*Bounty: 100*

*Bounty: 100*

**An example of a security protocol**

This protocol is designed *in the semi-honest* model. Two parties encrypt their input and send it to the cloud. Cloud will perform computation using a *homomorphic encryption* and send *the result* to *P2*. Afterward, P2 sends its computed value to P1, and finally, *P1 will obtain the output*.

*Note*: Output ($S$) is the number of zeros among these values $D_z(R_1),D_z(R_2),D_z(F)$.

*Note*: Cloud does not know anything about the parties inputs and output, and it just computes on encrypted data and send the result to the P2.

*Note*: P2 sends $z_2$ to P1 via a secure channel and then P1 computes the private key $z=z1*z2$.

In the case of a guaranteed honest majority, I am going to prove the security of the protocol using the **real ideal model** just as below(I have tried to construct the real views according to the Hazay-Lindell’s book-page 21):

**Case1**: *P2* is corrupted

$VIEW^Pi_{P_2}$=${I_2,r,y_2,x_2,z_2,Enc_K(F)}$, $r$ is used in the $E_Y$ process.

**Case2**: *P1* is corrupted

$VIEW^Pi_{P_1}$=${I_1,r,y_1,x_1,z_1,z_2,R_1,R_2,F}$, $r$ is used in the $E_Y$ process.

**Case3**: *Cloud* is corrupted

$VIEW^Pi_{Cloud}$=${r,E_Y(I_2),E_Y(I_1)}$

**Question1**: Are the real views, which I have shown in three cases, correct? Should I consider the cases where (P1, P2), (P1, Cloud) and (P2, Cloud) are corrupted, too?

**Question2**: Would you please tell me how the simulator in the ideal world should **simulate** in each case? (Please, explain the trickiest part of each case that I should consider it in my proving)

**Question3**: How does the simulator simulate **value $Enc_K(F)$** received from the cloud? ($Enc_K$ is a symmetric encryption)

**Question4**: How does the simulator show **the correctness** in each case?