Results 1  10
of
77
Universally Composable Security with Global Setup
 In Proceedings of the 4th Theory of Cryptography Conference
, 2007
"... Cryptographic protocols are often designed and analyzed under some trusted setup assumptions, namely in settings where the participants have access to global information that is trusted to have some basic security properties. However, current modeling of security in the presence of such setup falls ..."
Abstract

Cited by 53 (5 self)
 Add to MetaCart
Cryptographic protocols are often designed and analyzed under some trusted setup assumptions, namely in settings where the participants have access to global information that is trusted to have some basic security properties. However, current modeling of security in the presence of such setup falls short of providing the expected security guarantees. A quintessential example of this phenomenon is the deniability concern: there exist natural protocols that meet the strongest known composable security notions, and are still vulnerable to bad interactions with rogue protocols that use the same setup. We extend the notion of universally composable (UC) security in a way that reestablishes its original intuitive guarantee even for protocols that use globally available setup. The new formulation prevents bad interactions even with adaptively chosen protocols that use the same setup. In particular, it guarantees deniability. While for protocols that use no setup the proposed requirements are the same as in traditional UC security, for protocols that use global setup the proposed requirements are significantly stronger. In fact, realizing Zero Knowledge or commitment becomes provably impossible, even in the Common Reference String model.
General Composition and Universal Composability in Secure Multiparty Computation
, 2007
"... Concurrent general composition relates to a setting where a secure protocol is run in anetwork concurrently with other, arbitrary protocols. Clearly, security in such a setting is what is desired, or even needed, in modern computer networks where many different protocols areexecuted concurrently. Ca ..."
Abstract

Cited by 53 (9 self)
 Add to MetaCart
(Show Context)
Concurrent general composition relates to a setting where a secure protocol is run in anetwork concurrently with other, arbitrary protocols. Clearly, security in such a setting is what is desired, or even needed, in modern computer networks where many different protocols areexecuted concurrently. Canetti (FOCS 2001) introduced the notion of universal composability, and showed that security under this definition is sufficient for achieving concurrent generalcomposition. However, it is not known whether or not the opposite direction also holds. Our main result is a proof that security under concurrent general composition, when interpreted in the natural way under the simulation paradigm, is equivalent to a variant of universal composability, where the only difference relates to the order of quantifiers in the definition. (Innewer versions of universal composability, these variants are equivalent.) An important corollary of this theorem is that existing impossibility results for universal composability (for all itsvariants) are inherent for definitions that imply security under concurrent general composition, as formulated here. In particular, there are large classes of twoparty functionalities for whichit is impossible to obtain protocols (in the plain model) that remain secure under concurrent general composition. We stress that the impossibility results obtained are not &quot;blackbox&quot;, andapply even to nonblackbox simulation. Our main result also demonstrates that the definition of universal composability is somewhat&quot;minimal&quot;, in that the composition guarantee provided by universal composability implies the definition itself. This indicates that the security definition of universal composability is notoverly restrictive.
Universally Composable PasswordBased Key Exchange
 Advances in Cryptology  Eurocrypt 2005, LNCS
, 2005
"... We propose and realize a definition of security for passwordbased key exchange within the framework of universal composability (UC), thus providing security guarantees under arbitrary composition with other protocols. In addition, our definition captures some aspects of the problem that were not ad ..."
Abstract

Cited by 49 (9 self)
 Add to MetaCart
(Show Context)
We propose and realize a definition of security for passwordbased key exchange within the framework of universal composability (UC), thus providing security guarantees under arbitrary composition with other protocols. In addition, our definition captures some aspects of the problem that were not adequately addressed by most prior notions. For instance, our definition does not assume any underlying probability distribution on passwords, nor does it assume independence between passwords chosen by different parties. We also formulate a definition of passwordbased secure channels, and show how to realize such channels given any passwordbased key exchange protocol. The passwordbased key exchange protocol shown here is in the common reference string model and relies on standard numbertheoretic assumptions. The components of our protocol can be instantiated to give a relatively efficient solution which is conceivably usable in practice. We also show that it is impossible to satisfy our definition in the “plain ” model (e.g., without
Universally composable symbolic analysis of mutual authentication and keyexchange protocols
 In Shai Halevi and Tal Rabin, editors, TCC, volume 3876 of LNCS
, 2006
"... Abstract. Symbolic analysis of cryptographic protocols is dramatically simpler than fullfledged cryptographic analysis. In particular, it is simple enough to be automated. However, symbolic analysis does not, by itself, provide any cryptographic soundness guarantees. Following recent work on crypto ..."
Abstract

