Round-Preserving Parallel Composition of Probabilistic-Termination Cryptographic Protocols

Abstract

An important benchmark for multi-party computation protocols (MPC) is their round complexity. For several important MPC tasks, such as broadcast, (tight) lower bounds on the round complexity are known. However, some of these lower bounds can be circumvented when the termination round of every party is not a priori known, and simultaneous termination is not guaranteed. Protocols with this property are called probabilistic-termination (PT) protocols. Running PT protocols in parallel affects the round complexity of the resulting protocol in somewhat unexpected ways. For instance, an execution of m protocols with constant expected round complexity might take \(O(\log m)\) rounds to complete. In a seminal work, Ben-Or and El-Yaniv (Distributed Computing ‘03) developed a technique for a parallel execution of arbitrarily many broadcast protocols, while preserving expected round complexity. More recently, Cohen et al. (CRYPTO ‘16) devised a framework for universal composition of PT protocols, and provided the first composable parallel-broadcast protocol with a simulation-based proof. These constructions crucially rely on the fact that broadcast is “privacy-free,” and do not generalize to arbitrary protocols in a straightforward way. This raises the question of whether it is possible to execute arbitrary PT protocols in parallel, without increasing the round complexity. In this paper we tackle this question and provide both feasibility and infeasibility results. We construct a round-preserving protocol compiler, tolerating any dishonest minority of actively corrupted parties, that compiles arbitrary protocols into a protocol realizing their parallel composition, while having a black-box access to the underlying protocols. Furthermore, we prove that the same cannot be achieved, using known techniques, given only black-box access to the functionalities realized by the protocols, unless merely security against semi-honest corruptions is required, for which case we provide a protocol. To prove our results, we utilize the language and results by Cohen et al., which we extend to capture parallel composition and reactive functionalities, and to handle the case of an honest majority.

Appendices

Preliminaries (Cont’d)

1.1 Error-Correcting Secret Sharing

Definition A.1

A (t, n) error-correcting secret sharing (ECSS) scheme over a message space \({\mathcal {M}} \) consists of a pair of algorithms \((\textsf {Share}, \textsf {Recon})\) satisfying the following properties:

1. 1.

   t-privacy For every \(m\in {\mathcal {M}} \), and every subset \({\mathcal {I}} \subseteq [n]\) of size \(|{\mathcal {I}} |\le t\), the distribution of \(\{s_i\}_{i\in {\mathcal {I}}}\) is independent of m, where \((s_1,\ldots ,s_n)\leftarrow \textsf {Share} (m)\).

2. 2.

   Reconstruction from up to t erroneous shares For every \(m\in {\mathcal {M}} \), every \({ \varvec{s}}= (s_1,\ldots ,s_n)\), and every \({ \varvec{s}}' = (s'_1,\ldots ,s'_n)\) such that \({\mathrm {Pr}}_{{ \varvec{S}}\leftarrow \textsf {Share} (m)}\left[ { \varvec{S}}={ \varvec{s}}\right] >0\) and \(|\{i \mid s_i=s'_i\}|\ge n-t\), it holds that \(m=\textsf {Recon} ({ \varvec{s}}')\) (except for a negligible probability).

ECSS can be constructed information-theoretically, with a negligible positive error probability, when \(t<n/2\) [12, 22, 56].

1.2 Information-Theoretic Signatures

Parts of the following section are taken almost verbatim from [42].

\({\mathcal {P}}\) -verifiable Information-Theoretic Signatures We recall the definition and construction of information-theoretic signatures [58, 59] but slightly modify the terminology to what we consider to be more intuitive. The signature scheme (in particular the key-generation algorithm) needs to know the total number of verifiers or alternatively the list \({\mathcal {P}}\) of their identities. Furthermore, as usually for information-theoretic primitives, the key-length needs to be proportional to the number of times that the key is used. Therefore, the scheme is parameterized by two natural numbers \(\ell _{\mathcal {S}} \) and \(\ell _V \) which will be upper bounds on the number of signatures that can be generated and verified, respectively, without violating the security.

A \({\mathcal {P}} \)-verifiable signature scheme consists of a triple of randomized algorithms \((\textsf {Gen}_{},\textsf {Sign}_{},\textsf {Ver}_{})\), where:

1. 1.

   \(\textsf {Gen}_{} (1^\kappa ,n,\ell _{\mathcal {S}},\ell _V)\) outputs a pair \((\texttt {sk}_{},\mathbf {\texttt {vk}_{}})\), where \(\texttt {sk}_{} \in \{0,1\}^{\kappa }\) is a signing key, \(\mathbf {\texttt {vk}_{}}=(\texttt {vk}_{1},\ldots ,\texttt {vk}_{n})\in (\{0,1\}^\kappa )^n\) is a verification-key-vector consisting of (private) verification sub-keys, and \(\ell _{\mathcal {S}},\ell _V \in {\mathbb {N}}\).

2. 2.

   \(\textsf {Sign}_{} (m,\texttt {sk}_{})\) on input a message m and the signing-key \(\texttt {sk}_{}\) outputs a signature \(\sigma \in \{0,1\}^{\textsf {poly}(\kappa )}\).

3. 3.

   \(\textsf {Ver}_{} (m,\sigma ,\texttt {vk}_{i})\) on input a message m, a signature \(\sigma \) and a verification sub-key \(\texttt {vk}_{i} \), outputs a decision bit \(d\in \{0,1\}\).

Fig. 6

Construction of information-theoretic signatures [60]

Definition A.2

A \({\mathcal {P}} \)-verifiable signature scheme \((\textsf {Gen}_{},\textsf {Sign}_{},\textsf {Ver}_{})\) is said to be information-theoretically \((\ell _{\mathcal {S}},\ell _V)\)-secure if it satisfies the following properties:

• (completeness) A valid signature is accepted from any honest receiver:

  $$\begin{aligned} {\mathrm {Pr}}[\textsf {Gen}_{} \rightarrow (\texttt {sk}_{},(\texttt {vk}_{1},\ldots ,\texttt {vk}_{n}));\ \text { for } i\in [n] : (\textsf {Ver}_{} (m,\textsf {Sign}_{} (m,\texttt {sk}_{}),\texttt {vk}_{i})=1)] = 1. \end{aligned}$$

