Abstract
When analyzing the round complexity of multiparty protocols, one often overlooks the fact that underlying resources, such as a broadcast channel, can by themselves be expensive to implement. For example, it is well known that it is impossible to implement a broadcast channel by a (deterministic) protocol in a sublinear (in the number of corrupted parties) number of rounds. The seminal works of Rabin and BenOr from the early 1980s demonstrated that limitations as the above can be overcome by using randomization and allowing parties to terminate at different rounds, igniting the study of protocols over pointtopoint channels with probabilistic termination and expected constant round complexity. However, absent a rigorous simulationbased definition, the suggested protocols are proven secure in a propertybased manner or via ad hoc simulationbased frameworks, therefore guaranteeing limited, if any, composability. In this work, we put forth the first simulationbased treatment of multiparty cryptographic protocols with probabilistic termination. We define secure multiparty computation (MPC) with probabilistic termination in the UC framework and prove a universal composition theorem for probabilistic termination protocols. Our theorem allows to compile a protocol using deterministic termination hybrids into a protocol that uses expected constant round protocols for emulating these hybrids, preserving the expected round complexity of the calling protocol. We showcase our definitions and compiler by providing the first composable protocols (with simulationbased security proofs) for the following primitives, relying on pointtopoint channels: (1) expected constant round perfect Byzantine agreement, (2) expected constant round perfect parallel broadcast, and (3) perfectly secure MPC with round complexity independent of the number of parties.
Similar content being viewed by others
Avoid common mistakes on your manuscript.
1 Introduction
In secure multiparty computation (MPC) [33, 56] n parties \(P _1,\ldots , P _n\) wish to jointly perform a computation on their private inputs in a secure way, so that no coalition of cheating parties can learn more information than their outputs (privacy) or affect the outputs of the computation any more than by choosing their own inputs (correctness).
While the original security definitions had the above propertybased flavor (i.e., the protocols were required to satisfy correctness and privacy, potentially along with other security properties, such as fairness and input independence), it is by now widely accepted that security of multiparty protocols should be argued in a simulationbased manner. Informally, in the simulation paradigm for security, the protocol execution is compared to an ideal world where the parties have access to a trusted party (aka the “ideal functionality”) that captures the security properties the protocol is required to achieve. The trusted party takes the parties’ inputs and performs the computation on their behalf. A protocol is regarded as secure if for any adversary attacking it, there exists an ideal adversary (the simulator) attacking the execution in the ideal world, such that no external distinguisher (environment) can tell the real and the ideal executions apart.
There are several advantages in proving a protocol secure in this way. For starters, the definition of the functionality captures all security properties the protocol is supposed to have, and therefore its design process along with the security proof often exposes potential design flaws or issues that have been overlooked in the protocol design. A very important feature of many simulationbased security definitions is composability, which ensures that a protocol can be composed with other protocols without compromising its security. Intuitively, composability ensures that if a protocol \(\pi ^{\mathcal {G}_{\textsc {}}}\) which uses a “hybrid” \(\mathcal {G}_{\textsc {}} \) (a broadcast channel, for example) securely realizes functionality \(\mathcal {F}_{\textsc {}}\), and protocol \(\rho \) securely realizes the functionality \(\mathcal {G}_{\textsc {}} \), then the protocol \(\pi ^{{\rho }/\mathcal {G}_{\textsc {}}}\), which results by replacing in \(\pi \) calls to \(\mathcal {G}_{\textsc {}} \) by invocations of \(\rho \), securely realizes \(\mathcal {F}_{\textsc {}} \). In fact, simulationbased security is the one and only way we know to ensure that a protocol can be generically used to implement its specification within an arbitrary environment.
Round Complexity. The prevalent model for the design of MPC protocols is the synchronous model, where the protocol proceeds in rounds and all messages sent in any given round are received by the beginning of the next round. In fact, most if not all implemented and highly optimized MPC protocols (e.g., [16, 22, 24, 44, 50]) are in this model. When executing such synchronous protocols over large networks, one needs to impose a long round duration in order to account for potential delay at the network level, since if the duration of the rounds is too short, then it is likely that some of the messages that arrive late will be ignored or, worse, assigned to a later round. Thus, the round complexity, i.e., the number of rounds it takes for a protocol to deliver outputs, is an important efficiency metric for such protocols and, depending on the network parameters, can play a dominant role in the protocol’s running time.
An issue often overlooked in the analysis of the round complexity of protocols is that the relation between a protocol’s round complexity and its actual running time is sensitive to the “hybrids” (e.g., network primitives) that the protocol is assumed to have access to. For example, starting with the seminal MPC works [6, 15, 33, 54, 56], a common assumption is that the parties have access to a broadcast channel, which they invoke possibly in every round. In reality, however, such a broadcast channel might not be available and would have to be implemented by a broadcast protocol designed for a pointtopoint network. Using a standard (deterministic) broadcast protocol for this purpose incurs a linear blowup (in n, the number of parties^{Footnote 1}) on the round complexity of the MPC protocol, as no deterministic broadcast protocol can tolerate a linear number of corruptions and terminate in a sublinear number of rounds [26, 29]. Thus, even though the round complexity of these protocols is usually considered to be linear in the multiplicative depth d of the computed circuit, in reality their running time could become linear in nd (which can be improved to \(O(n+d)\) [41]) when executed over pointtopoint channels.^{Footnote 2}
In fact, all the socalled constant round multiparty protocols (e.g., [1, 3, 21, 31, 36, 39, 45, 51]) rely on broadcast rounds (rounds in which parties make calls to a broadcast channel) and therefore their running time when broadcast is implemented by a standard protocol would explode to be linear in n instead of constant.^{Footnote 3} As the results from [26, 29] imply, this is not a consequence of the specific choice of protocol but a limitation of any protocol in which there is a round such that all parties are guaranteed to have received their outputs; consistently with the literature on faulttolerant distributed computing, we shall refer to protocols satisfying this property as deterministic termination protocols. In fact, to the best of our knowledge, even if we allow a negligible chance for the broadcast to fail, the fastest known solutions tolerating a constant fraction of corruptions follow the paradigm from [28] (see below), which requires a polylogarithmic (in n) number of rounds.^{Footnote 4}
Protocols with Probabilistic Termination. A major breakthrough in faulttolerant distributed algorithms (recently honored with the 2015 Dijkstra Prize in Distributed Computing) was the introduction of randomization to the field by BenOr [4] and Rabin [53], which, effectively, showed how to circumvent the above limitation by using randomization. Most relevant to this submission, Rabin [53] showed that linearly resilient Byzantine agreement protocols [47, 52] (BA, related to broadcast, possibility and impossibilitywise) in expected constant rounds were possible, provided that all parties have access to a “common coin” (i.e., a common source of randomness).^{Footnote 5} This line of research culminated with the work of Feldman and Micali [28], who showed how to obtain a shared random coin with constant probability from “scratch,” yielding a probabilistic BA protocol tolerating the maximum number of misbehaving parties (\(t < n/3\)) that runs in expected constant number of rounds. The randomized BA protocol in [28] works in the informationtheoretic setting; these results were later extended to the computational setting by Fitzi and Garay [30] and by Katz and Koo [40], who showed that assuming digital signatures there exists an (expected) constant round protocol for BA tolerating \(t<n/2\) corruptions. The speedup on the running time in all these protocols, however, comes at the cost of uncertainty, as now they need to give up on guaranteed (eventual) termination (no fixed upper bound on their running time^{Footnote 6}) as well as on simultaneous termination (a party that terminates cannot be sure that other parties have also terminated^{Footnote 7}) [25]. These issues make the simulationbased proof of these protocols a very delicate task, which is the motivation for the current work.
What made the simulationbased approach a more accessible technique in security proofs was the introduction simulationbased security frameworks. The ones that stand out in this development, and most often used in the literature, are Canetti’s modular composition (aka standalone security) [9] and the universal composition (UC) frameworks [10, 11]. The former defines security of synchronous protocols executed in isolation (i.e., only a single protocol is run at a time, and whenever a subroutine protocol is called, it is run until its completion); the latter allows protocols to be executed alongside arbitrary (other) protocols and be interleaved in an arbitrary manner. We remark that although the UC framework is inherently asynchronous, several mechanisms have been proposed to allow for a synchronous execution within it (e.g., [11, 12, 43, 46]).
Despite the widespread use of the simulationbased paradigm to prove security of protocols with deterministic termination, the situation has been quite different when probabilistic termination protocols are considered. Here, despite the existence of roundefficient BA protocols as mentioned above [28, 40], to our knowledge, no formal treatment of the problem in a simulationbased model exists, which would allow us to apply the ingenious ideas of Rabin and BenOr in order to speed up cryptographic protocols. We note that Katz and Koo [40] even provided an expected constant round MPC protocol using their fast BA protocol as a subroutine, employing several techniques to ensure proper use of randomized BA. However, in lack of a formal treatment, existing constructions are usually proved secure in a propertybased manner or rely on ad hoc, less studied security frameworks [49].^{Footnote 8}
A simulationbased and composable treatment of such probabilistic termination (PT for short) protocols would naturally allow, for example, to replace the commonly used broadcast channel with a broadcast protocol, so that the expected running time of the resulting protocol is asymptotically the same as the one of the original (broadcasthybrid) protocol. A closer look at this replacement, however, exposes several issues that have to do not only with the lack of simulationbased security but also with other inherent limitations. Concretely, it is usually the case in an MPC protocol that the broadcast channel is accessed by several (in many cases by all) parties in the same (broadcast) round in parallel. BenOr and ElYaniv [5] observed that if one naïvely replaces each such invocation by a PT broadcast protocol with expected constant running time, then the expected number of rounds until all broadcasts terminate is no longer constant; in fact, it is not hard to see that in the case of [28], the expected round complexity would be logarithmic in the number of instances (and therefore also in the player set size). (We expand on the reason for this blowup in the round complexity in “Appendix A”.) Nevertheless, in [5] a mechanism was proposed for implementing such parallel calls to broadcast so that the total number of rounds remains constant in expectation.
The difficulties arising with generic parallel composition are not the only issue with PT protocols. As observed by Lindell et al. [49], composing such protocols in sequence is also problematic. The main issue here is that, as already mentioned, PT protocols do not have simultaneous termination and therefore a party cannot be sure how long after he receives his output from a call to such a PT protocol he can safely carry on with the execution of the calling protocol. Although PT protocols usually guarantee a constant “slack” of rounds (say, c) in the output of any two honest parties, the naïve approach of using this property to synchronize the parties (i.e., wait c rounds after the first call, 2c rounds after the second call, and so on) imposes an exponential blowup on the round complexity of the calling protocol. To resolve this, [49] proposed using fixed points in time at which a resynchronization subroutine is executed, allowing the parties to ensure that they never get too far out of sync. Alternative approaches for solving this issue were also proposed in [8, 40] but, again, with a restricted (propertybased) proof.
Despite their novel aspects, the aforementioned results on composition of PT protocols do not use simulationbased security, and therefore, it is unclear how (or if) they could be used to, for example, instantiate broadcast within a higherlevel cryptographic protocol. In addition, they do not deal with other important features of modern security definitions, such as adaptive security and strict polynomial time execution. In fact, this lack of a formal cryptographic treatment places some of their claims at odds with the stateoftheart cryptographic definitions. Somewhat pointedly, [5] claimed adaptive security, which, although it can be shown to hold in a propertybased definition, is not achieved by the specified construction when simulationbased security is considered (cf. Sect. 5).
Our Contributions. In this paper, we provide the first formal simulationbased (and composable) treatment of MPC with probabilistic termination. Our treatment builds on Canetti’s universal composition (UC) framework [10, 11]. In order to take advantage of the fast termination of PT protocols, parties typically proceed at different paces and therefore protocols might need to be run in an interleaved manner, e.g., in an MPC protocol a party might initiate the protocol for broadcasting his rround message before other parties have received output from the broadcasting of messages for round \(r1\). This inherent concurrency along with its support for synchrony makes the UC framework the natural candidate for our treatment.
Our motivating goal, which we achieve, is to provide a generic compiler that allows us to transform any UC protocol \(\pi \), even one that cannot be realized in the real world, making calls to deterministic termination UC protocols \(\rho _i\) in a “standalone fashion” (similar to [9], i.e., the protocols \(\rho _i\) are invoked sequentially and in each round exactly one protocol is being executed by all the parties) into a (probabilistic termination) protocol \(\pi '\) (where the parties are no longer synchronized and the hybrids are invoked concurrently) that can be realized in the real world, and in which each \(\rho _i\) is replaced by a PT protocol \(\rho _i'\). The compiled protocol \(\pi '\) achieves the same security as \(\pi \) and has (expected) round complexity proportional to \(\sum _i d_i r_i\), where \(d_i\) is the expected number of calls \(\pi \) makes to \(\rho _i\) and \(r_i\) is the expected round complexity of \(\rho _i\).
Toward this goal, the first step is to define what it means for a protocol to UCsecurely realize a functionality with probabilistic termination in a simulationbased manner, by proposing an explicit formulation of the functionality that captures this important protocol aspect. The highlevel idea is to parameterize the functionality with an efficiently sampleable distribution D that provides an upper bound on the protocol’s running time (i.e., number of rounds), so that the adversary cannot delay outputs beyond this point (but is allowed to deliver the output to honest parties earlier, and even in different rounds).
Next, we prove our universal composability result. Informally, our result provides a generic compiler that takes as input a “standalone” protocol \(\pi \), realizing a probabilistic termination functionality \(\mathcal {F}_{\textsc {}} ^D\) (for a given distribution D) while making sequential calls to (deterministic termination) secure function evaluation (SFE)like functionalities, and compiles it into a new protocol \(\pi '\) in which the calls to the SFEs are replaced by probabilistic termination protocols realizing them. The important feature of our compiler is that in the compiled protocol, the parties do not need to wait for every party to terminate their emulation of each SFE to proceed to the emulation of the next SFE. Rather, shortly after a party (locally) receives its output from one emulation, it proceeds to the next one. This yields an (at most) multiplicative blowup on the expected round complexity as discussed above. In particular, if the protocols used to emulate the SFEs are expected constant round, then the expected round complexity of \(\pi '\) is the same (asymptotically) as that of \(\pi \).
We then showcase our definition and composition theorem by providing simulationbased (therefore composable) probabilistic termination protocols and security proofs for several primitives relying on pointtopoint channels: expected constant round perfect Byzantine agreement, expected constant round perfect parallel broadcast, and perfectly secure MPC with round complexity independent of the number of parties. Not surprisingly, the simulationbased treatment reveals several issues, both at the formal and at the intuitive levels, that are not present in a propertybased analysis, and which we discuss along the way. We now elaborate on each application in turn. Regarding Byzantine agreement, we present a protocol that perfectly securely UCimplements the probabilistic termination Byzantine agreement functionality for \(t<n/3\) in an expected constant number of rounds. (We will use RBA to denote probabilistic termination BA, as it is often referred to as “randomized BA.”^{Footnote 9}) Our protocol follows the structure of the protocol in [28], with a modification inspired by Goldreich and Petrank [34] to make it strict polynomial time (see the discussion below), and in a sense it can be viewed as the analogue for RBA of the wellknown “CLOS” protocol for MPC [13]. Indeed, similarly to how [13] converted (and proved) the “GMW” protocol [32] from statically secure in the standalone setting into an adaptively secure UC version, our work transforms the broadcast and BA protocols from [28] into adaptively UCsecure randomized broadcast and RBA protocols.^{Footnote 10}
Our first construction above serves as a good showcase of the power of our composition theorem, demonstrating how UCsecure RBA is built in a modular manner: First, we decompose the subroutines that are invoked in [28] and describe simple(r) (SFElike) functionalities corresponding to these subroutines; this provides us with a simple “backbone” of the protocol in [28] making calls to these hybrids, which can be easily proved to implement expected constant round RBA. Next, we feed this simplified protocol to our compiler which outputs a protocol that implements RBA from pointtopoint secure channels; our composition theorem ensures that the resulting protocol is also expected constant round.
There is a sticky issue here that we need to resolve for the above to work: The protocol in [28] does not have guaranteed termination and therefore the distribution of the terminating round is not sampleable by a strict probabilistic polynomial time (PPT) machine.^{Footnote 11} A way around this issue would be to modify the UC model of execution so that the corresponding ITMs are expected PPT machines. Such a modification, however, would impact the UC model of computation and would therefore require a new proof of the composition theorem, a trickier task than one might expect, as the shift to expected polynomial time simulation is known to introduce additional conceptual and technical difficulties (cf. [42]), whose resolution is beyond the scope of this work. Instead, here we take a different approach which preserves full compatibility with the UC framework: We adapt the protocol from [28] using ideas from [34] so that it implements a functionality which samples the terminating round with almost the same probability distribution as in [28], but from a finite (linear size) domain; as we show, this distribution is sampleable in strict polynomial time and can therefore be used by a standard UC functionality.
Next, we use our composition theorem to derive the first simulationbased and adaptively (UC) secure parallel broadcast protocol, which guarantees that all broadcast values are received within an expected constant number of rounds. This extends the results from [5, 40] in several ways: First, our protocol is perfectly UCsecure which means that we can now use it within a UCsecure SFE protocol to implement secure channels, and second, it is adaptively secure against a rushing adversary.^{Footnote 12}
Finally, by applying once again our compiler to replace calls to the broadcast channel in the SFE protocol by BenOr et al. [6] (which, recall, is perfectly secure against \(t<n/3\) corruptions in the broadcasthybrid model [2]) by invocations to our adaptively secure UC parallel broadcast protocol, we obtain the first UCsecure PT MPC protocol in the pointtopoint secure channels model with (expected) round complexity O(d), independently of the number of parties, where d is the multiplicative depth of the circuit being computed. As with RBA, this result can be seen as the first analogue of the UC compiler by Canetti et al. [13] for SFE protocols with probabilistic termination.
We stress that the use of perfect security to showcase our composition theorem is just our choice and not a restriction of our composition theorem. In fact, our theorem can be also applied to statistically or computationally secure protocols. Moreover, if one is interested in achieving better constants in the (expected) round complexity, then one can use SFE protocols that attempt to minimize the use of the broadcast channel (e.g., [41]). Our composition theorem will give a direct methodology for this replacement and will, as before, eliminate the dependency of the round complexity from the number of parties.^{Footnote 13}
Followup Work. In the current work the focus is on roundpreserving sequential composition of arbitrary probabilistic termination protocols. Parallel composition is only considered for specific functionalities, in particular for the parallel broadcast functionality. In [18] the roundpreserving parallel composition of arbitrary protocols was considered, showing both positive and negative results.
2 The Model
We consider n parties \(P _1,\ldots ,P _n\) and an adaptive tadversary, i.e., the adversary corrupts up to t parties during the protocol execution.^{Footnote 14} We work in the UC model and assume the reader has some familiarity with its basics. To capture synchronous protocols in UC we use the framework of Katz et al. [43]. Concretely, the assumption that parties are synchronized is captured by assuming that the protocol has access to a “clock” functionality \(\mathcal {F}_{\textsc {clock}}\). The functionality \(\mathcal {F}_{\textsc {clock}}\) maintains an indicator bit which is switched once all honest parties request the functionality to do it. At any given round, a party asks \(\mathcal {F}_{\textsc {clock}}\) to turn the bit on only after having finished with all operations for the current round. Thus, this bit’s value can be used to detect when every party has completed his round, in which case they can proceed to the next round. As a result, this mechanism ensures that no party sends his messages for round \(r+1\) before every party has completed round r. For clarity, we refrain from writing this clock functionality in our theorem statement; however, all our results assume access to such a clock functionality.
In the communication network of [43], parties have access to boundeddelay secure channels. These channels work in a socalled fetch mode, i.e., in order to receive his output the receiver issues a \(\texttt {fetchoutput} \) command. This allows to capture the property of a channel between a sender \(P _s\) and a receiver \(P _r\), delaying the delivery of a message by an amount \(\delta \): As soon as the sender \(P _s\) submits an input y (message to be sent to the receiver) the channel functionality starts counting how many times the receiver requests it.^{Footnote 15} The first \(\delta 1\) such \(\texttt {fetchoutput} \) requests (plus all such requests that are sent before the sender submits input) are ignored (and the adversary is notified about them); the \(\delta \)’th \(\texttt {fetchoutput}\) request following a submitted input y from the sender results in the channel sending \((\texttt {output},y)\) to \(P _r\). In this work we take an alternative approach and model secure channels as special simple SFE functionalities. These SFEs also work in a fetch mode^{Footnote 16} and provide the same guarantee as the boundeddelay channels.
There are two important considerations in proving the security of a synchronous UC protocol: (1) The simulator needs to keep track of the protocol’s current round, and (2) because parties proceed at the same pace, they can synchronize their reaction to the environment; most fully synchronous protocols, for example, deliver output exactly after a given number of rounds. In [43] this property is captured as follows: The functionality keeps track of which round the protocol would be in by counting the number of activations it receives from honest parties. Thus, if the protocol has a regular structure, where every party advances the round after receiving a fixed number \(\mu \) of activations from its environment (all protocols described herein will be in this form), the functionality can easily simulate how rounds in the protocol advance by incrementing its round index whenever it receives \(\mu \) messages from all honest parties; we shall refer to such a functionality as a synchronous functionality. Without loss of generality, whenever clear from the context we will describe functionalities for \(\mu =1\), i.e., once a functionality receives a message from every party it proceeds to the simulation of the next protocol round. We stress that this is done to simplify the description, and in an actual evaluation, as in the synchronous setting of [43], in order to give the simulator sufficiently many activations to perform its simulation, functionalities typically have to wait for \(\mu >1\) messages from each party where the last \(\mu 1\) of these messages are typically “dummy” activations (usually of the type \((\texttt {fetchoutput},\cdot )\)).
To further simplify the description of our functionalities, we introduce the following terminology. We say that a synchronous functionality\(\mathcal {F}_{\textsc {}}\)is in round\(\rho \) if the current value of the above internal round counter in \(\mathcal {F}_{\textsc {}}\) is \(\lambda =\rho \). All synchronous functionalities considered in this work have the following format: They can receive any message as input from the parties; however, they ignore all messages until the first message of the special form \((\texttt {input},\cdot )\); as soon as an honest party sends its input message, any future message by this party is treated as a \((\texttt {fetchoutput},\cdot )\) message. Refer to “Appendix B” for a more detailed overview of [43] and discussion of our model.
3 Secure Computation with Probabilistic Termination
The work of Katz et al. [43] addresses (synchronous) cryptographic protocols that terminate in a fixed number of rounds for all honest parties. However, as mentioned in Sect. 1, BenOr [4] and Rabin [53] showed that in some cases, great asymptotic improvements on the expected termination of protocols can be achieved through the use of randomization. Recall, for example, that in the case of BA, even though a lower bound of \(t+1\) rounds of any deterministic BA protocol tolerating t corruptions exists [26, 29], Rabin’s globalcoin technique (fully realized later on in [28]) yields an expected constant round protocol. This speedup, however, comes at a price, namely, of relinquishing both fixed and simultaneous termination [25]: the round complexity of the corresponding protocols may depend on random choices made during the execution, and parties may obtain output from the protocol in different rounds.
In this section, we show how to capture protocols with such probabilistic termination (PT), i.e., without fixed and without simultaneous termination, within the UC framework. To capture probabilistic termination, we first introduce a functionality template \(\mathcal {F}_{\textsc {csf}} \) called a canonical synchronous functionality (CSF). \(\mathcal {F}_{\textsc {csf}} \) is a simple tworound functionality with explicit (one round) input and (one round) output phases. Computation with probabilistic termination is then defined by wrapping \(\mathcal {F}_{\textsc {csf}} \) with an appropriate functionality wrapper that enables nonfixed, nonsimultaneous termination.
3.1 Canonical Synchronous Functionalities
At a high level, \(\mathcal {F}_{\textsc {csf}} \) corresponds to a generalization of the UCsecure function evaluation (SFE) functionality to allow for potential leakage on the inputs to the adversary and potential adversarial influence on the outputs.^{Footnote 17} In more detail, \(\mathcal {F}_{\textsc {csf}} \) has two parameters: (1) a (possibly) randomized function f that receives \(n+1\) inputs (n inputs from the parties and one additional input from the adversary) and (2) a leakage function \(l\) that leaks some information about the input values to the adversary.
\(\mathcal {F}_{\textsc {csf}} \) proceeds in two rounds: In the first round all the parties hand \(\mathcal {F}_{\textsc {csf}} \) their input values, and in the second round each party receives its output. This is very similar to the standard (UC) SFE functionality; the difference here is that whenever some input is submitted to \(\mathcal {F}_{\textsc {csf}} \), the adversary is handed some leakage function of this input—similarly, for example, to how UCsecure channels leak the message length to the adversary. The adversary can use this leakage when deciding the inputs of corrupted parties. Additionally, he is allowed to input an extra message, which—depending on the function f—might affect the output(s). The detailed description of \(\mathcal {F}_{\textsc {csf}} \) is given in Fig. 1.
Next, we point out a few technical issues about the description of \(\mathcal {F}_{\textsc {csf}} \). Following the simplifications from Sect. 2, \(\mathcal {F}_{\textsc {csf}} \) advances its round as soon as it receives \(\mu =1\) message from each honest party. This ensures that the adversary cannot make the functionality stall indefinitely. Thus, formally speaking, the functionality \(\mathcal {F}_{\textsc {csf}} \) is not well formed (cf. [13]), as its behavior depends on the identities of the corrupted parties.^{Footnote 18} We emphasize that the nonwellformedness relates only to advancing the rounds and is unavoidable if we want to restrict the adversary not to block the evaluation indefinitely (cf. [43]).
Once an honest party sends its input, the adversary receives a leakage from the functionality, and based on this its information can corrupt the party, replace its input value, and send an additional input message to the functionality. Note that the functionality will consider the latest input value received by a party in order to allow the adversary such a behavior.
We point out that as a generalization of the SFE functionality, CSFs are powerful enough to capture any deterministic wellformed functionality. In fact, all the basic (unwrapped) functionalities considered in this work will be CSFs. We now describe how standard functionalities from the MPC literature can be cast as CSFs:

