ebook img

DTIC ADA493035: Verifying Secrets and Relative Secrecy PDF

10 Pages·0.33 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview DTIC ADA493035: Verifying Secrets and Relative Secrecy

Verifying Secrets and Relative Secrecy (cid:0) y Dennis Volpano Geo(cid:2)rey Smith Abstract requiresthatthe(cid:8)nalvalueoflbeindependentoftheinitial value of h(cid:22)this plainly fails here(cid:4) k Systems that authenticate a user based on a shared secret But the loop is a (cid:23)(cid:2)(cid:19) (cid:3) attack(cid:5) assuming the value of h (cid:2)suchasapasswordorPIN(cid:3)normallyallowanyonetoquery ischosenatrandom(cid:4) Soaslongaskislargeenoughandthe whether the secret is a given value(cid:4) For example(cid:5) an ATM value of h is randomly chosen(cid:5) we do not consider the at(cid:6) machineallowsonetoaskwhetherastringisthesecretPIN tackathreatandwouldlikeasecrecycriterion thatre(cid:7)ects ofa(cid:2)lostorstolen(cid:3)ATMcard(cid:4) Yetsuchqueriesareprohib(cid:6) this view(cid:4) Our approach is to adopt a relative criterion for ited in any model whose programs satisfy an information(cid:6) secrecy that depends upon certain parameters(cid:5) speci(cid:8)cally(cid:5) (cid:7)owpropertylikeNoninterference(cid:4) Butthereiscomplexity(cid:6) the number of bits in a secret and randomness(cid:4) The idea basedjusti(cid:8)cationforallowingthesequeries(cid:4) Atypesystem is to admitonly those programs for which it can be proved isgiventhatprovidestheaccesscontrolneededtoprovethat that su(cid:9)ciently(cid:6)long secrets cannot be learned in polyno(cid:6) no well(cid:6)typed program can leak secrets inpolynomial time(cid:5) mial time or even learned with nonnegligible probability in or even leak them with nonnegligible probability if secrets polynomial time if randomlychosen(cid:4) areofsu(cid:9)cientlengthandrandomlychosen(cid:4) However(cid:5)there The queryexpression match(cid:2)e(cid:3) also represents the most arewell(cid:6)typeddeterministicprogramsinasynchronouscon(cid:6) basic tool any attacker has for compromising public(cid:6)key currentmodel capable of leaking secrets in linear time(cid:4) cryptography(cid:4) Given ciphertext c that is the result of en(cid:6) crypting plaintext h with a public key(cid:5)an attackercan test (cid:2) Introduction e(cid:9)ciently whether h is a particular string e simply by en(cid:6) cryptingewiththepublickeyandseeingwhetherthesame A common approach to authenticating a user is based on a ciphertext c is produced(cid:4) Of course the nonuniform dis(cid:6) sharedsecret(cid:4) Normally(cid:5)anyonecan ask whetherthesecret tribution of plaintext makes cracking a public(cid:6)key system is a particular value(cid:4) For instance(cid:5) password(cid:6)based authen(cid:6) with match queries di(cid:10)erent from a brute(cid:6)force attack on a ticationallows anyonetoaskwhetheracertainstringisthe random secret(cid:4) Good dictionary attacks exploit the distri(cid:6) password of a given user(cid:4) An ATM permits anyone to ask(cid:5) bution(cid:4) Inthiscase(cid:5)matchqueriesmaynotbejusti(cid:8)edfrom for a given card(cid:5) whether a string is the hidden PIN (cid:2)Per(cid:6) a complexitystandpoint and another cryptographic system sonal ID Number(cid:3)of thatcard(cid:5) and so on(cid:4) Formalizing the maybe required(cid:4) secrecyguaranteedbysystemsthatusethisformofauthen(cid:6) Inthispaper(cid:5) weconsidertheproblemoftryingtolearn tication is beyond the scope of information(cid:6)(cid:7)ow techniques thek(cid:6)bitintegervalueofaconstanthoftypeH usingwell(cid:6) because their goal is absolute secrecy(cid:4) typedprogramswritteninadeterministicprogramminglan(cid:6) Forinstance(cid:5)supposehisaconstant(cid:2)read(cid:6)onlyvariable(cid:3) guagewithmatchqueries(cid:4) Werequirethatprogramsbewell whosevalueisak(cid:6)bitintegersecret(cid:4) Ifwerepresentaquery typed in the system of (cid:17)(cid:16)(cid:18)(cid:21)(cid:5) except that we allow the type asmatch(cid:2)e(cid:3)(cid:5)whichistruei(cid:10)h(cid:11)e(cid:5)thenabrute(cid:6)forceattack of match queries tobe L(cid:5)whichdestroystraditional Nonin(cid:6) on h can be represented bya simple loop(cid:12) terference properties(cid:4) Instead(cid:5) we argue for the security of our language by l(cid:12)(cid:11)(cid:13)(cid:14) proving that no well(cid:6)typed program that is capable of de(cid:6) while (cid:0)match(cid:2)l(cid:3)do ducing h runs in time bounded by a polynomial in k (cid:2)the l(cid:12)(cid:11)l(cid:15)(cid:16) size of h(cid:3)(cid:4) Notice that such a result appears to separate P andNP (cid:2)see pg(cid:4) (cid:24)(cid:25)(cid:24) of (cid:17)(cid:16)(cid:16)(cid:21)(cid:3)(cid:5) as a well(cid:6)typednondetermin(cid:6) Aninformation(cid:6)(cid:7)owpropertylikeNoninterference(cid:17)(cid:18)(cid:5)(cid:16)(cid:18)(cid:5)(cid:16)(cid:19)(cid:5) istic program can guess h and verify its guess with match (cid:16)(cid:20)(cid:21) rejects the program(cid:4) Given that h has security class in time linear in k(cid:4) But our result actually separates rela(cid:6) H (cid:2)high(cid:3) and l has security class L (cid:2)low(cid:3)(cid:5) Noninterference tivizedformsof P andNP because ofour useof thematch (cid:0) oracle(cid:4) This sort of separation was shown long ago (cid:17)(cid:16)(cid:21)(cid:4) ComputerScienceDepartment(cid:2)NavalPostgraduateSchool(cid:2)Mon(cid:3) The preceding guarantee is the best one can do in the terey(cid:2)California(cid:4)(cid:5)(cid:4)(cid:6)(cid:5)(cid:7) Email(cid:8) volpano(cid:2)cs(cid:3)nps(cid:3)navy(cid:3)mil(cid:7) ySchoolofComputerScience(cid:2)FloridaInternationalUniversity(cid:2)Mi(cid:3) absence of any probability distribution for the values of h(cid:4) ami(cid:2)Florida(cid:5)(cid:5)(cid:9)(cid:4)(cid:4)(cid:7) Email(cid:8) smithg(cid:2)cs(cid:3)fiu(cid:3)edu(cid:7) Inthe case where there is a distribution(cid:5)we can talk about (cid:0) AppearsintheProceedingsofthe(cid:10)(cid:11)thACMSymposiumonPrin(cid:3) the probability of successfully learning h(cid:4) We show that if cipl(cid:2)eAsCoMfPCrOoPgYraRmIGmHiTngNOLaTnICgEu(cid:3)agPeersm(cid:2)BissoisotnotnoMmaAk(cid:2)e(cid:9)d(cid:4)ig(cid:12)it(cid:10)a(cid:9)loJrahna(cid:7)rd(cid:10)(cid:13)c(cid:13)op(cid:13)i(cid:7)esof the value of h is chosen with respect to a uniform proba(cid:6) partorallofthisworkforpersonalorclassroomuseisgrantedwithoutfeepro(cid:4) bilitydistribution(cid:5) thenfor anywell(cid:6)typedpolynomial(cid:6)time videdthatcopiesarenotmadeordistributedforprofitorcommercialadvantage program c(cid:5) the probability that c successfully learns h goes andthatcopiesbearthisnoticeandthefullcitationonthefirstpage(cid:3) Copy(cid:4) rightsforcomponentsofthisworkownedbyothersthanACMmustbehonored(cid:3) to zero as k increases(cid:4) Abstractingwithcreditispermitted(cid:3) Tocopyotherwise(cid:5)torepublish(cid:5)toposton servers(cid:5)ortoredistributetolists(cid:5)requirespriorspecificpermissionand(cid:6)orafee(cid:3) One might conclude that equality testing is safe in gen(cid:6) RequestpermissionsfromPublicationsDept(cid:5)ACMInc(cid:3)(cid:5)fax(cid:7)(cid:0)(cid:8)(cid:2)(cid:0)(cid:2)(cid:9)(cid:10)(cid:11)(cid:12)(cid:4)(cid:13)(cid:14)(cid:10)(cid:0)(cid:5) orpermissions(cid:15)acm(cid:3)org(cid:3) eral(cid:5) and that we could simply give e(cid:0) (cid:11)e(cid:2) typeL(cid:5) regard(cid:6) Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 2. REPORT TYPE 3. DATES COVERED 01 JAN 2000 N/A - 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER Verifying Secrets and Relative Secrecy 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION Computer Science Department Naval Postgraduate School Monterey, CA REPORT NUMBER 93943, USA 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release, distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF ABSTRACT OF PAGES