Proof sketch Sample Clauses

Proof sketch. To derive a contradiction, assume that there exists an algorithm A that solves Byzantine agreement with ℓ ≤ t. In the argument below, we consider only executions of A with some fixed set of ℓ Byzantine processes, chosen so that each of the ℓ identifiers is held by one Byzantine process. We consider configurations of the algorithm A at the end of a synchronous round. Such a configuration can be completely specified by the state of each process. A configuration C is 0-valent if, starting from C, the only possible decision value that correct processes can have is 0; it is 1-valent if, starting from C, the only possible decision value that correct processes can have is 1. C is univalent if it is either 0-valent or 1-valent; C is multivalent if it is not univalent. The following lemma encapsulates a Byzantine agent’s ability to influence the decision value. Lemma 17 Let C and C′ be two configurations of A such that the state of only one correct process is different in C accepted message. More precisely, this multiplicity is greater than the number of correct processes that sent the message and does not exceed the number of correct processes by more than the actual number of Byzantine processes in the execution. Furthermore, all correct processes agree eventually on the multiplicity of each message. This authenticated broadcast with multiplicity is used to ensure the agreement property. As ℓ > t, at least one identifier is assigned only to correct processes. This property is used to ensure the termination property of the agreement algorithm.
Proof sketch. The proof of this theorem relies on the theory of typical sequences and is similar to the proof of Theorem 8, which is a special case of this theorem, but the technical details are omitted from this extended abstract. In order to authenticate a k-bit message by an l = 2k-bit authenticator using m = 4k bits of $X^n$ (or of $Y^n$ when Bob is the sender), the described approach based on error correcting codes can be used to select the positions of a subsequence $[X_{i_1}, \ldots, X_{i_l}]$ of $X^n$. The receiver accepts the message if and only if the sequence of pairs $[(X_{i_1}, Y_{i_1}), \ldots, (X_{i_l}, Y_{i_l})]$ is -typical for the distribution $P_{XY}$ for some suitable small . One can prove that for every distribution $P_{XYZ}$ that is neither X-simulatable nor Y-simulatable by Xxx, there exists a positive such that for sufficiently large k Xxx's cheating probability is arbitrarily small. The same argument as in the proof of Theorem 8 can be used to prove that the ratio of bits needed for authentication and of bits used for secret-key agreement vanishes asymptotically.
Proof sketch. The proof of Theorem 3.1 is provided in Appendix D. In summary, this proof proceeds as follows: We build a CKE construction that internally uses a CGKA scheme to execute a CGKA execution schedule Seq. For establishing a CKE key to k public keys, this sequence Seq contains at least one collective update assistance for k passive users. The core idea of the CKE construction is that precisely the effective operations’ CGKA ciphertexts of this collective update assistance in the CGKA sequence are embedded in the committed CKE ciphertext. Hence, the total ciphertext size of these effective CGKA operations equals the size of the CKE ciphertext. All remaining operations in the CGKA sequence (i.e., pre-add phase, add operations, and ineffective pre-assistance operations) are, in different shapes, encoded in the CKE common reference string CRS. The complex but interesting idea of this construction, and hence of this proof, is the isolation of the effective operations from the remaining operations in the entire sequence as well as their encoding in the CKE ciphertext such that CKE functionality and security are reached. As part of the proof, we reduce the security of this CKE construction to the security of the underlying CGKA scheme. Finally, we show that a CGKA scheme that executes schedule Seq without inducing a communication overhead of Ω(k) for the effective operations implies a CKE construction with compact ciphertexts.
