Abstract
Several compositional forms of simulation-based security have been proposed in the literature, including Universal Composability, Black-Box Simulatability, and variants thereof. These relations between a protocol and an ideal functionality are similar enough that they can be ordered from strongest to weakest according to the logical form of their definitions. However, determining whether two relations are in fact identical depends on some subtle features that have not been brought out in previous studies. We identify two main factors: the position of a “master process” in the distributed system and some limitations on transparent message forwarding within computational complexity bounds. Using a general computational framework, called Sequential Probabilistic Process Calculus (SPPC), we clarify the relationships between the simulation-based security conditions. Many of the proofs are carried out based on a small set of equivalence principles involving processes and distributed systems. These equivalences exhibit the essential properties needed to prove relationships between security notions and allow us to carry over our results to those computational models which satisfy these equivalences.
References
M. Abadi, C. Fournet, Mobile values, new names, and secure communication, in 28th ACM Symposium on Principles of Programming Languages, 2001, pp. 104–115
M. Abadi, A.D. Gordon, A bisimulation method for cryptographic protocol, in Proc. ESOP’98. Lecture Notes in Computer Science, vol. 1381 (Springer, Berlin, 1998), pp. 12–26
M. Abadi, A.D. Gordon, A calculus for cryptographic protocols: the spi calculus, Inf. Comput. 143, 1–70 (1999). Expanded version available as SRC research report 149, January 1998
M. Backes, B. Pfitzmann, M. Waidner, A general composition theorem for secure reactive systems, in Proceedings of the 1st Theory of Cryptography Conference (TCC 2004). Lecture Notes in Computer Science, vol. 2951 (Springer, Berlin, 2004), pp. 336–354
M. Backes, B. Pfitzmann, M. Waidner, Secure asynchronous reactive systems. Technical report 082, Eprint, 2004
M. Backes, B. Pfitzmann, M. Steiner, M. Waidner, Polynomial fairness and liveness, in Proceedings of 15th IEEE Computer Security Foundations Workshop, Cape Breton, Nova Scotia, Canada, 2002, pp. 160–174
M. Backes, B. Pfitzmann, M. Waidner, Reactively secure signature schemes, in Proceedings of 6th Information Security Conference. Lecture Notes in Computer Science, vol. 2851 (Springer, Berlin, 2003), pp. 84–95
R. Canetti, Universally composable security: a new paradigm for cryptographic protocols. Technical report, Cryptology ePrint Archive, December 2005. Online available at http://eprint.iacr.org/2000/067.ps
R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, in Proc. 42nd IEEE Symp. on the Foundations of Computer Science (IEEE, New York, 2001)
R. Canetti, Personal communication, 2004
R. Canetti, L. Cheung, D.K. Kaynar, M. Liskov, N.A. Lynch, O. Pereira, R. Segala, Time-bounded task-PIOAs: a framework for analyzing security protocols, in DISC, 2006, pp. 238–253
R. Canetti, M. Fischlin, Universally composable commitments, in Proc. CRYPTO 2001, Santa Barbara, California. Lecture Notes in Computer Science, vol. 2139 (Springer, Berlin, 2001), pp. 19–40
R. Canetti, H. Krawczyk, Universally composable notions of key exchange and secure channels, in Advances in Cryptology—EUROCRYPT 2002. Lecture Notes in Computer Science, vol. 2332 (Springer, Berlin, 2002), pp. 337–351
R. Canetti, E. Kushilevitz, Y. Lindell, On the limitations of universally composable two-party computation without set-up assumptions, in Advances in Cryptology—EUROCRYPT 2003. Lecture Notes in Computer Science, vol. 2656 (Springer, Berlin, 2003), pp. 68–86
R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable two-party and multi-party secure computation, in Proc. ACM Symp. on the Theory of Computing, 2002, pp. 494–503
