On the Necessity of Rewinding in Secure Multiparty Computation

  • Michael Backes
  • Jörn Müller-Quade
  • Dominique Unruh
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4392)


We investigate whether security of multiparty computation in the information-theoretic setting implies their security under concurrent composition. We show that security in the stand-alone model proven using black-box simulators in the information-theoretic setting does not imply security under concurrent composition, not even security under 2-bounded concurrent self-composition with an inefficient simulator and fixed inputs. This in particular refutes recently made claims on the equivalence of security in the stand-alone model and concurrent composition for perfect and statistical security (STOC’06). Our result strongly relies on the question whether every rewinding simulator can be transformed into an equivalent, potentially inefficient non-rewinding (straight-line) simulator. We answer this question in the negative by giving a protocol that can be proven secure using a rewinding simulator, yet that is not secure for any non-rewinding simulator.


Statistical Security Computational Security Secure Multiparty Computation Random Tape Perfect Simulation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Backes, M., Pfitzmann, B., Waidner, M.: Secure asynchronous reactive systems. IACR Cryptology ePrint Archive 2004/082 (Mar. 2004)Google Scholar
  2. 2.
    Beaver, D.: Secure multiparty protocols and zero knowledge proof systems tolerating a faulty minority. Journal of Cryptology 4(2), 75–122 (1991)CrossRefMATHGoogle Scholar
  3. 3.
    Canetti, R.: Security and composition of multiparty cryptographic protocols. Journal of Cryptology 3(1), 143–202 (2000)CrossRefMathSciNetGoogle Scholar
  4. 4.
    Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: Proc. 42nd IEEE Symposium on Foundations of Computer Science (FOCS), pp. 136–145 (2001) Extended version in Cryptology ePrint Archive, Report 2000/67,
  5. 5.
    Dodis, Y., Micali, S.: Parallel reducibility for information-theoretically secure computation. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 74–92. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Goldreich, O.: Foundations of Cryptography – Volume 2 (Basic Applications). Cambridge University Press, Cambridge (May 2004), Previous version online available at, Google Scholar
  7. 7.
    Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game – or – a completeness theorem for protocols with honest majority. In: Proc. 19th Annual ACM Symposium on Theory of Computing (STOC), pp. 218–229. ACM Press, New York (1987)Google Scholar
  8. 8.
    Goldwasser, S., Levin, L.: Fair computation of general functions in presence of immoral majority. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 77–93. Springer, Heidelberg (1991)Google Scholar
  9. 9.
    Hofheinz, D., Müller-Quade, J., Unruh, D.: On the (im)possibility of extending coin toss. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 504–521. Springer, Heidelberg (2006), Full version online available at, CrossRefGoogle Scholar
  10. 10.
    Hofheinz, D., Unruh, D.: Comparing two notions of simulatability. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 86–103. Springer, Heidelberg (2005), Online available at, Google Scholar
  11. 11.
    Hofheinz, D., Unruh, D.: Simulatable security and polynomially bounded concurrent composition. In: IEEE Symposium on Security and Privacy, Proceedings of SSP ’06, pp. 169–182. IEEE Computer Society Press, Los Alamitos (2006), Full version online available at, Google Scholar
  12. 12.
    Kushilevitz, E., Lindell, Y., Rabin, T.: Information-theoretically secure protocols and security under composition. In: 38th Annual ACM Symposium on Theory of Computing, Proceedings of STOC 2006, pp. 109–118. ACM Press, New York (2006), Online available at, CrossRefGoogle Scholar
  13. 13.
    Lindell, Y.: Bounded-concurrent secure two-party computation without setup assumptions. In: 35th Annual ACM Symposium on Theory of Computing, Proceedings of STOC 2003, pp. 683–692. ACM Press, New York (2003)Google Scholar
  14. 14.
    Lindell, Y.: General composition and universal composability in secure multi-party computation. In: 44th Annual Symposium on Foundations of Computer Science, Proceedings of FOCS 2003, pp. 394–403. IEEE Computer Society Press, Los Alamitos (2003), Online available at, CrossRefGoogle Scholar
  15. 15.
    Lindell, Y.: Lower bounds for concurrent self composition. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 203–222. Springer, Heidelberg (2004)Google Scholar
  16. 16.
    Micali, S., Rogaway, P.: Secure computation. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 392–404. Springer, Heidelberg (1992)Google Scholar
  17. 17.
    Pfitzmann, B., Waidner, M.: Composition and integrity preservation of secure reactive systems. In: Proc. 7th ACM Conference on Computer and Communications Security, pp. 245–254. ACM, New York (2000), Extended version (with Matthias Schunter) IBM Research Report RZ 3206, May 2000, CrossRefGoogle Scholar
  18. 18.
    Pfitzmann, B., Waidner, M.: A model for asynchronous reactive systems and its application to secure message transmission. In: Proc. 22nd IEEE Symposium on Security & Privacy, pp. 184–200. IEEE, Los Alamitos (2004), Extended version of the model (with Michael Backes) IACR Cryptology ePrint Archive 2004/082, Google Scholar

Copyright information

© Springer Berlin Heidelberg 2007

Authors and Affiliations

  • Michael Backes
    • 1
  • Jörn Müller-Quade
    • 2
  • Dominique Unruh
    • 1
  1. 1.Saarland University, SaarbrückenGermany
  2. 2.Universität KarlsruheGermany

Personalised recommendations