Paper 2022/224

Embedding the UC Model into the IITM Model

Daniel Rausch, Ralf Kuesters, and Céline Chevalier


Universal Composability is a widely used concept for the design and analysis of protocols. Since Canetti's original UC model and the model by Pfitzmann and Waidner several different models for universal composability have been proposed, including, for example, the IITM model, GNUC, CC, but also extensions and restrictions of the UC model, such as JUC, GUC, and SUC. These were motivated by the lack of expressivity of existing models, ease of use, or flaws in previous models. Cryptographers choose between these models based on their needs at hand (e.g., support for joint state and global state) or simply their familiarity with a specific model. While all models follow the same basic idea, there are huge conceptually differences, which raises fundamental and practical questions: (How) do the concepts and results proven in one model relate to those in another model? Do the different models and the security notions formulated therein capture the same classes of attacks? Most importantly, can cryptographers re-use results proven in one model in another model, and if so, how? In this paper, we initiate a line of research with the aim to address this lack of understanding, consolidate the space of models, and enable cryptographers to re-use results proven in other models. As a start, here we focus on Canetti's prominent UC model and the IITM model proposed by Kuesters et al. The latter is an interesting candidate for comparison with the UC model since it has been used to analyze a wide variety of protocols, supports a very general protocol class and provides, among others, seamless treatment of protocols with shared state, including joint and global state. Our main technical contribution is an embedding of the UC model into the IITM model showing that all UC protocols, security and composition results carry over to the IITM model. Hence, protocol designers can profit from the features of the IITM model while being able to use all their results proven in the UC model. We also show that, in general, one cannot embed the full IITM model into the UC model.

Available format(s)
Publication info
A major revision of an IACR publication in EUROCRYPT 2022
Universal ComposabilityUC ModelIITM Model
Contact author(s)
daniel rausch @ sec uni-stuttgart de
ralf kuesters @ sec uni-stuttgart de
celine chevalier @ ens fr
2022-02-25: received
Short URL
Creative Commons Attribution


      author = {Daniel Rausch and Ralf Kuesters and Céline Chevalier},
      title = {Embedding the {UC} Model into the {IITM} Model},
      howpublished = {Cryptology ePrint Archive, Paper 2022/224},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.