Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato...
Transcript of Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato...
![Page 1: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/1.jpg)
Abstract Cryptographyand secure MPC
Ueli Maurer
ETH Zurich
joint work with Renato Renner
Secure Multi-Party Computation Workshop, Aarhus, June 2012.
![Page 2: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/2.jpg)
Abstraction
![Page 3: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/3.jpg)
Abstraction
Algebraic abstraction:
• group 〈G, ?, e, 〉
![Page 4: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/4.jpg)
Abstraction
Algebraic abstraction:
• group 〈G, ?, e, 〉• field 〈F,+, ·,0,1〉
![Page 5: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/5.jpg)
Abstraction
Algebraic abstraction:
• group 〈G, ?, e, 〉• field 〈F,+, ·,0,1〉• vector space, graph, data structures, OSI layers, ...
![Page 6: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/6.jpg)
Abstraction
Algebraic abstraction:
• group 〈G, ?, e, 〉• field 〈F,+, ·,0,1〉• vector space, graph, data structures, OSI layers, ...
Levels of abstraction:
1. Abstract group: 〈G, ?, e, 〉
2. Instantiations: Integers, real number, elliptic curves
3. Representations: e.g. projective coordinates for ECs
![Page 7: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/7.jpg)
Abstraction
Algebraic abstraction:
• group 〈G, ?, e, 〉• field 〈F,+, ·,0,1〉• vector space, graph, data structures, OSI layers, ...
What is the abstraction of:
• cryptosystem ?• digital signature scheme ?• MPC protocol ?• zero-knowledge proof ?• algorithm, distinguisher, hybrid argument, ...?
![Page 8: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/8.jpg)
Abstraction
Algebraic abstraction:
• group 〈G, ?, e, 〉• field 〈F,+, ·,0,1〉• vector space, graph, data structures, OSI layers, ...
Goals of abstraction:
• eliminate irrelevant details, minimality• simpler definitions• generality of results• simpler proofs• elegance• didactic suitability, understanding
![Page 9: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/9.jpg)
Levels of abstraction in AC
# main concept concepts treated at this level
0. Constructions composability, construction trees
0’. Games isomorphism
1. Abstract systems cryptographic algebras
2. Discrete systems indistinguishability proofs
3. System implem. complexity, efficiency, asymptotics
![Page 10: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/10.jpg)
The construction paradigm
![Page 11: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/11.jpg)
The construction paradigm
Many scientific disciplines can be seen as being constructive.
![Page 12: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/12.jpg)
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
![Page 13: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/13.jpg)
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: R α−→ S
![Page 14: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/14.jpg)
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: R α−→ S
Examples:• A (k, n)-error-correcting code constructs a reliable channel
from a noisy channel:
![Page 15: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/15.jpg)
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: R α−→ S
Examples:• A (k, n)-error-correcting code constructs a reliable channel
from a noisy channel:
NCn(enc,dec)−→ RCk
![Page 16: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/16.jpg)
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: R α−→ S
Examples:• A (k, n)-error-correcting code constructs a reliable channel
from a noisy channel:
NCn(enc,dec)−→ RCk
• An extractor constructs a uniform m-bit string Umfrom any RV X with min-entropy > m+ c and Us:
(X,Us)ext−→ Um
![Page 17: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/17.jpg)
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: R α−→ S
Examples:• A (k,m)-PRG constructs a uniform m-bit string
from a uniform k-bit string:
UkPRG−→ Um
![Page 18: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/18.jpg)
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: R α−→ S
Examples:• A (k,m)-PRG constructs a uniform m-bit string
from a uniform k-bit string:
UkPRG−→ Um
• A key agreement protocol (KAP) constructs a sharedsecret n-bit key from ???:
??? KAP−→ KEYn
![Page 19: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/19.jpg)
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: R α−→ S
Involved types:
• resource• constructor• construction notion
![Page 20: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/20.jpg)
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: Rα,ε−→ S
Involved types:
• resource• constructor• construction notion• metric on space of resources
d(R,S) ≤ ε ⇐⇒ R ≈ε S
![Page 21: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/21.jpg)
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: Rα,ε−→ S
Examples:• A (k, n)-error-correcting code constructs a reliable channel
from a noisy channel:
NCn(enc,dec)−→ RCk
![Page 22: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/22.jpg)
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: Rα,ε−→ S
Examples:• A (k, n)-error-correcting code constructs a reliable channel
from a noisy channel:
NCn(enc,dec)−→ RCk
R(β, γ),ε−→ S :⇐⇒ S ≈ε β R γ
![Page 23: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/23.jpg)
The construction paradigm
Many scientific disciplines can be seen as being constructive.
