5

I've recently found some work on the use of formal verification software, like ProVerif, for enclaves. I wonder if it's feasible to have something similar for MPC and Homomorphic Encryption and their applications?

I always thought there were limitations in adopting simulation-based proofs and Universal Composability, in general, in formal verification, but as of late I'm thinking there must be more powerful reasons.

DaWNFoRCe

1 Answer

2

I think the area of formal verification for simulation-based security (multiparty computation as an example) is still nascent.

The main difficulty of simulation-based security is the higher-order existential quantifier for an algorithm, i.e., the so-called simulator ([SP'21] SoK: Computer-Aided Cryptography).

Even when the simulator is given, the task is still difficult. The remaining task is to look for the game hopping sequence between the security game for the original protocol ("the real world") and the game for the simulator ("the ideal world"). This game hopping is still hard for formal tools. I think the reasons are different for specific cryptographic mechanisms.

  • for MPC, the arithmetic computation is inherent, which is very difficult to deal with for the tools based on the Dolev-Yao model like ProVerif. (Thanks to Vincent Cheval, who helped me confirm this point.) Recently, we developed an automatic verification tool, [SP'24] GAuV, but we only permit a small number of carefully crafted rewriting rules.
  • for UC security, the control flow can be very complicated and may drastically change during a game hop, which makes the hopping very difficult to analyze or synthesize. The complexity comes from the flexibility of the UC definition itself: the environment can invoke protocols, block or deliver messages, and corrupt parties. Thus, the control flow explodes. (Thanks to Manuel Barbosa, who explained this intricacy to me.) See [CSF'19] EasyUC and [CCS'21] for details.
  • for ZKP, it's out of my current knowledge. I'd be happy if someone could contribute the reason here or deny the difficulty for ZKP.
namasikanam
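Added illustration (not part of the answer above, and not code from any of the cited tools) of the object the answer's existential quantifier ranges over: a constructed three-party secure-sum protocol over the toy field Z_5 with party 0 semi-honestly corrupted, a hand-written simulator that must rebuild party 0's view from its input and the output alone, and an exhaustive computation of the statistical distance between the real and ideal view distributions. All names, the field size and the sample inputs are my own choices for the example.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

P, N = 5, 3  # constructed toy field size and party count; party 0 is the corrupt party

def share(x, rand):
    """Additive shares of x over Z_P: N-1 uniform shares, the last one fixed."""
    return list(rand) + [(x - sum(rand)) % P]

def real_view(inputs, rand):
    """Party 0's view of the secure-sum protocol for one choice of coins.
    rand[i] is party i's coins (N-1 field elements); shares[i][j] goes to party j."""
    shares = [share(inputs[i], rand[i]) for i in range(N)]
    received = tuple(shares[i][0] for i in range(1, N))
    partials = [sum(shares[i][j] for i in range(N)) % P for j in range(N)]  # broadcast
    return (inputs[0], tuple(rand[0]), received, tuple(partials[1:]))

def sim_view(x0, y, rand, use_output=True):
    """Simulator: sees only party 0's input and the output y, and fakes the view.
    With use_output=False it ignores y, which is the mistake the distance check catches."""
    own, received = tuple(rand[:N - 1]), tuple(rand[N - 1:2 * N - 2])
    t0 = (own[0] + sum(received)) % P                 # party 0's own partial sum
    others = list(rand[2 * N - 2:3 * N - 4])           # N-2 partial sums chosen uniformly
    last = rand[3 * N - 4] if not use_output else (y - t0 - sum(others)) % P
    return (x0, own, received, tuple(others + [last]))

def real_dist(inputs):
    """Exact distribution of party 0's real-world view over all protocol coins."""
    views = Counter()
    for r in product(range(P), repeat=N * (N - 1)):
        rand = [r[i * (N - 1):(i + 1) * (N - 1)] for i in range(N)]
        views[real_view(inputs, rand)] += 1
    return views

def ideal_dist(inputs, use_output=True):
    """Exact distribution of the simulated view over all simulator coins."""
    y, views = sum(inputs) % P, Counter()
    for r in product(range(P), repeat=3 * N - 4 + (0 if use_output else 1)):
        views[sim_view(inputs[0], y, r, use_output)] += 1
    return views

def statistical_distance(d1, d2):
    """Exact total-variation distance between two view distributions."""
    n1, n2 = sum(d1.values()), sum(d2.values())
    return sum(abs(Fraction(d1[k], n1) - Fraction(d2[k], n2)) for k in set(d1) | set(d2)) / 2

if __name__ == "__main__":
    inputs = (2, 3, 4)  # constructed sample inputs
    print(statistical_distance(real_dist(inputs), ideal_dist(inputs)))         # 0
    print(statistical_distance(real_dist(inputs), ideal_dist(inputs, False)))  # 4/5
```

The zero distance is the single game hop a proof for this protocol needs; the simulator that drops the output is distinguishable with constant advantage, which is why the simulator, and not only the protocol, has to be found.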