## Unifying Simulatability Definitions in Cryptographic Systems under Different Timing Assumptions (2003)

### Other Repositories/Bibliography

Venue: Concurrency Theory, Proceedings of CONCUR 2003

Citations: 9 - 3 self

### BibTeX

@INPROCEEDINGS{Backes03unifyingsimulatability,
    author = {Michael Backes},
    title = {Unifying Simulatability Definitions in Cryptographic Systems under Different Timing Assumptions},
    booktitle = {Concurrency Theory, Proceedings of CONCUR 2003},
    year = {2003},
    pages = {350--365},
    publisher = {Springer-Verlag}
}

### Abstract

The cryptographic concept of simulatability has become a salient technique for faithfully analyzing and proving security properties of arbitrary cryptographic protocols. We investigate the relationship between simulatability in synchronous and asynchronous frameworks by means of the formal models of Pfitzmann et al., which are seminal in using this concept in order to bridge the gap between the formal-methods and the cryptographic community. We show that the synchronous model can be seen as a special case of the asynchronous one with respect to simulatability, i.e., we present an embedding between both models that we show to preserve simulatability.

### Citations

1543 | A.: Distributed Algorithms - Lynch - 2007 |

1144 | A Logic of Authentication - Burrows, Abadi, et al. - 1989 |

1053 | On the security of public key protocols - Dolev, Yao - 1981 |

1049 | C.: The knowledge complexity of interactive proof-systems (extended abstract) - Goldwasser, Micali, et al. - 1985 |

786 | A Calculus for Cryptographic Protocols: The SPI Calculus - Abadi, Gordon - 1999 |

631 | Universally composable security: a new paradigm for cryptographic protocols - Canetti |

614 | Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR - Lowe - 1996 |

539 | PVS: A Prototype Verification System - Owre, Rushby, et al. - 1992 |

537 | Protocols for secure computations - Yao - 1982 |

517 | Theory and application of trapdoor functions - Yao - 1982 |

Citation Context: ...opping. Consequently, it was not necessary to choose a reactive model of a system and its honest users, and the notion of simulatability could be replaced by the weaker notion of indistinguishability [34]. Guttman et al. showed in [17] that the probability of two executions of the same protocol – either executed in a Dolev-Yao-like framework or using real cryptographic primitives – may deviate from e...

409 | The inductive approach to verifying cryptographic protocols - Paulson - 1998 |

395 | Security and composition of multiparty cryptographic protocols - Canetti - 2000 |

374 | Kerberos: An Authentication Service for Computer Networks - Neuman, Ts’o - 1994 |

335 | Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption) - Abadi, Rogaway - 2002 |

271 | Probabilistic simulations for probabilistic processes - Segala, Lynch - 1995 |

226 | A Modular Approach to the Design and Analysis of Authentication and Key Exchange Protocols - Bellare, Canetti, et al. - 1998 |

161 | A.: Concurrent zero-knowledge - Dwork, Naor, et al. - 1998 |

155 | M.: A model for asynchronous reactive systems and its application to secure message transmission - Pfitzmann, Waidner |

Citation Context: ... have been scheduled to schedule certain (statically fixed) other machines themselves. Based on these requirements, several general definitions of secure protocols were developed over the years, e.g. [15, 7, 28, 11, 30, 12], which are all potential candidates for such a framework. To allow for a faithful analysis of cryptographic protocols, it is well-known that such models not only have to capture probabilistic behavio...

140 | Composition and integrity preservation of secure reactive systems - Pfitzmann, Waidner - 2000 |

136 | Three systems for cryptographic protocol analysis - Kemmerer, Meadows, et al. - 1994 |

135 | Secure multiparty protocols and zero knowledge proof systems tolerating a faulty minority - Beaver - 1991 |

135 | M.: A composable cryptographic library with nested operations - Backes, Pfitzmann, et al. |

Citation Context: ...e or a concurrent protocol run. A full cryptographic justification for a Dolev-Yao model, i.e., for arbitrary active attacks and within arbitrary surrounding interactive protocols, was first given in [34]. Based on the specific Dolev-Yao model whose soundness was proven in [34], the well-known Needham-Schroeder-Lowe protocol was proved in [35]. This shows that in spite of adding certain operators and ...

128 | Universally composable two-party and multi-party secure computation - Canetti, Lindell, et al. - 2002 |

Citation Context: ...2], and again by the one in [51]). Now on the one hand, Canetti’s model has been used to address more abstractions of stand-alone cryptographic primitives so far like secure multi-party computation [52] or commitments [53]. On the other hand, the asynchronous model of Pfitzmann et al. was used to solve the long-standing open problem of justifying a Dolev-Yao type model of cryptography as used in vir...

111 | A probabilistic poly-time framework for protocol analysis - Lincoln, Mitchell, et al. - 1998 |

111 | Secure computation - Micali, Rogaway - 1991 |

104 | Universally composable notions of key exchange and secure channels - Canetti, Krawczyk - 2002 |

Citation Context: ...Each of the three considered models was already successfully used to build up sound abstractions of various cryptographic primitives like secure channels [11,12], certified mail [47], or key exchange [48,49]. Comparing the models of Canetti and Pfitzmann et al., we can first state that both models enjoy very general composition theorems (where the first composition theorems in [50,11] were superseded by ...

