Mercurial > pysmcl
changeset 317:e461d9e51c40
open -> output
author | Sigurd Meldgaard <stm@daimi.au.dk> |
---|---|
date | Fri, 16 Apr 2010 11:03:53 +0200 |
parents | 307d262401dc |
children | 72bd059a692c |
files | provsec/paper.tex |
diffstat | 1 files changed, 19 insertions(+), 19 deletions(-) [+] |
line wrap: on
line diff
--- a/provsec/paper.tex Fri Apr 16 11:00:20 2010 +0200 +++ b/provsec/paper.tex Fri Apr 16 11:03:53 2010 +0200 @@ -105,10 +105,10 @@ only information that can be derived directly from this is ever made available to an adversary in the real world protocol. -A secure MPC protocol is often implemented by having -players exchange values that are encrypted or by other means hidden, -performing the computations on the hidden values, and opening or -decrypting the final secret values to the appropriate players. +A secure MPC protocol is often implemented by having players exchange +values that are encrypted or by other means hidden, performing the +computations on the hidden values, and opening or decrypting +(outputting) the final secret values to the appropriate players. VIFF is a framework implementing the primitives for doing MPC implemented in Python, it is described in \cite{geisler10}. From our point of @@ -271,7 +271,7 @@ obtaining their own value. A secret value can be revealed by the \KWD{output} function, that -returns the hidden value of its argument. If the variant opening a +returns the hidden value of its argument. If the variant outputting a value to a specific player is used, only for that player the function returns a value, for other players it will return \KWD{None}. @@ -376,14 +376,14 @@ The second conditional is not rewritten because \KWD{c} is not secret. -\KWD{open(a)} is a possible security breach, leaking the value of +\KWD{output(a)} is a possible security breach, leaking the value of \KWD{a}, and therefore causes the generation of a proof burden from the analysis that a can be derived from the public values and the result. (In this case the burden cannot be proven). Opening \KWD{max} using the \KWD{result} function is interpreted as if this is an intended result of the computation, it is therefore -allowed to open it. +allowed to output it. \section{The verifier} @@ -419,7 +419,7 @@ possibilities: \begin{itemize} -\item The opening is marked as intentional, by making use of the +\item The output is marked as intentional, by making use of the construct \verb|result(output(e))|. This should be done when the opened value is a part of the result that the programmer intends the program to compute. Such openings are always considered OK. @@ -438,17 +438,17 @@ % but the analysis cannot determine whether %the opening is harmless. The analysis interprets this to mean that the programmer claims the - opening is harmless. In technical terms, this means the programmer - claims that the opened value can be simulated with an + opening is harmless. This means the programmer + claims that the outputted value can be simulated with an indistinguishable distribution, based only on the intended results of the program. More concretely, this can be the case, for - instance, if the opened value directly follows from the intended + instance, if the outputted value directly follows from the intended results (but the programmer gets an efficiency improvement from revealing the value at an earlier stage). In such a case, the analysis will generate a warning, informing the programmer about the proof burden that has to be carried in order - for the opening to be proved secure, and providing as much help as + for the \KWD{output} to be proved secure, and providing as much help as possible towards giving such a proof. This help can include an overview of the intended results and a summary of the information flow analysis. This part of the implementation is still sketchy in @@ -524,7 +524,7 @@ ``if-branching'' on a Boolean secret value into a program that calculates both branches secretly. \item - Rewrite output statements, + Rewrite \KWD{output} calls, so they block the computation until the opened value is ready. \end{itemize} We now give more details on these rewritings: @@ -644,7 +644,7 @@ When revealing a secret value in VIFF, we get back a deferred, but often we want to output the value, and write an if statement -immediately after using the opened value to branch on. This cannot be +immediately after using the outputted value to branch on. This cannot be done in plain VIFF, because we do not know if the value to be opened is ready when we do the branching. Therefore a common idiom when writing VIFF code is to put the code doing the branch in a callback-function, @@ -695,11 +695,11 @@ We now want to show that $pi_P$ with access to $F$ is implementing $F_P$. -The main property we need to show, is that any \KWD{open} that $pi_P$ -will do, can only release information (do an \KWD{open}) when there is +The main property we need to show, is that any \KWD{output} that $pi_P$ +will do, can only release information (do an \KWD{output}) when there is a way to simulate this output from the information $F_P$ outputs from the $result$ instructions, as of now the verifyer will print a proof -burden for each \KWD{open} not directly within an \KWD{result} to show +burden for each \KWD{output} not directly within an \KWD{result} to show the consequences of the program. A function marked \KWD{ideal\_functionality} should not be called from @@ -709,7 +709,7 @@ harm. -Also we need to show that the only parts of $pi_P$ that can \KWD{open} +Also we need to show that the only parts of $pi_P$ that can \KWD{output} information are the ones that are marked by \KWD{@ideal\_functionality}: Secret information can only be created by those functions, and they can only be called from other such @@ -773,7 +773,7 @@ Because supply can be assumed to increase with increasing price, and demand will decrease, we can assume the difference to be monotone, and hence we can find the market clearing price -by doing a binary search. This requires us to open the result of +by doing a binary search. This requires us to output the result of the intermediate comparisons, as arrays cannot be indexed by secret values. This is however fine, because the result of the computation is the intersection point, and a dishonest party getting access to the