Questions tagged [universal-composability]
The framework of universal composability (UC) is a general-purpose model for the analysis of cryptographic protocols.
65 questions
1 vote, 1 answer, 82 views
Definition of UC security
Universally composable (UC) security is defined in the ideal/real model paradigm. In this paradigm, a real protocol $\Pi$ is defined to be secure when the outputs of this protocol are ...
1 vote, 0 answers, 53 views
Simulation Based Proofs in 2-Party Computation
I was reading the paper How to Simulate It - A Tutorial on the Simulation Proof Technique by Yehuda Lindell, where he considers the Oblivious Transfer problem. (page 11)
Basically, Oblivious Transfer is ...
6 votes, 0 answers, 124 views
Domain Separation vs. UC-secure random oracles
All the time I see cryptographic engineers praising the virtues of domain separation. Frequently, papers describing vulnerabilities in real-world protocols find domain separation problems. The core ...
1 vote, 2 answers, 211 views
Is the sum of indistinguishable independent variables indistinguishable?
Suppose a key $K$, two messages $X,Y \in \{0,1\}^n$ and an encryption function $\text{Enc}_K(\cdot)$ that produces independent ciphertexts indistinguishable from uniform in $\{0,1\}^m$. Is $\text{Enc}...
2 votes, 1 answer, 220 views
Simulation Based Proof: Encryption scheme example
I was reading the book “Introduction to Modern Cryptography”, 2nd edition by Jonathan Katz and Yehuda Lindell. Page 67 of the book gives a scheme (Construction 3.17) similar to One-Time Pad, but with ...
3 votes, 1 answer, 110 views
'Subroutine respecting' in the Universal Composability Framework?
I've been trying to understand the execution model in the UC framework.
Suppose Alice (A) wants to communicate to Bob (B) via a channel (Ch). I have a mental picture that looks like the following:
<...
3 votes, 1 answer, 89 views
Can environment 'count' scheduling decisions in Universal Composability?
The following question is intentionally informal because I don't understand things well enough to make them entirely formal. The topic is Universal Composability.
An important notion in the definition ...
2 votes, 2 answers, 136 views
Question about UC Execution
Consider the following simple UC module, described via pseudocode:
Read input from environment, and save it to var
Send var to adversary
Send var to environment
If I understand correctly, this can be ...
2 votes, 1 answer, 101 views
'Callbacks' in UC?
In UC, consider the protocol ρ^φ, which uses the protocol φ 'as a subroutine'. If I understand correctly, ρ would call φ with arguments, which would then perform computations, perhaps even calling its ...
2 votes, 1 answer, 130 views
Parallel Composition in UC / CC?
I was learning about composable security frameworks, and I was wondering about the following when I was learning about Constructive Cryptography here (https://youtu.be/l7vyzRtLQCM?feature=shared&t=...
0 votes, 1 answer, 127 views
Question about Environment Set in Universally Composable Security Proof
I have read into many papers and tutorials regarding "Universally Composable Security Proofs." I still have one confusion about the initial setup by the environment. On one hand, I got that ...
2 votes, 1 answer, 102 views
Is the Simplest OT universally composable against a semi-honest adversary?
I started learning about cryptography very recently, and I got interested in the Simplest-OT protocol of Chou and Orlandi. However (as the authors themselves noted) the protocol is not UC-secure ...
2 votes, 1 answer, 160 views
Is UC security only meaningful in malicious setting
In my understanding, the main difference in the proof between UC and the standalone model is the ability to "rewind", which appears to be related to malicious security only.
So if we are only ...
3 votes, 1 answer, 315 views
Resources for simple MPC proofs
Could anyone direct me to literature regarding privacy proofs in the MPC setting.
For example, how can one prove the following simple problem:
Suppose a setting with $n$ parties $S_1, \ldots, S_n$ ...
3 votes, 1 answer, 415 views
Fischlin vs. Fiat-Shamir Performance
Using Fiat-Shamir, an interactive 3-round sigma protocol can be compiled into a non-interactive zero-knowledge proof in the random oracle model.
A NIZK through Fiat-Shamir is not UC-Secure due to ...
2 votes, 0 answers, 105 views
Claims about universally composable oblivious transfer, which ones are correct?
There are two papers that propose oblivious transfer protocols, both claiming to be universally composable (UC). The first protocol is more complex, and I am convinced that it is indeed UC. The second ...
2 votes, 1 answer, 287 views
Expanding stand-alone simulation-based proofs to UC proofs
This is a follow-up question to Mikero’s answer to Simulation-based proofs and universal composability proofs.
