Simulatable security for quantum protocols

The notion of simulatable security (reactive simulatability, universal composability) is a powerful tool for allowing the modular design of cryptographic protocols (composition of protocols) and showing the security of a given protocol embedded in a larger one. Recently, these methods have received much attention in the quantum cryptographic community. We give a short introduction to simulatable security in general and proceed by sketching the many different definitional choices together with their advantages and disadvantages. Based on the reactive simulatability modelling of Backes, Pfitzmann and Waidner we then develop a quantum security model. By following the BPW modelling as closely as possible, we show that composable quantum security definitions for quantum protocols can strongly profit from their classical counterparts, since most of the definitional choices in the modelling are independent of the underlying machine model. In particular, we give a proof for the simple composition theorem in our framework.Comment: Added proof of combination lemma; added comparison to the model of Ben-Or, Mayers; minor correction

Universal Composition with Responsive Environments

In universal composability frameworks, adversaries (or environments) and protocols/ideal functionalities often have to exchange meta-information on the network interface, such as algorithms, keys, signatures, ciphertexts, signaling information, and corruption-related messages. For these purely modeling-related messages, which do not reflect actual network communication, it would often be very reasonable and natural for adversaries/environments to provide the requested information immediately or give control back to the protocol/functionality immediately after having received some information. However, in none of the existing models for universal composability is this guaranteed. We call this the \emph{non-responsiveness problem}. As we will discuss in the paper, while formally non-responsiveness does not invalidate any of the universal composability models, it has many disadvantages, such as unnecessarily complex specifications and less expressivity. Also, this problem has often been ignored in the literature, leading to ill-defined and flawed specifications. Protocol designers really should not have to care about this problem at all, but currently they have to: giving the adversary/environment the option to not respond immediately to modeling-related requests does not translate to any real attack scenario. This paper solves the non-responsiveness problem and its negative consequences completely, by avoiding this artificial modeling problem altogether. We propose the new concepts of responsive environments and adversaries. Such environments and adversaries must provide a valid response to modeling-related requests before any other protocol/functionality is activated. Hence, protocol designers do no longer have to worry about artifacts resulting from such requests not being answered promptly. Our concepts apply to all existing models for universal composability, as exemplified for the UC, GNUC, and IITM models, with full definitions and proofs (simulation relations, transitivity, equivalence of various simulation notions, and composition theorems) provided for the IITM model

