Innovations in Computer Science 2011

Abstract Cryptography
Ueli Maurer
1
Renato Renner
2
1
Department of Computer Science, ETH Zurich, Switzerland
2
Institute for Theoretical Physics, ETH Zurich, Switzerland
[email protected] [email protected]
Abstract: In the spirit of algebraic abstraction, this paper advocates the denition and use of higher levels
of abstraction in cryptography (and beyond). If contrasted with the standard bottom-up approach to dening
models of computation, algorithms, complexity, eciency, and then security of cryptographic schemes, our
approach is top-down and axiomatic, where lower abstraction levels inherit the denitions and theorems (e.g.
a composition theorem) from the higher level, but the denition or concretization of low levels is not required
for proving theorems at the higher levels. The goal is to strive for simpler denitions, higher generality of
results, simpler proofs, improved elegance, possibly better didactic suitability, and to derive new insights from
the abstract viewpoint.
In particular, we propose a general framework for dening and proving that a system satisfying an (abstract or
ideal) specication is constructed from some systems satisfying certain (concrete or real) specications. This
puts the well-known ideal-world real-world paradigm on a new theoretical foundation, applicable in various
cryptographic settings. Existing frameworks for proving composable security can be explained as special cases
of our framework, thereby allowing to distinguish between relevant and less relevant aspects of the underlying
technical denitions and to prove a single common composition theorem.
Some properties of our framework are as follows. It is independent of particular models of computation, com-
munication, and adversary behavior. It can be instantiated in many dierent ways, for example to arrive at
dierent notions of security or of eciency and infeasibility. It can precisely capture settings with no central
adversary where entities have potentially conicting goals (e.g. a coercion scenario). The relation between the
ideal and the real setting is tight, via an isomorphism notion for settings. The (desired) asymmetry between real
and ideal is captured in a formal abstraction notion (the ideal setting is an abstraction of the real setting). A
main theorem states that such an abstraction statement can be proved by using local (as opposed to monolithic)
simulators.
Keywords: foundations of cryptography, composable security.
1 Introduction
1.1 The quest for simplicity and
abstraction
In every mathematical discipline one tries to iden-
tify the key concepts and to formalize them in an
abstract manner. Abstraction means to eliminate ir-
relevant details from consideration, thereby focusing
only on the relevant aspects of a problem or con-
text. The purpose of abstraction is to provide, at
the same time, simpler denitions, higher generality of
results, simpler proofs, improved elegance, better di-
dactic suitability, and, perhaps most importantly, new
insights.
In many contexts, the highest achievable level of ab-
straction, once identied, appears natural and stable.
For example, the natural mathematical concepts of a
relation, a function, a graph, a group, a eld, or a vec-
tor space capture exactly, in a minimal manner, the
relevant notions.
In contrast, in cryptography (and in other areas of
computer science), denitions, theorems, and proofs
are generally highly technical and have substantial
complexity due to the technical artifacts of the par-
ticular model (e.g. dening the computational model
via Turing machines and communication via tapes,
using asymptotic denitions of systems and proto-
cols, dening eciency as polynomial-time, using a
particular adversarial model, etc.). This is often
considered unavoidable since, undoubtedly, denitions
must be precise. Nevertheless, more abstraction seems
possible. For example the notion of polynomial-time,
1
U. MAURER, R. RENNER
even though universally accepted and reasonable, can
probably not be seen as the ultimate (and only)
denition and abstraction of eciency and of
feasibility.
In view of this, it seems desirable to make cryp-
tographic denitions in an abstract way, for exam-
ple non-asymptotic, and to leave the technical as-
pects to a lower level of abstraction where systems
and their composition are dened, and where unavoid-
able artifacts (like asymptotics, required for a notion
of composability of ecient systems or algorithms)
are introduced. This allows for simplicity (e.g. non-
asymptotic denitions and proofs) and generality (e.g.
simultaneous treatment of dierent security notions,
like information-theoretic and computational).
1.2 Contributions and outline of this
paper
The paper makes several independent contributions,
some of which are explained in more detail in the fol-
lowing subsections. This section also provides an out-
line of the paper.
We propose (see Section 1.4) as a new paradigm
for developing a theory of cryptography (and
beyond) to dene levels of abstraction top-
down rather than bottom-up. We also propose a
hierarchy of levels of abstraction in a general
theory of systems (see Section 1.5), of which
we only formalize and use the top level in this
paper.
We dene and investigate (in Section 3) the most
abstract notion of a reduction, which captures
that realizing (or implementing) a certain ob-
ject (or module) is reduced to realizing some
other (simpler) objects.
1
When used iteratively,
reducing the simple objects to yet simpler ob-
jects, this is called step-wise renement, a cen-
tral paradigm in any constructive discipline. A
reduction is composable (Denition 7) if it sat-
ises some simple natural properties. Compos-
able reductions allow us to capture formally the
soundness of the step-wise renement paradigm.
We dene the general notion of a so-called n-
choice setting (see Section 4) which models any
setting where some number n of independent
choices (each from a specic domain) can be
made, and where for every xed list of choices
1
This includes as a special case the classical notion of a re-
duction in complexity theory, but also various types of reduc-
tions in cryptography, or any other constructive discipline.
an eect is dened.
2
Formally, such a choice set-
ting is a function from n choice domains to an
eect space. A choice can consist of xing an en-
tire (interactive) strategy.
3
We refer to Section
1.3 for a discussion of what this could mean in
cryptography.
Moreover, we introduce the notion of an isomor-
phism between such nchoice settings. Roughly
speaking, two n-choice settings are isomorphic
if each choice made in one has a corresponding
choice in the other, in such a way that the ef-
fects remain the same. This equivalence is the
strongest possible and holds no matter why the
particular choices are made (e.g. because par-
ties making the choices are honest, dishonest, cor-
rupted, collude, or are coerced).
We consider the notion of a set of choice settings,
called a specication (see Section 5), and dene
that a specication o is an abstraction of another
specication 1 if, roughly, every element of 1
has an isomorphic element in o.
4
Stated dier-
ently, an (ideal) specication o is an abstraction
of another (real) specication 1 if any element of
1 also meets the specication o, which implies
that the real specication inherits every property
of the ideal specication.
We also discuss the concept of an -region 1

