This tutorial studies a general methodology for defining security of cryptographic protocols. The methodology, often dubbed the "trusted party paradigm", allows for defining the security requirements of practically any cryptographic task in a unified and natural way. We first review a basic formulation that captures security in isolation from other protocol instances. Next we address the secure composition problem, namely the vulnerabilities resulting from the often unexpected interactions among different protocol instances that run alongside each other in the same system. We demonstrate the limitations of the basic formulation and review a formulation that guarantees security of protocols even in general composite systems.
Category / Keywords: cryptographic protocols / notions of security, secure composition Publication Info: This is an updated version of a two-part contribution to the Distributed Computing column of SIGACT News, Vol. 37, Nos. 3 and 4, 2006. Date: received 7 Dec 2006, last revised 17 Dec 2006 Contact author: canetti at csail mit edu Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | BibTeX Citation Version: 20061218:060209 (All versions of this report) Discussion forum: Show discussion | Start new discussion