Security Notions


In order to be able to talk about the security of a cryptographic protocol, a (mathematical) security definition, which specifies the desired properties, is required.

For this purpose, "game-based" definitions have often been used in the literature, with each game covering a single aspect such as confidentiality. These are easy to define, but it is often unclear whether the considered security games represent all relevant attack vectors.

As an alternative, security frameworks have been designed that follow the real ideal paradigm [GMW87]. These compare the execution of a real protocol by real parties with secret input with an idealized execution where all computations are performed by a trusted entity. The ideal execution is obviously secure by design. If it is not possible to distinguish between the real and ideal execution, the real protocol provides all properties that are modeled in the ideal execution.

Both approaches generally only consider the execution of one instance of the one protocol to be analyzed, and therefore do not provide information about interactions ("composition"), i.e. whether the security properties are still valid if one party is involved in other protocol executions concurrently.

The so-called UC framework (from "Universal Composability") [Can01] considers a stronger form of the real-ideal paradigm, which additionally guarantees the security of a protocol in any context, i.e. independently of other protocols running alongside it. This is especially valuable in practice, since protocols are usually designed independently, but used together. Weaker security notions offer no guarantees in this setting.

However, the stronger guarantees of UC security are gained at the expense of many disadvantages. For example, it is possible to construct a protocol under very weak assumptions, such as authenticated channels, which realizes (almost) every functionality in a real-ideal secure way. Although this is also possible in the UC framework, much stronger trust assumptions are required, as has been shown in a number of impossibility results. Due to their high complexity and low efficiency, many UC-secure protocols are also of more theoretical interest than practical relevance.

Our research

Since UC security can only be achieved with the help of trust assumptions, the ITI has been working for many years on the question of what the weakest possible trust assumptions could look like. This question has been investigated especially in the context of secure hardware. An example of this are signature cards that are exchanged between the parties at the beginning of the protocol. As long as one party trusts the signature card that it has sent itself, UC-secure multi-party computing can be realized. Conversely, the receiving party is protected in any case, even if the signature card is malicious.

Besides finding the weakest possible trust assumptions, it is of interest to consider notions based on UC security that offer the strongest possible security guarantees but can be realized without UC complete trust assumptions. In the "Shielded-Oracles" framework, the first composing protocol for generic secure multi-party computation could be constructed which only requires a constant number of rounds and can be realized black-box under standard assumptions.

Another question is, which guarantees going beyond UC security are achievable with the help of further assumptions and how these can be modeled. At the ITI, a variant of the UC framework was developed that models isolation guarantees, such as those of data diodes or switches that allow the network connection to be disconnected. In this framework, a protocol for secure multi-party calculation could be constructed, which offers novel and previously unattained security guarantees in case of corruption during the calculation: In contrast to classical adaptive UC security, where inputs and outputs of parties adaptively corrupted (for example by a hacker attack) are not protected,  integrity and confidentiality are preserved.

Unsere Lehre