Cryptography Reference
In-Depth Information
protocol can do against it.[3] In either case, we must say a few more things about the
adversary and his or her capabilities. First and foremost, we must specify whether
his or her computing power is restricted:
• If the adversary has unrestricted computing power and can still not cheat
  or violate the security of an MPC, then we are in the realm of
  information-theoretic security.
• If, however, the adversary has restricted computing power and the security of
  the MPC relies on (unproven) intractability assumptions, then we are in the
  realm of cryptographic security.
Similar to other cryptographic systems, there are MPC protocols that provide
information-theoretic security and protocols that provide cryptographic security.
Furthermore, the potential misbehavior of some of the players is typically
modeled by considering a central adversary with an overall cheating strategy who
can corrupt some of the players. There are basically three types of corruption:
• In a passive corruption, the adversary learns the entire information of the
  corrupted player but the player continues to perform the protocol correctly
  (such players are sometimes called semihonest).
• In an active corruption, the adversary learns the entire information of the
  corrupted player and takes full control of the corrupted player. This also means
  that the adversary can make the corrupted player deviate arbitrarily from the
  protocol.
• In a fail corruption, the adversary can let the player stop the protocol execution
  but does not learn its information. This allows the adversary to model
  denial-of-service attacks against one (or several) player(s).
It is only recently that people have started to look at fail corruption as a type
of corruption of its own. Many theoretical results that were achieved in the late
1980s only distinguish between passive and active corruptions (see Section 18.2).
It goes without saying that if no active corruptions are considered, then the only
security issue is the secrecy of the players' inputs. In most papers on secure MPC, the
adversary's corruption capability is specified by a threshold t, that is, the adversary
is assumed to be able to corrupt up to t players (but not more). In this setting, a
distinction can be made between passive, active, and fail corruptions. For each of
these types of corruption, one can work with a different threshold.
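The three corruption types can be seen on a toy secure-sum protocol. This is an added example, not taken from the book: the protocol (additive secret sharing modulo a prime), the modulus, the inputs and all function names are assumptions chosen for illustration. With n = 3 players and player 2 corrupted, the passive view is identical for two different sets of honest inputs, so it reveals nothing beyond the sum regardless of computing power.

```python
import secrets

P = 2**61 - 1  # prime modulus, chosen for this example

def deal(x, n):
    """Split x into n additive shares mod P; any n-1 of them are uniformly random."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    return parts + [(x - sum(parts)) % P]

def run_sum(dealt, active=None, failed=None):
    """Each player j adds the shares it received and broadcasts the partial sum.
    dealt[i][j] is the share player i sent to player j."""
    n = len(dealt)
    partial = []
    for j in range(n):
        if j == failed:      # fail corruption: the player stops, no output is produced
            return None, partial
        s = sum(dealt[i][j] for i in range(n)) % P
        if j == active:      # active corruption: arbitrary deviation from the protocol
            s = (s + 1000) % P
        partial.append(s)
    return sum(partial) % P, partial

def passive_view(dealt, partial, c):
    """What a passive adversary corrupting player c sees: c's own dealing,
    the shares sent to c, and the broadcast partial sums."""
    return (dealt[c], [row[c] for row in dealt], partial)

def demo():
    inputs = [12, 30, 7]     # constructed inputs; player 2 is the corrupted one
    dealt = [deal(x, 3) for x in inputs]
    out, partial = run_sum(dealt)
    # Different honest inputs (20, 22) with the same sum: move d from player 1
    # to player 0 inside shares that the corrupted player never sees.
    d = 8
    alt = [row[:] for row in dealt]
    alt[0][0] = (alt[0][0] + d) % P
    alt[1][0] = (alt[1][0] - d) % P
    alt_out, alt_partial = run_sum(alt)
    same_view = passive_view(dealt, partial, 2) == passive_view(alt, alt_partial, 2)
    alt_inputs = [sum(row) % P for row in alt]
    tampered, _ = run_sum(dealt, active=2)   # wrong result, nothing flags it
    stopped, _ = run_sum(dealt, failed=1)    # protocol cannot complete
    return out, alt_inputs, same_view, tampered, stopped

if __name__ == "__main__":
    print(demo())
```

This toy protocol tolerates passive corruption of up to n − 1 players but has no protection against a single active or fail corruption, which is why a separate threshold per corruption type is meaningful.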
[3] This fact must be kept in mind and considered with care when one discusses the use of protocols for
secure MPC for applications like electronic voting.