IPAM ’06 Tutorial Security and Composition of Cryptographic Protocols Ran Canetti IBM Research.

Slides:



Advertisements
Similar presentations
Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Advertisements

Secure Multiparty Computations on Bitcoin
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Survey: Secure Composition of Multiparty Protocols Yehuda Lindell Bar-Ilan University.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
Impossibility Results for Concurrent Two-Party Computation Yehuda Lindell IBM T.J.Watson.
1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
Jointly Restraining Big Brother: Using cryptography to reconcile privacy with data aggregation Ran Canetti IBM Research.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
Survey: Secure Composition of Multiparty Protocols Yehuda Lindell IBM T.J. Watson.
Tutorial on Secure Multi-Party Computation
Optimistic Synchronous Multi-Party Contract Signing N. Asokan, Baum-Waidner, M. Schunter, M. Waidner Presented By Uday Nayak Advisor: Chris Lynch.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Universally Composable Symbolic Analysis of Key-Exchange Protocols Jonathan Herzog (Joint work with Ran Canetti) 21 September 2004 The author's affiliation.
Universally Composable Symbolic Analysis of Security Protocols Jonathan Herzog (Joint work with Ran Canetti) 7 June 2004 The author's affiliation with.
Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
1 Cross-Domain Secure Computation Chongwon Cho (HRL Laboratories) Sanjam Garg (IBM T.J. Watson) Rafail Ostrovsky (UCLA)
Computer Science Public Key Management Lecture 5.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Information-Theoretic Security and Security under Composition Eyal Kushilevitz (Technion) Yehuda Lindell (Bar-Ilan University) Tal Rabin (IBM T.J. Watson)
Adaptively Secure Broadcast, Revisited
8. Data Integrity Techniques
How to play ANY mental game
Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University 04/09/08 CRYP-202 Legally-Enforceable Fairness in Secure Two-Party Computation.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Secure Multi-Party Computation.
Fall 2002CS 395: Computer Security1 Chapter 11: Message Authentication and Hash Functions.
11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.
Password Mistyping in Two-Factor Authenticated Key Exchange Vladimir KolesnikovCharles Rackoff Bell LabsU. Toronto ICALP 2008.
On the Communication Complexity of SFE with Long Output Daniel Wichs (Northeastern) joint work with Pavel Hubáček.
Rational Cryptography Some Recent Results Jonathan Katz University of Maryland.
6.897: Advanced Topics in Cryptography Lecturers: Ran Canetti, Ron Rivest.
Game-based composition for key exchange Cristina Brzuska, Marc Fischlin (University of Darmstadt) Nigel Smart, Bogdan Warinschi, Steve Williams (University.
Secure Computation (Lecture 2) Arpita Patra. Vishwaroop of MPC.
On Simulation-Sound Trapdoor Commitments Phil MacKenzie, Bell Labs Ke Yang, CMU.
6.897: Selected Topics in Cryptography Lecturers: Ran Canetti, Ron Rivest Scribe?
Authenticated Key Exchange I. Definitions I. MAP I. matching conversations II. oracles II. (I)KA II. AKEP2 III. AKEP2 Security I. Session Keys II. Perfect.
Universally Composable computation with any number of faults Ran Canetti IBM Research Joint works with Marc Fischlin, Yehuda Lindell, Rafi Ostrovsky, Tal.
6.897: Selected Topics in Cryptography Lectures 11 and 12 Lecturers: Ran Canetti, Ron Rivest Scribes?
SysRép / 2.5A. SchiperEté The consensus problem.
Andrew Lindell Aladdin Knowledge Systems and Bar-Ilan University 04/08/08 CRYP-106 Efficient Fully-Simulatable Oblivious Transfer.
1/28 Chosen-Ciphertext Security from Identity- Based Encryption Jonathan Katz U. Maryland Ran Canetti, Shai Halevi IBM.
Round-Efficient Multi-Party Computation in Point-to-Point Networks Jonathan Katz Chiu-Yuen Koo University of Maryland.
Universally Composable Authentication and Key-exchange with Global PKI Ran Canetti (TAU and BU) Daniel Shahaf (TAU) Margarita Vald(TAU) PKC2016 Taipei,
Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption.
Topic 36: Zero-Knowledge Proofs
6.897: Selected Topics in Cryptography Lectures 7 and 8
Presentation transcript:

IPAM ’06 Tutorial Security and Composition of Cryptographic Protocols Ran Canetti IBM Research

Nice sun...

yeah...

You know, I lost more than you in the stock market.

No way. How much did you lose?

I won’t tell you… How much did you lose?

You tell first!

No, you tell first!

No, you tell first!

I lost X $ is X>Y? I lost Y $

I lost X $ is X>Y? I lost Y $ The millionaires problem [Yao82]

Cryptographic protocol problems Two or more parties want to perform some joint computation, while guaranteeing “security” against “adversarial behavior”.

