# On the Relationships between Notions of Simulation-Based Security

## Abstract

Several compositional forms of simulation-based security have been proposed in the literature, including Universal Composability, Black-Box Simulatability, and variants thereof. These relations between a protocol and an ideal functionality are similar enough that they can be ordered from strongest to weakest according to the logical form of their definitions. However, determining whether two relations are in fact identical depends on some subtle features that have not been brought out in previous studies. We identify two main factors: the position of a “master process” in the distributed system and some limitations on transparent message forwarding within computational complexity bounds. Using a general computational framework, called Sequential Probabilistic Process Calculus (SPPC), we clarify the relationships between the simulation-based security conditions. Many of the proofs are carried out based on a small set of equivalence principles involving processes and distributed systems. These equivalences exhibit the essential properties needed to prove relationships between security notions and allow us to carry over our results to those computational models which satisfy these equivalences.
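As an added illustration (not text from the paper), the ordering "by the logical form of their definitions" comes from the quantifier pattern of the two notions named above. The notation here is an assumption of this illustration, not the paper's own: $P$ is the real protocol, $F$ the ideal functionality, $A$ an adversary, $S$ a simulator, $E$ an environment, $E[X]$ the output bit of $E$ when run with the system $X$, $\parallel$ parallel composition, $S[A]$ the simulator $S$ running $A$ as a black-box subroutine, and $\approx$ computational indistinguishability of the environment's output, with every machine polynomially bounded.

$$
\begin{aligned}
\text{UC:}\quad & \forall A\ \exists S\ \forall E:\quad E[P \parallel A] \;\approx\; E[F \parallel S] \\
\text{BB:}\quad & \exists S\ \forall A\ \forall E:\quad E[P \parallel A] \;\approx\; E[F \parallel S[A]]
\end{aligned}
$$

The direction BB $\Rightarrow$ UC is immediate from the quantifiers: given the single black-box simulator $S$, take $S[A]$ as the UC simulator for each $A$, and an $\exists\forall$ statement implies the corresponding $\forall\exists$ one. Nothing in the logical form gives the converse; that is exactly where the two factors named in the abstract, the position of the master process and whether the complexity bound permits transparent forwarding of $A$'s messages through the simulator, decide whether the notions coincide.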

## Keywords

Simulation-based security, Universal Composability, Reactive Simulatability, Black-Box Simulatability, Process calculus

## References

- [1] M. Abadi, C. Fournet, Mobile values, new names, and secure communication, in *28th ACM Symposium on Principles of Programming Languages*, 2001, pp. 104–115
- [2] M. Abadi, A.D. Gordon, A bisimulation method for cryptographic protocols, in *Proc. ESOP'98*. Lecture Notes in Computer Science, vol. 1381 (Springer, Berlin, 1998), pp. 12–26
- [3] M. Abadi, A.D. Gordon, A calculus for cryptographic protocols: the spi calculus, *Inf. Comput.* 143, 1–70 (1999). Expanded version available as SRC research report 149, January 1998
- [4] M. Backes, B. Pfitzmann, M. Waidner, A general composition theorem for secure reactive systems, in *Proceedings of the 1st Theory of Cryptography Conference (TCC 2004)*. Lecture Notes in Computer Science, vol. 2951 (Springer, Berlin, 2004), pp. 336–354
- [5] M. Backes, B. Pfitzmann, M. Waidner, Secure asynchronous reactive systems. Technical report 2004/082, Cryptology ePrint Archive, 2004
- [6] M. Backes, B. Pfitzmann, M. Steiner, M. Waidner, Polynomial fairness and liveness, in *Proceedings of the 15th IEEE Computer Security Foundations Workshop*, Cape Breton, Nova Scotia, Canada, 2002, pp. 160–174
- [7] M. Backes, B. Pfitzmann, M. Waidner, Reactively secure signature schemes, in *Proceedings of the 6th Information Security Conference*. Lecture Notes in Computer Science, vol. 2851 (Springer, Berlin, 2003), pp. 84–95
- [8] R. Canetti, Universally composable security: a new paradigm for cryptographic protocols. Technical report, Cryptology ePrint Archive, December 2005. Available online at http://eprint.iacr.org/2000/067.ps
- [9] R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, in *Proc. 42nd IEEE Symp. on the Foundations of Computer Science* (IEEE, New York, 2001)
- [10] R. Canetti, Personal communication, 2004
- [11] R. Canetti, L. Cheung, D.K. Kaynar, M. Liskov, N.A. Lynch, O. Pereira, R. Segala, Time-bounded task-PIOAs: a framework for analyzing security protocols, in *DISC*, 2006, pp. 238–253
- [12] R. Canetti, M. Fischlin, Universally composable commitments, in *Proc. CRYPTO 2001*, Santa Barbara, California. Lecture Notes in Computer Science, vol. 2139 (Springer, Berlin, 2001), pp. 19–40
- [13] R. Canetti, H. Krawczyk, Universally composable notions of key exchange and secure channels, in *Advances in Cryptology—EUROCRYPT 2002*. Lecture Notes in Computer Science, vol. 2332 (Springer, Berlin, 2002), pp. 337–351
- [14] R. Canetti, E. Kushilevitz, Y. Lindell, On the limitations of universally composable two-party computation without set-up assumptions, in *Advances in Cryptology—EUROCRYPT 2003*. Lecture Notes in Computer Science, vol. 2656 (Springer, Berlin, 2003), pp. 68–86
- [15] R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable two-party and multi-party secure computation, in *Proc. ACM Symp. on the Theory of Computing*, 2002, pp. 494–503
- [16] A. Datta, R. Küsters, J. Mitchell, A. Ramanathan, On the relationships between notions of simulation-based security. Technical report 2006/153, Cryptology ePrint Archive, 2006
- [17] A. Datta, R. Küsters, J.C. Mitchell, A. Ramanathan, On the relationships between notions of simulation-based security, in *Proceedings of the 2nd Theory of Cryptography Conference (TCC 2005)*, ed. by J. Kilian. Lecture Notes in Computer Science, vol. 3378 (Springer, Berlin, 2005), pp. 476–494
- [18] A. Datta, R. Küsters, J.C. Mitchell, A. Ramanathan, V. Shmatikov, Unifying equivalence-based definitions of protocol security, in *ACM SIGPLAN and IFIP WG 1.7, 4th Workshop on Issues in the Theory of Security*, 2004. No formal proceedings
- [19] C.A.R. Hoare, *Communicating Sequential Processes* (Prentice Hall, New York, 1985)
- [20] D. Hofheinz, J. Müller-Quade, D. Unruh, Polynomial runtime in simulatability definitions, in *18th IEEE Computer Security Foundations Workshop (CSFW-18 2005)* (IEEE Computer Society, Los Alamitos, 2005), pp. 156–169
- [21] D. Hofheinz, D. Unruh, Comparing two notions of simulatability, in *Theory of Cryptography, Proceedings of TCC 2005*, ed. by J. Kilian. Lecture Notes in Computer Science, vol. 3378 (Springer, Berlin, 2005), pp. 86–103
- [22] D. Hofheinz, D. Unruh, Simulatable security and concurrent composition, in *Proceedings of the 2006 IEEE Symposium on Security and Privacy* (IEEE Computer Society, Los Alamitos, 2006), pp. 169–183
- [23] R. Küsters, Simulation-based security with inexhaustible interactive Turing machines, in *Proceedings of the 19th IEEE Computer Security Foundations Workshop (CSFW-19 2006)* (IEEE Computer Society, Los Alamitos, 2006), pp. 309–320
- [24] P.D. Lincoln, J.C. Mitchell, M. Mitchell, A. Scedrov, Probabilistic polynomial-time equivalence and security protocols, in *Formal Methods World Congress*, vol. I, Toulouse, France, ed. by J.M. Wing, J. Woodcock. Lecture Notes in Computer Science, vol. 1708 (Springer, Berlin, 1999), pp. 776–793
- [25] R. Milner, *A Calculus of Communicating Systems* (Springer, Berlin, 1980)
- [26] R. Milner, *Communication and Concurrency*. International Series in Computer Science (Prentice Hall, New York, 1989)
- [27] J.C. Mitchell, M. Mitchell, A. Scedrov, A linguistic characterization of bounded oracle computation and probabilistic polynomial time, in *Proc. 39th Annual IEEE Symposium on the Foundations of Computer Science*, Palo Alto, California (IEEE, New York, 1998), pp. 725–733
- [28] J.C. Mitchell, A. Ramanathan, A. Scedrov, V. Teague, A probabilistic polynomial-time calculus for the analysis of cryptographic protocols (preliminary report), in *17th Annual Conference on the Mathematical Foundations of Programming Semantics*, Aarhus, Denmark, May 2001, ed. by S. Brookes, M. Mislove. Electronic Notes in Theoretical Computer Science, vol. 45, 2001
- [29] J.C. Mitchell, A. Ramanathan, A. Scedrov, V. Teague, A probabilistic polynomial-time process calculus for the analysis of cryptographic protocols, *Theor. Comput. Sci.* 353(1–3), 118–164 (2006)
- [30] B. Pfitzmann, M. Waidner, A model for asynchronous reactive systems and its application to secure message transmission, in *IEEE Symposium on Security and Privacy (S&P 2001)* (IEEE Computer Society Press, Los Alamitos, 2001), pp. 184–200
- [31] A. Ramanathan, J.C. Mitchell, A. Scedrov, V. Teague, Probabilistic bisimulation and equivalence for security analysis of network protocols. Unpublished, see http://www-cs-students.stanford.edu/~ajith/, 2004
- [32] A. Ramanathan, J.C. Mitchell, A. Scedrov, V. Teague, Probabilistic bisimulation and equivalence for security analysis of network protocols, in *FOSSACS 2004—Foundations of Software Science and Computation Structures*. Lecture Notes in Computer Science, vol. 2987 (Springer, Berlin, 2004), pp. 468–483. Summarizes results in [31]