Journal of Cryptology

, Volume 32, Issue 3, pp 690–741 | Cite as

Probabilistic Termination and Composability of Cryptographic Protocols

  • Ran CohenEmail author
  • Sandro Coretti
  • Juan Garay
  • Vassilis Zikas


When analyzing the round complexity of multi-party protocols, one often overlooks the fact that underlying resources, such as a broadcast channel, can by themselves be expensive to implement. For example, it is well known that it is impossible to implement a broadcast channel by a (deterministic) protocol in a sublinear (in the number of corrupted parties) number of rounds. The seminal works of Rabin and Ben-Or from the early 1980s demonstrated that limitations as the above can be overcome by using randomization and allowing parties to terminate at different rounds, igniting the study of protocols over point-to-point channels with probabilistic termination and expected constant round complexity. However, absent a rigorous simulation-based definition, the suggested protocols are proven secure in a property-based manner or via ad hoc simulation-based frameworks, therefore guaranteeing limited, if any, composability. In this work, we put forth the first simulation-based treatment of multi-party cryptographic protocols with probabilistic termination. We define secure multi-party computation (MPC) with probabilistic termination in the UC framework and prove a universal composition theorem for probabilistic termination protocols. Our theorem allows to compile a protocol using deterministic termination hybrids into a protocol that uses expected constant round protocols for emulating these hybrids, preserving the expected round complexity of the calling protocol. We showcase our definitions and compiler by providing the first composable protocols (with simulation-based security proofs) for the following primitives, relying on point-to-point channels: (1) expected constant round perfect Byzantine agreement, (2) expected constant round perfect parallel broadcast, and (3) perfectly secure MPC with round complexity independent of the number of parties.


Probabilistic termination Universal composition Cryptographic protocols Randomized Byzantine agreement. 


