1 Introduction

Minimizing the round complexity of cryptographic protocols has been a central theme of research in the past few decades. Much of this research focused on the question of minimizing the round complexity of protocols for secure multiparty computation (MPC), both in the general case as well as for special tasks of interest such as zero-knowledge proofs, oblivious transfer (OT), or coin-tossing. This question is motivated not only by its direct relevance to the latency of protocols running over real-life networks, but also as an intriguing theoretical challenge that often inspires new ideas and serves as a test bed for new techniques.

The round complexity of MPC. We consider the standard setting of MPC with an arbitrary number of malicious parties, namely parties that are corrupted by a central adversary who may arbitrarily change their behavior. What do we know about the round complexity of MPC in this setting? Allowing a common random string (CRS) setup, it was recently shown [13, 28] that 2-round MPC protocols are possible under the (minimal) assumption that 2-round OT exists in the CRS model. This round complexity is clearly optimal, even in the easier setting of semi-honest adversaries who send messages as instructed by the protocol. In the plain model, without any setup, a long line of works [6, 9, 10, 15, 19, 27, 40, 54] has culminated in 4-round protocols that rely on the minimal assumption that a 4-round OT protocol exists [19]. This round complexity is known to be optimal for protocols that admit a black-box simulator [27, 30, 52]. All of the above 4-round protocols are of this kind.

Black-box constructions. Another central research theme in cryptography is obtaining black-box constructions of higher-level primitives from simpler lower-level primitives. A black-box construction of X from Y, also known as a (fully) black-box reduction from X to Y [59], specifies an implementation of X that only has oracle access to the input-output relation of Y, without being given any explicit representation of Y, e.g., in the form of a Boolean circuit or a Turing Machine. Moreover, it is required that the security reduction be black-box in the sense that any adversary \(A_X\) “attacking” X can be used as a black-box to obtain an adversary \(A_Y\) who obtains a similar advantage in attacking Y. Originating from the pioneering work of Impagliazzo and Rudich [43], a long line of works study the landscape of black-box reductions between natural cryptographic primitives. More relevant to our work is the effort to replace known instances of non-black-box constructions, where X requires access to the code of Y, by black-box constructions.

In the MPC context, early examples of results along this line include a black-box construction of constant-round honest-majority MPC protocols from one-way functions [22] (replacing an earlier non-black-box construction from [12]) and a black-box construction of malicious-secure OT from semi-honest OT [39] (replacing a non-black-box construction of [31]). Beyond the theoretical interest in understanding the tightness of the relation between primitives, the goal of replacing non-black-box constructions by black-box counterparts is strongly motivated by asymptotic and concrete efficiency. A well-known example in the context of MPC is the non-black-box OT extension construction of Beaver [11], which was replaced by a much more efficient black-box construction from [44] that is commonly used as a basis for fast MPC implementations. We use the term black-box MPC to refer generically to an MPC protocol obtained via a black-box construction from simple low-level primitives (such as OT) that can be easily and efficiently constructed from standard cryptographic assumptions.

Round complexity of black-box MPC. Interestingly, all of the round-optimal MPC protocols in the standard setting we consider, including those mentioned above, make non-black-box use of the underlying primitives. In the case of 2-round MPC protocols in the CRS model, this is known to be inherent (even for the easier goal of semi-honest security), at least for black-box constructions from 2-round OT or any other 2-party protocol [7]. However, no such impossibility result is known for 4-round MPC protocols in the plain model.

In the two-party case, a 4-round black-box protocol is known for one-sided functionalities that deliver output to only one of the two parties [24, 57]. The most general protocol of this kind makes a black-box use of any public-key encryption (\(\mathsf {PKE}\)) with pseudorandom public keys, which can be easily constructed from most standard cryptographic assumptions [24]. This implies a similar 5-round protocol for two-sided functionalities.

In contrast, for a general number of parties, all known constant-round protocols are either complex and inefficient, or resort to idealized models such as the Random Oracle (RO) model to achieve better efficiency but only heuristic security. Despite the significant body of work on the round complexity of black-box MPC and related primitives in the plain model, the best exact round complexity that follows from existing works [32, 49, 60] is greater than 15 (see Sect. 1.2). Recent attempts to minimize round complexity [6, 9, 10, 15, 19, 27, 54] have led to complex protocols that make heavy non-black-box use of cryptography. This gap gives rise to the first motivating question for our work.

figure a

Round complexity of black-box protocol transformations. It turns out that if “plain model” is relaxed to allow a simple setup in the form of random OT correlations between each pair of parties, the first part of the above question has been settled. Concretely, given an OT correlation setup, which can be generated with good concrete efficiency [14, 44], there is a 2-round MPC protocol making a black-box use of a pseudorandom generator [26]. However, this 2-round protocol is quite complex and inefficient, as it is obtained by applying a heavily non-black-box “protocol garbling” transformation [13, 28] to an underlying multi-round (information-theoretic) MPC protocol. This not only hurts asymptotic and concrete efficiency, but also rules out applying this transformation while respecting a black-box use of an underlying primitive. The latter includes a black-box use of an algebraic structure (e.g., a big finite field), a cryptographic primitive (e.g., homomorphic encryption or even a random oracle), or an ideal functionality oracle (e.g., OT or its arithmetic variant OLE). This is similar to the classical non-black-box protocol transformation from semi-honest MPC to malicious MPC, due to Goldreich, Micali, and Wigderson [31], which is limited in the same way.

In contrast, “black-box protocol transformations” from weak MPC protocols to stronger ones, commonly known as “MPC-in-the-head” transformations [46, 49, 50], have successfully avoided these limitations. In a nutshell, such transformations obtain a strong MPC protocol for f (say, with malicious security) by making a black-box use of any weak MPC protocol (say, with semi-honest security) for a related functionality \(f'\). The relation between f and \(f'\) needs to be restricted in some way. Typically, \(f'\) is a next-message function of (an information-theoretic) weak MPC protocol for f.

This black-box protocol transformation paradigm, systematically studied in [48], has not only given rise to new theoretical feasibility and efficiency results, but it has also led to practical zero-knowledge proof systems [5, 29], digital signatures [16, 51], and MPC protocols [41]. The question we ask is whether one can obtain a similar black-box protocol transformation in the context of 2-round MPC with OT correlation setup:

figure b

This question is particularly motivated in the two-party case, where there are many different techniques for efficient 2-round semi-honest protocols that make black-box use of algebraic or cryptographic primitives.

1.1 Our Contributions

We make progress on the aforementioned questions by obtaining the following types of round-efficient black-box protocols.

Black-box 4-Round “Pairwise MPC” in the Plain Model. Our first result addresses the first question by settling the round complexity of black-box MPC for a restricted but useful class of functionalities. Concretely, we get a 4-round black-box protocol for any pairwise MPC functionality that enable each ordered pair of parties to simultaneously compute a function of their inputs, whose output is delivered to the second party. The protocol makes a black-box use of any public-key encryption (\(\mathsf {PKE}\)) with pseudorandom public keys (which can be instantiated based on CDH, LWE and LPN), similar to the 4-round 2-party OT protocol of [24].

Informal Theorem 1

Let f be a pairwise MPC functionality. Assume the existence of a public-key encryption with pseudorandom public keys. There exists a four round black-box MPC protocol in the plain model that securely implements f against static corruptions of all-but-one parties.

The central challenge in the pairwise MPC setting is to develop two-party protocols that remain secure when executed in parallel. We develop new black-box protocols for this setting, starting with the case of OT protocols, and generalizing via the result of [45] to any two-party functionality. To this end, a technical contribution of our work is a novel combination of split-state non-malleable codes [18, 23] with standalone secure two-party protocols to obtain black-box, non-malleable two-party protocols.

The resulting pairwise MPC can be used to generate OT correlations in a preprocessing phase, as required by the 2-round black-box protocol of [26]. This results in a 6-round MPC protocol making black-box use of \(\mathsf {PKE}\) with pseudorandom public keys. While this already constitutes a major improvement over the state of the art, it is still two rounds away from the 4-round lower bound. Perhaps more importantly, as discussed above, the [26] approach employs a round-collapsing “protocol garbling” that limits its efficiency and applicability to protocols that make black-box use of algebraic or cryptographic primitives. Motivated by both limitations, we would like to replace the protocol garbling technique by a black-box protocol transformation that takes advantage of OT correlations.

An “IPS-style Compiler” for 2-round MPC. Our second main contribution is a new black-box protocol transformation obtained via a round-optimized variant of the “IPS compiler” [49]. This transformation uses a 2-round honest-majority MPC protocol from [47, 58] to transform in a black-box way any 2-round MPC protocol with an augmented variant of semi-honest security to obtain a 2-round MPC protocol with malicious security. The transformation relies on a special form of OT correlations (denoted as watchlist correlations) that can be generated via the above mentioned pairwise MPC functionality. Specifically, the watchlist correlations model outputs an n-party correlation between \((n-1)\) senders and a single receiver, where each sender \(S_i\) for \(i \in [n-1]\) obtains a random set of m strings \(x_{i,1}, \ldots , x_{i,m}\), and the receiver obtains a random subset \(K \subset [m]\) of a fixed size, as well as the values \(\{x_{i, j}\}_{i \in [n-1], j \in [k]}\). Combined with our first main result, this yields the same kind of 6-round black-box protocol obtained via [26], but with the advantage of making a black-box use of an augmented semi-honest protocol (as opposed to a non-black-box use of a malicious protocol incurred by the protocol garbling technique).

The augmented semi-honest security requirement combines the so-called semi-malicious security [8], which is satisfied by most natural 2-round semi-honest protocols, with a form of adaptive security with erasures. The latter is satisfied by all natural information-theoretic protocols (with standard forms of setup), as well as by computationally secure protocols with pre-processing. Concretely, we show the protocol from [26] in the OT correlations model and the protocol from [55] in the OLE correlations model satisfy augmented semi-honest security and thus, can be used in our compiler.

Informal Theorem 2

Let f be an arbitrary multiparty functionality. Consider the client-server MPC protocol from [47] that securely computes f. Let \(f'\) be the function computed by the servers in this protocol. There exists a black-box transformation from a two-round MPC protocol for \(f'\) satisfying augmented semi-honest security to a two-round malicious secure protocol for computing f in the watchlist correlations model.

Towards concretely efficient 2-sided NISC. An interesting use case for the above result is the 2-round, secure two-party protocol in which both parties get an output. This should be contrasted with the standard notion of non-interactive secure computation (NISC) [45] that applies to one-sided functionalities. Note that this kind of 2-sided NISC cannot be obtained by simply running two parallel instances of standard NISC, since even if we ignore parallel composition issues, there is no mechanism to enforce consistency between the inputs used in these instances (unless we rely on zero-knowledge proofs and make non-black-box use of cryptography). The only alternative black-box approach to 2-sided NISC over OT correlations we are aware of is via the protocol garbling technique that garbles the code of a malicious secure protocol and thus, has prohibitive computational and communication cost. Even in the 1-sided case, existing protocols from [1, 17, 42, 45, 56] are heavily tailored to specific garbling techniques and do not make a black-box use of an underlying semi-honest protocol.

