CiteSeerX — Universally Composable Two-Party and Multi-Party Secure Computation



Ran Canetti
Yehuda Lindell
Rafail Ostrovsky
Amit Sahai

September 12, 2002

Abstract

We show how to securely realize any two-party and multi-party functionality in a universally composable way, regardless of the number of corrupted participants. That is, we consider an asynchronous multi-party network with open communication and an adversary that can adaptively corrupt as many parties as it wishes. In this setting, our protocols allow any subset of the parties (with pairs of parties being a special case) to securely realize any desired functionality of their local inputs, and be guaranteed that security is preserved regardless of the activity in the rest of the network. This implies that security is preserved under concurrent composition of an unbounded number of protocol executions, it implies non-malleability with respect to arbitrary protocols, and more. Our constructions are in the common reference string model and rely on standard intractability assumptions.

Keywords: Two-party and multi-party cryptographic protocols, secure composition of protocols, proofs of security.



An extended abstract of this work appeared in the 34th STOC, 2002.

Ran Canetti: IBM T.J. Watson Research Center, email: canetti@watson.ibm.com.
Yehuda Lindell: IBM T.J. Watson Research Center, email: lindell@us.ibm.com. Most of this work was carried out while the author was at the Weizmann Institute of Science, Israel.
Rafail Ostrovsky: Telcordia Technologies, email: rafail@research.telcordia.com.
Amit Sahai: Princeton University, email: sahai@cs.princeton.edu.


1 Introduction 1
2 Overview 4
2.1 The model 4
2.2 An outline of the results and techniques 6
2.2.1 Two-party computation in the case of semi-honest adversaries 6
2.2.2 Obtaining two-party computation secure against malicious adversaries 7
2.2.3 Extensions to multi-party computation 10
3 Preliminaries 11
3.1 Universally Composable Security: The general framework 11
3.1.1 The basic framework 12
3.1.2 The composition theorem 15
3.2 Universal Composition with Joint State 17
3.3 Well-Formed Functionalities 20
4 Two-party Secure Computation for Semi-Honest Adversaries 21
4.1 Universally Composable Oblivious Transfer 22
4.1.1 Static UC Oblivious Transfer 22
4.1.2 Adaptive UC Oblivious Transfer 24
4.2 The General Construction 27
5 Universally Composable Commitments 37
6 Universally Composable Zero-Knowledge 45
7 The Commit-and-Prove Functionality F_cp 47
7.1 Securely Realizing F_cp for static adversaries 48
7.2 Securely Realizing F_cp for adaptive adversaries 52
8 Two-Party Secure Computation for Malicious Adversaries 56
8.1 The Protocol Compiler 56
8.2 Conclusions 61
9 Multi-party Secure Computation 62
9.1 Multi-party Secure Computation for Semi-Honest Adversaries 62
9.2 Authenticated Broadcast 67
9.3 One-to-Many Commitment, Zero-Knowledge and Commit-and-Prove 68
9.4 Multi-party Secure Computation for Malicious Adversaries 73
9.4.1 Conclusions 76


1 Introduction

Traditionally, cryptographic protocol problems were considered in a model where the only involved parties are the actual participants in the protocol, and only a single execution of the protocol takes place. This model allowed for relatively concise problem statements, and simplified the design and analysis of protocols. Indeed, this relatively simple model is a natural choice for the initial study of protocols.

However, this model of "stand-alone computation" does not fully capture the security requirements from cryptographic protocols in a modern computer network. In such networks, a protocol execution may run concurrently with an unknown number of other protocols. These arbitrary protocols may be executed by the same parties or other parties, they may have potentially related inputs and the scheduling of message delivery may be adversarially coordinated. Furthermore, the local outputs of a protocol execution may be used by other protocols in an unpredictable way. These concerns, or "attacks" on a protocol, are not captured by the stand-alone model.

One way to guarantee that protocols withstand some specific security threats in multi-execution environments is to explicitly incorporate these threats into the security model and analysis. Such an approach was taken, for instance, in the case of non-malleability of protocols [ddn00], and regarding the concurrent composition of zero-knowledge [dns98, rk99] and oblivious transfer [gm00]. However, this approach is inherently limited since it needs to explicitly address each new concern, whereas in a realistic network setting, the threats may be unpredictable. Furthermore, it inevitably results in definitions with ever-growing complexity.

In contrast, we take the approach where a protocol is designed and analyzed as "stand alone", and security in a multi-execution environment is guaranteed via a secure composition theorem. In particular, we use the recently proposed framework of universally composable security [c01]. Here a generic definition is given for what it means for a protocol to "securely realize a given ideal functionality", where an "ideal functionality" is a natural algorithmic way of capturing the desired functionality of the protocol problem at hand. In addition, it is shown that security of protocols is preserved under a general composition operation called universal composition. This essentially means that any protocol that securely realizes an ideal functionality when considered as stand-alone, continues to securely realize the same functionality even when composed with any other set of protocols that may be running concurrently in the same system. A protocol that is secure within the [c01] framework is called universally composable (UC).

It has been shown that any ideal functionality can be securely realized in a universally composable way using known constructions, as long as a majority of the participants remain uncorrupted [c01] (building upon [bgw88, rb89, cfgn96]). However, this result does not hold when half or more of the parties may be corrupted. In particular, it does not hold for the important case of two-party protocols, where each party wishes to maintain its security even if the other party is corrupted. In fact, it was shown in [cf01, c01] that in the standard model, a number of basic two-party functionalities (such as commitment, zero-knowledge, and common coin-tossing) cannot be securely realized in this framework by two-party protocols. Nonetheless, protocols that securely realize the commitment and zero-knowledge functionalities in the common reference string (CRS) model were shown in [cf01, d+01]. (In the CRS model all parties are given a common, public reference string that is ideally chosen from a given distribution. This model was originally proposed in the context of non-interactive zero-knowledge proofs [bfm88] and since then has proved useful in other cases as well.)


composable way, in the CRS model, regardless of the number of corrupted parties. More specifically, consider an asynchronous multi-party network where the communication is open and delivery of messages is not guaranteed. (For simplicity, we assume that delivered messages are authenticated. This can be achieved using standard methods.) The network contains an unspecified number of parties, and any number of these parties can be adaptively corrupted throughout the computation. In this setting, we show how arbitrary subsets of parties can securely realize any functionality of their inputs in a universally composable way. The functionality may be reactive, namely it may receive inputs and generate outputs multiple times throughout the computation. In addition to a common reference string, our protocols assume that the participants in each protocol execution have access to a broadcast channel among themselves.^1

In addition to our general constructions for two-party and multi-party computation, we also present a new adaptively secure UC commitment scheme in the CRS model, assuming only the existence of trapdoor permutations. (UC commitment schemes are protocols that securely realize the ideal commitment functionality [cf01]. Existing constructions of UC commitments [cf01, dn01] rely on specific cryptographic assumptions.) Since UC zero-knowledge can be obtained given a UC commitment scheme without additional computational assumptions [cf01], we obtain an adaptively secure UC zero-knowledge protocol in the CRS model, for any NP relation, based on any trapdoor permutation. Beyond being interesting in its own right, we use this commitment scheme in order to base our constructions on more general cryptographic assumptions.

Outline of the construction. Our construction of two-party and multi-party protocols follows the general outline of the construction of Goldreich, Micali and Wigderson [gmw87], where the basic primitives are replaced with universally composable counterparts. On top of guaranteeing universal composability, this results in a modular construction and analysis that highlights the functionality and role of each ingredient in the construction. We first concentrate on the case of two-party functionalities, which contains most of the cryptographic ideas in a simplified form. Here, we begin by considering semi-honest (or, passive) adversaries. We define an ideal oblivious transfer (OT) functionality and show how to securely realize it in the face of semi-honest adversaries. Then we show that the [gmw87] construction, given access to the ideal OT functionality, can be used to securely realize any two-party ideal functionality in a universally composable way. (No common reference string is used in the semi-honest case.)

Next we construct a protocol compiler, analogous to that of [gmw87], that transforms any two-party protocol in the semi-honest model into a protocol that guarantees equivalent input-output relations in the presence of general, malicious adversaries. This is done as follows. Our starting point is a new ideal functionality, called commit-and-prove, that blends together the notions of commitment and zero-knowledge. This functionality allows a party to commit to values and later prove "in zero knowledge" some arbitrary NP-statements regarding the committed values. (This notion is implicit in the work of [gmw87], and was also discussed by Kilian [k89]. We formalize it as an ideal functionality in the UC framework.) We realize the commit-and-prove functionality given access to the ideal zero-knowledge functionality (which, as we have mentioned, can in turn be realized given access to the ideal commitment functionality). Having obtained a secure protocol for the commit-and-prove functionality, we construct the above-mentioned protocol compiler in a

^1 This broadcast channel is formally modeled by a universally composable broadcast functionality. In subsequent work to ours, it was shown that in the model where delivery of messages is not guaranteed, universally composable broadcast can be achieved in O(1) rounds, for any number of corrupted parties, and without any setup assumptions [gl02]. Thus, in actuality, we only need to assume a common reference string here.


composition theorem is used to compose all the ingredients into a general, UC protocol compiler in the CRS model. This compiler transforms protocols that are UC secure in the semi-honest model into protocols that are UC secure even in the presence of malicious adversaries. Here we also use universal composition with joint state [cr02], which allows several protocol instances to use the same instance of the reference string.

Finally, we extend our results from the two-party case to the multi-party case. The semi-honest case is treated as in [gmw87]. For the case of malicious adversaries, we first extend the commitment, zero-knowledge, and commit-and-prove functionalities to allow a prover to commit and prove statements to a set of parties (rather than to a single party). Next, we generalize the protocol compiler, which now has ideal access to the multi-party version of the commit-and-prove functionality. As before, we conclude by compiling the semi-honest protocol, thereby obtaining a protocol that maintains security even in the presence of malicious adversaries.

Adaptive security. Our protocol is the first general construction that guarantees security against adaptive adversaries in the two-party case and in the case of multi-party protocols with honest minority. (We note that no adaptively secure general construction was known in these cases even in the traditional stand-alone model. All previous adaptively secure protocols for general multi-party computation assumed an honest majority.) We remark that, in contrast to the case of stand-alone protocols, in our setting adaptive security is a relevant concern even for protocols with only two participants. Furthermore, it is important to protect even against adversaries that eventually break into all the participants in an interaction. This is because we consider multiple interactions that take place between different sets of parties in the system. Therefore, all the participants in one interaction may constitute a proper subset of the participants in another interaction. Our results hold even in a model where no data can ever be erased.

Cryptographic assumptions. Our protocols are based on the following cryptographic assumptions. For the non-adaptive case (both semi-honest and malicious) we assume the existence of trapdoor permutations only. For the adaptive case we additionally assume the existence of augmented non-committing encryption protocols [cfgn96]. The augmentation includes oblivious key generation and invertible samplability [dn00]. Loosely speaking, oblivious key generation states that public keys can be generated without knowing the corresponding private keys, and invertible samplability states that given a public/private key-pair it is possible to obtain the random coin tosses of the key generator when outputting this key-pair (the oblivious key generator should also be invertible). Such encryption schemes are known to exist under the RSA and DDH assumptions.

As we have mentioned, our protocols are in the CRS model. The above assumptions suffice if we use a common reference string that is not uniformly distributed (but is rather taken from some different distribution). If a uniformly distributed common reference string is to be used, then we additionally assume the existence of dense cryptosystems [dp92].

Related work. In a concurrent and independent work [dn01], Damgård and Nielsen consider a functionality that has great resemblance to our commit-and-prove functionality, and construct universally composable protocols that realize this functionality under specific number-theoretic assumptions. Our commit-and-prove protocol is based on more general assumptions, whereas their protocol is considerably more efficient.


our construction of UC two-party and multi-party protocols. Section 3 contains a number of preliminaries: First, in Section 3.1, a more detailed description of the [c01] framework and of the composition theorem is presented. Then, in Section 3.2, the issue of universal composition with joint state is discussed (this is important when a common reference string is used, as is the case in our constructions). Finally, in Section 3.3, we describe the class of ideal functionalities that our constructions securely realize.

We then begin our constructions with the two-party case. First, in Section 4, we show how to obtain UC two-party secure computation in the presence of semi-honest adversaries. Next we proceed to the case of malicious adversaries. Here we lead up to the general protocol compiler in a number of steps: In Section 5 we recall the commitment functionality F_mcom and present our new UC commitment scheme. In Section 6, the ideal zero-knowledge functionality, F_zk, is described and known protocols for realizing it (either with ideal access to F_mcom or directly in the common reference string model) are recalled. In Section 7 we define the two-party commit-and-prove functionality, F_cp, and show how to realize it given ideal access to F_zk. This is then used in Section 8 to construct a two-party protocol compiler that transforms the protocol of Section 4 into a protocol that is secure against malicious adversaries.

Finally, in Section 9, we extend our two-party constructions to the multi-party case. We present the two-party case separately because it is simpler and most of the cryptographic ideas already arise in this setting.

2 Overview

This section provides a high-level overview of the model and our constructions. Section 2.1 contains an overview of the general framework of universal composability, the definition of security and the composition theorem. Then, in Section 2.2 we provide a brief outline of our constructions for two-party and multi-party computation. The aim of this outline is to provide the reader with the "big picture", before delving into details.

2.1 The model

We begin by outlining the framework for universal composability; for more details see Section 3.1 and [c01]. The framework provides a rigorous method for defining the security of cryptographic tasks, while ensuring that security is maintained under a general composition operation in which a secure protocol for the task in question is run in a system concurrently with an unbounded number of other arbitrary protocols. This composition operation is called universal composition, and tasks that fulfill the definitions of security in this framework are called universally composable (UC).

As in other general definitions (e.g., [gl90, mr91, b91, pw00, c00]), the security requirements of a given task (i.e., the functionality expected from a protocol that carries out the task) are captured via a set of instructions for a "trusted party" that obtains the inputs of the participants and provides them with the desired outputs (in one or more iterations). We call the algorithm run by the trusted party an ideal functionality. Informally, a protocol securely carries out a given task if any adversary can gain nothing more from an attack on a real execution of the protocol, than from an attack on an ideal process where the parties merely hand their inputs to a trusted party with the appropriate functionality and obtain their outputs from it, without any other interaction. In other words, we require that a real execution can be emulated in the above ideal process (where


no trusted party exists and the parties interact amongst themselves only.

In order to prove the universal composition theorem, the notion of emulation in this framework is considerably stronger than in previous ones. Traditionally, the model of computation includes the parties running the protocol, plus an adversary A that controls the communication channels and potentially corrupts parties. Emulation means that for any adversary A attacking a real protocol execution, there should exist an "ideal process adversary" or simulator S, that causes the outputs of the parties in the ideal process to be essentially the same as the outputs of the parties in a real execution. In the universally composable framework, an additional adversarial entity called the environment Z is introduced. This environment generates the inputs to all parties, reads all outputs, and in addition interacts with the adversary in an arbitrary way throughout the computation. (As is hinted by its name, Z represents the external environment that consists of arbitrary protocol executions that may be running concurrently with the given protocol.) A protocol is said to securely realize a given ideal functionality F if for any "real-life" adversary A that interacts with the protocol there exists an "ideal-process adversary" S, such that no environment Z can tell whether it is interacting with A and parties running the protocol, or with S and parties that interact with F in the ideal process. (In a sense, here Z serves as an "interactive distinguisher" between a run of the protocol and the ideal process with access to F. See [c01] for more motivating discussion on the role of the environment.) Note that the definition requires the "ideal-process adversary" (or simulator) S to interact with Z throughout the computation. Furthermore, Z cannot be "rewound".

The following universal composition theorem is proven in [c01]: Consider a protocol π that operates in a hybrid model of computation where parties can communicate as usual, and in addition have ideal access to an unbounded number of copies of some ideal functionality F. (This model is called the F-hybrid model.) Furthermore, let ρ be a protocol that securely realizes F as sketched above, and let π^ρ be the "composed protocol". That is, π^ρ is identical to π with the exception that each interaction with the ideal functionality F is replaced with a call to (or an activation of) an appropriate instance of the protocol ρ. Similarly, ρ-outputs are treated as values provided by the functionality F. The theorem states that in such a case, π and π^ρ have essentially the same input/output behavior. Thus, ρ behaves just like the ideal functionality F, even when composed with an arbitrary protocol π. A special case of this theorem states that if π securely realizes some ideal functionality G in the F-hybrid model, then π^ρ securely realizes G from scratch.

We consider a network where the adversary sees all the messages sent, and delivers or blocks these messages at will. (The fact that message delivery is not guaranteed frees us from the need to explicitly deal with the "early stopping" problem of protocols run between two parties or amongst many parties where only a minority may be honest. This is because even the ideal process allows the adversary to abort the execution at any time.) We note that although the adversary may block messages, it cannot modify messages sent by honest parties (i.e., the communication lines are ideally authenticated). Our protocols are cast in a completely asynchronous point-to-point network (and thus the adversary has full control over when messages are delivered, if at all). Also, as usual, the adversary is allowed to corrupt parties. In the case of static adversaries the set of corrupted parties is fixed at the onset of the computation. In the adaptive case the adversary corrupts parties at will throughout the computation. We also distinguish between malicious and semi-honest adversaries: If the adversary is malicious then corrupted parties follow the arbitrary instructions of the adversary. In the semi-honest case, even corrupted parties follow the prescribed protocol and the adversary essentially only gets read access to the states of corrupted parties.


2.2 An outline of the results and techniques

In this section we provide a high-level description of our protocols for two-party and multi-party computation, and the techniques used in obtaining them. Our construction is conceptually very similar to the construction of Goldreich, Micali and Wigderson [gmw87, g98]. This construction (which we call the GMW construction) is comprised of two stages. First, they present a protocol for securely realizing any functionality in the semi-honest adversarial model. Next, they construct a protocol compiler that takes any semi-honest protocol and transforms it into a protocol that has the same functionality in the malicious adversarial model. (However, as discussed above, they consider a model where only a single protocol execution takes place in the system. In contrast, we construct protocols for universally composable secure computation.) We begin by considering the two-party case.

2.2.1 Two-party computation in the case of semi-honest adversaries

Recall that in the case of semi-honest adversaries, even the corrupted parties follow the protocol specification. However, the adversary may attempt to learn more information than intended by examining the transcript of messages that it received during the protocol execution. Despite the seemingly weak nature of the adversarial model, obtaining protocols secure against semi-honest adversaries is a non-trivial task.

We begin by briefly recalling the [gmw87, g98] construction for secure two-party computation in the semi-honest adversarial model. Let f be the two-party functionality that is to be securely computed. Then, the parties are given an arithmetic circuit over GF(2) that computes the function f. The protocol starts with the parties sharing their inputs with each other using bitwise-xor secret sharing, and thus following this stage, they both hold shares of the input lines of the circuit. That is, for each input line l, party A holds a value a_l and party B holds a value b_l, such that both a_l and b_l are random under the constraint that a_l + b_l equals the value of the input into this line. Next, the parties evaluate the circuit gate-by-gate, computing random shares of the output line of the gate from the random shares of the input lines to the gate. There are two types of gates in the circuit: addition gates and multiplication gates. Addition gates are evaluated by each party locally adding its shares of the input values. Multiplication gates are evaluated using 1-out-of-4 oblivious transfer (the oblivious transfer protocol used is basically that of [egl85]). In the above way, the parties jointly compute the circuit and obtain shares of the output gates. The protocol concludes with each party revealing the prescribed shares to the other party (i.e., if a certain output gate provides a bit of A's input, then B will reveal its share of this output line to A).

Our general construction is exactly that of GMW, except that the oblivious transfer protocol used is universally composable. That is, we first define an ideal oblivious transfer functionality, F_ot, and show that in the F_ot-hybrid model, the GMW protocol securely realizes any two-party functionality in the presence of semi-honest, adaptive adversaries. This holds unconditionally and even if the adversary and environment are computationally unbounded. Of course, computational assumptions are used for securely realizing F_ot itself. (Our construction is actually somewhat more general than that of GMW in that it deals with reactive functionalities that have multiple stages which are separately activated. This is achieved by having the parties hold shares of the state of the ideal functionality between activations.)
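The following Python sketch is added here and is not code from the paper: it plays the GMW semi-honest protocol in the F_ot-hybrid model just described, with F_ot modelled as a trusted party. The circuit encoding, the sample circuit and all function names are constructed for the illustration.

```python
import itertools
import secrets


class IdealOT:
    """Ideal 1-out-of-4 oblivious transfer F_ot (trusted party): the receiver
    obtains exactly the message at its index; the sender learns nothing."""

    def __init__(self):
        self.calls = 0

    def transfer(self, messages, index):
        assert len(messages) == 4 and 0 <= index < 4
        self.calls += 1
        return messages[index]


def share(bit):
    """Bitwise-xor secret sharing: returns (a, b) with a ^ b == bit, and each
    share on its own uniformly random."""
    a = secrets.randbits(1)
    return a, a ^ bit


def mult_gate(f_ot, a_x, a_y, b_x, b_y):
    """Multiplication gate via one F_ot call. A (sender) holds (a_x, a_y), B
    (receiver) holds (b_x, b_y). Returns (a_z, b_z) with
    a_z ^ b_z == (a_x ^ b_x) & (a_y ^ b_y)."""
    r = secrets.randbits(1)  # A's fresh random output share
    # Sender's table, indexed by B's candidate share pair (bx, by): the product
    # of the reconstructed wire values masked by r. B learns only r ^ product,
    # a uniformly random bit; A never sees which entry was taken.
    table = [r ^ ((a_x ^ bx) & (a_y ^ by)) for bx in (0, 1) for by in (0, 1)]
    b_z = f_ot.transfer(table, 2 * b_x + b_y)
    return r, b_z


def gmw_evaluate(circuit, a_inputs, b_inputs, f_ot=None):
    """Run GMW on a GF(2) circuit given as a dict (constructed encoding):
    'n_a'     number of A's input wires (wires 0..n_a-1; B's follow),
    'gates'   list of (op, in1, in2, out) with op in {'add', 'mul'},
    'outputs' wire ids whose shares are revealed to both parties.
    Returns the reconstructed output bits."""
    f_ot = f_ot if f_ot is not None else IdealOT()
    a_sh, b_sh = {}, {}  # each party's share of every wire
    for w, bit in enumerate(a_inputs):  # A shares its inputs
        a_sh[w], b_sh[w] = share(bit)
    for i, bit in enumerate(b_inputs):  # B shares its inputs
        w = circuit['n_a'] + i
        b_sh[w], a_sh[w] = share(bit)
    for op, i, j, k in circuit['gates']:  # gate-by-gate on shares
        if op == 'add':  # addition: local XOR of shares, no interaction
            a_sh[k], b_sh[k] = a_sh[i] ^ a_sh[j], b_sh[i] ^ b_sh[j]
        elif op == 'mul':  # multiplication: 1-out-of-4 OT
            a_sh[k], b_sh[k] = mult_gate(f_ot, a_sh[i], a_sh[j], b_sh[i], b_sh[j])
        else:
            raise ValueError('unknown gate ' + op)
    # Output stage: the prescribed shares are revealed and recombined.
    return [a_sh[w] ^ b_sh[w] for w in circuit['outputs']]


def evaluate_in_clear(circuit, a_inputs, b_inputs):
    """Reference evaluation of the same circuit on plaintext bits."""
    vals = dict(enumerate(list(a_inputs) + list(b_inputs)))
    for op, i, j, k in circuit['gates']:
        vals[k] = vals[i] ^ vals[j] if op == 'add' else vals[i] & vals[j]
    return [vals[w] for w in circuit['outputs']]


# Constructed sample circuit: A owns wires 0 and 1, B owns wires 2 and 3.
EXAMPLE_CIRCUIT = {
    'n_a': 2,
    'gates': [('mul', 0, 2, 4), ('mul', 1, 3, 5), ('add', 4, 5, 6),
              ('add', 0, 3, 7), ('mul', 6, 7, 8)],
    'outputs': [6, 8],
}


def agrees_on_all_inputs(circuit, n_b, trials=3):
    """Compare GMW with the clear evaluation on every input assignment;
    returns the number of F_ot calls per run if all agree, else -1."""
    n_a, ot_calls = circuit['n_a'], -1
    for _ in range(trials):
        for bits in itertools.product((0, 1), repeat=n_a + n_b):
            f_ot = IdealOT()
            a_in, b_in = bits[:n_a], bits[n_a:]
            if gmw_evaluate(circuit, a_in, b_in, f_ot) != evaluate_in_clear(circuit, a_in, b_in):
                return -1
            ot_calls = f_ot.calls
    return ot_calls
```

One OT call per multiplication gate and none per addition gate is exactly the cost profile the text describes.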

Next we present protocols that securely realize F_ot in the semi-honest case. In the non-adaptive case, the protocol of [egl85, g98] suffices. In the adaptive case, our protocol uses an augmented version of non-committing encryption [cfgn96]. The augmentation consists of two additional properties. First, the encryption scheme should have an alternative key generation algorithm that


standard and additional key generation algorithms should be invertible in the sense that given the output key or keys, it is possible to find the random coin tosses used in generating these keys. (Following [dn00], we call these properties oblivious key generation and invertible samplability.) (All known non-committing encryption schemes have these properties. In particular, such schemes exist under either the RSA assumption or the DDH assumption.) In all, we show:

Proposition 2.1 (semi-honest computation, informal): Assume that trapdoor permutations exist. Then, for any two-party ideal functionality F, there exists a protocol π that securely realizes F in the presence of semi-honest, static adversaries. Furthermore, if augmented two-party non-committing encryption protocols exist, then there exists a protocol that securely realizes F in the presence of semi-honest, adaptive adversaries.

Proposition 2.1 as stated above is not precise. This is due to two technicalities regarding the model of computation as defined in [c01]. We therefore define a class of functionalities for which these technical problems do not arise and then construct secure protocols for any functionality in this class. See Section 3.3 for more discussion and an exact definition.

Another point where our results formally differ from Proposition 2.1 is due to the fact that, according to the definitions used here, protocols which do not generate any output are technically secure (for any functionality). Thus, Proposition 2.1 as stated, can be easily (but un-interestingly) achieved. In contrast, we prove the existence of protocols which do generate output and securely realize any functionality (we call such a protocol non-trivial; for more details, see the discussion after Definition 3.2 in Section 3.1). Proposition 2.1 is formally restated in Section 4.2.

2.2.2 Obtaining two-party computation secure against malicious adversaries

Having constructed a protocol that is universally composable when the adversary is limited to semi-honest behavior, we construct a protocol compiler that transforms this protocol into one that is secure even against malicious adversaries. From here on, we refer to the protocol that is secure against semi-honest adversaries as the "basic protocol". Recall that the basic protocol is only secure in the case that even the corrupted parties follow the protocol specification exactly, using a uniformly chosen random tape. Thus, in order to obtain a protocol secure against malicious adversaries, we need to enforce potentially malicious corrupted parties to behave in a semi-honest manner. First and foremost, this involves forcing the parties to follow the prescribed protocol. However, this only makes sense relative to a given input and random tape. Furthermore, a malicious party must be forced into using a uniformly chosen random tape. This is because the security of the basic protocol may depend on the fact that the party has no freedom in setting its own randomness. We begin with a description of the GMW compiler.

An informal description of the GMW compiler. The GMW compiler begins by having each party commit to its input. Next, the parties run a coin-tossing protocol in order to fix their random tapes. A simple coin-tossing protocol in which both parties receive the same uniformly distributed string is not sufficient here. This is because the parties' random tapes must remain secret. Instead, an augmented coin-tossing protocol is used, where one party receives a uniformly distributed string (to be used as its random tape) and the other party receives a commitment to that string. Now, following these two steps, each party holds its own input and uniformly distributed random tape, and a commitment to the other party's input and random tape.


honest behavior. Observe that a protocol specification is a deterministic function of a party's view consisting of its input, random tape and messages received so far, and recall that each party holds a commitment to the input and random tape of the other party. Observe also that the messages sent so far are public. Therefore, the assertion that a new message is computed according to the protocol is an NP statement (and the party sending the message knows an adequate NP-witness to it). This means that the parties can use zero-knowledge proofs to show that their steps are indeed according to the protocol specification. Therefore, in the protocol emulation phase, the parties send messages according to the instructions of the basic protocol, while proving at each step that the messages sent are correct. The key point is that, due to the soundness of the proofs, even a malicious adversary cannot deviate from the protocol specification without being detected. Therefore, the adversary is limited to semi-honest behavior. Furthermore, since the proofs are zero-knowledge, nothing "more" is revealed in the compiled protocol than in the basic protocol. We conclude that the security of the compiled protocol (against malicious adversaries) is directly derived from the security of the basic protocol (against semi-honest adversaries).

In summary, the GMW compiler has three components: input commitment, coin-tossing and protocol emulation (where the parties prove that their steps are according to the protocol specification).

Universally composable protocol compilation. A natural way of adapting the GMW compiler to the setting of universally composable secure computation would be to take the same compiler, but rather use universally composable commitments, coin-tossing and zero-knowledge as sub-protocols. However, such a strategy fails because the receiver of a universally composable commitment receives no information about the value committed to. (Instead, the recipient receives only a formal "receipt" assuring it that a value was committed to. See Section 5 for more details.) Thus, there is no NP-statement that a party can prove relative to its input commitment. This is in contrast to the GMW protocol where standard (perfectly binding) commitments are used and thus each party holds a string that uniquely determines the other party's input and random tape.

A different strategy is therefore required for constructing a universally composable compiler. Before describing our strategy, observe that in GMW the use of the commitment scheme is not standard. Specifically, although both parties commit to their inputs etc., they never decommit. Rather, they prove NP-statements relative to their committed values. Thus, a natural primitive to use would be a "commit-and-prove" functionality, which is comprised of two phases. In the first phase, a party "commits" (or is bound) to a specific value. In the second phase, this party proves NP-statements (in zero-knowledge) relative to the committed value. We formulate this notion in a universally composable commit-and-prove functionality, denoted F_cp, and then use this functionality to implement all three phases of the compiler. More specifically, our protocol compiler uses the "commit" phase of the F_cp functionality in order to execute the input and coin-tossing phases of the compiler. The "prove" phase of the F_cp functionality is then used to force the adversary to send messages according to the protocol specification and consistent with the committed input and the random tape resulting from the coin-tossing. The result is a universally composable analog to the GMW compiler. We remark that in the F_cp-hybrid model the compiler is unconditionally secure against adaptive adversaries, even if the adversary and the environment are computationally unbounded.

We show how to securely realize $\mathcal{F}_{\mathrm{cp}}$ in the $\mathcal{F}_{\mathrm{zk}}$-hybrid model, i.e. in a hybrid model with ideal access to an ideal zero-knowledge functionality, $\mathcal{F}_{\mathrm{zk}}$. (Functionality $\mathcal{F}_{\mathrm{zk}}$ expects to receive a statement x and a witness w from the prover. It then forwards x to the verifier, together with an

phase of the commit-and-prove protocol, the committer commits to its input value w using some commitment scheme C, and in addition it proves to the receiver, using $\mathcal{F}_{\mathrm{zk}}$ with an appropriate relation, that it "knows" the committed value. In the prove phase, where the committer wishes to assert that the committed value w stands in relation R with some public value x, the committer presents x and w to $\mathcal{F}_{\mathrm{zk}}$ again, but this time the relation used by $\mathcal{F}_{\mathrm{zk}}$ asserts two properties: first that R(x, w) holds, and second that w is the same value that was previously committed to.

To guarantee security against static adversaries, the commitment scheme of Naor [n91] is sufficient as an instantiation of the scheme C. We thus obtain a protocol for securely realizing $\mathcal{F}_{\mathrm{cp}}$ in the $\mathcal{F}_{\mathrm{zk}}$-hybrid model, based on any one-way function. To guarantee security against adaptive adversaries we need "adaptively secure" commitment schemes, namely commitment schemes where a simulator can generate "dummy commitments" which can be later opened in multiple ways. (In fact, a slightly stronger property is needed here, see details within.) Such commitments exist assuming the existence of trapdoor permutations, as is demonstrated by our construction of universally composable commitments in Section 5. In all we obtain:

Theorem 2.2 (two-party computation in the malicious model, informal): Assume that trapdoor permutations exist. Then, for any two-party ideal functionality F, there exists a protocol $\Pi$ that securely realizes F in the $\mathcal{F}_{\mathrm{zk}}$-hybrid model in the presence of malicious, static adversaries. Furthermore, if augmented two-party non-committing encryption protocols exist, then there exists a protocol $\Pi$ that securely realizes F in the $\mathcal{F}_{\mathrm{zk}}$-hybrid model in the presence of malicious, adaptive adversaries.

Let $\mathcal{F}_{\mathrm{crs}}$ denote the common random string functionality (that is, $\mathcal{F}_{\mathrm{crs}}$ provides all parties with a common, public string drawn from a predefined distribution). Then, as we show in Section 5, universally composable commitments can be securely realized in the $\mathcal{F}_{\mathrm{crs}}$-hybrid model, assuming the existence of trapdoor permutations. Furthermore, [cf01] showed that the $\mathcal{F}_{\mathrm{zk}}$ functionality can be securely realized given universally composable commitments. Combining these results together, we have that $\mathcal{F}_{\mathrm{zk}}$ can be securely realized in the $\mathcal{F}_{\mathrm{crs}}$-hybrid model, assuming the existence of trapdoor permutations. Using the composition theorem we obtain a similar result to Theorem 2.2, with the exception that F is realized in the $\mathcal{F}_{\mathrm{crs}}$-hybrid model (rather than in the $\mathcal{F}_{\mathrm{zk}}$-hybrid model). As with Proposition 2.1, Theorem 2.2 is not stated exactly. It is formally restated in Section 8.2.

On the distribution of the reference string. In obtaining the above corollary, the common reference string is used only in the construction of the universally composable commitment scheme (which is used for obtaining $\mathcal{F}_{\mathrm{zk}}$). As we have mentioned, in the $\mathcal{F}_{\mathrm{crs}}$-hybrid model, universally composable commitments can be obtained assuming the existence of trapdoor permutations only. However, in this case, the common reference string is not uniformly distributed. Nevertheless, a uniformly distributed string can be used, under the additional assumption of the existence of dense cryptosystems [dp92]. We therefore conclude that universally composable two-party computation can be obtained with a uniformly distributed reference string, under the assumption that the following primitives exist: trapdoor permutations, dense cryptosystems and augmented two-party non-committing encryption protocols.

We now describe how the two-party construction of Theorem 2.2 is extended to the setting of multi-party computation, where any number of parties may be corrupt. Recall that in this setting, each set of interacting parties is assumed to have access to an authenticated broadcast channel.

The outline of our construction is as follows. Similarly to the two-party case, we first construct a multi-party protocol that is secure against semi-honest adversaries (as above, this protocol is essentially that of GMW). Then, we construct a protocol compiler (again, like that of GMW), that transforms semi-honest protocols into ones that are secure even against malicious adversaries. This protocol compiler is constructed using a one-to-many extension of the commit-and-prove functionality, denoted $\mathcal{F}^{1:M}_{\mathrm{cp}}$. The extension of the protocol that realizes two-party $\mathcal{F}_{\mathrm{cp}}$ to a protocol that realizes one-to-many $\mathcal{F}^{1:M}_{\mathrm{cp}}$ constitutes the main difference between the two-party and multi-party constructions. Therefore, in this outline, we focus exclusively on how this extension is achieved.

The first step in realizing $\mathcal{F}^{1:M}_{\mathrm{cp}}$ is to construct one-to-many extensions of universal commitments and zero-knowledge. In a one-to-many commitment scheme, all parties receive the commitment (and the committer is bound to the same value for all parties). Likewise, in one-to-many zero-knowledge, all parties verify the proof (and they either all accept or all reject the proof). Now, any non-interactive commitment scheme can be transformed into a one-to-many equivalent by simply having the committer broadcast its message to all parties. Thus, this functionality is immediately obtained from our commitment scheme in Section 5 or from the scheme of [cf01] (both of these constructions are non-interactive). However, obtaining one-to-many zero-knowledge is more involved, since we do not know how to construct non-interactive adaptively-secure universally composable zero-knowledge (footnote 2). Nevertheless, using the methodology of [g98], a one-to-many zero-knowledge protocol can be constructed as follows. The construction is based on the universally composable zero-knowledge protocol of [cf01]. Specifically, they show that parallel executions of the 3-round zero-knowledge protocol for Hamiltonicity are universally composable, when a universally composable commitment scheme is used for the prover's commitments. Thus, the prover runs a copy of the above zero-knowledge protocol with each receiver over the broadcast channel, using the one-to-many commitment scheme for its commitments. Furthermore, each verifying party checks that the proofs of all the other parties are accepting (this is possible because the proof of Hamiltonicity is publicly verifiable and because all parties view all the communication). Thus, at the end of the protocol, all honest parties agree (without any additional communication) on whether the proof was successful or not. (Note also that the adversary cannot cause an honest prover's proof to be rejected.)

It remains to describe how to realize $\mathcal{F}^{1:M}_{\mathrm{cp}}$ in the $\mathcal{F}^{1:M}_{\mathrm{zk}}$-hybrid model. The basic idea is to generalize the $\mathcal{F}_{\mathrm{cp}}$ protocol. As with zero-knowledge, this is not straightforward because in the protocol for adaptive adversaries, the $\mathcal{F}_{\mathrm{cp}}$ commit-phase is interactive. Nevertheless, this problem is solved by having the committer commit to its input value w by separately running the protocol for the commit-phase of (two-party) $\mathcal{F}_{\mathrm{cp}}$ with every party over the broadcast channel. Following this, the committer uses one-to-many zero-knowledge to prove that it committed to the same value in all of these commitments. (Since each party views the communication from all the commitments, every party can verify this zero-knowledge proof.) The prove phase is similar to the two-party case, except that the one-to-many extension of zero-knowledge is used (instead of two-party zero-knowledge).
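As an added illustration (not code from the paper), the following Python toy models the commit-and-prove functionality $\mathcal{F}_{\mathrm{cp}}$ in both its two-party and one-to-many forms and uses it the way the compiler above does: the committer binds its input and its coin-tossing share in the commit phase, and each protocol message is then checked in the prove phase against those committed values. The class names, the stand-in basic-protocol step and the constructed shares are all assumptions made here.

```python
"""Toy model of the commit-and-prove functionality F_cp and its one-to-many
extension, used as in the paper's compiler. Added illustration, not the
paper's code: class names, the stand-in basic-protocol step and the sample
values are all constructed here."""
import hashlib
from typing import Any, Callable, Dict, List, Tuple

Relation = Callable[[Any, Any], bool]


class CommitAndProve:
    """Ideal F_cp. One receiver gives the two-party functionality; several
    receivers give the one-to-many F_cp^{1:M}, where every receiver gets the
    same receipt and the same verdict, so the committer is bound to a single
    value for all of them."""

    def __init__(self, committer: str, receivers: Tuple[str, ...]):
        self.committer = committer
        self.receivers = receivers
        self._committed: Dict[str, Any] = {}   # sid -> bound value (never leaked)
        self.delivered: List[Tuple] = []       # everything the receivers observe

    def commit(self, sid: str, sender: str, w: Any) -> str:
        """Commit phase: bind w under sid. Receivers only get a formal receipt."""
        if sender != self.committer:
            raise PermissionError("only the designated committer may commit")
        if sid in self._committed:
            raise ValueError("a value is already bound under this sid")
        self._committed[sid] = w
        for r in self.receivers:
            self.delivered.append((r, sid, "receipt"))
        return "receipt"

    def prove(self, sid: str, sender: str, relation: Relation, x: Any) -> bool:
        """Prove phase: assert relation(x, w) for the value w bound under sid.
        Receivers learn x and the verdict, nothing about w."""
        if sender != self.committer:
            raise PermissionError("only the committer may prove")
        if sid not in self._committed:
            raise ValueError("nothing committed under this sid")
        verdict = bool(relation(x, self._committed[sid]))
        for r in self.receivers:
            self.delivered.append((r, sid, x, verdict))
        return verdict


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def basic_message(x1: int, r1: bytes, round_no: int) -> bytes:
    """Stand-in for one step of the semi-honest basic protocol: P1's message
    is a deterministic function of its input bit, its random tape and the round."""
    return hashlib.sha256(bytes([round_no, x1]) + r1).digest()


def step_relation(x: Tuple[bytes, int, bytes], w: Tuple[int, bytes]) -> bool:
    """The NP-relation proved at each emulated step of the compiled protocol.
    Public x = (s2, round_no, sent message); committed w = (input x1, share s1).
    P1's random tape is r1 = s1 XOR s2, as produced by the coin-tossing phase
    (s1 committed by P1 via F_cp, s2 sent in the clear by P2)."""
    s2, round_no, sent = x
    x1, s1 = w
    return sent == basic_message(x1, xor_bytes(s1, s2), round_no)


def compiled_round(cheat: bool, receivers: Tuple[str, ...] = ("P2",)) -> Tuple[bool, CommitAndProve]:
    """Run P1's input commitment, the coin-tossing and one emulated round.
    With cheat=True, P1 sends a message the basic protocol does not prescribe
    and the prove phase rejects it. Shares are constructed sample values."""
    fcp = CommitAndProve("P1", receivers)
    x1, s1 = 1, bytes.fromhex("00112233445566778899aabbccddeeff")
    s2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # P2's public share
    fcp.commit("input-and-coins", "P1", (x1, s1))
    r1 = xor_bytes(s1, s2)
    sent = basic_message(x1, r1, 1)
    if cheat:
        sent = bytes([sent[0] ^ 0x01]) + sent[1:]   # deviate from the protocol
    ok = fcp.prove("input-and-coins", "P1", step_relation, (s2, 1, sent))
    return ok, fcp


def receivers_agree(fcp: CommitAndProve) -> bool:
    """In the one-to-many case all receivers must hold the same verdict."""
    verdicts = {rec[-1] for rec in fcp.delivered if len(rec) == 4}
    return len(verdicts) == 1
```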

Finally, we note that, as in the two-party case, a multi-party protocol compiler can be constructed in the $\mathcal{F}^{1:M}_{\mathrm{cp}}$-hybrid model, with no further assumptions. Denoting the ideal broadcast

Footnote 2: In the case of static adversaries, the non-interactive zero-knowledge protocol of [d+01] suffices. Thus, here too, the prover message can simply be broadcast and one-to-many zero-knowledge is obtained.

Theorem 2.3 (multi-party computation in the malicious model, informal): Assume that trapdoor permutations exist. Then, for any multi-party ideal functionality F, there exists a protocol $\Pi$ that securely realizes F in the $(\mathcal{F}_{\mathrm{bc}}, \mathcal{F}_{\mathrm{crs}})$-hybrid model in the presence of malicious, static adversaries, and for any number of corruptions. Furthermore, if augmented two-party non-committing encryption protocols exist, then there exists a protocol $\Pi$ that securely realizes F in the $(\mathcal{F}_{\mathrm{bc}}, \mathcal{F}_{\mathrm{crs}})$-hybrid model in the presence of malicious, adaptive adversaries, and for any number of corruptions.

As with Proposition 2.1, Theorem 2.3 is not stated exactly. It is formally restated in Section 9.4.

3 Preliminaries

Section 3.1 reviews the framework of [c01] and the universal composition theorem. In Section 3.2 we discuss issues that arise regarding universal composition when some amount of joint state between protocols is desired. Finally, Section 3.3 presents the class of functionalities which we will show how to securely realize. Before proceeding, we recall the definition of computational indistinguishability.

A distribution ensemble $X = \{X(k,a)\}_{k \in \mathbb{N},\, a \in \{0,1\}^*}$ is an infinite set of probability distributions, where a distribution X(k, a) is associated with each $k \in \mathbb{N}$ and $a \in \{0,1\}^*$. The ensembles considered in this work describe outputs where the parameter a represents input, and the parameter k is taken to be the security parameter. A distribution ensemble is called binary if it consists only of distributions over {0, 1}. Then,

Definition 3.1 Two binary distribution ensembles X and Y are indistinguishable (written $X \stackrel{c}{\equiv} Y$) if for any $c \in \mathbb{N}$ there exists $k_0 \in \mathbb{N}$ such that for all $k > k_0$ and for all a we have

$$|\Pr(X(k,a) = 1) - \Pr(Y(k,a) = 1)| < k^{-c}.$$

3.1 Universally Composable Security: The general framework

We start by reviewing the syntax of message-driven protocols in asynchronous networks. We then present the real-life model of computation, the ideal process, and the general definition of securely realizing an ideal functionality. Next we present the hybrid model and the composition theorem. The text is somewhat informal for clarity and brevity, and is mostly taken from the Overview section of [c01]. For full details see there.

Protocol syntax. Following [gmr89, g01], a protocol is represented as a system of probabilistic interactive Turing machines (ITMs), where each ITM represents the program to be run within a different party. Specifically, the input and output tapes model inputs and outputs that are received from and given to other programs running on the same machine, and the communication tapes model messages sent to and received from the network. Adversarial entities are also modeled as ITMs. We concentrate on a model where the adversaries have an arbitrary additional input, or an "advice" string. From a complexity-theoretic point of view, this essentially implies that adversaries are non-uniform ITMs.

In order to simplify the exposition, we introduce the following convention. We assume that all protocols are such that the parties read their input tapes only at the onset of a protocol execution. This can easily be achieved by having the parties copy their input tape onto an internal work tape. This convention prevents problems that may occur when parties' input tapes are modified in the middle of a protocol execution (as is allowed in the model).

As sketched in Section 2, protocols that securely carry out a given task (or, protocol problem) are defined in three steps, as follows. First, the process of executing a protocol in the presence of an adversary and in a given computational environment is formalized. Next, an "ideal process" for carrying out the task at hand is formalized. In the ideal process the parties do not communicate with each other. Instead they have access to an "ideal functionality", which is essentially an incorruptible "trusted party" that is programmed to capture the desired functionality of the given task. A protocol is said to securely realize an ideal functionality if the process of running the protocol amounts to "emulating" the ideal process for that ideal functionality. We overview the model for protocol execution (called the real-life model), the ideal process, and the notion of protocol emulation.

We concentrate on the following model of computation, aimed at representing current realistic communication networks (such as the Internet). The communication takes place in an asynchronous, public network, without guaranteed delivery of messages. We assume that the communication is authenticated and thus the adversary cannot modify messages sent by honest parties (footnote 3). Furthermore, the adversary may only deliver messages that were previously sent by parties, and may deliver each message sent only once. The fact that the network is asynchronous means that the messages are not necessarily delivered in the order in which they are sent. Parties may be broken into (i.e., become corrupted) throughout the computation, and once corrupted their behavior is arbitrary (or, malicious). (Thus, our main consideration is that of malicious, adaptive adversaries. However, below we present the modifications necessary for modeling static and semi-honest adversaries.) We do not trust data erasures; rather, we postulate that past states are available to the adversary upon corruption. Finally, all the involved entities are restricted to probabilistic polynomial time (or "feasible") computation.

Protocol execution in the real-life model. We sketch the process of executing a given protocol $\pi$ (run by parties $P_1, \ldots, P_n$) with some adversary A and an environment machine Z with input z. All parties have a security parameter $k \in \mathbb{N}$ and are polynomial in k. The execution consists of a sequence of activations, where in each activation a single participant (either Z, A, or some $P_i$) is activated. The environment is activated first. In each activation it may read the contents of the output tapes of all the uncorrupted parties (footnote 4) and the adversary, and may write information on the input tape of one of the parties or of the adversary. Once the activation of the environment is complete (i.e., once the environment enters a special waiting state), the entity whose input tape was written on is activated next.

Once the adversary is activated, it may read its own tapes and the outgoing communication tapes of all parties. It may either deliver a message to some party by writing this message on the party's incoming communication tape or corrupt a party. Only messages that were sent in the past by some party can be delivered, and each message can be delivered at most once. Upon corrupting a party, the adversary gains access to all the tapes of that party and controls all the party's future actions. (We assume that the adversary also learns all the past internal states of the corrupted

Footnote 3: We remark that the basic model in [c01] postulates unauthenticated communication, i.e. the adversary may delete, modify, and generate messages at wish. Here we concentrate on authenticated networks for sake of simplicity. Authentication can be added in standard ways. Formally, the model here corresponds to the $\mathcal{F}_{\mathrm{auth}}$-hybrid model in [c01].

Footnote 4: The adversary is not given read access to the corrupted parties' output tapes because once a party is corrupted, it is no longer activated. Rather, the adversary sends messages in its name. Therefore, the output tapes of corrupted parties are not relevant.

addition, whenever a party is corrupted the environment is notified (say, via a message that is added to the output tape of the adversary). If the adversary delivered a message to some uncorrupted party in its activation then this party is activated once the activation of the adversary is complete. Otherwise the environment is activated next.

Once a party is activated (either due to an input given by the environment or due to a message delivered by the adversary), it follows its code and possibly writes local outputs on its output tape and outgoing messages on its outgoing communication tape. Once the activation of the party is complete the environment is activated. The protocol execution ends when the environment completes an activation without writing on the input tape of any entity. The output of the protocol execution is the output of the environment. We assume that this output consists of only a single bit.

Let $\mathrm{real}_{\pi,A,Z}(k,z,r)$ denote the output of environment Z when interacting with adversary A and parties running protocol $\pi$ on security parameter k, input z and random tapes $r = r_Z, r_A, r_1, \ldots, r_n$ as described above (z and $r_Z$ for Z, $r_A$ for A; $r_i$ for party $P_i$). Let $\mathrm{real}_{\pi,A,Z}(k,z)$ denote the random variable describing $\mathrm{real}_{\pi,A,Z}(k,z,r)$ when r is uniformly chosen. Let $\mathrm{real}_{\pi,A,Z}$ denote the ensemble $\{\mathrm{real}_{\pi,A,Z}(k,z)\}_{k \in \mathbb{N},\, z \in \{0,1\}^*}$.

The ideal process. Security of protocols is defined via comparing the protocol execution in the real-life model to an ideal process for carrying out (a single instance of) the task at hand. A key ingredient in the ideal process is the ideal functionality that captures the desired functionality, or the specification, of that task. The ideal functionality is modeled as another ITM that interacts with the environment and the adversary via a process described below. More specifically, the ideal process involves an ideal functionality F, an ideal process adversary S, an environment Z with input z, and a set of dummy parties $\tilde{P}_1, \ldots, \tilde{P}_n$.

As in the process of protocol execution in the real-life model, the environment is activated first. As there, in each activation it may read the contents of the output tapes of all (dummy) parties and the adversary, and may write information on the input tape of either one of the (dummy) parties or of the adversary. Once the activation of the environment is complete the entity whose input tape was written on is activated next.

The dummy parties are fixed and simple ITMs: Whenever a dummy party is activated with input x, it forwards x to the ideal functionality F, say by writing x on the incoming communication tape of F. In this case F is activated next, and a note that the party sent a message to F is written on the incoming communication tape of S. Whenever a dummy party is activated due to delivery of some message (from F), it copies this message to its output. In this case Z is activated next.

Once F is activated, it reads the contents of its incoming communication tape, and potentially sends messages to the parties and to the adversary by writing these messages on its outgoing communication tape. Once the activation of F is complete, the entity that was last activated before F is activated again. In the case this entity was one of the dummy parties, it immediately relinquishes control to Z.

Once the adversary S is activated, it may read its own input tape and in addition it can read the destinations of the messages on the outgoing communication tape of F. That is, S can see the identity of the recipient of each message sent by F, but it cannot see the contents of this message (unless the recipient of the message is S or a corrupted party (footnote 5)). S may either deliver a message from

Footnote 5: Note that the ideal process allows S to obtain the output values sent by F to the corrupted parties as soon as they are generated. Furthermore, if at the time that S corrupts some party $P_i$ there are messages sent from F to $P_i$, then S immediately obtains the contents of these messages.

a message from itself on F's incoming communication tape (footnote 6), or corrupt a party. Upon corrupting a party, both Z and F learn the identity of the corrupted party (say, a special message is written on their respective incoming communication tapes) (footnote 7). In addition, the adversary learns all the past inputs and outputs of the party. Finally, the adversary controls the party's actions from the time that the corruption takes place.

If the adversary delivered a message to some uncorrupted (dummy) party in an activation then this party is activated once the activation of the adversary is complete. Otherwise the environment is activated next.

As in the real-life model, the protocol execution ends when the environment completes an activation without writing on the input tape of any entity. The output of the protocol execution is the (one bit) output of Z.

Let $\mathrm{ideal}_{F,S,Z}(k,z,r)$ denote the output of environment Z after interacting in the ideal process with adversary S and ideal functionality F, on security parameter k, input z, and random input $r = r_Z, r_S, r_F$ as described above (z and $r_Z$ for Z, $r_S$ for S; $r_F$ for F). Let $\mathrm{ideal}_{F,S,Z}(k,z)$ denote the random variable describing $\mathrm{ideal}_{F,S,Z}(k,z,r)$ when r is uniformly chosen. Let $\mathrm{ideal}_{F,S,Z}$ denote the ensemble $\{\mathrm{ideal}_{F,S,Z}(k,z)\}_{k \in \mathbb{N},\, z \in \{0,1\}^*}$.

Securely realizing an ideal functionality. We say that a protocol $\pi$ securely realizes an ideal functionality F if for any real-life adversary A there exists an ideal-process adversary S such that no environment Z, on any input, can tell with non-negligible probability whether it is interacting with A and parties running $\pi$ in the real-life process, or with S and F in the ideal process. This means that, from the point of view of the environment, running protocol $\pi$ is 'just as good' as interacting with an ideal process for F. (In a way, Z serves as an "interactive distinguisher" between the two processes. Here it is important that Z can provide the process in question with adaptively chosen inputs throughout the computation.) We have:

Definition 3.2 Let $n \in \mathbb{N}$. Let F be an ideal functionality and let $\pi$ be an n-party protocol. We say that $\pi$ securely realizes F if for any adversary A there exists an ideal-process adversary S such that for any environment Z,

$$\mathrm{ideal}_{F,S,Z} \stackrel{c}{\equiv} \mathrm{real}_{\pi,A,Z}. \qquad (1)$$

Non-trivial protocols and the requirement to generate output. Recall that the ideal process does not require the ideal-process adversary to deliver messages that are sent by the ideal functionality to the dummy parties. Consequently, the definition provides no guarantee that a protocol will ever generate output or "return" to the calling protocol. Indeed, in our setting where message delivery is not guaranteed, it is impossible to ensure that a protocol "terminates" or generates output. Rather, the definition concentrates on the security requirements in the case that the protocol generates output.

Footnote 6: Many natural ideal functionalities indeed send messages to the adversary S (see the zero-knowledge and commitments functionalities of Sections 6 and 5 for examples). On the other hand, having the adversary send messages to F is less common. Nevertheless, this option can be useful in order to relax the requirements on protocols that realize the functionality. For example, it may be easier to obtain coin-tossing if the adversary is allowed to bias some of the bits of the result. If this is acceptable for the application in mind, we can allow the adversary this capability by having it send its desired bias to F.

Footnote 7: Allowing F to know which parties are corrupted gives it considerable power. This power provides greater freedom in formulating ideal functionalities for capturing the requirements of given tasks. On the other hand, it also inherently limits the scope of general realizability theorems. See more discussion in Section 3.3.

generates output, securely realizes any ideal functionality. Thus, in order to obtain a meaningful feasibility result, we introduce the notion of a non-trivial protocol. Such a protocol has the property that if the real-life adversary delivers all messages and does not corrupt any parties, then the ideal-process adversary also delivers all messages (and does not corrupt any parties). Note that in a non-trivial protocol, a party may not necessarily receive output. However, this only happens if either the functionality does not specify output for this party, or if the real-life adversary actively interferes in the execution (by either corrupting parties or refusing to deliver some messages). Our main result is to show the existence of non-trivial protocols for securely realizing any ideal functionality. All our protocols are in fact clearly non-trivial; therefore, we ignore this issue from here on.

Relaxations of Definition 3.2. We recall two standard relaxations of the definition:

• Static (non-adaptive) adversaries. Definition 3.2 allows the adversary to corrupt parties throughout the computation. A simpler (and somewhat weaker) variant forces the real-life adversary to corrupt parties only at the onset of the computation, before any uncorrupted party is activated. We call such adversaries static.

• Passive (semi-honest) adversaries. Definition 3.2 gives the adversary complete control over corrupted parties (such an adversary is called malicious). Specifically, the model states that from the time of corruption the corrupted party is no longer activated, and instead the adversary sends messages in the name of that party. In contrast, when a semi-honest adversary corrupts a party, the party continues to follow the prescribed protocol. Nevertheless, the adversary is given read access to the internal state of the party at all times, and is also able to modify the values that the environment writes on the corrupted parties' input tapes (footnote 8). Formally, if in a given activation, the environment wishes to write information on the input tape of a corrupted party, then the environment first passes the adversary the value x that it wishes to write (along with the identity of the party whose input tape it wishes to write to). The adversary then passes a (possibly different) value x' back to the environment. Finally, the environment writes x' on the input tape of the corrupted party, following which the corrupted party is activated. We stress that when the environment writes on the input tape of an honest party, the adversary learns nothing of the value and cannot modify it. Everything else remains the same as in the above-described malicious model. We say that protocol $\pi$ securely realizes functionality F for semi-honest adversaries, if for any semi-honest real-life adversary A there exists an ideal-process semi-honest adversary S such that Eq. (1) holds for any environment Z.

3.1.2 The composition theorem

The hybrid model. In order to state the composition theorem, and in particular in order to formalize the notion of a real-life protocol with access to multiple copies of an ideal functionality, the hybrid model of computation with access to an ideal functionality F (or, in short, the F-hybrid model) is formulated. This model is identical to the real-life model, with the following additions. On top of sending messages to each other, the parties may send messages to and receive messages from an unbounded number of copies of F. Each copy of F is identified via a unique session

Footnote 8: Allowing a semi-honest adversary to modify a corrupted party's input is somewhat non-standard. However, this simplifies the presentation of this work (and in particular the protocol compiler). All the protocols presented for the semi-honest model in this paper are secure both when the adversary can modify a corrupted party's input tape and when it cannot.

corresponding SID. (Sometimes a copy of F will interact only with a subset of the parties. The identities of these parties are determined by the protocol in the F-hybrid model.)

The communication between the parties and each one of the copies of F mimics the ideal process. That is, once a party sends a message m to a copy of F with a particular SID, that copy is immediately activated to receive this message. (If no such copy of F exists then a new copy of F is created and immediately activated to receive m.) Furthermore, although the adversary in the hybrid model is responsible for delivering the messages from the copies of F to the parties, it does not have access to the contents of these messages.

The hybrid model does not specify how the SIDs are generated, nor does it specify how parties "agree" on the SID of a certain protocol copy that is to be run by them. These tasks are left to the protocol in the hybrid model. This convention simplifies formulating ideal functionalities, and designing protocols that securely realize them, by freeing the functionality from the need to choose the SIDs and guarantee their uniqueness. In addition, it seems to reflect common practice of protocol design in existing networks. See more discussion following Theorem 3.3 below.

Let $\mathrm{exec}^{F}_{\pi,A,Z}(k,z)$ denote the random variable describing the output of environment machine Z on input z, after interacting in the F-hybrid model with protocol $\pi$ and adversary A, analogously to the definition of $\mathrm{real}_{\pi,A,Z}(k,z)$. (We stress that here $\pi$ is a hybrid of a real-life protocol with ideal evaluation calls to F.) Let $\mathrm{exec}^{F}_{\pi,A,Z}$ denote the distribution ensemble $\{\mathrm{exec}^{F}_{\pi,A,Z}(k,z)\}_{k \in \mathbb{N},\, z \in \{0,1\}^*}$.

Replacing a call to F with a protocol invocation. Let $\pi$ be a protocol in the F-hybrid model, and let $\rho$ be a protocol that securely realizes F (with respect to some class of adversaries). The composed protocol $\pi^{\rho}$ is constructed by modifying the code of each ITM in $\pi$ so that the first message sent to each copy of F is replaced with an invocation of a new copy of $\rho$ with fresh random input, with the same SID, and with the contents of that message as input. Each subsequent message to that copy of F is replaced with an activation of the corresponding copy of $\rho$, with the contents of that message given to $\rho$ as new input. Each output value generated by a copy of $\rho$ is treated as a message received from the corresponding copy of F. (See [c01] for more details on the operation of "composed protocols", where a party, i.e. an ITM, runs multiple protocol instances concurrently.)

If protocol $\rho$ is a protocol in the real-life model then so is $\pi^{\rho}$. If $\rho$ is a protocol in some G-hybrid model (i.e., uses ideal evaluation calls to some functionality G) then so is $\pi^{\rho}$.

Theorem statement. In its general form, the composition theorem basically says that if $\rho$ securely realizes F in the G-hybrid model for some functionality G, then an execution of the composed protocol $\pi^{\rho}$, running in the G-hybrid model, "emulates" an execution of protocol $\pi$ in the F-hybrid model. That is, for any adversary A in the G-hybrid model there exists an adversary S in the F-hybrid model such that no environment machine Z can tell with non-negligible probability whether it is interacting with A and $\pi^{\rho}$ in the G-hybrid model or it is interacting with S and $\pi$ in the F-hybrid model.

A corollary of the general theorem states that if $\pi$ securely realizes some functionality I in the F-hybrid model, and $\rho$ securely realizes F in the G-hybrid model, then $\pi^{\rho}$ securely realizes I in the G-hybrid model. (Here one has to define what it means to securely realize functionality I in the F-hybrid model. This is done in the natural way.) That is:

Theorem 3.3 ([c01]) Let F, G, I be ideal functionalities. Let $\pi$ be an n-party protocol in the F-hybrid model, and let $\rho$ be an n-party protocol that securely realizes F in the G-hybrid model. Then

that for any environment machine Z we have:

$$\mathrm{exec}^{G}_{\pi^{\rho},A,Z} \stackrel{c}{\equiv} \mathrm{exec}^{F}_{\pi,S,Z}. \qquad (2)$$

In particular, if $\pi$ securely realizes functionality I in the F-hybrid model then $\pi^{\rho}$ securely realizes I in the G-hybrid model.

On the uniqueness of the session IDs. The session IDs play a central role in the hybrid model and the composition operation, in that they enable the parties to distinguish different instances of a protocol. Indeed, differentiating protocol instances via session IDs is a natural and common mechanism in protocol design.

Yet, the current formulation of the hybrid model provides a somewhat over-idealized treatment of session IDs. Specifically, it is assumed that the session IDs are globally unique and common to all parties. That is, it is assumed that no two copies of an ideal functionality with the same session ID exist, even if the two copies have different (and even disjoint) sets of participants. Furthermore, all parties are assumed to hold the same SID (and they must somehow have agreed upon it). This treatment greatly simplifies the exposition of the model and the definition of ideal functionalities and protocols that realize them. Nonetheless, it is somewhat restrictive in that it requires the protocol in the hybrid model to guarantee global uniqueness of common session IDs. This may be hard (or even impossible) to achieve in the case that the protocol in the hybrid model is truly distributed and does not involve global coordination. See [llr02] for more discussion on this point. More elaborate ways of defining session IDs so as not to require global uniqueness exist. We leave this issue for future work.

3.2 Universal Composition with Joint State

Traditionally, composition operations among protocols assume that the composed protocol instances have disjoint states, and in particular independent local randomness. The universal composition operation is no exception: if protocol $\rho$ securely realizes some ideal functionality F, and protocol $\pi$ in the F-hybrid model uses m copies of F, then the composed protocol $\pi^{\rho}$ uses m independent copies of $\rho$, and no two copies of $\rho$ share any amount of state.

This property of universal composition (and of protocol composition in general) is bothersome in our context, where we wish to construct and analyze protocols in the common reference string (CRS) model. Let us elaborate. Assume that we follow the natural formalization of the CRS model as the $F_{\mathrm{crs}}$-hybrid model, where $F_{\mathrm{crs}}$ is the functionality that chooses a string from the specified distribution and hands it to all parties. Now, assume that we construct a protocol $\rho$ that realizes some ideal functionality F in the $F_{\mathrm{crs}}$-hybrid model (say, let F be the commitment functionality, $F_{\mathrm{com}}$). Assume further that some higher level protocol $\pi$ (in the F-hybrid model) uses multiple copies of F, and that we use the universal composition operation to replace each copy of F with an instance of $\rho$. We now obtain a protocol $\pi^{\rho}$ that runs in the $F_{\mathrm{crs}}$-hybrid model and emulates $\pi$. However, this protocol is highly wasteful of the reference string. Specifically, each instance of $\rho$ in $\pi^{\rho}$ has its own separate copy of $F_{\mathrm{crs}}$, or in other words each instance of $\rho$ requires its own independent copy of the reference string. This stands in sharp contrast with our common view of the CRS model, where an unbounded number of protocol instances should be able to use the same copy of the reference string.

One way to get around this limitation of universal composition (and composition theorems in general) is to treat the entire, multi-session interaction as a single instance of a more complex
