Modelling and verification of post-quantum key encapsulation mechanisms using Maude

Abstract

Communication and information technologies shape the world's systems of today, and those systems shape our society. The security of those systems relies on mathematical problems that are hard to solve for classical computers, that is, the available current computers. Recent advances in quantum computing threaten the security of our systems and the communications we use. In order to face this threat, multiple solutions and protocols have been proposed in the Post-Quantum Cryptography project carried on by the National Institute of Standards and Technologies. The presented work focuses on defining a formal framework in Maude for the security analysis of different post-quantum key encapsulation mechanisms under assumptions given under the Dolev-Yao model. Through the use of our framework, we construct a symbolic model to represent the behaviour of each of the participants of the protocol in a network. We then conduct reachability analysis and find a man-in-the-middle attack in each of them and a design vulnerability in Bit Flipping Key Encapsulation. For both cases, we provide some insights on possible solutions. Then, we use the Maude Linear Temporal Logic model checker to extend the analysis of the symbolic system regarding security, liveness and fairness properties. Liveness and fairness properties hold while the security property does not due to the man-in-the-middle attack and the design vulnerability in Bit Flipping Key Encapsulation.

Keywords: Formal verification; Key encapsulation mechanisms; Maude; Post-quantum protocols; Rewriting logic.

Figure 1. Network diagram of a simplified Needham–Schroeder protocol version.

Figure 2. Subtype relation between defined Key, PubKey and SecKey types.

Figure 3. Definition of operators for participants and messages in our model of the simplified NSPK.

Figure 4. Definition in Maude of a set operator for participants with associative and commutative properties and empty as the identity element.

Figure 5. Definition of the system state for the NSPK protocol.

Figure 6. Rules regarding the capabilities of the honest participants as defined by the simplified version of the NSPK protocol.

Figure 7. Rules regarding the capabilities of the intruder as defined by the simplified version of the NSPK protocol.

Figure 8. Output of a search command to examine the execution paths for states where two participants have applied the NSPK protocol, and thus share their respective secret values.

Figure 9. Output of a search command to examine the execution paths for a MITM attack in the NSPK protocol symbolic specification.

Figure 10. Code of a functional module that implements the factorial in Maude.

Figure 11. Execution of two factorial expressions with the reduce command.

Figure 12. High-level view of the behaviour of a key exchange of a KEM between two honest participants, i.e., Alice and Bob.

Figure 13. Algorithms of Kyber Key Encapsulation Mechanism adapted from Avanzi et al. (2019).

Figure 14. Internal algorithms of the Kyber Key Encapsulation Mechanism adapted from Avanzi et al. (2019).

Figure 15. Algorithms implementing the three main steps of the KEM BIKE, adapted from Aragon et al. (2017).

Figure 16. Algorithms of McEliece adapted from Chou et al. (2022).

Figure 17. Structure of our framework in modules with relations of inclusion between them.

Figure 18. Definition of a participant at the network in MODEL-CONFIGURATION.

Figure 19. Definition of components to link three notions of keys with a participant.

Figure 20. Definition of the message operator for our symbolic model.

Figure 21. Definition of the syntax to represent the global state of our system.

Figure 22. Example of initial state definition for KYBER.

Figure 23. General definition of conditional rule KeyGen in our framework.

Figure 24. Definition of rules SendPK and ReceivePK to send and receive a public key in our framework.

Figure 25. Definition of conditional rule Enc in our framwork.

Figure 26. Definition of rules SendCiph and ReceiveCiph to send and receive a ciphertext in our framework.

Figure 27. Definition of conditional rule Dec in our system module KYBER.

Figure 28. Definition of conditional rule Intercept1 in our system module KYBER.

Figure 29. Definition of conditional rule Intercept2 in our system module KYBER.

Figure 30. Conditions of rule KeyGen in the symbolic model of Kyber.

Figure 31. Conditions of rule Enc in the symbolic model of Kyber.

Figure 32. Conditions of rule Dec in the symbolic model of Kyber.

Figure 33. Conditions of rule KeyGen in the symbolic model of BIKE.

Figure 34. Conditions of Enc in the symbolic model of BIKE.

Figure 35. Conditions of rule Dec in the symbolic model of BIKE.

Figure 36. Conditions of rule KeyGen in the symbolic model of Classic McEliece.

Figure 37. Conditions of rule Enc in the symbolic model of Classic McEliece.

Figure 38. Conditions of rule Dec in the symbolic model of Classic McEliece.

Figure 39. New capabilities an intruder might use to learn certain values in BIKE without following the scheme.

Figure 40. Definition template of an initial state for any of our system modules representing a KEM.

Figure 41. Command template for a key agreement session of any KEMs of our framework in Maude.

Figure 42. Command template to search for a man-in-the-middle attack of any KEMs of our framework in Maude.

Figure 43. Diagram depicting a possible step trace that led to the MITM attack of a KEM regarding our symbolic model.

Figure 44. Diagram depicting a step trace in the BIKE symbolic model leading to the leakage of critical information.

Figure 45. wantsToShareKey predicate definition in module KEM-PREDS.

Figure 46. sharedAKeyWith predicate definition in module KEM-PREDS.

Figure 47. stolenSharedKey predicate definition in module KEM-PREDS.