The reactive simulatability (RSIM) framework for asynchronous systems

We define reactive simulatability for general asynchronous systems. Roughly, simulatability means that a real system implements an ideal system (the specification) in a way that preserves security in a general cryptographic sense: whatever an adversary can achieve against the real system, some adversary (a simulator) can achieve against the ideal system, so that the honest users cannot tell the two apart. Reactive means that the system interacts with its users multiple times, e.g., in many concurrent protocol runs or in a multi-round game. In distributed-systems terms, reactive simulatability is a type of refinement that preserves particularly strong properties, in particular confidentiality. A core feature of reactive simulatability is composability, i.e., the real system can be plugged in instead of the ideal system within arbitrary larger systems; this is shown in follow-up papers, as is the preservation of many classes of individual security properties from the ideal to the real system. A large part of this paper defines a suitable system model. It is based on probabilistic IO automata (PIOA) with two main new features. One is generic distributed scheduling; important special cases are realistic adversarial scheduling, procedure-call-style scheduling among colocated system parts, and special schedulers such as fair ones, also in combination. The other is a definition of reactive runtime via a realization by Turing machines, under which notions like polynomial time are composable; merely bounding the complexity of each transition function of the automata is not composable. As specializations of this model we define security-specific concepts, in particular a separation between honest users and adversaries, and several trust models. The benefit of IO automata as the main model, instead of only interactive Turing machines as is usual in cryptographic multi-party computation, is that many cryptographic systems can be specified by an ideal system consisting of a single simple, deterministic IO automaton without any cryptographic objects, as many follow-up papers show. This enables the use of classic formal methods and automatic proof tools for proving larger distributed protocols and systems that use these cryptographic systems.
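As an added illustration of the real-versus-ideal comparison described above (example code written for this page, not the paper's own model or tooling): a toy secure message transmission system in the RSIM style. The real system is a one-time pad between a sender and a receiver, the ideal system is a single deterministic automaton that leaks only the message length, a simulator turns that leak into a fake ciphertext, and the adversary both clocks the network buffer and acts as master scheduler. The honest user's view (including what the adversary tells it) is computed exactly over all coin tapes, so equal distributions witness perfect simulatability for this adversary, and a "real" system that sends plaintext is caught. Machine names, port names, the ASCII clock-port suffix `<` and the two-bit message are constructed assumptions.

```python
"""Toy reactive simulatability check for secure message transmission.

Added example written for this page; it is not the paper's model or tooling.
Machines are minimal IO automata with step(port, msg, coins) -> [(out_port, msg)].
A wire "w" connects out-port "w!" to the in-port "w?" of whichever machine
declares it, and "w<" is the clock port of its FIFO buffer (the paper writes
this port as w<|!).  Buffers not listed in ADV_CLOCKED are delivered at once
(procedure-call scheduling); the adversary clocks the rest and, as master
scheduler, is activated on "clk?" whenever the system is idle.  Probabilistic
machines draw bits from a coin tape so that all runs can be enumerated exactly.
"""
import itertools
from collections import Counter

N = 2            # message length in bits (tiny so every coin tape can be enumerated)
M = "10"         # constructed message sent by the honest user
ADV_CLOCKED = {"net"}

def xor(a, b):
    return "".join("0" if x == y else "1" for x, y in zip(a, b))

def draw(coins, n):
    """Consume n bits from the coin tape."""
    return "".join(coins.pop(0) for _ in range(n))

class User:                        # honest user H: sends M, then only observes
    inputs = ("start?", "recv?", "tell?")
    def step(self, port, msg, coins):
        return [("send!", M)] if port == "start?" else []

class Sender:                      # real system, sender side: one-time pad
    inputs = ("send?",)
    def __init__(self, key): self.key = key
    def step(self, port, msg, coins):
        return [("net!", xor(msg, self.key))]

class Receiver:                    # real system, receiver side
    inputs = ("deliver?",)
    def __init__(self, key): self.key = key
    def step(self, port, msg, coins):
        return [("recv!", xor(msg, self.key))]

class Adversary:                   # controls the net buffer and talks to H
    inputs = ("clk?", "net?")
    def step(self, port, msg, coins):
        if port == "clk?":
            return [("net<", 1)]                      # schedule oldest net message
        return [("tell!", msg), ("deliver!", msg)]    # report to H, then forward

class TrustedHost:                 # ideal system: one deterministic automaton, no crypto
    inputs = ("send?", "ok?")
    def __init__(self): self.m = None
    def step(self, port, msg, coins):
        if port == "send?":
            self.m = msg
            return [("leak!", len(msg))]              # only the length leaves TH
        return [("recv!", self.m)]

class Simulator:                   # turns the length leak into a fake ciphertext
    inputs = ("leak?", "deliver?")
    def step(self, port, msg, coins):
        if port == "leak?":
            return [("net!", draw(coins, msg))]
        return [("ok!", None)]

def run(machines, coins):
    """Execute one run; return the honest user's view (its inputs and outputs)."""
    by_port = {p: m for m in machines for p in m.inputs}
    user, adv = by_port["start?"], by_port["clk?"]
    bufs, pending, view = {}, [("start", None)], []

    def emit(src, outs):
        for port, msg in outs:
            if src is user:
                view.append((port, msg))
            w = port[:-1]
            if port.endswith("<"):                   # clock: release oldest buffered message
                if bufs.get(w):
                    pending.append((w, bufs[w].pop(0)))
            elif w in ADV_CLOCKED:
                bufs.setdefault(w, []).append(msg)   # waits until the adversary clocks it
            else:
                pending.append((w, msg))             # delivered immediately

    def deliver(w, msg):
        m = by_port[w + "?"]
        if m is user:
            view.append((w + "?", msg))
        emit(m, m.step(w + "?", msg, coins))

    while True:
        while pending:
            deliver(*pending.pop(0))
        emit(adv, adv.step("clk?", None, coins))     # idle: master scheduler's turn
        if not pending:
            return tuple(view)

def real_system(coins, key=None):
    k = draw(coins, N) if key is None else key       # pre-shared one-time-pad key
    return [User(), Sender(k), Receiver(k), Adversary()]

def leaky_system(coins):
    return real_system(coins, key="0" * N)           # "encryption" that sends plaintext

def ideal_system(coins):
    return [User(), TrustedHost(), Simulator(), Adversary()]

def view_distribution(build, n_coins=N):
    """Exact distribution of H's view over all coin tapes (no sampling)."""
    dist = Counter()
    for tape in itertools.product("01", repeat=n_coins):
        coins = list(tape)
        dist[run(build(coins), coins)] += 1
    return dist

def simulatable(real_build, ideal_build):
    """H's view is identically distributed in both worlds (perfect simulatability)."""
    return view_distribution(real_build) == view_distribution(ideal_build)

if __name__ == "__main__":
    print("OTP real vs ideal:", simulatable(real_system, ideal_system))
    print("plaintext real vs ideal:", simulatable(leaky_system, ideal_system))
```

The check is deliberately exact and one-sided: it fixes one adversary and compares the honest user's view distributions for equality, which is the perfect (information-theoretic) flavour of the definition. The paper's notion quantifies over all polynomial-time honest users and adversaries, allows computational indistinguishability, and carries the full port, buffer and clock-port machinery that the toy collapses into a few dictionaries. Note also why the plaintext variant fails: the honest user's view alone would be the same in both worlds, but because the adversary may talk to the user, what it reports becomes part of that view, which is how confidentiality shows up in a simulatability statement.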
