Protocol Description. In the dynamic master key exchange variant of our protocol, we assume that every client is fielded with the ability to generate cryptographic keys. Client $v_i$ initially generates and stores $f_i$ random master keys, where $f_i$ is a binomial random variable drawn from the distribution
Protocol Description. Our protocol consists of two parts: a voice commitment and the protection against MitM attacks.
Protocol Description. Another difference from existing work is how we describe the protocol: we do not use UML sequence diagrams, as they often cannot capture the entire set of message exchanges possible in the network environment described above. To describe the behaviour of each re-negotiation participant, we provide a finite state machine for the state of the contract, similar to the WS-Agreement specification. However, unlike in WS-Agreement, the state machine is not shared between the negotiation participants. Instead, each participant has their own ‘copy’ of the state machine, which they update as they send and receive messages. In addition, we explain the possible messaging events using pre- and post-constraints that together specify the conditions which must be satisfied before and after each message is sent. The conditions explain each messaging event as an atomic action and together describe the messaging behaviour of each participant in the re-negotiation protocol.
Protocol Description. The protocol is deterministic and runs for $L$ iterations of 3 rounds each. [0, M] of integer values, which we denote as mini-slots. (M = n−2t L · LL+1 to be exact.) If the input of party $P_i$ is $x_i = 0$, then $P_i$ positions himself in the mini-slot $v = 0$, and if the input is $x_i = 1$, then $P_i$ positions himself in the mini-slot $v = M$.
Protocol Description. The PACE protocol, see [9], is adaptable for prime fields and elliptic curves. Here, in order to increase the performance, we want to adapt the protocol such that it uses elliptic curves. First, the communication partners (terminal and smart card) have to agree on an elliptic curve $E$ and base point $G$. The operations are then performed in the cyclic group $\langle G \rangle := \{t * G \mid t \in \mathbb{N}\}$, $n := |\langle G \rangle|$. In the following, $\langle G \rangle^*$ denotes the cyclic group $\langle G \rangle$ without the point at infinity. A practical method is the use of published secure domain parameters of a trusted authority, see [5]. A PACE protocol run starts with the selection of a random number $s$ ($0 \le s < 2^m$) by the smart card in step (a), where $m$ is defined as the block size of the block cipher used for the encryption of $s$. Next, the smart card derives a key $\mu$ using a key derivation function; here $h(\pi \,\|\, 1)$ is used. In the next step, $s$ is encrypted using a block cipher with key $\mu$, $z = \mathrm{ENC}(\mu, s)$, and $z$ is then transmitted to the terminal. Afterwards, the terminal decrypts $z$, and terminal and card perform a first anonymous Diffie-Hellman key agreement using the base point $G$ with the result $P$ (steps (e) - (i)). Thereupon, $P$ is exclusively used to calculate a new base point $G'$ by using $s$ in step (j) for the subsequent Diffie-Hellman key agreement. Now, the second anonymous Diffie-Hellman key agreement is performed to calculate a common secret curve point $K$ (steps (k) - (o)). Then, two different keys, $k_{ENC} = h(K_x \,\|\, 1)$ for encryption and $k_{MAC} = h(K_x \,\|\, 2)$ for calculation of Message Authentication Codes (MAC), are derived from $K$. First, $k_{MAC}$ is used for a MAC calculation in steps (p) and (q), performed as mutual authentication of terminal and card in steps (r) - (u). After a successful PACE protocol run, Secure Messaging is started using the derived keys $k_{ENC}$ and $k_{MAC}$.
Protocol Description. The depth of the tree used for multicast routing is a useful proxy for the energy-efficiency of multicast in many wireless networks [39]. Let $h(v_i, v_j)$ be the distance in hops between clients $v_i$ and $v_j$ and let
$$h(s, D) = \max_{d \in D} h(s, d) \tag{6}$$
be the depth of a minimum-depth multicast tree from a source
compute the $l$th one-time pad $s_{j,u} \leftarrow \varphi(k_j, u)$;
compute the bit-wise sum $m_{l,u} = s_{j_0,u} \oplus s_{j_l,u}$;
multicast $m_{l,u}$ to all clients in $O_{j_l} \setminus C$;
else if $g_i \in O_{j_l} \setminus C$ then
compute the $l$th one-time pad $s_{j,u} \leftarrow \varphi(k_j, u)$;
receive $m_{l,u}$ from client $i_l$;
recover the group key $s_{j_0,u} = m_{l,u} \oplus s_{j_l,u}$;
Protocol Description. The depth of the tree used for multicast routing is a useful proxy for the energy-efficiency of multicast in many wireless networks [39]. Let $h(v_i, v_j)$ be the distance in hops between clients $v_i$ and $v_j$ and let
$$h(s, D) = \max_{d \in D} h(s, d) \tag{6}$$
be the depth of a minimum-depth multicast tree from a source
compute the bit-wise sum $m_{l,u} = s_{j_0,u} \oplus s_{j_l,u}$;
multicast $m_{l,u}$ to all clients in $O_{j_l} \setminus C$;
else if $g_i \in O_{j_l} \setminus C$ then
compute the $l$th one-time pad $s_{j,u} \leftarrow \varphi(k_j, u)$;
receive $m_{l,u}$ from client $i_l$;
recover the group key $s_{j_0,u} = m_{l,u} \oplus s_{j_l,u}$;
end
Protocol Description. We now describe Coffee in detail. Section 3.1 describes how the protocol proceeds in epochs determined by the blockchain’s blocks, Section 3.2 describes the contents of a user’s state, Section 3.3 how the structure of the ratchet tree is modified when handling changes to the group membership, and Section
Protocol Description. RBA (Algorithm 1) is an iteration-based protocol. Initially, for all honest nodes $q \in S$, $q$ initializes its internal variables by $r_q = 1$, $\mathit{lockvalue}_q = \mathrm{SKIP}$, $\mathit{lockite}_q = 1$ and $\mathit{clock}_q = 0$ and also chooses its initial value $v_q \in V$.
Protocol Description. Before Step 1, the pioneer can be uniquely determined by all the nodes according to the pioneer election.