2023-04-05
Cait-Sith Security (3): Multiplication and Triples
We basically start with the ideal
functionality for multiplicative-to-additive conversion (MTA),
from HMRT21 .
We slightly simplify their functionality, by giving the adversary
more power to corrupt the result.
Definition (MTA):
F [ MTA ] P i a 1 , a 2 , β 1 , β 2 ← ⊥ Δ ← ⊥ ( 1 ) StartMTA i ( a ) : ‾ a i ← a Sample ( ) : ‾ assert a 1 , a 2 , Δ ≠ ⊥ if β 1 , β 2 = ⊥ : ( β 1 , β 2 ) ← $ { ( β 1 , β 2 ) ∈ F q 2 ∣ β 1 + β 2 = a 1 ⋅ a 2 + Δ } ( 1 ) EndMTA i ( ) : ‾ wait _ ( i , 0 ) a 1 , a 2 , Δ ≠ ⊥ Sample ( ) return β i ( 1 ) Cheat ( Δ ) ‾ Δ ← Δ \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$F[\text{MTA}]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&a_1, a_2, \beta_1, \beta_2 \gets \bot\cr
&\Delta \gets \bot\cr
\cr
&\underline{
(1)\text{StartMTA}_i(a):
}\cr
&\enspace
a_i \gets a
\cr
\cr
&\underline{
\text{Sample}():
}\cr
&\enspace
\texttt{assert } a_1, a_2, \Delta \neq \bot
\cr
&\enspace
\texttt{if } \beta_1, \beta_2 = \bot:
\cr
&\enspace\enspace
(\beta_1, \beta_2) \xleftarrow{\$} \{(\beta_1, \beta_2) \in \mathbb{F}_q^2 \mid \beta_1 + \beta_2 = a_1 \cdot a_2 + \Delta \}
\cr
\cr
&\underline{
(1)\text{EndMTA}_i():
}\cr
&\enspace
\texttt{wait}\_{(i, 0)} a_1, a_2, \Delta \neq \bot
\cr
&\enspace
\text{Sample}()
\cr
&\enspace
\texttt{return } \beta_i
\cr
\cr
&\underline{
(1)\text{Cheat}(\Delta)
}\cr
&\enspace
\Delta \gets \Delta
\cr
\end{aligned}
}
}
\end{matrix}
} F [ M T A ] P i a 1 , a 2 , β 1 , β 2 ← ⊥ Δ ← ⊥ ( 1 ) S t a r t M T A i ( a ) : a i ← a S a m p l e ( ) : assert a 1 , a 2 , Δ = ⊥ if β 1 , β 2 = ⊥ : ( β 1 , β 2 ) $ {( β 1 , β 2 ) ∈ F q 2 ∣ β 1 + β 2 = a 1 ⋅ a 2 + Δ } ( 1 ) E n d M T A i ( ) : wait _ ( i , 0 ) a 1 , a 2 , Δ = ⊥ S a m p l e ( ) return β i ( 1 ) C h e a t ( Δ ) Δ ← Δ □ \square □
The basic idea is that we convert a secret s = a ⋅ b s = a \cdot b s = a ⋅ b α , β \alpha, \beta α , β α + β = s \alpha + \beta = s α + β = s s + Δ s + \Delta s + Δ
Multiplication
Next, we consider multiplication using this functionality.
First, we need to take a detour, to consider using two instances
of the functionality together.
Consider the following protocol:
P [ MTA 2 ] P i ( 1 ) Start _ i j ( a , b ) : ‾ StartMTA i 0 ( Flip _ i j ( a , b ) ) StartMTA i 1 ( Flip _ i j ( b , a ) ) ( 1 ) EndMTA _ i j ( ) : ‾ return EndMTA i 0 ( ) + EndMTA i 1 ( ) ( 1 ) Cheat τ ( Δ ) ‾ Cheat τ ( Δ ) ⊲ P [ MTA ] 2 \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}[\text{MTA}^2]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\underline{
(1)\text{Start}\_{ij}(a, b):
}\cr
&\enspace
\text{StartMTA}^0_i(\text{Flip}\_{ij}(a, b))
\cr
&\enspace
\text{StartMTA}^1_i(\text{Flip}\_{ij}(b, a))
\cr
\cr
&\underline{
(1)\text{EndMTA}\_{ij}():
}\cr
&\enspace
\texttt{return } \text{EndMTA}^0_i() + \text{EndMTA}^1_i()
\cr
\cr
&\underline{
(1)\text{Cheat}^\tau(\Delta)
}\cr
&\enspace
\text{Cheat}^\tau(\Delta)
\cr
\end{aligned}
}
}
\end{matrix}
}
\lhd \mathscr{P}[\text{MTA}]^2 P [ M T A 2 ] P i ( 1 ) S t a r t _ ij ( a , b ) : S t a r t M T A i 0 ( F l i p _ ij ( a , b )) S t a r t M T A i 1 ( F l i p _ ij ( b , a )) ( 1 ) E n d M T A _ ij ( ) : return E n d M T A i 0 ( ) + E n d M T A i 1 ( ) ( 1 ) C h e a t τ ( Δ ) C h e a t τ ( Δ ) ⊲ P [ M T A ] 2 Well, it turns out that this implements the following functionality:
F [ MTA 2 ] P i a 1 , a 2 , b 1 , b 2 , β 1 , β 2 ← ⊥ Δ ← ⊥ ( 1 ) Start i ( a , b ) : ‾ a i ← a , b i ← b Sample ( ) : ‾ assert a 1 , a 2 , b 1 , b 2 , Δ ≠ ⊥ if β 1 , β 2 = ⊥ : ( β 1 , β 2 ) ← $ { ( β 1 , β 2 ) ∈ F q 2 ∣ β 1 + β 2 = a 1 ⋅ b 2 + a 2 ⋅ b 1 + Δ } ( 1 ) End i ( ) : ‾ wait _ ( i , 0 ) a 1 , a 2 , b 1 , b 2 , Δ ≠ ⊥ Sample ( ) return β i ( 1 ) Cheat ( Δ ) ‾ Δ ← Δ Leak ( Δ ) ‾ return ( a 1 ≠ ⊥ , a 2 ≠ ⊥ , b 1 ≠ ⊥ , b 2 ≠ ⊥ ) \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$F[\text{MTA}^2]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&a_1, a_2, b_1, b_2, \beta_1, \beta_2 \gets \bot\cr
&\Delta \gets \bot\cr
\cr
&\underline{
(1)\text{Start}_i(a, b):
}\cr
&\enspace
a_i \gets a,\ b_i \gets b
\cr
\cr
&\underline{
\text{Sample}():
}\cr
&\enspace
\texttt{assert } a_1, a_2, b_1, b_2, \Delta \neq \bot
\cr
&\enspace
\texttt{if } \beta_1, \beta_2 = \bot:
\cr
&\enspace\enspace
(\beta_1, \beta_2) \xleftarrow{\$} \{(\beta_1, \beta_2) \in \mathbb{F}_q^2 \mid \beta_1 + \beta_2 = a_1 \cdot b_2 + a_2 \cdot b_1 + \Delta \}
\cr
\cr
&\underline{
(1)\text{End}_i():
}\cr
&\enspace
\texttt{wait}\_{(i, 0)} a_1, a_2, b_1, b_2, \Delta \neq \bot
\cr
&\enspace
\text{Sample}()
\cr
&\enspace
\texttt{return } \beta_i
\cr
\cr
&\underline{
(1)\text{Cheat}(\Delta)
}\cr
&\enspace
\Delta \gets \Delta
\cr
\cr
&\underline{
\text{Leak}(\Delta)
}\cr
&\enspace
\texttt{return } (a_1 \neq \bot, a_2 \neq \bot, b_1 \neq \bot, b_2 \neq \bot)
\cr
\end{aligned}
}
}
\end{matrix}
} F [ M T A 2 ] P i a 1 , a 2 , b 1 , b 2 , β 1 , β 2 ← ⊥ Δ ← ⊥ ( 1 ) S t a r t i ( a , b ) : a i ← a , b i ← b S a m p l e ( ) : assert a 1 , a 2 , b 1 , b 2 , Δ = ⊥ if β 1 , β 2 = ⊥ : ( β 1 , β 2 ) $ {( β 1 , β 2 ) ∈ F q 2 ∣ β 1 + β 2 = a 1 ⋅ b 2 + a 2 ⋅ b 1 + Δ } ( 1 ) E n d i ( ) : wait _ ( i , 0 ) a 1 , a 2 , b 1 , b 2 , Δ = ⊥ S a m p l e ( ) return β i ( 1 ) C h e a t ( Δ ) Δ ← Δ L e a k ( Δ ) return ( a 1 = ⊥ , a 2 = ⊥ , b 1 = ⊥ , b 2 = ⊥ ) This is a bit of a simplification, in that there's only a single Δ \Delta Δ
Lemma:
For a negligible ϵ \epsilon ϵ
P [ MTA 2 ] ⇝ ϵ F [ MTA 2 ] \mathscr{P}[\text{MTA}^2] \overset{\epsilon}{\leadsto} F[\text{MTA}^2] P [ M T A 2 ] ⇝ ϵ F [ M T A 2 ] Proof:
First, the case of all corruptions is trivial, as with any protocol,
and the protocol clearly functions in the case of no corruptions,
so we consider the case where, without loss of generality, the second
party is corrupt.
We start, as usual, by unrolling things.
Γ H 0 ( 1 ) Start 1 ( a , b ) : ‾ … ⊗ Γ M 0 = 1 ( StartMTA 2 τ , EndMTA 2 τ , Cheat τ ) ∘ F [ MTA ] ⊗ F [ MTA ] \begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^0_H$
}\cr
\cr
&\underline{
(1)\text{Start}_1(a, b):
}\cr
&\enspace
\ldots
\cr
\end{aligned}
}
}
\otimes
\boxed{\colorbox{FBCFE8}{\large
$\Gamma^0_M$
} = 1
\begin{pmatrix}
\text{StartMTA}^\tau_2
,\cr
\text{EndMTA}^\tau_2
,\cr
\text{Cheat}^\tau
\end{pmatrix}
}
\cr
\circ\cr
F[\text{MTA}] \otimes F[\text{MTA}]
\end{matrix} Γ H 0 ( 1 ) S t a r t 1 ( a , b ) : … ⊗ Γ M 0 = 1 S t a r t M T A 2 τ , E n d M T A 2 τ , C h e a t τ ∘ F [ M T A ] ⊗ F [ M T A ] And from here, we can directly perform a simulation.
