Theory of Cryptography: 18th International Conference, TCC 2020, Durham, NC, USA, November 16–19, 2020, Proceedings, Part III

The Global and Externalized UC frameworks [Canetti-Dodis-Pass-Walfish, TCC 07] extend the plain UC framework to additionally handle protocols that use a “global setup”, namely a mechanism that is also used by entities outside the protocol. These frameworks have broad applicability: examples include public-key infrastructures, common reference strings, shared synchronization mechanisms, global blockchains, or even abstractions such as the random oracle. However, the need to work in a specialized framework has been a source of confusion, incompatibility, and an impediment to broader use. We show how security in the presence of a global setup can be captured within the plain UC framework, thus significantly simplifying the treatment. This is done as follows:

– We extend UC-emulation to the case where both the emulating protocol π and the emulated protocol φ make subroutine calls to a protocol γ that is accessible also outside π and φ. As usual, this notion considers only a single instance of φ or π (alongside γ).

– We extend the UC theorem to hold even with respect to the new notion of UC emulation. That is, we show that if π UC-emulates φ in the presence of γ, then ρ^{φ→π} UC-emulates ρ for any protocol ρ, even when ρ uses γ directly and in addition calls many instances of φ, all of which use the same instance of γ.

We prove this extension using the existing UC theorem as a black box, thus further simplifying the treatment. We also exemplify how our treatment can be used to streamline, within the plain UC model, proofs of security of systems that involve global setup, thus providing greater simplicity and flexibility.

C. Badertscher: Work done while the author was at the University of Edinburgh, Scotland.
R. Canetti: Member of the CPIIS. Supported by NSF Awards 1931714, 1801564, 1414119, and the DARPA DEVE program.
B. Tackmann: Work partly done while the author was at IBM Research – Zurich, supported in part by the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 780477 PRIViLEDGE.

© International Association for Cryptologic Research 2020. R. Pass and K. Pietrzak (Eds.): TCC 2020, LNCS 12552, pp. 1–30, 2020. https://doi.org/10.1007/978-3-030-64381-2_1
