Cryptography Reference
In-Depth Information
Active versus passive
: An orthogonal parameter of restriction
refers to whether a dishonest party takes active steps to dis-
rupt the execution of the protocol (i.e., sends messages that
differ from those specified by the protocol), or merely gath-
ers information (which it may latter share with the other dis-
honest parties). The latter adversary has been given a variety
of names such as
semi-honest
,
passive
,and
honest-but-curious
.
This restricted model may be justified in certain settings, and
certainly provides a useful methodological locus (cf., (75; 74; 63)
and Section 7.3). Below we refer to the adversary of the unre-
stricted model as to
active
; another commonly used name is
malicious
.
Restricted notions of security:
One important example is the will-
ingness to tolerate “unfair” protocols in which the execution
can be suspended (at any time) by a dishonest party, provided
that it is detected doing so. We stress that in case the execu-
tion is suspended, the dishonest party does not obtain more
information than it could have obtained when not suspending
the execution. (What may happen is that the honest parties will
not obtain their desired outputs, but rather will detect that the
execution was suspended.) We stress that the motivation to this
restricted model is the impossibility of obtaining general secure
two-party computation in the unrestricted model.
Upper bounds on the number of dishonest parties:
In some
models, secure multi-party computation is possible only if a
majority of the parties is honest (cf., (25; 44)). Sometimes even
a special majority (e.g., 2/3) is required. General “(resilient)
adversarial-structures” have been considered too (cf. (86)).
Mobile adversary:
In most works, once a party is said to be dishon-
est it remains so throughout the execution. More generally, one
may consider transient adversarial behavior (e.g., an adversary
seizes control of some site and later withdraws from it). This
model, introduced in (106), allows to construct protocols that
remain secure even in case the adversary may seize control of
all sites during the execution (but never control concurrently,
