## Universally composable security: A new paradigm for cryptographic protocols (2013)

Citations: 837 (43 self)

### Citations

Each entry gives the cited work's own citation count, its authors, title and year, and, where the listing provides it, the passage of the paper in which the citation appears (the cited key is shown in brackets).

- **3916** Milner, *Communication and Concurrency*, 1989.
  Context: "…notion of indistinguishability of distributions, and in particular the security notion of [c00]. Still, this notion is a relaxation of the notion of observational equivalence of processes (see, e.g., [m89]); indeed, observational equivalence essentially fixes the entire system outside the protocol instances, whereas protocol emulation allows the analyst to choose an appropriate simulator that will make…"

- **1981** Lynch, *Distributed Algorithms*, 1996.
  Context: "…such a unit. Possible formalizations include an interactive Turing machine as in [gmra89, g01], a random-access-memory (RAM) machine, a process (as in [m89, m99, h85, lmms99]), an I/O automaton (as in [ly96]), a system in the Abstract Cryptography model [mr11], etc. For the rest of this section we'll call such a unit a machine. The model of computation consists of several machines that run "concurrentl…"

- **1387** Goldwasser, Micali, *Probabilistic encryption*, 1984.
  Context: "…itions are insufficient in more complex contexts, where protocols are deployed within more general protocol environments. Some examples include encryption, where the basic notion of semantic security [gm84] was later augmented with several flavors of security against chosen ciphertext attacks [ny90, ddn00, rs91, bdpr98] and adaptive security [bh92, cfgn96], in order to address general protocol settings;…"

- **1369** Dolev, Yao, *On the security of public key protocols*, 1983.

- **1254** Goldwasser, Micali, et al., *The knowledge complexity of interactive proof-systems*, 1989.
  Context: "…lgorithms. We proceed in two main steps. First (Section 3.1.1), we define a syntax, or a "programming language" for protocols. This language, which extends the notion of interactive Turing machine [gmra89], allows expressing instructions and constructs needed for operating in a distributed system. Next (Section 3.1.2), we define the semantics of a protocol, namely an execution model for distributed sys…"

- **919** Abadi, Gordon, *A calculus for cryptographic protocols: The spi calculus*, 1997.
  Context: "…list includes the CSP model of Hoare [h85], the CCS model and π-calculus of Milner [m89, m99] (that is based on the λ-calculus as its basic model of computation), the spi calculus of Abadi and Gordon [ag97] (that is based on π-calculus), the framework of Lincoln et al. [lmms98] (that uses the functional representation of probabilistic polynomial time from [mms98]), the I/O automata of Merritt and Lynch…"

- **846** Ben-Or, Goldwasser, et al., *Completeness theorems for non-cryptographic fault-tolerant distributed computation*, 1988.

- **643** Kocher, *Timing attacks on implementations of Diffie-Hellman*, 1996.

- **592** Even, Goldreich, et al., *A randomized protocol for signing contracts*, 1985.

- **580** Bellare, Rogaway, *Entity authentication and key distribution*, 1993.

- **562** Yao, *Theory and applications of trapdoor functions*, 1982.

- **548** Goldreich, Micali, et al., *How to play any mental game*.
  Context: "…appears in [c06]. The overall definitional approach is the same as in most other general definitional frameworks mentioned above, and goes back to the seminal work of Goldreich, Micali and Wigderson [gmw87]: In order to determine whether a given protocol is secure for some cryptographic task, first envision an ideal process for carrying out the task in a secure way. In the ideal process all parties hand…"

- **511** Bellare, Desai, et al., *Relations among notions of security for public-key encryption schemes*, 1998.

- **485** Dolev, Dwork, et al., *Non-malleable cryptography*, 2000.
  Context: "…represent the given environment or application within an extended definition of security. Such an approach is taken, for instance, in the cases of key-exchange [br93, ck01], non-malleable commitments [ddn00], concurrent zero-knowledge [dns98] and general concurrently secure protocols [p04, bs05, g11], where the definitions explicitly model several adversarially coordinated instances of the protocol in qu…"

- **462** Canetti, *Security and composition of multiparty cryptographic protocols*.