  1. 1.
    G. Asharov, A. Jain, A. López-Alt, E. Tromer, V. Vaikuntanathan, D. Wichs, Multiparty computation with low communication, computation and interaction via threshold FHE, in David Pointcheval and Thomas Johansson, editors, EUROCRYPT 2012. LNCS, vol. 7237 (Springer, April, 2012), pp. 483–501Google Scholar
  2. 2.
    G. Asharov, Y. Lindell, A full proof of the BGW protocol for perfectly-secure multiparty computation. Electronic Colloquium on Computational Complexity (ECCC), 18:36, (2011)Google Scholar
  3. 3.
    D. Beaver, S. Micali, P. Rogaway, The round complexity of secure protocols (extended abstract), in 22nd ACM STOC. (ACM Press, May 1990), pp. 503–513Google Scholar
  4. 4.
    M. Ben-Or, Another advantage of free choice: Completely asynchronous agreement protocols (extended abstract), in Robert L. Probert, Nancy A. Lynch, and Nicola Santoro, editors, 2nd ACM PODC. (ACM Press, August 1983), pp. 27–30Google Scholar
  5. 5.
    M. Ben-Or, R. El-Yaniv, Resilient-optimal interactive consistency in constant time. Distributed Computing, 16(4):249–262, (2003)CrossRefGoogle Scholar
  6. 6.
    M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract), in 20th ACM STOC. (ACM Press, May 1988), pp. 1–10Google Scholar
  7. 7.
    G. Bracha, An asynchronous [(n-1)/3]-resilient consensus protocol, in Robert L. Probert, Nancy A. Lynch, and Nicola Santoro, editors, 3rd ACM PODC. (ACM Press, August 1984), pp. 154–162Google Scholar
  8. 8.
    C. Cachin, K. Kursawe, F. Petzold, V. Shoup, Secure and efficient asynchronous broadcast protocols, in Joe Kilian, editor, CRYPTO 2001. LNCS, vol. 2139 (Springer, August 2001), pp. 524–541Google Scholar
  9. 9.
    R. Canetti, Security and composition of multiparty cryptographic protocols. Journal of Cryptology, 13(1):143–202, (2000)MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    R. Canetti, Universally composable security: A new paradigm for cryptographic protocols, in 42nd FOCS. (IEEE Computer Society Press, October 2001), pp. 136–145Google Scholar
  11. 11.
    R. Canetti, Universally composable signature, certification, and authentication, in 17th IEEE Computer Security Foundations Workshop, (CSFW-17). (2004), pp. 219–235Google Scholar
  12. 12.
    R. Canetti, A. Cohen, Y. Lindell, A simpler variant of universally composable security for standard multiparty computation, in Rosario Gennaro and Matthew Robshaw, editors, CRYPTO 2015, Part II. LNCS, vol. 9216 (Springer, August 2015), pp. 3–22Google Scholar
  13. 13.
    R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable two-party and multi-party secure computation, in 34th ACM STOC, (ACM Press, May 2002), pp. 494–503Google Scholar
  14. 14.
    R. Canetti, T. Rabin, Universal composition with joint state, in Dan Boneh, editor, CRYPTO 2003. LNCS, vol. 2729 (Springer, August 2003), pp. 265–281Google Scholar
  15. 15.
    D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols (extended abstract), in 20th ACM STOC, (ACM Press, May 1988), pp. 11–19Google Scholar
  16. 16.
    S.G. Choi, J. Katz, A.J. Malozemoff, V. Zikas, Efficient three-party computation from cut-and-choose, in Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part II. LNCS, vol. 8617 (Springer, August 2014), pp. 513–530Google Scholar
  17. 17.
    R. Cohen, S. Coretti, J.A. Garay, V. Zikas, Probabilistic termination and composability of cryptographic protocols, in Matthew Robshaw and Jonathan Katz, editors, CRYPTO 2016, Part III. LNCS, vol. 9816 (Springer, August 2016), pp. 240–269Google Scholar
  18. 18.
    R. Cohen, S. Coretti, J.A. Garay, V. Zikas, Round-preserving parallel composition of probabilistic-termination cryptographic protocols, in ICALP 2017. LIPIcs, vol. 80 (July 2017), pp. 37:1–37:15Google Scholar
  19. 19.
    R. Cohen, I. Haitner, E. Omri, L. Rotem, Characterization of secure multiparty computation without broadcast, in Eyal Kushilevitz and Tal Malkin, editors, TCC 2016-A, Part I. LNCS, vol. 9562 (Springer, January 2016), pp. 596–616Google Scholar
  20. 20.
