Common use of An authentication compiler Clause in Contracts

An authentication compiler. In [6], Xxxx et al. introduced a scalable compiler which transforms any GKA protocol P , secure against passive adversary, to an authenticated GKA protocol P ′, secure against an active adversary. It achieves this by enhancing the protocol to include a (pre-)round where everyone broad- casts its identity and a random nonce. Thereafter each mes- sage is accompanied by a signature on the message, identi- ties of the participants and their nonces (see [6] for details). Then if P is a secure GKA protocol, then the protocol P ′ is a secure Authenticated GKA protocol. Namely, where: qex and qs are the number of Execute and Send queries respectively. ' |P| t′ = t + ( qex + qs).tP ' , tP ' is the time to execute P ′. AdvPA' (t, qex, qs): Advantage of an active adversary ( ′) against the authenticated protocol P ′, making qex Execute queries and qs Send queries in time t. AdvPA(t′, 1): Advantage of a passive adversary ( ) against the protocol P , making 1 Execute query in time t′. A AdvPA(t, qex): Advantage of a passive adversary ( ) against the protocol P , making qex Execute queries in time t′. SuccDDH(t′): Success probability of an adversary against an instance of the DDH problem in time t′. SuccΣ(t′): Success probability of an adversary against the signature scheme Σ in time t′. and k is the security parameter.

An authentication compiler. In [6], Xxxx Yung et al. introduced a scalable compiler which transforms any GKA protocol P , secure against passive adversary, to an authenticated GKA protocol P ′, secure against an active adversary. It achieves this by enhancing the protocol to include a (pre-)round where everyone broad- casts its identity and a random nonce. Thereafter each mes- sage is accompanied by a signature on the message, identi- ties of the participants and their nonces (see [6] for details). Then if P is a secure GKA protocol, then the protocol P ′ is a secure Authenticated GKA protocol. Namely, where: qex and qs are the number of Execute and Send queries respectively. ' |P| t′ = t + ( qex + qs).tP ' , tP ' is the time to execute P ′. AdvPA' (t, qex, qs): Advantage of an active adversary ( ′) against the authenticated protocol P ′, making qex Execute queries and qs Send queries in time t. AdvPA(t′, 1): Advantage of a passive adversary ( ) against the protocol P , making 1 Execute query in time t′. A AdvPA(t, qex): Advantage of a passive adversary ( ) against the protocol P , making qex Execute queries in time t′. SuccDDH(t′): Success probability of an adversary against an instance of the DDH problem in time t′. SuccΣ(t′): Success probability of an adversary against the signature scheme Σ in time t′. and k is the security parameter.

An authentication compiler. In [6], Xxxx et al. introduced a scalable compiler which transforms any GKA protocol P , secure against passive adversary, to an authenticated GKA protocol P ′j, secure against an active adversary. It achieves this by enhancing the protocol to include a (pre-)round where everyone broad- casts its identity and a random nonce. Thereafter each mes- sage is accompanied by a signature on the message, identi- ties of the participants and their nonces (see [6] for details). Then if P is a secure GKA protocol, then the protocol P ′ j is a secure Authenticated GKA protocol. Namely, where: qex and qs are the number of Execute and Send queries respectively. ' r A |P| t′ tj = t + ( qex + qs).tP ' r , tP ' r is the time to execute P ′. AdvPA' j. AdvPAr (t, qex, qs): Advantage of an active adversary ( ′j) against the authenticated protocol P ′j, making qex Execute queries and qs Send queries in time t. AdvPA(t′A AdvPA(tj, 1): Advantage of a passive adversary ( ) against the protocol P , making 1 Execute query in time t′. tj. A AdvPA(t, qex): Advantage of a passive adversary ( ) against the protocol P , making qex Execute queries in time t′. SuccDDH(t′tj. SuccDDH (tj): Success probability of an adversary against an instance of the DDH problem in time t′. SuccΣ(t′tj. SuccΣ(tj): Success probability of an adversary against the signature scheme Σ in time t′. tj. and k is the security parameter.

An authentication compiler. In [6], Xxxx Yung et al. introduced a scalable compiler which transforms any GKA protocol P , secure against passive adversary, to an authenticated GKA protocol P ′j, secure against an active adversary. It achieves this by enhancing the protocol to include a (pre-)round where everyone broad- casts its identity and a random nonce. Thereafter each mes- sage is accompanied by a signature on the message, identi- ties of the participants and their nonces (see [6] for details). Then if P is a secure GKA protocol, then the protocol P ′ j is a secure Authenticated GKA protocol. Namely, where: qex and qs are the number of Execute and Send queries respectively. ' r A |P| t′ tj = t + ( qex + qs).tP ' r , tP ' r is the time to execute P ′. AdvPA' j. XxxXXx (tx, qexxxx, qsxx): Advantage of an active adversary ( ′j) against the authenticated protocol P ′j, making qex Execute queries and qs Send queries in time t. AdvPA(t′A AdvPA(tj, 1): Advantage of a passive adversary ( ) against the protocol P , making 1 Execute query in time t′. tj. A AdvPA(t, qex): Advantage of a passive adversary ( ) against the protocol P , making qex Execute queries in time t′. SuccDDH(t′tj. SuccDDH (tj): Success probability of an adversary against an instance of the DDH problem in time t′. SuccΣ(t′tj. SuccΣ(tj): Success probability of an adversary against the signature scheme Σ in time t′. tj. and k is the security parameter.

An authentication compiler. In [6], Xxxx Yung et al. introduced a scalable compiler which transforms any GKA protocol P , secure against passive adversary, to an authenticated GKA protocol P ′j, secure against an active adversary. It achieves this by enhancing the protocol to include a (pre-)round where everyone broad- casts its identity and a random nonce. Thereafter each mes- sage is accompanied by a signature on the message, identi- ties of the participants and their nonces (see [6] for details). Then if P is a secure GKA protocol, then the protocol P ′ j is a secure Authenticated GKA protocol. Namely, where: qex and qs are the number of Execute and Send queries respectively. ' r A |P| t′ tj = t + ( qex + qs).tP ' r , tP ' r is the time to execute P ′. AdvPA' j. XxxXXx (tx, qexxxx, qsxx): Advantage of an active adversary ( ′j) against the authenticated protocol P ′j, making qex Execute queries and qs Send queries in time t. AdvPA(t′A AdvPA(tj, 1): Advantage of a passive adversary ( ) against the protocol P , making 1 Execute query in time t′. tj. A AdvPA(t, qex): Advantage of a passive adversary ( ) against the protocol P , making qex Execute queries in time t′. SuccDDH(t′tj. SuccDDH(tj): Success probability of an adversary against an instance of the DDH problem in time t′. SuccΣ(t′tj. SuccΣ(tj): Success probability of an adversary against the signature scheme Σ in time t′. tj. and k is the security parameter.