We note that techniques developed in the context of an “IPS-style compiler" in the two-round setting gives a new approach for constructing protocols for the 2-sided NISC problem. Specifically, if we use [47, 58] as the outer protocol and use the simple two-sided version of Yao’s protocol (using Boolean garbling in the OT correlations model) as the inner protocol, we obtain a 2-sided NISC protocol that is secure against malicious adversaries in the OT correlations model.Footnote 1 In Sect. 8.5 of the full version, we suggest some optimizations to improve the concrete efficiency.

Black-box 5-Round MPC in the Plain Model. Our third and final result uses a specialized combination of the previous contributions to get “one round away” from settling the main open question about the round complexity of black-box MPC. Concretely, we get a 5-round MPC protocol that makes a black-box use of \(\mathsf {PKE}\) with pseudorandom public keys (as in the first contribution), along with any 2-round OT protocol with “semi-malicious” security. The latter security requirement is a very mild strengthening of semi-honest security in the context of 2-round OT protocols, and is satisfied by most 2-round OT protocols from the literature (for instance, it can be instantiated from standard assumptions such as DDH, LWE, QR).

Informal Theorem 3

Let f be an arbitrary multiparty functionality. Assume the existence of a public key encryption with pseudorandom public keys and a two-round oblivious transfer protocol with semi-malicious security. There exists a five-round black-box protocol in the plain model that securely implements f against malicious adversaries that statically corrupts upto all-but-one parties.

1.2 Related Work

In this subsection, we give a brief overview of the two main approaches taken by prior work obtaining black-box MPC protocols in the plain model.

Coin tossing based approach. The main idea in this approach is to use a black-box simulatable coin tossing protocol to setup a CRS and then use black-box MPC protocols (such as [GIS18]) in the CRS model. Roughly, to generate the CRS, the idea is for each party to commit to a random string \(r_i\) and in a later step, for all parties to reveal their coins. To ensure that malicious parties cannot set their randomness as a function of that of other honest players, players should use a (concurrent) non-malleable commitment in the commit phase.

But the main bottleneck to obtaining such a coin tossing protocol is achieving simulatability. To achieve the simulation guarantee and allow a simulator to “force” the output of the coin toss to be a certain valueFootnote 2, one would need to rely zero-knowledge protocols, which if applied naively make non-black-box use of cryptography. Even if one were able to achieve simulation-based guarantees via a specific protocol, one would need to tailor this to prove statements about construction of bounded concurrent non-malleable commitment w.r.t. commitment against synchronising adversaries, for which no round efficient black-box constructions exist. More specifically, [35] gives a black-box protocol but the number of rounds of this protocol is greater than 18 (the coin tossing requires at least two more rounds. [36] gives a 3-round black-box construction of NMCom but is only secure in the standalone setting. The other round efficient constructions of concurrent NMCom [20, 21, 37, 53] make non-black use of cryptography.

IPS compiler based approach. The IPS compiler [49] gives a black-box MPC protocol in the OT hybrid model. The main challenge in instantiating this approach in the plain model is in constructing a protocol that securely realizes the ideal OT functionality. In particular, we need a protocol that realizes the ideal OT functionality between every ordered pair of parties. [60] gave a non-constant round black-box way to realize this which was improved by [32] who gave a constant round protocol. The main component in the constant round protocol is again a constant round black-box bounded concurrent non-malleable commitment wrt replacement (which is weaker than the traditional definition of non-malleable commitment wrt commitment). Even if we rely on a three-round black-box version of such a non-malleable commitment from [34], the OT protocol requires at least 12 rounds of communication. A straightforward way of combining this with the IPS approach incurs at least four more rounds.

2 Technical Overview

In this section, we provide an overview of the key technical ideas used in constructing a four round, black-box pairwise MPC in the plain model. One of the key building blocks used in this construction is a watchlist protocol. We give a construction of this protocol based on any public-key encryption with pseudorandom public keys and we elaborate on this next.

2.1 The Watchlist Protocol

We start by describing the ideal version of the watchlist functionality. The watchlist functionality is nothing but an implementation of a k-out-of-m oblivious transfer between each ordered pair of parties. Specifically, each ordered pair \(P_i\) and \(P_j\) execute a k-out-of-m OT where \(P_i\) acts as a receiver and \(P_j\) acts as a sender. We observe that the k-out-of-m OT is a one-sided functionality and hence, this can be realized if parties have pairwise access to independent copies of the ideal OT functionality [45, 49]. We call this as simultaneous secure OT and would like to securely realize this ideal functionality in the plain model in the presence of arbitrary malicious corruptions.

A Starting Point. A natural first attempt is to just have each pair of parties simultaneously execute a two-party secure protocol computing the k-out-of-m OT functionality. Such a protocol can be realized based on black-box use of any public key encryption scheme with pseudorandom public keys [24, 57].

Unfortunately, this does not securely emulate access to independent copies of the ideal OT functionality between pairs of participants, because this protocol satisfies only stand-alone security. It is easy to achieve OT that composes under parallel repetition with fixed roles, i.e., where many OT sessions are executed in parallel, and an adversary either corrupts multiple senders or multiple receivers but does not simultaneously corrupt (subsets of) senders and receivers. In particular, the stand-alone secure construction of OT from pseudorandom public keys in [24] already achieves this notion of parallel composition.

But in the (more general) simultaneous setting, an adversarial party \(P^*_i\) participates in many OT sessions simultaneously, as sender in some sessions and receiver in others. This gives \(P_i^*\) the opportunity to generate its own (e.g., sender) message in some OT session as a function of a message generated by an honest sender in a different OT session, thereby possibly making its own input depend on the input(s) of honest player(s). Clearly, this is disallowed by the ideal simultaneous OT functionality; but not prevented by standalone OT. Our first step towards addressing this vulnerability is to ensure that adversarial inputs are independent of the inputs of honest players.

As discussed in the introduction, we develop a novel approach to achieving such independence. In particular, we construct “non-malleable OT” that satisfies the following guarantees.

  • Receiver Security under Parallel Composition. For every adversarial sender \({\mathcal A} ^*\) that corrupts the OT sender (or resp., multiple senders in any parallel composition of the OT protocol), there exists a simulator that simulates the view of \({\mathcal A} ^*\) with black-box access to (resp., copies of) the ideal OT functionality. This follows automatically from simulation-based security against malicious senders (resp., in the parallel composition setting) of the underlying two-party secure protocol \(\varPi _{\mathcal F} \).

  • Non-Malleability. Informally, here we consider a man-in-the-middle adversary \(\mathsf {MIM} \) that acts as a receiver in a subset of OT sessions (that we refer to as “left” sessions) and as sender in a different subset of OT sessions (that we refer to as “right” sessions). We require the existence of a simulator-extractor \(\mathsf {Sim}\text {-}\mathsf {Ext}\), that given the inputs of all honest receivers (participating in all right sessions), is able to extract all the implicit inputs used by the \(\mathsf {MIM} \) in all its right sessions. Crucially, \(\mathsf {Sim}\text {-}\mathsf {Ext}\) does not have access to the inputs of honest senders (participating in the left sessions). This is the key property that prevents an adversarial sender from “copying” the inputs of honest senders, or more generally, generating its inputs as a function of honest senders’ inputs. Achieving this property will be a key technical focus of our work.

In what follows, we provide an overview of our construction of non-malleable OT. Then, in Sect. 2.1, we discuss why any non-malleable OT protocol satisfying these properties almost directly implies pairwise ideal OT functionality (or, simulataneous secure OT), and therefore also securely realizes watchlists.

Towards Non-Malleable OT. We take inspiration from recent works that use non-malleable codes (introduced in [23]) to build cryptographic primitives like non-malleable commitments [36], and non-malleable multi-prover interactive proofs [33].

In more detail, we will build non-malleable OT by combining parallel composable two-party secure computation with (an) appropriate (variant of) split-state non-malleable codes. Such codes are specified by encoding and decoding algorithms \((\mathsf {Enc},\mathsf {Dec})\). The encoding algorithm \(\mathsf {Enc}\) is a randomized algorithm that encodes any message m into a codeword consisting of two parts or “states” \((\mathsf {L},\mathsf {R})\), and the decoding algorithm \(\mathsf {Dec}\) on input a codeword returns the underlying message. The security property is that for every pair of tampering functions (fg) with no fixed points, the (distribution of) \(\widetilde{m} \leftarrow \mathsf {Dec}(f(\mathsf {L}), g(\mathsf {R}))\), where \((\mathsf {L}, \mathsf {R}) \leftarrow \mathsf {Enc}(m)\), is independent of m. We now describe (a simplified variant of) our construction.

Our Construction. For simplicity, we will focus on the special case of implementing non-malleable 1-out-of-2 OT, but our techniques immediately extend to the more general setting of k-out-of-m OT. To prevent obvious copying attacks, we will assign to each party a unique tag or identity.

Our construction of non-malleable OT simply involves executing a secure two-party protocol \(\varPi \) between a sender \({\mathcal S} \) and a receiver \({\mathcal R} \), for a special functionality \({\mathcal F} \). Before describing this functionality, we discuss the inputs of participants to this functionality.

The sender \({\mathcal S} \) with on input \((\mathsf {m}_0,\mathsf {m}_1)\) and \(\mathsf {tag} \) encodes these messages using an appropriate split-state non-malleable code \((\mathsf {Enc},\mathsf {Dec})\). Specifically, \({\mathcal S} \) computes \(\mathsf {L}_{0},\mathsf {R}_{0} \leftarrow \mathsf {Enc}(\mathsf {m}_0||\mathsf {tag})\) and \(\mathsf {L}_{1},\mathsf {R}_{1} \leftarrow \mathsf {Enc}(\mathsf {m}_1||\mathsf {tag})\). The receiver \({\mathcal R} \) obtains as input a choice bit \(\mathsf {b} \in \{0,1\}\), and samples uniformly random \(c \in \{0,1\}\). \({\mathcal S} \) and \({\mathcal R} \) then invoke a two-party secure protocol \(\varPi _{\mathcal F} \) to compute functionality \({\mathcal F} \) described in Fig. 1. In addition, \({\mathcal S} \) sends \(\mathsf {tag} \) to \({\mathcal R} \).

Fig. 1.
figure 1

The functionality \({\mathcal F} \)

Full size image

We note that the ideal functionality \({\mathcal F} \) reveals \(\mathsf {m}_b\) to \({\mathcal R} \), and in addition, reveals either only \((\mathsf {L}_0, \mathsf {L}_1)\) or only \((\mathsf {R}_0, \mathsf {R}_1)\). Because any split-state non-malleable code is also a 2-out-of-2 secret sharing scheme [4], the shares \(\mathsf {L}_{1-b}\) and \(\mathsf {R}_{1-b}\) each statistically hide \(\mathsf {m}_{1-b}\) from \({\mathcal R} \). It is also clear that protocol \(\varPi \) makes only black-box use of the underlying two-party computation protocol.

We show that (an appropriate k-out-of-m variant of) the protocol sketched above securely realizes non-malleable OT, even when \(\varPi \) itself is only parallel composable secure (but may be completely malleable).

Proving Sender Non-Malleability. For ease of exposition, let’s consider a simpler man-in-the-middle adversary (\(\mathsf {MIM}\)) that participates in a single left session as receiver, and a single right session as sender. We will also assume that the \(\mathsf {MIM} \) never sends messages that cause an honest party to abort. Additionally, the underlying secure two-party protocol \(\varPi \) will be a round optimal (four round) protocol with sequential messages, and has the following specific structure. Namely, it will require the receiver to commit to its input b in the first round of the protocol, and at the same time, it will be delayed-input w.r.t. receiver input c, which will be chosen by the receiver immediately before the third round begins. Finally, it will require the inputs \((\mathsf {m}_0, \mathsf {m}_1, \mathsf {L}_0, \mathsf {R}_0, \mathsf {L}_1, \mathsf {R}_1, \mathsf {tag})\) of the sender to be committed in the second round of the protocol, before c is chosen by the receiver.

