Computation
Ran Canetti†
Yehuda Lindell‡
Rafail Ostrovsky§
Amit Sahai¶
September 12, 2002
Abstract

We show how to securely realize any two-party and multi-party functionality in a universally composable way, regardless of the number of corrupted participants. That is, we consider an asynchronous multi-party network with open communication and an adversary that can adaptively corrupt as many parties as it wishes. In this setting, our protocols allow any subset of the parties (with pairs of parties being a special case) to securely realize any desired functionality of their local inputs, and be guaranteed that security is preserved regardless of the activity in the rest of the network. This implies that security is preserved under concurrent composition of an unbounded number of protocol executions, it implies non-malleability with respect to arbitrary protocols, and more. Our constructions are in the common reference string model and rely on standard intractability assumptions.

Keywords: Two-party and multi-party cryptographic protocols, secure composition of protocols, proofs of security.

An extended abstract of this work appeared in the 34th STOC, 2002.
† IBM T.J. Watson Research Center, email: canetti@watson.ibm.com.
‡ IBM T.J. Watson Research Center, email: lindell@us.ibm.com. Most of this work was carried out while the author was at the Weizmann Institute of Science, Israel.
§ Telcordia Technologies, email: rafail@research.telcordia.com.
¶ Princeton University, email: sahai@cs.princeton.edu.
Contents

1 Introduction
2 Overview
2.1 The model
2.2 An outline of the results and techniques
2.2.1 Two-party computation in the case of semi-honest adversaries
2.2.2 Obtaining two-party computation secure against malicious adversaries
2.2.3 Extensions to multi-party computation
3 Preliminaries
3.1 Universally Composable Security: The general framework
3.1.1 The basic framework
3.1.2 The composition theorem
3.2 Universal Composition with Joint State
3.3 Well-Formed Functionalities
4 Two-party Secure Computation for Semi-Honest Adversaries
4.1 Universally Composable Oblivious Transfer
4.1.1 Static UC Oblivious Transfer
4.1.2 Adaptive UC Oblivious Transfer
4.2 The General Construction
5 Universally Composable Commitments
6 Universally Composable Zero-Knowledge
7 The Commit-and-Prove Functionality F_cp
7.1 Securely Realizing F_cp for static adversaries
7.2 Securely Realizing F_cp for adaptive adversaries
8 Two-Party Secure Computation for Malicious Adversaries
8.1 The Protocol Compiler
8.2 Conclusions
9 Multi-party Secure Computation
9.1 Multi-party Secure Computation for Semi-Honest Adversaries
9.2 Authenticated Broadcast
9.3 One-to-Many Commitment, Zero-Knowledge and Commit-and-Prove
9.4 Multi-party Secure Computation for Malicious Adversaries
9.4.1 Conclusions
1 Introduction

Traditionally, cryptographic protocol problems were considered in a model where the only involved parties are the actual participants in the protocol, and only a single execution of the protocol takes place. This model allowed for relatively concise problem statements, and simplified the design and analysis of protocols. Indeed, this relatively simple model is a natural choice for the initial study of protocols.
However, this model of "stand-alone computation" does not fully capture the security requirements from cryptographic protocols in a modern computer network. In such networks, a protocol execution may run concurrently with an unknown number of other protocols. These arbitrary protocols may be executed by the same parties or other parties, they may have potentially related inputs and the scheduling of message delivery may be adversarially coordinated. Furthermore, the local outputs of a protocol execution may be used by other protocols in an unpredictable way. These concerns, or "attacks" on a protocol, are not captured by the stand-alone model.
One way to guarantee that protocols withstand some specific security threats in multi-execution environments is to explicitly incorporate these threats into the security model and analysis. Such an approach was taken, for instance, in the case of non-malleability of protocols [ddn00], and regarding the concurrent composition of zero-knowledge [dns98, rk99] and oblivious transfer [gm00]. However, this approach is inherently limited since it needs to explicitly address each new concern, whereas in a realistic network setting, the threats may be unpredictable. Furthermore, it inevitably results in definitions with ever-growing complexity.
In contrast, we take the approach where a protocol is designed and analyzed as "stand alone", and security in a multi-execution environment is guaranteed via a secure composition theorem. In particular, we use the recently proposed framework of universally composable security [c01]. Here a generic definition is given for what it means for a protocol to "securely realize a given ideal functionality", where an "ideal functionality" is a natural algorithmic way of capturing the desired functionality of the protocol problem at hand. In addition, it is shown that security of protocols is preserved under a general composition operation called universal composition. This essentially means that any protocol that securely realizes an ideal functionality when considered as stand-alone, continues to securely realize the same functionality even when composed with any other set of protocols that may be running concurrently in the same system. A protocol that is secure within the [c01] framework is called universally composable (UC).
It has been shown that any ideal functionality can be securely realized in a universally composable way using known constructions, as long as a majority of the participants remain uncorrupted [c01] (building upon [bgw88, rb89, cfgn96]). However, this result does not hold when half or more of the parties may be corrupted. In particular, it does not hold for the important case of two-party protocols, where each party wishes to maintain its security even if the other party is corrupted. In fact, it was shown in [cf01, c01] that in the standard model, a number of basic two-party functionalities (such as commitment, zero-knowledge, and common coin-tossing) cannot be securely realized in this framework by two-party protocols. Nonetheless, protocols that securely realize the commitment and zero-knowledge functionalities in the common reference string (CRS) model were shown in [cf01, d+01]. (In the CRS model all parties are given a common, public reference string that is ideally chosen from a given distribution. This model was originally proposed in the context of non-interactive zero-knowledge proofs [bfm88] and since then has proved useful in other cases as well.)
composable way, in the CRS model, regardless of the number of corrupted parties. More specifically, consider an asynchronous multi-party network where the communication is open and delivery of messages is not guaranteed. (For simplicity, we assume that delivered messages are authenticated. This can be achieved using standard methods.) The network contains an unspecified number of parties, and any number of these parties can be adaptively corrupted throughout the computation. In this setting, we show how arbitrary subsets of parties can securely realize any functionality of their inputs in a universally composable way. The functionality may be reactive, namely it may receive inputs and generate outputs multiple times throughout the computation. In addition to a common reference string, our protocols assume that the participants in each protocol execution have access to a broadcast channel among themselves.[1]
In addition to our general constructions for two-party and multi-party computation, we also present a new adaptively secure UC commitment scheme in the CRS model, assuming only the existence of trapdoor permutations. (UC commitment schemes are protocols that securely realize the ideal commitment functionality [cf01]. Existing constructions of UC commitments [cf01, dn01] rely on specific cryptographic assumptions.) Since UC zero-knowledge can be obtained given a UC commitment scheme without additional computational assumptions [cf01], we obtain an adaptively secure UC zero-knowledge protocol in the CRS model, for any NP relation, based on any trapdoor permutation. Beyond being interesting in its own right, we use this commitment scheme in order to base our constructions on more general cryptographic assumptions.
Outline of the construction. Our construction of two-party and multi-party protocols follows the general outline of the construction of Goldreich, Micali and Wigderson [gmw87], where the basic primitives are replaced with universally composable counterparts. On top of guaranteeing universal composability, this results in a modular construction and analysis that highlights the functionality and role of each ingredient in the construction. We first concentrate on the case of two-party functionalities, which contains most of the cryptographic ideas in a simplified form. Here, we begin by considering semi-honest (or, passive) adversaries. We define an ideal oblivious transfer (OT) functionality and show how to securely realize it in the face of semi-honest adversaries. Then we show that the [gmw87] construction, given access to the ideal OT functionality, can be used to securely realize any two-party ideal functionality in a universally composable way. (No common reference string is used in the semi-honest case.)
Next we construct a protocol compiler, analogous to that of [gmw87], that transforms any two-party protocol in the semi-honest model into a protocol that guarantees equivalent input-output relations in the presence of general, malicious adversaries. This is done as follows. Our starting point is a new ideal functionality, called commit-and-prove, that blends together the notions of commitment and zero-knowledge. This functionality allows a party to commit to values and later prove "in zero knowledge" some arbitrary NP-statements regarding the committed values. (This notion is implicit in the work of [gmw87], and was also discussed by Kilian [k89]. We formalize it as an ideal functionality in the UC framework.) We realize the commit-and-prove functionality given access to the ideal zero-knowledge functionality (which, as we have mentioned, can in turn be realized given access to the ideal commitment functionality). Having obtained a secure protocol for the commit-and-prove functionality, we construct the above-mentioned protocol compiler in a
[1] This broadcast channel is formally modeled by a universally composable broadcast functionality. In subsequent work to ours, it was shown that in the model where delivery of messages is not guaranteed, universally composable broadcast can be achieved in O(1) rounds, for any number of corrupted parties, and without any setup assumptions [gl02]. Thus, in actuality, we only need to assume a common reference string here.
composition theorem is used to compose all the ingredients into a general, UC protocol compiler in the CRS model. This compiler transforms protocols that are UC secure in the semi-honest model into protocols that are UC secure even in the presence of malicious adversaries. Here we also use universal composition with joint state [cr02], which allows several protocol instances to use the same instance of the reference string.
Finally, we extend our results from the two-party case to the multi-party case. The semi-honest case is treated as in [gmw87]. For the case of malicious adversaries, we first extend the commitment, zero-knowledge, and commit-and-prove functionalities to allow a prover to commit and prove statements to a set of parties (rather than to a single party). Next, we generalize the protocol compiler, which now has ideal access to the multi-party version of the commit-and-prove functionality. As before, we conclude by compiling the semi-honest protocol, thereby obtaining a protocol that maintains security even in the presence of malicious adversaries.
Adaptive security. Our protocol is the first general construction that guarantees security against adaptive adversaries in the two-party case and in the case of multi-party protocols with honest minority. (We note that no adaptively secure general construction was known in these cases even in the traditional stand-alone model. All previous adaptively secure protocols for general multi-party computation assumed an honest majority.) We remark that, in contrast to the case of stand-alone protocols, in our setting adaptive security is a relevant concern even for protocols with only two participants. Furthermore, it is important to protect even against adversaries that eventually break into all the participants in an interaction. This is because we consider multiple interactions that take place between different sets of parties in the system. Therefore, all the participants in one interaction may constitute a proper subset of the participants in another interaction. Our results hold even in a model where no data can ever be erased.
Cryptographic assumptions. Our protocols are based on the following cryptographic assumptions. For the non-adaptive case (both semi-honest and malicious) we assume the existence of trapdoor permutations only. For the adaptive case we additionally assume the existence of augmented non-committing encryption protocols [cfgn96]. The augmentation includes oblivious key generation and invertible samplability [dn00]. Loosely speaking, oblivious key generation states that public keys can be generated without knowing the corresponding private keys, and invertible samplability states that given a public/private key-pair it is possible to obtain the random coin tosses of the key generator when outputting this key-pair (the oblivious key generator should also be invertible). Such encryption schemes are known to exist under the RSA and DDH assumptions.

As we have mentioned, our protocols are in the CRS model. The above assumptions suffice if we use a common reference string that is not uniformly distributed (but is rather taken from some different distribution). If a uniformly distributed common reference string is to be used, then we additionally assume the existence of dense cryptosystems [dp92].
Related work. In a concurrent and independent work [dn01], Damgård and Nielsen consider a functionality that has great resemblance to our commit-and-prove functionality, and construct universally composable protocols that realize this functionality under specific number-theoretic assumptions. Our commit-and-prove protocol is based on more general assumptions, whereas their protocol is considerably more efficient.
our construction of UC two-party and multi-party protocols. Section 3 contains a number of preliminaries: First, in Section 3.1, a more detailed description of the [c01] framework and of the composition theorem is presented. Then, in Section 3.2, the issue of universal composition with joint state is discussed (this is important when a common reference string is used, as is the case in our constructions). Finally, in Section 3.3, we describe the class of ideal functionalities that our constructions securely realize.
We then begin our constructions with the two-party case. First, in Section 4, we show how to obtain UC two-party secure computation in the presence of semi-honest adversaries. Next we proceed to the case of malicious adversaries. Here we lead up to the general protocol compiler in a number of steps: In Section 5 we recall the commitment functionality F_mcom and present our new UC commitment scheme. In Section 6, the ideal zero-knowledge functionality, F_zk, is described and known protocols for realizing it (either with ideal access to F_mcom or directly in the common reference string model) are recalled. In Section 7 we define the two-party commit-and-prove functionality, F_cp, and show how to realize it given ideal access to F_zk. This is then used in Section 8 to construct a two-party protocol compiler that transforms the protocol of Section 4 into a protocol that is secure against malicious adversaries.
Finally, in Section 9, we extend our two-party constructions to the multi-party case. We present the two-party case separately because it is simpler and most of the cryptographic ideas already arise in this setting.
2 Overview
This section provides a high-level overview of the model and our constructions. Section 2.1 contains an overview of the general framework of universal composability, the definition of security and the composition theorem. Then, in Section 2.2 we provide a brief outline of our constructions for two-party and multi-party computation. The aim of this outline is to provide the reader with the "big picture", before delving into details.
2.1 The model
We begin by outlining the framework for universal composability; for more details see Section 3.1 and [c01]. The framework provides a rigorous method for defining the security of cryptographic tasks, while ensuring that security is maintained under a general composition operation in which a secure protocol for the task in question is run in a system concurrently with an unbounded number of other arbitrary protocols. This composition operation is called universal composition, and tasks that fulfill the definitions of security in this framework are called universally composable (UC).

As in other general definitions (e.g., [gl90, mr91, b91, pw00, c00]), the security requirements of a given task (i.e., the functionality expected from a protocol that carries out the task) are captured via a set of instructions for a "trusted party" that obtains the inputs of the participants and provides them with the desired outputs (in one or more iterations). We call the algorithm run by the trusted party an ideal functionality. Informally, a protocol securely carries out a given task if any adversary can gain nothing more from an attack on a real execution of the protocol, than from an attack on an ideal process where the parties merely hand their inputs to a trusted party with the appropriate functionality and obtain their outputs from it, without any other interaction. In other words, we require that a real execution (where no trusted party exists and the parties interact amongst themselves only) can be emulated in the above ideal process.
In order to prove the universal composition theorem, the notion of emulation in this framework is considerably stronger than in previous ones. Traditionally, the model of computation includes the parties running the protocol, plus an adversary A that controls the communication channels and potentially corrupts parties. Emulation means that for any adversary A attacking a real protocol execution, there should exist an "ideal process adversary" or simulator S, that causes the outputs of the parties in the ideal process to be essentially the same as the outputs of the parties in a real execution. In the universally composable framework, an additional adversarial entity called the environment Z is introduced. This environment generates the inputs to all parties, reads all outputs, and in addition interacts with the adversary in an arbitrary way throughout the computation. (As is hinted by its name, Z represents the external environment that consists of arbitrary protocol executions that may be running concurrently with the given protocol.) A protocol is said to securely realize a given ideal functionality F if for any "real-life" adversary A that interacts with the protocol there exists an "ideal-process adversary" S, such that no environment Z can tell whether it is interacting with A and parties running the protocol, or with S and parties that interact with F in the ideal process. (In a sense, here Z serves as an "interactive distinguisher" between a run of the protocol and the ideal process with access to F. See [c01] for more motivating discussion on the role of the environment.) Note that the definition requires the "ideal-process adversary" (or simulator) S to interact with Z throughout the computation. Furthermore, Z cannot be "rewound".
The following universal composition theorem is proven in [c01]: Consider a protocol that operates in a hybrid model of computation where parties can communicate as usual, and in addition have ideal access to an unbounded number of copies of some ideal functionality F. (This model is called the F-hybrid model.) Furthermore, let be a protocol that securely realizes F as sketched above, and let be the "composed protocol". That is, is identical to with the exception that each interaction with the ideal functionality F is replaced with a call to (or an activation of) an appropriate instance of the protocol . Similarly, -outputs are treated as values provided by the functionality F. The theorem states that in such a case, and have essentially the same input/output behavior. Thus, behaves just like the ideal functionality F, even when composed with an arbitrary protocol . A special case of this theorem states that if securely realizes some ideal functionality G in the F-hybrid model, then securely realizes G from scratch.
We consider a network where the adversary sees all the messages sent, and delivers or blocks these messages at will. (The fact that message delivery is not guaranteed frees us from the need to explicitly deal with the "early stopping" problem of protocols run between two parties or amongst many parties where only a minority may be honest. This is because even the ideal process allows the adversary to abort the execution at any time.) We note that although the adversary may block messages, it cannot modify messages sent by honest parties (i.e., the communication lines are ideally authenticated). Our protocols are cast in a completely asynchronous point-to-point network (and thus the adversary has full control over when messages are delivered, if at all). Also, as usual, the adversary is allowed to corrupt parties. In the case of static adversaries the set of corrupted parties is fixed at the onset of the computation. In the adaptive case the adversary corrupts parties at will throughout the computation. We also distinguish between malicious and semi-honest adversaries: If the adversary is malicious then corrupted parties follow the arbitrary instructions of the adversary. In the semi-honest case, even corrupted parties follow the prescribed protocol and the adversary essentially only gets read access to the states of corrupted parties.
2.2 An outline of the results and techniques

In this section we provide a high-level description of our protocols for two-party and multi-party computation, and the techniques used in obtaining them. Our construction is conceptually very similar to the construction of Goldreich, Micali and Wigderson [gmw87, g98]. This construction (which we call the GMW construction) is comprised of two stages. First, they present a protocol for securely realizing any functionality in the semi-honest adversarial model. Next, they construct a protocol compiler that takes any semi-honest protocol and transforms it into a protocol that has the same functionality in the malicious adversarial model. (However, as discussed above, they consider a model where only a single protocol execution takes place in the system. In contrast, we construct protocols for universally composable secure computation.) We begin by considering the two-party case.
2.2.1 Two-party computation in the case of semi-honest adversaries
Recall that in the case of semi-honest adversaries, even the corrupted parties follow the protocol specification. However, the adversary may attempt to learn more information than intended by examining the transcript of messages that it received during the protocol execution. Despite the seemingly weak nature of the adversarial model, obtaining protocols secure against semi-honest adversaries is a non-trivial task.
We begin by briefly recalling the [gmw87, g98] construction for secure two-party computation in the semi-honest adversarial model. Let f be the two-party functionality that is to be securely computed. Then, the parties are given an arithmetic circuit over GF(2) that computes the function f. The protocol starts with the parties sharing their inputs with each other using bitwise-xor secret sharing, and thus following this stage, they both hold shares of the input lines of the circuit. That is, for each input line l, party A holds a value a_l and party B holds a value b_l, such that both a_l and b_l are random under the constraint that a_l + b_l equals the value of the input into this line. Next, the parties evaluate the circuit gate-by-gate, computing random shares of the output line of the gate from the random shares of the input lines to the gate. There are two types of gates in the circuit: addition gates and multiplication gates. Addition gates are evaluated by each party locally adding its shares of the input values. Multiplication gates are evaluated using 1-out-of-4 oblivious transfer (the oblivious transfer protocol used is basically that of [egl85]). In the above way, the parties jointly compute the circuit and obtain shares of the output gates. The protocol concludes with each party revealing the prescribed shares to the other party (i.e., if a certain output gate provides a bit of A's input, then B will reveal its share of this output line to A).
Our general construction is exactly that of GMW, except that the oblivious transfer protocol used is universally composable. That is, we first define an ideal oblivious transfer functionality, F_ot, and show that in the F_ot-hybrid model, the GMW protocol securely realizes any two-party functionality in the presence of semi-honest, adaptive adversaries. This holds unconditionally and even if the adversary and environment are computationally unbounded. Of course, computational assumptions are used for securely realizing F_ot itself. (Our construction is actually somewhat more general than that of GMW in that it deals with reactive functionalities that have multiple stages which are separately activated. This is achieved by having the parties hold shares of the state of the ideal functionality between activations.)
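The semi-honest GMW evaluation described above, as an added example in Python (not code from the paper): xor shares of every wire, addition gates evaluated locally, and each multiplication gate evaluated with one 1-out-of-4 oblivious transfer. F_ot is modelled as an ideal functionality, as in the F_ot-hybrid model; the equality-test circuit is constructed here for illustration.

```python
import secrets

def share(bit):
    """Bitwise-xor secret sharing of one bit: returns (a_l, b_l) with
    a_l ^ b_l == bit and each share on its own uniformly random."""
    a_l = secrets.randbits(1)
    return a_l, a_l ^ bit

def ideal_ot_1of4(sender_values, receiver_choice):
    """Ideal F_ot (1-out-of-4): the receiver learns exactly one of the four
    sender values and the sender learns nothing about the choice.  This is
    the ideal functionality of the F_ot-hybrid model; a real run would
    replace it by a UC-secure OT protocol (assumption: trusted function)."""
    assert len(sender_values) == 4 and 0 <= receiver_choice < 4
    return sender_values[receiver_choice]

def eval_xor(a_x, a_y, b_x, b_y):
    """Addition gate: each party xors its own two shares locally."""
    return a_x ^ a_y, b_x ^ b_y

def eval_and(a_x, a_y, b_x, b_y):
    """Multiplication gate via one 1-out-of-4 OT.  A picks a random output
    share r and prepares, for each of B's four possible share pairs
    (bx, by), the value r ^ ((a_x ^ bx) & (a_y ^ by)).  B obtains only the
    entry matching its real shares; that entry is masked by r, so B learns
    nothing about A's shares, and A learns nothing about B's choice."""
    r = secrets.randbits(1)
    table = [r ^ ((a_x ^ bx) & (a_y ^ by)) for bx in (0, 1) for by in (0, 1)]
    b_out = ideal_ot_1of4(table, 2 * b_x + b_y)   # index of the pair (b_x, b_y)
    return r, b_out

def gmw_evaluate(gates, a_inputs, b_inputs):
    """Semi-honest GMW over GF(2).  gates: list of (op, in1, in2, out) with op
    in {"XOR", "AND", "NOT"}; NOT is addition of the constant 1, so only A
    flips its share.  a_inputs / b_inputs: {wire: bit} private inputs.
    Returns both parties' share tables (each party's view of every wire)."""
    A, B = {}, {}
    for w, bit in a_inputs.items():      # A shares its own input bits
        A[w], B[w] = share(bit)
    for w, bit in b_inputs.items():      # B shares its own input bits
        B[w], A[w] = share(bit)
    for op, i1, i2, out in gates:
        if op == "XOR":
            A[out], B[out] = eval_xor(A[i1], A[i2], B[i1], B[i2])
        elif op == "NOT":
            A[out], B[out] = A[i1] ^ 1, B[i1]
        elif op == "AND":
            A[out], B[out] = eval_and(A[i1], A[i2], B[i1], B[i2])
        else:
            raise ValueError("unknown gate " + op)
    return A, B

def reconstruct(A, B, wire):
    """Output phase: the parties reveal their shares of an output wire."""
    return A[wire] ^ B[wire]

def equality_circuit(nbits):
    """Constructed sample circuit for [x == y]: x on wires 0..n-1, y on
    wires n..2n-1; eq = AND_i NOT(x_i XOR y_i).  Returns (gates, out_wire)."""
    gates, nxt, acc = [], 2 * nbits, None
    for i in range(nbits):
        gates.append(("XOR", i, nbits + i, nxt)); d = nxt; nxt += 1
        gates.append(("NOT", d, None, nxt)); e = nxt; nxt += 1
        if acc is None:
            acc = e
        else:
            gates.append(("AND", acc, e, nxt)); acc = nxt; nxt += 1
    return gates, acc

def secure_equal(x, y, nbits=4):
    """A holds x, B holds y; both learn only whether x == y (as 0/1)."""
    gates, out = equality_circuit(nbits)
    a_in = {i: (x >> i) & 1 for i in range(nbits)}
    b_in = {nbits + i: (y >> i) & 1 for i in range(nbits)}
    A, B = gmw_evaluate(gates, a_in, b_in)
    return reconstruct(A, B, out)

if __name__ == "__main__":
    print("5 == 5 ?", secure_equal(5, 5))   # 1
    print("5 == 6 ?", secure_equal(5, 6))   # 0
```

Every intermediate wire stays shared, so neither party's view contains the other's input bits in the clear; only the designated output wire is reconstructed.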
Next we present protocols that securely realize F_ot in the semi-honest case. In the non-adaptive case, the protocol of [egl85, g98] suffices. In the adaptive case, our protocol uses an augmented version of non-committing encryption [cfgn96]. The augmentation consists of two additional properties. First, the encryption scheme should have an alternative key generation algorithm that
standard and additional key generation algorithms should be invertible in the sense that given the output key or keys, it is possible to find the random coin tosses used in generating these keys. (Following [dn00], we call these properties oblivious key generation and invertible samplability. All known non-committing encryption schemes have these properties. In particular, such schemes exist under either the RSA assumption or the DDH assumption.) In all, we show:
Proposition 2.1 (semi-honest computation, informal): Assume that trapdoor permutations exist. Then, for any two-party ideal functionality F, there exists a protocol that securely realizes F in the presence of semi-honest, static adversaries. Furthermore, if augmented two-party non-committing encryption protocols exist, then there exists a protocol that securely realizes F in the presence of semi-honest, adaptive adversaries.
Proposition 2.1 as stated above is not precise. This is due to two technicalities regarding the model of computation as defined in [c01]. We therefore define a class of functionalities for which these technical problems do not arise and then construct secure protocols for any functionality in this class. See Section 3.3 for more discussion and an exact definition.

Another point where our results formally differ from Proposition 2.1 is due to the fact that, according to the definitions used here, protocols which do not generate any output are technically secure (for any functionality). Thus, Proposition 2.1 as stated can be easily (but uninterestingly) achieved. In contrast, we prove the existence of protocols which do generate output and securely realize any functionality (we call such a protocol non-trivial; for more details, see the discussion after Definition 3.2 in Section 3.1). Proposition 2.1 is formally restated in Section 4.2.
2.2.2 Obtaining two-party computation secure against malicious adversaries
Having constructed a protocol that is universally composable when the adversary is limited to semi-honest behavior, we construct a protocol compiler that transforms this protocol into one that is secure even against malicious adversaries. From here on, we refer to the protocol that is secure against semi-honest adversaries as the "basic protocol". Recall that the basic protocol is only secure in the case that even the corrupted parties follow the protocol specification exactly, using a uniformly chosen random tape. Thus, in order to obtain a protocol secure against malicious adversaries, we need to force potentially malicious corrupted parties to behave in a semi-honest manner. First and foremost, this involves forcing the parties to follow the prescribed protocol. However, this only makes sense relative to a given input and random tape. Furthermore, a malicious party must be forced into using a uniformly chosen random tape. This is because the security of the basic protocol may depend on the fact that the party has no freedom in setting its own randomness. We begin with a description of the GMW compiler.
An informal description of the GMW compiler. The GMW compiler begins by having each party commit to its input. Next, the parties run a coin-tossing protocol in order to fix their random tapes. A simple coin-tossing protocol in which both parties receive the same uniformly distributed string is not sufficient here. This is because the parties' random tapes must remain secret. Instead, an augmented coin-tossing protocol is used, where one party receives a uniformly distributed string (to be used as its random tape) and the other party receives a commitment to that string. Now, following these two steps, each party holds its own input and uniformly distributed random tape, and a commitment to the other party's input and random tape.
honest behavior. Observe that a protocol specification is a deterministic function of a party's view consisting of its input, random tape and messages received so far, and recall that each party holds a commitment to the input and random tape of the other party. Observe also that the messages sent so far are public. Therefore, the assertion that a new message is computed according to the protocol is an NP statement (and the party sending the message knows an adequate NP-witness to it). This means that the parties can use zero-knowledge proofs to show that their steps are indeed according to the protocol specification. Therefore, in the protocol emulation phase, the parties send messages according to the instructions of the basic protocol, while proving at each step that the messages sent are correct. The key point is that, due to the soundness of the proofs, even a malicious adversary cannot deviate from the protocol specification without being detected. Therefore, the adversary is limited to semi-honest behavior. Furthermore, since the proofs are zero-knowledge, nothing "more" is revealed in the compiled protocol than in the basic protocol. We conclude that the security of the compiled protocol (against malicious adversaries) is directly derived from the security of the basic protocol (against semi-honest adversaries).

In summary, the GMW compiler has three components: input commitment, coin-tossing and protocol emulation (where the parties prove that their steps are according to the protocol specification).
Universally composable protocol compilation. A natural way of adapting the GMW compiler to the setting of universally composable secure computation would be to take the same compiler, but rather use universally composable commitments, coin-tossing and zero-knowledge as sub-protocols. However, such a strategy fails because the receiver of a universally composable commitment receives no information about the value committed to. (Instead, the recipient receives only a formal "receipt" assuring it that a value was committed to. See Section 5 for more details.) Thus, there is no NP-statement that a party can prove relative to its input commitment. This is in contrast to the GMW protocol where standard (perfectly binding) commitments are used and thus each party holds a string that uniquely determines the other party's input and random tape.
A different strategy is therefore required for constructing a universally composable compiler. Before describing our strategy, observe that in GMW the use of the commitment scheme is not standard. Specifically, although both parties commit to their inputs etc., they never decommit. Rather, they prove NP-statements relative to their committed values. Thus, a natural primitive to use would be a "commit-and-prove" functionality, which is comprised of two phases. In the first phase, a party "commits" (or is bound) to a specific value. In the second phase, this party proves NP-statements (in zero-knowledge) relative to the committed value. We formulate this notion in a universally composable commit-and-prove functionality, denoted F_cp, and then use this functionality to implement all three phases of the compiler. More specifically, our protocol compiler uses the "commit" phase of the F_cp functionality in order to execute the input and coin-tossing phases of the compiler. The "prove" phase of the F_cp functionality is then used to force the adversary to send messages according to the protocol specification and consistent with the committed input and the random tape resulting from the coin-tossing. The result is a universally composable analog to the GMW compiler. We remark that in the F_cp-hybrid model the compiler is unconditionally secure against adaptive adversaries, even if the adversary and the environment are computationally unbounded.
We show how to securely realize $F_{cp}$ in the $F_{zk}$-hybrid model, i.e. in a hybrid model with ideal access to an ideal zero-knowledge functionality, $F_{zk}$. (Functionality $F_{zk}$ expects to receive a statement x and a witness w from the prover. It then forwards x to the verifier, together with an
phase of the commit-and-prove protocol, the committer commits to its input value w using some commitment scheme C, and in addition it proves to the receiver, using $F_{zk}$ with an appropriate relation, that it "knows" the committed value. In the prove phase, where the committer wishes to assert that the committed value w stands in relation R with some public value x, the committer presents x and w to $F_{zk}$ again, but this time the relation used by $F_{zk}$ asserts two properties: first that $R(x,w)$ holds, and second that w is the same value that was previously committed to.
To guarantee security against static adversaries, the commitment scheme of Naor [n91] is sufficient as an instantiation of the scheme C. We thus obtain a protocol for securely realizing $F_{cp}$ in the $F_{zk}$-hybrid model, based on any one-way function. To guarantee security against adaptive adversaries we need "adaptively secure" commitment schemes, namely commitment schemes where a simulator can generate "dummy commitments" which can be later opened in multiple ways. (In fact, a slightly stronger property is needed here; see details within.) Such commitments exist assuming the existence of trapdoor permutations, as is demonstrated by our construction of universally composable commitments in Section 5. In all we obtain:
Theorem 2.2 (two-party computation in the malicious model; informal): Assume that trapdoor permutations exist. Then, for any two-party ideal functionality F, there exists a protocol that securely realizes F in the $F_{zk}$-hybrid model in the presence of malicious, static adversaries. Furthermore, if augmented two-party non-committing encryption protocols exist, then there exists a protocol that securely realizes F in the $F_{zk}$-hybrid model in the presence of malicious, adaptive adversaries.
Let $F_{crs}$ denote the common random string functionality (that is, $F_{crs}$ provides all parties with a common, public string drawn from a predefined distribution). Then, as we show in Section 5, universally composable commitments can be securely realized in the $F_{crs}$-hybrid model, assuming the existence of trapdoor permutations. Furthermore, [cf01] showed that the $F_{zk}$ functionality can be securely realized given universally composable commitments. Combining these results together, we have that $F_{zk}$ can be securely realized in the $F_{crs}$-hybrid model, assuming the existence of trapdoor permutations. Using the composition theorem we obtain a similar result to Theorem 2.2, with the exception that F is realized in the $F_{crs}$-hybrid model (rather than in the $F_{zk}$-hybrid model). As with Proposition 2.1, Theorem 2.2 is not stated exactly. It is formally restated in Section 8.2.
On the distribution of the reference string. In obtaining the above corollary, the common reference string is used only in the construction of the universally composable commitment scheme (which is used for obtaining $F_{zk}$). As we have mentioned, in the $F_{crs}$-hybrid model, universally composable commitments can be obtained assuming the existence of trapdoor permutations only. However, in this case, the common reference string is not uniformly distributed. Nevertheless, a uniformly distributed string can be used, under the additional assumption of the existence of dense cryptosystems [dp92]. We therefore conclude that universally composable two-party computation can be obtained with a uniformly distributed reference string, under the assumption that the following primitives exist: trapdoor permutations, dense cryptosystems and augmented two-party non-committing encryption protocols.
We now describe how the two-party construction of Theorem 2.2 is extended to the setting of multi-party computation, where any number of parties may be corrupt. Recall that in this setting, each set of interacting parties is assumed to have access to an authenticated broadcast channel.
The outline of our construction is as follows. Similarly to the two-party case, we first construct a multi-party protocol that is secure against semi-honest adversaries (as above, this protocol is essentially that of GMW). Then, we construct a protocol compiler (again, like that of GMW) that transforms semi-honest protocols into ones that are secure even against malicious adversaries. This protocol compiler is constructed using a one-to-many extension of the commit-and-prove functionality, denoted $F^{1:M}_{cp}$. The extension of the protocol that realizes two-party $F_{cp}$ to a protocol that realizes one-to-many $F^{1:M}_{cp}$ constitutes the main difference between the two-party and multi-party constructions. Therefore, in this outline, we focus exclusively on how this extension is achieved.
The first step in realizing $F^{1:M}_{cp}$ is to construct one-to-many extensions of universal commitments and zero-knowledge. In a one-to-many commitment scheme, all parties receive the commitment (and the committer is bound to the same value for all parties). Likewise, in one-to-many zero-knowledge, all parties verify the proof (and they either all accept or all reject the proof). Now, any non-interactive commitment scheme can be transformed into a one-to-many equivalent by simply having the committer broadcast its message to all parties. Thus, this functionality is immediately obtained from our commitment scheme in Section 5 or from the scheme of [cf01] (both of these constructions are non-interactive). However, obtaining one-to-many zero-knowledge is more involved, since we do not know how to construct non-interactive adaptively-secure universally composable zero-knowledge.² Nevertheless, using the methodology of [g98], a one-to-many zero-knowledge protocol can be constructed as follows. The construction is based on the universally-composable zero-knowledge protocol of [cf01]. Specifically, they show that parallel executions of the 3-round zero-knowledge protocol for Hamiltonicity are universally composable, when a universally composable commitment scheme is used for the prover's commitments. Thus, the prover runs a copy of the above zero-knowledge protocol with each receiver over the broadcast channel, using the one-to-many commitment scheme for its commitments. Furthermore, each verifying party checks that the proofs of all the other parties are accepting (this is possible because the proof of Hamiltonicity is publicly verifiable and because all parties view all the communication). Thus, at the end of the protocol, all honest parties agree (without any additional communication) on whether the proof was successful or not. (Note also that the adversary cannot cause an honest prover's proof to be rejected.)

² In the case of static adversaries, the non-interactive zero-knowledge protocol of [dc+01] suffices. Thus, here too, the prover message can simply be broadcast and one-to-many zero-knowledge is obtained.

It remains to describe how to realize $F^{1:M}_{cp}$ in the $F^{1:M}_{zk}$-hybrid model. The basic idea is to generalize the $F_{cp}$ protocol. As with zero-knowledge, this is not straightforward because in the protocol for adaptive adversaries, the $F_{cp}$ commit-phase is interactive. Nevertheless, this problem is solved by having the committer commit to its input value w by separately running the protocol for the commit-phase of (two-party) $F_{cp}$ with every party over the broadcast channel. Following this, the committer uses one-to-many zero-knowledge to prove that it committed to the same value in all of these commitments. (Since each party views the communication from all the commitments, every party can verify this zero-knowledge proof.) The prove phase is similar to the two-party case, except that the one-to-many extension of zero-knowledge is used (instead of two-party zero-knowledge).

Finally, we note that, as in the two-party case, a multi-party protocol compiler can be constructed in the $F^{1:M}_{cp}$-hybrid model, with no further assumptions. Denoting the ideal broadcast functionality by $F_{bc}$, we obtain:

Theorem 2.3 (multi-party computation in the malicious model; informal): Assume that trapdoor permutations exist. Then, for any multi-party ideal functionality F, there exists a protocol that securely realizes F in the $(F_{bc}, F_{crs})$-hybrid model in the presence of malicious, static adversaries, and for any number of corruptions. Furthermore, if augmented two-party non-committing encryption protocols exist, then there exists a protocol that securely realizes F in the $(F_{bc}, F_{crs})$-hybrid model in the presence of malicious, adaptive adversaries, and for any number of corruptions.

As with Proposition 2.1, Theorem 2.3 is not stated exactly. It is formally restated in Section 9.4.
3 Preliminaries

Section 3.1 reviews the framework of [c01] and the universal composition theorem. In Section 3.2 we discuss issues that arise regarding universal composition when some amount of joint state between protocols is desired. Finally, Section 3.3 presents the class of functionalities which we will show how to securely realize. Before proceeding, we recall the definition of computational indistinguishability.

A distribution ensemble $X = \{X(k,a)\}_{k \in \mathbb{N},\, a \in \{0,1\}^*}$ is an infinite set of probability distributions, where a distribution $X(k,a)$ is associated with each $k \in \mathbb{N}$ and $a \in \{0,1\}^*$. The ensembles considered in this work describe outputs where the parameter a represents input, and the parameter k is taken to be the security parameter. A distribution ensemble is called binary if it consists only of distributions over $\{0,1\}$. Then,

Definition 3.1 Two binary distribution ensembles X and Y are indistinguishable (written $X \approx Y$) if for any $c \in \mathbb{N}$ there exists $k_0 \in \mathbb{N}$ such that for all $k > k_0$ and for all a we have
$$\left| \Pr(X(k,a) = 1) - \Pr(Y(k,a) = 1) \right| < k^{-c}.$$
3.1 Universally Composable Security: The general framework

We start by reviewing the syntax of message-driven protocols in asynchronous networks. We then present the real-life model of computation, the ideal process, and the general definition of securely realizing an ideal functionality. Next we present the hybrid model and the composition theorem. The text is somewhat informal for clarity and brevity, and is mostly taken from the Overview section of [c01]. For full details see there.

Protocol syntax. Following [gmr89, g01], a protocol is represented as a system of probabilistic interactive Turing machines (ITMs), where each ITM represents the program to be run within a different party. Specifically, the input and output tapes model inputs and outputs that are received from and given to other programs running on the same machine, and the communication tapes model messages sent to and received from the network. Adversarial entities are also modeled as ITMs. We concentrate on a model where the adversaries have an arbitrary additional input, or an "advice" string. From a complexity-theoretic point of view, this essentially implies that adversaries are non-uniform ITMs.

In order to simplify the exposition, we introduce the following convention. We assume that all protocols are such that the parties read their input tapes only at the onset of a protocol execution. This can easily be achieved by having the parties copy their input tape onto an internal work tape. This convention prevents problems that may occur when parties' input tapes are modified in the middle of a protocol execution (as is allowed in the model).
As sketched in Section 2, protocols that securely carry out a given task (or, protocol problem) are defined in three steps, as follows. First, the process of executing a protocol in the presence of an adversary and in a given computational environment is formalized. Next, an "ideal process" for carrying out the task at hand is formalized. In the ideal process the parties do not communicate with each other. Instead they have access to an "ideal functionality", which is essentially an incorruptible "trusted party" that is programmed to capture the desired functionality of the given task. A protocol is said to securely realize an ideal functionality if the process of running the protocol amounts to "emulating" the ideal process for that ideal functionality. We overview the model for protocol execution (called the real-life model), the ideal process, and the notion of protocol emulation.

We concentrate on the following model of computation, aimed at representing current realistic communication networks (such as the Internet). The communication takes place in an asynchronous, public network, without guaranteed delivery of messages. We assume that the communication is authenticated and thus the adversary cannot modify messages sent by honest parties.³ Furthermore, the adversary may only deliver messages that were previously sent by parties, and may deliver each message sent only once. The fact that the network is asynchronous means that the messages are not necessarily delivered in the order in which they are sent. Parties may be broken into (i.e., become corrupted) throughout the computation, and once corrupted their behavior is arbitrary (or, malicious). (Thus, our main consideration is that of malicious, adaptive adversaries. However, below we present the modifications necessary for modeling static and semi-honest adversaries.) We do not trust data erasures; rather, we postulate that past states are available to the adversary upon corruption. Finally, all the involved entities are restricted to probabilistic polynomial time (or "feasible") computation.

³ We remark that the basic model in [c01] postulates unauthenticated communication, i.e. the adversary may delete, modify, and generate messages at wish. Here we concentrate on authenticated networks for the sake of simplicity. Authentication can be added in standard ways. Formally, the model here corresponds to the $F_{auth}$-hybrid model in [c01].

Protocol execution in the real-life model. We sketch the process of executing a given protocol π (run by parties $P_1, \ldots, P_n$) with some adversary A and an environment machine Z with input z. All parties have a security parameter $k \in \mathbb{N}$ and are polynomial in k. The execution consists of a sequence of activations, where in each activation a single participant (either Z, A, or some $P_i$) is activated. The environment is activated first. In each activation it may read the contents of the output tapes of all the uncorrupted parties⁴ and the adversary, and may write information on the input tape of one of the parties or of the adversary. Once the activation of the environment is complete (i.e., once the environment enters a special waiting state), the entity whose input tape was written on is activated next.

Once the adversary is activated, it may read its own tapes and the outgoing communication tapes of all parties. It may either deliver a message to some party by writing this message on the party's incoming communication tape or corrupt a party. Only messages that were sent in the past by some party can be delivered, and each message can be delivered at most once. Upon corrupting a party, the adversary gains access to all the tapes of that party and controls all the party's future actions. (We assume that the adversary also learns all the past internal states of the corrupted party.) In addition, whenever a party is corrupted the environment is notified (say, via a message that is added to the output tape of the adversary). If the adversary delivered a message to some uncorrupted party in its activation then this party is activated once the activation of the adversary is complete. Otherwise the environment is activated next.

Once a party is activated (either due to an input given by the environment or due to a message delivered by the adversary), it follows its code and possibly writes local outputs on its output tape and outgoing messages on its outgoing communication tape. Once the activation of the party is complete the environment is activated. The protocol execution ends when the environment completes an activation without writing on the input tape of any entity. The output of the protocol execution is the output of the environment. We assume that this output consists of only a single bit.

⁴ The adversary is not given read access to the corrupted parties' output tapes because once a party is corrupted, it is no longer activated. Rather, the adversary sends messages in its name. Therefore, the output tapes of corrupted parties are not relevant.
Let $\mathrm{real}_{\pi,A,Z}(k,z,r)$ denote the output of environment Z when interacting with adversary A and parties running protocol π on security parameter k, input z and random tapes $r = r_Z, r_A, r_1, \ldots, r_n$ as described above (z and $r_Z$ for Z, $r_A$ for A; $r_i$ for party $P_i$). Let $\mathrm{real}_{\pi,A,Z}(k,z)$ denote the random variable describing $\mathrm{real}_{\pi,A,Z}(k,z,r)$ when r is uniformly chosen. Let $\mathrm{real}_{\pi,A,Z}$ denote the ensemble $\{\mathrm{real}_{\pi,A,Z}(k,z)\}_{k \in \mathbb{N},\, z \in \{0,1\}^*}$.
The ideal process. Security of protocols is defined via comparing the protocol execution in the real-life model to an ideal process for carrying out (a single instance of) the task at hand. A key ingredient in the ideal process is the ideal functionality that captures the desired functionality, or the specification, of that task. The ideal functionality is modeled as another ITM that interacts with the environment and the adversary via a process described below. More specifically, the ideal process involves an ideal functionality F, an ideal process adversary S, an environment Z with input z, and a set of dummy parties $\tilde{P}_1, \ldots, \tilde{P}_n$.
As in the process of protocol execution in the real-life model, the environment is activated first. As there, in each activation it may read the contents of the output tapes of all (dummy) parties and the adversary, and may write information on the input tape of either one of the (dummy) parties or of the adversary. Once the activation of the environment is complete the entity whose input tape was written on is activated next.

The dummy parties are fixed and simple ITMs: Whenever a dummy party is activated with input x, it forwards x to the ideal functionality F, say by writing x on the incoming communication tape of F. In this case F is activated next, and a note that the party sent a message to F is written on the incoming communication tape of S. Whenever a dummy party is activated due to delivery of some message (from F), it copies this message to its output. In this case Z is activated next.

Once F is activated, it reads the contents of its incoming communication tape, and potentially sends messages to the parties and to the adversary by writing these messages on its outgoing communication tape. Once the activation of F is complete, the entity that was last activated before F is activated again. In the case this entity was one of the dummy parties, it immediately relinquishes control to Z.
Once the adversary S is activated, it may read its own input tape and in addition it can read the destinations of the messages on the outgoing communication tape of F. That is, S can see the identity of the recipient of each message sent by F, but it cannot see the contents of this message (unless the recipient of the message is S or a corrupted party⁵). S may either deliver a message from
a message from itself on F's incoming communication tape⁶, or corrupt a party. Upon corrupting a party, both Z and F learn the identity of the corrupted party (say, a special message is written on their respective incoming communication tapes).⁷ In addition, the adversary learns all the past inputs and outputs of the party. Finally, the adversary controls the party's actions from the time that the corruption takes place.

If the adversary delivered a message to some uncorrupted (dummy) party in an activation then this party is activated once the activation of the adversary is complete. Otherwise the environment is activated next.

As in the real-life model, the protocol execution ends when the environment completes an activation without writing on the input tape of any entity. The output of the protocol execution is the (one bit) output of Z.

⁵ Note that the ideal process allows S to obtain the output values sent by F to the corrupted parties as soon as they are generated. Furthermore, if at the time that S corrupts some party $P_i$ there are messages sent from F to $P_i$, then S immediately obtains the contents of these messages.
Let $\mathrm{ideal}_{F,S,Z}(k,z,r)$ denote the output of environment Z after interacting in the ideal process with adversary S and ideal functionality F, on security parameter k, input z, and random input $r = r_Z, r_S, r_F$ as described above (z and $r_Z$ for Z, $r_S$ for S; $r_F$ for F). Let $\mathrm{ideal}_{F,S,Z}(k,z)$ denote the random variable describing $\mathrm{ideal}_{F,S,Z}(k,z,r)$ when r is uniformly chosen. Let $\mathrm{ideal}_{F,S,Z}$ denote the ensemble $\{\mathrm{ideal}_{F,S,Z}(k,z)\}_{k \in \mathbb{N},\, z \in \{0,1\}^*}$.
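As an added illustration, not code from the paper, the following Python models the ideal process just described for the commit-and-prove functionality $F_{cp}$ of Section 2.2.2: dummy parties forward their inputs to F, the ideal adversary S sees only the destination of each message on F's outgoing tape and may deliver each message at most once, and the receiver learns nothing about the committed value beyond a formal receipt. The message formats, the class names and the SHA-256 preimage relation used as R are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Msg:
    """One entry on F's outgoing communication tape."""
    mid: int            # position on the tape; S refers to messages by it
    recipient: str
    content: Tuple


class FCommitAndProve:
    """Toy ideal functionality F_cp with one committer and one receiver.

    Interface (hypothetical, for this illustration): the committer sends
    ("commit", w) once and afterwards any number of ("prove", x, R) messages.
    """

    def __init__(self, sid: str, committer: str, receiver: str) -> None:
        self.sid, self.committer, self.receiver = sid, committer, receiver
        self.committed: Optional[bytes] = None
        self.outgoing: List[Msg] = []          # F's outgoing communication tape

    def _send(self, recipient: str, content: Tuple) -> None:
        self.outgoing.append(Msg(len(self.outgoing), recipient, content))

    def activate(self, sender: str, msg: Tuple) -> None:
        """Activated when a dummy party forwards its input to F."""
        if sender != self.committer:
            return                             # only the committer drives F_cp
        if msg[0] == "commit" and self.committed is None:
            self.committed = msg[1]
            # The receiver gets a formal receipt only: no information about w.
            self._send(self.receiver, ("receipt", self.sid))
        elif msg[0] == "prove" and self.committed is not None:
            x, relation = msg[1], msg[2]
            if relation(x, self.committed):
                # The statement x is released; the witness w never is.
                self._send(self.receiver, ("proof", self.sid, x))
            # A false statement produces no message at all.


class IdealProcess:
    """Scheduling rules of the ideal process: dummy parties, F and adversary S."""

    def __init__(self, f: FCommitAndProve) -> None:
        self.f = f
        self.outputs: Dict[str, List[Tuple]] = {f.committer: [], f.receiver: []}
        self.delivered: Set[int] = set()
        self.adv_view: List[Tuple[int, str]] = []   # what S may read of F's tape

    def env_input(self, party: str, msg: Tuple) -> None:
        """Z writes msg on a dummy party's input tape; the party forwards it to F."""
        self.f.activate(party, msg)
        # S is told that a message was sent to F and sees only the destinations
        # of the not-yet-delivered messages on F's outgoing tape.
        self.adv_view = [(m.mid, m.recipient)
                         for m in self.f.outgoing if m.mid not in self.delivered]

    def adv_deliver(self, mid: int) -> Tuple:
        """S delivers message mid to its recipient; each message at most once."""
        if mid in self.delivered:
            raise ValueError("each message can be delivered at most once")
        m = self.f.outgoing[mid]
        self.delivered.add(mid)
        self.outputs[m.recipient].append(m.content)   # dummy party copies it out
        return m.content


def preimage_relation(x: str, w: bytes) -> bool:
    """Example NP relation R(x, w): w is a SHA-256 preimage of x."""
    return hashlib.sha256(w).hexdigest() == x


def run_example() -> Dict[str, object]:
    """Constructed run: commit to w, prove a false statement, then a true one."""
    f = FCommitAndProve("sid-1", "P1", "P2")
    proc = IdealProcess(f)
    w = b"constructed secret witness"
    x_true = hashlib.sha256(w).hexdigest()
    x_false = hashlib.sha256(b"some other string").hexdigest()

    proc.env_input("P1", ("commit", w))
    view_after_commit = list(proc.adv_view)       # [(0, "P2")]: destination only
    proc.adv_deliver(0)                           # P2 outputs the receipt

    proc.env_input("P1", ("prove", x_false, preimage_relation))   # nothing sent
    proc.env_input("P1", ("prove", x_true, preimage_relation))
    proc.adv_deliver(1)                           # P2 outputs ("proof", sid, x_true)

    return {
        "witness": w,
        "adv_view_after_commit": view_after_commit,
        "receiver_outputs": proc.outputs["P2"],
        "tape_length": len(f.outgoing),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```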
Securely realizing an ideal functionality. We say that a protocol π securely realizes an ideal functionality F if for any real-life adversary A there exists an ideal-process adversary S such that no environment Z, on any input, can tell with non-negligible probability whether it is interacting with A and parties running π in the real-life process, or with S and F in the ideal process. This means that, from the point of view of the environment, running protocol π is 'just as good' as interacting with an ideal process for F. (In a way, Z serves as an "interactive distinguisher" between the two processes. Here it is important that Z can provide the process in question with adaptively chosen inputs throughout the computation.) We have:

Definition 3.2 Let $n \in \mathbb{N}$. Let F be an ideal functionality and let π be an n-party protocol. We say that π securely realizes F if for any adversary A there exists an ideal-process adversary S such that for any environment Z,
$$\mathrm{ideal}_{F,S,Z} \approx \mathrm{real}_{\pi,A,Z}. \qquad (1)$$
Non-trivial protocols and the requirement to generate output. Recall that the ideal process does not require the ideal-process adversary to deliver messages that are sent by the ideal functionality to the dummy parties. Consequently, the definition provides no guarantee that a protocol will ever generate output or "return" to the calling protocol. Indeed, in our setting where message delivery is not guaranteed, it is impossible to ensure that a protocol "terminates" or generates output. Rather, the definition concentrates on the security requirements in the case that the protocol generates output.
generates output, securely realizes any ideal functionality. Thus, in order to obtain a meaningful feasibility result, we introduce the notion of a non-trivial protocol. Such a protocol has the property that if the real-life adversary delivers all messages and does not corrupt any parties, then the ideal-process adversary also delivers all messages (and does not corrupt any parties). Note that in a non-trivial protocol, a party may not necessarily receive output. However, this only happens if either the functionality does not specify output for this party, or if the real-life adversary actively interferes in the execution (by either corrupting parties or refusing to deliver some messages). Our main result is to show the existence of non-trivial protocols for securely realizing any ideal functionality. All our protocols are in fact clearly non-trivial; therefore, we ignore this issue from here on.

⁶ Many natural ideal functionalities indeed send messages to the adversary S (see the zero-knowledge and commitment functionalities of Sections 6 and 5 for examples). On the other hand, having the adversary send messages to F is less common. Nevertheless, this option can be useful in order to relax the requirements on protocols that realize the functionality. For example, it may be easier to obtain coin-tossing if the adversary is allowed to bias some of the bits of the result. If this is acceptable for the application in mind, we can allow the adversary this capability by having it send its desired bias to F.

⁷ Allowing F to know which parties are corrupted gives it considerable power. This power provides greater freedom in formulating ideal functionalities for capturing the requirements of given tasks. On the other hand, it also inherently limits the scope of general realizability theorems. See more discussion in Section 3.3.
Relaxations of Definition 3.2. We recall two standard relaxations of the definition:

Static (non-adaptive) adversaries. Definition 3.2 allows the adversary to corrupt parties throughout the computation. A simpler (and somewhat weaker) variant forces the real-life adversary to corrupt parties only at the onset of the computation, before any uncorrupted party is activated. We call such adversaries static.

Passive (semi-honest) adversaries. Definition 3.2 gives the adversary complete control over corrupted parties (such an adversary is called malicious). Specifically, the model states that from the time of corruption the corrupted party is no longer activated, and instead the adversary sends messages in the name of that party. In contrast, when a semi-honest adversary corrupts a party, the party continues to follow the prescribed protocol. Nevertheless, the adversary is given read access to the internal state of the party at all times, and is also able to modify the values that the environment writes on the corrupted parties' input tapes.⁸ Formally, if in a given activation, the environment wishes to write information on the input tape of a corrupted party, then the environment first passes the adversary the value x that it wishes to write (along with the identity of the party whose input tape it wishes to write to). The adversary then passes a (possibly different) value $x'$ back to the environment. Finally, the environment writes $x'$ on the input tape of the corrupted party, following which the corrupted party is activated. We stress that when the environment writes on the input tape of an honest party, the adversary learns nothing of the value and cannot modify it. Everything else remains the same as in the above-described malicious model. We say that protocol π securely realizes functionality F for semi-honest adversaries, if for any semi-honest real-life adversary A there exists an ideal-process semi-honest adversary S such that Eq. (1) holds for any environment Z.

⁸ Allowing a semi-honest adversary to modify a corrupted party's input is somewhat non-standard. However, this simplifies the presentation of this work (and in particular the protocol compiler). All the protocols presented for the semi-honest model in this paper are secure both when the adversary can modify a corrupted party's input tape and when it cannot.

3.1.2 The composition theorem

The hybrid model. In order to state the composition theorem, and in particular in order to formalize the notion of a real-life protocol with access to multiple copies of an ideal functionality, the hybrid model of computation with access to an ideal functionality F (or, in short, the F-hybrid model) is formulated. This model is identical to the real-life model, with the following additions. On top of sending messages to each other, the parties may send messages to and receive messages from an unbounded number of copies of F. Each copy of F is identified via a unique session
corresponding SID. (Sometimes a copy of F will interact only with a subset of the parties. The identities of these parties are determined by the protocol in the F-hybrid model.)

The communication between the parties and each one of the copies of F mimics the ideal process. That is, once a party sends a message m to a copy of F with a particular SID, that copy is immediately activated to receive this message. (If no such copy of F exists then a new copy of F is created and immediately activated to receive m.) Furthermore, although the adversary in the hybrid model is responsible for delivering the messages from the copies of F to the parties, it does not have access to the contents of these messages.

The hybrid model does not specify how the SIDs are generated, nor does it specify how parties "agree" on the SID of a certain protocol copy that is to be run by them. These tasks are left to the protocol in the hybrid model. This convention simplifies formulating ideal functionalities, and designing protocols that securely realize them, by freeing the functionality from the need to choose the SIDs and guarantee their uniqueness. In addition, it seems to reflect common practice of protocol design in existing networks. See more discussion following Theorem 3.3 below.
Let $\mathrm{exec}^{F}_{\pi,A,Z}(k,z)$ denote the random variable describing the output of environment machine Z on input z, after interacting in the F-hybrid model with protocol π, adversary A, analogously to the definition of $\mathrm{real}_{\pi,A,Z}(k,z)$. (We stress that here π is a hybrid of a real-life protocol with ideal evaluation calls to F.) Let $\mathrm{exec}^{F}_{\pi,A,Z}$ denote the distribution ensemble $\{\mathrm{exec}^{F}_{\pi,A,Z}(k,z)\}_{k \in \mathbb{N},\, z \in \{0,1\}^*}$.
Replacing a call to F with a protocol invocation. Let π be a protocol in the F-hybrid model, and let ρ be a protocol that securely realizes F (with respect to some class of adversaries). The composed protocol $\pi^{\rho}$ is constructed by modifying the code of each ITM in π so that the first message sent to each copy of F is replaced with an invocation of a new copy of ρ with fresh random input, with the same SID, and with the contents of that message as input. Each subsequent message to that copy of F is replaced with an activation of the corresponding copy of ρ, with the contents of that message given to ρ as new input. Each output value generated by a copy of ρ is treated as a message received from the corresponding copy of F. (See [c01] for more details on the operation of "composed protocols", where a party, i.e. an ITM, runs multiple protocol-instances concurrently.)

If protocol ρ is a protocol in the real-life model then so is $\pi^{\rho}$. If ρ is a protocol in some G-hybrid model (i.e., ρ uses ideal evaluation calls to some functionality G) then so is $\pi^{\rho}$.
Theorem statement. In its general form, the composition theorem basically says that if ρ securely realizes F in the G-hybrid model for some functionality G, then an execution of the composed protocol $\pi^{\rho}$, running in the G-hybrid model, "emulates" an execution of protocol π in the F-hybrid model. That is, for any adversary A in the G-hybrid model there exists an adversary S in the F-hybrid model such that no environment machine Z can tell with non-negligible probability whether it is interacting with A and $\pi^{\rho}$ in the G-hybrid model or it is interacting with S and π in the F-hybrid model.

A corollary of the general theorem states that if π securely realizes some functionality I in the F-hybrid model, and ρ securely realizes F in the G-hybrid model, then $\pi^{\rho}$ securely realizes I in the G-hybrid model. (Here one has to define what it means to securely realize functionality I in the F-hybrid model. This is done in the natural way.) That is:

Theorem 3.3 ([c01]) Let F, G, I be ideal functionalities. Let π be an n-party protocol in the F-hybrid model, and let ρ be an n-party protocol that securely realizes F in the G-hybrid model. Then for any adversary A there exists an adversary S such that for any environment machine Z we have:
$$\mathrm{exec}^{G}_{\pi^{\rho},A,Z} \approx \mathrm{exec}^{F}_{\pi,S,Z}. \qquad (2)$$
In particular, if π securely realizes functionality I in the F-hybrid model then $\pi^{\rho}$ securely realizes I in the G-hybrid model.
On the uniqueness of the session IDs. The session IDs play a central role in the hybrid model and the composition operation, in that they enable the parties to distinguish different instances of a protocol. Indeed, differentiating protocol instances via session IDs is a natural and common mechanism in protocol design.

Yet, the current formulation of the hybrid model provides a somewhat over-idealized treatment of session IDs. Specifically, it is assumed that the session IDs are globally unique and common to all parties. That is, it is assumed that no two copies of an ideal functionality with the same session ID exist, even if the two copies have different (and even disjoint) sets of participants. Furthermore, all parties are assumed to hold the same SID (and they must somehow have agreed upon it). This treatment greatly simplifies the exposition of the model and the definition of ideal functionalities and protocols that realize them. Nonetheless, it is somewhat restrictive in that it requires the protocol in the hybrid model to guarantee global uniqueness of common session IDs. This may be hard (or even impossible) to achieve in the case that the protocol in the hybrid model is truly distributed and does not involve global coordination. See [llr02] for more discussion on this point. More elaborate ways of defining session IDs so as not to require global uniqueness exist. We leave this issue for future work.
3.2 Universal Composition with Joint State

Traditionally, composition operations among protocols assume that the composed protocol instances have disjoint states, and in particular independent local randomness. The universal composition operation is no exception: if protocol ρ securely realizes some ideal functionality F, and protocol π in the F-hybrid model uses m copies of F, then the composed protocol $\pi^{\rho}$ uses m independent copies of ρ, and no two copies of ρ share any amount of state.

This property of universal composition (and of protocol composition in general) is bothersome in our context, where we wish to construct and analyze protocols in the common reference string (CRS) model. Let us elaborate. Assume that we follow the natural formalization of the CRS model as the $F_{crs}$-hybrid model, where $F_{crs}$ is the functionality that chooses a string from the specified distribution and hands it to all parties. Now, assume that we construct a protocol ρ that realizes some ideal functionality F in the $F_{crs}$-hybrid model (say, let F be the commitment functionality, $F_{com}$). Assume further that some higher level protocol π (in the F-hybrid model) uses multiple copies of F, and that we use the universal composition operation to replace each copy of F with an instance of ρ. We now obtain a protocol $\pi^{\rho}$ that runs in the $F_{crs}$-hybrid model and emulates π. However, this protocol is highly wasteful of the reference string. Specifically, each instance of ρ in $\pi^{\rho}$ has its own separate copy of $F_{crs}$, or in other words each instance of ρ requires its own independent copy of the reference string. This stands in sharp contrast with our common view of the CRS model, where an unbounded number of protocol instances should be able to use the same copy of the reference string.
One way to get around this limitation of universal composition (and composition theorems in general) is to treat the entire, multi-session interaction as a single instance of a more complex