Last time we investigated possible definitions of secure function evaluation protocols, and showed how defining security is not a strightforward task. How do we tell the difference between good definitions from bad ones? Last time we have seem that many intuitively correct definitions hide serious bugs, and as some bugs are fixed, some others might appear. So far, we have been reasoning about definitions in an informal way: discussing the intuitive requirements like privacy and correctness of the computation, and trying to formalize them in a way that seem to capture the intuition. But how do we know if we got it right or wrong? For the wrong definitions it is easy: we exhibited a protocol that satisfies the definition, but it is clearly insecure. But how good is a good definition? The answer is that a definition is as good as what we can formally prove about it. Good things that can be proved about notions of security is how well they compose: If we combine two protocols, each satisfying security definition D1 and D2, can we conclude that the resulting protocol will be secure according to the natural security definition D3 associated to the combined program?

In order to prove statements like the one above, we need to be very precise
about what it meas to "combine" programs and/or definitions, and the first
step is to give a precise definition of what is a protocol and how it is
executed. We already discussed the execution of multiparty protocols in
previous lectures. We revisit execution of protocols in a more general setting
that will be convenient to prove our composition theorem.As simplifying
assumption, we restrict ourselves to n parties interacting using a
*secure* and *syncrhonous* network, and an *active*, but
*non-adaptive* adversary attacking them. Details follows.

The Network: By secure we mean that party A can send messages to party B in such a way that no other party can read or alter the message. Synchronous means that all point-to-point communications happen at the same time. Formally, we can model the communication as a function f(X) where the input X is a sequence of n n-dimensional row vectors, and output the transpose matrix X*, also interpreted as a sequence of n n-dimensional row vectors. Each player P[i] contributes a row vector X[i,*], where X[i,j] is a message from P[i] intended for player P[j]. The output of the function for player i is given by (the transpose of) the column vector X[*,i].

Remark: this synchronous network does not capture rushing adversaries that receive messages from honest players before sending out their own messages. The rushing adversary correspond in some sense to a semisynchronous network. We will consider asynchronous networks later on in the course, so, for now, we will assume completely synchronous communication, where the adversary cannot rush to get his messages ahead of time.

The advantage of a completely synchronous network is that communication can be modeled as a special function F(X) = X* to be computed securely. This allows to give a uniform treatment of security and composition of function evaluation protocols. Under this assumption, a protocol is described by a tuple P[1,...,n] of polynomial time computable functions, and a list f[1,...,n] of (possibly randomized) functions, each mapping n strings to n strings. The protocol is executed as follows:

- Each party P[i] receives an input X[i] and a random string R[i]. Define Y[i,0] = X[i] and S[i,0] = R[i]
- The computation proceeds in rounds. For j=1 to k:
- P[i] on input Y[i,j-1] and current state S[i,j-1], compute X[i,j] and S[i,j]
- Randomized function f[j] is applied to vector X[*,j] to obtain Y[*,j], using fresh randomness at each round

- On input Y[i,k] and S[i,k], player P[i] outputs its final value Y[i]

When all parties are honest, the protocols computes a randomized function F[X[1,..,n]] = Y[1,..,n].

The execution of the protocol in the presence of a non-adaptive adversary A corrupting set of parties B is defined by substituting programs P[B] with a single program A such that

- A initially receives X[B] (including auxiliary input X[0]) and randomness R[B]. Define Y[B,0] = X[B] and S[A,0] = R[B]
- At each round from j=1,..,k, the operations of P[B] are replaced by
- A on input Y[B,j-1] and S[A,j-1] computes X[B,j] and S[A,j]
- As before, randomized function f[j] is applied to vector X[*,j] to obtain Y[*,j], using fresh randomness at each round

- On input Y[B,k] and S[A,k], corrupted players P[B] output as instructed by A.

The result of executing protocol P[*] using functions f[*] in the presence of adversary A corrupting parties B on input X[*] is denoted EXEC[P,f,A,B,X]

The "real model" and "ideal model" used before can all be seen as special cases of this execution model. In the REAL model, all functions f[j] are the transposition function modeling the synchronous communication network. In the IDEAL model, there is only one round, the function f[1] is the function we want to evaluate securely, and the protocol programs P[i] are the identity function. We say that a protocol P is a secure implementation of function F if for any adversary A there exists a "simulator" S, such that EXEC[P,f,A,B,X] = EXEC[Id,F,S,B,X].

The computational model described above is convenient because it allows to represent not only the real and ideal model, but also "hybrid" models where functions f_i are possibly differemt. Let T be a family of functions from n strings to n strings. We say that a protocol [P,f_i] is in the T-model if all functions f_i belong to set T. Assume for example T={f,g_{ij}} where f is the transpose function modeling simple communication rounds, and g_{ij} is a family of functions that allow two parties P[i] and P[j] to execute oblivious transfer. A protocol in the T-model represent a protocol where parties are allowed to communicate via synchronous secure private channels, and execure OT. Here OT is not being implemented. We are assuming the parties have access to an ideal OT function and can execute OT securely in one round.

The relevance of the hybrid model is that we can compose protocols together. Protocol composition is defined in the obvious way. Let P be a protocol to compute function F in the (T+{G})-model. Let Q be a protocol to compute function G in the T-model. We can combime P and Q to obtain a protocol to compute F in the T-model. The composed protocol works as follows.

- Each occurrence of function G within the sequence of functions corresponding to P is replaced by the sequence of function associated to Q
- For each party, the input to function G computed by P is passed along with some fresh randomness to the program for Q, after temporarily saving the current state s.
- When the subprotocol for Q terminates, we resume execution of P with current state s and output value as obtained from Q

By repeated composition, we can obtain protocols in the real model where T = {f}.

In order for this composition to be meaningful it must preserve security. Next time we will prove that if Q is a secure protocol to evaluate G in the T-model, then the composed protocol P[Q/G] in the T-model is at least as secure as P. In particular, if P is a secure protocol for evaluation F in the (T+{G})-model, then P[Q/G] is also a secure protocol for F in the simpler T-model.

The recommended references for the material presented in this lecture are

R. Canetti, Security and Composition of Multiparty Cryptographic Protocols, Journal of Cryptology, 13(1), 2000.

O. Goldreich, Secure Multi-Party Computation. manuscript