A Note on Perfect Correctness by Derandomization

Abstract

We show a general compiler that transforms a large class of erroneous cryptographic schemes (such as public-key encryption, indistinguishability obfuscation, and secure multiparty computation schemes) into perfectly correct ones. The transformation works for schemes that are correct on all inputs with probability noticeably larger than half, and are secure under parallel repetition. We assume the existence of one-way functions and of functions with deterministic (uniform) time complexity \(2^{O(n)}\) and non-deterministic circuit complexity \(2^{\Omega (n)}\). Our transformation complements previous results that showed how public-key encryption and indistinguishability obfuscation that err on a noticeable fraction of inputs can be turned into ones that for all inputs are often correct, showing that they can be made perfectly correct. The technique relies on the idea of “reverse randomization” [Naor, Crypto 1989] and on Nisan–Wigderson style derandomization, previously used in cryptography to remove interaction from witness-indistinguishable proofs and commitment schemes [Barak, Ong and Vadhan, Crypto 2003].

Introduction

Randomized algorithms are often faster and simpler than their state-of-the-art deterministic counterparts, yet, by their very nature, they are error-prone. This gap has motivated a rich study of derandomization, where a central avenue has been the design of pseudo-random generators [8, 28, 31] that could offer one universal solution for the problem. This has led to surprising results, intertwining cryptography and complexity theory, and culminating in a derandomization of \(\mathbf {BPP}\) under worst-case complexity assumptions, namely the existence of functions in \(\mathbf{E}=\mathbf{Dtime}(2^{O(n)})\) with worst-case circuit complexity \(2^{\Omega (n)}\) [24, 28].

For cryptographic algorithms, the picture is somewhat more subtle. Indeed, in cryptography, randomness is almost always necessary to guarantee any sense of security. While many cryptographic schemes are perfectly correct even if randomized, some do make errors. For example, in some encryption algorithms, notably the lattice-based ones [1, 29], most but not all ciphertexts can be decrypted correctly. Here, however, we cannot resort to general derandomization, as a (completely) derandomized version will most likely be totally insecure.

It gets worse. While for general algorithms infrequent errors are tolerable in practice, for cryptographic algorithms, errors can be (and have been) exploited by adversaries (see [4] and a long line of follow-up works). Thus, the question of eliminating errors is ever more important in the cryptographic context. This question was addressed in a handful of special contexts in cryptography. In the context of interactive proofs, [16, 19] show how to turn any interactive proof into one with perfect completeness. In the context of encryption schemes, Goldreich, Goldwasser, and Halevi [17] showed how to partially eliminate errors from lattice-based encryption schemes [1, 29]. Subsequent works, starting from that of Dwork, Naor and Reingold [15], show how to partially eliminate errors from any encryption scheme [23, 26]. Here, “partial” refers to the fact that they eliminate errors from the encryption and decryption algorithms, but not the key generation algorithm. That is, in their final immunized encryption scheme, it could still be the case that there are bad keys that always cause decryption errors. In the context of indistinguishability obfuscation (IO), Bitansky and Vaikuntanathan [11] show how to partially eliminate errors from any IO scheme. Concretely, assuming subexponential hardness of learning with errors (LWE) [29], they show how to convert any subexponentially secure IO scheme that might err on a fraction of the inputs into one that is correct on all inputs, with high probability over the coins of the obfuscator. This was improved by Ananth, Jain, and Sahai [2] who base the result on polynomial hardness and one-way functions instead of LWE.

This Work We show how to completely immunize a large class of cryptographic algorithms, turning them into algorithms that make no errors at all. Our most general result concerns cryptographic algorithms (or protocols) that are “secure under parallel repetition.” We show:

Theorem 1.1

(Informal) Assume that one-way functions exist and functions with deterministic (uniform) time complexity \(2^{O(n)}\) and non-deterministic circuit complexity \(2^{\Omega (n)}\) exist. Then, any encryption scheme, indistinguishability obfuscation scheme, and multiparty computation protocol that is secure under parallel repetition can be completely immunized against errors.

More precisely, we show that perfect correctness is guaranteed when the transformed scheme or protocol is executed honestly. The security of the transformed scheme or protocol is inherited from the security of the original scheme under parallel repetition. In the default setting of encryption and obfuscation schemes, encryption and obfuscation are always done honestly, and security under parallel repetition is well known to be guaranteed automatically. Accordingly, we obtain the natural notion of perfectly correct encryption and obfuscation. In contrast, in the setting of MPC, corrupted parties may in general affect any part of the computation. In particular, in the case of corrupted parties, the transformed protocol does not provide a better correctness guarantee, but only the same correctness guarantees as the original (repeated) protocol.

We find that perfect correctness is a natural requirement and the ability to generically achieve it for a large class of cryptographic schemes is aesthetically appealing. In addition, while in many applications almost perfect correctness may be sufficient, some applications do require perfectly correct cryptographic schemes. For example, using public-key encryption as a commitment scheme requires perfect correctness, the construction of non-interactive witness-indistinguishable proofs in [10] requires a perfectly correct indistinguishability obfuscation, and the construction of 3-message zero knowledge against uniform verifiers [3] requires perfectly correct delegation schemes.

Our tools, perhaps unsurprisingly given the above discussion, come from the area of derandomization, in particular, we make heavy use of Nisan–Wigderson (NW) type pseudo-random generators. Such NW-generators were previously used by Barak, Ong, and Vadhan [9] to remove interaction from commitment schemes and ZAPs. We use it here for a different purpose, namely to immunize cryptographic algorithms from errors. Below, we elaborate on the similarities and differences.

The Basic Idea

We briefly explain the basic idea behind the transformation, focusing on the case of public-key encryption. Imagine that we have an encryption scheme given by randomized key-generation and encryption algorithms, and a deterministic decryption algorithm \(({\mathsf {Gen}},{\mathsf {Enc}},{\mathsf {Dec}})\), where for any message \(m\in \{0,1\}^n\), there is a tiny decryption error:

$$\begin{aligned} \Pr _{(r_g,r_e)\leftarrow \{0,1\}^{\mathrm{poly}(n)}}\left[ {\mathsf {Dec}}_{sk}({\mathsf {Enc}}_{pk}(m;r_e)) \ne m\; \vert \; (pk,sk)={\mathsf {Gen}}(r_g)\right] \le 2^{-n}\, . \end{aligned}$$

Can we deterministically choose “good randomness” \((r_g,r_e)\) that leads to correct decryption? This question indeed seems analogous to the question of derandomizing \(\mathbf{BPP}\). There, the problem can be solved using Nisan–Wigderson type pseudo-random generators [28]. Such generators can produce a \(\mathrm{poly}(n)\)-long pseudo-random string using a short random seed of length \(d(n)=O(\log n)\). They are designed to fool distinguishers of some prescribed polynomial size t(n) and may run in time \(2^{O(d)} \gg t\). Derandomization of the \(\mathbf{BPP}\) algorithm is then simply done by enumerating over all \(2^{d}=n^{O(1)}\) seeds and taking the majority.

