Modular Code-Based Cryptographic Verification

Type systems are effective tools for verifying the security of cryptographic programs. They provide automation, modularity and scalability, and have been applied to large security protocols. However, they traditionally rely on abstract assumptions on the underlying cryptographic primitives, expressed in symbolic models. Cryptographers usually reason on security assumptions using lower level, computational models that precisely account for the complexity and success probability of attacks. These models are more realistic, but they are harder to formalize and automate.
We present the first modular automated program verification method based on standard cryptographic assumptions. We show how to verify ideal functionalities and protocols written in ML by typing them against new cryptographic interfaces, using~F7, a refinement type checker coupled with Z3, an SMT-solver. We develop a probabilistic variant of RCF, the core calculus of F7, and formalize its type safety in~Coq. We develop typed module and interfaces for MACs, signatures, and encryptions, and establish their authenticity and secrecy properties against chosen plaintext and chosen ciphertext attacks. We relate their ideal functionalities and concrete implementations, using game-based program transformations behind typed interfaces. We illustrate our method on a series of protocol implementations.

Related work on symbolic cryptographic verification

• Verified Interoperable Implementations of Security Protocol (MSR-TR-2006-46); the final version appeared in TOPLAS, v.30 n.6, p.1-59.
• Refinement Types for Secure Implementations (MSR-TR-2008-118, last revised Feb 2010); its final version will appear in TOPLAS.
• Modular Verification of Security Protocol Code by Typing (draft extended version of POPL'10).