abstract cryptography joint work with renato rennercs.au.dk/fileadmin/ · joint work with renato...
TRANSCRIPT
Abstract Cryptographyand secure MPC
Ueli Maurer
ETH Zurich
joint work with Renato Renner
Secure Multi-Party Computation Workshop, Aarhus, June 2012.
Abstraction
Abstraction
Algebraic abstraction:
• group 〈G, ?, e, 〉
Abstraction
Algebraic abstraction:
• group 〈G, ?, e, 〉• field 〈F,+, ·,0,1〉
Abstraction
Algebraic abstraction:
• group 〈G, ?, e, 〉• field 〈F,+, ·,0,1〉• vector space, graph, data structures, OSI layers, ...
Abstraction
Algebraic abstraction:
• group 〈G, ?, e, 〉• field 〈F,+, ·,0,1〉• vector space, graph, data structures, OSI layers, ...
Levels of abstraction:
1. Abstract group: 〈G, ?, e, 〉
2. Instantiations: Integers, real number, elliptic curves
3. Representations: e.g. projective coordinates for ECs
Abstraction
Algebraic abstraction:
• group 〈G, ?, e, 〉• field 〈F,+, ·,0,1〉• vector space, graph, data structures, OSI layers, ...
What is the abstraction of:
• cryptosystem ?• digital signature scheme ?• MPC protocol ?• zero-knowledge proof ?• algorithm, distinguisher, hybrid argument, ...?
Abstraction
Algebraic abstraction:
• group 〈G, ?, e, 〉• field 〈F,+, ·,0,1〉• vector space, graph, data structures, OSI layers, ...
Goals of abstraction:
• eliminate irrelevant details, minimality• simpler definitions• generality of results• simpler proofs• elegance• didactic suitability, understanding
Levels of abstraction in AC
# main concept concepts treated at this level
0. Constructions composability, construction trees
0’. Games isomorphism
1. Abstract systems cryptographic algebras
2. Discrete systems indistinguishability proofs
3. System implem. complexity, efficiency, asymptotics
The construction paradigm
The construction paradigm
Many scientific disciplines can be seen as being constructive.
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: R α−→ S
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: R α−→ S
Examples:• A (k, n)-error-correcting code constructs a reliable channel
from a noisy channel:
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: R α−→ S
Examples:• A (k, n)-error-correcting code constructs a reliable channel
from a noisy channel:
NCn(enc,dec)−→ RCk
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: R α−→ S
Examples:• A (k, n)-error-correcting code constructs a reliable channel
from a noisy channel:
NCn(enc,dec)−→ RCk
• An extractor constructs a uniform m-bit string Umfrom any RV X with min-entropy > m+ c and Us:
(X,Us)ext−→ Um
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: R α−→ S
Examples:• A (k,m)-PRG constructs a uniform m-bit string
from a uniform k-bit string:
UkPRG−→ Um
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: R α−→ S
Examples:• A (k,m)-PRG constructs a uniform m-bit string
from a uniform k-bit string:
UkPRG−→ Um
• A key agreement protocol (KAP) constructs a sharedsecret n-bit key from ???:
??? KAP−→ KEYn
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: R α−→ S
Involved types:
• resource• constructor• construction notion
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: Rα,ε−→ S
Involved types:
• resource• constructor• construction notion• metric on space of resources
d(R,S) ≤ ε ⇐⇒ R ≈ε S
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: Rα,ε−→ S
Examples:• A (k, n)-error-correcting code constructs a reliable channel
from a noisy channel:
NCn(enc,dec)−→ RCk
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: Rα,ε−→ S
