Position within the page tree

Start
Institute
Team
Rausch, Daniel

Dr.

Daniel Rausch

Postdoc
Institute of Information Security

Contact

+49 711 685-88357
Email

Universitaetsstrasse 38
70569 Stuttgart
Germany
Room: 2.458

Publications

2021
1. Christoph Egger, Mike Graf, Ralf Küsters, Daniel Rausch, Viktoria Ronge, and Dominique Schröder, “A Security Framework for Distributed Ledgers,” Cryptology ePrint Archive, Technical Report 2021/145, 2021.
  Abstract
  In the past few years blockchains have been a major focus for security research, resulting in significant progress in the design, formalization, and analysis of blockchain protocols. However, the more general class of distributed ledgers, which includes not just blockchains but also prominent non-blockchain protocols, such as Corda and OmniLedger, cannot be covered by the state-of-the-art in the security literature yet. These distributed ledgers often break with traditional blockchain paradigms, such as block structures to store data, system-wide consensus, or global consistency. In this paper, we close this gap by proposing the first framework for defining and analyzing the security of general distributed ledgers, with an ideal distributed ledger functionality at the core of our contribution. This functionality covers not only classical blockchains but also non-blockchain distributed ledgers in a unified way. To illustrate our ledger functionality, we first show that the prominent ideal blockchain functionalities from Badertscher et al. and its privacy preserving derivative from Kerber et al. realize (suitable instantiations of) our functionality, which precisely captures their security properties. This immediately implies that their respective implementations, including Bitcoin, Ouroboros Genesis, and Ouroboros Crypsinous, realize our ideal ledger functionality as well. Secondly, we demonstrate that our ideal ledger functionality is capable of precisely modeling also non-blockchain distributed ledgers by performing the first formal security analysis of such a distributed ledger, namely the prominent Corda protocol. Due to the wide spread use of Corda in the industry, in particular the financial sector, this analysis is of independent interest. These results also illustrate that our ideal ledger functionality not just generalizes the modular treatment of blockchains to distributed ledgers, but moreover helps to unify existing results.
  BibTeX
  @techreport{EggerGrafKuestersRauschRongeSchroeder-IACR-2021, abstract = {In the past few years blockchains have been a major focus for security research, resulting in significant progress in the design, formalization, and analysis of blockchain protocols. However, the more general class of distributed ledgers, which includes not just blockchains but also prominent non-blockchain protocols, such as Corda and OmniLedger, cannot be covered by the state-of-the-art in the security literature yet. These distributed ledgers often break with traditional blockchain paradigms, such as block structures to store data, system-wide consensus, or global consistency. In this paper, we close this gap by proposing the first framework for defining and analyzing the security of general distributed ledgers, with an ideal distributed ledger functionality at the core of our contribution. This functionality covers not only classical blockchains but also non-blockchain distributed ledgers in a unified way. To illustrate our ledger functionality, we first show that the prominent ideal blockchain functionalities from Badertscher et al. and its privacy preserving derivative from Kerber et al. realize (suitable instantiations of) our functionality, which precisely captures their security properties. This immediately implies that their respective implementations, including Bitcoin, Ouroboros Genesis, and Ouroboros Crypsinous, realize our ideal ledger functionality as well. Secondly, we demonstrate that our ideal ledger functionality is capable of precisely modeling also non-blockchain distributed ledgers by performing the first formal security analysis of such a distributed ledger, namely the prominent Corda protocol. Due to the wide spread use of Corda in the industry, in particular the financial sector, this analysis is of independent interest. These results also illustrate that our ideal ledger functionality not just generalizes the modular treatment of blockchains to distributed ledgers, but moreover helps to unify existing results.}, author = {Egger, Christoph and Graf, Mike and K{\"u}sters, Ralf and Rausch, Daniel and Ronge, Viktoria and Schr{\"o}der, Dominique}, institution = {Cryptology ePrint Archive}, number = {2021/145}, title = {{A Security Framework for Distributed Ledgers}}, url = {https://publ.sec.uni-stuttgart.de/eggergrafkuestersrauschrongeschroeder-iacr-2021.pdf}, year = 2021 }
  Link
  https://publ.sec.uni-stuttgart.de/eggergrafkuestersrauschrongeschroeder-iacr-2021.pdf
2020
1. Daniel Rausch, “Simple and flexible universal composability: definition of a framework and applications,” University of Stuttgart, Germany, Ph.D. Thesis, 2020.
  - BibTeX
  BibTeX
  @phdthesis{Rausch-DNB-2020, author = {Rausch, Daniel}, school = {University of Stuttgart, Germany}, title = {{Simple and flexible universal composability: definition of a framework and applications}}, year = 2020 }
2. Ralf Küsters, Max Tuengerthal, and Daniel Rausch, “Joint State Theorems for Public-Key Encryption and Digital Signature Functionalities with Local Computation,” J. Cryptol., vol. 33, no. 4, pp. 1585--1658, 2020.
  Abstract
  Composition theorems in simulation-based approaches allow to build complex protocols from sub-protocols in a modular way. However, as first pointed out and studied by Canetti and Rabin, this modular approach often leads to impractical implementations. For example, when using a functionality for digital signatures within a more complex protocol, parties have to generate new verification and signing keys for every session of the protocol. This motivates to generalize composition theorems to so-called joint state theorems, where different copies of a functionality may share some state, e.g., the same verification and signing keys. In this paper, we present a joint state theorem which is more general than the original theorem of Canetti and Rabin, for which several problems and limitations are pointed out. We apply our theorem to obtain joint state realizations for three functionalities: public-key encryption, replayable public-key encryption, and digital signatures. Unlike most other formulations, our functionalities model that ciphertexts and signatures are computed locally, rather than being provided by the adversary. To obtain the joint state realizations, the functionalities have to be designed carefully. Other formulations are shown to be unsuitable. Our work is based on a recently proposed, rigorous model for simulation-based security by Küsters, called the IITM model. Our definitions and results demonstrate the expressivity and simplicity of this model. For example, unlike Canetti's UC model, in the IITM model no explicit joint state operator needs to be defined and the joint state theorem follows immediately from the composition theorem in the IITM model.
