Universally Composable
Symbolic Analysis of
Security Protocols
Jonathan Herzog
(Joint work with Ran Canetti)
7 June 2004
The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's
concurrence with, or support for, the positions, opinions or viewpoints expressed by the author.
Introduction


This talk: symbolic analysis can guarantee universally
composable (UC) security
Dolev-Yao (symbolic) model
Adversary extremely limited
 Proofs simple, can even be automated


UC (concrete) framework
Complexity- and information-theoretic approach
 Guarantees strong security and composability properties
 Requires “hand-crafted” proofs


Symbolic security proofs are sound in UC framework
Traditional (symbolic) mutual-authentication definitions suffice
 Need strengthened notion of symbolic key-exchange

Analysis strategy
Symbolic
protocol
Symbolic
property
Simple, automated
Main result
Natural
of talk:
translation for
mutual
authentication
encryption-based
Would
like
and key exchange
protocols
Concrete
protocol
UC security
Simplify
Analysis strategy (expanded)
Symbolic singleinstance protocol
Symbolic
property
Single-instance
Setting
Security using
UC encryption
Ideal
cryptography
Security for
multiple instances
Concrete
protocol
UC concrete
security
UC
theorem
UC w/
joint
state
Prior work

Abadi-Rogaway/Abadi-Jürjens
First connection of formal, computational
 Passive adversary


Micciancio-Warinschi
Trace properties (e.g. mutual authentication)
 No intermediate composition





Complex analysis
No composition guarantees
We lift to UC
Backes, Pfitzmann, Waidner
UC library of primitives (including symmetric encryption, sigs)
 Multi-instance
 Primitive vs. protocol (at level 2)

Overview of talk


Describe UC framework
Describe Dolev-Yao model



Mutual authentication result
Key-exchange results


Extended with local outputs
Strengthened symbolic definition
Future work
Traditional (non-UC) security
"Functionality” specifies:
P does,
what protocol
what info released to
adversary
P
P
S
∏
P
A
F
Security: A, S : ViewReal(A) = ViewIdeal(A)
Adversary learns only what allowed by F, even in real protocol
A
Desired: Composition
(Higher-level
protocol)
Q
Q
A
=
Q
A
Q
F
F
F
Achieving Composition
P
P
P

A
P
S
F
Adversary now sets participant input, sees output
Simulator sees neither!
 Adversary given special name: “environment”

A
Achieving Composition

UC security:
A, S : ViewReal(A) = ViewIdeal(A)

Enforces that protocol messages and protocol
outputs are independent

Strongest known (computational) notion of
protocol security
The Dolev-Yao model

Messages modeled symbolically


Symbols might be compound (crypto operations)
Participant hears symbol, replies with symbol
M1
L
P1
P2
M2

New: local output

A
Not seen by adversary
The Dolev-Yao adversary

Adversary maintains set of knowledge:
P1
P2
Know
Application of
deduction
A
Dolev-Yao adversary powers

Only four possible deductions:
Already in Know
M1 , M2
Pair(M1, M2)
Can add to Know
Pair(M1, M2)
M1 and M2
M, K
Enc(M, K), K-1

(Always in Know:
• Randomness generated by adversary
• Private keys generated by adversary
• All public keys)
Enc(M,K)
M
The Dolev-Yao adversary
Know
P1
P2
A
Mutual Authentication



UC: need only consider a single (two-party) instance
Symbolic condition: Adversary cannot make party Pi
(locally) output
(finished Pi Pj)
before both Pi and Pj output
(starting Pj Pi)
UC: FMA only sends (success) to participants after
both submit (start)
Mutual Authentication Results

Theorem: let  be a concrete protocol that uses ideal
encryption. Then:
DY() achieves mutual auth iff
 securely realizes FMA

Cor:let  be a concrete protocol that uses concrete (UC)
encryption. Then:
DY() achieves mutual auth iff
 securely realizes FMA
(Note: UC analog to MW04)
Key exchange


UC: FKE creates single new key, sends to
requesting participants (but not adversary)
Symbolic:
1.
2.

Key Agreement: If P1 outputs (Finished P1
P2 K) and P2 outputs (Finished P2 P1 K’)
then K = K’.
Traditional Dolev-Yao secrecy: If Pi outputs
(Finished Pi Pj K), then K can never be in
adversary’s set Know
Not strong enough!
Composition and secrecy

Traditional secrecy goals fail under composition


Session key used in higher-level protocol
Example: let  satisfy traditional secrecy for K
P1
Outputs session
key: K


P2
{K}K2
K
Modified protocol still satisfies traditional secrecy

Might be insecure when used as sub-protocol
Real-or-random (1/3)

Need: real-or-random property for session keys
Can think of traditional goal as “computational”
 Need a stronger “decisional” goal
 Expressed in Dolev-Yao framework





Let  be a protocol
Let r be , except that when participant outputs
(Finished Pi Pj Kr), Kr added to Know
Let f be , except that when any participant outputs
(Finished Pi Pj Kr), fresh key Kf added to
adversary set Know
Want: adversary can’t distinguish two protocols
Real-or-random (2/3)

Let S be a strategy

Sequence of deductions and transmissions

Attempt 1: For any strategy,
Trace(S, r) = Traces(S, f)
Problem: Kf not in any traces of r
Attempt 2:

Trace(S, r) = Rename(Trace(S, f), Kf  Kr)
Sufficient for “if,” too strong for “only if”



Two different traces may ‘appear’ the same to adversary
Real-or-random (3/3)

Observable part of trace: Abadi-Rogaway pattern


Undecipherable encryptions replaced by “blob”
Example:
t = {N1, N2}K1, {N2}K2, K1-1
Pattern(t) = {N1, N2}K1, K2, K1-1

Final condition: for any strategy:
Pattern(Trace(S, r))
=
Pattern(Rename(Trace(S, f), Kf  Kr)))
Main results

Theorem: let  be a concrete protocol that uses (UC)
ideal encryption. Then:
 securely realizes FKE iff DY() satisfies
1.
2.
3.
Key agreement
Traditional Dolev-Yao secrecy of session key
Real-or-random
(Note: condition 3 implies 2 for Dolev-Yao message
space with equality checks.)

Cor: same for  that uses concrete UC encryption
Future work

How to prove Dolev-Yao real-or-random?
Needed for UC security
 Not previously considered in the Dolev-Yao literature
 Can it be automated?
 Simpler form?



Similar results for protocols using symmetric encryption,
signatures, Diffie-Hellman?
Symbolic representation of other types of tasks
Zero-Knowledge from ideal commitment
 Secure function evaluation from ideal Oblivious Transfer
 Etc.

Backup-slides
“Simple” protocols


Concrete protocols that map naturally to Dolev-Yao framework
Two cryptographic operations:
Randomness generation
 Encryption/decryption



(This talk: asymmetric encryption)
Example: Needham-Schroeder-Lowe
{P1, N1}K2
P1
{P2, N1, N2}K1
{N2}K2
P2
UC Key-Exchange Functionality
(P1 P2)
P1
Key k
(P1 P2)
k  {0,1}n
(P1 P2)
Key P1
Key P2
A
(P2 P1)
P2
(P2 P1)
(P2 P1)
Key k
FKE
Key P2
Goal of the adversary





Recall that the adversary A sees outputs of participants
Goal: distinguish real protocol from simulation
In protocol execution, output of participants (session key) related to
protocol messages
In ideal world, output independent of simulated protocol
If there exists a detectable relationship between session key and
protocol messages, adversary can distinguish
Example: last message of protocol is {“confirm”}K where K is session
key
 Can decrypt with participant output from real protocol
 Can’t in simulated protocol
