. FIR explorationIn this algorithm, we assume that the signature � = (S,≤S ,

F ,H), the extended initial relation S′i and a rewriting systemR are implicitly available. Given a frame φ, this algorithm


at Ondokuz M


ovember 2, 2014


Dow

nloaded from



builds a set that contains only frames ∼= φ. The details of thealgorithm is explained in Algorithm 2.

Algorithm 2 FIR exploration.Input: A frame φ.

Output: A set of frame S.

function fir_ext(φ)

S← ∅for all (l, r) ∈ S′i do

S′ = ∅make a renaming τ such that

τ(name(l) ∪ name(r)) ∩ name(φ) = ∅� Note: to avoid name conflicts

l ′ ← τ(l) and r ′ ← τ(r)

� Note: Next RI 3 and RI 4 are used together

for all l2, l1, τ ′, T, p(.) :

l1 = τ ′(l ′) and name(l1) ⊆ name(φ) ∪ name(l ′)and l2 = l1[T φ′/p(T1, . . . , Tk)] and T φ′ ∈ st (φ)

and p(.) is second-order and s(T φ′) = s(p(.))

and φ′ = {x1 = T1, . . . , xk = Tk} and

name(T ) ∩ name(l1) = ∅ and

var(T ) ⊆ dom(φ′) doS′ = S′ ∪ (l2, τ ′(r ′))

for all (l ′′, r ′′) ∈ S′ and φ′ : φ = φ′l ′′ doS = S ∪ φ′r ′′ � Note: RI 1 is applied

return S

end function

For every pair (l, r) ∈ S′i , there is a loop that builds atemporary relation S′ from l, r using rule RI3 and RI4. Insidethis loop, first every pair (l, r) ∈ S′i is renamed to pair (l ′, r ′)to avoid name conflicts with φ. Secondly, S′ is built up bya loop searching for some l2, l1, τ ′, T, p(.) that must satisfysome conditions from RI3 and RI4. In this small loop, alll1 can be found because name(l1) is bound by name(l1) ⊆name(φ)∪name(l ′). After that τ ′ is constructed. Then all p(.)

can be found by searching all second-order variables in l1; all Tcan also be found with some conditions which limit the numberof T and then l2 can be constructed.

Finally, the algorithm searches in S′ for all pairs which canbe applied with φ using the rule RI1, making the set S to return.

4.4. Initialization

This is the algorithm to run in the beginning of the tool. Itconverts the initial equation system E into a term rewriting

system R and extends the initial relations Sd , Si into new initialsets S′d , S′i . The extension of Sd , Si is done as follows. Given a(φ, φ′) ∈ Si , we find as many φ′′, where φ′′ =E φ, as possible(rule RI2). We extend Si by adding (φ′′, φ′) into it. Similarly,given a (φ, T ) ∈ Sd , we extend Sd by looking for φ′′ whereφ′′ =E φ and then add (φ′′, T ) into Sd . Finally, we output newSi , Sd . The initialization is described in Algorithm 3.

Algorithm 3 Initialization.Input: An equational theory set E , two FNDR and FIR initial

set Sd , Si .Output: A rewriting system R, two new FNDR and FIR

initial sets S′d , S′i .

function init()convert E to a term rewriting system RS′i ← Si

done← Falserepeat

Stemp ← ∅for all (l, r) ∈ S′i do

for all l ′ ∈ et_ext(l) doStemp ← Stemp ∪ {(l ′, r)}

if Stemp ⊆ S′i thendone← True

elseS′i ← S′i ∪ Stemp

until done

S′d ← Sd

done← Falserepeat

Stemp ← ∅for all (φ, T ) ∈ S′d do

for all φ′ ∈ et_ext(φ) doStemp ← Stemp ∪ {(φ′, T )}

if Stemp ⊆ S′d thendone← True

elseS′d ← S′d ∪ Stemp

until done

return R, S′d , S′iend function

The reason of the extension of Sd , Si is to make itsignificantly faster to simplify a frame, because we have morechoices from Si and Sd . The fact is that normally frames tobe checked for their indistinguishability are often bigger thanframes in Si and Sd , which model hard assumptions. Thus,rewriting Si and Sd is better than rewriting frames that are to be


at Ondokuz M


ovember 2, 2014


Dow

nloaded from


1528 L. Ngo et al.

checked. Also, we do it only once in the beginning of the wholeprocess. In practice, the sizes of S′d , S′i are not much biggerthan those of the original Sd , Si , owing to the compactness ofSd , Si . In our tests the sizes of S′d , S′i always grew less than 3times bigger.

This algorithm should be executed once in the beginning.After this algorithm is executed, we assume that the signature� = (S,≤S ,F ,H), the rewriting system R, and the extendedpair of (FNDR, FIR) relations (S′d , S′i ) are global, i.e. implicitlyavailable.

4.5. Algorithm to solve FNDR validity problem

This algorithm assumes that the initialization described inSection 4.4 has been done and the signature � = (S,≤S ,

F ,H), the two extended initial sets S′d , S′i and a rewritingsystem R are implicitly available. This algorithm is to checkif φ � T , given a frame φ and term T . Although one canuse this algorithm independently, it is designed originally tosupport removing hashes in frames in order to check FIRmembership. Overall, the algorithm keeps checking and returnYes immediately when it can prove, or returns No in the end.Informally, the algorithm contains the following steps. A settochk is maintained such that if ∃(φ′, T ′) ∈ tochk. (φ′, T ′) ∈〈S′d〉�, then also (φ, T ) ∈ 〈S′d〉�. In the beginning of the loop,the top element (φ′, T ′) of tochk is taken out. Then (φ′, T ′) ischecked if it is ∈ 〈S′d〉� by the rule RND1 and RND2, RND3.If it is, then the algorithm returns Yes. Otherwise, (φ′, T ′) ismarked by being put in a set chked. Also new pairs, whichare /∈ chked, are added into tochk by RND4 and a restrictedversion of RND5 (we consider only cases in which f (M) isa subterm of M . See Section 4.7.2 for explanations). Thisprocess is looped until tochk = ∅ and then the algorithmreturns No. The pseudocode of the algorithm is described inAlgorithm 4.