  BibTeX
  @article{KuestersTuengerthalRausch-JointState-JOC-2020, abstract = {Composition theorems in simulation-based approaches allow to build complex protocols from sub-protocols in a modular way. However, as first pointed out and studied by Canetti and Rabin, this modular approach often leads to impractical implementations. For example, when using a functionality for digital signatures within a more complex protocol, parties have to generate new verification and signing keys for every session of the protocol. This motivates to generalize composition theorems to so-called joint state theorems, where different copies of a functionality may share some state, e.g., the same verification and signing keys. In this paper, we present a joint state theorem which is more general than the original theorem of Canetti and Rabin, for which several problems and limitations are pointed out. We apply our theorem to obtain joint state realizations for three functionalities: public-key encryption, replayable public-key encryption, and digital signatures. Unlike most other formulations, our functionalities model that ciphertexts and signatures are computed locally, rather than being provided by the adversary. To obtain the joint state realizations, the functionalities have to be designed carefully. Other formulations are shown to be unsuitable. Our work is based on a recently proposed, rigorous model for simulation-based security by K{\"u}sters, called the IITM model. Our definitions and results demonstrate the expressivity and simplicity of this model. For example, unlike Canetti's UC model, in the IITM model no explicit joint state operator needs to be defined and the joint state theorem follows immediately from the composition theorem in the IITM model.}, author = {K{\"u}sters, Ralf and Tuengerthal, Max and Rausch, Daniel}, journal = {J. Cryptol.}, note = {DOI: 10.1007/s00145-020-09353-0}, number = 4, pages = {1585--1658}, title = {{Joint State Theorems for Public-Key Encryption and Digital Signature Functionalities with Local Computation}}, url = {https://publ.sec.uni-stuttgart.de/kuesterstuengerthalrausch-jointstate-joc-2020.pdf}, volume = 33, year = 2020 }
  Link
  https://publ.sec.uni-stuttgart.de/kuesterstuengerthalrausch-jointstate-joc-2020.pdf
3. Ralf Küsters, Max Tuengerthal, and Daniel Rausch, “The IITM Model: a Simple and Expressive Model for Universal Composability,” J. Cryptol., vol. 33, no. 4, pp. 1461--1584, 2020.
  Abstract
  The universal composability paradigm allows for the modular design and analysis of cryptographic protocols. It has been widely and successfully used in cryptography. However, devising a coherent yet simple and expressive model for universal composability is, as the history of such models shows, highly non-trivial. For example, several partly severe problems have been pointed out in the literature for the UC model. In this work, we propose a coherent model for universal composability, called the IITM model (``Inexhaustible Interactive Turing Machine''). A main feature of the model is that it is stated without a priori fixing irrelevant details, such as a specific way of addressing of machines by session and party identifiers, a specific modeling of corruption, or a specific protocol hierarchy. In addition, we employ a very general notion of runtime. All reasonable protocols and ideal functionalities should be expressible based on this notion in a direct and natural way, and without tweaks, such as (artificial) padding of messages or (artificially) adding extra messages. Not least because of these features, the model is simple and expressive. Also the general results that we prove, such as composition theorems, hold independently of how such details are fixed for concrete applications. Being inspired by other models for universal composability, in particular the UC model and because of the flexibility and expressivity of the IITM model, conceptually, results formulated in these models directly carry over to the IITM model.
  BibTeX
  @article{KuestersTuengerthalRausch-IITM-JOC-2020, abstract = {The universal composability paradigm allows for the modular design and analysis of cryptographic protocols. It has been widely and successfully used in cryptography. However, devising a coherent yet simple and expressive model for universal composability is, as the history of such models shows, highly non-trivial. For example, several partly severe problems have been pointed out in the literature for the UC model. In this work, we propose a coherent model for universal composability, called the IITM model (``Inexhaustible Interactive Turing Machine''). A main feature of the model is that it is stated without a priori fixing irrelevant details, such as a specific way of addressing of machines by session and party identifiers, a specific modeling of corruption, or a specific protocol hierarchy. In addition, we employ a very general notion of runtime. All reasonable protocols and ideal functionalities should be expressible based on this notion in a direct and natural way, and without tweaks, such as (artificial) padding of messages or (artificially) adding extra messages. Not least because of these features, the model is simple and expressive. Also the general results that we prove, such as composition theorems, hold independently of how such details are fixed for concrete applications. Being inspired by other models for universal composability, in particular the UC model and because of the flexibility and expressivity of the IITM model, conceptually, results formulated in these models directly carry over to the IITM model.}, author = {K{\"u}sters, Ralf and Tuengerthal, Max and Rausch, Daniel}, journal = {J. Cryptol.}, note = {DOI: 10.1007/s00145-020-09352-1}, number = 4, pages = {1461--1584}, title = {{The IITM Model: a Simple and Expressive Model for Universal Composability}}, url = {https://publ.sec.uni-stuttgart.de/kuesterstuengerthalrausch-iitm-joc-2020.pdf}, volume = 33, year = 2020 }
  Link
  https://publ.sec.uni-stuttgart.de/kuesterstuengerthalrausch-iitm-joc-2020.pdf
4. Mike Graf, Ralf Küsters, and Daniel Rausch, “Accountability in a Permissioned Blockchain: Formal Analysis of Hyperledger Fabric,” in IEEE European Symposium on Security and Privacy, EuroS&P 2020, Genoa, Italy, September 7-11, 2020, 2020, pp. 236--255.
  Abstract
