Universally Composable Incoercibility

Universally Composable Inoeribility

∗

Dominique Unruh

SaarlandUniversity

Jörn Müller-Quade

Universität Karlsruhe

Otober 27,2009

Abstrat

WepresenttheUC/framework,ageneraldenitionforseureandinoeriblemulti-party

protools. Ourframeworkallowsto model arbitraryreativeprotool tasks(by speifying

an ideal funtionality) and omes with a universal omposition theorem. We show that

givennaturalsetupassumptions,weanonstrutinoerible two-partyprotoolsrealising

arbitraryfuntionalities(withrespetto statiadversaries).

Contents

1 Introdution 2

1.1 Theintuition behindUC/ . 3

1.2 Related work . . . 4

2 The Composable Inoeribility

Framework (UC/) 5

2.1 TheUC framework . . . 5

2.2 The Composable

Inoeribil-ityframework(UC/) . . . . 6

2.3 Corruption shedules . . . 7

2.4 Erasing andnon-erasing parties 9

2.5 Basiproperties . . . 9

2.6 Universalomposition . . . . 12

3 Voting shemes 14

4 Inoerible two-party protools 18

4.1 ExternalizedUC framework . 18

4.2 EUCseurityimpliesUC/

se-urity . . . 20

5 Conlusions and open problems 27

Referenes 27

Index 29

∗

Partially funded by the Cluster of Exellene Multimodal Computing and Interation. Errata will be

Commonly, seurity of a ryptographi protool enompasses (very roughly) two aspets: The

protool should guarantee that the private data of the parties stays seret (privay), and it

should ensure thatall datatransferred or omputed isorret (integrity). Mostseurity

deni-tions ensure one or both of these requirements, and many protools are knownto satisfythese

denitions (e.g., [GMW87,BOGW88,CCD88 , CFGN96 , CLOS02℄).

There is,however, a requirement that doesnot fall into either ategory: oerion resistane

(rstnotedby[Her91,BT94 ℄). Toillustratethisproperty,weusetheexampleofavotingsheme.

In a voting sheme, itmight be possible for a voter to aquire a reeipt that he ast a spei

vote. Thisdoesnot violate the anonymity of the voter sine thevoter isnot required to reveal

orevenaquiresuhareeipt. Thus privayismaintained. Andgettingareeiptdoesnotallow

to falsify theoutome of the eletion. Thus the integrity of thesheme ismaintained. Yetthe

mere possibility of aquiring a reeipt may make a party oerible. A oerive adversary may

threaten ertainreprisalsifthe partydoesnotast aspei voteandprovesthis bydelivering

areeipttotheadversary. Thussuhaneletionprotoolwouldnotbeoerionresistant(short:

inoerible).

Inoeribilityisan important propertyinanysettinginwhih somemaliiousagent hasthe

power to harm and thus threaten other protool partiipants. Clearly, this is not restrited to

thesettingofvotingbutmaybetheaseinothersettings,too(e.g.,whennanial transations

areinvolved). Unfortunately,inoeribilityturnsouttobebothdiulttodeneandtoahieve.

Previous denitionsof inoeribility areusually restritedto speialdomainssuh asvoting

(e.g.,[BT94,JCJ05,DKR09 ℄). AnexeptionarethemodelsbyCanettiandGennaro[CG96℄and

byMoranandNaor[MN06℄whihgivegeneraldenitionsofinoeriblemulti-partyomputation.

Theirdenitionsare, however,restritedtotheaseofseurefuntionevaluation. Thatis,they

only onsiderprotools inwhih all parties need to rstontributetheir inputs,and thenfrom

these inputs the outputs for the parties areomputed. Reative protools, protools that have

multiple phases and where the inputs in one phase an depend on the outputs of an earlier

phase,areexluded. For example,theseurityofaommitment protoolouldnot bemodelled

intheir settings.

Besides theproblemof reative protools, the issueof omposability arises. When building

a omplex protool, it is often neessary to abstrat from ertain subprotools in the analysis

tomake theanalysismanageable. For example,onemightrstanalysetheprotoolassuming a

perfetlyseure mehanism for performing ommitments (modelled by atrustedmahine), and

thenlateronprovetheseurityofthesubprotoolthatisatuallyusedfortheommitments. To

do so,and also to have aguarantee thatthe protooldoesnot beome inseurewhen exeuted

togetherwithotherprotools or instanesof itself,one needsa seuritynotionthatomes with

aomposition theorem.

In thease of normalseure multi-party omputation (i.e.,without inoeribility) both the

problem of modelling reative protools and of giving strong ompositionality guarantees has

been solved by Canetti's UC model [Can01 ℄. In this model, we an dene a protool task by

speifying atrusted mahine, theideal funtionality,whih by denitionperformsthe required

protool task. Sinethis mahinean interat withitsenvironment inarbitraryways,the

seu-rityofverygeneral reative protools anbemodelled. Furthermore,theUCmodelguarantees

thatifa protoolis seure whenusing (asopposedto realising)an ideal funtionality,thenthe

protoolstaysseurewheninsteadoftheidealfuntionality,asubprotoolthatseurelyrealises

theideal funtionalityis used. The UCmodel, however, doesnot guarantee inoeribility.

Our ontribution. We dene the Composable Inoeribility framework (UC/) whih is an

olsseure withrespettoUC/areinoerible. To illustratethemodel,we showthatavoting

sheme that is UC/ seure is also inoerible withrespet to a denition tailored speially

to voting. Finally,we showthatintherestritedaseofstatioerions/deeptions(all

orrup-tions and oerionshappen at thebeginning of theprotool),arbitrary UC/ seure two-party

omputation ispossibleassuming the availabilityof seure hannels.

Organisation. InSetion1.1,weexplaintheintuitionbehindtheUC/framework. InSetion2

wedene theUC/ framework andpresent theuniversalompositiontheorem. InSetion 3we

illustrate our model by applying it to the setting of voting protools. In Setion 4 we show

that UC/ seure two-party protools exist for arbitrary funtionalities. In Setion 5 we give

diretionsfor further work.

1.1 The intuition behind UC/

TounderstandtheUC/model,werstneedtogetanintuitionofhowinoeribilityisahieved.

The goal of aninoerible protool isthefollowing: When anadversarytries to oere a party

into performing aertaination(suhasastingapartiular vote

v

∗

),thepartyshouldbeable

to perform the ationitoriginally intendedtoperform (astingavote

v

)withouttheadversary

notiing. Thatis,the adversaryshouldnotbeabletotellthedierene between aparty

P

that followsthe adversary'sinstrutions (a orrupted party, astingthevote

v

∗

) anda party

P

that onlytries tomake theadversarybelieve thatitfollowstheadversary'sinstrutions (a deeiving

party, astingthe vote

v

and givingfake evidene totheadversarythatit astthevote

v

∗

).

The mostnatural wayto dene inoeribilitywouldbeto requirethattheadversaryannot

distinguishbetweenaoeredandadeeiving party. This,however, usuallyannotbeahieved.

For example,ina votingprotoolthe adversarywill eventuallylearn thetally. Thedistribution

of the tally will, sine there are only polynomially manyvoters, slightly but notieably hange

when the vote of

P

hanges from

v

to

v

∗

. The adversary an hene distinguish oered and

deeiving partiesbyobserving thetally.

