Last time we defined a synchronous execution model for distributed protocols, and defined their execution in the presence of an adversary that corrupts some of the parties. In summary, the execution model is defined by a set FF of randomized functions mapping n inputs to n outputs. A protocol is specified by n sequence of probabilistic polynomial time computable functions P[1],...,P[n], and sequence of r functions f[1],...,f[r] from FF. The computation proceeds in r rounds. The input to the program is a sequence of values X[0,...,n], and produces output values Y[0,...,n], where index 0 is used for the auxiliary input/output of the adversary. We define intermediate inputs and outputs X[i,j], Y[i,j] and states S[i,j] for every round j of the computation.

- The initial state S[*,0] is the empty string, and the initial values Y[i,0] =X[i] are set to the protocol input.
- At every round j>0, P[i] is given S[i,j-1] and Y[i,j-1] as input, and produces S[i,j] and X[i,j] as output.
- Programs P[B] for the corrupted players are substituted by the adversary A that gets as input S[B,j-1] and Y[B,j-1], and jointly compute S[B,j] and X[B,j]
- Function f[j] is applied to X[*,j] to obtain Y[*,j], using fresch randomness at every round
- The output of the protocol is set to Y[i] = X[i,r+1], i.e., the last value produced by party P[i]

We say that a protocol computes (randomized) function f if the input-output relation defined by the protocol when all parties are honest has the same distribution as function f. Security is defined using a simulation argument: a protocol (P[],f[]) securely compute function F

Protocol composition is defined in the obvious way. Specifically, let (P[],f[]) be any protocol, and let (Q[],g[]) be a protocol to compute function f[i], i.e., the function used by P at round i. The composition P[Q/i] is defined as the protocol with r(P) + r(Q) - 1 rounds, where round i of protocol P is replaced by the r(Q) rounds of protocol Q. The sequence of round functions for the composed protocol is defined substituting f[i] with g[1],...,g[r(Q)]. The programs P[i] are defined similarly: we can assume wlog that functions P[] keep the current round number as part of the state. In the new program P', when the index reaches round i, the current state S[*,i] is temporarily saved, and for the following r(Q) rounds the prograpms Q[] are executed, starting from the empty state and input values X[*] as specified by X[*,i]. After the r(Q) rounds are executed, the execution of P is resumed, using the saved state S[*,i] and the output of Q as input values.

We want to prove the following theorem. For any protocols (P[],f[]) and (Q[],g[]), if Q securely compute f[i], then the composed protocol P[Q/i] is at least as secure as P. Formally, for any adversary A' attacking P' = P[Q/i] there is an adversary A attacking P such that EXEC[P,f,A,B,X] = EXEC[P',f',A',B,X].

In particular, if P securely compute function F, i.e., for every adversary A there is a "simulator" such that EXEC[P,A,f,B,X] = EXEC[Id,F,S,B,X], then the composed protocol also securely compute F, i.e., for every adversary A' there is a "simulator" such that EXEC[P',A',f',B,X] = EXEC[Id,F,S,B,X].

From the assumption that Q securely compute f[i] we know that for every adversary A'' attacking Q there is a simulator S such that for every set B and inputs X, EXEC[Q,A'',g,B,X] = EXEC[Id,f[i],S,B,X].

Let A' be an adversary attacking the composed protocol P'. We want to define an attack to the idealized protocol P where function f[i] is computed by a "trusted party". We consider a very special adversary A'' attacking Q. This adversary will be used to obtain a simulator S (for Q) that can be used to transform A' into A.

The attack A'' works as follow:

- A'' expects to find as auxiliary input some information that can be interpreted as the state of adversary A' when entering the ith round.
- Simulate adversary A' for r(Q) rounds starting from round i, using the auxiliary input to A'' as the initial state.
- The output of A'' is the state of A' at the end of the simulation.

We know that there exists a simulator S that produces the same output as A'' when interacting with a trusted party evaluation function f[i]. We use this simulator to modify the adversary A' into an adversary A. But before defining A, we make an important observation: A'' does not use the inputs X[B] to the bad players. So for the output of S to be the same as A'' for all inputs X, it must be that the output of S is independent of the values X[B] passed to the simulator. In particular, running S on input X[B]=0 produces the same distribution as running A'' on the real inputs X[B] (which are ignored by A'' anyway).

The new adversary A works as follows:

- Emulate attack A' for the first i-1 rounds. (Notice: for the first i-1 rounds, protocols P and P' are identical.)
- At round i, invoke the simulator S on players inputs X[B] = 0, and auxiliary input X[0] equal to the state S[0,i-1] of A' at the end of the previous round.
- The simulator S first produces modified inputs X[B,i] for the ith round, these values are contributed by A to function f[i]
- The output Y[B,i] of function f[i] is returned to the simulator that completes the execution to output some state information S
- This state information S is passed to A' as S[0,i+r(Q)] and the execution of A' resumes for the remaining rounds of the protocol.

It is easy to see that if EXEC[P,f,A,B,X] can be distinguished from EXEC[P',f',A',B,X] then we can use the distinguisher to tell distributions EXEC[Q,g,A'',B,X] and EXEC[Id,f[i],S,B,X] apart.

**Exercise: **Prove a composition theorem for semihonest
parties, i.e., show that for any two protocols P,Q that privately compute
their respective functions, (and assuming the function computed by Q is the
one used by P at round i), the composition P[Q/i] is also private.

We proved a composition theorem for multiparty computation. The notion of composition used correspond to sequential execution models, and non-adaptive adversary. Both concurrent execution and adaptive adversary raises complications. In particular, the notion of security defined and used in the proof does not seems to be preserved under concurrent composition or more powerful attacks. We will explore extensions to the composition theorem later on in the course.

The recommended references for the material presented in this lecture are

R. Canetti, Security and Composition of Multiparty Cryptographic Protocols, Journal of Cryptology, 13(1), 2000.

O. Goldreich, Secure Multi-Party Computation. manuscript