Examples:• A (k, n)-error-correcting code constructs a reliable channel
from a noisy channel:
NCn(enc,dec)−→ RCk
R(β, γ),ε−→ S :⇐⇒ S ≈ε β R γ
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: Rα,ε−→ S
Examples:• A (k, n)-error-correcting code constructs a reliable channel
from a noisy channel:
NCn(enc,dec)−→ RCk
R(β, γ),ε−→ S :⇐⇒ S ≈ε β R γ
NCn(enc,dec),ε−→ RCk ⇐⇒ RCk ≈ε enc NCn dec
Levels of abstraction in AC
# main concept concepts treated at this level
0. Constructions composability, construction trees
0’. Games isomorphism
1. Abstract systems cryptographic algebras
2. Discrete systems indistinguishability proofs
3. System implem. complexity, efficiency, asymptotics
Constructions and composability
resource set 〈Ω, ||〉, constructor set 〈Γ, , | , id〉
Constructions and composability
resource set 〈Ω, ||〉, constructor set 〈Γ, , | , id〉
Construction = subset of Ω× Γ×Ω
Possible notation: R α−→ S
Constructions and composability
resource set 〈Ω, ||〉, constructor set 〈Γ, , | , id〉
Construction = subset of Ω× Γ×Ω
Possible notation: R α−→ S
Definition: A construction is serially composable if
1. R α−→ S ∧ Sβ−→ T ⇒ R
αβ−→ T
Constructions and composability
resource set 〈Ω, ||〉, constructor set 〈Γ, , | , id〉
Construction = subset of Ω× Γ×Ω
Possible notation: R α−→ S
Definition: A construction is serially composable if
1. R α−→ S ∧ Sβ−→ T ⇒ R
αβ−→ T
and generally composable if also:
2. R id−→ R
3. R α−→ S ⇒ R||Tα|id−→ S||T
Constructions and composability
resource set 〈Ω, ||〉, constructor set 〈Γ, , | , id〉
Construction = subset of Ω× Γ×Ω
Possible notation: R α−→ S
Definition: A construction is serially composable if
1. R α−→ S ∧ Sβ−→ T ⇒ R
αβ−→ T
and generally composable if also:
2. R id−→ R
3. R α−→ S ⇒ R||Tα|id−→ S||T
∧ T||Rid|α−→ T||S
One-time pad: A constructive perspective
1
C , C , ...1ciphertext
1 2
key21 key
21
2
2
addition modulo 2
M , M , ... M , M , ...plaintext plaintext
K , K , ... K , K , ...
One-time pad: A constructive perspective
1
C , C , ...1ciphertext
1 2
key21 key
21
2
2
addition modulo 2
M , M , ... M , M , ...plaintext plaintext
K , K , ... K , K , ...
Perfect secrecy (Shannon):
C and M are statistically independent.
One-time pad in constructive cryptography
.
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
One-time pad in constructive cryptography
. .
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
One-time pad in constructive cryptography
. .
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
One-time pad in constructive cryptography
. otp−enc
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
One-time pad in constructive cryptography
. otp−decotp−enc
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
One-time pad in constructive cryptography
. otp−decotp−enc
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
One-time pad in constructive cryptography
. .
BA
ESEC
otp−decotp−enc
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
One-time pad in constructive cryptography
.
$
sim
BA
ESEC
otp−decotp−enc
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
One-time pad in constructive cryptography
.
$
sim
BA
ESEC
otp−decotp−enc
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
One-time pad in constructive cryptography
.
|.|
$
sim
BA
ESEC
otp−decotp−enc
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
One-time pad in constructive cryptography
. .
|.|
$
sim
BA
ESEC
otp−decotp−enc
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
written as a construction: [KEY,AUT]OTP−→ SEC
Symmetric encryption in CC
.
