Journal of Cryptology, Volume 24, Issue 3, pp 517–544

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

  • Dafna Kidron
  • Yehuda Lindell


Universal composability and concurrent general composition consider a setting where secure protocols are run concurrently with each other and with arbitrary other possibly insecure protocols. Protocols that meet the definition of universal composability are guaranteed to remain secure even when run in this strongly adversarial setting. In the case of an honest majority, or where there is a trusted setup phase of some kind (like a common reference string or the key-registration public-key infrastructure of Barak et al. in FOCS 2004), it has been shown that any functionality can be securely computed in a universally composable way. On the negative side, it has also been shown that in the plain model where there is no trusted setup at all, there are large classes of functionalities which cannot be securely computed in a universally composable way without an honest majority.

In this paper, we extend these impossibility results for universal composability. We study a number of public-key models and show for which models the impossibility results of universal composability hold and for which they do not. We also consider a setting where the inputs to the protocols running in the network are fixed before any execution begins. The majority of our results are negative and we show that the known impossibility results for universal composability in the case of no honest majority extend to many other settings.

Key words

Universal composability; Impossibility results; Concurrent general composition; Public-key models




  1. B. Barak, A. Sahai, How to play almost any mental game over the net—concurrent composition via super-polynomial simulation, in 46th FOCS (2005), pp. 543–552
  2. B. Barak, R. Canetti, J. Nielsen, R. Pass, Universally composable protocols with relaxed set-up assumptions, in 45th FOCS (2004), pp. 186–195
  3. B. Barak, R. Canetti, Y. Lindell, R. Pass, T. Rabin, Secure computation without authentication, in CRYPTO 2005. LNCS, vol. 3621 (Springer, Berlin, 2005), pp. 361–377
  4. B. Barak, M. Prabhakaran, A. Sahai, Concurrent non-malleable zero-knowledge, in 47th FOCS (2006), pp. 345–354
  5. D. Beaver, Foundations of secure interactive computing, in CRYPTO’91. LNCS, vol. 576 (Springer, Berlin, 1991), pp. 377–391
  6. M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation, in 20th STOC (1988), pp. 1–10
  7. R. Canetti, Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000)
  8. R. Canetti, Universally composable security: A new paradigm for cryptographic protocols, in 42nd FOCS (2001), pp. 136–145
  9. R. Canetti, Universally composable signature, certification, and authentication, in 17th Computer Security Foundations Workshop (2004), pp. 219–235
  10. R. Canetti, M. Fischlin, Universally composable commitments, in CRYPTO 2001. LNCS, vol. 2139 (Springer, Berlin, 2001), pp. 19–40
  11. R. Canetti, R. Ostrovsky, Secure computation with honest-looking parties: What if nobody is truly honest? in 31st STOC (1999), pp. 255–264
  12. R. Canetti, O. Goldreich, S. Goldwasser, S. Micali, Resettable zero-knowledge, in 32nd STOC (2000), pp. 235–244
  13. R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable two-party and multi-party computation, in 34th STOC (2002), pp. 494–503
  14. R. Canetti, E. Kushilevitz, Y. Lindell, On the limitations of universal composable two-party computation without set-up assumptions. J. Cryptol. 19(2), 135–167 (2006)
  15. D. Chaum, C. Crépeau, I. Damgård, Multi-party unconditionally secure protocols, in 20th STOC (1988), pp. 11–19
  16. I. Damgård, J.B. Nielsen, C. Orlandi, On the necessary and sufficient assumptions for UC computation, in 7th TCC. LNCS, vol. 5978 (Springer, Berlin, 2010), pp. 109–127
  17. A. Datta, A. Derek, J.C. Mitchell, A. Ramanathan, A. Scedrov, Games and the impossibility of realizable ideal functionality, in 3rd TCC. LNCS, vol. 3876 (Springer, Berlin, 2006), pp. 360–379
  18. Y. Deng, G.D. Crescenzo, D. Lin, Concurrently non-malleable zero knowledge in the authenticated public-key model. Cryptology ePrint Archive, Report #2006/314, 2006
  19. O. Goldreich, Foundations of Cryptography: Volume 2—Basic Applications (Cambridge University Press, Cambridge, 2004)
  20. O. Goldreich, S. Micali, A. Wigderson, How to play any mental game—A completeness theorem for protocols with honest majority, in 19th STOC (1987), pp. 218–229
  21. S. Goldwasser, L. Levin, Fair computation of general functions in presence of immoral majority, in CRYPTO’90. LNCS, vol. 537 (Springer, Berlin, 1990), pp. 77–93
  22. Y. Kalai, Y. Lindell, M. Prabhakaran, Concurrent general composition of secure protocols in the timing model, in 37th STOC (2005), pp. 644–653
  23. E. Kushilevitz, Y. Lindell, T. Rabin, Information-theoretically secure protocols and security under composition, in 38th STOC (2006), pp. 109–118
  24. H. Lin, R. Pass, M. Venkitasubramaniam, A unified framework for concurrent security: Universal composability from stand-alone non-malleability, in 41st STOC (2009), pp. 179–188
  25. Y. Lindell, Composition of Secure Multi-Party Protocols—A Comprehensive Study, LNCS, vol. 2815 (Springer, Berlin, 2003)
  26. Y. Lindell, General composition and universal composability in secure multi-party computation, in 44th FOCS (2003), pp. 394–403
  27. Y. Lindell, Lower bounds for concurrent self composition, in 1st Theory of Cryptography Conference (TCC). LNCS, vol. 2951 (Springer, Berlin, 2004), pp. 203–222
  28. S. Micali, P. Rogaway, Secure computation. Unpublished manuscript, 1992. Preliminary version in CRYPTO’91, LNCS, vol. 576 (Springer, Berlin, 1991), pp. 392–404
  29. R. Ostrovsky, G. Persiano, I. Visconti, Concurrent non-malleable witness indistinguishability and its applications. Cryptology ePrint Archive, Report #2006/256, 2006
  30. R. Pass, Simulation in quasi-polynomial time, and its application to protocol composition, in Eurocrypt 2003. LNCS, vol. 2656 (Springer, Berlin, 2003), pp. 160–176
  31. M. Prabhakaran, A. Sahai, New notions of security: Universal composability without trusted setup, in 36th STOC (2004), pp. 242–251
  32. A. Yao, How to generate and exchange secrets, in 27th FOCS (1986), pp. 162–167

Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

Department of Computer Science, Bar-Ilan University, Ramat Gan, Israel