Further Optimizations Sample Clauses

Further Optimizations. Although we have strived to make our protocol as efficient as possible, we have omitted several optimizations in order to simplify the presentation; they are described next. Some of them lead to a more flexible, “pipelined” execution of the protocol steps. 1. A party need not generate a share of the coin in round r+1 if it did not accept a main-vote of abstain in round r. 2. A party need not wait for n t coin shares, unless it is going to cast a soft pre-vote, or unless it needs to later verify the justification of a soft pre-vote (it can always wait for them later if needed). 3. A party need not wait for n t pre-votes once it accepts two conflicting pre-votes, since then it is already in a position to cast a main-vote of abstain. 4. A party need not wait for n t main-votes if it has already accepted a main-vote for something other than abstain, since then it is already in a position to move to the next round; however, the decision condition should be checked before the end of the next round. 5. It is possible to collapse steps 4 and 1; however, some adjustments must be made to accommodate the threshold signature. If a party wants to make a hard pre-vote for b, he should generate signature shares on two messages that say “I pre-vote b if the coin is 0” and “I pre-vote b if the coin is 1.” If a party wants to make a soft pre-vote, he should generate signature shares on two messages that say “I pre-vote 0 if the coin is 0” and “I pre-vote 1 if the coin is 1.” This allows the parties to make soft pre-votes and reveal the coin concurrently, while also making it possible to combine both soft and hard pre-votes for the same value to construct the necessary main-vote justifications. This variation reduces the round and message complexity by a factor of 1/3, at the expense of somewhat higher computational and bit complexity; it also precludes variations (1) and (2) above. 6 A ▇▇▇▇▇▇-▇▇▇▇▇▇▇ Based Threshold Coin-Tossing Scheme 6.1 The Scheme
Further Optimizations. Reduced computation costs by precomputing the (r, R)-pairs together with corresponding digital signa- tures. Whenever a device has to change its pair it makes a random selection from the precomputed set. Precomputing saves one multiplication in each proto- col, but is a trade-off between computation and mem- ory costs. • If a mobile device performs ECC operations in hard- ware then we suggest to use binary finite fields F2m In this section we discuss the security of µSTR-H proto- cols with respect to the requirements of Section 2.2. µSTR- H has reduced computation, communication and memory costs compared to STR and is suitable for heterogeneous mobile ad-hoc groups. The computation process of the group key still relies on the tree-based ▇▇▇▇▇▇-▇▇▇▇▇▇▇ key exchange method as in STR, except for the difference that mathematical operations are peformed in a subgroup of points <G> of an elliptic curve E over a finite field Fq as described in Section 3.1, and not in a cyclic group Z∗. We show that security of µSTR-H protocols benefits from the security of STR protocols as proven in [10] and [11]. The computational group key secrecy of STR protocols relies on the hardness of Computational ▇▇▇▇▇▇-▇▇▇▇▇▇▇ (CDH) problem, that has also been proven hard in < G > [13]. The decisional group key secrecy of STR protocols relies on the hardness of Decisional ▇▇▇▇▇▇-▇▇▇▇▇▇▇ (DDH) prob- lem [2], that has been proven hard in < G > for certain kinds of elliptic curves (non-supersingular and non-trace-2 elliptic curves [9]). Thus, adversary A can neither compute nor distinguish the group key knowing only the public keys and blinded session randoms (note communication broad- cast channel is public). Therefore, a group key can only be discovered if at least one secret value, either any ri or ki is known to A. Due to the hardness of Discrete Logarithm (DL) problem (its ECC counterpart is believed to be even more difficult to solve [13]) adversary is not able to reveal these values from their public values Ri and Ki. In case of backward secrecy we show that any A being a joining member is not able to obtain any of the previous used group keys. Assume, A becomes a new member of the group at position a in P . As a new member A is able to compute all secret keys ki (a ≤ i ≤ n). The sponsor of the addi- tive event changes own rs and causes the change of all ki, s ≤ i ≤ n. Since s < a A can only compute changed se- cret keys, and is therefore not able to compute the previ- ously used gr...