4.6. Algorithm to solve FIR validity problem

This algorithm assumes that the initialization described inSection 4.4 has been done and the signature � = (S,≤S ,

F ,H), the two extended initial sets S′d , S′i and a rewritingsystem R are implicitly available. This algorithm, given a pair(φl , φr ), answers Yes if it can conclude that φl ∼=S′i φr , orNo if it fails. The basic idea of the algorithm is to replacehash instances in both φl , φr by nonces (see Algorithm 5), thensimplify both new frames until we can match them together.

Overall, the algorithm keeps checking and returns Yesimmediately when it can prove, or returns No in the end.Informally speaking, the algorithm contains the followingsteps. Initially, hash instances are removed as many as possible,resulting in two new frames φ′l , φ

′r . Then the algorithm builds

as large as possible a set Sr such that ∀φ ∈ Sr .φ ∼=S′i φ′r . Nextthe algorithm also builds as large as possible a set Sl such that∀φ ∈ Sl .φ ∼=S′i φ′l , but this time, it returns Yes immediately if

Algorithm 4 Solve FNDR validity problem.Input: A frame φ and a term T

Output: Yes if φ � T , No if fail.

function check_fndr(φ, T )

chked ← ∅tochk ← {(φ, T )}repeat

(φ′, T ′)← hd(tochk) � Note: hd(tochk) returns

the top element of tochk

if ∃(φ′′, T ′′) ∈ chked and a renaming τ

such that (φ′, T ′) = τ(φ′′, T ′′) thengo to until � Note: skip this round

if T ′ is a name and T ′ /∈ name(φ′) thenreturn Yes

else if ∃φ1, T1, τ, φ2 : (φ1, T1) ∈ S′dand τ(φ2φ1, T1) = (φ′, T ′)and name(φ2) ∩ name(φ1)

and var(φ2) ⊂ dom(φ1) thenreturn Yes

elsechked ← chked ∪ {(φ′, T ′)}byrnd4← { (φ′′, T ′′) : {φ′′, T ′′} ∈

fir_ext({φ′, T ′}) ∪ et_ext({φ′, T ′}) }byrnd5← { (φ′, Ts) : Ts ∈ st (T ′)

and ∃ f ∈ F . f (T ′) = Ts }tochk ← tl(tochk) ∪ byrnd4 ∪ byrnd5

� Note: tl(tochk) returns tochk without the top

element

until tochk = ∅return No

end function

the currently checked frame is equal to any frame ∈ Sr up torenaming. Finally, the algorithm returns No. The pseudocodeof the algorithm is described in Algorithm 6.

4.7. Soundness, completeness, termination andperformance

4.7.1. SoundnessLemma 4.1 (Soundness of supporting algorithms). Given aninstance of the FIR or FNDR validity problem, the followingstatements hold:

(i) If S← et_ext(φ), then ∀φ′ ∈ S.φ′ =E φ.(ii) If S← fir_ext(φ), then ∀φ′ ∈ S.φ′ ∼=S′i φ.


at Ondokuz M


ovember 2, 2014


Dow

nloaded from



Algorithm 5 Hash removal.Input: A frame φ.Output: A frame φ′.

function hash_rm(φ)for all h(T ) ∈ hash(φ) do � Note: rewrite hash

for all h(T ′) ∈ hash(φ) : T ′ →R T doφ← φ[h(T ′)/h(T )]

if ∃{h1(T1), . . . , hk(Tk)} ⊆ hash(φ) :φ[r1/h1(T1), . . . , rk/hk(Tk)] � Ti ,ri /∈ name(σ ) for every ri ,φ is hash safe w.r.t. (hi , �) for every hi thenφ′ ← φ[r1/h1(T1), . . . , rk/hk(Tk)].

return φ′end function

(iii) If (R, S′d , S′i )← init(), then→+R ⊆=E , �S′d and �Sd

coincide, and ∼=S′i and ∼=Si coincide.

Proof. We now prove each statement.

(i) Let S ← et_ext(φ). We will prove that if φ′ ∈ S, thenφ′ =E φ. According to the algorithm, if φ′ ∈ S, thenφ′ is the same as φ except at one term T ∈ φ andits corresponding term T ′ ∈ φ′ (at the same position)where T →+R T ′. According to the above statement,T =E T ′. It means that φ′ =E φ.

(ii) Let S ← fir_ext(φ). We will prove that if φ′ ∈ S, thenφ′ ∼=S′i φ. According to the algorithm, the temporaryrelation S′ has the following property: ∀(l ′, r ′) ∈S′.l ′ ∼=S′i r ′. Then S is updated with only pairs thatare constructed by the rule RI1 with base pairs in S′. Itmeans that if φ′ ∈ S, then φ′ ∼=S′i φ.

(iii) Let (R, S′d , S′i ) ← init(). First,→+R ⊆=E because Ris the term rewriting system converted from E . Also�S′d and �Sd coincide, and ∼=S′i and ∼=Si coincide,because∼=S′d , �S′i are extended from∼=Sd , �Si using theterm rewriting system R, which has been proved in thefirst statement that→+R ⊆=E .

Proposition 4.1 (Soundness of main algorithms). Given aninstance of the FIR or FNDR validity problem, if the algorithmcheck_fndr(φ, T ) returns Yes, then φ �Sd T and if thealgorithm check_fir(φl , φr ) returns, Yes then φl ∼=Si φr .

