Cait-Sith Security (X): Cheat Sheet

$$\boxed{\begin{array}{c}\mathcal{P}[\text{EchoBroadcast}]\\ \\ \boxed{\begin{array}{rl}& P_i\\ & \\ & \underline{(1){\text{StartBroadcast}}_i(x):}\\ & {\Rsh }_i(\star ,x,0)\\ & \\ & \underline{{\text{WaitBroadcast}}_i(x):}\\ & \hat{x}\_\bullet {\Lsh }_i(\star ,0)\\ & {\text{con}}_i\leftarrow \text{Hash}(\hat{x}\_\bullet )\\ & {\Rsh }_i(\star ,{\text{con}}_i,1)\\ & \text{return }x\_\bullet \\ & \\ & \underline{{\text{EndBroadcast}}_i():}\\ & \widehat{\text{con}}\_\bullet {\Lsh }_i(\star ,1)\\ & \text{if }\exists j.{\widehat{\text{con}}}_j\ne {\text{con}}_i:\\ & \text{stop}(\star ,1)\end{array}}\begin{array}{c}F[\text{SyncComm}]\\ \otimes \\ F[\text{Hash}]\end{array}\\ \\ \text{Leakage}:=\{\text{Hash},\text{stop}\}\end{array}}$$ $$\boxed{\begin{array}{c}\mathcal{P}[\text{Commit}]\\ \\ \boxed{\begin{array}{rl}& P_i\\ & \\ & x_i,r_i\leftarrow \perp \\ & \\ & \underline{(1){\text{SetCommit}}_i(x):}\\ & x_i\leftarrow x,r_i\stackrel{\$}{\leftarrow }{\text{01}}^{2\lambda }\\ & {\text{SetBroadcast}}_i(\text{Hash}(x_i,r_i))\\ & \\ & \underline{{\text{Commit}}_i():}\\ & {\text{SendBroadcast}}_i(\star )\\ & \\ & \underline{{\text{WaitCommit}}_i():}\\ & \text{return }{\text{WaitBroadcast}}_i()\\ & \\ & \underline{{\text{Open}}_i():}\\ & \text{assert }{x}_i\ne \perp \\ & {\Rsh }_i(\star ,(x_i,r_i),2)\\ & \\ & \underline{{\text{WaitOpen}}_i():}\\ & c\_\bullet \leftarrow {\text{WaitCommit}}_i()\\ & {\text{EndBroadcast}}_i()\\ & (\hat{x}\_\bullet ,\hat{r}\_\bullet ){\Lsh }_i(\star ,2)\\ & \text{if }\exists j.\text{Hash}({\hat{x}}_j,{\hat{r}}_j)\ne c_j:\\ & \text{stop}(\star ,2)\\ & \text{return }\hat{x}\_\bullet \\ & \end{array}}\begin{array}{c}F[\text{Stop}]\\ ⊚\\ F[\text{SyncComm}]\\ \otimes \\ F[\text{Hash}]\end{array}\\ \\ \text{Leakage}:=\{\text{Hash},\text{stop}\}\end{array}}⊲\mathcal{P}[\text{EchoBroadcast}]$$ \boxed{ \begin{matrix} \colorbox{FBCFE8}{\large $\mathscr{P}[\text{Convert}]$ }\cr \cr \boxed{ \small{ \begin{aligned} &\colorbox{FBCFE8}{\large $P_i$ }\cr \cr &Z\_{j i}, f_i \gets \bot\cr \cr &\underline{ (1)\text{SetMask}_i(): }\cr &\enspace f_i \xleftarrow{\$} \{ f_i \in \mathbb{F}_q[X]\_{\leq t - 1} \mid f_i(0) = 0 \\} \cr &\enspace F_i \gets f_i \cdot G \cr &\enspace \text{SetCommit}_i(F_i) \cr &\enspace \text{Commit}_i() \cr \cr &\underline{ \text{WaitMask}_i(): }\cr &\enspace \text{WaitCommit}_i() \cr \cr &\underline{ (1)\text{Share}_i(z_i): }\cr &\enspace \text{Open}_i() \cr &\enspace Z_i \gets z_i \cdot G \cr &\enspace \pi_i \gets \text{Prove}_i^\varphi(Z_i; z_i) \cr &\enspace \Rsh_i(\star, (Z_i, \pi_i), 0) \cr &\enspace \Rsh_i(\star, [z_i + f_i(j) \mid j \in [n]], 1) \cr \cr &\underline{ \text{WaitShare}_i(): }\cr &\enspace F\_\bullet \gets \text{WaitOpen}_i() \cr &\enspace (Z\_{\bullet i}, \pi\_{\bullet i}) \gets \Lsh_i(\star, 0) \cr &\enspace \texttt{if } \exists j.\ \neg \text{Verify}^\varphi(\pi\_{ji}, Z_j) \cr &\enspace\enspace \texttt{stop}(\star, 0) \cr &\enspace x\_{\bullet i} \gets \Lsh_i(\star, 1) \cr &\enspace x_i \gets \sum_j x\_{ji},\ Z \gets \sum_j Z_j, \enspace F \gets Z + \sum_j F_j \cr &\enspace \texttt{if } \exists j.\ (\text{deg}(F_j) \neq t - 1 \lor F_j(0) \neq 0) \lor x_i \cdot G \neq F(i): \cr &\enspace\enspace \texttt{stop}(\star, 1) \cr &\enspace \texttt{return } (x_i, Z) \cr \cr &\underline{ \text{Z}_i(j): }\cr &\enspace \texttt{return } Z\_{ji} \cr \end{aligned} } } \quad \begin{matrix} F[\text{SyncComm}]\cr \circledcirc \cr F[\text{Stop}] \end{matrix}\cr \cr \text{Leakage} := \{\texttt{stop}\} \end{matrix} } \lhd \mathscr{P}[\text{Commit}] $$\boxed{\begin{array}{c}\mathcal{P}[\text{KeyShare}]\\ \\ \boxed{\begin{array}{rl}& P_i\\ & \\ & \underline{(1){\text{Share}}_i(z):}\\ & z_i\leftarrow z\\ & f_i\stackrel{\$}{\leftarrow }\{f_i\in {\mathbb{F}}_q[X]\_\le t-1\mid f_i(0)=s_i\}\\ & F_i\leftarrow f_i\cdot G\\ & {\text{SetCommit}}_i(F_i)\\ & {\text{Commit}}_i()\\ & \\ & {\text{WaitCommit}}_i()\\ & {\text{Open}}_i()\\ & {\pi }_i\leftarrow {\text{Prove}}_i^{\phi }(F_i(0);z_i)\\ & {\Rsh }_i(\star ,{\pi }_i,0)\\ & {\Rsh }_i(\star ,[f_i(j)\mid j\in [n]],1)\\ & \\ & F\_\bullet \leftarrow {\text{WaitOpen}}_i()\\ & \pi \_\bullet i\leftarrow {\Lsh }_i(\star ,1)\\ & \text{if }\exists j.\neg {\text{Verify}}^{\phi }(\pi \_ji,F_j(0))\\ & \text{stop}(\star ,0)\\ & x\_\bullet i\leftarrow {\Lsh }_i(\star ,1)\\ & x_i\leftarrow \sum _{j}x\_ji,F\leftarrow \sum _j{F}_j(0)\\ & \text{if }\exists j.