ILC: a Calculus for Composable, Computational Cryptography

Kevin Liao (University of Illinois Urbana-Champaign, USA), Matthew A. Hammer (DFINITY, USA), Andrew Miller (University of Illinois Urbana-Champaign, USA)

Abstract

The universal composability (UC) framework is the established standard for analyzing cryptographic protocols in a modular way, such that security is preserved under concurrent composition with arbitrary other protocols. However, although UC is widely used for on-paper proofs, prior attempts at systemizing it have fallen short, either by using a symbolic model (thereby ruling out computational reduction proofs), or by limiting its expressiveness.

In this paper, we lay the groundwork for building a concrete, executable implementation of the UC framework. Our main contribution is a process calculus, dubbed the Interactive Lambda Calculus (ILC). ILC faithfully captures the computational model underlying UC—interactive Turing machines (ITMs)—by adapting ITMs to a subset of the π-calculus through an affine typing discipline. In other words, well-typed ILC programs are expressible as ITMs. In turn, ILC's strong confluence property enables reasoning about cryptographic security reductions. We use ILC to develop a simplified implementation of UC called SaUCy.

CCS Concepts • Security and privacy → Formal security models.

Keywords Provable security, universal composability, process calculus, type systems

ACM Reference Format: Kevin Liao, Matthew A. Hammer, and Andrew Miller. 2019. ILC: A Calculus for Composable, Computational Cryptography. In Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI '19), June 22–26, 2019, Phoenix, AZ, USA. ACM, New York, NY, USA, 31 pages. https://doi.org/10.1145/3314221.3314607

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from ACM.
PLDI '19, June 22–26, 2019, Phoenix, AZ, USA
© 2019 Association for Computing Machinery.
ACM ISBN 978-1-4503-6712-7/19/06...$15.00
https://doi.org/10.1145/3314221.3314607

1 Introduction

In cryptography, a proof of security in the simulation-based universal composability (UC) framework is considered the gold standard for demonstrating that a protocol "does its job securely" [16]. In particular, a UC-secure protocol enjoys the strongest notion of compositionality—it maintains all security properties even when run concurrently with arbitrary other protocol instances. This is in contrast with weaker property-based notions that only guarantee security in a standalone setting [37] or under sequential composition [26]. Thus, the benefit of using UC is modularity—it supports analyzing complex protocols by composing simpler building blocks. However, the cost of using UC is that security proofs tend to be quite complicated. We believe that applying a PL-style of systemization to UC can help simplify its use, bring new clarity, and provide useful tooling. We envision a future where modularity of cryptographic protocol composition translates to modular implementation as well.

Reviewing prior efforts of applying PL techniques to cryptography, we find they run up against challenges when importing the existing body of UC theory. Either they do not support computational reasoning (which considers issues of probability and computational complexity) [10], do not support message-passing concurrency for distributed protocols [4], or are too expressive (allow for expressing nondeterminism with no computational interpretation) [2].

Our observation is that these approaches diverge from UC at a low level: UC is defined atop the underlying (concurrent) computational model of interactive Turing machines (ITMs). The significance of ITMs is that they have a clear computational interpretation, so it is straightforward to relate execution traces to a probabilistic polynomial time computation, as is necessary for cryptographic reduction proofs. The presence of (non-probabilistic) nondeterminism in alternative models of concurrency would frustrate such reduction proofs. ITMs sidestep this issue by having a deterministic (modulo random coin tosses), "single-threaded" execution semantics. That is, processes pass control from one to another each time a message is sent so that exactly one process is active at any given time, and, moreover, the order of activations is fully determined.

In this paper, we take up the challenge of faithfully capturing these idioms by designing a new process calculus called the Interactive Lambda Calculus (ILC), which adapts ITMs to a subset of the π-calculus [43] through an affine typing discipline. In other words, well-typed ILC programs are expressible as ITMs. We then use ILC to build a concrete, executable implementation of a simplified UC framework, dubbed SaUCy.

1.1 Interactive Lambda Calculus

Why do we need another process calculus in the first place? Where do existing ones fall short? On the one hand, process calculi such as the π-calculus [43] and its cryptography-oriented variants [1, 2, 35] are not a good fit to ITMs, since they permit non-confluent reductions by design (i.e., non-probabilistic nondeterminism). On the other hand, various other calculi that do enjoy confluence are overly restrictive, only allowing for fixed or two-party communications [10, 24, 30].

ILC fills this gap by adapting ITMs to a subset of the π-calculus through an affine typing discipline. To maintain that only one process is active (can write) at any given time, processes implicitly pass around an affine "write token" by virtue of where they perform read and write effects: When process A writes to process B, process A "spends" the write token and process B "earns" the write token. Moreover, to maintain that the order of activations is fully determined, the read endpoints of channels are (non-duplicable) affine resources, and so each write operation corresponds to a single, unique read operation. Together, these give ILC its central metatheoretic property of confluence.

The importance of confluence is that the only nondeterminism in an ILC program is due to random coin tosses taken by processes, which have a well-defined distribution. Additionally, any apparent concurrency hazards, such as adversarial scheduling of messages in an asynchronous network, are due to an explicit adversary process rather than uncertainty built into the model itself. This eliminates non-probabilistic nondeterminism, and so ILC programs are amenable to the reasoning patterns necessary for establishing computational security guarantees.

1.2 Contributions

To summarize, our main contributions are these:

• We design a foundational calculus for the purpose of systemizing UC called the Interactive Lambda Calculus, which exhibits confluence and is a faithful abstraction of ITMs.
• We use ILC to build a concrete, executable implementation

2 Overview

We first provide background on the universal composability framework and then give a tour of ILC.

2.1 Background on Universal Composability

Security proofs in the UC framework follow the real/ideal paradigm [26]. To carry out some cryptographic task in the real world, we define a distributed protocol that achieves the task across many untrusted processes. Then, to show that it is secure, we compare it with an idealized protocol in which processes simply rely on a single trusted process to carry out the task for them (and so security is satisfied trivially). The program for this single trusted process is called an ideal functionality as it provides a uniform way to describe all the security properties we want from the protocol. Roughly speaking, we say a protocol π realizes an ideal functionality F (i.e., it meets its specification) if every adversarial behavior in the real world can also be exhibited in the ideal world.

Once we have defined π and F, proving realization formally follows a standard rhythm:

1. The first step is a construction: We must provide a simulator S that translates any attack A on the protocol π into an attack on F.
2. The second step is a relational analysis: We must show that running π under attack by any adversary A (the real world) is indistinguishable from running F under attack by S (the ideal world) to any distinguisher Z called the environment.

In particular, Z is an adaptive distinguisher: It interacts with both the real world and the ideal world, and the simulation is sound if no Z can distinguish between the two.

As mentioned, the primary goal of this framework is compositionality. Suppose a protocol π is a protocol module that realizes a functionality F (a specification of the module), and suppose a protocol ρ, which relies on F as a subroutine, in turn realizes an application specification functionality G. Then, the composed protocol ρ ◦ π, in which calls to F are replaced by calls to π, also realizes G. Instead of analyzing the composite protocol consisting of ρ and π, it suffices to analyze the security of ρ itself in the simpler world with F, the idealized version of π.

Finally, the UC framework is defined atop the underlying computational model of interactive Turing machines (ITMs). In the ITM model, processes pass control from one to another each time a message is sent so that exactly one process is active at any given time, and, moreover, the order of activations is fully determined.
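The write-token discipline of Section 1.1 and the ITM activation rule restated at the end of Section 2.1, as an added runnable sketch. This is not ILC, SaUCy, or any code from the paper: processes are plain Python generators, the channel names and the process layout (environment Z, party P, adversary A, party Q) are made up for the illustration, and a seeded PRNG stands in for coin tosses. Yielding a `(channel, message)` pair is the only way a process gives up control, so exactly one process runs at a time; each channel may be bound to one reader only, so every write has one matching read and the activation order is a function of the program and the coins alone.

```python
"""Single-write-token scheduler in the style of the ITM model (constructed example).

A process is a Python generator. `msg = yield` suspends it until it is
activated with a message; `yield (chan, out)` writes `out` to `chan`, which
spends the write token and hands control to the unique reader of `chan`.
"""
import random


class AffinityError(Exception):
    """A read endpoint was claimed twice, or a write has no matching reader."""


class Runtime:
    def __init__(self, seed):
        self.rng = random.Random(seed)  # the only source of nondeterminism
        self.readers = {}               # chan -> process name (affine read endpoint)
        self.procs = {}                 # process name -> generator
        self.trace = []                 # (sender, chan, msg) in activation order
        self.output = None              # what the environment finally observes

    def coin(self, n_bits=1):
        return self.rng.getrandbits(n_bits)

    def spawn(self, name, proc_fn, reads):
        for chan in reads:
            if chan in self.readers:    # a read endpoint is non-duplicable
                raise AffinityError(f"read endpoint {chan!r} already owned by {self.readers[chan]!r}")
            self.readers[chan] = name
        gen = proc_fn(self)
        next(gen)                       # run to the first `yield`: the process now waits
        self.procs[name] = gen

    def run(self, start_chan, start_msg, max_steps=100):
        """Z makes the first write; the token is then passed along one write at a
        time until some process returns, which ends the execution."""
        sender, chan, msg = "Z", start_chan, start_msg
        for _ in range(max_steps):
            if chan not in self.readers:
                raise AffinityError(f"write to {chan!r} has no matching read endpoint")
            self.trace.append((sender, chan, msg))
            receiver = self.readers[chan]                 # receiver earns the token
            try:
                out = self.procs[receiver].send(msg)      # runs until its next write
            except StopIteration:
                return self                               # receiver halted: run ends
            if out is None:
                raise AffinityError(f"{receiver!r} suspended without writing")
            sender, (chan, msg) = receiver, out           # sender has spent the token
        raise RuntimeError("activation budget exhausted")


def environment(rt):
    rt.output = (yield)                   # Z reads the protocol output and halts


def party_p(rt):
    x = yield                             # activated by the environment's input
    yield ("net", x * 2)                  # write over the adversary-controlled network


def adversary(rt):
    y = yield                             # A is the unique reader of "net"
    if rt.coin():                         # scheduling choice is an explicit coin toss,
        yield ("deliver", y)              # not uncertainty built into the model
    else:
        yield ("out", ("dropped", y))


def party_q(rt):
    y = yield
    yield ("out", ("received", y))


def run_world(seed, x=21):
    rt = Runtime(seed)
    rt.spawn("Z", environment, reads=["out"])
    rt.spawn("P", party_p, reads=["in"])
    rt.spawn("A", adversary, reads=["net"])
    rt.spawn("Q", party_q, reads=["deliver"])
    return rt.run("in", x)


def token_chain_ok(rt):
    """Each activation's sender is the reader of the previous write, i.e. the
    token was earned before it was spent."""
    return all(rt.trace[i + 1][0] == rt.readers[rt.trace[i][1]]
               for i in range(len(rt.trace) - 1))


def double_reader_rejected():
    rt = Runtime(0)
    rt.spawn("P", party_p, reads=["in"])
    try:
        rt.spawn("Q", party_q, reads=["in"])   # second claim on an affine endpoint
    except AffinityError:
        return True
    return False


def unmatched_write_rejected():
    rt = Runtime(0)
    rt.spawn("P", party_p, reads=["in"])       # nobody reads "net"
    try:
        rt.run("in", 1)
    except AffinityError:
        return True
    return False


if __name__ == "__main__":
    for seed in (1, 2, 3):
        print(seed, run_world(seed).trace)
```

Running the same seed twice produces the same trace, which is the operational content of confluence here: the adversary's drop-or-deliver choice is a coin with a known distribution, not a scheduler decision. The two rejection checks are the points where a type system would step in; the runtime only catches them dynamically.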
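The two-step rhythm of Section 2.1 (construct a simulator S, then show the real and ideal worlds indistinguishable to an environment Z), carried out on a toy secure-message task as an added example that is not from the paper or from SaUCy. The ideal functionality, both protocols, the simulator and the environment below are constructed for the illustration; messages are 4 bits so every coin toss can be enumerated, which turns the relational step into exact equality of view distributions rather than a computational bound. A deliberately broken second protocol shows what failure of realization looks like and why no simulator can rescue it.

```python
"""Real/ideal paradigm on a toy secure-channel task (constructed example).

Task: P sends a BITS-bit message m to Q while the adversary watches the wire.
Ideal functionality F: delivers m to Q and leaks only the message length.
Real protocol: P and Q share a key drawn from the coin tosses; P sends m XOR key.
"""
from collections import Counter

BITS = 4
COINS = range(1 << BITS)            # every possible BITS-bit string of coin tosses


def real_world(m, protocol, coins):
    """Z's view of the real world: (adversary's view, Q's output)."""
    return protocol(m, coins)


def ideal_world(m, simulator, coins):
    """F delivers m faithfully; S must fake the adversary's view from the leak alone."""
    leak = BITS                     # all F reveals to S: the message length
    return (simulator(leak, coins), m)


def otp(m, coins):
    """One-time pad: the key is the whole coin string."""
    key = coins
    c = m ^ key                     # what the adversary sees on the wire
    return (c, c ^ key)             # Q decrypts


def weak_otp(m, coins):
    """Broken variant: only the low two bits are padded, so the high bits leak."""
    key = coins & 0b0011
    c = m ^ key
    return (c, c ^ key)


def otp_simulator(leak, coins):
    """Construction step: S outputs a uniformly random string of the leaked length."""
    return coins & ((1 << leak) - 1)


def view_distribution(world, m, **party):
    """Exact distribution of Z's view over all coin tosses."""
    return Counter(world(m, coins=coins, **party) for coins in COINS)


def perfectly_realizes(protocol, simulator):
    """Relational step: for every input Z may choose, the real and ideal
    view distributions coincide."""
    return all(
        view_distribution(real_world, m, protocol=protocol)
        == view_distribution(ideal_world, m, simulator=simulator)
        for m in COINS)


def no_simulator_exists(protocol):
    """The leak is constant, so S's output cannot depend on m. If the real
    adversary view does depend on m, no simulator at all can match it."""
    per_m = {
        m: frozenset(Counter(protocol(m, coins)[0] for coins in COINS).items())
        for m in COINS}
    return len(set(per_m.values())) > 1


def z_high_bit(adv_view, q_output):
    """A concrete environment: guesses "real" when the top wire bit is set."""
    return (adv_view >> (BITS - 1)) & 1


def advantage(protocol, simulator, env, m=1 << (BITS - 1)):
    """|Pr[Z says real | real world] - Pr[Z says real | ideal world]| for Z's m."""
    real = view_distribution(real_world, m, protocol=protocol)
    ideal = view_distribution(ideal_world, m, simulator=simulator)
    p_real = sum(cnt * env(*view) for view, cnt in real.items()) / len(COINS)
    p_ideal = sum(cnt * env(*view) for view, cnt in ideal.items()) / len(COINS)
    return abs(p_real - p_ideal)


if __name__ == "__main__":
    for name, proto in (("otp", otp), ("weak_otp", weak_otp)):
        print(name, "realizes F:", perfectly_realizes(proto, otp_simulator),
              "advantage of z_high_bit:", advantage(proto, otp_simulator, z_high_bit))
```

The one-time pad realizes F with the trivial simulator: the wire is uniform in both worlds, so no environment, adaptive or not, gains anything. For the weak variant the environment that sends m = 0b1000 and looks at the top bit distinguishes with advantage 1/2, and `no_simulator_exists` shows the failure is not a poor choice of S but a property of the protocol's leakage.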
