
A Simpler Variant of Universally Composable Security for Standard Multi Party Computation

Chloé Hébant

École Normale Supérieure

February 22, 2018

Chloé Hébant (ENS), Working Group: SUC Security, February 22, 2018


1. Introduction
   Definition
   Interest
   Difficulties

2. SUC Model
   Communication model and rules
   π SUC-securely computes F
   SUC composition theorem

3. Conclusion


Context

Protocol
Proof of security
Adversary model
  → who?
  → capabilities?
  → goals?
Security model
  Indistinguishability
    → Find-then-Guess
    → Real-or-Random
  Simulation
    → Classical Simulation
    → Universal Composability


Definition

Universal Composability model is a security model for Multi Party Computation:
  n players $P_i$ owning $x_i$, n-variable function $f$,
  Compute $f(x_1, \dots, x_n) = (y_1, \dots, y_n)$ s.t. each $P_i$ learns $y_i$ and nothing more
based on a simulation between a Real World and an Ideal World

Real World: protocol, players, adversary
Ideal World: ideal functionality, virtual players, simulation of the adversary

Ensure that an environment Z can't distinguish between both worlds


[Figure 1: Ideal World. Nodes: F; $P_1$ ($x_1$, $y_1$), $P_2$ ($x_2$, $y_2$), ..., $P_n$ ($x_n$, $y_n$)]

Construction of UC protocols:
  Define the ideal functionality F
  Construct a protocol Π that realises F
  Make the proof: construct a simulator S


Interest 1: A can choose a distribution for the inputs

In the UC model, no description of:
  what are the possible actions of the adversary
  the order of the requests
  the number of requests
The execution is taken as a whole: Z chooses the inputs of $P_i$ and A
⇒ Model attacks where the inputs are not uniform


Interest 2: The composition theorem

Most important interest: If a protocol is UC secure then it is secure for concurrent executions
Example 1: UC-commitments → ZK
Example 2: UC-secure authenticated key exchange + secure symmetric encryption → Secure channels
⇒ Because of these 2 points, the UC model is more secure than the Find-then-Guess or Real-or-Random models


Difficulty to define the ideal functionality

Ideal Functionality for Secure Message Transfer

$F^{l}_{\mathrm{SMT}}$, parameterized by leakage function $l : \{0,1\}^\star \to \{0,1\}^\star$, proceeds as follows:
  Upon receiving an input (Send, sid, m) from S, verify that sid = (S, R, sid′) for some R, else ignore the input.
  Next, send (Sent, sid, l(m), m) to R.

text = private content

For example: leaking l(m) = length(m) is important because no cryptosystem can fully hide the size of the information being encrypted


Difficulties in proofs

In the UC model, proofs are more complex than in game-based security:
  no rewind, need extractable inputs ⇒ protocol more complex
  no end when the adversary wins ⇒ proofs more complex


Communication model and rules

[Figure 2: SUC communication model. Nodes: F, router, $P_1$, $P_2$, ..., $P_n$, Z (provide inputs, read outputs, to all $P_i$), A, with annotation (⋆)]

(⋆)
  Router sends all messages to A and delivers them when instructed by A
  Messages are of the format (sender, receiver; content)
  Router only sends public header of messages to and from F to A (so A does not see the private content)
  A notifies the router when to deliver messages but has no influence beyond that
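
An added example, not part of the original slides: a toy Python model of the router rules above, run on the Secure Message Transfer functionality with leakage l(m) = length(m) from the earlier slide. The names Msg, Router, f_smt and run_transfer are illustrative, and treating m as the private part of each message is an assumption based on the slide's legend.

```python
from collections import namedtuple

# Constructed toy model; Msg, Router, f_smt and run_transfer are illustrative names.
# Assumption: content is split into a public header and a private part (here, m).
Msg = namedtuple("Msg", "sender receiver public private")

class Router:
    def __init__(self):
        self.pending = {}    # message id -> Msg waiting for A's delivery instruction
        self.adv_view = []   # everything the router forwards to the adversary A
        self.inbox = {}      # receiver -> list of delivered messages

    def send(self, msg):
        mid = len(self.adv_view)
        self.pending[mid] = msg
        shown = (mid, msg.sender, msg.receiver, msg.public)
        if "F" not in (msg.sender, msg.receiver):
            shown += (msg.private,)   # party-to-party traffic is shown to A in full
        self.adv_view.append(shown)
        return mid

    def deliver(self, mid):
        # A's only power: choose when a pending message is delivered, unmodified.
        msg = self.pending.pop(mid)
        self.inbox.setdefault(msg.receiver, []).append(msg)
        return msg

def f_smt(router, leak, inp):
    # Ideal functionality for Secure Message Transfer on an input (Send, sid, m).
    tag, sid = inp.public
    if tag != "Send" or len(sid) != 3 or sid[0] != inp.sender:
        return None                   # sid is not (S, R, sid') for this sender: ignore
    m = inp.private
    return router.send(Msg("F", sid[1], ("Sent", sid, leak(m)), m))

def run_transfer(m, sender="S", sid=("S", "R", "sid0")):
    router = Router()
    first = router.send(Msg(sender, "F", ("Send", sid), m))
    out_id = f_smt(router, len, router.deliver(first))
    if out_id is not None:
        router.deliver(out_id)
    return router.adv_view, router.inbox.get("R", [])
```

The first return value is the adversary's complete view of the run: headers and the leaked length, never m itself.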


π SUC-securely computes F

Definition
Let π be a protocol for up to m parties and let F be an ideal functionality. We say that π SUC-securely computes F if for every PPT real model adversary A there exists a PPT ideal-model adversary S such that for every PPT balanced environment Z and every constant $d \in \mathbb{N}$, there exists a negligible function $\mu(\cdot)$ such that for every $n \in \mathbb{N}$ and every $z \in \{0,1\}^\star$ of length at most $n^d$,

$$\left| \Pr[\text{SUC-IDEAL}_{F,S,Z}(n, z) = 1] - \Pr[\text{SUC-REAL}_{\pi,A,Z}(n, z) = 1] \right| \le \mu(n)$$


SUC composition theorem

Theorem
Let π be a protocol for the F-hybrid model. Let ρ be a protocol that SUC-securely computes F in the G-hybrid model. Then, for every PPT real model adversary A there exists a PPT ideal-model adversary S such that for every PPT environment Z there exists a negligible function $\mu(\cdot)$ such that for every $z \in \{0,1\}^\star$ and every $n \in \mathbb{N}$,

$$\left| \Pr[\text{SUC-HYBRID}^{G}_{\pi^{\rho},S,Z}(n, z) = 1] - \Pr[\text{SUC-HYBRID}^{F}_{\pi,A,Z}(n, z) = 1] \right| \le \mu(n)$$


Corollary
Let π be a protocol that SUC-securely computes a functionality H in the F-hybrid model. If protocol ρ SUC-securely computes F in the G-hybrid (resp. real) model, then $\pi^{\rho}$ SUC-securely computes H in the G-hybrid (resp. real) model.

By a drawing:
[Drawing: H computed by π over F, F, F  +  F computed by ρ over G, G  ⇒  H computed by $\pi^{\rho}$ over G, G, G]


Bonus: Differences SUC - UC

In SUC, more rigid network model:
  built-in authenticated channel
  no subroutines
  set of parties a priori fixed
⇒ No digital signatures in SUC because no a priori polynomial bound on the number of interactions (= number of signatures)


Conclusion

UC: Security model based on simulation to obtain Composition Theorem
Composition Theorem: If a protocol is UC secure then it is secure for concurrent executions
SUC: Simpler formalism for some protocols such that SUC-secure ⇒ UC secure
⇒ Simpler proofs without loss of security guarantees


References

CCL15 - A Simpler Variant of UC Security for Standard Multiparty Computation
Che09 - Etude de protocoles cryptographiques à base de mots de passe
Can01 - Universally Composable Security: A New Paradigm for Cryptographic Protocols
