Docs: Add preliminaries

Author: InfiniteSynthesis

content/preliminaries/contd.tex

@@ -0,0 +1,80 @@
+\section{Preliminaries (Cont'd)}
+\label{sec:preliminaries-contd}
+
+\paragraph{Global clock.}
+%
+We model synchronous processors using \funcClock (cf.~\cite{TCC:KMTZ13}).
+%
+At a high level, \funcClock maintains a round variable $\tau$ for each session, and the round forwards only when all registered parties send \funcClock the \textsc{clock-update} command.
+%
+The current time can be checked by sending a \textsc{clock-read} command.
+%
+Whenever a party who has finished the computation in a round is activated, she checks if the time from \funcClock has been forwarded; if not, she does nothing and wait for the next activation.
+
+\input{functionalities/global-clock}
+
+\paragraph{Diffuse functionalities.}
+%
+We model the \delay-bounded delay network with \funcDiffuse \cite{C:BMTZ17}.
+%
+Note that once a corrupted message reaches at least one honest party at round $r$, \funcDiffuse guarantees to deliver this message to all honest parties before round $r + \delay$ (i.e., honest parties keep ``echoing'' messages).
+%
+By convention, different types of messages are diffused by different functionalities, and we write $\funcDiffuse^{\mathsf{bc}}$, $\funcDiffuse^{\mathsf{tx}}$, $\funcDiffuse^{\mathsf{pb}}$, $\funcDiffuse^\pk$ to denote the network for chains, transactions, profile blocks and enclave public keys respectively.
+
+\input{functionalities/diffuse}
+
+\paragraph{Random oracle for PoW and its wrapper.}
+%
+Our random oracle for generating PoW follows that in~\cite{C:BMTZ17} except that now it is a shared functionality.
+
+\input{functionalities/global-random-oracle}
+
+In order to limit the adversary on making a certain number of queries per round, we adopt a functionality wrapper \cite{C:BMTZ17} that wraps the corresponding resource to capture such restrictions.
+%
+Note that since now \funcGRO is shared among different sessions, the adversary can ask the environment to make queries on behalf.
+%
+Hence, our wrapper \wrapper{\funcGRO} also puts restrictions on queries that are made by the environment.
+
+\input{functionalities/global-random-oracle-wrapper}
+
+\paragraph{Global random oracle.}
+%
+The restricted programmable and observable global random oracle \funcGrpoRO follows the modelling in~\cite{EC:CDGLN18}.
+%
+We allow the adversary to observe and program the GRO; meantime, every party (in the same session) can check if a point is programmed by calling the ``IsProgrammed'' interface.
+
+\input{functionalities/global-random-oracle-rpo}
+
+\paragraph{Non-interactive zero knowledge scheme \NIZK.}
+%
+The NIZKPoK scheme that we use in this paper are from \cite{TCC:LysRos22}, specifically a non-interactive, straight-line extractable (NISLE) proof
