Computationally Sound Abstraction and Verification

of Secure Multi-Party Computations

Michael BackesSaarland University

MPI-SWS

Matteo MaffeiSaarland University

Esfandiar MohammadiSaarland University

October 7, 2010

Abstract

We devise an abstraction of secure multi-party computations in the applied π-calculus. Based on thisabstraction, we propose a methodology to mechanically analyze the security of cryptographic proto-cols employing secure multi-party computations. We exemplify the applicability of our framework byanalyzing the SIMAP sugar-beet double auction protocol. We finally study the computational sound-ness of our abstraction, proving that the analysis of protocols expressed in the applied π-calculusand based on our abstraction provides computational security guarantees.

Contents

1 Introduction 2

2 The symbolic abstraction of SMPC 42.1 Review of the applied π-calculus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42.2 Abstracting SMPC in the applied π-calculus . . . . . . . . . . . . . . . . . . . . . . . . . . 5

3 Formal verification 7

4 Computational soundness of symbolic SMPC 94.1 SMPC in the UC framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104.2 Computational execution of a process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124.3 Computational safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164.4 Computational soundness results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

5 Conclusion 235.1 Future work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

A Postponed definitions 26A.1 The syntax and semantics of the applied π-calculus . . . . . . . . . . . . . . . . . . . . . . 26

B From the π-execution to the SMPC-execution 27B.1 The construction of the scheduling simulator . . . . . . . . . . . . . . . . . . . . . . . . . 27B.2 The proof of the soundness of SSim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

C Leveraging UC-realizability 36

D Computational soundness of key-safe protocols with arithmetics 38D.1 Translating processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38D.2 Review of CoSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39D.3 The symbolic model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44D.4 The computational implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46D.5 Computational soundness proof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

1

1 Introduction

Proofs of security protocols are known to be error-prone and difficult for humans to make. Security vul-nerabilities have accompanied early authentication protocols like Needham-Schroeder [35, 52], carefullydesigned de-facto standards like SSL and PKCS [57, 22], as well as current widely deployed productslike Microsoft Passport [38] and Kerberos [24]. Hence, work towards the automation of security proofsstarted soon after the first protocols were developed.

From the start, the actual cryptographic operations in such proofs were idealized into so-called , Dolev-Yao models, following [36, 37, 50] (see, e.g., [45, 55, 3, 48, 54, 16]). This idealization simplifies proofconstruction by freeing proofs from cryptographic details such as computational restrictions, probabilisticbehavior, and error probabilities. It was not at all clear from the outset whether Dolev-Yao modelsare a sound abstraction of real cryptography with its computational security definitions. Recent workhas largely bridged this gap for Dolev-Yao models offering the core cryptographic operations such asencryption, digital signatures, and even more complex cryptographic primitives such as non-interactivezero-knowledge proofs (see, e.g., [5, 46, 12, 10, 47, 51, 32, 27, 56, 15, 8]).

While Dolev-Yao models traditionally comprise only non-interactive cryptographic operations (i.e.,cryptographic operations that produce a single message and do not involve any form of communication,such as encryption and digital signatures), recent cryptographic protocols rely on more sophisticatedinteractive primitives (i.e., cryptographic operations that involve several message exchanges among par-ties), with unique features that go far beyond the traditional goals of cryptography to solely offer secrecyand authenticity of communication.

Secure multi-party computation (SMPC) constitutes arguably one of the most prominent and mostamazing such primitive. Intuitively, in an SMPC, a number of parties P1, . . . , Pn wish to securely computethe value F (d1, . . . , dn), for some well-known public function F , where each party Pi holds a private inputdi. This multi-party computation is considered secure if it does not divulge any information about theprivate inputs to other parties; more precisely, no party can learn more from the participation in theSMPC than she could learn purely from the result of the computation already.

SMPC provides solutions to various real-life problems such as e-voting, private bidding and auctions,secret sharing etc. The recent advent of efficient general-purpose implementations (e.g., FairplayMP [18])paves the way for the deployment of SMPC into modern cryptographic protocols. Recently, the effec-tiveness of SMPC as a building block of large-scale and practical applications has been demonstrated bythe sugar-beet double auction that took place in Denmark: The underlying cryptographic protocol [23],developed within the Secure Information Management and Processing (SIMAP) project, is based onSMPC.

Given the complexity of SMPC and its role as a building block for larger cryptographic protocols,it is important to develop abstraction techniques to reason about SMPC-based cryptographic protocolsand to offer support for the automated verification of their security.

Our contributions

The contribution of this paper is threefold:

• We present an abstraction of SMPC within the applied π-calculus [2]. This abstraction consistsof a process that receives the inputs from the parties involved in the protocol over private channels,computes the result, and sends it to the parties again over private channels, however augmentedwith certain details to enable computational soundness results, see below. This abstraction can beused to model and reason about larger cryptographic protocols that employ SMPC as a buildingblock.

• Building upon an existing type-checker [9], we propose an automated verification technique forprotocols based on our SMPC abstraction. We exemplify the applicability of our framework byanalyzing the sugar-beet double auction protocol proposed in [23].

• We establish computational soundness results (in the sense of preservation of trace proper-ties) for protocols built upon our abstraction of SMPC. This result is obtained in essentially twosteps: We first establish a connection between our symbolic abstraction of SMPC in the applied

2

π-calculus (symbolic setting) and the notion of an ideal functionality for SMPC in the UC frame-work [28], which constitutes a low-level abstraction of SMPC that is defined based on bitstrings,Turing machines, etc. (cryptographic setting) Second, we build upon existing results on the securerealization of this functionality in the UC framework in order to obtain a secure cryptographicrealization of our symbolic abstraction of SMPC. This computational soundness result holds forSMPC that involve arbitrary arithmetic operations; moreover, it is compositional, since the proofis parametric over the other (non-interactive) cryptographic primitives used in the symbolic pro-tocol and within the SMPC itself. Computational soundness holds as long as these primitives areshown to be computationally sound (e.g., in the CoSP framework [8]). We prove in particular thecomputational soundness of a Dolev-Yao model with public-key encryption, digitalsignatures, andthe aforementioned arithmetic operations, leveraging and extending prior work in CoSP [8]. Such aresult allows for soundly modelling and verifying many applications employing SMPC as a buildingblock, including the case studies considered in this paper.

Related work

Computational soundness was first shown by Abadi and Rogaway in [5] for passive adversaries andsymmetric encryption. Subsequent work extended the protocol language and security properties [4, 46,43, 17, 1] and considered active adversaries [32, 14, 12, 13, 10, 27, 56, 47, 51, 44, 8]. Recent works alsofocused on computational soundness in the sense of observational equivalence of cryptographic realizationsof processes [6, 30, 29]. All these results, however, only consider non-interactive cryptographic primitives,such as encryptions, signatures, and non-interactive zero-knowledge proofs. To the best of our knowledge,our work presents the first computational soundness proof for an interactive primitive.

Non-interactive primitives only get one input and output one result. Hence, all computation stepsthat are done between the input and the output can be abstracted way. Interactive primitives, on theother hand, are reactive and may involve several communication steps, such as committing to an input.The abstraction of these intermediate communication steps is desirable in order to make the automatedverification feasible. But such an abstraction significantly complicates the computational soundnessproofs.

A salient approach for the abstraction of interactive cryptographic primitives is the Universal Compos-ability framework [25]. The central idea is to define and prove the security of a protocol by comparisonwith an ideal trusted machine, called the ideal functionality. Although this framework has proven aconvenient tool for the modular design and verification of cryptographic protocols, it is not suited toautomation of security proofs, given the intricate operational semantics of the UC framework and thatideal functionalities operate on bitstrings (as opposed to symbolic terms). Dolev-Yao models (e.g., theapplied π-calculus) offer a higher level of abstraction compared to ideal functionalities in the UC frame-work. Most importantly, Dolev-Yao models typically enjoy a simpler operational semantics than the UCframework (e.g., Dolev-Yao models typically do not comprise randomness), which enables automation ofsecurity proofs. The different degree of abstraction in these models is best understood by consideringdigital signatures: While computational soundness proofs for Dolev-Yao abstractions of digital signaturesuse standard techniques [12, 32, 8] finding a sound ideal functionality for digital signatures has proven tobe quite intricate [7, 26, 33]. Yet, securely realizable ideal functionalities constitute a useful tool for prov-ing computational soundness of a Dolev-Yao model. In our proof, we establish a connection between oursymbolic abstraction of SMPC and such an ideal functionality; subsequently, we exploit that this idealfunctionality is securely realizable. A similar proof technique has already been applied by Canetti andHerzog [27] for showing computational soundness of the symbolic abstraction of public-key encryption.For the formal verification of our symbolic abstraction, we use a type-system for authorization policies(c.f. [9, 39]). Specifically, we use the type system of Backes, Hritcu, and Maffei.[9]

A generic symbolic abstraction of ideal functionalities has been proposed in [34]. In that work itis shown that the different notions of simulatability, known in the literature, collapse in the symbolicabstraction. In contrast to our approach, that work does not address computational soundness guaranteesand does not explicitly consider SMPC.

The concept of a general secure two-party computation has been introduced by Yao [58]. Thiswork has been extended to general secure multi-party computations in [42]. General secure multi-partycomputation in the presence of arbitrary surrounding protocols, in the above-mentioned UC framework,

3

has been studied in [28].There are domain-specific languages for specifying functionalities for secure multi-party computations

and for deriving secure cryptographic realizations. FairplayMP [18, 49], e.g., automatically generates aconstant-round secure multi-party computation protocol given a program in the language SFDL. Anotherdomain-specific language SMCL is presented in [53]. SMCL supports reactive functionalities as well.Moreover, this work introduces a type system for checking non-interference properties of the programmedfunctionalities. These approaches only focus on a single instance of a secure multi-party computation.Our framework, in contrary, can be used to reason about an unbounded number of SMPC sessionsand, most importantly, about a large class of cryptographic protocols employing SMPC as a buildingblock. Moreover, our symbolic abstraction is amenable to automated verification techniques and ourcomputational soundness result ensures that such verification techniques provide security guarantees forthe actual computational implementation.

Outline. Section 2 reviews the applied π-calculus and presents our SMPC abstraction. Section 3explains the technique used to statically analyze SMPC-based protocols and applies it to our case study.Section 4 studies the computational soundness of our symbolic model. Section 4.1 explains SMPC inthe UC framework. Section 4.2 presents the computational implementation of a process. Section 4.3introduces the notion of computational safety, formalizing computational soundness in our framework.Finally, Section 4.4 shows the computational soundness of our symbolic SMPC abstraction presents acomputationally sound symbolic model with public-key encryption, digital signatures, and arithmeticoperations. Section 5 concludes this work and discusses future work.

2 The symbolic abstraction of SMPC

In this section, we first review the syntax and the semantics of the calculus. We adopt a variant ofthe applied π-calculus with destructors [9]. After that, we present the symbolic abstraction of securemulti-party computation within this calculus.

2.1 Review of the applied π-calculus

We briefly review the syntax and the operational semantics of the applied π-calculus, and define theadditional notation used in this paper.

Cryptographic messages are represented by terms. The set of terms (ranged over by K, L, M , andN) is the free algebra built from names (a, b, c, m, n, and k), variables (x, y, z, v, and w), and functionsymbols – also called constructors – applied to other terms (f(M1, . . . ,Mk)). We let u range over bothnames and variables. We assume a signature Σ, which is a set of function symbols, each with an arity. Forinstance, the signature may contain the function symbols enc/3 of arity 3 and pk/1 of arity 1, representingciphertexts and public keys, respectively. The term enc(M, pk(K), L) represents the ciphertext obtainedby encrypting M with key pk(K) and randomness L. We let M denote an arbitrary sequence M1, . . . ,Mn

of terms. Destructors are partial functions that processes can apply to terms. Applying a destructor d toterms M either succeeds and yields a term N (denoted as d(M) = N), or it fails (denoted as d(M) = ⊥).For instance, we may use the dec destructor with dec(enc(M, pk(K), L),K) = M to model decryptionin a public-key encryption scheme.

Plain processes are defined as follows. The null process 0 does nothing and is usually omitted fromprocess specifications; νn.P generates a fresh name n and then behaves as P ; a(x).P receives a messageN from channel a and then behaves as P{N/x}; a〈N 〉.P outputs message N on channel a and thenbehaves as P ; P | Q executes P and Q in parallel; !P behaves as an unbounded number of copies of Pin parallel; let x = D then P else Q applies if D = d(M) the destructor d to the terms M ; if applicationsucceeds and produces the term N (d(M) = N) or D equals a term N , then the process behaves asP{N/x}; otherwise, i.e., if d(M) = ⊥, the process behaves as Q.1

The scope of names and variables is delimited by restrictions, inputs, and lets. We write fv(P ) forthe free variables and fn(P ) for the free names in a process P . A term is ground if it does not containany variables. A process is closed if it does not have free variables. A context C[•] is a process with a

1Using a destuctor equal that checks term equality, we write if a = b then P else Q for let equals(a, b) = a in Pelse Q.

4

hole •. An evaluation context is a context whose hole is not under a replication, a conditional, an input,or an output.

The operational semantics of the applied-π calculus is defined in terms of structural equivalence (≡)and internal reduction (→). Structural equivalence relates the processes that are considered equivalentup to syntactic re-arrangement. Internal reduction defines the semantics of process synchronizations anddestructor applications. For more detail on the syntax and semantics of the calculus, we refer to theappendix (see Appendix A).

Safety properties. Following [39], we decorate security-related protocol points with logical predicatesand express security requirements in terms of authorization policies. Formally, we introduce two processesassume F and assert F , where F is a logical formula. Assumptions and assertions do not have anycomputational significance and are solely used to express security requirements. Intuitively, a process issafe if and only if all its assertions are entailed by the active assumptions in every protocol execution.This is formally captured in the following definition:

Definition 1 (Safety). A closed process P is safe if and only if for every F and Q such thatP →∗ νa.(assert F | Q), there exists an evaluation context E[•] = νb. • | Q′ such that Q ≡E[assume F1 | . . . | assume Fn], fn(F ) ∩ b = ∅, and we have that {F1, . . . , Fn} |= F .

A process is robustly safe if it is safe when run in parallel with an arbitrary opponent.

Definition 2 (Opponent). A closed process is an opponent if it does not contain any assert.

Definition 3 (Robust Safety). A closed process P is robustly safe if and only if P | O is safe for everyopponent O.

2.2 Abstracting SMPC in the applied π-calculus

We recall that a secure multi-party computation is a protocol among parties P1, . . . , Pn to jointly computethe result of a function F applied to arguments m1, . . . ,mn, where mi is a private input provided byparty Pi. More generally, not only a function but a reactive, stateful computation is performed, whichrequires the participants to maintain a (synchronized) state. At the end of the computation, each partyshould not learn more than the result (or, more generally, a local view ri of the result). Since the overallprotocol may involve several secure multi-party computations, a session identifier sid is often used to linkthe private inputs to the intended session. Coming up with an abstraction of SMPC that is amenableto automated verification and that can be proven computationally sound is technically challenging, andit required us to refine the abstraction based on insights that were gained in the soundness proof. Forthe sake of exposition, we thus present simple, intuitive abstraction attempts of SMPC in the appliedπ-calculus first, explain why these attempts do not allow for a computational soundness result, and thensuccessively refine them until we reach the final abstraction.

First attempt. A first, naive attempt to symbolically abstract SMPC in the applied π-calculus isto let parties send to each other the public information along with the enveloped private input on aprivate channel. This message can be represented by a term smpc(F, i,m, sid), where i is the principal’sidentifier. The abstraction then consists of a destructor result whose semantics is defined by a rule like

result(mi, i, smpc(F , 1,m1, sid), . . . , smpc(F , n,mn, sid)) = π(i,F(m1, . . . ,mn))

where π(i, ·) denotes the projection on the i-th element. We are facing the common symbolic adversarymodel of an active, but static adversary, i.e., the adversary controls the (asynchronous) network, but onlycompromises parties before the protocol execution starts. In this setting, the abstraction is unsound:a computational attacker (i) is capable of altering the delivery of messages, and (ii) learns the sessionidentifiers that occur in the header of each individual message. Our abstraction attempt does not grantthe adversary any such capabilities; hence a symbolic adversary is much stronger constrained than acomputational adversary, thus preventing computational soundness results. These problems could betackled by modifying the abstraction such that all messages are sent and received over a public channel.The adversary would then decide which parties receive which messages. The resulting abstraction,however, would not be tight enough anymore: Corrupted symbolic parties could send different messages

5

inouti4= !

(inloopi(z).ini(xi, sid′).adv〈sid′〉.if sid = sid′

then lini〈xi〉 else inloopi〈sync()〉)| inloopi〈sync()〉

deliveri4= ini〈yi, sid〉.inloopi〈sync()〉

SMPC(adv, sidc, in,F) 4= sidc(sid). νlin. νinloop.(input1 | · · · | inputn | F [deliver1 | . . . | delivern]

)

Figure 1: The process SMPC as the symbolic abstraction of secure multi-party computation

to the participants, and hence cause them to compute the function F on different inputs. Such an attack,however, is computationally excluded by a secure multi-party computation protocol.

Second attempt. We solved the aforementioned problems by introducing an explicit trusted party towhom every participant i sends its private input and receives its own result in return over a privatechannel ini. This follows the general ideal-functionality paradigm for defining security that was alreadyused in [42] for defining SMPC in the cryptographic setting. Such a trusted party can be nicely abstractedas a distinguished process in the applied π-calculus. A first attempt, called SMPC temp, could lookas follows:

SMPC temp 4= sidc(sid).in1(x1,= sid) . . . inn(xn,= sid).let (y1, . . . , yn) = result(F , x1, . . . , xn) in in1〈y1, sid〉 . . . inn〈yn, sid〉

There still is discrepancy between this abstraction and the computational model that invalidates compu-tational soundness: a computational adversary learns the session identifier, which is instead concealed bySMPC temp. In addition, the computation of F is shifted to the evaluation of the destructor result.Such a complicated destructor would make mechanized verification extremely difficult.

Final abstraction. To make the abstraction amenable to automated verification, in particular type-checking, we represent F as a context that explicitly performs the computation. The resulting abstrac-tion of secure multi-party computation is depicted in Figure 1 as the process SMPC. This process isparametrized by an adversary channel adv , a session identifier channel sidc, n private channels ini foreach of the n participants, and a context F . We implicitly assume that private channels are authenticatedsuch that only the ith participant can send messages on channel ini. The computational implementationof SMPC implements this authentication requirement. Furthermore, SMPC contains two restrictedchannels for every party i: an internal loop channel inloopi and an internal input channel lini.

SMPC receives a session identifier over the channel sidc. Then n + 1 subprocesses are spawned: aprocess inputi for every participant i that is responsible for collecting the ith input and for divulgingpublic information, such as the session identifier, to the adversary, and a process that performs the actualmulti-party computation. Here inputi waits (under a replication) on the loop channel inloopi for thetrigger message sync() of the next round, and expects the private input xi and a session identifier sid′

over ini. It then sends the session identifier sid′ to the adversary, checks whether the session identifiersid′ equals sid, and finally sends the private input xi on the internal input channel lini. The actualmulti-party computation is performed in the last subprocess: after the private inputs of the individualparties are collected from the internal input channels lini, the actual program F is executed.

After each computation round, the subprocesses deliveri send the individual outputs over the privatechannels ini to every participant i along with the session identifier sid. In order to trigger the next round,sync() is sent over the internal loop channels inloopi.

The abstraction allows for a large class of functionalities F as described below.

Definition 4. [SMPC-suited context] An SMPC-suited context is a context F such that:

1. fv(F) = {sid} and fn(F [0]) = {lin1, . . . , linn}.

2. Bound names and variables are distinct and different from free names and free variables.

6

Although one might expect additional constraints on the context F (e.g., it is terminating, it does notcontain replications, etc.), it turns out that such constraints are not necessary as, intuitively, having moretraces in the symbolic setting does not break computational soundness. Such constraints would probablysimplify the proof of computational soundness, but they would make our abstraction less intuitive andless general.

Finally, we briefly describe how we model the corruption of the parties involved in the secure multi-party computation. In this paper we consider static corruption scenarios, in which the parties to becorrupted are selected before the computation starts. As usual in the applied π-calculus, we modelcorrupted parties by letting the adversary know the secret inputs of the corrupted parties. This isachieved by letting the channel ini occur free in the process if party i is corrupted. As we only considerstatic corruption, we restrict our attention to processes that do not send these channels ini over a publicchannel (for a formal definition see Definition 10 of well-formed processes).

Arithmetics in the applied π-calculus. One of the most common applications of SMPC is theevaluation of arithmetic operations on secret inputs. Modelling arithmetic operations in the appliedpi-calculus is straightforward. We encode numbers in binary form via the string0(M), string1(M), andnil() constructor applications. Arithmetic operations are modelled as destructors. For instance, thegreater-equal relation is defined by the destructor ge(M1,M2), which returns M1 if M1 is greater equalthen M2, M2 otherwise. With this encoding, numbers and cryptographic messages are disjoint sets ofvalues, which is crucial for the soundness of our analysis and the computational soundness results.

The Millionaires problem. For the sake of illustration, we show how to express the Millionairesproblem in our formalism (two parties wish to determine who is richer, i.e., whose input is bigger,without divulging their inputs to each other.) The protocol is parametrized by two numbers x1 and x2:

νsid. νsidc. νc1. νc2. sidc〈sid〉 | adv〈sid〉 | SMPC(adv, sidc, c1, c2, compare)| c1(sid).c1〈(x1, id1), sid〉.c1(y1, sid1) | c2(sid).c2〈(x2, id2), sid〉.c2(y2, sid2)

compare[•] 4= lin1((x1, z1)).lin2((x2, z2)).let x1 = ge(x1, x2)then let y1 = y2 = z1 in • else let y1 = y2 = z2 in •

where [y1 := z, y2 := z] denotes the instantiation of variables y1 and y2 with variable z, which can bedefined by encoding, and • is the hole of the context.

3 Formal verification

We propose a technique for formally verifying processes that use the symbolic abstraction SMPC. Inprinciple, our abstraction is amenable to several verification techniques for the applied π-calculus suchas [20, 39, 21]. In this paper, we rely on the type-checker for security policies presented in [9], whichwe extend to support arithmetic operations. This type-checker enforces the robust safety property (cf.Definition 3).

We decorate the protocol linked to our SMPC abstraction with assumptions and assertions, as de-picted in Figure 2. The assumptions are used to mark the inputs of the secure multi-party computationand to specify the correctness property for the secure multi-party computation. The assertion is used tocheck that the result of the SMPC fulfills the correctness property.

Specifically, for every party i an assumption assume Input(idi, xi, sid) is placed upon sending a privateinput xi with session identifier sid, where idi is the (publicly known) identity of party i. To check thecorrectness of the secure multi-party computation, assert P(z, sid) is placed immediately after thereception of the result (z, sid). We also assume a security policy, which takes in general the followingform:

∀id, x, sid, z.(∧ni=1 Input(idi, xi, sid)

∧

i,j∈[n]

idi 6= idj ∧ Frel)⇒ P(z, sid)

The formula Frel characterizes the expected relation between the inputs and the output. As an example,the policy and party annotations for the Millionaires problem would be as follows:

∀id1, id2, x1, x2, sid.(Input(id1, x1, sid) ∧ Input(id2, x2, sid) ∧ id1 6= id2 ∧ x1 ≥ x2

)⇒ Richer(id1, sid).

7

SMPCresult

assume Input(idi, xi, sid)

assume ∀x, id, sid.

n�

i=1

Input(idi, xi, sid) ∧ id1 �= · · · �= idn

∧ Frel ⇒ P(z, sid)

assert P(z, sid)

.

.

.

.

.

.

input(xi, sid)

(z, sid)

Figure 2: Assumptions and assertions for a process linked to our SMPC abstraction.

Each party would be annotated as follows:

Pi4= assume Input(idi, xi, sid) | ci〈(xi, idi), sid〉.ci(yi, sidi).assert Richer(yi, sid).

Arithmetics in the analysis. We extended the type-checker to support arithmetic operations. Specif-ically, we modelled arithmetic operations as predicates in the logic, defined their semantics followingthe semantics given in the calculus, and added a few general properties, such as the transitivity of thegreater-equal relation. The type theory is extended to track the arithmetic properties of terms (e.g.,while typing let z = ge(x1, x2) then P , the type-checker tracks that z is the greatest value between x1

and x2 and uses this information to type P ). The type theory supports this kind of extensions as longas the set of added values is disjoint from the set of cryptographic messages and the added destructorsdo not operate on cryptographic terms, which holds true for our encoding of arithmetics.

Case study: sugar-beet double auction

As a case study for our symbolic abstraction, we formalized and analyzed the sugar-beet double auctionthat has been realized within the SIMAP project by using an SMPC [23]. This protocol constitutesthe first large scale application of an SMPC. The double auction protocol determines a market clearingprice for sugar-beets. More specifically, first, a set of prices is fixed; then, for every price each producercommits itself to an amount of sugar-beets that it is willing to sell, and each buyer commits itself tothe amounts of sugar-beets that it is willing to buy. The market clearing price is the maximal marketclearing price for which the supply did not yet exceed the demand.

The protocol assumes that for every producer the list with the amounts of sugar-beets that thisproducer is willing to sell for each price is monotonically increasing. Analogously, for every buyer the listwith the amount of sugar-beets that a buyer is willing to buy for each price is monotonically decreasingfor this buyer. Beginning from the lowest price, the protocol computes for every price i the demand, i.e.,the sum of the amounts that the buyers are willing to buy, and the supply, i.e., the sum of the amountsthat the sellers are willing to sell. Then, the protocol compares the supply and the demand. If the supplyis greater than the demand, the protocol outputs the price i−1 as the market clearing price. In the othercase, the protocol compares the next higher price i + 1 until the protocol exceeds the maximal price p,in which case the maximal price is output. 2

Both the producers and the buyers might want to keep their bids secret. Hence, the private input ofevery party has to be kept private. In the sugar-beet double auction developed by the SIMAP project,the sellers and buyers perform a joint secure multi-party computation. The producer and buyer partiessend initially an input and receive at the end of the computation the result, i.e., the market clearingprice. In addition, before the start of the protocol, producers and buyers receive a signature on the list

2We only consider the maximal market clearing price. The actual sugar-beet double auction protocol has a moreelaborate procedure for choosing one market clearing price.

8

of participants, the session identifier, and the set of prices from a trusted party. This signature is verifiedby each participant and sent as an input to the SMPC, which verifies the signatures and checks whetherthe data coincides This ensures that all participants agree on the common public inputs. Notice thatthis SMPC performs arithmetic operations as well as cryptographic operations, yet on distinct values.

The protocol comprises three additional parties, called the computation parties. In the real imple-mentation these computation parties receive shares of the secret inputs of all other parties such that nosingle computation party learns the input of the bidders. Then, for efficiency reasons, these computationparties perform the actual SMPC with the received shares. Consequently, the computation parties needto be part of the abstraction. In the abstraction these parties send a command start_round for eachprice that is checked as long as the market clearing price is not found.

