Abstract
This paper proposes a simple synchronous composable security framework as an instantiation of the Constructive Cryptography framework, aiming to capture minimally, without unnecessary artefacts, exactly what is needed to state synchronous security guarantees. The objects of study are specifications (i.e., sets) of systems, and traditional security properties like consistency and validity can naturally be understood as specifications, thus unifying composable and property-based definitions. The framework’s simplicity is in contrast to current composable frameworks for synchronous computation which are built on top of an asynchronous framework (e.g. the UC framework), thus not only inheriting artefacts and complex features used to handle asynchronous communication, but adding additional overhead to capture synchronous communication.
As a second, independent contribution we demonstrate how secure (synchronous) multiparty computation protocols can be understood as constructing a computer that allows a set of parties to perform an arbitrary, ongoing computation. An interesting aspect is that the instructions of the computation need not be fixed before the protocol starts but can also be determined during an ongoing computation, possibly depending on previous outputs.
Notes
1. What is known as a rushing adversary in the literature is the special case of communication channels where a dishonest receiver sees the other parties’ inputs of a round before choosing his own input for that round.
2. Conditional probability distributions are denoted by a small “\(\mathrm {p}\)” because they are defined without defining a random experiment. A capital P for probabilities is used only if a random experiment is defined.
3. This is an abstract requirement, in the sense of an axiom, which for an instantiation of the theory, for example to the special case of discrete systems, must be proven to hold.
4. In the literature, one often refers to parties with a name, say \(P_i\) for party at interface i, but we do not need explicit party names and can simply refer to party i.
5. Note that in this view, the often used term “corruption” does not mean that a party switches from being honest to being dishonest, it rather means that a resource loses some guarantees, for example the memory resource of a party becomes accessible to some other parties.
6. The alphabets are large enough to include all values that can actually appear.
7. This type of resource is similar to the notion of canonical synchronous functionalities in [10].
8. If \(Z \in \mathcal {Z}\) and \(Z' \subseteq Z\), then \(Z' \in \mathcal {Z}\).
References
Asharov, G., Lindell, Y.: A full proof of the BGW protocol for perfectly secure multiparty computation. J. Cryptol. 30(1), 58–151 (2017)
Backes, M., Hofheinz, D., Müller-Quade, J., Unruh, D.: On fairness in simulatability-based cryptographic systems. In: Proceedings of the 2005 ACM workshop on Formal methods in security engineering, pp. 13–22. ACM (2005)
Backes, M., Pfitzmann, B., Waidner, M.: The reactive simulatability (rsim) framework for asynchronous systems. Inf. Comput. 205(12), 1685–1720 (2007)
Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In: 20th ACM STOC, pp. 1–10. ACM Press, May 1988
Berman, P., Garay, J.A., Perry, K.J.: Towards optimal distributed consensus. In: FOCS, pp. 410–415. IEEE (1989)
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press, October 2001
Canetti, R., Cohen, A., Lindell, Y.: A simpler variant of universally composable security for standard multiparty computation. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 3–22. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_1
Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two-party and multi-party secure computation. In: 34th ACM STOC, pp. 494–503. ACM Press, May 2002
Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols (extended abstract). In: 20th ACM STOC, pp. 11–19. ACM Press, May 1988
Cohen, R., Coretti, S., Garay, J., Zikas, V.: Probabilistic termination and composability of cryptographic protocols. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part III. LNCS, vol. 9816, pp. 240–269. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_9
Datta, A., Küsters, R., Mitchell, J.C., Ramanathan, A.: On the relationships between notions of simulation-based security. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 476–494. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_26
Dwork, C., Naor, M., Sahai, A.: Concurrent zero-knowledge. In: 30th ACM STOC, pp. 409–418. ACM Press, May 1998
Gennaro, R., Rabin, M.O., Rabin, T.: Simplified VSS and fast-track multiparty computations with applications to threshold cryptography. In: Coan, B.A., Afek, Y. (ed.) 17th ACM PODC, pp. 101–111. ACM, June/July 1998
Goldreich, O.: Concurrent zero-knowledge with timing, revisited. In: 34th ACM STOC, pp. 332–340. ACM Press, May 2002
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or A completeness theorem for protocols with honest majority. In: Aho, A. (ed.) 19th ACM STOC, pp. 218–229. ACM Press, May 1987
Hirt, M., Maurer, U.M.: Player simulation and general adversary structures in perfect multiparty computation. J. Cryptol. 13(1), 31–60 (2000)
Hirt, M., Zikas, V.: Adaptively secure broadcast. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 466–485. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_24
Hofheinz, D., Müller-Quade, J.: A synchronous model for multiparty computation and the incompleteness of oblivious transfer. Proc. FCS 4, 117–130 (2004)
Hofheinz, D., Unruh, D., Müller-Quade, J.: Polynomial runtime and composability. J. Cryptol. 26(3), 375–441 (2013)
Jost, D., Maurer, U.: Overcoming impossibility results in composable security using interval-wise guarantees. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 33–62. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_2
Kalai, Y.T., Lindell, Y., Prabhakaran, M.: Concurrent general composition of secure protocols in the timing model. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 644–653. ACM Press, May 2005
Katz, J., Maurer, U., Tackmann, B., Zikas, V.: Universally composable synchronous computation. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 477–498. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_27
Kushilevitz, E., Lindell, Y., Rabin, T.: Information-theoretically secure protocols and security under composition. In: Kleinberg, J.M., (ed.) 38th ACM STOC, pp. 109–118. ACM Press, May 2006
Küsters, R., Tuengerthal, M.: The IITM model: a simple and expressive model for universal composability. IACR Cryptol. EPrint Archive 2013, 25 (2013)
Lanzenberger, D., Maurer, U.: Coupling of random systems. In: Theory of Cryptography – TCC 2020, to appear, November 2020
Maurer, U.: Indistinguishability of random systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 110–132. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_8
Maurer, U.: Secure multiparty computation made simple. Discrete Appl. Math. 154(2), 370–381 (2006)
Maurer, U.: Constructive cryptography – a new paradigm for security definitions and proofs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 33–56. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27375-9_3
Maurer, U., Renner, R.: Abstract cryptography. In: Innovations in Computer Science, Citeseer (2011)
Maurer, U., Renner, R.: From indifferentiability to constructive cryptography (and back). In: Hirt, M., Smith, A. (eds.) TCC 2016, Part I. LNCS, vol. 9985, pp. 3–24. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53641-4_1
Maurer, U., Pietrzak, K., Renner, R.: Indistinguishability amplification. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 130–149. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_8
Micciancio, D., Tessaro, S.: An equational approach to secure multiparty computation. In: Kleinberg, R.D. (ed.) ITCS 2013, pp. 355–372. ACM, January 2013
Nielsen, J.B.: On Protocol Security in the Cryptographic Model. BRICS, Russia (2003)
Pfitzmann, B., Waidner, M.: Composition and integrity preservation of secure reactive systems. In: IBM Thomas J, Watson Research Division (2000)
Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). In: 21st ACM STOC, pp. 73–85. ACM Press, May 1989
Wikström, D.: Simplified universal composability framework. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016, Part I. LNCS, vol. 9562, pp. 566–595. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_24
Appendix
A Broadcast Construction
We show how to construct the broadcast resource specification introduced in Sect. 6.2, using the so-called king-phase paradigm [5]. The construction consists of several steps, each providing stronger consistency guarantees.
A.1 Weak-Consensus
Let Z be a set of parties. The primitive weak-consensus provides two guarantees:

Validity: If all parties in \(\overline{Z}\) input the same value, they agree on this value.

Weak Consistency: If some party \(i \in \overline{Z}\) decides on an output \(y_i \in \{0,1\}\), then every other party \(j \in \overline{Z}\) decides on a value \(y_j \in \{y_i, \bot \}\).
A specification \(\mathcal {WC}_{k,l, Z, t}\) capturing the guarantees of a weak-consensus primitive (up to t dishonest parties, and where parties input at round k and output at round l) can be naturally defined as the set of all resources satisfying validity and weak consistency. More concretely, for \(|Z| \le t\), \(\mathcal {WC}_{k, l, Z, t}\) is the set of all resources which output a value at round l.b that satisfy the validity and weak consistency properties, according to the inputs from round k.a. That is:
And when \(|Z| > t\), \(\mathcal {WC}_{k,l,Z, t} = \varPhi \).
Protocol \(\varPi _{\mathtt {wc}}^k = (\pi _1^{\mathtt {wc}},\dots ,\pi _n^{\mathtt {wc}})\) constructs specification \(\mathcal {WC}_{k,k,Z, t}\) from \(\mathcal {N}_{Z}\). The protocol is quite simple: At round k each party sends its input message to every other party via each channel. Then, if there is a bit b that is received at least \(n-t\) times, the output is b. Otherwise, the output is \(\bot \). At a very high level, the protocol meets the specification because, if a party i outputs a bit b, it received b from at least \(n-t\) parties, and hence it received b from at least \(n-2t\) honest parties. This implies that every other party received the bit \(1-b\) at most \(2t < n-t\) times (since \(t < \frac{n}{3}\)). Hence, no honest party outputs \(1-b\).
Theorem 2
Let \(t < \frac{n}{3}\). \(\varPi _{\mathtt {wc}}^k\) constructs \(\mathcal {WC}_{k,k,Z,t}\) from \(\mathcal {N}_{Z}\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.
Proof
Let \(Z \subseteq \mathcal {P}\) such that \(|Z| \le t\). We want to prove that the system specification \(\mathcal {R}_Z := (\varPi _{\mathtt {wc}}^k)_{\overline{Z}} \mathcal {N}_{Z} \subseteq \mathcal {WC}_{k,k,Z,t}\).
For that, all we need to prove is that at round \(k.b\), the outputs from the honest parties satisfy both the weak-consistency and the validity property, where the inputs to be taken into account are those at round \(k.a\). We distinguish two cases:

If every party \(i \in \overline{Z}\) had as input value b at round k (there was pre-agreement): In the system specification \(\mathcal {WC}_{k,k,Z,t}\), the parties output the bit b by definition. In the system specification \(\mathcal {R}_Z\), each party \(i \in \overline{Z}\) receives the bit b at least \(n-t\) times. Hence, each party \(i \in \overline{Z}\) also outputs b.

Otherwise, in \(\mathcal {R}_Z\), either every party \(i \in \overline{Z}\) outputs \(\bot \) (in which case the parties meet the specification \(\mathcal {WC}_{k,k,Z,t}\)), or some party i outputs a bit b. In this case, we observe that it received b from at least \(n-t\) parties, and hence it received b from at least \(n-2t\) honest parties. This implies that every other party received the bit \(1-b\) at most \(2t < n-t\) times (since \(t < \frac{n}{3}\)). In conclusion, no honest party outputs \(1-b\), and the parties output a value \(v_i \in \{\bot , b\}\).
\(\square \)
A.2 Graded-Consensus
We define graded-consensus with respect to a set of parties Z. In this protocol, each party inputs a bit \(x_i \in \{0,1\}\) and outputs a pair value-grade \((y_i,g_i) \in \{0,1\}^2\). The primitive provides two guarantees:

Validity: If all parties in \(\overline{Z}\) input the same value, they agree on this value with grade 1.

Graded Consistency: If some party \(i \in \overline{Z}\) decides on a value \(y_i \in \{0,1\}\) with grade \(g_i = 1\), then every other party \(j \in \overline{Z}\) decides on the same value \(y_j = y_i\).
Specification \(\mathcal {GC}_{k,l, Z, t}\) captures the guarantees of a graded-consensus primitive secure up to t dishonest parties, and where parties give input at round k and output at round l. If \(|Z| \le t\):
And when \(|Z| > t\), \(\mathcal {GC}_{k,l, Z, t} = \varPhi \).
We show a protocol \(\varPi _{\mathtt {gc}}^k = (\pi _1^{\mathtt {gc}},\dots ,\pi _n^{\mathtt {gc}})\) that constructs specification \(\mathcal {GC}_{k,k+1,Z,t}\) from the assumed specification \([\mathcal {WC}_{k,k,Z,t}, \mathcal {N}_{Z}]\): At round k, each party i invokes the weak consensus protocol on its input \(x_i\). Then, at round \(k + 1\), each party sends the output from the weak consensus protocol to every other party via the network. After that, each party i sets the output value \(y_i\) to be the most received bit, and the grade \(g_i = 1\) if and only if the value was received at least \(n-t\) times.
If any party i decides on an output \(y_i\) with \(g_i = 1\), it means that the party received \(y_i\) from at least \(n-t\) parties, where at least \(n-2t\) are honest parties. Hence, every other honest party received the value \(y_i\) at least \(n-2t\) times. Given that \(n-2t > t\), at least one honest party obtained \(y_i\) as output of \(\mathcal {WC}_{k,k,Z,t}\). Therefore, by weak consistency, no honest party obtained \(1 - y_i\) as output from \(\mathcal {WC}_{k,k,Z,t}\), from which it follows that each honest party j received it at most \(t < n - 2t\) times and therefore outputs \(y_j = y_i\).
Theorem 3
Let \(t < \frac{n}{3}\). \(\varPi _{\mathtt {gc}}^k\) constructs \(\mathcal {GC}_{k,k+1, Z, t}\) from \([\mathcal {WC}_{k,k,Z,t},\mathcal {N}_{Z}]\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.
Proof
Let \(Z \subseteq \mathcal {P}\) such that \(|Z| \le t\). We want to prove that the system specification \(\mathcal {R}_Z := (\varPi _{\mathtt {gc}}^k)_{\overline{Z}} [\mathcal {WC}_{k,k,Z,t},\mathcal {N}_{Z}] \subseteq \mathcal {GC}_{k,k+1, Z, t}\).
For that, all we need to prove is that at round \((k+1).b\), the outputs from the honest parties satisfy both the graded-consistency and the validity property, where the inputs to be taken into account are those at round \(k.a\).
At round \(k.a\), each party \(i \in \overline{Z}\) inputs the message \(x_i\) to \(\mathcal {WC}_{k,k,Z,t}\). Then, it is guaranteed that at round \(k.b\), honest parties obtain an output that satisfies validity and weak-consistency. At round \((k+1).b\), we distinguish two cases:

If every party \(i \in \overline{Z}\) had as input value b at round k (there was pre-agreement): In \(\mathcal {GC}_{k,k+1, Z, t}\), the parties output the bit (b, 1) by definition. In \(\mathcal {R}_Z\), each party \(i \in \overline{Z}\) outputs the bit b as \(z_j\) because of the validity of \(\mathcal {WC}_{k,k,Z,t}\). Then, party i receives at least \(n-t\) times the bit b. Hence, each party \(i \in \overline{Z}\) also outputs b.

If an honest party i decides on an output \(y_i\) with \(g_i = 1\), then it means that the party received \(y_i\) from at least \(n-t\) parties, where at least \(n-2t\) are honest parties. This implies that every other honest party received the value \(y_i\) at least \(n-2t\) times. Given that \(n-2t > t\), at least one honest party obtained \(y_i\) as output of \(\mathcal {WC}_{k,k,Z,t}\) at round \((k+1).b\). Therefore, by weak consistency, no honest party obtained \(1 - y_i\) as output from \(\mathcal {WC}_{k,k,Z,t}\), from which it follows that each honest party j received it at most \(t < n - 2t\) times and therefore outputs \(y_j = y_i\).
\(\square \)
A.3 King-Consensus
We first define a specification that achieves king-consensus with respect to a set of parties Z. In the king-consensus primitive, there is a party K, the king, which plays a special role. The primitive provides two guarantees:

Validity: If all parties in \(\overline{Z}\) input the same value, they agree on this value.

King Consistency: If party \(K \in \overline{Z}\), then there is a value y such that every party \(j \in \overline{Z}\) decides on the value \(y_j = y\).
We describe a specification \(\mathcal {KC}_{k,l, Z, t, K}\) that models a king-consensus primitive where K has the role of king, and is secure up to t dishonest parties, which starts at round k and ends at round l. If \(|Z| \le t\):
And when \(|Z| > t\), \(\mathcal {KC}_{k,l, Z, t, K} = \varPhi \).
Protocol \(\varPi _{\mathtt {kc}}^k = (\pi _1^{\mathtt {kc}},\dots ,\pi _n^{\mathtt {kc}})\) constructs specification \(\mathcal {KC}_{k,k+2, Z, t, K}\) from the assumed specification \([\mathcal {GC}_{k,k+1,Z,t}, \mathcal {N}_{Z}]\): At round k, each party i invokes the graded consensus protocol on its input \(x_i\). Then, at round \(k + 2\), the king K sends the output \(z_K\) from the graded consensus protocol to every other party. Finally, each party i sets the value \(y_i = z_i\) to the output of graded consensus if the grade was \(g_i = 1\), and otherwise to the value of the king \(y_i = z_K\). Note that consistency is guaranteed to hold only in the case the king is honest: if every honest party i has grade \(g_i = 0\), they all adopt the king’s value. Otherwise, there is a party j with grade \(g_j = 1\), and graded consistency ensures that all honest parties (in particular the king) have the same output.
Theorem 4
Let \(t < \frac{n}{3}\). \(\varPi _{\mathtt {kc}}^k\) constructs \(\mathcal {KC}_{k,k+2, Z, t, K}\) from \([\mathcal {GC}_{k,k+1,Z,t},\mathcal {N}_{Z}]\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.
Proof
Let \(Z \subseteq \mathcal {P}\) such that \(|Z| \le t\). We want to prove that the system specification \(\mathcal {R}_Z := (\varPi _{\mathtt {kc}}^k)_{\overline{Z}} [\mathcal {GC}_{k,k+1,Z,t},\mathcal {N}_{Z}] \subseteq \mathcal {KC}_{k,k+2, Z, t, K}\).
At round \(k.a\), each party \(i \in \overline{Z}\) inputs the message \(x_i\) to \(\mathcal {GC}_{k,k+1,Z,t}\). Then, it is guaranteed that at round \((k+1).b\), honest parties obtain an output that satisfies validity and graded-consistency. We distinguish two cases:

If every party \(i \in \overline{Z}\) had as input value b at round k (there was pre-agreement): In \(\mathcal {KC}_{k,k+2, Z, t, K}\), the parties output the bit b at round \(k+2\) by definition. In the system specification \(\mathcal {R}_Z\), each party \(i \in \overline{Z}\) receives the bit (b, 1) at round \(k+1\), because of the validity of \(\mathcal {GC}_{k,k+1,Z,t}\). Hence, each party \(i \in \overline{Z}\) also outputs b at round \(k+2\).

Otherwise, assume the king is honest. If every honest party i obtains an output \((z_i,0)\), then at round \((k + 2).b\), every party takes the value of the king \(z_K\). Otherwise, there is a party j that obtained an output \((z_j,1)\) at round \((k + 1).b\). In this case, graded consistency implies that all honest parties have the same output. In particular, this holds for the honest king. Thus, all parties decide on the same output. \(\square \)
A.4 Consensus
We define a specification that achieves consensus with respect to a set of parties Z. The primitive provides two guarantees:

Validity: If all parties in \(\overline{Z}\) input the same value, they agree on this value.

Consistency: There is a value y such that every party \(j \in \overline{Z}\) decides on the value \(y_j = y\).
We describe a specification \(\mathcal {C}_{k,l, Z, t}\) that models consensus, secure up to t dishonest parties, which starts at round k and ends at round l. If \(|Z| \le t\):
And when \(|Z| > t\), \(\mathcal {C}_{k,l, Z, t} = \varPhi \).
Protocol \(\varPi _{\mathtt {cons}}^k = (\pi _1^{\mathtt {cons}},\dots ,\pi _n^{\mathtt {cons}})\) constructs specification \(\mathcal {C}_{k,k+3(t+1)-1, Z, t}\) from the assumed specification \([\mathcal {KC}_{k,k+2,Z,t,1},\dots ,\mathcal {KC}_{k+3t,k+3(t+1)-1,Z,t, {t+1}}]\). The idea is simply to execute the king consensus protocol sequentially \(t+1\) times with different kings. More concretely, at round \(k + 3j\), \(j \in [0,t]\), parties execute the king consensus protocol, where the king is \({j+1}\). If parties start with the same input bit, validity of king consensus guarantees that this bit is kept until the end. Otherwise, since the number of dishonest parties is at most t, one of the executions has an honest king. After the execution with the honest king, consistency is reached, and validity ensures that consistency is maintained until the end of the execution.
Theorem 5
Let \(t < n\). \(\varPi _{\mathtt {cons}}^k\) constructs \(\mathcal {C}_{k,k+3t+2, Z, t}\) from \([\mathcal {KC}_{k,k+2,Z,t,1}, \dots ,\) \(\mathcal {KC}_{k+3t,k+3t+2,Z,t, {t+1}}]\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.
Proof
Let \(Z \subseteq \mathcal {P}\) such that \(|Z| \le t\). We distinguish two cases:

If every party \(i \in \overline{Z}\) had as input value b at round k (there was pre-agreement): After each input to \(\mathcal {KC}_{k+3j,k+3j+2, Z, t, {j+1}}\), the parties obtain the bit b because of validity. This is the same in \(\mathcal {C}_{k,k+3t+2, Z, t}\) by definition.

Otherwise, given that there are up to t dishonest parties and there are \(t+1\) different kings, there is an honest king K. The output of any system in the specification \(\mathcal {KC}_{k+3(K-1),k+3K-1,Z,t, {K}}\) is the same value v for all honest parties because of the king consistency. All the following invocations to king consensus keep the value v as the output because of the validity property. Thus, all parties decide on the same output.
\(\square \)
A.5 Broadcast
In Sect. 6.2 we introduced a broadcast resource specification. We show how to achieve such a specification from \(\mathcal {C}_{k,l, Z, t}\), as long as \(|Z| \le t\), for any \(t \le \frac{n}{3}\).
We recall the broadcast specification resource secure up to t dishonest parties, which starts at round k and ends at round l. If \(|Z| \le t\):
And when \(|Z| > t\), \(\mathcal {BC}_{k,l, Z, t} = \varPhi \).
Protocol \(\varPi _{\mathtt {bc}}^k = (\pi _1^{\mathtt {bc}},\dots ,\pi _n^{\mathtt {bc}})\) constructs specification \(\mathcal {BC}_{k,k+3t+3,Z,t}\) from the assumed specification \([\mathcal {C}_{k+1,k+3t+3,Z,t},\mathcal {N}_Z]\). The sender simply sends its input value x to every party, and then parties execute the consensus protocol on the received value from the sender.
Theorem 6
Let \(t < \frac{n}{2}\). \(\varPi _{\mathtt {bc}}^k\) constructs \(\mathcal {BC}_{k,k+3t+3,Z,t}\) from \([\mathcal {C}_{k+1,k+3t+3,Z,t},\) \(\mathcal {N}_Z]\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.
Proof
Let \(Z \subseteq \mathcal {P}\) such that \(|Z| \le t\). We distinguish two cases:

If the sender is honest, every honest party receives the sender’s input \(x_s\) and inputs this value into the consensus resource. Because of the validity of consensus, every honest party obtains \(x_s\) from the consensus resource and outputs it. This is the same in \(\mathcal {BC}_{k,k+3t+3, Z, t}\) by definition.

Otherwise, the consistency of the consensus resource guarantees that every honest party receives the same value from the consensus resource, and hence every honest party outputs the same value. \(\square \)
As a corollary of composing all the previous protocols, we obtain that there is a protocol which constructs broadcast from a network of bilateral channels.
Corollary 1
Let \(t < \frac{n}{3}\). There is a protocol that constructs \(\mathcal {BC}_{k,k+3t+3,Z,t}\) from \(\mathcal {N}_Z\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.
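The following simulation is an added example, not code from the paper: it runs the five protocols of this appendix (weak-consensus, graded-consensus, king-consensus, consensus, broadcast) over a network in which the parties in Z send arbitrary, receiver-dependent messages. The function names, the 0-based party and king indices, the tie-breaking rule in graded-consensus, the default bit 0 for non-bit messages and the adversary interface are assumptions of the example; rounds are not split into the a/b phases used in the proofs.

```python
import random

BOT = None  # stands for the symbol ⊥


def exchange(values, Z, adv):
    """One network round: recv[i][j] is the message party i gets from party j.
    Honest j sends values[j] to everyone; for j in Z the adversary picks every
    message separately and may look at all values of the round."""
    n = len(values)
    return [[adv(j, i, values) if j in Z else values[j] for j in range(n)]
            for i in range(n)]


def as_bit(v):
    """Assumption: a message that is not a bit is read as the default bit 0."""
    return v if v in (0, 1) else 0


def weak_consensus(x, t, Z, adv):
    """Output b if b was received at least n-t times, otherwise ⊥."""
    n, out = len(x), []
    for row in exchange(x, Z, adv):
        hits = [b for b in (0, 1) if row.count(b) >= n - t]
        out.append(hits[0] if len(hits) == 1 else BOT)
    return out


def graded_consensus(x, t, Z, adv):
    """Exchange weak-consensus outputs; grade 1 iff the top bit has n-t votes."""
    n, out = len(x), []
    for row in exchange(weak_consensus(x, t, Z, adv), Z, adv):
        c0, c1 = row.count(0), row.count(1)
        y = 1 if c1 > c0 else 0  # assumption: ties go to 0
        out.append((y, int(max(c0, c1) >= n - t)))
    return out


def king_consensus(x, t, king, Z, adv):
    """Keep the graded value on grade 1, otherwise adopt the king's value."""
    zg = graded_consensus(x, t, Z, adv)
    recv = exchange([z for z, _ in zg], Z, adv)
    return [z if g == 1 else as_bit(recv[i][king])
            for i, (z, g) in enumerate(zg)]


def consensus(x, t, Z, adv):
    """t+1 king phases with kings 0..t, so at least one king is honest."""
    y = list(x)
    for king in range(t + 1):
        y = king_consensus(y, t, king, Z, adv)
    return y


def broadcast(sender, value, n, t, Z, adv):
    """The sender distributes its value, then all parties run consensus on it."""
    recv = exchange([value] * n, Z, adv)
    return consensus([as_bit(recv[i][sender]) for i in range(n)], t, Z, adv)


def honest_view(outputs, Z):
    """Outputs at the interfaces of the honest parties only."""
    return [y for i, y in enumerate(outputs) if i not in Z]


def split_adversary(j, i, values):
    """Equivocation: even-numbered receivers are told 0, odd-numbered ones 1."""
    return i % 2


def random_adversary(seed):
    """Every dishonest message is drawn uniformly from {0, 1, ⊥}."""
    rng = random.Random(seed)
    return lambda j, i, values: rng.choice((0, 1, BOT))


if __name__ == "__main__":
    # n = 4, t = 1: a dishonest sender equivocates, honest parties still agree.
    print(honest_view(broadcast(0, 1, 4, 1, {0}, split_adversary), {0}))
    # n = 3, t = 1 breaks t < n/3: honest parties 0 and 1 output different bits.
    print(honest_view(weak_consensus([0, 1, 0], 1, {2}, split_adversary), {2}))
```

The second call shows what the bound \(t < \frac{n}{3}\) buys: with n = 3 and t = 1 the threshold \(n-t\) is 2, a single equivocating party completes a different quorum at each honest party, and weak consistency fails.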
© 2020 International Association for Cryptologic Research
Liu-Zhang, CD., Maurer, U. (2020). Synchronous Constructive Cryptography. In: Pass, R., Pietrzak, K. (eds) Theory of Cryptography. TCC 2020. Lecture Notes in Computer Science, vol 12551. Springer, Cham. https://doi.org/10.1007/978-3-030-64378-2_16
DOI: https://doi.org/10.1007/978-3-030-64378-2_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64377-5
Online ISBN: 978-3-030-64378-2
eBook Packages: Computer Science, Computer Science (R0)