Cryptography Reference
In-Depth Information
The above example is merely the tip of an iceberg, but it suces for
introducing the main lesson:
an adversary attacking several concurrent
executions of the same protocol may be able to cause more damage than
by attacking a single execution
(or several sequential executions) of the
same protocol. One may say that a protocol is
concurrently secure
if
whatever the adversary may obtain by invoking and controlling parties
in real concurrent executions of the protocol is also obtainable by a
corresponding adversary that controls corresponding parties making
concurrent functionality calls to a trusted party (in a corresponding
ideal model).
7
More generally, one may consider concurrent executions
of many sessions of
several
protocols, and say that a
set of protocols
is
concurrently secure
if whatever the adversary may obtain by invoking
and controlling such real concurrent executions is also obtainable by
a corresponding adversary that invokes and controls concurrent calls
to a trusted party (in a corresponding ideal model). Consequently, a
protocol is said to be
secure with respect to concurrent compositions
if
adding this protocol to
any set
of concurrently secure protocols yields
a set of concurrently secure protocols.
A much more appealing approach was recently suggested by
Canetti (34). Loosely speaking, Canetti suggests to consider a protocol
to be secure (called
environmentally-secure
(or
Universally Compos-
able secure
(34))) only if it remains secure when executed within any
(feasible) environment. Following the simulation paradigm, we get the
following definition:
Definition 7.2.
(environmentally-secure protocols (34) - a rough
sketch):
Let
f
be an
m
-ary functionality and Π be an
m
-party pro-
tocol, and consider the following real and ideal models.
7
One specific concern (in such a concurrent setting) is the ability of the adversary to “non-
trivially correlate the outputs” of concurrent executions. This ability, called
malleability
,
was first investigated by Dolev, Dwork and Naor (50). We comment that providing a
general definition of what “correlated outputs” means seems very challenging (if at all
possible). Indeed the focus of (50) is on several important special cases such as encryption
and commitment schemes.