Let there be some protocol $\pi$ running between two parties $A$ and $B$.
Furthermore, ...
2 votes, 0 answers, 67 views
Difference between Non-Concurrent Composition and Concurrent Composition
You can get access to this document via institutional login at https://www.researchgate.net/publication/220556089_Security_and_composition_of_cryptographic_protocols_A_tutorial
So in Ran Canetti's ...
1 vote, 0 answers, 176 views
Intuition of the UC framework
I am trying to get into Universal Composable Security, but before diving deeper I would like to confirm my intuition of the framework.
https://eprint.iacr.org/2000/067.pdf
A protocol $\pi$ securely ...
2 votes, 0 answers, 179 views
A Question on the "rewinding" technique in secure computation
Consider secure two-party computation against malicious adversaries in the standalone model.
I know that the "rewinding" technique can be used to extract the corrupt party's input, e.g., in $...
4 votes, 0 answers, 221 views
How to get started with Simulation and UC proofs?
I've been in my PhD program for a few months, and every time I try to understand the simulation and UC proof-paradigms I get so confused.
I feel like what I really need is an easy set of (guided) ...
1 vote, 1 answer, 269 views
Are there any ways to tell if a cryptographic protocol is UC-secure before formally proving its UC-security?
I do not quite understand the UC framework. Given a protocol to be proven, now I just know firstly we should write down the ideal functionality, and then the concrete protocol, then proving the ...
5 votes, 1 answer, 366 views
Formal Verification for Multiparty Computation and Homomorphic Encryption?
I've recently found some work on the use of Formal Verification Software, like ProVerif for enclaves. I wonder if it's feasible to have something similar for MPC and Homomorphic Encryption and ...
2 votes, 0 answers, 84 views
Why a simulator can obtain a corrupted party's input to some subroutine ideal functionality $F$ "for free" in $F$-hybrid model?
In "How To Simulate It" (page 45, line 10), Lindell noted that, in the $f_{\textsf{zk}}$-hybrid model (where $f_{\textsf{zk}}$ denotes the ideal zero-knowledge functionality) in the stand-...
4 votes, 0 answers, 76 views
Security proof regarding a zero-knowledge counterexample that is secure in the stand-alone model but insecure in the UC model
Background
The following zero-knowledge (ZK) counterexample is described in Canetti's work [Security and Composition of Cryptographic Protocols: A Tutorial, page 26] to show that there exists some ...
1 vote, 1 answer, 1k views
MPC Definitions: UC-Security vs. Real-Ideal Simulation?
I consider the "standard" definition of maliciously-secure 2PC to be the simulation-based, ideal–real-world indistinguishability definition of e.g. Lindell's How to Simulate It [Lin17, ...
2 votes, 1 answer, 99 views
Specialized simulators in Universal composability
The UC framework [Can00 (version of 2020-02-11)] defines security (defn 9) as for all adversaries there exists a simulator such that for all environments the environment output is indistinguishable in ...
1 vote, 0 answers, 168 views
Session IDs in (simple) universal composability
In the simple UC framework paper, there is a brief discussion on session identifiers (sids) on page 13. It states
The main protocol is given a session identifier sid
but it is not entirely clear to ...
10 votes, 0 answers, 965 views
How to write proofs for universal composable security?
Recently, I have been studying Ran Canetti's famous paper, "Universally Composable Security: A New Paradigm for Cryptographic Protocols". But I find it very difficult to grasp. When I read the paper that ...
2 votes, 0 answers, 41 views
Failure of parallel composition [duplicate]
Is there a simple example of a cryptographic protocol that is secure when used on its own (with only one instance active at a time) but becomes insecure in a concurrent setting, i.e., a failure of ...
3 votes, 1 answer, 173 views
Is the following PAKE protocol UC secure?
Consider the following (simplification of a) PAKE protocol: Alice and Bob start with a pre-agreed password pw. To establish a new session key $k$, first Alice samples a random nonce $r$ and sends it ...
3 votes, 2 answers, 310 views
Why does the PAKE ideal functionality allow the keys to be the same when the passwords differ?
My intuition for the security a symmetric PAKE is supposed to provide comes from the example of a login page. Both the user and the server know the password (assuming unhashed passwords), and the ...
15 votes, 1 answer, 4k views
What is universal composability guaranteeing, specifically? Where does it apply, and where does it not?
I don't have a proper computer science education, so bear with my misunderstandings.