    R. Cohen, Y. Lindell, Fairness versus guaranteed output delivery in secure multiparty computation, in ASIACRYPT 2014, Part II. LNCS, vol. 8874 (Springer, December 2014), pp. 466–485Google Scholar
  21. 21.
    I. Damgård, Y. Ishai, Constant-round multiparty computation using a black-box pseudorandom generator, in Victor Shoup, editor, CRYPTO 2005, LNCS, vol. 3621 (Springer, August 2005), pp. 378–394Google Scholar
  22. 22.
    I. Damgård, M. Keller, E. Larraia, V. Pastro, P. Scholl, N.P. Smart, Practical covertly secure MPC for dishonest majority - or: Breaking the SPDZ limits, in Jason Crampton, Sushil Jajodia, and Keith Mayes, editors, ESORICS 2013. LNCS, vol. 8134 (Springer, September 2013), pp. 1–18Google Scholar
  23. 23.
    I. Damgård, J.B. Nielsen, Adaptive versus static security in the UC model, in ProvSec 2014, (2014), pp. 10–28MathSciNetzbMATHGoogle Scholar
  24. 24.
    I. Damgård, V. Pastro, N.P. Smart, S. Zakarias, Multiparty computation from somewhat homomorphic encryption, in Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012. LNCS, vol. 7417 (Springer, August 2012), pp. 643–662Google Scholar
  25. 25.
    D. Dolev, R. Reischuk, H.R. Strong, Early stopping in byzantine agreement. J. ACM, 37(4):720–741, (1990)MathSciNetCrossRefzbMATHGoogle Scholar
  26. 26.
    D. Dolev, H. Raymond Strong, Authenticated algorithms for byzantine agreement. SIAM Journal on Computing, 12(4):656–666, (1983)MathSciNetCrossRefzbMATHGoogle Scholar
  27. 27.
    B. Eisenberg, On the expectation of the maximum of IID geometric random variables. Statistics & Probability Letters, 78(2):135–143, (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    P. Feldman, S. Micali, An optimal probabilistic protocol for synchronous byzantine agreement. SIAM Journal on Computing, 26(4):873–933, (1997)MathSciNetCrossRefzbMATHGoogle Scholar
  29. 29.
    M.J. Fischer, N.A. Lynch, A lower bound for the time to assure interactive consistency. Information Processing Letters, 14(4):183–186, (1982)MathSciNetCrossRefzbMATHGoogle Scholar
  30. 30.
    M. Fitzi, J.A. Garay, Efficient player-optimal protocols for strong and differential consensus, in Elizabeth Borowsky and Sergio Rajsbaum, editors, 22nd ACM PODC, (ACM Press, July 2003), pp. 211–220Google Scholar
  31. 31.
    S. Garg, C. Gentry, S. Halevi, M. Raykova, Two-round secure MPC from indistinguishability obfuscation, in Yehuda Lindell, editor, TCC 2014. LNCS, vol. 8349 (Springer, February 2014), pp. 74–94Google Scholar
  32. 32.
    O. Goldreich, S. Micali, A. Wigderson, Proofs that yield nothing but their validity and a methodology of cryptographic protocol design (extended abstract), in 27th FOCS. (IEEE Computer Society Press, October 1986), pp. 174–187Google Scholar
  33. 33.
    O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or A completeness theorem for protocols with honest majority, in Alfred Aho, editor, 19th ACM STOC. (ACM Press, May 1987), pp. 218–229Google Scholar
  34. 34.
    O. Goldreich, E. Petrank, The best of both worlds: Guaranteeing termination in fast randomized byzantine agreement protocols. Information Processing Letters, 36(1):45–49, (1990)MathSciNetCrossRefzbMATHGoogle Scholar
  35. 35.
    S. Goldwasser, Y. Lindell, Secure multi-party computation without agreement. Journal of Cryptology, 18(3):247–287, (2005)MathSciNetCrossRefzbMATHGoogle Scholar
  36. 36.
    S.D. Gordon, F.-H. Liu, E. Shi, Constant-round MPC with fairness and guarantee of output delivery, in Rosario Gennaro and Matthew Robshaw, editors, CRYPTO 2015, Part II. LNCS, vol. 9216 (Springer, August 2015), pp. 63–82Google Scholar
  37. 37.
    M. Hirt, V. Zikas, Adaptively secure broadcast, in Henri Gilbert, editor, EUROCRYPT 2010. LNCS, vol. 6110 (Springer, May 2010), pp. 466–485Google Scholar
  38. 38.
    Y. Ishai, R. Ostrovsky, V. Zikas, Secure multi-party computation with identifiable abort, in Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part II. LNCS, vol. 8617 (Springer, August 2014), pp. 369–386Google Scholar
  39. 39.