• Let \({\mathcal {O}}^S_{\texttt {sk}_{}} \) denote a signing oracle (on input m, \({\mathcal {O}}^S_{\texttt {sk}_{}} \) outputs \(\sigma =\textsf {Sign}_{} (m,\texttt {sk}_{})\)) and \({\mathcal {O}}^V _{\mathbf {\texttt {vk}_{}}}\) denote a verification oracle (on input \((m,\sigma ,i)\), \({\mathcal {O}}^V _{\mathbf {\texttt {vk}_{}}}\) outputs \(\textsf {Ver}_{} (m,\sigma ,\texttt {vk}_{i})\)). Also, let \({\mathcal {A}} ^{{\mathcal {O}}^S_{\texttt {sk}_{}},{\mathcal {O}}^V _{\mathbf {\texttt {vk}_{}}}}\) denote a computationally unbounded adversary that makes at most \(\ell _{\mathcal {S}}\) calls to \({\mathcal {O}}^S_{\texttt {sk}_{}} \) and at most \(\ell _V\) calls to \({\mathcal {O}}^V _{\mathbf {\texttt {vk}_{}}}\), and gets to see the verification keys indexed by some subset \({\mathcal {I}} \subsetneq [n]\). The following properties hold:

  • (unforgeability) \({\mathcal {A}} ^{{\mathcal {O}}^S_{\texttt {sk}_{}},{\mathcal {O}}^V _{\mathbf {\texttt {vk}_{}}}}\) cannot generate a valid signature on message \(m'\) of his choice, other than the one he queries \({\mathcal {O}}^S_{\texttt {sk}_{}} \) on (except with negligible probability). Formally,

    $$\begin{aligned}&{\mathrm {Pr}}\left[ \begin{array}{c} \textsf {Gen}_{} \rightarrow (\texttt {sk}_{},\mathbf {\texttt {vk}_{}}); \text { for some} {\mathcal {I}} \subsetneq [n] \text { chosen by } {\mathcal {A}} ^{{\mathcal {O}}^S_{\texttt {sk}_{}},{\mathcal {O}}^V _{\mathbf {\texttt {vk}_{}}}}:\\ \biggl (A^{{\mathcal {O}}^S_{\texttt {sk}_{}},{\mathcal {O}}^V _{\mathbf {\texttt {vk}_{}}}}\bigl (\mathbf {\texttt {vk}_{}}|_{{\mathcal {I}}}\bigr )\rightarrow (m,\sigma ,j)\biggr )\ \ \wedge \ \ (m \text { was not queried to } {\mathcal {O}}^S_{\texttt {sk}_{}})\ \ \wedge \\ (j\in [n]\setminus {\mathcal {I}})\ \ \wedge \ \ \bigl (\textsf {Ver}_{} (m,\sigma ,\texttt {vk}_{j})=1\bigr ) \end{array}\right] \\&\quad = \textsf {negl}. \end{aligned}$$

  • (consistency)¹⁴\({\mathcal {A}} ^{{\mathcal {O}}^S_{\texttt {sk}_{}},{\mathcal {O}}^V _{\mathbf {\texttt {vk}_{}}}}\) cannot create a signature that is accepted by some (honest) party and rejected by some other even after seeing \(\ell _{\mathcal {S}} \) valid signatures and verifying \(\ell _V \) signatures (except with negligible probability). Formally,

    $$\begin{aligned}&{\mathrm {Pr}}\left[ \begin{array}{c} \textsf {Gen}_{} \rightarrow (\texttt {sk}_{},\mathbf {\texttt {vk}_{}}); \text { for some} {\mathcal {I}} \subsetneq [n]\text { chosen by } {\mathcal {A}} ^{{\mathcal {O}}^S_{\texttt {sk}_{}},{\mathcal {O}}^V _{\mathbf {\texttt {vk}_{}}}}(\texttt {sk}_{}):\\ A^{{\mathcal {O}}^S_{\texttt {sk}_{}},{\mathcal {O}}^V _{\mathbf {\texttt {vk}_{}}}}(\texttt {sk}_{},\mathbf {\texttt {vk}_{}}|_{\mathcal {I}})\rightarrow (m,\sigma ) \\ \exists i,j\in [n]\setminus {\mathcal {I}} \text { s.t. } \textsf {Ver}_{} (m,\sigma ,\texttt {vk}_{i})\ne \textsf {Ver}_{} (m,\sigma ,\texttt {vk}_{j}) \end{array}\right] \\&\quad = \textsf {negl}. \end{aligned}$$

In [59, 60] a signature scheme satisfying the above notion of security was constructed. These signatures have a deterministic signature generation algorithm \(\textsf {Sign}_{}\). In the following (Fig. 6) we describe the construction from [59] (as described by [60] but for a single signer). We point out that the keys and signatures in the described scheme are elements of a sufficiently large finite field \(F\) (i.e., \(|F |=O(2^{\textsf {poly}(\kappa )}\)); one can easily derive a scheme for strings of length \(\ell =\textsf {poly}(\kappa )\) by applying an appropriate encoding: for example, map the \(i\)’th element of \(F \) to the \(i\)’th string (in the lexicographic order) and vice versa. We say that a value \(\sigma \) is a valid signature on message m (with respect to a given key setup \((sk,\mathbf {\texttt {vk}_{}})\)), if for every honest \(P _i\) it holds that \(\textsf {Ver}_{} (m,\sigma ,\texttt {vk}_{i})=1\).

Theorem A.3

([60]) Assuming \(|F |=\Omega (2^\kappa )\) and \(\ell _{\mathcal {S}} =poly(\kappa )\) the above signature scheme (Fig. 6) is an information-theoretically \((\ell _{\mathcal {S}},poly(\kappa ))\)-secure \({\mathcal {P}} \)-verifiable signature scheme.

Synchronous Protocols in UC (Cont’d)

In this section, we give complementary material to Sect. 2.1 and in particular we include a high-level overview of the formulation of synchronous UC from [46]. More concretely, Katz et al. [46] introduced a framework for universally composable synchronous computation. For self containment we describe here the basics of the model and introduce some terminology that simplifies the description of corresponding functionalities.

Synchronous protocols can be cast as UC protocols which have access to a special clock functionality \({\mathcal {F}}_{\textsc {clock}}\), which allows them to coordinate round switches as described below, and communicate over bounded-delay channels.¹⁵ In a nutshell, the clock functionality works as follows: It stores a bit b which is initially set to 0 and it accepts from each party two types of messages: \(\textsc {clock}\text {-}\textsc {update}\) and \(\textsc {clock}\text {-}\textsc {read}\). The response to \(\textsc {clock}\text {-}\textsc {read}\) is the value of the bit b to the requestor. Each \(\textsc {clock}\text {-}\textsc {update}\) is forwarded to the adversary, but it is also recorded, and upon receiving such a \(\textsc {clock}\text {-}\textsc {update}\) message from all honest parties, the clock functionality updates b to \(b\oplus 1\). It then keeps working as above, until it receives again a \(\textsc {clock}\text {-}\textsc {update}\) message from all honest parties, in which case it resets b to \(b\oplus 1\) and so on.

