The framework of universal composability (UC) is a general-purpose model for the analysis of cryptographic protocols. It guarantees very strong security properties. Protocols remain secure even if arbitrarily composed with other instances of the same or other
protocols
Protocol may refer to:
Sociology and politics
* Protocol (politics), a formal agreement between nation states
* Protocol (diplomacy), the etiquette of diplomacy and affairs of state
* Etiquette, a code of personal behavior
Science and technology
...
. Security is defined in the sense of protocol emulation. Intuitively, a protocol is said to emulate another one, if no environment (observer) can distinguish the executions. Literally, the protocol may simulate the other protocol (without having access to the code). The notion of security is derived by implication. Assume a protocol
is secure per definition. If another protocol
emulates protocol
such that no environment tells apart the emulation from the execution of the protocol, then the emulated protocol
is as secure as protocol
.
Ideal functionality
An ideal functionality is a protocol in which a trusted party that can communicate over perfectly secure channels with all protocol participants computes the desired protocol outcome. We say that a cryptographic protocol that cannot make use of such a trusted party fulfils an ideal functionality, if the protocol can emulate the behaviour of the trusted party for honest users, and if the view that an adversary learns by attacking the protocol is indistinguishable from what can be computed by a
simulator
A simulation is the imitation of the operation of a real-world process or system over time. Simulations require the use of models; the model represents the key characteristics or behaviors of the selected system or process, whereas the s ...
that only interacts with the ideal functionality.
Computation model
The computation model of universal composability is that of interactive
Turing machines
A Turing machine is a mathematical model of computation describing an abstract machine that manipulates symbols on a strip of tape according to a table of rules. Despite the model's simplicity, it is capable of implementing any computer algori ...
that can activate each other by writing on each other's communication tapes. An interactive Turing machine is a form of
multi-tape Turing machine and is commonly used for modelling the computational aspects of
communication network
A telecommunications network is a group of nodes interconnected by telecommunications links that are used to exchange messages between the nodes. The links may use a variety of technologies based on the methodologies of circuit switching, messag ...
s in
cryptography
Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
.
Communication model
The communication model in the bare UC framework is very basic. The messages of a sending party are handed to the adversary who can replace these messages with messages of his own choice that are delivered to the receiving party. This is also the
Dolev-Yao threat model. (Based on the computational model all parties are modeled as interactive turing machines)
All communication models that add additional properties such as
confidentiality
Confidentiality involves a set of rules or a promise usually executed through confidentiality agreements that limits the access or places restrictions on certain types of information.
Legal confidentiality
By law, lawyers are often required ...
,
authenticity
Authenticity or authentic may refer to:
* Authentication, the act of confirming the truth of an attribute
Arts and entertainment
* Authenticity in art, ways in which a work of art or an artistic performance may be considered authentic
Music
* A ...
,
synchronization
Synchronization is the coordination of events to operate a system in unison. For example, the conductor of an orchestra keeps the orchestra synchronized or ''in time''. Systems that operate with all parts in synchrony are said to be synchronou ...
, or
anonymity
Anonymity describes situations where the acting person's identity is unknown. Some writers have argued that namelessness, though technically correct, does not capture what is more centrally at stake in contexts of anonymity. The important idea he ...
are modeled using their own ideal functionality. An ideal communication functionality takes a message as input and produces a message as output. The (more limited) powers for the adversary
are modeled through the (limited) capacity of the adversary to interact with this ideal functionality.
Ideal authenticated channel
For an optimal ideal authenticated channel, the ideal functionality
takes a message
from a party with identity
as input, and outputs the same message together with the identity
to the recipient and the adversary. To model the power of the adversary to delay
asynchronous communication
In telecommunications, asynchronous communication is transmission of data, generally without the use of an external clock signal, where data can be transmitted intermittently rather than in a steady stream. Any timing required to recover data f ...
the functionality
may first send a message to the adversary
and would only deliver the message
once it receives the command to do so as a reply.
Ideal secure channel
In an ideal
secure channel
In cryptography, a secure channel is a means of data transmission that is resistant to overhearing and tampering. A confidential channel is a means of data transmission that is resistant to overhearing, or eavesdropping (e.g., reading the conten ...
, the ideal functionality
only outputs the identity of the sender to both the recipient and the adversary, while the message is only revealed to the recipient. This models the requirement that a secure channel is both authenticated and private. To model some leakage about the information that is being transferred,
may reveal information about the message to the adversary, e.g. the length of the message.
Asynchronous communication
In telecommunications, asynchronous communication is transmission of data, generally without the use of an external clock signal, where data can be transmitted intermittently rather than in a steady stream. Any timing required to recover data f ...
is modeled through the same delay mechanism as for
.
