Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

Universal composability and concurrent general composition consider a setting where secure protocols are run concurrently with each other and with arbitrary other, possibly insecure, protocols. Protocols that meet the definition of universal composability are guaranteed to remain secure even when run in this strongly adversarial setting. In the case of an honest majority, or where there is a trusted setup phase of some kind (such as a common reference string or the key-registration public-key infrastructure of Barak et al. in FOCS 2004), it has been shown that any functionality can be securely computed in a universally composable way. On the negative side, it has also been shown that in the plain model, where there is no trusted setup at all, there are large classes of functionalities which cannot be securely computed in a universally composable way without an honest majority.

In this paper, we extend these impossibility results for universal composability. We study a number of public-key models and show for which of these models the impossibility results for universal composability hold and for which they do not. We also consider a setting where the inputs to the protocols running in the network are fixed before any execution begins. The majority of our results are negative: we show that the known impossibility results for universal composability in the case of no honest majority extend to many other settings.
