SBA. Assume that that at most ta parties are corrupted in an execution of Πta,ts Πta,ts over an [weakvalidity] Assume the sender P∗ is honest and has input v∗. Up to (and including) round 3, an honest party Pjsetsbj := v 𝖳 only if they receive a message (v, σ) such that ∈ Vfy(v, σ, pk∗) = 1. Since corrupted parties cannot forge an honest sender’s signature, bj SBC SBC SBC { 𝖳} 𝖳 ∈ { 𝖳}a j SBC SBA v∗, in round 3 for each honest party Pj. Observe that, if bj = in round 3, party Pj does not send a message whenever they are supposed to share their input in Πta,ts ; this does not break ta-weak validity of Πta,ts , since messages can be arbitrarily delayed by the adversary. Therefore, t -weak validity of Πta,ts guarantees that b v∗, in round 3 + s for each honest party Pj. In conclusion, each honest party Pj outputs either v∗ or 𝖳 from Πta,ts Πta,ts . This proves ta-weak validity, and concludes the proof of the lemma. ⊓⊔ H Proof of Lemma 6 We sketch the proof. Assume at most ts parties are corrupted and the network is synchronous. HMPC Then, ts-security of Πts,ta guarantees that each party receives the same correct output from − the computation of fGRBL in Step 1 (which takes into account the input of all honest parties). Therefore, each honest party encrypts their (authenticated) shares of each gate of circg and sends the resulting ciphertexts to all parties. synchrony of the network guarantees that each honest party receives at least n ts > ts valid (i.e. such that the information checking protocol succeeds) and consistent shares for each gate within one extra round. Since dishonest parties cannot forge authentication vectors, even a xxxxxxx adversary cannot compromise the reconstruction of the function table entries. Together with the masked inputs and the relative keys for each input wire, as well as the masks for the accessible output wires, the (only) reconstructed function table entry for each gate allows each honest party Pj to evaluate the garbled version of circg locally and recover the output. In particular, each honest party terminates. Now, Assume at most ta parties are corrupted and the network is asynchronous. Then, HMPC ta-security of protocol Πts,ta (circfGRBL ; circg; bj) guarantees that each honest party receives − − ≥ − ≥