First Attempt: An Alternate Extraction Mechanism. One possible way to extract sender inputs from the right execution, is to execute the simulator of the underlying two-party protocol \(\varPi \). Unfortunately, this fails because \(\varPi \) is only parallel composable secure, and extracting from the right execution automatically reveals honest sender inputs from the left execution.

Instead, we will use the specific way that sender inputs are encoded to introduce an alternate extraction mechanism. Specifically, one could imagine rewinding the third and the fourth round message of \(\varPi \), using inputs \(c = 0\) and \(c = 1\) on behalf of the honest receiver in the real and rewinding threads, respectively. By our assumption, the adversary is non-aborting. Therefore, we expect to obtain outputs \((\widetilde{\mathsf {L}}_0,\widetilde{\mathsf {L}}_1)\) and \((\widetilde{\mathsf {R}}_0,\widetilde{\mathsf {R}}_1)\) in the right session in the real and rewinding threads respectively. At this point, we can use the decoder of the non-malleable code to obtain \((\widetilde{\mathsf {m}}_0,\widetilde{\mathsf {m}}_1)\), which, by correctness of the two-party protocol, should correspond to the implicit inputs of the \(\mathsf {MIM}\) in the right session.

It doesn’t seem like this argument gives us much (yet): rewinding the \(\mathsf {MIM}\) ’s third and fourth rounds would also end up rewinding the third and the fourth rounds of the left execution with (possibly different) inputs \(\widetilde{c}, \widehat{c}\) used by the \(\mathsf {MIM}\) in the main and rewinding threads. Thus, it may seem like we are back to square one: it may not be possible to hide the inputs of the honest sender in the presence of such rewinding.

Towards Resolving the Extraction Bottleneck: 1-Rewind Sender Security. To tackle this problem, our first step will be to require that \(\varPi \) satisfy a stronger security property: 1-rewind sender security. Roughly, this means that any adversarial receiver \({\mathcal R} ^*\) that rewinds the honest sender one time in the third and fourth rounds, using (possibly different) inputs \(\widetilde{c}, \widehat{c}\) in the main and rewinding threads, does not recover any information beyond the output of \({\mathcal F} \) on inputs \((\mathsf {m}_0, \mathsf {m}_1, \mathsf {L}_0, \mathsf {L}_1, \mathsf {R}_0, \mathsf {R}_1, \widetilde{\mathsf {b}}, \widetilde{c})\) and \((\mathsf {m}_0, \mathsf {m}_1, \mathsf {L}_0, \mathsf {L}_1, \mathsf {R}_0, \mathsf {R}_1, \widetilde{\mathsf {b}}, \widehat{c})\). We formalize this by requiring the existence of a specific type of simulator: this simulator generates a view for \({\mathcal R} ^*\) in the main thread given only \((\mathsf {m}_{\widetilde{\mathsf {b}}}, \mathsf {L}_0, \mathsf {L}_1)\) and a view for \({\mathcal R} ^*\) in the rewinding thread given only \((\mathsf {m}_{\widetilde{\mathsf {b}}}, \mathsf {R}_0, \mathsf {R}_1)\) (or vice-versa). Now, it may seem like this type of simulator may not be very meaningful, since the sum total of this information could essentially allow the receiver to recover \(\mathsf {m}_{1-{\widetilde{\mathsf {b}}}}\) by combining \(\mathsf {L}_{1-{\widetilde{\mathsf {b}}}}\) with \(\mathsf {R}_{1-{\widetilde{\mathsf {b}}}}\).

However, the fact that \((\mathsf {L}_0, \mathsf {L}_1)\) and \((\mathsf {R}_0, \mathsf {R}_1)\) are made available in separate threads can be exploited argue that the \(\mathsf {MIM}\) ’s input must be independent of \(\mathsf {m}_{1-{\widetilde{\mathsf {b}}}}\), as we discuss next.

Alternative Simulation. Let us go back to our alternate extraction mechanism discussed earlier, where w.l.o.g. the third and fourth round messages of \(\varPi \) are rewound with (honest) receiver input set to \(c = 0\) in the main and \(c=1\) in the rewinding thread, respectively. This means that in the main thread, the challenger obtains output \((\widetilde{\mathsf {L}}_0,\widetilde{\mathsf {L}}_1)\) in the right session. In the rewind thread, setting \(c=1\), the challenger obtains outputs \((\widetilde{\mathsf {R}}_0,\widetilde{\mathsf {R}}_1)\). Meanwhile the real and rewinding left executions will simulated using only \((\mathsf {m}_{\widetilde{\mathsf {b}}}, \mathsf {L}_0, \mathsf {L}_1)\) and \((\mathsf {m}_{\widetilde{\mathsf {b}}}, \mathsf {R}_0, \mathsf {R}_1)\) (or vice-versa) respectively, as described above. This means that in the main thread, the \(\mathsf {MIM}\) outputs \((\widetilde{\mathsf {L}}_0,\widetilde{\mathsf {L}}_1)\) as a function of only \((\mathsf {m}_{\widetilde{\mathsf {b}}}, \mathsf {L}_0, \mathsf {L}_1)\), and in the rewinding thread, the \(\mathsf {MIM}\) outputs \((\widetilde{\mathsf {R}}_0,\widetilde{\mathsf {R}}_1)\) as a function of only \((\mathsf {m}_{\widetilde{\mathsf {b}}}, \mathsf {R}_0, \mathsf {R}_1)\).Footnote 3

We formalize this intuition to argue that the \(\mathsf {MIM}\) ’s behaviour naturally gives rise to a split-state tampering function family. Here, one tampering function corresponds to the \(\mathsf {MIM}\) ’s functionality in the main thread, and the other corresponds to the \(\mathsf {MIM}\) ’s functionality in the rewinding thread. This allows us to rely on the non-malleability of the underlying encoding scheme to switch from generating \(\mathsf {L}_{1-{\widetilde{\mathsf {b}}}}, \mathsf {R}_{1-{\widetilde{\mathsf {b}}}}\) as an encoding of \({m}_{1-\mathsf {b}}\), to generating it as an encoding of a dummy value.

This completes a simplified description of the main ideas in our protocol. We swept several details under the rug but point out one important detail below.

Many-many Non-malleability. Recall that we simplified things earlier, to focus on a setting where the \(\mathsf {MIM}\) participates in a single left session as receiver and a single right session as sender. For our application to watchlists, we require security against adversaries that participate in multiple left and right sessions.

To achieve security in this setting, we will rely on many-many non-malleable codes (that are implied by one-many non-malleable codes [18]) that achieve security in the presence of multiple tamperings of a single codeword [18]. Moreover, in order to deal with adversaries that may abort arbitrarily, we will modify the functionality \({\mathcal F} \). Instead of encoding \((m_0,m_1)\) a single time, the sender generates \(\lambda \) (where \(\lambda \) is the security parameter) fresh encodings \(\{(\mathsf {L}^i_{\mathsf {b}},\mathsf {R}^i_\mathsf {b})\}_{i \in [\lambda ], \mathsf {b} \in \{0,1\}}\) of \(\mathsf {m}_0\) and \(\mathsf {m}_1\). The receiver picks \(\lambda \) choice bits \(c_1,\ldots ,c_{\lambda }\) instead of a single bit c. The functionality \({\mathcal F} \) checks if for every \(i \in [\lambda ], \mathsf {b} \in \{0,1\}\), \(\{(\mathsf {L}^i_{\mathsf {b}},\mathsf {R}^i_\mathsf {b})\}_{i \in [\lambda ], \mathsf {b} \in \{0,1\}}\) encode \(\mathsf {m}_\mathsf {b} \). If the check fails, \({\mathcal F} \) outputs \(\bot \). If it passes, then for every \(i \in [\lambda ]\), it outputs \((\mathsf {L}^i_{0},\mathsf {L}^i_1)\) if \(c_i = 0\) and otherwise, outputs \((\mathsf {R}^i_0,\mathsf {R}^i_1)\).

This helps ensure that for every adversary \(\mathsf {MIM} \) that completes a main thread (without aborting) given honest receiver input \(c = c_1,\ldots ,c_{\lambda }\), there is (w.h.p.) a rewinding thread with a different choice \(c' = c'_1,\ldots ,c'_{\lambda }\) of honest receiver input, that is also completed by the \(\mathsf {MIM}\). We then rely on any index i for which \(c_i \ne c'_i\) to carry out the argument described above. Additional details of our non-malleable OT protocol can be found in Sect. 5.1 in the full version.

From Non-Malleable OT to Watchlists. We note that that our OT protocol, as described above, prohibits an adversarial sender from generating its generating its inputs as a function of honest senders’ inputs.

One could ask for an even stronger property, requiring the inputs of adversarial receivers to be independent of the honest receivers’ inputs. At first glance, this stronger property appears to be necessary, since pairwise access to ideal OTs would actually enforce that all adversarial receiver inputs are independent of the inputs of honest receivers.

But upon taking a closer look, we realize that non-malleable OT as described in the previous section actually suffices to construct watchlists with security in the real/ideal paradigm. Intuitively, this is because the outputs of honest parties are affected only by the inputs of the adversarial senders, and are unaffected by the inputs of adversarial receivers. In other words, even if adversarial receivers manage to have their inputs depend on the inputs of the honest receivers, this cannot affect the joint distribution of their view and the outputs of honest parties in the ideal world. We formalize this intuition and show that non-malleable OT generically implies a protocol for securely realizing the watchlist functionality.

The only missing ingredient in our description is the 1-rewind sender secure protocol, which we describe next.

Constructing a 1-Rewind Sender Secure Protocol. In our actual construction of non-malleable OT, the receiver inputs \((c_1, \ldots c_\lambda )\) do not need to remain hidden from a corrupted sender. In particular, all we need is for the protocol to allow for delayed function selection, where the function to be computed (defined by \(c_1, \ldots , c_\lambda \)) is selected by the receiver in the third round. Given this, the 1-rewinding security property translates to requiring that any corrupt receiver which rewinds the third and the fourth round messages of the sender by providing (possibly) different functions learns nothing beyond the output of these two functions on sender and receiver inputs that were fixed in the first two rounds.

We will design such a 2-party protocol for \(\mathsf {NC1}\) circuitsFootnote 4 by relying on a different variant [45, 46, 49] of the IPS paradigm. Specifically, we will use the same 2-client m-server outer protocol [58] that was discussed at the beginning of the overview, and combine it an inner protocol that is based a variant of Yao’s garbled circuits [61]. Yao’s protocol also allows for the garbled circuits to be generated in the final round, which immediately gives us the delayed function selection property. Importantly, since we only care about parallel composable security in the resulting two-party protocol, parallel composable but possibly malleable 1-rewind secure OT will suffice to implement watchlists in this setting. We slightly generalize the works of [24, 57] to obtain a maliciously secure OT that satisfies 1-rewind sender security and makes black-box use of a PKE with pseudorandom public keys. We refer the reader to Appendix C of the full version for the details of constructing the secure computation protocol and to Appendix D of the full version for the construction of a 1-rewind sender secure OT protocol.