Thus,wehavetoweakentherequirement. Theadversaryshouldnotbeabletodistinguisha

oeredandadeeivingpartyanybetterthanheoulddogivenonlyinformationthatislegally

available to him (the tally in our example). In general, however, it is not straightforward to

denewhatinformationislegally availabletotheadversaryinanypartiularsituation. Neither

is itstraightforward to determine howmuh distinguishing advantage the adversary would get

givenonly thatinformation.

In order to irumvent this problem, we use a slightly dierent approah: We rst dene

an ideal model inwhih theadversary has, bydenition, only aess to the legally available

information. In the aseofvoting,suhan idealmodelwouldonsistof atrustedmahine(the

ideal voting funtionality

F

) that ollets thevotes from all partiesand givesonly the tallyto theadversary. Inthe ideal model, thedistinguishing advantage between a oered party (that

gives

v

∗

to

F

) anda deeivingparty(that gives

v

to

F

)is, bydenition, exatlytheadvantage theadversary getsfrom thelegally available information (thetally).

Tomake thisdenitionmore formal,weintrodue anadditional entity,thedeeiver [For91 ℄.

Thetaskofthedeeiveristoinstrutadeeivingpartywhatitshoulddo(i.e.,howtodeeivethe

adversary). Moreformally, a deeiving partywill not run anyprogram of its own, but instead

followtheinstrutions ofthedeeiver. (Inasense,thedeeivermodelstheparty'sfreewill.) In

partiular, the deeiver mayinstrut a party to ast a vote

v

and to send to theadversarythe

fakenotiationthatitastvote

v

∗

. (Sineweareintheidealmodel, noryptographireeipts

or similar need to be faked.) A orrupted party, on theother hand, will follow theadversaries

ionsituation thatan ourinthe idealmodel. Todene whatitmeans thatthereal protool

is inoerible (or more preisely, as inoerible as the ideal model), we will use theonept of

simulation thatunderlies many ryptographidenitions suh asmulti-partyomputation and

zero-knowledge: We showthatforanyadversaryinthereal modelthatperformssome oerion

attak, thereis another adversary intheideal model(alled theadversary-simulator) that

per-forms a orresponding attak with as muh suess. In other words, we require that for any

deeiver (speifying what a partywouldideally want to do), and for anyadversary inthe real

model (trying to oere parties), there is an adversary-simulator in the ideal model suh that

thereal andthe ideal model areindistinguishable.

Weare,however, missingoneingredient: Weneed tospeifyhowtheidealdeeptions

(spe-ied in terms of inputs to the ideal funtionalities) translate into real deeptions (speied in

terms of faked messages et.). This is done by introduing a deeiver in the real model, too,

alled the deeiver-simulator. We then require that for any deeiver in the ideal model

(rep-resenting a possible deeption) there is a deeiver-simulator in the real model (that performs

the orresponding real deeptions) suh that for any adversary in the real model there is a

adversary-simulator inthe ideal modelsuh thatthetwo modelsare indistinguishable.

Finally, to model the indistinguishability of the two models, we follow the ideas from the

UC framework and introdue a further mahine, the environment, that either ommuniates

with the mahines in the real model or with the mahines in the ideal model and that hasto

guess whih model it is in. (For details on how this indistinguishability atually ensures that

the adversary's advantage in distinguishing orrupted and deeiving parties arries over from

theideal to the real modelwe referto theexample inSetion 3.)

1.2 Related work

We are aware of only two worksthat takle the problem of dening inoeribility or a similar

propertyina general fashion (i.e.,not speialisedto apartiular protooltasksuh asvoting).

Inoerible seure funtion evaluation. Canetti and Gennaro [CG96 ℄ present a model for

dening inoerible seure funtion evaluation whih was subsequently rened by Moran and

Naor [MN06℄. The model by Moran and Naor is based on the so-alled stand-alone model

[Can00 ,Gol04 , Ch.7℄. Inthismodel, oneassumesthattheinputsofallhonestpartiesarexed

before the beginning of the protool. This has several impliations: First, reative protools

where parties may deide on their inputs in later phases annot be modelled. Seond, when

atually deployingtheprotool, onewouldhave toensureverystrongsynhronisation: Inorder

not to introdue possibilities for attaks not overed by the model, we have to ensure that no

protool message is sent until all honest parties have deided on their input. Third, the

stand-alonemodelonly guaranteessequential omposability. 1

That is, we have noguaranteethatthe

protool stays seure when running onurrently with other protools (whih usually happens

inreal-lifenetworks).

SinethemodelbyMoranandNaorisbasedonthestand-alonemodel,inthismodeloered

partiesonly needto lieabouttheir initialinputs. Beauseofthis,Moranand Naordo notneed

to introdue an expliitdeeiver; anydeeptiona partymightwant to perform anbe enoded

byspeifyingaseondinput,theso-alledfakeinput. Inontrast,themoreomplexdeeptions

thatarepossible inour settingneessitatetheintrodutionof anexpliitmahine, thedeeiver,

to speifythedeeptions.

1

Notethat ithas notbeen shownthat the variant ofthe stand-alonemodelpresented by Moran and Naor

Canetti and Gennaro [CG96 ℄. Furthermore, the model by Canetti and Gennaro only models

a very weak form of oerion-resistane; the adversary may instrut a oered party to use a

dierentinput,buthemaynotinstrutthatpartytodeviatefromtheprotool. Foradisussion

ofthe dierenebetween themodelsbyMoran andNaorandbyCanettiandGennaro, werefer

to [MN06 ℄.

Externalized UC. Another approah to dene properties similar to inoeribility for general

protools is the Externalized UC (EUC) framework proposed by Canetti, Dodis, Pass, and

Walsh [CDPW07 ℄ (also known as Generalized UC, UC with global setup, or, proposed

inde-pendently byHofheinz,Müller-Quade, and Unruh[HUMQ07℄,UC withatalysts).

This framework is, like ours, an extension of the UC framework and inherits its support

for reative protools and its universal omposition theorem. TheEUC framework diers from

the UC framework by allowing the environment to diretly aessthe ideal funtionality used

in the real protool. As explained in [CDPW07 ℄, seurity in the EUC framework implies a

property alled deniability. This means that no (maliious) protool party

P

an ollet any information during the protool run that an later be used to prove to an outsider that some

party

Q

partiipated in the protool. (An example for suh inriminating information would bea message signed by

Q

.) Inother words,

Q

an plausiblylaim that thewholeprotooldid not take plae. Obviously, suh a laim is only realisti with respet to an outsider who did

not himself ommuniate with

Q

during the protool exeution. In ontrast, inoeribility as

understoodbythis papermeans that a party an lie about its ationstowards an insider (e.g.,

a partyouldlie even towards anothervoter about thevoteithasast).

Thus the two models (EUC and UC/) have very dierent aims. Tehnially they are,

however, related: In Setion 4.2 we show that under ertain onditions, EUC seurity implies

UC/ seurity.

2 The Composable Inoeribility Framework (UC/)

2.1 The UC framework

Our model is based on the Universal Composability(UC) framwork [Can01 ℄. For self

ontain-ment and to x notation, we give a short overview over the UC framework. An interative

Turingmahine(ITM) is aTuringmahinethat hasadditional tapesfor inoming and for

out-goingommuniation. An ITMmaybeativatedbya messageon aninoming ommuniation

tape. Atthe endof anativation,theITMmaysendamessage onanoutgoing ommuniation

tape to another ITM. The reipient of a message is addressed by the unique identity of that

ITM. The ations of an ITM may depend on a global parameter

k

∈

N, the so-alled seurity parameter.

