Journal of Cryptology, Volume 26, Issue 3, pp 375–441

Polynomial Runtime and Composability

  • Dennis Hofheinz
  • Dominique Unruh
  • Jörn Müller-Quade

Abstract

We devise a notion of polynomial runtime suitable for the simulation-based security analysis of multi-party cryptographic protocols. Somewhat surprisingly, straightforward notions of polynomial runtime lack expressivity for reactive tasks and/or lead to an unnatural simulation-based security notion. Indeed, the problem has been recognized in previous works, and several notions of polynomial runtime have already been proposed. However, our new notion, dubbed reactive polynomial time, is the first to combine the following properties:
  • it is simple enough to support simple security/runtime analyses,
  • it is intuitive in the sense that all intuitively feasible protocols and attacks (and only those) are considered polynomial-time,
  • it supports secure composition of protocols in the sense of a universal composition theorem.

We work in the Universal Composability (UC) protocol framework. We remark that while the UC framework already features a universal composition theorem, we develop new techniques to prove secure composition in the case of reactively polynomial-time protocols and attacks.

Key words

Universal composability, Polynomial runtime, Multi-party protocols, Protocol composition

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Dennis Hofheinz, Karlsruhe Institute of Technology, Karlsruhe, Germany
  • Dominique Unruh, University of Tartu, Tartu, Estonia
  • Jörn Müller-Quade, Karlsruhe Institute of Technology, Karlsruhe, Germany