Joint State Composition Theorems for Public-Key Encryption and Digital Signature Functionalities with Local Computation


Ralf Küsters, University of Stuttgart, Stuttgart, Germany

Max Tuengerthal, Siemens Mobility, Erlangen, Germany

Daniel Rausch, University of Stuttgart, Stuttgart, Germany

Communicated by Kenneth G. Paterson

Received 30 August 2013 / Revised 3 July 2019

Abstract. In frameworks for universal composability, complex protocols can be built from sub-protocols in a modular way using composition theorems. However, as first pointed out and studied by Canetti and Rabin, this modular approach often leads to impractical implementations. For example, when using a functionality for digital signatures within a more complex protocol, parties have to generate new verification and signing keys for every session of the protocol. This motivates generalizing composition theorems to so-called joint state (composition) theorems, where different copies of a functionality may share some state, e.g., the same verification and signing keys. In this paper, we present a joint state theorem which is more general than the original theorem of Canetti and Rabin, for which several problems and limitations are pointed out. We apply our theorem to obtain joint state realizations for three functionalities: public-key encryption, replayable public-key encryption, and digital signatures. Unlike most other formulations, our functionalities model that ciphertexts and signatures are computed locally, rather than being provided by the adversary. To obtain the joint state realizations, the functionalities have to be designed carefully. Other formulations proposed in the literature are shown to be unsuitable. Our work is based on the IITM model. Our definitions and results demonstrate the expressivity and simplicity of this model. For example, unlike Canetti’s UC model, in the IITM model no explicit joint state operator needs to be defined and the joint state theorem follows immediately from the composition theorem in the IITM model.

Keywords. Universal composability, IITM model, Joint state composition, Ideal functionalities, Public-key encryption, Digital signatures.

∗ This work is an extended and updated version of the paper [22].

© The Author(s) 2020


1. Introduction

In frameworks for universal composability (see, e.g., [6,7,9,15,18–21,24,26]) the security of protocols is defined in terms of an ideal protocol (also called an ideal functionality). A real protocol securely realizes the ideal protocol if every attack on the real protocol can be translated to an “equivalent” attack on the ideal protocol, where equivalence is specified based on an environment trying to distinguish the real attack from the ideal one. That is, for every real adversary on the real protocol, there must exist an ideal adversary (also called a simulator) on the ideal protocol such that no environment can distinguish whether it interacts with the re