Formal and Computational Cryptography: Protocols, Hashes and Commitments

Cover: Zimmermann Telegram, written by German Foreign Secretary Arthur Zim-mermann, is an encrypted message sent to Mexico, proposing a military alliance against the United States. It was intercepted and decrypted by British cryptographers. The telegram inflamed American public opinion and draw the United States to declare war against Germany in 1917. The bookmarker contains the telegram as partially decrypted by the British cryptographers of Room 40. The work in this thesis has been carried out under the auspices of the research school IPA (Institute for Programming research and Algorithmics). Een wetenschappelijke proeve op het gebied van de Natuurwetenschappen, Wiskunde en Informatica. Proefschrift ter verkrijging van de graad van doctor aan de Radboud Universiteit Nijmegen op gezag van de rector magnificus, prof. mr. Summary In modern society we are surrounded by distributed systems. Most electronic devices that are currently on the market have some networking capability or are able to communicate with each other. Communication over shared media is inherently insecure. Therefore, proper design of security protocols is of primary concern. The design and analysis of security protocols is a challenging task. Several protocols have been proposed in the literature which later were found to be flawed. This is a consequence of the intrinsic complexity associated with the presence of a malicious adversary. The traditional complexity-theoretical adversarial model is realistic but complex. As a consequence of this, designing and analyzing protocols in this model is error prone. The Dolev-Yao model refers to the attacker model in which an adversary has complete control over the communication media. In this model, the adversary is not bounded in running time but is completely unable to break any cryptographic primitive. This model is satisfactory as it provides a good level of abstraction. Proofs are simpler than the complexity-theoretical ones, and therefore less error prone, still capturing most common mistakes in the design of security protocols. This thesis addresses the problem of secure protocol design from both formal and computational perspectives and also studies the relation among them. We present four original contributions: • We present a decentralized digital currency for peer-to-peer and grid applications that is able to detect double-spending of the coins and other types of fraud. • We develop a formal framework for the analysis of anonymizing protocols in terms of epistemic logic. We illustrate our approach by proving sender anonymity and unlinkability of some well-known anonymizing protocols. • We relate the Dolev-Yao …