Some security concerns Correctness of local outputs: –As a function of all inputs –Distributional and bias guarantees –Unpredictability Secrecy of local data and inputs Privacy Fairness Accountability Availability

Cryptographic protocol problems: Secure Communication Two (or more) parties want to communicate “securely”: Authentication: Recipient will accept only messages that were sent by the specified sender. Secrecy: Contents of messages should remain unknown to third parties. Related tasks: Key-exchange: The parties agree on a random key that remains secret to eavesdroppers. Encryption (shared key, public key) Digital signatures (shared key, public key) (Here the adversary is an “external entity”) Very prevalent in practice (SSL,TLS,IPSEC,SSH,PGP,…)

Cryptographic protocol problems: Two-party tasks Coin tossing [Blum 82] Generate a common uniformly distributed bit (or string). The output should be “unbiased” and “unpredictable”. Zero-Knowledge [Goldwasser-Micali-Rackoff 85] P proves to V that x L “without revealing extra info”. Commitment [Blum 82] Two stage process: - C gives x to V “in an envelope” (i.e., x is fixed but remains unknown to V). - C enables V to “open the envelope” (i.e., retrieve x). (Here the parties typically dont trust each other.)

Cryptographic protocol problems: Multiparty tasks and applications Electronic voting: Correctness, acountability, privacy, coersion-freeness... “E-commerce”: Fairness, accountability –On-line Auctions, trading and financial markets, shopping On-line gambling: Unpredictability, accountability... Computations on databases: Privacy –Private information retrieval –Database pooling Secure distributed storage: Availability, integrity, secrecy –Centrally controlled –Open, peer-to-peer systems

Many cryptographic protocols were developed over the years: General constructions (given authenticated comunication): can evaluate any function of the inputs of the parties “in a secure way” [Y86,GMW87,BGW88,RB89,...] Obtaining authenticated and secure communication [DH78,NS78,B+91,BR93...] More efficient constructions for specific problems Deployed systems A plethora of cryptographic protocols

But, what does it really mean that a protocol is “secure”? Rigorously capturing the intuitive notion of security is a tricky business… Main stumbling points: Unexpected inter-dependence between security requirements Unexpected bad interactions between different protocol instances in a system ➔ Security is very sensitive to the execution environment.

Developing notions of security Initially, notions of security were problem-specific (e.g., Encryption, Coin-tossing, Zero-Knowledge, Signatures...) Subsequently, general frameworks for caprturing security of tasks were developed, e.g. [Goldwasser- Levin90,Micali-Rogaway91,Beaver91,C95,C00, Dodis-Micali00, Pfitzmann-Waidner 00&01, C01, Mitchell-Scedrov-Ramanathan- Teague01, Mateus-Mitchell-Scedrov03, Kuesters06 ] –All of these frameworks follow (in one way or another) a single paradigm: “The trusted party paradigm”.

In favor of a general notion of security Provides better understanding of security concerns, various primitives, and the relations among them. Provides a basis for making claims about behavior of protocols in unknown environments: –“A protocol that realizes a task can be used in conjunction with any protocol that uses the task” –“Protocols that realize this task continue to realize it in any execution environment”

In this tutorial: Part 1: Basic security Motivate and present the “Trusted party paradigm”. Review a basic formalization of the approach (based on [C, JoC 00]). See examples. Discuss feasibility. Part 2: Security and composition Discuss secure protocol composition: –Show what can go wrong –Discuss settings and requirements Demonstrate the limited compositional properties of the basic definition Part 3: Universally Composable security Present the notion (based on [C, FOCS'01]) Demonstrate secure composability properties Discuss feasibility, possible relaxations. Explore connections to “formal analysis” of protocols.

Defining security: First attempts Let's start with a simple setting: Two parties Function evaluation: –There is a known function f –Party P i (i=1,2) has input x i –Both parties wish to “securely” obtain y=f(x 1,x 2 ). The only potentially adversarial entities are the parties themselves.

What are the security requirements?

Correctness: The honest party (parties) output a correct function value of the inputs of the parties. Secrecy: Each party learns only the function value. (“The view of each party can be generated given only its input and output.”)

What are the security requirements? Correctness: The honest party (parties) output a correct function value of the inputs of the parties. Secrecy: Each party learns only the function value. (“The view of each party can be generated given only its input and output.”) Are we done?

But... The “function value” depends on the inputs provided by the parties. How to define these inputs? –Given from above? Unrealizable... –Chosen during the run of the protocol? Dangerous...

Example Function: f(x 1,x 2 ) = x 1 xor x 2 Protocol: –P 1 sends x 1 to P 2. –P 2 sends x 2 to P 1. –Both parties output x 1 xor x 2. Is the protocol secure? P 2 can decide the function value as a function of x 1. But: the protocol satisfies: –Correctness: The parties output the correct function of the inputs –Secrecy: trivial, since x 1 is computable from x 2 and x 1 xor x 2.

Conclusions: The definition should also limit the way the inputs to the computation are chosen. Secrecy and correctness are “weaved together”: –Correctness requires some flavor of secrecy –Secrecy depdends on the correctness

Conclusions: The definition should also limit the way the inputs to the computation are chosen. Secrecy and correctness are “weaved together”: –Correctness requires some flavor of secrecy –Secrecy depdends on the correctness What about the case where parties are guaranteed to follow the protocol? Here the inputs are well defined and correctness seems straighforward. Is the definition adequate there?

