A Note on the Relation between the Definitions of Security for Semi-Honest and Malicious Adversaries
Authors
Abstract
In secure computation, a set of parties wish to jointly compute some function of their private inputs while preserving security properties like privacy, correctness and more. The two main adversary models that have been considered are semi-honest adversaries who follow the prescribed protocol but try to glean more information than allowed from the protocol transcript, and malicious adversaries who can run any efficient strategy in order to carry out their attack. As such they can deviate at will from the prescribed protocol. One would naturally expect that any protocol that is secure in the presence of malicious adversaries will automatically be secure in the presence of semi-honest adversaries. However, due to a technicality in the definition, this is not necessarily true. In this brief note, we explain why this is the case, and show that a slight modification to the definition of semi-honest adversaries (specifically, allowing a semi-honest adversary to change its received input) suffices for fixing this anomaly. Our aim in publishing this note is to make this curious fact more known to the wider cryptographic community.
1 Malicious Versus Semi-honest Adversaries
In order to keep this note brief, we assume that the reader is familiar with the exact definitions of relevance. We refer to [2], [4, Chapter 7], or [5, Chapter 2] for motivation and full definitions of secure computation in the presence of semi-honest and malicious adversaries.
At first sight, it seems that any protocol that is secure in the presence of malicious adversaries is also secure in the presence of semi-honest adversaries. This is because a semi-honest adversary is just a “special case” of a malicious adversary who faithfully follows the protocol specification. Although this is what we would expect, it turns out to be false.
This anomaly is due to the fact that although a real semi-honest adversary is indeed a special case of a real malicious adversary, this is not true of the respective adversaries in the ideal model. Specifically, the adversary in the ideal model for malicious adversaries is allowed to change its input, whereas the adversary in the ideal model for semi-honest adversaries is not. Thus, the adversary/simulator for the case of malicious adversaries has more power than the adversary/simulator for the case of semi-honest adversaries. As such, it may be possible to simulate a protocol in the malicious model, but not in the semi-honest model. We now present two examples of protocols where this occurs.
∗ We thank Yuval Ishai for first pointing out this inconsistency in the definitions to us. Most of this note is an excerpt from [5].
† Dept. of Computer Science, Aarhus University, Denmark.
‡ Dept. of Computer Science, Bar-Ilan University, Israel.
Similar resources
Privacy-preserving data mining in the malicious model
Most of the cryptographic work in privacy-preserving distributed data mining deals with semi-honest adversaries, which are assumed to follow the prescribed protocol but try to infer private information using the messages they receive during the protocol. Although the semi-honest model is reasonable in some cases, it is unrealistic to assume that adversaries will always follow the protocols exac...
The IPS Compiler: Optimizations, Variants and Concrete Efficiency
In recent work, Ishai, Prabhakaran and Sahai (CRYPTO 2008) presented a new compiler (hereafter the IPS compiler) for constructing protocols that are secure in the presence of malicious adversaries without an honest majority from protocols that are only secure in the presence of semi-honest adversaries. The IPS compiler has many important properties: it provides a radically different way of obta...
Black-Box Constructions of Protocols for Secure Computation
In this paper, we study the question of whether or not it is possible to construct protocols for general secure computation in the setting of malicious adversaries and no honest majority that use the underlying primitive (e.g., enhanced trapdoor permutation) in a black-box way only. Until now, all known general constructions for this setting were inherently non-blackbox since they required the ...
Privacy-Preserving Data Mining in Presence of Covert Adversaries
Disclosure of the original data sets is not acceptable due to privacy concerns in many distributed data mining settings. To address such concerns, privacy-preserving data mining has been an active research area in recent years. All the recent works on privacy-preserving data mining have considered either semi-honest or malicious adversarial models, whereby an adversary is assumed to follow or a...
Distributed Privacy Preserving Information Sharing
In this paper, we address issues related to sharing information in a distributed system consisting of autonomous entities, each of which holds a private database. Semi-honest behavior has been widely adopted as the model for adversarial threats. However, it substantially underestimates the capability of adversaries in reality. In this paper, we consider a threat space containing more powerful a...
Journal title:
- IACR Cryptology ePrint Archive
Volume 2010 Issue
Pages -
Publication date 2010