Universal Composability with Documented Ideal Protocols
Dominic Mayers, Caltech, USA

Tree Protocols
A tree protocol is a tree in which each node corresponds to a sub-protocol: modules (for example, bit commitments) and, at the leaves, primitives.
[Figure: a tree protocol, with modules and sub-protocols at the inner nodes and primitives at the leaves]

From DAG to Tree Protocols
One can redefine the call structure of a DAG protocol and the ideal protocols for its sub-protocols so that it becomes a tree protocol, with no change in the protocol.
[Figure: a DAG protocol with nodes Q, R and S, and the corresponding tree protocol with nodes Q, R and S']
In this example, S' is identical to S except that I(S') = I(S) + I(R).

Usual Way to Analyze Protocols
This is just to reflect on what we do all the time as a collectivity (without UC). For example, for bit commitments: first, we obtain properties for the primitives (e.g., some binding and concealing conditions).
Next, we use these properties to obtain other properties for the parent sub-protocols (e.g., a zero-knowledge proof), and so on until we have traversed the entire tree bottom-up and reached the root of the tree.
[Figure: the tree annotated with "Properties for BC (binding and concealing conditions)" at the leaves and "Zero Knowledge Properties (soundness, etc.)" at the parent]
There is no rule in this bottom-up traversal, except the general framework of mathematics.

Universal Composability
A more structured way to traverse the tree bottom-up. Informally, the UC definition says that we can replace the protocol by an ideal protocol and a simulator, and no application + adversary will see the difference. We use this definition at every node in a bottom-up traversal.
[Figure: the tree in which each visited node is replaced by its ideal protocol I and simulator S, ending with I(P) and S(P) at the root]
We obtain that the entire protocol P can be replaced by an ideal protocol I(P) and a simulator S(P), which is the sum of all simulators used in the bottom-up traversal.

Why it is Powerful
At every step of the bottom-up traversal, the visited module calls ideal protocols.
A module that calls ideal protocols is much easier to analyze than a module that calls arbitrary sub-protocols with some properties. Moreover, these properties (e.g., binding and concealing) are often too weak!

Toward a Formal UC Definition
Consider what is needed for a single step in the bottom-up traversal.
[Figure: the analyzed protocol Q on one side and its ideal protocol I(Q) plus simulator S(Q) on the other, both under the same part of the application protocol App and the same part of the adversary Adv]
Definition: The protocol Q s.r. I(Q) if, for every environment (App + Adv), there exists a simulator (ideal adversary) S(Q) such that App + Adv + Q ≈ App + Adv + S(Q) + I(Q).

What is Missing?
1. A model for the protocol, the adversary, the ideal protocol and the simulator.
a) It must define the rules of the game between the adversary (+ the application) and the simulator. In particular, it must allow the corruption of parties.
b) It must have a partially defined "+" such as in App + Adv + Q.
2. A definition for A ≈ B (non-distinguishability) that respects (A1 ≈ A2) ∧ … ∧ (A_{p(n)-1} ≈ A_{p(n)}) ⇒ A1 ≈ A_{p(n)}, where p(n) is polynomial.

The Model of Ben-Or and Mayers: Protocols
Quantum register: Hilbert space of finite dimension.
Classical register: the set {0,1}^k. Usually k = 1: a bit.
Quantum gate: unitary transformation on a finite set of registers.
Classical gate: permutation on {0,1}^{k1} × … × {0,1}^{kq}.
Unit-circuit: partially ordered set of gates in which every two gates that share a register are ordered.
Protocol: union of unit-circuits that respects some condition. Essentially, it must be a partially ordered set of gates (more later).

Set of Registers of a Gate (Comments)
The set of registers of a controlled gate that is turned off is empty when we compute the order of two gates.
[Figure: Alice unit-circuit in which a classical bit is a read-only control register]
The partial order condition holds if, for every value of the controlling (read-only) registers, no cycle is created by the ordered pairs.
Communication
Distinct unit-circuits have disjoint sets of registers, but can share communication registers with the Communication Center.
[Figure: Alice unit-circuit and Bob unit-circuit, each sharing communication registers with the Communication Center]
• A transmission gate is a swap gate between a local register and a communication register.
• A reception gate is a swap gate between a local register and a communication register.
[Figure: if there is no corruption, the swap gates of Alice and Bob move a message through a communication register initialised to |0⟩]

Conditions on Protocols
The set of pairs (transmission gate, reception gate) between unit-circuits, together with all ordered pairs of gates inside these unit-circuits, must constitute a partially ordered set: no cycle in the graph.
[Figure: Alice unit-circuit and Bob unit-circuit joined through a communication register]

A Simple Example: Module Coin Toss that Calls Bit Commitment
CT-Alice: Pick x ∈_R {0,1}; send input x to BC-Alice.
CT-Bob: Receive output OK from BC-Bob; pick y ∈_R {0,1}; send y to CT-Alice.
CT-Alice: Receive y from CT-Bob; send output wA = x ⊕ y to App-Alice; send input "open" to BC-Alice.
CT-Bob: Receive x* from BC-Bob; if (x* = Fail) then set wB = y, else set wB = x* ⊕ y; send output wB to App-Bob.
Four unit-circuits: CT-Alice, CT-Bob, BC-Alice and BC-Bob.
[Figure: circuit diagram of module CT(Alice,Bob) calling BC(Alice,Bob). Alice's side holds x, y, wA and the "Open" control; Bob's side holds y, x*, wB and OK; the registers x, x*, y, wA, wB, Open and OK are marked as I/O or internal communication registers; wB is flipped iff x* = 1. The adversary will have some power here.]

Corruptible Unit-Circuits
A corruptible unit-circuit r is a unit-circuit with a corruption bit Cr. Every gate in the unit-circuit r is turned "off" when Cr = 1.
[Figure: corruptible unit-circuit r with gates G1 and G2 acting on local and communication registers, shown with Cr = 0]

Adversary Unit-Circuits
Every corruptible unit-circuit r is associated with an adversary unit-circuit A(r). When the unit-circuit r is off, the adversary unit-circuit A(r) is on, and vice versa. The adversary is the union of all adversary unit-circuits.
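The two conditions just stated (distinct unit-circuits share only communication registers, and the union of the order inside each unit-circuit with the (transmission, reception) pairs has no cycle) can be checked mechanically. The following Python is an added example, not code from the talk: it encodes the coin-toss module and its bit-commitment sub-protocol from the slide as four unit-circuits whose gate and register names are constructed for this example, and checks both conditions. A second, constructed pair of unit-circuits in which each party waits for the other's message before sending its own shows the cycle the condition rules out.

```python
from collections import defaultdict, deque

# Toy version of the circuit model (added example, not the talk's code).
# A gate is (name, unit_circuit, registers). Registers named "ch:*" or
# "io:*" are communication registers (shared with the Communication Center
# or with the calling module); every other register is local to one circuit.

def is_comm(reg):
    return reg.startswith("ch:") or reg.startswith("io:")

def local_registers_disjoint(gates):
    """Distinct unit-circuits may share only communication registers."""
    owner = {}
    for _, circ, regs in gates:
        for r in regs:
            if not is_comm(r) and owner.setdefault(r, circ) != circ:
                return False
    return True

def ordered_pairs(gates, comm_pairs):
    """Edges (i, j) meaning 'gate i precedes gate j'. Inside one unit-circuit
    two gates are ordered (by listed position) iff they share a register; a
    (transmission, reception) pair orders the transmission gate first."""
    idx = {g[0]: k for k, g in enumerate(gates)}
    by_circuit = defaultdict(list)
    for k, (_, circ, _) in enumerate(gates):
        by_circuit[circ].append(k)
    edges = set()
    for ks in by_circuit.values():
        for pos, i in enumerate(ks):
            for j in ks[pos + 1:]:
                if set(gates[i][2]) & set(gates[j][2]):
                    edges.add((i, j))
    for tx, rx in comm_pairs:
        edges.add((idx[tx], idx[rx]))
    return edges

def is_partial_order(n, edges):
    """Kahn's algorithm: the relation is a partial order iff the graph is acyclic."""
    indeg, succ = [0] * n, defaultdict(list)
    for i, j in edges:
        succ[i].append(j)
        indeg[j] += 1
    queue = deque(k for k in range(n) if indeg[k] == 0)
    visited = 0
    while queue:
        u = queue.popleft()
        visited += 1
        for v in succ[u]:
            indeg[v] -= 1
            if indeg[v] == 0:
                queue.append(v)
    return visited == n

def protocol_ok(gates, comm_pairs):
    """Both conditions on protocols from the slides."""
    return local_registers_disjoint(gates) and \
        is_partial_order(len(gates), ordered_pairs(gates, comm_pairs))

# Constructed gate list for CT(Alice,Bob) calling BC(Alice,Bob), in the
# order the slide gives the steps; register names are invented here.
CT_GATES = [
    ("A.pick_x",        "CT-Alice", ["xA"]),
    ("A.send_x",        "CT-Alice", ["xA", "io:x"]),            # input x to BC-Alice
    ("BCA.recv_x",      "BC-Alice", ["xBC", "io:x"]),
    ("BCA.send_commit", "BC-Alice", ["xBC", "ch:commit"]),
    ("BCB.recv_commit", "BC-Bob",   ["cB", "ch:commit"]),
    ("BCB.send_ok",     "BC-Bob",   ["cB", "io:ok"]),            # output OK to CT-Bob
    ("B.recv_ok",       "CT-Bob",   ["okB", "io:ok"]),
    ("B.pick_y",        "CT-Bob",   ["okB", "yB"]),              # controlled by OK
    ("B.send_y",        "CT-Bob",   ["yB", "ch:y"]),
    ("A.recv_y",        "CT-Alice", ["yA", "ch:y"]),
    ("A.output_wA",     "CT-Alice", ["xA", "yA", "wA"]),         # wA = x XOR y
    ("A.send_open",     "CT-Alice", ["yA", "io:open"]),          # reads yA: opens only after y
    ("BCA.recv_open",   "BC-Alice", ["openA", "io:open"]),
    ("BCA.send_x",      "BC-Alice", ["openA", "xBC", "ch:open"]),
    ("BCB.recv_x",      "BC-Bob",   ["cB", "xstar", "ch:open"]), # x* or Fail
    ("BCB.send_xstar",  "BC-Bob",   ["xstar", "io:xstar"]),
    ("B.recv_xstar",    "CT-Bob",   ["xB", "io:xstar"]),
    ("B.output_wB",     "CT-Bob",   ["xB", "yB", "wB"]),         # wB to App-Bob
]
CT_PAIRS = [("A.send_x", "BCA.recv_x"), ("BCA.send_commit", "BCB.recv_commit"),
            ("BCB.send_ok", "B.recv_ok"), ("B.send_y", "A.recv_y"),
            ("A.send_open", "BCA.recv_open"), ("BCA.send_x", "BCB.recv_x"),
            ("BCB.send_xstar", "B.recv_xstar")]

# Constructed counterexample: each party receives before it sends, so the
# two (transmission, reception) pairs close a cycle through both circuits.
DEADLOCK_GATES = [("A.recv", "Alice", ["a", "ch:BtoA"]), ("A.send", "Alice", ["a", "ch:AtoB"]),
                  ("B.recv", "Bob",   ["b", "ch:AtoB"]), ("B.send", "Bob",   ["b", "ch:BtoA"])]
DEADLOCK_PAIRS = [("A.send", "B.recv"), ("B.send", "A.recv")]

if __name__ == "__main__":
    print("CT+BC is a partially ordered set:", protocol_ok(CT_GATES, CT_PAIRS))
    print("deadlock example is a partially ordered set:", protocol_ok(DEADLOCK_GATES, DEADLOCK_PAIRS))
```

Note that only gates sharing a register are ordered: A.send_open is given yA as a read-only register precisely so that the opening is ordered after the reception of y, which is the ordering the slide's "Open" control enforces.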
[Figure: corruptible unit-circuit r and adversary unit-circuit A(r), with Cr = 0. Gates G1 and G2 on the local and communication registers belong to r; the gate G2* and the NOT gate on Cr are part of A(r); the remaining gates are part of the adversary but not of A(r).]

Conditions on the Adversary
• An adversary unit-circuit A(r) can access all registers of r.
• In the case of communication registers, it can do so on behalf of r. For example, even if the channel is authenticated, the adversary unit-circuit A(r) can transmit a message in this channel on behalf of r.
• It can also access any other communication registers, but only in accordance with their channel types.
• P + App + Adv must be a partially ordered set of gates (same definition as for protocols).
• The set of corrupted unit-circuits must follow some access rule.
• The size of App + Adv is often required to be a polynomial in some security parameter.

Ideal Protocols
An ideal protocol I(P) for a protocol P is a protocol that contains a unit-circuit I(r) for every r ∈ P_{I/O} ⊆ P, where P_{I/O} contains every r ∈ P that participates in the input/output of P. The ideal protocol I(P) also contains a trusted circuit that is never corrupted and a devil circuit (strange but convenient) that is always corrupted. Usually, an ideal protocol uses perfect channels.
The circuit I(r), r ∈ P_{I/O}, is off when Cr = 1 and on when Cr = 0 (the same as r). The trusted circuit and the adversary A(devil) are always on. The devil circuit is just a trick to allow an ideal protocol to communicate with the simulator even when no party is corrupted. This is often convenient to weaken the ideal protocol.

Simulators
The simulator S(P) for a protocol P contains a simulation circuit S(r) for every unit-circuit r ∈ P and an ideal adversary circuit A(r) for every corruptible unit-circuit r ∈ I(P), including the devil circuit. The simulator does not have access to the I/O communication registers between the protocol and the application, but has access to the internal communication registers.
Using the ideal adversary circuits A(r), the simulator is the adversary to the ideal protocol. Using the circuits S(r), it provides a simulation of the protocol P, but not of the input/output. The simulation unit-circuit S(r) is off when Cr = 1 and on when Cr = 0 (the same as r). The ideal adversary unit-circuit A(r) is off when Cr = 0 and on when Cr = 1 (as usual for an adversary circuit).

As Promised
We have a model for protocols, adversaries, ideal protocols and simulators.
a) It allows the corruption of parties with the help of the corruption bits Cr and the adversary circuits A(r).
b) It has a partially defined "+": the union of the gates, under the restriction that the union remains a partially ordered set.
c) The rules of the game between the simulator and the adversary are well defined.

Definition of Non-Distinguishability: The Output Bit
The application protocol outputs a bit Z. We denote by Z(P + Adv + App) the output bit that is computed by the setting P + Adv + App.
Definition: Let A and B be two distinct settings. A ≈_ε B iff |Pr(Z(A) = 0) − Pr(Z(B) = 0)| ≤ ε.

A Distinguishability that Depends on the Environment
Not a practical definition, but convenient as a preliminary step toward a better definition.
Definition: The protocol Q ε(n, E)-s.r. I(Q) if, for every environment E = App + Adv, there exists a simulator S(Q) such that E + Q ≈_{ε(n, E)} E + S(Q) + I(Q).

Preliminary UC Theorem
Let Q^M be the variation on Q that calls ideal protocols.
Preliminary UC Theorem: If, for every sub-protocol Q of P, Q^M ε_{Q^M}(n, E(Q^M))-s.r. I(Q), then P ε_P(n, E)-s.r. I(P), where ε_P(n, E) = Σ_Q ε_{Q^M}(n, E(Q^M)).
Easily proven, but not convenient. To compute ε_P(n, E), when we traverse the tree bottom-up, we have to keep track of all the simulators and ideal protocols in the environment E(Q^M).

A Distinguishability that Depends on the Size |E|
This is already more convenient.
To obtain an upper bound on the distinguishability ε, one obtains an upper bound for each ε_{Q^M}(n, |E(Q^M)|) and uses ε_P(n, |E|) = Σ_Q ε_{Q^M}(n, |E(Q^M)|). Of course, assumptions (e.g., on |E|) are needed to bound each ε_{Q^M}(n, |E(Q^M)|).

Negligibility: Definition
Definition: A function ε(n, f(n)) is negligible if, for all polynomials p(n), q(n) and all functions f(n) ≤ p(n), for n sufficiently large, ε(n, f(n)) ≤ 1/q(n).
To apply this definition, we need |E| ≤ p(n) ⇒ |E(Q^M)| ≤ p'(n) for all Q. We also need that the sum of polynomially many negligible functions is negligible.

Negligibility: Issues
For the most general functions ε_{Q^M}(n, |E(Q^M)|), the negligibility of ε_P(n, |E|) = Σ_Q ε_{Q^M}(n, |E(Q^M)|) is not obvious, because the domain of the summation is a function of n and its size is polynomial in n. In addition, |E| ≤ p(n) ⇒ |E(Q^M)| ≤ p'(n) for all Q is not obvious to obtain when Q runs over a set of polynomial size.

Negligibility: Solutions
1. Assume that the set of protocol definitions in the library is independent of the security parameter n. (Very natural)
2. Require that the size of the simulator is bounded by a polynomial that depends only on the protocol definition (not on the copy in execution). (Very natural)
3. Require that ε_{Q^M}(n, |E(Q^M)|) depends only on the protocol definition (not on the copy). (Very natural)

Negligibility (A Point Aside)
The technicality here is similar to the technicality in the following related situation. Let f_k(n) ∈ O(1) for k = 1, …, n. We do not have Σ_{k=1..n} f_k(n) ∈ O(1), even though f_0(n) ∈ O(1) and (S, f ∈ O(1) ⇒ S + f ∈ O(1)). The problem is that, for n fixed, f_n(n) is a number, not a function. Therefore, it makes no sense to say that all terms in the sum are in O(1).

The Documented Ideal Protocols Approach
A documented ideal protocol is an ordinary ideal protocol that also contains two sets of instructions. One set of instructions computes the non-negligible part of ε_{Q^M}(n, E(Q^M)), if any.
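A worked derivation, added here and not part of the slides, of the two facts the bottom-up traversal relies on: that ε-indistinguishability composes over a polynomial chain of settings (requirement 2 under "What is Missing?"), and that the sum ε_P = Σ_Q ε_{Q^M} stays negligible once Solutions 1 to 3 hold. It uses the talk's symbols; the library size d, the copy counts m_D(n) and the per-definition bound ε_D(n, f) are names introduced here for the argument.

Chain of settings: by the triangle inequality on the output-bit probabilities,
$$\bigl|\Pr(Z(A_1)=0)-\Pr(Z(A_{p(n)})=0)\bigr| \;\le\; \sum_{i=1}^{p(n)-1}\bigl|\Pr(Z(A_i)=0)-\Pr(Z(A_{i+1})=0)\bigr| \;\le\; \sum_{i=1}^{p(n)-1}\varepsilon_i ,$$
so $A_i \approx_{\varepsilon_i} A_{i+1}$ for every $i$ gives $A_1 \approx_{\varepsilon} A_{p(n)}$ with $\varepsilon = \sum_i \varepsilon_i$. This is why the theorem's $\varepsilon_P$ is a sum over the sub-protocols.

Negligibility of the sum: let the library contain $d$ protocol definitions (Solution 1: $d$ does not depend on $n$), let $m_D(n) \le p_D(n)$ copies of definition $D$ occur in $P$, and let $\varepsilon_D(n,f)$ be the bound shared by every copy of $D$ (Solution 3), with $|E(Q^M)| \le p'_D(n)$ for every copy of $D$ (the bound that Solution 2 makes available). Then
$$\varepsilon_P(n,|E|) \;=\; \sum_Q \varepsilon_{Q^M}\bigl(n,|E(Q^M)|\bigr) \;\le\; \sum_{D} m_D(n)\,\varepsilon_D\bigl(n,p'_D(n)\bigr).$$
Fix a polynomial $q$. Since $\varepsilon_D$ is negligible and $d\,p_D(n)\,q(n)$ is a polynomial, there is an $n_D$ with $\varepsilon_D(n,p'_D(n)) \le 1/(d\,p_D(n)\,q(n))$ for all $n \ge n_D$. For $n \ge \max_D n_D$ (a finite maximum, because $d$ is fixed),
$$\varepsilon_P(n,|E|) \;\le\; \sum_D \frac{m_D(n)}{d\,p_D(n)\,q(n)} \;\le\; \sum_D \frac{1}{d\,q(n)} \;=\; \frac{1}{q(n)},$$
which is the definition of negligibility for $\varepsilon_P$.

Why the uniform bound is needed (the same point as the talk's $O(1)$ remark): take $\varepsilon_k(n) = 1$ if $n \le k$ and $0$ otherwise. Each $\varepsilon_k$ is negligible, since it is eventually $0$, but over a polynomial-size index set
$$\sum_{k=1}^{n^2} \varepsilon_k(n) \;=\; \#\{k : n \le k \le n^2\} \;=\; n^2 - n + 1,$$
which is not even bounded. With per-copy bounds that depend on the copy, $\varepsilon_P$ can behave this way; Solutions 2 and 3 rule it out.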
This non-negligible part is used as an alert signal that says that this ideal protocol cannot be used in a given application protocol. The negligible part is managed as usual, and the proof of the associated UC theorem is essentially the same.
Another set of instructions determines special operations that can be executed in the environment of I(Q). These special operations must be considered when we analyze any protocol Q'^M with Q < Q' ≤ Par(Q) in the bottom-up traversal. The nodes Q' with Q < Q' ≤ Par(Q) are the nodes in between the visit of Q (where Q^M is replaced by I(Q) + S(Q)) and the visit of the parent of Q (where I(Q) disappears).

Advantage & Disadvantage
Advantage: The simulator can execute these special operations, which have super-polynomial power. Moreover, these operations can even access registers in the application! This allows proving this kind of UC for many more protocols.
Disadvantage: The ideal protocol is not as convenient. We must keep track of these instructions.

Documented-UC of Perm-BC
Perm-BC is the bit commitment that calls a one-way permutation on {0,1}^k with a hard bit B : {0,1}^k → {0,1}. For x randomly chosen, the image of x under the permutation is a commitment to the random bit B(x).
There are no instructions in ID(Perm-BC) for the non-negligible part, because there is no non-negligible part. However, there is a special operation in ID(Perm-BC). We only describe the special operation for the case where the receiver, Bob, is corrupted.

Special Operation in ID(Perm-BC)
Case where the receiver is corrupted: It is computationally bounded (a circuit of polynomial size). It must be executed just after all gates that precede the beginning of the opening. It can only access the registers of the environment E* of I(Perm-BC) that are required between the beginning of the opening phase and the beginning of the opening. Let A be the set of registers that belong to a non-corrupted circuit in E* or are not accessed by the special operation.
The states of A with or without the special operation must be computationally indistinguishable.
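The Perm-BC mechanics described above (commit with the image of a random x, open by revealing x, the receiver answers Fail on a bad opening) together with the receiver rule from the coin-toss slide (wB = y when x* = Fail, else x* ⊕ y), as an added Python example that is not code from the talk. The permutation is a constructed random permutation of 8-bit strings, which is of course not one-way since its table is public, and B is taken to be the low bit of x as a stand-in for the hard bit; the example shows the commit/open flow and why a permutation makes the commitment binding (one preimage per commitment), not the concealing property, which is exactly what the one-wayness and the hard bit would have to supply.

```python
import random

# Added example, not the talk's code. Stand-in for the one-way permutation
# on {0,1}^K: a constructed random permutation of the K-bit integers.
K = 8
DOMAIN = 2 ** K
rng = random.Random(7)
PERM = list(range(DOMAIN))
rng.shuffle(PERM)

def B(x):
    """Stand-in for the hard bit of the permutation (not actually hard here)."""
    return x & 1

def commit():
    """Sender: choose x at random; the image PERM[x] commits to B(x).
    Returns (x to keep for the opening, commitment sent to the receiver)."""
    x = rng.randrange(DOMAIN)
    return x, PERM[x]

def open_check(c, x_revealed):
    """Receiver: accept the opening iff the revealed x maps to the commitment c.
    Returns the committed bit B(x), or "Fail"."""
    if 0 <= x_revealed < DOMAIN and PERM[x_revealed] == c:
        return B(x_revealed)
    return "Fail"

def is_binding(c):
    """A permutation has exactly one preimage per c, so at most one opening
    (hence one bit) can ever be accepted for a given commitment."""
    return sum(1 for x in range(DOMAIN) if PERM[x] == c) == 1

def bob_output(x_star, y):
    """CT-Bob's rule from the coin-toss module."""
    return y if x_star == "Fail" else x_star ^ y

def coin_toss(sender_corrupted=False):
    """One run of the coin toss with Perm-BC as the commitment.
    A corrupted sender is modelled as opening with some other preimage."""
    x, c = commit()               # BC-Alice: commitment to the random bit B(x)
    y = rng.randrange(2)          # CT-Bob: picks y after receiving OK
    wA = B(x) ^ y                 # CT-Alice: output to App-Alice
    opening = x ^ 1 if sender_corrupted else x
    x_star = open_check(c, opening)   # BC-Bob: B(x) or Fail
    wB = bob_output(x_star, y)    # CT-Bob: output to App-Bob
    return wA, wB, x_star

if __name__ == "__main__":
    print("honest run (wA, wB, x*):", coin_toss())
    print("sender opens with a different preimage:", coin_toss(sender_corrupted=True))
    print("every commitment has a unique opening:", all(is_binding(c) for c in range(DOMAIN)))
```

In the honest run wA and wB always agree; when the sender opens with a different preimage the receiver's check can never pass, since no second preimage exists, so x* = Fail and CT-Bob falls back to wB = y as the slide prescribes.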