Probabilistic Termination and Composability of Cryptographic Protocols

Cohen, Ran; Coretti, Sandro; Garay, Juan; Zikas, Vassilis

doi:10.1007/s00145-018-9279-y

Probabilistic Termination and Composability of Cryptographic Protocols

Published: 12 February 2018

Volume 32, pages 690–741, (2019)
Cite this article

Download PDF

Journal of Cryptology Aims and scope Submit manuscript

Probabilistic Termination and Composability of Cryptographic Protocols

Download PDF

Ran Cohen¹,
Sandro Coretti²,
Juan Garay³ &
…
Vassilis Zikas⁴

2358 Accesses
9 Citations
Explore all metrics

Abstract

When analyzing the round complexity of multi-party protocols, one often overlooks the fact that underlying resources, such as a broadcast channel, can by themselves be expensive to implement. For example, it is well known that it is impossible to implement a broadcast channel by a (deterministic) protocol in a sublinear (in the number of corrupted parties) number of rounds. The seminal works of Rabin and Ben-Or from the early 1980s demonstrated that limitations as the above can be overcome by using randomization and allowing parties to terminate at different rounds, igniting the study of protocols over point-to-point channels with probabilistic termination and expected constant round complexity. However, absent a rigorous simulation-based definition, the suggested protocols are proven secure in a property-based manner or via ad hoc simulation-based frameworks, therefore guaranteeing limited, if any, composability. In this work, we put forth the first simulation-based treatment of multi-party cryptographic protocols with probabilistic termination. We define secure multi-party computation (MPC) with probabilistic termination in the UC framework and prove a universal composition theorem for probabilistic termination protocols. Our theorem allows to compile a protocol using deterministic termination hybrids into a protocol that uses expected constant round protocols for emulating these hybrids, preserving the expected round complexity of the calling protocol. We showcase our definitions and compiler by providing the first composable protocols (with simulation-based security proofs) for the following primitives, relying on point-to-point channels: (1) expected constant round perfect Byzantine agreement, (2) expected constant round perfect parallel broadcast, and (3) perfectly secure MPC with round complexity independent of the number of parties.

Bitcoin as a Transaction Ledger: A Composable Treatment

Article Open access 04 April 2024

Christian Badertscher, Ueli Maurer, … Vassilis Zikas

On the Size of Pairing-Based Non-interactive Arguments

EasyCrypt: A Tutorial

1 Introduction

In secure multi-party computation (MPC) [33, 56] n parties $P _1,\ldots , P _n$ wish to jointly perform a computation on their private inputs in a secure way, so that no coalition of cheating parties can learn more information than their outputs (privacy) or affect the outputs of the computation any more than by choosing their own inputs (correctness).

While the original security definitions had the above property-based flavor (i.e., the protocols were required to satisfy correctness and privacy, potentially along with other security properties, such as fairness and input independence), it is by now widely accepted that security of multi-party protocols should be argued in a simulation-based manner. Informally, in the simulation paradigm for security, the protocol execution is compared to an ideal world where the parties have access to a trusted party (aka the “ideal functionality”) that captures the security properties the protocol is required to achieve. The trusted party takes the parties’ inputs and performs the computation on their behalf. A protocol is regarded as secure if for any adversary attacking it, there exists an ideal adversary (the simulator) attacking the execution in the ideal world, such that no external distinguisher (environment) can tell the real and the ideal executions apart.

There are several advantages in proving a protocol secure in this way. For starters, the definition of the functionality captures all security properties the protocol is supposed to have, and therefore its design process along with the security proof often exposes potential design flaws or issues that have been overlooked in the protocol design. A very important feature of many simulation-based security definitions is composability, which ensures that a protocol can be composed with other protocols without compromising its security. Intuitively, composability ensures that if a protocol $\pi ^{\mathcal {G}_{\textsc {}}}$ which uses a “hybrid” $\mathcal {G}_{\textsc {}} $ (a broadcast channel, for example) securely realizes functionality $\mathcal {F}_{\textsc {}}$, and protocol $\rho $ securely realizes the functionality $\mathcal {G}_{\textsc {}} $, then the protocol $\pi ^{{\rho }/\mathcal {G}_{\textsc {}}}$, which results by replacing in $\pi $ calls to $\mathcal {G}_{\textsc {}} $ by invocations of $\rho $, securely realizes $\mathcal {F}_{\textsc {}} $. In fact, simulation-based security is the one and only way we know to ensure that a protocol can be generically used to implement its specification within an arbitrary environment.

Round Complexity. The prevalent model for the design of MPC protocols is the synchronous model, where the protocol proceeds in rounds and all messages sent in any given round are received by the beginning of the next round. In fact, most if not all implemented and highly optimized MPC protocols (e.g., [16, 22, 24, 44, 50]) are in this model. When executing such synchronous protocols over large networks, one needs to impose a long round duration in order to account for potential delay at the network level, since if the duration of the rounds is too short, then it is likely that some of the messages that arrive late will be ignored or, worse, assigned to a later round. Thus, the round complexity, i.e., the number of rounds it takes for a protocol to deliver outputs, is an important efficiency metric for such protocols and, depending on the network parameters, can play a dominant role in the protocol’s running time.

An issue often overlooked in the analysis of the round complexity of protocols is that the relation between a protocol’s round complexity and its actual running time is sensitive to the “hybrids” (e.g., network primitives) that the protocol is assumed to have access to. For example, starting with the seminal MPC works [6, 15, 33, 54, 56], a common assumption is that the parties have access to a broadcast channel, which they invoke possibly in every round. In reality, however, such a broadcast channel might not be available and would have to be implemented by a broadcast protocol designed for a point-to-point network. Using a standard (deterministic) broadcast protocol for this purpose incurs a linear blowup (in n, the number of parties^{Footnote 1}) on the round complexity of the MPC protocol, as no deterministic broadcast protocol can tolerate a linear number of corruptions and terminate in a sublinear number of rounds [26, 29]. Thus, even though the round complexity of these protocols is usually considered to be linear in the multiplicative depth d of the computed circuit, in reality their running time could become linear in nd (which can be improved to $O(n+d)$ [41]) when executed over point-to-point channels.^{Footnote 2}

In fact, all the so-called constant round multi-party protocols (e.g., [1, 3, 21, 31, 36, 39, 45, 51]) rely on broadcast rounds (rounds in which parties make calls to a broadcast channel) and therefore their running time when broadcast is implemented by a standard protocol would explode to be linear in n instead of constant.^{Footnote 3} As the results from [26, 29] imply, this is not a consequence of the specific choice of protocol but a limitation of any protocol in which there is a round such that all parties are guaranteed to have received their outputs; consistently with the literature on fault-tolerant distributed computing, we shall refer to protocols satisfying this property as deterministic termination protocols. In fact, to the best of our knowledge, even if we allow a negligible chance for the broadcast to fail, the fastest known solutions tolerating a constant fraction of corruptions follow the paradigm from [28] (see below), which requires a poly-logarithmic (in n) number of rounds.^{Footnote 4}

Protocols with Probabilistic Termination. A major breakthrough in fault-tolerant distributed algorithms (recently honored with the 2015 Dijkstra Prize in Distributed Computing) was the introduction of randomization to the field by Ben-Or [4] and Rabin [53], which, effectively, showed how to circumvent the above limitation by using randomization. Most relevant to this submission, Rabin [53] showed that linearly resilient Byzantine agreement protocols [47, 52] (BA, related to broadcast, possibility- and impossibility-wise) in expected constant rounds were possible, provided that all parties have access to a “common coin” (i.e., a common source of randomness).^{Footnote 5} This line of research culminated with the work of Feldman and Micali [28], who showed how to obtain a shared random coin with constant probability from “scratch,” yielding a probabilistic BA protocol tolerating the maximum number of misbehaving parties ($t < n/3$) that runs in expected constant number of rounds. The randomized BA protocol in [28] works in the information-theoretic setting; these results were later extended to the computational setting by Fitzi and Garay [30] and by Katz and Koo [40], who showed that assuming digital signatures there exists an (expected) constant round protocol for BA tolerating $t<n/2$ corruptions. The speedup on the running time in all these protocols, however, comes at the cost of uncertainty, as now they need to give up on guaranteed (eventual) termination (no fixed upper bound on their running time^{Footnote 6}) as well as on simultaneous termination (a party that terminates cannot be sure that other parties have also terminated^{Footnote 7}) [25]. These issues make the simulation-based proof of these protocols a very delicate task, which is the motivation for the current work.

What made the simulation-based approach a more accessible technique in security proofs was the introduction simulation-based security frameworks. The ones that stand out in this development, and most often used in the literature, are Canetti’s modular composition (aka stand-alone security) [9] and the universal composition (UC) frameworks [10, 11]. The former defines security of synchronous protocols executed in isolation (i.e., only a single protocol is run at a time, and whenever a subroutine protocol is called, it is run until its completion); the latter allows protocols to be executed alongside arbitrary (other) protocols and be interleaved in an arbitrary manner. We remark that although the UC framework is inherently asynchronous, several mechanisms have been proposed to allow for a synchronous execution within it (e.g., [11, 12, 43, 46]).

Despite the widespread use of the simulation-based paradigm to prove security of protocols with deterministic termination, the situation has been quite different when probabilistic termination protocols are considered. Here, despite the existence of round-efficient BA protocols as mentioned above [28, 40], to our knowledge, no formal treatment of the problem in a simulation-based model exists, which would allow us to apply the ingenious ideas of Rabin and Ben-Or in order to speed up cryptographic protocols. We note that Katz and Koo [40] even provided an expected constant round MPC protocol using their fast BA protocol as a subroutine, employing several techniques to ensure proper use of randomized BA. However, in lack of a formal treatment, existing constructions are usually proved secure in a property-based manner or rely on ad hoc, less studied security frameworks [49].^{Footnote 8}

A simulation-based and composable treatment of such probabilistic termination (PT for short) protocols would naturally allow, for example, to replace the commonly used broadcast channel with a broadcast protocol, so that the expected running time of the resulting protocol is asymptotically the same as the one of the original (broadcast-hybrid) protocol. A closer look at this replacement, however, exposes several issues that have to do not only with the lack of simulation-based security but also with other inherent limitations. Concretely, it is usually the case in an MPC protocol that the broadcast channel is accessed by several (in many cases by all) parties in the same (broadcast) round in parallel. Ben-Or and El-Yaniv [5] observed that if one naïvely replaces each such invocation by a PT broadcast protocol with expected constant running time, then the expected number of rounds until all broadcasts terminate is no longer constant; in fact, it is not hard to see that in the case of [28], the expected round complexity would be logarithmic in the number of instances (and therefore also in the player set size). (We expand on the reason for this blowup in the round complexity in “Appendix A”.) Nevertheless, in [5] a mechanism was proposed for implementing such parallel calls to broadcast so that the total number of rounds remains constant in expectation.

The difficulties arising with generic parallel composition are not the only issue with PT protocols. As observed by Lindell et al. [49], composing such protocols in sequence is also problematic. The main issue here is that, as already mentioned, PT protocols do not have simultaneous termination and therefore a party cannot be sure how long after he receives his output from a call to such a PT protocol he can safely carry on with the execution of the calling protocol. Although PT protocols usually guarantee a constant “slack” of rounds (say, c) in the output of any two honest parties, the naïve approach of using this property to synchronize the parties (i.e., wait c rounds after the first call, 2c rounds after the second call, and so on) imposes an exponential blowup on the round complexity of the calling protocol. To resolve this, [49] proposed using fixed points in time at which a re-synchronization subroutine is executed, allowing the parties to ensure that they never get too far out of sync. Alternative approaches for solving this issue were also proposed in [8, 40] but, again, with a restricted (property-based) proof.

Despite their novel aspects, the aforementioned results on composition of PT protocols do not use simulation-based security, and therefore, it is unclear how (or if) they could be used to, for example, instantiate broadcast within a higher-level cryptographic protocol. In addition, they do not deal with other important features of modern security definitions, such as adaptive security and strict polynomial time execution. In fact, this lack of a formal cryptographic treatment places some of their claims at odds with the state-of-the-art cryptographic definitions. Somewhat pointedly, [5] claimed adaptive security, which, although it can be shown to hold in a property-based definition, is not achieved by the specified construction when simulation-based security is considered (cf. Sect. 5).

Our Contributions. In this paper, we provide the first formal simulation-based (and composable) treatment of MPC with probabilistic termination. Our treatment builds on Canetti’s universal composition (UC) framework [10, 11]. In order to take advantage of the fast termination of PT protocols, parties typically proceed at different paces and therefore protocols might need to be run in an interleaved manner, e.g., in an MPC protocol a party might initiate the protocol for broadcasting his r-round message before other parties have received output from the broadcasting of messages for round $r-1$. This inherent concurrency along with its support for synchrony makes the UC framework the natural candidate for our treatment.

Our motivating goal, which we achieve, is to provide a generic compiler that allows us to transform any UC protocol $\pi $, even one that cannot be realized in the real world, making calls to deterministic termination UC protocols $\rho _i$ in a “stand-alone fashion” (similar to [9], i.e., the protocols $\rho _i$ are invoked sequentially and in each round exactly one protocol is being executed by all the parties) into a (probabilistic termination) protocol $\pi '$ (where the parties are no longer synchronized and the hybrids are invoked concurrently) that can be realized in the real world, and in which each $\rho _i$ is replaced by a PT protocol $\rho _i'$. The compiled protocol $\pi '$ achieves the same security as $\pi $ and has (expected) round complexity proportional to $\sum _i d_i r_i$, where $d_i$ is the expected number of calls $\pi $ makes to $\rho _i$ and $r_i$ is the expected round complexity of $\rho _i$.

Toward this goal, the first step is to define what it means for a protocol to UC-securely realize a functionality with probabilistic termination in a simulation-based manner, by proposing an explicit formulation of the functionality that captures this important protocol aspect. The high-level idea is to parameterize the functionality with an efficiently sampleable distribution D that provides an upper bound on the protocol’s running time (i.e., number of rounds), so that the adversary cannot delay outputs beyond this point (but is allowed to deliver the output to honest parties earlier, and even in different rounds).

Next, we prove our universal composability result. Informally, our result provides a generic compiler that takes as input a “stand-alone” protocol $\pi $, realizing a probabilistic termination functionality $\mathcal {F}_{\textsc {}} ^D$ (for a given distribution D) while making sequential calls to (deterministic termination) secure function evaluation (SFE)-like functionalities, and compiles it into a new protocol $\pi '$ in which the calls to the SFEs are replaced by probabilistic termination protocols realizing them. The important feature of our compiler is that in the compiled protocol, the parties do not need to wait for every party to terminate their emulation of each SFE to proceed to the emulation of the next SFE. Rather, shortly after a party (locally) receives its output from one emulation, it proceeds to the next one. This yields an (at most) multiplicative blowup on the expected round complexity as discussed above. In particular, if the protocols used to emulate the SFEs are expected constant round, then the expected round complexity of $\pi '$ is the same (asymptotically) as that of $\pi $.

