Cryptology ePrint Archive: Report 2006/132
Conditional Reactive Simulatability
Michael Backes and Markus Duermuth and Dennis Hofheinz and Ralf Kuesters
Abstract: Simulatability has established itself as a salient notion for defining
and proving the security of cryptographic protocols since it entails
strong security and compositionality guarantees, which are achieved by
universally quantifying over all environmental behaviors of the
analyzed protocol. As a consequence, however, protocols that are
secure except for certain environmental behaviors are not simulatable,
even if these behaviors are efficiently identifiable and thus can be
prevented by the surrounding protocol.
We propose a relaxation of simulatability by conditioning the
permitted environmental behaviors, i.e., simulation is only required
for environmental behaviors that fulfill explicitly stated
constraints. This yields a more fine-grained security definition that
is achievable i) for several protocols for which unconditional
simulatability is too strict a notion or ii) at lower cost for the
underlying cryptographic primitives. Although imposing restrictions
on the environment destroys unconditional composability in general, we
show that the composition of a large class of conditionally
simulatable protocols yields protocols that are again simulatable
under suitable conditions. This even holds for the case of cyclic
assume-guarantee conditions where protocols only guarantee suitable
behavior if they themselves are offered certain guarantees.
Furthermore, composing several commonly investigated protocol classes
with conditionally simulatable subprotocols yields protocols that are
again simulatable in the standard, unconditional sense.
Category / Keywords: foundations / Simulatability, Universal Composability, Impossibility results, Soundness
Date: received 2 Apr 2006, last revised 1 May 2007
Contact author: backes at cs uni-sb de
Note: Added PDF Version
Version: 20070501:171826
Short URL: ia.cr/2006/132