Security Model

Malicious Adversary

In the malicious setting, each corrupted party can deviate from the protocol, e.g., changing the inputs and outputs, aborting the protocol, etc. To define its security, intuitively we also want to simulate the adversary's view, but such a view cannot be defined in the same way as in the semi-honest setting anymore. In particular, the view depends on the real-world adversary which can change the given inputs and generate whatever outputs. Therefore, the secure two-party computation is defined as the indistinguishability between the outputs (which could be anything, like the adversary's view) of the simulator and the adversary.

Semi-Honest Model

Definition

Let $f=(f_1,f_2)$ be a functionality. We say that $\pi$ securely compute $f$ in the presence of static semi-honest adversaries if there exist probabilistic polynomial-time algorithms $S_1$ and $S_2$ such that

\{ (S_1(1^n,x,f_1(x,y)),f(x,y)) \}_{x,y,n} \overset{c}\equiv \{ (view_1^\pi(x,y,n),output^\pi(x,y,n)) \}_{x,y,n},

\{ (S_2(1^n,x,f_2(x,y)),f(x,y)) \}_{x,y,n} \overset{c}\equiv \{ (view_2^\pi(x,y,n),output^\pi(x,y,n)) \}_{x,y,n},

x,y \in \{ 0,1\}^*\space such\space that\space |x|=|y|,\space and\space n\in \mathbb{N}.

In the semi-honest setting, the parties have to follow the exact pre-specified protocol in the real world, which implies that they cannot change their inputs or outputs. Therefore, the simulators only need to generate an indistinguishable view for each party, given the semi-honest party's input and output.

PreviousConcepts NextSecret Sharing

Last updated 2 years ago