269 research outputs found

    Runtime Monitoring of Metric First-order Temporal Properties

    We introduce a novel approach to the runtime monitoring of complex system properties. In particular, we present an online algorithm for a safety fragment of metric first-order temporal logic that is considerably more expressive than the logics supported by prior monitoring methods. Our approach, based on automatic structures, allows the unrestricted use of negation, universal and existential quantification over infinite domains, and the arbitrary nesting of both past and bounded future operators. Moreover, we show how to optimize our approach for the common case where structures consist of only finite relations, over possibly infinite domains. Under an additional restriction, we prove that the space consumed by our monitor is polynomially bounded by the cardinality of the data appearing in the processed prefix of the temporal structure being monitored.

    Sequential Iteration of Interactive Arguments and an Efficient Zero-Knowledge Argument for NP

    We study the behavior of interactive arguments under sequential iteration, in particular how this affects the error probability. This problem turns out to be more complex than one might expect from the fact that for interactive proofs, the error trivially decreases exponentially in the number of iterations. In particular, we study the typical efficient case where the iterated protocol is based on a single instance of a computational problem. This is not a special case of independent iterations of an entire protocol, and real exponential decrease of the error cannot be expected, but nevertheless, for practical applications, one needs concrete relations between the complexity and error probability of the underlying problem and that of the iterated protocol. We show how this problem can be formalized and solved using the theory of proofs of knowledge. We also prove that in the non-uniform model of complexity the error probability of independent iterations of an argument does indeed decrease exponentially; to our knowledge this is the first result about a strictly exponentially small error probability in a computational cryptographic security property. As an illustration of our first result, we present a very efficient zero-knowledge argument for circuit satisfiability, and thus for any NP problem, based on any collision-intractable hash function. Our theory applies to show the soundness of this protocol. Using an efficient hash function such as SHA-1, the protocol can handle about 20000 binary gates per second at an error level of 2^−50. Keywords -- Interactive proofs, arguments, proofs of knowledge, computational security, efficient general primitives, multi-bit commitment, statistical zero-knowledge

    Statistical Secrecy and Multi-Bit Commitments

    We present and compare definitions of the notion of "statistically hiding" protocols, and we propose a novel statistically hiding commitment scheme. Informally, a protocol statistically hides a secret if a computationally unlimited adversary who conducts the protocol with the owner of the secret learns almost nothing about it. One definition is based on the L1-norm distance between probability distributions, the other on information theory. We prove that the two definitions are essentially equivalent. For completeness, we also show that statistical counterparts of definitions of computational secrecy are essentially equivalent to our main definitions. Commitment schemes are an important cryptologic primitive. Their purpose is to commit one party to a certain value, while hiding this value from the other party until some later time. We present a statistically hiding commitment scheme allowing commitment to many bits. The commitment and reveal protocols of this scheme are constant round, and the size of a commitment is independent of the number of bits committed to. This also holds for the total communication complexity, except of course for the bits needed to send the secret when it is revealed. The proof of the hiding property exploits the equivalence of the two definitions. Index terms -- Cryptology, Shannon theory, unconditional security, statistically hiding, multi-bit commitment, similarity of ensembles of distributions, zero-knowledge, protocols.

    Composable Security Analysis of OS Services

    We provide an analytical framework for analyzing basic integrity properties of file systems, namely the binding of files to filenames and writing capabilities. A salient feature of our modeling and analysis is that it is *composable*: In spite of the fact that we analyze the file system in isolation, security is guaranteed even when the file system operates as a component within an arbitrary, and potentially adversarial, system. Such secure composability properties seem essential when trying to assert the security of large systems. Our results are obtained by adapting the *Universally Composable* (UC) security framework to the analysis of software systems. Originally developed for cryptographic protocols, the UC framework allows the analysis of simple components in isolation, and provides assurance that these components maintain their behavior when combined in a large system, potentially under adversarial conditions.