# Probabilistic Termination and Composability of Cryptographic Protocols

## Abstract

When analyzing the round complexity of multi-party protocols, one often overlooks the fact that underlying resources, such as a broadcast channel, can by themselves be expensive to implement. For example, it is well known that it is impossible to implement a broadcast channel by a (deterministic) protocol in a sublinear (in the number of corrupted parties) number of rounds. The seminal works of Rabin and Ben-Or from the early 1980s demonstrated that limitations as the above can be overcome by using randomization and allowing parties to terminate at different rounds, igniting the study of protocols over point-to-point channels with *probabilistic termination* and expected *constant* round complexity. However, absent a rigorous simulation-based definition, the suggested protocols are proven secure in a property-based manner or via *ad hoc* simulation-based frameworks, therefore guaranteeing limited, if any, composability. In this work, we put forth the first simulation-based treatment of multi-party cryptographic protocols with probabilistic termination. We define secure multi-party computation (MPC) with probabilistic termination in the UC framework and prove a universal composition theorem for probabilistic termination protocols. Our theorem allows to compile a protocol using deterministic termination hybrids into a protocol that uses expected constant round protocols for emulating these hybrids, preserving the expected round complexity of the calling protocol. We showcase our definitions and compiler by providing the first composable protocols (with simulation-based security proofs) for the following primitives, relying on point-to-point channels: (1) expected constant round perfect Byzantine agreement, (2) expected constant round perfect parallel broadcast, and (3) perfectly secure MPC with round complexity independent of the number of parties.

## Keywords

Probabilistic termination Universal composition Cryptographic protocols Randomized Byzantine agreement.## References

- 1.G. Asharov, A. Jain, A. López-Alt, E. Tromer, V. Vaikuntanathan, D. Wichs, Multiparty computation with low communication, computation and interaction via threshold FHE, in David Pointcheval and Thomas Johansson, editors,
*EUROCRYPT 2012*. LNCS, vol. 7237 (Springer, April, 2012), pp. 483–501Google Scholar - 2.G. Asharov, Y. Lindell, A full proof of the BGW protocol for perfectly-secure multiparty computation.
*Electronic Colloquium on Computational Complexity (ECCC)*,**18**:36, (2011)Google Scholar - 3.D. Beaver, S. Micali, P. Rogaway, The round complexity of secure protocols (extended abstract), in
*22nd ACM STOC*. (ACM Press, May 1990), pp. 503–513Google Scholar - 4.M. Ben-Or, Another advantage of free choice: Completely asynchronous agreement protocols (extended abstract), in Robert L. Probert, Nancy A. Lynch, and Nicola Santoro, editors,
*2nd ACM PODC*. (ACM Press, August 1983), pp. 27–30Google Scholar - 5.M. Ben-Or, R. El-Yaniv, Resilient-optimal interactive consistency in constant time.
*Distributed Computing*,**16**(4):249–262, (2003)CrossRefGoogle Scholar - 6.M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract), in
*20th ACM STOC*. (ACM Press, May 1988), pp. 1–10Google Scholar - 7.G. Bracha, An asynchronous [(n-1)/3]-resilient consensus protocol, in Robert L. Probert, Nancy A. Lynch, and Nicola Santoro, editors,
*3rd ACM PODC*. (ACM Press, August 1984), pp. 154–162Google Scholar - 8.C. Cachin, K. Kursawe, F. Petzold, V. Shoup, Secure and efficient asynchronous broadcast protocols, in Joe Kilian, editor,
*CRYPTO 2001*. LNCS, vol. 2139 (Springer, August 2001), pp. 524–541Google Scholar - 9.R. Canetti, Security and composition of multiparty cryptographic protocols.