We modelled the SMPC with a context F that initially expects inputs from the producers and buyers;for each price, F expects a command start_round from the computation parties. Upon sending theinput x, the producer and buyer parties assume Input(id, x, sid), where id is the identifier for that partyand sid is the session identifier. Upon receiving the final result (z, sid) every party asserts a predicateMCP(z, sid) (this predicate is defined below). Assume there are m different prices; then, we representthe inputs of the producers and the buyer, i.e., the list with the amounts, as a tuple bids := (x1, . . . , xm).Additionally, each bidder sends a flag b that marks this bidder as a producer, b := 1, or a buyer, b := 0.Every producer and buyer sends the pair (b, bids) to the secure multi-party computation.

Finally, we are ready to state the policy characterizing the result of the computation that is performed:the predicate MCP(z, sid) holds true if there are appropriate input predicates Input(idi, xi, sid) and z isthe maximal price for which demand is greater than or equal to the supply, which we characterize by thepredicate Is max(x1, . . . , xn, z) (the semantics of this predicate is defined in terms of basic arithmeticoperations supported by our type-checker), where πi(t) denotes the i-th element of the tuple t.

∀x1, . . . , xn, z, i. Q(x1, . . . , xn, z) ∧Q(x1, . . . , xn, i)⇒ z ≥ i⇒ Is max(x1, . . . , xn, z) and

∀b1, . . . , bn, bids1, . . . , bidsn, l.

n∑

j=1

πl(bidsj) · (1− bj)︸ ︷︷ ︸

demand

≥n∑

j=1

πl(bidsj) · bj︸ ︷︷ ︸

supply

⇒ Q((b1, bids1), . . . , (bn, bidsn), l)

The policy for the correctness of the computationis then defined as follows:

∀z, sid, x1, . . . , xm, id1, . . . , idn. Input(id1, x1, sid) ∧ · · · ∧ Input(idn, xn, sid)∧

i,j∈[n]

idi 6= idj ∧ Is max(x1, . . . , xm, z)⇒ MCP(z, sid)

The verification of this policy is challenging in that our abstraction comprises about 1400 lines of codeand it relies on complex functions. The type-checker succeeds in 5 minutes and 30 seconds for the SMPCprocess and the ceritifcation issuer and additional 40 seconds for every participant. 3

4 Computational soundness of symbolic SMPC

In this section, we present a computational soundness result for our abstraction of secure multi-partycomputations. Our result builds on the universal composability (UC) framework [25, 28], where thesecurity of a protocol ρ is defined by comparison with an ideal functionality I. The proof proceeds inthree steps, as depicted in Figure 3.

In the first step, we prove that the robust safety of an applied π-calculus process carries over tothe computational setting, where the protocol is executed by interactive Turing machines operating onbitstrings instead of symbolic terms and using cryptographic algorithms instead of constructors anddestructors. This part of the proof solely depends on additional non-interactive cryptographic primitivesthat might be used in the protocol (such as encryption and digital signatures). It does not depend onthe secure multi-party computations, which are still abstracted symbolically by processes of the form

3The source code can be found at http://www.lbs.cs.uni-saarland.de/publications/smpc_simap.spi. We typechecked the protocol with 2 prices, 3 computation parties, and 2 input parties.

9

Applied π

calculus

Computationalexecution

ComputationalSMPC execution

ComputationalSMPC execution

Ideal functionality I Real SMPC ρ

Figure 3: Overview of the computational soundness proof

SMPC(adv , sidc, in,F). Since the remaining steps of the proof are parametric over these non-interactiveprimitives, we decided to make our result general by assuming the first step of the proof, which is fairlystandard and follows arguments similar to previous computational soundness results for non-interactivecryptographic primitives. In Appendix D, we prove the computational soundness of a specific Dolev-Yaomodel with asymmetric encryption, digital signatures, and arithmetic operations.

The first part of the proof entails the computational soundness of a process executing the abstractionSMPC(adv , sidc, in,F). A computational implementation of the protocol, instead, should execute anactual SMPC protocol ρ. In the second step of the proof, we show that for each SMPC-suited contextF , the computational execution of our abstraction SMPC(adv , sidc, in,F) is indistinguishable from theexecution of a protocol I (see Construction 1) that solely comprises a single incorruptible machine.

The third step of the proof builds on a result from [28], which ensures that for any well-formed idealfunctionality I there is a protocol ρ that securely realizes I in the UC framework, which ensures inparticular that the trace properties of I carry over to the actual implementation ρ.

These three steps allow us to conclude that for each abstraction SMPC(adv , sidc, in,F) there existsan implementation ρ such that the trace properties of any well-formed process P (defined in Section 4.3),and in particular the security policies enforced by the type system, carry over from the execution thatmerely executes a process P and executes SMPC(adv , sidc, in,F) as a regular subprocess to the execu-tion that communicates with ρ upon each call of a subprocess SMPC(adv , sidc, in,F). By leveragingthe composability of the UC framework and the realization result for SMPC in the UC framework, wefinally conclude that if a protocol based on our SMPC abstraction is robustly safe then there exists animplementation of that protocol that is computationally safe.

We review the characterization of secure multi-party computations in the UC framework in Sec-tion 4.1. We present the computational execution for our SMPC abstraction in Section 4.2. In Section 4.3we introduce the notion of computational safety. Finally, we state our computational soundness resultin Section 4.4.

Throughout the entire section, we use the notation that n is the number of parties in the currentsecure multi-party computation, i.e., for SMPC(adv , sidc, in,F) we have that n := |in|.

4.1 SMPC in the UC framework

UC Framework. The UC framework defines the security of a protocol ρ by comparison with anideal functionality I. The ideal functionality for secure multi-party computations resembles our SMPCabstraction in that it essentially consists of a single machine performing an ideal computation. In theUC framework, a protocol ρ is called a secure realization of an ideal functionality I if for every attackon ρ there is an attack on I. More precisely, for any adversary that interacts with ρ, there is a simulator(often called the simulator)that interacts with I such that no protocol environment interacting with boththe protocol and the adversary can tell an execution of ρ from an execution of I. In this work, all these

10

machines are polynomial-time.In the UC framework, a network is modelled as a set of interactive Turing machines (ITMs). Every

ITM has a unique identity. The recipient of a message is addressed by the identity of that ITM. Wesay a network S is executable if it contains an ITM Z with distinguished input and output tape andwith the special identity env. An execution of S with input z ∈ {0, 1} ∗ and security parameter k ∈ Nis the following execution of the network: Initially, Z is activated with the message z on its input tape.Whenever an ITM M1 ∈ S finishes an activation with an outgoing message m (tagged with the identityof the receiver M2 ∈ S) on its outgoing communication tape, M2 is invoked with m (tagged with theidentity of the sender M1) on its incoming communication tape. If an ITM terminates its activationwithout an outgoing message or sends a message to a non-existing ITM, the distinguished ITM Z isactivated. The execution of the network terminates whenever Z writes a message on its distinguishedoutput tape.

A network S may also contain a distinguished ITM A, called the adversary. Sending a message overa public channel is modelled as sending a message to the adversary. A UC protocol is a network withoutan adversary and an environment. Corrupted parties are modelled as ITMs that directly forward allmessages from and to the adversary. Moreover, the adversary can read all tapes of a corrupted party.

In the UC framework, it is possible to model a port-based communication, i.e., each party hasfinitely many ports on which it can send (outgoing ports !p) or receive (incoming ports ?p) messages. Inparticular, in a session r every party i has an environment port ?inei,r, an environment port !outei,r, anadversary port ?inai,r, and an adversary port !outai,r. In all cases, port ?p is connected to some port !pand vice-versa. Hence, the incoming environment port ?inei,r and the outgoing environment port !outei,rare connected to an outgoing port !inei,r and an incoming port ?outei,r of the environment, respectively.Similar reasoning holds for the adversary ports ?inai,r, !in

ai,r, ?outai,r, and ?outai,r.

As previously mentioned, in the UC framework the security of a protocol is determined by compar-ison with the ideal functionality. Intuitively, we say that a protocol ρ UC-realizes τ if there exists asimulator such that the interaction of ρ with the adversary and the interaction of τ with the simulatorare indistinguishable.

Definition 5 (Secure realization (UC) [25]). Let ρ and τ be protocols. We say that ρ UC-realizes τif for any polynomial-time adversary A there exists a polynomial-time adversary S such that for anypolynomial-time environment Z the networks ρ ∪ {A,Z} (called the real model) and τ ∪ {S,Z} (calledthe ideal model) are indistinguishable.4

SMPC in the UC framework. In Construction 1, we construct a generic ideal functionality Isid,F,cthat serves as an abstraction of secure multi-party computations. This construction is parametric overthe session identifier sid, the function F to be computed, and the corruption scenario c5. This functionis stateful, it expects the SMPC inputs and a state, and it outputs the result and an updated state.

The ideal functionality receives the (secret) input message of party i from port ?inei,sid along with asession identifier. The input message is stored in the variable xi and the state statei of i is set to input.Both the session identifier and the length of the received message are leaked to the adversary, since inthe actual implementation each party announces the session identifier and commits to its own privateinput, which leaks the length of that input (see part (a) of Construction 1). In addition, the (ideal)adversary is allowed to schedule the delivery of the results to party i, which is achieved by letting theadversary interact with the ideal functionality on port ?inai,sid (see part (b) of Construction 1). Since theideal functionality might be reactive (i.e., the computation might involve different execution rounds), ourconstruction additionally keeps a round counter for each participant i, denoted by ri.

The construction is depicted in Figure 4.

Construction 1 (SMPC Ideal functionality). We construct an interactive polynomial-time machineIsid,F , called the SMPC ideal functionality, which is parametric over a session identifier sid and a poly-time algorithm F . Initially, the variables of Isid,F are instantiated as follows: ∀i ∈ [1, n].statei := input,ri := 1, and stateF := ∅. Upon an activation with message m on port p, Isid,F behaves as follows.(a) Upon (?inei,sid, (m, sid

′)) If sid = sid′ and statei = input, then set statei := compute and xi := m.If statei = input, then send (sid′, |m|) on port ?inai,sid.

4Recall that the execution terminates whenever the environment writes on its output tape. We say that two executionsE,E′ are indistinguishable if |Pr[E = 1]− Pr[E′ = 1]| is negligible.

5c = (c1, . . . , cn) ∈ {0, 1}∗ where party i is corrupted if ci = 1 and uncorrupted if ci = 0.

11

inputi

computei

deliveri

(mi, sid�) (|mi|, sid�)

check sid = sid� store mi

(deliver, sid�)

∀j : computej run F (x1, . . . , xn, stateF )(y1, . . . , yn, s)←

?inei

?inai !oute

i

!outai

Figure 4: The ideal functionality of SMPC

(b) Upon (?inai,sid, (deliver, sid′)), if ∀j ∈ [1, n].statej = compute and ri = rj, then compute

(y1, . . . , yn, s)← F (x1, . . . , xn, stateF ) and set stateF := s and ∀j ∈ [1, n].statej := deliver.If statei = deliver, set ri := ri + 1, statei := input and send yi on port !outei,sid.

Since we consider static corruptions in this paper, the ports !outei,sid and ?inei,sid of the ideal func-tionality are redirected to the adversary whenever a party i is corrupted, as this party is under thecontrol of the attacker. Such a port redirection is technically achieved by using dummy parties that actas message forwarders. We model the corruption scenario by a tuple c1, . . . , cn of bits, where ci = 1 ifand only if party i is corrupted. In the following, we denote by Isid,F,c the UC protocol composed of theideal functionality Isid,F and the dummy parties required to connect the adversary to ports !outei,sid and?inei,sid if ci = 1.

The function F essentially plays the same role in the ideal functionality as the SMPC-suited contextF in our symbolic abstraction of SMPC.

In Section 4.2.1, we construct an algorithm FF for any F . Here, we only outline the construction:FF emulates F [deliver1| . . . |delivern] for a fixed reduction strategy. The inputs (x1, . . . , xn) of FFcorrespond to the messages that F receives over the local input channels lini; the results of FF correspondto the messages sent by the context F [deliver1 | . . . | delivern] on the output channels ini. Upon anempty input state stateF , FF emulates the process F [deliver1 | . . . | delivern] and outputs a state s,which corresponds to the process that is left after the reduction has terminated. This state will be passedto the function in the next invocation, in order to deal with stateful computations. In this way, we areable to construct a family of ideal functionalities indexed by F instead of F . In the sequel, we refer tothis ideal functionality as Isid,F,c.

4.2 Computational execution of a process

Since the applied π-calculus only has semantics in the symbolic model (without probabilities and withoutthe notion of a computational adversary), we need to introduce a notion of computational execution forapplied π-calculus processes. Our computational implementation of a symbolic protocol P builds onthe computational execution of the applied π-calculus that has been proposed in [8]. This is a proba-bilistic polynomial-time algorithm that expects as input the symbolic protocol Q, a set of deterministicpolynomial-time algorithms A for the constructors and destructors in Q, and a security parameter k.This algorithm executes the protocol by interacting with a computational adversary. In the operationalsemantics of the applied π calculus, the reduction order is non-deterministic. This non-determinism is re-solved by letting the adversary determine the order of the reduction steps. The computational executionsends the process to the adversary and expects a selection for the next reduction step. In the following,

12

we follow the convention that “fresh variable” or “fresh name” means a variable or name that does notoccur in any of the variables maintained by the algorithm. The computational execution tightly followsthe semantics of the applied π-calculus, with the exception that it operates on bitstrings and does notinstantiate names and variables in the process but rather maintains an environment η that stores thebitstrings assigned to the free variables in P , and an interpretation µ of the free names in P as bitstrings.Given η and µ, we can computationally evaluate a term or a destructor application D to a bitstringcevalη,µ,k,AD by using the algorithms A for the constructors and destructors in D. (We will often omitk and A for readability if these are clear from the context.) We set cevalη,µD := ⊥ if the application ofone of the algorithms in A fails. In abuse of notation, in the following we will use evaluation contextswith distinguished multiple holes.

The computational execution together with the adversary Advconstitutes a network. The adversary,however, can be seen as the environment; if the execution Execπ stops, Adv is activated.

Definition 6 (Computational π-execution). Let Q be a closed process. Let C be an interactive machinecalled the adversary. We define the computational π-execution as an interactive machine ExecπQ,A(1k)that takes a security parameter k as argument and interacts with C:• Start: Let P be obtained from Q by deterministic α-renaming so that all bound variables and names

in Q are distinct. Let η and µ be a totally undefined partial functions from variables and names,respectively, to bitstrings. Let a1, . . . , an denote the free names in P . For each i, pick ri ∈ Nonceskat random. Set µ := µ ∪ {a1 := r1, . . . , an := rn}. Send (r1, . . . , rn) to C.6

• Main loop: Send P to the adversary and expect an evaluation context E from the adversary.Distinguish the following cases:

– P = E[M(x).P1]: Request two bitstrings c, m from the adversary. If c = cevalη,µM , setη := η ∪ {x := m} and P := E[P1].

– P = E[νa.P1]: Pick r ∈ Noncesk at random, set P := E[P1] and µ := µ(a := r).– P = E[M1〈N〉.P1][M2(x).P2]: If cevalη,µM1 = cevalη,µM2, then set P := E[P1][P2] andη := η ∪ {x := cevalη,µN}.

– P = E[let x = D in P1 else P2]: If m := cevalη,µD 6= ⊥, set η := η ∪ {x := m} andP := E[P1]; Otherwise set P := E[P2].

– P = E[assert F.P1]: Let P := E[P1] and raise the tuple ((F1, . . . , Fn), F, η, µ, P ) whereassume F1, . . ., assume Fn are the top level assumptions7 in P .

– P = E[!Q]: Let Q′ be obtained from Q by deterministic α-renaming so that all bound variablesand names in Q′ are fresh. Set P := E[Q′|!Q].

– P = E[M〈N〉.P1]: Request a bitstring c from the adversary. If c = cevalη,µM , set P := E[P1]and send cevalη,µN to the adversary.

– In all other cases, do nothing.For any interactive machine Adv, we define ExecπQ,A,Adv(1

k) as the interaction between ExecπQ,A(1k)and Adv; the output of ExecπQ,A,Adv(1

k) is the output of Adv.We let AssertionsπP,A,p,Adv(k) denote the distribution of sequences of assertion tuples of the form

((F1, . . . , Fn), F, η, µ, P ) raised in an interaction of ExecπP,A,Adv(1k) within the first p(k) computation

steps (jointly counted for Adv(1k) and ExecπP,A,τ (1k)).

When applied to a protocol built on our abstraction of SMPC, the execution Execπ executes the ab-straction SMPC(adv , sidc, in,F), which corresponds to a trusted host performing an ideal computation.Our computational soundness result, however, has to hold for an arbitrary protocol that incorporates anactual secure multi-party computation protocol.

We thus introduce the notion of SMPC implementation Execsmpc, which differs from Execπ in thatthe SMPC protocol is executed instead of the abstraction SMPC(adv , sidc, in,F). Execsmpc takes asinput the security parameter, a process Q, the algorithms A for the constructors and destructors in Q,and a family τ of UC protocols, one for each of the SMPC in Q. Intuitively, Execsmpc is meant to act asan interface between the adversary and the UC protocol, which can be either the ideal functionality orthe actual SMPC protocol (i.e., τ will be either a family of ideal protocols or a family of real protocols,respectively).

6In the applied π-calculus, free names occurring in the initial process represent nonces that are honestly chosen butknown to the attacker.

7assume F is top-level in P if there exists a context E such that P = E[assume F ].

13

η(z := output i,

s := r)

i is corrupted

storeoutputi

!inei,r

!inai,r

?outei,r

?outai,r

E[SMPC�(adv , in,F)]

E[c(z, s)][0r,in,F ]

E[0r,in,F ]

E[c�x, s�][0r,in,F ]

(i)

(ii)

(iii)

(iv)

(v)

�0r,in,F

SMPC(adv, sidc, in,F)

�

E[0r,in,F ]

ExecSMPC

?inei,r

?inai,r

!outai,r

!outei,r

τr,F,cAdv

Figure 5: The computational SMPC execution Execsmpc, where r := µ(sid) andsidc(sid).SMPC′(adv , in,F) := SMPC(adv , sidc, in,F).

The behavior of Execsmpc is depicted in Figure 5, where sidc(sid).SMPC′(adv , in,F) :=SMPC(adv , sidc, in,F). The adversary may (i) initialize the secure multi-party computation, in whichcase a session identifier r is sent over the channel sidc; (ii) schedule the delivery of the output to somehonest party, in which case the process and the environment η are updated accordingly; (iii) schedulethe input of some honest party i, in which case this input is sent to the UC protocol over the port !inei,r;(iv) schedule the input of some dishonest party i, in which case this input is sent to the UC protocol overthe port connected to !inei,r; and (v) send a message to party i, in which case this message is forwardedto port !inai,r. In all these cases, except for (i) and (ii), the computational execution interacts with theprotocol and the protocol answers with a message m. If m is sent over the outgoing port of some honestparty i (i.e., it is received from port ?outei,r), then m is stored in a buffer waiting for delivery, otherwisem is directly forwarded to the attacker.

The execution Execsmpc together with the adversary Adv and all the protocol parties for any sessionconstitute a network. Each session r induces a subnetwork comprising the computational executionExecsmpc and the protocol parties for the session r. In this session r the execution Execsmpc plays therole of both the environment and the adversary, respectively, listening on the ports ?outei,r and ?outai,r(i ∈ [1, n]). In particular, Execsmpc is activated if no other machine in the subnetwork, composed of theis active anymore. If the execution Execsmpc terminates without having sent a message to a party, theadversary is activated.

Definition 7 (Computational SMPC execution). Let Q and A be as in Definition 6. Let τ denote afamily of UC protocols (intuitively, this family is composed of the implementations of the SMPC protocolsfor each of the SMPC-suited contexts F , the session identifiers r, and the corruption scenarios c, whichwe denote by τr,F,c). We define the interactive machine Execsmpc

Q,A,τ (1k) by modifying the main loop ofExecπQ,A(1k) (see Definition 6) as follows:

(i) (the secure multi-party computation is initialized) P = E[SMPC′(adv , in,F)]. Set r :=cevalη,µ(M), η := η ∪ {sid := r}, and P := E[0r,in,F ].8

8The SMPC abstraction is replaced by the dummy process 0r,in,F , which is tagged with the session identifier r, theinput channels in, and the function to be computed F .

14

(ii) (the output of some honest party is delivered) P = E[c(z, s).Q][0r,in,F ] and outputri = m 6= ⊥, and∃i ∈ [1, n] : cevalη,µ ini = cevalη,µ c :Set η := η ∪ {z := m, s := r}, set outputri := ⊥, and P := E[Q][0r,in,F ].

(iii) (the input of some honest party is scheduled) P = E[c〈x, s〉.Q][0r,in,F ] and ∃i ∈ [1, n] : cevalη,µ ini =cevalη,µ c :Let m := cevalη,µ(x, s) and send m to τr,F,c over the port !inei,r.

9

(iv) (the input of some dishonest party is scheduled) P = E[0r,in,F ] Request a bitstring m from theadversary. If m = (ch, r,m′) and η(ini) = ch for some i ∈ [1, n], send m′ over the port !inei,r.

(v) (the adversary communicates with the protocol) P = E[0r,in,F ] Request a bitstring m from theadversary. If m = (i, r,m′)10 then send m′ over the port !inai,r.

In addition, in all cases but (i) and (ii), whenever a message m′ is received over a port ?outei,r withi not being corrupted, set outputri := m′; whenever a message m′ is received over ?outai,r or over ?outei,rfor a corrupted i, (m′, i) is forwarded to the adversary. Moreover, we do not send P to the adversary butthe erasure of P in which all 0r,in,F are replaced by 0.

For any interactive machine Adv, we define ExecsmpcQ,A,τ,Adv(1

k) as the interaction betweenExecsmpc

Q,A,τ (1k) and Adv; the output of ExecsmpcQ,A,τ,Adv(1

k) is the output of Adv.We let Assertionssmpc

P,A,τ,p,Adv(k) denote the distribution of sequences of assertion tuples of the form((F1, . . . , Fn), F, η, µ, P ) raised in an interaction of Execsmpc

P,A,τ,Adv(1k) within the first p(k) computation

steps (jointly counted for Adv(1k) and ExecsmpcP,A,τ (1k)).

4.2.1 The implementation of FWe construct for each F an algorithm FF that is computed by the ideal functionality Isid,F (see Con-struction 1). This algorithm emulates the computational π execution, i.e., FF additionally expects a stateas input and outputs an updated state. For the construction of FF , we assume a fixed and efficientlycomputable reduction strategy S. This reduction strategy acts as the adversary, i.e., it constitutes aninteractive machine (though in this construction the interaction as well as the interactive machines areemulated by FF ).

Recall that the SMPC process contains internal loop channels inloopi for ensuring that every partyonly accepts a new input if an output has been delivered. The ideal functionality performs these checksdirectly; hence, we can omit these loop channels and we get (for n := |in|)

F [in1〈y1〉 | . . . | inn〈yn〉].

As F expects the inputs over the local input channels lini, we place processes lini〈xi〉 in parallel andset η(xi) to be the ith input. Finally, in order to determine which message S schedules to be sent asan output, we place processes ini(y′i, sid) in parallel and set the ith output to be η(y′i), where η is thevariable mapping of the emulated execution after S finished.

We assume an efficient encoding for processes and the name and variable mappings, µ and η. Letn := |in|; then, FF performs on input (m1, . . . ,mn, state) the following steps:

1. If state is empty, setcompute state0 := F [in1〈y1〉 | . . . | inn〈yn〉]

and µ := η := ∅, where y′ are fresh variables. Otherwise, try to extract a process P , a namemapping µ′, and a variable mapping η′ out of state. If this extraction fails abort; otherwise, setcompute state0 := P, µ := µ′, and η := η′. In both cases, with an empty state and a non-emptystate, extend the variable mapping η ∪ {x1 := m1, . . . , xn := mn} and set

compute state := compute state0 | lin1〈x1〉 | . . . | linn〈xn〉| in1(y′1) | . . . | inn(y′n).

2. Run the Main loop of the computational execution Execπcompute state,S with the name mapping µand the variable mapping η.

9!inei,r is connected to the incoming port ?inei,r of party i in τr,F,c10We implicitly assume that ∀i ∈ [1, n].µ(ini) /∈ [1, n].

15

3. Let compute state′ be the process to which compute state0 has been reduced after the reductionstrategy S terminated. Let Let and η and µ be the variable and name mappings at that point. Letstate ′ be the encoding of η, µ and compute state′, and output (η(y′1), . . . , η(y′n), state ′). If η(y′i)is undefined, output a distinguished error symbol.

4.3 Computational safety

For defining computational safety, we first need to recall the logic for the security policies that weare considering. The logic has to fulfill some standard properties such as monotonicity, closure undersubstitution, and it should allow the replacement of equals by equals.

We assume a set Ds of deduction rules in the sequent calculus that define a deduction relation `s.11

Let Γ be a set of formulas in the logic. We say that a formula F is entailed by a premise Γ, denoted asΓ |=s F , if there is a proof tree (using Ds) such that the conclusion of the deduction rule at the root ofthe tree is Γ `s F .

Following the approach of Backes, Hritcu and Maffei [9], we characterize destructor application testsby introducing for each destructor an uninterpreted function symbol d# and a predicate Red such thatRed(d#(M1, . . . ,Mn),M) holds true only if d(M1, . . . ,Mn) = M holds true, where Mi,M are terms.12

We could assume Ds to contain the following deduction rule:

d(M1, . . . ,Mn) = M

`s Red(d#(M1, . . . ,Mn) = M.

For the sake of a better presentation of the computational entailment relation, however, we want to keepthe names of the variables that have been replaced by terms in the course of the execution. Therefore,we introduce a mapping eval from variables to terms that just stores which variable has been replacedby which term in the current process. Then, we represent the rule as

d(eval(v1), . . . , eval(vn)) = M

`s Red(d#(v1, . . . , vn) = v,

with vi, v being variables only. Moreover, we assume Ds to contain rule for universal quantification:

Γ, C{x′

x

}`s B

Γ,∀x.C `s BL∀ x is free in Γ, C

Γ `s C{x′

x

}, B

Γ `s ∀x.C,BR∀ x is free in Γ, C,

where x′ is a fresh variable. And, we assume analogous rules for existential quantification.The computational entailment relation |=η,µ,A is based on the symbolic entailment relation |=s.

We define the computational entailment relation by the same inference rules with the only differencethat universal quantification indeed quantifies over all bitstrings and all destructor application testsRed(d#(v1, . . . , vn), v) correspond to the check Ad(cevalη,µ v1, . . . , cevalη,µ vn) = cevalη,µ v, where Ad isthe computational implementation of d.

Definition 8 (Computational entailment |=η,µ,A). Let `s be a symbolic entailment relation that isinductively defined by a set of inference rules Ds. Let η and µ be variable and name mappings, and letA be implementations. We define a set of inference rules Dη,µ,A as Ds with the following modifications:

(a) Replaced(eval(v1), . . . , eval(vn)) = eval(v)

`s d(v1, . . . , vn) = v

byAd(cevalη,µ v1, . . . , cevalη,µ vn) = cevalη,µ v

`η,µ,A d(v1, . . . , vn) = v,

11We refer the interested reader to [41]. The sequence calculus has been introduced by Gentzen in 1934 [40].12One minor difference is that in our setting destructors are partial functions and in [9] destructors are defined via a

reduction relation; in particular, destructors might be non-deterministic, i.e., relations.