Another example Function: f(x 1,x 2 ) = r R {0,1} k Protocol: –Let f be a one-way permutation on {0,1} k. –P 1 chooses s R {0,1} k, and sends r=f(s) to P 2. –Both parties output r. Is the protocol secure? P 1 knows a “trapdoor information” on r. P 2 cannot feasibly compute this information. (Why is this bad?) But: the protocol satisfies: –Correctness: The output is distributed uniformly in {0,1} k. –Secrecy: Trivial, there are no inputs.

Conclusion: The definition should also specify the process by which the outputs are chosen, not just the distribution.

The general definitional approach [Goldreich-Micali-Wigderson87] ‘A protocol is secure for some task if it “emulates” an “ideal process” where the parties hand their inputs to a “trusted party”, who locally computes the desired outputs and hands them back to the parties.’ But, how to formalize?

A basic formalization (based on [Goldwasser-Levin90,Micali-Rogaway91,Beaver91,C95,C00]) Formalize the process of protocol execution in presence of an adversary Formalize the “ideal process” for realizing the functionality Formalize the notion of “a protocol emulates the ideal process for a functionality.”

The model for protocol execution : P1P1 P3P3 P4P4 P2P2 A Participants: Parties P 1 …P n Adversary A, controlling the corrupted parties.

The model for protocol execution : P1P1 P3P3 P4P4 P2P2 A The parties and the adversary get external input. Participants: Parties P 1 …P n Adversary A, controlling the corrupted parties.

The model for protocol execution : P1P1 P3P3 P4P4 P2P2 A The parties and the adversary get external input. The parties and adversary interact (parties running the protocol, A interferes according to the model.) Participants: Parties P 1 …P n Adversary A, controlling the corrupted parties.

The model for protocol execution : P1P1 P3P3 P4P4 P2P2 A The parties and the adversary get external input. The parties and adversary interact (parties running the protocol, A interferes according to the model.) The parites and the adversary generate their local outputs. Participants: Parties P 1 …P n Adversary A, controlling the corrupted parties.

The ideal process (for evaluating function F): P1P1 P3P3 P4P4 P2P2 S Participants: Parties P 1 …P n Adversary S, controlling the corrupted parties. The ideal process (for evaluating function F):

P1P1 P3P3 P4P4 P2P2 S The parties and the adversary get external input. Participants: Parties P 1 …P n Adversary S, controlling the corrupted parties. The ideal process (for evaluating function F):

P1P1 P3P3 P4P4 P2P2 F S The parties and the adversary get external input. The parties and adversary hand Their inputs to a “trusted party”. The trusted party locally evaluates F on the parties' inputs and hands each party Its prescribed output. Participants: Parties P 1 …P n Adversary S, controlling the corrupted parties. The ideal process (for evaluating function F):

P1P1 P3P3 P4P4 P2P2 F S The parties and the adversary get external input. The parties and adversary hand Their inputs to a “trusted party”. The trusted party locally evaluates F on the parties' inputs and hands each party Its prescribed output. The parties output the value received from F; the adversary outputs an arbitrary value. Participants: Parties P 1 …P n Adversary S, controlling the corrupted parties. The ideal process (for evaluating function F):

A protocol emulates the ideal process for evaluating F if for any (PPT) adversary A there exists a (PPT) adversary S such that for any set of external inputs: The outputs of the uncorr. parties running with A in the ideal process with S The output of A ~ The output of S In this case, we say that securely realizes functionality F. Definition of security ~

Correctness : In the ideal process the parties get the “correct” outputs, based on the inputs of all parties. Consequently, the same must happen in the protocol execution (or else the first condition will be violated). Secrecy: In the ideal process the adversary learns nothing other than the outputs of bad parties. Consequently, the same must happen in the protocol execution (or else the second condition will be violated). “Input independence:” The bad parties cannot choose their inputs based on the inputs of the honest parties (since they cannot do so in the ideal process). … Implications of the definition

Example: The millionaires functionality 1.Receive (x 1 ) from party P 1 2.Receive (x 2 ) from party P 2 3.Set b = (x 1 >x 2 ). output b to both parties. Note: Both parties are assured that they receive the correct bit Neither party learns any information other than the bit b.

Example: The xor function 1.Receive (x 1 ) from party P 1 2.Receive (x 2 ) from party P 2 3.Set b = (x 1 xor x 2 ). output b to both parties.

Example: The xor function 1.Receive (x 1 ) from party P 1 2.Receive (x 2 ) from party P 2 3.Set b = (x 1 xor x 2 ). output b to both parties. What about the above “bad protocol”?

Reminder: The bad protocol –P 1 sends x 1 to P 2. –P 2 sends x 2 to P 1. –Both parties output x 1 xor x 2.

