Universal composability

Last updated June 19, 2024

The framework of universal composability (UC)^[1] is a general-purpose model for the analysis of cryptographic protocols. It guarantees very strong security properties. Protocols remain secure even if arbitrarily composed with other instances of the same or other protocols. Security is defined in the sense of protocol emulation. Intuitively, a protocol is said to emulate another one, if no environment (observer) can distinguish the executions. Literally, the protocol may simulate the other protocol (without having access to the code). The notion of security is derived by implication. Assume a protocol $P_{1}$ is secure per definition. If another protocol $P_{2}$ emulates protocol $P_{1}$ such that no environment tells apart the emulation from the execution of the protocol, then the emulated protocol $P_{2}$ is as secure as protocol $P_{1}$ .

Ideal functionality

An ideal functionality is a protocol in which a trusted party that can communicate over perfectly secure channels with all protocol participants computes the desired protocol outcome. We say that a cryptographic protocol that cannot make use of such a trusted party fulfils an ideal functionality, if the protocol can emulate the behaviour of the trusted party for honest users, and if the view that an adversary learns by attacking the protocol is indistinguishable from what can be computed by a simulator that only interacts with the ideal functionality.

Computation model

The computation model of universal composability is that of interactive Turing machines that can activate each other by writing on each other's communication tapes. An interactive Turing machine is a form of multi-tape Turing machine and is commonly used for modelling the computational aspects of communication networks in cryptography.

Communication model

The communication model in the bare UC framework is very basic. The messages of a sending party are handed to the adversary who can replace these messages with messages of his own choice that are delivered to the receiving party. This is also the Dolev-Yao threat model. (Based on the computational model all parties are modeled as interactive turing machines)

All communication models that add additional properties such as confidentiality, authenticity, synchronization, or anonymity are modeled using their own ideal functionality. An ideal communication functionality takes a message as input and produces a message as output. The (more limited) powers for the adversary ${\mathcal {A}}$ are modeled through the (limited) capacity of the adversary to interact with this ideal functionality.

Ideal authenticated channel

For an optimal ideal authenticated channel, the ideal functionality ${\mathcal {F}}_{\mathsf {Auth}}$ takes a message $m$ from a party with identity $P$ as input, and outputs the same message together with the identity $P$ to the recipient and the adversary. To model the power of the adversary to delay asynchronous communication the functionality ${\mathcal {F}}_{\mathsf {Auth}}$ may first send a message to the adversary ${\mathcal {A}}$ and would only deliver the message $m,P$ once it receives the command to do so as a reply.

Ideal secure channel

In an ideal secure channel, the ideal functionality ${\mathcal {F}}_{\mathsf {Sec}}$ only outputs the identity of the sender to both the recipient and the adversary, while the message is only revealed to the recipient. This models the requirement that a secure channel is both authenticated and private. To model some leakage about the information that is being transferred, ${\mathcal {F}}_{\mathsf {Sec}}$ may reveal information about the message to the adversary, e.g. the length of the message. Asynchronous communication is modeled through the same delay mechanism as for ${\mathcal {F}}_{\mathsf {Auth}}$ .

More advanced channels

While the technical means, and the physical assumptions behind anonymous and pseudonymous communication are very different,^[2] the modeling of such channels using ideal functionalities is analogous. See also onion routing and Anonymous P2P. Similar functionalities can be defined for broadcast communication, or synchronous communication.

Ideal anonymous channel

In an ideal anonymous channel, the ideal functionality, ${\mathcal {F}}_{\mathsf {Anon}}$ takes a message $m$ from a party with identity $P$ as input, and outputs the same message but without disclosing the identity $P$ to the recipient and the adversary.

Ideal pseudonymous channel

In an ideal pseudonymous channel, the participating parties first register unique pseudonyms with the ideal functionality ${\mathcal {F}}_{\mathsf {Pseu}}$ . To do a transfer ${\mathcal {F}}_{\mathsf {Pseu}}$ takes a message $m$ and the pseudonym $nym$ of the recipient as input. The ideal functionality looks up the owner of the pseudonym and transfers the message $m,nym$ without revealing the identity of the sender.

These formalisations abstract from the implementation details of the concrete systems that implement such channels. In their pure form an ideal functionality may be found to be unrealizable. It may be necessary to relax the functionality by leaking more information to the adversary (degree of anonymity). On the other hand communication channels can be physical,^[3]^[4] e.g. a mobile device can achieve an anonymous channel by constantly changing its location before transmitting messages that do not contain identifiers.

Impossibility results

There exists no bit commitment protocol that is universally composable in the Standard Model. The intuition is that in the ideal model, the simulator has to extract the value to commit to from the input of the environment. This would allow the receiver in the real protocol to extract the committed value and break the security of the protocol. This impossibility result can be applied to other functionalities.

