Definition 2. Let $\widetilde{E}$ be a tweakable blockcipher that internally uses a dedicated blockcipher $E$. We say that it is optimally standard/ideal-model secure if for any distinguisher making $q$ queries to its construction oracle and $r$ evaluations of the primitive (where in the standard model, $r = \tau/\tau_E$):
$$\mathbf{Adv}^{\mathrm{s/i\text{-}\widetilde{sprp}}}_{\widetilde{E}}(\mathcal{D}) \le \mathrm{const} \cdot \frac{\max\{q, r\}}{\min\{|\mathcal{K}|, |\mathcal{M}|\}}.$$
Definition 2. We define a Weil–Deligne inertial type (of $L$ over $E$) to be an isomorphism class of pairs $\tau = (\rho_\tau, N_\tau)$ such that $\rho_\tau : I_L \to \mathrm{GL}_n(E)$ is a representation of the inertia subgroup $I_L \subset W_L$ with open kernel, $N_\tau \in M_n(E)$ is a nilpotent matrix such that there exists a Weil–Deligne representation $(r, N)$ of $L$ and an isomorphism $(r, N)|_{I_L} \cong (\rho_\tau, N_\tau)$.
Definition 2. (Agreement Clause). Let G be a predicate, n an integer denoting a time unit, and a = ⟨p, an, d⟩ be an action. The syntax of agreement clauses is defined as follows:

C ::= IF G THEN P(a) | IF G THEN F(a) | IF G THEN O(a) | IF G THEN $O_n(a)$

In the following, we provide an intuitive explanation of the clause syntax. A more precise meaning will be given later when representing agreement clauses in the Event-B language.

A permission clause is denoted as IF G THEN P(a), which indicates that provided the condition G holds, the system may perform action a. A prohibition clause is denoted as IF G THEN F(a), which indicates that the system must not perform action a when condition G holds. An obligation clause is denoted as IF G THEN O(a), which indicates that provided the condition G holds, the system eventually must perform action a. Finally, a bounded-obligation clause is denoted as IF G THEN $O_n(a)$, which indicates that provided the condition G holds, the system must perform action a within n time units.

A data sharing agreement can be defined as follows.

Definition 3. (Data Sharing Agreement). A DSA is a tuple (Principals, Data, ActionNames, fromTime, endTime, P(C)). Principals is the set of principals signing the agreement and abiding by its clauses. Data is the data elements to be shared. ActionNames is a set containing the names of the actions that a party can perform on the data. fromTime and endTime denote the starting and finishing time of the agreement respectively; this is an abstraction representing the starting and finishing date of the agreement. Finally, P(C) is the set of clauses of the agreement.
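Definition 2.1. A probability measure $P_\mu$ on $D_\Omega[0, \infty)$ satisfying (2.3) is said to be cone-mixing if, for all $\theta \in (0, \tfrac{1}{2}\pi)$,
$$\lim_{t \to \infty} \; \sup_{\substack{A \in \mathcal{F}_0,\; B \in \mathcal{F}^{\theta}_{t} \\ P_\mu(A) > 0}} \left| P_\mu(B \mid A) - P_\mu(B) \right| = 0, \tag{2.11}$$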
Definition 2.3 (Model). A model is a tuple M = (Q, R, π) where
• Q is some non-empty set of states (or “possible worlds”),
• R ⊆ Q × Q is an accessibility relation, and
• π : Q → $2^{\Pi}$ is a valuation function.
Definition 2.3. (DDH assumption) Let g be a generator of a finite cyclic group G and $x, y, z \in [0, |G| - 1]$ be chosen at random. The group G satisfies the Decisional Diffie-Hellman (DDH) assumption if there is no probabilistic polynomial algorithm A such that $|\Pr[A(g, G, g^x, g^y, g^z) = 1] - \Pr[A(g, G, g^x, g^y, g^{xy}) = 1]|$ is not negligible.

COMPUTATIONAL EFFICIENCY: Each party computes 2 modular exponentiations.
COMMUNICATION EFFICIENCY: Each party sends log p bits in one round.
SECURITY: The protocol is provably secure against passive adversaries assuming the discrete logarithm problem is hard.
RESULT: A and B both possess the same shared secret key K.
Definition 2.3.7. (i) SBL is the closure of D in $BL(S)^*$.
Definition 2.4. (GDH assumption) Let g be a generator of a finite cyclic group G and $x_1, \ldots, x_l, z \in [0, |G| - 1]$ be chosen at random with l N
Definition 2.8 (Concurrent Game Structure). A CGS is a tuple M = ⟨A, Q, Π, π, A, δ⟩ where
• Q is a non-empty set of states,
• A is a finite, non-empty set of agents,
• Π is a countable set of proposition symbols,
• π : Q → $2^{\Pi}$ is a valuation function,
• A : Q × A → $\mathbb{N}^+$ denotes the number of actions that, in a given state, are available to a given agent. For each state q, the set of complete profiles P(q) is a vector of numbers given by
$$P(q) := \prod_{a \in A} A_a(q),$$
• δ : Q × P → Q is the transition map. For every state q ∈ Q, $\delta_q : P(q) \to Q$ assigns to each complete profile in q a unique successor state.

² Every model M and state q in M satisfies φ if, and only if, it satisfies ¬¬φ.
³ Each of φ and ¬¬φ is derivable from the other.

To formalize the satisfiability of ATL formulas, we need to introduce some more terminology for describing agents’ choices.

The definition of a complete profile is given in Definition 2.8. For a coalition A ⊆ A, an A-profile in a state q is a vector of numbers. The set of A-profiles at q is gathered in the set P(q, A) defined by
$$P(q, A) := \prod_{a \in A} A_a(q).$$
For every state q and two coalitions A, B such that A ⊆ B, if $v_A \in P(q, A)$ and $v_B \in P(q, B)$, then we say $v_B$ extends $v_A$ if, and only if, for every i ∈ A, $v_A(q)(i) = v_B(q)(i)$. We denote this $v_A \le v_B$. The elements of such a profile are simply numbers (action indexes).

A strategy for a coalition A ⊆ A is a map $s_A : Q \times A \to \mathbb{N}^+$ specifying for every state q ∈ Q and agent a ∈ A, some A-profile for that state (i.e., a number $s_A(q, a) \in A(q, a)$ for every agent a ∈ A corresponding to an action that agent performs in that state). We denote the set of A-strategies by strat(A). If there are coalitions A and B such that A ⊆ B, we say that a B-strategy $s_B$ extends an A-strategy $s_A$ if, and only if, for every state q, $s_A(q) \le s_B(q)$. We denote this $s_B \ge s_A$.

In every state q, a strategy s ∈ strat(A) for all agents yields a unique successor state δ(q, s(q)). Starting in any state q, any A-strategy defines an infinite sequence of states called a computation $\lambda = q_0, q_1, q_2, \ldots$ where $q = q_0$ and $q_{i+1} = \delta(q_i, s(q_i))$. The computation resulting from the A-strategy s starting in state q is denoted $\lambda_{s,q}$.
Given a computation λ, we denote the i-th state in the computation by λ[i], the prefix $q_0, q_1, q_2, \ldots, q_i$ by λ[0, i], and the infinite suffix $q_i, q_{i+1}, q_{i+2}, \ldots$ by λ[i, ∞]. The set of outcomes of an A-strategy $s_A$ is defined as a set of such computations starting at some state q.
$$\mathrm{out}(q, s_A) = \{\, \lambda_{s,q} \mid s \in \mathrm{strat}(A) \text{ and } s \ge s_A \,\}$$
We are now ready to define the satisfa...
Definition 2. A canonically twisted module over V is a super vector space over V, $M = M_{\bar{0}} \oplus M_{\bar{1}}$, equipped with a linear map
$$V \to \mathrm{End}(M)[[z^{\pm 1/2}]] \tag{50}$$
$$a \mapsto Y_{tw}(a, z^{1/2}) = \sum_{n \in \frac{1}{2}\mathbb{Z}} a_{(n)} z^{-n-1} \tag{51}$$
with twisted vertex operators $Y_{tw}(a, z^{1/2})$ satisfying the following axioms for a, b, c ∈ V: