Simulatability and Universal Composition - Extending the CVJ Framework to Java Concurrency 37

3. Extending the CVJ Framework to Java Concurrency 37

3.4. Simulatability and Universal Composition

That is, as long as, at the end of the two runs, the variable^resultis the same (up to negligible probability), the two systems are said to be computationally equivalent.

Definition 3.19 (Computational indistinguishability). Let S1 and S2 be environmentally I-bounded (possibly multi-threaded) systems. Then S1and S2arecomputationally indistinguishable w.r.t.I, written S1 ≈^I,MTcomp S2, if

i) S1and S2use the same interface, and

ii) for every bounded I-environment E for S1(and hence, S2) and for every bounded scheduler S we have that{E·S1}S ≡comp {E·S2}S.

This definition is typically applied to programs that do not use the statement^abort. However, our results also work in this case.

Moreover, we note that we do neither requireS1/S2 norE to necessarily be multi-threaded systems: it is enough that one of them is multi-threaded to obtain a multi-threaded composed program. This becomes relevant in the extension of the indistinguishability and simulatability results already stated w.r.t. single-threaded adversaries. In Section 3.8, we formally state and prove under which assumptions the level of security of a single-threaded systems remains unchanged when composed with a multi-threaded adversary.

The above definition of indistinguishability is w.r.t. uniform environments. A definition w.r.t. non-uniform environments (i.e., environments which use also some external interface) can be obtained in a straightforward way by giving the environment additional auxiliary input (besides the security parameter).

Furthermore, we point out that in the above definition two cases can occur: (1)^mainis defined inE or (2)^mainis defined in bothS1andS2. In the first case, E can freely create objects of classes in the interfaceI (which is a subset of classes ofS1/S2) and initiate calls. Eventually, even in case of exceptions,Ecan get back control (method calls return a value toEandE can catch exceptions if necessary), unlessS1/S2uses^abort. On the other hand, the kind of controlEhas in the case (2), heavily depends on the specification ofS1/S2. This can go from having as much control as in case (1) to being basically a passive observer. For example,^main(as specified in S1/S2) could call a method ofEand from then onEcan use the possibly very rich interfaceI as in case (1). The other extreme is thatIis empty, say, soE cannot create objects of (classes of)S1/S2by itself, onlyS1/S2can create objects of (classes of)E and ofS1/S2. Hence,S1/S2has more control and can decide, for instance, how many and which objects are created and whenE is contacted. Still even in this case, if so specified,S1/S2could giveEbasically full control by callback objects (see Section 3.3.1). To further illustrate the richness of the interfaces compared to Turing machine models, we also note thatEcould also extend classes ofS1/S2and by this, if not properly protected, might get access to information kept in these classes.

3.4. Simulatability and Universal Composition Our formulation of the realization of one system by another follows the spirit of strong simulatability in the simulation-based approach (see e.g., [Küs06]). In a nutshell, the definition says that, given (real) systemR, it realizes an (ideal) systemF if there exists a simulatorSsuch thatRandS·Fbehave almost the same in every bounded environment.

Definition 3.20(Strong Simulatability). Let Iin,Iout,IE,ISbe disjoint interfaces. Let F and R be two (possibly multi-threaded) systems. Then RrealizesF w.r.t. the interfacesIout,Iin,IE, and IS, written R≤^(I^out^,Iⁱⁿ^,I^E^,I^S^),^MT F or simply R≤^MT F, if

i) IE∪Iin`R:Ioutand IE∪Iin∪IS`F:Iout;

ii) either both F and R or neither of these systems contain the method^main; iii) R is an environmentally Iout-bounded system (F does not need to be);

iv) there exists a (possibly multi-threaded) system S, the simulator, such that S does not contain

main, IE`S:IS, S·F is environmentally Iout-bounded, and R ≈^I^comp^out^,MT S·F.

The intuition behind the way the interfaces between the different components (environment, ideal and real functionalities, simulator) are defined is as follows: BothRandFprovide the same kind of functionality/service, specified by the interfaceIout. They may require some (trusted) servicesIinfrom another system component and some servicesIE from an (untrusted) environment, for example, networking and certain other libraries. In addition, the ideal functionality F may require servicesISfrom the simulatorS, which in turn may require servicesIE from the environment. We recall from the discussion in Section 3.3.1 that the interfaces can be very rich, as they model communication and method calls in both directions.

In the applications we envisionF will typically be an ideal functionality for one or more cryptographic primitives and its realizationRwill basically be the actual cryptographic schemes.

The notion of strong simulatability, as introduced above, enjoys important basic properties, namely, reflexivity and transitivity, and allows one to prove a fundamental composition theorem.

To show these results, we need the following lemma.

