TY - JOUR
T1 - General composition and universal composability in secure multiparty computation
AU - Lindell, Yehuda
PY - 2009/7
Y1 - 2009/7
N2 - Concurrent general composition relates to a setting where a secure protocol is run in a network concurrently with other, arbitrary protocols. Clearly, security in such a setting is what is desired, or even needed, in modern computer networks where many different protocols are executed concurrently. Canetti (FOCS 2001) introduced the notion of universal composability and showed that security under this definition is sufficient for achieving concurrent general composition. However, it is not known whether or not the opposite direction also holds. Our main result is a proof that security under concurrent general composition, when interpreted in the natural way under the simulation paradigm, is equivalent to a variant of universal composability, where the only difference relates to the order of quantifiers in the definition. (In newer versions of universal composability, these variants are equivalent.) An important corollary of this theorem is that existing impossibility results for universal composability (for all its variants) are inherent for definitions that imply security under concurrent general composition, as formulated here. In particular, there are large classes of two-party functionalities for which it is impossible to obtain protocols (in the plain model) that remain secure under concurrent general composition. We stress that the impossibility results obtained are not "black-box," and apply even to non-black-box simulation. Our main result also demonstrates that the definition of universal composability is somewhat "minimal" in that the composition guarantee provided by universal composability implies the definition itself. This indicates that the security definition of universal composability is not overly restrictive.
AB - Concurrent general composition relates to a setting where a secure protocol is run in a network concurrently with other, arbitrary protocols. Clearly, security in such a setting is what is desired, or even needed, in modern computer networks where many different protocols are executed concurrently. Canetti (FOCS 2001) introduced the notion of universal composability and showed that security under this definition is sufficient for achieving concurrent general composition. However, it is not known whether or not the opposite direction also holds. Our main result is a proof that security under concurrent general composition, when interpreted in the natural way under the simulation paradigm, is equivalent to a variant of universal composability, where the only difference relates to the order of quantifiers in the definition. (In newer versions of universal composability, these variants are equivalent.) An important corollary of this theorem is that existing impossibility results for universal composability (for all its variants) are inherent for definitions that imply security under concurrent general composition, as formulated here. In particular, there are large classes of two-party functionalities for which it is impossible to obtain protocols (in the plain model) that remain secure under concurrent general composition. We stress that the impossibility results obtained are not "black-box," and apply even to non-black-box simulation. Our main result also demonstrates that the definition of universal composability is somewhat "minimal" in that the composition guarantee provided by universal composability implies the definition itself. This indicates that the security definition of universal composability is not overly restrictive.
KW - Concurrent general composition
KW - Secure computation
KW - Universal composability
UR - http://www.scopus.com/inward/record.url?scp=65049089377&partnerID=8YFLogxK
U2 - 10.1007/s00145-008-9021-2
DO - 10.1007/s00145-008-9021-2
M3 - ???researchoutput.researchoutputtypes.contributiontojournal.article???
AN - SCOPUS:65049089377
SN - 0933-2790
VL - 22
SP - 395
EP - 428
JO - Journal of Cryptology
JF - Journal of Cryptology
IS - 3
ER -