Security model?

[byzhang]

Thank you so much for JIFF!

I have a question on the security model. As far as I know, there are 3 roles in JIFF: 1 server, 2 or 3 computation parties, N input parties. Which ones can be semi-honest or malicious? Which ones must be non-colluding? I didn't find such information in jsdoc nor in your presentations.

Thanks in advance!

[KinanBab]

Hello,

Everything has to be semi honest so far.

If the server is used as a crypto provider (e.g. to generate beaver triplets), then the server cannot collude with any subset of compute parties. This is the default behavior on the master branch.

The branch merge-preprocessing changes the default behavior to use preprocessing protocols to generate crypto material. In that case, the server can collude with any subset of compute parties.

The compute parties themselves have two scenarios:

1. if the computation does not use smult_bgw, then JIFF is secure against k-1 colluding computation server, where k is the number of computation parites. For example: This is the case when the server generates material, the computation does not multiplications preprocessing, or it overrides the multiplication preprocessing with some different protocol.

2. if the computation uses smult_bgw, either directly, or via preprocessing, then it is secure against an honest majority of computation parties.

Finally, Input parties that do not participate in the computation can collude with any subset of each others and other parties.

Note that in JIFF computation parties can be 2, 3, or more. There is no upper limit.

[byzhang]

Thank you @KinanBab !
In case you have some insights on multiparty/conclave#10 (JIFF on Conclave), it's highly appreciated.