*Journal of Cryptology*,**13**(1):143–202, (2000)MathSciNetCrossRefzbMATHGoogle Scholar - 10.R. Canetti, Universally composable security: A new paradigm for cryptographic protocols, in
*42nd FOCS*. (IEEE Computer Society Press, October 2001), pp. 136–145Google Scholar - 11.R. Canetti, Universally composable signature, certification, and authentication, in
*17th IEEE Computer Security Foundations Workshop, (CSFW-17)*. (2004), pp. 219–235Google Scholar - 12.R. Canetti, A. Cohen, Y. Lindell, A simpler variant of universally composable security for standard multiparty computation, in Rosario Gennaro and Matthew Robshaw, editors,
*CRYPTO 2015, Part II*. LNCS, vol. 9216 (Springer, August 2015), pp. 3–22Google Scholar - 13.R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable two-party and multi-party secure computation, in
*34th ACM STOC*, (ACM Press, May 2002), pp. 494–503Google Scholar - 14.R. Canetti, T. Rabin, Universal composition with joint state, in Dan Boneh, editor,
*CRYPTO 2003*. LNCS, vol. 2729 (Springer, August 2003), pp. 265–281Google Scholar - 15.D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols (extended abstract), in
*20th ACM STOC*, (ACM Press, May 1988), pp. 11–19Google Scholar - 16.S.G. Choi, J. Katz, A.J. Malozemoff, V. Zikas, Efficient three-party computation from cut-and-choose, in Juan A. Garay and Rosario Gennaro, editors,
*CRYPTO 2014, Part II*. LNCS, vol. 8617 (Springer, August 2014), pp. 513–530Google Scholar - 17.R. Cohen, S. Coretti, J.A. Garay, V. Zikas, Probabilistic termination and composability of cryptographic protocols, in Matthew Robshaw and Jonathan Katz, editors,
*CRYPTO 2016, Part III*. LNCS, vol. 9816 (Springer, August 2016), pp. 240–269Google Scholar - 18.R. Cohen, S. Coretti, J.A. Garay, V. Zikas, Round-preserving parallel composition of probabilistic-termination cryptographic protocols, in
*ICALP 2017*. LIPIcs, vol. 80 (July 2017), pp. 37:1–37:15Google Scholar - 19.R. Cohen, I. Haitner, E. Omri, L. Rotem, Characterization of secure multiparty computation without broadcast, in Eyal Kushilevitz and Tal Malkin, editors,
*TCC 2016-A, Part I*. LNCS, vol. 9562 (Springer, January 2016), pp. 596–616Google Scholar - 20.R. Cohen, Y. Lindell, Fairness versus guaranteed output delivery in secure multiparty computation, in
*ASIACRYPT 2014, Part II*. LNCS, vol. 8874 (Springer, December 2014), pp. 466–485Google Scholar - 21.I. Damgård, Y. Ishai, Constant-round multiparty computation using a black-box pseudorandom generator, in Victor Shoup, editor,
*CRYPTO 2005*, LNCS, vol. 3621 (Springer, August 2005), pp. 378–394Google Scholar - 22.I. Damgård, M. Keller, E. Larraia, V. Pastro, P. Scholl, N.P. Smart, Practical covertly secure MPC for dishonest majority - or: Breaking the SPDZ limits, in Jason Crampton, Sushil Jajodia, and Keith Mayes, editors,
*ESORICS 2013*. LNCS, vol. 8134 (Springer, September 2013), pp. 1–18Google Scholar - 23.I. Damgård, J.B. Nielsen, Adaptive versus static security in the UC model, in
*ProvSec 2014*, (2014), pp. 10–28MathSciNetzbMATHGoogle Scholar - 24.I. Damgård, V. Pastro, N.P. Smart, S. Zakarias, Multiparty computation from somewhat homomorphic encryption, in Reihaneh Safavi-Naini and Ran Canetti, editors,
*CRYPTO 2012*. LNCS, vol. 7417 (Springer, August 2012), pp. 643–662Google Scholar - 25.D. Dolev, R. Reischuk, H.R. Strong, Early stopping in byzantine agreement.