We then showcase our definition and composition theorem by providing simulation-based (therefore composable) probabilistic termination protocols and security proofs for several primitives relying on point-to-point channels: expected constant round perfect Byzantine agreement, expected constant round perfect parallel broadcast, and perfectly secure MPC with round complexity independent of the number of parties. Not surprisingly, the simulation-based treatment reveals several issues, both at the formal and at the intuitive levels, that are not present in a property-based analysis, and which we discuss along the way. We now elaborate on each application in turn. Regarding Byzantine agreement, we present a protocol that perfectly securely UC-implements the probabilistic termination Byzantine agreement functionality for $t<n/3$ in an expected constant number of rounds. (We will use RBA to denote probabilistic termination BA, as it is often referred to as “randomized BA.”^{Footnote 9}) Our protocol follows the structure of the protocol in [28], with a modification inspired by Goldreich and Petrank [34] to make it strict polynomial time (see the discussion below), and in a sense it can be viewed as the analogue for RBA of the well-known “CLOS” protocol for MPC [13]. Indeed, similarly to how [13] converted (and proved) the “GMW” protocol [32] from statically secure in the stand-alone setting into an adaptively secure UC version, our work transforms the broadcast and BA protocols from [28] into adaptively UC-secure randomized broadcast and RBA protocols.^{Footnote 10}

Our first construction above serves as a good showcase of the power of our composition theorem, demonstrating how UC-secure RBA is built in a modular manner: First, we de-compose the subroutines that are invoked in [28] and describe simple(r) (SFE-like) functionalities corresponding to these subroutines; this provides us with a simple “backbone” of the protocol in [28] making calls to these hybrids, which can be easily proved to implement expected constant round RBA. Next, we feed this simplified protocol to our compiler which outputs a protocol that implements RBA from point-to-point secure channels; our composition theorem ensures that the resulting protocol is also expected constant round.

There is a sticky issue here that we need to resolve for the above to work: The protocol in [28] does not have guaranteed termination and therefore the distribution of the terminating round is not sampleable by a strict probabilistic polynomial time (PPT) machine.^{Footnote 11} A way around this issue would be to modify the UC model of execution so that the corresponding ITMs are expected PPT machines. Such a modification, however, would impact the UC model of computation and would therefore require a new proof of the composition theorem, a trickier task than one might expect, as the shift to expected polynomial time simulation is known to introduce additional conceptual and technical difficulties (cf. [42]), whose resolution is beyond the scope of this work. Instead, here we take a different approach which preserves full compatibility with the UC framework: We adapt the protocol from [28] using ideas from [34] so that it implements a functionality which samples the terminating round with almost the same probability distribution as in [28], but from a finite (linear size) domain; as we show, this distribution is sampleable in strict polynomial time and can therefore be used by a standard UC functionality.

Next, we use our composition theorem to derive the first simulation-based and adaptively (UC) secure parallel broadcast protocol, which guarantees that all broadcast values are received within an expected constant number of rounds. This extends the results from [5, 40] in several ways: First, our protocol is perfectly UC-secure which means that we can now use it within a UC-secure SFE protocol to implement secure channels, and second, it is adaptively secure against a rushing adversary.^{Footnote 12}

Finally, by applying once again our compiler to replace calls to the broadcast channel in the SFE protocol by Ben-Or et al. [6] (which, recall, is perfectly secure against $t<n/3$ corruptions in the broadcast-hybrid model [2]) by invocations to our adaptively secure UC parallel broadcast protocol, we obtain the first UC-secure PT MPC protocol in the point-to-point secure channels model with (expected) round complexity O(d), independently of the number of parties, where d is the multiplicative depth of the circuit being computed. As with RBA, this result can be seen as the first analogue of the UC compiler by Canetti et al. [13] for SFE protocols with probabilistic termination.

We stress that the use of perfect security to showcase our composition theorem is just our choice and not a restriction of our composition theorem. In fact, our theorem can be also applied to statistically or computationally secure protocols. Moreover, if one is interested in achieving better constants in the (expected) round complexity, then one can use SFE protocols that attempt to minimize the use of the broadcast channel (e.g., [41]). Our composition theorem will give a direct methodology for this replacement and will, as before, eliminate the dependency of the round complexity from the number of parties.^{Footnote 13}

Follow-up Work. In the current work the focus is on round-preserving sequential composition of arbitrary probabilistic termination protocols. Parallel composition is only considered for specific functionalities, in particular for the parallel broadcast functionality. In [18] the round-preserving parallel composition of arbitrary protocols was considered, showing both positive and negative results.

2 The Model

We consider n parties $P _1,\ldots ,P _n$ and an adaptive t-adversary, i.e., the adversary corrupts up to t parties during the protocol execution.^{Footnote 14} We work in the UC model and assume the reader has some familiarity with its basics. To capture synchronous protocols in UC we use the framework of Katz et al. [43]. Concretely, the assumption that parties are synchronized is captured by assuming that the protocol has access to a “clock” functionality $\mathcal {F}_{\textsc {clock}}$. The functionality $\mathcal {F}_{\textsc {clock}}$ maintains an indicator bit which is switched once all honest parties request the functionality to do it. At any given round, a party asks $\mathcal {F}_{\textsc {clock}}$ to turn the bit on only after having finished with all operations for the current round. Thus, this bit’s value can be used to detect when every party has completed his round, in which case they can proceed to the next round. As a result, this mechanism ensures that no party sends his messages for round $r+1$ before every party has completed round r. For clarity, we refrain from writing this clock functionality in our theorem statement; however, all our results assume access to such a clock functionality.

In the communication network of [43], parties have access to bounded-delay secure channels. These channels work in a so-called fetch mode, i.e., in order to receive his output the receiver issues a $\texttt {fetch-output} $ command. This allows to capture the property of a channel between a sender $P _s$ and a receiver $P _r$, delaying the delivery of a message by an amount $\delta $: As soon as the sender $P _s$ submits an input y (message to be sent to the receiver) the channel functionality starts counting how many times the receiver requests it.^{Footnote 15} The first $\delta -1$ such $\texttt {fetch-output} $ requests (plus all such requests that are sent before the sender submits input) are ignored (and the adversary is notified about them); the $\delta $’th $\texttt {fetch-output}$ request following a submitted input y from the sender results in the channel sending $(\texttt {output},y)$ to $P _r$. In this work we take an alternative approach and model secure channels as special simple SFE functionalities. These SFEs also work in a fetch mode^{Footnote 16} and provide the same guarantee as the bounded-delay channels.

There are two important considerations in proving the security of a synchronous UC protocol: (1) The simulator needs to keep track of the protocol’s current round, and (2) because parties proceed at the same pace, they can synchronize their reaction to the environment; most fully synchronous protocols, for example, deliver output exactly after a given number of rounds. In [43] this property is captured as follows: The functionality keeps track of which round the protocol would be in by counting the number of activations it receives from honest parties. Thus, if the protocol has a regular structure, where every party advances the round after receiving a fixed number $\mu $ of activations from its environment (all protocols described herein will be in this form), the functionality can easily simulate how rounds in the protocol advance by incrementing its round index whenever it receives $\mu $ messages from all honest parties; we shall refer to such a functionality as a synchronous functionality. Without loss of generality, whenever clear from the context we will describe functionalities for $\mu =1$, i.e., once a functionality receives a message from every party it proceeds to the simulation of the next protocol round. We stress that this is done to simplify the description, and in an actual evaluation, as in the synchronous setting of [43], in order to give the simulator sufficiently many activations to perform its simulation, functionalities typically have to wait for $\mu >1$ messages from each party where the last $\mu -1$ of these messages are typically “dummy” activations (usually of the type $(\texttt {fetch-output},\cdot )$).

To further simplify the description of our functionalities, we introduce the following terminology. We say that a synchronous functionality$\mathcal {F}_{\textsc {}}$is in round$\rho $ if the current value of the above internal round counter in $\mathcal {F}_{\textsc {}}$ is $\lambda =\rho $. All synchronous functionalities considered in this work have the following format: They can receive any message as input from the parties; however, they ignore all messages until the first message of the special form $(\texttt {input},\cdot )$; as soon as an honest party sends its input message, any future message by this party is treated as a $(\texttt {fetch-output},\cdot )$ message. Refer to “Appendix B” for a more detailed overview of [43] and discussion of our model.

3 Secure Computation with Probabilistic Termination

The work of Katz et al. [43] addresses (synchronous) cryptographic protocols that terminate in a fixed number of rounds for all honest parties. However, as mentioned in Sect. 1, Ben-Or [4] and Rabin [53] showed that in some cases, great asymptotic improvements on the expected termination of protocols can be achieved through the use of randomization. Recall, for example, that in the case of BA, even though a lower bound of $t+1$ rounds of any deterministic BA protocol tolerating t corruptions exists [26, 29], Rabin’s global-coin technique (fully realized later on in [28]) yields an expected constant round protocol. This speedup, however, comes at a price, namely, of relinquishing both fixed and simultaneous termination [25]: the round complexity of the corresponding protocols may depend on random choices made during the execution, and parties may obtain output from the protocol in different rounds.

In this section, we show how to capture protocols with such probabilistic termination (PT), i.e., without fixed and without simultaneous termination, within the UC framework. To capture probabilistic termination, we first introduce a functionality template $\mathcal {F}_{\textsc {csf}} $ called a canonical synchronous functionality (CSF). $\mathcal {F}_{\textsc {csf}} $ is a simple two-round functionality with explicit (one round) input and (one round) output phases. Computation with probabilistic termination is then defined by wrapping $\mathcal {F}_{\textsc {csf}} $ with an appropriate functionality wrapper that enables non-fixed, non-simultaneous termination.

3.1 Canonical Synchronous Functionalities

At a high level, $\mathcal {F}_{\textsc {csf}} $ corresponds to a generalization of the UC-secure function evaluation (SFE) functionality to allow for potential leakage on the inputs to the adversary and potential adversarial influence on the outputs.^{Footnote 17} In more detail, $\mathcal {F}_{\textsc {csf}} $ has two parameters: (1) a (possibly) randomized function f that receives $n+1$ inputs (n inputs from the parties and one additional input from the adversary) and (2) a leakage function $l$ that leaks some information about the input values to the adversary.

$\mathcal {F}_{\textsc {csf}} $ proceeds in two rounds: In the first round all the parties hand $\mathcal {F}_{\textsc {csf}} $ their input values, and in the second round each party receives its output. This is very similar to the standard (UC) SFE functionality; the difference here is that whenever some input is submitted to $\mathcal {F}_{\textsc {csf}} $, the adversary is handed some leakage function of this input—similarly, for example, to how UC-secure channels leak the message length to the adversary. The adversary can use this leakage when deciding the inputs of corrupted parties. Additionally, he is allowed to input an extra message, which—depending on the function f—might affect the output(s). The detailed description of $\mathcal {F}_{\textsc {csf}} $ is given in Fig. 1.

Next, we point out a few technical issues about the description of $\mathcal {F}_{\textsc {csf}} $. Following the simplifications from Sect. 2, $\mathcal {F}_{\textsc {csf}} $ advances its round as soon as it receives $\mu =1$ message from each honest party. This ensures that the adversary cannot make the functionality stall indefinitely. Thus, formally speaking, the functionality $\mathcal {F}_{\textsc {csf}} $ is not well formed (cf. [13]), as its behavior depends on the identities of the corrupted parties.^{Footnote 18} We emphasize that the non-well-formedness relates only to advancing the rounds and is unavoidable if we want to restrict the adversary not to block the evaluation indefinitely (cf. [43]).

Once an honest party sends its input, the adversary receives a leakage from the functionality, and based on this its information can corrupt the party, replace its input value, and send an additional input message to the functionality. Note that the functionality will consider the latest input value received by a party in order to allow the adversary such a behavior.

We point out that as a generalization of the SFE functionality, CSFs are powerful enough to capture any deterministic well-formed functionality. In fact, all the basic (unwrapped) functionalities considered in this work will be CSFs. We now describe how standard functionalities from the MPC literature can be cast as CSFs:

Secure Message Transmission (aka Secure Channel). In the secure message transmission (SMT) functionality, a sender $P _i$ with input $x_i$ sends its input to $P _j$. Since $\mathcal {F}_{\textsc {csf}} $ is an n-party functionality and involves receiving $\texttt {input} $ messages from all n parties, we define the two-party task using an n-party function. The function to compute is $f_{\tiny {\textsc {smt}}} ^{i,j}(x_1,\ldots ,x_n,a)=(\lambda ,\ldots ,x_i,\ldots ,\lambda )$ (where $x_i$ is the value of the j’th coordinate) and the leakage function is $l_{\tiny {\textsc {smt}}} ^{i,j}(x_1,\ldots ,x_n)=y$, where $y=\left| x_i\right| $ in case $P _j$ is honest and $y=x_i$ in case $P _j$ is corrupted. We denote by $c^{i,j}$ the functionality $\mathcal {F}_{\textsc {csf}} $ when parametrized with the above functions $f_{\tiny {\textsc {smt}}} ^{i,j}$ and $l_{\tiny {\textsc {smt}}} ^{i,j}$, for sender $P _i$ and receiver $P _j$.
Broadcast. In the (standard) broadcast functionality, a sender $P _i$ with input $x_i$ distributes its input to all the parties, i.e., the function to compute is $f_{\tiny {\textsc {bc}}} ^i(x_1,\ldots ,x_n,a)=(x_i,\ldots ,x_i)$. The adversary only learns the length of the message $x_i$ before its distribution, i.e., the leakage function is $l_{\tiny {\textsc {bc}}} ^i(x_1,\ldots ,x_n)=\left| x_i\right| $. This means that the adversary does not gain new information about the input of an honest sender before the output value for all the parties is determined, and in particular, the adversary cannot corrupt an honest sender and change its input after learning the input message. We denote by $\mathcal {F}_{\textsc {bc}} ^i$ the functionality $\mathcal {F}_{\textsc {csf}} $ when parametrized with the above functions $f_{\tiny {\textsc {bc}}} ^i$ and $l_{\tiny {\textsc {bc}}} ^i$, for sender $P _i$.
Secure Function Evaluation. In the secure function evaluation functionality, the parties compute a randomized function $g(x_1,\ldots ,x_n)$, i.e., the function to compute is $f_{\tiny {\textsc {sfe}}} ^g(x_1,\ldots ,x_n,a)=g(x_1,\ldots ,x_n)$. The adversary learns the length of the input values via the leakage function, i.e., the leakage function is $l_{\tiny {\textsc {sfe}}} (x_1,\ldots ,x_n)=(\left| x_1\right| ,\ldots ,\left| x_n\right| )$. We denote by $\mathcal {F}_{\textsc {sfe}} ^g$ the functionality $\mathcal {F}_{\textsc {csf}} $ when parametrized with the above functions $f_{\tiny {\textsc {sfe}}} ^g$ and $l_{\tiny {\textsc {sfe}}} $, for computing the n-party function g.
Byzantine Agreement (aka Consensus). In the Byzantine agreement functionality, defined for the set V, each party $P _i$ has input $x_i\in V$. The common output is computed such that if $n-t$ of the input values are the same, this will be the output; otherwise the adversary gets to decide on the output. The adversary is allowed to learn the content of each input value from the leakage (and so it can corrupt parties and change their inputs based on this information). The function to compute is $f_{\tiny {\textsc {ba}}} (x_1,\ldots ,x_n,a)=(y,\ldots ,y)$ such that $y=x$ if there exists a value x such that $x=x_i$ for at least $n-t$ input values $x_i$; otherwise $y=a$. The leakage function is $l_{\tiny {\textsc {ba}}} (x_1,\ldots ,x_n)=(x_1,\ldots ,x_n)$. We denote by $\mathcal {F}_{\textsc {ba}} ^V$ the functionality $\mathcal {F}_{\textsc {csf}} $ when parametrized with the above functions $f_{\tiny {\textsc {ba}}} $ and $l_{\tiny {\textsc {ba}}} $, defined for the set V.

