Hi Martin,
I am confused about the notion of security via adversary traces
presented in those papers. It is described via two properties:
* Identity Property: a public state P can only lead to one other
public state P', regardless of the secret state.
* Commutative Property: computing on secrets leads to the same state
as opening everything and computing on open values.
I think you write that this is a new idea -- have you then looked into
how this relates to the more standard notion of Ideal World/Real World
simulation arguments in the UC framework?
Yes this is a new formulation of the security guaranties in the
programming language community. I have not compared this to UC, it
would be nice to do so.
It is not clear to me how you can describe the server as one entity
with one state when it is really a set of computers -- are you
thinking of the product state for S1, S2, and S3? Is that state even
well-defined in an asynchronous network setting, or do you assume that
the coordinator synchronizes the network?
In the paper on page two, lower left, we write that each server party
execute identical copies of the server program inn lock-step. Based
on this assumption it is reasonable to consider the server as having
a single well-defined state. However in Viff this is no longer true
due to parallelism. But it would be very nice if we could consider
the server as having a single well-defined state.
You say that the adversary can observe the trace which shows how the
configuration change on the server, but with secret values masked out.
Shouldn't the adversary be able to see the secret values of the server
parties he has corrupted?
A server is not a client, so a server only has shares of secret values.
We assume that the adversary at most corrupt a number of servers upto
the threshold. If he corrupts more, then all our security guaranties
are off.
So assuming that the adversary does not have access to the secret
values is not a problem.
Oh, and using the term "semantic security" in Section 4.5 is
unfortunate since it already has a standard definition in
cryptography:
http://en.wikipedia.org/wiki/Semantic_security
Thanks
--
Janus
___
viff-devel mailing list (http://viff.dk/)
viff-devel@viff.dk
http://lists.viff.dk/listinfo.cgi/viff-devel-viff.dk