Section: New Software and Platforms
CryptoVerif
Cryptographic protocol verifier in the computational model
Keywords: Security, Verification, Cryptographic protocol
Functional Description: CryptoVerif is an automatic protocol prover that is sound in the computational model. In this model, messages are bitstrings and the adversary is a probabilistic polynomial-time Turing machine. CryptoVerif can prove secrecy and correspondence properties, which include in particular authentication. It provides a generic mechanism for specifying the security assumptions on cryptographic primitives, which can handle in particular symmetric encryption, message authentication codes, public-key encryption, signatures, hash functions, and Diffie-Hellman key agreements. It also provides an explicit formula that bounds the probability of breaking the protocol as a function of the probability of breaking each primitive; this is the exact security framework.
News Of The Year: We implemented the following features in CryptoVerif:
1) We added to the library of cryptographic primitives several variants of the PRF-ODH (pseudorandom function oracle Diffie-Hellman) assumption, preimage-resistant and second-preimage-resistant hash functions, IND-CPA encryption with a nonce, IND-CPA and INT-CTXT encryption with a nonce, and encryption schemes that satisfy IND$-CPA instead of IND-CPA.
2) To facilitate modular proofs, we allow querying indistinguishability properties with exactly the same syntax as the one used to specify indistinguishability assumptions on primitives.
3) To simplify declarations of assumptions on primitives, replications (which model any number of copies of processes or oracles) can be omitted at the root of indistinguishability assumptions. CryptoVerif adds them internally, thus inferring the assumption for N independent copies from the assumption for one copy. For instance, it infers the assumption for encryption with N keys from the assumption for encryption with a single key.
4) When we delay random number generations, we allow the user to specify expressions for which it is not necessary to generate the random value, so that the generation of the moved random value can be delayed further. In particular, we used this extension to prove that the OAEP scheme is IND-CCA2 assuming the underlying permutation is partial-domain one-way (a famous cryptographic result).
5) CryptoVerif can now remove parts of the code that cannot be executed in case the adversary wins the game, by replacing them with the event "AdversaryLoses". This is especially helpful for dealing with complex cases of key compromise, e.g. for forward secrecy: we prove authentication while ignoring the compromise, show that authentication is preserved in case the key is compromised (because the adversary never wins against the considered authentication property in case of compromise), and use the authentication to prove secrecy even in case of compromise. For instance, this allows us to show that the PSK-DHE handshake of TLS 1.3 preserves forward secrecy in case of compromise of the PSK.
6) After a cryptographic transformation, CryptoVerif expands terms into processes, which duplicates code until the end of the protocol for each test that is expanded. The cryptographic transformation and the expansion were initially considered as a single transformation. They are now considered as separate transformations, so that other transformations can be performed in between, in particular to cut some branches of the code and reduce the code duplication.
These changes are included in CryptoVerif version 2.02 available at https://cryptoverif.inria.fr.
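As an added illustration (not part of this report and not taken from the CryptoVerif distribution), the following small CryptoVerif model brings together two points made above: a hand-written indistinguishability assumption for a pseudorandom function, declared without a replication at its root as item 3 allows, and a protocol that uses that primitive together with a secrecy query of the kind described in the functional description. The identifiers (f, Pprf, dkey, the channel and process names) are chosen for this example; the equivalence follows the shape of the PRF assumption in the CryptoVerif library, and the syntax targets the channel front-end of CryptoVerif 2.x.

```cryptoverif
(* Added example: session-key derivation with a PRF, with the derived key
   proved secret by CryptoVerif. Names (f, Pprf, dkey, cA, cB, ...) are
   chosen for this example and are not from the report. *)

param N.

type key   [fixed].         (* PRF key shared by A and B *)
type nonce [large, fixed].  (* fresh per-session PRF input, sent in clear *)
type dkey  [large, fixed].  (* derived session key *)

fun f(key, nonce): dkey.
proba Pprf.

(* PRF assumption. Note that there is no "foreach i2 <= N2 do" at the root:
   the assumption is stated for a single key, and CryptoVerif adds the
   replication internally to obtain the version for N independent keys. *)
equiv(prf(f))
  k <-R key; foreach i <= N do Of(x: nonce) := return(f(k, x))
<=(Pprf(time, N, maxlength(x)))=>
  k <-R key; foreach i <= N do Of(x: nonce) :=
    find[unique] j <= N suchthat defined(x[j], r[j]) && x = x[j] then
      return(r[j])
    else
      r <-R dkey; return(r).

(* Security query: the key derived by A must remain secret. *)
query secret s.

channel start, cA, cB.

(* A picks a fresh nonce, derives s = f(k, n), and sends n in the clear. *)
let processA(k: key) =
  in(cA, ());
  new n: nonce;
  let s: dkey = f(k, n) in
  out(cA, n).

(* B receives a nonce (possibly chosen by the adversary) and derives its
   own key from it under the same k. *)
let processB(k: key) =
  in(cB, nB: nonce);
  let sB: dkey = f(k, nB) in
  out(cB, ()).

process
  in(start, ());
  new k: key;
  out(start, ());
  ((! i <= N processA(k)) | (! i <= N processB(k)))
```

Saved as a .cv file and run with the cryptoverif command, the model is expected to be handled by the default automatic strategy: applying the prf(f) transformation replaces f(k, n) by a fresh random value (the find branch only fires when two sessions use the same nonce, which is covered by a collision term), after which s is trivially secret, and the reported bound is expressed in terms of Pprf and the size of the nonce type. Writing the same equivalence with an explicit outer replication over N2 keys, and a probability scaled accordingly, is the older style the report refers to; item 3 makes that wrapper unnecessary.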

Publications:
Composition Theorems for CryptoVerif and Application to TLS 1.3
A Mechanised Cryptographic Proof of the WireGuard Virtual Private Network Protocol
Proved Implementations of Cryptographic Protocols in the Computational Model
Proved Generation of Implementations from Computationally Secure Protocol Specifications
Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate
Symbolic and Computational Mechanized Verification of the ARINC823 Avionic Protocols
Automated Verification for Secure Messaging Protocols and Their Implementations: A Symbolic and Computational Approach