Semi-honest security, also known as the honest-but-curious or passive adversary model, is a security definition for cryptographic protocols where all participating parties are assumed to follow the protocol specification exactly as prescribed, but may attempt to infer additional private information by analyzing the messages they receive during execution. This model provides a baseline guarantee that no party learns anything beyond their designated output from the protocol transcript alone.
Glossary
Semi-Honest Security

What is Semi-Honest Security?
A foundational cryptographic security model where adversaries follow the protocol correctly but attempt to learn additional information from the protocol transcript.
This model serves as the foundational security threshold for many privacy-preserving machine learning protocols, including secure aggregation and federated learning systems. While weaker than malicious security—which tolerates arbitrary deviations—semi-honest security is significantly more efficient and captures realistic threats where participants are trusted to execute code correctly but may be passively logging data for later analysis. Protocols proven secure in this model are often hardened to Byzantine fault tolerance for production deployment.
Key Characteristics of Semi-Honest Security
The semi-honest security model defines the baseline threat profile for most practical secure computation protocols. It assumes adversaries follow the protocol specification correctly but may attempt to learn additional information from the protocol transcript.
Protocol Compliance Guaranteed
In the semi-honest model, all parties—including the adversary—execute the protocol exactly as specified. There is no deviation, no injection of malformed messages, and no premature abort. This assumption dramatically simplifies protocol design because correctness is never in question. The adversary will not send invalid shares, corrupt intermediate values, or refuse to participate. This compliance guarantee allows cryptographers to focus exclusively on information leakage rather than robustness to arbitrary faults.
Passive Adversary Behavior
The adversary is passive—it observes the protocol transcript, including all messages received and any intermediate computations performed locally, but never interferes with execution. This is fundamentally different from active adversaries that can modify, replay, or suppress messages. The passive adversary's goal is purely eavesdropping: extracting private inputs from the legitimate messages it sees. In secure aggregation, this means a curious server correctly sums encrypted updates while attempting to infer individual client contributions from the aggregate.
Transcript-Based Inference
The adversary's attack surface is limited to the protocol transcript—the complete record of all messages exchanged during execution. Security requires that this transcript reveals nothing beyond the intended output. Formally, for any semi-honest adversary, there must exist a simulator that can produce a computationally indistinguishable transcript given only the adversary's input and the protocol's output. This simulation paradigm proves that participation leaks no additional information. If something can be simulated without access to honest parties' private inputs, observing it in the real protocol reveals nothing.
Collusion Boundaries
Semi-honest protocols typically specify collusion thresholds—the maximum number of parties the adversary may corrupt and still guarantee security. A protocol secure against t semi-honest corruptions means any coalition of up to t parties pooling their views cannot learn the inputs of the remaining honest parties. In secure aggregation with pairwise masking, security often holds against all-but-one collusion: the server and any subset of clients cannot unmask a single honest client's update. These thresholds define the protocol's privacy ceiling.
Efficiency Advantage Over Malicious Security
Protocols designed for semi-honest security are significantly more efficient than their maliciously secure counterparts. They avoid expensive zero-knowledge proofs, consistency checks, and Byzantine agreement mechanisms. In practice, semi-honest secure aggregation can use simple one-time pads and secret sharing without verifiability overhead. This efficiency gap—often 10-100x in communication and computation—makes semi-honest protocols the pragmatic choice when participants are trusted to follow the protocol but not trusted to see raw data, such as in federated learning across hospitals or banks.
Relationship to Other Security Models
Semi-honest security sits between unconditional trust and malicious security on the threat model spectrum. It is stronger than assuming all parties are fully trusted, yet weaker than defending against arbitrary Byzantine behavior. Many real-world deployments use semi-honest protocols augmented with lightweight integrity checks—such as authenticated encryption or aggregate signatures—to detect accidental deviations without the full cost of malicious security. This hybrid approach acknowledges that while participants are not actively malicious, implementation bugs or misconfigurations can cause protocol violations that should be caught.
Semi-Honest vs. Malicious Security
A comparison of the adversarial assumptions, protocol guarantees, and computational costs associated with the two primary security models in secure multi-party computation and secure aggregation protocols.
| Feature | Semi-Honest Security | Malicious Security |
|---|---|---|
Adversary Model | Honest-but-curious; follows protocol correctly | Active adversary; may arbitrarily deviate from protocol |
Protocol Compliance | ||
Privacy Guarantee | Inputs remain confidential from transcript | Inputs remain confidential despite active attacks |
Correctness Guarantee | Output is correct if all parties follow protocol | Output is correct or protocol aborts with proof of cheating |
Typical Overhead vs. Cleartext | 2x–10x | 100x–1000x+ |
Cryptographic Primitives | Secret sharing, oblivious transfer | Zero-knowledge proofs, VSS, authenticated secret sharing |
Dropout Resilience | Requires majority of honest parties | Requires majority of honest parties; aborts if threshold breached |
Use Case | Federated learning with trusted clients | Public blockchains, untrusted cloud computing |
Frequently Asked Questions
Clear, technically precise answers to the most common questions about the honest-but-curious adversary model, its assumptions, and its role in cryptographic protocol design.
Semi-honest security, also known as honest-but-curious or passive security, is a cryptographic adversary model where all participating parties follow the protocol specification exactly but may attempt to learn additional information from the protocol transcript. The adversary does not deviate from the prescribed steps, inject malicious messages, or abort prematurely. Instead, they passively observe all messages received during execution and perform arbitrary polynomial-time computation on their view—which includes their private input, internal randomness, and all received messages—to infer sensitive information about other parties' inputs. This model is the baseline for secure multi-party computation (MPC) and secure aggregation protocol design because it is computationally easier to achieve than malicious security while still providing meaningful privacy guarantees in environments where participants are trusted to execute code correctly but not trusted with raw data access. Protocols proven secure in the semi-honest model guarantee that anything the adversary learns could be simulated from their own input and output alone, formalized through the real-ideal simulation paradigm.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding semi-honest security requires contrasting it with stronger adversarial models and the specific protocol components that enforce honest-but-curious behavior.
Honest-But-Curious Model
The canonical synonym for semi-honest security, formalized in foundational multi-party computation literature. The adversary follows the protocol exactly but logs all intermediate messages.
- Also called passive security in the cryptographic literature
- Assumes the adversary does not modify its local random tape or deviate from the prescribed message schedule
- The baseline security model for most efficient secure aggregation protocols like SecAgg
Gradient Leakage
The primary privacy threat that semi-honest security models aim to prevent. An adversary analyzing shared model gradients can reconstruct private training data through optimization-based attacks.
- Deep Leakage from Gradients (DLG) iteratively finds synthetic inputs whose gradients match observed updates
- Even a semi-honest server could mount these attacks if given access to individual client updates
- Secure aggregation eliminates this vector by ensuring the server only sees the aggregate sum, never individual contributions
Covert Security
An intermediate security model between semi-honest and malicious security. Adversaries may cheat arbitrarily, but are detected with a specified probability if they do so.
- Provides a practical trade-off: stronger guarantees than semi-honest with lower overhead than full malicious security
- Cheating is deterred by a non-negligible chance of detection and associated reputational or financial penalties
- Useful when participants are mutually distrustful but have long-term incentives to maintain honest behavior
Universal Composability
A rigorous cryptographic framework for analyzing protocol security under arbitrary composition. A protocol proven secure in the UC framework remains secure even when run concurrently with other protocols.
- Semi-honest protocols often serve as building blocks that are later compiled into maliciously secure variants using GMW compiler techniques
- UC security requires an explicit environment machine that models all external interactions
- Provides the strongest theoretical guarantee that protocol security holds in real-world deployment scenarios

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us