Proof. First, we prove the soundness of the algorithmcheck_fndr. Assume that check_fndr(φ, T ) returns Yes. Notethat in check_fndr, the set tochk contains only pairs whosemembership in 〈S′d〉� implies that (φ, T ) ∈ 〈S′d〉�, sincetochk is constructed only by the rules RND4 and RND5. Andthe algorithm returns Yes only at two points, where a pairpicked from tochk is confirmed to be in 〈S′d〉� by the rules

Algorithm 6 Solve FIR validity problem.Input: Two frames φl , φr

Output: Yes if φl , φr , No if fail.

function check_fir(φl , φr )φ′l ← hash_rm(φl); φ′r ← hash_rm(φr )

Sl ← ∅; Sr ← ∅

tochk ← {φr } � Note: start with the right siderepeat

cur ← hd(tochk) � Note: hd(tochk) returnsthe top element of tochk

if ∃cur ′ ∈ Sr and a renaming τ such thatcur = τ(cur ′) then

go to until � Note: skip this round

Sr ← Sr ∪ {cur}Snew ← (fir_ext(cur) ∪ et_ext(cur)) \ Sr

tochk ← tl(tochk) ∪ Snew

� Note: tl(tochk) returns tochk without the topelement

until tochk = ∅

tochk ← {φl} � Note: extend the left to comparerepeat

cur ← hd(tochk) � Note: hd(tochk) returns thetop element of tochk

if �cur ′ ∈ Sl and a renaming τ such thatcur = τ(cur ′) then

go to until � Note: skip this round

if ∃φ′ ∈ Sr and τ : τ(φ′) = cur thenreturn Yes

elseSl ← Sl ∪ {cur}Snew ← (fir_ext(cur) ∪ et_ext(cur))

tochk ← tl(tochk) ∪ Snew

� Note: tl(tochk) returns tochk without the topelement

until tochk = ∅return No

end function

RND1, RND2 and RND3. This means that φ �S′d T . However,according to Lemma 4.1, �S′d and �Sd coincide. Therefore,φ �Sd T .

Secondly, we prove the soundness of the algorithmcheck_fir. Assume that check_fir(φl , φr ) returns Yes. Becausewe have the soundness of check_fir, so φ′l ∼=S′i φl and φ′r ∼=S′iφr . Also it is clear that Sr contains only frames which are ∼=S′iφr . When Sl is constructed, tochk also contains only frameswhich are ∼=S′i φl . And the algorithm returns Yes only whena frame picked from tochk is the same as a frame in Sr upto


at Ondokuz M


ovember 2, 2014


Dow

nloaded from


1530 L. Ngo et al.

renaming. Thus, φl ∼=S′i φr . However, according to Lemma 4.1,∼=S′i and ∼=Si coincide. This means that φl ∼=Si φr .

4.7.2. CompletenessThe algorithm cannot guarantee completeness in general for anumber of reasons. First, we use only the oriented version ofthe equational theory and initial set for FIR; therefore we donot capture exactly the properties of those relations.

Secondly, our algorithms use only a restricted version ofthe rule RND5. More specifically, we want to focus only thecases with f (M) is a subterm of M , because it helps to avoidnon-terminating searches. In fact, it is usually the case inpractical schemes, e.g. concatenation where f is a projectionfunction.

Thirdly, to achieve completeness there may potentially bea non-terminating loop in checking FIR, because of hashes.More specifically, according to FIR and FNDR definitions, themembership of a pair in FNDR may imply the membership ofa pair in FIR and vice versa. Unfortunately, we cannot keepchecking back and forth between these two relations since itmay go forever, therefore our algorithms only check FNDRusing only limited checks of FIR first (non-recursively), andthen check FIR more rigorously (recursively until stop) withoutconsidering FNDR. One can always restrict the relations FIRand FNDR to achieve termination and completeness, but wewant to keep the algorithm as usable and simple as possible,e.g. avoid requiring convergent rewriting systems.

Our algorithms were developed by experience, testingpractical cases and tuning the algorithms. Although we canalways justify our choices in every step of our algorithms, theyare mainly heuristic and we have neither been able to formallyprove the advantages of our choices nor show in what casesthe algorithms provide completeness. We leave those things tofuture work.

4.7.3. TerminationThe assumptions we take for the algorithm in Section 4.2are only to narrow the exploration, avoiding ‘totally useless’frames, but not enough to guarantee the termination of ouralgorithm in general.

However, since we orient the equational theory and theinitial set for FIR and use a brute-force-style algorithm,termination is guaranteed if explored sets are finite. To makesure that this is the case, for any pair in the FIR initial setSi and the generating equation system E , the left side’s depthmust be greater or equal to the right side’s one. Thus, whenwe simplify a frame, the size of the new one is always lessthan or equal to the size of the original. this means that theexploration must terminate eventually. Note that this conditionworks even when our term rewriting system is associative andcommutative, e.g. XOR, because the algorithm maintains a setof explored frames, rather than trying to reach the final frame,

which may not exist.4

Let us define the depth of a closed term T as

(i) depth(T ) = 1 when T is a name, a second-ordervariable and a constant function;

(ii) depth(T ) = 1 + max({depth(T1), . . . , depth(Tk)})when T = f (T1, . . . , Tk), where f is a functionsymbol.

We lift the definition to the depth of a frame f = {T1, . . . , Tk}such that

depth( f ) = max({depth(T1), . . . , depth(Tk)}).

In addition to assumptions in Section 4.2, we requirethe following conditions to guarantee that the algorithmterminates.

(i) For every (l, r) ∈ E , depth(lσ) ≥ depth(rσ) with anysubstitution σ such that dom(σ ) = var(l).

(ii) Let (R, S′d , S′i )← init(). For every pair (φl , φr ) ∈ S′i ,depth(φl) ≥ depth(φr ).

The first condition can be (but not always) checked bymanually or automatically inspecting every rule. The secondone can be checked manually or automatically after theinitialization.

The following lemma states that a set of terms whosesecond-order variables and depths are limited is finite. Thelemma helps to prove the termination of algorithms later.

Lemma 4.2 (Finite sets). Given a signature � = (S,≤S ,

F ,H), a finite set Ssv of second-order variables and a positivenumber d, any set of closed term S such that, for all T ∈ S,

(i) sndvar(T ) ⊆ Ssv and(ii) depth(T ) ≤ d and

(iii) ∀T ′, T ∈ S where T �= T ′, there is no renaming τ suchthat T �= τ(T ′)

is finite.

