Secrecy by Witness-Functions under Equational Theories
Jaouhar Fattahi, Mohamed Mejri

TL;DR
This paper applies witness-functions to analyze cryptographic protocols' secrecy under equational theories, revealing vulnerabilities in the Needham-Schroeder-Lowe protocol with homomorphic encryption and proposing fixes.
Contribution
It extends witness-function analysis to nonempty equational theories and demonstrates its effectiveness on a real protocol vulnerability.
Findings
The Needham-Schroeder-Lowe protocol is insecure under homomorphic encryption.
Witness-functions can identify security breaches caused by algebraic properties.
An amended protocol version is proposed to address the identified vulnerability.
Abstract
In this paper, we use the witness-functions to analyze cryptographic protocols for secrecy under nonempty equational theories. The witness-functions are safe metrics used to compute security. An analysis with a witness-function consists in making sure that the security of every atomic message does not decrease during its lifecycle in the protocol. The analysis gets more difficult under nonempty equational theories. Indeed, the intruder can take advantage of the algebraic properties of the cryptographic primitives to derive secrets. These properties arise from the use of mathematical functions, such as multiplication, addition, exclusive-or or modular exponentiation in the cryptosystems and the protocols. Here, we show how to use the witness-functions under nonempty equational theories and we run an analysis on the Needham-Schroeder-Lowe protocol under the cipher homomorphism. This…