*J. ACM*,**37**(4):720–741, (1990)MathSciNetCrossRefzbMATHGoogle Scholar - 26.D. Dolev, H. Raymond Strong, Authenticated algorithms for byzantine agreement.
*SIAM Journal on Computing*,**12**(4):656–666, (1983)MathSciNetCrossRefzbMATHGoogle Scholar - 27.B. Eisenberg, On the expectation of the maximum of IID geometric random variables.
*Statistics & Probability Letters*,**78**(2):135–143, (2008)MathSciNetCrossRefzbMATHGoogle Scholar - 28.P. Feldman, S. Micali, An optimal probabilistic protocol for synchronous byzantine agreement.
*SIAM Journal on Computing*,**26**(4):873–933, (1997)MathSciNetCrossRefzbMATHGoogle Scholar - 29.M.J. Fischer, N.A. Lynch, A lower bound for the time to assure interactive consistency.
*Information Processing Letters*,**14**(4):183–186, (1982)MathSciNetCrossRefzbMATHGoogle Scholar - 30.M. Fitzi, J.A. Garay, Efficient player-optimal protocols for strong and differential consensus, in Elizabeth Borowsky and Sergio Rajsbaum, editors,
*22nd ACM PODC*, (ACM Press, July 2003), pp. 211–220Google Scholar - 31.S. Garg, C. Gentry, S. Halevi, M. Raykova, Two-round secure MPC from indistinguishability obfuscation, in Yehuda Lindell, editor,
*TCC 2014*. LNCS, vol. 8349 (Springer, February 2014), pp. 74–94Google Scholar - 32.O. Goldreich, S. Micali, A. Wigderson, Proofs that yield nothing but their validity and a methodology of cryptographic protocol design (extended abstract), in
*27th FOCS*. (IEEE Computer Society Press, October 1986), pp. 174–187Google Scholar - 33.O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or A completeness theorem for protocols with honest majority, in Alfred Aho, editor,
*19th ACM STOC*. (ACM Press, May 1987), pp. 218–229Google Scholar - 34.O. Goldreich, E. Petrank, The best of both worlds: Guaranteeing termination in fast randomized byzantine agreement protocols.
*Information Processing Letters*,**36**(1):45–49, (1990)MathSciNetCrossRefzbMATHGoogle Scholar - 35.S. Goldwasser, Y. Lindell, Secure multi-party computation without agreement.
*Journal of Cryptology*,**18**(3):247–287, (2005)MathSciNetCrossRefzbMATHGoogle Scholar - 36.S.D. Gordon, F.-H. Liu, E. Shi, Constant-round MPC with fairness and guarantee of output delivery, in Rosario Gennaro and Matthew Robshaw, editors,
*CRYPTO 2015, Part II*. LNCS, vol. 9216 (Springer, August 2015), pp. 63–82Google Scholar - 37.M. Hirt, V. Zikas, Adaptively secure broadcast, in Henri Gilbert, editor,
*EUROCRYPT 2010*. LNCS, vol. 6110 (Springer, May 2010), pp. 466–485Google Scholar - 38.Y. Ishai, R. Ostrovsky, V. Zikas, Secure multi-party computation with identifiable abort, in Juan A. Garay and Rosario Gennaro, editors,
*CRYPTO 2014, Part II*. LNCS, vol. 8617 (Springer, August 2014), pp. 369–386Google Scholar - 39.Y. Ishai, M. Prabhakaran, A. Sahai, Founding cryptography on oblivious transfer - efficiently, in David Wagner, editor,
*CRYPTO 2008*. LNCS, vol. 5157 (Springer, August 2008), pp. 572–591Google Scholar - 40.J. Katz, C.-Y. Koo, On expected constant-round protocols for byzantine agreement, in Cynthia Dwork, editor,