16

(b) replaceΓ, C

{x′

x

}`s B

Γ,∀x.C `s Bx is free in Γ, C

by∀b ∈ {0, 1}∗ : Γ, C

{x′

x

}`η∪{x′:=b},µ,A B

Γ,∀x.C `η,µ,A Bx is free in Γ, C, and

(c) replaceΓ `s C

{x′

x

}, B

Γ `s ∀x.C,Bx is free in Γ, C

by∀b ∈ {0, 1}∗ : Γ `η∪{x′:=b},µ,A C

{x′

x

}, B

Γ `η,µ,A ∀x.C,Bx is free in Γ, C,

(d) replace all remaining `s by `η,µ,A.

We say that a formula F is entailed by a premise Γ, denoted as Γ |=η,µ,A F , if there is a proof tree(using Dη,µ,A) such that the conclusion of the deduction rule at the root of the tree is Γ `η,µ,A F .

We stress that we use the same computational entailment relation |=η,µ,A for both the computation π-execution and the computational SMPC-execution. The reason is that we consider first order formulasover free n-ary predicates and destructor application tests.

There are properties for which computational soundness cannot be shown. For a function H whoserange is smaller than its domain (such as a collision-resistant hash function), consider the injectivityproperty ∀x, y.x 6= y ⇒ H(x) 6= H(y). Symbolically, this property holds true if H is a constructor.Computationally, however, this formula naturally does not hold as x and y are universally quantifiedand collisions cannot be avoided. To exclude such cases, we only consider quantification over protocolmessages. This is formalized by requiring that all quantified subformulas ∀x.F and ∃x.F are of the form∀x.p(. . . , x, . . .) ⇒ F ′ and ∃x.p(. . . , x, . . .). ∧ F ′ (where p is a predicate) and we call the resulting classof first-order formulas well-formed formulas (seeDefinition 9). Hence ∀x, y.x 6= y ⇒ H(x) 6= H(y) is notwell-formed. Instead, ∀x, y.p(x) ∧ p(y) ∧ x 6= y ⇒ H(x) 6= H(y)13 (where p is a predicate, meant to beassumed upon reception of x and y) is well-formed. As we exclude assumptions of the form ∀x.p(x),p(m) has to be assumed explicitly and m must be a protocol message. For a collision-resistant hashfunction H, the above formula holds computationally. We stress that in contrast to other computationalsoundness results (e.g., [8]), where formulas are assumed to be term-free (i.e., contain nullary predicatesonly), our result holds for formulas containing terms of the calculus and destructor application tests.

Definition 9 (Well-formed formula). Let |=s be the entailment relation and Ds the set of deductionrules from above (the beginning of Section 4.3). Let x, x′, xi denote variables, let p denote a predicate,and d a destructor. Let F be a formula over predicates p(x1, . . . , xm) and destructor application testsd(x1, . . . , xm) = x′. We say that F is well-formed iff for all subformulas F ′ of F we have that• if F ′ = ∀x.F ′′, we have F ′′ = p(. . . , x, . . . )⇒ F ′′′ (for some well-formed formula F ′′′),• if F ′ = ∃x.F ′′, we have F ′′ = p(. . . , x, . . . ) ∧ F ′′′ (for some well-formed formula F ′′′).

Such a p(. . . , x, . . .) is called the guard of x.

A note on well-formed formulas. This well-formedness condition might seem heavily restrictive,but almost every formula can be easily converted into a well-formed formula. For example, the generalsecurity policy

∀id, x, sid, z.(∧ni=1 Input(idi, xi, sid) ∧ id1 6= . . . 6= idn ∧ Frel

)⇒ P(z, sid)

presented in Section 3 can be easily converted into a well-formed formula (given a free predicate p):

∀id, x, sid, z.(∧ni=1 p

idi (id) ∧ni=1 pi(x) ∧ psid(sid) ∧ pmcp(z)

∧ni=1 Input(idi, xi, sid) ∧ id1 6= . . . 6= idn ∧ Frel)⇒ P(z, sid).

13This formula is logically equivalent to ∀x.p(x)⇒ ∀y.p(y)⇒ x 6= y ⇒ H(x) 6= H(y). For the sake of a clear presentation,the policies in Section 3 are not well-formed, but adding for every quantified variable x a predicate p(x) to the premisemakes these policies well-formed as well.

17

This formula additionally requires that in the process at an appropriate place contains assume pa(m) foreach pa(m) that occurs in the formula.

For the computational soundness proof, we require all formulas to be well-formed. Moreover, intight correspondence to the UC model, we require session identifiers to be unique. In addition, aswe only consider static corruption, we need to require that the private channels ini (occurring in anSMPC occurrence SMPC(adv , sidc, in,F)) are never sent over a public channel. Hence, we require thata process only contains well-formed formulas and for all subprocess SMPC(adv , sidc, in,F) that thecontext F is SMPC-suited (see Definition 4), the channels ini are never sent over a public channel, everysession identifier is sent at most once over a channel sidc.

For the next definition, we need the following notation. We call a channel sidc that occurs in anSMPC subprocess SMPC(adv , sidc, in,F) process a session identifier channel and a channel ini thatoccurs in such an SMPC subprocess a party channel. A public channel is a channel that is either free ora channel that has been sent over a public channel.

Definition 10 (Well-formed processes). A process P is well-formed if the following conditions hold:1. For all asserts assert F in P the formula F is a predicate and for all assumes assume F the

formula F is a well-formed formula.2. For all subprocesses SMPC(adv , sidc, in,F) of P , F is an SMPC-suited context.3. Every session identifier is only sent once over a session identifier channel sidc.4. A non-free party channel ini (i.e., a term that contains ini) is never sent over a public channel.

We call a process an atomic process if it does not contain any assumptions and only assertionsassert true and assert false.

The computational notion of robust safety depends on the computational notion of logical entailment.We now introduce two definitions of robust computational safety, with respect to Execπ and Execsmpc,respectively.

Definition 11 (Robust computational safety). Let P be a process, A an implementation of the destruc-tors in P , and τ a family of secure multi-party computations. We say that P is π-(resp. SMPC-)robustlycomputationally safe using A (resp. A, τ) iff for all polynomial-time interactive machines Adv and allpolynomials p,

Pr[for all ((F1, . . . , Fn), F, η, µ,Q) ∈ a, {F1, . . . , Fn} |=η,µ,A F : a← AssertionsπP,A,p,Adv(k)]

(resp. Pr[for all ((F1, . . . , Fn), F, η, µ,Q) ∈ a, {F1, . . . , Fn} |=η,µ,A F : a← AssertionssmpcP,A,τ,p,Adv(k)])

is overwhelming in k.

A symbolic model is computationally sound if robust safety carries over to the computational setting.This definition is used in our first theorem, which is parameterized over the non-interactive primitivesused in the protocol.

Definition 12 (Computationally sound model). Let A be a set of constructor and destructor implemen-tations. We say that a symbolic model (D,P) is computationally sound using A iff for all P ∈ P suchthat P is robustly safe, P is π-robustly computationally safe using A.

Definition 13 (Well-formed symbolic models). A symbolic model (D,P) is called well-formed if allprocesses P ∈ P are well-formed and P fulfills the following closure properties:

(i) If P ∈ P and P ′ is a subprocesses of P , then P ′ ∈ P.

(ii) If P ∈ P, then νn.P ∈ P for any name n.

(iii) If P ∈ P and P ′ is statically equivalent to P , then P ′ ∈ P.

(iv) If P ∈ P and P ′ is an erasure of P obtained by replacing each assumption assume F withcp1〈v1〉 | . . . cpn〈vn〉, where vi is a quantified variable with guards pi in F , and replacing eachassert F ′ by

cp′1(w1). . . . .cp′m(wm).if d(v1, . . . , vs) = v then 0 else assert false

where d ∈ D and w1, . . . , wm are quantifies variables with guards p′1, . . . , p′m (respectively) that

occur in an assume F ′′ in P , then for this erasure P ′ we have νc. P, where c denotes all freshlyintroduced channels.

18

Adv

SMPCinteraction

non–SMPCinteraction

ExecπP,A

SSim

reschedule

Figure 6: The scheduling simulator SSim in interaction with the execution Execπ and the adversary.

(v) If P ∈ P and P = P1|P2, then for Q := if d(M) = N then assert false else 0|P2 we haveQ ∈ P for any term M , N in the symbolic model and any destructor d ∈ D.

(vi) If P ∈ P and P = P1|P2, then for Q := if d(M) = N then 0 else assert false|P2 we haveQ ∈ P for any term M , N in the symbolic model and any destructor d ∈ D.

4.4 Computational soundness results

Finally, we are able to state our main results. In Section 4.4.1 we study the computational soundness ofsymbolic SMPC (Theorem 1), examining the main proof steps in Lemma 1, 2, 3, and 4. In Section 4.4.2we present a computationally sound symbolic model with public-key encryption, digital signatures andarithmetic operations.

4.4.1 Computational soundness of symbolic SMPC

We now state the main computational soundness result of this work: the robust safety of a process usingnon-interactive primitives and our SMPC abstraction carries over to the computational setting, as longas the non-interactive primitives are computationally sound. This result ensures that the verificationtechnique from Section 3 provides computational safety guarantees. We stress that the non-interactiveprimitives can be used both within the SMPC abstractions and within the surrounding protocol.

Our proof of the next lemma utilizes that the simulator is able to compute the length of a messageon its own. Therefore, we require of any implementation that the length of the output only dependson the length of the input. More formally, we say that a function f is length-regular, if for all x, y wehave that |x| = |y| implies |f(x)| = |f(y)|. An algorithm A is length-regular if the function that A islength-regular, and a set A1 dots,An of algorithms is length-regular if every algorithm Ai, i ∈ [1, n], islength-regular.

Lemma 1. For every well-formed atomic P , there exists a family I of SMPC ideal functionalities suchthat if P is π-robustly computationally safe using A and A is length-regular, then P is SMPC-robustlycomputationally safe using A, I.

For brevity, we postpone the full proof to the appendix (see Appendix B) and only give a proof sketchat this point.

Proof sketch. We show that there is a ppt simulator SSim that we can plug in between Execπ and theadversary. Such that for any process well-formed process P , for any adversary Adv the interaction withthe execution ExecπP,A together with SSim is indistinguishable from the interaction with the executionExecsmpc

P,A,I (using the ideal functionality I) (see Figure 6). This simulator SSim simply forwards themessages as long as the messages do not belong to the interaction with an SMPC occurrence, i.e., aslong as no subprocess SMPC(sidc, in,F) (for some sidc, in, and F) is scheduled by the adversary. Forall messages in an interaction of an SMPC occurrence, SSim basically lets ExecπP,A behave like FF . Inparticular, SSim schedules the same reduction strategy S as FF (see Section 4.2.1). Moreover, in orderto output the same leakage as I the scheduling simulator SSim needs to be able to compute the lengthof a message given the appropriate term. As all implementation algorithms are length-regular and thelength of nonces is fixed, the scheduling simulator can efficiently compute the length of a message giventhe corresponding term.

19

We show that the two interactions, between ExecπP,A, SSim and Adv and between ExecsmpcP.A,I and

Adv, are indistinguishable for any Adv. Consequently, the statement follows.

As a next step, we show that if a protocol ρ UC realizes our ideal functionality I, then, ρ is a soundimplementation of SMPC as well.

Lemma 2. Let ρ and I be two family of SMPC protocols and ideal functionalities such that ρ UC-realizesI (i.e., ρsid,F,c ∈ ρ iff Isid,F,c ∈ I and ρsid,F,c UC realizes Isid,F,c). For every well-formed atomic P , ifP is π-robustly computationally safe using A, I then P is SMPC-robustly computationally safe using A,ρ.

For brevity, we postpone the full proof to the appendix (see Appendix C) and only give a proof sketchat this point.

Proof sketch. We assumed ρ UC to realizes I; consequently, there is for any ppt adversary a ppt simulatorsuch that for all environments the interaction between ρ and the adversary is indistinguishable from theinteraction between I and the simulator. We only consider a dummy adversary that basically executesthe commands of the environment. Moreover, for our setting, we instantiate the environments as (theemulation of) a pair of machines: the execution SMPC and a ppt machine that constitutes the adversaryagainst SMPC, called hereafter the distinguisher.

In Figure 7, P denotes the protocol, i.e., either ρ or F , respectively, Adv denotes the adversary, i.e.,the ppt adversary Adv from the real setting or the simulator Sim, respectively. Moreover, the figuresshow the following connections (for a session r):• e denotes the connections between the environment output ports !outei,r and incoming ports of the

environment ?outei,r and the environment input port !inei and outgoing ports ?inei,r of the protocol(for any i ∈ [1, |in|),

• a denotes the connections between the adversary output ports !outai,r and incoming port ?outai,r ofthe adversary and the adversary input ?inai,r and outgoing ports !inai,r of the adversary,

• ea denotes the connections between the output ports of the distinguisher A and input ports of theadversary for the distinguisher and the distinguisher A for the adversary, respectively, and finally

• ea’ denotes the connections between the output ports of the execution and input ports of theadversary for the execution and the execution for the adversary, respectively.

In the setting depicted in Figure 7, the UC protocol P directly communicates with the adversaryAdv. The distinguisher can only communicate via the dummy adversary with the execution. The dummyadversary, forwards all messages of the form (i, s,m), where i ∈ [1, n] to the i party of the protocol sessions; all other message are redirected to the execution. By assumption, the indistinguishability of the twointeractions holds, i.e., between ρ and the dummy adversary and I and the simulator for the dummyadversary.

As a next step, we transform the setting such that we are in the final setting. We modify the dummyadversary such that it redirects all messages to the execution (see Figure 8). We can show that in thissetting the two interactions are indistinguishable as well i.e., the interaction between ρ and the dummyadversary and I and between the simulator for the dummy adversary. Consequently, the statementfollows.

It remains to show that there is are protocol that UC-realizes the ideal functionalities Isid,F,c. In [28]a general construction is given for realizing any ideal functionality, which satisfies a particular well-formedness condition. Unfortunately, it turns out that their proof has a flaw. The problem with theconstruction is, basically, that their construction transforms any ideal functionality into a circuit, andall parties jointly compute this circuit. However, as they consider an attacker that controls the network,any potentially realizable ideal functionality has to hand the message delivery over to the ideal attacker.In particular the ideal functionality expects some message from the attacker for the message delivery. Inthe circuit that they construct, however, they close all input ports from the attacker. Hence, the circuit,which expects an order from the attacker for the message delivery, will not output anything. Therefore, asthe ideal setting sends an output but he the realization does not, an environment can simply distinguishthe two settings. We propose a simple fix: A well-formed ideal functionality, additionally, does notexpect any message from the adversary. And we construct a wrapping machine W(τ) that for a givenwell-formed ideal functionality τ and executes τ , leak the message lengths of the inputs, and sends the

20

A Exec P

Adv

ea�

eaa

eea�

eaA Adv Execa a

eP

Figure 7: The instantiation Figure 8: The transformed setup

outputs upon a command from the ideal functionality. Then, we can apply the construction of [28] onthe ideal functionality τ , yielding a protocol ρτ , and prove, along the lines of [28], that there is for anywell-formed ideal functionality τ a protocol ρτ such that ρ UC realizes W(τ).

Our ideal functionality Isid,F,c constitutes such an ideal functionalityW(τ), where τ is the submachinethat executes F and stores the state of F . With these modifications, we are able to apply the resultpresented in [28].

Lemma 3. [28] Assume that enhanced trapdoor permutations exists. Then, for all Isid,F,c there existsa non-trivial protocol in the CRS-model that UC realizes Isid,F,c in the presence of malicious, staticadversaries.

We stress that Lemma 2, and therefore also Theorem 1, holds for any secure multi-party computation(SMPC) protocols that UC realizes our ideal functionality I. Other SMPC protocols might be attractivefor efficiency reasons. However, other SMPC protocols might not realize the ideal functionality for anycorruption scenario. Hence, they impose additional protocol constraints in that they require that for alloccurrences SMPC(adv , sidc, in,F) only certain subsets of {in1, . . . , inn} are free.

As a next step, we show that computational soundness for atomic processes already suffices forguaranteeing computational soundness for the large class of well-formed processes.

Lemma 4. Let (D,P) be a well-formed symbolic model. Assume there is an implementation A, ρ suchthat for all atomic processes P ∈ P the robust safety of P implies the SMPC-robust computational safetyof P using A, ρ. Then also for all well-formed P ∈ P the robust safety of P implies the SMPC-robustcomputational safety of P using A, ρ.

Proof. We prove the lemma by contradiction. First we assume that the initial process P is robustly safebut there is a set A of sequences of assertion tuples such that Pr[a′ ∈ A : a′ ← Assertionssmpc

P,A,τ,p,Adv)] isnon-negligible and for all a ∈ A there is an assertion tuple t := ((F1, . . . .Fn), F, η, µ,Q) in a such thatF1, . . . .Fn 6|=η,µ,A F . Let for each such t (i.e., assertion tuple) Rt be a corresponding reduction sequencefrom the initial process P to the process Q with the variable and name mappings η and µ.

In the applied π-calculus, we apply the reduction sequence Rt to the initial process P resulting in thesame process Q (up to the renaming σ of the variables that has been performed by the computationalexecution).Claim 1: Rt is a valid reduction sequence.

This claim follows from the computational soundness of atomic processes and by the subprocesscloseness of P by induction over the reduction sequence.

As P is robustly safe, we know that there is a proof tree T for the statement F |=s F over symbolicterms (see Definition 8). Let T ′ be the proof tree after replacing each occurrence of `s by `η,µ,A andeach variable x that is free in the conclusion of the root of T by σ(x) (recall that σ is the renamingperformed by the computational execution). We define a proof tree T based on T by applying thefollowing replacements to T

{`s`η,µA

}from the root to the leafs and by considering the fixpoint of this

replacement:14

14We stress that this fixpoint exists because we have a tree structure. However, this fixpoint can be an infinite prooftree.

21

(a) Replace

T

Γ, C{x′

x

}`η′,µ′,A B

Γ,∀x.C `η′,µ′,A Bby

∀b ∈ {0, 1}∗ :T

{η′ ∪ {x′ := b}

η′

}

Γ, C{x′

x

}`η′∪{x′:=b},µ′,A B

Γ,∀x.C `η′,µ′,A B,

(b) replace

T

Γ `η′,µ′,A C{x′

x

}, A

Γ `η′,µ′,ulA ∀x.C,Aby

∀b ∈ {0, 1}∗ :T

{η′ ∪ {x′ := b}

η′

}

Γ `η′∪{x′:=b},µ′,A C{x′

x

}, A

Γ `η′,µ′,A ∀x.C,A,

(c) replaced(eval(v1), . . . , eval(vn)) = eval(v)

`η′,µ′,ulA Red(d#(v1, . . . , vn), v)

byAd(cevalη′,µ′ v1, . . . , cevalη′,µ′ vn) = cevalη′,µ′ v

`η′,µ′,A Red(d#(v1, . . . , vn), v), and finally

We claim that this (possibly infinite) tree T constitutes a proof tree for {F1, . . . , Fn} |=η,µ,A F . Assumethat there is a deduction step s that does not constitute a valid deduction step. As a tree is noetherian, weperform a noetherian induction over the proof tree. In the induction proof, we distinguish the followingcases:

(i) (s is a ∀-rule) By induction T{ba

}, is a proof tree and by construction s is valid.

(ii) (s 6= Ad(cevalη′,µ′ v1, . . . , cevalη′,µ′ vn) = cevalη′,µ′ v

`η′,µ′,A Red(d#(v1, . . . , vn), v)and s is not a ∀-rule) In this case, there is a

already in T a corresponding step s′ that is invalid, which is a contradiction to the assumption thatT is a valid proof tree.

(iii) (s =Ad(cevalη′,µ′ v1, . . . , cevalη′,µ′ vn) = cevalη′,µ′ v

`η,µ,A Red(d#(v1, . . . , vn), v)) As all formulas are well-formed, each quan-

tified variable in F are guarded. We say that a guard p(x) is necessary in F for F if and onlyif F |=s p(x), F |=s F , and for all F ′ such that F ′ 6|=s p(x), we have F ′ 6|=s F . As F |=s F weknow that there is for each quantified variable x with a necessary guard p(x) an active assumptionassume Fj such that Fj |=s p(x).

We construct a process P out of the process P that is robust safe but not robust computationallysafe. We introduce in P the restricted channel names cv, cv1 , . . . , cvn . As all formulas in the initialprocess P are well-formed, there is for each quantified vi an assumption assume Fj in Q thatcontains a predicate p that has vi as an argument, i.e., p(. . . , vi, . . . ). This assumption assume Fjalso exists in the initial process P . Replace in P this assume Fj with cvi〈vi〉 (analogously, for v).Then, we replace assert F with the following process:

cv(v).cv1(v1). . . . .cvn(vn).if d(v1, . . . , vm) = v then 0 else assert false

Then, we erase all other assert and assume statements, i.e., replace them with 0. We observe thatthe resulting process νc. P , where c denotes all freshly introduced channels, is robustly safe as weassumed that P is robustly safe. By assumption, however, P is not SMPC-robustly computationallysafe, which is a contradiction to the computational soundness of atomic processes.

We finally state our main computational soundness result. We apply a result of [28] for UC-realizablemulti-party computation protocols for virtually all ideal functionalities. This result only holds understandard cryptographic assumptions. First, we assume that for each session all parties share a commonlyknown random bitstring, called the common reference string (CRS). Such a setup is called the CRS-model.

22

Second, we assume that enhanced trapdoor permutations exist, which roughly are permutations that areeasy to compute and hard to invert unless a secret trapdoor is known. Moreover, as also required inother computational soundness results [15, 8], we require all implementations A to be length-regular(see Appendix B), i.e., the length of the output is easily computable by the length of the input (seeAppendix B).

Theorem 1 (Computational soundness of symbolic SMPC). Let (D,P) be computationally sound, well-formed model using A, where A is length-regular. If enhanced trapdoor permutations exist, then there isa family ρ of SMPC implementations in the CRS-model such that for each well-formed P ∈ P, the robustsafety of P implies the SMPC-robust computational safety of P using A, ρ.

Proof. The proof consists of four steps. Let atomic proceses be processes that only contain assertions ofthe form assert false and do not contain assumption. We show in Lemma 1 that for each atomic processP the π-robust computational safety using A implies SMPC-robust computational safety using A and I.In Lemma 2, we show for any two UC protocols τ and ρ such that τ UC-realizes τ ′ the SMPC-robustcomputational safety of P using A and τ ′ implies SMPC-robust computational safety using A and τ . Ifenhanced trapdoor permutations exist, we know by Lemma 3 that there is a protocol ρ that UC-realizesI in the CRS-model; hence, by applying Lemma 2 to ρ and I we obtain SMPC-robust computationalsafety using A and ρ for all atomic processes P . In Lemma 4 we show for each class of protocols P if therobust safety of each atomic P ∈ calP implies the SMPC-robust computational safety of P using A andρ, then the robust safety of each well-formed P ∈ P also implies the SMPC-robust computational safetyof P using A and ρ.

4.4.2 A computationally sound symbolic model with arithmetic operations

We show that our computational soundness result applies to a large class of protocols by proving thecomputational soundness of a symbolic model with public-key encryption, signatures, and arithmetics15,including our case study with the sugar-beet double auction.We recall that numbers are modelled assymbolic bitstrings and arithmetic operations as destructors on these bitstrings. In this way, we enforcea strict separation between numbers and cryptographic terms, such as signatures and keys. Thus, itis not possible to apply an arithmetic operation on nonces, signatures, or encrypted messages. Due tothis separation, the impossibility result for computational soundness of XOR [11] does not apply. Asin [8], we impose some standard conditions on protocols to ensure that all encryptions and signatures areproduced using fresh randomness and that secret keys are not sent around. A protocol satisfying theseconditions is called key-safe. We denote the resulting symbolic model as (DESA,PESA).

The computational soundness proof for (DESA,PESA) follows almost exactly the lines of the symbolicmodel for key-safe protocols in the work of Backes, Hofheinz, and Unruh [8]. Therefore, we postponedthe proof to the appendix (Appendix D).

Theorem 2 (Computational soundness of (DESA,PESA)). If enhanced trapdoor permutations exist, thereis an length-regular implementation A such that (DESA,PESA) is a computationally sound, well-formedmodel.

As a corollary of Theorem 1 and Theorem 2, we get the computational soundness of protocols us-ing SMPC, public-key encryption, signatures, and arithmetics, with such non-interactive cryptographicprimitives possibly used within both SMPC and the surrounding protocol.

Corollary 1 (SMPC computational soundness with (DESA,PESA)). There is an implementation A anda family of UC-protocols τ such that for each well-formed P ∈ PESA, the robust safety of P implies theSMPC-robust computational safety of P using A and τ .

5 Conclusion

We have presented an abstraction of SMPC in the applied π-calculus. We have shown that the securityof protocols based on this abstraction can be automatically verified using a type system, and we haveestablished computational soundness results for this abstraction including SMPC that involve arbirtrary

15This result extends prior work [8] in the CoSP framework to arithmetics and first-order logic formulas.

23

arithmetic operations. This is the first work to tackle the abstraction, verification, and computationalsoundness of protocols based on an interactive cryptographic primitive.

Our framework allows for the verification of protocols incorporating SMPC as a building block. Inparticular, the type-checker ensures that the inputs provided by the participants to the SMPC are well-formed and, after verifying the correctness of SMPC, the type-checker obtains a characterization of theoutputs (e.g., in the Millionaires problem, the output is the identity of the participant providing thegreatest input) that can be used to establish global properties of the overall protocol. Our framework isgeneral and covers SMPC based on arithmetic operations as well as on cryptographic primitives.

This work focuses on trace properties, which include authenticity, integrity, authorization policies, andweak secrecy (i.e., the attacker cannot compute a certain value)16. As a future work, we plan to extendour framework to observational equivalence relations, possibly building on recent results for a fragmentof the applied π-calculus [30]. It would be interesting to formulate and verify an indistinguishability-based secrecy property for SMPC. This task is particularly challenging since the result of an SMPCtypically reveals some information about the secret inputs and standard secrecy definitions based onobservational equivalence are thus too restrictive. An additional problem is the computational soundnessof observational equivalence for processes with private channels, which are excluded in [30] but are neededin our abstraction and, arguably, in any reasonable SMPC abstraction.

5.1 Future work

Generalizing computational soundness for interactive primitives for arbitrary calculi

We proved our abstraction computationally sound with respect to the applied π calculus. The CoSPframework (see Appendix D) of Backes, Hofheinz, and Unruh [8] provides a general model for provingnon-interactive primitives to be a computationally sound abstraction with respect to a large class ofcalculi (including the applied π calculus or RCF[19]). An interesting direction for future research is theextension of the CoSP framework to interactive primitives.

Characterizing arithmetic functions with a computationally sound implementation

Showing computationally soundness for arithmetic functions is known to be troublesome and even im-possible for group operations in most Dolev-Yao models, as shown by Backes and Pfitzmann [11].17

However, for many applications, such as auction protocols or voting schemes, arithmetic functions areunavoidable; hence, it would be interesting to characterize the class of arithmetic functions that areDolev-Yao abstractable in a computationally sound way.