|.|
$
sim
SEC
A B
E
dec
D
enc
EA B
E
AUT
A
E
B
$KEY
decB encA [KEY,AUT] ≈ simE SEC
written as a construction: [KEY,AUT]tSYMt−→ SEC
Levels of abstraction in AC
# main concept concepts treated at this level
0. Constructions composability, construction trees
0’. Games isomorphism
1. Abstract systems cryptographic algebras
2. Discrete systems indistinguishability proofs
3. System implem. complexity, efficiency, asymptotics
Levels of abstraction in AC
# main concept concepts treated at this level
0. Constructions composability, construction trees
0’. Games isomorphism
1. Abstract systems cryptographic algebras
2. Discrete systems indistinguishability proofs
3. System implem. complexity, efficiency, asymptotics
Constructive cryptography
Resource S is constructed from R by protocol π:
R π−→ S
Constructive cryptography
Resource S is constructed from R by protocol π:
R π−→ S
Example: Alice-Bob-Eve setting, π = (π1, π2)
Constructive cryptography
Resource S is constructed from R by protocol π:
R π−→ S
Example: Alice-Bob-Eve setting, π = (π1, π2)
R π−→ S :⇔ ∃σ : π1A π2
B R ≈ σE S
Constructive cryptography
Resource S is constructed from R by protocol π:
R π−→ S
Example: Alice-Bob-Eve setting, π = (π1, π2)
R π−→ S :⇔ ∃σ : π1A π2
B R ≈ σE S
and
π1A π2
B ⊥E R ≈ ⊥E S
Proof of composition theorem for ABE-setting
SR
σ
E
BAπ2π1
E
BA
Proof of composition theorem for ABE-setting
TS
SR
σ′
B
E
Aπ′2π′
1E
BA
σ
E
BAπ2π1
E
BA
Proof of composition theorem for ABE-setting
TS
SR
σ′
B
E
Aπ′2π′
1E
BA
σ
π′1
E
BAπ′1 π2π1
E
BA
Proof of composition theorem for ABE-setting
TS
SR
σ′
B
E
Aπ′2π′
1E
BA
σ
π′1
E
BAπ′1 π2π1
E
BA
Definition: d non-expanding: d(αiR,αiS) ≤ d(R,S)
Proof of composition theorem for ABE-setting
TS
SR
σ′
B
E
Aπ′2π′
1E
BA
σ
π′1
E
BAπ′1 π2π1
E
BA
Definition: d non-expanding: d(αiR,αiS) ≤ d(R,S)
Example: efficient (e.g. poly-time) implementable systems
Proof of composition theorem for ABE-setting
TS
SR
σ′
B
E
Aπ′2π′
1E
BA
σ
π′2π′
1E
BAπ′2π′
1 π2π1
E
BA
Definition: d non-expanding: d(αiR,αiS) ≤ d(R,S)
Example: efficient (e.g. poly-time) implementable systems
Proof of composition theorem for ABE-setting
TS
SR
σ
σ′
B
E
A
σ
π′2π′
1E
BA
σ
π′2π′
1E
BAπ′2π′
1 π2π1
E
BA
Definition: d non-expanding: d(αiR,αiS) ≤ d(R,S)
Example: efficient (e.g. poly-time) implementable systems
Proof of composition theorem for ABE-setting
TS
SR
σ
σ′
B
E
A
σ
π′2π′
1E
BA
σ
π′2π′
1E
BAπ′2π′
1 π2π1
E
BA
Definition: d non-expanding: d(αiR,αiS) ≤ d(R,S)
Example: efficient (e.g. poly-time) implementable systems
Levels of abstraction in AC
# main concept concepts treated at this level
0. Constructions composability, construction trees
0’. Games isomorphism
1. Abstract systems cryptographic algebras
2. Discrete systems indistinguishability proofs
3. System implem. complexity, efficiency, asymptotics
Cryptographic algebra 〈Φ,Σ〉
R2
3
4
1
Cryptographic algebra 〈Φ,Σ〉
