
Round-Efficient Byzantine Agreement and Multi-party Computation with Asynchronous Fallback

Conference paper in Theory of Cryptography (TCC 2021), part of the book series Lecture Notes in Computer Science (LNCS, volume 13042).

Abstract

Protocols for Byzantine agreement (BA) and secure multi-party computation (MPC) can be classified according to the underlying communication model. The two most commonly considered models are the synchronous one and the asynchronous one. Synchronous protocols typically lose their security guarantees as soon as the network violates the synchrony assumptions. Asynchronous protocols remain secure regardless of the network conditions, but achieve weaker security guarantees even when the network is synchronous.

Recent works by Blum, Katz and Loss [TCC’19], and Blum, Liu-Zhang and Loss [CRYPTO’20] introduced BA and MPC protocols achieving security guarantees in both settings: security up to \(t_s\) corruptions in a synchronous network, and up to \(t_a\) corruptions in an asynchronous network, under the provably optimal threshold trade-offs \(t_a \le t_s\) and \(t_a + 2t_s < n\). However, current solutions incur a high synchronous round complexity when compared to state-of-the-art purely synchronous protocols. When the network is synchronous, the round complexity of BA protocols is linear in the number of parties, and the round complexity of MPC protocols also depends linearly on the depth of the circuit to evaluate.

In this work, we provide round-efficient constructions for both primitives with optimal resilience: fixed-round and expected constant-round BA protocols, and an MPC protocol whose round complexity is independent of the circuit depth.

C.-D. Liu-Zhang—This work was partially carried out while the author was at ETH Zürich.


Notes

  1. This is when requiring full security. When striving for weaker security guarantees, such as security with abort, there are solutions that run in a constant number of rounds (e.g. [3]).

  2. Achieving such MPC constructions in the expected constant-round realm requires composing protocols with probabilistic termination in a round-preserving fashion. We leave this interesting line of research for future work. See [16, 33] for interesting discussions and challenges in this setting.

  3. However, note that our protocols for BA are adaptively secure.

  4. When the network is asynchronous, the adversary can delay messages for any arbitrary (but finite) amount of time, and so the protocols may run for longer.

  5. For simplicity, we describe our protocols and proofs assuming an ideal coin flip that outputs a common uniform random bit to all honest parties in one round (e.g. [12]). If a q-weak coin flip is used instead, where honest parties agree with probability q, the round complexity increases by a factor of O(1/q).

  6. The asynchronous protocol described there has probabilistic termination and runs in an expected constant number of rounds when the network is synchronous. It is straightforward to achieve a variant of the protocol that runs in \(O(\kappa )\) rounds when the network is synchronous, following Sect. 4.2, by substituting the weak consensus protocol with the increased-validity graded consensus protocol from [9].

  7. This is without loss of generality, since any arithmetic circuit can be transformed into a boolean one, and the set \(\{\texttt {NAND}\}\) is functionally complete.

  8. Yao first introduced garbled circuits in talks related to his paper [46], but they do not explicitly appear in the paper. For a formal treatment, cf. [6].

  9. Personal communication with Yehuda Lindell.

  10. Respectively, the BA protocol and the adaptation of Dolev-Strong broadcast from [9].

References

  1. Abraham, I., Dolev, D., Halpern, J.Y.: An almost-surely terminating polynomial protocol for asynchronous Byzantine agreement with optimal resilience. In: Bazzi, R.A., Patt-Shamir, B. (eds.) 27th ACM PODC, pp. 405–414. ACM, August 2008

  2. Abraham, I., Malkhi, D., Nayak, K., Ren, L., Yin, M.: Sync HotStuff: simple and practical synchronous state machine replication. Cryptology ePrint Archive, Report 2019/270 (2019). https://eprint.iacr.org/2019/270

  3. Ananth, P., Choudhuri, A.R., Goel, A., Jain, A.: Two round information-theoretic MPC with malicious security. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 532–561. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_19

  4. Bar-Ilan, J., Beaver, D.: Non-cryptographic fault-tolerant computing in constant number of rounds of interaction. In: Rudnicki, P. (ed.) 8th ACM PODC, pp. 201–209. ACM, August 1989

  5. Beaver, D., Micali, S., Rogaway, P.: The round complexity of secure protocols (extended abstract). In: 22nd ACM STOC, pp. 503–513. ACM Press, May 1990

  6. Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 784–796 (2012)

  7. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In: 20th ACM STOC, pp. 1–10. ACM Press, May 1988

  8. Ben-Or, M., Kelmer, B., Rabin, T.: Asynchronous secure computations with optimal resilience (extended abstract). In: Anderson, J., Toueg, S. (eds.) 13th ACM PODC, pp. 183–192. ACM, August 1994

  9. Blum, E., Katz, J., Loss, J.: Synchronous consensus with optimal asynchronous fallback guarantees. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11891, pp. 131–150. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36030-6_6

  10. Blum, E., Katz, J., Loss, J.: Network-agnostic state machine replication. Cryptology ePrint Archive, Report 2020/142 (2020). https://eprint.iacr.org/2020/142

  11. Blum, E., Liu-Zhang, C.-D., Loss, J.: Always have a backup plan: fully secure synchronous MPC with asynchronous fallback. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 707–731. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_25

  12. Cachin, C., Kursawe, K., Shoup, V.: Random oracles in Constantinople: practical asynchronous Byzantine agreement using cryptography. J. Cryptol. 18(3), 219–246 (2005)

  13. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press, October 2001

  14. Canetti, R., Rabin, T.: Fast asynchronous Byzantine agreement with optimal resilience. In: 25th ACM STOC, pp. 42–51. ACM Press, May 1993

  15. Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols (abstract) (informal contribution). In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, p. 462. Springer, Heidelberg, August 1988

  16. Cohen, R., Coretti, S., Garay, J., Zikas, V.: Probabilistic termination and composability of cryptographic protocols. J. Cryptol. 32(3), 690–741 (2018). https://doi.org/10.1007/s00145-018-9279-y

  17. Coretti, S., Garay, J., Hirt, M., Zikas, V.: Constant-round asynchronous multi-party computation based on one-way functions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 998–1021. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_33

  18. Cramer, R., Damgård, I., Dziembowski, S., Hirt, M., Rabin, T.: Efficient multiparty computations secure against an adaptive adversary. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 311–326. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_22

  19. Cramer, R., Damgård, I., Maurer, U.: General secure multi-party computation from any linear secret-sharing scheme. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 316–334. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_22

  20. Damgård, I., Ishai, Y.: Constant-round multiparty computation using a black-box pseudorandom generator. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 378–394. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_23

  21. Damgård, I., Nielsen, J.B.: Universally composable efficient multiparty computation from threshold homomorphic encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 247–264. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_15

  22. Deligios, G., Hirt, M., Liu-Zhang, C.-D.: Round-efficient Byzantine agreement and multi-party computation with asynchronous fallback. Cryptology ePrint Archive, Report 2021/1141 (2021). https://ia.cr/2021/1141

  23. Dolev, D., Strong, H.R.: Authenticated algorithms for Byzantine agreement. SIAM J. Comput. 12(4), 656–666 (1983)

  24. Feldman, P., Micali, S.: Optimal algorithms for Byzantine agreement. In: 20th ACM STOC, pp. 148–161. ACM Press, May 1988

  25. Fischer, M.J., Lynch, N.A., Paterson, M.S.: Impossibility of distributed consensus with one faulty process. J. ACM 32(2), 374–382 (1985)

  26. Fitzi, M., Hirt, M., Maurer, U.: Trading correctness for privacy in unconditional multi-party computation. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 121–136. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055724

  27. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: Aho, A. (ed.) 19th ACM STOC, pp. 218–229. ACM Press, May 1987

  28. Guo, Y., Pass, R., Shi, E.: Synchronous, with a chance of partition tolerance. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 499–529. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_18

  29. Hirt, M., Maurer, U.: Robustness for free in unconditional multi-party computation. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 101–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_6

  30. Hirt, M., Nielsen, J.B., Przydatek, B.: Cryptographic asynchronous multi-party computation with optimal resilience. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 322–340. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_19

  31. Katz, J., Koo, C.-Y.: On expected constant-round protocols for Byzantine agreement. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 445–462. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_27

  32. Katz, J., Koo, C.-Y.: On expected constant-round protocols for Byzantine agreement. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 445–462. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_27

  33. Lindell, Y., Lysyanskaya, A., Rabin, T.: Sequential composition of protocols without simultaneous termination. In: Ricciardi, A. (ed.) 21st ACM PODC, pp. 203–212. ACM, July 2002

  34. Liu, S., Viotti, P., Cachin, C., Quéma, V., Vukolić, M.: XFT: practical fault tolerance beyond crashes. In: 12th USENIX Symposium on Operating Systems Design and Implementation, pp. 485–500 (2016)

  35. Liu-Zhang, C.-D., Loss, J., Maurer, U., Moran, T., Tschudi, D.: MPC with synchronous security and asynchronous responsiveness. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 92–119. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_4

  36. Loss, J., Moran, T.: Combining asynchronous and synchronous Byzantine agreement: the best of both worlds. Cryptology ePrint Archive, Report 2018/235 (2018). https://eprint.iacr.org/2018/235

  37. Malkhi, D., Nayak, K., Ren, L.: Flexible Byzantine fault tolerance. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1041–1053 (2019)

  38. Nakamoto, S.: A peer-to-peer electronic cash system (2008)

  39. Pass, R., Shi, E.: Hybrid consensus: efficient consensus in the permissionless model. In: LIPIcs–Leibniz International Proceedings in Informatics, vol. 91. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik (2017)

  40. Pass, R., Shi, E.: Thunderella: blockchains with optimistic instant confirmation. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 3–33. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_1

  41. Patra, A., Choudhary, A., Rangan, C.P.: Simple and efficient asynchronous Byzantine agreement with optimal resilience. In: Tirthapura, S., Alvisi, L. (eds.) 28th ACM PODC, pp. 92–101. ACM, August 2009

  42. Pease, M., Shostak, R., Lamport, L.: Reaching agreement in the presence of faults. J. ACM 27(2), 228–234 (1980)

  43. Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority. In: Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, pp. 73–85 (1989)

  44. Shostak, R., Pease, M., Lamport, L.: The Byzantine generals problem. ACM Trans. Program. Lang. Syst. 4(3), 382–401 (1982)

  45. Yao, A.C.-C.: Protocols for secure computations (extended abstract). In: 23rd FOCS, pp. 160–164. IEEE Computer Society Press, November 1982

  46. Yao, A.C.-C.: How to generate and exchange secrets (extended abstract). In: 27th FOCS, pp. 162–167. IEEE Computer Society Press, October 1986

Author information

Correspondence to Chen-Da Liu-Zhang.

Appendices

A Additional Definitions

Symmetric-Key Encryption. We recall the definition of a symmetric encryption scheme.

Definition 7

A symmetric encryption scheme is a triple \(({\mathsf {Enc}},{\mathsf {Dec}},{\mathsf {Kgn}})\) of algorithms such that:

  • the key generation algorithm \({\mathsf {Kgn}}\) outputs a secret key \(K \in \mathcal {K}\);

  • given a secret key \(K \in \mathcal {K}\) and a plaintext \(m \in \{0,1\}^*\), the encryption algorithm \({\mathsf {Enc}}\) outputs a ciphertext \(\mathcal {C} \ni c := {\mathsf {Enc}}_K(m)\);

  • given a ciphertext \(c \in \mathcal {C}\) and a secret key \(K \in \mathcal {K}\), the decryption algorithm \({\mathsf {Dec}}\) outputs \({\mathsf {Dec}}_K(c) \in \{0,1\}^*\);

  • \({\mathsf {Dec}}_K\left( {\mathsf {Enc}}_K(m)\right) =m\) for all \(m \in \{0,1\}^*\) and \(K \in \mathcal {K}\).

In a dual key encryption scheme, two keys \(K_1, K_2\) are needed to encrypt and decrypt. The semantics are otherwise unchanged.

Secret-Sharing. A secret-sharing scheme allows a dealer D to distribute a secret s among a set \(\mathcal {P}\) of n parties, so that only certain qualified subsets of parties can reconstruct the secret. Other subsets should obtain no information about the secret. A secret-sharing scheme is specified by its access structure \(\varGamma \subseteq 2^\mathcal {P}\): the collection of the qualified subsets of parties.

Definition 8

A secret-sharing scheme for access structure \(\varGamma \) is a pair of protocols \(({\mathsf {Share}}, {\mathsf {Reconstruct}})\) with the following properties.

  • After \({\mathsf {Share} (s)}\), there is a unique value \(s'\) that can be reconstructed, and \(s' = s\) if the dealer is honest. Furthermore, any subset of parties \(S \in \varGamma \) can execute \({\mathsf {Reconstruct}}\) to reconstruct s.

  • After \({\mathsf {Share} (s)}\), any subset of parties \(S \notin \varGamma \) obtains no information about s.

We are interested in t-out-of-n secret-sharing schemes, that is, secret sharing schemes where \(\varGamma := \{S \in 2^\mathcal {P} \,:\, \#S \ge t\}\).

B Gradecast with Asynchronous Weak Validity

We present, using slightly different notation, a 4-round gradecast protocol by Katz et al. [32] and explicitly show that their construction achieves t-weak graded validity (q.v. Definition 5) for all \(t < n/2\) when the network is asynchronous. We refer to the full version [22] for the security proofs.

[Protocol \(\varPi _\mathsf {GBC} ^t\): figure not reproduced on this page.]

Lemma 7

Assume \(t < n/2\). Protocol \(\varPi _\mathsf {GBC} ^t\) achieves the following security guarantees.

  • When run over a synchronous network: t-graded validity and t-graded consistency.

  • When run over an asynchronous network: t-weak graded validity.

C Proof of Lemma 1

Assume that at most \(t_s\) parties are corrupted in an execution of protocol \(\varPi _{\mathsf {WC}}^{t_a, t_s}\left( \varPi _{\mathsf {GC}}^{\max \{t_a, t_s\}}\right) \) over a synchronous network.

[liveness] Synchrony of the network and \(t_s\)-graded validity of \(\varPi _{\mathsf {GC}}^{\max \{t_a, t_s\}}\) guarantee that each honest party \(P_j\) sets \(b_{ij} := \varPi _{\mathsf {GC}}^{\max \{t_a, t_s\}}(i) = (v_i, 2)\) for each honest party \(P_i\). Therefore, \(\#(S_j^v \sqcup S_j^{1-v}) \ge n -t_s\), so that \(P_j\) sets \(b_j \in \{0, 1, \bot \}\) during output determination and does not output \(\top \). This proves \(t_s\)-liveness.

[validity] Suppose that all honest parties hold the same input v. Synchrony of the network and \(t_s\)-graded validity of protocol \(\varPi _{\mathsf {GC}}^{\max \{t_a, t_s\}}\) guarantee that each honest party \(P_j\) sets \(b_{ij} := \varPi _{\mathsf {GC}}^{\max \{t_a, t_s\}}(i) = (v, 2)\) for each honest party \(P_i\). Therefore, \(\#S^v_j \ge n-t_s\) and party \(P_j\) outputs v. It is worth noting that if both \(\#S_j^v \ge n-t_s\) and \(\#S_j^{1-v} \ge n-t_s\), then \(n \ge \#(S_j^v \sqcup S_j^{1-v}) \ge 2n - 2t_s > n\), which is absurd. This proves \(t_s\)-validity.

[weak consistency] Suppose an honest party \(P_j\) outputs \(v \in \{0,1\}\). There are two possibilities. The first is that

$$\begin{cases} \#S_j^{v} \ge n - t_s - t_a\\ \#(S^{1-v}_j \sqcup U_j^{1-v}) \le t_a. \end{cases} \tag{1}$$

If \(P_i\) is another honest party, then synchrony of the network and \(t_s\)-graded consistency of \(\varPi _{\mathsf {GBC}}^{\max \{t_a,t_s\}}\) guarantee that \( \#S_i^{1-v} \le t_a < n - t_s - t_a \le n - t_s.\) If this were not the case, by \(t_s\)-graded consistency of \(\varPi _{\mathsf {GBC}}^{\max \{t_a,t_s\}}\) we would have \(\#(S^{1-v}_j \sqcup U_j^{1-v}) > t_a\), which is a contradiction. Therefore, party \(P_i\) does not output \(1-v\). The second case is that \(\#S_j^v \ge n-t_s\). In this case (reasoning as above), for an honest party \(P_i\)

$$\begin{cases} \#(S_i^{v} \sqcup U_i^{v}) \ge n - t_s > 2t_a \ge t_a\\ \#S_i^{1-v} < n - t_s \end{cases} \tag{2}$$

so that \(P_i\) does not output \(1-v\). This proves \(t_s\)-weak consistency.

Assume that at most \(t_a\) parties are corrupted in an execution of protocol \(\varPi _{\mathsf {WC}}^{t_a, t_s}\left( \varPi _{\mathsf {GC}}^{\max \{t_a, t_s\}}\right) \) over an asynchronous network.

[weak validity] Assume all honest parties hold the same input v. Suppose an honest party \(P_j\) does not output \(\top \). This means \(\#(S_j^v \sqcup S_j^{1-v}) \ge n-t_s\). By \(t_a\)-weak graded validity of protocol \(\varPi _{\mathsf {GC}}^{\max \{t_a, t_s\}}\), party \(P_j\) sets \(b_{ij} := \varPi _{\mathsf {GC}}^{\max \{t_a, t_s\}}(i) \in \{v, \top \}\) for each honest party \(P_i\). Therefore, \(\#S_j^{1-v} \le t_a < n - t_s - t_a \le n - t_s\) (so that party \(P_j\) does not output \(1-v\)), but also

$$\begin{cases} \#S_j^{v} \ge n-t_s - \#S_j^{1-v} \ge n - t_s - t_a\\ \#(S_j^{1-v} \sqcup U_j^{1-v}) \le t_a \end{cases} \tag{3}$$

so that party \(P_j\) outputs v. This proves \(t_a\)-weak validity and concludes the proof of the lemma.

D A Simpler Weak-Consensus with Asynchronous Weak Validity for \(t_a + 2t_s<n\) and \(t_a\le t_s\)

We show a simple 3-round construction for a weak consensus protocol that is 1) \(t_s\)-secure in a synchronous network, and 2) \(t_a\)-weakly valid in an asynchronous network, under the stronger assumptions that \(t_a + 2t_s < n\), \(t_a \le t_s\) (these assumptions are optimal for BA with full asynchronous fallback [9]). The public key infrastructure available allows parties to forward cryptographic evidence (in the form of digital signatures) that they received a given message from other parties by appropriately combining this evidence to generate what we refer to as certificates (see e.g. [30]). An \(\ell \)-certificate on a bit b is simply a concatenation of at least \(\ell \) valid signatures on b from distinct parties.

[Protocol \(\varPi _{{\mathsf {WC}}}^{t_a, t_s}\): figure not reproduced on this page.]

Lemma 8

Assume \(t_a + 2t_s < n\) and \(t_a \le t_s\). Protocol \(\varPi _{{\mathsf {WC}}}^{t_a, t_s}\) achieves the following security guarantees.

  • When run over a synchronous network: \(t_s\)-liveness, \(t_s\)-validity, and \(t_s\)-weak consistency.

  • When run over an asynchronous network: \(t_a\)-weak validity.

Proof

Assume that at most \(t_s\) parties are corrupted in an execution of \(\varPi _{{\mathsf {WC}}}^{t_a, t_s}\) over a synchronous network.

[liveness] Each honest party \(P_j\) sends message \((v_j, \mathsf {Sgn} (v_j, \texttt {pk}_j))\) to all parties in Round 1. Synchrony of the network guarantees all these messages are delivered within the round. It follows that, in Round 2, \(\#S_j \ge n - t_s\) for each honest party \(P_j\), so that \(P_j\) sets \(b_j = \bot \). This proves \(t_s\)-liveness, as \(b_j\) is never set to \(\top \).

[validity] Assume each honest party holds the same input \(v \in \{0, 1\}\). In Round 1, each honest \(P_j\) sends message \((v_j, \mathsf {Sgn} (v_j, \texttt {pk}_j))\) to all parties. Synchrony of the network guarantees that \(\#S_j^v \ge n - t_s \ge n - t_s - t_a\) for each honest party \(P_j\), so that \(P_j\) sets \(b_j = v\) in Round 2. Notice that \(\#S_j^{1-v} \le t_s < n - t_s - t_a\). No honest party signs bit \(1-v\) at any point in the execution of the protocol, and the adversary cannot forge signatures on behalf of honest parties. Together with \(t_s < n - t_s -t_a\), this implies that no \((n-t_s-t_a)\)-certificate on bit \(1-v\) can be produced by corrupted parties, so that no honest party \(P_j\) sets \(b_j = \bot \) in Round 3. In conclusion, each honest party \(P_j\) outputs \(b_j = v\). This proves \(t_s\)-validity.

[weak consistency] Assume an honest party \(P_j\) outputs v. This means \(P_j\) sets \(b_j = v\) in Round 2, and sends an \((n-t_s-t_a)\)-certificate on v to all parties in Round 3. Synchrony of the network guarantees that this certificate is delivered to all honest parties by the end of the round. In conclusion, no honest party outputs \(1-v\). This proves \(t_s\)-weak consistency.

Assume that at most \(t_a\) parties are corrupted in an execution of \(\varPi _{{\mathsf {WC}}}^{t_a, t_s}\) over an asynchronous network.

[weak validity] Assume each honest party holds the same input \(v \in \{0, 1\}\) and assume an honest party \(P_j\) does not output \(\top \). This means \(\#S_j \ge n-t_s\). Notice that \(S_j = S_j^{v} \sqcup S_j^{1-v}\). The adversary cannot forge honest parties’ signatures, which guarantees \(\#S_j^{1-v} \le t_a\); this implies \(\#S_j^v \ge \#S_j - t_a \ge n - t_s - t_a\), so that \(P_j\) sets \(b_j = v\) in Round 2. The assumption \(t_a \le t_s\) guarantees that \(t_a \le t_s < n - t_s - t_a\), which means corrupted parties cannot produce an \((n - t_s - t_a)\)-certificate on \(1-v\). In conclusion, party \(P_j\) outputs \(b_j = v\) in Round 3. This proves \(t_a\)-weak validity and concludes the proof of the lemma.    \(\square \)
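As an added example (my own code, not the paper's or the authors'), the Round-1 signed votes, the Round-2 decision rule and the \(\ell\)-certificate check of Appendix D in Go, with Ed25519 from the standard library standing in for the PKI signatures. The message encoding, the treatment of a Round-2 tie as \(\bot\), and all names are assumptions. The check a reviewer should look for is that a certificate counts distinct signers rather than signatures, so a corrupted party replaying its own signature never reaches the threshold \(n - t_s - t_a\).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Vote is the Round-1 message (v_j, Sgn(v_j, pk_j)) of Appendix D plus the signer's index.
// Example code, not the paper's: names, encoding and the ⊥ tie rule are assumptions.
type Vote struct {
	Signer int
	Bit    byte
	Sig    []byte
}

// bitMessage is what gets signed; the tag separates votes from other signed data.
func bitMessage(b byte) []byte { return append([]byte("WC-vote:"), b) }

// Setup generates n key pairs (constructed test data): the PKI and the private keys.
func Setup(n int) ([]ed25519.PublicKey, []ed25519.PrivateKey) {
	pki, sks := make([]ed25519.PublicKey, n), make([]ed25519.PrivateKey, n)
	for i := range pki {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		pki[i], sks[i] = pub, priv
	}
	return pki, sks
}

func SignVote(i int, sk ed25519.PrivateKey, b byte) Vote {
	return Vote{i, b, ed25519.Sign(sk, bitMessage(b))}
}

// validVote: known signer, bit in {0,1}, signature valid under that signer's key.
func validVote(pki []ed25519.PublicKey, v Vote) bool {
	return v.Signer >= 0 && v.Signer < len(pki) && v.Bit <= 1 && ed25519.Verify(pki[v.Signer], bitMessage(v.Bit), v.Sig)
}

// VerifyCertificate checks for an l-certificate on bit b: at least l valid
// signatures on b from distinct parties. A repeated signer counts once, so
// a corrupted party cannot reach l by replaying its own signature.
func VerifyCertificate(pki []ed25519.PublicKey, votes []Vote, b byte, l int) bool {
	seen := make(map[int]bool)
	for _, v := range votes {
		if v.Bit == b && validVote(pki, v) {
			seen[v.Signer] = true
		}
	}
	return len(seen) >= l
}

// Round2 follows the Round-2 rule as the proof of Lemma 8 describes it, with
// l = n - t_s - t_a: fewer than n - t_s valid votes gives ⊤; a bit backed by
// at least l votes (the other by fewer) becomes b_j; otherwise b_j = ⊥. The
// backing votes are returned as the certificate P_j sends in Round 3.
func Round2(pki []ed25519.PublicKey, received []Vote, n, ts, ta int) (string, []Vote) {
	l := n - ts - ta
	seen := make(map[int]bool)
	var s [2][]Vote // s[0] = S_j^0, s[1] = S_j^1, one vote per signer
	for _, v := range received {
		if !seen[v.Signer] && validVote(pki, v) {
			seen[v.Signer] = true
			s[v.Bit] = append(s[v.Bit], v)
		}
	}
	switch {
	case len(s[0])+len(s[1]) < n-ts:
		return "⊤", nil
	case len(s[1]) >= l && len(s[0]) < l:
		return "1", s[1]
	case len(s[0]) >= l && len(s[1]) < l:
		return "0", s[0]
	}
	return "⊥", nil
}

// Round3: a party holding b_j = v that receives a valid l-certificate on
// 1-v falls back to ⊥; ⊤ and ⊥ pass through unchanged.
func Round3(pki []ed25519.PublicKey, bj string, certs [][]Vote, l int) string {
	if bj != "0" && bj != "1" {
		return bj
	}
	other := byte('1' - bj[0]) // the bit opposite to b_j
	for _, c := range certs {
		if VerifyCertificate(pki, c, other, l) {
			return "⊥"
		}
	}
	return bj
}

func main() {
	pki, sks := Setup(7) // n = 7, t_s = t_a = 2, so l = 3
	var votes []Vote
	for i := 0; i < 5; i++ { // the n - t_s parties heard from, all voting 1
		votes = append(votes, SignVote(i, sks[i], 1))
	}
	out, cert := Round2(pki, votes, 7, 2, 2)
	dup := SignVote(6, sks[6], 0) // a corrupted party replays its signature
	fmt.Println(out, len(cert), Round3(pki, out, [][]Vote{{dup, dup, dup}}, 3))
}
```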

E Proof of Lemma 2

Assume that at most \(t_s\) parties are corrupted in an execution of \(\varPi _{\mathsf {SBA}}^{t_a, t_s}\) over a synchronous network.

[liveness] We claim that each honest party \(P_j\) inputs \(b_j \in \{0,1\}\) to the execution of \(\varPi _{\mathsf {WC}}^{t_a, t_s}\) in iteration k (for all k). This holds trivially for \(k=1\). Suppose it holds for k. Synchrony of the network guarantees that, by \(t_s\)-liveness of \(\varPi _{\mathsf {WC}}^{t_a, t_s}\), \(b_j \in \{0, 1, \bot \}\) for each honest party \(P_j\) after running weak consensus in iteration k. Since \({\mathsf {coin}}_k \in \{0,1\}\), then \(b_j \in \{0,1\}\) for each honest party \(P_j\) at the end of iteration k, so that \(P_j\) inputs \(b_j \in \{0,1\}\) to the execution of \(\varPi _{\mathsf {WC}}^{t_a, t_s}\) in iteration \(k+1\). The claim follows by induction on k. Therefore, after iteration \(\kappa \), party \(P_j\) outputs \(b_j \in \{0,1\}\). This proves \(t_s\)-liveness.

[validity] Assume each honest party \(P_j\) holds the same input \(v \in \{0,1\}\). We claim that each honest party \(P_j\) inputs v to the execution of \(\varPi _{\mathsf {WC}}^{t_a, t_s}\) in iteration k (for all k). This holds trivially for \(k=1\). Suppose it holds for k. Synchrony of the network guarantees that, by \(t_s\)-validity of \(\varPi _{\mathsf {WC}}^{t_a, t_s}\), \(b_j = v \in \{0,1\}\) for each honest party \(P_j\) after the execution of weak consensus in iteration k. Therefore, party \(P_j\) ignores the value \(\mathsf {coin} _k\) and keeps \(b_j = v\) at the end of the iteration. In conclusion, party \(P_j\) inputs v to the execution of \(\varPi _{\mathsf {WC}}^{t_a, t_s}\) in iteration \(k+1\). The claim follows by induction on k. Therefore, after iteration \(\kappa \), party \(P_j\) outputs \(b_j =v\). This proves \(t_s\)-validity.

[consistency] Synchrony of the network guarantees that, by \(t_s\)-weak consistency of \(\varPi _{\mathsf {WC}}^{t_a, t_s}\), after the execution of weak consensus in iteration k, there is \(b^k \in \{0, 1\}\) such that \(b_j = b^k\) or \(b_j = \bot \) for each honest party \(P_j\) (for all k). Since \(\mathsf {coin} _k\) is a uniformly random bit (independent of \(b^k\), since the adversary only learns the value \(\mathsf {coin} _k\) after each honest party has produced output from weak consensus in iteration k), then \(\mathbb {P}(\mathsf {coin} _k = b^k) = 1/2\) for all k. Furthermore, synchrony of the network guarantees that, by \(t_s\)-validity of \(\varPi _{\mathsf {WC}}^{t_a, t_s}\), if \(\mathsf {coin} _k =b^k\) for some k, then \(b_j = b^k\) at the end of iteration \(k'\) for each honest party \(P_j\) and for all \(k' \ge k\) (the proof is by induction on \(k'\) as above, and we omit it).

For each positive integer k, let \(\mathsf {agree} _k\) denote the event that there exists \(b \in \{0,1\}\) such that \(b_j = b\) for each honest party \(P_j\) at the end of iteration k. We denote by \(\mathsf {agree} _{0}\) the event that all honest parties hold the same input. Furthermore, let \(\mathsf {abort} _k\) denote the event that some honest party \(P_j\) outputs \(\bot \) from the execution of \(\varPi _{{\mathsf {WC}}}^{t_a, t_s}\) in iteration k. For each \(k \ge 0\) we have

$$\begin{aligned} \mathbb {P}(\mathsf {agree} _{k+1}\,|\,\mathsf {agree} _k^c) &= \mathbb {P}\big ( \mathsf {agree} _{k+1} \cap (\mathsf {abort} _{k+1} \sqcup \mathsf {abort} _{k+1}^c)\,|\,\mathsf {agree} _k^c\big )\\ &= \mathbb {P}\big ( \mathsf {agree} _{k+1} \cap \mathsf {abort} _{k+1}\,|\,\mathsf {agree} _k^c\big ) + \mathbb {P}\big ( \mathsf {agree} _{k+1} \cap \mathsf {abort} _{k+1}^c\,|\,\mathsf {agree} _k^c\big )\\ &= \mathbb {P}\big (\mathsf {agree} _{k+1}\,|\,\mathsf {abort} _{k+1}\cap \mathsf {agree} _k^c\big )\,\mathbb {P}\big (\mathsf {abort} _{k+1}\big ) + \mathbb {P}\big (\mathsf {agree} _{k+1}\,|\,\mathsf {abort} _{k+1}^c \cap \mathsf {agree} _k^c\big )\,\mathbb {P}\big (\mathsf {abort} _{k+1}^c\big )\\ &= \mathbb {P}\big (\mathsf {coin} _{k+1}= b^{k+1}\big )\,\mathbb {P}\big (\mathsf {abort} _{k+1}\big ) + 1 \cdot \mathbb {P}\big (\mathsf {abort} _{k+1}^c\big )\\ &= \frac{1}{2}\left( \mathbb {P}\big (\mathsf {abort} _{k+1}\big ) + \mathbb {P}\big (\mathsf {abort} _{k+1}^c\big )\right) + \frac{1}{2}\,\mathbb {P}\big (\mathsf {abort} _{k+1}^c\big ) \ge \frac{1}{2}. \end{aligned} \tag{4}$$

Notice, once again, that the above equality \(\mathbb {P}\big (\mathsf {agree} _{k+1}\,|\,\mathsf {abort} _{k+1} \cap \mathsf {agree} _k^c\big ) = \mathbb {P}\big (\mathsf {coin} _{k+1}= b^{k+1}\big )\) holds because \(t_s\) corrupted parties alone cannot learn \(\mathsf {coin} _{k+1}\) in advance, so that the output of honest parties in the execution of \(\varPi _{{\mathsf {WC}}}^{t_a, t_s}\) is independent of the value of \(\mathsf {coin} _{k+1}\) in iteration \(k+1\). The observation that \(\mathsf {agree} _k^c \supseteq \mathsf {agree} _{k+1}^c\) allows us to finally estimate

(5)

This proves \(t_s\)-consistency.

Assume that at most \(t_a\) parties are corrupted in an execution of \(\varPi _{\mathsf {SBA}}^{t_a, t_s}\) over an asynchronous network.

[weak validity] Assume each honest party \(P_j\) holds the same input \(v \in \{0,1\}\). We claim that each honest party \(P_j\) inputs v to the execution of \(\varPi _{\mathsf {WC}}^{t_a, t_s}\) in iteration k (for all k). The claim is trivially true for \(k=1\). Assume it is true for k. By \(t_a\)-weak validity of protocol \(\varPi _{\mathsf {WC}}^{t_a, t_s}\), each honest party \(P_j\) outputs either v or \(\top \) from \(\varPi _{\mathsf {WC}}^{t_a, t_s}\) in iteration k. Therefore, each honest party \(P_j\) ignores the coin-flip value and sets \(b_j = v\) at the end of iteration k, and therefore inputs \(b_j = v\) to the following execution of \(\varPi _{\mathsf {WC}}^{t_a, t_s}\) in iteration \(k+1\). The claim follows by induction on k. In conclusion, each honest party outputs \(b_j = v\) at the end of iteration \(\kappa \). This proves \(t_a\)-weak validity.

F Synchronous Broadcast with Asynchronous Weak Validity

We now explain how to obtain a broadcast protocol that is \(t_s\)-secure in a synchronous network and \(t_a\)-weakly valid in an asynchronous network, starting from a BA with the same guarantees. In addition to the rounds required by the BA, our construction runs only 2 rounds. In particular, given a fixed-round BA, it yields a fixed-round broadcast protocol. The opposite construction (BA from broadcast) is shown in [9]. Together, these results completely resolve the question of equivalence of BA and broadcast with asynchronous weak validity.

The idea, well known in the synchronous model, is for the sender \(P^*\) to send their input to all parties in the first round; parties then run a Byzantine agreement protocol on the values they received to ensure consistency. However, this construction cannot be directly translated to our setting: if an honest party \(P_j\) does not receive a message from the sender \(P^*\) within the first round, then \(P^*\) could be corrupted, or the adversary might have delayed the message. In the former scenario, an easy patch would be to input a default value to the BA protocol, but this solution does not achieve weak validity in the latter scenario. On the other hand, not inputting any message to the Byzantine agreement protocol fails to provide consistency if the network is synchronous.

We solve this problem by having parties run two BAs: one to agree on whether the sender behaved honestly, and one to agree on a received value. These executions can be carried out in parallel for improved round efficiency.

Let \(\varPi _{{\mathsf {SBA}}}^{t_a, t_s}\) be a synchronous Byzantine agreement protocol (for example, our protocol with asynchronous weak validity from Sect. 4.2) which runs in s rounds.

[Protocol box for \(\varPi _{{\mathsf {SBC}}}^{t_a, t_s}\left( \varPi _{{\mathsf {SBA}}}^{t_a, t_s}\right) \): figure not reproduced in the extracted text]
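The construction described above, as an added simulation that is not part of the paper: the two rounds of the wrapper are executed step by step over a handful of honest receivers, and the two parallel executions of \(\varPi _{{\mathsf {SBA}}}^{t_a, t_s}\) are replaced by `ideal_ba`, a model that returns outputs chosen adversarially within exactly the guarantees Lemma 9 assumes of the BA (this model is an assumption of the example, not the protocol of Sect. 4.2). \(\mathsf {Sgn} \)/\(\mathsf {Vfy} \) are instantiated with a Lamport one-time signature over SHA-256; the party identifiers, the scenarios, the rule that a party keeps the first validly signed value it sees, and the adversary's choices inside the BA model are all constructed for the example. Scenario (d) runs the rejected "default value" patch over the same asynchronous execution as scenario (c), to show the weak-validity failure the text warns about.

```python
"""Added example (not from the paper): round-by-round simulation of the
broadcast wrapper Pi_SBC built from a BA Pi_SBA.  Pi_SBA itself is replaced by
ideal_ba, a model of the guarantees Lemma 9 assumes; Sgn/Vfy are instantiated
with a Lamport one-time signature.  All party ids and scenarios are constructed."""
import hashlib
import secrets

TOP = None              # stands for the symbol "top" (no value)
SYNC, ASYNC = "sync", "async"


# --- Lamport one-time signature over SHA-256 (stand-in for Sgn / Vfy) ---------
def keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, pk


def _bits(v):           # the signed message is the single byte bytes([v])
    h = int.from_bytes(hashlib.sha256(bytes([v])).digest(), "big")
    return [(h >> i) & 1 for i in range(256)]


def sign(sk, v):
    return [sk[i][bit] for i, bit in enumerate(_bits(v))]


def verify(pk, v, sig):
    return len(sig) == 256 and all(
        hashlib.sha256(sig[i]).digest() == pk[i][bit] for i, bit in enumerate(_bits(v)))


# --- model of Pi_SBA's guarantees (assumption; NOT the protocol of Sect. 4.2) --
def ideal_ba(inputs, network):
    """inputs: honest party -> input, TOP if the party sent nothing.  Returns
    honest party -> output, chosen adversarially within the stated guarantees."""
    provided = {x for x in inputs.values() if x is not TOP}
    if network == SYNC:
        # t_s-validity and t_s-consistency: one common output, equal to the honest
        # input if all honest inputs agree, otherwise one honest input (adversary's pick).
        out = min(provided) if provided else 0
        return {j: out for j in inputs}
    if len(provided) == 1:
        # t_a-weak validity: each honest output is in {v, TOP}; the adversary
        # hands TOP to exactly the parties whose own input was TOP.
        v = next(iter(provided))
        return {j: (TOP if inputs[j] is TOP else v) for j in inputs}
    return dict(inputs)   # honest inputs disagree: no guarantee; "keep own input"


# --- the wrapper of Appendix F ---------------------------------------------------
def sbc(honest, pk, round1, network, delay_r2=frozenset(), injected_r2=()):
    """round1: honest party -> (v, sig) delivered from the sender in round 1.
    delay_r2: honest parties whose round-2 forwards the adversary holds back
    (asynchronous network only).  injected_r2: (recipient, v, sig) triples sent
    by corrupted parties in round 2."""
    received_input = {j: 0 for j in honest}
    b = {j: TOP for j in honest}
    # Round 1: accept the sender's value only under a valid signature.
    for j in honest:
        if j in round1 and verify(pk, *round1[j]):
            received_input[j], b[j] = 1, round1[j][0]
    # Round 2: parties that accepted a value forward it to everyone.
    inbox = [(i, *round1[j]) for j in honest if received_input[j] and j not in delay_r2
             for i in honest]
    for i, v, sig in inbox + list(injected_r2):
        if b[i] is TOP and verify(pk, v, sig):
            b[i] = v        # assumption: a party keeps the first valid value it sees
    # Rounds 3 .. 3+s: two BAs in parallel, on the flag and on the value.
    flag_out = ideal_ba(received_input, network)
    value_out = ideal_ba(b, network)
    return {j: (value_out[j] if flag_out[j] == 1 else TOP) for j in honest}


def naive_bc(honest, pk, round1, network, default=0):
    """The 'easy patch' the text rejects: one BA, default input when nothing arrived."""
    inputs = {j: round1[j][0] if j in round1 and verify(pk, *round1[j]) else default
              for j in honest}
    return ideal_ba(inputs, network)


def run_scenarios():
    """Honest receivers 0..3; the sender P* is a fifth party (honest or corrupted).
    The one-time key is reused for both bits only to keep the example short."""
    sk, pk = keygen()
    honest = [0, 1, 2, 3]
    msg0, msg1 = (0, sign(sk, 0)), (1, sign(sk, 1))
    # (a) synchronous, honest sender with input 1.
    a = sbc(honest, pk, {j: msg1 for j in honest}, SYNC)
    # (b) synchronous, corrupted sender equivocates (0 to two parties, 1 to the others).
    b = sbc(honest, pk, {0: msg0, 1: msg0, 2: msg1, 3: msg1}, SYNC)
    # (c) asynchronous, honest sender; the adversary delays every message to party 3
    #     and a corrupted party injects a forged (0, garbage-signature) message to it.
    forged = (3, 0, [b"\x00" * 32] * 256)
    partial = {0: msg1, 1: msg1, 2: msg1}
    c = sbc(honest, pk, partial, ASYNC, delay_r2=frozenset(honest), injected_r2=[forged])
    # (d) same network as (c), but the naive single-BA construction with default 0.
    d = naive_bc(honest, pk, partial, ASYNC)
    return a, b, c, d
```

`run_scenarios()` returns the honest parties' outputs in the four scenarios: in (a) every honest party outputs the sender's bit; in (b) all honest parties agree on one bit even though the corrupted sender equivocated; in (c) party 3 outputs \(\top \) and the forged round-2 message is rejected by `verify`, so every output lies in \(\{v^*, \top \}\); in (d) party 3 outputs the default 0, which is neither the honest sender's input nor \(\top \), which is exactly the weak-validity failure of the single-BA patch.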

Lemma 9

Assume protocol \(\varPi _{{\mathsf {SBA}}}^{t_a, t_s}\) achieves the following security guarantees.

  • When run over a synchronous network: \(t_s\)-validity and \(t_s\)-consistency.

  • When run over an asynchronous network: \(t_a\)-weak validity.

Then, protocol \(\varPi _{{\mathsf {SBC}}}^{t_a, t_s}\left( \varPi _{{\mathsf {SBA}}}^{t_a, t_s}\right) \) achieves the following security guarantees.

  • When run over a synchronous network: \(t_s\)-validity and \(t_s\)-consistency.

  • When run over an asynchronous network: \(t_a\)-weak validity.

Proof

Assume that at most \(t_s\) parties are corrupted in an execution of \(\varPi _{{\mathsf {SBC}}}^{t_a, t_s}\left( \varPi _{{\mathsf {SBA}}}^{t_a, t_s}\right) \) over a synchronous network.

[validity] If the sender \(P^*\) is honest, they send \((v^*, \mathsf {Sgn} (v^*, \texttt {pk}^*))\) to all parties in round 1. Synchrony of the network guarantees these messages are delivered within the round, so that each honest party \(P_j\) sets \(\mathsf {received-input} _j :=1\) and \(b_j := v^*\) in round 1. By \(t_s\)-validity of \(\varPi _{\mathsf {SBA}}^{t_a, t_s}\), each honest party sets \(\mathsf {received-input} _j := \varPi _{\mathsf {SBA}}^{t_a, t_s}( \mathsf {received-input} _j = 1) = 1\) and \(b_j := \varPi _{\mathsf {SBA}}^{t_a, t_s}(b_j = v^*) = v^*\) in round \(3+s\), and outputs \(b_j = v^*\) from \(\varPi _{{\mathsf {SBC}}}^{t_a, t_s}\left( \varPi _{{\mathsf {SBA}}}^{t_a, t_s}\right) \). This proves \(t_s\)-validity.

[consistency] Assume an honest party \(P_j\) outputs \(v \ne \top \). This means that \(\mathsf {received-input} _j\) equals 1 in round \(3+s\). Then, \(t_s\)-consistency of \(\varPi _{{\mathsf {SBA}}}^{t_a, t_s}\) guarantees \(\mathsf {received-input} _i = 1\) in round \(3+s\) for each honest party \(P_i\). Furthermore, \(t_s\)-validity of \(\varPi _{{\mathsf {SBA}}}^{t_a, t_s}\) guarantees that at least one honest party \(P_k\) inputs \(\mathsf {received-input} _k =1\) to \(\varPi _{{\mathsf {SBA}}}^{t_a, t_s}\) in round 3 (otherwise all honest parties would have input 0 and would have output 0). This means party \(P_k\) received a validly signed message from the sender in round 1, and forwarded this message to all parties in round 2. Synchrony of the network then guarantees \(b_i \ne \top \) for each honest party \(P_i\) in round 3. Since each honest party provides a valid input, \(t_s\)-consistency of \(\varPi _{{\mathsf {SBA}}}^{t_a, t_s}\) guarantees that \(b_i = b_j = v\) in round \(3+s\) for each honest party \(P_i\), so that \(P_i\) outputs v from \(\varPi _{{\mathsf {SBC}}}^{t_a, t_s}\left( \varPi _{{\mathsf {SBA}}}^{t_a, t_s}\right) \). This proves \(t_s\)-consistency.

Assume that at most \(t_a\) parties are corrupted in an execution of protocol \(\varPi _{{\mathsf {SBC}}}^{t_a, t_s}\left( \varPi _{{\mathsf {SBA}}}^{t_a, t_s}\right) \) over an asynchronous network.

[weak validity] Assume the sender \(P^*\) is honest and has input \(v^*\). Up to (and including) round 3, an honest party \(P_j\) sets \(b_j :=v \ne \top \) only if they receive a message \((v, \sigma )\) such that \(\mathsf {Vfy} (v, \sigma , \texttt {pk}^*) =1\). Since corrupted parties cannot forge an honest sender's signature, \(b_j \in \{v^*, \top \}\) in round 3 for each honest party \(P_j\). Observe that, if \(b_j = \top \) in round 3, party \(P_j\) does not send a message whenever they are supposed to share their input in \(\varPi _{{\mathsf {SBA}}}^{t_a, t_s}\); this does not break \(t_a\)-weak validity of \(\varPi _{{\mathsf {SBA}}}^{t_a, t_s}\), since in an asynchronous network a message that is never sent is indistinguishable from one the adversary delays arbitrarily. Therefore, \(t_a\)-weak validity of \(\varPi _{{\mathsf {SBA}}}^{t_a, t_s}\) guarantees that \(b_j \in \{v^*, \top \}\) in round \(3+s\) for each honest party \(P_j\). In conclusion, each honest party \(P_j\) outputs either \(v^*\) or \(\top \) from \(\varPi _{{\mathsf {SBC}}}^{t_a, t_s}\left( \varPi _{{\mathsf {SBA}}}^{t_a, t_s}\right) \). This proves \(t_a\)-weak validity, and concludes the proof of the lemma.    \(\square \)

G Proof of Lemma 6

We sketch the proof. Assume at most \(t_s\) parties are corrupted and the network is synchronous. Then, \(t_s\)-security of \(\varPi _{\mathsf {HMPC}}^{t_s, t_a}\) guarantees that each party receives the same correct output from the computation of \(f_\mathsf {GRBL} \) in Step 1 (which takes into account the input of all honest parties). Therefore, each honest party encrypts their (authenticated) shares of each gate of \(\mathsf {circ} _g\) and sends the resulting ciphertexts to all parties. Synchrony of the network guarantees that each honest party receives at least \(n - t_s > t_s\) valid (i.e. such that the information checking protocol succeeds) and consistent shares for each gate within one extra round. Since dishonest parties cannot forge authentication vectors, even a rushing adversary cannot compromise the reconstruction of the function table entries. Together with the masked inputs and the corresponding keys for each input wire, as well as the masks for the accessible output wires, the (only) reconstructed function table entry for each gate allows each honest party \(P_j\) to evaluate the garbled version of \(\mathsf {circ} _g\) locally and recover the output. In particular, each honest party terminates.

Now assume at most \(t_a\) parties are corrupted and the network is asynchronous. Then, \(t_a\)-security of protocol \(\varPi _{\mathsf {HMPC}}^{t_s, t_a}\left( {\mathsf {circ}}_{f_{\mathsf {GRBL}}}; {\mathsf {circ}}_g; b_j\right) \) guarantees that each honest party receives the same output (taking into account the inputs of at least \(n-t_s\) honest parties) from the computation of \(f_\mathsf {GRBL} \) in Step 1. Notice that if \(\phi _j = 0\) (i.e. if \(P_j\) has not yet sent their encrypted shares), then party \(P_j\) does not terminate. Eventual delivery then guarantees that each honest party receives at least \(n-t_a \ge n - t_s \ge t_s+1\) valid and consistent encrypted shares of each function table entry of \(\mathsf {circ} _g\). Since dishonest parties cannot forge authentication vectors, each set of \(t_s+1\) valid shares identifies the same secret. Together with the masked inputs and the corresponding keys for each input wire, as well as the masks for the accessible output wires, the (only) reconstructed function table entry for each gate allows each honest party \(P_j\) to evaluate the garbled version of \(\mathsf {circ} _g\) locally and recover the output. In particular, each honest party terminates.


Copyright information

© 2021 International Association for Cryptologic Research

About this paper


Cite this paper

Deligios, G., Hirt, M., Liu-Zhang, CD. (2021). Round-Efficient Byzantine Agreement and Multi-party Computation with Asynchronous Fallback. In: Nissim, K., Waters, B. (eds) Theory of Cryptography. TCC 2021. Lecture Notes in Computer Science(), vol 13042. Springer, Cham. https://doi.org/10.1007/978-3-030-90459-3_21

  • DOI: https://doi.org/10.1007/978-3-030-90459-3_21

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-90458-6

  • Online ISBN: 978-3-030-90459-3
