Cryptography Reference
In-Depth Information
ties, there exists a feasible ideal-model adversary
A
, controlling the
same parties, so that the probability ensembles
{
real
Π
,A
(
x
)
}
x
and
{
ideal
f,A
(
x
)
}
x
are computationally indistinguishable (as in Foot-
note 2).
Thus, security means that the effect of each minority group in a real
execution of a secure protocol is “essentially restricted” to replacing its
own local inputs (independently of the local inputs of the majority
parties) before the protocol starts, and replacing its own local outputs
(depending only on its local inputs and outputs) after the protocol
terminates. (We stress that in the real execution the minority parties
do obtain additional pieces of information; yet in a secure protocol they
gain nothing from these additional pieces of information, because they
can actually reproduce those by themselves.)
The fact that Definition 7.1 refers to a model without private chan-
nels is due to the fact that our (sketchy) definition of the real-model
adversary allowed it to tap the channels, which in turn effects the
set of possible ensembles
{
real
Π
,A
(
x
)
}
x
. When defining security in
the private-channel model, the real-model adversary is not allowed to
tap channels between honest parties, and this again effects the pos-
sible ensembles
{
real
Π
,A
(
x
)
}
x
. On the other hand, when we wish to
define security with respect to passive adversaries, both the scope of
the real-model adversaries and the scope of the ideal-model adversaries
changes. In the real-model execution, all parties follow the protocol but
the adversary may alter the output of the dishonest parties arbitrarily
depending on all their intermediate internal states (during the execu-
tion). In the corresponding ideal-model, the adversary is not allowed
to modify the
inputs
of dishonest parties (in Step 1), but is allowed to
modify their outputs (in Step 3).
We comment that a definition analogous to Definition 7.1 can be
presented also in case the dishonest parties are not in minority. In fact,
such a definition seems more natural, but the problem is that such a
definition cannot be satisfied. That is, most natural functionalities do
not have a protocol for computing them securely in case at least half of
the parties are dishonest and employ an adequate adversarial strategy.
This follows from an impossibility result regarding two-party computa-
