Games and the Impossibility of Realizable Ideal Functionality

A cryptographic primitive or a security mechanism can be specified in a variety of ways, such as a condition involving a game against an attacker, construction of an ideal functionality, or a list of properties that must hold in the face of attack. While game conditions are widely used, an ideal functionality is appealing because a mechanism that is indistinguishable from an ideal functionality is therefore guaranteed secure in any larger system that uses it. We relate ideal functionalities to games by defining the set of ideal functionalities associated with a game condition and show that under this definition, which reflects accepted use and known examples, bit commitment, a form of group signatures, and some other cryptographic concepts do not have any realizable ideal functionality.

[1]  Silvio Micali,et al.  Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements , 2000, EUROCRYPT.

[2]  Bernhard Steffen,et al.  Reactive, Generative and Stratified Models of Probabilistic Processes , 1995, Inf. Comput..

[3]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[4]  Michael Backes,et al.  How to Break and Repair a Universally Composable Signature Functionality , 2004, ISC.

[5]  Ueli Maurer,et al.  Indistinguishability of Random Systems , 2002, EUROCRYPT.

[6]  Martín Abadi,et al.  A Calculus for Cryptographic Protocols: The spi Calculus , 1999, Inf. Comput..

[7]  Mihir Bellare,et al.  Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions , 2003, EUROCRYPT.

[8]  Hugo Krawczyk,et al.  Universally Composable Notions of Key Exchange and Secure Channels , 2002, EUROCRYPT.

[9]  Victor Shoup,et al.  Sequences of games: a tool for taming complexity in security proofs , 2004, IACR Cryptol. ePrint Arch..

[10]  Vitaly Shmatikov,et al.  Unifying Equivalence-Based Definitions of Protocol Security , 2004 .

[11]  Amit Sahai,et al.  Relaxing Environmental Security: Monitored Functionalities and Client-Server Computation , 2005, TCC.

[12]  Ran Canetti,et al.  Universally Composable Commitments , 2001, CRYPTO.

[13]  Birgit Pfitzmann,et al.  Composition and integrity preservation of secure reactive systems , 2000, CCS.

[14]  Robin Milner,et al.  Communication and concurrency , 1989, PHI Series in computer science.

[15]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[16]  John C. Mitchell,et al.  Probabilistic Polynomial-Time Equivalence and Security Analysis , 1999, World Congress on Formal Methods.

[17]  John C. Mitchell,et al.  A Probabilistic Polynomial-time Calculus For Analysis of Cryptographic Protocols (Preliminary Report) , 2001, MFPS.

[18]  John C. Mitchell,et al.  A probabilistic poly-time framework for protocol analysis , 1998, CCS '98.

[19]  Moni Naor,et al.  Bit commitment using pseudorandomness , 1989, Journal of Cryptology.

[20]  Richard E. Overill,et al.  Foundations of Cryptography: Basic Tools , 2002, J. Log. Comput..

[21]  Ran Canetti,et al.  Universally composable signature, certification, and authentication , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[22]  Yehuda Lindell,et al.  Universally composable two-party and multi-party secure computation , 2002, STOC '02.

[23]  Yehuda Lindell,et al.  On the Limitations of Universally Composable Two-Party Computation Without Set-Up Assumptions , 2003, Journal of Cryptology.

[24]  Paula Severi Type Inference for Pure Type Systems , 1998, Inf. Comput..

[25]  Birgit Pfitzmann,et al.  Limits of the Cryptographic Realization of Dolev-Yao-Style XOR , 2005, ESORICS.

[26]  Mihir Bellare,et al.  OCB: a block-cipher mode of operation for efficient authenticated encryption , 2001, CCS '01.

[27]  John C. Mitchell,et al.  A derivation system and compositional logic for security protocols , 2005, J. Comput. Secur..

[28]  Amit Sahai,et al.  New notions of security: achieving universal composability without trusted setup , 2004, STOC '04.

[29]  John C. Mitchell,et al.  A linguistic characterization of bounded oracle computation and probabilistic polynomial time , 1998, Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No.98CB36280).

[30]  Birgit Pfitzmann,et al.  A composable cryptographic library with nested operations , 2003, CCS '03.

[31]  Birgit Pfitzmann,et al.  A General Composition Theorem for Secure Reactive Systems , 2004, TCC.

[32]  John C. Mitchell,et al.  Probabilistic Bisimulation and Equivalence for Security Analysis of Network Protocols , 2004, FoSSaCS.

[33]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[34]  Birgit Pfitzmann,et al.  Limits of the Reactive Simulatability/UC of Dolev-Yao Models with Hashes , 2006, IACR Cryptol. ePrint Arch..

[35]  Birgit Pfitzmann,et al.  Symmetric encryption in a simulatable Dolev-Yao style cryptographic library , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[36]  Martín Abadi,et al.  A calculus for cryptographic protocols: the spi calculus , 1997, CCS '97.

[37]  Ralf Küsters,et al.  On the Relationships Between Notions of Simulation-Based Security , 2005, TCC.

[38]  John C. Mitchell,et al.  A modular correctness proof of IEEE 802.11i and TLS , 2005, CCS '05.