Unifying Equivalence-Based Definitions of Protocol Security

1
Unifying Equivalence-Based Definitions of
Protocol Security
  • A. Datta, R. Küsters, J. C. Mitchell, A. Ramanathan, V. Shmatikov
  • Stanford University, SRI International

WITS April 4, 2004
2
Main Result
  • Universal composability, black box simulatability
    and process equivalence express the same
    properties of a protocol (with asynchronous
    communication)
  • Result holds for any computational model
    satisfying standard process calculus equational
    principles

3
Outline
  • Equivalence-Based Specification
    • Main Idea, Examples, Advantages
  • 3 Approaches
    • Models: Turing Machines, IO Automata, Process Calculus
    • Security Notions: UC, BB, PE
  • Comparative Study
    • Relating Security Notions
    • Relating models (WIP)

4
General approach
  • Real protocol
    • The protocol we want to use
    • Expressed precisely in some formalism
  • Ideal protocol
    • Defines the behavior we want from real protocol
    • May use unrealistic mechanisms (e.g., private channels)
    • Expressed precisely in same formalism
  • Specification
    • Real protocol indistinguishable from ideal protocol
    • Beaver 91, Goldwasser-Levin 90, Micali-Rogaway 91
    • Depends on some characterization of observability
    • Achieves compositionality

5
Secrecy for Challenge-Response
  • Real Protocol P
    • A → B: {i}_K
    • B → A: {f(i)}_K
  • Ideal Protocol Q
    • A → B: {random_number}_K
    • B → A: {random_number}_K

6
Specification with Authentication
  • Real Protocol P
    • A → B: {random i}_K
    • B → A: {f(i)}_K
    • A → B: OK if f(i) received
  • Ideal Protocol Q
    • A → B: {random i}_K
    • B → A: {random j}_K    i, j
    • A → B: OK if private i, j match public msgs

7
Pseudo-random number generators
  • Sequence from random seed (Real protocol)
    • P_n: let b = n^k-bit sequence generated from n random bits
      in PUBLIC⟨b⟩ end
  • Truly random sequence (Ideal protocol)
    • Q_n: let b = sequence of n^k random bits
      in PUBLIC⟨b⟩ end
  • P is crypto strong pseudo-random number generator
    • P ≈ Q
    • Equivalence is asymptotic in security parameter n
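
The real/ideal comparison on this slide can be run as a sampling experiment. The Python sketch below is an added example, not part of the presentation: the LCG, the SHAKE-256 expander, the observer and the choice k = 2 are all assumptions made for illustration.

```python
import hashlib
import secrets

K = 2  # assumed stretch exponent: n seed bits -> n**K output bits

def lcg_P(seed: int, n: int) -> list[int]:
    """Weak real protocol P_n: publish n**(K-1) successive n-bit LCG states."""
    a, c, mask = 6364136223846793005, 1442695040888963407, (1 << n) - 1
    words, x = [], seed & mask
    for _ in range(n ** (K - 1)):
        x = (a * x + c) & mask
        words.append(x)
    return words

def shake_P(seed: int, n: int) -> list[int]:
    """Candidate P_n: expand the seed with SHAKE-256 (assumed to be a good PRG)."""
    size = n // 8
    stream = hashlib.shake_256(seed.to_bytes(size, "big")).digest(size * n ** (K - 1))
    return [int.from_bytes(stream[i:i + size], "big") for i in range(0, len(stream), size)]

def ideal_Q(n: int) -> list[int]:
    """Ideal protocol Q_n: publish n**K truly random bits as n-bit words."""
    return [secrets.randbits(n) for _ in range(n ** (K - 1))]

def lcg_observer(words: list[int], n: int) -> int:
    """Observer: output 1 iff every word follows from the previous one by the LCG step."""
    a, c, mask = 6364136223846793005, 1442695040888963407, (1 << n) - 1
    return int(all((a * u + c) & mask == v for u, v in zip(words, words[1:])))

def advantage(real_P, observer, n: int, trials: int = 200) -> float:
    """Estimate |Pr[observer(P_n)=1] - Pr[observer(Q_n)=1]| by sampling."""
    hits_real = sum(observer(real_P(secrets.randbits(n), n), n) for _ in range(trials))
    hits_ideal = sum(observer(ideal_Q(n), n) for _ in range(trials))
    return abs(hits_real - hits_ideal) / trials

if __name__ == "__main__":
    for n in (16, 32, 64):  # the LCG gap does not shrink as n grows, so P is not ≈ Q
        print(n, advantage(lcg_P, lcg_observer, n), advantage(shake_P, lcg_observer, n))
```

An advantage near 0 against this one observer does not establish P ≈ Q, which quantifies over all efficient observers; an advantage near 1 is enough to refute it.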

8
Many more
  • Commitment Schemes
  • Signature Schemes
  • Key Exchange
  • Secure channels
  • Secure Multiparty Computation

9
Compositionality
  • Crypto primitives
    • Cipher text indistinguishable from noise
    • ⇒ encryption secure in all protocols
  • Protocols
    • Protocol indistinguishable from ideal key distribution
    • ⇒ protocol secure in all systems that rely on secure key distributions

10
Outline
  • Equivalence-Based Specification
  • 3 Schools of Thought
    • Models: Turing Machines, IO Automata, Process Calculus
    • Security Notions: UC, BB, PE
  • Comparative Study

11
Three technical settings
  • [Can] Universal composability
    • Condition: two adversaries and environment
    • Computation: Communicating Turing machines
  • [PW] Black-box simulatability
    • Condition: one adversary, simulator, environment
    • Computation: I/O automata
  • [AG, LMMRST] Process equivalence
    • Condition: observational equivalence
    • Computation: ppoly or nondet process calculus

12
More Background
Security notions (table columns): Universal Compos. | Black-box Simulat. | Observ. Equiv.
Entries by computational model (table rows):
  • Communicating Turing Machines: Canetti
  • I/O Automata: Pfitz-W, Pfitz-W
  • Nondet. Process Calculus: Spi, Applied π
  • Prob Poly Process Calculus: LMMRST

13
This study
Security notions (table columns): Universal Compos. | Black-box Simulat. | Observ. Equiv.
Entries by computational model (table rows):
  • Communicating Turing Machines: Canetti
  • I/O Automata: Pfitz-W, Pfitz-W
  • Nondet. Process Calculus: Spi, Applied π
  • Prob Poly Process Calculus: LMMRST
  • Axiomatic Calculus: UC, BB, PE

Compare conditions over uniform computation model

14
Ideal functionality (UC,BB)
  • What is the ideal key exchange protocol?
    • Clients ask server for key, receive response?
    • Server chooses keys and sends secretly?
  • Issue
    • Easy to distinguish number of messages
    • No canonical key exchange protocol is equivalent to all secure key exchange protocols
  • Ideal functionality
    • Not a protocol with number of messages, etc.
    • A functionality that can be used to create ideal protocols

15
Adversary vs. Environment (UC,BB)
  • Adversary
    • Interacts with protocol over network
    • Sees and delivers messages from A to B
  • Environment
    • Represents the configuration of honest users who are trying to use the protocol
    • Provides input to and observes output of protocol
  • Example: using SSL protocol through IE
    • Input (start session), output (key) of SSL (environment)
    • Actual SSL messages on network (adversary)

Separation of net and io channels of a protocol
16
Universal composability (UC)
  • Given
    • Protocol P
    • Ideal functionality F
  • Require
    • For every adversary A1 for P, there exists an adversary A2 for F revealing same information in any environment E

[Figure: E connected by io channels to P and A1 (linked by net), and E connected by io channels to F and A2 (linked by net)]

17
Black-box simulatability
  • Given
    • Protocol P
    • Ideal functionality F
  • Require
    • There exists a simulator S such that for any adversary A, protocols P and S | F reveal same information in any environment E

[Figure: E connected by io channels to P and A (linked by net), and E connected by io channels to F and A, with S between F (sim) and A (net)]

18
Observational Equivalence
  • Given
    • Protocol P
    • Ideal protocol Q (not functionality F)
  • Require
    • Protocols P and Q reveal same information in any context C
    • Context: attacker and environment

[Figure: context C (E and A) connected to P by io and net, and the same context connected to Q by io and net]

19
Comparison
  • UC and BB
    • Ideal functionality allows single specification, regardless of communication pattern of protocol
    • - Separate adversary and environment: not clear if useful, except in exposition
  • Observational equivalence
    • Standard relation, well-known properties
    • Bisimulation technique
    • Proof system
    • - No ideal functionality

20
Process Equivalence
  • Given
    • Protocol P
    • Ideal functionality F
  • Require
    • There exists a simulator S such that protocols P and S | F reveal same information in any context C
    • Context: attacker and environment

[Figure: context C (E and A) connected to P by io and net, and the same context connected to F by io, with S between F (sim) and the context (net)]

21
Outline
  • Equivalence-Based Specification
  • 3 Schools of Thought
  • Comparative Study
    • Process calculus syntax
    • Equational Principles
    • Security Definitions
    • Results

22
Process Calculus
  • Syntax
      P ::= 0
          | out(c,T). P      send
          | in(c,x). P       receive
          | νc. (P)          private channel
          | [T=T] P          test
          | P | P            parallel composition
          | !_{q(n)}. P      bounded replication

23
Equational principles
  • P | Q ≈ Q | P
  • P | (Q | R) ≈ (P | Q) | R
  • νc. P ≈ νd. [d/c]P
  • νc. C[P] ≈ C[νc. P]    if c ∉ channels(C[0])
  • P ≈ Q ⇒ Q ≈ P
  • P ≈ Q, Q ≈ R ⇒ P ≈ R
  • P ≈ Q ⇒ C[P] ≈ C[Q]

Prove results using these properties of process
calculus
24
Formal definitions
  • Universal composability
    • ∀A1 ∃A2 . ν net (P | A1) ≈ ν net (F | A2)
  • Black-box simulatability
    • ∃S ∀A . ν net (P | A) ≈ ν net (ν sim (F | S) | A)
  • Process equivalence
    • ∃S . P ≈ ν sim (F | S)
  • Notes
    • Relation ≈ includes quantifying over environments
    • Scoping restricts access to channels, e.g., environment does not see network

25
Results
  • UC and BB
    • Equivalent w/ synchronous communication
    • Equivalent w/ asynchronous communication
  • BB and Process Equivalence (PE)
    • PE implies BB in synch communication
    • PE equivalent to BB with asynch communication
  • Results hold for any computational framework satisfying standard equational principles (PPC, spi, …)

26
Proof sketch (also have nice pictures)
  • PE ⇒ BB ⇒ UC: Easy. Congruence and quantifier order.
  • UC ⇒ BB
  • BB ⇒ PE
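
The congruence step of the easy direction, PE implies BB, written out as an added derivation (not from the slides) in the notation of the formal definitions and equational principles. Fix the simulator $S$ given by PE, take any adversary $A$, and apply the congruence principle $P \approx Q \Rightarrow C[P] \approx C[Q]$ with the context $C[\cdot] = \nu\,\mathit{net}\,([\cdot] \mid A)$:

\[
\begin{aligned}
& P \approx \nu\,\mathit{sim}\,(F \mid S) && \text{(PE, for the fixed } S\text{)}\\
\Rightarrow\ & C[P] \approx C[\nu\,\mathit{sim}\,(F \mid S)] && \text{(congruence)}\\
\Rightarrow\ & \nu\,\mathit{net}\,(P \mid A) \approx \nu\,\mathit{net}\,(\nu\,\mathit{sim}\,(F \mid S) \mid A) && \text{(unfolding } C\text{)}
\end{aligned}
\]

Because $S$ was fixed before $A$ was chosen, the quantifiers read $\exists S\,\forall A$, which is the black-box simulatability condition.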

27
Key Lemmas
  • Double buffering
    • One asynchronous buffer is indistinguishable from the composition of two
  • Dummy adversary and buffer
    • Composing a dummy adversary (that just sends network information to the environment) with asynchronous buffer is indistinguishable from a buffer alone

28
Synchronous communication
  • Buffering fails (BB does not imply PE)
    • With synchronous communication, adding a buffer or dummy adversary can change the observable order of actions

[Figure: two diagrams; the first with P, F, S and two copies of A over io, net and sim channels, the second with P, F, S over io, net and sim channels]

29
Conclusions and Future Work
  • UC, BB, PE equivalent notions of security. So,
    use PE (simplest)
  • Complete this study
  • Relate computational models
  • Do results transfer?

30
Questions?