Add to collection(s) Add to saved
  1. Arts & Humanities
  2. Philosophy

1

advertisement 
1
>> Seny Kamara: Okay. So it's a pleasure to have Juan Garay speaking today. Juan
is a researcher at AT&T and he'll be speaking about sound specifications of
cryptographic tasks.
>> Juan Garay: Thanks, Seny. Good to be here. So I'm going to talk about a framework
for the sound specification of cryptographic tasks. This is work with Aggelos
Kiayias and Hong-Sheng Zhou, who just started a post-doc at the university of
Maryland.
And I thought about talking about this, because we've been working on this a couple
of years, but it was just recently presented at CSF, Computer Security Foundations
in Scotland, and I figure not too many people had listened to this talk, except now
then I found out that a few people had listened to the talk, including [indiscernible]
and others. But this was a couple years ago, or a year ago, and I'm told that I
became a much better speaker in the past year or so. So bear with me.
So cryptographic tasks, what I mean by that is these creatures. Encryption, digital
signature, zero-knowledge, commitment, key exchange, and have associated with
security notions that you might recognize, such as CPA security, plain text tax
security, CCA. Shows message attack for digital signatures or forgeability, you
know, zero-knowledge with these properties, commitment, key exchange. Here I'm
just mentioning one, it's called session key security by [indiscernible]. 2001 or
something.
Anyway, so they are cryptographic tasks, and these are select security notions you
might have heard of, all right? So let me now show a timeline of these security
notions, probably starting with the notion of CPA back in 1984, or actually Symantec
security was a little bit earlier. This was where -- the equivalence between CPA
and when the security was established.
And, you know, some other notions that came about.
So what year was this? What year was this?
At different points in time.
>>: [inaudible].
>> Juan Garay: Just checking. All right. So there was a time where all these
security notions came about. And this, in fact, were, you know, we call them
traditional security notions. And they were proven in, you know, isolation or very
controlled settings, such as, for example, zero-knowledge here, prover and verifier
2
protocol, and those notions would have to be satisfied, okay?
So later on, we had this, you know, more things going on. We have this call it notion
that we, you know, try to achieve internet security where there are open networks,
you know, there are multiparty tasks. There might be concurrent execution of these
tasks. The execution could be asynchronous. There will be malicious attackers and
so forth.
So a lot of things going on. Which sort of, you know, researchers are working on
this stuff. At some point in time, this is simplified the timeline version of things
anyway. Around 2001, you see known as UAC. This I know as a joke. Nobody else
does. For Anno Compositi. For Anno Canetti, where instead of defining of these
security notions separately in isolation, there will be a single notion to capture
the properties to secure the purpose of the task and these notions were called
functionalities.
Okay. So we have a notion of functionality for public encryption, signature,
commitments, zero-knowledge and so forth. As you say, that is just a simplified
version, notion, you know, presentation of things because, you know, all these
notions started happening before, when people started talking about the simulation,
paradigm and way to prove things secure and so forth. Again, these are simplified
version of things.
Okay. So we have this concept of a single notion to capture all the properties of
a task.
Okay. And this talk, we focus on this particular Canetti framework called universal
composability framework, but some of these things can be applied elsewhere, which,
in fact, build on a, you know, series of security definitions. Starting with
[indiscernible] in '87 and follow-ups. And as I said, this is just one framework.
There are similarity frameworks such as Fisher Widener and also in '01, and, you
know, other follow-ups.
All right. So one important aspect of this, as I mentioned before, is simulation
based security, which we'll get into. Allows the modular construction of larger
protocols. Protocols can be arbitrarily interleaved. And when they are composed,
they remain secure. If this means something to you, think of object oriented and
thread safe.
>>: What does this mean, object oriented and thread safe?
3
>> Juan Garay: Object oriented [indiscernible] programming type thing. Just you
have an object and you plug it in, it's going to do -- you don't care about the
internals. Thread safe it's going to keep doing what it's doing, regardless of what
other things are going on. That exhausts my knowledge of this terminology.
Okay. So here's a comparison. This was what we call the traditional classical
notions that were designed for specific environments, standalone environments.
There were several properties were specified separately. And in contrast, these
UC notions that would apply to arbitrary environments, a lot of things can be going
on concurrently. And as I said, all the properties would be specified at once, okay?
So I mentioned a simulation paradigm. And I'll get to say a few things about that
before continuing. This, as I mentioned, started with work by [indiscernible]. To
prove that a protocol is secure is basically this type of comparison where you have
a real world, you know, running a protocol, call it pi, and this arrow is representing
interactions between the parties. And some idealized world, where, you know, this
is trusted entity, I'll call that. Thus, what the task is supposed to be doing and
notice that the communication is [indiscernible] the parties this idea of the ideal
entity, okay. So if you have to compute some function, then in the ideal world,
inputs go to the party, you know, all the inputs go. The party can view the function.