Proof. First, we prove that the number of names of every termin S must be bound by a fixed number. We will prove it byinduction on the depth d. In the case d = 1, i.e. every term∈ S must be a name or a second-order variable or a constantfunction. In this case, the maximum number of names in everyterm ∈ S is 1.

Now let us assume that the claim holds when d = m ≥ 1.Because it holds in the case d = m, i.e. the number of names in

4It would be simpler if we assumed that the term rewriting system isconvergent, as with such a condition we might just keep rewriting framesuntil the final frame is reached without maintaining the whole set of rewrittenframes. However, we would like to use only assumptions that are morepractical and can be checked quickly by hand.


at Ondokuz M


ovember 2, 2014


Dow

nloaded from



every term whose depth is≤ m is bound by a fixed number. Weonly have to prove that it holds for the subset S1 ⊆ S such thatthe depth of every term ∈ S1 is exactly m + 1. And becauseevery term T ∈ S1 has the depth m + 1 > 1, T must be ofthe form f (T1, . . . , Tk) where f ∈ F . Therefore, the numberof names in T ∈ S1 must be bound by k×, the maximum ofthe number of names in Ti . And because the set F is finite andthe number of names of any Ti , whose depth must be ≤ m isbound, so the number of names of every term ∈ S must bebound by a fixed number. Lets l be that bound.

Secondly, we map every term in S to another term in S2,whose set of names are finite. For every sort s ∈ S, let Ns

be the set of l extended names such that all of those sets ofextended names and the original set of names N are pairwisedisjoint. Now, for every term T ∈ S, we build a renaming τ

by picking name by name. Whenever we pick a name a of sortsa , if τ(a) has been defined, then we skip; otherwise, we picka name b ∈ Nsa where no name has been mapped by τ tob and define τ(a) = b. Because |Nsa | = l, we always haveenough names to build the renaming. The disjointness of thoseextended sets of names guarantees that τ is a valid renaming,i.e. a bijection. Let S2 be the set of renamed terms using thoserenamings. Because of the third condition of the lemma, no twoterms ∈ S can be renamed to the same term ∈ S2. It means thatif S is infinite, then S2 is also infinite.

Finally, we prove that S2 is finite. Note that S2 must satisfythe three conditions of the lemma, because every term ∈ S2 isjust a renamed one from a term ∈ S. The difference betweenS2 and S is just that the set of names that appear in S2 is finite.

Assume that S2 is infinite. It means that there must be aninfinite subset S3 ⊆ S2 such that every term ∈ S3 has exactlythe depth d3 ≤ d. If d3 = 1, then every term ∈ S3 mustbe a name or a second-order variable or a constant function.Since the set of names, the set of second-order variables andthe set of functions symbols are finite, S3 must be finite. Thatis a contradiction. If d3 > 1, then every term ∈ S3 must beof the form f (T1, . . . , Tk), where f ∈ F . Because F is finite,there must be an infinite subset S4 ⊆ S3 such that every term∈ S4 is of the form f4(T1, . . . , Tk), where f4 is a fixed functionsymbol. It also means that there must be an infinite set S5 ofsubterm Ti for some i where the maximum depth of every term∈ S5 is d3 − 1. If we keep going like this, eventually we willhave to prove that there exists an infinite set of terms whosedepth is 1 and every term in that set is constructed from a finiteset of second-order variables and a finite set of names. This isa contradiction.

The next lemma proves the termination of supportingalgorithms. Let

sndvar(R) =⋃

(l→r)∈Rsndvar(l),

i.e. all second-order variables that appear in a term rewriting R.

Lemma 4.3 (Termination of supporting algorithms). Given aninstance of the FIR or FNDR validity problem which satisfiesthe above conditions, the following statements are true:

(i) If S ← et_ext(φ), then depth(φ′) ≤ depth(φ) andsndvar(φ′) ⊆ sndvar(φ) ∪ sndvar(R) for everyφ′ ∈ S and et_ext(φ) terminates.

(ii) If S ← fir_ext(φ), then depth(φ′′) ≤ depth(φ) andsndvar(φ′′) ⊆ sndvar(φ) for every φ′′ ∈ S andfir_ext(φ) terminates.

(iii) If (R, S′d , S′i )← init(), then init() terminates.

Proof. We prove each statement as follows.

(i) According to the first condition above, if T →RT ′, then depth(T ) ≥ depth(T ′). It also meansthat if T →+R T ′, then depth(T ) ≥ depth(T ′).Thus, depth(φ′) ≤ depth(φ). Also, note thatvar(r) ⊆ var(l) for any l → r ∈ R, thussndvar(T ′) ⊆ sndvar(T ) ∪ sndvar(R). Thus,sndvar(φ′) ⊆ sndvar(φ) ∪ sndvar(R). Finally,according to Lemma 4.2, the set S ← et_ext(φ) mustbe finite, i.e. et_ext(φ) terminates.

(ii) fir_ext(φ) terminates because of the following reasons.First, the renaming τ exists because it just containsnames that do not appear in φ. Therefore, the pair l ′, r ′must be computable for every (l, r) ∈ S′i . Secondly,owing to the condition name(l1) ⊆ name(φ) ∪name(l ′), the number of possible l1 is finite. Thirdly,owing to the conditions T φ′ ∈ st (φ) and φ′ = {x1 =T1, . . . , xk = Tk}, the number of possible l2 is finite,too. As a consequence, for every (l, r) ∈ S′i , the set S′is finite. Finally, owing to the condition φ = φ′l ′′, theset S is finite.

Moreover, depth(l1) = depth(l), depth(l2) ≥depth(l1) and depth(r) = depth(τ ′(r ′)). Andaccording to the second condition for termination,depth(l) ≥ depth(r); therefore, for every (l2, r2) ∈ S′we have depth(l2) ≥ depth(r2). This means thatdepth(φ′′) ≤ depth(φ) for every φ′′ ∈ S. Andaccording to our assumptions, for every (l, r) ∈ Si ,sndvar(r) = ∅ and in the algorithm init(), when Si

is extended to S′i , there is no second-order variableintroduced into the right-hand side of any pair in S′i .This means that sndvar(φ′′) ⊆ sndvar(φ) for everyφ′′ ∈ S.

