The Power of Simulation Relations Sixty and Beyond - PowerPoint PPT Presentation

1
The Power of Simulation Relations
  • Roberto Segala
  • University of Verona

2
Hierarchical Verification
S
Some properties verified here
Modules verified separately
3
Implementation
  • Some form of behavioral inclusion
  • Traces, Failures, Tests,
  • Features
  • Preserves properties of interest
  • Transitive
  • Compositional
  • Affine with logical implication
  • when properties are sets of behaviors
  • Hard to check
  • Often PSPACE-complete
  • But simulation relations help

4
Automata
$A = (Q, q_0, E, H, D)$
Execution: q0 n q1 n q2 ch q3 coffee q5
Trace: n n coffee
5
Forward Simulations
Forward simulation from A1 to A2 (A1 F A2)
Relation $R \subseteq Q_1 \times Q_2$ such that
$\forall$ q, s, a, q s
[Figure: A1 with states q0, q1, q2, q3, q4 and A2 with states s0, s1, s3, s4; transitions labeled a, b, c]
6
Simulation Implies Trace Inclusion
  • The step condition can be applied repeatedly

[Figure: an execution through states q, q1, q2, q3, q4 and an execution through states s, s1, s2, s3, s4, both with actions a, b, c, d]
  • Thus existence of simulation implies trace
    inclusion
  • Even more it implies a close correspondence
    between executions
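
The step condition on the Forward Simulations slide is incomplete in this transcript, so the added example below (not part of the original presentation) assumes the standard one: q0 R s0, and whenever q R s and q does an a-step to q', s has an a-step to some s' with q' R s'. It computes the greatest such relation for two small automata built from the slide's state names (the transition structure is an assumption) and shows that a forward simulation exists from A1 to A2 but not back, although both have the same traces.

```python
# Added example (not from the slides). Transitions are (state, action, state) triples.
# A1 and A2 are constructed from the state names on the Forward Simulations slide.
A1 = [("q0", "a", "q1"), ("q0", "a", "q2"), ("q1", "b", "q3"), ("q2", "c", "q4")]
A2 = [("s0", "a", "s1"), ("s1", "b", "s3"), ("s1", "c", "s4")]

def states(trans):
    return {x for (p, _, p2) in trans for x in (p, p2)}

def greatest_simulation(t1, t2):
    """Largest R within Q1 x Q2 whose pairs all satisfy the step condition."""
    R = {(q, s) for q in states(t1) for s in states(t2)}
    changed = True
    while changed:
        changed = False
        for (q, s) in sorted(R):
            for (p, a, p2) in t1:
                if p != q:
                    continue
                # s must answer q -a-> p2 with some s -a-> u2 where (p2, u2) is in R
                if not any(u == s and b == a and (p2, u2) in R for (u, b, u2) in t2):
                    R.discard((q, s))
                    changed = True
                    break
    return R

def forward_simulation_exists(init1, t1, init2, t2):
    return (init1, init2) in greatest_simulation(t1, t2)

def traces(init, trans, depth):
    """All finite traces of length <= depth (every action is treated as external)."""
    found, frontier = {()}, {((), init)}
    for _ in range(depth):
        frontier = {(t + (a,), p2) for (t, q) in frontier
                    for (p, a, p2) in trans if p == q}
        found |= {t for (t, _) in frontier}
    return found

if __name__ == "__main__":
    print(forward_simulation_exists("q0", A1, "s0", A2))
    print(forward_simulation_exists("s0", A2, "q0", A1))
    print(traces("q0", A1, 3) == traces("s0", A2, 3))
```

Trace inclusion holds in both directions here, so the failed reverse check shows that a simulation is a sufficient proof method for inclusion, not a necessary one.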

7
Application of Simulation Relations
  • Distributed Systems
  • Automata, I/O Automata
  • Real-Time Systems
  • Add time component to states
  • Add time-passage actions or trajectories
  • Time-passage modifies only time component
  • Hybrid Systems
  • Time passage modifies entire state
  • Randomized Systems
  • Transitions lead to probability measures

8
Example Probabilistic Automata
9
Example Probabilistic Automata
What is the probability of beeping?
10
Probabilistic Executions
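[Figure: two probabilistic executions from q0 over states q1 to q5 with actions fair, unfair, flip and beep. Fair branch: flip with probabilities 1/2 and 1/2, m(beep) = 1/2. Unfair branch: flip with probabilities 1/3 and 2/3, m(beep) = 2/3]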
11
Example Probabilistic Executions
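[Figure: a probabilistic execution from q0 over states q1 to q5 that combines the fair and unfair branches; actions fair, unfair, flip and beep, with probability labels 1/2, 1/2, 1/2, 1/2, 1/3, 2/3, 1/4, 2/6 and 7/12]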
12
Forward Simulations
Forward simulation from A1 to A2 (A1 F A2)
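Relation $R \subseteq Q_1 \times Q_2$ such that
$\forall$ q, s, a, m s
[Figure: lifting of R, with q1 and q2 of probability 1/2 each, s1, s2 and s3 of probability 1/3 each, and masses 1/3, 1/6, 1/6, 1/3 on the edges between them]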
13
Lifting and Transfer of Masses
[Figure: transfer of masses between q1, q2 and s1, s2, s3]
14
Simulation Implies Behavioral Inclusion
  • The step condition can be applied repeatedly


[Figure: a sequence of measures m1, m2, m3, m4 starting from q and a sequence r1, r2, r3, r4 starting from s]
15
A Potential Area of Application: Security
  • With simulations
  • Global properties validated via local properties
  • almost as proving a property by induction
  • Can we use simulations for security?
  • Properties are typically global
  • There is randomization
  • Challenges
  • Specifications do not fail
  • Implementations fail with negligible probability
  • Some approximations appear to be necessary
  • Need for computational assumptions

16
Bellare and Rogaway MAP1 Protocol
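[Figure: message flow between A and B: $R_A$ from A to B, then $[B.A.R_A.R_B]_s$ from B to A, then $[A.R_B]_s$ from A to B]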
  • Nonces are generated randomly
  • The key s is the secret for a Message
    Authentication Code
  • Specifically, MAC based on pseudo-random functions

17
Nonces
  • Number ONCE
  • Typically drawn randomly
  • Claim
  • For each constant c and polynomial p
  • There exists $\bar{k}$ such that for each $k \geq \bar{k}$
  • If $n_1, n_2, \ldots, n_{p(k)}$ are random nonces from $\{0,1\}^k$
  • Then $\Pr[\exists\, i \neq j : n_i = n_j] < k^{-c}$

18
Message Authentication Code
  • Triple (G,A,V)
  • G on input $1^k$ generates $s \in \{0,1\}^k$
  • For each s and each a
  • $\Pr[V(s, a, A(s, a)) = 1] = 1$
  • Forger
  • On input $1^k$ obtains MAC of strings of its choice
  • Outputs a pair (a,b)
  • Successful if $V(s, a, b) = 1$ and a is different from
    previous queries
  • Secure MAC
  • Every feasible forger succeeds with negligible
    probability

19
MAP1 Matching Conversations
  • Matching conversation between A and B
  • Every message from A to B delivered unchanged
  • Possibly last message lost
  • Response from B returned to A
  • Every message received by A generated by B
  • Messages generated by B delivered to A
  • Possibly last message lost
  • Correctness condition
  • Matching conversation implies acceptance
  • Negligible probability of acceptance without
    matching conversation
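
The three MAP1 flows and the acceptance rule, as an added example that is not part of the original presentation: an honest run ends with both agents accepting, while an altered or stale second flow (no matching conversation) is rejected. HMAC-SHA256 stands in for the PRF-based MAC, and the class names, field encoding and 16-byte nonce length are assumptions.

```python
import hashlib, hmac, secrets

K = 16  # nonce length in bytes (assumed value for the security parameter k)

def mac(s, *fields):
    # Assumption: HMAC-SHA256 stands in for the PRF-based MAC; fields are length-prefixed.
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(s, data, hashlib.sha256).digest()

class AgentA:
    def __init__(self, s):
        self.s, self.accepted = s, False
    def flow1(self):
        self.ra = secrets.token_bytes(K)
        return self.ra
    def flow3(self, msg):
        b, a, ra, rb, t = msg
        mine = (b, a, ra) == (b"B", b"A", self.ra)    # A's own fresh nonce must come back
        if mine and hmac.compare_digest(t, mac(self.s, b, a, ra, rb)):
            self.accepted = True
            return (b"A", rb, mac(self.s, b"A", rb))
        return None

class AgentB:
    def __init__(self, s):
        self.s, self.accepted = s, False
    def flow2(self, ra):
        self.rb = secrets.token_bytes(K)
        return (b"B", b"A", ra, self.rb, mac(self.s, b"B", b"A", ra, self.rb))
    def finish(self, msg):
        a, rb, t = msg
        ok = (a, rb) == (b"A", self.rb)
        self.accepted = ok and hmac.compare_digest(t, mac(self.s, a, rb))

def session(s, network=lambda m: m):
    # One run of the three flows; `network` models delivery of B's message to A.
    a, b = AgentA(s), AgentB(s)
    m2 = b.flow2(a.flow1())
    m3 = a.flow3(network(m2))
    if m3 is not None:
        b.finish(m3)
    return a.accepted, b.accepted, m2

def demo():
    s = secrets.token_bytes(32)                       # shared key from the key generator
    honest = session(s)
    altered = session(s, lambda m: m[:3] + (bytes([m[3][0] ^ 1]) + m[3][1:],) + m[4:])
    stale = session(s, lambda m: honest[2])           # flow 2 taken from the earlier run
    return honest[:2], altered[:2], stale[:2]
```

The stale message carries a valid MAC and is rejected only because its nonce differs from the one A just drew, which is the point where the proof needs repeated nonces to be improbable.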

20
MAP1 Correctness Proof
  • Let A be a PPT machine that interacts with the
    agents
  • Show that A induces no-match with negligible
    probability
  • Argue that repeated nonces occur with negligible
    probability
  • Argue that A is an attack against a message
    authentication code
  • Features
  • Relies on underlying pseudo-random functions
  • Proves correctness assuming truly random
    functions
  • Builds a distinguisher for PRFs if an attack
    exists
  • Criticism
  • The arguments are semi-formal and not immediate
  • Three different concepts intermixed
  • Nonces
  • Message authentication codes
  • Matching conversations

21
MAP1 Hierarchical Analysis
[Figure: key generator, nonce generator (coin flip), agents A1 to A5, and an adversary that keeps history (PPT function f)]
  • Agents indexed by X, Y, t

22
Nonce Generators
  • State
  • valueX,Y,t initially
  • FreshNonces initially $\{0,1\}^k$
  • Transitions
  • Input NonceRequestX,Y,t
  • Effect
  • Let $v \in_R \{0,1\}^k$
  • valueX,Y,t v
  • FreshNonces FreshNonces-v
  • Output NonceResponseX,Y,t(n)
  • Precondition
  • n valueX,Y,t
  • Effect
  • valueX,Y,t

  • Ideal, in place of the coin flip: Let $v \in_R$ FreshNonces

23
Adversary
  • Keeps a variable history
  • Holds all previous messages
  • Real adversary
  • Runs a cycle where
  • Computes the next message to send using a PPT
    function f
  • Sends the message
  • Waits for the answer if expected
  • Ideal adversary
  • Highly nondeterministic
  • Stores all input
  • Sends messages that do not contain forged
    authentications

24
Problems with Simulations
[Figure: key generator, nonce generator (coin flip), agents A1 to A5, and an adversary that keeps history (PPT function f)]
  • Consider a transition of the real nonce generator
  • With some probability there is a repeated nonce
  • The ideal nonce generator does not repeat nonces
  • Thus, we cannot match the step

25
Approximated Simulations [ST07]
  • Change lifting on measures
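  • $m_1 \equiv_e m_2$ iff
  • $m_1 = (1-e)\,m_1' + e\,m_1''$
  • $m_2 = (1-e)\,m_2' + e\,m_2''$
  • $m_1' \equiv m_2'$

[Figure: m1 and m2 each split into a part of weight (1-e) and a part of weight e, with the (1-e) parts related by ≡]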
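
An added example (not from the presentation) for the lifting on the "Lifting of R" and "Lifting and Transfer of Masses" slides and its approximated form here. It assumes the definition in which each measure splits into a (1-e) part and an e part and the (1-e) parts are related by the plain lifting of R; under that reading the two measures are related up to e exactly when at least 1-e of the probability mass can be transferred along R, which is a maximum-flow computation. The pairs in R and the nonce-generator measures are constructed for illustration.

```python
from collections import deque
from fractions import Fraction as F

def max_transfer(m1, m2, R):
    """Largest mass that can be moved from m1 to m2 along pairs of R (a max-flow)."""
    cap = {"src": {}, "snk": {}}
    def edge(u, v, c):
        cap.setdefault(u, {})[v] = c
        cap.setdefault(v, {}).setdefault(u, F(0))    # residual (reverse) edge
    for q, p in m1.items():
        edge("src", ("L", q), p)
    for s, p in m2.items():
        edge(("R", s), "snk", p)
    for q, s in R:
        if q in m1 and s in m2:
            edge(("L", q), ("R", s), F(1))           # total mass is 1, so never binding
    moved = F(0)
    while True:
        parent, queue = {"src": None}, deque(["src"])
        while queue and "snk" not in parent:         # BFS for an augmenting path
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if "snk" not in parent:
            return moved
        path, v = [], "snk"
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(cap[u][v] for u, v in path)
        for u, v in path:
            cap[u][v] -= push
            cap[v][u] += push
        moved += push

def lifted(m1, m2, R, e=F(0)):
    """m1 L(R, e) m2: all but a fraction e of the mass can be matched along R."""
    return max_transfer(m1, m2, R) >= 1 - e

# Values from the "Lifting of R" slide; which pairs are in R is an assumption.
M1 = {"q1": F(1, 2), "q2": F(1, 2)}
M2 = {"s1": F(1, 3), "s2": F(1, 3), "s3": F(1, 3)}
R = {("q1", "s1"), ("q1", "s2"), ("q2", "s2"), ("q2", "s3")}
# Constructed: a coin-flip nonce step that repeats with probability 1/8 vs. the ideal one.
REAL = {"fresh": F(7, 8), "repeat": F(1, 8)}
IDEAL = {"fresh": F(1)}
SAME = {("fresh", "fresh")}
```

With e = 0 the real and ideal nonce steps cannot be matched, which is the failure described on the "Problems with Simulations" slide; allowing e = 1/8 absorbs the repeated-nonce branch.
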
26
Approximated Simulations
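  • $A_k\ R_k\ B_k$
  • For each constant c and polynomial p
  • There exists $\bar{k}$ such that for each $k \geq \bar{k}$
  • Whenever
  • $n_1$ reached within $p(k)$ steps in $A_k$
  • $n_1\ L(R_k, g)\ n_2$
  • $n_1 \to n_1'$
  • There exists $n_2'$ such that
  • $n_2 \to n_2'$
  • $n_1'\ L(R_k, g + k^{-c})\ n_2'$

[Figure: n1 and n2 related with error g; after the step, n1' and n2' related with error g + k^{-c}]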
27
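Approximated Simulations: Step Condition
[Figure: n1 and n2 split into parts of weight (1-g) and g, with the (1-g) parts related by ≡; after the step, n1' and n2' split into parts of weight (1-g-k^{-c}), g and k^{-c}]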
28
Simulation Implies Behavioral Inclusion
  • The step condition can be applied repeatedly

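[Figure: measures m1, m2, m3, ..., m_{p(k)} reached from q and r1, r2, r3, ..., r_{p(k)} reached from s, with accumulated errors 0, k^{-c}, 2k^{-c}, 3k^{-c}, ..., p(k)k^{-c}]
  • Observation
  • $p(k)k^{-c'}$ can be smaller than any $k^{-c}$ by choosing
    $c' = c + \mathrm{degree}(p)$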

29
Example Approximate Simulations: Bellare-Rogaway MAP1 Protocol
[Figure: three systems side by side, with steps labeled 1 and 2 between them. Each has a key generator, a nonce generator, agents A1 to A5 and an adversary that keeps history. Nonce generators: ideal, ideal, coin flip. Adversaries: no forged signatures, PPT function f, PPT function f]
  • Negation of the step condition
  • 1 Two random nonces are equal with high
    probability
  • 2 Function f defines a forger for a signature
    scheme

30
Step Condition
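  • $A_k\ R_k\ B_k$
  • For each constant c and polynomial p
  • There exists $\bar{k}$ such that for each $k \geq \bar{k}$
  • Whenever
  • $n_1$ reached within $p(k)$ steps in $A_k$
  • $n_1\ L(R_k, g)\ n_2$
  • $n_1 \to n_1'$
  • There exists $n_2'$ such that
  • $n_2 \to n_2'$
  • $n_1'\ L(R_k, g + k^{-c})\ n_2'$

[Figure: n1 and n2 related with error g; after the step, n1' and n2' related with error g + k^{-c}]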
31
Negation of Step Condition
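  • $A_k\ R_k\ B_k$
  • There exists constant c and polynomial p
  • For each $\bar{k}$ there exists $k \geq \bar{k}$
  • There exists
  • $n_1$ reached within $p(k)$ steps in $A_k$
  • $n_1\ L(R_k, g)\ n_2$
  • $n_1 \to n_1'$
  • There is no $n_2'$ such that
  • $n_2 \to n_2'$
  • $n_1'\ L(R_k, g + k^{-c})\ n_2'$

[Figure: n1 and n2 related with error g; after the step, n1' and n2' with error g + k^{-c}]
  • Signature forged in $n_1$
  • Probability at least $k^{-c}$
  • Nonce replicated in $n_1$
  • Probability at least $k^{-c}$
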
32
Nonces
  • Number ONCE
  • Typically drawn randomly
  • Claim
  • For each constant c and polynomial p
  • There exists $\bar{k}$ such that for each $k \geq \bar{k}$
  • If $n_1, n_2, \ldots, n_{p(k)}$ are random nonces from $\{0,1\}^k$
  • Then $\Pr[\exists\, i \neq j : n_i = n_j] < k^{-c}$

33
Example Approximate Simulations: Bellare-Rogaway MAP1 Protocol
[Figure: three systems side by side, with steps labeled 1 and 2 between them. Each has a key generator, a nonce generator, agents A1 to A5 and an adversary that keeps history. Nonce generators: ideal, ideal, coin flip. Adversaries: no forged signatures, PPT function f, PPT function f]
  • Proof Completed

34
Problems with Nondeterminism: MAP1 Protocol [BR93]
Key generator
Nonce generator (coin flip)
  • Potential problems
  • Let s be the shared key
  • Adversary queries k agents
  • Agent i replies if the i-th bit of s is 1
  • The adversary knows the shared key
  • Solution
  • One query at a time
  • Wait for the answer (agents as oracles)

[Figure: agents A1 to A5 and an adversary that keeps history (PPT function f)]
35
We Are Not Alone
  • Mitchell, Ramanathan, Scedrov, Teague
  • Probabilistic polynomial time calculus
  • Canetti, Cheung, Kaynar, Liskov, Lynch, Pereira,
    Segala
  • Task Probabilistic I/O Automata
  • Chatzikokolakis, Palamidessi
  • Syntactic restrictions for schedulers
  • Canetti
  • UC framework
  • Backes, Pfitzmann, Waidner
  • Reactive simulatability Framework
  • Van Breugel, Worrell
  • Metrics and approximation
  • Desharnais, Gupta, Jagadeesan, Panangaden
  • Metrics and approximation

36
Work in Progress
  • Applications
  • Soundness of Dolev-Yao model
  • Analysis of the Crypto-Library
  • Approximated simulations versus
  • Approximated language inclusion (Task PIOAs)
  • Restricted schedulers
  • Metrics
  • Flexibility on restrictions
  • Many ways to restrict
  • Are we restricting too much?

37
Summing Up
  • Simulation relations are powerful
  • Interact well with hierarchical verification
  • Global properties verified via local arguments
  • Apply to several frameworks
  • Security is a new interesting area
  • We have interesting case studies
  • We have still many open questions
  • We are having a lot of fun