The framework of universal composability (UC)[1] is a general-purpose model for the analysis of cryptographic protocols.
Security is defined in the sense of protocol emulation.
Intuitively, a protocol is said to emulate another one, if no environment (observer) can distinguish the executions.
We say that a cryptographic protocol that cannot make use of such a trusted party fulfils an ideal functionality, if the protocol can emulate the behaviour of the trusted party for honest users, and if the view that an adversary learns by attacking the protocol is indistinguishable from what can be computed by a simulator that only interacts with the ideal functionality.
The computation model of universal composability is that of interactive Turing machines that can activate each other by writing on each other's communication tapes.
An interactive Turing machine is a form of multi-tape Turing machine and is commonly used for modelling the computational aspects of communication networks in cryptography.
The communication model in the bare UC framework is very basic.
are modeled through the (limited) capacity of the adversary to interact with this ideal functionality.
To model the power of the adversary to delay asynchronous communication the functionality
This models the requirement that a secure channel is both authenticated and private.
Asynchronous communication is modeled through the same delay mechanism as for
While the technical means, and the physical assumptions behind anonymous and pseudonymous communication are very different,[2] the modeling of such channels using ideal functionalities is analogous.
as input, and outputs the same message but without disclosing the identity
In an ideal pseudonymous channel, the participating parties first register unique pseudonyms with the ideal functionality
The ideal functionality looks up the owner of the pseudonym and transfers the message
In their pure form an ideal functionality may be found to be unrealizable.
It may be necessary to relax the functionality by leaking more information to the adversary (degree of anonymity).
On the other hand communication channels can be physical,[3][4] e.g. a mobile device can achieve an anonymous channel by constantly changing its location before transmitting messages that do not contain identifiers.
There exists no bit commitment protocol that is universally composable in the standard model of cryptography.
The intuition is that in the ideal model, the simulator has to extract the value to commit to from the input of the environment.
To circumvent the above impossibility result, additional assumptions are required.
Additional setup and trust assumptions, such as the common reference string model and the assumption of a trusted certification authority are also modeled using ideal functionalities in UC.