 Hello everyone, welcome to this talk on Synchronous Constructive Cryptography. I am Chenda, this is joint work with Wally Mauder and we are from ETH Zurich. Let me start with a very simple naive example. One could understand a broadcast protocol as implementing an ideal megaphone that allows a designated sender to input a value B into the megaphone and around later everyone learns this value. However, this is not quite true with typical broadcast protocols as they do not provide any secrecy of the message while being broadcasted. And in particular, typically the adversary learns the message already in the first round of the protocol. This is a problem because if one uses a typical broadcast protocol as a primitive instead of the ideal megaphone, the protocol could be insecure. For example, one could consider a naive randomness generation protocol where all parties broadcast a random bit and parties X or the bits that are received and this would be insecure because the adversary can control what the output is. The goal of composable frameworks is to capture all relevant guarantees that a protocol offers when run in any possible application. Composable frameworks allow to express the guarantees that a protocol achieves in a clean manner and also allow to analyze the security of a complex application assuming idealized subcomponents and without the need to talk about how the subcomponents can be securely implemented. Moreover, the security holds irrespective of where the protocol is executed. To some extent, one could argue that composable security is ultimately necessary. When designing a composable framework, one has to decide how expressive the framework should be meaning which element one wants to capture, which tasks and which elements should be abstracted away. At the same time, the model should be simple and intuitive so that people use it. And usually it is the case that there is a trade-off between generality and usability or simplicity. For example, the widely used UC framework is quite general, but it is also definitely not simple. In this paper, we ask the question, can we create a simple framework which is clean and maybe even minimal in some sense, at least for a restricted setting? And there are many reasons why one would want that. And one of the main reasons is that most proofs and sometimes even statements that are made using current composable general frameworks tend to be rather informal. The reason is that it is kind of tedious and difficult to make them complete. It usually takes a lot of space and there are always subtleties. So people opt to write rather proof sketches high level, which in the worst case might turn out to be technically wrong. A second reason might be that doing such a framework can be beneficial for teaching purposes. Maybe to lower the entrance fee for those that are not familiar with composable frameworks. And finally, it would be very interesting to have such a simple framework if it serves as a basis for formal verification, which I think is an important research direction that is gaining traction in NPC these years. There are many axes that one can consider. Our focus is on synchronous protocols. And as a first step, we also consider only information theoretic statements and static corruption with a fixed number of parties. Focusing on synchronous protocols is meaningful since the vast majority of the protocols in the literature are synchronous and they are usually simpler to understand and achieve better guarantees than their asynchronous counterpart. And in reality, synchronous protocols are justified if one assumes sufficiently synchronized clocks and an upper bound on the network delay. An interest in future extension could be, for example, extending the framework to also consider computational statements and adaptive corruption. Current models for synchronous protocols are not designed to minimally capture this setting. They are typically built on top of an asynchronous model, usually the UC framework by Canetti, which means that one has to consider extract functionalities like an explicit clock or a synchronization functionality. Then one also has to talk about activation pattern, the message scheduling, and so on. Our goal is to design a framework tailored to a synchronous setting, which allows to hopefully describe protocols in an intuitive manner and also allows for simple proofs without the need to talk about elements that should not be part of the synchronous setting. A basic idea which one can find in many disciplines is the idea of specifications. Here one considers a set phi of possible objects and then a specification u is simply a subset of phi. For example, one can consider programs and the specification of programs that compute a certain function with specific efficiency metrics. Another example could be like, for example, the set of all sushi plates and the specification of nigidis, which is a particular type of sushi plate. A specification corresponds to a guarantee and smaller specifications hence correspond to stronger guarantees. A construction is a function that transforms an object into another object. This induces a transformation between specifications. For example, if one considers the specification of pairs of rice and an ingredient that can be, say, salmon, tuna or shrimp, then one can apply the recipe function and show that no matter which pair of rice and ingredient, the recipe applied to that pair leads to an object inside the set S, which for example can correspond to the set of nigidis. More generally, a construction statement from specification R to specification S states that if the construction function is applied to any object in specification R, then the resulting object is guaranteed to satisfy specification S. This idea of having specifications and constructions is adopted in the constructive cryptography framework by Maurer and Renner, where the set phi is a set of objects that are systems called resources with interfaces to the parties. The parties can interact with the system via their corresponding interfaces and apply a so-called converter, which can be thought of as a system that executes the protocol engine. In the multi-party setting, we consider systems with n interfaces, one per party. A protocol then consists of a tuple of converters, also one per party, and the construction consists of each party applying its converter. However, in the multi-party setting, an essential aspect is that parties can be either honest or dishonest. While an honest party applies its converter, there is no guarantee from dishonest parties. The goal is then to state meaningful guarantees for the set of honest parties. Therefore, the multi-party construction notion states a separate guarantee for each possible set of honest parties. For example, if parties 1, 3 and 4 are honest, they apply their converter, and the construction statement would state that this specification is part of an ideal specification S sub 1, 3 and 4. The special case often considered in the literature is that where one provides guarantees only if the set of dishonest parties is within a so-called adversary structure. For example, say if the set of corrupted parties has size at most t. This simply means that for those sets that have too many dishonest parties, there is no guarantee. Furthermore, equivalently, the resource is only known to satisfy the trivial