Results 1-10 of 75
Universally composable security: A new paradigm for cryptographic protocols
, 2013
Cited by 833 (37 self)
We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved under a general protocol composition operation, called universal composition. The proposed framework with its security-preserving composition operation allows for modular design and analysis of complex cryptographic protocols from relatively simple building blocks. Moreover, within this framework, protocols are guaranteed to maintain their security in any context, even in the presence of an unbounded number of arbitrary protocol instances that run concurrently in an adversarially controlled manner. This is a useful guarantee, that allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks.
Symmetric Encryption in a Simulatable Dolev-Yao Style Cryptographic Library
 In Proc. 17th IEEE Computer Security Foundations Workshop (CSFW
, 2004
Cited by 72 (20 self)
Recently we solved the long-standing open problem of justifying a Dolev-Yao type model of cryptography as used in virtually all automated protocol provers under active attacks. The justification was done by defining an ideal system handling Dolev-Yao-style terms and a cryptographic realization with the same user interface, and by showing that the realization is as secure as the ideal system in the sense of reactive simulatability. This definition encompasses arbitrary active attacks and enjoys general composition and property-preservation properties. Security holds in the standard model of cryptography and under standard assumptions of adaptively secure primitives.
Universally composable signature, certification, and authentication
 In CSFW 2004
, 2004
Cited by 63 (9 self)
Recently some efforts were made towards capturing the security requirements from digital signature schemes as an ideal functionality within a composable security framework. This modeling of digital signatures potentially has some significant analytical advantages (such as enabling component-wise analysis of complex systems that use signature schemes, as well as symbolic and automatable analysis of such systems). However, it turns out that formulating ideal functionalities that capture the properties expected from signature schemes in a way that is both sound and enjoys the above advantages is not a trivial task. This work has several contributions. We first correct some flaws in the definition of the ideal signature functionality of Canetti, 2001, and subsequent formulations. Next we provide a minimal formalization of “ideal certification authorities” and show how authenticated communication can be obtained using ideal signatures and an ideal certification authority. This is done while guaranteeing full modularity (i.e., each component is analyzed as standalone), and in an unconditional and errorless way. This opens the door to symbolic and automated analysis of protocols for these tasks, in a way that is both modular and cryptographically sound.
Information-Theoretic Cryptography (Extended Abstract)
, 1999
Cited by 63 (11 self)
We discuss several applications of information theory in cryptography, both for unconditional and for computational security. Unconditionally-secure secrecy, authentication, and key agreement are reviewed. It is argued that unconditional security can practically be achieved by exploiting the fact that cryptography takes place in a physical world in which, for instance due to noise, nobody can have complete information about the state of a system. The general concept of an information-theoretic cryptographic primitive is proposed which covers many previously considered primitives like oblivious transfer, noisy channels, and multiparty computation. Many results in information-theoretic cryptography can be phrased as reductions among such primitives. We also propose the concept of a generalized random oracle which answers more general queries than the evaluation of a random function. They have applications in proofs of the computational security of certain cryptographic schemes.
Examining Indistinguishability-Based Proof Models for Key Establishment Protocols (Full version available from http://eprint.iacr.org/2005/270)
, 2005
Cited by 57 (10 self)
Abstract. We examine various indistinguishability-based proof models for key establishment protocols, namely the Bellare & Rogaway (1993, 1995), the Bellare, Pointcheval, & Rogaway (2000), and the Canetti & Krawczyk (2001) proof models. We then consider several variants of these proof models, identify several subtle differences between these variants and models, and compare the relative strengths of the notions of security between the models. For each of the pair of relations between the models (either an implication or a non-implication), we provide proofs or counterexamples to support the observed relations. We also reveal a drawback with the original formulation of the Bellare, Pointcheval, & Rogaway (2000) model, whereby the Corrupt query is not allowed.
The universal composable security of quantum key distribution
 Theory of Cryptography: Second Theory of Cryptography Conference, volume 3378 of Lecture
, 2005
Cited by 51 (3 self)
The existing unconditional security definitions of quantum key distribution (QKD) do not apply to joint attacks over QKD and the subsequent use of the resulting key. In this paper, we close this potential security gap by using a universal composability theorem for the quantum setting. We first derive a composable security definition for QKD. We then prove that the usual security definition of QKD still implies the composable security definition. Thus, a key produced in any QKD protocol that is unconditionally secure in the usual definition can indeed be safely used, a property of QKD that is hitherto unproven. We propose two other useful sufficient conditions for composability. As a simple application of our result, we show that keys generated by repeated runs of QKD degrade slowly.