Construct an object S from another object R via construction α.
Notation: Rα,ε−→ S
Examples:• A (k, n)-error-correcting code constructs a reliable channel
from a noisy channel:
NCn(enc,dec)−→ RCk
R(β, γ),ε−→ S :⇐⇒ S ≈ε β R γ
NCn(enc,dec),ε−→ RCk ⇐⇒ RCk ≈ε enc NCn dec
![Page 24: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/24.jpg)
Levels of abstraction in AC
# main concept concepts treated at this level
0. Constructions composability, construction trees
0’. Games isomorphism
1. Abstract systems cryptographic algebras
2. Discrete systems indistinguishability proofs
3. System implem. complexity, efficiency, asymptotics
![Page 25: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/25.jpg)
Constructions and composability
resource set 〈Ω, ||〉, constructor set 〈Γ, , | , id〉
![Page 26: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/26.jpg)
Constructions and composability
resource set 〈Ω, ||〉, constructor set 〈Γ, , | , id〉
Construction = subset of Ω× Γ×Ω
Possible notation: R α−→ S
![Page 27: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/27.jpg)
Constructions and composability
resource set 〈Ω, ||〉, constructor set 〈Γ, , | , id〉
Construction = subset of Ω× Γ×Ω
Possible notation: R α−→ S
Definition: A construction is serially composable if
1. R α−→ S ∧ Sβ−→ T ⇒ R
αβ−→ T
![Page 28: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/28.jpg)
Constructions and composability
resource set 〈Ω, ||〉, constructor set 〈Γ, , | , id〉
Construction = subset of Ω× Γ×Ω
Possible notation: R α−→ S
Definition: A construction is serially composable if
1. R α−→ S ∧ Sβ−→ T ⇒ R
αβ−→ T
and generally composable if also:
2. R id−→ R
3. R α−→ S ⇒ R||Tα|id−→ S||T
![Page 29: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/29.jpg)
Constructions and composability
resource set 〈Ω, ||〉, constructor set 〈Γ, , | , id〉
Construction = subset of Ω× Γ×Ω
Possible notation: R α−→ S
Definition: A construction is serially composable if
1. R α−→ S ∧ Sβ−→ T ⇒ R
αβ−→ T
and generally composable if also:
2. R id−→ R
3. R α−→ S ⇒ R||Tα|id−→ S||T
∧ T||Rid|α−→ T||S
![Page 30: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/30.jpg)
One-time pad: A constructive perspective
1
C , C , ...1ciphertext
1 2
key21 key
21
2
2
addition modulo 2
M , M , ... M , M , ...plaintext plaintext
K , K , ... K , K , ...
![Page 31: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/31.jpg)
One-time pad: A constructive perspective
1
C , C , ...1ciphertext
1 2
key21 key
21
2
2
addition modulo 2
M , M , ... M , M , ...plaintext plaintext
K , K , ... K , K , ...
Perfect secrecy (Shannon):
C and M are statistically independent.
![Page 32: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/32.jpg)
One-time pad in constructive cryptography
.
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
![Page 33: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/33.jpg)
One-time pad in constructive cryptography
. .
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
![Page 34: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/34.jpg)
One-time pad in constructive cryptography
. .
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
![Page 35: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/35.jpg)
One-time pad in constructive cryptography
. otp−enc
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
![Page 36: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/36.jpg)
One-time pad in constructive cryptography
. otp−decotp−enc
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
![Page 37: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/37.jpg)
One-time pad in constructive cryptography
. otp−decotp−enc
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
![Page 38: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/38.jpg)
One-time pad in constructive cryptography
. .
BA
ESEC
otp−decotp−enc
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
![Page 39: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/39.jpg)
One-time pad in constructive cryptography
.
