Secrecy by Witness-Functions under Equational Theories
This addresses security vulnerabilities in cryptographic protocols for applications using algebraic properties like homomorphism, but it is incremental as it extends existing witness-function methods to nonempty equational theories.
The paper tackles the problem of analyzing cryptographic protocols for secrecy under nonempty equational theories, such as homomorphic primitives, and shows that the Needham-Schroeder-Lowe protocol, previously secure under perfect encryption, becomes vulnerable under these conditions, leading to a proposed fix.
In this paper, we use the witness-functions to analyze cryptographic protocols for secrecy under nonempty equational theories. The witness-functions are safe metrics used to compute security. An analysis with a witness-function consists in making sure that the security of every atomic message does not decrease during its lifecycle in the protocol. The analysis gets more difficult under nonempty equational theories. Indeed, the intruder can take advantage of the algebraic properties of the cryptographic primitives to derive secrets. These properties arise from the use of mathematical functions, such as multiplication, addition, exclusive-or or modular exponentiation in the cryptosystems and the protocols. Here, we show how to use the witness-functions under nonempty equational theories and we run an analysis on the Needham-Schroeder-Lowe protocol under the cipher homomorphism. This analysis reveals that although this protocol is proved secure under the perfect encryption assumption, its security collapses under the homomorphic primitives. We show how the witness-functions help to illustrate an attack scenario on it and we propose an amended version to fix it.