Example: The xor function 1.Receive (x 1 ) from party P 1 2.Receive (x 2 ) from party P 2 3.Set b = (x 1 xor x 2 ). output b to both parties. The above “bad protocol” is no longer secure. Assume x 1 is random: In the protocol execution A (controlling P 2 ) can always force the output of P 1 to be 0. In the ideal process, P's output is always random (since P's input is independent from x 1 ).

Example: The coin tossing functionality 1.Receive “start” from P 1 2.Receive “start” from P 2 3.Choose r  R {0,1} k, output r to the parties.

Example: The coin tossing functionality 1.Receive “start” from P 1 2.Receive “start” from P 2 3.Choose r  R {0,1} k, output r to the parties. What about the above “bad protocol” ?

Reminder: The bad protocol –Let f be a one-way permutation on {0,1} k. –P 1 chooses s R {0,1} k, and sends r=f(s) to P 2. –Both parties output r.

Example: The coin tossing functionality 1.Receive “start” from P 1 2.Receive “start” from P 2 3.Choose r  R {0,1} k, output s to the parties. The bad protocol still satisfies the definition: The uncorrupted party (P 2 ) outputs a random value in both cases In the ideal process, S gets r from F. But it can ignore r, and instead choose a random s and output (s,f(s)). This would have the right distribution... So, what's wrong?

A protocol emulates the ideal process for evaluating F if for any (PPT) adversary A there exists a (PPT) adversary S such that for any set of external inputs: The outputs of the uncorr. parties running with A in the ideal process with S The output of A ~ The output of S Reminder: Definition of security ~

A protocol emulates the ideal process for evaluating F if for any (PPT) adversary A there exists a (PPT) adversary S such that for any set of external inputs: The outputs of the uncorr. parties running with A in the ideal process with S The output of A ~ The output of S Weakness: Need to “tie together” the outputs of the adversary and of the uncorrupted parties. Reminder: Definition of security ~

A protocol emulates the ideal process for evaluating F if for any (PPT) adversary A there exists a (PPT) adversary S such that for any set of external inputs: [The outputs of all parties and A] ~ [The outputs of all parties and S] Corrected definition of security

Coin tossing once more 1.Receive “start” from P 1 2.Receive “start” from P 2 3.Choose r  R {0,1} k, output r to the parties. The bad protocol no longer satisfies the definition: The “global output” of the protocol execution is (r,f -1 (r)) In the ideal process, S gets r from F; to satisfy the definition, S now has to output f -1 (r)...

An alternative formulation: E Ideal process: Protocol execution: P1P1 P3P3 P4P4 P2P2 A P1P1 P3P3 P4P4 P2P2 F S securely realizes F if: For any A there is an S s.t no environment E can tell if it interacts with: - A run with and A - A run with F and S E

Another example: The ZK functionality, F ZK (for relation R) 1.Receive (x,w) from party P (“the prover”) 2.Receive (x) from party V (“the verifier”) 3.Output R(x,w) to V. Note: V is assured that it accepts only if R(x,w)=1 (soundness) P is assured that V learns nothing but R(x,w) (Zero-Knowledge)

Comparison with the traditional formulation Traditionally ZK is defined using three separate requirements (Completeness, Soundness, Zero-Knowledge) Here there is an apparent “proof of knowledge” requirement Still the two formalizations are “essentially equivalent”: Theorem: A protocol securely realizes F ZK for relation R if and only if it is a computationally sound ZK proof of knowledge for R (with non-black-box extractors). (Assume that there is an input # s.t. R(x,#)=0 for all x, else augment R accordingly.)

Additional “definitional details”: What is the model of communication: –Asynchronous? Synchronous? –Secret? Authenticated? Unauthenticated? –Point-to-point? broadcast? How do parties address each other? Can we model “open systems” where parties join during the computation? Can we model reactive tasks? How to model PPT computation in a meaningful way? Need a better model of computation...

The basic model: Highlights (based on [C, iacr eprint 2000/067, Dec 05]) The basic computing unit: PPT Interactive TM –Externally writable tapes: Input, incoming comm, subroutine output –Identity tape (identity “in software”) –Polytime in input length, minus length of inputs written to others ITMs can: – invoke other ITMs (specifying code and identity of invokee) –write to tapes of other ITMs (one write per activation). (subject to restrictions specified by a “control function”) Order of activations: An initial ITM is specified. ITM whose tape is last written to is activated next.

The protocol execution model: Highlights Environment: Invokes the adversary and as many parties as wants, gives inputs and identities, reads outputs. Parties: Run their code, send messages only to adversary. Adversary: Delivers arbitrary messages to parties. Notes: Captures asynchronous, unauthenticated comm. (To capture other comm. models, add structure) Party corruptions modeled as special messages from adv. Env gives one input to and reads one output from adv

The ideal process: Highlights Modeled as a special protocol within the general model: –All parties copy their inputs to a special ITM (“Ideal functionality”) F, –Copy the outputs from F to environment Can capture reactive tasks in a natural way (interactive F) F can interact directly with adversary, allowing for finer- grain specification of security properties: –Messages from Adv capture “allowed influence” –Messages to Adv captures “allowed info leakage” Pro: very expressive. Con: very expressive.

