P P Sample Clauses

P P. Proof. The fact that S (PXY Z ) = 0 when either E < B or E < A follows from Theorem 5 because PXY Z is either X-simulatable or Y -simulatable by Xxx. The fact that S (PXY Z ) = S(PXY Z) when E > B and E > A can be proved as follows. A suboptimal protocol based on the authentication method of Theorem 7 can be used to generate a relatively small t-bit secret key K, using O(t) bits of the random string. This key can then be used, similar to a bootstrapping process, for instance based on the protocols of [10], to authenticate the messages exchanged in an optimal passive-adversary protocol achieving S(PXY Z). The size of K must only be logarithmic in the maximal size of a message exchanged in [10] and linear in the number of rounds of . No matter what amount of secret key must be generated by , this can be achieved by using messages of size proportional to the key size in a constant number of rounds. Therefore, the ratio of size of K and the size of the generated key vanishes asymptotically. It is known from [14] that min[h( AE); h( BE)] h( AB) S(PXY Z) 1 h( AB): It was recently proved that S(PXY Z) > 0 unless E = 0 [17], even when both E < B and E < A, i.e., even when the above lower bound vanishes (or is negative).
P P. Fully asynchronous system without private setup. There are n designated parties, each of which has a unique identity (i.e., 1 through n) known by everyone. Moreover, we consider the asynchronous message-passing model with static corruptions and bulletin public key infrastructure (PKI) assumption in the absence of any private setup. In particular, our system and threat models can be detailed as:
– Bulletin PKI. There exists a PKI functionality that can be viewed as a bulletin board, such that each party $P_i \in \{P_j\}_{j \in [n]}$ can register some public keys (e.g., the verification key of a digital signature) bound to its identity via the PKI before the start of the protocol.
– Computing model. We let the n parties and the adversary A be probabilistic polynomial-time interactive Turing machines (ITMs). A party $P_i$ is an ITM defined by the given protocol: it is activated upon receiving an incoming message to carry out some polynomial steps of computations, update its states, possibly generate some outgoing messages, and wait for the next activation. Moreover, we explicitly require the bits of the messages generated by honest parties to be probabilistic uniformly bounded by a polynomial in the security parameter λ, which naturally rules out infinite protocol executions and thus restricts the running time of the adversary through the entire protocol.
– Up to n/3 static Byzantine corruptions. The adversary can choose up to f out of n parties to corrupt and fully control, before the course of a protocol execution. No asynchronous BFT can tolerate more than $f = \lfloor (n-1)/3 \rfloor$ such static corruptions. Throughout the paper, we stick with this optimal resilience. We also consider that the adversary can control the corrupted parties to generate their key materials maliciously, which captures that the compromised parties might exploit advantages while registering public keys at the PKI.
– Fully asynchronous network.
We assume that there exists an established p2p channel between any two parties. The channels are considered secure, which means the adversary cannot modify or drop the messages sent between honest parties and cannot learn any information about the messages except their lengths. Moreover, the adversary must be consulted to approve the delivery of messages, namely, it can arbitrarily delay and reorder messages. Note that we assume asynchronous secure channels (instead of merely asynchronous reliable channels) for presentation simplicity, and they are not extra assum...
P P. Commitment. Assume that Pi is the first party who starts to run the protocol’s revealing phase; this implies that i received a valid XxxxxxXxxXxxx(XX, x, X) message from leader L. If another honest j received a valid CommitAggPvss(ID, hj, Σj) message from leader L, where hj = h, since a valid Σ contains 2f + 1 valid signatures for the same hash value from distinct parties, it follows that at least one honest party signed for both h and hj, which is impossible. Hence, when some honest party i starts to run the protocol’s revealing phase, the h from any valid XxxxxxXxxXxxx(XX, x, X) message is unique. Following the commitment of the PVSS scheme, there exists a fixed value seed corresponding to the pvss, where h = (pvss). Suppose that some honest party outputs seedj from the Seeding. By the code, it receives 2f + 1 SeedReady messages containing seedj. Then at least one honest party received 2f + 1 valid SeedEcho messages with the same seedj from distinct parties, which means that at least f + 1 honest parties received a valid Seed(ID, h, Σ, seedj) message from the leader. From the previous analysis, no honest party will accept a seedj seed from PL or multicast it. Thus, seedj = seed.