RESPONSIBLE PERSON a. REPORT b. ABSTRACT c. THIS PAGE UU 9 unclassified unclassified unclassified Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18 (cid:2) less of the types of e(cid:0) and e(cid:2)(cid:4) However(cid:5) this is not so(cid:14) it i and j such that i(cid:2)(cid:11)j and neither i nor j is queried by c(cid:4) then becomes possible to leak a secret in linear time(cid:4) Nowc mustcopythe valuei intol when thevalueof h is i(cid:4) Finally(cid:5) we consider the e(cid:10)ect of adding concurrency to But if it does(cid:5) then it also copies i into l when the value of thelanguage(cid:4) Unlikeourpreviouswork(cid:17)(cid:16)(cid:19)(cid:5)(cid:16)(cid:20)(cid:21)(cid:5)weconsider h is j(cid:5) since it is deterministic and does notqueryj(cid:4) asynchronousformofconcurrency(cid:5)sothatprogramsremain deterministic(cid:4) Weshowthatsynchronousconcurrency(cid:5)even Noticethatifcommandswerenondeterministic(cid:5)thenacom(cid:6) without match queries(cid:5) allows well(cid:6)typed programs to leak mand could nondeterministically choose an integer n and secrets inlinear time(cid:4) thenissueaquerymatch(cid:2)n(cid:3)(cid:4) Ifthequerysucceeds(cid:5)itcopies n into l(cid:4) So we can always copythe valueof h innondeter(cid:6) ministic polynomialtime(cid:4) (cid:3) The deterministic language The preceding guarantee is the best one can do in the absence of any probability distribution on the values of h(cid:5) In this paper(cid:5) we consider a deterministic imperative pro(cid:6) gramminglanguage with a queryprimitivematch(cid:12) or in other words(cid:5) when its values are chosen nondetermin(cid:6) istically(cid:4) When there is a probability distribution for h(cid:5) we (cid:2)expr(cid:3) e (cid:12)(cid:12)(cid:11) x j n j h j match(cid:2)e(cid:3) j e(cid:0)(cid:15)e(cid:2) j can talk about theprobability of copying h(cid:4) Indeed(cid:5)in this e(cid:0) (cid:2)e(cid:2) j e(cid:0)(cid:11)e(cid:2) j e(cid:0) (cid:2)(cid:11)e(cid:2) case(cid:5) a command might succeed often(cid:5) perhaps even most of the time(cid:5) in copying h(cid:4) However(cid:5) one can show that if (cid:2)cmds(cid:3) c (cid:12)(cid:12)(cid:11) skip j x(cid:12)(cid:11)e j c(cid:0)(cid:14)c(cid:2) j access to h is limited to match queries(cid:5) then any determin(cid:6) if e then c(cid:0) else c(cid:2) j istic(cid:5) polynomial(cid:6)timecommandfor copyingh toa variable while e do c lwillsucceedwithonlynegligible probabilityforuniformly(cid:6) distributedand su(cid:9)ciently(cid:6)large values of h(cid:4) Metavariable x ranges over identi(cid:8)ers that are mapped by Supposecisadeterministiccommandthatrunsinpoly(cid:6) memoriestointegers(cid:14)nrangesoverintegerliterals(cid:4) Integers nomialtimep(cid:2)k(cid:3)andaccessesaconstanthviamatchqueries are theonly values(cid:14) we use (cid:13) for false and nonzero for true(cid:4) only(cid:4) And suppose the value of h is a k(cid:6)bit integer(cid:5) cho(cid:6) Thespecialidenti(cid:8)erhisaread(cid:6)onlyvariablewhosebinding senwithrespect tosome probabilitydistribution don k(cid:6)bit we assume is secret(cid:4) integers(cid:4) Finally(cid:5) assume that k is large enough so that Astandardtransitionsemanticsforthelanguageisgiven k (cid:19) (cid:6) p(cid:2)k(cid:3)(cid:4) Now(cid:5) as c runs(cid:5) it makes match queries in an in Figure (cid:16)(cid:4) A memory (cid:3) is a mapping from identi(cid:8)ers to attempt to learn h(cid:4) If any such query gets result (cid:16)(cid:5) then c integers(cid:4) We assume that expressions are evaluated atom(cid:6) can putthe correct value into l and halt(cid:4) But in p(cid:2)k(cid:3)time(cid:5) ically(cid:4) Thus we simply extend a memory in the obvious k c can query at most p(cid:2)k(cid:3) out of the (cid:19) possible values of way to map expressions to integers(cid:5) writing (cid:3)(cid:2)e(cid:3) to de(cid:6) k note the value of expression e in memory (cid:3)(cid:4) We say that h(cid:4) Since (cid:19) (cid:6)p(cid:2)k(cid:3)(cid:5) all of c(cid:26)s queries might get result (cid:13)(cid:4) In (cid:3)(cid:2)match(cid:2)e(cid:3)(cid:3)(cid:11)(cid:16)i(cid:10)(cid:3)(cid:2)h(cid:3)(cid:11)(cid:3)(cid:2)e(cid:3)(cid:14)otherwise(cid:3)(cid:2)match(cid:2)e(cid:3)(cid:3)(cid:11)(cid:13)(cid:4) such a run(cid:5) c must eventually halt and put some value v Note that expressions do not have side e(cid:10)ects(cid:5) nor do they into l(cid:4) But note that since c is deterministic and accesses containpartialoperationslikedivision(cid:4) Thus(cid:3)(cid:2)e(cid:3)isde(cid:8)ned h only through match queries(cid:5) c(cid:26)s behavior will be exactly for all e(cid:5) so long as everyidenti(cid:8)erin e is in dom(cid:2)(cid:3)(cid:3)(cid:4) thesameifthevalueofhisany oftheunqueriedintegers(cid:22) These rules de(cid:8)ne a transition relation (cid:3)(cid:4) on con(cid:8)gu(cid:6) in any such run(cid:5) c will make exactly the same sequence of rations(cid:4) A con(cid:8)guration is either a pair (cid:2)c(cid:4)(cid:3)(cid:3) or simply a queries and will (cid:8)nally write the same default value v into memory (cid:3)(cid:4) In the (cid:8)rst case(cid:5) c is the command yet to be l(cid:4) That is(cid:5) for anysuchcwe canidentifyasetS of at most executed(cid:14)inthesecondcase(cid:5) thecommandhasterminated(cid:5) p(cid:2)k(cid:3) integers that c will query(cid:5)and a default value v that c yielding (cid:8)nal memory (cid:3)(cid:4) As usual(cid:5) we de(cid:8)ne (cid:5) (cid:3)(cid:4)(cid:3) (cid:5)(cid:5) for will write into l if all of the queries get result (cid:13)(cid:4) It follows any con(cid:8)guration (cid:5)(cid:5) and (cid:5)(cid:3)(cid:4)k (cid:5)(cid:0)(cid:0)(cid:5) for k (cid:6)(cid:13)(cid:5) if there is a that c will be successful in copying the value of h into l if con(cid:8)guration (cid:5)(cid:0) suchthat(cid:5)(cid:3)(cid:4)k(cid:2)(cid:0) (cid:5)(cid:0) and(cid:5)(cid:0) (cid:3)(cid:4)(cid:5)(cid:0)(cid:0)(cid:4) andonly if the value of his in S(cid:5)fvg(cid:4) Givendistributiond(cid:5)howcancmaximizeitsprobability of success(cid:27) Clearly(cid:5) the best strategy is to choose S and v (cid:4) Relative secrecy so thatd(cid:2)S(cid:5)fvg(cid:3) is as large as possible(cid:4) This can be done bychoosingthep(cid:2)k(cid:3)(cid:15)(cid:16)mostlikelyvaluesunderd(cid:5)putting We begin bylooking at relative secrecy properties that can p(cid:2)k(cid:3) of theminto S(cid:5) and using theremaining valueas v(cid:4) beprovedforprogramsthataccesshviamatchqueriesonly(cid:4) The probabilityof success maybe high if eitherk is too Then(cid:5) in Section (cid:18)(cid:5) we give a reduction that extends these smallortheprobabilitydistributiondisseverelyskew(cid:4) But results to programs that may have free occurrences of h(cid:4) if d is a uniform distribution(cid:5) so that all possible values of The reduction requires that these programs be well typed hareequallylikely(cid:5)thenforanychoiceofp(cid:2)k(cid:3)(cid:15)(cid:16)elements underthetypesystemof Section (cid:20)(cid:4) of S(cid:5)fvg we have The (cid:8)rst propertyis an intractability guarantee(cid:12) Theorem (cid:2)(cid:3)(cid:4) There is no deterministic command capable d(cid:2)S(cid:5)fvg(cid:3)(cid:11) p(cid:2)k(cid:3)k(cid:15)(cid:16)(cid:7) of copying the k(cid:2)bit integer value of h into a variable l in (cid:19) time polynomial in k(cid:3) for all k(cid:3) if h is accessed via match (cid:2)Indeed(cid:5) we can see that a uniform distribution minimizes queries only(cid:4) c(cid:26)s probability of success(cid:4)(cid:3) Hencewe haveproved Proof(cid:4) Suppose c runs in polynomial time p(cid:2)k(cid:3) where k is Theorem (cid:2)(cid:3)(cid:5) If the value of h is a uniformly distributed thenumberofbitsneededtoencodethevalueofh(cid:4) Choose k k(cid:2)bit integer and c is a deterministic command that runs in k large enough so that (cid:19) (cid:6)p(cid:2)k(cid:3)(cid:15)(cid:16)(cid:4) Since c can make at polynomialtimep(cid:2)k(cid:3)andaccesses hviamatchqueriesonly(cid:3) k mostp(cid:2)k(cid:3)queriesand(cid:19) (cid:6)p(cid:2)k(cid:3)(cid:15)(cid:16)(cid:5)therearek(cid:6)bitintegers then the probability that c successfully copies the value of h k (cid:2) into a variable l is at most (cid:2)p(cid:2)k(cid:3)(cid:15)(cid:16)(cid:3)(cid:8)(cid:19) (cid:4) In contrast(cid:2) (cid:0) is clearly dangerous(cid:2) as it allows a secret to be computedbybinarysearch(cid:7) (cid:19) (cid:2)no(cid:2)op(cid:3) (cid:2)skip(cid:4)(cid:3)(cid:3)(cid:3)(cid:4)(cid:3) (cid:2)update(cid:3) x(cid:6)dom(cid:2)(cid:3)(cid:3) (cid:2)x(cid:12)(cid:11)e(cid:4)(cid:3)(cid:3)(cid:3)(cid:4)(cid:3)(cid:17)x(cid:12)(cid:11)(cid:3)(cid:2)e(cid:3)(cid:21) (cid:0) (cid:2)sequence(cid:3) (cid:2)c(cid:0)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4)(cid:3) (cid:0) (cid:2)c(cid:0)(cid:14)c(cid:2)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4)(cid:2)c(cid:2)(cid:4)(cid:3)(cid:3) (cid:0) (cid:0) (cid:2)c(cid:0)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4)(cid:2)c(cid:0)(cid:4)(cid:3)(cid:3) (cid:0) (cid:0) (cid:2)c(cid:0)(cid:14)c(cid:2)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4)(cid:2)c(cid:0)(cid:14)c(cid:2)(cid:4)(cid:3)(cid:3) (cid:2)branch(cid:3) (cid:3)(cid:2)e(cid:3)(cid:2)(cid:11)(cid:13) (cid:2)if e then c(cid:0) else c(cid:2)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4)(cid:2)c(cid:0)(cid:4)(cid:3)(cid:3) (cid:3)(cid:2)e(cid:3)(cid:11)(cid:13) (cid:2)if e then c(cid:0) else c(cid:2)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4)(cid:2)c(cid:2)(cid:4)(cid:3)(cid:3) (cid:2)loop(cid:3) (cid:3)(cid:2)e(cid:3)(cid:11)(cid:13) (cid:2)while e do c(cid:4)(cid:3)(cid:3)(cid:3)(cid:4)(cid:3) (cid:3)(cid:2)e(cid:3)(cid:2)(cid:11)(cid:13) (cid:2)while e do c(cid:4)(cid:3)(cid:3)(cid:3)(cid:4)(cid:2)c(cid:14)while e do c(cid:4)(cid:3)(cid:3) Figure (cid:16)(cid:12) Transition semantics (cid:5) The type system copiesaone(cid:6)bitsecrettoalowvariable(cid:4) Butmatchisclearly unsafe with a secret of onlyone bit(cid:28) Now we wish to allow programs to access h directly(cid:5) rather than just via match queries(cid:4) Of course(cid:5) a program could (cid:6) The reduction then simply do l (cid:12)(cid:11) h(cid:5) so we need another mechanism to ensure that h is not leaked(cid:4) For this purpose(cid:5) we impose a We reduce the problem of learning the value of h(cid:5) using a typesystem(cid:4) deterministicprogramwhoseaccesstohislimitedtomatch The typesare strati(cid:8)edinto data andphrase types(cid:12) queries(cid:5)tothatoflearningthevalueofhusingawell(cid:6)typed deterministic program (cid:2)whose access to h is not limited to (cid:2)data types(cid:3) (cid:9) (cid:12)(cid:12)(cid:11) L j H queries(cid:3)(cid:4) Moreprecisely(cid:5)weshowthateverywell(cid:6)typedcom(cid:6) (cid:2)phrase types(cid:3) (cid:10) (cid:12)(cid:12)(cid:11) (cid:9) j (cid:9) var j (cid:9) cmd mand(cid:26)s computation with respect to low variables can be simulated(cid:5) with no increase in time complexity(cid:5) by a com(cid:6) Thedatatypesarejustthesecuritylevelslowandhigh(cid:4) The mand whose access to h is restricted to match queries(cid:4) So rules of the type system are given in Figure (cid:19)(cid:4) They just learning a secret with any well(cid:6)typed program is as hard extend the system of (cid:17)(cid:16)(cid:18)(cid:21) with a rule for match(cid:4) The rules as learning it with only match queries at your disposal(cid:4) allow us to prove typing judgmentsof the form (cid:11) (cid:7)p(cid:12)(cid:10) as Hence the relative secrecy properties apply to well(cid:6)typed well as subtyping judgments of the form (cid:10)(cid:0) (cid:8) (cid:10)(cid:2)(cid:4) Here (cid:11) commands(cid:4) If a program is notwell typedthenall bets are is a typingthatmapsidenti(cid:8)ersto typesof the form(cid:9) var(cid:5) o(cid:10)(cid:5) as itcouldwell bethecasethatasecretiseasily leaked except for h which is mapped by every typing to H(cid:4) The via a direct or indirect (cid:7)ow(cid:4) typing rules for the remaining binary operators are similar Webegin with some de(cid:8)nitions(cid:12) to that for eq(cid:4) Intuitively(cid:5) (cid:11) classi(cid:8)es variables as either high or low(cid:5) and the typing rules prevent information from De(cid:6)nition (cid:7)(cid:3)(cid:4) Memories (cid:3) and (cid:12) are equivalent with re(cid:2) (cid:7)owing from high variables to low variables(cid:4) spect to a typing (cid:11)(cid:3) written (cid:3)(cid:9)(cid:2)(cid:12)(cid:3) if dom(cid:2)(cid:3)(cid:3) (cid:11) dom(cid:2)(cid:12)(cid:3) (cid:11) Notice that rule query allows one to assign type L to dom(cid:2)(cid:11)(cid:3) and (cid:3)(cid:2)x(cid:3)(cid:11)(cid:12)(cid:2)x(cid:3) for all x such that (cid:11)(cid:2)x(cid:3)(cid:11)Lvar(cid:4) a query even though that query is against a high constant(cid:4) It is this rule that breaks Noninterference (cid:17)(cid:16)(cid:18)(cid:21)(cid:5) for it allows This de(cid:8)nition requires two memories to agree on the con(cid:6) someinformationaboutasecrettobecomepublic(cid:4) Alsonote tentsof all low variables(cid:4) that the rule allows restricted access to a high constant in De(cid:6)nition (cid:7)(cid:3)(cid:5) We say that a command c is a low com(cid:2) the guard of a while loop or conditional without requiring mand with respect to (cid:11) if (cid:11)(cid:2)x(cid:3)(cid:11)Lvar for every free iden(cid:2) the bodyor branches to betypedas H cmd(cid:4) This provides (cid:4) ti(cid:5)er x in c(cid:4) more(cid:7)exibilityinprogramming(cid:5)andindeeditnowbecomes (cid:16) possibletowriteaconditionalthat(cid:5)throughanindirect(cid:7)ow(cid:5) Notethatthisisnotthesameassayingthat thecommandhas typeLcmd(cid:2)asevery well(cid:3)typedcommandhastypeLcmd(cid:7) (cid:24) (cid:2)int(cid:3) (cid:11) (cid:7)n(cid:12)L (cid:2)secret(cid:3) (cid:11)(cid:2)h(cid:3)(cid:11)H (cid:11)(cid:7)h(cid:12)H (cid:2)r(cid:2)val(cid:3) (cid:11)(cid:2)x(cid:3)(cid:11)(cid:9) var (cid:11)(cid:7)x(cid:12)(cid:9) (cid:2)skip(cid:3) (cid:11) (cid:7)skip(cid:12)H cmd (cid:2)eq(cid:3) (cid:11)(cid:7)e(cid:0) (cid:12)(cid:9)(cid:4) (cid:11) (cid:7)e(cid:2)(cid:12)(cid:9) (cid:11)(cid:7)e(cid:0) (cid:11)e(cid:2)(cid:12)(cid:9) (cid:2)query(cid:3) (cid:11)(cid:7)e(cid:12)L (cid:11)(cid:7)match(cid:2)e(cid:3)(cid:12)L (cid:2)assign(cid:3) (cid:11)(cid:2)x(cid:3)(cid:11)(cid:9) var(cid:4) (cid:11)(cid:7)e(cid:12)(cid:9) (cid:11)(cid:7)x(cid:12)(cid:11)e(cid:12)(cid:9) cmd (cid:2)compose(cid:3) (cid:11)(cid:7)c(cid:0) (cid:12)(cid:9) cmd(cid:4) (cid:11) (cid:7)c(cid:2) (cid:12)(cid:9) cmd (cid:11)(cid:7)c(cid:0)(cid:14)c(cid:2) (cid:12)(cid:9) cmd (cid:2)if(cid:3) (cid:11)(cid:7)e(cid:12)(cid:9)(cid:4) (cid:11) (cid:7)c(cid:0) (cid:12)(cid:9) cmd(cid:4) (cid:11) (cid:7)c(cid:2) (cid:12)(cid:9) cmd (cid:11)(cid:7)if e then c(cid:0) else c(cid:2) (cid:12)(cid:9) cmd (cid:2)while(cid:3) (cid:11)(cid:7)e(cid:12)(cid:9)(cid:4) (cid:11) (cid:7)c(cid:12)(cid:9) cmd (cid:11)(cid:7)while e do c(cid:12)(cid:9) cmd (cid:2)base(cid:3) L(cid:8)H (cid:2)reflex(cid:3) (cid:10)(cid:8)(cid:10) (cid:2) (cid:2)cmd (cid:3) (cid:9)(cid:0) (cid:8)(cid:9)(cid:2) (cid:9)(cid:2) cmd (cid:8)(cid:9)(cid:0) cmd (cid:2)subtype(cid:3) (cid:11)(cid:7)p(cid:12)(cid:10)(cid:0)(cid:4) (cid:10)(cid:0)(cid:8)(cid:10)(cid:2) (cid:11)(cid:7)p(cid:12)(cid:10)(cid:2) Figure (cid:19)(cid:12) Typing andsubtypingrules (cid:20) (cid:0) De(cid:6)nition (cid:7)(cid:3)(cid:2) We say that a command c is a low simu(cid:2) in (cid:17)(cid:16)(cid:13)(cid:21) (cid:2)see pg(cid:4) (cid:30)(cid:20)(cid:13)(cid:3)(cid:4) The default is to avoid multiplication (cid:0) lation of a command c with respect to (cid:11) if c is a low com(cid:2) when certain bits of a keyare zero(cid:4) mand