What does a semi-malicious setting mean in MPC? How is it different from malicious or semi-honest setting?

Paritosh007

3/10/24, 1:23 PM

I was reading this paper, where I came across the following statement:

We consider the problem of unbounded MPC with security against semi-malicious adversaries in the dishonest majority setting. In our communication model, parties publish their first message through a broadcast channel which is immediately delivered to all participants. At any point in time, any subset S of participants (with a dishonest majority) can gather together and evaluate a circuit C over their inputs (x_1, . . . , x _|S|) in a single round of broadcast.

Is semi-malicious similar to the augmented semi-honest model where the adversary can change inputs of the corrupted parties?

1 + 0

multiparty-computation

Score:3

Crypto

Geoffroy Couteau

3/10/24, 1:42 PM

My recollection is that semi-malicious means (informally) that the protocol is semi-honest secure, and additionally, a malicious adversary can only break correctness, but not security. That is, the adversary can cause the honest parties to get wrong outputs, but it cannot learn any private information.

One standard reason to use this model is that it is much easier to compile into a maliciously secure protocol: it allows to defer "checking honest behavior" to the end of the protocol. You can do the entire protocol without being afraid of leaking information, then add some step at the very end to prove the correctness of the entire computation. In contrast, to compile a standard semi-honest protocol into a malicious one, you really need checking honest behavior after each message sent, which can be significantly more costly.

+ 5

Geoffroy Couteau

3/10/24, 1:44 PM

Note that the formal definition is given in Section 3.4, page 9 of the paper you cite (though it's perhaps not easy to extract the intuition from the formal definition).

pscholl

3/10/24, 2:03 PM

There may be multiple definitions in the literature, but I think of a semi-malicious adversary as one who can choose bad randomness, but will otherwise follow the protocol. This seems different to the "only breaking correctness" notion.

Paritosh007

3/10/24, 3:46 PM

But then how is it different from the augmented semi-honest model where the adversary can control inputs of the corrupted parties?

Crypto Learner

3/11/24, 3:05 PM

@GeoffroyCouteau, so, checking *after each message sent* is the thing we have in "[covert adversary model](https://eprint.iacr.org/2007/060); Is it?

Geoffroy Couteau

3/14/24, 9:56 AM

@pscholl: that's indeed a different definition. I don't remember exactly where I encountered my version (I referred to this as "half-malicious" in a 2019 paper and had seen it before, but I don't have a pointer on top of my head), but after a quick eprint check, your definition seems currently the most commonly used. Is it the one used in the paper OP is asking about? If yes, I should edit my incorrect answer.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: What does a semi-malicious setting mean in MPC? How is it different from malicious or semi-honest setting?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.