Results 1 - 7 of 7
Simulation-Based Security with Inexhaustible Interactive Turing Machines
In Proceedings of the 19th IEEE Computer Security Foundations Workshop (CSFW-19 2006), 2006
Cited by 35 (9 self)
Recently, there has been much interest in extending models for simulation-based security in such a way that the runtime of protocols may depend on the length of their input. Finding such extensions has turned out to be a nontrivial task. In this work, we propose a simple, yet expressive general computational model for systems of Interactive Turing Machines (ITMs) where the runtime of the ITMs may be polynomial per activation and may depend on the length of the input received. One distinguishing feature of our model is that the systems of ITMs that we consider involve a generic mechanism for addressing dynamically generated copies of ITMs. We study properties of such systems and, in particular, show that systems satisfying a certain acyclicity condition run in polynomial time. Based on our general computational model, we state different notions of simulation-based security in a uniform and concise way, study their relationships, and prove a general composition theorem for composing a polynomial number of copies of protocols, where the polynomial is determined by the environment. The simplicity of our model is demonstrated by the fact that many of our results can be proved by mere equational reasoning based on a few equational principles on systems.
On the relationships between notions of simulation-based security
In TCC 2005, 2005
Joint State Theorems for Public-Key Encryption and Digital Signature Functionalities with Local Computation
In Proc. 21st IEEE Computer Security Foundations Symposium (CSF’08), 2008
Cited by 14 (4 self)
Abstract. Composition theorems in simulation-based approaches allow to build complex protocols from subprotocols in a modular way. However, as first pointed out and studied by Canetti and Rabin, this modular approach often leads to impractical implementations. For example, when using a functionality for digital signatures within a more complex protocol, parties have to generate new verification and signing keys for every session of the protocol. This motivates to generalize composition theorems to so-called joint state theorems, where different copies of a functionality may share some state, e.g., the same verification and signing keys. In this paper, we present a joint state theorem which is more general than the original theorem of Canetti and Rabin, for which several problems and limitations are pointed out. We apply our theorem to obtain joint state realizations for three functionalities: public-key encryption, replayable public-key encryption, and digital signatures. Unlike most other formulations, our functionalities model that ciphertexts and signatures are computed locally, rather than being provided by the adversary. To obtain the joint state realizations, the functionalities have to be designed carefully. Other formulations are shown to be unsuitable. Our work is based on a recently proposed, rigorous model for simulation-based security by Küsters, called the IITM model. Our definitions and results demonstrate the expressivity and simplicity of this model. For example, unlike Canetti’s UC model, in the IITM model no explicit joint state operator needs to be defined and the joint state theorem follows immediately from the composition theorem in the IITM model.
Sequential probabilistic process calculus and simulation-based security
2004
Cited by 1 (0 self)
Abstract. Several compositional forms of simulation-based security have been proposed in the literature, including universal composability, black-box simulatability, and variants thereof. These
Simulation-Based Security with Inexhaustible Interactive Turing Machines
Recently, there has been much interest in extending models for simulation-based security in such a way that the runtime of protocols may depend on the length of their input. Finding such extensions has turned out to be a nontrivial task. In this work, we propose a simple, yet expressive general computational model for systems of Interactive Turing Machines (ITMs) where the runtime of the ITMs may be polynomial per activation and may depend on the length of the input received. One distinguishing feature of our model is that the systems of ITMs that we consider involve a generic mechanism for addressing dynamically generated copies of ITMs. We study properties of such systems and, in particular, show that systems satisfying a certain acyclicity condition run in polynomial time. Based on our general computational model, we state different notions of simulation-based security in a uniform and concise way, study their relationships, and prove a general composition theorem for composing a polynomial number of copies of protocols, where the polynomial is determined by the environment. The simplicity of our model is demonstrated by the fact that many of our results can be proved by mere equational reasoning based on a few equational principles on systems.
Secure Pseudonymous Channels
Abstract. Channels are an abstraction of the many concrete techniques to enforce particular properties of message transmissions such as encryption. We consider here three basic kinds of channels—authentic, confidential, and secure—where agents may be identified by pseudonyms rather than by their real names. We define the meaning of channels as assumptions, i.e. when a protocol relies on channels with particular properties for the transmission of some of its messages. We also define the meaning of channels as goals, i.e. when a protocol aims at establishing a particular kind of channel. This gives rise to an interesting question: given that we have verified that a protocol P2 provides its goals under the assumption of a particular kind of channel, can we then replace the assumed channel with an arbitrary protocol P1 that provides such a channel? In general, the answer is negative, while we prove that under certain restrictions such a compositionality result is possible.
Simulation-Based Security with Inexhaustible Interactive Turing Machines
Recently, there has been much interest in extending models for simulation-based security in such a way that the runtime of protocols may depend on the length of their input. Finding such extensions has turned out to be a nontrivial task. In this work, we propose a simple, yet expressive general computational model for systems of Interactive Turing Machines (ITMs) where the runtime of the ITMs may be polynomial per activation and may depend on the length of the input received. One distinguishing feature of our model is that the systems of ITMs that we consider involve a generic mechanism for addressing dynamically generated copies of ITMs. We study properties of such systems and, in particular, show that systems satisfying a certain acyclicity condition run in polynomial time. Based on our general computational model, we state different notions of simulation-based security in a uniform and concise way, study their relationships, and prove a general composition theorem for composing a polynomial number of copies of protocols, where the polynomial is determined by the environment. The simplicity of our model is demonstrated by the fact that many of our results can be proved by mere equational reasoning based on a few equational principles on systems.