Paper 2006/132

Conditional Reactive Simulatability

Michael Backes, Markus Duermuth, Dennis Hofheinz, and Ralf Kuesters


Simulatability has established itself as a salient notion for defining and proving the security of cryptographic protocols since it entails strong security and compositionality guarantees, which are achieved by universally quantifying over all environmental behaviors of the analyzed protocol. As a consequence, however, protocols that are secure except for certain environmental behaviors are not simulatable, even if these behaviors are efficiently identifiable and thus can be prevented by the surrounding protocol. We propose a relaxation of simulatability by conditioning the permitted environmental behaviors, i.e., simulation is only required for environmental behaviors that fulfill explicitly stated constraints. This yields a more fine-grained security definition that is achievable i) for several protocols for which unconditional simulatability is too strict a notion or ii) at lower cost for the underlying cryptographic primitives. Although imposing restrictions on the environment destroys unconditional composability in general, we show that the composition of a large class of conditionally simulatable protocols yields protocols that are again simulatable under suitable conditions. This even holds for the case of cyclic assume-guarantee conditions where protocols only guarantee suitable behavior if they themselves are offered certain guarantees. Furthermore, composing several commonly investigated protocol classes with conditionally simulatable subprotocols yields protocols that are again simulatable in the standard, unconditional sense.

Note: Added PDF Version

Available format(s)
Publication info
Published elsewhere. Unknown where it was published
SimulatabilityUniversal ComposabilityImpossibility resultsSoundness
Contact author(s)
backes @ cs uni-sb de
2007-05-01: revised
2006-04-03: received
See all versions
Short URL
Creative Commons Attribution


      author = {Michael Backes and Markus Duermuth and Dennis Hofheinz and Ralf Kuesters},
      title = {Conditional Reactive Simulatability},
      howpublished = {Cryptology ePrint Archive, Paper 2006/132},
      year = {2006},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.