+system satisfying the following three properties.
+
+\begin{definition}
+    [Overwhelming Completeness]
+    \label{def:overwhelming-completeness}
+
+    A NISLE proof system $\Pi^{\mathtt{SLC}}_R = (\mathtt{Setup}^H, \mathtt{Prove}^H,\allowbreak \mathtt{Verify}^H, \mathtt{SimSetup}, \mathtt{SimProve}, \mathtt{Extract})$ for relation $R$ in the random-oracle model has the \emph{overwhelming completeness} property if for any security parameter $\lambda$, any random oracle $H$, any $(x, w) \in R$, and any proof $\pi \gets \Pi^{\mathtt{SLC}}_R.\mathtt{Prove}^H(x, w)$,
+    %
+    \( \Pr[\Pi^{\mathtt{SLC}}_R.\mathtt{Verify}^H(x, \pi) = 1] \ge 1 - \negl(\lambda). \)
+\end{definition}
+
+\begin{definition}
+    [Non-Interactive Multiple SHVZK]
+    \label{def:non-interactive-multiple-SHVZK}
+    
+    A NISLE proof system $\Pi^{\mathtt{SLC}}_R = (\mathtt{Setup}^H,\allowbreak \mathtt{Prove}^H,\allowbreak \mathtt{Verify}^H,\allowbreak \mathtt{SimSetup},\allowbreak \mathtt{SimProve},\allowbreak \mathtt{Extract})$ for relation $R$ in the random-oracle model has the \emph{non-interactive multiple special honest-verifier zero-knowledge (NIM-SHVZK)} property if for any security parameter $\lambda$, any random oracle $H$, any PPT adversary \adv, and a bit $b \overset{\$}{\gets} \{0, 1\}$, ther exist some negligible function \negl such that $\Pr[b' = b] \le 1 /2 + \negl(\lambda)$, where $b'$ is the result of running the game $\mathsf{NIM}\text{-}\mathsf{SHVZK}^{H_*, *}_{\adv, \Pi^{\mathtt{SLC}}_R} (1^\lambda, b)$.
+    %
+    We say \adv wins the $\mathsf{NIM}\text{-}\mathsf{SHVZK}$ game if $\Pr[b' = b] > 1 / 2 + \negl(\lambda)$.
+\end{definition}
+
+\begin{definition}
+    [Non-Interactive Special Simulation-Soundness]
+    \label{def:non-interactive-special-simulation-soundness}
+    
+    A NISLE proof system $\Pi^{\mathtt{SLC}}_R = (\mathtt{Setup}^H,\allowbreak \mathtt{Prove}^H,\allowbreak \mathtt{Verify}^H,\allowbreak \mathtt{SimSetup},\allowbreak \mathtt{SimProve},\allowbreak \mathtt{Extract})$ for relation $R$ in the random oracle model has the \emph{non-interactive special simulation-soundness} property if for any security parameter $\lambda$, any random oracle $H$, any PPT adversary \adv, there exist some negligible function \negl such that  $\Pr[\mathtt{Fail} \gets \mathsf{NIM}\text{-}\mathsf{SSS}^{H_*, \mathtt{Prog}}_{\adv, \Pi^{\mathtt{SLC}}_R} (1^\lambda)] \le \negl(\lambda)$.
+\end{definition}
+
+For completeness, we also describe the security game $\mathsf{NIM}\text{-}\mathsf{SSS}^{H_*, \mathtt{Prog}}_{\adv, \Pi^{\mathtt{SLC}}_R} (1^\lambda)$ related to the non-interactive special simulation-soundness property of the NIZK protocol where $\mathcal{Q}_\adv$ are \adv's queries to the RO (details see~\cite{TCC:LysRos22}).
+
+\input{games/nim-sss}

