Unifying Simulatability Definitions in Cryptographic Systems under Different Timing Assumptions (Extended Abstract) by Backes, Michael
Technical Report: Unifying Simulatability Definitions in
Cryptographic Systems under Different Timing Assumptions∗
Michael Backes
Saarland University
backes@cs.uni-sb.de
January 28, 2007
Abstract
The cryptographic concept of simulatability has become a salient technique for faithfully analyzing
and proving security properties of arbitrary cryptographic protocols. We investigate the relationship
between simulatability in synchronous and asynchronous frameworks by means of the formal models
of Pfitzmann et al., which are seminal in using this concept in order to bridge the gap between the
formal-methods and the cryptographic community. We show that the synchronous model can be seen
as a special case of the asynchronous one with respect to simulatability, i.e., we present an embedding
from the synchronous model into the asynchronous one that we show to preserve simulatability. We
show that this result allows for carrying over lemmas and theorems that rely on simulatability from the
asynchronous model to its synchronous counterpart without any additional work, hence future work on
enhancing simulatability-based models can concentrate on the more general asynchronous case.
Keywords: Probabilistic systems, security, simulatability, cryptography, synchronous / asynchronous
1 Introduction
In recent times, the analysis of cryptographic protocols has been getting more and more attention, and the
demand for general frameworks for representing cryptographic protocols and the security requirements of
cryptographic tasks has been rising. Existing framework are either motivated by the complexity-theoretic
view on cryptography, which aims at proving cryptographic protocols with respect to the cryptographic
semantics, or they are motivated by the view of the formal-methods community, which aims at capturing
abstractions of cryptography in order to make such protocols accessible for formal verification. Frameworks
built on abstractions of cryptography will be further dealt with in the related literature along with a discussion
on the cryptographic justification of these abstractions.
For living up to the probabilistic nature of cryptography, a framework for dealing with actual cryp-
tography necessarily has to be able to deal with probabilistic behaviors. The standard understanding in
well-known, non security-specific probabilistic frameworks like [3, 4] is that the order of events is fixed
by means of a probabilistic scheduler that has full information about the system. In contrast to that, the
standard understanding in cryptology (closest to a rigorous definition in [5]) is that the adversary schedules
everything, but only with realistic information. This corresponds to making a certain subclass of sched-
ulers explicit for the model from [3]. However, if one splits a machine into local submachines, or defines
∗Earlier versions of this paper appeared in [1, 2].
1
intermediate systems for the purposes of proof only, this may introduce many schedules that do not corre-
spond to a schedule of the original system and therefore just complicate the proofs. The typical solution is
a distributed definition of scheduling which allows machines that have been scheduled to schedule certain
(statically fixed) other machines themselves.
Based on these requirements, several general definitions of secure protocols were developed over the
years, e.g. [6, 7, 8, 9, 10, 11, 12, 13, 14, 15], with many individual extensions in subsequent papers, e.g.,
[16, 17], which are all potential candidates for such a framework. To allow for a faithful analysis of cryp-
tographic protocols, it is well-known that such models not only have to capture probabilistic behaviors, but
also complexity-theoretically bounded adversaries as well as a reactive environment of the protocol, i.e.,
continuous interaction with the users and the adversary. Unfortunately, most of the above work does not
live up to these requirements in spite of its generality, mainly since it concentrates on the task of secure
function evaluation, which does not capture a reactive environment. Currently, the models of Pfitzmann et
al. [10, 13, 15] and Canetti [14], which have been developed concurrently but independently, seem to be
establishing themselves as the standard models for sound protocol analysis and design.
Regarding the underlying definition of time, such models can be split into synchronous and asyn-
chronous ones. In synchronous models [10], time is assumed to be expressible in rounds, whereas asyn-
chronous scenarios [13, 14, 15] do not impose any assumption on time. This makes asynchronous scenarios
attractive since no assumption is made about network delays and the relative execution speed of the parties.
Moreover, the notion of rounds is difficult to justify in practice as it seems to be very difficult to estab-
lish them for the Internet for example. This attractiveness is substantiated by a large body of literature on
asynchronous cryptographic protocols, e.g., [19, 20]. However, time guarantees are sometimes explicitly
desired, e.g., on when a process can abort. Hence assumptions have to be made in this case, which induce a
certain amount of synchrony again. This sometimes makes a synchronous assumption of time nevertheless
necessary in practice, e.g., in Kerberos [21].
Hence researchers usually restrict their attention to one definition of time, or they are driving double-
tracked by maintaining two separate models which, however, presupposes proving every theorem for both
models. This is not nice. An alternative approach, taken in this work, is to show that the synchronous model
can be regarded as a special case of an asynchronous one, and hence does not have to be further advanced
separately, but still can be used to conveniently express synchronous protocols.
Although this idea might not be surprising, it is very difficult to achieve since it turns out that carrying
over general results from the asynchronous to the embedded synchronous model presupposes the possibility
of (at least partially) reversing the considered embedding. Recall that suitable frameworks, especially the
framework of Pfitzmann et al., have a distributed scheduling which significantly complicates this reversion.
Formally, a special case means that there is an embedding from the synchronous model into the asyn-
chronous model that preserves a desired property. Which property has to be preserved depends on the goals
to strive for. For cryptographic protocols, the property of simulatability stands out. Simulatability cap-
tures the notion of a cryptographically secure implementation and serves as a link to the formal-methods
community, which typically only hold a top-level view of cryptography, where cryptographic primitives
are replaced by deterministic abstractions. A more comprehensive discussion of simulatability and its rela-
tionship to protocol verification work done by the formal-methods community is given in the paragraph on
related literature below.
In the following, we investigate the synchronous and asynchronous models of Pfitzmann et al. [10, 13,
15], which are seminal in using the concept of simulatability to bridge the gap between the formal-methods
and the cryptographic community. We show that the synchronous model can be embedded in the asyn-
chronous model such that simulatability is preserved by this embedding, i.e., if two systems fulfill the sim-
ulatability relation in the synchronous model, their respective images fulfill the relation in the asynchronous
model and vice versa. We show that this result allows for carrying over lemmas and theorems from the
2
asynchronous case to the synchronous case without proving them twice, hence future work on enhancing
simulatability-based models can concentrate on the more general asynchronous case. We are confident that
this result helps to make future protocol analysis in these models more convenient and more efficient.
Moreover, we believe that our approach for establishing the embedding and its properties can be suc-
cessfully used for other models with only minor changes. Especially the asynchronous model of Canetti
is surely worth to be investigated. However, his corresponding synchronous model [12] is still specific for
secure function evaluation; hence adopting it to a reactive environment is a necessary prerequisite for this
future work. The lack of such a reactive synchronous model was – besides the fact that the models of Pfitz-
mann et al. are more rigorously defined than the one of Canetti – our main reason why we decided to base
our work on the model of Pfitzmann et al.
Related Literature. If cryptographic protocols should be verified using formal methods, some kind of
abstraction is needed as the underlying reduction proofs of cryptography are still out of scope of current
verification techniques.1 This abstraction is usually based on the so-called Dolev-Yao abstraction [25],
which considers cryptographic primitives, e.g., E for encryption and D for decryption, as operators in a free
algebra where only predefined cancellation rules hold. For instance, twofold encryption of a message m
does not yield another message from the basic message space but the term E(E(m)). A typical cancellation
rule is D(E(m)) = m. This abstraction simplifies proofs of larger protocols considerably, and it gave rise
to a large body of literature on analyzing the security of protocols using techniques for formal verification
of computer programs (a very partial list of work includes [26, 27, 28, 29, 30, 31, 32, 33, 34, 35]).
Since this line of work turned out to be very successful, the interesting question arose whether these ab-
stractions are indeed justified from the view of cryptography, i.e., whether properties proved for the abstrac-
tions are still valid for the cryptographic implementation. Such cryptographic underpinnings of a Dolev-Yao
model were first addressed by Abadi and Rogaway in [36]. However, they only handled passive adversaries
and symmetric encryption. The protocol language and security properties handled were extended in [37, 38],
but still only for passive adversaries. This excludes most of the typical ways of attacking protocols, e.g.,
man-in-the-middle attacks and attacks by reusing a message part in a different place or a concurrent protocol
run. A full cryptographic justification for a Dolev-Yao model, i.e., for arbitrary active attacks and within ar-
bitrary surrounding interactive protocols, was first given in [39, 40], with extensions in [41, 42].2 It supports
nested operations in the intuitive sense; operations that are performed locally are not visible to the adver-
sary. It is secure against arbitrary active attacks, and works in the context of arbitrary surrounding interactive
protocols. This holds independently of the goals that one wants to prove about the surrounding protocols;
in particular, property preservation theorems for the simulatability definition we use have been proved for
integrity, fairness, liveness, and non-interference [45, 46, 47, 48, 49, 50]. Moreover, tailored tool support
for this library was subsequently added [51, 52]. Based on the specific Dolev-Yao model whose soundness
was proven in these papers, several well-known security protocols were proved in a computationally sound
manner [53, 54, 55, 56, 57, 58]. This shows that in spite of adding certain operators and rules compared with
simpler Dolev-Yao models (in order to be able to use arbitrary cryptographically secure primitives without
too many changes in the cryptographic realization), such a proof is possible in the style already used in
automated tools, only now with a sound cryptographic basis. Another cryptographically sound proof of this
protocol was concurrently developed by Warinschi [59]. The proof establishes a stronger security property
1Efforts are also under way to formulate syntactic calculi for dealing with probabilism and polynomial-time considerations, in
particular [22, 9, 23, 24] and, as a second step, to encode them into proof tools. However, this approach can not yet handle protocols
with any degree of automation. Generally it should be seen as complementary to, rather than competing with, the approach of getting
simple deterministic abstractions of cryptography and working with those wherever cryptography is only used in a blackbox way.
2In more recent work, drawing upon insides gained from the proof of the cryptographic library, we showed that widely consid-
ered symbolic abstractions of hash functions and of the XOR operation cannot be proven computationally sound in general, hence
indicating that their current symbolic representations might be overly simplistic [43, 44].
3
but is conducted from scratch in the cryptographic approach which takes it out of the scope of formal proof
tools. Laud [60] has presented a cryptographic underpinning for a Dolev-Yao model of symmetric encryp-
tion under active attacks. His work enjoys a direct connection with a formal proof tool, but it is specific to
certain confidentiality properties, restricts the surrounding protocols to straight-line programs in a specific
language, and does not address a connection to the remaining primitives of the Dolev-Yao model. Herzog et
al. [61, 62] and Micciancio and Warinschi [63] have recently also given a cryptographic underpinning under
active attacks. Their results are considerably weaker than the one in [39] since they are specific for public-
key encryption; moreover, the former relies on a stronger assumption whereas the latter severely restricts
the classes of protocols and protocol properties that can be analyzed using this primitive. Section 6 of [63]
further points out several possible extensions of their work which all already exist in the earlier work of [39].
Guttman et al. [64] show that the probability of two executions of the same protocol – either executed in a
Dolev-Yao-like framework or using real cryptographic primitives – may deviate from each other at most for
a certain bound. However, their results are specific for the Wegman-Carter system so far. Moreover, as this
system is information-theoretically secure, its security proof is much easier to handle than primitives with
security guarantees only against computationally bounded adversaries since no reduction proofs against un-
derlying number-theoretic assumptions have to be made. Some further approaches for special security goals
or primitives are [65, 38].
The first full justification of a Dolev-Yao model presented in [39] was achieved by exploiting the concept
of simulatability, which serves as a cryptographically sufficient relationship between abstract specifications
and cryptographic implementations, i.e., abstractions which can be shown to simulate a given implemen-
tation in a particular sense are known to be sound with respect to the security definitions of cryptography.
Simulatability was first invented for multi-party function evaluation [66, 6, 8, 7, 12], i.e., systems with only
one initial input set and only one output set. An extension to a reactive scenario, where participants can make
new inputs many times, e.g., start new sessions like key exchanges, was first fully defined in [67], with exten-
sions to asynchronous systems in [13, 14, 15]. Each of the three considered models was already successfully
used to built up sound abstractions of various cryptographic primitives like secure channels [13, 14], certified
mail [68], or key exchange [69, 70].
Comparing the models of Canetti and Pfitzmann et al., we can first state that both models enjoy very
general composition theorems (where the first composition theorems in [71, 13] were superseded by the
theorem in [14], and again by the one in [72]). Now on the one hand, Canetti’s model has been used to
address more abstractions of stand-alone cryptographic primitives so far like secure multi-party computa-
tion [73] or commitments [74]. On the other hand, the asynchronous model of Pfitzmann et al. was used
to solve the long-standing open problem of justifying a Dolev-Yao type model of cryptography as used in
virtually all automated protocol provers: the aforementioned cryptographic library from [39]. This library
is a flexible toolbox for constructing abstract nested cryptographic terms and for using them in arbitrary
protocols, together with a cryptographic realization provably secure under arbitrary active attacks in the
standard model of cryptography. Together with composition and preservation theorems of the underlying
model, the library serves as the foundation for machine-assisted reasoning about cryptographic protocols
while nevertheless providing a provably secure implementation. Furthermore, the models of Pfitzmann et
al. are more rigorously defined and early examples of tool-supported proofs in their models exist [16, 45],
using PVS [75].
