Common use of P P Clause in Contracts

P P. As usual in security notions for key exchange, the adversary also sets the session keys for corrupted players. In the definition of ▇▇▇▇▇▇▇ et al. [20], the adversary additionally sets Pi’s key if P1−i is corrupted. However, contrarily to the original definition, we do not allow the adversary to set i’s key if 1−i is corrupted but did not guess i’s pass-string. We make this change in order to protect an honest i from, for instance, revealing sensitive information to an adversary who did not successfully guess her pass-string, but did corrupt her partner. Another minor change we make is considering only two parties — 0 and ▇▇▇ composability takes care of ensuring that a two-party functionality remains secure in a multi-party world. As in the definition of ▇▇▇▇▇▇▇ et al. [20], we consider only static corruptions in the standard corruption model of ▇▇▇▇▇▇▇ [17]. Also as in their definition, we chose not to provide the players with confirmation that key agreement was successful. The players might obtain such confirmation from subsequent use of the key. By default, in the fPAKE functionality the TestPwd interface provides the adversary with one bit of information — whether the pass-string guess was cor- rect or not. This definition can be strengthened by providing the adversary with no information at all, as in implicit-only PAKE ( iPAKE, Figure 7), or weakened by providing the adversary with extra information when the adversary’s guess is close enough. To capture the diversity of possibilities, we introduce a more general TestPwd interface, described in Figure 2. It includes three leakage functions that we will instantiate in different ways below—Lc if the guess is close-enough to succeed, Lf if it is too far. Moreover, a third leakage function—Lm for medium distance— allows the adversary to get some information even if the adversary’s guess is only The functionality fPAKE is parameterized by a security parameter λ and ▇▇▇▇▇-

P P. As usual in security notions for key exchange, the adversary also sets the session keys for corrupted players. In the definition of ▇▇▇▇▇▇▇ et al. [20CHK+05], the adversary additionally sets Pi’s key if P1−i is corrupted. However, contrarily to the original definition, we do not allow the adversary to set i’s key if 1−i is corrupted but did not guess i’s pass-string. We make this change in order to protect an honest i from, for instance, revealing sensitive information to an adversary who did not successfully guess her pass-string, but did corrupt her partner. Another minor change we make is considering only two parties — 0 and 1 — in the functionality, instead of considering arbitrarily many parties and enforcing that only two of them engage the functionality. This is because univer- ▇▇▇ composability takes care of ensuring that a two-party functionality remains secure in a multi-party world. As in the definition of ▇▇▇▇▇▇▇ et al. [20CHK+05], we consider only static corruptions cor- ruptions in the standard corruption model of ▇▇▇▇▇▇▇ [17Can01]. Also as in their definition, we chose not to provide the players with confirmation that key agreement agree- ment was successful. The players might obtain such confirmation from subsequent subse- quent use of the key. By default, in the fPAKE functionality the TestPwd interface provides the adversary with one bit of information — whether the pass-string guess was cor- rect or not. This definition can be strengthened by providing the adversary with no information at all, as in implicit-only PAKE ( iPAKE, Figure 7), or weakened by providing the adversary with extra information when the adversary’s guess is close enough. To capture the diversity of possibilities, we introduce a more general TestPwd interface, described in Figure 2. It includes three leakage functions that we will instantiate in different ways below—Lc if the guess is close-enough to succeed, Lf if it is too far. Moreover, a third leakage function—Lm for medium distance— allows the adversary to get some information even if the adversary’s guess is only somewhat close (closer than some parameter γ δ), but not close enough for successful key agreement. We thus decouple the distance needed for functionality from the (possibly larger) distance needed to guarantee security; the smaller the gap between these two distances, the better, of course. The functionality fPAKE is parameterized by a security parameter λ and ▇▇▇▇▇-