 Hello, everyone, and welcome to my Asia-Crypt 2021 virtual talk. So the topic of my presentation is algebraic adversaries in the universal compatibility framework and it is joint work with Michelle Abdallah, Manuel Barbosa, Jonathan Katz, and Julian Loss. So here's an outline of my talk. Our work combines two powerful models in cryptography. One is the universal compatibility or UC framework, and the other is the algebraic group model or AGM. So I will first provide a brief overview of these two existing models, and then I will introduce our UC-AGM framework, which defines AGM within UC. And finally, I will showcase two applications of our new model. One is the CHO and ORANDI OT protocol, and the other is a number of password-authenticated key exchange protocols. So now let's start the first part of the talk, which is the modeling. The universal compatibility framework or UC was proposed by Carnegie in 2001, and it has the strongest security definition framework in multi-party computation in the sense that it supports arbitrary protocol composition. It follows the real ideal paradigm in MPC. So the figures here are copied directly from Carnegie's original paper on UC. The left-hand side is the real world, where the M party is mu1 to muM in the protocol pi. And in an execution of the protocol pi, there are two additional parties, the adversary i.e., and the environment e. And these two parties can communicate with the protocol parties. And the right-hand side is the ideal world. So let me stress that the protocol in the ideal world can be any protocol, but usually the ideal protocol consists of a single ideal functionality f, and M dummy parties denoted d1 to dm here. So now we say that the protocol pi, UC emulates the ideal functionality f. If for any adversary in the real world, there is an adversary in the ideal world which simulates the environment's view. So one reason why UC is so powerful is the composition theorem, which says that if protocol pi, UC emulates ideal functionality f, then a protocol which has pi as a sub-protocol also UC emulates the protocol with pi replaced with f. So what does this mean? So this allows for using the ideal functionality instead of a UC secure protocol within a higher level protocol. The algebraic group model was introduced much later. It was formalized by Fosch-Bauer kills and loss in 2018. So it sits between the standard model and the general group model. So an algebraic adversary, whenever it outputs a group element, it must also output its so-called algebraic representation, which explains how this group element is computed from the adversary's view. So that is, so suppose the adversary's view consists of group elements x1 to xn, then whenever the adversary outputs another group element y, it must also output integers lambda 1 for lambda n on an auxiliary type called the algebraic type, such that y is equal to x1 to the power of lambda 1 times xn to the power of lambda n. So this is exactly how y is computed from the adversary's view. So the HGM mainly has two types of applications. The first one is it allows for either proving a stronger security notion or giving a tighter security bound for some schemes. One notable example is that in the HGM, you can avoid rewinding. So you can give a simple and tighter proof or say the snore signature. The other thing is HGM enables security proof for some schemes that are unlikely or perhaps even impossible to prove otherwise, such as some blind signature schemes. However, up to now, there have been no applications of the HGM that is in the simulation base setting, which severely limits its use in multi-party computation. So our work combines UC and HGM, and we propose the UC-HGM framework. Here we have two key issues to tackle. So the first one is which parties need to be algebraic. In the original HGM, there's only a single adversary, and we require that this adversary is algebraic. But in UC, there are actually three adversarial parties in a security definition. So there's the adversary A in the real world. There's the simulator S in the ideal world, and there's an environment E which tries to distinguish between the real world and the ideal world. So we require that all these three parties to be algebraic in UC-HGM. And then we need to decide what exactly it means to say that a party is algebraic. So recall that in the original HGM, this means that the adversary must write the algebraic representation whenever it sends a group element to some party. So here, when the adversary or the simulator communicates with a protocol party, we require the same thing. However, in order to make the composition theorem work, we need something additional. And in particular, we need to place some restriction on the environment as well. So we require that the environment needs to send the algebraic representation directly to the adversary. So why do we require this intuitively? This is because we want the simulator to receive the algebraic representations from all adversarial parties. Both the adversary and the environment. But the simulator cannot run the environment in UC. It can only run the adversary. So that is why we require that the environment sends the algebraic representation to the adversary. So in this way, the simulator can directly see the algebraic representations from the environment. For other communications, namely the adversary sending a group element to the environment or the simulator sending a group element to the environment. Or the environment sends some group elements to the protocol parties. So in all these cases, we don't require them to send the algebraic representations. So here is a graphic illustration of what I just said. The left-hand side is the real world, where the protocol role consists of parties as well as an ideal functionality F. In an execution of role, the communication channels where the parties must behave algebraically are in bloom. So again, the environment must be algebraic while sending some group elements to the adversary. And the adversary must behave algebraically when sending some group elements to the protocol parties, including the ideal functionality. On the right-hand side is the ideal world with the ideal protocol role. So usually a role is an ideal functionality. So again, the requirements of algebraic parties are in bloom. So having defined the exact meanings of algebraic adversaries, we cannot define UC-AGM emulation, which is the same with UC emulation except that all adversarial parties must be algebraic. And finally, we also prove that the conversation theorem still holds in this setting. So this shows that our UC-AGM framework is as useful as the original UC framework. So now let's see some applications of our new UC-AGM framework. So the first one is the Chouan-Orlandy OT protocol. So recall that