Synchronous Universally Composable Computer Networks

Abstract

Designers of modern IT networks face tremendous security challenges. As systems grow ever more complex and connected it is essential that they resist even previously-unknown attacks. Using formal models to analyse the security of cryptographic protocols is a well-established practice. However, the security of complex networks is often still evaluated in an ad-hoc fashion. We analyse the applicability of formal security models for complex networks and narrow the gap between security proofs for abstract cryptographic protocols and real-world systems. Specifically we use the Universal Composability framework together with Katz et al.’s extensions for synchronous computation and bounded-delay channels [15]. This allows us to model availability guarantees. We propose a 5-phase paradigm for specifying protocols in a clear representation. To capture redundant formalisms and simplify defining network topologies, we introduce two functionalities \(\mathcal {F}_{\mathsf {wrap}}\) and \(\mathcal {F}_{\mathsf {net}}\). Demonstrating the applicability of our approach, we re-prove Lamport et al.’s well-known solution to the Byzantine Generals Problem [16] with four parties. We further complete a result of Achenbach et al. [1], proving that a “firewall combiner” for three network firewalls is available.

A Firewalls Revisited

We give the full proof for Theorem 2 here.

Theorem 2

\(\pi _{\mathsf {parallel}}\) realises \(\mathcal {F}_{\mathsf {fw\text {-}ideal}}\) in the \(\mathcal {F}_{\mathsf {net}} ^{\mathsf {fw},\delta }\)-hybrid model.

Proof

We prove the lemma via game hopping, starting from the real model. In each step we will modify the ideal functionality and argue that the modification is indistinguishable. We will w.l.o.g. assume that \(\mathrm {fw}_3\) is corrupted. Encapsulate the network in a new machine \(\mathcal {S}\), introduce dummies for all \(\mathrm {fw}_i\) and \(\mathrm {hw}_i\), and construct a new machine \(\mathcal {F}_{\mathsf {fw\text {-}ideal}}\) which connects the dummy machines with their counterparts in the (now simulated) real network. Modify \(\mathcal {F}_{\mathsf {fw\text {-}ideal}}\) step-wise:

1. 1.

   Introduce variables to keep state for the firewalls. When receiving \((\mathsf {input},m)\) through \(\mathrm {hw}_k\), evaluate the firewall functionalities \(\mathrm {F}_{\mathrm {fw_1}}\) and \(\mathrm {F}_{\mathrm {fw_2}}\), update the respective firewall states and save the output packets \(p_1\) and \(p_2\) in a list \(\mathrm {Q}_k\) as \((\mathsf {in},1,p_1,2\delta )\) and \((\mathsf {in},2,p_2,2\delta )\). This modification stores additional information but does not alter the communication and is thus indistinguishable.

2. 2.

   When being advised to output a message p for a party \(\mathrm {hw}_k\) by the simulator, only do so if there is an entry \((\mathsf {in},i,p,d)\) in \(Q_k\) and delete that entry. Every message scheduled by the simulator in this manner was output by one of the firewalls in its simulation. Consequently, this message is also stored in \(Q_k\). The real protocol party \(\mathrm {fw}_k\) will internally delete all messages it outputs. Thus, this modification is indistinguishable.

3. 3.

   When a packet p is output based on any entry \((\dots ,i,p,d)\) in \(\mathsf {Q}_k\), check if there is another entry \((\dots ,j,p,d)\) with \(i \ne j\). If so, delete that entry as well. If not, add an entry \((\mathsf {missing},|i-3|,p,d)\) to \(\mathsf {Q}_k\). Further, when receiving \((\mathsf {input},m)\) through \(\mathrm {hw}_k\) and evaluating the firewall functionalities, before saving the resulting packets \(p_1\) and \(p_2\), check if there is an entry \((\mathsf {missing},1,p_1,2\delta )\) or \((\mathsf {missing},2,p_2,2\delta )\) in \(\mathsf {Q}_k\). If there is, remove that entry and do not save the resulting packet. This modification is indistinguishable as \(\mathcal {F}_{\mathsf {fw\text {-}ideal}}\) now implements the exact behaviour of \(\mathrm {hw}_1\) and \(\mathrm {hw}_2\).

4. 4.

   Add \(\mathcal {F}_{\mathsf {wrap}}\) as a wrapper around \(\mathcal {F}_{\mathsf {fw\text {-}ideal}}\). When receiving \((\mathsf {RoundComplete})\) from \(\mathcal {F}_{\mathsf {wrap}}\), decrease the delay value d of each entry in \(\mathsf {Q}_1\) and \(\mathsf {Q}_2\) by 1. Send \((\mathsf {RoundComplete})\) to the simulator. When being advised to output a packet p for party \(\mathrm {hw}_k\) by the simulator, instead of outputting the packet immediately, replace the corresponding entry in \(\mathsf {Q}_k\) by \((\mathsf {deliver},i,p,d)\). When being asked to provide output for party \(\mathrm {hw}_j\) by \(\mathcal {F}_{\mathsf {wrap}}\), check if there is an entry in \(\mathsf {Q}_j\) with \(d=0\). If so, output that packet. If not, check if there is an entry marked for delivery. If so, output the corresponding packet. Always perform the output according to the mechanism described in Step 3.

The simulator’s simulation of the real network is not perfect after transformation step 4. Concretely, \(\mathcal {S}\) is not notified of the fourth activation (“output”) of honest protocol parties. However, as we argued in the proof of Theorem 1, the output decision is made during prior activations. Hence, by \(\mathcal {S}\) announcing output early to \(\mathcal {F}_{\mathsf {fw\text {-}ideal}}\), \(\mathcal {S}\) and \(\mathcal {F}_{\mathsf {fw\text {-}ideal}}\) perfectly emulate the real protocol. (\(\mathcal {F}_{\mathsf {wrap}}\) delivers output after the fourth activation only.)    \(\square \)