We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is maintained under a general protocol composition operation, called universal composition. The proposed framework with its security-preserving composition property allows for modular design and analysis of complex cryptographic protocols from relatively simple building blocks. Moreover, within this framework, protocols are guaranteed to maintain their security within any context, even in the presence of an unbounded number of arbitrary protocol instances that run concurrently in an adversarially controlled manner. This is a useful guarantee that allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks.
This is an updated version. While the overall spirit and the structure of the definitions and results in this paper have remained the same, many important details have changed. We point out and motivate the main differences as we go along. We have also listed the main changes in Appendix B. Earlier versions of this work appeared in June 2013, January 2005 and October 2001, under the same title, and in December 2000 under the title "A unified framework for analyzing security of protocols". These earlier versions can be found on this site, and also at the IACR Eprint archive entry 2000/067; however, they are not needed for understanding this work and have only historic significance.
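As an added illustration of the composition property described above (this is not text from the paper; the notation $\pi$, $\phi$, $\rho$, $\mathcal{A}$, $\mathcal{S}$, $\mathcal{Z}$ and $\mathrm{EXEC}$ is assumed here as the framework's standard shorthand), the security notion is a single emulation statement, and the composition theorem is what lets a proof about one building block carry over to any larger protocol that uses it:

Protocol $\pi$ UC-emulates protocol $\phi$ if
$$\forall \mathcal{A}\ \exists \mathcal{S}\ \forall \mathcal{Z}:\qquad \mathrm{EXEC}_{\pi,\mathcal{A},\mathcal{Z}} \approx \mathrm{EXEC}_{\phi,\mathcal{S},\mathcal{Z}},$$
where $\mathcal{A}$ is the adversary attacking $\pi$, $\mathcal{S}$ is a simulator attacking $\phi$, $\mathcal{Z}$ is the environment (which drives the inputs, reads the outputs, and interacts with the adversary), and $\approx$ denotes computational indistinguishability of the environment's output ensembles. Realizing an ideal functionality $\mathcal{F}$ is the special case $\phi = \mathcal{F}$.

Universal composition: if $\rho$ is any protocol that invokes $\phi$ as a subroutine (possibly an unbounded number of concurrent instances), and $\pi$ UC-emulates $\phi$, then
$$\rho^{\pi/\phi} \ \text{UC-emulates}\ \rho,$$
where $\rho^{\pi/\phi}$ is $\rho$ with each call to $\phi$ replaced by a call to $\pi$. The modular design claim in the abstract follows by chaining: if $\rho$ UC-realizes $\mathcal{G}$ while calling $\mathcal{F}$, and $\pi$ UC-realizes $\mathcal{F}$, then $\rho^{\pi/\mathcal{F}}$ UC-realizes $\mathcal{G}$, since emulation is transitive.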
Building on known definitions, we present a unified general framework for
defining and analyzing security of cryptographic protocols. The framework
allows specifying the security requirements of a large number of
cryptographic tasks, such as signature, encryption, authentication, key
exchange, commitment, oblivious transfer, zero-knowledge, secret sharing,
general function evaluation, and more. Furthermore, within this framework
security of protocols is preserved under general composition with any other
set of protocols that may be running {\em concurrently} in the same system.
This holds in a number of standard models of computation, including the
challenging setting of asynchronous networks where the communication is
public and security holds only for computationally bounded adversaries.
Indeed, the proposed framework allows for modular design and analysis of
complex protocols from relatively simple building blocks. Moreover, secure
protocols are guaranteed to maintain their functionality within any
application, even when an unbounded number of protocols are running
concurrently in an adversarially controlled manner.
Definitions of security in this framework are often more stringent
than other definitions. Nonetheless, we show that in many cases
they are satisfied by known protocols. (In fact, practically {\em any
cryptographic task} can be realized in the synchronous version of the above
setting, as long as only a minority of the participants are corrupted.)
In other cases satisfying the definitions is left open.
We propose a new paradigm for defining security of cryptographic protocols,
called universally composable security. A salient property of
definitions that follow this paradigm is that they guarantee security
even when the analyzed protocol runs alongside an unbounded
number of unknown (even maliciously designed) protocols, or
more generally when the protocol is used as a component of an arbitrary
distributed system.
This property is essential for maintaining security of
cryptographic protocols in complex and unpredictable environments, such
as the global Internet. In addition, it allows for very
modular design and analysis of protocols.
We formulate a general framework that allows writing universally
composable definitions of security for practically any cryptographic task.
We then exemplify the expressive power
of this framework by capturing within it a number of
standard communication models and cryptographic primitives that were
traditionally defined in a variety of different ways.
We propose a new paradigm for defining security of cryptographic protocols,
called {\sf universally composable security.} The salient property of
universally composable definitions of security is that they guarantee security
even when a secure protocol is composed with an arbitrary set of protocols, or
more generally when the protocol is used as a component of an arbitrary
system. This is an essential property for maintaining security of
cryptographic protocols in complex and unpredictable environments such
as the Internet. In particular, universally composable definitions guarantee
security even when an unbounded number of protocol instances are executed
concurrently in an adversarially controlled manner, they guarantee
non-malleability with respect to arbitrary protocols, and more.
We show how to formulate universally composable
definitions of security for practically any cryptographic task. Furthermore,
we demonstrate that practically any such definition can be realized using
known general techniques, as long as only a minority of the participants
are corrupted. We then proceed to formulate universally composable
definitions of a wide array of cryptographic tasks, including
authenticated and secure communication, key-exchange, public-key encryption,
signature, commitment, oblivious transfer, zero-knowledge, and more.
We also make initial steps towards studying the realizability of the
proposed definitions in other natural settings.