of
a specication 1, allowing to dene approximate
(within ) abstraction.
Theorem 1 states that abstraction (or approxi-
mate abstraction) is a composable reduction.
Section 6 presents a theory of abstract systems,
which is also of independent interest. At this
highest level of abstraction, a system is an ab-
stract object with interfaces. Two systems can
be composed (similar to an algebraic composition
operation) into a single system by connecting one
interface from each system.
At this abstract level we dene the notion of
a cryptographic algebra, consisting of a set of
resource systems, a set of (so-called) converter
2
One can think of the choices as being made by parties,
where one party can also make several of the choices. Also, the
choices of several parties modeled to act consistently can me
modeled as a single choice. The notion of an n-choice setting is
more general than the notion of an n-party game in game theory
where the eect is described specically by utility functions of
the parties making the choices.
3
Modeling such a strategy as one choice or as many choices
is both possible and corresponds, for example, to modeling
whether or not a party can (or is assumed to) change its goals
during time, for example due to coercion.
4
This abstraction notion is discussed here only in our spe-
cic context but is actually applicable in more general contexts
where an isomorphism (or equivalence) notion is dened on a
set.
2
ABSTRACT CRYPTOGRAPHY
systems, and a set of distinguisher systems, sat-
isfying certain axioms. Resources (e.g. a commu-
nication channel or a commitment functionality)
can be understood as providing (at their inter-
faces) certain functionalities to parties connected
to the resource. A converter system attached to
an interface of a resource corresponds to a pro-
gram (or protocol engine, e.g. an encryption en-
gine) transforming the interface into a dierent
interface (see Section 1.3). A (local) simulator is
also a converter.
Cryptographic algebras can be instantiated in
dierent ways, corresponding to dierent security
notions. For example, if all three system classes
are arbitrary (no computational restriction), this
results in the notion of information-theoretic se-
curity. If the classes are restricted to eciently
implementable systems, for an arbitrary compos-
able notion of eciency, then this results in the
notion of computational security. Other notions
also exist.
Section 7 brings together all the previously de-
ned concepts: n-choice settings correspond to
n-interface resources, choices correspond to con-
verters, an eect is again an n-interface resources
(resulting when the converters are attached), and
a pseudo-metric on the set of resource systems is
dened as the maximal distinguishing advantage
of a certain distinguisher class.
We dene an important class of (resource) speci-
cations, called filtered specications. Roughly,
a ltered specication is described by a resource
system and, for each interface, a lter (a con-
verter), where the meaning is that the party con-
nected to the interface is guaranteed to have l-
tered access to the resource but that it is also
possible (but not guaranteed) that it has more
powerful access, up to possibly unltered access.
This allows to capture exactly what it means
that a system satisfying an (ideal) specication is
constructed from a list of systems satisfying cer-
tain (real) specications, putting the well-known
ideal-world real-world paradigm on an exact
theoretical foundation, applicable in any con-
structive setting (including, for example, channel
coding in information theory).
A main theorem (Theorem 2) of this part shows
how to prove abstraction statements by invoking
the concept of local simulators.
Existing frameworks, such as Canettis UC frame-
work [3], can be explained as special cases of our
framework. For example, the dierent composition
theorems can be seen as implications of our general
composition theorem.
Our theory can explain a large number of results
in a unied and generalized manner. For example, in
Appendix C we prove by algebraic equations a gen-
eralization of the celebrated impossibility results of
realizing UC secure commitments [5]. In Appendix D
we prove the impossibility result of Canetti et al. [6]
of realizing a random oracle.
The paper also makes a number of observations fol-
lowing from the abstract viewpoint. Some implica-
tions on the ideal-world real-world paradigm are
discussed in Section 1.6, and possible implications on
conventional cryptography are discussed in Section
1.7.
1.3 A cryptographic example
We give a rst high-level example of how the con-
cepts of the previous section could be interpreted in a
concrete cryptographic context. We also refer to [12]
for a discussion of concrete examples of resources and
converters in a cryptographic context.
Consider a resource system consisting of an authen-
ticated (but not condential) channel from A to B,
accessible to an eavesdropper E, and (in parallel) a
system providing a secret key to A and B (and noth-
ing to E). A choice for A is to apply (at its interface of
the channel) a converter system, with an outside and
an inside interface, that fetches a key at the inside
interface, accepts messages at the outside interface,
encrypts each message with the key, and sends it at
the inside interface as input to the channel. A choice
for B is to apply a similar decryption converter. We
want to argue that a secure channel (one that does
not leak the transmitted message, only its length) is
an abstraction of the above resource (authenticated
channel and key).
Here we have assumed somehow that A and B in-
deed make these choices, and we make no statement
otherwise. However, in a setting where As (and Bs)
other choices should also be considered (because we
want to make a statement even if A deviates from the
normal behavior), then it will turn out that secure
channel which is the abstraction has the special fea-
ture that A and B could potentially leak the message
to E (e.g. by pressing a certain button). This captures
the well-known fact that by encrypting a message, one
may have the capability of convincing E about the
3
U. MAURER, R. RENNER
message sent. This is usually captured by terms like
coercibility, but in our view it is just an interpretation
of properties of the abstracted resource.
1.4 Levels of abstraction: bottom-up
vs. top-down
The traditional approach in theoretical computer
science, and more specically in complexity theory
and cryptography, is bottom-up. One rst denes (at
a low level) a computational model (e.g. a Turing
machine or a circuit), based on which one denes the
concept of an algorithm for the model and a communi-
cation model (e.g. based on tapes). One then denes
a complexity notion for an algorithm (e.g. the number
of steps), and then a notion of eciency (e.g. polyno-
mial in some parameter(s), in an asymptotic sense).
Finally, based on all these notions, one denes the se-
curity of a cryptosystem, typically as the infeasibility
of a specic game.
This approach is based on the view that without
dening all these low-level concepts, one can not state
precise denitions of higher-level concepts, let alone
prove theorems. However, while this established ap-
proach is perfectly sound in principle, it is perhaps fair
to say that many papers using this approach fall short
of being completely precise and are in some cases even
wrong in technical details, thus missing the promise of
the bottom-up approach of being precise down to the
last detail.
The paradigm shift we propose is to use a top-down
approach. In order the state denitions and develop
a theory, one starts from the other end, the highest
possible level of abstraction, and proceeds downwards,
introducing in each new lower level only the minimal
necessary specializations of that level necessary for ex-
pressing what one wants to capture.
In the context of this paper, the concept of a re-
duction can be seen as standing at the highest level of
abstraction in our paper. The notion of an n-choice
setting (including the concepts of isomorphism, speci-
cation, and abstraction of specications) is indepen-
dent of the reduction concept, but in the way it is used
here it appears at a next lower level. The abstraction
hierarchy of a theory of systems (Section 1.5) can also
be seen as independent, but again in the way it is used
here it can also be seen as constituting the next lower
levels.
1.5 Abstraction levels of a system
theory
We dene the following abstraction levels of a the-
ory of systems, to be used beyond the scope of this
paper, for example in complexity theory.
Level 1 captures the most general notion of a
system and of the composition of systems. The
composition laws are described by simple alge-
braic rules.
Level 2 captures the most general notion of a
discrete system, the typical level at which crypto-
graphic systems are considered. We need a theory
of discrete systems corresponding to an exten-
sion of Maurers random system framework [8]
for single-interface systems to multiple-interface
systems and to the composition of systems (work
in progress). The language in which discrete sys-
tems are described (e.g. text, pseudo-code, or
conditional probability distributions) is not di-
rectly relevant.
Level 3 denes the implementation of systems.
At this level one can dene (still) abstract com-
plexity and eciency notions (e.g. polynomial-
time). This level is not required if one considers
only information-theoretic security.
A lower level can dene the particular computational
model, the particular complexity or cost function for
that model, etc. A still lower level can dene tim-
ing aspects, and a further level can dene physi-
cal aspects, including for example side channels in
cryptography.
It is important to point out that theorems proved
at a certain (high) level of abstraction are completely
precise (as they are mathematical theorems). This is
true without instantiations of the lower levels, which is
exactly the point of abstraction. The denitions and
theorems are inherited by the lower levels, provided
(of course) that the lower levels satisfy the postulated
properties or axioms of the higher levels. It is hence
strictly more desirable to prove theorems at higher
levels of abstraction; nothing is lost by doing this, and
certainly not precision.
For example, if one proves a theorem at level 1 for
an algebra of composable systems, then this theorem
holds in particular for a specic theory of eciently
implementable discrete systems where eciency is de-
ned in a composable manner, and it holds also in the
more specialized setting where eciency is dened as
(some form of) polynomial-time. A main benet from
4
ABSTRACT CRYPTOGRAPHY
such an abstract treatment is that concrete results
(e.g. the proof of a composition theorem or an impos-
sibility proof) become at the same time substantially
simpler and more general.
This paper deals with level 1, while examples also
live at level 2, without this level being formalized as
a full formalization of level 2 would allow. But our
level of formality (e.g. in describing the specication
of a commitment functionality) is comparable to the
formality of papers written in the traditional style,
and it is sucient to be precise.
1.6 Implications on the ideal-world
real-world paradigm and related
Work
The so-called ideal-world real-world paradigm, as
explained in the frameworks of Canetti [3] (universal
composability) and of Backes, Ptzmann and Waidner
[2, 13] (reactive simulatability) is of paramount impor-
tance in cryptography. It is also used in other frame-
works, for example indierentiability theory by Mau-
rer, Renner, and Holenstein [11], the generalized UC
framework of Canetti, Dodis, Pass, and Walsh [4],
collusion-free computation by Alwen, shelat, and Vis-
conti [1], or for the notion of splittability [14]. These
frameworks can be explained as special cases of our
framework.
In these frameworks, the basic and ingenious idea
[3, 13] is to consider an ideal system (often called
a functionality) capturing the goal one wants to se-
curely realize, when given a complete asynchronous
network and possibly a set-up, using a protocol spec-
ifying what the parties have to do. The denition of
what it means to securely realize involves an ad-
versary who can corrupt certain parties, and captures
the idea that whatever the adversary can achieve in
the ideal world he could also achieve in the real world.
This is made precise by means of a so-called simula-
tor, an ingenious concept introduced by Goldwasser,
Micali, and Racko [7] to dene zero-knowledge pro-
tocols.
Despite their success, the current simulation-based
frameworks ([1-4, 11, 13] and others) have several limi-
tations and drawbacks, in addition to the above men-
tioned lack of abstraction. Some of the limitations,
which are eliminated by our framework, are briey
discussed below.
1. The concept of a (central) adversary is essential
in most previous frameworks. However, this makes it
impossible to model settings where parties have con-
icting goals but are not corrupted by the same adver-
sary.
5
In contrast, in our framework there is no adver-
sary (but such a setting can be modeled as a special
case). A consequence of our approach is that in our
framework, there is no monolithic simulator, but a
(local) simulator for every party.
2. The communication model (the network), and
other aspects, are an intrinsic part of the model. This
makes it impossible to consider the absence of certain
channels, as is for example required in the context
of collusion-free computation [1] (a notion that is not
composable) and in other contexts, or other types of
network models. In contrast, our theory of reductions
between resources makes every resource explicit, in-
cluding a possibly available network.
3. The security denition (e.g. computational or
information-theoretic security) is usually hard-coded
into the model.
4. The ideal functionality is a xed system. This
means that a certain action is either guaranteed to
be available or guaranteed to be unavailable to a cer-
tain party. In contrast, a specication in our frame-
work models that certain choices are guaranteed, while
others might be available. This allows to model no-
tions like incoercibility or coercibility naturally as a
property of the ideal specication, not as a separate
security notion [15].
5. The complexity notions of eciency (what hon-
est parties can do) and feasibility (what an adver-
sary is assumed to be able to do) are both dened
in a xed manner as (some form of) polynomial-time.
It is not even clear that one could (and should) dis-
tinguish between these notions. We point out that
these notions are distinct and can be instantiated ar-
bitrarily as composable notions, for example ecient
as polynomial-time and feasible as some form of sub-
exponential time.
6. Security is dened via the notion of a (monolithic)
simulator. In our framework, simulators are local (one
simulator per choice domain), and they are not part
of the denition of what it means to securely realize
a certain functionality, but it is only a tool in the
proof.
5
A rst paper giving up the notion of a central adversary
was [1].
5
U. MAURER, R. RENNER
1.7 Implications on conventional
cryptography
Security denitions of conventional cryptographic
primitives can (and should?!) be made as constructive
statements rather than by describing attack games.
This approach, which can be derived as a special case
of our framework, was called constructive cryptography
in [10] and is used in [12] to investigate what encryp-
tion achieves when used on an insecure channel as in
the authenticate-then-encrypt paradigm.
The problem with attack-based denitions is that
the security of the composition of several individually
secure schemes may not be clear. In a constructive
denition, composability is guaranteed. For example,
a message authentication scheme can be dened to be
secure if it constructs (or realizes) an authenticated
communication channel from a resource consisting of
an insecure communication channel and a secret key,
and a symmetric encryption scheme can be dened
to be secure if it constructs a secure communication
channel from an authenticated communication chan-
nel and a secret key. The general composition theorem
implies that the combination of a secure MAC and se-
cure encryption scheme constructs a secure channel
from an insecure channel and two secret keys (which
can be constructed from a single secret key using a
pseudo-random generator).
1.8 Limitations and future work
This paper describes the basic theory of abstract
cryptography, without providing many examples. We
are aware that it may not be easy to judge the use-
fulness of the framework without seeing a list of con-
vincing examples, but we hope that the few exam-
ples mentioned here give at least an idea and a taste.
Also, the comparison with prior work is not yet worked
out in detail, and many references relevant in such a
comparison are still missing. It is the goal of future
papers, hopefully also by other authors, to formalize
lower levels of abstraction, to discuss new application
areas of this theory, to work out examples, and to es-
tablish the relation to (and generalizations of) prior
work at a technical level. We welcome feedback on
this rst (primarily theoretical) paper on the subject
and pointers to related work.
2 Preliminaries
In the following two subsections, we briey review
some well known facts about relations, equivalence re-
lations, and pseudo-metrics.
2.1 Relations
A relation from a set A to a set B (also called
an (A, B)-relation) is a subset of A B. An (A, A)-
relation is also called a relation on A. If (a, b) is in the
relation r, i.e., (a, b) , one writes a r b or, alterna-
tively, r(a, b). An (A, B)-relation is also an (A