Immediate Application: Black-Box Simultaneous Two-Party Computation. Plugging the resulting simultaneous OT protocol in place of ideal OT, into the non-interactive two-party secure black-box computation protocol of [45], yields a round optimal two-party simultaneous secure computation, from black-box use of any PKE with pseudorandom public keys.

Organization. Due to lack of space, we include our construction of non-malleable OT in the body of the paper, and defer remaining protocols to the full version.

3 Preliminaries and Definitions

Let \(\lambda \) denote the security parameter. A function \(\mu (\cdot ) : \mathbb {N} \rightarrow \mathbb {R}^+\) is said to be negligible if for any polynomial \(\mathsf {poly} (\cdot )\) there exists \(\lambda _0\) such that for all \(\lambda > \lambda _0\) we have \(\mu (\lambda ) < \frac{1}{\mathsf {poly} (\lambda )}\). We will use \(\mathsf {negl} (\cdot )\) to denote an unspecified negligible function and \(\mathsf {poly} (\cdot )\) to denote an unspecified polynomial function. We use \(\varDelta \) to denote the statistical distance.

For a probabilistic algorithm A, we denote A(xr) to be the output of A on input x with the content of the random tape being r. When r is omitted, A(x) denotes a distribution. For a finite set S, we denote \(x \leftarrow S\) as the process of sampling x uniformly from the set S. We will use PPT to denote Probabilistic Polynomial Time algorithm.

3.1 Non-malleable Codes

We will use non-malleable codes in the split-state model, that are one-many secure and satisfy a special augmented non-malleability [2] property, as discussed below.

Definition 1

(One-many augmented split-state non-malleable codes). Fix any polynomials \(\ell (\cdot ), p(\cdot )\). An \(\ell (\cdot )\)-augmented non-malleable code with error \(\epsilon (\cdot )\) for messages \(m \in \{0,1\}^{p({\lambda })}\) consists of algorithms \(\mathsf {NM.Code},\mathsf {NM.Decode}\) where \(\mathsf {NM.Code}(m) \rightarrow (L, R)\) such that for every \(m \in \{0,1\}^{p({\lambda })}\),

$$\mathsf {NM.Decode}(\mathsf {NM.Code}(m)) = m$$

and for every set of functions \(f = (f_1, f_2, \ldots f_{\ell ({\lambda })}), g = (g_1, g_2, \ldots g_{\ell ({\lambda })})\) there exists a random variable \({\mathcal D} _{f, g}\) on \(\{ \{0,1\}^{p(\lambda )} \cup \mathsf {same}^* \}^{\ell ({\lambda })}\) which is independent of the randomness in \(\mathsf {NM.Code}\) such that for all messages \(m \in \{0,1\}^{p(\lambda )}\) it holds that

$$ \varDelta \left( \left( {\mathsf {R}}, \{\mathsf {NM.Decode}\big (f_i({\mathsf {L}}),g_i({\mathsf {R}})\}_{i \in [\ell ({\lambda })]} \big ) \right) , \left( \mathsf {replace}({\mathcal D} _{f,g}, m) \right) \right) \le \epsilon ({\lambda }) $$
$$ \varDelta \left( \left( {\mathsf {R}}, \{\mathsf {NM.Decode}\big (g_i({\mathsf {R}}),f_i({\mathsf {L}})\}_{i \in [\ell ({\lambda })]} \big ) \right) , \left( \mathsf {replace}({\mathcal D} _{f,g}, m) \right) \right) \le \epsilon ({\lambda })$$

where \(({\mathsf {L}}, {\mathsf {R}}) \leftarrow \mathsf {NM.Code}(\mathsf {m})\) and the function \(\mathsf {replace} : \{0, 1\}^* \times \{0,1\}^* \rightarrow \{0,1\}\) replaces all occurrences of \(\mathsf {same}^*\) in its first input with its second input s, and outputs the result.

It was shown in [3, 34, 38] that the CGL one-many non-malleable codes constructed in [18] are also one-many augmented non-malleable codes. But we point out that in this definition, we also require messages obtained by decoding the tampered codewords with left and right shares interchanged to be unrelated with the original message. It is easy to see that this property is satisfied by any non-malleable code with symmetric decoding (i.e. where \(\mathsf {NMDec}(\mathsf {L},\mathsf {R}) = \mathsf {NMDec}(\mathsf {R},\mathsf {L})\)). This property can be achieved, as observed in [33], by modifying any split-state code to attach a special symbol “\(\ell \)” to the left part of the codeword, and a special symbol “r” to the right part of the codeword. This yields the following imported theorem:

Theorem 1

(Imported.)  [33, 34] For every polynomial \(\ell (\cdot )\), there exists a polynomial \(q(\cdot )\) such that for every \({\lambda } \in \mathbb {N}\), there exists an explicit \(\ell \)-augmented, split-state non-malleable code satisfying Definition 1 with efficient encoding and decoding algorithms with code length \(q({\lambda })\), rate \({q({\lambda })^{-\Omega (1)}}\) and error \(2^{-q({\lambda })^{\Omega (1)}}\).

3.2 Low-Depth Proofs

We will describe how any computation that can be verified by a family of polynomial sized ciruits can be transformed into a proof that is verifiable by a family of circuits in \(\mathsf {NC1}\). Let R be an efficiently computable binary relation. Let L be the language consisting of statements in R, i.e. for which \(R(x) = 1\).

Definition 2

(Low-Depth Non-Interactive Proofs). A low-depth non-interactive proof with perfect completeness and soundness for a relation R consists of an (efficient) prover P and a verifier V that satisfy:

  • Perfect completeness. A proof system is perfectly complete if an honest prover can always convince an honest verifier. For all \(x \in L\) we have

    $$\Pr [V(\pi ) = 1 | \pi \leftarrow P(x) ] = 1$$

  • Perfect soundness. A proof system is perfectly sound if it is infeasible to convince an honest verifier when the statement is false. For all \(x \not \in L\) and all (even unbounded) adversaries \({\mathcal A} \) we have

    $$Pr[ V (x, \pi ) = 1| \pi \leftarrow {\mathcal A} (x)] = 0.$$

  • Low depth. The verifier V can be implemented in \(\mathsf {NC1}\).

We outline a simple construction of a low-depth non-interactive proof, borrowed from [25]. The prover P executes the verification circuit on x and generates the proof as the sequential concatenation (in some specified order) of the bit values assigned to the individual wires of the circuit computing R. The verifier V proceeds by checking consistency of the values assigned to the internal wires of the circuit for each gate. In particular for each gate in the verification circuit the verifier checks if the wire vales provided in the proof represent a correct evaluation of the gate. Since the verification corresponding to each gate can be done independent of every other gate and in constant depth, we have that V itself is constant depth.

Looking ahead, our construction of non-malleable OT makes use of a (malleable) two-party computation protocol for \(\mathsf {NC1}\) that must verify validity of a non-malleable code. We rely on low-depth proofs to ensure that the two-party computation protocol only performs \(\mathsf {NC1}\) computations.

3.3 1-Rewind Sender-Secure Two-Party Computation

Let us consider a protocol \(\varPi \) between two parties, namely, the sender \(\S \) and the receiver \(\mathcal {R}\). The sender holds a private input \(x_{\S }\) and the receiver holds a private input \(x_{\mathcal {R}}\) and they wish to compute some function of their private inputs securely with the receiver obtains the output of the function. We want this protocol to satisfy:

  • (Delayed-function selection) The function to be securely computed is only decided in the third round by the receiver \(\mathcal {R}\). That is, the third round message contains the explicit description of the function f to be computed and the first two messages depend only on the size of the function.

  • (1-Rewinding Security) Any malicious receiver that rewinds the third and fourth rounds of the protocol once (by possibly giving different functions \(f_0,f_1\)) cannot learn anything about the sender’s inputs except the output on these two functions.

The syntax of the protocol and the two properties are formalized below.

Syntax. The special two party protocol \(\varPi \) is given by a tuple of algorithms \((\varPi _1,\varPi _2,\varPi _3,\varPi _4,\mathsf {out}_{\varPi })\). \(\varPi _1\) and \(\varPi _3\) are the next message functions run by the receiver \(\mathcal {R}\) and \(\varPi _2\) and \(\varPi _4\) are the next message functions run by the sender \(\S \). At the end of the protocol, \(\mathcal {R}\) runs \(\mathsf {out}_{\varPi }\) on the transcript, its input and the random tape to get the output of the protocol. We use \(\pi _r\) to denote the message sent in the protocol \(\varPi \) in round r for every \(r \in [4]\).

Definition 3

Let \(\varPi = (\varPi _1,\varPi _2,\varPi _3,\varPi _4,\mathsf {out}_\varPi )\) be a 4-round protocol between a receiver \(\mathcal {R}\) and a sender \(\S \) with the receiver computing the output at the end of the fourth round. We say that \(\varPi \) is a 1-rewinding sender secure protocol with delayed function selection for \(\mathsf {NC}^1\) circuits if it satisfies:

  • Delayed Function Selection. The first and second message functions \(\varPi _1,\varPi _2\) take as input the size of the function \(f \in \mathsf {NC}^1\) to be securely computed and are otherwise, independent of the function description. The third round message from \(\mathcal {R}\) contains the explicit description of the function f to be computed.

  • Receiver Security. For every malicious PPT adversary \(\mathcal {A}\) that corrupts the sender, there exists an expected polynomial (black-box) simulator \(\mathsf {Sim}_\mathcal {R}= (\mathsf {Sim}^1_\mathcal {R},\mathsf {Sim}^2_\mathcal {R})\) such that for all choices of honest receiver input \(x_\mathcal {R}\) and the function \(f \in \mathsf {NC}^1\), the joint distribution of the view of \(\mathcal {A}\) and \(\mathcal {R}\)’s output in the real execution is computationally indistinguishable to the output of the ideal experiment described in Fig. 2.

  • 1-Rewinding Sender Security. For every malicious adversary \(\mathcal {A}\), corrupting the receiver, there exists an expected polynomial time simulators \(\mathsf {Sim}_\S = (\mathsf {Sim}^1_\S ,\mathsf {Sim}^2_\S )\) such that for every choice of sender’s input \(x_\S \), we have:

    $$ \mathsf {Expt}_{1}(\mathcal {A},\varPi ,x_{\mathcal {R}},x_\S ) \overline{{\mathsf {Expt}}} _2(\mathcal {A},\mathsf {Sim}_{\S },x_{\mathcal {R}},x_{\S }) $$

    where \(\mathsf {Expt}_1\) and \(\mathsf {Expt}_2\) are defined in Fig. 3.

Fig. 2.
figure 2

Ideal experiment in the receiver security game

Full size image
Fig. 3.
figure 3

Descriptions of \(\mathsf {Expt}_1\) and \(\mathsf {Expt}_2\).

Full size image

4 Non-Malleable Oblivious Transfer

4.1 Definition

We define non-malleable OT which considers a man-in-the-middle adversary that generates OT messages as a function of those generated by honest players. The non-malleability property ensures that no PPT adversarial sender can generate its OT inputs as a function of the (secret) inputs of honest senders.

Definition 4

(\(\ell \) non-malleable \({ \left( \begin{matrix} {m}\\ {k} \end{matrix}\right) } \) Oblivious Transfer). An \(\ell \) non-malleable \({ \left( \begin{matrix} {m}\\ {k} \end{matrix}\right) } \) Oblivious Transfer is a protocol between a sender \({\mathcal S} \) with inputs \(\{\mathsf {m}_i\}_{i \in [m]}\) and a receiver \({\mathcal R} \) with input \(K \subset [m]\) where \(|K| = k\), that satisfies the following:

  • Correctness. For every \(i \in [m], \mathsf {m}_i \in \{0,1\}^{{\lambda }}\) and \(K \subset [m]\) such that \(|K| = k\),

    $$\mathsf {Out}_{{\mathcal R}} \langle {\mathcal S} (\{\mathsf {m}_i\}_{i \in [m]}), {\mathcal R} (K) \rangle = \{m_i\}_{i \in K}$$

  • (Parallel Composable) Receiver Security. For every PPT sender \({\mathcal S} ^*\) and every pair \(K, K'\) of k-sized subsets of [m], we require

    $$\mathsf {View} _{{\mathcal S} ^*} \langle {\mathcal S} ^*, {\mathcal R} (K) \rangle \approx _c \mathsf {View} _{{\mathcal S} ^*} \langle {\mathcal S} ^*, {\mathcal R} (K') \rangle $$

    Additionally, we require that there exists a PPT extractor \(\mathsf {Sen}.\mathsf {Ext}\) that on input any transcript \(\tau \) and with black-box access to any PPT sender \({\mathcal S} ^*\) outputs \(\{(\mathsf {m}^*_{i,j})\}_{i \in [m], j \in [\ell ]}\) where \(\mathsf {m}^*_{i,j}\) denotes the \(i^{th}\) implicit input used by \({\mathcal S} ^*\) in the \(j^{th}\) session of \(\tau \) (if any input is not well-defined, it outputs \(\bot \) in its place)Footnote 5.

  • Non-Malleability. Consider any PPT adversary (denoted by \(\mathsf {MIM}\)) that interacts with upto \(\ell \) senders \({\mathcal S} _1, \ldots , {\mathcal S} _\ell \) on the left, where for every \(j \in [\ell ]\), \({\mathcal S} _j\) has input \(\{\mathsf {m}_{i,j} \in \{0,1\}^{n} \}_{i \in [m]}\), and upto \(\ell \) receivers \({\mathcal R} _1, \ldots , {\mathcal R} _\ell \) on the right, where for every \(j \in [\ell ]\), \({\mathcal R} _j\) has input \(K_j\). We denote by \(\mathsf {View} _\mathsf {MIM} \langle \{{\mathcal S} _j(\{\mathsf {m}_{i,j}\}_{i \in [m]})\}_{j \in [\ell ]}, \{{\mathcal R} _j(K_j)\}_{j \in [\ell ]} \rangle \) the view of the \(\mathsf {MIM}\) in this interaction, and denote the \(i^{th}\) implicit input used by the \(\mathsf {MIM}\) in the \(j^{th}\) right session by \(\mathsf {m}'_{i,j}\)Footnote 6. We denote by \(\mathsf {Real} _\mathsf {MIM} \langle \{{\mathcal S} _j(\{\mathsf {m}_{i,j}\}_{i \in [m]})\}_{j \in [\ell ]}, \{{\mathcal R} _j(K_j)\}_{j \in [\ell ]} \rangle \) the joint distribution of \(\{(\mathsf {m}'_{i,j})\}_{i \in [m], j \in [\ell ]}\) and \(\mathsf {View} _\mathsf {MIM} \langle \{{\mathcal S} _j(\{\mathsf {m}_{i,j}\}_{i \in [m]})\}_{j \in [\ell ]}, \{{\mathcal R} _j(K_j)\}_{j \in [\ell ]} \rangle \). Then, we require that there exists a simulator-extractor pair, \((\mathsf {Sim}_{\mathsf {OT}}, \mathsf {Ext}_{\mathsf {OT}})\) that outputs

    $$\mathsf {Ideal} _\mathsf {MIM} (\{\mathsf {m}_{i,j}\}_{i \in [m], j \in [\ell ]}, \{K_j\}_{j \in [\ell ]}) = \mathsf {Sim}_{\mathsf {OT}}^{\mathsf {MIM}, \{\mathsf {OT}(\{\mathsf {m}_{i,j}\}_{i \in [m]},\cdot )\}_{j \in [\ell ]}}(\sigma , \{\widetilde{K}_j\}_{j \in [\ell ]}),$$

    for \((\sigma , \{\widetilde{K}_j\}_{j \in [\ell ]}) \leftarrow \mathsf {Ext}^\mathsf {MIM} _{\mathsf {OT}}(\{K_j\}_{j \in [\ell ]})\), s.t. for all honest inputs \(\{\mathsf {m}_{i,j}\}_{i \in [m], j \in [\ell ]},\) \(\{K_j\}_{j \in [\ell ]}\), we have

    $$\mathsf {Real} _\mathsf {MIM} \langle \{{\mathcal S} _j(\{\mathsf {m}_{i,j}\}_{i \in [m]})\}_{j \in [\ell ]}, \{{\mathcal R} _j(K_j)\}_{j \in [\ell ]} \rangle \approx _c \mathsf {Ideal} _\mathsf {MIM} (\{\mathsf {m}_{i,j}\}_{i \in [m], j \in [\ell ]}, \{K_j\}_{j \in [\ell ]}). $$

4.2 Construction

In this subsection, we construct \(\ell \) non-malleable m-choose-k OT. Here, \(\ell \) denotes the number of executions that an \(\mathsf {MIM} \) adversary may participate in. Our construction is described in Figure 4, and makes use of the following:

  • A 4 round two-party secure computation protocol \(\varPi \) with delayed-function selection and 1-rewinding sender security.

  • An information-theoretic \(m(\lambda ) \cdot \ell (\lambda )\) non-malleable secret sharing scheme.

  • A low-depth proof for P.

  • An existentially unforgeable signature scheme with algorithms denoted by \(\mathsf {Signature}.\mathsf {Setup}\), \(\mathsf {Signature}.\mathsf {Sign}\) and \(\mathsf {Signature}.\mathsf {Verify}\).

We describe our protocol formally in Fig. 4. The correctness of this protocol follows from correctness of the underlying oblivious transfer, non-malleable codes and signature scheme. In what follows, we prove security of this protocol.

Fig. 4.
figure 4

\(\ell ({\lambda })\) Non-Malleable \(m({\lambda })\)-choose-\(k({\lambda })\) Oblivious Transfer

Full size image

Theorem 2

Let \(\lambda \) denote the security parameter, and \(m = m(\lambda ), k = k(\lambda ), \ell = \ell (\lambda )\) be arbitrary fixed polynomials. There exists a 4 round \(\ell \) non-malleable \({ \left( \begin{matrix} {m}\\ {k} \end{matrix}\right) } \) oblivious transfer protocol satisfying Definition 4 that makes black-box use of any 4 round two-party secure computation protocol \(\varPi \) satisfying Definition 3, and any existentially unforgeable signature scheme.

By relying on our 4 round two-party secure computation protocol satisfying Definition 3 based on black-box use of any public-key encryption with pseudorandom public keys, we obtain the following Corollary.

Corollary 1

Let \(\lambda \) denote the security parameter, and \(m = m(\lambda ), k = k(\lambda ), \ell = \ell (\lambda )\) be arbitrary polynomials. There exists a 4 round \(\ell \) non-malleable \({ \left( \begin{matrix} {m}\\ {k} \end{matrix}\right) } \) OT protocol satisfying Definition 4 that makes black-box use of any public-key encryption with pseudo-random public keys.

4.3 Security

We consider any man-in-the-middle adversary that participates as an OT receiver in upto \(\ell ({\lambda })\) executions of this protocol on the right, and participates as an OT sender in upto \(\ell ({\lambda })\) executions on the left.

We will prove that there exists a PPT algorithm \(\mathsf {Sim}\text {-}\mathsf {Ext}\), that with black-box access to the \(\mathsf {MIM}\), to \(\ell \) copies of the ideal OT functionality \(\mathbf {OT} = \{\mathsf {OT}_j(\{\mathsf {m}_{i,j}\}_{i \in [m]}, \cdot )\}_{j \in [\ell ]}\) and with input \(\{K_j\}_{j \in [\ell ]}\), simulates an execution of the protocol with the \(\mathsf {MIM}\) and extracts all the inputs \(\{(\{\widetilde{\mathsf {m}}_{i,j}\}_{i \in [m]})\}_{j \in [\ell ]}\) used by the \(\mathsf {MIM}\) in the executions where the \(\mathsf {MIM} \) is sender. We will prove that \(\mathsf {Sim}\text {-}\mathsf {Ext}\) outputs \(\mathsf {Ideal} _\mathsf {MIM} (\{\mathsf {m}_{i,j}\}_{i \in [m], j \in [\ell ]}, \{K_j\}_{j \in [\ell ]} )\) such that

$$\mathsf {Real} _\mathsf {MIM} \langle \{{\mathcal S} _j(\{\mathsf {m}_{i,j}\}_{i \in [m]})\}_{j \in [\ell ]}, \{{\mathcal R} _j(K_j)\}_{j \in [\ell ]} \rangle \approx _c \mathsf {Ideal} _\mathsf {MIM} (\{\mathsf {m}_{i,j}\}_{i \in [m], j \in [\ell ]}, \{K_j\}_{j \in [\ell ]} )$$

To prove indistinguishability, we define a sequence of hybrid experiments, where the first one outputs the distribution \(\mathsf {Real} _\mathsf {MIM} \langle \{{\mathcal S} _j(\{\mathsf {m}_{i,j}\}_{i \in [m]})\}_{j \in [\ell ]}, \{{\mathcal R} _j(K_j)\}_{j \in [\ell ]}\) and the final one outputs the distribution \(\mathsf {Ideal} _\mathsf {MIM} (\{\mathsf {m}_{i,j}\}_{i \in [m], j \in [\ell ]}, \{K_j\}_{j \in [\ell ]} )\). Formally, these hybrids are defined as follows:

\(\mathsf {Hyb}_0:\) This corresponds to an execution of the \(\mathsf {MIM}\) with \(\ell \) honest senders \(\{{\mathcal S} _j\}_{j \in [\ell ]}\) on the left, each using inputs \(\{\mathsf {m}_{i,j}\}_{i \in [m]}\) respectively and \(\ell \) honest receivers on the right with inputs \((\{K_j\}_{j \in [\ell ]})\) respectively. The output of this hybrid is \(\mathsf {Real} _\mathsf {MIM} \langle \{{\mathcal S} _j(\{\mathsf {m}_{i,j}\}_{i \in [m]})\}_{j \in [\ell ]}, \{{\mathcal R} _j(K_j)\}_{j \in [\ell ]}\).

\(\mathsf {Hyb}_1:\) This experiment modifies \(\mathsf {Hyb}_1\) by introducing an additional abort condition. Specifically, the experiment first executes the complete protocol corresponding to the real execution of the \(\mathsf {MIM}\) exactly as in \(\mathsf {Hyb}_0\) to obtain the distribution \(\mathsf {Real} _\mathsf {MIM} \langle \{{\mathcal S} _j(\{\mathsf {m}_{i,j}\}_{i \in [m]})\}_{j \in [\ell ]}, \{{\mathcal R} _j(K_j)\}_{j \in [\ell ]} \rangle \).