Γ H 1 = 1 ( Start 1 , End 1 ) ⊗ S Δ 1 , Δ 2 , first ← ⊥ α ← $ F q ( 1 ) StartMTA 2 τ ( a ) : ‾ if a τ = ⊥ : a τ ← a if a 1 , a 2 ≠ ⊥ : Start ( a 1 , a 2 ) ( 1 ) EndMTA 2 τ ( ) : ‾ ( r 1 , ∙ , r 2 , ∙ ) ← Leak ( ) wait _ ( 2 , 0 ) r _ τ ≠ ⊥ ∧ a τ , Δ τ ≠ ⊥ if first = ⊥ : first ← τ if first = τ : return α return End 2 ( ) ( 1 ) Cheat τ ( Δ ) : ‾ if Δ τ = ⊥ : Δ τ ← Δ if Δ 1 , Δ 2 ≠ ⊥ : Cheat ( Δ 1 + Δ 2 − α ) ∘ F [ MTA 2 ] \begin{matrix}
\boxed{
\begin{aligned}
&\colorbox{bae6fd}{\large
$\Gamma^1_H$
} = 1
\begin{pmatrix}
\text{Start}_1
,\cr
\text{End}_1
\end{pmatrix}
\end{aligned}
}
\otimes
\boxed{
\small{
\begin{aligned}
&\colorbox{bae6fd}{\large
$S$
}\cr
\cr
&\Delta^1, \Delta^2, \text{first} \gets \bot\cr
&\alpha \xleftarrow{\$} \mathbb{F}_q\cr
\cr
&\underline{
(1)\text{StartMTA}^\tau_2(a):
}\cr
&\enspace
\texttt{if } a^\tau = \bot:
\cr
&\enspace\enspace
a^\tau \gets a
\cr
&\enspace
\texttt{if } a^1, a^2 \neq \bot:
\cr
&\enspace\enspace
\text{Start}(a^1, a^2)
\cr
\cr
&\underline{
(1)\text{EndMTA}^\tau_2():
}\cr
&\enspace
(r_1, \bullet, r_2, \bullet) \gets \text{Leak}()
\cr
&\enspace
\texttt{wait}\_{(2, 0)} r\_\tau \neq \bot \land a^\tau, \Delta^\tau \neq \bot
\cr
&\enspace
\texttt{if } \text{first} = \bot:
\cr
&\enspace\enspace
\text{first} \gets \tau
\cr
&\enspace
\texttt{if } \text{first} = \tau:
\cr
&\enspace\enspace
\texttt{return } \alpha
\cr
&\enspace
\texttt{return } \text{End}_2()
\cr
\cr
&\underline{
(1)\text{Cheat}^\tau(\Delta):
}\cr
&\enspace
\texttt{if } \Delta^\tau = \bot:
\cr
&\enspace\enspace
\Delta^\tau \gets \Delta
\cr
&\enspace
\texttt{if } \Delta^1, \Delta^2 \neq \bot:
\cr
&\enspace\enspace
\text{Cheat}(\Delta^1 + \Delta^2 - \alpha)
\cr
\end{aligned}
}
}
\cr
\circ\cr
F[\text{MTA}^2]
\end{matrix} Γ H 1 = 1 ( S t a r t 1 , E n d 1 ) ⊗ S Δ 1 , Δ 2 , f i r s t ← ⊥ α $ F q ( 1 ) S t a r t M T A 2 τ ( a ) : if a τ = ⊥ : a τ ← a if a 1 , a 2 = ⊥ : S t a r t ( a 1 , a 2 ) ( 1 ) E n d M T A 2 τ ( ) : ( r 1 , ∙ , r 2 , ∙ ) ← L e a k ( ) wait _ ( 2 , 0 ) r _ τ = ⊥ ∧ a τ , Δ τ = ⊥ if f i r s t = ⊥ : f i r s t ← τ if f i r s t = τ : return α return E n d 2 ( ) ( 1 ) C h e a t τ ( Δ ) : if Δ τ = ⊥ : Δ τ ← Δ if Δ 1 , Δ 2 = ⊥ : C h e a t ( Δ 1 + Δ 2 − α ) ∘ F [ M T A 2 ] The basic idea is that the adversary can only tell whether or not
they've received correct shares of the MTA by summing everything
together, from both the honest and malicious parties,
because of this, we can give them junk until they get the second
share, in which case we need to make it so that the sum is preserved.
We can do this by cheating with Δ 1 + Δ 2 − α \Delta^1 + \Delta^2 - \alpha Δ 1 + Δ 2 − α
■ \blacksquare ■
Next, let's look at the actual multiplication protocol.
Definition (Multiplication):
P [ Multiply ] P i start i ← ⊥ ( 1 ) StartMultiply i ( a , b ) : ‾ start i ← true ∀ j ≠ i . StartMTA i ( 0 , i j ) ( Flip i ( a , b ) ) ∀ j ≠ i . StartMTA i ( 1 , i j ) ( Flip i ( b , a ) ) ( 1 ) EndMultiply i ( ) : ‾ assert start i wait _ ( i , 0 ) ∀ j . ( γ 0 _ j , γ 1 _ j ) ← ( EndMTA i ( 0 , i j ) ( ) , EndMTA i ( 1 , i j ) ( ) ) return a ⋅ b + ∑ j ( γ j 0 + γ 1 _ j ) ⊲ F [ MTA ] n 2 \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}[\text{Multiply}]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\text{start}_i \gets \bot\cr
\cr
&\underline{
(1)\text{StartMultiply}_i(a, b):
}\cr
&\enspace
\text{start}_i \gets \texttt{true}
\cr
&\enspace
\forall j \neq i.\ \text{StartMTA}_i^{(0, ij)}(\text{Flip}_i(a, b))
\cr
&\enspace
\forall j \neq i.\ \text{StartMTA}_i^{(1, ij)}(\text{Flip}_i(b, a))
\cr
\cr
&\underline{
(1)\text{EndMultiply}_i():
}\cr
&\enspace
\texttt{assert } \text{start}_i
\cr
&\enspace
\texttt{wait}\_{(i, 0)} \forall j. (\gamma^0\_j, \gamma^1\_j) \gets (\text{EndMTA}_i^{(0, ij)}(), \text{EndMTA}_i^{(1, ij)}())
\cr
&\enspace
\texttt{return } a \cdot b + \sum_j (\gamma^0_j + \gamma^1\_j)
\cr
\end{aligned}
}
}
\end{matrix}
}
\lhd
\begin{matrix}
F[\text{MTA}]^{n^2}\cr
\end{matrix} P [ M u l t i p l y ] P i s t a r t i ← ⊥ ( 1 ) S t a r t M u l t i p l y i ( a , b ) : s t a r t i ← true ∀ j = i . S t a r t M T A i ( 0 , ij ) ( F l i p i ( a , b )) ∀ j = i . S t a r t M T A i ( 1 , ij ) ( F l i p i ( b , a )) ( 1 ) E n d M u l t i p l y i ( ) : assert s t a r t i wait _ ( i , 0 ) ∀ j . ( γ 0 _ j , γ 1 _ j ) ← ( E n d M T A i ( 0 , ij ) ( ) , E n d M T A i ( 1 , ij ) ( )) return a ⋅ b + j ∑ ( γ j 0 + γ 1 _ j ) ⊲ F [ M T A ] n 2 □ \square □
The basic idea is that you need to do MTAs between each pair
of parties.
One bit of notation we use is that we use i j ij ij i ≤ j i \leq j i ≤ j Flip i ( a , b ) \text{Flip}_i(a, b) F l i p i ( a , b ) i , j i, j i , j a a a b b b
This gets us to the ideal functionality for multiplication:
Definition (Ideal Multiplication):
P [ IdealMultiply ] P i a , b ← ⊥ ( 1 ) StartMultiply i ( a , b ) : ‾ a , b ← a , b a _ ∙ ← a , b _ ∙ ← b StartMultiply i ( a _ ∙ , b _ ∙ ) ( 1 ) EndMultiply i ( ) : ‾ return a ⋅ b + EndMultiply i ( ) F [ Multiply ] a _ i j , b _ i j , β i , Δ ← ⊥ ( 1 ) StartMultiply i ( a _ ∙ , b _ ∙ ) : ‾ a _ i ∙ ← a _ ∙ , b _ i ∙ ← b _ ∙ ( 1 ) EndMultiply i ( ) : ‾ wait _ ( i , 0 ) ∀ i ≠ j . a _ i j , b _ i j ≠ ⊥ ∧ Δ ≠ ⊥ ∧ a _ i i ≠ ⊥ Sample ( ) return β i Sample ( ) : ‾ assert ∀ i ≠ j . a _ i j , b _ i j ≠ ⊥ ∧ Δ ≠ ⊥ if ∀ i . β i = ⊥ : c ← ∑ _ i ≠ j a _ i j ⋅ b _ j i ( β 1 , … , β n ) ← { β i ← $ F q n ∣ ∑ i β i = c + Δ } ( 1 ) Cheat ( Δ ) : ‾ Δ ← Δ Leak ( i , j ) : ‾ return a _ i j , b _ i j ≠ ⊥ \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}[\text{IdealMultiply}]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&a, b \gets \bot\cr
\cr
&\underline{
(1)\text{StartMultiply}_i(a, b):
}\cr
&\enspace
a, b \gets a, b
\cr
&\enspace
a\_{\bullet} \gets a,\ b\_{\bullet} \gets b
\cr
&\enspace
\text{StartMultiply}_i(a\_{\bullet}, b\_{\bullet})
\cr
\cr
&\underline{
(1)\text{EndMultiply}_i():
}\cr
&\enspace
\texttt{return } a \cdot b + \text{EndMultiply}_i()
\cr
\end{aligned}
}
}
\quad
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$F[\text{Multiply}]$
}\cr
\cr
&a\_{ij}, b\_{ij}, \beta_i, \Delta \gets \bot\cr
\cr
&\underline{
(1)\text{StartMultiply}_i(a\_\bullet, b\_\bullet):
}\cr
&\enspace
a\_{i\bullet} \gets a\_\bullet,\ b\_{i \bullet} \gets b\_{\bullet}
\cr
\cr
&\underline{
(1)\text{EndMultiply}_i():
}\cr
&\enspace
\texttt{wait}\_{(i, 0)} \forall i \neq j.\ a\_{ij}, b\_{ij} \neq \bot \land \Delta \neq \bot \land a\_{ii} \neq \bot
\cr
&\enspace
\text{Sample}()
\cr
&\enspace
\texttt{return } \beta_i
\cr
\cr
&\underline{
\text{Sample}():
}\cr
&\enspace
\texttt{assert } \forall i \neq j.\ a\_{ij}, b\_{ij} \neq \bot \land \Delta \neq \bot
\cr
&\enspace
\texttt{if } \forall i.\ \beta_i = \bot:
\cr
&\enspace\enspace
c \gets \sum\_{i \neq j} a\_{ij} \cdot b\_{ji}
\cr
&\enspace\enspace
(\beta_1, \ldots, \beta_n) \gets \{\beta_i \xleftarrow{\$} \mathbb{F}_q^n \mid \sum_i \beta_i = c + \Delta \}
\cr
\cr
&\underline{
(1)\text{Cheat}(\Delta):
}\cr
&\enspace
\Delta \gets \Delta
\cr
\cr
&\underline{
\text{Leak}(i, j):
}\cr
&\enspace
\texttt{return } a\_{ij}, b\_{ij} \neq \bot
\cr
\end{aligned}
}
}
\end{matrix}
} P [ I d e a l M u l t i p l y ] P i a , b ← ⊥ ( 1 ) S t a r t M u l t i p l y i ( a , b ) : a , b ← a , b a _ ∙ ← a , b _ ∙ ← b S t a r t M u l t i p l y i ( a _ ∙ , b _ ∙ ) ( 1 ) E n d M u l t i p l y i ( ) : return a ⋅ b + E n d M u l t i p l y i ( ) F [ M u l t i p l y ] a _ ij , b _ ij , β i , Δ ← ⊥ ( 1 ) S t a r t M u l t i p l y i ( a _ ∙ , b _ ∙ ) : a _ i ∙ ← a _ ∙ , b _ i ∙ ← b _ ∙ ( 1 ) E n d M u l t i p l y i ( ) : wait _ ( i , 0 ) ∀ i = j . a _ ij , b _ ij = ⊥ ∧ Δ = ⊥ ∧ a _ ii = ⊥ S a m p l e ( ) return β i S a m p l e ( ) : assert ∀ i = j . a _ ij , b _ ij = ⊥ ∧ Δ = ⊥ if ∀ i . β i = ⊥ : c ← ∑ _ i = j a _ ij ⋅ b _ ji ( β 1 , … , β n ) ← { β i $ F q n ∣ i ∑ β i = c + Δ } ( 1 ) C h e a t ( Δ ) : Δ ← Δ L e a k ( i , j ) : return a _ ij , b _ ij = ⊥ □ \square □
There are two ways the adversary can tamper with the result here.