(iii) To show that init() terminates, first we show thatthe first repeat/until loop terminates, i.e. eventuallyStemp ⊆ S′i . For all (l, r) in the initial S′i (whichis actually Si ), let dl and dr be the maximum ofdepth(l) and depth(r), respectively. Note that, forevery new (l ′, r) added into S′i , there exists a (l, r) ∈ S′isuch that l ′ ∈ et_ext(l). Thus, depth(l) ≤ dl anddepth(r) ≤ dr . And since r is not modified, it followsthat sndvar(r) is still ∅. According to Lemma 4.2, S′


at Ondokuz M


ovember 2, 2014


Dow

nloaded from


1532 L. Ngo et al.

is finite. Therefore, eventually Stemp ⊆ S′i . Similarly,the second repeat/until loop also terminates.

Proposition 4.2 (Termination). Given an instance of the FIRor FNDR validity problem which satisfies the above conditions,the algorithms check_fndr(φ, T ) and check_fir(φl , φr ) termi-nate.

Proof. First, we prove the termination of check_fndr(φ, T ).If the algorithm returns Yes, then, of course, the algorithmterminates. Otherwise, we now prove that the set chked isfinite. The finiteness of chked means that eventually there isno other element that can be added into chked, i.e. tochk = ∅and the algorithm will return No.

We now prove that chked satisfies the conditions ofLemma 4.2. The third condition is met because a new elementis only added into chked iff there is no other element inchked that is equal upto renaming to the new one (the firstif). Since every element added into chked is actually fromtochk, it is enough to prove that tochk satisfies the first twoconditions of Lemma 4.2. Note that tochk is expanded only bythe command tochk ← tl(tochk)∪fir_ext(cur)∪et_ext(cur)∪byrnd5 where the frame cur is already in tochk. Therefore,tochk satisfies the first two conditions because tochk initiallysatisfies and every time it is expanded, each set fir_ext(cur),et_ext(cur) and byrnd5 also satisfies the conditions.

Finally, check_fir(φl , φr ) also terminates because of thesame reason. Note that in check_fir(φl , φr ), we actually runhash_rm(φ) in the beginning but hash_rm(φ) does terminatebecause the set of hash instances in any frame is finite andcheck_fndr(φ, T ) has been proved to terminate.

4.7.4. PerformanceWe would like to mention two technical points regarding theperformance of the algorithm.

(i) In order to check the formal indistinguishabilitybetween two frames, we allow our algorithm to searchframes simplified from those two frames as many aspossible. The disadvantage of this technique is thatit may consume much time and computer resource.That is why traditionally rewriting systems are oftenassumed to be convergent. However, we do not haveconvergent rewriting systems in many cryptographicapplications, since commutative functions are popular,e.g. XOR. In addition, extra assumptions on themodel bring inconvenience to cryptographers who maybenefit from the tool. Moreover, today computers arebecoming more and more powerful and can handlewell cryptographic schemes which are often relativelysmall, i.e. few parties with few messages between (seeSection 5).

(ii) For checking both FNDR and FIR, we keep checkingwhile exploring and as soon as a proof is found, we

stop. Thus, we may not have to explore all possiblecases and the tool can terminate very quickly with aproof (see Section 5).

5. EXPERIMENTAL RESULT AND LIMITS

5.1. Implementation

We have implemented the algorithm in OCaml with about 2500lines of code. We allow users to define a signature and a pairof frames to check FIR or a frame and a term to check FNDR.The output will be presented in a LATEX file and then compiledto a PDF file. The implementation has been tested with somecryptographic systems in a Core 2 Duo 2 × 2.4 GHz and4 GB RAM machine. The source code with some tested casesis available to download at http://ngothanglong.com/resource/frp.zip.

5.2. Experimentation

For the experiment, we choose schemes of different typesand based on different assumptions. For encryption schemes,we check the indistinguishability between the encryptionsof two messages given by the adversary (modeled as twosecond-order variables). For key exchanges, we check theindistinguishability between transcripts of real and randomkeys. Our tool can prove the IND-CPA security of encryptionschemes which have been proved automatically by Courantet al. [7], such as the Bellare–Rogaway [11] or Pointchevalschemes [21]. Also, we demonstrate how to prove passivesecurity of some Diffie–Hellman-based key exchanges, whichare the most common class of key exchange protocols,although proofs for key exchange protocols based on otherhard assumptions are also possible. Diffie–Helman-based keyexchange protocols have not been treated by generic tools likeCryptoVerif.

There are two special cases where we demonstrate theusefulness of our modification for the FIR and FNDRformalism. The first case is the Fujisaki and Okamotoencryption [22], where the second encryption scheme’ssecurity is guaranteed by the first encryption scheme’s security.The rule RI 4 allows us to put a pair that contains second-ordervariables into Si ; thus we can define the security of the firstusing Si . The second case is NAXOS key exchange [17], wherethe same hash function is used twice in one transcript. Our ruleRH allows us to cope with this case well. The result of ourtests on some cryptographic schemes is shown in Table 2.

One may note the significant difference between the timespent for HMQV [19] and the rest of key exchanges. Thereason is that the computation in HMQV is more complicatedthan the rest, resulting in a higher depth of terms. Thus, the tooltook much more time to transform terms in HMQV’s transcriptusing the related equational theory in order to simplify thetranscript. In addition, the time spent for a scheme also depends


at Ondokuz M


ovember 2, 2014


Dow

nloaded from

http://ngothanglong.com/resource/frp.zip

http://ngothanglong.com/resource/frp.zip



TABLE 2. Schemes tested.

