The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 1 The Power of Simulation Relations Roberto.

Slides:



Advertisements
Similar presentations
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Advertisements

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Secure Multiparty Computations on Bitcoin
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Key Exchange Using Passwords and Long Keys Vladimir Kolesnikov Charles Rackoff Comp. Sci. University of Toronto.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Luca de Alfaro Thomas A. Henzinger Ranjit Jhala UC Berkeley Compositional Methods for Probabilistic Systems.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
Computability and Complexity 20-1 Computability and Complexity Andrei Bulatov Random Sources.
CS 395T Computational Soundness of Formal Models.
Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.
1 Principles of Reliable Distributed Systems Lecture 6: Synchronous Uniform Consensus Spring 2005 Dr. Idit Keidar.
Complexity 18-1 Complexity Andrei Bulatov Probabilistic Algorithms.
Models and Security Requirements for IDS. Overview The system and attack model Security requirements for IDS –Sensitivity –Detection Analysis methodology.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
1 Principles of Reliable Distributed Systems Lecture 3: Synchronous Uniform Consensus Spring 2006 Dr. Idit Keidar.
Perfect and Statistical Secrecy, probabilistic algorithms, Definitions of Easy and Hard, 1-Way FN -- formal definition.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
On The Cryptographic Applications of Random Functions Oded Goldreich Shafi Goldwasser Silvio Micali Advances in Cryptology-CRYPTO ‘ 84 報告人 : 陳昱升.
1 © IBM, A Reactively Secure Dolev-Yao-style Cryptographic Library DIMACS, June 2004 Michael Backes, Birgit Pfitzmann, Michael Waidner IBM Research,
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
CS 711 Fall 2002 Programming Languages Seminar Andrew Myers 2. Noninterference 4 Sept 2002.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.
PSPACE  IP Proshanto Mukherji CSC 486 April 23, 2001.
Foundations of Cryptography Lecture 10: Pseudo-Random Permutations and the Security of Encryption Schemes Lecturer: Moni Naor Announce home )deadline.
1 Cryptographically Strong Pseudorandom Functions and Their Applications 陳昱升 碩士學位論文 中興大學 資訊科學系 2006 年 6 月.
HumanAUT Secure Human Identification Protocols Adam Bender Avrim Blum Manuel Blum Nick Hopper The ALADDIN Center Carnegie Mellon University.
Universally Composable Symbolic Analysis of Security Protocols Jonathan Herzog (Joint work with Ran Canetti) 7 June 2004 The author's affiliation with.
Foundations of Cryptography Lecture 9 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 2 Lecturer: Moni Naor.
Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall.
8. Data Integrity Techniques
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)
Modelling III: Asynchronous Shared Memory Model Chapter 9 by Nancy A. Lynch presented by Mark E. Miyashita.
Foundations of Cryptography Lecture 6 Lecturer: Moni Naor.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
Password Mistyping in Two-Factor Authenticated Key Exchange Vladimir KolesnikovCharles Rackoff Bell LabsU. Toronto ICALP 2008.
11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.
Timed I/O Automata: A Mathematical Framework for Modeling and Analyzing Real-Time Systems Frits Vaandrager, University of Nijmegen joint work with Dilsun.
© UCL Crypto group Nov-15 Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson (ENS), O. Chevassut (LBL, UCL), O. Pereira (UCL)
1 Reasoning about Concrete Security in Protocol Proofs A. Datta, J.Y. Halpern, J.C. Mitchell, R. Pucella, A. Roy.
Game-based composition for key exchange Cristina Brzuska, Marc Fischlin (University of Darmstadt) Nigel Smart, Bogdan Warinschi, Steve Williams (University.
MPRI 3 Dec 2007Catuscia Palamidessi 1 Why Probability and Nondeterminism? Concurrency Theory Nondeterminism –Scheduling within parallel composition –Unknown.
1 Nancy Lynch MIT, EECS, CSAIL Workshop on Discrete Event Systems (Wodes ’06) Ann Arbor, Michigan July 11, 2006 Analyzing Security Protocols using Probabilistic.
Authenticated Key Exchange I. Definitions I. MAP I. matching conversations II. oracles II. (I)KA II. AKEP2 III. AKEP2 Security I. Session Keys II. Perfect.
CSCI1600: Embedded and Real Time Software Lecture 28: Verification I Steven Reiss, Fall 2015.
Chapter 21 Asynchronous Network Computing with Process Failures By Sindhu Karthikeyan.
多媒體網路安全實驗室 Anonymous Authentication Systems Based on Private Information Retrieval Date: Reporter: Chien-Wen Huang 出處: Networked Digital Technologies,
Pseudo-random generators Talk for Amnon ’ s seminar.
Complexity 24-1 Complexity Andrei Bulatov Interactive Proofs.
Zero-Knowledge Proofs Ben Hosp. Classical Proofs A proof is an argument for the truth or correctness of an assertion. A classical proof is an unambiguous.
A plausible approach to computer-aided cryptographic proofs (a collection of thoughts) Shai Halevi – May 2005.
Topic 36: Zero-Knowledge Proofs
On the Size of Pairing-based Non-interactive Arguments
Authenticated encryption
Digital signatures.
Digital Signature Schemes and the Random Oracle Model
Cryptographic Hash Functions Part I
Digital Signature Schemes and the Random Oracle Model
Cryptographic Hash Functions Part I
Topic 13: Message Authentication Code
Presentation transcript:

