Universal Composition with Responsive Environments

  • Jan Camenisch
  • Robert R. Enderlein
  • Stephan Krenn
  • Ralf Küsters
  • Daniel Rausch
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10032)


In universal composability frameworks, adversaries (or environments) and protocols/ideal functionalities often have to exchange meta-information on the network interface, such as algorithms, keys, signatures, ciphertexts, signaling information, and corruption-related messages. For these purely modeling-related messages, which do not reflect actual network communication, it would often be very reasonable and natural for adversaries/environments to provide the requested information immediately or give control back to the protocol/functionality immediately after having received some information. However, in none of the existing models for universal composability is this guaranteed. We call this the non-responsiveness problem. As we will discuss in the paper, while formally non-responsiveness does not invalidate any of the universal composability models, it has many disadvantages, such as unnecessarily complex specifications and less expressivity. Also, this problem has often been ignored in the literature, leading to ill-defined and flawed specifications. Protocol designers really should not have to care about this problem at all, but currently they have to: giving the adversary/environment the option to not respond immediately to modeling-related requests does not translate to any real attack scenario.

This paper solves the non-responsiveness problem and its negative consequences completely, by avoiding this artificial modeling problem altogether. We propose the new concepts of responsive environments and adversaries. Such environments and adversaries must provide a valid response to modeling-related requests before any other protocol/functionality is activated. Hence, protocol designers do no longer have to worry about artifacts resulting from such requests not being answered promptly. Our concepts apply to all existing models for universal composability, as exemplified for the UC, GNUC, and IITM models, with full definitions and proofs (simulation relations, transitivity, equivalence of various simulation notions, and composition theorems) provided for the IITM model.


Universal composability Protocol design Cryptographic security proofs Responsive environments 


