Cryptography Reference
The results surveyed below describe a variety of models in which
such an “emulation” is possible. The models vary by the underlying
assumptions regarding the communication channels, numerous parameters
relating to the extent of adversarial behavior, and the desired
level of emulation of the trusted party (i.e., level of “security”).

Organization: Section 7.1 provides a rather comprehensive survey of
the various definitions used in the area of secure multi-party computation,
whereas Section 7.2 similarly surveys the known results. However,
some readers may prefer to first consider one concrete case of the
definitional approach, as provided in Section 7.1.2, and proceed directly
to see some constructions. Indeed, a few constructions are sketched in
Section 7.3. All the above refers to the security of stand-alone
executions, and the preservation of security in an environment in which
many executions of many protocols are being attacked is considered in
Section 7.4.

The definitional approach and some models
Before describing the aforementioned results, we further discuss the
notion of “emulating a trusted party”, which underlies the definitional
approach to secure multi-party computation (as initiated and developed
in (73; 100; 13; 14; 35; 36)). The approach can be traced back to the
definition of zero-knowledge (cf. (81)), and even to the definition of
secure encryption (cf. (64), rephrasing (80)). The underlying paradigm
(called the simulation paradigm (cf. Section 4.1)) is that a scheme is
secure if whatever a feasible adversary can obtain after attacking it, is
also feasibly attainable “from scratch”. In the case of zero-knowledge
this amounts to saying that whatever a (feasible) verifier can obtain
after interacting with the prover on a prescribed valid assertion, can be
(feasibly) computed from the assertion itself. In the case of multi-party
computation we compare the effect of adversaries that participate in
the execution of the actual protocol to the effect of adversaries that
participate in an imaginary execution of a trivial (ideal) protocol for
computing the desired functionality with the help of a trusted party. If
whatever the adversaries can feasibly obtain in the former real setting
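
The zero-knowledge case of the simulation paradigm described above, as an added example that is not part of the original text. It assumes Schnorr's identification protocol with an honest verifier (an illustrative choice the page does not mention, and a weaker setting than an arbitrary feasible verifier) over a constructed toy group P, Q, G that is far too small for real use. The verifier's view is computed from the assertion y alone, and exhaustive enumeration of the coins confirms it is distributed exactly like the real view.

```python
import secrets
from itertools import product

# Constructed toy group, far too small for real use: G generates the
# subgroup of prime order Q in Z_P^* (P = 2Q + 1).
P, Q, G = 23, 11, 4

def real_view(x, r, c):
    """Honest-verifier view when the prover knows the witness x (y = G^x)."""
    a = pow(G, r, P)           # prover's commitment from fresh randomness r
    z = (r + c * x) % Q        # response to challenge c; this step needs x
    return (a, c, z)

def simulated_view(y, c, z):
    """View built "from scratch": only the assertion y is used, never x."""
    # Pick c and z first, then solve G^z = a * y^c for the commitment a.
    a = pow(G, z, P) * pow(y, Q - c, P) % P   # y^(Q-c) equals y^(-c)
    return (a, c, z)

def verifier_accepts(y, view):
    """The verifier's check on a transcript (a, c, z)."""
    a, c, z = view
    return pow(G, z, P) == a * pow(y, c, P) % P

def view_distributions(x):
    """Enumerate every choice of coins; each coin pair is equally likely."""
    y = pow(G, x, P)
    coins = list(product(range(Q), repeat=2))
    real = sorted(real_view(x, r, c) for r, c in coins)
    simulated = sorted(simulated_view(y, c, z) for c, z in coins)
    return y, real, simulated

if __name__ == "__main__":
    x = secrets.randbelow(Q)   # witness, known only to the prover
    y, real, simulated = view_distributions(x)
    print("every simulated view accepted:",
          all(verifier_accepts(y, v) for v in simulated))
    print("real and simulated views identically distributed:",
          real == simulated)
```

Because the two sorted lists coincide for every witness, the transcript gives the honest verifier nothing it could not have produced itself from y.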