They'll process the output and that's it.
Here we're calling this task G that's going to be the F that we talked about earlier.
And, of course, in this crypto world, our parties can be corrupted, misbehave, you
know, do weird things. And these are the parties corrupting their -- in the real
execution. These would be the parties corrupted in the ideal execution -- you know,
execution or this trying to achieve this task.
These parties here are thought of or [indiscernible] as adversary A. And here, we
have this idea, the process ideal world adversary called the simulator that's is
going to try, knowing pretty much what the real adversary knows, is going to try
to create an execution that is indistinguishable from this execution. Okay. And
more formally, some sort of that finishing that we would say that the protocol pi
running here would securely realize this task, G. This if were all input vectors,
some security parameter, for whatever the adversary does, there's a simulator
strategy such that the views, okay, in both worlds are indistinguishable. This can
be defined in different ways.
Proper distribution of inputs/outputs, communication on both sides, okay?
If
4
you're able to do this because I mention the communication between the parties and
the trusted parties, and these channels are ideally secure, and this guy is good,
it's going to do what it's supposed to do. So regardless of what the other study,
whatever study does, the simulators manage to do the same thing. The view is
indistinguishable, then the protocol is secure, okay?
So this is pretty much the basis of UC security, except that here there's another
entity called the environment. You know, which we saw these two distributions being
distinguishable. The environment you can think of as the distinguisher, and it's
going to try to produce, induce, try all possible things so that, you know, both -- so
that he can figure out whether the distributions are equal are not or, you know,
indistinguishable or not.
And you can see that here, the environment [indiscernible] controls again by
providing, you know, these inputs for the parties plus human outputs, communicating
with the adversary, so forth.
Here we have this extra quantifier saying for all these environments, then these
two views are going to be indistinguishable. Okay? So that's a two-minute overview
of the this simulation paradigm thing which is used in the UC security framework.
And so we saw this trusted party here executing the task, right? This is what the
task is supposed to be, to do. This is what this box is going to be doing. That
is what is called the functionality in the earlier pictures that we saw. And here
are the identities that live in this ideal world, okay? So we have the environment,
Z. This adversarial, this ideal world adversary called S, the simulator, and these
are the parties. In this case for our essential application would be signer and
verifier, for example. And some communication between the entities that we'll talk
more about later.
Okay. Any questions so far? So this trusted third party executing this idea of
functionality. Let's go back a little bit and see what ideal means in the
dictionary. Something, you know, pure, uncorrupted, perfect, and so forth. Since
Aggelos, one of my co-authors, is Greek, this is his example of an ideal object.
See how that was, you know, how this ideal functionality [indiscernible] made sense
in the beginning. For example, it's just an ideal functionality for zero-knowledge.
According to zero-knowledge, you're trying to prove the veracity of a statement
without revealing anything else. This case, it's for the argument of knowledge case
where there's a binary relation. The prover is polynomial time bounded, and there's
5
a common input to both parties, prover and verifier. And the prover has some other
element called the witness, and it's trying to prove to the verifier that it exceeds
[indiscernible] a witness satisfies, some element has satisfied this relation and
nothing else. So that's all the verifier learns. Okay?
This is supposed to the capture what's going on. This the functionality, this the
code that the functionalities will be executing. When it receives a message, it
has some form of ZK prover, from PI, and get these two values, you know, the common
input on the witness. The functionality verifies that the relation holds, right.
And if it does, then it sends to the verifier, to the verifier PJ, you know, this
is it. You know, there exists a witness such as that the relation holds. Otherwise,
doesn't do anything. Okay. Notice that here, just by sending this message to the
verifier, the verifier didn't learn anything new. X was the common input to both
parties.
Okay. So you can look at this and say this is what zero-knowledge functionality
should look like, simply enough. If we're able to achieve this, you know, our
protocol that realizes this should be secure. So simple enough code.
So let me show you what these ideal functionalities have become more recently. Now,
don't worry about deciphering it or reading it. This is just one example due to
myself. This is due to my co-author. It is used for the blind signature
functionality. So the point is that who knows what's going on here? It's going
to be very difficult to -- there's a semicolon I'm missing here, there's some action
that is missing or is, you know, it's incorrect and so forth.
Okay. And in some sense, it's what motivated our work.
Because classical notions, these notions that we talked about, CPA, CCA, you know,
were stable, a bit understood. But these notions, while they were supposed to work
for arbitrary environments, you know, capture all the properties, it was, it seemed
to be like a challenging task to do that, right. Because there would be multiple
candidate specifications for the same task with subtle differences that you couldn't
figure out or people figured out for, like, some cases.
There's a case of digital signatures where there was an original proposal by Canetti.
Then this Backus and Hofhines show that the specification had a problem, and then
Canetti then later specified that this specification had a problem and so forth.
So it's very hard to get this thing to do what it's supposed to do.