Outline. In Section 2 we review the reactive models for synchronous and asynchronous time. In Section 3,
we explain how the embedding works and give a rigorous definition. Starting with a proof sketch of the first
embedding theorem in Section 4 (there will be two of them) and some lemmas capturing essential steps in
the theorem’s proof, we fade to the embedding theorems in Section 5. In conjunction, both theorems allow
for carrying over theorems from the asynchronous to the synchronous case, which is shown in Section 6 by
4
M
2
M
3
M
1
M
2
M
3
Figure 1: A collection of three machines is shown on the left. Solid arrows represent channels. The dashed
arrow depicts that M1 schedules messages on the channel from M2 to M3. Each channel implicitly contains
a buffer for storing messages in transit, shown on the right.
means of an example.
2 Review of the Reactive Models in Synchronous and Asynchronous Net-
works
In this section we review the synchronous and the asynchronous model for probabilistic reactive systems as
introduced in [10] and [13, 15], respectively. Several definitions are only sketched, whereas those that are
essential for understanding our upcoming results are given in full detail. To simplify the basic understanding
of these models, we start with an informal overview of the more complex asynchronous model and the
distributed scheduling scheme.
2.1 Informal Overview of the Asynchronous Model
We consider sets of asynchronously communicating probabilistic state machines; such sets are called col-
lections of machines. The left-hand side of Figure 1 sketches a collection of three machines connected via
channels represented by solid arrows. To model asynchronous timing, messages sent between the machines
stay on their respective channel until they are scheduled. Technically, each channel contains an additional
machine called a buffer, which stores messages in transit. This is shown on the right-hand side of Figure 1.
When M2 sends a message to M3, this message is stored in the buffer. An incoming message at a clock
channel for the buffer, represented by the dashed arrow, is interpreted as a number i, and the i-th message
in the buffer is removed and output to M3. Buffers need not be specified explicitly; a completion operator
adds all necessary buffers to a collection of normal machines.
A distributed scheduling scheme that allows for expressing all realistic scenarios is achieved by allow-
ing a machine that has been scheduled to schedule certain other machines itself. This is done by giving the
machine the control over the clock channels of certain buffers. In Figure 1, the machine M1 can schedule
messages sent from M2 to M3, while the channels between M1 and M2 show procedure-call-style local
interaction. Where one wants to express that an adversary schedules everything, one simply gives the ad-
versary all the scheduling rights. Problems with purely adversarial scheduling were already noted in [76];
hence they schedule secure channels with uniform probability before adversary-chosen events. However,
that introduces a certain amount of global synchrony. Furthermore, the considered model does not require
local scheduling for all secure channels; they may be blindly scheduled by the adversary (i.e., without even
seeing if there are messages on the channel). For instance, this models cases where the adversary has a
global influence on relative network speed.
Probability spaces for runs are defined in detail for such collections of machines, as well as the view
of a subset of the machines. These definitions are useful beyond the more security-specific system classes
5
Receiving
machine
Sending
machine
Scheduler for
buffer q~
q!
q   !
q?
Buffer q~
q   ?
q↔!
q↔?
1
Figure 2: Ports and buffers.
considered later. Further, the Turing-machine realization and runtime considerations are defined in this
generality.
Security-specific structures are defined as collections of machines with distinguished service ports for
the honest users. Such structures are augmented by arbitrary machines H and A representing the honest
users and the adversary, who can interact. One then speaks of a configuration. In the presence of adversaries,
the structure of correct machines running may not be the intended structure that the designer originally
planned. For instance, some machines might have been corrupted; hence they are missing from the actual
structure and the adversary took over their connections. This is modeled by defining a system as a set of
possible actual structures.
2.2 General System Model
In the following we consider a finite alphabet Σ and some special symbols !, ?,↔ ,⊳ 6∈ Σ that will be used to
express different ports of machines. For s ∈ Σ∗ and l ∈ N0, we define s⌈l to be the l-letter prefix of s.
Machines can exchange messages with each other via ports. Intuitively, a port is a possible attachment
point for a channel when a machine of Figure 1 is considered in isolation. As in many other models, channels
in collections of machines are specified implicitly by naming conventions on the ports. Figure 2 gives an
overview of the naming scheme; it can be seen as a yet more detailed view of the right-hand side of Figure 1.
The name of a port (here q) serves as an identifier and will later be used to define which ports are connected
to each other. Inspired by the CSP-notation [77], input and output ports are represented by the symbols ?
and !, respectively. These ports are used for “usual” message transmission, whereas the ports q↔?, q↔!,
q⊳?, and q⊳! are used for the distributed scheduling. In the following, we call the port q⊳! the clock-out port
for buffer q˜. In the synchronous model, buffers do not exist nor do the “scheduling” ports q↔?, q↔!, q⊳?,
and q⊳!.
As the low-level complement qc of a port q (either in- or output port) we denote the port with which it
connects according to Figure 2, i.e., q⊳!c := q⊳?, q!c := q↔?, q↔!c := q?, and vice versa. The high-level
complement qC of a port q denotes the connecting port without the buffer, i.e., q!C = q? and vice versa. For
a set or a sequence P of ports, let in(P) and out(P) denote the subset or subsequence of P consisting of the
input ports or the output ports of P , respectively.
After introducing ports, we now define machines. The primary machine model is probabilistic state-
transition machines, similar to probabilistic I/O automata as in [78, 79]. Other terms for such machines are
extended finite-state automata or state-transition machines. For the computational complexity aspects, im-
plementations of such machines are defined by probabilistic interactive Turing machines. Turing machines
are not used as the sole or primary model, in contrast to prior cryptographic literature, because the I/O
automata allows for expressing non-cryptographic protocol parts and abstractions from cryptography in a
well-defined way unencumbered with Turing-machine details. This is important for the desired accessibility
of the resulting model to existing theorem provers and model checkers. The model makes one addition to
6
individual machines compared with other I/O automata models, in order to enable machines to have polyno-
mial runtime independent of their environment without being automatically vulnerable to denial-of-service
attacks by long messages: It allows state-dependent length bounds on the inputs that a machine will read
from each channel.
A machine has a sequence of ports, containing both input ports and output ports, and a set of states,
comprising sets of initial and final states. If a machine is switched, it receives an input tuple at its input
ports and performs its transition function yielding a new state and an output tuple in the deterministic case,
or a finite distribution over the set of states and possible outputs in the probabilistic case. Furthermore,
each machine has state-dependent bounds on the length of the inputs accepted at each port to enable flexible
enforcement of runtime bounds. The parts of an input that are beyond the length bound are ignored. The
value ∞ denotes that arbitrarily long inputs are accepted.
Definition 2.1 (Machines) A machine is a tuple
M = (nameM,PortsM,StatesM, δM, lM, IniM,FinM)
of a name nameM ∈ Σ+, a finite sequence PortsM of ports, a set StatesM ⊆ Σ∗ of states, a probabilistic
state-transition function δM, a length function lM : StatesM→ (N∪{∞})|in(PortsM)|, and sets IniM,FinM ⊆
StatesM of initial and final states. Its input set is IM := (Σ∗)|in(PortsM)|; the i-th element of an input tuple
denotes the input at the i-th input port. Its output set is OM := (Σ∗)|out(PortsM)|. The empty word, ǫ,
denotes no in- or output at a port. δM maps each pair (s, I) ∈ StatesM × IM to a finite distribution over
StatesM × OM. If s ∈ FinM then lM(s) = (0, . . . , 0); if I = (ǫ, . . . , ǫ) then δM(s, I) = (s, (ǫ, . . . , ǫ))
deterministically. Inputs are ignored beyond the length bounds, i.e., δM(s, I) = δM(s, I⌈lM(s)) for all I ∈
IM, where (I⌈lM(s))i := Ii⌈lM(s)i for all i. ✸
In the text, we often write “M” also for nameM. For a set Mˆ of machines, let ports(Mˆ ) denote the set
of ports of all machines M ∈ Mˆ . We call a machine M a black-box submachine of a machine M′ if the
machine M′ has access to the state-transition function δM of M, i.e., it can execute δM for the current state of
the machine and arbitrary inputs. In order to concisely denote specific input and output tuples of a machine
M, we introduce some additional notation. Let (p1?, . . . , pn?) := in(PortsM), let P := (pi1?, . . . , pij ?)
denote a subsequence of (p1?, . . . , pn?), and let (vi)i∈{1,...,j} ∈ (Σ∗)j . If the sequence of input ports of
M is clear from the context, we define Ipi1?=v1,...,pij ?=vj to be the tuple I of length n with Iil = vl for all
l ∈ {1, . . . , j} and Il = ǫ for all l ∈ {1, . . . , n} \ {i1, . . . , ij}. In the special case P = () or vi = ǫ for all i,
i.e., in case of an all-empty input, we write Iǫ. Outputs are defined similarly.
For computational aspects, a machine M is regarded as implemented by a probabilistic interactive Turing
machine as introduced in [80]. We refer to [15] for the precise definition of the implementation. The main
reason to introduce a Turing-machine realization of the machine model is to define complexity notions. A
machine is called polynomial-time if its Turing machine implementation only needs time polynomial in its
initial worktape content, independent of all inputs on communication tapes, i.e., if there exists a polynomial
Q such that all possible runs of the Turing machine are of length at most Q(k), where k is the length of the
initial worktape content.
After introducing individual machines, we now focus on collections of finitely many machines, with the
intuition that these machines interact. A collection C of machines is a finite set of machines with pairwise
different machine names and disjoint sets of ports. A port of a collection is called free if its connecting
port is not in the collection. The free ports of a collection C are denoted as free(C). Given a collection of
machines in the asynchronous model, we want to add buffers for all channels to model asynchronous timing.
This is modeled by the completion [C] of a collection C. The completion is the union of all machines of C
and the buffers needed for every channel. In the asynchronous model, a collection C is called closed if its
7
completion [C] has no free ports except a special master clock-in port clk⊳?, i.e., free([C]) = {clk⊳?}. When
we define the interaction of several machines, the master clock-in port will belong to a distinguished machine
called the master scheduler which is used to resolve situations where the interaction cannot proceed. In the
synchronous case, we demand free(C) = ∅.
For security purposes, special collections are needed, because an adversary may have taken over parts
of the initially intended system, e.g., different situations have to be captured depending on which and how
many users are considered as being malicious. Therefore, a system consists of several possible remaining
structures.
Definition 2.2 (Structures and Systems) A structure is a pair struc = (Mˆ ,S ) where Mˆ is a collection of
non-buffer machines called correct machines, and S ⊆ free(Mˆ ) is called specified ports. If Mˆ is clear from
the context, let S¯ := free(Mˆ ) \ S . We call forb(Mˆ ,S ) := ports(Mˆ ) ∪ S¯C the forbidden ports, i.e., those
ports that the honest user is forbidden to have. A system Sys is a set of structures. It is polynomial-time iff
all machines in all its collections Mˆ are polynomial-time. ✸
The separation of the free ports into specified ports and others is an important feature of the upcoming
security definitions. The specified ports are those where a certain service is guaranteed. Concretely, specified
ports will later be used to connect a user machine to the structure.
Note that this definition is valid for both the synchronous and the asynchronous case. In particular,
buffers do not have to be explicitly included in the specification of a system, e.g., in the specification of
a cryptographic protocol that one wants to analyze, but the completion operator will be used instead. The
different timing assumptions stem from the different definitions of runs which we will introduce in the
following.
A structure can be completed to a configuration by adding machines H and A, modeling the joint honest
users and the adversary, respectively. The machine H is restricted to the specified ports S , A connects to the
remaining free ports of the structure and both machines can interact, e.g., in order to model active attacks.
In the asynchronous case, buffers are additionally added to close the collection. Moreover, the initial state
of all machines is isomorphic to the natural numbers which allows for letting the machines run on input the
same security parameter in the subsequently described run algorithm.
Definition 2.3 (Configurations) A configuration of a system Sys is a tuple conf = (Mˆ ,S ,H,A) where
(Mˆ ,S ) ∈ Sys is a structure, Mˆ∪{H,A} is a closed collection, ports(H)∩forb(Mˆ ,S ) = ∅, and IniM = {1}∗
for all M ∈ Mˆ ∪ {H,A}. The set of configurations is written Conf(Sys). The set of configurations of Sys
with polynomial-time user H and adversary A is called Confpoly(Sys). The index poly is omitted if it is clear
from the context. ✸
2.3 Capturing Asynchronous Runs
For a configuration, both models define a probability space of runs (sometimes called traces or executions).
