Journal of Cryptology

Volume 21, Issue 4, pp 492–546

On the Relationships between Notions of Simulation-Based Security

  • Ralf Küsters
  • Anupam Datta
  • John C. Mitchell
  • Ajith Ramanathan

Abstract

Several compositional forms of simulation-based security have been proposed in the literature, including Universal Composability, Black-Box Simulatability, and variants thereof. These relations between a protocol and an ideal functionality are similar enough that they can be ordered from strongest to weakest according to the logical form of their definitions. However, determining whether two relations are in fact identical depends on some subtle features that have not been brought out in previous studies. We identify two main factors: the position of a “master process” in the distributed system and some limitations on transparent message forwarding within computational complexity bounds. Using a general computational framework, called Sequential Probabilistic Process Calculus (SPPC), we clarify the relationships between the simulation-based security conditions. Many of the proofs are carried out based on a small set of equivalence principles involving processes and distributed systems. These equivalences exhibit the essential properties needed to prove relationships between security notions and allow us to carry over our results to those computational models which satisfy these equivalences.

Keywords

Simulation-based security; Universal Composability; Reactive Simulatability; Black-Box Simulatability; Process calculus

References

  1. M. Abadi, C. Fournet, Mobile values, new names, and secure communication, in 28th ACM Symposium on Principles of Programming Languages, 2001, pp. 104–115
  2. M. Abadi, A.D. Gordon, A bisimulation method for cryptographic protocols, in Proc. ESOP’98. Lecture Notes in Computer Science, vol. 1381 (Springer, Berlin, 1998), pp. 12–26
  3. M. Abadi, A.D. Gordon, A calculus for cryptographic protocols: the spi calculus, Inf. Comput. 143, 1–70 (1999). Expanded version available as SRC research report 149, January 1998
  4. M. Backes, B. Pfitzmann, M. Waidner, A general composition theorem for secure reactive systems, in Proceedings of the 1st Theory of Cryptography Conference (TCC 2004). Lecture Notes in Computer Science, vol. 2951 (Springer, Berlin, 2004), pp. 336–354
  5. M. Backes, B. Pfitzmann, M. Waidner, Secure asynchronous reactive systems. Technical report 082, Eprint, 2004
  6. M. Backes, B. Pfitzmann, M. Steiner, M. Waidner, Polynomial fairness and liveness, in Proceedings of 15th IEEE Computer Security Foundations Workshop, Cape Breton, Nova Scotia, Canada, 2002, pp. 160–174
  7. M. Backes, B. Pfitzmann, M. Waidner, Reactively secure signature schemes, in Proceedings of 6th Information Security Conference. Lecture Notes in Computer Science, vol. 2851 (Springer, Berlin, 2003), pp. 84–95
  8. R. Canetti, Universally composable security: a new paradigm for cryptographic protocols. Technical report, Cryptology ePrint Archive, December 2005. Available online at http://eprint.iacr.org/2000/067.ps
  9. R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, in Proc. 42nd IEEE Symp. on the Foundations of Computer Science (IEEE, New York, 2001)
  10. R. Canetti, Personal communication, 2004
  11. R. Canetti, L. Cheung, D.K. Kaynar, M. Liskov, N.A. Lynch, O. Pereira, R. Segala, Time-bounded task-PIOAs: a framework for analyzing security protocols, in DISC, 2006, pp. 238–253
  12. R. Canetti, M. Fischlin, Universally composable commitments, in Proc. CRYPTO 2001, Santa Barbara, California. Lecture Notes in Computer Science, vol. 2139 (Springer, Berlin, 2001), pp. 19–40
  13. R. Canetti, H. Krawczyk, Universally composable notions of key exchange and secure channels, in Advances in Cryptology—EUROCRYPT 2002. Lecture Notes in Computer Science, vol. 2332 (Springer, Berlin, 2002), pp. 337–351
  14. R. Canetti, E. Kushilevitz, Y. Lindell, On the limitations of universally composable two-party computation without set-up assumptions, in Advances in Cryptology—EUROCRYPT 2003. Lecture Notes in Computer Science, vol. 2656 (Springer, Berlin, 2003), pp. 68–86
  15. R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable two-party and multi-party secure computation, in Proc. ACM Symp. on the Theory of Computing, 2002, pp. 494–503