\text{deg}(F_j)\ne t-1\vee x_i\cdot G\ne F(i):\\ & \text{stop}(\star ,3)\\ & \text{return }(x_i,F(0))\end{array}}\begin{array}{c}F[\text{SyncComm}]\\ ⊚\\ F[\text{Stop}]\end{array}\\ \\ \text{Leakage}:=\{\text{stop}\}\end{array}}⊲\mathcal{P}[\text{Commit}]$$ $$\boxed{\begin{array}{c}\mathcal{P}[\text{KeyGen}]\\ \\ \boxed{\begin{array}{rl}& P_i\\ & \\ & \underline{(1){\text{Gen}}_i():}\\ & s\stackrel{\$}{\leftarrow }{\mathbb{F}}_q\\ & \text{return }{\text{Share}}_i(s)\end{array}}\end{array}}⊲\mathcal{P}[\text{KeyShare}]$$ $$\boxed{\begin{array}{c}\mathcal{P}[\text{Presign}]\\ \\ \boxed{\begin{array}{rl}& P_i\\ & \\ & {\text{setup}}_i\leftarrow \text{false}\\ & x_i,X\leftarrow \perp \\ & \\ & \underline{(1){\text{Setup}}_i():}\\ & (x_i,X)\leftarrow {\text{Gen}}_i()\\ & {\text{setup}}_i\leftarrow \text{true}\\ & \\ & \underline{(1){\text{Presign}}_i^{\tau }():}\\ & \text{assert }{\text{setup}}_i\\ & (a_i,b_i,c_i,A,B,C)\leftarrow {\text{Triple}}_i^{(\tau ,0)}()\\ & (k_i,d_i,{\text{kd}}_i,K,D,\text{KD})\leftarrow {\text{Triple}}_i^{(\tau ,1)}()\\ & {\Rsh }_i(\star ,\lambda (\mathcal{P})\cdot {\text{kd}}_i,1)\\ & {\Rsh }_i(\star ,\lambda (\mathcal{P})\cdot (k_i+a_i),2)\\ & {\Rsh }_i(\star ,\lambda (\mathcal{P})\cdot (x_i+b_i),3)\\ & \\ & \text{kd}\_\bullet {\Lsh }_i(\star ,1)\\ & \text{ka}\_\bullet {\Lsh }_i(\star ,2)\\ & \text{xb}\_\bullet {\Lsh }_i(\star ,3)\\ & \text{kd}\leftarrow \sum _j{\text{kd}}_j\\ & \text{if }\text{kd}\cdot G\ne \text{KD}:\text{stop}(\star ,1)\\ & \text{ka}\leftarrow \sum _j{\text{ka}}_j\\ & \text{if }\text{ka}\cdot G\ne K+A:\text{stop}(\star ,2)\\ & \text{xb}\leftarrow \sum _j{\text{xb}}_j\\ & \text{if }\text{xb}\cdot G\ne X+B:\text{stop}(\star ,3)\\ & \\ & R\leftarrow \frac{1}{\text{kd}}\cdot D\\ & {\sigma }_i\leftarrow \text{ka}\cdot x_i-\text{xb}\cdot a_i+c_i\\ & \text{return }(X,R,k_i,{\sigma }_i)\end{array}}\begin{array}{c}F[\text{SyncComm}]\\ ⊚\\ F[\text{Stop}]\end{array}\\ \\ \text{Leakage}:=\{\text{stop}\}\end{array}}⊲\begin{array}{c}\mathcal{P}[\text{KeyGen}]\\ \otimes \\ \mathcal{P}[\text{Triple}]\end{array}$$ $$\boxed{\begin{array}{c}\mathcal{P}[\text{Sign}]\\ \\ \boxed{\begin{array}{rl}& P_i\\ & \\ & {\text{setup}}_i\leftarrow \text{false}\\ & \\ & \underline{(1){\text{Setup}}_i():}\\ & \text{super}.{\text{Setup}}_i()\\ & {\text{setup}}_i\leftarrow \text{true}\\ & \\ & \underline{(1){\text{Sign}}_i^{\tau }(m):}\\ & \text{assert }{\text{setup}}_i\\ & (X,R,k_i,{\sigma }_i)\leftarrow {\text{Presign}}_i^{\tau }()\\ & s_i\leftarrow \text{Hash}(m)\cdot k_i+x(R)\cdot {\sigma }_i\\ & {\Rsh }_i(\star ,s_i,4)\\ & s\_\bullet \leftarrow {\Lsh }_i(\star ,4)\\ & s\leftarrow \sum _j{s}_j\\ & \text{if }\neg \text{ECDSA}.