Cited by 49 (5 self)
 Add to MetaCart
(Show Context)
Abstract. Symbolic analysis of cryptographic protocols is dramatically simpler than fullfledged cryptographic analysis. In particular, it is simple enough to be automated. However, symbolic analysis does not, by itself, provide any cryptographic soundness guarantees. Following recent work on cryptographically sound symbolic analysis, we demonstrate how DolevYao style symbolic analysis can be used to assert the security of cryptographic protocols within the universally composable (UC) security framework. Consequently, our methods enable security analysis that is completely symbolic, and at the same time cryptographically sound with strong composability properties. More specifically, we concentrate on mutual authentication and keyexchange protocols. We restrict attention to protocols that use publickey encryption as their only cryptographic primitive and have a specific restricted format. We define a mapping from such protocols to DolevYao style symbolic protocols, and show that the symbolic protocol satisfies a certain symbolic criterion if and only if the corresponding cryptographic protocol is UCsecure. For mutual authentication, our symbolic criterion is similar to the traditional DolevYao criterion. For key exchange, we demonstrate that the traditional DolevYao style symbolic criterion is insufficient, and formulate an adequate symbolic criterion. Finally, to demonstrate the viability of our treatment, we use an existing tool to automatically verify whether some prominent keyexchange protocols are UCsecure. 1
A probabilistic polynomialtime calculus for analysis of cryptographic protocols
 Electronic Notes in Theoretical Computer Science
, 2001
"... We prove properties of a process calculus that is designed for analyzing security protocols. Our longterm goal is to develop a form of protocol analysis, consistent with standard cryptographic assumptions, that provides a language for expressing probabilistic polynomialtime protocol steps, a spec ..."
Abstract

Cited by 48 (8 self)
 Add to MetaCart
We prove properties of a process calculus that is designed for analyzing security protocols. Our longterm goal is to develop a form of protocol analysis, consistent with standard cryptographic assumptions, that provides a language for expressing probabilistic polynomialtime protocol steps, a specification method based on a compositional form of equivalence, and a logical basis for reasoning about equivalence. The process calculus is a variant of CCS, with bounded replication and probabilistic polynomialtime expressions allowed in messages and boolean tests. To avoid inconsistency between security and nondeterminism, messages are scheduled probabilistically instead of nondeterministically. We prove that evaluation of any process expression halts in probabilistic polynomial time and define a form of asymptotic protocol equivalence that allows security properties to be expressed using observational equivalence, a standard relation from programming language theory that involves quantifying over possible environments that might interact with the protocol. We develop a form of probabilistic bisimulation and use it to establish the soundness of an equational proof system based on observational equivalences. The proof system is illustrated by a formation derivation of the assertion, wellknown in cryptography, that ElGamal encryption’s semantic security is equivalent to the (computational) Decision DiffieHellman assumption. This example demonstrates the power of probabilistic bisimulation and equational reasoning for protocol security.
Security proofs for an efficient passwordbased key exchange
 In ACM Conference on Computer Communications Security
, 2003
"... Abstract. Passwordbased key exchange schemes are designed to provide entities communicating over a public network, and sharing a (short) password only, with a session key (e.g, the key is used for data integrity and/or confidentiality). The focus of the present paper is on the analysis of very effi ..."
Abstract

Cited by 45 (10 self)
 Add to MetaCart
(Show Context)
Abstract. Passwordbased key exchange schemes are designed to provide entities communicating over a public network, and sharing a (short) password only, with a session key (e.g, the key is used for data integrity and/or confidentiality). The focus of the present paper is on the analysis of very efficient schemes that have been proposed to the IEEE P1363 Standard working group on passwordbased authenticated keyexchange methods, but for which actual security was an open problem. We analyze the AuthA key exchange scheme and give a complete proof of its security. Our analysis shows that the AuthA protocol and its multiple modes of operation are provably secure under the computational DiffieHellman intractability assumption, in both the randomoracle and the idealcipher models. 1
Probabilistic PolynomialTime Process Calculus and Security Protocol Analysis
 Theoretical Computer Science
, 2006
"... Abstract. We prove properties of a process calculus that is designed for analysing security protocols. Our longterm goal is to develop a form of protocol analysis, consistent with standard cryptographic assumptions, that provides a language for expressing probabilistic polynomialtime protocol step ..."
Abstract