  While accountability is a well-known concept in distributed systems and cryptography, in the literature on blockchains (and, more generally, distributed ledgers) the formal treatment of accountability has been a blind spot: there does not exist a formalization let alone a formal proof of accountability for any blockchain yet. Therefore, in this work we put forward and propose a formal treatment of accountability in this domain. Our goal is to formally state and prove that if in a run of a blockchain a central security property, such as consistency, is not satisfied, then misbehaving parties can be identified and held accountable. Accountability is particularly useful for permissioned blockchains where all parties know each other, and hence, accountability incentivizes all parties to behave honestly. We exemplify our approach for one of the most prominent permissioned blockchains: Hyperledger Fabric in its most common instantiation.
  BibTeX
  @inproceedings{GrafKuestersRausch-EuroSP-2020, abstract = {While accountability is a well-known concept in distributed systems and cryptography, in the literature on blockchains (and, more generally, distributed ledgers) the formal treatment of accountability has been a blind spot: there does not exist a formalization let alone a formal proof of accountability for any blockchain yet. Therefore, in this work we put forward and propose a formal treatment of accountability in this domain. Our goal is to formally state and prove that if in a run of a blockchain a central security property, such as consistency, is not satisfied, then misbehaving parties can be identified and held accountable. Accountability is particularly useful for permissioned blockchains where all parties know each other, and hence, accountability incentivizes all parties to behave honestly. We exemplify our approach for one of the most prominent permissioned blockchains: Hyperledger Fabric in its most common instantiation.}, author = {Graf, Mike and K{\"u}sters, Ralf and Rausch, Daniel}, booktitle = {{IEEE} European Symposium on Security and Privacy, EuroS{\&}P 2020, Genoa, Italy, September 7-11, 2020}, pages = {236--255}, publisher = {{IEEE}}, title = {{Accountability in a Permissioned Blockchain: Formal Analysis of Hyperledger Fabric}}, url = {https://publ.sec.uni-stuttgart.de/grafkuestersrausch-eurosp-2020.pdf}, year = 2020 }
  Link
  https://publ.sec.uni-stuttgart.de/grafkuestersrausch-eurosp-2020.pdf
5. Mike Graf, Ralf Küsters, and Daniel Rausch, “Accountability in a Permissioned Blockchain: Formal Analysis of Hyperledger Fabric,” Cryptology ePrint Archive, Technical Report 2020/386, 2020.
  Abstract
  While accountability is a well-known concept in distributed systems and cryptography, in the literature on blockchains (and, more generally, distributed ledgers) the formal treatment of accountability has been a blind spot: there does not exist a formalization let alone a formal proof of accountability for any blockchain yet. Therefore, in this work we put forward and propose a formal treatment of accountability in this domain. Our goal is to formally state and prove that if in a run of a blockchain a central security property, such as consistency, is not satisfied, then misbehaving parties can be identified and held accountable. Accountability is particularly useful for permissioned blockchains where all parties know each other, and hence, accountability incentivizes all parties to behave honestly. We exemplify our approach for one of the most prominent permissioned blockchains: Hyperledger Fabric in its most common instantiation.
  BibTeX
  @techreport{GrafKuestersRausch-IACR-2020, abstract = {While accountability is a well-known concept in distributed systems and cryptography, in the literature on blockchains (and, more generally, distributed ledgers) the formal treatment of accountability has been a blind spot: there does not exist a formalization let alone a formal proof of accountability for any blockchain yet. Therefore, in this work we put forward and propose a formal treatment of accountability in this domain. Our goal is to formally state and prove that if in a run of a blockchain a central security property, such as consistency, is not satisfied, then misbehaving parties can be identified and held accountable. Accountability is particularly useful for permissioned blockchains where all parties know each other, and hence, accountability incentivizes all parties to behave honestly. We exemplify our approach for one of the most prominent permissioned blockchains: Hyperledger Fabric in its most common instantiation.}, author = {Graf, Mike and K{\"{u}}sters, Ralf and Rausch, Daniel}, institution = {Cryptology ePrint Archive}, number = {2020/386}, title = {{Accountability in a Permissioned Blockchain: Formal Analysis of Hyperledger Fabric}}, url = {https://publ.sec.uni-stuttgart.de/grafkuestersrausch-iacr-2020.pdf}, year = 2020 }
  Link
  https://publ.sec.uni-stuttgart.de/grafkuestersrausch-iacr-2020.pdf
6. Ralf Küsters, Julian Liedtke, Johannes Müller, Daniel Rausch, and Andreas Vogt, “Ordinos: A Verifiable Tally-Hiding Remote E-Voting System,” in IEEE European Symposium on Security and Privacy, EuroS&P 2020, Genoa, Italy, September 7-11, 2020, 2020, pp. 216--235.
  Abstract
  Modern electronic voting systems (e-voting systems) are designed to provide not only vote privacy but also (end-to-end) verifiability. Several verifiable e-voting systems have been proposed in the literature, with Helios being one of the most prominent ones. Almost all such systems, however, reveal not just the voting result but also the full tally, consisting of the exact number of votes per candidate or even all single votes. There are several situations where this is undesirable. For example, in elections with only a few voters (e.g., boardroom or jury votings), revealing the complete tally leads to a low privacy level, possibly deterring voters from voting for their actual preference. In other cases, revealing the complete tally might unnecessarily embarrass some candidates. Often, the voting result merely consists of a single winner or a ranking of candidates, so revealing only this information but not the complete tally is sufficient. This property is called tally-hiding and it offers completely new options for e-voting. In this paper, we propose the first provably secure end-to-end verifiable tally-hiding e-voting system, called Ordinos. We instantiated our system with suitable cryptographic primitives, including an MPC protocol for greater-than tests, implemented the system, and evaluated its performance, demonstrating its practicality. Moreover, our work provides a deeper understanding of tally-hiding in general, in particular in how far tally-hiding affects the levels of privacy and verifiability of e-voting systems.
  BibTeX
