On the Limitations of Universally Composable Two-Party Computation without Set-up Assumptions

The recently proposed universally composable (UC) security framework, for analyzing security of cryptographic protocols, provides very strong security guarantees. In particular, a protocol proven secure in this framework is guaranteed to maintain its security even when deployed in arbitrary multi-party, multi-protocol, multi-execution environments. Protocols for securely carrying out essentially any cryptographic task in a universally composable way exist, both in the case of an honest majority (in the plain model, i.e., without set-up assumptions) and in the case of no honest majority (in the common reference string model). However, in the plain model, little was known for the case of no honest majority and, in particular, for the important special case of two-party protocols. We study the feasibility of universally composable two-party function evaluation in the plain model. Our results show that very few functions can be computed in this model so as to provide the UC security guarantees. Specifically, for the case of deterministic functions, we provide a full characterization of the functions computable in this model. (Essentially, these are the functions that depend on at most one of the parties' inputs, and furthermore are "efficiently invertible" in a sense defined within.) For the case of probabilistic functions, we show that the only functions computable in this model are those where one of the parties can essentially uniquely determine the joint output.

[1]  Oded Goldreich,et al.  A randomized protocol for signing contracts , 1985, CACM.

[2]  Richard Cleve,et al.  Limits on the security of coin flips when half the processors are faulty , 1986, STOC '86.

[3]  Silvio Micali,et al.  How to play ANY mental game , 1987, STOC.

[4]  Avi Wigderson,et al.  Completeness theorems for non-cryptographic fault-tolerant distributed computation , 1988, STOC '88.

[5]  Tal Rabin,et al.  Verifiable secret sharing and multiparty protocols with honest majority , 1989, STOC '89.

[6]  Eyal Kushilevitz,et al.  A zero-one law for Boolean privacy , 1989, STOC '89.

[7]  Eyal Kushilevitz,et al.  Privacy and communication complexity , 1989, 30th Annual Symposium on Foundations of Computer Science.

[8]  Leonid A. Levin,et al.  Fair Computation of General Functions in Presence of Immoral Majority , 1990, CRYPTO.

[9]  Shafi Goldwasser,et al.  Advances in Cryptology — CRYPTO’ 88: Proceedings , 1990, Lecture Notes in Computer Science.

[10]  Moni Naor,et al.  Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[11]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[12]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[13]  Silvio Micali,et al.  Secure Computation (Abstract) , 1991, CRYPTO.

[14]  Moni Naor,et al.  Adaptively secure multi-party computation , 1996, STOC '96.

[15]  Donald Beaver,et al.  Adaptive zero knowledge and computational equivocation (extended abstract) , 1996, STOC '96.

[16]  Hugo Krawczyk,et al.  On the Composition of Zero-Knowledge Proof Systems , 1990, ICALP.

[17]  Moni Naor,et al.  Concurrent zero-knowledge , 1998, STOC '98.

[18]  Joe Kilian,et al.  On the Concurrent Composition of Zero-Knowledge Proofs , 1999, EUROCRYPT.

[19]  Silvio Micali,et al.  The All-or-Nothing Nature of Two-Party Secure Computation , 1999, CRYPTO.

[20]  Joe Kilian More general completeness theorems for secure two-party computation , 2000, STOC '00.

[21]  Juan A. Garay,et al.  Concurrent oblivious transfer , 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[22]  Rafail Ostrovsky,et al.  Reducibility and Completeness in Private Computations , 2000, SIAM J. Comput..

[23]  Moni Naor,et al.  Nonmalleable Cryptography , 2000, SIAM Rev..

[24]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[25]  Ran Canetti,et al.  Universally Composable Commitments , 2001, CRYPTO.

[26]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[27]  Yehuda Lindell,et al.  Universally composable two-party and multi-party secure computation , 2002, STOC '02.

[28]  Hugo Krawczyk,et al.  Universally Composable Notions of Key Exchange and Secure Channels , 2002, EUROCRYPT.

[29]  Jörn Müller-Quade,et al.  On Modeling IND-CCA Security in Cryptographic Protocols , 2003, IACR Cryptol. ePrint Arch..

[30]  Ran Canetti,et al.  Universally composable signature, certification, and authentication , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[31]  Yehuda Lindell,et al.  Lower Bounds for Concurrent Self Composition , 2004, TCC.

[32]  Moni Naor,et al.  Completeness in two-party secure computation: a computational view , 2004, STOC.

[33]  Donald Beaver,et al.  Secure multiparty protocols and zero-knowledge proof systems tolerating a faulty minority , 2004, Journal of Cryptology.