4

I'm studying the UC framework by Canetti. While I understand the basic idea, there are still a lot of details that I need to work through.

One thing that's puzzling me is how to achieve concurrency under the UC execution mode. For example, in many distributed algorithms, a machine may broadcast a message and then every receiver may do some computation on the message. The result of the computation may be broadcasted again.

The paper says

In order to simplify the process of determining the next ITI to be activated, we allow an ITI to execute at most a single external-write instruction per activation.

In that case, how does one capture a broadcast functionality, both as an ideal functionality as well as a real protocol?

Mike Edward Moras
  • 18,161
  • 12
  • 87
  • 240
lamba
  • 1,395
  • 8
  • 18

2 Answers2

2

UC broadcast can be defined by a functionality $\mathcal{F}_{\textrm{BC}}$, which upon receiving a message $x$ from party $P_i$, sends $(x, P_i)$ to all parties and the adversary.

This is formally given in, e.g. Section 3.2 of a paper by Goldwasser and Lindell. However, many higher-level protocols use broadcast without explicitly specifying the functionality, because it is so straightforward.

That paper also contains the following, very simple echo-broadcast protocol for any $t < n$ corruptions:

  • $P_i$ sends $x$ to all other parties
  • Every other party re-sends $x$ to everybody else and checks that they received the same values.
  • If any value is inconsistent, abort. Otherwise, output $x$.

This is secure in a slightly weaker model, where a corrupt party may force some honest parties to abort; however, any honest party who does not abort will learn the correct output.

pscholl
  • 731
  • 3
  • 7
1

I think this would be the relevant paper to understand how to model synchronicity in the UC model:

Universally composable synchronous computation: Jonathan Katz and Ueli Maurer and Bjoern Tackmann and Vassilis Zikas (TCC 2013)

Basically, they define a "clock" functionality that performs a "tick" (increments a public counter) only after all honest parties indicate that they are done with the current round's activities.

To answer your question about "sending a message to all parties": In this paper, communication channels are modeled by having parties explicitly poll the channel to receive a message when they're ready. So to broadcast a message, send a command to the broadcast functionality. The functionality waits to be activated by honest parties who request to read from the broadcast channel.

Mikero
  • 14,908
  • 2
  • 35
  • 58