A. Datta, R. Küsters, J. Mitchell, A. Ramanathan, On the relationships between notions of simulation-based security. Technical report 2006/153, Cryptology ePrint Archive, 2006
A. Datta, R. Küsters, J.C. Mitchell, A. Ramanathan, On the relationships between notions of simulation-based security, in Proceedings of the 2nd Theory of Cryptography Conference (TCC 2005), ed. by J. Kilian. Lecture Notes in Computer Science, vol. 3378 (Springer, Berlin, 2005), pp. 476–494
A. Datta, R. Küsters, J.C. Mitchell, A. Ramanathan, V. Shmatikov, Unifying equivalence-based definitions of protocol security, in ACM SIGPLAN and IFIP WG 1.7, 4th Workshop on Issues in the Theory of Security, 2004. No formal proceedings
C.A.R. Hoare, Communicating Sequential Processes (Prentice Hall, New York, 1985)
D. Hofheinz, J. Müller-Quade, D. Unruh, Polynomial runtime in simulatability definitions, in 18th IEEE Computer Security Foundations Workshop (CSFW-18 2005) (IEEE Computer Society, Los Alamitos, 2005), pp. 156–169
D. Hofheinz, D. Unruh, Comparing two notions of simulatability, in Theory of Cryptography, Proceedings of TCC 2005, ed. by J. Kilian. Lecture Notes in Computer Science, vol. 3378 (Springer, Berlin, 2005), pp. 86–103
D. Hofheinz, D. Unruh, Simulatable security and concurrent composition, in Proceedings of the 2006 IEEE Symposium on Security and Privacy (IEEE Computer Society, Los Alamitos, 2006), pp. 169–183
R. Küsters, Simulation-based security with inexhaustible interactive Turing machines, in Proceedings of the 19th IEEE Computer Security Foundations Workshop (CSFW-19 2006) (IEEE Computer Society, Los Alamitos, 2006), pp. 309–320
P.D. Lincoln, J.C. Mitchell, M. Mitchell, A. Scedrov, Probabilistic polynomial-time equivalence and security protocols, in Formal Methods World Congress, vol. I, Toulouse, France, ed. by J.M. Wing, J. Woodcock. Lecture Notes in Computer Science, vol. 1708 (Springer, Berlin, 1999), pp. 776–793
R. Milner, A Calculus of Communicating Systems (Springer, Berlin, 1980)
R. Milner, Communication and Concurrency. International Series in Computer Science (Prentice Hall, New York, 1989)
J.C. Mitchell, M. Mitchell, A. Scedrov, A linguistic characterization of bounded oracle computation and probabilistic polynomial time, in Proc. 39th Annual IEEE Symposium on the Foundations of Computer Science, Palo Alto, California (IEEE, New York, 1998), pp. 725–733
J.C. Mitchell, A. Ramanathan, A. Scedrov, V. Teague, A probabilistic polynomial-time calculus for the analysis of cryptographic protocols (preliminary report), in 17th Annual Conference on the Mathematical Foundations of Programming Semantics, Arhus, Denmark, May, 2001, ed. by S. Brookes, M. Mislove. Electronic Notes in Theoretical Computer Science, vol. 45, 2001
J.C. Mitchell, A. Ramanathan, A. Scedrov, V. Teague, A probabilistic polynomial-time process calculus for the analysis of cryptographic protocols, Theor. Comput. Sci. 353(1–3), 118–164 (2006)
B. Pfitzmann, M. Waidner, A model for asynchronous reactive systems and its application to secure message transmission, in IEEE Symposium on Security and Privacy (S&P 2001) (IEEE Computer Society Press, Los Alamitos, 2001), pp. 184–200
A. Ramanathan, J.C. Mitchell, A. Scedrov, V. Teague, Probabilistic bisimulation and equivalence for security analysis of network protocols. Unpublished, see http://www-cs-students.stanford.edu/~ajith/, 2004
A. Ramanathan, J.C. Mitchell, A. Scedrov, V. Teague, Probabilistic bisimulation and equivalence for security analysis of network protocols, in FOSSACS 2004—Foundations of Software Science and Computation Structures. Lecture Notes in Computer Science, vol. 2987 (Springer, Berlin, 2004), pp. 468–483. Summarizes results in [31]
Communicated by Ran Canetti
Cite this article
Küsters, R., Datta, A., Mitchell, J.C. et al. On the Relationships between Notions of Simulation-Based Security. J Cryptol 21, 492–546 (2008). https://doi.org/10.1007/s00145-008-9019-9