Secure Message Transmission (aka Secure Channel). In the secure message transmission (SMT) functionality, a sender \(P _i\) with input \(x_i\) sends its input to \(P _j\). Since \(\mathcal {F}_{\textsc {csf}} \) is an nparty functionality and involves receiving \(\texttt {input} \) messages from all n parties, we define the twoparty task using an nparty function. The function to compute is \(f_{\tiny {\textsc {smt}}} ^{i,j}(x_1,\ldots ,x_n,a)=(\lambda ,\ldots ,x_i,\ldots ,\lambda )\) (where \(x_i\) is the value of the j’th coordinate) and the leakage function is \(l_{\tiny {\textsc {smt}}} ^{i,j}(x_1,\ldots ,x_n)=y\), where \(y=\left x_i\right \) in case \(P _j\) is honest and \(y=x_i\) in case \(P _j\) is corrupted. We denote by \(c^{i,j}\) the functionality \(\mathcal {F}_{\textsc {csf}} \) when parametrized with the above functions \(f_{\tiny {\textsc {smt}}} ^{i,j}\) and \(l_{\tiny {\textsc {smt}}} ^{i,j}\), for sender \(P _i\) and receiver \(P _j\).

Broadcast. In the (standard) broadcast functionality, a sender \(P _i\) with input \(x_i\) distributes its input to all the parties, i.e., the function to compute is \(f_{\tiny {\textsc {bc}}} ^i(x_1,\ldots ,x_n,a)=(x_i,\ldots ,x_i)\). The adversary only learns the length of the message \(x_i\) before its distribution, i.e., the leakage function is \(l_{\tiny {\textsc {bc}}} ^i(x_1,\ldots ,x_n)=\left x_i\right \). This means that the adversary does not gain new information about the input of an honest sender before the output value for all the parties is determined, and in particular, the adversary cannot corrupt an honest sender and change its input after learning the input message. We denote by \(\mathcal {F}_{\textsc {bc}} ^i\) the functionality \(\mathcal {F}_{\textsc {csf}} \) when parametrized with the above functions \(f_{\tiny {\textsc {bc}}} ^i\) and \(l_{\tiny {\textsc {bc}}} ^i\), for sender \(P _i\).

Secure Function Evaluation. In the secure function evaluation functionality, the parties compute a randomized function \(g(x_1,\ldots ,x_n)\), i.e., the function to compute is \(f_{\tiny {\textsc {sfe}}} ^g(x_1,\ldots ,x_n,a)=g(x_1,\ldots ,x_n)\). The adversary learns the length of the input values via the leakage function, i.e., the leakage function is \(l_{\tiny {\textsc {sfe}}} (x_1,\ldots ,x_n)=(\left x_1\right ,\ldots ,\left x_n\right )\). We denote by \(\mathcal {F}_{\textsc {sfe}} ^g\) the functionality \(\mathcal {F}_{\textsc {csf}} \) when parametrized with the above functions \(f_{\tiny {\textsc {sfe}}} ^g\) and \(l_{\tiny {\textsc {sfe}}} \), for computing the nparty function g.

Byzantine Agreement (aka Consensus). In the Byzantine agreement functionality, defined for the set V, each party \(P _i\) has input \(x_i\in V\). The common output is computed such that if \(nt\) of the input values are the same, this will be the output; otherwise the adversary gets to decide on the output. The adversary is allowed to learn the content of each input value from the leakage (and so it can corrupt parties and change their inputs based on this information). The function to compute is \(f_{\tiny {\textsc {ba}}} (x_1,\ldots ,x_n,a)=(y,\ldots ,y)\) such that \(y=x\) if there exists a value x such that \(x=x_i\) for at least \(nt\) input values \(x_i\); otherwise \(y=a\). The leakage function is \(l_{\tiny {\textsc {ba}}} (x_1,\ldots ,x_n)=(x_1,\ldots ,x_n)\). We denote by \(\mathcal {F}_{\textsc {ba}} ^V\) the functionality \(\mathcal {F}_{\textsc {csf}} \) when parametrized with the above functions \(f_{\tiny {\textsc {ba}}} \) and \(l_{\tiny {\textsc {ba}}} \), defined for the set V.
3.2 Probabilistic Termination in UC
Having defined CSFs, we turn to the notion of (nonreactive) computation with probabilistic termination. This is achieved by defining the notion of an output round randomizing wrapper. Such a wrapper is parametrized by an efficient probabilistic algorithm D, termed the round sampler, that may depend on a specific protocol implementing the functionality. The round sampler D samples a round number \(\rho _\mathsf {term}\) by which all parties are guaranteed to receive their outputs no matter what the adversary strategy is. Moreover, since there are protocols in which all parties terminate in the same round and protocols in which they do not, we consider two wrappers: The first, denoted \(\mathcal {W}_{\mathrm {strict}} \), ensures in a strict manner that all (honest) parties terminate in the same round, whereas the second, denoted \(\mathcal {W}_{\mathrm {flex}} \), is more flexible and allows the adversary to deliver outputs to individual parties at any time before round \(\rho _\mathsf {term}\).
A delicate issue that needs to be addressed is the following: While an ideal functionality can be used to abstractly describe a protocol’s task, it cannot hide the protocol’s round complexity. This phenomenon is inherent in the synchronous communication model: any environment can observe how many rounds the execution of a protocol takes, and, therefore, the execution of the corresponding ideal functionality must take the same number of rounds.^{Footnote 19}
As an illustration of this issue, let \(\mathcal {F}_{\textsc {}} \) be an arbitrary functionality realized by some protocol \(\pi \). If \(\mathcal {F}_{\textsc {}} \) is to provide guaranteed termination (whether probabilistic or not), it must enforce an upper bound on the number of rounds that elapse until all parties receive their outputs. If the termination round of \(\pi \) is not fixed (but may depend on random choices made during its execution), this upper bound must be chosen according to the distribution induced by \(\pi \).
Thus, in order to simulate correctly, the functionality \(\mathcal {F}_{\textsc {}} \) and \(\pi \)’s simulator \(\mathcal {S} \) must coordinate the termination round, and therefore, \(\mathcal {F}_{\textsc {}} \) must pass the upper bound it samples to \(\mathcal {S} \). However, it is not sufficient to simply inform the simulator about the guaranteed termination upper bound \(\rho _\mathsf {term}\). Intuitively, the reason is that protocol \(\pi \) may make probabilistic choices as to the order in which it calls its hybrids (and, even worse, these hybrids may even have probabilistic termination themselves). Thus, \(\mathcal {F}_{\textsc {}} \) needs to sample the upper bound based on \(\pi \) and the protocols realizing the hybrids called by \(\pi \). As \(\mathcal {S} \) needs to emulate the entire protocol execution, it is now left with the task of trying to sample the protocol’s choices conditioned on the upper bound it receives from \(\mathcal {F}_{\textsc {}} \). In general, however, it is unclear whether such a reverse sampling can be performed in (strict) polynomial time.
To avoid this issue and allow for an efficient simulation, we have \(\mathcal {F}_{\textsc {}} \) output all the coins that were used for sampling round \(\rho _\mathsf {term}\) to \(\mathcal {S} \). Because \(\mathcal {S} \) knows the round sampler algorithm, it can reproduce the entire computation of the sampler and use it in its simulation. In fact, as we discuss below, it suffices for our proofs to have \(\mathcal {F}_{\textsc {}} \) output a trace of its choices to the simulator instead of all the coins that were used to sample this trace. In the remainder of this section, we motivate and formally describe our formulation of such traces. The formal description of the wrappers, which in particular sample traces, can then be found at the end of this section.
Execution Traces. As mentioned above, in the synchronous communication model, the execution of the ideal functionality must take the same number of rounds as the protocol. For example, suppose that the functionality \(\mathcal {F}_{\textsc {}} \) in our illustration above is used as a hybrid by a higherlevel protocol \(\pi '\). The functionality \(\mathcal {G}_{\textsc {}} \) realized by \(\pi '\) must, similarly to \(\mathcal {F}_{\textsc {}} \), choose an upper bound on the number of rounds that elapse before parties obtain their outputs. However, this upper bound now depends not only on \(\pi '\) itself but also on \(\pi \) (in particular, when \(\pi \) is a probabilistic termination protocol).
Given the above, the round sampler of a functionality needs to keep track of how the functionality was realized. This can be achieved via the notion of trace. A trace basically records which hybrids were called by a protocol, and in a recursive way, for each hybrid, which hybrids would have been called by a protocol realizing that hybrid. The recursion ends with the hybrids that are “assumed” by the model, called atomic functionalities.^{Footnote 20}
Building on our running illustration above, suppose protocol \(\pi '\) (realizing \(\mathcal {G}_{\textsc {}} \)) makes ideal hybrid calls to \(\mathcal {F}_{\textsc {}} \) and to some atomic functionality \(\mathcal {H}_{\textsc {}} \). Assume that in an example execution, \(\pi '\) happens to make (sequential) calls to instances of \(\mathcal {H}_{\textsc {}} \) and \(\mathcal {F}_{\textsc {}} \) in the following order: \(\mathcal {F}_{\textsc {}} \), then \(\mathcal {H}_{\textsc {}} \), and finally \(\mathcal {F}_{\textsc {}} \) again. Moreover, assume that \(\mathcal {F}_{\textsc {}} \) is replaced by protocol \(\pi \) (realizing \(\mathcal {F}_{\textsc {}} \)) and that \(\pi \) happens to make two (sequential) calls to \(\mathcal {H}_{\textsc {}} \) upon the first invocation by \(\pi '\), and three (sequential) calls to \(\mathcal {H}_{\textsc {}} \) the second time (we assume that both \(\pi \) and \(\pi '\) call exactly one hybrid in every round). Then, this would result in the trace depicted in Fig. 2.
Assume that \(\pi \) is a probabilistic termination protocol and \(\pi '\) a deterministic termination protocol. Consequently, this means that \(\mathcal {F}_{\textsc {}} \) is in fact a flexibly wrapped functionality of some CSF \(\mathcal {F}_{\textsc {}} '\), i.e., \(\mathcal {F}_{\textsc {}} =\mathcal {W}_{\mathrm {flex}} ^{D_{\mathcal {F}_{\textsc {}}}}(\mathcal {F}_{\textsc {}} ')\), where the distribution \({D_{\mathcal {F}_{\textsc {}}}}\) samples (from a distribution induced by \(\pi \)) depth1 traces with root \(\mathcal {W}_{\mathrm {flex}} ^{D_{\mathcal {F}_{\textsc {}}}}(\mathcal {F}_{\textsc {}} ')\) and leaves \(\mathcal {H}_{\textsc {}} \).^{Footnote 21} Similarly, \(\mathcal {G}_{\textsc {}} \) is a strictly wrapped functionality of some CSF \(\mathcal {G}_{\textsc {}} '\), i.e., \(\mathcal {G}_{\textsc {}} =\mathcal {W}_{\mathrm {strict}} ^{D_{\mathcal {G}_{\textsc {}}}} (\mathcal {G}_{\textsc {}} ')\), where the distribution \(D_{\mathcal {G}_{\textsc {}}}\) first samples (from a distribution induced by \(\pi '\)) a depth1 trace with root \(\mathcal {W}_{\mathrm {strict}} ^{D_{\mathcal {G}_{\textsc {}}}} (\mathcal {G}_{\textsc {}} ')\) and leaves \(\mathcal {W}_{\mathrm {flex}} ^{D_{\mathcal {F}_{\textsc {}}}}(\mathcal {F}_{\textsc {}} ')\) as well as \(\mathcal {H}_{\textsc {}} \). Then, each leaf node \(\mathcal {W}_{\mathrm {flex}} ^{D_{\mathcal {F}_{\textsc {}}}}(\mathcal {F}_{\textsc {}} {}')\) is replaced by a trace (independently) sampled from \(D_{\mathcal {F}_{\textsc {}}}\). Thus, the example trace from Fig. 2 would look as in Fig. 3.
Formally, a trace is defined as follows:
Definition 3.1
(traces) A trace is a rooted tree of depth at least 1, in which all nodes are labeled by functionalities and where every node’s children are ordered. The root and all internal nodes are labeled by wrapped CSFs (by either of the two wrappers), and the leaves are labeled by unwrapped CSFs. The trace complexity of a trace \(T \), denoted \(c_{\mathsf {tr}} (T)\), is the number of leaves in \(T \). Moreover, denote by \({\mathsf {flex_{tr}}} (T)\) the number of flexibly wrapped CSFs in \(T \).
Remark
The actual protocol trace encodes its round complexity and the access pattern to its hybrids (i.e., when is each hybrid used). Clearly, this pattern might depend on the inputs of the parties and/or the adversary. For example, in the Byzantine agreement protocol of Feldman and Micali [28], if all honest parties start with the same input, then they get their output faster. For simplicity, in this work, the class of trace distributions we define, and which our wrappers sample from, considers traces that are sampled independently of the honest parties’ inputs or adversary. Nonetheless, our wrappers give the simulator the power to influence the simulated access pattern and/or termination round. This allows us to use this simplified trace distribution class to devise functionalities which, as we show, are implemented by known protocols with probabilistic termination.
Strict Wrapper Functionality. We now proceed to give the formal descriptions of the wrappers. The strict wrapper functionality, defined in Fig. 4, is parametrized by (a sampler that induces) a distribution \(D\) over traces, and internally runs a copy of a CSF functionality \(\mathcal {F}_{\textsc {}} \). Initially, a trace \(T \) is sampled from \(D\); this trace is given to the adversary once the first honest party provides its input. The trace \(T \) is used by the wrapper to define the termination round \(\rho _\mathsf {term}\leftarrow c_{\mathsf {tr}} (T)\). In the first round, the wrapper forwards all the messages from the parties and the adversary to (and from) the functionality \(\mathcal {F}_{\textsc {}} \). Next, the wrapper essentially waits until round \(\rho _\mathsf {term}\), with the exception that the adversary is allowed to send \((\texttt {advinput},\mathsf {sid},\cdot )\) messages and change its input to the function computed by the CSF. Finally, when round \(\rho _\mathsf {term}\) arrives, the wrapper provides the output generated by \(\mathcal {F}_{\textsc {}} \) to all parties.
Flexible Wrapper Functionality. The flexible wrapper functionality, defined in Fig. 5, follows in similar lines to the strict wrapper. The difference is that the adversary is allowed to instruct the wrapper to deliver the output to each party at any round. In order to accomplish this, the wrapper assigns a termination indicator \(\mathsf {term}_i\), initially set to 0, to each party. Once the wrapper receives an \(\texttt {earlyoutput} \) request from the adversary for \(P _i\), it sets \(\mathsf {term}_i\leftarrow 1\). Now, when a party \(P _i\) sends a \(\texttt {fetchoutput} \) request, the wrapper checks if \(\mathsf {term}_i=1\), and lets the party receive its output in this case (by forwarding the \(\texttt {fetchoutput} \) request to \(\mathcal {F}_{\textsc {}} \)). When the guaranteed termination round \(\rho _\mathsf {term}\) arrives, the wrapper provides the output to all parties that did not receive it yet.
4 (Fast) Composition of Probabilistic Termination Protocols
Canonical synchronous functionalities that are wrapped using the flexible wrapper (cf. Sect. 3.2), i.e., functionalities that correspond to protocols with nonsimultaneous termination, are cumbersome to be used as hybrid functionalities for protocols. The reason is that the adversary can cause parties to finish in different rounds, and, as a result, after the execution of the first such functionality, the parties might be out of sync.
This “slack” can be reduced, however, only to a difference of one round, unless one is willing to pay a linear blowup (in the number of parties) in round complexity [26, 29]. Hence, all protocols must be modified to deal with a nonsimultaneous start of (at least) one round, and protocols that introduce slack must be followed by a slack reduction procedure. In this section, we provide general transformations to reduce the desired tasks to the simpler task of designing protocols in a “standalone” setting, where all parties remain synchronized throughout the protocol (and no slack and round complexity issues arise), and all the hybrids are (unachievable) CSFs that are called in a strictly sequential manner.
Definition 4.1
(SNF) Let \(\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m\) be canonical synchronous functionalities. A synchronous protocol \(\pi \) in the \((\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)\)hybrid model is in synchronous normal form (SNF) if in every round exactly one ideal functionality \(\mathcal {F}_{\textsc {}} {}_i\) is invoked by all honest parties, and in addition, no honest party hands inputs to other CSFs before this instance halts.
Clearly, designing and proving the security of SNF protocols, which only make calls to simple tworound CSFs is a much simpler task than dealing with protocols that invoke more complicated hybrids, potentially with probabilistic termination (see Sect. 5 for concrete examples).
SNF protocols are designed as an intermediate step, since the hybrid functionalities \(\mathcal {F}_{\textsc {}} {}_i\) are tworound CSFs, and, in general, cannot be realized by realworld protocols. To that end, we define a protocol compiler that transforms SNF protocols into (nonSNF) protocols making calls to wrapped CSFs that can be realized in the real world, while maintaining their security and asymptotic (expected) round complexity. At the same time, the compiler takes care of any potential slack that is introduced by the protocol and ensures that the protocol can be executed even if the parties do not start the protocol simultaneously.
In Sect. 4.1, we apply this approach to deterministic termination protocols that use deterministic termination hybrids, and in Sect. 4.2, generalize it to the probabilistic termination setting. Section 4.3 covers the base case of realizing the wrapped parallel secure message transmission\(\mathcal {F}_{\textsc {psmt}} \) using only (nonparallel) secure message transmission\(\mathcal {F}_{\textsc {smt}} \). All proofs can be found in “Appendix C”.
4.1 Composition with Deterministic Termination
We start by defining a slacktolerant variant of the strict wrapper (cf. Sect. 3.2), which can be used even when parties operate with a (known) slack. Then, we show how to compile an SNF protocol \(\pi \) realizing a strictly wrapped CSF \(\mathcal {F}_{\textsc {}} \) into a (nonSNF) protocol \(\pi '\) realizing a version of \(\mathcal {F}_{\textsc {}} \) wrapped with the slacktolerant strict wrapper and making calls to wrapped hybrids.
SlackTolerant Strict Wrapper. The slacktolerant strict wrapper\(\mathcal {W}_{\text {slstrict}} ^{D,c}\), formally defined in Fig. 6, is parametrized by an integer \(c\ge 0\), which denotes the amount of slack tolerance that is added, and a distribution D over traces. The wrapper \(\mathcal {W}_{\text {slstrict}} \) is similar to \(\mathcal {W}_{\mathrm {strict}} \) but allows parties to provide input within a window of \(2c+1\) rounds and ensures that they obtain output with the same slack they started with. The wrapper essentially increases the termination round by a factor of \(B_{c} = 3c+1\), which is due to the slack tolerance technique used to implement the wrapped version of the atomic parallel SMT functionality (cf. Sect. 4.3).^{Footnote 22}
Deterministic Termination Compiler. Let \(\mathcal {F}_{\textsc {}}, \mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m\) be canonical synchronous functionalities, and let \(\pi \) an SNF protocol that UCrealizes the strictly wrapped functionality \(\mathcal {W}_{\mathrm {strict}} ^D(\mathcal {F}_{\textsc {}})\), for some depth1 distribution D, in the \((\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)\)hybrid model, assuming that all honest parties receive their inputs at the same round. We define a compiler \(\mathsf {Comp}_{\textsc {dt}} ^c\), parametrized with a slack parameter \(c\ge 0\), that receives as input the protocol \(\pi \) and distributions \(D_1,\ldots ,D_m\) over traces and replaces every call to a CSF
\(\mathcal {F}_{\textsc {}} {}_i\) with a call to the wrapped CSF \(\mathcal {W}_{\text {slstrict}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)\). We denote the output of the compiler by \(\pi ' = \mathsf {Comp}_{\textsc {dt}} ^c(\pi ,D_1,\ldots ,D_m)\).^{Footnote 23}
As shown below, \(\pi '\) realizes \(\mathcal {W}_{\text {slstrict}} ^{{D^{\mathsf {full}}},c}(\mathcal {F}_{\textsc {}})\), for a suitably adapted distribution \({D^{\mathsf {full}}}\), assuming all parties start within \(c+1\) consecutive rounds. Consequently, the compiled protocol \(\pi '\) can handle a slack of up to c rounds while using hybrids that are realizable themselves.
Calling the wrapped CSFs instead of the CSFs \((\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)\) affects the trace corresponding to \(\mathcal {F}_{\textsc {}} \). The new trace \({D^{\mathsf {full}}}= \mathsf {full}\text {}\mathsf {trace}(D,D_1,\ldots ,D_m)\) is obtained as follows:

1.
Sample a trace \(T \leftarrow D\), which is a depth1 tree with a root label \(\mathcal {W}_{\mathrm {strict}} ^{D} (\mathcal {F}_{\textsc {}})\) and leaves from the set \(\{\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m\}\).