Such a clock can be used as follows to ensure that honest parties remain synchronized, i.e., no honest party proceeds to the next round before all (honest) parties have finished the current round: Every party stores a local variable where it keeps (its view of) the current value of the clock indicator b. At the beginning of the protocol execution this variable is 0 for all parties. In every round, every party uses all its activations (i.e., messages it receives) to complete all its current-round instructions, and only then sends \(\textsc {clock}\text {-}\textsc {update}\) to the clock signaling to the clock that it has completed its round; following \(\textsc {clock}\text {-}\textsc {update}\), all future activations result to the party sending \(\textsc {clock}\text {-}\textsc {read}\) to the clock until its bit b is flipped; once the party observes that the bit b has flipped, it starts its next round. For the sake of clarity, we do not explicitly mention \({\mathcal {F}}_{\textsc {clock}} \) in our constructions.

In [46], for each message that is to be sent in the protocol, the sender and the receiver are given access to an independent single-use channel.¹⁶ We point out, that instead of the bounded-delay channels, in this work we will assume very simple CSFs that take as input from the sender the message he wishes to send (and a default input from other parties) and deliver the output to the receiver in a fetch mode. Such a simple secure-channel SFE can be realized in a straightforward manner from bounded-delay channels and a clock \({\mathcal {F}}_{\textsc {clock}} \).

As is common in the synchronous protocols literature, throughout this work we will assume that protocols have the following structure: In each round every party sends/receives a (potentially empty) message to all parties and hybrid functionalities. Such a protocol can be described in UC in a regular form using the methodology from [46] as follows: Let \(\mu \in {\mathbb {N}}\) denote the maximum number of messages that any party \(P _i\) might send to all its hybrids during some round.¹⁷ Every party in the protocol uses exactly \(\mu \) activations in each round. That is, once a party \(P _i\) observes that the round has changed, i.e., the indicator-bit b of the clock has being flipped, \(P _i\) starts its next round as described above. However, this round finishes only after \(P _i\) receives \(\mu \) additional activations. Note that \(P _i\) uses these activations to execute his current round instructions; since \(\mu \) is a bound to the number of hybrids used in any round by any party, \(\mu \) activations are enough for the party to complete its round (If \(P _i\) finishes the round early, i.e., in less than \(\mu \) activations, it simply does nothing until the \(\mu \) activations are received.) Once \(\mu \) activations are received in the current round, \(P _i\) sends \(\textsc {clock}\text {-}\textsc {update}\) to the clock and then keeps sending \(\textsc {clock}\text {-}\textsc {read}\) messages, as described above, until it observes a flip of b indicating that \(P _i\) can go to the next round.

In addition to the regular form of protocol execution, Katz et al. [46] described a way of capturing in UC the property that a protocol is guaranteed to terminate in a given number of rounds. The idea is that a synchronous protocol in regular form, which terminates after r rounds, realizes the following functionality \({\mathcal {F}}_{\textsc {}}\). The functionality \({\mathcal {F}}_{\textsc {}}\) keeps track of the number of times every honest party sends \(\mu \) activations/messages and delivers output as soon as this has happened r times. More concretely, imitating an r-round synchronous protocol with \(\mu \) activations per party per round, upon being instantiated, \({\mathcal {F}}_{\textsc {}} \) initiates a global round-counter \({\tau } =0\) and an indicator variable \({\tau } _{i}:=0\) for each \(P _i\in {\mathcal {P}} \); as soon as some party \(P _i\) sends \(\mu \) messages to \({\mathcal {F}}_{\textsc {}}\), while the round-counter \({\tau } \) is the same, \({\mathcal {F}}_{\textsc {}}\) sets \({\tau } _{i}:=1\) and performs the following check:¹⁸ if \({\tau } _{i}=1\) for every honest \(P _i\) then increase \({\tau }:={\tau } +1\) and reset \({\tau } _{i}=0\) for all \(P _i\in {\mathcal {P}} \). As soon as \({\tau } =r\), the functionality \({\mathcal {F}}_{\textsc {}}\) enters a “delivery” mode. In this mode, whenever a message \(\texttt {fetch-output} \) is received from some party \(P _i\), \({\mathcal {F}}_{\textsc {}}\) outputs to \(P _i\) its output. (If \({\mathcal {F}}_{\textsc {}}\) has no output to \(P _i\) is outputs \(\bot \).)

We refer to a functionality that has the above structure, i.e., which keeps track of the current round \({\tau } \) by counting how many times every honest party has sent a certain number \(\mu \) of messages, as a synchronous functionality. To simplify the description of our functionalities, we introduce the following terminology. We say that a synchronous functionality \({\mathcal {F}}_{\textsc {}}\) is in round \(\rho \) if the current value of the above internal counter in \({\mathcal {F}}_{\textsc {}}\) is \({\tau } =\rho \).

We note that protocols in the synchronous model of [46] enjoy the strong composition properties of the UC framework. However, in order to have protocols being executed in a lock-step mode, i.e., where all protocols complete their round within the same clock-tick, Katz et al. [46] make use of the composition with joint-state (JUC) [9]. The idea is the parties use an \({\mathcal {F}}_{\textsc {clock}} \)-hybrid protocol \({\hat{\pi }}\) that emulates toward each of the protocols, sub-clocks and assigns to each sub-clock a unique sub-session ID (\(\mathsf {ssid}\)). Each of these sub-clocks is local to its calling protocol, but \({\hat{\pi }}\) makes sure that it gives a \(\textsc {clock}\text {-}\textsc {update}\) to the actual (joint) clock functionality \({\mathcal {F}}_{\textsc {clock}}\), only when all sub-clocks have received such a \(\textsc {clock}\text {-}\textsc {update}\) message. This ensures that all clocks will switch their internal bits at the same time with the bigger clock, which means that the protocols using them will be mutually synchronized. This property can be formally proved by a direct application of the JUC theorem. For further details the interested reader is referred to [9, 46].

The Probabilistic-Termination Framework (Cont’d)

In this section, we provide supplementary material for Sect. 2.2.

1.1 Canonical Synchronous Functionalities

The description of the canonical synchronous functionality (CSF) is given in Fig. 7. As a generalization of the SFE functionality, CSFs are powerful enough to capture any deterministic well-formed functionality. In fact, all the basic (unwrapped) functionalities considered in this work will be CSFs.