Computational soundness for arbitrary functionalities

Although it is possible to model virtually any interactive primitive with our abstraction, such as zero-knowledge proof systems, the resulting implementation is not allowed to leak more than the messagelength and would therefore be far more inefficient than, e.g., a usual zero-knowledge proof system. Morespecifically, our abstraction does not allow functionalities in which the ideal adversary sends or receivesmessages directly to or from the functionality.

Many efficient protocols are realizations of functionalities that have more leakage than only themessage length or allow the adversary to have more influence than merely to decide which messagesare delivered. With our proof method it is possible to show computational soundness for protocols thatemulate these functionalities as well, assuming there is a protocol that UC realizes such a functionality.We believe that is suffices to incorporate the additional leakage and the additional influence capabilitiesof the adversary into SMPC (see Figure 1) and the general ideal functionality (see Construction 1) andto adjust the scheduling simulator (see Appendix B) to the modified process SMPC. We believe that,then, it is possible to show that the modification of SMPC is a computationally sound abstraction ofsuch a more efficient protocol.

16To symbolically model weak secrecy, one can add the process c(x).if x=n then assert false (where c is a public channel)to check the secrecy of n: The protocol is robustly safe only if the attacker does not learn n.

17Actually, only the impossibility result for XOR has been shown, yet the same reasoning applies to any group operation.

24

Special-purpose implementations

Our result considers at the moment a general secure multi-party computation (SMPC). For generality, wedisallow assumptions and assertions to be placed inside the SMPC abstraction. An implementation, how-ever, that is tailored to our computational execution Execsmpc would allow for placing assumptions andassertions inside our SMPC abstraction while staying computationally sound. Such an implementationwould extend the verification possibilities.

Acknowledgements. We thank Dominique Unruh for numerous insightful discussions about simulationbased security and computational soundness. Moreover, we thank Fabienne Eigner and Kim Pecina fortheir intensive support on the case study. We are also grateful for the helpful comments of the anonymousreviewers.

25

Appendix

A Postponed definitions

A.1 The syntax and semantics of the applied π-calculus

M,N ::= terms

x, y, z variables

a, b, c names

f(M1, . . . ,Mn) constructor application

D ::= destructor term

M terms

d(M1, . . . ,Mn) destructor application

P,Q ::= processes

M〈N〉.P output

M(x).P input

0 nil

P | Q parallel composition

!P replication

νa.P restriction

let x = D let

in P else Q

assume F assumption

assert F assertion

P | 0 ≡ P P ≡ P P | Q ≡ Q | P (P | Q) | R ≡ P | (Q | R)

P ≡ Q Q ≡ RP ≡ R νa.νb.P ≡ νb.νa.P

P ≡ QP | R ≡ Q | R

a /∈ fn(P )

νa.(P | Q) ≡ P | νa.Q

P ≡ Qνa.P ≡ νa.Q

N ≈ N ′

N〈M〉.Q | N ′(x).P → Q | P{M/x}d(M) = N 6= ⊥

let x = d(M) in P else Q→ P{N/x}

d(M) = ⊥let x = d(M) in P else Q→ Q let x = N in P else Q→ P{N/x} !P → P | !P

P → Q

P | R→ Q | R νa.P → νa.Q

P ′ ≡ P P → Q Q ≡ Q′

P ′ → Q′

P → Q

P | R→ Q | R νa.P → νa.Q

P ′ ≡ P P → Q Q ≡ Q′

P ′ → Q′

26

B From the π-execution to the SMPC-execution

In this section, we present the proof of Lemma 1.

Lemma 1.For every well-formed P , there exists a family I of SMPC ideal functionalities such that if Pis π-robustly computationally safe using A, then P is SMPC-robustly computationally safe using A, I.

Let an occurrence of a subprocess SMPC(adv , sidc, in,F) in a process P be called an SMPC session.Recall that the SMPC execution Execsmpc for every SMPC session SMPC(adv , sidc, in,F) does notreduce the subprocess SMPC(adv , sidc, in,F) itself but interacts with a UC protocol, which we call theimplementation of SMPC. The lemma states that there is a family of ideal functionalities in interactionsuch that for all well-formed processes P all valid assertions in the computational execution Execπ

with an implementation A also hold in the computational execution Execsmpc with an implementationA and I (as an implementation of SMPC). The family of ideal functionalities I is constructed inConstruction 1.

The proof compares the computational execution Execπ with the computational execution Execsmpc

that uses the ideal functionality I as the implementation of SMPC. More precisely, let k be the securityparameter and p be an arbitrary polynomial; we show that there is a polynomially bounded function land a machine SSim, called the scheduling simulator, such that for all well-formed processes P , all im-plementations A, and all adversaries Adv we have that the distribution AssertionsπP,A,(p+l),〈SSim,Adv〉(k)is statistically indistinguishable from the distribution Assertionssmpc

P,A,I,p,Adv(k) for all k.

B.1 The construction of the scheduling simulator

The scheduling simulator SSim basically schedules the reduction steps that correspond to the action ofI. SSim simulates against an adversary Adv the execution Execsmpc while interacting withExecπ. Westress that SSim does not have additional capabilities compared to a usual adversary against Execπ.

As SSim does not know the bitstring η(sid) corresponding to the symbolic session identifier sidfrom the beginning of the execution, SSim internally assigns an identifier γ to every SMPC occurrenceSMPC(adv , sidc, in,F) and tags in an internal copy of the current process SMPC(adv , sidc, in,F) (andlater on 0r,in,F ) with γ, denoted as SMPC(adv , sidc, in,F)γ and 0r,in,F as 0r,in,F,γ .18

There is a discrepancy between the process that is executed by Execπ and the process that theadversary expects from the simulation of Execsmpc: In Execsmpc every SMPC session is replaced by0r,in,F after initialization; in Execπ, on the other hand, every SMPC session is treated as a regularsubprocess. Therefore, for each SMPC(adv , sidc, in,F) occurrence γ, the scheduling simulator storesthe state of this occurrence in a process smpc state(γ). Moreover, SSim stores the current processfor the adversary as P and keeps track of the modifications as follows. SSim translates the evaluationcontext from the adversary by replacing every SMPC(adv , sidc, in,F)γ (or 0r,in,F,γ , respectively) bysmpc state(γ). Thereafter, SSim uses the translated evaluation context E to address the subprocessto be reduced in the execution Execπ and sends appropriate evaluation contexts until the process inExecπ is a desired state. At this point SSim updates P such that it corresponds to a reduction step inthe execution Execsmpc.

The process smpc state(γ) consists of a subprocess compute state(γ) for the current state of Fand a context smpc frame(γ)[•], i.e.,

smpc state(γ) := smpc frame(γ)[compute state(γ)].

smpc frame(γ)[•] can be characterized by the state of every party. Therefore, SSim maintains a functionstateπ with which SSim keeps track of the state stateπ(γ, i) of a party i in an SMPC session γ. InDefinition 14, we formally define the context smpc frame(γ)[•].

There is a yet another gap between I and SMPC: The ideal functionality I expects an explicit com-mand (i, s, deliver) for outputting the result; on the other hand, the process SMPC(adv , sidc, in,F)expects an appropriate sequence of evaluation contexts. Moreover, we need to maintain two partial map-pings sessionid and µ. sessionid(γ) is in the course of the execution assigned the real session identifier assoon as the upon receiving the first accepted input, the real session identifier is leaked to the adversary.

18Similar to the computational execution, SSim does not send 0r,in,F,γ to the adversary but only 0.

27

This mapping is used to later on check, whether the adversary addresses the commands to the correctsession. µ stores the all channel bitstrings that the execution Execπ sends to the adversary, such as thebitstrings for the private channels of the corrupted parties.

In some cases, SSim checks whether for a given term c there is an i such that cevalη,µ ini = cevalη,µ c.Although SSim does not know η and µ, the simulator can efficiently perform this check as it knows allintermediate processes and, hence, all reduction steps.

Characterizing the state of an SMPC session. For the construction of SSim we need to characterizethe different states of the distinguished process SMPC(adv , sidc, in,F). This is done by a context, calledsmpc frame(γ)[•], that is defined in Definition 14. In our abstraction, every party of a secure multi-party computation can be in the following states: init, input, compute, and deliver. In the stateinit, the entire session is not initialized yet; in the state input, the party expects an input; in the statecompute, the party is ready to start the main computation; and, in the state deliver, the party is readyto deliver a message. These states are stored in a mapping stateπ (which is maintained by SSim) suchthat stateπ(γ, i) is the state of party i in the session γ.

Definition 14 (smpc frame). Let a mapping stateπ from internal session identifiers and party identi-fiers to states given. We assign a process to each state stateπ(γ, i). Let α := (stateπ, γ, (adv, sidc, in,F)).

stateπ(γ, i) = input : inpi(α) 4= ini(xi, sid′).adv〈sid′〉.if sid = sid′ then lini〈xi〉else inloopi〈sync()〉 | inputi

stateπ(γ, i) = compute : inpi(α) 4= lin1〈xi〉 | inputistateπ(γ, i) ∈ {deliver, init} : inpi(α) 4= inputi

We define the context initp(α) as initp(α)[•] 4= sidc(sid).νlin. νinloop.(•) if for all i ∈ [1, |in|]stateπ(γ, i) = init and initp(α)[•] 4= • otherwise.

We define the context smpc frame(γ)[α] as follows.

smpc frame(α)[•] 4= initp(α)[inp1(α) | . . . | inpn(α) | •

]

In the construction of SSim, stateπ and (adv, sidc, in,F) are mostly clear from the context; moreprecisely, in the construction stateπ is globally defined and for every γ there is only one tuple(adv, sidc, in,F). Hence, if there is no ambiguity we also write smpc frame(γ)[•] for smpc frame(α)[•].

The scheduling simulator keeps track of subprocesses Q in a process P ; this is done via a context Esuch that E[Q] = P . As the process P might be reduced, we need for every reduction step of the processan appropriate reduction step of the context E.

Definition 15 (Reduction of a context). Let P be a process, Q be a subprocess, and E be the evaluationcontext such that E[Q] = P . We say that P is reduced to P ′ if there is a subprocess R of P and acorresponding evaluation context L such that L[R] = P and there is a process R′ such that P ′ = L[R′].We say that the evaluation context E is reduced to E′ according to the reduction from P to P ′ if thereis a context L′ with two distinct holes such that L′[R][Q] = P , L′[R][•] = E[•], and L′[•][Q] = L[•] andL′[R′][Q] = P ′ and L′[R′][•] = E′[•].

Construction of SSim. Before we present the actual construction of the scheduling simulator, weintroduce some notation for convenience. Throughout this section we use n for the amount of parties inan SMPC occurrence, i.e., for an occurrence SMPC(adv , sidc, in,F) we consider n to be |in|.

With abuse of notation, we denote the replacement of every occurrence of 0r,in,F,γ in a process P bysmpc state(γ) as

P

{smpc state(γ)

0r,in,F,γ

}.

Analogously, we write for an evaluation context E for the context in which each occurrence of 0r,in,F,γis replaced by smpc state(γ) as

E

{smpc state(γ)

0r,in,F,γ

}.

28

We use for a context E and a process P the abbreviations E := E{

smpc state(γ)0r,in,F,γ

}, P :=

P{

smpc state(γ)0r,in,F,γ

}, and sidc(sid).SMPC′(adv , in,F) := SMPC(adv , sidc, in,F).

1. Upon receiving the initial process P0, set P := P0. Enumerate every occurrenceSMPC(adv , sidc, in,F) with an internal session identifier γ, and tag this occurrenceSMPC(adv , sidc, in,F) in P with γ. Let initially for each γ compute state(γ) := F ,delivery(γ, i) := false, let sessionid(γ) be completely undefined, and let stateπ(γ, i) := init for alli ∈ [1, n]. For any γ let corrupt(γ, i) := true, if the corresponding ini in SMPC(adv , sidc, in,F)is free; otherwise let corrupt(γ, i) := false.

Forward all bitstrings that are initially sent by the execution Execπ to the adversary. In additionstore all channel names in the partial mapping µ.

Then proceed as in 2.

2. Main loop: Let P be the last process that has been sent by the execution Execπ. Check whetherP = P . If the check fails, stop the entire simulation. Otherwise, construct the erasure of P , i.e.,remove in P the tag γ from each SMPC(adv , sidc, in,F) and remove the tag (r, in,F , γ) fromeach 0r,in,F,γ . Send the erasure of P to the adversary Adv. Then, expect an evaluation context E.We distinguish the following cases for E.

(a) E schedules the initialization• Evaluation context: P = E[SMPC′(adv , in,F)γ ]• State check: Check whether stateπ(γ, i) := init for all i ∈ [1, n].

Schedule appropriate reduction steps until the current process in Execπ is

E[smpc frame(state ′π, γ, α)[compute state(γ)]],

where α := (adv, sidc, in,F) and state ′π(γ, i) := input for all i ∈ [1, n] and state ′π coincideswith stateπ on all other arguments.19

Set P := E[0r,in,F,γ ], stateπ(γ, i) := input for all i ∈ [1, n].

(b) E schedules an input to a corrupted party i.• Evaluation context: P = E[0r,in,F,γ ]• State check: Request a bitstring m from the adversary. Check whether m =

(c, s, input,m′) and stateπ(γ, i) = input.Schedule appropriate reduction steps until the current process in Execπ is

E[smpc frame(state ′π, γ, α)[compute state(γ)]],

where α := (adv, sidc, in,F) and state ′π(γ, i) := compute and state ′π coincides with stateπ onall other arguments. In the first reduction step, the execution Execπ requests a message andthe bitstring for the channel ini. Upon such a request of the execution, send (c, (m′, s)) inresponse. If the execution does not accept the channel name c, i.e., if c 6= µ(ini), we scheduleappropriate reduction steps until the current process of Execπ is again

E[smpc frame(stateπ, γ, α)[compute state(γ)]].

Moreover, in that case we leave P and stateπ(γ, i) unchanged.If the execution accepts the channel name c, we proceed and check in case µ(ini) is definedwhether c = µ(ini); if µ(ini) is not defined set µ(ini) := c. If the check fails, abort the entiresimulation. Set channel(γ, i) := c. Execπ requests in a later step the bitstring µ(adv) for thechannel adv. Upon such a request, send cadv and expect a bitstring s′ in response. Forward(s′, |m′|, i) to the adversary and store the session identifier s′ that is sent to the adversaryupon an accepted input, i.e., set sessionid(γ) := s′. Reduce for all j 6= i for which context(γ, i)is defined context(γ, j) according to the reduction steps that have just been scheduled.Set stateπ(γ, i) := compute, and let P remain unchanged.

19Recall that we have at this point compute state(γ) = F [deliver1 | . . . | delivern], as the session has just beeninitialized.

29

(c) E schedules an input to an honest party i.

• Evaluation context: P = E[c〈x, s〉.Q][0r,in,F,γ ]• State check: Check whether there is an i ∈ [1, n] such that cevalη,µ c = cevalη,µ ini,stateπ(γ, i) = input, and delivery(γ, i) = false.

Let Q′ := Q{

smpc state(γ′)0r,in,F,γ

}. Schedule appropriate reduction steps until the current process

of Execπ is

E[smpc frame(state ′π, γ, α)[compute state(γ)]],

where α := (adv, sidc, in,F) and state ′π(γ, i) := compute and state ′π coincides with stateπ onall other arguments.Execπ requests in a later step the bitstring µ(adv) for the channel adv. Upon such a request,send cadv and expect a bitstring s′ in response. Recall that all implementations are length-regular; as we know the length of the nonces, we can compute the message length of anymessage. Let xi be the input term for party i. We compute the length of the bitstringη(xi) corresponding to the input of party i. Then, we send (s′, l, i) to the adversary andstore the session identifier s′ that is sent to the adversary upon an accepted input, i.e., setsessionid(γ) := s′. Reduce for all j 6= i for which context(γ, i) is defined context(γ, j) accordingto the reduction steps that have just been scheduled.Set stateπ(γ, i) := compute, and P := E[Q][0r,in,F,γ ].

(d) Start the main computation upon the first delivery command for a party i.

• Evaluation context: P = E[0r,in,F,γ ]• State check: Request a bitstringm from the adversary. Check whether s = sessionid(γ)

and stateπ(γ, i) = compute for all i ∈ [1, n]. Moreover, check whether (i) m =(i, s, deliver) or (ii) m = (c, s, deliver). In case (ii), check furthermore whether thereis an i ∈ [1, n] such that c = µ(ini).

Simulate the execution Execπ on the process

Q := compute state(γ) | lin1〈x1〉 | . . . | linn〈xn〉︸ ︷︷ ︸=:Qlin

| in1(y′1, sid) | . . . | inn(y′n, sid)︸ ︷︷ ︸=:Qin

against the fixed and efficiently computable reduction strategy S that is used by FF (seeSection 4.2.1) as follows:– (an input is read) For every context E[•1][•2] = E′[•1] | E′′[•2] | Qin that is sent by S such

that E′′[P ′][lini〈xi〉] = Qlin for some P ′, send

E′′′[•1][•2] := E[inp1(α) | . . . | inpi−1(α) | •2| inputi | inpi+1(α) | . . . | inpn(α) | E′[•1]]

to the execution Execπ, where α := (stateπ, γ, (adv, sidc, in,F)) and inpj(α) is defined asin Definition 14. Receive an updated process P ′ =: E[smpc frame(γ)[compute state(γ)]]from the execution. If P ′ is unmodified (i.e., P ′ = E′′′[P ′][lini〈xi〉]]), sendcompute state(γ) | Qlin | Qin as a response to E to the reduction strategy S. Other-wise if P ′ = E′′′[P ′′][0]], send E′[P ′′] | E′′[0] | Qin as a response to E to the reductionstrategy S. Update Qlin := E′′[0] and reduce for all i for which context(γ, i) is defined thecontext context(γ, i) according to the reduction of compute state(γ) (see Definition 15).In all other cases, abort the entire simulation of SSim.

– (a step inside F is performed) For every context E[•] = E′[•] | Qlin | Qin thatis sent by S, send E[smpc frame(γ)[E[•]]] to the execution. Receive the updatedprocess P ′ =: E[smpc frame(γ)[compute state(γ)]] from the execution and sendcompute state(γ) | Qlin | Qin as a response to E to the reduction strategy S. Reduce forall i for which context(γ, i) is defined the context context(γ, i) according to the reduction ofcompute state(γ) (see Definition 15). Do the same for an evaluation context E with twodistinct holes, i.e., for E[•1][•2] = E′[•1][•2] | Qlin | Qin.

30

– (an output is sent) For every context E[•1][•2] = E′[•1] | Qlin | E′′[•2] that is sent by S suchthat E′′[ini(xi)] = Qin and compute state(γ) = E′[deliveri], store context(γ, i) := E′[•].Send E′[0] |Qlin | E′′[0] as a response to E to the reduction strategy S. Update Qin := E′′[0]and reduce for all i for which context(γ, i) is defined the context context(γ, i) according tothe reduction of compute state(γ) (see Definition 15).

Let P ′′ be the last process that has been sent by Execπ. Set stateπ(γ, i) := deliver forall i ∈ [1, n]. Update compute state(γ), i.e., set E[smpc frame(γ)[compute state(γ)]] :=P ′′. Let P remain unchanged.Thereafter, proceed as in the case of a delivery command for corrupted parties (case 2e).

(e) The delivery command for a party i is sent.

• Evaluation context: P = E[0r,in,F,γ ]• State check: Request a bitstring m from the adversary. Check whether s =

sessionid(γ), and stateπ(γ, i) = deliver and either (i) m = (i, s, deliver) or (ii)m = (c, s, deliver). In case (ii) additionally check whether there is an i ∈ [1, n] suchthat µ(ini) = c.

In case (i), set delivery(γ, i) := true, stateπ(γ, i) = input, and let P remain unchanged.In case (ii), schedule appropriate reduction steps until the current process of Execπ is

E[smpc frame(state ′π, γ, α)[context(γ, i)[0]]],

where α := (adv, sidc, in,F) and state ′π(γ, i) := input and state ′π(γ′, j) := stateπ(γ′, j) for all(γ′, j) 6= (γ, i).Upon a request from the execution Execπ for a bitstring, send µ(ini) to Execπ. Ex-pect a pair (m′, s′) and forward (m′, i) to the adversary. Reduce for all j 6= i forwhich context(γ, i) is defined context(γ, j) according to the reduction steps induced byE[smpc frame(γ)[context(γ, i)[•]]].Let P ′ be the last process that has been sent by Execπ. Set E[smpc state(γ)] := P ′. Let Premain unchanged. Set stateπ(γ, i) := input.

(f) The output of party i is delivered to an honest party.

• Evaluation context: P = E[c(x).Q][0r,in,F,γ ]• State check: Check whether there is an i such that cevalη,µ c = cevalη,µ outi. Check

whether stateπ(γ, i) = input, delivery(γ, i) = true.

Let Q′ := Q{

smpc state(γ′)0r,in,F,γ

}. In case (ii), schedule appropriate reduction steps until the

current process of Execπ is

E[Q′][smpc frame(state ′π, γ, α)[context(γ, i)[0]]],

where α := (adv, sidc, in,F) and state ′π(γ, i) := input and state ′π(γ′, j) := stateπ(γ′, j) for all(γ′, j) 6= (γ, i).Reduce for all j 6= i for which context(γ, i) is defined context(γ, j) according to the reductionsteps induced by E[smpc frame(γ)[context(γ, i)[•]]].Let P ′ be the last process that has been sent by Execπ. Set P := E[Q][0r,in,F,γ ] anddelivery(γ, i) := false.

(g) P = E[!Q]: For each bound variable and name in Q, choose fresh variables, or name, from thesame equivalence class, according to the same enumerations as in Execπ, yielding a processQ′. For any SMPC(adv , sidc, in,F) occurrence in Q, assign a fresh internal identifier γ andset for all i ∈ [1, n] stateπ(γ, i) = init, compute state(γ) := F , delivery(γ, i) := false,corrupt(γ, i) := true if ini is free in the initial process P0, and corrupt(γ, i) := false otherwise.Check whether the process in response is equal to E[Q]{smpc state(γ)/0r,in,F,γ}. If the checkfails, abort; otherwise, set P := E[E[Q′ | !Q].

(h) P = E[M(x).Q]: Request two bitstrings (c,m) from the adversary. Send to the execution E.If Execπ requests two bitstrings, we send (c,m). Check whether the process in response isequal to E[Q]{smpc state(γ)/0r,in,F,γ}. If the check fails, abort; otherwise, set P := E[Q].

31

(i) P = E[M〈N〉.Q]: Request a bitstring c from the adversary. Send to the execution E. If theexecution requests a bitstrings send c and expect a bitstring m. Check whether the term Nis actually a channel c. If the check succeeds, set µ(c) := m. Send m to the adversary Adv.Moreover, check whether the process in response is equal to E[Q]{smpc state(γ)/0r,in,F,γ}. Ifthe check fails, abort; otherwise, set P := E[Q].

(j) P = E[νa.Q]: Send to the execution E. and check whether the process in response is equal toE[Q]{smpc state(γ)/0r,in,F,γ}. If the check fails, abort; otherwise, set P := E[Q].

(k) P = E[M1〈N〉.P1][M2(x).P2]: Send to the execution E. and check whether the process inresponse is equal to E[Q]{smpc state(γ)/0r,in,F,γ}. If the check fails, abort; otherwise, setP := E[P1][P2].

(l) P = E[let x = D in P1 else P2]: Send to the execution E and check whether the processin response is equal to E[P ′′]{smpc state(γ)/0r,in,F,γ} with P ′′ ∈ {P1, P2}. If the check fails,abort; otherwise, set P := E[P ′′] with the matching P ′′.

(m) P = E[assert(F ).Q]: Send to the execution E and check whether the process in response isequal to E[Q]{smpc state(γ)/0r,in,F,γ}. If the check fails, abort; otherwise, set P := E[Q].

(n) In all other cases do nothing.

A note on the network model. Recall that every time a party A sends a message to a party B,the machine B is activated. Hence, upon activation by the execution, i.e., when SSim receives a processor a message from Execπ, or by the adversary, i.e., when SSim receives an evaluation context or amessage from Adv, it might happen that SSim first finishes his actions from the previous round and onlythereafter reads the new input from the execution.

B.2 The proof of the soundness of SSim

The proof compares the parts of the internal state of ExecπP,A,〈SSim,Adv〉 with parts of the internal state ofExecsmpc

P,A,I,Adv, which is shown in Lemma 5. The proof proceeds by induction over the evaluation contextsthat Adv has sent. The sequence of internal states that is being compared is defined in Definition 16.

We perform an induction over the internal states of the two settings. However, there are slighttechnical mismatches between the two settings. These mismatches are not essential to the proof and areremoved in Definition 16where we define the two distributions over the (adjusted) internal states. InLemma 5, we show that these two distributions are statistically indistinguishable.

Notation. For an SMPC occurrence smpc state(γ), we need for each i ∈ n the notion of the input andthe output variable of party i. Recall the process inpi from the smpc frame (see Definition 14): inpi =Q|inputi. If there is a subprocess lini〈xi〉 in Q, then xi is called the input variable of smpc state(γ).The output variable of party i in smpc state(γ) is defined via context(γ, i). If context(γ, i) is definedand

smpc frame(γ)[context(γ, i)[deliveri]] = smpc state(γ),

then yi in ini〈yi, sid〉.inloopi〈sync()〉 is called the output variable of party i in smpc state(γ).Let ⊥ be a distinguished error symbol. Moreover, for the sequence of internal states, we enumerate all

SMPC occurrences in ExecsmpcP,A,I,Adv with internal session identifiers γ in the same way as the scheduling

simulator SSim.

Definition 16 (Internal states). Let P be a process. Let Adv be a machine, called the adversary. LetExecsmpc be as in Definition 7, and Execπ be as in Definition 6. The rth round of Execsmpc

P,A,I,Adv isthe rth round of the main loop of Execsmpc. The rth round of ExecπP,A,〈SSim,Adv〉 is the rth round of themain loop of SSim.

• (m′r, n′r,mr, nr) Let m′r be the messages that are sent in ExecπP,A,〈SSim,Adv〉 to the adversary Adv

in the rth round and n′r be the messages that are sent by the adversary Adv in the rth round;analogous with mr and nr for Execsmpc

P,A,I,Adv.

32

• (resultγ,ri , inputγ,ri ) Let inputγ,ri := xi from the ideal functionality Iu,in,F,γ (see Construction 1).20

Analogously, let resultγ,ri := yi from the ideal functionality Iu,in,F,γ . On the other hand, forExecπP,A,〈SSim,Adv〉 let xγ,ri and yγ,ri be the input and output variable, respectively, of party i insmpc state(γ) in round r.

• (compute state) Let compute stateγr be the process that FF would extract from stateF . IfstateF = ∅ set compute stateγ0 := Fγ [0]. On the other hand, let compute state′γr be the processcompute state(γ)

{deliveri

0

}of SSim, i.e., for every i every occurrence of a process deliveri is

replaced by the empty process 0.

• (η′′, µ′′) η′′ and µ′′ are the variable and name mapping of Execπ restricted on all variables andnames, respectively, that are not locally bounded in a subprocess smpc state. η and µ are thevariable and name mapping, respectively, of Execsmpc.