2.
Construct a new trace \(T '\) with a root label \(\mathcal {W}_{\mathrm {strict}} ^{{D^{\mathsf {full}}}} (\mathcal {F}_{\textsc {}})\).

3.
For each leaf node \(\mathcal {F}_{\textsc {}} ' = \mathcal {F}_{\textsc {}} {}_i\), for some \(i\in [m]\), sample a trace \(T _i \leftarrow D_i\) and append the trace \(T _i\) to the first layer in \(T '\) (i.e., replace the node \(\mathcal {F}_{\textsc {}} {}'\) with \(T _i\)).

4.
Output the resulting trace \(T '\).
The following theorem states that the compiled protocol \(\pi '\) UCrealizes the wrapped functionality \(\mathcal {W}_{\text {slstrict}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})\).
Theorem 4.2
Let \(\mathcal {F}_{\textsc {}}, \mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m\) be canonical synchronous functionalities, let \(t<n/3\), and let \(\pi \) an SNF protocol that UCrealizes \(\mathcal {W}_{\mathrm {strict}} ^D(\mathcal {F}_{\textsc {}})\) with perfect security in the \((\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)\)hybrid model, for some depth1 distribution D, in the presence of adaptive, malicious tadversary, and assuming that all honest parties receive their inputs at the same round. Let \(D_1,\ldots ,D_m\) be arbitrary distributions over traces, \({D^{\mathsf {full}}}= \mathsf {full}\text {}\mathsf {trace}(D,D_1,\ldots ,D_m)\), and \(c\ge 0\).
Then, the compiled protocol \(\pi '=\mathsf {Comp}_{\textsc {dt}} ^c(\pi ,D_1,\ldots ,D_m)\) UCrealizes \(\mathcal {W}_{\text {slstrict}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})\) with perfect security in the \((\mathcal {W}_{\text {slstrict}} ^{D_1,c}(\mathcal {F}_{\textsc {}} {}_1),\ldots ,\mathcal {W}_{\text {slstrict}} ^{D_m,c}(\mathcal {F}_{\textsc {}} {}_m))\)hybrid model, in the presence of adaptive, malicious tadversary, assuming that all honest parties receive their inputs within \(c+1\) consecutive rounds.
The expected round complexity of the compiled protocol \(\pi '\) is
where \(d_i\) is the expected number of calls in \(\pi \) to hybrid \(\mathcal {F}_{\textsc {}} {}_i\), \(T _i\) is a trace sampled from \(D_i\), and \(B_{c} = 3c+1\) is the blowup factor.
The proof of Theorem 4.2 can be found in “Appendix C.1”.
4.2 Composition with Probabilistic Termination
The composition theorem in Sect. 4.1 does not work if the protocol \(\pi \) itself introduces slack (e.g., the fast broadcast protocol by Feldman and Micali [28]) or if one of the hybrids needs to be replaced by a slackintroducing protocol (e.g., instantiating the broadcast hybrids with fast broadcast protocols in BGW [6]).
As in Sect. 4.1, we start by adjusting the flexible wrapper (cf. Sect. 3.2) to be slacktolerant. In addition, the slacktolerant flexible wrapper ensures that all parties will obtain their outputs within two consecutive rounds. Then, we show how to compile an SNF protocol \(\pi \) realizing a CSF \(\mathcal {F}_{\textsc {}} \), wrapped with the flexible wrapper, into a (nonSNF) protocol \(\pi '\) realizing a version of \(\mathcal {F}_{\textsc {}} \) wrapped with slacktolerant flexible wrapper. The case where \(\pi \) implements a strictly wrapped CSF, but some of the hybrids are wrapped with the slacktolerant flexible wrapper follows along similar lines.
SlackTolerant Flexible Wrapper. The slacktolerant flexible wrapper\(\mathcal {W}_{\text {slflex}} ^{D,c}\), formally defined in Fig. 7, is parametrized by an integer \(c\ge 0\), which denotes the amount of slack tolerance that is added, and a distribution D over traces. The wrapper \(\mathcal {W}_{\text {slflex}} \) is similar to \(\mathcal {W}_{\mathrm {flex}} \) but allows parties to provide input within a window of \(2c+1\) rounds and ensures that all honest parties will receive their output within two consecutive rounds. The wrapper essentially increases the termination round to
where the blowup factor \(B_{c}\) is as explained in Sect. 4.1, and the additional factor of 2 results from the termination protocol described below for every flexibly wrapped CSF, which increases the round complexity by at most two additional rounds (recall that \({\mathsf {flex_{tr}}} (T)\) denotes the number of such CSFs), and c is due to the potential slack. \(\mathcal {W}_{\text {slflex}} \) allows the adversary to deliver output at any round prior to \(\rho _\mathsf {term}\) but ensures that all parties obtain output with a slack of at most one round. Moreover, it allows the adversary to obtain the output using the \((\texttt {getoutput},\mathsf {sid})\) command, which is necessary in order to simulate the termination protocol.
Probabilistic Termination Compiler. Let \(\mathcal {F}_{\textsc {}}, \mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m\) be canonical synchronous functionalities, and let \(\pi \) be an SNF protocol that UCrealizes the flexibly wrapped functionality \(\mathcal {W}_{\mathrm {flex}} ^D(\mathcal {F}_{\textsc {}})\) in the \((\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)\)hybrid model, for some depth1 distribution D, assuming all parties start at the same round. Define the following compiler \(\mathsf {Comp}_{\textsc {ptr}} ^c\), parametrized by a slack parameter \(c\ge 0\). The compiler receives as input the protocol \(\pi \), distributions \(D_1,\ldots ,D_m\) over traces, and a subset \(I\subseteq [m]\) indexing which CSFs \(\mathcal {F}_{\textsc {}} {}_i\) are to be wrapped with \(\mathcal {W}_{\text {slflex}} \) and which with \(\mathcal {W}_{\text {slstrict}} \); every call in \(\pi \) to a CSF \(\mathcal {F}_{\textsc {}} {}_i\) is replaced with a call to the wrapped CSF \(\mathcal {W}_{\text {slflex}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)\) if \(i\in I\) or to \(\mathcal {W}_{\text {slstrict}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)\) if \(i\notin I\).
In addition, the compiler adds the following termination procedure, based on an approach originally suggested by Bracha [7], which ensures all honest parties will terminate within two consecutive rounds:

As soon as a party is ready to output a value y (according to the prescribed protocol) or upon receiving at least \(t+1\) messages \((\texttt {end},\mathsf {sid},y)\) for the same value y (whichever happens first), it sends \((\texttt {end},\mathsf {sid},y)\) to all parties.

Upon receiving \(nt\) messages \((\texttt {end},\mathsf {sid},y)\) for the same value y, a party outputs y as the result of the computation and halts.
Observe that this technique only works for public output functionalities, and therefore, only CSFs with public output can be wrapped by \(\mathcal {W}_{\text {slflex}} \). We denote the output of the compiler by \(\pi ' = \mathsf {Comp}_{\textsc {ptr}} ^c(\pi ,D_1,\ldots ,D_m,I)\).
The following theorem states that the compiled protocol \(\pi '\) UCrealizes the wrapped functionality \(\mathcal {W}_{\text {slflex}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})\), for the adapted distribution \({D^{\mathsf {full}}}=\mathsf {full}\text {}\mathsf {trace}(D,D_1,\ldots ,D_m)\). Consequently, the compiled protocol \(\pi '\) can handle a slack of up to c rounds, while using hybrids that are realizable themselves, and ensuring that the output slack is at most one round (as opposed to \(\pi \)). Calling the wrapped hybrids instead of the CSFs affects the trace corresponding to \(\mathcal {F}_{\textsc {}} \) in exactly the same way as in the case with deterministic termination (cf. Sect. 4.1).^{Footnote 24}
Theorem 4.3
Let \(\mathcal {F}_{\textsc {}}, \mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m\) be canonical synchronous functionalities, let \(t<n/3\), and let \(\pi \) an SNF protocol that UCrealizes \(\mathcal {W}_{\mathrm {flex}} ^D(\mathcal {F}_{\textsc {}})\) with perfect security in the \((\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)\)hybrid model, for some depth1 distribution D, in the presence of adaptive, malicious tadversary, and assuming that all honest parties receive their inputs at the same round. Let \(I\subseteq [m]\) be the subset (of indices) of functionalities to be wrapped using the flexible wrapper, let \(D_1,\ldots ,D_m\) be arbitrary distributions over traces, denote \({D^{\mathsf {full}}}= \mathsf {full}\text {}\mathsf {trace}(D,D_1,\ldots ,D_m)\) and let \(c\ge 0\). Assume that \(\mathcal {F}_{\textsc {}} \) and \(\mathcal {F}_{\textsc {}} {}_i\), for every \(i\in I\), are public output functionalities.
Then, the compiled protocol \(\pi '=\mathsf {Comp}_{\textsc {ptr}} ^c(\pi ,D_1,\ldots ,D_m,I)\) UCrealizes \(\mathcal {W}_{\text {slflex}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})\) with perfect security in the \((\mathcal {W} (\mathcal {F}_{\textsc {}} {}_1),\ldots ,\mathcal {W} (\mathcal {F}_{\textsc {}} {}_m))\)hybrid model, where \(\mathcal {W} (\mathcal {F}_{\textsc {}} {}_i)=\mathcal {W}_{\text {slflex}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)\) if \(i\in I\) and \(\mathcal {W} (\mathcal {F}_{\textsc {}} {}_i)=\mathcal {W}_{\text {slstrict}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)\) if \(i\notin I\), in the presence of adaptive, malicious tadversary, assuming that all honest parties receive their inputs within \(c+1\) consecutive rounds.
The expected round complexity of the compiled protocol \(\pi '\) is
where \(d_i\) is the expected number of calls in \(\pi \) to hybrid \(\mathcal {F}_{\textsc {}} {}_i\), \(T _i\) is a trace sampled from \(D_i\), and \(B_{c} = 3c+1\) is the blowup factor.
The proof of Theorem 4.3 can be found in “Appendix C.2”.
Consider now the scenario where an SNF protocol \(\pi \) realizes a strictly wrapped functionality, yet some of the CSF hybrids are to be wrapped by flexible wrappers. The corresponding compiler \(\mathsf {Comp}_{\textsc {pt}} \) works as \(\mathsf {Comp}_{\textsc {ptr}} \) with the exception that the slack reduction protocol is not performed at the end. The proof of the following theorem follows that of Theorem 4.3.
Theorem 4.4
Let \(\mathcal {F}_{\textsc {}}, \mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m\) be canonical synchronous functionalities, let \(t<n/3\), and let \(\pi \) an SNF protocol that UCrealizes \(\mathcal {W}_{\mathrm {strict}} ^D(\mathcal {F}_{\textsc {}})\) with perfect security in the \((\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)\)hybrid model, for some depth1 distribution D, in the presence of an adaptive, malicious tadversary, and assuming that all honest parties receive their inputs at the same round. Let \(I\subseteq [m]\) be the subset (of indices) of functionalities to be wrapped using the flexible wrapper, let \(D_1,\ldots ,D_m\) be arbitrary distributions over traces, denote \({D^{\mathsf {full}}}= \mathsf {full}\text {}\mathsf {trace}(D,D_1,\ldots ,D_m)\) and let \(c\ge 0\). Assume that \(\mathcal {F}_{\textsc {}} {}\) and \(\mathcal {F}_{\textsc {}} {}_i\), for every \(i\in I\), are public output functionalities.
Then, the compiled protocol \(\pi '=\mathsf {Comp}_{\textsc {pt}} ^c(\pi ,D_1,\ldots ,D_m,I)\) UCrealizes \(\mathcal {W}_{\text {slflex}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})\) with perfect security in the \((\mathcal {W} (\mathcal {F}_{\textsc {}} {}_1),\ldots ,\mathcal {W} (\mathcal {F}_{\textsc {}} {}_m))\)hybrid model, where \(\mathcal {W} (\mathcal {F}_{\textsc {}} {}_i)=\mathcal {W}_{\text {slflex}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)\) if \(i\in I\) and \(\mathcal {W} (\mathcal {F}_{\textsc {}} {}_i)=\mathcal {W}_{\text {slstrict}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)\) if \(i\notin I\), in the presence of an adaptive, malicious tadversary, assuming that all honest parties receive their inputs within \(c+1\) consecutive rounds.
The expected round complexity of the compiled protocol \(\pi '\) is
where \(d_i\) is the expected number of calls in \(\pi \) to hybrid \(\mathcal {F}_{\textsc {}} {}_i\), \(T _i\) is a trace sampled from \(D_i\), and \(B_{c} = 3c+1\) is the blowup factor.
4.3 Wrapping Secure Channels
The basis of the topdown, inductive approach taken in this work consists of providing protocols realizing wrapped atomic functionalities, using merely secure channels, i.e., \(\mathcal {F}_{\textsc {smt}} \). Due to the restrictions to SNF protocols, which may only call a single CSF hybrid in any given round, a parallel variant \(\mathcal {F}_{\textsc {psmt}} \) of \(\mathcal {F}_{\textsc {smt}} \) (defined below) is used as an atomic functionality. This ensures that in SNF protocols parties can securely send messages to each other simultaneously.
Parallel SMT. The parallel secure message transmission functionality\(\mathcal {F}_{\textsc {psmt}} \) is a CSF for the following functions \(f_{\tiny {\textsc {psmt}}} \) and \(l_{\tiny {\textsc {psmt}}} \). Each party \(P _i\) has a vector of input values \((x^i_1,\ldots ,x^i_n)\) such that \(x^i_j\) is sent from \(P _i\) to \(P _j\). That is, the function to compute is \(f_{\tiny {\textsc {psmt}}} ((x^1_1,\ldots ,x^1_n),\ldots ,(x^n_1,\ldots ,x^n_n),a) = ((x^1_1,\ldots ,x^n_1),\ldots ,(x^1_n,\ldots ,x^n_n))\). As we consider rushing adversaries, which can determine the messages sent by the corrupted parties after receiving the messages sent by the honest parties, the leakage function should leak the messages that are to be delivered from honest parties to corrupted parties. Therefore, the leakage function is \(l_{\tiny {\textsc {psmt}}} ((x^1_1,\ldots ,x^1_n),\ldots ,(x^n_1,\ldots ,x^n_n))=(y^1_1,y^1_2, \ldots , y^n_{n1}, y^n_n)\), where \(y^i_j=x^i_j\) in case \(P _j\) is honest and \(y^i_j=x^i_j\) in case \(P _j\) is corrupted.
Realizing Wrapped Parallel SMT. The remainder of this section deals with securely realizing \(\mathcal {W}_{\text {slstrict}} ^{D,c}(\mathcal {F}_{\textsc {psmt}})\) in the \(\mathcal {F}_{\textsc {smt}} \)hybrid model, for a particular distribution D and an arbitrary nonnegative integer c. Note that the corresponding protocol \({\pi _{\textsc {psmt}}} \) is not an SNF protocol since it makes \(n^2\) parallel calls to \(\mathcal {F}_{\textsc {smt}} \) in each round; this is of no concern since it directly realizes a wrapped functionality and therefore need not be compiled. There is a straightforward (nonSNF) protocol realizing \(\mathcal {F}_{\textsc {psmt}} \) in the \(\mathcal {F}_{\textsc {smt}} \)hybrid model, and therefore (due to the UC composition theorem) it suffices to describe protocol \({\pi _{\textsc {psmt}}} \) in the \(\mathcal {F}_{\textsc {psmt}} \)hybrid model.
A standard solution to overcome asynchrony by a constant number of rounds \(c \ge 0\), introduced by Lindell et al. [48] and used by Katz and Koo [40], is to expand each communication round to \(2c+1\) rounds. Each party listens for messages throughout all \(2c+1\) rounds and sends its own messages in round \(c+1\). It is straightforward to verify that if the slack is c, i.e., the parties start within \(c+1\) rounds from each other, round rmessages (in the original protocol, without round expansion) are sent, and delivered, before round \((r+1)\)messages and after round \((r1)\)messages.
The solution described above does not immediately apply to our case, due to the nature of canonical synchronous functionalities. Recall that in a CSF the adversary can send an \(\texttt {advinput} \) message (and affect the output) only before any honest party has received an output from the functionality. If only \(2c+1\) rounds are used a subtle problem arises: Assume for simplicity that \(c=1\) and say that \(P _1\) is a fast party and \(P _2\) is a slow party. Initially, \(P _1\) listens for one round. In the second round \(P _2\) listens and \(P _1\) send its messages to all the parties. In the third round \(P _2\) sends its messages and \(P _1\) receives its message, produces output, and completes the round. Now, \(P _2\) listens for an additional round, and the adversary can send it messages on behalf of corrupted parties. In other words, the adversary can choose the value for \(P _2\)’s output after\(P _1\) has received its output—such a phenomena cannot be modeled using CSFs. For this reason we add an additional round where each party is idle; if \(P _1\) waits one more round (without listening) before it produces its output, then \(P _2\) will receive all the messages that determine its output, and so once \(P _1\) produces output and completes, the adversary cannot affect the output of \(P _2\).
As a result, in the protocol presented in Fig. 8, each round is expanded to \(3c+1\) rounds, where during the final c rounds, parties are simply idle and ignore any messages they receive.
Denote by \(D_{\textsc {psmt}} \) the deterministic distribution that outputs a depth1 trace consisting of a root \(\mathcal {W}_{\mathrm {strict}} ^{D_{\textsc {psmt}}}(\mathcal {F}_{\textsc {psmt}})\) and \(3c+1\) leaves \(\mathcal {F}_{\textsc {psmt}} \).
Lemma 4.5
Let \(c\ge 0\) and \(t<n/3\). Protocol \({\pi _{\textsc {psmt}}} \) UCrealizes \(\mathcal {W}_{\text {slstrict}} ^{D_{\textsc {psmt}},c}(\mathcal {F}_{\textsc {psmt}})\) with perfect security in the \(\mathcal {F}_{\textsc {psmt}} \)hybrid model, in the presence of an adaptive, malicious tadversary, assuming that all honest parties receive their inputs within \(c+1\) consecutive rounds.
Proof
For simplicity, denote by \(\mathcal {W} (\mathcal {F}_{\textsc {psmt}})\) the wrapped functionality \(\mathcal {W}_{\text {slstrict}} ^{D_{\textsc {psmt}},c}(\mathcal {F}_{\textsc {psmt}})\). Let \(\mathcal {Z} \) be an environment. We construct the following simulator \(\mathcal {S} \) running with \(\mathcal {W} (\mathcal {F}_{\textsc {psmt}})\) and \(\mathcal {Z} \), simulating the dummy adversary.^{Footnote 25} The main idea is to simulate each of the \(3c+1\) instances of \(\mathcal {F}_{\textsc {psmt}} \) ro \(\mathcal {Z} \). Initially, \(\mathcal {S} \) receives the message \((\texttt {trace},\mathsf {sid},T)\), where \(T \) is a depth1 trace consisting of \(3c+1\) leaves \(\mathcal {F}_{\textsc {psmt}} \). Next, \(\mathcal {S} \) simulates \(3c + 1\) sequential instances of \(\mathcal {F}_{\textsc {psmt}} \), by interacting with \(\mathcal {Z} \) and \(\mathcal {W} (\mathcal {F}_{\textsc {psmt}})\). In the first \(2c+1\) instances of \(\mathcal {F}_{\textsc {psmt}} \), the simulator \(\mathcal {S} \) proceeds as follows for every instance of \(\mathcal {F}_{\textsc {psmt}} \):

In the first (“input”) round of this \(\mathcal {F}_{\textsc {psmt}} \) instance, upon receiving an input message \((\texttt {input},\mathsf {sid},x_i)\) from \(\mathcal {Z} \), where \(x_i\ne \bot \) is a vector of messages to be sent by a corrupted \(P _i\), the simulator \(\mathcal {S} \) forwards the message to \(\mathcal {W} (\mathcal {F}_{\textsc {psmt}})\).

If \(\mathcal {S} \) receives a leakage message \((\texttt {leakage},\mathsf {sid},P _i,l_i)\) from \(\mathcal {W} (\mathcal {F}_{\textsc {psmt}})\), where \(l_i\) is a lengthn vector, consisting of the messages sent by some honest party \(P _i\) to each corrupted party (and the length of messages \(P _i\) sends to honest parties), \(\mathcal {S} \) forwards the message to \(\mathcal {Z} \). If no leakage message arrived during this round, \(\mathcal {S} \) sends the message \((\texttt {leakage},\mathsf {sid},P _i,\bot )\) to \(\mathcal {Z} \), on behalf of every party.

