State Separation for Code-Based Game-Playing Proofs

  • Chris Brzuska (corresponding author)
  • Antoine Delignat-Lavaud
  • Cédric Fournet
  • Konrad Kohbrok
  • Markulf Kohlweiss
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11274)


The security analysis of real-world protocols involves reduction steps that are conceptually simple but still have to account for many protocol complications found in standards and implementations. Taking inspiration from universal composability, abstract cryptography, process algebras, and type-based verification frameworks, we propose a method to simplify large reductions, avoid mistakes in carrying them out, and obtain concise security statements.

Our method decomposes monolithic games into collections of stateful packages representing collections of oracles that call one another using well-defined interfaces. Every component scheme yields a pair of a real and an ideal package. In security proofs, we then successively replace each real package with its ideal counterpart, treating the other packages as the reduction. We build this reduction by applying a number of algebraic operations on packages justified by their state separation. Our method handles reductions that emulate the game perfectly, and leaves more complex arguments to existing game-based proof techniques such as the code-based analysis suggested by Bellare and Rogaway. It also facilitates computer-aided proofs, inasmuch as the perfect reduction steps can be automatically discharged by proof assistants.

We illustrate our method on two generic composition proofs: a proof of self-composition using a hybrid argument; and the composition of keying and keyed components. For concreteness, we apply them to the KEM-DEM proof of hybrid-encryption by Cramer and Shoup and to the composition of forward-secure game-based key exchange protocols with symmetric-key protocols.
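The following is an added illustration of the package idea described in the abstract, written for this page; it is not code from the paper or its authors, and the paper's own formalism (its package syntax, its notion of interfaces, its particular real/ideal pairs) is only approximated here. The model assumes a sequential-composition operator `Composed` (hypothetical), a PRF-based one-time-pad encryption package `Enc` that reaches the key only through an `EVAL` interface, a real PRF package (HMAC-SHA256, a toy instantiation) beside an ideal one (lazily sampled random function), and a throw-away adversary. Two things a practitioner would want to see are checked in code: that bracketing the packages as `(A -> ENC) -> PRF^b` turns `A -> ENC` into the PRF distinguisher that serves as the reduction, with the same output bit as `A -> (ENC -> PRF^b)` on the same coins (the associativity the paper relies on), and that each package's state stays disjoint, so the encryption package never holds the key.

```python
import hmac
import hashlib
import random


class Package:
    """A stateful package: private state plus the oracles it exports (methods
    named o_<NAME>). It reaches other packages only through self.out, which
    composition fills in; no other package can touch its state."""
    requires = ()  # names of the oracles this package calls on its right-hand neighbour

    def __init__(self, rng):
        self.rng = rng      # randomness is injected so two runs can share the same coins
        self.state = {}
        self.out = {}

    def exports(self):
        return {n[2:]: getattr(self, n) for n in dir(self) if n.startswith("o_")}

    def bind(self, name, fn):
        self.out[name] = fn


class Composed:
    """Sequential composition L -> R (hypothetical operator): every oracle L
    requires is wired to the matching export of R. The result exports L's
    oracles, still requires R's, and keeps the two states as a pair."""

    def __init__(self, left, right):
        self.left, self.right = left, right
        exp = right.exports()
        for name in left.requires:
            left.bind(name, exp[name])
        self.requires = right.requires

    def exports(self):
        return self.left.exports()

    def bind(self, name, fn):          # unresolved calls belong to the right end
        self.right.bind(name, fn)

    @property
    def state(self):
        return (self.left.state, self.right.state)


class RealPRF(Package):
    """PRF^0: HMAC-SHA256 under a key sampled on first use (toy instantiation)."""
    def o_EVAL(self, x):
        if "key" not in self.state:
            self.state["key"] = self.rng.randbytes(32)
        return hmac.new(self.state["key"], x, hashlib.sha256).digest()


class IdealPRF(Package):
    """PRF^1: a lazily sampled random function behind the same EVAL interface."""
    def o_EVAL(self, x):
        table = self.state.setdefault("table", {})
        if x not in table:
            table[x] = self.rng.randbytes(32)
        return table[x]


class Enc(Package):
    """Encrypts a 32-byte block as (nonce, m XOR EVAL(nonce)). Its state holds
    only nonces; the key is reachable solely through EVAL."""
    requires = ("EVAL",)
    def o_ENC(self, m):
        nonce = self.rng.randbytes(16)
        self.state.setdefault("nonces", []).append(nonce)
        pad = self.out["EVAL"](nonce)
        return nonce, bytes(a ^ b for a, b in zip(pad, m))


class Adversary(Package):
    """Stand-in for any ENC adversary; it outputs a parity of what it sees."""
    requires = ("ENC",)
    def o_RUN(self):
        cts = [self.out["ENC"](bytes([i]) * 32)[1] for i in range(4)]
        return sum(c[0] for c in cts) & 1


def experiment(prf_cls, seed, reduction_view):
    """Run A against ENC -> PRF^b. With reduction_view=True the same packages
    are bracketed as (A -> ENC) -> PRF^b, i.e. the reduction R = A -> ENC is a
    plain PRF distinguisher talking to PRF^b. Returns (output bit, game)."""
    rng = random.Random(seed)
    adv, enc, prf = Adversary(rng), Enc(rng), prf_cls(rng)
    game = (Composed(Composed(adv, enc), prf) if reduction_view
            else Composed(adv, Composed(enc, prf)))
    return game.exports()["RUN"](), game


def check_associativity(seed=1):
    """Both bracketings, run on the same coins, yield the same output bit."""
    return all(experiment(P, seed, True)[0] == experiment(P, seed, False)[0]
               for P in (RealPRF, IdealPRF))


def states_after_run(prf_cls, seed=7):
    """Return (ENC state, PRF state) of the (A -> ENC) -> PRF^b game."""
    _, game = experiment(prf_cls, seed, True)
    return game.left.right.state, game.right.state


def advantage(trials=400):
    """Empirical |Pr[(A->ENC)->PRF^0 = 1] - Pr[(A->ENC)->PRF^1 = 1]| over seeds."""
    p = [sum(experiment(P, s, True)[0] for s in range(trials)) / trials
         for P in (RealPRF, IdealPRF)]
    return abs(p[0] - p[1])
```

The design point is that `Enc` is written once and never sees which PRF it is composed with: swapping `RealPRF` for `IdealPRF` is a local change to one package, and the reduction that justifies the swap is just the remaining packages `Adversary -> Enc` re-bracketed as a distinguisher. The second, perfect step the paper leaves to be discharged by hand or by a proof assistant (that `Enc -> IdealPRF` with fresh nonces is a one-time pad) is not something a test run can establish, so it is not checked here.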



We are deeply indebted to Cas Cremers for extensive feedback on an early draft of our article. We are grateful to Simon Peyton Jones for pointing out the associativity of monadic composition as a generalization of function composition to effectful programs. We thank Giorgia Azzurra Marson and Hoeteck Wee for feedback on the presentation of our IND-CPA toy example in the introduction. We thank Martijn Stam for suggesting the use of KEM-DEM composition as one of our application cases. We are grateful to Håkon Jacobsen for feedback on our key exchange definition. We thank Ueli Maurer for an inspiring and helpful discussion on abstraction. We thank Sabine Oechsner, Frieder Steinmetz, Bogdan Warinschi, Jan Winkelmann, and Santiago Zanella-Béguelin for helpful suggestions and inspiration.

Chris Brzuska is grateful to NXP for the support of his previously held chair of IT Security Analysis at TU Hamburg. Much of the research was done while the first author was at Microsoft Research Cambridge and during internships and research visits supported by Microsoft and the EU COST framework. In particular, this work was supported by an STSM Grant from COST Action IC1306 “Cryptography for Secure Digital Interaction”. This work was supported by Microsoft Research through its PhD Scholarship Programme. Markulf Kohlweiss is grateful for a fellowship from IOHK.


References

  1. Backes, M., Pfitzmann, B., Waidner, M.: A general composition theorem for secure reactive systems. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 336–354. Springer, Heidelberg (2004)
  2. Barthe, G., Crespo, J.M., Lakhnech, Y., Schmidt, B.: Mind the gap: modular machine-checked proofs of one-round key exchange protocols. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 689–718. Springer, Heidelberg (2015)
  3. Barthe, G., Daubignard, M., Kapron, B.M., Lakhnech, Y.: Computational indistinguishability logic. In: ACM CCS, pp. 375–386 (2010)
  4. Barthe, G., Grégoire, B., Heraud, S., Béguelin, S.Z.: Computer-aided security proofs for the working cryptographer. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 71–90. Springer, Heidelberg (2011)
  5. Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000)
  6. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)
  7. Bellare, M., Rogaway, P.: Provably secure session key distribution: the three party case. In: STOC (1995)
  8. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006)
  9. Bernstein, D.J., Lange, T.: Non-uniform cracks in the concrete: the power of free precomputation. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 321–340. Springer, Heidelberg (2013)
  10. Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y.: Implementing TLS with verified cryptographic security. In: Security and Privacy (2013)
  11. Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zanella-Béguelin, S.: Proving the TLS handshake secure (as it is). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 235–255. Springer, Heidelberg (2014)
  12. Blanchet, B.: A computationally sound mechanized prover for security protocols. IEEE Trans. Dependable Sec. Comput. 5(4), 193–207 (2008)
  13. Blanchet, B.: Composition theorems for CryptoVerif and application to TLS 1.3. In: 31st IEEE Computer Security Foundations Symposium, CSF 2018, 9–12 July 2018, Oxford, United Kingdom, pp. 16–30 (2018)
  14. Brzuska, C.: On the foundations of key exchange. Ph.D. thesis, Darmstadt University of Technology, Germany (2013)
  15. Brzuska, C., Delignat-Lavaud, A., Fournet, C., Kohbrok, K., Kohlweiss, M.: State separation for code-based game-playing proofs. Cryptology ePrint Archive, Report 2018/306 (2018)
  16. Brzuska, C., Fischlin, M., Smart, N.P., Warinschi, B., Williams, S.C.: Less is more: relaxed yet composable security notions for key exchange. Int. J. Inf. Sec. 12(4), 267–297 (2013)
  17. Brzuska, C., Fischlin, M., Warinschi, B., Williams, S.C.: Composability of Bellare-Rogaway key exchange protocols. In: ACM CCS (2011)
  18. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: FOCS (2001)
  19. Cohn-Gordon, K., Cremers, C.J.F., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the Signal messaging protocol. In: EuroS&P 2017 (2017)
  20. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33, 167–226 (2003)
  21. Cremers, C.J.F., Feltz, M.: Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. Des. Codes Cryptography 74(1), 183–218 (2015)
  22. Delignat-Lavaud, A., et al.: Implementing and proving the TLS 1.3 record layer. In: Security and Privacy (2017)
  23. Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: ACM CCS (2015)
  24. Fischlin, M., Günther, F., Schmidt, B., Warinschi, B.: Key confirmation in key exchange: a formal treatment and implications for TLS 1.3. In: Security and Privacy (2016)
  25. Fournet, C., Kohlweiss, M., Strub, P.-Y.: Modular code-based cryptographic verification. In: ACM CCS (2011)
  26. Hofheinz, D., Shoup, V.: GNUC: a new universal composability framework. Cryptology ePrint Archive, Report 2011/303 (2011)
  27. Hofheinz, D., Shoup, V.: GNUC: a new universal composability framework. J. Cryptol. 28(3), 423–508 (2015)
  28. Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012)
  29. Jones, S.P.: Haskell 98 language and libraries: the revised report (2003)
  30. Kohlweiss, M., Maurer, U., Onete, C., Tackmann, B., Venturi, D.: (De-)Constructing TLS 1.3. In: Biryukov, A., Goyal, V. (eds.) INDOCRYPT 2015. LNCS, vol. 9462, pp. 85–102. Springer, Cham (2015)
  31. Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005)
  32. Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013)
  33. Kuesters, R., Tuengerthal, M.: The IITM model: a simple and expressive model for universal composability. Cryptology ePrint Archive, Report 2013/025 (2013)
  34. Maurer, U.: Constructive cryptography - a primer (invited paper). In: FC (2010)
  35. Maurer, U.: Constructive cryptography - a new paradigm for security definitions and proofs. In: TOSCA (2011)
  36. Maurer, U., Renner, R.: Abstract cryptography. In: ITCS (2011)
  37. Maurer, U.: Indistinguishability of random systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 110–132. Springer, Heidelberg (2002)
  38. Micciancio, D., Tessaro, S.: An equational approach to secure multi-party computation. In: Innovations in Theoretical Computer Science, ITCS (2013)
  39. Milner, R., Parrow, J., Walker, D.: A calculus of mobile processes, I. Inf. Comput. 100(1) (1992)
  40. Mitchell, J.C., Ramanathan, A., Scedrov, A., Teague, V.: A probabilistic polynomial-time process calculus for the analysis of cryptographic protocols. Theor. Comput. Sci. 353(1–3) (2006)
  41. Müller-Quade, J., Unruh, D.: Long-term security and universal composability. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 41–60. Springer, Heidelberg (2007)
  42. Ristenpart, T., Shacham, H., Shrimpton, T.: Careful with composition: limitations of the indifferentiability framework. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 487–506. Springer, Heidelberg (2011)
  43. Rogaway, P.: Formalizing human ignorance. In: Nguyen, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 211–228. Springer, Heidelberg (2006)
  44. Rosulek, M.: The joy of cryptography. Online draft (2018)
  45. Swamy, N., Hriţcu, C., Keller, C., Rastogi, A., Delignat-Lavaud, A., Forest, S., Bhargavan, K., Fournet, C., Strub, P.-Y., Kohlweiss, M., Zinzindohoue, J.-K., Zanella-Béguelin, S.: Dependent types and multi-monadic effects in F*. In: POPL (2016)
  46. Syme, D., Granicz, A., Cisternino, A.: Expert F# 3.0. Springer, Heidelberg (2012)
  47. Tofte, M.: Essentials of Standard ML modules. In: Launchbury, J., Meijer, E., Sheard, T. (eds.) AFP 1996. LNCS, vol. 1129, pp. 208–229. Springer, Heidelberg (1996)
  48. van Leeuwen, J., Wiedermann, J.: Beyond the Turing limit: evolving interactive systems. In: Pacholski, L., Ružička, P. (eds.) SOFSEM 2001. LNCS, vol. 2234, pp. 90–109. Springer, Heidelberg (2001)
  49. Wikström, D.: Simplified universal composability framework. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 566–595. Springer, Heidelberg (2016)

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Chris Brzuska (1), corresponding author
  • Antoine Delignat-Lavaud (2)
  • Cédric Fournet (2)
  • Konrad Kohbrok (1)
  • Markulf Kohlweiss (2, 3)
  1. Aalto University, Helsinki, Finland
  2. Microsoft Research, Redmond, USA
  3. University of Edinburgh, Edinburgh, UK