3.2 Probabilistic Termination in UC

Having defined CSFs, we turn to the notion of (non-reactive) computation with probabilistic termination. This is achieved by defining the notion of an output round randomizing wrapper. Such a wrapper is parametrized by an efficient probabilistic algorithm D, termed the round sampler, that may depend on a specific protocol implementing the functionality. The round sampler D samples a round number $\rho _\mathsf {term}$ by which all parties are guaranteed to receive their outputs no matter what the adversary strategy is. Moreover, since there are protocols in which all parties terminate in the same round and protocols in which they do not, we consider two wrappers: The first, denoted $\mathcal {W}_{\mathrm {strict}} $, ensures in a strict manner that all (honest) parties terminate in the same round, whereas the second, denoted $\mathcal {W}_{\mathrm {flex}} $, is more flexible and allows the adversary to deliver outputs to individual parties at any time before round $\rho _\mathsf {term}$.

A delicate issue that needs to be addressed is the following: While an ideal functionality can be used to abstractly describe a protocol’s task, it cannot hide the protocol’s round complexity. This phenomenon is inherent in the synchronous communication model: any environment can observe how many rounds the execution of a protocol takes, and, therefore, the execution of the corresponding ideal functionality must take the same number of rounds.^{Footnote 19}

As an illustration of this issue, let $\mathcal {F}_{\textsc {}} $ be an arbitrary functionality realized by some protocol $\pi $. If $\mathcal {F}_{\textsc {}} $ is to provide guaranteed termination (whether probabilistic or not), it must enforce an upper bound on the number of rounds that elapse until all parties receive their outputs. If the termination round of $\pi $ is not fixed (but may depend on random choices made during its execution), this upper bound must be chosen according to the distribution induced by $\pi $.

Thus, in order to simulate correctly, the functionality $\mathcal {F}_{\textsc {}} $ and $\pi $’s simulator $\mathcal {S} $ must coordinate the termination round, and therefore, $\mathcal {F}_{\textsc {}} $ must pass the upper bound it samples to $\mathcal {S} $. However, it is not sufficient to simply inform the simulator about the guaranteed termination upper bound $\rho _\mathsf {term}$. Intuitively, the reason is that protocol $\pi $ may make probabilistic choices as to the order in which it calls its hybrids (and, even worse, these hybrids may even have probabilistic termination themselves). Thus, $\mathcal {F}_{\textsc {}} $ needs to sample the upper bound based on $\pi $ and the protocols realizing the hybrids called by $\pi $. As $\mathcal {S} $ needs to emulate the entire protocol execution, it is now left with the task of trying to sample the protocol’s choices conditioned on the upper bound it receives from $\mathcal {F}_{\textsc {}} $. In general, however, it is unclear whether such a reverse sampling can be performed in (strict) polynomial time.

To avoid this issue and allow for an efficient simulation, we have $\mathcal {F}_{\textsc {}} $ output all the coins that were used for sampling round $\rho _\mathsf {term}$ to $\mathcal {S} $. Because $\mathcal {S} $ knows the round sampler algorithm, it can reproduce the entire computation of the sampler and use it in its simulation. In fact, as we discuss below, it suffices for our proofs to have $\mathcal {F}_{\textsc {}} $ output a trace of its choices to the simulator instead of all the coins that were used to sample this trace. In the remainder of this section, we motivate and formally describe our formulation of such traces. The formal description of the wrappers, which in particular sample traces, can then be found at the end of this section.

Execution Traces. As mentioned above, in the synchronous communication model, the execution of the ideal functionality must take the same number of rounds as the protocol. For example, suppose that the functionality $\mathcal {F}_{\textsc {}} $ in our illustration above is used as a hybrid by a higher-level protocol $\pi '$. The functionality $\mathcal {G}_{\textsc {}} $ realized by $\pi '$ must, similarly to $\mathcal {F}_{\textsc {}} $, choose an upper bound on the number of rounds that elapse before parties obtain their outputs. However, this upper bound now depends not only on $\pi '$ itself but also on $\pi $ (in particular, when $\pi $ is a probabilistic termination protocol).

Given the above, the round sampler of a functionality needs to keep track of how the functionality was realized. This can be achieved via the notion of trace. A trace basically records which hybrids were called by a protocol, and in a recursive way, for each hybrid, which hybrids would have been called by a protocol realizing that hybrid. The recursion ends with the hybrids that are “assumed” by the model, called atomic functionalities.^{Footnote 20}

Building on our running illustration above, suppose protocol $\pi '$ (realizing $\mathcal {G}_{\textsc {}} $) makes ideal hybrid calls to $\mathcal {F}_{\textsc {}} $ and to some atomic functionality $\mathcal {H}_{\textsc {}} $. Assume that in an example execution, $\pi '$ happens to make (sequential) calls to instances of $\mathcal {H}_{\textsc {}} $ and $\mathcal {F}_{\textsc {}} $ in the following order: $\mathcal {F}_{\textsc {}} $, then $\mathcal {H}_{\textsc {}} $, and finally $\mathcal {F}_{\textsc {}} $ again. Moreover, assume that $\mathcal {F}_{\textsc {}} $ is replaced by protocol $\pi $ (realizing $\mathcal {F}_{\textsc {}} $) and that $\pi $ happens to make two (sequential) calls to $\mathcal {H}_{\textsc {}} $ upon the first invocation by $\pi '$, and three (sequential) calls to $\mathcal {H}_{\textsc {}} $ the second time (we assume that both $\pi $ and $\pi '$ call exactly one hybrid in every round). Then, this would result in the trace depicted in Fig. 2.

Assume that $\pi $ is a probabilistic termination protocol and $\pi '$ a deterministic termination protocol. Consequently, this means that $\mathcal {F}_{\textsc {}} $ is in fact a flexibly wrapped functionality of some CSF $\mathcal {F}_{\textsc {}} '$, i.e., $\mathcal {F}_{\textsc {}} =\mathcal {W}_{\mathrm {flex}} ^{D_{\mathcal {F}_{\textsc {}}}}(\mathcal {F}_{\textsc {}} ')$, where the distribution ${D_{\mathcal {F}_{\textsc {}}}}$ samples (from a distribution induced by $\pi $) depth-1 traces with root $\mathcal {W}_{\mathrm {flex}} ^{D_{\mathcal {F}_{\textsc {}}}}(\mathcal {F}_{\textsc {}} ')$ and leaves $\mathcal {H}_{\textsc {}} $.^{Footnote 21} Similarly, $\mathcal {G}_{\textsc {}} $ is a strictly wrapped functionality of some CSF $\mathcal {G}_{\textsc {}} '$, i.e., $\mathcal {G}_{\textsc {}} =\mathcal {W}_{\mathrm {strict}} ^{D_{\mathcal {G}_{\textsc {}}}} (\mathcal {G}_{\textsc {}} ')$, where the distribution $D_{\mathcal {G}_{\textsc {}}}$ first samples (from a distribution induced by $\pi '$) a depth-1 trace with root $\mathcal {W}_{\mathrm {strict}} ^{D_{\mathcal {G}_{\textsc {}}}} (\mathcal {G}_{\textsc {}} ')$ and leaves $\mathcal {W}_{\mathrm {flex}} ^{D_{\mathcal {F}_{\textsc {}}}}(\mathcal {F}_{\textsc {}} ')$ as well as $\mathcal {H}_{\textsc {}} $. Then, each leaf node $\mathcal {W}_{\mathrm {flex}} ^{D_{\mathcal {F}_{\textsc {}}}}(\mathcal {F}_{\textsc {}} {}')$ is replaced by a trace (independently) sampled from $D_{\mathcal {F}_{\textsc {}}}$. Thus, the example trace from Fig. 2 would look as in Fig. 3.

Formally, a trace is defined as follows:

Definition 3.1

(traces) A trace is a rooted tree of depth at least 1, in which all nodes are labeled by functionalities and where every node’s children are ordered. The root and all internal nodes are labeled by wrapped CSFs (by either of the two wrappers), and the leaves are labeled by unwrapped CSFs. The trace complexity of a trace $T $, denoted $c_{\mathsf {tr}} (T)$, is the number of leaves in $T $. Moreover, denote by ${\mathsf {flex_{tr}}} (T)$ the number of flexibly wrapped CSFs in $T $.

Remark

The actual protocol trace encodes its round complexity and the access pattern to its hybrids (i.e., when is each hybrid used). Clearly, this pattern might depend on the inputs of the parties and/or the adversary. For example, in the Byzantine agreement protocol of Feldman and Micali [28], if all honest parties start with the same input, then they get their output faster. For simplicity, in this work, the class of trace distributions we define, and which our wrappers sample from, considers traces that are sampled independently of the honest parties’ inputs or adversary. Nonetheless, our wrappers give the simulator the power to influence the simulated access pattern and/or termination round. This allows us to use this simplified trace distribution class to devise functionalities which, as we show, are implemented by known protocols with probabilistic termination.

Strict Wrapper Functionality. We now proceed to give the formal descriptions of the wrappers. The strict wrapper functionality, defined in Fig. 4, is parametrized by (a sampler that induces) a distribution $D$ over traces, and internally runs a copy of a CSF functionality $\mathcal {F}_{\textsc {}} $. Initially, a trace $T $ is sampled from $D$; this trace is given to the adversary once the first honest party provides its input. The trace $T $ is used by the wrapper to define the termination round $\rho _\mathsf {term}\leftarrow c_{\mathsf {tr}} (T)$. In the first round, the wrapper forwards all the messages from the parties and the adversary to (and from) the functionality $\mathcal {F}_{\textsc {}} $. Next, the wrapper essentially waits until round $\rho _\mathsf {term}$, with the exception that the adversary is allowed to send $(\texttt {adv-input},\mathsf {sid},\cdot )$ messages and change its input to the function computed by the CSF. Finally, when round $\rho _\mathsf {term}$ arrives, the wrapper provides the output generated by $\mathcal {F}_{\textsc {}} $ to all parties.

Flexible Wrapper Functionality. The flexible wrapper functionality, defined in Fig. 5, follows in similar lines to the strict wrapper. The difference is that the adversary is allowed to instruct the wrapper to deliver the output to each party at any round. In order to accomplish this, the wrapper assigns a termination indicator $\mathsf {term}_i$, initially set to 0, to each party. Once the wrapper receives an $\texttt {early-output} $ request from the adversary for $P _i$, it sets $\mathsf {term}_i\leftarrow 1$. Now, when a party $P _i$ sends a $\texttt {fetch-output} $ request, the wrapper checks if $\mathsf {term}_i=1$, and lets the party receive its output in this case (by forwarding the $\texttt {fetch-output} $ request to $\mathcal {F}_{\textsc {}} $). When the guaranteed termination round $\rho _\mathsf {term}$ arrives, the wrapper provides the output to all parties that did not receive it yet.

4 (Fast) Composition of Probabilistic Termination Protocols

Canonical synchronous functionalities that are wrapped using the flexible wrapper (cf. Sect. 3.2), i.e., functionalities that correspond to protocols with non-simultaneous termination, are cumbersome to be used as hybrid functionalities for protocols. The reason is that the adversary can cause parties to finish in different rounds, and, as a result, after the execution of the first such functionality, the parties might be out of sync.

This “slack” can be reduced, however, only to a difference of one round, unless one is willing to pay a linear blowup (in the number of parties) in round complexity [26, 29]. Hence, all protocols must be modified to deal with a non-simultaneous start of (at least) one round, and protocols that introduce slack must be followed by a slack reduction procedure. In this section, we provide general transformations to reduce the desired tasks to the simpler task of designing protocols in a “stand-alone” setting, where all parties remain synchronized throughout the protocol (and no slack and round complexity issues arise), and all the hybrids are (unachievable) CSFs that are called in a strictly sequential manner.

Definition 4.1

(SNF) Let $\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m$ be canonical synchronous functionalities. A synchronous protocol $\pi $ in the $(\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)$-hybrid model is in synchronous normal form (SNF) if in every round exactly one ideal functionality $\mathcal {F}_{\textsc {}} {}_i$ is invoked by all honest parties, and in addition, no honest party hands inputs to other CSFs before this instance halts.

Clearly, designing and proving the security of SNF protocols, which only make calls to simple two-round CSFs is a much simpler task than dealing with protocols that invoke more complicated hybrids, potentially with probabilistic termination (see Sect. 5 for concrete examples).

SNF protocols are designed as an intermediate step, since the hybrid functionalities $\mathcal {F}_{\textsc {}} {}_i$ are two-round CSFs, and, in general, cannot be realized by real-world protocols. To that end, we define a protocol compiler that transforms SNF protocols into (non-SNF) protocols making calls to wrapped CSFs that can be realized in the real world, while maintaining their security and asymptotic (expected) round complexity. At the same time, the compiler takes care of any potential slack that is introduced by the protocol and ensures that the protocol can be executed even if the parties do not start the protocol simultaneously.

In Sect. 4.1, we apply this approach to deterministic termination protocols that use deterministic termination hybrids, and in Sect. 4.2, generalize it to the probabilistic termination setting. Section 4.3 covers the base case of realizing the wrapped parallel secure message transmission$\mathcal {F}_{\textsc {psmt}} $ using only (non-parallel) secure message transmission$\mathcal {F}_{\textsc {smt}} $. All proofs can be found in “Appendix C”.

4.1 Composition with Deterministic Termination

We start by defining a slack-tolerant variant of the strict wrapper (cf. Sect. 3.2), which can be used even when parties operate with a (known) slack. Then, we show how to compile an SNF protocol $\pi $ realizing a strictly wrapped CSF $\mathcal {F}_{\textsc {}} $ into a (non-SNF) protocol $\pi '$ realizing a version of $\mathcal {F}_{\textsc {}} $ wrapped with the slack-tolerant strict wrapper and making calls to wrapped hybrids.

Slack-Tolerant Strict Wrapper. The slack-tolerant strict wrapper$\mathcal {W}_{\text {sl-strict}} ^{D,c}$, formally defined in Fig. 6, is parametrized by an integer $c\ge 0$, which denotes the amount of slack tolerance that is added, and a distribution D over traces. The wrapper $\mathcal {W}_{\text {sl-strict}} $ is similar to $\mathcal {W}_{\mathrm {strict}} $ but allows parties to provide input within a window of $2c+1$ rounds and ensures that they obtain output with the same slack they started with. The wrapper essentially increases the termination round by a factor of $B_{c} = 3c+1$, which is due to the slack tolerance technique used to implement the wrapped version of the atomic parallel SMT functionality (cf. Sect. 4.3).^{Footnote 22}

Deterministic Termination Compiler. Let $\mathcal {F}_{\textsc {}}, \mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m$ be canonical synchronous functionalities, and let $\pi $ an SNF protocol that UC-realizes the strictly wrapped functionality $\mathcal {W}_{\mathrm {strict}} ^D(\mathcal {F}_{\textsc {}})$, for some depth-1 distribution D, in the $(\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)$-hybrid model, assuming that all honest parties receive their inputs at the same round. We define a compiler $\mathsf {Comp}_{\textsc {dt}} ^c$, parametrized with a slack parameter $c\ge 0$, that receives as input the protocol $\pi $ and distributions $D_1,\ldots ,D_m$ over traces and replaces every call to a CSF

$\mathcal {F}_{\textsc {}} {}_i$ with a call to the wrapped CSF $\mathcal {W}_{\text {sl-strict}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)$. We denote the output of the compiler by $\pi ' = \mathsf {Comp}_{\textsc {dt}} ^c(\pi ,D_1,\ldots ,D_m)$.^{Footnote 23}

As shown below, $\pi '$ realizes $\mathcal {W}_{\text {sl-strict}} ^{{D^{\mathsf {full}}},c}(\mathcal {F}_{\textsc {}})$, for a suitably adapted distribution ${D^{\mathsf {full}}}$, assuming all parties start within $c+1$ consecutive rounds. Consequently, the compiled protocol $\pi '$ can handle a slack of up to c rounds while using hybrids that are realizable themselves.

