
Synchronous Constructive Cryptography

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12551)

Abstract

This paper proposes a simple synchronous composable security framework as an instantiation of the Constructive Cryptography framework, aiming to capture minimally, without unnecessary artefacts, exactly what is needed to state synchronous security guarantees. The objects of study are specifications (i.e., sets) of systems, and traditional security properties like consistency and validity can naturally be understood as specifications, thus unifying composable and property-based definitions. The framework’s simplicity is in contrast to current composable frameworks for synchronous computation which are built on top of an asynchronous framework (e.g. the UC framework), thus not only inheriting artefacts and complex features used to handle asynchronous communication, but adding additional overhead to capture synchronous communication.

As a second, independent contribution we demonstrate how secure (synchronous) multi-party computation protocols can be understood as constructing a computer that allows a set of parties to perform an arbitrary, on-going computation. An interesting aspect is that the instructions of the computation need not be fixed before the protocol starts but can also be determined during an on-going computation, possibly depending on previous outputs.


Notes

  1. What is known as a rushing adversary in the literature is the special case of communication channels where a dishonest receiver sees the other parties’ inputs of a round before choosing his own input for that round.

  2. Conditional probability distributions are denoted by a small “\(\mathrm {p}\)” because they are defined without defining a random experiment. A capital P for probabilities is used only if a random experiment is defined.

  3. This is an abstract requirement, in the sense of an axiom, which for an instantiation of the theory, for example to the special case of discrete systems, must be proven to hold.

  4. In the literature, one often refers to parties with a name, say \(P_i\) for party at interface i, but we do not need explicit party names and can simply refer to party i.

  5. Note that in this view, the often used term “corruption” does not mean that a party switches from being honest to being dishonest, it rather means that a resource loses some guarantees, for example the memory resource of a party becomes accessible to some other parties.

  6. The alphabets are large enough to include all values that can actually appear.

  7. This type of resource is similar to the notion of canonical synchronous functionalities in [10].

  8. If \(Z \in \mathcal {Z}\) and \(Z' \subseteq Z\), then \(Z' \in \mathcal {Z}\).

References

  1. Asharov, G., Lindell, Y.: A full proof of the BGW protocol for perfectly secure multiparty computation. J. Cryptol. 30(1), 58–151 (2017)

  2. Backes, M., Hofheinz, D., Müller-Quade, J., Unruh, D.: On fairness in simulatability-based cryptographic systems. In: Proceedings of the 2005 ACM Workshop on Formal Methods in Security Engineering, pp. 13–22. ACM (2005)

  3. Backes, M., Pfitzmann, B., Waidner, M.: The reactive simulatability (RSIM) framework for asynchronous systems. Inf. Comput. 205(12), 1685–1720 (2007)

  4. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In: 20th ACM STOC, pp. 1–10. ACM Press, May 1988

  5. Berman, P., Garay, J.A., Perry, K.J.: Towards optimal distributed consensus. In: FOCS, pp. 410–415. IEEE (1989)

  6. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press, October 2001

  7. Canetti, R., Cohen, A., Lindell, Y.: A simpler variant of universally composable security for standard multiparty computation. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 3–22. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_1

  8. Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two-party and multi-party secure computation. In: 34th ACM STOC, pp. 494–503. ACM Press, May 2002

  9. Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols (extended abstract). In: 20th ACM STOC, pp. 11–19. ACM Press, May 1988

  10. Cohen, R., Coretti, S., Garay, J., Zikas, V.: Probabilistic termination and composability of cryptographic protocols. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part III. LNCS, vol. 9816, pp. 240–269. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_9

  11. Datta, A., Küsters, R., Mitchell, J.C., Ramanathan, A.: On the relationships between notions of simulation-based security. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 476–494. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_26

  12. Dwork, C., Naor, M., Sahai, A.: Concurrent zero-knowledge. In: 30th ACM STOC, pp. 409–418. ACM Press, May 1998

  13. Gennaro, R., Rabin, M.O., Rabin, T.: Simplified VSS and fast-track multiparty computations with applications to threshold cryptography. In: Coan, B.A., Afek, Y. (eds.) 17th ACM PODC, pp. 101–111. ACM, June/July 1998

  14. Goldreich, O.: Concurrent zero-knowledge with timing, revisited. In: 34th ACM STOC, pp. 332–340. ACM Press, May 2002

  15. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or A completeness theorem for protocols with honest majority. In: Aho, A. (ed.) 19th ACM STOC, pp. 218–229. ACM Press, May 1987

  16. Hirt, M., Maurer, U.M.: Player simulation and general adversary structures in perfect multiparty computation. J. Cryptol. 13(1), 31–60 (2000)

  17. Hirt, M., Zikas, V.: Adaptively secure broadcast. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 466–485. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_24

  18. Hofheinz, D., Müller-Quade, J.: A synchronous model for multi-party computation and the incompleteness of oblivious transfer. Proc. FCS 4, 117–130 (2004)

  19. Hofheinz, D., Unruh, D., Müller-Quade, J.: Polynomial runtime and composability. J. Cryptol. 26(3), 375–441 (2013)

  20. Jost, D., Maurer, U.: Overcoming impossibility results in composable security using interval-wise guarantees. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 33–62. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_2

  21. Kalai, Y.T., Lindell, Y., Prabhakaran, M.: Concurrent general composition of secure protocols in the timing model. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 644–653. ACM Press, May 2005

  22. Katz, J., Maurer, U., Tackmann, B., Zikas, V.: Universally composable synchronous computation. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 477–498. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_27

  23. Kushilevitz, E., Lindell, Y., Rabin, T.: Information-theoretically secure protocols and security under composition. In: Kleinberg, J.M. (ed.) 38th ACM STOC, pp. 109–118. ACM Press, May 2006

  24. Küsters, R., Tuengerthal, M.: The IITM model: a simple and expressive model for universal composability. IACR Cryptol. ePrint Archive 2013, 25 (2013)

  25. Lanzenberger, D., Maurer, U.: Coupling of random systems. In: Theory of Cryptography – TCC 2020, to appear, November 2020

  26. Maurer, U.: Indistinguishability of random systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 110–132. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_8

  27. Maurer, U.: Secure multi-party computation made simple. Discrete Appl. Math. 154(2), 370–381 (2006)

  28. Maurer, U.: Constructive cryptography – a new paradigm for security definitions and proofs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 33–56. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27375-9_3

  29. Maurer, U., Renner, R.: Abstract cryptography. In: Innovations in Computer Science, Citeseer (2011)

  30. Maurer, U., Renner, R.: From indifferentiability to constructive cryptography (and back). In: Hirt, M., Smith, A. (eds.) TCC 2016, Part I. LNCS, vol. 9985, pp. 3–24. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53641-4_1

  31. Maurer, U., Pietrzak, K., Renner, R.: Indistinguishability amplification. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 130–149. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_8

  32. Micciancio, D., Tessaro, S.: An equational approach to secure multi-party computation. In: Kleinberg, R.D. (ed.) ITCS 2013, pp. 355–372. ACM, January 2013

  33. Nielsen, J.B.: On Protocol Security in the Cryptographic Model. BRICS, Russia (2003)

  34. Pfitzmann, B., Waidner, M.: Composition and integrity preservation of secure reactive systems. IBM Thomas J. Watson Research Division (2000)

  35. Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). In: 21st ACM STOC, pp. 73–85. ACM Press, May 1989

  36. Wikström, D.: Simplified universal composability framework. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016, Part I. LNCS, vol. 9562, pp. 566–595. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_24

Author information

Correspondence to Chen-Da Liu-Zhang.

Appendix

A Broadcast Construction

We show how to construct the broadcast resource specification introduced in Sect. 6.2, using the so-called king-phase paradigm [5]. The construction consists of several steps, each providing stronger consistency guarantees.

A.1 Weak-Consensus

Let Z be a set of parties. The primitive weak-consensus provides two guarantees:

  • Validity: If all parties in \(\overline{Z}\) input the same value, they agree on this value.

  • Weak Consistency: If some party \(i \in \overline{Z}\) decides on an output \(y_i \in \{0,1\}\), then every other party \(j \in \overline{Z}\) decides on a value \(y_j \in \{y_i, \bot \}\).

A specification \(\mathcal {WC}_{k,l, Z, t}\) capturing the guarantees of a weak-consensus primitive (up to t dishonest parties, and where parties input at round k and output at round l) can be naturally defined as the set of all resources satisfying validity and weak consistency. More concretely, for \(|Z| \le t\), \(\mathcal {WC}_{k, l, Z, t}\) is the set of all resources that output a value at round l.b satisfying the validity and weak consistency properties with respect to the inputs given at round k.a. That is:

[figure j: formal definition of the specification \(\mathcal {WC}_{k,l,Z,t}\); not reproduced in this extraction]

And when \(|Z| > t\), \(\mathcal {WC}_{k,l,Z, t} = \varPhi \).

Protocol \(\varPi _{\mathtt {wc}}^k = (\pi _1^{\mathtt {wc}},\dots ,\pi _n^{\mathtt {wc}})\) constructs specification \(\mathcal {WC}_{k,k,Z, t}\) from \(\mathcal {N}_{Z}\). The protocol is quite simple: At round k each party sends its input message to every other party via each channel. Then, if there is a bit b that is received at least \(n-t\) times, the output is b. Otherwise, the output is \(\bot \). At a very high level, the protocol meets the specification because, if a party i outputs a bit b, it received b from at least \(n-t\) parties, and hence it received b from at least \(n-2t\) honest parties. This implies that every other party received the bit \(1-b\) at most \(2t < n-t\) times (since \(t < \frac{n}{3}\)). Hence, no honest party outputs \(1-b\).

[figure k: protocol \(\varPi _{\mathtt {wc}}^k\); not reproduced in this extraction]

Theorem 2

Let \(t < \frac{n}{3}\). \(\varPi _{\mathtt {wc}}^k\) constructs \(\mathcal {WC}_{k,k,Z,t}\) from \(\mathcal {N}_{Z}\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.

Proof

Let \(Z \subseteq \mathcal {P}\) such that \(|Z| \le t\). We want to prove that the system specification \(\mathcal {R}_Z := (\varPi _{\mathtt {wc}}^k)_{\overline{Z}} \mathcal {N}_{Z} \subseteq \mathcal {WC}_{k,k,Z,t}\).

For that, all we need to prove is that at round \(k.b\), the outputs from the honest parties satisfy both the weak-consistency and the validity property, where the inputs to be taken into account are those at round \(k.a\). We distinguish two cases:

  • If every party \(i \in \overline{Z}\) had as input value b at round k (there was pre-agreement): In the system specification \(\mathcal {WC}_{k,k,Z,t}\), the parties output the bit b by definition. In the system specification \(\mathcal {R}_Z\), each party \(i \in \overline{Z}\) receives the bit b at least \(n-t\) times. Hence, each party \(i \in \overline{Z}\) also outputs b.

  • Otherwise, in \(\mathcal {R}_Z\), either every party \(i \in \overline{Z}\) outputs \(\bot \) (in which case the parties meet the specification \(\mathcal {WC}_{k,k,Z,t}\)), or some party i outputs a bit b. In this case, we observe that it received b from at least \(n-t\) parties, and hence it received b from at least \(n-2t\) honest parties. This implies that every other party received the bit \(1-b\) at most \(2t < n-t\) times (since \(t < \frac{n}{3}\)). In conclusion, no honest party outputs \(1-b\), and the parties output a value \(v_i \in \{\bot , b\}\).

   \(\square \)

A.2 Graded-Consensus

We define graded-consensus with respect to a set of parties Z. In this primitive, each party inputs a bit \(x_i \in \{0,1\}\) and outputs a value-grade pair \((y_i,g_i) \in \{0,1\}^2\). The primitive provides two guarantees:

  • Validity: If all parties in \(\overline{Z}\) input the same value, they agree on this value with grade 1.

  • Graded Consistency: If some party \(i \in \overline{Z}\) decides on a value \(y_i \in \{0,1\}\) with grade \(g_i = 1\), then every other party \(j \in \overline{Z}\) decides on the same value \(y_j = y_i\).

Specification \(\mathcal {GC}_{k,l, Z, t}\) captures the guarantees of a graded-consensus primitive secure up to t dishonest parties, and where parties give input at round k and output at round l. If \(|Z| \le t\):

[figure l: formal definition of the specification \(\mathcal {GC}_{k,l,Z,t}\); not reproduced in this extraction]

And when \(|Z| > t\), \(\mathcal {GC}_{k,l, Z, t} = \varPhi \).

We show a protocol \(\varPi _{\mathtt {gc}}^k = (\pi _1^{\mathtt {gc}},\dots ,\pi _n^{\mathtt {gc}})\) that constructs specification \(\mathcal {GC}_{k,k+1,Z,t}\) from the assumed specification \([\mathcal {WC}_{k,k,Z,t}, \mathcal {N}_{Z}]\): At round k, each party i invokes the weak consensus protocol on its input \(x_i\). Then, at round \(k + 1\), each party sends the output from the weak consensus protocol to every other party via the network. After that, each party i sets the output value \(y_i\) to be the most received bit, and the grade \(g_i = 1\) if and only if the value was received at least \(n-t\) times.

If any party i decides on an output \(y_i\) with \(g_i = 1\), it means that the party received \(y_i\) from at least \(n-t\) parties, where at least \(n-2t\) are honest parties. Hence, every other honest party received the value \(y_i\) at least \(n-2t\) times. Given that \(n-2t > t\), at least one honest party obtained \(y_i\) as output of \(\mathcal {WC}_{k,k,Z,t}\). Therefore, by weak consistency, no honest party obtained \(1 - y_i\) as output from \(\mathcal {WC}_{k,k,Z,t}\), from which it follows that each honest party j received \(1 - y_i\) at most \(t < n - 2t\) times and therefore outputs \(y_j = y_i\).

[figure m: protocol \(\varPi _{\mathtt {gc}}^k\); not reproduced in this extraction]

Theorem 3

Let \(t < \frac{n}{3}\). \(\varPi _{\mathtt {gc}}^k\) constructs \(\mathcal {GC}_{k,k+1, Z, t}\) from \([\mathcal {WC}_{k,k,Z,t},\mathcal {N}_{Z}]\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.

Proof

Let \(Z \subseteq \mathcal {P}\) such that \(|Z| \le t\). We want to prove that the system specification \(\mathcal {R}_Z := (\varPi _{\mathtt {gc}}^k)_{\overline{Z}} [\mathcal {WC}_{k,k,Z,t},\mathcal {N}_{Z}] \subseteq \mathcal {GC}_{k,k+1, Z, t}\).

For that, all we need to prove is that at round \((k+1).b\), the outputs from the honest parties satisfy both the graded-consistency and the validity property, where the inputs to be taken into account are those at round \(k.a\).

At round \(k.a\), each party \(i \in \overline{Z}\) inputs the message \(x_i\) to \(\mathcal {WC}_{k,k,Z,t}\). Then, it is guaranteed that at round \(k.b\), honest parties obtain an output that satisfies validity and weak-consistency. At round \((k+1).b\), we distinguish two cases:

  • If every party \(i \in \overline{Z}\) had as input value b at round k (there was pre-agreement): In \(\mathcal {GC}_{k,k+1, Z, t}\), the parties output the pair (b, 1) by definition. In \(\mathcal {R}_Z\), each party \(i \in \overline{Z}\) obtains the bit b as \(z_i\) because of the validity of \(\mathcal {WC}_{k,k,Z,t}\). Then, party i receives the bit b at least \(n-t\) times. Hence, each party \(i \in \overline{Z}\) also outputs (b, 1).

  • If an honest party i decides on an output \(y_i\) with \(g_i = 1\), then it means that the party received \(y_i\) from at least \(n-t\) parties, where at least \(n-2t\) are honest parties. This implies that every other honest party received the value \(y_i\) at least \(n-2t\) times. Given that \(n-2t > t\), at least one honest party obtained \(y_i\) as output of \(\mathcal {WC}_{k,k,Z,t}\) at round \(k.b\). Therefore, by weak consistency, no honest party obtained \(1 - y_i\) as output from \(\mathcal {WC}_{k,k,Z,t}\), from which it follows that each honest party j received \(1 - y_i\) at most \(t < n - 2t\) times and therefore outputs \(y_j = y_i\).

   \(\square \)

A.3 King-Consensus

We first define a specification that achieves king-consensus with respect to a set of parties Z. In the king-consensus primitive, there is a party K, the king, which plays a special role. The primitive provides two guarantees:

  • Validity: If all parties in \(\overline{Z}\) input the same value, they agree on this value.

  • King Consistency: If party \(K \in \overline{Z}\), then there is a value y such that every party \(j \in \overline{Z}\) decides on the value \(y_j = y\).

We describe a specification \(\mathcal {KC}_{k,l, Z, t, K}\) that models a king-consensus primitive where K has the role of king, and is secure up to t dishonest parties, which starts at round k and ends at round l. If \(|Z| \le t\):

[figure n: formal definition of the specification \(\mathcal {KC}_{k,l,Z,t,K}\); not reproduced in this extraction]

And when \(|Z| > t\), \(\mathcal {KC}_{k,l, Z, t, K} = \varPhi \).

Protocol \(\varPi _{\mathtt {kc}}^k = (\pi _1^{\mathtt {kc}},\dots ,\pi _n^{\mathtt {kc}})\) constructs specification \(\mathcal {KC}_{k,k+2, Z, t, K}\) from the assumed specification \([\mathcal {GC}_{k,k+1,Z,t}, \mathcal {N}_{Z}]\): At round k, each party i invokes the graded consensus protocol on its input \(x_i\). Then, at round \(k + 2\), the king K sends the output \(z_K\) from the graded consensus protocol to every other party. Finally, each party i sets the value \(y_i = z_i\) to the output of graded consensus if the grade was \(g_i = 1\), and otherwise to the value of the king \(y_i = z_K\). Note that consistency is guaranteed to hold only in the case the king is honest: if every honest party i has grade \(g_i = 0\), they all adopt the king’s value. Otherwise, there is a party j with grade \(g_j = 1\), and graded consistency ensures that all honest parties (in particular the king) have the same output.

[figure o: protocol \(\varPi _{\mathtt {kc}}^k\); not reproduced in this extraction]

Theorem 4

Let \(t < \frac{n}{3}\). \(\varPi _{\mathtt {kc}}^k\) constructs \(\mathcal {KC}_{k,k+2, Z, t, K}\) from \([\mathcal {GC}_{k,k+1,Z,t},\mathcal {N}_{Z}]\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.

Proof

Let \(Z \subseteq \mathcal {P}\) such that \(|Z| \le t\). We want to prove that the system specification \(\mathcal {R}_Z := (\varPi _{\mathtt {kc}}^k)_{\overline{Z}} [\mathcal {GC}_{k,k+1,Z,t},\mathcal {N}_{Z}] \subseteq \mathcal {KC}_{k,k+2, Z, t, K}\).

At round \(k.a\), each party \(i \in \overline{Z}\) inputs the message \(x_i\) to \(\mathcal {GC}_{k,k+1,Z,t}\). Then, it is guaranteed that at round \((k+1).b\), honest parties obtain an output that satisfies validity and graded-consistency. We distinguish two cases:

  • If every party \(i \in \overline{Z}\) had as input value b at round k (there was pre-agreement): In \(\mathcal {KC}_{k,k+2, Z, t, K}\), the parties output the bit b at round \(k+2\) by definition. In the system specification \(\mathcal {R}_Z\), each party \(i \in \overline{Z}\) receives the bit (b, 1) at round \(k+1\), because of the validity of \(\mathcal {GC}_{k,k+1,Z,t}\). Hence, each party \(i \in \overline{Z}\) also outputs b at round \(k+2\).

  • Otherwise, assume the king is honest. If every honest party i obtains an output \((z_i,0)\), then at round \((k + 2).b\), every party takes the value of the king \(z_K\). Otherwise, there is a party j that obtained an output \((z_j,1)\) at round \((k + 1).b\). In this case, graded consistency implies that all honest parties have the same output. In particular, this holds for the honest king. Thus, all parties decide on the same output.    \(\square \)

A.4 Consensus

We define a specification that achieves consensus with respect to a set of parties Z. The primitive provides two guarantees:

  • Validity: If all parties in \(\overline{Z}\) input the same value, they agree on this value.

  • Consistency: There is a value y such that every party \(j \in \overline{Z}\) decides on the value \(y_j = y\).

We describe a specification \(\mathcal {C}_{k,l, Z, t}\) that models consensus, secure up to t dishonest parties, which starts at round k and ends at round l. If \(|Z| \le t\):

[figure p: formal definition of the specification \(\mathcal {C}_{k,l,Z,t}\); not reproduced in this extraction]

And when \(|Z| > t\), \(\mathcal {C}_{k,l, Z, t} = \varPhi \).

Protocol \(\varPi _{\mathtt {cons}}^k = (\pi _1^{\mathtt {cons}},\dots ,\pi _n^{\mathtt {cons}})\) constructs specification \(\mathcal {C}_{k,k+3(t+1)-1, Z, t}\) from the assumed specification \([\mathcal {KC}_{k,k+2,Z,t,1},\dots ,\mathcal {KC}_{k+3t,k+3(t+1)-1,Z,t, {t+1}}]\). The idea is simply to execute the king consensus protocol sequentially \(t+1\) times with different kings. More concretely, at round \(k + 3j\), \(j \in [0,t]\), parties execute the king consensus protocol, where the king is \({j+1}\). If parties start with the same input bit, validity of king consensus guarantees that this bit is kept until the end. Otherwise, since the number of dishonest parties is at most t, one of the executions has an honest king. After the execution with the honest king, consistency is reached, and validity ensures that consistency is maintained until the end of the execution.

[figure q: protocol \(\varPi _{\mathtt {cons}}^k\); not reproduced in this extraction]

Theorem 5

Let \(t < n\). \(\varPi _{\mathtt {cons}}^k\) constructs \(\mathcal {C}_{k,k+3t+2, Z, t}\) from \([\mathcal {KC}_{k,k+2,Z,t,1}, \dots ,\) \(\mathcal {KC}_{k+3t,k+3t+2,Z,t, {t+1}}]\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.

Proof

Let \(Z \subseteq \mathcal {P}\) such that \(|Z| \le t\). We distinguish two cases:

  • If every party \(i \in \overline{Z}\) had as input value b at round k (there was pre-agreement): After each input to \(\mathcal {KC}_{k+3j,k+3j+2, Z, t, {j+1}}\), the parties obtain the bit b because of validity. This is the same in \(\mathcal {C}_{k,k+3t+2, Z, t}\) by definition.

  • Otherwise, given that there are up to t dishonest parties and there are \(t+1\) different kings, there is an honest king K. The output of any system in the specification \(\mathcal {KC}_{k+3(K-1),k+3K-1,Z,t, {K}}\) is the same value v for all honest parties because of the king consistency. All the following invocations to king consensus keep the value v as the output because of the validity property. Thus, all parties decide on the same output.

   \(\square \)

A.5 Broadcast

In Sect. 6.2 we introduced a broadcast resource specification. We show how to achieve such a specification from \(\mathcal {C}_{k,l, Z, t}\), as long as \(|Z| \le t\), for any \(t \le \frac{n}{3}\).

We recall the broadcast specification resource secure up to t dishonest parties, which starts at round k and ends at round l. If \(|Z| \le t\):

[figure r: formal definition of the specification \(\mathcal {BC}_{k,l,Z,t}\); not reproduced in this extraction]

And when \(|Z| > t\), \(\mathcal {BC}_{k,l, Z, t} = \varPhi \).

Protocol \(\varPi _{\mathtt {bc}}^k = (\pi _1^{\mathtt {bc}},\dots ,\pi _n^{\mathtt {bc}})\) constructs specification \(\mathcal {BC}_{k,k+3t+3,Z,t}\) from the assumed specification \([\mathcal {C}_{k+1,k+3t+3,Z,t},\mathcal {N}_Z]\). The sender simply sends its input value x to every party, and then parties execute the consensus protocol on the received value from the sender.

Theorem 6

Let \(t < \frac{n}{2}\). \(\varPi _{\mathtt {bc}}^k\) constructs \(\mathcal {BC}_{k,k+3t+3,Z,t}\) from \([\mathcal {C}_{k+1,k+3t+3,Z,t},\) \(\mathcal {N}_Z]\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.

Proof

Let \(Z \subseteq \mathcal {P}\) such that \(|Z| \le t\). We distinguish two cases:

  • If the sender is honest, every honest party receives the sender’s input \(x_s\) and inputs this value into the consensus resource. Because of the validity of consensus, every honest party obtains \(x_s\) from the consensus resource and outputs it. This is the same in \(\mathcal {BC}_{k,k+3t+3, Z, t}\) by definition.

  • Otherwise, the consistency of the consensus resource guarantees that every honest party receives the same value from the consensus resource, and hence every honest party outputs the same value.   \(\square \)

As a corollary of composing all the previous protocols, we obtain that there is a protocol which constructs broadcast from a network of bilateral channels.

Corollary 1

Let \(t < \frac{n}{3}\). There is a protocol that constructs \(\mathcal {BC}_{k,k+3t+3,Z,t}\) from \(\mathcal {N}_Z\), for any \(Z\subseteq \mathcal {P}\) such that \(|Z| \le t\), and constructs \(\varPhi \) otherwise.
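As an added example (not the paper's code), the following Python simulation runs the whole chain of Appendix A, weak consensus, graded consensus, king consensus, consensus with t+1 kings and broadcast, over a synchronous pairwise-channel network with n = 4, t = 1 and one dishonest party whose deliveries follow a constructed equivocation policy. The thresholds, round structure and king schedule are those stated above; indexing parties from 0 (so the kings are parties 0..t) and breaking ties towards 0 in graded consensus are assumptions of this example.

```python
from typing import Callable, List, Optional, Set, Tuple

BOT = None                         # the symbol ⊥ of the paper
Value = Optional[int]
# A fault policy decides what dishonest sender i delivers to receiver j in a
# round; it may equivocate, i.e. deliver different bits to different parties.
# Honest senders always deliver the value the protocol tells them to send.
Policy = Callable[[int, int], Value]


def exchange(n: int, vals: List[Value], bad: Set[int], policy: Policy) -> List[List[Value]]:
    """One synchronous round over the pairwise channels N_Z:
    recv[j][i] is what party j receives from party i."""
    return [[policy(i, j) if i in bad else vals[i] for i in range(n)] for j in range(n)]


def weak_consensus(n: int, t: int, x: List[Value], bad: Set[int], policy: Policy) -> List[Value]:
    """A.1 (one round): output a bit received at least n-t times, otherwise ⊥."""
    recv = exchange(n, x, bad, policy)
    out: List[Value] = []
    for j in range(n):
        hits = [b for b in (0, 1) if recv[j].count(b) >= n - t]
        out.append(hits[0] if hits else BOT)     # with t < n/3 at most one bit qualifies
    return out


def graded_consensus(n: int, t: int, x: List[Value], bad: Set[int], policy: Policy) -> List[Tuple[int, int]]:
    """A.2 (two rounds): weak consensus, then redistribute its output; the value is
    the most received bit and the grade is 1 iff it was received at least n-t times."""
    z = weak_consensus(n, t, x, bad, policy)      # round k
    recv = exchange(n, z, bad, policy)            # round k+1
    out = []
    for j in range(n):
        c0, c1 = recv[j].count(0), recv[j].count(1)
        y = 1 if c1 > c0 else 0                   # ties broken towards 0 (assumption)
        out.append((y, 1 if max(c0, c1) >= n - t else 0))
    return out


def king_consensus(n: int, t: int, x: List[Value], bad: Set[int], policy: Policy, king: int) -> List[Value]:
    """A.3 (three rounds): graded consensus, then every party with grade 0 adopts the king's value."""
    gc = graded_consensus(n, t, x, bad, policy)                 # rounds k, k+1
    recv = exchange(n, [y for y, _ in gc], bad, policy)         # round k+2; only the king's message is used
    return [y if g == 1 else recv[i][king] for i, (y, g) in enumerate(gc)]


def consensus(n: int, t: int, x: List[Value], bad: Set[int], policy: Policy) -> List[Value]:
    """A.4: t+1 sequential king-consensus runs with kings 0..t, so at least one king is honest."""
    for king in range(t + 1):
        x = king_consensus(n, t, x, bad, policy, king)
    return x


def broadcast(n: int, t: int, sender: int, x_s: int, bad: Set[int], policy: Policy) -> List[Value]:
    """A.5: the sender distributes x_s, then all parties run consensus on what they received."""
    recv = exchange(n, [x_s if i == sender else BOT for i in range(n)], bad, policy)
    return consensus(n, t, [recv[j][sender] for j in range(n)], bad, policy)


def honest_outputs(out: List[Value], bad: Set[int]) -> List[Value]:
    """Outputs of the parties in Z-bar; dishonest parties' outputs carry no guarantee."""
    return [v for i, v in enumerate(out) if i not in bad]


def equivocate(i: int, j: int) -> Value:
    """Constructed fault policy: deliver 0 to even-numbered receivers and 1 to odd ones."""
    return j % 2


if __name__ == "__main__":
    n, t, bad = 4, 1, {0}
    # Party 0 is dishonest and is also the first king: after its run the honest
    # parties disagree, and the honest king 1 repairs this in the second run.
    print(honest_outputs(king_consensus(n, t, [0, 1, 0, 1], bad, equivocate, 0), bad))
    print(honest_outputs(consensus(n, t, [0, 1, 0, 1], bad, equivocate), bad))
    # Dishonest sender: honest parties still agree on one value.
    print(honest_outputs(broadcast(n, t, 0, 0, bad, equivocate), bad))
```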

Copyright information

© 2020 International Association for Cryptologic Research

Cite this paper

Liu-Zhang, C.-D., Maurer, U. (2020). Synchronous Constructive Cryptography. In: Pass, R., Pietrzak, K. (eds) Theory of Cryptography. TCC 2020. Lecture Notes in Computer Science, vol 12551. Springer, Cham. https://doi.org/10.1007/978-3-030-64378-2_16

  • DOI: https://doi.org/10.1007/978-3-030-64378-2_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-64377-5

  • Online ISBN: 978-3-030-64378-2