
Limits of the BRSIM/UC soundness of Dolev–Yao-style XOR

  • Special Issue Paper
International Journal of Information Security

Abstract

The abstraction of cryptographic operations by term algebras, called Dolev–Yao models, is essential in almost all tool-supported methods for proving security protocols. Recently, significant progress has been made in proving that Dolev–Yao models can be sound with respect to actual cryptographic realizations and security definitions. The strongest results show this in the sense of blackbox reactive simulatability (BRSIM)/UC, a notion that essentially means the preservation of arbitrary security properties under arbitrary active attacks and in arbitrary protocol environments, with only small changes to the Dolev–Yao models and natural implementations. However, these results are so far restricted to core cryptographic systems such as encryption and signatures. Typical modern tools and complexity results around Dolev–Yao models also allow operations with more algebraic properties, in particular XOR, because of its clear structure and cryptographic usefulness. We show that it is not possible to extend the strong BRSIM/UC results to XOR, at least not with anything like the same generality and naturalness as for the core cryptographic systems. We also show that for every potential soundness result for XOR with secrecy implications, one significant change to typical Dolev–Yao models must be made. On the positive side, we show the soundness of a rather general Dolev–Yao model with XOR and its realization in the sense of BRSIM/UC under passive attacks.
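The abstract refers to the "clear structure" of XOR in Dolev–Yao models. As an added illustration of that symbolic side, written for this page and not taken from the paper: once associativity, commutativity, x ⊕ x = 0 and x ⊕ 0 = x are imposed, every XOR term normalises to the set of atoms that occur an odd number of times, and the question whether an intruder can obtain a term by XOR-combining what it has seen becomes membership in a GF(2)-linear span, decidable by Gaussian elimination (this is the pure-XOR fragment of the intruder deduction problem studied in [23, 24]). The atom names m1, m2, k, n and the two scenarios in the demo are constructed for the example.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# A Dolev-Yao XOR term in normal form. Associativity, commutativity,
# x XOR x = 0 and x XOR 0 = x mean that a term is fully described by the set
# of atomic names occurring an odd number of times; the empty set is 0.
Term = FrozenSet[str]
ZERO: Term = frozenset()


def atom(name: str) -> Term:
    """An atomic name (nonce, key, payload) as a one-element term."""
    return frozenset([name])


def xor(*terms: Term) -> Term:
    """XOR of terms modulo the XOR equational theory: symmetric difference."""
    acc: Set[str] = set()
    for t in terms:
        acc ^= t
    return frozenset(acc)


def show(t: Term) -> str:
    return "0" if not t else " ^ ".join(sorted(t))


def derive(knowledge: List[Term], target: Term) -> Optional[List[int]]:
    """Decide whether the intruder can build `target` by XOR-ing known terms.

    Under the XOR theory the set of derivable terms is the GF(2)-linear span
    of the knowledge, so this is Gaussian elimination over GF(2) on atom
    vectors. Returns the indices of the known terms whose XOR equals the
    target (a witness), or None when the target is not derivable.
    """
    # pivot atom -> (reduced vector, indices of knowledge terms that produce it)
    basis: Dict[str, Tuple[Set[str], Set[int]]] = {}

    def reduce(v: Term, combo: Set[int]) -> Tuple[Set[str], Set[int]]:
        vec, used = set(v), set(combo)
        while vec:
            pivot = max(vec)           # largest atom is the pivot position
            if pivot not in basis:
                break
            bvec, bused = basis[pivot]
            vec ^= bvec                # cancels the pivot; only smaller atoms remain
            used ^= bused
        return vec, used

    for i, t in enumerate(knowledge):
        vec, used = reduce(t, {i})
        if vec:                        # independent of what is already known
            basis[max(vec)] = (vec, used)

    vec, used = reduce(target, set())
    return None if vec else sorted(used)


if __name__ == "__main__":
    m1, m2, k, n = atom("m1"), atom("m2"), atom("k"), atom("n")
    # Constructed scenario: the same pad k is reused for two messages.
    seen = [xor(m1, k), xor(m2, k)]
    for goal in (xor(m1, m2), m1):
        w = derive(seen, goal)
        print(show(goal), "->", "not derivable" if w is None else [show(seen[i]) for i in w])
    # Constructed scenario: a key masked with a nonce that is later sent in clear.
    print(show(k), "->", derive([xor(k, n), n], k))
```

This captures only the XOR fragment: no encryption, no freshness, and an intruder limited to XOR-combination of observed terms. Its answer is the symbolic one that the abstract contrasts with cryptographic realizations; the paper's point is that a matching BRSIM/UC soundness theorem is not available for XOR with the generality it has for encryption and signatures, so a symbolic "not derivable" here does not by itself transfer to an implementation under active attack.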


References

  1. Abadi, M., Cortier, V.: Deciding knowledge in security protocols under equational theories. In: Proc. 31st International Colloquium on Automata, Languages and Programming (ICALP), LNCS, vol. 3124, pp. 46–58. Springer (2004)

  2. Abadi, M., Jürjens, J.: Formal eavesdropping and its computational interpretation. In: Proc. 4th International Symposium on Theoretical Aspects of Computer Software (TACS), pp. 82–94 (2001)

  3. Abadi, M., Rogaway, P.: Reconciling two views of cryptography: The computational soundness of formal encryption. In: Proc. 1st IFIP International Conference on Theoretical Computer Science, LNCS, vol. 1872, pp. 3–22. Springer (2000)

  4. Backes, M.: A cryptographically sound Dolev–Yao style security proof of the Otway–Rees protocol. Research Report RZ 3539, IBM Research (2004)

  5. Backes, M., Dürmuth, M.: A cryptographically sound Dolev–Yao style security proof of an electronic payment system. In: Proc. 18th IEEE Computer Security Foundations Workshop (CSFW), pp. 78–93 (2005)

  6. Backes, M., Pfitzmann, B.: Computational probabilistic non-interference. In: Proc. 7th European Symposium on Research in Computer Security (ESORICS), LNCS, vol. 2502, pp. 1–23. Springer (2002)

  7. Backes, M., Pfitzmann, B.: A cryptographically sound security proof of the Needham–Schroeder–Lowe public-key protocol. IEEE J. Sel. Areas Commun. 22(10), 2075–2086 (2004)

  8. Backes, M., Pfitzmann, B.: Symmetric encryption in a simulatable Dolev–Yao style cryptographic library. In: Proc. 17th IEEE Computer Security Foundations Workshop (CSFW), pp. 204–218 (2004)

  9. Backes, M., Pfitzmann, B.: Limits of the cryptographic realization of Dolev–Yao-style XOR. In: Proc. 10th European Symposium on Research in Computer Security (ESORICS), LNCS, vol. 3679, pp. 178–196. Springer (2005)

  10. Backes, M., Pfitzmann, B.: Relating symbolic and cryptographic secrecy. IEEE Trans. Dependable Secure Comput. 2(2), 109–123 (2005)

  11. Backes, M., Pfitzmann, B.: On the cryptographic key secrecy of the strengthened Yahalom protocol. In: Proc. 21st IFIP TC-11 International Information Security Conference (SEC 2006) (2006), to appear

  12. Backes, M., Pfitzmann, B., Waidner, M.: A composable cryptographic library with nested operations (extended abstract). In: Proc. 10th ACM Conference on Computer and Communications Security, pp. 220–230 (2003). Full version in IACR Cryptology ePrint Archive 2003/015, Jan. 2003, http://eprint.iacr.org/

  13. Backes, M., Pfitzmann, B., Waidner, M.: Symmetric authentication within a simulatable cryptographic library. In: Proc. 8th European Symposium on Research in Computer Security (ESORICS), LNCS, vol. 2808, pp. 271–290. Springer (2003)

  14. Basin, D., Mödersheim, S., Viganò, L.: OFMC: A symbolic model checker for security protocols. Int. J. Inf. Secur. (2004), in press

  15. Baudet, M., Cortier, V., Kremer, S.: Computationally sound implementations of equational theories against passive adversaries. In: Proc. 32nd International Colloquium on Automata, Languages and Programming (ICALP), LNCS, vol. 3580, pp. 652–663. Springer (2005)

  16. Beaver, D.: Secure multiparty protocols and zero knowledge proof systems tolerating a faulty minority. J. Cryptol. 4(2), 75–122 (1991)

  17. Bellare, M., Guérin, R., Rogaway, P.: XOR MACs: new methods for message authentication using finite pseudorandom functions. In: Advances in Cryptology: CRYPTO ’95, LNCS, vol. 963, pp. 15–28. Springer (1995)

  18. Blanchet, B.: A computationally sound mechanized prover for security protocols. In: Proc. 27th IEEE Symposium on Security & Privacy, pp. 140–154 (2006)

  19. Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000)

  20. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proc. 42nd IEEE Symposium on Foundations of Computer Science (FOCS), pp. 136–145 (2001). Extended version in Cryptology ePrint Archive, Report 2000/67, http://eprint.iacr.org/

  21. Canetti, R., Herzog, J.: Universally composable symbolic analysis of mutual authentication and key exchange protocols. In: Proc. 3rd Theory of Cryptography Conference (TCC), LNCS, vol. 3876, pp. 380–403. Springer (2006)

  22. Chevalier, Y., Küsters, R., Rusinowitch, M., Turuani, M.: Deciding the security of protocols with Diffie–Hellman exponentiation and products in exponents. In: Proc. 23rd Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS), pp. 124–135 (2003)

  23. Chevalier, Y., Küsters, R., Rusinowitch, M., Turuani, M.: An NP decision procedure for protocol insecurity with XOR. In: Proc. 18th Annual IEEE Symposium on Logic in Computer Science (LICS), pp. 261–270 (2003)

  24. Comon-Lundh, H., Shmatikov, V.: Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. In: Proc. 18th Annual IEEE Symposium on Logic in Computer Science (LICS), pp. 271–280 (2003)

  25. Comon-Lundh, H., Treinen, R.: Easy intruder deductions. Research Report LSV-03-8, Laboratoire Spécification et Vérification, ENS Cachan, France (2003)

  26. Datta, A., Derek, A., Mitchell, J., Shmatikov, V., Turuani, M.: Probabilistic polynomial-time semantics for a protocol security logic. In: Proc. 32nd International Colloquium on Automata, Languages and Programming (ICALP), LNCS, vol. 3580, pp. 16–29. Springer (2005)

  27. Delaune, S., Jacquemard, F.: Narrowing-based constraint solving for the verification of security protocols. Research Report LSV-04-8, Laboratoire Spécification et Vérification, ENS Cachan, France (2004)

  28. Denning, D.: Cryptography and Data Security. Addison-Wesley (1982)

  29. Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983)

  30. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game—or—a completeness theorem for protocols with honest majority. In: Proc. 19th Annual ACM Symposium on Theory of Computing (STOC), pp. 218–229 (1987)

  31. Goldwasser, S., Levin, L.: Fair computation of general functions in presence of immoral majority. In: Advances in Cryptology: CRYPTO ’90, LNCS, vol. 537, pp. 77–93. Springer (1990)

  32. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)

  33. Heather, J., Lowe, G., Schneider, S.: How to prevent type flaw attacks on security protocols. In: Proc. 13th IEEE Computer Security Foundations Workshop (CSFW), pp. 255–268 (2000)

  34. Impagliazzo, R., Kapron, B.M.: Logics for reasoning about cryptographic constructions. In: Proc. 44th IEEE Symposium on Foundations of Computer Science (FOCS), pp. 372–381 (2003)

  35. Krawczyk, H.: LFSR-based hashing and authentication. In: Advances in Cryptology: CRYPTO ’94, LNCS, vol. 839, pp. 129–139. Springer (1994)

  36. Laud, P.: Semantics and program analysis of computationally secure information flow. In: Proc. 10th European Symposium on Programming (ESOP), pp. 77–91 (2001)

  37. Laud, P.: Computationally secure information flow. Ph.D. thesis, Universität des Saarlandes (2002). http://www.cs.ut.ee/~peeter_l/research/csif/lqpp.ps.gz

  38. Laud, P.: Pseudorandom permutations and equivalence of formal expressions (abstract). In: 14th Nordic Workshop on Programming Theory, pp. 63–65 (2002)

  39. Laud, P.: Symmetric encryption in automatic analyses for confidentiality against active adversaries. In: Proc. 25th IEEE Symposium on Security & Privacy, pp. 71–85 (2004)

  40. Laud, P.: Secrecy types for a simulatable cryptographic library. In: Proc. 12th ACM Conference on Computer and Communications Security, pp. 26–35 (2005)

  41. Lincoln, P., Mitchell, J., Mitchell, M., Scedrov, A.: A probabilistic poly-time framework for protocol analysis. In: Proc. 5th ACM Conference on Computer and Communications Security, pp. 112–121 (1998)

  42. Meadows, C.: Using narrowing in the analysis of key management protocols. In: Proc. 10th IEEE Symposium on Security & Privacy, pp. 138–147 (1989)

  43. Meadows, C.: A model of computation for the NRL protocol analyzer. In: Proc. 7th IEEE Computer Security Foundations Workshop (CSFW), pp. 84–89 (1994)

  44. Micali, S., Rogaway, P.: Secure computation. In: Advances in Cryptology: CRYPTO ’91, LNCS, vol. 576, pp. 392–404. Springer (1991)

  45. Micciancio, D., Warinschi, B.: Soundness of formal encryption in the presence of active adversaries. In: Proc. 1st Theory of Cryptography Conference (TCC), LNCS, vol. 2951, pp. 133–151. Springer (2004)

  46. Millen, J.: CAPSL: Common Authentication Protocol Specification Language. Tech. Rep. MP 97B48, The MITRE Corporation (1997)

  47. Millen, J., Shmatikov, V.: Symbolic protocol analysis with products and Diffie-Hellman exponentiation. In: Proc. 16th IEEE Computer Security Foundations Workshop (CSFW), pp. 47–61 (2003)

  48. Millen, J.K.: The interrogator: A tool for cryptographic protocol security. In: Proc. 5th IEEE Symposium on Security & Privacy, pp. 134–141 (1984)

  49. Millen, J.K.: The interrogator model. In: Proc. 16th IEEE Symposium on Security & Privacy, pp. 251–260 (1995)

  50. Mitchell, J., Mitchell, M., Scedrov, A.: A linguistic characterization of bounded oracle computation and probabilistic polynomial time. In: Proc. 39th IEEE Symposium on Foundations of Computer Science (FOCS), pp. 725–733 (1998)

  51. Mitchell, J., Mitchell, M., Scedrov, A., Teague, V.: A probabilistic polynomial-time process calculus for analysis of cryptographic protocols (preliminary report). Electron. Notes Theor. Comput. Sci. 47, 1–31 (2001)

  52. Paulson, L.: The inductive approach to verifying cryptographic protocols. J. Comput. Secur. 6(1–2), 85–128 (1998)

  53. Pfitzmann, B., Waidner, M.: Composition and integrity preservation of secure reactive systems. In: Proc. 7th ACM Conference on Computer and Communications Security, pp. 245–254 (2000). Extended version (with Matthias Schunter) IBM Research Report RZ 3206, May 2000, http://www.semper.org/sirene/publ/PfSW1_00ReactSimulIBM.ps.gz

  54. Pfitzmann, B., Waidner, M.: A model for asynchronous reactive systems and its application to secure message transmission. In: Proc. 22nd IEEE Symposium on Security & Privacy, pp. 184–200 (2001). Extended version of the model (with Michael Backes) IACR Cryptology ePrint Archive 2004/082, http://eprint.iacr.org/

  55. Roscoe, A.W.: Modelling and verifying key-exchange protocols using CSP and FDR. In: Proc. 8th IEEE Computer Security Foundations Workshop (CSFW), pp. 98–107 (1995)

  56. Sherman, A.T., McGrew, D.A.: Key establishment in large dynamic groups using one-way function trees. IEEE Trans. Softw. Eng. 29(5), 444–458 (2003)

  57. Shmatikov, V.: Decidable analysis of cryptographic protocols with products and modular exponentiation. In: Proc. 13th European Symposium on Programming (ESOP), LNCS, vol. 2986, pp. 355–369. Springer (2004)

  58. Sprenger, C., Backes, M., Basin, D., Pfitzmann, B., Waidner, M.: Cryptographically sound theorem proving. In: Proc. 19th IEEE Computer Security Foundations Workshop (CSFW), pp. 153–166 (2006)

  59. Yao, A.C.: Theory and applications of trapdoor functions. In: Proc. 23rd IEEE Symposium on Foundations of Computer Science (FOCS), pp. 80–91 (1982)


Author information

Correspondence to Michael Backes.

Additional information

A preliminary version of this paper appeared in Proc. 10th European Symposium on Research in Computer Security (ESORICS 2005) [9].


Cite this article

Backes, M., Pfitzmann, B. Limits of the BRSIM/UC soundness of Dolev–Yao-style XOR. Int. J. Inf. Secur. 7, 33–54 (2008). https://doi.org/10.1007/s10207-007-0040-z