relative to (cid:11) and for all (cid:3) where dom(cid:2)(cid:3)(cid:3) (cid:11) dom(cid:2)(cid:11)(cid:3)(cid:3) The essence of this sort of attack can be formulated n (cid:0) (cid:0)(cid:0) whenever (cid:2)c(cid:4)(cid:3)(cid:3) (cid:3)(cid:4) (cid:3)(cid:3) there is a (cid:3) and m such that within the synchronous concurrent model(cid:4) To formulate it (cid:0) m (cid:0)(cid:0) (cid:0) (cid:0)(cid:0) (cid:2)c(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:3) (cid:3) (cid:3)(cid:9)(cid:2)(cid:3) and m(cid:10)n(cid:4) concretely(cid:5) let us introduce the bitwise operators (cid:0) (cid:2)ones complement(cid:3)(cid:5) (cid:2) (cid:2)bitwise and(cid:3)(cid:5) (cid:3) (cid:2)bitwise or(cid:3) and (cid:4)(cid:4) (cid:2)right The reduction is given bythe following theorem(cid:4) shift(cid:3)(cid:4) Typing rules for these operators are similar to that of rule eq(cid:4) We also take the liberty to introduce a while Theorem (cid:7)(cid:3)(cid:4) If c is a well(cid:2)typed command with respect to loop with emptybody(cid:4) Now suppose h stores a k(cid:6)bitsecret (cid:11)(cid:3) then there is a low simulation of c with respect to (cid:11)(cid:4) that is being inspected bitwise by a legitimate thread that simply loops through all bits(cid:5) doing some computation if a A proof of the theorem is given in the Appendix(cid:4) The bit is nonzero and nothing otherwise(cid:4) Think of the thread essenceoftheproofisthatcommandsoftypeH cmd cannot asanimplementationofanencryptionalgorithmwhereless a(cid:10)ect any low variable(cid:4) Therefore(cid:5) they can be replaced by time is required if a bit of the k(cid:6)bit secret key is zero(cid:4) The the skip command(cid:4) Commands that cannot be given type inspection thread is givenbythefollowing command(cid:12) H cmd areretained(cid:4) Theresultisacommandthatpreserves thecomputationonlowvariablesandrunsintimebounded while mask (cid:5)(cid:6) (cid:7) bythatof theoriginal command(cid:4) if h (cid:2) mask then Sincealowcommandislimitedtoaccessinghviamatch skip(cid:8) queries(cid:5) we havethefollowing corollaries(cid:12) skip(cid:8) skip(cid:8) Corollary (cid:7)(cid:3)(cid:5) There is no well(cid:2)typed deterministic com(cid:2) skip mand capable ofcopyingthe k(cid:2)bitinteger value ofhtoalow fi variable in time polynomial in k(cid:3) for all k(cid:4) mask (cid:9)(cid:6) mask (cid:4)(cid:4) (cid:10) Corollary (cid:7)(cid:3)(cid:2) If the value of h is a uniformly distributed We set up (cid:19)k attack threads(cid:5) one pair for each bit of the k(cid:2)bit integer and c is a well(cid:2)typed deterministic command secret(cid:4) Each is responsible for setting a particular bit of an that runs in polynomial time p(cid:2)k(cid:3)(cid:3) then the probability that integer stored in low variable l which is where the secret is c successfully copies the value of h into a low variable is at leaked(cid:4) If k (cid:11)(cid:31)(cid:5) for instance(cid:5) then for the most signi(cid:8)cant k most (cid:2)p(cid:2)k(cid:3)(cid:15)(cid:16)(cid:3)(cid:8)(cid:19) (cid:4) bit(cid:5) we havethe threads(cid:12) Thuswehaveshown thatthesecrecyofhis (cid:2)practically while mask (cid:5)(cid:6) (cid:10)(cid:11)(cid:12) speaking(cid:3) preserved even if programs are allowed to make while mask (cid:5)(cid:6) (cid:10)(cid:11)(cid:12) (cid:8) match queries freely(cid:4) One might conclude from this that (cid:8) skip(cid:8) equality testing is harmless in general(cid:4) However(cid:5) this is not while mask (cid:6)(cid:6) (cid:10)(cid:11)(cid:12) skip(cid:8) so(cid:4) Ifweallowgeneralequalitytestsamonghighexpressions (cid:8) skip(cid:8) to havetype L(cid:5) then we can leak h in linear time(cid:12) l (cid:9)(cid:6) l (cid:3) (cid:10)(cid:11)(cid:12) skip(cid:8) l (cid:9)(cid:6) l (cid:2) (cid:0)(cid:10)(cid:11)(cid:12) l(cid:12)(cid:11)(cid:13)(cid:14) k(cid:2)(cid:0) mask (cid:12)(cid:11)(cid:19) (cid:14) There would be another identical pair for the next bit(cid:5) ex(cid:6) whilemask (cid:2)(cid:11) (cid:13)do cept they would spin while waiting for mask to become (cid:30)(cid:20)(cid:5) b(cid:12)(cid:11)h(cid:29)mask(cid:14) and so on(cid:4) The inspection and attack threads share mask (cid:5) ifb(cid:11)mask then whichisalow variable(cid:4) Further(cid:5)allthreadsarewelltyped l(cid:12)(cid:11)ljmask(cid:14) and every attackthread is a low commandwhich we would mask (cid:12)(cid:11)mask (cid:11)(cid:16) expectsinceanattack would nothavedirectaccess to vari(cid:6) ables storing secrets anyway(cid:4) We have set up a race where (cid:7) Synchronous concurrency the thread that sets a bit of l to b wins the race i(cid:10) the corresponding bitof his (cid:0)b(cid:4) Now consider a deterministic(cid:5) multi(cid:6)threaded semantics To illustrate the behavior(cid:5) suppose the (cid:8)rst two bits of whereallthreadsexecutesimultaneouslyandsynchronously(cid:4) h are (cid:13)(cid:16) and that mask is initially (cid:16)(cid:19)(cid:31)(cid:4) The trace of the Threads are commands that communicate via a shared inspection thread on this input is given in the (cid:8)rst column global memory(cid:4) Every thread of a multi(cid:6)threaded program ofFigures(cid:24)and(cid:20)(cid:4) Figure(cid:24)showsthetraceofathreadpair can makeonetransition(cid:5) according to thesemanticsof Fig(cid:6) attackingthe(cid:8)rstbitofhwhileFigure(cid:20)showsthetraceof ure(cid:16)(cid:5)inagivenclockcycle(cid:4) Ateachstep(cid:5)parallelreadsare a thread pair attacking the second bit(cid:4) The type system is allowed but not parallel writes(cid:4) The latter situation causes not equipped to deal with this kind of model where timing an evaluation to get stuck(cid:4) observations canbe made(cid:4) Tricks like atomicity(cid:17)(cid:16)(cid:20)(cid:21) do not The synchronous behavior of the model provides well(cid:6) help here because threads in e(cid:10)ectshare a real(cid:6)time clock(cid:28) typed commands with a timing channel that can be ex(cid:6) If one views the preceding multi(cid:6)threaded program as a ploited to leak a secret perfectly in time linear in its size(cid:4) probabilistic algorithm then Examplesof multi(cid:6)threadedprogramscapable of doing this canbefoundintimingattacks onimplementationsof cryp(cid:6) Pr(cid:17)h(cid:11)njl(cid:11)n(cid:21)(cid:11)(cid:16) tography (cid:17)(cid:25)(cid:21)(cid:4) Here thereare bit(cid:6)wise operations on a secret (cid:14) Makingmaskahighvariableisnotagoodideaherebecausethen keyandoneexploitsthefactthattheimplementationisop(cid:6) noassignmentstolowvariableswouldbeallowedinthebodyofthe timized according to certain bits of the key(cid:4) An example is loop(cid:7) Thisinturnwouldhamperanimplementationofencryption(cid:7) the C implementation of the block cipher algorithm IDEA (cid:18) while mask (cid:5)(cid:6) (cid:7) while mask (cid:5)(cid:6) (cid:10)(cid:11)(cid:12) while mask (cid:5)(cid:6) (cid:10)(cid:11)(cid:12) if h (cid:2) mask then while mask (cid:6)(cid:6) (cid:10)(cid:11)(cid:12) skip mask (cid:9)(cid:6) mask (cid:4)(cid:4) (cid:10) while mask (cid:6)(cid:6) (cid:10)(cid:11)(cid:12) skip while mask (cid:5)(cid:6) (cid:7) while mask (cid:6)(cid:6) (cid:10)(cid:11)(cid:12) skip if h (cid:2) mask then l (cid:9)(cid:6) l (cid:3) (cid:10)(cid:11)(cid:12) skip skip l (cid:9)(cid:6) l (cid:2) (cid:0)(cid:10)(cid:11)(cid:12) Figure (cid:24)(cid:12) Timing attack on(cid:8)rst bitof h while mask (cid:5)(cid:6) (cid:7) while mask (cid:5)(cid:6) (cid:13)(cid:14) while mask (cid:5)(cid:6) (cid:13)(cid:14) if h (cid:2) mask then while mask (cid:5)(cid:6) (cid:13)(cid:14) while mask (cid:5)(cid:6) (cid:13)(cid:14) mask (cid:9)(cid:6) mask (cid:4)(cid:4) (cid:10) while mask (cid:5)(cid:6) (cid:13)(cid:14) while mask (cid:5)(cid:6) (cid:13)(cid:14) while mask (cid:5)(cid:6) (cid:7) while mask (cid:5)(cid:6) (cid:13)(cid:14) while mask (cid:5)(cid:6) (cid:13)(cid:14) if h (cid:2) mask then while mask (cid:6)(cid:6) (cid:13)(cid:14) skip skip while mask (cid:6)(cid:6) (cid:13)(cid:14) skip skip while mask (cid:6)(cid:6) (cid:13)(cid:14) skip skip while mask (cid:6)(cid:6) (cid:13)(cid:14) skip skip while mask (cid:6)(cid:6) (cid:13)(cid:14) l (cid:9)(cid:6) l (cid:2) (cid:0)(cid:13)(cid:14) mask (cid:9)(cid:6) mask (cid:4)(cid:4) (cid:10) while mask (cid:6)(cid:6) (cid:13)(cid:14) while mask (cid:5)(cid:6) (cid:7) while mask (cid:6)(cid:6) (cid:13)(cid:14) if h (cid:2) mask then l (cid:9)(cid:6) l (cid:3) (cid:13)(cid:14) Figure (cid:20)(cid:12) Timing attack on second bit of h (cid:6) for all n(cid:4) In other words(cid:5) one can be certain that h stores to learn a password is subject to the limitations of Theo(cid:6) a particular secret if thealgorithm says so(cid:4) This is an ideal rems(cid:24)(cid:4)(cid:16) and(cid:24)(cid:4)(cid:19)(cid:4) probabilistic algorithm(cid:4) Note we have said nothing about the role of the type But consider an interleaving semantics where at each system at this point(cid:4) Type checking would be performed step of executing a multi(cid:6)threaded program(cid:5) exactly one on any program that updates the password (cid:8)le(cid:5) since this thread is chosen to execute for a single transition(cid:4) Now is where new passwords are input(cid:4) Aslong as the password multi(cid:6)threaded programs are nondeterministic(cid:4) If at every checkermerelyreturnstheresultofamatchquery(cid:5)password step(cid:5) every thread has a nonzero probability of being se(cid:6) updatingiswelltyped(cid:5)andpasswordsare storedinasecret lected by a scheduler(cid:5) then Pr(cid:17)h(cid:11)njl(cid:11)n(cid:21) (cid:2) (cid:16)(cid:5) for all n(cid:5) (cid:2)high(cid:3) (cid:8)le(cid:5) the password system as a whole is secure in the unless Pr(cid:17)h(cid:11)n(cid:21) (cid:11) (cid:16)(cid:4) That(cid:26)s because the (cid:8)nal value of l sense that it is subject to the limitations of Corollaries (cid:18)(cid:4)(cid:19) can be any value with nonzero probability(cid:5) regardless of h(cid:4) and(cid:18)(cid:4)(cid:24)(cid:4) Each value of mask will be considered(cid:5) allowing the thread But what can we say about the security of a system in pairforthebitinquestiontoexecute(cid:5)andthesetwothreads which there is a public (cid:8)le containing the images of the can complete in either order with nonzero probability(cid:4) So passwords under some one(cid:6)way function(cid:27) The reduction Pr(cid:17)l(cid:11)njh(cid:2)(cid:11)n(cid:21)(cid:6)(cid:13)(cid:4) of Theorem (cid:18)(cid:4)(cid:16) can also be used to argue for security in The example shows that there are attacks that are this case(cid:4) Suppose we add to our deterministic language a strongerinasynchronousconcurrentmodelthaninaprob(cid:6) function f that we believe is a one(cid:6)way function (cid:17)(cid:16)(cid:16)(cid:21) and abilisticinterleaving one(cid:4) Foreachnewmodel(cid:5)oneneedsto a constant fh bound to the image of h under f(cid:4) That is(cid:5) investigate thefeasibility of revealing secrets(cid:4) (cid:3)(cid:2)fh(cid:3)(cid:11)(cid:3)(cid:2)f(cid:2)h(cid:3)(cid:3)(cid:5) for any memory(cid:3)(cid:4) Further(cid:5) suppose they are typedas (cid:11) (cid:7)fh (cid:12)L(cid:5) and for any expression e(cid:5) (cid:8) Discussion (cid:11)(cid:7)e(cid:12)(cid:9) (cid:11)(cid:7)f(cid:2)e(cid:3)(cid:12)(cid:9) It has long been recognized that practical information (cid:7)ow control mustallow for declassifying information(cid:4) An exam(cid:6) Onecannotallowf(cid:2)e(cid:3)tobetypedlowunlessecanbetyped ple is a simple password checker(cid:4) It must indicate whether as a low expression(cid:4) Otherwise(cid:5) we can copy h into a low a given string matchesa user(cid:26)s password ina password (cid:8)le(cid:4) variable l in linear time using a well(cid:6)typed program similar Information(cid:6)(cid:7)ow control would prohibit the result of such to the one in Section(cid:18)(cid:12) an attempt from being observed by an arbitrary user(cid:4) One way around this restriction is to allow privileged users to l(cid:12)(cid:11)(cid:13)(cid:14) explicitlydeclassifytheresult(cid:5)allowingsomeinformationto mask (cid:12)(cid:11)(cid:19)k(cid:2)(cid:0)(cid:14) leak (cid:17) (cid:21)(cid:4) If a password checker merely returns the result of whilemask (cid:2)(cid:11) (cid:13)do a match query(cid:5) then the declassi(cid:8)cation could be justi(cid:8)ed iff(cid:2)mask(cid:3)(cid:11)f(cid:2)h(cid:29)mask(cid:3)then knowing that any attempt to exploit the checker in order l(cid:12)(cid:11)ljmask(cid:14) (cid:17) mask (cid:12)(cid:11)mask (cid:11)(cid:16) When we run the algorithm and it terminates with l (cid:14) n(cid:2) we want tobeabletoconcludethath(cid:14)nwithsomeprobability(cid:7) The conditionalprobabilityPr(cid:15)l(cid:14)njh(cid:14)n(cid:16)iswrongforthispurpose(cid:7) If Noticethatthisprogrammightfailtocopyeverybitofhdue Pr(cid:15)l(cid:14)njh(cid:14)n(cid:16)(cid:14)(cid:2)(cid:4)(cid:4)(cid:2)say(cid:2)andwerunthealgorithmforsomevalue toacollisioncausedbyf(cid:4) Butthiswouldbeunlikelyiff is ofhanditterminateswithl(cid:14)n(cid:2)thenthisdoesnotimplyh(cid:14)nwith indeed a one(cid:6)way function(cid:4) Also note that fh makes match probability(cid:2)(cid:4)(cid:4)(cid:7) Thesameargumentappliestoprobabilisticprimality testingalgorithms(cid:15)(cid:10)(cid:16)(cid:7) unnecessary(cid:12) if (cid:11)(cid:7)e(cid:12)L thentheexpression fh (cid:11)f(cid:2)e(cid:3) can(cid:5) practically speaking(cid:5) be usedin place of match(cid:2)e(cid:3)(cid:4) (cid:30) We wish toarguefor thesecurityof anywell(cid:6)typedpro(cid:6) Information Security(cid:4) Lecture Notes in Computer Sci(cid:6) gram c that uses f(cid:4) Now c may have free occurrences of h ence (cid:16)(cid:24) (cid:30)(cid:5) (cid:16) (cid:31)(cid:4) andcancallf accordingtothetypingrulesabove(cid:4) Suppose thatccancopyhintoalowvariable(cid:5)forallk(cid:6)bitvaluesofh(cid:5) (cid:17)(cid:18)(cid:21) J(cid:4)GoguenandJ(cid:4)Meseguer(cid:4) Securitypoliciesandsecu(cid:6) intimet(cid:2)k(cid:3)(cid:4) ByTheorem(cid:18)(cid:4)(cid:16)(cid:5)wecanconstructalowsimu(cid:6) rity models(cid:4) In Proceedings (cid:8)(cid:6)(cid:9)(cid:10) IEEE Symposium on (cid:0) lationc ofcthatdoesthesamethingase(cid:9)ciently(cid:4) Thatis(cid:5) SecurityandPrivacy(cid:5)pages(cid:16)(cid:16)!(cid:19)(cid:13)(cid:5)Oakland(cid:5)CA(cid:5)(cid:16) (cid:31)(cid:19)(cid:4) given only fh and all calls to f that c makes involving only (cid:0) (cid:0) (cid:17)(cid:30)(cid:21) J(cid:4)Gray(cid:5)K(cid:4)Ip(cid:5)andK(cid:4)Lui(cid:4)Provablesecurityforcrypto(cid:6) low variables(cid:5) c canalso copyhint(cid:2)k(cid:3)time(cid:4) Ine(cid:10)ect(cid:5)c is graphic protocols(cid:22)exact analysis and engineering ap(cid:6) analgorithmfor deducinghfromfh usingsomenumber(cid:2)as plications(cid:4) JournalofComputerSecurity(cid:5)(cid:30)(cid:2)(cid:16)(cid:5)(cid:19)(cid:3)(cid:12)(cid:19)(cid:24)!