R2
3
4
1α
Cryptographic algebra 〈Φ,Σ〉
R2
3
4
1
β
α
Cryptographic algebra 〈Φ,Σ〉
R2
3
4
1 γ
β
α
Cryptographic algebra 〈Φ,Σ〉
R2
3
4
1 γ
β
α
Resource set Φ (here for interface set I = 1,2,3,4)Converter set Σ
Cryptographic algebra 〈Φ,Σ〉
R2
3
4
1 γ
β
α
Resource set Φ (here for interface set I = 1,2,3,4)Converter set Σ
Algebraic laws:
• αiR ∈Φ for all R ∈Φ, α ∈Σ, i ∈ I• αiβjR = βjαiR for all i 6= j
• 1iR = R for all i
Levels of abstraction in AC
# main concept concepts treated at this level
0. Constructions composability, construction trees
0’. Games isomorphism
1. Abstract systems cryptographic algebras
2. Discrete systems indistinguishability proofs
3. System implem. complexity, efficiency, asymptotics
Games and isomorphisms
1,2 1,2,31
2
1 2 3
8 8
5 3
7
5
Alice Bob
outcome
Games and isomorphisms
1,2 1,2,31
2
1 2 3
5 7
3 3
8
7
outcome
1,2 1,2,31
2
1 2 3
8 8
5 3
7
5
Alice Bob
outcome
Games and isomorphisms
?=~
1,2 1,2,312
1 2 35 7
3 3
8
7
outcome
1,2 1,2,312
1 2 38 8
5 3
7
5
Alice Bob
outcome
Games and isomorphisms
1,2 1,2,31
2
1 2 3
8 8
5 3
7
5
Alice Bob
outcome
Games and isomorphisms
a,b,c 1,2a
b
1 2
3 5
7
3 5c
8
outcome
1,2 1,2,31
2
1 2 3
8 8
5 3
7
5
Alice Bob
outcome
Games and isomorphisms
a,b,c 1,2a
b
1 2
3 5
7
3 5c
8
outcome
1,2 1,2,31
2
1 2 3
8 8
5 3
7
5
Alice Bob
outcome
Games and isomorphisms
=~
a,b,c 1,2a
b
1 2
3 5
7
3 5c
8
outcome
1,2 1,2,31
2
1 2 3
8 8
5 3
7
5
Alice Bob
outcome
Games and isomorphisms
=~
a,b,c 1,2a
b
1 2
3 5
7
3 5c
8
outcome
1,2 1,2,31
2
1 2 3
8 8
5 3
7
5
Alice Bob
outcome
Complete local relations
Levels of abstraction in AC
# main concept concepts treated at this level
0. Constructions composability, construction trees
0’. Games isomorphism
1. Abstract systems cryptographic algebras
2. Discrete systems indistinguishability proofs
3. System implem. complexity, efficiency, asymptotics
Levels of abstraction in AC
# main concept concepts treated at this level
0. Constructions composability, construction trees
0’. Games isomorphism
1. Abstract systems cryptographic algebras
2. Discrete systems indistinguishability proofs
3. System implem. complexity, efficiency, asymptotics
Resource isomorphisms
SR1
2
3
4
2
3
4
1
π
Resource isomorphisms
SR
β4
β3
β2
β11
2
3
4
α4
α3
α2
α1
2
3
4
1
π
Resource isomorphisms
SR
β4
β3
β2
β11
2
3
4
α4
α3
α2
α1
2
3
4
1
π
Theorem: R is isomorphic to S ....
Resource isomorphisms
SR
β4
1
2
3
4
2
3
4
1
π
Theorem: R is isomorphic to S ....
Resource isomorphisms
SR
β4
π4 β4
1
2
3
4
2
3
4
1
π
Theorem: R is isomorphic to S ....
Resource isomorphisms
SR
π4
π3
π2
π11
2
3
4
2
3
4
1
π
Theorem: R is isomorphic to S ....
Resource isomorphisms
SR1
2
3
4
α4
2
3
4
1
π
Theorem: R is isomorphic to S ....
Resource isomorphisms
SR
α4
σ4
1
2
3
4
α4
2
3
4
1
π
Theorem: R is isomorphic to S ....
Resource isomorphisms
SR
σ4
σ3
σ2
σ11
2
3
4
2
3
4
1
π
Theorem: R is isomorphic to S ....
