Amortizing Secure Computation with Penalties

ABSTRACT

Motivated by the impossibility of achieving fairness in secure computation [Cleve, STOC 1986], recent works study a model of fairness in which an adversarial party that aborts on receiving output is forced to pay a mutually predefined monetary penalty to every other party that did not receive the output. These works show how to design protocols for secure computation with penalties that guarantee that either fairness is guaranteed or that each honest party obtains a monetary penalty from the adversary. Protocols for this task are typically designed in a hybrid model where parties have access to a claim-or-refund transaction functionality denoted $F_{CR}$. In this work, we obtain improvements on the efficiency of these constructions by amortizing the cost over multiple executions of secure computation with penalties. More precisely, for computational security parameter $\lambda$, we design a protocol that implements $\ell = \mathrm{poly}(\lambda)$ instances of secure computation with penalties where the total number of calls to $F_{CR}$ is independent of $\ell$.

Keywords: Secure computation, fairness, Bitcoin, amortization.

1. INTRODUCTION

Protocols for secure multiparty computation [26, 13, 7, 9] allow a set of mutually distrusting parties to carry out a distributed computation without compromising on privacy of inputs or correctness of the end result. Despite being a powerful tool, it is known that secure computation protocols do not provide fairness or guaranteed output delivery when a majority of the parties are dishonest [10] (footnote 1). Addressing this deficiency is critical if secure computation is to be widely adopted in practice, especially given the current interest in practical secure computation. Several workarounds have been proposed in the literature to counter adversaries that may decide to abort, possibly depending on the outcome of the protocol (see [24, 3, 21, 15]).
In this work, we are interested in the workaround proposed in [22, 21, 6] where an adversarial party that aborts on receiving output is forced to pay a mutually predefined monetary penalty to every other party that did not receive the output. In practice, such mechanisms would be effective if the compensation amount is rightly defined. While the original works [22, 21, 6] depended on e-cash systems, recent works [4, 2, 8, 18, 1, 19, 16] have shown how to use a decentralized digital currency (like Bitcoin) to design protocols for secure computation in the penalty model. In this work, we propose major improvements to the efficiency of protocols for secure computation with penalties by amortizing the cost over multiple executions (effectively making the amortized on-chain cost zero). To better explain our contributions, we first discuss the model, efficiency metrics, settings, and the efficiency of state-of-the-art protocols.

Footnote 1: Fairness guarantees that if one party receives output then all parties receive output. Guaranteed output delivery ensures that an adversary cannot prevent the honest parties from computing the function.

Claim-or-refund transaction functionality. In [8, 19], protocols for secure computation with penalties are designed in a hybrid model where parties have access to an ideal transaction functionality called the claim-or-refund transaction functionality [8, 5, 23].
This functionality, denoted as $F_{CR}$, takes care of handling money/coins and allows protocols to be designed independently of the Bitcoin ecosystem. In a nutshell, $F_{CR}$ implements the following functionality: (1) it accepts a deposit of $\mathrm{coins}(q)$, a Boolean circuit $\phi$ and a time-limit $\tau$ from a designated sender $S$; and (2) waits until time $\tau$ to get a witness $w$ from a designated receiver $R$ such that $\phi(w) = 1$; and (3) if such a witness was received within time $\tau$ transfers $\mathrm{coins}(q)$ to $R$; (4) else returns $\mathrm{coins}(q)$ back to $S$. Three features of $F_{CR}$ explain its importance: (1) $F_{CR}$ can be very efficiently implemented in Bitcoin [8, 5, 23], and (2) $F_{CR}$ provides an abstraction which makes protocols designed in the $F_{CR}$-hybrid model robust to changes in the Bitcoin architecture, and (3) $F_{CR}$ is complete for secure computation with penalties. Protocols for secure computation with penalties designed in the $F_{CR}$-hybrid model work as long as $F_{CR}$ is implemented. Such an implementation need not be tied to Bitcoin, i.e., Bank of America, Paypal, etc. could, in principle, support $F_{CR}$ transactions. Each of the latter provides services by relying on its own network for providing consistency of its ledger and at this level, the underlying mechanics is not very different from Bitcoin.

Capturing the cost of secure computation with penalties. A protocol for secure computation with penalties typically involves a sequence of $F_{CR}$ deposits. Thus the costs of such protocols can be captured in a variety of ways such as (1) the total number of calls to $F_{CR}$, (2) the maximum/total deposits made to $F_{CR}$ in the sequence of deposits, and the complexity of the parameters, specifically (3) the maximum/total size of Boolean circuits $\phi$ employed in the sequence and (4) the maximum value of time-limit $\tau$ used in the sequence. To realize $F_{CR}$ in Bitcoin, we need at least one Bitcoin transaction to be broadcasted by the sender [8, 5, 23]. Thus, the number of calls to $F_{CR}$ captures the number of Bitcoin transactions that need to be broadcasted to and supported by the Bitcoin network. The deposits made to $F_{CR}$ capture the amount of funds that need to be locked up in Bitcoin transactions during the course of the protocol. The size of the Boolean circuit $\phi$ used in an $F_{CR}$ transaction captures the amount of time miners need to spend to validate that $F_{CR}$ transaction, and consequently captures the load on the network for verifying transactions. Additionally, Bitcoin transactions currently offer limited support for Bitcoin scripts (essentially the circuit $\phi$). While this is expected to improve in the future (and other alt-coins like Ethereum already offer generous support for scripts), the size of the Boolean circuit does a good job in capturing the complexity of the scripts that Bitcoin needs to support secure computation with penalties. We denote the total size of the Boolean scripts (i.e., Bitcoin scripts) used in our protocols as the script complexity of the protocol. Finally, the maximum value of the time-limit used in the sequence of $F_{CR}$ deposits captures the round complexity of the protocol.

Sometimes we make a distinction between on-chain round complexity and off-chain round complexity. This distinction is expected to yield a tighter grip on the efficiency of the protocol. The on-chain round complexity refers to the number of sequential transactions that need to be made on the blockchain. Since the time taken to confirm a transaction on the blockchain today is about 1 hour, an on-chain round complexity of $s$ implies that the protocol will take at least $s$ hours to complete. The off-chain round complexity refers to the standard metric of round complexity used in traditional MPC protocols. Note that an off-chain round typically takes less than a few seconds to complete. Thus, we believe that for a fair comparison this distinction needs to be made.

Our contributions. We show how to amortize the cost of secure computation with penalties. Let $\lambda$ be a computational security parameter. Then for $\ell = \mathrm{poly}(\lambda)$ we show how $\ell$ sequential instances of an $n$-party non-reactive (resp.
reactive) secure computation with penalties can be realized with the same on-chain cost of a single execution in [8] (resp. [19]). Since the on-chain latency is typically very high and the on-chain costs capture the load on the Bitcoin network, we believe that our results deliver major improvements to the efficiency of secure computation with penalties and make it easier to envision practical implementations on the Bitcoin network (or other networks). Finally, in our protocols neither the parameter $\ell$ nor the sequence of possibly different functions that need to be evaluated need to be known in advance. (For the reactive case, an upper bound on the transcript and rounds need to be known in advance.)

Technical overview and differences from prior work. The main difference from prior work is that we reuse a single initial set of $F_{CR}$ deposits for multiple instances of secure computation with penalties. That is, parties make an initial set of $F_{CR}$ deposits first, then locally execute secure computation protocols, and whenever there is an abort in the local execution, they have recourse to the $F_{CR}$ deposits in order to get penalties. That is, in an optimistic setting where all parties follow the protocol, the initial set of $F_{CR}$ deposits remain untouched throughout the $\ell$ local executions. In the general case, the initial set of $F_{CR}$ deposits will be claimed when an abort occurs in one of the local executions.

To make things simple, we divide the implementation of $\ell$ instances into three stages: (1) the master setup and deposit phase, (2.1) a local setup phase for each execution, (2.2) a local exchange phase for each execution, and (3) the master claim phase. In the master setup and deposit phase, parties run an unfair standard secure computation protocol that helps specify the Boolean circuits required for the initial $F_{CR}$ deposits, following which parties make these $F_{CR}$ deposits, referred to as the master deposits. Note that parties do not yet know the inputs of any of the instances of secure computation with penalties and thus all they supply to the master setup phase is simply randomness.
Consequently, the Boolean circuits in the $F_{CR}$ deposits will also be independent of the inputs/outputs of the $\ell$ executions. This is one of the fundamental differences between the previous protocols [8, 19, 20] and ours. For example in the non-reactive protocols of [8, 20], the Boolean circuits in the $F_{CR}$ deposits are commitments on the secret shares of the final output. That is, the function evaluation occurs first even before the $F_{CR}$ deposits are made. On the other hand, in our case, there are multiple function evaluations and the master deposits are made before any of the function evaluations begin. Further, the master deposits will need to allow honest parties to obtain penalties in case any of the function evaluation instances are aborted by the adversary. Our approach can be applied to the setting of [8, 19, 20] by setting $\ell = 1$.

By performing the master deposits before the function evaluation, our approach surprisingly makes the security analysis easier. In particular, we no longer need to worry about aborts that happen during the deposit phase. Even better, all the master deposits can be made simultaneously, i.e., in $O(1)$ on-chain rounds, unlike prior protocols where the deposit phase required $O(n)$ on-chain rounds. Also, in an optimistic setting where all parties behave honestly, the master claim phase (described later) can also be made simultaneously, i.e., in $O(1)$ on-chain rounds.

Once all the master deposits have been made, parties sequentially perform the local executions. At the beginning of each local execution, parties run an unfair standard secure computation protocol specified in the local setup phase. The objective of this phase is to set things up in a way such that penalties can be obtained from the parties in case of aborts. Following this, parties enter the local exchange phase for that execution, where they exchange messages that reveal the output of that execution. Note that these phases are carried out without relying on $F_{CR}$. It is only when there is an abort in any of these phases, do parties enter the master claim phase where they try to claim these deposits.
We describe the three phases in more detail.

Master setup and deposit phase. In this phase, parties run a secure computation protocol that implements the following functionality: (1) run the key generation algorithm of a signature scheme to generate (mvk, msk), (2) secret share msk among all parties, and output mvk to all parties. We refer to (mvk, msk) as the master keys. Note that msk is unknown to the adversary. Following the secure computation protocol, parties make a series of $F_{CR}$ deposits. These are the master deposits. The Boolean circuits used in these deposits perform two checks: first, they check for one or more messages each of which contains a signature that verifies against the master verification key mvk, and second, they check that the messages obey a certain structural relation between them. The structural relation is necessary to ensure that the honest parties obtain penalties if a local execution was aborted. More on this later. Curiously, the sequence of $F_{CR}$ deposits in the master deposit phase is identical to the see-saw deposits of [19] in both the non-reactive and reactive cases. Of course, as explained above, we will be using different (more complicated) scripts in each $F_{CR}$ deposit.

Local execution phase. In this overview, we will focus only on handling the non-reactive case. In the $k$-th local setup phase (for $k \in [\ell]$), parties run a secure computation protocol that evaluates the function $f_k$ on inputs provided by the parties, and then secret shares the output among the parties. The secret shares of the outputs are authenticated twice: once under the msk and once under a local signing key that is generated inside this MPC. Note that to authenticate the output secret shares under msk, the parties will need to provide the secret shares of msk to the MPC. Neither the msk nor the local signing key will be revealed to the parties. Also, the messages that are signed aren't simply output secret shares but will include the execution number $k$ and the identity of the party. That is, if $s_i$ is the $i$-th output secret share, then signatures under msk and the local signing key will be computed on the message $(i, k, s_i)$. Furthermore, the setup phase will also produce signatures under msk on messages of the form $(j, i, k)$ where $j, i \in [n]$ (footnote 2). These are referred to as the lock witnesses. Another caveat is that we require the MPC of the local setup phase to deliver outputs in a particular order. This specific ordering, the use of lock witnesses, and the structure of the messages containing the secret shares all will be important ideas that will ensure that the honest parties get compensated in the event of aborts.

Following the $k$-th local setup phase, parties enter the $k$-th local exchange phase in which parties broadcast the output shares along with the authentication under the local signing key to all parties. Again, we will require a specific ordering in which the parties perform broadcasts. If all parties behave honestly, then parties will obtain the output of the $k$-th local execution, and will proceed to the next execution, and so on. If there was an abort in either the local setup phase or the local exchange phase, parties enter the master claim phase and do not engage in any further local executions. Note that signatures under msk are never revealed during the local executions; they will be revealed only during the claim of the master deposits in the master claim phase.

Master claim phase. In this phase, the parties will take turns to claim master deposits. The objective of this phase is to ensure that if a local execution was aborted mid-way, then either this local execution is continued to its completion in this phase, or else guarantee that the honest parties obtain penalties. An important attack to defend against is one where the adversary replays messages from an older execution.
Such an attack would end up allowing the adversary to claim all the master deposits it is required to claim thereby the adversary does not pay penalties to honest parties. Furthermore, it ensures that the most recent local execution remains aborted and only the adversary learns the output of that execution. Such attacks are taken care of (1) by the use of signatures under the master signing keys that will be revealed only in the master claim phase, and (2) by imposing certain conditions on the structural relations between the messages used in the claim of a master deposit. Claiming a master deposit involves revealing a partial transcript containing, say the first $j$ output secret share messages that are of the form $(i, k, *)$ for all $i \in [j]$ and for some specific value $k \in [\ell]$ (footnote 3). The messages of this form alone are not sufficient to claim the deposit; one has to produce the corresponding signatures under msk as well. By imposing such conditions, namely that $j$ signatures on messages $(1, k, *), \ldots, (j, k, *)$ are required to claim a deposit, we can ensure that the current local execution is continued. Signatures under msk on messages of the form $(i, *, *)$ will be revealed by honest $P_i$ for a unique value $k$ (typically the most recent local execution). This in turn will ensure that the $k$-th local execution is continued in the master claim phase. Of course, were the adversary to abort in the master claim phase as well, we will show that this would result in all honest parties obtaining the necessary penalty.

Footnote 2: To avoid clutter in our presentation, we assume that the messages of the form $(i, k, s_i)$ and $(j, i, k)$ are padded appropriately so that signatures on messages of one form cannot be trivially used to forge signatures on messages of the other form.

Footnote 3: We often use * as the wildcard character.

Important caveats. Note that the penalties can be obtained only at the end of the master claim phase. The time-limits on the master deposits will typically be high in order to let all the $\ell$ executions finish. Suppose the very first execution was aborted by the adversary.
Then the funds of the honest parties will remain locked up until the time-limit on the master deposit expires. We note that for the single instance case, i.e., $\ell = 1$, more efficient protocols are presented in [20]. Unfortunately, we were not able to take advantage of the techniques in their work. Finally, our protocols can also improve the efficiency of protocols for secure cash distribution with penalties considered in [2, 19]. While our protocols may be used to implement the protocol part of the construction in [19], the cash distribution part will require fresh deposits per execution. Still, we believe that the best venues for our results will be in applications such as poker where repeated executions among the same set of parties are likely.

Notes about the $F_{CR}$-hybrid model. While the $F_{CR}$-hybrid model is Bitcoin-inspired, it is Bitcoin-independent. Currently, there are several important limitations about implementing $F_{CR}$ in Bitcoin. For instance, the scripts that can go inside a Bitcoin transaction (specifically, the value $\phi$ in an $F_{CR}$ transaction) are very limited; not all scripts are currently supported. There are also ongoing issues about malleability of transactions and how it affects $F_{CR}$ implementation (see discussion in []). Newer and simpler implementations of $F_{CR}$, namely via OP_CHECKLOCKTIMEVERIFY, have been suggested and accepted. The bottom line is that the Bitcoin code is highly volatile. This is the main reason why we follow the model in [8, 18, 19] and work in an idealized model (i.e., by abstracting the $F_{CR}$ transaction as an ideal functionality) with the hope of providing techniques and results that are resistant to the frequent changes to the Bitcoin code. Furthermore, since the limitations in the Bitcoin realization are by no means fundamental (as evidenced by Ethereum that proposes to realize all types of transaction functionalities), our constructions also have practical value both in the Bitcoin system and also elsewhere.
To summarize, our results on secure computation with penalties work on Bitcoin (or an alt-coin or using a bank/trusted party) as long as the underlying $F_{CR}$ transactions are implementable in Bitcoin (or the corresponding alt-coin or a bank/trusted party). At least one alt-coin, namely Ethereum, supports programmable contracts with no limitations on scripts and thus can be used to implement our protocols.

Related work. We discussed the relation between our work and the works of [8, 19, 20] that are also in the $F_{CR}$ model. The works of [4, 5] construct 2-party lottery protocols using Bitcoin scripts which essentially implement $F_{CR}$. Other notable works which are not in the $F_{CR}$ model include the works of [2, 1, 17, 16, 18]. The works of [17, 16] use a more powerful transaction functionality which implements a blockchain to implement smart contracts and fair secure computation (under the penalties notion). We wish to emphasize that protocols constructed in the $F_{CR}$-hybrid model can be easily cast into protocols in any of the above models. Also, we make an explicit distinction between the off-chain costs and the on-chain costs which is not always captured in other works. For instance, in Ethereum, the entire smart contract (or the function) is put on the blockchain, and in a naïve construction, every miner is involved in the computation of the function as well as the state changes associated with executing the contract. These are exactly the type of burdens on the miners that we are trying to relieve via use of (possibly expensive) off-chain mechanisms (e.g., secure computation). The works of [25, 11] are concerned with the establishment of a payment channel to allow parties to do an unbounded number of money transfers without burdening the blockchain. Their work does not consider the problem of doing an unbounded number of fair exchanges (or secure computation with penalties) without burdening the blockchain.

2. PRELIMINARIES

A function $\mu(\cdot)$ is negligible in $\lambda$ if for every positive polynomial $p(\cdot)$ and all sufficiently large $\lambda$'s it holds that $\mu(\lambda) < 1/p(\lambda)$. A probability ensemble $X = \{X(a, \lambda)\}_{a \in \{0,1\}^*, \lambda \in \mathbb{N}}$ is an infinite sequence of random variables indexed by $a$ and $\lambda \in \mathbb{N}$. Two distribution ensembles $X = \{X(a, \lambda)\}_{\lambda \in \mathbb{N}}$ and $Y = \{Y(a, \lambda)\}_{\lambda \in \mathbb{N}}$ are said to be computationally indistinguishable, denoted $X \stackrel{c}{\equiv} Y$, if for every non-uniform polynomial-time algorithm $D$ there exists a negligible function $\mu(\cdot)$ such that for every $a \in \{0,1\}^*$,

$$\left| \Pr[D(X(a, \lambda)) = 1] - \Pr[D(Y(a, \lambda)) = 1] \right| \le \mu(\lambda).$$

All parties are assumed to run in time polynomial in the security parameter $\lambda$. We prove security in the secure computation with coins (SCC) model proposed in [8]. Note that the main difference from standard definitions of secure computation [12] is that now the view of $Z$ contains the distribution of coins. Let $\mathrm{IDEAL}_{f,S,Z}(\lambda, z)$ denote the output of environment $Z$ initialized with input $z$ after interacting in the ideal process with ideal process adversary $S$ and (standard or special) ideal functionality $G_f$ on security parameter $\lambda$. Recall that our protocols will be run in a hybrid model where parties will have access to a (standard or special) ideal functionality $G_g$. We denote the output of $Z$ after interacting in an execution of $\pi$ in such a model with $A$ by $\mathrm{HYBRID}^{g}_{\pi,A,Z}(\lambda, z)$, where $z$ denotes $Z$'s input. We are now ready to define what it means for a protocol to SCC realize a functionality.

DEFINITION 1. Let $n \in \mathbb{N}$. Let $\pi$ be a probabilistic polynomial-time $n$-party protocol and let $G_f$ be a probabilistic polynomial-time $n$-party (standard or special) ideal functionality. We say that $\pi$ SCC realizes $G_f$ with abort in the $G_g$-hybrid model (where $G_g$ is a standard or a special ideal functionality) if for every non-uniform probabilistic polynomial-time adversary $A$ attacking $\pi$ there exists a non-uniform probabilistic polynomial-time adversary $S$ for the ideal model such that for every non-uniform probabilistic polynomial-time adversary $Z$,

$$\{\mathrm{IDEAL}_{f,S,Z}(\lambda, z)\}_{\lambda \in \mathbb{N}, z \in \{0,1\}^*} \stackrel{c}{\equiv} \{\mathrm{HYBRID}^{g}_{\pi,A,Z}(\lambda, z)\}_{\lambda \in \mathbb{N}, z \in \{0,1\}^*}.$$

DEFINITION 2. Let $\pi$ be a protocol and $f$ be a multiparty functionality. We say that $\pi$ securely computes $f$ with penalties if $\pi$ SCC-realizes the functionality $F_f$ according to Definition 1.

Throughout this paper, we deal only with static adversaries and impose no restrictions on the number of parties that can be corrupted. Our schemes also make use of a digital signature scheme which we denote as (SigKeyGen, SigSign, SigVerify) [14].

2.1 Ideal Functionalities

Secure function evaluation with ordered output delivery. In our protocols, we ask parties to run secure computation protocols that deliver output in a certain order. (Note that standard secure computation protocols do not guarantee fairness in the presence of a dishonest majority.) Such protocols can be obtained easily by tweaking existing MPC protocols in the following way. First, the function is evaluated on the inputs to produce, say $n$ outputs $z_1, \ldots, z_n$. Each $z_i$ is then secret shared among the parties. Once the outputs are delivered to the parties, they then proceed to reconstruct the actual outputs in order. That is, in the first reconstruction phase, all parties broadcast their shares of $z_1$. At the end of this phase, $P_1$ obtains $z_1$. Then parties broadcast their shares of $z_2$ in the next phase and so on. Our protocols typically involve sending the outputs in reverse order. The actual order is slightly more complicated, but the idea above can be trivially generalized to accommodate our needs.

For clarity, we present the generalized definition of the functionality in Figure 1. The values $\chi_j$ specify the index of the party that is supposed to receive the output in the $j$-th phase. That is, in phase $j$, party $P_{\chi_j}$ receives the output $z_j$. Note that $n' > n$ is possible. In our protocols we will need $n' = O(n^2)$ but simple round reduction techniques can be applied to implement the desired functionality in $O(n)$ rounds. Note that the protocol realizing $F_f^{ord}$ does not guarantee fairness.

Notation: session identifier $sid$, an $n$-input, $n'$-output function $f$, a hard-coded ordering of outputs $\chi = (\chi_1, \ldots, \chi_{n'})$, parties $P_1, \ldots, P_n$, adversary $S$ that corrupts parties $\{P_s\}_{s \in C}$, set $H = [n] \setminus C$.

INPUT PHASE: Wait to receive a message $(\mathrm{input}, sid, ssid, r, y_r)$ from $P_r$ for all $r \in H$. Wait to receive a message $(\mathrm{input}, sid, ssid, s, \{y_s\}_{s \in C})$ from $S$.

OUTPUT DELIVERY: Compute $((\chi_1, z_1), \ldots, (\chi_{n'}, z_{n'})) \leftarrow f(y_1, \ldots, y_n)$. For $j \in [n']$, sequentially do: send $(\mathrm{output}, sid, ssid, z_j)$ to $P_{\chi_j}$. If $\chi_j \in C$, then: If $S$ sends $(\mathrm{abort}, sid, ssid)$, send $(\mathrm{output}, sid, ssid, \bot)$ to $P_r$ for $r \in H$.

Figure 1: The ideal functionality $F_f^{ord}$ enforcing ordered delivery of output.

Claim-or-refund transaction functionality $F_{CR}$ [8, 5, 23]. At a high level, $F_{CR}$ allows a sender $P_s$ to conditionally send $\mathrm{coins}(x)$ to a receiver $P_r$. The condition is formalized as the revelation of a satisfying assignment (i.e., witness) for a sender-specified circuit $\phi_{s,r}(\cdot\,; z)$ (i.e., relation) that may depend on some public input $z$. Further, there is a time bound, formalized as a round number $\tau$, within which $P_r$ has to act in order to claim the coins. An important property that we wish to stress is that the satisfying witness is made public by $F_{CR}$. Any cryptocurrency that supports time-dependent scripts can be used to realize $F_{CR}$. Earlier Bitcoin implementations of $F_{CR}$ were given in [8, 5, 23]. In a Bitcoin realization of $F_{CR}$, sending a message with $\mathrm{coins}(x)$ corresponds to broadcasting a transaction to the Bitcoin network, and waiting according to some time parameter until there is enough confidence that the transaction will not be reversed. We denote an $F_{CR}$ transaction where sender $P_s$ asks receiver $P_r$ for a witness for a predicate $\phi$ in exchange for $\mathrm{coins}(q)$ with deadline $\tau$ by:

$$P_s \xrightarrow[\;q,\,\tau\;]{\;\phi\;} P_r$$

Next, we define an important metric of protocols that involve a sequence of $F_{CR}$ deposits called the script complexity. This metric captures the load on the Bitcoin network for verifying the $F_{CR}$ transactions.

DEFINITION 3 (SCRIPT COMPLEXITY [18]). Let $\Pi$ be a protocol among $P_1, \ldots, P_n$ in the $F_{CR}$-hybrid model. For circuit $\phi$, let $|\phi|$ denote its circuit complexity. For a given execution of $\Pi$ starting from a particular initialization $\Omega$ of parties' inputs and random tapes and distribution of coins, let $V_{\Pi,\Omega}$ denote the sum of all $|\phi|$ such that some honest party claimed an $F_{CR}$ transaction by producing a witness for $\phi$ during an execution of $\Pi$. Then the script complexity of $\Pi$, denoted $V_\Pi$, equals $\max_\Omega (V_{\Pi,\Omega})$.

$F_{CR}$ with session identifier $sid$, running with parties $P_1, \ldots, P_n$, a parameter $1^\lambda$, and an ideal adversary $S$ proceeds as follows:

Deposit phase. Upon receiving the tuple $(\mathrm{deposit}, sid, ssid, s, r, \phi_{s,r}, \tau, \mathrm{coins}(x))$ from $P_s$, record the message $(\mathrm{deposit}, sid, ssid, s, r, \phi_{s,r}, \tau, x)$ and send it to all parties. Ignore any future deposit messages with the same $ssid$ from $P_s$ to $P_r$.

Claim phase. Until time $\tau$: upon receiving $(\mathrm{claim}, sid, ssid, s, r, \phi_{s,r}, \tau, x, w)$ from $P_r$, check if (1) a tuple $(\mathrm{deposit}, sid, ssid, s, r, \phi_{s,r}, \tau, x)$ was recorded, and (2) if $\phi_{s,r}(w) = 1$. If both checks pass, send $(\mathrm{claim}, sid, ssid, s, r, \phi_{s,r}, \tau, x, w)$ to all parties, send $(\mathrm{claim}, sid, ssid, s, r, \phi_{s,r}, \tau, \mathrm{coins}(x))$ to $P_r$, and delete the record $(\mathrm{deposit}, sid, ssid, s, r, \phi_{s,r}, \tau, x)$.

Refund phase. After time $\tau$: if the record $(\mathrm{deposit}, sid, ssid, s, r, \phi_{s,r}, \tau, x)$ was not deleted, then send $(\mathrm{refund}, sid, ssid, s, r, \phi_{s,r}, \tau, \mathrm{coins}(x))$ to $P_s$, delete record $(\mathrm{deposit}, sid, ssid, s, r, \phi_{s,r}, \tau, x)$.

Figure 2: The special ideal functionality $F_{CR}$.

Notation: session identifier $sid$, parties $P_1, \ldots, P_n$, adversary $S$ that corrupts $\{P_s\}_{s \in C}$, safety deposit $d$, penalty amount $q$, a time-limit $\tau$, set $H = [n] \setminus C$.

DEPOSIT PHASE: Initialize $flg = \bot$. Wait to get message $(\mathrm{setup}, sid, ssid, i, \mathrm{coins}(d))$ from $P_i$ for all $i \in H$. Then wait to get message $(\mathrm{setup}, sid, ssid, \mathrm{coins}(hq))$ from $S$ where $h = |H|$.

EXECUTION PHASE: Set $flg = 0$. For $k = 1, \ldots,$ sequentially do:
Wait to receive a message $(\mathrm{input}, sid, ssid_k, i, x_i^{(k)}, f_k)$ from $P_i$ for all $i \in H$. Send $(\mathrm{function}, sid, ssid_k, f_k)$ to all parties.
Wait until time $\tau$ to receive a message $(\mathrm{input}, sid, ssid_k, \{x_s^{(k)}\}_{s \in C}, f_k)$ from $S$. If no such message was received within time $\tau$, then go to the claim phase.
Compute $(z_1^{(k)}, \ldots, z_n^{(k)}) \leftarrow f_k(x_1^{(k)}, \ldots, x_n^{(k)})$.
Send message $(\mathrm{output}, sid, ssid_k, \{z_s^{(k)}\}_{s \in C})$ to $S$.
If $S$ returns $(\mathrm{continue}, sid, ssid)$, then send $(\mathrm{output}, sid, ssid_k, z_i^{(k)})$ to each $P_i$.
Else if $S$ returns $(\mathrm{abort}, sid, ssid)$, update $flg = 1$, and go to the claim phase.

CLAIM PHASE: At time $\tau$, do:
If $flg = 0$ or $\bot$, send $(\mathrm{return}, sid, ssid, \mathrm{coins}(d))$ to all $P_r$ for $r \in H$.
If $flg = 0$, send $(\mathrm{return}, sid, ssid, \mathrm{coins}(hq))$ to $S$.
Else if $flg = 1$, send $(\mathrm{penalty}, sid, ssid, \mathrm{coins}(d + q + q_i))$ to $P_i$ for all $i \in H$ where $q_i = 0$ unless $S$ sent a message $(\mathrm{extra}, sid, ssid, \{q_i\}_{i \in H}, \sum_{i \in H} \mathrm{coins}(q_i))$.

Figure 3: Special ideal functionality $F_{MSFE}$ for multiple sequential SFE with penalties.

Secure computation with penalties: multiple executions. We now present the functionality $F_{MSFE}$ which we wish to realize. Recall that secure computation with penalties guarantees the following. An honest party never has to pay any penalty. If a party aborts after learning the output and does not deliver output to honest parties, then every honest party is compensated. See Figure 3 for a formal description. The main difference between the prior definitions in [8, 19] is that $F_{MSFE}$ directly realizes multiple invocations of secure computation with penalties. For simplicity, $F_{MSFE}$ deals only with the non-reactive case.

In the first phase referred to as the deposit phase, the functionality $F_{MSFE}$ accepts safety deposits $\mathrm{coins}(d)$ from each honest party and penalty deposit $\mathrm{coins}(hq)$ from the adversary. Note that the penalty deposit suffices to compensate each honest party in the event of an abort. Once the deposits are made, parties enter the next phase referred to as the execution phase where parties can engage in an unbounded number of secure function evaluations. In each execution, parties submit inputs and wait to receive outputs. As usual, the ideal adversary $S$ gets to learn the output first and then decide whether to deliver the output to all parties. If $S$ decides to abort, then no further executions are carried out, parties enter the claim phase, and honest parties get $\mathrm{coins}(d + q)$, i.e., their safety deposit plus the penalty amount. Note that penalties are distributed only at time $\tau$. Now if $S$ never aborts during a local execution, then the safety deposits are returned back to the honest parties, and $S$ gets back its penalty deposit at time $\tau$. Note that we require $S$ to deposit $\mathrm{coins}(hq)$ up front.
This is different from the definition of secure computation with penalties in [8], where S may not submit coins($hq$) and yet the computation might proceed. We believe that our definition is more natural. We are able to support this definition because in our protocol (unlike the case in [8]), the computation happens only after all the deposits are made. Next, we discuss the reactive case.

Reactive case. The definition for the secure computation with penalties in the reactive setting $F_{\mathrm{MMPC}}$ is identical to $F_{\mathrm{MSFE}}$ except that the function $f_k$ is composed of sub-functions for the different stages, i.e., $f_k = (f_{k,1}, \ldots, f_{k,\rho})$, where $\rho$ denotes the number of stages. Now, S can abort between different stages of $f_k$ or within a single stage, say $f_{k,\rho}$. In either case, the honest parties will be compensated via the penalty deposit coins($hq$) submitted by S in the deposit phase. For lack of space, the formal definition is presented in the full version.

3. TWO PARTY NON-REACTIVE CASE

We describe the protocol for the 2-party non-reactive case in Figure 4. For clarity, we annotate each of the steps in (1) the master deposits as $Tx_j$, (2) the k-th local setup phase as $sp_j^{(k)}$, (3) the k-th local exchange phase as $ex_j^{(k)}$, (4) the master claims as $clm_j$. Sometimes we treat these annotations as Boolean variables which are set to 1 if the corresponding event occurred or else they are set to 0. As an example, we say $sp_1^{(k)} = 1$ iff $F_{\mathrm{ord}}$ delivered output to $P_1$.

MASTER SETUP PHASE: $P_1$ and $P_2$ interact with an ideal functionality $F_f$ that computes $(mvk, msk) \leftarrow \mathrm{SigKeyGen}(1^\lambda)$ and computes secret shares $msk_1, msk_2$ of $msk$ and delivers $msk_1$, $mvk$, MAC($msk_2$) to $P_1$ and $msk_2$, $mvk$, MAC($msk_1$) to $P_2$, where MAC is an (information-theoretic) message authentication code.

MASTER DEPOSIT PHASE: Parties make the following $F_{\mathrm{CR}}$ deposits:

$$P_1 \xrightarrow[q,\,\tau_2]{\ \phi_2\ } P_2 \qquad (Tx_2)$$

$$P_2 \xrightarrow[q,\,\tau_1]{\ \phi_1\ } P_1 \qquad (Tx_1)$$

where:

$$\phi_1(id_1, t_1, \sigma_1; mvk) = \mathrm{SigVerify}(mvk, (1, id_1, t_1), \sigma_1)$$

$$\phi_2(id_1, t_1, \sigma_1, id_2, t_2, \sigma_2; mvk) = (id_1 = id_2) \wedge \mathrm{SigVerify}(mvk, (1, id_1, t_1), \sigma_1) \wedge \mathrm{SigVerify}(mvk, (2, id_2, t_2), \sigma_2)$$

EXECUTION PHASE:

In the k-th local setup phase: Parties agree on the function to be executed $f_k$ via broadcast. If there is disagreement, then parties enter the master claim phase. Else, $P_1$ and $P_2$ interact with an ideal functionality $F_{\mathrm{ord}}$ to which they input: (1) the function $f_k$ and inputs to $f_k$, and (2) $mvk$, secret shares of $msk$, and the corresponding MACs. $F_{\mathrm{ord}}$ computes the output $z^{(k)}$ obtained by evaluating $f_k$ on the inputs provided by the parties, then it secret shares $z^{(k)} = s_1^{(k)} \oplus s_2^{(k)}$. It then computes $(vk^{(k)}, sk^{(k)}) \leftarrow \mathrm{SigKeyGen}(1^\lambda)$ and computes $\sigma_i^{(k)} = \mathrm{SigSign}(msk, (i, k, s_i^{(k)}))$ and $\psi_i^{(k)} = \mathrm{SigSign}(sk^{(k)}, (i, k, s_i^{(k)}))$. $F_{\mathrm{ord}}$ sends the outputs in the following order (i.e., $\chi = (2, 1)$ for $F_{\mathrm{ord}}$):

1. $(s_2^{(k)}, \sigma_2^{(k)}, \psi_2^{(k)})$ to $P_2$. ($sp_2^{(k)}$)
2. $(s_1^{(k)}, \sigma_1^{(k)}, \psi_1^{(k)})$ to $P_1$. ($sp_1^{(k)}$)

In the k-th local exchange phase:

1. $P_1$ sends $(s_1, \psi_1) = (s_1^{(k)}, \psi_1^{(k)})$ to $P_2$. ($ex_1^{(k)}$)
2. If $\mathrm{SigVerify}(vk^{(k)}, (1, k, s_1), \psi_1) = 1$: $P_2$ sends $(s_2^{(k)}, \psi_2^{(k)})$ to $P_1$. ($ex_2^{(k)}$)

CLAIM PHASE: Parties enter this phase when either all local executions are completed or in the event of aborts after/during the master deposit phase.

1. At time $\tau_1$: let $k$ denote the last completed local execution. If $sp_1^{(k+1)} = 1$, then $P_1$ claims $Tx_1$ using witness $(k+1, s_1^{(k+1)}, \sigma_1^{(k+1)})$, else claim $Tx_1$ using witness $(k, s_1^{(k)}, \sigma_1^{(k)})$ if $k > 0$. ($clm_1$)
2. At time $\tau_2$, if party $P_1$ claimed $Tx_1$ using witness $(id_1, t_1, \sigma_1)$, then party $P_2$ claims $Tx_2$ at time $\tau_2$ using witness $(id_1, t_1, \sigma_1, id_2 = id_1, t_2 = s_2^{(id_1)}, \sigma_2 = \sigma_2^{(id_1)})$. If there exists $k$ such that $sp_2^{(k)} = 1$ but $ex_2^{(k)} = 0$, then both parties output $t_1 \oplus t_2$ as the output of the k-th execution. ($clm_2$)

Figure 4: 2-party realization of $F_{\mathrm{MSFE}}$.

We now explain the design of the protocol and describe each of the phases in more detail. In the presentation here we ignore some details on the time-limits. In the master setup phase, parties interact with an unfair ideal functionality that runs the key generation algorithm for a digital signature scheme, and outputs the master verification key $mvk$ to both parties, and secret shares the master signing key $msk$. In addition, the master function will authenticate the shares of the master signing key. Looking ahead, we will need this authentication because each subsequent local execution will need to produce signatures verifiable by the master verification key. To do so, these subsequent local executions will reconstruct the master signing key from the authenticated secret shares held by both parties.

Following this, parties enter the master deposit phase where they make $F_{\mathrm{CR}}$ deposits as follows. In the following, $\tau_2 > \tau_1$.

$$P_1 \xrightarrow[q,\,\tau_2]{\ \phi_2\ } P_2 \qquad (Tx_2)$$

$$P_2 \xrightarrow[q,\,\tau_1]{\ \phi_1\ } P_1 \qquad (Tx_1)$$

Here, the predicates $\phi_1, \phi_2$ have the master verification key $mvk$ hardcoded in them. The predicates essentially check if their input is a valid signature against the master verification key $mvk$. The messages that are signed under $msk$ will be secret shares of the output of a function evaluation (more on this in the next paragraph), and we will append the player index and an execution number denoted $id$, and then sign the message consisting of player id, nonce, and secret share under the master signing key $msk$. As we will see below, the predicate $\phi_1$ takes as input one message and a corresponding signature, while the predicate $\phi_2$ takes as input two messages and corresponding signatures. In addition to checking the validity of the signatures, the predicates also verify an additional condition on the nonces contained in the underlying signed messages. Below, we explicitly specify the predicates $\phi_1$ and $\phi_2$:

$$\phi_1(id_1, t_1, \sigma_1; mvk) = \mathrm{SigVerify}(mvk, (1, id_1, t_1), \sigma_1)$$

$$\phi_2(id_1, t_1, \sigma_1, id_2, t_2, \sigma_2; mvk) = (id_1 = id_2) \wedge \mathrm{SigVerify}(mvk, (1, id_1, t_1), \sigma_1) \wedge \mathrm{SigVerify}(mvk, (2, id_2, t_2), \sigma_2)$$

Next, we describe the local setup phase.
In the k-th local setup phase, the parties submit their authenticated shares of the master signing key, and further also submit the inputs to an unfair ideal functionality $F_{\mathrm{ord}}$ computing the function $f_k$ that is to be computed in this phase. As described before, the k-th setup phase first reconstructs the master signing key from the authenticated shares submitted by the parties. Then it computes the function $f_k$ on the inputs submitted by the parties to obtain the output $z^{(k)}$. (For simplicity, we assume that all parties obtain the same output.) Following this, the output $z^{(k)}$ is secret shared using an additive secret sharing scheme to produce shares $s_1^{(k)}, s_2^{(k)}$. Each of these shares is then authenticated twice: once using the reconstructed master signing key $msk$, and once using a local signing key $sk^{(k)}$ generated inside the unfair ideal functionality. We stress that the local signing key $sk^{(k)}$ is never revealed to any party; recall that the global signing key $msk$ is never revealed to any party either. Finally, the local outputs of the unfair ideal functionality in the k-th local setup phase are distributed in the following order to the two parties:

1. Party $P_2$ obtains its secret share of the output $s_2^{(k)}$ along with a signature $\sigma_2^{(k)}$ on $T_2^{(k)} = (2, k, s_2^{(k)})$ signed under $msk$ and a signature $\psi_2^{(k)}$ on $T_2^{(k)}$ signed under $sk^{(k)}$, and the corresponding local verification key $vk^{(k)}$. ($sp_2^{(k)}$)
2. Party $P_1$ obtains its secret share of the output $s_1^{(k)}$ along with a signature $\sigma_1^{(k)}$ on $T_1^{(k)} = (1, k, s_1^{(k)})$ signed under $msk$ and a signature $\psi_1^{(k)}$ on $T_1^{(k)}$ signed under $sk^{(k)}$, and the corresponding local verification key $vk^{(k)}$. ($sp_1^{(k)}$)
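The predicates $\phi_1$, $\phi_2$ and the claim phase of Figure 4, as an added Go example that is not code from the paper. Ed25519 from the standard library stands in for the signature scheme, the setup runs in the clear instead of inside an ideal functionality, $F_{\mathrm{CR}}$ is reduced to bookkeeping of net balances, and the message encoding, type names and sample outputs are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signed is one party's setup output: its share plus the signature under
// msk on (player, id, share). It doubles as that party's claim witness.
type Signed struct {
	ID    int
	Share []byte
	Sig   []byte
}

// msg encodes the signed tuple (player, id, share); the encoding is an assumption.
func msg(player, id int, share []byte) []byte {
	return []byte(fmt.Sprintf("%d|%d|%x", player, id, share))
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// localSetup plays the unfair ideal functionality for execution id: it
// XOR-shares the output z and signs each share under msk.
func localSetup(msk ed25519.PrivateKey, id int, z []byte) (Signed, Signed) {
	s1 := make([]byte, len(z))
	if _, err := rand.Read(s1); err != nil {
		panic(err)
	}
	s2 := xor(z, s1)
	return Signed{id, s1, ed25519.Sign(msk, msg(1, id, s1))},
		Signed{id, s2, ed25519.Sign(msk, msg(2, id, s2))}
}

// phi1 guards Tx1: a valid signature under mvk on (1, id1, t1).
func phi1(mvk ed25519.PublicKey, w1 Signed) bool {
	return ed25519.Verify(mvk, msg(1, w1.ID, w1.Share), w1.Sig)
}

// phi2 guards Tx2: both signatures verify and the execution numbers match.
func phi2(mvk ed25519.PublicKey, w1, w2 Signed) bool {
	return w1.ID == w2.ID && phi1(mvk, w1) &&
		ed25519.Verify(mvk, msg(2, w2.ID, w2.Share), w2.Sig)
}

// Outcome is the result of the claim phase.
type Outcome struct {
	Net1, Net2 int    // net coin change of P1 and P2
	Output     []byte // t1 XOR t2 read off the claim witnesses, nil if Tx2 is unclaimed
}

// claimPhase settles Tx1 (P2 -> P1, phi1, q, tau1) and Tx2 (P1 -> P2, phi2, q, tau2).
// w1 is P1's witness at tau1, w2 is P2's at tau2; nil means no claim.
func claimPhase(mvk ed25519.PublicKey, q int, w1, w2 *Signed) Outcome {
	var o Outcome
	if w1 == nil || !phi1(mvk, *w1) {
		return o // Tx1 unclaimed; Tx2 needs P1's witness, so both deposits are refunded
	}
	o.Net1, o.Net2 = q, -q // P1 collected P2's deposit
	if w2 != nil && phi2(mvk, *w1, *w2) {
		o.Net1, o.Net2 = 0, 0 // P2 collected P1's deposit in return
		o.Output = xor(w1.Share, w2.Share)
	}
	return o
}

// scenarios: execution 1 completed; in execution 2 both setup outputs were
// delivered but P2 never sent its share in the exchange phase.
func scenarios(q int) (reveal, refuse, stale Outcome) {
	mvk, msk, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	_, old2 := localSetup(msk, 1, []byte("output-1")) // constructed outputs
	new1, new2 := localSetup(msk, 2, []byte("output-2"))
	reveal = claimPhase(mvk, q, &new1, &new2) // P2 claims Tx2 and so reveals s2
	refuse = claimPhase(mvk, q, &new1, nil)   // P2 withholds s2 and forfeits q
	stale = claimPhase(mvk, q, &new1, &old2)  // replayed witness fails id1 = id2
	return
}

func main() {
	reveal, refuse, stale := scenarios(5)
	fmt.Printf("reveal: %+v output=%q\n", reveal, reveal.Output)
	fmt.Printf("refuse: %+v\nstale:  %+v\n", refuse, stale)
}
```

In the `stale` case $P_2$ holds a perfectly valid signature from execution 1, yet the `id1 = id2` check in `phi2` rejects it, which is what ties the penalty to the specific execution $P_1$ chose to force.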

We will shortly discuss why the order of outputs as above is needed (i.e., why $P_1$ obtains the output of the local setup phase after $P_2$). Observe that to obtain the output of the local phase, parties simply have to exchange the shares $s_1^{(k)}$ and $s_2^{(k)}$, and the output of the local phase equals $s_1^{(k)} \oplus s_2^{(k)}$. The local exchange phase happens in the following order:

1. Party $P_1$ first sends $T_1^{(k)}$ and $\psi_1^{(k)}$ to $P_2$. ($ex_1^{(k)}$)
2. If a valid message was received, then $P_2$ sends $T_2^{(k)}$ and $\psi_2^{(k)}$ to $P_1$. ($ex_2^{(k)}$)

After this, the local phase completes, and the parties have obtained the outputs. Note that since signatures under $sk^{(k)}$ are unforgeable except with negligible probability (because each party only has an additive share of $sk^{(k)}$), it follows except with negligible probability that a valid $(T_i^{(k)}, \psi_i^{(k)})$ pair sent by party $P_i$ has to be the one generated by the local setup phase, and hence results in parties generating the correct output. Following this, the parties can then proceed to the next local phase and so on. Let $l$ denote the total number of successfully completed local executions. Once all the $l$ local executions are completed, the parties proceed to the master claim phase where the following happens in order:

1. At time $\tau_1$: let $k$ denote the last completed local execution. If $sp_1^{(k+1)} = 1$, then $P_1$ claims $Tx_1$ using witness $(k+1, s_1^{(k+1)}, \sigma_1^{(k+1)})$, else claim $Tx_1$ using witness $(k, s_1^{(k)}, \sigma_1^{(k)})$ if $k > 0$. ($clm_1$)
2. At time $\tau_2$, if party $P_1$ claimed $Tx_1$ using witness $(id_1, t_1, \sigma_1)$, then party $P_2$ claims $Tx_2$ at time $\tau_2$ using witness $(id_1, t_1, \sigma_1, id_2 = id_1, t_2 = s_2^{(id_1)}, \sigma_2 = \sigma_2^{(id_1)})$. If there exists $k$ such that $sp_2^{(k)} = 1$ but $ex_2^{(k)} = 0$, then both parties output $t_1 \oplus t_2$ as the output of the k-th execution. ($clm_2$)

The master claim phase is designed in a way that allows the honest party to force the completion of the most recent local execution that is incomplete. For instance, $P_1$ can force the completion of the $(k+1)$-th execution by claiming $Tx_1$ using witness $(k+1, s_1^{(k+1)}, \sigma_1^{(k+1)})$.
This then forces $P_2$ to reveal the secret share $s_2^{(k+1)}$ without which it cannot claim $Tx_2$. This is because the only signature under $msk$ on messages of the form $(2, k+1, \cdot)$ that $P_2$ possesses is on $T_2^{(k+1)} = (2, k+1, s_2^{(k+1)})$. Thus, we have that either $P_2$ claims $Tx_2$ or pays a penalty coins($q$) to honest $P_1$. On the other hand, if $P_1$ was dishonest or if all local executions were completed, then parties effectively replay some old execution. That is, $P_1$ will claim $Tx_1$ using witnesses obtained from the k-th local execution for which $ex_2^{(k)} = 1$. Following this, $P_2$ can claim $Tx_2$ using the witness revealed by $P_1$ and the witness obtained from the k-th local setup phase. We prove:

THEOREM 1. Assume one-way functions exist. There exists a 2-party protocol that SCC-realizes $F_{\mathrm{MSFE}}$ in the $(F_{\mathrm{OT}}, F_{\mathrm{CR}})$-hybrid model such that the number of calls to $F_{\mathrm{CR}}$, its script complexity, and deposit amounts are independent of the number of executions.

Proof sketch. Let $P_j$ denote the party corrupted by the adversary A. We describe the simulator S for the protocol of Figure 4. S begins by acting as the unfair ideal functionality in the master setup phase, and runs the key generation algorithm of a digital signature scheme to produce $(mvk, msk)$. It then chooses a random $msk_j$ to give to A. If A aborts the master setup phase, then S outputs whatever A outputs and terminates the simulation. Else, in the master deposit phase, S acts as $F_{\mathrm{CR}}$. If $j = 2$, it waits to receive a deposit from A. If the deposit was not received or the deposit is not of the specified format, then S aborts outputting whatever A outputs. Else, S obtains coins($q$) from A which it forwards to $F_{\mathrm{MSFE}}$ as the penalty deposit. On the other hand, if $j = 1$, then S acting as $F_{\mathrm{CR}}$ informs A that (honest) $P_2$ made the deposit as instructed. Then it waits for A to make the deposit. Again, if the deposit is not of the correct form or was not made, then S terminates the simulation outputting whatever A outputs. In this case, the simulation is indistinguishable from the real execution since honest $P_2$ would have got coins($q$) refunded from $Tx_2$ with all but negligible probability (except in the case A manages to forge signatures under $msk$). Else, it obtains coins($q$) from A which it forwards to $F_{\mathrm{MSFE}}$ as the penalty deposit. This concludes the simulation of the master setup and deposit phases.

In the k-th local setup phase, S learns of the function to be evaluated $f_k$ from $F_{\mathrm{MSFE}}$ and acts as the unfair ideal functionality $F_{\mathrm{ord}}$, and obtains the input for this execution from A. Note that if A sends incorrect shares of $msk$, then S terminates the simulation, and the simulation will be indistinguishable from the real execution since the MAC checks won't pass in the real execution except with negligible probability. Then S runs the key generation algorithm of a digital signature scheme to generate $(vk^{(k)}, sk^{(k)})$, and computes the signature $\psi_j^{(k)}$ under $sk^{(k)}$ on message $T_j^{(k)} = (j, k, s)$ for random value $s$. It then sends $T_j^{(k)}, \psi_j^{(k)}, vk^{(k)}$ to A. If A aborts in this step, then S rejects any further local executions and goes directly to the simulation of the master claim phase (described below). This still results in a valid simulation since A should not be able to forge a signature under $sk^{(k)}$ due to the unforgeability property of the digital signature scheme.

Otherwise, S begins the simulation of the local exchange phase. If $j = 1$, then it waits to receive $(T, \psi)$ from A. If $(T, \psi) \neq (T_j^{(k)}, \psi_j^{(k)})$, S terminates the simulation (since this is a forgery that should happen only with negligible probability). Otherwise, S contacts $F_{\mathrm{MSFE}}$ with the extracted input (obtained while acting as $F_{\mathrm{ord}}$) to obtain the output of the local execution $z^{(k)}$. S acting as $P_2$ sends the value $T_2^{(k)} = (2, k, z^{(k)} \oplus s)$ and the signature $\psi_2^{(k)}$ on $T_2^{(k)}$ to A. The case when $j = 2$ is also handled similarly. S first submits the extracted input to $F_{\mathrm{MSFE}}$ to get the output of the k-th local execution $z^{(k)}$. Then S acting as honest $P_1$ sends the value $T_1^{(k)} = (1, k, s \oplus z^{(k)})$ along with a signature $\psi_1^{(k)}$ on $T_1^{(k)}$ to A.
It is easy to see that the simulation is indistinguishable from the real execution.

Finally, we describe the simulation of the master claim phase. S enters this phase either because there were: (1) aborts in the local setup phase, (2) aborts in the local exchange phase, or (3) all executions were successfully completed. We analyze separately the case when $P_1$ is corrupt and the case when $P_2$ is corrupt.

Suppose $j = 1$. S waits until time $\tau_1$ to see if $P_1$ claims $Tx_1$. Suppose $P_1$ does not claim $Tx_1$, then S waits to get its penalty deposit back from $F_{\mathrm{MSFE}}$ and sends it to $P_1$ as refund obtained from $Tx_2$. The simulation is indistinguishable from the real execution because $P_2$ always obtains the output first in the local execution; thus if $P_1$ had received the output of a local execution phase, then so did $P_2$. Therefore, S will be able to get its penalty deposit coins($q$) back from $F_{\mathrm{MSFE}}$. Now on the other hand, suppose $P_1$ did claim $Tx_1$ using some witness $(id_1, t_1, \sigma_1)$, then S checks if $\sigma_1^{(id_1)} = \sigma_1$ (i.e., if $\sigma_1$ was handed to A during the simulation). The check will pass with all but negligible probability since a failure would correspond to A forging a signature under $msk$. In the rest of the analysis we will assume that $\sigma_1 = \sigma_1^{(id_1)}$. Now, S acting as $F_{\mathrm{CR}}$ will need to produce coins($q$) to A as the claim reward for claiming $Tx_1$. To do so, S will need to obtain its penalty amount from $F_{\mathrm{MSFE}}$. As before, this step is possible since $P_1$ cannot learn the output of a local execution before the honest party (recall $P_2$ always obtains outputs first in the local exchange phase), and thus S will be able to get its penalty deposit back from $F_{\mathrm{MSFE}}$ which it can send to $P_1$ as the money obtained by claiming $Tx_1$. Now all that S needs to do is to produce witnesses for claiming $Tx_2$ in order to justify that coins($q$) from $Tx_2$ are not going to be refunded back to $P_1$. This is easy since the witness $(id_1, t_1, \sigma_1, id_2 = id_1, t_2 = z^{(id_1)} \oplus t_1, \sigma_2 = \sigma_2^{(id_2)})$ satisfies $\phi_2$. In other words, the secret shares and corresponding signatures from the $id_1$-th execution will allow honest $P_2$ to claim $Tx_2$. This concludes the simulation in the case when $P_1$ is corrupt. It is easy to see that the simulation is indistinguishable from the real execution.

Next, we consider the case when $j = 2$. Now S will need to act first (as honest $P_1$) in the master claim phase. Let $k$ denote the number of completed local executions, i.e., $ex_2^{(k)} = 1$. If $k = 0$, then S does not have to act in the master claim phase. It will simply get back its penalty deposit from $F_{\mathrm{MSFE}}$ and return it to $P_2$ as refund of $Tx_1$. The simulation is indistinguishable from real since except with negligible probability $P_2$ will not be able to produce signatures under $msk$ to claim $Tx_2$. In the rest of the simulation, we assume $k > 0$. At time $\tau_1$, S will have to claim $Tx_1$. To do so, S first checks if there was an incomplete local execution, i.e., if $sp_1^{(k+1)} = 1$. If there was, this means that the output of the $(k+1)$-th execution was not obtained by both parties (in fact, it is possible that only $P_2$ obtained the output and not $P_1$).
S will claim $Tx_1$ using the witness $(k+1, s \oplus z^{(k+1)}, \sigma_1^{(k+1)})$ where $s$ was the secret share given to $P_2$ as part of the output of the $(k+1)$-th local setup phase. Now, S waits to see if $P_2$ claims $Tx_2$. Suppose $P_2$ does not claim $Tx_2$, then this means that in the real execution honest $P_1$ would not obtain the output, but only the penalty. Thus, to make the simulation indistinguishable from real, S will send an abort message to $F_{\mathrm{MSFE}}$, and terminate the simulation (in particular, it will not get its penalty deposit back from $F_{\mathrm{MSFE}}$). On the other hand, if $P_2$ did claim $Tx_2$, then except with negligible probability it has to do so using the witness $(k+1, s \oplus z^{(k+1)}, \sigma_1^{(k+1)}, k+1, s, \sigma_2^{(k+1)})$. This is because the only signature under $msk$ on messages of the form $(k+1, \cdot, \cdot)$ that A possesses is on the message $(k+1, s, \sigma_2^{(k+1)})$ obtained during the interaction with S. Thus, in this case, S asks $F_{\mathrm{MSFE}}$ to deliver the output to $P_1$ for execution $k+1$, and obtains back the penalty deposit from $F_{\mathrm{MSFE}}$ which it forwards to $P_2$ as the reward obtained for claiming $Tx_2$.

Finally, we consider the case when $sp_1^{(k+1)} = 0$, i.e., the $(k+1)$-th execution did not deliver outputs to either party. In this case, S gets its penalty deposit coins($q$) back from $F_{\mathrm{MSFE}}$. Then S claims $Tx_1$ using witnesses from the k-th execution, i.e., $(k, s \oplus z^{(k)}, \sigma_1^{(k)})$ where $s$ was the random secret share sent to $P_2$. Now if $P_2$ claims $Tx_2$, except with negligible probability it has to do so using witness $(k, s \oplus z^{(k)}, \sigma_1^{(k)}, k, s, \sigma_2^{(k)})$. Suppose $P_2$ claimed $Tx_2$, then S produces the necessary coins($q$) from the returned penalty deposit. On the other hand, if $P_2$ did not claim $Tx_2$, then S sends the returned coins($q$) back to $F_{\mathrm{MSFE}}$ to be delivered to the honest party as extra reward. It is easy to see that the simulation is indistinguishable from real both in the standard sense as well as with respect to the distribution of coins. This concludes the proof of the theorem.

Figure 5: Locked ladder mechanism from [19]. The figure gives a note on time-limits ($\tau_1 < \tau_2 < \cdots < \tau_n$); ROOF DEPOSITS, for each $j \in [n-1]$, from $P_j$ to $P_n$ under predicate $\phi_n$ with amount $q$ and time-limit $\tau_n$ ($Tx_{n,j}$); and LADDER DEPOSITS, for $i = n-1$ down to 1: Rung unlock, for $j = n$ down to $i+1$, from $P_j$ to $P_i$ under $\phi^{\mathrm{unlock}}_{j,i}$ ($Tx^{\mathrm{unlock}}_{j,i}$); Rung climb, from $P_{i+1}$ to $P_i$ under $\phi_i$ ($Tx_i$); Rung lock, for each $j = n$ down to $i+1$, from $P_i$ to $P_j$ under $\phi^{\mathrm{lock}}_{j,i}$ ($Tx^{\mathrm{lock}}_{j,i}$).

4. MULTIPARTY CASE

We describe the protocol for the multiparty non-reactive case.

MASTER SETUP PHASE AND MASTER DEPOSIT PHASE. In the master setup phase, parties interact with an unfair ideal functionality that realizes the master setup function which runs the key generation algorithm for a digital signature scheme, and outputs the master verification key $mvk$ to all $n$ parties, and secret shares the master signing key $msk$. In addition, the master function will authenticate the shares of the master signing key. That is, in spirit, the master setup phase is identical to the one in the 2-party case, except now it caters to $n$ parties. Next, parties enter the master deposit phase where they make $F_{\mathrm{CR}}$ deposits as in Figure 5 (i.e., identical to the locked ladder mechanism in [19]). Note that the relation between time-limits is specified in Figure 5. Here, the predicates $\{\phi_i\}$, $\{\phi^{\mathrm{unlock}}_{j,i}\}$, $\{\phi^{\mathrm{lock}}_{j,i}\}$ all have the master verification key $mvk$ hardcoded in them. The predicates essentially check if their input is a valid signature against the master verification key $mvk$. The messages that are signed under $msk$ will be secret shares of the output of a function evaluation (more on this in the next paragraph), and we will append the player index and a nonce denoted $id$ which essentially denotes an execution number, and then sign the message consisting of player id, nonce, and secret share under the master signing key $msk$. In addition to checking the validity of the signatures, the predicates also verify an additional structural relation on the nonces contained in the underlying signed messages.
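Below, we explicitly specify the predicates $\{\phi^{\mathrm{lock}}_{j,i}\}$, $\{\phi_i\}$, $\{\phi^{\mathrm{unlock}}_{j,i}\}$:

$$\phi^{\mathrm{lock}}_{j,i}(TT, id, \sigma; mvk) = tv^{(id)}_{i-1}(TT) \wedge \mathrm{SigVerify}(mvk, (j, i, id), \sigma)$$

$$\phi_i(TT, id; mvk) = tv^{(id)}_{i}(TT)$$

$$\phi^{\mathrm{unlock}}_{j,i}(TT, id, \sigma; mvk) = tv^{(id)}_{i}(TT) \wedge \mathrm{SigVerify}(mvk, (j, i, id), \sigma)$$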


More information

The Order Relation and Trace Inequalities for. Hermitian Operators

The Order Relation and Trace Inequalities for. Hermitian Operators Internatonal Mathematcal Forum, Vol 3, 08, no, 507-57 HIKARI Ltd, wwwm-hkarcom https://doorg/0988/mf088055 The Order Relaton and Trace Inequaltes for Hermtan Operators Y Huang School of Informaton Scence

More information

Kernel Methods and SVMs Extension

Kernel Methods and SVMs Extension Kernel Methods and SVMs Extenson The purpose of ths document s to revew materal covered n Machne Learnng 1 Supervsed Learnng regardng support vector machnes (SVMs). Ths document also provdes a general

More information
