# Proving Security

This chapter discusses how to prove that a protocol is secure. We start with the definition of a threat model, which is a prerequisite for proving security. Then, we describe the most common proof technique in MPC: simulator proofs in the real/ideal paradigm.

## Threat Models

A *threat model* describes the assumptions we make about the behavior of parties participating in a secure protocol.

When we argue (or prove) that a protocol is secure, we do so with respect to a particular threat model. The idea of security makes sense only in the context of a threat model, as we'll see in this chapter, so a secure protocol should always come with a complete description of the intended threat model.

### The Adversary and Corruption

The *adversary* is a conceptual abstraction of what we're trying to defend against. "The adversary" is typically thought of as a single entity who may *corrupt* some of the parties participating in the protocol. Corrupted parties reveal everything they know to the adversary (and in some cases, follow the adversary's commands). The adversary can learn or compute anything that any of the corrupted parties could learn or compute on their own, and the notion of collusion between parties is captured by the idea that multiple parties may be corrupted simultaneously and the adversary learns all of their combined knowledge.

Parties that are not corrupted are called *honest*. We typically assume that honest parties do not share any information with any other party, except as directed by the protocol.

### Semi-Honest and Malicious Security

Honest parties always follow the protocol. But how do corrupted parties behave?

In the *semi-honest* (also called *passive*) model, corrupted parties *also* follow the protocol. In this model, *all* parties follow the protocol.

In the *malicious* (also called *active*) model, corrupted parties *may deviate* from the protocol, as instructed by the adversary. In this model, honest parties still follow the protocol, but corrupted ones don't.

Malicious security is clearly the stronger threat model - it makes fewer assumptions about the behavior of corrupted parties. Which one is "correct"? There is no single right answer - it depends on what expectations you can safely make about how parties running the protocol will behave in real life. In particular, is it realistic to believe that corrupted parties will still follow the protocol? In most cases, probably not - so semi-honest security is typically considered a fairly weak threat model.

Why consider semi-honest security at all, then? It turns out that building protocols with semi-honest security is often much easier than building malicious-secure protocols, and semi-honest protocols can often be a useful stepping-stone to more complicated malicious-secure ones. We'll see examples of this in later chapters.

### Honest and Dishonest Majorities

Besides semi-honest and malicious, the other major consideration in a threat model is: how many parties may be corrupted?

In the *honest majority* setting, we assume that a majority of the parties are honest (not corrupted).

In the *dishonest majority* setting (also called *$n-1$ security*) we assume that $n-1$ out of the $n$ parties may be corrupted - in other words, everyone except a single person may be controlled by the adversary!

The dishonest majority assumption is the strongest one we can make. If $n$ parties are corrupted, then security is impossible (or maybe vacuous?) - the adversary knows everything all $n$ parties know, including their secrets.

The dishonest majority assumption is clearly stronger than the honest majority assumption, but assuming an honest majority often makes it much easier to construct secure protocols - we'll see several examples of protocols in later chapters. In real life, an honest majority might be a very reasonable assumption - in many cases, secure protocols are designed to protect against rare "bad actors" rather than situations where most participants are behaving badly.

In protocols that involve different classes of parties (e.g. clients and servers), it's common to state the assumptions precisely in terms of those classes, and it's possible to mix the two (e.g. we assume an honest majority of clients, but a dishonest majority of servers).

It's also common to be more precise about how large the honest majority is. Many secure protocols for [federated learning](todo), for example, assume that an even smaller fraction of parties may be corrupted (e.g. as few as 5% or 10%). For protocols involving hundreds or even thousands of parties, this may be a very reasonable assumption - it's generally more difficult for an adversary to corrupt a large number of parties in real life.

### How Many Participants?

todo (2pc vs 3pc vs mpc, do more parties make it better?)

## The Real/Ideal Paradigm

### The Ideal World and Ideal Functionality

### The Real World

### The Simulator and Simulator Security

### Hybrid Arguments