Resource isomorphisms
SR
σ4
σ3
σ2
σ11
2
3
4
2
3
4
1
π = (π1, . . . ,πn) σ = (σ1, . . . ,σn)
Theorem: R is isomorphic to S ....
Resource isomorphisms
SR
σ4
σ3
σ2
σ11
2
3
4
2
3
4
1
π = (π1, . . . ,πn) σ = (σ1, . . . ,σn)
Theorem: R is isomorphic to S via π, denoted R ∼=π S, if
∃σ ∀P ⊆ I : πP R ≡ σP S
Resource isomorphisms
SR
σ4
σ3
π2
π11
2
3
4
2
3
4
1
π = (π1, . . . ,πn) σ = (σ1, . . . ,σn)
Theorem: R is isomorphic to S via π, denoted R ∼=π S, if
∃σ ∀P ⊆ I : πP R ≡ σP S
Resource isomorphisms
SR σ3
σ2
σ1
π4
1
2
3
4
2
3
4
1
π = (π1, . . . ,πn) σ = (σ1, . . . ,σn)
Theorem: R is isomorphic to S via π, denoted R ∼=π S, if
∃σ ∀P ⊆ I : πP R ≡ σP S
Resource isomorphisms
SR
σ4
σ2
π3π11
2
3
4
2
3
4
1
π = (π1, . . . ,πn) σ = (σ1, . . . ,σn)
Theorem: R is isomorphic to S via π, denoted R ∼=π S, if
∃σ ∀P ⊆ I : πP R ≡ σP S
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
⇔ abstract UC
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
⇒ π1π2 ≈ Sσ2σ1S ≈ S
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
Theorem: A resource S such that SαS 6≈ S for all α cannotbe constructed from a communication channel.
⇒ π1π2 ≈ Sσ2σ1S ≈ S
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
Theorem: A resource S such that SαS 6≈ S for all α cannotbe constructed from a communication channel.
Corollary [CF01]: Commitment cannot be constructed (froma communication channel).
⇒ π1π2 ≈ Sσ2σ1S ≈ S
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
Theorem: A resource S such that SαS 6≈ S for all α cannotbe constructed from a communication channel.
Corollary [CF01]: Commitment cannot be constructed (froma communication channel).
C
⇒ π1π2 ≈ Sσ2σ1S ≈ S
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
Theorem: A resource S such that SαS 6≈ S for all α cannotbe constructed from a communication channel.
Corollary [CF01]: Commitment cannot be constructed (froma communication channel).
C
⇒ π1π2 ≈ Sσ2σ1S ≈ S
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
Theorem: A resource S such that SαS 6≈ S for all α cannotbe constructed from a communication channel.
Corollary [CF01]: Commitment cannot be constructed (froma communication channel).
CC
⇒ π1π2 ≈ Sσ2σ1S ≈ S
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
Theorem: A resource S such that SαS 6≈ S for all α cannotbe constructed from a communication channel.
Corollary [CF01]: Commitment cannot be constructed (froma communication channel).
?CC α
⇒ π1π2 ≈ Sσ2σ1S ≈ S
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
Theorem: A resource S such that SαS 6≈ S for all α cannotbe constructed from a communication channel.
Corollary [CF01]: Commitment cannot be constructed (froma communication channel).
Corollary: A delayed communication channel cannot beconstructed (from a communication channel).
⇒ π1π2 ≈ Sσ2σ1S ≈ S
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
guaranteed choice space
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
guaranteed choice space
possible choice space
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
actual choice space
guaranteed choice space
possible choice space
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
actual choice space
guaranteed choice space
possible choice space
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
actual choice space
guaranteed choice space
possible choice space
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
actual choice space
guaranteed choice space
possible choice space
S
ψ4
ψ3
ψ2
ψ1
2
3
4
1
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
Definition: S is an abstraction of R via π:
R vπ S :⇐⇒ ∀R∈R ∃S∈S : R ∼=π S
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
Definition: S is an abstraction of R via π:
R vπ S :⇐⇒ ∀R∈R ∃S∈S : R ∼=π S
Theorem: R vπ S is generally composable.
