Influence of attackers on honest users

The formal reason for modeling the honest users is that one cannot define runs of the system without them One needs some source for the user inputs. A more intuitive reason for modeling the honest users is that this is where the active attacks described in Section 2.5 come in One must decide to what extent the behaviour of honest users might be influenced by the attackers. 

In the following, two formal models of essentially the same idea are presented. Some discussions of their relative merits follow. The section concludes with discussions of how conventional definitions of active attacks fit into these models. Actually, the general model with interfaces seems to simplify the treatment of active attacks in definitions considerably. 

Essentially, one obtains the best degree of security if one universally quantifies over the behaviour of the honest users No matter what the honest users do, the requirements are fulfilled. Such a model automatically covers all conceivable active attacks, because behaviours resulting from an influence by an attacker are just behaviours, too. It is rather a natural model, too — for instance, how could one know anything about how an honest user selects the messages she authenticates (This is in contrast to the behaviour of correct entities, which act according to programs.) 

Of course, the notion universally quantifies was not precise, because it was not clear where such a quantifier would be placed in what formula. Hence two precise models are now presented. The first one is simpler and sufficient for all integrity requirements (and thus all the minimal requirements on signature schemes), whereas the second one is more intuitive and can also be used with privacy requirements. 

Secret sharing schemes, introduced in [Blak79, Sham79], can be used to approach this situation for private storage, too. However, in this case, several shares must remain intact for the secret to be recovered and must be recollected each time the secret is used. 

---