We can try to use NW-type generators to solve our problem in a similar way. However, the resulting scheme would not be secure – indeed, it will be deterministic, which means it cannot be semantically secure [18]. To get around this, we use the idea of reverse randomization from [14, 15, 25, 27]. For each possible seed \(i \in \{0,1\}^d\) for the NW-generator \({\mathsf {NW}}{\mathsf {PRG}}\), we derive corresponding randomness

$$\begin{aligned} (r^i_e,r^i_g) = {\mathsf {NW}}{\mathsf {PRG}}(i) \oplus \left( {\mathsf {BMY}}{\mathsf {PRG}}(s_e^i), {\mathsf {BMY}}{\mathsf {PRG}}(s_g^i)\right) \, . \end{aligned}$$

Here \({\mathsf {BMY}}{\mathsf {PRG}}\) is a Blum-Micali-Yao (a.k.a cryptographic) pseudo-random generator [7, 32], and the seeds \((s_g^i,s_e^i)\in \{0,1\}^{\ell }\) are chosen independently for every i, with the sole restriction that their image is sparse enough (say, they are of total length \(\ell = n/2\)). Encryption and decryption for any given message are now done in parallel with respect to all \(2^d\) copies of the original scheme, where the final result of decryption is defined to be the majority of the \(2^d\) decrypted messages.

Security is now guaranteed by the BMY-type generators and the fact that public-key encryption can be securely performed in parallel. Crucially, the pseudo-randomness of BMY strings is guaranteed despite the fact that their image forms a sparse set. The fact that the set of BMY string is sparse will be used to the perfect correctness of the scheme. In particular, when shifted at random, this set will evade the (tiny) set of “bad randomness” (that lead to decryption errors) with high probability \(1-2^{\ell -n}\ge 1-2^{-n/2}\).

In the actual construction, the image is not shifted truly at random, but rather by an NW-pseudo-random string, and we would like to argue that this suffices to get the desired correctness. To argue that NW-pseudo-randomness is enough, we need to show that with high enough probability (say 0.51) over the choice of the NW string, the shifted image of the BMY generator still evades “bad randomness.” This last property may not be efficiently testable deterministically, but can be tested non-deterministically in fixed polynomial time, by guessing the seeds for the BMY generator that would lead to bad randomness. We accordingly rely on NW generators that fool non-deterministic circuits. Such pseudo-random generators are known under the worst case assumption that there exist functions in \(\mathbf{E}\) with non-deterministic circuit complexity \(2^{\Omega (n)}\) [30].

Related Work on Derandomization in Cryptography

Barak, Ong, and Vadhan [9] were the first to demonstrate how NW-type derandomization can be useful in cryptography. They showed how NW generators can be used to derandomize Naor’s commitments [27] and Dwork and Naor’s ZAPs [14]. In Sect. 3.1, we discuss in further detail the relation and differences between their work and this work.

Subsequently, Barak, Lindell, and Vadhan [6] used NW generators to obtain a lower bound for 2-message public-coin (plain) zero-knowledge proofs.

Organization In Sect. 2, we give the required preliminaries. Section 3 presents the transformation itself. In Sect. 4, we discuss several examples of interest where the transformation can be applied.

Preliminaries

In this section, we give the required preliminaries, including standard computational concepts, cryptographic schemes and protocols, and the derandomization tools that we use.

Standard Computational Concepts

We recall standard computational concepts concerning Turing machines and Boolean circuits.

• By algorithm we mean a uniform Turing machine. We say that an algorithm is \(\hbox {PPT}\) if it is probabilistic and polynomial time.

• A polynomial-size circuit family \({\mathcal {C}}\) is a sequence of circuits \({\mathcal {C}}=\left\{ {C_\lambda }\right\} _{\lambda \in {\mathbb {N}}}\), such that each circuit \(C_\lambda \) is of polynomial size \(\lambda ^{O(1)}\) and has \(\lambda ^{O(1)}\) input and output bits.

• We follow the standard habit of modeling any efficient adversary strategy \({\mathcal {A}}\) as a family of polynomial-size circuits. For an adversary \({\mathcal {A}}\) corresponding to a family of polynomial-size circuits \(\left\{ {{\mathcal {A}}_\lambda }\right\} _{\lambda \in {\mathbb {N}}}\), we often omit the subscript \(\lambda \), when it is clear from the context. For simplicity, we shall simply call such an adversary a polynomial-size adversary.

• We say that a function \(f:{\mathbb {N}}\rightarrow {\mathbb {R}}\) is negligible if it decays asymptotically faster than any polynomial.

• Two ensembles of random variables \({\mathcal {X}}=\{X_{\lambda }\}_{\lambda \in {\mathbb {N}}}\) and \({\mathcal {Y}}=\{Y_{\lambda }\}_{\lambda \in {\mathbb {N}}}\) are said to be computationally indistinguishable, denoted by \({\mathcal {X}}\approx _c {\mathcal {Y}}\), if for all polynomial-size distinguishers \({\mathcal {D}}\), there exists a negligible function \(\nu \) such that for all \(\lambda \),

  $$\begin{aligned} \left| {\Pr [{\mathcal {D}}(X_\lambda )=1] - \Pr [{\mathcal {D}}(Y_\lambda )=1]}\right| \le \nu (\lambda ). \end{aligned}$$

Cryptographic Schemes and Rotocols

We consider a simple model of cryptographic schemes and protocols that will allow to describe the transformation generally. In Sect. 4, we give several examples of such schemes and protocols.

Executions: Let \(\lambda \) be a security parameter and let \(m=m(\lambda ),n=n(\lambda ),\ell =\ell (\lambda )\) be polynomially bounded functions. An (honest) execution of an m-party scheme (or protocol) \(\Pi \) involves interaction between m \(\hbox {PPT}\) parties with inputs \((x_1,\dots ,x_m)\in \{0,1\}^{n\times m}\) and randomness \((r_1,\dots ,r_m)\in \{0,1\}^{\ell \times m}\), at the end of which they each produce outputs \((y_1,\dots ,y_m)\in \{0,1\}^{n\times m}\). Abstracting out, we will think of \(\Pi \) as a single \(\hbox {PPT}\) process that runs in some fixed polynomial time and denote it by \(y \leftarrow \Pi (1^\lambda ,x,r)\), where \(x=(x_1,\dots ,x_m),y=(y_1,\dots , y_m)\), and \(r=(r_1,\dots ,r_m)\).