• (ηγ , µγ) Let Iγ denote the session in Execsmpc that belongs to the internal session identifier γ.The variable and name mappings ηγ and µγ are the mappings that FF in Iγ would extract fromstateF . The mappings η′γ and µ′γ are obtained by restricting η′ and µ′ to the variables and names,respectively, in smpc state(γ).

• (state ′π) Let state ′′π be the state mapping of SSim in round r. Then, let state ′π(γ, i) := ⊥ ifstate ′′π(γ, i) = init and state ′π(γ, i) := state ′′π(γ, i) otherwise. On the other hand, in Execsmpc,let Iγ denote the session that belongs to the internal session identifier γ. Let stateπ(γ, ·) be thestate mapping of Iγ . If I has not been initialized yet, set stateπ(γ, i) := ⊥ for all i ∈ [1, n].

Let Γ(r) be the set of all internal session identifiers in round r. Let

((ms, ns), (compute stateγs )γ∈Γ(r), statesπ, (η

s, µs), (inputγ,s)γ∈Γ(r), (resultγ,s)γ∈Γ(r))rs=0

be the sequence of internal states of the execution ExecsmpcP,A,I,Adv up to the rth round. Let

((m′s, n′s), (compute state′γs )γ∈Γ(r), state

′πs, (η′′s, µ′′s), (η′(xγ,s))γ∈Γ(r), (η′(yγ,s))γ∈Γ(r))rs=0

be the sequence of internal states of the execution ExecπP,A,I,〈SSim,Adv〉 up to the rth round.Let TAdvP,r be the distribution of the rth extended prefix of the execution Execsmpc

P,A,I,Adv and, analo-gously, T ′AdvP,r be the distribution for ExecπP,A,〈SSim,Adv〉

For proving Lemma 1, we show that for all security parameters k and for all polynomials p there is apolynomially bounded function l and a machine SSim such that for all well-formed processes P , all im-plementations A, and all adversaries Adv we have that the distribution AssertionsπP,A,(p+l),〈SSim,Adv〉(k)is statistically indistinguishable from the distribution Assertionssmpc

P,A,I,p,Adv(k). For proving the indis-tinguishability of these two distributions over assertion tuples, we show an even stronger property: Weshow that even the distributions over the sequences of internal states of both settings are statisticallyindistinguishable. Lemma 5is shown by an induction over the internal states of the two settings.

Lemma 5. Let TDP,r and T ′DP,r be defined as in Definition 16). Then, for all machines D and for all r ∈ Nthe two distributions TDP,r and T ′DP,r are statistically indistinguishable, i.e., for all (possibly unbounded)interactive machines D, all polynomials p, and all r ∈ N there is a k0 ∈ N such that for all k > k0

∣∣∣∣Pr[b = 1 : b← D(1k, t), t← TDP,r

]− Pr

[b = 1 : b← D(1k, t), t← T ′

DP,r

] ∣∣∣∣ ≤ p(k)

holds true.

Proof. We prove the statement by induction on the round r of Main loop, of either the execution Execsmpc

or the scheduling simulator SSim. More precisely, our induction hypothesis is that the two distributionsTDP,r−1 and T ′DP,r−1 are indistinguishable for any distinguisher D. The processes that are sent to theadversary are indistinguishable as long as all checks on expect in SSim succeed.

20In particular, inputγ,ri := ⊥, if xi is undefined.

33

For r = 0, we only need to compare Start. In Start both Execsmpc and Execπ only send the freenames and the initial process to the adversary. Moreover, the initially the current process is the same inboth settings, and we have for all γ

compute stateγ0 = compute state′γ0 = Fγ [0].

Hence, T0 and T ′0 are indistinguishable.For r > 0, we assume that Tr−1 and T ′r−1 are statistically indistinguishable. Hence, all previously

sent subprocesses are indistinguishable in both settings. As we can see by the construction of SSim,Execsmpc, and Execπ, in all cases the check P = P succeeds. Let P be the process that has been sentto the adversary at the beginning of round r.

We distinguish the following cases for the evaluation context E that is sent by the adversary inresponse to the last process P that has been sent by SSim or Execsmpc, respectively. Recall that stateπis maintained by I as well as by SSim. With abuse of notation, we denote both stateπ and state ′π fromTr and T ′r, respectively, with the mapping stateπ in the following case distinction.

(a) E schedules the initialization.

• Evaluation context: P = E[SMPC′(adv , in,F)γ ]

• State: stateπ(γ, i) := ⊥ for all i ∈ [1, n]

The scheduling simulator SSim sets state′π(γ, i) := input for all i ∈ [1, n]. On the other hand,initially, the internal state of Ir,F is set to input. No other values in Tr and T ′r change compared tothe round r − 1; hence and by induction hypothesis, Tr and T ′r are indistinguishable.

(b) E schedules an input of a corrupted party i.

• Evaluation context: P = E[0r,in,F,γ ]

• State: A bitstring m has been requested from the adversary. Check whether m =(c, s, input,m′), s = sessionid(γ), and stateπ(γ, i) = input.

The scheduling simulator first sends evaluation contexts such that the execution asks for a channelname c, a message m′, and a session id s for ini(x

γ,ri , sid), and, then, the simulator sends (c, (s,m′)).

In the two settings the probability that c = cevalη,µ ini and sid = cevalη,µ sidγ is the same, whereη and µ denote the variable and the name mapping of Execsmpc or Execπ, respectively. If the twobitstrings are accepted, we have η(xγ,pi ) = m′. On the other hand, we know by the construction of Ithat inputpi = m′ holds true as well. By the induction hypothesis we know that Tr−1 and T ′r−1 arecomputationally indistinguishable. As only the list of inputs differs r − 1 and r and we have seenthat Execsmpc

P,A accepts the inputs with the same probability as ExecπP,A,SSim accepts the input, Trand T ′r are computationally indistinguishable.

(c) E schedules an input for an honest party i.

• Evaluation context: P = E[c〈x, s〉.Q][0r,in,F,γ ]

• State: There is an i ∈ [1, n] such that cevalη,µ c = cevalη,µ ini and stateπ(γ, i) = input.

By construction of the computational ideal functionality, the computational ideal functionality ac-cepts if and only if SMPC accepts the input. Moreover, we know that inputγ,ri = η(xγ,ri ) andstateπ(γ, i) = compute. By induction hypothesis, we conclude that Tr and T ′r are indistinguishable.

(d) Start the main computation before delivering the first result for party i.

• Evaluation context: (i) P = E[0r,in,F,γ ] or (ii) P = E[c(x).Q][0r,in,F,γ ]

• State: A bitstring m has been requested from the adversary. stateπ(γ, i) = compute for all i ∈[1, n]. Moreover, either (i) m = (c, s, deliver) and s = sessionid(γ) or (i) m = (i, s, deliver′)and s = sessionid(γ). In case (ii), check additionally whether there is an i ∈ [1, |ini|] such thatcevalη,µ c = cevalη,µ ini.

34

At this point there is a mismatch between the two settings: If in ExecsmpcP,A,I,Adv the adversary sends

a delivery request for a party that is uncorrupted party and for which the channel name has not beenalready sent to the adversary, there is an exponentially small chance of the adversary succeeding; inthe communication with the scheduling simulator, on the other hand, there is no chance of succeeding.However, this situation only happens with exponentially small probability.

As a first step, let us note that by Definition 4fv(F [0]) ⊆ ∅. η(fv(F [0])) is contained in Tr−1 andη′(fv(F [0])) is contained in T ′r−1. Hence, by induction hypothesis, η(fv(compute state(γ))) andη′(fv(compute state′(γ))) are indistinguishable.

I as well as SSim runs the main computation whenever deliver is scheduled and stateπ(γ, i) =compute for all i ∈ [1, n] where in are the channels involved in the session γ. Recall that I and SSimuse the same reduction strategy and that this reduction strategy schedules the same reduction steps.By induction hypothesis, we know that stater−1

π , ηr−1γ , µr−1

γ , compute stateγr−1 and state ′πr−1,

η′r−1γ , µ′r−1

γ , compute state′γr−1 are indistinguishable.21

Since SSim as well as FF run Execπcompute state(γ),A, FF (inputγ,r1 , . . . , inputγ,rn , stateF ) =:(resultr1, . . . , result

rn) and η′(yγ,r1 ), . . . , η′(yγ,rn ) are indistinguishable for a distinguisher that is given

Tr−1 or T ′r−1 Moreover, as compute stater−1 = compute state′r−1 holds by induction hypothesis,compute stater = compute state′r.

Thereafter, we are in the case for delivery with corrupted parties or honest parties, respectively.

(e) The delivery command for a party i is sent.

• Evaluation context: P = E[0r,in,F,γ ]

• State: A bitstrings m has been requested from the adversary, stateπ(γ, i) = deliver, and (i)m = (i, s, deliver) and s = sessionid(γ) or (ii) m = (c, s, deliver) and s = sessionid(γ).

In case (i), we set in both settings stateπ(γ, i) to input. Hence, Tr and T ′r remain indistinguishable.

In case (ii), in both settings the bitstring c is sent to the execution. If c = η(ini) the result is sentto the adversary in both settings. Moreover, both settings set stateπ(γ, i) := input.

By induction hypothesis, or as we have already seen in the case (d), we know that these two resultsare computationally indistinguishable. Hence, we conclude that Tr and T ′r are indistinguishable.

(f) The output of party i is delivered to an honest party.

• Evaluation context: P = E[c(x).Q][0r,in,F,γ ]

• State: There is an i such that cevalη,µ c = cevalη,µ ini and stateπ(γ, i) = input.

We stress that the scheduling simulator can compute whether there is an i such that cevalη,µ c =cevalη,µ ini.

We have the invariant that delivery(γ, i) = true if and only if outputi is defined. Hence, bothExecπP,A,〈SSim,D〉 and Execsmpc

P,A,I,D perform a message synchronization, i.e., the message is outputto the honest party.

By induction hypothesis resultγ,r−1i and µ(yγ,ri ) are indistinguishable; hence, ηr, µr and η′′r, µ′′r are

indistinguishable as well. Therefore, Tr and T ′r are indistinguishable as well.

(g) In all other cases, either the scheduling simulator only replaces the unreduced SMPC with thecurrent state smpc state of Execπ in the evaluation context E and forwards the modified evaluationcontext to Execπ, or both SSim and either Execsmpc or I ignore the evaluation context. Since Execπ

coincides on these cases with Execsmpc and the scheduling simulator only forwards messages, Tr andT ′r are indistinguishable as well.

21Formally, we consider the distribution obtained by projecting TDP,r−1 and T ′DP,r−1 to (stater−1π , ηr−1

γ , µr−1γ ,

compute stateγr−1) and (state′πr−1, η′r−1

γ , µ′r−1γ , compute state′γr−1), respectively.

35

Finally, we prove the lemma.

Lemma 1. For every well-formed P , there exists a family I of SMPC ideal functionalities such thatif P is π-robustly computationally safe using A, then P is SMPC-robustly computationally safe using A,I.

Proof of Lemma 1. In Lemma 5we show that the distributions over the sequence of processes that aresent to the adversary are indistinguishable. Hence, it suffices to solely show that the messages inside theevents are indistinguishable. But, as the two executions coincide on all processes that do not containSMPC, assertion tuples that contain message that are distinguishable can be used to distinguish TDP,rfrom T ′DP,r which, however, is a contradiction to Lemma 5.

C Leveraging UC-realizability

In this section, we show that the notion of UC-realization implies the SMPC-robust computational safety(see Definition 11) in our framework.

Lemma 2.[Leveraging UC-realizability] Let ρ and I be two family of SMPC protocols and idealfunctionalities such that ρ UC-realizes I (i.e., ρsid,F,c ∈ ρ iff Isid,F,c ∈ I and ρsid,F,c UC realizesIsid,F,c). For every well-formed P , if P is π-robustly computationally safe using A, I then P is SMPC-robustly computationally safe using A, ρ.

Proof. Let A be a set of constructor and destructor implementations. Then, we show that for all processesQ in the applied π calculus and for all ppt machines Adv, hereafter called the distinguisher, there is a pptmachine Sim such that for all ppt machines A the following indistinguishability holds true for A the twodistributions are indistinguishable Execsmpc

Q,I,ρ,〈Adv,A〉 and ExecsmpcQ,I,I,〈Sim,A〉. This indistinguishability, in

turn, implies that∣∣∣∣Pr[((F1, . . . , Fn), F, η, µ) ∈ Assertionssmpc

Q,A,I,p,〈Sim,A〉(k), {F1, . . . , Fn} |=η,µ,A F]

− Pr[((F1, . . . , Fn), F, η, µ) ∈ Assertionssmpc

Q,A,ρ,p,〈Adv,A〉(k), {F1, . . . , Fn} |=η,µ,A F] ∣∣∣∣

is negligible. Hence, the statement follows.The proof begins with the UC setting. As ρ UC realizes I, we know that for all ppt adversariesM there

is a simulator Sim such that for all ppt environments E the following two settings are indistinguishable:first, P := ρsid,in,F and Adv := M and, second, P := Isid,in,F and Adv := Sim. By the universal

composability [25] and as assumed ρUC≥ F , we know that for any polynomial p

p(k)∑

i=1

ρiUC≥

p(k)∑

i=1

Ii

holds true where ρi + ρj denotes the concurrent execution of ρi and ρj and k is the security parameter.Consequently, there is a simulator for the concurrent execution of all sessions. Throughout the proof, wedenote by Sim that simulator. The figures show, for clarity, only the transformations on one protocolsession, but we perform the transformations on all sessions simultaneously.

As the UC realization property ensures that for all adversaries there is a valid simulator for allenvironment, we can concentrate on one particular adversary and a subset of all possible environments.In the course of the proof, we basically consider the dummy adversary, called MD. Moreover, we splitthe environment E into two parts. The first part constitutes a ppt distinguisher A, and the second partconstitutes the computational execution Execsmpc

Q,A . Then, we transform the environment E in severalsteps in which the messages from the distinguisher A and the UC adversary Adv are redirected suchthat after each transformation the two settings remain indistinguishable for A.

In Figure 9 and Figure 10, P denotes the protocol, i.e., either ρ or F , respectively, Adv denotes theadversary, i.e., the ppt adversary Adv from the real setting or the simulator Sim, respectively. Moreover,the figures show the following connections (for a session r):

36

A Exec P

Adv

ea�

eaa

eea�

eaA Adv Execa a

eP

Figure 9: The instantiation Figure 10: The transformed setup

• e denotes the connections between the environment output ports !outei,r and incoming ports of theenvironment ?outei,r and the environment input port !inei,r and outgoing ports ?inei,r of the protocol(for any i ∈ [1, |in|),

• a denotes the connections between the adversary output ports !outai,r and incoming port ?outai,r ofthe adversary and the adversary input ?inai,r and outgoing ports !inai,r of the adversary,

• ea denotes the connections between the output ports of the distinguisher A and input ports of theadversary for the distinguisher and the distinguisher A for the adversary, respectively, and finally

• ea’ denotes the connections between the output ports of the execution and input ports of theadversary for the execution and the execution for the adversary, respectively.

The instantiation (Figure 9): We consider a family of environments that consist of two parts: appt distinguisher A and the computational SMPC execution Execsmpc

Q,A . The distinguisher A can onlycommunicate with the execution Execsmpc

Q,A and the UC adversary Adv. The execution is modified in thatall messages (i, s,m), which the execution would usually send over an adversary port to the protocol,are ignored. Recall that we have a nested scheduling order: Whenever a protocol party of the UCattacker is stops without sending a message, the execution is activated. Whenever the execution stopsthe distinguisher is activated.22

We restrict our attention to the UC adversary, hereafter called MD, that basically executes thecommands of the adversary. As we consider static corruption, the dummy adversary only needs toforward messages. Upon a message m, MD checks whether m = (i, sid,m′) and i ∈ [1, |in|], where sid isthe session identifier of every party.23 If the check succeeds, MD sends m′ over the port !inai . Otherwise,send m over ea′.

As ρ UC-realizes F , there is a simulator Sim for each ppt adversary such that the two settings areindistinguishable for all environments E(A,Execsmpc

Q,A ) where A is an arbitrary ppt machine.

The transformed setup (Figure 10): We change the setting such that all ports from the protocol thathave been connected to the adversary ports (a) are here connected to the environment. Analogously,all ports from the adversary (a) that have been connected to the protocol are here connected to theenvironment. In particular, all corrupted parties do not redirect the messages to the UC adversary Advanymore but send the messages to the execution. Here, we consider the machine M ′D that internally runsMD and forwards everything to MD. Whenever MD wants to send a message m′ over !inai,r, M

′D sends

m := (i, sid,m′) to the execution. As M ′D reverts the effect of MD, effectively M ′D only forwards everymessage from the distinguisher A. We do the same transformation for the simulator SimMD

obtaininga simulator Sim′MD

.Moreover, we consider usual execution Execsmpc

Q,A . In particular, the execution forwards all messagesthat it receives over a port ?outai,r to the UC adversary M ′D. And, for every message (i, s,m) that isreceived by the adversary, the execution forwards m over !inai,r. We stress that the execution does notpay attention over which port a message has been sent by the adversary; the execution processes all ofthem in the same way.

After these modification we effectively are in the situation in which A only communicates with theadversary, the adversary only communicates with the execution, and the execution communicates with

22Technically, these two machines are emulated by one master-machine that respects the constraints mentioned.23Recall that we assumed that the channel names are distinct from [1, n] for the maximal number of parties in Q that

perform a joint secure multi-party computation.

37

the adversary and the protocol. The execution checks upon a message over a channel ?outei whether iis corrupted. If the check succeeds, the execution forwards the message to the adversary. Hence, theexecution only forwards the messages that are addressed to the adversary. Two settings, consequently,remain indistinguishable for A. More precisely, given a successful distinguisher for the two settings inthis transformed setup, we can construct a successful distinguisher for the initial setup, which contradictsassumption that ρi UC realizes Ii.

As M ′D merely forwards every message, we have shown that for any ppt distinguisher A the followingtwo settings are indistinguishable: Execsmpc

Q,A,Aρ,〈M ′D,A〉 and ExecsmpcQ,A,AI ,〈Sim′MD ,A〉

.It remains to show that the following difference is negligible:

∣∣∣∣Pr[((F1, . . . , Fn), F, η, µ) ∈ Assertionssmpc

Q,A,I,p,〈Sim,A〉(k), {F1, . . . , Fn} |=η,µ,A F]

− Pr[((F1, . . . , Fn), F, η, µ) ∈ Assertionssmpc

Q,A,ρ,p,〈Adv,A〉(k), {F1, . . . , Fn} |=η,µ,A F] ∣∣∣∣.

The assumption tuples that are raised can only differ in the messages that they contain, since the processis observable to the distinguisher. The two executions, however, only differ in the implementation ofSMPC; hence, it remains to show that the messages sent over e are indistinguishable. Above, we showedthat by the UC security, we can conclude that the messages that are sent over e are indistinguishable inthe two settings (see Figure 9). As the execution is a polynomial-time machine, everything it computesout of indistinguishable inputs remains indistinguishable. Hence, the statement follows.

D Computational soundness of key-safe protocols with arith-metics

In this section, we first show how to leverage computational soundness proofs from CoSP to our framework(Section D.1). We translate from the variant of the applied π-calculus that is presented in this work to thevariant of the applied π-calculus in [8], which has been proven in [8] to inherit computational soundnessresults from CoSP. Then, we review the CoSP framework (Section D.2), introduce a symbolic model forpublic-key encryption, signatures, and arithmetic operations (Section D.3), present the implementationconditions for the computational soundness result (Section D.4), extending the symbolic model andthe implementation conditions for public-key encryption and signatures presented in [8], and finally wepresent the computational soundness proof for the presented symbolic model (Section D.5).

With minor modifications the computational soundness proof in [8] for public-key encryption andsignatures directly applies to the extended model; in the proof we highlight the modifications in bold.

D.1 Translating processes

The applied π calculus considered in [8] is a variant of the calculus that we consider in the current work.Instead of assumes and asserts they only provide atomic events, i.e., events that do not carry a message.Security properties are expressed as properties over traces of atomic events. The operations semanticsof their variant of the applied π calculus comprises an additional rule for reducing events, and eachreduction step may be labelled by an event. With this notation, a process is said to satisfy a propertyif for every reduction sequence the sequence of raised events is in the trace property. The computationalexecution of the applied π calculus with events, presented in [8], is basically identical to Execπ with thedifference that a sequence of events is output instead of a sequence of assertion tuples. A process is saidto computationally satisfy a trace property if for any adversary the probability that the event trace is inthe trace property (in a polynomially long interaction) is overwhelming.

We introduce two notions: first, the applied π calculus with atomic events representing the calculusthat is used in [8], and, second, the applied π calculus with assumes and asserts representing the calculusthat is used in the present work.

The translation. We simply erase in a process P all occurrences of assert true and replace alloccurrences of assert false with event bad, obtaining a process T (P ). The trace property Tp(P ) thensimply requires that the event bad has not been raised. Then, the following lemma follows immediately.

38

Lemma 6. There is a translation T from processes to processes and a translation Tp from processesto traces such that the following holds true: For any well-formed process P (in the applied π calculuswith assumes and asserts) if P is robustly safe, then, T (P ) satisifies Tp(P ). Moreover, whenever T (P )computationally satisfies Tp(P ), P is robustly computationally safe.

Proof. There is a strong correspondence between P and T (P ) as the operational semantics of the twocalculi almost coincide. The only difference is that in the applied π-calculus with asserts and assumesasserts are not reduce, while in the calculus with atomic events the events are reduced.

We have the following property: Let P be an atomic process in the applied π-calculus with assertsand assumes. After applying an arbitrary reduction sequence to T (P ), i.e., T (P ) →∗ P we distinguishtwo cases. Either the event bad has been raised in P . In this case, there is reduction sequence such thatP →∗ P ′, P = T (P ′′), P ′′ is a subprocess of P ′ (modulo associativity and commutativity), and there isa top-level assume false in P ′. Or no event bad has been raised and there is a reduction sequence suchthat P →∗ P ′ and P = T (P ′). The lemma directly follows from this observation.

Before we present the modified proof from the work of Backes, Hofheinz, and Unruh [8], we present theproof of our second main theorem.

Theorem 2.[Computational soundness of (DESA,PESA)] If enhanced trapdoor permutations exist, thereis an length-regular implementation A such that (DESA,PESA) is a computationally sound, well-formedmodel.

Proof. By Lemma 6, we know that if an atomic process (in the applied π-calculus with assumes andasserts) P is robustly safe, then the trace property (see Definition 23) Tp(P ) for the process T (P ) holdstrue. In [8] it has been shown that there is an embedding from the applied π-calculus with atomic eventsinto CoSP protocols (see Definition 17) such that trace properties are preserved. In Lemma 12, we showthat the symbolic model presented in Section D.3 is computationally sound. In [8], a computational π-execution is presented upon which Execπ is based. Moreover, Backes, Hofheinz, and Unruh show in [8]that trace properties a preserved from the computational (CoSP-)execution and their computationalπ-execution. The translation function from CoSP protocols to processes, presented in [8], also preservescontainment in the image of T . Moreover, we consider the closure of the resulting symbolic model underthe conditions in Definition 13 is well-formed. Hence, with Lemma 6, we can conclude the proof.

D.2 Review of CoSP

Backes, Hofheinz, and Unruh presented a framework for conducting computational soundness proofs [8].This framework separates the task of proving computational soundness for a set of (non-interactive)primitives against Dolev-Yao attackers from the task of embedding a calculus into a setting with a sym-bolic Dolev-Yao attacker. We give an overview of the ideas underlying CoSP. All definitions in CoSPare relative to a symbolic model that specifies a set of constructors and destructors that symbolicallyrepresent computational operations, and a computational implementation that specifies cryptographicalgorithms for these constructors and destructors. In CoSP, a protocol is represented by an infinitetree that describes the protocol as a labeled transition system. Such a CoSP protocol contains actionsfor performing abstract computations (applying constructors and destructors to messages) and for com-municating with an adversary. A CoSP protocol is endowed with two semantics, a symbolic executionand a computational execution. In the symbolic execution, messages are represented by terms. In thecomputational execution, messages are bitstrings, and the computational implementation is used insteadof applying constructors and destructors. A computational implementation is computationally soundif any symbolically secure CoSP protocol is also computationally secure. The advantage of expressingcomputational soundness results in CoSP is that the protocol model in CoSP is very general. Hence,the semantics of other calculi can be embedded therein, thus transferring the computational soundnessresults from CoSP to these calculi.

D.2.1 Symbolic protocols

We define a CoSP protocol as a tree with a distinguished root and with labels on both nodes andedges. Intuitively, the nodes correspond to different protocol actions: Computation nodes produce terms

39

(using a constructor or destructor); input and output nodes correspond to receive and send operations;nondeterministic nodes encode nondeterministic choices in the protocol; control nodes allow an outsideentity (i.e., an adversary) to influence the control flow of the protocol.

The edge labels intuitively allow for distinguishing branches in the protocol execution, e.g., destruc-tor nodes have two outgoing edges labelled with yes and no, corresponding to the two cases that thedestructor is defined on the input term or not; hence we can, e.g., speak about the yes-successor of adestructor node.

Definition 17 (CoSP protocol). A CoSP protocol Πs is a tree with a distinguished root and labels onboth edges and nodes. Each node has a unique identifier N and one of the following types:• Computation nodes are annotated with a constructor, nonce, or destructor F/n together with the

identifiers of n (not necessarily distinct) nodes. Computation nodes have exactly two successors;the corresponding edges are labeled with yes and no, respectively.

• Output nodes are annotated with the identifier of one node. An output node has exactly onesuccessor.

• Input nodes have no further annotation. An input node has exactly one successor.• Control nodes are annotated with a bitstring l. A control node has at least one and up to countably

many successors annotated with distinct bitstrings l′ ∈ {0, 1}∗. (We call l the out-metadata and l′

the in-metadata.)• Nondeterministic nodes have no further annotation. Nondetermininistic nodes have at least one

and at most finitely many successors; the corresponding edges are labeled with distinct bitstrings.We assume that the annotations are part of the node identifier N . If a node N contains an identifier N ′

in its annotation, then N ′ has to be on the path from the root to N (including the root, excluding N),and N ′ must be a computation node or input node. In case N ′ is a computation node, the path from N ′

to N has to additionally go through the outgoing edge of N ′ with label yes.

Assigning each nondeterministic node a probability distribution over its successors yields the notionof a probabilistic CoSP protocol.

Definition 18 (Probabilistic CoSP protocol). A probabilistic CoSP protocol Πp is a CoSP protocol,where each nondeterministic node is additionally annotated with a probability distribution over the labelsof the outgoing edges.

In the following, we assume that such a probability distribution is encoded as a list of pairs, consistingof a label and a rational probability. Any probabilistic CoSP protocol Πp can be transformed canonicallyinto a CoSP protocol Πs by erasing the probability distributions. We will call Πs the symbolic protocolthat corresponds to Πp.

Probabilistic CoSP protocols will be crucial in the definition of computational soundness. Moreover,they often constitute an intermediate technical step within a larger proof. For instance, reasoning aboutimplementations of CoSP protocols is difficult since they do not have a unique such implementationif nondeterministic nodes are present, in contrast to probabilistic CoSP protocols. With the notion ofprobabilistic CoSP protocols at hand, one can instead consider the set of all implementations of allprobabilistic CoSP protocols whose corresponding CoSP protocol is Πs.