$
sim
BA
ESEC
otp−decotp−enc
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
![Page 40: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/40.jpg)
One-time pad in constructive cryptography
.
$
sim
BA
ESEC
otp−decotp−enc
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
![Page 41: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/41.jpg)
One-time pad in constructive cryptography
.
|.|
$
sim
BA
ESEC
otp−decotp−enc
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
![Page 42: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/42.jpg)
One-time pad in constructive cryptography
. .
|.|
$
sim
BA
ESEC
otp−decotp−enc
A B
E
AUT
A
E
B
$KEY
otp-decB otp-encA [KEY,AUT] ≡ simE SEC
written as a construction: [KEY,AUT]OTP−→ SEC
![Page 43: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/43.jpg)
Symmetric encryption in CC
.
|.|
$
sim
SEC
A B
E
dec
D
enc
EA B
E
AUT
A
E
B
$KEY
decB encA [KEY,AUT] ≈ simE SEC
written as a construction: [KEY,AUT]tSYMt−→ SEC
![Page 44: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/44.jpg)
Levels of abstraction in AC
# main concept concepts treated at this level
0. Constructions composability, construction trees
0’. Games isomorphism
1. Abstract systems cryptographic algebras
2. Discrete systems indistinguishability proofs
3. System implem. complexity, efficiency, asymptotics
![Page 45: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/45.jpg)
Levels of abstraction in AC
# main concept concepts treated at this level
0. Constructions composability, construction trees
0’. Games isomorphism
1. Abstract systems cryptographic algebras
2. Discrete systems indistinguishability proofs
3. System implem. complexity, efficiency, asymptotics
![Page 46: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/46.jpg)
Constructive cryptography
Resource S is constructed from R by protocol π:
R π−→ S
![Page 47: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/47.jpg)
Constructive cryptography
Resource S is constructed from R by protocol π:
R π−→ S
Example: Alice-Bob-Eve setting, π = (π1, π2)
![Page 48: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/48.jpg)
Constructive cryptography
Resource S is constructed from R by protocol π:
R π−→ S
Example: Alice-Bob-Eve setting, π = (π1, π2)
R π−→ S :⇔ ∃σ : π1A π2
B R ≈ σE S
![Page 49: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/49.jpg)
Constructive cryptography
Resource S is constructed from R by protocol π:
R π−→ S
Example: Alice-Bob-Eve setting, π = (π1, π2)
R π−→ S :⇔ ∃σ : π1A π2
B R ≈ σE S
and
π1A π2
B ⊥E R ≈ ⊥E S
![Page 50: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/50.jpg)
Proof of composition theorem for ABE-setting
SR
σ
E
BAπ2π1
E
BA
![Page 51: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/51.jpg)
Proof of composition theorem for ABE-setting
TS
SR
σ′
B
E
Aπ′2π′
1E
BA
σ
E
BAπ2π1
E
BA
![Page 52: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/52.jpg)
Proof of composition theorem for ABE-setting
TS
SR
σ′
B
E
Aπ′2π′
1E
BA
σ
π′1
E
BAπ′1 π2π1
E
BA
![Page 53: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/53.jpg)
Proof of composition theorem for ABE-setting
TS
SR
σ′
B
E
Aπ′2π′
1E
BA
σ
π′1
E
BAπ′1 π2π1
E
BA
Definition: d non-expanding: d(αiR,αiS) ≤ d(R,S)
![Page 54: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/54.jpg)
Proof of composition theorem for ABE-setting
TS
SR
σ′
B
E
Aπ′2π′
1E
BA
σ
π′1
E
BAπ′1 π2π1
E
BA
Definition: d non-expanding: d(αiR,αiS) ≤ d(R,S)
Example: efficient (e.g. poly-time) implementable systems
![Page 55: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/55.jpg)
Proof of composition theorem for ABE-setting
TS
SR
σ′
B
E
Aπ′2π′
1E
BA
σ
π′2π′
1E
BAπ′2π′
1 π2π1
E
BA
Definition: d non-expanding: d(αiR,αiS) ≤ d(R,S)
Example: efficient (e.g. poly-time) implementable systems
![Page 56: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/56.jpg)
Proof of composition theorem for ABE-setting
TS
SR
σ
σ′
B
E
A
σ
π′2π′
1E
BA
σ
π′2π′
1E
BAπ′2π′
1 π2π1
E
BA
Definition: d non-expanding: d(αiR,αiS) ≤ d(R,S)
Example: efficient (e.g. poly-time) implementable systems
![Page 57: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/57.jpg)
Proof of composition theorem for ABE-setting
TS
SR
σ
σ′
B
E
A
σ
π′2π′
1E
BA
σ
π′2π′
1E
BAπ′2π′
1 π2π1
E
BA
Definition: d non-expanding: d(αiR,αiS) ≤ d(R,S)
