Common use of P P Clause in Contracts

P P. Fully asynchronous system without private setup. There are n designated parties, each of which has a unique identity (i.e., 1 through n) known by everyone. Moreover, we consider the asynchronous message-passing model with static corruptions and bulletin public key infrastructure (PKI) assumption in the absence of any private setup. In particular, our system and threat models can be detailed as: – Bulletin PKI. There exists a PKI functionality that can be viewed as a bulletin board, such that each party i j j∈[n] can register some public keys (e.g., the verification key of digital signature) bounded to its identity via the PKI before the start of protocol. – Computing model. We let the n parties and the adversary A be probabilistic polynomial-time inter- active Turing machines (ITMs). A party i is an ITM defined by the given protocol: it is activated upon receiving an incoming message to carry out some polynomial steps of computations, update its states, possibly generate some outgoing messages, and wait for the next activation. Moreover, we explicitly require the bits of the messages generated by honest parties to be probabilistic uniformly bounded by a polynomial in the security parameter λ, which naturally rules out infinite protocol executions and thus restrict the running time of the adversary through the entire protocol. – Up to n/3 static Byzantine corruptions. The adversary can choose up to f out of n parties to corrupt and fully control, before the course of a protocol execution. No asynchronous BFT can tolerate more than f = (n 1)/3 such static corruptions. Through the paper, we stick with this optimal resilience. We also consider that the adversary can control the corrupted parties to generate their key materials maliciously, which captures that the compromised parties might exploit advantages whiling registering public keys at the PKI. – Fully asynchronous network. We assume that there exists an established p2p channel between any two parties. The channels are considered as secure, which means the adversary cannot modify or drop the messages sent between honest parties and cannot learn any information of the messages except their lengths. Moreover, the adversary must be consulted to approve the delivery of mes- sages, namely, it can arbitrarily delay and reorder messages. Remark that we assume asynchronous secure channels (instead of merely asynchronous reliable channels) for presentation simplicity, and they are not extra assumptions as can be obtained from the PKI assumption. – Miscellany. All system parameters, such as n, are (probably unfixed) polynomials in the security parameter ▇ [▇▇,▇,▇▇]. – Communication complexity is defined as the bits of all messages exchanged among honest parties during a protocol execution. Sometimes, an asynchronous protocol might have randomized exe- cutions, so we might consider the upper bound of expected communication complexity (averaged over all possible executions) in the presence of any adversary that fully controls the network and corrupts up to n/3 parties. – Message complexity captures the number of messages exchanged among honest parties in a protocol execution. Similar to communication’s, we sometimes might consider the upper bound of expected message complexity. – Asynchronous rounds (or running time). The eventual delivery of the asynchronous network notion might cause that the protocol execution is somehow independent to “real time”. Nevertheless, it is needed to characterize the running time of asynchronous protocols. A standard way to do so is: for each message the adversary assigns a virtual round number r, subject to the condition that any (r 1)-th round messages between any two correct parties must be delivered before any (r + 1)-th round message is sent [15]. So it becomes straightforward to measure the running time by counting such asynchronous “rounds”.