I was going through this simulation tutorial.
For example, let x and y be lists of data elements, and
let f be a functionality that outputs an independent random sample of x ∪ y of some predetermined
size to each party. Now, consider a protocol that securely outputs the same random sample to
both parties (and where each party’s view can be simulated). Clearly, this protocol should not be
secure. In particular, party P1 should have no information about the sample received by P2, and
vice versa.
Following this, there is a definition of simulation which makes this "insecure" protocol secure.
My doubts are the following:
Even if we consider the joint distribution definition (mentioned below), the probabilistic function f(x, y) (in the above example text) is the same as output(x, y, n), and it is available to the simulator since it is well defined in the case of semi-honest adversaries. So how would this definition prevent the above "insecure" protocol example from being secure?
How does the output of S1 become distinguishable from the real world if adversary 1, which is aware of the above insecure protocol, knows f2(x, y)? Isn't this known even in the real-world scenario? How is it that the simulator is learning something extra beyond the real-world execution?
P.S. Any useful resources for understanding the automata-theory notation used in this tutorial would be of great help.
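A worked comparison of the two joint distributions for the sampling example quoted above, added here as an illustration (it is not part of the original question or of the tutorial it cites). It assumes the standard semi-honest simulation definition for probabilistic functionalities: the simulator S1 for party P1 receives only x and f1(x, y), and security requires that the pair (S1(x, f1(x, y)), f(x, y)) be indistinguishable from (view1(x, y, n), output(x, y, n)).

$$
\text{Ideal world:}\quad f(x,y) = (f_1(x,y),\, f_2(x,y)) = (s_1,\, s_2),\qquad s_1, s_2 \text{ independent samples of } x \cup y
$$

$$
\text{Real world:}\quad \mathrm{output}^\pi(x,y,n) = (s,\, s),\qquad s \text{ the single common sample, which also appears in } \mathrm{view}_1^\pi(x,y,n)
$$

Take the distinguisher $D$ that reads P1's output component $\mathrm{out}_1(\cdot)$ from the view and the second component of the output pair, and returns 1 iff they are equal:

$$
\Pr\big[D(\mathrm{view}_1^\pi,\, \mathrm{output}^\pi) = 1\big] = \Pr[s = s] = 1
$$

$$
\Pr\big[D(S_1(x, s_1),\, (s_1, s_2)) = 1\big] = \Pr\big[\mathrm{out}_1(S_1(x, s_1)) = s_2\big] \le \max_{v} \Pr[s_2 = v] < 1
$$

The second bound holds for every choice of $S_1$, because $S_1$ sees only $x$ and $s_1$, so whatever it writes as P1's output is independent of $s_2$, and $s_2$ is not a constant whenever $x \cup y$ has more elements than the sample size. The joint requirement is therefore what rules the protocol out: the simulator is handed $f_1(x,y)$ but never $f_2(x,y)$, whereas in the real execution P1's view is correlated with P2's output.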