nach oben

Erschienen in:

2019 | OriginalPaper | Buchkapitel

iUC: Flexible Universal Composability Made Simple

verfasst von : Jan Camenisch, Stephan Krenn, Ralf Küsters, Daniel Rausch

Erschienen in: Advances in Cryptology – ASIACRYPT 2019

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Proving the security of complex protocols is a crucial and very challenging task. A widely used approach for reasoning about such protocols in a modular way is universal composability. A perfect model for universal composability should provide a sound basis for formal proofs and be very flexible in order to allow for modeling a multitude of different protocols. It should also be easy to use, including useful design conventions for repetitive modeling aspects, such as corruption, parties, sessions, and subroutine relationships, such that protocol designers can focus on the core logic of their protocols.

While many models for universal composability exist, including the UC, GNUC, and IITM models, none of them has achieved this ideal goal yet. As a result, protocols cannot be modeled faithfully and/or using these models is a burden rather than a help, often even leading to underspecified protocols and formally incorrect proofs.

Given this dire state of affairs, the goal of this work is to provide a framework for universal composability which combines soundness, flexibility, and usability in an unmatched way. Developing such a security framework is a very difficult and delicate task, as the long history of frameworks for universal composability shows.

We build our framework, called iUC, on top of the IITM model, which already provides soundness and flexibility while lacking sufficient usability. At the core of iUC is a single simple template for specifying essentially arbitrary protocols in a convenient, formally precise, and flexible way. We illustrate the main features of our framework with example functionalities and realizations.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Structure-Preserving and Re-randomizable RCCA-Secure Public Key Encryption and Its Applications

Nächstes Kapitel Leakage Resilience of the Duplex Construction

The environment can claim arbitrary PIDs and SIDs as sender.

The environment can choose the number that it claims as a sender as long as it does not collide with a number used by another (higher-level) role in the protocol.

Recall from Sect. 2.1 that by sending a restricting message, the adversary is forced to answer, and hence, decide upon corruption right away, before he can interact in any other way with the protocol, preventing artificial interference with the protocol run. This is a very typical use of restricting messages, which very much simplifies corruption modeling (see also [1]).

This operation is purely for modeling purposes and does of course not exist in reality. It is crucial for obtaining a reasonable realization relation: The environment needs a way to check that the simulator in the ideal world corrupts exactly those entities that are corrupted in the real world, i.e., the simulation should be perfect also with respect to the corruption states. If we did not provide such a mechanism, the simulator could simply corrupt all entities in the ideal world which generally allows for a trivial simulation of arbitrary protocols.

We emphasize that we do not put any restrictions on the graph that the subroutine relationships of machines of several protocols form. For example, it is entirely possible to have machines in two different protocols that specify each other as subroutines.

As mentioned in Sect. 2.3, if an entity is explicitly corrupted, it instead acts as a forwarder for messages to and from the adversary.

Intuitively, the role names are used to determine which parts of \(\mathcal {F}\) are realized by which parts of \(\mathcal {P}\), hence they must have the same sets of public roles.

Since we need only a single key pair per party, we set \(sid'\) to be the fixed value \(\epsilon \), i.e., the empty string.

Note that this is true in all UC-like models that can express this setting: the assumption of disjoint sessions, which is necessary for performing a single session analysis, is simply not fulfilled by this protocol. This issue cannot even be circumvented by using a so-called joint-state realization for digital signatures, as such a realization not only requires global SIDs (cf. Sect. 4.3) but also changes the messages that are signed, thus creating a modified protocol with different security properties.

This is because such a higher level protocol would then access the same subroutine session throughout many different higher-level sessions, which violates session disjointness as required by both UC and GNUC.

