Security in Asynchronous Interactive Systems
Ivan Geffner, Joseph Y. Halpern

TL;DR
This paper extends secure computation techniques to asynchronous interactive systems, ensuring bidirectional simulation of protocols with optimal security conditions, even under adversarial scheduling influences.
Contribution
It introduces a novel secure simulation construction for asynchronous systems that guarantees bidirectional output consistency, achieving optimal security bounds.
Findings
Construction secure if n > 4t, the best possible bound.
Satisfies additional security properties for 3t < n ≤ 4t.
Addresses challenges posed by asynchronous scheduler influence.
Abstract
Secure function computation has been thoroughly studied and optimized in the past decades. We extend techniques used for secure computation to simulate arbitrary protocols involving a mediator. The key feature of our notion of simulation is that it is bidirectional: not only does the simulation produce only outputs that could happen in the original protocol, but the simulation produces all such outputs. In a synchronous system, it can be shown that this requirement can already be achieved by the standard notion of secure computation. However, in an asynchronous system, new subtleties arise because the scheduler can influence the output. We provide a construction that is secure if , where is the number of malicious agents, which is provably the best possible. We also show that our construction satisfies additional security properties even if .
Taxonomy
Topics: Cryptography and Data Security · Complexity and Algorithms in Graphs · Distributed systems and fault tolerance
Security in Asynchronous Interactive Systems
Ivan Geffner
Cornell University Supported in part by NSF grant IIS-1703846.
Joseph Y. Halpern
Cornell University Supported in part by NSF grants IIS-1703846 and IIS-1718108, ARO grant W911NF-17-1-0592, and a grant from Open Philanthropy.
1 Introduction
In a distributed system, agents often want to be able to carry out a computation without revealing any private information. There has been a great deal of work showing how and to what extent this can be done. We briefly review the most relevant work here.
Ben-Or, Goldwasser and Wigderson [?] (BGW from now on) showed that, if , then every function of inputs can be securely computed by agents in a synchronous system with private communication channels, where “securely computed” means that no coalition of at most malicious agents can either (a) prevent the honest agents from correctly computing the output of given their inputs (assuming some fixed inputs for malicious agents who do not provide inputs) or (b) learn anything about the inputs of the honest agents (beyond what can be concluded from the output of ). The notion of an agent “not learning anything” is formalized by comparing what happens in the actual computation to what could have happened had there been a trusted third party (which we here call a mediator) who will calculate after being given the input by agent , for . Then, roughly speaking, the malicious agents do not learn anything if the distribution of outputs in the actual computation could have also resulted in the computation with a mediator if the malicious agents had given the appropriate input to the mediator.
Ben-Or, Canetti and Goldreich [?] (BCG from now on) proved analogous results in the asynchronous case. Asynchrony raises new subtleties. For example, agent cannot tell if the fact that he has received no messages from another agent (which means that cannot use ’s input in computing ) is due to the fact that is malicious or that its messages have not yet arrived. Roughly speaking, when defining secure function computation in an asynchronous setting, BCG require that for every scheduler and set of malicious agents, no matter what the agents in do, the resulting distribution over outputs could have also resulted in the computation with a mediator if the malicious agents had given the appropriate input to the mediator.
BCG show that, in asynchronous systems, if , the malicious agents cannot prevent the honest agents from correctly computing the output of given their inputs, nor can the malicious agents learn anything about the inputs of the honest agents. Ben-Or, Kelmer and Rabin [?] (BKR from now on) then showed if we are willing to tolerate a small probability that the agents do not correctly compute or that the malicious agents learn something, then we can achieve this if . BCG and BKR also prove matching lower bounds for their results, showing that we really need to have (resp., ).
We can view secure function computation as a one-round interaction with a trusted mediator: each agent sends its input to the mediator, the mediator waits until it receives enough inputs, applies to these inputs (again, replacing missing inputs with a default value), and sends the output back to the agents, who then output it. We generalize BCG and BKR’s results for function computation to a more general setting. Specifically, we want to simulate arbitrary interactions with a mediator, not just function computation. Also, unlike previous approaches, we want the simulation to be “bidirectional”: the set of possible output distributions that arise with the mediator must be the same as those that arise without the mediator, even in the presence of malicious parties. More precisely, we show that, given a protocol for agents and a protocol for a mediator, we can construct a protocol such that for all sets of fewer than malicious agents, the following properties hold:
- (a)
For all protocols for the malicious agents and all schedulers in the setting without the mediator, there exists a protocol for the agents in and a scheduler in the setting with the mediator such that, for all input profiles , the output distribution in the computation with , , and with input is the same as the output distribution with , , and with input .
- (b)
For all protocols for the malicious agents and all schedulers in the setting with the mediator, there exists a protocol for the agents in and a scheduler in the setting without a mediator such that, for all input profiles , the output distribution in the computation with , , and with input is the same as the output distribution with , , and with input .
This result implies that arbitrary distributed protocols that work in the presence of a trusted mediator can be compiled to protocols that work without a mediator, as long as there are fewer than malicious agents. And, just as with BKR, if we allow a probability of error, we can get this result while tolerating up to malicious agents. BCG proved the analogue of (a) for secure function computation, which is enough for security purposes: if there is any bad behavior in the protocol without the mediator, this bad behavior must already exist in the protocol with the mediator. However, (b) also seems like a natural requirement; if a protocol satisfies this property, then all behaviors in the protocol with the mediator also occur in the protocol without the mediator.
Clearly, the results of BCG and BKR are special cases of our result.
However, in general, our results do not follow from those of BCG/BKR, as is shown in Section 3.3. Specifically, the results of BCG/BKR do not give us property (b), since the outcome can depend on the behavior of the scheduler. For example, consider a protocol for two agents and a mediator in which each agent sends its input to the mediator, the mediator sends to each agent the first message it receives, and each agent outputs whatever it receives from the mediator. Let be the scheduler that delivers the message from agent first, for . It is easy to check that if the agents have inputs and , respectively, and play with mediator , then they both output , while if they play with , then they both output . This means that, unlike secure function computation, even if all the agents are honest, the distribution over the agents’ outputs can depend on the scheduler’s protocol, not just the agents’ inputs.
Even though our results do not follow from those of BCG/BKR, our proofs very much follow the lines of those of BCG/BKR. However, there are some new subtleties that arise in our setting.
In particular, as the example above shows, when we try to implement the setting with the mediator, the agents must somehow keep track of the scheduler’s possible behaviors. Doing this adds nontrivial complexity to our argument.
Besides the main result, we also show that our protocol without the mediator has two additional security properties, which may be of independent interest. Specifically, we show that the following two properties hold for coalitions of malicious agents of size at most .
- (P1)
The only way malicious agents can disrupt the computation is by preventing honest agents from terminating; if an honest agent terminates, then its output is correct.
- (P2)
If or more honest agents terminate, then all honest agents terminate. That is, either all the honest agents terminate or a nontrivial number of honest agents (more than ) do not terminate.
If we allow an probability of error, we get analogous results if we have rather than . We remark that these two properties are in fact also satisfied by BCG’s and BKR’s implementations, but they do not prove this (or even state the properties explicitly).
Our interest in these properties stems in part from a game-theoretic variant of the problem that we consider a companion paper [Abraham, Dolev, Geffner, and Halpern 2019] where agents get utility for various outcomes, and, in addition to honest and malicious agents, there are rational agents, who will deviate from a protocol if (and only if) it is to their benefit to do so. We also assume that honest agents can leave “wills”, so that if sufficiently many honest agents do not terminate, the remaining agents will be punished. The second property above guarantees that either all the honest agents terminate, or sufficiently many of them do not terminate to guarantee that rational agents will not try to prevent honest agents from terminating (due to the threat of punishment). The first property above guarantees that if all the honest agents terminate, their output will be correct. Thus, using these results allows us to obtain results stronger than those of this paper in the game-theoretic setting.
The focus of this paper is on upper bounds. Since our algorithms have the same upper bounds as those of BCG and BKR, despite the results of BCG and BKR being special cases of our results, and BCG and BKR prove lower bounds that match their upper bounds on the number of malicious agents that can be tolerated, we immediately get lower bounds that match our upper bounds from the results of BCG and BKR.
2 The Model
The model used throughout this paper is that of an asynchronous network in which every pair of agents can communicate through a private and reliable communication channel. For most of our results, we assume that all messages sent through any of these channels are eventually received, but they can be delayed arbitrarily. The order in which these messages are received is determined by the environment (also called the scheduler). The scheduler also chooses the order in which the agents are scheduled. For some of the results of this paper, we drop the condition that all messages must be eventually delivered. We call these more general schedulers relaxed schedulers.
Whenever an agent is scheduled, it reads all the messages that it has received since the last time it was scheduled, sends a (possibly empty) sequence of messages, and then performs some internal actions. We assume that the scheduler does not deliver any message or schedule other agents during an agent’s turn. Thus, although agent does not send all its messages simultaneously when it is scheduled, they are sent atomically, in the sense that no other agent is scheduled while is scheduled, nor are any messages delivered while is scheduled. Note that the atomicity assumption is really a constraint on the scheduler’s protocol.
More precisely, consider the following types of events:
- : Agent gets scheduled.
- : Agent sends a message to agent .
- : Message sent by is received by . The message must be one sent at an earlier time to that was not already received.
- : Agent locally computes value .
- : Agent outputs string .
- : is done sending messages and performing computations (for now).
For simplicity, we assume that agents can output only strings in . Note that all countable sets can be encoded by such strings, and thus we can freely talk about players being able to output any element of any countable set (for instance, elements of a finite field ) by assuming that they are actually outputting an encoding of these elements. We also assume that at most one event occurs at each time step. Let denote a global history up to time : a sequence that starts with an input profile , followed by the ordered sequence of events that have occurred up to and including time . We assume that the only events between events of the form and are ones of the form and . This captures our atomicity assumption. We do not include explicit events that correspond to reading messages. (Nothing would change if we included them; they would simply clutter the notation.) Message delivery (which is assumed to be under the control of the scheduler) occurs at times between when agents are scheduled. We can also consider the subsequence involving agent , namely, ’s initial state, followed by events of the form , , , , and . This subsequence is called ’s local history. We drop the argument if can be deduced from context or if it is not relevant (for instance, when we consider the local history of an agent after a particular event).
Agent moves only after a event. What it does (in particular, the order in which sends messages) is determined by ’s protocol, which is a function of ’s local history. The scheduler moves after an action of the form or . It is convenient to assume that the scheduler is also running a protocol, which is also a function of its local history. Since the scheduler does not see the contents of messages, we can take its history to be identical to , except that the messages are removed, although we do track the index of the messages delivered; that is, we replace events of the form and by and , where is the index of the message sent by to in . For instance, means that the second message sent by to was delivered to . Note that the scheduler does see events of the form ; indeed, these are signals to the scheduler that it can move, since ’s turn is over. Since we view the agents (and the mediator) as sending messages atomically, in the sequel, we talk about an agent’s (or the mediator’s) turn. An agent’s th turn takes place the th time it is scheduled. During its turn, the agent sends a block of messages and performs some local computation.
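The following is an added example, not code from the paper: a small simulator of the event model just described (scheduling, atomic turns, message delivery chosen by a scheduler that sees message indices but never contents), run on the two-agent forwarding mediator from the introduction. The class and function names, and the scheduler `first_from`, are this example's own; it shows that with all agents honest the outputs still depend on which agent's message the scheduler delivers first.

```python
# Constructed example (not the paper's code): the Section 2 event model applied to
# the two-agent forwarding mediator of the introduction. Names are this example's own.

class Node:
    def __init__(self, name):
        self.name = name
        self.inbox = []      # (sender, msg) pairs delivered since the last turn
        self.output = None

class Agent(Node):
    """Honest agent: sends its input to the mediator once, outputs whatever comes back."""
    def __init__(self, name, x):
        super().__init__(name)
        self.x = x
        self.sent = False
    def turn(self, sys):
        received, self.inbox = self.inbox, []   # read everything at once
        if not self.sent:
            self.sent = True
            sys.send(self.name, "m", self.x)
        for _, msg in received:
            if self.output is None:
                self.output = msg

class Forwarder(Node):
    """Mediator: forwards the first message it receives to every agent, then stays silent."""
    def __init__(self):
        super().__init__("m")
        self.forwarded = False
    def turn(self, sys):
        received, self.inbox = self.inbox, []
        if received and not self.forwarded:
            self.forwarded = True
            _, first = received[0]
            for a in sys.agents:
                sys.send(self.name, a, first)

class System:
    def __init__(self, agents, mediator, scheduler):
        self.agents = [a.name for a in agents]
        self.nodes = {a.name: a for a in agents}
        self.nodes[mediator.name] = mediator
        self.scheduler = scheduler
        self.in_transit = []    # (sender, receiver, index, msg): sent, not yet delivered
        self.counts = {}        # (sender, receiver) -> number of messages sent so far
        self.history = []       # the scheduler's view: events with indices, no contents

    def send(self, i, j, msg):
        k = self.counts[(i, j)] = self.counts.get((i, j), 0) + 1
        self.in_transit.append((i, j, k, msg))
        self.history.append(("send", i, j, k))

    def run(self, max_steps=1000):
        for _ in range(max_steps):
            choice = self.scheduler(self.history, list(self.nodes), [t[:3] for t in self.in_transit])
            if choice is None:
                break
            kind, arg = choice
            if kind == "schedule":       # atomic turn: no deliveries in between
                self.history.append(("sched", arg))
                self.nodes[arg].turn(self)
                self.history.append(("done", arg))
            else:                        # deliver one specific in-transit message
                pos = next(p for p, t in enumerate(self.in_transit) if t[:3] == arg)
                i, j, k, msg = self.in_transit.pop(pos)
                self.nodes[j].inbox.append((i, msg))
                self.history.append(("recv", i, j, k))
        return {a: self.nodes[a].output for a in self.agents}

def first_from(pref):
    """Scheduler protocol: let every node take a first turn, then deliver messages
    sent by `pref` before any others, then schedule nodes that have unread mail.
    Decisions use only the index-only history, never message contents."""
    def sched(history, nodes, in_transit):
        for node in nodes:
            if not any(e[0] == "sched" and e[1] == node for e in history):
                return ("schedule", node)
        if in_transit:
            preferred = [t for t in in_transit if t[0] == pref]
            return ("deliver", (preferred or in_transit)[0])
        for node in nodes:
            last_done = max((p for p, e in enumerate(history) if e == ("done", node)), default=-1)
            if any(e[0] == "recv" and e[2] == node for e in history[last_done + 1:]):
                return ("schedule", node)
        return None
    return sched

def outputs_under(pref, x1, x2):
    """Outputs of both honest agents when the scheduler favours agent `pref`'s message."""
    agents = [Agent("1", x1), Agent("2", x2)]
    return System(agents, Forwarder(), first_from(pref)).run()
```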
It is more standard in the literature to assume that agents perform at most one action when they are scheduled. We can view this as a constraint on agents’ protocols. A single-action protocol for agent is one where agent sends at most one message before performing the action. As we show in Section 3.7, we could have restricted to single-action protocols with no loss of generality as far as our results go; allowing agents to perform a sequence of actions atomically just makes the exposition easier.
Even though it might appear that malicious agents and the scheduler act independently, we show in our companion paper [Abraham, Dolev, Geffner, and Halpern 2019, Section A.1] that we can assume without loss of generality that they coordinate their actions (i.e., that they are all under the control of a single entity, which we take here to be the scheduler).
Definition 1.
*An adversary is a triple , consisting of a set of malicious agents, the protocol used by the agents in , and a protocol for the scheduler. An adversary where the scheduler is relaxed is a relaxed adversary.*
In this paper, we consider protocols that involve a mediator, typically denoted , using a protocol denoted . In protocols that involve a mediator, we assume that honest agents’ strategies are always such that the honest agents communicate only with the mediator, not with each other. However, since malicious agents can deviate, they can communicate with each other. As far as the scheduler is concerned, the mediator is like any other agent, so the scheduler (and the mediator’s protocol) determine when the mediator sends and receives messages. However, the mediator is never malicious, and thus never deviates from its announced protocol.
We deal only with bounded protocols, where there is a bound on the number of messages that an honest agent sends. Of course, there is nothing to prevent malicious agents from spamming the mediator and sending an arbitrary number of messages. We assume that the mediator reads at most messages from each agent , ignoring any further messages sent by .
For our results involving termination, specifically, (P2), it is critical that players know when the mediator stops sending messages. For these results, we restrict the honest agents and the mediator to using protocols that have the following canonical form:
Using a canonical protocol, each honest agent tags its th message with label and all honest agents are guaranteed to send at most messages regardless of their inputs or the random bits they use. Whenever the mediator receives a message from an agent , it checks its tag ; if or if the mediator has already received a message from with tag , it ignores the message. The mediator is guaranteed to eventually terminate. Whenever this happens, it sends a special “STOP” message to all agents and halts. Whenever an honest agent receives a “STOP” message, it terminates.
Even though canonical protocols have a bound on the number of messages that honest agents and the mediator can send, the mediator’s local history in a canonical protocol can be arbitrarily long, since it can be scheduled an arbitrary number of times. We conjecture that, in general, since the message space is finite, the expected number of messages required to simulate the mediator is unbounded. However, we can do better if the mediator’s protocol satisfies two additional properties. Roughly speaking, the first property says that the mediator can send messages only either at its first turn or in response to an agent’s message; the second property says that the mediator ignores empty turns, that is, turns where it does not receive or send messages. Thus, the second property implies that the mediator cannot send a message after receiving a message that describes how many empty turns there have been since the last time the mediator sent a message. More precisely, the first property says that whenever the mediator is scheduled with history , then if (i.e., if is not the initial history) or if the mediator has not received any messages in since the last time it was scheduled, then . The second property says that , where is the result of removing consecutive (, ) pairs in (e.g., if , then ).
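An added example (not the paper's code) of the canonical form just described and of the empty-turn trimming used by the second responsiveness property: a mediator that reads at most b_i messages from agent i, ignores tags outside 1..b_i and repeated tags, and sends STOP to everyone when it terminates, together with the honest agent's tagging and STOP handling. The class names are this example's own, and the pair (sched_m, done_m) is assumed to be the shape of an empty mediator turn in the history.

```python
# Constructed example (not the paper's code): canonical-form mediator and agent,
# plus h^- computed by removing adjacent empty mediator turns. Names are this
# example's own; (sched, done) as the shape of an empty turn is an assumption.

class CanonicalMediator:
    def __init__(self, bounds):
        self.bounds = dict(bounds)                    # b_i: read at most b_i messages from i
        self.seen = {i: set() for i in self.bounds}   # tags already accepted, per sender
        self.accepted = []                            # (sender, tag, payload), in order read
        self.halted = False
        self.outbox = []                              # (recipient, message) sent by the mediator

    def receive(self, sender, tag, payload):
        """Canonical rule: read the message only if the sender is known, tag k is in
        1..b_i and no earlier message from this sender carried tag k; else ignore it."""
        if self.halted or sender not in self.seen:
            return False
        if not (1 <= tag <= self.bounds[sender]) or tag in self.seen[sender]:
            return False
        self.seen[sender].add(tag)
        self.accepted.append((sender, tag, payload))
        return True

    def halt(self):
        """Termination: a STOP message to every agent, after which nothing is read."""
        self.halted = True
        self.outbox.extend((a, "STOP") for a in self.bounds)

class CanonicalAgent:
    """Honest side: at most b messages, the k-th tagged with k; terminates on STOP."""
    def __init__(self, name, b):
        self.name, self.b, self.k, self.terminated = name, b, 0, False
    def next_message(self, payload):
        if self.k >= self.b:
            raise RuntimeError("canonical protocol bound exceeded")
        self.k += 1
        return (self.name, self.k, payload)
    def deliver(self, message):
        if message == "STOP":
            self.terminated = True

def trim_empty_turns(history, mediator="m"):
    """h^-: drop every adjacent (sched_m, done_m) pair, i.e. a mediator turn in which
    it neither received nor sent anything. Non-empty turns keep their events."""
    out = []
    for e in history:
        if out and out[-1] == ("sched", mediator) and e == ("done", mediator):
            out.pop()
        else:
            out.append(e)
    return out

# Constructed history: two empty turns around a delivery, then a turn that sends.
SAMPLE_HISTORY = [("sched", "m"), ("done", "m"), ("recv", 1, "m", 1), ("sched", "m"),
                  ("done", "m"), ("sched", "m"), ("send", "m", 1, 1), ("done", "m")]

def demo():
    """Feed a constructed message stream (with a replay, a bad tag, an over-bound tag
    and an unknown sender) to the mediator, then halt it and try a late message."""
    med = CanonicalMediator({1: 2, 2: 2})
    a1, a2 = CanonicalAgent(1, 2), CanonicalAgent(2, 2)
    stream = [a1.next_message("x"), (1, 1, "replay"), (2, 3, "bad tag"),
              a1.next_message("y"), a2.next_message("z"), (1, 3, "over bound"), (3, 1, "unknown")]
    read = [med.receive(*m) for m in stream]
    med.halt()
    for a in (a1, a2):
        for recipient, msg in med.outbox:
            if recipient == a.name:
                a.deliver(msg)
    late = med.receive(2, 2, "after STOP")   # ignored: the mediator has halted
    return read, [s for s, _, _ in med.accepted], a1.terminated and a2.terminated, late
```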
In Section 4.4, we show that if the mediator uses a responsive protocol that can be represented using a circuit with gates, then we can simulate any protocol in such a way that the expected number of messages sent by honest players during the simulation is polynomial in and and linear in .
3 Secure Computation in Interactive Settings
3.1 The BGW/BCG notion of secure computation
Secure computation is concerned with jointly computing a function on variables, where the th input is known only to agent . For instance, if we want to compute the average salary of the people from the state of New York, then would be New York’s population, the input is ’s salary, and . (For the denominator we count only people who are actually working.) Ideally, a secure computation protocol that computes would be a protocol in which each agent outputs and gains no information about the inputs for . In our example, this amounts to not learning other people’s salaries.
Typically, we are interested in performing secure computation in a setting where some of the agents might be malicious and not follow the protocol. In particular, they might not give any information about their input or might just pretend that they have a different input (for instance, they can lie about their salary). What output do we want the secure computation of to produce in this case? To make precise what we want, we use notation introduced by BGW and BCG.
Let be a vector of components; let be a subset of (where we use the notation to denote the set , as is standard); let denote the vector obtained by projecting onto the indices of ; and if is a vector of length , let denote the vector obtained by replacing the entries of indexed by with . Given a set of indices, a default value, which we take here to be 0, and a function , we take to be the function that results from applying , but taking the inputs of the agents not in to be 0; that is, . Roughly speaking, if only the agents in provide inputs, we want the output of the secure computation to be .
What about agents who lie about their inputs? A malicious agent who lies about his input and pretends to have some other input is indistinguishable from an honest agent who has as his actual input. We can capture this lie using a function , where is the domain of the inputs and is the set of malicious agents. The function encodes the inputs malicious agents pretend to have given their actual inputs. BCG require that all the honest agents output the same value and that the output has the form , where . They allow to depend on , since malicious agents can influence the choice of . They also allow the choice of and the function to be randomized. Since the choice of and can be correlated, and are assumed to take as input a common random value , where denotes the domain of random inputs. That is, for some function , and the malicious agents with actual input pretend that their input is .
BCG place no requirements on the output of malicious agents, but they do want the inputs of honest agents to remain as secret as possible. Hence, in an ideal scenario, the outputs of malicious agents can depend only on , , and possibly some randomization. Taking to denote the output function of a malicious agent , we can now give BCG’s definitions.
Definition 2.
An ideal -adversary is a tuple consisting of a set of malicious agents with and three randomized functions with for all input profiles and , and . The ideal output of given function , input profile , and a value is
[TABLE]
Let denote the distribution induced over outputs by the protocol profile on input given the ideal -adversary . Note that an ideal -adversary is somewhat different from the adversary as defined in Definition 1, although they are related, as we show in Section 3.3. We use variants of to denote both types of adversary.
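An added example (not from the paper) working the notation of Section 3.1 and the ideal output of Definition 2 on the average-salary function used earlier in the section: projection, replacement, the default-0 function f^C, and an ideal adversary (C, h, O) in which the malicious agent lies about its salary and drops an honest agent from C. Function names and the sample salaries are this example's own; the cardinality condition the definition places on C is not enforced here.

```python
# Constructed example (not the paper's code): BCG notation and ideal-model output
# for the average-salary function. Names and sample values are this example's own.

from fractions import Fraction

def project(x, C):
    """x_C: the entries of x indexed by the set C (returned as index -> value)."""
    return {i: x[i] for i in sorted(C)}

def replace(x, C, y):
    """x|_C y: x with the entries indexed by C replaced by the corresponding entries of y."""
    out = list(x)
    for i in C:
        out[i] = y[i]
    return out

def restricted(f, C, default=0):
    """f^C: f applied after setting the inputs of agents outside C to the default value."""
    def fC(x):
        return f([v if i in C else default for i, v in enumerate(x)])
    return fC

def average_salary(x):
    """The section's example: average salary over the agents who are actually working
    (salary > 0). With default 0, an agent dropped from C simply leaves the average."""
    working = [v for v in x if v > 0]
    return Fraction(sum(working), len(working)) if working else Fraction(0)

def ideal_output(f, x, T, C, h, O, r):
    """Ideal model: every honest agent outputs f^C(x|_T h(x_T, r)); malicious agent i
    outputs O(i, x_T, r, honest output). C and h see only (x_T, r), so what the
    malicious agents do cannot depend on the honest agents' inputs."""
    xT = project(x, T)
    chosen = C(xT, r)
    pretended = replace(x, T, h(xT, r))
    honest_out = restricted(f, chosen)(pretended)
    return [O(i, xT, r, honest_out) if i in T else honest_out for i in range(len(x))]

def demo():
    """Constructed run: four agents, agent 2 not working, agent 3 malicious."""
    x = [50, 70, 0, 80]
    T = {3}
    C = lambda xT, r: {0, 2, 3} if r == 1 else {0, 1, 2, 3}   # may drop honest agent 1
    h = lambda xT, r: {3: 40}                                  # pretends to earn 40
    O = lambda i, xT, r, out: (out, xT[i])                     # any function of x_T, r, output
    return ideal_output(average_salary, x, T, C, h, O, r=1)
```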
We can now give the BCG definition of secure computation. Let be the distribution of outputs when running protocol on input with adversary .
Definition 3 (Secure computation).
Let be a function on variables and a protocol for agents. Protocol -securely computes if, for every adversary , the following properties hold:
- SC1. *For all input profiles , all honest agents terminate with probability 1.*
- SC2. There exists an ideal -adversary such that, for all input profiles , and are identically distributed.
Note that BCG just require that some ideal -adversary gives the same distribution over the outputs of . This captures the idea that all ways that malicious agents can deviate are modeled by adversaries. Also note that SC1 follows from SC2 if we view non-termination as a special kind of output.
BCG prove the following result:
Theorem 1.
Given and such that and a function , there exists a protocol that -securely computes .
The construction of , which is sketched in the next section, is of critical importance for this paper, since most of the primitives used in this construction are also used in ours.
3.2 The BCG construction
To explain the BCG construction, we must first review the tools used by BCG, specifically, broadcast, consensus, verifiable secret sharing (VSS), circuit computation, accumulative sets, agreement on a core set, and random polynomial generation. (Accumulative sets and agreement on a core set were introduced by BCG; the other tools are older.)
3.2.1 Broadcast
A broadcast protocol involves a sender who sends a message to all agents in such a way that all honest agents receive the same message. (Although we talk about “a broadcast protocol”, this is really a joint protocol, that is, a protocol for each agent. Given a joint protocol , we use to denote ’s part of the protocol. The sender’s protocol is different from those of the other agents. The sender has input , the message to be shared; the other agents have no input.) Moreover, if the sender is honest, the message received by an agent must be the message that the sender sent. More precisely, a broadcast protocol invoked by a sender with input must satisfy the following properties in all histories:
- If an honest agent terminates broadcast with output , then all honest agents eventually terminate broadcast with output .
- If the sender is honest, then all honest agents eventually terminate broadcast and output .
Bracha [?] provides a broadcast protocol that tolerates up to malicious agents in asynchronous systems if .
3.2.2 Consensus
In a consensus protocol, each agent starts with an initial preference and must output a value such that the following properties are satisfied in all histories:
- All honest agents terminate with probability 1.
- If one honest agent terminates and outputs , then all honest agents terminate and output .
- If all honest agents have the same initial value , then if an honest agent terminates the protocol, outputs .
Abraham, Dolev and Halpern [?] provide a consensus protocol that is -resilient in asynchronous systems if .
3.2.3 Verifiable secret sharing
In a verifiable secret sharing protocol, a sender starts out with some secret that it wants to share. VSS consists of a pair of protocols , commonly referred to as the sharing protocol and the reconstruction protocol, and a designated agent, the sender, such that the following properties hold:
- If the sender is honest, then every honest agent will eventually complete .
- If an honest agent completes , then all honest agents eventually complete and .
- The output of is called ’s share of the secret. There is a unique value such that if each honest agent runs with input ’s share of the secret, then all the honest agents will complete , and will output the same value , no matter what the malicious agents do.
- If the sender is honest, then (the sender’s secret).
- If the sender is honest and no honest agent has begun executing , then the malicious agents cannot guess with probability (where is the cardinality of the space of possible secrets).
With VSS, just as with the broadcast protocol, the sender’s protocol is different from that of the other agents; only the sender has the secret . Whenever a recipient receives a message from the sender, it invokes with input and outputs its share of the secret, which becomes the input to . Even though we require each agent to output the same value after running , a simple modification of allows a single agent to learn the secret, without any other agent getting any additional information: If we want only to learn the secret, all the agents send their shares to , and simulates the computation of locally. (This depends on the assumption that the only input to is ’s share of the secret, and that it suffices for to learn the shares of the honest agents in order to recover the secret.) However, no other agents learn anything about the secret (since all they have is their share of the secret).
BCG provide a VSS protocol in an asynchronous setting that is resilient as long as . BKR showed that if , then for all , there exists a -resilient protocol that achieves the VSS properties in asynchronous systems with probability at least . More precisely, their protocol has the property that if some honest agent terminates, then all honest agents terminate and all the properties above hold, and some honest agent terminates with probability at least .
3.2.4 Accumulative sets
Suppose that we have a global clock, initialized to 0. We do not assume that agents have access to the global clock. An accumulative set is a function from histories and global time to sets such that if . (Intuitively, consists of the elements of at time in history .)
Definition 4.
Given with , a tuple of accumulative subsets of (one for each agent) is -uniform in history if, for every agent that is honest in ,
- * for all times ;*
- there exists a time such that ;
- for all agents that are honest in , there exists a time such that for all .
To see how -uniform accumulative sets are used, suppose that each agent in a system of agents has a secret . The agents each invoke -resilient VSS concurrently in a system with malicious agents and , with agent acting as the sender with secret in its invocation of VSS. Let consist of those agents for which has terminated the sharing phase of the VSS initiated by by time in history . Clearly is an accumulative set. We claim that is -uniform. Clearly, for all times by construction. Since there are at most malicious agents in each history and the VSS scheme is -resilient, the properties of VSS guarantee that each honest agent will eventually complete the VSS initiated by each honest agent , which means is included in for some , and thus there must exist a time such that . Since is finite, there must come a time such that for all . Let . The properties of VSS guarantee that iff .
3.2.5 Agreement on a core set
An agreement on a core set (ACS) protocol is given as input natural numbers and . Each agent is also assumed to have access to an accumulative set . If the tuple is -uniform with respect to the histories of the ACS protocol, then the following properties must hold:
- All honest agents must eventually complete the ACS protocol.
- If an honest agent completes the protocol at time , then it outputs a set such that .
- If and are honest, then .
Thus, all honest agents running an ACS protocol must output the same set; this set is called the core set. We denote by agent ’s invocation of the ACS protocol with inputs and relative to accumulative set . Note that although the notation suggests that is the input to , the protocol may actually check several times while it is running, and may be different each time it is checked, since may be updated in parallel with .
BCG provide an ACS protocol that is -resilient in asynchronous systems if .
3.2.6 Circuit computation
Another key primitive that we use is circuit computation. Let be a VSS scheme, and let be a circuit with inputs consisting only of addition and multiplication gates. Suppose that each agent has shares of secrets respectively (where the secrets are computed using ). A circuit computation of (relative to ), denoted (we suppress the dependence on from now on) has the following properties. We assume that there is an input such that each agent has shares of . Agent ’s component of the protocol, denoted , is given the inputs and computes a single output , such that the following properties hold:
- •
is ’s share of (relative to ).
- •
After running with inputs (but before running the reconstruction protocol ), no malicious agent has any information about the shares of an honest agent , the values , or beyond what it had before running , even if all the malicious agents pool their information.
- •
Even after honest agents run , no malicious agent can guess the values of the shares of honest agents or the secrets any better than it could before running if it were given .
Simply put, a circuit computation protocol allows agents to compute their share of the output of an arithmetic circuit given their shares of the circuit’s inputs, without revealing any information.
Since it is well known that every function can be represented by a circuit for a prime (viewing the elements of as the first elements of ), if we can define a protocol for all arithmetic circuits, then we can define a protocol for all functions . This is especially important in the next section, where we use CC to compute functions whose inputs and outputs are local histories.
BCG provide an implementation of for all arithmetic circuits relative to the VSS protocol that they provide that is -resilient in asynchronous systems as long as ; given , BKR provide an implementation of for all arithmetic circuits relative to the VSS protocol that they provide that is -resilient in asynchronous systems and has at most an probability of error (i.e., there is a probability that agents remain in deadlock or the output of the computation will not be the appropriate share of the circuit’s output) as long as .
We can assume without loss of generality that CC can handle randomized functions. That is, if there is a protocol to securely compute every deterministic function , then there is a protocol to securely compute every randomized function . A randomized function can be viewed as a deterministic function once it is given sufficiently many random bits, that is, it can be identified with a deterministic function for sufficiently large. Using ACS, VSS, and (deterministic) CC, the agents can easily compute shares for random bits as follows.
1. Each agent chooses a random bit and shares it using VSS.
2. Using ACS, the agents agree on a common set consisting of at least agents who correctly shared a bit at step 1.
3. Set (where denotes sum mod 2).
4. Each agent computes its share of using CC.
If , then there are at least honest agents, so each honest agent will get shares from at least agents. Since the set of agents agreed on using ACS contains at least one honest agent, the bit must be truly random.
We can also assume without loss of generality that whenever an honest agent terminates a CC computation of some function , even in the presence of at most malicious agents, at least other honest agents have computed their share of . This can be ensured by having an honest agent send a Ready message to all agents when it finishes the computation of , and terminating the CC procedure when it receives Ready messages. If there are at most malicious agents and an agent receives Ready messages, then at least of them are from honest agents who genuinely computed their own share. This property will be critical later, since it guarantees that sufficiently many honest agents are running the protocol at roughly the same pace.
3.2.7 Construction of
Using the primitives sketched above, BCG gave a construction of . At the high level, the construction proceeds as follows: for :
1. Each agent shares its input using VSS.
2. Agents agree on a core set with using an ACS procedure with parameters and , where the accumulative set of agent is the set of agents such that has terminated the VSS invoked by at step 1.
3. Each agent computes its share of using CC, where ’s input for the th input gate is ’s share of if ; otherwise it is 0.
4. Each agent sends its share of to each other agent , then uses the shares received from other agents to reconstruct using VSS.
5. Each agent outputs .
3.3 Secure computation and mediators
Even though it is not explicitly proven by BCG, their construction of satisfies an additional property that we call SC3, which is essentially a converse of SC2.
SC3. For all ideal -adversaries , there exists an adversary such that, for all input profiles , and are identically distributed.
Lemma 1**.**
Given a function , protocol satisfies SC3.
Proof.
Suppose that is deterministic (i.e., , , and do not depend on the random string ). Given , let and (note that we have dropped the input to both functions since both are independent of ). Consider the protocol such that, if the agents in have input , consists of running with input , where , except that if was supposed to output (note that all outputs of honest agents are of this form, since the ideal output has this form, and securely computes ) it outputs instead.
Suppose that the scheduler delays messages to and from players in until all others players terminate, and that it delivers messages in such a way that all players in terminate all instances of VSS invoked by a player in before they receive any other messages. The properties of the ACS protocol guarantee that, in this case, the core set computed by honest players will be . It follows from the construction of that and are identically distributed. If is randomized, works the same way except that it chooses , , and by sampling from the same distribution that is sampled from. ∎
We next show how secure computation relates to simulating a mediator. Consider the following protocol for players and a mediator: Agents send their inputs to the mediator the first time that they are scheduled. The mediator waits until it has received a valid input from all agents in a subset of agents with . The mediator then computes and sends each agent the pair . When the agents receive a message from the mediator, they output that message and terminate.
Clearly satisfies SC1. It is easy to see that it also satisfies SC2: Given a set of malicious agents, a deterministic protocol profile for the malicious agents, and a deterministic scheduler , define to be whatever the malicious agents send to the mediator with input , let be the set of agents from whom the mediator has received a message the first time it is scheduled after having received a message from at least agents (given , , and input ), and let be the output function that malicious agents use in (note that they receive a single message with the output of the computation, so their output depends only on , , and ). Clearly SC2 holds with this choice of -ideal adversary. Randomized functions and can be viewed as resulting from sampling random bits according to some distribution and then running deterministically; the protocols , , and can sample from the same distribution and then proceed as above with respect to the deterministic and .
The protocol satisfies SC3 as well. Given , the definition of and is straightforward: the agents in choose a random input and then each agent sends to the mediator. The scheduler delivers all messages from the agents in first, and then schedules the mediator. It then delivers all the other messages.
Since both and satisfy SC2 and SC3, for all adversaries , there exists an adversary (resp., for all adversaries there exists an adversary ) such that and are identically distributed.
Unfortunately, given a protocol for the mediator, there might not exist a function such that SC2 and SC3 hold, as the example given in the introduction (where the mediator sends to the agents the first message it receives) shows. Since, in this example, the output of the agents is not a function of their input profile, there is no function for which SC2 and SC3 hold. Nevertheless, we are still interested in securely computing the output of the protocol with the mediator. That is, we are interested in getting analogues to SC2 and SC3 for arbitrary interactive protocols.
Definition 5**.**
*Protocol -bisimulates if the following two properties hold: *
- (a)
*For all adversaries with , there exists an adversary such that for all input profiles , and are identically distributed. *
- (b)
For all adversaries with , there exists an adversary such that all input profiles , and are identically distributed.
Note that the first clause is analogous to SC2, while the second clause is analogous to SC3. There is no clause analogous to SC1 since we allow agents not to terminate. In any case, since we can view non-termination as a special type of output (i.e., we can view an agent that does not terminate as outputting ), SC2 already guarantees that non-termination happens with the same probability in and . (In the setting of BGW, since all functions terminate, with this viewpoint, SC2 implies SC1, a point already made by Canetti [?].)
Our earlier discussion proves the following proposition:
Proposition 1**.**
* -bisimulates if .*
3.4 Beyond secure computation
We view -bisimulation as capturing the essence of secure computation, as defined by BCG (and others). However, there are two additional properties that we need for the results of our companion paper [Abraham, Dolev, Geffner, and Halpern 2019], which we believe are of independent interest. Both of them are in fact satisfied by , although BCG do not discuss them.
To understand the first property, note that Proposition 1 guarantees that -bisimulates if . What happens if is larger than this threshold? Although BCG make claims for their protocol only if , variants of some of the properties that they are interested in continue to hold even if . Specifically, for each adversary , there exists a relaxed adversary such that, for all input profiles , and are identically distributed. This means that if , then the only way that the adversary can affect is by preventing some agents from terminating. This motivates the following definition:
Definition 6**.**
A protocol -bisimulates if it -bisimulates but the schedulers and of the first and second clause of Definition 5 respectively may be relaxed for .
Proposition 2**.**
* -bisimulates if and .*
As we just observed, if , then some honest agents might not terminate. However, we can show that the BCG protocol has the property that if at least honest agents terminate, then all the remaining honest agents terminate. This observation motivates the following definition:
Definition 7**.**
*A protocol -coterminates if, for all adversaries with and all input profiles , in all histories of with adversary and input , either all the agents not in terminate or strictly fewer than agents not in do. *
Proposition 3**.**
* -coterminates.*
We do not prove Proposition 2 or 3 here, since we prove a generalization of them below (see Theorem 2).
3.5 Simulating arbitrary protocols
The goal of this paper is to show that we can securely implement any interaction with a mediator, and do so in a way that ensures the two properties discussed in Section 3.4. This is summarized in the following theorem:
Theorem 2**.**
For every protocol for agents and a mediator, there exists a protocol for agents such that
- (a)
*-bisimulates if and , *
- (b)
-coterminates if and is in canonical form.
Moreover, if is responsive, the expected number of messages sent in a history of is polynomial in and , and linear in , where is the expected number of messages sent when running and is the number of gates in an arithmetic circuit that implements the mediator’s protocol.
The construction of is given in Section 4.2 and, not surprisingly, uses many of the techniques used by BCG. And, like BKR, if we allow an probability of error we get stronger results. We define --bisimulation just like -bisimulation (Definition 5), except that, in both clauses, the distance between and is less than , where the distance between probability measures and on some finite space is defined as . The definitions of --bisimulation and --bisimulation are analogous. A protocol --coterminates if it -coterminates with probability .
Theorem 3**.**
For every protocol for agents and a mediator and all , there exists a protocol for agents such that
- (a)
-*-bisimulates if and , *
- (b)
--coterminates if and is in canonical form.
Moreover, if is responsive, can be implemented in such a way that the expected number of messages when running is polynomial in and , and linear in , where is the expected number of messages sent when running .
3.6 Adversaries in asynchronous systems
Even though throughout this paper we consider the scheduler and malicious players to be separate adversarial entities, we show next that they can coordinate. In particular, we show that malicious players and the scheduler can communicate even though the scheduler cannot send or receive messages.
To see that a malicious player can send information to the scheduler, it suffices to note that a player can encode any unary string by sending messages to itself. Since the scheduler knows the number of messages sent by each player and the recipient of each message, it can “receive” such messages. The scheduler can communicate with the malicious players by using the following scheme: Whenever a malicious player is scheduled, it just sends a message to itself and performs a action. The scheduler then delivers the message to and schedules again. This process is repeated until is scheduled before receiving the message it sent to itself. Agent can interpret the number of times that this process is repeated as the unary string .
Since the scheduler and the malicious players can coordinate by communicating in this fashion, this shows that without loss of generality we can view the adversary as a single entity that controls both the malicious parties and the scheduler simultaneously. We will assume such an adversary in the rest of the paper.
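As an added illustration (not code from the paper), the following Python simulation runs both channels described above under a minimal event model that is an assumption of the example: the scheduler either schedules an agent or delivers one pending message, it sees senders and recipients of messages but never payloads, and each agent sees only its own scheduled, send and receive events. The names `System`, `agent_to_scheduler` and `scheduler_to_agent` are the example's own.

```python
"""Simulation of the two covert channels of Section 3.6 between the asynchronous
scheduler and a malicious agent. Added example, not code from the paper. The
event model is an assumption of this example: the scheduler either schedules an
agent (which then runs its program once) or delivers one pending message; the
scheduler sees senders and recipients of messages but never payloads, and an
agent sees only its own scheduled/send/receive events."""
from collections import deque

MALICIOUS = 0  # the corrupted agent used for both channels (assumption)


class System:
    def __init__(self, n):
        self.pending = deque()                      # (sender, recipient, payload) in flight
        self.history = {i: [] for i in range(n)}   # each agent's local history
        self.sched_view = []                        # scheduler's view: ("send", from, to)

    def send(self, i, j, payload):
        self.pending.append((i, j, payload))
        self.history[i].append(("send", j, payload))
        self.sched_view.append(("send", i, j))      # the payload is NOT visible here

    def deliver(self, i):
        """Deliver the oldest pending message addressed to agent i, if any."""
        for k, (s, r, p) in enumerate(self.pending):
            if r == i:
                del self.pending[k]
                self.history[i].append(("recv", s, p))
                return True
        return False

    def schedule(self, i, program):
        self.history[i].append(("scheduled",))
        program(self, i)


def agent_to_scheduler(k, n=3):
    """Malicious agent -> scheduler: the agent encodes the unary string of length
    k by sending k messages to itself in one turn; the scheduler reads k off the
    send events it observes, without ever seeing a payload."""
    system = System(n)

    def program(system, i):
        for _ in range(k):
            system.send(i, i, "filler")

    system.schedule(MALICIOUS, program)
    return sum(1 for ev in system.sched_view if ev == ("send", MALICIOUS, MALICIOUS))


def scheduler_to_agent(k, n=3):
    """Scheduler -> malicious agent: each time the agent is scheduled it sends
    itself one message; the scheduler delivers it and reschedules the agent k
    times, then schedules the agent before delivery. The agent decodes k as the
    number of completed self-message round trips."""
    system = System(n)
    decoded = []

    def program(system, i):
        h = system.history[i]
        sent = sum(1 for e in h if e[0] == "send")
        received = sum(1 for e in h if e[0] == "recv")
        if sent > received:        # scheduled before the last self-message arrived: end of string
            decoded.append(received)
            return
        system.send(i, i, "ping")  # otherwise continue the handshake

    system.schedule(MALICIOUS, program)
    for _ in range(k):
        system.deliver(MALICIOUS)
        system.schedule(MALICIOUS, program)
    system.schedule(MALICIOUS, program)   # scheduled with the last ping still in flight
    return decoded[0]


if __name__ == "__main__":
    print(agent_to_scheduler(5), scheduler_to_agent(4))
```

Neither channel uses message contents: the first relies only on the scheduler seeing sender and recipient of every message, the second only on the scheduler's control over delivery order, which is why the paper can merge the scheduler and the malicious players into a single adversary without changing what the adversary can do.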
3.7 Other models
Before proving our main results, we discuss some of the choices made in our formal model and show that they are essentially made without loss of generality. We start by considering our assumption that agents perform a sequence of actions atomically when they are scheduled. We next show that we would get theorems equivalent to the ones that we are claiming if we had instead assumed that agents perform just a single action when they are scheduled. To prove this, we first need the following notion:
Definition 8**.**
A protocol is -message bounded if for all inputs and all histories, no player ever sends more than messages in a single turn. A protocol is message bounded if it is -message bounded for some .
Proposition 4**.**
There exists a function from message-bounded protocols to single-action protocols such that for all profiles , the following holds:
- (a)
*For all schedulers (resp., relaxed schedulers) there exists a scheduler (resp., relaxed scheduler) such that, for all input profiles ,
and are identically distributed, where we take and we view and , respectively, as the adversaries (i.e., we take ).*
- (b)
*For all schedulers (resp., relaxed schedulers) there exists a scheduler (resp., relaxed scheduler) such that, for all input profiles ,
and are identically distributed.*
The converse of Proposition 4 is trivial, since single-action strategies are strategies.
It follows from Proposition 4 that Theorem 2 holds even if we restrict agents to using single-action strategies.
Proof.
Intuitively, is identical to , except that rather than sending a sequence of messages when it is scheduled, sends the messages one at a time. The scheduler is then chosen to ensure that is scheduled so that it sends all of its messages as if they were sent atomically. In addition to keeping track of the messages it has sent and received, uses the variable whose value is a sequence of messages (intuitively, the ones that would have sent at this point in the simulation of that it has not yet sent), initially set to the empty sequence, and a binary variable , originally set to 1.
When is scheduled by , proceeds as follows: If , then sets to the sequence of messages that it would send with given its current history. (If randomizes, then does the same randomization.) If is the empty sequence (so would not send any messages at that point), performs the action , and outputs whatever it does with ; otherwise, sets to 0, sends the first message in to its intended recipient, and removes this message from . If , then if is empty, sets to 1, sends , and outputs whatever it does with ; otherwise, sends the first message in to its intended recipient and removes it from .
Since is message bounded, there exists an such that is -message bounded. For part (a), given , we construct so that it simulates , except that if schedules , schedules repeatedly until either it observes or until sends messages in consecutive turns. Since is -message bounded, it is clear that and are identically distributed. Note that it is necessary for to be -message bounded, since if the scheduler schedules each player repeatedly until it stops sending a message during its turn, a player that keeps sending messages would be scheduled indefinitely, and so would prevent other players from being scheduled.
For part (b), given , we construct so that it simulates . There is one issue that we have to deal with. Whereas with , an agent can send messages each time it is scheduled, with , it can send only one message when it is scheduled. The scheduler constructed from in part (a) scheduled repeatedly until it sent all the messages it did with . But we cannot assume that the scheduler that we are given for part (b) does this. Thus, must keep track of how many of the messages that each agent was supposed to send the last time it was scheduled by have been sent so far. To do this, uses variables , one for each agent , initially set to 0, such that keeps track of how many of the messages that agent sent with still need to be sent by . As we observed above, given a local history of the scheduler where the agents use and the scheduler uses , there is a corresponding local history of the scheduler where the agents use and the scheduler uses . If, given , schedules agent with probability , then with the same probability , proceeds as follows: if (which means that all the messages that sent the last time it was scheduled have been delivered in ), then schedules , sees how many messages delivers according , and sets to this number; if , then is decremented by 1 but no agent is scheduled. Again, it is clear that and are identically distributed.
∎
BCG put further constraints on the scheduler. Specifically, they assume that, except possibly for the first time that agent is scheduled, is scheduled immediately after receiving a message and only then. That is, in our terminology, BCG assume that a event must be followed by a event, and all events except possibly the first one occur after a event. We call the schedulers that satisfy this constraint BCG schedulers.
We now prove a result analogous to Proposition 4, from which it follows that we could have obtained our results using a BCG scheduler.
Proposition 5**.**
There exists a function from strategies to strategies such that for all strategies the following holds:
- (a)
*For all schedulers (resp., relaxed schedulers) there exists a BCG scheduler (resp., relaxed BCG scheduler) such that, for all input profiles ,
and are identically distributed.*
- (b)
*For all BCG schedulers (resp., relaxed schedulers) there exists a scheduler (resp., relaxed scheduler) such that, for all input profiles ,
and are identically distributed.*
Proof.
As in Proposition 4, the idea is that simulates , but since can schedule an agent only when it delivers a message, we have each agent send itself special messages, denoted , to ensure that there are always enough messages in the system. In more detail, works as follows. When it is first scheduled, agent sends itself a message. Since we are considering BCG schedulers, agent is scheduled subsequently only when it receives a message. If it receives a message other than , it does nothing (although the message is added to its history). If it receives a message, then it does whatever it would do with given its current history with the messages and the events not preceded by a message removed, and sends itself another message.
For part (a), given , first schedules each agent once (in some arbitrary order), to ensure that each of them has sent a message that is available to be delivered. Given a history , considers what would do in the history that results from by removing the initial event for each agent , the last message that each agent sends when it is scheduled if it sends a message at all, and the receipt of these messages. If is a history that results where the agents are running , then the send and receive events removed are precisely those that involve . If delivers a message with some probability, then delivers the corresponding message with the same probability; if schedules an agent with some probability, delivers the last that sent and schedules agent with the same probability. If there is no message to deliver, then does nothing, but our construction of guarantees that if is a history that results from running , then there will be such a message that can be delivered. Again, it is clear that and are identically distributed.
For part (b), given , the construction of is similar to that of Proposition 4. Again, given a local history of where the agents use , there is a corresponding history of where the agents use . If, given input , delivers a message with some probability and the message is not a message, then delivers the corresponding message with probability . If the message is a message, then also schedules agent . If schedules an agent with probability , and this is the first time that is scheduled, then schedules with probability and otherwise does nothing with probability . Yet again, it is straightforward to show that and are identically distributed. ∎
4 The Proof of Theorems 2 and 3
In this section, we prove Theorems 2 and 3. Since the proofs are rather complicated, we proceed in stages.
4.1 -uniform VSS and CC and determinate VSS
BCG’s implementation of VSS satisfies some additional properties that they do not make use of, but that we will need in our construction, so we outline them here.
Given a sequence of distinct honest agents, a sequence of values, and a secret , we say that is -realizable by a VSS (resp., CC) implementation if, for that implementation, there exists an agent such that the event that each agent computes as the output of ’s invocation of VSS with secret has nonzero probability. In other words, is -realizable if could be the output of the agents in running VSS with secret . is realizable if it is -realizable for some .
We say that is an -extension of if is a prefix of , is a prefix of and is -realizable. is a full -extension if is the set of all agents. Again, we say that is an extension of if it is an -extension of for some ; it is a full extension if, in addition, is the set of all agents. We omit the term in each of these definitions if it is clear from context which agent computed each of the shares in .
BCG’s implementation of VSS and CC guarantees that if is the share of an honest agent after running an invocation of VSS or CC, then there exists a polynomial of degree (where is a bound on the number of malicious agents) such that and is the secret shared through VSS or computed through CC. Moreover, this polynomial is uniformly sampled from the set of all polynomials of degree with . With BCG’s implementation of VSS and CC, a pair is realizable iff there exists a polynomial of degree such that for all .
With this notation, we can state the properties that we need for our VSS and CC implementation. A circuit that computes values in can be securely computed by agents if the inputs are shared using VSS, and the addition and multiplication gates are computed using CC. At the end of the computation, each agent has a share of the output. The first property that we require, to simplify our proof, is that for all sets of size at most , the output of such a circuit is uniformly distributed over :
Definition 9**.**
*An implementation of VSS and CC is -uniform if, for
all circuits with a single output gate, and all sets of honest agents with , the output of after securely computing is uniformly distributed over .*
We actually seem to need a somewhat stronger property than -uniformity: conditional -uniformity (i.e., -uniformity conditional on the outcome of earlier CC instances). In general, a -uniform implementation may not satisfy conditional -uniformity. For example, two empty circuits that take the shares of a single VSS instance as inputs produce identical outputs, which are the shares of the VSS. Fortunately, it is easy to convert a circuit to a circuit that computes the same secret, and also satisfies conditional -uniformity conditional on all other CC instances. Suppose for simplicity that has a single output gate. We construct by having each agent invoke a -uniform VSS with 0 as the secret. Agent then computes (using CC) the product of the secrets whose shares it receives, and adds its share of the product to the output of . Clearly the players will get the same value with and after they share their shares, no matter what the malicious players do. Also, since takes as inputs instances of VSS that are not used in any other circuit, the output of a subset with conditional on the output of all other CC instances is uniformly distributed over . Thus, if the implementation of VSS and CC is -uniform, we can assume without loss of generality that we are working with conditionally -uniform circuits.
We also require that the shares of a set of at least honest agents uniquely determine the secret.
Definition 10**.**
An implementation of VSS and CC is -determinate if
- (a)
* is -resilient;*
- (b)
* is -uniform if there are at most malicious agents; and*
- (c)
for all pairs with , if is realizable, then there exists a unique full extension of .
BCG’s implementation of VSS is -determinate: it is easy to check that it satisfies clauses (b) and (c) of the definition; BCG prove that it is -resilient. For all of our constructions, we assume that the secret-sharing scheme used is -determinate.
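The following Python script is an added example (not code from the paper or from BCG) that walks through steps 1 to 5 of the construction of Section 3.2.7 for a linear function and implements the realizability, full-extension and -uniformity checks of this section. It uses plain Shamir sharing over a prime field in place of BCG's VSS; the prime `P`, the agent numbering `1..n`, and the caller-supplied core set standing in for the ACS output are assumptions of the example, and neither the verification rounds of VSS nor the scheduler are simulated.

```python
"""Shamir sharing over a prime field as a stand-in for BCG's polynomial-based VSS,
used to walk through steps 1-5 of the construction in Section 3.2.7 for a linear
function and to implement the realizability, full-extension and t-uniformity
checks of Section 4.1. Added example, not code from the paper or from BCG; the
prime P, the agent numbering 1..n, and the core set handed in by the caller
(standing in for the ACS output) are assumptions of this example."""
import random

P = 2**61 - 1  # field size; assumption of this example (BCG use a large prime field)


def share(secret, n, t, rng=None):
    """VSS stand-in: agent i (1 <= i <= n) receives f(i) for a uniformly random
    polynomial f of degree t with f(0) = secret."""
    rng = rng or random.Random()
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    return {i: sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)}


def interpolate(points, x):
    """Lagrange interpolation: value at x of the unique polynomial of degree
    < len(points) through the given {i: f(i)} points."""
    total = 0
    for i, yi in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num = num * (x - j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def reconstruct(shares):
    """Reconstruction of the secret from any t+1 (or more, consistent) shares."""
    return interpolate(shares, 0)


def is_realizable(shares, t):
    """Section 4.1: (agents, shares) is realizable iff a single polynomial of
    degree at most t passes through every share."""
    ids = list(shares)
    if len(ids) <= t + 1:
        return True  # t+1 or fewer points always lie on some degree-t polynomial
    base = {i: shares[i] for i in ids[:t + 1]}
    return all(interpolate(base, i) == shares[i] for i in ids[t + 1:])


def full_extension(shares, n, t):
    """Definition 10(c): more than t consistent shares have a unique full
    extension, the degree-t polynomial they determine evaluated at 1..n."""
    if len(shares) <= t or not is_realizable(shares, t):
        raise ValueError("need more than t consistent shares")
    base = dict(list(shares.items())[:t + 1])
    return {i: interpolate(base, i) for i in range(1, n + 1)}


def extension_for_secret(shares, n, t, secret):
    """t-uniformity (Definition 9): t shares together with ANY candidate secret
    determine one valid full sharing, so t shares carry no information."""
    if len(shares) != t:
        raise ValueError("exactly t shares expected")
    pts = dict(shares)
    pts[0] = secret % P   # the secret is the polynomial's value at 0
    return full_extension(pts, n, t)


def bcg_secure_sum(inputs, t, core_set, rng=None):
    """Steps 1-5 of Section 3.2.7 for f(x) = sum of the inputs of the core set
    (an input outside the core set enters the circuit as 0). Addition gates of CC
    are local on Shamir shares, so this f needs no interaction in step 3."""
    n = len(inputs)
    if n <= 4 * t or len(core_set) < n - t:
        raise ValueError("BCG needs n > 4t and a core set of size at least n - t")
    sharings = {i: share(inputs[i - 1], n, t, rng) for i in range(1, n + 1)}  # step 1
    core = sorted(core_set)                                                   # step 2
    out_shares = {j: sum(sharings[i][j] for i in core) % P                    # step 3
                  for j in range(1, n + 1)}
    honest = list(out_shares.items())[: n - t]   # step 4: shares from n - t >= t + 1 agents
    return reconstruct(dict(honest[: t + 1]))    # step 5: the reconstructed f(x)


if __name__ == "__main__":
    n, t = 5, 1
    sh = share(42, n, t)
    print("reconstructed:", reconstruct({1: sh[1], 2: sh[2]}))
    print("core-set sum:", bcg_secure_sum([1, 2, 3, 4, 5], t, [1, 2, 3, 5]))
```

With n = 5 and t = 1 (so n > 4t), any two shares reconstruct the secret, any single share is consistent with every candidate secret, and a tampered share is rejected as unrealizable; the core-set computation shows why an input of an agent outside the core set contributes 0 to the result.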
4.2 Constructing
Our construction of is similar in spirit to BCG’s construction of . As we said earlier, what makes our setting more complicated is that the agents send multiple messages to the mediator, and the mediator sends multiple messages back. We will need to keep track of which messages are being sent in response to which other messages. Moreover, to get -bisimulation, we need to be able to simulate all possible behaviors of the scheduler, both with and with .
For ease of exposition, we begin by giving a naive construction of , which, as we later show, does not quite satisfy all the desired properties. However, it gives the intuition for the actual construction (which requires only a small modification of the naive construction). We now sketch the naive construction, then give a detailed description, and then explain the minor modifications needed to correct the problems in the naive construction.
This construction may not satisfy the bound we claimed on the expected number of messages when the mediator is responsive. We show in Section 4.4 how to modify the construction so as to satisfy that bound.
When running , each agent simulates its counterpart running , except that, rather than sending messages to and receiving messages from the mediator, shares and reconstructs messages using VSS. In addition, all agents use CC to compute the mediator’s local history, given the messages shared by the agents, and to compute the messages the mediator sends to the agents according to , given its local history. Note that, after running CC, each agent has a share of the mediator’s message. If this is a message sent by the mediator to agent , then each agent sends its share to , so that can reconstruct the message.
To do the simulation, each agent computes two sequences, and . Each element in the first sequence represents ’s local history the th time that is scheduled in the simulated interaction with the mediator, while each term of the second sequence represents ’s share of the mediator’s local history the th time that the mediator is scheduled in the simulated interaction. Of course, these histories depend (in part) on how does the simulation. In our naive protocol, we assume that all agents get scheduled in the simulation at times corresponding to when they get scheduled in the computation of , after getting corresponding messages. That is, whenever is scheduled in , it checks all the messages received from the simulated mediator since the last time it was scheduled in , then simulates itself being scheduled in after receiving exactly the same messages in the same order as it did in . This means that is constructed by appending to all messages received by and the results of all local computations of between the st and th time that is scheduled in . Therefore, in the naive construction, , which is ’s view the th time that is scheduled in the simulation of the computation of , is also part of ’s view of the simulation the th time that is scheduled in . That is, if has been scheduled times in , then it is also scheduled exactly times in the simulation. As we show later by example, this property prevents us from being able to simulate all schedulers in the interaction with the mediator, and is precisely why the naive construction does not quite work. That said, for now we continue to explain the naive construction.
Note that, in , does not receive the mediator’s actual messages in its simulation; rather, it receives shares of those messages. Agent appends a message to only at the point that the message can be reconstructed from the shares of the message that receives from the other agents.
After computing , computes which messages it sends according to (given the history it has simulated) and, for each such message , shares using VSS.
Computing is more subtle. We must ensure that all agents agree on what messages should be appended to to get ; otherwise, agents will not have a consistent view of the mediator’s history. Since, at any point in the execution of , different agents may have terminated different invocations of VSS, this requires a little care. Let be the sequence of shares of the mediator’s local history in the simulation computed thus far by agent . We will ensure that, for all , are shares of some local history of the mediator in the computation of being simulated, where is the empty sequence and is a prefix of (so that the mediator’s history gets increasingly longer). After computing their shares of , agents can perform a circuit computation to compute the messages the mediator sends to the agents given local history .
We now describe the naive construction of in more detail.
As we said, because our naive construction assumes that is scheduled the same number of times in the simulation of as in the actual computation of , the th time is scheduled when running , ’s history includes simulated histories and shares of simulated histories (note that might not be equal to ). These simulated histories are the output of local computations, and thus are recorded in ’s history. In addition, ’s history keeps track of the status of all the invocations of protocols like VSS and CC in which participates (including results of random coin tosses, which we also view as the outcome of computation). Note that there might be several invocations of the same protocol that an agent is involved in at the same time; for example, an agent might invoke VSS several times before any of them complete. To remove ambiguity, we assume that all invocations of a protocol are labeled; for example, the first invocation of VSS invoked by agent could be labeled (VSS, , ), the second one could be labeled (VSS, , ), and so on.
These labels are communicated to the scheduler using the scheme presented in Section 3.6. Thus, we can assume without loss of generality that the scheduler knows the labels.
If agent is scheduled when it is in such a state, it first processes all messages received since the last time it was scheduled. (We assume that all messages received since the last time that was scheduled are held in some buffer.) “Processing a message” consists of playing its part in the protocol to which belongs (which we assume is indicated in the label of ); if is a share of a simulated mediator message, checks if it can reconstruct a new mediator message and, if so, updates accordingly. After processing all of its new messages, will have constructed . Agent checks what action(s) takes given input . If outputs a value , then so does ; if these actions include sending one or more messages to the mediator, then shares those messages using VSS instead. Finally, if possible, computes its share of the simulated mediator’s local history and computes (along with the other agents) which messages the mediator sends to the agents. We now explain how this is done.
Agent computes inductively. Clearly, , the mediator’s initial local history, is empty (and all agents know this). To compute , simulates a computation of VSS initiated by agent 1 (there is nothing special about agent 1 here; any other agent would do) with input the empty sequence under the assumption that all agents are honest, and takes to be ’s share of the output of the computation. Since VSS is a randomized protocol, to assure consistency, all agents must use the same random bits in this computation of VSS; we can assume that these random bits are hardcoded into . Note that this is equivalent to just hardcoding the values of in , but viewing as the output of an invocation of VSS will be useful in the future.
Assuming that has been computed, we show how to compute . The idea is that the agents perform a circuit computation with inputs and all the new messages to be appended to (note that each agent has a share of each of these inputs). It is critical when running a CC invocation that the inputs of each honest agent are consistent with the inputs of all other honest agents participating in the same invocation. More precisely, for all pairs of agents and , if ’s th input is ’s share of the message being shared in some VSS invocation (VSS, , ), then ’s th input must be ’s share of the same message. It is not straightforward to ensure this, since and might have completed different invocations of VSS at the time that they update and respectively.
Since this issue arises in a number of contexts, we formalize this notion of consistency. Suppose that is a joint protocol and is a history of . Let be an invocation of CC in in which some honest agent has participated. Invocation is well-defined if the following holds:
- (a) All honest agents eventually participate in .
- (b) Suppose that has inputs. For each with , there exists an invocation of VSS or CC that occurred earlier in the computation such that each honest agent ’s share of the th input of is ’s share of the output of .
All the invocations of CC to compute are well-defined in this sense, since players must use the shares of the same secret at each gate of the CC.
To ensure this, agents first agree on which subset of messages should be appended to , then they agree on the order in which these messages should be appended, and finally they append these messages to and compute the messages sent by the scheduler to the agents, which are also appended to . The protocol for extending to proceeds in four phases, denoted .
1. Phase : Let be the maximum number of messages that an honest agent sends when running . Each agent participates in consensus protocols in phase , denoted , where is intended to achieve consensus on whether has shared its th message successfully. More precisely, ’s input to consensus protocol is 1 iff has terminated ’s th invocation of VSS by the time starts phase and has output 0 for all . Agent waits until it has terminated all the consensus protocols it is involved with in phase before starting phase . If the output of some consensus protocol is 1, then waits until it has also completed ’s th VSS invocation in round before starting phase .
2. Phase : Let be the consensus protocols that were used in phase and had output 1, ordered in lexicographic order (i.e., precedes iff or [ and ]). In this phase, coordinates with the other agents on the order in which they should append the messages shared in (VSS, ), …, (VSS, ) to . We want the agents to agree on the same permutation of . To do this, they use BCG’s secure computation protocol. Each agent inputs a permutation to the protocol; the output is the permutation that they coordinate on. Agent ’s input to the protocol is the unique permutation satisfying iff terminated (VSS, ) before (VSS, ). Note that since completes all the VSS invocations that are in progress in phase before it starts phase , can compute this permutation. The BCG computation returns the (unique) permutation satisfying iff or [ and ]. Thus, roughly speaking, if, on average, agents terminated before . Note that because of the asynchrony of the system, we can guarantee only that at most inputs will be available when computing . For the remaining inputs we take to be the identity permutation.
3. Phase : Agent uses CC to append new messages to . More precisely, it updates with (VSS, ), …, (VSS, ) in the order determined by the permutation computed in phase . Note that the properties of VSS and the fact that completes all outstanding VSS invocations in phase guarantee that all honest agents have a share of all these messages when they start phase . This procedure gives agent a share that we denote of the mediator’s updated local history after appending these new messages to in the appropriate order.
4. Phase : Agent computes by using CC to append to the messages the mediator sends to the agents according to , given input . (This can be done because all agents know the mediator’s protocol .) Agent ’s input for this invocation of CC is its share . Note that each agent invokes CC only once, using it to compute all the mediator’s messages and append them to . Agent ’s output of this invocation of CC is its share of .
In phase agents never actually compute (their shares, if any, of) the messages sent by the mediator during its st turn; they compute only the result of appending these messages to . Later we will see how agents compute their shares of each of these messages individually, using the fact that it is encoded in .
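The agreement of phase 2 in plain form, as an added illustration that is not part of the paper: each agent's input ranks the phase-1 winners (VSS, i, k) in the order that agent terminated them, unavailable inputs are replaced by the identity permutation, and the output is the single order every honest agent then uses when appending to the mediator's history. The rank-sum rule with lexicographic tie-breaking is our reading of "on average, agents terminated a before b"; the paper's exact aggregation, the names `agreed_order`, `local_permutation` and the sample inputs are all assumptions.

```python
from typing import Dict, List, Optional, Sequence, Tuple

# A label (i, k) stands for invocation (VSS, i, k): agent i's k-th VSS invocation.
Label = Tuple[int, int]


def lexicographic_order(labels: Sequence[Label]) -> List[Label]:
    """Phase-2 lexicographic order: (i, k) precedes (i', k') iff i < i' or (i == i' and k < k')."""
    return sorted(labels)


def identity_permutation(labels: Sequence[Label]) -> Dict[Label, int]:
    """Position of each label in the lexicographic order.

    Used for agents whose input did not arrive in time (the text substitutes
    the identity permutation for them).
    """
    return {lab: pos for pos, lab in enumerate(lexicographic_order(labels))}


def local_permutation(termination_order: Sequence[Label],
                      labels: Sequence[Label]) -> Dict[Label, int]:
    """Agent j's input: position of each label in the order in which j terminated the invocations.

    An input that does not rank exactly the phase-1 winners is rejected so that
    a malformed input cannot silently corrupt the agreed order.
    """
    if sorted(termination_order) != sorted(labels):
        raise ValueError("input must rank exactly the phase-1 winners, each once")
    return {lab: pos for pos, lab in enumerate(termination_order)}


def agreed_order(labels: Sequence[Label],
                 inputs: Sequence[Optional[Sequence[Label]]]) -> List[Label]:
    """The single order in which every honest agent appends the messages to the history.

    inputs[j] is agent j's termination order, or None when agent j's input was
    unavailable (replaced by the identity permutation).
    ASSUMPTION: "on average terminated a before b" is modelled as a smaller sum
    of ranks; equal sums fall back to the lexicographic order of the labels.
    """
    ranks = [identity_permutation(labels) if inp is None else local_permutation(inp, labels)
             for inp in inputs]
    return sorted(labels, key=lambda lab: (sum(r[lab] for r in ranks), lab))


if __name__ == "__main__":
    # Constructed sample: three phase-1 winners, four agents, one input missing.
    winners = [(1, 1), (2, 1), (1, 2)]
    sample_inputs = [
        [(2, 1), (1, 1), (1, 2)],   # agent 1's termination order
        [(2, 1), (1, 2), (1, 1)],   # agent 2's termination order
        None,                       # agent 3's input unavailable -> identity
        [(1, 1), (2, 1), (1, 2)],   # agent 4's termination order
    ]
    print(agreed_order(winners, sample_inputs))
```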
This protocol satisfies two important properties if :
Lemma 2.
All honest agents eventually terminate phase . Moreover, for all adversaries of size at most and all histories, the CC protocol invoked in phase is well-defined.
Proof.
If the output of some consensus protocol is 1, then the properties of VSS guarantee that at least one honest agent had input 1. Thus, at least one honest agent terminated (VSS, , ). The properties of VSS guarantee that all other honest agents eventually terminate this VSS invocation as well. The properties of consensus and secure computation guarantee that all agents use the outputs of the same VSS invocations in the same order, which means that the CC procedure of phase is well-defined for all runs. ∎
Lemma 3.
If an honest agent shares a message using VSS, then will be in for some , and hence each honest agent will have a share of in .
Proof.
If (VSS, , ) is invoked by an honest agent , then all honest agents are guaranteed to eventually terminate this invocation of VSS. Thus, the output of consensus protocol (at Phase ) is 1 for exactly one value of . (Note that if the output of is , then all honest players take 0 to be the input for all consensus protocols with . This guarantees that the output of all these protocols is 0.) This ensures that (VSS, , ) is appended to in Phase , and thus it is included in . ∎
Since, by the time each agent finishes computing , all the messages that the mediator sends to each agent are already encoded in , it may seem that to compute the shares of these messages individually, would have to use an instance of CC for each one.
However, this procedure is not so straightforward since does not know beforehand how many messages the mediator sends or the order in which the mediator sends messages the th time it is scheduled (although this is also encoded in ). To deal with this issue, before computing its share of each of the mediator’s messages, first checks if there is a message that still needs to be sent and, if so, who the recipient is.
More precisely, let be the function that takes as input a mediator’s local history and returns the recipient of the th message sent by the mediator the th time it is scheduled; similarly, let be the function that computes the th message sent by the mediator the th time it is scheduled, given the mediator’s history. If the mediator sends fewer than messages the th time it is scheduled, or if the input is not a well-defined local history, both and return 0. After computing , agent proceeds as follows for : it performs a circuit computation of with input . Then broadcasts the output of this computation, and uses the values it receives from other agents to reconstruct .
If , performs a circuit computation of with input and computes . If , then for each , sends the output of its circuit computation of to agent .
This completes the description of the naive version of . As we have been hinting, this protocol does not quite work. The following example makes the reasons more precise.
Consider a protocol in which the mediator sends a STOP message to each agent the first time it (the mediator) is scheduled. If was scheduled before receiving the STOP message, it outputs 0; otherwise, it outputs 1. Note that any combination of outputs is possible with , depending on when the scheduler schedules the mediator and the agents. However, this is not true for as we have defined it. Suppose, for example, that all agents are honest, and is the first agent scheduled in a history of . At this point, is supposed to compute . Since it has not received any messages, it will take to be empty, and thus output 0. It follows that no history of can end with all agents outputting 1, which means that does not -bisimulate .
In our construction of the naive version of , each agent calculates the th time that is scheduled in . However, since computing each of takes several turns of , the mediator’s history being computed by during its th turn satisfies that . This means that is simulating that the mediator, at all times, has taken fewer turns than , which may not be true in the protocol with the mediator. As our example shows, some scenarios cannot be simulated with our naive construction because of this.
We deal with this problem by using the scheduler in the simulation to determine whether an update to or should occur when is scheduled.
We proceed as follows. When an agent is first scheduled, sends two special messages, and , to itself and computes (which is just an empty history) and . What does when it is scheduled for the th time for depends on whether it has received messages of the form and and messages from itself since the last time it was scheduled. Suppose that has computed the sequences and when it is scheduled for the th time. If has not received a message since the last time it was scheduled, does not compute . If has received a message since the last time it was scheduled, then it sends itself another message and computes as described above, using all the messages it received since it was last scheduled and received a message. Thus, computes the next history in the sequence if and only if receives a message. Similarly, if has not received a message of the form since the last time it was scheduled, then it does not do any of the steps needed to compute . If it has received a message of the form since the last time it was scheduled, it sends itself a message of the form . (Thus, the second component of the subscript serves as a counter for the number of such messages that have been sent.) If , then plays its part in computing . Otherwise, does not take part in any procedure involved in the computation of ; that is, waits until it receives before attempting to compute . Thus, when it is scheduled, may take part in computing both and , only one of them, or neither of them. Since the scheduler must eventually deliver all messages, all agents receive all the messages that they send themselves, so they eventually do update and .
This completes the construction of . In the next few subsections, we prove that has the desired properties.
4.3 The proof of Theorem 2(a)
We now prove Theorem 2(a). For ease of exposition, we begin by proving this result for the special case that , showing that -bisimulates if .
Proof that -bisimulates if : We actually prove a result slightly stronger than Theorem 2(a): while the definition of bisimulation allows to depend on both and and to depend on both and , in our construction below, depends only on (and not on ), while depends only on (and not on ).
We begin by showing that satisfies part (a) of the definition of bisimulation assuming that all players are honest. Later, we show how this proof can also be applied to the case in which a subset of players deviate. Given a scheduler in the mediator setting, we construct a scheduler in the setting without the mediator as follows. Initially, schedules each agent exactly once. Recall that if is honest, the first time it is scheduled it sends only and messages to itself. The point of scheduling all the agents initially is simply to get these messages into the system. From then on, just as the agents do with , simulates which history the scheduler would have in the interaction with the mediator if the mediator and the agents used and the scheduler used . At the beginning of the game, the scheduler sets to the empty history. How the scheduler updates and what actions the scheduler performs according to then depend on the form of (i.e., the actions that would perform given history ), and on the actions that the players perform afterwards:
- If has the form , then it delivers ’s most recent message if there is one to deliver, and then schedules . Suppose that initiates VSS instances during its turn. Then immediately after ’s turn, appends and events to , followed by a event.
- If has the form and it is the th time that the mediator is scheduled according to , then the scheduler delivers to each agent its message if there is one to deliver and then schedules agents cyclically () until all agents finish computing and their share of each of the messages sent by the mediator during its th turn. The scheduler also delivers to each agent all the messages required by for the computation of and the shares of the mediator’s messages immediately after they are sent. Suppose that the players determine that the mediator sends messages to , in that order. Then appends to . Note that the scheduler knows , and also knows when each player terminates the computation of (given our assumption that the scheduler knows the label of each message), since player has terminated the computation of if all messages related to this computation have been delivered and no player sent further messages when it was scheduled. Thus, all players are guaranteed to have terminated the computation of after the scheduler has gone through a full cycle of scheduling the players without any player sending any message required for the computation of , for . (Recall that we are assuming for now that all players are honest.)
- If has the form , the scheduler delivers to all the messages that needs to compute the mediator’s th message to . That is, the scheduler delivers the messages from other agents containing the shares of the th message from the mediator to . (By our inductive hypothesis, these messages have been sent but not yet delivered.) Then appends to .
- If has the form , the scheduler schedules the agents cyclically until all the agents finish computing . More precisely, the scheduler delivers only the messages involved in protocol , and does so immediately after they are sent, all of this while scheduling the agents cyclically until all the agents stop sending messages. Then appends to .
Note that does not depend on the protocol used by malicious agents. Suppose that and are deterministic. For each input , let denote agent ’s local history at the end of its th turn in the unique history of . When the agents use , they simulate the computation of . Let denote ’s history at the end of ’s th turn in the simulation. Although randomizes, since and are deterministic, as we now show, the value of is independent of this randomization.
Lemma 4.
For all input profiles , .
We prove this lemma by proving a more general result that establishes a correspondence between histories of and histories of . In , agents attempt to simulate all the events of , which include being scheduled and sending and receiving messages. By the construction of , all shares of a message sent by the mediator are received by its recipient virtually “at the same time” (more precisely, they are received one immediately after the other, with no other action in between). This allows us to define a correspondence between events in a history of when used with scheduler and events in a history of when used with scheduler . We start by defining the correspondence between events that are in an agent ’s history in and .
- The event that agent is scheduled for the th time in corresponds to the event that is scheduled after receiving its th message in . (Of course, may not have received messages in ; in this case, no event in corresponds to the event of being scheduled for the th time in . Similar comments hold for all the other correspondences defined below.)
- The event that sends its th message in corresponds to the event that initiates its th invocation of VSS in .
- The event that receives the th message sent by the mediator during its th turn in corresponds to the event that receives a share of in . Note that encodes the th message sent by the simulated mediator during its th turn given its local history .
Since the mediator is being simulated by all agents, events in the mediator’s history in do not correspond to single events in . Rather, they correspond to exactly events, one for each agent. Scheduler guarantees that these events occur consecutively in .
- The event that the mediator is scheduled for the th time in corresponds to the set of events in consisting of agent being scheduled after receiving a message, for each agent .
- The event that the mediator sends the th message to agent during its th turn in corresponds to the set of events in consisting of each agent computing its share of (which encodes the th message sent by the simulated mediator during its th turn) and sending it to agent .
- The event that the mediator receives ’s th message in corresponds to the set of events in consisting of each agent terminating the th VSS invocation initiated by .

Note that we have not included the events in the correspondence. Even though such events are needed to define the end of an agent’s turn, they are redundant, since they come immediately before a in ’s local history.
An event in a history of is a simulation event if it could correspond to some event in another history of . More precisely, an event in history is a simulation event if there exists a history of and an event in such that corresponds to . Two histories and of and correspond if all non- events in ’s history in correspond to some event in , all non- events in the mediator’s history in correspond to events in , one for each agent, each simulation event in corresponds to some event in , and the order of corresponding events in each agent ’s history is preserved; more precisely, if and are two non- events in ’s (resp., the mediator’s) history in , and and are the events that correspond to and in ’s history in , then precedes in iff precedes in .
Lemma 4 follows from the following lemma, which is almost immediate from the construction of and . Although there are a number of histories in with scheduler and input due to the randomization used in protocols such as VSS and CC, all of them correspond to the unique history in when the scheduler plays and players have input profile .
Lemma 5.
*For all input profiles , the unique history of where the agents use with scheduler and input profile corresponds to all the histories of where the agents use with scheduler and input profile .*
Note that Lemma 5 implies Lemma 4, since it states that agents simulate receiving and sending messages in exactly the same order with as they do with . Moreover, if the protocol is deterministic, the contents of those messages are uniquely determined.
If or involve randomization, we can assume that the agents and mediator toss all the coins they need at the beginning (before they are first scheduled) and then use the outcomes of these coin tosses for their decisions. Fixing the outcome of such coin tosses makes the protocols deterministic, and an analogous argument to that used for Lemma 4 for each of the possible sequences of coin tosses guarantees that the agents’ outputs are identically distributed in and in . Since is just another protocol, it immediately follows from Lemma 4 that for all input profiles and are identically distributed for all possible protocols for the malicious agents. This completes the proof that part (a) of the definition of “bisimulates” holds.
We now prove that part (b) of the definition of “bisimulates” holds. For this proof, we assume without loss of generality that malicious agents output their local history when running , since any output must be a function of their local history. For ease of exposition, we begin by giving the highlights of the construction of and , given , , and ; we later present the construction in more detail. The idea for constructing and is that the adversary simulates what would occur if honest agents use , malicious agents use , and the scheduler uses . If the adversary in the protocol with the mediator knew the input of honest agents, the adversary could perform the simulation before the protocol starts, and have malicious agents output the local history they have in the simulation, regardless of their history in . However, the adversary does not know the honest agents’ inputs. Thus, the adversary does the simulation assuming honest agents have some fixed input, which we take to be . The following lemma makes precise the sense in which using rather than is “safe”.
Lemma 6.
Let be a random variable whose values are the values of the malicious agents, when the honest agents use , given input profile , and adversary . Let and be the implementation of VSS and CC, respectively, in a -resilient secret-sharing scheme. Then for all adversaries and input profiles and , we have
- * and are identically distributed;*
- * and are identically distributed.*
Lemma 6 implies that the adversary’s history in an invocation of VSS and CC is independent of the actual inputs of the honest agents. This follows easily from the definition of -resilience, since otherwise the adversary could deduce information about the honest agents’ inputs given its local history. This means that much of the simulation can be performed by the adversary without having to know which inputs honest agents are using.
Indeed, there are only three types of actions or decisions of an honest agent that both depend on the honest agents’ inputs and can affect the adversary’s local history:
- (a) how many times invokes VSS after receiving a message;
- (b) what values broadcasts after computing its share of ;
- (c) what values sends to an agent after computing (if ).
Clearly, the number of times that an honest agent invokes VSS affects the adversary’s simulated history. For (b) and (c), if the adversary assumes that the honest agents have arbitrary inputs, the values received by agents in will also be arbitrary, as opposed to being correlated with the agents’ inputs (e.g., the messages sent by the mediator can depend on the messages received by honest agents, which ultimately depend on their inputs).
We show next that (a), (b) and (c) are the only decisions and actions taken by honest agents that the adversary cannot simulate. Suppose that the adversary had an oracle that could tell the adversary the number of times each honest agent invokes VSS each time is scheduled, and the values of each instance of and (if ). Then the adversary could perform its simulation even without the honest agents’ inputs: it could run its simulation with arbitrary inputs for honest agents. Whenever an honest agent is scheduled after receiving a message, it could ask the oracle how many times invokes VSS, and could simulate performing that many invocations of VSS with arbitrary inputs, even without knowing the actual local history of . Similarly, whenever honest agents have to broadcast or send an agent in their share of or , the adversary could ask the oracle what value (resp., ) takes in the actual history of . In its simulation, the adversary takes the set of shares that the honest agents broadcast or sent to agents in to be -realizable or -realizable, respectively, regardless of the local history of the honest agents in the simulation (we will show when we present the more detailed construction how this can be done in such a way that the adversary’s local history in its simulation is still consistent, despite the fact that in the simulation, honest agents may send different shares than the ones they computed). It follows from Lemma 6 that the adversary’s local histories in the simulation with this oracle and its histories in a real interaction where honest players play with input are identically distributed.
Unfortunately, the adversary does not have access to such an oracle. However, by the construction of , the values given by the oracle can be deduced from the history of the protocol with the mediator that the adversary is simulating, even without the benefit of an oracle. Specifically, if, for all honest agents , each of the simulated histories in is equal to ’s local history at the end of ’s th turn in , and if each of the histories is equal to the local history of the mediator at the end of its th turn, then the number of times that an honest agent invokes VSS after receiving its th message but before receiving its st message in is the number of messages sent by during its th turn in ; is the recipient of the th message sent by the mediator during its th turn; and is the content of this message (which is known by the adversary if its recipient is in ).
Thus, if the adversary could schedule agents and deliver messages in in such a way that, for each agent and all , the local histories in the adversary’s simulation are the same as the local history of in at the end of ’s th turn, then we could dispense with the oracle. However, because the adversary does not know the honest agents’ input profiles, it cannot in general do this.
Fortunately, we do not need quite this much.
Recall that the aim of the simulation is for the adversary to compute what history it would have in . Since , Lemma 6 implies that the local histories of the agents in and of the scheduler have the same distribution, independent of which values are being shared by honest agents. Therefore, to deduce the values given by the oracle, it suffices that the adversary schedules agents and delivers messages in in such a way that, for each agent , the local histories in the adversary’s simulation are the same as the local history of in at the end of ’s th turn, except possibly for ’s input and the content of the messages sent and received by . This means that the local histories and ’s local histories in at the end of its th turn should consist of exactly the same , , , , and events, and may differ only in the content of their and events. A more detailed construction of the adversary is given next.
For simplicity, we assume the adversary is a single entity that controls both the scheduler and the subset of malicious agents. Given , and , the adversary starts by performing a simulation of a history of using additional variables and with , all initially set to a special value . Whenever one of the following events occurs in the simulation, the adversary proceeds as described below.
- (1) An agent is scheduled after receiving a message: In this case, schedules in . If sends messages when it is scheduled in , then in its simulation, is scheduled and invokes VSS times with input , regardless of ’s local history in the simulation.
- (2) An honest agent terminates the share phase of , with : Since , the properties of VSS guarantee that at least honest agents in the simulation will also compute their share of , and that these shares reconstruct a unique value . The scheduler then schedules agent in , and sends message to the mediator, tagged with label .
- (3) An agent is the first honest agent to compute the permutation computed in phase : Let be the cardinality of the domain of , and let be the invocations of VSS that are included in in Phase . The scheduler delivers agent ’s th message, …, and ’s th message to the mediator in , and then schedules the mediator.
- (4) An agent terminates the invocation of CC instance for : If the additional variable , then the adversary continues its simulation under the assumption that ’s output of the CC invocation is rather than the actual output. Otherwise, since , the assumption made at the end of Section 3.2.6 guarantees that there is a set of at least honest agents in the simulation that have already computed their shares of . Let be the unique full extension of the shares of the agents in , and let be either the receiver of the mediator’s th message during its th turn or 0 if the mediator didn’t send messages during its th turn. The adversary samples uniformly at random a full -extension of and sets to for all . The adversary continues its simulation by assuming that ’s output of the CC invocation is rather than .
- (5) An agent terminates the CC invocation for , and and are such that the mediator sent at least messages the th time it was scheduled in , and the recipient of the th message sent by the mediator the th time it is scheduled in is in : If , then the adversary continues its simulation by assuming that ’s output of the CC invocation is rather than the actual output. Otherwise, let be the content of the th message that the mediator sends the th time it is scheduled (note that this value is known by , and hence by the adversary). Since , by the properties of CC, there is a set with at least honest agents that have computed their shares of in the simulation. Let be the unique full extension of the shares of agents in . The adversary samples uniformly at random a full -extension of and sets to for each . Then the adversary continues its simulation by assuming that ’s output of the CC invocation is rather than .
- (6) An agent reconstructs using VSS for some and : In this case, the scheduler delivers the th message sent by the mediator to the th time the mediator was scheduled.
Note that this construction for the adversary is well defined. The first and second clauses guarantee that if an agent terminated in the adversary’s simulation, then agent sent a message tagged with label in the corresponding history of . Also, whenever an honest agent finishes the computation of or , it must have terminated the computation of , and (3) guarantees that the mediator has been scheduled at least times (as needed for (4) and (5)).
The first step in proving that this construction of and satisfies clause (b) of the definition of -bisimulation is to show that the adversary can simulate how many times each honest agent invokes VSS in . Recall that honest agents may initiate a new invocation of only after receiving a message. Given a history in , let denote the number of times that agent invokes VSS after receiving its th message but before receiving the st message. Let be the sequence of all such values, arranged lexicographically first by their index and then by their index. The following lemma, which follows immediately from the construction of and , shows that the distribution of these random variables is the same in and in the adversary’s simulation.
Lemma 7.
Fix with and an input profile . Let be the distribution over histories when agents use with scheduler and input , and let be the distribution over histories in the adversary’s simulation when agents use with scheduler and input . Then and are identically distributed.
As we pointed out before, one of the few decisions made by honest agents that the adversary cannot simulate without additional information is the number of invocations of VSS that they perform when they are scheduled. Thus, this lemma shows that honest agents behave exactly the same in and in the adversary’s simulation except for the values that they share using VSS and the values of and sent to other players. However, by Lemma 6, exactly which values are shared using VSS does not affect the adversary’s local history in its simulation. Therefore, the only events that might differ between the adversary’s local history in and its local history in its simulation in are those in which agents in receive shares of and from honest agents. In , and are the recipient and the content of the mediator’s th message during its th turn, which are computed using CC with the simulated mediator’s local history as input. Since the adversary assumes in its simulation that the values that honest agents share using VSS are all 0, the local histories that honest agents compute in the adversary’s simulation would not follow the same distribution as their local histories if they used with their actual input. Thus, the shares of and would also have a different distribution.
However, much as when dealing with VSS invocations, the adversary can use the mediator’s actions in as feedback for its simulation, and simulates that the shares of and that honest agents send to players in define secrets and respectively, regardless of their local history, where and are the recipient and the content of the mediator’s th message during its th turn in (note that the adversary does this for whenever , since otherwise it does not know the content of this message).
By construction, this simulation proceeds in such a way that the shares that honest players send are “consistent” with the shares of and that players in could compute from their local history, in the sense that the shares of and sent by honest players together with the shares of those functions that players in could compute are -realizable and -realizable respectively. Note that if this weren’t the case, the simulated local history of players in could not occur if honest players played . The following lemma shows the correctness of this construction.
Given a history of , let denote the subsequence of events in of messages from agents not in involving the computation of and , using CC, the broadcast procedures for the shares of , and the messages in which they send their shares of .
Lemma 8.
Fix with and an input profile . Let be the distribution over histories when agents use with adversary and input , and let and . Then and are identically distributed for all , where is the distribution on sequences of events defined naturally by composing and .
Proof.
The proof of this lemma is analogous to that given by Canetti in his proof of Lemma 4.31 [Canetti 1996, p. 91]. ∎
As we noted in Section 4.1, we implement CC in such a way that there is no correlation between the shares of different circuit computations. Thus, Lemma 8 can be easily generalized to show that and are identically distributed. This, together with Lemmas 6 and 7, implies Theorem 2(a) in the case that .
We now prove that -bisimulates in the general setting, where and . Let . Given a protocol for agents, consider the protocol for agents, where the first agents use , while the last agents use the null protocol, that is, they never send any messages. Given an adversary in the setting with agents (and no mediator), consider an adversary in the setting with agents in which is a relaxed scheduler that acts just like , except that it might schedule agents in , although it never delivers their messages (note that since does not deliver the messages sent by the last agents, is well defined even in the setting with agents). Since , following the same construction as in the case that , there exists an adversary such that
[TABLE]
for all input profiles .
Note that the scheduler resulting from this construction is in fact a relaxed scheduler: since some of the VSS-share and CC instances in are not guaranteed to terminate if is relaxed, some messages might not be delivered by .
Consider a scheduler in that acts like except that it does not schedule agents . By construction,
[TABLE]
and
[TABLE]
so
[TABLE]
as desired.
Finally, it remains to show that if , is not relaxed. Given the adversaries and defined above, consider an adversary for , such that , agents use , agents in send no messages, and acts just like . By construction,
[TABLE]
In this case, is not a relaxed scheduler, since agents in never send any messages. Moreover, since , it follows that , and reasoning analogous to the previous case shows that there exists an adversary such that
[TABLE]
However, in this case, is not relaxed, since was not.
4.4 Bounding the number of messages
As mentioned in Section 3.2.7, our construction of does not bound the number of messages sent. To see this, note that players compute each time that the mediator is scheduled in the simulation. Since the number of times that the mediator can be scheduled is unbounded, the number of messages sent in can be unbounded as well.
If the mediator is responsive, we show how we can modify the construction of Section 3.2.7 so as to bound the number of messages. The idea is that, since is responsive, agents don’t need to simulate all the mediator’s histories; it suffices to simulate only the histories in which the mediator receives at least one message at every turn except possibly the first one. Note that this bounds the number of mediator turns that the players simulate by , and thus guarantees that the expected number of messages in is polynomial in and , since all primitives satisfy this property. To do this, agents run the protocol of Section 4.3 with a simple modification in the computation of for . Instead of running a consensus protocol for each VSS invocation (VSS, , ), players use an ACS computation with parameter , in which the accumulative set of player consists of the pairs such that has terminated (VSS, , ) but was not in any core set with . Players then continue Phases to as usual, but take iff . Since the players take the parameter to be 1, ; thus, it is guaranteed that in the simulation, the mediator has received at least one message at its th turn.
The proof of correctness of this modified construction is identical to that given in Section 4.3 for the original construction.
4.5 The proof of Theorem 2(b)
If is in canonical form, the construction of is as in Section 3.2.7, except that if an honest player reconstructs a message containing “STOP”, it terminates.
Suppose that a set of at least honest agents terminate. This means that all agents in have computed their share of each of the mediator’s messages. Thus, for each message sent by the mediator, each honest agent will eventually receive a subset of shares such that is -realizable. Recall that we assumed (at the end of Section 3.2) that the secret-sharing scheme used in is -determinate. Thus, this subset of shares suffices for each honest agent to uniquely reconstruct , even with an adversary of size : if a pair with is -realizable, at least agents from are honest, and their shares uniquely define (and each of the other agents’ shares). Thus, receiving a realizable set of at least shares uniquely determines the secret being shared.
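The determinacy argument above can be made concrete with a small Shamir-style sharing over a prime field. The following is an added example written for this page, not code from the paper or from the BCG/BKR implementations: the field modulus, the parameters t = 2 and n = 9 (so that n > 4t), the forged share values, and the `realizable` check (all shares in the set lie on a single polynomial of degree at most t) are assumptions chosen for the illustration. It shows that every realizable set of 2t+1 shares reconstructs the same secret even when t of the shares are forged, that sets containing a forged share fail the realizability check, and, as the failure mode, that a set of only t+1 shares can look realizable yet reconstruct a wrong secret.

```python
"""Shamir sharing over GF(P) and the 't-determinate' reconstruction argument.

Added illustration (not the paper's construction): P, t, n, the forged values
and the realizability check are assumptions made for this demonstration.
"""
from itertools import combinations
import random

P = 2**31 - 1  # prime field modulus (constructed parameter)


def _inv(a):
    """Multiplicative inverse in GF(P) via Fermat's little theorem."""
    return pow(a % P, P - 2, P)


def share(secret, t, n, rng):
    """Split `secret` into n shares (i, f(i)), f a random degree-t polynomial with f(0) = secret."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]

    def f(x):
        return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

    return [(i, f(i)) for i in range(1, n + 1)]


def interpolate(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through `points` (Lagrange)."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x - xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * _inv(den)) % P
    return total


def realizable(shares, t):
    """True iff all shares lie on the degree-<=t polynomial fixed by any t+1 of them,
    i.e. the set is the share set of a single secret (our reading of 'realizable')."""
    if len(shares) <= t:
        return True  # t or fewer points are always consistent with some degree-t polynomial
    base = shares[:t + 1]
    return all(interpolate(base, x) == y for x, y in shares[t + 1:])


def reconstruct(shares, t):
    """Return the secret if `shares` is a realizable set of at least 2t+1 shares, else None."""
    if len(shares) < 2 * t + 1 or not realizable(shares, t):
        return None
    return interpolate(shares[:t + 1], 0)


def demo(seed=7):
    """Adversary controlling t agents forges their shares; honest shares are untouched."""
    rng = random.Random(seed)
    t, n = 2, 9                       # n > 4t, the regime of the paper's main theorem
    secret = 123456789
    honest = share(secret, t, n, rng)
    corrupt_ids = {1, 2}              # the t corrupted agents
    # forged value y + i is guaranteed to differ from the true share y
    forged = [(i, (y + i) % P) if i in corrupt_ids else (i, y) for i, y in honest]

    # (1) Every realizable 2t+1 subset yields the true secret; subsets containing a
    #     forged share are rejected, since >= t+1 honest shares pin the polynomial down.
    results, rejected = set(), 0
    for subset in combinations(forged, 2 * t + 1):
        r = reconstruct(list(subset), t)
        if r is None:
            rejected += 1
        else:
            results.add(r)

    # (2) With only t+1 shares (t forged + 1 honest) the set passes the realizability
    #     check but interpolates to a wrong secret: 2t+1 shares are really needed.
    small = [s for s in forged if s[0] in corrupt_ids] + [forged[2]]
    return {
        "secret": secret,
        "results": results,
        "rejected": rejected,
        "small_realizable": realizable(small, t),
        "small_value": interpolate(small, 0),
    }


if __name__ == "__main__":
    print(demo())
```

With t = 2 and n = 9 there are C(9,5) = 126 five-share subsets, of which the C(7,5) = 21 all-honest ones reconstruct the secret and the remaining 105 contain a forged share and are rejected as unrealizable; the three-share set in step (2) is accepted by the check yet yields a different value, which is exactly why the argument needs a realizable set of at least 2t+1 shares rather than t+1.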
4.6 The proof of Theorem 3
The protocol for Theorem 3 is analogous to that for Theorem 2, except that we use the VSS and CC implementations of BKR instead of those of BCG. The proof of Theorem 3(a) is then identical to that of Theorem 2(a). Since it can be easily shown that the VSS and CC implementations constructed by BKR -coterminate, Theorem 3(b) follows.
5 Conclusion
We have shown how to simulate arbitrary protocols securely in an asynchronous setting in a “bidirectional” way (as formalized by our notion of bisimulation). This bidirectionality plays a key role in our application of these results in a companion paper; we believe that it might turn out to be useful in other settings as well. While this property holds for the BCG function simulation, proving that we can simulate arbitrary protocols so that it holds seems to be nontrivial.
Our construction may not be message-efficient in the general case. However, for responsive mediators, a small modification allows us to bound the expected number of messages by a function that is polynomial in the number of players and the maximum number of messages sent in the setting with the mediator, and linear in , the number of gates in a circuit that implements the mediator’s protocol. It is still an open problem whether all protocols can be implemented in a way that the expected number of messages sent by honest agents is bounded by some function of , , and .
References
- Abraham, I., D. Dolev, I. Geffner, and J. Y. Halpern (2019). Implementing mediators with asynchronous cheap talk. In Proc. 38th ACM Symposium on Principles of Distributed Computing.
- Abraham, I., D. Dolev, and J. Y. Halpern (2008). An almost-surely terminating polynomial protocol for asynchronous Byzantine agreement with optimal resilience. In Proc. 27th ACM Symposium on Principles of Distributed Computing, pp. 61–75.
- Ben-Or, M., R. Canetti, and O. Goldreich (1993). Asynchronous secure computation. In STOC ’93: Proceedings of the 25th Annual ACM Symposium on Theory of Computing, pp. 52–61.
- Ben-Or, M., S. Goldwasser, and A. Wigderson (1988). Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Proc. 20th ACM Symposium on Theory of Computing, pp. 1–10.
- Ben-Or, M., B. Kelmer, and T. Rabin (1994). Asynchronous secure computations with optimal resilience (extended abstract). In Proc. 13th ACM Symposium on Principles of Distributed Computing, pp. 183–192.
- Bracha, G. (1984). An asynchronous ⌊(n−1)/3⌋-resilient consensus protocol. In Proc. 3rd ACM Symposium on Principles of Distributed Computing, pp. 154–162.
- Canetti, R. (1996). Studies in Secure Multiparty Computation and Applications. Ph.D. thesis, Technion.