Definition 2.1

(\((1-\alpha )\)-Correctness) Let \(f:\{0,1\}^{n\times m}\rightarrow \{0,1\}^{n \times m}\) be a polynomial-time computable function. \(\Pi \) computes f \((1-\alpha )\)-correctly if for any \(\lambda \) and any \(x \in \{0,1\}^{n\times m}\),

$$\begin{aligned} \Pr _{r \leftarrow \{0,1\}^{\ell \times m}}\left[ y\ne f(x)\; \vert \; y \leftarrow \Pi (1^\lambda ,x,r)\right] \le \alpha (\lambda ) \, . \end{aligned}$$

Repeated Executions For a function \(k=k(\lambda )\), inputs \(x = (x_1,\dots ,x_m)\in \{0,1\}^{n\times m}\) and randomness \(r=(r_{ij})_{i\in [m],j\in [k]}\), where \(r_{i,j} \in \{0,1\}^{\ell }\), the repeated execution \(y\leftarrow \Pi _{\otimes k}(1^\lambda ,x,r)\) consists of executing \(\Pi (1^\lambda ,x,r_1),\dots ,\Pi (1^\lambda ,x,r_k)\), where \(r_j = (r_{1j},\dots ,r_{mj})\), in parallel and obtaining the corresponding outputs, namely, \(y=(y_{ij})_{i\in [m],j\in [k]}\).

NW and BMY PRGs

We now define the basic tools required for the main transformation — NW-type PRGs [28] and BMY-type PRGs [7, 32]. The transformation itself is given in the next section.

Definition 2.2

(Non-deterministic Circuits) A non-deterministic Boolean circuit \(C(x,w)\) takes x as a primary input and w as a witness. We define \(C(x) := 1\) if and only if there exists w such that \(C(x,w)=1\).

Definition 2.3

(NW-Type PRGs against Non-deterministic Circuits) An algorithm \({\mathsf {NW}}{\mathsf {PRG}}:\{0,1\}^{d(n)} \rightarrow \{0,1\}^{n}\) is an NW-generator against non-deterministic circuits of size t(n) if it is computable in time \(2^{O(d(n))}\) and any non-deterministic circuit C of size at most t(n) distinguishes \(U\leftarrow \{0,1\}^{n}\) from \({\mathsf {NW}}{\mathsf {PRG}}(s)\), where \(s \leftarrow \{0,1\}^{d(n)}\), with advantage at most 1/t(n).

We shall rely on the following theorem by Shaltiel and Umans [30] regarding the existence NW-type PRGs as above assuming worst-case hardness for non-deterministic circuits.

Theorem 2.4

([30]) Assume there exists a function \(f:\{0,1\}^n\rightarrow \{0,1\}\) in \(\mathbf{E}=\mathbf{Dtime}(2^{O(n)})\) with non-deterministic circuit complexity \(2^{\Omega (n)}\). Then, for any polynomial \(t(\cdot )\), there exists an NW-generator against non-deterministic circuits of size t(n) \({\mathsf {NW}}{\mathsf {PRG}}:\{0,1\}^{d(n)} \rightarrow \{0,1\}^{n}\), where \(d(n)=O(\log n)\).

We remark that the above is a worst-case assumption in the sense that the function f needs to be hard in the worst-case (and not necessarily in the average-case). The assumption can be seen as a natural generalization of the assumption that \(\mathbf{EXP} \not \subseteq \mathbf{NP}\). We also note that there is a universal candidate for the corresponding PRG, by instantiating the hard function with any \(\mathbf{E}\)-complete language under linear reductions. See further discuss in [9].

We now define BMY-type (a.k.a cryptographic) PRGs.

Definition 2.5

(BMY-Type PRGs) An algorithm \({\mathsf {BMY}}{\mathsf {PRG}}:\{0,1\}^{d(n)} \rightarrow \{0,1\}^{n}\) is a BMY-generator if it is computable in time \(\mathrm{poly}(d(n))\) and any polynomial-size adversary distinguishes \(U\leftarrow \{0,1\}^{n}\) from \({\mathsf {BMY}}{\mathsf {PRG}}(s)\), where \(s \leftarrow \{0,1\}^{d(n)}\), with negligible advantage \(n^{-\omega (1)}\).

Theorem 2.6

([22]) BMY-type pseudo-random generators can be constructed from any one-way function.

The Error-Removing Transformation

We now describe a transformation from any \((1-\alpha )\)-correct scheme \(\Pi \) for a function f into a perfectly correct one. For a simpler exposition, we restrict attention to the case that the error \(\alpha \) is tiny. We later show how this restriction can be removed.

Ingredients. In the following, let \(\lambda \) be a security parameter, let \(m=m(\lambda ),n=n(\lambda ),\ell =\ell (\lambda )\) be polynomials, and \(\alpha =\alpha (\lambda )\le 2^{-\lambda m-2}\). We rely on the following:

• A \((1-\alpha )\)-correct scheme \(\Pi \) computing \(f:\{0,1\}^{n\times m} \rightarrow \{0,1\}^{n\times m}\) where each party uses randomness of length \(\ell \).

• A BMY-type pseudo-random generator \({\mathsf {BMY}}{\mathsf {PRG}}:\{0,1\}^{\lambda }\rightarrow \{0,1\}^{\ell }\).

• An NW-type pseudo-random generator \({\mathsf {NW}}{\mathsf {PRG}}:\{0,1\}^{d} \rightarrow \{0,1\}^{\ell \times m}\) against non-deterministic circuits of size \(t=t(\lambda )\), where t and d depend on the parameters \(m,n,\ell ,\Pi ,f,{\mathsf {BMY}}{\mathsf {PRG}}\), \(t=\lambda ^{O(1)}\), \(d(\lambda )=O(\log \lambda )\), and will be specified later on. We shall denote \(k=2^d\).

The New Scheme:

Given security parameter \(1^\lambda \) and input \(x \in \{0,1\}^{n\times m}\):

1. 1.

   Randomness Generation: Each party \(i\in [m]\)

   • samples k BMY strings \((r^{{\mathsf {BMY}}}_{i1},\dots ,r^{{\mathsf {BMY}}}_{ik})\), where \(r^{\mathsf {BMY}}_{ij} = {\mathsf {BMY}}{\mathsf {PRG}}(s_{ij})\) and \(s_{ij} \leftarrow \{0,1\}^{\lambda }\).

