We present a general compilerMComp()that translates a given protocolπto a more “robust" one that introduces new entity called mediatorM. The compiled protocol has a strong isolation guarantee and preserves the original properties even when the mediator is malicious. Informally, the effect of the com- piler on the mediator’s capabilities is that the mediator must exhibit honest behavior, or else its cheating will be detected. The compiler expectsπto be a fully instantiated protocol, namely a protocol that uses
FunctionalityFπ
oblComp FunctionalityFπ
OblCompproceeds as follows, given a protocolπ. At the first activation, verify that
sid= (P,M;sid0), whereP is an ordered set ofmidentities; else halt. Denote the parties identities
Pj,Mand the adversariesS(j,M),S(M,j). Also, initialize variablesOUTjand−−→msg to⊥. Next:
– Pj inputs a pair of commitments cominput and comrand; a vector of commitments − →
C; and a round numberrid. In addition,Pj inputs strings decinput and decrand, and stringCRS.
– Minputs a pair of commitments cominputj and comrandj ; a vector of commitments−C→j; a commit-
mentCjrid0−1; and a round numberrid0. In addition,Minputs a vector−−→decj,decrid 0−1
j and a string CRS0.
1. Upon receiving an input(Compute−party, sid, cominput,comrand,−→C , rid,
decinput,decrand, CRS) from partyPj record the input, and send a public delayed output (Re-
ceipt_party,sid,Pj) toM. Once it is recorded, ignore any subsequent(Compute−party, ...)in-
puts.
2. Upon receiving an input(Compute, sid,cominputj ,comrandj ,−C→j, Crid 0−1 j ,rid0, −−→
decj,decrid 0−1
j , CRS0) fromM and(Compute−party, sid, ...) already outputted toM, then
record the input. Once it is recorded, ignore any subsequent(Compute, ...)inputs.
3. Upon receiving(Corrupt,sid,T),,whereT ∈ {Pj,M}, from an appropriate adversary, do:
give both adversaries this party inputs. Furthermore, if this adversary now provides some input value and none of the parties received output, then change the record to this value. In any case, output
(Corrupted,sid,T)to the newly corrupted party.
4. Upon receiving an input (Deliver, S(j,i), m) from S(i,j) do: verify that S(j,i) and S(i,j)∈ {S(j,M),S(M,j)}, else ignore the input. output (Deliver,S(j,i),S(i,j),m) toS(j,i).
5. Upon receiving an input(next_message,sid)fromS(M,j)and the values above are recorded, run Compute() to obtain−−→msg and output(message, sid,−−→msg)toM.
6. Upon receiving an input(update,sid)fromS(j,M)and the values above are recorded, run Com- pute() to obtainOUTj and output(update, sid, Crid
0−1
j ,OUTj)toPj.
Procedure Compute()
– If (cominput,comrand,−→C , rid, CRS) 6= (cominputj ,comrandj ,−C→j,rid0, CRS0) then set −−→msg =
OUTj =⊥.
– If decinput
resp.,decrand
is not a valid decommitment to cominputj
resp.,comrandj
, or −−→decj
does not contain valid decommitments to all the commitments in−C→j then set−−→msg= OUTj =⊥.
– If rid0>1anddecridj 0−1is not a valid decommitment toCjrid0−1then set−−→msg= OUTj =⊥.
– Let−−→msg1, . . . ,−−−−−−→msgrid0−1be the committed values in −→
Cj andCrid 0−1
j . If any of these contain dummy
values, set−−→msg= OUTj =⊥.
– Letxj andrj be the committed values in comjinputand comrandj respectively and−−→msg = OUTj = ⊥. if rid0 < r+ 1 then compute and store in−−→msg the next messages that partyPj would send in
protocolπ when running with inputxj, random taperj, common reference stringCRS, and after
receiving messages−−→msg1, . . . ,−−−−−−→msgrid0−1. else compute and store inOUTj the output of partyPj.
– Return−−→msg,OUTj
.
FunctionalityFmsfef
FunctionalityFmsfef proceeds as follows, given a functionf : ({0,1}∗∪ {⊥})m×R→({0,1}∗)m. At the first activation, verify thatsid= (P;sid0), whereP is an ordered set ofmidentities; else halt.
Denote the parties identitiesP1, ..., Pm, adversaries identities
S(i,j)
i6=j,i∈PS{M}
,j∈PS{M}. Also,
initialize variablesx1, ..., xm, y1, ..., ymto default value⊥. Next:
– Ifmediator= 1(this indicates a honest mediator) thenFmsfef proceeds as follows: 1. INPUT&COMPUTE: Upon receiving an input message from partyPido:
(a) if input is (Input,sid,v) then setxi =vand output (Input,sid,Pi) toS(i,M).
(b) if input is (Compute,sid) then notify the adversaries S(i,M), S(M,i) and record the (Compute,...) request.
2. INPUT RESPONSE: Upon receiving anokay message from allMrelated adversaries and all inputs are set then output acontinuemessage to allMrelated adversaries.
3. COMPUTE RESPONSE: Upon receiving input(response,sid)fromS(M,i)do:
(a) mark the appropriate (Compute,sid) request as approved in current round (ifPiis corrupted
mark as if recorded).