In the asynchronous model, the collection contains a unique master scheduler X since the collection is
closed. Machines switch sequentially, i.e., we have exactly one active machine M at any time. If this
machine has clock-out ports, it can select the next message to be delivered by scheduling a buffer via one
of these clock-out ports. If a message exists at the respective position of the buffer’s internal queue, it is
delivered by the buffer and the unique receiving machine is the next active machine. If M tries to schedule
multiple messages, only one is taken, and if it schedules none or the message does not exist, the master
scheduler X becomes active.
Definition 2.4 (Asynchronous Runs and Views) For a given configuration conf = (Mˆ ,S ,H,A) with
master scheduler X (which is uniquely determined by having the master-clock in-port clk⊳?), set Cˆ :=
8
[Mˆ ∪{H,A}]. Runs and their probability spaces are defined inductively by the following algorithm for each
tuple ini ∈ {(1k)
M∈Mˆ∪{H,A}} ⊂ ×M∈Cˆ IniM of initial states of the machines of Cˆ .
The probability space of runs is defined inductively by the following algorithm. It has a variable r for
the resulting run, an initially empty list, a variable MCS (“current scheduler”) over machine names, initially
MCS := X, and treats each port as a variable over Σ∗, initialized with ǫ except for clk⊳? := 1. Probabilistic
choices only occur in Phase (1).
1. Switch current scheduler: Switch machine MCS, i.e., set (s′, O) ← δMCS(s, I) for its current state s
and input port values I . Then assign ǫ to all input ports of MCS.
2. Termination: If X is in a final state, the run stops.
3. Buffer messages: For each simple output port q! of MCS, in their given order, switch buffer q˜ with
input q↔? := q!, cf. Figure 2. Then assign ǫ to all these ports q! and q↔?.
4. Clean up scheduling: If at least one clock-out port of MCS has a value 6= ǫ, let q⊳! denote the first such
port and assign ǫ to the others. Otherwise let clk⊳? := 1 and MCS := X and go back to Phase (1).
5. Scheduled message: Switch q˜ with input q⊳? := q⊳! (cf. Figure 2), set q? := q↔! and then assign ǫ to
all ports of q˜ and to q⊳!. Let MCS := M′ for the unique machine M′ with q? ∈ ports(M′). Go back to
Phase (1).
Whenever a machine (this may be a buffer) with name nameM is switched from (s, I) to (s′, O), we add a
step (nameM, s, I ′, s′, O) with I ′ := I⌈lM(s) to the run r, except if s is final or I
′ = (ǫ, . . . , ǫ). This gives
a random variable for each tuple ini , i.e., for each value k of the security parameter denoted as runconf ,k.
Hence we obtain a family of random variables
runconf = (runconf ,k)k∈N.
The view of a subset M ⊂ Cˆ in a run r is the restriction of r to M , i.e., the subsequence of all steps
(nameM, s, I, s
′, O), where nameM is the name of a machine M ∈ M . This gives a family of random
variables
viewconf (M ) = (viewconf ,k(M ))k∈N.
For a singleton M = {H} we write viewconf (H) instead of viewconf ({H}). ✸
This still rather informal definition of runs can naturally be formalized using transition probabilities, which
induce probability spaces over the finite sequences of steps similar to Markov Chains. The extension to
infinite sequences can then be achieved using well-established results of measure theory and probability
theory, cf. Section 5 of [81]. It is further easy to show that views of polynomial-time machines are of
polynomial size, i.e., that the length of any trace that occurs with non-zero probability according to the
considered view is bounded by a polynomial in the security parameter.
2.4 Capturing Synchronous Runs
In the synchronous model, ports, machines, collections, structures, and systems are defined similar to the
asynchronous model. The only exception is that there are no clock ports and no buffers, which have only
been included to model asynchronous timing, i.e., corresponding ports p? and p! are directly connected.
The main difference is the definition of runs. Instead of our asynchronous run algorithm (cf. Definition 2.4),
runs are defined using rounds which is the usual concept in synchronous scenarios. Every global round is
again divided into n so-called subrounds, and there is a mapping κ, called clocking scheme, from the set
9
{1, . . . , n} into the powerset of considered machines, i.e., the machines of the structure, the user, and the
adversary. κ(i) denotes which machines switch in subround i. After finishing the n-th subround, the run
starts the first subround of the next global round. At the beginning of each subround, all messages from
the previous subround are transported from the output ports to the connected input ports. After that, each
machine of κ(i) switches with its current inputs yielding a finite distribution over the set of states and the
set of possible outputs.
Definition 2.5 (Clocking Scheme) A clocking scheme κ for a configuration (Mˆ ,S ,H,A) and n ∈ N is a
mapping from the set {1, . . . , n} to the powerset of Mˆ ∪ {H,A}, i.e., it assigns each number a subset of the
machines. ✸
Definition 2.6 (Synchronous Runs and Views) Given a configuration conf = (Mˆ ,S ,H,A) along with a
clocking scheme κ for n ∈ N, runs are defined as follows: Each global round i has n subrounds, where we
denote the j-th subround of global round i by [i.j]. In subround j ∈ {1, . . . , n} all machines M ∈ κ(j)
switch simultaneously, i.e., each state-transition function δM is applied to M’s current input yielding a new
state and output (probabilistically). The output at a port p! is available as input at p? until the machine
with port p? is switched. If several inputs arrive until that time, they are concatenated. Similar to the
asynchronous case, this gives a family of random variables
runconf ,κ = (runconf ,κ,k)k∈N.
More precisely, each run is a function mapping each triple (M, i, j) ∈ Mˆ ∪ {H,A} × N × {1, . . . , n} to a
quadruple (s, I ′, s′, O) of the old state, inputs (with I ′ := I⌈lM(s) again), new state, and outputs of machine
M in subround [i.j], with I ′ ≡ ǫ, O ≡ ǫ, and s = s′ if M is not switched in this subround. The view of a
subset M ⊂ Mˆ ∪ {H,A} in a run r is the restriction of r to M × N × {1, . . . , n}. This gives a family of
random variables
viewconf ,κ(M ) = (viewconf ,κ,k(M ))k∈N,
and we omit the subscript κ if it is clear from the context. ✸
Again, the view of a polynomial-time machine can easily be shown to be of polynomial size.
Remark 2.1. Alternatively, we can consider runs as a sequence of seven-tuples (M, i, j, s, I ′, s′, O) for as-
cending values of i and j. More formally, we first have all tuples (M, 1, 1, s, I ′, s′, O) for M ∈ κ(1). The
order of these tuples can be chosen arbitrary since they switch simultaneously and do not influence each
other. After that, we have the steps (M, 1, 2, s, I ′, s′, O) for all M ∈ κ(2) and so on, until we finally have
steps of the form (M, 1, n, s, I ′, s′, O) for all M ∈ κ(n). We then continue with (M, 2, 1, s, I ′, s′, O) etc.
Obviously, this characterization of runs is equivalent to the original one (we just expanded the function), but
it is better suited for relating synchronous runs and “corresponding” asynchronous runs, which we will do
in our upcoming proofs. ◦
Instead of arbitrary clocking schemes as in the above definition of runs, the authors of [10] focus on only
one special clocking scheme κ, given by (Mˆ ∪ {H}, {A}, {H}, {A}). Clocking the adversary between the
correct machines is the well-known model of “rushing adversaries”, where [82] is the earliest reference that
we are aware of. In [10], it has been shown that this clocking scheme does not restrict the possibilities
of the adversary, hence we can use it without loss of generality. Moreover, we restrict ourselves to those
configurations where the honest user and the adversary are only connected via one duplex channel. This is
indeed no restriction to generality in the synchronous model, because outputs at several ports to the same
machine can simply be concatenated using a separation symbol and decomposed again, respectively. In the
following, we give these two channels fixed names pA H and pH A, i.e., pA H! sends messages from A to H
and vice versa.
10
2.5 Simulatability
The definition of one system securely implementing another one is based on the common concept of sim-
ulatability. Simulatability essentially means that whatever might happen to an honest user in a real system
Sys real can also happen in an ideal (abstract) system Sys id: For every structure struc1 ∈ Sys real, every user
H, and every adversary A1, there exists an adversary A2 on a corresponding ideal structure struc2 such that
the view of H is indistinguishable in the two configurations. Indistinguishability (“≈”) is a well-defined
cryptographic notion from [83]. We only give the definition of computational indistinguishability; a more
comprehensive definition is given in the Appendix.
Definition 2.7 (Computational Indistinguishability) Two families (vark)k∈N and (var′k)k∈N of random
variables (or probability distributions) on common domains Dk are computationally indistinguishable (“≈”)
if for every algorithm Dis (the distinguisher) that is probabilistic polynomial-time in its first input,
|P (Dis(1k, vark) = 1)− P (Dis(1
k, var′k) = 1)| ∈ NEGL.
3
Intuitively, given the security parameter and an element chosen according to either vark or var′k, Dis tries to
guess which distribution the element came from. ✸
Corresponding structures in the simulatability definition are designated by a function f from Sys real to
the powerset of Sys id. The function f is called valid if it maps structures with the same set of specified
ports, so that the same user can connect. For many systems there is only one possible mapping that meets
this requirement, because the service ports of the structures correspond one-to-one to different sets of non-
corrupted machines. This mapping is then called canonical. We only give the definition of simulatability
based on computational indistinguishability, which captures the most common case when applying sim-
ulatability to cryptographic protocols. A more comprehensive definition based on the remaining notions
of indistinguishability is again postponed to the Appendix; our results hold as well for this more general
definition.
Definition 2.8 (Simulatability) Let systems Sys1 and Sys2 with a valid mapping f be given. We say
Sys1 ≥
f Sys2 (at least as secure as) if for every polynomial-time configuration conf 1 = (Mˆ1,S ,H,A1) ∈
Conf(Sys1), there exists a polynomial-time configuration conf 2 = (Mˆ2,S ,H,A2) ∈ Conf(Sys2) with
(Mˆ2,S ) ∈ f(Mˆ1,S ) (and the same H) such that viewconf 1(H) ≈ viewconf 2(H). ✸
This is shown in Figure 3. In the following, we augment ≥ with a subscript sync or async to distinguish the
H
A
1
S
M
1
H
A
2
M
2
S
Figure 3: Overview of the simulatability definition.
definition of the synchronous and asynchronous case. In a typical ideal system, each structure contains only
one machine TH called trusted host, which serves as an ideal functionality of the real system. The machine
TH is usually deterministic and maintains a very simple transition function, hence validation based on this
ideal functionality is in scope of current verification techniques.
3The class NEGL denotes the set of all negligible functions, i.e., g : N → R≥0 ∈ NEGL if for all positive polynomials Q,
∃k0∀k ≥ k0 : g(k) ≤ 1/Q(k).
11
3 Idea and Definition of the Embedding
The informal idea of the embedding ϕSys is to add an explicit master scheduler that should simulate the
synchronous run induced by the given clocking scheme. However, due to the general distributed scheduling
(cf. Definition 2.4), leaving the actual machines unmodified leads to non-simulatable situations, as these
machines can clock themselves without ever giving control to this explicit master scheduler.
Hence, we first define a mapping ϕM from “synchronous” machines, i.e., from machines that do not have
any of the scheduling ports but only ports for usual message transmission, to “asynchronous” machines, i.e.,
to machines which might additionally have clock-out ports.
Intuitively, this mapping surrounds single synchronous machines with an “asynchronous coat”. More
precisely, if a synchronous machine makes a transition, it obtains all inputs at once that arrived since its
last scheduling, whereas in asynchronous scenarios, these inputs come one by one and have to be processed
in several transitions. Thus, the surrounding asynchronous machine stores all inputs internally, until it is
asked to perform the transition of its synchronous submachine. It then schedules this submachine with
the collected inputs and forwards its outputs. As these asynchronous machines do not produce any clock
outputs, the master scheduler can try to simulate the synchronous time by a suitable scheduling strategy.
Definition 3.1 (Mapping ϕM) ϕM is a mapping on single synchronous machines that assigns every ma-
chine Msync an asynchronous machine Masync := ϕM(Msync) by the following rules:
• The ports of Masync are given by PortsMasync := PortsMsync ◦(pMsync?), where ◦ denotes concatenation
of sequences.
• Internally, Masync maintains arrays (input storeMsync,p?)p?∈in(PortsMsync ) over Σ
∗ initialized with ǫ ev-
erywhere, which are used for storing incoming messages at each port of Msync.
• Masync has the machine Msync as a blackbox submachine, i.e., it has its transition function δMsync .
