Paper 2000/067

Universally Composable Security: A New Paradigm for Cryptographic Protocols

Ran Canetti

Abstract

We propose a new paradigm for defining security of cryptographic protocols, called {\sf universally composable security.} The salient property of universally composable definitions of security is that they guarantee security even when a secure protocol is composed with an arbitrary set of protocols, or more generally when the protocol is used as a component of an arbitrary system. This is an essential property for maintaining security of cryptographic protocols in complex and unpredictable environments such as the Internet. In particular, universally composable definitions guarantee security even when an unbounded number of protocol instances are executed concurrently in an adversarially controlled manner, they guarantee non-malleability with respect to arbitrary protocols, and more. We show how to formulate universally composable definitions of security for practically any cryptographic task. Furthermore, we demonstrate that practically any such definition can be realized using known general techniques, as long as only a minority of the participants are corrupted. We then proceed to formulate universally composable definitions of a wide array of cryptographic tasks, including authenticated and secure communication, key-exchange, public-key encryption, signature, commitment, oblivious transfer, zero-knowledge, and more. We also make initial steps towards studying the realizability of the proposed definitions in other natural settings.

Note: This is a new and updated version, containing more results and (hopefully) better eplanations and discussions.