A network ismodeledasa (possiblyinnite)set ofITMs. 2

Weall a network

S

exeutable ifitontains anITM

Z

withdistinguished inputand outputtape andwiththespeialidentity

env

. An exeution of

S

with input

z

∈ {

0

,

1

}

∗

and seurity parameter

k

∈

N is the following random proess: First,

Z

isativatedwiththemessage

z

onits inputtape. WheneveranITM

M

1

∈

S

nishesanativationwithanoutgoingmessage

m

addressedtoanotherITM

M

2

∈

S

on

itsoutgoingommuniationtape,theotherITM

M

2

isinvoked withinomingmessage

m

onits inomingommuniationtape(taggedwiththeidentityofthesender

M

1

). IfanITMterminates

itsativation withoutan outgoing messageor sendsa messageto anon-existing ITM,theITM

2

Inthease ofinnitenetworkswerequirethenetworktobeuniforminthesensethatgiventheidentityof

Z

is ativated. When the ITM

Z

sends a message on its output tape (not theommuniation

tape!),theexeutionof

S

terminates. Theoutputof

Z

wedenote by

EXEC

S

(

k, z

)

. AnITM

Z

with identity

env

we allan environment andan ITM

A

withidentity

adv

we allan adversary. A protool isa network thatdoesnotontain an environment or an adversary.

We all networks

S, S

′

indistinguishable if there is a negligible funtion

µ

suh that for all

k

∈

N,

z

∈ {

0

,

1

}

∗

, we have that

|

Pr[EXEC

S

(

k, z

) = 1]

−

Pr[EXEC

S

′

(

k, z

) = 1]

| ≤

µ

(

k

)

. We all

S, S

′

perfetly indistinguishable if

µ

= 0

.

Using the above network model, seurityis dened byomparison. We rst dene anideal

protool

ρ

that speies the intended protool behaviour. Then we dene what it means that another protool

π

(seurely)emulates

ρ

:

Denition 1 (UC [Can01℄) Let

π

and

ρ

be protools. We say that

π

UC emulates

ρ

if for any polynomial-time adversary

A

there exists a polynomial-time adversary

S

(the adversary-simulator)suhthat forany polynomial-time environment

Z

thenetworks

π

∪ {A

,

Z}

(alled the real model) and

ρ

∪ {S

,

Z}

(alled the ideal model) are indistinguishable.

In the UCframework, one an model seure hannels (that do not even leak the length of the

transmitted message) by diret ommuniation between the ITMs; inseure hannels an be

modelled by sending messages to the adversary; seure hannels that leak the length of the

message,aswell asauthentiated hannels an bemodelled asan ideal funtionality.

Corruptionsaremodelledasfollows: Theenvironment

Z

ansendspeialorruptionrequests toprotoolparties(whihareITMsin

π

). Ifaprotoolpartyreeivessuharequest,itsendsits

urrent stateto the adversary andfrom thenonisontrolled bytheadversary(i.e.,itforwards

all inomingommuniation to theadversaryand vieversa).

Usually, the ideal model will be desribed by a so-alled ideal funtionality. Suh an ideal

funtionality is an inorruptible ITM that an be seen as a trusted third party aessible to

theprotoolparties. Theideal protoolorresponding to

F

onsistsof

F

itself anda so-alled dummy-party

P

˜

for eah party

P

in the real model. The dummy-party

P

˜

simply forwards

all messages reeived from the environment to

F

and vie versa. In slight abuse of notation, we write

F

for the ideal protool orresponding to

F

. Note that the dummy-parties an be orrupted, hene the inputs and outputs to

F

fromorrupted partiesan be inuened bythe adversary-simulator. Using the oneptof an idealfuntionality,we an expressmany protool

tasksby rstspeifyingan idealfuntionality

F

thatfullstheprotooltaskbydenition, and thenrequiringthatthe protool

π

UCemulates

F

.

Wean also onsiderrealprotools

π

whih ontainideal funtionalities

F

(e.g.,a funtion-alitymodelling a CRS).These funtionalitiesan thenbe aessed by all parties. We thensay

that

π

isaprotoolinthe

F

-hybrid model.

For moredetails,werefer thereader tothe fullversionof [Can01 ℄.

2.2 The Composable Inoeribility framework (UC/)

Inourframework(UC/)thepossibilityofoerionsismodelledbythepreseneofanadditional

adversarialentity,alledthedeeiver. Formally,adeeiverisanITM

D

withthespeialidentity

dec

. We further renethenotion of a protool: Aprotool isa network that does not ontain

an environment, adversary, ordeeiver.

A typial network would onsist of a protool

π

, an adversary

A

, a deeiver

D

, and an environment

Z

(where the adversary and the deeiver may also be alled adversary-simulator and deeiver-simulator for larity depending on their role in theprotool). Both theadversary

deeiving. We say a party is ontrolled if it is orrupted or deeiving. Initially, all mahines

are unontrolled. Unontrolled parties behave aording to the protool speiation. If the

environment

Z

sendsaorruptionrequest toanunontrolledparty,thepartybeomesorrupted. Ifthe environment sendsa deeption request to an unontrolledor a orrupted party,the party

beomes deeiving. When a party beomes orrupted or deeiving, it sends its state to the

adversary or the deeiver, respetively. From then on, it is ontrolled bythe adversary or the

deeiver,respetively(thatis,itforwardsallinomingommuniationtotheontrollingmahine

and sends messages as instruted by theontrolling mahine). The only exeption is that if a

orruptedmahinereeivesadeeptionrequest,itwillnotforwardthatrequesttotheadversary,

beauseinthatmoment,itwillbeomedeeivingandhenebeundertheontrolofthedeeiver.

Weassumethe existeneof agloballyreadable register thatontains thestateofeah party

(whether it is unontrolled, orrupted, or deeiving). However, when the adversary reads this

register,thestate ofanydeeivingmahinewillbereportedasorrupted. (Thisreetsthefat

that the adversary should not be able to know whih mahine is deeiving.) Protool parties

will not usuallyreadthis register;insomeases,however, itmight beuseful ifthebehaviourof

an ideal funtionalityan depend on whethera mahineis ontrolled or not. 3

We are now ready to speify the notion of UC/ seurity. In this notion, we do not only

require theadversary-simulator (inthe ideal model) to simulate theadversary's ations(inthe

realmodel),butsimultaneouslyrequirethatthedeeiver-simulator (intherealmodel)simulates

theationsof the deeiver(inthe idealmodel).

Denition 2 (UC/) Let

π

and

ρ

be protools. We say that

π

UC/ emulates

ρ

if for any polynomial-time deeiver

D

there exists a polynomial-time deeiver

D

S

(the deeiver-simulator) suhthat foranypolynomial-timeadversary

A

thereexistsa polynomial-time adversary

A

S

(the adversary-simulator) suh that for any polynomial-time environment

Z

the following networks are indistinguishable:

π

∪ {A

,

D

S

,

Z}

and

ρ

∪ {A

S

,

D

,

Z}

.

Why is the adversary not informed about deeiving parties? The reader may notie

an asymmetry inthe denition: While the deeiver learns whih partyis orrupted and whih

party is deeiving, the adversary will be told that a party is orrupted even if it is deeiving.