They can cheat via Δ \Delta Δ a _ ∙ , b _ ∙ a\_\bullet, b\_\bullet a _ ∙ , b _ ∙
Lemma:
For some negligible ϵ \epsilon ϵ
P [ Multiply ] ⇝ ϵ P [ IdealMultiply ] \mathscr{P}[\text{Multiply}] \overset{\epsilon}{\leadsto} \mathscr{P}[\text{IdealMultiply}] P [ M u l t i p l y ] ⇝ ϵ P [ I d e a l M u l t i p l y ] Proof:
First, P [ Multiply ] = P 0 ⊲ P [ MTA 2 ] n 2 \mathscr{P}[\text{Multiply}] = \mathscr{P}^0 \lhd \mathscr{P}[\text{MTA}^2]^{n^2} P [ M u l t i p l y ] = P 0 ⊲ P [ M T A 2 ] n 2
P 0 P i start i ← ⊥ ( 1 ) StartMultiply i ( a , b ) : ‾ start i ← true ∀ j ≠ i . Start i i j ( a , b ) ( 1 ) EndMultiply i ( ) : ‾ assert start i return a ⋅ b + ∑ _ j ≠ i End i i j ( ) ⊲ P [ MTA 2 ] n 2 \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}^0$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\text{start}_i \gets \bot\cr
\cr
&\underline{
(1)\text{StartMultiply}_i(a, b):
}\cr
&\enspace
\text{start}_i \gets \texttt{true}
\cr
&\enspace
\forall j \neq i.\ \text{Start}_i^{ij}(a, b)
\cr
\cr
&\underline{
(1)\text{EndMultiply}_i():
}\cr
&\enspace
\texttt{assert } \text{start}_i
\cr
&\enspace
\texttt{return } a \cdot b + \sum\_{j \neq i} \text{End}_i^{ij}()
\cr
\end{aligned}
}
}
\end{matrix}
}
\lhd
\begin{matrix}
\mathscr{P}[\text{MTA}^2]^{n^2}\cr
\end{matrix} P 0 P i s t a r t i ← ⊥ ( 1 ) S t a r t M u l t i p l y i ( a , b ) : s t a r t i ← true ∀ j = i . S t a r t i ij ( a , b ) ( 1 ) E n d M u l t i p l y i ( ) : assert s t a r t i return a ⋅ b + ∑ _ j = i E n d i ij ( ) ⊲ P [ M T A 2 ] n 2 Then, it holds that:
P 0 ⊲ P [ MTA 2 ] n 2 / 2 ⇝ P ⊲ F [ MTA 2 ] n 2 / 2 = P 1 \mathscr{P}^0 \lhd \mathscr{P}[\text{MTA}^2]^{n^2/2}
\leadsto \mathscr{P} \lhd F[\text{MTA}^2]^{n^2/2}
= \mathscr{P}^1 P 0 ⊲ P [ M T A 2 ] n 2 /2 ⇝ P ⊲ F [ M T A 2 ] n 2 /2 = P 1 Unrolling P 1 \mathscr{P}^1 P 1
Γ H 0 ( 1 ) StartMultiply i ( a , b ) : ‾ … ⊗ Γ M 0 = 1 ( Start k k i , End k k i , Cheat k i ) ∘ F [ MTA 2 ] n 2 / 2 \begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^0_H$
}\cr
\cr
&\underline{
(1)\text{StartMultiply}_i(a, b):
}\cr
&\enspace
\ldots
\cr
\end{aligned}
}
}
\otimes
\boxed{\colorbox{FBCFE8}{\large
$\Gamma^0_M$
} = 1
\begin{pmatrix}
\text{Start}_k^{ki}
,\cr
\text{End}_k^{ki}
,\cr
\text{Cheat}^{ki}
\end{pmatrix}
}
\cr
\circ\cr
F[\text{MTA}^2]^{n^2/2}
\end{matrix} Γ H 0 ( 1 ) S t a r t M u l t i p l y i ( a , b ) : … ⊗ Γ M 0 = 1 S t a r t k ki , E n d k ki , C h e a t ki ∘ F [ M T A 2 ] n 2 /2 This is equivalent to:
Γ H 0 = 1 ( StartMultiply i , EndMultiply i ) ⊗ S left ← { ( k , i ) k ∈ M , i ∈ H } a _ k i , b _ k i , α _ k i , Δ _ k i ← ⊥ a _ k l , b _ k l ← 0 Start k k i ( a , b ) ‾ a _ k i ← a , b _ k i ← b if ∀ i . a _ k i , b _ k i ≠ ⊥ : StartMultiply i ( a _ ∙ , b _ ∙ ) End k k i ( ) ‾ if ( k , i ) ∉ left : return α _ k i wait _ ( i , 0 ) a _ k i , b _ k i , Δ _ k i ≠ ⊥ ∧ Leak ( i , k ) left ← left / { ( k , i ) } if ∣ left ∣ = 0 : α k ← EndMultiply k ( ) ( k ∈ M ) return ∑ _ k ∈ M α k − ∑ _ α _ k i ≠ ⊥ α _ k i else : α _ k i ← $ F q return α _ k i Cheat k i ( Δ ) ‾ Δ _ k i ← Δ if ∀ k , i . Delta _ k i ≠ ⊥ Cheat ( ∑ _ ( k , i ) Δ _ k i ) ⊗ 1 ( Start k k l , End k k l , Cheat k l ) ∘ F [ Multiply ] \begin{matrix}
\boxed{
\begin{aligned}
&\colorbox{bae6fd}{\large
$\Gamma^0_H$
} = 1
\begin{pmatrix}
\text{StartMultiply}_i
,\cr
\text{EndMultiply}_i
\end{pmatrix}
\end{aligned}
}
\otimes
\boxed{
\small{
\begin{aligned}
&\colorbox{bae6fd}{\large
$S$
}\cr
\cr
&\text{left} \gets \{(k, i)\ k \in \mathcal{M}, i \in \mathcal{H} \}\cr
&a\_{ki}, b\_{ki}, \alpha\_{ki}, \Delta\_{ki} \gets \bot\cr
&a\_{kl}, b\_{kl} \gets 0\cr
\cr
&\underline{
\text{Start}_k^{ki}(a, b)
}\cr
&\enspace
a\_{ki} \gets a, b\_{ki} \gets b
\cr
&\enspace
\texttt{if } \forall i.\ a\_{ki}, b\_{ki} \neq \bot:
\cr
&\enspace\enspace
\text{StartMultiply}_i(a\_\bullet, b\_\bullet)
\cr
\cr
&\underline{
\text{End}_k^{ki}()
}\cr
&\enspace
\texttt{if } (k, i) \notin \text{left}:
\cr
&\enspace\enspace
\texttt{return } \alpha\_{ki}
\cr
&\enspace
\texttt{wait}\_{(i, 0)} a\_{ki}, b\_{ki}, \Delta\_{ki} \neq \bot \land \text{Leak}(i, k)
\cr
&\enspace
\text{left} \gets \text{left} / \{(k, i)\}
\cr
&\enspace
\texttt{if } |\text{left}| = 0:
\cr
&\enspace\enspace
\alpha_k \gets \text{EndMultiply}_k()\enspace (k \in \mathcal{M})
\cr
&\enspace\enspace
\texttt{return } \sum\_{k \in \mathcal{M}} \alpha_k - \sum\_{\alpha\_{ki} \neq \bot} \alpha\_{ki}
\cr
&\enspace
\texttt{else}:
\cr
&\enspace\enspace
\alpha\_{ki} \xleftarrow{\$} \mathbb{F}_q
\cr
&\enspace\enspace
\texttt{return } \alpha\_{ki}
\cr
\cr
&\underline{
\text{Cheat}^{ki}(\Delta)
}\cr
&\enspace
\Delta\_{ki} \gets \Delta
\cr
&\enspace
\texttt{if } \forall k, i.\ \text{Delta}\_{ki} \neq \bot
\cr
&\enspace\enspace
\text{Cheat}\left(\sum\_{(k, i)} \Delta\_{ki}\right)
\cr
\end{aligned}
}
}
\otimes
1
\begin{pmatrix}
\text{Start}^{kl}_k,\cr
\text{End}^{kl}_k,\cr
\text{Cheat}^{kl}\cr
\end{pmatrix}
\cr
\circ\cr
F[\text{Multiply}]
\end{matrix} Γ H 0 = 1 ( S t a r t M u l t i p l y i , E n d M u l t i p l y i ) ⊗ S l e f t ← {( k , i ) k ∈ M , i ∈ H } a _ ki , b _ ki , α _ ki , Δ _ ki ← ⊥ a _ k l , b _ k l ← 0 S t a r t k ki ( a , b ) a _ ki ← a , b _ ki ← b if ∀ i . a _ ki , b _ ki = ⊥ : S t a r t M u l t i p l y i ( a _ ∙ , b _ ∙ ) E n d k ki ( ) if ( k , i ) ∈ / l e f t : return α _ ki wait _ ( i , 0 ) a _ ki , b _ ki , Δ _ ki = ⊥ ∧ L e a k ( i , k ) l e f t ← l e f t / {( k , i )} if ∣ l e f t ∣ = 0 : α k ← E n d M u l t i p l y k ( ) ( k ∈ M ) return ∑ _ k ∈ M α k − ∑ _ α _ ki = ⊥ α _ ki else : α _ ki $ F q return α _ ki C h e a t ki ( Δ ) Δ _ ki ← Δ if ∀ k , i . D e l t a _ ki = ⊥ C h e a t ( ∑ _ ( k , i ) Δ _ ki ) ⊗ 1 S t a r t k k l , E n d k k l , C h e a t k l ∘ F [ M u l t i p l y ] In essence, this is just a more complicated variant of the simulator from the previous proof.
All that matters is that the sum of all shares is correct,
so we can just keep using junk up until the very last share,
at which point we need to ensure that the result is correct.
We also need to aggregate the cheating values used by all of the malicious
parties,
in order to get just a single bias in the end.