• Internally, Masync maintains a superset of the states of Msync (the additional states are only used to
model appropriate length functions). Moreover, the initial and final states of both machines are equal.
• On input i at p? 6= pMsync?: It concatenates i to the element of input storeMsync,p?, i.e., it stores all
inputs until the machine Msync is eventually switched. The length function for such a port p? is defined
as lMsync(s)p? − |input storeMsync,p?|, where lMsync(s)p? is the length function of the machine Msync at
port p? in its current state s and |input storeMsync,p?| is the number of elements in input storeMsync,p?.
• On input i at pMsync?: It applies the state transition function δMsync on the contents of the arrays
input storeMsync,p? yielding a tuple (s′,O). Masync now assigns ǫ to input storeMsync,p? for all
p? ∈ in(PortsMsync), switches to the state s′ and outputs the tuple O. The length function for this
port is defined to be zero if the lists input storeMsync,p? are empty for all ports p?; otherwise it is
the runtime of Msync. This case corresponds to the scheduling of the synchronous machine; the port
pMsync? will be connected to the explicit master scheduler.
For a set Mˆ of synchronous machines, we define ϕM(Mˆ ) :=
⋃
Msync∈Mˆ
ϕM(Msync). ✸
Masync is polynomial-time by construction iff Msync is polynomial-time, since the machine Masync only
performs a polynomially bounded number of steps between two transitions of Msync (which is especially
ensured by the used length functions), since both machines always stay in the same state after a transition
of the blackbox submachine, and finally since their final states are equal. We stress that making the outer
machine Msync polynomial-time for a polynomial submachine is not as easy as one might expect, e.g., as the
12
outer machine may be triggered exponentially often at one port without causing the submachine to switch.
Note further that the length functions of Masync are always large enough by construction that inputs of Masync
are not ignored respectively truncated if they would be fully read by the machine Msync.
Based on this definition, we now formalize the desired mapping ϕSys on synchronous systems.
Definition 3.2 (Mapping ϕSys) Let an arbitrary synchronous system Syssync = {(Mˆsync,Ssync) | sync ∈ I }
for a finite index set I and a clocking scheme κ be given. We then define
ϕSys(Syssync) := {(ϕM(Mˆsync) ∪ {Xsync,κ},Ssync) | sync ∈ I }.
The machine Xsync,κ is an explicit master scheduler that has to be added to the considered structure to model
the synchronous clocking scheme κ in the asynchronous system. Its ports are given by
• {clk⊳?}: The master clock-in port.
• {p⊳! | p! ∈ Ports
Mˆsync
}: Ports for clocking all output ports of the given structure.
• {p⊳! | p? ∈ free(Mˆsync)}: Ports for clocking inputs of the systems (either made by H or A).
• {pA H
⊳!, pH A
⊳!}: Ports for clocking the connection between A and H.4
• {pM!, pM
⊳! |M ∈ (Mˆsync ∪ {H,A})}: Ports for clocking, i.e., giving control to, each machine.
The length functions are always set to infinity for all ports. Internally, it maintains a variable local rnd over
{1, . . . , n} and a variable global rnd over N both initialized with 1. For the sake of readability, we describe
the behavior of Xsync,κ using “for”-loops. This is just a notational convention that should be understood as
follows: every time Xsync,κ is scheduled, it performs the next step of the loop.
1. Schedule Current Machines: For all machines M ∈ κ(local rnd) output (global rnd , local rnd) at
pM!, 1 at pM⊳!. The order of the switched machines can be chosen arbitrary.
2. Schedule Outgoing Buffers: For all M ∈ κ(local rnd) output 1 at every port p⊳! with p! ∈ PortsM.
Here, the order of the switched machines can only be chosen arbitrary with the restriction that output
ports of the adversary are scheduled first if A ∈ κ(local rnd).5
3. Switch to next Round: Set local rnd := local rnd + 1. If local rnd > n, set global rnd :=
global rnd + 1 and local rnd := 1. Go to Phase (1).
✸
To put it all into a nutshell, the specific master scheduler simulates the clocking scheme κ by first scheduling
the machines that ought to switch in the particular subround (Step 1) and afterwards scheduling all buffers
that could be influenced by outputs of these machines (Step 2). Finally, it switches to the next subround
(Step 3) and continues with the first step again.
Moreover, we define a mapping ϕconf on synchronous configurations of a system Sys , i.e., configura-
tions which consist of synchronous machines only, by
ϕconf (Mˆsync,Ssync,H,A) := (ϕM(Mˆsync) ∪ {Xsync,κ},Ssync, ϕM(H), ϕM(A)),
with Xsync,κ given as in ϕSys for the particular structure. We will in the following simply write ϕ instead of
ϕSys , ϕM, and ϕconf if its meaning is clear from the context.
4Note, that Xsync,κ is defined independent from the honest user H and the adversary A, so it cannot know their ports. We
therefore restricted the configuration to a fixed number and fixed names of ports between H and A (cf. Section 2.4).
5Without this restriction, the behavior of the adversary at its switching time could depend on outputs of machines scheduled in
the same subround, which would lead to non-simulatable situations.
13
Async,1
Msync,1
confsync,1
 confasync,1
confasync,2confsync,2
 
Apply ϕconf 
ϕSys(Syssync,1) ≥f ϕSys(Syssync,2)
Reverse ϕSys
Masync,1
Masync,2Msync,2
ϕ(Hsync) ϕ(Async,1)
HsyncHsync
Hsync
Aasync,2
Hsync
Reverse ϕM
Define Async,2 
Async,2
ϕ(Hsync)
^
^
^
^
Figure 4: Synchronous Simulatability derived by Asynchronous Simulatability.
4 Preliminary Work for the Embedding Theorems
We now have to prove that the function ϕ has the desired properties with respect to simulatability, i.e.,
ϕSys(Syssync,1) ≥async ϕSys(Syssync,2)⇒ Syssync,1 ≥sync Syssync,2.
This captures the content of our first embedding theorem. Unfortunately, the converse direction does not
hold, but our second embedding theorem will state a weaker version that is still sufficient for our purpose.
4.1 Proof Overview
Before we turn our attention to the auxiliary lemmas for the embedding theorems we exemplarily present
an informal description of the proof of the first embedding theorem. The proof consists of four steps. A
graphical illustration is given in Figure 4.
1. Starting with a synchronous configuration confsync,1 ∈ Conf(Sys sync,1), we apply our embedding
function ϕconf which yields an asynchronous configuration confasync,1 ∈ Conf(ϕSys(Sys sync,1)). We
now define a mapping σ on the runs of the asynchronous system yielding runs of the synchronous sys-
tem. Intuitively, σ “compresses” an asynchronous run to its synchronous counterpart, which consists
of fewer steps. We then show in Theorem 4.1 that
viewconfsync,1(Hsync) = σ(viewconfasync,1(ϕ(Hsync))).
2. We can now apply our precondition ϕSys(Syssync,1) ≥
f
async ϕSys(Sys sync,2) yielding an indis-
tinguishable configuration confasync,2 ∈ Conf(ϕSys(Sys sync,2)), i.e., viewconfasync,1(ϕ(Hsync)) ≈
viewconfasync,2(ϕ(Hsync)). We then show that
σ(viewconfasync,1(ϕ(Hsync))) ≈ σ(viewconfasync,2(ϕ(Hsync))).
14
3. We finally reverse the function ϕ by removing the coating of the user and that of the machines of the
structure. Since we do not know anything about the newly derived adversary Aasync,2, i.e., in particular
it is not required that it fits the structure imposed by the mapping ϕ, we define a new adversary Async,2
using Aasync,2 as a black-box submachine, and we will show in Theorem 4.2 that
σ(viewconfasync,2(ϕ(Hsync))) = viewconfsync,2(Hsync).
4. Altogether, transitivity of the relation ≈ implies
viewconfsync,1(Hsync)) ≈ viewconfsync,2(Hsync).
We first take a look at the runs in a synchronous system Syssync and in its asynchronous counterpart
Sysasync := ϕ(Sys sync). In the following, we will simply write S instead of Ssync, because the set of
specified ports is not influenced by the mapping ϕ.
4.2 Compressing asynchronous runs to synchronous counterparts
In the following, let an arbitrary synchronous system Syssync with a clocking scheme κ and an arbitrary
configuration confsync = (Mˆsync,S ,Hsync,Async) ∈ Conf(Syssync) be given. Moreover, let an asynchronous
configuration confasync be given which fits the form confasync = (ϕ(Mˆsync) ∪ {Xsync,κ},S , ϕ(Hsync),A′)
(i.e., ϕ(confsync) but with an arbitrary adversary).6
First of all, note that runs of confasync always have a prescribed structure induced by the behavior of
the master scheduler Xsync,κ: they are built by “blocks”. The steps (Msync, i, j, s,I, s′,O) of the machines
Msync ∈ Mˆsync ∪ {Hsync} switched in round [i.j] in the synchronous run are represented by the following
two blocks in the asynchronous run.
1. The first block consists of the steps induced by clocking the machines ϕ(Msync) with Msync ∈ κ(j)
and A′ if Async ∈ κ(j), i.e., Step (1) in the definition of Xsync,κ. More precisely, the block is built by
|κ(j)| sub-blocks, one for every switched machine. Every sub-block is built by the following steps.
• The first step of the sub-block is always (Xsync,κ, s1,Iclk⊳?=1, s′1,OpMsync !=(i,j),pMsync⊳!=1) for
two arbitrary states s1, s′1 of Xsync,κ, i.e., the master scheduler schedules the machine ϕ(Msync)
respectively A′.
• After that, we have the transition of the scheduled buffer.
• We now have to distinguish the following two cases:
– If Msync 6= Async, there is a step (ϕ(Msync), s,IpMsync ?=(i,j), s
′, δMsync(input storeMsync))
and steps for the receiving buffers.
– If Msync = Async, we have a step (A′, s,IpAsync ?=(i,j), s
′,O). If O 6= Oǫ we have steps for
the receiving buffers. If there are nonempty outputs at ports p! and p⊳! (which has to be
a self-loop because there are no free clock-in ports in the system), there is furthermore a
clocking step for this particular buffer. In this case, the adversary is scheduled again, so
this sub-point of the block is repeated until the self-loop of the adversary either ends or it is
repeated forever in case of divergence, i.e., we obtain a step (A′, s′,I ′, s′′,O) where I ′ is
now given by I ′ := Ip?=Op! and so on.
6Note that we investigate the more general case here that A′ can be chosen arbitrarily instead of being the embedded adversary
ϕM(A). This generality will be helpful during the upcoming proofs.
15
2. The second block consists of the steps induced by clocking the outgoing messages of the switched
machines, i.e., Step (2) in the definition of Xsync,κ. Now the buffers of the output ports are switched
by the master scheduler. This is done similar as in the first part with the restriction that output ports
of A′ are clocked first if Async ∈ κ(j). The block again has |κ(j)| sub-blocks built by the following
steps.
• The first step of the sub-block is given by (Xsync,κ, s1,Iclk⊳?=1, s′1,Op⊳!=1) for the first output
port p! ∈ ports(Msync) and two arbitrary states s1, s′1 of Xsync,κ.
• The step of the clocked buffer.
• In case of a nonempty output let M′ denote the unique machine with p? ∈ ports(M′). We now
have to distinguish two cases:
– If M′ 6= A′, there is a step (M′, s,I ′, s′,Oǫ), where I ′ consists of the output of ϕ(Msync) at
p!.
– If M′ = A′, we obtain a step (A′, s,I ′, s′,O), where I ′ consists of the output of ϕ(Msync)
respectively A′ at p!. If O 6= Oǫ we have steps for the receiving buffers. If O has a clocked
self-loop, we proceed identical to the first block.
• The three previous steps are repeated for every output port of every machine Msync ∈ κ(j).
After this detailed description of the run, (i.e., its blocks) the mapping σ can be defined. Informally, it
combines the blocks of all machines Msync ∈ κ(j) yielding the synchronous steps of every machine Msync
that switches in the j-th subround of the particular global round.
Definition 4.1 (Mapping σ) Let an arbitrary synchronous system Syssync with a clocking scheme κ and an
arbitrary configuration confsync = (Mˆsync,S ,Hsync,Async) ∈ Conf(Syssync) be given. For a given asyn-
chronous configuration confasync which fits the form confasync = (ϕ(Mˆsync) ∪ {Xsync,κ},S , ϕ(Hsync),A′),
we define the mapping σ on the runs of confasync by the following algorithm. The algorithm has internal
arrays (inputsM,p?) for M ∈ ϕ(Mˆsync) ∪ {ϕ(Hsync),A′} and p? ∈ in(PortsM). It goes from block to block
modifying them as follows.