, B

)-
relation for any A

A and B

B.
Denition 1. An (A, B)-relation is called complete
if it has full domain (i.e., a A b B : a b) and
full range (i.e., b B a A : a b).
A function A B corresponds to the (A, B)-
relation (a, f(a)) : a A. Note that a relation
is complete if and only if it contains (as subsets) a
function A B and a function B A.
Since relations are sets, all operations dened for
sets (e.g. and ) are also dened for relations. In
addition, one can dene the composition operation
and a direct product for relations. The composition
of an (A, B)-relation and a (B, C)-relation is the
(A, C)-relation dened by
a ( ) c : b B : (a b) (b c).
We usually write instead of . The inverse of
an (A, B)-relation is the (B, A)-relation
1
dened
by b
1
a ab, and we have ()
1
=
1

1
.
The direct product of an (A
1
, B
1
)-relation and an
(A
2
, B
2
)-relation is the (A
1
A
2
, B
1
B
2
)-relation
dened by
(a
1
, a
2
) ( ) (b
1
, b
2
) :
(a
1
b
1
) (a
2
b
2
).
The operations and are both associative.
The following lemma is a direct consequence of the
distributive law for relations,
( ) (

)
= (

)(

)(

)(

).
Lemma 1. For relations
1
, . . . ,
n
and
1
, . . . ,
n
we have
6
n

i=1
(
i

i
) =
_
M{1,...,n}
_
_

jM

j


jM

j
_
_
.
6
Note that the terms on the right hand side of the equality
should be ordered according to their indices i. We hope that
our abbreviated notation does not cause confusion.
6
ABSTRACT CRYPTOGRAPHY
2.2 Pseudo-metrics and embeddings
A pseudo-metric
7
on a set is a function :
R
+
such that for all a, b, c
(i) (a, a) = 0
(ii) (a, b) = (b, a) (symmetry)
(iii) (a, c) (a, b) + (b, c) (triangle inequality).
Note that any pseudo-metric on a set induces
an equivalence relation ,:
a b : (a, b) = 0.
If a set is equipped with a pseudo-metric we can
dene an induced metric on the set of functions with
codomain .
Denition 2. Let T be a set of functions with
codomain and let be a pseudo-metric on . We
dene the induced metric on T by
(f, g) := sup
xX

_
f(x), g(x)
_
.
whenever f, g T have identical domains A, and
(f, g) = otherwise.
It is often natural to consider a pair of elements of
a set as an element of itself. For example, a pair
of random variables can naturally be considered as a
single random variable. Formally, we can consider the
set to be equipped with an embedding (or concate-
nation) operation mapping to .
8
Denition 3. A pseudo-metric for a set with
operation | is called |-non-expanding if (a|a

, b|b

)
(a, b) + (a

, b

) for all a, a

, b, b

.
9
As an example, let be the set of probability dis-
tributions, with P|P

dened as the product distribu-

tion between P and P

. Then the statistical distance

is |-non-expanding.
2.3 Isomorphisms of functions
Let be an (A, B)-relation and let be an (A

, B

)-
relation. These relations naturally induce a rela-
7
A metric is a pseudo-metric for which (a, b) = 0 implies
a = b.
8
Typically one would extend this consideration to lists (e.g.
lists of random variables), in which case one assumes to be
associative. However, while thinking of as an associative map-
ping is helpful and justied, in our treatment we do not have
to make this assumption.
9
In some contexts |-non-expanding is called stabilized. Note
that the condition is equivalent to (a|c, b|c) (a, b) and
(c|a, c|b) (a, b) for all a, b, c , which could be used
as an alternative denition of |-non-expanding.
tion, denoted (/), between functions A A

and
B B

as follows. Two functions, f : A A

and
g : B B

, are related, denoted f (/) g, if and

only if all related inputs a and b are mapped to re-
lated outputs. That is, formally,
f (/) g :
a b f(a) g(b) . (1)
We are interested in the particular case where all
functions have the same codomain and where is
an equivalence relation on , which we denote by .
Any (A, B)-relation then naturally gives rise to the
relation (/ ) between functions with domains A
and B, respectively. If is complete then the rela-
tion (/ ) can be seen as an isomorphism between
functions. This isomorphism is denoted by

and will
play a crucial role in this work (see Section 4).
Denition 4. Let be a complete relation between
two sets A and B, and let be a set equipped with
an equivalence relation . We say that two functions,
f : A and g : B , are isomorphic (via and
relative to ), denoted f

g if and only if all inputs a
and b related by are mapped to equivalent outputs,
i.e.,
f

g :
_
a b f(a) g(b)
_
.
Often it is convenient to think of the equivalence
relation as being simply equality (i.e., =). Indeed,
an alternative (and correct) view would be to consider
equivalence classes (of ) and to use the symbol =.
Furthermore, note that the images f(A) and g(B)
of two functions are identical if and only if there exists
a complete (A, B)-relation such that f

= g.
3 Reductions: formalizing step-wise
renement
A central paradigm in any constructive discipline,
for example in software design, the construction of
machines, and also in security engineering and cryp-
tography, is to construct a complex system from sim-
pler component systems, which each may consist of
yet simpler component systems, and so on. This im-
portant iterative construction paradigm is sometimes
called step-wise renement.
One can describe the overall construction as a tree
where each inner (non-leaf) node is labeled by a com-
ponent S and a constructor describing how compo-
nent S is obtained from components, say R
1
and R
2
,
7
U. MAURER, R. RENNER
at the children nodes. Then we write
R
1
|R
2

S.
This can be generalized to nodes with more than two
children.
10
There are two ways to think about such a construc-
tion step: top-down or bottom-up. Depending on the
view one can either say that S is reduced via use of
to R
1
and R
2
, or that S is realized from R
1
and R
2
via .
We mention a few instantiations of the reduction
concept. For example, the purpose of a software
component is to construct a system S from given li-
brary components R
1
, . . . , R
n
such that if these com-
ponents are correct, then S is correct. Similarly, the
purpose of applying error-correcting codes can be seen
as constructing a reliable channel S from an unreli-
able (error-prone) channel R. In the context of cryp-
tography, the purpose of encryption can be seen as
constructing (according to a simulation-based notion)
a secure communication channel S from two compo-
nents, R
1
and R
2
, where one is an authenticated chan-
nel and the other a secret key R
2
.
In the following, we formalize these notions.
Denition 5. A component set is a set equipped
with a (parallel composition) operation, denoted |. A
constructor set is a set equipped with a (serial com-
position) operation , a (parallel composition) opera-
tion [, and a special (neutral) element id.
Denition 6. A reduction for a component set
and a constructor set is a subset of .
A reduction is often denoted by an arrow, for
example, as follows: If (R, , S) is in the reduc-
tion, then we write R

S and say that S can be
reduced to R by or, equivalently, that S can be real-
ized (or constructed) from R by . We write R S
if there exists an such that R

S.
A reduction for a component set and a con-
structor set can equivalently be interpreted as a col-
lection

of relations on , indexed by ele-

ments of .
We now dene natural composability properties of
a reduction.
10
If there are d children R
1
, . . . , R
d
, one can write
R
1
| |R
d

S. If | is not associative, appropriate paren-

theses are required in the expression R
1
| |R
d
.
Denition 7. A reduction for and is called
serially composable if the following properties hold for
all R, S, T and , :
(i) R

S S

T = R

T
(ii) R
id
R.
Furthermore, is called context-insensitive if
(iii) R

S = R|T
|id
S|T T|R
id|
T|S.
A reduction that is both serially composable and
context-insensitive is called generally composable (or
just composable).
Property (i) implies transitivity of the relation
and Property (iii) states that R