Example: efficient (e.g. poly-time) implementable systems
![Page 58: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/58.jpg)
Levels of abstraction in AC
# main concept concepts treated at this level
0. Constructions composability, construction trees
0’. Games isomorphism
1. Abstract systems cryptographic algebras
2. Discrete systems indistinguishability proofs
3. System implem. complexity, efficiency, asymptotics
![Page 59: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/59.jpg)
Cryptographic algebra 〈Φ,Σ〉
R2
3
4
1
![Page 60: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/60.jpg)
Cryptographic algebra 〈Φ,Σ〉
R2
3
4
1α
![Page 61: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/61.jpg)
Cryptographic algebra 〈Φ,Σ〉
R2
3
4
1
β
α
![Page 62: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/62.jpg)
Cryptographic algebra 〈Φ,Σ〉
R2
3
4
1 γ
β
α
![Page 63: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/63.jpg)
Cryptographic algebra 〈Φ,Σ〉
R2
3
4
1 γ
β
α
Resource set Φ (here for interface set I = 1,2,3,4)Converter set Σ
![Page 64: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/64.jpg)
Cryptographic algebra 〈Φ,Σ〉
R2
3
4
1 γ
β
α
Resource set Φ (here for interface set I = 1,2,3,4)Converter set Σ
Algebraic laws:
• αiR ∈Φ for all R ∈Φ, α ∈Σ, i ∈ I• αiβjR = βjαiR for all i 6= j
• 1iR = R for all i
![Page 65: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/65.jpg)
Levels of abstraction in AC
# main concept concepts treated at this level
0. Constructions composability, construction trees
0’. Games isomorphism
1. Abstract systems cryptographic algebras
2. Discrete systems indistinguishability proofs
3. System implem. complexity, efficiency, asymptotics
![Page 66: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/66.jpg)
Games and isomorphisms
1,2 1,2,31
2
1 2 3
8 8
5 3
7
5
Alice Bob
outcome
![Page 67: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/67.jpg)
Games and isomorphisms
1,2 1,2,31
2
1 2 3
5 7
3 3
8
7
outcome
1,2 1,2,31
2
1 2 3
8 8
5 3
7
5
Alice Bob
outcome
![Page 68: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/68.jpg)
Games and isomorphisms
?=~
1,2 1,2,312
1 2 35 7
3 3
8
7
outcome
1,2 1,2,312
1 2 38 8
5 3
7
5
Alice Bob
outcome
![Page 69: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/69.jpg)
Games and isomorphisms
1,2 1,2,31
2
1 2 3
8 8
5 3
7
5
Alice Bob
outcome
![Page 70: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/70.jpg)
Games and isomorphisms
a,b,c 1,2a
b
1 2
3 5
7
3 5c
8
outcome
1,2 1,2,31
2
1 2 3
8 8
5 3
7
5
Alice Bob
outcome
![Page 71: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/71.jpg)
Games and isomorphisms
a,b,c 1,2a
b
1 2
3 5
7
3 5c
8
outcome
1,2 1,2,31
2
1 2 3
8 8
5 3
7
5
Alice Bob
outcome
![Page 72: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/72.jpg)
Games and isomorphisms
=~
a,b,c 1,2a
b
1 2
3 5
7
3 5c
8
outcome
1,2 1,2,31
2
1 2 3
8 8
5 3
7
5
Alice Bob
outcome
![Page 73: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/73.jpg)
Games and isomorphisms
=~
a,b,c 1,2a
b
1 2
3 5
7
3 5c
8
outcome
1,2 1,2,31
2
1 2 3
8 8
5 3
7
5
Alice Bob
outcome
Complete local relations
![Page 74: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/74.jpg)
Levels of abstraction in AC
# main concept concepts treated at this level
0. Constructions composability, construction trees
0’. Games isomorphism
1. Abstract systems cryptographic algebras
2. Discrete systems indistinguishability proofs
3. System implem. complexity, efficiency, asymptotics
![Page 75: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/75.jpg)
Levels of abstraction in AC
# main concept concepts treated at this level
0. Constructions composability, construction trees
0’. Games isomorphism
1. Abstract systems cryptographic algebras
2. Discrete systems indistinguishability proofs
3. System implem. complexity, efficiency, asymptotics
![Page 76: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/76.jpg)
Resource isomorphisms
SR1
2
3
4
2
3
4
1
π
![Page 77: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/77.jpg)
Resource isomorphisms
SR
β4
β3
β2
β11
2
3
4
α4
α3
α2
α1
2
3
4
1
π
![Page 78: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/78.jpg)
Resource isomorphisms
SR
β4
β3
β2
β11
2
3
4
α4
α3
α2
α1
2
3
4
1
π
Theorem: R is isomorphic to S ....
