Cryptography Reference

In-Depth Information

can also be feasibly obtained in the latter ideal setting then the protocol

“emulates the ideal setting” (i.e., “emulates a trusted party”), and so

is deemed secure. This basic approach can be applied in a variety of

models, and is used to define the goals of security in these models.
2
We

first discuss some of the parameters used in defining various models,

and next demonstrate the application of this approach in two important

models. For further details, see (36) or (67, Sec. 7.2 and 7.5.1).

7.1.1

Some parameters used in defining security models

The following parameters are described in terms of the actual (or real)

computation. In
some cases
, the corresponding definition of security is

obtained by imposing some restrictions or provisions on the ideal model.

For example, in the case of two-party computation (see below), secure

computation is possible only if premature termination is
not
consid-

ered a breach of security. In that case, the suitable security definition

is obtained (via the simulation paradigm) by allowing (an analogue

of) premature termination in the ideal model. In
all cases
, the desired

notion of security is defined by requiring that for any adequate adver-

sary in the real model, there exist a corresponding adversary in the

corresponding ideal model that obtains essentially the same impact (as

the real-model adversary).

The communication channels:
The parameters of the model

include questions like whether or not the channels may be

tapped by an adversary, whether or not they are tamper-free,

and questions referring to the network behavior (in the case of

multi-party protocols).

2
A few technical comments are in place. Firstly, we assume that the inputs of all parties are

of the same length. We comment that as long as the lengths of the inputs are polynomially

related, the above convention can be enforced by padding. On the other hand, some length

restriction is essential for the security results, because in general it is impossible to hide

all information regarding the length of the inputs to a protocol. Secondly, we assume

that the desired functionality is computable in probabilistic polynomial-time, because we

wish the secure protocol to run in probabilistic polynomial-time (and a protocol cannot

be more ecient than the corresponding centralized algorithm). Clearly, the results can

be extended to functionalities that are computable within any given (time-constructible)

time bound, using adequate padding.