Abstract
Proving the security of complex protocols is a crucial and very challenging task. A widely used approach for reasoning about such protocols in a modular way is universal composability. A perfect model for universal composability should provide a sound basis for formal proofs and be very flexible in order to allow for modeling a multitude of different protocols. It should also be easy to use, including useful design conventions for repetitive modeling aspects, such as corruption, parties, sessions, and subroutine relationships, such that protocol designers can focus on the core logic of their protocols.
While many models for universal composability exist, including the UC, GNUC, and IITM models, none of them has achieved this ideal goal yet. As a result, protocols cannot be modeled faithfully and/or using these models is a burden rather than a help, often even leading to underspecified protocols and formally incorrect proofs.
Given this dire state of affairs, the goal of this work is to provide a framework for universal composability which combines soundness, flexibility, and usability in an unmatched way. Developing such a security framework is a very difficult and delicate task, as the long history of frameworks for universal composability shows.
We build our framework, called iUC, on top of the IITM model, which already provides soundness and flexibility while lacking sufficient usability. At the core of iUC is a single simple template for specifying essentially arbitrary protocols in a convenient, formally precise, and flexible way. We illustrate the main features of our framework with example functionalities and realizations.
This work was in part funded by the European Commission through grant agreements nos. 321310 (PERCY) and 644962 (PRISMACLOUD), and by the Deutsche Forschungsgemeinschaft (DFG) through Grant KU 1434/9-1. We would like to thank Robert Enderlein for helpful discussions.
Notes
1. The environment can claim arbitrary PIDs and SIDs as sender.
2. The environment can choose the number that it claims as a sender as long as it does not collide with a number used by another (higher-level) role in the protocol.
3. Recall from Sect. 2.1 that by sending a restricting message, the adversary is forced to answer, and hence, decide upon corruption right away, before he can interact in any other way with the protocol, preventing artificial interference with the protocol run. This is a very typical use of restricting messages, which very much simplifies corruption modeling (see also [1]).
4. This operation is purely for modeling purposes and does of course not exist in reality. It is crucial for obtaining a reasonable realization relation: the environment needs a way to check that the simulator in the ideal world corrupts exactly those entities that are corrupted in the real world, i.e., the simulation should be perfect also with respect to the corruption states. If we did not provide such a mechanism, the simulator could simply corrupt all entities in the ideal world, which generally allows for a trivial simulation of arbitrary protocols.
5. We emphasize that we do not put any restrictions on the graph that the subroutine relationships of machines of several protocols form. For example, it is entirely possible to have machines in two different protocols that specify each other as subroutines.
6. As mentioned in Sect. 2.3, if an entity is explicitly corrupted, it instead acts as a forwarder for messages to and from the adversary.
7. Intuitively, the role names are used to determine which parts of \(\mathcal {F}\) are realized by which parts of \(\mathcal {P}\), hence they must have the same sets of public roles.
8. Since we need only a single key pair per party, we set \(sid'\) to be the fixed value \(\epsilon \), i.e., the empty string.
9. Note that this is true in all UC-like models that can express this setting: the assumption of disjoint sessions, which is necessary for performing a single-session analysis, is simply not fulfilled by this protocol. This issue cannot even be circumvented by using a so-called joint-state realization for digital signatures, as such a realization not only requires global SIDs (cf. Sect. 4.3) but also changes the messages that are signed, thus creating a modified protocol with different security properties.
10. This is because such a higher-level protocol would then access the same subroutine session throughout many different higher-level sessions, which violates session disjointness as required by both UC and GNUC.
