Universal Composability with Documented Ideal Protocols

Dominic Mayers
Caltech, USA
Tree Protocols
A tree protocol is a tree in which each node corresponds to a sub-protocol.
[Figure: a tree protocol. Inner nodes are modules, their children are sub-protocols, and the leaves are primitives (for example, bit commitments).]
From DAG to Tree Protocols
One can redefine the call structure of a DAG protocol and the ideal
protocols of its sub-protocols so that it becomes a tree protocol.
[Figure: a DAG protocol with nodes Q, R and S, redrawn as a tree with nodes Q, S' and R. Caption: no change in the protocol itself.]
In this example, S' is identical to S except that I(S') = I(S) + I(R).
Usual Way to Analyze Protocols
This is just to reflect on what we do all the time, as a community,
without UC.
[Figure: the tree protocol again, with bit commitments as the example primitive.]
First, we obtain properties for the primitives (e.g., some binding and
concealing conditions).
Usual Way to Analyze Protocols
[Figure: properties for BC, for example binding and concealing conditions.]
Next, you use these properties to obtain other properties for the
parent sub-protocols (e.g., zero-knowledge proofs), ...
Usual Way to Analyze Protocols
[Figure: zero-knowledge properties (soundness, etc.) obtained for the parent sub-protocol.]
... and so on until you have traversed the entire tree bottom-up and
reached its root. There is no rule in this bottom-up traversal except
the general framework of mathematics.
Universal Composability
A more structured way to traverse the tree bottom-up.
Informally, the UC definition says that we can replace the
protocol by an ideal protocol and a simulator, and no
application + adversary will see the difference. We use this
definition at every node in a bottom-up traversal:
[Figure: the tree with each visited node replaced by its ideal protocol I and its simulator S, up to I(P) and S(P) at the root.]
Universal Composability
We obtain that the entire protocol P below can be
replaced by an ideal protocol I(P) and a simulator
S(P), which is the sum of all simulators used in the
bottom-up traversal.
[Figure: the same tree, now entirely replaced by the ideal protocol I(P) and the simulator S(P).]
Why it is Powerful
At every step of the bottom-up traversal, the visited
module calls ideal protocols.
[Figure: a module whose children are ideal protocols I.]
A module that calls ideal protocols is much easier to analyze than a
module that calls arbitrary sub-protocols that are only known to satisfy
some properties.
Moreover, these properties (e.g., binding and concealing) are often too weak!
Toward a formal UC definition
Consider what is needed for a single
step in the bottom-up traversal
[Figure: the analyzed protocol Q inside an environment made of part of the application App and part of the adversary Adv; on the right, Q is replaced by the ideal protocol I(Q) plus the simulator S(Q).]
Definition: The protocol Q s.r. (securely realizes) I(Q) if, for every
environment (App + Adv), there exists a simulator (ideal adversary) S(Q)
such that

    App + Adv + Q ≈ App + Adv + S(Q) + I(Q).
What is missing?
1. A model for the protocol, the adversary, the ideal
protocol and the simulator.
a) It must define the rules of the game between the
adversary (+ the application) and the simulator. In
particular, it must allow the corruption of parties.
b) It must have a partially defined “+” such as in App
+ Adv + Q.
2. A definition of A ≈ B (non-distinguishability) that respects

    (A_1 ≈ A_2) ∧ … ∧ (A_{p(n)-1} ≈ A_{p(n)}) ⇒ A_1 ≈ A_{p(n)},

   where p(n) is a polynomial.
The Model of
Ben-Or and Mayers
Protocols
Quantum Register: Hilbert space of finite dimension.
Classical Register: the set {0,1}^k. Usually k = 1: a bit.
Quantum Gate: unitary transformation on a finite set of
registers.
Classical Gate: permutation on {0,1}^{k_1} × … × {0,1}^{k_q}.
Unit-circuit: Partially ordered set of gates in which
every two gates that share a register are ordered.
Protocol: Union of unit-circuits that respects some
condition. Essentially, it must be a partially ordered set
of gates (more later).
Set of registers of a gate
(Comments)
The set of registers of a controlled gate that is turned
off is empty when we compute the order of two gates.
[Figure: Alice's unit-circuit with a read-only controlling register (a classical bit, 0 or 1).]
The partial-order condition holds if, for every value of the
controlling (read-only) registers, no cycle is created by the
ordered pairs.
Communication
Distinct unit-circuits have disjoint sets of
registers, but can share communication
registers with the Communication Center
[Figure: Alice's unit-circuit and Bob's unit-circuit each share communication registers with the Communication Center.]
• A transmission gate is a swap gate between a local register of the
sender and a communication register.
• A reception gate is a swap gate between a communication register and
a local register of the receiver.
[Figure: if there is no corruption, Alice's and Bob's unit-circuits are connected only through the communication registers (initially |0⟩) by these swap gates.]
Conditions on Protocols
The set of pairs (transmission gate, reception gate) between
unit-circuits, together with all ordered pairs of gates inside these
unit-circuits, must constitute a partially ordered set: no cycle in
the graph.
[Figure: Alice's and Bob's unit-circuits linked through a communication register.]
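The two ordering conditions above (inside a unit-circuit, gates that share a register are ordered; across unit-circuits, each transmission gate precedes its reception gate; and a controlled gate that is off contributes an empty register set) can be checked mechanically. The following is an added example, not code from the talk: gates are reduced to their register sets, a unit-circuit is a list of gates in program order, and the check enumerates every value of the controlling registers. The register and gate names in the samples are constructed.

```python
from itertools import product


class Gate:
    """A gate of a unit-circuit: a name, the registers it touches and, for a
    controlled gate, the read-only controlling register plus the value that
    turns it on.  Only register sets matter for the ordering condition."""

    def __init__(self, name, regs, control=None):
        self.name = name
        self.regs = frozenset(regs)
        self.control = control  # (register, value) or None

    def active_regs(self, ctrl):
        # A controlled gate that is turned off has an empty register set.
        if self.control is not None and ctrl.get(self.control[0]) != self.control[1]:
            return frozenset()
        return self.regs


def unit_circuit_edges(gates, ctrl):
    """Inside one unit-circuit, a gate listed earlier precedes a later gate
    whenever their active register sets intersect."""
    edges = set()
    for i, g in enumerate(gates):
        for h in gates[i + 1:]:
            if g.active_regs(ctrl) & h.active_regs(ctrl):
                edges.add((g.name, h.name))
    return edges


def has_cycle(nodes, edges):
    """Three-colour depth-first search: True iff the directed graph has a cycle."""
    succ = {n: set() for n in nodes}
    for a, b in edges:
        succ[a].add(b)
    colour = {n: 0 for n in nodes}  # 0 unvisited, 1 on the DFS stack, 2 done

    def visit(n):
        colour[n] = 1
        for m in succ[n]:
            if colour[m] == 1 or (colour[m] == 0 and visit(m)):
                return True
        colour[n] = 2
        return False

    return any(colour[n] == 0 and visit(n) for n in nodes)


def protocol_is_partial_order(circuits, comm_pairs, control_regs=()):
    """Condition on protocols: the order edges of every unit-circuit together
    with the (transmission gate, reception gate) pairs must be acyclic for
    every value of the controlling registers.  A pair whose gate is off is
    dropped, since an off gate shares no register."""
    by_name = {g.name: g for gates in circuits for g in gates}
    for values in product((0, 1), repeat=len(control_regs)):
        ctrl = dict(zip(control_regs, values))
        edges = {(t, r) for t, r in comm_pairs
                 if by_name[t].active_regs(ctrl) and by_name[r].active_regs(ctrl)}
        for gates in circuits:
            edges |= unit_circuit_edges(gates, ctrl)
        if has_cycle(list(by_name), edges):
            return False
    return True


# Constructed samples.  "ch1"/"ch2" are communication registers shared with the
# Communication Center; everything else is local to one unit-circuit.
# Alice sends a on ch1, then receives b on ch2; Bob receives a, then sends b.
ALICE_OK = [Gate("A_tx", {"a", "ch1"}),
            Gate("A_rx", {"b", "ch2"}),
            Gate("A_out", {"a", "b", "wA"})]
BOB_OK = [Gate("B_rx", {"a'", "ch1"}),
          Gate("B_tx", {"a'", "b'", "ch2"})]
PAIRS = {("A_tx", "B_rx"), ("B_tx", "A_rx")}

# Each side waits for the other's message before sending its own: a cycle.
ALICE_DEADLOCK = [Gate("A_rx", {"b", "ch2"}),
                  Gate("A_tx", {"a", "b", "ch1"})]

# Same, but Alice's reception is controlled by bit c: acyclic when c = 0,
# cyclic when c = 1, so the condition (for every value of c) fails.
ALICE_CTRL = [Gate("A_rx", {"b", "ch2"}, control=("c", 1)),
              Gate("A_tx", {"a", "b", "ch1"})]


def check_all():
    return (protocol_is_partial_order([ALICE_OK, BOB_OK], PAIRS),
            protocol_is_partial_order([ALICE_DEADLOCK, BOB_OK], PAIRS),
            protocol_is_partial_order([ALICE_CTRL, BOB_OK], PAIRS, control_regs=("c",)))


if __name__ == "__main__":
    print(check_all())
```

The third sample is the point of the "for every value of the controlling registers" clause: a protocol that deadlocks only when some read-only bit is set still violates the condition.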
A Simple Example
Module Coin Toss that calls Bit Commitment
CT-Alice: Pick x ∈_R {0,1}; send input x to BC-Alice;
CT-Bob: Receive output OK from BC-Bob;
pick y ∈_R {0,1}; send y to CT-Alice;
CT-Alice: Receive y from CT-Bob; send output wA = x ⊕ y
to App-Alice; send input "open" to BC-Alice;
CT-Bob: Receive x* from BC-Bob; if (x* = Fail) then
{ set wB = y } else { set wB = x* ⊕ y };
send output wB to App-Bob;
Four unit-circuits: CT-Alice, CT-Bob, BC-Alice and BC-Bob
Module CT(Alice, Bob) that calls BC(Alice, Bob)
[Figure: circuit of CT(Alice, Bob) calling BC(Alice, Bob). Alice's side holds x (produced by a Hadamard gate H), y, wA and Open = 1; Bob's side holds y (produced by H), x*, wB and OK; wB is flipped iff x* = 1. The registers x, x*, y, wA, wB, Open and OK are each marked as I/O or internal, and a note marks the point where the adversary will have some power.]
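The message flow of the coin-toss module, run end to end, as an added example (not code from the talk). The bit-commitment sub-protocol is treated as a black box, which is exactly the modular view of the tree: here it is replaced by a constructed SHA-256 hash commitment (an assumption made so the example runs offline; it is not the Perm-BC discussed later). The `alice_opens` and `alice_claims` parameters are constructed knobs that model a corrupted Alice who refuses to open, or tries to open to the other bit, after having seen y.

```python
import hashlib
import secrets

FAIL = "Fail"


# Stand-in for the BC sub-protocol: a hash commitment H(r || b) with 16 random
# bytes r.  Constructed for this example; any bit commitment would do here.
def bc_commit(bit):
    r = secrets.token_bytes(16)
    com = hashlib.sha256(r + bytes([bit])).digest()
    return com, (r, bit)  # (what BC-Bob receives, what BC-Alice keeps)


def bc_open(com, opening):
    """BC-Bob's side of the opening: returns the committed bit, or FAIL when the
    committer did not open or the opening does not match the commitment."""
    if opening is None:  # committer never sent "open"
        return FAIL
    r, bit = opening
    if bit not in (0, 1) or hashlib.sha256(r + bytes([bit])).digest() != com:
        return FAIL
    return bit


def coin_toss(x=None, y=None, alice_opens=True, alice_claims=None):
    """Run CT(Alice, Bob) on top of BC(Alice, Bob).  x and y default to fresh
    random bits.  alice_opens=False models a corrupted Alice who withholds
    "open"; alice_claims=b models a corrupted Alice who tries to open to b."""
    x = secrets.randbelow(2) if x is None else x
    y = secrets.randbelow(2) if y is None else y
    log = []

    # CT-Alice: pick x and input it to BC-Alice, which commits towards BC-Bob.
    com, opening = bc_commit(x)
    log.append(("BC-Alice -> BC-Bob", "commit " + com.hex()))

    # CT-Bob: receive OK from BC-Bob, pick y, send y to CT-Alice.
    log.append(("BC-Bob -> CT-Bob", "OK"))
    log.append(("CT-Bob -> CT-Alice", y))

    # CT-Alice: receive y, output wA = x xor y, then input "open" to BC-Alice.
    # Alice already knows y at this point; all she can still do is refuse to
    # open (or try a bad opening), which binding turns into Fail.
    wA = x ^ y
    log.append(("CT-Alice -> App-Alice", wA))
    if alice_opens:
        if alice_claims is not None:
            opening = (opening[0], alice_claims)  # dishonest opening attempt
        log.append(("BC-Alice -> BC-Bob", "open"))
        x_star = bc_open(com, opening)
    else:
        x_star = bc_open(com, None)
    log.append(("BC-Bob -> CT-Bob", x_star))

    # CT-Bob: on Fail fall back to y, otherwise output x* xor y.
    wB = y if x_star == FAIL else x_star ^ y
    log.append(("CT-Bob -> App-Bob", wB))
    return {"x": x, "y": y, "x*": x_star, "wA": wA, "wB": wB, "log": log}


if __name__ == "__main__":
    for step in coin_toss()["log"]:
        print(*step)
```

In the honest run both outputs equal x ⊕ y. With a corrupted Alice who sees y and then refuses to open, Bob outputs y (which Alice chose to let stand) while Alice's own output was already x ⊕ y; that mismatch is the kind of residual adversarial power the figure's note refers to, and it is what a faithful ideal protocol for this module has to expose rather than hide.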
Corruptible Unit-Circuits
A corruptible unit-circuit r is a unit-circuit with a corruption bit C_r.
Every gate in the unit-circuit r is turned "off" when C_r = 1.
[Figure: corruptible unit-circuit r with gates G1 and G2 acting on local and communication registers, shown with C_r = 0.]
Adversary Unit-Circuits
Every corruptible unit-circuit r is associated with an adversary
unit-circuit A(r). When the unit-circuit r is off, the adversary
unit-circuit A(r) is on, and vice versa.
The adversary is the union of all adversary unit-circuits.
[Figure: the corruptible unit-circuit r (gates G1, G2, C_r = 0) together with the adversary unit-circuit A(r), whose gate G2* is controlled by the negation (NOT) of C_r and acts on the same local and communication registers. Further adversary gates are part of the adversary but not of A(r).]
Conditions on the Adversary
• An adversary unit-circuit A(r) can access all
registers of r.
• In the case of communication registers, it can do it
on behalf of r. For example, even if the channel is
authenticated, the adversary unit-circuit A(r) can
transmit a message in this channel on behalf of r.
• It can also access any other communication
registers, but only in accordance with their
channel types.
Conditions on the Adversary
• P + App + Adv must be a partially ordered set of
gates. (Same definition as for protocols)
• The set of corrupted unit-circuits must follow some
access rule.
• The size of App + Adv is often required to be a
polynomial in some security parameter.
Ideal Protocols
An ideal protocol I(P) for a protocol P is a protocol that contains a
unit-circuit I(r) for every r ∈ P_I/O ⊆ P, where P_I/O contains every
r ∈ P that participates in the input/output of P.
The ideal protocol I(P) also contains a trusted circuit
that is never corrupted and a devil circuit (strange
but convenient) that is always corrupted. Usually, an
ideal protocol uses perfect channels.
Ideal Protocols
The circuit I(r), r ∈ P_I/O, is off when C_r = 1 and on when C_r = 0
(the same as r). The trusted circuit and the adversary A(devil) are
always on.
The devil circuit is just a trick to allow an ideal
protocol to communicate with the simulator
even when no party is corrupted. This is often
convenient to weaken the ideal protocol.
Simulators
The simulator S(P) for a protocol P contains a simulation circuit S(r)
for every unit-circuit r ∈ P and an ideal adversary circuit A(r) for
every corruptible unit-circuit r ∈ I(P), including the devil circuit.
The simulator does not have access to the I/O
communication registers between the protocol and the
application, but has access to the internal communication
registers.
Simulators
Using the ideal adversary circuits A(r), the simulator is the
adversary to the ideal protocol. Using the circuits S(r), it
provides a simulation of the protocol P, but not of the
input/output.
The simulation unit-circuit S(r) is off when C_r = 1 and on when C_r = 0
(the same as r). The ideal adversary unit-circuit A(r) is off when
C_r = 0 and on when C_r = 1 (as usual for an adversary circuit).
As Promised
We have a model for protocols, adversaries, ideal
protocols and simulators.
a) It allows the corruption of parties with the help of the corruption
bits C_r and the adversary circuits A(r).
b) It has a partially defined "+": the union of the gates, under the
restriction that the union remains a partially ordered set.
c) The rules of the game between the simulator and the
adversary are well defined.
Definition of Non
Distinguishability
The Output Bit
The application protocol outputs a bit Z. We denote by Z(P + Adv + App)
the output bit computed by the setting P + Adv + App.
Definition: Let A and B be two distinct settings.

    A ≈_ε B  iff  |Pr(Z(A) = 0) − Pr(Z(B) = 0)| ≤ ε.
A distinguishability that
depends on the environment
Not a practical definition, but convenient as a
preliminary step toward a better definition.
Definition: The protocol Q ε(n, E)-s.r. I(Q) if, for every environment
E = App + Adv, there exists a simulator S(Q) such that

    E + Q ≈_{ε(n, E)} E + S(Q) + I(Q).
Preliminary UC Theorem
Let Q^M be the variation of Q that calls ideal protocols (the module at
node Q).
Preliminary UC Theorem: If, for every sub-protocol Q of P,
Q^M ε_{Q^M}(n, E(Q^M))-s.r. I(Q), then P ε_P(n, E)-s.r. I(P), where

    ε_P(n, E) = Σ_Q ε_{Q^M}(n, E(Q^M)).

Easily proven, but not convenient: to compute ε_P(n, E) when we traverse
the tree bottom-up, we have to keep track of all the simulators and
ideal protocols in the environment E(Q^M).
A distinguishability that
depends on the size |E|
This is already more convenient. To obtain an upper bound on the
distinguishability ε, one obtains an upper bound for each
ε_{Q^M}(n, |E(Q^M)|) and uses

    ε_P(n, |E|) = Σ_Q ε_{Q^M}(n, |E(Q^M)|).

Of course, assumptions (e.g., on |E|) are needed to bound each
ε_{Q^M}(n, |E(Q^M)|).
Negligibility: Definition
Definition: A function ε(n, f(n)) is negligible if, for all polynomials
p(n), q(n) and all functions f(n) ≤ p(n), for n sufficiently large,
ε(n, f(n)) ≤ 1/q(n).
To apply this definition, we need

    |E| ≤ p(n) ⇒ |E(Q^M)| ≤ p'(n) for all Q.

We also need that the sum of polynomially many negligible functions is
negligible. See the issues below.
Negligibility: Issues
For the most general functions ε_{Q^M}(n, |E(Q^M)|), the negligibility of

    ε_P(n, |E|) = Σ_Q ε_{Q^M}(n, |E(Q^M)|)

is not obvious, because the domain of the summation is a function of n
and its size is polynomial in n.
In addition, |E| ≤ p(n) ⇒ |E(Q^M)| ≤ p'(n) for all Q is not obvious to
obtain when Q runs over a set of polynomial size.
Negligibility: Solutions
1. Assume that the set of protocol definitions in
the library is independent of the security
parameter n. (Very natural)
2. Require that the size of the simulator is
bounded by a polynomial that depends only
on the protocol definition (not on the copy in
execution). (Very natural)
3. Require that ε_{Q^M}(n, |E(Q^M)|) depends only on the protocol
definition (not on the copy). (Very natural)
Negligibility
(A point aside)
The technicality here is similar to the technicality
in the following related situation:
Let f_k(n) ∈ O(1) for k = 1, …, n.
We do not have Σ_{k=1}^{n} f_k(n) ∈ O(1), even though f_0(n) ∈ O(1) and
S, f ∈ O(1) ⇒ S + f ∈ O(1).
The problem is that, for n fixed, f_n(n) is a number, not a function.
Therefore, it makes no sense to say that all terms in the sum are in O(1).
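A concrete instance of this technicality, added here and not taken from the slides: let

$$f_k(n) = \begin{cases} n & \text{if } k = n,\\ 0 & \text{otherwise,}\end{cases} \qquad k = 1, \dots, n.$$

For each fixed $k$, $f_k(n) = 0$ as soon as $n > k$, so every $f_k \in O(1)$; nevertheless

$$\sum_{k=1}^{n} f_k(n) = f_n(n) = n \notin O(1).$$

The same shape defeats negligibility. With $\varepsilon_k(n) = 1$ if $k = n$ and $\varepsilon_k(n) = 2^{-n}$ otherwise, each $\varepsilon_k$ is negligible, yet $\sum_{k=1}^{n} \varepsilon_k(n) \ge 1$ for every $n$. This is what solutions 1 to 3 above exclude: the bound $\varepsilon_{Q^M}$ must be a single function fixed by the protocol definition, of which there are finitely many in the library, so the sum over the copies in execution is a polynomial multiple of finitely many negligible functions.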
The Documented Ideal
Protocols Approach
A documented ideal protocol is an ordinary ideal protocol that also
contains two sets of instructions.
One set of instructions computes the non-negligible part of
ε_{Q^M}(n, E(Q^M)), if any. This non-negligible part is used as an alert
signal saying that this ideal protocol cannot be used in a given
application protocol.
The negligible part is managed as usual, and the proof of the
associated UC theorem is essentially the same.
The Documented Ideal
Protocols Approach
The other set of instructions determines special operations that can be
executed in the environment of I(Q). These special operations must be
taken into account when we analyze any protocol Q'^M with
Q < Q' ≤ Par(Q) in the bottom-up traversal.
The nodes Q' with Q < Q' ≤ Par(Q), where < is the order of the
traversal, are the nodes visited in between the visit of Q (where Q^M is
replaced by I(Q) + S(Q)) and the visit of the parent of Q (where I(Q)
disappears).
Advantage & Disadvantage
Advantage: The simulator can execute these special operations, which
have super-polynomial power. Moreover, these operations can even access
registers in the application! This allows this kind of UC to be proven
for many more protocols.
Disadvantage: The ideal protocol is not as convenient. We must keep
track of these instructions.
Documented-UC of Perm-BC
Perm-BC is the bit commitment that calls a one-way permutation
π : {0,1}^k → {0,1}^k with a hard-core bit B : {0,1}^k → {0,1}. For x
randomly chosen, π(x) is a commitment to the random bit B(x).
There are no instructions in ID(Perm-BC) for the non-negligible part,
because there is no non-negligible part. However, there is a special
operation in ID(Perm-BC). We only describe the special operation for
the case where the receiver, Bob, is corrupted.
Special operation in ID(Perm-BC)
Case where the receiver is corrupted: The special operation is
computationally bounded (a circuit of polynomial size). It must be
executed just after all gates that precede the beginning of the
opening. It can only access the registers of the environment E* of
I(Perm-BC) that are required between the beginning of the opening phase
and the beginning of the opening. Let A be the set of registers that
belong to a non-corrupted circuit in E* or are not accessed by the
special operation. The states of A with and without the special
operation must be computationally indistinguishable.