– Unpredictability. Before f + 1 honest parties are activated to run the revealing phase of the Seeding protocol, the adversary can only collect at most 2f decryption shares for the committed pvss script. By the Unpredictability of PVSS with weight tags, since the aggregated pvss has a weight with 2f + 1 non-zero positions, it is infeasible for the adversary to compute a seed∗ = seed at that moment, where seed is the actual secret committed to the aggregated pvss script.
The complexities can be easily seen as follows: The message complexity of Seeding is $O(n^2)$, because each party sends n SeedEcho and SeedReady messages; since the input secret s and pvss are both $O(\lambda)$ bits, and there are $O(n)$ messages of $O(\lambda n)$ bits and $O(n^2)$ messages of $O(\lambda)$ bits, the overall communication complexity of the protocol is $O(\lambda n^2)$ bits.
P P. Lemma 5. If two parties i and j send valid Vote(ID, G) and valid Vote(ID, Gj) to all parties, respectively, i.e., there exists ( , A, r, ) matching the majority elements in G and r is the largest VRF evaluation among all elements in G, and there exists ( , Aj, rj, ) matching the majority elements in Gj and rj is the largest VRF evaluation among all elements in Gj, then (A, r) = (Aj, rj).
P P. Let z := (1=pz) z pzPZjZ (z; z)P z , pz = PZ (z), and pz = z PZjZ (z; z)pz; where z is the state of Xxxxx's and Xxx's system conditioned on Xxx's result z: P j 0i = z z j zi (see the proof of Theorem 1).
P P.
– GetShare(dki, pvss) → shi is executed by the party Pi, takes a valid pvss script and i’s decryption key dki as input, and outputs the secret share shi of the secret committed to pvss.
– VrfyShare(j, shj, pvss) → 0/1 takes the PVSS script pvss and party j’s secret share shj as input, and verifies whether shj is the correct jth share of the polynomial committed to pvss or not.
– AggShares({(j, shj)}t) → a takes t valid secret shares from distinct parties regarding an implicit PVSS script pvss, and computes the secret a committed to the pvss.
– VrfySecret(s, pvss) → 0/1 verifies whether a secret s is indeed committed to pvss or not.
Gurkan et al. [40] recently proposed to lift the PVSS scheme to further enjoy aggregability, which requires slightly adapting the syntax. Here we only highlight the small adaptations to these algorithmic interfaces:
– Deal(ek, ski, s) → pvss. Now the algorithm takes an extra secret signing key ski as input, which is needed to make the pvss script carry an unforgeable weight tag bound to the identity i.
– VrfyScript(ek, vk, pvss) → 0/1. It takes some verification keys vk besides ek and pvss as input. The output still represents whether pvss is valid or not.
– AggScripts(pvss1, pvss2) → pvss. This is a newly introduced algorithm that takes two valid PVSS scripts pvss1 and pvss2 as input and outputs a valid PVSS script pvss.
– Weights(pvss) → w. This is another new algorithm. It takes a valid pvss script as input and outputs an n-sized vector w, every jth element of which belongs to ℕ0 and represents that the pvss script indeed aggregates a certain pvss script from the party Pj.
The aggregatable PVSS scheme due to Gurkan et al. [40] satisfies a few nice security properties such as verifiable commitment, verifiable aggregation and secrecy.