In the second (“output”) round of this \(\mathcal {F}_{\textsc {psmt}} \) instance, \(\mathcal {S} \) sends \((\texttt {output},\mathsf {sid},y_i)\) to \(\mathcal {Z} \) for every corrupted \(P _i\), where \(y_i\) is a vector consisting of the messages sent to \(P _i\) in the “input” round (if some party did not send a message to \(P _i\) the value \(\lambda \) is used).
In the last c instances of \(\mathcal {F}_{\textsc {psmt}} \), the simulator \(\mathcal {S} \) does not forward the input messages from \(\mathcal {Z} \) to \(\mathcal {W} (\mathcal {F}_{\textsc {psmt}})\), and outputs \((\texttt {output},\mathsf {sid},\lambda )\) for every corrupted party.
Since the view of every party in the protocol \({\pi _{\textsc {psmt}}} \) is simply the messages sent and received to fpsmt, and no random coins are used, upon a corruption request of a party \(P _i\), the simulator simply hands the internal state of \(P _i\) to \(\mathcal {Z} \), and resumes the simulation as above.
By inspection, it can be seen that the view of \(\mathcal {Z} \) is identically distributed when interacting with \(\mathcal {S} \) in an ideal computation of \(\mathcal {W} (\mathcal {F}_{\textsc {psmt}})\), or when interacting with the dummy adversary in an execution of \({\pi _{\textsc {psmt}}} \). \(\square \)
The corollary follows since \(\mathcal {F}_{\textsc {psmt}} \) can be realized in the \(\mathcal {F}_{\textsc {smt}} \)hybrid model in a straightforward way, by calling \(\mathcal {F}_{\textsc {smt}} \) in parallel \(n^2\) times.
Corollary 4.6
Let \(c\ge 0\) and \(t<n/3\). The functionality \(\mathcal {W}_{\text {slstrict}} ^{D_{\textsc {psmt}},c}(\mathcal {F}_{\textsc {psmt}})\) can be UCrealized with perfect security in the \(\mathcal {F}_{\textsc {smt}} \)hybrid model, in the presence of an adaptive, malicious tadversary, assuming that all honest parties receive their inputs within \(c+1\) consecutive rounds.
5 Applications of Our Fast Composition Theorem
In this section, we demonstrate the power of our framework by providing some concrete applications. All of the protocols we present in this section enjoy perfect security facing adaptive adversaries corrupting less than a third of the parties. We start in Sect. 5.1 by presenting expected constant round protocols for Byzantine agreement. Next, in Sect. 5.2 we present an expected constant round protocol for parallel broadcast. Finally, in Sect. 5.3 we present a secure function evaluation protocol whose round complexity is O(d) in expectation, where d is the depth of the circuit representing the function.
5.1 Fast and Perfectly Secure Byzantine Agreement
We start by describing the binary and multivalued randomized Byzantine agreement protocols (the definition of \(\mathcal {F}_{\textsc {ba}} \) appears in Sect. 3.1). These protocols are based on techniques due to Feldman and Micali [28] (which are in turn based on BenOr [4] and Rabin [53]) and Turpin and Coan [55], with modifications to work in the UC framework. We provide simulationbased proofs for these protocols.
A Binary Byzantine Agreement Protocol. We now describe a UC protocol for randomized binary Byzantine agreement, which is based on the protocol of Feldman and Micali [28]. For simplicity, we work in a hybrid model, where parties have access to the oblivious common coin functionality; we first present this functionality as a canonical synchronous functionality.
Oblivious Common Coin. In the oblivious common coin ideal functionality (introduced in [28]) every honest party \(P _i\) outputs a bit \(y_i\in \{0,1\}\) such that the following holds: With probability \(p>0\) all honest parties will agree on a uniformly distributed bit, and with probability \(1p\) the output for each honest party is determined by the adversary. The meaning of obliviousness here is that the parties are unaware of whether agreement on the coin is achieved or not.
In more detail, each honest party \(P _i\) sends an empty string \(x_i=\lambda \) as input, and the leakage function is \(l_{\tiny {\textsc {oc}}} (x_1,\ldots ,x_n)=\bot \). The function to compute, \(f_{\tiny {\textsc {oc}}} (x_1,\ldots ,x_n,a)=(y_1,\ldots ,y_n)\), is parametrized by an efficiently sampleable distribution D over \(\{0,1\}\) that outputs 1 with probability p and 0 with probability \(1p\), and works as follows:

Initially, sample a “fairness bit” \(b \leftarrow D\).

If \(b=1\) or if \(a=\bot \) (i.e., if the adversary did not send an \(\texttt {advinput} \) message) sample a uniformly distributed bit \(y\leftarrow \{0,1\}\) and set \(y_i \leftarrow y\) for every \(i\in [n]\).

If \(b=0\) and \(a\ne \bot \), parse the adversarial input a as a vector of n values \((a_1,\ldots , a_n)\), and set \(y_i \leftarrow a_i\) for every \(i\in [n]\).
We denote by \(\mathcal {F}_{\textsc {oc}} \) the CSF functionality parametrized with the above functions \(f_{\tiny {\textsc {oc}}} \) and \(l_{\tiny {\textsc {oc}}} \). Feldman and Micali [28, Thm. 3] showed a constant round oblivious common coin protocol for \(p=0.35\). Denote by \(D_{\textsc {oc}} \) the deterministic distribution that outputs a depth1 trace consisting of a root \(\mathcal {W}_{\mathrm {strict}} ^{D_{\textsc {oc}}}(\mathcal {F}_{\textsc {oc}})\) and 32 leaves \(\mathcal {F}_{\textsc {psmt}} \).
Theorem 5.1
([28]). Let \(t<n/3\), then, assuming all honest parties receive their inputs at the same round, \(\mathcal {W}_{\mathrm {strict}} ^{D_{\textsc {oc}}}(\mathcal {F}_{\textsc {oc}})\) can be UCrealized in the \(\mathcal {F}_{\textsc {psmt}} \)hybrid model, with perfect security, in the presence of an adaptive malicious tadversary.
Overview of the Protocol. The binary BA functionality, realized by the protocol, is the wrapped functionality \(\mathcal {W}_{\mathrm {flex}} ^{D_{\textsc {rba}}}(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\) (the distribution \(D_{\textsc {rba}} \) is formally defined in Lemma 5.2), denoted \(\mathcal {F}_{\textsc {rba}} \) for short. The protocol \({\pi _{\textsc {rba}}} \), described in Fig. 9, is based on the protocol from [28] modified using the “bestofbothworlds” technique due to Goldreich and Petrank [34]. Recall that following Sect. 4, it is sufficient to describe the protocol using CSFs as hybrids rather than wrapped CSFs (even though such a description might be overly ideal, and cannot be instantiated in the real world), and the same level of security is automatically achieved in a compiled protocol (that can be instantiated) where the underlying CSFs are properly wrapped. Therefore, the protocol is defined in the \((\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {oc}},\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\)hybrid model.
At first sight, it may seem odd that the binary Byzantine agreement functionality \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\) is used in order to implement the randomized binary Byzantine agreement functionality \(\mathcal {F}_{\textsc {rba}} \). However, the functionality \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\) will only be invoked in the event (which occurs with a negligible probability) that the protocol does not terminate within a polylog number of rounds. Once the protocol is compiled, the CSF functionality \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\) will be wrapped using a strict wrapper, such that the wrapped functionality \(\mathcal {W}_{\mathrm {strict}} (\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\) can be instantiated using any linear round deterministic Byzantine agreement protocol (e.g., the protocol in [37]).
At a high level, protocol \({\pi _{\textsc {rba}}} \) proceeds as follows. Initially, each party sends its input to all other parties over a pointtopint channel using \(\mathcal {F}_{\textsc {psmt}} \), and sets its vote to be its input bit. Next, the parties proceed in phases, where each phase consists of invoking the functionality \(\mathcal {F}_{\textsc {oc}} \) followed by a voting process consisting of three rounds of sending messages via \(\mathcal {F}_{\textsc {psmt}} \). The voting ensures that (1) if all honest parties agree on their votes at the beginning of the phase, they will terminate at the end of the phase, (2) in each phase, all honest parties will agree on their votes at the end of each phase with probability at least p, and (3) if an honest party terminates in some phase then all honest parties will terminate with the same value by the end of the next phase. In the negligible event that the parties do not terminate after \(\tau =\log ^{1.5}(\kappa )+1\) phases (where \(\kappa \) denotes the security parameter), the parties use the Byzantine agreement functionality \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\) in order to ensure termination. To avoid confusion in \({\pi _{\textsc {rba}}} \) between the different calls to \(\mathcal {F}_{\textsc {oc}} \), the \(\alpha \)’th invocation will use the session identifier \(\mathsf {sid} _\alpha =\mathsf {sid} \circ \alpha \), obtained by concatenating \(\alpha \) to \(\mathsf {sid} \).
Denote by \(D_{\textsc {rba}} \) the distribution that outputs a depth1 trace, where the root is \(\mathcal {W}_{\mathrm {flex}} ^{D_{\textsc {rba}}}(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\), and the leaves are set as follows: Initially sample an integer r from the geometric distribution with parameter \(p=0.35\) and support \(\{1\ldots , \tau +1\}\) (representing the phase where \(\mathcal {F}_{\textsc {oc}} \) samples a fairness bit 1, plus the option that \(\mathcal {F}_{\textsc {oc}} \) samples 0 in all \(\tau \) phases). The first leaf in the trace is \(\mathcal {F}_{\textsc {psmt}} \), followed by \(\min (r,\tau )\) sequences of \((\mathcal {F}_{\textsc {oc}},\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {psmt}})\). Finally, if \(r\ge \tau \) add the leaf \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\) to the trace. In “Appendix D.1” we prove the following lemma.
Lemma 5.2
Let \(t<n/3\), then, assuming all honest parties receive their inputs at the same round, protocol \({\pi _{\textsc {rba}}} \) UCrealizes \(\mathcal {F}_{\textsc {rba}} =\mathcal {W}_{\mathrm {flex}} ^{D_{\textsc {rba}}}(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\), in the \((\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {oc}}, \mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\)hybrid model, with perfect security, in the presence of an adaptive malicious tadversary.
We now use Theorem 4.3 to derive the main result of this section.
Theorem 5.3
Let \(c\ge 0\) and \(t<n/3\). There exists an efficiently sampleable distribution D such that the functionality \(\mathcal {W}_{\text {slflex}} ^{D,c}(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\) has an expected constant round complexity and can be UCrealized in the \(\mathcal {F}_{\textsc {smt}} \)hybrid model, with perfect security, in the presence of an adaptive malicious tadversary, assuming that all honest parties receive their inputs within \(c+1\) consecutive rounds.
Proof
(sketch). Denote by \(D_{\textsc {ba}} \) the deterministic distribution that outputs a depth1 trace consisting of a root \(\mathcal {W}_{\mathrm {strict}} ^{D_{\textsc {ba}}}(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\) and \(t+1\) leaves \(\mathcal {F}_{\textsc {psmt}} \). Let \(D^{\mathsf {full}}_{\textsc {rba}} =\mathsf {full}\text {}\mathsf {trace}(D_{\textsc {rba}},D_{\textsc {oc}},D_{\textsc {psmt}},D_{\textsc {ba}})\).
For simplicity, denote \(\mathcal {F}_{\textsc {ba}} ^{\textsc {pt}}=\mathcal {W}_{\text {slflex}} ^{D^{\mathsf {full}}_{\textsc {rba}},c}(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\), \(\mathcal {F}_{\textsc {psmt}} ^{\textsc {dt}}=\mathcal {W}_{\text {slstrict}} ^{D_{\textsc {psmt}},c}(\mathcal {F}_{\textsc {psmt}})\), \(\mathcal {F}_{\textsc {oc}} ^{\textsc {dt}}=\mathcal {W}_{\text {slstrict}} ^{D_{\textsc {oc}},c}(\mathcal {F}_{\textsc {oc}})\) and \(\mathcal {F}_{\textsc {ba}} ^{\textsc {dt}}=\mathcal {W}_{\text {slstrict}} ^{D_{\textsc {ba}},c}(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\). In addition, denote \(D_1=D_{\textsc {psmt}} \), \(D_2=D_{\textsc {oc}} \), \(D_3=D_{\textsc {ba}} \) and \(I=\emptyset \).
From Lemma 5.2, \({\pi _{\textsc {rba}}} \) UCrealizes \(\mathcal {W}_{\mathrm {flex}} ^{D_{\textsc {rba}}}(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\), in the \((\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {oc}}, \mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\)hybrid model, in an expected constant number of rounds, assuming all parties receive their inputs at the same round. Following Theorem 4.3, the compiled protocol \(\mathsf {Comp}_{\textsc {ptr}} ^c({\pi _{\textsc {rba}}},D_1,D_2,D_3,I)\) UCrealizes \(\mathcal {F}_{\textsc {ba}} ^{\textsc {pt}}\), in the \((\mathcal {F}_{\textsc {psmt}} ^{\textsc {dt}},\mathcal {F}_{\textsc {oc}} ^{\textsc {dt}}, \mathcal {F}_{\textsc {ba}} ^{\textsc {dt}})\)hybrid model, in an expected constant number of rounds, assuming all parties receive their inputs within \(c+1\) consecutive rounds.
The proof follows since each of the functionalities \((\mathcal {F}_{\textsc {psmt}} ^{\textsc {dt}},\mathcal {F}_{\textsc {oc}} ^{\textsc {dt}}, \mathcal {F}_{\textsc {ba}} ^{\textsc {dt}})\) can be UCrealized in the \(\mathcal {F}_{\textsc {smt}} \)hybrid model. This follows from Lemma 4.5, Theorem 5.1, and the protocol from [37]. \(\square \)
Multivalued Byzantine Agreement Protocol. In “Appendix D.1” we present an analogue of the multivalued Byzantine agreement protocol due to Turpin and Coan [55] for the UC framework and prove the following.
Theorem 5.4
Let \(c\ge 0\), \(t<n/3\) and \(V\subseteq \{0,1\}^*\). There exists an efficiently sampleable distribution D such that the functionality \(\mathcal {W}_{\text {slflex}} ^{D,c}(\mathcal {F}_{\textsc {ba}} ^V)\) has an expected constant round complexity and can be UCrealized in the \(\mathcal {F}_{\textsc {smt}} \)hybrid model, with perfect security, in the presence of an adaptive malicious tadversary, assuming that all honest parties receive their inputs within \(c+1\) consecutive rounds.
5.2 Fast and Perfectly Secure Parallel Broadcast
As discussed in Sect. 1 (and “Appendix A”), composing protocols with probabilistic termination naïvely does not retain expected round complexity. BenOr and ElYaniv [5] constructed an elegant protocol for probabilistic termination parallel broadcast^{Footnote 26} with a constant round complexity in expectation, albeit under a propertybased security definition. In this section, we adapt the [5] protocol to the UC framework and show that it does not realize the parallel broadcast functionality, but rather a weaker variant which we call unfair parallel broadcast. Next, we show how to use unfair parallel broadcast in order to compute (fair) parallel broadcast in constant excepted number of rounds.
In a standard broadcast functionality (cf. Sect. 3.1), the sender provides a message to the functionality which delivers it to the parties. Hirt and Zikas [37] defined the unfair version of the broadcast functionality, in which the functionality informs the adversary which message it received, and allows the adversary, based on this information, to corrupt the sender and replace the message. Following the spirit of [37], we now define the unfair parallel broadcast functionality, using the language of CSF.

Unfair Parallel Broadcast. In the unfair parallel broadcast functionality, each party \(P _i\) with input \(x_i\) distributes its input to all the parties. The adversary is allowed to learn the content of each input value from the leakage function (and so it can corrupt parties and change their messages prior to their distribution, based on this information). The function to compute is \(f_{\tiny {\textsc {upbc}}} (x_1,\ldots ,x_n,a)=((x_1,\ldots ,x_n),\ldots ,(x_1,\ldots ,x_n))\), and the leakage function is \(l_{\tiny {\textsc {upbc}}} (x_1,\ldots ,x_n)=(x_1,\ldots ,x_n)\). We denote by \(\mathcal {F}_{\textsc {upbc}} \) the functionality \(\mathcal {F}_{\textsc {csf}} \) when parametrized with the above functions \(f_{\tiny {\textsc {upbc}}} \) and \(l_{\tiny {\textsc {upbc}}} \).
In “Appendix D.2.1”, we present an adaptation of the [5] protocol, show that it perfectly UCrealizes (a wrapped version of) \(\mathcal {F}_{\textsc {upbc}} \) (see Fig. 12), and prove the following result.
Theorem 5.5
Let \(c\ge 0\) and \(t<n/3\). There exists an efficiently sampleable distribution D such that the functionality \(\mathcal {W}_{\text {slflex}} ^{D,c}(\mathcal {F}_{\textsc {upbc}})\) has an expected constant round complexity and can be UCrealized in the \(\mathcal {F}_{\textsc {smt}} \)hybrid model, with perfect security, in the presence of an adaptive malicious tadversary, assuming that all honest parties receive their inputs within \(c+1\) consecutive rounds.
We now turn to define the (fair) parallel broadcast functionality.