S remains true
independently of the environment or context, i.e., in-
dependently of which systems are available in parallel.
Properties (i) to (iii) together imply that the reduction
is parallelly composable, in the following sense:
11
R

S R

= R|R

S|S

,
where = ([id)(id[

).
It is intuitively clear that general composability is
sucient (and necessary) for the step-wise renement
paradigm to work in the following sense. Given a tree
representing a construction as described above where
the relation R
1
|R
2

S holds for any node S and its

children R
1
and R
2
, the relation also holds between
the root and the leaves. We refer to Appendix A for
a formal version of this claim.
4 Choice settings
4.1 Choices and their eects
We consider a general setting where n choices are
made, e.g., by n parties who do not necessarily col-
laborate. Each n-tuple of choices results in a certain
eect, which we simply model as an element from a
set . For example, could be the set of real num-
bers, the set of vectors of real numbers, or anything
else. We will call such a setting an n-choice setting or,
simply a setting.
Denition 8. An n-choice setting is a function
R : A
1
A
n
,
where A
1
, . . . , A
n
are arbitrary sets and is a set
equipped with an equivalence relation . The set A
i
11
One could naturally postulate that ([id)(id[

) = [

, but
this is not necessary.
8
ABSTRACT CRYPTOGRAPHY
is called the ith choice domain, and is called the
eect space.
The notion of a choice is very general; for example,
in a setting where parties p
1
, . . . , p
n
interact with each
other in multiple rounds, a choice a
i
A
i
may be the
entire reactive strategy of party p
i
for computing the
answers depending on the inputs received from the
other parties.
The eect space will often be equipped with a
pseudo-metric which is compatible with the equiva-
lence relation in the sense that
(,

) = 0

. (2)
This pseudo-metric on the eect space induces
a pseudo-metric on the choice settings (see Denition
2), which we also denote by .
4.2 Isomorphisms between choice
settings
We now consider isomorphisms between choice set-
tings. Roughly speaking, two settings, R and S, are
isomorphic if the same eects can be obtained by an
appropriate relabeling of the individual choices. The
idea is that if R and S are isomorphic then they can
be considered equivalent, in the sense that no choice-
making party would prefer one setting over the other.
A relabeling of the choices is naturally represented
using the notion of complete relations. Let A
1
, . . . , A
n
and B
1
, . . . , B
n
be the choice sets of R and S, respec-
tively. Each choice a
i
A
i
shall be related to a corre-
sponding choice b
i
B
i
, and vice-versa. The resulting
correspondence between the n-tuple of choices can be
seen as a complete relation from A
1
A
n
to
B
1
B
n
, which is factorizable in the following
sense.
Denition 9. Let A
1
, . . . , A
n
and B
1
, . . . , B
n
be sets.
A relation from A
1
A
n
to B
1
B
n
is
called factorizable if =
1

n
, where
i
are
(A
i
, B
i
)-relations.
A complete factorizable relation is abbreviated as
CFR; it is the product of complete relations
i
from A
i
to B
i
. For CFRs =
1

n
and

n
,
we have

= (
1

1
) (
n

n
), as is easily
veried.
Lemma 2. The composition

of CFRs and

is a CFR.
Any CFR induces an isomorphism

between
choice settings (see Denition 4). More precisely, let
=
1

n
be a CFR from A
1
A
n
to B
1
B
n
. Two n-choice settings R and S
with choice domains A
1
, . . . , A
n
and B
1
, . . . , B
n
, re-
spectively, are isomorphic (via and relative to ) if
any choices (a
1
, . . . , a
n
) and (b
1
, . . . , b
n
) related by
result in equivalent eects, i.e.,
R

S :
(i : a
i

i
b
i
) R(a
1
, . . . , a
n
) S(b
1
, . . . , b
n
) .
In other words, two n-choice settings R and S are
isomorphic via if the same eects can be obtained
by a relabeling of the individual choices according
to the prescription . This isomorphism plays a cru-
cial role in our framework. It captures the idea that,
as long as all relevant consequences of an n-tuple of
choices a
1
, . . . , a
n
are described as part of the eect,
R(a
1
, . . . , a
n
), then a party (who can, for example,
make a choice a
i
from the ith choice domain A
i
) would
not prefer R over an isomorphic setting S (where
she could make a choice b
i
from a set B
i
), or vice
versa. This argument is described in more detail in
Appendix B.
Consider an n-choice setting R with choice domains
A
1
, . . . , A
n
. A simple example of a setting

R that is
isomorphic to R, i.e.,

R

R, is obtained by simply
extending the choice domains A
i
to choice domains

A
i
A
i
by adding further choices that are equivalent
to choices in A
i
, i.e., such that several choices of

A
i
can correspond to a single choice in A
i
. In this case,
the relation is simply the one relating each choice in

A
i
to an equivalent one in A
i
.
For later use, we dene the extension of R, denoted
ext(R), as the set consisting of all settings

R that
can be obtained from R by such trivial domain exten-
sions.
12
5 Specications and their abstraction
5.1 Specications and guaranteed
choice spaces
In the following we consider sets of n-choice set-
tings. In general, a set captures those properties (of
its elements) that are relevant in a certain step of an
abstraction, while ignoring those aspects that are not
12
Formally, this set is given by
ext(R) :=

R : id :

R

R
where id = 1
A
1
1
A
n
is the CFR consisting of the identity
relations on A
i
.
9
U. MAURER, R. RENNER
relevant (namely, which element of the set it is). One
does not care which elements of the set is given, as
long as it is guaranteed that it is one of the set.
More specically, we will introduce the notion of a
specication, which is simply the set of all settings that
have the properties we are interested in on a certain
level of abstraction.
Denition 10. An n-choice setting specication (or
simply n-specication) 1 is a set of n-choice settings,
together with an n-tuple of sets, (

A
1
, . . . ,

A
n
), such
that for all i,

A
i
is a subset of the ith choice domain
of every setting in 1. The set

A
i
is called the ith
guaranteed choice domain of 1.
Consider, as an example, a setting consisting of n
parties p
1
, . . . , p
n
, each of whom can make an indi-
vidual choice. The eects of their choices can then
be specied by an n-specication 1 consisting of n-
choice settings R with choice spaces A
R
1
, . . . A
R
n
. This
specication tells us that p
i
s choice will be an ele-
ment from the union of all ith choice domains,
R
A
R
i
.
Furthermore, the specication guarantees that p
i
can
always make a choice from the ith guaranteed set

A
i

R
A
R
i
. In other words, party i can count on
having any choice from the guaranteed set available,
but may have other choices available.
5.2 Abstraction of specications
Abstraction means to simplify a context by ignor-
ing certain details considered irrelevant. Here we con-
sider abstracting an n-specication 1 by another n-
specication o that is (generally) simpler to analyze.
Any property that holds for the abstract specication
o also holds for the concrete specication 1 (but not
necessarily vice versa). This means that one can per-
form an analysis in the abstract setting and carry it
over to the concrete setting.
Denition 11. Consider n-specications 1 and
o with guaranteed choice spaces

A
1
, . . . ,

A
n
and

B
1
, . . . ,

B
n
, respectively. Let = (
1
, . . . ,
n
) be an
n-tuple where

i
:

B
i


A
i
is a function (i = 1, . . . , n). We say that o is a -
abstraction of 1, denoted
13
1 _

o, (3)
13
The symbol [shows that abstraction is a generalized subset
relation.
if for every R 1 there exists an S o and a CFR
= (
1
, . . . ,
n
), such that
(i) R

S
(ii)
1
i

i
for all i.
14
If 1 _

o, then 1 and o are often called the con-

crete and the abstract specication, respectively. Fur-
thermore, the abstract specication o will often be
dened as the -extension of another specication

o,
i.e., the set

o

consisting of all settings that approxi-

mate

o to accuracy (see Denition 12 below).
The relation 1 _

o captures the idea that the

concrete specication 1 has all the relevant properties
of the abstract specication o. In other words, if an
analysis is performed for the abstract specication o,
leading for example to the insight that a cryptographic
scheme is secure, than this conclusion also holds for
the concrete specication 1.
As a generic example, consider a situation where
each of n parties p
1
, . . . , p
n
can make a choice. As-
sume that party p
i
has performed an analysis of the
abstract specication o from which she concludes that
she should make a certain choice b
i
, which is an ele-
ment of the guaranteed choice domain

B
i
. Relation
(3) now tells her that if she is confronted with a con-
crete setting R that satises specication 1, then she
could equivalently make the choice a
i
= (b
i
). In fact,
Property (i) guarantees that there is a setting S sat-
isfying o that is isomorphic to R (see Section 4.2).
Furthermore, Property (ii) ensures that the choice a
i
in the concrete setting can be inferred from the choice
b
i
in the abstract setting, and that a
i
is among the
guaranteed choices, i.e., a
i


