Team, Visitors, External Collaborators
Overall Objectives
Research Program
Application Domains
Highlights of the Year
New Software and Platforms
New Results
Bilateral Contracts and Grants with Industry
Partnerships and Cooperations
XML PDF e-pub
PDF e-Pub

Section: New Software and Platforms


Cryptographic protocol verifier in the computational model

Keywords: Security - Verification - Cryptographic protocol

Functional Description: CryptoVerif is an automatic protocol prover sound in the computational model. In this model, messages are bitstrings and the adversary is a polynomial-time probabilistic Turing machine. CryptoVerif can prove secrecy and correspondences, which include in particular authentication. It provides a generic mechanism for specifying the security assumptions on cryptographic primitives, which can handle in particular symmetric encryption, message authentication codes, public-key encryption, signatures, hash functions, and Diffie-Hellman key agreements. It also provides an explicit formula that gives the probability of breaking the protocol as a function of the probability of breaking each primitives, this is the exact security framework.

News Of The Year: We implemented the following features in CryptoVerif:

1) We added to the library of cryptographic primitives several variants of the PRF-ODH (pseudo-random function oracle Diffie-Hellman) assumption, pre-image resistant and second-preimage resistant hash functions, IND-CPA encryption with a nonce, IND-CPA and INT-CTXT encryption with a nonce, encryption schemes that satisfy IND$-CPA instead of IND-CPA.

2) To facilitate modular proofs, we allow querying indistinguishability properties with exactly the same syntax as the one used to specify indistinguishability assumptions on primitives.

3) To simplify declarations of assumptions on primitives, replications (which model any number of copies of processes or oracles) can be omitted at the root of indistinguishability assumptions. CryptoVerif adds them internally, thus inferring the assumption for N independent copies from the assumption for one copy. For instance, it infers the assumption for encryption with N keys from the assumption for encryption with a single key.

4) When we delay random number generations, we allow the user to specify expressions for which it is not necessary to generate the random value, so that the generation of the moved random value can be delayed further. In particular, we used this extension to prove that the OAEP scheme is IND-CCA2 assuming the underlying permutation is partial-domain one-way (a famous cryptographic result).

5) CryptoVerif can now remove parts of the code cannot be executed in case the adversary wins the game, by replacing them with event "AdversaryLoses". That is specially helpful in order to deal with complex cases of key compromise, e.g. for forward secrecy, by proving authentication by ignoring the compromise, showing that authentication is preserved in case the key is compromised (because the adversary never wins against the considered authentication property in case of compromise), and using the authentication to prove secrecy even in case of compromise. For instance, that allows us to show that the PSK-DHE handshake of TLS 1.3 preserves forward secrecy in case of compromise of the PSK.

6) After a cryptographic transformation, CryptoVerif expands terms into processes, which leads to duplicating code until the end of the protocol for each test that is expanded. The cryptographic transformation and the expansion were initially considered as a single transformation. There are now considered as separate transformations, so that other transformations can be performed in between, in particular to cut some branches of the code and reduce the code duplication.

These changes are included in CryptoVerif version 2.02 available at