P P Clause Examples

P P. Commitment. Assume that Pi is the first party who starts to run the protocol’s revealing phase, it implies that i received a valid XxxxxxXxxXxxx(XX, x, X) message from leader L. If another honest j received a valid CommitAggPvss(ID, hj, Σj) message from leader L, where hj = h, since a valid Σ contains 2f + 1 valid signatures for a same hash value from distinct parties, it induces that at least one honest party signed for both h and hj, which is impossible. Hence, when some honest party i starts to run the protocol’s revealing phase, the h from any valid XxxxxxXxxXxxx(XX, x, X) message is unique. Following the commitment of the PVSS scheme, there exists a fixed value seed corresponding to the pvss, where h = (pvss). Suppose that some honest party outputs seedj from the Seeding. By the code, it receives 2f + 1 SeedReady messages containing seedj. Then at least one honest party received 2f + 1 valid SeedEcho messages with the same seedj from distinct parties, which means that at least f + 1 honest parties received valid Seed(ID, h, Σ, seedj) message from the leader. From the previous analysis, no honest party will accept a seedj seed from PL or multicast it. Thus, seedj = seed. – Unpredictability. Prior to f +1 honest parties are activated to run the revealing phase of the Seeding protocol, the adversary can only collect at most 2f decryption shares for the committed pvss script. Trivially according to the Unpredictability of PVSS with weight tags, since the aggregated pvss has a weight with 2f +1 non-zero positions, it is infeasible for the adversary to compute a seed∗ = seed at the moment, where seed is the actual secret committed to the aggregated pvss script. The complexities can be easily seen as follows: The message complexity of Seeding is O(n2), which is due to each party sends n SeedEcho and SeedReady messages; considering that the input secret s and pvss both are O(λ) bits, and there are O(n) messages with O(λn) bits and O(n2) messages with O(λ) bits, thus the communication complexity of the protocol is of overall O(λn2) bits.

P P. Proof. The fact that S (PXY Z ) = 0 when either E < B or E < A follows from Theorem 5 because PXY Z is either X-simulatable or Y -simulatable by Xxx. The fact that S (PXY Z ) = S(PXY Z) when E > B and E > A can be proved as follows. A suboptimal protocol based on the authentication method of Theorem 7 can be used to generate a relatively small t-bit secret key K, using O(t) bits of the random string. This key can then be used, similar to a bootstrapping process, for instance based on the protocols of [10], to authenticate the messages exchanged in an optimal passive-adversary protocol achieving S(PXY Z). The size of K must only be logarithmic in the maximal size of a message exchanged in [10] and linear in the number of rounds of . No matter what amount of secret key must be generated by , this can be achieved by using messages of size proportional to the key size in a constant number of rounds. Therefore, the ratio of size of K and the size of the generated key vanishes asymptotically. min[h( AE); h( BE)] h( AB) S(PXY Z) 1 h( AB): It was recently proved that S(PXY Z) > 0 unless E = 0 [17], even when both E < B and E < A, i.e., even when the above lower bound vanishes (or is negative).

P P. Fully asynchronous system without private setup. There are n designated parties, each of which has a unique identity (i.e., 1 through n) known by everyone. Moreover, we consider the asynchronous message-passing model with static corruptions and bulletin public key infrastructure (PKI) assumption in the absence of any private setup. In particular, our system and threat models can be detailed as: – Bulletin PKI. There exists a PKI functionality that can be viewed as a bulletin board, such that each party i j j∈[n] can register some public keys (e.g., the verification key of digital signature) bounded to its identity via the PKI before the start of protocol. – Computing model. We let the n parties and the adversary A be probabilistic polynomial-time inter- active Turing machines (ITMs). A party i is an ITM defined by the given protocol: it is activated upon receiving an incoming message to carry out some polynomial steps of computations, update its states, possibly generate some outgoing messages, and wait for the next activation. Moreover, we explicitly require the bits of the messages generated by honest parties to be probabilistic uniformly bounded by a polynomial in the security parameter λ, which naturally rules out infinite protocol executions and thus restrict the running time of the adversary through the entire protocol. – Up to n/3 static Byzantine corruptions. The adversary can choose up to f out of n parties to corrupt and fully control, before the course of a protocol execution. No asynchronous BFT can tolerate more than f = (n 1)/3 such static corruptions. Through the paper, we stick with this optimal resilience. We also consider that the adversary can control the corrupted parties to generate their key materials maliciously, which captures that the compromised parties might exploit advantages whiling registering public keys at the PKI. – Fully asynchronous network. We assume that there exists an established p2p channel between any two parties. The channels are considered as secure, which means the adversary cannot modify or drop the messages sent between honest parties and cannot learn any information of the messages except their lengths. Moreover, the adversary must be consulted to approve the delivery of mes- sages, namely, it can arbitrarily delay and reorder messages. Remark that we assume asynchronous secure channels (instead of merely asynchronous reliable channels) for presentation simplicity, and they are not extra assumptions as can be ...