Definition 19 (Efficient protocol). We call a probabilistic CoSP protocol efficient if:• There is a polynomial p such that for any node N , the length of the identifier of N is bounded byp(m) where m is the length (including the total length of the edge-labels) of the path from the rootto N .

• There is a deterministic polynomial-time algorithm that, given the identifiers of all nodes and theedge labels on the path to a node N , computes the label of N .

We finally provide the notions of a symbolic execution of a CoSP protocol.The symbolic execution of a CoSP protocol for a given symbolic model consists of a sequence of triples

(S, ν, f) where S represents the knowledge of the adversary, ν represents the current node identifier inthe protocol, and f represents a partial function mapping already processed node identifiers to messages.

Definition 20 (Symbolic execution). Let a symbolic model (C,N,T,D,`) and a CoSP protocol Πs begiven. A full trace is a (finite) list of tuples (Si, νi, fi) such that the following conditions hold:

40

• Correct start: S1 = ∅, ν1 is the root of Πs, f1 is a totally undefined partial function mapping nodeidentifiers to terms.

• Valid transition: For every two consecutive tuples (S, ν, f) and (S′, ν′, f ′) in the list, let ν be thenode identifiers in the annotation of ν and define t through tj := f(νj). We have:

– If ν is a computation node with constructor, destructor or nonce F , then S′ = S. If m :=evalF (t) 6= ⊥, ν′ is the yes-successor of ν in Πs, and f ′ = f(ν := m). If m = ⊥, then ν′ isthe no-successor of ν and f ′ = f .

– If ν is an input node, then S′ = S and ν′ is the successor of ν in Πs and there exists an mwith S ` m and f ′ = f(ν := m).

– If ν is an output node, then S′ = S ∪ {t1}, ν′ is the successor of ν in Πs and f ′ = f .– If ν is a control or a nondeterministic node, then ν′ is a successor of ν and f ′ = f and S′ = S.

A list of node identifiers (νi) is a node trace if there is a full trace with these node identifiers.

D.2.2 Computational model

We now define the computation implementation of a symbolic model as a family of functions that providecomputation interpretations to constructors, destructors, and nonces.

Definition 21 (Computational implementation). Let a symbolic model M = (C,N,T,D,`) be given.A computational implementation of M is a family of functions A = (Ax)x∈C∪D∪N such that AF forF/n ∈ C ∪ D is a partial deterministic function N × ({0, 1}∗)n → {0, 1}∗, and AN for N ∈ N is atotal probabilistic function with domain N and range {0, 1}∗ (i.e., it specifies a probability distributionon bitstrings that depends on its argument). The first argument of AF and AN represents the securityparameter.

All functions AF have to be computable in deterministic polynomial-time, and all AN have to becomputable in probabilistic polynomial-time.24

Requiring AC and AD to be deterministic is without loss of generality, since one can always add anexplicit randomness argument that takes a nonce as input.

The computational execution of a probabilistic CoSP protocol defines an overall probability distribu-tion on all possible node traces that the protocol proceeds through. In contrast to symbolic executions,we do not aim at defining the notion of a full trace: the adversary’s symbolic knowledge S has no formalcounterpart in the computational setting, and the function f occuring in the computational executionswill not be needed in our later results.

Note on the computational interpretation of symbols. Here and in the following, we will assumea canonical bitstring representation of symbols. We do not require that the bitstring representation of aterm, say, E(m) hides (the bitstring representation of) m. (A suitable secrecy property will be ensured byan additional Dolev-Yao-like requirement on the computational machine that receives and sends bitstringrepresentations of terms.) The purpose of the bitstring presentation is only to be syntactically able toconsider a CoSP protocol in a computational setting.

Definition 22 (Computational execution). Let a symbolic model M = (C,N,T,D,`), a computationalimplementation A of M, and a probabilistic CoSP protocol Πp be given. Let a probabilistic polynomial-time interactive machine E (the adversary) be given (polynomial-time in the sense that the number ofsteps in all activations are bounded in the length of the first input of E), and let p be a polynomial. Wedefine a probability distribution NodespM,A,Πp,E

(k), the computational node trace, on (finite) lists of nodeidentifiers (νi) according to the following probabilistic algorithm (both the algorithm and E are run oninput k):• Initial state: ν1 := ν is the root of Πp. Let f be an initially empty partial function from node

identifiers to bitstrings, and let n be an initially empty partial function from N to bitstrings.• For i = 2, 3, . . . do the following:

– Let ν be the node identifiers in the annotation of ν. mj := f(νj).

24More precisely, there has to exist a single uniform probabilistic polynomial-time algorithm A that, given the name ofC ∈ C, D ∈ D, or N ∈ N, together with an integer k and the inputs m, computes the output of AC , AD, and AN ordetermines that the output is undefined. This algorithm must run in polynomial-time in k+ |m| and may not use randomcoins when computing AC and AD.

41

– Proceed depending on the type of node ν:∗ If ν is a computation node with nonce N ∈ N: Let m′ := n(N) if n(N) 6= ⊥ and samplem′ according to AN (k) otherwise. Let ν′ be the yes-successor of ν, f ′ := f(ν := m′), andn′ := n(N := m′). Let ν := ν′, f := f ′ and n := n′.

∗ If ν is a computation node with constructor or destructor F , then m′ := AF (k, m). Ifm′ 6= ⊥, then ν′ is the yes-successor of ν, if m′ = ⊥, then ν′ is the no-successor of ν.Let f ′ := f(ν := m′). Let ν := ν′ and f := f ′.

∗ If ν is an input node, ask for a bitstring m from E. Abort the loop if E halts. Let ν′ bethe successor of ν. Let f := f(ν := m) and ν := ν′.

∗ If ν is an output node, send m1 to E. Abort the loop if E halts. Let ν′ be the successorof ν. Let ν := ν′.

∗ If ν is a control node, annotated with out-metadata l, send l to E. Abort the loop if Ehalts. Upon receiving an answer l′, let ν′ be the successor of ν along the edge labeled l′

(or the lexicographically smallest edge if there is no edge with label l′). Let ν := ν′.∗ If ν is a nondeterministic node, let D be the probability distribution in the annotation ofν. Pick ν′ according to the distribution D, and let ν := ν′.

– Let νi := ν.– Let len be the number of nodes from the root to ν plus the total length of all bitstrings in the

range of f . If len > p(k), stop.

D.2.3 Computational Soundness

We first define trace properties and their fulfillment by a (probabilistic) CoSP protocol. After that, weprovide the definition of computational soundness for trace properties.

Definition 23 (Trace property). A trace property P is an efficiently decidable and prefix-closed set of(finite) lists of node identifiers.

Let M = (C,N,T,D,`) be a symbolic model and Πs a CoSP protocol. Then Πs symbolically satisfiesa trace property P in M iff every node trace of Πs is contained in P. Let A be a computational imple-mentation of M and let Πp be a probabilistic CoSP protocol. Then (Πp, A) computationally satisfies atrace property P in M iff for all probabilistic polynomial-time interactive machines E and all polynomialsp, the probability is overwhelming that NodespM,A,Πp,E

(k) ∈ P.

Definition 24 (Computational soundness). A computational implementation A of a symbolic modelM = (C,N,T,D,`) is computationally sound for a class P of CoSP protocols iff for every trace propertyP and for every efficient probabilistic CoSP protocol Πp, we have that (Πp, A) computationally satisfiesP whenever the corresponding CoSP protocol Πs of Πp symbolically satisfies P and Πs ∈ P .

D.2.4 A Sufficient Criterion for Soundness

To tame the complexity of computational soundness proofs, we introduce a technical tool to show sound-ness. We introduce the notion of a simulator and identify several properties such that the existence ofa simulator with all of these properties already entails computational soundness in the sense of Defini-tion 24. This notion might remind of the simulation-based proofs of computational soundness [12, 27],but it does not depend on framework-specific details such as scheduling, message delivery, etc. Westress that, in CoSP, asserting computational soundness proofs need not be done using this simulator-based characterization to enjoy CoSP’s benefits, but every other prevalently used technique for showingcomputational soundness can be used as well.

In the following, we fix a symbolic model M = (C,N,T,D,`) and a computational implementationA of M. In the following, we moreover assume that whenever a machine sends a term or a node, theterm/node is suitably encoded as bitstring.

We proceed by introducing the notion of a simulator, essentially by imposing syntactic constraintson the set of all interactive machines.

Definition 25 (Simulator). A simulator is an interactive machine Sim that satisfies the following syn-tactic requirements:

42

• When activated without input, it replies with a term m ∈ T. (This corresponds to the situationthat the protocol expects some message from the adversary.)

• When activated with some t ∈ T, it replies with an empty output. (This corresponds to the situationthat the protocol sends a message to the adversary.)

• When activated with (info, ν, t) where ν is a node identifier and t ∈ T, it replies with (proceed).• At any point (in particular instead of sending a reply), it may terminate.

A simulator Sim is intuitively expected to translate a computational attack into a correspondingsymbolic attack. Sim operates in a symbolic setting, but will usually simulate internally a computationaladversary. Thus Sim essentially translates bitstrings to terms, and vice versa.

We proceed by defining the hybrid execution of a probabilistic CoSP protocol. We call this executionhybrid because it is a mixture of the symbolic and the computational execution. Concretely, we definea hybrid protocol machine ΠC that is associated to Πp and interfaces Sim with a probabilistic CoSPprotocol Πp.

Definition 26 (Hybrid execution). Let Πp be a probabilistic CoSP protocol, and let Sim be a simulator.We define a probability distribution H -TraceM,Πp,Sim(k) on (finite) lists of tuples (Si, νi, fi) called thefull hybrid trace according to the following probabilistic algorithm ΠC , run on input k, that interactswith Sim. (ΠC is called the hybrid protocol machine associated with Πp and internally runs a symbolicsimulation of Πp as follows:)• Start: S1 := S := ∅, ν1 := ν is the root of Πp, and f1 := f is a totally undefined partial function

mapping node identifiers to T. Run Πp on ν.• Transition: For i = 2, 3, . . . do the following:

– Let ν be the node identifiers in the label of ν. Define t through tj := f(νj).– Proceed depending on the type of ν:∗ If ν is a computation node with constructor, destructor, or nonce F , then let m :=evalF (t). If m 6= ⊥, let ν′ be the yes-successor of ν and let f ′ := f(ν := m). Ifm = ⊥, let ν′ be the no-successor of ν and let f ′ := f .∗ If ν is an output node, send t1 to Sim (but without handing over control to Sim). Let ν′

be the unique successor of ν. Set ν := ν′.∗ If ν is an input node, hand control to Sim, and wait to receive m ∈ T from Sim. Letf ′ := f(ν := m), and let ν′ be the unique successor of ν. Set f := f ′ and ν := ν′.

∗ If ν is a control node labeled with out-metadata l, send l to Sim, hand control to Sim, andwait to receive a bitstring l′ from Sim. Let ν′ be the successor of ν along the edge labeledl′ (or the lexicographically smallest edge if there is no edge with label l′). Let ν := ν′.

∗ If ν is a nondeterministic node, sample ν′ according to the probability distribution specifiedin ν. Let ν := ν′.

– Send (info, ν, t) to Sim. When receiving an answer (proceed) from Sim, continue.– If Sim has terminated, stop. Otherwise let (Si, νi, fi) := (S, ν, f).

The probability distribution of the (finite) list ν1, . . . produced by this algorithm we denoteH -NodesM,Πp,Sim(k). We call this distribution the hybrid node trace.

We write Sim + ΠC to denote the execution of Sim and ΠC .We proceed by defining properties of a simulator, such as adhering to a Dolev-Yao style deduction

relation. Later we will show that simulators that satisfy these properties entail computational soundnessresults. Treating these properties separately instead of immediately conjoining them into a generalsoundness criterion allows us to more careful identify where these individual properties are exploited incomputational soundness proofs.

The first property – Dolev-Yao-style – captures that Sim adheres to the deduction relation ` inDefinition 20 for input/output nodes. More precisely, the terms that Sim sends to the CoSP protocolhave to be derivable from Sim’s symbolic view so far.

Definition 27 (Dolev-Yao style simulator). A simulator Sim is Dolev-Yao style (short: DY) for M andΠp, if with overwhelming probability the following holds:

In an execution of Sim + ΠC , for each `, let m` ∈ T be the `-th term sent (during processing of oneof ΠC ’s input nodes) from Sim to ΠC in that execution. Let T` ⊆ T the set of all terms that Sim hasreceived from ΠC (during processing of output nodes) prior to sending m`. Then we have T` ` m`.

43

The second property – indistinguishability – captures that the hybrid node traces are computationallyindistinguishable from real node traces, i.e., the corresponding random variables cannot be distinguishedby any probabilistic algorithm that runs in polynomial time in the security parameter. We write

c≈ todenote computational indistinguishability.

Definition 28 (Indistinguishable simulator). A simulator Sim is indistinguishable for M, Πp, an im-plementation A, an adversary E, and a polynomial p, if

NodespM,A,Πp,E(k)

c≈ H -NodesM,Πp,Sim(k),

i.e., if the computational node trace and the hybrid node trace are computationally indistinguishable.

We define the following abbreviation.

Definition 29 (Good simulator). A simulator is good for M, Πp, A, E, and p if it is Dolev-Yao stylefor M, and Πp, and indistinguishable for M, Πp, A, E, and p.

We can now formally state and prove the main result of this section: the existence of a good simulatorimplies computational soundness.

Theorem 3 (Good simulator implies soundness). Let M = (C,N,T,D,`) be a symbolic model, let Pbe a class of CoSP protocols, and let A be a computational implementation of M. Assume that for everyefficient probabilistic CoSP protocol Πp (whose corresponding CoSP protocol is in P ), every probabilisticpolynomial-time adversary E, and every polynomial p, there exists a good simulator for M, Πp, A, E,and p. Then A is computationally sound for protocols in P .

D.3 The symbolic model

We first specify the symbolic model M = (C,N,T,D,`). The symbolic model introduces arith-metic opertations on symbolic bistrings, which model payloads; arithmetic operations arenot defined on other cryptographic terms, such as encrypted messages, or signatures. Weintroduce two functions ι and ι that translate symbolic bitstrings to natural numbers andnatural numbers to bitstrings, respectively. These two mappings are used in the definitionof the arithmetic operations.• Constructors and nonces: Let C := {enc/3, ek/1, dk/1, sig/3, vk/1, sk/1, pair/2, string0/1,

string1/1,nil/0, garbageSig/2, garbage/1, garbageE/2} and N := NP ∪ NE . Here NP and NE

are countably infinite sets representing protocol and adversary nonces, respectively. Intuitively,encryption, decryption, verification, and signing keys are represented as ek(r), dk(r), vk(r), sk(r)with a nonce r (the randomness used when generating the keys). enc(ek(r′),m, r) encrypts musing the encryption key ek(r′) and randomness r. sig(sk(r′),m, r) is a signature of m usingthe signing key sk(r′) and randomness r. The constructors string0 , string1 , and nil are usedto model arbitrary strings used as payload in a protocol (e.g., a bitstring 010 would be encodedas string0 (string1 (string0 (nil)))). garbage, garbageE , and garbageSig are constructors necessaryto express certain invalid terms the adversary may send, these constructors are not used by theprotocol.

• Message type: We define T as the set of all terms M matching the following grammar:

M ::= enc(ek(N),M,N) | ek(N) | dk(N) |sig(sk(N),M,N) | vk(N) | sk(N) |pair(M,M) | S | N |garbage(N) | garbageE (M,N) |garbageSig(M,N)

S ::= nil | string0(S) | string1(S)

where the nonterminal N stands for nonces.

44

• Destructors: D := {dec/2, isenc/1, isek/1, ekof /1, verify/2, issig/1, isvk/1, vkof /2, fst/1, snd/1,unstring0/1, unstring1/1, equals/2, add/2, sub/2,mult/2, ge/2, xor}. The destructors isek , isvk ,isenc, and issig realize predicates to test whether a term is an encryption key, verification key,ciphertext, or signature, respectively. ekof extracts the encryption key from a ciphertext, vkof ex-tracts the verification key from a signature. dec(dk(r), c) decrypts the ciphertext c. verify(vk(r), s)verifies the signature s with respect to the verification key vk(r) and returns the signed message ifsuccessful. The destructors fst and snd are used to destruct pairs, and the destructors unstring0

and unstring1 allow to parse payload-strings. (Destructors ispair and isstring are not necessary,they can be emulated using fst , unstring i, and equals(·,nil).)The behavior of the destructors is given by the following rules; an application matching none ofthese rules evaluates to ⊥. We define the functions ι from symbolic strings, denoted as String tonatural numbers, denoted as N. We use a standard binary encoding of numbers: For s ∈ String ,ι(s) :=

∑|m|i=1 2i−1 · si, where si = 1 if the ith string constructor is string1 and si = 0 if the ith

string constructor is string0, and, for n ∈ N, ι(n) denotes the be the corresponding encoding of thenumber n as symbolic bitstring s ∈ String .

dec(dk(t1), enc(ek(t1),m, t2)) = m

isenc(enc(ek(t1), t2, t3)) = enc(ek(t1), t2, t3)isenc(garbageE (t1, t2)) = garbageE (t1, t2)

isek(ek(t)) = ek(t)ekof (enc(ek(t1 ),m, t2 )) = ek(t1)

ekof (garbageE (t1 , t2 )) = t1

verify(vk(t1), sig(sk(t1), t2, t3)) = t2

issig(sig(sk(t1), t2, t3)) = sig(sk(t1), t2, t3)issig(garbageSig(t1, t2)) = garbageSig(t1, t2)

isvk(vk(t1)) = vk(t1)vkof (sig(sk(t1), t2, t3)) = vk(t1)

vkof (garbageSig(t1, t2)) = t1

fst(pair(x, y)) = x

snd(pair(x, y)) = y

unstring0(string0(s)) = s

unstring1(string1(s)) = s

normalize(s) = ι(ι(s))add(string i(s), stringj(s

′)) = ι(ι(string i(s)) + ι(stringj(s′)))

sub(string i(s), stringj(s′)) = ι(ι(string i(s))− ι(stringj(s

′)))mult(string i(s), stringj(s

′)) = ι(ι(string i(s)) · ι(stringj(s′)))

ge(string i(s), stringj(s′)) = string i(s) if ι(string i(s)) ≥ ι(stringj(s

′))xor(string i(s),nil) = string i(s)xor(nil , string i(s)) = string i(s)

xor(string i(s), string i(s′)) = string0(xor(s, s′))

xor(string i(s), string1−i(s′)) = string1(xor(s, s′))

equals(t1, t1) = t1

where i, j ∈ {0, 1}

• Deduction relation: ` is the smallest relation satisfying the rules in Figure 11.

45

m ∈ SS ` m

N ∈ NE

S ` NS ` t t ∈ T F ∈ C ∪D evalF (t) 6= ⊥

S ` evalF (t)

Figure 11: Deduction rules for the symbolic model

D.4 The computational implementation

Obtaining a computational soundness result for the symbolic model M requires its implementation touse an IND-CCA2 secure encryption scheme and a strongly existentially unforgeable signature scheme.More precisely, we require that (Aek , Adk ), Aenc , and Adec form the key generation, encryption anddecryption algorithm of an IND-CCA2-secure scheme; and that (Avk , Ask ), Asig , and Averify form the keygeneration, signing, and verification algorithm of a strongly existentially unforgeable signature scheme.Let Aisenc(m) = m iff m is a ciphertext. (Only a syntactic check is performed; it is not necessary to checkwhether m was correctly generated.) Aissig , Aisek , and Aisvk are defined analogously. Aekof extractsthe encryption key from a ciphertext, i.e., we assume that ciphertexts are tagged with their encryptionkey. Similarly Avkof extracts the verification key from a signature, and Averify can be used to extractthe signed message from a signature, i.e., we assume that signatures are tagged with their verificationkey and the signed message. Nonces are implemented as (suitably tagged) random k-bit strings. Apair ,Afst , and Asnd construct and destruct pairs. We require that the implementation of the constructorsare length regular, i.e., the length of the result of applying a constructor depends only on the lengthsof the arguments. No restrictions are put on Agarbage , AgarbageE , and AgarbageSig as these are neveractually used by the protocol. (The implementation of these functions need not even fulfill equationslike Aisenc(AgarbageE (x)) = AgarbageE (x).)

The exact requirements are as follows:

D.4.1 Implementation conditions.

We require that the implementation A of the symbolic model M has the following properties. We use astandard binary encoding of numbers, 〈m〉2 :=

∑|m|i=1 2i−1 ·mi, where mi is the ith bit of the string m,

and let [n]2 be the corresponding encoding of the number n as a bitstring.1. A is an implementation of M in the sense of Definition 21(in particular, all functions Af (f ∈ C∪D)

are polynomial-time computable).2. There are disjoint and efficiently recognizable sets of bitstrings representing the types nonces,

ciphertexts, encryption keys, decryption keys, signatures, verification keys, signing keys, pairs, andpayload-strings. The set of all bitstrings of type nonce we denote Noncesk.25 (Here and in thefollowing, k denotes the security parameter.)

3. The functions Aenc , Aek , Adk , Asig , Avk , Ask , Apair , Astring0, and Astring1

are length-regular. Wecall an n-ary function f length regular if |mi| = |m′i| for i = 1, . . . , n implies |f(m)| = |f(m′)|. Allm ∈ Noncesk have the same length.

4. AN for N ∈ N returns a uniformly random r ∈ Noncesk.5. Every image of Aenc is of type ciphertext, every image of Aek and Aekof is of type encryption key,

every image of Adk is of type decryption key, every image of Asig is of type signature, every imageof Avk and Avkof is of type verification key, every image of Anil , Astring0

, and Astring1is of type

payload-string.6. For all m1,m2 ∈ {0, 1}∗ we have Afst(Apair (m1,m2)) = m1 and Asnd(Apair (m1,m2)) = m2. Everym of type pair is in the range of Apair . If m is not of type pair, Afst(m) = Asnd(m) = ⊥.

7. For all m of type payload-string we have that Aunstringi (Astringi (m)) = m andAunstringi

(Astringj(m)) = ⊥ for i, j ∈ {0, 1}, i 6= j. For m = nil or m not of type payload-

string, Aunstring0(m) = Aunstring1

(m) = ⊥. Every m of type payload-string is of the formm = Aunstring0

(m′) or m = Aunstring1(m′) or m = nil for some m′ of type payload-string. More-

over, for 〈m〉2 ≥ 〈m′〉2, we have Asub(m,m′) := [〈m〉2 − 〈m′〉2]2 and Age(m,m′) = m, andfor 〈m〉2 < 〈m′〉2 we have Asub(m,m′) := ⊥ and Age(m,m′) := ⊥. Furthermore, we haveAadd(m,m′) := [〈m〉2 + 〈m′〉2]2.

25This would typically be the set of all k-bit strings with a tag denoting nonces.

46

8. Aekof (Aenc(p, x, y)) = p for all p of type encryption key, x ∈ {0, 1}∗, y ∈ Noncesk. Aekof (e) 6= ⊥for any e of type ciphertext and Aekof (e) = ⊥ for any e that is not of type ciphertext.

9. Avkof (Asig(Ask (x), y, z)) = Avk (x) for all y ∈ {0, 1}∗, x, z ∈ Noncesk. Avkof (e) 6= ⊥ for any e oftype signature and Avkof (e) = ⊥ for any e that is not of type signature.

10. Aenc(p,m, y) = ⊥ if p is not of type encryption key.11. Adec(Adk (r),m) = ⊥ if r ∈ Noncesk and Aekof (m) 6= Aek (r). (This implies that the encryption

key is uniquely determined by the decryption key.)12. Adec(Adk (r), Aenc(Aek (r),m, r′)) = m for all r, r′ ∈ Noncesk.13. Averify(Avk (r), Asig(Ask (r),m, r′)) = m for all r, r′ ∈ Noncesk.14. For all p, s ∈ {0, 1}∗ we have that Averify(p, s) 6= ⊥ implies Avkof (s) = p.15. Aisek (x) = x for any x of type encryption key. Aisek (x) = ⊥ for any x not of type encryption key.16. Aisvk (x) = x for any x of type verification key. Aisvk (x) = ⊥ for any x not of type verification key.17. Aisenc(x) = x for any x of type ciphertext. Aisenc(x) = ⊥ for any x not of type ciphertext.18. Aissig(x) = x for any x of type signature. Aissig(x) = ⊥ for any x not of type signature.19. We define an encryption scheme (KeyGen,Enc,Dec) as follows: KeyGen picks a random r ← Noncesk

and returns (Aek (r), Adk (r)). Enc(p,m) picks a random r ← Noncesk and returns Aenc(p,m, r).Dec(k, c) returns Adec(k, c). We require that then (KeyGen,Enc,Dec) is IND-CCA secure.

20. We define a signature scheme (SKeyGen,Sig,Verify) as follows: SKeyGen picks a randomr ← Noncesk and returns (Avk (r), Ask (r)). Sig(p,m) picks a random r ← Noncesk and re-turns Asig(p,m, r). Verify(p, s,m) returns 1 iff Averify(p, s) = m. We require that then(SKeyGen,Sig,Verify) is strongly existentially unforgeable.

21. For all e of type encryption key and all m ∈ {0, 1}∗, the probability that Aenc(e,m, r) =Aenc(e,m, r′) for uniformly chosen r, r′ ∈ Noncesk is negligible.

22. For all rs ∈ Noncesk and all m ∈ {0, 1}∗, the probability that Asig(Ask (rs),m, r) =Asig(Ask (rs),m, r′) for uniformly chosen r, r′ ∈ Noncesk is negligible.

Note that any IND-CCA secure encryption scheme and strongly existentially unforgeable signaturescheme can be transformed into an implementation satisfying the above conditions by suitably taggingand padding the ciphertexts, signatures, and keys.

Key-safe protocols. The computational soundness result we derive in this section requires that theCoSP protocol satisfies certain constraints. In a nutshell, these constraints require that encryption,signing, and key generation always use fresh randomness, that decryption only uses honestly generated(i.e., through key generation) decryption keys, that only honestly generated keys are used for signing, andthat the protocol does not produce garbage terms. Decryption and signing keys may not be sent around.(In particular, this avoids the so-called key-cycle and key-commitment problems.) We call protocolssatisfying these conditions key-safe. We stress that key-safe protocols are not a requirement inducedby our framework as such. In fact, requirements similar to key-safeness are standard and state-of-theart assumptions for soundness results (either explicit or implicitly enforced by the modeling, see, e.g.,[5, 51, 12]).

The exact requirements are the following:

Protocol conditions. A CoSP protocol is key-safe if it satisfies the following conditions:1. The argument of every ek -, dk -, vk -, and sk -computation node and the third argument of every enc-

and sig-computation node is an N -computation node with N ∈ NP . (Here and in the following, wecall the nodes referenced by a protocol node its arguments.) We call these N -computation nodesrandomness nodes. Any two randomness nodes on the same path are annotated with differentnonces.

2. The argument of every string i-node (i ∈ {0, 1}) is either a stringj-node (j ∈ {0, 1}) or annil-node.

3. Every computation node that is the argument of an ek -computation node or of a dk -computationnode on some path p occurs only as argument to ek - and dk -computation nodes on that path p.

4. Every computation node that is the argument of a vk -computation node or of an sk -computationnode on some path p occurs only as argument to vk - and sk -computation nodes on that path p.