![Page 79: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/79.jpg)
Resource isomorphisms
SR
β4
1
2
3
4
2
3
4
1
π
Theorem: R is isomorphic to S ....
![Page 80: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/80.jpg)
Resource isomorphisms
SR
β4
π4 β4
1
2
3
4
2
3
4
1
π
Theorem: R is isomorphic to S ....
![Page 81: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/81.jpg)
Resource isomorphisms
SR
π4
π3
π2
π11
2
3
4
2
3
4
1
π
Theorem: R is isomorphic to S ....
![Page 82: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/82.jpg)
Resource isomorphisms
SR1
2
3
4
α4
2
3
4
1
π
Theorem: R is isomorphic to S ....
![Page 83: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/83.jpg)
Resource isomorphisms
SR
α4
σ4
1
2
3
4
α4
2
3
4
1
π
Theorem: R is isomorphic to S ....
![Page 84: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/84.jpg)
Resource isomorphisms
SR
σ4
σ3
σ2
σ11
2
3
4
2
3
4
1
π
Theorem: R is isomorphic to S ....
![Page 85: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/85.jpg)
Resource isomorphisms
SR
σ4
σ3
σ2
σ11
2
3
4
2
3
4
1
π = (π1, . . . ,πn) σ = (σ1, . . . ,σn)
Theorem: R is isomorphic to S ....
![Page 86: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/86.jpg)
Resource isomorphisms
SR
σ4
σ3
σ2
σ11
2
3
4
2
3
4
1
π = (π1, . . . ,πn) σ = (σ1, . . . ,σn)
Theorem: R is isomorphic to S via π, denoted R ∼=π S, if
∃σ ∀P ⊆ I : πP R ≡ σP S
![Page 87: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/87.jpg)
Resource isomorphisms
SR
σ4
σ3
π2
π11
2
3
4
2
3
4
1
π = (π1, . . . ,πn) σ = (σ1, . . . ,σn)
Theorem: R is isomorphic to S via π, denoted R ∼=π S, if
∃σ ∀P ⊆ I : πP R ≡ σP S
![Page 88: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/88.jpg)
Resource isomorphisms
SR σ3
σ2
σ1
π4
1
2
3
4
2
3
4
1
π = (π1, . . . ,πn) σ = (σ1, . . . ,σn)
Theorem: R is isomorphic to S via π, denoted R ∼=π S, if
∃σ ∀P ⊆ I : πP R ≡ σP S
![Page 89: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/89.jpg)
Resource isomorphisms
SR
σ4
σ2
π3π11
2
3
4
2
3
4
1
π = (π1, . . . ,πn) σ = (σ1, . . . ,σn)
Theorem: R is isomorphic to S via π, denoted R ∼=π S, if
∃σ ∀P ⊆ I : πP R ≡ σP S
![Page 90: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/90.jpg)
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
![Page 91: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/91.jpg)
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
⇔ abstract UC
![Page 92: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/92.jpg)
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
![Page 93: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/93.jpg)
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
![Page 94: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/94.jpg)
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
⇒ π1π2 ≈ Sσ2σ1S ≈ S
![Page 95: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/95.jpg)
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
Theorem: A resource S such that SαS 6≈ S for all α cannotbe constructed from a communication channel.