Cryptographically sound analysis of security protocols

In this thesis, we show how formal methods can be used for the cryptographically sound verification of concrete implementations of security protocols in order to obtain trustworthy and meaningful proofs, and to eliminate human inaccuracies. First, we show how to derive secure concrete implementations of a given abstract specification. The security proofs are essentially based on the well-established approach of bisimulation which can be formally verified yielding rigorous proofs. As an example, we present both a specification and a secure implementation of secure message transmission with ordered channels. Moreover, the example comprises a general methodology how secure implementation of arbitrary specifications can be obtained. Thereafter, we concentrate on the actual goals the protocol should fulfill. Thus, we define integrity properties in our underlying model and we show that logic derivations among them carry over specification to the concrete implementation, which makes them accessible for tool-assisted verification. As an example, we formally verify one concrete protocol using the theorem prover PVS yielding the first machine-aided and sound proof of a cryptographic protocol. As additional properties of security protocols, we consider liveness and noninterference. The standard definition of these properties is not suited to cope with protocols involving real cryptographic primitives, so we introduce new definitions which are restricted to polynomial runs and include error probabilities. We show that both properties carry over from the specification to the concrete implementation, and we present two examples, one for each property, which we prove to fulfill our definitions.Diese Arbeit behandelt formale Verifikation von Sicherheitsprotokollen mit dem Ziel,maschinell verifizierte Beweise zu ermöglichen, die die kryptographische Semantik respektieren, d.h., deren Aussagen bzgl. der zugrundeliegenden Kryptographie und den kryptographischen Sicherheitsdefinitionen gültig sind (engl. cryptographically sound proofs).Als erstes zeigen wir, wie formale Methoden benutzt werden können, um sichere konkrete Implementationen anhand einer gegebenen abstrakten Spezifikation herzuleiten. Wir geben dafür eine allgemeingültige Methodologie an, die auf formal verifizierten Bisimulationen basiert, was uns rigorose und glaubhafte Sicherheitsbeweise liefert. Als Beispiel geben wir eine Spezifikation und eine konkrete Implementation für sichere geordnete Nachrichtenübertragung an. Die im Sicherheitsbeispiel der Implementation auftretende Bisimulation verifizieren wir mit Hilfe des Theorembeweisers PVS. Als zweites konzentrieren wir uns auf die Ziele, die ein Sicherheitsprotokoll erfüllen soll. Wir definieren Integritätseigenschaften in unserem zugrundeliegenden Modell, und wir beweisen, dass sich logische Schlussfolgerungen bzgl. dieser Eigenschaften von der Spezifikation auf die Implementation übertragen, was eine essentielle Voraussetzung für maschinelle Verifikation darstellt. Als Beispiel verifizieren wir ein konkretes Protokoll mit Hilfe des Theorembeweisers PVS, was uns den ersten Beweis eines Sicherheitsprotokolls liefert, der sowohl maschinell verifiziert ist als auch der kryptographischen Semantik "treu'; bleibt, d.h., der wirklich ein Beweis gegen die kryptographischen Primitive und deren kryptographische Sicherheitsdefinitionen ist. Als zusätzliche Eigenschaften von Sicherheitsprotokollen betrachten wir Lebendigkeit (engl. liveness) und Unbeeinflussbarkeit (engl. non-interference). Da sich die Standarddefinition dieser wichtigen Eigenschaften als ungeeignet für echte Kryptographie herausstellt, führen wir allgemeinere Definitionen ein, die auf polynomielle Länge beschränkt sind und Fehlerwahrscheinlichkeiten berücksichtigen.Wir zeigen, dass sich diese Eigenschaften von der Spezifikation auf die Implementation übertragen,was wiederum den Bezug zu formalen Methoden herstellt. Wir präsentieren zwei Beispiele, je eines für jede Eigenschaft, von denen wir beweisen, dass sie die entsprechende Definition erfüllen

The IITM Model: a Simple and Expressive Model for Universal Composability

The universal composability paradigm allows for the modular design and analysis of cryptographic protocols. It has been widely and successfully used in cryptography. However, devising a coherent yet simple and expressive model for universal composability is, as the history of such models shows, highly non-trivial. For example, several partly severe problems have been pointed out in the literature for the UC model. In this work, we propose a coherent model for universal composability, called the IITM model (``Inexhaustible Interactive Turing Machine\u27\u27). A main feature of the model is that it is stated without a priori fixing irrelevant details, such as a specific way of addressing of machines by session and party identifiers, a specific modeling of corruption, or a specific protocol hierarchy. In addition, we employ a very general notion of runtime. All reasonable protocols and ideal functionalities should be expressible based on this notion in a direct and natural way, and without tweaks, such as (artificial) padding of messages or (artificially) adding extra messages. Not least because of these features, the model is simple and expressive. Also the general results that we prove, such as composition theorems, hold independently of how such details are fixed for concrete applications. Being inspired by other models for universal composability, in particular the UC model and because of the flexibility and expressivity of the IITM model, conceptually, results formulated in these models directly carry over to the IITM model

Unifying Simulatability Definitions in Cryptographic Systems under Different Timing Assumptions

AbstractThe cryptographic concept of simulatability has become a salient technique for faithfully analyzing and proving security properties of arbitrary cryptographic protocols. We investigate the relationship between simulatability in synchronous and asynchronous frameworks by means of the formal models of Pfitzmann et al., which are seminal in using this concept in order to bridge the gap between the formal-methods and the cryptographic community. We show that the synchronous model can be seen as a special case of the asynchronous one with respect to simulatability, i.e., we present an embedding from the synchronous model into the asynchronous one that we show to preserve simulatability. We show that this result allows for carrying over lemmas and theorems that rely on simulatability from the asynchronous model to its synchronous counterpart without any additional work, hence future work on enhancing simulatability-based models can concentrate on the more general asynchronous case