>>: So why don't you -- sounds like you're saying with dual functionality so
6
complicated, maybe doesn't do what you want. It's kind of take it, you know, I don't
know this, but arguably you can see this problem a if you make one page that do
functionality without proving it secure. Which issue is more serious. You have
plenty of functionality, it's like all those things now you have a protocol, but
to prove it secure [indiscernible] simulators and you need to [indiscernible] is
impossible.
>> Juan Garay: You're saying that the proof itself, the proof effort itself is
complicated and.
>>: So which one is more important for the purposes of your talk?
>> Juan Garay: No, I'm assuming for now that once you give a -- I'm ignoring the
complexity of the proof, [indiscernible] specification.
>>: [indiscernible].
>> Juan Garay: That's the next research project due, you know, negative proofs. In
fact, people have been trying to do it, the proof system systematic and the method
systematic and so forth. So now I'm talking, trying to capture even the properties
of the task, that you more or less intuitively would know, try to lay them down on
paper, you know, as a code for the ideal functionality. Try to get it right.
>>: I'm just saying it happened to myself a few times. That's why I no longer work
in this field. But just, you know, you have something here, a protocol initially
some security [indiscernible] you say okay, forget about the proof. Then you find
that out, you say oh, yeah, that's proof, you're right. There is that one little
things that I miss, that's exactly where that comes through. So to me, the ideal
functionality, I mean [indiscernible] this thing is complicated. It's very easy
to make a mistake.
>> Juan Garay: Okay. Well, assuming that you made a few mistakes on top, you make
them on top of a, you know, ill-defined functionality.
>>: [indiscernible].
>> Juan Garay: So they're not in a post, you see, model here.
So that was the -- was this clear? So we have cryptographic task. We have this
sort of idea [indiscernible] task and the purpose of this talk is to have some
7
methodology to define those specifications, you know, in a consistent way and
hopefully a simple way.
And so related to Evgeni's question is so because what happens when you have an
ill-defined functionality. There we are. So the reasons for not being able to
specify this is that as we said, you know, you're given a task, the functionality,
you're to specify how to generate the parties' outputs. You have input, output,
this is what the output should be, except that we have all these, you know, privacy,
confidentiality requirements in crypto. And this framework, using this simulation
paradigm thing, you have this entity, the simulator, they're supposed to arbitrate
things and play around with things so that, you know, if there's something
distinguishable, so forth. So there's a back channel functionality with simulator
from the functionality that is complicating things, right. And that's what this
text is supposed to say.
Because there are a lot of issues that you have to specify its functionality when
to talk to the simulator, what information should the simulator know. Some
synchronization issues between what's going on in the real world and the ideal world
and so forth. So these are reasons for why getting these things right are ->>: [indiscernible] talk about the simulators.
>> Juan Garay: No, you do. You send something to a simulator, also it's important
to at what point in doing the execution do you send something to a simulator? And
I might even -- that might even show in the zero-knowledge case, right, some
communication with a simulator. The fact that there's this notion of delayed output
that then the simulator has to, you know, host a different version ways of doing
this but maybe be a [indiscernible] doesn't get it but it goes to the simulator who
is going to decide at what time to give the output to the verifier in this case,
you know, depending on what's going on in the real world execution.
Okay. So we were here. So as we said, there is some natural communication going
on. Input/output communication. You can think of these channels as being the I/O
channels come from the environment. We want the environment process inputs, gets
outputs, okay.
There's going to be some internal communication here, which we're going to be calling
the leak influence channels. So when there is some input of the functionality to
receive, depending on the task, the real world adversary might know something about
the input. For example, the length of the message. Okay, so the entity is going
8
to also learn that value.
Also here, we're giving the chance, the simulator to talk to the functionality at
the back. We'll, you know, explain more about this later. That is looking forward.
This is going to be our channels, communication channels.
And relating to Egveni's comments, so what are the consequences of not
defining -- not getting a functionality to the right? If you under specify, then
you're missing some security properties. If you are over specifying, you know, it's
going to be as I said hard to understand and you might pay some, you know, efficiency
and necessary costs, or, you know, you might never be able to realize it to come
up with a protocol that realizes that specification.
So in this work, what we are trying to do is provide a methodology that is sound,
that gets the functionality right, and it's syntactically concise, and you're going
to be, you know, adjust for that. To write and reason about UC functionalities.
Okay. The properties that we're looking at for is the issue of the same structure
for many tasks. Should look the same for many tasks. They are for different
functionalities, you know, capturing probably the same tasks. Now, if you have the
same format, it should be easier to compare them. We can put together, we can combine
functionalities, you know. We can define functionality for one property and combine
them. And in particular, I said property. There are lots of security properties
that have been proved in a so-called game based definition. We'll talk a little
bit more about that later.
So if that's the case, if we only have a game based definition, we have a translation
from that game definition to give you the corresponding functionality. This allows
us to also debug some of the existing functionalities.