Let \(p({\lambda })\) denote the probability that the \(\mathsf {MIM}\) completes this execution without aborting. Set \(\gamma ({\lambda }) = \max \big ({\lambda }, p^{-2}({\lambda }) \big )\). With the first two rounds of the transcript fixed, the rewind the right execution up to \(\gamma ({\lambda })\) times, picking inputs \((\mathsf {c} ^j_1,\ldots ,\mathsf {c} ^j_\lambda )\) for each of the \(\ell \) receivers \(\{{\mathcal R} _j\}_{j \in [\ell ]}\) independently and uniformly at random in every run. If there exists a rewinding thread where the \(\mathsf {MIM} \) completes the protocol execution, denote the inputs chosen by the challenger on behalf of the honest receiver in this rewinding thread by \(({\mathsf {c} '}^j_1,\ldots ,{\mathsf {c} '}^j_\lambda )\). For every \(j \in [\ell ]\), let index \(\alpha _j \in [\lambda ]\) be such that \({\mathsf {c}}_{\alpha _j}^j = 0\) and \({\mathsf {c} '}_{\alpha _j}^j = 1\). Additionally for every \(j \in [\ell ], i \in [m]\), use \((\widetilde{\mathsf {L}}_{\alpha _j,i}^{j}, \widetilde{\mathsf {R}}_{\alpha _j,i}^{j})\) obtained as output from the main and rewinding executions respectively to compute \(\widetilde{\mathsf {m}}_{i}^{j} = \mathsf {NM.Decode}(\widetilde{\mathsf {L}}^{j}_{\alpha _j,i},\widetilde{\mathsf {R}}^{j}_{\alpha _j,i})\).

If no such rewinding thread exists, or if there exists \(j \in [\ell ]\) for which there does not exist \(\alpha \in [\lambda ]\) such that \(\mathsf {c} _{\alpha }^j = 0\) and \({\mathsf {c} '}_\alpha ^j = 1\), then set \(\widetilde{\mathsf {m}}_i^j = \bot \) for all \(i \in [m]\). Now, the output of this hybrid is the joint distribution

$$\mathsf {View} _\mathsf {MIM} \langle \{{\mathcal S} _j(\{\mathsf {m}^j_{i}\}_{i \in [m]})\}_{j \in [\ell ]}, \{{\mathcal R} ^j(K^j)\}_{j \in [\ell ]} \rangle , \{\widetilde{\mathsf {m}}^{j}_{i}\}_{j \in [\ell ], i \in [m]}.$$

Lemma 1

For every unbounded distinguisher \({\mathcal D} \) we have

$$\Big | \Pr [{\mathcal D} (\mathsf {Hyb}_0) = 1] - \Pr [{\mathcal D} (\mathsf {Hyb}_1) = 1] \Big | = \mathsf {negl} ({\lambda })$$

Proof

Since the \(\mathsf {MIM}\) ’s inputs \(\{(\widetilde{\mathsf {m}}_i^j\}_{j \in [\ell ]}\) are committed in round 2 of the protocol, then conditioned on the adversary providing a non-aborting transcript in a rewinding execution in \(\mathsf {Hyb}_1\), by simulation security of the \(\mathsf {2pc}\), \(\{(\widetilde{\mathsf {m}}_i^j\}_{j \in [\ell ]}\) are correctly extracted.

Therefore, to prove this lemma it suffices to show that such a rewinding execution (with a non-aborting transcript) can be found within \(\gamma ({\lambda })\) attempts, except with probability \(\mathsf {negl} ({\lambda })\). To see this, we observe that the probability of a non-aborting transcript is \(p({\lambda })\), and therefore, the probability that all \(\gamma ({\lambda })\) trials abort is \((1 - p({\lambda }))^{\ell ({\lambda })} \le \exp ^{p^{-1}({\lambda })} = \mathsf {negl} ({\lambda })\).

\(\mathsf {Hyb}_2\): This experiment modifies \(\mathsf {Hyb}_2\) to execute the simulator of \(\varPi \) in all sessions where the \(\mathsf {MIM} \) is a receiver. Specifically, in these executions, instead of the honest sender strategy with input \(\{\mathsf {m}_{i}^{j}\}_{i \in [m], j \in [\ell ]}\), we execute the simulator \(\mathsf {Sim}\text {-}\mathsf {2PC}_\mathsf {Sen}^{\mathsf {MIM},{\mathcal F} (\mathsf {inp}_{{\mathcal S} ^j},\cdot )}\) where

$$\mathsf {inp}_{{\mathcal S} ^j} = (\{\mathsf {m}_i^j,\mathsf {L}^j_{1,i}, \ldots , \mathsf {L}^j_{\lambda ,i}, \mathsf {R}^j_{1,i}, \ldots , \mathsf {R}^j_{\lambda ,i}\}_{i \in [m]}).$$

\(\mathsf {Sim}\text {-}\mathsf {2PC}_\mathsf {Sen}\) expects round 1 and round 3 messages from the \(\mathsf {MIM} \), and the \(\mathsf {MIM} \) in turn expects corresponding messages from the receiver in the right execution. Receiver messages for the right execution are generated using honest receiver strategy with inputs \(K^j\) fixed, and inputs \(c_1^j, \ldots , c_{\lambda } ^j\) chosen uniformly at random, exactly as in \(\mathsf {Hyb}_1\). Denote the view of the \(\mathsf {MIM}\) by

$$\mathsf {View} _{\mathsf {Sim}^{\{{\mathcal F} (\mathsf {inp}_{{\mathcal S} ^j},\cdot )\}_{j \in [\ell ]}}}\langle \{{\mathcal R} ^j(K^j)\}_{j \in [\ell ]} \rangle ,$$

where for every \(j \in [\ell ]\), \(\mathsf {inp}_{{\mathcal S} ^j}\) is as defined above.

Next, with the first two rounds of the transcript fixed, the challenger rewinds the right execution up to \(\ell ({\lambda })\) times, picking inputs \((\mathsf {c} _1^j,\ldots ,\mathsf {c} _\lambda ^j)\) for \({\mathcal R} ^j\) independently and uniformly at random in every run, and generating messages in the left execution by running the simulator \(\mathsf {Sim}\text {-}\mathsf {2PC}_\mathsf {Sen}\) each time.

If there exists a rewinding execution where the \(\mathsf {MIM}\) completes the protocol, denote the inputs chosen by the challenger on behalf of the honest receiver in this rewinding thread by \(({\mathsf {c} '}^j_1,\ldots ,{\mathsf {c} '}^j_\lambda )\). For every \(j \in [\ell ]\), let index \(\alpha _j \in [\lambda ]\) be such that \({\mathsf {c}}_{\alpha _j}^j = 0\) and \({\mathsf {c} '}_{\alpha _j}^j = 1\). Additionally for every \(j \in [\ell ], i \in [m]\), use \((\widetilde{\mathsf {L}}_{\alpha _j,i}^{j}, \widetilde{\mathsf {R}}_{\alpha _j,i}^{j})\) obtained as output from the main and rewinding executions respectively to compute \(\widetilde{\mathsf {m}}_{i}^{j} = \mathsf {NM.Decode}(\widetilde{\mathsf {L}}^{j}_{\alpha _j,i},\widetilde{\mathsf {R}}^{j}_{\alpha _j,i})\). If no such rewinding thread exists, or if there exists \(j \in [\ell ]\) for which there does not exist \(\alpha \in [\lambda ]\) such that \(\mathsf {c} _{\alpha }^j = 0\) and \({\mathsf {c} '}_\alpha ^j = 1\), then set \(\widetilde{\mathsf {m}}_i^j = \bot \) for all \(i \in [m]\). The output of this hybrid is the joint distribution:

$$\mathsf {View} _{\mathsf {Sim}^{\{{\mathcal F} (\mathsf {inp}_{{\mathcal S} ^j},\cdot )\}_{j \in [\ell ]}}}\langle \{{\mathcal R} ^j(K^j)\}_{j \in [\ell ]} \rangle , \{\widetilde{\mathsf {m}}^{j}_{i}\}_{j \in [\ell ], i \in [m]},$$

where for every \(j \in [\ell ]\), \(\mathsf {inp}_{{\mathcal S} ^j}\) is as defined above.

Lemma 2

Assuming 1-rewinding secure two party computation, for every efficient distinguisher \({\mathcal D} \) we have

$$\Big | \Pr [{\mathcal D} (\mathsf {Hyb}_1) = 1] - \Pr [{\mathcal D} (\mathsf {Hyb}_2) = 1] \Big | = \mathsf {negl} ({\lambda })$$

Proof

We consider a sequence of sub-hybrids \(\mathsf {Hyb}_{1,0}, \mathsf {Hyb}_{1,1}, \ldots \mathsf {Hyb}_{1,\ell }\) where for every \(j \in [\ell ]\), \(\mathsf {Hyb}_{1,j}\) is identical to \(\mathsf {Hyb}_{1,j-1}\), except that instead of executing the honest sender strategy using honest sender inputs \(\{m_i^j\}_{i \in [m]}\), we execute the simulator in the \(j^{th}\) left execution, where \(\mathsf {Sim}\text {-}\mathsf {2PC}_\mathsf {Sen}^{\mathsf {MIM},{\mathcal F} (\mathsf {inp}_{{\mathcal S} ^j},\cdot )}\) where

$$\mathsf {inp}_{{\mathcal S} ^j} = (\{\mathsf {m}_i^j,\mathsf {L}^j_{1,i}, \ldots , \mathsf {L}^j_{\lambda ,i}, \mathsf {R}^j_{1,i}, \ldots , \mathsf {R}^j_{\lambda ,i}\}_{i \in [m]})$$

Suppose the lemma is not true. Then for every large enough \(\lambda \in \mathbb {N}\) there exists \(j^*(\lambda ) \in [\ell (\lambda )]\), a polynomial \(p(\cdot )\) and a distinguisher \({\mathcal D} \) such that for infinitely many \({\lambda } \in \mathbb {N}\),

$$\Big | \Pr [{\mathcal D} (\mathsf {Hyb}_{1,j^*-1}) = 1] - \Pr [{\mathcal D} (\mathsf {Hyb}_{1,j^*}) = 1] \Big | = \frac{1}{q({\lambda })}$$

We derive a contradiction by building a reduction \({\mathcal A} \) that on input \(\lambda \), obtains \(j^*(\lambda )\) as advice and with black-box access to the \(\mathsf {MIM}\) and to \({\mathcal D} \) contradicts 1-rewinding security of the two party computation protocol. \({\mathcal A} \) proceeds as follows:

  • \({\mathcal A} \) first creates receiver \({\mathcal R} '\) that interacts with the external challenger as follows.

    • Generate the first round messages according to receiver strategy with inputs \(\{K^j\}_{j \in [\ell ]}\) for the right execution. Obtain first round messages from the \(\mathsf {MIM}\), and output the \(\mathsf {MIM}\) ’s message in the \({j^*}^{th}\) left execution to the challenger of the \(\mathsf {2pc}\).

    • Obtain the second round message for the left execution externally from the \(\mathsf {2pc}\) challenger, and forward this to the \(\mathsf {MIM}\) as \({\mathcal S} ^{j^*}\)’s message in the \({j^*}^{th}\) left execution. Obtain the second round message from the \(\mathsf {MIM} \) for the right execution.

