Universal Composition with Responsive Environments


Universal Composition with Responsive Environments


Jan Camenisch (IBM Research - Zurich) and Robert R. Enderlein (IBM Research - Zurich and ETH Zurich) and Stephan Krenn (AIT) and Ralf K√ľsters (University of Trier) and Daniel Rausch (University of Trier)


A increasingly popular approach to proving the security of protocols is to define the desired security and functional properties by an ideal functionality and then to prove that a protocol realizes the functionality within a universal composability framework. When specifying such ideal functionalities, one often requires the adversary (or environment) to provide some meta-information, such as cryptographic values of signatures, ciphertexts, and keys. Similarly, when designing protocols, the adversary/environment needs to provide, for example, signaling information and corruption statuses of protocol participants. Intuitively, one would expect that such requests are answered immediately. However, in none of the existing models for universal composability this is guaranteed: adversaries and environments can freely activate protocols and ideal functionalities without answering such requests, resulting in dangling and interleaving requests. We call this issue the non-responsiveness problem. It is typically very cumbersome to properly deal with such intermediate activations and interleaved requests and there is no generally applicable method to handle such activations. If fact, protocol designers often do not even consider this issue and miss to specify the behavior of their protocols and ideal functionalities in these situations. This unfortunately results in undefined or even flawed specifications, making it impossible to use such protocols/ideal functionalities in higher level protocols and carrying out rigorous security proofs. What makes the non-responsiveness problem and its consequences particularly disturbing is that they are merely a modeling artifact: it would be very natural if the mentioned requests were answered immediately by adversaries/environments as they are used for modeling purposes only and allowing adversaries/environments to not answer them immediately does not model any real attack.

This paper solves the non-responsiveness problem and its negative consequences by proposing a framework for universal composability with responsive environments and adversaries. In a nutshell, when a protocol or functionality sends what we call a restricting message to the adversary/environment, the latter must provide a valid response before any other protocol/functionality is activated. Hence, protocol designers can declare requests for meta-information to be restricting in order to guarantee that such requests are answered immediately, and hence, they do not have to worry about modeling artefacts resulting from such requests not being answered immediately. Our concepts apply to all existing models for universal composability, we provide formal theorems for the IITM model and discuss it the UC and GNUC models.


22nd International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT 2016)

Place and Date

Hanoi, Vietnam, December 4-8, 2016

Publication Reference

Jan Camenisch, Robert R. Enderlein, Stephan Krenn, Ralf K√ľsters, and Daniel Rausch, "¬†Universal Composition with Responsive Environments", IACR Cryptology ePrint Archive , 2016:034, 2016.


@inproceedings{cekkr16, author    = {Jan Camenisch and Robert R. Enderlein and Stephan Krenn and Ralf K{\"{u}}sters and Daniel Rausch}, title     = {{Universal Composition with Responsive Environments}}, booktitle = {Advances in Cryptology - {ASIACRYPT} 2016, Part {II}}, pages     = {807--840}, year      = {2016}, editor    = {Jung Hee Cheon and Tsuyoshi Takagi}, series    = {Lecture Notes in Computer Science}, volume    = {10032}, }