{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T04:15:00Z","timestamp":1778040900373,"version":"3.51.4"},"reference-count":26,"publisher":"International Association for Cryptologic Research","issue":"1","license":[{"start":{"date-parts":[[2025,10,6]],"date-time":"2025-10-06T00:00:00Z","timestamp":1759708800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,12,2]]},"abstract":"<jats:p>Introduced by Canetti in 2001, Universal Composability (UC) is a widely adopted security model that enables the specification and proof of security for a broad range of protocols, offering strong security guarantees. At its core lies the universal composition theorem (UC theorem), which ensures that protocols proven secure within the framework remain secure even when deployed in real-world environments with multiple instances of them.<\/jats:p>\n                  <jats:p>In this work, we present two key contributions. First, we identify several problems with the UC framework, in particular the UC Theorem. They include counterexamples, limitations that make it unusable for important classes of protocols, and weaknesses in its proof. These problems reveal flaws in nearly all the fundamental concepts of UC.<\/jats:p>\n                  <jats:p>Second, we propose a revised formulation of the main concepts of UC to address these issues. Although the resulting modifications are nontrivial, our updated definitions are designed to remain as faithful as possible to the structure and intent of the original model.<\/jats:p>","DOI":"10.62056\/a6n56chdj","type":"journal-article","created":{"date-parts":[[2026,5,4]],"date-time":"2026-05-04T18:09:08Z","timestamp":1777918148000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["Diving Deep Into UC"],"prefix":"10.62056","volume":"3","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-4231-4958","authenticated-orcid":false,"given":"C\u00e9line","family":"Chevalier","sequence":"first","affiliation":[{"name":"CRED, Paris-Panth\u00e9on-Assas University","place":["Paris, France"]},{"name":"DIENS, \u00c9cole normale sup\u00e9rieure","place":["Paris, France"]},{"name":"CNRS","place":["France"]},{"name":"PSL University","place":["France"]},{"name":"Inria","place":["France"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-1612-8209","authenticated-orcid":false,"given":"\u00c9ric","family":"Sageloli","sequence":"additional","affiliation":[{"name":"Thales","place":["France"]},{"name":"DIENS, \u00c9cole normale sup\u00e9rieure","place":["Paris, France"]},{"name":"CNRS","place":["France"]},{"name":"PSL University","place":["France"]},{"name":"Inria","place":["France"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"48349","published-online":{"date-parts":[[2026,5,4]]},"reference":[{"key":"ref1:FOCS:Canetti01","doi-asserted-by":"publisher","first-page":"136","DOI":"10.1109\/SFCS.2001.959888","article-title":"Universally Composable Security: A New Paradigm for\n  Cryptographic Protocols","author":"Ran Canetti","year":"2001"},{"key":"ref2:EC:JarKraXu18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"456","DOI":"10.1007\/978-3-319-78372-7_15","article-title":"OPAQUE: An Asymmetric PAKE Protocol Secure Against\n  Pre-computation Attacks","volume":"10822","author":"Stanislaw Jarecki","year":"2018"},{"key":"ref3:SCN:Hesse20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"579","DOI":"10.1007\/978-3-030-57990-6_29","article-title":"Separating Symmetric and Asymmetric Password-Authenticated\n  Key Exchange","volume":"12238","author":"Julia Hesse","year":"2020"},{"key":"ref4:C:CNPR22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"668","DOI":"10.1007\/978-3-031-15979-4_23","article-title":"CHIP and CRISP: Protecting All Parties Against\n  Compromise Through Identity-Binding PAKEs","volume":"13508","author":"Cas Cremers","year":"2022"},{"key":"ref5:C:BGHJ24","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"183","DOI":"10.1007\/978-3-031-68379-4_6","article-title":"Bare PAKE: Universally Composable Key Exchange from Just\n  Passwords","volume":"14921","author":"Manuel Barbosa","year":"2024"},{"key":"ref6:PKC:MPCPPS25","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-91820-9","volume-title":"Public-Key Cryptography \u2013 PKC 2025","author":"Megan Chen","year":"2025"},{"key":"ref7:ACNS:BlaChe15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"65","DOI":"10.1007\/978-3-319-28166-7_4","article-title":"Generic Construction of UC-Secure Oblivious Transfer","volume":"9092","author":"Olivier Blazy","year":"2015"},{"key":"ref8:C:DFGHHH23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"330","DOI":"10.1007\/978-3-031-38551-3_11","article-title":"Security Analysis of the WhatsApp End-to-End Encrypted\n  Backup Protocol","volume":"14084","author":"Gareth T. Davies","year":"2023"},{"key":"ref9:C:CJSV22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-031-15979-4_1","article-title":"Universally