Universally Composable Protocols with Relaxed Set-Up Assumptions ¡ Boaz Barak Ran Canetti Jesper Buus Nielsen Rafael Pass Inst
Total Page:16
File Type:pdf, Size:1020Kb
Universally Composable Protocols with Relaxed Set-up Assumptions ¡ Boaz Barak Ran Canetti Jesper Buus Nielsen Rafael Pass Inst. for Advanced Study IBM Research ETH Zurich¨ MIT [email protected] [email protected] [email protected] [email protected] Abstract of instances of the protocol, as well as arbitrary other pro- tocols. Indeed, it has been demonstrated time and again A desirable goal for cryptographic protocols is to guar- that adversarially-coordinated interactions between differ- antee security when the protocol is composed with other ent protocol instances can compromise the security of pro- protocol instances. Universally Composable (UC) protocols tocols that were demonstrated to be secure when run in provide this guarantee in a strong sense: A protocol re- isolation (see, e.g., [GK90, DDN00, KSW97, DNS98]). A nat- mains secure even when composed concurrently with an un- ural way for guaranteeing security of protocols in such bounded number of instances of arbitrary protocols. How- complex execution environments is to require that pro- ever, UC protocols for carrying out general tasks are known tocols satisfy a notion of security that provides a gen- to exist only if a majority of the participants are honest, or eral secure composability guarantee. That is, it should in the common reference string (CRS) model where all par- be guaranteed that a secure protocol maintains its se- ties are assumed to have access to a common string that curity even when composed with (i.e., runs alongside) is drawn from some pre-defined distribution. Furthermore, arbitrary other protocols. Such a general notion of secu- carrying out many interesting tasks in a UC manner and rity is provided by the universally composable (UC) security without honest majority or set-up assumptions is impos- framework [C01], which provides a very general com- sible, even if ideally authenticated communication is pro- posability property: A secure protocol is guaranteed to vided. maintain its security (in the sense of emulating an ide- A natural question is thus whether there exist more re- ally trusted and secure service) even when run concurrently laxed set-up assumptions than the CRS model that still al- with multiple copies of itself, plus arbitrary network activ- low for UC protocols. We answer this question in the affir- ity. mative: we propose alternative and relaxed set-up assump- However, such strong secure composability properties tions and show that they suffice for reproducing the general come at a price: Carrying out many interesting crypto- feasibility results for UC protocols in the CRS model. These graphic tasks in the UC framework has been shown to be im- alternative assumptions have the flavor of a “public-key in- possible in the plain model, unless a majority of the partici- frastructure”: parties have registered public keys, no sin- pants are completely honest [C01, CF01, CKL03]. The impos- gle registration authority needs to be fully trusted, and no sibility holds even if ideally authenticated communication single piece of information has to be globally trusted and is guaranteed. Furthermore, it has been shown [L03, L04] available. In addition, unlike known protocols in the CRS that this impossibility is not a result of technical character- model, the proposed protocols guarantee some basic level istics of any particular framework; rather, they are inherent of security even if the set-up assumption is violated. to the strong composability requirements. In light of these results, researchers have turned to con- structing protocols under some setup assumptions. Specifi- cally, the common reference string (CRS) model was used. 1. Introduction In this model, originally proposed in [BFM88], all parties Designing protocols that guarantee security in open, have access to a common string ¢ that was ideally drawn multi-protocol, multi-party execution environments is a from some publicly known distribution. (In the case of challenging task. In such environments a protocol in- [BFM88], this was the uniform distribution.) It is further as- stance is executed concurrently with an unknown number sumed that no secret information correlated with this string is known. (It can be thought of as if this string is pub- Work done while visiting the IBM T.J. Watson Research Center. Sup- lished by some “trusted dealer” that plays no further part ported by NSF grants DMS-0111298 and CCR-0324906. ¡ in the protocol execution). Several strong feasibility results Work done while at the Royal Institute of Technology, Sweden. are known in the CRS model. In particular, it was shown of these scenarios. Then, we show how to reproduce the that practically any functionality can be realized by a UC above results given this service. All our results