So far, half hour, this is the motivation, high level results. And next, we're going
to be looking at some of these bullets. Now I'm going to talk about the notion of
ideal canonical functionality. Remember I said the same thing, the same
functionality should look the same for different tasks. And for that, we have to
get into a little bit of formal language, lingo.
So we have a cryptographic task that is determined by actions okay. For example,
for signatures, we call action a key generation sign verified. [Indiscernible]
prove, that would be an action. The commitment task would be commit and open. Those
are the actions as I showed you of the task.
9
So given that, this is going to be the format of all the -- remember, I mentioned
those channels. Everything that goes in those channels pretty much are this format.
Some action, for example, key generation, the speed that identifies the players,
the entities that are involved in this action, you know, prover, verifier plus some
other session ID information and so forth.
And each action we associate an action return. Look at this the output that the
action produces. For example, commit, it would be a commit, commit return. Send
it to the receiver. Called prove, prove return, send to the prover. May or may
not be this return thing, but it typically associated this to actions.
So if the task has, say, K actions so you an alphabet, associated with ST that are
all these possible pairs. So these are the symbols that we're going to be going
around in the I/O channels that we saw before.
We also said that there's some communication between the functionality and this ideal
world adversary, the simulator. So there are other symbols there that, you know,
that there's some traffic on those channels. One is the leak action. Verb[that
says if it was an action, this is what the simulator is allowed, the other side is
allowed to know from this action.
And this influ action is the influence that the simulator can impose on the
functionality to produce the output. So we have all these. I/O, we have the regular
symbols as I showed you with the task, and you have at least these two symbols in
the communication with the simulator.
So now we can talk about the language of the task. The I/O is all the symbols, okay,
that is what I said before. Between the functionality and the environment. And
we have the complete language for the task when we put all these symbols together.
The functionality environment and functionality and the simulator. Okay. That's
a formal language.
Okay. So this is the I/O language and this is -- everything that's goes on is this
language associated with the task. In some way, what we are going to be doing is
some sort of traffic police, you know, watching what's going to be flowing in these
channels to look for inconsistencies, okay? So that's the basic idea, at least for
consistency properties.
So we're combining the canonical functionality, right. So other things that is
going to be inside the canonical functionality is the well-formedness predicate.
10
Remember, I mentioned that actions has tasks. So the well-formedness predicate is
going to check that actions are regular inside the functionality. So it could not
be open before a commit for a commitment task. It should all be assigned before
a key generation action for signatures. So this well-formedness check, this is
going to be a history thing. You put all the symbols there. There's a fairly good
check that when there's a new symbol coming in, if it doesn't violate any consistency
thing, again, it couldn't be assigned if there was no key generation before.
And there's going to be public and secret outputs that basically also a function
that specify given the action, what is the public output that everybody is supposed
to learn from this action and what is the secret output nobody else except the
intended receiver should learn from this action. And examples of a secret output
would be there is no secret output because the verifier doesn't know anything. That
it's is not public. It just got convinced that the statement is true.
And the public output is basically everybody would know, the simulator in particular,
that a statement is true. There was a history, there was some symbol coming in.
It would be for this statement, the prover has to witness and that's the public
output. And that would go to the simulator, and the secret output would go to the
verifier. All right?
Oblivious transfer, which I will get to later.
So this is the basic block diagram for the canonical functionality for a task T.
Maintains a well-formed history using this predicate that we saw. Leaks to the other
side of the public outlet associated with the task. And furthermore, it's
parameterized by a suppress and validate functions.
Okay. We're almost done with the specification. Suppress is going to determine
basically when there is an action coming in, it's going to determine what gets leaked
to the -- what part of it gets leaked to the other side, and validate is going to,
when there's a message from the simulator saying now up with this, value it's going
to check that that action and the value makes sense. Again, this produces the actual
return. So it's a two-pass box. And we'll see examples shortly.
So suppress redacts information from the action symbol, and validate makes sure that
things make sense. It would instruct the functionality to halt if things in the
history or is inconsistent.
Okay.
So that was the canonical functionality supposed to be the same for everyone.
11
Might not be the most aesthetically pleasing function you've ever seen, but I just
show you, I gave you a preview. So this what it looked like. We're not going to
go over all the details. Okay, we'll ignore these two bullets for now. But it's
basically a four bullet thing.
Some [indiscernible] react when there is an action, okay, and you see that one,
there's an action, there is some leak action. Two, the simulator that goes up, I'm
just going to go with some public output to the simulator, okay? And where there's
an [indiscernible] action from the simulator is going to do a bunch of checks. For
example this well-formedness thing, meaning that what the simulator instructs the
[indiscernible] to output makes sense and is going to output the secret output to
the party. Okay. So that's one box.
