Inductive trace properties for computational security

Issue title: 7th International Workshop on Issues in the Theory of Security (WITS'07)

Guest editors: Riccardo Focardi

Article type: Research Article

Authors: Roy, Arnab^{a; *} | Datta, Anupam^b | Derek, Ante^a | Mitchell, John C.^a

Affiliations: [a] Stanford University, Stanford, CA, USA. E-mails: aderek@cs.stanford.edu, mitchell@cs.stanford.edu | [b] Carnegie Mellon University, Pittsburgh, PA, USA. E-mail: danupam@andrew.cmu.edu

Correspondence: [*] Corresponding author: Arnab Roy, Stanford University, 353 Serra Mall Rm 490, Stanford, CA 94040, USA. Tel.: +1 650 725 3110; Fax: +1 650 725 4671; E-mail: arnab@cs.stanford.edu.

Abstract: Protocol authentication properties are generally trace-based, meaning that authentication holds for the protocol if authentication holds for individual traces (runs of the protocol and adversary). Computational secrecy conditions, on the other hand, often are not trace based: the ability to computationally distinguish a system that transmits a secret from one that does not is measured by overall success on the set of all traces of each system. Non-trace-based properties present a challenge for inductive or compositional methods: induction is a natural way of reasoning about traces of a system, but it does not appear directly applicable to non-trace properties. We therefore investigate the semantic connection between trace properties that could be established by induction and non-trace-based security requirements. Specifically, we prove that a certain trace property implies computational secrecy and authentication properties, assuming the encryption scheme provides chosen ciphertext security and ciphertext integrity. We also prove a similar theorem for computational secrecy assuming Decisional Diffie–Hellman and a chosen plaintext secure encryption scheme.

Keywords: Inductive proofs, protocols, computational security

DOI: 10.3233/JCS-2009-389

Journal: Journal of Computer Security, vol. 18, no. 6, pp. 1035-1073, 2010