The functionality \({\mathcal {F}}_{\textsc {csf}} \) is parametrized by a (possibly) randomized function f that receives \(n+1\) inputs (n inputs from the parties and one additional input from the adversary) and a leakage function \(l\) that determines what information about the input values is leaked to the adversary. In the first (input) round, all the parties hand \({\mathcal {F}}_{\textsc {csf}} \) their input values, and in the second (output) round, each party receives its output. Whenever some input is submitted to \({\mathcal {F}}_{\textsc {csf}} \), the adversary is given some leakage function of this input; the adversary can use this leakage for deciding which parties to corrupt and which input values to use for corrupted parties. For example, in a broadcast protocol such as [25] the adversary may decide to adaptively corrupt the broadcaster and replace its message based on the leakage received. Additionally, the adversary is allowed to input an extra message that for some functionalities (e.g., Byzantine agreement) might affect the output.

Fig. 7

The canonical synchronous functionality

We now describe a few standard functionalities from the MPC literature as CSFs, we refer the reader to [16] for additional examples.

• Secure Message Transmission (aka Secure Channel). In the secure message transmission (SMT) functionality, a sender \(P _i\) with input \(x_i\) sends its input to a receiver \(P _j\). The function to compute is \(f_{\textsc {smt}} ^{i,j}(x_1,\ldots ,x_n,a)=(\lambda ,\ldots ,x_i,\ldots ,\lambda )\) (where \(x_i\) is the value of the j’th coordinate) and the leakage function is \(l_{\textsc {smt}} ^{i,j}(x_1,\ldots ,x_n)=y\), where \(y=\left| x_i\right| \) in case \(P _j\) is honest and \(y=x_i\) in case \(P _j\) is corrupted. We denote by \({\mathcal {F}}_{\textsc {smt}} ^{i,j}\) the functionality \({\mathcal {F}}_{\textsc {csf}} \) when parametrized with the above functions \(f_{\textsc {smt}} ^{i,j}\) and \(l_{\textsc {smt}} ^{i,j}\), for sender \(P _i\) and receiver \(P _j\).

• Broadcast. In the (standard) broadcast functionality, a sender \(P _i\) with input \(x_i\) distributes its input to all the parties, i.e., the function to compute is \(f_{\textsc {bc}} ^i(x_1,\ldots ,x_n,a)=(x_i,\ldots ,x_i)\). The adversary only learns the length of the message \(x_i\) before its distribution, i.e., the leakage function is \(l_{\textsc {bc}} ^i(x_1,\ldots ,x_n)=\left| x_i\right| \). This means that the adversary does not gain new information about the input of an honest sender before the output value for all the parties is determined, and in particular, the adversary cannot corrupt an honest sender and change its input after learning the input message. We denote by \({\mathcal {F}}_{\textsc {bc}} ^i\) the functionality \({\mathcal {F}}_{\textsc {csf}} \) when parametrized with the above functions \(f_{\textsc {bc}} ^i\) and \(l_{\textsc {bc}} ^i\), for sender \(P _i\).

• Secure Function Evaluation. In the secure function evaluation functionality, the parties compute a randomized function \(g(x_1,\ldots ,x_n)\), i.e., the function to compute is \(f_{\textsc {sfe}} ^g(x_1,\ldots ,x_n,a)=g(x_1,\ldots ,x_n)\). The adversary learns the length of the input values via the leakage function, i.e., the leakage function is \(l_{\textsc {sfe}} (x_1,\ldots ,x_n)=(\left| x_1\right| ,\ldots ,\left| x_n\right| )\). We denote by \({\mathcal {F}}_{\textsc {sfe}} ^g\) the functionality \({\mathcal {F}}_{\textsc {csf}} \) when parametrized with the above functions \(f_{\textsc {sfe}} ^g\) and \(l_{\textsc {sfe}} \), for computing the n-party function g.

1.2 Reactive CSFs

We proceed to extend the notion of CSF to reactive CSFs (RCSFs), i.e., CSFs with multiple input/output phases. Correspondingly, a reactive CSF is parametrized by two vectors of functions \({ \varvec{f}}=(f_1,\ldots ,f_q)\) and \({ \varvec{l}}=(l_1,\ldots ,l_q)\). The description of reactive CSFs can be found in Fig. 8.

Definition C.1

Let \({\mathcal {F}}_{\textsc {rcsf}} ^{{ \varvec{f}},{ \varvec{l}}}\) be a reactive CSF, with \({ \varvec{f}}=(f_1,\ldots ,f_q)\) and \({ \varvec{l}}=(l_1,\ldots ,l_q)\), let \(t<n/2\), and let \(\Pi =(\textsf {Share},\textsf {Recon})\) be a (t, n) error-correcting secret-sharing scheme. For every \(k\in [q]\), denote by \({\tilde{f}}_k\) the function that on inputs \(({\tilde{x}}_1,\ldots , {\tilde{x}}_n,a)\), with \({\tilde{x}}_i=(x_i,s_i)\), first reconstructs the state \({ \varvec{s}}=\textsf {Recon} (s_1,\ldots ,s_n)\), next samples random coins r and computes \((y_1,\ldots ,y_n)=f_k({ \varvec{s}},x_1,\ldots ,x_n,a,r)\), and finally shares the new state \({ \varvec{s}}'=({ \varvec{s}},x_1,\ldots ,x_n,a,r)\) as \((s_1',\ldots ,s_n')\leftarrow \textsf {Share} ({ \varvec{s}}')\) and outputs \({\tilde{y}}_i=(y_i,s'_i)\) to \(P _i\).

A protocol \(\pi \) UC-realizes \({\mathcal {W}}_{\mathrm {strict}} ^{{ \varvec{D}}}({\mathcal {F}}_{\textsc {rcsf}} ^{{ \varvec{f}},{ \varvec{l}}})\), for a vector of distributions \({ \varvec{D}}=(D_1,\ldots , D_q)\), if \(\pi \) consists of q sub-protocols \((\pi _1,\ldots ,\pi _q)\), such that for every \(k\in [q]\), sub-protocol \(\pi _k\) UC-realizes \({\mathcal {W}}_{\mathrm {strict}} ^{D_k}({\mathcal {F}}_{\textsc {csf}} ^{{\tilde{f}}_k,l_k})\). In addition, each party \(P _i\) in \(\pi \) keeps a value \(s_i\), initially set to \(\bot \), that is used as the second input for each sub-protocol. Upon completing the execution of each sub-protocol, party \(P _i\) updates \(s_i\) to be the second output value received.