Cryptographically sound analysis of security protocols

In this thesis, we show how formal methods can be used for the cryptographically sound verification of concrete implementations of security protocols in order to obtain trustworthy and meaningful proofs, and to eliminate human inaccuracies. First, we show how to derive secure concrete implementations of a given abstract specification. The security proofs are essentially based on the well-established approach of bisimulation which can be formally verified yielding rigorous proofs. As an example, we present both a specification and a secure implementation of secure message transmission with ordered channels. Moreover, the example comprises a general methodology how secure implementation of arbitrary specifications can be obtained. Thereafter, we concentrate on the actual goals the protocol should fulfill. Thus, we define integrity properties in our underlying model and we show that logic derivations among them carry over specification to the concrete implementation, which makes them accessible for tool-assisted verification. As an example, we formally verify one concrete protocol using the theorem prover PVS yielding the first machine-aided and sound proof of a cryptographic protocol. As additional properties of security protocols, we consider liveness and noninterference. The standard definition of these properties is not suited to cope with protocols involving real cryptographic primitives, so we introduce new definitions which are restricted to polynomial runs and include error probabilities. We show that both properties carry over from the specification to the concrete implementation, and we present two examples, one for each property, which we prove to fulfill our definitions.Diese Arbeit behandelt formale Verifikation von Sicherheitsprotokollen mit dem Ziel,maschinell verifizierte Beweise zu ermöglichen, die die kryptographische Semantik respektieren, d.h., deren Aussagen bzgl. der zugrundeliegenden Kryptographie und den kryptographischen Sicherheitsdefinitionen gültig sind (engl. cryptographically sound proofs).Als erstes zeigen wir, wie formale Methoden benutzt werden können, um sichere konkrete Implementationen anhand einer gegebenen abstrakten Spezifikation herzuleiten. Wir geben dafür eine allgemeingültige Methodologie an, die auf formal verifizierten Bisimulationen basiert, was uns rigorose und glaubhafte Sicherheitsbeweise liefert. Als Beispiel geben wir eine Spezifikation und eine konkrete Implementation für sichere geordnete Nachrichtenübertragung an. Die im Sicherheitsbeispiel der Implementation auftretende Bisimulation verifizieren wir mit Hilfe des Theorembeweisers PVS. Als zweites konzentrieren wir uns auf die Ziele, die ein Sicherheitsprotokoll erfüllen soll. Wir definieren Integritätseigenschaften in unserem zugrundeliegenden Modell, und wir beweisen, dass sich logische Schlussfolgerungen bzgl. dieser Eigenschaften von der Spezifikation auf die Implementation übertragen, was eine essentielle Voraussetzung für maschinelle Verifikation darstellt. Als Beispiel verifizieren wir ein konkretes Protokoll mit Hilfe des Theorembeweisers PVS, was uns den ersten Beweis eines Sicherheitsprotokolls liefert, der sowohl maschinell verifiziert ist als auch der kryptographischen Semantik "treu\u27; bleibt, d.h., der wirklich ein Beweis gegen die kryptographischen Primitive und deren kryptographische Sicherheitsdefinitionen ist. Als zusätzliche Eigenschaften von Sicherheitsprotokollen betrachten wir Lebendigkeit (engl. liveness) und Unbeeinflussbarkeit (engl. non-interference). Da sich die Standarddefinition dieser wichtigen Eigenschaften als ungeeignet für echte Kryptographie herausstellt, führen wir allgemeinere Definitionen ein, die auf polynomielle Länge beschränkt sind und Fehlerwahrscheinlichkeiten berücksichtigen.Wir zeigen, dass sich diese Eigenschaften von der Spezifikation auf die Implementation übertragen,was wiederum den Bezug zu formalen Methoden herstellt. Wir präsentieren zwei Beispiele, je eines für jede Eigenschaft, von denen wir beweisen, dass sie die entsprechende Definition erfüllen