Example: The commitment functionality 1.Upon receiving (“commit”,C,V,x) from party C, record x, and send (C, “receipt”) to V. 2.Upon receiving (“open”) from C, send (C,x) to V and halt. Note: V is assured that the value it received in step 2 was fixed in step 1. P is assured that V learns nothing about x before it is opened.

Example: The commitment functionality 1.Upon receiving (“commit”,C,V,x) from party C, record x, and send (C, “receipt”) to V. 2.Upon receiving (“open”) from C, send (C,x) to V and halt. But, need to allow the adverary to delay outputs of V, otherwise the requirement is unrealistically strong...

Example: The commitment functionality 1.Upon receiving (“commit”,C,V,x) from party C, record x, and send (C, “receipt”) to adv. When adv says “OK”, send (C, “receipt”) to V. 2.Upon receiving (“open”) from C, send (C,x) to V and halt.

Example: The commitment functionality 1.Upon receiving (“commit”,C,V,x) from party C, record x, and send (C, “receipt”) to V. 2.Upon receiving (“open”) from C, send (C,x) to V and halt. 3.Upon receiving a “corrupt C” from Adv, hand x to Adv.

Example: The commitment functionality 1.Upon receiving (“commit”,C,V,x) from party C, record x, and send (C, “receipt”) to V. When adv says “OK”, send (C, “receipt”) to V. 2.Upon receiving (“open”) from C, send (C,x) to V and halt. But, what if the commiter gets corrupted?

Example: The commitment functionality 1.Upon receiving (“commit”,C,V,x) from party C, record x, and send (C, “receipt”) to V. When adv says “OK”, send (C, “receipt”) to V. 2.Upon receiving (“open”) from C, send (C,x) to V and halt. 3.Upon receiving a “corrupt C” from Adv, hand x to Adv. Is that enough?

Example: The commitment functionality 1.Upon receiving (“commit”,C,V,x) from party C, record x, and send (C, “receipt”) to V. When adv says “OK”, send (C, “receipt”) to V. 2.Upon receiving (“open”) from C, send (C,x) to V and halt. 3.Upon receiving a “corrupt C” from Adv, hand x to Adv. Is that enough? What if the committer gets corrupted immediately after it was invoked, and the adversary changes the committed bit?

Example: The commitment functionality 1.Upon receiving (“commit”,C,V,x) from party C, record x, and send (C, “receipt”) to V. When adv says “OK”, send (C, “receipt”) to V. 2.Upon receiving (“open”) from C, send (C,x) to V and halt. 3.Upon receiving a “corrupt C” from Adv, hand x to Adv. If V didnt yet get “receipt” then allow Adv to change x. Is this enough?

Example: The commitment functionality 1.Upon receiving (“commit”,C,V,x) from party C, record x, and send (C, “receipt”) to V. When adv says “OK”, send (C, “receipt”) to V. 2.Upon receiving (“open”) from C, send (C,x) to V and halt. 3.Upon receiving a “corrupt C” from Adv, hand x to Adv. If V didnt yet get “receipt” then allow Adv to change x. Is this enough? Seems so...

[Yao86]: Can realize any two-party functionality for honest-but-curious parties. [GMW87]: Given authenticated communication, can realize any ideal functionality: –with any number of faults (without guarantee termination) –With up to n/2 faults (with guaranteed termination) [Ben-Or-Goldwasser-Wigderson88, Chaum-Crepeau-Damgard88]: Assuming secure channels, can do: –Unconditional security with n/3 faults –Adaptive security Many improvements and extensions [RB89,CFGN95,GRR97,…] General feasibility results (with respect to this definition)

Represent the code of the trusted party as a circuit. Evaluate the circuit gate by gate in a secure way against honest-but-curious faults. “Compile” the protocol to obtain resilience to malicious faults: –[GMW87]: Use general ZK proofs –[BGW88,CCD88]: Use special-purpose algebraic proofs The basic technique

Part II: Security under protocol composition

So far, we considered only a single protocol execution, in isolation. Does security in this setting imply security in a multi-execution setting? Is security preserved under protocol composition?

So far, we considered only a single protocol execution, in isolation. Does security in this setting imply security in a multi-execution setting? Why should we care? –We can always directly analyze the entire system... Is security preserved under protocol composition?

Modular design and analysis of protocols: –Break down a complex system into simpler chunks. –Analyze protocols for each of the chunks (as stand-alone). –Deduce the security of the original, composite system. Security in unknown environments: –Guarantee security when the protocol is running alongside potentially unknown protocols (that may even be designed later, depending on the analyzed protocol). Two benefits of security-preserving composition of protocols

Parallel composition of ZK protocols [Goldreich-Krawczyk88] : Assume the following gadget. The verifier V can generate “puzzles” such that: –The prover P can solve puzzles –V cannot distinguish a solution from a random element (even for puzzles that it generated). Can be constructed either assuming P is unbounded, or under computational assumptions [Feige89]. Security under composition: 1 st Example