\text{Verify}(X,m,(R,s)):\\ & \text{stop}(\star ,4)\\ & \text{return }s\end{array}}\begin{array}{c}F[\text{SyncComm}]\\ ⊚\\ F[\text{Stop}]\end{array}\\ \\ \text{Leakage}:=\{\text{stop}\}\end{array}}⊲\mathcal{P}[\text{Presign}]$$ $$\boxed{\begin{array}{c}\mathcal{P}[\text{Multiply}]\\ \\ \boxed{\begin{array}{rl}& P_i\\ & \\ & {\text{start}}_i\leftarrow \perp \\ & \\ & \underline{(1){\text{StartMultiply}}_i(a,b):}\\ & {\text{start}}_i\leftarrow \text{true}\\ & \forall j\ne i.{\text{StartMTA}}_i^{(0,ij)}({\text{Flip}}_i(a,b))\\ & \forall j\ne i.{\text{StartMTA}}_i^{(1,ij)}({\text{Flip}}_i(b,a))\\ & \\ & \underline{(1){\text{EndMultiply}}_i():}\\ & \text{assert }{\text{start}}_i\\ & \text{wait}\_(i,0)\forall j.({\gamma }^0\_j,{\gamma }^1\_j)\leftarrow ({\text{EndMTA}}_i^{(0,ij)}(),{\text{EndMTA}}_i^{(1,ij)}())\\ & \text{return }a\cdot b+\sum _j({\gamma }_j^0+{\gamma }^1\_j)\end{array}}\end{array}}⊲\begin{array}{c}F[\text{MTA}{]}^{n^2}\end{array}$$ $$\boxed{\begin{array}{c}\mathcal{P}[\text{Triple}]\\ \\ \boxed{\begin{array}{rl}& P_i\\ & \\ & \underline{(1){\text{Triple}}_i():}\\ & f_i,e_i\stackrel{\$}{\leftarrow }{\mathbb{F}}_q[X]\_\le t-1\\ & F_i,E_i\leftarrow f_i\cdot G,e_i\cdot G\\ & {\text{SetCommit}}_i((F_i,E_i))\\ & {\text{Commit}}_i()\\ & {\text{SetMask}}_i()\\ & \\ & {\text{WaitCommit}}_i()\\ & {\text{WaitMask}}_i()\\ & {\text{Open}}_i()\\ & {\pi }_i^0\leftarrow {\text{Prove}}^{\phi }(F_i(0);f_i(0))\\ & {\pi }_i^1\leftarrow {\text{Prove}}^{\phi }(E_i(0);e_i(0))\\ & {\Rsh }_i(\star ,({\pi }_i^0,{\pi }_i^1),0)\\ & {\Rsh }_i(\star ,[(f_i(j),e_i(j))\mid j\in [n]],1)\\ & \\ & (F\_\bullet ,E\_\bullet )\leftarrow {\text{WaitOpen}}_i()\\ & ({\pi }^0\_\bullet i,{\pi }^1\_\bullet i)\leftarrow {\Lsh }_i(\star ,1)\\ & (a\_\bullet i,b\_\bullet i)\leftarrow {\Lsh }_i(\star ,1)\\ & a_i\leftarrow \sum _{j}a\_ji,F\leftarrow \sum _j{F}_j(0)\\ & b_i\leftarrow \sum _{j}a\_ji,E\leftarrow \sum _j{E}_j(0)\\ & {\text{bad}}^0\leftarrow \exists j.\neg {\text{Verify}}^{\phi }({\pi }_j^0,F_j(0))\\ & {\text{bad}}^1\leftarrow \exists j.