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 1 The Power of Simulation Relations Roberto Segala University of Verona

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 2 Hierarchical Verification I 11 I 12 I2I2 I3I3 S S1S1 S2S2 S3S3 Some properties verified here Modules verified separately

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 3 Implementation Some form of behavioral inclusion –Traces, Failures, Tests, … Features –Preserves properties of interest –Transitive –Compositional –Affine with logical implication … when properties are sets of behaviors Hard to check –Often Pspace-complete –But simulation relations help

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 4 Automata A = (Q, q 0, E, H, D) coffee q0q0 q2q2 q1q1 q4q4 q3q3 q5q5 d n n n choc ch Execution: q 0 n q 1 n q 2 ch q 3 coffee q 5 Trace: n n coffee

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 5 Forward Simulations Forward simulation from A 1 to A 2 (A 1  F  A 2 ) Relation R  Q 1 x Q 2 such that q q s s a a R R  q, s, a, q  s q0q0 q1q1 q3q3 q2q2 q4q4 s0s0 s1s1 s3s3 s4s4 aa cb a bc

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 6 Simulation Implies Trace Inclusion The step condition can be applied repeatedly q qq s ss a a qq ss b b qq ss c c qq ss d d … … Thus existence of simulation implies trace inclusion –Even more it implies a close correspondence between executions

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 7 Application of Simulation Relations Distributed Systems –Automata, I/O Automata Real-Time Systems –Add time component to states –Add time-passage actions or trajectories Time-passage modifies only time component Hybrid Systems –Time passage modifies entire state Randomized Systems –Transitions lead to probability measures

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 8 Example: Probabilistic Automata q0q0 qhqh qtqt qpqp flip 1/2 2/3 1/3 beep qzqz buzz

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 9 Example: Probabilistic Automata q0q0 q1q1 q2q2 q3q3 q4q4 q5q5 fair unfair flip 1/2 2/3 1/3 beep What is the probability of beeping?

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 10 Probabilistic Executions q0q0 q1q1 q3q3 q4q4 q5q5 1/2 q0q0 q2q2 q3q3 q4q4 q5q5 unfair flip 2/3 1/3 beep  (beep) = 2/3  (beep) = 1/2 fair beep flip 1/2 2/3

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 11 Example: Probabilistic Executions q0q0 q1q1 q2q2 q3q3 q4q4 q3q3 q4q4 q5q5 q5q5 fair unfair flip beep 1/2 2/3 1/3 1/2 1/4 2/6 7/12

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 12 Forward Simulations Forward simulation from A 1 to A 2 (A 1  F  A 2 ) Relation R  Q 1 x Q 2 such that q  s  a a R R  q, s, a,    q1q1 q2q2 s1s1 s2s2 s3s3 1/2 1/3 1/6 1/3 Lifting of R

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 13 Lifting and Transfer of Masses q1q1 q2q2 s1s1 s2s2 s3s3 q1q1 q2q2 s1s1 s2s2 s3s3 1/2 1/3 1/6 1/3

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 14 Simulation Implies Behavioral Inclusion The step condition can be applied repeatedly q  s        … … q    

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 15 A Potential Area of Application Security With simulations –Global properties validated via local properties –… almost as proving a property by induction Can we use simulations for security? –Properties are typically global –There is randomization Challenges –Specifications do not fail –Implementations fail with negligible probability –Some approximations appear to be necessary –Need for computational assumptions