content/preliminaries/main.tex

@@ -0,0 +1,86 @@
+\section{Preliminaries}
+\label{sec:preliminaries}
+
+\paragraph{UC basics.}
+%
+We provide our protocols and security proofs in Canetti's universal composition (UC) framework~\cite{JC:Canetti00}. 
+%
+We discuss the main components of our real-world model (including the associated hybrids).
+
+We assume that the reader is familiar with simulation-based security and has basic knowledge of the (G)UC framework.
+%
+We review all the aspects of the execution model that are needed for our protocols and proof, but omit some of the low-level details and refer the interested reader to relevant works wherever appropriate.  
+
+We now recall the mechanics of activations in UC.
+%
+In a UC protocol execution, an honest party (ITI)  gets activated either by receiving an input from the environment, or by receiving a message from one of its hybrid functionalities (or from the adversary).
+%
+Any activation results in the activated ITI performing some computation on its view of the protocol and its local state, and ends with either the party sending a message to some of its hybrid functionalities, sending an output to the environment, or not sending any message at all.
+%
+In any of these cases, the party loses the activation.\footnote{In the latter
+case the activation goes to the environment by default.}
+%
+We denote the identities of parties by $\party_i$, i.e. $\party_i = (\pid_i,\sid_i)$, and call $\party_i$ a party for short.
+%
+The index $i$ is used to distinguish two identifiers, i.e., $\party_i \neq \party_j$, and otherwise carries no meaning.
+%
+We will assume a central adversary \adv who gets to corrupt miners and might use them to attempt to break the protocol's security.
+%
+As is common in (G)UC, the resources available to the parties are described as hybrid functionalities.
+%
+Our protocols are synchronous (G)UC protocols~\cite{C:BMTZ17}: parties have access to a (global) clock setup, denoted by \funcClock and can communicate over a network diffuse functionality \funcDiffuse (mode details on these functionalities are provided later).
+%
+We next sketch its main components:
+%
+All functionalities, protocols, and setups have a dynamic party set.
+%
+I.e., they all include special instructions allowing parties to register and deregister, and allow the adversary to learn the current set of registered parties.
+%
+Additionally,  global setups allow any other setup (or functionality) to
+register and deregister with them\footnote{We note that the functionality can learn the code of the registering party (functionality) by considering the \emph{extended identifier} in~\cite{TCC:BCHTZ20}.} and also allow other setups to learn their set of registered parties.
+
+\paragraph{Clock and diffusion functionality.}
+%
+Following the treatment in~\cite{C:BMTZ17}, we model the synchronous processors and bounded-delay network as \funcClock and \funcDiffuse respectively.
+%
+The global clock \funcClock maintains a round index for each session, and this index can only be forwarded when all registered honest parties (in this session) have finished their computation for this round.
+%
+The diffuse functionality \funcDiffuse captures \delay-bounded network --- i.e., when a message (either honest or adversarial) is reached by at least one honest party at round $r$, it is guaranteed to be delivered to all honest parties before round $r + \delay$.
+%
+A detailed description of these functionalities is presented in~\cref{sec:preliminaries-contd}.
+
+\paragraph{Global random oracles.}
+%
+The hash function $H$ to generate PoW is modeled as a (global) random oracle \funcGRO; by convention, we use a wrapper functionalities \wrapper{\funcGRO} to restrict the adversarial and \emph{environmental} access to \funcGRO.
+%
+We assume honest majority in terms of the computational power to solve PoWs.
+%
+I.e., in every round the RO wrapper allows more accesses from the honest parties than the corrupted (and environmental) ones.
+%
+We also adopt a restricted programmable and observable global random oracle \funcGrpoRO \cite{EC:CDGLN18} to model a hash function $G$ that is different from the one used to generate PoW.
+%
+We discuss these two global random oracles in detail in~\cref{sec:preliminaries-contd}.
+
+\paragraph{Non-interactive zero knowledge.}
+%
+For our construction we use a non-interactive, straight-line simulation extractable (NISLE) proof system that relies on \funcGrpoRO as the only setup assumption.
+%
+A protocol that satisfies such a security definition is provided  in~\cite{TCC:LysRos22}.
+%
+We assume familiarity with the notion of simulation extractable NIZK, and refer to~\cref{sec:preliminaries-contd} for the formal definition.
+
+\paragraph{Pseudorandom functions, one-way functions and hardcore bits.}
+%
+Let $F : \{0, 1\}^\ast \times \{0, 1\}^\ast \rightarrow \{0, 1\}^\ast$ be a keyed function.
+%
+$F$ is a pseudorandom function (PRF) if for all PPT distinguisher $D$ it holds that
+%
+\( | \Pr_{k \gets \{0, 1\}^n}[D^{F_k(\cdot)} = 1] - \Pr_{f \gets \mathcal{F}_n}[D^{f}(\cdot) = 1] | \le \negl(n). \)
+%
+A function $f : \{0, 1\}^* \rightarrow \{0, 1\}^*$ is a one-way function if there exists an efficient algorithm for evaluating $f$, and for all PPT adversary \adv, we have
+%
+\( \Pr_{x \gets \{0, 1\}^n}[\adv(f(x)) \in f\inv(f(x))] \le \negl(n). \)
+%
+A hardcore bit is a function $b : \{0, 1\}^\ast \rightarrow \{0, 1\}$ such that for all PPT adversary \adv, it holds that
+%
+\( \Pr_{x \gets \{0, 1\}^n}[\adv(f(x)) = b(x)]| \le \frac{1}{2} + \negl(n). \)