\neg {\text{Verify}}^{\phi }({\pi }_j^1,E_j(0))\\ & \text{if }{a}_i\cdot G\ne E(i)\vee b_i\cdot G\ne F(i)\vee {\text{bad}}^0\vee {\text{bad}}^1\\ & \text{stop}(\star ,0)\\ & {\text{Multiply}}_i(f_i(0),e_i(0))\\ & C_i\leftarrow e_i(0)\cdot F(0)\\ & {\pi }_i^2\leftarrow {\text{Prove}}^{\psi }(E_i(0),F(0),C_i;e_i(0))\\ & {\Rsh }_i(\star ,(C_i,{\pi }_i),1)\\ & \\ & (C\_\bullet ,{\pi }^2\_\bullet ){\Lsh }_i(\star ,1)\\ & \text{if }\exists j.\neg {\text{Verify}}^{\psi }({\pi }_j^2,(E_j(0),F(0),C_j))\\ & \text{stop}(\star ,1)\\ & z_i\leftarrow {\text{WaitMultiply}}_i()\\ & {\text{Share}}_i(z_i)\\ & c_i\leftarrow {\text{WaitShare}}_i(C)\\ & \text{return }(a_i,b_i,c_i,E(0),F(0),C)\end{array}}\begin{array}{c}F[\text{ZK}(\psi )]\\ \otimes \\ F[\text{SyncComm}]\\ ⊚\\ F[\text{Stop}]\end{array}\\ \\ \text{Leakage}:=\{\text{stop}\}\end{array}}⊲\begin{array}{c}\mathcal{P}[\text{Commit}]\\ \otimes \\ \mathcal{P}[\text{Convert}]\\ \otimes \\ \mathcal{P}[\text{Multiply}]\end{array}$$

Ideal Protocols

$$\boxed{\begin{array}{c}\mathcal{P}[\text{IdealBroadcast}]\\ \\ \boxed{\begin{array}{rl}& P_i\\ & \\ & \underline{(1){\text{StartBroadcast}}_i(x):}\\ & {\text{SetBroadcast}}_i(x)\\ & {\text{SendBroadcast}}_i(\star )\\ & \\ & \underline{{\text{WaitBroadcast}}_i():}\\ & x\_\bullet \leftarrow {\text{GetBroadcast}}_i(\star )\\ & {\text{Sync}}_i(\star )\\ & \text{return }x\_\bullet \\ & \\ & \underline{{\text{EndBroadcast}}_i():}\\ & {\text{WaitSync}}_i(\star )\\ & \text{if }{\text{BadBroadcast}}_i():\\ & \text{stop}(\star ,1)\end{array}}\begin{array}{c}\boxed{\begin{array}{rl}& F[\text{Broadcast}]\\ & \\ & x_i,\text{sent}\_ij,\text{trap}\_ij\leftarrow \perp \\ & \\ & \underline{(1){\text{SetBroadcast}}_i(x):}\\ & x_i\leftarrow x\\ & \\ & \underline{{\text{SendBroadcast}}_i(S):}\\ & \text{assert }{x}_i\ne \perp \\ & \text{sent}\_ij\leftarrow \text{true}(\forall j\in S)\\ & \\ & \underline{{\text{GetBroadcast}}_i(S):}\\ & \text{wait}\_(i,0)\text{sent}\_ji(\forall j\in S)\\ & \text{return }[x_j\mid j\in S]\\ & \\ & \underline{\text{Trap}(j,m\_\bullet ):}\\ & \text{assert }\forall i.m_i=\perp \vee (\text{trap}\_ij=\perp \wedge x_i=\perp )\\ & \text{trap}\_ij\leftarrow m_i\\ & \\ & \underline{{\text{BadBroadcast}}_i():}\\ & \text{return }\exists j.