1

I do not quite understand the UC framework. Given a protocol to be proven, now I just know firstly we should write down the ideal functionality, and then the concrete protocol, then proving the protocol security realizes the ideal functionality by constructing several simulators. May I ask if it is true that we can tell if a protocol is UC-secure just from its ideal functionality?

Besides, in page 76 of Canetti's tutorial for UC framework: https://www.cs.tau.ac.il/~canetti/materials/sp09-sem-lec9.pdf, he gives an attack on the insecure composited protocol. My question is how to modify this composited protocol into a UC-secure one?

user77340
  • 787
  • 4
  • 13

1 Answers1

4

May I ask if it is true that we can tell if a protocol is UC-secure just from its ideal functionality?

I think the question is posed in the wrong direction. The principle behind UC security is that the ideal functionality is by definition the functionality that is desired. The functionality itself is neither secure nor insecure, it just is a model of the desired task.

A protocol, on the other hand, is considered secure, iff you can give a simulator that fakes a protocol run (transcript) that looks indistinguishable from the transcript of a real protocol run. The difficulty of the simulator is to come up with protocol messages that are consistent with the information provided from and given to the ideal functionality.

My question is how to modify this composited protocol into a UC-secure one?

Well, in general you would have to identify which information leaks from the protocol which does not leak from the ideal functionality that you try to realize. Unfortunately, I did not find a definition of the key exchange functionality that this protocol tries to realize in your reference. Therefore, you have to specify what exactly you are trying to model with the protocol in the first place.

Nicholas Brandt
  • 161
  • 3