5. Every computation node that is the third argument of an enc-computation node or of a sig-computation node on some path p occurs exactly once as an argument in that path p.

6. Every dk -computation node occurs only as the first argument of a dec-destructor node.7. The first argument of a dec-destructor node is a dk -computation node.

47

8. Every sk -computation node occurs only as the first argument of a sig-computation node.9. The first argument of a sig-computation node is an sk -computation node.

10. There are no computation nodes with the constructors garbage, garbageE , garbageSig , or N ∈ NE .

D.5 Computational soundness proof

Construction of the simulator. In the following, we define distinct nonces Nm ∈ NE for eachm ∈ {0, 1}∗. In a hybrid execution, we call a term t honestly generated if it occurs as a subterm of aterm sent by the protocol ΠC to the simulator before it has occurred as a subterm of a term sent by thesimulator to the protocol ΠC .

For an adversary E and a polynomial p, we construct the simulator Sim as follows: In the firstactivation, it chooses rN ∈ Noncesk for every N ∈ NP . It maintains an integer len, initially 0. At anypoint in the execution, N denotes the set of all nonces N ∈ NP that occurred in terms received fromΠC . R denotes the set of randomness nonces (i.e., the nonces associated with all randomness nodes ofΠC passed through up to that point).

Sim internally simulates the adversary E. When receiving a term t ∈ T from ΠC , it passes β(t) toE where the partial function β : T → {0, 1}∗ is defined below. When E answers with m ∈ {0, 1}∗, thesimulator sends τ(m) to ΠC where the function τ : {0, 1}∗ → T is defined below. The bitstrings sentfrom the protocol at control nodes are passed through to E and vice versa. When the simulator receives(info, ν, t), the simulator increases len by `(t) + 1 where ` : T→ {0, 1}∗ is defined below. If len > p(k),the simulator terminates, otherwise it answers with (proceed).

Translation functions. The partial function β : T → {0, 1}∗ is defined as follows (where the firstmatching rule is taken):• β(N) := rN if N ∈ N .• β(Nm) := m.• β(enc(ek(t1), t2,M)) := Aenc(β(ek(t1)), β(t2), rM ) if M ∈ N .• β(enc(ek(M), t, Nm)) := m if M ∈ N .• β(ek(N)) := Aek (rN ) if N ∈ N .• β(ek(Nm)) := m.• β(dk(N)) := Adk (rN ) if N ∈ N .• β(sig(sk(N), t,M)) := Asig(Ask (rN ), β(t), rM ) if N,M ∈ N .• β(sig(sk(M), t, Ns)) := s.• β(vk(N)) := Avk (rN ) if N ∈ N .• β(vk(Nm)) := m.• β(sk(N)) := Ask (rN ) if N ∈ N .• β(pair(t1, t2)) := Apair (β(t1), β(t2)).• β(string0(t)) := Astring0

(β(t)).• β(string1(t)) := Astring1

(β(t)).• β(nil) := Anil().• β(garbage(N c)) := c.• β(garbageE (t,N c)) := c.• β(garbageSig(t1, t2, Ns)) := s.• β(t) := ⊥ in all other cases.

The total function τ : {0, 1}∗ → T is defined as follows (where the first matching rule is taken):• τ(r) := N if r = rN for some N ∈ N \ R.• τ(r) := Nr if r is of type nonce.• τ(c) := enc(ek(M), t, N) if c has earlier been output by β(enc(ek(M), t, N)) for some M ∈ N,N ∈ N .

• τ(c) := enc(ek(N), τ(m), N c) if c is of type ciphertext and τ(Aekof (c)) = ek(N) for some N ∈ Nand m := Adec(Adk (rN ), c) 6= ⊥.

• τ(e) := ek(N) if e has earlier been output by β(ek(N)) for some N ∈ N .• τ(e) := ek(Ne) if e is of type encryption key.• τ(s) := sig(sk(M), t, N) if s has earlier been output by β(sig(sk(M), t, N)) for some M,N ∈ N .• τ(s) := sig(sk(M), τ(m), Ns) if s is of type signature and τ(Avkof (s)) = vk(M) for some M ∈ N

and m := Averify(Avkof (s), s) 6= ⊥.

48

• τ(e) := vk(N) if e has earlier been output by β(vk(N)) for some N ∈ N .• τ(e) := vk(Ne) if e is of type verification key.• τ(m) := pair(τ(Afst(m)), τ(Asnd(m))) if m of type pair.• τ(m) := string0(m′) if m is of type payload-string and m′ := Aunstring0 (m) 6= ⊥.• τ(m) := string1(m′) if m is of type payload-string and m′ := Aunstring1

(m) 6= ⊥.• τ(m) := nil if m is of type payload-string and m = Anil().• τ(c) := garbageE (τ(Aekof (c)), N c) if c is of type ciphertext.• τ(s) := garbageSig(τ(Avkof (s)), Ns) if s is of type signature.• τ(m) := garbage(Nm) otherwise.The function ` : T → {0, 1}∗ is defined as `(t) := |β(t)|. Note that `(t) does not depend on the

actual values of rN because of the length-regularity of Aenc , Aek , Adk , Asig , Avk , Ask , Apair , Astring0,

and Astring1. Hence `(t) can be computed without accessing rN .

The faking simulator. The simulator Sim′ is defined exactly like Sim, except that it makes use of anencryption and a signing oracle (these oracles also supply keypairs (ekN , dkN ), resp. (vkN , skN )). Whencomputing β(ek(N)) or β(dk(N)) with N ∈ N , it instructs the encryption oracle to generate a newencryption/decryption key pair (ekN , dkN ) (unless (ekN , dkN ) are already defined) and retrieves ekNor dkN from the oracle, respectively. When computing β(enc(ek(N), t,M)) with N,M ∈ N , instead ofcomputing Aenc(Aek (rN ), β(t), rM ), Sim′ requests the encryption Enc(ekN , β(t)) of β(t) from the encryp-tion oracle (that is, Sim′ has to compute β(t) but does not need to retrieve ekN ). However, the resultingciphertext is stored and when later computing β(enc(ek(N), t,M)) with the same arguments, the storedciphertext is reused. When computing β(enc(ek(Ne), t2,M)) with M ∈ N , Sim′ requests the encryptionEnc(e, β(t)) from Sim′. (In this case, the oracle encrypts β(t) using its own randomness but using theencryption key e provided by Sim′.) When computing τ(c), instead of computing Aenc(Adk (rN ), c), Sim′

invokes the encryption oracle to decrypt c using the decryption key dkN (again, Sim′ does not need toretrieve dkN ).

Similarly, to compute β(vk(N)) or β(sk(N)), Sim′ retrieves keys vkN or skN from the signing ora-cle. To compute β(sig(sk(N), t,M)), Sim′ invokes the signing oracle with message β(t) to get a signa-ture under the signing key skN . However, the resulting signature is stored and when later computingβ(sig(sk(N), t,M)) with the same arguments, the stored ciphertext is reused. Sim′ does not invoke thesigning oracle for verifying signatures, instead Sim′ executes Averify directly (as does Sim).

The simulator Simf is defined like Sim′, except that when computing β(enc(ek(N), t,M)) withN,M ∈ N , instead of invoking the encryption oracle with plaintext β(t), it invokes it with plaintext0`(t). (But in a computation β(enc(ek(Ne), t,M)) with M ∈ N , the simulator Simf still uses β(t) asplaintext.)

Properties of the simulator. We derive several properties of the simulators Sim and Simf that willfinally allow to show that Sim is a good simulator for key-safe protocols. In the following, let Π′ alwaysdenote an key-safe probabilistic CoSP protocol. By construction, Sim, Sim′ and Simf run in polynomialtime.

Lemma 7. The full traces H -TraceM,Πp,Sim and H -TraceM,Πp,Simfare computationally indistinguish-

able.

Proof. Note that the difference between Sim and Sim′ is that the randomness for the key generation, theencryption, and the signing is chosen by the algorithms KeyGen, SKeyGen, Enc, and Sig in Sim′, whileSim uses nonces rN instead. However, from protocol conditions 1, 3, 4, 5, it follows that Sim never usesa given randomness rN twice (note that, since N ∈ R, τ does not access rN either). Hence the full tracesH -TraceM,Πp,Sim and H -TraceM,Πp,Sim′ are indistinguishable.

Note that by definition of τ , Sim′ invokes Dec(dkN , c) only for values c that have not been outputby β(enc(ek(M), t, N)). Thus Dec(dkN , c) is invoked only for values c that have not been output byEnc(ekN , ·). By protocol condition 6, dkN is only used as an argument to Dec. Since |β(t)| = |0`(t)| bydefinition of `, the IND-CCA property of (KeyGen,Enc,Dec) (implementation condition 19) implies thatthe full traces H -TraceM,Πp,Sim′ and H -TraceM,Πp,Simf

are indistinguishable. Using the transitivity ofcomputational indistinguishability, the lemma follows.

Lemma 8. Sim is indistinguishable for M, Π, A, and for every polynomial p.

49

The reader may wonder why the proof of Lemma 8(given below) is so long in our framework, inparticular in view of the fact that many prior works that follow a similar proof idea (e.g., [51, 32, 31]) donot seem to need such a proof step. The answer is these works did indeed depend on a similar fact: Intheir proofs, the protocol constructs bitstrings from terms, and the simulator parses bitstrings, and weneed that parsing a bitstring does indeed yield the original term. This fact is usually implicitly assumedto be true, but when verified in detail , the proof turns out to be very lengthy .

Proof. We will first show that when fixing the randomness of the adversary and the protocol, the nodetrace NodespM,A,Πp,E

in the computational execution and the node trace H -NodesM,Πp,Sim in the hybridexecution are equal. Hence, fix the variables rN for all N ∈ NP , fix a random tape for the adversary,and for each node ν fix a choice eν of an outgoing edge.

We assume that the randomness is chosen such that all bitstrings rN , Aek (rN ), Adk (rN ), Avk (rN ),Ask (rN ), Aenc(e,m, rN ), and sig(s,m, rN ) are all pairwise distinct for all N ∈ N and all bitstrings e oftype encryption key, s of type signing key, and m ∈ {0, 1}∗ that result from some evaluation of β in theexecution.

Note that this is the case with overwhelming probability: For terms of different types this followsfrom implementation condition 5. For keys, this follows from the fact that if two randomly chosenkeys would be equal with non-negligible probability, the adversary could guess secret keys and thusbreak the IND-CCA property or the strong existential unforgeability (implementation conditions 19and 20). For nonces, if two random nonces rN , rM would be equal with non-negligible probability,so would encryption keys Aek (rN ) and Aek (rM ). For encryptions, by implementation condition 21,the probability that Aenc(e,m, rN ) for random rN ∈ Noncesk matches any given string is negligible.Since by protocol condition 5, each Aenc(e,m, rN ) computed by β uses a fresh nonce rN , this impliesthat Aenc(e,m, rN ) equals a previously computed encryption is negligible. Analogously for signatures(implementation condition 22, protocol conditions 5 and 9).

In the following, we designate the values fi and νi in the computational execution by f ′i and ν′i, andin the hybrid execution by fCi and νCi . Let s′i denote the state of the adversary E in the computationalmodel, and sCi the state of the simulated adversary in the hybrid model.Claim 2: In the hybrid execution, for any b ∈ {0, 1}∗, β(τ(b)) = b.

This claim follows by induction over the length of b and by distinguishing the cases in the definitionof τ .Claim 3: In the hybrid execution, for any term t stored at a node ν, β(t) 6= ⊥.

By induction on the structure of t.Claim 4: For all terms t 6∈ R that occur in the hybrid execution, τ(β(t)) = t.

By induction on the structure of t and using the assumption that rN , Aek (rN ), Adk (rN ), Avk (rN ),Ask (rN ), as well as all occuring encryptions and signatures are pairwise distinct for all N ∈ N . Forterms t that contain randomness nonces, note that by protocol condition 5, randomness nonces neveroccur outside the last argument of enc-, sig-, ek -, dk -, vk -, or sk -terms.Claim 5: In the hybrid execution, at any computation node ν = νi with constructor or destructor Fand arguments ν1, . . . , νn the following holds: Let tj be the term stored at node νj (i.e., tj = f ′i(νj)).Then β(evalF (t)) = AF (β(t1), . . . , β(tn)). Here the left hand side is defined iff the right hand side is.

We show Claim 5. We distinguish the following cases:

Case 1: “F = ek”.Note that by protocol condition 1, we have t1 ∈ NP . Then β(ek(t1)) = Aek (rt1) = Aek (β(t1)).

Case 2: “F ∈ {dk , vk , sk}”.Analogous to the case F = ek .

Case 3: “F ∈ {pair , fst , snd , string0, string0, unstring0, unstring1,nil , add , sub,mult , ge, xor}”.Claim 5 follows directly from the definition of β. In particular, for F ∈ {add , sub,mult , ge} andm of type payload-string we have β(ι(m)) = 〈m〉2 ∈ N.

Case 4: “F = isek”.If t1 = ek(t′1), we have that t′1 = N ∈ N or t′1 = Nm where m is of type ciphertext (as othersubterms of the form ek(·) are neither produced by the protocol nor by τ). In both cases, β(ek(t′1))is of type encryption key. Hence β(isek(t1)) = β(ek(t′1)) = Aisek (β(ek(t′1))) = Aisek (β(t1)). If t1 is

50

not of the form ek(·), then β(t1) is not of type public key (this uses that τ only uses Nm with mof type public key inside a term ek(Nm)). Hence β(isek(t1)) = ⊥ = Aisek (β(t1)).

Case 5: “F ∈ {isvk , isenc, issig}”.Similar to the case F = isek .

Case 6: “F = ekof ”.If t1 = enc(ek(u1), u2,M) with M ∈ N , we have that β(t1) = Aenc(β(ek(u1)), β(u2), rM ). Byimplementation condition 8, Aekof (β(t1)) = β(ek(u1)). Furthermore, ekof (t1) = ek(u1), henceAekof (β(t1)) = β(ekof (t1)). If t1 = enc(ek(u1), u2, N

m), by protocol condition 10, t1 was nothonestly generated. Hence, by definition of τ , m is of type ciphertext, and ek(u1) = τ(Aekof (m)).Thus with Claim 2, β(ek(u1)) = Aekof (m). Furthermore, we have β(t1) = m by definition of β andthus Aekof (β(t1)) = β(ek(u1)) = β(ekof (t1)). If t1 = garbageE (u1, u2), the proof is analogous. Inall other cases for t1, β(t1) is not of type ciphertext, hence Aekof (β(t1)) = ⊥ by implementationcondition 8. Furthermore ekof (t1) = ⊥. Thus β(ekof (t1)) = ⊥ = Aekof (β(t1)).

Case 7: “F = vkof ”.If t1 = sig(sk(N), u1,M) with N,M ∈ N , we have that β(t1) = Asig(Ask (rN ), β(u2), rM ). Byimplementation condition 9, Aekof (β(t1)) = Avk (rN ). Furthermore, vkof (t1) = vk(N), henceAvkof (β(t1)) = Avk (rN ) = β(vk(N)) = β(vkof (t1)). All other cases for t1 are handled like in thecase of F = ekof .

Case 8: “F = enc”.By protocol condition 1, t3 =: N ∈ N . If t1 = ek(u1) we have β(enc(t1, t2, t3)) =Aenc(β(t1), β(t2), rN ) by definition of β. Since β(N) = rN , we have β(enc(t1, t2, t3)) =Aenc(β(t1), β(t2), β(t3)). If t1 is not of the form ek(u1), then enc(t1, t2, t3) = ⊥ and by def-inition of β, β(t1) is not of type encryption key and hence by implementation condition 10,β(enc(t1, t2, t3)) = Aek (β(t1), . . . ) = ⊥ = β(enc(t1, t2, t3)).

Case 9: “F = dec”.By protocol condition 7, t1 = dk(N) with N ∈ N . We distinguish the following cases for t2:

Case 9.1: “t2 = enc(ek(N), u2,M) with M ∈ N”.Then Adec(β(t1), β(t2)) = Adec(Adk (rN ), Aenc(Aek (N), β(u2), rM )) = β(u2) by implementa-tion condition 12. Furthermore β(dec(t1, t2)) = β(u2) by definition of dec.

Case 9.2: “t2 = enc(ek(N), u2, Nc)”.

Then t2 was produced by τ and hence c is of type ciphertext and τ(Adec(Adk (rN ), c)) =u2. Then by Claim 2, Adec(Adk (rN ), c) = β(u2) and hence Adec(β(t1), β(t2)) =Adec(Adk (rN ), c) = β(u2) = β(dec(t1, t2)).

Case 9.3: “t2 = enc(u1, u2, u3) with u1 6= ek(N)”.As shown above (case F = ekof ), Aekof (β(enc(u1, u2, u3)) = β(ekof (enc(u1, u2, u3)) = β(u1).Moreover, from Claim 4, Aekof (β(enc(u1, u2, u3)) = β(u1) 6= β(ek(N)) = Aek (rN ). Thusby implementation condition 11, Adec(β(t1), β(t2)) = Adec(Adk (rN ), β(enc(u1, u2, u3))) = ⊥.Furthermore, dec(t1, t2) = ⊥ and thus β(dec(t1, t2)) = ⊥.

Case 9.4: “t2 = garbageE (u1, Nc)”.

Assume that m := Adec(β(t1), β(t2)) = Adec(Ask (rN ), c) 6= ⊥. By implementation condi-tion 11 this implies Aekof (c) = Aek (rN ) and thus τ(Aekof (c)) = τ(Aek (rN )) = ek(N). Byprotocol condition 10, t2 has been produced by τ , i.e., t2 = τ(c). Hence c is of type ci-phertext. Then, however, we would have τ(c) = enc(ek(N), τ(m), N c) 6= t2. This is acontradiction to t2 = τ(c), so the assumption that Adec(β(t1), β(t2)) 6= ⊥ was false. SoAdec(β(t1), β(t2)) = ⊥ = β(⊥) = β(dec(t1, garbageE (u1, N

c))).

Case 9.5: “All other cases”.Then β(t2) is not of type ciphertext. By implementation condition 8, Aekof (β(t2)) = ⊥.Hence Aekof (β(t2)) 6= Aek (rN ) and by implementation condition 11, Adec(β(t1), β(t2)) =Adec(Adk (rN ), β(t2)) = ⊥ = β(dec(t1, t2)).

51

Case 10: “F = sig”.By protocol conditions 9 and 1 we have that t1 = sk(N) and t3 = M with N,M ∈ N . Thenβ(sig(t)) = Asig(Ask (rN ), β(t3), rM ) = Asig(β(sk(N)), β(t2), β(M)) = Asig(β(t1), β(t2), β(t3)).

Case 11: “F = verify”.We distinguish the following subcases:

Case 11.1: “t1 = vk(N) and t2 = sig(sk(N), u2,M) with N,M ∈ N”.Then Averify(β(t1), β(t2)) = Averify(Avk (rN ), Asig(Ask (rN ), β(u2), rM )) (∗)= β(u2) =β(verify(t)) where (∗) uses implementation condition 13.

Case 11.2: “t2 = sig(sk(N), u2,M) and t1 6= vk(N) with N,M ∈ N”.By Claim 4, β(t1) 6= β(vk(N)) Furthermore Averify(β(vk(N)), β(t2)) =Averify(β(t1), Asig(Ask (rN ), β(u2), rM )) (∗)= β(u2) 6= ⊥. Hence with implementation con-dition 14, Averify(β(t1), β(t2)) = ⊥ = β(⊥) = verify(t1, t2).

Case 11.3: “t1 = vk(N) and t2 = sig(sk(N), u2,Ms)”.

Then t2 was produced by τ and hence s is of type signature with τ(Avkof (s)) = vk(N)and m := Averify(Avkof (s), s) 6= ⊥ and u2 = τ(m). Hence with Claim 2 we havem = β(τ(m)) = β(u2) and β(t1) = β(vk(N)) = β(τ(Avkof (s))) = Avkof (s). ThusAverify(β(t1), β(t2)) = Averify(Avkof (s), s) = m = β(u2). And β(verify(t1, t2)) =β(verify(vk(N), sig(sk(N), u2,M

s))) = β(u2).

Case 11.4: “t2 = sig(sk(N), u2,Ms) and t1 6= vk(N)”.

As in the previous case, Averify(Avkof (s), s) 6= ⊥ and β(vk(N)) = Avkof (s). Since t1 6=vk(N), by Claim 4, β(t1) 6= β(vk(N)) = Avkof (s). From implementation condition 14 andAverify(Avkof (s), s) 6= ⊥, we have Averify(β(t1), β(t2)) = Averify(β(t1), s) = ⊥ = β(⊥) =β(verify(t1, t2)).

Case 11.5: “t2 = garbageSig(u1, Ns)”.

Then t2 was produced by τ and hence s is of type signature and either Averify(Avkof (s), s) = ⊥or τ(Avkof (s)) is not of the form vk(. . . ). The latter case only occurs if Avkof (s) = ⊥as otherwise Avkof (s) is of type verification key and hence τ(Avkof (s)) = vk(. . . ). Hencein both cases Averify(Avkof (s), s) = ⊥. If β(t1) = Avkof (s) then Averify(β(t1), β(t2)) =Averify(Avkof (s), s) = ⊥ = β(verify(t1, t2)). If β(t1) 6= Avkof (s) then by implementa-tion condition 14, Averify(β(t1), β(t2)) = Averify(β(t1), s) = ⊥. Thus in both cases, withverify(t1, t2) = ⊥ we have Averify(β(t1), β(t2)) = ⊥ = β(verify(t1, t2)).

Case 11.6: “All other cases”.Then β(t2) is not of type signature, hence by implementation condition 9, Avkof (β(t2)) =⊥, hence β(t1) 6= Avkof (β(t2)), and by implementation condition 14 we haveAverify(β(t1), β(t2)) = ⊥ = β(verify(t1, t2)).

Case 12: “F = equals”.If t1 = t2 we have β(equals(t1, t2)) = β(t1) = Aequals(β(t1), β(t1)) = Aequals(β(t1), β(t2)). Ift1 6= t2, then t1, t2 6∈ R. To see this, let N1 be the node associated with t1. If N1 is a noncecomputation node, then t1 6∈ R follows from protocol conditions 3, 4, and 5. In case N1 is an inputnode, t1 6∈ R follows by definition of τ . Finally, if N1 is a destructor computation node, t1 6∈ Rfollows inductively. (Similarly for t2.) By Claim 4, t1, t2 6∈ R implies β(t1) 6= β(t2) and henceβ(equals(t1, t2)) = ⊥ = Aequals(β(t1), β(t2)) as desired.

Case 13: “F ∈ {garbage, garbageE , garbageSig} ∪NE”.By protocol condition 10, the constructors garbage, garbageE , garbageSig , and N ∈ NE do notoccur in the protocol.

Thus Claim 5 holds.We will now show that for the random choices fixed above, NodespM,A,Πp,E

= H -NodesM,Πp,Sim.To prove this, we show the following invariant: f ′i = β ◦ fCi and ν′i = νCi and si = s′i for all i ≥ 0. We

show this by induction on i.

52

We have f ′0 = fC0 = ∅ and ν′0 = νC0 is the root node, so the invariant is satisfied for i = 0.Assume that the invariant holds for some i. If ν′i is a nondeterministic node, ν′i+1 = νCi+1 is determinedby eν′i = eνCi . Since a nondeterministic node does not modify f and the adversary is not activated,f ′i+1 = f ′i = β ◦ fCi = β ◦ fCi+1 and si = s′i. Hence the invariant holds for i+ 1 if ν′i is a nondeterministicnode.

If ν′i is a computation node with constructor or destructor F , we have that f ′i+1(ν′i) =AF (f ′i(ν1), . . . , f ′i(νn)) = AF (β(fCi (ν1)), . . . , β(fCi (νn))) for some nodes νs depending on the label ofν′i. And fCi+1(ν′i) = fCi+1(νCi ) = evalF (fCi (ν1), . . . , fCi (νn)). From Claim 5 it follows that β(fCi+1(ν′i)) =f ′i+1(ν′i) where the lhs is defined iff the rhs is. Hence β ◦ fCi+1 = f ′i+1.

By Claim 3, β(fCi+1(νCi )) is defined if fCi+1(ν′i) is. Hence fCi+1(νCi ) is defined iff f ′i+1(ν′i) is. If fCi+1(νCi )is defined, then νCi+1 is the yes-successor of νCi and the no-successor otherwise. If f ′i+1(ν′i) is defined,then ν′i+1 is the yes-successor of ν′i = νCi and the no-successor otherwise. Thus νCi+1 = ν′i+1.

The adversary E is not invoked, hence s′i+1 = sCi+1. So the invariant holds for i + 1 if ν′i is acomputation node with a constructor or destructor.

If ν′i is a computation node with nonce N ∈ NP , we have that f ′i+1(ν′i) = rN = β(N) = β(fCi+1(ν′i)).Hence β ◦ fCi+1 = f ′i+1. By Definition 22, the ν′i+1 is the yes-successor of ν′i. Since N ∈ T, νCi+1 is theyes-successor of νCi = ν′i. Thus ν′i+1 = νCi+1. The adversary E is not invoked, hence s′i+1 = sCi+1. So theinvariant holds for i+ 1 if ν′i is a computation node with a nonce.

In the case of a control node, the adversary E in the computational execution and the simulator inthe hybrid execution get the out-metadata l of the node ν′i or νCi , respectively. The simulator passes lon to the simulated adversary. Thus, since s′i = sCi , we have that s′i+1 = sCi+1, and in the computationaland the hybrid execution, E answer with the same in-metadata l′. Thus ν′i+1 = νCi+1. Since a controlnode does not modify f we have f ′i+1 = f ′i = β ◦ fCi = β ◦ fCi+1. Hence the invariant holds for i+ 1 if ν′iis a control node.

In the case of an input node, the adversary E in the computational execution and the simulator inthe hybrid execution is asked for a bitstring m′ or bitstring tC , respectively. The simulator producesthis string by asking the simulated adversary E for a bitstring mC and setting tC := τ(mC). Sinces′i = sCi , m′ = mC . Then by definition of the computational and hybrid executions, f ′i+1(ν′i) = m′ andfCi+1(ν′i) = tC = τ(m′). Thus f ′i+1(ν′i) = m′

(∗)= β(τ(m′)) = β(fCi+1(ν′i)) where (∗) follows from Claim 2.Since f ′i+1 = f ′i and fCi+1 = fC everywhere else, we have f ′i+1 = β ◦ fCi+1. Furthermore, since input nodeshave only one successor, ν′i+1 = νCi+1. Thus the invariant holds for i+ 1 in the case of an input node.

In the case of an output node, the adversary E in the computational execution gets m′ := f ′i(ν1)where the node ν1 depends on the label of ν′i. In the hybrid execution, the simulator gets tC := fCi (ν1)and sends mC := β(tC) to the simulated adversary E. By induction hypothesis we then have m′ = mC ,so the adversary gets the same input in both executions. Thus s′i+1 = sCi+1. Furthermore, since outputnodes have only one successor, ν′i+1 = νCi+1. And f ′i+1 = f ′i and fCi+1 = fC , so f ′i+1 = β ◦ fCi+1. Thus theinvariant holds for i+ 1 in the case of an output node.