    • Generate the third round message for the right execution according to honest receiver strategy, and obtain the third round message from the \(\mathsf {MIM} \). Output the \(\mathsf {MIM}\) ’s message in left session \(j^*\) to the challenger.

    • Obtain the fourth round message for the left execution externally from the challenger, and forward this to the \(\mathsf {MIM}\) as \({\mathcal S} \)’s message in the \({j^*}^{th}\) left execution. Obtain the fourth round message from the \(\mathsf {MIM}\) for the right execution.

  • Next, \({\mathcal A} \) rewinds \({\mathcal R} '\) once, as follows.

    • Generate the third round message according to honest receiver strategy, and obtain the third round message from the \(\mathsf {MIM} \). Output the \(\mathsf {MIM}\) ’s message in session \(j^*\) to the challenger.

    • Obtain the fourth round message for the left execution externally from the challenger, and forward this to the \(\mathsf {MIM}\) as \({\mathcal S} \)’s message in the \({j^*}^{th}\) left execution. Obtain the fourth round message from the \(\mathsf {MIM}\) from the left execution.

    • If none of the executions abort, for every \(j \in [\ell ]\), find \(\alpha _j \in [\lambda ]\) such that \(\mathsf {c} ^j_{\alpha _j} = 0\) and \({\mathsf {c} '}^j_{\alpha _j} = 1\). and use it to compute \(\widetilde{\mathsf {m}}_i^j = \mathsf {NM.Decode}(\widetilde{\mathsf {L}}_{\alpha _j,i}^j, \widetilde{\mathsf {R}}_{\alpha _j, i}^j)\) for \(i \in [m], j \in [\ell ]\). Else, set \(\widetilde{\mathsf {m}}_i^j = \bot \) for \(i \in [m], j \in [\ell ]\)

  • \({\mathcal A} \) outputs the entire view of \({\mathcal R} '\) together with \(\{\widetilde{\mathsf {m}}_i^j\}_{i \in [m], j \in [\ell ]}\). If the challenger used honest sender messages, we denote the distribution output by \({\mathcal A} \) in this experiment by \(\mathsf {Dist}_1\) and if the challenger used simulated messages, we denote the distribution output by \({\mathcal A} \) in this experiment by \(\mathsf {Dist}_2\).

If the challenger’s messages correspond to the real sender \({\mathcal S} \), then the distribution output by \({\mathcal A} \) conditioned on not aborting corresponds to \(\mathsf {Hyb}_1\), and if the challenger’s messages correspond to \(\mathsf {Sim}\text {-}\mathsf {2PC}_\mathsf {Sen}\), then the distribution output by \({\mathcal A} \) conditioned on not aborting corresponds to \(\mathsf {Hyb}_2\).

By assumption, for infinitely many \({\lambda } \in \mathbb {N}\),

$$\Big | \Pr [{\mathcal D} (\mathsf {Hyb}_1) = 1] - \Pr [{\mathcal D} (\mathsf {Hyb}_2) = 1] \Big | = \frac{1}{q({\lambda })}$$

Since the \(\mathsf {MIM}\) completes any run of the protocol without aborting with probability at least \(p({\lambda })\), and because aborts are independent of the distinguishing advantage, for infinitely many \(\lambda \in \mathbb {N}\):

$$\Big | \Pr [{\mathcal D} = 1 ~\wedge ~ \lnot \textsf {abort}|\mathsf {Hyb}_1] - \Pr [{\mathcal D} = 1 ~\wedge ~ \lnot \textsf {abort}|\mathsf {Hyb}_2] \Big | \ge \frac{1}{p({\lambda }) \cdot q({\lambda })}$$

where \(\lnot \textsf {abort}\) denotes the event that an execution that is completed in the main thread, is also completed without aborting in one rewinding execution.

This implies that for infinitely many \(\lambda \in \mathbb {N}\):

$$\Big | \Pr [{\mathcal D} (\mathsf {Dist}_1) = 1] - \Pr [{\mathcal D} (\mathsf {Dist}_2) = 1] \Big | \ge \frac{1}{p({\lambda }) \cdot q({\lambda })},$$

and thus \({\mathcal D} \) contradicts 1-rewinding security of the two party computation protocol.

\(\mathsf {Hyb}_3\): This hybrid is the same as \(\mathsf {Hyb}_2\) except whenever the challenger obtains as output a verification key in one of the right sessions that is identical to a verification key used in one of the left sessions, the hybrid outputs \(\bot \). By existential unforgeability of the signature scheme, given any PPT adversary \(\mathsf {MIM} \), \(\mathsf {Hyb}_2\) and \(\mathsf {Hyb}_3\) are statistically indistinguishable.

\(\mathsf {Hyb}_4\): This hybrid is the same as \(\mathsf {Hyb}_3\) except that \(\mathsf {inp}_{{\mathcal S} ^j}\) is set differently. Specifically, for every \(j \in [\ell ], i \in [m]\) and \(\alpha \in [\lambda ]\), we set \((\mathsf {L}_{\alpha ,i}^j, \mathsf {R}_{\alpha , i}^j) \leftarrow \mathsf {NM.Sim}(1^{p(\lambda )})\), and set

$$\mathsf {inp}_{{\mathcal S} ^j} = (\{\mathsf {m}_i^j,\mathsf {L}^j_{1,i}, \ldots , \mathsf {L}^j_{\lambda ,i}, \mathsf {R}^j_{1,i}, \ldots , \mathsf {R}^j_{\lambda ,i}\}_{i \in [m]}).$$

We note that at this point, the functionality \(\{{\mathcal F} (\mathsf {inp}_{{\mathcal S} ^j},\cdot )\}_{j \in [\ell ]}\) can be perfectly simulated with access to the ideal functionality \(\{\mathsf {OT}^j(\mathsf {m}_i^j, \mathsf {m}_i^j, \cdot )\}_{j \in [\ell ]}\). Therefore, the output of this hybrid is identical to the ideal view \(\mathsf {Ideal} _\mathsf {MIM} (\{\mathsf {m}_{i}^{j}\}_{i \in [m], j \in [\ell ]}, \{K^j\}_{j \in [\ell ]} )\).

Lemma 3

Assuming \(m({\lambda }) \cdot \ell ({\lambda })\) symmetric non-malleable codes, for every unbounded distinguisher \({\mathcal D} \) we have:

$$\Big | \Pr [{\mathcal D} (\mathsf {Hyb}_4) = 1] - \Pr [{\mathcal D} (\mathsf {Hyb}_3) = 1] \Big | = \mathsf {negl} ({\lambda })$$

Proof

We prove indistinguishability between \(\mathsf {Hyb}_3\) and \(\mathsf {Hyb}_4\) by considering a sequence of sub-hybrids, \(\{\mathsf {Hyb}_{3,i,j,k}\}_{i \in [1,m], j \in [1,\ell ], k \in [0,\lambda ]}\) where:

  • \(\mathsf {Hyb}_{3} = \mathsf {Hyb}_{3,0,\ell ,\lambda }\), \(\mathsf {Hyb}_{4} = \mathsf {Hyb}_{3,m,\ell ,\lambda }\),

  • for \(i \in [m]\), \(\mathsf {Hyb}_{3,i-1,\ell ,\lambda } = \mathsf {Hyb}_{3,i,1,0}\)

  • for \(j \in [\ell ]\), \(\mathsf {Hyb}_{3,i,j-1,\lambda } = \mathsf {Hyb}_{3,i,j,0}\),

  • for every \(i \in [m], j \in [\ell ], k \in [\lambda ]\), \(\mathsf {Hyb}_{3,i,j,k}\) is identical to \(\mathsf {Hyb}_{3,i,j,k-1}\) except that \(\mathsf {Hyb}_{3,i,j,k}\) samples \((\mathsf {L}_{k,i}^j, \mathsf {R}_{k,i}^j) \leftarrow \mathsf {NM.Code}(0)\).

Suppose the lemma is not true. Then there exists \(i^* \in [m], j^* \in [\ell ], k^* \in [\lambda ]\), an unbounded distinguisher \({\mathcal D} \) and a polynomial \(p(\cdot )\) such that for large enough \(\lambda \in \mathbb {N}\),

$$\begin{aligned} \Big | \Pr [{\mathcal D} (\mathsf {Hyb}_{3,i^*,j^*,k^*}) = 1] - \Pr [{\mathcal D} (\mathsf {Hyb}_{3,i^*,j^*,k^*-1}) = 1] \Big | = \frac{1}{p({\lambda })} \end{aligned}$$
(1)

We now define a pair of tampering functions \((f_\mathsf {MIM}, g_\mathsf {MIM})\), and additional function \(h_\mathsf {MIM} \) as follows:

  • \(f_\mathsf {MIM}, g_\mathsf {MIM} \) and \(h_\mathsf {MIM} \) share common state that is generated as follows:

    • Execute \(\mathsf {Sim}\text {-}\mathsf {2PC}_\mathsf {Sen}^{\mathsf {MIM}}\), using honest \({\mathcal R} \) strategy in the right executions with input \(\{K^j\}_{j \in [\ell ]}\) and uniformly chosen \(\{c_1^j, \ldots c_\lambda ^j\}_{j \in [\ell ]}\), until \(\mathsf {Sim}\text {-}\mathsf {2PC}_\mathsf {Sen}\) generates a query to the ideal functionality \({\mathcal F} \) at the end of round 3.

    • At this point, \(\mathsf {Sim}\text {-}\mathsf {2PC}_\mathsf {Sen}^{\mathsf {MIM}}\) outputs a view and transcript of the \(\mathsf {MIM}\) until the third round, as well as \(\{\widetilde{K}^j, \widetilde{\mathsf {c}}^j_1, \ldots , \widetilde{\mathsf {c}}^j_\lambda \}_{j \in [\ell ]}\) that correspond to the receiver’s inputs in the left execution.

    • Rewind the third round once with uniformly and independently chosen \(\{{\mathsf {c} '}^j_1, \ldots , {\mathsf {c} '}^j_\lambda \}_{j \in [\ell ]}\). If for every \(j \in [\ell (\lambda )]\), there exists \(\alpha _j \in [\lambda ]\) such that \(\mathsf {c} ^j_{\alpha _j} = 0\) and \({\mathsf {c} '}^j_{\alpha _j} = 1\), continue, otherwise abort.

    • Obtain the rewinding view (with the same prefix of the first two rounds), as well as \((\overline{\mathsf {c}}_1, \ldots , \overline{\mathsf {c}}_n)\) that correspond to the receiver’s input in the left session in this rewinding execution. If \(\widetilde{\mathsf {c}}_{k}^j \ne \overline{\mathsf {c}}_{k}^j\), continue. Otherwise, abort.

    • Generate \((\mathsf {L}_{k,i}^j, \mathsf {R}_{k,i}^j)\) for every \((i,j,k) \in [m] \times [\ell ] \times [\lambda ] \setminus \{i^*, j^*, k^*\}\) according to \(\mathsf {Hyb}_{3,i^*,j^*,k^*-1}\) (this is identical to setting them according to \(\mathsf {Hyb}_{3,i^*,j^*,k^*}\)).

    • Output the view of the \(\mathsf {MIM}\) until round 3 in the main the rewinding threads, including \((i^*, j^*, k^*)\), the values \((\mathsf {L}_{k,i}^j, \mathsf {R}_{k,i}^j)_{(i,j,k) \in [m] \times [\ell ] \times [\lambda ] \setminus \{i^*, j^*, k^*\}}\).

