Protocol Description. − We now present our fully constant-round MPC protocol that is 1) ts-secure if the network is synchronous, and 2) ta-secure with (n ts)-output quality if the network is asynchronous. The construction, that we already discussed, consists of three steps. – (Parties jointly) use an MPC protocol with the properties of Corollary 4 to compute function fGRBL. – (Each party) encrypts the authenticated shares of the entries of each gate of circg received as output of fGRBL (the keys are also part of the output). They send the resulting ciphertexts to all parties. – (Each party) evaluates the circuit locally: given two (masked) inputs to a gate and the corresponding keys, they decrypt the received shares of the corresponding entry of the gate, recovering the (masked) output value and the corresponding key. They do this until all gates are evaluated. Finally, they unmask the accessible outputs. 10 Respectively, the BA protocol and the adaptation of Dolev-Strong broadcast from [9]. A phase indicator ϕ guarantees that, if the network is asynchronous, parties do not ter- minate before sending the encryptions of their shares to other parties. Security is discussed in Section H. Protocol Πts Πts,ta CR-HMPC HMPC
Protocol Description. Our protocol consists of two parts: A voice commitment and the protection against MitM attacks.
Protocol Description. In the dynamic master key ex- change variant of our protocol, we assume that every client is fielded with the ability to generate cryptographic keys. Client vi initially generates and stores fi random master keys, where fi is a binomial random variable drawn from the distribution
Protocol Description. Another difference to existing work is how we describe the protocol; we do not use UML sequence diagrams to describe the protocol as they often cannot capture the entire set of message exchanges possible in the network environment described above. To describe the behaviour of each re-negotiation participant we provide a finite state machine to describe the state of the contract, similar to the WS- Agreement specification. However, unlike in WS-Agreement, the state machine is not shared between the negotiation participants. Instead each participant has their own ‘copy’ of the state machine which they update as they send and receive messages. In addition, we also explain the possible messaging events using pre- and post-constraints that together specify the conditions which must be satisfied before and after each message is sent. The conditions explain each messaging event as an atomic action and together describe the messaging behaviour of each participant in the re-negotiation protocol.
Protocol Description. We revise our protocol 1 to an authenticated group key agreement protocol using certificate as MIT ECDH. In the revised protocol, the static public key Wi of mi is discrete logarithm problem on E(Fp ) to the base P is the following problem: given a point Q ∈ E(Fp ) , find an integer r such that Q = rP , if such an integer exists. Definition 2 (Authenticated Group Key Agreement Protocol). Let {M1, M 2 ,..., Mu } is all the messages exchanged between members where u is the number of messages, {M1, M 2 ,..., Mu } is all the messages modified by an active adversary, {K1 , K2 ,..., Kn } is the session key list where Ki is computed by mi member computes, if adversary cannot compute a session K ∈{K1, K2 ,..., Kn } , the group key authenticated via certificate issued by a certifying authority (CA), where Wi = wi P and wi is the private key of mi . Each member possesses all the certificates of the other members. We illustrate the agreement protocol is authenticated.
Protocol Description. Let us first introduce the notation we will be using in the rest of the text: the number of binary digits in the binary representation of the largest element from the set {1, 2, . . . , p − 2}. In the initial phase (Step 1), A and B calculate commit- ment/opening pairs for the tuples (xm, gx) and (ym, gy), respectively, that is: (cA, dA) ← Commit(xm, gx) (cB, dB) ← Commit(ym, gy) Having calculated (cA, dA) and (cB, dB) in Step 1, A and B exchange the commitments cA and cB (Step 2). There is no strict order in which this exchange of messages should happen. However, notice that in most cases one party receives a commitment before the other sends its own. We will see later how this fact can help 4Assuming that no attack is taking place yet.
Protocol Description. The protocol is deterministic and runs for L iterations of 3 rounds each. At the start of the protocol, parties position themselves into a large set t [0, M ] of integer values, which we denote as mini-slots. (M = n−2t L · LL+1 to be exact.) If the input of party Pi is xi = 0, then Pi positions himself in the mini-slot v = 0, and if the input is xi = 1, then Pi positions himself in the mini-slot v = M . ≥ 2
Protocol Description. The depth of the tree used for multicast routing is a useful proxy for the energy-efficiency of multicast in many wireless networks [39]. Let h(vi, vj) be the distance in hops between clients vi and vj and let h(s, D) = max h(s, d) (6) d∈D be the depth of a minimum-depth multicast tree from a source compute the lth one-time pad sj ,u φ (kj , u); l \ ⊕ ← compute the bit-wise sum ml,u = sj0 ,u sjl,u; multicast ml,u to all clients in Ojl C; ∈ \ else if gi Ojl C then l l ← compute the lth one-time pad sj ,u φ (kj , u); receive ml,u from client il; ⊕ recover the group key sj0 ,u = ml,u sjl,u; end ← ∪ ←
Protocol Description. What information is being shared and the purpose(s) of each <System A> data The sharing of data from <System A> is necessary to <e.g.enable the creation of reporting> through <System B> for the purposes presented in section 6.
Protocol Description. The pseudocode for the top-level protocol has been described in Algorithm 5 and Algorithms 6-7 are used as sub-protocols. Algorithm 8 overrides the createAttestations method presented in Algorithm 3. The protocol progresses in a sequence of views. Algorithm 5 describes the three stages of the protocol within a view: leader nomination (3-11), leader election (12), and view-change (13-15). Since the leader election stage uses a simple threshold-coin primitive similar to that in the VABA protocol, we abstract it out and do not describe it in detail. Leader nomination stage. The leader nomination stage (lines 3-11 in Algorithm 5) starts with Proposal-Promotion, which consists of four sequential stages of provable broadcast (described in Algorithm 6), similar to that in HotStuff-M. There are n instances that are run in parallel and each party acts as a leader in one of them. − ⊥ ⊥ − − The inputs to the instances are values corresponding to the highest key held by the leader, or any externally valid value if the party acting as the leader does not hold a key. The parties use the validation functions described in Table 2. In particular, the validateNeighbor() function ensures that in a span of n consecutive positions between en and e(n + 1) 1 for view e, a proposal promotion instance uses only one position and all positions before it are used by other instances. If a party completes its own instance, it sends a finished-proposal-promotion message containing the value and a proof of commit to all parties. Otherwise, it waits until n t proposal promotion instances have completed. From a party’s perspective, if n t instances have completed, i.e., it has received as many finished-proposal-promotion messages for this view), it appends to all its logs at all remaining positions for this view. Recall that in each log, every view has n slots dedicated to it, and they can be used in an arbitrary order during the provable broadcast calls in different proposal promotion instances. This step, thus, fills the remaining positions with s and shares it with all neighboring parties ρ(i) (Algorithm 5 lines 24-26). Algorithm 5 VABA-M: VABA with Minority Corruption (for party pi).