You do it once, and let me show you briefly examples of how these things would look
now for specific tasks. So now you have the big box. This is what the functionality
for signatures would look like. Okay, so you're basically instantiating all the
things, like the actions, well-formedness, public and secret output and these two
functions. We'll get to signatures on [indiscernible] later. But from the
somewhat ugly box, this is how it would look like for a specific task and this would
be the oblivious transfer functionality. Okay.
>>: So you're saying that [inaudible] date the canonical, you just need to define
these.
>> Juan Garay: So that's a canonical functionality. We mentioned these two
functions, right, suppress and validate. And you can think of those two knobs that
you can play with, like suppressing more or less, you know, validating, being more
relaxed in the validation or not. So that gives, just generates basically a class
of canonical functionality for the same task, okay.
Where the two extreme cases would be the dummy canonical functionality, which
basically doesn't do anything. You know, if there's something coming in, some
action coming in, it just passes up to the simulator and it doesn't
validate -- whatever the simulator tells the functionality to do, it just does it.
Dummy. It doesn't do anything. It's a pass-through functionality.
The top, on the other hand, is
it doesn't validate anything.
completeness purposes, right?
to combine two functionalities
the other extreme. It doesn't leak anything, and
It doesn't output anything. These are for
So now we can define what's in the middle and a way
with different values for suppress and validate.
12
Here I have for the same task, right, we have suppress one, validate one, suppress
two, validate two. We define an application called join between these two objects.
Define as follows.
Suppress is a composition of suppresses. Okay. If one doesn't leak something, the
other functionality doesn't leak something else, you know, both things are not going
to be suppressed. And validate is, you know, we make sure that separately, each
one does, you know, it consists of what the history of what went on so far. So far.
Okay. So getting more abstract, this thing, this class with this operation is
basically a commutative monoid with the dummy functionality as an identify element.
And never mind what that means. That is going to give us a lattice in a more abstract
algebraic sense. We'll see a picture soon. And this commutative monoid thing has
a preordered relation that is basically denoted by this that is saying that if F1
is less equal F2, if and only if there exist an F2 such that that this happens, okay?
If one, you get F2 by joining F1 with some other functionality.
This basically saying this is stricter from a security point of view than these two.
Okay? And we have some theorem saying you can always realize the dummy
functionality. Every [indiscernible] protocol can realize it. And that no
protocol -- you know the top functionality is not realizable, okay? But it is
basically what this slide is look like. In this case for the commitment property.
Here we have the top for the commitment task and the dummy. Here have the
functionalities corresponding to the properties you might have heard of for a
commitment. Correctness, binding and hiding. And the way you would get to the
commitment functionality is joining, you know, these pairs the way we described it.
Pictorially, also, we can put on this slide is realizability horizon, meaning that
there's no protocol that could realize this in the, you know, above this horizon
in the plain model. And this is allowing the possibility result. For those of you
who have heard of this, but know that any pair wise combination of the commitment
properties can be realized in the plain model.
So that was the lattice that I mentioned.
canonical functionality.
So we have this algebraic structure of
So how do you get these functionalities? So basically the way we have this box,
what we have to do now is specify the suppress and validate functions. And as I
mentioned from a task, you are able to identify its basic properties, which are
divided into consistency or integrity properties and privacy properties. So the
13
consistency properties are captured by the validate predicate that we mentioned.
It's basically what we already talked about. That all the symbols, you know, that
occur have to be in certain order to make sense. Again, they can be a sign action
before a verify action from the same party. Key generation action from the same
party. Okay? So that this is how the consistency properties are checked. And
basically, you check on that by defining a bad language. We have all the symbols.
What would be a bad language. It's a bad sequence of strings.
And here are some examples. Take, for example, the commitment case. This would
be a bad language for the binding property. Here we have a string that says commit
so there might be some other symbols interleaved here, right. There might be other
things going on. But we have a commit symbol. We have a -- to produce a committed
return. Then we have an open of that commitment, open return. Open in prime such
that, you know, prime is not M so that would violate the binding property, okay?
So basically, mechanically, you just go over these history sequencing symbols that
you have and look for this pattern. This is a bad language for this property. So
with zero-knowledge, and oblivious transfer, one half time to do it. That was the
validate function that we were trying to specify. We saw how to do it for the binding
property on commitment.
The privacy properties are captured by the suppress function, right. That's, you
know, it keeps things confidential, lets the simulator know what's going on. And
as we saw, if there is some action, there's going to be a leak symbol going to the
simulator, okay, and this value that is leaked is specified by this suppress
function.
Here we have an example where for zero-knowledge, we have a prove action for this
task. So the suppress is now going to, perhaps is going to leak the size of the
witness, but that's it.
For the case of signature, there's no privacy right now, confidentiality, so just
doesn't suppress anything. And I guess oblivious transfer, if you have a symbol
like this, because it's wrong, coming from the sender, so it's going to, it's not
going to let the simulator know what values the sender oblivious, transfer what
messages he has, but maybe the length of those messages, like string.
