$ \begingroup $ In cosmopolitan, the character of the simulator in simulation-based proof is to show that the real protocol behaves like some idealize one. actually, simulation goes binding to the master definition of semantic security for encoding and is besides the way zero cognition is defined. In these settings, the target of the simulator is to show that nothing is revealed ( in encoding, nothing beyond the duration of the plaintext ; in zero cognition, nothing beyond the validity of the claim ). For concreteness, consider zero cognition for a here and now. In this adjust, we construct a simulator who outputs a view of the voucher that is indistinguishable from its view in a real proof execution. now, if the voucher can learn something from the proof itself, then we can run it besides on the position generated by the simulator ( or it itself can run the simulator on itself ) and it will learn the like thing ( up to computational identity ). however, the simulator does not know the witness and it only knows the public statement being proved. thus, this proves that the lone thing that the voucher can learn is what can be learned from the public affirmation and a single piece that the affirmation is in the speech.

When we consider the more general mount of procure calculation, the adversary is allowed to learn the inputs and outputs of all defile parties. thus, the character of the simulator here is to simulate the scene of all corrupt parties, given their inputs and outputs. The problem that arises inaugural is that the bribe parties may change their inputs and then this is not something which is well defined. thus, we consider an IDEAL MODEL with a trust third party who receives the parties inputs and provides their outputs. The simulator works in this ideal model, and the prerequisite is that the output distribution of the dependable parties and the simulator in an ideal execution is computationally identical from the output of the good parties and adversary in a real number execution. once again, this shows that anything that a substantial adversary can do, can besides be achieved in the ideal exemplary. however, trivially, the alone thing the simulator can do in the ideal model is to chose the corrupt parties ‘ inputs. Observe that the simulator ( who we besides call an ideal-model adversary ) actually has two types of interaction :

  1. The simulator externally interacts with the trusted party, sending it the corrupted parties’ inputs and receiving back their outputs. This is real interaction with an external party.
  2. The simulator internally interacts with the real adversary and generates a view that is indistinguishable from its view in a real execution. This is not required by definition per se, but is really the only way to work. Note also that this is not real interaction, but the simulator runs the real adversary internally. It is necessary to do this in order to make sure that the output distribution is like in a real execution. Thus, the inputs used by the corrupted parties are effectively extracted by the simulator, and other events (like if a corrupted party aborts) are also detected. In the standard definition of secure computation, the simulator runs the adversary internally and so it can rewind it and do other tricks. The input extraction is necessary since the simulator needs to send the corrupted parties’ inputs to the ideal trusted party (as in the previous item). Thus, it needs to be able to extract the effective input used by the real adversary. This shows that protocols that are secure under this definition have the property that all inputs are fully defined!

When it comes to universal composability, things become more complex since there is another entity called the environment. This is an external entity and the real and ideal adversaries interact with it ( as real external interaction ). The calculate of the environment is to try to distinguish if it is interacting with a veridical adversary running a real protocol with honest parties, or if it is interacting with an ideal adversary/simulator and a hope party computing the ideal functionality. In this event, we have the follow interaction :

  1. The ideal adversary interacts with the environment and hands it messages that it expects to see from the real adversary; this is real external interaction. In general, if the simulator generates a view for the real adversary that is indistinguishable, then whatever the internally simulated real adversary wants to send to the environment is just forwarded by the simulator to the environment (and whatever is sent back is forwarded to the internally simulated real adversary).
  2. External interaction with the trusted party, as above
  3. Internal interaction with the real adversary, as above. Note that a real adversary can forward every message it receives immediately to the environment and can get back some response (and in fact, it could be the environment who decides on all actions by the real adversary). This actually prevents the simulator from rewinding the real adversary since essentially it is the external environment who runs the adversary, and this is external interaction with the simulator and so cannot be rewound.

I know that this is all very complicated, but with some considerable feat, it makes sense in the end …

Leave a Reply

Your email address will not be published.