Comparing Two Notions of Simulatability
In this work, the relations between two security notions for cryptographic protocols, standard simulatability and universal simulatability, are investigated.
A simulatability-based notion of security considers a protocol π to be as secure as an idealization τ of the protocol task if and only if every attack on π can be simulated by an attack on τ.
Two formalizations, which both provide secure composition of protocols, are common: standard simulatability means that for every π-attack and protocol user H, there is a τ-attack, such that H cannot distinguish π from τ. Universal simulatability means that for every π-attack, there is a τ-attack, such that no protocol user H can distinguish π from τ.
Trivially, universal simulatability implies standard simulatability. We show: the converse is true with respect to perfect security, but not with respect to computational or statistical security.
In addition, we give a formal definition of a time-lock puzzle, which may be of independent interest. Although the described results do not depend on any computational assumption, we show that the existence of a time-lock puzzle gives an even stronger separation of standard and universal simulatability with respect to computational security.
Keywords: Reactive simulatability, universal simulatability, protocol composition