A
i
.
5.3 Composability of abstraction
As we shall see, the relation 1 _

o denes a reduc-
tion (as dened in Section 3) between n-specications.
The component set of the reduction will be the set of
specications, and the constructor set will be the set
of n-tuples = (
1
, . . . ,
n
), where
i
are functions
from choice domains to choice domains. In the fol-
lowing, we dene this reduction and show that it is
generally composable.
We rst need to equip the set of specications,
which will form the component set, with a parallel
14
Note that only the part of the relations
i
dened by
i
is common for all R 1, the rest of the relation
i
can be
dierent for every R.
10
ABSTRACT CRYPTOGRAPHY
composition operation. To dene this relation, con-
sider two n-choice settings, R : A
1
A
n

and S : B
1
B
n
. Furthermore, assume
that the eect space is equipped with an embedding
operation , denoted by |. The direct
product of R and S (as functions) then yields, as
the combined n-choice setting R S, the function
(A
1
B
1
) (A
n
B
n
) with
(R S)((
1
,
1
), . . . , (
n
,
n
)) =
R(
1
, . . . ,
n
) | S(
1
, . . . ,
n
) .
The composition operation [[ for specications can
then be dened as
1[[o := R S : R 1, S o .
Similarly, we equip the set of n-tuples =
(
1
, . . . ,
n
), which will form the set of constructors,
with a serial and a parallel composition operation.
We do this by simply dening these operations as the
corresponding serial and parallel composition opera-
tion on functions. That is, for = (
1
, . . . ,
n
) and

= (

1
, . . . ,

n
),

= (
1

1
), . . . , (
n

n
)
and, similarly,
[

= (
1

1
, . . . ,
n

n
) .
Finally, the neutral element in the set of constructors
is dened as the n-tuple id = (1, . . . , 1), where 1 are
the identity functions.
Then, according to Denition 6, 1 _

o is a reduc-
tion, where the component set is the set of specica-
tions, and the set of constructors is the set of n-tuples
= (
1
, . . . ,
n
).
Theorem 1. 1 _

o is a generally composable re-

duction.
Proof. We have already shown that 1 _

o is a
reduction. To prove Condition (i) of Denition 7, as-
sume that 1 _

o and o _

T . Then, for every

R 1 there exists S o and =
1

n
with

1
i

i
such that R

S. For this S, there exists
T T and

n
with
1
i

i
such that
S

T. It follows that for every R there exists T T

with R

T, and where (
i

i
)
1

.
Condition (ii) of Denition 7 is trivially satised be-
cause R is isomorphic to itself via the identity relation,
id.
To prove Condition (iii) of Denition 7, we need to
show that 1 _

o implies 1[[T _
|id
o[[T . This is
however a direct consequence of the fact that R

S
implies R T
id
S T, for any T T .
5.4 Approximation and abstraction
As we have seen, the notion of an abstraction cap-
tures the idea of describing an object only by certain
relevant properties without specifying (unimportant)
details. In other words, an abstract specication of an
object is the set all objects that have certain proper-
ties we are interested in.
When specifying the relevant properties of an ob-
ject, it is often irrelevant whether these properties are
met precisely or whether they are only approximated.
This means that, given a specication, we may also
want to consider all settings that approximate the
specication.
In this section, we formalize this idea by introducing
the notion of an -extension 1

of an n-specication
1. It is dened as the set consisting of all n-settings
that are close to an element in the extension ext(1) :=

RR
ext(R) of 1, with respect to some metric.
Denition 12. Let 1 be a specication for eect
space , equipped with a pseudo-metric compatible
with the equivalence relation on (see Eq. (2)).
The -extension of 1, denoted 1

, is given by
1

:=
_
R :

R ext(1) : (R,

R)
_
.
where is the pseudo-metric on the set of n-choice
settings induced by the pseudo-metric on (see Def-
inition 2).
In an argument consisting of several abstraction
steps, we typically want to combine the approxima-
tions made within the individual steps into one for
the entire abstraction, in the sense that
1 _

o _

= 1 _

T
+

.
This property is essentially a consequence of the fol-
lowing lemma and the triangle inequality (see the re-
mark below).
Lemma 3. For any specications 1 and o and for
any 0,
1 _

o = 1

.
Proof. Let R be any element from 1

. By Denition
12, there exists R

1 such that (R, R

) , where
11
U. MAURER, R. RENNER
is the induced pseudo-metric on the eect space.
Hence, there exists a CFR =
1

n
and an
element S

o such that R

and
1
i

i
.
Let A
1
, . . . , A
n
and B
1
, . . . , B
n
be the choice spaces
of R

and S

, respectively. Since the relations

i
(for any i 1, . . . , n) are complete, there exist
functions f
i
: B
i
A
i
such that f
1
i

i
and which
are identical to
1
i
on their common domain. Fur-
thermore, by choosing an appropriate setting

S

o,
the functions f
i
can be extended to functions

f
i
:

B
i

A
i
that have full range, i.e.,

f
i
(

B
i
) = A
i
. We can now
dene a choice setting

S with choice spaces

B
1
, . . . ,

B
n
by

S(b
1
, . . . , b
n
) := R(

f
1
(b
1
), . . . ,

f
n
(b
n
))
It is easy to verify that

S is isomorphic to R via a
CFR

n
satisfying
1
i

i
, i.e.,
R

S .
Furthermore, because is an induced metric, the dis-
tance cannot increase when prepending a function,
i.e.,
(

S,

S

) (R, R

) .
This implies that

S o

and thus concludes the

proof.
Remark 1. Lemma 3 together with the triangle in-
equality implies
o _

= o

T
+

for any ,

0.
6 Theory of systems
6.1 Systems: resources, converters,
and distinguishers
At the highest level of abstraction, a system is an
abstract object with interfaces by which it interacts
with its environment and with other systems. Inter-
faces are labeled with elements of a label set. Two
systems can be composed into a single system by con-
necting one interface from each system.
15
15
At this level of abstraction there is no need to model dif-
ferent types of interfaces. It need not be dened how systems
interact (analog or digital communication, one message or a
ping-pong protocol, synchronous or asynchronous communica-
tion, etc.). All that is required is that the composition of sys-
tems is dened, at least for those types of composition we are
interested in. Of course, at lower levels of abstraction, the def-
inition of the interface will matter.
A key property of a reasonable abstract theory of
systems is composition-order independence, which is a
type of generalized associativity.
Denition 13. A set of systems with composition
operations is composition-order independent if for any
system composed of several systems, the order in
which the systems are composed does not matter.
16
In this paper we consider only three special types of
systems: resource systems, converter systems, and dis-
tinguishers.
17
A resource system (or simply resource),
usually denoted by capital letters (e.g. R or S), is a
system with interface label set 1 (e.g. 1 = 1, . . . , n
or 1 = A, B, E). Typically (but not only) one can
think of each interface being accessible to one party.
A converter system (or simply converter)
18
, usually
denoted by a Greek letter (e.g. or ), is a system
with two interfaces, where one interface is designated
as the outside interface and the other as the inside in-
terface. The inside interface of a converter can be
connected to interface i 1 of a resource system R;
the outside interface of serves as the new interface
i of the combined system, which is again a resource
system and is denoted
i
R.
19
We can consider a resource construction, say Z,
which takes as an argument a resource, say R. (For-
mally, the system Z is a special type of system with
2n interfaces.) The combined resource is denoted as
Z(R) or simply ZR. In particular, let [[[S] be the
resource construction which simulates the resource S
and makes it available in parallel (on the right side)
to the argument of the construction. In other words,
[[[S]R = R[[S for any R. Moreover, [S[[] is dened
analogously.
We will often consider vectors = (
i
)
iI
of con-
verters, one for each interface of a resource. Such a
list is denoted by a boldface Greek letter. For conve-
nience, we will often assume that 1 = 1, , . . . , n, for
16
This is, for example, what one has in mind when draw-
ing a congurations of several composed systems as a diagram,
with systems being boxes and interfaces being lines leaving the
boxes. The very fact that the order in which one draws such a
diagram is irrelevant implies that one postulates composition-
order independence.
17
They allow to model all systems occurring in a crypto-
graphic context, e.g. protocols, simulators, adversaries, etc.
18
One can think of such a system as converting or transform-
ing an interface into an interface with a dierent behavior.
19
A system composed of a resource and converters has a star-
shaped topology, with a resource in the center and a (possibly
empty) chain of converter systems attached to each interface.
The resulting system is again a resource with the same interface
set.
12
ABSTRACT CRYPTOGRAPHY
example = (
1
, . . . ,
n
), but we continue to state
results for a general interface set 1 when appropriate.
When
i
is connected to interface i of R we usually
write
i
R instead of
i
i
R. Applying to R is de-
ned naturally: R =
1

2

n
R. For a vector
= (
1
, . . . ,
n
) of converter systems and for a sub-
set T 1 of the interfaces, we denote by
P
the
vector with components only T, and
P
R is under-
stood as the resource resulting when for every i T,

i
is attached to interface i of R.
A distinguisher D (for n-interface resources) is a
system with n + 1 interfaces, where n interfaces con-
nect to the interfaces of a resource R and the other
(outside) interface outputs a bit. When a distin-
guisher D is connected to resource R we write DR
for the resulting system. Note that DR is simply a
binary random variable.
The typical pseudo-metrics in cryptography are
distinguisher-based metrics, i.e., the distance between
two resource systems is the best advantage a dis-
tinguisher in a certain class T of distinguishers can
achieve:
R

S :
D
(R, S) ,
where T is, for example, either the set of all distin-
guishers (information-theoretic security) or the set of
feasible distinguishers (computational security). Here

D
(R, S) = sup
DD

D
(R, S),
where
D
(R, S) is the advantage of D in distinguish-
ing R nd S, i.e., the statistical distance of the binary
random variables DR and DS.
We write
R S
instead of R
0
S to denote that R and S are equiva-
lent (according to the equivalence relation implied by