⇒ π1π2 ≈ Sσ2σ1S ≈ S
![Page 96: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/96.jpg)
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
Theorem: A resource S such that SαS 6≈ S for all α cannotbe constructed from a communication channel.
Corollary [CF01]: Commitment cannot be constructed (froma communication channel).
⇒ π1π2 ≈ Sσ2σ1S ≈ S
![Page 97: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/97.jpg)
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
Theorem: A resource S such that SαS 6≈ S for all α cannotbe constructed from a communication channel.
Corollary [CF01]: Commitment cannot be constructed (froma communication channel).
C
⇒ π1π2 ≈ Sσ2σ1S ≈ S
![Page 98: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/98.jpg)
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
Theorem: A resource S such that SαS 6≈ S for all α cannotbe constructed from a communication channel.
Corollary [CF01]: Commitment cannot be constructed (froma communication channel).
C
⇒ π1π2 ≈ Sσ2σ1S ≈ S
![Page 99: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/99.jpg)
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
Theorem: A resource S such that SαS 6≈ S for all α cannotbe constructed from a communication channel.
Corollary [CF01]: Commitment cannot be constructed (froma communication channel).
CC
⇒ π1π2 ≈ Sσ2σ1S ≈ S
![Page 100: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/100.jpg)
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
Theorem: A resource S such that SαS 6≈ S for all α cannotbe constructed from a communication channel.
Corollary [CF01]: Commitment cannot be constructed (froma communication channel).
?CC α
⇒ π1π2 ≈ Sσ2σ1S ≈ S
![Page 101: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/101.jpg)
Example: 2-party resources
R ∼=π S :⇐⇒
π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2π1Rπ2 ≈ σ1Sσ2
Special case: R = channel (neutral element, e.g. π1R = π1)
Theorem: A resource S such that SαS 6≈ S for all α cannotbe constructed from a communication channel.
Corollary [CF01]: Commitment cannot be constructed (froma communication channel).
Corollary: A delayed communication channel cannot beconstructed (from a communication channel).
⇒ π1π2 ≈ Sσ2σ1S ≈ S
![Page 102: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/102.jpg)
Abstraction by sets of resources
Definition: A specification is a setR of resources.
![Page 103: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/103.jpg)
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
![Page 104: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/104.jpg)
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
guaranteed choice space
![Page 105: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/105.jpg)
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
guaranteed choice space
possible choice space
![Page 106: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/106.jpg)
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
actual choice space
guaranteed choice space
possible choice space
![Page 107: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/107.jpg)
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
actual choice space
guaranteed choice space
possible choice space
![Page 108: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/108.jpg)
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
actual choice space
guaranteed choice space
possible choice space
![Page 109: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/109.jpg)
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
actual choice space
guaranteed choice space
possible choice space
S
ψ4
ψ3
ψ2
ψ1
2
3
4
1
![Page 110: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/110.jpg)
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
Definition: S is an abstraction of R via π:
R vπ S :⇐⇒ ∀R∈R ∃S∈S : R ∼=π S
![Page 111: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/111.jpg)
Abstraction by sets of resources
Definition: A specification is a setR of resources.
Of special interest: Specifications with (for each party)• a guaranteed choice space• a possible choice space
Definition: S is an abstraction of R via π:
R vπ S :⇐⇒ ∀R∈R ∃S∈S : R ∼=π S
Theorem: R vπ S is generally composable.
![Page 112: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/112.jpg)
Example: Encryption, capturing coercibility
|.|
$
sim_E
SEC
dec
D
enc
EA B
E
AUT
A
E
B
$KEY
![Page 113: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/113.jpg)
Example: Encryption, capturing coercibility
sim_B
|.|
$
sim_E
SEC
enc
EA B
E
AUT
A
E
B
$KEY
![Page 114: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/114.jpg)
Example: Encryption, capturing coercibility
sim_B
|.|
$
sim_E
SEC
enc
EA B
E
AUT
A
E
B
$KEY
![Page 115: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/115.jpg)
Example: Encryption, capturing coercibility
sim_B
|.|
$
sim_E
SEC
enc
EA B
E
AUT
A
E
B
$KEY
Theorem: An unleakable (uncoercible) securecommunication channel cannot be constructed from anauthenticated channel and a secret key.
