Universally composable security: a new paradigm for cryptographic protocols

We propose a novel paradigm for defining security of cryptographic protocols, called universally composable security. The salient property of universally composable definitions of security is that they guarantee security even when a secure protocol is composed of an arbitrary set of protocols, or more generally when the protocol is used as a component of an arbitrary system. This is an essential property for maintaining security of cryptographic protocols in complex and unpredictable environments such as the Internet. In particular, universally composable definitions guarantee security even when an unbounded number of protocol instances are executed concurrently in an adversarially controlled manner, they guarantee non-malleability with respect to arbitrary protocols, and more. We show how to formulate universally composable definitions of security for practically any cryptographic task. Furthermore, we demonstrate that practically any such definition can be realized using known techniques, as long as only a minority of the participants are corrupted. We then proceed to formulate universally composable definitions of a wide array of cryptographic tasks, including authenticated and secure communication, key-exchange, public-key encryption, signature, commitment, oblivious transfer, zero knowledge and more. We also make initial steps towards studying the realizability of the proposed definitions in various settings.

[1]  Gilles Kahn,et al.  The Semantics of a Simple Language for Parallel Programming , 1974, IFIP Congress.

[2]  C. A. R. Hoare,et al.  Communicating sequential processes , 2021, CACM.

[3]  Manuel Blum,et al.  Coin Flipping by Telephone. , 1981, CRYPTO 1981.

[4]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[5]  Andrew Chi-Chih Yao,et al.  Theory and application of trapdoor functions , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[6]  Andrew Chi-Chih Yao,et al.  Protocols for secure computations , 1982, FOCS 1982.

[7]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[8]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[9]  Oded Goldreich,et al.  A randomized protocol for signing contracts , 1985, CACM.

[10]  A. Yao How to generate and exchange secrets , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[11]  Silvio Micali,et al.  How to play ANY mental game , 1987, STOC.

[12]  David Chaum,et al.  Minimum Disclosure Proofs of Knowledge , 1988, J. Comput. Syst. Sci..

[13]  Manuel Blum,et al.  Non-interactive zero-knowledge and its applications , 1988, STOC '88.

[14]  Avi Wigderson,et al.  Completeness theorems for non-cryptographic fault-tolerant distributed computation , 1988, STOC '88.

[15]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[16]  Robin Milner,et al.  Communication and concurrency , 1989, PHI Series in computer science.

[17]  Tal Rabin,et al.  Verifiable secret sharing and multiparty protocols with honest majority , 1989, STOC '89.

[18]  Benny Chor,et al.  Solvability in Asynchronous Environments (Extended Abstract) , 1989, IEEE Annual Symposium on Foundations of Computer Science.

[19]  Martín Abadi,et al.  A logic of authentication , 1989, Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences.

[20]  Leonid A. Levin,et al.  Fair Computation of General Functions in Presence of Immoral Majority , 1990, CRYPTO.

[21]  Moni Naor,et al.  Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[22]  Hugo Krawczyk,et al.  On the Composition of Zero-Knowledge Proof Systems , 1990, ICALP.

[23]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[24]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[25]  Moti Yung,et al.  Systematic Design of Two-Party Authentication Protocols , 1991, CRYPTO.

[26]  Donald Beaver,et al.  Cryptographic Protocols Provably Secure Against Dynamic Adversaries , 1992, EUROCRYPT.

[27]  Seif Haridi,et al.  Distributed Algorithms , 1992, Lecture Notes in Computer Science.

[28]  R. Aho,et al.  Pruning Duplicate Nodes in Depth-First Search , 1993 .

[29]  Ran Canetti,et al.  Asynchronous secure computation , 1993, STOC.

[30]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[31]  Tal Rabin,et al.  Asynchronous secure computations with optimal resilience (extended abstract) , 1994, PODC '94.

[32]  Catherine A. Meadows,et al.  Formal Verification of Cryptographic Protocols: A Survey , 1994, ASIACRYPT.

[33]  Birgit Pfitzmann,et al.  A General Framework for Formal Notions of "Secure" Systems , 1994 .

[34]  Nancy A. Lynch,et al.  Probabilistic Simulations for Probabilistic Processes , 1994, Nord. J. Comput..

[35]  Silvio Micali,et al.  Verifiable Secret Sharing as Secure Computation , 1994, EUROCRYPT.

[36]  Ran Canetti,et al.  Studies in secure multiparty computation and applications , 1995 .

[37]  Michael Sipser,et al.  Introduction to the Theory of Computation , 1996, SIGA.

[38]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[39]  Donald Beaver,et al.  Adaptive zero knowledge and computational equivocation (extended abstract) , 1996, STOC '96.

[40]  G. Lowe,et al.  Breaking and Fixing the Needham-Schroeder Public-Key Protocol using CSP and FDR , 1996 .

[41]  Ueli Maurer,et al.  Complete characterization of adversaries tolerable in secure multi-party computation (extended abstract) , 1997, PODC '97.

[42]  Eli Biham,et al.  Differential Fault Analysis of Secret Key Cryptosystems , 1997, CRYPTO.

[43]  Martín Abadi,et al.  A calculus for cryptographic protocols: the spi calculus , 1997, CCS '97.

[44]  Rafail Ostrovsky,et al.  Randomness vs. fault-tolerance , 1997, PODC '97.

[45]  Richard J. Lipton,et al.  On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract) , 1997, EUROCRYPT.