Example: Encryption, capturing coercibility
|.|
$
sim_E
SEC
dec
D
enc
EA B
E
AUT
A
E
B
$KEY
Example: Encryption, capturing coercibility
sim_B
|.|
$
sim_E
SEC
enc
EA B
E
AUT
A
E
B
$KEY
Example: Encryption, capturing coercibility
sim_B
|.|
$
sim_E
SEC
enc
EA B
E
AUT
A
E
B
$KEY
Example: Encryption, capturing coercibility
sim_B
|.|
$
sim_E
SEC
enc
EA B
E
AUT
A
E
B
$KEY
Theorem: An unleakable (uncoercible) securecommunication channel cannot be constructed from anauthenticated channel and a secret key.
Some Features of Abstract Cryptography
Some Features of Abstract Cryptography
• top-down abstraction
Some Features of Abstract Cryptography
• top-down abstraction
• isomorphism: exact relation between ideal and real
Some Features of Abstract Cryptography
• top-down abstraction
• isomorphism: exact relation between ideal and real
• no central adversary; local simulators
Some Features of Abstract Cryptography
• top-down abstraction
• isomorphism: exact relation between ideal and real
• no central adversary; local simulators
• all resources captured– communication model not hard-wired into the model– absence can be modeled
Some Features of Abstract Cryptography
• top-down abstraction
• isomorphism: exact relation between ideal and real
• no central adversary; local simulators
• all resources captured– communication model not hard-wired into the model– absence can be modeled
• feasibility/efficiency notions free; not hard-wired
Some Features of Abstract Cryptography
• top-down abstraction
• isomorphism: exact relation between ideal and real
• no central adversary; local simulators
• all resources captured– communication model not hard-wired into the model– absence can be modeled
• feasibility/efficiency notions free; not hard-wired
• specifications: guaranteed/possible choice domains
Some Features of Abstract Cryptography
• top-down abstraction
• isomorphism: exact relation between ideal and real
• no central adversary; local simulators
• all resources captured– communication model not hard-wired into the model– absence can be modeled
• feasibility/efficiency notions free; not hard-wired
• specifications: guaranteed/possible choice domains
• existing frameworks can be captured as special cases– universal composability (UC) by Canetti– reactive simulatability by Pfitzmann/Waidner/Backes– indifferentiability [MRH04]– collusion-preserving computation [AKMZ12]
Thank you!
Constructing channels and keys: •-calculus
A−−−→ B (insecure) channel from A to B
The symbol “•” stands for exclusive access to the channel.
“•” at output: receiver is exclusive −→ confidentiality
“•” at input: sender is exclusive −→ authenticity
A−−−→•B secret channel from A to B
A •−−−→ B authentic channel from A to B
A •−−−→•B secure channel from A to B (secret and authentic)
A •===• B secret key shared by A and B
A ===• B one-sided key: A knows that at most B knowsthe key, but B does not know who holds the key.