Setup and trust assumptions

To circumvent the above impossibility result, additional assumptions are required. Additional setup and trust assumptions, such as the common reference string model and the assumption of a trusted certification authority are also modeled using ideal functionalities in UC.

Controversy and other models

Reactive Simulatability ^[5] is a similar model developed concurrently with the universal composability model.
Abstract/Constructive Cryptography ^[6]^[7] is a more recent general-purpose model for the composable analysis of cryptographic protocols.
The GNUC and IITM model are reformulations of universal composability by other researcher (prominently, Victor Shoup and Ralf Kuesters) that influenced new versions of the canonical model by Ran Canetti.

Related Research Articles

In computational complexity theory, an interactive proof system is an abstract machine that models computation as the exchange of messages between two parties: a prover and a verifier. The parties interact by exchanging messages in order to ascertain whether a given string belongs to a language or not. The prover possesses unlimited computational resources but cannot be trusted, while the verifier has bounded computation power but is assumed to be always honest. Messages are sent between the verifier and prover until the verifier has an answer to the problem and has "convinced" itself that it is correct.

<span class="mw-page-title-main">Coding theory</span> Study of the properties of codes and their fitness

Coding theory is the study of the properties of codes and their respective fitness for specific applications. Codes are used for data compression, cryptography, error detection and correction, data transmission and data storage. Codes are studied by various scientific disciplines—such as information theory, electrical engineering, mathematics, linguistics, and computer science—for the purpose of designing efficient and reliable data transmission methods. This typically involves the removal of redundancy and the correction or detection of errors in the transmitted data.

Identity-based encryption (IBE), is an important primitive of identity-based cryptography. As such it is a type of public-key encryption in which the public key of a user is some unique information about the identity of the user. This means that a sender who has access to the public parameters of the system can encrypt a message using e.g. the text-value of the receiver's name or email address as a key. The receiver obtains its decryption key from a central authority, which needs to be trusted as it generates secret keys for every user.

A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value while keeping it hidden to others, with the ability to reveal the committed value later. Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Commitment schemes have important applications in a number of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure computation.

In computational complexity theory, a complexity class is a set of computational problems "of related resource-based complexity". The two most commonly analyzed resources are time and memory.

A cryptographic protocol is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives. A protocol describes how the algorithms should be used and includes details about data structures and representations, at which point it can be used to implement multiple, interoperable versions of a program.

Secure multi-party computation is a subfield of cryptography with the goal of creating methods for parties to jointly compute a function over their inputs while keeping those inputs private. Unlike traditional cryptographic tasks, where cryptography assures security and integrity of communication or storage and the adversary is outside the system of participants, the cryptography in this model protects participants' privacy from each other.

In computational complexity theory, DSPACE or SPACE is the computational resource describing the resource of memory space for a deterministic Turing machine. It represents the total amount of memory space that a "normal" physical computer would need to solve a given computational problem with a given algorithm.

In quantum information theory, a quantum channel is a communication channel which can transmit quantum information, as well as classical information. An example of quantum information is the state of a qubit. An example of classical information is a text document transmitted over the Internet.

In computational complexity theory, P/poly is a complexity class representing problems that can be solved by small circuits. More precisely, it is the set of formal languages that have polynomial-size circuit families. It can also be defined equivalently in terms of Turing machines with advice, extra information supplied to the Turing machine along with its input, that may depend on the input length but not on the input itself. In this formulation, P/poly is the class of decision problems that can be solved by a polynomial-time Turing machine with advice strings of length polynomial in the input size. These two different definitions make P/poly central to circuit complexity and non-uniform complexity.

Ciphertext indistinguishability is a property of many encryption schemes. Intuitively, if a cryptosystem possesses the property of indistinguishability, then an adversary will be unable to distinguish pairs of ciphertexts based on the message they encrypt. The property of indistinguishability under chosen plaintext attack is considered a basic requirement for most provably secure public key cryptosystems, though some schemes also provide indistinguishability under chosen ciphertext attack and adaptive chosen ciphertext attack. Indistinguishability under chosen plaintext attack is equivalent to the property of semantic security, and many cryptographic proofs use these definitions interchangeably.

In cryptography, a pseudorandom function family, abbreviated PRF, is a collection of efficiently-computable functions which emulate a random oracle in the following way: no efficient algorithm can distinguish between a function chosen randomly from the PRF family and a random oracle. Pseudorandom functions are vital tools in the construction of cryptographic primitives, especially secure encryption schemes.

The Dolev–Yao model, named after its authors Danny Dolev and Andrew Yao, is a formal model used to prove properties of interactive cryptographic protocols.