1. Every step of a buffer is deleted from the run.
2. The two remaining steps of the first block are modified as follows. If the scheduled machine is
ϕ(Msync) 6= A
′
, then the block is replaced by (Msync, i, j, s, inputsMsync , s
′, δMsync(inputsMsync)). If A
′
is scheduled, the block is replaced by (A′, i, j, s, inputsAsync , s′,OA′). Here, s denotes the state of A′
when it is switched by Xsync,κ, and s′ and OA′ are the state and the output of the last step of the block,
respectively (In case of divergence, the algorithm for defining the mapping σ diverges, too.).
3. The algorithm starts searching through the second block doing the following. If a machine M′ receives
a message i at p? in the second block, i is concatenated to the array inputsM′,p?.
4. Finally, every step of the second block is deleted from the run.
✸
Note that all necessary information (e.g., Msync, i, j, s, s′ etc.) is already given by the block except for the
inputs of each machine in the synchronous case. At this point, it also becomes clear why we defined the
master scheduler to schedule each machine specifically with a tuple (i, j) indicating the current global and
local round, since this information would otherwise not be contained in the asynchronous run.
16
To overcome the absence of the gathered inputs in the run, the algorithms has to collect all “partial”
inputs itself in its third step, and it can use this information to calculate the outputs of each machine (although
for this, it could as well use the information contained in the run). Moreover, the new blocks built by the
mapping σ in one particular subround do not depend on the second block of this subround. The mapping
σ is obviously also defined on the view of arbitrary subsets of machines, because the step in the first block,
carrying the information of the step, and the message-receiving steps in the second block will also be part of
the view of the considered machine. Furthermore, note that the mapping σ is explicitly defined for arbitrary
adversaries A′ (not only for ϕ(Async)) which we will need in Theorem 4.2. Furthermore, the following
lemma establishes a computational bound on the mapping σ in polynomial-time configurations:
Lemma 4.1 If confasync is a polynomial-time configuration that fits the form required by Definition 4.1, then
σ applied to the view of the honest user and the adversary is computable in polynomial-time. ✷
Proof. (Lemma 4.1) In case of a polynomial configuration, especially the adversary has to be polynomial-
time. This implies that there cannot be any infinite successive clocked self-loops, so the steps of every
sub-block are bounded by a polynomial in the security parameter k. Moreover, both the adversary and the
honest user will reach final state after a polynomial number of blocks, so the algorithm for σ applied to the
view either of the honest user or the adversary only makes a polynomial number of transition, each one with
a polynomial number of steps. This implies that σ is computable in polynomial-time when applied to the
view of the honest user and the adversary if it is used in a polynomial-time configuration.
4.3 Auxiliary Theorems
The following theorem captures the first step of our proofsketch of Section 4.1.
Theorem 4.1 Let a synchronous system Syssync, a clocking scheme κ, and a configuration confsync =
(Mˆsync,S ,Hsync,Async) ∈ Conf(Syssync) be given, and set confasync := ϕ(confsync). Then
viewconfsync(Msync) = σ(viewconfasync(ϕ(Msync)))
for every Msync ∈ (Mˆsync ∪ {Hsync,Async}). confasync is polynomial-time iff confsync is polynomial-time. ✷
Proof. Note that the view of ϕ(Msync) does only contain the steps of its internal blackbox function-call
after being modified by the mapping σ. Thus, it is sufficient to show that the inputs of the blackbox call
in confasync and the original inputs of Hsync in confsync are equal. It is quite easy to see that the arrays
input storeMsync and inputsMsync are always equal if the machine Msync is switched. This can easily be
proven by induction over the number of (sub-)rounds. In the first round, both arrays are empty yielding
a correct start of the induction. Starting with the second round, the contents of these arrays are totally
determined by the inputs at the ports of Msync. However, these inputs only depend on prior outputs of other
machines M . Moreover, these outputs have to be equal because these machines used the same input tuple
in both configurations, since we have input storeM = inputsM for all M ∈ M by induction hypothesis.
Therefore, the arrays inputsMsync and input storeMsync must be equal at replacing the block by construction
of the algorithm, so δMsync(s, inputsMsync) = δMsync(s, input storeMsync) also holds. We do not have to worry
about the arrangement of the blocks because of the following reasons. First of all, note that we first switch
all machines in a subround and schedule the outgoing messages afterwards. Moreover, messages sent by the
adversary are always scheduled first if the adversary is scheduled in the considered subround. This prevents
that machines which should switch simultaneously in the synchronous system influence each other in the
asynchronous system in the same subround. If we did not consider this restriction, the adversary would be
17
able to create a message that is scheduled in this particular subround, but nevertheless depends on inputs
arriving in this subround.
Putting it all together, the runs induced by the mapping σ in confasync and the original runs are equal by
definition of σ, so we finally obtain
viewconfsync(Msync) = σ(viewconfasync(ϕ(Msync)))
for an arbitrary configuration confsync ∈ Conf(Sys sync), confasync := ϕ(confsync), and an arbitrary Msync ∈
(Mˆsync ∪ {Hsync,Async}). As a special case, this implies
viewconfsync(Hsync) = σ(viewconfasync(ϕ(Hsync)))
which finishes our proof.
After performing this first step of the proof, asynchronous simulatability can now be applied. In order
to convert the derived asynchronous configuration into a synchronous configuration again (cf. Step 3 of our
proofsketch), we present the following theorem.
Theorem 4.2 Let an arbitrary synchronous system Syssync and a clocking scheme κ be given such that
every machine and the honest user are clocked at most once between two successive clockings of the ad-
versary. Furthermore, let an arbitrary configuration confasync ∈ Conf(ϕ(Sys sync)) of the form confasync =
(ϕ(Mˆsync) ∪ {Xsync,κ},S , ϕ(Hsync),Aasync) be given. Then there exists an adversary Async using Aasync as
a blackbox such that for confsync := (Mˆsync,S ,Hsync,Async), it holds
viewconfsync(Msync) = σ(viewconfasync(ϕ(Msync)))
for every Msync ∈ (Mˆsync ∪ {Hsync}). confasync is polynomial-time iff confsync is polynomial-time. ✷
Note, that the standard clocking scheme (Mˆ ∪{H}, {A}, {H}, {A}) fulfills the postulated requirement. The
proof of Theorem 4.2 is quite technical and hence postponed to Appendix B for the sake of readability.
5 The Embedding Theorems
This section contains our two main theorems. We start with a lemma capturing some simple properties of
indistinguishable random variables. The lemma is well-known and easily proved.
Lemma 5.1 Indistinguishability of two families of random variables implies indistinguishability of any
function σ of them. For the polynomial case, the function σ has to be polynomial-time computable. More-
over, identically distributed variables are indistinguishable and indistinguishability is an equivalence rela-
tion. ✷
Theorem 5.1 (First Embedding Theorem) Let two arbitrary synchronous systems Syssync,1 and Syssync,2
with clocking schemes κ1 and κ2 be given such that κ2 fulfills the property that every machine of the system
and the user is clocked at most once between two successive clockings of the adversary. Furthermore,
ϕ(Sys sync,1) ≥
f
async ϕ(Sys sync,2) should hold for a valid mapping f . Then
Syssync,1 ≥
f ′
sync Syssync,2,
where f ′ is derived from f by (Mˆ2,S2) ∈ f ′(Mˆ1,S1)⇔ ϕ(Mˆ2,S2) ∈ f(ϕ(Mˆ1,S1)). ✷
18
Using the result of the previous theorems, the proof will be rather simple, cf. the illustration in Figure 4.
Proof. Let an arbitrary configuration confsync,1 = (Mˆsync,1,S ,Hsync,Async,1) ∈ Conf(Syssync,1) be given.
1. We apply ϕconf on confsync,1 yielding a configuration confasync,1 = (ϕ(Mˆsync,1) ∪ {Xsync,1,κ1},S ,
ϕ(Hsync), ϕ(Async,1)) ∈ Conf(Sysasync,1). According to Theorem 4.1, applying the mapping σ to the
runs of confasync,1 yields
viewconfsync,1(Hsync) = σ(viewconfasync,1(ϕ(Hsync))). (1)
Moreover, if confsync,1 is polynomial-time then confasync,1 is also polynomial-time, and the mapping
σ is polynomial-time computable.
2. Thus, the precondition ϕ(Sys sync,1) ≥
f
async ϕ(Sys sync,2) can be applied yielding a configuration
confasync,2 = (ϕ(Mˆsync,2) ∪ {Xsync,2,κ2},S , ϕ(Hsync),Aasync,2) ∈ Conf(Sysasync,2) with
viewconfasync,1(ϕ(Hsync)) ≈ viewconfasync,2(ϕ(Hsync))
and ϕ(Mˆsync,2,S ) ∈ f(ϕ(Mˆsync,1,S )). Moreover, in the computational case, confasync,2 is
polynomial-time, so the mapping σ is polynomial-time computable. Using Lemma 5.1, this yields
σ(viewconfasync,1(ϕ(Hsync))) ≈ σ(viewconfasync,2(ϕ(Hsync))). (2)
3. We now apply Theorem 4.2 to the configuration confasync,2, which yields a configuration confsync,2 =
(Mˆsync,S ,Hsync,Async,2) ∈ Conf(Syssync,2) with
σ(viewconfasync,2(ϕ(Hsync))) = viewconfsync,2(Hsync). (3)
According to Theorem 4.2, confsync,2 is a polynomial-time configuration iff confasync,2 is polynomial.
4. Now Equation 1-3 together with Lemma 5.1 imply viewconfsync,1(Hsync) ≈ viewconfsync,2(Hsync).
Hence, confsync,2 is an indistinguishable configuration for confsync,1. Moreover, we have
ϕ(Mˆsync,2,S ) ∈ f(ϕ(Mˆsync,1,S )), i.e., (Mˆsync,2,S ) ∈ f ′(Mˆsync,1,S ) which yields the desired re-
sult Syssync,1 ≥
f ′
sync Syssync,2.
Note that the theorem is applicable to the standard clocking scheme. So far, we have shown that asyn-
chronous simulatability among these asynchronous representations implies synchronous simulatability, i.e.,
ϕSys(Syssync,1) ≥async ϕSys(Syssync,2)⇒ Syssync,1 ≥sync Syssync,2.
We already briefly stated in the previous section that the converse implication does not hold in general. We
had to show that for each configuration confasync,1 ∈ Conf(ϕSys(Syssync,1)) there exists an indistinguishable
configuration confasync,2 ∈ Conf(ϕSys(Sys sync,2)) provided that Syssync,1 ≥sync Syssync,2.
However, both the honest user and the adversary may have clock-out ports and they can alternately
schedule each other (and also the system erratically), which we cannot capture by a fixed synchronous
clocking scheme, so we cannot exploit our assumption Syssync,1 ≥sync Syssync,2.
Anyhow, it is sufficient for our purpose to show that the claim holds for at least those configurations
where the honest user Hasync fits the form ϕM(Hsync) for a synchronous machine Hsync. We denote this
version of simulatability for the restricted class of users by ≥async,H in the sequel. Looking at the proof of
19
the first embedding theorem, it is immediately clear that the theorem also holds for the weaker precondition
ϕSys(Syssync,1) ≥async,H ϕSys(Syssync,2), since we only need to derive an indistinguishable configuration
for users of the special form ϕ(Hsync), and the user remains unchanged at simulatability. We can now capture
the content of the second embedding theorem as
Syssync,1 ≥sync Syssync,2 ⇒ ϕSys(Syssync,1) ≥async,H ϕSys(Syssync,2).
Theorem 5.2 (Second Embedding Theorem) Let two arbitrary synchronous systems Syssync,1 and
Syssync,2 with clocking schemes κ1 and κ2 be given such that κ1 fulfills the property that every machine
of the system and the user is clocked at most once between two successive clockings of the adversary. Fur-
thermore, Syssync,1 ≥
f
sync Syssync,2 should hold for a valid mapping f . Then
ϕ(Syssync,1) ≥
f ′
async,H ϕ(Sys sync,2)
where f ′ is derived from f by ϕ(Mˆ2,S2) ∈ f ′(ϕ(Mˆ1,S1)) :⇔ (Mˆ2,S2) ∈ f(Mˆ1,S1). ✷
Before we turn our attention to the actual proof, we state the following lemma which captures that we can
“locally reverse” the function σ for the honest user.
Lemma 5.2 Let a synchronous system Syssync, a clocking scheme κ and a configuration confsync =
(Mˆsync,S ,Hsync,Async) ∈ Conf(Syssync) be given. Let confasync = (ϕ(Mˆsync)∪ {Xsync,κ},S , ϕ(Hsync),A′)
be an arbitrary asynchronous configuration. If we now have given σ(viewconfasync(ϕ(Hsync))) then we can
“locally reverse” the function σ for the view of the user, i.e., we can define a function σ−1H on the runs of the
synchronous configuration, such that
viewconfasync(ϕ(Hsync)) = σ
−1
H
(
σ(view confasync(ϕ(Hsync)))
)
holds. If confasync is polynomial-time, then σ−1H is polynomial-time computable. ✷
The proof of the lemma is postponed to Appendix B.
