– Commitment. Assume that P_i is the first honest party to start the protocol's revealing phase; this implies that P_i received a valid CommitAggPvss(ID, h, Σ) message from the leader P_L. Suppose another honest party P_j received a valid CommitAggPvss(ID, h_j, Σ_j) message from P_L with h_j ≠ h. A valid Σ contains 2f+1 valid signatures on the same hash value from distinct parties, so Σ and Σ_j share at least f+1 signers, and hence at least one honest party signed both h and h_j, which is impossible. Therefore, once some honest party starts the revealing phase, the h carried by any valid CommitAggPvss(ID, h, Σ) message is unique. By the commitment property of the PVSS scheme, there is a fixed value seed committed to the pvss script whose hash is h. Now suppose some honest party outputs seed_j from Seeding. By the code, it received 2f+1 SeedReady messages containing seed_j. Then at least one honest party received 2f+1 valid SeedEcho messages containing the same seed_j from distinct parties, which means that at least f+1 honest parties received a valid Seed(ID, h, Σ, seed_j) message from the leader. By the analysis above, no honest party accepts a seed_j ≠ seed from P_L or multicasts it. Thus seed_j = seed.
– Unpredictability. Before f+1 honest parties are activated to run the revealing phase of the Seeding protocol, the adversary can collect at most 2f decryption shares for the committed pvss script (f from the corrupted parties and at most f from honest parties that have already been activated). By the Unpredictability of PVSS with weight tags, since the aggregated pvss has a weight vector with 2f+1 non-zero positions, it is infeasible for the adversary to compute seed* = seed at that moment, where seed is the actual secret committed to the aggregated pvss script.
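The quorum argument above, as an added simulation (not the authors' Seeding implementation): a corrupt leader equivocates and the corrupt parties back both candidate seeds, yet no two honest parties output different seeds, because two sets of 2f+1 parties out of n = 3f+1 overlap in at least f+1 parties and an honest party echoes only once. The hash and signature checks on (ID, h, Σ) are assumed to have passed and are left out; the message names, the `HonestParty` class and the scheduling by a seeded shuffle are this example's own.

```python
"""Simulation of the SeedEcho/SeedReady quorum logic behind the Commitment
argument (constructed example, not the paper's code). An honest party echoes
the first Seed it accepts from the leader, multicasts SeedReady once 2f+1
matching SeedEcho (or f+1 matching SeedReady) messages arrive, and outputs
once 2f+1 matching SeedReady messages arrive. n = 3f+1; the f corrupt
parties, including the leader (party 1), may send anything."""
import random
from collections import defaultdict


def quorum_overlap(n, f):
    """Minimum overlap of two sets of 2f+1 parties out of n; with n = 3f+1 it
    is f+1, so at least one honest party lies in both quorums."""
    return 2 * (2 * f + 1) - n


class HonestParty:
    def __init__(self, pid, f, leader):
        self.pid, self.f, self.leader = pid, f, leader
        self.echoed = None              # the single seed this party echoed
        self.ready_sent = None          # the single seed it sent SeedReady for
        self.output = None
        self.echos = defaultdict(set)   # seed -> senders of SeedEcho
        self.readys = defaultdict(set)  # seed -> senders of SeedReady

    def handle(self, sender, kind, seed):
        """Process one message; return the (kind, seed) pairs to multicast."""
        out = []
        if kind == "SEED" and sender == self.leader and self.echoed is None:
            self.echoed = seed
            out.append(("ECHO", seed))
        elif kind == "ECHO":
            self.echos[seed].add(sender)
            if len(self.echos[seed]) >= 2 * self.f + 1 and self.ready_sent is None:
                self.ready_sent = seed
                out.append(("READY", seed))
        elif kind == "READY":
            self.readys[seed].add(sender)
            if len(self.readys[seed]) >= self.f + 1 and self.ready_sent is None:
                self.ready_sent = seed  # ready amplification
                out.append(("READY", seed))
            if len(self.readys[seed]) >= 2 * self.f + 1 and self.output is None:
                self.output = seed
        return out


def run(f=1, order=0):
    """One execution: the corrupt leader sends seed 'A' to some honest parties
    and 'B' to the others, and every corrupt party echoes and readies both.
    Delivery order is shuffled by `order` (stand-in for the adversarial
    scheduler). Returns {honest party: output}."""
    n = 3 * f + 1
    rng = random.Random(order)
    corrupt = range(1, f + 1)
    honest = {p: HonestParty(p, f, leader=1) for p in range(f + 1, n + 1)}
    queue = [(1, p, "SEED", "A" if k % 2 == 0 else "B")
             for k, p in enumerate(honest)]
    queue += [(c, p, kind, s) for c in corrupt for p in honest
              for kind in ("ECHO", "READY") for s in ("A", "B")]
    while queue:
        rng.shuffle(queue)
        sender, dest, kind, s = queue.pop()
        for kind2, s2 in honest[dest].handle(sender, kind, s):
            queue += [(dest, p, kind2, s2) for p in honest]  # multicast
    return {p: h.output for p, h in honest.items()}


def agreement(f=1, trials=25):
    """Set of distinct non-None honest outputs across many delivery orders."""
    outs = set()
    for i in range(trials):
        outs |= {v for v in run(f, i).values() if v is not None}
    return outs
```

With f = 1 the leader hands "A" to two honest parties and "B" to one; "A" reaches the 2f+1 echo threshold with the corrupt leader's help, "B" never does, and no honest party sends a second SeedEcho or SeedReady, so every honest output is "A" whatever the delivery order.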
The complexities can be seen as follows. The message complexity of Seeding is O(n^2), because each party sends n SeedEcho and n SeedReady messages. Since the input secret s and the pvss script are O(λ) bits, and there are O(n) messages of O(λn) bits and O(n^2) messages of O(λ) bits, the communication complexity of the protocol is O(λn^2) bits overall.
Fully asynchronous system without private setup. There are n designated parties, each of which has a unique identity (i.e., 1 through n) known to everyone. We consider the asynchronous message-passing model with static corruptions and a bulletin public key infrastructure (PKI) assumption, in the absence of any private setup. In particular, our system and threat models are as follows:
– Bulletin PKI. There exists a PKI functionality that can be viewed as a bulletin board, such that each party P_i ∈ {P_j}_{j∈[n]} can register some public keys (e.g., the verification key of a digital signature scheme) bound to its identity via the PKI before the protocol starts.
– Computing model. We let the n parties and the adversary A be probabilistic polynomial-time interactive Turing machines (ITMs). A party P_i is an ITM defined by the given protocol: it is activated upon receiving an incoming message, carries out a polynomial number of computation steps, updates its state, possibly generates some outgoing messages, and waits for the next activation. Moreover, we explicitly require the number of bits in the messages generated by honest parties to be probabilistically and uniformly bounded by a polynomial in the security parameter λ, which naturally rules out infinite protocol executions and thus restricts the running time of the adversary over the entire protocol.
– Up to n/3 static Byzantine corruptions. The adversary can choose up to f out of the n parties to corrupt and fully control before the protocol execution starts. No asynchronous BFT protocol can tolerate more than f = ⌊(n−1)/3⌋ such static corruptions, and throughout the paper we stick with this optimal resilience. We also allow the adversary to make the corrupted parties generate their key material maliciously, which captures that compromised parties might exploit this while registering public keys at the PKI.
– Fully asynchronous network. We assume that there exists an established p2p channel between any two parties. The channels are secure: the adversary cannot modify or drop messages sent between honest parties and cannot learn anything about them except their lengths. However, the adversary must be consulted to approve the delivery of messages, i.e., it can arbitrarily delay and reorder them. Note that we assume asynchronous secure channels (instead of merely asynchronous reliable channels) for presentation simplicity; they are not extra assum...
Lemma 5. If two parties P_i and P_j send valid Vote(ID, G) and valid Vote(ID, G_j) to all parties, respectively, i.e., there exists (·, A, r, ·) matching the majority of elements in G such that r is the largest VRF evaluation among all elements in G, and there exists (·, A_j, r_j, ·) matching the majority of elements in G_j such that r_j is the largest VRF evaluation among all elements in G_j, then (A, r) = (A_j, r_j).
Proof. The fact that $S^*(P_{XYZ}) = 0$ when either $\epsilon_E < \epsilon_B$ or $\epsilon_E < \epsilon_A$ follows from Theorem 5, because $P_{XYZ}$ is then either $X$-simulatable or $Y$-simulatable by Eve. The fact that $S^*(P_{XYZ}) = S(P_{XYZ})$ when $\epsilon_E > \epsilon_B$ and $\epsilon_E > \epsilon_A$ can be proved as follows. A suboptimal protocol based on the authentication method of Theorem 7 can be used to generate a relatively small $t$-bit secret key $K$, using $O(t)$ bits of the random string. This key can then be used, similarly to a bootstrapping process (for instance based on the protocols of [10]), to authenticate the messages exchanged in an optimal passive-adversary protocol achieving $S(P_{XYZ})$. The size of $K$ need only be logarithmic in the maximal size of a message exchanged in [10] and linear in the number of rounds of that protocol. Whatever amount of secret key must be generated by that protocol, this can be achieved with messages of size proportional to the key size in a constant number of rounds. Therefore, the ratio between the size of $K$ and the size of the generated key vanishes asymptotically. It is known from [14] that
$$\min[h(\epsilon_{AE}),\,h(\epsilon_{BE})] - h(\epsilon_{AB}) \le S(P_{XYZ}) \le 1 - h(\epsilon_{AB}).$$
It was recently proved that $S(P_{XYZ}) > 0$ unless $\epsilon_E = 0$ [17], even when both $\epsilon_E < \epsilon_B$ and $\epsilon_E < \epsilon_A$, i.e., even when the above lower bound vanishes (or is negative).
Both $xE_B$ and $K = \hat{e}(E_B + \psi(Q_B), R_j)^z$ can be computed by $C$. To prevent this attack, party $B$ should also check that, for $E_A = x_1 1 1 + x_2 2$, $x_1 = x_2$, i.e., that $E_A$ lies in the cyclic group generated by $P_2$. The test method can be found in Section 2.2.
– GetShare(dk_i, pvss) → sh_i is executed by party P_i; it takes a valid pvss script and P_i's decryption key dk_i as input and outputs P_i's share sh_i of the secret committed to pvss.
– VrfyShare(j, sh_j, pvss) → 0/1 takes the PVSS script pvss and party P_j's secret share sh_j as input and verifies whether sh_j is the correct j-th share of the polynomial committed to pvss.
– AggShares({(j, sh_j)}_t) → a takes t valid secret shares from distinct parties regarding an implicit PVSS script pvss and computes the secret a committed to pvss.
– VrfySecret(s, pvss) → 0/1 verifies whether a secret s is indeed committed to pvss.
Gurkan et al. [40] recently proposed to lift the PVSS scheme to further enjoy aggregability, which requires slightly adapting the syntax. Here we only highlight the small adaptations to these algorithmic interfaces:
– Deal(ek, sk_i, s) → pvss. The algorithm now takes an extra secret signing key sk_i as input, which is needed to make the pvss script carry an unforgeable weight tag bound to the identity i.
– VrfyScript(ek, vk, pvss) → 0/1. It takes some verification keys vk besides ek and pvss as input. The output still represents whether pvss is valid.
– AggScripts(pvss_1, pvss_2) → pvss. This newly introduced algorithm takes two valid PVSS scripts pvss_1 and pvss_2 as input and outputs a valid PVSS script pvss.
– Weights(pvss) → w. This other new algorithm takes a valid pvss script as input and outputs an n-sized vector w whose j-th element w_j ∈ N_0 indicates that the pvss script aggregates a pvss script from party P_j (with multiplicity w_j).
The aggregatable PVSS scheme of Gurkan et al. [40] satisfies several useful security properties, namely verifiable commitment, verifiable aggregation and secrecy.
Informally, verifiable commitment means that any party can verify that a PVSS script pvss indeed commits to a fixed secret s that can later be collectively reconstructed by the participating parties; secrecy means that it is infeasible for an adversary to compute the committed secret from the PVSS script; and verifiable aggregation means that if Weights(pvss) returns (w_1, w_2, ..., w_n), then the secret s committed to pvss equals $\sum_{i=1}^{n} w_i s_i$, where s_i is the secret committed to some PVSS script pvss_i that was solely generated (and signed) by party P_i. We defer the detailed descriptions of these properties to Appendix B.
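A toy instantiation of these interfaces, added here and not the construction of Gurkan et al. [40]: Feldman-style commitments to the polynomial coefficients in a prime-order subgroup of Z_p^*, shares handed out directly instead of being publicly encrypted, and the weight tag kept as plain data rather than a signed, unforgeable tag. The group parameters, the dealer secrets and all function names are constructed for the example. It exercises Deal, VrfyShare, AggScripts, Weights, AggShares and VrfySecret, and checks the verifiable-aggregation property s = Σ_i w_i s_i: each party's share of the aggregated script is the sum of its shares of the constituent scripts, and 2f+1 such shares reconstruct exactly the weighted sum of the dealers' secrets.

```python
"""Toy aggregatable PVSS with Feldman-style commitments (constructed example;
shares are handed out directly and the weight vector is unsigned plain data)."""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Deterministic Miller-Rabin for 2 <= n < 3.3e24 using fixed bases."""
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """Smallest safe prime p = 2q+1 with q >= 2^(bits-1) (toy size only)."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = safe_prime(62)   # constructed group modulus, far too small for real use
Q = (P - 1) // 2     # prime order of the subgroup of quadratic residues
G = 4                # a quadratic residue, hence a generator of that subgroup

def eval_poly(coeffs, x):
    """Horner evaluation of sum_k coeffs[k] * x^k over Z_Q."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % Q
    return acc

def deal(i, n, t, secret):
    """Deal(ek, sk_i, s) -> pvss, plus the shares for parties 1..n.
    Degree t-1 polynomial with constant term `secret`, so t shares reconstruct."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    script = {"n": n, "t": t,
              "commit": tuple(pow(G, a, P) for a in coeffs),      # C_k = g^{a_k}
              "weights": tuple(int(j == i) for j in range(1, n + 1))}
    return script, {j: eval_poly(coeffs, j) for j in range(1, n + 1)}

def vrfy_share(j, sh_j, script):
    """VrfyShare: g^{sh_j} must equal prod_k C_k^{j^k}."""
    expected = 1
    for k, c in enumerate(script["commit"]):
        expected = expected * pow(c, pow(j, k, Q), P) % P
    return pow(G, sh_j, P) == expected

def agg_scripts(a, b):
    """AggScripts: multiply commitments coefficient-wise and add weight
    vectors; Weights(pvss) is then just the stored vector."""
    assert (a["n"], a["t"]) == (b["n"], b["t"])
    return {"n": a["n"], "t": a["t"],
            "commit": tuple(x * y % P for x, y in zip(a["commit"], b["commit"])),
            "weights": tuple(x + y for x, y in zip(a["weights"], b["weights"]))}

def agg_shares(shares, t):
    """AggShares: Lagrange-interpolate t shares {j: sh_j} at x = 0 over Z_Q."""
    pts = list(shares.items())[:t]
    secret = 0
    for j, sh_j in pts:
        num = den = 1
        for m, _ in pts:
            if m != j:
                num, den = num * (-m) % Q, den * (j - m) % Q
        secret = (secret + sh_j * num * pow(den, -1, Q)) % Q
    return secret

def vrfy_secret(s, script):
    """VrfySecret: g^s must equal the constant-term commitment C_0."""
    return pow(G, s, P) == script["commit"][0]

def demo(n=4, f=1):
    """Three dealers, one aggregated script, reconstruction from 2f+1 parties."""
    t = 2 * f + 1
    dealers = {1: 11, 2: 22, 3: 33}                  # constructed dealer secrets
    scripts, my_share = {}, {j: 0 for j in range(1, n + 1)}
    for i, s in dealers.items():
        scripts[i], sh = deal(i, n, t, s)
        for j in my_share:                            # local share of the sum
            my_share[j] = (my_share[j] + sh[j]) % Q
    agg = agg_scripts(agg_scripts(scripts[1], scripts[2]), scripts[3])
    w = agg["weights"]                                # Weights(pvss)
    s = agg_shares({j: my_share[j] for j in (2, 3, 4)}, t)   # party 1 is down
    return {"weights": w, "secret": s, "secret_ok": vrfy_secret(s, agg),
            "shares_ok": all(vrfy_share(j, my_share[j], agg) for j in my_share),
            "tampered_ok": vrfy_share(1, (my_share[1] + 1) % Q, agg),
            "weighted_sum": sum(w[i - 1] * s_i for i, s_i in dealers.items()) % Q}
```

The aggregated script's constant-term commitment is the product of the dealers' C_0 values, so VrfySecret on the reconstructed value succeeds only for Σ_i w_i s_i; a share altered by one unit fails VrfyShare because G has prime order Q.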
Let $\bar\rho_{\bar z} := \frac{1}{\bar p_{\bar z}} \sum_{z} p_z\, P_{\bar Z|Z}(\bar z; z)\, \rho_z$, $p_z = P_Z(z)$, and $\bar p_{\bar z} = \sum_{z} P_{\bar Z|Z}(\bar z; z)\, p_z$, where $\rho_z$ is the state of Alice's and Bob's system conditioned on Eve's result $z$, $|\Psi'\rangle = \sum_z |\psi_z\rangle\,|z\rangle$ (see the proof of Theorem 1).
(b) If the nurse works the holiday weekend, she shall also work the paid holiday, unless it is the 8th consecutive shift or otherwise mutually agreed.
(b) The day shift shall be the first [1st] shift of the day.
(e) Alterations to the Master Schedule may be made between December 18th and January 7th so that all nurses will receive five (5) or more consecutive days off at either Christmas or New Year's. Six (6) days off will be scheduled when it is possible to do so. Christmas is to include Christmas Eve, Christmas Day and Boxing Day. New Year's is to include New Year's Eve and New Year's Day. The Hospital will endeavour to conclude any alterations to the Master Schedule by January 7. If nurses are able to be off work both Christmas and New Year's, it will be offered to the nurses on a rotating basis from year to year in order of seniority.