This is neessary beause during a deeption, the goal is to heat the adversary into thinking

thatonebehavesasheinstruts(i.e.,thatoneisorrupted). Thereforeorruptedanddeeiving

partiesshould beindistinguishable from thepoint of viewof theadversary.

Whyandeeivingpartynotbeomeorrupted? Anotherasymmetryisthataorrupted

party an later beome deeiving while the model does not allow to orrupt parties that are

deeiving. Although formally both diretions ould be allowed, we have exluded the latter

beause we ould not nd an interpretation for suh a senario. For an interpretation of the

former diretion (bad-guyoerions),seethenext setion.

2.3 Corruption shedules

Thenotion ofUC/(Denition2) allowstheenvironment toorruptor oereanypartyatany

point of time. This leads to a very strit denition. To get a denition that is more lenient

3

Atypialexampleisthekeyexhangefuntionality,whihreturnsarandomkeyforbothparties[Can05 ℄. If

oneofthepartiesisorrupted,thekeyisinsteadhosenbytheadversary. Thusthefuntionalityneedstoknow

performedbythe environment. Weall suh arestrition a orruptionshedule.

Bad-guyoerions. Therearenorestritionsontheenvironment(exeptthattheenvironment

annotorruptadeeiving party,thisisimpliitinthemodellingoftheorruptionmehanism).

We all this notion bad-guy oerions beause the environment may rst orrupt a party

(make it a bad-guy) and then later oere it. It is very diult to design protools that are

seure againstbad-guy oerionsbeauseaorrupted partymaybeinstrutedbytheadversary

to atively deviatefromtheprotoolto produe evideneagainstitselfandthus thwartitsown

deniability. (Inontrast,a deeivingpartywould,giventhesameinstrutions,onlytryto make

theadversary believe thatitfollowsthese instrutions.)

Forexample,insomeprotooltheabilitytodeeivetheadversary(andthustheinoeribility

of the protool) might be based on the following fat: When the adversary requests a private

seret

m

of some party, that party may send a dierent seret

m

′

instead whih ontains a

trapdoor. This trapdoor then is later essential for ahieving inoeribility. In the setting of

bad-guy oerions, a party might rst be orrupted and then reveal the true seret

m

to the adversary. Thisseret

m

doesnotontainatrapdoor. Thenlater,ifthepartybeomesdeeiving,

it will be unable to follow its deeptionstrategy beause it does not know any trapdoor for

m

. In anutshell, while orrupted, a party mayatively try to prevent its owninoeribility. Thus

weexpetthatUC/ seurity withrespetto bad-guy oerionsis veryhard to ahieve.

In pratise, bad-guy oerions are arguably a very rare event. A possible motivation for

bad-guy oerions is the following thought experiment: A member(say, Bob) of a riminal

or-ganisation is required by the rules of that organisation to atively produe and deliver some

evidene (e.g.,ertain keys)againsthimself to thatorganisation. While Bobstill worksfor the

organisation, he will not try to irumvent these rules and will deliver this evidene. But if

Bob later deides to leave the riminal organisation and to ooperate with the polie

(under-over), Bobmayhaveto onviningly atasifhewasstillfollowing theriminalorganisation's

instrutions. Thisis exatlytheasethatis modelled by bad-guyoerions.

In most ases, however, UC/ withbad-guy oerions willbe muh to strong anotion, and

thenotion ofgood-guyoerions(below) will be preferred.

Good-guy oerions. The environment may orrupt parties at any time and may send

de-eption requeststo unontrolledparties at anytime. Theenvironment maynot senddeeption

requeststo orrupted parties.

Reeipt-freeness. Theenvironment mayorruptpartiesatanytime, andmaysenddeeption

requests to unontrolled parties after the end of theprotool (so that theadversary gets their

state). Theenvironmentmaynotsenddeeptionrequeststoaorruptedparty. Reeipt-freeness

implies that an honest party does not learn any data during the protool that ould later be

usedtoproveaftertheprotoolexeutionthatthepartyperformedaertaination. (Notethat

witherasing parties,reeipt-freeness isprobablyeasy to ahieve: anhonest partysimplyerases

all intermediateprotool data.)

Stati orruptions/deeptions. All orruption and deeption requests must be sent at the

verybeginningoftheprotoolexeution. Inpartiular,thisimpliesthattheenvironmentannot

hoosewhihpartiestoorruptdependingonmessagesitobservesduringtheprotoolexeution.

Only orruptions. The environment may not send deeption requests. UC/ with only

or-ruptionsis equivalent to the UCnotion from[Can01℄.

Combinations. Theaboveorruptions shedules maybeombined byrequiringthatthe

Alie andgood-guyoerionsfor Bob.

2.4 Erasing and non-erasing parties

We an distinguish two kinds of honest parties: Erasing and non-erasing parties. An erasing

party is able to delete information when the protool instrutsit to do so. In ontrast, a

non-erasingpartywill make a snapshot of its wholememory inevery omputation step inaspeial

log;whenthepartybeomesoered/deeiving,theadversary/deeivergetsthewholelog.

Non-erasingpartiesmodelthe fatthatitmaybediulttoreliablyeraseinformation,aseretmay

end up, e.g., in the swap partition. However, we allow orrupted parties to erase their state.

This isdue to the fatthatwe also annotexpetto reliablyreover state whih theadversary

hasordered destroyed. Sine a deeiving party will stay inthatstate forever (theenvironment

is not allowed to send orruption requests to a deeiving party), it doesnot matter whether a

deeiving party may or may not erase information. For onreteness, we x that a deeiving

partymay eraseinformation.

Summarising, anon-erasing partystores allits states whenunontrolled, andmay erase its

state whenontrolled. An erasingpartymay eraseits state at anypoint.

In the following, we onsider non-erasing parties. We wish to stress, however, that our

modellingappliesto erasingparties aswell. Being abletoerase datamaybeveryhelpful inthe

design of inoerible protools: If a party deletes some data, it may later redibly laim that

it annot reveal that data. However, one should keep in mind that implementing non-erasing

protoolsmaybemorediultbeauseoneneedstoativelykeeptrakofallopies ofaertain

datumin memoryand on disk.

Itisalsopossibletoimagineasettinginwhihamahineispartiallyerasing. Suhamahine

would have a ertain memory area that an be erased, while the main part of the memory is

assumed to be non-erasable. Suh a modelling might be motivated, e.g., by the useof trusted

platform modules [Tru07℄, or by operating system extensions that alloate bloks of memory

thatareguaranteedneverto bewritten to thedisk.

2.5 Basi properties

Transitivity, reexivity. The following lemma statesthat UC/ emulationis a reexive and

transitive relation. Reexivity an be seen as a sanity hek for the denition if a protool

would not UC/ emulate itself, something would probably be wrong. Transitivity is neessary

to usetheuniversalomposition theorem,see Corollary 8below.

Lemma 3 (Reexivity, transitivity) Let

π

,

ρ

,and

σ

be protools. Then

π

UC/emulates

π

. If

π

UC/ emulates

ρ

, and

ρ

UC/ emulates

σ

, then

π

UC/ emulates

σ

.

Proof. For any polynomial-time deeiver

D

, any polynomial-time adversary

A

, and any polynomial-time environment

Z

, we have with

D

S

:=

D

, and

A

S

:=

A

that

π

∪ {A

,

D

S

,

Z}

and

π

∪ {A

S

,

D

,

Z}

areequaland thus (perfetly) indistinguishable. Hene

π

UC/ emulates

ρ

.

