 Hi everyone. Welcome to the presentation about the paper Universal Composition with Global Subroutines, Capturing Global Setup within Plain UC. My name is Christian and this is joint work with Rangarnetti, Julia Hesse, Björn Tagmann and Vasily Stikas. This paper appears at the Theory of Cryptography Conference 2020 and this is the presentation for this paper. The paper is about two major concepts, improbable security. On one hand we will talk about composable security and on the other hand we will talk about global subroutines or global setup. Let me start with the first concept on this, namely global setup. Roughly speaking a global setup is a setup that your protocol assumes is available, but you must assume that this setup is not just there for you, there might be other protocols accessing it and modifying its date. Let's consider a first example, global blockchain. Assume you're designing a payment channel protocol and you use which enables a lot of off-change transactions, but eventually you settle or you close the channel and send transaction to a settlement layer to, for example, the Bitcoin blockchain. At the same time someone might be playing poker and pay out rewards also via the Bitcoin blockchain and in the future maybe other protocols join, for example, fair exchange of digital goods or implementing atomic swaps. And all of them they access the same Bitcoin blockchain and those transactions end up on the same chain, so these data coexist or a bit more technically speaking all these protocol sessions, they actually share a certain state among each other. A second prominent example is the use of PKI of a public key infrastructure. In this simple example a public key infrastructure is seen as the binding between an identity and public keys, which then could be used in a secure mail program as follows. If you want to send an email you encrypt it with the public key of the recipient that you look up in the PKI repository or if you receive an email you want to verify a signature for which you need the public verification key of the sender. Of course other programs might exist and your keys are seen by anyone if you use a publicly available PKI and hence also this PKI must be considered a global setup or a global subroutine that you invoke, but other protocol sessions might invoke the very same PKI infrastructure. The second important concept here is composable security. In composable security we are roughly speaking compared to worlds. The protocol is executed, there we model the real world network, we have an adversary that attacks, that corrupts parties, etc. We compare this to an ideal world that formalizes the task that the protocol should achieve in an idealized manner, for example using specifying it as an ideal functionality. The ideal functionality might say that you take the inputs of all parties and then you compute the function of it and you output this result to all parties again. However it's also important that in the ideal world and its ideal functionality you also specify what the adversary can at most learn about, for example, the party's inputs. You could specify that the adversary does not learn anything about the party's inputs, which gives a feeling of security just by looking at ideal functionality. Intuitively if no environment can tell the difference between the real world and its idealized version, then obviously this protocol must be secure. Intuitively why this is composable is also because you can also plug in this construction in another protocol and also this protocol obviously cannot see a difference because here we quantify over all environments. Let's be a bit more precise in terms of a UC statement and see here the structure of such a statement. So we have the environment on the left, that it interacts, it spawns one protocol session Pi, we have an adversary interfering with the protocol execution and in this example we assume that the protocol works in the presence of a common reference string, a CRS. CRS is typically used when you must assume the existence of a public infrastructure or in the blockchain setting you must have access to a Genesis block. The important thing here is that in standard UC the CRS is local to your protocol session. This means the environment and hence also no external protocol can access it, read it or even influence it. In the ideal world as I said before we have the ideal functionality and we have an ideal world attacker, which we call the simulator so it's a simulation based security framework. What we require is that we might see here immediately that there might be no chance that Pi and F, they exactly look the same, right? F is idealized, Pi sends a lot of messages. In order to make the transcripts indistinguishable we allow that the simulator can correct those differences. The security notion is that a protocol Pi securely realizes F. If for any real world attacker there is a simulator that simulates all these actions of the real world such that the two views, the two transcripts are just indistinguishable. Put differently this means that any real world attack can be translated to an attack in the ideal world but the ideal world as we know is secured by definition hence there can be no attack against the protocol either. Reflecting will be more in these standard UC statements. I said before that the CRS is local to the protocol session and this also makes the simulation task easier. Why? Because the simulator could lie to the environment in the sense that it could create an indistinguishable version of the CRS but some CRS with a backdoor inside. We know all these tricks in the Compulsive Security literature that are related to programming a certain setup assumption or for example the random oracle. You can only program the random oracle if it's also local to your session. In order to get closer or to close the gap between that in reality the CRS is shared with everyone and in the model as we have seen so far the CRS can be considered local and the simulator can apply some tricks. In order to close this gap to have a model that is closer to reality, Nathya Dal at TCC 2007 introduced a framework called externalized UC and global UC. In a nutshell, the externalized UC would now allow access to the CRS by the environment and hence also by any other protocol that is running in the world. The notion then is similar, you must be indistinguishable from an ideal world but here the task of simulating becomes substantially harder. As you see here the simulator must cope with the CRS. As is, he cannot program it, the CRS might even pre-exist before the protocol session even started. So the challenge of a GUC statement or a UC statement is