Joint State Theorems for Public-Key Encryption and Digital Signature Functionalities with Local Computation

Composition theorems in simulation-based approaches allow complex protocols to be built from sub-protocols in a modular way. However, as first pointed out and studied by Canetti and Rabin, this modular approach often leads to impractical implementations. For example, when a functionality for digital signatures is used within a more complex protocol, parties have to generate new verification and signing keys for every session of the protocol. This motivates generalizing composition theorems to so-called joint state theorems, in which different copies of a functionality may share some state, e.g., the same verification and signing keys. In this paper, we present a joint state theorem which is more general than the original theorem of Canetti and Rabin, for which several problems and limitations are pointed out. We apply our theorem to obtain joint state realizations for three functionalities: public-key encryption, replayable public-key encryption, and digital signatures. Unlike most other formulations, our functionalities model that ciphertexts and signatures are computed locally, rather than being provided by the adversary. To obtain the joint state realizations, the functionalities have to be designed carefully; other formulations are shown to be unsuitable. Our work is based on a recently proposed, rigorous model for simulation-based security by Küsters, called the IITM model. Our definitions and results demonstrate the expressivity and simplicity of this model. For example, unlike Canetti's UC model, in the IITM model no explicit joint state operator needs to be defined, and the joint state theorem follows immediately from the composition theorem in the IITM model.
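The practical problem the abstract describes, one key pair per session versus one key pair shared by all sessions, is easiest to see in code. The example below is an added illustration and is not code from the paper; it uses the standard joint-state construction of binding every signed message to its session identifier (the domain-separation idea behind Canetti and Rabin's joint state realization), which the paper generalizes but whose concrete details the abstract does not spell out. The underlying scheme is an HMAC stand-in so the example runs offline with the standard library; that is an assumption for the demo only, and the `JointStateSigner` wrapper is written against a generic `sign`/`verify` interface so a real public-key signature scheme could be plugged in. It contrasts naive key sharing (a signature from session A is accepted in session B) with the joint-state wrapper (it is not).

```python
import hashlib
import hmac
import os
from typing import Callable

# Generic scheme interface assumed by the wrapper: sign(key, msg) -> sig, verify(key, msg, sig) -> bool.
# The HMAC pair below is a stand-in for a public-key signature scheme (assumption for this demo).
def _toy_sign(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def _toy_verify(key: bytes, message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(_toy_sign(key, message), signature)


def _bind_to_session(sid: bytes, message: bytes) -> bytes:
    # Length-prefix the sid so (sid, message) pairs cannot collide,
    # e.g. (b"ab", b"c") and (b"a", b"bc") must encode differently.
    return len(sid).to_bytes(4, "big") + sid + message


class NaiveSharedSigner:
    """One key for all sessions, but signatures ignore the session: cross-session replay verifies."""

    def __init__(self, sign: Callable = _toy_sign, verify: Callable = _toy_verify) -> None:
        self._key = os.urandom(32)  # generated once, shared by every session
        self._sign, self._verify = sign, verify

    def sign(self, sid: bytes, message: bytes) -> bytes:
        return self._sign(self._key, message)  # sid is dropped

    def verify(self, sid: bytes, message: bytes, signature: bytes) -> bool:
        return self._verify(self._key, message, signature)


class JointStateSigner:
    """One key for all sessions; each signature is bound to the session it was produced in."""

    def __init__(self, sign: Callable = _toy_sign, verify: Callable = _toy_verify) -> None:
        self._key = os.urandom(32)  # generated once, shared by every session
        self._sign, self._verify = sign, verify

    def sign(self, sid: bytes, message: bytes) -> bytes:
        return self._sign(self._key, _bind_to_session(sid, message))

    def verify(self, sid: bytes, message: bytes, signature: bytes) -> bool:
        # A signature made under another sid fails here, so sessions stay independent
        # even though they share the key.
        return self._verify(self._key, _bind_to_session(sid, message), signature)


def own_session_verifies(joint_state: bool = True) -> bool:
    """A signature is accepted in the session that produced it (both signers)."""
    signer = JointStateSigner() if joint_state else NaiveSharedSigner()
    sid, msg = b"session-A", b"transfer 10"
    return signer.verify(sid, msg, signer.sign(sid, msg))


def cross_session_replay_accepted(joint_state: bool) -> bool:
    """True if a signature produced in session A is accepted in session B."""
    signer = JointStateSigner() if joint_state else NaiveSharedSigner()
    msg = b"transfer 10"  # constructed sample message
    sig_from_a = signer.sign(b"session-A", msg)
    return signer.verify(b"session-B", msg, sig_from_a)


if __name__ == "__main__":
    print("naive sharing, replay accepted:", cross_session_replay_accepted(joint_state=False))
    print("joint state,   replay accepted:", cross_session_replay_accepted(joint_state=True))
```

The wrapper is the whole point: the key is generated once (the efficiency gain the abstract is after), and session independence is restored by the encoding, not by the scheme. Any realization that shares keys without such binding lets a signature or ciphertext from one session be replayed into another, which is exactly the kind of cross-session interference a per-session functionality would never permit.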
