## Limits of the Cryptographic Realization of Dolev-Yao-style XOR (2005)


### Download Links

- [eprint.iacr.org]
- [www.infsec.cs.uni-sb.de]
- [www.infsec.cs.uni-saarland.de]
- DBLP

### Other Repositories/Bibliography

- Venue: Computer Security, Proceedings of ESORICS 2005, number 3679 in Lecture Notes in Computer Science
- Citations: 17 (5 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Backes05limitsof,
  author    = {Michael Backes and Birgit Pfitzmann},
  title     = {Limits of the Cryptographic Realization of Dolev-Yao-style XOR},
  booktitle = {Computer Security, Proceedings of ESORICS 2005, number 3679 in Lecture Notes in Computer Science},
  year      = {2005},
  pages     = {178--196},
  publisher = {Springer-Verlag}
}
```

### Abstract

The abstraction of cryptographic operations by term algebras, called Dolev-Yao models, is essential in almost all tool-supported methods for proving security protocols. Recently significant progress was made in proving that such abstractions can be sound with respect to actual cryptographic realizations and security definitions. The strongest results show this in the sense of reactive simulatability/UC, a notion that essentially means retention of arbitrary security properties under arbitrary active attacks and in arbitrary protocol environments, with only small changes to both abstractions and natural implementations.

### Citations

Works cited by this paper. Each entry gives the CiteSeerX citation count of the cited work, its title, authors and year, the reference number under which this paper cites it, and the passage of this paper in which the citation appears.

1081 | On the security of public-key protocols
- Dolev, Yao
- 1983
- cited as [25]
Citation context: ... Tool-supported verification of cryptographic protocols almost always relies on abstractions of cryptographic operations by term algebras, called Dolev-Yao models after the first authors [25]. The core of these term algebras are operations like en- and decryption which ideally have very few algebraic properties. However, if one wants to benefit from such abstractions in protocols that also ...

653 | Universally composable security: A new paradigm for cryptographic protocols
- Canetti
- cited among [45, 15]
Citation context: ... The security notion of reactive simulatability, a notion of secure implementation that allows arbitrary composition, was first defined generally in [44], based on simulatability definitions for secure (one-step) function evaluation [26, 27, 12, 38, 14]. It was extended in [45, 15], called UC (universal composability) in the latter, and has since been used in many ways for proving individual cryptographic systems and general theorems. While the definitions of [45, 15] have not ...

529 | How to play any mental game – or – a completeness theorem for protocols with honest majority
- Goldreich, Micali, et al.
- 1987
- cited among [26, 27, 12, 38, 14]
Citation context: ... The security notion of reactive simulatability, a notion of secure implementation that allows arbitrary composition, was first defined generally in [44], based on simulatability definitions for secure (one-step) function evaluation [26, 27, 12, 38, 14]. It was extended in [45, 15], called UC (universal composability) in the latter, and has since been used in many ways for proving individual cryptographic systems and general theorems. While the definitions ...

515 | Cryptography and Data Security
- Denning
- 1983
- cited as [23]
Citation context: ... sends the result to the adversary. The result can be cryptanalyzed if the texts are long enough, i.e., a real adversary can retrieve the two plaintexts, e.g., see the section on running-key ciphers in [23]. Hence we must model that an XOR leaks the underlying terms to the adversary unless we know that at least one of these terms is sufficiently ... (Fig. 1. Overview of blackbox simulatability: M1, M2, H, A, TH, Sim)
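The running-key observation in the Denning citation context above (the XOR of two sufficiently long plaintexts can be cryptanalyzed) is the reason the paper's symbolic XOR has to be modelled as leaking its operands, and the contrast with XOR against a fresh uniformly random term is why the one-time pad is the one case the abstraction can keep secret. The following Python is an added example, not code from the paper; the two messages, the crib words and the plausibility filter are constructed for illustration:

```python
"""Why a Dolev-Yao XOR rule has to let the adversary learn the operands.

Added example, not code from Backes and Pfitzmann's paper. If a protocol sends
xor(m1, m2) where both m1 and m2 are structured plaintexts, the result is a
running-key cipher: a guessed fragment (crib) of either message reveals the
aligned part of the other, and knowing one message in full reveals the other.
Only when one operand is a fresh, uniformly random string of the same length
(a one-time pad) does the XOR hide anything. Messages and cribs are constructed.
"""
import os
import string
from typing import List, Optional, Tuple

# Bytes a plausible English/ASCII plaintext fragment may contain (assumed filter).
PLAUSIBLE = frozenset((string.ascii_letters + string.digits + " .,:;'-").encode())

# Constructed sample terms: what a protocol might XOR without a fresh nonce.
M1 = b"transfer 500 euros to account 1234 tonight"
M2 = b"the payment is approved by the branch"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def other_term(c: bytes, known: bytes) -> bytes:
    """Deduction rule the symbolic model must grant the adversary:
    from xor(m1, m2) and one operand, recover the other (XOR is its own inverse)."""
    return xor_bytes(c, known)


def crib_drag(c: bytes, crib: bytes) -> List[Tuple[int, bytes]]:
    """Running-key cryptanalysis of c = m1 XOR m2 with a guessed fragment.

    Slide the crib over c; wherever XORing it back yields a plausible plaintext
    fragment, the crib probably sits at that offset in one message and the
    returned fragment is the aligned part of the other message."""
    hits = []
    for off in range(len(c) - len(crib) + 1):
        cand = xor_bytes(c[off:off + len(crib)], crib)
        if all(b in PLAUSIBLE for b in cand):
            hits.append((off, cand))
    return hits


def one_time_pad(m: bytes, pad: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """XOR with a fresh uniform pad of equal length: the case the abstraction
    can treat as hiding the message. Returns (pad, ciphertext)."""
    if pad is None:
        pad = os.urandom(len(m))
    if len(pad) != len(m):
        raise ValueError("one-time pad must match the message length")
    return pad, xor_bytes(m, pad)


def demo() -> dict:
    """Run the three cases and return the recovered values for inspection."""
    c = xor_bytes(M1, M2)                    # what the adversary observes
    hits = crib_drag(c, b"payment")          # adversary guesses a word of M2
    pad, ct = one_time_pad(M1)
    return {
        "leaked_xor": c,
        "crib_hits": hits,                   # contains (4, b"sfer 50"), a piece of M1
        "m1_from_m2": other_term(c, M2),     # M1 truncated to len(M2)
        "otp_roundtrip": xor_bytes(ct, pad) == M1,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Dragging a single guessed word across the XOR of two messages already exposes aligned plaintext of the other message; with one operand known in full, the other falls out directly. Against a fresh uniform pad the same crib drag produces no usable structure, which is exactly the distinction the paper draws between XOR on arbitrary terms and XOR with a one-time pad.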

404 | Security and composition of multi-party cryptographic protocols
- Canetti
- 2000
- cited among [26, 27, 12, 38, 14]
Citation context: ... The security notion of reactive simulatability, a notion of secure implementation that allows arbitrary composition, was first defined generally in [44], based on simulatability definitions for secure (one-step) function evaluation [26, 27, 12, 38, 14]. It was extended in [45, 15], called UC (universal composability) in the latter, and has since been used in many ways for proving individual cryptographic systems and general theorems. While the definitions ...

341 | Reconciling two views of cryptography: The computational soundness of formal encryption
- Abadi, Rogaway
- 2000
- cited among [4, 3, 30]
Citation context: ... properties. Extensions of this simulatability result to more cryptographic primitives were presented in [9, 7] and actual uses in protocol proofs in [6, 5]. Earlier results considered passive attacks only [4, 3, 30]. Later papers [39, 33, 16] consider to what extent restrictions to weaker security properties and/or less general protocol classes allow simplifications compared with [8]. All these papers have in common ...

136 | A composable cryptographic library with nested operations (extended abstract)
- Backes, Pfitzmann, et al.
- 2003
- cited as [8]
Citation context: ... important cryptographic system types can be implemented with real cryptographic systems secure according to standard cryptographic definitions in a way that offers reactive (blackbox) simulatability [8]. This security notion means that one system (here the cryptographic realization) can be plugged into arbitrary protocols instead of another (here the Dolev-Yao model) and retains essentially arbitrary ...

136 | Secure Multi-party Protocols and Zero-Knowledge Proof Systems Tolerating a Faulty Minority
- Beaver
- 1991
- cited among [26, 27, 12, 38, 14]
Citation context: ... The security notion of reactive simulatability, a notion of secure implementation that allows arbitrary composition, was first defined generally in [44], based on simulatability definitions for secure (one-step) function evaluation [26, 27, 12, 38, 14]. It was extended in [45, 15], called UC (universal composability) in the latter, and has since been used in many ways for proving individual cryptographic systems and general theorems. While the definitions ...

125 | LFSR-based Hashing and Authentication
- Krawczyk
- 1994
- cited among [29, 13, 46]
Citation context: ... ancient and medieval times, over the one-time pad and the work of Shannon, to its widespread use in modern cryptography where it constitutes an essential component in many cryptographic protocols, e.g., [29, 13, 46]. To the best of our knowledge, the XOR operation in symbolic analysis of cryptographic protocols has first been mentioned by Meadows [35] as a possible extension of the NRL analyzer, and has since then ...

121 | XOR MACs: New methods for message authentication using finite pseudorandom functions
- Bellare, Guerin, et al.
- 1995
- cited among [29, 13, 46]
Citation context: ... ancient and medieval times, over the one-time pad and the work of Shannon, to its widespread use in modern cryptography where it constitutes an essential component in many cryptographic protocols, e.g., [29, 13, 46]. To the best of our knowledge, the XOR operation in symbolic analysis of cryptographic protocols has first been mentioned by Meadows [35] as a possible extension of the NRL analyzer, and has since then ...

113 | A probabilistic poly-time framework for protocol analysis
- Lincoln, Mitchell, et al.
- 1998
- cited as [34]
Citation context: ... the interface from TH or M1 and M2, respectively, to the entirety of users H. Similar concepts exist in all variants, in particular [44, 45, 15], and when extending the observational equivalence from [34] by simulators, e.g., the input and output formats of the ideal and real functionality in [15] and the free channel types in [34]. Syntactically different user interfaces would either simply prevent the ...

111 | Secure computation
- Micali, Rogaway
- 1991

100 | Fair computation of general functions in presence of immoral majority
- Goldwasser, Levin
- 1990

98 | Formal eavesdropping and its computational interpretation
- Abadi, Jürjens
- 2001
- cited among [4, 3, 30]
Citation context: ... properties. Extensions of this simulatability result to more cryptographic primitives were presented in [9, 7] and actual uses in protocol proofs in [6, 5]. Earlier results considered passive attacks only [4, 3, 30]. Later papers [39, 33, 16] consider to what extent restrictions to weaker security properties and/or less general protocol classes allow simplifications compared with [8]. All these papers have in common ...

92 | Privacy and Authentication: An Introduction to Cryptography
- Diffie, Hellman
- 1979

86 | Soundness of formal encryption in the presence of active adversaries
- Micciancio, Warinschi
- 2004
- cited among [39, 33, 16]
Citation context: ... Extensions of this simulatability result to more cryptographic primitives were presented in [9, 7] and actual uses in protocol proofs in [6, 5]. Earlier results considered passive attacks only [4, 3, 30]. Later papers [39, 33, 16] consider to what extent restrictions to weaker security properties and/or less general protocol classes allow simplifications compared with [8]. All these papers have in common that they only consider ...

83 | An NP decision procedure for protocol insecurity with XOR
- Chevalier, Küsters, et al.
- 2005
- cited among [40, 18, 19]
Citation context: ... such abstractions in protocols that also contain operations with more algebraic properties, those operations have to be given a similar specification. A typical such operation is the exclusive or (XOR), see, e.g., [40, 18, 19], because it is commutative and associative and has significant uses in cryptology, e.g., as the one-time pad, in modes of operation of block ciphers, and in some protocols. Recent work has essentially ...

79 | Deciding Knowledge in Security Protocols under Equational Theories
- Abadi, Cortier
- 2004
- cited among [20, 22, 2]
Citation context: ... There, it was particularly shown that protocol insecurity with XOR is in NP for a certain protocol class. This line of work typically continues with abstractions of more general Abelian groups, e.g., [20, 22, 2], and the exponentiation function as used in many cryptographic systems based on the discrete-logarithm problem, e.g., [37, 28, 42, 21, 17, 47, 1]. While we have not yet considered these extensions, ...

76 | Intruder deductions, constraint solving and insecurity decision in presence of exclusive or
- Comon-Lundh, Shmatikov
- 2003
- cited among [40, 18, 19]
Citation context: ... such abstractions in protocols that also contain operations with more algebraic properties, those operations have to be given a similar specification. A typical such operation is the exclusive or (XOR), see, e.g., [40, 18, 19], because it is commutative and associative and has significant uses in cryptology, e.g., as the one-time pad, in modes of operation of block ciphers, and in some protocols. Recent work has essentially ...

70 | Semantics and program analysis of computationally secure information flow
- Laud
- 2001
- cited among [4, 3, 30]
Citation context: ... properties. Extensions of this simulatability result to more cryptographic primitives were presented in [9, 7] and actual uses in protocol proofs in [6, 5]. Earlier results considered passive attacks only [4, 3, 30]. Later papers [39, 33, 16] consider to what extent restrictions to weaker security properties and/or less general protocol classes allow simplifications compared with [8]. All these papers have in common ...

68 | OFMC: A symbolic model checker for security protocols
- Basin, Mödersheim, et al.
- cited as [10]
Citation context: ... first been mentioned by Meadows [35] as a possible extension of the NRL analyzer, and has since then been incorporated in many formal proof tools, e.g., NRL [36], CAPSL [41], Isabelle [43], and OFMC [10]. Recent papers on XOR in Dolev-Yao models were mainly concerned with the decidability of the insecurity of cryptographic protocols against a Dolev-Yao attack in the presence of deduction rules for the ...

58 | Symmetric encryption in a simulatable Dolev-Yao style cryptographic library
- Backes, Pfitzmann
- 2004
- cited among [9, 7]
Citation context: ... retains essentially arbitrary security properties; it is also called UC for its universal composition properties. Extensions of this simulatability result to more cryptographic primitives were presented in [9, 7] and actual uses in protocol proofs in [6, 5]. Earlier results considered passive attacks only [4, 3, 30]. Later papers [39, 33, 16] consider to what extent restrictions to weaker security properties ...

56 | Deciding the security of protocols with Diffie-Hellman exponentiation and products in exponents
- Chevalier, Küsters, et al.
- 2003
- cited among [37, 28, 42, 21, 17, 47, 1]
Citation context: ... This line of work typically continues with abstractions of more general Abelian groups, e.g., [20, 22, 2], and the exponentiation function as used in many cryptographic systems based on the discrete-logarithm problem, e.g., [37, 28, 42, 21, 17, 47, 1]. While we have not yet considered these extensions, we are convinced that a general use of such operations on other terms would lead to similar problems as with XOR. In the case of exponentiations, ...

53 | Symmetric encryption in automatic analyses for confidentiality against active adversaries
- Laud
- 2004
- cited among [39, 33, 16]
Citation context: ... Extensions of this simulatability result to more cryptographic primitives were presented in [9, 7] and actual uses in protocol proofs in [6, 5]. Earlier results considered passive attacks only [4, 3, 30]. Later papers [39, 33, 16] consider to what extent restrictions to weaker security properties and/or less general protocol classes allow simplifications compared with [8]. All these papers have in common that they only consider ...

52 | Computationally Sound Implementations of Equational Theories Against Passive Adversaries
- Baudet, Cortier, et al.
- 2005
- cited as [11]
Citation context: ... A sound formal abstraction of XOR, but only in connection with pseudorandom permutations, not the typical general encryptions etc. of other Dolev-Yao models, and only for passive attacks, was presented in [31, 32]. Another sound formal abstraction of XOR was recently presented in [11], but only if XOR is restricted to terms whose corresponding bitstrings are generated according to a uniform distribution, and only for passive attacks. The security notion of reactive simulatability, ...

46 | Just Fast Keying in the Pi Calculus
- Abadi, Blanchet, et al.
- 2004
- cited among [37, 28, 42, 21, 17, 47, 1]
Citation context: ... This line of work typically continues with abstractions of more general Abelian groups, e.g., [20, 22, 2], and the exponentiation function as used in many cryptographic systems based on the discrete-logarithm problem, e.g., [37, 28, 42, 21, 17, 47, 1]. While we have not yet considered these extensions, we are convinced that a general use of such operations on other terms would lead to similar problems as with XOR. In the case of exponentiations, ...

42 | A model of computation for the NRL Protocol Analyzer
- Meadows
- 1994
- cited as [36]
Citation context: ... the XOR operation in symbolic analysis of cryptographic protocols has first been mentioned by Meadows [35] as a possible extension of the NRL analyzer, and has since then been incorporated in many formal proof tools, e.g., NRL [36], CAPSL [41], Isabelle [43], and OFMC [10]. Recent papers on XOR in Dolev-Yao models were mainly concerned with the decidability of the insecurity of cryptographic protocols against a Dolev-Yao attack ...

35 | Symmetric authentication within a simulatable cryptographic library
- Backes, Pfitzmann, et al.
- 2003
- cited among [8, 9, 7]
Citation context: ... cryptographic schemes $S$ ($S$ may currently contain symmetric and asymmetric encryption schemes, signature schemes, and MACs) that satisfy their respective security definitions against active attacks, cf. [8, 9, 7], and length functions and bounds $L'$. For $(n, S, L') \in \mathit{RPar}$, let $\mathit{Sys}^{\mathrm{cry,XOR,real}}_{n,S,L'}$ be the resulting real cryptographic library. Further, let the corresponding length functions and bounds of the ...

33 | A cryptographically sound security proof of the Needham-Schroeder-Lowe public-key protocol
- Backes, Pfitzmann
- cited among [6, 5]
Citation context: ... it is also called UC for its universal composition properties. Extensions of this simulatability result to more cryptographic primitives were presented in [9, 7] and actual uses in protocol proofs in [6, 5]. Earlier results considered passive attacks only [4, 3, 30]. Later papers [39, 33, 16] consider to what extent restrictions to weaker security properties and/or less general protocol classes allow simplifications ...

31 | A derivation system for security protocols and its logical formalization
- Datta, Derek, et al.
- 2003
- cited among [37, 28, 42, 21, 17, 47, 1]
Citation context: ... This line of work typically continues with abstractions of more general Abelian groups, e.g., [20, 22, 2], and the exponentiation function as used in many cryptographic systems based on the discrete-logarithm problem, e.g., [37, 28, 42, 21, 17, 47, 1]. While we have not yet considered these extensions, we are convinced that a general use of such operations on other terms would lead to similar problems as with XOR. In the case of exponentiations, ...

29 | Universally composable symbolic analysis of cryptographic protocols (the case of encryption-based mutual authentication and key exchange)
- Canetti, Herzog
- 2006
- cited among [39, 33, 16]
Citation context: ... Extensions of this simulatability result to more cryptographic primitives were presented in [9, 7] and actual uses in protocol proofs in [6, 5]. Earlier results considered passive attacks only [4, 3, 30]. Later papers [39, 33, 16] consider to what extent restrictions to weaker security properties and/or less general protocol classes allow simplifications compared with [8]. All these papers have in common that they only consider ...

27 | A unification algorithm for the group Diffie-Hellman protocol
- Meadows, Narendran
- 2002

25 | A cryptographically sound Dolev-Yao style security proof of the Otway-Rees protocol
- Backes
- cited among [6, 5]
Citation context: ... it is also called UC for its universal composition properties. Extensions of this simulatability result to more cryptographic primitives were presented in [9, 7] and actual uses in protocol proofs in [6, 5]. Earlier results considered passive attacks only [4, 3, 30]. Later papers [39, 33, 16] consider to what extent restrictions to weaker security properties and/or less general protocol classes allow simplifications ...

22 | Using narrowing in the analysis of key management protocols
- Meadows
- 1989
- cited as [35]
Citation context: ... an essential component in many cryptographic protocols, e.g., [29, 13, 46]. To the best of our knowledge, the XOR operation in symbolic analysis of cryptographic protocols has first been mentioned by Meadows [35] as a possible extension of the NRL analyzer, and has since then been incorporated in many formal proof tools, e.g., NRL [36], CAPSL [41], Isabelle [43], and OFMC [10]. Recent papers on XOR in Dolev-Yao ...

20 | An E-unification algorithm for analyzing protocols that use modular exponentiation (in Rewriting Techniques and Applications)
- Kapur, Narendran, et al.
- 2003

7 | Computationally secure information flow
- Laud
- 2002
- cited among [31, 32]
Citation context: ... A sound formal abstraction of XOR, but only in connection with pseudorandom permutations, not the typical general encryptions etc. of other Dolev-Yao models, and only for passive attacks, was presented in [31, 32]. Another sound formal abstraction of XOR was recently presented in [11], but only if XOR is restricted to terms whose corresponding bitstrings are generated according to a uniform distribution, and only ...

3 | Narrowing-Based Constraint Solving for the Verification of Security Protocols
- Delaune, Jacquemard
- 2004
- cited among [20, 22, 2]
Citation context: ... There, it was particularly shown that protocol insecurity with XOR is in NP for a certain protocol class. This line of work typically continues with abstractions of more general Abelian groups, e.g., [20, 22, 2], and the exponentiation function as used in many cryptographic systems based on the discrete-logarithm problem, e.g., [37, 28, 42, 21, 17, 47, 1]. While we have not yet considered these extensions, ...

1 | Easy intruder deductions. Research Report LSV-03-8, Laboratoire Spécification et Vérification
- Comon-Lundh, Treinen
- 2003
- cited among [20, 22, 2]
Citation context: ... There, it was particularly shown that protocol insecurity with XOR is in NP for a certain protocol class. This line of work typically continues with abstractions of more general Abelian groups, e.g., [20, 22, 2], and the exponentiation function as used in many cryptographic systems based on the discrete-logarithm problem, e.g., [37, 28, 42, 21, 17, 47, 1]. While we have not yet considered these extensions, ...

1 | Pseudorandom permutations and equivalence of formal expressions (abstract)
- Laud
- 2002
- cited among [31, 32]
Citation context: ... A sound formal abstraction of XOR, but only in connection with pseudorandom permutations, not the typical general encryptions etc. of other Dolev-Yao models, and only for passive attacks, was presented in [31, 32]. Another sound formal abstraction of XOR was recently presented in [11], but only if XOR is restricted to terms whose corresponding bitstrings are generated according to a uniform distribution, and only ...