Universal composability

The framework of universal composability (UC) is a general-purpose model for the analysis of cryptographic protocols. It guarantees very strong security properties. Protocols remain secure even if arbitrarily composed with other instances of the same or other protocols. Security is defined in the sense of protocol emulation. Intuitively, a protocol is said to emulate another one, if no environment (observer) can distinguish the executions. Literally, the protocol may simulate the other protocol (without having access to the code). The notion of security is derived by implication. Assume a protocol P 1 {displaystyle P_{1}} is secure per definition. If another protocol P 2 {displaystyle P_{2}} emulates protocol P 1 {displaystyle P_{1}} such that no environment tells apart the emulation from the execution of the protocol, then the emulated protocol P 2 {displaystyle P_{2}} is as secure as protocol P 1 {displaystyle P_{1}} . The framework of universal composability (UC) is a general-purpose model for the analysis of cryptographic protocols. It guarantees very strong security properties. Protocols remain secure even if arbitrarily composed with other instances of the same or other protocols. Security is defined in the sense of protocol emulation. Intuitively, a protocol is said to emulate another one, if no environment (observer) can distinguish the executions. Literally, the protocol may simulate the other protocol (without having access to the code). The notion of security is derived by implication. Assume a protocol P 1 {displaystyle P_{1}} is secure per definition. If another protocol P 2 {displaystyle P_{2}} emulates protocol P 1 {displaystyle P_{1}} such that no environment tells apart the emulation from the execution of the protocol, then the emulated protocol P 2 {displaystyle P_{2}} is as secure as protocol P 1 {displaystyle P_{1}} . An ideal functionality is a protocol in which a trusted party that can communicate over perfectly secure channels with all protocol participants computes the desired protocol outcome. We say that a cryptographic protocol that cannot make use of such a trusted party fulfils an ideal functionality, if the protocol can emulate the behaviour of the trusted party for honest users, and if the view that an adversary learns by attacking the protocol is indistinguishable from what can be computed by a simulator that only interacts with the ideal functionality. The computation model of universal composability is that of interactive Turing machines that can activate each other by writing on each other's communication tapes. An interactive Turing machine is a form of multi-tape Turing machine and is commonly used for modelling the computational aspects of communication networks in cryptography. The communication model in the bare UC framework is very basic. The messages of a sending party are handed to the adversary who can replace these messages with messages of his own choice that are delivered to the receiving party. This is also the Dolev-Yao threat model. (Based on the computational model all parties are modeled as interactive turing machines) All communication models that add additional properties such as confidentiality, authenticity, synchronization, or anonymity are modeled using their own ideal functionality. An ideal communication functionality takes a message as input and produces a message as output. The (more limited) powers for the adversary A {displaystyle {mathcal {A}}} are modeled through the (limited) capacity of the adversary to interact with this ideal functionality. Ideal authenticated channel: For an optimal ideal authenticated channel, the ideal functionality F A u t h {displaystyle {mathcal {F}}_{mathsf {Auth}}} takes a message m {displaystyle m} from a party with identity P {displaystyle P} as input, and outputs the same message together with the identity P {displaystyle P} to the recipient and the adversary. To model the power of the adversary to delay asynchronous communication the functionality F A u t h {displaystyle {mathcal {F}}_{mathsf {Auth}}} may first send a message to the adversary A {displaystyle {mathcal {A}}} and would only deliver the message m , P {displaystyle m,P} once it receives the command to do so as a reply. Ideal secure channel: In an ideal secure channel, the ideal functionality F S e c {displaystyle {mathcal {F}}_{mathsf {Sec}}} only outputs the identity of the sender to both the recipient and the adversary, while the message is only revealed to the recipient. This models the requirement that a secure channel is both authenticated and private. To model some leakage about the information that is being transferred, F S e c {displaystyle {mathcal {F}}_{mathsf {Sec}}} may reveal information about the message to the adversary, e.g. the length of the message. Asynchronous communication is modeled through the same delay mechanism as for F A u t h {displaystyle {mathcal {F}}_{mathsf {Auth}}} . While the technical means, and the physical assumptions behind anonymous and pseudonymous communication are very different, the modeling of such channels using ideal functionalities is analogous. See also onion routing and Anonymous P2P. Similar functionalities can be defined for broadcast communication, or synchronous communication. Ideal anonymous channel: In an ideal anonymous channel, the ideal functionality, F A n o n {displaystyle {mathcal {F}}_{mathsf {Anon}}} takes a message m {displaystyle m} from a party with identity P {displaystyle P} as input, and outputs the same message but without disclosing the identity P {displaystyle P} to the recipient and the adversary.