UC is supposed to "guarantee strong security properties". From what I understand, if you have some secure ...
1 vote, 0 answers, 159 views
Universal composability: Can an ideal functionality call other ideal functionalities?
I'm new to universal composability.
I'm trying to define a protocol, $\pi$, in UC.
The protocol involves 3 parties: A, B, and a smart contract $C$. Parties A and B interact with each other and with $C$...
1 vote, 2 answers, 597 views
What is the difference between a cryptographic primitive and a functionality?
In the context of papers using the UC framework, I have seen the same cryptographic tools referred to as cryptographic primitives and as functionalities. Are the two terms interchangeable?
An example is ...
1 vote, 1 answer, 435 views
What is the border between an ideal functionality and a protocol?
In the context of the UC framework, what is the border between an ideal functionality and a protocol?
It seems to me that it depends on the level of granularity required for proofs.
For example, ...
1 vote, 0 answers, 60 views
Abstract Cryptography: why local simulators?
In the paper that introduced Abstract Crypto [MauRen11], Theorem 2 on page 15 states that, basically, if there exist some local simulators that can be plugged on a resource $S$ such that this new ...
2 votes, 1 answer, 273 views
Extract adversary's secret input in simulation based security proofs
I am trying to understand the simulation-based security proofs (as well as the UC framework), I find that there is a basic assumption when proving the security, i.e., the simulator could extract the ...
0 votes, 1 answer, 186 views
Example of a problem for which Zero-Knowledge proof is not sequentially composable
There are notions that a Zero-knowledge proof with auxiliary input is necessary for sequential composition. However, the authors here give a very convoluted example of a system which is not ...
2 votes, 1 answer, 252 views
Where was the stand-alone model for simulation-based MPC proposed first?
The stand-alone model and the UC model for simulation-based proofs in multiparty computation differ in the guarantees that they provide: The stand-alone model provides security under sequential ...
1 vote, 0 answers, 317 views
Why is this functionality chosen for UC-NIZK?
A correct proof (a proof which is indistinguishable from previously sent proof) can be tagged as wrong by the ideal functionality here if the adversary sends no witness.
And, let's say P is a party ...
12 votes, 3 answers, 2k views
Examples of protocols that are insecure when run concurrently
I was reading Canetti00 Universally Composable security paper. The first page of introduction says that there are some MPC protocols and Zero knowledge protocols that are insecure under concurrent ...
1 vote, 1 answer, 503 views
What are limitations of Universally Composable (UC) framework?
I am beginning to read some UC framework papers, and I guess it is similar to the simulation-based security analysis. I can understand the main advantage of UC is to assist us to analyze the ...
4 votes, 1 answer, 261 views
Variants of universal composability in security proofs
Universal composability (UC) framework seems to be a powerful framework for proving security of protocols, which guarantees security even in the presence of concurrent composition. Though, I see there ...
2 votes, 0 answers, 61 views
Can ideal functionalities share variables
I am trying to define an ideal world for a protocol that requires two functionalities to interact with each other. Let's call them $\mathcal{F}_1$ and $\mathcal{F}_2$.
Now $\mathcal{F}_1$ maintains a ...
1 vote, 0 answers, 62 views
Efficient universally composable protocols for aggregate statistics
Let's say we have multiple parties $P_1, \dots, P_n$ that gather personal data, and a party $C$ that is interested in aggregate statistics on these data, i.e. the average value.
An ideal functionality ...
1 vote, 1 answer, 221 views
UC-framework: Simulating specific cases (proof in PVW)
I am struggling to understand the proof of security in the UC-framework of the OT by PVW.
The cases I don't understand are the cases where:
i) Both parties are corrupted. In this case, they say ...
3 votes, 1 answer, 120 views
What does "constant rate" mean in a universally composable commitment scheme?
I'm wondering what "constant rate" means in a universally composable commitment scheme. I know that the rate of a commitment scheme is the message length divided by the communication complexity of ...
1 vote, 0 answers, 64 views
Proofs of security for anonymity in a multi-party setting
I'm looking for material that proves the anonymity of parties in a non-interactive setting. I would like to know if there are simulation based proofs (UC) and property based proofs (game based) for ...
4 votes, 2 answers, 461 views
passive corruption ?= Byzantine corruption in the UC framework?
Notations: We follow the convention in the UC framework. We use $\mathcal{A}$ to denote the adversary, $\mathcal{P}$ to denote a party in the model.
We focus on two types of corruption in the UC ...