[46]  Donald Beaver,et al.  Plug and Play Encryption , 1997, CRYPTO.

[47]  John C. Mitchell,et al.  A linguistic characterization of bounded oracle computation and probabilistic polynomial time , 1998, Proceedings 39th Annual Symposium on Foundations of Computer Science (Cat. No.98CB36280).

[48]  Moni Naor,et al.  Concurrent zero-knowledge , 1998, STOC '98.

[49]  Rafail Ostrovsky,et al.  Non-interactive and non-malleable commitment , 1998, STOC '98.

[50]  Hugo Krawczyk,et al.  A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract) , 1998, STOC '98.

[51]  John C. Mitchell,et al.  A probabilistic poly-time framework for protocol analysis , 1998, CCS '98.

[52]  Tal Rabin,et al.  Simplified VSS and fast-track multiparty computations with applications to threshold cryptography , 1998, PODC '98.

[53]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[54]  Joe Kilian,et al.  On the Concurrent Composition of Zero-Knowledge Proofs , 1999, EUROCRYPT.

[55]  Ivan Damgård,et al.  Efficient Multiparty Computations Secure Against an Adaptive Adversary , 1999, EUROCRYPT.

[56]  John C. Mitchell,et al.  Probabilistic Polynomial-Time Equivalence and Security Analysis , 1999, World Congress on Formal Methods.

[57]  Victor Shoup,et al.  On Formal Models for Secure Key Exchange , 1999, IACR Cryptol. ePrint Arch..

[58]  Pankaj Rohatgi,et al.  Towards Sound Approaches to Counteract Power-Analysis Attacks , 1999, CRYPTO.

[59]  Benny Chor,et al.  Solvability in Asynchronous Environments II: Finite Interactive Tasks , 1999, SIAM J. Comput..

[60]  Moni Naor,et al.  Magic functions , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[61]  Robin Milner,et al.  Communicating and mobile systems - the Pi-calculus , 1999 .

[62]  Rafail Ostrovsky,et al.  Randomness versus Fault-Tolerance , 2000, Journal of Cryptology.

[63]  Birgit Pfitzmann,et al.  Secure Reactive Systems , 2000 .

[64]  Birgit Pfitzmann,et al.  Composition and integrity preservation of secure reactive systems , 2000, CCS.

[65]  Peter Y. A. Ryan,et al.  The modelling and analysis of security protocols: the csp approach , 2000 .

[66]  Juan A. Garay,et al.  Concurrent oblivious transfer , 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[67]  Ran Canetti,et al.  Security and Composition of Multiparty Cryptographic Protocols , 2000, Journal of Cryptology.

[68]  Moni Naor,et al.  Nonmalleable Cryptography , 2000, SIAM Rev..

[69]  Ran Canetti,et al.  Maintaining Authenticated Communication in the Presence of Break-Ins , 2000, Journal of Cryptology.

[70]  Ueli Maurer,et al.  Player Simulation and General Adversary Structures in Perfect Multiparty Computation , 2000, Journal of Cryptology.

[71]  Birgit Pfitzmann,et al.  Provably Secure Certified Mail , 2000 .

[72]  Oded Goldreich,et al.  Foundations of Cryptography: List of Figures , 2001 .

[73]  Oded Goldreich Foundations of Cryptography: Index , 2001 .

[74]  Ran Canetti,et al.  Universally Composable Commitments , 2001, CRYPTO.

[75]  Boaz Barak,et al.  How to go beyond the black-box simulation barrier , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[76]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[77]  Birgit Pfitzmann,et al.  A model for asynchronous reactive systems and its application to secure message transmission , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[78]  Yehuda Lindell,et al.  Resettably-sound zero-knowledge and its applications , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[79]  Yehuda Lindell,et al.  On the composition of authenticated byzantine agreement , 2002, STOC '02.

[80]  Yehuda Lindell,et al.  Universally composable two-party and multi-party secure computation , 2002, STOC '02.

[81]  K. Roberts,et al.  Thesis , 2002 .

[82]  Oded Goldreich,et al.  Concurrent zero-knowledge with timing, revisited , 2002, STOC '02.

[83]  Jesper Buus Nielsen,et al.  Separating Random Oracle Proofs from Complexity Theoretic Proofs: The Non-committing Encryption Case , 2002, CRYPTO.

[84]  Oded Goldreich,et al.  Concurrent Zero-Knowledge With Timing , 2002 .

[85]  Silvio Micali,et al.  Physically Observable Cryptography , 2003, IACR Cryptol. ePrint Arch..

[86]  Jörn Müller-Quade,et al.  Initiator-Resilient Universally Composable Key Exchange , 2003, ESORICS.

[87]  Yehuda Lindell,et al.  General composition and universal composability in secure multi-party computation , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[88]  Jesper Buus Nielsen,et al.  On Protocol Security in the Cryptographic Model , 2003 .

[89]  Ran Canetti,et al.  Universal Composition with Joint State , 2003, CRYPTO.

[90]  Rafael Pass,et al.  Bounded-concurrent secure two-party computation in a constant number of rounds , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[91]  Nancy A. Lynch,et al.  Compositionality for Probabilistic Automata , 2003, CONCUR.

[92]  John C. Mitchell,et al.  Composition of Cryptographic Protocols in a Probabilistic Polynomial-Time Process Calculus , 2003, CONCUR.

[93]  Birgit Pfitzmann,et al.  A composable cryptographic library with nested operations , 2003, CCS '03.