Paper 2024/534

CryptoVampire: Automated Reasoning for the Complete Symbolic Attacker Cryptographic Model

Simon Jeanteur, TU Wien
Laura Kovács, TU Wien
Matteo Maffei, TU Wien, Christian Doppler Laboratory Blockchain Technologies for the Internet of Things
Michael Rawson, TU Wien
Abstract

Cryptographic protocols are hard to design and prove correct, as witnessed by the ever-growing list of attacks even on protocol standards. Symbolic models of cryptography enable automated formal security proofs of such protocols against an idealized cryptographic model, which abstracts away from the algebraic properties of cryptographic schemes and thus misses attacks. Computational models of cryptography yield rigorous guarantees but support at present only interactive proofs and/or restricted classes of protocols (e.g., stateless ones). A promising approach is given by the computationally complete symbolic attacker (CCSA) model, formalized in the BC Logic, which aims at bridging and getting the best of the two worlds, obtaining cryptographic guarantees by symbolic protocol analysis. The BC Logic is supported by a recently developed interactive theorem prover, namely Squirrel, which enables machine-checked interactive security proofs, as opposed to automated ones, thus requiring expert knowledge both in the cryptographic space as well as on the reasoning side. In this paper, we introduce the CryptoVampire cryptographic protocol verifier, which for the first time fully automates proofs of trace properties in the BC Logic. The key technical contribution is a first-order formalization of protocol properties with tailored handling of subterm relations. As such, we overcome the burden of interactive proving in higher-order logic and automatically establish soundness of cryptographic protocols using only first-order reasoning. Our first-order encoding of cryptographic protocols is challenging for various reasons. On the theoretical side, we restrict full first-order logic with cryptographic axioms to ensure that, by losing the expressivity of the higher-order BC Logic, we do not lose soundness of cryptographic protocols in our first-order encoding. On the practical side, CryptoVampire integrates dedicated proof techniques using first-order saturation algorithms and heuristics, which all together enable leveraging the state-of-the-art Vampire first-order automated theorem prover as the underlying proving engine of CryptoVampire. Our experimental results showcase the effectiveness of CryptoVampire as a standalone verifier as well as in terms of automation support for Squirrel.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Security ProtocolsFormal MethodsComputational SecurityAutomated Theorem Proving
Contact author(s)
simon jeanteur @ tuwien ac at
laura kovacs @ tuwien ac at
matteo maffei @ tuwien ac at
michael rawson @ tuwien ac at
History
2024-04-06: approved
2024-04-05: received
See all versions
Short URL
https://ia.cr/2024/534
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/534,
      author = {Simon Jeanteur and Laura Kovács and Matteo Maffei and Michael Rawson},
      title = {{CryptoVampire}: Automated Reasoning for the Complete Symbolic Attacker Cryptographic Model},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/534},
      year = {2024},
      url = {https://eprint.iacr.org/2024/534}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.