Proof. (Theorem 5.2) For readability, we again set Sysasync,1 := ϕ(Sys sync,1) and Sysasync,2 :=
ϕ(Sys sync,2). Let now an arbitrary configuration confasync,1 = (ϕ(Mˆsync,1) ∪ {Xsync,1,κ1},S ,
ϕ(Hsync),Aasync,1) ∈ Conf(Sysasync,1) be given.
1. We apply Theorem 4.2 on confasync,1 which yields a synchronous configuration confsync,1 =
(Mˆsync,1,S ,Hsync,Async,1) ∈ Conf(Syssync,1) with
σ(viewconfasync,1(ϕ(Hsync))) = viewconfsync,1(Hsync).
Moreover, if confasync,1 is polynomial-time then confsync,1 is also polynomial-time, and the mapping
σ is polynomial-time computable.
2. Now the precondition Syssync,1 ≥sync Syssync,2 can be applied yielding a configuration confsync,2 =
(Mˆsync,2,S ,Hsync,Async,2) ∈ Conf(Syssync,2) with
viewconfsync,1(Hsync) ≈ viewconfsync,2(Hsync)
and (Mˆsync,2,S ) ∈ f(Mˆsync,1,S ). Moreover, in the computational case, confsync,2 is polynomial-time.
20
3. We now apply Theorem 4.1 to the configuration confsync,2 which yields a configuration confasync,2 =
(ϕ(Mˆsync,2) ∪ {Xsync,2,κ2},S , ϕ(Hsync), ϕ(Async,2)) with
viewconfsync,2(Hsync) = σ(viewconfasync,2(ϕ(Hsync))).
Moreover, confasync,2 is a polynomial configuration iff confsync,2 is polynomial, according to Theo-
rem 4.1.
4. Putting it all together, we have
• σ(view confasync,1(ϕ(Hsync))) = viewconfsync,1(Hsync)
• viewconfsync,1(Hsync) ≈ viewconfsync,2(Hsync)
• viewconfsync,2(Hsync)) = σ(viewconfasync,2(ϕ(Hsync)))
Using Lemma 5.1, we obtain
σ(viewconfasync,1(ϕ(Hsync))) ≈ σ(viewconfasync,2(ϕ(Hsync))).
We now finally apply our “reversing” function σ−1H (cf. Lemma 5.2) on the above equation. Together
with Lemma 5.1, we obtain
viewconfasync,1(ϕ(Hsync)) ≈ viewconfasync,2(ϕ(Hsync)).
Hence, confasync,2 is an indistinguishable configuration for confasync,1. Moreover, we have
(Mˆsync,2,S ) ∈ f(Mˆsync,1,S ), i.e., ϕ(Mˆsync,2,S ) ∈ f ′(ϕ(Mˆsync,1,S )), which yields the desired re-
sult ϕ(Sys sync,1) ≥
f ′
async,H ϕ(Sysasync,2).
6 Deriving Synchronous Theorems from Asynchronous Ones
Recall that our long-term goal is to avoid proving each and every theorem and lemma for both models. We
now briefly show how our two embedding theorems can be used for circumventing this problem. One of the
most important theorems of both models is transitivity of the relation ≥.
Lemma 6.1 (Transitivity) If Sys1 ≥f1 Sys2 and Sys2 ≥f2 Sys3, then Sys1 ≥f3 Sys3, where f3 := f2 ◦ f1
is defined as f3(Mˆ1,S ) being the union of the sets f2(Mˆ2,S ) with (Mˆ2,S ) ∈ f1(Mˆ1,S ). ✷
This has been proven in [10] for the synchronous and in [13] for the asynchronous model. We now exem-
plarily show how to derive the synchronous version from the asynchronous one using our previous results.
Lemma 6.2 Assume that the asynchronous version of the transitivity lemma (Lemma 6.1) has already been
proven, then the synchronous version holds as well. ✷
Proof. We omit the superscripts fi for the sake of readability. Let arbitrary synchronous systems Sys1, Sys2,
and Sys3 be given such that Sys1 ≥sync Sys2 and Sys2 ≥sync Sys3. We have to show that Sys1 ≥sync Sys3
holds, provided that asynchronous transitivity has already been proven. According to our second embedding
theorem, we know that
ϕ(Sys1) ≥async,H ϕ(Sys2) and ϕ(Sys2) ≥async,H ϕ(Sys3).
21
Obviously, the asynchronous version of transitivity is applicable to the relation ≥async,H instead of ≥async as
well, since it is a special case only, and the honest user remains unchanged at simulatability. Thus, we can
apply our (already proven) asynchronous version of the transitivity lemma, which yields
ϕ(Sys1) ≥async,H ϕ(Sys3).
Now, we use our first embedding theorem in conjunction with its subsequent remarks (stating that the theo-
rem holds as well for the restricted version ≥async,H of simulatability) yielding Sys1 ≥sync Sys3.
This proof technique is applicable to almost all theorems that rely on simulatability. As the most important
example, we name the preservation theorem [71, 45], which states that integrity properties expressed in
linear-time logic are preserved under simulatability. The proof of this theorem is difficult and comprises
several pages for both models. Using our work, the synchronous proof could as well be omitted.
Acknowledgments
This work benefited from fruitful discussions with Dennis Hofheinz, Birgit Pfitzmann, and Michael Waidner.
References
[1] M. Backes, Unifying simulatability definitions in cryptographic systems under different timing as-
sumptions (extended abstract), in: Proceedings of 14th International Conference on Concurrency
Theory (CONCUR), Vol. 2761 of Lecture Notes in Computer Science, Springer, 2003, pp. 350–365,
preprint on IACR ePrint 2003/114.
[2] M. Backes, Unifying simulatability definitions in cryptographic systems under different timing as-
sumptions, Journal of Logic and Algebraic Programming (JLAP) 2 (2005) 157–188.
[3] R. Segala, N. Lynch, Probabilistic simulation for probabilistic processes, Nordic Journal of Computing
2 (2) (1995) 250–273.
[4] S.-H. Wu, S. A. Smolka, E. W. Stark, Composition and behaviors of probabilistic I/O automata, Theo-
retical Computer Science 176 (1–2) (1997) 1–38.
[5] R. Canetti, Studies in secure multiparty computation and applications, Department of Computer Sci-
ence and Applied Mathematics, The Weizmann Institute of Science, revised March 1996 (Jun. 1995).
[6] S. Goldwasser, L. Levin, Fair computation of general functions in presence of immoral majority, in:
Advances in Cryptology: CRYPTO ’90, Vol. 537 of Lecture Notes in Computer Science, Springer,
1990, pp. 77–93.
[7] S. Micali, P. Rogaway, Secure computation, in: Advances in Cryptology: CRYPTO ’91, Vol. 576 of
Lecture Notes in Computer Science, Springer, 1991, pp. 392–404.
[8] D. Beaver, Secure multiparty protocols and zero knowledge proof systems tolerating a faulty minority,
Journal of Cryptology 4 (2) (1991) 75–122.
[9] P. Lincoln, J. Mitchell, M. Mitchell, A. Scedrov, A probabilistic poly-time framework for protocol
analysis, in: Proc. 5th ACM Conference on Computer and Communications Security, 1998, pp. 112–
121.
22
[10] B. Pfitzmann, M. Schunter, M. Waidner, Secure reactive systems, Research Report RZ 3206, IBM
Research, http://www.semper.org/sirene/publ/PfSW1_00ReactSimulIBM.ps.gz
(May 2000).
[11] M. Hirt, U. Maurer, Player simulation and general adversary structures in perfect multiparty computa-
tion, Journal of Cryptology 13 (1) (2000) 31–60.
[12] R. Canetti, Security and composition of multiparty cryptographic protocols, Journal of Cryptology
3 (1) (2000) 143–202.
[13] B. Pfitzmann, M. Waidner, A model for asynchronous reactive systems and its application to secure
message transmission, in: Proc. 22nd IEEE Symposium on Security & Privacy, 2001, pp. 184–200.
[14] R. Canetti, Universally composable security: A new paradigm for cryptographic protocols, in: Proc.
42nd IEEE Symposium on Foundations of Computer Science (FOCS), 2001, pp. 136–145, extended
version in Cryptology ePrint Archive, Report 2000/67, http://eprint.iacr.org/.
[15] M. Backes, B. Pfitzmann, M. Waidner, Secure asynchronous reactive systems, IACR Cryptology ePrint
Archive 2004/082 (Mar. 2004).
[16] M. Backes, C. Jacobi, B. Pfitzmann, Deriving cryptographically sound implementations using compo-
sition and formally verified bisimulation, in: Proc. 11th Symposium on Formal Methods Europe (FME
2002), Vol. 2391 of Lecture Notes in Computer Science, Springer, 2002, pp. 310–329.
[17] M. Backes, B. Pfitzmann, M. Waidner, A general composition theorem for secure reactive system,
in: Proceedings of 1st Theory of Cryptography Conference (TCC), Vol. 2951 of Lecture Notes in
Computer Science, Springer, 2004, pp. 336–354.
[18] M. Backes, B. Pfitzmann, M. Waidner, The reactive simulatability framework for asynchronous sys-
tems, Information and Computation (2007) 1685–1720.
[19] M. Bellare, R. Canetti, H. Krawczyk, A modular approach to the design and analysis of authentica-
tion and key exchange protocols, in: Proc. 30th Annual ACM Symposium on Theory of Computing
(STOC), 1998, pp. 419–428.
[20] C. Dwork, M. Naor, A. Sahai, Concurrent zero-knowledge, in: Proc. 30th Annual ACM Symposium
on Theory of Computing (STOC), 1998, pp. 409–418.
[21] B. Neuman, T. Ts’o, Kerberos: An authentication service for computer networks, IEEE Communica-
tions Magazine 32 (9) (1994) 33–38.
[22] J. Mitchell, M. Mitchell, A. Scedrov, A linguistic characterization of bounded oracle computation and
probabilistic polynomial time, in: Proc. 39th IEEE Symposium on Foundations of Computer Science
(FOCS), 1998, pp. 725–733.
[23] J. Mitchell, M. Mitchell, A. Scedrov, V. Teague, A probabilistic polynominal-time process calculus
for analysis of cryptographic protocols (preliminary report), Electronic Notes in Theoretical Computer
Science 47 (2001) 1–31.
[24] R. Impagliazzo, B. M. Kapron, Logics for reasoning about cryptographic constructions, in: Proc. 44th
IEEE Symposium on Foundations of Computer Science (FOCS), 2003, pp. 372–381.
23
[25] D. Dolev, A. C. Yao, On the security of public key protocols, IEEE Transactions on Information Theory
29 (2) (1983) 198–208.
[26] J. K. Millen, The interrogator: A tool for cryptographic protocol security, in: Proc. 5th IEEE Sympo-
sium on Security & Privacy, 1984, pp. 134–141.
[27] C. Meadows, Using narrowing in the analysis of key management protocols, in: Proc. 10th IEEE
Symposium on Security & Privacy, 1989, pp. 138–147.
[28] R. Kemmerer, Analyzing encryption protocols using formal verification techniques, IEEE Journal on
Selected Areas in Communications 7 (4) (1989) 448–457.
[29] M. Burrows, M. Abadi, R. Needham, A logic for authentication, Technical Report 39, SRC DIGITAL
(1990).
[30] C. Meadows, Formal verification of cryptographic protocols: A survey, in: Proc. ASIACRYPT ’94,
Vol. 917 of Lecture Notes in Computer Science, Springer, 1994, pp. 135–150.
[31] R. Kemmerer, C. Meadows, J. Millen, Three systems for cryptographic protocol analysis, Journal of
Cryptology 7 (2) (1994) 79–130.
[32] G. Lowe, Breaking and fixing the Needham-Schroeder public-key protocol using FDR, in: Proc.
2nd International Conference on Tools and Algorithms for the Construction and Analysis of Systems
(TACAS), Vol. 1055 of Lecture Notes in Computer Science, Springer, 1996, pp. 147–166.
[33] L. Paulson, The inductive approach to verifying cryptographic protocols, Journal of Cryptology 6 (1)
(1998) 85–128.
[34] F. J. Thayer Fabrega, J. C. Herzog, J. D. Guttman, Strand spaces: Why is a security protocol correct?,
in: Proc. 19th IEEE Symposium on Security & Privacy, 1998, pp. 160–171.
[35] M. Abadi, A. D. Gordon, A calculus for cryptographic protocols: The spi calculus, Information and
Computation 148 (1) (1999) 1–70.
