Re: [viff-devel] SMCL security notion
In the paper on page two, lower left, we write that each server party execute identical copies of the server program inn lock-step. Based on this assumption it is reasonable to consider the server as having a single well-defined state. However in Viff this is no longer true due to parallelism. But it would be very nice if we could consider the server as having a single well-defined state. I don't like this since it introduces a wide gap between the model and the real world and I believe such a gap makes it easier to come up with inefficient solutions. Then we have to come up with a better description... -- Janus ___ viff-devel mailing list (http://viff.dk/) viff-devel@viff.dk http://lists.viff.dk/listinfo.cgi/viff-devel-viff.dk
Re: [viff-devel] SMCL security notion
Hi Martin, I am confused about the notion of security via adversary traces presented in those papers. It is described via two properties: * Identity Property: a public state P can only lead to one other public state P', regardless of the secret state. * Commutative Property: computing on secrets leads to the same state as opening everything and computing on open values. I think you write that this is a new idea -- have you then looked into how this relates to the more standard notion of Ideal World/Real World simulation arguments in the UC framework? Yes this is a new formulation of the security guaranties in the programming language community. I have not compared this to UC, it would be nice to do so. It is not clear to me how you can describe the server as one entity with one state when it is really a set of computers -- are you thinking of the product state for S1, S2, and S3? Is that state even well-defined in an asynchronous network setting, or do you assume that the coordinator synchronizes the network? In the paper on page two, lower left, we write that each server party execute identical copies of the server program inn lock-step. Based on this assumption it is reasonable to consider the server as having a single well-defined state. However in Viff this is no longer true due to parallelism. But it would be very nice if we could consider the server as having a single well-defined state. You say that the adversary can observe the trace which shows how the configuration change on the server, but with secret values masked out. Shouldn't the adversary be able to see the secret values of the server parties he has corrupted? A server is not a client, so a server only has shares of secret values. We assume that the adversary at most corrupt a number of servers upto the threshold. If he corrupts more, then all our security guaranties are off. So assuming that the adversary does not have access to the secret values is not a problem. Oh, and using the term semantic security in Section 4.5 is unfortunate since it already has a standard definition in cryptography: http://en.wikipedia.org/wiki/Semantic_security Thanks -- Janus ___ viff-devel mailing list (http://viff.dk/) viff-devel@viff.dk http://lists.viff.dk/listinfo.cgi/viff-devel-viff.dk
[viff-devel] SMCL security notion
Hi Janus and everybody else, I have now read the progress report and had a look at the PLAS paper: http://www.daimi.au.dk/~fagidiot/fagidiot/download/jdn-progress.pdf http://www.daimi.au.dk/~fagidiot/fagidiot/download/smcl-plas07.pdf and of course I have lots of questions... :-) I am confused about the notion of security via adversary traces presented in those papers. It is described via two properties: * Identity Property: a public state P can only lead to one other public state P', regardless of the secret state. * Commutative Property: computing on secrets leads to the same state as opening everything and computing on open values. I think you write that this is a new idea -- have you then looked into how this relates to the more standard notion of Ideal World/Real World simulation arguments in the UC framework? It is not clear to me how you can describe the server as one entity with one state when it is really a set of computers -- are you thinking of the product state for S1, S2, and S3? Is that state even well-defined in an asynchronous network setting, or do you assume that the coordinator synchronizes the network? You say that the adversary can observe the trace which shows how the configuration change on the server, but with secret values masked out. Shouldn't the adversary be able to see the secret values of the server parties he has corrupted? Oh, and using the term semantic security in Section 4.5 is unfortunate since it already has a standard definition in cryptography: http://en.wikipedia.org/wiki/Semantic_security -- Martin Geisler ___ viff-devel mailing list (http://viff.dk/) viff-devel@viff.dk http://lists.viff.dk/listinfo.cgi/viff-devel-viff.dk