D
). We point out that for describing most crypto-
graphic settings it suces to consider an equivalence
relation rather than a (more general) pseudo-metric.
In an asymptotic setting, the metric is 0/1-valued (0
corresponding to negligible, and 1 corresponding to
not negligible).
6.2 Cryptographic algebras
We are now formalizing the notions introduced
above.
Denition 14. A cryptographic algebra , , ) for
an interface set 1 consists of a set of 1-resources
with a parallel composition operation [[
20
, a set of
converters, and an equivalence relation on the set ,
together with a mapping
21
1 dening
the resource obtained when converter is attached to
interface i of resource R, denoted as
i
R, such that
(i) Converter application at dierent interfaces com-
mutes:
i

j
R
j

i
R for all i ,= j, R , and
.
(ii) Attaching no converter is dened as a special
neutral converter 1 : 1
i
R R for all i 1
and R .
22
(iii) If R S then
i
R
i
S.
(iv) If R S then (R[[T) (S[[T) and (T[[R)
(T[[S).
The commutativity condition of the above deni-
tion is the specialization of the previously mentioned
composition-order independence to the specic setting
with resources and converters. It states that if two
converters are connected to distinct interfaces, then
the order in which these operations are performed is
irrelevant.
One can naturally dene serial and parallel compo-
sition operations on the converter set as follows:
serial composition: (or ) is dened by
()
i
R :=
i

i
R
for all i and R. This composition operation
is associative because function composition is:
() = (). Note that 1 = 1 = .
parallel composition: [[ is dened by
([[)
i
(R[[S) :=
i
R[[
i
S
for all i and R, S .
23
Denition 15. A distinguisher D is a mapping from
to the set of binary distributions
D : R DR .
A distinguisher D emulating a converter
i
at
interface i induces a new distinguisher, denoted D
i
,
20
For every i 7, the i-interface of R[[S consists of the two
i-interfaces of R and S merged into a single interface, by some
addressing mechanism that is not (yet) of interest at this level
of abstraction.
21
This may be a partial mapping, i.e., dened on a subset
only.
22
We do not postulate that there is a converter system that
behaves like 1, for example by forwarding all messages, but it
may be reasonable to assume that 1 is an actual system.
23
Note that ([[)
i
T need not be explicitly dened if T is not
of a the form T = R[[S. Note also that [[1 ,= .
13
U. MAURER, R. RENNER
dened by
(D
i
) : R D(
i
R) .
Similarly, a distinguisher emulating a resource S
in parallel induces a new distinguisher, denoted
T[[[S] T, and dened by
T[[[S] : R D(R[[S) .
Denition 16. A distinguisher class T is said to be
compatible with a cryptographic algebra , , ) if
the following holds
T
i
T for i 1, i.e. T is closed under emula-
tion of a converter in .
24
T[[[] T, i.e. T is closed under emulation of a
resource in .
If R S then DR = DS, for any D T.
6.3 Eciency, feasibility and types of
security
Systems (resources, converters, distinguishers) can
be implemented by algorithms. We need to dene two
complexity notions for algorithms for implementing
systems: ecient and feasible. Honest parties are gen-
erally restricted to ecient computation and dishon-
est parties are (in a computational setting) restricted
to feasible computation, where the feasible complex-
ity class includes the ecient complexity class. In
traditional cryptography, no distinction between e-
cient and feasible is made and they are both dened
as polynomial-time (in some suitable manner). In our
abstract context, it suces to postulate certain clo-
sure properties (which a reasonable polynomial-time
notion satises).
More specically, we consider a feasibility notion
which is dened by a class of feasible resource systems,

f
, a class of feasible converters
f
, and a
class of feasible distinguishers T
f
T. Similarly, an
eciency notion is dened by a set of ecient con-
verters,
e
. We postulate that these obey certain
closure properties.
Denition 17. A feasibility notion (
f
,
f
, T
f
) is said
to be closed if the cryptographic algebra restricted to
the sets
f
and
f
is still a cryptographic algebra,
and the distinguisher class T
f
is compatible with this
algebra.
Furthermore, an eciency notion
e
is said to be
compatible with the feasibility notion, if
e

f
and

e

e

e
.
24
T
i
is dened naturally: T
i
= D
i
: D T, .
By choosing the sets in the feasibility notion appro-
priately, we obtain dierent security notions:
The notion dened by (
f
,
f
, T
f
) corresponds to
computational security, if we request the protocol
converters
i
to be in
e
. The pseudo-metric
D
f
is 0/1-valued, where the value 0 means that the
distinguishing advantage for the two (asymptotic
families of) resources is negligible.
The notion dened by the classes of unbounded
systems (superscript u), (
u
,
u
, T
u
), corre-
sponds to information-theoretic security.
Ecient information-theoretic security is dened
like information-theoretic security, but where the
protocol converters
i
are required to be in
e
.
The latter distinction is meaningful and neces-
sary since information-theoretic security does not im-
ply computational security, but ecient information-
theoretic security does.
7 Filtered resources as specications
We now make the n-choice specications introduced
in Section 5 more concrete by describing their ele-
ments, the choice settings, using the notion of systems
introduced in Section 6.
7.1 Resource systems as choice
settings
Cryptographic algebras are a concretization of the
concepts introduced in Section 4. A resource system
R is a choice setting in the sense introduced in Section
4, namely a function from choice spaces to an eect
space. The choices are converters (a party can apply
to a resource) and the eect is the resulting resource
when the converters are applied to R. More precisely,
each partys choice space is (or a subset of ), and a
resource system R corresponds to the function
n

dened by R, where = (
1
, . . . ,
n
) and

i
is party is choice. Note that = , i.e., the
eect space is the resource set , equipped with the
equivalence relation .
7.2 Filtered specications: guaranteed
and possible choice spaces
In the following we consider special resource speci-
cations where for each interface i the choice domain
A
i
is known to be between a guaranteed choice space
14
ABSTRACT CRYPTOGRAPHY
of the form

i
=
i
:
for some converter
i
, and the possible (full) choice
space :

i
A
i
. (4)
Here
i
can be seen as a lter restricting access to
R. A guaranteed choice
i

i

i
is specied by
the converter
i
. Similarly, the possible choices are
those potentially (but not guaranteed to be) available
to a party behaving dishonestly. Such a party can
be thought of as removing the lter
i
and therefore
having possibly more powerful access to R than an
honest party.
Denition 18. Let
1
, . . . ,
n
be converters and
let = (
1
, . . . ,
n
). Then R

denotes the n-
specication dened as the set of all resources R,
where at each interface i the choice domain A
i
satis-
es (4). An n-specication of this form will be called
ltered.
Note that by considering this set of resources, it is
(by denition) considered irrelevant what the actual
choice spaces for the parties are, as long as the guar-
anteed choices are available and not more than the
maximal choices are available. As mentioned, the set
captures that we do not know (or care to state) the
particular actual choice spaces.
A canonical way to think of such ltered n-
specications is as follows: The resource R has but-
tons for some or all of the parties which, when pressed,
gives that party additional functionality. The role of
the lters
i
is to shield the button, i.e., to make it un-
available. The act of removing the lter can (but need
not) be considered as a corruption bit by which a
party declares to want to have access to the possible
choice space.
Example 1. A resource modeling the secret key gen-
erated by a typical key-agreement protocol (e.g. stan-
dard Die-Hellman) has the property that at least
one party can inuence the key. This can be mod-
eled by a button which, if pressed, gives the party the
capability to set the key. It is important that this fea-
ture (the button) is not guaranteed (i.e.. ltered) since
an actual protocol typically does not guarantee (but
only not exclude) that a party can freely choose the
key. In contrast, a resource without buttons models
the stronger primitive generating a common random
string.
7.3 Abstraction of ltered specica-
tions
Recall the notion of an abstraction of a resource
specication. To apply this notion to ltered speci-
cations R

and S

, we require an explicit mapping

from the guaranteed choices of S

to the guaranteed
choices of R

, i.e., a mapping from

i
to
i
, for
all i 1. This mapping is achieved by means of a
converter
i
, as follows:

i

i
:
i

i

i
.
Let = (
1
, . . . ,
n
). If we understand
i
as a
function, as just described, then S

is a -abstraction
of R

, denoted
R

,
if for every R

there exists S

and a CFR
=
1

n
between the choice spaces A
1
A
n
of R

and B
1
B
n
of S

such that
R

and, for all i,

(
i

i
,
i
) :
i
.
7.4 Proving abstraction using local
simulators
We can now state a central theorem in our abstract
theory of cryptography which allows to prove state-
ments of the form R

. What is crucial is that

the simulation can be performed locally (rather than
jointly) and, in contrast to [1], the simulation must be
ongoing, not only for the nal transcript (or view).
Theorem 2. Let , , ) be a cryptographic algebra
and, for any i 1, let
i
,
i
,
i
,
i
be converters.
Then
T 1 :
P

P
R
P

P
S
= R

.
Proof. For xed T 1, the equation

P
R
P

P
S
means that R S for all = (
1
, . . . ,
n
) and
= (
1
, . . . ,
n
) such that
(
i
,
i
)
_
(
i

i
,
i
) : if i T
(,
i
) : if i T,
i.e., such that
15
U. MAURER, R. RENNER
(, )

iP
(
i

i
,
i
) :

iP
(,
i
) : .
Hence the left side of Theorem 2 (i.e., T 1 :