■ \blacksquare ■
Triples
Definition (Triple Generation):
P [ Triple ] P i ( 1 ) Triple i ( ) : ‾ f i , e i ← $ F q [ X ] _ ≤ t − 1 F i , E i ← f i ⋅ G , e i ⋅ G SetCommit i ( ( F i , E i ) ) Commit i ( ) SetMask i ( ) WaitCommit i ( ) WaitMask i ( ) Open i ( ) π i 0 ← Prove φ ( F i ( 0 ) ; f i ( 0 ) ) π i 1 ← Prove φ ( E i ( 0 ) ; e i ( 0 ) ) ↱ i ( ⋆ , ( π i 0 , π i 1 ) , 0 ) ↱ i ( ⋆ , [ ( f i ( j ) , e i ( j ) ) ∣ j ∈ [ n ] ] , 1 ) ( F _ ∙ , E _ ∙ ) ← WaitOpen i ( ) ( π 0 _ ∙ i , π 1 _ ∙ i ) ← ↰ i ( ⋆ , 1 ) ( a _ ∙ i , b _ ∙ i ) ← ↰ i ( ⋆ , 1 ) a i ← ∑ j a _ j i , F ← ∑ j F j ( 0 ) b i ← ∑ j a _ j i , E ← ∑ j E j ( 0 ) bad 0 ← ∃ j . ¬ Verify φ ( π j 0 , F j ( 0 ) ) bad 1 ← ∃ j . ¬ Verify φ ( π j 1 , E j ( 0 ) ) if a i ⋅ G ≠ E ( i ) ∨ b i ⋅ G ≠ F ( i ) ∨ bad 0 ∨ bad 1 stop ( ⋆ , 0 ) Multiply i ( f i ( 0 ) , e i ( 0 ) ) C i ← e i ( 0 ) ⋅ F ( 0 ) π i 2 ← Prove ψ ( E i ( 0 ) , F ( 0 ) , C i ; e i ( 0 ) ) ↱ i ( ⋆ , ( C i , π i ) , 1 ) ( C _ ∙ , π 2 _ ∙ ) ↰ i ( ⋆ , 1 ) if ∃ j . ¬ Verify ψ ( π j 2 , ( E j ( 0 ) , F ( 0 ) , C j ) ) stop ( ⋆ , 1 ) z i ← WaitMultiply i ( ) Share i ( z i ) c i ← WaitShare i ( C ) return ( a i , b i , c i , E ( 0 ) , F ( 0 ) , C ) F [ ZK ( φ ) ] ⊗ F [ ZK ( ψ ) ] ⊗ F [ SyncComm ] ⊚ F [ Stop ] Leakage : = { stop } ⊲ P [ Commit ] ⊗ P [ Convert ] ⊗ P [ Multiply ] \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}[\text{Triple}]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\underline{
(1)\text{Triple}_i():
}\cr
&\enspace
f_i, e_i \xleftarrow{\$} \mathbb{F}_q[X]\_{\leq t - 1}
\cr
&\enspace
F_i, E_i \gets f_i \cdot G, e_i \cdot G
\cr
&\enspace
\text{SetCommit}_i((F_i, E_i))
\cr
&\enspace
\text{Commit}_i()
\cr
&\enspace
\text{SetMask}_i()
\cr
\cr
&\enspace
\text{WaitCommit}_i()
\cr
&\enspace
\text{WaitMask}_i()
\cr
&\enspace
\text{Open}_i()
\cr
&\enspace
\pi^0_i \gets \text{Prove}^\varphi(F_i(0); f_i(0))
\cr
&\enspace
\pi^1_i \gets \text{Prove}^\varphi(E_i(0); e_i(0))
\cr
&\enspace
\Rsh_i(\star, (\pi^0_i, \pi^1_i), 0)
\cr
&\enspace
\Rsh_i(\star, [(f_i(j), e_i(j)) \mid j \in [n]], 1)
\cr
&\enspace\cr
&\enspace
(F\_\bullet, E\_\bullet) \gets \text{WaitOpen}_i()
\cr
&\enspace
(\pi^0\_{\bullet i}, \pi^1\_{\bullet i}) \gets \Lsh_i(\star, 1)
\cr
&\enspace
(a\_{\bullet i}, b\_{\bullet i}) \gets \Lsh_i(\star, 1)
\cr
&\enspace
a_i \gets \sum_j a\_{ji}, \enspace F \gets \sum_j F_j(0)
\cr
&\enspace
b_i \gets \sum_j a\_{ji}, \enspace E \gets \sum_j E_j(0)
\cr
&\enspace
\text{bad}^0 \gets
\exists j. \neg \text{Verify}^\varphi(\pi^0_j, F_j(0))
\cr
&\enspace
\text{bad}^1 \gets
\exists j. \neg \text{Verify}^\varphi(\pi^1_j, E_j(0))
\cr
&\enspace
\texttt{if } a_i \cdot G \neq E(i) \lor b_i \cdot G \neq F(i) \lor \text{bad}^0 \lor \text{bad}^1
\cr
&\enspace\enspace
\texttt{stop}(\star, 0)
\cr
&\enspace
\text{Multiply}_i(f_i(0), e_i(0))
\cr
&\enspace
C_i \gets e_i(0) \cdot F(0)
\cr
&\enspace
\pi^2_i \gets \text{Prove}^\psi(E_i(0), F(0), C_i; e_i(0))
\cr
&\enspace
\Rsh_i(\star, (C_i, \pi_i), 1)
\cr
&\enspace\cr
&\enspace
(C\_\bullet, \pi^2\_\bullet) \Lsh_i(\star, 1)
\cr
&\enspace
\texttt{if } \exists j.\ \neg \text{Verify}^\psi(\pi^2_j, (E_j(0), F(0), C_j))
\cr
&\enspace\enspace
\texttt{stop}(\star, 1)
\cr
&\enspace
z_i \gets \text{WaitMultiply}_i()
\cr
&\enspace
\text{Share}_i(z_i)
\cr
&\enspace
c_i \gets \text{WaitShare}_i(C)
\cr
&\enspace
\texttt{return } (a_i, b_i, c_i, E(0), F(0), C)
\cr
\end{aligned}
}
}
\quad
\begin{matrix}
F[\text{ZK}(\varphi)]\cr
\otimes\cr
F[\text{ZK}(\psi)]\cr
\otimes\cr
F[\text{SyncComm}]\cr
\circledcirc \cr
F[\text{Stop}]
\end{matrix}\cr
\cr
\text{Leakage} := \{\texttt{stop}\}
\end{matrix}
}
\lhd
\begin{matrix}
\mathscr{P}[\text{Commit}]\cr
\otimes\cr
\mathscr{P}[\text{Convert}]\cr
\otimes\cr
\mathscr{P}[\text{Multiply}]\cr
\end{matrix} P [ T r i p l e ] P i ( 1 ) T r i p l e i ( ) : f i , e i $ F q [ X ] _ ≤ t − 1 F i , E i ← f i ⋅ G , e i ⋅ G S e t C o m m i t i (( F i , E i )) C o m m i t i ( ) S e t M a s k i ( ) W a i t C o m m i t i ( ) W a i t M a s k i ( ) O p e n i ( ) π i 0 ← P r o v e φ ( F i ( 0 ) ; f i ( 0 )) π i 1 ← P r o v e φ ( E i ( 0 ) ; e i ( 0 )) ↱ i ( ⋆ , ( π i 0 , π i 1 ) , 0 ) ↱ i ( ⋆ , [( f i ( j ) , e i ( j )) ∣ j ∈ [ n ]] , 1 ) ( F _ ∙ , E _ ∙ ) ← W a i t O p e n i ( ) ( π 0 _ ∙ i , π 1 _ ∙ i ) ← ↰ i ( ⋆ , 1 ) ( a _ ∙ i , b _ ∙ i ) ← ↰ i ( ⋆ , 1 ) a i ← j ∑ a _ ji , F ← j ∑ F j ( 0 ) b i ← j ∑ a _ ji , E ← j ∑ E j ( 0 ) b a d 0 ← ∃ j . ¬ V e r i f y φ ( π j 0 , F j ( 0 )) b a d 1 ← ∃ j . ¬ V e r i f y φ ( π j 1 , E j ( 0 )) if a i ⋅ G = E ( i ) ∨ b i ⋅ G = F ( i ) ∨ b a d 0 ∨ b a d 1 stop ( ⋆ , 0 ) M u l t i p l y i ( f i ( 0 ) , e i ( 0 )) C i ← e i ( 0 ) ⋅ F ( 0 ) π i 2 ← P r o v e ψ ( E i ( 0 ) , F ( 0 ) , C i ; e i ( 0 )) ↱ i ( ⋆ , ( C i , π i ) , 1 ) ( C _ ∙ , π 2 _ ∙ ) ↰ i ( ⋆ , 1 ) if ∃ j . ¬ V e r i f y ψ ( π j 2 , ( E j ( 0 ) , F ( 0 ) , C j )) stop ( ⋆ , 1 ) z i ← W a i t M u l t i p l y i ( ) S h a r e i ( z i ) c i ← W a i t S h a r e i ( C ) return ( a i , b i , c i , E ( 0 ) , F ( 0 ) , C ) F [ Z K ( φ )] ⊗ F [ Z K ( ψ )] ⊗ F [ S y n c C o m m ] ⊚ F [ S t o p ] L e a k a g e := { stop } ⊲ P [ C o m m i t ] ⊗ P [ C o n v e r t ] ⊗ P [ M u l t i p l y ] □ \square □
This protocol is very long, but relatively straightforward.
The idea is that you first generate a a a b b b a ∗ b a * b a ∗ b a ∗ b ⋅ G a * b \cdot G a ∗ b ⋅ G C C C
Definition (Ideal Triple Generation):
P [ IdealTriple ] P i ( 1 ) Triple i ( ) : ‾ Set i ( ⋆ ) WaitSet i ( ⋆ , true ) Share i 0 ( ⋆ ) ( a i , b i ) ← WaitShares i 0 ( true ) Share i 1 ( ⋆ ) c i ← WaitShares i 1 ( true ) ( A , B , C ) ← ( F A , h ( ) ( 0 ) , F B , h ( ) ( 0 ) , F C , h ( ) ( 0 ) ) return ( a i , b i , c i , A , B , C ) F [ Convert ] f A , h , f B , h , ← $ F q [ X ] _ ≤ t − 1 f A , h , f B , h , ← $ { f ∈ F q [ X ] _ ≤ t − 1 ∣ f ( 0 ) = f A , h ( 0 ) ⋅ f B , h ( 0 ) } F A , m , F B , m , F C , m , ready _ i j , shared { 0 , 1 } _ i j , a _ i , b _ i , c _ i , x i A , x i B , x i C ← ⊥ Set i ( S ) : ‾ ready _ i j ← true ( ∀ j ∈ S ) ( 1 ) Cheat ( F A , F B , F C ) : ‾ assert F ( 0 ) = 0 ∧ deg ( F ) = t − 1 F A , m , F B , m , F C , m ← F A , F B , F C WaitSet i ( S , m ) : ‾ wait _ ( i , 0 ) ∀ j ∈ S . ready _ j i ∧ ( m → F ∙ , m ≠ ⊥ ) Share i 0 ( S ) : ‾ shared 0 _ i j ← true ( ∀ j ∈ S ) CheatShare 0 ( S , x ^ A _ ∙ , x ^ B _ ∙ ) : ‾ for Y ∈ { A , B } : assert F Y , m ≠ ⊥ ∧ ∀ j ∈ S . x ^ j Y ⋅ G = F Y , m ( j ) for j . x j Y ≠ ⊥ : x j Y ← x ^ j Y WaitShares i 0 ( h ) : ‾ if h : wait _ ( i , 1 ) x i A , x i B ≠ ⊥ ∧ ∀ j . ∧ ∀ j . shared 0 _ j i return ( f A , h ( i ) + x i A , f B , h ( i ) + x i B ) else : wait _ ( i , 1 ) ∀ j ∈ H . shared 0 _ j i ≠ ⊥ return ( f A , h ( i ) , f B , h ( i ) ) Share i 1 ( S ) : ‾ shared 1 _ i j ← true ( ∀ j ∈ S ) CheatShare 1 ( S , x ^ C _ ∙ ) : ‾ assert F C , m ≠ ⊥ ∧ ∀ j ∈ S . x ^ j C ⋅ G = F C , m ( j ) for j . x j C = ⊥ : x j C ← x ^ j C WaitShares i 1 ( ) : ‾ wait _ ( i , 1 ) x i C , ≠ ⊥ ∧ ∀ j . ∧ ∀ j . shared 1 _ j i return f C , h ( i ) + x i C F Y ∈ { A , B , C } , h ( ) : ‾ wait F Y , m ≠ ⊥ ∧ ∀ i . ∃ j . ready _ i j return f Y , h ⋅ G ⊗ F [ Sync ] ⊚ F [ Stop ] Leakage : = { stop } \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}[\text{IdealTriple}]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\underline{
(1)\text{Triple}_i():
}\cr
&\enspace
\text{Set}_i(\star)
