The IITM Model: A Simple and Expressive Model for Universal Composability

The universal composability paradigm allows for the modular design and analysis of cryptographic protocols and has been widely and successfully used in cryptography. However, devising a coherent yet simple and expressive model for universal composability is, as the history of such models shows, highly non-trivial. For example, several partly severe problems have been pointed out in the literature for the UC model. In this work, we propose a coherent model for universal composability, called the IITM model (“Inexhaustible Interactive Turing Machine”). A main feature of the model is that it is stated without a priori fixing irrelevant details, such as a specific way of addressing machines by session and party identifiers, a specific modeling of corruption, or a specific protocol hierarchy. In addition, we employ a very general notion of runtime. All reasonable protocols and ideal functionalities should be expressible based on this notion in a direct and natural way, without tweaks such as (artificial) padding of messages or (artificially) adding extra messages. Not least because of these features, the model is simple and expressive. Moreover, the general results that we prove, such as composition theorems, hold independently of how such details are fixed for concrete applications. Since the IITM model is inspired by other models for universal composability, in particular the UC model, and because of its flexibility and expressivity, results formulated in those models conceptually carry over directly to the IITM model.