functionalities/diffuse.tex

@@ -0,0 +1,69 @@
+\begin{cccFunctionality}
+      {\funcDiffuse}
+      {diffuse}
+      {The diffusion network.}
+
+      \newcommand*{\msgid}{\ensuremath{\mathsf{mid}}\xspace}
+      \newcommand*{\vecM}{\ensuremath{\vec{M}}\xspace}
+
+      The functionality is parameterized by the network delay \delay.
+
+      \begin{minipage}{\linewidth}
+            \begin{tabularx}{.9\textwidth}{c  X}
+                  \toprule[.3mm]
+                  \textbf{State Variable}
+                   & \textbf{Description}
+                  \\ \midrule[.3mm]
+                  $\partyset \gets \emptyset$
+                   & The set of registered parties.
+                  \\ \midrule
+                  $\vecM \gets [] $
+                   & A dynamically updatable list of quadruples $(m, \msgid, D_{\msgid}, \party)$ where $D_{\msgid}$ denotes the fetch counter.
+                  \\ \bottomrule[.3mm]
+            \end{tabularx}
+            \addtocounter{table}{-1}
+      \end{minipage}
+
+      \paragraph{Network capabilities:}
+      %
+      \begin{cccItemize}[nosep]
+            \item Upon receiving $(\textsc{diffuse}, \sid, m)$ from some
+            $\party_s \in \partyset$, where $\partyset = \{ \party_1, \ldots, \party_n \}$ denotes the current party set, do:
+            %
+            \begin{cccEnum}[nosep]
+                  \item Choose $n$ new unique message-IDs $\msgid_1, \ldots, \msgid_n$.
+                  \item Initialize $2n$ new variables $D_{\msgid_1} := D^{MAX}_{\msgid_1} \ldots := D_{\msgid_n} := D^{MAX}_{\msgid_n} := 1$ and a per message-delay $\delay_{\msgid_i} = \delay$ for $i \in [n]$.
+                  \item Set  $\vecM := \vecM \concat (m, \msgid_1, D_{\msgid_1}, \party_1) \concat \ldots \concat (m, \msgid_n, D_{\msgid_n}, \party_n)$.
+                  \item Send $(\textsc{diffuse}, \sid, m, \party_s, (\party_1, \msgid_1), \ldots ,(\party_n, \msgid_n))$ to the adversary.
+            \end{cccEnum}
+
+            \item Upon receiving $(\textsc{fetch}, \sid)$ from $\party \in \partyset$, or from \adv on behalf of a corrupted party \party:
+            %
+            \begin{cccEnum}[nosep]
+                  \item For all tuples $(m, \msgid, D_\msgid, \party) \in \vecM$, set $D_\msgid := D_\msgid - 1$.
+                  \item Let $\vecM^\party_0$ denote the subvector \vecM including all tuples of the form $(m, \msgid, D_\msgid, \party)$ with $D_\msgid \le 0$ (in the same order as they appear in \vecM).
+                  %
+                  Delete all entries in $\vecM^\party_0$ from \vecM and in case some $(m, \msgid, D_\msgid, \party)$ is in
+                  $\vecM^\party_0$, where \party is honest, set $\delay_{\msgid'} = \delay$ for any $(m, \msgid', D_{\msgid'}, (\cdot, \sid))$ in \vecM and replace this record by $(m, \msgid', \min \{ D_{\msgid'}, \delay \}, \party')$.
+                  \item Output $\vecM^\party_0$ to \party (if \party is corrupted, send $\vecM^\party_0$ to \adv).
+            \end{cccEnum}
+      \end{cccItemize}
+
+      \paragraph{Additional adversarial capabilities:}
+      %
+      \begin{cccItemize}[nosep]
+            \item Upon receiving $(\textsc{diffuse}, \sid, m)$ from some corrupted $\party_s \in \partyset$ (or from \adv on behalf of $\party_s$ if corrupted), 
+            % do 
+            execute it the same way as an honest-sender diffuse, with the only difference that $\delay_{\msgid_i} = \infty$.
+
+            \item Upon receiving $(\textsc{delays}, \sid, (T_{\msgid_{i_1}}, \msgid_{i_1}), \ldots, (T_{\msgid_{i_\ell}}, \msgid_{i_\ell}))$ from the adversary do the following for each pair $(T_{\msgid_{i_j}}, \msgid_{i_j})$:
+            %
+            if $D^{MAX}_{\msgid_{i_j}} + T_{\msgid_{i_j}} \le \delay_{\msgid_{i_j}}$ and $\msgid_{i_j}$ is a message-ID of receiver $\party = (\cdot, \sid)$ registered in the current \vecM, set $D_{\msgid_{i_j}} := D_{\msgid_{i_j}} + T_{\msgid_{i_j}}$ and set $D^{MAX}_{\msgid_{i_j}} := D^{MAX}_{\msgid_{i_j}} + T_{\msgid_{i_j}}$; otherwise, ignore this pair.
+
+            \item Upon receiving $(\textsc{swap}, \sid, \msgid, \msgid')$ from the adversary, if \msgid and $\msgid'$ are message-IDs registered in the current \vecM, then swap the triples $(m, \msgid, D_\msgid, (\cdot, \sid))$ and $(m, \msgid', D_{\msgid'}, (\cdot, \sid))$ in \vecM.
+            %
+            Return $(\textsc{swap}, \sid)$ to the adversary.
+
+            \item Upon receiving $(\textsc{get-reg}, \sid)$ from \adv, return the response $(\textsc{get-reg}, \sid, \partyset)$ to \adv.
+      \end{cccItemize}
+\end{cccFunctionality}