  16. A. Datta, R. Küsters, J. Mitchell, A. Ramanathan, On the relationships between notions of simulation-based security. Technical report 2006/153, Cryptology ePrint Archive, 2006
  17. A. Datta, R. Küsters, J.C. Mitchell, A. Ramanathan, On the relationships between notions of simulation-based security, in Proceedings of the 2nd Theory of Cryptography Conference (TCC 2005), ed. by J. Kilian. Lecture Notes in Computer Science, vol. 3378 (Springer, Berlin, 2005), pp. 476–494
  18. A. Datta, R. Küsters, J.C. Mitchell, A. Ramanathan, V. Shmatikov, Unifying equivalence-based definitions of protocol security, in ACM SIGPLAN and IFIP WG 1.7, 4th Workshop on Issues in the Theory of Security, 2004. No formal proceedings
  19. C.A.R. Hoare, Communicating Sequential Processes (Prentice Hall, New York, 1985)
  20. D. Hofheinz, J. Müller-Quade, D. Unruh, Polynomial runtime in simulatability definitions, in 18th IEEE Computer Security Foundations Workshop (CSFW-18 2005) (IEEE Computer Society, Los Alamitos, 2005), pp. 156–169
  21. D. Hofheinz, D. Unruh, Comparing two notions of simulatability, in Theory of Cryptography, Proceedings of TCC 2005, ed. by J. Kilian. Lecture Notes in Computer Science, vol. 3378 (Springer, Berlin, 2005), pp. 86–103
  22. D. Hofheinz, D. Unruh, Simulatable security and concurrent composition, in Proceedings of the 2006 IEEE Symposium on Security and Privacy (IEEE Computer Society, Los Alamitos, 2006), pp. 169–183
  23. R. Küsters, Simulation-based security with inexhaustible interactive Turing machines, in Proceedings of the 19th IEEE Computer Security Foundations Workshop (CSFW-19 2006) (IEEE Computer Society, Los Alamitos, 2006), pp. 309–320
  24. P.D. Lincoln, J.C. Mitchell, M. Mitchell, A. Scedrov, Probabilistic polynomial-time equivalence and security protocols, in Formal Methods World Congress, vol. I, Toulouse, France, ed. by J.M. Wing, J. Woodcock. Lecture Notes in Computer Science, vol. 1708 (Springer, Berlin, 1999), pp. 776–793
  25. R. Milner, A Calculus of Communicating Systems (Springer, Berlin, 1980)
  26. R. Milner, Communication and Concurrency. International Series in Computer Science (Prentice Hall, New York, 1989)
  27. J.C. Mitchell, M. Mitchell, A. Scedrov, A linguistic characterization of bounded oracle computation and probabilistic polynomial time, in Proc. 39th Annual IEEE Symposium on the Foundations of Computer Science, Palo Alto, California (IEEE, New York, 1998), pp. 725–733
  28. J.C. Mitchell, A. Ramanathan, A. Scedrov, V. Teague, A probabilistic polynomial-time calculus for the analysis of cryptographic protocols (preliminary report), in 17th Annual Conference on the Mathematical Foundations of Programming Semantics, Aarhus, Denmark, May 2001, ed. by S. Brookes, M. Mislove. Electronic Notes in Theoretical Computer Science, vol. 45, 2001
  29. J.C. Mitchell, A. Ramanathan, A. Scedrov, V. Teague, A probabilistic polynomial-time process calculus for the analysis of cryptographic protocols, Theor. Comput. Sci. 353(1–3), 118–164 (2006)
  30. B. Pfitzmann, M. Waidner, A model for asynchronous reactive systems and its application to secure message transmission, in IEEE Symposium on Security and Privacy (S&P 2001) (IEEE Computer Society Press, Los Alamitos, 2001), pp. 184–200
  31. A. Ramanathan, J.C. Mitchell, A. Scedrov, V. Teague, Probabilistic bisimulation and equivalence for security analysis of network protocols. Unpublished, see http://www-cs-students.stanford.edu/~ajith/, 2004
  32. A. Ramanathan, J.C. Mitchell, A. Scedrov, V. Teague, Probabilistic bisimulation and equivalence for security analysis of network protocols, in FOSSACS 2004—Foundations of Software Science and Computation Structures. Lecture Notes in Computer Science, vol. 2987 (Springer, Berlin, 2004), pp. 468–483. Summarizes results in [31]

Copyright information

© International Association for Cryptologic Research 2008

Authors and Affiliations

  • Ralf Küsters, Computer Science Department, University of Trier, Trier, Germany
  • Anupam Datta, CyLab, Computer Science, Electrical and Computer Engineering, Carnegie Mellon University, Pittsburgh, USA
  • John C. Mitchell, Computer Science Department, Stanford University, Stanford, USA
  • Ajith Ramanathan, Computer Science Department, Stanford University, Stanford, USA