that the simulation in general needs to deal with the setup as it's defined and he cannot implant anything a priori and even worse this global subroutine might be influenced by the environment directly and its state might be changing which is not under the control of the simulator. So you might ask isn't GUC therefore already here and as our work reveals there are some subtleties in the definition of the GUC framework. So in a nutshell GUC defines that besides the challenge session Pi other machines can be created. So other machines can coexist that they might try to interfere with the challenge session or its subroutines and what we saw is that if the environment is really unconstrained in such a strong manner then it's hard to prove security of protocols. For example consider a simplified ideal world where the environment interacts with an ideal functionality and now consider the following in GUC that could just spawn another protocol Pi with the same session ID and presumably there is no interference between F and Pi if F is defined nicely as is typically the case but now we switch to the real world and we instantiate F with the protocol Pi then by doing the very same thing as before there might be interference now in particular this session already exists now and it's simply not clear what would happen there might be interference the environment might realize that only one session is running and not two so this is all a bit undefined and this 30 trick has basically many phases so there are a lot of these steps where things are a bit unclear which could lead or which overly to distinguishing attacks and those distinguishing attacks more importantly they have nothing to do with the protocol it's just these are modeling attacks without a real world analog on so to speak a further complication is that while GUC is defined as a new model on top of UC and while UC progressed considerably GUC would actually have to be made up to speed otherwise this mismatch between the two models becomes too big they're not maintained at the same speed and so this causes some mismatch and as I said before the not all definitions in the GUC framework do actually define exactly how the machines are created so governing aspects like the identities of protocols and so on this is all a bit left aside and so it's actually the expectation that UC would actually give us all this information and so that kind of asks for whether there is a better way to do it closer to UC externalized UC on the other hand is a bit simpler so in some sense as you saw before in UC the environment yeah it can spawn only once protocol session and there is one dedicated machine via which you share state with the world it has similar complications because it lives as a subset of as it is a subset of GUC it has a bit of the similar problems there is a theorem that also establishes that when you prove something secure in UC then this implies GUC security of certain form intuitively this would amount to show that for this class of protocols at least the GUC environment all actions of a GUC environment can actually be replicated by an EUC distinguishing environment and this seems also to be a bit hard without further assumptions that are not yet stated in that theorem for example in GUC you can spawn machines that you then can corrupt which can interact with the protocol however those machines do not even exist in EUC because in EUC you can only spawn the test session and so it's not clear what happens to the corruption what happens to corruption how would you represent corrupted identities in this model so I'm sure this can be done but a nicer way would be to answer the following question which would get rid of all these issues namely whether it's possible to model global behavior already in standard UC in order to work in the same formalism then we don't have to invent new big concepts we can just work along the lines of EUC and inherit all basic definitions that this framework already gives us and the answer is yes we can do that and the answer is our paper and the first attempt to approach this would be to say well if we are aiming at a security notion at the composable notion that so we have pi and f and they access the global subroutine why don't we just consider this as one protocol so we merge G we see G as a protocol on its own that is called by pi so we just put both in parallel and say this is a protocol that gives you access to pi and gives you access to G and then realizing in the presence of a global subroutine the amount of saying well P with this, pi with this G UC realizes f with this G in parallel however one shortcoming here is that we tie together pi and G very strictly which means we cannot kind of spawn new global subroutines without necessarily spawning also protocol machines pi so it does not really handle the dynamic creation of sessions of independent or almost independent session the protocol and the global subroutine they are stuck together which is however fine if you work in frameworks that have a more static way of interacting that's fixed a set of machines that exist and also fix the ports or interfaces via which they can communicate so for them such a composition merging operation might already solve the problem however in UC the spirit of UC is that machines can be dynamically created the identities need not be fixed you could determine the identity on the fly and then spawn such a new machine and address it in such a dynamic fashion and for this this solution will be too strict so we have to follow another approach and this is what we then figured out what we can do is the following we can create, design a standard UC protocol that we call the management protocol that ensures that we can create many sessions of the global subroutine and that environment has access to these global subroutines and we can design it in such a generic and oblivious way that it's a simple and overlay structure that doesn't change any behavior but it simply allows access by any protocol to the global subroutine it's probably easiest to think of this as a transformation take the protocol Pi as defined which presumably makes subroutine calls to a global subroutine G and then our management protocol is a transformation that converts this setting into a standard UC protocol such that the environment can via Mew the management protocol access Pi and create instance of Pi and as well create instances of G overall the behavior that we have from before is not changed, we just changed who can access and who can spawn machines overall this is an oblivious overlay of the protocol that we try to analyze there is some freedom in designing this management protocol