Welcome to the lecture Secure Multi-Party Computation.

We are now in lecture number 10 and my name is Dominik Schroeder.

So let me start by briefly reviewing what we discussed in the last lecture.

In the last lecture we talked about the construction of maliciously secure two-party computation.

And the main technique that we learned in this part is essentially a technique called

cut and choose.

As you remember the construction is somewhat involved and not super efficient.

And this brings us to the question as always in cryptography, whether the definition that

we are using is meaningful.

Recall that so far you've learned two extreme cases in some sense.

The first extreme case is semi-honest security.

And semi-honest security, this notion corresponds to an adversary that follows the protocol

honestly and tries to deviate afterwards.

So this adversary will always compute the correct responses and never send a malicious

message even though it would gain some information about that.

The second extreme that we have learned is malicious security.

And in the case of malicious security, the adversary can actually do whatever it wants.

So this actually leads us to the question whether there's something in between.

So whether we can find an intermediate definition, I don't know, that is maybe here or maybe

here that is still meaningful, still covers a certain level of malicious adversaries,

but where we achieve significantly more efficient protocols.

And this brings us to a notion that we call covert security.

While in the case of malicious security, we essentially rule out the existence of a malicious

adversary, in the case of covert security, there might exist a malicious adversary.

Now the main difference here is that there is a certain probability

of actually catching this adversary.

So the difference is in one case, this adversary doesn't exist, and in the other case it exists,

but there's a certain chance of catching this adversary.

So this lecture should demonstrate to you how difficult it is again to find a meaningful

definition to also train you on understanding that for certain applications, certain definitions

might make sense.

And we are not always striving for malicious security in general.

So thank you for your attention and the following lecture was given previously at FAU.

And the malicious security, right, so basically if you have a protocol that is secure against

malicious adversaries, then that means that basically there does not exist a malicious

attacker.

And for many practical applications, right, I mean such a strong notion you actually may

not want.

I mean of course you always want it, but if you basically trade efficiency against security,

then you would say, well maybe I'm willing to accept a certain level as long as I can

detect this.

For example, I mean other notions, other notions, accountability, other notions are usually

used in cryptos, something like accountability, where we follow the same idea.

We say, well I allow malicious behavior, but if you do so, right, I mean you can learn

more than you should, but there's a good chance of actually catching you.

And here there's accountability means basically you can deviate, but after the fact I can

basically prove to the outside that you were the one who misbehaved.

Right, so here we're looking now at some intermediate notion.

So, that is somehow in between both notions.

So what is the idea of covert security?