- **460** Milner, *Communicating and Mobile Systems: The Pi Calculus*, 1999.

- **396** Boneh, DeMillo, et al., *On the importance of checking cryptographic protocols for faults*, 2001.

- **388** Abadi, Rogaway, *Reconciling two views of cryptography (the computational soundness of formal encryption)*.

- **380** Rabin, *How to exchange secrets by oblivious transfer*, 1981.

- **366** Lynch, *Probabilistic simulations for probabilistic processes*, 1994.

- **348** Brassard, Chaum, et al., *Minimum Disclosure Proofs of Knowledge*, 1988.

- **310** Biham, Shamir, *Differential Fault Analysis of Secret Key Cryptosystems*, 1997.

- **281** Naor, Yung, *Public-key cryptosystems provably secure against chosen ciphertext attack*, 1990.

- **251** Bellare, Canetti, et al., *A modular approach to the design and analysis of authentication and key exchange protocols*, 1998.

- **251** Goldreich, *Foundations of Cryptography*, 2001.
  Context: "…the definition of security would require that the two output ensembles exec_{π,A,E} and exec_{φ,S,E} (that would no longer be binary) be computationally indistinguishable, as defined by Yao [y82] (see also [g01]). It is easy to see, however, that this extra generality results in a definition that is equivalent to Definition 5. We leave the proof as an exercise. On deterministic environments. Since we conside…"

- **237** Barak, *How to Go Beyond the Black-Box Simulation Barrier*.

- **209** Goldreich, Krawczyk, *On the Composition of Zero-Knowledge Proof Systems*, 1990.
  Context: "…π′/F does not emulate ρ. (We thank Manoj Prabhakaran and Amit Sahai for this example.) In order to define F, we first recall the definition of pseudorandom ensembles of evasive sets, defined in [gk89] for a related purpose. An ensemble S = {S_k}_{k∈N}, where each S_k = {s_{k,i}}_{i∈{0,1}^k} and each s_{k,i} ⊂ {0,1}^k, is a pseudorandom evasive set ensemble if: (a) S is pseudorandom, that is, for all large enough…"

- **179** Pfitzmann, Waidner, *A model for asynchronous reactive systems and its application to secure message transmission*, 2001.

- **174** Dwork, Naor, et al., *Concurrent zero-knowledge*, 1998.
  Context: "…application within an extended definition of security. Such an approach is taken, for instance, in the cases of key-exchange [br93, ck01], non-malleable commitments [ddn00], concurrent zero-knowledge [dns98] and general concurrently secure protocols [p04, bs05, g11], where the definitions explicitly model several adversarially coordinated instances of the protocol in question. This approach, however, res…"

- **167** Goldreich, Kahan, *How to construct constant-round zero-knowledge proof systems for NP*, 1996.

- **152** Pfitzmann, Waidner, *Composition and integrity preservation of secure reactive systems*.
  Context: "…alent to the general (non black-box) notion of security. We remark that the present formulation of black-box simulation is reminiscent of the notions of strong black-box simulation in [dkmr05] and in [pw00] (except for the introduction of the shell adversary). However, in these works this notion is not equivalent to the standard one, due to different formalizations of probabilistic polynomial time.…"

- **150** Kemmerer, Meadows, et al., *Three systems for cryptographic protocol analysis*, 1994.

- **146** Beaver, *Secure multiparty protocols and zero-knowledge proof systems tolerating a faulty minority*, 1991.

- **129** Goldreich, Oren, *Definitions and Properties of Zero-Knowledge Proof Systems*, 1994.

- **118** Lincoln, Mitchell, et al., *A probabilistic poly-time framework for protocol analysis*, 1998.
  Context: "…us of Milner [m89, m99] (that is based on the λ-calculus as its basic model of computation), the spi calculus of Abadi and Gordon [ag97] (that is based on π-calculus), the framework of Lincoln et al. [lmms98] (that uses the functional representation of probabilistic polynomial time from [mms98]), the I/O automata of Merritt and Lynch [ly96], the probabilistic I/O automata of Lynch, Segala and Vaandrager […"

- **115** Blum, *Coin Flipping by Telephone*, 1982.