Take a ZK protocol and add the following: –P sends a puzzle p to V –If V gives a solution s to p then reveal the secret witness. –Else, if V returns a puzzle p' then send a solution s' for p'. Parallel composition of ZK protocols

Take a ZK protocol and add the following: –P sends a puzzle p to V –If V gives a solution s to p then reveal the secret witness. –Else, if V returns a puzzle p' then send a solution s' for p'. If the original protocol is ZK, then so is the modified protocol: –V will never solve the challenge puzzle p –The solution s' can be simulated by a random string (Indeed, in a stand-alone setting, the addition is harmless.) Parallel composition of ZK protocols

Assume V interacts with P in two sessions concurrently. Then there is an attack: V obtains p1 from P in session 1 V gives p1 as its “p'” in session 2, gets a solution s1 V gives s1 to P in session 1, and obtains the witness... Conclusion: Running even two instances of the same protocol in parallel is not secure... Parallel composition of ZK protocols

2 nd example: Key exchange and secure channels

Authenticated Key Exchange The goal: Two parties want to generate a common, random and secret key over an untrusted network. The main use is to set up a secure communication session: Each message is encrypted and authenticated using the generated key. AB

The basic security requirements Key agreement: If two honest parties locally generate keys associated with each other then the keys are identical. Key secrecy: The key must be unknown to an adversary.

Encryption-based protocol [based on Needham-Schroeder-Lowe,78+95] AB ENC EB (N A,A, B) ENC EA (N A, N B,A, B) ENC EB (N B ) If decryption and identity Checks are ok then Choose a random k-bit N B and send (knows B’s encryption key EB)(knows A’s encryption key EA) If nonce check is ok then Output N B Choose a random k-bit N A If identity and nonce checks are ok then output N B and send

The protocol satisfies the requirements: Key agreement: If A, B locally output a key with each other, then this key must be N B. (Follows from the “untamperability” of the encryption.) Key secrecy: The adversary only sees encryptions of the key, thus the key remains secret. (Follows from the secrecy of the encryption.) (Indeed, the protocol securely realizes the KE functionality under the basic definition)

Attack against the protocol: AB ENC EB (N A,A, B) ENC EA (N A, N B,A, B) ENC EB (N B ) Assume that A uses the generated key to encrypt a buy/sell message M, using one-time-pad: N B +M

Attack against the protocol: AB ENC EB (N A,A, B) ENC EA (N A, N B,A, B) ENC EB (N B ) Assume that A uses the generated key to encrypt a buy/sell message M, using one-time-pad: C=N B +M ENC EB (C+ “sell”) Attacker knows that either C=N B + “sell”, or C=N B + “buy”. This can be checked: If B accepts the exchange then M= “sell”...

The problem: The adversary uses B as an “oracle” for whether it has the right key. But the weakness comes to play only in conjunction with another protocol (which gives the adversary two posible candidates for the key...)

Example III: Malleability of commitment [Dolev-Dwork-Naor91] A naive auction protocol using commitments: Phase 1: Each bidder publishes a commitment to its bid. Phase 2: Bidders open their commitments.

Example III: Malleability of commitments [Dolev-Dwork-Naor91] A naive auction protocol using commitments: Phase 1: Each bidder publishes a commitment to its bid. P1 P2 A C=Com(v) C’ Phase 2: Bidders open their commitments. P1 P2 A v v+1 Attack:

The problem: The stand-alone definition does not guarantee that the committed values in different instances are independent from each other. This is a whole new security concern, that does not exist in the stand-alone model...

Non-malleable commitments [DDN91] Guarantee “input independence” for commitments in the case where two instances of the same commitment protocol run concurrently.

Non-malleable commitments [DDN91] Guarantee “input independence” for commitments in the case where two instances of the same commitment protocol run concurrently. What about multiple instances? Different protocols? Seems hopeless: Given a commitment protocol C, define the protocol C': –To commit to x, run C on x-1. Now, all the attacker has to do is to claim it uses C' and copy the commitment and decommitment messages...

Ways to compose protocols: S

Timing coordination: –Sequential, Non-concurrent, Parallel, Concurrent Input coordination: –Same input, Fixed inputs, Adaptively chosen inputs Protocol coordination: –Self composition, General composition State coordination: –Indepdendent states, Shared state Number of instances: –Fixed, Bounded, Unbounded Ways to compose protocols: Salient parameters

Universal composition (Idea originates in [Micali-Rogaway91]) The idea: Generalize “subroutine substitution” of sequential algorithms to distributed protocols. Start with: Protocol that uses calls to Protocol Construct the composed protocol : Each call to is replaced with a call to. Each value returned from is treated as coming from.

Universal Composition (single subroutine call) 

➔  ➔

Universal Composition (many subroutine calls) ➔

Can represent any of the composition scenarios discussed in the literature, by using the appropriate “calling protocol,”. ➔ Enough to consider a single composition operation... Why study universal composition?

What should be the security requirements under protocol composition?

Can have a list of properties to be preserved: –Correctness –Secrecy –Input independence –... ➔ But, again, how do we know we got it all... What should be the security requirements under protocol composition?