Assume now that

π

UC/ emulates

ρ

,and

ρ

UC/ emulates

σ

. Then, bydenition, for any polynomial-time deeiver

D

ρ

, there is a polynomial-time deeiver-simulator

D

π

S

(

D

ρ

)

, and for anypolynomial-timedeeiver

D

ρ

andanypolynomial-timeadversary

A

π

,there isan

adversary-simulator

A

ρ

S

(

D

ρ

,

A

π

)

suhthatfor all polynomial-time environments

Z

,

π

∪ {A

π

_,

_D

π

S

(

D

ρ

)

,

Z}

and

ρ

∪ {A

ρ

areindistinguishable. Similarly,foranypolynomial-timedeeiver

D

σ

,thereisapolynomial-time

deeiver-simulator

D

ρ

S

(

D

σ

₎

, andfor anypolynomial-timedeeiver

D

σ

andanypolynomial-time

adversary

A

ρ

, there is an adversary simulator

A

σ

S

(

D

σ

,

A

ρ

)

suh that for all polynomial-time environments

Z

,

ρ

∪ {A

ρ

,

D

_S

ρ

(

D

σ

)

,

Z}

and

σ

∪ {A

σ

S

(

D

σ

,

A

ρ

)

,

D

σ

,

Z}

(2)

areindistinguishable.

Then, for a given polynomial-time deeiver

D

ˆ

σ

and a given polynomial-time

adver-sary

ˆ

A

π

, set

ˆ

D

π

S

(

D

σ

) :=

D

S

π

(

D

ρ

S

( ˆ

D

σ

))

and

ˆ

A

σ

S

( ˆ

D

σ

,

A

ˆ

π

) :=

A

σ

S

( ˆ

D

σ

,

A

ρ

S

(

D

ρ

S

( ˆ

D

σ

)

,

A

ˆ

π

))

.

From (1), we have that for all polynomial-time environments

Z

,

π

∪ {

A

ˆ

π

_,

_D

_ˆ

π

S

( ˆ

D

σ

)

,

Z}

and

ρ

∪ {A

ρ

S

(

D

ρ

S

( ˆ

D

σ

)

,

A

ˆ

π

)

,

D

ρ

S

( ˆ

D

σ

)

,

Z}

are indistinguishable. And from (2), we have

that for all polynomial-time environments

Z

,

ρ

∪ {A

ρ

S

(

D

ρ

S

( ˆ

D

σ

)

,

A

ˆ

π

)

,

D

ρ

S

( ˆ

D

σ

)

,

Z}

and

σ

∪

{

A

ˆ

σ

S

( ˆ

D

σ

,

A

ˆ

π

)

,

D

ˆ

σ

,

Z}

are indistinguishable. Sine indistinguishability is transitive,

π

∪

{

A

ˆ

π

_,

_D

_ˆ

π

S

( ˆ

D

σ

)

,

Z}

and

σ

∪ {

A

ˆ

σ

S

( ˆ

D

σ

,

A

ˆ

π

)

,

D

ˆ

σ

,

Z}

areindistinguishable for allpolynomial-time

Z

.

Thus, for every polynomial-time deeiver

D

σ

there existsa polynomial-time deeiver-simulator

ˆ

D

π

S

:= ˆ

D

S

π

( ˆ

D

σ

)

suh that for every polynomial-time adversary

ˆ

A

π

there exists a

polynomial-time adversary-simulator

A

ˆ

σ

S

:= ˆ

A

σ

S

( ˆ

D

σ

,

A

ˆ

π

)

suhthatfor all polynomial-time environments

Z

,

π

∪ {

A

ˆ

π

_,

_D

_ˆ

π

S

,

Z}

and

σ

∪ {

A

ˆ

σ

S

,

D

ˆ

σ

,

Z}

areindistinguishable. Thus

π

UC/ emulates

ρ

.

Dummy adversary and deeiver. A dummy-adversary is an adversary that just follows

the instrutions of the environment. More preisely,it forwards all messages itreeives to the

environment, and sends only the messages theenvironment instrutsit to send. It was shown

by Canetti [Can01 ℄ in theUC setting that thedummy-adversary is omplete, that is, without

lossofgeneralitywean onsideronlythedummy-adversary. Thereforeweonlyhaveto speify

the adversary-simulator for the dummy-adversary instead of having to speify the

adversary-simulator for every possible adversary. Thissimplies proofs.

In the setting of UC/, we an additionally onsider the dummy-deeiver that just follows

theinstrutions ofthe environment. Below, we will show that both the dummy-adversary and

thedummy-deeiverare omplete. Besides strongly simplifyingproofs, theompleteness ofthe

dummy-deeiverhasanadditionaloneptualadvantage. Thedeeiver-simulator orresponding

tothedummy-deeiverenodesauniversaldeeptionstrategy. Thatis,foranyidealdeeption,

ittells us how to perform this deeptionin therealprotool. Theexisteneof suh a universal

deeptionstrategyisveryimportant inreallife,protoolusersneedto have anexpliitstrategy

howto lieinwhih situation;it isnot suient that suha strategy existsfor eahsituation.

Denition 4 (Dummy-adversary, dummy-deeiver) The dummy-adversary

A

˜

is an ad-versary that, when reeiving a message

(

id

, m

)

from the environment, sends

m

to the party withidentity

id

, and that, when reeiving

m

from a party with identity

id

, sends

(

id

, m

)

to the environment. The dummy-deeiver

D

˜

is dened analogously.

Denition 5 (UC/ with respet to dummy-adversary/deeiver) Let

π

and

ρ

be proto-ols. We say that

π

UC/ emulates

ρ

with respet to the dummy-adversary/deeiver if there

existsapolynomial-timedeeiver

˜

D

S

(thedummy-deeiver-simulator) andapolynomial-time

ad-versary

˜

A

S

(the dummy-adversary-simulator)suh thatfor any polynomial-time environment

Z

the following networks are indistinguishable:

π

∪ {

A

˜

,

D

˜

S

,

Z}

and

ρ

∪ {

A

˜

S

,

D

˜

,

Z}

Lemma 6 (Completeness of dummy-adversary and dummy-deeiver) Let

π

and

ρ

be

(a)

Z

A

D

˜

D

S

π

D

S

≈

(b)

Z A

_A

˜

D

˜

D

S

π

Z

D

,

A

≈

()

Z A

A

˜

S

D

˜

D

ρ

Z

D

,

A

≈

(d)

Z A

A

˜

S

D

ρ

A

S

Figure 1: Networks in the proof of Lemma 6. Dashed lines denote mahines that internally

simulate othermahines.

Proof. If

π

UC/ emulates

ρ

,then we immediately have that

π

UC/ emulates

ρ

with respet to the dummy-adversary/deeiver. For the opposite diretion,assume that

π

UC/ emulates

ρ

with respetto the dummy-adversary/deeiver.

Let

D

˜

and

A

˜

be the dummy-deeiver and the dummy-adversary. Let

D

˜

S

and

A

˜

S

be the dummy-deeiver-simulator and thedummy-adversary-simulator (asin Denition5).

