Logical Analysis and Verification of Cryptographic Protocols - Loria
7.5. CASE STUDIES 191

re-encryption.

$\mathrm{dec}(\mathrm{penc}(x, y, \mathrm{pk}(z)), z) = x$

$\mathrm{renc}(\mathrm{penc}(x, y, z), w) = \mathrm{penc}(x, f(y, w), z)$

The ElGamal encryption scheme exhibits the feature expressed by the equation

$\mathrm{dec}(\mathrm{penc}(x, y, \mathrm{pk}(z)), \mathrm{commit}(\mathrm{penc}(x, y, \mathrm{pk}(z)), z)) = x$

which is used by the protocol. We also add functions dvp and checkdvp to model designated verifier proofs of the fact that a message is a re-encryption of another one; we adopt the equations

$\mathrm{checkdvp}(\mathrm{dvp}(x, \mathrm{renc}(x, y), y, \mathrm{pk}(z)), x, \mathrm{renc}(x, y), \mathrm{pk}(z)) = \mathrm{true}$

$\mathrm{checkdvp}(\mathrm{dvp}(x, y, z, w), x, y, \mathrm{pk}(w)) = \mathrm{true}$

The second equation models the fact that checkdvp also succeeds for a fake proof constructed using the designated verifier's private key. By a slight abuse of notation we also interpret $\mathrm{checkdvp}(t_1, t_2, t_3, t_4)$ as a predicate which evaluates to true whenever $\mathrm{checkdvp}(t_1, t_2, t_3, t_4) =_E \mathrm{true}$.
We adopt the formalism for signature proofs of knowledge due to Backes et al. [25]. A signature proof of knowledge is a term $\mathrm{SPK}_{i,j}(\tilde{M}, \tilde{N}, F)$ where $\tilde{M} = (M_1, \ldots, M_i)$ denotes the witness (or private component), $\tilde{N} = (N_1, \ldots, N_j)$ defines the public parameters and $F$ is a formula over those terms. More precisely, $F$ is a term without names or variables, but it includes distinguished constants $\alpha_k, \beta_l$ where $k, l \in \mathbb{N}$. The constants $\alpha_k, \beta_l$ in $F$ denote placeholders for the terms $M_k \in \tilde{M}$, $N_l \in \tilde{N}$ used within a signature of knowledge $\mathrm{SPK}_{i,j}(\tilde{M}, \tilde{N}, F)$. For example, the signature proof of knowledge used by the Lee et al. voting protocol [141] demonstrates possession of a secret key $sk_T$ such that $\mathrm{pk}(sk_T) = pk_T$ and $d = \mathrm{commit}(b', sk_T)$, i.e. the proof shows that the public key $pk_T$ is correctly formed and that $d$ is a decryption key for the voter's ballot $b'$. This can be captured as $\mathrm{SPK}_{1,3}((sk_T), (pk_T, \mathrm{commit}(b', sk_T), b'), F_L)$ where $F_L = \mathrm{eq}(\beta_1, \mathrm{pk}(\alpha_1)) \wedge \mathrm{eq}(\beta_2, \mathrm{commit}(\beta_3, \alpha_1))$. A term $\mathrm{SPK}_{i,j}(\tilde{M}, \tilde{N}, F)$ represents a valid signature if the term obtained by substituting $M_k, N_l$ for the corresponding $\alpha_k, \beta_l$ evaluates to true. Verification of such a statement is modelled by the function $\mathrm{Ver}_{i,j}$. The equational theory includes the following equations, defined over all tuples $\tilde{x} = (x_1, \ldots, x_i)$, $\tilde{y} = (y_1, \ldots, y_j)$ and formulas $F \in \mathcal{T}_{\Sigma \cup \{\alpha_k, \beta_l \mid k \le i,\ l \le j\}}$ without names or variables:

$\mathrm{Public}_p(\mathrm{SPK}_{i,j}(\tilde{x}, \tilde{y}, F)) = \mathrm{nth}^{j}_{p}(\tilde{y})$ where $p \in [i, j]$

$\mathrm{Formula}(\mathrm{SPK}_{i,j}(\tilde{x}, \tilde{y}, F)) = F$

We also make use of the predicate $\mathrm{Ver}_{i,j}$, defined as $\mathrm{Ver}_{i,j}(F, \mathrm{SPK}_{i,j}(\tilde{M}, \tilde{N}, F'))$ if and only if $F =_E F'$ and $F\{M_1/\alpha_1, \ldots, M_i/\alpha_i, N_1/\beta_1, \ldots, N_j/\beta_j\}$ holds, where $i = |\tilde{M}|$, $j = |\tilde{N}|$ and $F, F' \in \mathcal{T}_{\Sigma \cup \{\alpha_k, \beta_l \mid k \le i,\ l \le j\}}$ without names or variables.
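The equational theory on this page and the $\mathrm{Ver}_{1,3}$ check for the Lee et al. proof, as an added worked example (Python written for this page, not the thesis's own code or tooling): the equations are oriented into rewrite rules, $=_E$ is decided by comparing normal forms, and checkdvp and Ver are evaluated as predicates modulo the theory, as the text prescribes. The term encoding, the function names and the constructed ballot terms (B, B2, D, the key names) are my assumptions.

```python
# Added example (my own code, not from the thesis). Names/constants are str, f(t1,..,tn) is
# ('f', t1,..,tn), pattern variables start with '?', placeholders alpha_k/beta_l are 'alpha1', 'beta1', ...

def match(pat, term, s):  # one-way matching, extends substitution s; returns bool
    if isinstance(pat, str):
        return s.setdefault(pat, term) == term if pat.startswith('?') else pat == term
    return (isinstance(term, tuple) and len(pat) == len(term) and pat[0] == term[0]
            and all(match(p, t, s) for p, t in zip(pat[1:], term[1:])))
def subst(t, s):
    return s.get(t, t) if isinstance(t, str) else (t[0],) + tuple(subst(a, s) for a in t[1:])
PENC = ('penc', '?x', '?y', ('pk', '?z'))
RULES = [  # the page's equations, oriented left to right
    (('dec', PENC, '?z'), '?x'),                    # dec(penc(x,y,pk(z)), z) = x
    (('dec', PENC, ('commit', PENC, '?z')), '?x'),  # ElGamal: commit(c, z) also decrypts c
    (('renc', ('penc', '?x', '?y', '?z'), '?w'), ('penc', '?x', ('f', '?y', '?w'), '?z')),
]

def nf(t):  # normal form: rewrite subterms first, then the root, until no rule applies
    if isinstance(t, str):
        return t
    t = (t[0],) + tuple(nf(a) for a in t[1:])
    for lhs, rhs in RULES:
        s = {}
        if match(lhs, t, s):
            return nf(subst(rhs, s))
    return t
def eq(a, b): return nf(a) == nf(b)  # a =_E b
def checkdvp(proof, m1, m2, pkv):  # the predicate checkdvp(proof, m1, m2, pkv) =_E true
    if not (isinstance(proof, tuple) and proof[0] == 'dvp' and len(proof) == 5):
        return False
    _, x, y, z, w = proof
    genuine = eq(x, m1) and eq(y, m2) and eq(y, ('renc', x, z)) and eq(w, pkv)
    fake = eq(x, m1) and eq(y, m2) and eq(('pk', w), pkv)  # built with the verifier's private key w
    return genuine or fake
def holds(F):  # formulas are ('eq', t1, t2) or ('and', F1, ..., Fn)
    return eq(F[1], F[2]) if F[0] == 'eq' else all(holds(g) for g in F[1:])
def ver(F, spk):  # Ver_{i,j}(F, SPK_{i,j}(M, N, F')): F =_E F' and F{M_k/alpha_k, N_l/beta_l} holds
    _, M, N, Fp = spk
    s = {f'alpha{k}': m for k, m in enumerate(M, 1)}
    s.update({f'beta{l}': n for l, n in enumerate(N, 1)})
    return eq(F, Fp) and holds(subst(F, s))

# Constructed terms for the Lee et al. proof: ballot B, its re-encryption B2, D = commit(B2, skT)
PK_T = ('pk', 'skT')
B = ('penc', 'v', 'r', PK_T)
B2 = ('renc', B, 'r2')
D = ('commit', B2, 'skT')
F_L = ('and', ('eq', 'beta1', ('pk', 'alpha1')), ('eq', 'beta2', ('commit', 'beta3', 'alpha1')))
SPK_T = ('spk', ('skT',), (PK_T, D, B2), F_L)  # SPK_{1,3}((skT), (pkT, d, b'), F_L)
```

Running `checkdvp` on a proof forged with the designated verifier's own private key shows why a coercer given such a proof learns nothing: the fake proof verifies exactly like a genuine one.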