\cr
&\enspace
\text{WaitSet}_i(\star, \texttt{true})
\cr
&\enspace
\text{Share}^0_i(\star)
\cr
&\enspace
(a_i, b_i) \gets \text{WaitShares}^0_i(\texttt{true})
\cr
&\enspace
\text{Share}^1_i(\star)
\cr
&\enspace
c_i \gets \text{WaitShares}^1_i(\texttt{true})
\cr
&\enspace
(A, B, C) \gets
(\text{F}^{A,h}()(0), \text{F}^{B,h}()(0), \text{F}^{C,h}()(0))
\cr
&\enspace
\texttt{return } (a_i, b_i, c_i, A, B, C)
\cr
\end{aligned}
}
}
\quad
\begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$F[\text{Convert}]$
}\cr
\cr
&f^{A,h}, f^{B,h}, \xleftarrow{\$} \mathbb{F}_q[X]\_{\leq t - 1}\cr
&f^{A,h}, f^{B,h}, \xleftarrow{\$} \{f \in \mathbb{F}_q[X]\_{\leq t - 1} \mid f(0) = f^{A, h}(0) \cdot f^{B, h}(0)\}\cr
&F^{A,m}, F^{B,m}, F^{C,m}, \text{ready}\_{ij}, \text{shared}^{\{0, 1\}}\_{ij}, a\_{i}, b\_{i}, c\_{i}, x^A_i, x^B_i, x^C_i \gets \bot\cr
\cr
&\underline{
\text{Set}_i(S):
}\cr
&\enspace
\text{ready}\_{ij} \gets \texttt{true}\ (\forall j \in S)
\cr
\cr
&\underline{
\textcolor{ef4444}{
(1)\text{Cheat}(F^A, F^B, F^C):
}
}\cr
&\enspace
\texttt{assert } F(0) = 0 \land \text{deg}(F) = t - 1
\cr
&\enspace
F^{A, m}, F^{B, m}, F^{C, m} \gets F^A, F^B, F^C
\cr
\cr
&\underline{
\text{WaitSet}_i(S, m):
}\cr
&\enspace
\texttt{wait}\_{(i, 0)} \forall j \in S.\ \text{ready}\_{ji} \land (m \to F^{\bullet, m} \neq \bot)
\cr
\cr
&\underline{
\text{Share}^0_i(S):
}\cr
&\enspace
\text{shared}^0\_{ij} \gets \texttt{true}\ (\forall j \in S)
\cr
\cr
&\underline{
\textcolor{ef4444}{
\text{CheatShare}^0(S, \hat{x}^A\_\bullet, \hat{x}^B\_\bullet):
}
}\cr
&\enspace
\texttt{for } Y \in \{A, B\}:
\cr
&\enspace\enspace
\texttt{assert } F^{Y,m} \neq \bot \land \forall j \in S.\ \hat{x}^Y_j \cdot G = F^{Y, m}(j)
\cr
&\enspace\enspace
\texttt{for } j.\ x^Y_j \neq \bot: x^Y_j \gets \hat{x}^Y_j
\cr
\cr
&\underline{
\text{WaitShares}^0_i(h):
}\cr
&\enspace
\texttt{if } h:
\cr
&\enspace\enspace
\texttt{wait}\_{(i, 1)} x^A_i, x^B_i \neq \bot \land \forall j. \land \forall j. \text{shared}^0\_{ji}
\cr
&\enspace\enspace
\texttt{return } (f^{A,h}(i) + x^A_i, f^{B,h}(i) + x^B_i)
\cr
&\enspace
\texttt{else}:
\cr
&\enspace\enspace
\texttt{wait}\_{(i, 1)} \forall j \in \mathcal{H}. \text{shared}^0\_{ji} \neq \bot
\cr
&\enspace\enspace
\texttt{return } (f^{A,h}(i), f^{B,h}(i))
\cr
\cr
&\underline{
\text{Share}^1_i(S):
}\cr
&\enspace
\text{shared}^1\_{ij} \gets \texttt{true}\ (\forall j \in S)
\cr
\cr
&\underline{
\textcolor{ef4444}{
\text{CheatShare}^1(S, \hat{x}^C\_\bullet):
}
}\cr
&\enspace
\texttt{assert } F^{C,m} \neq \bot \land \forall j \in S.\ \hat{x}^C_j \cdot G = F^{C, m}(j)
\cr
&\enspace
\texttt{for } j.\ x^C_j = \bot: x^C_j \gets \hat{x}^C_j
\cr
\cr
&\underline{
\text{WaitShares}^1_i():
}\cr
&\enspace\enspace
\texttt{wait}\_{(i, 1)} x^C_i, \neq \bot \land \forall j. \land \forall j. \text{shared}^1\_{ji}
\cr
&\enspace\enspace
\texttt{return } f^{C, h}(i) + x^C_i
\cr
\cr
&\underline{
\text{F}^{Y \in \{A, B, C\}, h}():
}\cr
&\enspace
\texttt{wait } F^{Y, m} \neq \bot \land \forall i.\ \exists j.\ \text{ready}\_{ij}
\cr
&\enspace
\texttt{return } f^{Y, h} \cdot G
\cr
\end{aligned}
}
}\cr
\otimes\cr
F[\text{Sync}]\cr
\circledcirc \cr
F[\text{Stop}]
\end{matrix}\cr
\cr
\text{Leakage} := \{\texttt{stop}\}
\end{matrix}
} P [ I d e a l T r i p l e ] P i ( 1 ) T r i p l e i ( ) : S e t i ( ⋆ ) W a i t S e t i ( ⋆ , true ) S h a r e i 0 ( ⋆ ) ( a i , b i ) ← W a i t S h a r e s i 0 ( true ) S h a r e i 1 ( ⋆ ) c i ← W a i t S h a r e s i 1 ( true ) ( A , B , C ) ← ( F A , h ( ) ( 0 ) , F B , h ( ) ( 0 ) , F C , h ( ) ( 0 )) return ( a i , b i , c i , A , B , C ) F [ C o n v e r t ] f A , h , f B , h , $ F q [ X ] _ ≤ t − 1 f A , h , f B , h , $ { f ∈ F q [ X ] _ ≤ t − 1 ∣ f ( 0 ) = f A , h ( 0 ) ⋅ f B , h ( 0 )} F A , m , F B , m , F C , m , r e a d y _ ij , s h a r e d { 0 , 1 } _ ij , a _ i , b _ i , c _ i , x i A , x i B , x i C ← ⊥ S e t i ( S ) : r e a d y _ ij ← true ( ∀ j ∈ S ) ( 1 ) C h e a t ( F A , F B , F C ) : assert F ( 0 ) = 0 ∧ d e g ( F ) = t − 1 F A , m , F B , m , F C , m ← F A , F B , F C W a i t S e t i ( S , m ) : wait _ ( i , 0 ) ∀ j ∈ S . r e a d y _ ji ∧ ( m → F ∙ , m = ⊥ ) S h a r e i 0 ( S ) : s h a r e d 0 _ ij ← true ( ∀ j ∈ S ) C h e a t S h a r e 0 ( S , x ^ A _ ∙ , x ^ B _ ∙ ) : for Y ∈ { A , B } : assert F Y , m = ⊥ ∧ ∀ j ∈ S . x ^ j Y ⋅ G = F Y , m ( j ) for j . x j Y = ⊥ : x j Y ← x ^ j Y W a i t S h a r e s i 0 ( h ) : if h : wait _ ( i , 1 ) x i A , x i B = ⊥ ∧ ∀ j . ∧ ∀ j . s h a r e d 0 _ ji return ( f A , h ( i ) + x i A , f B , h ( i ) + x i B ) else : wait _ ( i , 1 ) ∀ j ∈ H . s h a r e d 0 _ ji = ⊥ return ( f A , h ( i ) , f B , h ( i )) S h a r e i 1 ( S ) : s h a r e d 1 _ ij ← true ( ∀ j ∈ S ) C h e a t S h a r e 1 ( S , x ^ C _ ∙ ) : assert F C , m = ⊥ ∧ ∀ j ∈ S . x ^ j C ⋅ G = F C , m ( j ) for j . x j C = ⊥ : x j C ← x ^ j C W a i t S h a r e s i 1 ( ) : wait _ ( i , 1 ) x i C , = ⊥ ∧ ∀ j . ∧ ∀ j . s h a r e d 1 _ ji return f C , h ( i ) + x i C F Y ∈ { A , B , C } , h ( ) : wait F Y , m = ⊥ ∧ ∀ i . ∃ j . r e a d y _ ij return f Y , h ⋅ G ⊗ F [ S y n c ] ⊚ F [ S t o p ] L e a k a g e := { stop } The ideal triple generation protocol is as you might expect,
with the functionality itself doing the multiplication perfectly.
However, we once again have the various tweaks to secret sharing
induced by the commit reveal paradigm.
See the key sharing document for some discussion about
these artifacts, which naturally show up here again.
Lemma
For a negligible ϵ \epsilon ϵ t − 1 t - 1 t − 1
P [ Triple ] ⇝ ϵ P [ IdealTriple ] \mathscr{P}[\text{Triple}] \overset{\epsilon}{\leadsto} \mathscr{P}[\text{IdealTriple}] P [ T r i p l e ] ⇝ ϵ P [ I d e a l T r i p l e ] Proof
Clearly, P [ Triple ] \mathscr{P}[\text{Triple}] P [ T r i p l e ] P [ SplitShare ] \mathscr{P}[\text{SplitShare}] P [ S p l i t S h a r e ]
P 0 P i ( 1 ) Triple i ( ) : ‾ z i A , z i B ← $ F q Set i 0 ( z i A ) , Set i 1 ( z i B ) SetMask i ( ) WaitSet i 0 ( ) , WaitSet i 1 ( ) WaitMask i ( ) Share i 0 ( ) , Share i 1 a i ← WaitShare i 0 ( ) , b i ← WaitShare i 1 ( ) StartMultiply i ( z i A , z i B ) A ← ∑ i Z 0 ( i ) , B ← ∑ i Z 1 ( i ) C i ← z i B ⋅ A π i 2 ← Prove ψ ( Z 1 ( i ) , A , C i ; z i B ) ↱ i ( ⋆ , ( C i , π i ) , 1 ) ( C _ ∙ , π 2 _ ∙ ) ↰ i ( ⋆ , 1 ) if ∃ j . ¬ Verify ψ ( π j 2 , ( Z 1 ( j ) , A , C j ) ) stop ( ⋆ , 1 ) z i C ← EndMultiply i ( ) Share i ( z i C ) c i ← WaitShare i ( ) C ← ∑ i C i if ∑ i Z 2 ( i ) ≠ C stop ( ⋆ , 2 ) return ( a i , b i , c i , A , B , C ) ⊲ P [ SplitShare ] ⊗ P [ SplitShare ] ⊗ P [ Convert ] ⊗ P [ Multiply ] \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}^0$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\underline{
(1)\text{Triple}_i():
}\cr
&\enspace
z^A_i, z^B_i \xleftarrow{\$} \mathbb{F}_q
\cr
&\enspace
\text{Set}^0_i(z^A_i), \text{Set}^1_i(z^B_i)
\cr
&\enspace
\text{SetMask}_i()
\cr
\cr
&\enspace
\text{WaitSet}^0_i(), \text{WaitSet}^1_i()
\cr
&\enspace
\text{WaitMask}_i()
\cr
&\enspace
\text{Share}^0_i(), \text{Share}^1_i
\cr
\cr
&\enspace
a_i \gets \text{WaitShare}^0_i(), b_i \gets \text{WaitShare}^1_i()
\cr
&\enspace
\text{StartMultiply}_i(z^A_i, z^B_i)
\cr
&\enspace
\text{A} \gets \sum_i \text{Z}^{0}(i),
\text{B} \gets \sum_i \text{Z}^{1}(i)
\cr
&\enspace
C_i \gets z^B_i \cdot A
\cr
&\enspace