hold in face protocol in the CRS model, with any number of faults, as- of any number of adaptively corrupted parties. (Technically, suming authenticated communication [CF01, CLOS02]. Fur- the KR service is captured as an “ideal functionality” within thermore, non-interactive UC Zero-Knowledge protocols the UC framework. See details within.) were constructed in the CRS model model under similar as- The key registration service is parameterized by a func- sumptions (and assuming secure data erasure is possible) tion ¡£¢¥¤§¦©¨ ¤¦¨ (representing a method for de- [DDO 01, CLOS02]. riving the public key from a seed, that represents the secret Drawbacks of the CRS model. Security in the CRS model key), and provides roughly the following “ideal services”. depends in a crucial way on the fact that the common string Any party can register with the KR service and obtain a pub- is chosen properly. That is, the model provides no secu- lic key in return. In a “normal” registration process, the reg- ¡ ¢ rity guarantees in the case that the common string is chosen istering party obtains a public key for some uni- from a different distribution than the specified one, or when formly chosen ¢ that is known only to the service. (Such some “secret trapdoor information” correlated with the ref- keys are called safe.) In addition, a corrupted party may erence string is leaked. In fact, in most existing protocols in provide the service with any arbitrary ¢ and have its pub- ¡ the CRS model the security proof actually provides an ef- lic key set to ¢ . (Such keys are called well-formed.) Fur- ficient strategy for completely breaking the security of the thermore, uniqueness of keys is not guaranteed: the pub- protocol when the reference string can be chosen in a mali- lic key of any party may be set as equal to the public key cious way. In particular, if the CRS is chosen by a single en- of any other party, subject to the sole restriction that honest tity then this entity could, if it wished, read sensitive data, parties are assigned safe keys. Parties may also have multi- forge proofs, and in general completely undermine the se- ple keys. Whenever a party asks the service for the public curity of the protocol, all in a way that is undetectable by key of another party, the service returns one of the keys reg- the honest parties. This means that the naive way of realiz- istered for that party. ing the CRS model by letting a single entity choose the ref- This formulation of the KR service provides relatively erence string forces all the participants to put absolute trust weak security guaranteed to users. It captures either a sin- in this entity. gle entity that provides keys to all parties (such as in the case Our approach. We reproduce the above feasibility results, of a CRS), or a collection of separate entities, where no sin- proven in the CRS model, in a number of alternative mod- gle entity is trusted by all parties. The difference between els (or, “set-up assumptions”). The main advantage of these the powers of honest and corrupted registering parties, and alternative models is that they are realizable in ways that re- the ability to copy keys, models the fact that a party can duce the trust that the participants need to put in other enti- put less trust in registration services chosen be other par- ties. All these models have a common theme: They avoid ties than it can put in its own registration service. Specif- the need that all participants in a protocol execution put ically, a party can trust only its own key to be safe. Other complete trust in a single entity, or a single reference string. keys may be only well-formed. Instead, we adopt a trust model that somewhat resembles the We show how to realize any ideal functionality given trust model of a “public-key infrastructure.” That is, each a KR service with an appropriate choice of the derivation party registers a “public key” with a “registration author- function ¡ . Our constructions are natural adaptations of the ity” that it trusts. In order to engage in a joint computa- [CF01, CLOS02, DN02] constructions and rely on the same tion, the participants obtain the public keys of each other cryptographic assumptions. We also show how to construct from the respective authorities. The trust that each partici- non-interactive UC Zero-Knowledge protocols given a KR pant has to put in other authorities, except for the authority service with an appropriate ¡ . Here our construction is quite it is registered with, is quite minimal; thus no single entity different than existing ones, as no natural extension of the needs to be completely trusted by all participants. Our pro- existing constructions seems to work. tocols do not require parties to keep any secret data that is We show that the KR service can be easily realized in associated with their public keys. Furthermore, they are nat- a number of natural settings (or, trust models).