Universally composable security: A new paradigm for cryptographic protocols
, 2013
Cited by 833 (37 self)
We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved under a general protocol composition operation, called universal composition. The proposed framework with its security-preserving composition operation allows for modular design and analysis of complex cryptographic protocols from relatively simple building blocks. Moreover, within this framework, protocols are guaranteed to maintain their security in any context, even in the presence of an unbounded number of arbitrary protocol instances that run concurrently in an adversarially controlled manner. This is a useful guarantee, that allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks.
Computationally sound compositional logic for key exchange protocols
 In Proceedings of 19th IEEE Computer Security Foundations Workshop
, 2006
Cited by 38 (9 self)
We develop a compositional method for proving cryptographically sound security properties of key exchange protocols, based on a symbolic logic that is interpreted over conventional runs of a protocol against a probabilistic polynomial-time attacker. Since reasoning about an unbounded number of runs of a protocol involves induction-like arguments about properties preserved by each run, we formulate a specification of secure key exchange that is closed under general composition with steps that use the key. We present formal proof rules based on this game-based condition, and prove that the proof rules are sound over a computational semantics. The proof system is used to establish security of a standard protocol in the computational model.
Task-structured probabilistic I/O automata
, 2006
Cited by 22 (10 self)
Modeling frameworks such as Probabilistic I/O Automata (PIOA) and Markov Decision Processes permit both probabilistic and nondeterministic choices. In order to use such frameworks to express claims about probabilities of events, one needs mechanisms for resolving nondeterministic choices. For PIOAs, nondeterministic choices have traditionally been resolved by schedulers that have perfect information about the past execution. However, such schedulers are too powerful for certain settings, such as cryptographic protocol analysis, where information must sometimes be hidden. Here, we propose a new, less powerful nondeterminism-resolution mechanism for PIOAs, consisting of tasks and local schedulers. Tasks are equivalence classes of system actions that are scheduled by oblivious, global task sequences. Local schedulers resolve nondeterminism within system components, based on local information only. The resulting task-PIOA framework yields simple notions of external behavior and implementation, and supports simple compositionality results. We also define a new kind of simulation relation, and show it to be sound for proving implementation. We illustrate the potential of the task-PIOA framework by outlining its use in verifying an Oblivious Transfer protocol.
Analyzing Security Protocols Using Time-Bounded Task-PIOAs
, 2007
Cited by 9 (3 self)
This paper presents the Time-Bounded Task-PIOA modeling framework, an extension of the Probabilistic Input/Output Automata (PIOA) framework that can be used for modeling and verifying security protocols. Time-bounded task-PIOAs can describe probabilistic and nondeterministic behavior, as well as time-bounded computation. Together, these features support modeling of important aspects of security protocols, including secrecy requirements and limitations on the computational power of adversarial parties. They also support security protocol verification using methods that are compatible with less formal approaches used in the computational cryptography research community. We illustrate the use of our framework by outlining a proof of functional correctness and security properties for a well-known Oblivious Transfer protocol.
Approximated Computationally Bounded Simulation Relations for Probabilistic Automata
, 2007
Cited by 9 (0 self)
We study simulation relations for Probabilistic Automata that require transitions to be matched up to negligible sets provided that computation lengths are polynomially bounded. These relations are meant to provide rigorous grounds to parts of correctness proofs for cryptographic protocols that are usually carried out by semiformal arguments. We illustrate our ideas by recasting a correctness proof of Bellare and Rogaway based on the notion of matching conversation.
Key Exchange Protocols: Security Definition, Proof Method and Applications
 In 19th IEEE Computer Security Foundations Workshop (CSFW 19)
, 2006
Cited by 2 (0 self)
We develop a compositional method for proving cryptographically sound security properties of key exchange protocols, based on a symbolic logic that is interpreted over conventional runs of a protocol against a probabilistic polynomial-time attacker. Since reasoning about an unbounded number of runs of a protocol involves induction-like arguments about properties preserved by each run, we formulate a specification of secure key exchange that, unlike conventional key indistinguishability, is closed under general composition with steps that use the key.
T.: Relationship of three cryptographic channels
 in the UC framework. In: ProvSec. LNCS
, 2008
Cited by 1 (0 self)
Abstract. The relationship of three cryptographic channels, secure channels (SC), anonymous channels (AC) and direction-indeterminable channels (DIC), was investigated by Okamoto. He showed that the three cryptographic channels are reducible to each other, but did not consider communication schedules clearly as well as composable security. This paper refines the relationship of the three channels in the light of communication schedules and composable security. We model parties by the task-probabilistic input/output automata (PIOA) to treat communication schedules, and adopt the universally composable (UC) framework by Canetti to treat composable security. We show that a class of anonymous channels, two-anonymous channels (2AC), and DIC are reducible to each other under any schedule and that DIC and SC are reducible to each other under some types of schedules, in the UC framework with the PIOA model.
Computationally Sound Compositional Logic for Security Protocols
Abstract. We have been developing a cryptographically sound formal logic for proving protocol security properties without explicitly reasoning about probability, asymptotic complexity, or the actions of a malicious attacker. The approach rests on a probabilistic, polynomial-time semantics for a protocol security logic that was originally developed using nondeterministic symbolic semantics. This workshop presentation will discuss ways in which the computational semantics lead to different reasoning methods and report our progress to date in several directions. One significant difference between the symbolic and computational settings results from the computational difference between efficiently recognizing and efficiently producing a value. Among the more recent developments are a compositional method for proving cryptographically sound properties of key exchange protocols, and some work on secrecy properties that illustrates the computational interpretation of inductive properties of protocol roles.