P P P.
34N37 Int. 35N04 Int. 33N37 1.97 P P
35N04 Int. 33N02 Int. 34N37 3.60 P P P
35N04E Int. 35N04 End Road 0.26 P P
P = Purchaser Performance Item, D = Deposit to Forest Service, D3 = Deposit to Third Party
Road; Termini (From, To); Miles; Applicable During Haul Road Maintenance Specifications (T802 T803 T804 T805 T806 T807 T809 T810)
32N83Y Int. 33N11 Landing 0.40 P P
33N02 Int. Xxx 00 Int. 35N04 8.00 P P P P
33N03 Int. 33N37 End Road 1.20 P P
33N03B Int. 33N03 End Road 0.20 P P
33N08 Int. 35N04 Int. 33N30Y 0.51 P P P
33N08A Int. 33N08 Landing 0.30 P P
33N11 Int. 33N02 Landing 1.80 P P P
33N15 Int. 35N04 Int. 33N37 1.06 P P P
33N29Y Int. 35N04 Int. 33N29YB 0.63 P P
33N29YB Int. 33N29Y End Road 0.60 P P
P P P. As a consequence, we can reach the following security result. Theorem 1. Our proposed pairing-based two-party authenticated key agreement protocol is secure, given the CDH assumption and assuming the hash functions are random oracles.
P P P. These vectors determine a generalized measurement with positive operators Oz = jzihzj. Since z Oz P 0 = z jz; 0ihz; 0j = z 11HE P 0 j zih zj11HE P P 0 = 11HE P 0 , the Oz satisfy z Oz = 11HE , as they should in order to define a generalized measurement [24]. Note that the first case (nz dim HE ) is a special case of the second one, with j zi = jz; 0i. If Xxx now performs the measurement, then we have PXY Z(x; y; z) = jhx; y; zj ij2 = jhx; y; zj ; 0ij2, and PXY jZ(x; y; z) = jhx; yj z; zij2 = jhxj zij2 jhyj zij2 = PXjZ (x; z)PY jZ(y; z) holds for all jzi and for all jx; yi 2 HA HB. Consequently, I(X; Y | Z) = 0. □
Theorem 2 states that if AB is entangled, then Xxx cannot force the intrinsic information to be zero: whatever she does (i.e., whatever generalized measurements she carries out), there is something Xxxxx and Xxx can do such that the intrinsic information is positive. Note that this does not, a priori, imply that secret-key agreement is possible in every case. Indeed, we will provide evidence for the fact that this implication does generally not hold.
P P P. It remains to show that (6) implies ai si and xi 0. We show that whenever i ai = i si = 1 and ai 6 si, then i ai =si > 1 : First, note that Pi ai =si = Pi ai = 1 for ai si. Let now si1 ai1 and si2 ai2 . i1 i2 i1 1 i2 2 We show that a2 =si + a2 =si < a2 =(si ") + a =(si + ") holds for every " > 0, which obviously implies the above statement. It is straightforward to see i1 i2 1 1 that this is equivalent to a2 si (si + ") > a2 si (si "); and holds because of
P P P. We denote the input of party Pi by mi 0, 1 A, which is divided into t blocks, with αth block being denoted by miα, for α = 1, . . . , t. At the beginning of our protocol, we initialize two dynamic variables n′ = n and t′ = t and one dynamic set ′ = . ′ denotes the set of non-eliminated parties and contains n′ parties, out of which at most t′ can be corrupted. In every segment α the computation is structured into three main phases: (a) Checking Phase, (b) Expansion Phase and (c)
P P P. Definition 5 (Type 4) In this situation we take G1 = 1, but we select G2 to be the whole group which is a group of order q^2. As in the Type 2 situation we set P1 = 1 and P2 = 1 1 + 2. There is an efficiently computable homomorphism ψ from G2 to G1 such that ψ(P2) = P1. Hashing into G1 or G2 can be performed, although maybe not very efficiently into G2. However, one cannot hash efficiently into the subgroup of G2 generated by P2. Note that the pairing of a non-zero element in G1 and a non-zero element in G2 may be trivial in this situation.
Hence, in all situations we have that P1 is the generator of G1 and P2 is a fixed element of G2 of prime order q, such that where there is a computable homomorphism ψ from G2 to G1 we have ψ(P2) = P1. In Type 3 curves such an isomorphism exists, but one is just unable to compute it; we will still refer to ψ in this situation, but it should be borne in mind that one is unable to compute it.
We shall see that a number of efficient key agreement protocols can be implemented in the Type 3 setting, or less efficiently in the Type 2 setting. The rest are implementable only in the Type 1 and Type 4 setting. In the Type 1 setting we run into efficiency problems as the security parameter increases, because we are restricted to supersingular curves. In the Type 4 setting the security proofs become more cumbersome, because the image of the hash function into G2 is not going to lie in the group generated by P2.
We shall refer to the groups G1, G2 and GT, the elements P1 and P2, the pairing ê, and possibly the homomorphism ψ, as a set of pairing parameters. We assume that given a security parameter one can generate a set of pairing parameters meeting the required security level.
P P P. As usual in security notions for key exchange, the adversary also sets the session keys for corrupted players. In the definition of Xxxxxxx et al. [CHK+05], the adversary additionally sets Pi's key if P1−i is corrupted. However, contrary to the original definition, we do not allow the adversary to set Pi's key if P1−i is corrupted but did not guess Pi's pass-string. We make this change in order to protect an honest Pi from, for instance, revealing sensitive information to an adversary who did not successfully guess her pass-string, but did corrupt her partner.
Roles. There are two categories of fPAKE protocols: symmetric protocols in which the two parties execute the same code, and asymmetric protocols in which the two parties execute different code. Frequently in asymmetric protocols, one party can be seen as the "sender" who initiates the protocol, and the other can be seen as the "receiver" who responds.2 In our ideal functionality, each party includes a role tag in her NewSession query; one party should identify herself as the sender (denoted as role = sender), while the other should identify herself as the receiver (role = receiver). The functionality simply forwards these role tags to the simulator; the roles do not affect any of the functionality's decisions. In the case of symmetric protocols, the role tags are unnecessary, since a sender and a receiver execute the same code. In the case of asymmetric protocols, the simulator needs the role tags in order to determine which code to execute. It might look strange that the functionality ignores these role tags once it forwards them to the simulator; it might seem that, in the case of an asymmetric protocol, the functionality should only proceed if one of the roles provided is sender and the other receiver. However, in such a situation, the simulator can trigger the desired behavior (an abort) simply by never issuing a NewKey query.3
2 To reflect the fact that, even in symmetric protocols, one party likely requests that the other engage in key exchange with her, such a request message can be pre-pended to any symmetric protocol.
P P P. In other words, F now generates a random session key upon a first NewKey query for an honest party Pi with fresh record (Pi, pwi) where P1−i is also honest, if (at least) one of the following events happens:
P P P. Definition 3 (Type 2) In this situation, we take G1 = 1 and G2 to be a subgroup of which is not equal to either 1 or 2. We set P1 = 1 and for convenience we set P2 = 1 1 + 2. There is an efficient algorithm to cryptographically hash arbitrary bit strings into G1, but there is no way to hash bit strings into G2 (nor to generate random elements of G2 bar multiplying P2 by an integer). However, there is an efficiently computable group isomorphism ψ : G2 → G1 mapping P2 to P1, which is simply the trace map restricted to G2.