   • computes (all) k NW strings \((r^{{\mathsf {NW}}}_{1},\dots ,r^{{\mathsf {NW}}}_{k})\), where \(r^{{\mathsf {NW}}}_{j} ={\mathsf {NW}}{\mathsf {PRG}}(j)\), and derives \((r^{{\mathsf {NW}}}_{i1},\dots ,r^{{\mathsf {NW}}}_{ik})\), where \(r_{ij}\) is the ith \(\ell \)-bit block of \(r^{{\mathsf {NW}}}_{j}\).

   • compute \(r_{i1},\dots ,r_{ik}\) where \(r_{ij} =r^{{\mathsf {BMY}}}_{ij}\oplus r^{{\mathsf {NW}}}_{ij}\).

2. 2.

   Emulating the Parallel Scheme:

   • the parties emulate the repeated scheme \(\Pi _{\otimes k}(1^\lambda ,x,r)\), with randomness \(r=(r_{ij})_{i\in [m],j\in [k]}\).

   • each party i obtains outputs \((y_{i1},\dots ,y_{ik})\), and in turn computes and outputs \(y_i =\mathsf {majority}(y_{i1},\dots ,y_{ik})\).

Correctness. We now turn to show that the new scheme is perfectly correct.

Proposition 3.1

The new scheme is perfectly correct.

Proof

We first note that had \(r^{\mathsf {NW}}\) been chosen at truly random (instead of using \({\mathsf {NW}}{\mathsf {PRG}}\)) then for any input, with high probability over the choice of \(r^{\mathsf {NW}}\), the corresponding scheme would have been perfectly correct.

Claim 3.1

For any \(\lambda \in {\mathbb {N}}\) and \(x\in \{0,1\}^{n\times m}\),

$$\begin{aligned} \Pr _{r^{\mathsf {NW}}\leftarrow \{0,1\}^{\ell \times m}}\left[ \exists s_1,\dots ,s_m \in \{0,1\}^{\lambda }: \begin{array}{c} f(x)\ne \Pi (1^\lambda ,x,r)\\ r = r_s^{\mathsf {BMY}}\oplus r^{\mathsf {NW}}\end{array}\right] \le \frac{1}{4}\, , \end{aligned}$$

where \(r_s^{\mathsf {BMY}}=\left( {\mathsf {BMY}}{\mathsf {PRG}}(s_1),\dots ,{\mathsf {BMY}}{\mathsf {PRG}}(s_m)\right) \).

Proof

Fixing any such \(\lambda \), x, and \(s=(s_1,\dots ,s_m)\), the string \(r = r_s^{\mathsf {BMY}}\oplus r^{\mathsf {NW}}\) is distributed uniformly at random. In this case, the scheme is guaranteed to err with probability at most \(\alpha \le 2^{-\lambda m}/4\). The claim now follows by taking a union bound over all \(2^{ \lambda m}\) tuples \(s_1,\dots ,s_m\). \(\square \)

We now claim that a similar property holds with roughly the same probability when \(r^{\mathsf {NW}}\) is pseudo-random as in the actual transformation.

Claim 3.2

For any \(\lambda \in {\mathbb {N}}\) and \(x\in \{0,1\}^{n\times m}\),

$$\begin{aligned} \Pr _{ j \leftarrow \{0,1\}^{d} }\left[ \exists s_1,\dots ,s_m \in \{0,1\}^{\lambda }: \begin{array}{c} f(x)\ne \Pi (1^\lambda ,x,r)\\ r = r_s^{\mathsf {BMY}}\oplus r_j^{\mathsf {NW}}\end{array}\right] \le \frac{1}{4}+\frac{1}{t}\, , \end{aligned}$$

where \(r_s^{\mathsf {BMY}}= \left( {\mathsf {BMY}}{\mathsf {PRG}}(s_1),\dots , {\mathsf {BMY}}{\mathsf {PRG}}(s_m)\right) \) and \(r_j^{\mathsf {NW}}= {\mathsf {NW}}{\mathsf {PRG}}(j)\).

Proof

Assume toward contradiction that the claim does not hold for some \(\lambda \in {\mathbb {N}}\) and \(x\in \{0,1\}^{n\times m}\). We construct a non-deterministic distinguisher that breaks \({\mathsf {NW}}{\mathsf {PRG}}\). The distinguisher has the input x hardwired. Given \(r^{\mathsf {NW}}\), it non-deterministically guesses \(s_1,\dots ,s_m\), computes \(r^{\mathsf {BMY}}=({\mathsf {BMY}}{\mathsf {PRG}}(s_1), \dots ,{\mathsf {BMY}}{\mathsf {PRG}}(s_m))\), \(r=r^{\mathsf {NW}}\oplus r^{\mathsf {BMY}}\), and checks whether \(f(x) \ne \Pi (1^\lambda ,x,r)\). As we just proved in the previous claim, when \(r^{\mathsf {NW}}\) is truly random, such a witness \(s_1,\dots ,s_m\) exists with probability at most 1/4, whereas, by our assumption toward contradiction, when \(r^{\mathsf {NW}}\) is pseudo-random such a witness exists with probability larger than \(\frac{1}{t}+\frac{1}{4}\).

The size of the above distinguisher is some fixed polynomial \(t'(\lambda )\) that depends only on \(m,n,\ell \) and the time required to compute \(\Pi ,f,{\mathsf {BMY}}{\mathsf {PRG}}\). Thus, in the construction we choose \(t>\max \left( {t',8}\right) \), meaning that the constructed distinguisher indeed breaks \({\mathsf {NW}}{\mathsf {PRG}}\). \(\square \)

With the last claim, we now conclude the proof of Proposition 3.1. Indeed, for any input x, when emulating the k-fold repetition \(\Pi _{\otimes k}(1^\lambda ,x,r)\), the randomness used for the jth copy \(\Pi (1^\lambda ,x,r_j)\) is \(r_j = r^{\mathsf {NW}}_j \oplus r_{s_j}^{\mathsf {BMY}}\) where \(r^{\mathsf {NW}}_j={\mathsf {NW}}{\mathsf {PRG}}(j)\) and \(r^{\mathsf {BMY}}_{s_j}=({\mathsf {BMY}}{\mathsf {PRG}}(s_{j1}),\dots ,{\mathsf {BMY}}{\mathsf {PRG}}(s_{j1}))\). By the last claim, for all but a \(\frac{1}{4}+\frac{1}{t}\le \frac{3}{8}\) fraction of the \({\mathsf {NW}}\)-seeds j, any choice of \({\mathsf {BMY}}\)-seeds \(s_j\) yields the correct result \(y_j=f(x)\) in the corresponding execution \(\Pi (1^\lambda ,x,r_j)\). In particular, it is always the case that the majority of executions results in \(y=f(x)\), as required. \(\square \)

Security. We now observe that the randomness generated according to the transformation is indistinguishable from real randomness. Intuitively, this means that if the original scheme was secure under parallel repetition, when the honest parties use real randomness, it will remain as secure when using randomness generated according to the transformation. Examples are given in the next section.

Concretely, we consider two distributions \(r^{\mathsf {tra}}\) and \(r^{\mathsf {uni}}\) on randomness for the parties in \(\Pi _{\otimes k}\):

1. 1.

   In \(r^{\mathsf {tra}}= \left( r^{\mathsf {tra}}_{ij}: i\in [m],j\in [k]\right) \), each \(r^{\mathsf {tra}}_{ij}\) is computed as in the above transformation; namely \(r_{ij} = r_{ij}^{\mathsf {BMY}}\oplus r_{ij}^{\mathsf {NW}}\), where \(r_{i,j}^{\mathsf {BMY}}={\mathsf {BMY}}{\mathsf {PRG}}(s_{ij})\) for a random seed \(s_{ij} \leftarrow \{0,1\}^{\lambda }\) and \(r_{ij}^{\mathsf {NW}}\) is the ith \(\ell \)-bit block of \({\mathsf {NW}}{\mathsf {PRG}}(j)\).

2. 2.

   In \(r^{\mathsf {uni}}= \left( r^{\mathsf {uni}}_{ij}: i\in [m],j\in [k]\right) \), each \(r^{\mathsf {uni}}_{ij}\) is sampled uniformly at random, namely \(r^{\mathsf {uni}}_{ij}\leftarrow \{0,1\}^\ell \).

Proposition 3.2

\(r^{\mathsf {tra}}\) and \(r^{\mathsf {uni}}\) are computationally indistinguishable.

Proof

By the security of the BMY PRG, for any i, j:

$$\begin{aligned} r_{ij}^{\mathsf {tra}}= r_{ij}^{\mathsf {BMY}}\oplus r_{ij}^{\mathsf {NW}}={\mathsf {BMY}}{\mathsf {PRG}}(s_{ij}) \oplus r_{ij}^{\mathsf {NW}}\approx _c r_{ij}^{\mathsf {uni}}\oplus r_{ij}^{\mathsf {NW}}\equiv r_{ij}^{\mathsf {uni}}\, . \end{aligned}$$

Since \(r_{ij}^{\mathsf {tra}}\) (respectively, \(r_{ij}^{\mathsf {uni}}\)) is generated independently from all other \(r_{i'j'}^{\mathsf {tra}}\) (respectively \(r_{i'j'}^{\mathsf {uni}}\)), the proposition follows by a standard hybrid argument. \(\square \)

Removing the Assumption Regarding Tiny Error Above we assumed that \(\alpha (\lambda ) \le 2^{-\lambda m-2}\). We now show how to remove this assumption using standard amplification by parallel repetition. For completeness, we explicitly describe the transformation.

Ingredients In the following, let \(\lambda \) be a security parameter, let \(m=m(\lambda ),n=n(\lambda ),\ell =\ell (\lambda )\) be polynomials, and \(\eta =\lambda ^{-O(1)}\), and let \(k' = 3\lambda m \eta ^{-2}\). Let \(\Pi \) be a \((1/2+\eta )\)-correct scheme computing \(f:\{0,1\}^{n\times m} \rightarrow \{0,1\}^{n\times m}\) where each party uses randomness of length \(\ell \).

The New Scheme:

Given security parameter \(1^\lambda \) and input \(x \in \{0,1\}^{n\times m}\):

1. 1.

   Randomness Generation: Each party \(i\in [m]\)

   • samples \(k'\) random strings \((r_{i1},\dots ,r_{ik'})\), where \(r_{ij} \leftarrow \{0,1\}^{\ell }\).

2. 2.

   Emulating the Parallel Scheme:

   • the parties emulate the repeated scheme \(\Pi _{\otimes k'} (1^\lambda ,x,r)\), with randomness \(r=(r_{ij})_{i\in [m],j\in [k']}\).

   • each party i obtains outputs \((y_{i1},\dots ,y_{ik'})\), and in turn computes and outputs \(y_i =\mathsf {majority}(y_{i1},\dots ,y_{ik'})\).

Proposition 3.3

The new scheme is \((1-2^{-\lambda m-2})\)-correct.

Proof

By a Chernoff–Hoeffding bound, each party i obtains the correct output \(y_i\), except with probability \(2^{-6\lambda m}\). By a union bound all m parties obtain the correct outputs \((y_1,\dots ,y_m)\), except with probability \(m 2^{-6\lambda m} < 2^{-\lambda m -2}\), as required. \(\square \)

The Combination of the Two Steps We observe that the combination of the two steps also has a simple form of a parallel execution using specially crafted randomness that is pseudo-random. This will be used in the next section to prove security for specific examples in which security under parallel repetition is guaranteed.

Specifically, when combining the two steps, the final transformed scheme \(\Pi ^{\mathsf {tra}}\) consists of three high-level steps:

1. 1.

   Each party i locally generates randomness \(r^{\mathsf {tra}}_{i,j}\) for \(j\in [K]\), where \(K = k\times k'\).

2. 2.

   The parties emulate the repeated scheme \(\Pi _{\otimes K}(1^\lambda ,x,r)\) where \(r^{\mathsf {tra}}=(r^{\mathsf {tra}}_{ij})_{i\in [m],j\in [K]}\).

3. 3.

   Each party i obtains outputs \((y_{i1},\dots ,y_{iK})\) and performs a local postprocessing step to obtain its final output \(y_i\).

By Proposition 3.2\(r^{\mathsf {tra}}\) is pseudo-random.

Relation to the Work of Barak, Ong, and Vadhan

Barak, Ong, and Vadhan [9] use NW generators to derandomize Naor’s commitments [27] and Dwork and Naor’s ZAPs [14]. In these applications, “reverse randomization” is already encapsulated in the constructions of ZAPs and commitments that they start from, and they show that “the random shift” can be derandomized, using the fact that ZAPs and commitments are secure under parallel repetition. Barak, Ong, and Vadhan were not interested in the correctness of a specific computation per se, but rather in the existence of an “incorrect object”, namely an accepting proof for a false statement in ZAPs, or a commitment with two inconsistent openings.

In their applications, it is in fact enough to use hitting-set generators rather than pseudo-random generators. Such generators only guarantee to hit any set of large density that can be recognized by circuits of some prescribed size. (The density of corresponding seeds just has to be positive, and not necessarily large.) Intuitively, the reason that hitting-set generators are enough for their applications is that they only need to deal with a one-sided error. For example, in a ZAP system, one already assumes that true statements are always accepted by the verifier, so when derandomizing they only need to recognize false statements. This is analogous to having an encryption system that is always correct on encryptions of zero, but may make mistakes on encryptions of one. We note, however, that as an assumption, hitting set generators (against non-deterministic circuits) are sufficient for constructing corresponding pseudo-random generators (against non-deterministic circuits), since they directly imply required hard functions (see further discussion in [21]).

We note that for the case of bit commitments, Barak, Ong, and Vadhan settle for (hitting-set) generators against uniform distinguishers. We can also rely on (pseudo-random) generators against uniform distinguishers for some specific applications such as correcting errors in bit encryption; however, in general (e.g., for indistinguishability obfuscation), we need to deal with non-uniform distinguishers. Roughly speaking, uniform indistinguishability is sufficient only in cases where the input space can be uniformly enumerated in polynomial time, which is indeed the case for bit commitments or bit encryption, where the inputs are only zero and one.

Examples of Interest

We now discuss three examples of interest.

Public-Key Encryption

Our first example concerns public-key encryption. We start by recalling the definition.

Definition 4.1

(Public-Key Encryption) For a message space \({\mathcal {M}}\), and function \(\alpha (\cdot )\le 1\), a triple of algorithms \(({\mathsf {Gen}},{\mathsf {Enc}},{\mathsf {Dec}})\), where the first two are \(\hbox {PPT}\) and third is deterministic polynomial-time, is said to be a public-key encryption scheme for \({\mathcal {M}}\) with \((1-\alpha )\)-correctness if it satisfies:

1. 1.

   \((1-\alpha )\)-Correctness: for any \(m\in {\mathcal {M}}\) and security parameter \(\lambda \),

   $$\begin{aligned} \Pr _{{\mathsf {Gen}},{\mathsf {Enc}}}\left[ {\mathsf {Dec}}_{sk}({\mathsf {Enc}}_{pk}(m)) =m\; \vert \; (pk,sk) \leftarrow {\mathsf {Gen}}(1^\lambda )\right] \ge 1-\alpha (\lambda ) \, . \end{aligned}$$
2. 2.

   Semantic security: for any polynomial-size distinguisher \({\mathcal {D}}\) there exists a negligible function \(\mu (\cdot )\), such that for any two messages \(m ,m'\in {\mathcal {M}}\) of the same size:

   $$\begin{aligned} \left| \Pr [{\mathcal {D}}({\mathsf {Enc}}_{pk}(m))=1]-\Pr [{\mathsf {Enc}}_{pk}(m'))=1]\right| \le \mu (\lambda )\, , \end{aligned}$$

   where the probability is over the coins of \({\mathsf {Enc}}\) and the choice of pk sampled by \({\mathsf {Gen}}(1^\lambda )\).

Applying the Transformation Public-key encryption can be modeled as a three-party scheme \(\Pi \) consisting of a generator, an encryptor, and a decryptor. The generator has no input and uses its randomness \(r_1\) to generate pk and sk, which are sent to the encryptor and decryptor, respectively. The encryptor has as input a message m and uses its randomness \(r_2\) in order to generate an encryption \({\mathsf {Enc}}_{pk}(m;r_2)\), which is sent to the decryptor. The decryptor has no input nor randomness, it uses the secret key to decrypt and outputs the decrypted message. (In this case the function computed by \(\Pi \) is \(f(\bot ,m,\bot )=(\bot ,\bot ,m)\).)

In the repeated scheme \(\Pi _{\otimes K}\), the generator \({\mathsf {Gen}}(1^\lambda ;r_{1j})\) is applied K independent times, with fresh randomness \(r_{1j}\) for each \(j\in [K]\), to generate corresponding keys \(pk =\left\{ {pk_j}\right\} , sk =\left\{ {sk_j}\right\} \). Encryption involves K independent encryptions:

$$\begin{aligned} {\mathsf {Enc}}^{\otimes K}_{pk}(m;r_2) := {\mathsf {Enc}}_{pk_1}(m;r_{21}), \dots ,{\mathsf {Enc}}_{pk_k}(m;r_{2K})\, . \end{aligned}$$

As defined in Sect. 3, when applying the error-removal transformation, the randomness \(r=\left( r_{ij}: i \in [2],j\in [K]\right) \) is sampled according to \(r^{\mathsf {tra}}\) instead of truly at random according to \(r^{\mathsf {uni}}\). Decryption is done by decrypting each encryption with the corresponding \(sk_j\) and postprocessing the K results as prescribed by the transformation.

Claim 4.1

If \(\Pi = ({\mathsf {Gen}},{\mathsf {Enc}},{\mathsf {Dec}})\) is \((1/2+\eta )\)-correct, for some \(\eta = \lambda ^{-O(1)}\), then the new public-key encryption scheme given by \(\Pi ^{\mathsf {tra}}\) is secure and perfectly correct.

Proof

The correctness of the new scheme given by the transformation, follows directly from Proposition 3.1. We next observe that the new scheme is also secure. Concretely, for any (infinite sequence of) two messages \(m,m'\in {\mathcal {M}}\),

$$\begin{aligned} {\mathsf {Enc}}^{\otimes K}_{pk}(m;r^{\mathsf {tra}}_2) \approx _c {\mathsf {Enc}}^{\otimes K}_{pk} (m;r_2^{{\mathsf {uni}}}) \approx _c {\mathsf {Enc}}^{\otimes K}_{pk} (m';r^{\mathsf {uni}}_2)\approx _c {\mathsf {Enc}}^{\otimes K}_{pk} (m';r_2^{{\mathsf {tra}}})\, . \end{aligned}$$

The first and last indistinguishability relations follow directly from Proposition 3.2. The fact that \({\mathsf {Enc}}^{\otimes K}_{pk}(m;r^{\mathsf {uni}}_2)\approx _c {\mathsf {Enc}}^{\otimes K}_{pk}(m';r^{\mathsf {uni}}_2)\) follows from the semantic security of the underlying encryption scheme, which is known to be preserved under multiple encryptions (see, e.g., [20]). \(\square \)

In [15], Dwork, Naor, and Reingold show how public-key encryption where decryption errors may even occur for a large fraction of messages, can be transformed into ones that only have a tiny decryption error over the randomness of the scheme. Applying our transformation, we can further turn such schemes into perfectly correct ones.