P
R
P

P
S) is equivalent to R S for
all and with (, ) , where
=
_
_
_
P{1,...,n}

iP
(
i

i
,
i
) :

iP
(,
i
) :
_
_
.
According to Lemma 1, we have =

n
i=1

i
with

i
= (
i

i
,
i
) : (,
i
) : .
Let now R

be any resource in R

with choice space

A
1
A
n
, where
i
A
i
. We consider S

in S

with choice space B

1
B
n
, where
B
i
=
i
A
i

i
and claim that R

. If we restrict the relation

i
from above to

i
= (
i

i
,
i
) : (,
i
) : A
i
,
then the two conditions required by Denition 11 are
satised: We have both (
i

i
,
i
) :

i
,
and

is a CFR on the action spaces of R

and S

such that R

.
Acknowledgments
This work was developed, rened, and used in teach-
ing over many years.
25
Many people have given feed-
back. In particular, it is a pleasure to thank Joel Al-
wen, Zuzana Beerliova, Martin Hirt, Dennis Hofheinz,
Christoph Lucas, Dominik Raub, Bjorn Tackmann,
Stefano Tessaro, and Vassilis Zikas for very helpful
discussions.
References
[1] J. Alwen, A. Shelat, and I. Visconti. Collusion-
free protocols in the mediated model. InD. Wag-
ner, ed-itor, Advances in Cryptology-CRYPTO
2008, vol-ume 5157 of Lecture Notes in Computer
Science, pages 497-514. Springer, 2008.
25
Some concepts of this paper were presented in an invited
lecture at CRYPTO 2009 [9]. A video of the talk is available at
http://www.iacr.org/conferences/ crypto2009/videos/.
[2] M. Backes, B. Ptzmann, and M. Waidner. A
gen-eral composition theorem for secure reactive
sys-tems. In M. Naor, editor, Theory of Cryptog-
raphy, TCC 2004, volume 2951 of Lecture Notes
in Com-puter Science, pages 336-354. Springer,
2004.
[3] R. Canetti. Universally composable security: A
new paradigm for cryptographic protocols. In
FOCS, pages 136-145, 2001.
[4] R. Canetti, Y. Dodis, R. Pass, and S. Wal-
sh. Uni-versally composable security with global
setup. In S.P.Vadhan, editor, Theory of Cryptog-
raphy, TCC 2007, volume 4392 of Lecture Notes
in Computer Science, pages 61-85. Springer,
2007.
[5] R. Canetti and M. Fischlin. Universally compos-
able commitments. In J. Kilian, editor, Advances
in Cryptology-CRYPTO 2001, volume 2139 of
Lecture Notes in Computer Science, pages 19-40.
Springer, 2001.
[6] R. Canetti, O. Goldreich, and S. Halevi. The ran-
dom oracle methodology, revisited (preliminary
version). In STOC, pages 209-218, 1998.
[7] S. Goldwasser, S. Micali, and C. Racko. The
knowledge complexity of interactive proof sys-
tems. SIAMJ. Comput., 18(1): 186-208, 1989.
[8] U. Maurer. Indistinguishability of random sys-
tems. In L.R.Knudsen, editor, Advances in Cryp-
tology-EUROCRYPT 2002, volume 2332 of Lec-
ture Notes in Computer Science, pages 110-132.
Springer, 2002.
[9] U. Maurer. Abstraction in cryptography. In S.
Halevi, editor, Advances in Cryptology-CRYPTO
2009, volume 5677 of Lecture Notes in Computer
Science, page 465. Springer, 2009.
[10] U. Maurer. Constructive cryptography-a primer.
In R.Sion, editor, Financial Cryptography, vol-
ume 6052 of Lecture Notes in Computer Science,
page1. Springer, 2010.
[11] U. Maurer, R. Renner, and C. Holenstein. Indif-
ferentiability, impossibility results on reductions,
and applications to the random oracle methodol-
ogy. In M. Naor, editor, Theory of Cryptography,
TCC 2004, volume 2951 of Lecture Notes in Com-
puter Science, pages 21-39. Springer, 2004.
[12] U. Maurer and B. Tackmann. On the soundness
of authenticate-then-encrypt. In ACM Confer-
ence on Computer and Communications Security,
pages 505-515, 2010.
16
ABSTRACT CRYPTOGRAPHY
[13] B. Ptzmann and M. Waidner. Composition and
integrity preservation of secure reactive systems.
In ACM Conference on Computer and Communi-
cations Security, pages 245-254, 2000.
[14] M. Prabhakaran and M.Rosulek. Cryptographic
complexity of multi-party computation problems:
Classications and separations. In D. Wagner,
editor, Advances in Cryptology-CRYPTO 2008,
vol-ume 5157 of Lecture Notes in Computer Sci-
ence, pages 262-279. Springer, 2008.
[15] D.Unruh and J.M uller-Quade. Universally com-
posable incoercibility. In T.Rabin, editor, Ad-
vances in Cryptology-CRYPTO 2010, volume
6223 of Lecture Notes in Computer Science, pages
411-428. Springer, 2010.
A Soundness of step-wise renement
Here we formalize the claim that general compos-
ability (cf. Denition 7) is sucient for the step-wise
renement paradigm to work.
For this, we think of a construction represented by
a tree as follows. Any node v of the tree labels a
component, called S
v
, as well as, if v is not a leaf, a
constructor, called
v
. Furthermore, for any non-leaf
node v we dene the constructor

v
of the underlying
tree inductively as

v
=
_
id if v is a leaf

v

_

v
1
[ [

v
d
_
otherwise.
We now formalize what it means for the step-wise
renement paradigm to work.
Denition 19. A reduction

for component
set and constructor set is called sound for step-
wise renement if for every tree the following holds:
If at every node v of the tree we have
S
v
1
[[ [[S
v
d

v
S
v
(a local property in the tree), then for the root r and
the leaves
1
, . . . ,
k
we have
S

1
[[ [[S

r
S
r
(a global property of the tree).
By induction over the tree it is straightforward to
prove the following theorem, which ultimately justies
our denition of general composability (Denition 7).
Theorem 3. A reduction

(for component
set and constructor set ) is sound for step-wise
renement if and only if it is generally composable.
B Explanation for the denition of
isomorphism
The following is a more detailed description of the
argument sketched in Section 4.2, which justies the
use of the relation R

S. For the matter of con-
creteness, one may think of n parties who, in a setting
R, interact using a given device. Each of the par-
ties chooses a strategy a
i
from a set A
i
of possible
strategies. The use of the device according to these
strategies will result in a particular eect, specied by
R(a
1
, . . . , a
n
). We compare this setting to an alter-
native setting, S, where the n parties use a dierent
device. Here they can choose strategies b
i
B
i
, and
the eect is given by S(b
1
, . . . , b
n
).
We will now show that if the eect captures all as-
pects that may be relevant to any of the parties, then
none of them would prefer one of two isomorphic set-
tings, R or S, over the other. Our argument is by
induction over n.
For n = 1, i.e., one single party making a choice,
the existence of an isomorphism between R and S via
a relation =
1
immediately implies that equiva-
lent eects can be reached in the two settings, i.e.,
formally,
26
R

S = R(A
1
) S(B
1
).
Since, by assumption, all relevant aspects of the set-
ting are captured by the eect, the condition on the
right hand side, R(A
1
) S(B
1
) is sucient to in-
fer that no setting is preferable over the other. This
already concludes the argument for n = 1.
For the induction step, we consider two n-choice
settings R and S which are isomorphic via some xed
CFR =
1

n
. Note that if the nth party
xes a strategy a
n
A
n
in setting R, one obtains the
(n 1)-choice setting R( , a
n
) : A
1
A
n1

. Hence, we can interpret R as a 1-choice setting,
denoted
R
n
: A
n

A
n
: a
n
R( , a
n
)
(for the nth party), whose eect space
A
n
is the set
of (n 1)-choice settings A
1
A
n1
(for
26
The equivalence between sets is dened such that for any
element in one there is an equivalent element in the other.
17
U. MAURER, R. RENNER
the rst n 1 parties). Similarly, for the setting S,
we can dene a 1-choice setting S
1
with eect space

B
n
:= (B
1
B
n1
) ).
Let us now compare the (n 1)-choice settings
R
n
(a
n
) and S
n
(b
n
) that are obtained when the nth
party makes a choice a
n
or b
n
in the original settings
R and S, respectively. By the assumption of our in-
duction step, we already know that none of the two
settings is preferable over the other if the two settings
are related via a CFR

=
1

n1
, i.e., if
R
n
(a
n
)

S
n
(b
n
) .
Therefore, in order to show that none of R or S is
preferable it is sucient to verify that any choice a
n
is
mapped via
n
to a choice b
n
such that R
n
(a
n
) and
S
n
(b
n
) satisfy the above condition, and vice versa,
i.e.,
a
n
, b
n
: a
n

n
b
n
R
n
(a
n
)

S
n
(b
n
) .
This corresponds to the relation R
n
(
n
/

) S
n
(see
Eq. 1), which is equivalent to R

S. We have thus
shown that, whenever the latter relation holds for two
n-choice settings R and S, then none of them is prefer-
able over the other.
C The Two-party case
The following appendices describe how the abstrac-
tion ideas of the framework can be used in explain
known contexts and results. However, while here we
stay close to the language used in the literature (e.g.
the concept of honest and dishonest parties), later de-
scriptions of these results in abstract cryptography my
look quite dierent, focusing on the abstraction no-
tion.
C.1 The equations for unltered
resources
In this section we look at the special case of two
parties (n = 2) and where only unltered resources
(i.e., singleton sets) R and S are considered, i.e., where
the guaranteed and the possible choice space are both
.
For n = 2, one can write the algebraic expressions
involving systems in a simple form, by considering the
left and the right side of a resource R as the two in-
terfaces. For example, if converter () is attached
to the rst (second) interface of R, then we can write
simply R instead of
1