Cited by 41 (3 self)
 Add to MetaCart
Abstract. We prove properties of a process calculus that is designed for analysing security protocols. Our longterm goal is to develop a form of protocol analysis, consistent with standard cryptographic assumptions, that provides a language for expressing probabilistic polynomialtime protocol steps, a specification method based on a compositional form of equivalence, and a logical basis for reasoning about equivalence. The process calculus is a variant of CCS, with bounded replication and probabilistic polynomialtime expressions allowed in messages and boolean tests. To avoid inconsistency between security and nondeterminism, messages are scheduled probabilistically instead of nondeterministically. We prove that evaluation of any process expression halts in probabilistic polynomial time and define a form of asymptotic protocol equivalence that allows security properties to be expressed using observational equivalence, a standard relation from programming language theory that involves quantifying over all possible environments that might interact with the protocol. We develop a form of probabilistic bisimulation and use it to establish the soundness of an equational proof system based on observational equivalences. The proof system is illustrated by a formation derivation of the assertion, wellknown in cryptography, that El Gamal encryption’s semantic security is equivalent to the (computational) Decision DiffieHellman assumption. This example demonstrates the power of probabilistic bisimulation and equational reasoning for protocol security.
On SimulationSound Trapdoor Commitments
 In proceedings of EUROCRYPT ’04, LNCS series
, 2003
"... We study the recently introduced notion of a simulationsound trapdoor commitment (SSTC) scheme. In this paper, we present a new, simpler definition for an SSTC scheme that admits more efficient constructions and can be used in a larger set of applications. Specifically, we show how to construct ..."
Abstract

Cited by 40 (2 self)
 Add to MetaCart
We study the recently introduced notion of a simulationsound trapdoor commitment (SSTC) scheme. In this paper, we present a new, simpler definition for an SSTC scheme that admits more efficient constructions and can be used in a larger set of applications. Specifically, we show how to construct SSTC schemes from any oneway functions, and how to construct very efficient SSTC schemes based on specific numbertheoretic assumptions. We also show how to construct simulationsound, nonmalleable, and universallycomposable zeroknowledge protocols using SSTC schemes, yielding, for instance, the most efficient universallycomposable zeroknowledge protocols known. Finally, we explore the relation between SSTC schemes and nonmalleable commitment schemes by presenting a sequence of implication and separation results, which in particular imply that SSTC schemes are nonmalleable.
Strengthening ZeroKnowledge Protocols using Signatures
 IN PROCEEDINGS OF EUROCRYPT ’03, LNCS SERIES
, 2003
"... Recently there has been an interest in zeroknowledge protocols with stronger properties, such as concurrency, unbounded simulation soundness, nonmalleability, and universal composability. In this paper, ..."
Abstract

Cited by 39 (8 self)
 Add to MetaCart
Recently there has been an interest in zeroknowledge protocols with stronger properties, such as concurrency, unbounded simulation soundness, nonmalleability, and universal composability. In this paper,
Computationally sound compositional logic for key exchange protocols
 In Proceedings of 19th IEEE Computer Security Foundations Workshop
, 2006
"... We develop a compositional method for proving cryptographically sound security properties of key exchange protocols, based on a symbolic logic that is interpreted over conventional runs of a protocol against a probabilistic polynomialtime attacker. Since reasoning about an unbounded number of runs ..."
Abstract

Cited by 38 (9 self)
 Add to MetaCart
(Show Context)
We develop a compositional method for proving cryptographically sound security properties of key exchange protocols, based on a symbolic logic that is interpreted over conventional runs of a protocol against a probabilistic polynomialtime attacker. Since reasoning about an unbounded number of runs of a protocol involves inductionlike arguments about properties preserved by each run, we formulate a specification of secure key exchange that is closed under general composition with steps that use the key. We present formal proof rules based on this gamebased condition, and prove that the proof rules are sound over a computational semantics. The proof system is used to establish security of a standard protocol in the computational model. 1