Cryptography Reference
In-Depth Information
2
Preliminaries
2.1
Model and Notations
Network and Adversary Models.
We assume a
synchronous
, connected point-to-point
incomplete
network. Two parties
are connected by
n
node-disjoint paths, called
wires
. In addition to the wires, we assume that there is an authentic and reliable
public
channel
between
S
and
R
. Messages over this channel are publicly accessible and cor-
rectly delivered to the recipient. All wires are
bidirectional
but we consider that public
channels are
unidirectional
. SMT-PD protocols proceed in rounds. In each round, one
party may send a message on each wire and the public channel, while the other party
will only receive the sent messages. The sent messages will be delivered before the next
round starts.
The adversary
S
and
R
A
is computationally
unbounded
.
A
can corrupt nodes on paths be-
tween
. A wire is said to be
corrupted
if at least one node on the path is
corrupted. We assume that up to
t
S
and
R
≤
n
−
1 wires can be corrupted by the adversary.
A
can
eavesdrop
,
alter
or
block
messages sent over the corrupted wires.
is assumed to
be
adaptive
, that is, she can corrupt wires during the protocol execution based on the
communication exchanged so far.
A
Notations.
Let
M
be the message space in which
S
selects a message. Let
M
S
de-
note the secret message of
S
,and
M
R
the message output by
R
. We denote the null
string by
⊥
. We write
u
←
U
to denote that a value
u
is uniformly chosen from a
set
U
.
2.2
Definitions
The
statistical distance
of two random variables
X
and
Y
over a set
U
is defined as
Pr[
X
=
u
]
−
Pr[
Y
=
u
]
.
Δ
(
X, Y
)=
1
2
u∈
U
Lemma 1.
Let
X
and
Y
be two random variables over a set
U
. The advantage of any
computationally unbounded algorithm
to distinguish
X
and
Y
is
Pr[
D
(
X
)=1]
−
Pr[
D
(
Y
)=1]
≤
D
:
U
→{
0
,
1
}
Δ
(
X, Y
)
.
In an
execution
of an SMT protocol
Π
,
S
wants to send
M
S
∈
M
to
R
privately
and reliably. We assume that
R
always
outputs a message
M
R
∈
M
at the end of the
protocol.
An execution is completely determined by the random coins of all the parties includ-
ing the adversary, and the message distribution of
M
S
.For
P
,the
view
of
P
includes the random coins of
P
and the message that
P
receives. We denote by
V
A
(
m, c
A
) the view of
∈{S
,
R
,
A}
A
when the protocol is run with
M
S
=
m
and
A
's randomness
C
A
=
c
A
.
Search WWH ::
Custom Search