Cryptology ePrint Archive: Report 2002/047

Universal Composition with Joint State

Ran Canetti and Tal Rabin

Abstract: Cryptographic systems often involve running multiple concurrent instances of some protocol, where the instances have some amount of joint state and randomness. (Examples include systems where multiple protocol instances use the same public-key infrastructure, or the same common reference string.) Rather than attempting to analyze the entire system as a single unit, we would like to be able to analyze each such protocol instance as stand-alone, and then use a general composition theorem to deduce the security of the entire system. However, no known composition theorem applies in this setting, since they all assume that the composed protocol instances have disjoint internal states, and that the internal random choices in the various instances are independent. We propose a new composition operation that can handle the case where different components have some amount of joint state and randomness, and demonstrate sufficient conditions for when the new operation preserves security. The new operation, which is called {\em universal composition with joint state} (and is based on the recently proposed universal composition operation), turns out to be very useful in a number of quite different scenarios such as those mentioned above.

Category / Keywords: foundations / Cryptographic protocols, protocol composition, security analysis

Publication Info: Extended abstract of this work appears in proceedings of Crypto 2003.

Date: received 18 Apr 2002, last revised 17 Nov 2003

Contact author: canetti at watson ibm com

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | BibTeX Citation

Note: The main technical difference in the present revised version from the original one (from April 2002) is in the application of the JUC theorem to protocols using signature schemes. While the main results remain unchanged, the present version uses an improved and corrected abstraction of signatures.

In addition, the presentation was updated and improved throught the paper.

Version: 20031117:224736 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]