Parallel Broadcast. In the parallel broadcast functionality, each party \(P _i\) with input \(x_i\) distributes its input to all the parties. Unlike the unfair version, the adversary only learns the length of the honest parties’ messages before their distribution, i.e., the leakage function is \(l_{\tiny {\textsc {pbc}}} (x_1,\ldots ,x_n)=(\left x_1\right ,\ldots ,\left x_n\right )\). It follows that the adversary cannot use the leaked information in a meaningful way when deciding which parties to corrupt. The function to compute is identical to the unfair version, i.e., \(f_{\tiny {\textsc {pbc}}} (x_1,\ldots ,x_n,a)=((x_1,\ldots ,x_n),\ldots ,(x_1,\ldots ,x_n))\). We denote by \(\mathcal {F}_{\textsc {pbc}} \) the functionality \(\mathcal {F}_{\textsc {csf}} \) when parametrized with the above functions \(f_{\tiny {\textsc {pbc}}} \) and \(l_{\tiny {\textsc {pbc}}} \).
Unfortunately, the unfair parallel broadcast protocol \({\pi _{\textsc {upbc}}} \) (cf. Fig. 12) fails to realize (a wrapped version of) the standard parallel broadcast functionality \(\mathcal {F}_{\textsc {pbc}} \). The reason is similar to the argument presented in [37]: In the first round of the protocol, each party distributes its input, and since we consider a rushing adversary, the adversary learns the messages before the honest parties do. It follows that the adversary can corrupt a party before the honest parties receive the message and replace the message to be delivered. This attack cannot be simulated in the ideal world where the parties interact with \(\mathcal {F}_{\textsc {pbc}} \), since by the time the simulator learns the broadcast message in the ideal world, the functionality does not allow to change it.
Although protocol \({\pi _{\textsc {upbc}}} \) does not realize \(\mathcal {F}_{\textsc {pbc}} \), it can be used in order to construct a protocol that does. Each party commits to its input value before any party learns any new information, as follows. Each party, in parallel, first secret shares its input using a \((t+1)\)outofn secret sharing protocol.^{Footnote 27} In the second step, every party, in parallel, broadcast a vector with all the shares he received, by the use of the above unfair parallel broadcast functionality \(\mathcal {F}_{\textsc {upbc}} \), and each share is reconstructed based on the announced values. The reason this modification achieves fair broadcast is the following: If a sender \(P _i\) is not corrupted until he distributes his shares, then a tadversary has no way of modifying the reconstructed output of \(P _i\)’s input, since he can at most affect \(t<n/3\) shares, which can be selfcorrected by the reconstruction algorithm (e.g., using Shamir’s scheme). Thus, the only way the adversary can affect any of the broadcast messages is by corrupting the sender independently of his input, an attack which is easily simulated. In case a malicious sender generates shares that do not correspond to a degree t polynomial, all honest parties identify the misbehavior (since all shares are publicly transmitted over the unfair broadcast channel) and agree on a default value for the sender, e.g., zero. We describe this protocol, denoted \({\pi _{\textsc {pbc}}} \), in Fig. 10.
Theorem 5.6
Let \(c\ge 0\) and \(t < n/3\). There exists an efficiently sampleable distribution D such that the functionality \(\mathcal {W}_{\text {slflex}} ^{D,c}(\mathcal {F}_{\textsc {pbc}})\) has an expected constant round complexity and can be UCrealized in the \(\mathcal {F}_{\textsc {smt}} \)hybrid model, with perfect security, in the presence of an adaptive malicious tadversary, assuming that all honest parties receive their inputs within \(c+1\) consecutive rounds.
Proof
(sketch). The simulator uses the adversary attacking \({\pi _{\textsc {pbc}}} \) in a blackbox straightline manner. To simulate the first (secret sharing) round, for honest senders the simulator simply hands the adversary random shares for all corrupted parties and for corrupted senders he follows the adversary’s instructions. If during this step the adversary asks to corrupt new senders, the simulator learns their outputs and can easily complete the sharing to match this output. At the end of this phase, the simulator interacts with its hybrid until it produces output. Once this is the case, he uses this output to continue the simulation with its adversary. Clearly, for any sender \(P _i\) who is not corrupted until he distributes his shares, then a tadversary has no way of modifying the reconstructed output of \(P _i\)’s input, since he can at most affect \(t<n/3\) shares (and Shamir’s scheme can correct up to n / 3 erroneous shares). Thus, the only way the adversary can affect any of the broadcasted message is by corrupting the sender independently of his input, an attack which is easily simulated. The fact that the running time is constant (expected) follows trivially from the fact that \({\pi _{\textsc {pbc}}} \) executes only one round (namely the sharing round) more than the unfair protocol which is expected constant round (cf. Theorem 5.5). \(\square \)
5.3 Fast and Perfectly Secure SFE
We conclude this section by showing how to construct a perfectly UCsecure SFE protocol which computes a given circuit in expected O(d) rounds, independently of the number of parties, in the pointtopoint channels model. The protocol is obtained by taking the protocol from [6],^{Footnote 28} denoted \(\pi _{\textsc {bgw}}\). This protocol relies on (parallel) broadcast and (parallel) pointtopoint channels, and therefore it can be described in the \((\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {pbc}})\)hybrid model. It follows from Theorem 4.4, that the compiled protocol \(\mathsf {Comp}_{\textsc {pt}} ^c(\pi _{\textsc {bgw}},D_1,D_2,I)\), for \(D_1=D_{\textsc {psmt}} \), \(D_2=D^{\mathsf {full}}_{\textsc {pbc}} \) and \(I=\{2\}\), UCrealizes the corresponding wrapped functionality \(\mathcal {W}_{\text {slflex}} ^{D,c}(\mathcal {F}_{\textsc {sfe}} )\) (for an appropriate distribution D), in the \((\mathcal {W}_{\text {slstrict}} ^{D_{\textsc {psmt}},c}(\mathcal {F}_{\textsc {psmt}}),\mathcal {W}_{\text {slflex}} ^{D^{\mathsf {full}}_{\textsc {pbc}},c}(\mathcal {F}_{\textsc {pbc}}))\)hybrid model, resulting in the following.
Theorem 5.7
Let f be an nparty function, C an arithmetic circuit with multiplicative depth d computing f, \(c\ge 0\) and \(t < n/3\). Then there exists an efficiently sampleable distribution D such that the functionality \(\mathcal {W}_{\text {slflex}} ^{D,c}(\mathcal {F}_{\textsc {sfe}} ^f)\) has round complexity O(d) in expectation and can be UCrealized in the \(\mathcal {F}_{\textsc {smt}} \)hybrid model, with perfect security, in the presence of an adaptive malicious tadversary, assuming that all honest parties receive their inputs within \(c+1\) consecutive rounds.
Notes
More precisely, in the number of corruptions a protocol can tolerate, which is a constant fraction of n.
Throughout this work we will consider protocols in which all parties receive their output. If one relaxes this requirement (i.e., allows that some parties may not receive their outputs and give up on fairness), then the techniques of Goldwasser and Lindell [35] allow for replacing broadcast with a constant round multicast primitive. In fact, we note that even security with identifiable abort [38] cannot be achieved in general without the ability to compute broadcast [19, 20].
We remark that even though those protocols are for the computational setting, the lower bound on broadcast round complexity also applies.
Note that this includes even FHEbased protocols, as they also assume a broadcast channel and their security fails if multicast over pointtopoint channels is used instead.
Essentially, the value of the coin can be adopted by the honest parties in case disagreement at any given round is detected, a process that is repeated multiple times.
Throughout this paper we use running time and round complexity interchangeably.
It should be noted, however, that in many of these protocols there is a known (constant) “slack” of c rounds, such that if a party terminates in round r, then it can be sure that every honest party will have terminated by round \(r+c\).
As we discuss below, the protocol of Katz and Koo has an additional issue with adaptive security in the rushing adversary model, as defined in the UC framework, similar to the issue exploited in [37].
BA is a deterministic output primitive and it should be clear that the term “randomized" can only refer to the actual number of rounds; however, to avoid confusion we will abstain from using this term for functionalities other than BA whose output might also be probabilistic.
All entities in UC, and in particular ideal functionalities, are strict interactive PPT Turing machines, and the UC composition theorem is proved for such PPT ITMs.
Note that even a single round of broadcast is enough to create the issues with parallel composition and nonsimultaneous termination discussed above.
In contrast, a static adversary chooses the set of corrupted parties at the onset of the computation.
Following the simplifying approach of [43], we assume that communication channels are single use; thus, each message transmission uses an independent instance of the channel (cf. “Appendix B”).
In fact, for simplicity we assume that they deliver output on the first “fetch”.
Looking ahead, this adversarial influence will allow us to describe BAlike functionalities as simple and intuitive CSFs.
This is, in fact, also the case for the standard UC SFE functionality.
In particular, this means that most CSFs are not realizable, since they always guarantee output after two rounds.
In this work, atomic functionalities are always parallel SMT CSFs \(\mathcal {F}_{\textsc {psmt}} \), defined in Sect. 4.3.
Note that the root node of the trace sampled from \(D_{\mathcal {F}_{\textsc {}}}\) is merely labeled by \(\mathcal {W}_{\mathrm {flex}} ^{D_{\mathcal {F}_{\textsc {}}}}(\mathcal {F}_{\textsc {}} ')\), i.e., this is not a circular definition.
We note that the insufficiency of the blowup factor \(2c+1\) rounds does not correspond to any particular attack, but it is merely a technicality of the wrapped CSF definition, see Sect. 4.3.
Of course, the root of the trace \(T \) sampled from D is a flexibly wrapped functionality \(\mathcal {W}_{\mathrm {flex}} ^{D} (\mathcal {F}_{\textsc {}})\) in the probabilistic termination case.
Recall that proving security with respect to the dummy adversary is sufficient (cf. [10, Claim 10]).
In [5] the problem is referred to as “interactive consistency.”
In [37] verifiable secret sharing (VSS) is used; however, as we argue, this is not necessary.
As argued in [43], boundeddelay channels are essential as they allow parties to detect whether or not a message was sent within a round.
In fact, in Sect. 3 we introduce a more liberal variant of the UC SFE functionality that we call canonical synchronous functionality (in short, CSF) that allows us to abstract several (even more complicated) tasks such as Byzantine agreement.
In the simple case where the parties only use pointtopoint channels, \(\mu =2(n1)\), since each party uses \(n1\) channels as sender and \(n1\) as receiver to exchange his messages for each round with all other n parties.
The wrappers presented in this work generalize the notion of guaranteed termination to capture randomized number of rounds. Concretely, one can view the functionality for SFE with guarantee termination from [43] as a wrapped version of the standard SFE functionality with our wrapper with a deterministic round distribution.
To make sure that the simulator can keep track of the round index, \(\mathcal {F}_{\textsc {}}\) notifies \(\mathcal {S}\) about each received input, unless it has reached its delivery state defined below.
Recall that proving security with respect to the dummy adversary is sufficient (cf. [10, Claim 10]).
Recall that the children at each node in a trace are ordered.
\(\mathcal {S} \) can be advanced by suitably sending it \((\texttt {fetchoutput},\mathsf {sid},\cdot )\) messages.
The execution \(\mathcal {Z} \) interacts with can be advanced by suitably sending \((\texttt {fetchoutput},\mathsf {sid},\cdot )\) messages to the parties.
Recall that proving security with respect to the dummy adversary is sufficient [10, Claim 10].
\(\mathcal {S} \) can be advanced by suitably sending it \((\texttt {fetchoutput},\mathsf {sid},\cdot )\) messages.
\(\mathcal {S} \) can be advanced by suitably sending it \((\texttt {fetchoutput},\mathsf {sid},\cdot )\) messages.
The execution \(\mathcal {Z} \) interacts with can be advanced by suitably sending \((\texttt {fetchoutput},\mathsf {sid})\) messages to the parties.
The execution \(\mathcal {Z} \) interacts with can be advanced by suitably sending \((\texttt {fetchoutput},\mathsf {sid})\) messages to the parties.
Note that although the hybrids are CSFs, and all honest parties terminate at the same round, the protocol has probabilistic termination.
References
G. Asharov, A. Jain, A. LópezAlt, E. Tromer, V. Vaikuntanathan, D. Wichs, Multiparty computation with low communication, computation and interaction via threshold FHE, in David Pointcheval and Thomas Johansson, editors, EUROCRYPT 2012. LNCS, vol. 7237 (Springer, April, 2012), pp. 483–501
G. Asharov, Y. Lindell, A full proof of the BGW protocol for perfectlysecure multiparty computation. Electronic Colloquium on Computational Complexity (ECCC), 18:36, (2011)
D. Beaver, S. Micali, P. Rogaway, The round complexity of secure protocols (extended abstract), in 22nd ACM STOC. (ACM Press, May 1990), pp. 503–513
M. BenOr, Another advantage of free choice: Completely asynchronous agreement protocols (extended abstract), in Robert L. Probert, Nancy A. Lynch, and Nicola Santoro, editors, 2nd ACM PODC. (ACM Press, August 1983), pp. 27–30
M. BenOr, R. ElYaniv, Resilientoptimal interactive consistency in constant time. Distributed Computing, 16(4):249–262, (2003)
M. BenOr, S. Goldwasser, A. Wigderson, Completeness theorems for noncryptographic faulttolerant distributed computation (extended abstract), in 20th ACM STOC. (ACM Press, May 1988), pp. 1–10
G. Bracha, An asynchronous [(n1)/3]resilient consensus protocol, in Robert L. Probert, Nancy A. Lynch, and Nicola Santoro, editors, 3rd ACM PODC. (ACM Press, August 1984), pp. 154–162
C. Cachin, K. Kursawe, F. Petzold, V. Shoup, Secure and efficient asynchronous broadcast protocols, in Joe Kilian, editor, CRYPTO 2001. LNCS, vol. 2139 (Springer, August 2001), pp. 524–541
R. Canetti, Security and composition of multiparty cryptographic protocols. Journal of Cryptology, 13(1):143–202, (2000)
R. Canetti, Universally composable security: A new paradigm for cryptographic protocols, in 42nd FOCS. (IEEE Computer Society Press, October 2001), pp. 136–145
R. Canetti, Universally composable signature, certification, and authentication, in 17th IEEE Computer Security Foundations Workshop, (CSFW17). (2004), pp. 219–235
R. Canetti, A. Cohen, Y. Lindell, A simpler variant of universally composable security for standard multiparty computation, in Rosario Gennaro and Matthew Robshaw, editors, CRYPTO 2015, Part II. LNCS, vol. 9216 (Springer, August 2015), pp. 3–22
R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable twoparty and multiparty secure computation, in 34th ACM STOC, (ACM Press, May 2002), pp. 494–503
R. Canetti, T. Rabin, Universal composition with joint state, in Dan Boneh, editor, CRYPTO 2003. LNCS, vol. 2729 (Springer, August 2003), pp. 265–281
D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols (extended abstract), in 20th ACM STOC, (ACM Press, May 1988), pp. 11–19
S.G. Choi, J. Katz, A.J. Malozemoff, V. Zikas, Efficient threeparty computation from cutandchoose, in Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part II. LNCS, vol. 8617 (Springer, August 2014), pp. 513–530
R. Cohen, S. Coretti, J.A. Garay, V. Zikas, Probabilistic termination and composability of cryptographic protocols, in Matthew Robshaw and Jonathan Katz, editors, CRYPTO 2016, Part III. LNCS, vol. 9816 (Springer, August 2016), pp. 240–269
R. Cohen, S. Coretti, J.A. Garay, V. Zikas, Roundpreserving parallel composition of probabilistictermination cryptographic protocols, in ICALP 2017. LIPIcs, vol. 80 (July 2017), pp. 37:1–37:15
R. Cohen, I. Haitner, E. Omri, L. Rotem, Characterization of secure multiparty computation without broadcast, in Eyal Kushilevitz and Tal Malkin, editors, TCC 2016A, Part I. LNCS, vol. 9562 (Springer, January 2016), pp. 596–616
R. Cohen, Y. Lindell, Fairness versus guaranteed output delivery in secure multiparty computation, in ASIACRYPT 2014, Part II. LNCS, vol. 8874 (Springer, December 2014), pp. 466–485
I. Damgård, Y. Ishai, Constantround multiparty computation using a blackbox pseudorandom generator, in Victor Shoup, editor, CRYPTO 2005, LNCS, vol. 3621 (Springer, August 2005), pp. 378–394
I. Damgård, M. Keller, E. Larraia, V. Pastro, P. Scholl, N.P. Smart, Practical covertly secure MPC for dishonest majority  or: Breaking the SPDZ limits, in Jason Crampton, Sushil Jajodia, and Keith Mayes, editors, ESORICS 2013. LNCS, vol. 8134 (Springer, September 2013), pp. 1–18
I. Damgård, J.B. Nielsen, Adaptive versus static security in the UC model, in ProvSec 2014, (2014), pp. 10–28
I. Damgård, V. Pastro, N.P. Smart, S. Zakarias, Multiparty computation from somewhat homomorphic encryption, in Reihaneh SafaviNaini and Ran Canetti, editors, CRYPTO 2012. LNCS, vol. 7417 (Springer, August 2012), pp. 643–662
D. Dolev, R. Reischuk, H.R. Strong, Early stopping in byzantine agreement. J. ACM, 37(4):720–741, (1990)
D. Dolev, H. Raymond Strong, Authenticated algorithms for byzantine agreement. SIAM Journal on Computing, 12(4):656–666, (1983)
B. Eisenberg, On the expectation of the maximum of IID geometric random variables. Statistics & Probability Letters, 78(2):135–143, (2008)
P. Feldman, S. Micali, An optimal probabilistic protocol for synchronous byzantine agreement. SIAM Journal on Computing, 26(4):873–933, (1997)
M.J. Fischer, N.A. Lynch, A lower bound for the time to assure interactive consistency. Information Processing Letters, 14(4):183–186, (1982)
M. Fitzi, J.A. Garay, Efficient playeroptimal protocols for strong and differential consensus, in Elizabeth Borowsky and Sergio Rajsbaum, editors, 22nd ACM PODC, (ACM Press, July 2003), pp. 211–220
S. Garg, C. Gentry, S. Halevi, M. Raykova, Tworound secure MPC from indistinguishability obfuscation, in Yehuda Lindell, editor, TCC 2014. LNCS, vol. 8349 (Springer, February 2014), pp. 74–94
O. Goldreich, S. Micali, A. Wigderson, Proofs that yield nothing but their validity and a methodology of cryptographic protocol design (extended abstract), in 27th FOCS. (IEEE Computer Society Press, October 1986), pp. 174–187
O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or A completeness theorem for protocols with honest majority, in Alfred Aho, editor, 19th ACM STOC. (ACM Press, May 1987), pp. 218–229
O. Goldreich, E. Petrank, The best of both worlds: Guaranteeing termination in fast randomized byzantine agreement protocols. Information Processing Letters, 36(1):45–49, (1990)
S. Goldwasser, Y. Lindell, Secure multiparty computation without agreement. Journal of Cryptology, 18(3):247–287, (2005)
S.D. Gordon, F.H. Liu, E. Shi, Constantround MPC with fairness and guarantee of output delivery, in Rosario Gennaro and Matthew Robshaw, editors, CRYPTO 2015, Part II. LNCS, vol. 9216 (Springer, August 2015), pp. 63–82
M. Hirt, V. Zikas, Adaptively secure broadcast, in Henri Gilbert, editor, EUROCRYPT 2010. LNCS, vol. 6110 (Springer, May 2010), pp. 466–485
Y. Ishai, R. Ostrovsky, V. Zikas, Secure multiparty computation with identifiable abort, in Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part II. LNCS, vol. 8617 (Springer, August 2014), pp. 369–386
Y. Ishai, M. Prabhakaran, A. Sahai, Founding cryptography on oblivious transfer  efficiently, in David Wagner, editor, CRYPTO 2008. LNCS, vol. 5157 (Springer, August 2008), pp. 572–591
J. Katz, C.Y. Koo, On expected constantround protocols for byzantine agreement, in Cynthia Dwork, editor, CRYPTO 2006. LNCS, vol. 4117 (Springer, August 2006), pp. 445–462
J. Katz, C.Y. Koo, Roundefficient secure computation in pointtopoint networks, in Moni Naor, editor, EUROCRYPT 2007. LNCS, vol. 4515. (Springer, May 2007), pp. 311–328
J. Katz, Y. Lindell, Handling expected polynomialtime strategies in simulationbased security proofs, in Joe Kilian, editor, TCC 2005. LNCS, vol. 3378 (Springer, February 2005), pp. 128–149
J. Katz, U. Maurer, B. Tackmann, V. Zikas, Universally composable synchronous computation, in Amit Sahai, editor, TCC 2013. LNCS, vol. 7785 (Springer, March 2013), pp. 477–498
M. Keller, P. Scholl, N.P. Smart, An architecture for practical actively secure MPC with dishonest majority, in AhmadReza Sadeghi, Virgil D. Gligor, and Moti Yung, editors, ACM CCS 13. (ACM Press, November 2013), pp. 549–560
J. Kilian, Founding cryptography on oblivious transfer, in 20th ACM STOC. (ACM Press, May 1988), pp. 20–31
E. Kushilevitz, Y. Lindell, T. Rabin, Informationtheoretically secure protocols and security under composition, in Jon M. Kleinberg, editor, 38th ACM STOC. (ACM Press, May 2006), pp. 109–118
L. Lamport, R.E. Shostak, M.C. Pease, The byzantine generals problem. ACM Trans. Program. Lang. Syst., 4(3):382–401, (1982)
Y. Lindell, A. Lysyanskaya, T. Rabin, On the composition of authenticated byzantine agreement, in 34th ACM STOC. (ACM Press, May 2002), pp. 514–523
Y. Lindell, A. Lysyanskaya, T. Rabin, Sequential composition of protocols without simultaneous termination, in Aleta Ricciardi, editor, 21st ACM PODC. (ACM Press, July 2002), pp. 203–212
Y. Lindell, B. Pinkas, N.P. Smart, A. Yanai, Efficient constant round multiparty computation combining BMR and SPDZ, in Rosario Gennaro and Matthew Robshaw, editors, CRYPTO 2015, Part II. LNCS, vol. 9216 (Springer, August 2015), pp. 319–338
P. Mukherjee, D. Wichs, Two round multiparty computation via multikey FHE, in Marc Fischlin and JeanSébastien Coron, editors, EUROCRYPT 2016, LNCS, vol. 9666 (Springer, May 2016), pp. 735–763
M.C. Pease, R.E. Shostak, L. Lamport, Reaching agreement in the presence of faults. Journal of the ACM, 27(2):228–234, (1980)
M.O. Rabin, Randomized byzantine generals, in 24th Annual Symposium on Foundations of Computer Science, Tucson, Arizona, USA, 7–9 November 1983. (IEEE Computer Society, 1983), pp. 403–409
T. Rabin, M. BenOr, Verifiable secret sharing and multiparty protocols with honest majority (extended abstract), in 21st ACM STOC. (ACM Press, May 1989), pp. 73–85
R. Turpin, B.A. Coan, Extending binary byzantine agreement to multivalued byzantine agreement. Information Processing Letters, 18(2):73–76, (1984)
A.C.C. Yao, Protocols for secure computations (extended abstract), in 23rd FOCS. (IEEE Computer Society Press, November 1982), pp. 160–164.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by Nigel Smart.
An extended abstract of this work appeared at CRYPTO 2016 [17].
Ran Cohen: Work supported by a grant from the Israel Ministry of Science, Technology and Space (Grant 310883) and by the National Cyber Bureau of Israel.
Sandro Coretti: This author was supported in part by the Swiss NSF Project No. 200020132794.
Juan Garay, Vassilis Zikas: Work done in part while the author was visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF Grant #CNS1523467.
Vassilis Zikas: This author was supported in part by the Swiss NSF Ambizione Grant PZ00P2_142549.
Appendices
Appendix A: On Parallel (In)Composability of Protocols with Probabilistic Termination
BenOr and ElYaniv [5] observed that when executing randomized protocols with probabilistic termination in parallel, then, in general, the expected running time of the composed protocol (i.e., the rounds its takes for all protocols to give output to all parties) is not preserved. We prove a formal example where this is the case. Concretely, consider a protocol realizing a particular ideal functionality such that the probability that all parties have completed the protocol by round k is \(p^k\) for some \(0<p<1\). Then, the expected running time of the protocol is 1 / p rounds, i.e., constant. (This is essentially the case in most randomized BA protocols starting with Feldman and Micali [28].) However, as implied by the following lemma, if m instances of the protocol are run in parallel, in a straightforward manner, the resulting protocol will have an expected running time of \(\Theta (\log m)\), which is no longer constant.
In particular, running m parallel copies of the protocol of Feldman and Micali [28] results in a protocol that in expectation takes \(\Theta (\log m)\) phases (and thus rounds) to complete.
Lemma A.1
Let \(X_1,\ldots ,X_m\) be independent, identically distributed (IID) geometric random variables, such that for every \(i\in [m]\) it holds that \({\mathrm {Pr}}[X_i = 1] = p\) for some \(0<p<1\). Then,
Proof
As shown in Eisenberg [27], the expected value of the maximum of the random variables satisfies the following inequality:
The lemma follows immediately from the properties of the Harmonic numbers \(H_m=\sum _{k=1}^m \frac{1}{k}\). In particular, denote \(u_m = H_m\log m\), then the series \((u_m)_m\) converges to Euler’s constant \(\gamma \), implying that
\(\square \)
Appendix B: The Model (Cont’d)
In this section, we give complementary material to Sect. 2 and in particular we include a highlevel overview of the formulation of synchronous UC from [43]. More concretely, Katz et al. [43] introduced a framework for universally composable synchronous computation. For selfcontainment we describe here the basics of the model and introduce some terminology that simplifies the description of corresponding functionalities.
Synchronous protocols can be cast as UC protocols which have access to a special clock functionality \(\mathcal {F}_{\textsc {clock}}\)—which allows them to coordinate round switches as described below—and communicate over boundeddelay channels.^{Footnote 29} In a nutshell, the clock functionality works as follows: It stores a bit b which is initially set to 0 and it accepts from each party two types of messages: \(\textsc {clock}\text {}\textsc {update}\) and \(\textsc {clock}\text {}\textsc {read}\). The response to \(\textsc {clock}\text {}\textsc {read}\) is the value of the bit b to the requestor. Each \(\textsc {clock}\text {}\textsc {update}\) is forwarded to the adversary, but it is also recorded, and upon receiving such a \(\textsc {clock}\text {}\textsc {update}\) message from all honest parties, the clock functionality updates b to \(b\oplus 1\). It then keeps working as above, until it receives again a \(\textsc {clock}\text {}\textsc {update}\) message from all honest parties, in which case it resets b to \(b\oplus 1\), and so on.
Such a clock can be used as follows to ensure that honest parties remain synchronized, i.e., no honest party proceeds to the next round before all (honest) parties have finished the current round: Every party stores a local variable where it keeps (its view of) the current value of the clock indicator b. At the beginning of the protocol execution this variable is 0 for all parties. In every round, every party uses all its activations (i.e., messages it receives) to complete all its current round instructions and only then sends \(\textsc {clock}\text {}\textsc {update}\) to the clock signaling to the clock that it has completed its round; following \(\textsc {clock}\text {}\textsc {update}\), all future activations result in the party sending \(\textsc {clock}\text {}\textsc {read}\) to the clock until its bit b is flipped; once the party observes that the bit b has flipped, it starts its next round. Recall that, as mentioned in Sect. 2, for the sake of clarity, we do not explicitly mention \(\mathcal {F}_{\textsc {clock}} \) in our constructions.
In [43], for each message that is to be sent in the protocol, the sender and the receiver are given access to an independent singleuse channel.^{Footnote 30} We point out that instead of the boundeddelay channels, in this work we will assume very simple SFEs^{Footnote 31} that take as input from the sender the message he wishes to send (and a default input from other parties) and deliver the output to the receiver in a fetch mode. Such a simple secure channel SFE can be realized in a straightforward manner from boundeddelay channels and a clock \(\mathcal {F}_{\textsc {clock}} \).
As is common in the synchronous protocols literature, throughout this work we will assume that protocols have the following structure: In each round every party sends/receives a (potentially empty) message to all parties and hybrid functionalities. Such a protocol can be described in UC in a regular form (cf. Sect. 2) using the methodology from [43] as follows: Let \(\mu \in \mathbb {N}\) denote the maximum number of messages that any party \(P _i\) might send to all its hybrids during some round.^{Footnote 32} Every party in the protocol uses exactly \(\mu \) activations in each round. That is, once a party \(P _i\) observes that the round has changed, i.e., the indicator bit b of the clock has being flipped, \(P _i\) starts its next round as described above. However, this round finishes only after \(P _i\) receives \(\mu \) additional activations. Note that \(P _i\) uses these activations to execute his current round instructions; since \(\mu \) is a bound on the number of hybrids used in any round by any party, \(\mu \) activations are enough for the party to complete its round. (If \(P _i\) finishes the round early, i.e., in less than \(\mu \) activations, it simply “does nothing” until the \(\mu \) activations are received, i.e., forward the activation from the environment to its hybrid functionalities.) Once \(\mu \) activations are received in the current round, \(P _i\) sends \(\textsc {clock}\text {}\textsc {update}\) to the clock and then keeps sending \(\textsc {clock}\text {}\textsc {read}\) message, as described above, until it observes a flip of b indicating that \(P _i\) can go to the next round.
In addition to the regular form of protocol execution, Katz et al. [43] described a way of capturing in UC the property that a protocol is guaranteed to terminate in a given number of rounds.^{Footnote 33} The idea is that a synchronous protocol in regular form which terminates after r rounds realizes the following functionality \(\mathcal {F}_{\textsc {}}\). The functionality \(\mathcal {F}_{\textsc {}}\) keeps track of the number of times every honest party sends \(\mu \) activations/messages and delivers output as soon as this has happened r times. More concretely, imitating an rround synchronous protocol with \(\mu \) activations per party per round, upon being instantiated, \(\mathcal {F}_{\textsc {}} \) initiates a global round counter \(\lambda =0\) and an indicator variable \(\lambda _{i}:=0\) for each \(P _i\in \mathcal {P} \); as soon as some party \(P _i\) sends \(\mu \) messages to \(\mathcal {F}_{\textsc {}}\), while the round counter \(\lambda \) is the same, \(\mathcal {F}_{\textsc {}}\) sets \(\lambda _{i}:=1\) and does the following check:^{Footnote 34} if \(\lambda _{i}=1\) for all honest \(P _i\) then increase \(\lambda :=\lambda +1\) and reset \(\lambda _{i}=0\) for all \(P _i\in \mathcal {P} \). As soon as \(\lambda =r\), the functionality \(\mathcal {F}_{\textsc {}}\) enters a “delivery” mode. In this mode, whenever a message \((\texttt {fetchoutput},\cdot )\) is received by some party \(P _i\), the functionality \(\mathcal {F}_{\textsc {}}\) outputs to \(P _i\) its output. (If \(\mathcal {F}_{\textsc {}}\) has no output to \(P _i\) is outputs \(\bot \).)
We refer to a functionality that has the above structure, i.e., which keeps track of the current round \(\lambda \) by counting how many times every honest party has sent a certain number \(\mu \) of messages, as a synchronous functionality. To simplify the description of our functionalities, we introduce the following terminology. We say that a synchronous functionality\(\mathcal {F}_{\textsc {}}\)is in round\(\rho \) if the current value of the above internal counter in \(\mathcal {F}_{\textsc {}}\) is \(\lambda =\rho \).
We note that protocols in the synchronous model of [43] enjoy the strong composition properties of the UC framework. However, in order to have protocols being executed in a lockstep mode, i.e., where all protocols complete their round within the same clocktick, Katz et al. [43] make use of the composition with joint state (JUC) [14]. The idea is the parties use an \(\mathcal {F}_{\textsc {clock}} \)hybrid protocol \(\hat{\pi }\) that emulates toward each of the protocols and subclocks and assigns to each subclock a unique subsession ID (\(\mathsf {ssid}\)). Each of these subclocks is local to its calling protocol, but \(\hat{\pi }\) makes sure that it gives a \(\textsc {clock}\text {}\textsc {update}\) to the actual (joint) clock functionality \(\mathcal {F}_{\textsc {clock}}\), only when all subclocks have received such a \(\textsc {clock}\text {}\textsc {update}\) message. This ensures that all clocks will switch their internal bits at the same time with the bigger clock, which means that the protocols using them will be mutually synchronized. This property can be formally proved by direct application of the JUC theorem. For further details the interested reader is referred to [14, 43].
A final delicate point that needs to be addressed is with respect to whether/when parties can stop sending messages to their functionalities. Concretely, since the parties do not a priori know the termination round, a party cannot halt as soon as it produces output, since some other party might still need several rounds to produce its own output. Rather, every protocol in our setting continues sending (dummy) messages to all its hybrids even after having generated its output—as long as it keeps being activated by the environment—to enable also the other (slower) parties compute their outputs. Note that this is a straightforward adaptation of classical UC protocols—instead of the protocol ignoring messages after it has produced output, it enters a special dummy stage. Most importantly, it does not yield inefficient protocols, as the input of a UC protocol consists of the concatenation of its inputs, and therefore, as long as the environment provides new inputs/activations the protocol can continue executing dummy steps. (The UC experiment finishes when the environment decides to stop and make its guess.)
Appendix C: Composition of Probabilistic Termination Protocols (Cont’d)
This section contains the proofs for Sect. 4.
1.1 C.1 Composition with Deterministic Termination (Cont’d)
We start by giving the intuition for the proof of Theorem 4.2. Loosely speaking, the main differences between the SNF protocol \(\pi \) implementing the functionality \(\mathcal {W}_{\mathrm {strict}} ^D(\mathcal {F}_{\textsc {}})\) and the compiled protocol \(\pi '\) implementing \(\mathcal {W}_{\text {slstrict}} ^{{D^{\mathsf {full}}},c}(\mathcal {F}_{\textsc {}})\) is that \(\pi \) uses CSF as hybrids, whereas \(\pi '\) uses wrapped CSFs, and in addition, parties might not start at the same round, but with a slack of c rounds. In order to ensure that any potential overlap between concurrent calls to different wrapped hybrids remain secure, the wrappers expand each round to \(3c+1\) rounds.
Now, given a simulator \(\mathcal {S} \) for the dummy adversary and the SNF protocol \(\pi \), we construct a simulator \(\mathcal {S} '\) for the dummy adversary and the compiled protocol \(\pi '\). The new simulator acts as a proxy between \(\mathcal {S} \) on the one hand and the environment and the ideal functionality on the other, with the exception that it must “synchronize” the round counters between them. Therefore, \(\mathcal {S} '\) stores a local round counter \(\rho _i\) for every hybrid \(\mathcal {H}_{\textsc {}} {}_i\), and a “slack counter” \(c_j\) for every party \(P _j\) to ensure that its messages are delivered with the same initial slack it started the protocol.
Theorem 4.2
Let \(\mathcal {F}_{\textsc {}}, \mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m\) be canonical synchronous functionalities, let \(t<n/3\), and let \(\pi \) an SNF protocol that UCrealizes \(\mathcal {W}_{\mathrm {strict}} ^D(\mathcal {F}_{\textsc {}})\) with perfect security in the \((\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)\)hybrid model, for some depth1 distribution D, in the presence of adaptive, malicious tadversary, and assuming that all honest parties receive their inputs at the same round. Let \(D_1,\ldots ,D_m\) be arbitrary distributions over traces, \({D^{\mathsf {full}}}= \mathsf {full}\text {}\mathsf {trace}(D,D_1,\ldots ,D_m)\), and \(c\ge 0\).
Then, the compiled protocol \(\pi '=\mathsf {Comp}_{\textsc {dt}} ^c(\pi ,D_1,\ldots ,D_m)\) UCrealizes \(\mathcal {W}_{\text {slstrict}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})\) with perfect security in the \((\mathcal {W}_{\text {slstrict}} ^{D_1,c}(\mathcal {F}_{\textsc {}} {}_1),\ldots ,\mathcal {W}_{\text {slstrict}} ^{D_m,c}(\mathcal {F}_{\textsc {}} {}_m))\)hybrid model, in the presence of adaptive, malicious tadversary, assuming that all honest parties receive their inputs within \(c+1\) consecutive rounds.
The expected round complexity of the compiled protocol \(\pi '\) is
where \(d_i\) is the expected number of calls in \(\pi \) to hybrid \(\mathcal {F}_{\textsc {}} {}_i\), \(T _i\) is a trace sampled from \(D_i\), and \(B_{c} = 3c+1\) is the blowup factor.
Proof
Let \(\mathcal {S} \) be the simulator for protocol \(\pi \) running with the dummy adversary.^{Footnote 35} Consider the following simulator \(\mathcal {S} '\) for \(\pi '\) that internally runs a copy of \(\mathcal {S} \). Initially, \(\mathcal {S} '\) sets slack counters \(c_1, \ldots , c_n \leftarrow 0\) and proceeds as follows.