  @inproceedings{KuestersLiedtkeMuellerRauschVogt-EuroSP-2020, abstract = {Modern electronic voting systems (e-voting systems) are designed to provide not only vote privacy but also (end-to-end) verifiability. Several verifiable e-voting systems have been proposed in the literature, with Helios being one of the most prominent ones. Almost all such systems, however, reveal not just the voting result but also the full tally, consisting of the exact number of votes per candidate or even all single votes. There are several situations where this is undesirable. For example, in elections with only a few voters (e.g., boardroom or jury votings), revealing the complete tally leads to a low privacy level, possibly deterring voters from voting for their actual preference. In other cases, revealing the complete tally might unnecessarily embarrass some candidates. Often, the voting result merely consists of a single winner or a ranking of candidates, so revealing only this information but not the complete tally is sufficient. This property is called tally-hiding and it offers completely new options for e-voting. In this paper, we propose the first provably secure end-to-end verifiable tally-hiding e-voting system, called Ordinos. We instantiated our system with suitable cryptographic primitives, including an MPC protocol for greater-than tests, implemented the system, and evaluated its performance, demonstrating its practicality. Moreover, our work provides a deeper understanding of tally-hiding in general, in particular in how far tally-hiding affects the levels of privacy and verifiability of e-voting systems.}, author = {K{\"u}sters, Ralf and Liedtke, Julian and M{\"u}ller, Johannes and Rausch, Daniel and Vogt, Andreas}, booktitle = {{IEEE} European Symposium on Security and Privacy, EuroS{\&}P 2020, Genoa, Italy, September 7-11, 2020}, pages = {216--235}, publisher = {{IEEE}}, title = {{Ordinos: A Verifiable Tally-Hiding Remote E-Voting System}}, url = {https://publ.sec.uni-stuttgart.de/kuestersliedtkemuellerrauschvogt-eurosp-2020.pdf}, year = 2020 }
  Link
  https://publ.sec.uni-stuttgart.de/kuestersliedtkemuellerrauschvogt-eurosp-2020.pdf
7. Ralf Küsters, Julian Liedtke, Johannes Müller, Daniel Rausch, and Andreas Vogt, “Ordinos: A Verifiable Tally-Hiding E-Voting System,” Cryptology ePrint Archive, Technical Report 2020/405, 2020.
  Abstract
  Modern electronic voting systems (e-voting systems) are designed to provide not only vote privacy but also (end-to-end) verifiability. Several verifiable e-voting systems have been proposed in the literature, with Helios being one of the most prominent ones. Almost all such systems, however, reveal not just the voting result but also the full tally, consisting of the exact number of votes per candidate or even all single votes. There are several situations where this is undesirable. For example, in elections with only a few voters (e.g., boardroom or jury votings), revealing the complete tally leads to a low privacy level, possibly deterring voters from voting for their actual preference. In other cases, revealing the complete tally might unnecessarily embarrass some candidates. Often, the voting result merely consists of a single winner or a ranking of candidates, so revealing only this information but not the complete tally is sufficient. This property is called tally-hiding and it offers completely new options for e-voting. In this paper, we propose the first provably secure end-to-end verifiable tally-hiding e-voting system, called Ordinos. We instantiated our system with suitable cryptographic primitives, including an MPC protocol for greater-than tests, implemented the system, and evaluated its performance, demonstrating its practicality. Moreover, our work provides a deeper understanding of tally-hiding in general, in particular in how far tally-hiding affects the levels of privacy and verifiability of e-voting systems.
  BibTeX
  @techreport{KuestersLiedtkeMuellerRauschVogt-IACR-2020, abstract = {Modern electronic voting systems (e-voting systems) are designed to provide not only vote privacy but also (end-to-end) verifiability. Several verifiable e-voting systems have been proposed in the literature, with Helios being one of the most prominent ones. Almost all such systems, however, reveal not just the voting result but also the full tally, consisting of the exact number of votes per candidate or even all single votes. There are several situations where this is undesirable. For example, in elections with only a few voters (e.g., boardroom or jury votings), revealing the complete tally leads to a low privacy level, possibly deterring voters from voting for their actual preference. In other cases, revealing the complete tally might unnecessarily embarrass some candidates. Often, the voting result merely consists of a single winner or a ranking of candidates, so revealing only this information but not the complete tally is sufficient. This property is called tally-hiding and it offers completely new options for e-voting. In this paper, we propose the first provably secure end-to-end verifiable tally-hiding e-voting system, called Ordinos. We instantiated our system with suitable cryptographic primitives, including an MPC protocol for greater-than tests, implemented the system, and evaluated its performance, demonstrating its practicality. Moreover, our work provides a deeper understanding of tally-hiding in general, in particular in how far tally-hiding affects the levels of privacy and verifiability of e-voting systems.}, author = {K{\"{u}}sters, Ralf and Liedtke, Julian and M{\"{u}}ller, Johannes and Rausch, Daniel and Vogt, Andreas}, institution = {Cryptology ePrint Archive}, number = {2020/405}, title = {Ordinos: {A} Verifiable Tally-Hiding E-Voting System}, url = {https://publ.sec.uni-stuttgart.de/kuestersliedtkemuellerrauschvogt-iacr-2020.pdf}, year = 2020 }
  Link
  https://publ.sec.uni-stuttgart.de/kuestersliedtkemuellerrauschvogt-iacr-2020.pdf
2019
1. Jan Camenisch, Stephan Krenn, Ralf Küsters, and Daniel Rausch, “iUC: Flexible Universal Composability Made Simple,” in Advances in Cryptology - ASIACRYPT 2019 - 25th International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, December 8-12, 2019, Proceedings, Part III, 2019, vol. 11923, pp. 191--221.
  Abstract
  Proving the security of complex protocols is a crucial and very challenging task. A widely used ap- proach for reasoning about such protocols in a modular way is universal composability. Several models for this approach exist, including the UC, GNUC, and IITM models. Despite the wide spread use of the universal composability approach, none of the existing models are fully satisfying. They all lack either soundness, flexibility, or usability. As a result, proofs in the litera- ture are very often formally incorrect, protocols cannot be modeled faithfully, and/or using these models is a burden rather than a help. Given this dire state of affairs, the goal of this work is to provide a framework for universal composability which combines soundness, flexibility, and usability. Developing such a security framework is a very difficult and delicate task, as the long history of frameworks for universal composability shows. As the IITM model appears to be closest to this goal in terms of soundness and flexibility, we build our framework, called iUC, on top of the IITM model. At the core of iUC is a single simple template for spec- ifying essentially arbitrary protocols in a convenient, formally precise, and flexible way, which allows protocol designers to concentrate on the core logic of a protocol. We illustrate the main features of our framework with example functionalities and realizations.
