a simpler variant of universally composable security for
play

A Simpler Variant of Universally Composable Security for Standard - PowerPoint PPT Presentation

A Simpler Variant of Universally Composable Security for Standard Multi Party Computation Chlo e H ebant Ecole Normale Sup erieure February 22, 2018 Chlo e H ebant (ENS) Working Group: SUC Security February 22, 2018 1 / 18


  1. A Simpler Variant of Universally Composable Security for Standard Multi Party Computation Chlo´ e H´ ebant Ecole Normale Sup´ erieure February 22, 2018 Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 1 / 18

  2. Introduction 1 Definition Interest Difficulties SUC Model 2 Communication model and rules π SUC-securely computes F SUC composition theorem Conclusion 3 Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 2 / 18

  3. Introduction Definition Context Protocol Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 3 / 18

  4. Introduction Definition Context Protocol Proof of security Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 3 / 18

  5. Introduction Definition Context Protocol Proof of security Adversary model → who? → capabilities? → goals? Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 3 / 18

  6. Introduction Definition Context Protocol Proof of security Security model Adversary model → who? → capabilities? → goals? Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 3 / 18

  7. Introduction Definition Context Protocol Proof of security Security model Adversary model → who? → capabilities? → goals? Indistinguishability → Find-then-Guess → Real-or-Random Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 3 / 18

  8. Introduction Definition Context Protocol Proof of security Security model Adversary model → who? → capabilities? → goals? Indistinguishability Simulation → Find-then-Guess → Classical Simulation → Real-or-Random → Universal Composability Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 3 / 18

  9. Introduction Definition Definition Universal Composability model is a security model for Multi Party Computation Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 4 / 18

  10. Introduction Definition Definition Universal Composability model is a security model for Multi Party Computation : n players P i owning x i , n -variable function f , Compute f ( x 1 , · · · , x n ) = ( y 1 , · · · , y n ) s.t. each P i learns y i and nothing more Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 4 / 18

  11. Introduction Definition Definition Universal Composability model is a security model for Multi Party Computation : n players P i owning x i , n -variable function f , Compute f ( x 1 , · · · , x n ) = ( y 1 , · · · , y n ) s.t. each P i learns y i and nothing more based on a simulation between a Real World and an Ideal World Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 4 / 18

  12. Introduction Definition Definition Universal Composability model is a security model for Multi Party Computation : n players P i owning x i , n -variable function f , Compute f ( x 1 , · · · , x n ) = ( y 1 , · · · , y n ) s.t. each P i learns y i and nothing more based on a simulation between a Real World and an Ideal World Real World : protocol, players, adversary Ideal World : ideal protocol, virtual players, ideal adversary Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 4 / 18

  13. Introduction Definition Definition Universal Composability model is a security model for Multi Party Computation : n players P i owning x i , n -variable function f , Compute f ( x 1 , · · · , x n ) = ( y 1 , · · · , y n ) s.t. each P i learns y i and nothing more based on a simulation between a Real World and an Ideal World Real World : protocol, players, adversary Ideal World : ideal functionality, virtual players, ideal adversary Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 4 / 18

  14. Introduction Definition Definition Universal Composability model is a security model for Multi Party Computation : n players P i owning x i , n -variable function f , Compute f ( x 1 , · · · , x n ) = ( y 1 , · · · , y n ) s.t. each P i learns y i and nothing more based on a simulation between a Real World and an Ideal World Real World : protocol, players, adversary Ideal World : ideal functionality, virtual players, simulation of the adversary Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 4 / 18

  15. Introduction Definition Definition Universal Composability model is a security model for Multi Party Computation : n players P i owning x i , n -variable function f , Compute f ( x 1 , · · · , x n ) = ( y 1 , · · · , y n ) s.t. each P i learns y i and nothing more based on a simulation between a Real World and an Ideal World Real World : protocol, players, adversary Ideal World : ideal functionality, virtual players, simulation of the adversary Ensure that an environment Z can’t distinguish between both worlds Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 4 / 18

  16. Introduction Definition Definition F x 1 y n x 2 x n y 2 y 1 P 1 P n · · · P 2 Figure 1: Ideal World Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 5 / 18

  17. Introduction Definition Definition F x 1 y n x 2 x n y 2 y 1 P 1 P n · · · P 2 Figure 1: Ideal World Construction of UC protocols: Define the ideal Functionality F Construct a protocol Π that realises F Make the proof: construct a simulator S Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 5 / 18

  18. Introduction Interest Interest 1: A can choose a distribution for the inputs In the UC model, no description of: what are the possible actions of the adversary the order of the requests the number of requests Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 6 / 18

  19. Introduction Interest Interest 1: A can choose a distribution for the inputs In the UC model, no description of: what are the possible actions of the adversary the order of the requests the number of requests The execution is taken as a whole: Z chooses the inputs of P i and A Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 6 / 18

  20. Introduction Interest Interest 1: A can choose a distribution for the inputs In the UC model, no description of: what are the possible actions of the adversary the order of the requests the number of requests The execution is taken as a whole: Z chooses the inputs of P i and A ⇒ Model attacks where the inputs are not uniform Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 6 / 18

  21. Introduction Interest Interest 2: The composition theorem Most important interest: If a protocol is UC secure then it is secure for concurrent executions Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 7 / 18

  22. Introduction Interest Interest 2: The composition theorem Most important interest: If a protocol is UC secure then it is secure for concurrent executions Example 1: UC-commitments → ZK Example 2: UC-secure authenticated key exchange + secure symmetric encryption → Secure channels Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 7 / 18

  23. Introduction Interest Interest 2: The composition theorem Most important interest: If a protocol is UC secure then it is secure for concurrent executions Example 1: UC-commitments → ZK Example 2: UC-secure authenticated key exchange + secure symmetric encryption → Secure channels ⇒ Because of these 2 points, the UC model is more secure than the Find-then-Guess or Real-or-Random models Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 7 / 18

  24. Introduction Difficulties Difficulty to define the ideal functionality Ideal Functionality for Secure Message Transfer Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 8 / 18

  25. Introduction Difficulties Difficulty to define the ideal functionality Ideal Functionality for Secure Message Transfer F l STM proceeds as follows: parameterized by leakage function l : { 0 , 1 } ⋆ → { 0 , 1 } ⋆ , Upon receiving an input (Send , sid , m ) from S , verify that sid = ( S , R , sid ′ ) for some R , else ignore the input. Next, send (Sent , sid , l ( m ) , m ) to R . text = private content Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 8 / 18

  26. Introduction Difficulties Difficulty to define the ideal functionality Ideal Functionality for Secure Message Transfer F l STM proceeds as follows: parameterized by leakage function l : { 0 , 1 } ⋆ → { 0 , 1 } ⋆ , Upon receiving an input (Send , sid , m ) from S , verify that sid = ( S , R , sid ′ ) for some R , else ignore the input. Next, send (Sent , sid , l ( m ) , m ) to R . text = private content For example: leaking l ( m ) = length( m ) is important because no cryptosystem can fully hide the size of the information being encrypted Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 8 / 18

  27. Introduction Difficulties Difficulties in proofs In UC model, proofs more complex than in game based security: no rewind, need extractable inputs ⇒ protocol more complex no end when the adversary wins ⇒ proofs more complex Chlo´ e H´ ebant (ENS) Working Group: SUC Security February 22, 2018 9 / 18

Recommend


More recommend