Security and Privacy Column

Abstract

Cryptographic protocols are really hard to design: they mix difficulties stemming from distributed systems, rely on cryptographic primitives and need to provide complex guarantees in the presence of an arbitrary attacker running in parallel. Rigorous security proofs are basically the only hope to avoid design flaws as witnessed by numerous examples. This has been recognized since the early 80's and two main approaches have been actively developed since. The computational model is rooted in complexity theory and relies on a reduction of the security of the protocol to a security assumption of a cryptographic primitive which itself may rely on the hardness of a computational problem. Attackers are any probabilistic polynomial time Turing Machines (PPTMs). A security proof in this model provides strong guarantees. However, getting proofs in such a detailed model correct is challenging. The symbolic model takes a different approach: messages are modeled as first-order logic terms and cryptographic primitives such as encryption schemes are idealized. Typically, only the intended functionality of an encryption is modeled by an equation such as dec(enc(m,k),k) = m to state that decryption and encryption cancel out when the same key k is used. Crucially, only the properties that are explicitly stated hold and the adversary actions are restricted to those. At the cost of being more abstract this approach is amenable to automation and tools nowadays succeed in proving industrial protocols, such as TLS or Signal.