I am trying to find out how to write a security proof for a two-party computation problem.

I have read some examples of how to write simulators, like the $x_1 ∧ x_2$ problem and the example in Goldreich's book. I have also read some parts of Lindell's tutorial. But I am still unsure about my understanding. I have also seen the paper which uses the game-based approach for its security analysis. I have also read this question.

My questions are:

  1. Can I use a game-based approach to write my security proof for a two-party computation problem, since there are only two parties involved? Or must I always use a simulation-based approach to write the security proof for any multi-party (and two-party) computation problem?

  2. Does a privacy-preserving multi-party computation scheme (like the paper I mentioned) provide weaker security guarantees? In other words, does a secure multi-party computation problem which uses a simulation-based proof capture more security concerns than privacy alone?

kodlu
m123
    Game-based security definitions are usually weaker than simulation-based. So simulation-based is preferable, but is also arguably harder to prove and sometimes requires more assumptions. The advantage of simulation-based is that protocols retain their security when composed (e.g. universal composability). The term "privacy preserving" is used loosely and doesn't have a formal definition as far as I know. – lamontap Jul 04 '23 at 21:03
    Note that indeed protocols proved under simulation-based security can be composed. But by default you can only do sequential composition. For protocols to be universally composable, they need to be proved in the UC model involving an "environment". – lamba Jul 05 '23 at 21:34
  • @lamontap: Why is game-based security considered to be weaker? In the game-based approach, too, we do not limit the strategy of the adversary, and it is guaranteed that the adversary learns nothing undesired. Isn't it exactly the same as what we are achieving via simulation? Is there any example that can be proved secure by a game-based approach but is insecure in reality or via simulation? – m123 Jul 13 '23 at 22:33
  • "Weaker" in the sense that game-based definitions (also sometimes called standalone) usually don't provide guarantees when multiple instances of the protocol are composed. – lamontap Jul 27 '23 at 14:58
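
As an added worked example (not part of the original question, its comments, or any of the cited papers), the following Python code makes the simulation-based definition concrete for the $x_1 ∧ x_2$ functionality the question mentions, in the semi-honest setting. Two toy protocols are assumed for illustration: one that computes AND through a single idealised 1-out-of-2 oblivious transfer (the "OT-hybrid" model, where the OT is treated as a trusted black box), and a deliberately insecure one in which $P_2$ sends $x_2$ in the clear. Because both protocols are deterministic, a perfect simulator for a party exists exactly when that party's real view is a function of its own input and the output alone; the checker below tries to build that simulator table by brute force over all inputs and, where it fails, returns the pair of executions a distinguisher would use.

```python
"""Toy simulation-based security check for deterministic two-party protocols.

Added example, not code from the question or from any cited book or paper.
The OT-hybrid AND protocol, the naive AND protocol and the view layout are
assumptions made here for illustration (semi-honest, deterministic case).
"""
from itertools import product

BITS = (0, 1)


def f_and(x1, x2):
    """Ideal functionality: both parties learn x1 AND x2."""
    return x1 & x2


def protocol_ot_hybrid(x1, x2):
    """AND via one ideal 1-out-of-2 OT (an assumed trusted OT box).

    P2 is the OT sender with messages (m0, m1) = (0, x2); P1 is the receiver
    with choice bit x1 and obtains m_{x1} = x1 AND x2, then forwards it to P2.
    Returns (view1, view2, output); a view is (own input, message received).
    """
    m0, m1 = 0, x2
    received_by_p1 = (m0, m1)[x1]    # the only message P1 sees: the OT output
    received_by_p2 = received_by_p1  # P1 sends the result to P2 in the clear
    view1 = (x1, ("ot_out", received_by_p1))
    view2 = (x2, ("from_p1", received_by_p2))
    return view1, view2, received_by_p2


def protocol_naive(x1, x2):
    """Insecure AND: P2 sends x2 in the clear, P1 computes and replies."""
    y = x1 & x2
    view1 = (x1, ("from_p2", x2))
    view2 = (x2, ("from_p1", y))
    return view1, view2, y


def is_correct(protocol, func=f_and):
    """Correctness: every input pair must yield the ideal output."""
    return all(protocol(x1, x2)[2] == func(x1, x2)
               for x1, x2 in product(BITS, BITS))


def build_simulator(protocol, party, func=f_and):
    """Try to build a perfect simulator S_party: (own input, output) -> view.

    For a deterministic protocol such a simulator exists iff the party's real
    view is determined by (own input, output) alone. Returns (table, None) on
    success, or (None, witness) where witness is two input pairs that share
    (own input, output) but produce different real views, i.e. a distinguisher
    that no simulator given only the ideal-world information can fool.
    """
    table, origin = {}, {}
    for x1, x2 in product(BITS, BITS):
        views = protocol(x1, x2)
        own = x1 if party == 1 else x2
        key = (own, func(x1, x2))
        view = views[party - 1]
        if key in table and table[key] != view:
            return None, (origin[key], (x1, x2))
        table[key] = view
        origin[key] = (x1, x2)
    return table, None


def simulate(table, own_input, output):
    """Run the simulator: produce a view from ideal-world information only."""
    return table[(own_input, output)]


if __name__ == "__main__":
    for name, proto in (("OT-hybrid", protocol_ot_hybrid),
                        ("naive", protocol_naive)):
        print(name, "correct:", is_correct(proto))
        for party in (1, 2):
            table, witness = build_simulator(proto, party)
            if table is None:
                print(f"  P{party}: no simulator; distinguishing inputs {witness}")
            else:
                print(f"  P{party}: simulator exists, table {table}")
```

Running the script shows both protocols are correct, but only the OT-hybrid one admits simulators for both parties; in the naive protocol the checker reports that executions on inputs (0, 0) and (0, 1) give $P_1$ the same input and output yet different views, so $P_1$ learns $x_2$ even when $x_1 = 0$ and the protocol is not simulatable. For randomised protocols the equality check becomes a comparison of view distributions over the parties' coins (exactly, or up to computational indistinguishability), and in the malicious setting the simulator must additionally extract the corrupted party's effective input; the brute-force table above is only the deterministic semi-honest special case.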

0 Answers