  1. 1.
    Abe, M., Ohkubo, M.: A framework for universally composable non-committing blind signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 435–450. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-10366-7_26 CrossRefGoogle Scholar
  2. 2.
    Backes, M., Dürmuth, M., Hofheinz, D., Küsters, R.: Conditional reactive simulatability. Int. J. Inf. Secur. (IJIS) 7(2), 155–169 (2008)CrossRefGoogle Scholar
  3. 3.
    Backes, M., Pfitzmann, B., Waidner, M.: The reactive simulatability (RSIM) framework for asynchronous systems. Inf. Comput. 205(12), 1685–1720 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  4. 4.
    Backes, M., Hofheinz, D.: How to break and repair a universally composable signature functionality. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 61–72. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-30144-8_6 CrossRefGoogle Scholar
  5. 5.
    Camenisch, J., Dubovitskaya, M., Haralambiev, K., Kohlweiss, M.: Composable & modular anonymous credentials: definitions and practical constructions. In: ASIACRYPT 2015 (2015)Google Scholar
  6. 6.
    Camenisch, J., Enderlein, R.R., Krenn, S., Küsters, R., Rausch, D.: Universal composition with responsive environments. Technical report, Cryptology ePrint Archive, Report 2016/034 (2016).
  7. 7.
    Canetti, R.: Universally composable signature, certification, and authentication. In: CSFW 2004, pp. 219–233. IEEE (2004)Google Scholar
  8. 8.
    Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press, October 2001. For full and previous versions
  9. 9.
    Canetti, R., Cheung, L., Kaynar, D., Liskov, M., Lynch, N., Pereira, O., Segala, R.: Time-bounded task-PIOAs: a framework for analyzing security protocols. In: Dolev, S. (ed.) DISC 2006. LNCS, vol. 4167, pp. 238–253. Springer, Heidelberg (2006). doi: 10.1007/11864219_17 CrossRefGoogle Scholar
  10. 10.
    Canetti, R., Dodis, Y., Pass, R., Walfish, S.: Universally composable security with global setup. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 61–85. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-70936-7_4 CrossRefGoogle Scholar
  11. 11.
    Canetti, R., Halevi, S., Katz, J.: Adaptively-secure, non-interactive public-key encryption. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 150–168. Springer, Heidelberg (2005). doi: 10.1007/978-3-540-30576-7_9 CrossRefGoogle Scholar
  12. 12.
    Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-45146-4_33 CrossRefGoogle Scholar
  13. 13.
    Canetti, R., Shahaf, D., Vald, M.: Universally composable authentication and key-exchange with global PKI. Cryptology ePrint Archive, Report 2014/432 (2014)Google Scholar
  14. 14.
    Chase, M., Lysyanskaya, A.: On signatures of knowledge. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 78–96. Springer, Heidelberg (2006). doi: 10.1007/11818175_5 CrossRefGoogle Scholar
  15. 15.
    Damgård, I., Hofheinz, D., Kiltz, E., Thorbek, R.: Public-key encryption with non-interactive opening. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 239–255. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-79263-5_15 CrossRefGoogle Scholar
  16. 16.
    Dowsley, R., Müller-Quade, J., Otsuka, A., Hanaoka, G., Imai, H., Nascimento, A.C.A.: Universally composable and statistically secure verifiable secret sharing scheme based on pre-distributed data. IEICE Trans. 94–A(2), 725–734 (2011)CrossRefGoogle Scholar
  17. 17.
    Freire, E.S.V., Hesse, J., Hofheinz, D.: Universally composable non-interactive key exchange. In: Abdalla, M., Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 1–20. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-10879-7_1 Google Scholar
  18. 18.
    Hazay, C., Venkitasubramaniam, M.: On black-box complexity of universally composable security in the CRS model. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 183–209. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48800-3_8 CrossRefGoogle Scholar
  19. 19.
    Hofheinz, D., Shoup, V.: GNUC: a new universal composability framework. Cryptology ePrint Archive, Report 2011/303 (2011)Google Scholar
  20. 20.
    Hofheinz, D., Unruh, D., Müller-Quade, J.: Polynomial runtime and composability. J. Cryptology 26(3), 375–441 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Kurosawa, K., Furukawa, J.: Universally composable undeniable signature. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 524–535. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-70583-3_43 CrossRefGoogle Scholar
  22. 22.
    Küsters, R.: Simulation-based security with inexhaustible interactive turing machines. In: CSFW 2006, pp. 309–320. IEEE (2006)Google Scholar
  23. 23.
    Küsters, R., Tuengerthal, M.: Joint state theorems for public-key encryption and digital signature functionalities with local computation. In: Proceedings of the 21st IEEE Computer Security Foundations Symposium (CSF 2008), pp. 270–284. IEEE Computer Society (2008)Google Scholar
  24. 24.
    Küsters, R., Tuengerthal, M.: The IITM model: a simple and expressive model for universal composability. Cryptology ePrint Archive, Report 2013/025 (2013)Google Scholar
  25. 25.
    Laud, P., Ngo, L.: Threshold homomorphic encryption in the universally composable cryptographic library. Cryptology ePrint Archive, Report 2008/367 (2008)Google Scholar
  26. 26.
    Matsuo, T., Matsuo, S.: On universal composable security of time-stamping protocols. In: IWAP 2005, pp. 169–181 (2005)Google Scholar
  27. 27.
    Maurer, U.: Constructive cryptography – a new paradigm for security definitions and proofs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 33–56. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-27375-9_3 CrossRefGoogle Scholar
  28. 28.
    Maurer, U., Renner, R.: Abstract cryptography. In: ICS 2011, pp. 1–21. Tsinghua University Press (2011)Google Scholar
  29. 29.
    Pfitzmann, B., Waidner, M.: Composition and integrity preservation of secure reactive systems. In: ACM CCS 2000, pp. 245–254. ACM Press (2000)Google Scholar
  30. 30.
    Tian, Y., Peng, C.: Universally composable secure group communication. Cryptology ePrint Archive, Report 2014/647 (2014).
  31. 31.
    Zhao, S., Zhang, Q., Qin, Y., Feng, D.: Universally composable secure tnc protocol based on IF-T binding to TLS. In: Au, M.H., Carminati, B., Kuo, C.-C.J. (eds.) NSS 2014. LNCS, vol. 8792, pp. 110–123. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-11698-3_9 Google Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Jan Camenisch
    • 1
  • Robert R. Enderlein
    • 1
    • 2
  • Stephan Krenn
    • 3
  • Ralf Küsters
    • 4
  • Daniel Rausch
    • 4
  1. 1.IBM Research – ZurichRüschlikonSwitzerland
  2. 2.Department of Computer Science, ETH ZürichZürichSwitzerland
  3. 3.AIT Austrian Institute of Technology GmbHViennaAustria
  4. 4.University of TrierTrierGermany

Personalised recommendations