Indistinguishability Obfuscation

Our second example concerns indistinguishability obfuscation (IO) [5]. We start by recalling the definition.

Definition 4.2

(Indistinguishability Obfuscation) For a class of circuits \({\mathcal {C}}\), and function \(\alpha (\cdot )\le 1\), a \(\hbox {PPT}\) algorithm \({\mathcal {O}}\) is said to be an indistinguishability obfuscator for \({\mathcal {C}}\) with \((1-\alpha )\)-correctness if it satisfies:

1. 1.

   \((1-\alpha )\)-Correctness: for any \(C\in {\mathcal {C}}\) and security parameter \(\lambda \),

   $$\begin{aligned} \Pr _{{\mathcal {O}}}\left[ \forall x: {\mathcal {O}}(C,1^\lambda )(x)=C(x)\right] \ge 1-\alpha (\lambda ) \, . \end{aligned}$$
2. 2.

   Indistinguishability: for any polynomial-size distinguisher \({\mathcal {D}}\) there exists a negligible function \(\mu (\cdot )\), such that for any two circuits \(C,C'\in {\mathcal {C}}\) that compute the same function and are of the same size:

   $$\begin{aligned} \left| \Pr [{\mathcal {D}}({\mathcal {O}}(C,1^\lambda ))=1] -\Pr [{\mathcal {D}}({\mathcal {O}}(C',1^\lambda ))=1]\right| \le \mu (\lambda )\, , \end{aligned}$$

   where the probability is over the coins of \({\mathcal {D}}\) and \({\mathcal {O}}\).

Applying the Transformation IO can be modeled as a two-party scheme \(\Pi \) consisting of an obfuscator and an evaluator. The obfuscator has as input a circuit C and uses its randomness \(r_1\) in order to create an obfuscated circuit \(\widetilde{C} = {\mathcal {O}}(C,1^\lambda ;r_1)\), which is sent to the evaluator. The evaluator has an input x for the circuit, and no randomness, it computes \(\widetilde{C}(x)\) and outputs the result. (In this case the function computed by \(\Pi \) is \(f(C,x)=(\bot ,C(x))\).)

In the repeated scheme \(\Pi _{\otimes K}\), obfuscation involves K independent obfuscations:

$$\begin{aligned} {\mathcal {O}}^{\otimes K}(C,1^\lambda ;r_1) := {\mathcal {O}}(C,1^\lambda ;r_{11}), \dots ,{\mathcal {O}}(C,1^\lambda ;r_{1K})\, . \end{aligned}$$

As defined in Sect. 3, when applying the error-removal transformation, the randomness \(r=\left( r_{1j}: j \in [K]\right) \) is sampled according to \(r^{\mathsf {tra}}\) instead of truly at random according to \(r^{\mathsf {uni}}\). Evaluation for input x is done by running each obfuscated circuit on the input x and postprocessing the K results as prescribed by the transformation.

Claim 4.2

If \(\Pi = {\mathcal {O}}\) is \((1/2+\eta )\)-correct, for some \(\eta = \lambda ^{-O(1)}\), then the new indistinguishability obfuscation scheme given by \(\Pi ^{\mathsf {tra}}\) is secure and perfectly correct.

Proof

The correctness of the new scheme given by the transformation follows directly from Proposition 3.1. We now observe that the new scheme is also secure, which follows similarly to the case of public-key encryption considered above. Concretely, for any (infinite sequence of) two equal-size circuits \(C,C'\in {\mathcal {C}}\),

$$\begin{aligned} {\mathcal {O}}^{\otimes K}(C,1^\lambda ;r^{\mathsf {tra}}_1) \approx _c {\mathcal {O}}^{\otimes K}(C,1^\lambda ;{r_1^{\mathsf {uni}}}) \approx _c {\mathcal {O}}^{\otimes K}({C'},1^\lambda ;r^{\mathsf {uni}}_1)\approx _c {\mathcal {O}}^{\otimes K}(C',1^\lambda ;{r_1^{\mathsf {tra}}})\, . \end{aligned}$$

The first and last indistinguishability relations follow directly from Proposition 3.2. The fact that \({\mathcal {O}}^{\otimes K}(C,1^\lambda ;r^{\mathsf {uni}}_1)\approx _c {\mathcal {O}}^{\otimes K}(C',1^\lambda ; r^{\mathsf {uni}}_1)\) follows from the security of the underlying obfuscation scheme, which is known to be preserved under multiple obfuscations (see e.g. [11]). \(\square \)

In [11], Bitansky and Vaikuntanathan show how indistinguishability obfuscation [5] where the obfuscated circuit may err also on a large fraction of inputs can be transformed into one that only has a tiny error over the randomness of the obfuscator as required here. Applying our transformation, we can further turn such schemes into perfectly correct ones.

Multi-Party Computation

Our third and last example concerns multi-party computation (MPC) protocols. There are several models for capturing the adversarial capabilities in an MPC protocol. Roughly speaking, our transformation can be applied whenever the protocol is secure against parallel repetition. In the new protocol, perfect correctness will be guaranteed when all the parties behave honestly. The security guarantee given by the new protocol will be inherited from the original repeated protocol. We stress that, in the case of corrupted parties, the transformed protocol does not provide any correctness guarantees beyond those given by the original (repeated) protocol. In particular, if the adversary can inflict a certain correctness error in the original (repeated) protocol, it may also be able to do so in the transformed protocol.

The Formal Model Since we rely on standard MPC conventions, we shall keep our description relatively light, abstracting out less relevant details (for further reading, see for instance [12, 20]). We consider protocols with security against static corruptions according to the real-ideal paradigm. We restrict attention to the standalone model.¹ In this setting, the adversary \({\mathcal {A}}\) corrupts some set of parties \(C \subseteq [m]\), which it fully controls throughout the protocol, and can also choose the inputs for honest parties at the onset of the computation. The adversarial view in the protocol consists of all the communication generated by the honest parties and their respective outputs. We denote by \({\mathsf {Real}}_{\Pi }^{{\mathcal {A}}}(1^\lambda ,z;r)\) the polynomial-time process that generates the adversarial view and the outputs of the honest parties in \([m]\setminus C\) when these parties execute protocol \(\Pi \) for functionality f with randomness \(r=(r_{i_1}, \dots ,r_{i_{m-|C|}})\), and a \(\hbox {PPT}\) adversary \({\mathcal {A}}\) with auxiliary input z controlling the parties in C.

