Constant-Factor Improvements Sample Clauses

Constant-Factor Improvements. In this section we propose improvements that reduce the round complexity by a factor of 4 and the entropy loss by a factor of up to 18, making this protocol considerably more practical. Reducing the length of the extracted MAC key k2 Note that choosing the length of k2 as above increases the entropy loss of the protocol by almost a factor of 3. By reworking the analysis of Phase 1 using the notion of average min-entropy (similar to the analysis in Appendix C ), we can show that requiring k2 to be longer than twice the communication in Phase 1, as discussed above, is unnecessary. Using the same notation that we used in the protocol description, we let σ2 denote the tag of the MAC. To succeed in forging it, the adversary ▇▇▇ needs to successfully change σ2 to σ2' . In addition, in Phase 1 she is also allowed to query ▇▇▇▇▇ and ▇▇▇, say, T times. Protocol Auth implicitly imposes the constraint that ▇▇▇ needs to also respond to T such queries. Let us denote her queries by (q1,... , qT ) and responses by (q1' ,... , qT' ). We analyze the security of phases I and II jointly by looking at the average min-entropy of (σ2' , (q1' ,... , qT' )) given (σ2, (q1,... , qT )). It turns out to be roughly λk2 — T — λσ2 , which makes the likelihood that Eve to completes phase I and comes up with σ2' is no more than 2−L if λk > 2L + T .