Composable End-to-End Secure Messaging","volume":"13508","author":"Ran Canetti","year":"2022"},{"key":"ref10:JC:BMTZ24","doi-asserted-by":"publisher","first-page":"18","DOI":"10.1007\/s00145-024-09493-7","article-title":"Bitcoin as a Transaction Ledger: A Composable\n  Treatment","volume":"37","author":"Christian Badertscher","year":"2024","journal-title":"Journal of Cryptology"},{"key":"ref11:CanettiJACM2020","doi-asserted-by":"publisher","DOI":"10.1145\/3402457","article-title":"Universally Composable Security","volume":"67","author":"Ran Canetti","year":"2020","journal-title":"J. ACM"},{"key":"ref12:C:CanRab03","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"265","DOI":"10.1007\/978-3-540-45146-4_16","article-title":"Universal Composition with Joint State","volume":"2729","author":"Ran Canetti","year":"2003"},{"key":"ref13:TCC:CDPW07","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"61","DOI":"10.1007\/978-3-540-70936-7_4","article-title":"Universally Composable Security with Global Setup","volume":"4392","author":"Ran Canetti","year":"2007"},{"key":"ref14:EPRINT:CamDriTac19","volume-title":"Multi-Protocol UC and its Use for Building Modular and\n  Efficient Protocols","author":"Jan Camenisch","year":"2019"},{"key":"ref15:EPRINT:CheSag25","volume-title":"Diving Deep Into UC: Uncovering and Resolving Issues in\n  Universal Composability","author":"C\u00e9line Chevalier","year":"2025"},{"key":"ref16:TCC:BCHTZ20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-030-64381-2_1","article-title":"Universal Composition with Global Subroutines: Capturing\n  Global Setup Within Plain UC","volume":"12552","author":"Christian Badertscher","year":"2020"},{"key":"ref17:AC:CKKR19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"191","DOI":"10.1007\/978-3-030-34618-8_7","article-title":"iUC: Flexible Universal Composability Made Simple","volume":"11923","author":"Jan Camenisch","year":"2019"},{"key":"ref18:JC:KusTueRau20a","doi-asserted-by":"publisher","first-page":"1461","DOI":"10.1007\/s00145-020-09352-1","article-title":"The IITM Model: A Simple and Expressive Model for\n  Universal Composability","volume":"33","author":"Ralf K\u00fcsters","year":"2020","journal-title":"Journal of Cryptology"},{"key":"ref19:EC:RauKusChe22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"242","DOI":"10.1007\/978-3-031-07085-3_9","article-title":"Embedding the UC Model into the IITM Model","volume":"13276","author":"Daniel Rausch","year":"2022"},{"key":"ref20:10.1007\/978-3-642-27375-9_3","isbn-type":"print","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1007\/978-3-642-27375-9_3","article-title":"Constructive Cryptography \u2013 A New Paradigm for Security\n  Definitions and Proofs","author":"Ueli Maurer","year":"2012","ISBN":"https:\/\/id.crossref.org\/isbn\/9783642273759"},{"key":"ref21:JC:HofSho15","doi-asserted-by":"publisher","first-page":"423","DOI":"10.1007\/s00145-013-9160-y","article-title":"GNUC: A New Universal Composability Framework","volume":"28","author":"Dennis Hofheinz","year":"2015","journal-title":"Journal of Cryptology"},{"key":"ref22:C:CanCohLin15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-662-48000-7_1","article-title":"A Simpler Variant of Universally Composable Security for\n  Standard Multiparty Computation","volume":"9216","author":"Ran Canetti","year":"2015"},{"key":"ref23:EC:HesRos25","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"395","DOI":"10.1007\/978-3-031-91124-8_14","article-title":"PAKE Combiners and Efficient Post-quantum Instantiations","volume":"15602","author":"Julia Hesse","year":"2025"},{"key":"ref24:EC:LyuLiu25","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"421","DOI":"10.1007\/978-3-031-91124-8_15","article-title":"Hybrid Password Authentication Key Exchange in the UC\n  Framework","volume":"15602","author":"You Lyu","year":"2025"},{"key":"ref25:EC:BDFH25","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"332","DOI":"10.1007\/978-3-031-91101-9_12","article-title":"The 2Hash OPRF Framework and Efficient Post-quantum\n  Instantiations","volume":"15608","author":"Ward Beullens","year":"2025"},{"key":"ref26:USENIX:HesSinSor23","first-page":"3047","article-title":"How to Bind Anonymous Credentials to Humans","author":"Julia Hesse","year":"2023"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T04:00:56Z","timestamp":1778040056000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/3\/1\/5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,4]]},"references-count":26,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,5,4]]}},"URL":"https:\/\/doi.org\/10.62056\/a6n56chdj","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,5,4]]},"assertion":[{"value":"2025-10-06","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-12-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-4-40"}}