Type Scheme Security Assumption Time

Encryption Bellare–Rogaway [11] IND-CPA TOF, ROM 0.02 sPointcheval [21] IND-CPA PTOF, ROM 0.02 sHash Elgamal [23] IND-CPA CDH, ROM 0.02 sPaillier [24] IND-CPA DCR 0.02 sFujisaki and Okamoto [22] IND-CPA Another IND-CPA scheme 0.02 sOAEP [25] fail to prove IND-CPA

Key exchange Diffie Hellman [18] Multisession, Passive DDH 0.02 sNAXOS [17] Multisession, Passive CDH, ROM 0.04 sHMQV [19] Multisession, Passive DDH, ROM 1 min 29 sEC Diffie Hellman Multisession, Passive ECDDH 0.01 sJoux Tripartite [26] Multisession, Passive CBDH 0.02 s

Identification Schnorr[27] fail to prove WH or WI

IND-CPA, indistinguishability under chosen plaintext attacks; DCR, decisional composite residuosity; ROM, random oracle model; DDH,decisional Diffie–Hellman; TOF, trapdoor one-way permutation; ECDDH, elliptic curve decisional Diffie–Hellman; PTOF, partially trapdoorone-way permutation; CBDH, computational bilinear Diffie–Hellman; CDH, computational Diffie–Hellman; WH, witness hiding; WI, witnessindistinguishability.

on how simply we can specify the scheme. For example, theNAXOS [17] key exchange transcript contains a concatenationof five elements. If we model it by a concatenation functionwith five arguments instead of a binary concatenation, we usethe function only once instead of five times in the case of binaryconcatenation. This means that the depth of terms is reducedsignificantly, resulting in significantly less time spent.

Example of automated proof. We show here the automatedproof produced by our tool for the Bellare–Rogawayencryption scheme modeled in Examples 2, 4, 6 and 8.

The specification of the security problem is put in a filenamed BREnc.frp exactly as follows. In the specification,we define sorts, functions and so on. Finally, the commandcheck phi1 ∼ phi2 is used to ask the tool to check theindistinguishability between two frames phi1 and phi2.

sortNonce(), HashH(), PlainText(), SecKey(), PubKey(),Pair()

(*We write SortA(SortB, SortC,...) to denote SortA ≥SortB and so on*)

(*Next is the set of functions and their arities*)functionconcat(PlainText, Nonce)→ Pair,xor(PlainText, PlainText)→ PlainText,pi1(Pair)→ PlainText,pi2(Pair)→ Nonce,f(Nonce, PubKey)→ Nonce,

pub(SecKey)→ PubKey

(*Next is the set of hashes*)hashh(Pair)→ HashH,g(Nonce)→ PlainText

(*Next is the set of second-order variables and theiroutput sorts*)sndvarp(PubKey)→ PlainText,pXor()→ PlainText

(*Next is the set of names and their sorts*)namek: SecKey,r: Nonce,m: PlainText

(*Next is the set of normal variables*)fstvarx: PlainText,y: PlainText,z: PlainText,vr: Nonce

(*Next is the equational theory*)equationEXOR1: xor(x, y) = xor(y, x),


at Ondokuz M


ovember 2, 2014


Dow

nloaded from


1534 L. Ngo et al.

EXOR2: xor(x, xor(y, z)) = xor(xor(x, y), z),ECCT1: pi1(concat(x, vr)) = x,ECCT2: pi2(concat(x, vr)) = vr

(*Next is the set Si *)DHA XOR: xor( pXor(), m ) ∼ m

(*Next is the set of Sd*)CHA TOF:pub(k), f(r, pub(k)) � r

(*Next are two frames phi1 and phi2*)frame phi1 = {pub(k), f(r, pub(k)), xor(g(r), p(pub(k))),h(concat(p(pub(k)), r))}

frame phi2 = {pub(k), f(r, pub(k)), xor(g(r), m),h(concat(m, r))}

(*Next is the command to check the formal indistin-guishability between phi1 and phi2*)check phi1 ∼ phi2

The following command is then executed to check thespecification of the scheme

. / f r p . o p t BREnc . f r p

The proof produced in a form of a pdf file contains thetrack of the reasoning process, which has been described inSection 4. If a proof is not found, then nothing is shown inthe final step; otherwise the full track of the reasoning processis presented. Next, the content of the proof that has beensplit into several parts in boxes with explanations for betterunderstanding.

The next box shows the first part of the proof, where theproblem to be proved is restated (see Example 8 for theproblem written in more readable notations).

Main problem to prove:{pub(k), f(r, pub(k)), xor(g(r ), p(pub(k))),h(concat(p(pub(k)), r ))}∼={pub(k), f(r, pub(k)), xor(g(r ), m), h(concat(m, r ))}

The next box shows S′i and S′d as the result of the extensionof Si and Sd (see Section 4.4). One more pair is added intoSi owing to the equation EXOR1 in the equation theory (seeExample 4). Now S′i contains

{pXor()⊕ m} ∼= {m},{m⊕ pXor()} ∼= {m}.

The set Sd remains unchanged, i.e. it contains

{pub(k), f (r, pub(k))} � r.

Step 1 Extending the initial FIR and FNDR set usingthe equational theory.

Extended FIR:

XOR: {xor(m, pXor())} ∼= {m}XOR: {xor(pXor(), m)} ∼= {m}

Extended FNDR:

TOF: {pub(k), f(r, pub(k))} � r

The next box shows the first step to replace hashes bynonces. In this step, the tool checks if the inputs of the instancesof the hash are =E (see Section 4.6 and the first part ofAlgorithm 5). However, in this case each hash has only oneinstance and so the problem remains unchanged.

Step 2. Inputs of the same hash are made the same ifthey are equal. New problem to prove:{pub(k), f(r, pub(k)), xor(g(r ), p(pub(k))),h(concat(p(pub(k)), r ))}∼={pub(k), f(r, pub(k)), xor(g(r ), m), h(concat(m, r ))}

In the next two steps, the tool processes the left-handside and the right-hand side separately. In each side, first itchecks the condition hash safe for every hash symbol (see thediscussion about hash safe, the rule RH in Section 3.4 andAlgorithm 5). For a hash satisfying that condition, it tries toprove that the inputs of the hash’s instances are unpredictable.If the tool proves successfully, then we can replace each of thathash’s instances by a nonce.