- **115** Gennaro, Rabin, et al., *Simplified VSS and fast-track multi-party computations with applications to threshold cryptography*, 1998.

- **111** Richardson, Kilian, *On the Concurrent Composition of Zero-Knowledge Proofs*, EUROCRYPT, 1999.

- **95** Nielsen, *Separating random oracle proofs from complexity theoretic proofs: The non-committing encryption case*, 2002.

- **90** Ryan, Schneider, *The Modelling and Analysis of Security Protocols: the CSP Approach*, 2001.

- **89** Shoup, *On formal models for secure key exchange*, 1999.

- **85** Goldwasser, Levin, *Fair Computation of General Functions*, 1990.

- **78** Backes, Pfitzmann, et al., *A general composition theorem for secure reactive systems*, 2004.

- **74** Durgin, Lincoln, et al., *Multiset rewriting and the complexity of bounded security protocols*, 2004.

- **74** Hirt, Maurer, *Complete characterization of adversaries tolerable in secure multi-party computation (extended abstract)*, 1997.

- **67** Beaver, Haber, *Cryptographic protocols provably secure against dynamic adversaries*, 1992.

- **63** Maurer, *Information-theoretic cryptography*, 1999.
  Context: "…active Turing machine as in [gmra89, g01], a random-access-memory (RAM) machine, a process (as in [m89, m99, h85, lmms99]), an I/O automaton (as in [ly96]), a system in the Abstract Cryptography model [mr11], etc. For the rest of this section we'll call such a unit a machine. The model of computation consists of several machines that run "concurrently" (i.e., alongside each other) and provide each othe…"

- **62** Segala, *Testing probabilistic automata*, 1996.

- **61** Canetti, *Universally composable signature, certification, and authentication*, 2004.
  Context: "…allowing such simple and powerful formulation of F_auth and similar functionalities has been one of the main motivations for the present formulation of the underlying computational model. Claim 17 ([c04]) Any protocol that UC-realizes F_auth in the bare model is useless. Still, there are a number of ways to realize F_auth in algorithmic ways, given some other abstractions on the system. Following the s…"

- **58** Micali, Reyzin, *Physically observable cryptography*.

- **56** Canetti, Feige, et al., *Adaptive secure computation*, 1996.
  Context: "…herwise. Then: Claim 18 If E is semantically secure for domain D as in [gm84, g01] then π_E UC-realizes F^{l,D}_{smt} in the presence of non-adaptive adversaries. Furthermore, if E is non-committing (as in [cfgn96]) then π_E UC-realizes F^{l,D}_{smt} with adaptive adversaries. This holds even if data erasures are not trusted and the adversary sees all the past internal states of the corrupted parties. Choosing new ke…"

- **54** Pfitzmann, Schunter, et al., *Secure reactive systems*, 2000.

- **53** Micali, Rogaway, *Secure computation*, unpublished manuscript, 1992.

- **53** Pass, Rosen, *New and improved constructions of non-malleable cryptographic protocols*, 2005.

- **51** Lincoln, Mitchell, et al., *Probabilistic Polynomial-time Equivalence and Security Analysis*, 1999.

- **45** Pass, Rosen, *Bounded-Concurrent Secure Two-Party Computation in a Constant Number of Rounds*.

- **41** Fischlin, Fischlin, *Efficient Non-Malleable Commitment Schemes*, 2000.

- **38** Canetti, Gennaro, *Incoercible multiparty computation*, 1996.
  Context: "…the participants are humans that are susceptible to social pressure, such as in voting schemes. In the present framework, coercion attacks can be modeled in a straightforward way, along the lines of [cg96]. That is, upon receipt of a coercion message, the shell notifies the body of the corruption and follows the instructions of the body. This allows the attacked party to run some pre-determined algorit…"

- **38** Sipser, *Introduction to the Theory of Computation: Second Edition*, 2006.
  Context: "…locally within the same computing environment, and communication over an "untrusted medium", say across a network. Definition 1 An interactive Turing machine (ITM) M is a Turing machine (as in, say, [si05]) with the following augmentations: Special tapes (i.e., data structures): • An identity tape. The contents of this tape is interpreted as two strings. The first string contains a description, using s…"

- **37** Backes, Pfitzmann, et al., *The reactive simulatability (RSIM) framework for asynchronous systems*.