At any round forward \((\texttt {advinput},\mathsf {sid},\cdot )\) messages from \(\mathcal {S} \) to \(\mathcal {W}_{\text {slstrict}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})\).

In rounds \(\rho = 1,\ldots ,2c+1\), upon receiving \((\texttt {leakage},\mathsf {sid},P _j,\cdot )\) from \(\mathcal {W}_{\text {slstrict}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})\), forward the message to \(\mathcal {S} \) and in addition record the slack for party \(P _j\) as \(c_j \leftarrow \rho  1\).
Along with the very first such message, \(\mathcal {S} '\) receives a trace \(T^{\mathsf {full}}\) from \(\mathcal {W}_{\text {slstrict}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})\). \(\mathcal {S} '\) constructs a new trace \(T \) with the root \(\mathcal {W}_{\mathrm {strict}} ^D(\mathcal {F}_{\textsc {}})\), where the leaves are set as follows: Each node in the first layer of \(T^{\mathsf {full}}\) is a root for a subtree labeled with \(\mathcal {W}_{\mathrm {strict}} ^{D_i}(\mathcal {F}_{\textsc {}} {}_i)\) (for some \(i\in [m]\)); \(\mathcal {S} '\) adds the leaf \(\mathcal {F}_{\textsc {}} {}_i\) to the first layer in \(T \). Finally, \(\mathcal {S} '\) passes \(T \) to \(\mathcal {S} \).

Simulate the execution of every wrapped hybrid \(\mathcal {H}_{\textsc {}} {}_i=\mathcal {W}_{\text {slstrict}} ^{D_j,c}(\mathcal {F}_{\textsc {}} {}_j)\) (for some \(j\in [m]\)) in the order they appear in the first layer in \(T^{\mathsf {full}}\) as follows^{Footnote 36} (the first such hybrid must be simulated as early as in round \(\rho = 1\). Note that if there is actual slack among the parties, the simulations of consecutive hybrids overlap):

Let \(\rho _i\) be the (simulated) round counter of \(\mathcal {H}_{\textsc {}} {}_i\) and let \(T^{\mathsf {full}}_i\) be the corresponding subtree in \(T^{\mathsf {full}}\).

In any round \(\rho _i\) forward the messages \((\texttt {advinput},\mathsf {sid},\cdot )\) (that are directed to \(\mathcal {H}_{\textsc {}} {}_i\)) from the environment to \(\mathcal {S} \).

For every party \(P _j\), in round \(\rho _i = c_j+1\), obtain the simulated leakage for \(P _j\) from \(\mathcal {S} \) and pass it to the environment;^{Footnote 37} add \((\texttt {trace},\mathsf {sid},T^{\mathsf {full}}_i)\) to the first such message.

In all other rounds \(\rho _i\), simply forward \((\texttt {fetchoutput},\mathsf {sid},\cdot )\) messages from \(\mathcal {W}_{\text {slstrict}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})\) to the environment (to simulate the advancement of the execution of \(\mathcal {H}_{\textsc {}} {}_i\)).

The simulation for party \(P _j\) ends in round \(\rho _i = B_{c} \cdot c_{\mathsf {tr}} (T^{\mathsf {full}}_i) + c_j\).

Let \(\mathcal {Z} '\) be an environment that can distinguish between an execution of protocol \(\pi '\) in the \((\mathcal {W}_{\text {slstrict}} ^{D_1,c}(\mathcal {F}_{\textsc {}} {}_1),\ldots ,\mathcal {W}_{\text {slstrict}} ^{D_m,c}(\mathcal {F}_{\textsc {}} {}_m))\)hybrid model with the dummy adversary and the execution in the ideal model with \(\mathcal {W}_{\text {slstrict}} ^{{D^{\mathsf {full}}},c}(\mathcal {F}_{\textsc {}} {})\) and \(\mathcal {S} '\). We construct the following environment \(\mathcal {Z} \) distinguishing between an execution of \(\pi \) in the \((\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)\)hybrid model with the dummy adversary and the ideal model with \(\mathcal {W}_{\mathrm {strict}} ^D(\mathcal {F}_{\textsc {}} {})\) and \(\mathcal {S} \):

\(\mathcal {Z} \) internally runs a copy of \(\mathcal {Z} '\), emulating the parties and the adversary (either in a real execution of \(\pi \) or an ideal execution of \(\mathcal {W}_{\mathrm {strict}} ^D(\mathcal {F}_{\textsc {}} {})\)). Initialize slack counters \(c_1,\ldots ,c_n \leftarrow 0\) and a simulated round counter \(\rho \) (for \(\mathcal {Z} '\)).

Whenever \(\mathcal {Z} '\) sends a message \((\texttt {input},\mathsf {sid},\cdot )\) to \(P _j\) in rounds \(\rho = 1,\ldots ,2c+1\), \(\mathcal {Z} \) forwards the message to \(P _j\) and records slack \(c_j \leftarrow \rho  1\).

For each executed (resp. simulated) tworound CSF hybrid \(\mathcal {F}_{\textsc {}} {}_i\), proceed as follows to simulate an execution (resp. simulation) of \(\mathcal {W}_{\text {slstrict}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)\) to \(\mathcal {Z} '\) (the first such simulation takes place as early as in round \(\rho = 1\). Note that if there is actual slack among the parties, the simulations of consecutive hybrids overlap):

Initialize a round counter \(\rho _i \leftarrow 1\) and sample a trace \(T^{\mathsf {full}}_i\) from \(D_i\).

At any round, forward \((\texttt {advinput},\mathsf {sid},\cdot )\) messages from \(\mathcal {Z} '\) to the adversary.

For every party \(P _j\), in round \(\rho _i = c_j + 1\), obtain the leakage for \(P _j\) from the adversary and pass it to \(\mathcal {Z} '\);^{Footnote 38} add \((\texttt {trace},\mathsf {sid},T^{\mathsf {full}}_i)\) to the first such message.

In all other rounds \(\rho _i\), upon receiving \((\texttt {fetchoutput},\mathsf {sid},\cdot )\) messages from \(\mathcal {Z} '\) for some party \(P _j\), pass \((\texttt {fetchoutput},\mathsf {sid},P _j)\) to \(\mathcal {Z} \) (to simulate the advancement of the execution).

The simulation for party \(P _j\) ends in round \(\rho _i = B_{c} \cdot c_{\mathsf {tr}} (T^{\mathsf {full}}_i) + c_j\).


At any round, forward \((\texttt {output},\mathsf {sid},\cdot )\) messages from a party to \(\mathcal {Z} '\).

Output whatever decision bit \(\mathcal {Z} '\) outputs.
It can be seen by inspection that:

When \(\mathcal {Z} \) interacts with a realworld execution of \(\pi \) with hybrids \(\mathcal {F}_{\textsc {}} {}_i\), the view of \(\mathcal {Z} '\) is exactly the view it would have when interacting with a realworld execution of \(\pi '\) with hybrids \(\mathcal {W}_{\text {slstrict}} ^{D_i,c} (\mathcal {F}_{\textsc {}} {}_i)\), and

When \(\mathcal {Z} \) interacts with an idealworld execution of \(\mathcal {W}_{\mathrm {strict}} ^D(\mathcal {F}_{\textsc {}} {})\) with simulator \(\mathcal {S} \), the view of \(\mathcal {Z} '\) is exactly the view it would have when interacting with an idealworld execution of \(\mathcal {W}_{\text {slstrict}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}} {})\) with simulator \(\mathcal {S} '\).
The expected round complexity follows by linearity of expectation and by noting that the expected number of times a hybrid \(\mathcal {F}_{\textsc {}} {}_i\) is called in \(\pi \) and the expected trace complexity of \(D_i\) are independent random variables. Indeed, the trace complexity needed to implement \(\mathcal {W}_{\mathrm {strict}} ^{D_i}(\mathcal {F}_{\textsc {}} {}_i)\) is independent of the protocol \(\pi \), and the number of calls to \(\mathcal {F}_{\textsc {}} {}_i\) in \(\pi \) depends on the CSF representation of \(\mathcal {F}_{\textsc {}} {}_i\), and not on its wrapped version. \(\square \)
1.2 C.2 Composition with Probabilistic Termination (Cont’d)
The intuition for proving Theorem 4.3 is similar to that of proving Theorem 4.2. In addition to simply synchronizing between the simulator \(\mathcal {S} \) and the ideal functionality and environment, \(\mathcal {S} '\) must also address the following issues. First, some CSFs (\(\mathcal {F}_{\textsc {}} {}_i\) for \(i\in I\)) are wrapped using the flexible wrapper, whereas others (\(\mathcal {F}_{\textsc {}} {}_i\) for \(i\notin I\)) are wrapped using the strict wrapper. Second, \(\mathcal {S} '\) must simulate the termination procedure at the end of every flexibly wrapped CSF and at the end of the simulation.
Theorem 4.3
Let \(\mathcal {F}_{\textsc {}}, \mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m\) be canonical synchronous functionalities, let \(t<n/3\), and let \(\pi \) an SNF protocol that UCrealizes \(\mathcal {W}_{\mathrm {flex}} ^D(\mathcal {F}_{\textsc {}})\) with perfect security in the \((\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)\)hybrid model, for some depth1 distribution D, in the presence of adaptive, malicious tadversary, and assuming that all honest parties receive their inputs at the same round. Let \(I\subseteq [m]\) be the subset (of indices) of functionalities to be wrapped using the flexible wrapper, let \(D_1,\ldots ,D_m\) be arbitrary distributions over traces, denote \({D^{\mathsf {full}}}= \mathsf {full}\text {}\mathsf {trace}(D,D_1,\ldots ,D_m)\) and let \(c\ge 0\). Assume that \(\mathcal {F}_{\textsc {}} \) and \(\mathcal {F}_{\textsc {}} {}_i\), for every \(i\in I\), are public output functionalities.
Then, the compiled protocol \(\pi '=\mathsf {Comp}_{\textsc {ptr}} ^c(\pi ,D_1,\ldots ,D_m,I)\) UCrealizes \(\mathcal {W}_{\text {slflex}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})\) with perfect security in the \((\mathcal {W} (\mathcal {F}_{\textsc {}} {}_1),\ldots ,\mathcal {W} (\mathcal {F}_{\textsc {}} {}_m))\)hybrid model, where \(\mathcal {W} (\mathcal {F}_{\textsc {}} {}_i)=\mathcal {W}_{\text {slflex}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)\) if \(i\in I\) and \(\mathcal {W} (\mathcal {F}_{\textsc {}} {}_i)=\mathcal {W}_{\text {slstrict}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)\) if \(i\notin I\), in the presence of adaptive, malicious tadversary, assuming that all honest parties receive their inputs within \(c+1\) consecutive rounds.
The expected round complexity of the compiled protocol \(\pi '\) is
where \(d_i\) is the expected number of calls in \(\pi \) to hybrid \(\mathcal {F}_{\textsc {}} {}_i\), \(T _i\) is a trace sampled from \(D_i\), and \(B_{c} = 3c+1\) is the blowup factor.
Proof
Let \(\mathcal {S} \) be the simulator for protocol \(\pi \) running with the dummy adversary.^{Footnote 39} Consider the following simulator \(\mathcal {S} '\) for \(\pi '\) that internally runs a copy of \(\mathcal {S} \). Initially, \(\mathcal {S} '\) sets slack counters \(c_1, \ldots , c_n \leftarrow 0\) and proceeds as follows.

At any round forward \((\texttt {advinput},\mathsf {sid},\cdot )\) messages from \(\mathcal {S} \) to \(\mathcal {W}_{\text {slflex}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})\).

In rounds \(\rho = 1,\ldots ,2c+1\), upon receiving \((\texttt {leakage},\mathsf {sid},P _j,\cdot )\) from \(\mathcal {W}_{\text {slflex}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})\), forward the message to \(\mathcal {S} \) and in addition record the slack for party \(P _j\) as \(c_j \leftarrow \rho  1\).
Along with the very first such message, \(\mathcal {S} '\) receives a trace \(T^{\mathsf {full}}\) from \(\mathcal {W}_{\text {slflex}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})\). \(\mathcal {S} '\) constructs a new trace \(T \) with the root \(\mathcal {W}_{\mathrm {flex}} ^D(\mathcal {F}_{\textsc {}})\), where the leaves are set as follows: Each node in the first layer of \(T^{\mathsf {full}}\) is a root for a subtree labeled with \(\mathcal {W}_{\mathrm {strict}} ^{D_i}(\mathcal {F}_{\textsc {}} {}_i)\) or \(\mathcal {W}_{\mathrm {flex}} ^{D_i}(\mathcal {F}_{\textsc {}} {}_i)\) (for some \(i\in [m]\)); \(\mathcal {S} '\) adds the leaf \(\mathcal {F}_{\textsc {}} {}_i\) to the first layer in \(T \). Finally, \(\mathcal {S} '\) passes \(T \) to \(\mathcal {S} \).

Simulate the execution of all wrapped hybrids \(\mathcal {H}_{\textsc {}} {}_i\) in the order they appear in \(T^{\mathsf {full}}\) (the first such hybrid must be simulated as early as in round \(\rho = 1\). Note that if there is actual slack among the parties, the simulations of consecutive hybrids overlap). If the hybrid \(\mathcal {H}_{\textsc {}} {}_i\) is of the form \(\mathcal {W}_{\text {slstrict}} ^{D_j,c}(\mathcal {F}_{\textsc {}} {}_j)\) (for some \(j\in [m]\)), i.e., if \(j\notin I\), proceed as follows:

Let \(\rho _i\) be the (simulated) round counter of \(\mathcal {H}_{\textsc {}} {}_i\) and let \(T^{\mathsf {full}}_i\) be the corresponding subtree in \(T^{\mathsf {full}}\).

In any round \(\rho _i\) forward the messages \((\texttt {advinput},\mathsf {sid},\cdot )\) (that are directed to \(\mathcal {H}_{\textsc {}} {}_i\)) from the environment to \(\mathcal {S} \).

For every party \(P _j\), in round \(\rho _i = c_j + 1\), obtain the simulated leakage for \(P _j\) from \(\mathcal {S} \) and pass it to the environment;^{Footnote 40} add \((\texttt {trace},\mathsf {sid},T^{\mathsf {full}}_i)\) to the first such message.

In all other rounds \(\rho _i\), simply forward \((\texttt {fetchoutput},\mathsf {sid},\cdot )\) messages from \(\mathcal {W}_{\text {slflex}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})\) to the environment (to simulate the advancement of \(\mathcal {H}_{\textsc {}} {}_i\)’ execution).

The simulation for party \(P _j\) ends in round \(\rho _i = B_{c} \cdot c_{\mathsf {tr}} (T^{\mathsf {full}}_i) + c_j\).
If the hybrid \(\mathcal {H}_{\textsc {}} {}_i\) is of the form \(\mathcal {W}_{\text {slflex}} ^{D_j,c}(\mathcal {F}_{\textsc {}} {}_j)\) (for some \(j\in [m]\)), i.e., if \(j\in I\), proceed as follows:

Let \(\rho _i\) be the (simulated) round counter of \(\mathcal {H}_{\textsc {}} {}_i\) and let \(T^{\mathsf {full}}_i\) be the corresponding subtree in \(T^{\mathsf {full}}\). Set \(\rho _\mathsf {term}\leftarrow B_{c} \cdot c_{\mathsf {tr}} (T^{\mathsf {full}}) + 2 \cdot {\mathsf {flex_{tr}}} (T^{\mathsf {full}}) + c\).

In any round \(\rho _i\), forward the messages \((\texttt {advinput},\mathsf {sid},\cdot )\) (that are directed to \(\mathcal {H}_{\textsc {}} {}_i\)) from the environment to \(\mathcal {S} \).

For every party \(P _j\), in round \(\rho _i = c_j + 1\), obtain the simulated leakage for \(P _j\) from \(\mathcal {S} \) and pass it to the environment;^{Footnote 41} add \((\texttt {trace},\mathsf {sid},T^{\mathsf {full}}_i)\) to the first such message.