2
R.
27
For a protocol = (
1
,
2
) we have

1
,
2
:
_

1
R
2
S

1
R S
2
R
2

1
S
R
1
S
2
_

_
R _

S. (5)
The direction = follows from Theorem 2. To see
the direction =, consider the relation =
1

2
guaranteed to exist according to the denition of R _

S, namely such that R

S. Since
i
is complete,
(1,
i
)
i
for some
i
. Now we can let
i
=
i
.
If the UC framework for two parties is phrased ab-
stractly, then one arrives at the rst three equations of
(5). Since in the UC framework, the case where both
parties are corrupted is not considered, the fourth
equation is not present. For n 3, the UC frame-
work is in a strict sense a special case since it involves
only a single simulator.
C.2 Communication channel as a
neutral resource
We now consider a further special case where R is a
communication channel C, which is a neutral resource.
For example,
1
C
2
=
1

2
since C only connects
1
and
2
.
Denition 20. A plain communication channel is the
2-party resource C for which C = for all ,
.
Of particular interest in cryptography is the ques-
tion which resources can be obtained from a commu-
nication channel, i.e., for which R we have C _

R
for some protocol = (
1
,
2
).
C.3 An impossibility result
We now prove a general impossibility result which
implies, as a special case, the impossibility of realizing
universally composable commitments from a commu-
nication channel proved originally in [5]. Note that in
the 2-party case, a resource can also be considered as
a converter (as in the expression SS below).
Theorem 4. If SS , S for all , then there
27
For n 3 interfaces, putting the interface index as a super-
scripts is necessary to maintain linear expressions for composed
systems. An alternative would be to use formulas that are not
linear but make use of the two-dimensional plain.
18
ABSTRACT CRYPTOGRAPHY
exists no protocol = (
1
,
2
) such that C _

S.
Proof. C _

S means that
1

2
S and
1
S
2
and
2

1
S for some
1
and
2
. Replacing
1
in

2
S using
1
S
2
yields
S
1

2
S.
Now replacing
2
using
2

1
S yields
S
1

2
S S,
which contradicts : SS , S (one can choose =

2
).
The commitment resource Com is dened as fol-
lows. At interface 1 one can input a value v (from a
certain set). Then a committed message is output
at interface 2. After that an open message can be
input at interface 1, which causes v to be output at
interface 2.
Corollary 1. There exists no protocol = (
1
,
2
)
such that C _

Com.
Proof. To prove that
Com Com , Com
for all , we consider the distinguisher for re-
sources Com Com and Com which commits to a
random message and opens the message and outputs
the bit 1 if and only if in the commitment phase the
resource outputs committed and if in the opening
phase the correct message is output.
For the resource Com Com, either no message
is committed to in the second copy of Com, or the
message output at the opening phase is independent of
the committed message. The distinguishing advantage
is at least 1 1/k, where k is the cardinality of the
message space of Com.
A delay channel Del is a resource which takes as in-
put a message from a domain at the rst interface and,
after a xed time t, outputs the message at the sec-
ond interface. Such a resource would be of substantial
interest, as it would for example allow to implement
fair exchange between two parties.
Corollary 2. There exists no protocol = (
1
,
2
)
such that C _

Del.
Proof. The following distinguisher has advantage 1 in
distinguishing Del from DelDel for any . It in-
puts a message and checks whether the message is
output after time t.
D Modeling indierentiability
In this section we give a simple explanation of the
theory of indierentiability [11], as a special case of our
abstraction notion. Indierentiability is used today as
a key tool for proving the soundness of hash function
constructions.
By R S we denote the information-theoretic
equivalence of resources R and S [8] (i.e., R and S
have the identical behavior).
Denition 21. For a 1-interface resource R, let R
denote the 2-interface resource that behaves (identi-
cally) at both interfaces as (the same instantiation of)
R.
For example, if R is a uniform random function,
then R is a uniform random function accessible (iden-
tically) at two interfaces. Let is the special con-
verter that blocks access to an interface.
Denition 22. A resource T is out-bound at interface
i if
i

i
T
i
T for all , i.e., if no converter can
have an eect at the other interfaces.
In the plain form of indierentiability, one considers
single resources of the type R which are out-bound (at
both interfaces), where the rst interface is modeled as
honest and the second interface is modeled as dishon-
est. This allows to model a resource providing public
randomness which is also accessible to the adversary.
Examples of such public randomness resources are a
public random string required for implementing a hash
function, and a public random oracle (see below).
In the described setting, one can show that the four
conditions of (5) are reduced to the single condition,
given in [11]:
Denition 23. S is reducible to R in the sense of
indierentiability if
R S
for some converters and .
This denition captures both the information-
theoretic and the computational setting.
We now prove an impossibility result.
Assume that for resource R the entire randomness
can eciently be read out. Formally, there exists an
ecient converter which in a rst phase interacts
only at its inner interface and, in a second phase, only
interacts at its outside interface, such that
19
U. MAURER, R. RENNER
R R,
i.e., can reproduce the behavior of R after having
read out its randomness. Let H(R) be the entropy of
R, i.e., the entropy of the random variable passed in
between the rst and the second phase.
Theorem 5. If one can (eciently) extract all the
randomness from R and one can (eciently) extract
(considerably) more than H(R) entropy from S, then
S is not reducible to R in the sense of indierentiabil-
ity.
Proof. We need to prove that there are no and
such that
R S.
Let be the converter that extracts the randomness
from R, as described above. Then
R R
is a symmetric resource. In contrast,
S
is not symmetric and one can easily detect this by
reading out suciently much entropy at the left in-
terface of S and testing for equality with the cor-
responding output at the right interface. For R
equality will hold while for S it will not (with high
probability), hence this gives a distinguisher.
A (public) random oracle is a resource with two
interfaces which provides at both interfaces access to
the same random function. A (public) random string
is a resource with two interfaces which provides at
both interfaces access to the same uniform random
string of xed (i.e. small) length.
The following corollary corresponds to the impossi-
bility result of [6, 11], by considering the hash function
as the converter which at its inside interface reads
a (public) hash function parameter and at its outside
interface answers hashing queries.
Corollary 3. A (public) random oracle is not re-
ducible (in the sense of indierentiability) to a (public)
nite random string.
E The Alice-Bob-Eve setting with
honest Alice and Bob
A standard cryptographic setup consists of two hon-
est parties, Alice and Bob, connected by a certain
communication resource (e.g., an insecure channel)
that may be partially controlled by an adversary, Eve.
The 2
3
= 8 conditions of Theorem 2 can be shown to
reduce to the following two conditions, phrased here
for singleton specications (no lters). (See also [12]
for a more detailed discussion of the two conditions.)
The rst condition models availability and states
what must be achieved if no adversary is present.

A
1

B
2

E
R
E
S.
For example, if R is an insecure channel in parallel
to a secret key, S is an authenticated channel, and
1
and
2
are the protocol engines that append a MAC
and check a MAC, respectively, then the above con-
dition states that if Eve is not present, the message
must be delivered.
The second condition models security and states if
Eve is present, anything she could do in the real set-
ting she could also do in the ideal setting:

A
1

B
2
R
E
S.
F Encryption and leakable channels
In this section we briey explain how one can model
what encryption achieves, in a context where Alice,
Bob, and Eve could all be potentially dishonest. This
leads to making the coercibility of encryption explicit.
We consider resources with interface set 1 =
A, B, E. The real resource specication R consists
of a secret key and an authenticated channel from A
to B, which is potentially accessible to E, modeled by
a button for E which (potentially) releases the mes-
sage or parts of it to E. The lters
A
and
B
are
trivial (i.e., 1), and
E
hides the button.
The ideal resource specication S consists of a se-
cure channel from A to B, which is leakable in the
sense that both A and B have a button they can press,
in which case the message is (potentially) released to
E. The lters
A
and
B
hide the corresponding but-
tons.
28
This feature is necessary to achieve the strong ab-
straction notion, R

, i.e., local simulatability.

This models the fact that Alice and Bob are coercible
since they potentially have the possibility to leak the
message.
28
Formally, also E has a button, hidden by
E
, but not dis-
cussed further here.
20
ABSTRACT CRYPTOGRAPHY
Note that it is crucial that the buttons are ltered
since otherwise, if the leaking feature were guaran-
teed, then an encryption scheme could be used as a
commitment scheme (from A to E) which, as we saw,
is impossible to realize from plain communication. In
other words, the ltered resource specication models
that the message could potentially leak, but that this
is not guaranteed.
Actually, S also consist of a secret key with leakage
buttons. This is necessary for the simulation to work
and makes explicit that in encryption, sender and re-
ceiver become potentially committed to the key they
used (i.e., could possibly be coerced to leak it).
We point out that the term coercibility can be used
to interpret the feature of the specication S

that A
and B have the leakage buttons. In our framework, it
does not correspond to a new security notion.
In view of the above it seems desirable to realize
an unleakable channel, i.e., with no leakage buttons
for A and B. Unfortunately this can be shown to
be impossible. The proof is similar in spirit to the
impossibility proof for commitments.
Theorem 6. An unleakable secure channel cannot
be realized from an authenticated channel and a secret
key.
21