\pi^2_i \gets \text{Prove}^\psi(\text{Z}^{1}(i), A, C_i; z^B_i)
\cr
&\enspace
\Rsh_i(\star, (C_i, \pi_i), 1)
\cr
&\enspace\cr
&\enspace
(C\_\bullet, \pi^2\_\bullet) \Lsh_i(\star, 1)
\cr
&\enspace
\texttt{if } \exists j.\ \neg \text{Verify}^\psi(\pi^2_j, (\text{Z}^{1}(j), A, C_j))
\cr
&\enspace\enspace
\texttt{stop}(\star, 1)
\cr
&\enspace
z^C_i \gets \text{EndMultiply}_i()
\cr
&\enspace
\text{Share}_i(z^C_i)
\cr
&\enspace
c_i \gets \text{WaitShare}_i()
\cr
&\enspace
C \gets \sum_i C_i
\cr
&\enspace
\texttt{if } \sum_i \text{Z}^{2}(i) \neq C
\cr
&\enspace\enspace
\texttt{stop}(\star, 2)
\cr
&\enspace
\texttt{return } (a_i, b_i, c_i, A, B, C)
\cr
\end{aligned}
}
}
\end{matrix}
}
\lhd
\begin{matrix}
\mathscr{P}[\text{SplitShare}]\cr
\otimes\cr
\mathscr{P}[\text{SplitShare}]\cr
\otimes\cr
\mathscr{P}[\text{Convert}]\cr
\otimes\cr
\mathscr{P}[\text{Multiply}]\cr
\end{matrix} P 0 P i ( 1 ) T r i p l e i ( ) : z i A , z i B $ F q S e t i 0 ( z i A ) , S e t i 1 ( z i B ) S e t M a s k i ( ) W a i t S e t i 0 ( ) , W a i t S e t i 1 ( ) W a i t M a s k i ( ) S h a r e i 0 ( ) , S h a r e i 1 a i ← W a i t S h a r e i 0 ( ) , b i ← W a i t S h a r e i 1 ( ) S t a r t M u l t i p l y i ( z i A , z i B ) A ← i ∑ Z 0 ( i ) , B ← i ∑ Z 1 ( i ) C i ← z i B ⋅ A π i 2 ← P r o v e ψ ( Z 1 ( i ) , A , C i ; z i B ) ↱ i ( ⋆ , ( C i , π i ) , 1 ) ( C _ ∙ , π 2 _ ∙ ) ↰ i ( ⋆ , 1 ) if ∃ j . ¬ V e r i f y ψ ( π j 2 , ( Z 1 ( j ) , A , C j )) stop ( ⋆ , 1 ) z i C ← E n d M u l t i p l y i ( ) S h a r e i ( z i C ) c i ← W a i t S h a r e i ( ) C ← i ∑ C i if i ∑ Z 2 ( i ) = C stop ( ⋆ , 2 ) return ( a i , b i , c i , A , B , C ) ⊲ P [ S p l i t S h a r e ] ⊗ P [ S p l i t S h a r e ] ⊗ P [ C o n v e r t ] ⊗ P [ M u l t i p l y ] From here, we can jump to the final protocol with an atrocious simulator:
Γ H 0 … ⊗ S z i A , z i B ← $ F q ( ∀ i ∈ H / { 1 } ) Z i A , Z i B ← z i A ⋅ G , z i B ⋅ G ( ∀ i ∈ H / { 1 } ) z i A , z i B , Z i A , Z i B ← ⊥ ( ∀ i ∈ M ) γ i ← $ F q ( ∀ i ≠ 1 ) z ^ C _ i j , x i A , x i B , x i C , F A , m , F B , m , F C , m , m ^ _ i j ← ⊥ ready A _ i j , ready B _ i j , ready C _ i j ← ⊥ shared A _ i j , shared B _ i j , shared C _ i j ← ⊥ Set k 0 ( S , z , Z ) : ‾ assert z ≠ ⊥ ∨ Z ≠ ⊥ if z k A , Z k A = ⊥ ∧ z ≠ ⊥ : z k A ← z , Z k A ← z ⋅ G elif Z k A = ⊥ ∧ Z ≠ ⊥ : Z k A ← Z ready A _ k j ← true ( ∀ j ∈ S ) Set? k ( ) Set k 1 ( S , z , Z ) : ‾ assert z ≠ ⊥ ∨ Z ≠ ⊥ if z k B , Z k B = ⊥ ∧ z ≠ ⊥ : z k B ← z , Z k B ← z ⋅ G elif Z k B = ⊥ ∧ Z ≠ ⊥ : Z k B ← Z ready A _ k j ← true ( ∀ j ∈ S ) ready B _ k j ← true ( ∀ j ∈ S ) Set? k ( ) SetMask k ( S ) : ‾ ready C _ k j ← true ( ∀ j ∈ S ) Set? k ( ) Set? k ( ) : ‾ for j . ∀ Y ∈ { A , B , C } . ready Y _ k j : super . Set k ( { j } ) WaitSet k 0 ( S , m ) : ‾ wait ∀ j ∈ S ∩ M . ready A _ j k super . WaitSet k ( S ∩ H ) WaitSet k 1 ( S , m ) : ‾ wait ∀ j ∈ S ∩ M . ready B _ j k super . WaitSet k ( S ∩ H ) WaitMask k ( S , m ) : ‾ wait ∀ j ∈ S ∩ M . ready C _ j k super . WaitSet k ( S ∩ H ) Share k 0 ( S , z ) : ‾ assert Z k A ≠ ⊥ if z k A = ⊥ : assert z ⋅ G = Z k A z k A ← z shared A _ k j ← true ( ∀ j ∈ S ) Share? k 0 ( ) Share k 1 ( S , z ) : ‾ assert Z k B ≠ ⊥ if z k B = ⊥ : assert z ⋅ G = Z k B z k B ← z shared B _ k j ← true ( ∀ j ∈ S ) Share? k 0 ( ) WaitShare k 0 ( h ) : ‾ ( a k , b k ) ← WaitShares k 0 ( ) return a k WaitShare k 1 ( h ) : ‾ ( a k , b k ) ← WaitShares k 0 ( ) return b k ( 1 ) StartMultiply k ( a _ ∙ , b _ ∙ ) : ‾ a _ k j ← a j , b _ k j ← b j ( 1 ) Cheat k F[Multiply] ( Δ ) : ‾ Δ ← Δ EndMultiply k ( ) : ‾ return γ k − z k A ⋅ z k B Share k ( S , z _ ∙ ) : ‾ for j ∈ S . z ^ C _ k j = ⊥ : for j ∈ S . z ^ C _ k j = ⊥ : z ^ C _ k j ← z j for j ∈ H . ∀ i ∈ M . z ^ C _ i j ≠ ⊥ : if ∑ _ i ∈ H Z ( j ) + ∑ _ i ∈ M z ^ C _ i j ⋅ G ≠ F C , h ( 0 ) : stop ( { j } ) super . Share i 1 ( S ) Share? k 0 ( ) : ‾ for j . shared A _ k j ∧ shared B _ k j : super . Share k 0 ( { j } ) WaitShare k ( h ) : ‾ if h : return WaitShare k 1 ( ) else : wait x k C ≠ ⊥ ∧ ∀ i ∈ M . z C _ i k ≠ ⊥ return WaitShare k 1 ( ) − ∑ _ i ∈ M z C _ i k − x k C Prove ψ ( W , P , Q ; w ) : ‾ assert w ⋅ G = W ∧ w ⋅ P = Q π ← $ 01 2 λ μ [ π ] ← ( W , P , Q ) Verify ψ ( π , ( W , P , Q ) ) : ‾ return μ [ π ] = ? ( W , P , Q ) ↱ k ( S , m _ ∙ , 1 ) ‾ for j ∈ S ∩ H : ( C k , π ) ← m j if μ [ π ] ≠ ( Z k B ( ) , F A , h ( 0 ) , C k ) : stop ( { j } ) m ^ _ k j ← m j ( ∀ j ∈ S ) ↰ k ( S , 1 ) : ‾ wait _ ( k , 1 ) ∀ j ∈ S ∩ M . m ^ _ k j ≠ ⊥ r _ ∙ ← ⊥ for j ∈ S ∩ H . ∄ i . m ^ _ i j ≠ ⊥ : π ← $ 01 2 λ μ [ π ] ← ( Z 1 ( j ) , F A , h ( 0 ) , C ( j ) ) r j ← ( C j , π ) r j ← m ^ _ k j ( ∀ j ∈ S ) return r _ ∙ ( 1 ) Cheat 0 ( F ) : ‾ assert F ( 0 ) = 0 ∧ deg ( F ) = t − 1 F A , m ← F Cheat? ( ) CheatShare 0 ( S , x ^ _ ∙ ) : ‾ assert F A , m ≠ ⊥ ∧ ∀ j ∈ S . x ^ j ⋅ G = F A , m ( j ) x j A ← x ^ j ( ∀ j ∈ S ) CheatShare? ( ) F 0 , h ( ) : ‾ return F A , h − F A , h ( 0 ) ( 1 ) Cheat 1 ( F ) : ‾ assert F ( 0 ) = 0 ∧ deg ( F ) = t − 1 F B , m ← F Cheat? ( ) CheatShare 1 ( S , x ^ _ ∙ ) : ‾ assert F B , m ≠ ⊥ ∧ ∀ j ∈ S . x ^ j ⋅ G = F B , m ( j ) x j B ← x ^ j ( ∀ j ∈ S ) CheatShare? ( ) F 1 , h ( ) : ‾ return F B , h − F B , h ( 0 ) ( 1 ) Cheat F[Convert] ( F ) : ‾ assert F ( 0 ) = 0 ∧ deg ( F ) = t − 1 F C , m ← F Cheat? ( ) Cheat? ( ) ‾ if F A , m , F B , m , F C , m ≠ ⊥ : super . Cheat ( F A , m , F B , m , F C , m ) CheatShare? ( ) : ‾ for j . x ^ j A , x ^ j B ≠ ⊥ : super . CheatShare 0 ( { j } , x ^ A _ ∙ , x ^ B _ ∙ ) CheatShare ( S , x ^ _ ∙ ) : ‾ assert F C , m ≠ ⊥ ∧ ∀ j ∈ S . x ^ j ⋅ G = F C , m ( j ) x ^ j C ← x ^ j ( ∀ j ∈ S ) super . CheatShare 1 ( S , x ^ _ ∙ ) F h ( ) : ‾ return F C , h − F C , h ( 0 ) Z 0 ( i ) : ‾ return F A , h ( 0 ) − ∑ j Z j A if i = 1 else Z i A Z 1 ( i ) : ‾ return F B , h ( 0 ) − ∑ j Z j B if i = 1 else Z i B C ( i ) : ‾ return F C , h ( 0 ) − ∑ j z j A ⋅ F B , h ( 0 ) if i = 1 else z i A ⋅ F B , h ( 0 ) Z ( i ) : ‾ return C ^ ( ) − ∑ i γ i ⋅ G if i = 1 else γ i ⋅ F B , h ( 0 ) C ^ ( ) : ‾ wait for all variables used below O _ 11 = F C , h ( 0 ) − ∑ _ i ∈ H / { 1 } z i B ⋅ F A , h ( 0 ) − ∑ _ i ∈ H / { 1 } z i A ⋅ F B , h ( 0 ) − O _ h h O _ h 1 = ∑ _ i ∈ H , j ∈ H / { 1 } z j B ⋅ Z i A ⋅ G O _ h 1 = ∑ _ i ∈ H / { 1 } , j ∈ H z i A ⋅ Z j B ⋅ G O _ h h = ∑ _ i , j ∈ H / { 1 } z i A ⋅ z j B ⋅ G O _ h m = ∑ _ i ∈ H , j ∈ M Z 0 ( i ) ⋅ b _ j i O _ m h = ∑ _ i ∈ M , j ∈ H a _ i j ⋅ Z 1 ( j ) O _ m m = ∑ _ i , j ∈ M a _ i j ⋅ b _ j i ⋅ G return O _ 11 + O _ 1 h + O _ h 1 + O _ h h + O _ h m + O _ m h + O _ m m + Δ ⋅ G … ∘ F [ Messages ] ⊚ F [ Stop ] \begin{matrix}
\boxed{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^0_H$
}\cr
&\ldots
\end{aligned}
}
\otimes
\boxed{
\small{
\begin{aligned}
&\colorbox{bae6fd}{\large
$S$
}\cr
&z^A_i, z^B_i \xleftarrow{\$} \mathbb{F}_q\ (\forall i \in \mathcal{H} / \{1\})\cr
&Z^A_i, Z^B_i \gets z^A_i \cdot G, z^B_i \cdot G\ (\forall i \in \mathcal{H} / \{1\})\cr
&z^A_i, z^B_i, Z^A_i, Z^B_i \gets \bot\ (\forall i \in \mathcal{M})\cr
&\gamma_i \xleftarrow{\$} \mathbb{F}_q\ (\forall i \neq 1)\cr
&\hat{z}^C\_{ij}, x^A_i, x^B_i, x^C_i, F^{A, m}, F^{B, m}, F^{C, m}, \hat{m}\_{ij} \gets \bot\cr
&\text{ready}^A\_{ij}, \text{ready}^B\_{ij}, \text{ready}^C\_{ij} \gets \bot\cr
&\text{shared}^A\_{ij}, \text{shared}^B\_{ij}, \text{shared}^C\_{ij} \gets \bot\cr
