Questions tagged [universal-composability]

The framework of universal composability (UC) is a general-purpose model for the analysis of cryptographic protocols.

UC guarantees very strong security properties… protocols remain secure even if arbitrarily composed with other instances of the same or other protocols. Security is defined in the sense of protocol emulation. Intuitively, a protocol is said to emulate another one if no environment (observer) can distinguish the executions. Literally, the protocol may simulate the other protocol (without having access to the code).

The notion of security is derived by implication. Assume a protocol $P_1$ is secure by definition. If another protocol $P_2$ emulates $P_1$ such that no environment can tell the emulation apart from the execution of $P_1$, then the emulating protocol $P_2$ is as secure as $P_1$.

64 questions
22 votes, 1 answer

What are the roles of the simulator in simulation based proofs

I'm trying to better understand simulation based proofs in the UC model - but the guidelines to construct a simulator confuse me. To my understanding, the simulator is activated in two ways: Outbound: S simulates the real world adv. A and as such,…
Indcca
19 votes, 2 answers

Simulation-based proofs and universal composability proofs

I recently read Ran Canetti's famous UC paper but I'm still trying to wrap my head around the concepts. I think this answer has me confused a bit, particularly where it says The stand-alone simulation-based definitions give you security under…
15 votes, 1 answer

What is universal composability guaranteeing, specifically? Where does it apply, and where does it not?

I don't have a proper computer science education, so bear with my misunderstandings. UC is supposed to "guarantee strong security properties". From what I understand, if you have some secure protocol, such as a strong block cipher mode of operation, you…
12 votes, 3 answers

Examples of protocols that are insecure when run concurrently

I was reading Canetti00 Universally Composable security paper. The first page of introduction says that there are some MPC protocols and Zero knowledge protocols that are insecure under concurrent composition. I don't see why protocols might break…
10 votes, 0 answers

How to write proofs for universal composable security?

Recently, I learn Ran Canetti's famous paper, "Universally Composable Security: A New Paradigm for Cryptographic Protocols". But I find it very difficult to grasp. When I read the paper that proves the security of the protocols in the UC-framework,…
Eric_Qin
6 votes, 1 answer

Is a composition of clocked entities a clocked entity in the UC model?

In the book titled "Secure Multiparty Computation and Secret Sharing" the authors define an interactive agent and an interactive system. Further, the author defines a clocked entity for considering both synchronous and asynchronous protocols in the…
sun
6 votes, 0 answers

Domain Separation vs. UC-secure random oracles

All the time I see cryptographic engineers praising the virtues of domain separation. Frequently, papers describing vulnerabilities in real-world protocols find domain separation problems. The core issue seems to be: you should really be using a…
Sam Jaques
5 votes, 1 answer

Formal Verification for Multiparty Computation and Homomorphic Encryption?

I've recently found some work on the use of Formal Verification Software, like ProVerif for enclaves. I wonder if it's feasible to have something similar for MPC and Homomorphic Encryption and their applications? I always thought there were…
5 votes, 1 answer

Does simulation extractability require that the protocol have a backdoor in it?

As I understand it, one of the properties required to prove UC-security is simulation extractability. One example is the paper by Kosba et al adapting NIZKs to the UC model, but in their construction the witness is encrypted and the ciphertext…
Ian MathWiz
5 votes, 1 answer

What's the principle to design the functionality under UC framework?

Though I can get the basic idea of UC Framework, namely let the environment cannot distinguish the real protocol with the real adversary and the functionality with the simulator, I am still puzzled in details: What's the principle to design the…
4 votes, 0 answers

Security proof regarding a zero-knowledge counterexample that is secure in the stand-alone model but insecure in the UC model

Background The following zero-knowledge (ZK) counterexample is described in Canetti's work [Security and Composition of Cryptographic Protocols: A Tutorial, page 26] to show that there exists some protocol that is secure in the stand-alone model but…
4 votes, 1 answer

Variants of universal composability in security proofs

Universal composability (UC) framework seems to be a powerful framework for proving security of protocols, which guarantees security even in the presence of concurrent composition. Though, I see there are multiple variants of the original UC…
user4936
4 votes, 2 answers

passive corruption ?= Byzantine corruption in the UC framework?

Notations: We follow the convention in the UC framework. We use $\mathcal{A}$ to denote the adversary, $\mathcal{P}$ to denote a party in the model. We focus on two types of corruption in the UC framework, which we rephrase now. Byzantine…
Weikeng Chen
4 votes, 0 answers

Are zkSTARKs simulation sound extractable in the random oracle model?

I've recently become interested in simulation sound extractable zero-knowledge proofs for use in UC-secure protocols. I've also become interested in the recent instantiation of PCIPs called zkSTARKs. Are zkSTARKs simulation sound extractable as they…
Ian MathWiz
4 votes, 2 answers

Modelling broadcast functionality in Universally Composable Framework

I'm studying the UC framework by Canetti. While I understand the basic idea, there are still a lot of details that I need to work through. One thing that's puzzling me is how to achieve concurrency under the UC execution mode. For example, in many…
lamba