2015-01-15 14:00
Ueli Maurer ETH Zürich, Switzerland
E1.5 0.02

Constructive Cryptography and Modular Protocol Design, Ueli Maurer

Title : Constructive Cryptography and Modular Protocol Design


There is a significant and surprising discrepancy between the
(generally) mathematically rigorous cryptographic literature and the
reality of practical cryptographic protocol design. While the security
of cryptographic schemes (such as various types of encryption,
signatures, etc.) is usually rigorously defined and proven (based on
some intractability assumptions), practical cryptographic protocols
such as TLS that make use of these schemes are often broken, patched,
again broken, etc. Why can’t we design provably secure protocols, in
the same sense as we seem to be able to design provably secure
cryptographic schemes?

Constructive cryptography, developed jointly with Renato Renner, is an
alternative paradigm for designing cryptographic protocols and proving
their security; the goal is to avoid the above-mentioned discrepancy.
In constructive cryptography, a cryptographic scheme (e.g. encryption)
is seen as constructing a certain resource (e.g. a secure channel)
from another resource (e.g. an authenticated channel and a secret
key), for a well-defined notion of construction. The construction
notion is composable; for example, a key constructed by a secure
key-agreement protocol can provably be used as the key in any
application that requires a secret key. Composition allows to design
complex protocols in a modular, layered manner. The security proofs of
the modules (e.g. encryption, authentication, key agreement, or
signatures) directly compose to a security proof for the entire

A treatment of cryptographic statements in constructive cryptography
comes with several advantages, including reusability, clear semantics
of security definitions, simplicity due to an abstract treatment freed
from artifacts (like Turing machines, asymptotics, polynomial-time,
communication tapes, corruption messages, etc.), capturing different
security notions (such as information-theoretic and computational
security) in a single treatment, and possibly also suitability for a
treatment with formal methods.

Based on joint works with several coauthors, including Sandro Coretti,
Christian Matt, Renato Renner, Bjoern Tackmann.