Publication

The Limits of Composable Crypto with Transferable Setup Devices

Serge Vaudenay, Miyako Ohkubo
2015
Conference paper
Abstract

UC security realized with setup devices imposes that single instances of these setups are used. In most cases, UC-realization relies further on other properties of the setup devices, like tamper-resistance. But what happens in stronger versions of the UC framework, like EUC or JUC, where multiple instances of these setups are allowed? Can we formalise what it is about setups like these which makes them sometimes hinder UC, JUC, EUC realizability? In this paper, we answer this question. As such, we formally introduce transferable setups, which can be viewed as setup devices that do not (publicly) disclose if they have been maliciously passed on. Further, we prove the general result that one cannot realize oblivious transfer (OT) or any "interesting" 2-party protocol using transferable setups in the EUC model. As a by-product, we show that physically unclonable functions (PUFs) themselves are transferable devices, which means that one cannot use PUFs as global setups; this is interesting because non-transferability is a weaker requirement than locality, which until now was the property informally blamed for UC-impossibility results regarding PUFs as global setups. If setups are transferable (i.e., they can be passed on from one party to another without explicit disclosure of a malicious transfer), then they will not intrinsically leak if a relay attack takes place. Indeed, we further prove that if relay attacks are possible then oblivious transfer cannot be realized in the JUC model. Linked to the prevention of relaying, authenticated channels have historically been an essential building stone of the UC model. Related to this, we show how to strengthen some existing protocols UC-realized with PUFs, and render them not only UC-secure but also JUC-secure.