Proof sketch. We now discuss the main ideas of the proof of Theorem 1.0.2. We apply the Xxxxx-Xxxxxxxxxx circle method (see, for example, [42]), first expressing the correlation $\sum_{X<n\le 2X} 1_{E'}(n)1_{E'}(n+h)$ in terms of the integral $\int_0^1 \bigl|\sum_{X<n\le 2X} 1_{E'}(n)e(n\alpha)\bigr|^2 e(-h\alpha)\,d\alpha$. (2.1.1) We need to understand which points on the unit circle contribute the main term. Dirichlet’s approximation theorem states that for each Q ≥ 1 there exists a/q ∈ Q with (a, q) = 1, 1 ≤ q ≤ Q and |α − a/q| ≤ 1/(qQ). So, we first aim to understand the behaviour of the exponential sum appearing in (2.1.1) at a rational point a/q with (a, q) = 1 on the unit circle. We have that X<Σn≤2X 1E′ (n)e an = q = Σb=1 Σ ab Σ e q X<n≤2X n≡b mod q q e ab Σ 1E′ (n) Σ 1. q q
Proof sketch. A scheme for authenticating a k-bit message sent from Xxxxx to Bob using m bits of $X^n$ (e.g. $[X_q, \ldots, X_{q+m-1}]$ for some q) can be derived as follows. Every message is authenticated by appending a particular subset of bits in $[X_q, \ldots, X_{q+m-1}]$. These subsets should be sufficiently disjoint to avoid that (Footnote 6: In the following we consider schemes for authenticating a k-bit message by an l-bit authenticator using m > l bits of the common sequence.)
Proof sketch. For simplicity, assume that σ consists of singletons, i.e., σ = σf ( ). The main component of our proof is the following claim:
Proof sketch. For every efficient adversary , we describe a simulator RFE such that no efficient environment can distinguish an execution with the real RFE protocol ΠRFE and A from an execution with the ideal functionality FP and S S RFE. RFE is described in the full version of this paper. We prove indistinguishability in a series of hybrid steps. First, we introduce the ideal functionality as a dummy node. Next, we allow the functionality to choose the parties’ keys, and we prove the indistinguishability of this step from the previous using the garbled output randomness property of our garbling scheme. Next, we simulate an honest party’s interaction with another honest party without using their pass-string, and prove the indistinguishability of this step from the previous using the obliviousness property of our garbling scheme. Finally, we simulate an honest party’s interaction with a corrupted party without using the honest party’s pass-string, and prove the indistinguishability of this step from the previous using the privacy property of our garbling scheme. We give a more formal proof of Theorem 1 in the full version of this paper [28].
Proof sketch. The proof here follows from the proof of Lemma 2.3. Briefly, when all honest parties start with the same input, every pair of honest parties will have an edge between them. In other words, the edges in the complementary graph will be either (a) between an honest and a corrupted party or (b) between two corrupted parties. Therefore, following the argument given in Lemma 2.3, component of an (n, t)-star will contain at least t + l honest parties, which subsequently will lead to the construction of and with size at least 2t + l. Although it is not guaranteed that all honest parties find the same quadruple ( , , , ), it is ensured that they will find some quadruple. So the honest parties never agree on predefined m٨ in this case. Now, since all the parties broadcast their quadruple, it is easy to reach agreement on a valid quadruple, which the parties do by selecting the one broadcast by the party with minimum index. Therefore all the parties will agree on CORE.
Proof sketch. By Lemma 4.1, all honest parties in CORE hold the same message, say m. The proof now follows from the proof of Lemma 2.4. We still briefly sketch the proof here. Let (sl, . . . , sn) = ENC(m0, . . . , mt), where m = m0 . . . mt. First note that every honest party in CORE holds m and therefore the codeword (sl, . . . , sn). Now every party Pi will receive si correctly, as the majority of the parties in CORE are honest and they will send si to Pi. Once every honest Pi holds the correct si, it sends that to everybody. Therefore a party will receive n values from n parties, of which at most t can be wrong (sent by Byzantine corrupted parties). However, DEC of (n, t + l) RS code with n = 3t + l allows correcting t errors. Therefore DEC will return m0, . . . , mt such that m = m0| . . . |mt.
Proof sketch. By Lemma 4.1, all honest parties in CORE hold same message, say m. The proof now follows from the proof of Lemma 2.4. We still brief the proof here. Let (‹1, . . . , ‹ı) = ENC(m0, . . . , mf), where m = m0 . . .