  BibTeX
  @inproceedings{CamenischKrennKuestersRausch-ASIACRYPT-iUC-2019, abstract = {Proving the security of complex protocols is a crucial and very challenging task. A widely used ap- proach for reasoning about such protocols in a modular way is universal composability. Several models for this approach exist, including the UC, GNUC, and IITM models. Despite the wide spread use of the universal composability approach, none of the existing models are fully satisfying. They all lack either soundness, flexibility, or usability. As a result, proofs in the litera- ture are very often formally incorrect, protocols cannot be modeled faithfully, and/or using these models is a burden rather than a help. Given this dire state of affairs, the goal of this work is to provide a framework for universal composability which combines soundness, flexibility, and usability. Developing such a security framework is a very difficult and delicate task, as the long history of frameworks for universal composability shows. As the IITM model appears to be closest to this goal in terms of soundness and flexibility, we build our framework, called iUC, on top of the IITM model. At the core of iUC is a single simple template for spec- ifying essentially arbitrary protocols in a convenient, formally precise, and flexible way, which allows protocol designers to concentrate on the core logic of a protocol. We illustrate the main features of our framework with example functionalities and realizations.}, author = {Camenisch, Jan and Krenn, Stephan and K{\"{u}}sters, Ralf and Rausch, Daniel}, booktitle = {Advances in Cryptology - {ASIACRYPT} 2019 - 25th International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, December 8-12, 2019, Proceedings, Part {III}}, pages = {191--221}, publisher = {Springer}, series = {Lecture Notes in Computer Science}, title = {{iUC: Flexible Universal Composability Made Simple}}, url = {https://publ.sec.uni-stuttgart.de/camenischkrennkuestersrausch-asiacrypt-iuc-2019.pdf}, volume = 11923, year = 2019 }
  Link
  https://publ.sec.uni-stuttgart.de/camenischkrennkuestersrausch-asiacrypt-iuc-2019.pdf
2. Jan Camenisch, Stephan Krenn, Ralf Küsters, and Daniel Rausch, “iUC: Flexible Universal Composability Made Simple,” Cryptology ePrint Archive, Technical Report 2019/1037, 2019.
  Abstract
  Proving the security of complex protocols is a crucial and very challenging task. A widely used ap- proach for reasoning about such protocols in a modular way is universal composability. Several models for this approach exist, including the UC, GNUC, and IITM models. Despite the wide spread use of the universal composability approach, none of the existing models are fully satisfying. They all lack either soundness, flexibility, or usability. As a result, proofs in the litera- ture are very often formally incorrect, protocols cannot be modeled faithfully, and/or using these models is a burden rather than a help. Given this dire state of affairs, the goal of this work is to provide a framework for universal composability which combines soundness, flexibility, and usability. Developing such a security framework is a very difficult and delicate task, as the long history of frameworks for universal composability shows. As the IITM model appears to be closest to this goal in terms of soundness and flexibility, we build our framework, called iUC, on top of the IITM model. At the core of iUC is a single simple template for spec- ifying essentially arbitrary protocols in a convenient, formally precise, and flexible way, which allows protocol designers to concentrate on the core logic of a protocol. We illustrate the main features of our framework with example functionalities and realizations.
  BibTeX
  @techreport{CamenischKrennKuestersRausch-TR-iUC-2019, abstract = {Proving the security of complex protocols is a crucial and very challenging task. A widely used ap- proach for reasoning about such protocols in a modular way is universal composability. Several models for this approach exist, including the UC, GNUC, and IITM models. Despite the wide spread use of the universal composability approach, none of the existing models are fully satisfying. They all lack either soundness, flexibility, or usability. As a result, proofs in the litera- ture are very often formally incorrect, protocols cannot be modeled faithfully, and/or using these models is a burden rather than a help. Given this dire state of affairs, the goal of this work is to provide a framework for universal composability which combines soundness, flexibility, and usability. Developing such a security framework is a very difficult and delicate task, as the long history of frameworks for universal composability shows. As the IITM model appears to be closest to this goal in terms of soundness and flexibility, we build our framework, called iUC, on top of the IITM model. At the core of iUC is a single simple template for spec- ifying essentially arbitrary protocols in a convenient, formally precise, and flexible way, which allows protocol designers to concentrate on the core logic of a protocol. We illustrate the main features of our framework with example functionalities and realizations.}, author = {Camenisch, Jan and Krenn, Stephan and K{\"{u}}sters, Ralf and Rausch, Daniel}, institution = {Cryptology ePrint Archive}, number = {2019/1037}, title = {{iUC: Flexible Universal Composability Made Simple}}, url = {https://publ.sec.uni-stuttgart.de/camenischkrennkuestersrausch-tr-iuc-2019.pdf}, year = 2019 }
  Link
  https://publ.sec.uni-stuttgart.de/camenischkrennkuestersrausch-tr-iuc-2019.pdf
2018
1. Ralf Küsters, Max Tuengerthal, and Daniel Rausch, “The IITM Model: a Simple and Expressive Model for Universal Composability,” Cryptology ePrint Archive, Technical Report 2013/025, 2018. Available at http://eprint.iacr.org/2013/025/. This is an updated version of the technical report from 2013. Compared to the previous version, we added a discussion on Canetti’s UC model, version July 2013. We provided more examples of how the IITM model can be used. The actual model did not change at all.
  Abstract
  The universal composability paradigm allows for the modular design and analysis of cryptographic protocols. It has been widely and successfully used in cryptography. However, devising a coherent yet simple and expressive model for universal composability is, as the history of such models shows, highly non-trivial. For example, several partly severe problems have been pointed out in the literature for the UC model. In this work, we propose a coherent model for universal composability, called the IITM model (``Inexhaustible Interactive Turing Machine''). A main feature of the model is that it is stated without a priori fixing irrelevant details, such as a specific way of addressing of machines by session and party identifiers, a specific modeling of corruption, or a specific protocol hierarchy. In addition, we employ a very general notion of runtime. All reasonable protocols and ideal functionalities should be expressible based on this notion in a direct and natural way, and without tweaks, such as (artificial) padding of messages or (artificially) adding extra messages. Not least because of these features, the model is simple and expressive. Also the general results that we prove, such as composition theorems, hold independently of how such details are fixed for concrete applications. Being inspired by other models for universal composability, in particular the UC model and because of the flexibility and expressivity of the IITM model, conceptually, results formulated in these models directly carry over to the IITM model.