Okay. Here we define some rules, like always the same portion of the action is
suppressed. The length is always revealed. And the simulator is kept abreast, you
14
know. It keeps -- whenever there's an action, there is some leak going on so the
simulator knows what's going on for each action.
>>: [inaudible].
>> Juan Garay: Of the input.
>>: [inaudible].
>> Juan Garay: You look at it, it's a big string, because we want to be able to compose
them with two different suppress. So you just basically say the left half of the,
you know, that kind of thing. Nothing.
Okay. So how do we derive now a canonical ideal functionality for a cryptographic
task. We define one canonical functionality for each property. We then combine
them automatically with this join operation that we saw. Okay? And this is the
case of commitment that we saw.
All right.
definitions
translation
go over it,
So it turns out that as I mentioned, there are lots of security
that are called game based. And in that case, we have a sort of automatic
to go from the game to a functionality. Okay. We don't have time to
to look at the paper for that.
So basically, if this was sort of a game, this is the unforgeability attack, whether
it's a public key generation. The attacker, the adversary asks for, you know, signed
message, get messages, at some point it's supposed to generate a megs that's not
signed [indiscernible] forgeability attack.
So we go by assigning things to this idea for entities in some way. Okay. And
basically we come up with this for this particular property, unforgeability, we got
this unforgeability, the CMA game, we derive the bad language for the unforgeability
property. Okay? This is going to be a sequence of elements, you know, key
generation sign, sign, you know, bunch of times and verifies. And then there should
not be a message, a signed message that verifies that was not signed before. Right.
So this would be a sequence of symbols that is called bad language for this particular
property or the task.
And what we can show is that if you apply this methodology, and you have a product
called user realizes they the canonical functionality derive from this consistency
game as we saw, then the corresponding cryptographic scheme satisfies the properly
15
defined by G. So this transformation is sound and, in fact, it's both ways for
consistency property. So the consequence of this is that we are lifting a game based
security definition traditionally assigned for the new model for this UC
functionality world. Yes?
>>: Where does [inaudible] come in this game based definition that you talked about
[inaudible].
>> Juan Garay: So we defined something that is a functionality in the UC framework.
UC have to come up with a protocol that realizes that functionality. But the
functionality itself, you can invoke ->>: But if it's using basically [inaudible].
>> Juan Garay: No, so it's both ways. Transformation. So you can go from the game
based definition to obtain this functionality for a consistent property. And from
a functionality, you can reverse if you want the transformation to get a game based
definition than the standalone thing. There's nothing else going on.
>>: So the thing is, sorry, but I guess I was also wondering the same as Melissa.
So many games, like you can define zero-knowledge, which is not composable
[inaudible] if you're saying that any game automatically get this UC
functionality ->> Juan Garay: Applying this transformation.
>>: Sorry?
>> Juan Garay: So it's not a -- you don't add anything new. You apply this
transformation to make sure how things work to make it into a functionality.
>>: It defines the game [indiscernible] it defines the functionality, and it's UC
using functionality and UC using functionality is always composable.
>> Juan Garay: So this is saying that the transformation is sound.
transformation is sound.
Our
>>: So it doesn't implies it's a game ->> Juan Garay: Right.
If you have a well-established game in a standalone setting,
16
you apply this transformation, you get something.
>>: [indiscernible].
>> Juan Garay: What's that?
>>: The transform game and the new one, that is [indiscernible].
the knowledge [indiscernible].
It does not apply
>> Juan Garay: [indiscernible]. We define it, you know, the environment,
the -- what the simulator does and we get the code for the functionality this way.
So if you have a protocol realizes that, then scheme satisfy that. Original scheme
satisfy that game. Privacy game is similar okay.
So this is just an overview of how -- you know, sort of systematic translation from
the game-based definition world to the ideal functionality UC security world.
So this way, we get a single template functionality for all or many tasks. And these
are the basic things that we talked about. We talked about this well-formedness
predicate. We talked about suppress function, devalued function. One thing we did
not talk about is this corruption verbs that we saw before. There were these two
bullets in the box that we didn't talk about. So mention those briefly.
So another symbol that may come down from the simulator this corrupt party that is
common in the UC framework, that when a party gets corrupted in the ideal world,
the simulator should know, should learn whatever the real life adversary learned.
I mean its internal state. So this is their response to this corrupt symbol, and
another symbol is going to be a patch which allows the simulator to change history
as long as no honest party was involved in the execution.
Okay. So it has the flexibility of making things change when -- once a party is
corrupted, okay. There are some other details for cases where you're not supposed
to do that when like some properties, a party was involved. That's how basically
we get to that.
So here we have the corrupt bullet and the patch bullet, kind of from the simulator,
all right. And that was a template. And let me just finish with this example for
signatures where we have all the constituent functionalities. This is
unforgeability that we already saw. Consistency and correctness. So the idea is
once you have that, define [indiscernible] for each property and then we'll combine
17
them.
