Section 6.1)
We will first give a description of the simulator and then argue indistinguishability between the real and ideal worlds.
Simulator: The simulator $\mathsf{Sim}$ is given the security parameter $\lambda$ and an auxiliary input $z$. Let $f$ be representable by a circuit $C$ of depth $\le d$. Let $(t_{Sm}, t_{Sh}, t_{Fc})$ be the corruption thresholds of the adversary, where $2t_{Sm} + t_{Sh} + t_{Fc} < N$. Let $\mathbb{A}$ be the $(N - t_{Sm} - t_{Fc})$-out-of-$N$ access structure. $\mathsf{Sim}$ proceeds as follows:
– Before Protocol Execution: From the semi-malicious mixed adversary $\mathsf{Adv}$, $\mathsf{Sim}$ receives a tuple of sets $(A_{Sm}, A_{Sh}, A_{Fc})$ of corrupted parties, with $|A_{Sm}| \le t_{Sm}$, $|A_{Sh}| \le t_{Sh}$, and $|A_{Fc}| \le t_{Fc}$.
– Input Commitment Phase (Round 1): For every fail-corrupt party that $\mathsf{Adv}$ wishes to abort in this round, $\mathsf{Sim}$ instructs the corresponding party. For each honest and each fail-corrupt party $P_i$ not yet instructed to abort, $\mathsf{Sim}$ does the following:
  1. Run $\mathsf{TMFHE.DistSetup}(1^\lambda, 1^d, 1^N, i)$ to compute $\mathsf{params}_i$.
  2. Run $\mathsf{TMFHE.KeyGen}(1^\lambda)$ to compute $(pk_i, sk_i)$.
  3. Give $(\mathsf{params}_i, pk_i)$ as $P_i$'s round 1 message to $\mathsf{Adv}$.
  $\mathsf{Sim}$ then receives round 1 messages from $\mathsf{Adv}$ on behalf of every party in the sets $A_{Sm}$ and $A_{Sh}$.
– Input Commitment Phase (Round 2): For every fail-corrupt party that $\mathsf{Adv}$ wishes to abort in this round, $\mathsf{Sim}$ instructs the corresponding party. Then, $\mathsf{Sim}$ parses the message (if one was sent) from party $P_j$ as $(\mathsf{params}_j, pk_j)$. Let $S_1 \subseteq [N]$ be the set of parties that sent a message in round 1. It truncates each $\mathsf{params}_j$ to the appropriate size for $|S_1|$ parties and sets $\mathsf{params}$ as the concatenation of the truncated $\mathsf{params}_j$'s for all $j \in S_1$. Let $PK$ denote $\{pk_j\}_{j \in S_1}$. Let $\mathbb{A}'$ be the access structure induced by restricting $\mathbb{A}$ to the parties in $S_1$. Let $S^2_{hon}$ be the set of honest and fail-corrupt parties that send a message in round 2. Let $S^1_{corr}$ be the set of corrupted (semi-malicious and semi-honest) parties that sent a message in round 1. $\mathsf{Sim}$ does the following:
  1. Run $\mathsf{Sim}_1(\mathsf{params}, PK, \mathbb{A}', S^1_{corr}, S^2_{hon})$ to compute $(\{ct_i\}_{i \in S^2_{hon}}, \mathsf{state})$, where $\mathsf{Sim}_1$ is the first algorithm of the TMFHE simulator.
  2. Give $ct_i$ as $P_i$'s round 2 message to $\mathsf{Adv}$ for $i \in S^2_{hon}$.
  Let $S_2 \subseteq [N]$ be the set of parties that sent a round 2 message. For semi-maliciously and semi-honestly corrupted parties $P_i$ in $S_2$, $\mathsf{Sim}$ receives the input $x_i$ used by $\mathsf{Adv}$ and sends it to the trusted party. For the fail-corrupt parties that already aborted, $\mathsf{Sim}$ sends $0^\lambda$ to the trusted party.
– Query to Ideal Functionality: $\mathsf{Sim}$ receives the output $b$ from the trusted party.
– Computation Phase (Round 3): For every fail-corrupt party that $\mathsf{Adv}$ wishes to abort in this round, $\mathsf{Sim}$ instructs the corresponding party. Let $CT = \{ct_j\}_{j \in S_2}$. Let $C'$ be the circuit induced by hardcoding the inputs to $C$ corresponding to aborted fail-corrupt parties as $0^\lambda$. Let $S^3_{hon}$ be the set of honest and fail-corrupt parties that have not yet been told to abort in round 3 by $\mathsf{Adv}$. For corrupted (semi-honest and semi-malicious) parties $P_i$ in $S^1_{corr}$, $\mathsf{Sim}$ extracts the secret keys $sk_i$ that they generated. $\mathsf{Sim}$ does the following:
  1. Run $\mathsf{Sim}_2(\mathsf{state}, b, \hat{ct}, S^1_{corr}, S^2_{hon}, \{sk_i\}_{i \in S^1_{corr}})$ to compute $\{p_j\}_{j \in S^2_{hon}}$, where $\mathsf{Sim}_2$ is the second algorithm of the TMFHE simulator and $\hat{ct}$ is the ciphertext obtained by evaluating $C'$ on the ciphertexts in $CT$.
  2. For $j \in S^3_{hon}$, give $p_j$ as $P_j$'s round 3 message to $\mathsf{Adv}$.
– Output to Honest Parties: $\mathsf{Sim}$ tells the trusted party to send $b$ to all honest parties.
Lemma 9. For any tuple of thresholds $(t_{Sm}, t_{Sh}, t_{Fc})$ with $2t_{Sm} + t_{Sh} + t_{Fc} < N$, for any $(t_{Sm}, t_{Sh}, t_{Fc})$-semi-malicious mixed adversary $\mathsf{Adv} = (A_{Sm}, A_{Sh}, A_{Fc})$, for the above simulator $\mathsf{Sim}$,
$$\left|\Pr[D(\mathsf{REAL}_{\Pi, \mathsf{Adv}(z)}(\lambda, \vec{x})) = 1] - \Pr[D(\mathsf{IDEAL}_{f, \mathsf{Sim}(z)}(\lambda, \vec{x})) = 1]\right| \le \mathsf{negl}(\lambda)$$
for any PPT distinguisher $D$.
Proof. Suppose there was some $(t_{Sm}, t_{Sh}, t_{Fc})$-semi-malicious mixed adversary $\mathsf{Adv} = (A_{Sm}, A_{Sh}, A_{Fc})$ for which there existed a distinguisher $D$ that could distinguish between the real and ideal world experiments. Then, there exists an adversary $\mathsf{Adv}'$ that could break the security of the underlying TMFHE scheme. Recall that $\mathbb{A}$ is the $(N - t_{Sm} - t_{Fc})$-out-of-$N$ access structure. $\mathsf{Adv}'$ proceeds as follows.
1. $\mathsf{Adv}'$ runs $\mathsf{Adv}$, which outputs a tuple of sets $(A_{Sm}, A_{Sh}, A_{Fc})$ of corrupted parties.
2. $\mathsf{Adv}$ outputs a set of fail-corrupt parties $S^1_{inp} \subseteq A_{Fc}$ that will abort in round 1 (they will never send a message). Let $S_{parties} = [N] \setminus S^1_{inp}$ and let $N' = |S_{parties}|$. $\mathsf{Adv}'$ outputs $N' \le N$ as its number of parties, the corrupted set $S = (A_{Sm} \cup A_{Sh}) \subseteq S_{parties}$, and the access structure $\mathbb{A}'$ induced by restricting $\mathbb{A}$ to the parties in $S_{parties}$.
3. For $i \in S_{parties} \setminus S$, $\mathsf{Adv}'$ receives $(\mathsf{params}_i, pk_i)$ and gives this to $\mathsf{Adv}$ as $P_i$'s round 1 message.
4. For each $j \in S$, $\mathsf{Adv}$ will output $(\mathsf{params}_j, pk_j)$. By running $\mathsf{Adv}$, $\mathsf{Adv}'$ is able to determine the randomness $r_j^{KeyGen}$ used by $\mathsf{Adv}$ to generate $pk_j$ and outputs $(\mathsf{params}_j, r_j^{KeyGen})$.
5. Let $S^2_{hon}$ be the set of honest and fail-corrupt parties that will send a round 2 message. $\mathsf{Adv}'$ outputs this set along with the inputs $x_i \in \{0,1\}^\lambda$ for $i \in S^2_{hon}$. $\mathsf{Adv}'$ is given $ct_i$ for $i \in S^2_{hon}$ and gives this to $\mathsf{Adv}$ as $P_i$'s round 2 message.
6. By running $\mathsf{Adv}$, $\mathsf{Adv}'$ is able to extract the input $x_i$ and randomness $r_i^{Encrypt}$ used by $\mathsf{Adv}$ for each $i \in S$. $\mathsf{Adv}'$ outputs $(x_i, r_i^{Encrypt})$ for all $i \in S$.
7. Let $S_2 = (S^2_{hon} \cup A_{Sm} \cup A_{Sh})$ be the set of parties that sent a round 2 message. Let $C'$ be the circuit induced by $C$ by setting the input of all parties that did not send a round 2 message to $0^\lambda$. $\mathsf{Adv}'$ outputs $C'$ along with $S_2$.
8. Let $S^3_{hon}$ be the set of honest and fail-corrupt parties that send a round 3 message. $\mathsf{Adv}'$ outputs $S^3_{hon}$ and receives partial decryptions $p_i$ for $i \in S^3_{hon}$. $\mathsf{Adv}'$ gives these to $\mathsf{Adv}$ as $P_i$'s round 3 message. $\mathsf{Adv}$ outputs some function of its view and $\mathsf{Adv}'$ outputs the same value along with $\{x_i\}_{i \notin S}$.
Since $\mathbb{A}$ is the $(N - t_{Sm} - t_{Fc})$-out-of-$N$ access structure and $2t_{Sm} + t_{Sh} + t_{Fc} < N$, it follows that $|A_{Sm} \cup A_{Sh}| \le t_{Sm} + t_{Sh} < N - t_{Sm} - t_{Fc}$, and therefore $A_{Sm} \cup A_{Sh} \notin \mathbb{A}'$ (the $(N - t_{Sm} - t_{Fc})$-out-of-$N'$ access structure), so $\mathsf{Adv}'$ is a valid adversary for the TMFHE security game. If $\mathsf{Adv}'$ is interacting with the real TMFHE security game, it simulates the real world experiment for $\Pi$ exactly for some fixed inputs. Similarly, if $\mathsf{Adv}'$ is interacting with the simulated TMFHE security game, it simulates the ideal world experiment for $\Pi$ exactly. Therefore, the existence of $\mathsf{Adv}$ would result in an adversary that could break the security of the TMFHE scheme, a contradiction.
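The counting argument above (and the same threshold condition in Appendix E, with $t_{Mal}$ in place of $t_{Sm}$) can be checked exhaustively for small $N$. The following script is an added example and not code from the paper: it enumerates every corruption pattern within the thresholds and confirms that the corrupted set is never authorized for the $(N - t_{Sm} - t_{Fc})$-out-of-$N$ structure, while the honest and semi-honest parties always are; the function names and the sample thresholds are my own choices.

```python
from itertools import combinations

def thresholds_ok(n, t_mal, t_sh, t_fc):
    """The lemma's precondition: 2*t_mal + t_sh + t_fc < N."""
    return 2 * t_mal + t_sh + t_fc < n

def access_threshold(n, t_mal, t_fc):
    """A is the (N - t_mal - t_fc)-out-of-N threshold access structure."""
    return n - t_mal - t_fc

def authorized(party_set, k):
    """Membership in A. Restricting A to the round-1 senders S1 gives A',
    the k-out-of-N' structure: k is unchanged, only the party count shrinks."""
    return len(party_set) >= k

def subsets_up_to(pool, t):
    """All subsets of pool with at most t elements."""
    for size in range(t + 1):
        for combo in combinations(sorted(pool), size):
            yield frozenset(combo)

def check_all_corruptions(n, t_mal, t_sh, t_fc):
    """Enumerate every disjoint (A_mal, A_sh, A_fc) within the thresholds and
    return (privacy_ok, robustness_ok):
      privacy_ok    - A_mal u A_sh is never authorized, so the reduction's
                      adversary Adv' is a valid TMFHE adversary;
      robustness_ok - honest u semi-honest parties are always authorized, so
                      their partial decryptions reconstruct the output even if
                      every malicious and fail-corrupt party aborts."""
    k = access_threshold(n, t_mal, t_fc)
    parties = frozenset(range(n))
    privacy_ok = robustness_ok = True
    for a_mal in subsets_up_to(parties, t_mal):
        for a_sh in subsets_up_to(parties - a_mal, t_sh):
            for a_fc in subsets_up_to(parties - a_mal - a_sh, t_fc):
                corrupt = a_mal | a_sh
                survivors = parties - a_mal - a_fc   # honest u semi-honest
                if authorized(corrupt, k):
                    privacy_ok = False
                if not authorized(survivors, k):
                    robustness_ok = False
    return privacy_ok, robustness_ok

if __name__ == "__main__":
    # Constructed sample thresholds: the first satisfies the lemma's
    # inequality, the second is tight (2*1 + 2 + 2 = 6) and loses privacy.
    for params in [(7, 1, 2, 2), (6, 1, 2, 2)]:
        print(params, thresholds_ok(*params), check_all_corruptions(*params))
```

For the tight case the corrupted set can reach the threshold while robustness still holds, which shows that the strict inequality is exactly what keeps the adversary unauthorized.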
E Round-Optimal MPC Secure Against Mixed Adversaries: Security Proof (Theorem 6)
We provide a description of the simulator.
Simulator: The simulator $\mathsf{Sim}$ is given the security parameter $\lambda$ and an auxiliary input $z$. Let $f$ be representable by a circuit $C$ of depth $\le d$. Let $(t_{Mal}, t_{Sh}, t_{Fc})$ be the corruption thresholds of the adversary, where $2t_{Mal} + t_{Sh} + t_{Fc} < N$. Let $\mathbb{A}$ be the $(N - t_{Mal} - t_{Fc})$-out-of-$N$ access structure. Let $\mathsf{ExtGen}, \mathsf{Ext}, \mathsf{SimProve}$ be the extraction and simulation algorithms associated with the simulation-extractable multi-string NIZK. $\mathsf{Sim}$ proceeds as follows:
– Before Protocol Execution: $\mathsf{Sim}$ receives a tuple of sets $(A_{Mal}, A_{Sh}, A_{Fc})$ of corrupted parties, with $|A_{Mal}| \le t_{Mal}$, $|A_{Sh}| \le t_{Sh}$, and $|A_{Fc}| \le t_{Fc}$.
– Round 1: For every fail-corrupt party that $\mathsf{Adv}$ wishes to abort in this round, $\mathsf{Sim}$ instructs the corresponding party. For each honest and each fail-corrupt party $P_i$ not yet instructed to abort, $\mathsf{Sim}$ does the following:
  1. Run $\mathsf{TMFHE.DistSetup}(1^\lambda, 1^d, 1^N, i)$ to compute $\mathsf{params}_i$.
  2. Run $\mathsf{TMFHE.KeyGen}(1^\lambda)$ to compute $(pk_i, sk_i)$.
  3. Run $\mathsf{ExtGen}(1^\lambda)$ to compute $(crs_i, \tau_i, \xi_i)$.
  4. Give $(\mathsf{params}_i, pk_i, crs_i)$ as $P_i$'s round 1 message to $\mathsf{Adv}$.
  For each semi-honest corrupt party $P_i \in A_{Sh}$, $\mathsf{Sim}$ does the following:
  1. Sample randomness $r_i^{DistSetup}$ and $r_i^{KeyGen}$ to be used by the $\mathsf{TMFHE.DistSetup}$ and $\mathsf{TMFHE.KeyGen}$ algorithms, respectively.
  2. Run $\mathsf{ExtGen}(1^\lambda)$ to compute $(crs_i, \tau_i, \xi_i)$.
  3. Give $(r_i^{DistSetup}, r_i^{KeyGen}, crs_i)$ as $P_i$'s round 1 randomness (note that this forces $P_i$ to output $crs_i$ as its CRS, as the CRS is uniform).
  $\mathsf{Sim}$ then receives round 1 messages from $\mathsf{Adv}$ on behalf of every party in the sets $A_{Mal}$ and $A_{Sh}$. Let $S_{crs}$ denote the set of honest parties, semi-honest parties, and fail-corrupt parties that sent a message in round 1.
– Round 2: For every fail-corrupt party that $\mathsf{Adv}$ wishes to abort in this round, $\mathsf{Sim}$ instructs the corresponding party. Then, $\mathsf{Sim}$ parses the message (if one was sent) from party $P_j$ as $(\mathsf{params}_j, pk_j, crs_j)$. Let $S_1 \subseteq [N]$ be the set of parties that sent a message in round 1. It truncates each $\mathsf{params}_j$ to the appropriate size for $|S_1|$ parties and sets $\mathsf{params}$ as the concatenation of the truncated $\mathsf{params}_j$'s for all $j \in S_1$. Let $PK$ denote $\{pk_j\}_{j \in S_1}$. Let $CRS$ denote $\{crs_j\}_{j \in S_1}$. Let $\mathbb{A}'$ be the access structure induced by restricting $\mathbb{A}$ to the parties in $S_1$. Let $S^2_{hon}$ be the set of honest and fail-corrupt parties that send a message in round 2. Let $T = \{\tau_j\}_{j \in S_{crs}}$. Let $E = \{\xi_j\}_{j \in S_{crs}}$. Let $S^1_{corr}$ be the set of corrupted (malicious or semi-honest) parties that sent a message in round 1. $\mathsf{Sim}$ does the following:
  1. Run $\mathsf{Sim}_1(\mathsf{params}, PK, \mathbb{A}', S^1_{corr}, S^2_{hon})$ to obtain $(\{ct_i\}_{i \in S^2_{hon}}, \mathsf{state})$, where $\mathsf{Sim}_1$ is the first algorithm of the TMFHE simulator.
  2. For each honest and fail-corrupt party $P_i$ not yet instructed to abort, run $\mathsf{SimProve}(CRS, T, y_i)$ to compute $\pi_i$, where $y_i$ is the statement that there exists some input $x$ and randomness $r$ such that $\mathsf{TMFHE.Encrypt}(\mathsf{params}, PK, \mathbb{A}', x; r) = ct_i$.
  3. Give $(ct_i, \pi_i)$ as $P_i$'s round 2 message to $\mathsf{Adv}$ for $i \in S^2_{hon}$.
  $\mathsf{Sim}$ then receives round 2 messages from $\mathsf{Adv}$ on behalf of every party in the sets $A_{Mal}$ and $A_{Sh}$.
– Query to Ideal Functionality:
  1. Parse the round 2 message (if one was sent) from $P_j$ as $(ct_j, \pi_j)$ and check that $\mathsf{NIZK.Verify}(CRS, y_j, \pi_j) = 1$. Let $S_2 \subseteq S_1$ be the set of parties that sent a round 2 message that passed verification. For semi-honest parties $P_j$ in $S_2$, $\mathsf{Sim}$ receives the input $x_j$ used by $\mathsf{Adv}$ and sends it to the trusted party. For the fail-corrupt and malicious parties that already aborted, $\mathsf{Sim}$ sends $0^\lambda$ to the trusted party. For malicious parties $P_j$ in $S_2$, $\mathsf{Sim}$ runs $\mathsf{Ext}(CRS, E, y_j, \pi_j)$ to extract a witness $(x_j, r_j)$ used by $\mathsf{Adv}$ and sends $x_j$ to the trusted party as $P_j$'s input.
  2. $\mathsf{Sim}$ receives the output $b$ from the trusted party.
– Round 3: For every fail-corrupt party that $\mathsf{Adv}$ wishes to abort in this round, $\mathsf{Sim}$ instructs the corresponding party. Let $CT = \{ct_j\}_{j \in S_2}$. Let $C'$ be the circuit induced by hardcoding the inputs to $C$ corresponding to parties not in $S_2$ as $0^\lambda$. Let $S^2_{corr}$ be the set of corrupted parties that sent a round 2 message that passed verification. Let $S^3_{hon}$ be the set of honest and fail-corrupt parties that have not yet been told to abort in round 3 by $\mathsf{Adv}$. $\mathsf{Sim}$ does the following:
  1. Run $\mathsf{Sim}_2(\mathsf{state}, b, \hat{ct}, S^1_{corr}, S^2_{hon}, \{(x_i, r_i)\}_{i \in S^2_{corr}})$ to obtain $\{p_j\}_{j \in S^2_{hon}}$, where $\mathsf{Sim}_2$ is the second algorithm of the modified TMFHE simulator that uses the $(x_i, r_i)$'s of the corrupted parties' round 2 messages to simulate, and $\hat{ct}$ is the evaluated ciphertext obtained by evaluating $C'$ on the ciphertexts in $CT$.
  2. For $j \in S^3_{hon}$, run $\mathsf{SimProve}(CRS, T, z_j)$ to compute $\pi'_j$, where $z_j$ is the statement that there exist some randomness $r, r'$ such that $\mathsf{TMFHE.KeyGen}(1^\lambda; r) = (pk_j, sk)$ and $\mathsf{TMFHE.PartDec}(j, sk, \hat{ct}; r') = p_j$.
  3. For $j \in S^3_{hon}$, give $(p_j, \pi'_j)$ as $P_j$'s round 3 message to $\mathsf{Adv}$.
– Output to Honest Parties: $\mathsf{Sim}$ tells the trusted party to send $b$ to all honest parties.
Security with respect to this simulator follows from the properties of the simulation-extractable multi-string NIZK and the security of the underlying TMFHE scheme with respect to $\mathsf{Sim}_1, \mathsf{Sim}_2$.