[36] M. Abadi, P. Rogaway, Reconciling two views of cryptography: The computational soundness of
formal encryption, in: Proc. 1st IFIP International Conference on Theoretical Computer Science, Vol.
1872 of Lecture Notes in Computer Science, Springer, 2000, pp. 3–22.
[37] M. Abadi, J. Ju¨rjens, Formal eavesdropping and its computational interpretation, in: Proc. 4th Interna-
tional Symposium on Theoretical Aspects of Computer Software (TACS), 2001, pp. 82–94.
[38] P. Laud, Semantics and program analysis of computationally secure information flow, in: Proc. 10th
European Symposium on Programming (ESOP), 2001, pp. 77–91.
[39] M. Backes, B. Pfitzmann, M. Waidner, A composable cryptographic library with nested operations
(extended abstract), in: Proc. 10th ACM Conference on Computer and Communications Security,
2003, pp. 220–230, full version in IACR Cryptology ePrint Archive 2003/015, Jan. 2003, http:
//eprint.iacr.org/.
[40] M. Backes, B. Pfitzmann, M. Waidner, A universally composable cryptographic library, IACR Cryp-
tology ePrint Archive 2003 (2003) 15.
URL http://eprint.iacr.org/2003/015
24
[41] M. Backes, B. Pfitzmann, M. Waidner, Symmetric authentication within a simulatable cryptographic
library, in: Proceedings of 8th European Symposium on Research in Computer Security (ESORICS),
Vol. 2808 of Lecture Notes in Computer Science, Springer, 2003, pp. 271–290, preprint on IACR
ePrint 2003/145.
[42] M. Backes, B. Pfitzmann, M. Waidner, Symmetric authentication within a simulatable cryptographic
library, International Journal of Information Security (IJIS) 4 (3) (2005) 135–154.
[43] M. Backes, B. Pfitzmann, Limits of the cryptographic realization of Dolev-Yao-style XOR, in: Pro-
ceedings of 10th European Symposium on Research in Computer Security (ESORICS), Vol. 3679 of
Lecture Notes in Computer Science, Springer, 2005, pp. 178–196.
[44] M. Backes, B. Pfitzmann, M. Waidner, Limits of the reactive simulatability/UC of Dolev-Yao mod-
els with hashes, in: Proceedings of 11th European Symposium on Research in Computer Secu-
rity(ESORICS), Vol. 4189 of Lecture Notes in Computer Science, Springer, 2006, pp. 404–423.
[45] M. Backes, C. Jacobi, Cryptographically sound and machine-assisted verification of security protocols,
in: Proc. 20th Annual Symposium on Theoretical Aspects of Computer Science (STACS), Vol. 2607
of Lecture Notes in Computer Science, Springer, 2003, pp. 675–686.
[46] M. Backes, B. Pfitzmann, M. Steiner, M. Waidner, Polynomial fairness and liveness, in: Proceedings
of 15th IEEE Computer Security Foundations Workshop (CSFW), 2002, pp. 160–174.
[47] M. Backes, B. Pfitzmann, Computational probabilistic non-interference, in: Proceedings of 7th Eu-
ropean Symposium on Research in Computer Security (ESORICS), Vol. 2502 of Lecture Notes in
Computer Science, Springer, 2002, pp. 1–23.
[48] M. Backes, B. Pfitzmann, Intransitive non-interference for cryptographic purposes, in: Proc. 24th IEEE
Symposium on Security & Privacy, 2003, pp. 140–152.
[49] M. Backes, B. Pfitzmann, Relating symbolic and cryptographic secrecy, IEEE Transactions on De-
pendable and Secure Computing (TDSC) 2 (2) (2005) 109–123.
[50] M. Backes, Quantifying probabilistic information flow in computational reactive systems, in: Pro-
ceedings of 10th European Symposium on Research in Computer Security (ESORICS), Vol. 3679 of
Lecture Notes in Computer Science, Springer, 2005, pp. 336–354.
[51] C. Sprenger, M. Backes, D. Basin, B. Pfitzmann, M. Waidner, Cryptographically sound theorem prov-
ing, in: Proceedings of 19th IEEE Computer Security Foundations Workshop (CSFW), 2006, pp.
153–166.
[52] M. Backes, P. Laud, Computationally sound secrecy proofs by mechanized flow analysis, in: Proceed-
ings of 13th ACM Conference on Computer and Communications Security (CCS), 2006, pp. 370–379.
[53] M. Backes, B. Pfitzmann, A cryptographically sound security proof of the Needham-Schroeder-Lowe
public-key protocol, in: Proc. 23rd Conference on Foundations of Software Technology and Theoret-
ical Computer Science (FSTTCS), 2003, pp. 1–12, full version in IACR Cryptology ePrint Archive
2003/121, Jun. 2003, http://eprint.iacr.org/.
[54] M. Backes, A cryptographically sound dolev-yao style security proof of the Otway-Rees protocol, in:
Proceedings of 9th European Symposium on Research in Computer Security (ESORICS), Vol. 3193
of Lecture Notes in Computer Science, Springer, 2004, pp. 89–108.
25
[55] M. Backes, M. Duermuth, A cryptographically sound Dolev-Yao style security proof of an electronic
payment system, in: Proceedings of 18th IEEE Computer Security Foundations Workshop (CSFW),
2005, pp. 78–93.
[56] M. Backes, B. Pfitzmann, On the cryptographic key secrecy of the strengthened Yahalom protocol, in:
Proceedings of 21st IFIP International Information Security Conference (SEC), 2006, pp. 233–245.
[57] M. Backes, S. Moedersheim, B. Pfitzmann, L. Vigano, Symbolic and cryptographic analysis of the
secure WS-ReliableMessaging Scenario, in: Proceedings of Foundations of Software Science and
Computational Structures (FOSSACS), Vol. 3921 of Lecture Notes in Computer Science, Springer,
2006, pp. 428–445.
[58] M. Backes, I. Cervesato, A. D. Jaggard, A. Scedrov, J.-K. Tsay, Cryptographically sound security
proofs for basic and public-key kerberos, in: Proceedings of 11th European Symposium on Research
in Computer Security(ESORICS), Vol. 4189 of Lecture Notes in Computer Science, Springer, 2006,
pp. 362–383, preprint on IACR ePrint 2006/219.
[59] B. Warinschi, A computational analysis of the Needham-Schroeder-(Lowe) protocol, in: Proc. 16th
IEEE Computer Security Foundations Workshop (CSFW), 2003, pp. 248–262.
[60] P. Laud, Symmetric encryption in automatic analyses for confidentiality against active adversaries,
manuscript, 2004.
[61] J. Herzog, Computational soundness of formal adversaries, Ph.D. thesis, MIT (2002).
[62] J. Herzog, M. Liskov, S. Micali, Plaintext awareness via key registration, in: Advances in Cryptology:
CRYPTO 2003, Vol. 2729 of Lecture Notes in Computer Science, Springer, 2003, pp. 548–564.
[63] D. Micciancio, B. Warinschi, Soundness of formal encryption in the presence of active adversaries,
in: Proc. 1st Theory of Cryptography Conference (TCC), Vol. 2951 of Lecture Notes in Computer
Science, Springer, 2004, pp. 133–151.
[64] J. D. Guttman, F. J. Thayer Fabrega, L. Zuck, The faithfulness of abstract protocol analysis: Message
authentication, in: Proc. 8th ACM Conference on Computer and Communications Security, 2001, pp.
186–195.
[65] D. Volpano, G. Smith, Verifying secrets and relative secrecy, in: Proc. 27th Symposium on Principles
of Programming Languages (POPL), 2000, pp. 268–276.
[66] A. C. Yao, Protocols for secure computations, in: Proc. 23rd IEEE Symposium on Foundations of
Computer Science (FOCS), 1982, pp. 160–164.
[67] B. Pfitzmann, M. Schunter, M. Waidner, Cryptographic security of reactive systems, Presented at the
DERA/RHUL Workshop on Secure Architectures and Information Flow, 1999, Electronic Notes in The-
oretical Computer Science (ENTCS), March 2000, http://www.elsevier.nl/cas/tree/
store/tcs/free/noncas/pc/menu.htm.
[68] B. Pfitzmann, M. Schunter, M. Waidner, Provably secure certified mail, Research Report RZ 3207,
IBM Research, http://www.semper.org/sirene/publ/PfSW2CertMail.ps.gz (Aug.
2000).
[69] M. Steiner, Secure group key agreement, Ph.D. thesis, Universita¨t des Saarlandes, http://www.
semper.org/sirene/publ/Stei_02.thesis-final.pdf (2002).
26
[70] R. Canetti, H. Krawczyk, Universally composable notions of key exchange and secure channels (ex-
tended abstract), in: Advances in Cryptology: EUROCRYPT 2002, Vol. 2332 of Lecture Notes in
Computer Science, Springer, 2002, pp. 337–351, extended version in IACR Cryptology ePrint Archive
2002/059, http://eprint.iacr.org/.
[71] B. Pfitzmann, M. Waidner, Composition and integrity preservation of secure reactive systems, in: Proc.
7th ACM Conference on Computer and Communications Security, 2000, pp. 245–254, extended ver-
sion (with Matthias Schunter) IBM Research Report RZ 3206, May 2000, http://www.semper.
org/sirene/publ/PfSW1_00ReactSimulIBM.ps.gz.
[72] M. Backes, B. Pfitzmann, M. Waidner, A general composition theorem for secure reactive systems,
in: Proc. 1st Theory of Cryptography Conference (TCC), Vol. 2951 of Lecture Notes in Computer
Science, Springer, 2004, pp. 336–354.
[73] R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable two-party and multi-party
secure computation, in: Proc. 34th Annual ACM Symposium on Theory of Computing (STOC), 2002,
pp. 494–503.
[74] D. Hofheinz, J. Mu¨ller-Quade, Universally composable commitments using random oracles, in: Proc.
1st Theory of Cryptography Conference (TCC), Vol. 2951 of Lecture Notes in Computer Science,
Springer, 2004, pp. 58–76.
[75] S. Owre, N. Shankar, J. M. Rushby, PVS: A prototype verification system, in: Proc. 11th Interna-
tional Conference on Automated Deduction (CADE), Vol. 607 of Lecture Notes in Computer Science,
Springer, 1992, pp. 748–752.
[76] P. Lincoln, J. Mitchell, M. Mitchell, A. Scedrov, Probabilistic polynomial-time equivalence and secu-
rity analysis, in: Proc. 8th Symposium on Formal Methods Europe (FME 1999), Vol. 1708 of Lecture
Notes in Computer Science, Springer, 1999, pp. 776–793.
[77] C. A. R. Hoare, Communicating Sequential Processes, International Series in Computer Science, Pren-
tice Hall, Hemel Hempstead, 1985.
[78] N. Lynch, Distributed Algorithms, Morgan Kaufmann Publishers, San Francisco, 1996.
[79] R. Segala, N. Lynch, Probabilistic simulation for probabilistic processes, in: Proc. 5th International
Conference on Concurrency Theory (CONCUR), Vol. 836 of Lecture Notes in Computer Science,
Springer, 1994, pp. 481–497.
[80] S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proof systems, SIAM
Journal on Computing 18 (1) (1989) 186–207.
[81] J. Neveu, Mathematical Foundations of the Calculus of Probability, Holden-Day, 1965.
[82] A. Z. Broder, D. Dolev, Flipping coins in many pockets (byzantine agreement on uniformly random
values), in: Proc. 16th Annual ACM Symposium on Theory of Computing (STOC), 1984, pp. 157–
170.
[83] A. C. Yao, Theory and applications of trapdoor functions, in: Proc. 23rd IEEE Symposium on Foun-
dations of Computer Science (FOCS), 1982, pp. 80–91.
27
A Postponed Definitions
The following definition for indistinguishability of random variables is essentially from [83].
Definition A.1 (Indistinguishability) Two families (vark)k∈N and (var′k)k∈N of random variables (or prob-
ability distributions) on common domains Dk are
a) perfectly indistinguishable (“=”) if for each k, the two distributions vark and var′k are identical.
b) statistically indistinguishable (“≈SMALL”) for a suitable class SMALL of functions from N to R≥0 if
the distributions are discrete and their statistical distances
∆(vark, var
′
k) :=
1
2
∑
d∈Dk
|P (vark = d)− P (var
′
k = d)| ∈ SMALL
(as a function of k). SMALL should be closed under affine addition, and with a function g also contain
every function g′ ≤ g.
c) computationally indistinguishable (“≈poly”) if for every algorithm Dis (the distinguisher) that is prob-
abilistic polynomial-time in its first input,
|P (Dis(1k, vark) = 1)− P (Dis(1
k, var′k) = 1)| ∈ NEGL.
Intuitively, given the security parameter and an element chosen according to either vark or var′k, Dis
tries to guess which distribution the element came from. The class NEGL denotes the set of all
negligible functions, i.e., g : N → R≥0 ∈ NEGL if for all positive polynomials Q, ∃k0∀k ≥ k0 :
g(k) ≤ 1/Q(k).