A formal treatment of onion routing
 In Advances in Cryptology—CRYPTO 2005, Lecture Notes in Computer Science 3621
, 2005
Cited by 49 (0 self)
Abstract. Anonymous channels are necessary for a multitude of privacy-protecting protocols. Onion routing is probably the best known way to achieve anonymity in practice. However, the cryptographic aspects of onion routing have not been sufficiently explored: no satisfactory definitions of security have been given, and existing constructions have only had ad-hoc security analysis for the most part. We provide a formal definition of onion-routing in the universally composable framework, and also discover a simpler definition (similar to CCA2 security for encryption) that implies security in the UC framework. We then exhibit an efficient and easy to implement construction of an onion routing scheme satisfying this definition.
Relating Symbolic and Cryptographic Secrecy
 IN PROC. IEEE SYMPOSIUM ON SECURITY AND PRIVACY
, 2004
Cited by 48 (9 self)
We investigate the relation between symbolic and cryptographic secrecy properties for cryptographic protocols. Symbolic secrecy of payload messages or exchanged keys is arguably the most important notion of secrecy shown with automated proof tools. It means that an adversary restricted to symbolic operations on terms can never get the entire considered object into its knowledge set. Cryptographic secrecy essentially
A probabilistic polynomial-time calculus for analysis of cryptographic protocols
 Electronic Notes in Theoretical Computer Science
, 2001
Cited by 48 (8 self)
We prove properties of a process calculus that is designed for analyzing security protocols. Our long-term goal is to develop a form of protocol analysis, consistent with standard cryptographic assumptions, that provides a language for expressing probabilistic polynomial-time protocol steps, a specification method based on a compositional form of equivalence, and a logical basis for reasoning about equivalence. The process calculus is a variant of CCS, with bounded replication and probabilistic polynomial-time expressions allowed in messages and boolean tests. To avoid inconsistency between security and nondeterminism, messages are scheduled probabilistically instead of nondeterministically. We prove that evaluation of any process expression halts in probabilistic polynomial time and define a form of asymptotic protocol equivalence that allows security properties to be expressed using observational equivalence, a standard relation from programming language theory that involves quantifying over possible environments that might interact with the protocol. We develop a form of probabilistic bisimulation and use it to establish the soundness of an equational proof system based on observational equivalences. The proof system is illustrated by a formation derivation of the assertion, well-known in cryptography, that ElGamal encryption’s semantic security is equivalent to the (computational) Decision Diffie-Hellman assumption. This example demonstrates the power of probabilistic bisimulation and equational reasoning for protocol security.
Probabilistic Polynomial-Time Process Calculus and Security Protocol Analysis
 Theoretical Computer Science
, 2006
Cited by 38 (3 self)
Abstract. We prove properties of a process calculus that is designed for analysing security protocols. Our long-term goal is to develop a form of protocol analysis, consistent with standard cryptographic assumptions, that provides a language for expressing probabilistic polynomial-time protocol steps, a specification method based on a compositional form of equivalence, and a logical basis for reasoning about equivalence. The process calculus is a variant of CCS, with bounded replication and probabilistic polynomial-time expressions allowed in messages and boolean tests. To avoid inconsistency between security and nondeterminism, messages are scheduled probabilistically instead of nondeterministically. We prove that evaluation of any process expression halts in probabilistic polynomial time and define a form of asymptotic protocol equivalence that allows security properties to be expressed using observational equivalence, a standard relation from programming language theory that involves quantifying over all possible environments that might interact with the protocol. We develop a form of probabilistic bisimulation and use it to establish the soundness of an equational proof system based on observational equivalences. The proof system is illustrated by a formation derivation of the assertion, well-known in cryptography, that El Gamal encryption’s semantic security is equivalent to the (computational) Decision Diffie-Hellman assumption. This example demonstrates the power of probabilistic bisimulation and equational reasoning for protocol security.