Composability Of Long-Lived Security Solutions

Jörn Müller-Quade

Unconditionally hiding commitments have the property of everlasting security. I.e. their security cannot be compromised after termination of the protocol, even if the adversary becomes computationally unlimited. A natural question to ask is, wether one can build more elaborate protocols with everlasting security on top of an unconditionally hiding commitment. This question is studied in a variant of the UC framework, where the environment machine (which tries to distinguish a real protocol with a real adversary from an ideal functionality with a simulator) becomes unlimited after termination of the protocol.

Unconditionally hiding commitments are possible in the UC framework given a trusted Common Reference String (CRS). Interestingly these commitmens do not have everlasting security. The reason seems artificial, because the environment machine will, after becoming unlimited, distinguish the trusted CRS of the real model from the simulated CRS in the ideal model. Therefore we discuss variants of the UC framework which need no trusted setup and introduce the idea to allow the simulator to rewind the environment machine to be able to extract unconditionally concealing commitments for the simulation. This rewinding is only possible if the environment machine is a classical machine not using any quantum computations. For the quantum case we even show that no composable notion of security allows for everlastingly secure commitments from (temporary) computational assumptions.

As an outlook we conjecture that in a model where quantum information cannot be stored only for a bounded time (temporary) computational assumptions suffice to obtain composable commitments with everlasting security and, together with a quantum channel, allow for arbitrary multiparty computations with everlasting security.