I am somewhat confused in the reasons why one would use the real-ideal model instead of the universal composibility framework.
The UC framework seems to me, to provide a much stronger definition of security. Is there some explanation to this?
Asked
Active
Viewed 218 times
1 Answers
1
Try to prove something non-trivial using the universal composability framework and you will quickly understand why few people use it.
EDIT: Snide remarks aside, it is pretty widely acknowledge that universal composability is really hard to use in papers. It's even hard to typeset - I've seen proofs with UC functionalities that don't fit on a single page! A colleague of mine has said that proving non-trivial things using UC is like writing a web server in assembly language.
Aside from the practical difficulty of writing proofs with it, there's a more fundamental difference between UC and the real-ideal paradigm: the latter has an intuitive philosophical appeal that comports with the way people think about security. The former doesn't have the same "interpretability" IMO.
pg1989
- 4,636
- 23
- 42
-
A part from simplicity of writing proofs, I don't understand if UC would provide stronger security. – graphtheory92 Apr 26 '17 at 21:54
-
Hmm... I don't know enough about UC to give a rule of thumb for comparing strength of results. In some ways UC is too strong - for example, commitments are not straightforward to prove secure in UC, and most commitment schemes can't be proven secure in the basic UC model. – pg1989 Apr 26 '17 at 22:10