Camenisch, J., Enderlein, R.R., Krenn, S., Küsters, R., Rausch, D.: Universal composition with responsive environments. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part II. LNCS, vol. 10032, pp. 807–840. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_27CrossRef

Camenisch, Krenn, S., Küsters, R., Rausch, D.: iUC: flexible universal composability made simple (full version). Technical report 2019/1073, Cryptology ePrint Archive (2019). http://eprint.iacr.org/2019/1073

Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. Technical report 2000/067, Cryptology ePrint Archive (2000). http://eprint.iacr.org/2000/067 with new versions from December 2005, July 2013, December 2018

Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: FOCS 2001, pp. 136–145. IEEE Computer Society (2001)

Canetti, R., Dodis, Y., Pass, R., Walfish, S.: Universally composable security with global setup. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 61–85. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_4CrossRef

Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 337–351. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_22CrossRef

Canetti, R., Rabin, T.: Universal composition with joint state. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 265–281. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_16CrossRef

Canetti, R., Chari, S., Halevi, S., Pfitzmann, B., Roy, A., Steiner, M., Venema, W.: Composable security analysis of OS services. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 431–448. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21554-4_25CrossRef

Canetti, R., et al.: Analyzing security protocols using time-bounded task-PIOAs. Discret. Event Dyn. Syst. 18(1), 111–159 (2008)CrossRef

10.

Canetti, R., Cohen, A., Lindell, Y.: A simpler variant of universally composable security for standard multiparty computation. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 3–22. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_1CrossRef

11.

Canetti, R., Hogan, K., Malhotra, A., Varia, M.: A universally composable treatment of network time. In: CSF 2017, pp. 360–375. IEEE Computer Society (2017)

12.

Canetti, R., Shahaf, D., Vald, M.: Universally composable authentication and key-exchange with global PKI. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016, Part II. LNCS, vol. 9615, pp. 265–296. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49387-8_11CrossRefMATH

13.

Chaidos, P., Fourtounelli, O., Kiayias, A., Zacharias, T.: A universally composable framework for the privacy of email ecosystems. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part III. LNCS, vol. 11274, pp. 191–221. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_8CrossRef

14.

Chari, S., Jutla, C.S., Roy, A.: Universally Composable Security Analysis of OAuth v2.0. IACR Cryptology ePrint Archive 2011/526 (2011)

15.

Hofheinz, D., Shoup, V.: GNUC: a new universal composability framework. J. Cryptol. 28(3), 423–508 (2015)MathSciNetCrossRef

16.

Hogan, K., et al.: On the Universally Composable Security of OpenStack. IACR Cryptology ePrint Archive 2018/602 (2018)

17.

ISO/IEC IS 9798–3, Entity authentication mechanisms – Part 3: Entity authentication using assymetric techniques (1993)

18.

Küsters, R.: Simulation-based security with inexhaustible interactive turing machines. In: CSFW 2006, pp. 309–320. IEEE Computer Society (2006). See [22] for a full and revised version

19.

Küsters, R., Rausch, D.: A framework for universally composable Diffie-Hellman key exchange. In: S&P 2017, pp. 881–900. IEEE Computer Society (2017)

20.

Küsters, R., Tuengerthal, M.: Joint state theorems for public-key encryption and digital signature functionalities with local computation. In: CSF 2008, pp. 270–284. IEEE Computer Society (2008). The full version is available at https://eprint.iacr.org/2008/006 and will appear in Journal of Cryptology

21.

Küsters, R., Tuengerthal, M.: Composition theorems without pre-established session identifiers. In: CCS 2011, pp. 41–50. ACM (2011)

22.

Küsters, R., Tuengerthal, M., Rausch, D.: The IITM model: a simple and expressive model for universal composability. Technical report 2013/025, Cryptology ePrint Archive (2013). http://eprint.iacr.org/2013/025. To appear in Journal of Cryptology

23.

Maurer, U.: Constructive cryptography – a new paradigm for security definitions and proofs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 33–56. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27375-9_3CrossRefMATH

24.

Maurer, U., Renner, R.: Abstract cryptography. In: Chazelle, B. (ed.) Innovations in Computer Science - ICS 2010. Proceedings, pp. 1–21. Tsinghua University Press (2011)

25.

Pfitzmann, B., Waidner, M.: A model for asynchronous reactive systems and its application to secure message transmission. In: S&P 2001, pp. 184–201. IEEE Computer Society (2001)

Titel: iUC: Flexible Universal Composability Made Simple
verfasst von: Jan Camenisch
Stephan Krenn
Ralf Küsters
Daniel Rausch
Verlag: Springer International Publishing
Buch: Advances in Cryptology – ASIACRYPT 2019
Print ISBN: 978-3-030-34617-1

Electronic ISBN: 978-3-030-34618-8

Copyright-Jahr: 2019
DOI: https://doi.org/10.1007/978-3-030-34618-8_7

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner