Unifying Equivalence-Based Definitions of Protocol Security A. Datta, R. Küsters, J. C. Mitchell, A. Ramanathan, V. Shmatikov Stanford University SRI International.

Presentation transcript:

Main Result
• Universal composability, black-box simulatability and process equivalence express the same properties of a protocol (with asynchronous communication)
• Result holds for any computational model satisfying standard process calculus equational principles

Outline
• Equivalence-Based Specification: main idea, examples, advantages
• 3 Approaches
  - Models: Turing machines, I/O automata, process calculus
  - Security notions: UC, BB, PE
• Comparative Study
  - Relating security notions
  - Relating models (WIP)

General approach
• Real protocol
  - The protocol we want to use
  - Expressed precisely in some formalism
• Ideal protocol
  - Defines the behavior we want from the real protocol
  - May use unrealistic mechanisms (e.g., private channels)
  - Expressed precisely in the same formalism
• Specification
  - Real protocol indistinguishable from ideal protocol (Beaver '91, Goldwasser-Levin '90, Micali-Rogaway '91)
  - Depends on some characterization of observability
• Achieves compositionality

Secrecy for Challenge-Response
• Real protocol P
  A → B: { i } K
  B → A: { f(i) } K
• Ideal protocol Q
  A → B: { random_number } K
  B → A: { random_number } K

Specification with Authentication
• Real protocol P
  A → B: { random i } K          (public channel)
  B → A: { f(i) } K              (public channel)
  A → B: "OK" if f(i) received
• Ideal protocol Q
  A → B: { random i } K          (public channel)
  B → A: { random j } K          (public channel)
  i, j                           (private channel)
  A → B: "OK" if private i, j match public msgs

Pseudo-random number generators
• Sequence from random seed (Real protocol)
  P_n : let b = n^k-bit sequence generated from n random bits in PUBLIC⟨b⟩ end
• Truly random sequence (Ideal protocol)
  Q_n : let b = sequence of n^k random bits in PUBLIC⟨b⟩ end
• P is a crypto-strong pseudo-random number generator iff P ≅ Q
  Equivalence is asymptotic in security parameter n
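An added example, not from the original slides, that instantiates the P_n / Q_n pair above in Python: one deliberately weak P (a repeated seed, constructed here) and one plausible P (SHAKE-256 expansion, standing in for a crypto-strong PRNG), each compared with Q_n by a single observer context that tests whether the first n bits repeat. The estimated advantage of that context is what P ≅ Q requires to vanish as n grows; n, k, the context and the trial count are all constructed for the example.

```python
import hashlib
import random

# Constructed example: n is the security parameter (seed bits); both processes
# publish n**k bits on PUBLIC, modelled here as the bytes a context may observe.
# Requires 8 | n so that seeds and outputs are whole bytes.


def ideal_q(n: int, k: int, rng: random.Random) -> bytes:
    """Q_n: publish a sequence of n**k truly random bits."""
    nbits = n ** k
    return rng.getrandbits(nbits).to_bytes(nbits // 8, "big")


def weak_p(n: int, k: int, rng: random.Random) -> bytes:
    """A deliberately bad P_n (constructed): n seed bits, stretched by repetition."""
    seed = rng.getrandbits(n).to_bytes(n // 8, "big")
    return (seed * (n ** k // n))[: n ** k // 8]


def strong_p(n: int, k: int, rng: random.Random) -> bytes:
    """A plausible P_n: n seed bits expanded with SHAKE-256 (stand-in PRNG)."""
    seed = rng.getrandbits(n).to_bytes(n // 8, "big")
    return hashlib.shake_256(seed).digest(n ** k // 8)


def periodic_context(b: bytes, n: int) -> int:
    """One observer context C[ ]: reports 1 iff the first n bits repeat immediately."""
    s = n // 8
    return int(b[:s] == b[s : 2 * s])


def advantage(p, n: int, k: int, trials: int, seed: int = 1) -> float:
    """Estimate |Pr[C[P_n] = 1] - Pr[C[Q_n] = 1]| over `trials` samples of each.

    A context with non-negligible advantage witnesses that P_n and Q_n are not
    observationally equivalent; P ≅ Q demands that every context's advantage
    vanish as n grows.
    """
    rng = random.Random(seed)  # fixed seed keeps the estimate reproducible
    hits_p = sum(periodic_context(p(n, k, rng), n) for _ in range(trials))
    hits_q = sum(periodic_context(ideal_q(n, k, rng), n) for _ in range(trials))
    return abs(hits_p - hits_q) / trials


if __name__ == "__main__":
    for name, proc in (("weak P", weak_p), ("strong P", strong_p)):
        print(f"{name}: advantage of periodic context ≈ {advantage(proc, 16, 2, 200):.2f}")
```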

Many more…
• Commitment schemes
• Signature schemes
• Key exchange
• Secure channels
• Secure multiparty computation

Compositionality
• Crypto primitives
  Ciphertext indistinguishable from noise ⟹ encryption secure in all protocols
• Protocols
  Protocol indistinguishable from ideal key distribution ⟹ protocol secure in all systems that rely on secure key distributions

Outline
• Equivalence-Based Specification
• 3 Schools of Thought
  - Models: Turing machines, I/O automata, process calculus
  - Security notions: UC, BB, PE
• Comparative Study

Three technical settings
• Can, …: Universal composability
  - Condition: two adversaries and environment
  - Computation: communicating Turing machines
• PW, …: Black-box simulatability
  - Condition: one adversary, simulator, environment
  - Computation: I/O automata
• AG, LMMRST, …: Process equivalence
  - Condition: observational equivalence
  - Computation: ppoly or nondet process calculus

More Background
  Model                          Universal Compos.   Black-box Simulat.   Observ. Equiv.
  Communicating Turing Machines  Canetti
  I/O Automata                                       Pfitz-W
  Nondet. Process Calculus                                                 Spi, Applied π
  Prob Poly Process Calculus                                               LMMRST

This study
  Model                          Universal Compos.   Black-box Simulat.   Observ. Equiv.
  Communicating Turing Machines  Canetti
  I/O Automata                                       Pfitz-W
  Nondet. Process Calculus                                                 Spi, Applied π
  Prob Poly Process Calculus                                               LMMRST
  Axiomatic Calculus             UC                  BB                   PE
Compare conditions over a uniform computation model

Ideal functionality (UC, BB)
• What is the ideal key exchange protocol?
  - Clients ask server for key, receive response?
  - Server chooses keys and sends secretly?
• Issue
  - Easy to distinguish number of messages
  - No "canonical" key exchange protocol is equivalent to all secure key exchange protocols
• Ideal functionality
  - Not a protocol with number of messages, etc.
  - A functionality that can be used to create ideal protocols

Adversary vs. Environment (UC, BB)
• Adversary
  - Interacts with protocol over network
  - Does not choose messages to send, contract to sign, certificate authority, …
• Environment
  - Represents the configuration of honest users who are trying to use the protocol
  - Provides input to and observes output of protocol
  - Example: Kerberos TGS, KDC, clients, servers set by environment
• Separation of net and io channels of a protocol

Universal composability (UC)
• Given
  - Protocol P
  - Ideal functionality F
• Require
  - For every adversary A_1 for P, there exists an adversary A_2 for F revealing the same information in any environment E
[Figure: P | A_1 and F | A_2, each inside environment E; io channels connect the protocol to E, net channels connect it to the adversary]

Black-box simulatability
• Given
  - Protocol P
  - Ideal functionality F
• Require
  - There exists a simulator S such that for any adversary A, protocols P and S | F reveal the same information in any environment E
[Figure: P | A and νsim(F | S) | A, each inside environment E; io, net and sim channels]

Observational Equivalence
• Given
  - Protocol P
  - Ideal protocol Q (not functionality F)
• Require
  - Protocols P and Q reveal the same information in any context C[ ]
  - Context = attacker + environment
[Figure: P and Q each placed in context C[ ] = E + A; io and net channels]

Comparison
• UC and BB
  + Ideal functionality: allows single specification, regardless of communication pattern of protocol
  - Separate adversary and environment: not clear if useful, except in exposition
• Observational equivalence
  + Standard relation, well-known properties
  + Bisimulation technique
  + Proof system
  - No ideal functionality

Process Equivalence
• Given
  - Protocol P
  - Ideal functionality F
• Require
  - There exists a simulator S such that protocols P and S | F reveal the same information in any context C[ ]
  - Context = attacker + environment
[Figure: P and F | S (S attached to F over sim channels), each placed in context C[ ] = E + A; io and net channels]

Outline
• Equivalence-Based Specification
• 3 Schools of Thought
• Comparative Study
  - Process calculus
  - Equational principles
  - Security definitions
  - Results

Process Calculus
• Syntax
  P ::= 0
      | out(c,T). P       send
      | in(c,x). P        receive
      | νc. (P)           private channel
      | [T=T] P           test
      | P | P             parallel composition
      | !_q(|n|). P       bounded replication

Equational principles
• P | Q ≅ Q | P
• P | (Q | R) ≅ (P | Q) | R
• P | 0 ≅ P
• νc. P ≅ νd. [d/c]P
• νc. C[P] ≅ C[νc. P]   if c ∉ channels(C[0])
• P ≅ Q ⟹ Q ≅ P
• P ≅ Q, Q ≅ R ⟹ P ≅ R
• P ≅ Q ⟹ C[P] ≅ C[Q]
Prove results using these properties of process calculus

Formal definitions
• Universal composability
  ∀A_1 ∃A_2. νnet(P | A_1) ≅ νnet(F | A_2)
• Black-box simulatability
  ∃S ∀A. νnet(P | A) ≅ νnet(νsim(F | S) | A)
• Process equivalence
  ∃S. P ≅ νsim(F | S)
Notes
  - Relation ≅ includes quantifying over environments
  - Divide channels into network channels and environment (io) channels

Results
• UC and BB
  - Equivalent w/ synchronous communication
  - Equivalent w/ asynchronous communication
• BB and Process Equivalence (PE)
  - PE implies BB with synch communication
  - PE equivalent to BB with asynch communication
• Results hold for any computational framework satisfying standard equational principles (PPC, spi, …)

Proof sketch (also have nice pictures)
• PE ⟹ BB ⟹ UC: Easy. Congruence and quantifier order.
• UC ⟹ BB
• BB ⟹ PE
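The PE ⟹ BB step of the proof sketch, carried through as an added worked derivation that is not on the original slides, using the formal definitions and equational principles above. It assumes only that the adversary A is a process of the calculus and, for the normalised form, that A does not use the sim channels (the side condition of Lemma 6).

```latex
\begin{aligned}
&\text{Assume PE: there is a simulator } S \text{ with } P \cong \nu\mathit{sim}\,(F \mid S). \\
&\text{Fix this } S \text{ and let } A \text{ be an arbitrary adversary. Take the context } C[\,\cdot\,] = \nu\mathit{net}\,([\,\cdot\,] \mid A). \\
&\text{Congruence } (P \cong Q \Rightarrow C[P] \cong C[Q]) \text{ applied to the PE equation gives} \\
&\qquad \nu\mathit{net}\,(P \mid A) \;=\; C[P] \;\cong\; C[\nu\mathit{sim}\,(F \mid S)] \;=\; \nu\mathit{net}\,(\nu\mathit{sim}\,(F \mid S) \mid A). \\
&A \text{ was arbitrary and } S \text{ was fixed before } A \text{, so} \\
&\qquad \exists S\,\forall A.\;\; \nu\mathit{net}\,(P \mid A) \cong \nu\mathit{net}\,(\nu\mathit{sim}\,(F \mid S) \mid A), \\
&\text{which is exactly BB. The right-hand side can be normalised with Lemma 6 (scope extrusion, } c = \mathit{sim}\text{):} \\
&\qquad \nu\mathit{sim}\,(F \mid S) \mid A \;\cong\; \nu\mathit{sim}\,((F \mid S) \mid A) \qquad \text{if } \mathit{sim} \notin \mathit{channels}(A), \\
&\text{and congruence under } \nu\mathit{net}\,([\,\cdot\,]) \text{ with associativity of } \mid \text{ yields } \nu\mathit{net}\,(P \mid A) \cong \nu\mathit{net}\,\nu\mathit{sim}\,(F \mid S \mid A). \\
&\text{BB} \Rightarrow \text{UC is the quantifier-order step: from } \exists S\,\forall A_1 \text{ one obtains } \forall A_1\,\exists A_2 \text{ by letting } A_2 \text{ depend on } A_1 \text{ and the fixed } S.
\end{aligned}
```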

Key Lemmas
• Lemma 6. Scope extrusion
  νc. (P | Q) ≅ (νc. P) | Q   if c ∉ channels(Q)
• Lemma 8. Double buffering
  One asynchronous buffer is indistinguishable from the composition of two
• Lemma 9. Dummy adversary and buffer
  Composing a dummy adversary (that just sends network information to the environment) with an asynchronous buffer is indistinguishable from a buffer alone

Synchronous communication
• Buffering fails (BB does not imply PE)
  With synchronous communication, adding a buffer or dummy adversary can change the observable order of actions
[Figure: the BB configuration P | A vs. F | S | A over net and sim channels, beside the PE configuration P vs. F | S over io and net channels]

Conclusions and Future Work
• UC, BB, PE: equivalent notions of security. So, use PE (simplest)
• Complete this study
  - Relate computational models
  - Do results transfer?

Questions?

Language Approach
• Write protocol in process calculus
  - Accepted and long-studied approach to concurrency
• Express security using observational equivalence
  - Standard relation from programming language theory
  - P ≅ Q iff for all contexts C[ ], same observations about C[P] and C[Q]
  - Inherently compositional: context represents adversary
• Use proof rules for ≅ to prove security
  - Protocol is secure if no adversary can distinguish it from some idealized version of the protocol