  BibTeX
  @techreport{KuestersTuengerthalRausch-TR-IITM-2018, abstract = {The universal composability paradigm allows for the modular design and analysis of cryptographic protocols. It has been widely and successfully used in cryptography. However, devising a coherent yet simple and expressive model for universal composability is, as the history of such models shows, highly non-trivial. For example, several partly severe problems have been pointed out in the literature for the UC model. In this work, we propose a coherent model for universal composability, called the IITM model (``Inexhaustible Interactive Turing Machine''). A main feature of the model is that it is stated without a priori fixing irrelevant details, such as a specific way of addressing of machines by session and party identifiers, a specific modeling of corruption, or a specific protocol hierarchy. In addition, we employ a very general notion of runtime. All reasonable protocols and ideal functionalities should be expressible based on this notion in a direct and natural way, and without tweaks, such as (artificial) padding of messages or (artificially) adding extra messages. Not least because of these features, the model is simple and expressive. Also the general results that we prove, such as composition theorems, hold independently of how such details are fixed for concrete applications. Being inspired by other models for universal composability, in particular the UC model and because of the flexibility and expressivity of the IITM model, conceptually, results formulated in these models directly carry over to the IITM model.}, author = {K{\"u}sters, Ralf and Tuengerthal, Max and Rausch, Daniel}, institution = {Cryptology ePrint Archive}, note = {Available at \url{http://eprint.iacr.org/2013/025/}. This is an updated version of the technical report from 2013. Compared to the previous version, we added a discussion on Canetti's UC model, version July 2013. We provided more examples of how the IITM model can be used. The actual model did not change at all.}, number = {2013/025}, title = {{The IITM Model: a Simple and Expressive Model for Universal Composability}}, url = {https://publ.sec.uni-stuttgart.de/kuesterstuengerthalrausch-tr-iitm-2018.pdf}, year = 2018 }
  Link
  https://publ.sec.uni-stuttgart.de/kuesterstuengerthalrausch-tr-iitm-2018.pdf
2017
1. Ralf Küsters and Daniel Rausch, “A Framework for Universally Composable Diffie-Hellman Key Exchange,” in IEEE 38th Symposium on Security and Privacy (S&P 2017), 2017, pp. 881--900.
  Abstract
  The analysis of real-world protocols, in particular key exchange protocols and protocols building on these protocols, is a very complex, error-prone, and tedious task. Besides the complexity of the protocols itself, one important reason for this is that the security of the protocols has to be reduced to the security of the underlying cryptographic primitives for every protocol time and again. We would therefore like to get rid of reduction proofs for real-world key exchange protocols as much as possible and in many cases altogether, also for higher-level protocols which use the exchanged keys. So far some first steps have been taken in this direction. But existing work is still quite limited, and, for example, does not support Diffie-Hellman (DH) key exchange, a prevalent cryptographic primitive for real-world protocols. In this paper, building on work by Küsters and Tuengerthal, we provide an ideal functionality in the universal composability setting which supports several common cryptographic primitives, including DH key exchange. This functionality helps to avoid reduction proofs in the analysis of real-world protocols and often eliminates them completely. We also propose a new general ideal key exchange functionality which allows higher-level protocols to use exchanged keys in an ideal way. As a proof of concept, we apply our framework to three practical DH key exchange protocols, namely ISO 9798-3, SIGMA, and OPTLS.
  BibTeX
  @inproceedings{kuestersrausch-sp-2017, abstract = {The analysis of real-world protocols, in particular key exchange protocols and protocols building on these protocols, is a very complex, error-prone, and tedious task. Besides the complexity of the protocols itself, one important reason for this is that the security of the protocols has to be reduced to the security of the underlying cryptographic primitives for every protocol time and again. We would therefore like to get rid of reduction proofs for real-world key exchange protocols as much as possible and in many cases altogether, also for higher-level protocols which use the exchanged keys. So far some first steps have been taken in this direction. But existing work is still quite limited, and, for example, does not support Diffie-Hellman (DH) key exchange, a prevalent cryptographic primitive for real-world protocols. In this paper, building on work by K{\"u}sters and Tuengerthal, we provide an ideal functionality in the universal composability setting which supports several common cryptographic primitives, including DH key exchange. This functionality helps to avoid reduction proofs in the analysis of real-world protocols and often eliminates them completely. We also propose a new general ideal key exchange functionality which allows higher-level protocols to use exchanged keys in an ideal way. As a proof of concept, we apply our framework to three practical DH key exchange protocols, namely ISO 9798-3, SIGMA, and OPTLS.}, author = {K{\"u}sters, Ralf and Rausch, Daniel}, booktitle = {{IEEE} 38th Symposium on Security and Privacy (S{\&}P 2017)}, pages = {881--900}, publisher = {{IEEE} Computer Society}, title = {{A Framework for Universally Composable Diffie-Hellman Key Exchange}}, url = {https://publ.sec.uni-stuttgart.de/kuestersrausch-sp-2017.pdf}, year = 2017 }
  Link
  https://publ.sec.uni-stuttgart.de/kuestersrausch-sp-2017.pdf
2. Ralf Küsters and Daniel Rausch, “A Framework for Universally Composable Diffie-Hellman Key Exchange,” Cryptology ePrint Archive, Technical Report 2017/256, 2017. Available at http://eprint.iacr.org/2017/256.
  Abstract