    Y. Ishai, M. Prabhakaran, A. Sahai, Founding cryptography on oblivious transfer - efficiently, in David Wagner, editor, CRYPTO 2008. LNCS, vol. 5157 (Springer, August 2008), pp. 572–591Google Scholar
  40. 40.
    J. Katz, C.-Y. Koo, On expected constant-round protocols for byzantine agreement, in Cynthia Dwork, editor, CRYPTO 2006. LNCS, vol. 4117 (Springer, August 2006), pp. 445–462Google Scholar
  41. 41.
    J. Katz, C.-Y. Koo, Round-efficient secure computation in point-to-point networks, in Moni Naor, editor, EUROCRYPT 2007. LNCS, vol. 4515. (Springer, May 2007), pp. 311–328Google Scholar
  42. 42.
    J. Katz, Y. Lindell, Handling expected polynomial-time strategies in simulation-based security proofs, in Joe Kilian, editor, TCC 2005. LNCS, vol. 3378 (Springer, February 2005), pp. 128–149Google Scholar
  43. 43.
    J. Katz, U. Maurer, B. Tackmann, V. Zikas, Universally composable synchronous computation, in Amit Sahai, editor, TCC 2013. LNCS, vol. 7785 (Springer, March 2013), pp. 477–498Google Scholar
  44. 44.
    M. Keller, P. Scholl, N.P. Smart, An architecture for practical actively secure MPC with dishonest majority, in Ahmad-Reza Sadeghi, Virgil D. Gligor, and Moti Yung, editors, ACM CCS 13. (ACM Press, November 2013), pp. 549–560Google Scholar
  45. 45.
    J. Kilian, Founding cryptography on oblivious transfer, in 20th ACM STOC. (ACM Press, May 1988), pp. 20–31Google Scholar
  46. 46.
    E. Kushilevitz, Y. Lindell, T. Rabin, Information-theoretically secure protocols and security under composition, in Jon M. Kleinberg, editor, 38th ACM STOC. (ACM Press, May 2006), pp. 109–118Google Scholar
  47. 47.
    L. Lamport, R.E. Shostak, M.C. Pease, The byzantine generals problem. ACM Trans. Program. Lang. Syst., 4(3):382–401, (1982)CrossRefzbMATHGoogle Scholar
  48. 48.
    Y. Lindell, A. Lysyanskaya, T. Rabin, On the composition of authenticated byzantine agreement, in 34th ACM STOC. (ACM Press, May 2002), pp. 514–523Google Scholar
  49. 49.
    Y. Lindell, A. Lysyanskaya, T. Rabin, Sequential composition of protocols without simultaneous termination, in Aleta Ricciardi, editor, 21st ACM PODC. (ACM Press, July 2002), pp. 203–212Google Scholar
  50. 50.
    Y. Lindell, B. Pinkas, N.P. Smart, A. Yanai, Efficient constant round multi-party computation combining BMR and SPDZ, in Rosario Gennaro and Matthew Robshaw, editors, CRYPTO 2015, Part II. LNCS, vol. 9216 (Springer, August 2015), pp. 319–338Google Scholar
  51. 51.
    P. Mukherjee, D. Wichs, Two round multiparty computation via multi-key FHE, in Marc Fischlin and Jean-Sébastien Coron, editors, EUROCRYPT 2016, LNCS, vol. 9666 (Springer, May 2016), pp. 735–763Google Scholar
  52. 52.
    M.C. Pease, R.E. Shostak, L. Lamport, Reaching agreement in the presence of faults. Journal of the ACM, 27(2):228–234, (1980)MathSciNetCrossRefzbMATHGoogle Scholar
  53. 53.
    M.O. Rabin, Randomized byzantine generals, in 24th Annual Symposium on Foundations of Computer Science, Tucson, Arizona, USA, 7–9 November 1983. (IEEE Computer Society, 1983), pp. 403–409Google Scholar
  54. 54.
    T. Rabin, M. Ben-Or, Verifiable secret sharing and multiparty protocols with honest majority (extended abstract), in 21st ACM STOC. (ACM Press, May 1989), pp. 73–85Google Scholar
  55. 55.
    R. Turpin, B.A. Coan, Extending binary byzantine agreement to multivalued byzantine agreement. Information Processing Letters, 18(2):73–76, (1984)CrossRefGoogle Scholar
  56. 56.
    A.C.-C. Yao, Protocols for secure computations (extended abstract), in 23rd FOCS. (IEEE Computer Society Press, November 1982), pp. 160–164.Google Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Ran Cohen
    • 1
    Email author
  • Sandro Coretti
    • 2
  • Juan Garay
    • 3
  • Vassilis Zikas
    • 4
  1. 1.Department of Computer ScienceBar-Ilan UniversityRamat GanIsrael
  2. 2.Department of Computer ScienceETH ZurichZurichSwitzerland
  3. 3.Yahoo ResearchSunnyvaleUSA
  4. 4.Department of Computer ScienceRPITroyUSA

Personalised recommendations