References
Camenisch, J., Enderlein, R.R., Krenn, S., Küsters, R., Rausch, D.: Universal composition with responsive environments. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part II. LNCS, vol. 10032, pp. 807–840. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_27
Camenisch, J., Krenn, S., Küsters, R., Rausch, D.: iUC: flexible universal composability made simple (full version). Technical report 2019/1073, Cryptology ePrint Archive (2019). http://eprint.iacr.org/2019/1073
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. Technical report 2000/067, Cryptology ePrint Archive (2000). http://eprint.iacr.org/2000/067 with new versions from December 2005, July 2013, December 2018
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: FOCS 2001, pp. 136–145. IEEE Computer Society (2001)
Canetti, R., Dodis, Y., Pass, R., Walfish, S.: Universally composable security with global setup. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 61–85. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_4
Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 337–351. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_22
Canetti, R., Rabin, T.: Universal composition with joint state. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 265–281. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_16
Canetti, R., Chari, S., Halevi, S., Pfitzmann, B., Roy, A., Steiner, M., Venema, W.: Composable security analysis of OS services. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 431–448. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21554-4_25
Canetti, R., et al.: Analyzing security protocols using time-bounded task-PIOAs. Discret. Event Dyn. Syst. 18(1), 111–159 (2008)
Canetti, R., Cohen, A., Lindell, Y.: A simpler variant of universally composable security for standard multiparty computation. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 3–22. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_1
Canetti, R., Hogan, K., Malhotra, A., Varia, M.: A universally composable treatment of network time. In: CSF 2017, pp. 360–375. IEEE Computer Society (2017)
Canetti, R., Shahaf, D., Vald, M.: Universally composable authentication and key-exchange with global PKI. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016, Part II. LNCS, vol. 9615, pp. 265–296. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49387-8_11
Chaidos, P., Fourtounelli, O., Kiayias, A., Zacharias, T.: A universally composable framework for the privacy of email ecosystems. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part III. LNCS, vol. 11274, pp. 191–221. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_8
Chari, S., Jutla, C.S., Roy, A.: Universally composable security analysis of OAuth v2.0. Technical report 2011/526, Cryptology ePrint Archive (2011)
Hofheinz, D., Shoup, V.: GNUC: a new universal composability framework. J. Cryptol. 28(3), 423–508 (2015)
Hogan, K., et al.: On the universally composable security of OpenStack. Technical report 2018/602, Cryptology ePrint Archive (2018)
ISO/IEC IS 9798-3, Entity authentication mechanisms – Part 3: Entity authentication using asymmetric techniques (1993)
Küsters, R.: Simulation-based security with inexhaustible interactive turing machines. In: CSFW 2006, pp. 309–320. IEEE Computer Society (2006). See [22] for a full and revised version
Küsters, R., Rausch, D.: A framework for universally composable Diffie-Hellman key exchange. In: S&P 2017, pp. 881–900. IEEE Computer Society (2017)
Küsters, R., Tuengerthal, M.: Joint state theorems for public-key encryption and digital signature functionalities with local computation. In: CSF 2008, pp. 270–284. IEEE Computer Society (2008). The full version is available at https://eprint.iacr.org/2008/006 and will appear in Journal of Cryptology
Küsters, R., Tuengerthal, M.: Composition theorems without pre-established session identifiers. In: CCS 2011, pp. 41–50. ACM (2011)
Küsters, R., Tuengerthal, M., Rausch, D.: The IITM model: a simple and expressive model for universal composability. Technical report 2013/025, Cryptology ePrint Archive (2013). http://eprint.iacr.org/2013/025. To appear in Journal of Cryptology
Maurer, U.: Constructive cryptography – a new paradigm for security definitions and proofs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 33–56. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27375-9_3
Maurer, U., Renner, R.: Abstract cryptography. In: Chazelle, B. (ed.) Innovations in Computer Science - ICS 2010. Proceedings, pp. 1–21. Tsinghua University Press (2011)
Pfitzmann, B., Waidner, M.: A model for asynchronous reactive systems and its application to secure message transmission. In: S&P 2001, pp. 184–201. IEEE Computer Society (2001)
© 2019 International Association for Cryptologic Research
Cite this paper
Camenisch, J., Krenn, S., Küsters, R., Rausch, D. (2019). iUC: Flexible Universal Composability Made Simple. In: Galbraith, S., Moriai, S. (eds) Advances in Cryptology – ASIACRYPT 2019. ASIACRYPT 2019. Lecture Notes in Computer Science(), vol 11923. Springer, Cham. https://doi.org/10.1007/978-3-030-34618-8_7
DOI: https://doi.org/10.1007/978-3-030-34618-8_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-34617-1
Online ISBN: 978-3-030-34618-8
eBook Packages: Computer Science (R0)