Calling the wrapped CSFs instead of the CSFs $(\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)$ affects the trace corresponding to $\mathcal {F}_{\textsc {}} $. The new trace ${D^{\mathsf {full}}}= \mathsf {full}\text {-}\mathsf {trace}(D,D_1,\ldots ,D_m)$ is obtained as follows:

1.
Sample a trace $T \leftarrow D$, which is a depth-1 tree with a root label $\mathcal {W}_{\mathrm {strict}} ^{D} (\mathcal {F}_{\textsc {}})$ and leaves from the set $\{\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m\}$.
2.
Construct a new trace $T '$ with a root label $\mathcal {W}_{\mathrm {strict}} ^{{D^{\mathsf {full}}}} (\mathcal {F}_{\textsc {}})$.
3.
For each leaf node $\mathcal {F}_{\textsc {}} ' = \mathcal {F}_{\textsc {}} {}_i$, for some $i\in [m]$, sample a trace $T _i \leftarrow D_i$ and append the trace $T _i$ to the first layer in $T '$ (i.e., replace the node $\mathcal {F}_{\textsc {}} {}'$ with $T _i$).
4.
Output the resulting trace $T '$.

The following theorem states that the compiled protocol $\pi '$ UC-realizes the wrapped functionality $\mathcal {W}_{\text {sl-strict}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})$.

Theorem 4.2

Let $\mathcal {F}_{\textsc {}}, \mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m$ be canonical synchronous functionalities, let $t<n/3$, and let $\pi $ an SNF protocol that UC-realizes $\mathcal {W}_{\mathrm {strict}} ^D(\mathcal {F}_{\textsc {}})$ with perfect security in the $(\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)$-hybrid model, for some depth-1 distribution D, in the presence of adaptive, malicious t-adversary, and assuming that all honest parties receive their inputs at the same round. Let $D_1,\ldots ,D_m$ be arbitrary distributions over traces, ${D^{\mathsf {full}}}= \mathsf {full}\text {-}\mathsf {trace}(D,D_1,\ldots ,D_m)$, and $c\ge 0$.

Then, the compiled protocol $\pi '=\mathsf {Comp}_{\textsc {dt}} ^c(\pi ,D_1,\ldots ,D_m)$ UC-realizes $\mathcal {W}_{\text {sl-strict}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})$ with perfect security in the $(\mathcal {W}_{\text {sl-strict}} ^{D_1,c}(\mathcal {F}_{\textsc {}} {}_1),\ldots ,\mathcal {W}_{\text {sl-strict}} ^{D_m,c}(\mathcal {F}_{\textsc {}} {}_m))$-hybrid model, in the presence of adaptive, malicious t-adversary, assuming that all honest parties receive their inputs within $c+1$ consecutive rounds.

The expected round complexity of the compiled protocol $\pi '$ is

$$\begin{aligned} B_{c} \cdot \sum _{i\in [m]} d_i \cdot E[c_{\mathsf {tr}} (T _i)], \end{aligned}$$

where $d_i$ is the expected number of calls in $\pi $ to hybrid $\mathcal {F}_{\textsc {}} {}_i$, $T _i$ is a trace sampled from $D_i$, and $B_{c} = 3c+1$ is the blowup factor.

The proof of Theorem 4.2 can be found in “Appendix C.1”.

4.2 Composition with Probabilistic Termination

The composition theorem in Sect. 4.1 does not work if the protocol $\pi $ itself introduces slack (e.g., the fast broadcast protocol by Feldman and Micali [28]) or if one of the hybrids needs to be replaced by a slack-introducing protocol (e.g., instantiating the broadcast hybrids with fast broadcast protocols in BGW [6]).

As in Sect. 4.1, we start by adjusting the flexible wrapper (cf. Sect. 3.2) to be slack-tolerant. In addition, the slack-tolerant flexible wrapper ensures that all parties will obtain their outputs within two consecutive rounds. Then, we show how to compile an SNF protocol $\pi $ realizing a CSF $\mathcal {F}_{\textsc {}} $, wrapped with the flexible wrapper, into a (non-SNF) protocol $\pi '$ realizing a version of $\mathcal {F}_{\textsc {}} $ wrapped with slack-tolerant flexible wrapper. The case where $\pi $ implements a strictly wrapped CSF, but some of the hybrids are wrapped with the slack-tolerant flexible wrapper follows along similar lines.

Slack-Tolerant Flexible Wrapper. The slack-tolerant flexible wrapper$\mathcal {W}_{\text {sl-flex}} ^{D,c}$, formally defined in Fig. 7, is parametrized by an integer $c\ge 0$, which denotes the amount of slack tolerance that is added, and a distribution D over traces. The wrapper $\mathcal {W}_{\text {sl-flex}} $ is similar to $\mathcal {W}_{\mathrm {flex}} $ but allows parties to provide input within a window of $2c+1$ rounds and ensures that all honest parties will receive their output within two consecutive rounds. The wrapper essentially increases the termination round to

$$\begin{aligned} \rho _\mathsf {term}= B_{c} \cdot c_{\mathsf {tr}} (T) + 2 \cdot {\mathsf {flex_{tr}}} (T) + c, \end{aligned}$$

where the blowup factor $B_{c}$ is as explained in Sect. 4.1, and the additional factor of 2 results from the termination protocol described below for every flexibly wrapped CSF, which increases the round complexity by at most two additional rounds (recall that ${\mathsf {flex_{tr}}} (T)$ denotes the number of such CSFs), and c is due to the potential slack. $\mathcal {W}_{\text {sl-flex}} $ allows the adversary to deliver output at any round prior to $\rho _\mathsf {term}$ but ensures that all parties obtain output with a slack of at most one round. Moreover, it allows the adversary to obtain the output using the $(\texttt {get-output},\mathsf {sid})$ command, which is necessary in order to simulate the termination protocol.

Probabilistic Termination Compiler. Let $\mathcal {F}_{\textsc {}}, \mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m$ be canonical synchronous functionalities, and let $\pi $ be an SNF protocol that UC-realizes the flexibly wrapped functionality $\mathcal {W}_{\mathrm {flex}} ^D(\mathcal {F}_{\textsc {}})$ in the $(\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)$-hybrid model, for some depth-1 distribution D, assuming all parties start at the same round. Define the following compiler $\mathsf {Comp}_{\textsc {ptr}} ^c$, parametrized by a slack parameter $c\ge 0$. The compiler receives as input the protocol $\pi $, distributions $D_1,\ldots ,D_m$ over traces, and a subset $I\subseteq [m]$ indexing which CSFs $\mathcal {F}_{\textsc {}} {}_i$ are to be wrapped with $\mathcal {W}_{\text {sl-flex}} $ and which with $\mathcal {W}_{\text {sl-strict}} $; every call in $\pi $ to a CSF $\mathcal {F}_{\textsc {}} {}_i$ is replaced with a call to the wrapped CSF $\mathcal {W}_{\text {sl-flex}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)$ if $i\in I$ or to $\mathcal {W}_{\text {sl-strict}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)$ if $i\notin I$.

In addition, the compiler adds the following termination procedure, based on an approach originally suggested by Bracha [7], which ensures all honest parties will terminate within two consecutive rounds:

As soon as a party is ready to output a value y (according to the prescribed protocol) or upon receiving at least $t+1$ messages $(\texttt {end},\mathsf {sid},y)$ for the same value y (whichever happens first), it sends $(\texttt {end},\mathsf {sid},y)$ to all parties.
Upon receiving $n-t$ messages $(\texttt {end},\mathsf {sid},y)$ for the same value y, a party outputs y as the result of the computation and halts.

Observe that this technique only works for public output functionalities, and therefore, only CSFs with public output can be wrapped by $\mathcal {W}_{\text {sl-flex}} $. We denote the output of the compiler by $\pi ' = \mathsf {Comp}_{\textsc {ptr}} ^c(\pi ,D_1,\ldots ,D_m,I)$.

The following theorem states that the compiled protocol $\pi '$ UC-realizes the wrapped functionality $\mathcal {W}_{\text {sl-flex}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})$, for the adapted distribution ${D^{\mathsf {full}}}=\mathsf {full}\text {-}\mathsf {trace}(D,D_1,\ldots ,D_m)$. Consequently, the compiled protocol $\pi '$ can handle a slack of up to c rounds, while using hybrids that are realizable themselves, and ensuring that the output slack is at most one round (as opposed to $\pi $). Calling the wrapped hybrids instead of the CSFs affects the trace corresponding to $\mathcal {F}_{\textsc {}} $ in exactly the same way as in the case with deterministic termination (cf. Sect. 4.1).^{Footnote 24}

Theorem 4.3

Let $\mathcal {F}_{\textsc {}}, \mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m$ be canonical synchronous functionalities, let $t<n/3$, and let $\pi $ an SNF protocol that UC-realizes $\mathcal {W}_{\mathrm {flex}} ^D(\mathcal {F}_{\textsc {}})$ with perfect security in the $(\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)$-hybrid model, for some depth-1 distribution D, in the presence of adaptive, malicious t-adversary, and assuming that all honest parties receive their inputs at the same round. Let $I\subseteq [m]$ be the subset (of indices) of functionalities to be wrapped using the flexible wrapper, let $D_1,\ldots ,D_m$ be arbitrary distributions over traces, denote ${D^{\mathsf {full}}}= \mathsf {full}\text {-}\mathsf {trace}(D,D_1,\ldots ,D_m)$ and let $c\ge 0$. Assume that $\mathcal {F}_{\textsc {}} $ and $\mathcal {F}_{\textsc {}} {}_i$, for every $i\in I$, are public output functionalities.

Then, the compiled protocol $\pi '=\mathsf {Comp}_{\textsc {ptr}} ^c(\pi ,D_1,\ldots ,D_m,I)$ UC-realizes $\mathcal {W}_{\text {sl-flex}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})$ with perfect security in the $(\mathcal {W} (\mathcal {F}_{\textsc {}} {}_1),\ldots ,\mathcal {W} (\mathcal {F}_{\textsc {}} {}_m))$-hybrid model, where $\mathcal {W} (\mathcal {F}_{\textsc {}} {}_i)=\mathcal {W}_{\text {sl-flex}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)$ if $i\in I$ and $\mathcal {W} (\mathcal {F}_{\textsc {}} {}_i)=\mathcal {W}_{\text {sl-strict}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)$ if $i\notin I$, in the presence of adaptive, malicious t-adversary, assuming that all honest parties receive their inputs within $c+1$ consecutive rounds.

The expected round complexity of the compiled protocol $\pi '$ is

$$\begin{aligned} B_{c} \cdot \sum _{i\in [m]} d_i \cdot E[c_{\mathsf {tr}} (T _i)] + 2 \cdot \sum _{i\in [m]} d_i \cdot E[{\mathsf {flex_{tr}}} (T _i)] + 2, \end{aligned}$$

where $d_i$ is the expected number of calls in $\pi $ to hybrid $\mathcal {F}_{\textsc {}} {}_i$, $T _i$ is a trace sampled from $D_i$, and $B_{c} = 3c+1$ is the blowup factor.

The proof of Theorem 4.3 can be found in “Appendix C.2”.

Consider now the scenario where an SNF protocol $\pi $ realizes a strictly wrapped functionality, yet some of the CSF hybrids are to be wrapped by flexible wrappers. The corresponding compiler $\mathsf {Comp}_{\textsc {pt}} $ works as $\mathsf {Comp}_{\textsc {ptr}} $ with the exception that the slack reduction protocol is not performed at the end. The proof of the following theorem follows that of Theorem 4.3.

Theorem 4.4

Let $\mathcal {F}_{\textsc {}}, \mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m$ be canonical synchronous functionalities, let $t<n/3$, and let $\pi $ an SNF protocol that UC-realizes $\mathcal {W}_{\mathrm {strict}} ^D(\mathcal {F}_{\textsc {}})$ with perfect security in the $(\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)$-hybrid model, for some depth-1 distribution D, in the presence of an adaptive, malicious t-adversary, and assuming that all honest parties receive their inputs at the same round. Let $I\subseteq [m]$ be the subset (of indices) of functionalities to be wrapped using the flexible wrapper, let $D_1,\ldots ,D_m$ be arbitrary distributions over traces, denote ${D^{\mathsf {full}}}= \mathsf {full}\text {-}\mathsf {trace}(D,D_1,\ldots ,D_m)$ and let $c\ge 0$. Assume that $\mathcal {F}_{\textsc {}} {}$ and $\mathcal {F}_{\textsc {}} {}_i$, for every $i\in I$, are public output functionalities.

Then, the compiled protocol $\pi '=\mathsf {Comp}_{\textsc {pt}} ^c(\pi ,D_1,\ldots ,D_m,I)$ UC-realizes $\mathcal {W}_{\text {sl-flex}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})$ with perfect security in the $(\mathcal {W} (\mathcal {F}_{\textsc {}} {}_1),\ldots ,\mathcal {W} (\mathcal {F}_{\textsc {}} {}_m))$-hybrid model, where $\mathcal {W} (\mathcal {F}_{\textsc {}} {}_i)=\mathcal {W}_{\text {sl-flex}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)$ if $i\in I$ and $\mathcal {W} (\mathcal {F}_{\textsc {}} {}_i)=\mathcal {W}_{\text {sl-strict}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)$ if $i\notin I$, in the presence of an adaptive, malicious t-adversary, assuming that all honest parties receive their inputs within $c+1$ consecutive rounds.

The expected round complexity of the compiled protocol $\pi '$ is

$$\begin{aligned} B_{c} \cdot \sum _{i\in [m]} d_i \cdot E[c_{\mathsf {tr}} (T _i)] + 2 \cdot \sum _{i\in [m]} d_i \cdot E[{\mathsf {flex_{tr}}} (T _i)], \end{aligned}$$

where $d_i$ is the expected number of calls in $\pi $ to hybrid $\mathcal {F}_{\textsc {}} {}_i$, $T _i$ is a trace sampled from $D_i$, and $B_{c} = 3c+1$ is the blowup factor.

4.3 Wrapping Secure Channels

The basis of the top-down, inductive approach taken in this work consists of providing protocols realizing wrapped atomic functionalities, using merely secure channels, i.e., $\mathcal {F}_{\textsc {smt}} $. Due to the restrictions to SNF protocols, which may only call a single CSF hybrid in any given round, a parallel variant $\mathcal {F}_{\textsc {psmt}} $ of $\mathcal {F}_{\textsc {smt}} $ (defined below) is used as an atomic functionality. This ensures that in SNF protocols parties can securely send messages to each other simultaneously.

