Questions tagged [simulation]

33 questions
4 votes, 1 answer

Visibility of oracle queries in the Indifferentiability model

I have a construction $C$ which internally uses idealized primitive $\mathcal{P}$ (a random permutation) where the goal is that $C$ is indifferentiable from a random oracle $\mathcal{F}$. That is, $C$ implements the API of $\mathcal{F}$. Via the…
4 votes, 0 answers

"Simulator Based" vs "Game Based" security proof for a two-party computation protocol

I am trying to find out how to write a security proof for a two-party computation problem. I have read some examples to write simulators like the $x_1 \wedge x_2$ problem and the example in Goldreich's book. I have also read some parts of Lindell's tutorial…
m123
4 votes, 0 answers

How to get started with Simulation and UC proofs?

I've been in my PhD program for a few months, and every time I try to understand the simulation and UC proof-paradigms I get so confused. I feel like what I really need is an easy set of (guided) problems and examples that I can play around with and…
3 votes, 1 answer

About simulating abort in multiple party computation

I am new to simulation-based proofs and am a little bit confused about the abort in the simulation. When the real-time protocol aborts, I assume that the ideal process should also abort? Does this mean that the simulator would first observe the result of…
js wang
3 votes, 1 answer

Is it common/valid to hardcode an element of a language into a simulator?

Short version: Is it a common practice (and a valid practice) to hardcode an element $d \in \mathcal{L}$ of a language into a simulator? (making the simulator non-uniform and non-constructive) Long version: I have a prover $P$ that does the…
Léo Colisson
3 votes, 0 answers

A highly space-efficient embedding of prime factorization problem using the Ising model

I hope this is not off-topic for this SE, as it directly relates to the RSA problem. My background is in quantum information and computation, so please excuse me if my notation doesn't match your community's notation. What's the idea? I'm trying to…
3 votes, 1 answer

MPC Security - Need for Joint Distribution

The security of a multi-party computation protocol can be given by the real/ideal world paradigm. The simulator-based proof considers the joint distribution of the adversary's output and the honest parties' output. Why is there a need to take the joint…
3 votes, 1 answer

Resources for simple MPC proofs

Could anyone direct me to literature regarding privacy proofs in the MPC setting? For example, how can one prove the following simple problem: Suppose a setting in which $n$ parties $S_1, \ldots, S_n$ wish to compute an additive sharing of $0$, so…
3 votes, 3 answers

Why do we need to consider a probability ensemble and not just a probability distribution in the definition of Security under Simulation?

I'm currently reading this classic paper "How To Simulate It" and on most of the definitions it is using the term probability ensemble to represent the message space. From my understanding a probability ensemble is like a stochastic process and a…
2 votes, 1 answer

Simulation based proof for Beaver's multiplication protocol

Setup: Recently, I became interested in simulation-based proofs in the context of secure two-party computation. I read some book chapters (from Secure MPC and Secret Sharing and Foundations of Cryptography, Volume 2), papers (most importantly How To…
2 votes, 0 answers

How to prove the security if a circuit is obscured by an IO, where the key generation algorithm of a functional encryption is used in the circuit?

I want to design a scheme, where there is a circuit C0 which is obscured by an indistinguishability obfuscation (IO). In C0, a master key of a functional encryption (FE) is hardwired. Given an input z to C0, it outputs a secret key using the key…
laolien
2 votes, 0 answers

Can the discrepancy of compute time to simulate a system and to observe it be used to verify the actual state of the system?

Let's say I have a self-driving taxi company. I need to prove to law enforcement that my cars do not break any traffic rules. The cars ride on urban streets where lots of things are going on. I imagine the environment is highly chaotic. The cars are…
2 votes, 1 answer

'Callbacks' in UC?

In UC, consider the protocol $\rho^\phi$, which uses the protocol $\phi$ 'as a subroutine'. If I understand correctly, $\rho$ would call $\phi$ with arguments, which would then perform computations, perhaps even calling its own sub-sub-protocols, and would finally return…
Suraaj K S
2 votes, 1 answer

Parallel Composition in UC / CC?

I was learning about composable security frameworks, and I was wondering about the following when I was learning about Constructive Cryptography here (https://youtu.be/l7vyzRtLQCM?feature=shared&t=1143): Here, we are in the Alice-Bob-Eve setting.…
2 votes, 0 answers

Why is the joint distribution of the simulation output and the functionality output required?

I was going through this simulation tutorial. For example, let $x$ and $y$ be lists of data elements, and let $f$ be a functionality that outputs an independent random sample of $x \cup y$ of some predetermined size to each party. Now, consider a protocol…