Common use of Adaptive Attack Clause in Contracts

Adaptive Attack. In the static attack, we demonstrated that the claim “for all possibilities for the set P2, if the leader is an honest party in P2, then the protocol terminates with the correct value” is not valid. We provided specific choices of the leader within certain possibilities for P2 where the claim does not hold. This shows that the claim is incorrect in those cases. In the adaptive attack, we further illustrate the difficulty in finding an argument for the weaker claim “there exists a possibility for P2 such that if the leader is an honest party in P2, then the protocol terminates with the correct values.” We use the same setup with four parties, namely p1, p2, p3, and p4, and demonstrate that if either p1 or p2 is chosen as the leader, the adversary can manipulate the protocol to start over instead of terminating. Since any legitimate set P2 consists of three parties, it must include at least one of p1 and p2. Therefore, in any possible set P2, there is an honest party whose selection as the leader does not guarantee termination. This shows the hopelessness of finding a valid argument for the weaker claim.

Assuming the preconditions for the Πselect protocol hold, we now consider adaptive corruption in this subsection. The adversary does not corrupt any party before the leader is selected. If the chosen leader is p2, then the adversary follows the description of the static attack by corrupting p1 and executing the attack as previously described. However, if party p1 is chosen as the leader, we can leverage symmetry and modify the adversary’s description accordingly. We rename the parties as follows: p′1 .= p2, p′2 .= p1, p′3 .= p4, and p′4 .= p3. The adversary A corrupts p′1 and runs the same static adversary code on the participant set {p′1, p′2, p′3, p′4}.

Furthermore, it is important to note that in the static attack, we previously specified that Relay1,2 = Relay4,2 .= {p1, p2, p3}, while allowing Relay2,1 and Relay3,1 to be arbitrary since they were not essential to the attack and could take any value. However, in order to achieve full symmetry in the static attack and apply the aforementioned approach, we should now set Relay2,1 = Relay3,1 .= {p1, p2, p4} in the description of the static attack. With these adjustments, our adaptive adversary is complete.

B The Asynchronous ▇▇▇▇▇▇-▇▇▇▇ Extension

Here, we investigate when the generic extension of binary to multi-valued synchronous BA (for t < n/3) given by ▇▇▇▇▇▇ and ▇▇▇▇ [TC84] works in the asynchronous setting with eventual delivery. It turns out that an asynchronous version of the extension—with appropriate modifications—is secure when t < n/5, but is provably insecure for any t ≥ n/5 regardless of which binary A-BA protocol is used. We remark that while our negative result is not exactly a lower bound, as the attack that we present is on a specific extension protocol, the fact that we lose two additive factors of t in resiliency (and even three, with a more naïve approach) gives some evidence that more sophisticated techniques are needed to maintain optimal resiliency, as in [MR17]. Since our primary goal is to show that the ▇▇▇▇▇▇-▇▇▇▇ extension cannot be used to get optimally resilient, multi-valued A-BA in expected-constant rounds, we choose to work with simpler, property-based definitions in this section.

We start by reviewing the original extension in [TC84], which requires just two additional rounds. Parties first distribute their inputs amongst one another, over P2P channels. An honest party, based on how many of the received values disagree with his own, considers himself either “perplexed” or “content,” and announces this information. If enough parties claim to be perplexed, the honest party becomes “alert.” The parties now run a binary BA protocol to agree on this last state (effectively, to determine if they all started with the same input), and depending on the outcome they either output a default value, or are able to recover a common value from their local transcripts of the protocol.

Protocol ΠVa-tc
Local input of party pi: vi ∈ V, |V| ≥ 2
Local output of party pi: v ∈ V
Code for party pi:

Appears in 1 contract

Sources: Byzantine Agreement