\cr
&\underline{
\text{Set}_k^0(S, z, Z):
}\cr
&\enspace
\texttt{assert } z \neq \bot \lor Z \neq \bot
\cr
&\enspace
\texttt{if } z^A_k, Z^A_k = \bot \land z \neq \bot: z^A_k \gets z, Z^A_k \gets z \cdot G
\cr
&\enspace
\texttt{elif } Z^A_k = \bot \land Z \neq \bot : Z^A_k \gets Z
\cr
&\enspace
\text{ready}^A\_{kj} \gets \texttt{true }\ (\forall j \in S)
\cr
&\enspace
\text{Set?}_k()
\cr
\cr
&\underline{
\text{Set}_k^1(S, z, Z):
}\cr
&\enspace
\texttt{assert } z \neq \bot \lor Z \neq \bot
\cr
&\enspace
\texttt{if } z^B_k, Z^B_k = \bot \land z \neq \bot: z^B_k \gets z, Z^B_k \gets z \cdot G
\cr
&\enspace
\texttt{elif } Z^B_k = \bot \land Z \neq \bot : Z^B_k \gets Z
\cr
&\enspace
\text{ready}^A\_{kj} \gets \texttt{true }\ (\forall j \in S)
\cr
&\enspace
\text{ready}^B\_{kj} \gets \texttt{true }\ (\forall j \in S)
\cr
&\enspace
\text{Set?}_k()
\cr
\cr
&\underline{
\text{SetMask}_k(S):
}\cr
&\enspace
\text{ready}^C\_{kj} \gets \texttt{true }\ (\forall j \in S)
\cr
&\enspace
\text{Set?}_k()
\cr
\cr
&\underline{
\text{Set?}_k():
}\cr
&\enspace
\texttt{for } j.\ \forall Y \in \{A, B, C\}. \text{ready}^Y\_{kj}:
\cr
&\enspace\enspace
\texttt{super}.\text{Set}_k(\{j\})
\cr
\cr
&\underline{
\text{WaitSet}_k^0(S, m):
}\cr
&\enspace
\texttt{wait } \forall j \in S \cap \mathcal{M}.\ \text{ready}^A\_{jk}
\cr
&\enspace
\texttt{super}.\text{WaitSet}_k(S \cap \mathcal{H})
\cr
\cr
&\underline{
\text{WaitSet}_k^1(S, m):
}\cr
&\enspace
\texttt{wait } \forall j \in S \cap \mathcal{M}.\ \text{ready}^B\_{jk}
\cr
&\enspace
\texttt{super}.\text{WaitSet}_k(S \cap \mathcal{H})
\cr
\cr
&\underline{
\text{WaitMask}_k(S, m):
}\cr
&\enspace
\texttt{wait } \forall j \in S \cap \mathcal{M}.\ \text{ready}^C\_{jk}
\cr
&\enspace
\texttt{super}.\text{WaitSet}_k(S \cap \mathcal{H})
\cr
\cr
&\underline{
\text{Share}^0_k(S, z):
}\cr
&\enspace
\texttt{assert } Z^A_k \neq \bot
\cr
&\enspace
\texttt{if } z^A_k = \bot:
\cr
&\enspace\enspace
\texttt{assert } z \cdot G = Z^A_k
\cr
&\enspace\enspace
z^A_k \gets z
\cr
&\enspace
\text{shared}^A\_{kj} \gets \texttt{true}\ (\forall j \in S)
\cr
&\enspace
\text{Share?}^0_k()
\cr
\cr
&\underline{
\text{Share}^1_k(S, z):
}\cr
&\enspace
\texttt{assert } Z^B_k \neq \bot
\cr
&\enspace
\texttt{if } z^B_k = \bot:
\cr
&\enspace\enspace
\texttt{assert } z \cdot G = Z^B_k
\cr
&\enspace\enspace
z^B_k \gets z
\cr
&\enspace
\text{shared}^B\_{kj} \gets \texttt{true}\ (\forall j \in S)
\cr
&\enspace
\text{Share?}^0_k()
\cr
\cr
&\underline{
\text{WaitShare}^0_k(h):
}\cr
&\enspace
(a_k, b_k) \gets \text{WaitShares}^0_k()
\cr
&\enspace
\texttt{return } a_k
\cr
\cr
&\underline{
\text{WaitShare}^1_k(h):
}\cr
&\enspace
(a_k, b_k) \gets \text{WaitShares}^0_k()
\cr
&\enspace
\texttt{return } b_k
\cr
\cr
&\underline{
(1)\text{StartMultiply}_k(a\_\bullet, b\_\bullet):
}\cr
&\enspace
a\_{kj} \gets a_j, b\_{kj} \gets b_j
\cr
\cr
&\underline{
(1)\text{Cheat}^{\tiny \text{F[Multiply]}}_k(\Delta):
}\cr
&\enspace
\Delta \gets \Delta
\cr
\cr
&\underline{
\text{EndMultiply}_k():
}\cr
&\enspace
\texttt{return } \gamma_k - z^A_k \cdot z^B_k
\cr
\cr
&\underline{
\text{Share}_k(S, z\_\bullet):
}\cr
&\enspace
\texttt{for } j \in S.\ \hat{z}^C\_{kj} = \bot:
\cr
&\enspace
\texttt{for } j \in S.\ \hat{z}^C\_{kj} = \bot: \hat{z}^C\_{kj} \gets z_j
\cr
&\enspace
\texttt{for } j \in \mathcal{H}.\ \forall i \in \mathcal{M}.\ \hat{z}^C\_{ij} \neq \bot:
\cr
&\enspace\enspace
\texttt{if } \sum\_{i \in \mathcal{H}} \text{Z}(j) + \sum\_{i \in \mathcal{M}} \hat{z}^C\_{ij} \cdot G \neq F^{C, h}(0):
\cr
&\enspace\enspace\enspace
\texttt{stop}(\{j\})
\cr
&\enspace
\texttt{super}.\text{Share}^1_i(S)
\cr
\cr
&\underline{
\text{Share?}^0_k():
}\cr
&\enspace
\texttt{for } j.\ \text{shared}^A\_{kj} \land \text{shared}^B\_{kj}:
\cr
&\enspace\enspace
\texttt{super}.\text{Share}^0_k(\{j\})
\cr
\cr
&\underline{
\text{WaitShare}_k(h):
}\cr
&\enspace
\texttt{if } h:
\cr
&\enspace\enspace
\texttt{return } \text{WaitShare}^1_k()
\cr
&\enspace
\texttt{else}:
\cr
&\enspace\enspace
\texttt{wait } x^C_k \neq \bot \land \forall i \in \mathcal{M}.\ z^C\_{ik} \neq \bot
\cr
&\enspace\enspace
\texttt{return } \text{WaitShare}^1_k() - \sum\_{i \in \mathcal{M}} z^C\_{ik} - x^C_k
\cr
\cr
&\underline{
\text{Prove}^\psi(W, P, Q; w):
}\cr
&\enspace
\texttt{assert } w \cdot G = W \land w \cdot P = Q
\cr
&\enspace
\pi \xleftarrow{\$} \texttt{01}^{2 \lambda}
\cr
&\enspace
\mu[\pi] \gets (W, P, Q)
\cr
\cr
&\underline{
\text{Verify}^\psi(\pi, (W, P, Q)):
}\cr
&\enspace
\texttt{return } \mu[\pi] \overset{?}{=} (W, P, Q)
\cr
\cr
&\underline{
\Rsh_k(S, m\_\bullet, 1)
}\cr
&\enspace
\texttt{for } j \in S \cap \mathcal{H}:
\cr
&\enspace\enspace
(C_k, \pi) \gets m_j
\cr
&\enspace\enspace
\texttt{if } \mu[\pi] \neq (Z^B_k(), \text{F}^{A, h}(0), C_k):
\cr
&\enspace\enspace\enspace
\texttt{stop}(\{j\})
\cr
&\enspace
\hat{m}\_{kj} \gets m_j\ (\forall j \in S)
\cr
\cr
&\underline{
\Lsh_k(S, 1):
}\cr
&\enspace
\texttt{wait}\_{(k, 1)} \forall j \in S \cap \mathcal{M}.\ \hat{m}\_{kj} \neq \bot
\cr
&\enspace
r\_\bullet \gets \bot
\cr
&\enspace
\texttt{for } j \in S \cap \mathcal{H}. \nexists i.\ \hat{m}\_{ij} \neq \bot:
\cr
&\enspace\enspace
\pi \xleftarrow{\$} \texttt{01}^{2 \lambda}
\cr
&\enspace
\mu[\pi] \gets (\text{Z}^1(j), F^{A, h}(0), \text{C}(j))
\cr
&\enspace
r_j \gets (C_j, \pi)
\cr
&\enspace
r_j \gets \hat{m}\_{kj}\ (\forall j \in S)
\cr
&\enspace
\texttt{return } r\_\bullet
\cr
\cr
&\underline{
(1)\text{Cheat}^0(F):
}\cr
&\enspace
\texttt{assert } F(0) = 0 \land \text{deg}(F) = t - 1
\cr
&\enspace
F^{A, m} \gets F
\cr
&\enspace
\text{Cheat?}()
\cr
\cr
&\underline{
\text{CheatShare}^0(S, \hat{x}\_\bullet):
}\cr
&\enspace
\texttt{assert } F^{A, m} \neq \bot \land \forall j \in S.\ \hat{x}_j \cdot G = F^{A, m}(j)
\cr
&\enspace
x^A_j \gets \hat{x}_j\ (\forall j \in S)
\cr
&\enspace
\text{CheatShare?}()
\cr
\cr
&\underline{
\text{F}^{0, h}():
}\cr
&\enspace
\texttt{return } \text{F}^{A, h} - \text{F}^{A, h}(0)
\cr
\cr
&\underline{
(1)\text{Cheat}^1(F):
}\cr
&\enspace
\texttt{assert } F(0) = 0 \land \text{deg}(F) = t - 1
\cr
&\enspace
F^{B, m} \gets F
\cr
&\enspace
\text{Cheat?}()
\cr
\cr
&\underline{
\text{CheatShare}^1(S, \hat{x}\_\bullet):
}\cr
&\enspace
\texttt{assert } F^{B, m} \neq \bot \land \forall j \in S.\ \hat{x}_j \cdot G = F^{B, m}(j)
\cr
&\enspace
x^B_j \gets \hat{x}_j\ (\forall j \in S)
\cr
&\enspace
\text{CheatShare?}()
\cr
\cr
&\underline{
\text{F}^{1, h}():
}\cr
&\enspace
\texttt{return } \text{F}^{B, h} - \text{F}^{B, h}(0)
\cr
\cr
&\underline{
(1)\text{Cheat}^{\tiny \text{F[Convert]}}(F):
}\cr
&\enspace
\texttt{assert } F(0) = 0 \land \text{deg}(F) = t - 1
\cr
&\enspace
F^{C, m} \gets F
\cr
&\enspace
\text{Cheat?}()
\cr
\cr
&\underline{
\text{Cheat?}()
}\cr
&\enspace
\texttt{if } F^{A, m}, F^{B, m}, F^{C, m} \neq \bot:
\cr
&\enspace\enspace
\texttt{super}.\text{Cheat}(F^{A, m}, F^{B, m}, F^{C, m})
\cr
\cr
&\underline{
\text{CheatShare?}():
}\cr
&\enspace
\texttt{for } j. \hat{x}^A_j, \hat{x}^B_j \neq \bot:
\cr
&\enspace\enspace
\texttt{super}.\text{CheatShare}^0(\{j\}, \hat{x}^A\_\bullet, \hat{x}^B\_\bullet)
\cr
\cr
&\underline{
\text{CheatShare}(S, \hat{x}\_\bullet):
}\cr
&\enspace
\texttt{assert } F^{C, m} \neq \bot \land \forall j \in S.\ \hat{x}_j \cdot G = F^{C, m}(j)
\cr
&\enspace