Parallel SMT. The parallel secure message transmission functionality$\mathcal {F}_{\textsc {psmt}} $ is a CSF for the following functions $f_{\tiny {\textsc {psmt}}} $ and $l_{\tiny {\textsc {psmt}}} $. Each party $P _i$ has a vector of input values $(x^i_1,\ldots ,x^i_n)$ such that $x^i_j$ is sent from $P _i$ to $P _j$. That is, the function to compute is $f_{\tiny {\textsc {psmt}}} ((x^1_1,\ldots ,x^1_n),\ldots ,(x^n_1,\ldots ,x^n_n),a) = ((x^1_1,\ldots ,x^n_1),\ldots ,(x^1_n,\ldots ,x^n_n))$. As we consider rushing adversaries, which can determine the messages sent by the corrupted parties after receiving the messages sent by the honest parties, the leakage function should leak the messages that are to be delivered from honest parties to corrupted parties. Therefore, the leakage function is $l_{\tiny {\textsc {psmt}}} ((x^1_1,\ldots ,x^1_n),\ldots ,(x^n_1,\ldots ,x^n_n))=(y^1_1,y^1_2, \ldots , y^n_{n-1}, y^n_n)$, where $y^i_j=|x^i_j|$ in case $P _j$ is honest and $y^i_j=x^i_j$ in case $P _j$ is corrupted.

Realizing Wrapped Parallel SMT. The remainder of this section deals with securely realizing $\mathcal {W}_{\text {sl-strict}} ^{D,c}(\mathcal {F}_{\textsc {psmt}})$ in the $\mathcal {F}_{\textsc {smt}} $-hybrid model, for a particular distribution D and an arbitrary nonnegative integer c. Note that the corresponding protocol ${\pi _{\textsc {psmt}}} $ is not an SNF protocol since it makes $n^2$ parallel calls to $\mathcal {F}_{\textsc {smt}} $ in each round; this is of no concern since it directly realizes a wrapped functionality and therefore need not be compiled. There is a straightforward (non-SNF) protocol realizing $\mathcal {F}_{\textsc {psmt}} $ in the $\mathcal {F}_{\textsc {smt}} $-hybrid model, and therefore (due to the UC composition theorem) it suffices to describe protocol ${\pi _{\textsc {psmt}}} $ in the $\mathcal {F}_{\textsc {psmt}} $-hybrid model.

A standard solution to overcome asynchrony by a constant number of rounds $c \ge 0$, introduced by Lindell et al. [48] and used by Katz and Koo [40], is to expand each communication round to $2c+1$ rounds. Each party listens for messages throughout all $2c+1$ rounds and sends its own messages in round $c+1$. It is straightforward to verify that if the slack is c, i.e., the parties start within $c+1$ rounds from each other, round r-messages (in the original protocol, without round expansion) are sent, and delivered, before round $(r+1)$-messages and after round $(r-1)$-messages.

The solution described above does not immediately apply to our case, due to the nature of canonical synchronous functionalities. Recall that in a CSF the adversary can send an $\texttt {adv-input} $ message (and affect the output) only before any honest party has received an output from the functionality. If only $2c+1$ rounds are used a subtle problem arises: Assume for simplicity that $c=1$ and say that $P _1$ is a fast party and $P _2$ is a slow party. Initially, $P _1$ listens for one round. In the second round $P _2$ listens and $P _1$ send its messages to all the parties. In the third round $P _2$ sends its messages and $P _1$ receives its message, produces output, and completes the round. Now, $P _2$ listens for an additional round, and the adversary can send it messages on behalf of corrupted parties. In other words, the adversary can choose the value for $P _2$’s output after$P _1$ has received its output—such a phenomena cannot be modeled using CSFs. For this reason we add an additional round where each party is idle; if $P _1$ waits one more round (without listening) before it produces its output, then $P _2$ will receive all the messages that determine its output, and so once $P _1$ produces output and completes, the adversary cannot affect the output of $P _2$.

As a result, in the protocol presented in Fig. 8, each round is expanded to $3c+1$ rounds, where during the final c rounds, parties are simply idle and ignore any messages they receive.

Denote by $D_{\textsc {psmt}} $ the deterministic distribution that outputs a depth-1 trace consisting of a root $\mathcal {W}_{\mathrm {strict}} ^{D_{\textsc {psmt}}}(\mathcal {F}_{\textsc {psmt}})$ and $3c+1$ leaves $\mathcal {F}_{\textsc {psmt}} $.

Lemma 4.5

Let $c\ge 0$ and $t<n/3$. Protocol ${\pi _{\textsc {psmt}}} $ UC-realizes $\mathcal {W}_{\text {sl-strict}} ^{D_{\textsc {psmt}},c}(\mathcal {F}_{\textsc {psmt}})$ with perfect security in the $\mathcal {F}_{\textsc {psmt}} $-hybrid model, in the presence of an adaptive, malicious t-adversary, assuming that all honest parties receive their inputs within $c+1$ consecutive rounds.

Proof

For simplicity, denote by $\mathcal {W} (\mathcal {F}_{\textsc {psmt}})$ the wrapped functionality $\mathcal {W}_{\text {sl-strict}} ^{D_{\textsc {psmt}},c}(\mathcal {F}_{\textsc {psmt}})$. Let $\mathcal {Z} $ be an environment. We construct the following simulator $\mathcal {S} $ running with $\mathcal {W} (\mathcal {F}_{\textsc {psmt}})$ and $\mathcal {Z} $, simulating the dummy adversary.^{Footnote 25} The main idea is to simulate each of the $3c+1$ instances of $\mathcal {F}_{\textsc {psmt}} $ ro $\mathcal {Z} $. Initially, $\mathcal {S} $ receives the message $(\texttt {trace},\mathsf {sid},T)$, where $T $ is a depth-1 trace consisting of $3c+1$ leaves $\mathcal {F}_{\textsc {psmt}} $. Next, $\mathcal {S} $ simulates $3c + 1$ sequential instances of $\mathcal {F}_{\textsc {psmt}} $, by interacting with $\mathcal {Z} $ and $\mathcal {W} (\mathcal {F}_{\textsc {psmt}})$. In the first $2c+1$ instances of $\mathcal {F}_{\textsc {psmt}} $, the simulator $\mathcal {S} $ proceeds as follows for every instance of $\mathcal {F}_{\textsc {psmt}} $:

In the first (“input”) round of this $\mathcal {F}_{\textsc {psmt}} $ instance, upon receiving an input message $(\texttt {input},\mathsf {sid},x_i)$ from $\mathcal {Z} $, where $x_i\ne \bot $ is a vector of messages to be sent by a corrupted $P _i$, the simulator $\mathcal {S} $ forwards the message to $\mathcal {W} (\mathcal {F}_{\textsc {psmt}})$.
If $\mathcal {S} $ receives a leakage message $(\texttt {leakage},\mathsf {sid},P _i,l_i)$ from $\mathcal {W} (\mathcal {F}_{\textsc {psmt}})$, where $l_i$ is a length-n vector, consisting of the messages sent by some honest party $P _i$ to each corrupted party (and the length of messages $P _i$ sends to honest parties), $\mathcal {S} $ forwards the message to $\mathcal {Z} $. If no leakage message arrived during this round, $\mathcal {S} $ sends the message $(\texttt {leakage},\mathsf {sid},P _i,\bot )$ to $\mathcal {Z} $, on behalf of every party.
In the second (“output”) round of this $\mathcal {F}_{\textsc {psmt}} $ instance, $\mathcal {S} $ sends $(\texttt {output},\mathsf {sid},y_i)$ to $\mathcal {Z} $ for every corrupted $P _i$, where $y_i$ is a vector consisting of the messages sent to $P _i$ in the “input” round (if some party did not send a message to $P _i$ the value $\lambda $ is used).

In the last c instances of $\mathcal {F}_{\textsc {psmt}} $, the simulator $\mathcal {S} $ does not forward the input messages from $\mathcal {Z} $ to $\mathcal {W} (\mathcal {F}_{\textsc {psmt}})$, and outputs $(\texttt {output},\mathsf {sid},\lambda )$ for every corrupted party.

Since the view of every party in the protocol ${\pi _{\textsc {psmt}}} $ is simply the messages sent and received to fpsmt, and no random coins are used, upon a corruption request of a party $P _i$, the simulator simply hands the internal state of $P _i$ to $\mathcal {Z} $, and resumes the simulation as above.

By inspection, it can be seen that the view of $\mathcal {Z} $ is identically distributed when interacting with $\mathcal {S} $ in an ideal computation of $\mathcal {W} (\mathcal {F}_{\textsc {psmt}})$, or when interacting with the dummy adversary in an execution of ${\pi _{\textsc {psmt}}} $. $\square $

The corollary follows since $\mathcal {F}_{\textsc {psmt}} $ can be realized in the $\mathcal {F}_{\textsc {smt}} $-hybrid model in a straightforward way, by calling $\mathcal {F}_{\textsc {smt}} $ in parallel $n^2$ times.

Corollary 4.6

Let $c\ge 0$ and $t<n/3$. The functionality $\mathcal {W}_{\text {sl-strict}} ^{D_{\textsc {psmt}},c}(\mathcal {F}_{\textsc {psmt}})$ can be UC-realized with perfect security in the $\mathcal {F}_{\textsc {smt}} $-hybrid model, in the presence of an adaptive, malicious t-adversary, assuming that all honest parties receive their inputs within $c+1$ consecutive rounds.

5 Applications of Our Fast Composition Theorem

In this section, we demonstrate the power of our framework by providing some concrete applications. All of the protocols we present in this section enjoy perfect security facing adaptive adversaries corrupting less than a third of the parties. We start in Sect. 5.1 by presenting expected constant round protocols for Byzantine agreement. Next, in Sect. 5.2 we present an expected constant round protocol for parallel broadcast. Finally, in Sect. 5.3 we present a secure function evaluation protocol whose round complexity is O(d) in expectation, where d is the depth of the circuit representing the function.

5.1 Fast and Perfectly Secure Byzantine Agreement

We start by describing the binary and multi-valued randomized Byzantine agreement protocols (the definition of $\mathcal {F}_{\textsc {ba}} $ appears in Sect. 3.1). These protocols are based on techniques due to Feldman and Micali [28] (which are in turn based on Ben-Or [4] and Rabin [53]) and Turpin and Coan [55], with modifications to work in the UC framework. We provide simulation-based proofs for these protocols.

A Binary Byzantine Agreement Protocol. We now describe a UC protocol for randomized binary Byzantine agreement, which is based on the protocol of Feldman and Micali [28]. For simplicity, we work in a hybrid model, where parties have access to the oblivious common coin functionality; we first present this functionality as a canonical synchronous functionality.

Oblivious Common Coin. In the oblivious common coin ideal functionality (introduced in [28]) every honest party $P _i$ outputs a bit $y_i\in \{0,1\}$ such that the following holds: With probability $p>0$ all honest parties will agree on a uniformly distributed bit, and with probability $1-p$ the output for each honest party is determined by the adversary. The meaning of obliviousness here is that the parties are unaware of whether agreement on the coin is achieved or not.

In more detail, each honest party $P _i$ sends an empty string $x_i=\lambda $ as input, and the leakage function is $l_{\tiny {\textsc {oc}}} (x_1,\ldots ,x_n)=\bot $. The function to compute, $f_{\tiny {\textsc {oc}}} (x_1,\ldots ,x_n,a)=(y_1,\ldots ,y_n)$, is parametrized by an efficiently sampleable distribution D over $\{0,1\}$ that outputs 1 with probability p and 0 with probability $1-p$, and works as follows:

Initially, sample a “fairness bit” $b \leftarrow D$.
If $b=1$ or if $a=\bot $ (i.e., if the adversary did not send an $\texttt {adv-input} $ message) sample a uniformly distributed bit $y\leftarrow \{0,1\}$ and set $y_i \leftarrow y$ for every $i\in [n]$.
If $b=0$ and $a\ne \bot $, parse the adversarial input a as a vector of n values $(a_1,\ldots , a_n)$, and set $y_i \leftarrow a_i$ for every $i\in [n]$.

We denote by $\mathcal {F}_{\textsc {oc}} $ the CSF functionality parametrized with the above functions $f_{\tiny {\textsc {oc}}} $ and $l_{\tiny {\textsc {oc}}} $. Feldman and Micali [28, Thm. 3] showed a constant round oblivious common coin protocol for $p=0.35$. Denote by $D_{\textsc {oc}} $ the deterministic distribution that outputs a depth-1 trace consisting of a root $\mathcal {W}_{\mathrm {strict}} ^{D_{\textsc {oc}}}(\mathcal {F}_{\textsc {oc}})$ and 32 leaves $\mathcal {F}_{\textsc {psmt}} $.

Theorem 5.1

([28]). Let $t<n/3$, then, assuming all honest parties receive their inputs at the same round, $\mathcal {W}_{\mathrm {strict}} ^{D_{\textsc {oc}}}(\mathcal {F}_{\textsc {oc}})$ can be UC-realized in the $\mathcal {F}_{\textsc {psmt}} $-hybrid model, with perfect security, in the presence of an adaptive malicious t-adversary.

Overview of the Protocol. The binary BA functionality, realized by the protocol, is the wrapped functionality $\mathcal {W}_{\mathrm {flex}} ^{D_{\textsc {rba}}}(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})$ (the distribution $D_{\textsc {rba}} $ is formally defined in Lemma 5.2), denoted $\mathcal {F}_{\textsc {rba}} $ for short. The protocol ${\pi _{\textsc {rba}}} $, described in Fig. 9, is based on the protocol from [28] modified using the “best-of-both-worlds” technique due to Goldreich and Petrank [34]. Recall that following Sect. 4, it is sufficient to describe the protocol using CSFs as hybrids rather than wrapped CSFs (even though such a description might be overly ideal, and cannot be instantiated in the real world), and the same level of security is automatically achieved in a compiled protocol (that can be instantiated) where the underlying CSFs are properly wrapped. Therefore, the protocol is defined in the $(\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {oc}},\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})$-hybrid model.

At first sight, it may seem odd that the binary Byzantine agreement functionality $\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}$ is used in order to implement the randomized binary Byzantine agreement functionality $\mathcal {F}_{\textsc {rba}} $. However, the functionality $\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}$ will only be invoked in the event (which occurs with a negligible probability) that the protocol does not terminate within a poly-log number of rounds. Once the protocol is compiled, the CSF functionality $\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}$ will be wrapped using a strict wrapper, such that the wrapped functionality $\mathcal {W}_{\mathrm {strict}} (\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})$ can be instantiated using any linear round deterministic Byzantine agreement protocol (e.g., the protocol in [37]).

At a high level, protocol ${\pi _{\textsc {rba}}} $ proceeds as follows. Initially, each party sends its input to all other parties over a point-to-pint channel using $\mathcal {F}_{\textsc {psmt}} $, and sets its vote to be its input bit. Next, the parties proceed in phases, where each phase consists of invoking the functionality $\mathcal {F}_{\textsc {oc}} $ followed by a voting process consisting of three rounds of sending messages via $\mathcal {F}_{\textsc {psmt}} $. The voting ensures that (1) if all honest parties agree on their votes at the beginning of the phase, they will terminate at the end of the phase, (2) in each phase, all honest parties will agree on their votes at the end of each phase with probability at least p, and (3) if an honest party terminates in some phase then all honest parties will terminate with the same value by the end of the next phase. In the negligible event that the parties do not terminate after $\tau =\log ^{1.5}(\kappa )+1$ phases (where $\kappa $ denotes the security parameter), the parties use the Byzantine agreement functionality $\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}$ in order to ensure termination. To avoid confusion in ${\pi _{\textsc {rba}}} $ between the different calls to $\mathcal {F}_{\textsc {oc}} $, the $\alpha $’th invocation will use the session identifier $\mathsf {sid} _\alpha =\mathsf {sid} \circ \alpha $, obtained by concatenating $\alpha $ to $\mathsf {sid} $.

