By Topic

Symbolic Analysis of Cryptographic Protocols Containing Bilinear Pairings

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

The purchase and pricing options are temporarily unavailable. Please try again later.
2 Author(s)
Alisa Pankova ; Inst. of Comput. Sci., Univ. of Tartu, Tartu, Estonia ; Peeter Laud

Bilinear pairings are powerful mathematical structures that can be used in cryptography. Their equational properties allow constructing cryptographic primitives and protocols that would be otherwise ineffective or even impossible. In formal cryptography, the protocols are expressed through term algebras and process calculi. ProVerif, one of the most successful protocol analyzers, internally converts them to Horn theories for the analysis. This approach cannot easily deal with complex equational theories. In this paper, we propose an equational theory that models bilinear pairings in formal cryptography. We also propose a reduction from the derivation problem for Horn theories modulo this equational theory to (almost) purely syntactical derivation problem for Horn theories. This derivation problem can be readily tackled by ProVerif. We have implemented our analysis and have demonstrated that it is able to handle several secure and insecure protocols based on bilinear pairings. Our approach mostly follows Kusters's and Truderung's handling of Diffie-Hellman exponentiation. The greater complexity of the theory for bilinear pairings introduces several complications, the arithmetic properties of exponentiation play a much bigger role in our reduction. Still, our approach has the same kind of generality as theirs. Similarly to their approach, we do not treat the group operations as (independent) term constructors. But we show that access to those operations will not increase the power of the adversary.

Published in:

2012 IEEE 25th Computer Security Foundations Symposium

Date of Conference:

25-27 June 2012