Adaptive versus non-adaptive security of multi-party protocols

Abstract

Security analysis of multi-party cryptographic protocols distinguishes between two types of adversarial settings: In the non-adaptive setting the set of corrupted parties is chosen in advance, before the interaction begins. In the adaptive setting the adversary chooses who to corrupt during the course of the computation. We study the relations between adaptive security (i.e., security in the adaptive setting) and non-adaptive security, according to two definitions and in several models of computation. While affirming some prevailing beliefs, we also obtain some unexpected results. Some highlights of our results are: According to a more basic definition (due to Canetti), for honest-but-curious adversaries, adaptive security is equivalent to non-adaptive security when the number of parties is logarithmic, and is strictly stronger than non-adaptive security when the number of parties is super-logarithmic. For Byzantine adversaries, adaptive security is strictly stronger than non-adaptive security, for any number of parties. According to an augmented definition which is cast in an information-theoretic setting (due to Dodis, Micali, and Rogaway), adaptive and non-adaptive security are essentially equivalent. This holds for both honest-but-curious and Byzantine adversaries, and for any number of parties.