Fig. 8

The reactive canonical synchronous functionality

1.3 Execution Traces

As discussed in Sect. 2.2, a computation with probabilistic termination is modeled in [16] by augmenting CSFs that capture the actual computational task, with output-round randomizing wrappers that capture the round structure of the protocol realizing the task. The underlying idea is to ensure that an environment, that can always observe how many rounds the execution of a protocol takes, will see an indistinguishable round structure in the corresponding ideal computation. Before formally describing the wrappers in “Appendix C.4”, we illustrate the notion of execution traces, which is central to enable the simulator emulating the round structure.

Recall that the randomizing wrappers are parametrized by a round sampler D, that may depend on a specific protocol implementing the functionality. The round sampler D samples a round number \(\rho _\mathsf {term}\) by which all parties are guaranteed to receive their outputs no matter what the adversary strategy is. The strict wrapper \({\mathcal {W}}_{\mathrm {strict}} \) ensures that all (honest) parties terminate together in the round \(\rho _\mathsf {term}\), whereas the flexible wrapper \({\mathcal {W}}_{\mathrm {flex}} \) allows the adversary to deliver outputs to individual parties at any time before round \(\rho _\mathsf {term}\).

Consider an arbitrary functionality \({\mathcal {F}}_{\textsc {}} \) that is realized by some protocol \(\pi \). If \({\mathcal {F}}_{\textsc {}} \) is to provide guaranteed termination (whether probabilistic or not), it must enforce an upper bound on the number of rounds that elapse until all parties receive their outputs. If the termination round of \(\pi \) is not fixed (but may depend on random choices made during its execution), this upper bound must be chosen according to the distribution induced by \(\pi \).

Thus, in order to simulate correctly, the functionality \({\mathcal {F}}_{\textsc {}} \) and \(\pi \)’s simulator \({\mathcal {S}} \) must coordinate the termination round, and therefore, \({\mathcal {F}}_{\textsc {}} \) must pass the upper bound it samples to \({\mathcal {S}} \). However, it is not sufficient to simply inform the simulator about the guaranteed-termination upper bound \(\rho _\mathsf {term}\). Intuitively, the reason is that protocol \(\pi \) may make probabilistic choices as to the order in which it calls its hybrids (and, even worse, these hybrids may even have probabilistic termination themselves). Thus, \({\mathcal {F}}_{\textsc {}} \) needs to sample the upper bound based on \(\pi \) and the protocols realizing the hybrids called by \(\pi \). As \({\mathcal {S}} \) needs to emulate the entire protocol execution, it is now left with the task of trying to sample the protocol’s choices conditioned on the upper bound it receives from \({\mathcal {F}}_{\textsc {}} \). In general, however, it is unclear whether such a reverse sampling can be performed in (strict) polynomial time.

To avoid this issue and allow for an efficient simulation, we have \({\mathcal {F}}_{\textsc {}} \) output all the coins that were used for sampling the round \(\rho _\mathsf {term}\) to \({\mathcal {S}} \). Because \({\mathcal {S}} \) knows the round-sampler algorithm, it can reproduce the entire computation of the sampler and use it in its simulation. In fact, as we discuss below, it suffices for our proofs to have \({\mathcal {F}}_{\textsc {}} \) output a trace of its choices to the simulator instead of all the coins that were used to sample this trace.

Execution traces As mentioned above, in the synchronous communication model, the execution of the ideal functionality must take the same number of rounds as the protocol. For example, suppose that the functionality \({\mathcal {F}}_{\textsc {}} \) in our illustration above is used as a hybrid by a higher-level protocol \(\pi '\). The functionality \({\mathcal {G}}_{\textsc {}} \) realized by \(\pi '\) must, similarly to \({\mathcal {F}}_{\textsc {}} \), choose an upper bound on the number of rounds that elapse before parties obtain their outputs. However, this upper bound now depends not only on \(\pi '\) itself but also on \(\pi \) (in particular, when \(\pi \) is a probabilistic-termination protocol).

Given the above, the round sampler of a functionality needs to keep track of how the functionality was realized. This can be achieved via the notion of a trace. A trace basically records which hybrids were called by a protocol, and in a recursive way, for each hybrid, which hybrids would have been called by a protocol realizing that hybrid. The recursion ends with the hybrids that are “assumed” by the model, called atomic functionalities (in this paper atomic functionalities are the secure point-to-point communication functionality and the correlated-randomness functionality for broadcast).

Building on our running illustration above, suppose protocol \(\pi '\) (realizing \({\mathcal {G}}_{\textsc {}} \)) makes ideal hybrid calls to \({\mathcal {F}}_{\textsc {}} \) and to some atomic functionality \({\mathcal {H}}_{\textsc {}} \). Assume that in an example execution, \(\pi '\) happens to make (sequential) calls to instances of \({\mathcal {H}}_{\textsc {}} \) and \({\mathcal {F}}_{\textsc {}} \) in the following order: \({\mathcal {F}}_{\textsc {}} \), then \({\mathcal {H}}_{\textsc {}} \), and finally \({\mathcal {F}}_{\textsc {}} \) again. Moreover, assume that \({\mathcal {F}}_{\textsc {}} \) is replaced by protocol \(\pi \) (realizing \({\mathcal {F}}_{\textsc {}} \)) and that \(\pi \) happens to make two (sequential) calls to \({\mathcal {H}}_{\textsc {}} \) upon the first invocation by \(\pi '\), and three (sequential) calls to \({\mathcal {H}}_{\textsc {}} \) the second time. (We assume that both \(\pi \) and \(\pi '\) call exactly one hybrid in every round.) Then, this would result in the trace depicted in Fig. 9.

