Universally Composable Symbolic Analysis of Key-Exchange Protocols Jonathan Herzog

Jonathan Herzog (joint work with Ran Canetti)
21 September 2004
The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints expressed by the author. If captured, MITRE will disavow any knowledge of your activities. Void where prohibited by law. No warranty expressed or implied.
Introduction

• This talk: symbolic (Dolev-Yao) analysis can guarantee concrete (Universally Composable) security
  – UC security: strongest known definition of security in the computational model
  – Therefore: automated formal analysis is as strong as the strongest concrete, hand-crafted proof
• Previous work: AR, MW, BPW, Gergi, others
  – Computational soundness for Dolev-Yao assumptions
  – Only relates proof-steps of the formal analysis to proof-steps of the computational analysis
  – Are the two models trying to prove the same goal?
Our Results

• Same security goals? Yes and no.
• Mutual authentication: Yes
  – DY-MA and UC-MA are achieved by the same protocols
  – UC analog to MW04
  – Last mention of mutual authentication; all the interesting details are in the KE case anyway
• Key exchange (KE): No
  – DY-KE is strictly weaker than UC-KE
  – Why? The DY notion of secrecy is weaker than the UC notion
  – DY-KE and UC-KE are equivalent, however, under a "real-or-random" notion of secrecy
Universally composable security

• Strongest known computational definition of security [C, BPW]
  – Definition phrased in terms of a single execution
  – Implies security even when composed with
    • arbitrary peer protocols
    • arbitrary sub-protocols
    • arbitrary higher-level protocols
• Currently requires "hand-crafted" proofs
• Our goal: prove security in the Dolev-Yao model instead
  – Show DY-KE equivalent to UC-KE
  – Simplify
Analysis strategy

(Diagram, rendered as a chain of boxes with the labels on the arrows in brackets:)

  Symbolic single-instance protocol satisfies DY-KE
    ⇒ [single-instance setting, ideal cryptography]
  Securely realizes UC-KE (UC crypto)
    ⇒ [UC theorem; UC with joint state]
  Security for multiple instances
    ⇒
  Concrete protocol: UC-KE using actual crypto
Overview of talk

• First half: overview of UC security
  – (Familiarity with the Dolev-Yao model assumed)
• Second half:
  – Relating the Dolev-Yao and UC models
  – Key exchange
Computational protocols

(Figure: two participants P, P and an adversary A on the network)

• Computational protocol:
  – Each message is a bit-string
  – Each participant is an efficient Turing machine
  – Participants take inputs, produce outputs
  – Adversary (also a Turing machine) controls the network
• Two questions:
  1. What is a protocol supposed to do?
  2. What does it mean to do it securely?
The functionality

(Figure: "dummy" participants P', P', the functionality F, and the adversary A)

• Pretend each participant has a secure channel to a trusted third party called the functionality
• "Dummy" participants send their inputs to the functionality
• Functionality calculates, sends the appropriate output to each participant
• Functionality also provides a channel to the adversary
Example: KE functionality

(Figure, rendered as a message sequence:)

  P1 → F: (start, P1, P2)
  P2 → F: (start, P2, P1)
  F → A:  (P1, P2), (P2, P1)                       [adversary learns who is exchanging a key]
  F:      chooses key K
  A → F:  (finished, P1, P2), (finished, P2, P1)   [adversary decides when each party gets its key]
  F → P1: (Key, K)
  F → P2: (Key, K)
The functionality (cont.)

• Definition of F specifies what information and options are available to the adversary
  – Assumption: we are willing to tolerate that leakage and those options, but no more
• For the KE functionality:
  – Adversary knows who starts the protocol, chooses who receives keys
  – Adversary never learns the key
  – Participants never get different keys
• Intuition: no adversary should be able to tell the real setting from the functionality setting
Formalizing intuition

(Figure: "real" scenario, participants P, P and adversary A)

• In the "real" scenario, the adversary sees a potentially long series of messages
Formalizing intuition (cont.)

(Figure: "ideal" scenario, dummy participants P', P', functionality F and adversary A)

• In the "ideal" scenario, the adversary sees a different set of messages (defined by the description of F)
• Need to make the functionality "look" like the protocol
• This task is performed by the simulator
The simulator

(Figure: dummy participants P', P', functionality F, simulator S, adversary A)

• Sits between the functionality and the adversary
• Translates functionality output into "protocol" messages
• Does not see F's messages to the participants!
Protocol security

• A protocol π securely realizes functionality F if:
  ∃ simulator S so that no adversary can distinguish between an execution of π and an execution of (F, S)
• Note that the simulator does not see "forbidden" information
  – Participant inputs, outputs from F to participants
  – Thus, simulator output is independent of the forbidden info
  – If the simulated protocol is indistinguishable from the real protocol, the real protocol must also be (computationally) independent of the forbidden information
Higher-level protocols

(Figure: participants P, P, functionality F, simulator S, adversary A)

• Protocol π may be a subprotocol of a higher-level protocol π'
• Protocol π' may leak info about P to the adversary
• Worst case scenario: adversary learns from P' the entire output of P, and can set the inputs to P
Higher-level protocols (cont.)

• Is it meaningful to even talk about security when higher-level protocols reveal everything?
• Answer: we have no control over the higher-level protocol
• Nevertheless, we will keep our end of the deal
  – Will remain indistinguishable from F regardless of what the higher-level protocol (or adversary) does
UC secure realization of F

∃ S such that these two situations are indistinguishable to all adversaries:

  Real:  participants P, P running the protocol, with adversary A
  Ideal: participants P, P using F, with simulator S in front of adversary A
Key exchange

• Standard symbolic definition:
  • Key agreement: If P1 outputs (Finished K) and P2 outputs (Finished K') then K = K'.
  • Traditional Dolev-Yao secrecy: If either participant outputs (Finished K), then the adversary can never learn K
• Not strong enough!
  – Protocols exist that satisfy the above, but are not UC secure
  – Example: Needham-Schroeder-Lowe
Needham-Schroeder-Lowe

  A → B: {A Na}KB
  B → A: {B Na K}KA
  A → B: {K}KB

• Suppose K = Nb is used as the secret key
  – Secret, under the traditional definition
  – K is output by A before B receives the third message
• Goal of adversary: distinguish
  – Real: K used in protocol
  – Ideal: K independent of simulated protocol
Distinguisher for NSL

• Test: flip a coin
  – Heads: send {K}KB (real value) to B
  – Tails: make a random key K', send {K'}KB to B
• Adversary knows B's "correct" response (it knows whether it sent K or K')
  – B will give the correct response in the real setting
  – Simulator in the ideal setting won't know what to do
    • Can't tell K' from K
    • Both are random values to the simulator
    • Will be wrong with probability .5
• No simulator can fool this adversary
Real-or-random (1/3)

• Need: real-or-random property for session keys:
  – Let π be a protocol
  – Let πr be π, except that when a participant finishes, it outputs the real key Kr
  – Let πf be π, except that when a participant finishes, it outputs a random key Kf
• Want: adversary can't distinguish the two protocols
Real-or-random (2/3)

• Let S be a strategy
  – Sequence of deductions and transmissions
• Attempt 1: For any strategy,
    Trace(S, πr) = Trace(S, πf)
  – Problem: Kf is not in any trace of πr
• Attempt 2:
    Trace(S, πr) = Rename(Trace(S, πf), Kf → Kr)
  – Sufficient for "if," too strong for "only if"
  – Two different traces may "appear" the same to the adversary
Real-or-random (3/3)

• Observable part of a trace: Abadi-Rogaway pattern
  – Undecipherable encryptions replaced by a "blob" (□)
  – Example:
      t = {N1, N2}K1, {N2}K2, K1^-1
      Pattern(t) = {N1, N2}K1, □K2, K1^-1
    (K1^-1 is in t, so the adversary can open the first encryption; K2^-1 is not, so {N2}K2 becomes a blob)
• Final condition: for any strategy,
    Pattern(Trace(S, πr)) = Pattern(Rename(Trace(S, πf), Kf → Kr))
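The following is an added worked example, not code from the talk or the paper. It implements the symbolic pieces the last few slides rely on (a Dolev-Yao deduction closure and the Abadi-Rogaway pattern of a term), reproduces the slide's pattern example, and then runs Needham-Schroeder-Lowe in the two worlds πr and πf against two adversary strategies: a passive one that forwards A's third message, and the talk's distinguisher, which reads the key A output (leaked by the higher-level protocol) and re-encrypts it to B itself. The term encoding, event format and the names 'Na', 'Nb', 'Kf', 'Adv' are this example's own assumptions; blobs are written ('blob', key) so that, as on the slide, the key a blob was made under stays visible.

```python
"""Symbolic check of the real-or-random condition on Needham-Schroeder-Lowe.

Terms are Python tuples: atoms are strings ('A', 'Na', 'KB'), inv(k) is the
private key matching public key k, pair(a, b) is concatenation and enc(k, m)
is public-key encryption of m under k, as on the slides. (Added example.)
"""

def pair(a, b):
    return ('pair', a, b)

def enc(key, msg):
    return ('enc', key, msg)

def inv(key):
    """Inverse key: inv('KB') is B's private key and inv(inv(k)) == k."""
    return key[1] if isinstance(key, tuple) and key[0] == 'inv' else ('inv', key)

def analz(known):
    """Dolev-Yao analysis closure: split pairs, decrypt with known keys, repeat."""
    known = {t for t in known if t is not None}
    while True:
        new = set()
        for t in known:
            if isinstance(t, tuple) and t[0] == 'pair':
                new.update(t[1:])
            elif isinstance(t, tuple) and t[0] == 'enc' and inv(t[1]) in known:
                new.add(t[2])
        if new <= known:
            return frozenset(known)
        known |= new

def pattern(t, derivable):
    """Abadi-Rogaway pattern: the part of a term the adversary can observe.
    An encryption whose decryption key is not derivable becomes ('blob', key)."""
    if not isinstance(t, tuple) or t[0] == 'inv':
        return t
    if t[0] == 'pair':
        return ('pair', pattern(t[1], derivable), pattern(t[2], derivable))
    if inv(t[1]) in derivable:
        return ('enc', t[1], pattern(t[2], derivable))
    return ('blob', t[1])

def rename(t, old, new):
    """Substitute atom `old` by `new` throughout a term, an event or a trace."""
    if t == old:
        return new
    if isinstance(t, (tuple, list)):
        return type(t)(rename(x, old, new) for x in t)
    return t

def slide_example():
    """The slide's example: t = {N1, N2}K1, {N2}K2, K1^-1."""
    t = [enc('K1', pair('N1', 'N2')), enc('K2', 'N2'), inv('K1')]
    d = analz(t)
    return [pattern(x, d) for x in t]

PUBLIC = {'A', 'B', 'KA', 'KB'}   # names and public keys known to everyone

def nsl_trace(world, strategy):
    """Run NSL (A initiator, B responder) in one world against one adversary.
    world:    'real' -> pi_r (finishing party outputs Kr = Nb); 'random' -> pi_f (outputs Kf)
    strategy: 'passive' forwards A's third message; 'replay_output' sends {K}KB with the
              key A output, which the adversary learns via the higher-level protocol.
    Events: ('msg', sender, receiver, term) and ('out', party, key_or_None); outputs
    are part of the trace, as the talk's traces include input/output."""
    k_out = 'Nb' if world == 'real' else 'Kf'
    trace = [('msg', 'A', 'B', enc('KB', pair('A', 'Na'))),
             ('msg', 'B', 'A', enc('KA', pair('B', pair('Na', 'Nb')))),
             ('out', 'A', k_out)]                  # A finishes before B sees message 3
    if strategy == 'passive':
        third = ('msg', 'A', 'B', enc('KB', 'Nb'))      # the protocol message carries Nb
    else:
        third = ('msg', 'Adv', 'B', enc('KB', k_out))   # adversary re-encrypts A's output
    trace.append(third)
    # B decrypts with inv('KB') and accepts only if the nonce is its own Nb.
    trace.append(('out', 'B', k_out if third[3][2] == 'Nb' else None))
    return trace

def network_view(trace):
    return PUBLIC | {e[3] for e in trace if e[0] == 'msg'}

def full_view(trace):
    """Network messages plus every output, which a higher-level protocol may leak."""
    return network_view(trace) | {e[2] for e in trace if e[0] == 'out'}

def traditional_secrecy_holds(strategy):
    """Traditional DY secrecy: the real key is never derivable from the network alone."""
    return 'Nb' not in analz(network_view(nsl_trace('real', strategy)))

def trace_pattern(trace):
    d = analz(full_view(trace))
    return [e[:3] + (pattern(e[3], d),) if e[0] == 'msg' else e for e in trace]

def real_or_random_holds(strategy):
    """Final condition: Pattern(Trace(S, pi_r)) == Pattern(Rename(Trace(S, pi_f), Kf -> Kr))."""
    real = trace_pattern(nsl_trace('real', strategy))
    renamed = trace_pattern(rename(nsl_trace('random', strategy), 'Kf', 'Nb'))
    return real == renamed

if __name__ == '__main__':
    print(slide_example())
    for s in ('passive', 'replay_output'):
        print(s, traditional_secrecy_holds(s), real_or_random_holds(s))
```

Traditional secrecy holds under both strategies, since nothing on the network ever lets the adversary derive Nb. The passive strategy also satisfies the real-or-random condition: after renaming Kf to Nb the two traces have identical patterns. The replay strategy breaks it: in πr B accepts {Nb}KB and outputs a key, in πf it rejects {Kf}KB, and that output difference survives both the renaming and the pattern, which is exactly the "for any strategy" quantifier doing its work.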
Main results

• Theorem: let π be a concrete protocol. Then π securely realizes FKE iff π satisfies
  1. Key agreement
  2. Traditional Dolev-Yao secrecy of the session key
  3. Real-or-random
Future work

• How to prove Dolev-Yao real-or-random?
  – Possibly related to Blanchet's "super secrecy"
  – Simpler form?
• Similar results for protocols using symmetric encryption, signatures, Diffie-Hellman?
Backup slides
Example: MA functionality

(Figure, rendered as a message sequence:)

  P1 → F: (start, P1, P2)
  P2 → F: (start, P2, P1)
  F → A:  (P1, P2), (P2, P1)
  A → F:  (finished, P1, P2), (finished, P2, P1)
  F → P1: (finished, P1, P2)
  F → P2: (finished, P2, P1)
Mutual Authentication

• Dolev-Yao mutual authentication (DY-MA): Adversary cannot make party P1 (locally) output (finished P1 P2) before P2 outputs (starting P1 P2), and vice-versa
• UC: FMA only sends (success P1 P2) to the participants after both submit (start P1 P2)
• Theorem: let π be a simple protocol. Then π achieves DY-MA iff π securely realizes FMA
  – (Note: UC analog to MW04)
"Simple" protocols

• Recall goal: equate DY and UC security
• Need protocols to be meaningful in both models
  – Efficient implementations (needed by UC)
  – Messages with DY-like parse trees
• Consider programs from a "programming language"
  – Equality testing, branching
  – Standard DY adversary actions
  – Uses UC-secure asymmetric encryption
  – Will probably be replaced by CPPL
UC Key-Exchange Functionality

(Figure, rendered as a message sequence:)

  P1 → FKE: (P1 P2)
  P2 → FKE: (P2 P1)
  FKE → A:  (P1 P2), (P2 P1)
  FKE:      k ← {0,1}^n
  A → FKE:  (Key P1), (Key P2)        [adversary releases the key to each party]
  FKE → P1: (Key k)
  FKE → P2: (Key k)
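As an added example (not code from the talk), the KE functionality of the slide above and of the earlier "Example: KE functionality" slide written out as a small state machine. It makes the two guarantees the talk attributes to F concrete: the adversary channel carries only the identities of the parties and their release requests, never k, and a key is released to a party only once both parties have named each other, so the two can never receive different keys. The class and method names, the 128-bit default for n, and the party names are this example's own choices.

```python
"""The UC key-exchange functionality F_KE written out as a state machine.

Parties input (P_i, P_j); F_KE reports the pair on the adversary channel,
samples k <- {0,1}^n once both parties have named each other, and releases
(Key, k) to a party only when the adversary sends (Key, P_i) for it. (Added example.)
"""
import secrets


class FKE:
    def __init__(self, n=128):
        self.n = n
        self.started = {}        # party -> peer it named in its input
        self.key = None          # k, sampled once the session is complete
        self.to_adversary = []   # everything the adversary channel ever carries
        self.outputs = {}        # party -> (Key, k) after release

    def _session_complete(self, party):
        peer = self.started.get(party)
        return peer is not None and self.started.get(peer) == party

    def start(self, party, peer):
        """Input (party, peer) from a dummy party. Only the identities leak to A."""
        if party in self.started:
            raise ValueError(f'{party} already started')
        self.started[party] = peer
        self.to_adversary.append((party, peer))
        if self.key is None and self._session_complete(party):
            self.key = secrets.randbits(self.n)   # k <- {0,1}^n, never sent to A

    def release(self, party):
        """Adversary message (Key, party). Returns whether a key was delivered."""
        if self.key is None or not self._session_complete(party):
            return False        # premature or mismatched request: ignored
        self.outputs[party] = ('Key', self.key)
        return True


def run_session(order=('P2', 'P1')):
    """One ideal-world session; the adversary picks the release order."""
    f = FKE()
    early = f.release('P1')       # before anyone has started: must be ignored
    f.start('P1', 'P2')
    f.start('P2', 'P1')
    for p in order:
        f.release(p)
    return f, early


def mismatched_session():
    """P2 names a different peer: no session, so no key is ever released."""
    f = FKE()
    f.start('P1', 'P2')
    f.start('P2', 'P3')
    return f.release('P1'), f.release('P2'), f.outputs, f.key


def adversary_sees_only_identities(f):
    return all(all(isinstance(x, str) for x in m) for m in f.to_adversary)


def parties_agree(f):
    return len(f.outputs) == 2 and len({v[1] for v in f.outputs.values()}) == 1


if __name__ == '__main__':
    f, early = run_session()
    print(early, f.to_adversary, parties_agree(f), adversary_sees_only_identities(f))
```

Everything a simulator for a real protocol has to work with is `to_adversary` plus the timing of `release`; the key itself stays inside the functionality, which is why the NSL distinguisher earlier in the talk cannot be answered by any simulator.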
Mapping lemma

• Let π be a simple protocol
• Every concrete execution of protocol π (with any concrete adversary) has a valid Dolev-Yao interpretation
• Lemma: such interpretations could almost always be generated by a Dolev-Yao adversary in a purely Dolev-Yao setting
  – Similar result to MW04
• Cor: To prove that simple protocol π securely realizes F, need only show that it achieves Dolev-Yao goal G
  – If F and G are equivalent over traces
  – Note: traces now include input/output
Protocol security

• Intuition: A protocol π securely realizes a functionality F if running π is "just like" using F

(Figure: participants P, P with adversary A  =  dummy participants P', P' using F, with adversary A)
Implications of definition

• Purpose of protocol: jointly calculate the outputs specified by the description of F
• Security: No one learns more from π than would be revealed by F
• However: the definition (in particular) requires that no adversary can distinguish the two situations
  – Can this definition be realized?