    • Additionally, output the receiver’s inputs \(\{\widetilde{K}^j, \widetilde{\mathsf {c}}^j_1, \ldots , \widetilde{\mathsf {c}}^j_\lambda \}_{j \in [\ell ]}\) and the sender’s inputs \(\{sk^j, vk^j, \{\mathsf {m}_i^j\}_{i \in [m]}\}_{j \in [\ell ]}\).

  • Next, the function \(h_\mathsf {MIM} \) on input \({\mathsf {L}}\), sets \(\mathsf {L}_{k^*, i^*}^{j^*} = {\mathsf {L}}, \mathsf {R}_{k^*,i^*}^{j^*} = 0\). Now, using hardwired values \(\{vk^j, \{\mathsf {m}_i^j\}_{i \in [m]}\}_{j \in [\ell ]}\), \(\{\widetilde{K}^j, \widetilde{\mathsf {c}}^j_1, \ldots , \widetilde{\mathsf {c}}^j_\lambda \}_{j \in [\ell ]}\) as well as the values \((\mathsf {L}_{k,i}^j, \mathsf {R}_{k,i}^j)_{(i,j,k) \in [m] \times [\ell ] \times [\lambda ] \setminus \{i^*, j^*, k^*\}}\), it computes

    $$\mathsf {out} = \{{\mathcal F} ^j (vk^j, \{\mathsf {m}_i, \mathsf {L}_{k,i}^j, \mathsf {R}_{k,i}^j\}_{i \in [m], k \in [\lambda ]},\widetilde{K}^j,\{\widetilde{\mathsf {c}}_k^j\}_{k \in [\lambda ]})\}_{j \in [\ell ]}.$$

    It then invokes \(\mathsf {Sim}\text {-}\mathsf {2PC}_\mathsf {Sen}\) on \(\mathsf {out}\) to generate the fourth round message of the protocol transcript in the main thread if \(\widetilde{\mathsf {c}}_{k^*}^{j^*} = 0\), and generates the fourth round message of the protocol transcript in the rewinding thread if \(\overline{\mathsf {c}}_{k^*}^{j^*} = 0\). It outputs the resulting transcript as the view of the \(\mathsf {MIM} \).

  • The function \(f_\mathsf {MIM} \) on input \({\mathsf {L}}\), sets \(\mathsf {L}_{k^*, i^*}^{j^*} = {\mathsf {L}}, \mathsf {R}_{k^*,i^*}^{j^*} = 0\). Now, using hardwired values \(\{vk^j, \{\mathsf {m}_i^j\}_{i \in [m]}\}_{j \in [\ell ]}\), \(\{\widetilde{K}^j, \widetilde{\mathsf {c}}^j_1, \ldots , \widetilde{\mathsf {c}}^j_\lambda \}_{j \in [\ell ]}\) as well as the values \((\mathsf {L}_{k,i}^j, \mathsf {R}_{k,i}^j)_{(i,j,k) \in [m] \times [\ell ] \times [\lambda ] \setminus \{i^*, j^*, k^*\}}\), it computes

    $$\mathsf {out} = \{{\mathcal F} ^j vk^j, \{\mathsf {m}_i, \mathsf {L}_{k,i}^j, \mathsf {R}_{k,i}^j\}_{i \in [m], k \in [\lambda ]},\widetilde{K}^j,\{\widetilde{\mathsf {c}}_k^j\}_{k \in [\lambda ]})\}_{j \in [\ell ]}.$$

    It then invokes \(\mathsf {Sim}\text {-}\mathsf {2PC}_\mathsf {Sen}\) on \(\mathsf {out}\) to generate the fourth round message of the protocol transcript in the main thread if \(\widetilde{\mathsf {c}}_{k^*}^{j^*} = 0\), and generates the fourth round message of the protocol transcript in the rewinding thread if \(\overline{\mathsf {c}}_{k^*}^{j^*} = 0\). It outputs the values \(\{\mathsf {L}^j_{\alpha _j,i}\}_{i \in [m], j \in [\ell ]}\) or \(\{\mathsf {R}^j_{\alpha _j,i}\}_{i \in [m], j \in [\ell ]}\) obtained from the \(\mathsf {MIM}\).

  • The function \(g_\mathsf {MIM} \) on input \({\mathsf {R}}\), sets \(\mathsf {R}_{k^*, i^*}^{j^*} = {\mathsf {R}}, \mathsf {L}_{k^*,i^*}^{j^*} = 0\). Now, using hardwired values \(\{vk^j, \{\mathsf {m}_i^j\}_{i \in [m]}\}_{j \in [\ell ]}\), \(\{\widetilde{K}^j, \widetilde{\mathsf {c}}^j_1, \ldots , \widetilde{\mathsf {c}}^j_\lambda \}_{j \in [\ell ]}\) as well as the values \((\mathsf {L}_{k,i}^j, \mathsf {R}_{k,i}^j)_{(i,j,k) \in [m] \times [\ell ] \times [\lambda ] \setminus \{i^*, j^*, k^*\}}\), it computes

    $$\mathsf {out} = \{{\mathcal F} ^j vk^j, \{\mathsf {m}_i, \mathsf {L}_{k,i}^j, \mathsf {R}_{k,i}^j\}_{i \in [m], k \in [\lambda ]},\widetilde{K}^j,\{\widetilde{\mathsf {c}}_k^j\}_{k \in [\lambda ]})\}_{j \in [\ell ]}.$$

    It then invokes \(\mathsf {Sim}\text {-}\mathsf {2PC}_\mathsf {Sen}\) on \(\mathsf {out}\) to generate the fourth round message of the protocol transcript in the main thread if \(\widetilde{\mathsf {c}}_{k^*}^{j^*} = 1\), and generates the fourth round message of the protocol transcript in the rewinding thread if \(\overline{\mathsf {c}}_{k^*}^{j^*} = 1\). It outputs the values \(\{\mathsf {L}^j_{\alpha _j,i}\}_{i \in [m], j \in [\ell ]}\) or \(\{\mathsf {R}^j_{\alpha _j,i}\}_{i \in [m], j \in [\ell ]}\) obtained from the \(\mathsf {MIM}\).

By security augmented non-malleable codes,

$$\begin{aligned} \Big ( {\mathsf {L}}, \mathsf {NM.Decode}\big (f_\mathsf {MIM} ({\mathsf {L}}),g_\mathsf {MIM} ({\mathsf {R}}) \big ) \Big | ({\mathsf {L}}, {\mathsf {R}} \leftarrow \mathsf {NM.Code}(\mathsf {m}_{i^*}^{j^*})) \Big ) \approx _{\mathsf {\epsilon }} \\ \Big ( {\mathsf {L}}, \mathsf {NM.Decode}\big (f_\mathsf {MIM} ({\mathsf {L}}),g_\mathsf {MIM} ({\mathsf {R}}) \big ) \Big | ({\mathsf {L}}, {\mathsf {R}} \leftarrow \mathsf {NM.Code}(0)) \Big ) \text { and }\\ \Big ( {\mathsf {L}}, \mathsf {NM.Decode}\big (g_\mathsf {MIM} ({\mathsf {R}}),f_\mathsf {MIM} ({\mathsf {L}}) \big ) \Big | ({\mathsf {L}}, {\mathsf {R}} \leftarrow \mathsf {NM.Code}(\mathsf {m}_{i^*}^{j^*})) \Big ) \approx _{\mathsf {\epsilon }} \\ \Big ( {\mathsf {L}}, \mathsf {NM.Decode}\big (g_\mathsf {MIM} ({\mathsf {R}}), f_\mathsf {MIM} ({\mathsf {L}}) \big ) \Big | ({\mathsf {L}}, {\mathsf {R}} \leftarrow \mathsf {NM.Code}(0)) \Big )~~~~ \end{aligned}$$

By the data processing inequality, this implies that for every function \(h(\cdot )\),

$$\begin{aligned} \Big ( h({\mathsf {L}}), \mathsf {NM.Decode}\big (f_\mathsf {MIM} ({\mathsf {L}}),g_\mathsf {MIM} ({\mathsf {R}}) \big ) \Big | ({\mathsf {L}}, {\mathsf {R}} \leftarrow \mathsf {NM.Code}(\mathsf {m}_{i^*}^{j^*})) \Big ) \approx _{\mathsf {\epsilon }}\\ \Big ( h({\mathsf {L}}), \mathsf {NM.Decode}\big (f_\mathsf {MIM} ({\mathsf {L}}),g_\mathsf {MIM} ({\mathsf {R}}) \big ) \Big | ({\mathsf {L}}, {\mathsf {R}} \leftarrow \mathsf {NM.Code}(0)) \Big ) \text { and }\\ \Big ( h({\mathsf {L}}), \mathsf {NM.Decode}\big (g_\mathsf {MIM} ({\mathsf {R}}), f_\mathsf {MIM} ({\mathsf {L}}) \big ) \Big | ({\mathsf {L}}, {\mathsf {R}} \leftarrow \mathsf {NM.Code}(\mathsf {m}_{i^*}^{j^*})) \Big ) \approx _{\mathsf {\epsilon }}\\ \Big ( h({\mathsf {L}}), \mathsf {NM.Decode}\big (g_\mathsf {MIM} ({\mathsf {R}}),f_\mathsf {MIM} ({\mathsf {L}}) \big ) \Big | ({\mathsf {L}}, {\mathsf {R}} \leftarrow \mathsf {NM.Code}(0)) \Big ) \end{aligned}$$

Setting \(h = h_\mathsf {MIM} \), for \(f_\mathsf {MIM} \) and \(g_\mathsf {MIM} \) defined above, these distributions correspond exactly to the outputs of \(\mathsf {Hyb}_{3,i^*,j^*,k^*-1}\) and \(\mathsf {Hyb}_{3,i^*,j^*,k^*}\) respectively, whenever \(\widetilde{c}_{k^*}^{j^*} \ne \overline{c}_{k^*}^{j^*}\). Whenever \(\widetilde{c}_{k^*}^{j^*} = \overline{c}_{k^*}^{j^*}\), the distributions \(\mathsf {Hyb}_{3,i^*,j^*,k^*-1}\) and \(\mathsf {Hyb}_{3,i^*,j^*,k^*}\) are statistically indistinguishable because they jointly only depend on one of the shares, \(\mathsf {L}\) or \(\mathsf {R}\). Since \(\epsilon (\lambda ) = \mathsf {negl} (\lambda )\), this contradicts Eq. (1), completing our proof.

5 Summary of Results

In this section, we provide a theorem statement capturing two of our main results. See full version for the proof.

Theorem 3

Let f be an arbitrary multiparty functionality.

  • In the watchlist correlations model, assuming black-box access to a pseudorandom generator, there exists a two-round protocol that computes f against static, malicious adversaries satisfying security with selective abort. For f in \(\mathsf {NC1}\), a similar protocol exists unconditionally.

  • Further assuming black-box access to a public-key encryption with pseudorandom public keys and a two-round oblivious transfer with semi-malicious security, there exists a protocol that securely computes f in five rounds in the plain model against static, malicious corruptions of all-but-one players satisfying security with selective abort.

The communication and computation costs of both the protocols are \(\mathsf {poly} (\lambda ,n,|f|)\), where |f| denotes the size of the circuit computing f, and where communication is over a broadcast channel.