Search the Dagstuhl Website
Looking for information on the websites of the individual seminars? - Then please:
Not found what you are looking for? - Some of our services have separate websites, each with its own search option. Please check the following list:
Schloss Dagstuhl - LZI - Logo
Schloss Dagstuhl Services
Within this website:
External resources:
  • DOOR (for registering your stay at Dagstuhl)
  • DOSA (for proposing future Dagstuhl Seminars or Dagstuhl Perspectives Workshops)
Within this website:
External resources:
Within this website:
External resources:
  • the dblp Computer Science Bibliography

Dagstuhl Seminar 19042

Practical Yet Composably Secure Cryptographic Protocols

( Jan 20 – Jan 25, 2019 )

Please use the following short url to reference this page:





The number as well as the complexity of the cryptographic protocols that are used in practice has increased substantially in the last few years. Unfortunately, cryptographic protocols used in practice often do not come with proper security proofs but rather with hand wavy arguments that they will fulfill their requirements. In the past two decades, the cryptographic community has made substantial progress in modeling cryptographic protocols and proving their security: a number of security frameworks have emerged that guarantee that a cryptographic protocol remains secure under composition, i.e., it remains secure no matter in what environment it is used. While this is the kind of security guarantee that is needed for all cryptographic protocols and in particular those used in practice, protocols designed in these composable security frameworks tend to be not sufficiently efficient to be usable in practice.

The main goal of this Dagstuhl Seminar is to assess the state of the art of the design, modeling, and security analysis of cryptographic protocols and to identify new approaches and directions that allow one to design cryptographic protocols that are efficient and yet offer the strongest security guarantees. To this end, we aim to identify hurdles preventing provably secure protocols from being efficient, and to compare the different composability frameworks proposed in the literature with respect to their ability to analyze practical protocols.

The topics to be considered in more detail in the seminar include the following ones:

  • Design of practical yet provably secure cryptographic protocols
  • Identification of hurdles for achieving efficient and provable UC security, identification of solutions
  • Modeling and comparison of different set-up assumptions and their implications
  • Comparison of the different composability frameworks

We plan to strike a balance between talks and open discussion sessions in order to identify and ignite future research towards security composition frameworks that facilitate the design and analysis of efficient cryptographic protocols. In accordance with the philosophy of Dagstuhl Seminars, we want to provide an inspiring environment for thought and discussion.

Copyright Jan Camenisch, Ralf Küsters, Anna Lysyanskaya, and Alessandra Scafuro


We began by having survey talks on four research threads that had laid foundations of such models. Specifically, Ran Canetti presented his Universal Composability model, Dennis Hofheinz presented his work on the GNUC model, Ralf Küsters presented his IITM/iUC model, and Ueli Maurer presented the model of Constructive Cryptography.

Following these tutorials, we had several talks on how specific security goals and protocols are modeled and proved secure. Björn Tackmann presented a way to model a zero-knowledge proof protocol that made statements about knowledge of certain inputs to ideal functionalities. Manu Drijvers presented a way to model the global random oracle that can be used by participants in different protocols in a composable way.

Once the details of the specific models and how to use them were fresh in everyone's minds, we split up into working groups. In order to do this, we first had a discussion on what problems we believed were worth tackling; we proposed many problems, and then agreed to discuss a subset of them.

The topics explored by the working groups are discussed in detail below, in the "results" section of this report. The following additional topics were proposed for discussion (but were not discussed):

  • Model asynchrony and time
  • Anonymous communication
  • Global random oracles in CC
  • Secure Message Transfer in various model
  • Concrete security in UC/IITM
  • Finalise F_sig (with reasons why certain choices are better than others)

Additionally, we had several talks on recent and ongoing research projects. Marc Fischlin on composition of key agreement; Markulf Kohlweiss on structuring game-based proofs; Ran Cohen on probabilistic termination in cryptographic protocols; Antigoni Polychandrou presented two-round two-party computation; Vassilis Zikas modeling the public ledger functionality; Ran Canetti talking about using the EasyCrypt software to aid in cryptographic proofs and verification.

The following is a summary of the workshop results:

  1. The relationship between the UC and IITM model was intensively discussed, concluding that the models are very close and that it is possible to unify the two models. The unification also seamlessly includes JUC, GUC, and SUC.
  2. The working group on SNARKs (recursive composition of succinct proofs) achieved initial modeling success and crystallization of what's actually challenging.
  3. The working group on modeling F_vrf and constricting it from F_sig, F_ro figured out what the stumbling blocks were and what was fundamental.
  4. The working group on F_NIZK and proofs about signatures in Constructive Crypto started to model typical UC functionality in the Constructive Crypto framework and then inspected how they could be composed.
  5. The working group on building threshold primitives from single primitive (e.g. threshold signatures from signatures, threshold encryption from encryption etc) came up with a candidate for a "thresholdizer" functionality, and found some subtleties in defining threshold behavior in the ideal world. The also found a
  6. The working group on setup assumptions analyzed the assumptions used for constructing composable protocols in terms of practicality and security provided.
  7. The working group on delegating secret keys - discovered a simple interface that can be added to F_sig to make it possible to delegate from one user to another well-defined user. Next steps are to investigate if it generalizes to other functionalities and to delegation that's based on knowledge transfer rather than explicit authorization of identity.
Copyright Jan Camenisch, Ralf Küsters, Anna Lysyanskaya, and Alessandra Scafuro

  • Jan Camenisch (Dfinity Foundation - Zug, CH) [dblp]
  • Ran Canetti (Tel Aviv University, IL) [dblp]
  • Celine Chevalier (University Paris II, FR) [dblp]
  • Ran Cohen (MIT - Cambridge, US) [dblp]
  • Manu Drijvers (Dfinity - Zürich, CH) [dblp]
  • Marc Fischlin (TU Darmstadt, DE) [dblp]
  • Dov Gordon (George Mason University - Fairfax, US) [dblp]
  • Jens Groth (London, GB) [dblp]
  • Timo Hanke (Dfinity Foundation - Zug, CH) [dblp]
  • Dennis Hofheinz (KIT - Karlsruher Institut für Technologie, DE) [dblp]
  • Markulf Kohlweiss (University of Edinburgh, GB) [dblp]
  • Stephan Krenn (AIT - Austrian Institute of Technology - Wien, AT) [dblp]
  • Ralf Küsters (Universität Stuttgart, DE) [dblp]
  • Anna Lysyanskaya (Brown University - Providence, US) [dblp]
  • Mary Maller (University College London, GB) [dblp]
  • Ueli Maurer (ETH Zürich, CH) [dblp]
  • Arpita Patra (Indian Institute of Science - Bangalore, IN) [dblp]
  • Antigoni Polychroniadou (Cornell Tech - New York, US) [dblp]
  • Daniel Rausch (Universität Stuttgart, DE) [dblp]
  • Alessandra Scafuro (North Carolina State University - Raleigh, US) [dblp]
  • Daniel Slamanig (AIT - Austrian Institute of Technology - Wien, AT) [dblp]
  • Björn Tackmann (IBM Research-Zurich, CH) [dblp]
  • Muthuramakrishnan Venkitasubramaniam (University of Rochester, US) [dblp]
  • Ivan Visconti (University of Salerno, IT) [dblp]
  • Sophia Yakoubov (MIT Lincoln Laboratory - Lexington, US) [dblp]
  • Vassilis Zikas (University of Edinburgh, GB) [dblp]

  • security / cryptology

  • Security Models
  • Universally Composability
  • Provably Secure Protocols
  • Applied Cryptography
  • Cryptographic Protocols
  • Practical Protocols.