Bulletin of the Japan Society for Industrial and Applied Mathematics Volume 17, Issue 4

Verification of Information Security by Formal Methods(<Special Topics> Formal Approach to Information Security)

There are two approaches to verifying cryptographic protocols. One is the traditional computational approach in which an adversary is formulated as a polynomial-time probabilistic Turing machine and success probability of attack is estimated with respect to computational complexity. The other is the symbolic approach which applies formal methods such as automated theorem proving and model checking to formalize and verify cryptographic protocols. Recently, substantial effort is being made to merge the two approaches to enjoy the advantages of both. Such effort can be classified into direct and indirect methods. In the former, traditional computational arguments are formalized using appropriate frameworks from formal methods. In the latter, symbolic arguments, which usually rely on the Dolev-Yao assumption, are given probabilistic interpretation and justified computationally. The latter methods are applied to protocols in a level above cryptographic schemes, while the former are usually applied to verify cryptographic schemes or more basic cryptographic assumptions.

Formal Verification of Cryptographic Protocols in Spi-Calculus(<Special Topics> Formal Approach to Information Security)

This survey presents Abadi and Gordon's spi-calculus, which is a "process calculus" (i.e., a formal language of concurrent computation) for the verification of "cryptographic protocols" (i.e., procedures for secure communication in computer networks). First, we present process calculi before the spi-calculus (CCS and the pi-calculus), introducing the notion of reaction relation and structural congruence. We then define the spi-calculus and show an example of cryptographic ptotocols, represented as a class of spi-calculus processes. After discussing the formalization of security properties (secrecy and authenticity) and multiple sessions, we conclude by referring to generalizations of the spi-calculus (Abadi and Fournet's applied pi-calculus, and a recent result by Bruno Blanchet).

A Survey of Researches of Relationship between Symbolic and Computational Semantics in Security Analysis(<Special Topics> Formal Approach to Information Security)

Two kinds of models are used for analyzing cryptography protocols. One is the computational model where encrypted information are deciphered by computation of probabilistic polynomial-time Turing machines. The other is the symbolic model (or, Dolev-Yao Model) where a set of algebraic lows are applied. Analysis with the symbolic model is simple and easy to understand since it is regarded as abstract-level analysis by discarding a phenomenon of which probability is negligible. Due to subtlety of difference between these two kinds of analysis, several attempts have been made to bridge the gap between these two models. Among them, a work by Abadi and Rogaway and a work by Micciancio and Warinschi provide basic idea for bridging the gap. In this article, we mainly provide a survey of these works. Abadi and Rogaway showed that messages are not computationally indistinguishable if they are equivalent symbolically. This property is the soundness of symbolic analysis for computational one. Micciancio and Warinschi showed its converse, i. e. completeness property. We also summarize extensions of these works, which are analysises in more practical setting.

Formalization and Automation of Security Proof by Sequences of Games(<Special Topics> Formal Approach to Information Security)

Recently extensive research has been undertaken on the computational foundations of symbolic proof methods for security protocols. There are two approaches to providing such foundations. One is to give a probabilistic re-interpretation to existing symbolic methods such as the Dolev-Yao model and justify it computationally. The other is to re-formulate traditional computational arguments in an appropriate formal system and apply symbolic methods. The former approach is called indirect while the latter is called direct. This paper introduces the direct approach. Three studies on the direct approach are dealt with here, namely those by Corin and den Hartog, by Blanchet and Pointcheval, and by Canetti et al. They all formalize security proofs by sequences of games in different formal systems. We describe the formal systems they use, how they formalize probabilistic aspects and computational intractability assumptions, and the possibility of obtaining formal security proofs automatically.

From BAN Logic to Protocol Composition Logic : An Introduction to Logical Verification Methods for Security Protocols(<Special Topics> Formal Approach to Information Security)

We give an overview of several inference-based formal verification methods for security protocols. Especially, we survey the basic ideas of BAN logic and Protocol Composition Logic (PCL) and their related works such as Basic Protocol Logic (BPL). We also discuss some recent works on computational semantics for PCL.