- **35** Canetti, Herzog, *Universally composable symbolic analysis of cryptographic protocols (the case of encryption-based mutual authentication and key exchange)*, http://eprint.iacr.org/2004/334, 2005.

- **34** Lindell, Lysyanskaya, et al., *On the Composition of Authenticated Byzantine Agreement*, 2002.
  Context: "…unique is a strong and potentially unrealistic guarantee. Still, in some cases having unique identities available to the protocol is essential for a meaningful solution. (This fact is exemplified in [llr02] for the basic tasks of broadcast and Byzantine agreement.) We provide unique identities in order to facilitate representing protocols that use identities. Still, it is of course possible to study wi…"

- **33** Sprenger, Backes, et al., *Cryptographically sound theorem proving*, 2006.

- **30** Ben-Or, Mayers, *General security definition and composability for quantum & classical protocols*, 2004.
  Context: "…depth, and with no increase in the simulation overhead. We omit further details. The fact that the UC theorem extends to arbitrary polynomial nesting of the UC operation was independently observed in [bm04] for their variant of the UC framework. Beyond PPT. The UC theorem is stated and proven for PPT systems of ITMs, namely for the case where all the involved entities are PPT. It is readily seen that th…"

- **29** Barak, Canetti, et al., *Secure computation without authentication*, 2005.

- **28** Beaver, *Plug and play encryption*, 1997.

- **24** Sahai, *How to play almost any mental game over the net: concurrent composition via super-polynomial simulation*, 2005.

- **22** Hofheinz, Müller-Quade, et al., *Initiator-Resilient Universally Composable Key Exchange*, ESORICS, 2003; extended version at the ePrint archive.

- **21** Pfitzmann, Waidner, *A general framework for formal notions of "secure" system*, 1994.

- **20** Abe, Fehr, *Adaptively Secure Feldman VSS and Applications to Universally-Composable Threshold Cryptography*, 2004.

- **20** Canetti, *Security and composition of cryptographic protocols: a tutorial (part I)*.

- **19** Datta, Küsters, et al., *On the relationships between notions of simulation-based security*.
  Context: "…inition is equivalent to the general (non black-box) notion of security. We remark that the present formulation of black-box simulation is reminiscent of the notions of strong black-box simulation in [dkmr05] and in [pw00] (except for the introduction of the shell adversary). However, in these works this notion is not equivalent to the standard one, due to different formalizations of probabilistic polynom…"

- **17** Gennaro, Lysyanskaya, et al., *Algorithmic Tamper-Proof Security: Theoretical Foundations for Security Against Tampering*, 2004.

- **15** Barak, Lindell, et al., *Protocol Initialization for the Framework of Universal Composability*, manuscript, ePrint archive report 2004/006, http://eprint.iacr.org.

- **10** Canetti, Cheung, et al., *Using probabilistic I/O automata to analyze an oblivious transfer protocol*, 2006.

- **10** Canetti, Krawczyk, *Analysis of key exchange protocols and their use for building secure channels*.

- **10** Pass, *A precise computational approach to knowledge*, 2006.
  Context: "…ability to jump to the beginning of the next incoming message. (In contrast, in a RAM machine model, such a provision would not be necessary.) A similar phenomenon has been independently observed in [p06] in the context of Zero-Knowledge protocols. Making the identities available to the code. In contrast with other formalisms (such as [dkmr05, k06, kt13]), the present formalism allows ITMs to read and…"

- **7** Küsters, Tuengerthal, *The IITM Model: a Simple and Expressive Model for Universal Composability*.

- **6** Burrows, Abadi, et al., *A logic for authentication*, DEC Systems Research Center, 1990.

- **6** Canetti, Vald, *Universally composable security with local adversaries*.

- **6** Hofheinz, Müller-Quade, *A synchronous model for multi-party computation and the incompleteness of oblivious transfer*.

