Proof sketch Sample Clauses

Proof sketch. To derive a contradiction, assume that there exists an algorithm A that solves Byzantine agreement with ℓ ≤ t. In the argument below, we consider only executions of A with some fixed set of ℓ Byzantine processes, chosen so that each of the ℓ identifiers is held by one Byzantine process. We consider configurations of the algorithm A at the end of a synchronous round. Such a configuration can be completely specified by the state of each process. A configuration C is 0-valent if, starting from C, the only possible decision value that correct processes can have is 0; it is 1-valent if, starting from C, the only possible decision value that correct processes can have is 1. C is univalent if it is either 0-valent or 1-valent; C is multivalent if it is not univalent. The following lemma encapsulates a Byzantine agent’s ability to influence the decision value. Lemma 17 Let C and C′ be two configurations of A such that the state of only one correct process is different in C accepted message. More precisely, this multiplicity is greater than the number of correct processes that sent the message and does not exceed the number of correct processes by more than the actual number of Byzantine processes in the execution. Furthermore, all correct processes agree eventually on the multiplicity of each message. This authenticated broadcast with multiplicity is used to ensure the agreement property. As ℓ > t, at least one identifier is assigned only to correct processes. This property is used to ensure the termination property of the agreement algorithm.
Proof sketch. The proof of this theorem relies on the theory of typical sequences and is similar to the proof of Theorem 8, which is a special case of this theorem, but the technical details are omitted from this extended abstract. In order to authenticate a k-bit message by an l = 2k-bit authenticator using m = 4k bits of $X^n$ (or of $Y^n$ when Bob is the sender), the described approach based on error correcting codes can be used to select the positions of a subsequence $[X_{i_1}, \ldots, X_{i_l}]$ of $X^n$. The receiver accepts the message if and only if the sequence of pairs $[(X_{i_1}, Y_{i_1}), \ldots, (X_{i_l}, Y_{i_l})]$ is -typical for the distribution $P_{XY}$ for some suitable small . One can prove that for every distribution $P_{XYZ}$ that is neither X-simulatable nor Y-simulatable by Xxx, there exists a positive such that for sufficiently large k Xxx's cheating probability is arbitrarily small. The same argument as in the proof of Theorem 8 can be used to prove that the ratio of bits needed for authentication and of bits used for secret-key agreement vanishes asymptotically.
Proof sketch. The proof of Theorem 3.1 is provided in Appendix D. In summary, this proof proceeds as follows: We build a CKE construction that internally uses a CGKA scheme to execute a CGKA execution schedule Seq. For establishing a CKE key to k public keys, this sequence Seq contains at least one collective update assistance for k passive users. The core idea of the CKE construction is that precisely the effective operations’ CGKA ciphertexts of this collective update assistance in the CGKA sequence are embedded in the committed CKE ciphertext. Hence, the total ciphertext size of these effective CGKA operations equals the size of the CKE ciphertext. All remaining operations in the CGKA sequence (i.e., pre-add phase, add operations, and ineffective pre-assistance operations) are, in different shapes, encoded in the CKE common reference string CRS. The complex but interesting idea of this construction, and hence of this proof, is the isolation of the effective operations from the remaining operations in the entire sequence as well as their encoding in the CKE ciphertext such that CKE functionality and security are reached. As part of the proof, we reduce the security of this CKE construction to the security of the underlying CGKA scheme. Finally, we show that a CGKA scheme that executes schedule Seq without inducing a communication overhead of Ω(k) for the effective operations implies a CKE construction with compact ciphertexts.
Proof sketch. We now discuss the main ideas of the proof of Theorem 1.0.2. We apply the Xxxxx-Xxxxxxxxxx circle method (see, for example, [42]), first expressing the correlation $\sum_{X<n\le 2X} 1_{E'}(n)\,1_{E'}(n+h)$ in terms of the integral
$$\int_0^1 \Big|\sum_{X<n\le 2X} 1_{E'}(n)\,e(n\alpha)\Big|^2 e(-h\alpha)\,d\alpha. \tag{2.1.1}$$
We need to understand which points on the unit circle contribute the main term. Dirichlet’s approximation theorem states that for each Q ≥ 1 there exists a/q ∈ Q with (a, q) = 1, 1 ≤ q ≤ Q and |α − a/q| ≤ 1/(qQ). So, we first aim to understand the behaviour of the exponential sum appearing in (2.1.1) at a rational point a/q with (a, q) = 1 on the unit circle. We have that X<Σn≤2X 1E′ (n)e an = Σb=1 Σ Σ X<n≤2X n≡b mod q e ab Σ 1E′ (n) Σ 1. b=1 P<p1≤P 1+δ X <p2≤ 2X p1 p1
Proof sketch. A scheme for authenticating a k-bit message sent from Xxxxx to Bob using m bits of Xn (e.
Proof sketch. For simplicity, assume that σ consists of singletons, i.e., σ = σf (M). The main component of our proof is the following claim:
Proof sketch. For every efficient adversary A, we describe a simulator RFE such that no efficient environment can distinguish an execution with the real RFE protocol ΠRFE and A from an execution with the ideal functionality FP and RFE. RFE is described in the full version of this paper. We prove indistinguishability in a series of hybrid steps. First, we introduce the ideal functionality as a dummy node. Next, we allow the functionality to choose the parties’ keys, and we prove the indistinguishability of this step from the previous using the garbled output randomness property of our garbling scheme. Next, we simulate an honest party’s interaction with another honest party without using their pass-string, and prove the indistinguishability of this step from the previous using the obliviousness property of our garbling scheme. Finally, we simulate an honest party’s interaction with a corrupted party without using the honest party’s pass-string, and prove the indistinguishability of this step from the previous using the privacy property of our garbling scheme. We give a more formal proof of Theorem 1 in the full version of this paper [28].
Proof sketch. Assume that there is an algorithm A that achieves approximate agreement when n ≤ 3f. We partition the n nodes into three (non-empty) sets of size at most f: V0, V1, and Vb. Nodes in set V0 are correct and have input 0, and, similarly, nodes in set V1 are correct and have input 1. The nodes in Vb are corrupted, and, similarly to Theorem 17.11, they support the input value of each correct node. This way, because of correct-range validity, nodes in V0 output 0, and nodes in V1 output 1, which breaks ε-agreement for any ε < 1.
Proof sketch. Use mathematical induction. Initial step: when k = 1, Π(st1 = l) = 1 and p(st1 = l) = 1/(n−a1+1), for 1 ≤ l ≤ n−a1+1. and ij ≠ i. This is the same as a − ai − k + 2 ≤ l ≤ n − a + k.
Proof sketch. We can divide all possible random annotations with STi = l into k disjoint sets with m annotation segments located on the left of the specified i-th segment ψi and the remaining k − m − 1 segments on the right side. The cardinality of each set with selected left m annotation segments (which then determines the segments on the right) is the number of all possible annotations on the left l − 1 times the number for n − l − ai of tokens on f (E(ϕ1,1(Ψ11, Ψ21)), . . . , E(ϕk1,k2(Ψ1k1, Ψ2k2))). the right side. Originally, to estimate the expectation of similarity by chance, we need to sum up the similarity in a high-dimensional space of all possible random annotations, If we fix the order of m selected random annotation segments ψi1 , ..., ψim , the random annotation of the left tokens is equivalent to distribute fore the first annotation segment, between adjacent l − 1 l − 1 − Σm ai objects into m + 1 spaces, be- Σ Σ × Ψ11 Ψ1k1