How to guarantee security in complex protocol environments?

Traditional approach: keep writing more sophisticated definitions, that capture more scenarios…
- Ever more complex
- No guarantee that “we got it all”.
- No general view
An alternative approach:
- Prove security of a protocol as stand-alone (single execution, no other parties).
- Use a general secure composition theorem to deduce security in arbitrary execution environments.

Traditional approach: keep writing more sophisticated definitions, that capture more scenarios…