On the (Im-)Possibility of Extending Coin Toss

We consider the task of extending a given coin toss. By this, we mean the two-party task of using a single instance of a given coin toss protocol in order to interactively generate more random coins. A bit more formally, our goal is to generate n common random coins from a single use of an ideal functionality that gives m < n common random coins to both parties. In the framework of universal composability, we show the impossibility of securely extending a coin toss for statistical and perfect security. On the other hand, for computational security, the existence of a protocol for coin toss extension depends on the number m of random coins that can be obtained “for free.” For the case of stand-alone security, i.e., a simulation-based security definition without an environment, we present a protocol for statistically secure coin toss extension. Our protocol works for superlogarithmic m, which is optimal as we show the impossibility of statistically secure coin toss extension for smaller m. Combining our results with already known results, we obtain a (nearly) complete characterization under which circumstances coin toss extension is possible

On Fairness in Simulatability-based Cryptographic Systems

Simulatability constitutes the cryptographic notion of a secure refinement and has asserted its position as one of the fundamental concepts of modern cryptography. Although simulatability carefully captures that a distributed protocol does not behave any worse than an ideal specification, it however does not capture any form of liveness guarantees, i.e., that something good eventually happens in the protocol. We show how one can extend the notion of simulatability to comprise liveness guarantees by imposing specific fairness constraints on the adversary. As the common notion of fairness based on infinite runs and eventual message delivery is not suited for reasoning about polynomial-time, cryptographic systems, we propose a new definition of fairness that enforces the delivery of messages after a polynomial number of steps. We provide strengthened variants of this definition by granting the protocol parties explicit guarantees on the maximum delay of messages. The variants thus capture fairness with explicit timeout signals, and we further distinguish between fairness with local timeouts and fairness with global timeouts. We compare the resulting notions of fair simulatability, and provide separating examples that help to classify the strengths of the definitions and that show that the different definitions of fairness imply different variants of simulatability

Polynomial Runtime and Composability

To prove security of a multi-party cryptographic protocol, one often reduces attacks on the protocol to attacks on a suitable computational problem. Thus, if the computational problem is hard, then the protocol is secure. But to allow for a security reduction, the protocol itself and the attack on the protocol must be efficient, i.e., polynomial-time. Of course, the obvious way to enforce an overall polynomial runtime of the protocol is to require each individual protocol machine and adversarial entity to be polynomial-time. However, as the specific case of zero-knowledge protocols demonstrates, an a priori polynomial-time bound on all entities may not be an optimal choice because the running time of some machines needs to depend on that of others. As we want to be able to model arbitrary protocol tasks, we work in the Universal Composability framework (UC). This framework additionally provides strong composability guarantees. We will point out that in the UC setting, finding a useful notion of polynomial-time for the analysis of general protocols is a highly non-trivial task. Our goal in this work is to find a good and useful definition of polynomial-time for multi-party protocols in the UC setting that matches the intuition of what is feasible. A good definition should have the following properties: * Flexibility: All intuitively feasible protocols and protocol tasks should be considered polynomial-time. * Soundness: All intuitively feasible attacks (i.e., adversaries) should be considered polynomial-time. * Completeness: Only intuitively feasible attacks should be considered polynomial-time. In particular, this implies that the security of protocols can be reduced to computational hardness assumptions. * Composability: The induced security notion should support secure (universal) composition of protocols. * Simplicity: The notion should be easy to formulate, and for all practical cases, it should be easy to decide whether a protocol or attack runs in polynomial time. The problem of finding a good definition of polynomial time in the UC framework has been considered in a number of works, but no definition satisfying the five above criteria had been found so far. This seemingly simple problem is surprisingly elusive and it is hard to come up with a definition that does not involve many technical artifacts. In this contribution, we give a definition of polynomial time for cryptographic protocols in the UC model, called reactively polynomial, that satisfies all five properties. Our notion is simple and easy to verify. We argue for its flexibility, completeness and soundness with practical examples that are problematic with previous approaches. We give a very general composition theorem for reactively polynomial protocols. The theorem states that arbitrarily many instances of a secure protocol can be used in any larger protocol without sacrificing security. Our proof is technically different from and substantially more involved than proofs for previous protocol composition theorems (for previous definitions of polynomial runtime). We believe that it is precisely this additional proof complexity, which appears only once and for all in the proof of the composition theorem, that makes a useful definition as simple as ours possible