Recall the notion of protocol emulation: emulates if for any adversary A there exists an adversary S such that no environment E can tell if it runs with and A or with and S. Definition: emulates with -composable security if protocol emulates protocol. Goal: Find a definition that provides - composable security for as many protocols as possible. A proposed security requirement:

Intuitively, should be composable: It is explicitly required that no environment can tell the difference between running and running... As long as subroutine calls are non-concurrent, the intuition holds: What are the composability properties of basic security?

The non-concurrent composition theorem: [C. 00] If emulates and in no two protocol copies are running concurrently, then protocol emulates protocol. Corollary: If securely realizes functionality G then so does. (a similar composition theorem was proven in [Micali-Rogaway91] With respect to their notion, for info-theoretic funtion evaluation.)

Proof idea: –Given adv A against, construct an adv A against a single instance of. –Obtain a simulator S. –Construct an adversary that interacts with, given A and S. –Show validity by contradition...

We already saw counter examples: –Zero-Knowledge –Key Exchange –Commitment Other examples exist, even with information-theoretic security, and even with a single subroutine call... [Lindell-Lysyanskaya-Rabin02, Kushilevitz-Lindell- Rabin06] What about concurrent subroutine calls?

Part III: Universally Composable Security

Why isn't basic security preserved under concurrent composition? Recall the definition...

Basic security: E Ideal process: Protocol execution: P1P1 P3P3 P4P4 P2P2 A P1P1 P3P3 P4P4 P2P2 F S securely realizes F if: For any A there is an S s.t no environment E can tell if it interacts with: - A run with and A - A run with F and S E

Why isn't basic security preserved under concurent composition? The “information flow” between the extenal environment and the adversary is limited: –Initial input –Final output Instead, in concurrent executions there is often “circular adversarieal information flow” among executions: execution 1 -> execution 2 -> execution 1 these are not captured...

Universally Composable Security [C. 98,01] The main difference from the basic notion: The environment interacts with the adversary in an arbitrary way throughout the protocol execution. Also, add structure to the model to facilitate distinguishing among protocol instances in a system. (Add “a session identifier (SID)” as part of each ID.) Similar ideas appear in [Pfitzmann-Waidner00,01]

UC security: P1P1 P3P3 P4P4 P2P2 F P1P1 P3P3 P4P4 P2P2 S A E Ideal process: Protocol execution:

UC security: P1P1 P3P3 P4P4 P2P2 F P1P1 P3P3 P4P4 P2P2 S A E Protocol UC-realizes F if: For any adversary A There exists an adversary S Such that no environment E can tell whether it interacts with: - A run of with A - An ideal run with F and S Ideal process: Protocol execution:

The universal composition theorem: [C. 01] If UC-emulates then protocol UC-emulates protocol. Corollary: If UC-realizes functionality G then so does.

Proof idea: Same outline as the non-concurrent case: –Given adv A against, construct an adv A against a single instance of. –Obtain a simulator S. –Construct an adversary that interacts with, given A and multiple instances of S. –Show validity by contradition...

Implications of the UC theorem Modular protocol design and analysis Enabling sound formal and symbolic analysis Representing communication models as “helper” ideal functionalities

Questions: Are known protocols UC-secure? (Do these protocols realize the ideal functionalities that represent the corresponding tasks?) How to design UC-secure protocols? zcyk02]

Positive results: secure communication Can capture: –Message authentication –Entity authentication –Secure communication –Key exchange In a way that “accepts reasonable protocols” and matches (roughly) known definitions [C-Krawczyk*]. (MANY details swiped under the carpet...)

Positive results: Signatures and encryption Can also capture: –CCA-secure encryption –EU-CMA signatures

Positive results: General functionalities with honest majority Thm: If the corrupted parties are a minority then can realize any functionality. (e.g. use the protocols of [BenOr-Goldwasser-Wigderson88, Rabin-BenOr89,Canetti-Feige-Goldreich-Naor96] ).

What about two-party functionalities? Known protocols do not work. (“black-box simulation with rewinding” cannot be used). Many interesting functionalities (commitment, ZK, coin tossing, Oblivious Transfer, etc.) cannot be realized at all, even if authenticated communication is ideally given. Impossibility holds for large classes of functionalities [C-Kushilevitz-Lindell03,Datta etal06] Same for general multi-party computation without honest majority.

Theorem: There exists no two-party protocol that UC- realizes F com, even given authenticated communication. Proof Idea: Let P be a protocol that realizes F com in the plain model, and let S be an ideal-process adversary for P, for the case that the commiter is corrupted. Recall that S has to explicitly give the committed bit to F com before the opening phase begins. This means that S must be able to somehow “extract” the committed value b from the corrupted committer. However, in the UC framework S has no advantage over the real-life verifier. Thus, a corrupted verifier can essentialy run S and extract the committed bit b from an honest committer, before the opening phase begins, in contradiction to the secrecy of the commitment.

Is UC-security too strong? Can we have a weaker notion of security that would still meet our notion of composable security for any calling protocol, but will allow realization of, say, F com ? Note: In -composable security we only required that emulates, whereas here we get that UC-emulates.

