Unifying Equivalence-Based Definitions of Protocol Security A Datta

Unifying Equivalence-Based Definitions of Protocol Security A. Datta, R. Küsters, J. C. Mitchell, A. Ramanathan, V. Shmatikov Stanford University SRI International

Main Result u. Universal composability, black box simulatability and process equivalence express the same properties of a protocol (with asynchronous communication) • Result holds for any computational model satisfying standard process calculus equational principles

Outline u. Equivalence-Based Specification • Main Idea, Examples, Advantages u 3 Approaches • Models: Turing Machines, IO Automata, Process Calculus • Security Notions: UC, BB, PE u. Comparative Study • Relating Security Notions • Relating models (WIP)

General approach u Real protocol • The protocol we want to use • Expressed precisely in some formalism u Ideal protocol • Defines the behavior we want from real protocol • May use unrealistic mechanisms (e. g. , private channels) • Expressed precisely in same formalism u Specification • Real protocol indistinguishable from ideal protocol • Beaver ‘ 91, Goldwasser-Levin ‘ 90, Micali-Rogaway ’ 91 • Depends on some characterization of observability u Achieves compositionality

Secrecy for Challenge-Response u. Real Protocol P A B: { i } K B A: { f(i) } K u. Ideal Protocol Q A B: { random_number } K B A: { random_number } K

Specification with Authentication u. Real Protocol P A B: { random i } K B A: { f(i) } K A B: “OK” if f(i) received u. Ideal Protocol Q A B: { random i } K public channel private channel B A: { random j } K i , j public channel A B: “OK” private channel if private i, j match public msgs

Pseudo-random number generators u. Sequence from random seed (Real protocol) Pn: let b = nk-bit sequence generated from n random bits in PUBLIC b end u. Truly random sequence (Ideal protocol) Qn: let b = sequence of nk random bits in PUBLIC b end u. P is crypto strong pseudo-random number generator P Q Equivalence is asymptotic in security parameter n

Many more… u. Commitment Schemes u. Signature Schemes u. Key Exchange u. Secure channels u. Secure Multiparty Computation

Compositionality u. Crypto primitives • Cipher text indistinguishable from noise encryption secure in all protocols u. Protocols • Protocol indistinguishable from ideal key distribution protocol secure in all systems that rely on secure key distributions

Outline u. Equivalence-Based Specification u 3 Schools of Thought • Models: Turing Machines, IO Automata, Process Calculus • Security Notions: UC, BB, PE u. Comparative Study

Three technical settings u. Can, …: Universal composability • Condition: two adversaries and environment • Computation: Communicating Turing machines u. PW, … : Black-box simulatability • Condition: one adversary, simulator, environment • Computation: I/O automata u. AG, LMMRST, …: Process equivalence • Condition: observational equivalence • Computation: ppoly or nondet process calculus

More Background Universal Black-box Compos. Simulat. Communicating Turing Machines Canetti I/O Automata Pfitz-W Observ. Equiv. Nondet. Process Calculus Prob Poly Process Calculus Pfitz-W Spi, Applied LMMRST

This study Universal Black-box Compos. Simulat. Communicating Turing Machines Canetti I/O Automata Pfitz-W Observ. Equiv. Pfitz-W Nondet. Process Calculus Spi, Applied LMMRST Prob Poly Process Calculus Axiomatic Calculus UC BB PE Compare conditions over uniform computation model

Ideal functionality (UC, BB) u. What is the ideal key exchange protocol? • Clients ask server for key, receive response? • Server chooses keys and sends secretly? u. Issue • Easy to distinguish number of messages • No “canonical” key exchange protocol is equivalent to all secure key exchange protocols u. Ideal functionality • Not a protocol with number of messages, etc. • A functionality that can be used to create ideal protocols

Adversary vs. Environment (UC, BB) u. Adversary • Interacts with protocol over network • Does not choose messages to send, contract to sign, certificate authority, … u. Environment • Represents the configuration of honest users who are trying to use the protocol • Provides input to and observes output of protocol • Example – Kerberos TGS, KDC, clients, servers set by environment Separation of net and io channels of a protocol

Universal composability (UC) u Given • Protocol P • Ideal functionality F u Require • For every adversary A 1 for P, there exists an adversary A 2 for F revealing same information in any environment E E io io io P net A 1 E F net io A 2

Black-box simulatability u Given • Protocol P • Ideal functionality F u Require • There exists a simulator S such that for any adversary A, protocols P and S F reveal same information in any environment E E E io io P net A io F sim S net io A

Observational Equivalence u Given • Protocol P • Ideal protocol Q (not functionality F) u Require • Protocols P and Q reveal same information in any context C[] Context = attacker + environment C[]= E + A io C[]= E + A net P io net Q

Comparison u. UC and BB + ideal functionality: allows single specification, regardless of communication pattern of protocol - Separate adversary and environment : Not clear if useful, except in exposition u. Observational equivalence + Standard relation, well-known properties + Bisimulation technique + Proof system - No ideal functionality

Process Equivalence u Given • Protocol P • Ideal functionality F u Require • There exists a simulator S such that protocols P and S F reveal same information in any context C[] Context = attacker + environment C[]= E + A io C[]= E + A net P io net F sim S

Outline u. Equivalence-Based Specification u 3 Schools of Thought u. Comparative Study • • Process calculus Equational Principles Security Definitions Results

Process Calculus u. Syntax P : : = 0 | out(c, T). P | in(c, x). P | c. (P) | [T=T] P | P|P | ! q(|n|). P send receive private channel test parallel composition bounded replication

Equational principles u. P | Q Q | P u. P | (Q | R) (P | Q) | R u. P | 0 P u c. P d. [d/c]P u c. C[P] C[ c. P] c channels( C[0] ) u. P Q Q P u. P Q, Q R P R u. P Q C[P] C[Q] Prove results using these properties of process calculus

Formal definitions u. Universal composability A 1 A 2. net(P | A 1) net(F | A 2) u. Black-box simulatability S A. net(P | A) net( sim(F|S)|A) u. Process equivalence S. P sim(F | S) Notes • Relation includes quantifying over environments • Divide channels into network channels, environment (io) channels

Results u. UC and BB • Equivalent w/synchronous communication • Equivalent w/asynchronous communication u. BB and Process Equivalence (PE) • PE implies BB in synch communication • PE equivalent BB with asynch communication Results hold for any computational framework satisfying standard equational principles (PPC, spi, …)

Proof sketch (also have nice pictures) u PE BB UC : Easy. Congruence and quantifier order. u UC BB u BB PE

Key Lemmas u. Lemma 6. Scope Extrusion • c. (P | Q) ( c. P) | Q c channels( Q ) u. Lemma 8. Double buffering • One asynchronous buffer is indistinguishable from the composition of two u. Lemma 9. Dummy adversary and buffer • Composing a dummy adversary (that just sends network information to the environment) with asynchronous buffer is indistinguishable from a buffer alone

Synchronous communication u Buffering fails (BB does not imply PE) • With synchronous communication, adding a buffer or dummy adversary can change the observable order of actions io io P net io io A net P io F sim S net A io net F sim S

Conclusions and Future Work u. UC, BB, PE: equivalent notions of security. So, use PE (simplest) u. Complete this study • Relate computational models • Do results transfer?

Questions?

Language Approach u. Write protocol in process calculus • Accepted and long-studied approach to concurrency u. Express security using observational equivalence • Standard relation from programming language theory P Q iff for all contexts C[ ], same observations about C[P] and C[Q] • Inherently compositional • Context represents adversary u. Use proof rules for to prove security • Protocol is secure if no adversary can distinguish it from some idealized version of the protocol