For an environment

Z

,a deeiver

D

,and an adversary

A

,we dene the environment

Z

D

,

A

asfollows (see also Figures 1(b) and ()):

Z

D

,

A

internally simulates

Z

,

D

,and

A

. All ommu-niationbetweenthe internallysimulated

Z

and the(external) protoolisforwarded. Messages sent from

Z

to the deeiverand adversary areforwarded to the internally simulated

D

and

A

. Inoming ommuniationfor

Z

from

D

and

A

isis forwarded to

Z

. Messages

m

that

D

and

A

send to a protool party with identity

id

are sent by

Z

D

,

A

as

(

id

, m

)

to the external deeiver or adversary. That is, assuming the external deeiver or adversary is the dummy-deeiver or

dummy-adversary,

Z

D

,

A

instrutsthedummy-deeiver/adversarytodeliverthemessagesentby theinternallysimulated

D

or

A

. Inomingmessages

(

id

, m

)

fromtheexternaladversary/deeiver arepassed to the internallysimulated

D

and

A

as

m

.

For an adversary

A

, we dene the adversary-simulator

A

S

=

A

S

(

A

)

as follows (see also Figure 1(d)):

A

S

internally simulates

A

and

A

˜

S

. Communiation between the external envi-ronment and the internally simulated

A

is forwarded. Communiation between the external protool andthe internally simulated

A

˜

S

is forwarded. When

A

sends amessage

m

to a proto-ol mahine withidentity

id

,

(

id

, m

)

is instead passed to

A

˜

S

as oming from theenvironment. Messages

(

id

, m

)

from the internally simulated

A

˜

S

to the environment are passed to

A

as

m

. (This isanalogous to how

Z

D

,

A

reroutesbetween

A

andtheprotool.)

For adeeiver

D

,

D

S

(

D

)

is dened analogouslyto

A

S

(

A

)

. See Figure1(a).

Wethenhavethatthefollowingnetworksareperfetlyindistinguishableforallenvironments

Z

:

π

∪ {A

,

D

S

,

Z}

and

π

∪ {

˜

A

,

D

˜

S

,

Z

D

,

A

}

(Figures 1(a)and (b)). Thisis due to the fatthat

thedummy-adversary

A

˜

just forwards themessages between

π

and the adversary

A

simulated by

Z

D

,

A

, and that

D

S

bydenition onsistsof

D

(simulated by

Z

in theseond network) and

˜

D

S

.

Analogously, the following networks are perfetly indistinguishable for all environments

Z

:

ρ

∪ {A

S

,

D

,

Z}

and

ρ

∪ {

A

˜

S

,

D

˜

,

Z

D

,

A

}

. Cf. Figures1(d) and().

Furthermore, sine

π

UC/ emulates

ρ

withrespet to the dummy-adversary/deeiver, for

all polynomial-time environments

Z

D

,

A

,

π

∪ {

˜

A

,

D

˜

S

,

Z

D

,

A

}

and

ρ

∪ {

˜

A

S

,

D

˜

,

Z

D

,

A

}

are

indistin-guishable. Cf. Figures1(b)and ().

Sineindistinguishabilityistransitive,

π

∪{A

,

D

S

,

Z}

and

ρ

∪{A

S

,

D

,

Z}

areindistinguishable for all polynomial-time environments

Z

. Furthermore,

D

S

and

A

S

are polynomial-time, and their onstrution does not depend on

Z

, and the onstrution of

D

S

does not depend on

D

.

Z

σ

˜

A

σ

˜

D

σ

π

1

˜

A

1

˜

D

1

S

· · ·

π

i

−1

˜

A

i

−1

˜

D

i

_S

−1

π

˜

A

˜

D

S

ρ

i

+1

˜

A

i

_S

+1

˜

D

i

+1

· · ·

ρ

n

˜

A

n

S

˜

D

n

Z

i

Figure2: Hybridnetwork

π

∪{

A

˜

,

D

˜

S

,

Z

i

}

intheproofofTheorem7. Thehybridenvironment

Z

i

isdepitedbythe dashedline. Connetionsbetween

Z

andthedeeivers,aswellasonnetions between

σ

and the instanes of

π

are omitted. The onnetions between

Z

and the deeivers areanalogous to those between

Z

and theadversaries.

2.6 Universal omposition

One of the main advantages of the UC framework is the universal omposition theorem. This

theoremguaranteesthataUCseureprotool

π

anbeseurelyusedasasubprotoolofarbitrary

other protools

σ

, even when

σ

and polynomially many instanes of

π

run onurrently. The same ompositionalityresult alsoholds for theUC/seuritynotion.

Toformulatetheompositiontheorem,weintroduesomenotation. Let

π

and

σ

beprotools. Then let

σ

π

denote the protool where

σ

invokes a polynomial number of instanes of the

subprotool

π

. That is, mahines in

σ

may give inputs to mahines in

π

, these inputs are treated by

π

asoming fromtheenvironment. Whenthemahines in

π

giveoutputbaktothe environment,thesearesenttotheinvokingmahinesin

σ

. Thus,inasense,in

σ

π

,theprotool

σ

plays therole ofthe environment for the instanes of

π

. For example,if

σ

F

isa protool using

aommitmentfuntionality

F

(i.e.,

σ

F

isa protoolinthe

F

-hybrid model),then

σ

π

wouldbe

theprotoolthatusesthesubprotool

π

insteadofusingtheommitment funtionality

F

. The following theoremguarantees that, if

π

UC/ emulatessome otherprotool

ρ

(e.g.,

ρ

=

F

),we do notloose seurityifwe replaesubprotoolinvoationsof

ρ

bysubprotoolinvoationsof

π

.

Theorem 7 (Universal omposition) Let

π

,

ρ

,and

σ

be polynomial-time protools. Assume

that

π

UC/ emulates

ρ

. Then

σ

π

UC/ emulates

σ

ρ

.

Proof. Let

A

˜

and

D

˜

denote the dummy-adversary and the dummy-deeiver. Due to Lemma 6, it is suient to onstrut a polynomial-time deeiver-simulator

˜

D

∗

_S

and a polynomial-time

adversary-simulator

A

˜

∗

S

suh that for all polynomial-time environments

Z

, the networks

σ

π

_∪

{

A

˜

,

D

˜

∗

S

,

Z}

and

σ

ρ

_{∪ {}

_A

_˜

∗

S

,

D

˜

,

Z}

areindistinguishable. (Wewrite

A

˜

∗

S

and

D

˜

∗

S

todistinguishfrom

thesimulators

˜

A

S

and

˜

D

S

dened below.)

By assumption, there are a polynomial-time deeiver-simulator

D

˜

S

and a polynomial-time adversary-simulator

A

˜

S

suh that for all polynomial-time environments

Z

, the networks

π

∪

{

A

˜

,

D

˜

S

,

Z}

and

ρ

∪ {

˜

A

S

,

D

˜

,

Z}

are indistinguishable.

Let

n

be a polynomial upperbound on the number of instanes of

π

or

ρ

thatare invoked by

σ

.

Given an environment

Z

, we dene the hybrid environment

Z

i

.

Z

i

is depited inFigure 1 by the area enlosed by a dashed line.

