Cryptology ePrint Archive: Report 2016/034

Universal Composition with Responsive Environments

Jan Camenisch and Robert R. Enderlein and Stephan Krenn and Ralf Kuesters and Daniel Rausch

Abstract: In universal composability frameworks, adversaries (or environments) and protocols/ideal functionalities often have to exchange meta-information on the network interface, such as algorithms, keys, signatures, ciphertexts, signaling information, and corruption-related messages. For these purely modeling-related messages, which do not reflect actual network communication, it would often be very reasonable and natural for adversaries/environments to provide the requested information immediately or give control back to the protocol/functionality immediately after having received some information. However, in none of the existing models for universal composability is this guaranteed. We call this the \emph{non-responsiveness problem}. As we will discuss in the paper, while formally non-responsiveness does not invalidate any of the universal composability models, it has many disadvantages, such as unnecessarily complex specifications and less expressivity. Also, this problem has often been ignored in the literature, leading to ill-defined and flawed specifications. Protocol designers really should not have to care about this problem at all, but currently they have to: giving the adversary/environment the option to not respond immediately to modeling-related requests does not translate to any real attack scenario.

This paper solves the non-responsiveness problem and its negative consequences completely, by avoiding this artificial modeling problem altogether. We propose the new concepts of responsive environments and adversaries. Such environments and adversaries must provide a valid response to modeling-related requests before any other protocol/functionality is activated. Hence, protocol designers do no longer have to worry about artifacts resulting from such requests not being answered promptly. Our concepts apply to all existing models for universal composability, as exemplified for the UC, GNUC, and IITM models, with full definitions and proofs (simulation relations, transitivity, equivalence of various simulation notions, and composition theorems) provided for the IITM model.

Category / Keywords: foundations / universal composability, protocol design, cryptographic security proofs, responsive environments

Original Publication (with major differences): ASIACRYPT 2016

Date: received 13 Jan 2016, last revised 8 Sep 2016

Contact author: kuesters at uni-trier de

Available format(s): PDF | BibTeX Citation

Note: Editorial changes only. This is the full version of the ASIACRYPT 2016 paper.

Version: 20160908:130230 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]