In cryptography, many ways have been used to define this (random oracle model, universal composability ($\UC$)~\cite{Can01}\ldots) which give rise to stronger security guarantees.
If one may look for the strongest security for its construction, there are known impossibility results in strong models.
For instance, in the $\UC$ model, it is impossible to realize two-party computation~\cite{Yao86} without honest set-up~\cite{CKL06}, while it is possible in the standard model~\cite{LP07}.
The name ``reduction'' comes from computational complexity.
In this field of computer science, research focuses on defining equivalence classes for problems, based on the necessary amount of resources to solve them.
In order to define lower bound for the complexity of some problems, a classical way of doing this is to provide a construction that goes from an instance of a problem $A$ to an instance of problem $B$ such that if a solution of $B$ is found, then so is a solution of $A$ as well.
This amounts to say that problem $B$ is at least as hard as problem $A$ up to the complexity of the transformation.
For instance, Cook shown that satisfiability of boolean formulas is at least as hard as every problem in $\NP$~\cite{Coo71} up to a polynomial-time transformation.
\item A finite set $\Gamma$, called the \textit{tape alphabet}, that contains symbols that the TM uses in its tapes. In particular, $\Gamma$ contains a \textit{blank symbol} ``$\square$'', and ``$\triangleright$'' that denotes the beginning of a tape.
\item A finite set $Q$ called the \textit{states} of the TM. It contains special states $q_{start}$, $q_{halt}$, called respectively the \textit{initial state} and the \textit{halt state}.
\item A function $\delta: (Q \backslash\{q_{halt}\})\times\Gamma^{k-1}\to Q \times\Gamma^{k-1}\times\{\leftarrow, \downarrow, \rightarrow\}^k$, called the \textit{transition function}, that describes the behaviour of the internal state of the machine and the TM heads.\\
\smallskip
Namely, $\delta(q, a_1, \ldots, a_{k-1})=(r, b_2, \ldots, b_k, m_1, \ldots, m_k)$ means that upon reading symbols $(a_1, \ldots, a_{k-1})$ on tapes $1$ to $k-1$ (where the first tape is the input tape, and the $k$-th tape is the output tape) on state $q$, the TM will move to state $r$, write $b_2, \ldots, b_k$ on tapes $2$ to $k$ and move its heads according to $m_1, \ldots, m_k$.
A TM $M$ is said to \emph{compute} a function $f: \Sigma^\star\to\Gamma^\star$, if for any finite input $x \in\Sigma^\star$ on tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, $M$ halts in a finite number of steps with $f(x)$ written on its output tape $T_k$.
A TM $M$ is said to \emph{recognize} a language $L \subseteq\Sigma^\star$ if on a finite input $x \in\Sigma^\star$ written on its input tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, the machine $M$ eventually ends on the state $q_{halt}$ with $1$ written on its output tape if and only if $x \in L$.
A TM $M$ is said to run in $T(n)$-time if, on any input $x$, it eventually stops within $T(|x|)$ steps.
A TM $M$ is said to run in $S(n)$-space if, on any input $x$, it eventually stops and had write at most $S(|x|)$ memory cells in its working tapes.
\end{definition}
Turing machines are a computational model that proved useful in complexity theory as it is convenient to evaluate the running time of a Turing machine, which amounts to bound the number of steps the machine can make.
Similarly, the working tapes works analogously to the memory of a program, and then counting the number of cells the machine uses is equivalent to evaluate the amount of memory the program requires.
From these considerations, it is possible to describe the time and space complexity of a program from the definition of Turing machines.
In our context, we will work with Turing machine that runs in polynomial-time and space, as polynomials benefit from good stability properties (sum, product, composition, \ldots{}).
The class \textsf{P} describes the set of languages that can be recognized by a Turing machine running in time $T(n)=\bigO(\poly)$.
\end{definition}
In theoretical computer science, the class \textsf{P} is often considered as the set of ``easy'' problems.
These problems are considered easy in the sense that the growth of the cost to solve them is asymptotically negligible in front of other functions such as exponential.
In this context, it is reasonable to consider the computational power of an adversary as polynomial (or quasi-polynomial) in time and space.
As cryptographic algorithms are not deterministic, we also have to consider the probabilistic version of the computation model.
A \emph{probabilistic Turing machine} is a Turing machine with two different transition functions $\delta_0$ and $\delta_1$, where at each step, a random coin is tossed to pick $\delta_0$ or $\delta_1$ with probability $1/2$ independently of all the previous choices.
The machine only outputs \texttt{accept} and \texttt{reject} depending on the content of the output tape at the end of the execution.
We denote by $M(x)$ the random variable corresponding to the value $M$ writes on its output tape at the end of its execution.
The class \textsf{PP} describes the set of languages $L \subseteq\Sigma^\star$ that a Turing machine $M$ recognizes such that the TM $M$ stops in time $\poly[|x|]$ on every input $x$ and
\[\begin{cases}
\Pr\left[ M(x) = 1 \mid x \in L \right] > \frac12\\
\Pr\left[ M(x) = 0 \mid x \notin L \right] > \frac12
\end{cases}. \]
In the following $\ppt$ stands for ``probabilistic polynomial time''.
\end{definition}
We defined complexity classes that corresponds to natural sets of programs that are of interest for us, but now how to work with it?
That's why we'll now define the principle of polynomial time reduction.
\begin{definition}[Polynomial time reduction] \label{de:pt-reduction}\index{Reduction!Polynomial time}
A language $A \subseteq\bit^\star$ is \emph{polynomial-time reducible to} a language $B \subseteq\bit^\star$, denoted by $A \redto B$, if there is a \emph{polynomial-time computable} function $f: \bit^\star\to\bit^\star$ such that for every $x \in\bit^\star$, $x \in A$ if and only if $f(x)\in B$.
\end{definition}
In other words, a polynomial reduction from $A$ to $B$ is the description of a polynomial time algorithm (also called ``\emph{the reduction}''), that uses an algorithm for $B$ to solve $A$.
\begin{figure}
\centering
\input fig-poly-red
\caption{Illustration of a polynomial-time reduction~{\cite[Fig. 2.1]{AB09}}}\label{fig:poly-reduction}
\end{figure}
We can notice that \textsf{P} and \textsf{PP} are both closed under polynomial-time reduction.
