2

Please, consider two honest parties $A$ and $B$ outsourced their private data to a malicious server $S$. So the parties store their data in the server. Then at a later point in time they want to ask the server to run some computation on both parties data and return a private result back to a party.

In order to prove the security of the scheme,in the ideal world, we construct a simulator $SIM_s$ simulating malicious server, $A_s$.

Question: Does $SIM_s$, pick two random datasets, make them private and send to $A_s$?

What is not clear in this case is that whether the parties (or simulator) have input or the server has input. Because the parties have already outsourced their dataset.

user13676
  • 845
  • 5
  • 14

2 Answers2

2

The objective of the simulator is to make the simulated world (often called the ideal world) indistinguishable from the real world (running the actual protocol). See my write-up on the UC framework here for more detail.

In the proof setup, the entity attempting to distinguish between the two worlds is often assumed to provide the inputs to the parties. That keeps things as generic as possible.

So, what should be done is have $\mathcal{Z}$ pick the inputs for the parties.

Community
  • 1
mikeazo
  • 39,117
  • 9
  • 118
  • 183
0

$SIM_s$ can do that, but it doesn't need to. $\:$ The distinguisher chooses the parties' inputs.