\hat{x}^C_j \gets \hat{x}_j\ (\forall j \in S)
\cr
&\enspace
\texttt{super}.\text{CheatShare}^1(S, \hat{x}\_\bullet)
\cr
\cr
&\underline{
\text{F}^h():
}\cr
&\enspace
\texttt{return } \text{F}^{C, h} - \text{F}^{C, h}(0)
\cr
\cr
&\underline{
\text{Z}^0(i):
}\cr
&\enspace
\texttt{return } \text{F}^{A, h}(0) - \sum_j Z^A_j \texttt{ if } i = 1 \texttt{ else } Z^A_i
\cr
\cr
&\underline{
\text{Z}^1(i):
}\cr
&\enspace
\texttt{return } \text{F}^{B, h}(0) - \sum_j Z^B_j \texttt{ if } i = 1 \texttt{ else } Z^B_i
\cr
\cr
&\underline{
\text{C}(i):
}\cr
&\enspace
\texttt{return } \text{F}^{C, h}(0) - \sum_j z^A_j \cdot \text{F}^{B, h}(0) \texttt{ if } i = 1 \texttt{ else } z^A_i \cdot \text{F}^{B, h}(0)
\cr
\cr
&\underline{
\text{Z}(i):
}\cr
&\enspace
\texttt{return } \hat{C}() - \sum_i \gamma_i \cdot G \texttt{ if } i = 1 \texttt{ else } \gamma_i \cdot \text{F}^{B, h}(0)
\cr
\cr
&\underline{
\hat{C}():
}\cr
&\enspace
\texttt{wait } \text{for all variables used below}
\cr
&\enspace
O\_{11} = \text{F}^{C, h}(0) - \sum\_{i \in \mathcal{H} / \{1\}} z^B_i \cdot \text{F}^{A, h}(0) - \sum\_{i \in \mathcal{H} / \{1\}} z^A_i \cdot \text{F}^{B, h}(0) - O\_{hh}
\cr
&\enspace
O\_{h1} = \sum\_{i \in \mathcal{H},j \in \mathcal{H} / \{1\}} z^B_j \cdot Z^A_i \cdot G
\cr
&\enspace
O\_{h1} = \sum\_{i \in \mathcal{H} / \{1\},j \in \mathcal{H}} z^A_i \cdot Z^B_j \cdot G
\cr
&\enspace
O\_{hh} = \sum\_{i,j \in \mathcal{H} / \{1\}} z^A_i \cdot z^B_j \cdot G
\cr
&\enspace
O\_{hm} = \sum\_{i \in \mathcal{H}, j \in \mathcal{M}} \text{Z}^0(i) \cdot b\_{ji}
\cr
&\enspace
O\_{mh} = \sum\_{i \in \mathcal{M}, j \in \mathcal{H}} a\_{ij} \cdot \text{Z}^1(j)
\cr
&\enspace
O\_{mm} = \sum\_{i, j \in \mathcal{M}} a\_{ij} \cdot b\_{ji} \cdot G
\cr
&\enspace
\texttt{return } O\_{11} + O\_{1h} + O\_{h1} + O\_{hh} + O\_{hm} + O\_{mh} + O\_{mm} + \Delta \cdot G
\cr
\cr
&\ldots\cr
\end{aligned}
}
}
\cr
\circ\cr
F[\text{Messages}] \circledcirc F[\text{Stop}]
\end{matrix} Γ H 0 … ⊗ S z i A , z i B $ F q ( ∀ i ∈ H / { 1 }) Z i A , Z i B ← z i A ⋅ G , z i B ⋅ G ( ∀ i ∈ H / { 1 }) z i A , z i B , Z i A , Z i B ← ⊥ ( ∀ i ∈ M ) γ i $ F q ( ∀ i = 1 ) z ^ C _ ij , x i A , x i B , x i C , F A , m , F B , m , F C , m , m ^ _ ij ← ⊥ r e a d y A _ ij , r e a d y B _ ij , r e a d y C _ ij ← ⊥ s h a r e d A _ ij , s h a r e d B _ ij , s h a r e d C _ ij ← ⊥ S e t k 0 ( S , z , Z ) : assert z = ⊥ ∨ Z = ⊥ if z k A , Z k A = ⊥ ∧ z = ⊥ : z k A ← z , Z k A ← z ⋅ G elif Z k A = ⊥ ∧ Z = ⊥ : Z k A ← Z r e a d y A _ kj ← true ( ∀ j ∈ S ) S e t ? k ( ) S e t k 1 ( S , z , Z ) : assert z = ⊥ ∨ Z = ⊥ if z k B , Z k B = ⊥ ∧ z = ⊥ : z k B ← z , Z k B ← z ⋅ G elif Z k B = ⊥ ∧ Z = ⊥ : Z k B ← Z r e a d y A _ kj ← true ( ∀ j ∈ S ) r e a d y B _ kj ← true ( ∀ j ∈ S ) S e t ? k ( ) S e t M a s k k ( S ) : r e a d y C _ kj ← true ( ∀ j ∈ S ) S e t ? k ( ) S e t ? k ( ) : for j . ∀ Y ∈ { A , B , C } . r e a d y Y _ kj : super . S e t k ({ j }) W a i t S e t k 0 ( S , m ) : wait ∀ j ∈ S ∩ M . r e a d y A _ jk super . W a i t S e t k ( S ∩ H ) W a i t S e t k 1 ( S , m ) : wait ∀ j ∈ S ∩ M . r e a d y B _ jk super . W a i t S e t k ( S ∩ H ) W a i t M a s k k ( S , m ) : wait ∀ j ∈ S ∩ M . r e a d y C _ jk super . W a i t S e t k ( S ∩ H ) S h a r e k 0 ( S , z ) : assert Z k A = ⊥ if z k A = ⊥ : assert z ⋅ G = Z k A z k A ← z s h a r e d A _ kj ← true ( ∀ j ∈ S ) S h a r e ? k 0 ( ) S h a r e k 1 ( S , z ) : assert Z k B = ⊥ if z k B = ⊥ : assert z ⋅ G = Z k B z k B ← z s h a r e d B _ kj ← true ( ∀ j ∈ S ) S h a r e ? k 0 ( ) W a i t S h a r e k 0 ( h ) : ( a k , b k ) ← W a i t S h a r e s k 0 ( ) return a k W a i t S h a r e k 1 ( h ) : ( a k , b k ) ← W a i t S h a r e s k 0 ( ) return b k ( 1 ) S t a r t M u l t i p l y k ( a _ ∙ , b _ ∙ ) : a _ kj ← a j , b _ kj ← b j ( 1 ) C h e a t k F [ M u l t i p l y ] ( Δ ) : Δ ← Δ E n d M u l t i p l y k ( ) : return γ k − z k A ⋅ z k B S h a r e k ( S , z _ ∙ ) : for j ∈ S . z ^ C _ kj = ⊥ : for j ∈ S . z ^ C _ kj = ⊥ : z ^ C _ kj ← z j for j ∈ H . ∀ i ∈ M . z ^ C _ ij = ⊥ : if ∑ _ i ∈ H Z ( j ) + ∑ _ i ∈ M z ^ C _ ij ⋅ G = F C , h ( 0 ) : stop ({ j }) super . S h a r e i 1 ( S ) S h a r e ? k 0 ( ) : for j . s h a r e d A _ kj ∧ s h a r e d B _ kj : super . S h a r e k 0 ({ j }) W a i t S h a r e k ( h ) : if h : return W a i t S h a r e k 1 ( ) else : wait x k C = ⊥ ∧ ∀ i ∈ M . z C _ ik = ⊥ return W a i t S h a r e k 1 ( ) − ∑ _ i ∈ M z C _ ik − x k C P r o v e ψ ( W , P , Q ; w ) : assert w ⋅ G = W ∧ w ⋅ P = Q π $ 01 2 λ μ [ π ] ← ( W , P , Q ) V e r i f y ψ ( π , ( W , P , Q )) : return μ [ π ] = ? ( W , P , Q ) ↱ k ( S , m _ ∙ , 1 ) for j ∈ S ∩ H : ( C k , π ) ← m j if μ [ π ] = ( Z k B ( ) , F A , h ( 0 ) , C k ) : stop ({ j }) m ^ _ kj ← m j ( ∀ j ∈ S ) ↰ k ( S , 1 ) : wait _ ( k , 1 ) ∀ j ∈ S ∩ M . m ^ _ kj = ⊥ r _ ∙ ← ⊥ for j ∈ S ∩ H . ∄ i . m ^ _ ij = ⊥ : π $ 01 2 λ μ [ π ] ← ( Z 1 ( j ) , F A , h ( 0 ) , C ( j )) r j ← ( C j , π ) r j ← m ^ _ kj ( ∀ j ∈ S ) return r _ ∙ ( 1 ) C h e a t 0 ( F ) : assert F ( 0 ) = 0 ∧ d e g ( F ) = t − 1 F A , m ← F C h e a t ? ( ) C h e a t S h a r e 0 ( S , x ^ _ ∙ ) : assert F A , m = ⊥ ∧ ∀ j ∈ S . x ^ j ⋅ G = F A , m ( j ) x j A ← x ^ j ( ∀ j ∈ S ) C h e a t S h a r e ? ( ) F 0 , h ( ) : return F A , h − F A , h ( 0 ) ( 1 ) C h e a t 1 ( F ) : assert F ( 0 ) = 0 ∧ d e g ( F ) = t − 1 F B , m ← F C h e a t ? ( ) C h e a t S h a r e 1 ( S , x ^ _ ∙ ) : assert F B , m = ⊥ ∧ ∀ j ∈ S . x ^ j ⋅ G = F B , m ( j ) x j B ← x ^ j ( ∀ j ∈ S ) C h e a t S h a r e ? ( ) F 1 , h ( ) : return F B , h − F B , h ( 0 ) ( 1 ) C h e a t F [ C o n v e r t ] ( F ) : assert F ( 0 ) = 0 ∧ d e g ( F ) = t − 1 F C , m ← F C h e a t ? ( ) C h e a t ? ( ) if F A , m , F B , m , F C , m = ⊥ : super . C h e a t ( F A , m , F B , m , F C , m ) C h e a t S h a r e ? ( ) : for j . x ^ j A , x ^ j B = ⊥ : super . C h e a t S h a r e 0 ({ j } , x ^ A _ ∙ , x ^ B _ ∙ ) C h e a t S h a r e ( S , x ^ _ ∙ ) : assert F C , m = ⊥ ∧ ∀ j ∈ S . x ^ j ⋅ G = F C , m ( j ) x ^ j C ← x ^ j ( ∀ j ∈ S ) super . C h e a t S h a r e 1 ( S , x ^ _ ∙ ) F h ( ) : return F C , h − F C , h ( 0 ) Z 0 ( i ) : return F A , h ( 0 ) − j ∑ Z j A if i = 1 else Z i A Z 1 ( i ) : return F B , h ( 0 ) − j ∑ Z j B if i = 1 else Z i B C ( i ) : return F C , h ( 0 ) − j ∑ z j A ⋅ F B , h ( 0 ) if i = 1 else z i A ⋅ F B , h ( 0 ) Z ( i ) : return C ^ ( ) − i ∑ γ i ⋅ G if i = 1 else γ i ⋅ F B , h ( 0 ) C ^ ( ) : wait f o r a l l v a r i a b l e s u s e d b e l o w O _ 1 1 = F C , h ( 0 ) − ∑ _ i ∈ H / { 1 } z i B ⋅ F A , h ( 0 ) − ∑ _ i ∈ H / { 1 } z i A ⋅ F B , h ( 0 ) − O _ hh O _ h 1 = ∑ _ i ∈ H , j ∈ H / { 1 } z j B ⋅ Z i A ⋅ G O _ h 1 = ∑ _ i ∈ H / { 1 } , j ∈ H z i A ⋅ Z j B ⋅ G O _ hh = ∑ _ i , j ∈ H / { 1 } z i A ⋅ z j B ⋅ G O _ hm = ∑ _ i ∈ H , j ∈ M Z 0 ( i ) ⋅ b _ ji O _ mh = ∑ _ i ∈ M , j ∈ H a _ ij ⋅ Z 1 ( j ) O _ mm = ∑ _ i , j ∈ M a _ ij ⋅ b _ ji ⋅ G return O _ 1 1 + O _ 1 h + O _ h 1 + O _ hh + O _ hm + O _ mh + O _ mm + Δ ⋅ G … ∘ F [ M e s s a g e s ] ⊚ F [ S t o p ] The vast majority of this simulator is just mindless bookkeeping.
The main part of interest is the C ^ \hat{C} C ^
That's the only real tricky part of the simulator,
the rest is just adding in necessary checks ourselves,
and coalescing contributions from adversaries, as we've done many times.
■ \blacksquare ■