*CRYPTO 2006*. LNCS, vol. 4117 (Springer, August 2006), pp. 445–462Google Scholar - 41.J. Katz, C.-Y. Koo, Round-efficient secure computation in point-to-point networks, in Moni Naor, editor,
*EUROCRYPT 2007*. LNCS, vol. 4515. (Springer, May 2007), pp. 311–328Google Scholar - 42.J. Katz, Y. Lindell, Handling expected polynomial-time strategies in simulation-based security proofs, in Joe Kilian, editor,
*TCC 2005*. LNCS, vol. 3378 (Springer, February 2005), pp. 128–149Google Scholar - 43.J. Katz, U. Maurer, B. Tackmann, V. Zikas, Universally composable synchronous computation, in Amit Sahai, editor,
*TCC 2013*. LNCS, vol. 7785 (Springer, March 2013), pp. 477–498Google Scholar - 44.M. Keller, P. Scholl, N.P. Smart, An architecture for practical actively secure MPC with dishonest majority, in Ahmad-Reza Sadeghi, Virgil D. Gligor, and Moti Yung, editors,
*ACM CCS 13*. (ACM Press, November 2013), pp. 549–560Google Scholar - 45.J. Kilian, Founding cryptography on oblivious transfer, in
*20th ACM STOC*. (ACM Press, May 1988), pp. 20–31Google Scholar - 46.E. Kushilevitz, Y. Lindell, T. Rabin, Information-theoretically secure protocols and security under composition, in Jon M. Kleinberg, editor,
*38th ACM STOC*. (ACM Press, May 2006), pp. 109–118Google Scholar - 47.L. Lamport, R.E. Shostak, M.C. Pease, The byzantine generals problem.
*ACM Trans. Program. Lang. Syst.*,**4**(3):382–401, (1982)CrossRefzbMATHGoogle Scholar - 48.Y. Lindell, A. Lysyanskaya, T. Rabin, On the composition of authenticated byzantine agreement, in
*34th ACM STOC*. (ACM Press, May 2002), pp. 514–523Google Scholar - 49.Y. Lindell, A. Lysyanskaya, T. Rabin, Sequential composition of protocols without simultaneous termination, in Aleta Ricciardi, editor,
*21st ACM PODC*. (ACM Press, July 2002), pp. 203–212Google Scholar - 50.Y. Lindell, B. Pinkas, N.P. Smart, A. Yanai, Efficient constant round multi-party computation combining BMR and SPDZ, in Rosario Gennaro and Matthew Robshaw, editors,
*CRYPTO 2015, Part II*. LNCS, vol. 9216 (Springer, August 2015), pp. 319–338Google Scholar - 51.P. Mukherjee, D. Wichs, Two round multiparty computation via multi-key FHE, in Marc Fischlin and Jean-Sébastien Coron, editors,
*EUROCRYPT 2016*, LNCS, vol. 9666 (Springer, May 2016), pp. 735–763Google Scholar - 52.M.C. Pease, R.E. Shostak, L. Lamport, Reaching agreement in the presence of faults.
*Journal of the ACM*,**27**(2):228–234, (1980)MathSciNetCrossRefzbMATHGoogle Scholar - 53.M.O. Rabin, Randomized byzantine generals, in
*24th Annual Symposium on Foundations of Computer Science, Tucson, Arizona, USA, 7–9 November 1983*. (IEEE Computer Society, 1983), pp. 403–409Google Scholar - 54.T. Rabin, M. Ben-Or, Verifiable secret sharing and multiparty protocols with honest majority (extended abstract), in
*21st ACM STOC*. (ACM Press, May 1989), pp. 73–85Google Scholar - 55.R. Turpin, B.A. Coan, Extending binary byzantine agreement to multivalued byzantine agreement.
*Information Processing Letters*,**18**(2):73–76, (1984)CrossRefGoogle Scholar - 56.A.C.-C. Yao, Protocols for secure computations (extended abstract), in
*23rd FOCS*. (IEEE Computer Society Press, November 1982), pp. 160–164.Google Scholar