A. Datta, R Küsters, J. Mitchell, A. Ramanathan,
V. Shmatikov
A. Scedrov, V. Teague, P. Mateus

 Real protocol
• The protocol we want to use
• Expressed precisely in some formalism
 Idealized protocol
• May use unrealistic mechanisms (e.g., private channels)
• Defines the behavior we want from real protocol
• Expressed precisely in same formalism
 Specification
• Real protocol indistinguishable from ideal protocol
• Beaver ‘91, Goldwasser-Levin ‘90, Micali-Rogaway ’91
• Depends on some characterization of observability
 Achieves compositionality

 Protocol P
A  B: { i }
K
B  A: { f(i) }
K
 “Obviously’’ secret protocol Q
A  B: { random_number }
B  A: { random_number }
K
K

 Protocol P
A  B: { random i }
K
B  A: { f(i) }
K
A  B: “OK” if f(i) received
 “Obviously’’ authenticating protocol Q
A  B: { random i }
K public channel private channel
B  A: { random j }
K i , j public channel private channel
A  B: “OK” if private i, j match public msgs

 Sequence generated from random seed
P n
: let b = n k -bit sequence generated from n random bits in
PUBLIC  b  end
 Truly random sequence
Q n
: let b = sequence of n k random bits in
PUBLIC  b  end
 P is crypto strong pseudo-random number generator
P  Q
Equivalence is asymptotic in security parameter n

 Crypto primitives
• Ciphertext indistinguishable from noise
 encryption secure in all protocols
 Protocols
• Protocol indistinguishable from ideal key distribution
 protocol secure in all systems that rely on secure key distributions

 Intuitively, if:
• Q securely realizes I ,
• R securely realizes J,
• R, J use I as a component ,
 then
R{Q/I} securely realizes J
 Fits well with process calculus because  is a congruence
• Q  I  C[Q]  C[I]
• contexts constructed from R , J , simulators

 Canetti – Universal composability
• Condition: two adversaries and environment
• Computation: Communicating Turing machines
 PW, … – Black-box simulatability
• Condition: one adversary, simulator, environment
• Computation: I/O automata (or CT machines)
 AG,LMMRST… - Process equivalence
• Condition: observational equivalence
• Computation: ppoly or nondet process calculus
Compare symmetric version of conditions over uniform computation model

Communicating
Turing Mach
I/O Automata
Nondet. Process
Calc
Prob Poly Process
Calc
Universal
Compos.
Black-box
Simulat.
Canetti Canetti
Observ.
Equiv.
Pfitz-W Pfitz-W
Spi,
Applied 
LMMRST

Communicating
Turing Mach
I/O Automata
Universal
Compos.
Canetti
Black-box
Simulat.
Canetti
Pfitz-W Pfitz-W
Nondet. Process
Calculus
Prob Poly Process
Calculus
Axiomatic Calculus UC BB
Observ.
Equiv.
Spi,
Applied 
LMMRST
PE

 What is the ideal key exchange protocol?
• Clients ask server for key, receive response?
• Server chooses keys and sends secretly?
 Issue
• Easy to distinguish number of messages
• No “canonical” key exchange protocol is equivalent to all secure key exchange protocols
 Ideal functionality
• Not a protocol with number of messages, etc.
• A functionality that can be used to create ideal protocols

 Adversary
• Interacts with protocol over network
• Does not choose messages to send, contract to sign, certificate authority,…
 Environment
• Represents the configuration of honest users who are trying to use the protocol
• Input to general protocol
• Example
– Kerberos TGS, KDC, clients, servers set by environment

 Given
• Protocol P
• Ideal functionality F
 Require
• For every attack attack A
A in any environment
1
E on P , there exists an on F revealing same information
• And conversely (in symmetric form of UC)

 Given
• Protocol P
• Ideal functionality F
 Require
• There exists a simulator S such that for any attacker A , protocols P and S  F reveal same information in any environ E

 Given
• Protocol P
• Ideal protocol Q (not functionality F )
 Require
• Protocols P and Q reveal same information in any context
No simulator, context = attacker + env

 UC and BB use “ideal functionality”
+ Allows single specification, regardless of communication pattern of protocol
 Observational equivalence
+ Standard relation, well-known properties
+ Bisimulation technique
+
Proof system
 Separate adversary and environment
-
Not clear if useful, except in exposition
Add ideal functionality to specification using process equivalence

 Write protocol in process calculus
• Accepted and long-studied approach to concurrency
 Express security using observational equivalence
• Standard relation from programming language theory
P  Q iff for all contexts C[ ] , same observations about C[P] and C[Q]
• Inherently compositional
• Context represents adversary
 Use proof rules for  to prove security
• Protocol is secure if no adversary can distinguish it from some idealized version of the protocol

UC
BB
PE

 Process calculus summary
 Formal definition of relations
 Sketch proof of equivalences
 Future directions

 Bounded  -calculus with integer terms
P :: = 0
| c q(|n|)
| c q(|n|)
 T 
(x). P send up to q(|n|) bits receive
|  c q(|n|)
. P private channel
| [T=T] P test
| P | P parallel composition
| ! q(|n|)
. P bounded replication
Terms may contain symbol n; channel width and replication bounded by poly in |n|

 P | Q  Q | P
 P | (Q | R)  (P | Q) | R
 P | 0  P
  c. P   d. [d/c]P same bandwidth,
  c. C[P]  C[  c.P] c  channels( C[0] )
 P  Q  Q  P
 P  Q, Q  R  P  R
 P  Q  C[P]  C[Q]
Prove results using these properties of process calculus; true for TM, IOA

 Universal composability
 A
1
 A
2
.  net
(P | A
1
)   net
(F | A
2
)
 Black-box simulability
 S  A .  net
(P | A)   net
 Process equivalence
(  sim
(F|S)|A)
 S . P   sim
(F | S)
Notes
• Relation  includes quantifying over environments
• Divide channels into network channels, simulator channels, environment channels

 UC and BB
• Equivalent w/synchronous communication
• Equivalent w/asynchronous communication
 BB and Process Equivalence (PE)
• PE implies BB in synch communication
• PE equivalent BB with asynch communication
These results are proved formally in process calculus
(we worked out soundness for PPC and spi-calculus).
Results hold for any computational framework satisfying equational principles given in earlier slide

(also have nice pictures)
 PE  BB  UC : Easy. Congruence and quantifier order.
 UC

BB
 BB

PE

 Lemma 6. Scope Extrusion
•  c. (P | Q)  (  c.P) | Q c  channels( Q )
 Lemma 8. Double buffering
• One asynchronous buffer is indistinguishable from the composition of two
 Lemma 9. Dummy adversary and buffer
• Composing a dummy adversary (that just sends network information to the environment) with asynchronous buffer is indistinguishable from a buffer alone

 Buffering fails
• With synchronous communication, adding a buffer or dummy adversary can change the observable order of actions

 Complete this study
• Relate computational models
• Look at asymmetric specifications
– P is at least as secure as Q
 Relate logical specification methods
• Equivalence P  Q
– P is detailed, Q more abstract
• Properties of Q
– Prove Q achieves authenticated key exchange