In all other rounds \(\rho _i\), simply forward \((\texttt {fetchoutput},\mathsf {sid},\cdot )\) messages from \(\mathcal {W}_{\text {slflex}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}})\) to the environment (to simulate the advancement of \(\mathcal {H}_{\textsc {}} {}_i\)’ execution).

If the environment issues \((\texttt {earlyoutput},\mathsf {sid},\cdot )\) commands, before round \(\rho _\mathsf {term}\), for certain parties \(P _j\in \mathcal {P} \), set \(c_j \leftarrow 0\) for these parties and \(c_j \leftarrow 1\) for the others and end the simulation of \(\mathcal {H}_{\textsc {}} {}_i\) one round later. If the environment does not issue such a command for any party, set \(c_j \leftarrow 0\) for all parties and end the simulation of \(\mathcal {H}_{\textsc {}} {}_i\) in round \(\rho _\mathsf {term}\).


When \(\mathcal {S} \) wants to output \((\texttt {earlyoutput},\mathsf {sid},P _j)\) to \(\mathcal {W}_{\text {slflex}} ^{{D^{\mathsf {full}}},c}(\mathcal {F}_{\textsc {}})\), proceed as follows:

Pass \((\texttt {getoutput},\mathsf {sid})\) to \(\mathcal {W}_{\text {slflex}} ^{{D^{\mathsf {full}}},c}(\mathcal {F}_{\textsc {}})\), obtain \((\texttt {output},\mathsf {sid},y)\), and record y (the first time).

Simulate \(P _j\) sending \((\texttt {end},\mathsf {sid},y)\) to all parties.

For every party \(P _j\), keep track of how many simulated \((\texttt {end},\mathsf {sid},\cdot )\) messages have been received by \(P _j\) (including those sent by corrupted parties).
 \(*\) :

When a party receives \(t+1\) such messages (for the same value y), simulate that party’s sending of such a message of its own (unless already done so).
 \(*\) :

When a party \(P _j\) receives \(nt\) such messages (for the same value y), send \((\texttt {earlyoutput},\mathsf {sid},P _j)\) to \(\mathcal {W}_{\textsc {pt}} ^{{D^{\mathsf {full}}}}(\mathcal {F}_{\textsc {}})\).

Let \(\mathcal {Z} '\) be an environment distinguishing between an execution of \(\pi '\) in the \((\mathcal {W} (\mathcal {F}_{\textsc {}} {}_1),\ldots ,\mathcal {W} (\mathcal {F}_{\textsc {}} {}_m))\)hybrid model and the ideal model with \(\mathcal {W}_{\text {slflex}} ^{{D^{\mathsf {full}}},c}(\mathcal {F}_{\textsc {}} {})\) and \(\mathcal {S} '\). We construct the following environment \(\mathcal {Z} \) distinguishing between an execution of \(\pi \) in the \((\mathcal {F}_{\textsc {}} {}_1,\ldots ,\mathcal {F}_{\textsc {}} {}_m)\)hybrid model and the ideal model with \(\mathcal {W}_{\mathrm {flex}} ^D(\mathcal {F}_{\textsc {}} {})\) and \(\mathcal {S} \):

\(\mathcal {Z} \) internally runs a copy of \(\mathcal {Z} '\) and emulates the parties and the adversary (either in a real execution of \(\pi \) or an ideal execution of \(\mathcal {W}_{\mathrm {flex}} ^D(\mathcal {F}_{\textsc {}} {})\)). Initialize slack counters \(c_1,\ldots ,c_n \leftarrow 0\) and a simulated round counter \(\rho \) (for \(\mathcal {Z} '\)).

When \(\mathcal {Z} '\) sends a message \((\texttt {input},\mathsf {sid},\cdot )\) for \(P _j\) in rounds \(\rho = 1,\ldots ,2c+1\), \(\mathcal {Z} \) forwards the message to \(P _j\) and records slack \(c_j \leftarrow \rho  1\).

For each executed (resp. simulated) tworound CSF hybrid \(\mathcal {F}_{\textsc {}} {}_i\), simulate an execution (resp. simulation) of \(\mathcal {W}_{\text {slflex}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)\) or \(\mathcal {W}_{\text {slstrict}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)\) to \(\mathcal {Z} '\) (the first such simulation takes place as early as in round \(\rho = 1\). Note that if there is actual slack among the parties, the simulations of consecutive hybrids overlap). If \(i\notin I\), i.e., if the hybrid functionality in \(\pi '\) is of the form \(\mathcal {H}_{\textsc {}} {}_i=\mathcal {W}_{\text {slstrict}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)\), proceed as follows:

Initialize a round counter \(\rho _i \leftarrow 1\) and sample a trace \(T^{\mathsf {full}}_i\) from \(D_i\).

At any round, forward \((\texttt {advinput},\mathsf {sid},\cdot )\) messages from \(\mathcal {Z} '\) to the adversary.

For every party \(P _j\), in round \(\rho _i = c_j + 1\), obtain the leakage for \(P _j\) from the adversary and pass it to \(\mathcal {Z} '\);^{Footnote 42} add \((\texttt {trace},\mathsf {sid},T^{\mathsf {full}}_i)\) to the first such message.

In all other rounds \(\rho _i\), upon receiving \((\texttt {fetchoutput},\mathsf {sid},\cdot )\) messages from \(\mathcal {Z} '\) for some party \(P _j\), pass \((\texttt {fetchoutput},\mathsf {sid},P _j)\) to \(\mathcal {Z} \) (to simulate the advancement of the execution).

The simulation for party \(P _j\) ends in round \(\rho _i = B_{c} \cdot c_{\mathsf {tr}} (T^{\mathsf {full}}_i) + c_j\).
If \(i\in I\), i.e., if the hybrid functionality is of the form \(\mathcal {H}_{\textsc {}} {}_i=\mathcal {W}_{\text {slflex}} ^{D_i,c}(\mathcal {F}_{\textsc {}} {}_i)\), proceed as follows:

Initialize a round counter \(\rho _i \leftarrow 1\) and sample a trace \(T^{\mathsf {full}}_i\) from \(D_i\). Set
$$\begin{aligned} \rho _\mathsf {term}\leftarrow B_{c} \cdot c_{\mathsf {tr}} (T^{\mathsf {full}}_i) + 2 \cdot {\mathsf {flex_{tr}}} (T^{\mathsf {full}}_i) + c. \end{aligned}$$ 
At any round, forward \((\texttt {advinput},\mathsf {sid},\cdot )\) messages from \(\mathcal {Z} '\) to the adversary.

For every party \(P _j\), in round \(\rho _i = c_j + 1\), obtain the leakage for \(P _j\) from the adversary and pass it to \(\mathcal {Z} '\);^{Footnote 43} add \((\texttt {trace},\mathsf {sid},T^{\mathsf {full}}_i)\) to the first such message.

In all other rounds \(\rho _i\), upon receiving \((\texttt {fetchoutput},\mathsf {sid})\) messages from \(\mathcal {Z} '\) for some party \(P _j\), pass \((\texttt {fetchoutput},\mathsf {sid},P _j)\) to \(\mathcal {Z} \) (to simulate the advancement of the execution).

If \(\mathcal {Z} '\) issues \((\texttt {earlyoutput},\mathsf {sid},\cdot )\) commands for certain parties \(P _j\in \mathcal {P} \) before round \(\rho _\mathsf {term}\), set \(c_j \leftarrow 0\) for these parties and \(c_j \leftarrow 1\) for the others, and end the simulation of \(\mathcal {H}_{\textsc {}} {}_i\) one round later. If \(\mathcal {Z} '\) did not issue such a command to any party by round \(\rho _\mathsf {term}\), set \(c_j \leftarrow 0\) for all parties and end the simulation of \(\mathcal {H}_{\textsc {}} {}_i\) in round \(\rho _\mathsf {term}\).


When a party wants to output \((\texttt {output},\mathsf {sid},y)\), proceed as follows:

Pass \((\texttt {getoutput},\mathsf {sid})\) to \(\mathcal {W}_{\text {slflex}} ^{{D^{\mathsf {full}}},c}(\mathcal {F}_{\textsc {}})\), obtain \((\texttt {output},\mathsf {sid},y)\), and record y (only at the first time).

Simulate (to \(\mathcal {Z} '\)) \(P _j\) sending \((\texttt {end},\mathsf {sid},y)\) to all parties.

For every party \(P _j\), keep track of how many simulated \((\texttt {end},\mathsf {sid},\cdot )\) messages it has received (including those sent by corrupted parties).
 \(*\) :

When a party receives \(t+1\) such messages (for the same y), simulate that party’s sending such a message of its own (unless already done so).
 \(*\) :

When a party \(P _j\) receives \(nt\) such messages (for the same y), pass \((\texttt {output},\mathsf {sid},y)\) to \(\mathcal {Z} '\) on behalf of \(P _j\).


Output whatever decision bit \(\mathcal {Z} '\) outputs.
It can be seen by inspection that:

When \(\mathcal {Z} \) interacts with a realworld execution of \(\pi \) with hybrids \(\mathcal {F}_{\textsc {}} {}_i\), the view of \(\mathcal {Z} '\) is exactly the view it would have when interacting with a realworld execution of \(\pi '\) with hybrids \(\mathcal {W} (\mathcal {F}_{\textsc {}} {}_i)\) and the dummy adversary.

When \(\mathcal {Z} \) interacts with an idealworld execution of \(\mathcal {W}_{\mathrm {flex}} ^D(\mathcal {F}_{\textsc {}} {})\) with simulator \(\mathcal {S} \), the view of \(\mathcal {Z} '\) is exactly the view it would have when interacting with an idealworld execution of \(\mathcal {W}_{\text {slflex}} ^{{D^{\mathsf {full}}},c} (\mathcal {F}_{\textsc {}} {})\) with simulator \(\mathcal {S} '\).
The expected round complexity follows by similar arguments as in Theorem 4.2. \(\square \)
Appendix D: Applications of Our Fast Composition Theorem (Cont’d)
This section includes complementary material to Sect. 5.
1.1 D.1 Fast and Perfectly Secure Byzantine Agreement (Cont’d)
In Sect. 5.1, we presented the randomized binary Byzantine agreement protocol \({\pi _{\textsc {rba}}} \). We now proceed to prove Lemma 5.2.
Lemma 5.2
Let \(t<n/3\), then, assuming all honest parties receive their inputs at the same round, protocol \({\pi _{\textsc {rba}}} \) UCrealizes \(\mathcal {F}_{\textsc {rba}} =\mathcal {W}_{\mathrm {flex}} ^{D_{\textsc {rba}}}(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\), in the \((\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {oc}}, \mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\)hybrid model, with perfect security, in the presence of an adaptive malicious tadversary.
Proof
We first claim correctness, i.e., that all honest parties output the same value and that if \(nt\) of the inputs are the same, this value will be the common output. The protocol \({\pi _{\textsc {rba}}} \) consists of two parts: The first is running (up to) \(\tau \) phases of the Feldman–Micali protocol, and the second (which only occurs if there exists an honest party that did not receive output, i.e., has value \(\mathsf {term}=0\), in the first part, or if there exists an honest party that received output in phase \(\tau \), i.e., has value \(\mathsf {term}=\tau \)) consists of calling a BA functionality. As shown in [28, Thm. 4], the Feldman–Micali protocol satisfies the consistency and validity properties in the propertybased definition of Byzantine agreement. In addition, if some honest party received output b in some phase \(\alpha \) (i.e., if it sets \(\mathsf {term}=\alpha \)), then the value \(b_i\) of every honest party \(P _i\) equals b at the end of phase \(\alpha \). It follows that:

In case \(nt\) honest parties (in particular if all honest parties) start with the same input, they will agree on this value as their output and terminate in the first phase. (In all other cases it remains only to show that all honest parties agree on the output.)

In case the first honest party received output in phase \(\alpha <\tau 1\), it holds that by phase \(\alpha +1<\tau \) all honest parties will receive the same output (i.e., \(0<\mathsf {term}<\tau \) for all honest parties), and so correctness follows from [28].

In case no honest party received output in all \(\tau \) phases (i.e., \(\mathsf {term}=0\) for all honest parties), all honest parties send their internal values to \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\) and output the result, hence, correctness follows from the \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\) functionality.

In case all honest parties receive their outputs in phase \(\tau \) (i.e., \(\mathsf {term}=\tau \) for all honest parties), then by [28] they receive the same value. In this case, this is the value they will output after calling \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\) and so correctness is satisfied.

In case some honest parties receive their outputs in phase \(\tau \) (i.e., \(\mathsf {term}=\tau \)) and the other honest parties do not (i.e., \(\mathsf {term}=0\)), then it holds that all honest parties send the same value to \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\), and correctness is satisfied.

In case some honest parties receive their outputs in phase \(\tau 1\) (i.e., \(\mathsf {term}=\tau 1\)), they do not send any input to \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\). However, the remaining honest parties will receive the same output in phase \(\tau \) (i.e., \(\mathsf {term}=\tau \)), and will output this value, regardless of the output they receive from \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\). Therefore, correctness is satisfied.
Regarding termination, [28, Claim T44] showed that for any positive integer m, if all honest parties agree on the same bit at the beginning of the mth phase, then they will all terminate at the end of the phase with probability at least p. It follows that in case all honest parties start with the same input value, they will terminate within the first iteration. Otherwise, the probability distribution of terminating in less than \(\tau =\log ^{1.5}(\kappa )+1\) phases is geometric with parameter p. In the negligible probability that the parties did not receive output in less than \(\tau \) phases, termination is guaranteed by \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\).
We now prove that \({\pi _{\textsc {rba}}} \) UCrealizes \(\mathcal {F}_{\textsc {rba}} \). Let \(\mathcal {A} \) be the dummy adversary and let \(\mathcal {Z} \) be an environment. We construct a simulator \(\mathcal {S} \) that simulates the honest parties in \({\pi _{\textsc {rba}}} \), the adversary \(\mathcal {A} \) and the ideal functionalities \(\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {oc}} \) and \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\) to the environment, as follows.

\(\mathcal {S} \) forwards all messages from the environment to \(\mathcal {A} \) (and vice versa).

\(\mathcal {S} \) simulates every honest party by independently sampling random coins for the party and running the protocol according to the protocol’s specification. Note that \(\mathcal {S} \) learns the input for each honest party \(P _i\) as soon as \(P _i\) sends it to \(\mathcal {F}_{\textsc {rba}} \) by receiving the message \((\texttt {leakage},\mathsf {sid},P _i,(x_1, \ldots , x_n))\). In addition, \(\mathcal {S} \) learns the trace of the protocol by receiving the message \((\texttt {trace},\mathsf {sid},T)\) from \(\mathcal {F}_{\textsc {rba}} \) and can derive the terminating phase \(r_\mathsf {out} \) by counting the number of sequences \((\mathcal {F}_{\textsc {oc}},\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {psmt}})\) in \(T \) (and setting \(r_\mathsf {out} \leftarrow \tau +1\) if the last leaf is \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\)).

Whenever \(\mathcal {A} \) sends a message \((\mathsf {sid},b_j)\) on behalf of a corrupted party \(P _j\) to some honest party during the first round, \(\mathcal {S} \) sends \((\texttt {input},\mathsf {sid},b_j\)) to \(\mathcal {F}_{\textsc {rba}} \) on behalf of \(P _j\).

Whenever \(\mathcal {A} \) requests to corrupt some party \(P _i\in \mathcal {P} \), \(\mathcal {S} \) corrupts \(P _i\) and sends the simulated internal state of \(P _i\) (consisting of \(P _i\)’s input, randomness and incoming messages) to \(\mathcal {A} \). Recall that in case \(\mathcal {A} \) corrupts a party \(P _i\) after it sent its input to some corrupted party, during the first round, \(\mathcal {A} \) may instruct \(P _i\) to send a different value as its input to all other parties. In this case, \(\mathcal {S} \) sends \((\texttt {input},\mathsf {sid},b_i\)) to \(\mathcal {F}_{\textsc {rba}} \) on behalf of \(P _i\).

When simulating \(\mathcal {F}_{\textsc {oc}} \) in the first \(r_\mathsf {out}1\) phases, instead of sampling the fairness bit, \(\mathcal {S} \) acts as if \(b=0\), i.e., it allows \(\mathcal {A} \) to decide on the output values of the parties. In case some subset of simulated honest parties \(\mathcal {P} '\) terminate in a phase r (prior to phase \(r_\mathsf {out} \)) with value \(y\in \{0,1\}\), \(\mathcal {S} \) sends \((\texttt {advinput},\mathsf {sid}, y)\) to \(\mathcal {F}_{\textsc {rba}} \) followed by \((\texttt {earlyoutput}, \mathsf {sid}, P _i)\) for every \(P _i\in \mathcal {P} '\). In addition, \(\mathcal {S} \) proceeds based on the following cases:

In case \(r<\tau \), \(\mathcal {S} \) sends \((\texttt {earlyoutput}, \mathsf {sid}, P _i)\) for every \(P _i\in \mathcal {P} \setminus \mathcal {P} '\) in the next phase, ensuring that all honest parties will terminate appropriately.

In case \(r=\tau \), then the honest parties in \(\mathcal {P} \setminus \mathcal {P} '\) proceed to the invocation of \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\), \(\mathcal {S} \) simulates all honest parties in \(\mathcal {P} \setminus \mathcal {P} '\) sending y as their input and receives input values from the adversary. Next, \(\mathcal {S} \) computes the output just like \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\) would, and sends to the adversary the output values. (Recall that the output value from \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\) is not being used by the honest parties.)

Note that the case \(r=\tau +1\) can never happen.


In case no honest party has terminated prior to phase \(r_\mathsf {out} \), then \(\mathcal {S} \) proceeds as follows:

In case \(r_\mathsf {out} \le \tau \), \(\mathcal {S} \) samples a random bit \(y\in \{0,1\}\) in the \(r_\mathsf {out} \)th phase, sends \((\texttt {advinput},\mathsf {sid}, y)\) to \(\mathcal {F}_{\textsc {rba}} \), and simulates the next invocation of \(\mathcal {F}_{\textsc {oc}} \) by setting the fairness bit \(b=1\) and with output y, i.e., ensuring that the honest parties will receive output y in the simulated protocol. Recall that if \(r_\mathsf {out} <\tau \) then indeed all honest parties will terminate in the simulated protocol, however, if \(r_\mathsf {out} =\tau \) the simulator must simulate \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\) to \(\mathcal {A} \). Note that \(\mathcal {A} \) cannot affect the output value in this scenario (as all honest parties participate with input value y); \(\mathcal {S} \) simulates all honest parties sending y as their input and responds with y as the output for all corrupted parties.

In case \(r_\mathsf {out} =\tau +1\), i.e., in case no party received output in all \(\tau \) phases, \(\mathcal {S} \) simulates the functionality \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\) to the adversary. Initially, \(\mathcal {S} \) simulates all honest parties sending their local intermediate value as their input to \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\), and receives the input values from the adversary on behalf of the corrupted parties. (Recall that the adversary may dynamically corrupt honest parties and change their input message.) Next, \(\mathcal {S} \) computes the result as in \(\mathcal {F}_{\textsc {ba}} ^{\{0,1\}}\), i.e., it checks whether there exists at least \(nt\) input values that all equal to some value y, and if so sets it as the output; otherwise, it sets the output based on the \((\texttt {advinput},\mathsf {sid},\cdot )\) message sent by the adversary.