P P. In other words, F now generates a random session key upon a first NewKey query for an honest party i with fresh record ( i, pwi) where the other party is also honest, if (at least) one of the following events happens:

P P. As usual in security notions for key exchange, the adversary also sets the session keys for corrupted players. In the definition of Xxxxxxx et al. [20], the adversary additionally sets Pi’s key if P1−i is corrupted. However, contrarily to the original definition, we do not allow the adversary to set i’s key if 1−i is corrupted but did not guess i’s pass-string. We make this change in order to protect an honest i from, for instance, revealing sensitive information to an adversary who did not successfully guess her pass-string, but did corrupt her partner. Another minor change we make is considering only two parties — 0 and xxx composability takes care of ensuring that a two-party functionality remains secure in a multi-party world. As in the definition of Xxxxxxx et al. [20], we consider only static corruptions in the standard corruption model of Xxxxxxx [17]. Also as in their definition, we chose not to provide the players with confirmation that key agreement was successful. The players might obtain such confirmation from subsequent use of the key. By default, in the fPAKE functionality the TestPwd interface provides the adversary with one bit of information — whether the pass-string guess was cor- rect or not. This definition can be strengthened by providing the adversary with no information at all, as in implicit-only PAKE ( iPAKE, Figure 7), or weakened by providing the adversary with extra information when the adversary’s guess is close enough. To capture the diversity of possibilities, we introduce a more general TestPwd interface, described in Figure 2. It includes three leakage functions that we will instantiate in different ways below—Lc if the guess is close-enough to succeed, Lf if it is too far. Moreover, a third leakage function—Lm for medium distance— allows the adversary to get some information even if the adversary’s guess is only The functionality fPAKE is parameterized by a security parameter λ and xxxxx-

P P. To model the possibility of dictionary attacks, the functionality allows the adversary to make one pass-string guess against each player ( 0 and 1). In the real world, if the adversary succeeds in guessing (a pass-string similar enough to) party i’s pass-string, it can often choose (or at least bias) the session key computed by i. To model this, the functionality then allows the adversary to set the session key for i.

P P. If the nurse works the holiday weekend, she shall also work the paid holiday, unless it is the 8th consecutive shift or otherwise mutually agreed.

P P. ≤− − P i P ∗ Plays an OT sender as follows: i i S(1 , f, y). · Xxxxxx (Xx,i, Xx,1−i) ← Xi. • S follows the instructions in Figure 4 for steps 3-8 with pw . RFE ∗ Plays an OT receiver honestly with pw'i. · Sends Xi,1−i to P1−i as the OT output. i'

P P. Alteration to the Master Schedule may be made between December 18th and January 7th so that all nurses will receive five (5) or more consecutive days off at either Christmas or New Year’s. Six (6) days off will be scheduled when it is possible to do so. Christmas to include Christmas Eve, Christmas Day and Boxing Day. New Year’s to include New Year’s Eve and New Year’s Day. The Hospital will endeavour to conclude any alterations to the Master Schedule by January 7 If nurses are able to be off work both Christmas and New Year's, it will be offered to the nurses on a rotating basis from year to year in order of seniority.