a one-to-OT protocol is as follows. So a sender has two messages, M0 and M1, and a receiver has a bit B. At the end of their interaction, the receiver learns one of the messages, Mb, but not the other message, and the sender doesn't learn which message was sent. In 2015, Chouan-Orlandy wrote a paper with the title, the simplest protocol for oblivious transfer, in which they proposed a protocol and they claimed it to be UC secure, even in the adaptive corruption setting. So this protocol soon gained much attention, and the most efficient implementations nowadays are based on this protocol. However, in 2017, there were two papers showing three flaws in the original security proof in the Chouan-Orlandy paper. There's even an impossibility result which shows that a UC proof is impossible, assuming that a certain assumption holds. So this essentially leaves the protocol with no security proof at all. And we do the best thing possible, which is to show that the protocol is actually UC-AGM secure. And this gives the first security proof of the Chouan-Orlandy protocol. So let's see at a very high level how it overcomes the difficulties in the original proof. So here's the protocol. The receiver first sends a random group element, i.e., for the sender. And the sender sends back a group element, which may or may not be a one-time-packed encryption of this A, depending on the bit B. And then the receiver then derives a piece from the protocol transcript and encrypts its messages, m0 and m1, under these two keys. And it sends the cybertext to the receiver. The receiver can also derive the correct key, kb. And thus it can decrypt the correct cybertext and get the message. The other message cannot be decrypted and remains unknown from the receiver's view. So now if you want to prove the security of this protocol, the problematic scenario is the sender is statically corrupted and the receiver is adaptively corrupted. So what will happen here? So in this case, when the receiver is corrupted, the simulator must send the random nonce x to the adversary, which explains how the group element iu is computed. So this requires the simulator to know the discrete log of the group element a, which is y. But the simulator has no way to know this y, so it is done. But in the AGM, so this issue can be trivially resolved because an algebraic adversary must write this y on its algebraic type. So this is because y is how the group element a is computed. And therefore, this y can be seen by the simulator, and then the simulator can compute x accordingly. So in this way, we can bypass the problem and manage to prove the UC security of Trojan-Orlandy OT protocol. Here's another example, the aspect one, aspect two and C-PACE password authenticated key exchange protocols. For a password authenticated key exchange protocol or PIC, it allows two parties to establish a shared secret key in the following setting. Only a low entropy password is agreed on in advance, and there's no authenticated channel. So this is different from many protocols in MPC. In recent years, PIC gained much attention, and last year CFRG held a competition for the standardization of fake protocols. And two protocols made it to the final list. So one is aspect two, and the other is C-PACE. Eventually, C-PACE was selected and standardized. However, the landscape of both protocols, UC security analysis, has been kind of bumpy. So there are certain critical difficulties that when both of them are likely to be UC secure with respect to the standard UC functionality for PIC. Recently, in last year and also this year, there have been some work. By the way, I think one of these works also appeared in this year's Azure works. So these work proved that both aspect two and C-PACE are UC secure with respect to a relaxed UC functionality. The security guarantee of this relaxed functionality is kind of weak, and in particular, it is not very clear whether this functionality implies perfect forward sequencing, which is an important security property for PIC. And again here, we managed to prove that both aspect two and C-PACE are UC-AGM secure with respect to the standard UC functionality for PIC. As a bonus, we also proved that a variant called aspect one, so this aspect one has better security under some side channel attacks. So we proved that aspect one is also UC-AGM secure. And this is actually the first security proof ever for aspect one. So let's see how we managed to prove the UC security of these protocols. Here's the aspect protocol. It is essentially a harsh deployment where the protocol messages are encrypted under the password using the one hand path. So the difference between aspect one and aspect two is whether the password is part of the harsh input while deriving the session key. So if you want to prove the UC security, the UC simulator needs to extract the password from the protocol transcript and send this extracted password to the PIC functionality. But if you look at what the transcript is, so actually the transcript is a Peterson commitment to the password. So the password is information theoretically hidden and there's simply no way for the simulator to extract it. However, if we work in the AGM, then the adversary has to explain how the protocol messages say the group element X is computed, which requires the adversary to write the password on its outer bracket, which in turn can be seen by the UC simulator. So again, the UC simulator can continually see the critical information which allows it to complete the UC simulation. So note that this entire thing has nothing to do with what happens after the protocol messages are sent. And the differences between aspect one and two only appear in what the protocol party is to afterwards. So therefore, aspect one can be proven secure in the UC AGM in essentially the same manner. And C-PACE can be proven UC AGM secure as well, using a similar trick. If you are interested, then you can check our paper. So in summary, we make three major contributions. So first, we propose the UC AGM framework, which models an algebraic adversary in UC. And then we showcase two applications. So for Chouan or Lightning OT protocol, it cannot be proven secure in standard UC because of the impossibility result. For aspect one, there's no impossibility result, but it is also unlikely to be UC secure. For aspect two and C-PACE, it only has a weak security guarantee in UC. So for all the above protocols, we prove that they are UC AGM secure. So for Chouan or Lightning OT on aspect one, we prove something that when we prove the UC security in the AGM, which were unknown previously. And for aspect two and C-PACE, we achieve stronger security notion. OK, so this is the end of my talk. Our paper is on E-Print. You can check it out if you are interested. Thank you very much.