It follows using a standard hybrid argument that the view of the environment \(\mathcal {Z} \) is identically distributed when interacting with a realworld execution of \({\pi _{\textsc {rba}}} \) in the \((\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {oc}}, \mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\)hybrid model and the dummy adversary, and when interacting with the simulator \(\mathcal {S} \) and the ideal model computation of \(\mathcal {F}_{\textsc {rba}} \). \(\square \)
1.1.1 D.1.1 Multivalued Byzantine Agreement Protocol
As presented above, \({\pi _{\textsc {rba}}} \) is a binary BA protocol. Using a transformation due to Turpin and Coan [55], the decision domain can be extended without increasing the expected running time. Given a set \(V\subseteq \{0,1\}^*\), denote by \(D_{\textsc {mvba}} \) the deterministic distribution that outputs a depth1 trace consisting of a root \(\mathcal {W}_{\mathrm {strict}} ^{D_{\textsc {mvba}}}(\mathcal {F}_{\textsc {ba}} ^V)\) and three leaves \((\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\) (Fig. 11).
Lemma D.1
Let \(t<n/3\) and \(V\subseteq \{0,1\}^*\). Then, assuming all honest parties receive their inputs at the same round, the protocol \({\pi _{\textsc {mvba}}} \) UCrealizes \(\mathcal {W}_{\mathrm {strict}} ^{D_{\textsc {mvba}}}(\mathcal {F}_{\textsc {ba}} ^V)\), in the \((\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\)hybrid model, with perfect security, in the presence of an adaptive malicious tadversary.
The proof of the Lemma is straightforward.
Theorem 5.4
Let \(c\ge 0\), \(t<n/3\) and \(V\subseteq \{0,1\}^*\). There exists an efficiently sampleable distribution D such that the functionality \(\mathcal {W}_{\text {slflex}} ^{D,c}(\mathcal {F}_{\textsc {ba}} ^V)\) has an expected constant round complexity and can be UCrealized in the \(\mathcal {F}_{\textsc {smt}} \)hybrid model, with perfect security, in the presence of an adaptive malicious tadversary, assuming that all honest parties receive their inputs within \(c+1\) consecutive rounds.
Proof
(sketch). Let \(D^{\mathsf {full}}_{\textsc {mvba}} =\mathsf {full}\text {}\mathsf {trace}(D_{\textsc {mvba}},D_{\textsc {psmt}},D^{\mathsf {full}}_{\textsc {rba}})\). For simplicity, denote \(\mathcal {F}_{\textsc {ba}} ^{\textsc {pt,v}}=\mathcal {W}_{\text {slflex}} ^{D^{\mathsf {full}}_{\textsc {mvba}},c}(\mathcal {F}_{\textsc {ba}} ^V)\), \(D_1=D_{\textsc {psmt}} \), \(D_2=D^{\mathsf {full}}_{\textsc {rba}} \) and \(I=\{2\}\).
From Lemma D.1, \({\pi _{\textsc {mvba}}} \) UCrealizes \(\mathcal {W}_{\mathrm {strict}} ^{D_{\textsc {mvba}}}(\mathcal {F}_{\textsc {ba}} ^V)\), in the \((\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {ba}} ^{\{0,1\}})\)hybrid model, in three rounds, assuming all parties receive their inputs at the same round. Following Theorem 4.4, the compiled protocol \(\mathsf {Comp}_{\textsc {pt}} ^c({\pi _{\textsc {mvba}}},D_1,D_2,I)\) UCrealizes \(\mathcal {F}_{\textsc {ba}} ^{\textsc {pt,v}}\), in the \((\mathcal {F}_{\textsc {psmt}} ^{\textsc {dt}},\mathcal {F}_{\textsc {ba}} ^{\textsc {pt}})\)hybrid model, in an expected constant number of rounds, assuming all parties receive their inputs within \(c+1\) consecutive rounds.
The proof follows since, following Lemma 4.5 and Theorem 5.3 the functionalities \(\mathcal {F}_{\textsc {psmt}} ^{\textsc {dt}}\) and \(\mathcal {F}_{\textsc {ba}} ^{\textsc {pt}}\) can be UCrealized in the \(\mathcal {F}_{\textsc {smt}} \)hybrid model, using expected constant round protocols. \(\square \)
1.2 D.2 Fast and Perfectly Secure Parallel Broadcast (Cont’d)
Our construction proceeds in two steps. In a first step we show how to adapt the protocol from BenOr and ElYaniv [5] to obtain a probabilistic termination (expected constant round) version of unfair parallel broadcast with perfect security. In step two, we use (and improve on) an idea due to Hirt and Zikas [37] to transform our unfair protocol into a fair parallel broadcast protocol.
1.2.1 D.2.1 The Unfair Parallel Broadcast Protocol
In this section, we adjust the interactive consistency protocol of BenOr and ElYaniv [5] (with minor adjustments) to the UC framework. The protocol \({\pi _{\textsc {upbc}}} \) (see Fig. 12 for a detailed description) is parametrized by two integers d and m. Initially, each party distributes its input to all other parties. The underlying idea of the protocol is to run \(n\cdot m\) instances of the BA protocol \({\pi _{\textsc {rba}}} \) in parallel, such that for each \(P _i\), a class of m instances of \({\pi _{\textsc {rba}}} \) are executed on the input of \(P _i\). However, in order to avoid the blowup in the number of rounds, the parallel execution of the protocols is truncated after d phases. Once the first step concludes, each party checks for each of the n classes if it received output in at least one of the executions. If so, it arbitrarily selects one output for each class and distributes the vector of output values to all the parties.
Next, the parties run a leader election protocol and once some party \(P _k\) is elected to be the leader, all parties run a BA protocol on the output vector that was distributed by the leader \(P _k\) earlier (which might be null). Each party checks whether the agreed output corresponds to the output values it received in the first step and sets a termination indicator accordingly. Finally, the parties run another BA protocol on the termination indicators and terminate in case the output is 1; otherwise another iteration is executed.
BenOr and ElYaniv showed that consistency and validity properties are satisfied, and furthermore, if \(m=\log (n)\) and d is such that at least 5 phases of the truncated randomized BA protocol are executed, then the protocol will terminate in a constant expected number of rounds.
We analyze this protocol in a hybrid model, where parties have access to a leader election functionality \(\mathcal {F}_{\textsc {le}} \) and a Byzantine agreement functionality \(\mathcal {F}_{\textsc {ba}} \). We actually require two types of BA functionalities: The first is a standard BA functionality, whereas the second is a “truncated” BA, which runs for a specific number of rounds and halts even if no output is specified. We now describe these ideal functionalities as CSFs.
Leader Election. In the leader election functionality, the parties agree on a random value \(k\in _R[n]\). This functionality can be cast as a special case of secure function evaluation (as defined in Sect. 3.1), where the parties compute the function \(g_{\textsf {le}} (\lambda ,\ldots ,\lambda )=(k, \ldots , k)\). We denote by \(\mathcal {F}_{\textsc {le}} \) the functionality \(\mathcal {F}_{\textsc {sfe}} ^{g_{\textsf {le}}}\).
BenOr and ElYaniv [5] showed how to implement the leader election functionality by first using the oblivious common coin protocol from [28] to compute an oblivious leader election, and next run a (multivalued) Byzantine agreement protocol on the result. The oblivious leader election functionality \(\mathcal {F}_{\textsc {ole}} \) is defined in a similar way to the oblivious common coin functionality (\(\mathcal {F}_{\textsc {oc}} \), Sect. 5.1), with the exception that output value y is not a bit, but a uniformly distributed element in [n]. Denote by \(D_{\textsc {le}} \) the deterministic distribution that outputs a depth1 trace consisting of a root \(\mathcal {W}_{\mathrm {strict}} ^{D_{\textsc {le}}}(\mathcal {F}_{\textsc {le}})\) and 2 leaves \((\mathcal {F}_{\textsc {ole}},\mathcal {F}_{\textsc {ba}} ^{[n]})\).
Lemma D.2
([5]). Let \(t<n/3\). Then, assuming all honest parties receive their inputs at the same round, \(\mathcal {W}_{\mathrm {strict}} ^{D_{\textsc {le}}}(\mathcal {F}_{\textsc {le}})\), in the \((\mathcal {F}_{\textsc {ole}},\mathcal {F}_{\textsc {ba}} ^{[n]})\)hybrid model, with perfect security, in the presence of an adaptive malicious tadversary.
Truncated Byzantine Agreement. The truncated Byzantine agreement functionality is a CSF whose function is parametrized by a set V, an efficiently sampleable distribution D, and a nonnegative integer d. Each party \(P _i\) has input \(x_i\in V\) and receives two output values \((y_1^i,y_2^i)\). The adversary is allowed to learn all the input values as the honest parties send them, i.e., the leakage function is \(l_{\tiny {\textsc {trba}}} (x_1,\ldots ,x_n)=(x_1,\ldots ,x_n)\). The function to compute is \(f_{\tiny {\textsc {trba}}} (x_1,\ldots ,x_n,a)=((y_1^i,y_2^i),\ldots ,(y_1^i,y_2^i))\), which operates as follows:

If there exists a value y such that \(y=x_i\) for at least \(nt\) input values \(x_i\), then set \((y_1^i,y_2^i)\leftarrow (y,\bot )\) for every \(i\in [n]\).

Else, sample a number \(r\leftarrow D\). The adversarial input a is parsed as a vector of \(n+1\) integer values \((a_0,a_1\ldots , a_n)\). The first coordinate \(a_0\) represents the output value, i.e., set \(y\leftarrow a_0\). Next, for each party \(P _i\), set a value \(d_i \leftarrow \min (a_i,r)\). Finally, the output values for each party \(P _i\) is defined as follows:

If \(d_i< d\) then set \((y_1^i,y_2^i)\leftarrow (y,\bot )\).

If \(d_i=d\) then set \((y_1^i,y_2^i)\leftarrow (\bot ,y)\).

If \(d_i>d\) then set \((y_1^i,y_2^i)\leftarrow (\bot ,\bot )\).

In fact, in the protocol \({\pi _{\textsc {upbc}}} \), a parallel version (of s instances, for some s) of the abovedescribed functionality is required. That is, each party \(P _i\) has a vector of input values \({ \varvec{x}}_i=(x^i_1,\ldots ,x^i_s)\) and receives a vector of s output values \((y^i_1,\ldots ,y^i_s)\) where each \(y^i_j\) is a pair of values as above. The leakage function reveals all the input values to the adversary, and the function to compute is essentially s instances of the above function f, where for each instance the value r is sampled from D using independent random coins. In addition, the adversarial input a is parsed as a vector of \(s(n+1)\) integer values, where for each instance, the adversary specifies a different vector \((a_0,a_1\ldots , a_n)\). Note, however, that the value d is the same in all s instances.
We denote by \(\mathcal {F}_{\textsc {trba}} \) the functionality \(\mathcal {F}_{\textsc {csf}} \) describing the parallel version of truncated randomized BA, as described above.
The Protocol. We first describe a version of the protocol by [5] augmented with (a simpler version of) the technique from [34], where all hybrids used are CSFs;^{Footnote 44} using Theorem 4.3 we then obtain our result. Recall that the unfair parallel broadcast functionality \(\mathcal {F}_{\textsc {upbc}} \) is defined in Sect. 5.2.
Let \(d\ge 5\) , let \(m=\log (n)\), and let \(\tau =\log ^{1.5}(\kappa )+1\). Denote by D the geometric distribution with parameter 2q / 3 and support \(\{1\ldots , \tau +1\}\), where q is the probability that when independently sampling nm “terminating phases” \((r_1,\ldots ,r_{nm})\) from the distribution \(D_{\textsc {rba}} \), then for every \(j\in [n]\) it holds that at least one of the values \((r_{(j1)m+1}, \ldots , r_{(j1)m+m})\) is smaller than d. (The distribution D outputs the phase in which the event where \(\mathcal {F}_{\textsc {le}} \) returned a party that was honest before the \(\mathcal {F}_{\textsc {le}} \) invocation and received output in each BA occurs, plus the option that this event did not occur in all \(\tau \) phases.)
Denote by \(D_{\textsc {upbc}} \) the distribution that outputs a depth1 trace with a root \(\mathcal {W}_{\mathrm {flex}} ^{D_{\textsc {upbc}}}(\mathcal {F}_{\textsc {upbc}})\) and where the leaves are set as follows: Initially sample an integer \(r\leftarrow D\). The first leaf is \(\mathcal {F}_{\textsc {psmt}} \), followed by \(\min (r,\tau )\) sequences of \((\mathcal {F}_{\textsc {trba}},\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {le}},\mathcal {F}_{\textsc {ba}},\mathcal {F}_{\textsc {ba}})\). Finally, if \(r= \tau +1\) add the leaf \(\mathcal {F}_{\textsc {upbc}} \).
Lemma D.3
Let \(t<n/3\), and assume all honest parties receive their inputs at the same round. Then, the protocol \({\pi _{\textsc {upbc}}} \) UCrealizes the functionality \(\mathcal {F}_{\textsc {ptupbc}} =\mathcal {W}_{\mathrm {flex}} ^{D_{\textsc {upbc}}}(\mathcal {F}_{\textsc {upbc}})\), in the \((\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {ba}},\mathcal {F}_{\textsc {le}},\mathcal {F}_{\textsc {trba}},\mathcal {F}_{\textsc {upbc}})\)hybrid model, with perfect security, in the presence of an adaptive malicious tadversary.
Proof
We first claim correctness. The protocol \({\pi _{\textsc {upbc}}} \) consists of two parts: The first is running (up to) \(\tau \) phases of the BenOr and ElYaniv [5] protocol, and the second (which only occurs if no output was generated in the first part, i.e., if all honest parties have value \(\mathsf {term}=0\)) consists of calling an unfair parallel broadcast functionality. As shown in [5, Thm. 5], the BenOr and ElYaniv protocol satisfies the consistency and validity properties in the propertybased definition of interactive consistency (i.e., parallel Byzantine agreement). In addition, since the last step in each phase is invoking the BA functionality in order to agree whether all honest parties received output and can safely terminate, or whether an additional phase should be executed, it follows that if one honest party has received output in some phase, then so do the rest of the honest parties.
It follows that:

In case some honest party received output in phase \(\alpha \le \tau \), then all honest parties also receive the same output at this phase (i.e., \(\mathsf {term}=1\) for all honest parties), and so correctness follows from [5].

In case no honest party received output in all \(\tau \) phases (i.e., \(\mathsf {term}=0\) for all honest parties), all honest parties send their initial values to \(\mathcal {F}_{\textsc {upbc}} \) and output the result; hence, correctness follows from the \(\mathcal {F}_{\textsc {upbc}} \) functionality.
Regarding termination, BenOr and ElYaniv showed that for \(d\ge 5\) and \(m=\log (n)\), all honest parties receive their outputs within a constant number of phases in expectation. In the negligible probability that the parties did not receive output in less than \(\tau \) phases, termination is guaranteed by \(\mathcal {F}_{\textsc {upbc}} \).
We now prove that \({\pi _{\textsc {upbc}}} \) UCrealizes \(\mathcal {F}_{\textsc {ptupbc}} \). Let \(\mathcal {A} \) be the dummy adversary and let \(\mathcal {Z} \) be an environment. We construct a simulator \(\mathcal {S} \) that simulates the honest parties in \({\pi _{\textsc {upbc}}} \), the adversary \(\mathcal {A} \) and the ideal functionalities \(\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {ba}},\mathcal {F}_{\textsc {le}},\mathcal {F}_{\textsc {tprba}} \) and \(\mathcal {F}_{\textsc {upbc}} \) to the environment, as follows.

\(\mathcal {S} \) forwards all messages from the environment to \(\mathcal {A} \) (and vice versa).

\(\mathcal {S} \) simulates every honest party by independently sampling random coins for the party and running the protocol according to the protocol’s specification. Note that \(\mathcal {S} \) learns the input for each honest party \(P _i\) as soon as \(P _i\) sends it to \(\mathcal {F}_{\textsc {ptupbc}} \) by receiving the message \((\texttt {leakage},\mathsf {sid},P _i,(x_1, \ldots , x_n))\). In addition, \(\mathcal {S} \) learns the trace of the protocol by receiving the message \((\texttt {trace},\mathsf {sid},T)\) from \(\mathcal {F}_{\textsc {ptupbc}} \) and can derive the guaranteed termination phase \(r_\mathsf {out} \) by counting the number of sequences \((\mathcal {F}_{\textsc {tprba}},\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {le}},\mathcal {F}_{\textsc {ba}},\mathcal {F}_{\textsc {ba}})\) in \(T \) (and setting \(r_\mathsf {out} \leftarrow \tau +1\) if the last CSF is \(\mathcal {F}_{\textsc {upbc}} \)).

Whenever \(\mathcal {A} \) sends a message \((\mathsf {sid},x_j)\) on behalf of a corrupted party \(P _j\) to some honest party during the first round, \(\mathcal {S} \) sends \((\texttt {input},\mathsf {sid},x_j\)) to \(\mathcal {F}_{\textsc {ptupbc}} \) on behalf of \(P _j\). (Note that \(x_j\) is in fact a vector.)

Whenever \(\mathcal {A} \) requests to corrupt some \(P _i\in \mathcal {P} \), the simulator \(\mathcal {S} \) corrupts \(P _i\) and sends the simulated internal state of \(P _i\) (consisting of \(P _i\)’s input, randomness, and incoming messages) to \(\mathcal {A} \). Recall that in case \(\mathcal {A} \) corrupts a party \(P _i\) after it sent its input to some corrupted party, during the first round, \(\mathcal {A} \) may instruct \(P _i\) to send a different value \(x_i\) as its input to all other parties. In this case, \(\mathcal {S} \) sends \((\texttt {input},\mathsf {sid},x_i\)) to \(\mathcal {F}_{\textsc {ptupbc}} \) on behalf of \(P _i\).

In the first \(r_\mathsf {out}1\) phases, \(\mathcal {S} \) simulates \(\mathcal {F}_{\textsc {trba}} \) according to the behavior of the ideal functionality, i.e., by independently sampling nm values from \(D_{\textsc {rba}} \). Next, when simulating the functionality \(\mathcal {F}_{\textsc {le}} \), instead of sampling a random index \(k\in [n]\), the simulator \(\mathcal {S} \) samples k such that in case \(\mathcal {F}_{\textsc {trba}} \) was successful (i.e., if the honest parties received output) k is uniformly distributed conditioned on \(P _k\) is corrupted, i.e., \(\mathcal {S} \) allows \(\mathcal {A} \) to decide whether the protocol will successfully terminate or not in this phase. In case \(\mathcal {A} \) instructs \(P _k\) to follow the protocol, then all honest parties will terminate in this phase (prior to phase \(r_\mathsf {out} \)) with value \({ \varvec{c}}\); \(\mathcal {S} \) sends \((\texttt {advinput},\mathsf {sid}, { \varvec{c}})\) to \(\mathcal {F}_{\textsc {ptupbc}} \) followed by \((\texttt {earlyoutput}, \mathsf {sid}, P _i)\) for every \(P _i\in \mathcal {P} \).

In case no honest party has terminated prior to phase \(r_\mathsf {out} \), then \(\mathcal {S} \) proceeds as follows:

In case \(r_\mathsf {out} \le \tau \), when simulating \(\mathcal {F}_{\textsc {trba}} \) in the \(r_\mathsf {out} \)th phase, \(\mathcal {S} \) ensures that honest parties will receive output, and when simulating \(\mathcal {F}_{\textsc {le}} \), \(\mathcal {S} \) uniformly selects an index k such that \(P _k\) was honest before the simulation of \(\mathcal {F}_{\textsc {le}} \). Next, \(\mathcal {S} \) sends \((\texttt {advinput},\mathsf {sid}, { \varvec{c}}_k)\) to \(\mathcal {F}_{\textsc {ptupbc}} \) and continues simulating the protocol. Since \(P _k\) was honest when distributing \({ \varvec{c}}_k\), this ensures that the honest parties will receive output \({ \varvec{c}}_k\) in the simulated protocol.

In case \(r_\mathsf {out} =\tau +1\), i.e., in case no party received output in all \(\tau \) phases, \(\mathcal {S} \) simulates the functionality \(\mathcal {F}_{\textsc {upbc}} \) to the adversary. Initially, \(\mathcal {S} \) simulates all honest parties sending their initial inputs as their input to \(\mathcal {F}_{\textsc {upbc}} \) and receives the input values from the adversary on behalf of the corrupted parties. (Recall that the adversary may dynamically corrupt honest parties and change their input message.) Next, \(\mathcal {S} \) computes the result as in \(\mathcal {F}_{\textsc {upbc}} \), i.e., it provides the output \((x_1,\ldots ,x_n)\) to each party.

It follows using a standard hybrid argument that the view of the environment \(\mathcal {Z} \) is identically distributed when interacting with a realworld execution of \({\pi _{\textsc {upbc}}} \) and the dummy adversary, and when interacting with the simulator \(\mathcal {S} \) and the ideal model computation of \(\mathcal {F}_{\textsc {ptupbc}} \). \(\square \)
Using Theorem 4.3 we obtain the following as a result.
Theorem 5.5
Let \(c\ge 0\) and \(t<n/3\). There exists an efficiently sampleable distribution D such that the functionality \(\mathcal {W}_{\text {slflex}} ^{D,c}(\mathcal {F}_{\textsc {upbc}})\) has an expected constant round complexity and can be UCrealized in the \(\mathcal {F}_{\textsc {smt}} \)hybrid model, with perfect security, in the presence of an adaptive malicious tadversary, assuming that all honest parties receive their inputs within \(c+1\) consecutive rounds.
Proof
(sketch). Denote by \(D_{\textsc {trba}} \) the deterministic distribution that outputs a trace consisting of a root \(\mathcal {W}_{\mathrm {strict}} ^{D_{\textsc {trba}}}(\mathcal {F}_{\textsc {trba}})\) and a constant number of leaves \(\mathcal {F}_{\textsc {psmt}} \) (corresponding to d phases of \({\pi _{\textsc {rba}}} \)). Denote by \(D_{\textsc {dtupbc}} \) the deterministic distribution that outputs a trace consisting of a root \(\mathcal {W}_{\mathrm {strict}} ^{D_{\textsc {dtupbc}}}(\mathcal {F}_{\textsc {upbc}})\) and \(t+1\) leaves \(\mathcal {F}_{\textsc {psmt}} \). Denote by \(D_{\textsc {ole}} \) the deterministic distribution that outputs a trace consisting of a root \(\mathcal {W}_{\mathrm {strict}} ^{D_{\textsc {ole}}}(\mathcal {F}_{\textsc {ole}})\) and 32 leaves \(\mathcal {F}_{\textsc {psmt}} \). Let \(D^{\mathsf {full}}_{\textsc {le}} =\mathsf {full}\text {}\mathsf {trace}(D_{\textsc {le}},D_{\textsc {psmt}},D^{\mathsf {full}}_{\textsc {mvba}})\).
For simplicity, denote the functionalities \(\mathcal {F}_{\textsc {upbc}} ^{\textsc {pt}}=\mathcal {W}_{\text {slflex}} ^{D^{\mathsf {full}}_{\textsc {upbc}},c}(\mathcal {F}_{\textsc {upbc}})\), \(\mathcal {F}_{\textsc {trba}} ^{\textsc {dt}}=\mathcal {W}_{\text {slstrict}} ^{D_{\textsc {trba}},c}(\mathcal {F}_{\textsc {trba}})\), \(\mathcal {F}_{\textsc {le}} ^{\textsc {pt}}=\mathcal {W}_{\text {slflex}} ^{D^{\mathsf {full}}_{\textsc {le}},c}(\mathcal {F}_{\textsc {le}})\), \(\mathcal {F}_{\textsc {upbc}} ^{\textsc {dt}}=\mathcal {W}_{\text {slstrict}} ^{D_{\textsc {dtupbc}},c}(\mathcal {F}_{\textsc {upbc}})\). In addition, denote \(D_1=D_{\textsc {psmt}} \), \(D_2=D^{\mathsf {full}}_{\textsc {rba}} \), \(D_3=D_{\textsc {le}} \), \(D_4=D_{\textsc {trba}} \), \(D_5=D_{\textsc {dtupbc}} \) and \(I=\{2,3\}\).
Following Lemma D.3, \({\pi _{\textsc {upbc}}} \) UCrealizes \(\mathcal {W}_{\mathrm {flex}} ^{D_{\textsc {upbc}}}(\mathcal {F}_{\textsc {upbc}})\), in the \((\mathcal {F}_{\textsc {psmt}},\mathcal {F}_{\textsc {ba}},\mathcal {F}_{\textsc {le}},\mathcal {F}_{\textsc {trba}},\mathcal {F}_{\textsc {upbc}})\)–hybrid model, using an expected constant number of rounds, assuming that all the parties receive their inputs at the same round. By applying Theorem 4.3, the compiled protocol \(\mathsf {Comp}_{\textsc {ptr}} ^c({\pi _{\textsc {upbc}}},D_1,D_2,D_3,D_4,D_5,I)\) UCrealizes \(\mathcal {F}_{\textsc {upbc}} ^{\textsc {pt}}\), in the \((\mathcal {F}_{\textsc {psmt}} ^{\textsc {dt}}, \mathcal {F}_{\textsc {ba}} ^{\textsc {pt}}, \mathcal {F}_{\textsc {le}} ^{\textsc {pt}},\mathcal {F}_{\textsc {trba}} ^{\textsc {dt}},\mathcal {F}_{\textsc {upbc}} ^{\textsc {dt}})\)hybrid model, in an expected constant number of rounds, assuming all parties receive their inputs within \(c+1\) consecutive rounds.
The proof follows since each of the functionalities \(\{\mathcal {F}_{\textsc {psmt}} ^{\textsc {dt}}, \mathcal {F}_{\textsc {ba}} ^{\textsc {pt}}, \mathcal {F}_{\textsc {le}} ^{\textsc {pt}},\mathcal {F}_{\textsc {trba}} ^{\textsc {dt}},\mathcal {F}_{\textsc {upbc}} ^{\textsc {dt}}\}\) can be UCrealized in the \(\mathcal {F}_{\textsc {smt}} \)hybrid model with expected constant round complexity. \(\square \)
Rights and permissions
About this article
Cite this article
Cohen, R., Coretti, S., Garay, J. et al. Probabilistic Termination and Composability of Cryptographic Protocols. J Cryptol 32, 690–741 (2019). https://doi.org/10.1007/s001450189279y
Received:
Revised:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s001450189279y