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 16 Bellare and Rogaway MAP1 Protocol Nonces are generated randomly The key s is the secret for a Message Authentication Code –Specifically, MAC based on pseudo-random functions AB RARA [B.A.R A.R B ] s [A.R B ] s

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 17 Nonces Number ONCE –Typically drawn randomly Claim –For each constant c and polynomial p –There exists k such that for each k  k –If n 1,n 2,…,n p(k) are random nonces from {0,1} k –Then Pr[  i  j  n i  n j ]< k -c

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 18 Message Authentication Code Triple (G,A,V) –G on input 1 k generates s   {0,1} k –For each s and each a Pr[V( s,a, A( s,a ))=1]=1 Forger –On input 1 k obtains MAC of strings of its choice –Outputs a pair ( a,b ) –Successful if V( s,a,b )=1 and a different from previous queries Secure MAC –Every feasible forger succeeds with negligible probability

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 19 MAP1: Matching Conversations Matching conversation between A and B –Every message from A to B delivered unchanged Possibly last message lost Response from B returned to A –Every message received by A generated by B Messages generated by B delivered to A Possibly last message lost Correctness condition –Matching conversation implies acceptance –Negligible probability of acceptance without matching conversation

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 20 MAP1: Correctness Proof Let A be a PPT machine that interacts with the agents Show that A induces “no-match” with negligible probability –Argue that repeated nonces occur with negligible probability –Argue that A is an attack against a message authentication code Features –Relies on underlying pseudo-random functions –Proves correctness assuming truly random functions –Builds a distinguisher for PRFs if an attack exists Criticism –The arguments are semi-formal and not immediate –Three different concepts intermixed Nonces Message authentication codes Matching conversations

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 21 MAP1: Hierarchical Analysis Agents indexed by X, Y, t Adversary Keeps history (PPT function f) A1A1 A2A2 A3A3 A4A4 Key generator Nonce generator (coin flip) A5A5 Adversary Keeps history (PPT function f) A1A1 A2A2 A3A3 A4A4 Key generator Nonce generator (ideal) A5A5 Adversary Keep history (no forged signatures) A1A1 A2A2 A3A3 A4A4 Key generator Nonce generator (ideal) A5A5

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 22 Nonce Generators State –value X,Y,t initially  –FreshNonces initially {0,1} k Transitions –Input NonceRequest X,Y,t –Effect Let v  R {0,1} k value X,Y,t = v FreshNonces = FreshNonces -{ v } –Output NonceResponse X,Y,t ( n ) –Precondition n = value X,Y,t –Effect value X,Y,t =  Let v  R FreshNonces IdealCoin flip

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 23 Adversary Keeps a variable history –Holds all previous messages Real adversary –Runs a cycle where Computes the next message to send using a PPT function f Sends the message Waits for the answer if expected Ideal adversary –Highly nondeterministic –Stores all input –Sends messages that do not contain forged authentications

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 24 Problems with Simulations –Consider a transition of the real nonce generator –With some probability there is a repeated nonce –The ideal nonce generator does not repeat nonces –Thus, we cannot match the step Adversary Keeps history (PPT function f) A1A1 A2A2 A3A3 A4A4 Key generator Nonce generator (coin flip) A5A5 Adversary Keeps history (PPT function f) A1A1 A2A2 A3A3 A4A4 Key generator Nonce generator (ideal) A5A5 Adversary Keep history (no forged signatures) A1A1 A2A2 A3A3 A4A4 Key generator Nonce generator (ideal) A5A5

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 25 Approximated Simulations [ST07] Change lifting on measures –  1    2 iff  1 = (1-  )  1 ’ +  1 ’’  2 = (1-  )  2 ’ +  2 ’’  1 ’  2 ’ 1’1’  1 ’’ 2’2’  2 ’’ (1-  )   11 22 {2/3 q 1, 1/3 q 2 } = 2/3 {1/2 q 1, 1/2 q 2 } + 1/3{1 q 1 } {1/3 s 1, 1/3 s 2, 1/3 s 3 } = 2/3 {1/2 s 1, 1/2 s 2 } + 1/3{1 s 3 } ?  = 1/3

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 26 Approximated Simulations { A k } { R k } { B k } For each constant c and polynomial p There exists k such that for each k  k Whenever – 1 reached within p ( k ) steps in A k – 1 L ( R k,  ) 2 – 1  1 ’ There exists 2 ’ such that – 2  2 ’ – 1 ’ L ( R k,  + k -c ) 2 ’ ’   +k -c

