Anonymous Public-Key Encryption. We recall the definition of anonymous public-key encryption from [3]. Σ ← ←0 10 1 1 Σ Definition 35 A CPA-secure public-key encryption scheme PE = (KGen, Enc, Dec) is anony- mous if the following is negligible for any ppt adversary A: .Pr (pk , sk ) KGen(1κ); (pk , sk ) KGen(1κ); m ← A(pk , pk ); b ← {0, 1}; c ← Encpk (m) : A(c) = b − 2 . .
Anonymous Public-Key Encryption. We recall the definition of anonymous public-key encryption from [2]. Definition 28 A public-key encryption scheme PE = (G, K, E , D) consists of four algorithms: • Common-key generation: I = G(1κ), where I is a common key, which might be just the security parameter κ or include some additional information. • Key generation: (pk, sk) = K(I), takes as input the common key I and returns a pair of keys, where pk is the public key and sk is the secret key. • Encryption: c = Epk(m; r) denotes an encryption with key pk of a plaintext m with randomness r, to obtain ciphertext c.
Anonymous Public-Key Encryption. We recall the definition of anonymous public-key encryption from [3].
Anonymous Public-Key Encryption. We recall the definition of anonymous public-key encryption from [3]. Definition 35 A CPA-secure public-key encryption scheme PE = (KGen, Enc, Dec) is anony- mous if the following is negligible for any ppt adversary A: Pr (pk , sk ) KGen(1n); (pk , sk ) KGen(1n); m ← A(pk , pk ); b ← {0, 1}; c ← Encpk (m) : A(c) = b − 2 . D Proof of Theorem 16 The claims regarding the communication complexity, size of the setup, and the number MPC of invocations of Byzantine agreement follow because Πl runs a VACS protocol with l-output quality and inputs of length O(I · poly(n)) in step 2; |C| = O(n) (in expectation) reliable broadcast protocols on inputs of length O(O · poly(n)) in step 4; and a reliable consensus protocol on inputs of length O in step 5. To prove security of the protocol, we define a simulator S that works as follows: Setup: S generates the setup honestly, with two exceptions: • S uses the TFHE simulator to generate the TFHE public key, t − 1 decryption keys {dki}, and n + 1 ciphertexts c1, . . . , cn, crand. • S generates the CRS for the UC-NIZK proof system using the corresponding simulator. In particular, this defines a set C of the parties. Corruptions: Whenever A corrupts a party, S gives A the state held by that party at that point in time. Let S denote the set of parties that A corrupts that are (1) in C and (2) corrupted before executing step 2 of the protocol. If |S| ≥ t the simulator aborts (call this event abort1). Otherwise, when A corrupts the ith party in S, it is given dki as part of that party’s state. If A corrupts a party Pi before Pi has begun executing step 1 of the protocol, then S corrupts Pi in the ideal world to obtain Pi’s input (which it then gives to A along with Pi’s state). When A corrupts a party at any other point in the protocol, S delays its corruption of that party until after S sends XxxxXxx to the trusted party (as described below).