(cid:18)(cid:19)(cid:5) a function of k(cid:3) of calls to f(cid:4) So any lower bound on this (cid:16) (cid:31)(cid:4) problemapplies to copying h with a well(cid:6)typed program(cid:4) Althoughwesuggestabovethatmatchcouldbereplaced(cid:5) (cid:17)(cid:25)(cid:21) P(cid:4) Kocher(cid:4) Timing attacks on implementations of theprecedingargumentdoesnotsubsumeourresultsabout Di(cid:9)e(cid:6)Hellman(cid:5) RSA(cid:5) DSS and other systems(cid:4) In Pro(cid:2) thesecurityofprogramsthataccesshusingmatchonly(cid:4) For ceedings (cid:8)(cid:7)th AnnualCrypto Conference(cid:5) August(cid:16) (cid:30)(cid:4) instance(cid:5)theprecedingargumentaboutf doesnotprovean intractability result for programs limited to accessing h via (cid:17)(cid:31)(cid:21) P(cid:4)Lincoln(cid:5)J(cid:4)Mitchell(cid:5) M(cid:4)Mitchell(cid:5)andA(cid:4)Scedrov(cid:4) A fh(cid:5) as Theorem (cid:24)(cid:4)(cid:16) does for match(cid:4) We have only argued probabilisticpoly(cid:6)timeframeworkforprotocolanalysis(cid:4) that the hardness of copying h using a well(cid:6)typed program InProceedings (cid:11)th ACM Conference on Computer and with references to fh and calls to f rests squarely upon the Communications Security(cid:5) San Francisco(cid:5) CA(cid:5) Novem(cid:6) hardness of inverting f(cid:4) ber (cid:16) (cid:31)(cid:4) Turing reductions have also been used in proving the (cid:17) (cid:21) A(cid:4) Myers(cid:4) J(cid:7)ow(cid:12) Practical mostly(cid:6)static information security of RSA(cid:6)basedsignature schemes (cid:17)(cid:24)(cid:5) (cid:20)(cid:21) and crypto(cid:6) (cid:7)ow control(cid:4) In Proceedings (cid:10)(cid:7)th Symposium on Prin(cid:2) graphicprotocols(cid:17)(cid:30)(cid:5)(cid:31)(cid:21)(cid:4) Againthebasicideaistoprovethat ciples of Programming Languages(cid:5) pages (cid:19)(cid:19)(cid:31)!(cid:19)(cid:20)(cid:16)(cid:5) San thesecurityofaprotocolrestsonthestrengthofitscrypto(cid:6) Antonio(cid:5) TX(cid:5) January (cid:16) (cid:4) graphic primitives(cid:4) Our synchronous concurrency example showsthatifanintrudercanobservethetimingbehaviorof (cid:17)(cid:16)(cid:13)(cid:21) B(cid:4)Schneier(cid:4)AppliedCryptography(cid:4) JohnWiley(cid:29)Sons(cid:5) an implementation of a cryptographic operation(cid:5) then the (cid:16) (cid:30)(cid:4) SecondEdition(cid:4) speci(cid:8)cation of a protocol that uses the operation cannot realistically treatitasprimitive(cid:4) Areductionmaynotexist (cid:17)(cid:16)(cid:16)(cid:21) M(cid:4) Sipser(cid:4) Introduction to the Theory of Computation(cid:4) because of timingobservations(cid:5) as our example shows(cid:4) PWS Publishing Company(cid:5)(cid:16) (cid:25)(cid:4) (cid:17)(cid:16)(cid:19)(cid:21) G(cid:4) Smith and D(cid:4) Volpano(cid:4) Secure information (cid:7)ow in (cid:9) Conclusion a multi(cid:6)threaded imperative language(cid:4) In Proceedings (cid:10)(cid:11)th Symposium on Principles of Programming Lan(cid:2) Our research is aimed at characterizing secrecy in systems guages(cid:5) pages (cid:24)(cid:18)(cid:18)!(cid:24)(cid:30)(cid:20)(cid:5) SanDiego(cid:5) CA(cid:5) January (cid:16) (cid:31)(cid:4) withinherent leaks(cid:5)forexample(cid:5)thosethatuseauthentica(cid:6) tion based on shared secrets(cid:4) Noninterference is too strong (cid:17)(cid:16)(cid:24)(cid:21) D(cid:4)VolpanoandG(cid:4)Smith(cid:4)Eliminatingcovert(cid:7)owswith for such systems(cid:4) Instead(cid:5) we propose a relative secrecy minimumtypings(cid:4) InProceedings(cid:8)(cid:12)thIEEEComputer proof thattakes practical securityparameters (cid:2)e(cid:4)g(cid:4) keysize Security Foundations Workshop(cid:5) pages (cid:16)(cid:18)(cid:30)!(cid:16)(cid:30)(cid:31)(cid:5) June and randomness(cid:3) intoconsideration(cid:4) (cid:16) (cid:25)(cid:4) (cid:17)(cid:16)(cid:20)(cid:21) D(cid:4) Volpano and G(cid:4) Smith(cid:4) Probabilistic noninterfer(cid:6) Acknowledgments ence in a concurrent language(cid:4) Journal of Computer This material is based upon activities supported by the Security(cid:5) (cid:25)(cid:2)(cid:19)(cid:5)(cid:24)(cid:3)(cid:12)(cid:19)(cid:24)(cid:16)!(cid:19)(cid:18)(cid:24)(cid:5) (cid:16) (cid:4) National Science Foundation under Agreement Nos(cid:4) CCR(cid:6) (cid:17)(cid:16)(cid:18)(cid:21) D(cid:4) Volpano(cid:5) G(cid:4) Smith(cid:5) and C(cid:4) Irvine(cid:4) A sound type (cid:30)(cid:16)(cid:19)(cid:16)(cid:25)(cid:30) and CCR(cid:6) (cid:30)(cid:16)(cid:19)(cid:24)(cid:20)(cid:18) (cid:17)sic(cid:21)(cid:4) We are grateful to the system for secure (cid:7)ow analysis(cid:4) Journal of Computer anonymousreferees for helpful comments(cid:4) Security(cid:5) (cid:20)(cid:2)(cid:19)(cid:5)(cid:24)(cid:3)(cid:12)(cid:16)(cid:30)(cid:25)!(cid:16)(cid:31)(cid:25)(cid:5) (cid:16) (cid:30)(cid:4) References (cid:10) Appendix (cid:17)(cid:16)(cid:21) T(cid:4)Baker(cid:5)J(cid:4)Gill(cid:5)andR(cid:4)Solovay(cid:4) Relativizationsofthe The proofs of Theorem (cid:18)(cid:4)(cid:16) and the Simple Security and P(cid:11)(cid:27) NPquestion(cid:4) SIAMJ(cid:4)Computing(cid:5)(cid:20)(cid:2)(cid:20)(cid:3)(cid:12)(cid:20)(cid:24)(cid:16)!(cid:20)(cid:20)(cid:19)(cid:5) Con(cid:8)nement lemmas are complicated a bit by subtyping(cid:4) (cid:16) (cid:25)(cid:18)(cid:4) Assume(cid:5) without loss of generality(cid:5) that all typing deriva(cid:6) (cid:17)(cid:19)(cid:21) P(cid:4) Beauchemin(cid:5) G(cid:4) Brassard(cid:5) C(cid:4) Cr"epeau(cid:5) C(cid:4) Goutier(cid:5) tions end with a single (cid:2)perhaps trivial(cid:3) application of rule and C(cid:4) Pomerance(cid:4) The generation of random num(cid:6) subtype(cid:4) bers that are provably prime(cid:4) Journal of Cryptology(cid:5) Theorem (cid:7)(cid:3)(cid:4) If c is a well(cid:2)typed command with respect to (cid:16)(cid:2)(cid:16)(cid:3)(cid:12)(cid:18)(cid:24)!(cid:30)(cid:20)(cid:5) (cid:16) (cid:31)(cid:31)(cid:4) (cid:11)(cid:3) then there is a low simulation of c with respect to (cid:11)(cid:4) (cid:17)(cid:24)(cid:21) M(cid:4) Bellare and P(cid:4) Rogaway(cid:4) The exact security of dig(cid:6) ital signatures(cid:22)how to sign with RSA and Rabin(cid:4) In Proof(cid:4) The proof is byinductionon thestructure of c(cid:4) Proc(cid:4)Eurocrypt(cid:6)(cid:7)(cid:4)LectureNotesinComputerScience We (cid:8)rst consider the case when (cid:11) (cid:7) c (cid:12) H cmd(cid:4) In this (cid:16)(cid:13)(cid:25)(cid:13)(cid:5) (cid:16) (cid:30)(cid:4) case(cid:5) wecansimplyletthelow simulationof cbeskip(cid:4) For by the Con(cid:8)nementlemmabelow(cid:5) c does not assign to any n (cid:0) (cid:17)(cid:20)(cid:21) M(cid:4)Bellare andP(cid:4)Rogaway(cid:4) Practice(cid:6)orientedprovable variable x for which (cid:11)(cid:2)x(cid:3)(cid:11)Lvar(cid:4) Hence if (cid:2)c(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:3)(cid:5) (cid:0) (cid:0) security(cid:4) In Proc(cid:4) of First International Workshop on then (cid:3)(cid:9)(cid:2)(cid:3)(cid:4) And we have (cid:2)skip(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:3)(cid:5) byrule no(cid:2)op(cid:4) (cid:25) Finally(cid:5)wenotethatn(cid:12)(cid:16)andthatskipisalowcommand Case while e do c(cid:0)(cid:4) As above(cid:5) there is a derivation with respect to (cid:11)(cid:4) of (cid:11) (cid:7) while e do c(cid:0) (cid:12) Lcmd ending with rule while(cid:5) Next we consider the case when (cid:11) (cid:2)(cid:7) c (cid:12) H cmd(cid:4) In this which implies that (cid:11) (cid:7) e (cid:12) L and c(cid:0) is well typed with (cid:0) casewemusthave(cid:11)(cid:7)c(cid:12)Lcmd (cid:2)sinceciswelltypedunder respect to (cid:11)(cid:4) By induction(cid:5) there is a low simulatio(cid:0)n c(cid:0) (cid:11)(cid:3) and the derivation must end with a trivial application of c(cid:0) with respect to (cid:11)(cid:4) We claim that while e do c(cid:0) is a of rule subtype (cid:2)since otherwise we would have (cid:11) (cid:7) c (cid:12) low simulation of while e do c(cid:0) with respect to (cid:11)(cid:4) First(cid:5) H cmd(cid:3)(cid:4) We now consider thepossible forms of c(cid:12) it is a low command under (cid:11)(cid:5) since (cid:2)by the Simple Secu(cid:6) Caseskip(cid:4) Since(cid:11) (cid:7)skip(cid:12)H cmd(cid:5)thiscasehasalready rity lemma(cid:3) (cid:11)(cid:2)x(cid:3) (cid:11) Lvar for every free identi(cid:8)er x in e(cid:4) been handled(cid:4) Next(cid:5) suppose (cid:3) is a memory with dom(cid:2)(cid:3)(cid:3) (cid:11) dom(cid:2)(cid:11)(cid:3) and n (cid:0) Case x(cid:12)(cid:11)e(cid:4) By the discussion above(cid:5) there is a deriva(cid:6) (cid:2)while e do c(cid:0)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:3)(cid:4) Then byLemma (cid:4)(cid:16)(cid:5) there ex(cid:6) (cid:0) (cid:0) m (cid:0) (cid:0) (cid:0) tion of (cid:11) (cid:7)x(cid:12)(cid:11)e(cid:12)Lcmd that ends with an application of ist(cid:12) andmsuchthat(cid:2)while e do c(cid:0)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:12) (cid:5)(cid:3)(cid:9)(cid:2)(cid:12) (cid:5) rule assign(cid:4) This implies that (cid:11)(cid:2)x(cid:3)(cid:11)Lvar and (cid:11) (cid:7)e(cid:12)L(cid:4) andm(cid:10)n(cid:4) So(cid:5) by the Simple Security lemma below(cid:5) (cid:11)(cid:2)y(cid:3) (cid:11) Lvar for (cid:0) every identi(cid:8)er y free in e(cid:4) Therefore x (cid:12)(cid:11) e is itself a low Lemma (cid:8)(cid:3)(cid:4) Suppose that c is a low simulation of c with command relative to (cid:11)(cid:5) and x (cid:12)(cid:11) e is thus (cid:2)trivially(cid:3) a low respect to(cid:11)(cid:3)ciswelltnyped(cid:0) under (cid:11)(cid:3)dom(cid:2)(cid:3)(cid:3)(cid:11)(cid:0)dom(cid:2)(cid:11)(cid:3)(cid:3)and simulation of itself(cid:4) (cid:2)while e do c(cid:4)(cid:3)(cid:3)(cid:3)(cid:0)(cid:4) (cid:3)(cid:4)mThe(cid:0)n t(cid:0)here (cid:0)exist (cid:12) and m such Case if e then c(cid:0) else c(cid:2)(cid:4) Again by the discussion that (cid:2)while e do c(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:12) (cid:3) (cid:3)(cid:9)(cid:2)(cid:12) (cid:3) and m(cid:10)n(cid:4) above(cid:5) there is a derivation of (cid:11) (cid:7) if e then c(cid:0) else c(cid:2) (cid:12) Lcmd that ends with an application of rule if(cid:4) Hence Proof(cid:4) By inductionon n(cid:4) (cid:0) (cid:11)(cid:11)(cid:4)(cid:7)Teh(cid:12)enLbaynidndbuocthtiocn(cid:0)tahnedrece(cid:2)xaisrtecwoemllmtyapneddscw(cid:0)(cid:0)itahndrecs(cid:0)(cid:2)pwechtictho So (cid:2)Iwfnh(cid:11)ile(cid:16)ethdeon(cid:5)cb(cid:0)(cid:4)y(cid:3)t(cid:3)h(cid:3)e(cid:4)(cid:8)rs(cid:3)tlboyotpheru(cid:8)ler(cid:5)st(cid:3)l(cid:2)eo(cid:3)o(cid:11)p(cid:13)rualne(cid:4)d(cid:3) (cid:11)(cid:3)(cid:4) are low simulations of c(cid:0) and c(cid:2)(cid:5) respectively(cid:5) with respect Suppose n(cid:6)(cid:16)(cid:4) Then bythe second loop rule(cid:5) we have (cid:0) (cid:0) to(cid:11)(cid:4) Weclaimthatif e then c(cid:0) else c(cid:2)isalowsimulation n(cid:2)(cid:0) (cid:0) (cid:2)while e do c(cid:4)(cid:3)(cid:3)(cid:3)(cid:4)(cid:2)c(cid:14)while e do c(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:3)(cid:7) of if e then c(cid:0) else c(cid:2) with respect to (cid:11)(cid:4) First(cid:5) note that it is a low commandunder(cid:11)(cid:5) since(cid:2)bytheSimpleSecurity (cid:0)(cid:0) k (cid:0)(cid:0) ByLemma (cid:4)(cid:20)(cid:5)thereisa(cid:3) andksuchthat(cid:2)c(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:3) (cid:5) lemma(cid:3) (cid:11)(cid:2)x(cid:3)(cid:11)Lvar for every free identi(cid:8)er x in e(cid:4) Next(cid:5) (cid:0)(cid:0) n(cid:2)(cid:0)(cid:2)k (cid:0) suppose that (cid:3) is a memory such that dom(cid:2)(cid:3)(cid:3) (cid:11) dom(cid:2)(cid:11)(cid:3) (cid:2)w(cid:0) hile e do c(cid:4)(cid:3) (cid:3) (cid:3)(cid:4) (cid:3)(cid:5) and (cid:13)(cid:2)k (cid:2)(cid:0)(cid:0)n(cid:3)(cid:16)(cid:4) Since n (cid:0) c isalowsimulationofc(cid:5)thereisamemory(cid:12) andintegeri and (cid:2)if e then c(cid:0) else c(cid:2)(cid:4)(cid:3)(cid:3) (cid:3)(cid:4) (cid:3)(cid:4) Then if (cid:3)(cid:2)e(cid:3) (cid:2)(cid:11) (cid:13)(cid:5) (cid:0) i (cid:0)(cid:0) (cid:0)(cid:0) (cid:0)(cid:0) suchthat(cid:2)c(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:12) (cid:5)(cid:3) (cid:9)(cid:2)(cid:12) andi(cid:10)k(cid:4) Andbyinduc(cid:6) the evaluation has the form (cid:0) (cid:0) (cid:0)(cid:0) j n(cid:2)(cid:0) (cid:0) ti(cid:0)on(cid:5)(cid:0)there(cid:0) is a (cid:12) andj such that(cid:2)while e do c(cid:4)(cid:3) (cid:3)(cid:3)(cid:4) (cid:2)if e then c(cid:0) else c(cid:2)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4)(cid:2)c(cid:0)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:3)(cid:7) (cid:12) (cid:5) (cid:3)(cid:9)(cid:2)(cid:12) andj (cid:10)n(cid:3)(cid:16)(cid:3)k(cid:4) (cid:0) Now c is well typed under (cid:11) and(cid:0)t(cid:0)herefore h is not as(cid:6) Therefore(cid:5)(cid:0)(cid:0)since c(cid:0) is a low simulation of c(cid:0)(cid:0)(cid:5) there exmists(cid:0)(cid:0)a si(cid:0)gnedtoincbecause(cid:11)(cid:2)h(cid:0)(cid:0)(cid:3)(cid:11)H(cid:4) So(cid:3) (cid:2)h(cid:3)(cid:11)(cid:3)(cid:0)(cid:0)(cid:2)h(cid:3)(cid:4) Fur(cid:0)t(cid:0)her(cid:5) m(cid:3)(cid:0)e(cid:9)m(cid:2)o(cid:3)r(cid:0)y(cid:0) a(cid:3)ndamnd(cid:10)ann(cid:3)in(cid:16)t(cid:4)egTehremrefosruec(cid:5)hbythrautle(cid:2)cb(cid:0)r(cid:4)a(cid:3)n(cid:3)c(cid:3)h(cid:4)(cid:5) (cid:3) (cid:5) cSinisceal(cid:3)o(cid:0)w(cid:0)(cid:9)c(cid:2)o(cid:12)m(cid:0)(cid:0)m(cid:5) (cid:3)an(cid:0)(cid:0)d(cid:2)h(cid:5)(cid:3)so(cid:11)(cid:12)(cid:12)(cid:2)(cid:0)h(cid:0)(cid:2)(cid:3)h(cid:11)(cid:3)(cid:5) (cid:3)an(cid:2)hd(cid:3)(cid:4)wHheilnecee(cid:3)do(cid:2)hc(cid:3)(cid:0)(cid:11)is(cid:12)a(cid:2)lhow(cid:3)(cid:4) (cid:0) (cid:0) (cid:0) m (cid:0)(cid:0) command(cid:5) we have (cid:2)while e do c(cid:0)(cid:4)(cid:12)(cid:0)(cid:0)(cid:3) (cid:3)(cid:4)j (cid:12)(cid:0)(cid:4) Therefore (cid:2)if e then c(cid:0) else c(cid:2)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4)(cid:2)c(cid:0)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:3) (cid:7) byLemma (cid:4)(cid:18)(cid:5) And m(cid:15)(cid:16)(cid:10)n(cid:4) The argument is similar in the case when (cid:0) (cid:0) i(cid:8)j (cid:0) (cid:3)(cid:2)e(cid:3)(cid:11)(cid:13)(cid:4) (cid:2)c(cid:14)while e do c(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:12) (cid:7) Case c(cid:0)(cid:14)c(cid:2)(cid:4) Asabove(cid:5)thereisaderivationof(cid:11) (cid:7)c(cid:0)(cid:14)c(cid:2) (cid:12) Lcmd that ends with an application of rule compose(cid:5) im(cid:6) Andbythe secondloop rule plying that c(cid:0) and c(cid:2) are well typed under (cid:11)(cid:4) So by in(cid:6) (cid:0) (cid:0) (cid:0) (cid:0) (cid:0) (cid:2)while e do c(cid:4)(cid:3)(cid:3)(cid:3)(cid:4)(cid:2)c(cid:14)while e do c(cid:4)(cid:3)(cid:3)(cid:7) ductionthereexistcommandsc(cid:0) andc(cid:2) whichare low sim(cid:6) ulations of c(cid:0) and c(cid:2)(cid:5) respectively(cid:5) with respect to (cid:11)(cid:4) We (cid:0) i(cid:8)j(cid:8)(cid:0) (cid:0) (cid:0) (cid:0) Therefore(cid:5) (cid:2)while e do c(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:12) (cid:4) And i(cid:15)j(cid:15)(cid:16)(cid:10) claim that c(cid:0)(cid:14)c(cid:2) is a low simulation of c(cid:0)(cid:14)c(cid:2) under (cid:11)(cid:4) For k(cid:15)(cid:2)n(cid:3)(cid:16)(cid:3)k(cid:3)(cid:15)(cid:16)(cid:11)n(cid:4) suppose that (cid:3) is a memory with dom(cid:2)(cid:3)(cid:3) (cid:11) dom(cid:2)(cid:11)(cid:3) and n (cid:0) (cid:0)(cid:0) (cid:2)c(cid:0)(cid:14)c(cid:2)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:3)(cid:4) ByLemma (cid:4)(cid:20)(cid:5)thereexistkand(cid:3) such k (cid:0)(cid:0) (cid:0)(cid:0) n(cid:2)k (cid:0) Lemma (cid:8)(cid:3)(cid:5) (cid:9)Simple Security(cid:10) If (cid:11) (cid:7)e (cid:12)L then (cid:11)(cid:2)x(cid:3)(cid:11) that (cid:13) (cid:0)(cid:2) k (cid:2) n(cid:5) (cid:2)c(cid:0)(cid:4)(cid:3)(cid:3) (cid:3)(cid:4) (cid:3) (cid:5) and (cid:2)c(cid:2)(cid:4)(cid:3) (cid:3) (cid:3)(cid:4)(cid:0)(cid:0) (cid:3)(cid:4) Lvar(cid:3) for every free identi(cid:5)er x in e(cid:4) Since c(cid:0) is a(cid:0) low simmula(cid:0)(cid:0)tion(cid:0)(cid:0)of c(cid:0)(cid:0)(cid:0)(cid:5) there exist (cid:12) and m su(cid:0)ch that (cid:2)c(cid:0)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:12) (cid:5) (cid:3) (cid:9)(cid:2)(cid:12) (cid:5) and m(cid:0) (cid:10)k(cid:4) And since Proof(cid:4) Byinductiononthestructureofe(cid:4) SinceH (cid:2)(cid:8)L(cid:5)the c(cid:2)(cid:0)is a(cid:0)(cid:0) low sjim(cid:0)ulat(cid:0)ion o(cid:0)f c(cid:2)(cid:5) there exist (cid:12) and j such that derivationof(cid:11) (cid:7)e(cid:12)Lendswithatrivialapplicationofrule (cid:2)c(cid:2)(cid:4)(cid:3) (cid:3)(cid:3)(cid:4) (cid:12) (cid:5) (cid:3)(cid:9)(cid:2)(cid:12) (cid:5) andj (cid:10)n(cid:3)k(cid:4) subtype(cid:4) Now c(cid:0) is well typed under (cid:11) and therefore h is not assigned to in c(cid:0) because (cid:11)(cid:2)h(cid:3) (cid:11) H (cid:2)i(cid:4)e(cid:4) h is not a vari(cid:6) (cid:16)(cid:4) Case n(cid:4) The lemmaholds vacuously(cid:4) (cid:0)(cid:0) (cid:0) able(cid:3)(cid:0)(cid:0)(cid:4) So (cid:3) (cid:2)h(cid:3) (cid:11) (cid:3)(cid:2)h(cid:3)(cid:4) F(cid:0)(cid:0)urther(cid:5) c(cid:0)(cid:0)(cid:0) is a low com(cid:0)(cid:0)mand(cid:0)(cid:0)(cid:5) (cid:19)(cid:4) Case x(cid:4) By rulerule r(cid:2)val(cid:5) (cid:11)(cid:2)x(cid:3)(cid:11)Lvar(cid:4) so (cid:12) (cid:2)h(cid:3) (cid:11) (cid:3)(cid:2)h(cid:3)(cid:4) Hence (cid:3) (cid:2)h(cid:3) (cid:11) (cid:12) (cid:2)h(cid:3)(cid:4) Since (cid:3) (cid:9)(cid:2)(cid:12) (cid:5) (cid:0)(cid:0) (cid:0)(cid:0) (cid:0) (cid:3) (cid:2)h(cid:3)(cid:11)(cid:12) (cid:2)h(cid:3)(cid:5) and c(cid:2) is a low command(cid:5)we have (cid:24)(cid:4) Case match(cid:2)e(cid:3)(cid:4) By rule query(cid:5) we have (cid:11) (cid:7)e(cid:12)L(cid:4) By (cid:0) (cid:0)(cid:0) j (cid:0)(cid:7) induction(cid:5)(cid:11)(cid:2)x(cid:3)(cid:11)Lvar for everyfree identi(cid:8)erxine(cid:4) (cid:2)c(cid:2)(cid:4)(cid:12) (cid:3)(cid:3)(cid:4) (cid:12) (cid:7) (cid:0) (cid:0) m(cid:8)j (cid:0) (cid:20)(cid:4) Case e(cid:0) (cid:11) e(cid:2)(cid:4) By rule eq(cid:5) (cid:11) (cid:7) e(cid:0) (cid:12) L and (cid:11) (cid:7) e(cid:2) (cid:12) L(cid:4) Therefore(cid:5) by Lemma (cid:4)(cid:18)(cid:5) (cid:2)c(cid:0)(cid:14)c(cid:2)(cid:4)(cid:3)(cid:3) (cid:3)(cid:4) (cid:12) (cid:4) And m(cid:15) By induction(cid:5) (cid:11)(cid:2)x(cid:3) (cid:11) Lvar for every free identi(cid:8)er x j (cid:10)k(cid:15)n(cid:3)k(cid:11)n(cid:4) in e(cid:0) and e(cid:2)(cid:4) The other binary operators are handled (cid:11)Note thatthisconclusiondoes not follow simplyfrom thefacts similarly(cid:4) (cid:2) (cid:2)(cid:2) j (cid:2) (cid:2)(cid:2) (cid:2)(cid:2) (cid:2) that (cid:17)c(cid:2)(cid:3)(cid:4) (cid:18) (cid:2)(cid:3) (cid:5) and (cid:4) (cid:4)(cid:2)(cid:5) (cid:2) because c(cid:2) may contain match queries(cid:7) (cid:31) Notice here a departure from our earlier work(cid:4) We can (cid:0) (cid:0) (cid:0) have (cid:11) (cid:7) e (cid:12) L and (cid:3)(cid:9)(cid:2)(cid:3) yet (cid:3)(cid:2)e(cid:3) (cid:2)(cid:11) (cid:3)(cid:2)e(cid:3)(cid:5) if (cid:3) and (cid:3) disagree on the value of h(cid:4) This fact breaks some forms of Noninterference introduced in our earlier work(cid:5) speci(cid:8)cally (cid:17)(cid:16)(cid:19)(cid:5)(cid:16)(cid:24)(cid:5)(cid:16)(cid:20)(cid:21)(cid:4) Theseformsareessentiallybisimulationswhich are sensitive toany di(cid:10)erencein thevalue of h(cid:4) Lemma (cid:8)(cid:3)(cid:2) (cid:9)Con(cid:6)nement(cid:10) If (cid:11) (cid:7) c (cid:12) H cmd(cid:3) then we have (cid:11)(cid:2)x(cid:3)(cid:11)H var(cid:3) for every variable x assigned to in c(cid:4) Proof(cid:4) By induction on the structure of c(cid:4) Since Lcmd (cid:2)(cid:8) H cmd(cid:5) the derivation of (cid:11) (cid:7)c(cid:12)H cmd ends with a trivial application of rulesubtype(cid:4) (cid:16)(cid:4) Case skip(cid:4) The lemmaholds vacuously(cid:4) (cid:19)(cid:4) Case x(cid:12)(cid:11)e(cid:4) Byrule assign(cid:5)(cid:11)(cid:2)x(cid:3)(cid:11)H var(cid:4) (cid:24)(cid:4) Case c(cid:0)(cid:14)c(cid:2)(cid:4) Byrule compose(cid:5)wehave(cid:11) (cid:7)c(cid:0) (cid:12)H cmd and (cid:11) (cid:7) c(cid:2) (cid:12) H cmd(cid:4) By induction(cid:5) we have (cid:11)(cid:2)x(cid:3) (cid:11) H var for every variable xassigned to in c(cid:0) andin c(cid:2)(cid:4) (cid:20)(cid:4) Case if e then c(cid:0) else c(cid:2)(cid:4) Byruleif(cid:5)wehave(cid:11)(cid:7)c(cid:0) (cid:12) H cmd and (cid:11) (cid:7) c(cid:2) (cid:12) H cmd(cid:4) By induction(cid:5) we have (cid:11)(cid:2)x(cid:3)(cid:11)H var foreveryvariablexassignedtoinc(cid:0) and in c(cid:2)(cid:4) (cid:18)(cid:4) Case while e do c(cid:4) By rule while(cid:5) we have (cid:11) (cid:7) c (cid:12) H cmd(cid:4) Byinduction(cid:5)wehave(cid:11)(cid:2)x(cid:3)(cid:11)H var forevery variable x assigned to in c(cid:4) The next two lemmas treat the behavior of sequential composition(cid:12) j (cid:0) (cid:0)(cid:0) Lemma (cid:8)(cid:3)(cid:11) If(cid:2)c(cid:0)(cid:14)c(cid:2)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:3)(cid:3)thenthereexistkand(cid:3) k (cid:0)(cid:0) (cid:0)(cid:0) j(cid:2)k (cid:0) such that (cid:13)(cid:2)k(cid:2)j(cid:3) (cid:2)c(cid:0)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:3) and (cid:2)c(cid:2)(cid:4)(cid:3) (cid:3)(cid:3)(cid:4) (cid:3)(cid:4) Proof(cid:4) By induction on j(cid:4) If the derivation begins with an (cid:0)(cid:0) application of the (cid:8)rst sequence rule(cid:5) then thereexists (cid:3) (cid:0)(cid:0) (cid:0)(cid:0) j(cid:2)(cid:0) such that (cid:2)c(cid:0)(cid:4)(cid:3)(cid:3) (cid:3)(cid:4) (cid:3) and (cid:2)c(cid:0)(cid:14)c(cid:2)(cid:4)(cid:3)(cid:3) (cid:3)(cid:4) (cid:2)c(cid:2)(cid:4)(cid:3) (cid:3) (cid:3)(cid:4) (cid:0) (cid:3)(cid:4) So we can let k (cid:11) (cid:16)(cid:4) And(cid:5) since j (cid:3)(cid:16) (cid:12) (cid:16)(cid:5) we have k(cid:2)j(cid:4) If the derivation begins with an application of the sec(cid:6) (cid:0) ond sequenc(cid:0)e rule(cid:5) then there exists c(cid:0)(cid:0) and (cid:3)(cid:0) sucjh(cid:2)(cid:0)tha(cid:0)t (cid:2)c(cid:0)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4)(cid:2)c(cid:0)(cid:4)(cid:3)(cid:0)(cid:3) and (cid:2)c(cid:0)(cid:14)c(cid:2)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4)(cid:0)(cid:0)(cid:2)c(cid:0)(cid:14)c(cid:2)(cid:4)(cid:3)(cid:0)(cid:3)(cid:3)(cid:4) (cid:3)(cid:4) By induction(cid:5) there exists k and (cid:3) such that (cid:13) (cid:2) k (cid:2) (cid:0) k (cid:0)(cid:0) (cid:0)(cid:0) j(cid:2)(cid:0)(cid:2)k (cid:0) j (cid:3)(cid:16)(cid:5) (cid:2)c(cid:0)(cid:4)(cid:3)(cid:0)(cid:3) (cid:3)(cid:4) (cid:3) (cid:5) and (cid:2)c(cid:2)(cid:4)(cid:3) (cid:3) (cid:3)(cid:4) (cid:3)(cid:4) Hence k(cid:8)(cid:0) (cid:0)(cid:0) (cid:0)(cid:0) j(cid:2)(cid:9)k(cid:8)(cid:0)(cid:10) (cid:0) (cid:2)c(cid:0)(cid:4)(cid:3)(cid:3) (cid:3)(cid:4) (cid:3) and (cid:2)c(cid:2)(cid:4)(cid:3) (cid:3) (cid:3)(cid:4) (cid:3)(cid:4) And (cid:13) (cid:2) k(cid:15)(cid:16)(cid:2)j(cid:4) j (cid:0) (cid:0) k (cid:0)(cid:0) Lemma (cid:8)(cid:3)(cid:7) If (cid:2)c(cid:0)(cid:4)(cid:3)(cid:3) (cid:3)(cid:4) (cid:3) and (cid:2)c(cid:2)(cid:4)(cid:3)(cid:3) (cid:3)(cid:4) (cid:3) (cid:3) then j(cid:8)k (cid:0)(cid:0) (cid:2)c(cid:0)(cid:14)c(cid:2)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:3) (cid:4) Proof(cid:4) By induction on j(cid:4) If j (cid:11) (cid:16) then by the (cid:8)rst (cid:0) k (cid:0)(cid:0) sequence rule(cid:5) (cid:2)c(cid:0)(cid:14)c(cid:2)(cid:4)(cid:3)(cid:3) (cid:3)(cid:4) (cid:2)c(cid:2)(cid:4)(cid:3)(cid:3) (cid:3)(cid:4) (cid:3) (cid:4) Hence (cid:0)(cid:8)k (cid:0)(cid:0) (cid:2)c(cid:0)(cid:14)c(cid:2)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:3) (cid:4) (cid:0) If j (cid:6)(cid:16) thenthere exist c(cid:0) and (cid:3)(cid:0) suchthat (cid:2)c(cid:0)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:0) j(cid:2)(cid:0) (cid:0) (cid:0) j(cid:2)(cid:0)(cid:8)k (cid:2)c(cid:0)(cid:0)(cid:0)(cid:4)(cid:3)(cid:0)(cid:3) (cid:3)(cid:4) (cid:3)(cid:4) By induction(cid:5) (cid:2)c(cid:0)(cid:14)c(cid:2)(cid:4)(cid:3)(cid:0)(cid:3) (cid:3)(cid:4) (cid:3) (cid:4) And(cid:5) by the second sequence rule(cid:5) (cid:2)c(cid:0)(cid:14)c(cid:2)(cid:4)(cid:3)(cid:3) (cid:3)(cid:4) (cid:0) j(cid:8)k (cid:0)(cid:0) (cid:2)c(cid:0)(cid:14)c(cid:2)(cid:4)(cid:3)(cid:0)(cid:3)(cid:4) Hence (cid:2)c(cid:0)(cid:14)c(cid:2)(cid:4)(cid:3)(cid:3)(cid:3)(cid:4) (cid:3) (cid:4)

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.