CSE208: Advanced cryptography, Fall 2002

Lecture 9: Proof of the composition theorem

Protocol Composition

Last time we defined a synchronous execution model for distributed protocols, and defined their execution in the presence of an adversary that corrupts some of the parties. In summary, the execution model is defined by a set FF of randomized functions mapping n inputs to n outputs. A protocol is specified by n sequence of probabilistic polynomial time computable functions P[1],...,P[n], and sequence of r functions f[1],...,f[r] from FF. The computation proceeds in r rounds. The input to the program is a sequence of values X[0,...,n], and produces output values Y[0,...,n], where index 0 is used for the auxiliary input/output of the adversary. We define intermediate inputs and outputs X[i,j], Y[i,j] and states S[i,j] for every round j of the computation.

We say that a protocol computes (randomized) function f if the input-output relation defined by the protocol when all parties are honest has the same distribution as function f. Security is defined using a simulation argument: a protocol (P[],f[]) securely compute function F

Protocol composition is defined in the obvious way. Specifically, let (P[],f[]) be any protocol, and let (Q[],g[]) be a protocol to compute function f[i], i.e., the function used by P at round i. The composition P[Q/i] is defined as the protocol with r(P) + r(Q) - 1 rounds, where round i of protocol P is replaced by the r(Q) rounds of protocol Q. The sequence of round functions for the composed protocol is defined substituting f[i] with g[1],...,g[r(Q)]. The programs P[i] are defined similarly: we can assume wlog that functions P[] keep the current round number as part of the state. In the new program P', when the index reaches round i, the current state S[*,i] is temporarily saved, and for the following r(Q) rounds the prograpms Q[] are executed, starting from the empty state and input values X[*] as specified by X[*,i]. After the r(Q) rounds are executed, the execution of P is resumed, using the saved state S[*,i] and the output of Q as input values.

Composition theorem

We want to prove the following theorem. For any protocols (P[],f[]) and (Q[],g[]), if Q securely compute f[i], then the composed protocol P[Q/i] is at least as secure as P. Formally, for any adversary A' attacking P' = P[Q/i] there is an adversary A attacking P such that EXEC[P,f,A,B,X] = EXEC[P',f',A',B,X].

In particular, if P securely compute function F, i.e., for every adversary A there is a "simulator" such that EXEC[P,A,f,B,X] = EXEC[Id,F,S,B,X], then the composed protocol also securely compute F, i.e., for every adversary A' there is a "simulator" such that EXEC[P',A',f',B,X] = EXEC[Id,F,S,B,X].

Proof of the composition theorem

From the assumption that Q securely compute f[i] we know that for every adversary A'' attacking Q there is a simulator S such that for every set B and inputs X, EXEC[Q,A'',g,B,X] = EXEC[Id,f[i],S,B,X].

Let A' be an adversary attacking the composed protocol P'. We want to define an attack to the idealized protocol P where function f[i] is computed by a "trusted party". We consider a very special adversary A'' attacking Q. This adversary will be used to obtain a simulator S (for Q) that can be used to transform A' into A.

The attack A'' works as follow:

We know that there exists a simulator S that produces the same output as A'' when interacting with a trusted party evaluation function f[i]. We use this simulator to modify the adversary A' into an adversary A. But before defining A, we make an important observation: A'' does not use the inputs X[B] to the bad players. So for the output of S to be the same as A'' for all inputs X, it must be that the output of S is independent of the values X[B] passed to the simulator. In particular, running S on input X[B]=0 produces the same distribution as running A'' on the real inputs X[B] (which are ignored by A'' anyway).

The new adversary A works as follows:

It is easy to see that if EXEC[P,f,A,B,X] can be distinguished from EXEC[P',f',A',B,X] then we can use the distinguisher to tell distributions EXEC[Q,g,A'',B,X] and EXEC[Id,f[i],S,B,X] apart.

Exercise: Prove a composition theorem for semihonest parties, i.e., show that for any two protocols P,Q that privately compute their respective functions, (and assuming the function computed by Q is the one used by P at round i), the composition P[Q/i] is also private.


We proved a composition theorem for multiparty computation. The notion of composition used correspond to sequential execution models, and non-adaptive adversary. Both concurrent execution and adaptive adversary raises complications. In particular, the notion of security defined and used in the proof does not seems to be preserved under concurrent composition or more powerful attacks. We will explore extensions to the composition theorem later on in the course.


The recommended references for the material presented in this lecture are

R. Canetti, Security and Composition of Multiparty Cryptographic Protocols, Journal of Cryptology, 13(1), 2000.

O. Goldreich, Secure Multi-Party Computation. manuscript