From the invariant it follows, that the node trace is the same in both executions.Since random choices with all nonces, keys, encryptions, and signatures being pairwise distinct occur

with overwhelming probability (as discussed above), the node traces of the real and the hybrid executionare indistinguishable.

Lemma 9. In a given step of the hybrid execution with Simf , let S be the set of messages sent from Πc

to Simf . Let u′ ∈ T be the message sent from Simf to Πc in that step. Let C be a context and u ∈ Tsuch that u′ = C[u] and S 0 u and C does not contain a subterm of the form sig(�, ·, ·). (� denotes thehole of the context C.)

Then there exists a term tbad and a context D such that D obeys the following grammar

D ::= � | pair(t,D) | pair(D, t) | enc(ek(N),D,M)| enc(D, t,M) | sig(sk(M),D,M)| garbageE (D,M) | garbageSig(D,M)

with N ∈ NP ,M ∈ NE , t ∈ T

and such that u = D[tbad ] and such that S 0 tbad and such that one of the following holds: tbad ∈ NP ,or tbad = enc(p,m,N) with N ∈ NP , or tbad = sig(k,m,N) with N ∈ NP , or tbad = sig(sk(N),m,M)with N ∈ NP , M ∈ NE or tbad = ek(N) with N ∈ NP , or tbad = vk(N) with N ∈ NP .

53

Proof. We prove the lemma by structural induction on M . We distinguish the following cases:

Case 1: “u = garbage(u1)”.By protocol condition 10 the protocol does not contain garbage-computation nodes. Thus u is notan honestly generated term. Hence it was produced by an invocation τ(m) for some m ∈ {0, 1}∗,and hence u = garbage(Nm). Hence S ` u in contradiction to the premise of the lemma.

Case 2: “u = garbageE (u1, u2)”.By protocol condition 10 the protocol does not contain garbageE -computation nodes. Thus u isnot an honestly generated term. Hence it was produced by an invocation τ(c) for some c ∈ {0, 1}∗,and hence u = garbageE (u1, N

m). Since S ` Nm and S 0 u, we have S 0 u1. Hence by theinduction hypothesis, there exists a subterm tbad of u1 and a context D satisfying the conclusionof the lemma for u1. Then tbad and D′ := garbageE (D, Nm) satisfy the conclusion of the lemmafor u.

Case 3: “u = garbageSig(u1, u2)”.By protocol condition 10 the protocol does not contain garbageSig-computation nodes. Thus u isnot an honestly generated term. Hence it was produced by an invocation τ(c) for some c ∈ {0, 1}∗,and hence u = garbageSig(u1, N

m). Since S ` Nm and S 0 u, we have S 0 u1. Hence by theinduction hypothesis, there exists a subterm tbad of u1 and a context D satisfying the conclusionof the lemma for u1. Then tbad and D′ := garbageSig(D, Nm) satisfy the conclusion of the lemmafor u.

Case 4: “u = dk(u1)”.By protocol condition 6, any dk -computation node occurs only as the first argument of a dec-destructor node. The output of the destructor dec only contains a subterm dk(u1) if its secondargument already contained such a subterm. Hence a term dk(u1) cannot be honestly generated.But subterms of the form dk(·) are not in the range of τ . (Except if dk(·) was given as argumentto a call to β. However, as β is only invoked with terms sent by Πc, this can only occur if dk(·)was honestly generated or produced by τ .) Thus no term sent by Simf contains dk(·). Hence ucannot be a subterm of u′.

Case 5: “u = ek(u1) with u1 /∈ NP ”.By protocol condition 1, the argument of an ek -computation node is an N -computation node withN ∈ NP . Hence u is not honestly generated. Hence it was produced by an invocation τ(e) for somee ∈ {0, 1}∗, and hence u = ek(Ne). Hence S ` u in contradiction to the premise of the lemma.

Case 6: “u = ek(N) with N ∈ NP ”.The conclusion of the lemma is fulfilled with D := � and tbad := u.

Case 7: “u = vk(u1) with u1 /∈ NP ”.By protocol condition 1, the argument of a vk -computation node is an N -computation node withN ∈ NP . Hence u is not honestly generated. Hence it was produced by an invocation τ(e) for somee ∈ {0, 1}∗, and hence u = vk(Ne). Hence S ` u in contradiction to the premise of the lemma.

Case 8: “u = vk(N) with N ∈ NP ”.The conclusion of the lemma is fulfilled with D := � and tbad := u.

Case 9: “u = sk(N)”.Say a subterm sk(N) occurs free in some term t′ if an occurrence of sk(N) in t′ is not the firstargument of a sig-constructor in t′. Since C is not of the form sig(�, ·, ·), we have that u occursfree in u′. However, by protocol condition 8, Πc only sends a free sk(N) if Simf first sends one.And by construction of τ , Simf sends a free sk(N) only if sk(N) was given as an argument to acall to β. And sk(N) is given as an argument to β only if it is sent by Πc. Hence Simf cannothave sent u′ in contradiction to the premise of the lemma.

Case 10: “u = pair(u1, u2)”.Since S 0 u, we have S 0 ui for some i ∈ {1, 2}. Hence by induction hypothesis, there exists asubterm tbad of ui and a context D satisfying the conclusion of the lemma for ui. Then tbad andD′ = pair(D, u2) or D′ = pair(u1,D) satisfy the conclusion of the lemma for u.

54

Case 11: “u = stringi(u1) with i ∈ {0, 1} or u = nil”.Then, since u ∈ T, u contains only the constructors string0, string1,nil . Hence S ` u in contradic-tion to the premise of the lemma.

Case 12: “u ∈ NP ”.The conclusion of the lemma is fulfilled with D := � and tbad := u.

Case 13: “u ∈ NE”.Then S ` u in contradiction to the premise of the lemma.

Case 14: “u = enc(u1, u2, N) with N ∈ NP ”.The conclusion of the lemma is fulfilled with D := � and tbad := u.

Case 15: “u = enc(u1, u2, u3) with S 0 u1 and u3 /∈ NP ”.By protocol condition 1, the third argument of an enc-computation node is a N -computation nodewith N ∈ NP . Hence u is not honestly generated. Hence it was produced by an invocation τ(c) forsome c ∈ {0, 1}∗, and hence u = enc(ek(N), u2, N

c) for some N ∈ NP . Since S 0 u1, by inductionhypothesis, there exists a subterm tbad of u1 = ek(N) and a context D satisfying the conclusion ofthe lemma for ek(N). Then tbad and D′ = enc(D, u2, N

c) satisfy the conclusion of the lemma foru.

Case 16: “u = enc(u1, u2, u3) with S ` u1 and u3 /∈ NP ”.Analogous to the previous case, u = enc(ek(N), u2, N

c) for some N ∈ NP . From S ` u1, S ` N c,and S 0 u we have S 0 u2. Hence by induction hyposthesis, there exists a subterm tbad of u2 anda context D satisfying the conclusion of the lemma for u2. Then tbad and D′ = enc(ek(N),D, N c)satisfy the conclusion of the lemma for u.

Case 17: “u = sig(u1, u2, N) with N ∈ NP ”.The conclusion of the lemma is fulfilled with D := � and tbad := u.

Case 18: “u = sig(sk(N), u2, u3) with u3 /∈ NP and N ∈ NP ”.Since u ∈ T we have u3 ∈ N, hence u3 ∈ NE . The conclusion of the lemma is fulfilled with D := �and tbad := u.

Case 19: “u = sig(u1, u2, u3) with S ` u1 and u3 /∈ NP and u1 is not of the form sk(N) withN ∈ NP ”.By protocol condition 1, the third argument of an enc-computation node is an N -computationnode with N ∈ NP . Hence u is not honestly generated. Hence it was produced by an invocationτ(s) for some s ∈ {0, 1}∗, and hence u = sig(sk(N), u2, N

s) for some N ∈ N. Since u1 is not of theform sk(N) with N ∈ NP , we have N ∈ NE . From S ` u1, S ` N c, and S 0 u we have S 0 u2.Hence by induction hyposthesis, there exists a subterm tbad of u2 and a context D satisfying theconclusion of the lemma for u2. Then Then tbad and D′ = sig(sk(N),D, Ns) satisfy the conclusionof the lemma for u.

Case 20: “u = sig(u1, u2, N) with S 0 u1 and u3 /∈ NP ”.As in the previous case, u = sig(sk(N), u2, N

s) for some N ∈ N. Since S 0 u1, N /∈ NE . HenceN ∈ NP . Thus conclusion of the lemma is fulfilled with D := � and tbad := u.

Lemma 10. For any (direct or recursive) invocation of β(t) performed by Simf , we have that S ` twhere S is the set of all terms sent by Πc to Simf up to that point.

Proof. We perform an induction on the point in time at which β(t) has been invoked. Thus, assume thatLemma 10holds for all invocations before the current invocation β(t). We distinguish two cases: In thefirst case, β(t) is directly invoked by the simulator Simf (not through a recursive invocation). In thiscase, t is a message the simulator received from the protocol, hence t ∈ S and thus S ` t.

In the second case, β(t) has not been directly invoked by Simf . Instead, β(t) has been invoked as asubroutine from a call β(t′) for some term t′. By definition of β, this leaves the following cases for t′:

55

t′ = enc(t, u,M) or t′ = enc(ek(Ne), t,M) or t′ = sig(sk(N), t,M) or t′ = pair(t, u) or t′ = pair(u, t)or t′ = string0 (t) or t′ = string1 (t). Here N,M ∈ N , u ∈ T, and e ∈ {0, 1}∗.

(At the first glance it might seem that we are missing the case t′ = enc(ek(N), t,M) with N,M ∈ Nhere. However, in this case β(t) is not invoked by β(t′) because the simulator Simf uses the plaintext0|`(t)| instead of β(t).)

In all cases except t′ = enc(ek(Ne), t,M), from the definition of ` and the fact that S ` t′, we havethat S ` t. Hence Lemma 10holds in those cases.

In the case t′ = enc(ek(Ne), t,M), we have that S ` Ne since Ne ∈ NE , hence S ` sk(Ne) and thusS ` t. This shows Lemma 10in the remaining case.

Lemma 11. Simf is DY for M and Π.

Proof. Let a1, . . . , an be terms sent by the protocol to Simf . Let u1, . . . , un be the terms sent by Simf

to the protocol. Let Si := {a1, . . . , ai}. If Simf is not DY, then with non-negligible probability thereexists an i such that Si 0 ui. Fix the smallest such i0 and set S := Si0 and u := ui0 . By Lemma 9(withu′ := u and C := �), we have that there is a term tbad and a context D obeying the grammar given inLemma 9and such that u = D[tbad ] and such that S 0 tbad and such that one of the following holds:(a) tbad ∈ NP , or (b) tbad = enc(p,m,N) with N ∈ NP , or (c) tbad = sig(k,m,N) with N ∈ NP ,or (d) tbad = sig(sk(N),m,M) with N ∈ NP , M ∈ NE or (e) tbad = ek(N) with N ∈ NP , or(f) tbad = vk(N) with N ∈ NP .

By construction of the simulator, if the simulator outputs u, we know that the simulated adversaryE has produced a bitstring m such that τ(m) = u = D[tbad ]. By definition of τ , during the computationof τ(m), some recursive invocation of τ has returned tbad . Hence the simulator has computed a bitstringmbad with τ(mbad) = tbad .

We are left to show that such a bitstring mbad can be found only with negligible probability.We distinguish the possible values for tbad (as listed in Lemma 9):

Case 1: “tbad = N ∈ NP ”.By definition of β and using the fact that Simf uses the signing and encryption oracle for allinvocations of β except β(N) that involve rN (such as β(dk(N))), we have that Simf accesses rNonly when computing β(N) and in τ . Since S 0 tbad = N , by Lemma 10we have that β(N) isnever invoked, thus rN is never accessed through β. In τ , rN is only used in comparisons. Moreprecisely, τ(r) checks for all N ∈ N whether r = rN . Such checks do not help in guessing rN sincewhen such a check succeeds, rN has already been guessed. Thus the probability that mbad = rNoccurs as input of τ is negligible.

Case 2: “tbad = enc(p,m,N) with N ∈ NP ”.Then τ(mbad) returns tbad only if mbad was the output of an invocation of β(enc(p,m,N)) =β(tbad). But by Lemma 10, β(tbad) is never invoked, so this case does not occur.

Case 3: “tbad = sig(k,m,N) with N ∈ NP ”.Then τ(mbad) returns tbad only ifmbad was the output of an invocation of β(sig(k,m,N)) = β(tbad).But by Lemma 10, β(tbad) is never invoked, so this case does not occur.

Case 4: “tbad = sig(sk(N),m,M) with N ∈ NP , M ∈ NE”.Then τ(mbad) returns tbad only if mbad was not the output of an invocation of β. In particular,mbad was not produced by the signing oracle. Furthermore, τ(mbad) returns tbad only if mbad

is a valid signature with respect to the verification key vkN . Hence mbad is a valid signaturethat was not produced by the signing oracle. Such a bitstring mbad can only be produced withnegligible probability by E because of the strong existential unforgeability of (SKeyGen,Sig,Verify)(implementation condition 20).

Case 5: “tbad = ek(N) with N ∈ NP ”.Then by Lemma 10, β(ek(N)) is never computed and hence ekN never requested from the en-cryption oracle. Furthermore, from protocol conditions 6 and 3, we have that no term sent byΠc contains dk(N), and all occurrences of N in terms sent by Πc are of the form ek(N). ThusS 0 dk(N). Hence by Lemma 10, β(dk(N)) is never computed and dkN is never requested from theencryption oracle. Furthermore, since S 0 ek(N), for all terms of the form t = enc(ek(N), . . . , . . . ),

56

we have that S 0 t. Thus β(t) is never computed and hence no encryption using ekN is ever re-quested from the encryption oracle. However, decryption queries with respect to dkN may still besent to the encryption oracle. Yet, by implementation condition 11, these will always fail unless theciphertext to be decrypted already satisfies Aekof (m) = ekN , i.e., if ekN has already been guessed.Hence the probability that ekN = mbad occurs as input of τ is negligible.

Case 6: “tbad = vk(N) with N ∈ NP ”.Then by Lemma 10, β(vk(N)) is never computed and hence vkN is never requested from the signingoracle. Furthermore, since S 0 vk(N), we also have S 0 sk(N) and S 0 t for t = sig(sk(N), . . . , . . . ).Thus β(sk(N)) and β(t) never computed and hence neither skN nor a signature with respect toskN is requested from the signing oracle. Hence the probability that vkN = mbad occurs as outputof τ is negligible.

Summarizing, we have shown that if the simulator Simf is not DY, then with non-negligible proba-bility Simf performs the computation τ(mbad), but mbad can only occur with negligible probability asan argument of τ . Hence we have a contradiction to the assumption that Simf is not DY.

Lemma 12. The implementation A (satisfying the implementation conditions given in Section D.4) isa computationally sound implementation of the symbolic model M (defined on Section D.3) for the classof key-safe protocols.

Proof. By Lemma 11, Simf is DY for key-safe protocols. Whether a full trace satisfies the conditionsfrom Definition 27 can be efficiently verified (since ` is efficiently decidable). Hence Lemma 7 impliesthat Sim is DY for key-safe protocol, too. By Lemma 8, Sim is indistinguishable. Hence Sim is a goodsimulator for M, key-safe Π, A, and polynomials p. By Theorem 3, the computational soundness of Afor key-safe protocols follows.

57

References

[1] M. Abadi, M. Baudet, and B. Warinschi. Guessing attacks and the computational soundness ofstatic equivalence. In Proc. 9th International Conference on Foundations of Software Science andComputation Structures (FOSSACS), volume 3921 of LNCS, pages 398–412. Springer, 2006.

[2] M. Abadi and C. Fournet. Mobile values, new names, and secure communication. In Proc. 28thSymposium on Principles of Programming Languages (POPL), pages 104–115. ACM Press, 2001.

[3] M. Abadi and A. D. Gordon. A calculus for cryptographic protocols: The spi calculus. In Proc. 4thACM Conference on Computer and Communications Security, pages 36–47, 1997.

[4] M. Abadi and J. Jurjens. Formal eavesdropping and its computational interpretation. In Proc. 4thInternational Symposium on Theoretical Aspects of Computer Software (TACS), pages 82–94, 2001.

[5] M. Abadi and P. Rogaway. Reconciling two views of cryptography (the computational soundness offormal encryption). Journal of Cryptology, 15(2):103–127, 2002.

[6] P. Adao and C. Fournet. Cryptographically sound implementations for communicating processes.In M. Bugliesi, B. Preneel, V. Sassone, and I. Wegener, editors, Proc. 33rd International Colloquiumon Automata, Languages and Programming (ICALP), volume 4052 of LNCS, pages 83–94. Springer,2006.

[7] M. Backes and D. Hofheinz. How to break and repair a universally composable signature func-tionality. In Proc. 6th Information Security Conference (ISC), volume 3225 of Lecture Notes inComputer Science, pages 61–72. Springer, 2004. Extended version in IACR Cryptology ePrintArchive 2003/240, Sep. 2003, http://eprint.iacr.org/.

[8] M. Backes, D. Hofheinz, and D. Unruh. CoSP: A general framework for computational soundnessproofs. In Proc. 16th ACM Conference on Computer and Communication Security (CCS), pages66–78. ACM Press, November 2009. Preprint on IACR ePrint 2009/080.

[9] M. Backes, C. Hritcu, and M. Maffei. Type-checking zero-knowledge. In Proc. of the 15th ACMconference on Computer and communications security(CCS), pages 357–370, 2008.

[10] M. Backes and B. Pfitzmann. Symmetric encryption in a simulatable Dolev-Yao style cryptographiclibrary. In Proc. 17th IEEE Computer Security Foundations Workshop (CSFW), pages 204–218,2004.

[11] M. Backes and B. Pfitzmann. Limits of the cryptographic realization of Dolev-Yao-style XOR. InProc. 10th European Symposium on Research in Computer Security (ESORICS), volume 3679 ofLNCS, pages 178–196. Springer, 2005.

[12] M. Backes, B. Pfitzmann, and M. Waidner. A composable cryptographic library with nested op-erations (extended abstract). In Proc. 10th ACM Conference on Computer and CommunicationsSecurity, pages 220–230, 2003. Full version in IACR Cryptology ePrint Archive 2003/015, Jan. 2003.

[13] M. Backes, B. Pfitzmann, and M. Waidner. Symmetric authentication within a simulatable crypto-graphic library. In Proc. 8th European Symposium on Research in Computer Security (ESORICS),volume 2808 of LNCS, pages 271–290. Springer, 2003.

[14] M. Backes, B. Pfitzmann, and M. Waidner. The reactive simulatability (RSIM) framework forasynchronous systems. Information and Computation, 205(12):1685–1720, 2007.

[15] M. Backes and D. Unruh. Computational soundness of symbolic zero-knowledge proofs againstactive attackers. In Proc. 20th IEEE Symposium on Computer Security Foundations (CSF), pages255–269. IEEE, 2008.

[16] D. Basin, S. Modersheim, and L. Vigano. OFMC: A symbolic model checker for security protocols.International Journal of Information Security, 2004.

58

[17] M. Baudet, V. Cortier, and S. Kremer. Computationally sound implementations of equational the-ories against passive adversaries. In Proc. 32nd International Colloquium on Automata, Languagesand Programming (ICALP), volume 3580 of LNCS, pages 652–663. Springer, 2005.

[18] A. Ben-David, N. Nisan, and B. Pinkas. FairplayMP: a system for secure multi-party computation.In Proc. of the 15th ACM conference on Computer and communications security(CCS), pages 257–266. ACM, 2008.

[19] J. Bengtson, K. Bhargavan, C. Fournet, A. D. Gordon, and S. Maffeis. Refinement types for secureimplementations. In Proc. 20th IEEE Symposium on Computer Security Foundations (CSF), pages17–32. IEEE Computer Society, 2008.

[20] B. Blanchet. An efficient cryptographic protocol verifier based on Prolog rules. In Proc. 14th IEEEComputer Security Foundations Workshop (CSFW), pages 82–96, 2001.

[21] B. Blanchet, M. Abadi, and C. Fournet. Automated verification of selected equivalences for securityprotocols. Journal of Logic and Algebraic Programming, 75:3–51, 2008.

[22] D. Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryption stan-dard PKCS. In Advances in Cryptology: CRYPTO ’98, volume 1462 of LNCS, pages 1–12. Springer,1998.

[23] P. Bogetoft, D. L. Christensen, I. Damgard, M. Geisler, T. P. Jakobsen, M. Krøigaard, J. D. Nielsen,J. B. Nielsen, K. Nielsen, J. Pagter, M. I. Schwartzbach, and T. Toft. Secure multiparty computationgoes live. In R. Dingledine and P. Golle, editors, Financial Cryptography, volume 5628 of LNCS,pages 325–343. Springer, 2009.

[24] F. Butler, I. Cervesato, A. D. Jaggard, A. Scedrov, and C. Walstad. Formal analysis of kerberos 5.Theoretical Computer Science, 367(1):57–87, 2006.

[25] R. Canetti. Universally composable security: A new paradigm for cryptographic protocols. InProc. 42nd IEEE Symposium on Foundations of Computer Science (FOCS), pages 136–145, 2001.Extended version in Cryptology ePrint Archive, Report 2000/67.

[26] R. Canetti. Universally composable signatures, certification and authorization. Cryptology ePrintArchive, Report 2003/239, http://eprint.iacr.org/, 2004.

[27] R. Canetti and J. Herzog. Universally composable symbolic analysis of mutual authentication andkey exchange protocols. In Proc. 3rd Theory of Cryptography Conference (TCC), volume 3876 ofLNCS, pages 380–403. Springer, 2006.

[28] R. Canetti, Y. Lindell, R. Ostrovsky, and A. Sahai. Universally composable two-party and multi-party secure computation. In Proc. 34th Annual ACM Symposium on Theory of Computing (STOC),pages 494–503, New York, NY, USA, 2002. ACM.

[29] H. Comon-Lundh. About models of security protocols (abstract). In R. Hariharan, M. Mukund,and V. Vinay, editors, Proc. 28th Conference on Foundations of Software Technology and TheoreticalComputer Science (FSTTCS). Schloss Dagstuhl, 2008.

[30] H. Comon-Lundh and V. Cortier. Computational soundness of observational equivalence. In Proc.of the 15th ACM conference on Computer and communications security(CCS), pages 109–118, 2008.

[31] V. Cortier, S. Kremer, R. Kusters, and B. Warinschi. Computationally sound symbolic secrecy inthe presence of hash functions. In Proc. 26th Conference on Foundations of Software Technologyand Theoretical Computer Science (FSTTCS), pages 176–187, 2006.

[32] V. Cortier and B. Warinschi. Computationally sound, automated proofs for security protocols. InProc. 14th European Symposium on Programming (ESOP), pages 157–171, 2005.

[33] A. Datta, A. Derek, J. Mitchell, A. Ramanathan, and A. Scedrov. Games and the impossibilityof realizable ideal functionality. In Proc. 3rd Theory of Cryptography Conference (TCC). Springer,2006.

59

[34] S. Delaune, S. Kremer, and O. Pereira. Simulation based security in the applied pi calculus. InProc. 29th Conference on Foundations of Software Technology and Theoretical Computer Science(FSTTCS), pages 169–180. Schloss Dagstuhl, 2009.

[35] D. E. Denning and G. M. Sacco. Timestamps in key distribution protocols. Commun. ACM,24(8):533–536, 1981.

[36] D. Dolev and A. C. Yao. On the security of public key protocols. IEEE Transactions on InformationTheory, 29(2):198–208, 1983.

[37] S. Even and O. Goldreich. On the security of multi-party ping-pong protocols. In Proc. 24th IEEESymposium on Foundations of Computer Science (FOCS), pages 34–39, 1983.

[38] D. Fisher. Millions of .Net Passport accounts put at risk. eWeek, May 2003.

[39] C. Fournet, A. D. Gordon, and S. Maffeis. A type discipline for authorization in distributed systems.In Proc. 21st IEEE Symposium on Computer Security Foundations (CSF), pages 31–45. IEEE, 2007.

[40] G. Gentzen. Untersuchungen uber das logische Schließen I. Mathematische Zeitschrift, 39(2):176–210, 1934.

[41] J.-Y. Girard, P. Taylor, and Y. Lafont. Proofs and types. Cambridge University Press, 1989.

[42] O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game – or – a completenesstheorem for protocols with honest majority. In Proc. 19th Annual ACM Symposium on Theory ofComputing (STOC), pages 218–229, 1987.

[43] J. Herzog, M. Liskov, and S. Micali. Plaintext awareness via key registration. In Advances inCryptology: CRYPTO 2003, volume 2729 of LNCS, pages 548–564. Springer, 2003.

[44] R. Janvier, Y. Lakhnech, and L. Mazare. Completing the picture: Soundness of formal encryptionin the presence of active adversaries. In Proc. 14th European Symposium on Programming (ESOP),pages 172–185, 2005.

[45] R. Kemmerer, C. Meadows, and J. Millen. Three systems for cryptographic protocol analysis.Journal of Cryptology, 7(2):79–130, 1994.

[46] P. Laud. Semantics and program analysis of computationally secure information flow. In Proc. 10thEuropean Symposium on Programming (ESOP), pages 77–91, 2001.

[47] P. Laud. Symmetric encryption in automatic analyses for confidentiality against active adversaries.In Proc. 25th IEEE Symposium on Security & Privacy, pages 71–85, 2004.

[48] G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Proc. 2ndInternational Conference on Tools and Algorithms for the Construction and Analysis of Systems(TACAS), volume 1055 of LNCS, pages 147–166. Springer, 1996.

[49] D. Malkhi, N. Nisan, B. Pinkas, and Y. Sella. Fairplay - secure two-party computation system. InUSENIX Security Symposium, pages 287–302. USENIX, 2004.

[50] M. Merritt. Cryptographic Protocols. PhD thesis, Georgia Institute of Technology, 1983.

[51] D. Micciancio and B. Warinschi. Soundness of formal encryption in the presence of active adversaries.In Proc. 1st Theory of Cryptography Conference (TCC), volume 2951 of LNCS, pages 133–151.Springer, 2004.

[52] R. Needham and M. Schroeder. Using encryption for authentication in large networks of computers.Commun. ACM, 12(21):993–999, 1978.

[53] J. D. Nielsen. Languages for Secure Multiparty Computation and Towards Strongly Typed Macros.PhD thesis, Department of Computer Science, University of Aarhus, Denmark, 2009.

60

[54] L. Paulson. The inductive approach to verifying cryptographic protocols. Journal of Cryptology,6(1):85–128, 1998.

[55] S. Schneider. Security properties and CSP. In Proc. 17th IEEE Symposium on Security & Privacy,pages 174–187, 1996.

[56] C. Sprenger, M. Backes, D. Basin, B. Pfitzmann, and M. Waidner. Cryptographically sound theoremproving. In Proc. 19th IEEE Computer Security Foundations Workshop (CSFW), pages 153–166,2006.

[57] D. Wagner and B. Schneier. Analysis of the SSL 3.0 protocol. In Proc. 2nd USENIX Workshop onElectronic Commerce, pages 29–40, 1996.

[58] A. C. Yao. Protocols for secure computations. In Proc. 23rd IEEE Symposium on Foundations ofComputer Science (FOCS), pages 160–164, 1982.

61