98 | Formal Verification of Cryptographic Protocols: A - Meadows - 1994 |

97 | L.A.: Fair computation of general functions in presence of immoral majority - Goldwasser, Levin - 1990 |

96 | Formal eavesdropping and its computational interpretation - Abadi, Jürjens - 2001 |

94 | spaces: Why is a security protocol correct - Thayer-Fabrega, Herzog, et al. - 1998 |

85 | B.: Soundness of formal encryption in the presence of active adversaries - Micciancio, Warinschi - 2004 |

Citation Context: ...ng protocols to straight-line programs in a specific language, and does not address a connection to the remaining primitives of the Dolev-Yao model. Herzog et al. [40,41] and Micciancio and Warinschi [42] have recently also given a cryptographic underpinning under active attacks. Their results are considerably weaker than the one in [34] since they are specific for public-key encryption; moreover, the...

76 | Studies in Secure Multiparty Computation and Applications - Canetti - 1995 |

72 | Player Simulation and General Adversary Structures in Perfect Multiparty Computation - Hirt, Maurer |

70 | Semantics and program analysis of computationally secure information flow - Laud - 2001 |

68 | A general composition theorem for secure reactive systems - Backes, Pfitzmann, et al. - 2004 |

Citation Context: ...nn et al., we can first state that both models enjoy very general composition theorems (where the first composition theorems in [50,11] were superseded by the theorem in [12], and again by the one in [51]). Now on the one hand, Canetti’s model has been used to address more abstractions of stand-alone cryptographic primitives so far like secure multi-party computation [52] or commitments [53]. On the...

60 | Analyzing encryption protocols using formal verification techniques - Kemmerer - 1994 |

57 | B.: Symmetric encryption in a simulatable Dolev-Yao style cryptographic library - Backes, Pfitzmann - 2004 |

Citation Context: ...y developed by Warinschi [36]. The proof establishes a stronger security property but is conducted from scratch in the cryptographic approach which takes it out of the scope of formal proof tools. In [37,38] it was shown how the library, in other words the term algebra and rules, can be modularly extended by additional cryptographic primitives, using the example of symmetric authentication and symmetric ...

54 | M.: A universally composable cryptographic library - Backes, Pfitzmann, et al. - 2003 |

52 | Composition and behaviors of probabilistic I/O automata - Wu, Smolka, et al. - 1997 |

52 | Symmetric encryption in automatic analyses for confidentiality against active adversaries - Laud - 2004 |

Citation Context: ... the library, in other words the term algebra and rules, can be modularly extended by additional cryptographic primitives, using the example of symmetric authentication and symmetric encryption. Laud [39] has presented a cryptographic underpinning for a Dolev-Yao model of symmetric encryption under active attacks. His work enjoys a direct connection with a formal proof tool, but it is specific to cert...

51 | Verifying secrets and relative secrecy - Volpano, Smith - 2000 |

46 | Cryptographic Security of Reactive Systems - Pfitzmann, Schunter, et al. |

34 | M.: Symmetric authentication within a simulatable cryptographic library - Backes, Pfitzmann, et al. - 2003 |

Citation Context: ...y developed by Warinschi [36]. The proof establishes a stronger security property but is conducted from scratch in the cryptographic approach which takes it out of the scope of formal proof tools. In [37,38] it was shown how the library, in other words the term algebra and rules, can be modularly extended by additional cryptographic primitives, using the example of symmetric authentication and symmetric ...

32 | L.: The faithfulness of abstract protocol analysis: message authentication - Guttman, Fabrega, et al. - 2001 |

32 | B.: A cryptographically sound security proof of the Needham-Schroeder-Lowe public-key protocol - Backes, Pfitzmann - 2004 |

Citation Context: ...rary surrounding interactive protocols, was first given in [34]. Based on the specific Dolev-Yao model whose soundness was proven in [34], the well-known Needham-Schroeder-Lowe protocol was proved in [35]. This shows that in spite of adding certain operators and rules compared with simpler Dolev-Yao models (in order to be able to use arbitrary cryptographically secure primitives without too many chang...

29 | C.: Cryptographically sound and machine-assisted verification of security protocols - Backes, Jacobi - 2003 |

29 | S.: Plaintext awareness via key registration - Herzog, Liskov, et al. - 2003 |

Citation Context: ...y properties, restricts the surrounding protocols to straight-line programs in a specific language, and does not address a connection to the remaining primitives of the Dolev-Yao model. Herzog et al. [40,41] and Micciancio and Warinschi [42] have recently also given a cryptographic underpinning under active attacks. Their results are considerably weaker than the one in [34] since they are specific for pu...

25 | A.: A linguistic characterization of bounded oracle computation and probabilistic polynomial time - Mitchell, Mitchell, et al. - 1998 |

Citation Context: ...ryptographic basis. Another cryptographically sound proof of 1 Efforts are also under way to formulate syntactic calculi for dealing with probabilism and polynomial-time considerations, in particular [17,7,18,19] and, as a second step, to encode them into proof tools. However, this approach can not yet handle protocols with any degree of automation. Generally it should be seen as complementary to, rather than...

24 | B.M.: Logics for reasoning about cryptographic constructions - Impagliazzo, Kapron - 2003 |

Citation Context: ...ryptographic basis. Another cryptographically sound proof of 1 Efforts are also under way to formulate syntactic calculi for dealing with probabilism and polynomial-time considerations, in particular [17,7,18,19] and, as a second step, to encode them into proof tools. However, this approach can not yet handle protocols with any degree of automation. Generally it should be seen as complementary to, rather than...

24 | A computational analysis of the Needham-Schroeder-(Lowe) protocol - Warinschi - 2003 |

Citation Context: ...roach of getting simple deterministic abstractions of cryptography and working with those wherever cryptography is only used in a blackbox way. this protocol was concurrently developed by Warinschi [36]. The proof establishes a stronger security property but is conducted from scratch in the cryptographic approach which takes it out of the scope of formal proof tools. In [37,38] it was shown how the ...