Conditional Reactive Simulatability
Simulatability has established itself as a salient notion for defining and proving the security of cryptographic protocols since it entails strong security and compositionality guarantees, which are achieved by universally quantifying over all environmental behaviors of the analyzed protocol. As a consequence, however, protocols that are secure except for certain environmental behaviors are not simulatable, even if these behaviors are efficiently identifiable and thus can be prevented by the surrounding protocol.
We propose a relaxation of simulatability by conditioning the permitted environmental behaviors, i.e., simulation is only required for environmental behaviors that fulfill explicitly stated constraints. This yields a more fine-grained security definition that is achievable for several protocols for which unconditional simulatability is too strict a notion, or at lower cost for the underlying cryptographic primitives. Although imposing restrictions on the environment destroys unconditional composability in general, we show that the composition of a large class of conditionally simulatable protocols yields protocols that are again simulatable under suitable conditions. This even holds for the case of cyclic assume-guarantee conditions where protocols only guarantee suitable behavior if they themselves are offered certain guarantees. Furthermore, composing several commonly investigated protocol classes with conditionally simulatable subprotocols yields protocols that are again simulatable in the standard, unconditional sense.
Keywords: Encryption Scheme, Safety Property, Cryptographic Protocol, Conditional Simulatability, Symmetric Encryption