Universally composable symbolic security analysis

Ran Canetti*, Jonathan Herzog

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review


In light of the growing complexity of cryptographic protocols and applications, it becomes highly desirable to mechanize-and eventually automate-the security analysis of protocols. A natural step towards automation is to allow for symbolic security analysis. However, the complexity of mechanized symbolic analysis is typically exponential in the space and time complexities of the analyzed system. Thus, full automation via direct analysis of the entire given system has so far been impractical even for systems of modest complexity. We propose an alternative route to fully automated and efficient security analysis of systems with no a priori bound on the complexity. We concentrate on systems that have an unbounded number of components, where each component is of small size. The idea is to perform symbolic analysis that guarantees composable security. This allows applying the automated analysis only to individual components, while still guaranteeing security of the overall system. We exemplify the approach in the case of authentication and key-exchange protocols of a specific format. Specifically, we formulate and mechanically assert symbolic properties that correspond to concrete security properties formulated within the Universally Composable security framework. As an additional contribution, we demonstrate that the traditional symbolic secrecy criterion for key exchange provides an inadequate security guarantee (regardless of the complexity of verification) and propose a new symbolic criterion that guarantees composable concrete security.

Original languageEnglish
Pages (from-to)83-147
Number of pages65
JournalJournal of Cryptology
Issue number1
StatePublished - Jan 2011


  • Automated analysis
  • Cryptographic protocols
  • Security analysis
  • Symbolic analysis
  • Universal composition


Dive into the research topics of 'Universally composable symbolic security analysis'. Together they form a unique fingerprint.

Cite this