## Cryptology ePrint Archive: Report 2020/1489

On the (Ir)Replaceability of Global Setups, or How (Not) to Use a Global Ledger

Christian Badertscher and Julia Hesse and Vassilis Zikas

Abstract: In a universally composable framework, a global setup is intended to capture the ideal behavior of a primitive which is accessible by multiple protocols, allowing them to share state. The ledger implemented by blockchain protocols such as Bitcoin is a representative example of such global setup, since the Bitcoin ledger is known to be useful in various scenarios. Therefore, it has become increasingly popular to capture such ledgers as a global setup. One would hope that this allows one to make security statements about protocols that use such a global setup, e.g., a global ledger, which can then be automatically translated into the setting where the setup is replaced by a protocol implementing it, such as Bitcoin.

We show that the above reasoning is flawed and such a generic security-preserving replacement can only work under very (often unrealistic) strong conditions on the global setup. For example, the composable security of Bitcoin, cast as realizing an ideal ledger such as the one by Badertscher et al. [CRYPTO'17], is not sufficient per se to allow us to replace the ledger by Bitcoin when used as a global setup and to expect that security statements that are made in the global ledger-hybrid world would be preserved.

On the positive side, we provide characterizations of security statements for protocols that make use of global setups, for which the replacement is sound. Our results can be seen as a first guide on how to navigate the very tricky question of what constitutes a good'' global setup and how to use it in order to keep the modular protocol-design approach intact.

Category / Keywords: foundations / Composable Security, Global Setup

Date: received 27 Nov 2020, last revised 2 Mar 2021

Contact author: christian badertscher at iohk io,jhs@zurich ibm com,vzikas@inf ed ac uk

Available format(s): PDF | BibTeX Citation

Note: Minor revision of presentation of the results

Short URL: ia.cr/2020/1489

[ Cryptology ePrint archive ]