  The analysis of real-world protocols, in particular key exchange protocols and protocols building on these protocols, is a very complex, error-prone, and tedious task. Besides the complexity of the protocols itself, one important reason for this is that the security of the protocols has to be reduced to the security of the underlying cryptographic primitives for every protocol time and again. We would therefore like to get rid of reduction proofs for real-world key exchange protocols as much as possible and in many cases altogether, also for higher-level protocols which use the exchanged keys. So far some first steps have been taken in this direction. But existing work is still quite limited, and, for example, does not support Diffie-Hellman (DH) key exchange, a prevalent cryptographic primitive for real-world protocols. In this paper, building on work by Küsters and Tuengerthal, we provide an ideal functionality in the universal composability setting which supports several common cryptographic primitives, including DH key exchange. This functionality helps to avoid reduction proofs in the analysis of real-world protocols and often eliminates them completely. We also propose a new general ideal key exchange functionality which allows higher-level protocols to use exchanged keys in an ideal way. As a proof of concept, we apply our framework to three practical DH key exchange protocols, namely ISO 9798-3, SIGMA, and OPTLS.
  BibTeX
  @techreport{kuestersrausch-tr-fcryptodh-2016, abstract = {The analysis of real-world protocols, in particular key exchange protocols and protocols building on these protocols, is a very complex, error-prone, and tedious task. Besides the complexity of the protocols itself, one important reason for this is that the security of the protocols has to be reduced to the security of the underlying cryptographic primitives for every protocol time and again. We would therefore like to get rid of reduction proofs for real-world key exchange protocols as much as possible and in many cases altogether, also for higher-level protocols which use the exchanged keys. So far some first steps have been taken in this direction. But existing work is still quite limited, and, for example, does not support Diffie-Hellman (DH) key exchange, a prevalent cryptographic primitive for real-world protocols. In this paper, building on work by K{\"u}sters and Tuengerthal, we provide an ideal functionality in the universal composability setting which supports several common cryptographic primitives, including DH key exchange. This functionality helps to avoid reduction proofs in the analysis of real-world protocols and often eliminates them completely. We also propose a new general ideal key exchange functionality which allows higher-level protocols to use exchanged keys in an ideal way. As a proof of concept, we apply our framework to three practical DH key exchange protocols, namely ISO 9798-3, SIGMA, and OPTLS.}, author = {K{\"u}sters, Ralf and Rausch, Daniel}, institution = {Cryptology ePrint Archive}, note = {Available at \url{http://eprint.iacr.org/2017/256}.}, number = {2017/256}, title = {{A Framework for Universally Composable Diffie-Hellman Key Exchange}}, url = {https://publ.sec.uni-stuttgart.de/kuestersrausch-tr-fcryptodh-2016.pdf}, year = 2017 }
  Link
  https://publ.sec.uni-stuttgart.de/kuestersrausch-tr-fcryptodh-2016.pdf
2016
1. Jan Camenisch, Robert R. Enderlein, Stephan Krenn, Ralf Küsters, and Daniel Rausch, “Universal Composition with Responsive Environments,” in Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, 2016, pp. 807--840.
  Abstract
  In universal composability frameworks, adversaries (or environments) and protocols/ideal functionalities often have to exchange meta-information on the network interface, such as algorithms, keys, signatures, ciphertexts, signaling information, corruption-related messages. For these purely modeling-related messages, which do not reflect actual network communication, it would often be very reasonable and natural to expect that adversaries/environments provide the requested information immediately or give control back to the protocol/functionality immediately after having received some information. However, in none of the existing models for universal composability this is guaranteed. We call this the non-responsiveness problem. As discussed in the paper, while formally non-responsiveness does not invalidate any of the universal composability models, it has many disadvantages, such as unnecessarily complex specifications and less expressivity. Also, this problem has often been ignored in the literature, leading to ill-defined and flawed specifications. Protocol designers really should not have to care about this problem at all, but currently they have to: giving the adversary/environment the option to not respond immediately to modeling-related requests does not translate to any real attack scenario. This paper solves the non-responsiveness problem and its negative consequences completely, by avoiding this artificial modeling problem altogether. We propose the new concepts of responsive environments and adversaries. Such environments and adversaries must provide a valid response to modeling-related requests before any other protocol/functionality is activated. Hence, protocol designers do not have to worry any longer about artifacts resulting from such requests not being answered promptly. Our concepts apply to all existing models for universal composability, as exemplified for the UC, GNUC, and IITM models, with full definitions and proofs (simulation relations, transitivity, equivalence of various simulation notions, composition theorems) provided for the IITM model.
  BibTeX
  @inproceedings{CamenischEnderleinKrennKuestersRausch-ASIACRYPT-RespEnv-2016, abstract = { In universal composability frameworks, adversaries (or environments) and protocols/ideal functionalities often have to exchange meta-information on the network interface, such as algorithms, keys, signatures, ciphertexts, signaling information, corruption-related messages. For these purely modeling-related messages, which do not reflect actual network communication, it would often be very reasonable and natural to expect that adversaries/environments provide the requested information immediately or give control back to the protocol/functionality immediately after having received some information. However, in none of the existing models for universal composability this is guaranteed. We call this the \emph{non-responsiveness problem}. As discussed in the paper, while formally non-responsiveness does not invalidate any of the universal composability models, it has many disadvantages, such as unnecessarily complex specifications and less expressivity. Also, this problem has often been ignored in the literature, leading to ill-defined and flawed specifications. Protocol designers really should not have to care about this problem at all, but currently they have to: giving the adversary/environment the option to not respond immediately to modeling-related requests does not translate to any real attack scenario. This paper solves the non-responsiveness problem and its negative consequences completely, by avoiding this artificial modeling problem altogether. We propose the new concepts of responsive environments and adversaries. Such environments and adversaries must provide a valid response to modeling-related requests before any other protocol/functionality is activated. Hence, protocol designers do not have to worry any longer about artifacts resulting from such requests not being answered promptly. Our concepts apply to all existing models for universal composability, as exemplified for the UC, GNUC, and IITM models, with full definitions and proofs (simulation relations, transitivity, equivalence of various simulation notions, composition theorems) provided for the IITM model.