\text{trap}\_ji\ne \perp \wedge \text{trap}\_ji\ne x\_j\end{array}}\\ \otimes \\ F[\text{Sync}(1)]\\ \otimes \\ F[\text{Stop}]\end{array}\\ \\ \text{Leakage}:=\{\text{Trap},\text{stop}\}\end{array}}$$ $$\boxed{\begin{array}{c}\mathcal{P}[\text{IdealCommit}]\\ \\ \boxed{\begin{array}{rl}& P_i\\ & \\ & \underline{(1){\text{SetCommit}}_i(x):}\\ & {\text{SetCommit}}_i(x)\\ & \\ & \underline{{\text{Commit}}_i():}\\ & {\text{Commit}}_i(\star )\\ & \\ & \underline{{\text{WaitCommit}}_i():}\\ & {\text{WaitCommit}}_i(\star )\\ & {\text{Sync}}_i(\star )\\ & \\ & \underline{{\text{Open}}_i():}\\ & {\text{Open}}_i(\star )\\ & \\ & \underline{{\text{WaitOpen}}_i():}\\ & {\text{WaitCommit}}_i()\\ & {\text{WaitSync}}_i(\star )\\ & \text{return }{\text{WaitOpen}}_i(\star )\end{array}}\begin{array}{c}\boxed{\begin{array}{rl}& F[\text{Commit}]\\ & \\ & x_i,\text{com}\_ij,\text{open}\_ij\leftarrow \perp \\ & \\ & \underline{(1){\text{SetCommit}}_i(x):}\\ & x_i\leftarrow x\\ & \\ & \underline{{\text{Commit}}_i(S):}\\ & \text{com}\_ij\leftarrow \text{true}(\forall j\in S)\\ & \\ & \underline{{\text{WaitCommit}}_i(S):}\\ & \text{wait}\_(i,0)\forall j\in S.\text{com}\_ji\\ & \\ & \underline{{\text{Open}}_i(S):}\\ & \text{assert }{x}_i\ne \perp \\ & \text{open}\_ij\leftarrow \text{true}(\forall j\in S)\\ & \\ & \underline{{\text{WaitOpen}}_i(S):}\\ & \text{wait}\_(i,2)\forall j\in S.\text{open}\_ji\\ & \text{return }x\_\bullet \end{array}}\\ \otimes \\ F[\text{Sync}(1)]\\ ⊚\\ F[\text{Stop}]\end{array}\\ \\ \text{Leakage}:=\{\text{stop}\}\end{array}}$$ $$\boxed{\begin{array}{c}F[\text{MTA}]\\ \\ \boxed{\begin{array}{rl}& P_i\\ & \\ & a_1,a_2,{\beta }_1,{\beta }_2\leftarrow \perp \\ & \Delta \leftarrow \perp \\ & \\ & \underline{(1){\text{StartMTA}}_i(a):}\\ & a_i\leftarrow a\\ & \\ & \underline{\text{Sample}():}\\ & \text{assert }{a}_1,a_2,\Delta \ne \perp \\ & \text{if }{\beta }_1,{\beta }_2=\perp :\\ & ({\beta }_1,{\beta }_2)\stackrel{\$}{\leftarrow }\{({\beta }_1,{\beta }_2)\in {\mathbb{F}}_q^2\mid {\beta }_1+{\beta }_2=a_1\cdot a_2+\Delta \}\\ & \\ & \underline{(1){\text{EndMTA}}_i():}\\ & \text{wait}\_(i,0)a_1,a_2,\Delta \ne \perp \\ & \text{Sample}()\\ & \text{return }{\beta }_i\\ & \\ & \underline{(1)\text{Cheat}(\Delta )}\\ & \Delta \leftarrow \Delta \end{array}}\end{array}}$$ $$\boxed{\begin{array}{c}\mathcal{P}[\text{IdealMultiply}]\\ \\ \boxed{\begin{array}{rl}& P_i\\ & \\ & a,b\leftarrow \perp \\ & \\ & \underline{(1){\text{StartMultiply}}_i(a,b):}\\ & a,b\leftarrow a,b\\ & a\_\bullet \leftarrow a,b\_\bullet \leftarrow b\\ & {\text{StartMultiply}}_i(a\_\bullet ,b\_\bullet )\\ & \\ & \underline{(1){\text{EndMultiply}}_i():}\\ & \text{return }a\cdot b+{\text{EndMultiply}}_i()\end{array}}\boxed{\begin{array}{rl}& F[\text{Multiply}]\\ & \\ & a\_ij,b\_ij,{\beta }_i,\Delta \leftarrow \perp \\ & \\ & \underline{(1){\text{StartMultiply}}_i(a\_\bullet ,b\_\bullet ):}\\ & a\_i\bullet \leftarrow a\_\bullet ,b\_i\bullet \leftarrow b\_\bullet \\ & \\ & \underline{(1){\text{EndMultiply}}_i():}\\ & \text{wait}\_(i,0)\forall i\ne j.a\_ij,b\_ij\ne \perp \wedge \Delta \ne \perp \wedge a\_ii\ne \perp \\ & \text{Sample}()\\ & \text{return }{\beta }_i\\ & \\ & \underline{\text{Sample}():}\\ & \text{assert }\forall i\ne j.a\_ij,b\_ij\ne \perp \wedge \Delta \ne \perp \\ & \text{if }\forall i.{\beta }_i=\perp :\\ & c\leftarrow \sum \_i\ne ja\_ij\cdot b\_ji\\ & ({\beta }_1,\dots ,{\beta }_n)\leftarrow \{{\beta }_i\stackrel{\$}{\leftarrow }{\mathbb{F}}_q^n\mid \sum _i{\beta }_i=c+\Delta \}\\ & \\ & \underline{(1)\text{Cheat}(\Delta ):}\\ & \Delta \leftarrow \Delta \\ & \\ & \underline{\text{Leak}(i,j):}\\ & \text{return }a\_ij,b\_ij\ne \perp \end{array}}\end{array}}$$ $$\boxed{\begin{array}{rl}& F[\text{ZK}(\phi )]\\ & \\ & \Pi [\bullet ]\leftarrow \perp \\ & \\ & \underline{{\text{Prove}}_i(b;a):}\\ & \text{assert }\phi (a)=b\\ & \pi \stackrel{\$}{\leftarrow }{\text{01}}^{2\lambda }\\ & \Pi [\pi ]\leftarrow b\\ & \text{return }\pi \\ & \\ & \underline{\text{Verify}(\pi ,b):}\\ & \text{return }\Pi [\pi ]\ne \perp \wedge \Pi [\pi ]=b\end{array}}$$

Connections

(All for negligeable epsilon, and up to $t-1$ malicious corruptions.)

• $\mathcal{P}[\text{EchoBroadcast}]⇝\mathcal{P}[\text{IdealBroadcast}]$.
• $\mathcal{P}[\text{Commit}]⇝\mathcal{P}[\text{IdealCommit}]$
• $\mathcal{P}[\text{KeyShare}]⇝\mathcal{P}[\text{IdealKeyShare}]$
• $\mathcal{P}[\text{KeyGen}]⇝\mathcal{P}[\text{IdealKeyGen}]$
• $\mathcal{P}[\text{Convert}]⇝\mathcal{P}[\text{IdealConvert}]$
• $\mathcal{P}[\text{Presign}]⇝\mathcal{P}[\text{IdealPresign}]$
• $\mathcal{P}[\text{Sign}]⇝\mathcal{P}[\text{IdealSign}]$
• $\mathcal{P}[\text{Multiply}]⇝F[\text{Multiply}]$
• $\mathcal{P}[\text{Triple}]⇝\mathcal{P}[\text{IdealTriple}]$