Journal of Cryptology, Volume 23, Issue 4, pp 594–671

Long-Term Security and Universal Composability

  • Jörn Müller-Quade
  • Dominique Unruh
Article

Abstract

Algorithmic progress and future technological advances threaten today’s cryptographic protocols. This may allow adversaries to break a protocol retrospectively by breaking the underlying complexity assumptions long after the execution of the protocol. Long-term secure protocols, protocols that after the end of the execution do not reveal any information to a then possibly unlimited adversary, could meet this threat. On the other hand, in many applications, it is necessary that a protocol is secure not only when executed alone, but within arbitrary contexts. The established notion of universal composability (UC) captures this requirement.

This is the first paper to study protocols which are simultaneously long-term secure and universally composable. We show that the usual set-up assumptions used for UC protocols (e.g. a common reference string) are not sufficient to achieve long-term secure and composable protocols for commitments or zero-knowledge protocols.

We give practical alternatives (e.g. signature cards) to these usual set-up assumptions and show that they enable the implementation of the important primitives of commitment and zero-knowledge protocols.

Key words

Universal Composability, Long-term security, Zero-knowledge, Commitment schemes

Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

  1. IKS, Universität Karlsruhe, Karlsruhe, Germany
  2. Saarland University, Saarbrücken, Germany