Universally Composable Security

This work presents a general framework for describing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved under a general composition operation, called universal composition. The proposed framework with its security-preserving composition operation allows for modular design and analysis of complex cryptographic protocols from simpler building blocks. Moreover, within this framework, protocols are guaranteed to maintain their security in any context, even in the presence of an unbounded number of arbitrary protocol sessions that run concurrently in an adversarially controlled manner. This is a useful guarantee, which allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks.