}, author = {Camenisch, Jan and Enderlein, Robert R. and Krenn, Stephan and K{\"u}sters, Ralf and Rausch, Daniel}, booktitle = {Advances in Cryptology - {ASIACRYPT} 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security}, pages = {807--840}, publisher = {Springer}, title = {{Universal Composition with Responsive Environments}}, url = {https://publ.sec.uni-stuttgart.de/camenischenderleinkrennkuestersrausch-asiacrypt-respenv-2016.pdf}, year = 2016 }
  Link
  https://publ.sec.uni-stuttgart.de/camenischenderleinkrennkuestersrausch-asiacrypt-respenv-2016.pdf
2. Jan Camenisch, Robert R. Enderlein, Stephan Krenn, Ralf Küsters, and Daniel Rausch, “Universal Composition with Responsive Environments,” Cryptology ePrint Archive, Report 2016/034, 2016. Available at http://eprint.iacr.org/2016/034.
  Abstract
  In universal composability frameworks, adversaries (or environments) and protocols/ideal functionalities often have to exchange meta-information on the network interface, such as algorithms, keys, signatures, ciphertexts, signaling information, corruption-related messages. For these purely modeling-related messages, which do not reflect actual network communication, it would often be very reasonable and natural to expect that adversaries/environments provide the requested information immediately or give control back to the protocol/functionality immediately after having received some information. However, in none of the existing models for universal composability this is guaranteed. We call this the non-responsiveness problem. As discussed in the paper, while formally non-responsiveness does not invalidate any of the universal composability models, it has many disadvantages, such as unnecessarily complex specifications and less expressivity. Also, this problem has often been ignored in the literature, leading to ill-defined and flawed specifications. Protocol designers really should not have to care about this problem at all, but currently they have to: giving the adversary/environment the option to not respond immediately to modeling-related requests does not translate to any real attack scenario. This paper solves the non-responsiveness problem and its negative consequences completely, by avoiding this artificial modeling problem altogether. We propose the new concepts of responsive environments and adversaries. Such environments and adversaries must provide a valid response to modeling-related requests before any other protocol/functionality is activated. Hence, protocol designers do not have to worry any longer about artifacts resulting from such requests not being answered promptly. Our concepts apply to all existing models for universal composability, as exemplified for the UC, GNUC, and IITM models, with full definitions and proofs (simulation relations, transitivity, equivalence of various simulation notions, composition theorems) provided for the IITM model.
  BibTeX
  @techreport{CamenischEnderleinKrennKuestersRausch-TR-RespEnv-2016, abstract = { In universal composability frameworks, adversaries (or environments) and protocols/ideal functionalities often have to exchange meta-information on the network interface, such as algorithms, keys, signatures, ciphertexts, signaling information, corruption-related messages. For these purely modeling-related messages, which do not reflect actual network communication, it would often be very reasonable and natural to expect that adversaries/environments provide the requested information immediately or give control back to the protocol/functionality immediately after having received some information. However, in none of the existing models for universal composability this is guaranteed. We call this the \emph{non-responsiveness problem}. As discussed in the paper, while formally non-responsiveness does not invalidate any of the universal composability models, it has many disadvantages, such as unnecessarily complex specifications and less expressivity. Also, this problem has often been ignored in the literature, leading to ill-defined and flawed specifications. Protocol designers really should not have to care about this problem at all, but currently they have to: giving the adversary/environment the option to not respond immediately to modeling-related requests does not translate to any real attack scenario. This paper solves the non-responsiveness problem and its negative consequences completely, by avoiding this artificial modeling problem altogether. We propose the new concepts of responsive environments and adversaries. Such environments and adversaries must provide a valid response to modeling-related requests before any other protocol/functionality is activated. Hence, protocol designers do not have to worry any longer about artifacts resulting from such requests not being answered promptly. Our concepts apply to all existing models for universal composability, as exemplified for the UC, GNUC, and IITM models, with full definitions and proofs (simulation relations, transitivity, equivalence of various simulation notions, composition theorems) provided for the IITM model.}, author = {Camenisch, Jan and Enderlein, Robert R. and Krenn, Stephan and K{\"u}sters, Ralf and Rausch, Daniel}, institution = {Cryptology ePrint Archive, Report 2016/034}, note = {Available at \url{http://eprint.iacr.org/2016/034}.}, title = {{Universal Composition with Responsive Environments}}, url = {https://publ.sec.uni-stuttgart.de/camenischenderleinkrennkuestersrausch-tr-respenv-2016.pdf}, year = 2016 }
  Link
  https://publ.sec.uni-stuttgart.de/camenischenderleinkrennkuestersrausch-tr-respenv-2016.pdf

Are you a student and want to write a thesis / carry out a project at the SEC?

Please see our notes on theses and projects!

Daniel Rausch

Contact

Publications

2021

Abstract

BibTeX

Link

2020

BibTeX

Abstract

BibTeX

Link

Abstract

BibTeX

Link

Abstract

BibTeX

Link

Abstract

BibTeX

Link

Abstract

BibTeX

Link

Abstract

BibTeX

Link

2019

Abstract

BibTeX

Link

Abstract

BibTeX

Link

2018

Abstract

BibTeX

Link

2017

Abstract

BibTeX

Link

Abstract

BibTeX

Link

2016

Abstract

BibTeX

Link

Abstract

BibTeX

Link

Are you a student and want to write a thesis / carry out a project at the SEC?

Here you can reach us

Audience

Formalities

Services

Services