(b) if all parties inP have at least one (Compute,...) approved in current round then output a
continuemessage to allMrelated adversaries and delete all approved requests. 4. OUTPUT: Upon receiving an (output,Pi,p)message fromS(i,M)do:
(a) ifxihas been set for all parties inP, andy1, ..., ynhave not yet been set, then chooser ←R
and set(y1, .., yn)←f(x1, ..., xn, r); else ifxihas not been set for all parties, ignore.
(b) ifPiis corrupted then outputyitoS(i,M); else outputyitoPi.
5. CORRUPT: Upon receiving input (Corrupt,Pi,p) fromPirelated adversary do:
(a) recordPias corrupted party and output (Corrupted,Pi) toPi.
(b) givexiand an output that was given toPi(if any) to allPirelated adversaries.
6. DELIVER: Upon receive input (Deliver,S(`,k),m) fromS(i,j)do:
(a) ifi=`andPiis corrupted orj=`=Mandk=jthen output (Deliver,S(i,j),S(`,k),m) toS(`,k).
7. SET INPUT: Upon receiving input(set_input,Pi, v0)fromS(i,M)do:
(a) ifPiis corrupted and none of the parties received output then setxi←v0; otherwise ignore.
8. ABORT: Upon receiving input(abort,Pi)fromS(i,M)do:
(a) ifPi is corrupted and none of the parties received output then set(y1, .., yn) ←(⊥, ...,⊥);
otherwise ignore.
– Ifmediator= 0(this indicates a corrupted mediator) thenFmsfef proceeds as follows:
1. INPUT&COMPUTE: Upon receiving an input message from partyPido as in the honest medi-
ator case but notify all adversaries.
2. OUTPUT: Upon receiving an (output,Pi,p)message fromS(i,M)do:
(a) ifxi has been set for all partiesPi ∈ P, andy1, ..., yn have not yet been set, then choose r ← R and set (y1, .., yn) ← f(x1, ..., xn, r); else if xi has not been set for all parties,
ignore.
(b) ifPiis corrupted then outputyito all adversaries.
(c) else: ifp=⊥ then setyi=⊥. In any case, outputyitoPi.
3. CORRUPT: Upon receiving input (Corrupt,Pi,p) fromPirelated adversary do as for the honest
mediator case but notify all adversaries.
4. DELIVER: Upon receive input (Deliver,S(`,k),m) fromS(i,j)then output (Deliver,S(i,j),S(`,k),
m) toS(`,k)(this capture the ability of corrupted parties to communicate using corrupted medi- ator)
5. SET INPUT: Upon receiving input (set_input,Pi,v0) from S(i,M) do as in the honest mediator case.
no ideal functionalities other thanG¯acrs. As discussed above, the constructed protocolMComp(π) is presented as an(Fsmt,Fπ
OblComp,G¯acrs)-hybrid protocol. Next, when these functionalities are realized we obtain a protocol in theG¯acrs-hybrid model.
The protocol consists of three stages. In the first stage the parties and the mediator communicate with ¯
Gacrsand obtain the CRS string. In the second stage, the parties commit to their inputs and random coins for a protocolπ that securely computesF. In the third stage, the parties emulate π, round-by-round, as follows. Upon partyPj requests,Mengages inPj’s nextπ-message computation. at the end of this
computation,Mobtains the messages thatPj would send in the current round ofπ, andPj obtains a
commitment to the messages it would receive in the previous round of π. In last round emulationPj
also obtains its output. However, the mediator would not engage in a computation with the same party more than once in a given round, but rather records the request and process it in the next round of the protocol. Whenever Mcollects all current round messages it proceeds to the emulation of the next round. Everything the mediator sends to the parties will be “wrapped” inside a commitment. When all parties behave honestly, these will all be commitments to legitimate protocol messages of π. If some partyPj aborts (or deviates from the protocol),Mwill not be able to generate a valid commitment of
this sort. Nevertheless, we do not want other party to learn thatPj aborted the protocol; Therefore, we
allowMto send special “dummy commitments" to⊥. It is important to note that no corrupted party can collude with the corrupted mediator to perform a malleability attack on the protocol. More formally, the input commitments received by the corrupted mediator do not enable to compute the protocol on a related value. This follows from the idealFπ
OblComp(that do not reveal any information on the committed values to the mediator) and from the UC security of the protocol realizing Fπ
OblComp. Therefore, a standard statistically binding non-interactive commitment scheme suffices. LetCbe such a commitment scheme, whereC(m;r)denotes a commitment tomusing random coinsr. The decommitment of com=
C(m;r)isdec = (m;r). Recall that that the interface ofFπ
OblCompinvolves the commitment scheme
C. Formal description of the protocol appears in Figures 31 and 32.
We are now ready to prove the security of the compiled protocolMComp(π):
Theorem 11. Given a (poly-time) functionf = (f1, ..., fn)and a protocolπthat isG¯acrs-setup oblivi-
ous UC-realization of the well-formed aborting functionalityFsfef . Then the compiled protocolMComp(π)
LUC-realize Fmsfef in the(Fsmt,Fπ
OblComp,G¯acrs)-hybrid model in the presence of static adversaries,
where all corruptions are PID-wise.