![Page 116: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/116.jpg)
Some Features of Abstract Cryptography
![Page 117: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/117.jpg)
Some Features of Abstract Cryptography
• top-down abstraction
![Page 118: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/118.jpg)
Some Features of Abstract Cryptography
• top-down abstraction
• isomorphism: exact relation between ideal and real
![Page 119: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/119.jpg)
Some Features of Abstract Cryptography
• top-down abstraction
• isomorphism: exact relation between ideal and real
• no central adversary; local simulators
![Page 120: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/120.jpg)
Some Features of Abstract Cryptography
• top-down abstraction
• isomorphism: exact relation between ideal and real
• no central adversary; local simulators
• all resources captured– communication model not hard-wired into the model– absence can be modeled
![Page 121: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/121.jpg)
Some Features of Abstract Cryptography
• top-down abstraction
• isomorphism: exact relation between ideal and real
• no central adversary; local simulators
• all resources captured– communication model not hard-wired into the model– absence can be modeled
• feasibility/efficiency notions free; not hard-wired
![Page 122: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/122.jpg)
Some Features of Abstract Cryptography
• top-down abstraction
• isomorphism: exact relation between ideal and real
• no central adversary; local simulators
• all resources captured– communication model not hard-wired into the model– absence can be modeled
• feasibility/efficiency notions free; not hard-wired
• specifications: guaranteed/possible choice domains
![Page 123: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/123.jpg)
Some Features of Abstract Cryptography
• top-down abstraction
• isomorphism: exact relation between ideal and real
• no central adversary; local simulators
• all resources captured– communication model not hard-wired into the model– absence can be modeled
• feasibility/efficiency notions free; not hard-wired
• specifications: guaranteed/possible choice domains
• existing frameworks can be captured as special cases– universal composability (UC) by Canetti– reactive simulatability by Pfitzmann/Waidner/Backes– indifferentiability [MRH04]– collusion-preserving computation [AKMZ12]
![Page 124: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/124.jpg)
Thank you!
![Page 125: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/125.jpg)
Constructing channels and keys: •-calculus
A−−−→ B (insecure) channel from A to B
The symbol “•” stands for exclusive access to the channel.
“•” at output: receiver is exclusive −→ confidentiality
“•” at input: sender is exclusive −→ authenticity
A−−−→•B secret channel from A to B
A •−−−→ B authentic channel from A to B
A •−−−→•B secure channel from A to B (secret and authentic)
A •===• B secret key shared by A and B
A ===• B one-sided key: A knows that at most B knowsthe key, but B does not know who holds the key.
![Page 126: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/126.jpg)
Key transport in CC
A •t1t2−−−→•B
KT−→ At2•===• B
![Page 127: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/127.jpg)
Key transport in CC
A •t1t2−−−→•B
KT−→ At2•===• B
At1t2−−−→•B
KT−→ At2
===• B
![Page 128: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/128.jpg)
Key transport in CC
A •t1t2−−−→•B
KT−→ At2•===• B
At1t2−−−→•B
KT−→ At2
===• B
Attention: A •t1t2−−−→ B
