Security Notions


In order to be able to talk about the security of a cryptographic protocol, a (mathematical) security definition, which specifies the desired properties, is required.

For this purpose, "game-based" definitions have often been used in the literature, with each game covering a single aspect such as confidentiality. These are easy to define, but it is often unclear whether the considered security games represent all relevant attack vectors.

As an alternative, security frameworks have been designed that follow the real ideal paradigm [GMW87]. These compare the execution of a real protocol by real parties with secret input with an idealized execution where all computations are performed by a trusted entity. The ideal execution is obviously secure by design. If it is not possible to distinguish between the real and ideal execution, the real protocol provides all properties that are modeled in the ideal execution.

Both approaches generally only consider the execution of one instance of the one protocol to be analyzed, and therefore do not provide information about interactions ("composition"), i.e. whether the security properties are still valid if one party is involved in other protocol executions concurrently.

The so-called UC framework (from "Universal Composability") [Can01] considers a stronger form of the real-ideal paradigm, which additionally guarantees the security of a protocol in any context, i.e. independently of other protocols running alongside it. This is especially valuable in practice, since protocols are usually designed independently, but used together. Weaker security notions offer no guarantees in this setting.

However, the stronger guarantees of UC security are gained at the expense of many disadvantages. For example, it is possible to construct a protocol under very weak assumptions, such as authenticated channels, which realizes (almost) every functionality in a real-ideal secure way. Although this is also possible in the UC framework, much stronger trust assumptions are required, as has been shown in a number of impossibility results. Due to their high complexity and low efficiency, many UC-secure protocols are also of more theoretical interest than practical relevance.

Our research

Since UC security can only be achieved with the help of trust assumptions, we have been working for many years on the question of what the weakest possible trust assumptions could look like. This question has been investigated especially in the context of secure hardware. An example of this are signature cards that are exchanged between the parties at the beginning of the protocol. As long as one party trusts the signature card that it has sent itself, UC-secure multi-party computing can be realized. Conversely, the receiving party is protected in any case, even if the signature card is malicious.

Besides finding the weakest possible trust assumptions, it is of interest to consider notions based on UC security that offer the strongest possible security guarantees but can be realized without UC complete trust assumptions. In the "Shielded-Oracles" framework, the first composing protocol for generic secure multi-party computation could be constructed which only requires a constant number of rounds and can be realized black-box under standard assumptions.

Another question is, which guarantees going beyond UC security are achievable with the help of further assumptions and how these can be modeled. At this chair, a variant of the UC framework was developed that models isolation guarantees, such as those of data diodes or switches that allow the network connection to be disconnected. In this framework, a protocol for secure multi-party computation could be constructed, which offers novel and previously unattained security guarantees in case of corruption during the computation: In contrast to classical adaptive UC security, where inputs and outputs of adaptively corrupted parties (for example by a hacker attack) are not protected, integrity and confidentiality are preserved.

Our teaching

Every winter semester, a lecture entitled "Universal Composability in Cryptography" (3 ECTS) is offered. The topic of this lecture is advanced topics in the study of cryptographic network protocols, especially with respect to universally composable protocols.

Furthermore, bachelor and master theses in the field of security notions are regularly assigned.


[GMW87] Oded Goldreich, Silvio Micali, Avi Wigderson: How to Play any Mental Game or A Completeness Theorem for Protocols with Honest Majority. STOC 1987: 218-229

[Can01] Ran Canetti: Universally Composable Security: A New Paradigm for Cryptographic Protocols. FOCS 2001: 136-145