January 20 – 25 , 2019, Dagstuhl Seminar 19042

Practical Yet Composably Secure Cryptographic Protocols


Jan Camenisch (Dfinity Foundation – Zug, CH)
Ralf Küsters (Universität Stuttgart, DE)
Anna Lysyanskaya (Brown University – Providence, US)
Alessandra Scafuro (North Carolina State University – Raleigh, US)

For support, please contact

Dagstuhl Service Team


Dagstuhl Report, Volume 9, Issue 1 Dagstuhl Report
Aims & Scope
List of Participants
Dagstuhl Seminar Schedule [pdf]


We began by having survey talks on four research threads that had laid foundations of such models. Specifically, Ran Canetti presented his Universal Composability model, Dennis Hofheinz presented his work on the GNUC model, Ralf Küsters presented his IITM/iUC model, and Ueli Maurer presented the model of Constructive Cryptography.

Following these tutorials, we had several talks on how specific security goals and protocols are modeled and proved secure. Björn Tackmann presented a way to model a zero-knowledge proof protocol that made statements about knowledge of certain inputs to ideal functionalities. Manu Drijvers presented a way to model the global random oracle that can be used by participants in different protocols in a composable way.

Once the details of the specific models and how to use them were fresh in everyone's minds, we split up into working groups. In order to do this, we first had a discussion on what problems we believed were worth tackling; we proposed many problems, and then agreed to discuss a subset of them.

The topics explored by the working groups are discussed in detail below, in the "results" section of this report. The following additional topics were proposed for discussion (but were not discussed):

  • Model asynchrony and time
  • Anonymous communication
  • Global random oracles in CC
  • Secure Message Transfer in various model
  • Concrete security in UC/IITM
  • Finalise F_sig (with reasons why certain choices are better than others)

Additionally, we had several talks on recent and ongoing research projects. Marc Fischlin on composition of key agreement; Markulf Kohlweiss on structuring game-based proofs; Ran Cohen on probabilistic termination in cryptographic protocols; Antigoni Polychandrou presented two-round two-party computation; Vassilis Zikas modeling the public ledger functionality; Ran Canetti talking about using the EasyCrypt software to aid in cryptographic proofs and verification.

The following is a summary of the workshop results:

  1. The relationship between the UC and IITM model was intensively discussed, concluding that the models are very close and that it is possible to unify the two models. The unification also seamlessly includes JUC, GUC, and SUC.
  2. The working group on SNARKs (recursive composition of succinct proofs) achieved initial modeling success and crystallization of what's actually challenging.
  3. The working group on modeling F_vrf and constricting it from F_sig, F_ro figured out what the stumbling blocks were and what was fundamental.
  4. The working group on F_NIZK and proofs about signatures in Constructive Crypto started to model typical UC functionality in the Constructive Crypto framework and then inspected how they could be composed.
  5. The working group on building threshold primitives from single primitive (e.g. threshold signatures from signatures, threshold encryption from encryption etc) came up with a candidate for a "thresholdizer" functionality, and found some subtleties in defining threshold behavior in the ideal world. The also found a
  6. The working group on setup assumptions analyzed the assumptions used for constructing composable protocols in terms of practicality and security provided.
  7. The working group on delegating secret keys - discovered a simple interface that can be added to F_sig to make it possible to delegate from one user to another well-defined user. Next steps are to investigate if it generalizes to other functionalities and to delegation that's based on knowledge transfer rather than explicit authorization of identity.
Summary text license
  Creative Commons BY 3.0 Unported license
  Jan Camenisch, Ralf Küsters, Anna Lysyanskaya, and Alessandra Scafuro


  • Security / Cryptology


  • Security Models
  • Universally Composability
  • Provably Secure Protocols
  • Applied Cryptography
  • Cryptographic Protocols
  • Practical Protocols.


In the series Dagstuhl Reports each Dagstuhl Seminar and Dagstuhl Perspectives Workshop is documented. The seminar organizers, in cooperation with the collector, prepare a report that includes contributions from the participants' talks together with a summary of the seminar.


Download overview leaflet (PDF).

Dagstuhl's Impact

Please inform us when a publication was published as a result from your seminar. These publications are listed in the category Dagstuhl's Impact and are presented on a special shelf on the ground floor of the library.


Furthermore, a comprehensive peer-reviewed collection of research papers can be published in the series Dagstuhl Follow-Ups.