Long-term UC (PowerPoint presentation, slide transcript)

1
Long-term UC
  • Dominique Unruh
  • Joint work with Jörn Müller-Quade
  • Universität Karlsruhe (TH)

2
Overview
  • Motivation
  • Definition Discussion
  • (Im)possibility results with CRS / coin toss
  • Other setup assumptions: signature cards, etc.
  • Quantum long-term UC

3
The long-term threat
  • VENONA project
  • NSA and GCHQ stored Russian ciphertexts for years
  • Ciphers that were unbreakable at the time became breakable
  • BSI key-length recommendations
  • are only given for 6 years ahead
  • Quantum computers might break most asymmetric
    systems

4
Long-term security
  • We believe in complexity assumptions for today's
    adversaries
  • But adversaries may store data
  • Long-term security
  • Adversary is computationally limited during
    protocol run
  • But unlimited afterwards
  • Secrets must stay secrets forever

5
Examples
  • Statistical zero-knowledge arguments [NOVY98]
  • Unconditionally hiding commitments [NOVY98]
  • Bounded storage model: key exchange, OT
    [DM02, CCM02]
  • Quantum key exchange with computational
    authentication
  • But do these protocols compose?

6
Universal Composability
  • Composition of protocols can be problematic
  • Especially zero-knowledge is known to produce
    surprising effects
  • Plug-and-play all-round solution: Universal
    Composability (UC)
  • I want it all! Long-term UC

7
Long-term UC
  [Figure: UC real/ideal diagram. Labels: "computational" (environment,
    adversary and simulator are computationally bounded during the run),
    "statistically indistinguishable views" (the real and ideal views must be
    statistically, not just computationally, indistinguishable)]

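As an added gloss on the figure (not a formula from the slides): a protocol π long-term-UC-realises a functionality F with the usual UC quantifiers, but the indistinguishability is strengthened from computational to statistical while Z, A and S all stay polynomial-time:

```latex
\forall\, \mathcal{A} \in \mathrm{PPT}\ \ \exists\, \mathcal{S} \in \mathrm{PPT}\ \ \forall\, \mathcal{Z} \in \mathrm{PPT}:\quad
\mathrm{EXEC}_{\pi,\mathcal{A},\mathcal{Z}} \;\approx_{\mathrm{stat}}\; \mathrm{EXEC}_{\mathcal{F},\mathcal{S},\mathcal{Z}}
```

Ordinary UC has the same quantifiers with computational indistinguishability in place of statistical; the gap between the two is exactly what an adversary who stores the transcript and attacks it later can exploit.
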
8
Strict but necessary
  • Long-term UC is very strict
  • Is it necessary?
  • Long-term stand-alone security + composability ⇒
    long-term UC [Lin03]
  • Open: is there a weaker definition of long-term
    stand-alone security?

9
Seems easy but isn't
  • What about
  • Unconditionally hiding UC commitments [DN02]
  • Statistical UC zero-knowledge arguments
  • Both using only a CRS
  • Below: no CRS-based scheme for commitment or ZK
    is long-term UC
  • So these are not long-term UC

10
Impossibility of commitments
  [Figure: proof sketch. Labels: "indep. of b", "OK", "b". Honest sender,
    corrupted receiver: the simulator does not learn b during the commit
    phase, so the receiver's view must be statistically independent of b.
    Corrupted sender, honest receiver: the polynomial-time simulator extracts
    b from the sender's messages and the CRS it chose; since the CRS is part
    of the receiver's view, that view determines b. Both hold at once, so b
    would be independent of b: contradiction.]
11
Only temporarily secret
  • We only used one property of the CRS functionality:
  • The sender's communication with the functionality
    can be (efficiently or inefficiently) calculated
    from the other party's view.
  • We call this "only temporarily secret for S"
  • Corollary: if a setup functionality is only temporarily
    secret for S, we cannot use it for commitment

12
Impossibility of ZK
  • Can we use the same proof idea for ZK?
  • The witness w would have to be independent of w
  • Infeasible for SAT if NP ⊄ P/poly

13
CRS is useless
  • Coin toss, CRS and others
  • cannot be used for long-term UC commitment and
    SAT-ZK
  • Other proof: CRS cannot be used for nontrivial ZK
  • But can nontrivial ZK be realised using coin
    toss? Surely not!

14
No ZK from coin toss
  • If the simulator takes the role of the prover:
  • Witness (information-theoretically) not contained
    in the interaction.
  • If the simulator takes the role of the verifier:
  • Witness (information-theoretically) contained in
    the interaction.
  • Both interactions statistically
    indistinguishable
  • Witness contained and not contained at the same
    time ⇒ ZK impossible from coin toss.
  • Wrong!

15
Blum-integer ZK
  • Prover knows the factorisation of n = pq (a Blum integer).
  [Figure: P sends n to V; the coin toss yields a random r; P replies with a
    root of r modulo n, computed from the factorisation]
  • Simulator can choose r together with a root
  • This allows simulation and extraction
  • Protocol is long-term UC zero-knowledge

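The simulator's trick from this slide, worked out on a toy Blum integer, as an added example that is not code from the talk or the paper. It assumes the coin toss yields a random quadratic residue r and that the honest prover answers with a uniformly random square root of r (how a non-residue r is handled is a detail the slide does not spell out); the primes are constructed and far too small for any security. It shows both halves of the claim: the simulator can rig r = s² and so "knows a root" without the factorisation, and two different roots of the same r factor n, which is the extraction.

```python
import random
from math import gcd

# Constructed toy parameters (assumption of this example): a Blum integer is
# n = p*q with primes p, q ≡ 3 (mod 4). Tiny, for readability only.
P, Q = 1019, 1031
assert P % 4 == 3 and Q % 4 == 3
N = P * Q


def sqrt_mod_blum_prime(a, p):
    """Square root of a quadratic residue a modulo a prime p ≡ 3 (mod 4):
    a^((p+1)/4) squares to a * a^((p-1)/2) = a by Euler's criterion."""
    return pow(a, (p + 1) // 4, p)


def crt(xp, xq, p, q):
    """Combine a residue mod p and a residue mod q into a residue mod p*q."""
    return (xp + p * (((xq - xp) * pow(p, -1, q)) % q)) % (p * q)


def honest_prover_root(r, p, q, rng):
    """Honest prover: knowing the factorisation, returns a uniformly random one
    of the four square roots of the quadratic residue r modulo n = p*q."""
    n = p * q
    xp = sqrt_mod_blum_prime(r % p, p) * rng.choice((1, -1)) % p
    xq = sqrt_mod_blum_prime(r % q, q) * rng.choice((1, -1)) % q
    x = crt(xp, xq, p, q)
    assert x * x % n == r % n
    return x


def simulator_coin_toss(n, rng):
    """Simulator: rigs the coin toss to r = s^2 mod n for a random unit s, so
    it holds a root of r without the factorisation. (r, s) is distributed
    exactly like (random residue, random root) in the honest run, which is
    why the simulated view is statistically (here: perfectly) indistinguishable."""
    s = rng.randrange(1, n)
    while gcd(s, n) != 1:
        s = rng.randrange(1, n)
    return s * s % n, s


def extract_factor(n, s, s_prime):
    """Extractor: two square roots s, s' of the same r with s' != ±s give the
    non-trivial factor gcd(s - s', n). Returns None when s' = ±s."""
    if (s - s_prime) % n == 0 or (s + s_prime) % n == 0:
        return None
    d = gcd(s - s_prime, n)
    return d if 1 < d < n else None


def demo_views(p, q, seed=7):
    """One rigged coin toss and one honest prover reply for the same r."""
    n = p * q
    rng = random.Random(seed)
    r, s = simulator_coin_toss(n, rng)
    x = honest_prover_root(r, p, q, rng)
    return r, s, x


def run_extraction(p, q, trials=200, seed=1):
    """Simulator-as-verifier against the honest prover: counts how often the
    prover's root lets the simulator factor n. Each trial succeeds with
    probability 1/2 (the prover's root is ±s exactly when its two random
    signs agree with s), so repetition drives the failure probability down."""
    n = p * q
    rng = random.Random(seed)
    successes = 0
    for _ in range(trials):
        r, s = simulator_coin_toss(n, rng)
        s_prime = honest_prover_root(r, p, q, rng)
        d = extract_factor(n, s, s_prime)
        if d is not None:
            assert d in (p, q)
            successes += 1
    return successes


if __name__ == "__main__":
    print(f"n = {N}: simulator factored n in {run_extraction(P, Q)} of 200 runs")
```

The point the code makes concrete is why the coin toss is not "useless" here: a statistically indistinguishable simulation and an efficient extractor both come from the simulator's ability to choose r together with a root, which an honest party never has.
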
16
Other setup assumptions
  • Random oracle
  • Trusted pseudorandom function
  • Looks like a RO, but can be broken in retrospect
  • Signature card
  • Even the legitimate user does not know the
    secret key
  • Available today! And growing
  • They all allow long-term UC commitment and ZK

17
Using signature cards
  • P wants to prove a statement x.
  • P proves to V (with statistical ZK):
  • "I know my secret key" or
  • "I know a signed witness"
  • Simulator can perform this proof, because it
    knows all secret keys
  • Simulator can extract, because it learns the signed
    witness
  • Long-term UC zero-knowledge argument

18
Long-term quantum OT
  • Impossible from scratch
  • Possible given signature cards
  • Signature cards ⇒ commitments (classical)
  • Can be lifted to quantum
  • Commitments ⇒ OT (quantum) [Yao95, HMQ95]
  • Composition theorem: long-term quantum OT from
    signature cards

19
Statistically hiding UC commitments, again
  • We know: statistically hiding UC commitments are
    not necessarily long-term UC
  • But where do they fail?
  • CRS ⇒ statistically hiding UC commitments
  • Statistically hiding UC commitments ⇒ OT
  • But long-term quantum OT from CRS is impossible

20
Conclusions
  • Long-term UC is desirable
  • But very strict
  • CRS useless
  • Coin toss almost useless
  • Signature cards useful
  • Signature cards + quantum channel especially useful

21
Outlook
  • Beyond ZK / COM
  • Equals passive unconditional security?
  • Other assumptions (what's out there?)
  • Efficient protocols (ours are not)
  • Long-term UC key exchange
  • Probably impossible with most primitives
  • Easy with quantum

22
The End
Thank you for your attention