We write ≈ if we want to treat all three cases simultaneously. ✸
For reasons of completeness, we now present the extended definition of simulatability, based on the three
different kinds of indistinguishability. Definition 2.8 was simplified in the sense that only computational
indistinguishability of views was covered, which represents the most common case when applying simu-
latability to cryptographic protocols.
Definition A.2 (Simulatability, extended version with three variants) Let systems Sys1 and Sys2 with a
valid mapping f be given.
a) We say Sys1 ≥f,perfsec Sys2 (perfectly at least as secure as) if for every configuration conf 1 = (Mˆ1,S ,
H,A1) ∈ Conf(Sys1), there exists a configuration conf 2 = (Mˆ2,S ,H,A2) ∈ Conf(Sys2) with
(Mˆ2,S ) ∈ f(Mˆ1,S ) (and the same H) such that
viewconf 1(H) = viewconf 2(H).
b) We say Sys1 ≥f,SMALLsec Sys2 (statistically at least as secure as) for a class SMALL if the same as
in a) holds with viewconf 1,l(H) ≈SMALL viewconf 2,l(H) for all polynomials l, i.e., statistical indistin-
guishability of all families of l-step prefixes of the views.
c) We say Sys1 ≥f,polysec Sys2 (computationally at least as secure as) if the same as in a) holds with
configurations from Confpoly(Sys1) and Confpoly(Sys2) and computational indistinguishability of the
families of views.
In all cases, we call conf 2 an indistinguishable configuration for conf 1. Where the difference between the
types of security is irrelevant, we simply write ≥fsec, and we omit the indices f and sec if they are clear from
the context. ✸
28
B Postponed Proofs
Proof. (Theorem 4.2) We first reverse our function ϕ on the structure (ϕ(Mˆsync) ∪ {Xsync,κ},S ) and on the
user ϕ(Hsync) yielding the structure (Mˆsync,S ) of Syssync,2 and the original honest user Hsync. Note, that we
cannot reverse the function ϕ on the new adversary Aasync in the same way, because we did not demand it to
have a similar internal structure, so we construct a new adversary Async for the synchronous configuration
as follows. The ports of Async are given by
{p | pC ∈ (ports(Mˆsync) ∪ ports(Hsync)) ∧ p 6∈ (ports(Mˆsync) ∪ ports(Hsync))},
i.e., it connects to all remaining free ports of Mˆsync and Hsync. Internally, Async maintains an array
(output storep!)p!∈out(ports(Aasync)) of lists over Σ∗ all initially empty.
Async has the adversary Aasync as a blackbox submachine and its behavior is defined as follows. If Async
is clocked in the synchronous system, it gets an input tuple I = (Ip?)p?∈in(ports(Async)). It now tries to restore
the order in which these messages would have arrived in the asynchronous system. More precisely, it knows
the clocking scheme κ, so it know which machines have been clocking after the last clocking of Async.
Moreover, it knows the order in which machines are switched by Xsync,κ in one particular subround. Using
the order on the ports of the asynchronous machines, it can finally decide in which order messages sent by
one machine on different ports would have arrived in the asynchronous system. The only problem which
might arise is that a machine has been clocked more then once since the last clocking of the adversary. This
might result in two inputs at the same port of Async which would be concatenated without any separation
symbol. Such an input would not be restorable into its original form, so we had to include the restriction to
the considered clocking scheme that every machine and the user are at most clocked once between two suc-
cessive clockings of the adversary. Note, that our usually used clocking scheme (Mˆ ∪ {H}, {A}, {H}, {A})
fulfills this requirement.
After restoring both the usual messages and their order, Async uses the blackbox function δAasync on
the first input yielding an output tuple O. This tuple O is appended to the array output store , i.e. each
component Op! is appended to output storep!. If there is a nonempty output c at a clock-out port p⊳!, we
would have a clocked self-loop in confasync if output storep![c] 6= ǫ. In this case, this component is removed
from the array and δAasync is called again with the new state and I := Ip?=output storep![c] and so on.
The above steps are repeated with the second input and the new state of Aasync and so on until all inputs
have been considered. Finally, the blackbox function is used with IpAsync?=(i,j) where i denotes the global
round and j denotes the subround the adversary is clocked in. (The adversary obviously knows both i and
j because he knows the clocking scheme κ, so he may simply maintain two counters that he adapts every
time he is clocked.) This correspond to the clocking signal of Xsync,κ in the asynchronous system. The
output tuple is again concatenated to the same array and possible clocked self loops are considered again.
Finally, Async outputs the first elements of each list of output storep! with p!C ∈ ports(Mˆsync ∪{Hsync}) as
its output tuple O and removes these elements from the lists.
Note, that this newly defined adversary Async is polynomial iff Aasync is polynomial by construction.
Thus, if the original configuration confasync has been polynomial-time (i.e., the user ϕ(Hsync) and the adver-
sary Aasync must be polynomial-time) then the configuration confsync = (Mˆsync,S ,Hsync,Async) will also be
polynomial-time, since the runtime of Hsync is always bounded by ϕ(Hsync).
Async “reverse” the function ϕ by construction. The asynchronous adversary would receive many single
inputs, and it would produce outputs every time which would be stored in the outgoing buffers. Possible
clocked self-loops are handled by repeated calls of the transition function with correct inputs. If Aasync
is scheduled by Xsync,κ it again performs an arbitrary transition and the first element of its outgoing buffer
would be clocked. The synchronous adversary first splits its input messages into their original order and uses
the blackbox function one by one storing the outputs in output store . The split inputs correspond to the
29
Aasync
Aasync
   (Aasync)
ϕ(   (Aasync))
output_store
input_store
p1
pn
pn
p1




ϕ
ϕ
≈
Figure 5: Overview of the proof of Lemma B.1.
original inputs of the asynchronous system, so the output tuples are also equal after every step. Therefore,
the contents of output store always correspond to the outgoing buffers in the asynchronous system after a
clocking step of Aasync. If the synchronous adversary is clocked it again calls its blackbox function with the
correct input and stores the output in the array. After that, it outputs the first element of each list of the array
and removes these elements from the lists. In the asynchronous system messages stored in the outgoing
buffers are treated in the same way. More formally we can show the following lemma.
Lemma B.1 We denote this “reversion” of ϕM by ϕ¯M and the reversion of the whole configuration by ϕ¯conf
for the moment. Then for an arbitrary configuration confasync = (ϕ(Mˆsync)∪{Xsync,κ},S , ϕ(Hsync),Aasync)
we have
viewϕconf (ϕ¯conf (confasync))(ϕ(M)) = viewconfasync(ϕ(M))
for every M ∈ (Mˆsync ∪ {Hsync}) and
viewϕconf (ϕ¯conf (confasync))(Aasync) = viewconfasync(Aasync)
where the view of Aasync in the first configuration is given as a submachine of ϕM(ϕ¯M(Aasync)). ✷
Proof. The proof is illustrated in Figure 5. We first show that A′async := ϕM(ϕ¯M(Aasync)) behaves exactly as
Aasync, i.e., both machines are perfectly indistinguishable for their environment. This is already sufficient to
show that the views of ϕ(M) for every M ∈ (Mˆsync∪{Hsync}) are equal in both configurations because they
remain unchanged. We will also show that the view of Aasync is equal in both configurations which finishes
our proof.
We show that both adversaries A′async and Aasync behave identically between two successive clock-
ings. Moreover, we show that the content of array output storep! of A′async always equal the outgoing
buffers p˜ in the corresponding asynchronous configuration at every clocking of Aasync as a submachine of
A′async if we identify clockings of Aasync in both configurations in the natural way. More precisely, this
means that we identify the i-th clocking of Aasync in confasync with the i-th call of δAasync by A′async in
ϕconf (ϕ¯conf (confasync)). Furthermore, we show that outputs made by the adversary are always equal in
both configurations.
At the start of the run both buffers and arrays are empty which fulfills our claim. Now assume that A′async
receives an arbitrary input at p? 6= pAsync?. It stores the message in its array input storep? and gives the
control to the master scheduler. If A′async receives a non-empty input at pA? it applies the state transition
30
function δϕ¯M(Aasync) on the arrays input store . Now, the arrays input store are decomposed into single
inputs again preserving their original order, and the function δAasync is applied to every such input. Since
the inputs are obviously equal in both configuration, we obtain identical outputs, and moreover identical
views for Aasync. By precondition, the arrays output store are mapped to the outgoing buffers. After
one call of δAasync , every output at p! is stored either in output storep! or in p˜ at the same position, so
they remain validly mapped. Now, either the first component of output storep! or the first entry of p˜ for
p!C ∈ (ports(Mˆsync) ∪ {Hsync}) are output yielding identical outputs and therefore identical views for the
environment in both configurations, i.e.,
viewϕconf (ϕ¯conf (confasync))(ϕ(M)) = viewconfasync(ϕ(M))
for M ∈ (Mˆsync ∪ {Hsync}). We already showed that the views of Aasync are equal in both configurations
which finishes our proof.
According to Lemma B.1, the function ϕconf ◦ϕ¯conf yields identical views for ϕ(M) for every M ∈ (Mˆsync∪
{Hsync}) and the asynchronous adversary, i.e.,
• viewϕconf (ϕ¯conf (confasync))(ϕ(M)) = viewconfasync(ϕ(M)) and
• viewϕconf (ϕ¯conf (confasync))(Aasync) = viewconfasync(Aasync).
We already showed in Theorem 4.1 that viewconfsync(M) = σ(viewϕ(confsync)(ϕ(M))) holds for every
synchronous configuration confsync = (Mˆsync,S ,Hsync,Async) and for every machine M ∈ (Mˆsync ∪
{Hsync,Async}). If we now set confsync := ϕ¯conf (confasync), we obtain
• viewconfsync(M) = σ(viewϕconf (ϕ¯conf (confasync))(ϕ(M)))
Moreover, this implies
• viewconfsync(Async) = σ(viewϕconf (ϕ¯conf (confasync))(Aasync)))
since the views of Aasync and ϕ(ϕ¯(Aasync)) are identical. We apply the mapping σ on the first two equations
and, using Lemma 5.1, we obtain
• σ(viewϕconf (ϕ¯conf (confasync))(ϕ(M))) = σ(viewconfasync(ϕ(M))) and
• σ(viewϕconf (ϕ¯conf (confasync))(Aasync)) = σ(view confasync(Aasync))
Note, that σ is in fact defined on runs of these configuration because both the machines of the structure and
the honest user have the prescribed form. Using transitivity, we immediately obtain the desired result
viewconfsync(M) = σ(viewconfasync(ϕ(M)))
and
viewconfsync(Async) = σ(viewconfasync(Aasync))
As a special case we set M := Hsync which yields
viewconfsync(Hsync) = σ(viewconfasync(ϕ(Hsync))).
31
Proof. (Lemma 5.2) In order to prove the claim, we present an algorithm which undoes the changes of the
algorithm for deriving the mapping σ: It has an internal list over Σ+ initially empty, which will be used
to construct the desired view. For every subround j, it goes through all tuples (Msync, i, j, s,I, s′,O′)
modifying them as follows: If Msync = Hsync for one machine of this subround, it appends
(ϕ(Hsync), s,IpHsync ?=(i,j), s
′,O′) to its internal list. Note that this tuple precisely matches the original
asynchronous tuple for switching the honest user ϕ(Hsync) by the master scheduler. After that, it pro-
ceed through all tuples of this subround in precisely the same order they have been scheduled by the
master scheduler (the algorithm is surely allowed to know the clocking scheme). For a given tuple of
the form (Msync, i, j, s,I, s′,O′), it checks, whether there is a non-empty output at a port p! in O′ with
p? ∈ ports(ϕ(Hsync)). In this case, the honest user would be clocked in the second asynchronous block,
so we use the state transition function δϕ(Hsync) on the current state s of ϕ(Hsync) and input Ip?=O′p! which
yields a new state s′ and an (all-empty) output Oǫ. We then add a step (ϕ(Hsync), s,Ip?=O′
p!
, s′,Oǫ). This is
done for all ports of Msync according to their order and for all machines that switch in the consider subround.
Obviously, this algorithm reverses the mapping σ for the honest user by construction. In case of a polyno-
mial configuration, especially the adversary has to be polynomial-time. This implies that there cannot be any
infinite successive clocked self-loops. Moreover, both the adversary and the honest user will reach final state
after a polynomial number of blocks, so the algorithm for σ−1H applied to the view of the honest user will
only makes a polynomial number of transition, each one with a polynomial number of steps. This implies
that σ is computable polynomial-time applied to the view of the honest user if it is used in a polynomial-time
configuration.
32