Denote by $D_{\textsc {rba}} $ the distribution that outputs a depth-1 trace, where the root is $\mathcal {W}_{\mathrm {flex}} ^{D_{\textsc {rba}}}(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})$, and the leaves are set as follows: Initially sample an integer r from the geometric distribution with parameter $p=0.35$ and support $\{1\ldots , \tau +1\}$ (representing the phase where $\mathcal {F}_{\textsc {oc}} $ samples a fairness bit 1, plus the option that $\mathcal {F}_{\textsc {oc}} $ samples 0 in all $\tau $ phases). The first leaf in the trace is $\mathcal {F}_{\textsc {psmt}} $, followed by $\min (r,\tau )$ sequences of $(\mathcal {F}_{\textsc {oc}},\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {psmt}})$. Finally, if $r\ge \tau $ add the leaf $\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}$ to the trace. In “Appendix D.1” we prove the following lemma.

Lemma 5.2

Let $t<n/3$, then, assuming all honest parties receive their inputs at the same round, protocol ${\pi _{\textsc {rba}}} $ UC-realizes $\mathcal {F}_{\textsc {rba}} =\mathcal {W}_{\mathrm {flex}} ^{D_{\textsc {rba}}}(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})$, in the $(\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {oc}}, \mathcal {F}_{\textsc {ba}} ^{\{0,1\}})$-hybrid model, with perfect security, in the presence of an adaptive malicious t-adversary.

We now use Theorem 4.3 to derive the main result of this section.

Theorem 5.3

Let $c\ge 0$ and $t<n/3$. There exists an efficiently sampleable distribution D such that the functionality $\mathcal {W}_{\text {sl-flex}} ^{D,c}(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})$ has an expected constant round complexity and can be UC-realized in the $\mathcal {F}_{\textsc {smt}} $-hybrid model, with perfect security, in the presence of an adaptive malicious t-adversary, assuming that all honest parties receive their inputs within $c+1$ consecutive rounds.

Proof

(sketch). Denote by $D_{\textsc {ba}} $ the deterministic distribution that outputs a depth-1 trace consisting of a root $\mathcal {W}_{\mathrm {strict}} ^{D_{\textsc {ba}}}(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})$ and $t+1$ leaves $\mathcal {F}_{\textsc {psmt}} $. Let $D^{\mathsf {full}}_{\textsc {rba}} =\mathsf {full}\text {-}\mathsf {trace}(D_{\textsc {rba}},D_{\textsc {oc}},D_{\textsc {psmt}},D_{\textsc {ba}})$.

For simplicity, denote $\mathcal {F}_{\textsc {ba}} ^{\textsc {pt}}=\mathcal {W}_{\text {sl-flex}} ^{D^{\mathsf {full}}_{\textsc {rba}},c}(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})$, $\mathcal {F}_{\textsc {psmt}} ^{\textsc {dt}}=\mathcal {W}_{\text {sl-strict}} ^{D_{\textsc {psmt}},c}(\mathcal {F}_{\textsc {psmt}})$, $\mathcal {F}_{\textsc {oc}} ^{\textsc {dt}}=\mathcal {W}_{\text {sl-strict}} ^{D_{\textsc {oc}},c}(\mathcal {F}_{\textsc {oc}})$ and $\mathcal {F}_{\textsc {ba}} ^{\textsc {dt}}=\mathcal {W}_{\text {sl-strict}} ^{D_{\textsc {ba}},c}(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})$. In addition, denote $D_1=D_{\textsc {psmt}} $, $D_2=D_{\textsc {oc}} $, $D_3=D_{\textsc {ba}} $ and $I=\emptyset $.

From Lemma 5.2, ${\pi _{\textsc {rba}}} $ UC-realizes $\mathcal {W}_{\mathrm {flex}} ^{D_{\textsc {rba}}}(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})$, in the $(\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {oc}}, \mathcal {F}_{\textsc {ba}} ^{\{0,1\}})$-hybrid model, in an expected constant number of rounds, assuming all parties receive their inputs at the same round. Following Theorem 4.3, the compiled protocol $\mathsf {Comp}_{\textsc {ptr}} ^c({\pi _{\textsc {rba}}},D_1,D_2,D_3,I)$ UC-realizes $\mathcal {F}_{\textsc {ba}} ^{\textsc {pt}}$, in the $(\mathcal {F}_{\textsc {psmt}} ^{\textsc {dt}},\mathcal {F}_{\textsc {oc}} ^{\textsc {dt}}, \mathcal {F}_{\textsc {ba}} ^{\textsc {dt}})$-hybrid model, in an expected constant number of rounds, assuming all parties receive their inputs within $c+1$ consecutive rounds.

The proof follows since each of the functionalities $(\mathcal {F}_{\textsc {psmt}} ^{\textsc {dt}},\mathcal {F}_{\textsc {oc}} ^{\textsc {dt}}, \mathcal {F}_{\textsc {ba}} ^{\textsc {dt}})$ can be UC-realized in the $\mathcal {F}_{\textsc {smt}} $-hybrid model. This follows from Lemma 4.5, Theorem 5.1, and the protocol from [37]. $\square $

Multi-valued Byzantine Agreement Protocol. In “Appendix D.1” we present an analogue of the multi-valued Byzantine agreement protocol due to Turpin and Coan [55] for the UC framework and prove the following.

Theorem 5.4

Let $c\ge 0$, $t<n/3$ and $V\subseteq \{0,1\}^*$. There exists an efficiently sampleable distribution D such that the functionality $\mathcal {W}_{\text {sl-flex}} ^{D,c}(\mathcal {F}_{\textsc {ba}} ^V)$ has an expected constant round complexity and can be UC-realized in the $\mathcal {F}_{\textsc {smt}} $-hybrid model, with perfect security, in the presence of an adaptive malicious t-adversary, assuming that all honest parties receive their inputs within $c+1$ consecutive rounds.

5.2 Fast and Perfectly Secure Parallel Broadcast

As discussed in Sect. 1 (and “Appendix A”), composing protocols with probabilistic termination naïvely does not retain expected round complexity. Ben-Or and El-Yaniv [5] constructed an elegant protocol for probabilistic termination parallel broadcast^{Footnote 26} with a constant round complexity in expectation, albeit under a property-based security definition. In this section, we adapt the [5] protocol to the UC framework and show that it does not realize the parallel broadcast functionality, but rather a weaker variant which we call unfair parallel broadcast. Next, we show how to use unfair parallel broadcast in order to compute (fair) parallel broadcast in constant excepted number of rounds.

In a standard broadcast functionality (cf. Sect. 3.1), the sender provides a message to the functionality which delivers it to the parties. Hirt and Zikas [37] defined the unfair version of the broadcast functionality, in which the functionality informs the adversary which message it received, and allows the adversary, based on this information, to corrupt the sender and replace the message. Following the spirit of [37], we now define the unfair parallel broadcast functionality, using the language of CSF.

Unfair Parallel Broadcast. In the unfair parallel broadcast functionality, each party $P _i$ with input $x_i$ distributes its input to all the parties. The adversary is allowed to learn the content of each input value from the leakage function (and so it can corrupt parties and change their messages prior to their distribution, based on this information). The function to compute is $f_{\tiny {\textsc {upbc}}} (x_1,\ldots ,x_n,a)=((x_1,\ldots ,x_n),\ldots ,(x_1,\ldots ,x_n))$, and the leakage function is $l_{\tiny {\textsc {upbc}}} (x_1,\ldots ,x_n)=(x_1,\ldots ,x_n)$. We denote by $\mathcal {F}_{\textsc {upbc}} $ the functionality $\mathcal {F}_{\textsc {csf}} $ when parametrized with the above functions $f_{\tiny {\textsc {upbc}}} $ and $l_{\tiny {\textsc {upbc}}} $.

In “Appendix D.2.1”, we present an adaptation of the [5] protocol, show that it perfectly UC-realizes (a wrapped version of) $\mathcal {F}_{\textsc {upbc}} $ (see Fig. 12), and prove the following result.

Theorem 5.5

Let $c\ge 0$ and $t<n/3$. There exists an efficiently sampleable distribution D such that the functionality $\mathcal {W}_{\text {sl-flex}} ^{D,c}(\mathcal {F}_{\textsc {upbc}})$ has an expected constant round complexity and can be UC-realized in the $\mathcal {F}_{\textsc {smt}} $-hybrid model, with perfect security, in the presence of an adaptive malicious t-adversary, assuming that all honest parties receive their inputs within $c+1$ consecutive rounds.

We now turn to define the (fair) parallel broadcast functionality.

Parallel Broadcast. In the parallel broadcast functionality, each party $P _i$ with input $x_i$ distributes its input to all the parties. Unlike the unfair version, the adversary only learns the length of the honest parties’ messages before their distribution, i.e., the leakage function is $l_{\tiny {\textsc {pbc}}} (x_1,\ldots ,x_n)=(\left| x_1\right| ,\ldots ,\left| x_n\right| )$. It follows that the adversary cannot use the leaked information in a meaningful way when deciding which parties to corrupt. The function to compute is identical to the unfair version, i.e., $f_{\tiny {\textsc {pbc}}} (x_1,\ldots ,x_n,a)=((x_1,\ldots ,x_n),\ldots ,(x_1,\ldots ,x_n))$. We denote by $\mathcal {F}_{\textsc {pbc}} $ the functionality $\mathcal {F}_{\textsc {csf}} $ when parametrized with the above functions $f_{\tiny {\textsc {pbc}}} $ and $l_{\tiny {\textsc {pbc}}} $.

Unfortunately, the unfair parallel broadcast protocol ${\pi _{\textsc {upbc}}} $ (cf. Fig. 12) fails to realize (a wrapped version of) the standard parallel broadcast functionality $\mathcal {F}_{\textsc {pbc}} $. The reason is similar to the argument presented in [37]: In the first round of the protocol, each party distributes its input, and since we consider a rushing adversary, the adversary learns the messages before the honest parties do. It follows that the adversary can corrupt a party before the honest parties receive the message and replace the message to be delivered. This attack cannot be simulated in the ideal world where the parties interact with $\mathcal {F}_{\textsc {pbc}} $, since by the time the simulator learns the broadcast message in the ideal world, the functionality does not allow to change it.

Although protocol ${\pi _{\textsc {upbc}}} $ does not realize $\mathcal {F}_{\textsc {pbc}} $, it can be used in order to construct a protocol that does. Each party commits to its input value before any party learns any new information, as follows. Each party, in parallel, first secret shares its input using a $(t+1)$-out-of-n secret sharing protocol.^{Footnote 27} In the second step, every party, in parallel, broadcast a vector with all the shares he received, by the use of the above unfair parallel broadcast functionality $\mathcal {F}_{\textsc {upbc}} $, and each share is reconstructed based on the announced values. The reason this modification achieves fair broadcast is the following: If a sender $P _i$ is not corrupted until he distributes his shares, then a t-adversary has no way of modifying the reconstructed output of $P _i$’s input, since he can at most affect $t<n/3$ shares, which can be self-corrected by the reconstruction algorithm (e.g., using Shamir’s scheme). Thus, the only way the adversary can affect any of the broadcast messages is by corrupting the sender independently of his input, an attack which is easily simulated. In case a malicious sender generates shares that do not correspond to a degree t polynomial, all honest parties identify the misbehavior (since all shares are publicly transmitted over the unfair broadcast channel) and agree on a default value for the sender, e.g., zero. We describe this protocol, denoted ${\pi _{\textsc {pbc}}} $, in Fig. 10.

Theorem 5.6

Let $c\ge 0$ and $t < n/3$. There exists an efficiently sampleable distribution D such that the functionality $\mathcal {W}_{\text {sl-flex}} ^{D,c}(\mathcal {F}_{\textsc {pbc}})$ has an expected constant round complexity and can be UC-realized in the $\mathcal {F}_{\textsc {smt}} $-hybrid model, with perfect security, in the presence of an adaptive malicious t-adversary, assuming that all honest parties receive their inputs within $c+1$ consecutive rounds.

Proof

(sketch). The simulator uses the adversary attacking ${\pi _{\textsc {pbc}}} $ in a black-box straight-line manner. To simulate the first (secret sharing) round, for honest senders the simulator simply hands the adversary random shares for all corrupted parties and for corrupted senders he follows the adversary’s instructions. If during this step the adversary asks to corrupt new senders, the simulator learns their outputs and can easily complete the sharing to match this output. At the end of this phase, the simulator interacts with its hybrid until it produces output. Once this is the case, he uses this output to continue the simulation with its adversary. Clearly, for any sender $P _i$ who is not corrupted until he distributes his shares, then a t-adversary has no way of modifying the reconstructed output of $P _i$’s input, since he can at most affect $t<n/3$ shares (and Shamir’s scheme can correct up to n / 3 erroneous shares). Thus, the only way the adversary can affect any of the broadcasted message is by corrupting the sender independently of his input, an attack which is easily simulated. The fact that the running time is constant (expected) follows trivially from the fact that ${\pi _{\textsc {pbc}}} $ executes only one round (namely the sharing round) more than the unfair protocol which is expected constant round (cf. Theorem 5.5). $\square $

5.3 Fast and Perfectly Secure SFE

We conclude this section by showing how to construct a perfectly UC-secure SFE protocol which computes a given circuit in expected O(d) rounds, independently of the number of parties, in the point-to-point channels model. The protocol is obtained by taking the protocol from [6],^{Footnote 28} denoted $\pi _{\textsc {bgw}}$. This protocol relies on (parallel) broadcast and (parallel) point-to-point channels, and therefore it can be described in the $(\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {pbc}})$-hybrid model. It follows from Theorem 4.4, that the compiled protocol $\mathsf {Comp}_{\textsc {pt}} ^c(\pi _{\textsc {bgw}},D_1,D_2,I)$, for $D_1=D_{\textsc {psmt}} $, $D_2=D^{\mathsf {full}}_{\textsc {pbc}} $ and $I=\{2\}$, UC-realizes the corresponding wrapped functionality $\mathcal {W}_{\text {sl-flex}} ^{D,c}(\mathcal {F}_{\textsc {sfe}} )$ (for an appropriate distribution D), in the $(\mathcal {W}_{\text {sl-strict}} ^{D_{\textsc {psmt}},c}(\mathcal {F}_{\textsc {psmt}}),\mathcal {W}_{\text {sl-flex}} ^{D^{\mathsf {full}}_{\textsc {pbc}},c}(\mathcal {F}_{\textsc {pbc}}))$-hybrid model, resulting in the following.

Theorem 5.7

Let f be an n-party function, C an arithmetic circuit with multiplicative depth d computing f, $c\ge 0$ and $t < n/3$. Then there exists an efficiently sampleable distribution D such that the functionality $\mathcal {W}_{\text {sl-flex}} ^{D,c}(\mathcal {F}_{\textsc {sfe}} ^f)$ has round complexity O(d) in expectation and can be UC-realized in the $\mathcal {F}_{\textsc {smt}} $-hybrid model, with perfect security, in the presence of an adaptive malicious t-adversary, assuming that all honest parties receive their inputs within $c+1$ consecutive rounds.

