We prove security of our protocol in the standard Universal Composability (UC) framework of Canetti [Can01], with static and adaptive corruptions. We conclude this section with the definition of the $\mathcal{F}$-hybrid model, which is instrumental for security proofs in the UC model.
A.1 Static Security in the UC Model
In this model, the real world execution of protocol $\pi$ is carried out between the honest parties $P_1$ and $P_2$ and an adversary $\mathsf{Adv}$, in the presence of an external entity called the environment $\mathcal{Z}$. All the parties are PPT Turing machines and $\mathcal{Z}$ has an auxiliary input $z$. At the outset of the protocol the environment initializes the parties with inputs and provides some initial information to $\mathsf{Adv}$. $\mathcal{Z}$ is allowed to interact with $\mathsf{Adv}$ throughout the protocol. At the outset of the protocol, $\mathsf{Adv}$ may or may not corrupt a party. Upon corruption of a party, $\mathsf{Adv}$ gets access to the internal state and input of that party. From then on the party behaves according to $\mathsf{Adv}$'s instructions (since we are in the malicious model). At the end of the protocol, the honest parties send their output to $\mathcal{Z}$, while $\mathsf{Adv}$ outputs $\bot$ on behalf of the corrupted parties and sends its internal state to $\mathcal{Z}$. We denote the view of $\mathcal{Z}$ as $\mathrm{REAL}_{\mathcal{F},\mathsf{Adv},\mathcal{Z}}(1^\kappa, z)$.
In the ideal world we consider the honest parties $P_1$ and $P_2$, a PPT adversary $\mathsf{Sim}$, $\mathcal{Z}$ and the functionality $\mathcal{F}$. $\mathsf{Sim}$ has a random tape $r$ and security parameter $\kappa$. He simulates the role of $\mathsf{Adv}$ in the ideal world, and whenever $\mathsf{Adv}$ corrupts a party in the real world, $\mathsf{Sim}$ corrupts that party in the ideal world and gets access to its internal state. $\mathsf{Sim}$ invokes the algorithm of $\mathsf{Adv}$, in his head, in another internal protocol execution where $\mathsf{Sim}$ simulates the view of the honest parties to $\mathsf{Adv}$. We will denote this internal copy of $\mathsf{Adv}$ as $\mathsf{Adv}_{\mathrm{Int}}$. Based on the reply of $\mathsf{Adv}_{\mathrm{Int}}$ in the internal execution, $\mathsf{Sim}$ behaves accordingly in the ideal world execution. He extracts the inputs of the corrupted parties in the internal execution and invokes $\mathcal{F}$ in the ideal world with those inputs to obtain the output. In the internal execution he simulates the protocol in such a way that $\mathsf{Adv}_{\mathrm{Int}}$ obtains that output. At the end of the protocol, $\mathsf{Adv}_{\mathrm{Int}}$ forwards his view to $\mathsf{Sim}$, who forwards it to $\mathcal{Z}$. We denote the view of $\mathcal{Z}$ as $\mathrm{IDEAL}_{\mathcal{F},\mathsf{Sim},\mathcal{Z}}(1^\kappa, z)$. We say that a protocol $\pi$ UC-securely implements a functionality $\mathcal{F}$ in the presence of static adversaries if the real world and ideal world views are indistinguishable.
Definition 1. Let $\pi$ be a protocol for computing a functionality $\mathcal{F}$. We say that $\pi$ UC-securely computes the two-party functionality $\mathcal{F}$ in the presence of static adversaries if for every PPT adaptive real-world adversary $\mathsf{Adv}$ and every environment $\mathcal{Z}$, there exists a PPT ideal-world adversary $\mathsf{Sim}$, such that:

$$\mathrm{REAL}_{\mathcal{F},\mathsf{Adv},\mathcal{Z}}(1^\kappa, z) \stackrel{c}{\approx} \mathrm{IDEAL}_{\mathcal{F},\mathsf{Sim},\mathcal{Z}}(1^\kappa, z)$$
A.2 Adaptive Security in the UC Model
In the adaptive setting, $\mathcal{Z}$ can ask the real world adversary $\mathsf{Adv}$ to corrupt an honest party during the real world execution of the protocol or after the execution completes. During the execution, $\mathsf{Adv}$ can observe the public transcript of the protocol and, based on that, he can adaptively corrupt an honest party. Once a party gets corrupted, $\mathsf{Adv}$ gets access to the input and private randomness of the party, thus controlling the party from then on. In case of post-execution corruption, $\mathsf{Adv}$ observes the output and the transcript of the protocol, and then he corrupts the honest party to get access to the input and private randomness of the party. After post-execution corruption occurs, $\mathsf{Adv}$ forwards its view to $\mathcal{Z}$. Based on that, $\mathcal{Z}$ constructs its real world view, which we denote as $\mathrm{REAL}_{\mathcal{F},\mathsf{Adv},\mathcal{Z}}(1^\kappa, z)$.
Similarly, in the ideal world $\mathcal{Z}$ can ask the ideal world adversary $\mathsf{Sim}$ to corrupt an honest party during the ideal world execution of the protocol or after the execution completes. When $\mathcal{Z}$ instructs $\mathsf{Sim}$ to corrupt an honest party in the ideal world, $\mathsf{Sim}$ obtains the input of the honest party in the ideal world, and he instructs the internal world adversary $\mathsf{Adv}_{\mathrm{Int}}$ to corrupt the corresponding honest party in the internal world. Recall that $\mathsf{Sim}$ simulates the honest parties in the internal execution. When $\mathsf{Adv}_{\mathrm{Int}}$ corrupts an honest party in the internal world, $\mathsf{Sim}$ has to produce a private randomness for the simulated honest party such that it matches both the input of the honest party and the simulated transcript produced by $\mathsf{Sim}$, in the internal world, on behalf of the honest party. $\mathsf{Sim}$ provides this matching randomness and the input of the simulated honest party to $\mathsf{Adv}_{\mathrm{Int}}$ in the internal world. In case of post-execution corruption of an honest party, $\mathsf{Sim}$ obtains the honest party's input in the ideal world and produces the matching randomness (corresponding to the simulated transcript) in a similar fashion for $\mathsf{Adv}_{\mathrm{Int}}$ in the internal world. After post-execution corruption occurs, $\mathsf{Adv}_{\mathrm{Int}}$ forwards its view to $\mathsf{Sim}$, who forwards it to $\mathcal{Z}$. Based on that, $\mathcal{Z}$ constructs its ideal world view, which we denote as $\mathrm{IDEAL}_{\mathcal{F},\mathsf{Sim},\mathcal{Z}}(1^\kappa, z)$. We say that a protocol $\pi$ UC-securely implements a functionality $\mathcal{F}$ in the presence of adaptive adversaries if the real world and ideal world views are indistinguishable.
Definition 2. Let $\pi$ be a protocol for computing a functionality $\mathcal{F}$. We say that $\pi$ UC-securely computes the two-party functionality $\mathcal{F}$ in the presence of adaptive adversaries if for every PPT adaptive real-world adversary $\mathsf{Adv}$ and every environment $\mathcal{Z}$, there exists a PPT ideal-world adversary $\mathsf{Sim}$, such that:

$$\mathrm{REAL}_{\mathcal{F},\mathsf{Adv},\mathcal{Z}}(1^\kappa, z) \stackrel{c}{\approx} \mathrm{IDEAL}_{\mathcal{F},\mathsf{Sim},\mathcal{Z}}(1^\kappa, z)$$
A.3 The $\mathcal{F}$-hybrid Model
In order to construct our protocols, we utilize other secure two-party protocols as subprotocols. The standard way of doing this is to work in a "hybrid model" where both parties interact with each other (as in the real model) in the outer protocol and use ideal functionality calls (as in the ideal world) for the subprotocols. The UC composition theorem states that if a protocol $\rho$ UC-securely implements a functionality $\mathcal{F}$, then any execution of $\rho$ in a bigger protocol can be replaced with ideal calls to the functionality $\mathcal{F}$. Specifically, while constructing a protocol $\pi$ that uses $\rho$ as a subprotocol for securely computing some functionality $\mathcal{F}$, the parties can run $\pi$ and invoke $\mathcal{F}$. The execution of $\pi$ that invokes $\mathcal{F}$, for each execution of $\rho$, is called the $\mathcal{F}$-hybrid execution of $\pi$ and is denoted as $\pi^{\mathcal{F}}$. The hybrid ensemble $\mathrm{HYB}_{\pi^{\mathcal{F}},\mathsf{Adv},\mathcal{Z}}(1^\kappa, z)$ describes $\mathcal{Z}$'s output after interacting with $\mathsf{Adv}$ and the parties running protocol $\pi^{\mathcal{F}}$. The execution of $\pi$ that instead runs $\rho$ is denoted as $\pi^{\rho}$, and the hybrid ensemble $\mathrm{HYB}_{\pi^{\rho},\mathsf{Adv},\mathcal{Z}}(1^\kappa, z)$ describes $\mathcal{Z}$'s output after interacting with $\mathsf{Adv}$ and the parties running protocol $\pi^{\rho}$. By UC security, the two hybrids $\mathrm{HYB}_{\pi^{\mathcal{F}},\mathsf{Adv},\mathcal{Z}}(1^\kappa, z)$ and $\mathrm{HYB}_{\pi^{\rho},\mathsf{Adv},\mathcal{Z}}(1^\kappa, z)$ are indistinguishable. This permits replacing executions of $\rho$, in $\pi$, with ideal calls to the functionality $\mathcal{F}$, thereby allowing $\pi$ to execute in the $\mathcal{F}$-hybrid model. It simplifies the security proof of $\pi$, as the proof can be carried out for $\pi^{\mathcal{F}}$ in the $\mathcal{F}$-hybrid model instead of re-proving the security of $\rho$ within the proof of $\pi^{\rho}$.
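The following toy model, added here as an illustration and not part of the paper or its protocol, makes the two ideas of Sections A.2 and A.3 executable. The subprotocol $\rho$ is assumed to be a one-time-pad send step ($P_1$ publishes $c = m \oplus k$, with the key $k$ treated as $P_1$'s private randomness and assumed pre-shared with $P_2$), and the ideal functionality $\mathcal{F}$ delivers $m$ to $P_2$ while leaking only its length to $\mathsf{Sim}$. The simulator must commit to a transcript before any corruption and, on adaptive corruption of $P_1$, hand $\mathsf{Adv}_{\mathrm{Int}}$ randomness matching both the real input and the transcript it already simulated; the one-time pad makes this possible, and a contrasting "leaky" send shows a protocol for which no such simulator exists. Views are enumerated exactly over all coins, so "indistinguishable" here means identically distributed. The last part plugs either the real $\rho$ or the $\mathcal{F}$+$\mathsf{Sim}$ pair into an outer protocol $\pi$ and checks that $\mathcal{Z}$'s view of $\pi^{\rho}$ and $\pi^{\mathcal{F}}$ coincide. All names (`real_world`, `ideal_world`, `sim`, `outer_pi`, `N_BITS`) are constructed for this example.

```python
"""Toy executable model of UC real/ideal indistinguishability (constructed example).

Subprotocol rho: P1 publishes c = m XOR k, where the N_BITS-bit key k is P1's
private randomness (assumed pre-shared with P2; the setup is not modelled).
Ideal functionality F: delivers m to P2 and leaks only the length to Sim.
"""
from collections import Counter

N_BITS = 3                      # message length, constructed so views can be enumerated
COINS = range(1 << N_BITS)      # every possible value of a party's or Sim's random tape


def real_world(m: int, k: int) -> tuple:
    """One real execution of rho.  Adv sees the transcript c; if Z asks Adv to
    corrupt P1 (during or after the run) Adv additionally learns (m, k)."""
    c = m ^ k
    return (c, m, k)            # (transcript, input, private randomness)


def ideal_F(m: int) -> tuple:
    """F delivers m to P2 and gives Sim only the leakage N_BITS."""
    return m, N_BITS


def sim(leak_len: int, r: int, m_on_corrupt: int) -> tuple:
    """Sim's two jobs.  Before any corruption it must emit a transcript without
    knowing m, so it uses a uniform string from its own tape r.  When Z later
    corrupts P1, Sim learns m from F and must hand AdvInt randomness consistent
    with both m and the transcript already shown.  The one-time pad is
    equivocable: k' = c' XOR m is exactly such randomness."""
    c_sim = r & ((1 << leak_len) - 1)
    k_sim = c_sim ^ m_on_corrupt
    return (c_sim, m_on_corrupt, k_sim)


def ideal_world(m: int, r: int) -> tuple:
    out_p2, leak = ideal_F(m)
    assert out_p2 == m          # correctness: P2's ideal output is m
    return sim(leak, r, m)


def distribution(world, m: int) -> Counter:
    """Z's view as an exact distribution over the world's uniform coins."""
    return Counter(world(m, coins) for coins in COINS)


def indistinguishable(m: int) -> bool:
    """Definition 2 for this toy: the real and ideal views coincide for input m."""
    return distribution(real_world, m) == distribution(ideal_world, m)


# Failure mode: a 'send' whose transcript is m itself.  Sim must fix a
# transcript knowing only the length, so no simulator can match the real view.
def leaky_world(m: int, k: int) -> tuple:
    return (m, m, k)


def leaky_is_simulatable(m: int) -> bool:
    return distribution(leaky_world, m) == distribution(ideal_world, m)


# F-hybrid composition: an outer protocol pi invokes the send step twice.
# Passing real_world gives pi^rho; passing ideal_world gives the F-hybrid
# execution pi^F, where each call is answered by F and its view produced by Sim.
def outer_pi(m1: int, m2: int, send, coins: tuple) -> tuple:
    v1 = send(m1, coins[0])
    v2 = send(m2, coins[1])
    p2_output = m1 ^ m2         # P2's output in pi, computed from the two received messages
    return (p2_output, v1, v2)  # Z's view: P2's output plus Adv's view of each sub-execution


def hybrid_distribution(m1: int, m2: int, send) -> Counter:
    return Counter(outer_pi(m1, m2, send, (a, b)) for a in COINS for b in COINS)


def hybrids_match(m1: int, m2: int) -> bool:
    """HYB_{pi^rho} versus HYB_{pi^F}: replacing rho by F+Sim leaves Z's view unchanged."""
    return hybrid_distribution(m1, m2, real_world) == hybrid_distribution(m1, m2, ideal_world)


if __name__ == "__main__":
    print("OTP send simulatable for all m:", all(indistinguishable(m) for m in COINS))
    print("leaky send simulatable:", leaky_is_simulatable(5))
    print("pi^rho and pi^F views coincide:", hybrids_match(5, 2))
```

The real view for fixed $m$ is the set of triples $(m \oplus k, m, k)$ over uniform $k$, and the simulated view is $(c', m, c' \oplus m)$ over uniform $c'$; the map $k \mapsto c' = m \oplus k$ is a bijection, which is why the two `Counter`s agree and why the adaptive simulator never gets stuck. For the leaky variant the real transcript is always $m$ while the simulated one is uniform, so any environment that compares the transcript with the input it chose distinguishes the two worlds.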