Entanglement distillation is the transformation of N copies of an arbitrary entangled state $into some number of approximately pure Bell pairs, using only local operations and classical communication.$

In cryptography, SWIFFT is a collection of provably secure hash functions. It is based on the concept of the fast Fourier transform (FFT). SWIFFT is not the first hash function based on FFT, but it sets itself apart by providing a mathematical proof of its security. It also uses the LLL basis reduction algorithm. It can be shown that finding collisions in SWIFFT is at least as difficult as finding short vectors in cyclic/ideal lattices in the worst case. By giving a security reduction to the worst-case scenario of a difficult mathematical problem, SWIFFT gives a much stronger security guarantee than most other cryptographic hash functions.

Quantum cryptography is the science of exploiting quantum mechanical properties to perform cryptographic tasks. The best known example of quantum cryptography is quantum key distribution, which offers an information-theoretically secure solution to the key exchange problem. The advantage of quantum cryptography lies in the fact that it allows the completion of various cryptographic tasks that are proven or conjectured to be impossible using only classical communication. For example, it is impossible to copy data encoded in a quantum state. If one attempts to read the encoded data, the quantum state will be changed due to wave function collapse. This could be used to detect eavesdropping in quantum key distribution (QKD).

The noisy-storage model refers to a cryptographic model employed in quantum cryptography. It assumes that the quantum memory device of an attacker (adversary) trying to break the protocol is imperfect (noisy). The main goal of this model is to enable the secure implementation of two-party cryptographic primitives, such as bit commitment, oblivious transfer and secure identification.

Consider two remote players, connected by a channel, that don't trust each other. The problem of them agreeing on a random bit by exchanging messages over this channel, without relying on any trusted third party, is called the coin flipping problem in cryptography. Quantum coin flipping uses the principles of quantum mechanics to encrypt messages for secure communication. It is a cryptographic primitive which can be used to construct more complex and useful cryptographic protocols, e.g. Quantum Byzantine agreement.

In cryptography, indistinguishability obfuscation is a type of software obfuscation with the defining property that obfuscating any two programs that compute the same mathematical function results in programs that cannot be distinguished from each other. Informally, such obfuscation hides the implementation of a program while still allowing users to run it. Formally, iO satisfies the property that obfuscations of two circuits of the same size which implement the same function are computationally indistinguishable.

The Hidden Matching Problem is a computation complexity problem that can be solved using quantum protocols: Let $be a positive even integer. In the Hidden Matching Problem, Alice is given and Bob is given (denotes the family of all possible perfect matchings on nodes). Their goal is to output a tuple such that the edge belongs to the matching and .$

References

↑ R. Canetti. Universally Composable Security: A New Paradigm for Cryptographic Protocols.
↑ Douglas Wikström: "A Universally Composable Mix-Net". TCC 2004: 317-335. doi : 10.1007/978-3-540-24638-1_18
↑ Tatsuaki Okamoto: "On the Relationship among Cryptographic Physical Assumptions". ISAAC 1993: 369-378
↑ Waka Nagao, Yoshifumi Manabe, Tatsuaki Okamoto: "Relationship of Three Cryptographic Channels in the UC Framework". ProvSec 2008: 268-282. doi : 10.1007/978-3-540-88733-1_19
↑ Michael Backes and Birgit Pfitzmann and Michael Waidner. The Reactive Simulatability (RSIM) Framework for Asynchronous Systems. Cryptology ePrint Archive: Report 2004/082
↑ Ueli Maurer, Renato Renner: Abstract Cryptography. ICS 2011: 1-21
↑ Ueli Maurer. Constructive Cryptography - A New Paradigm for Security Definitions and Proofs. TOSCA 2011: 33-56

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] R. Canetti. Universally Composable Security: A New Paradigm for Cryptographic Protocols.

[2] Douglas Wikström: "A Universally Composable Mix-Net". TCC 2004: 317-335. doi : 10.1007/978-3-540-24638-1_18

[3] Tatsuaki Okamoto: "On the Relationship among Cryptographic Physical Assumptions". ISAAC 1993: 369-378

[4] Waka Nagao, Yoshifumi Manabe, Tatsuaki Okamoto: "Relationship of Three Cryptographic Channels in the UC Framework". ProvSec 2008: 268-282. doi : 10.1007/978-3-540-88733-1_19

[5] Michael Backes and Birgit Pfitzmann and Michael Waidner. The Reactive Simulatability (RSIM) Framework for Asynchronous Systems. Cryptology ePrint Archive: Report 2004/082

[6] Ueli Maurer, Renato Renner: Abstract Cryptography. ICS 2011: 1-21

[7] Ueli Maurer. Constructive Cryptography - A New Paradigm for Security Definitions and Proofs. TOSCA 2011: 33-56

[1]

[2]

[3]

[4]

[5]

[6]

[7]