Questions tagged [universal-composability]

The framework of universal composability (UC) is a general-purpose model for the analysis of cryptographic protocols.

UC guarantees very strong security properties… protocols remain secure even if arbitrarily composed with other instances of the same or other protocols. Security is defined in the sense of protocol emulation. Intuitively, a protocol is said to emulate another one if no environment (observer) can distinguish the two executions. Literally, the protocol may simulate the other protocol (without having access to the code).

The notion of security is derived by implication. Assume a protocol $P_1$ is secure by definition. If another protocol $P_2$ emulates $P_1$ such that no environment can tell the emulation apart from the execution of $P_1$, then $P_2$ is as secure as $P_1$.

54 questions
10
votes
0 answers

How to write proofs for universal composable security?

Recently, I have been studying Ran Canetti's famous paper, "Universally Composable Security: A New Paradigm for Cryptographic Protocols". But I find it very difficult to grasp. When I read the paper that proves the security of the protocols in the UC-framework,…
user77340
3
votes
1 answer

Why would someone prove security in the real-ideal model instead of Universal Composability framework?

I am somewhat confused about the reasons why one would use the real-ideal model instead of the universal composability framework. The UC framework seems to me to provide a much stronger definition of security. Is there some explanation for this?
graphtheory92
3
votes
0 answers

Detail about reactive simulatability framework

I'm trying to understand the framework of reactive simulatability using *"PfWa2_00AsyncModel"* from this publication which is a tech report behind the paper A model for Asynchronous Reactive Systems and its Applications to Secure Message…
student
2
votes
1 answer

Is UC security only meaningful in the malicious setting?

In my understanding, the main difference in the proof between UC and the standalone model is the ability to "rewind", which appears to be related to malicious security only. So if we are only interested in semi-honest security models, do we have to…
vince.h
2
votes
0 answers

Difference between Non-Concurrent Composition and Concurrent Composition

You can get access to this document via institutional login at https://www.researchgate.net/publication/220556089_Security_and_composition_of_cryptographic_protocols_A_tutorial So in Ran Canetti's tutorial on composable security I came across some…
killertoge
1
vote
1 answer

Are there any ways to tell if a cryptographic protocol is UC-secure before formally proving its UC-security?

I do not quite understand the UC framework. Given a protocol to be proven, now I just know firstly we should write down the ideal functionality, and then the concrete protocol, then proving the protocol security realizes the ideal functionality by…
user77340
1
vote
0 answers

Session IDs in (simple) universal composability

In the simple UC framework paper, there is a brief discussion on session identifiers (sids) on page 13. It states "The main protocol is given a session identifier sid", but it is not entirely clear to me how this happens. I understand that the (S)UC…
Sebastian
1
vote
0 answers

Universal composability: Can an ideal functionality call other ideal functionalities?

I'm new to universal composability. I'm trying to define a protocol, $\pi$, in UC. The protocol involves 3 parties: A, B, and a smart contract $C$. Parties A and B interact with each other and with $C$. Each party, including $C$, makes calls to…
Aydin
1
vote
1 answer

What is the border between an ideal functionality and a protocol?

In the context of the UC framework, what is the border between an ideal functionality and a protocol? It seems to me that it depends on the level of granularity required for proofs. For example, the same protocol ${\Pi}_{1}$ may be described in…
Lorenzo
1
vote
1 answer

What are the limitations of the Universally Composable (UC) framework?

I am beginning to read some UC framework papers, and I guess it is similar to the simulation-based security analysis. I can understand that the main advantage of UC is to assist us in analyzing composable protocols. But I am wondering what are the main…
Z.P.
1
vote
0 answers

Efficient universally composable protocols for aggregate statistics

Let's say we have multiple parties $P_1, \dots P_n$ that gather personal data, and a party $C$ that is interested in aggregate statistics on these data, i.e. the average value. An ideal functionality $\mathcal{F}$ would allow $C$ to register a…
bit
1
vote
0 answers

Are theorems 2 and 3 in the Town Crier paper (Zhang et al, 2016) proven using the UC framework?

I am reading the paper ‘Town Crier: An Authenticated Data Feed for Smart Contracts’ by Zhang et al (2016), but there is something I just cannot wrap my head around. In Section 7 and Appendix C, it is stated that three theorems (Authenticity, Gas…
Saffie
1
vote
0 answers

Intuition of the UC framework

I am trying to get into Universal Composable Security, but before diving deeper I would like to confirm my intuition of the framework. https://eprint.iacr.org/2000/067.pdf A protocol $\pi$ securely evaluates a function $\mathcal{f}$ if for any…
killertoge
0
votes
2 answers

What is the difference between a cryptographic primitive and a functionality?

In the context of papers using the UC framework, I have seen the same cryptographic tools referred to as cryptographic primitives and functionalities. Are the two terms interchangeable? An example is here: Bulletin Boards and Smart Contracts are…
Lorenzo