Fig. 9

Example of an execution trace

Assume that \(\pi \) is a probabilistic-termination protocol and \(\pi '\) a deterministic-termination protocol. Consequently, this means that \({\mathcal {F}}_{\textsc {}} \) is in fact a flexibly wrapped functionality of some CSF \({\mathcal {F}}_{\textsc {}} '\), i.e., \({\mathcal {F}}_{\textsc {}} ={\mathcal {W}}_{\mathrm {flex}} ^{D_{{\mathcal {F}}_{\textsc {}}}}({\mathcal {F}}_{\textsc {}} ')\), where the distribution \({D_{{\mathcal {F}}_{\textsc {}}}}\) samples (from a distribution induced by \(\pi \)) depth-1 traces with root \({\mathcal {W}}_{\mathrm {flex}} ^{D_{{\mathcal {F}}_{\textsc {}}}}({\mathcal {F}}_{\textsc {}} ')\) and leaves \({\mathcal {H}}_{\textsc {}} \).¹⁹ Similarly, \({\mathcal {G}}_{\textsc {}} \) is a strictly wrapped functionality of some CSF \({\mathcal {G}}_{\textsc {}} '\), i.e., \({\mathcal {G}}_{\textsc {}} ={\mathcal {W}}_{\mathrm {strict}} ^{D_{{\mathcal {G}}_{\textsc {}}}} ({\mathcal {G}}_{\textsc {}} ')\), where the distribution \(D_{{\mathcal {G}}_{\textsc {}}}\) first samples (from a distribution induced by \(\pi '\)) a depth-1 trace with root \({\mathcal {W}}_{\mathrm {strict}} ^{D_{{\mathcal {G}}_{\textsc {}}}} ({\mathcal {G}}_{\textsc {}} ')\) and leaves \({\mathcal {W}}_{\mathrm {flex}} ^{D_{{\mathcal {F}}_{\textsc {}}}}({\mathcal {F}}_{\textsc {}} ')\) as well as \({\mathcal {H}}_{\textsc {}} \). Then, each leaf node \({\mathcal {W}}_{\mathrm {flex}} ^{D_{{\mathcal {F}}_{\textsc {}}}}({\mathcal {F}}_{\textsc {}} {}')\) is replaced by a trace (independently) sampled from \(D_{{\mathcal {F}}_{\textsc {}}}\). Thus, the example trace from Fig. 9 would look as in Fig. 10.

Fig. 10

An execution trace with probabilistic-termination and deterministic-termination protocols

1.4 Strict and Flexible Wrappers

This section contains the definitions of the strict wrapper \({\mathcal {W}}_{\mathrm {strict}} \) and of the flexible wrapper \({\mathcal {W}}_{\mathrm {flex}} \).

Fig. 11

The strict-wrapper functionality

Strict-wrapper functionality The strict-wrapper functionality, formally defined in Fig. 11, is parametrized by (a sampler that induces) a distribution \(D\) over traces, and internally runs a copy of a CSF functionality \({\mathcal {F}}_{\textsc {}} \). Initially, a trace \(T \) is sampled from \(D\); this trace is given to the adversary once the first honest party provides its input. The trace \(T \) is used by the wrapper to define the termination round \(\rho _\mathsf {term}\leftarrow c_{\mathsf {tr}} (T)\). In the first round, the wrapper forwards all the messages from the parties and the adversary to (and from) the functionality \({\mathcal {F}}_{\textsc {}} \). Next, the wrapper essentially waits until round \(\rho _\mathsf {term}\), with the exception that the adversary is allowed to send \((\texttt {adv-input},\mathsf {sid},\cdot )\) messages and change its input to the function computed by the CSF. Finally, when round \(\rho _\mathsf {term}\) arrives, the wrapper provides the output generated by \({\mathcal {F}}_{\textsc {}} \) to all parties.

Flexible-wrapper functionality The flexible-wrapper functionality, defined in Fig. 12, follows in similar lines as the strict wrapper. The difference is that the adversary is allowed to instruct the wrapper to deliver the output to each party at any round. In order to accomplish this, the wrapper assigns a termination indicator \(\mathsf {term}_i\), initially set to 0, to each party. Once the wrapper receives an \((\texttt {early-output},\mathsf {sid},\cdot )\) request from the adversary for \(P _i\), it sets \(\mathsf {term}_i\leftarrow 1\). Now, when a party \(P _i\) sends a \((\texttt {fetch-output},\mathsf {sid})\) request, the wrapper checks if \(\mathsf {term}_i=1\), and lets the party receive its output in this case (by forwarding the \((\texttt {fetch-output},\mathsf {sid})\) request to \({\mathcal {F}}_{\textsc {}} \)). When the guaranteed-termination round \(\rho _\mathsf {term}\) arrives, the wrapper provides the output to all parties that did not receive it yet.

Fig. 12

The flexible wrapper functionality

1.5 Slack-Tolerant Wrappers

Slack-tolerant strict wrapper The slack-tolerant strict wrapper \({\mathcal {W}}_{\mathrm {sl\text {-}strict}} ^{D,c}\), formally defined in Fig. 13, is parametrized by an integer \(c\ge 0\), which denotes the amount of slack tolerance that is added, and a distribution D over traces. The wrapper \({\mathcal {W}}_{\mathrm {sl\text {-}strict}} \) is similar to \({\mathcal {W}}_{\mathrm {strict}} \) but allows parties to provide input within a window of \(2c+1\) rounds and ensures that they obtain output with the same slack they started with. The wrapper essentially increases the termination round by a factor of \(B_{c} = 3c+1\), which is due to the slack-tolerance technique used to implement the wrapped version of the atomic parallel SMT functionality (see [16]).

Fig. 13

The slack-tolerant strict-wrapper functionality

Slack-tolerant flexible wrapper The slack-tolerant flexible wrapper \({\mathcal {W}}_{\mathrm {sl\text {-}flex}} ^{D,c}\), formally defined in Fig. 14, is parametrized by an integer \(c\ge 0\), which denotes the amount of slack tolerance that is added, and a distribution D over traces. The wrapper \({\mathcal {W}}_{\mathrm {sl\text {-}flex}} \) is similar to \({\mathcal {W}}_{\mathrm {flex}} \) but allows parties to provide input within a window of \(2c+1\) rounds and ensures that all honest parties will receive their output within two consecutive rounds. The wrapper essentially increases the termination round to

$$\begin{aligned} \rho _\mathsf {term}= B_{c} \cdot c_{\mathsf {tr}} (T) + 2 \cdot {\mathsf {flex_{tr}}} (T) + c, \end{aligned}$$

where the blow-up factor \(B_{c}\) is as explained above, and the additional factor of 2 results from the termination protocol of Bracha [7] used for every flexibly wrapped CSF, which increases the round complexity by at most two additional rounds (recall that \({\mathsf {flex_{tr}}} (T)\) denotes the number of such CSFs), and c is due to the potential slack. \({\mathcal {W}}_{\mathrm {sl\text {-}flex}} \) allows the adversary to deliver output at any round prior to \(\rho _\mathsf {term}\) but ensures that all parties obtain output with a slack of at most one round. Moreover, it allows the adversary to obtain the output using the \((\texttt {get-output},\mathsf {sid})\) command, which is necessary in order to simulate the termination protocol.