KT−→/ At2•=== B
![Page 129: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/129.jpg)
Symmetric cryptosystem in CC
At1
===• BA
t2t3−−−→ Bt2 ≥ t1
SYM−→ A
t2t3−−−→•B
![Page 130: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/130.jpg)
Symmetric cryptosystem in CC
At1
===• BA
t2t3−−−→ Bt2 ≥ t1
SYM−→ A
t2t3−−−→•B
At1
===• BA •
t2t3−−−→ Bt2 ≥ t1
SYM−→ A •
t2t3−−−→•B
![Page 131: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/131.jpg)
MACs in CC
At1•=== B
At2t3−−−→ B
t2 ≥ t1
MAC−→ A •
t2t3−−−→ B
![Page 132: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/132.jpg)
MACs in CC
At1•=== B
At2t3−−−→ B
t2 ≥ t1
MAC−→ A •
t2t3−−−→ B
At1•=== B
At2t3−−−→•Bt2 ≥ t1
MAC−→ A •
t2t3−−−→•B
![Page 133: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/133.jpg)
Combining Encryption and MAC
Goal: At1•===• B
At2t3−−−→ B
t2 ≥ t1
???−→ A •
t2t3−−−→•B
![Page 134: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/134.jpg)
Combining Encryption and MAC
Goal: At1•===• B
At2t3−−−→ B
t2 ≥ t1
???−→ A •
t2t3−−−→•B
Key expansion:
At1•===• B
PRG−→A
t1•===• BA
t1•===• B
![Page 135: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/135.jpg)
Combining Encryption and MAC
Goal: At1•===• B
At2t3−−−→ B
t2 ≥ t1
???−→ A •
t2t3−−−→•B
Key expansion:
At1•===• B
PRG−→A
t1•===• BA
t1•===• B
Encrypt-then-MAC:A
t1•=== B
At2t3−−−→ B
t2 ≥ t1
MAC−→ A •
t2t3−−−→ B
At1
===• BA •
t2t3−−−→ Bt2 ≥ t1
SYM−→ A •
t2t3−−−→•B
![Page 136: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/136.jpg)
Combining Encryption and MAC
Goal: At1•===• B
At2t3−−−→ B
t2 ≥ t1
???−→ A •
t2t3−−−→•B
Key expansion:
At1•===• B
PRG−→A
t1•===• BA
t1•===• B
MAC-then-encrypt:A
t1===• B
At2t3−−−→ B
t2 ≥ t1
SYM−→ A
t2t3−−−→•B
At1•=== B
At2t3−−−→•Bt2 ≥ t1
MAC−→ A •
t2t3−−−→•B
![Page 137: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/137.jpg)
Public-key cryptosystems in CC
A •t1t2−−−→ B
At4t3←−−− B
t3 > t2
PKC−→ A •
t4t3←−−− B
![Page 138: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/138.jpg)
Public-key cryptosystems in CC
A •t1t2−−−→ B
At4t3←−−− B
t3 > t2
PKC−→ A •
t4t3←−−− B
A •t1t2−−−→ B
At4t3←−−−•B
t3 > t2
PKC−→ A •
t4t3←−−−•B
![Page 139: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/139.jpg)
Diffie-Hellman key agreement in CC
A •−−−→ B
A←−−−•B
DH−→ A •===• B
![Page 140: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/140.jpg)
Diffie-Hellman key agreement in CC
A •−−−→ B
A←−−−•B
DH−→ A •===• B
A •−−−→ B
A←−−−B
DH−→/ A •=== B
![Page 141: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/141.jpg)
Digital signature schemes in CC
A •t1t2−−−→ B
At3t4−−−→ B
t4 ≥ t2
DSS−→ A •
t3t4−−−→ B
![Page 142: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/142.jpg)
Digital signature schemes in CC
A •t1t2−−−→ B
At3t4−−−→ B
t4 ≥ t2
DSS−→ A •
t3t4−−−→ B
A •t1t2−−−→ B
At3t4−−−→•Bt4 ≥ t2
DSS−→ A •
t3t4−−−→•B
![Page 143: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/143.jpg)
Digital signature schemes in CC
A •t1t2−−−→ B
At3t4−−−→ B
t4 ≥ t2
DSS−→ A •
t3t4−−−→ B
A •t1t2−−−→ B
At3t4−−−→•Bt4 ≥ t2
DSS−→ A •
t3t4−−−→•B
Note: Conservation law of the •-calculus.
![Page 144: Abstract Cryptography joint work with Renato Rennercs.au.dk/fileadmin/ · joint work with Renato Renner Secure Multi-Party Computation Workshop, Aarhus, June 2012. ... zero-knowledge](https://reader035.fdocument.pub/reader035/viewer/2022070612/5b7a046b7f8b9a6a498ebca7/html5/thumbnails/144.jpg)
Digital signature schemes in CC
A •t1t2−−−→ B
At3t4−−−→ B
t4 ≥ t2
DSS−→ A •
t3t4−−−→ B
A •t1t2−−−→ B
At3t4−−−→•Bt4 ≥ t2
DSS−→ A •
t3t4−−−→•B
Note: Conservation law of the •-calculus.
Are there any other cryptographic transformations?