Journal of Cryptology

, Volume 26, Issue 3, pp 375–441

Polynomial Runtime and Composability

  • Dennis Hofheinz
  • Dominique Unruh
  • Jörn Müller-Quade

DOI: 10.1007/s00145-012-9127-4

Cite this article as:
Hofheinz, D., Unruh, D. & Müller-Quade, J. J Cryptol (2013) 26: 375. doi:10.1007/s00145-012-9127-4


We devise a notion of polynomial runtime suitable for the simulation-based security analysis of multi-party cryptographic protocols. Somewhat surprisingly, straightforward notions of polynomial runtime lack expressivity for reactive tasks and/or lead to an unnatural simulation-based security notion. Indeed, the problem has been recognized in previous works, and several notions of polynomial runtime have already been proposed. However, our new notion, dubbed reactive polynomial time, is the first to combine the following properties:
  • it is simple enough to support simple security/runtime analyses,

  • it is intuitive in the sense that all intuitively feasible protocols and attacks (and only those) are considered polynomial-time,

  • it supports secure composition of protocols in the sense of a universal composition theorem.

We work in the Universal Composability (UC) protocol framework. We remark that while the UC framework already features a universal composition theorem, we develop new techniques to prove secure composition in the case of reactively polynomial-time protocols and attacks.

Key words

Universal composability Polynomial runtime Multi-party protocols Protocol composition 

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Dennis Hofheinz
    • 1
  • Dominique Unruh
    • 2
  • Jörn Müller-Quade
    • 3
  1. 1.Karlsruhe Institute of TechnologyKarlsruheGermany
  2. 2.University of TartuTartuEstonia
  3. 3.Karlsruhe Institute of TechnologyKarlsruheGermany

Personalised recommendations