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 27 Approximated Simulations Step Condition (1-  )   1 2 (1-  -k -c )  2 ’  1 ’ (1-  -k -c ) k -c  (1-  )

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 28  p(k)  p(k) Simulation Implies Behavioral Inclusion The step condition can be applied repeatedly q  s      … … 0k -c 2k -c 3k -c p(k)k -c Observation –p  k  k -c can be smaller than any k -c’ by choosing c=c’+degree(p)

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 29 Example: Approximate Simulations Bellare-Rogaway MAP1 Protocol Negation of the step condition –1: Two random nonces are equal with high probability –2: Function f defines a forger for a signature scheme Adversary Keep history (no forged signatures) A1A1 A2A2 A3A3 A4A4 Key generator Nonce generator (ideal) A5A5 Adversary Keeps history (PPT function f) A1A1 A2A2 A3A3 A4A4 Key generator Nonce generator (ideal) A5A5 Adversary Keeps history (PPT function f) A1A1 A2A2 A3A3 A4A4 Key generator Nonce generator (coin flip) A5A5 12

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 30 Step Condition { A k } { R k } { B k } For each constant c and polynomial p There exists k for each k  k Whenever – 1 reached within p ( k ) steps in A k – 1 L ( R k,  ) 2 – 1  1 ’ There exists 2 ’ such that – 2  2 ’ – 1 ’ L ( R k,  + k -c ) 2 ’ ’   +k -c

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 31 Negation of Step Condition { A k } { R k } { B k } There exists constant c and polynomial p For each k there exists k  k There exists – 1 reached within p ( k ) steps in A k – 1 L ( R k,  ) 2 – 1  1 ’ There is no 2 ’ such that – 2  2 ’ – 1 ’ L ( R k,  + k -c ) 2 ’ ’   +k -c Signature forged in 1 ’ –Probability at least k -c Nonce replicated in 1 ’ –Probability at least k -c (1-  )   1 2 (1-  -k -c )  2 ’  1 ’ (1-  -k -c ) k -c  (1-  )

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 32 Nonces Number ONCE –Typically drawn randomly Claim –For each constant c and polynomial p –There exists k such that for each k  k –If n 1,n 2,…,n p(k) are random nonces from {0,1} k –Then Pr[  i  j  n i  n j ]< k -c

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 33 Example: Approximate Simulations Bellare-Rogaway MAP1 Protocol Proof Completed Adversary Keep history (no forged signatures) A1A1 A2A2 A3A3 A4A4 Key generator Nonce generator (ideal) A5A5 Adversary Keeps history (PPT function f) A1A1 A2A2 A3A3 A4A4 Key generator Nonce generator (ideal) A5A5 Adversary Keeps history (PPT function f) A1A1 A2A2 A3A3 A4A4 Key generator Nonce generator (coin flip) A5A5 12

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 34 Problems with Nondeterminism MAP1 Protocol [BR93] Potential problems –Let s be the shared key –Adversary queries k agents –Agent i replies if i th bit of s is 1 –The adversary knows the shared key Solution –One query at a time –Wait for the answer (agents as oracles) Adversary Keeps history (PPT function f) A1A1 A2A2 A3A3 A4A4 Key generator Nonce generator (coin flip) A5A5

We Are Not Alone Mitchell, Ramanathan, Scedrov, Teague –Probabilistic polynomial time calculus Canetti, Cheung, Kaynar, Liskov, Lynch, Pereira, Segala –Task Probabilistic I/O Automata Chatzikokolakis, Palamidessi –Syntactic restrictions for schedulers Canetti –UC framework Backes, Pfitzmann, Waidner –Reactive simulatability Framework Van Breugel, Worrel –Metrics and approximation Desharnais, Gupta, Jagadeesan, Panangaden –Metrics and approximation The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 35

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 36 Work in Progress Applications –Soundness of Dolev-Yao model –Analysis of the Crypto-Library Approximated simulations versus –Approximated language inclusion (Task PIOAs) –Restricted schedulers –Metrics Flexibility on restrictions –Many ways to restrict –Are we restricting too much?

The Power of Simulation Relations Sixty and Beyond Toronto, August 20, 2008 Roberto Segala - University of Verona 37 Summing Up Simulation relations are powerful –Interact well with hierarchical verification –Global properties verified via local arguments –Apply to several frameworks Security is a new interesting area –We have interesting case studies –We have still many open questions We are having a lot of fun

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.