Step 3, left-hand side. In the left-hand side, provinginputs of the same hash are different:Hashes from the following functions are OK to try beingreplaced by nonces: g,h

Left-hand side after replacing hashes by nonces: {pub(k),f(r, pub(k)), xor(r1, p(pub(k))), r2}

Proofs:{pub(k), f(r, pub(k))} � r (TOF)⇒ {pub(k), f(r, pub(k)), r1, r2} � r (RND3)⇒ {pub(k), f(r, pub(k)), r1, r2} �concat(p(pub(k)), r ) (RND5)⇒ {pub(k), f(r, pub(k)), xor(r1, p(pub(k))), r2}� concat(p(pub(k)), r ) (XOR)


at Ondokuz M


ovember 2, 2014


Dow

nloaded from



(* The above proves {pub(k), f (r, pub(k)), r1 ⊕p(pub(k)), r2} � p(pub(k))‖r *)

{pub(k), f(r, pub(k))} � r (TOF)⇒ {pub(k), f(r, pub(k)), xor(r1, p(pub(k))), r2} � r(RND3)

(* The above proves {pub(k), f (r, pub(k)), r1 ⊕p(pub(k)), r2} � r *)

The right-hand side is now processed similarly.

Step 3, right-hand side. In the right-hand side, provinginputs of the same hash are different:Hashes from the following functions are OK to try beingreplaced by nonces: g,h

Right-hand side after replacing hashes by nonces:{pub(k), f(r, pub(k)), xor(r1, m), r2}Proofs:{pub(k), f(r, pub(k))} � r (TOF)⇒ {pub(k), f(r, pub(k)), r1, r2} � r (RND3)⇒ {pub(k), f(r, pub(k)), r1, r2} � concat(m, r )(RND5)⇒ {pub(k), f(r, pub(k)), xor(r1, m), r2}� concat(m, r ) (XOR)

{pub(k), f(r, pub(k))} � r (TOF)⇒ {pub(k), f(r, pub(k)), xor(r1, m), r2} � r (RND3)

Before the final step, the problem to prove has become asfollows. Note that all hash instances have been replaced.

{pub(k), f (r, pub(k)), r1 ⊕ p(pub(k)), r2}∼={pub(k), f (r, pub(k)), r1 ⊕ m, r2}.

In the final step, the tool simplifies the left and right framesand checks if simplified frames from both sides can match byrenaming. The changed parts are framed in colors to make themeasy to spot.

Final step: Prove FIR after removing hashes. The sim-plification of the left-hand side is as follows.

{pub(k), f(r, pub(k)), xor(r1, p(pub(k))) , r2}(Given)

∼= {pub(k), f(r, pub(k)) , r1 , r2} (XOR)∼= {pub(k), f(r, pub(k)), r1, r2} (Renaming)

where in the right-hand side:{pub(k), f(r, pub(k)), xor(r1, m) , r2} (Given)∼= {pub(k), f(r, pub(k)), r1 , r2} (XOR)

5.3. Limitations

Our algorithm still has some limitations. One problem is tocope with OAEP encryption [25], which exploits the factthat if we cannot compute a‖b, then we cannot compute aor b. The current framework of FIR and FNDR does notallow us to deal with this case. This would be fixed byadding some logical operators into their definitions, but itmight make the formalism more complicated and impossibleto automate. Another problem is our algorithm cannot verifywitness indistinguishability. The main reason for this isthat for two frames which are witness-indistinguishable wecannot simplify them with current rules, e.g. Schnorr [27] orOkamoto’s identification scheme [28]. However, our algorithmis based on the idea of simplifying both sides to meetin the middle. One solution for this problem is to allowthe algorithm to reason backward for a limited number ofsteps. We have not been aware of any fully automated proofby a computationally sound prover for OAEP or witnessindistinguishability.

One limit of the algorithm is that it may take muchtime for proving too complicated schemes, whose transcriptscould be large, because the algorithm is based on ‘brute-force’ techniques. However, in return we do not requireany special properties from the equational theory, FIR andFNDR.

6. SUMMARY

We have presented a method for computationally soundautomated proofs of indistinguishability. The work is achievedby tailoring a formal framework for manual proof ofindistinguishability. We also have implemented our algorithmand tested it on some practical schemes.

This is the first computationally sound tool that is fullyautomated and uses a generic specification language, which canbe applied to different classes of cryptographic schemes.

ACKNOWLEDGEMENTS

We would like to thank Yassine Lakhnech, David Basin andanonymous reviewers for their continual useful advice on thiswork. This work would not been possible without their help.


at Ondokuz M


ovember 2, 2014


Dow

nloaded from


1536 L. Ngo et al.

REFERENCES

[1] Lowe, G. (1996) Breaking and fixing the Needham–Schroederpublic-key protocol using fdr. Softw. - Concepts Tools, 17,93–102.

[2] Blanchet, B. (2004) Automatic Proof of Strong Secrecy forSecurity Protocols. IEEE Symposium on Security and Privacy,Berkeley, CA, USA, May 9–12, pp. 86–100. IEEE ComputerSociety.

[3] Baudet, M., Cortier, V. and Delaune, S. (2009) Yapa: AGeneric Tool for Computing Intruder Knowledge. In Treinen,R. (ed.), RTA, Brasília, Brazil, June 29–July 1, Lecture Notes inComputer Science 5595, pp. 148–163. Springer.

[4] Laud, P. (2003) Handling Encryption in an Analysis for SecureInformation Flow. In Degano, P. (ed.), ESOP, Warsaw, Poland,April 7–11, Lecture Notes in Computer Science 2618, pp. 159–173. Springer.

[5] Laud, P. (2004) Symmetric Encryption in Automatic Analysesfor Confidentiality Against Active Adversaries. IEEE Sympo-sium on Security and Privacy, Berkeley, CA, USA, May 9–12,pp. 71–85. IEEE Computer Society.

[6] Laud, P. (2005) Secrecy Types for a Simulatable CryptographicLibrary. In Atluri, V., Meadows, C. and Juels, A. (eds),ACM Conference on Computer and Communications Security,Alexandria, VA, USA, November 7–11, pp. 26–35. ACM.