Key transport in CC
A •t1t2−−−→•B
KT−→ At2•===• B
Key transport in CC
A •t1t2−−−→•B
KT−→ At2•===• B
At1t2−−−→•B
KT−→ At2
===• B
Key transport in CC
A •t1t2−−−→•B
KT−→ At2•===• B
At1t2−−−→•B
KT−→ At2
===• B
Attention: A •t1t2−−−→ B
KT−→/ At2•=== B
Symmetric cryptosystem in CC
At1
===• BA
t2t3−−−→ Bt2 ≥ t1
SYM−→ A
t2t3−−−→•B
Symmetric cryptosystem in CC
At1
===• BA
t2t3−−−→ Bt2 ≥ t1
SYM−→ A
t2t3−−−→•B
At1
===• BA •
t2t3−−−→ Bt2 ≥ t1
SYM−→ A •
t2t3−−−→•B
MACs in CC
At1•=== B
At2t3−−−→ B
t2 ≥ t1
MAC−→ A •
t2t3−−−→ B
MACs in CC
At1•=== B
At2t3−−−→ B
t2 ≥ t1
MAC−→ A •
t2t3−−−→ B
At1•=== B
At2t3−−−→•Bt2 ≥ t1
MAC−→ A •
t2t3−−−→•B
Combining Encryption and MAC
Goal: At1•===• B
At2t3−−−→ B
t2 ≥ t1
???−→ A •
t2t3−−−→•B
Combining Encryption and MAC
Goal: At1•===• B
At2t3−−−→ B
t2 ≥ t1
???−→ A •
t2t3−−−→•B
Key expansion:
At1•===• B
PRG−→A
t1•===• BA
t1•===• B
Combining Encryption and MAC
Goal: At1•===• B
At2t3−−−→ B
t2 ≥ t1
???−→ A •
t2t3−−−→•B
Key expansion:
At1•===• B
PRG−→A
t1•===• BA
t1•===• B
Encrypt-then-MAC:A
t1•=== B
At2t3−−−→ B
t2 ≥ t1
MAC−→ A •
t2t3−−−→ B
At1
===• BA •
t2t3−−−→ Bt2 ≥ t1
SYM−→ A •
t2t3−−−→•B
Combining Encryption and MAC
Goal: At1•===• B
At2t3−−−→ B
t2 ≥ t1
???−→ A •
t2t3−−−→•B
Key expansion:
At1•===• B
PRG−→A
t1•===• BA
t1•===• B
MAC-then-encrypt:A
t1===• B
At2t3−−−→ B
t2 ≥ t1
SYM−→ A
t2t3−−−→•B
At1•=== B
At2t3−−−→•Bt2 ≥ t1
MAC−→ A •
t2t3−−−→•B
Public-key cryptosystems in CC
A •t1t2−−−→ B
At4t3←−−− B
t3 > t2
PKC−→ A •
t4t3←−−− B
Public-key cryptosystems in CC
A •t1t2−−−→ B
At4t3←−−− B
t3 > t2
PKC−→ A •
t4t3←−−− B
A •t1t2−−−→ B
At4t3←−−−•B
t3 > t2
PKC−→ A •
t4t3←−−−•B
Diffie-Hellman key agreement in CC
A •−−−→ B
A←−−−•B
DH−→ A •===• B
Diffie-Hellman key agreement in CC
A •−−−→ B
A←−−−•B
DH−→ A •===• B
A •−−−→ B
A←−−−B
DH−→/ A •=== B
Digital signature schemes in CC
A •t1t2−−−→ B
At3t4−−−→ B
t4 ≥ t2
DSS−→ A •
t3t4−−−→ B
Digital signature schemes in CC
A •t1t2−−−→ B
At3t4−−−→ B
t4 ≥ t2
DSS−→ A •
t3t4−−−→ B
A •t1t2−−−→ B
At3t4−−−→•Bt4 ≥ t2
DSS−→ A •
t3t4−−−→•B
Digital signature schemes in CC
A •t1t2−−−→ B
At3t4−−−→ B
t4 ≥ t2
DSS−→ A •
t3t4−−−→ B
A •t1t2−−−→ B
At3t4−−−→•Bt4 ≥ t2
DSS−→ A •
t3t4−−−→•B
Note: Conservation law of the •-calculus.
Digital signature schemes in CC
A •t1t2−−−→ B
At3t4−−−→ B
t4 ≥ t2
DSS−→ A •
t3t4−−−→ B
A •t1t2−−−→ B
At3t4−−−→•Bt4 ≥ t2
DSS−→ A •
t3t4−−−→•B
Note: Conservation law of the •-calculus.
Are there any other cryptographic transformations?