Fig. 14

The slack-tolerant flexible wrapper functionality

1.6 Compilers and Composition Theorems

Deterministic-termination compiler Let \({\mathcal {F}}_{\textsc {}}, {\mathcal {F}}_{\textsc {}} {}_1,\ldots ,{\mathcal {F}}_{\textsc {}} {}_m\) be canonical synchronous functionalities, and let \(\pi \) be an SNF protocol that UC-realizes the strictly wrapped functionality \({\mathcal {W}}_{\mathrm {strict}} ^D({\mathcal {F}}_{\textsc {}})\), for some depth-1 distribution D, in the \(({\mathcal {F}}_{\textsc {}} {}_1,\ldots ,{\mathcal {F}}_{\textsc {}} {}_m)\)-hybrid model, assuming that all honest parties receive their inputs at the same round. The compiler \(\mathsf {Comp}_{\textsc {dt}} ^c\), parametrized with a slack parameter \(c\ge 0\), receives as input the protocol \(\pi \) and distributions \(D_1,\ldots ,D_m\) over traces and replaces every call to a CSF \({\mathcal {F}}_{\textsc {}} {}_i\) with a call to the wrapped CSF \({\mathcal {W}}_{\mathrm {sl\text {-}strict}} ^{D_i,c}({\mathcal {F}}_{\textsc {}} {}_i)\). We denote the output of the compiler by \(\pi ' = \mathsf {Comp}_{\textsc {dt}} ^c(\pi ,D_1,\ldots ,D_m)\).

The compiled protocol \(\pi '\) realizes \({\mathcal {W}}_{\mathrm {sl\text {-}strict}} ^{{D^{\mathsf {full}}},c}({\mathcal {F}}_{\textsc {}})\), for a suitably adapted distribution \({D^{\mathsf {full}}}\), assuming all parties start within \(c+1\) consecutive rounds. Consequently, the compiled protocol \(\pi '\) can handle a slack of up to c rounds while using hybrids that are realizable themselves. Calling the wrapped CSFs instead of the original CSFs \({\mathcal {F}}_{\textsc {}} {}_1,\ldots ,{\mathcal {F}}_{\textsc {}} {}_m\) affects the trace corresponding to \({\mathcal {F}}_{\textsc {}} \). The new trace \({D^{\mathsf {full}}}= \mathsf {full}\text {-}\mathsf {trace}(D,D_1,\ldots ,D_m)\) is obtained as follows:

1. 1.

   Sample a trace \(T \leftarrow D\), which is a depth-1 tree with a root label \({\mathcal {W}}_{\mathrm {strict}} ^{D} ({\mathcal {F}}_{\textsc {}})\) and leaves from the set \(\{{\mathcal {F}}_{\textsc {}} {}_1,\ldots ,{\mathcal {F}}_{\textsc {}} {}_m\}\).

2. 2.

   Construct a new trace \(T '\) with a root label \({\mathcal {W}}_{\mathrm {sl\text {-}strict}} ^{{D^{\mathsf {full}}},c}({\mathcal {F}}_{\textsc {}})\).

3. 3.

   For each leaf node \({\mathcal {F}}_{\textsc {}} ' = {\mathcal {F}}_{\textsc {}} {}_i\), for some \(i\in [m]\), sample a trace \(T _i \leftarrow D_i\) and append the trace \(T _i\) to the first layer in \(T '\) (i.e., replace the node \({\mathcal {F}}_{\textsc {}} {}'\) with \(T _i\)).

4. 4.

   Output the resulting trace \(T '\).

To illustrate what a full trace is, consider a two-round SFE protocol \(\pi \) that uses a broadcast channel in both rounds (e.g., the protocol from [20] that is adaptively secure and guarantees output delivery). That is, the SNF protocol \(\pi \) is defined in the \({\mathcal {F}}_{\textsc {pbc}} \)-hybrid model, where \({\mathcal {F}}_{\textsc {pbc}} \) is an uninstantiable two-round CSF.²⁰ The distribution \(D_\pi \) outputs a trace consisting of a root labeled with \({\mathcal {W}}_{\mathrm {strict}} ^{D_\pi } ({\mathcal {F}}_{\textsc {sfe}} )\), and two (ordered) children \(({\mathcal {F}}_{\textsc {pbc}},{\mathcal {F}}_{\textsc {pbc}})\). Now, consider the compiled protocol \(\pi ' = \mathsf {Comp}_{\textsc {dt}} ^c(\pi ,D_1,D_2)\), where \(D_1\) and \(D_2\) are the distributions corresponding to the protocol of Dolev and Strong [25], consisting of \(t+1\) point-to-point rounds, i.e., a root labeled with \({\mathcal {W}}_{\mathrm {sl\text {-}strict}} ^{D_1,c}({\mathcal {F}}_{\textsc {pbc}})\), and \((t+1)(3c+1)\) (ordered) children \(({\mathcal {F}}_{\textsc {psmt}},\ldots ,{\mathcal {F}}_{\textsc {psmt}})\) (recall that each round is replaced by \(3c+1\) rounds to support a slack of c rounds). Then, the full trace \(D_\pi ^{\mathsf {full}} = \mathsf {full}\text {-}\mathsf {trace}(D_\pi ,D_1,D_2)\) outputs a root labeled with \({\mathcal {W}}_{\mathrm {sl\text {-}strict}} ^{D_\pi ^{\mathsf {full}},c} ({\mathcal {F}}_{\textsc {sfe}} )\) with two (ordered) children \({\mathcal {W}}_{\mathrm {sl\text {-}strict}} ^{D_1,c} ({\mathcal {F}}_{\textsc {pbc}})\) and \({\mathcal {W}}_{\mathrm {sl\text {-}strict}} ^{D_2,c} ({\mathcal {F}}_{\textsc {pbc}})\), each has \((t+1)(3c+1)\) (ordered) children \(({\mathcal {F}}_{\textsc {psmt}},\ldots ,{\mathcal {F}}_{\textsc {psmt}})\). (To simplify the example and focus on the meaning of a full trace, we swipe some details under the rug, such as the correlated randomness functionality that is needed for the protocol from [20] and that the protocol from [25] achieves unfair broadcast rather than broadcast.)