specification phi. Also note that this construction notion generalizes the traditional simulation-based notion where the ideal specification is described in a particular way, namely as an ideal system S with a simulator attached to the dishonest interfaces. We can see the overall system S with the simulator as the ideal specification. And actually we do not want to talk about the simulator. And perhaps a better interpretation is that we want to model the specification of a system S that has no guarantees at the dishonest interfaces. And this corresponds to the set of all systems of the form S with any possible converter attached to the dishonest interface. In this case, interface 2 meaning that anything can happen there. This is defined as the so-called star relaxation in constructive cryptography. We instantiate the notions of resources and converters for our synchronous setting. These are modeled as a special type of random systems. Resources are very simple. These are just systems with n interfaces that simply take an input at each interface and produce an output at every interface. And converters are also systems that with two interfaces, an outside and an inside interface, which will be the interface that is attached to the resource. They take an input from the outside, produce an output to the inside, and then subsequently they take an input from the inside and produce an output to the outside. And one can then easily check that attaching a converter to the resource leads to another resource. The described resource type captures that all parties act in a synchronized manner. Meaning that in each round invocation, all parties give input to the resource and obtain an output from the resource. This implies in particular that any input given to the resource at round R depends solely on the previous outputs up to round R-1. However, typically one allows the dishonest parties inputs to also depend on partial information of the current round inputs from honest parties. This is often denoted as rushing in the literature. And to model such causality guarantees, we follow the standard approach of dividing a round into two semi rounds, which we denote R-A and R-B. In the first semi round, the resource takes inputs from the honest parties and give an output to the dishonest parties. And no output is given to the honest parties. In the second semi round, the resource takes inputs from the dishonest parties and then gives an output to all parties. For the rest of the talk, I will give a few examples on how to state resources in this framework. For example, consider an authenticated channel with upper bound delta. What we expect from an authenticated channel with upper bound is that honest parties are guaranteed to obtain the message after delta rounds. And one can model this channel in a relatively straightforward manner by saying that the sender inputs a message at some round K and then honest parties receive the message at round K plus delta. And typically we would also say that the dishonest parties get the message in the same round K. But we might not want to guarantee that either. Maybe we want to say that honest parties get the message after delta rounds. And there are no further guarantees. This is the only thing we want to say. So to model that we consider a star relaxation. And this basically says that anything could happen at the dishonest party interfaces. Or more technically, any converter can be attached to the dishonest interfaces. In particular, the converter could block the message, could also scramble it, could deliver it later, anything could happen. Another example is the broadcast megaphone. We might want to model a megaphone that allows a sender to input a message at round K and then honest recipients receive the message at round L. And traditionally we would prove two properties. Validity meaning that if the sender is honest, all parties output the sender's message and consistency meaning that in any case all honest parties output the same message. And to model such a broadcast megaphone we can simply encode both properties into the resource specification. We can for example define the set of all resources that satisfy the validity and consistency property. That is, the honest parties outputs at round L are the same and correspond to the input given at round K if the sender is honest. This allows to capture property-based security guarantees in a straightforward manner and therefore unifying property-based and composable definitions. Moreover, the proof that a protocol constructs a broadcast specification is exactly the same as in the property-based case. We introduce a simple ideal interactive computer resource in line with the arithmetic black box functionality introduced by Damgar and Nielsen and which resembles an old-school pocket calculator that admits a small instruction set and has an array of value registers and an instruction queue. The resource has N plus 1 interfaces and the interfaces from 1 to N are used to give inputs to the resource and receive outputs from the resource. Moreover, there is a special interface, let's call it INS, which is used to write instruction into the queue of instructions to be processed. So the resource works as follows. It receives an instruction via the INS interface and then the resource stores the instruction into the queue and also outputs the instruction to all interfaces from 1 to N. The resource can consecutively receive instructions and for each instruction the same will happen. When the queue is non-empty the resource pops an instruction from the queue and starts processing it and the resource tolerates four types of instructions input, output, addition and multiplication. Each instruction takes a certain number of rounds to be processed and these are processed sequentially. For example, when processing an input instruction the resource expects an input at interface I and stores the input value at position P, in this case 3 of the value register. When processing an output instruction, output IP the resource takes the value at position P and outputs it at the corresponding interface I. For example, it can take the previously stored value at position 3 and output it at interface 4. So an additional instruction is naturally defined and it simply adds the values at positions P1 and P2 and stores the result at position P3 and the multiplication instruction is defined similarly. One can show that assuming an ideal broadcast specification and a complete network of pairwise secure channels and traditional protocols like BGW or simple MPC we actually show it for simple MPC only can construct the computer resource meaning that for each set of dishonest parties with size up to n-third one can get a computer resource specification where the interfaces at dishonest parties are star-relaxed. And for each set above n-third there are no guarantees meaning that the resource specification is the set of all resources. To conclude we have introduced a simple model tailored to the setting of synchronous protocols where parties are honest or dishonest and the statements are purely information theoretic. Our framework is also flexible to capture property-based formalizations and can be extended to further settings. Here you can find a link to the full version of the paper and thank you very much for listening and I hope to see you all at the online conference.