Is UC-security too strong? Can we have a weaker notion of security that would still meet our notion of composable security for any calling protocol, but will allow realization of, say, F com ? Note: In -composable security we only required that emulates, whereas here we get that UC-emulates. But: Claim: Let and be protocols such that emulates for any protocol. Then UC-emulates. (Similar results in [Lindell 04].) So, if we relax UC-security, we either give up on composability or on basic security.

Getting around the impossibility... Main approaches: Relax the formulation of the functionality (good for specific tasks...) Add set-up assumptions Relax the notion of security

Adding set-up assumptions The idea: Assume that the parties have access to some initial information that is generated “in a trusted way”. (Quite common in cryptography, e.g. PKI for secure communication.) Formally, add to the model an ideal functionality that provides the appropriate service to the parties.

The common reference string set-up The idea: All parties have access to a string that is drawn from a given distribution “in a trusted way”. Formalization: Functionality F CRS that simply chooses a string c with the specified ditrribution and hands it to all parties and the adversary.

Feasibility in the CRS model Can realize commitment, ZK [C-Fischlin 01] Can have non-interactive ZK [C-Lindell-Ostrovsky-Sahai02] Can realize any functionality with any number of faults [CLOS02, based on GMW87]

Drawbacks of the CRS model Requires putting much trust in a single construct (entity) The modeling is problematic: Implicitly assumes that the CRS is used only by a single protocol instance. One way to resolve: Design protocols in a specific way so that multiple instances can use the same CRS (use a “UC with joint state” theorem [C- Rabin03] ). But what about composition with arbitrary other protocols that use the same CRS? (A good example: Deniability)

The CRS model: Alternative formulation To capture the fact that the CRS can be used by other protocols, let F CRS give the chosen string also directly to the environment. Now can demonstrate that deniability is not a problem... But: Thm: The impossibility result for commitment holds even in the (modified) CRS model... [C-dodis-Pass-Walfish06] Are we back to square 1?

An alternative set-up assumption: The “key registration model” Each party registers a (secret, public) key pair with a “PKI authority”. The authority makes public keys available to anyone, and keeps secret keys to itself. Can relax: –Parties can copy keys of others –Honest parties need not know their secret keys Trust can be “distributed”

Feasibility in the KR model: Can reproduce the general feasibility results [Barak-C-Nielsen-Pass04] Can show that the results holds even if the same setup is used by arbitrary other protocols [CDPW06]

Anther set-up assumption: Signature card [Hofheinz,Quade-Muller,Unruh06]

Relaxing the notion of security [Prabhakaran-Sahai04, Barak-Sahai05, Malkin-Moriarty- Yakovenko06,...] -The basic idea: Allow the adversary in the ideal model to run in super-poylnomial time. Problems: Composability may no longer hold... But: can fine-tune the extra computational power so that a “UC-style theorem” holds. Even basic security may no longer hold... But: For most interesting ideal functionalities, the ideal process guarantees security even when the adversary is unbounded... Still, a weaker requirement for the “environment”... time

Connections with formal methods for protocol analysis A popular method for analyzing cryptographic protocols using formal methods: Model the cryptographic operations (encryption, signature, etc) as “symbolic operations” that assume “perfect cryptography”. A quintessential example: The [Dolev-Yao81] modeling of public-key encryption. Many follow-ups exist.

The “Dolev-Yao style” formal modeling Main advantage: Analysis is much simpler. In particular, is amenable to automation (e.g., via tools for automated program verification). Main drawback: Lack of soundness. There is no security guarantee once the symbolic operations are replaced with real cryptograpic protocols.

Using UC analysis to obtain cryptographically sound formal modeling The main idea [PW00,C01,Backes-PW 03,C-Herzog04]: Formalize ideal functionalities that capture the primitives in use (e.g., encryption, signatures). Translate the ideal functionalities to symbolic protocol moves. Use the universal composition theorem to deduce that properties of the symbolic protocol are retained by the concrete protocol.

Analysis strategy Concrete protocol UC security Symbolic protocol Symbolic property

Analysis strategy (expanded) [CH04] Concrete protocol UC concrete security Symbolic single- instance protocol Symbolic property Single-instance Setting Security using UC encryption Security for multiple instances Ideal cryptography UC theorem Simplify UC w/ joint state

Summary Reviewed a basic and general notion of security for cryptographic protocols. Motivated the need for security notions that guarantee security under composition. Showed that the basic notion guarantees secure composability in the non-concurrent case, but not in the concurrent case. Reviewed a general notion that guarantees security- preserving concurrent composition, feasibility results and potential relaxations for that notion. Explored connections with formal analysis methods.

Further Research Find better notions of security for cryptographic protocols: –More relaxed, while guaranteeing the desired properties. –Easier to work with. Find better set-up assumptions Find better proof techniques: –Use modularity –Use automated tools Make security analysis of protocols ubiquitous.

Final Word Security analysis of protocols is only as good as the security notion used --- and subtleties abound. It is imperative to use a security notion that is appropriate for the relevant setting.