Notes

More precisely, in the number of corruptions a protocol can tolerate, which is a constant fraction of n.
Throughout this work we will consider protocols in which all parties receive their output. If one relaxes this requirement (i.e., allows that some parties may not receive their outputs and give up on fairness), then the techniques of Goldwasser and Lindell [35] allow for replacing broadcast with a constant round multi-cast primitive. In fact, we note that even security with identifiable abort [38] cannot be achieved in general without the ability to compute broadcast [19, 20].
We remark that even though those protocols are for the computational setting, the lower bound on broadcast round complexity also applies.
Note that this includes even FHE-based protocols, as they also assume a broadcast channel and their security fails if multi-cast over point-to-point channels is used instead.
Essentially, the value of the coin can be adopted by the honest parties in case disagreement at any given round is detected, a process that is repeated multiple times.
Throughout this paper we use running time and round complexity interchangeably.
It should be noted, however, that in many of these protocols there is a known (constant) “slack” of c rounds, such that if a party terminates in round r, then it can be sure that every honest party will have terminated by round $r+c$.
As we discuss below, the protocol of Katz and Koo has an additional issue with adaptive security in the rushing adversary model, as defined in the UC framework, similar to the issue exploited in [37].
BA is a deterministic output primitive and it should be clear that the term “randomized" can only refer to the actual number of rounds; however, to avoid confusion we will abstain from using this term for functionalities other than BA whose output might also be probabilistic.
As we show, the protocol in [28] does not satisfy input independence, and therefore is not adaptively secure in a simulation-based manner (cf. [37]).
All entities in UC, and in particular ideal functionalities, are strict interactive PPT Turing machines, and the UC composition theorem is proved for such PPT ITMs.
Although security against a “dynamic” adversary is also claimed in [5], the protocol does not implement the natural parallel broadcast functionality in the presence of an adaptive adversary (see Sect. 5).
Note that even a single round of broadcast is enough to create the issues with parallel composition and non-simultaneous termination discussed above.
In contrast, a static adversary chooses the set of corrupted parties at the onset of the computation.
Following the simplifying approach of [43], we assume that communication channels are single use; thus, each message transmission uses an independent instance of the channel (cf. “Appendix B”).
In fact, for simplicity we assume that they deliver output on the first “fetch”.
Looking ahead, this adversarial influence will allow us to describe BA-like functionalities as simple and intuitive CSFs.
This is, in fact, also the case for the standard UC SFE functionality.
In particular, this means that most CSFs are not realizable, since they always guarantee output after two rounds.
In this work, atomic functionalities are always parallel SMT CSFs $\mathcal {F}_{\textsc {psmt}} $, defined in Sect. 4.3.
Note that the root node of the trace sampled from $D_{\mathcal {F}_{\textsc {}}}$ is merely labeled by $\mathcal {W}_{\mathrm {flex}} ^{D_{\mathcal {F}_{\textsc {}}}}(\mathcal {F}_{\textsc {}} ')$, i.e., this is not a circular definition.
We note that the insufficiency of the blowup factor $2c+1$ rounds does not correspond to any particular attack, but it is merely a technicality of the wrapped CSF definition, see Sect. 4.3.
The distributions $D_i$ depend on the protocols realizing the strictly wrapped functionalities $\mathcal {W}_{\text {sl-strict}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)$. Note, however, that the composition theorems in Sects. 4.1 and 4.2 actually work for arbitrary distributions $D_i$.
Of course, the root of the trace $T $ sampled from D is a flexibly wrapped functionality $\mathcal {W}_{\mathrm {flex}} ^{D} (\mathcal {F}_{\textsc {}})$ in the probabilistic termination case.
Recall that proving security with respect to the dummy adversary is sufficient (cf. [10, Claim 10]).
In [5] the problem is referred to as “interactive consistency.”
In [37] verifiable secret sharing (VSS) is used; however, as we argue, this is not necessary.
A full simulation proof of the protocol with a black-box straight-line simulation was recently given by [2] and [23].
As argued in [43], bounded-delay channels are essential as they allow parties to detect whether or not a message was sent within a round.
As pointed out in [43], an alternative approach would be to have a multi-use communication channel; as modeling the actual communication network is out of the scope of the current work, we will use the more standard and formally treated model of single-use channels from [43].
In fact, in Sect. 3 we introduce a more liberal variant of the UC SFE functionality that we call canonical synchronous functionality (in short, CSF) that allows us to abstract several (even more complicated) tasks such as Byzantine agreement.
In the simple case where the parties only use point-to-point channels, $\mu =2(n-1)$, since each party uses $n-1$ channels as sender and $n-1$ as receiver to exchange his messages for each round with all other n parties.
The wrappers presented in this work generalize the notion of guaranteed termination to capture randomized number of rounds. Concretely, one can view the functionality for SFE with guarantee termination from [43] as a wrapped version of the standard SFE functionality with our wrapper with a deterministic round distribution.
To make sure that the simulator can keep track of the round index, $\mathcal {F}_{\textsc {}}$ notifies $\mathcal {S}$ about each received input, unless it has reached its delivery state defined below.
Recall that proving security with respect to the dummy adversary is sufficient (cf. [10, Claim 10]).
Recall that the children at each node in a trace are ordered.
$\mathcal {S} $ can be advanced by suitably sending it $(\texttt {fetch-output},\mathsf {sid},\cdot )$ messages.
The execution $\mathcal {Z} $ interacts with can be advanced by suitably sending $(\texttt {fetch-output},\mathsf {sid},\cdot )$ messages to the parties.
Recall that proving security with respect to the dummy adversary is sufficient [10, Claim 10].
$\mathcal {S} $ can be advanced by suitably sending it $(\texttt {fetch-output},\mathsf {sid},\cdot )$ messages.
$\mathcal {S} $ can be advanced by suitably sending it $(\texttt {fetch-output},\mathsf {sid},\cdot )$ messages.
The execution $\mathcal {Z} $ interacts with can be advanced by suitably sending $(\texttt {fetch-output},\mathsf {sid})$ messages to the parties.
The execution $\mathcal {Z} $ interacts with can be advanced by suitably sending $(\texttt {fetch-output},\mathsf {sid})$ messages to the parties.
Note that although the hybrids are CSFs, and all honest parties terminate at the same round, the protocol has probabilistic termination.

References

G. Asharov, A. Jain, A. López-Alt, E. Tromer, V. Vaikuntanathan, D. Wichs, Multiparty computation with low communication, computation and interaction via threshold FHE, in David Pointcheval and Thomas Johansson, editors, EUROCRYPT 2012. LNCS, vol. 7237 (Springer, April, 2012), pp. 483–501
G. Asharov, Y. Lindell, A full proof of the BGW protocol for perfectly-secure multiparty computation. Electronic Colloquium on Computational Complexity (ECCC), 18:36, (2011)
D. Beaver, S. Micali, P. Rogaway, The round complexity of secure protocols (extended abstract), in 22nd ACM STOC. (ACM Press, May 1990), pp. 503–513
M. Ben-Or, Another advantage of free choice: Completely asynchronous agreement protocols (extended abstract), in Robert L. Probert, Nancy A. Lynch, and Nicola Santoro, editors, 2nd ACM PODC. (ACM Press, August 1983), pp. 27–30
M. Ben-Or, R. El-Yaniv, Resilient-optimal interactive consistency in constant time. Distributed Computing, 16(4):249–262, (2003)
Article Google Scholar
M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract), in 20th ACM STOC. (ACM Press, May 1988), pp. 1–10
G. Bracha, An asynchronous [(n-1)/3]-resilient consensus protocol, in Robert L. Probert, Nancy A. Lynch, and Nicola Santoro, editors, 3rd ACM PODC. (ACM Press, August 1984), pp. 154–162
C. Cachin, K. Kursawe, F. Petzold, V. Shoup, Secure and efficient asynchronous broadcast protocols, in Joe Kilian, editor, CRYPTO 2001. LNCS, vol. 2139 (Springer, August 2001), pp. 524–541
R. Canetti, Security and composition of multiparty cryptographic protocols. Journal of Cryptology, 13(1):143–202, (2000)
Article MathSciNet MATH Google Scholar
R. Canetti, Universally composable security: A new paradigm for cryptographic protocols, in 42nd FOCS. (IEEE Computer Society Press, October 2001), pp. 136–145
R. Canetti, Universally composable signature, certification, and authentication, in 17th IEEE Computer Security Foundations Workshop, (CSFW-17). (2004), pp. 219–235
R. Canetti, A. Cohen, Y. Lindell, A simpler variant of universally composable security for standard multiparty computation, in Rosario Gennaro and Matthew Robshaw, editors, CRYPTO 2015, Part II. LNCS, vol. 9216 (Springer, August 2015), pp. 3–22
R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable two-party and multi-party secure computation, in 34th ACM STOC, (ACM Press, May 2002), pp. 494–503
R. Canetti, T. Rabin, Universal composition with joint state, in Dan Boneh, editor, CRYPTO 2003. LNCS, vol. 2729 (Springer, August 2003), pp. 265–281
D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols (extended abstract), in 20th ACM STOC, (ACM Press, May 1988), pp. 11–19
S.G. Choi, J. Katz, A.J. Malozemoff, V. Zikas, Efficient three-party computation from cut-and-choose, in Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part II. LNCS, vol. 8617 (Springer, August 2014), pp. 513–530
R. Cohen, S. Coretti, J.A. Garay, V. Zikas, Probabilistic termination and composability of cryptographic protocols, in Matthew Robshaw and Jonathan Katz, editors, CRYPTO 2016, Part III. LNCS, vol. 9816 (Springer, August 2016), pp. 240–269
R. Cohen, S. Coretti, J.A. Garay, V. Zikas, Round-preserving parallel composition of probabilistic-termination cryptographic protocols, in ICALP 2017. LIPIcs, vol. 80 (July 2017), pp. 37:1–37:15
R. Cohen, I. Haitner, E. Omri, L. Rotem, Characterization of secure multiparty computation without broadcast, in Eyal Kushilevitz and Tal Malkin, editors, TCC 2016-A, Part I. LNCS, vol. 9562 (Springer, January 2016), pp. 596–616
R. Cohen, Y. Lindell, Fairness versus guaranteed output delivery in secure multiparty computation, in ASIACRYPT 2014, Part II. LNCS, vol. 8874 (Springer, December 2014), pp. 466–485
I. Damgård, Y. Ishai, Constant-round multiparty computation using a black-box pseudorandom generator, in Victor Shoup, editor, CRYPTO 2005, LNCS, vol. 3621 (Springer, August 2005), pp. 378–394
I. Damgård, M. Keller, E. Larraia, V. Pastro, P. Scholl, N.P. Smart, Practical covertly secure MPC for dishonest majority - or: Breaking the SPDZ limits, in Jason Crampton, Sushil Jajodia, and Keith Mayes, editors, ESORICS 2013. LNCS, vol. 8134 (Springer, September 2013), pp. 1–18
I. Damgård, J.B. Nielsen, Adaptive versus static security in the UC model, in ProvSec 2014, (2014), pp. 10–28
MathSciNet MATH Google Scholar
I. Damgård, V. Pastro, N.P. Smart, S. Zakarias, Multiparty computation from somewhat homomorphic encryption, in Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012. LNCS, vol. 7417 (Springer, August 2012), pp. 643–662
D. Dolev, R. Reischuk, H.R. Strong, Early stopping in byzantine agreement. J. ACM, 37(4):720–741, (1990)
Article MathSciNet MATH Google Scholar
D. Dolev, H. Raymond Strong, Authenticated algorithms for byzantine agreement. SIAM Journal on Computing, 12(4):656–666, (1983)
Article MathSciNet MATH Google Scholar
B. Eisenberg, On the expectation of the maximum of IID geometric random variables. Statistics & Probability Letters, 78(2):135–143, (2008)
Article MathSciNet MATH Google Scholar
P. Feldman, S. Micali, An optimal probabilistic protocol for synchronous byzantine agreement. SIAM Journal on Computing, 26(4):873–933, (1997)
Article MathSciNet MATH Google Scholar
M.J. Fischer, N.A. Lynch, A lower bound for the time to assure interactive consistency. Information Processing Letters, 14(4):183–186, (1982)
Article MathSciNet MATH Google Scholar
M. Fitzi, J.A. Garay, Efficient player-optimal protocols for strong and differential consensus, in Elizabeth Borowsky and Sergio Rajsbaum, editors, 22nd ACM PODC, (ACM Press, July 2003), pp. 211–220
S. Garg, C. Gentry, S. Halevi, M. Raykova, Two-round secure MPC from indistinguishability obfuscation, in Yehuda Lindell, editor, TCC 2014. LNCS, vol. 8349 (Springer, February 2014), pp. 74–94
O. Goldreich, S. Micali, A. Wigderson, Proofs that yield nothing but their validity and a methodology of cryptographic protocol design (extended abstract), in 27th FOCS. (IEEE Computer Society Press, October 1986), pp. 174–187
O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or A completeness theorem for protocols with honest majority, in Alfred Aho, editor, 19th ACM STOC. (ACM Press, May 1987), pp. 218–229
O. Goldreich, E. Petrank, The best of both worlds: Guaranteeing termination in fast randomized byzantine agreement protocols. Information Processing Letters, 36(1):45–49, (1990)
Article MathSciNet MATH Google Scholar
S. Goldwasser, Y. Lindell, Secure multi-party computation without agreement. Journal of Cryptology, 18(3):247–287, (2005)
Article MathSciNet MATH Google Scholar
S.D. Gordon, F.-H. Liu, E. Shi, Constant-round MPC with fairness and guarantee of output delivery, in Rosario Gennaro and Matthew Robshaw, editors, CRYPTO 2015, Part II. LNCS, vol. 9216 (Springer, August 2015), pp. 63–82
M. Hirt, V. Zikas, Adaptively secure broadcast, in Henri Gilbert, editor, EUROCRYPT 2010. LNCS, vol. 6110 (Springer, May 2010), pp. 466–485
Y. Ishai, R. Ostrovsky, V. Zikas, Secure multi-party computation with identifiable abort, in Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part II. LNCS, vol. 8617 (Springer, August 2014), pp. 369–386
Y. Ishai, M. Prabhakaran, A. Sahai, Founding cryptography on oblivious transfer - efficiently, in David Wagner, editor, CRYPTO 2008. LNCS, vol. 5157 (Springer, August 2008), pp. 572–591
J. Katz, C.-Y. Koo, On expected constant-round protocols for byzantine agreement, in Cynthia Dwork, editor, CRYPTO 2006. LNCS, vol. 4117 (Springer, August 2006), pp. 445–462
J. Katz, C.-Y. Koo, Round-efficient secure computation in point-to-point networks, in Moni Naor, editor, EUROCRYPT 2007. LNCS, vol. 4515. (Springer, May 2007), pp. 311–328
J. Katz, Y. Lindell, Handling expected polynomial-time strategies in simulation-based security proofs, in Joe Kilian, editor, TCC 2005. LNCS, vol. 3378 (Springer, February 2005), pp. 128–149
J. Katz, U. Maurer, B. Tackmann, V. Zikas, Universally composable synchronous computation, in Amit Sahai, editor, TCC 2013. LNCS, vol. 7785 (Springer, March 2013), pp. 477–498
M. Keller, P. Scholl, N.P. Smart, An architecture for practical actively secure MPC with dishonest majority, in Ahmad-Reza Sadeghi, Virgil D. Gligor, and Moti Yung, editors, ACM CCS 13. (ACM Press, November 2013), pp. 549–560
J. Kilian, Founding cryptography on oblivious transfer, in 20th ACM STOC. (ACM Press, May 1988), pp. 20–31
E. Kushilevitz, Y. Lindell, T. Rabin, Information-theoretically secure protocols and security under composition, in Jon M. Kleinberg, editor, 38th ACM STOC. (ACM Press, May 2006), pp. 109–118
L. Lamport, R.E. Shostak, M.C. Pease, The byzantine generals problem. ACM Trans. Program. Lang. Syst., 4(3):382–401, (1982)
Article MATH Google Scholar
Y. Lindell, A. Lysyanskaya, T. Rabin, On the composition of authenticated byzantine agreement, in 34th ACM STOC. (ACM Press, May 2002), pp. 514–523
Y. Lindell, A. Lysyanskaya, T. Rabin, Sequential composition of protocols without simultaneous termination, in Aleta Ricciardi, editor, 21st ACM PODC. (ACM Press, July 2002), pp. 203–212
Y. Lindell, B. Pinkas, N.P. Smart, A. Yanai, Efficient constant round multi-party computation combining BMR and SPDZ, in Rosario Gennaro and Matthew Robshaw, editors, CRYPTO 2015, Part II. LNCS, vol. 9216 (Springer, August 2015), pp. 319–338
P. Mukherjee, D. Wichs, Two round multiparty computation via multi-key FHE, in Marc Fischlin and Jean-Sébastien Coron, editors, EUROCRYPT 2016, LNCS, vol. 9666 (Springer, May 2016), pp. 735–763
M.C. Pease, R.E. Shostak, L. Lamport, Reaching agreement in the presence of faults. Journal of the ACM, 27(2):228–234, (1980)
Article MathSciNet MATH Google Scholar
M.O. Rabin, Randomized byzantine generals, in 24th Annual Symposium on Foundations of Computer Science, Tucson, Arizona, USA, 7–9 November 1983. (IEEE Computer Society, 1983), pp. 403–409
T. Rabin, M. Ben-Or, Verifiable secret sharing and multiparty protocols with honest majority (extended abstract), in 21st ACM STOC. (ACM Press, May 1989), pp. 73–85
R. Turpin, B.A. Coan, Extending binary byzantine agreement to multivalued byzantine agreement. Information Processing Letters, 18(2):73–76, (1984)
Article Google Scholar
A.C.-C. Yao, Protocols for secure computations (extended abstract), in 23rd FOCS. (IEEE Computer Society Press, November 1982), pp. 160–164.

