Equivalence-Based Security Specifications A. Datta, R. Küsters, J. Mitchell, A. Ramanathan, V. Shmatikov, A. Scedrov, V. Teague, P. Mateus.

Equivalence-Based Security Specifications
A. Datta, R. Küsters, J. Mitchell, A. Ramanathan, V. Shmatikov, A. Scedrov, V. Teague, P. Mateus

General approach
- Real protocol
  - The protocol we want to use
  - Expressed precisely in some formalism
- Idealized protocol
  - May use unrealistic mechanisms (e.g., private channels)
  - Defines the behavior we want from the real protocol
  - Expressed precisely in the same formalism
- Specification
  - Real protocol indistinguishable from ideal protocol (Beaver '91, Goldwasser-Levin '90, Micali-Rogaway '91)
  - Depends on some characterization of observability
- Achieves compositionality

Secrecy for Challenge-Response
- Protocol P
    A → B: { i }_K
    B → A: { f(i) }_K
- "Obviously" secret protocol Q
    A → B: { random_number }_K
    B → A: { random_number }_K

Specification with Authentication
- Protocol P
    A → B: { random i }_K                         (public channel)
    B → A: { f(i) }_K                             (public channel)
    A → B: "OK" if f(i) received
- "Obviously" authenticating protocol Q
    A → B: { random i }_K                         (public channel)
    B → A: { random j }_K                         (public channel)
    i, j exchanged between A and B                (private channel)
    A → B: "OK" if private i, j match public msgs

Pseudo-random number generators
- Sequence generated from random seed
    P_n : let b = n^k-bit sequence generated from n random bits in PUBLIC⟨b⟩ end
- Truly random sequence
    Q_n : let b = sequence of n^k random bits in PUBLIC⟨b⟩ end
- P is a cryptographically strong pseudo-random number generator: P ≈ Q
  - Equivalence is asymptotic in the security parameter n
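To make the P ≈ Q specification concrete, the following added example (not from the talk) shows the object the definition quantifies over, a distinguisher D, and a harness that estimates its advantage |Pr[D(P_n)=1] − Pr[D(Q_n)=1]| at one fixed n. Everything in it is constructed for illustration: a deliberately weak P that repeats its seed, a SHA-256 counter-mode P, os.urandom standing in for Q, and a distinguisher that looks for repeated n-bit blocks. The definition on the slide asks that every polynomial-time D have negligible advantage as n grows; a harness at fixed n can exhibit a large advantage but can never certify a small one.

```python
"""Empirical distinguishing advantage between a candidate PRNG P_n and a truly
random source Q_n. Added example: generators, distinguisher and names are
constructed here and are not part of the talk."""
import hashlib
import os
import secrets

N_BITS = 128    # security parameter n: seed length in bits (assumption for this example)
K_BLOCKS = 8    # output is K_BLOCKS blocks of n bits, i.e. polynomially many bits


def weak_prng(seed: bytes) -> bytes:
    """Constructed weak P_n: repeats the seed. Each block alone looks random,
    but the blocks are related, which a distinguisher can exploit."""
    return seed * K_BLOCKS


def counter_prng(seed: bytes) -> bytes:
    """Constructed stronger P_n: SHA-256 in counter mode keyed by the seed.
    A textbook PRG shape, used here only as illustration, not as a vetted DRBG."""
    out = bytearray()
    for i in range(K_BLOCKS):
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[: N_BITS // 8]
    return bytes(out)


def truly_random(_seed: bytes) -> bytes:
    """Q_n: n * K_BLOCKS fresh random bits; the seed is ignored."""
    return os.urandom(N_BITS // 8 * K_BLOCKS)


def repeated_block_distinguisher(sample: bytes) -> bool:
    """D outputs 1 (True) iff two n-bit blocks of the sample coincide."""
    width = N_BITS // 8
    blocks = [sample[i:i + width] for i in range(0, len(sample), width)]
    return len(set(blocks)) < len(blocks)


def advantage(distinguisher, gen_p, gen_q, trials: int = 200) -> float:
    """Estimate |Pr[D(P)=1] - Pr[D(Q)=1]| over fresh uniformly random seeds."""
    hits_p = sum(distinguisher(gen_p(secrets.token_bytes(N_BITS // 8))) for _ in range(trials))
    hits_q = sum(distinguisher(gen_q(secrets.token_bytes(N_BITS // 8))) for _ in range(trials))
    return abs(hits_p - hits_q) / trials


if __name__ == "__main__":
    print("weak seed-repeating P   :", advantage(repeated_block_distinguisher, weak_prng, truly_random))
    print("SHA-256 counter-mode P  :", advantage(repeated_block_distinguisher, counter_prng, truly_random))
```

The weak generator is distinguished with advantage 1 by this single test, so it is certainly not ≈ Q. The counter-mode generator passes this one test with advantage 0, which says nothing about other distinguishers; the slide's definition quantifies over all of them, asymptotically in n.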

Compositionality (intuition)
- Crypto primitives: ciphertext indistinguishable from noise ⇒ encryption secure in all protocols
- Protocols: protocol indistinguishable from ideal key distribution ⇒ protocol secure in all systems that rely on secure key distribution

Compositionality
- Intuitively, if:
  - Q securely realizes I,
  - R securely realizes J,
  - R, J use I as a component,
- then R{Q/I} securely realizes J
- Fits well with process calculus because ≈ is a congruence: Q ≈ I ⇒ C[Q] ≈ C[I], with contexts constructed from R, J, simulators

Three technical settings
- Canetti – Universal composability
  - Condition: two adversaries and environment
  - Computation: communicating Turing machines
- PW, … – Black-box simulatability
  - Condition: one adversary, simulator, environment
  - Computation: I/O automata (or CT machines)
- AG, LMMRST, … – Process equivalence
  - Condition: observational equivalence
  - Computation: ppoly or nondeterministic process calculus
- Compare symmetric version of conditions over a uniform computation model

More Background

                               Universal Compos.   Black-box Simulat.   Observ. Equiv.
  Communicating Turing Mach.   Canetti
  I/O Automata                                     Pfitz-W
  Nondet. Process Calc.                                                 Spi, Applied π
  Prob. Poly. Process Calc.                                             LMMRST

This study

                               Universal Compos.   Black-box Simulat.   Observ. Equiv.
  Communicating Turing Mach.   Canetti
  I/O Automata                                     Pfitz-W
  Nondet. Process Calculus                                              Spi, Applied π
  Prob. Poly. Process Calculus                                          LMMRST
  Axiomatic Calculus           UC                  BB                   PE

Ideal functionality (UC, BB)
- What is the ideal key exchange protocol?
  - Clients ask server for key, receive response?
  - Server chooses keys and sends secretly?
- Issue
  - Easy to distinguish number of messages
  - No "canonical" key exchange protocol is equivalent to all secure key exchange protocols
- Ideal functionality
  - Not a protocol with number of messages, etc.
  - A functionality that can be used to create ideal protocols

Adversary vs Environment (UC, BB)
- Adversary
  - Interacts with protocol over network
  - Does not choose messages to send, contract to sign, certificate authority, …
- Environment
  - Represents the configuration of honest users who are trying to use the protocol
  - Input to general protocol
  - Example – Kerberos: TGS, KDC, clients, servers set by environment

Universal composability (UC)
- Given
  - Protocol P
  - Ideal functionality F
- Require
  - For every attack A_1 on P, there exists an attack A_2 on F revealing the same information in any environment E
  - And conversely (in symmetric form of UC)

Black-box simulatability
- Given
  - Protocol P
  - Ideal functionality F
- Require
  - There exists a simulator S such that for any attacker A, protocols P and S | F reveal the same information in any environment E

Observational Equivalence
- Given
  - Protocol P
  - Ideal protocol Q (not functionality F)
- Require
  - Protocols P and Q reveal the same information in any context
  - No simulator; context = attacker + environment

Comparison
- UC and BB use "ideal functionality"
  (+) Allows single specification, regardless of communication pattern of protocol
- Observational equivalence
  (+) Standard relation, well-known properties
  (+) Bisimulation technique
  (+) Proof system
- Separate adversary and environment
  (−) Not clear if useful, except in exposition
- Add ideal functionality to specification using process equivalence

Language Approach
- Write protocol in process calculus
  - Accepted and long-studied approach to concurrency
- Express security using observational equivalence
  - Standard relation from programming language theory: P ≈ Q iff for all contexts C[ ], same observations about C[P] and C[Q]
  - Inherently compositional
  - Context represents adversary
- Use proof rules for ≈ to prove security
  - Protocol is secure if no adversary can distinguish it from some idealized version of the protocol

[Diagram slide: relations among BB, UC and PE]

Rest of talk
- Process calculus summary
- Formal definition of relations
- Sketch proof of equivalences
- Future directions

Syntax
- Bounded π-calculus with integer terms

    P ::= 0
        | c_{q(|n|)}⟨T⟩          send up to q(|n|) bits
        | c_{q(|n|)}(x). P       receive
        | ν c_{q(|n|)}. P        private channel
        | [T=T] P                test
        | P | P                  parallel composition
        | !_{q(|n|)}. P          bounded replication

- Terms may contain the symbol n; channel width and replication are bounded by a polynomial in |n|

Equational principles
- P | Q ≈ Q | P
- P | (Q | R) ≈ (P | Q) | R
- P | 0 ≈ P
- νc. P ≈ νd. [d/c]P            (same bandwidth, …)
- νc. C[P] ≈ C[νc. P]           if c ∉ channels(C[0])
- P ≈ Q ⇒ Q ≈ P
- P ≈ Q, Q ≈ R ⇒ P ≈ R
- P ≈ Q ⇒ C[P] ≈ C[Q]
- Prove results using these properties of process calculus; true for TM, IOA

Formal definitions
- Universal composability:      ∀A_1 ∃A_2.  ν_net(P | A_1) ≈ ν_net(F | A_2)
- Black-box simulatability:     ∃S ∀A.      ν_net(P | A) ≈ ν_net(ν_sim(F | S) | A)
- Process equivalence:          ∃S.         P ≈ ν_sim(F | S)
- Notes
  - Relation ≈ includes quantifying over environments
  - Divide channels into network channels, simulator channels, environment channels

Results
- UC and BB
  - Equivalent with synchronous communication
  - Equivalent with asynchronous communication
- BB and Process Equivalence (PE)
  - PE implies BB with synchronous communication
  - PE equivalent to BB with asynchronous communication
- These results are proved formally in process calculus (we worked out soundness for PPC and spi-calculus). Results hold for any computational framework satisfying the equational principles given on the earlier slide.

Proof sketch (also have nice pictures)
- PE ⇒ BB ⇒ UC: Easy. Congruence and quantifier order.
- UC ⇒ BB
- BB ⇒ PE
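The "easy" direction of the sketch, written out with the quantifier structure of the formal-definitions slide. This is an added derivation, not from the talk; reading UC's hiding as also covering the simulator channels, which become the interface between F and A_2, is an assumption made here.

$$
\begin{aligned}
\text{PE}:&\quad \exists S.\; P \approx \nu_{net}\text{-free }\; \nu_{sim}(F \mid S) \\
\text{BB}:&\quad \exists S\, \forall A.\; \nu_{net}(P \mid A) \approx \nu_{net}(\nu_{sim}(F \mid S) \mid A) \\
\text{UC}:&\quad \forall A_1\, \exists A_2.\; \nu_{net}(P \mid A_1) \approx \nu_{net}(F \mid A_2)
\end{aligned}
$$

PE ⇒ BB. Take the S given by PE. For any A, use the context $C[\,\cdot\,] = \nu_{net}(\,\cdot \mid A)$; since ≈ is a congruence,

$$
P \approx \nu_{sim}(F \mid S) \;\Longrightarrow\; \nu_{net}(P \mid A) \approx \nu_{net}(\nu_{sim}(F \mid S) \mid A),
$$

which is BB with the same S.

BB ⇒ UC. Take the S given by BB. For a given A_1 put $A_2 := S \mid A_1$. The simulator channels are not among the channels of A_1, so scope extrusion (Lemma 6 on the key-lemmas slide) gives

$$
\nu_{net}(\nu_{sim}(F \mid S) \mid A_1) \approx \nu_{net}\,\nu_{sim}(F \mid S \mid A_1) = \nu_{net}\,\nu_{sim}(F \mid A_2),
$$

and combining with the BB equivalence yields $\nu_{net}(P \mid A_1) \approx \nu_{net}\,\nu_{sim}(F \mid A_2)$, the UC condition for A_1. Only the quantifier order changes: one S that works for every A (BB) supplies, for each A_1, some A_2 (UC).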

Key Lemmas
- Lemma 6. Scope Extrusion: νc. (P | Q) ≈ (νc. P) | Q    if c ∉ channels(Q)
- Lemma 8. Double buffering: one asynchronous buffer is indistinguishable from the composition of two
- Lemma 9. Dummy adversary and buffer: composing a dummy adversary (that just sends network information to the environment) with an asynchronous buffer is indistinguishable from a buffer alone
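The laws on the equational-principles slide, together with scope extrusion (Lemma 6), are enough to compare processes mechanically on their binder-and-parallel structure. The following is an added example, not code from the talk or from any PPC tool: a normal form for the fragment 0, send, |, ν that applies exactly those laws (commutativity, associativity and unit of |, alpha-renaming of private channels, extrusion with its side condition) and declares two processes equivalent when the normal forms coincide. Assumptions of this code: channel names never begin with '#' (reserved for canonical renaming), and message terms are opaque strings that carry no channel names; bandwidth annotations q(|n|), tests and replication are not modelled.

```python
"""Checker for the laws on the 'Equational principles' slide plus scope extrusion
(Lemma 6 on the 'Key Lemmas' slide), over the fragment 0, send, |, nu.
Added example: the AST and the normal-form procedure are constructed here for
illustration; they are not from the talk or from any PPC tool."""
from dataclasses import dataclass
from itertools import count, permutations
from typing import Tuple, Union


@dataclass(frozen=True)
class Nil:                      # 0
    pass


@dataclass(frozen=True)
class Out:                      # c<T>; T is an opaque string carrying no channel names
    chan: str
    term: str


@dataclass(frozen=True)
class Par:                      # P | Q, kept n-ary
    procs: Tuple["Proc", ...]


@dataclass(frozen=True)
class New:                      # (nu c) P
    chan: str
    body: "Proc"


Proc = Union[Nil, Out, Par, New]


def channels(p: Proc) -> frozenset:
    """Free channel names: the side condition 'c not in channels(Q)' of Lemma 6."""
    if isinstance(p, Nil):
        return frozenset()
    if isinstance(p, Out):
        return frozenset({p.chan})
    if isinstance(p, Par):
        return frozenset().union(*(channels(q) for q in p.procs))
    return channels(p.body) - {p.chan}


def rename(p: Proc, mapping: dict) -> Proc:
    """[d/c]P: substitute free channel names (callers ensure no capture)."""
    if isinstance(p, Nil):
        return p
    if isinstance(p, Out):
        return Out(mapping.get(p.chan, p.chan), p.term)
    if isinstance(p, Par):
        return Par(tuple(rename(q, mapping) for q in p.procs))
    inner = {k: v for k, v in mapping.items() if k != p.chan}   # the binder shadows c
    return New(p.chan, rename(p.body, inner))


def extrude(p: Proc, fresh) -> Tuple[Proc, list]:
    """Pull every binder to the top: 'nu c. C[P] ~ C[nu c. P]' read right to left and
    applied exhaustively. Each binder first gets a fresh '#nu…' name, so the side
    condition 'c not in channels(C[0])' holds by construction and nothing is captured."""
    if isinstance(p, New):
        f = next(fresh)
        body, bound = extrude(rename(p.body, {p.chan: f}), fresh)
        return body, [f] + bound
    if isinstance(p, Par):
        pairs = [extrude(q, fresh) for q in p.procs]
        return Par(tuple(b for b, _ in pairs)), [n for _, bs in pairs for n in bs]
    return p, []


def canon(p: Proc) -> tuple:
    """Flatten |, drop 0, sort components: the commutativity, associativity and unit laws."""
    if isinstance(p, Par):
        parts = []
        for q in p.procs:
            c = canon(q)
            if c != ("nil",):
                parts.extend(c[1:] if c[0] == "par" else [c])
        if not parts:
            return ("nil",)
        return parts[0] if len(parts) == 1 else ("par",) + tuple(sorted(parts))
    if isinstance(p, Nil):
        return ("nil",)
    return ("out", p.chan, p.term)      # binders were already removed by extrude()


def normal_form(p: Proc) -> tuple:
    """Binders on top, then the binder renaming that gives the smallest sorted body
    (alpha-conversion: nu c. P ~ nu d. [d/c]P)."""
    body, bound = extrude(p, (f"#nu{i}" for i in count()))
    best = None
    for perm in permutations(range(len(bound))):
        nf = canon(rename(body, {b: f"#{i}" for b, i in zip(bound, perm)}))
        if best is None or nf < best:
            best = nf
    return (len(bound), best)


def equivalent(p: Proc, q: Proc) -> bool:
    """P ~ Q under the listed laws iff the normal forms coincide."""
    return normal_form(p) == normal_form(q)
```

The permutation search over binder names is what makes alpha-renaming canonical without relying on the names a process happens to use; it is exponential in the number of binders, which is fine for the slide-sized processes this is meant to check. The last assertion in the usage below is the side condition of Lemma 6 at work: νc.(c⟨x⟩ | c⟨y⟩) is not equivalent to (νc.c⟨x⟩) | c⟨y⟩, because c is free in the right-hand component.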

Synchronous communication
- Buffering fails: with synchronous communication, adding a buffer or dummy adversary can change the observable order of actions

Some future directions
- Complete this study
  - Relate computational models
  - Look at asymmetric specifications – P is at least as secure as Q
- Relate logical specification methods
  - Equivalence P ≈ Q – P is detailed, Q more abstract
  - Properties of Q – prove Q achieves authenticated key exchange