Multi-party semantics

The multi-party semantics class establishes how a program can be collaboratively animated. We define the multi-party semantics assuming that program evaluation is carried out by three computing nodes, each one holding a description of the program in potentially different languages L1, L2 and L3. We restrict the multi-party semantics to only three parties due to tool limitations. Nevertheless, having a three-party set is explanatory enough to demonstrate the concepts we want to explore in this work and the definitions here presented can be easily extended to other party configurations.

Our multi-party semantics formalisation is based on adversarial code, influenced by the UC model. Program evaluation is managed by an environment, that can provide inputs to the program being interpreted and also collect outputs at any time. Furthermore, the environment can request the evaluation of the program in a small-step basis. This evaluation is carried out by an adversary, that, at a high-level, models the inside behaviour of the environment inside the program execution.

The adversary has the possibility of either request some local party execution or a synchronised execution, where all parties, executing at the same time, have the ability to perform distributed protocols that require party interaction.

Finally, the semantics here specified contemplates the possibility of the execution disclosing the communication trace that is left by operations that result from the collaboration of parties.

Semantics interface

The semantics interface discloses 6 procedures:

  • init(P) - initialises the evaluation with initial program P

  • stepP(id) - locally executes party id.

  • stepS - executes the entire set of parties at the same time. This procedure should be used to perform operations that require party synchronisation.

  • stepInput(x) - processes the input x provided by the environment

  • getOutput - releases output to the environment

module type Semantics = {
  proc init(P1 : L1.L, P2 : L2.L, P3 : L3.L) : unit
  proc stepP(id : partyId_t) : bool
  proc stepS() : sideInfo_t option
  proc setInput(x : secret_t) : bool
  proc getOutput() : secret_t option
}.

We enforce that the only procedure inside the multi-party semantics that is able to generate visible side information is the synchronised stepS method. Local party execution modeled by stepP does not encompass any visible information, as it simply computes some local operation.

Environment interface

The environment semantics interface specifies how the environment interacts with the program evaluation. It discloses 3 procedures:

  • stepInput(x) - provides input x to the program semantics

  • getOutput - collects output from the program

  • activate - activates the adversary so that it can procede with the actual program evaluation.

module type EnvSemInterface = {
  proc setInput(x: secret_t): bool
  proc getOutput(): secret_t option
  proc activate(): sideInfo_t option
}.

The environment has oracle access to the environment semantics interface in order to animate some program via the animate procedure. To represent the output of some program animation, we enrich the formalisation with a special output_event_t type.

module type Environment (ESI: EnvSemInterface) = {
  proc animate(): output_event_t
}.

Adversary interface

The adversary semantics interface specifies how the adversary interacts with the program evaluation. It discloses 2 procedures:

  • stepP(id) - locally executes party id

  • stepS - performs a synchronised execution of the entire set of parties

module type AdvSemInterface = {
  proc stepP(id: partyId_t): bool
  proc stepS(): sideInfo_t option
}.

The adversary has oracles access to the adversary semantics interface in order to execute one instruction of a program via the step procedure.

module type Adversary (ASI : AdvSemInterface) = {
  proc step() : sideInfo_t option
}.

General evaluation strategy

Armed with the structures previously defined, we can now construct a general evaluation strategy that executes any given program and that ends with the output event that is verified by the environment.

We start by specifying a concrete implementation of the environment semantics oracle that is parameterised by the concrete semantics of the program and by an adversary. This new module EnvironmentSemanticsInterface essentially defines all possible environment operations based on the concrete semantics of the program and based on the evaluation strategies disclosed by the adversary.

module EnvironmentSemanticsInterface (Sem : Semantics) (A : Adversary) = {
  include Sem [-init, setInput, getOutput]
  proc init = Sem.init
  proc setInput (x: secret_t): bool = {
    var r;
    r <@ Sem.setInput(x);
    return r;
  }
  proc getOutput(): secret_t option = {
    var r;
    r <@ Sem.getOutput();
    return r;
  }
  proc activate(): sideInfo_t option = {
    var r;
    r <@ A(Sem).step();
    return r;
  }
}.

Finally, a program can be computed according to the generic procedure displayed bellow. It takes as input 3 programs written in languages L1, L2 and L3, initialises the local semantics module of each party with the respective program and then proceeds with the concrete program execution. It adopts as output the same output given to by the environment.

module Eval(Sem : Semantics, Z : Environment, A : Adversary) = {
  proc eval(P : L) = {
    var b;
    EnvironmentSemanticsInterface(Sem,A).init(P);
    b <@ Z(EnvironmentSemanticsInterface(Sem,A)).animate();
    return (b);
  }
}.