HOME

TheInfoList



OR:

The framework of universal composability (UC) is a general-purpose model for the analysis of cryptographic protocols. It guarantees very strong security properties. Protocols remain secure even if arbitrarily composed with other instances of the same or other
protocols Protocol may refer to: Sociology and politics * Protocol (politics), a formal agreement between nation states * Protocol (diplomacy), the etiquette of diplomacy and affairs of state * Etiquette, a code of personal behavior Science and technology ...
. Security is defined in the sense of protocol emulation. Intuitively, a protocol is said to emulate another one, if no environment (observer) can distinguish the executions. Literally, the protocol may simulate the other protocol (without having access to the code). The notion of security is derived by implication. Assume a protocol P_1 is secure per definition. If another protocol P_2 emulates protocol P_1 such that no environment tells apart the emulation from the execution of the protocol, then the emulated protocol P_2 is as secure as protocol P_1.


Ideal functionality

An ideal functionality is a protocol in which a trusted party that can communicate over perfectly secure channels with all protocol participants computes the desired protocol outcome. We say that a cryptographic protocol that cannot make use of such a trusted party fulfils an ideal functionality, if the protocol can emulate the behaviour of the trusted party for honest users, and if the view that an adversary learns by attacking the protocol is indistinguishable from what can be computed by a
simulator A simulation is the imitation of the operation of a real-world process or system over time. Simulations require the use of models; the model represents the key characteristics or behaviors of the selected system or process, whereas the s ...
that only interacts with the ideal functionality.


Computation model

The computation model of universal composability is that of interactive
Turing machines A Turing machine is a mathematical model of computation describing an abstract machine that manipulates symbols on a strip of tape according to a table of rules. Despite the model's simplicity, it is capable of implementing any computer algori ...
that can activate each other by writing on each other's communication tapes. An interactive Turing machine is a form of multi-tape Turing machine and is commonly used for modelling the computational aspects of
communication network A telecommunications network is a group of nodes interconnected by telecommunications links that are used to exchange messages between the nodes. The links may use a variety of technologies based on the methodologies of circuit switching, messag ...
s in
cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
.


Communication model

The communication model in the bare UC framework is very basic. The messages of a sending party are handed to the adversary who can replace these messages with messages of his own choice that are delivered to the receiving party. This is also the Dolev-Yao threat model. (Based on the computational model all parties are modeled as interactive turing machines) All communication models that add additional properties such as
confidentiality Confidentiality involves a set of rules or a promise usually executed through confidentiality agreements that limits the access or places restrictions on certain types of information. Legal confidentiality By law, lawyers are often required ...
,
authenticity Authenticity or authentic may refer to: * Authentication, the act of confirming the truth of an attribute Arts and entertainment * Authenticity in art, ways in which a work of art or an artistic performance may be considered authentic Music * A ...
,
synchronization Synchronization is the coordination of events to operate a system in unison. For example, the conductor of an orchestra keeps the orchestra synchronized or ''in time''. Systems that operate with all parts in synchrony are said to be synchronou ...
, or
anonymity Anonymity describes situations where the acting person's identity is unknown. Some writers have argued that namelessness, though technically correct, does not capture what is more centrally at stake in contexts of anonymity. The important idea he ...
are modeled using their own ideal functionality. An ideal communication functionality takes a message as input and produces a message as output. The (more limited) powers for the adversary \mathcal are modeled through the (limited) capacity of the adversary to interact with this ideal functionality.


Ideal authenticated channel

For an optimal ideal authenticated channel, the ideal functionality \mathcal_ takes a message m from a party with identity P as input, and outputs the same message together with the identity P to the recipient and the adversary. To model the power of the adversary to delay
asynchronous communication In telecommunications, asynchronous communication is transmission of data, generally without the use of an external clock signal, where data can be transmitted intermittently rather than in a steady stream. Any timing required to recover data f ...
the functionality \mathcal_ may first send a message to the adversary \mathcal and would only deliver the message m,P once it receives the command to do so as a reply.


Ideal secure channel

In an ideal
secure channel In cryptography, a secure channel is a means of data transmission that is resistant to overhearing and tampering. A confidential channel is a means of data transmission that is resistant to overhearing, or eavesdropping (e.g., reading the conten ...
, the ideal functionality \mathcal_ only outputs the identity of the sender to both the recipient and the adversary, while the message is only revealed to the recipient. This models the requirement that a secure channel is both authenticated and private. To model some leakage about the information that is being transferred, \mathcal_ may reveal information about the message to the adversary, e.g. the length of the message.
Asynchronous communication In telecommunications, asynchronous communication is transmission of data, generally without the use of an external clock signal, where data can be transmitted intermittently rather than in a steady stream. Any timing required to recover data f ...
is modeled through the same delay mechanism as for \mathcal_.