Lemma 3.1. Let IE and I be disjoint interfaces and let S1and S2be environmentally I-bounded systems such that S1 ≈^I,MTcomp S2(in particular, S1and S2use the same interface) and IE`S1:I, and hence, IE `S2:I. Let E be a not necessarily bounded SyncJinja+ I-environment for S1(and hence, S2) with I`E:IE such that E·S1is almost bounded. Then E·S2is almost bounded and for each bounded schedulerS we have{E·S1}S ≡comp {E·S2}S.

Proof. LetI,IE,S1,S2,E, andS be given as stated in the lemma. We need to show thatE·S2is almost bounded and that{E·S1}S ≡^comp {E·S2}S.

SinceE·S1is almost bounded, for each bounded schedulerS there exists a polynomialpsuch that the probability that the sum of the length of the run of the schedulerS and of the length of the run of the systemE·S1with security parameterη(and integer sizeintsize(η)) exceeds p(η) is negligible. Now let us denote by[E]the system that is defined just asE, but which in addition has a private static counter (defined in some new class in[E]) and where the code ofEis modified such that whenever a step in the code ofE is performed (according to the small-step SyncJinja+

semantics), then the counter is increased. Once the bound p(η)is reached,[E]performs^abort.

By construction of[E]it is easy to see that[E]is a bounded environment because[E]does not simulate more thanp(η)steps ofE, where each step ofE can be simulated in a number of steps bounded by a constant. Also,[E]behaves exactly likeEup to the point where the boundp(η)is reached.

LetS be a bounded scheduler. As further explained below, from the construction of[E]we obtain:

{E·S1}S ≡comp {[E]·S1}S ≡comp {[E]·S2}S

≡comp {E·S2}S.

The first equivalence holds because, sinceE·S1is almost bounded,E reaches the boundp(η) when running withS1only with negligible probability. Hence, the assignment ofE and[E]to

resultis the same with overwhelming probability.

The second equivalence is true becauseS1 ≈^I,MT^comp S2,S is bounded and[E]is abounded I-environment forS1andS2.

The third equivalence holds because in the system{E·S2}S the boundp(η)is reached also only with negligible probability: Otherwise, we could easily turn[E]into a bounded environment E⁰that distinguishesS1andS2, namely,E⁰works just as[E]but outputs^true, i.e., assigns^true to the variable^resultif and only if the bound p(η)is reached. So, if, whenEinteracts withS2, the bound were reached with non-negligible probability,E⁰could distinguish betweenS1andS2. It follows thatE·S2is also almost bounded and that the last equivalence holds.

Now we can prove reflexivity and transitivity of strong simulatability. The proofs are similar to those for Jinja+ systems in [KTG12a].

Lemma 3.2(Reflexivity of strong simulatability). Let Iout, Iin, and IE be disjoint interfaces and let R be a system such that IE∪Iin`R:Iout and R is environmentally Iout-bounded. Then, R≤^MT R, i.e., R realizes itself.

Proof. We defineS=/0 i.e.,Sdoes not contain any class, and immediately obtain thatR ≈^I^comp^out^,MT R=S·R.

Lemma 3.3 (Transitivity of strong simulatability). Let Iout, Iin, IE, I_S⁰, and I_S¹ be disjoint interfaces and let R0, R1, and R2be environmentally I-bounded systems. If R1≤^(I^out^,Iⁱⁿ^,I^E^∪^I^S¹^,I^S⁰^),^MT R0and R2≤^(I^out^,Iⁱⁿ^,I^E^,I^S¹^),^MT R1, then R2≤^(I^out^,Iⁱⁿ^,I^E^,I⁰^S^∪I^S¹^),^MT R0.

Proof. Under the assumption of the lemma, we know that there existS0andS1such thatIE∪I_S¹` S0:I_S⁰,IE`S1:I_S¹,S0·R0andS1·R1are environmentallyIout-bounded, andR1 ≈^Icomp^out^,MT S0·R0

andR2 ≈^Icomp^out^,MT S1·R1. We defineS=S0·S1. Obviously, we have thatIE `S:I_S⁰∪I_S¹. Now let Ebe a boundedIout-environment forR2and letS be a bounded scheduler. Then, we obtain:

{E·R2}S ≡comp {E·S1·R1}S ≡comp {E·S1·S0·R0}S

≡comp {E·S·R0}S .

The first equivalence holds because of our assumptions. For the second equivalence, first note that{E·S1·R1}S is almost bounded andR1 ≈^I^comp^out^,MT S0·R0. By Lemma 3.1, we now obtain that {E·S1·S0·R0}S is almost bounded and that the second equivalence holds.

3.5. From Perfect to Computational Indistinguishability

Im Dokument Implementation-level analysis of cryptographic protocols and their applications to e-voting systems (Seite 52-55)