The requirement is that the output of this process can be simulated by a \(\hbox {PPT}\) process \({\mathsf {Ideal}}_{f}^{{\mathcal {S}}}(1^\lambda ,z)\) called the ideal process where \({\mathcal {A}}\) is replaced by an efficient simulator \({\mathcal {S}}\). The simulator can only submit inputs \(x_1,\dots ,x_m\) to f, learn the outputs of the corrupted parties in C, and has to generate the adversarial view. The ideal process outputs the view generated by the simulator as well as the output generated by f for the honest parties.

As before, we denote by \(\Pi _{\otimes K}\) the K-fold parallel repetition of a protocol \(\Pi \) for computing \(f_{\otimes K}(x)=(f(x))^K\), where each honest party \(i\in [m]\setminus C\), given input \(x_i\), runs K parallel copies of \(\Pi \), all with the same input \(x_i\) and obtains outputs \(y_{i1},\dots ,y_{iK}\). We consider protocols that are secure under parallel repetition in the following sense.

Definition 4.3

We say that an MPC protocol \(\Pi \) (for some functionality f) is secure under parallel repetition with respect to an ideal process \({\mathsf {Ideal}}\) if for any \(\hbox {PPT}\) adversary \({\mathcal {A}}\) and polynomial \(K(\lambda )\) there exists a \(\hbox {PPT}\) simulator \({\mathcal {S}}\) such that for any (infinite sequence of) security parameter \(\lambda \in {\mathbb {N}}\) and auxiliary input in \(z\in \{0,1\}^{\lambda ^{O(1)}}\),

$$\begin{aligned} {\mathsf {Real}}_{\Pi _{\otimes K}}^{{\mathcal {A}}}(1^\lambda ,z) \approx _c {\mathsf {Ideal}}^{{\mathcal {S}}}_{f_{\otimes K}}(1^\lambda ,z)\, . \end{aligned}$$

Definition 4.4

We say that an MPC protocol \(\Pi \) for functionality \(f:\{0,1\}^{n\times m}\rightarrow \{0,1\}^{n\times m}\) is \((1-\alpha )\)-correct if when all parties behave honestly, given inputs \((x_1,\dots ,x_m)\), then the probability that each party i, outputs \(y_i\) where \((y_1,\dots ,y_m)=f(x_1,\dots ,x_m)\), is at least \(1-\alpha \).

Applying the Transformation We consider applying our transformation to eliminate errors in the case that all parties execute the protocol honestly, while preserving the same level of security under corruptions. We denote by \(\Pi ^{\mathsf {tra}}\) the protocol \(\Pi \) for computing f after applying the transformation from Sect. 3 where \(\Pi \) is repeated in K times in parallel, the randomness of parties is derived as defined in the transformation, and the final output of party i is derived by postprocessing the K outputs \((y_{i1},\dots ,y_{iK})\) obtained as prescribed by the transformation.

Claim 4.3

Assume that \(\Pi \) is a protocol for f that is \((1/2+\eta )\)-correct, for some \(\eta =\lambda ^{-O(1)}\) and secure under parallel repetition. Then \(\Pi ^{\mathsf {tra}}\) is a secure and perfectly correct protocol for f.

Proof

The perfect correctness of the new protocol \(\Pi ^{\mathsf {tra}}\), when all parties behave honestly, follows directly from Proposition 3.1.

We now show that the protocol \(\Pi ^{\mathsf {tra}}\) is secure. For any \(\hbox {PPT}\) adversary \({\mathcal {A}}\) against \(\Pi ^{\mathsf {tra}}\), viewing \({\mathcal {A}}\) as an adversary against \(\Pi _{\otimes K}\), let \({\mathcal {S}}\) be its simulator given by Definition 4.3. We show that for any (infinite sequence of) security parameter \(\lambda \), and auxiliary input z,

$$\begin{aligned} {\mathsf {Real}}_{\Pi ^{{\mathsf {tra}}}}^{{\mathcal {A}}}(1^\lambda ,z) \approx _c {\mathsf {Ideal}}^{{\mathcal {S}}}_{f}(1^\lambda ,z)\, . \end{aligned}$$

Let \(\Pi _{\otimes K}^\mathsf{pp}\) be the protocol where the parties first execute the K-fold repetition of \(\Pi _{\otimes K}\) and then each party sets its final output by postprocessing its K outputs as specified by the correctness amplification transformation. Then we first note that by definition

$$\begin{aligned} {\mathsf {Real}}_{\Pi ^{\mathsf {tra}}}^{{\mathcal {A}}}(1^\lambda ,z) \equiv {\mathsf {Real}}_{\Pi _{\otimes K}^\mathsf{pp}}^{{\mathcal {A}}} (1^\lambda ,z;r^{\mathsf {tra}})\, , \end{aligned}$$

where \(r^{\mathsf {tra}}\) is the randomness of the honest parties, generated according to our transformation.

Next, by Proposition 3.2, it holds that:

$$\begin{aligned} {\mathsf {Real}}_{\Pi _{\otimes K}^\mathsf{pp}}^{{\mathcal {A}}}(1^\lambda ,z;r^{\mathsf {tra}}) \approx _c {\mathsf {Real}}_{\Pi _{\otimes K}^\mathsf{pp}}^{{\mathcal {A}}} (1^\lambda ,z;{r^{\mathsf {uni}}})\, , \end{aligned}$$

where \(r^{\mathsf {tra}}\) is randomness generated according to our transformation and \(r^{\mathsf {uni}}\) is truly random.

It is left to show that

$$\begin{aligned} {\mathsf {Real}}_{\Pi _{\otimes K}^\mathsf{pp}}^{{\mathcal {A}}}(1^\lambda ,z;r^{\mathsf {uni}}) \approx _c {\mathsf {Ideal}}^{{\mathcal {S}}}_{f}(1^\lambda ,z) \, . \end{aligned}$$

(1)

Indeed, recall that by Definition 4.3,

$$\begin{aligned} {\mathsf {Real}}_{\Pi _{\otimes K}}^{{\mathcal {A}}}(1^\lambda ,z;r^{\mathsf {uni}}) \approx _c {\mathsf {Ideal}}^{{\mathcal {S}}}_{f_{\otimes K}}(1^\lambda ,z)\, . \end{aligned}$$

(2)

Next, note that and each of the two distributions in Equation 1 can be efficiently generated given a sample from the respective distribution in the Equation 2. This is done by postprocessing the K outputs of each honest party as prescribed by the correctness amplification transformation. Accordingly, any efficient distinguisher for 1 immediately implies an efficient distinguisher for 2. Thus, the indistinguishability in Equation 1 follows by Equation 2.

This concludes the proof. \(\square \)