Abstract
The universal composability paradigm allows for the modular design and analysis of cryptographic protocols. It has been widely and successfully used in cryptography. However, devising a coherent yet simple and expressive model for universal composability is, as the history of such models shows, highly non-trivial. For example, several partly severe problems have been pointed out in the literature for the UC model. In this work, we propose a coherent model for universal composability, called the IITM model (“Inexhaustible Interactive Turing Machine”). A main feature of the model is that it is stated without a priori fixing irrelevant details, such as a specific way of addressing machines by session and party identifiers, a specific modeling of corruption, or a specific protocol hierarchy. In addition, we employ a very general notion of runtime. All reasonable protocols and ideal functionalities should be expressible based on this notion in a direct and natural way, and without tweaks, such as (artificial) padding of messages or (artificially) adding extra messages. Not least because of these features, the model is simple and expressive. Also, the general results that we prove, such as composition theorems, hold independently of how such details are fixed for concrete applications. Because the IITM model is inspired by other models for universal composability, in particular the UC model, and because of its flexibility and expressivity, results formulated in these models conceptually carry over directly to the IITM model.
Highlights
In the universal composability paradigm [5,36], the security of protocols is defined in such a way that security is preserved even if the protocols are used as components of an arbitrary distributed system.
A real protocol securely realizes the ideal protocol if every attack on the real protocol can be translated into an “equivalent” attack on the ideal protocol, where equivalence is specified based on an environment trying to distinguish the real attack from the ideal one.
None of the activated machines accepts m on tape c, but a fresh instance of a machine does: it holds that i = n + 1 and, for all j ≤ n with c ∈ T_in(M_j), M_j(CheckAddress, c, m) = reject, but there is an inexhaustible interactive Turing machine (IITM) M in P such that c ∈ T_in(M) and M(CheckAddress, c, m) = accept, where we identify M with its initial configuration, with 1^η written on its security parameter tape and α(n+1) written on the random tape of M.
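The dispatch rule quoted above can be made concrete with a small simulation. The following is an added example written for this page, not code from the paper or its authors: it models a system P of machine specifications, keeps the activated instances M_1, ..., M_n in activation order, asks each of them CheckAddress on the incoming (tape, message) pair, and only if all of them reject creates a fresh instance M_{n+1} with a fresh random tape α(n+1) and asks it in its initial configuration. The `sid|payload` message format, the `sid_prefix_check` predicate and the names `MachineSpec`, `Instance` and `System` are assumptions made for the illustration; the paper's handling of the case where no machine at all accepts is not shown on this page, so the example simply returns `None` there.

```python
"""Added example (not from the paper): routing a message to IITM instances via CheckAddress."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional
import secrets


@dataclass
class MachineSpec:
    """A machine M of the system P: its input tapes T_in(M) and its CheckAddress
    predicate, which is evaluated on an instance's current configuration."""
    name: str
    in_tapes: frozenset
    check_address: Callable[["Instance", str, str], bool]


@dataclass
class Instance:
    """One instance M_i of a machine, with its own random tape alpha(i)."""
    spec: MachineSpec
    index: int
    random_tape: bytes
    sid: Optional[str] = None                      # adopted from the first delivered message
    received: List[str] = field(default_factory=list)

    def check_address(self, tape: str, msg: str) -> bool:
        # A machine can only accept input on one of its own input tapes T_in(M).
        return tape in self.spec.in_tapes and self.spec.check_address(self, tape, msg)

    def receive(self, msg: str) -> None:
        if self.sid is None:
            self.sid = msg.split("|", 1)[0]
        self.received.append(msg)


class System:
    """Delivers messages following the rule: activated instances first, then a fresh one."""

    def __init__(self, protocol: List[MachineSpec],
                 rng: Optional[Callable[[int], bytes]] = None):
        self.protocol = protocol                         # the system P
        self.instances: List[Instance] = []              # M_1 .. M_n in activation order
        self.rng = rng or (lambda i: secrets.token_bytes(16))   # random tape alpha(i)

    def deliver(self, tape: str, msg: str) -> Optional[Instance]:
        # Case 1: some already activated M_j (j <= n) accepts m on tape c; the first one wins.
        for inst in self.instances:
            if inst.check_address(tape, msg):
                inst.receive(msg)
                return inst
        # Case 2 (i = n + 1): no activated machine accepts, but a fresh instance of some
        # M in P with c in T_in(M), asked in its initial configuration, does.
        n = len(self.instances)
        for spec in self.protocol:
            if tape not in spec.in_tapes:
                continue
            fresh = Instance(spec, n + 1, self.rng(n + 1))   # fresh random tape alpha(n+1)
            if fresh.check_address(tape, msg):
                self.instances.append(fresh)
                fresh.receive(msg)
                return fresh
        # No machine accepts m on c at all; that case is outside the quoted rule.
        return None


def sid_prefix_check(inst: Instance, tape: str, msg: str) -> bool:
    """Constructed CheckAddress predicate: messages look like "sid|payload". An instance
    accepts any well-formed message until it has a SID, afterwards only its own SID."""
    if "|" not in msg:
        return False
    sid = msg.split("|", 1)[0]
    return inst.sid is None or inst.sid == sid


def demo() -> List[tuple]:
    """Constructed run: two sessions on tape "io", a wrong tape, and a malformed message."""
    spec = MachineSpec("P_session", frozenset({"io"}), sid_prefix_check)
    system = System([spec], rng=lambda i: i.to_bytes(4, "big"))   # deterministic alpha(i)
    trace = []
    for tape, msg in [("io", "s1|hello"), ("io", "s2|hello"),
                      ("io", "s1|again"), ("net", "s1|x"), ("io", "garbage")]:
        inst = system.deliver(tape, msg)
        trace.append((msg, None if inst is None else inst.index))
    return trace


if __name__ == "__main__":
    for msg, idx in demo():
        print(f"{msg!r} -> instance {idx}")
```

Running `demo()` shows the two effects of the rule: the second message for session `s1` is routed to the existing instance M_1 rather than to a new one, while the first message for `s2` is rejected by M_1 and creates M_2 with random tape α(2); a message on a tape outside T_in(M) or one that no instance's CheckAddress accepts is delivered to nobody.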
Summary
In the universal composability paradigm [5,36], the security of protocols is defined in such a way that security is preserved even if the protocols are used as components of an arbitrary (polynomially bounded) distributed system. The composition, joint state, and global setup theorems are very general: the class of protocols they cover is large, both in terms of the structure and the runtime of protocols. These theorems are stated and proven independently of many details fixed in other models (such as addressing of machines and corruption). The flexibility of the IITM model and the generality of its composition theorems allow us to directly support many forms of joint state and global setup, including arbitrary combinations of both, which have not been considered in the literature so far and would require extensions in other models. Details omitted in the main body of the paper can be found in the appendix.