Lower Bounds for Concurrent Self Composition

  • Yehuda Lindell
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2951)


In the setting of concurrent self composition, a single protocol is executed many times concurrently by a single set of parties. In this paper, we prove that there exist many functionalities that cannot be securely computed in this setting. We also prove a communication complexity lower bound on protocols that securely compute a large class of functionalities in this setting. Specifically, we show that any protocol that computes a functionality from this class and remains secure for m concurrent executions must have bandwidth of at least m bits. Our results hold for the plain model (where no trusted setup phase is assumed), and for the case that the parties may choose their inputs adaptively, based on previously obtained outputs. While proving our impossibility result, we also show that for many functionalities, security under concurrent self composition (where a single secure protocol is run many times) is actually equivalent to the seemingly more stringent requirement of security under concurrent general composition (where a secure protocol is run concurrently with other arbitrary protocols). This observation has significance beyond the impossibility results that are derived by it for concurrent self composition.


Keywords: Impossibility Result; Oblivious Transfer; Auxiliary Input; Honest Party; Real Execution



Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Yehuda Lindell (IBM T.J. Watson, Hawthorne, USA)
