Modeling Computational Security in Long-Lived Systems
For many cryptographic protocols, security relies on the assumption that adversarial entities have limited computational power. This type of security degrades progressively over the lifetime of a protocol. However, some cryptographic services, such as timestamping services or digital archives, are long-lived in nature; they are expected to be secure and operational for a very long time (i.e. super-polynomial). In such cases, security cannot be guaranteed in the traditional sense: a computationally secure protocol may become insecure if the attacker has a super-polynomial number of interactions with the protocol.
This paper proposes a new paradigm for the analysis of long-lived security protocols. We allow entities to be active for a potentially unbounded amount of real time, provided they perform only a polynomial amount of work per unit of real time. Moreover, the space used by these entities is allocated dynamically and must be polynomially bounded. We propose a new notion of long-term implementation, which is an adaptation of computational indistinguishability to the long-lived setting. We show that long-term implementation is preserved under polynomial parallel composition and exponential sequential composition. We illustrate the use of this new paradigm by analyzing some security properties of the long-lived timestamping protocol of Haber and Kamat.
KeywordsSignature Scheme Turing Machine Security Property Sequential Composition Parallel Composition
Unable to display preview. Download preview PDF.
- 1.Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. In: Proceedings of the 17th Annual ACM Symposium on Theory of Computing (STOC 1985), pp. 291–304 (1985)Google Scholar
- 2.Pfitzmann, B., Waidner, M.: A model for asynchronous reactive systems and its application to secure message transmission. In: IEEE Symposium on Security and Privacy, Oakland, CA, pp. 184–200. IEEE Computer Society, Los Alamitos (2001)Google Scholar
- 3.Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: Naor, M. (ed.) Proceedings of the 42nd Annual Symposium on Foundations of Computer Science, pp. 136–145. IEEE Computer Society, Los Alamitos (2001)Google Scholar
- 6.Ostrovsky, R., Yung, M.: How to withstand mobile virus attacks. In: Proceedings of 10th annual ACM Symposium on Principles of Distributed Computing (PODC 1991), pp. 51–59 (1991)Google Scholar
- 7.Anderson, R.: Two remarks on public key cryptology. Technical Report UCAM-CL-TR-549. University of Cambridge (2002)Google Scholar
- 8.Bellare, M., Miner, S.K.: A forward-secure digital signature scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 431–448. Springer, Heidelberg (1999)Google Scholar
- 10.Bayer, D., Haber, S., Stornetta, S.W.: Improving the efficiency and reliability of digital time-stamping. In: Capocalli, R.M., Santis, A.D., Vaccaro, U. (eds.) Sequences II: Methods in Communication, Security, and Computer Science (Proceedings of the Sequences Workshop, 1991), pp. 329–334. Springer, Heidelberg (1993)Google Scholar
- 11.Haber, S.: Long-lived digital integrity using short-lived hash functions. Technical report, HP Laboratories (2006)Google Scholar
- 12.Haber, S., Kamat, P.: A content integrity service for long-term digital archives. In: Proceedings of the IS&T Archiving Conference (2006); Also published as Technical Memo HPL-2006-54, Trusted Systems Laboratory, HP Laboratories, PrincetonGoogle Scholar
- 14.Backes, M., Pfitzmann, B., Waidner, M.: Secure asynchronous reactive systems. Cryptology ePrint Archive, Report 2004/082 (2004), http://eprint.iacr.org/
- 18.Merritt, M., Modugno, F., Tuttle, M.R.: Time constrained automata. In: Groote, J.F., Baeten, J.C.M. (eds.) CONCUR 1991. LNCS, vol. 527, pp. 408–423. Springer, Heidelberg (1991)Google Scholar
- 19.Canetti, R., Cheung, L., Kaynar, D., Lynch, N., Pereira, O.: Modeling bounded computation in long-lived systems. Cryptology ePrint Archive, Report 2007/406 (2007), http://eprint.iacr.org/