More advanced channels

While the technical means, and the physical assumptions behind anonymous and pseudonymous communication are very different, the modeling of such channels using ideal functionalities is analogous. See also
onion routing Onion routing is a technique for anonymous communication over a computer network. In an onion network, messages are encapsulated in layers of encryption, analogous to layers of an onion. The encrypted data is transmitted through a series of net ...
and
Anonymous P2P An anonymous P2P communication system is a peer-to-peer distributed application in which the nodes, which are used to share resources, or participants are anonymous or pseudonymous. Anonymity of participants is usually achieved by special routi ...
. Similar functionalities can be defined for broadcast communication, or
synchronous communication Synchronous serial communication describes a serial communication protocol in which "data is sent in a continuous stream at constant rate." Synchronous communication requires that the clocks in the transmitting and receiving devices are ''synchro ...
.


Ideal anonymous channel

In an ideal anonymous channel, the ideal functionality, \mathcal_ takes a message m from a party with identity P as input, and outputs the same message but without disclosing the identity P to the recipient and the adversary.


Ideal pseudonymous channel

In an ideal pseudonymous channel, the participating parties first register unique pseudonyms with the ideal functionality \mathcal_. To do a transfer \mathcal_ takes a message m and the pseudonym nym of the recipient as input. The ideal functionality looks up the owner of the pseudonym and transfers the message m, nym without revealing the identity of the sender. These formalisations abstract from the implementation details of the concrete systems that implement such channels. In their pure form an ideal functionality may be found to be unrealizable. It may be necessary to relax the functionality by leaking more information to the adversary ( degree of anonymity). On the other hand communication channels can be physical, e.g. a
mobile device A mobile device (or handheld computer) is a computer small enough to hold and operate in the hand. Mobile devices typically have a flat LCD or OLED screen, a touchscreen interface, and digital or physical buttons. They may also have a physical ...
can achieve an anonymous channel by constantly changing its location before transmitting messages that do not contain
identifiers An identifier is a name that identifies (that is, labels the identity of) either a unique object or a unique ''class'' of objects, where the "object" or class may be an idea, physical countable object (or class thereof), or physical noncountable ...
.


Impossibility results

There exists no bit commitment protocol that is universally composable in the
Standard Model The Standard Model of particle physics is the theory describing three of the four known fundamental forces (electromagnetism, electromagnetic, weak interaction, weak and strong interactions - excluding gravity) in the universe and classifying a ...
. The intuition is that in the ideal model, the simulator has to extract the value to commit to from the input of the environment. This would allow the receiver in the real protocol to extract the committed value and break the security of the protocol. This impossibility result can be applied to other functionalities.


Setup and trust assumptions

To circumvent the above impossibility result, additional assumptions are required. Additional setup and trust assumptions, such as the
common reference string model Common may refer to: Places * Common, a townland in County Tyrone, Northern Ireland * Boston Common, a central public park in Boston, Massachusetts * Cambridge Common, common land area in Cambridge, Massachusetts * Clapham Common, originally com ...
and the assumption of a trusted
certification authority In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. Thi ...
are also modeled using ideal functionalities in UC.


Controversy and other models

* Reactive Simulatability is a similar model developed concurrently with the universal composability model. * Abstract/Constructive Cryptography Ueli Maurer. Constructive Cryptography - A New Paradigm for Security Definitions and Proofs. TOSCA 2011: 33-56 is a more recent general-purpose model for the composeable analysis of cryptographic protocols. * The GNUC and IITM model are reformulations of universal composability by other researcher (prominently,
Victor Shoup Victor Shoup is a computer scientist and mathematician. He obtained a PhD in computer science from the University of Wisconsin–Madison in 1989, and he did his undergraduate work at the University of Wisconsin-Eau Claire. He is a professor at ...
and Ralf Kuesters) that influenced new versions of the canonical model by
Ran Canetti Ran Canetti (Hebrew: רן קנטי) is a professor of Computer Science at Boston University. and the director of the Check Point Institute for Information Security and of the Center for Reliable Information System and Cyber Security. He is also ...
.


See also

*
Abstraction Abstraction in its main sense is a conceptual process wherein general rules and concepts are derived from the usage and classification of specific examples, literal ("real" or "concrete") signifiers, first principles, or other methods. "An abstr ...
* Burrows-Abadi-Needham logic *
Mathematical model A mathematical model is a description of a system using mathematical concepts and language. The process of developing a mathematical model is termed mathematical modeling. Mathematical models are used in the natural sciences (such as physics, ...
*
Secure multi-party computation Secure multi-party computation (also known as secure computation, multi-party computation (MPC) or privacy-preserving computation) is a subfield of cryptography with the goal of creating methods for parties to jointly compute a function over their ...


References

{{Cryptography navbox Theory of cryptography