Informally, verifiable commitment means that any party can verify that a PVSS script pvss indeed commits a fixed secret s that can later be collectively reconstructed by the participating parties; secrecy means that it is infeasible for an adversary to compute the committed secret from the PVSS script; verifiable aggregation means that if Weights(pvss) returns $(w_1, w_2, \cdots, w_n)$, then the secret s committed to pvss indeed equals $\sum_{i=1}^{n} w_i s_i$, where $s_i$ is the secret committed to some PVSS script pvssi that is solely generated (and signed) by the party Pi. We defer the detailed descriptions of these properties to Appendix B.
P P. Both xEB and K = eˆ(EB + ψ(QB), R′)z can be computed by C. To prevent this attack, party B should also check that for EA = x1 1 1 + x2 2, x1 = x2, i.e., EA is in the cyclic group generated by P2. The test method can be found in Section 2.2.
P P. 34N37 Int. 35N04 Int. 33N37 1.97 P 35N04 Int. 33N02 Int. 34N37 3.60 P P 35N04E Int. 00X00 Xxx Xxxx 0.26 P P = Purchaser Performance Item D = Deposit to Forest Service D3 = Deposit to Third Party Sale Name: Dragon MP Thin Page 150A Contract 2400-6, (6/06) Dust Abatement Plan (B5.3, C5.31, T-806) Sale Name: Dragon MP Thin 33N02 33N03 33N03B 33N08 33N08A 33N11 33N15 33N29Y 33N29YB 33N37 34N37 35N04 35N04E TABLE A Sale Volume 51,593 GT Road No. 32N83Y Material Type or Grade Initial Application Rate Subsequent Frequency of Subsequent Application Preparation Method Wt.-Vol. Conversion Method water water water water water water water water water water n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a Watering shall be performed once each day for haul up to 10 loads/day. For haul over 10 loads/day watering shall be performed as needed to xxxxx dust T-806 as needed n/a Sale Name: Dragon MP Thin Page 150B Contract 2400-6, (6/06) C5.35# - ROAD AND WATER SUPPLY USE (05/2008) National Forest water supply locations, access, method of filling trucks, period of water availability and procedures designed to maintain water quality at each location shall be agreed in advance of use. Such use shall at no time reduce water supplies to the level that further use may be detrimental to aquatic resources or other established use. Waterholes and other improvements relating to said water supplies shall be put into condition, prior to expected seasonal periods of precipitation or runoff, to avoid resource damage. Damage to resources at such locations caused by Purchaser's Operations, other than fire suppression activities, shall be repaired by Purchaser in a timely and agreed manner to the extent practicable to restore and prevent further resource damage. Unless otherwise agreed, Purchaser's use of roads and other water supply requirements shall conform to the following table. See Table A Sale Name: Dragon MP Thin Page 151 Contract 2400-6,(6/06)
P P. Fully asynchronous system without private setup. There are n designated parties, each of which has a unique identity (i.e., 1 through n) known by everyone. Moreover, we consider the fully-meshed asynchronous message-passing model with Byzantine corruptions and bulletin public key infrastructure (PKI). In particular, our system and threat models can be detailed as:
– Bulletin PKI. There exists a PKI functionality that can be viewed as a bulletin board, such that each party $P_i \in \{P_j\}_{j \in [n]}$ can register some public keys (e.g., the verification key of a digital signature) bound to its identity via the PKI before the start of the protocol. Once a public key is registered, we assume all parties can receive it immediately from the PKI.
– Computing model. Following [16,5] and modern cryptographic practices, we let the n parties and the adversary A be probabilistic polynomial-time interactive Turing machines (ITMs). A party $P_i$ is an ITM defined by the given protocol: it is activated upon receiving an incoming message to carry out some polynomial steps of computations, update its states, possibly generate some outgoing messages, and wait for the next activation. Moreover, we explicitly require the bits of the messages generated by honest parties to be probabilistic uniformly bounded by a polynomial in the security parameter λ, which naturally rules out infinite protocol executions and thus restricts the running time of the adversary through the entire protocol.
P P. Lemma 1. If any two honest parties i and j output (cipher, , , ) and (cipher′, , , ) in AVSS-Sh[ID], respectively, then cipher = cipher′ except with negligible probability.