The layered games framework for specifications and analysis of security protocols

We establish rigorous foundations for the use of modular, layered design in building complex distributed systems that are resilient to failures and attacks. Layering is central to the design of the Internet and of other distributed systems, so solid theoretical foundations are essential, especially in adversarial settings. In our framework, a protocol realises a layer (over some lower layer) if it 'wins' a specified game with high probability when running over any implementation of the lower layer. This contrasts with existing frameworks for modular design of cryptographic protocols, where a protocol must emulate an ideal functionality. Ideal functionalities are a very elegant method of specification, but we argue that game-based specifications are often more appropriate: they avoid over-specification ('forcing' a particular design) and under-specification (e.g. protocols that work poorly against realistic adversaries). Our results allow each layer to be specified and analysed independently, and the results to be combined to ensure properties of the complete system.