functionalities/global-clock.tex

@@ -0,0 +1,40 @@
+\begin{cccFunctionality}
+    {\funcClock}
+    {clock}
+    {The global clock.}
+
+    This functionality maintains state variables as follows.
+
+    \begin{tabularx}{.9\textwidth}{c X}
+        \toprule[.3mm]
+        \textbf{State Variable}
+         & \textbf{Description}
+        \\ \midrule[.3mm]
+        $\partyset \gets \emptyset$ 
+         & The set of registered parties $\party = (\pid, \sid)$.
+        \\ \midrule
+        $F \gets \emptyset$
+         & The set of registered functionalities (together with their session identifier).
+        \\ \midrule
+        $\tau_\sid \gets 0$
+         & The clock variable for session \sid.
+        \\ \midrule
+        $d_\party \gets 0$
+         & The clock-update variable for $\party = (\pid, \sid) \in \partyset$.
+        \\ \midrule
+        $d(\F, \sid) \gets 0$
+         & The clock-update variable for $(\F, \sid) \in F$.
+        \\ \bottomrule[.3mm]
+    \end{tabularx}
+    \addtocounter{table}{-1}
+
+    \begin{cccItemize}[noitemsep]
+        \item Upon receiving $(\textsc{clock-update}, \sid_C)$ from some party $\party \in \partyset$ set $d_\party \gets 1$; execute \emph{Round-Update} and forward $(\textsc{clock-update}, \sid_C, \party)$ to \adv.
+
+        \item Upon receiving $(\textsc{clock-update}, \sid_C)$ from some functionality \F in a session \sid such that $(\F, \sid) \in F$ set $d(\F, \sid) \gets 1$, execute \emph{Round-Update} and return $(\textsc{clock-update},\allowbreak \sid_C, \F)$ to this instance of \F.
+
+        \item Upon receiving $(\textsc{clock-read}, \sid_C)$ from any participant (including the environment on behalf of a party, the adversary, or any ideal—shared or local—functionality) return $(\textsc{clock-read}, sid_C , \tau_{\sid})$ to the requestor (where \sid is the \sid of the calling instance).
+    \end{cccItemize}
+
+    \emph{Procedure Round-Update:} For each session \sid do: If $d(\F, \sid) = 1$ for all $\F \in F$ and $d_\party = 1$ for all honest partyset $P = (\cdot, \sid) \in \partyset$, then set $\tau_\sid \gets \tau_\sid + 1$ and reset $d(\F, \sid) \gets 0$ and $d_\party \gets 0$ for all partyset $\party = (\cdot, \sid) \in \partyset$.
+\end{cccFunctionality}