So these are the bad languages for the properties. We already saw the
unforgeability. Bad language. A bunch of signed verify, verity for a message that
was not signed.
Let's see. Consistency says, you know, same signed message, verified or not
verified, okay. Two verifiers, same message and signature, and this is yes and no.
And the completeness says the ones you signed should always verify. In this case,
it didn't verify, that's why it's the bad language.
Okay. So those are the three bad languages associated with signatures. This is
the function for signatures. We have the three actions. Well-formedness is that
any sign, symbol must be preceded by a key generation symbol. Public and secret
outputs, that's probably, you know, the message is always -- depending on the action,
the message is always leaked to the adversary so that's a public output.
Suppress doesn't suppress anything. We said this before, okay. You have an action
P and an input X, it doesn't suppress. And validate is basically, is the combination
of all these -- this strength, the history that we've obtained is validated. So
history should not belong, you know, should not be in any of these bad languages
corresponding to the three properties. Okay.
So that was signatures.
So I'm out of time, but one thing that we show with this is -- now, we got this box,
tried to prove is see what happens with existing functionalities for those tasks.
Okay. We tried to prove that they're equivalent in some way. So one of the things
we found out is with respect to this, this equivalent to one of the latest signature
functionalities, by Canetti, except that this functionality is sort of obtained
accidentally from the translation that was done from some scheme.
And basically, the translation that Canetti performed from the GMR signature for
the consistency property basically assumes an honest key generation, okay, while
this consistency that we saw, it strictly doesn't care about an honest key
generation, but all is verified that, you know, either signatures verify or do not
verify, but you can't have it both ways.
Okay. So this is -- you always check. This only checks when there's an honest key
generation that it was registered by the functionality. And therefore, it's
stricter than this. This is stricter than that. Again, therefore the
18
[indiscernible] would have obtained this functionality was just slower than the
signature functionality.
>>: Can you say what the difference is again?
>> Juan Garay: The [indiscernible] basically assumed it was an honest key
generation. By honest, I mean, you know, a corrupt signer has to register to a key
generation basically with the functionality.
>>: [indiscernible].
>> Juan Garay: Okay, so that's one example of what things go on. We have another
example for -- this is how oblivious transfer functionality would look like. The
actual is transfer. It comes from both parties, sender and receiver. The
well-formedness predicate says any transfer returned should be preceded by a
transfer symbol.
The public and secret outputs, there's no public outputs, and the secret output is
basically the message that the receiver chose, okay, satisfying this condition.
And the suppress function is, you know, nothing goes on to -- the simulation don't
know what values these guys are talking about, and the validate predicate says, you
know, make sure that the string is not in this correctness bad language for the
correctness property, which would -- which goes like this. There should not be a
sub sequence, a string and all these symbols such that it was a transfer of M zero
and one. There was a selection of, you know, one of its messages, and there was
a transfer and output of M prime such as M prime is not one of the messages that
happened in this transfer symbol.
Okay. Basically, all the transfers, all the messages that were in this input, right,
should be transferred. That's a correctness property. That's also send us
security receiver. Security thus captured by a suppress function.
Okay. So to wrap up, we can argue this ideal functionality was, you know, not that
ideal and easy to look at. Notice that the definitional approach in this line of
work has been usually top down. You define a very ideal thing and then you try to
defile it, make it dirty so that it can be realized and all these talks
[indiscernible] and so forth.
Our approach was sort of the opposite.
It's bottom up, right.
So we start with
19
some existing, you know, natural problems for the tasks.
for those tasks and we combine them, we go up.
Define [indiscernible]
We have this concise syntax two-pass in this functionality box and that's common
to many tasks. And we didn't see it, but I mentioned that in case you have a
game-based security definition, you sort of an automatic translation from the
definition to a functionality for our property.
We illustrate this approach in signature and the transfer we saw. Commitment and
zero-knowledge proofs. We showed that commitment and zero-knowledge
functionalities were equivalent to existing definitions. For signatures and OT,
they were not. We saw the signature example indicating OT. There are some issues
related to this delayed output that the framework has. Which gets, it doesn't work
when you have two parties about to receive outputs, okay. So that's why this
influence way of doing things that we saw is -- fixes that.
And what we did not do in this current version is functionalities are deterministic.
We didn't look at things like fairness, forward secrecy or something called object
insulation, which in some cases -- which is about -- the adversary in some cases
should not know what's going on, okay. So the [indiscernible] issue become an object
which is transfer without the adversary having much to say about it and there are
examples for signatures doing that. So we -- this could be incorporating our
framework but we haven't looked at it.
Okay. And that's it. So this was recently presented at CSF, and there's an outdated
version of the E-print archive. Thank you very much.
>>: So your functionalities are much simpler, but you still have to find the bad
language, right? So in the cases you use bad languages [inaudible] are
straightforward, but for certain functionality can they get pretty subtle
[inaudible] or, you know, [inaudible] define guideline can actually [inaudible].
