Everlasting UC Commitments from Fully Malicious PUFs

Everlasting security models the setting where hardness assumptions hold during the execution of a protocol but may get broken in the future. Due to the strength of this adversarial model, achieving any meaningful security guarantees for composable protocols is impossible without relying on hardware assumptions (Müller-Quade and Unruh, JoC’10). For this reason, a rich line of research has tried to leverage physical assumptions to construct well-known everlasting cryptographic primitives, such as commitment schemes. The only known everlastingly UC-secure commitment scheme, due to Müller-Quade and Unruh (JoC’10), assumes honestly generated hardware tokens. The authors leave the possibility of constructing everlastingly UC-secure commitments from malicious hardware tokens as an open problem. Goyal et al. (Crypto’10) construct unconditionally UC-secure commitments and secure computation from malicious hardware tokens, with the caveat that the honest tokens must encapsulate other tokens. This extra restriction rules out interesting classes of hardware tokens, such as physically uncloneable functions (PUFs). In this work, we present the first construction of an everlastingly UC-secure commitment scheme in the fully malicious token model without requiring honest token encapsulation. Our scheme assumes the existence of PUFs and is secure in the common reference string model. We also show that our results are tight by giving an impossibility proof for everlasting UC-secure computation from non-erasable tokens (such as PUFs), even with trusted setup.


Introduction
The security of almost all cryptographic schemes relies on certain hardness assumptions. These assumptions are believed to hold right now, and researchers are even fairly certain that they will not be broken in the near future. It is widely believed, for example, that the computational Diffie-Hellman and the RSA assumptions hold in certain groups. But what about the security of these assumptions in 10, 20, or 100 years? Can we give any formal security guarantees for current constructions that remain valid in the distant future? This is certainly possible for information-theoretic schemes and properties. However, given that many interesting functionalities are impossible to realize in an information-theoretic sense, this leaves us in a very unsatisfactory situation.
To overcome this problem, Müller-Quade and Unruh suggested a novel security notion widely known as everlasting universal composability security [26] (building on the work of Rabin on virtual satellites [34]). The basic idea of this security notion is to bound the running time of the attacker only during the protocol execution. After the protocol run is over, the attacker may run in super-polynomial time. This models the intuition that computational assumptions are believed to hold right now, and therefore during the protocol run, but that at some point in the future they may no longer hold. Everlasting UC security refers to a composable protocol that remains secure in these settings. The everlasting UC security model has also been considered for quantum protocols [35]. Everlasting UC security is clearly a very desirable security notion, and since it is strictly weaker than statistical UC security, one may hope that it is easier to achieve. However, Müller-Quade and Unruh showed that everlasting UC commitments cannot be realized, not even in the common reference string (CRS) model or with a public-key infrastructure (PKI) [27].

Everlasting UC Security From Hardware Assumptions The stark impossibility result of Müller-Quade and Unruh raises the question of whether the notion is achievable at all. The authors answered this question affirmatively by presenting two constructions based on hardware assumptions. The first construction is based on a tailor-made hardware token that embeds a random oracle. The second construction relies on signature cards [27]. However, both constructions assume that the hardware token is honestly generated.
The authors left open the question whether it is possible to achieve everlasting security in the setting of maliciously generated hardware tokens. Goyal et al. [18] construct unconditionally UC-secure commitments and secure computation (as opposed to everlasting) from malicious hardware tokens. However, the construction of [18] requires honest tokens to encapsulate other tokens, ruling out some classes of hardware tokens such as physically uncloneable functions (PUFs).

Physically Uncloneable Functions (PUFs) In this work, we present an everlastingly UC-secure commitment scheme assuming the existence of PUFs. Loosely speaking, PUFs are physical objects that can be queried by mapping an input to a physical stimulus and mapping the resulting observable behaviour back to an output. The crucial properties of a PUF are (i) that it should be hard (if not impossible) to clone and (ii) that it should be hard to predict the output on any input without first querying the PUF on a close enough input.
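To make these two properties concrete, the following toy Python model treats a PUF as a fixed random function with a small amount of per-query response noise: repeated queries on the same challenge are close in Hamming distance, while responses to distinct challenges, or from a different PUF instance, are far apart. This is purely illustrative (all names and parameters are our own); a real PUF derives this behaviour from physical manufacturing variation and cannot be written down as code.

```python
import hashlib
import os
import random

class ToyPUF:
    """Toy software stand-in for a PUF: a fixed random function plus a
    few bits of per-query measurement noise. Illustration only."""

    def __init__(self, noise_bits: int = 2, out_len: int = 32):
        self.secret = os.urandom(32)   # models the uncloneable physical structure
        self.noise_bits = noise_bits
        self.out_len = out_len

    def query(self, challenge: bytes) -> bytes:
        base = bytearray(hashlib.sha256(self.secret + challenge).digest()[: self.out_len])
        # flip up to `noise_bits` random bits to model noisy measurements
        for _ in range(random.randint(0, self.noise_bits)):
            i = random.randrange(self.out_len * 8)
            base[i // 8] ^= 1 << (i % 8)
        return bytes(base)

def hamming(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length bytestrings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))
```

Honest parties can fuzzy-match two responses to the same challenge (they differ in at most 2·noise_bits of 256 positions), whereas predicting the response to a fresh challenge without the physical object amounts to guessing.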

Our Contributions
We initiate the study of everlasting UC security in the setting of maliciously generated hardware tokens, such as PUFs. Our model extends the frameworks of [4,8] by introducing fully malicious hardware tokens: their state is not a priori bounded, the generator of a token can install arbitrary code inside it, and a token can encapsulate (and decapsulate) other (possibly fully malicious) tokens within itself. Our contributions can be summarized as follows:
• Aiming at bridging the gap between hardware tokens and PUFs, we propose a unified ideal functionality for fully malicious tokens that is general enough to capture hardware devices with arbitrary functionalities, such as PUFs and signature cards.
• We put forward a novel definition for unpredictability of PUFs. We argue that the formalization from prior works [3,24,30] is not sufficient for our setting because it does not exclude adversaries that may indeed predict the PUF responses for values never queried to the PUF. We demonstrate this fact in Sect. 4.1.1 by giving a concrete counterexample.
• We show with an impossibility result that one cannot hope to achieve everlastingly secure oblivious transfer (OT) (and therefore secure computation) in the malicious token setting by using non-erasable (honestly generated) tokens; non-erasable tokens can keep a state but are not allowed to erase previous states.
• Finally, we present an everlastingly UC-secure commitment scheme in the fully malicious token model. Our protocol assumes the existence of PUFs and allows the PUF to be reused for polynomially many runs of the protocol. Our cryptographic building blocks can be instantiated from standard computational assumptions, such as the learning with errors (LWE) problem.

Related Work
Everlasting and Memory Bound Adversaries Everlasting security was first considered in the setting of memory-bounded adversaries [6,10], and later extended to the UC setting by Müller-Quade and Unruh [27]. Rabin [34] suggested a construction using distributed servers of randomness, called virtual satellites, to achieve everlasting security.
The resulting scheme remains secure if the attacker that accesses the communication between the parties and the distributed servers is polynomially bounded during the key exchange. Dziembowski and Maurer [15] showed that protocols in the bounded storage model do not necessarily stay secure when composed with other protocols.
Damgård [11] presented a statistical zero-knowledge protocol secure under concurrent composition. Although counterintuitive, statistical zero-knowledge may lose its everlasting property under composition. This was illustrated in [27] for statistically hiding UC commitments [16], which were shown to leak secrets under (even sequential) composition; they are composable and statistically hiding, but not at the same time (i.e. the composability only holds for the computational hiding property, intuitively). Technically, the reason for this is that the common reference string used by the simulator is not statistically indistinguishable. For the same reason, the protocol of Damgård [11] does not directly translate into an everlasting commitment scheme: for this specific case, the gap consists in extracting the witness from adversarial proofs using a common reference string that is statistically close to the honestly sampled one.

(Malicious) Hardware Tokens A model proposed in [22] allows parties to build hardware tokens to compute functions of their choice, such that an adversary, given a hardware token T for a function F, can only observe the input and output behaviour of T. The motivation is that the existence of tamper-proof hardware can be viewed as a physical assumption, rather than a trust assumption. The authors show how to implement UC-secure two-party computation using stateful tokens, under the DDH assumption. Shortly after, Moran and Segev [28] showed that in the hardware token model of [22] even unconditionally secure UC commitments are possible using stateful tokens. This result was later extended by [19] to unconditionally UC-secure computation, also using stateful tokens.
One limitation of the model of [22] is the assumption that all parties (including the adversary) know the code running inside any hardware token they produce; this assumption gives extra power to the simulator, allowing it to rewind the hardware token in the proofs of [19,22,28]. However, this assumption rules out real scenarios where the adversary creates a new hardware token that simply "encapsulates" a hardware token it received from some party, without knowing the code running inside it.
In this direction, Chandran et al. [8] extended the model of [22] to allow the hardware tokens produced by the adversary to be stateful, to encapsulate other tokens, and to be passed on to other parties. They constructed a computationally secure UC commitment protocol without setup, assuming the existence of stateless hardware tokens (signature cards). Unfortunately, the construction of [8] cannot fulfil the notion of unconditional (or everlasting) security, since it requires perfectly binding, and therefore only computationally hiding, commitments as a building block.
Goyal et al. [18], following the model of [8], prove that statistically secure OT from stateless tokens is possible if (honest) tokens can encapsulate other tokens. However, honest token encapsulation is highly undesirable in practice, and in particular not even compatible with PUFs, as they are physical objects. Interestingly, the authors also show that statistically secure OT (and therefore secure computation) is impossible to achieve when one considers only stateless tokens that cannot be encapsulated. To circumvent this impossibility result, Döttling et al. [13,14] studied the feasibility of secure computation in the stateful token model, where the adversary is not allowed to rewind the token arbitrarily. Although this model has practical significance, it does not cover certain classes of hardware tokens, such as PUFs. Later, a rich line of research investigated the round complexity of secure computation using stateless hardware tokens [20,25] in the computational setting; unfortunately, it seems that the security guarantees of these works do not carry over to the everlasting setting. The authors of [17] have made partial progress on this question, presenting a commitment scheme with unconditional security based on PUFs. However, as shown by [4] in the form of an attack, the construction of [17] completely breaks when the adversary is allowed to generate encapsulated PUFs. Dachman-Soled, Fleischhacker, Katz, Lysyanskaya, and Schröder [12] investigated the possibility of secure two-party computation based on malicious PUFs. Badrinarayanan, Khurana, Ostrovsky, and Visconti [4] introduced a model where the adversary is allowed to generate malicious PUFs that encapsulate other PUFs; the outer PUF has oracle access to all its inner PUFs. The security of their scheme assumes a bound on the memory of adversarially generated PUFs.
In Table 1, we show a comparison of UC schemes based on malicious hardware tokens (including PUFs).

Technical Overview
In the following, we give an informal overview of our everlasting UC commitment construction, and we introduce the main ideas behind our proof strategy. Besides PUFs, our protocol assumes the existence of the following cryptographic building blocks:
• A non-interactive statistically hiding (NI-SH) UC-secure commitment (Com).
• A strong randomness extractor H .
• A 2-round statistically receiver-private UC-secure oblivious transfer (OT).
• A statistical witness-indistinguishable argument of knowledge (SWIAoK).
The message flow of our protocol is shown in Fig. 1. The protocol is executed by a committer (Alice) and a recipient (Bob). We assume that both parties have access to a uniformly sampled common reference string that contains a random image of a one-way permutation, y = f(x).

Protocol Overview At the beginning of a commitment execution, Bob prepares a series of random string-pairs (p_i^0, p_i^1) and queries them to the PUF to obtain the corresponding pairs (q_i^0, q_i^1); the PUF is then transferred to Alice. Here, we make the simplifying assumption that a PUF is used only for a single run of the commitment. Note, however, that one can reuse the same PUF by having Bob compute as many tuples (p_i^0, p_i^1) as needed, and query the PUF on all of these values before passing it to Alice.
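Bob's setup step can be sketched as follows. This is a minimal illustration, assuming a noiseless toy PUF (a real PUF is a physical object with noisy responses); all names are hypothetical.

```python
import hashlib
import os

# Noiseless toy PUF for illustration: a fixed secret stands in for the
# physical object that will later be handed over to Alice.
PUF_SECRET = os.urandom(32)

def puf(challenge: bytes) -> bytes:
    return hashlib.sha256(PUF_SECRET + challenge).digest()

def bob_setup(n: int):
    """Bob samples n random string-pairs (p_i^0, p_i^1), queries the PUF on
    all of them to record the responses (q_i^0, q_i^1), and only then hands
    the PUF over to Alice. Pre-querying enough pairs is what allows the
    same PUF to be reused across polynomially many protocol runs."""
    pairs = [(os.urandom(16), os.urandom(16)) for _ in range(n)]
    responses = [(puf(p0), puf(p1)) for p0, p1 in pairs]
    return pairs, responses
```

Once the PUF is in Alice's hands, Bob can no longer query it, which is why he must record all responses up front.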
Alice samples a random string k ∈ {0,1}^{ℓ(λ)} and engages Bob in ℓ(λ) parallel OT instances, from which Alice receives p_i^{k_i}, where k_i denotes the i-th bit of k. Alice queries the strings p_i^{k_i} to the PUF and sends to Bob:
• a set of NI-SH commitments (com_1, ..., com_{ℓ(λ)}) to the outputs of the PUF,
• an NI-SH commitment com to m, and
• the string ω := H(seed, k) ⊕ (m‖decom).
Alice then produces a SWIAoK that certifies that either (i) all of her messages were honestly generated, or (ii) she knows a pre-image x such that f (x) = y.
The idea here is that, if an algorithm recovers k, then it can also recompute H(seed, k) and extract the message m. Note that the value of k is "encoded" in the OT choice bits of Alice for the p_i^{k_i}, and those values are queried by Alice to the PUF. Therefore, an extractor that sees the queries of Alice can easily recover the message m. What is not clear at this point is how to force Alice to query the PUF on the correct p_i^{k_i} and not on some other random string. For this reason, we introduce an additional authentication step where Bob publishes all the pairs (q_i^0, q_i^1). In the opening phase, Alice proves (with a SWIAoK) to Bob that the vector of commitments sent in the previous interaction indeed opens to q_1^{k_1}, ..., q_{ℓ(λ)}^{k_{ℓ(λ)}}, up to small errors (or she knows the pre-image of y). Intuitively, Alice cannot convince Bob without querying all the p_i^{k_i}, since she would need to guess some q_i^{k_i} without knowing the pre-image p_i^{k_i} (due to the security of the OT). In the proof, the extractor can recover k by just looking at the queries Alice made to the PUF.
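Alice's commit message can be sketched as below. This is a minimal model, assuming a noiseless PUF and with the OT abstracted as direct selection and the NI-SH commitments and SWIAoK omitted; all names (H, alice_commit, the one-bit-per-byte encoding of k) are our own simplifications.

```python
import hashlib
import os
import random

def H(seed: bytes, k: bytes) -> bytes:
    # stand-in for the strong randomness extractor
    return hashlib.sha256(seed + k).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def alice_commit(m: bytes, pairs, puf, seed: bytes):
    """Alice picks k, obtains p_i^{k_i} (here selected directly; in the
    protocol this is delivered by the i-th OT), queries the PUF on those
    strings, and one-time-pads the message with H(seed, k)."""
    n = len(pairs)
    k_bits = [random.randrange(2) for _ in range(n)]
    puf_queries = [pairs[i][k_bits[i]] for i in range(n)]
    puf_answers = [puf(q) for q in puf_queries]     # committed to via com_i
    k = bytes(k_bits)                               # toy encoding: one bit per byte
    omega = xor(H(seed, k), m.ljust(32, b"\x00"))   # pads m (here at most 32 bytes)
    return k_bits, puf_queries, puf_answers, omega
```

Anyone who learns k recovers the message as xor(omega, H(seed, k)), which is exactly the handle the extractor uses.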
To see why the commitment is hiding, it is sufficient to observe that k hides the message in an information-theoretic sense, under the assumption that the OT and SWIAoK protocols are secure. One subtlety that we need to address is that some bits of k might be revealed by the aborts of Alice. For this reason, we one-time-pad the message m with H(seed, k): the strong randomness extractor guarantees that the value H(seed, k) is still uniformly distributed even if some bits of k are leaked.

Proof Sketch (Hiding) We show that our commitment scheme is hiding through a series of hybrids, where at the last step Alice can equivocate the commitment to any message of her choice. Note that every step is information-theoretic.
H1: Alice uses x, the pre-image of y, as a witness to compute the SWIAoK. Since the AoK is statistically witness indistinguishable, this hybrid is statistically close to the original protocol.
H2: Alice uses the simulator for the OT protocols and extracts both values (p_i^0, p_i^1). Since the OT is statistically receiver-private, this hybrid is statistically close to the previous one. In the full proof, this is shown via a hybrid argument.
H3: Alice computes each com_i as a commitment to a random string. A hybrid argument can be used to bound the distance of this hybrid from the previous one by the statistically hiding property of the commitment scheme.
H4: Alice chooses the value of k for all sessions upfront. Here, the change is only syntactical.
H5: Alice no longer queries the PUF token but instead checks that the output pairs (q_i^0, q_i^1) sent by Bob correspond to the correct outputs of the PUF on input (p_i^0, p_i^1). Note that the state of the PUF is fixed once the PUF is sent to Alice, and therefore the consistency of all pairs (q_i^0, q_i^1) is well defined. The relation is not efficiently computable by Alice, but for information-theoretic security the fact that it is defined is enough. Since Alice retains the ownership of the PUF, this hybrid is identical to the previous one.
H6: Alice samples ω uniformly at random. Note that at this point the leakage of k is bounded by whether Alice aborts or not. Since Alice aborts at most once and since there are at most polynomially many sessions, we can bound the leakage of k to O(log λ) bits. Leveraging the randomness extractor H, we can argue that this hybrid is statistically indistinguishable from the previous one.
H7: Alice opens the commitment to a message of her choice. Note that in the previous hybrid the original message m is already information-theoretically hidden.

Proof Sketch (Binding) To argue that the scheme is binding, we define the following extractor: the algorithm examines the list of queries made by Alice to the PUF and, for each i, checks whether some query q is equal to p_i^b (for b ∈ {0,1}); if this is the case, then it sets k_i = b.
Once the full k is reconstructed, the extractor computes ω ⊕ H(seed, k) = m‖decom and outputs m. To show that the extractor always succeeds, we need to argue the following:
1. The value of k is always well defined: if some query q = p_i^0 and some other query q′ = p_i^1, then the bit k_i is not well defined. However, this means that Alice learned both p_i^0 and p_i^1 from the OT protocol, which is computationally infeasible.
2. The string k is always fully reconstructed: if no query q is equal to p_i^0 or p_i^1, then the i-th bit of k is not defined. This implies that Alice never queried p_i^0 or p_i^1 to the PUF. However, note that Alice must produce a commitment com_i to either PUF(p_i^0) or PUF(p_i^1) and prove consistency. This is clearly not possible without querying the PUF, unless Alice breaks the binding of the commitment or proves a false statement in the SWIAoK. To establish the latter, we also need to rule out the case where Alice computes the SWIAoK using the knowledge of x, the pre-image of y. In the full proof, we show this via a reduction against the one-wayness of the one-way permutation f.
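The extractor's scan over Alice's query list can be sketched as follows (a toy model with our own names and padding conventions; the two error branches correspond exactly to the two events argued above):

```python
import hashlib

def H(seed: bytes, k: bytes) -> bytes:
    # stand-in for the strong randomness extractor
    return hashlib.sha256(seed + k).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def extract(pairs, puf_queries, omega, seed: bytes) -> bytes:
    """Binding-extractor sketch: scan Alice's PUF queries and set k_i = b
    whenever some query equals p_i^b, then unmask omega with H(seed, k)."""
    qset = set(puf_queries)
    k_bits = []
    for p0, p1 in pairs:
        if p0 in qset and p1 in qset:
            # Alice learned both OT messages: breaks sender security of the OT
            raise ValueError("k_i not well defined")
        if p0 in qset:
            k_bits.append(0)
        elif p1 in qset:
            k_bits.append(1)
        else:
            # Alice never queried either value: breaks the commitment/SWIAoK
            raise ValueError("k_i cannot be reconstructed")
    pad = H(seed, bytes(k_bits))                 # toy encoding: one bit per byte
    return xor(omega, pad).rstrip(b"\x00")       # recovers m (toy padding)
```

In the proof, both error branches are shown to occur with negligible probability, so the extractor recovers the committed message from the query list alone.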
We are now in the position to show that the extracted message m is identical to the one that Alice decommits to. Recall that Alice proves that she committed to the values PUF(p_i^{k_i}) such that ω ⊕ H(seed, k) = m‖decom. It follows that, if k is uniquely defined, then the extractor always returns the correct m, unless Alice breaks the soundness of the SWIAoK (or inverts the one-way permutation). By the above conditions, this happens with all but negligible probability.

On the Common Reference String Our protocol needs to assume the existence of a common reference string to equivocate commitments in the security proof: having access to the generation of the CRS, the simulator can craft proofs for false statements, simulate the OT, and extract the commitments. Note that the simulation has to be "straight-line", since we cannot rewind the adversary in the UC framework. A previous work [29] circumvented this issue by leveraging some computationally hard problem. Unfortunately, this class of techniques does not seem to apply to the everlasting setting, since the environment can distinguish a simulated trace once it becomes unbounded. The work of [17] builds unconditionally secure commitments from PUFs without a CRS, but as shown by [4], the construction breaks down in our model, where the adversary is allowed to generate encapsulated PUFs. It is not clear whether the techniques of [17] can be adapted to our setting. We leave the question of removing the necessity of a common reference string from our protocol as a fascinating open problem.

Preliminaries
In the following, we introduce the notation and the building blocks necessary for our results.

Notations
An algorithm A is probabilistic polynomial time (PPT) if A is randomized and for any input x, r ∈ {0,1}* the computation of A(x; r) terminates in at most poly(|x|) steps. We denote by λ ∈ N the security parameter. A function negl is negligible if, for any positive polynomial p and sufficiently large k, negl(k) < 1/p(k). A relation R ⊆ {0,1}* × {0,1}* is an NP relation if there is a polynomial-time algorithm that decides (x, w) ∈ R. If (x, w) ∈ R, then we call x the statement and w a witness for x. We denote by hd(x, x′) the Hamming distance between two bitstrings x and x′. Given two ensembles X = {X_λ}_{λ∈N} and Y = {Y_λ}_{λ∈N}, we write X ≈ Y to denote that the two ensembles are statistically indistinguishable, and X ≈_c Y to denote that they are computationally indistinguishable. We denote the set {1, ..., n} by [n]. We recall the definition of statistical distance.
Definition 1. (Statistical Distance) Let X and Y be two random variables over a finite set U. The statistical distance between X and Y is defined as Δ(X, Y) := (1/2) Σ_{u∈U} |Pr[X = u] − Pr[Y = u]|.
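For small finite distributions, the statistical distance can be computed directly; a minimal sketch (our own helper, representing a distribution as an outcome-to-probability dictionary):

```python
def statistical_distance(X: dict, Y: dict) -> float:
    """Delta(X, Y) = (1/2) * sum over u of |Pr[X = u] - Pr[Y = u]|,
    for two distributions over a finite set, given as
    {outcome: probability} dictionaries."""
    support = set(X) | set(Y)
    return sum(abs(X.get(u, 0.0) - Y.get(u, 0.0)) for u in support) / 2
```

The distance is 0 for identical distributions and 1 for distributions with disjoint support, matching the intuition that it equals the best possible distinguishing advantage of an unbounded distinguisher.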

Cryptographic Building Blocks
One-Way Function A one-way function is a function that is easy to compute and hard to invert. It is the building block of almost all known cryptographic primitives. Formally, f is one-way if it is computable in polynomial time and, for every PPT algorithm A, Pr[f(A(1^λ, f(x))) = f(x)] ≤ negl(λ), where the probability is taken over the random choice of x ∈ {0,1}^λ and the coins of A. Moreover, we say that f is a one-way permutation whenever f is a bijection (in particular, its domain and range are of the same size). For commitment schemes, we assume for convenience that the verification is deterministic and canonical (i.e. it takes as input the random coins used in the commitment phase and checks whether the commitment was correctly computed).

Non-interactive Commitment Scheme
We require commitments to be (stand-alone) statistically hiding. Let A be a non-uniform adversary against C and define its hiding-advantage as Adv_C^{hiding}(A) := |Pr[A(Com(m_0)) = 1] − Pr[A(Com(m_1)) = 1]|, where m_0 and m_1 are two messages chosen by A and the probability is taken over the random coins of Com. Furthermore, we require the commitments to be UC-secure: roughly speaking, an equivocator (with the help of a trapdoor in the CRS) can open the commitments arbitrarily.
On the other hand, we require the existence of a computationally indistinguishable CRS (in extraction mode) where commitments are statistically binding and can be efficiently extracted via the knowledge of a trapdoor. Such commitments can be constructed in the CRS model from a variety of assumptions [32], including the learning with errors (LWE) problem. For a precise functionality, we refer the reader to Sect. 3.3.
Oblivious Transfer A 1-out-of-2 oblivious transfer (OT) is a protocol executed between two parties, a sender S (i.e. Bob) with inputs (s_0, s_1) and a receiver R (i.e. Alice) with choice bit b. Alice wishes to retrieve s_b from Bob in such a way that Bob does not learn anything about Alice's choice b and Alice learns nothing about Bob's remaining input s_{1−b}. In this work, we require a 2-round protocol (Sender_OT, Receiver_OT) secure in the CRS model, which satisfies (stand-alone) statistical receiver privacy. We define the advantage Adv_S^{OT}(A) of a malicious sender A in breaking the receiver's privacy as the advantage of A in distinguishing the receiver's message computed with choice bit 0 from the one computed with choice bit 1.
Definition 4. (Statistical Receiver Privacy) (Sender_OT, Receiver_OT) is statistically receiver-private if the advantage function Adv_S^{OT} is negligible for all unbounded adversaries A.
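The OT interface, as used by our protocol, is easiest to see via its ideal functionality, modeled as a trusted third party (a sketch with our own names; real instantiations are the 2-round CRS-based protocols discussed below):

```python
def ideal_ot(sender_inputs, choice_bit: int):
    """Ideal 1-out-of-2 OT as a trusted party: the receiver obtains s_b and
    learns nothing about s_{1-b}; the sender learns nothing about b."""
    s0, s1 = sender_inputs
    return s1 if choice_bit else s0

def parallel_ot(pairs, choice_bits):
    """The parallel OT instances of our protocol: the sender (Bob) inputs
    the pairs (p_i^0, p_i^1) and the receiver (Alice) her choice bits k_i;
    Alice learns exactly one string per pair."""
    return [ideal_ot(pair, b) for pair, b in zip(pairs, choice_bits)]
```

In the real protocol, statistical receiver privacy is what keeps Alice's choice bits, and hence k, hidden even from an unbounded Bob.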
In addition, we require our OT to be UC-secure: for a well-formed CRS, there exists an efficient equivocator that can (non-interactively) recover both messages of the sender. Furthermore, there exists an alternative CRS distribution (which is computationally indistinguishable from the original one) and an efficient non-interactive extractor that is able to uniquely recover the message of the receiver using the knowledge of a trapdoor. Such 2-round OT can be constructed from a variety of assumptions [31], including LWE [33]. For a precise description of the ideal functionality, we refer the reader to Sect. 3.3.

Statistical Witness-Indistinguishable Argument of Knowledge (SWIAoK) A witness-indistinguishable argument is a proof system for languages in NP that does not leak any information about which witness the prover used, not even to a malicious verifier. If soundness holds against PPT provers, we call such a system an argument system, and if it holds against unbounded provers, we call it a proof system. For witness-indistinguishable arguments of knowledge, we formally introduce the following notation to represent interactive executions between algorithms P and V. By ⟨P(y), V(z)⟩(x), we denote the view (i.e. inputs, internal coin tosses, incoming messages) of V when interacting with P on common input x, when P has auxiliary input y and V has auxiliary input z. Some of the following definitions are based on [29].

Definition 5. (Witness Relation)
A witness relation for an NP language L is a binary relation R that is polynomially bounded, polynomial-time recognizable, and characterizes L by L = {x : ∃w s.t. (x, w) ∈ R}. We say that w is a witness for x ∈ L if (x, w) ∈ R.
Definition 6. (Interactive Argument System) A two-party game ⟨P, V⟩ is called an interactive argument system for a language L if P, V are PPT algorithms and the following two conditions hold:
• Completeness: For every x ∈ L with witness w, Pr[⟨P(w), V⟩(x) = 1] = 1.
• Soundness: For every x ∉ L and every PPT algorithm P*, there exists a negligible function negl(·) such that Pr[⟨P*, V⟩(x) = 1] ≤ negl(|x|).

Definition 7. (Witness Indistinguishability)
Let L ∈ NP and (P, V) be an interactive argument system for L with perfect completeness. The proof system (P, V) is witness indistinguishable (WI) if, for every PPT algorithm V*, and every two sequences {w_x^1}_{x∈L} and {w_x^2}_{x∈L} such that (x, w_x^1), (x, w_x^2) ∈ R, the ensembles {⟨P(w_x^1), V*(z)⟩(x)}_{x∈L, z∈{0,1}*} and {⟨P(w_x^2), V*(z)⟩(x)}_{x∈L, z∈{0,1}*} are computationally indistinguishable. If the two ensembles are statistically indistinguishable (for unbounded V*), we call the system statistically witness indistinguishable. Next, we define the notion of extractability for SWIAoKs.

Definition 8. (Argument of Knowledge)
Let L ∈ NP and (P, V) be an interactive argument system for L with perfect completeness. The proof system (P, V) is an argument of knowledge (AoK) if there exists a PPT algorithm Ext, called the extractor, a polynomial p, and a constant c such that, for every PPT machine P*, every x ∈ L, auxiliary input z, and random coins r, there exists a negligible function negl such that, whenever P*(z; r) convinces V on x with probability ε, the extractor Ext, given oracle access to P*(z; r), outputs a witness w with (x, w) ∈ R with probability at least ε^c / p(|x|) − negl(|x|).

Strong Randomness Extractor A strong randomness extractor is a function that, applied to some input with high min-entropy, returns a (close to) uniformly distributed element in the range.
Definition 9. (Strong Randomness Extractor) A function H : {0,1}^d × {0,1}^n → {0,1}^c is a (t, ε)-strong randomness extractor if, for every distribution X over {0,1}^n with min-entropy H_∞(X) ≥ t, we have that (seed, H(seed, X)) ≈_ε (seed, U_c), where seed is uniform over {0,1}^d, U_c is uniform over {0,1}^c, and ≈_ε denotes statistical distance at most ε. The quantity L = t − c is called the entropy loss of H.
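A classical instantiation is a universal hash family, which the leftover hash lemma turns into a strong extractor. The sketch below (toy parameters, our own function name) uses random inner products over GF(2): output bit j is the parity of the source ANDed with the j-th seed block.

```python
import os

def ip_extract(seed: bytes, x: bytes, out_bits: int) -> int:
    """Strong-extractor sketch via random GF(2) inner products: output bit j
    is the parity of x AND the j-th block of the seed. This family is
    universal, so by the leftover hash lemma its output is eps-close to
    uniform whenever the source has min-entropy at least
    out_bits + 2*log2(1/eps). Toy parameters, illustration only."""
    n = len(x)
    assert len(seed) >= out_bits * n, "seed too short"
    xi = int.from_bytes(x, "big")
    out = 0
    for j in range(out_bits):
        row = int.from_bytes(seed[j * n:(j + 1) * n], "big")
        out = (out << 1) | (bin(row & xi).count("1") & 1)  # parity of <row, x>
    return out
```

Each output bit is a GF(2)-linear function of x for a fixed seed, so the map satisfies ip_extract(seed, x ⊕ y) = ip_extract(seed, x) ⊕ ip_extract(seed, y), a convenient sanity check on the implementation.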

Universal Composability Framework
In this section, we recall the basics of the Universal Composability (UC) framework of Canetti [5], and later we discuss the Everlasting Universal Composability framework, following [27] closely. We refer the reader to [5,27] for a more comprehensive description.

Basics of the UC Framework
Our description of the UC framework follows [27] closely. The composition of two provably secure protocols does not necessarily preserve their security; the resulting protocol may no longer be secure. A framework that analyses the security of composed protocols and is able to provide security guarantees is the Universal Composability (UC) framework due to Canetti [5].
The main idea of this security notion is to compare a real protocol π with some ideal protocol ρ. In most cases, this ideal protocol ρ will consist of a single machine, a so-called ideal functionality. Such a functionality can be seen as a trusted machine that implements the intended behaviour of the protocol. For example, a functionality F for commitment would expect a value m from a party C. Upon receipt of that value, the recipient R would be notified by F that C has committed to some value (but F would not reveal that value). When C sends an unveil request to F, the value m will be sent to R (but F will not allow C to unveil a different value).
Given a real protocol π and an ideal protocol ρ, we say that π realizes ρ (also called "implements", "emulates", or "is as secure as") if for any adversary A attacking the protocol π there is a simulator S performing an attack on the ideal protocol ρ such that no environment Z can distinguish between π running with A and ρ running with S. Here, Z may choose the protocol inputs, read the protocol outputs, and communicate with the adversary or simulator (but Z is, of course, not informed whether it communicates with the adversary or the simulator). Two aspects of this definition deserve emphasis: first, the environment may communicate with the adversary during the protocol execution; second, the environment does not need to choose the inputs at the beginning of the protocol execution, but may adaptively send inputs to the protocol parties at any time, and it may choose these inputs depending on the outputs and the communication with the adversary. These properties are the reason for the very strong composability guarantees of the UC model.

Network Execution In the UC framework, all protocol machines and functionalities, as well as the adversary, the simulator, and the environment, are modelled as interactive Turing machines (ITMs). Throughout a protocol execution, an integer k called the security parameter is accessible to all parties. At the beginning of the execution of a network consisting of π, A, and Z, the environment Z is invoked with an initial input z. From then on, every machine M that is activated can send a message m to a single other machine M′. Then that machine M′ is activated and given the message m and the id of the originator M. If in some activation a machine does not send a message, the environment Z is activated again. Additionally, the environment may issue corruption requests for some party P. From then on, the machines corresponding to the party P are controlled by the adversary (i.e.
it can send and receive messages in the name of that machine, and it can read the internal state of that machine). Finally, at some point the environment Z gives some output m which can be an arbitrary string. By EXC π,A,Z (k, z) we denote the distribution of that output m on security parameter k and initial input z. Analogously, we define EXC ρ,S,Z (k, z) for an execution involving the protocol ρ, the simulator S, and the environment Z.
We distinguish two different flavours of corruption. We speak of static corruption if the environment Z may only send corruption requests before the beginning of the protocol, and of adaptive corruption if Z may send corruption requests at any time in the protocol, even depending on messages learned during the execution. In this paper, we restrict our attention to the less strict security model using static corruption. We leave the case of adaptive corruptions, in which the environment may corrupt any party adaptively during the execution of the protocol, as an interesting open problem.

UC Definitions If the ideal protocol ρ consists of an ideal functionality F, for technical reasons we assume the presence of so-called dummy parties that forward messages between the environment Z and the functionality F. For example, assume that F is a commitment functionality. In an ideal execution, Z would send a value m to the party C (since it does not know of F and therefore will not send to F directly). Then, C would forward m to F. Then, F notifies R that a commitment has been performed. This notification is then forwarded to Z. First, with these dummy parties we have, at least syntactically, the same messages as in the real execution: Z sends m to C and receives a commit notification from R. Second, the dummy parties allow a meaningful corruption in the ideal model. If Z corrupts some party P, in the ideal model the effect would be that the simulator controls the corresponding dummy party P and thus can read and modify messages to and from the functionality F in the name of P. Thus, if we write EXC_{F,S,Z}, this is essentially an abbreviation for EXC_{ρ,S,Z}, where the ideal protocol ρ consists of the functionality F and the dummy parties. Having defined the families of random variables EXC_{π,A,Z}(k, z) and EXC_{ρ,S,Z}(k, z), we can now define security via indistinguishability.
Definition 10. (Universal Composability [5]) A protocol π UC-realizes a protocol ρ if, for any polynomial-time adversary A, there exists a polynomial-time simulator S such that, for any polynomial-time environment Z, the families EXC_{π,A,Z}(k, z) and EXC_{ρ,S,Z}(k, z) are computationally indistinguishable. Note that in this definition it is also possible to consider only environments Z that give a single bit of output. As demonstrated in [5], this gives rise to an equivalent definition. However, in the case of everlasting UC below, this will not be the case, so we stress that we allow Z to output arbitrary strings. In particular, an environment machine can output its complete view.
Natural variants of this definition are statistical UC, where all machines (environment, adversary, simulator) are computationally unbounded and the families of random variables are required to be statistically indistinguishable, and perfect UC, where all machines are computationally unbounded and the families of random variables are required to have the same distribution. In these cases, one often additionally requires that if the adversary is polynomial-time, so is the simulator. Composition For some protocol σ and some protocol π, by σ^π we denote the protocol where σ invokes (up to polynomially many) instances of π. 3 That is, in σ^π the machines from σ and from π run together in one network, and the machines from σ access the inputs and outputs of π. (In particular, Z then talks only to σ and not to the subprotocol π directly.) A typical situation would be that σ^F is some protocol that makes use of some ideal functionality F (say, a commitment) and then σ^π would be the protocol resulting from implementing that functionality by some protocol π (say, a commitment protocol). One would hope that such an implementation results in a secure protocol σ^π. That is, if π realizes F and σ^F realizes G, then σ^π realizes G. Fortunately, this is the case: Theorem 11. (Universal Composition Theorem [5]) Let π, ρ, and σ be polynomial-time protocols. Assume that π UC-realizes ρ. Then, σ^π UC-realizes σ^ρ.
The intuitive reason for this theorem is that σ can be considered as an environment for π or ρ, respectively. Since Definition 10 guarantees that π and ρ are indistinguishable for any environment, security follows. In a typical application of this theorem, one would first show that π realizes F and that σ^F realizes G. Then, using the composition theorem, one gets that σ^π realizes σ^F, which in turn realizes G. Since the realizes-relation is transitive (as can easily be seen from Definition 10), it follows that σ^π realizes G. This composition theorem is the main feature of the UC framework. It allows us to build up protocols from elementary building blocks. This greatly increases the manageability of security proofs for large protocols. Furthermore, it guarantees that the protocol can be used in arbitrary contexts. Analogous theorems also hold for statistical and perfect UC. Dummy adversary When proving the security of a given protocol in the UC setting, a useful tool is the so-called dummy adversary. The dummy adversary Ã is the adversary that simply forwards messages between the environment Z and the protocol (i.e. it is a puppet of the environment that does whatever Z instructs it to do). In [5], it is shown that UC security with respect to the dummy adversary implies UC security. The intuitive reason is that, since Ã does whatever Z instructs it to do, it can perform arbitrary attacks and is therefore the worst-case adversary given the right environment (remember that we quantify over all environments).
We very roughly sketch the proof idea. Let protocols π and ρ and some adversary A be given. Assume that π UC-realizes ρ with respect to the dummy adversary Ã. We want to show that π UC-realizes ρ with respect to A. Given an environment Z, we construct an environment Z_A which simulates Z and A. Note that an execution of EXC_{π,Ã,Z_A} is essentially the same as EXC_{π,A,Z} (up to a regrouping of machines). Then there is a simulator S̃ such that EXC_{π,Ã,Z_A} and EXC_{ρ,S̃,Z_A} are indistinguishable. Let S be the simulator that internally simulates the machines A and S̃ and forwards all actions performed by A as instructions to S̃ (remember that S̃ simulates Ã, so it expects such instructions). Then, EXC_{ρ,S̃,Z_A} is again the same as EXC_{ρ,S,Z} up to a regrouping of machines. Summarizing, we have that EXC_{π,A,Z} and EXC_{ρ,S,Z} are indistinguishable.
A nice property of this technique is that it is quite robust with respect to changes in the definition of UC security. For example, it also holds with respect to statistical and perfect UC security, as well as with respect to the notion of Everlasting UC from [27].

Everlasting UC Security
In this section, we present our definition of everlasting UC security. Our formalization builds on Canetti's Universal Composability framework [5] and extends the notion of everlasting/long-term security due to Müller-Quade and Unruh [27]. Loosely speaking, everlasting security guarantees the "standard" notion of UC security during the execution of the protocol. This means that security is guaranteed against polynomially bounded adversaries; therefore, standard computational assumptions, such as the hardness of the decisional Diffie-Hellman problem and the existence of one-way functions, can be used as hardness assumptions. However, after the execution of the protocol, we no longer assume that these assumptions hold, because they may be broken in the future. Müller-Quade and Unruh model this by letting the distinguisher become unbounded after the execution of the protocol. Everlasting security guarantees security and confidentiality in this setting.
They showed in [27] that everlasting UC commitments cannot be realized, not even in the common reference string (CRS) or the public-key infrastructure (PKI) model. 4 The fact that everlasting UC commitments cannot be constructed in the CRS model shows a strong separation between the everlasting UC and the computational UC security notions, because commitment schemes do exist (under standard assumptions) in the computational UC security model [7]. The stark impossibility result of Müller-Quade and Unruh motivated the use of other trust assumptions, such as trusted pseudorandom functions and signature cards [27]. It is not hard to see that everlasting UC security is strictly stronger than computational UC security, since the adversary is allowed to become unbounded after the execution of the protocol, and it is strictly weaker than statistical UC security, since the adversary is polynomially bounded during the run of the protocol.

Defining Everlasting UC Security.
The formalization of [27] is surprisingly simple: it only extends the original UC definition by the requirement that the execution of the real protocol and that of the functionality (both run by efficient adversaries and environments) cannot be distinguished by an unbounded entity after the execution of the protocol is over. Formally, this means that the output of the environment in the real and ideal worlds is statistically close. A comprehensive discussion is given in [27]; we briefly recall the definition.

Definition 12. (Everlasting UC [27]) A protocol π everlastingly UC-realizes an ideal protocol ρ if, for any PPT adversary A, there exists a PPT simulator S such that, for any PPT environment Z, the families EXC_{π,A,Z}(k, z) and EXC_{ρ,S,Z}(k, z) are statistically indistinguishable.

In [27], the authors show that the composition theorem from [5] also holds with respect to Definition 12. A shortcoming of Definition 12, when applied to the token model, is that the distinguisher has no access to the hardware token after it becomes unbounded. Another issue is that Definition 12 does not model the case that the hardware assumption may be broken in the long term.

Everlasting UC Security with Hardware Assumptions
We define a notion of everlasting security which allows the participants in a protocol to leak information in the long term.
With the exception of the environment Z and the adversary A, we give each interactive Turing machine instance (ITI for short) in the protocol an additional output tape that we call the long-term output tape. We modify the execution model to handle the long-term tapes as follows. At the end of the execution of the protocol (i.e. when the environment Z produces its output m), the adversary A is invoked once again, this time with all long-term tapes, and produces an output a. We define the output of the new execution model to be EXC := (m, a). A formal definition follows.

Definition 13. (Everlasting UC with Long-term Tapes)
A protocol π everlastingly UC-realizes an ideal protocol ρ if, for any PPT adversary A, there exists a PPT simulator S such that, for any PPT environment Z, the families EXC_{π,A,Z}(k, z) and EXC_{ρ,S,Z}(k, z) are statistically indistinguishable. In Definition 13, the distinguisher does not get the long-term tapes directly; instead, the tapes pass through the adversary. The real adversary A can, without loss of generality, forward the tapes unchanged to the distinguisher (i.e. the dummy adversary). The simulator S can replace the long-term tapes by any simulated a of its choice. We point out that Definition 13 is equivalent to Definition 12 when none of the ITIs in π or ρ have long-term output tapes.
It is easy to show that the composition theorem from [27] carries over to our setting: the long-term tapes of the honest parties are also given to the adversary/simulator at the end of the protocol execution; however, the simulator (when communicating with the environment) can replace them with values of its choice. Formally, this means that the long-term tapes are just a message sent from the protocol to the adversary (in the same way as, e.g., the state is sent in the case of adaptive corruption), and consequently, when proving the composition theorem, those messages are handled in exactly the same way as the messages resulting from adaptive corruption.

Functionalities
In this section, we define some commonly used functionalities that we will need for our results. CRS The first functionality is the common reference string (CRS). Intuitively, the CRS is a string sampled from a given distribution G by some trusted party and known to all parties prior to the start of the protocol. Multiple commitment Here, we recall the functionality for a commitment scheme. Throughout the following description, we implicitly assume that the attacker is informed about each invocation and that the attacker controls the output of the functionality. We omit those messages from the description of the functionalities for readability. Note that to securely realize this functionality, a protocol must guarantee independence among different executions of the commitment protocol. Upon command (commit, sid, x), where x ∈ {0, 1}^{ℓ(λ)}, from S, send the message (committed, sid) to R. Upon command (unveil, sid) from S, send (unveiled, sid, x) to R (with the matching sid). Repeated (commit) or (unveil) commands with the same sid are ignored.
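For concreteness, the bookkeeping of this multiple-commitment functionality can be sketched as follows. This is our own minimal Python sketch; the class and method names are ours, and the notifications to the adversary are omitted, as in the description above.

```python
class FMCom:
    """Minimal sketch of the multiple-commitment functionality F_MCOM.

    Each sid is used for at most one commit and one unveil; repeated
    commands with the same sid are ignored (modelled by returning None).
    """

    def __init__(self):
        self.committed = {}    # sid -> committed value x
        self.unveiled = set()  # sids that were already unveiled

    def commit(self, sid, x):
        if sid in self.committed:
            return None                    # repeated (commit, sid) is ignored
        self.committed[sid] = x
        return ("committed", sid)          # message delivered to R

    def unveil(self, sid):
        if sid not in self.committed or sid in self.unveiled:
            return None                    # unknown sid or repeated unveil
        self.unveiled.add(sid)
        return ("unveiled", sid, self.committed[sid])  # delivered to R
```

Note how the value x is stored at commit time and only revealed at unveil time, mirroring the binding/hiding contract of the ideal functionality.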

Oblivious Transfer Functionality
The oblivious transfer functionality allows the receiver to select a bit b and the sender to send two messages m_0 and m_1 to the receiver in such a way that the sender never learns the bit b the receiver chose, and the receiver learns only the message m_b and nothing about m_{1−b}.

Definition 16. (Oblivious Transfer (OT)) Let R and S be two parties. The functionality F_{OT}^{S→R} behaves as follows: upon receiving the command (transfer, id, m_0, m_1) from S and the command (choose, id, b) from R, it sends (id, m_b) to R. We call S the sender, and R the receiver.

Remark 17.
Looking ahead, we note that we cannot define the protocol of Sect. 6 in the F_OT-hybrid model or in the F_MCOM-hybrid model. The former is because the protocol of Sect. 6 requires an OT with the additional property of statistical receiver privacy, which not all OT protocols that realize the F_OT functionality satisfy. The latter is because the protocol requires a commitment scheme with the additional property of statistical hiding, which not all commitment schemes that realize the F_MCOM functionality satisfy. Moreover, the protocol of Sect. 6 requires proving statements about the contents of a commitment, and as shown by [9] this is not possible using a UC commitment functionality.

Physical Assumptions
The functionality F_HToken described in this section models generic fully malicious hardware tokens, including PUFs. A fully malicious hardware token is one whose state is not bounded a priori, whose creator can install arbitrary code inside of it, and which can encapsulate an arbitrary number of (possibly fully malicious) tokens, called children. As far as we know, this is the first functionality to integrate tamper-proof hardware tokens with PUFs, allowing us to design protocols that are transparent about the type of hardware token used, as the functionality can be instantiated with either. Moreover, in the particular case of PUFs, our model extends the PUFs-inside-PUF model of [4] to the more general Tokens-inside-Token case. 5 We handle encapsulated tokens in the functionality by allowing the parent token (i.e. the token that contains other token(s)) to have oracle access to all its children during its evaluation; we believe that token encapsulation models a realistic capability of an adversary and that it is important to include it in our model for the soundness of the security analysis. We also note that F_HToken is not PPT; this is because the functionality does not impose a restriction on the efficiency of the malicious code.
The functionality F_HToken allows tokens to be transferred among parties by invoking handover; a token can only be queried, by invoking query, by the party that currently owns it. Malicious tokens can be created by the adversary and may contain other tokens inside of them. In contrast to [8], the adversary can "unwrap" encapsulated tokens by invoking openup and read out a malicious token's state by invoking readout.
Functionality F_HToken F_HToken is parameterized by an algorithm HTSamp, a PPT Turing machine M_honest, and a polynomial p(λ) that bounds the running time of M_honest. F_HToken runs on input the security parameter 1^λ, with parties P = {P_1, . . . , P_n} and adversary A. The list L contains instances of tokens with the attributes id, st, M, children, owner, honest, accessed with the notation token.attribute, where id is a string that uniquely identifies a physical instance of the hardware token, st is the internal state of the token, M is a TM that contains the code to be executed, children is a list of children (tokens) that are contained within this token (and can also be empty), owner is the party that currently owns the token (or the embedding token in the case of children), and honest is a boolean value that is true when the token was honestly generated, and false otherwise. For simplicity we omit the polynomial p(λ), since wlog any p(λ) can be considered. We note that F_HToken is not PPT, due to the fact that there is no runtime bound on M. The functionality F_HToken receives commands and acts as follows.
• Upon command (create) from P ∈ P: create an empty token tok, initialize its attributes, and add it to L.
• Upon command (handover, id, P_j) from P_i ∈ P ∪ {A}, where P_j ∈ P ∪ {A}: for all tok ∈ L s.t. tok.owner = P_i and tok.id = id, set tok.owner := P_j and return ok to A.
• Upon command (query, id, q) from P ∈ P ∪ {A}: evaluate the token on q via the recursive algorithm HTEval, which runs tok.M on q while giving it oracle access to the tokens in tok.children, and return the response.
• Upon command (openup, id) from A: remove tok from L, and for each tok_c ∈ tok.children set tok_c.owner := P, for some P ∈ P, and return ok to A.
• In all other cases, enter the waiting state without sending a message.
The long-term output tape a records all the information from the tokens tok ∈ L such that tok.owner = A (including tokens owned by some other token that is owned by A, through any number of layers).
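A minimal sketch of the Tokens-inside-Token evaluation (the HTEval-style recursion in which a parent token gets oracle access to its children) might look as follows. The class and the example programs are our own illustration, not part of the formal functionality.

```python
class Token:
    """Sketch of a (possibly malicious) hardware token with encapsulated children.

    `program` models the token's code M: it receives the query q, the
    token's mutable state dict, and an oracle for querying children by index.
    """

    def __init__(self, program, children=None):
        self.program = program
        self.state = {}
        self.children = children or []

    def query(self, q):
        # HTEval-style recursion: the parent's code runs with oracle
        # access to all of its children, which may recurse further.
        def child_oracle(i, sub_q):
            return self.children[i].query(sub_q)
        return self.program(q, self.state, child_oracle)


# Example: the inner token XORs the query with a hidden constant; the
# outer token forwards its query to the child and flips the last bit.
inner = Token(lambda q, st, ch: q ^ 0b1010)
outer = Token(lambda q, st, ch: ch(0, q) ^ 0b0001, children=[inner])
```

Here `outer.query(c)` evaluates the parent's code, which in turn queries the encapsulated child, mirroring how HTEval gives a parent oracle access to its children.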

Physically Uncloneable Functions (PUFs)
In a nutshell, a PUF is a noisy source of randomness. It is a hardware device that, upon physical stimuli, called challenges, produces physical outputs (that are measured), called responses. The response measured for each challenge of the PUF is unpredictable, in the sense that it is hard to predict the response of the PUF on a given challenge without first measuring the response of the PUF on the same (or a similar) challenge. When a PUF receives the same physical stimulus more than once, the responses produced may not be exactly equal (due to the added noise), but the Hamming distance between the responses is bounded by a parameter of the PUF. A family of PUFs is a pair of algorithms (PUFSamp, PUFEval), not necessarily PPT. PUFSamp models the manufacturing process of the PUF: on input the security parameter, it draws an index σ that represents an instance of a PUF satisfying the security definitions for the security parameter (defined later). PUFEval models a physical stimulus applied to the PUF: upon a challenge input x, it invokes the PUF with x and measures the response y, which is returned as the output. A response y returned by the algorithm PUFEval is a bitstring of length rg(λ). A formal definition follows. • Sampling. Let I_λ be an index set. On input the security parameter λ, the stateless and unbounded sampling algorithm PUFSamp outputs an index σ ∈ I_λ. Each σ ∈ I_λ corresponds to a family of distributions D_σ. For each challenge x ∈ {0, 1}^λ, D_σ contains a distribution D_σ(x) on {0, 1}^{rg(λ)}. It is not required that PUFSamp is a PPT algorithm. • Evaluation. On input (1^λ, σ, x), where x ∈ {0, 1}^λ, the evaluation algorithm PUFEval outputs a response y ∈ {0, 1}^{rg(λ)} according to the distribution D_σ(x). It is not required that PUFEval is a PPT algorithm.
Additionally, we require the PUF family to satisfy a reproducibility notion that we describe next. Reproducibility informally says that the responses produced by the PUF when queried on the same random challenge are always close. Many PUF definitions in the literature [3,4,12,30] have had problems with the superpolynomial nature of PUFs. In particular, the possibility of PUFs solving hard computational problems, such as discrete logarithms or factoring, was not excluded, or was excluded in an awkward way. We take our inspiration from the idea that a PUF can be thought of as a function selected at random from a very large set, and therefore cannot be succinctly described; however, it can be efficiently simulated using lazy sampling. Conceptually, we will only consider PUFs that can be efficiently simulated by a stateful machine.
Formally, we require that there exists a stateful PPT Turing machine M such that no PPT distinguisher with oracle access can distinguish the oracle PUFEval(1^λ, σ, ·) from the oracle M(st, ·), where st denotes the initial state of the TM M.
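The lazy-sampling simulation alluded to above can be sketched as follows. This is our own illustration: the stateful machine samples a fresh base response for each challenge on first use and adds bounded measurement noise; all names and parameters are ours.

```python
import random

class LazyPUF:
    """Stateful lazy-sampling simulation of a PUF (illustrative sketch).

    The base response for each challenge is sampled on first use and kept
    in the state st; every measurement returns the base response with at
    most `noise` bit flips, so two measurements of the same challenge are
    within Hamming distance 2*noise of each other.
    """

    def __init__(self, rg=64, noise=2, seed=None):
        self.rg = rg             # response length rg(lambda)
        self.noise = noise       # bound on the measurement noise
        self.st = {}             # lazily populated: challenge -> base response
        self.rnd = random.Random(seed)

    def eval(self, challenge):
        if challenge not in self.st:                       # lazy sampling
            self.st[challenge] = self.rnd.getrandbits(self.rg)
        y = self.st[challenge]
        for _ in range(self.rnd.randint(0, self.noise)):   # bounded noise
            y ^= 1 << self.rnd.randrange(self.rg)          # flip a random bit
        return y

def hd(a, b):
    """Hamming distance between two responses (as integers)."""
    return bin(a ^ b).count("1")
```

The dictionary `st` plays the role of the machine's state: the simulation never needs a succinct description of the whole function, only of the challenges measured so far.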

Security of PUFs
The security of PUFs has been mainly defined by the properties of unpredictability and uncloneability [1,3,4,24,30]. In Sect. 4.1.1, we introduce a novel unpredictability notion for PUFs, and we later discuss why the standard unpredictability notion is not suited for our setting.

Fully adaptive PUF Unpredictability.
In contrast to the standard definition of unpredictability [3], in this work we require a stronger notion of adaptive unpredictability. Loosely speaking, unpredictability should capture the fact that it is hard to learn the response of the PUF on a given challenge without first querying the PUF on a similar challenge. Note that this implies uncloneability: if one could clone the PUF, one could use the cloned PUF to predict the answers of the original PUF. We express the similarity of inputs/outputs of the PUF in terms of the Hamming distance hd; however, our results can easily be adapted to other metrics.
Definition 21. (Fully adaptive PUF unpredictability) A PUF family PUF = (PUFSamp, PUFEval) is fully adaptively unpredictable if, for every PPT adversary A, the probability

Pr[σ ← PUFSamp(1^λ); x ← {0, 1}^λ; y ← A^{PUFEval(1^λ,σ,·)}(1^λ, x) : y = PUFEval(1^λ, σ, x) ∧ ∀q ∈ Q : hd(x, q) > δ]

is negligible in λ, where Q is the list of all queries made by A.
Adaptive PUF unpredictability says that the only way to learn the output of PUFEval(1^λ, σ, x) is to query the PUF on x (or something close enough to x). Our definition captures this by allowing the adversary A to know the challenge x before having oracle access to PUFEval. The unsuitability of the standard PUF unpredictability of [3]. We first recall the standard unpredictability definition of [3]. As the definition itself is based on the notion of average min-entropy, for convenience, we present that first.

Definition 22. (Average min-entropy [3]) The average min-entropy of the measurement PUFEval(q) conditioned on the measurements of challenges Q = {q_1, . . . , q_{poly(λ)}} for the PUF family PUF = (PUFSamp, PUFEval) is defined by

H̃_∞(PUFEval(q) | PUFEval(Q)) := −log( E_{y_i ← PUFEval(q_i)} [ max_y Pr[PUFEval(q) = y | y_1, . . . , y_{poly(λ)}] ] ),

where the expectation is taken over the responses to the challenges in Q.

Definition 23. (PUF Unpredictability [3]) A PUF family PUF = (PUFSamp, PUFEval) is unpredictable if, for any polynomial-size challenge list Q and any challenge q such that hd(q, q_k) ≥ d_min(λ) for all q_k ∈ Q, it holds that H̃_∞(PUFEval(q) | PUFEval(Q)) ≥ m(λ).
We now argue why Definition 23 is not suited for our setting. We present a PUF family that satisfies Definition 23 and yet allows an adversary to predict the response of the PUF on a challenge never queried to the PUF (and far apart from the other queried challenges). We prove the following theorem next.

Theorem 24. There exists a PUF family that satisfies Definition 23 but is not fully adaptively unpredictable (Definition 21).

Proof. Let PUF = (PUFSamp, PUFEval) be a PUF family with challenges of size (n + 1) bits and responses of size n bits. We construct the family PUF′ as follows: PUF′Samp samples a uniformly random x* ∈ {0, 1}^n and a random function f : {0, 1}^n → {0, 1}^n; PUF′Eval returns x* on the challenge 0^{n+1}, and on every other challenge b‖m (with b ∈ {0, 1} and m ∈ {0, 1}^n) it returns f(m ⊕ b·x*).

We first show how an adversary can predict with probability 1 the output of a PUF from the family described above on a fresh input. Given some arbitrary fresh challenge input b‖m, the adversary can find the corresponding response PUFEval(1^λ, σ, b‖m), without ever querying the PUF on b‖m, as follows: compute x* := PUFEval(1^λ, σ, 0^{n+1}) and compute y := PUFEval(1^λ, σ, b̄‖(m ⊕ x*)). Note that both queries are far apart from b‖m, yet the adversary learns y = PUFEval(1^λ, σ, b‖m).

Now we show that the PUF family described above satisfies Definition 23. 6 Fix any polynomial-size challenge list Q = {q_1, . . . , q_{κ−1}} and any challenge query q_κ such that, for all k ∈ [κ − 1], hd(q_κ, q_k) ≥ 1, which is clearly minimal. Since f is a random function, PUFEval(1^λ, σ, q_κ) has maximal average min-entropy unless the PUF is queried on two inputs (q_i, q_j) that form a collision for f. Note that this happens only if q_i ⊕ q_j = 1‖x*. Thus, all we need to show is that, for any fixed set of queries {q_1, . . . , q_κ}, the probability that q_i ⊕ q_j = 1‖x* for some pair (i, j) is negligible, over the random choice of x*. This holds because

Pr[∃ i ≠ j : q_i ⊕ q_j = 1‖x*] ≤ 1 − (1 − 2^{−n})^{κ^2} ≤ κ^2 · 2^{−n},

where the last step follows by applying the Bernoulli inequality. The above expression approaches 0 exponentially fast as n grows. This concludes our proof.
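The attack above can be replayed concretely. The following sketch is our own code: the random function f is lazily sampled, and the "fresh" challenge is fixed so that the demonstration is deterministic; the two queries made by the adversary are both different from the predicted challenge.

```python
import random

# Sketch of the counterexample family PUF' described above:
# x* is a secret random offset, f a lazily sampled random function.
n = 16
rnd = random.Random(2024)
x_star = rnd.getrandbits(n)   # sampled by PUF'Samp
f_table = {}                  # lazy sampling of the random function f

def f(z):
    if z not in f_table:
        f_table[z] = rnd.getrandbits(n)
    return f_table[z]

def puf_eval(b, m):
    """PUF' on challenge b||m: x* on the all-zero challenge, else f(m xor b*x*)."""
    if b == 0 and m == 0:
        return x_star
    return f(m ^ (x_star if b == 1 else 0))

# The adversary predicts PUF'(b||m) without ever querying b||m:
b, m = 1, x_star ^ 0xFFFF     # a fresh challenge, never queried below
xs = puf_eval(0, 0)           # first query: learn x*
y = puf_eval(1 - b, m ^ xs)   # second query: the "mirrored" challenge
assert y == puf_eval(b, m)    # correct prediction with probability 1
```

The two queries `(0, 0)` and `(1-b, m ^ xs)` differ from `(b, m)` in the first bit, yet they pin down the response, which is exactly what Definition 23 fails to rule out.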
Contrasting our unpredictability definition with the one of [3]. The motivation behind our newly proposed adaptive unpredictability notion (Definition 21) is that the standard PUF unpredictability notion of [3] implicitly assumes that PUFs depend only on random physical factors (typically introduced during manufacturing); in particular, it does not capture families of PUFs that have some programmability built in, allowing one to predict the output of the PUF on an input by querying a completely different input. What our new PUF unpredictability notion explicitly captures is that a "good" PUF must depend solely on random physical factors and, in particular, cannot have any form of programmability. On a more philosophical level, we believe that our new notion is what was meant to be modelled as a property of PUFs from the start. Since PUFs are inherently randomized devices that are specifically built to be unpredictable and uncontrollable, a PUF family such as the one described above should not be considered a "good" PUF family; the previous notion, however, fails to capture this fact. 7 Overall, our new definition of unpredictability does not hinder the progress and development of new real-world PUFs in any way, but merely addresses a technical oversight in the previous unpredictability notion. We therefore conjecture that most real-world PUFs satisfying the unpredictability notion of [3] will also satisfy our unpredictability notion, since real PUFs are built precisely to avoid any such programmability.

Impossibility of Everlasting OT with Malicious Hardware
In this section, we prove the impossibility of realizing everlastingly secure oblivious transfer (OT) in the hardware token model, even in the presence of a trusted setup. The result carries over immediately to any secure computation protocol due to the completeness of OT [23]. We consider honest tokens that are stateful but non-erasable (Definition 25), while the tokens produced by the adversary can be malicious but may not encapsulate other tokens (note that this restriction on malicious tokens only makes our result stronger, as the impossibility holds even against an adversary that is more limited). The adversary A is PPT during the execution of the protocol, but becomes unbounded after the execution is over (i.e. everlasting security). This extends the seminal result of Goyal et al. [18], which shows the impossibility of statistically (as opposed to everlastingly) UC-secure oblivious transfer from stateless (as opposed to non-erasable) tokens. We stress, however, that our negative result does not contradict the work of Döttling et al. [13,14], since they assume honest tokens to be non-resettable or bounded-resettable (i.e. tokens cannot be reset to a previous state, or can only be reset up to an a-priori bound), whereas for our result to hold the tokens must be non-erasable.
In the following, we show the main theorem of the section. The result holds under the assumption that the token scheduling is fixed a priori, which captures most of the known protocols for secure computation [13,14,20]. The scheduling of the tokens determines the exchange of the tokens among the parties. We stress that we do not impose any restriction on which party holds each hardware token at the end of the execution. For a formal definition of OT, we refer the reader to Sect. 2.2. We first define non-erasability for hardware tokens.

Definition 25.
(Non-erasable hardware token) A (stateful) hardware token is said to be non-erasable if any state ever recorded by the token can be efficiently retrieved.
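A non-erasable token in the sense of Definition 25 can be illustrated as follows. This is our own sketch: the token updates its state on every query, but every state it ever recorded remains efficiently retrievable.

```python
class NonErasableToken:
    """Sketch of a stateful but non-erasable token (cf. Definition 25).

    The token may update its state arbitrarily, but no state is ever
    erased: everything the token ever recorded stays in the log.
    """

    def __init__(self, initial_state=0):
        self._state = initial_state
        self._log = [initial_state]  # non-erasability: nothing is ever deleted

    def query(self, q):
        # Example program: the answer depends on the query and the current
        # state, and every query advances the state.
        answer = (q + self._state) % 257
        self._state += 1
        self._log.append(self._state)
        return answer

    def read_out_all_states(self):
        """Any state ever recorded can be efficiently retrieved."""
        return list(self._log)


tok = NonErasableToken()
tok.query(5)
tok.query(7)
# tok.read_out_all_states() now returns [0, 1, 2]
```

A stateless token corresponds to the degenerate case where the log never grows, which is why stateless tokens are trivially non-erasable.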
Note in particular that stateless tokens are trivially non-erasable, as they cannot keep any state. Theorem 26. Let Π be a hardware-token-based everlasting OT protocol between Alice (i.e. the sender) and Bob (i.e. the receiver) where the honest tokens are non-erasable and the scheduling of the tokens is fixed. Then, at least one of the following holds: • There exists an everlasting adversary S′ that uses malicious and stateful hardware tokens such that Adv_{S′} ≥ ε(λ), or • there exists an everlasting adversary R′ that uses malicious and stateful hardware tokens such that Adv_{R′} ≥ ε(λ), for some non-negligible function ε(λ).
Proof. The proof consists of the following sequence of modified simulations. Let the game G_0 define an everlastingly secure OT protocol for S and R. Then, by assumption, we have that for all everlasting adversaries S′ and R′ the advantages Adv_{S′} and Adv_{R′} are negligible. We define a quasi-semi-honest adversary to be an adversary that behaves semi-honestly but keeps a log of all queries ever made to the hardware token (exploiting the non-erasable token assumption). Let the game G_1 define an everlastingly secure OT protocol where S′ and R′ are quasi-semi-honest. Since we are strictly reducing the capabilities of the adversaries and the tokens are non-erasable, we can state the following lemma.

Lemma 27. For all quasi-semi-honest S′ and R′, it holds that Adv_{S′} and Adv_{R′} are negligible in G_1.
Let G_2 be the same as G_1 except that whenever S′ (resp. R′) queries a token from R (resp. S) that will later return to R (resp. S), instead of making that query to the token, S′ queries R directly, who answers as the token would have. Since the distribution of the answers to the queries does not change, we can state the following lemma.

Lemma 28. For all quasi-semi-honest S′ and R′, it holds that Adv_{S′} and Adv_{R′} in G_2 are equal to the corresponding advantages in G_1.
Let game G_3 be exactly the same as G_2 except that whenever S′ (resp. R′) sends a token to R (resp. S) that will not return to S (resp. R), then S′ sends a description of the token instead. Since we consider everlasting adversaries, we assume that after the execution of the protocol all tokens can be read out. Therefore, both parties will have the descriptions of all the tokens, even the ones that are not sent to the other party. Note that at this point there are no hardware tokens involved, only descriptions of tokens. Therefore, a quasi-semi-honest adversary is identical to a semi-honest everlasting one. 8
We point out that a semi-honest unbounded adversary S′ (resp. R′) is also a semi-honest everlasting adversary, since during the execution of the protocol it performs only the honest (PPT) actions. We are now in a position to state the final lemma.

Lemma 30. For all semi-honest unbounded S′ and R′, it holds that Adv_{S′} and Adv_{R′} are negligible in G_3.
It was shown in [2] that it is not possible to build an OT protocol secure against semi-honest unbounded adversaries (even in the presence of a trusted setup), which gives us a contradiction and concludes our proof.

Everlasting Commitment from Fully Malicious PUFs
In this section, we build an everlastingly secure UC commitment scheme from fully malicious PUFs. Let C = (Com, Open) be a statistically hiding UC-secure commitment scheme, let (Sender_OT, Receiver_OT) be a 1-out-of-2 statistically receiver-private OT protocol, let f be a one-way permutation, and let H be a strong randomness extractor. We denote by (P_1, V_1) and (P_2, V_2) the statistically witness-indistinguishable arguments of knowledge (SWIAoK) for the relations R_1 and R_2, respectively. Our commitment scheme is described next.

Everlasting Commitment scheme from PUF
Setup: Let G be the distribution for a random y in the range of the one-way permutation f, let seed be a random seed for the strong randomness extractor H, let crs_Com be the CRS for the non-interactive commitment scheme, and let crs_OT be the CRS for the OT protocol. The ideal functionality F_CRS^G samples a random crs from the distribution of valid values, where crs := (y, seed, crs_Com, crs_OT), and provides Alice and Bob with crs. We denote by x ∈ {0, 1}^λ the preimage such that f(x) = y, used by F_CRS^G to sample y.
Commitment: On input (commit, id, m), for a fresh id, Alice engages with Bob in the following interactive protocol.

Bob samples a PUF token by querying (create) to F_HToken, hands it over to Alice, and at the end of the interaction outputs (committed, id).
Opening: On input (unveil, id), Alice retrieves the information (including decom, ω, and k) generated in the commitment phase with the same id, if any, and the corresponding message m. Then she interacts with Bob in the following manner.
We note that many instances of the previously described protocol (with different ids) may run concurrently.

Theorem 31. Let C = (Com, Open) be a statistically hiding UC-secure commitment scheme, let (Sender_OT, Receiver_OT) be a 1-out-of-2 statistically receiver-private OT protocol, let f be a one-way permutation, let H be a strong randomness extractor, and let (P_1, V_1) and (P_2, V_2) be SWIAoK systems for the relations R_1 and R_2, respectively. Then, the protocol above everlastingly UC-realizes the functionality F_MCOM in the F_HToken^{PUFEval,PUFSamp}-hybrid model.
Proof. We consider the cases of the two corrupted parties separately. The proof consists of the description of a series of hybrids and we argue about the indistinguishability of neighbouring experiments. Then, we describe a simulator that reproduces the real-world protocol to the corrupted party while executing the protocol in interaction with the ideal functionality.
Corrupted Bob (receiver) Consider the following sequence of hybrids, with H_0 being the protocol as defined above in interaction with A and Z: H_1: Defined exactly as H_0 except that, for all executions of the commitment and opening routines, the SWIAoKs for R_1 and R_2 are computed using the knowledge of x, the preimage of y. This is possible as the F_CRS functionality is simulated by the simulator, which samples y = f(x) for a known x. In order to avoid a trivial distinguishing attack, we additionally require Alice to explicitly check that hd(β_i, q_i^{k_i}) ≤ δ for all i ∈ [ℓ(λ)] and to abort (prior to computing the SWIAoK) if the condition is not satisfied. The two hybrids are statistically indistinguishable due to the statistical witness indistinguishability of the SWIAoK scheme, for all unbounded distinguishers D querying the functionality polynomially many times. H_2, . . . , H_{ℓ(λ)+1}: Each H_{1+i}, for i ∈ [ℓ(λ)], is defined exactly as H_1 except that in all of the sessions Alice uses the simulator of the statistically receiver-private OT protocol (that implements the F_OT functionality) to run the first i instances of the oblivious transfers. Note that the simulator (using the knowledge of the CRS trapdoor) returns both of the inputs of the sender, in this case (p_i^0, p_i^1). By the statistical receiver privacy of the oblivious transfer, the simulated execution is statistically close to an honest run; therefore, neighbouring hybrids are statistically close for all unbounded distinguishers D that query F_HToken^{PUFEval,PUFSamp} polynomially many times. The subsequent hybrids are defined with the difference that, in all of the sessions, the first i commitments com_i are computed as Com(r_i), for some random r_i in the appropriate domain. Note that the corresponding decommitments are no longer used in the computation of the SWIAoK.
Therefore, the statistically hiding property of the commitment scheme guarantees that the neighbouring simulations are statistically close for all unbounded D.

H_{2ℓ(λ)+4,0}, …, H_{2ℓ(λ)+4,n}: The j-th hybrid differs from its predecessor only in how the mask of the j-th session is computed (H(seed, k_i) in the former case and a random string in the latter). Note that k_i is used only in the computation of H_i and that the only variable that depends on k_i is γ. Since γ is taken from a set of size n + 1, we can bound from above the entropy loss of k_i by log(n + 1) bits. Recall that (n + 1) ≤ 2^λ; therefore ℓ(λ) − c > log(n + 1), for an appropriate choice of ℓ(·). Hence, by the strong randomness extraction of H, neighbouring hybrids are statistically close. Since the distance between H_{2ℓ(λ)+4,0} and H_{2ℓ(λ)+4,n} is the sum of the bounds obtained from the leftover hash lemma [21], we can conclude that these two hybrids are statistically close as well.

H_{2ℓ(λ)+6}: Defined as H_{2ℓ(λ)+5} except that, in all sessions, com is a commitment to a random string s. Note that in the execution of H_{2ℓ(λ)+5} the value of decom is masked by a random string H_i and is therefore information-theoretically hidden from the adversary. By the statistically hiding property of Com, the two hybrids are statistically close for all unbounded distinguishers.

H_{2ℓ(λ)+7}: Defined as H_{2ℓ(λ)+6} except that Alice opens the commitment to an arbitrary message m′. We observe that the execution of H_{2ℓ(λ)+6} is completely independent of the message m, except when m is sent to Bob in the clear in the opening phase. Therefore, the two hybrids are statistically close for all unbounded distinguishers D that query the functionality polynomially many times.

S: We now define S as a simulator in the ideal world that engages the adversary in the simulation of the protocol when queried by the ideal functionality on input (committed, sid). The interaction of S with the adversary works exactly as specified in H_{2ℓ(λ)+7}, with the only difference that the message m′ is set equal to x, where (unveil, sid, x) is the message sent by the ideal functionality for the same value of sid.
Since the simulation is unchanged in the eyes of the adversary, the two executions are identically distributed. By transitivity, H_0 is statistically indistinguishable from S in the eyes of the environment Z. We can conclude that our protocol everlastingly UC-realizes the commitment functionality F_MCOM for any corrupted Bob. We stress that we allow Bob to be computationally unbounded and only require that the number of sessions is bounded by some polynomial in λ.

Corrupted Alice (committer). Let H_0 be the execution of the protocol as described above in interaction with A and Z. We define the following sequence of hybrids.

H_1: Defined as H_0 except that the following algorithm is executed locally by Bob at the end of the commit phase of each session, in addition to Bob's normal actions.
E(1^λ): Let K be a bitstring of length ℓ(λ). The extractor parses the list Q of queries that Alice sent to F_HToken^{PUFEval,PUFSamp} before Bob's last message in the commitment phase. Then, for each Q_j ∈ Q, it checks whether there exist i ∈ [ℓ(λ)] and z ∈ {0, 1} such that hd(Q_j, p_i^z) ≤ γ, where p_i^z is defined as in the original protocol. If this is the case, the extractor sets K_i = z; if the value of K_i is already set to a different bit, the extractor aborts. If, at the end of the list Q, there is some i such that K_i is undefined, the extractor aborts. Otherwise it parses ω ⊕ H(seed, K) as m′||decom′ and returns (m′, decom′).
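As a hedged illustration, the query-matching loop of E can be sketched as follows. The names (extract_K, hamming) and the bitstring encodings are ours, not the paper's; this is a toy sketch of the matching logic, not the actual extractor.

```python
def hamming(a: str, b: str) -> int:
    """Hamming distance between two equal-length bitstrings."""
    return sum(x != y for x, y in zip(a, b))

def extract_K(queries, p0, p1, gamma):
    """Match each PUF query against the candidate challenges (p_i^0, p_i^1).

    queries: bitstrings Alice sent to the PUF before Bob's last message
    p0, p1:  the two candidate challenges per position i
    gamma:   the Hamming-distance threshold of the protocol
    Returns the bits K_i, or None (abort) if some K_i is ambiguous or undefined.
    """
    ell = len(p0)
    K = [None] * ell
    for q in queries:
        for i in range(ell):
            for z, p in ((0, p0[i]), (1, p1[i])):
                if hamming(q, p) <= gamma:
                    if K[i] is not None and K[i] != z:
                        return None  # K_i already set to the other bit: abort
                    K[i] = z
    if any(b is None for b in K):
        return None  # some K_i was never defined: abort
    return K
```

A near-match to p_i^z fixes K_i = z; conflicting matches or an undefined position make the extractor abort, exactly the two failure events the proof bounds below.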
Note that Bob does not use the output of E; therefore, for all distinguishers D, the two hybrids are identically distributed. We first derive a bound on the probability that the event NoUnique happens. Consider the following sequence of hybrids.
H^U_0: The experiment H^U_0 is identical to H_2 except that we sample some j* from the identifiers associated with all sessions and some i* from [ℓ(λ)]. Let n be a bound on the total number of sessions and let NoUnique(j*, i*) be the event that NoUnique happens in session j* for the i*-th bit. Since j* and i* are chosen uniformly at random, we have that Pr[NoUnique(j*, i*)] ≥ Pr[NoUnique]/(n · ℓ(λ)).

H^U_1: The experiment H^U_1 is defined as H^U_0 except that it stops before the execution of the i*-th OT in session j*. Let st be the state of all the machines in the execution of H^U_0; the experiment then does the following: • Continue the execution of H^U_0 from st. • Input/output all the i*-th OT messages of session j*.
• Simulate all other messages internally.
The experiment sets the bit b = 1 if and only if the commitment of the j*-th session succeeds. Let NoUnique*(j*, i*) be the event that K_{i*}^{j*} is not uniquely defined. Since the execution does not change in the eyes of Alice, the probability of this event is unchanged with respect to H^U_0.

H^U_2: Defined as H^U_1 except that the CRS for the OT is sampled in extraction mode. By the computational indistinguishability of the CRS, the probability of NoUnique*(j*, i*) changes by at most a negligible amount.

H^U_3: Defined as H^U_2 except that the extractor for the OT is used in the i*-th OT of the j*-th session. The experiment sets b = 1 if the simulation succeeds. Recall that the simulator outputs the choice bit b_{i*} of the receiver and expects as input the value p_{i*}^{b_{i*}}. Note that this implies that the value p_{i*}^{1−b_{i*}} is information-theoretically hidden from Alice. Also note that, by the simulation security of the OT, we can rewrite the success probability of the experiment in terms of the simulated execution; thus, by Jensen's inequality, the bound carries over to the expectation over the random choices of the experiment. As we argued before, the value p_{i*}^{1−b_{i*}} is information-theoretically hidden from Alice. However, by definition of NoUnique*(j*, i*), Alice queries both (p_{i*}^0, p_{i*}^1) to the functionality F_HToken^{PUFEval,PUFSamp}. It follows that we can bound the probability of the event NoUnique*(j*, i*) by a function negligible in the security parameter. Therefore, we have that Pr[Abort : H_3] ≤ negl(λ) + Pr[NoDefined : H_3].
In order to bound the probability that NoDefined happens in H_2, we define another sequence of hybrids.
H^D_0: The experiment H^D_0 is identical to H_2 except that we sample some j* from the identifiers associated with all sessions. Let n be a bound on the total number of sessions and let NoDefined(j*) be the event that NoDefined happens in session j*. Since j* is chosen uniformly at random, we have that Pr[NoDefined(j*)] ≥ Pr[NoDefined]/n.

H^D_1: The experiment H^D_1 is defined as H^D_0 except that it stops before the execution of the SWIAoK in the commitment of session j*. Let st be the state of all the machines in the execution of H^D_0, under the assumption that no machine keeps a copy of the preimage x after generating crs. Let P* be the following algorithm:

In the following analysis, we ignore the case where the two extracted witnesses are a valid trapdoor for the common reference string y, as this event can easily be ruled out with a reduction to the one-wayness of f. Let us denote β_i ← Open(com_i, decom_i). It is now enough to observe that the successful termination of the protocol implies that hd(q_i^{k_i}, β_i) ≤ δ for all i ∈ [ℓ(λ)], for some k = k_1||…||k_{ℓ(λ)}. By definition of NoDefined*(j*), there exists some i* such that A never queried any p′ to F_HToken^{PUFEval,PUFSamp} with hd(p′, p_{i*}^0) ≤ γ or hd(p′, p_{i*}^1) ≤ γ before seeing the last message of the commitment phase. By the unpredictability of the PUF, it follows that Pr[(hd(m_{i*}, q_{i*}^0) ≤ δ) ∨ (hd(m_{i*}, q_{i*}^1) ≤ δ)] ≤ negl(λ). We can conclude that there exists an i* such that β_{i*} ≠ m_{i*}. Since decom_{i*} and decom′_{i*} are valid opening information for m_{i*} and β_{i*}, respectively, we can bound this probability by a negligible function via the binding property of the commitment scheme. Therefore, we can conclude that Pr[Abort : H_2] ≤ negl(λ).
This proves our lemma.
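The unmasking step ω ⊕ H(seed, K) performed by E can be viewed as removing a one-time pad. The following is a hedged toy sketch: shake_256 merely stands in for the strong extractor H of the paper (which this instantiation does not claim to be), and all names are illustrative.

```python
import hashlib

def H(seed: bytes, k: bytes, out_len: int) -> bytes:
    # Toy stand-in for the extractor H(seed, k) with an out_len-byte output.
    return hashlib.shake_256(seed + k).digest(out_len)

def mask(seed: bytes, k: bytes, payload: bytes) -> bytes:
    # omega = payload XOR H(seed, k); applying mask again unmasks.
    pad = H(seed, k, len(payload))
    return bytes(a ^ b for a, b in zip(payload, pad))

# Alice sends omega = (m || decom) XOR H(seed, k); the extractor, holding
# K, recovers the payload only when K = k, since H is deterministic.
seed, k = b"public-seed", b"choice-string-k"
omega = mask(seed, k, b"m||decom")
assert mask(seed, k, omega) == b"m||decom"
```

This mirrors the argument above: as long as k retains enough min-entropy given Alice's view, the pad H(seed, k) is statistically close to uniform, so ω hides m||decom; conversely, an extracted K ≠ k yields an inconsistent opening, which is exactly the case the next lemma rules out.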
In order to conclude our proof, we need to show that the extractor always returns a valid message-decommitment pair for the same message that Alice outputs in the opening phase. More formally, let NoExt be the event that, for the output (m′, decom′) ← E(1^λ) of the extractor, it holds that m′ ≠ Open(com, decom′), where com is the variable sent by Alice in the same session. Additionally, let BadExt be the event that the output (m′, decom′) of the extractor is a valid opening for com but m′ ≠ m, where m is the message sent by Alice in the opening for the same session. We now argue that the probability that either NoExt or BadExt happens is bounded by a negligible function.

We observe that, whenever the extractor of the SWIAoK is successful, for all i ∈ [ℓ(λ)] it holds that β_i ← Open(com_i, decom_i) and that hd(q_i^{k_i}, β_i) ≤ δ, for some k = k_1||…||k_{ℓ(λ)}. Additionally, we have that H(seed, k) ⊕ ω is a valid decommitment information for com. By definition of NoExt, we have that m′ ≠ Open(com, decom′), where (m′, decom′) is the output of E and is defined as ω ⊕ H(seed, K). This implies that K ≠ k, since the function H is deterministic. Therefore, there must exist some i* such that K_{i*} ≠ k_{i*}. By Lemma 32, we know that K is uniquely defined, and therefore Alice did not query F_HToken^{PUFEval,PUFSamp} for any p′ such that hd(p_i^{z_i}, p′) ≤ γ for z_i ≠ K_i. Hence, for all i ∈ [ℓ(λ)], it holds by the unpredictability of the PUF that Pr[hd(β_i, q_i^{1−K_i}) ≤ δ] ≤ negl(λ); in particular, we have that β_{i*} ≠ m_{i*}. Since decom_{i*} and decom′_{i*} are valid openings for m_{i*} and β_{i*} with respect to com_{i*}, the probability that NoExt*(j*) happens in H^D_4 can be bounded by a negligible function via the binding property of the commitment scheme. This proves the initial lemma.

Proof. The formal argument follows along the same lines as the proof of Lemma 33.
The main observation here is that the argument implies that the output of E and the tuple (m, decom), where m is sent in the clear by Alice and decom is the output of the extractor for the SWIAoK, must be identical with overwhelming probability.
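As a hedged toy illustration of the two bad events, the checks can be made concrete with a hash-based stand-in commitment (which is computationally binding but not statistically hiding, unlike the scheme the protocol requires; names are ours):

```python
import hashlib

def Com(m: bytes, r: bytes) -> bytes:
    # Toy commitment: hash of message and randomness.
    return hashlib.sha256(m + r).digest()

def Open(com: bytes, decom):
    # decom = (m, r); return m if the opening is valid, else None.
    m, r = decom
    return m if Com(m, r) == com else None

def classify(com, extracted, opened_m):
    """Return which bad event (if any) the extractor's output triggers."""
    m_ext, decom_ext = extracted
    if Open(com, decom_ext) != m_ext:
        return "NoExt"   # extracted pair is not a valid opening of com
    if m_ext != opened_m:
        return "BadExt"  # valid opening, but for a different message
    return None          # extraction is consistent with Alice's opening
```

The lemma above states precisely that, with overwhelming probability, classify returns neither "NoExt" nor "BadExt" for the pair produced by E.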

S: We can now define the simulator S, which is identical to H_2 except that the output m′ of the algorithm E (defined above) is used in the message (commit, sid, m′) to the ideal functionality F_MCOM. The corresponding decommitment message (unveil, sid) is sent when the adversary returns a valid decommitment to some message m. Since the interaction is unchanged in the eyes of the adversary, the simulated and real executions are statistically indistinguishable. This implies that our protocol everlastingly UC-realizes the commitment functionality F_MCOM for any corrupted Alice and concludes our proof.