
Universal Composability with Documented Ideal Protocols Dominic Mayers Caltech, USA.

Presentation transcript:

1 Universal Composability with Documented Ideal Protocols Dominic Mayers Caltech, USA

2 Tree Protocols: A tree protocol is a tree in which each node corresponds to a sub-protocol. (Diagram labels: a tree protocol; sub-protocol; modules; primitives, for example Bit Commitments.)

3 From DAG to Tree Protocols: One can redefine the call structure of a DAG protocol and the ideal protocols for its sub-protocols so that it becomes a tree protocol. (Diagram: Q calling R and S becomes Q calling R and S'.) In this example, S' is identical to S except that I(S') = I(S) + I(R). No change in the protocol itself.

4 Usual Way to Analyze Protocols: First, we obtain properties for the primitives (e.g., for Bit Commitments, some binding and concealing conditions). This is just to reflect on what we do all the time as a community (without UC).

5 Usual Way to Analyze Protocols: Next, you use these properties (e.g. the binding and concealing conditions of BC) to obtain other properties for the parent sub-protocols (e.g. a zero-knowledge proof), …

6 Usual Way to Analyze Protocols: … and so on until you have traversed the entire tree bottom-up and reached the root of the tree. There is no rule in this bottom-up traversal except the general framework of mathematics. (Diagram: zero-knowledge properties, such as soundness, at the parent node.)

7 Universal Composability: Informally, the UC definition says that we can replace the protocol by an ideal protocol and a simulator, and no application + adversary will see the difference. We use this definition at every node in a bottom-up traversal: a more structured way to traverse the tree bottom-up. (Diagram: each node replaced by its ideal protocol I and simulator S, up to I(P) + S(P) at the root.)

8 Universal Composability: We obtain that the entire protocol P can be replaced by an ideal protocol I(P) and a simulator S(P), which is the sum of all simulators used in the bottom-up traversal. (Diagram: the same tree with every node replaced by I + S, giving I(P) + S(P).)

9 Why it is Powerful: At every step of the bottom-up traversal, the visited module calls ideal protocols. A module that calls ideal protocols is much easier to analyze than a module that calls arbitrary sub-protocols with some properties. Moreover, these properties (e.g. binding and concealing) are often too weak!

10 Toward a formal UC definition: Consider what is needed for a single step in the bottom-up traversal. Definition: The protocol Q s.r. I(Q) if, for every environment (App + Adv), there exists a simulator (ideal adversary) S(Q) such that App + Adv + Q ≈ App + Adv + S(Q) + I(Q). (Diagram: on the left, the analyzed protocol Q together with part of the application protocol App and part of the adversary Adv; on the right, the ideal protocol I(Q) plus the simulator S(Q).)

11 What is missing?
1. A model for the protocol, the adversary, the ideal protocol and the simulator.
   a) It must define the rules of the game between the adversary (+ the application) and the simulator. In particular, it must allow the corruption of parties.
   b) It must have a partially defined "+" such as in App + Adv + Q.
2. A definition for A ≈ B (non-distinguishability) that respects (A_1 ≈ A_2) ∧ … ∧ (A_{p(n)-1} ≈ A_{p(n)}) ⇒ A_1 ≈ A_{p(n)}, where p(n) is polynomial.

12 The Model of Ben-Or and Mayers

13 Protocols
Quantum Register: Hilbert space of finite dimension.
Classical Register: the set {0,1}^k. Usually k = 1: a bit.
Quantum Gate: unitary transformation on a finite set of registers.
Classical Gate: permutation on {0,1}^{k_1} × … × {0,1}^{k_q}.
Unit-circuit: partially ordered set of gates in which every two gates that share a register are ordered.
Protocol: union of unit-circuits that respects some condition. Essentially, it must be a partially ordered set of gates (more later).

14 Set of registers of a gate (Comments): The set of registers of a controlled gate that is turned off is empty when we compute the order of two gates. The partial order condition holds if, for every value of the controlling (read-only) registers, no cycle is created by the ordered pairs. (Diagram: Alice's unit-circuit with a controlled gate and a read-only classical control bit, shown for control bit = 0 and = 1.)

15 Distinct unit-circuits have disjoint sets of registers, but can share communication registers with the Communication Center. (Diagram: Alice's and Bob's unit-circuits, each sharing communication registers with the Communication Center.)

16 A transmission gate is a swap gate between a local register and a communication register. A reception gate is a swap gate between a local register and a communication register. (Diagram: Alice's and Bob's unit-circuits, the communication registers and the communication swap gates; a register labelled |0⟩ "if no corruption".)

17 Conditions on Protocols: The set of pairs (transmission gate, reception gate) between unit-circuits, together with all ordered pairs of gates inside these unit-circuits, must constitute a partially ordered set: no cycle in the graph. (Diagram: Alice's and Bob's unit-circuits joined by a communication register.)

18 A Simple Example: Module Coin Toss that calls Bit Commitment. Four unit-circuits: CT-Alice, CT-Bob, BC-Alice and BC-Bob.
CT-Alice: Pick x ∈_R {0,1}; Send input x to BC-Alice;
CT-Bob: Receive output OK from BC-Bob; Pick y ∈_R {0,1}; Send y to CT-Alice;
CT-Alice: Receive y from CT-Bob; Send output w_A = x ⊕ y to App-Alice; Send input "open" to BC-Alice;
CT-Bob: Receive x* from BC-Bob; If (x* = Fail) do {set w_B = y} else {set w_B = x* ⊕ y}; Send output w_B to App-Bob;

19 Module CT(Alice,Bob) that calls BC(Alice,Bob): (Circuit diagram: Alice's side with I/O registers x, y, Open and w_A, an H gate preparing x, and "Open = 1"; Bob's side with registers OK, y, x* and w_B, an H gate preparing y, and a gate that flips w_B iff x* = 1; internal communication registers between the two sides.) The adversary will have some power here.
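As an added example (not code from the slides), here is the coin-toss module of slides 18 and 19 written as CT_M in Python, i.e. the variation that calls the ideal bit commitment I(BC) instead of a real one. I(BC) is modelled as a trusted object that holds the committed bit, and an optional adversary circuit A(CT-Bob) may replace the value x* that Bob's side works with (for instance by Fail, modelling an abort). The names IdealBC, coin_toss, honest_outcomes and alice_output_is_unbiased are this example's own.

```python
# Added example, not the slides' code: CT(Alice, Bob) from slide 18 calling the
# IDEAL bit commitment I(BC).  Bits are Python ints 0/1; "Fail" is the x* = Fail case.

FAIL = "Fail"


class IdealBC:
    """Trusted circuit of I(BC): stores Alice's bit, tells Bob 'OK' and, on 'open',
    hands Bob exactly that bit.  Binding and concealing hold by construction."""

    def __init__(self):
        self.bit = None

    def commit(self, x):            # input x from BC-Alice -> output OK to BC-Bob
        assert x in (0, 1) and self.bit is None, "one commitment per copy"
        self.bit = x
        return "OK"

    def open(self):                 # input "open" from BC-Alice -> output x* to BC-Bob
        assert self.bit is not None, "open before commit"
        return self.bit


def coin_toss(x, y, bc=None, a_bob=None):
    """Run CT-Alice and CT-Bob (slide 18) on Alice's bit x and Bob's bit y; return (w_A, w_B).
    If a_bob is given, CT-Bob's reception gate is 'off' and the adversary unit-circuit
    A(CT-Bob) decides what x* Bob's side works with (e.g. FAIL).  With I(BC) it cannot
    change the value that BC-Bob actually delivers, only what the corrupted Bob does with it."""
    bc = bc if bc is not None else IdealBC()
    ok = bc.commit(x)                 # CT-Alice: send input x to BC-Alice
    assert ok == "OK"                 # CT-Bob: receive OK from BC-Bob (y is already chosen)
    w_A = x ^ y                       # CT-Alice: receive y, output w_A = x XOR y
    x_star = bc.open()                # CT-Alice: send "open"; BC-Bob outputs x*
    if a_bob is not None:             # corrupted Bob: A(CT-Bob) substitutes x*
        x_star = a_bob(x_star)
    w_B = y if x_star == FAIL else x_star ^ y   # CT-Bob's final branch
    return w_A, w_B


def honest_outcomes():
    """All four honest runs; with I(BC), w_A always equals w_B."""
    return {(x, y): coin_toss(x, y) for x in (0, 1) for y in (0, 1)}


def alice_output_is_unbiased(y):
    """For a fixed y (even one chosen by a corrupted Bob after seeing 'OK', which leaks
    nothing), w_A takes each value exactly once as Alice's uniform x ranges over {0,1}."""
    return sorted(coin_toss(x, y)[0] for x in (0, 1)) == [0, 1]


if __name__ == "__main__":
    print(honest_outcomes())
    print(coin_toss(1, 0, a_bob=lambda _x_star: FAIL))   # Bob aborts: w_B falls back to y
```

The honest table shows the agreement property (w_A = w_B in every run), and the aborting A(CT-Bob) shows the Fail branch of slide 18: Bob's output degrades to his own y while Alice's output is already fixed as x ⊕ y.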

20 Corruptible Unit-Circuits: A corruptible unit-circuit r is a unit-circuit with a corruption bit C_r. Every gate in the unit-circuit r is turned "off" when C_r = 1. (Diagram: corruptible unit-circuit r with gates G1, G2 over local and communication registers, C_r = 0.)

21 Adversary Unit-Circuits: Every corruptible unit-circuit r is associated with an adversary unit-circuit A(r). When the unit-circuit r is off, the adversary unit-circuit A(r) is on, and vice versa. The adversary is the union of all adversary unit-circuits. (Diagram: corruptible unit-circuit r with gates G1, G2 and adversary unit-circuit A(r) with gate G2*, over local and communication registers, C_r = 0; a NOT gate that is part of the adversary but not part of A(r).)

22 Conditions on the Adversary: An adversary unit-circuit A(r) can access all registers of r. In the case of communication registers, it can do so on behalf of r. For example, even if the channel is authenticated, the adversary unit-circuit A(r) can transmit a message in this channel on behalf of r. It can also access any other communication registers, but only in accordance with their channel types.

23 Conditions on the Adversary: P + App + Adv must be a partially ordered set of gates (same definition as for protocols). The set of corrupted unit-circuits must follow some access rule. The size of App + Adv is often required to be a polynomial in some security parameter.

24 Ideal Protocols: An ideal protocol I(P) for a protocol P is a protocol that contains a unit-circuit I(r) for every r ∈ P_I/O ⊆ P, where P_I/O contains every r ∈ P that participates in the input/output of P. The ideal protocol I(P) also contains a trusted circuit that is never corrupted and a devil circuit (strange but convenient) that is always corrupted. Usually, an ideal protocol uses perfect channels.

25 Ideal Protocols: The circuit I(r), r ∈ P_I/O, is off when C_r = 1 and on when C_r = 0 (the same as r). The trusted circuit and the adversary A(devil) are always on. The devil circuit is just a trick to allow an ideal protocol to communicate with the simulator even when no party is corrupted. This is often convenient to weaken the ideal protocol.

26 Simulators: The simulator S(P) for a protocol P contains a simulation circuit S(r) for every unit-circuit r ∈ P and an ideal adversary circuit A(r) for every corruptible unit-circuit r ∈ I(P), including the devil circuit. The simulator does not have access to the I/O communication registers between the protocol and the application, but has access to the internal communication registers.

27 Simulators: Using the ideal adversary circuits A(r), the simulator is the adversary to the ideal protocol. Using the circuits S(r), it provides a simulation of the protocol P, but not of the input/output. The simulation unit-circuit S(r) is off when C_r = 1 and on when C_r = 0 (the same as r). The ideal adversary unit-circuit A(r) is off when C_r = 0 and on when C_r = 1 (as usual for an adversary circuit).

28 As Promised: We have a model for protocols, adversaries, ideal protocols and simulators.
a) It allows the corruption of parties with the help of the corruption bits C_r and the adversary circuits A(r).
b) It has a partially defined "+": the union of the gates, under the restriction that the union remains a partially ordered set.
c) The rules of the game between the simulator and the adversary are well defined.

29 Definition of Non Distinguishability

30 The Output Bit: The application protocol outputs a bit Z. We denote by Z(P + Adv + App) the output bit that is computed by the setting P + Adv + App. Definition: Let A and B be two distinct settings. A ≈_ε B iff |Pr(Z(A) = 0) − Pr(Z(B) = 0)| ≤ ε.

31 A distinguishability that depends on the environment: Not a practical definition, but convenient as a preliminary step toward a better definition. Definition: The protocol Q ε(n, E)-s.r. I(Q) if, for every environment E = App + Adv, there exists a simulator S(Q) such that E + Q ≈_{ε(n, E)} E + S(Q) + I(Q).

32 Preliminary UC Theorem: Let Q_M be the variation on Q that calls ideal protocols. Preliminary UC Theorem: If for every sub-protocol Q of P, Q_M ε_{Q_M}(n, E(Q_M))-s.r. I(Q), then P ε_P(n, E)-s.r. I(P), where ε_P(n, E) = Σ_Q ε_{Q_M}(n, E(Q_M)). Easily proven, but not convenient: to compute ε_P(n, E) when we traverse the tree bottom-up, we have to keep track of all the simulators and ideal protocols in the environment E(Q_M).

33 A distinguishability that depends on the size |E|: This is already more convenient. To obtain an upper bound on the distinguishability, one obtains an upper bound for each ε_{Q_M}(n, |E(Q_M)|) and uses ε_P(n, |E|) = Σ_Q ε_{Q_M}(n, |E(Q_M)|). Of course, assumptions (e.g. on |E|) are needed to bound each ε_{Q_M}(n, |E(Q_M)|).

34 Negligibility: Definition: A function ε(n, f(n)) is negligible if, for all polynomials p(n), q(n) and all functions f(n) ≤ p(n), for n sufficiently large, ε(n, f(n)) ≤ 1/q(n). To apply this definition, we need |E| ≤ p(n) ⇒ |E(Q_M)| ≤ p'(n) for all Q. We also need that the sum of polynomially many negligible functions is negligible. See

35 Negligibility: Issues: For the most general functions ε_{Q_M}(n, |E(Q_M)|), the negligibility of ε_P(n, |E|) = Σ_Q ε_{Q_M}(n, |E(Q_M)|) is not obvious, because the domain of the summation is a function of n and its size is polynomial in n. In addition, |E| ≤ p(n) ⇒ |E(Q_M)| ≤ p'(n) for all Q is not obvious to obtain when Q runs over a set of polynomial size.

36 Negligibility: Solutions
1. Assume that the set of protocol definitions in the library is independent of the security parameter n. (Very natural)
2. Require that the size of the simulator is bounded by a polynomial that depends only on the protocol definition (not on the copy in execution). (Very natural)
3. Require that ε_{Q_M}(n, |E(Q_M)|) depends only on the protocol definition (not on the copy). (Very natural)

37 Negligibility (A point aside): The technicality here is similar to the technicality in the following related situation. Let f_k(n) ∈ O(1) for k = 1, …, n. We do not have Σ_{k=1..n} f_k(n) ∈ O(1), even though f_0(n) ∈ O(1) and S, f ∈ O(1) ⇒ S + f ∈ O(1). The problem is that, for n fixed, f_n(n) is a number, not a function. Therefore, it makes no sense to say that all terms in the sum are in O(1).
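Added derivation (not on the slides, written in the slides' symbols): how the three solutions of slide 36 remove the obstacle of slide 37 and make the sum of slide 33 negligible. Assumptions, all labelled: D is the finite set of protocol definitions, independent of n (solution 1); every copy Q of a definition d ∈ D satisfies |E(Q_M)| ≤ p'_d(n) whenever |E| ≤ p(n) (solution 2); ε_{Q_M} = ε_d depends only on d (solution 3); and P contains N_d(n) ≤ p(n) copies of d. The names μ_d, f_d, N_d and n_d are introduced here.

```latex
\begin{align*}
&\text{For each } d \in D \text{ take the worst case over the polynomially many possible sizes:}\\
&\mu_d(n) := \max_{m \le p'_d(n)} \varepsilon_d(n, m), \qquad
 f_d(n) := \operatorname*{arg\,max}_{m \le p'_d(n)} \varepsilon_d(n, m) \le p'_d(n).\\
&\text{Since } f_d \le p'_d \text{ is a single function, the definition of slide 34 applies to it:}\\
&\text{for every polynomial } q,\quad \mu_d(n) = \varepsilon_d(n, f_d(n)) \le 1/q(n) \text{ for all } n \ge n_d(q),\\
&\text{i.e. } \mu_d \text{ is negligible in the ordinary sense (one function, no dependence on the copy).}\\[4pt]
&\text{Now bound the sum of slide 33 (assume } |E| \le p(n)\text{):}\\
&\varepsilon_P(n,|E|) = \sum_{Q} \varepsilon_{Q_M}(n,|E(Q_M)|)
 = \sum_{d \in D}\ \sum_{Q \text{ copy of } d} \varepsilon_d(n,|E(Q_M)|)
 \le \sum_{d \in D} N_d(n)\,\mu_d(n) \le p(n)\sum_{d \in D} \mu_d(n).\\[4pt]
&\text{Given a polynomial } q, \text{ apply the negligibility of each } \mu_d \text{ with } q'(n) := |D|\,p(n)\,q(n):\\
&\text{for } n \ge \max_{d \in D} n_d(q') \text{ (a maximum over a finite, } n\text{-independent set, hence finite)},\\
&\varepsilon_P(n,|E|) \le p(n)\cdot |D| \cdot \frac{1}{|D|\,p(n)\,q(n)} = \frac{1}{q(n)},
 \quad\text{so } \varepsilon_P(n,|E|) \text{ is negligible.}
\end{align*}
```

The last step is exactly where slide 37's difficulty disappears: with solution 1 the thresholds n_d(q') range over the fixed finite set D and have a maximum, whereas for the terms f_k(n), k = 1, …, n, the set of thresholds grows with n and need not be bounded.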

38 The Documented Ideal Protocols Approach: A documented ideal protocol is an ordinary ideal protocol that also contains two sets of instructions. One set of instructions computes the non-negligible part of ε_{Q_M}(n, E(Q_M)), if any. This non-negligible part is used as an alert signal that says that this ideal protocol cannot be used in a given application protocol. The negligible part is managed as usual, and the proof of the associated UC theorem is essentially the same.

39 The Documented Ideal Protocols Approach: Another set of instructions determines special operations that can be executed in the environment of I(Q). These special operations must be considered when we analyze any protocol Q'_M with Q < Q' ≤ Par(Q) in the bottom-up traversal. The nodes Q' with Q < Q' ≤ Par(Q) are the nodes between the visit of Q (where Q_M is replaced by I(Q) + S(Q)) and the visit of the parent of Q (where I(Q) disappears).

40 Advantage & Disadvantage: Advantage: The simulator can execute these special operations, which have super-polynomial power. Moreover, these operations can even access registers in the application! This allows one to prove this kind of UC for many more protocols. Disadvantage: The ideal protocol is not as convenient. We must keep track of these instructions.

41 Documented-UC of Perm-BC: Perm-BC is the Bit Commitment that calls a one-way permutation π: {0,1}^k → {0,1}^k with a hard bit B: {0,1}^k → {0,1}. For x randomly chosen, π(x) is a commitment to the random bit B(x). There are no instructions in I_D(Perm-BC) for the non-negligible part because there is no non-negligible part. However, there is a special operation in I_D(Perm-BC). We only describe the special operation for the case where the receiver, Bob, is corrupted.

42 Special operation in I_D(Perm-BC), case where the Receiver is corrupted: It is computationally bounded (a circuit of polynomial size). It must be executed just after all gates that precede the beginning of the opening. It can only access the registers of the environment E* of I(Perm-BC) that are required between the beginning of the opening phase and the beginning of the opening. Let A be the set of registers that belong to a non-corrupted circuit in E* or are not accessed by the special operation. The states of A with or without the special operation must be computationally indistinguishable.
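As an added example (not the slides' code), here is the commit and open mechanics of Perm-BC from slide 41 in Python, with a toy permutation standing in for the one-way permutation π. The toy π is not one-way (it is trivially invertible), so the block shows only what the construction's two properties rest on: binding holds unconditionally because π is a permutation, while concealing rests entirely on the assumption that B(x) is hard to predict from π(x). The names K, MASK, pi, hard_bit, commit, open_commitment and count_openings are this example's own.

```python
# Added example, not the slides' code: Perm-BC (slide 41) with a TOY permutation.
# The toy pi is a permutation of {0,1}^k but is easily invertible, so it is only a
# stand-in for the one-way permutation the slide assumes.

K = 16                         # register length k; {0,1}^k is represented as 0 .. 2^k - 1
MASK = (1 << K) - 1
FAIL = "Fail"                  # same failure output as x* = Fail on slide 18


def pi(x):
    """Toy stand-in for pi: {0,1}^k -> {0,1}^k.  Multiplying by an odd constant mod 2^k
    is a bijection, so this is a permutation (but NOT one-way: it is trivially invertible)."""
    return (x * 0x9E37) & MASK


def hard_bit(x):
    """Toy stand-in for the hard bit B: {0,1}^k -> {0,1}: the parity of x.  For the real
    pi the slide assumes B(x) is hard to predict from pi(x); for the toy pi it is easy."""
    return bin(x).count("1") & 1


def commit(x):
    """Alice (committer): for a random x, the commitment is pi(x); the committed bit is B(x)."""
    assert 0 <= x <= MASK
    return pi(x)


def open_commitment(c, x):
    """Bob (receiver): accept the opening x iff pi(x) == c, in which case the revealed
    bit is B(x).  Otherwise output FAIL, as BC-Bob does on slide 18."""
    if not (0 <= x <= MASK) or pi(x) != c:
        return FAIL
    return hard_bit(x)


def count_openings(c):
    """Binding check: the number of x with pi(x) == c.  It is exactly 1 for every c
    because pi is a permutation, so the committer cannot later choose which bit to reveal
    (no computational assumption is needed for this direction)."""
    return sum(1 for x in range(MASK + 1) if pi(x) == c)


if __name__ == "__main__":
    import random
    x = random.randrange(MASK + 1)
    c = commit(x)
    print(hex(c), open_commitment(c, x), open_commitment(c, (x + 1) & MASK), count_openings(c))
```

count_openings enumerates the whole domain, which is only feasible because k = 16 here; for a real π it is the permutation property itself, not enumeration, that gives the unique opening.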

43 An Example: Alice and Bob forget the acknowledgement of reception. (Diagram: repeated rounds of Photons, OK and Bases between Alice and Bob over an authenticated public channel, with Eve's probe; labels "Public = 1" and "Public = 0". With the acknowledgement: "Eve cannot do that because it creates a cycle." Without it: "Now, Eve can do that because no cycle is created.")