- **5** Canetti, Dodis, et al., *Universally Composable Security with Pre-Existing Setup*, The fourth Theory, 2007.
  Context: "…ive formulation would allow E to invoke arbitrary ITIs with multiple different SIDs. This more general (but more complex) formulation captures a meaningful extension of the model. See more details in [cdpw07]. We also note that previous versions of this work did not provide adequate treatment of the translation, done by the control function, from inputs provided by the environment to the values received by…"

- **5** Datta, *Security analysis of network protocols: compositional reasoning and complexity-theoretic foundations*, 2005.

- **5** Lindell, *General Composition and Universal Composability*, 2003.
  Context: "…r variant of Definition 5, where the simulator S can depend on the code of the environment E. That is, for any A and E there should exist a simulator S that satisfies exec_{φ,S,E} ≈ exec_{π,A,E}. Following [l03], we call this variant security with respect to specialized simulators. We demonstrate that this variant is equivalent to the main definition (Definition 5). Claim 12 A protocol π UC-emulates protocol…"

- **4** Canetti, Krawczyk, et al., *Relaxing chosen ciphertext security of encryption schemes*, 2003.
  Context: "…of doing this is to use the same encryption scheme to encrypt all the messages sent to some party. Here the encryption scheme should have additional properties on top of being semantically secure. In [ckn03] it is shown that replayable chosen ciphertext security (RCCA) suffices for this purpose for the case of non-adaptive party corruptions. In the case of adaptive corruptions stronger properties and…"

- **4** Hofheinz, Shoup, *GNUC: A New Universal Composability Framework*, IACR Cryptology ePrint Archive, report 2011/303, 2011.
  Context: "…that's chosen at random from a large enough domain. Alternatively, one can use a hierarchical encoding where each new identity is a pair (invoker ID, new ID). (Indeed, such a mechanism is mandated in [hs11].) These methods can be regarded as ways to implement the abstraction of unique identities. On the SID mechanism. As argued in the preamble to the definition of protocol instances (Section 3.1.2), the…"

- **3** Di Crescenzo, Ishai, et al., *Non-interactive and non-malleable commitment*, 30th STOC, 1998.

- **2** Goyal, *Positive Results for Concurrently Secure Computation*.

- **2** Mitchell, Mitchell, et al., *A Linguistic Characterization of Bounded Oracle*, 1998.
  Context: "…on), the spi calculus of Abadi and Gordon [ag97] (that is based on π-calculus), the framework of Lincoln et al. [lmms98] (that uses the functional representation of probabilistic polynomial time from [mms98]), the I/O automata of Merritt and Lynch [ly96], the probabilistic I/O automata of Lynch, Segala and Vaandrager [sl95, lsv03], and the Abstract Cryptography model of Maurer and Renner [mr11]. Motivati…"

- **1** Almansa, *The Full Abstraction of the UC Framework*, BRICS.

- **1** Canetti, *Composable Formal Security Analysis: Juggling Soundness, Simplicity and Efficiency*.

- **1** Canetti, Chari, et al., *Composable Security Analysis of OS Services*.

- **1** Canetti, Halevi, et al., *Adaptively Secure Non-Interactive Public-Key Encryption*, 2nd Theory of Cryptography Conference (TCC), 2005.

- **1** Hofheinz, Unruh, *Comparing Two Notions of Simulatability*, 2nd Theory of Cryptography Conference (TCC), 2005.
  Context: "…stronger variant where the ideal adversary S is restricted to black-box access to the adversary A. (We remark that in other frameworks these variants result in different formal requirements; see e.g. [hu05].) 1.2 Universal Composition. Consider the following method for composing two protocols into a single composite protocol. (It may be useful to think of this composition operation as a generalization of…"

- **1** Rosen, *Concurrent Zero-Knowledge*, Series on Information Security and Cryptography, 2006.
  Context: "…of components is fixed in advance. One example is the study of concurrent Zero-Knowledge, where the number of sessions depends on the adversary and cannot be bounded by any fixed polynomial. See e.g. [r06].) Similarly, we would like to be able to model commonplace situations where programs are generated automatically, "downloaded", and incorporated in a computation "on the fly". The external write mech…"

- **1** Katz et al. [kmtz13], who formulate synchronous variants of the UC framework.