>> Juan Garay: Yes. Actually, the -- what makes it hard, so once we have this bad
language, you have to also show that it's a decidable problem or disvalidate. You're
going to have some string and you're looking for some pattern, right? So what makes
it more difficult is that this can be embedded with a, you know, there are a lot
of things going on, right, multiple sessions and so forth.
So you really have to make sure that you're able to extract it. Let me give you
the worst bad language that we found. This is a [indiscernible] general. Although
20
we don't have the proof all the tasks, this is captured by I/O, but this is basically
saying so this is the subsequence symbol, right. So here you're trying to identify
this bad sequence.
Okay. So here the sequence belongs to the unforgeability bad language. But
intuitively, it should be there. It gives the unforgeability as you cannot extract,
check for all subsequences because if you drop, say, one verify, right, how does
it work? So you have sound verify, sound verify, and you have verify. You can't
do all the subsequences there, because for sure you're going to find that there's
a bad string. You get the -- you try, you're figuring out all the subsequences,
you're going to have -- you can drop one sign. That's a valid, you know, that's
a good language string.
>>: So then the approach simplifies investigation of the functionality, sure, but
if a lot of the complexity is pushed towards specifying bad language, is it really
making things easier or -- so for certain examples that you showed maybe for games,
[inaudible].
>> Juan Garay: Right, so we hope. So far, all the things that we looked at are
captured by -- and again, it's not something to do with the task, right. It's
because of this use, you know, might be interleaved with a bunch of other things.
But at least we narrow it down, you know. Indeed, it's the only case that
gives -- you forget unforgeability, then everything else, they are very simple
languages. By the way, you have to prove that each language is decidable. Yeah,
so there's some effort there. But for most tasks, it's this symbol.
>>: So how much work was it to compare functionalities [inaudible].
an easy thing to do, or is it automated, or [inaudible]?
Like was it
>> Juan Garay: It's not difficult. So basically, you basically have a dummy
protocol. It accesses the functionality and you have to show that that realizes
that functionality and the other way around.
>>: It's essentially like [inaudible] or realizing [inaudible].
>> Juan Garay: That what?
>>: That some protocol realizes that ->> Juan Garay: No, you want to show the two functionality is prevalent so you use
21
a dummy, very stupid protocol that only calls for functionality and that invoke,
realizes the other functionality.
>>: Is another thing [inaudible].
>> Juan Garay: Yeah. It involves also using, you know, the [indiscernible].
conceptually, it's not, it's not difficult.
But
>>: [inaudible] it could be automated, check on the two functionalities [inaudible].
>> Juan Garay: Yes.
>>: Would there be a way the functionality -- [indiscernible].
>> Juan Garay: Yeah, task. So that would mean that it's a task that in a way that
you can't identify what properties, what the task is doing. So the intuition is
maybe, but intuition is, you know -- one, you basically have an underlying knowledge
right off what commitment does and all these things too, right.
>>: For commitment and signatures we already understand the basic element, so it's
easy to say something about it. But for the tasks that's really complex, [inaudible]
you end up defining the whole system at the same time all right.
>> Juan Garay: So yeah, there could be larger tasks. There could be multiparty
tasks that do many things and still to be, you know, time tested.
>>: The point of your work, is this sort of a culmination of [inaudible] in some
way [inaudible] which functionalities might be not realizable? Does it actually
help you sort of figure that out in any way?
>> Juan Garay: Yeah, it's helped us. What I -- yeah, it was not our objective. But
for example, noticing that as I showed in the commitment lattice, right, there are
things, you know, if you drop one property, you can basically figure out why in the
same possibility result, you know, the kind of [indiscernible] of commitments, why
it breaks down by just, you know, realizing that, you know, if you combine two of
them, you know, you could -- you should come up with a protocol that realizes that.
So you have that sort of side effect.
>>: So it's not -- so from that line, I mean, it's one thing to sort of actually
know that that line exists, and then it's another thing to go, get that
22
[indiscernible].
>> Juan Garay: Right. So potentially, you can start from scratch so you didn't
follow the properties. Say let's see if we can -- there's no, you know, formal way.
But let's see if the protocol can realize this combination. Then you can draw your
own line. Here, we knew, right. I was trying figure where this is horizon go. And
then, you know, there were three protocols to realize the pair wise combination.
Thank you.
Related documents
Tips for Problem Solving
Tips for Problem Solving
(A: A: Can you do me a favor ? B: Sure. What’s
(A: A: Can you do me a favor ? B: Sure. What’s
INTERNET SAFETY QUIZ – Handout 1 GRADE LESSON
INTERNET SAFETY QUIZ – Handout 1 GRADE LESSON
Anne Frank – Anticipation Guide Discussion Rules
Anne Frank – Anticipation Guide Discussion Rules
Download
advertisement