[7] Courant, J., Daubignard, M., Ene, C., Lafourcade, P. andLakhnech, Y. (2008) Towards Automated Proofs for Asym-metric Encryption Schemes in the Random Oracle Model. InNing, P., Syverson, P.F. and Jha, S. (eds), ACM Conference onComputer and Communications Security, Alexandria, VA, USA,October 27–31, pp. 371–380. ACM.

[8] Ngo, L., Boyd, C. and Nieto, J.G. (2011) Automated Proofs forDiffie–Hellman-Based Key Exchanges. CSF, Cernay-la-Ville,France, June 27–29, pp. 51–65. IEEE Computer Society.

[9] Blanchet, B. (2008) A computationally sound mechanizedprover for security protocols. IEEE Trans. Dependable Secur.Comput., 5, 193–207.

[10] Katz, J. and Yung, M. (2007) Scalable protocols for authenti-cated group key exchange. J. Cryptol., 20, 85–113.

[11] Bellare, M. and Rogaway, P. (1993) Random Oracles arePractical: A Paradigm for Designing Efficient Protocols. InDenning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S. and Ashby,V. (eds), ACM Conference on Computer and CommunicationsSecurity, Fairfax, VA, USA, November 3–5, pp. 62–73.ACM.

[12] Gagné, M., Lafourcade, P., Lakhnech, Y. and Safavi-Naini, R.(2009) Automated Security Proof for Symmetric EncryptionModes. In Datta, A. (ed.), ASIAN, Seoul, Korea, December14–16, Lecture Notes in Computer Science 5913, pp. 39–53.Springer.

[13] Bellare, M. and Rogaway, P. (1993) Entity Authenticationand Key Distribution. In Stinson, D.R. (ed.), CRYPTO, SantaBarbara, CA, USA, August 22–26, Lecture Notes in ComputerScience 773, pp. 232–249. Springer.

[14] Abadi, M. and Gordon, A.D. (1998) A Bisimulation Methodfor Cryptographic Protocols. In Hankin, C. (ed.), ESOP, Lisbon,Portugal, March 28–April 4, Lecture Notes in Computer Science1381, pp. 12–26. Springer.

[15] Bana, G., Mohassel, P. and Stegers, T. (2006) ComputationalSoundness of Formal Indistinguishability and Static Equiva-lence. In Okada, M. and Satoh, I. (eds), ASIAN, Tokyo, Japan,December 6–8, Lecture Notes in Computer Science 4435,pp. 182–196. Springer.

[16] Ene, C., Lakhnech, Y. and Ngo, V.C. (2009) Formal Indistin-guishability Extended to the Random Oracle Model. In Backes,M. and Ning, P. (eds), ESORICS, Saint-Malo, France, September21–23, Lecture Notes in Computer Science 5789, pp. 555–570.Springer.

[17] LaMacchia, B.A., Lauter, K. and Mityagin, A. (2007) StrongerSecurity of Authenticated Key Exchange. In Susilo, W., Liu, J.K.and Mu, Y. (eds), ProvSec, Wollongong, Australia, November1–2, Lecture Notes in Computer Science 4784, pp. 1–16.Springer.

[18] Diffie, W. and Hellman, M.E. (1976) New directions incryptography. IEEE Trans. Inf. Theory, 22, 644–654.

[19] Krawczyk, H. (2005) HMQV: A High-Performance SecureDiffie–Hellman Protocol. In Shoup, V. (ed.), CRYPTO, SantaBarbara, CA, USA, August 14–18, Lecture Notes in ComputerScience 3621, pp. 546–566. Springer.

[20] Abadi, M. and Fournet, C. (2001) Mobile Values, New Names,and Secure Communication. In Hankin, C. and Schmidt, D.(eds), POPL, London, UK, January 17–19, pp. 104–115.ACM.

[21] Pointcheval, D. (2000) Chosen-Ciphertext Security for AnyOne-Way Cryptosystem. In Imai, H. and Zheng, Y. (eds), PublicKey Cryptography, Melbourne, VIC, Australia, January 18–20, Lecture Notes in Computer Science 1751, pp. 129–146.Springer.

[22] Fujisaki, E. and Okamoto, T. (1999) How to Enhance theSecurity of Public-Key Encryption at Minimum Cost. In Imai,H. and Zheng, Y. (eds), Public Key Cryptography, Kamakura,Japan, March 1–3, Lecture Notes in Computer Science 1560,pp. 53–68. Springer.

[23] Shoup, V. (2004) Sequences of Games: A Tool for TamingComplexity in Security Proofs. IACR Cryptology ePrintArchive, Report 2004/332.

[24] Paillier, P. (1999) Public-Key Cryptosystems Based on Compos-ite Degree Residuosity Classes. In Stern, J. (ed.), EUROCRYPT,Prague, Czech Republic, May 2–6, Lecture Notes in ComputerScience 1592, pp. 223–238. Springer.

[25] Bellare, M. and Rogaway, P. (1994) Optimal AsymmetricEncryption. In Santis, A.D. (ed.), EUROCRYPT, Perugia, Italy,May 9–12, Lecture Notes in Computer Science 950, pp. 92–111.Springer.

[26] Joux, A. (2004) A one round protocol for tripartite Diffie–Hellman. J. Cryptol., 17, 263–276.

[27] Schnorr, C.-P. (1989) Efficient Identification and Signatures forSmart Cards. In Brassard, G. (ed.), CRYPTO, Santa Barbara, CA,USA, August 20–24, Lecture Notes in Computer Science 435,pp. 239–252. Springer.

[28] Okamoto, T. (1992) Provably Secure and Practical IdentificationSchemes and Corresponding Signature Schemes. In Brickell,E.F. (ed.), CRYPTO, Santa Barbara, CA, USA, August16–20, Lecture Notes in Computer Science 740, pp. 31–53.Springer.


at Ondokuz M


ovember 2, 2014


Dow

nloaded from


Documents

Automated Proofs for Computational Indistinguishability