Z

i

internally simulates the following mahines: The original environment

Z

; an instane of

σ

;

i

−

1

instanes of

π

,denoted

π

1

, . . . , π

i

−1

;

n

−

i

−

1

instanesof

ρ

,denoted

ρ

i

+1

, . . . , ρ

n

;aninstaneof

˜

A

,denoted

˜

A

σ

;

i

−

1

instanes of

˜

A

,denoted

˜

A

1

_{, . . . ,}

_A

_˜

i

−1

;

n

−

i

−

1

instanes of

A

˜

S

,denoted

A

˜

i

+1

S

, . . . ,

A

˜

n

S

; an instane of

D

˜

,denoted

D

σ

;

i

−

1

instanes of

D

˜

S

,denoted

D

˜

1

S

, . . . ,

D

˜

i

−1

S

;

n

−

i

−

1

instanes of

D

˜

,denoted

D

˜

i

+1

_{, . . . ,}

_D

_˜

n

For the sake of onreteness in the following speiation of the behaviour of

Z

, assume that

Z

is exeutedinanetwork withtheprotool

π

,thedummy-adversary

˜

A

,andthe

dummy-deeiver-simulator

D

˜

S

.

Messages of the form

(

id

, m

)

that

Z

sends to the adversary (meaning that

Z

instrutsthe adversarytodeliver

m

tothemahinewithidentity

id

)areroutedtooneoftheinstanesof

˜

A

or

˜

A

S

: If

id

isamahinein

σ

,themessage

(

id

, m

)

ispassedto theinternallysimulated

A

˜

σ

. If

id

is

amahineinthe

j

-thinstaneof

π

,wedistinguishthreeases: If

j < i

,then

(

id

, m

)

ispassedto

theinternallysimulated

˜

A

j

. If

j

=

i

,then

(

id

, m

)

ispassedtotheexternaladversary

A

. If

j > i

,

then

(

id

, m

)

ispassed to the internallysimulated

A

˜

j

S

. Similarly, we proeed for messagesfrom

Z

to the deeiver: These messages are forwarded to

D

˜

σ

,

D

˜

j

S

(

j < i

), the external

D

˜

S

(

j

=

i

),

or

D

˜

j

(

j > i

). Messages in the opposite diretion are handled analogously. Communiation between

σ

and

Z

isforwardednormally. Communiationbetween

σ

andsomeinstaneof

π

or

ρ

isforwardedtotheorrespondinginstaneof

π

. Thatis,if

σ

sendsamessagetoamahineinthe

j

-thinstaneof

π

or

ρ

,thismessageisforwardedtothe orrespondingmahineintheinternally

simulated

π

j

if

j < i

, inthe external protool

π

if

j

=

i

, and in the internally simulated

ρ

j

if

j > i

.

We observe the following fatsabout

Z

i

.

First, by onstrution, the networks

π

∪ {

A

˜

,

D

˜

S

,

Z

i

}

and

ρ

∪ {

A

˜

S

,

D

˜

,

Z

i

+1

}

are perfetly indistinguishable.

Furthermore, sine the dummy-adversary only forwards messages between

Z

and the pro-tool, we an replae a single instane of the dummy-adversary that handles all instanes of

π

and

σ

(as in the network

σ

π

_{∪ {}

_A

_˜

_,

_D

_˜

∗

S

,

Z}

) by individual instanes of thedummy-adversary for eah protool instane (as in the network

π

∪ {

A

˜

,

D

˜

S

,

Z

n

}

). More preisely, the networks

π

∪ {

A

˜

,

D

˜

S

,

Z

n

}

and

σ

π

_{∪ {}

_A

˜

_,

_D

˜

∗

S

,

Z}

are perfetly indistinguishable if we dene

˜

D

_S

∗

to be the

(polynomial-time) deeiver-simulator that internallysimulates

D

˜

σ

_,

_D

_˜

1

S

, . . . ,

D

˜

n

−1

S

,

D

˜

S

. Similarly, we have that networks

ρ

∪ {

A

˜

S

,

D

˜

,

Z

1

}

and

σ

ρ

_{∪ {}

_A

_˜

∗

S

,

D

˜

,

Z}

are perfetly

indis-tinguishable if we dene

A

˜

∗

S

to be the (polynomial-time) adversary-simulator that internally

simulates

A

˜

σ

_,

_A

_˜

S

,

A

˜

2

_S

, . . . ,

A

˜

n

_S

.

Finally,welaimthatthenetworks

π

∪{

A

˜

,

D

˜

S

,

Z

n

}

and

ρ

∪{

A

˜

S

,

D

˜

,

Z

1

}

areindistinguishable (weshowthisbelow). Ifwehaveshownthislaim,Theorem7followssinethen

σ

π

_{∪ {}

_A

_˜

_,

_D

_˜

∗

S

,

Z}

and

σ

ρ

_{∪ {}

_A

_˜

∗

S

,

D

˜

,

Z}

areindistinguishable, and

A

˜

∗

S

and

D

˜

∗

S

areonstruted independently of

Z

and polynomial-time.

We proeedto showthat

π

∪ {

A

˜

,

D

˜

S

,

Z

n

}

and

ρ

∪ {

A

˜

S

,

D

˜

,

Z

1

}

areindistinguishable. Let

Z

∗

be the environment whih on input

(

i, z

)

simulates

Z

i

with input

z

. By denition of

D

˜

S

and

A

˜

S

, the networks

π

∪ {

A

˜

,

D

˜

S

,

Z

∗

_}

and

ρ

∪ {

A

˜

S

,

D

˜

,

Z

∗

_}

are indistinguishable. Thus,

there isanegligible funtion

µ

suh that

|

Pr[EXEC

_π

_∪{

_A

˜

_,

_D

˜

_S

_,

_Z

∗

_}

(

k,

(

i, z

)) = 1]

−

Pr[EXEC

_ρ

_∪{

_A

˜

_S

_,

_D

˜

_,

_Z

∗

_}

(

k,

(

i, z

)) = 1]

| ≤

µ

(

k

)

for all

k, i

∈

N,

z

∈ {

0

,

1

}

∗

. Byonstrution of

Z

∗

,this impliesthat

|

Pr[EXEC

_π

_∪{

_A

˜

_,

_D

˜

_S

_,

_Z

_i

_}

(

k, z

) = 1]

−

Pr[EXEC

_ρ

_∪{

_A

˜

_S

_,

_D

˜

_,

_Z

_i

_}

(

k, z

) = 1]

| ≤

µ

(

k

)

for all

k, i

∈

N,

z

∈ {

0

,

1

}

∗

. Using thetriangleinequality andthefatthat

π

∪ {

A

˜

,

D

˜

S

,

Z

i

}

and

ρ

∪ {

A

˜

S

,

D

˜

,

Z

i

+1

}

are perfetly indistinguishable,we get

|

Pr[EXEC

_π

_∪{

_A

˜

_,

_D

˜

_S

_,

_Z

n

}

(

k, z

) = 1]

−

Pr[EXEC

ρ

∪{

A

˜

S

,

D

˜

,

Z

1

}

(

k, z

) = 1]

| ≤

nµ

(

k

)

.

Sine

n

isapolynomial,

nµ

isnegligible. Thus thenetworks

π

∪ {

A

˜

,

D

˜

S

,

Z

n

}

and

ρ

∪ {

A

˜

S

,

D

˜

,

Z

1

}

areindistinguishable.

Corollary 8 Let

π

and

σ

be polynomial-time protools, and

F

and

G

be polynomial-time fun-tionalities. Assume that

π

UC/ emulates

F

and that

σ

F

UC/ emulates

G

. Then

σ

π

UC/

emulates

G

.

Proof. Immediate from the universalomposition theorem(Theorem 7),and thetransitivityof

UC/ emulation (Lemma 3).