Probabilistic-termination compiler Let \({\mathcal {F}}_{\textsc {}}, {\mathcal {F}}_{\textsc {}} {}_1,\ldots ,{\mathcal {F}}_{\textsc {}} {}_m\) be canonical synchronous functionalities, and let \(\pi \) be an SNF protocol that UC-realizes the flexibly wrapped functionality \({\mathcal {W}}_{\mathrm {flex}} ^D({\mathcal {F}}_{\textsc {}})\) in the \(({\mathcal {F}}_{\textsc {}} {}_1,\ldots ,{\mathcal {F}}_{\textsc {}} {}_m)\)-hybrid model, for some depth-1 distribution D, assuming all parties start at the same round. Define the following compiler \(\mathsf {Comp}_{\textsc {ptr}} ^c\), parametrized by a slack parameter \(c\ge 0\). The compiler receives as input the protocol \(\pi \), distributions \(D_1,\ldots ,D_m\) over traces, and a subset \(I\subseteq [m]\) indexing which CSFs \({\mathcal {F}}_{\textsc {}} {}_i\) are to be wrapped with \({\mathcal {W}}_{\mathrm {sl\text {-}flex}} \) and which with \({\mathcal {W}}_{\mathrm {sl\text {-}strict}} \); every call in \(\pi \) to a CSF \({\mathcal {F}}_{\textsc {}} {}_i\) is replaced with a call to the wrapped CSF \({\mathcal {W}}_{\mathrm {sl\text {-}flex}} ^{D_i,c}({\mathcal {F}}_{\textsc {}} {}_i)\) if \(i\in I\) or to \({\mathcal {W}}_{\mathrm {sl\text {-}strict}} ^{D_i,c}({\mathcal {F}}_{\textsc {}} {}_i)\) if \(i\notin I\).

In addition, the compiler adds the termination procedure, based on an approach originally suggested by Bracha [7], which ensures all honest parties will terminate within two consecutive rounds:

• As soon as a party is ready to output a value y (according to the prescribed protocol) or upon receiving at least \(t+1\) messages \((\texttt {end},\mathsf {sid},y)\) for the same value y (whichever happens first), it sends \((\texttt {end},\mathsf {sid},y)\) to all parties.

• Upon receiving \(n-t\) messages \((\texttt {end},\mathsf {sid},y)\) for the same value y, a party outputs y as the result of the computation and halts.

This termination technique only applies to public-output functionalities; therefore, only CSFs with public output can be wrapped by \({\mathcal {W}}_{\mathrm {sl\text {-}flex}} \). We denote the output of the compiler by \(\pi ' = \mathsf {Comp}_{\textsc {ptr}} ^c(\pi ,D_1,\ldots ,D_m,I)\).

The compiled protocol \(\pi '\) UC-realizes the wrapped functionality \({\mathcal {W}}_{\mathrm {sl\text {-}flex}} ^{{D^{\mathsf {full}}},c} ({\mathcal {F}}_{\textsc {}})\), for the adapted distribution \({D^{\mathsf {full}}}=\mathsf {full}\text {-}\mathsf {trace}(D,D_1,\ldots ,D_m)\). Consequently, the compiled protocol \(\pi '\) can handle a slack of up to c rounds, while using hybrids that are realizable themselves, and ensuring that the output slack is at most one round (as opposed to \(\pi \)). Calling the wrapped hybrids instead of the CSFs affects the trace corresponding to \({\mathcal {F}}_{\textsc {}} \) in exactly the same way as in the case with deterministic termination.²¹

The probabilistic-termination compiler \(\mathsf {Comp}_{\textsc {ptr}} ^c\) is suitable for SNF protocols that implement a flexibly wrapped functionality, e.g., the (adjusted) protocol of Feldman and Micali [27] that realizes randomized Byzantine agreement. Indeed, such protocols introduce new slack; hence, the slack-reduction technique described above is needed to control the new slack and reduce it to \(c=1\). As pointed out in [16], in some cases the SNF protocol may realize a strictly wrapped functionality; however, some of the hybrids are to be wrapped using the flexible wrapper. An example for the latter type of probabilistic-termination protocols is the BGW protocol [6] that has deterministic termination in the broadcast model, yet, once the broadcast channel is implemented using randomized protocols, the obtained protocol has probabilistic termination. For that reason, a second probabilistic-termination compiler \(\mathsf {Comp}_{\textsc {pt}} ^c\), without the slack-reduction procedure, was introduced in [16].

To continue with our illustration, consider again a two-round SFE protocol \(\pi \) that uses a broadcast channel in both rounds, where the distribution \(D_\pi \) outputs a trace consisting of a root labeled with \({\mathcal {W}}_{\mathrm {strict}} ^{D_\pi } ({\mathcal {F}}_{\textsc {sfe}} )\) and two (ordered) children \(({\mathcal {F}}_{\textsc {pbc}},{\mathcal {F}}_{\textsc {pbc}})\). Now, instead of using the protocol of Dolev and Strong [25], consider the parallel-broadcast protocol from Theorem 3.5 that consists of r constant-round phases, followed by two rounds for slack-reduction; the number of rounds in a phase is denoted by \({\mathsf {const}}\), and the number of phases r is sampled from a geometric distribution. The compiled protocol is \(\pi ' = \mathsf {Comp}_{\textsc {pt}} ^c(\pi ,D_1,D_2)\), where \(D_1\) and \(D_2\) are the distributions that output a root labeled with \({\mathcal {W}}_{\mathrm {sl\text {-}flex}} ^{D_1,c}({\mathcal {F}}_{\textsc {pbc}})\), and \(r \cdot {\mathsf {const}}\cdot (3c+1)+2\) (ordered) children \(({\mathcal {F}}_{\textsc {psmt}},\ldots ,{\mathcal {F}}_{\textsc {psmt}})\), where r is sampled from the corresponding geometric distribution (recall that each round is replaced by \(3c+1\) rounds to support a slack of c rounds). Then, the full trace \(D_\pi ^{\mathsf {full}} = \mathsf {full}\text {-}\mathsf {trace}(D_\pi ,D_1,D_2)\) outputs a root labeled with \({\mathcal {W}}_{\mathrm {sl\text {-}flex}} ^{D_\pi ^{\mathsf {full}},c} ({\mathcal {F}}_{\textsc {sfe}} )\) with two (ordered) children \({\mathcal {W}}_{\mathrm {sl\text {-}flex}} ^{D_1,c} ({\mathcal {F}}_{\textsc {pbc}})\) and \({\mathcal {W}}_{\mathrm {sl\text {-}flex}} ^{D_2,c} ({\mathcal {F}}_{\textsc {pbc}})\), where the first child has \(r_1 \cdot {\mathsf {const}}\cdot (3c+1)+2\) (ordered) children \(({\mathcal {F}}_{\textsc {psmt}},\ldots ,{\mathcal {F}}_{\textsc {psmt}})\) and the second child has \(r_2 \cdot {\mathsf {const}}\cdot (3c+1)+2\) (ordered) children \(({\mathcal {F}}_{\textsc {psmt}},\ldots ,{\mathcal {F}}_{\textsc {psmt}})\), where \(r_1\) and \(r_2\) are independently sampled from the corresponding geometric distribution.