Can universally composable cryptographic protocols be practical?

István Vajda
2015 International Journal of Computer Network and Information Security
The Universal Composability (UC) framework provides provable security guarantees for harsh application environments, where we want to construct protocols that keep their security guarantees even when they are concurrently composed with an arbitrary number of arbitrary (even hostile) protocols. This is a very strong guarantee. The UC framework inherently supports modular design, which allows the secure composition of an arbitrary number of UC-secure components with an arbitrary protocol. In contrast, traditional analysis is a stand-alone analysis in which the security of a single instance is considered, i.e. an instance which is not in potential interaction with any concurrent instances. Furthermore, a typical traditional analysis is informal, i.e. without a formal proof. In spite of these facts, beyond the task of key exchange this technology has not really attracted the attention of the applied cryptography community. From a practitioner's point of view the UC world may seem to be of more or less academic interest to theoretical cryptographers. Accordingly, we take a pragmatic approach, where we concentrate on meaningful compromises between the assumed adversarial strength, ideality wishes and realization complexity while keeping provable security guarantees within the UC framework. We believe that even modest but provable goals (especially if tunable to application scenarios) are interesting if a wider penetration of the UC technology into the daily practice of protocol applications is desired.

Index Terms: Cryptographic protocols, provable security, universal composability.

Copyright © 2015 MECS I.J. Computer Network and Information Security, 2015, 10, 23-34

… grab the computational complexity at this high level of simulation requirements and not by the number of public-key operations. Similarly, we will not touch the communication complexity of the construct, as it is typically less costly than high computational complexity in usual scenarios and is also strongly tied to concrete implementations.

We distinguish standard, standard secure and UC-secure primitives. Standard primitives are the primitives of daily use, which are not provably secure (e.g. AES symmetric-key encryption, RSA public-key encryption, standard RSA digital signatures); standard secure primitives provably satisfy standard security definitions (e.g. IND-CPA/CCA2 secure encryption, EU-CMA secure digital signatures); while UC-secure primitives (and macro primitives) typically provide additional extractability and/or equivocability properties, depending on the adversarial setting. Standard secure primitives support indistinguishability; however, the other two properties, and especially equivocability, require an enhancement of the primitives or macro primitives, a step that boosts their computational complexity. The hardest adversarial setting is Byzantine adaptive. If we can avoid adaptivity or circumvent its simulation implications, we can take a considerable step in relaxing the complexity of the design.

There are only a few protocols which have been found to be UC-secure (with standard secure primitives) and are actually deployed in the real world, coming almost exclusively from the field of key exchange protocols [4], [13], [14], [17], [23], [26]. Here arises the question of what the practical value of such a result is for applications if in practice these protocols are used with standard (i.e. not provably secure) primitives.

The computational complexity of a macro primitive indicates the total amount of work performed by the participants and is often given in the form of costly public-key operations (e.g. modular exponentiations). There is a growing intention among researchers in the field of UC security to pay more and more attention to the efficiency problem of the design of UC-secure macro primitives (e.g. see [19], [20] for oblivious transfer, [6] for zero knowledge and [27] for the commitment task). Still, we think it is not the best way for a traditional designer aiming to get a view of the practical potential of the UC technology to dive right away into these special, highly technical works, written, as usual, for communication mainly between (top) experts of the field.

Instead, we think that highlighting practical trade-offs (tuning points) between the strength of formal guarantees, application scenarios and the complexity of realization is a better way of raising interest. We follow such an approach. Accordingly, we have tried to find a balance between technical aspects and wider accessibility for potential readers. The style of presentation is to show plenty of examples of applications and proof techniques and to summarize our messages into guidelines accompanied by arguments. We are not aware of other work with the similar goal of taking steps towards building an interface for traditional (non-UC) designers who are uncertain (or concerned) about the cost of UC constructs. By space …
doi:10.5815/ijcnis.2015.10.03 fatcat:bgtg43fesjfhbdat24ixsvbw5u