3 Voting shemes

Inthissetionweillustratethe UC/seuritynotionbyapplyingittothespeialaseofvoting

shemes. We give a denition of inoeribility that is tailored to the spei ase of voting

protools and showthatthis denitionis implied bythe UC/ seuritynotion.

Denition 9 (Voting sheme) Fix sets

V

(the set of votes),

T

(the set of tallies),

P

(theset of voters). A tally funtion isan eiently omputable funtion

tally : (

V ∪ {⊥}

)

P

_{→ T}

.

Avotingshemefor

tally

isatwo-stageprotool. Weallthestagesvotingphaseandtallying

phase. In suha protool, eah party

P

i

∈ P

getsan input

v

i

∈ V ∪ {⊥}

(thevote of

P

i

).

v

i

=

⊥

means that the

P

i

does not partiipate in the protool (abstention). In the end of the tallying

phase a distinguished party

T

outputs a value

t

∈ T

.

Typially,

V

would be the set of all andidates. In more omplex shemes, elements of

V

might be, e.g., ordered lists of andidates in order of dereasing preedene. The set of tallies

T

usually is the set of all funtions

V →

N

0

. Alternatively, in a voting sheme whih only

announesthewinner, we wouldhave have

T

=

V

. The tallyfuntion

tally(

v

1

, . . . , v

n

)

speies what theorrettally isfor thevotes

v

i

∈ V ∪ {⊥}

where

v

i

=

⊥

denotes abstention.

Notethatwedonotrequirethattheparties

P

i

6

=

T

areawarewhethertheyareinthetallying or thevoting phase. Suh a requirement might be diult to ensure in an asynhronous

envi-ronment. Inpartiular, votesast duringthe tallying phase(butbeforethetallyis announed)

might ormight not be ounted.

An ideal voting shemeis given bythefollowing funtionality:

Denition 10 (Voting funtionality) The voting funtionality

F

vote

=

F

tally

vote

expets (at

most one) message

v

i

∈ V

from eah party

P

i

∈ P

. When reeiving

tally

from

T

,

F

vote

sets

v

i

:=

⊥

for all

P

i

∈ P

fromwhihit didnotreeive a message

v

i

∈ V

yet. Then

F

vote

om-putes

t

:= tally(

v

i

, i

∈ P

)

(the tally) and sends

t

to the adversary. Then, when

F

vote

reeives

deliver

fromthe adversary, it sends

t

to the party

T

.

This funtionality models that the tally output by

T

is orretly omputed using thetally

funtion(aslongas

T

itselfisnot orrupted)andthattheindividualvotesareseret(even if

T

isorrupted).

Natural properties of voting shemes are, e.g., orretness (the tally is orret even in the

preseneofanadversary)andanonymity(theadversaryannottellwhovotedforwhom,exept

as deduible from the tally itself). We will not formalise these properties here, but it is easy

to seethatavotingsheme thatUCemulatesthevotingfuntionality

F

vote

satisesreasonable formalisations of these properties. Sine the UC/ seurity notion is stronger than UC, this

impliesthat theseelementary properties aresatisedbyUC/ seure voting sheme, too.

Inourontext,themostinterestingpropertyofavotingshemeisinoeribility. Wewillrst

formalisewhatinoeribilitymeansforvotingshemes (independently ofourframework). Then

wewillshowthatinoeribilityofvotingshemesisimplied byseurityintheUC/framework.

that if the adversary

A

fores a party

P

to deviate from the protool,

A

should not be able to tell the dierene between

P

obeying the adversary

A

, or the party

P

asting the vote

v

anyway(we say

P

deeives the adversary). Ofourse, sine theadversary learnsthe tally, this goal is unahievable the tally always leaks a non-negligible amount of information about the

vote of

P

(at least if thenumber of voters is polynomial). We an only ahieve the following: The adversary's advantage indistinguishing between

P

obeying and

P

deeiving isnot greater than theadvantage withwhih the adversary ould distinguish these two ases given only the

tally. Toformulate thisdenition, we rst introdue some notation:

Fix a voter

P

∈ P

and a vote

v

∈ V ∪ {⊥}

. Fix a distribution

B

on

(

V ∪ {⊥}

)

P\{

P

}

. (

B

represents thedistribution of the votes of the other voters.) Given a vote

v

,let

B

v

denote the distributionover

(

V ∪ {⊥}

)

P

thathoosesthevotesfor all

P

i

∈ P \ {

P

}

aordingto

B

anduses thevote

v

for

P

. Aordingly,

tally(

B

v

)

denotes thetallyresulting fromvoteshosenaording to

B

v

. Let

Adv

ideal

(

B

, v

) := max

v

∗

∆(

B

v

,

B

v

∗

)

where

v

∗

ranges over

V ∪ {⊥}

and

∆

denotesthe statistial distane. (

Adv

ideal

desribes how well an adversary an distinguish between being

obeyed andbeingdeeived using only thetally.)

A voting adversary is an adversary that ontrols a party

P

(however, depending on the

setting,

P

may hooseto ignore the instrutions given by theadversary) and that may deide whenthetallyingphasestarts. We requirethatavotingadversaryeventuallystartsthetallying

phase. Furthermore,whentheparty

T

outputsthetally,thetallyisgiventothevotingadversary.

Intheend, thevotingadversary output abit

b

.

Givenavotingadversary

A

,let

Pr

obey

(

A

,

B

)

betheprobabilitythat

A

outputs

1

inthease that the party

P

follows the instrutions of the adversary (i.e.,

P

is orrupted) and all other partieshonestly followtheprotool (withinputs hosenaording to

B

).

Given some program ode

d

(thedeeption strategy for

P

),let

Pr

deceive

(

A

,

d

,

B

)

denotethe probabilitythattheadversary

A

outputs

1

if

P

followstheinstrutionsin

d

andallotherparties honestly follow the protool (with inputs hosen aording to

B

). (Intuitively,

d

is a strategy thattells

P

how to votefor

v

andsimultaneously make theadversary believe that

P

obeysthe adversary.) We assume that

d

gets

v

and the identity of

P

as input. In the same setting, let

Tally

_deceive

(

A

,

d

,

B

)

denote the tally outputby

T

.

Denition 11 (Inoerible voting shemes) A votingsheme isinoerible ifthere isa

de-eptionstrategy

d

suhthatforeverypolynomial-timevotingadversary,everyvoter

P

∈ P

,every vote

v

∈ V

, and every eiently sampleable distribution

B

the following holds:

•

Thedeeptionstrategyaststherightvote: Therandomvariables

Tally

deceive

(

A

,

d

,

B

)

and

tally(

B

v

)

are omputationallyindistinguishable.

•

The adversary annot distinguish between being obeyed and being deeived: For some

negligible funtion

µ

we have that

Pr

_obey

(

A

,

B

)

−

Pr

_deceive

(

A

,

d

,

B

)

≤

Adv

_ideal

(

B

, v

) +

µ.

Many variants of this denition are possible. For example, one ould allow the voting

ad-versaryto orrupt additional partiesfrom

P \ {

P

}

. (In this ase, one wouldhave to adapt the denition of

Adv

ideal

.) For the sake of simpliity, we do not strive to nd the most general

formulation of Denition 11, espeially in view of the fat that the UC/ framework already

providesus witha very general denitionofinoeribility.

We will now show that inoeribility in the sense of Denition 11 is already implied by

UC/ seurity. We nd that the proof of the following theorem is very instrutive beause it