the management protocol in the first or the major, the most important thing about management protocol is that it's a conceptual piece it conceptually shows you how to unify two things and still have them in some sense decoupled in our paper we give one concrete instantiation of such a management protocol but we might consider also giving alternative version so the important thing is that it's conceptually a reasonable protocol or a conceptually reasonable approach that it works so the apology of a UCGS statement universal composition with global subroutines they look now like this we still have the environment and it can access Pi and G but it does so through this management protocol and on the right hand side we have the ideal world where again the environment accesses F and G also through the management protocol and if both worlds are indistinguishable following analogously the notation and the phrasing of Senate UC Pi realizes F in the presence of global subroutine G if those worlds are indistinguishable so in the remainder of this talk I would very briefly discuss some technical aspects or technical terms that you will find in the paper I would also like to mention the main theorem and illustrate how it could be applied so in order to have our theorems sound we need some technical precondition about global subroutine the first thing which is also quite natural is that we would like that the global subroutine interacts with the rest of the world only through its top level machines and that there is no interference with the challenge protocol for example G and Pi don't share behind the scenes a common subroutine and that G only provides outputs to machines it knows such that it doesn't decide on its own to spawn new sessions we call this regularity regularity is not just kind of a natural thing it's also used currently in the vast majority of the externalized and global UC literature for example registration commands to global setups are quite prominent for example in the global lecture or global clock setting parties need to register to this setup in order to request the services regarding regularity I just note in passing that an interesting future work could be to find out whether regularity is indeed necessary we know it's sufficient the way we define it in paper but is it also necessary that's still no question the second major concept in UC that many of you might be familiar with is subroutine respecting so if you look at the global view of different protocols executing you will see that subroutine respecting actually implies that the only allow communication between two sessions is via the top level machines top level machines of a protocol they act as the interface to the rest of the world and all subroutines of this session they are in this bubble of the session we need to relax this a little bit so we say that the interaction as before is allowed but on top of that both sessions can also invoke top level instances or top level machines of a global subroutine and this is where those sessions they could start sharing a state or even there is information flow from one session to the next coupled with regularity this gives actually a very structured machine interaction which helps us improving the composition theorem but also it assists when you design protocols in having a clean dynamics which helps in the security proofs so the main theorem of the paper is the composition theorem which in its general form means that for any context protocol which also is allowed to access the global subroutine invocations of f can be replaced by its implementation pi if pi realizes f in the presence of global subroutine g in the ucgs sense so how we go about to prove this so per instance of this challenge protocol inside raw we actually first insert the management protocol without changing the behavior since mu the management protocol is a standard uc protocol we can now invoke the uc theorem as is in a black box way once we have done that we can remove this oblivious overlay structure that the management protocol gives us and this results in having applied the composition operation that's how the proof roughly works and why it works is roughly speaking because of the following if you have proven the precondition if pi realizes f in the presence of a global subroutine the management protocol kind of formalized the most permissive context so any protocol raw or the environment but then uses or access g in a at most so or in a at least restricted sense so this means what we have proven with management is kind of the most generous version and any context protocol obviously is less generous and and formulating or defining this would be outside the scope of this presentation but it relates to the concept of uc compliance which we also define in our paper how would you now use this composition theorem connecting to an example in the beginning of this talk you would have for example a secure mail program that you prove secure in the sense that it realizes an ideal functionality in the presence of a global pki and now you would have a context protocol where parties happily using this functionality so now you can say well take the first thing as precondition and then apply the ucgs theorem and this means that we can start using the ideal functionalities by the protocol that realizes it and overall we get the same security level when everybody is using the protocol and not the idealization of it which is exactly what we wanted to do this brings me to the conclusion of this talk so what did we do we introduced a uc protocol called the management protocol and this management protocol allows to model global access to setups but within while working in standard uc it comes with a composition theorem the ucgs theorem and shows you how to replace protocols in the presence of a global setup and I would like to take the chance to advertise a follow up work we are doing so so far we have focused the attention on replacing a protocol by its idealization in the presence of one specific global setup however there is a very tricky connected question to this if you pay attention to the or if you focus now your attention to the global setup an interesting question is whether you can replace this global setup by the protocol implementing it and preserving all security statements you have done before this is actually a very tricky question and it does not always go through and our follow up work gives you the conditions under which such a replacement of the global subroutine is sound and we also show examples when it is not sound in this sense stay tuned thanks for watching thanks for your attention and see you at the conference thank you