Score:0

Why is a protocol that is secure in the presence of a malicious adversary also secure in the presence of an augmented semi-honest adversary?

cn flag

Proposition Let π be a protocol that securely computes a functionality f in the presence of malicious adversaries. Then π securely computes f in the presence of augmented semi-honest adversaries.

Proof. Let π be a protocol that securely computes f in the presence of malicious adversaries. Let A be an augmented semi-honest real adversary and let S be the simulator for A that is guaranteed to exist by the security of π (for every malicious A there exists such an S, and in particular for an augmented semi-honest A). We construct a simulator S′ for the augmented semi-honest setting, by simply having S′ run S. However, in order for this to work, we have to show that S′ can do everything that S can do. In the ma- licious ideal model, S can choose whatever input it wishes for the corrupted party; since S′ is augmented semi-honest, it too can modify the input. In addition, S can cause the honest party to output abort. However, S′ cannot do this. Nevertheless, this is not a problem because when S is the simulator for an augmented semi-honest A it can cause the honest party to output abort with at most negligible probability. In order to see this, note that when two honest parties run the protocol, neither outputs abort with non-negligible probability. Thus, when an honest party runs together with an augmented semi-honest adversary, it too outputs abort with at most negligible probabil- ity. This is due to the fact that the distribution over the messages it receives in both cases is identical (because a semi-honest real adversary follows the protocol instructions just like an honest party). This implies that the simu- lator for the malicious case, when applied to an augmented semi-honest real adversary, causes an abort with at most negligible probability. Thus, the aug- mented semi-honest simulator can run the simulator for the malicious case, as required.


This is demonstrated by Carmit Hazay and Yehuda Lindell in the book Efficient Secure Two-Party Protocols.

So my question is:

Why is "abort" negligible here?

Why can't the same idea be used to show that security in the augmented semi-honest model implies security in the semi-honest model? That is, can we have an augmented semi-honest adversary change the input with negligible probability to get security in the presence of semi-honest adversary?

If change the input is not negligible and abort is negligible, what's the difference between them?


I can understand that a protocol that is secure in the presence of malicious adversaries is not necessarily secure in the presence of semi-honest adversaries. Because they correspond to different ideal models.

So I don't know why a protocol that is secure in the presence of a malicious adversary also secure in the presence of an augmented semi-honest adversary, which seems like the two have almost the same ideal model and augmented semi-honest adversary is a weakened version of the malicious adversary.


Augmented semi-honest adversary is defined as follows:

Goldreich introduces the notion of an augmented semi-honest adversary that may modify its input before the execution.

us flag
You quote a long proof in your question -- what statement is being proved?
cn flag
@Mikero Thank you for your advice,I have modified it.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.