More advanced channels
While the technical means, and the physical assumptions behind anonymous and pseudonymous communication are very different, the modeling of such channels using ideal functionalities is analogous. See also
onion routing
Onion routing is a technique for anonymous communication over a computer network. In an onion network, messages are encapsulated in layers of encryption, analogous to layers of an onion. The encrypted data is transmitted through a series of net ...
and
Anonymous P2P
An anonymous P2P communication system is a peer-to-peer distributed application in which the nodes, which are used to share resources, or participants are anonymous or pseudonymous. Anonymity of participants is usually achieved by special routi ...
. Similar functionalities can be defined for
broadcast communication, or
synchronous communication Synchronous serial communication describes a serial communication protocol in which "data is sent in a continuous stream at constant rate."
Synchronous communication requires that the clocks in the transmitting and receiving devices are ''synchro ...
.
Ideal anonymous channel
In an ideal
anonymous channel, the ideal functionality,
takes a message
from a party with identity
as input, and outputs the same message but without disclosing the identity
to the recipient and the adversary.
Ideal pseudonymous channel
In an ideal
pseudonymous channel, the participating parties first register unique pseudonyms with the ideal functionality
. To do a transfer
takes a message
and the pseudonym
of the recipient as input. The ideal functionality looks up the owner of the pseudonym and transfers the message
without revealing the identity of the sender.
These formalisations abstract from the implementation details of the concrete systems that implement such channels. In their pure form an ideal functionality may be found to be unrealizable. It may be necessary to relax the functionality by leaking more information to the adversary (
degree of anonymity). On the other hand communication channels can be physical, e.g. a
mobile device
A mobile device (or handheld computer) is a computer small enough to hold and operate in the hand. Mobile devices typically have a flat LCD or OLED screen, a touchscreen interface, and digital or physical buttons. They may also have a physical ...
can achieve an anonymous channel by constantly changing its location before transmitting messages that do not contain
identifiers
An identifier is a name that identifies (that is, labels the identity of) either a unique object or a unique ''class'' of objects, where the "object" or class may be an idea, physical countable object (or class thereof), or physical noncountable ...
.
Impossibility results
There exists no
bit commitment protocol that is universally composable in the
Standard Model
The Standard Model of particle physics is the theory describing three of the four known fundamental forces (electromagnetism, electromagnetic, weak interaction, weak and strong interactions - excluding gravity) in the universe and classifying a ...
.
The intuition is that in the ideal model, the simulator has to extract the value to commit to
from the input of the environment. This would allow the receiver in the real protocol to extract
the committed value and break the security of the protocol. This impossibility result can be
applied to other functionalities.
Setup and trust assumptions
To circumvent the above impossibility result, additional assumptions are required.
Additional setup and trust assumptions, such as the
common reference string model
Common may refer to:
Places
* Common, a townland in County Tyrone, Northern Ireland
* Boston Common, a central public park in Boston, Massachusetts
* Cambridge Common, common land area in Cambridge, Massachusetts
* Clapham Common, originally com ...
and the assumption of a trusted
certification authority
In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. Thi ...
are also modeled using ideal functionalities in UC.
Controversy and other models
* Reactive Simulatability is a similar model developed concurrently with the universal composability model.
* Abstract/Constructive Cryptography
[Ueli Maurer.
Constructive Cryptography - A New Paradigm for Security Definitions and Proofs. TOSCA 2011: 33-56] is a more recent general-purpose model for the composeable analysis of cryptographic protocols.
* The GNUC and IITM model are reformulations of universal composability by other researcher (prominently,
Victor Shoup
Victor Shoup is a computer scientist and mathematician. He obtained a PhD in computer science from the University of Wisconsin–Madison in 1989, and he did his undergraduate work at the University of Wisconsin-Eau Claire. He is a professor at ...
and Ralf Kuesters) that influenced new versions of the canonical model by
Ran Canetti
Ran Canetti (Hebrew: רן קנטי) is a professor of Computer Science at Boston University. and the director of the Check Point Institute for Information Security and of the Center for Reliable Information System and Cyber Security. He is also ...
.
See also
*
Abstraction
Abstraction in its main sense is a conceptual process wherein general rules and concepts are derived from the usage and classification of specific examples, literal ("real" or "concrete") signifiers, first principles, or other methods.
"An abstr ...
*
Burrows-Abadi-Needham logic
*
Mathematical model
A mathematical model is a description of a system using mathematical concepts and language. The process of developing a mathematical model is termed mathematical modeling. Mathematical models are used in the natural sciences (such as physics, ...
*
Secure multi-party computation
Secure multi-party computation (also known as secure computation, multi-party computation (MPC) or privacy-preserving computation) is a subfield of cryptography with the goal of creating methods for parties to jointly compute a function over their ...
References
{{Cryptography navbox
Theory of cryptography