Cryptography Reference
In-Depth Information
can also be feasibly obtained in the latter ideal setting then the protocol
“emulates the ideal setting” (i.e., “emulates a trusted party”), and so
is deemed secure. This basic approach can be applied in a variety of
models, and is used to define the goals of security in these models.
2
We
first discuss some of the parameters used in defining various models,
and next demonstrate the application of this approach in two important
models. For further details, see (36) or (67, Sec. 7.2 and 7.5.1).
7.1.1
Some parameters used in defining security models
The following parameters are described in terms of the actual (or real)
computation. In
some cases
, the corresponding definition of security is
obtained by imposing some restrictions or provisions on the ideal model.
For example, in the case of two-party computation (see below), secure
computation is possible only if premature termination is
not
consid-
ered a breach of security. In that case, the suitable security definition
is obtained (via the simulation paradigm) by allowing (an analogue
of) premature termination in the ideal model. In
all cases
, the desired
notion of security is defined by requiring that for any adequate adver-
sary in the real model, there exist a corresponding adversary in the
corresponding ideal model that obtains essentially the same impact (as
the real-model adversary).
The communication channels:
The parameters of the model
include questions like whether or not the channels may be
tapped by an adversary, whether or not they are tamper-free,
and questions referring to the network behavior (in the case of
multi-party protocols).
2
A few technical comments are in place. Firstly, we assume that the inputs of all parties are
of the same length. We comment that as long as the lengths of the inputs are polynomially
related, the above convention can be enforced by padding. On the other hand, some length
restriction is essential for the security results, because in general it is impossible to hide
all information regarding the length of the inputs to a protocol. Secondly, we assume
that the desired functionality is computable in probabilistic polynomial-time, because we
wish the secure protocol to run in probabilistic polynomial-time (and a protocol cannot
be more ecient than the corresponding centralized algorithm). Clearly, the results can
be extended to functionalities that are computable within any given (time-constructible)
time bound, using adequate padding.