Download references

Author information

Authors and Affiliations

Department of Computer Science, Bar-Ilan University, Ramat Gan, Israel
Ran Cohen
Department of Computer Science, ETH Zurich, Zurich, Switzerland
Sandro Coretti
Yahoo Research, Sunnyvale, CA, USA
Juan Garay
Department of Computer Science, RPI, Troy, MI, USA
Vassilis Zikas

Authors

Ran Cohen
View author publications
You can also search for this author in PubMed Google Scholar
Sandro Coretti
View author publications
You can also search for this author in PubMed Google Scholar
Juan Garay
View author publications
You can also search for this author in PubMed Google Scholar
Vassilis Zikas
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ran Cohen.

Additional information

Communicated by Nigel Smart.

An extended abstract of this work appeared at CRYPTO 2016 [17].

Ran Cohen: Work supported by a grant from the Israel Ministry of Science, Technology and Space (Grant 3-10883) and by the National Cyber Bureau of Israel.

Sandro Coretti: This author was supported in part by the Swiss NSF Project No. 200020-132794.

Juan Garay, Vassilis Zikas: Work done in part while the author was visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF Grant #CNS-1523467.

Vassilis Zikas: This author was supported in part by the Swiss NSF Ambizione Grant PZ00P2_142549.

Appendices

Appendix A: On Parallel (In)Composability of Protocols with Probabilistic Termination

Ben-Or and El-Yaniv [5] observed that when executing randomized protocols with probabilistic termination in parallel, then, in general, the expected running time of the composed protocol (i.e., the rounds its takes for all protocols to give output to all parties) is not preserved. We prove a formal example where this is the case. Concretely, consider a protocol realizing a particular ideal functionality such that the probability that all parties have completed the protocol by round k is $p^k$ for some $0<p<1$. Then, the expected running time of the protocol is 1 / p rounds, i.e., constant. (This is essentially the case in most randomized BA protocols starting with Feldman and Micali [28].) However, as implied by the following lemma, if m instances of the protocol are run in parallel, in a straightforward manner, the resulting protocol will have an expected running time of $\Theta (\log m)$, which is no longer constant.

In particular, running m parallel copies of the protocol of Feldman and Micali [28] results in a protocol that in expectation takes $\Theta (\log m)$ phases (and thus rounds) to complete.

Lemma A.1

Let $X_1,\ldots ,X_m$ be independent, identically distributed (IID) geometric random variables, such that for every $i\in [m]$ it holds that ${\mathrm {Pr}}[X_i = 1] = p$ for some $0<p<1$. Then,

$$\begin{aligned} E\left[ \max _{1 \le i \le m} X_i\right] = \Theta (\log m). \end{aligned}$$

Proof

As shown in Eisenberg [27], the expected value of the maximum of the random variables satisfies the following inequality:

$$\begin{aligned} \frac{1}{-\log (1-p)} \sum _{k=1}^m \frac{1}{k} \le E\left[ \max _{1 \le i \le m} X_i\right] \le 1 + \frac{1}{-\log (1-p)} \sum _{k=1}^m \frac{1}{k}. \end{aligned}$$

The lemma follows immediately from the properties of the Harmonic numbers $H_m=\sum _{k=1}^m \frac{1}{k}$. In particular, denote $u_m = H_m-\log m$, then the series $(u_m)_m$ converges to Euler’s constant $\gamma $, implying that

$$\begin{aligned} H_m = \Theta (\log m). \end{aligned}$$

$\square $

Appendix B: The Model (Cont’d)

In this section, we give complementary material to Sect. 2 and in particular we include a high-level overview of the formulation of synchronous UC from [43]. More concretely, Katz et al. [43] introduced a framework for universally composable synchronous computation. For self-containment we describe here the basics of the model and introduce some terminology that simplifies the description of corresponding functionalities.

Synchronous protocols can be cast as UC protocols which have access to a special clock functionality $\mathcal {F}_{\textsc {clock}}$—which allows them to coordinate round switches as described below—and communicate over bounded-delay channels.^{Footnote 29} In a nutshell, the clock functionality works as follows: It stores a bit b which is initially set to 0 and it accepts from each party two types of messages: $\textsc {clock}\text {-}\textsc {update}$ and $\textsc {clock}\text {-}\textsc {read}$. The response to $\textsc {clock}\text {-}\textsc {read}$ is the value of the bit b to the requestor. Each $\textsc {clock}\text {-}\textsc {update}$ is forwarded to the adversary, but it is also recorded, and upon receiving such a $\textsc {clock}\text {-}\textsc {update}$ message from all honest parties, the clock functionality updates b to $b\oplus 1$. It then keeps working as above, until it receives again a $\textsc {clock}\text {-}\textsc {update}$ message from all honest parties, in which case it resets b to $b\oplus 1$, and so on.

Such a clock can be used as follows to ensure that honest parties remain synchronized, i.e., no honest party proceeds to the next round before all (honest) parties have finished the current round: Every party stores a local variable where it keeps (its view of) the current value of the clock indicator b. At the beginning of the protocol execution this variable is 0 for all parties. In every round, every party uses all its activations (i.e., messages it receives) to complete all its current round instructions and only then sends $\textsc {clock}\text {-}\textsc {update}$ to the clock signaling to the clock that it has completed its round; following $\textsc {clock}\text {-}\textsc {update}$, all future activations result in the party sending $\textsc {clock}\text {-}\textsc {read}$ to the clock until its bit b is flipped; once the party observes that the bit b has flipped, it starts its next round. Recall that, as mentioned in Sect. 2, for the sake of clarity, we do not explicitly mention $\mathcal {F}_{\textsc {clock}} $ in our constructions.

In [43], for each message that is to be sent in the protocol, the sender and the receiver are given access to an independent single-use channel.^{Footnote 30} We point out that instead of the bounded-delay channels, in this work we will assume very simple SFEs^{Footnote 31} that take as input from the sender the message he wishes to send (and a default input from other parties) and deliver the output to the receiver in a fetch mode. Such a simple secure channel SFE can be realized in a straightforward manner from bounded-delay channels and a clock $\mathcal {F}_{\textsc {clock}} $.

As is common in the synchronous protocols literature, throughout this work we will assume that protocols have the following structure: In each round every party sends/receives a (potentially empty) message to all parties and hybrid functionalities. Such a protocol can be described in UC in a regular form (cf. Sect. 2) using the methodology from [43] as follows: Let $\mu \in \mathbb {N}$ denote the maximum number of messages that any party $P _i$ might send to all its hybrids during some round.^{Footnote 32} Every party in the protocol uses exactly $\mu $ activations in each round. That is, once a party $P _i$ observes that the round has changed, i.e., the indicator bit b of the clock has being flipped, $P _i$ starts its next round as described above. However, this round finishes only after $P _i$ receives $\mu $ additional activations. Note that $P _i$ uses these activations to execute his current round instructions; since $\mu $ is a bound on the number of hybrids used in any round by any party, $\mu $ activations are enough for the party to complete its round. (If $P _i$ finishes the round early, i.e., in less than $\mu $ activations, it simply “does nothing” until the $\mu $ activations are received, i.e., forward the activation from the environment to its hybrid functionalities.) Once $\mu $ activations are received in the current round, $P _i$ sends $\textsc {clock}\text {-}\textsc {update}$ to the clock and then keeps sending $\textsc {clock}\text {-}\textsc {read}$ message, as described above, until it observes a flip of b indicating that $P _i$ can go to the next round.

In addition to the regular form of protocol execution, Katz et al. [43] described a way of capturing in UC the property that a protocol is guaranteed to terminate in a given number of rounds.^{Footnote 33} The idea is that a synchronous protocol in regular form which terminates after r rounds realizes the following functionality $\mathcal {F}_{\textsc {}}$. The functionality $\mathcal {F}_{\textsc {}}$ keeps track of the number of times every honest party sends $\mu $ activations/messages and delivers output as soon as this has happened r times. More concretely, imitating an r-round synchronous protocol with $\mu $ activations per party per round, upon being instantiated, $\mathcal {F}_{\textsc {}} $ initiates a global round counter $\lambda =0$ and an indicator variable $\lambda _{i}:=0$ for each $P _i\in \mathcal {P} $; as soon as some party $P _i$ sends $\mu $ messages to $\mathcal {F}_{\textsc {}}$, while the round counter $\lambda $ is the same, $\mathcal {F}_{\textsc {}}$ sets $\lambda _{i}:=1$ and does the following check:^{Footnote 34} if $\lambda _{i}=1$ for all honest $P _i$ then increase $\lambda :=\lambda +1$ and reset $\lambda _{i}=0$ for all $P _i\in \mathcal {P} $. As soon as $\lambda =r$, the functionality $\mathcal {F}_{\textsc {}}$ enters a “delivery” mode. In this mode, whenever a message $(\texttt {fetch-output},\cdot )$ is received by some party $P _i$, the functionality $\mathcal {F}_{\textsc {}}$ outputs to $P _i$ its output. (If $\mathcal {F}_{\textsc {}}$ has no output to $P _i$ is outputs $\bot $.)

We refer to a functionality that has the above structure, i.e., which keeps track of the current round $\lambda $ by counting how many times every honest party has sent a certain number $\mu $ of messages, as a synchronous functionality. To simplify the description of our functionalities, we introduce the following terminology. We say that a synchronous functionality$\mathcal {F}_{\textsc {}}$is in round$\rho $ if the current value of the above internal counter in $\mathcal {F}_{\textsc {}}$ is $\lambda =\rho $.

We note that protocols in the synchronous model of [43] enjoy the strong composition properties of the UC framework. However, in order to have protocols being executed in a lock-step mode, i.e., where all protocols complete their round within the same clock-tick, Katz et al. [43] make use of the composition with joint state (JUC) [14]. The idea is the parties use an $\mathcal {F}_{\textsc {clock}} $-hybrid protocol $\hat{\pi }$ that emulates toward each of the protocols and subclocks and assigns to each subclock a unique subsession ID ($\mathsf {ssid}$). Each of these subclocks is local to its calling protocol, but $\hat{\pi }$ makes sure that it gives a $\textsc {clock}\text {-}\textsc {update}$ to the actual (joint) clock functionality $\mathcal {F}_{\textsc {clock}}$, only when all subclocks have received such a $\textsc {clock}\text {-}\textsc {update}$ message. This ensures that all clocks will switch their internal bits at the same time with the bigger clock, which means that the protocols using them will be mutually synchronized. This property can be formally proved by direct application of the JUC theorem. For further details the interested reader is referred to [14, 43].

A final delicate point that needs to be addressed is with respect to whether/when parties can stop sending messages to their functionalities. Concretely, since the parties do not a priori know the termination round, a party cannot halt as soon as it produces output, since some other party might still need several rounds to produce its own output. Rather, every protocol in our setting continues sending (dummy) messages to all its hybrids even after having generated its output—as long as it keeps being activated by the environment—to enable also the other (slower) parties compute their outputs. Note that this is a straightforward adaptation of classical UC protocols—instead of the protocol ignoring messages after it has produced output, it enters a special dummy stage. Most importantly, it does not yield inefficient protocols, as the input of a UC protocol consists of the concatenation of its inputs, and therefore, as long as the environment provides new inputs/activations the protocol can continue executing dummy steps. (The UC experiment finishes when the environment decides to stop and make its guess.)

Appendix C: Composition of Probabilistic Termination Protocols (Cont’d)

This section contains the proofs for Sect. 4.

1.1 C.1 Composition with Deterministic Termination (Cont’d)

We start by giving the intuition for the proof of Theorem 4.2. Loosely speaking, the main differences between the SNF protocol $\pi $ implementing the functionality $\mathcal {W}_{\mathrm {strict}} ^D(\mathcal {F}_{\textsc {}})$ and the compiled protocol $\pi '$ implementing $\mathcal {W}_{\text {sl-strict}} ^{{D^{\mathsf {full}}},c}(\mathcal {F}_{\textsc {}})$ is that $\pi $ uses CSF as hybrids, whereas $\pi '$ uses wrapped CSFs, and in addition, parties might not start at the same round, but with a slack of c rounds. In order to ensure that any potential overlap between concurrent calls to different wrapped hybrids remain secure, the wrappers expand each round to $3c+1$ rounds.

Now, given a simulator $\mathcal {S} $ for the dummy adversary and the SNF protocol $\pi $, we construct a simulator $\mathcal {S} '$ for the dummy adversary and the compiled protocol $\pi '$. The new simulator acts as a proxy between $\mathcal {S} $ on the one hand and the environment and the ideal functionality on the other, with the exception that it must “synchronize” the round counters between them. Therefore, $\mathcal {S} '$ stores a local round counter $\rho _i$ for every hybrid $\mathcal {H}_{\textsc {}} {}_i$, and a “slack counter” $c_j$ for every party $P _j$ to ensure that its messages are delivered with the same initial slack it started the protocol.