We use cookies on our site to analyze traffic, enhance your experience, and provide you with tailored content.

For more information visit our privacy policy.

Game G4 definition

Game G4. In this game, we formally modify the way we simulate the honest players. The simulator still knows their passwords. In round 1, S sends a random value ci on behalf of Pi and afterwards, when all cj have been sent, it sends a random value zi∗ (chosen without asking the encryption oracle, since we try to avoid the use of the password), and the veri cation key VKi, generated honestly. Finally, S sets ci = H3(ssid, zi∗, VKi, i) by programming the oracle. There is a negligible risk that the simulation fails, if the adversary has already asked this query to the oracle, which probability is bounded by qh3 /q. In round 2, S proceeds by using the password pwi: it asks for the three decryption queries, on zi∗, zi∗ 1, and zi∗+1 , with key pwi and appropriate tweaks. Granted the way we simulate the decryption oracle, we learn zi—1, zi, and zi+1, together with the discrete logarithm xi in base g of zi, unless the corresponding encryption queries have been asked. Our simulation does not make any encryption, xi is not initialized if zi∗ has been obtained has a ciphertext by the adversary: This happens with negligible probability. Once we have xi, one can thus conclude by computing the Zi and Zi+1, and then hi, hi+1 and Xi. Such a change in the process does not alter the view of the adversary, in any way, since this is a purely syntactic rewriting, with negligible probability of failure.
Sample 1
Game G4. In this game, we do exactly as above except that any hash value involving KR(= KL), asked by instance ΠU , one invokes the decryption oracle to com- 1 2 pw pw pute X = Dj (Y ) (or Djj (Y )). The oracle goes into an expecting state. Note that we do not allow the event En- crypt to occur, i.e. adversary is not given the power of encrypting a message by itself guessing the password. So any subsequent send query (i.e. after Send0(∗, ∗, “Start”) query) is on a properly encrypted message which is en- the users are answered independently from the random oracles. More explicitely, we are given an instance (A = ga, B = gb) of CDH problem without its solution C = gab and without the values a, b. Now, whenever two successive users U1 and U2 compute X1 = gx1 , X2 = gx2 respectively choosing x1, x2 randomly from Z∗, we simulate as in G3, i.e. with X1 = Ac1 and crypted by the simulator (and not by the adversary) on q c ∗ querying the encryption oracle. U1 Consider send queries for instance Πd1 which are limit- xxx to any of the followings: X2 = B 2 where c1, c2 are random values in Zq . The exponents xj for other users Uj are chosen at random from Z∗. The only difference of this game with G3 is that the hash value involving KR(= KL), asked by the Send0(U1, d1, “Start”), Send1(U1, d1, Y2), Send1(U1, d1, 1 2 Yn), and Send2(U1, d1, Y i) for 1 ≤ i ≤ n, i 1. The Send0 and Send2 queries are simulated as usual. In re- sponse to Send1(U1, d1, Y1) and Send1(U1, d1, Yn) queries, one invokes the decryp- tion and hash oracles as in game G2 to compute users (simulator), is answered with a random value r from {0, 1}l instead of quering the hash oracle. Here the adversary A may ask the same hash query which is still answered by quering the random oracle. Thus we have the folowing distribution of transcript, session key pair. X2 = Dpw(Y2), KR = KL = H(Cc1 c2 ) and Xn =  ∗ l 
Sample 1
Game G4. In the last game, the attacker can also execute SSReveal queries of either the user’s device or the IoT device. As SSReveal(U ) = z, K , the attacker will not be able to find h and SK without knowledge of du, h, which requires to find a correct hash collision and solving the ECDHP. Similar, SSReveal(D) = rd, K, h and again the attacker does not find h, SK without knowledge of ddQu and thus solving the ECDHP. To conclude, for G4, we find that |Pr[succ4(A)] − Pr[succ3(A)]| ≤ cannot be constructed as z is not known and can not be revealed due to the ECDHP. Without K, there is also no h and thus no SK to find. If dd is leaked of the IoT device, we still have assumed that there is no access to the PUF design of the device. As a consequence, even if K is derived, Cd, rd, h are not found due to the one-time pad security offered by the xor operation. • Protection against leakage of temporal session state infor- mation: This is obtained since in both cases, the attacker will not be able to find a valid value for h. as knowledge is missing on private data of one of the participants to derive ddQu = duQd. q2
Sample 1

Examples of Game G4 in a sentence

  • Since p | q, generating b from U (R5×1) instead of U (R5×1) makes the advantage of the adversary in Game G4−′at least as big as in game G3, as the adversary in Game G4 can easily calculate the same value for c as in Game G3.

  • In game G4, since Ri is uniform at random in2 3 c s Game G4 (Randomize Credentials).

  • Since p | q, generating b from U (Rl×1) instead of U (Rl×1) makes the advantage of the adversary in Game G4−jat least as big as in game G3, as the adversary in Game G4 can easily calculate the same value for c as in Game G3.

  • We assume that is an attacker that breaks the AKE security game with a different advantage in Game G5 than in Game G4, then we construct an adversary ' which is able to distinguish triples coming from either a DDH or a random distribution: at the beginning of the experiment, ' receives a triple (X, Y, Z) which is a DDH triple if b = 0 or a random triple if b = 1.

  • Since the languages are not satisfied, the perfect smoothness guarantees perfect indistinguishability: AdvG3 (A) = AdvG2 ( ).Game G4: We now modify the way Execute-queries between two incompatible users are an-swered: we replace both session keys KC = ProjHash(hpS, LAC , cC, rC) × Hash(hkC, LAS , cS)πC πS,CπCπS,CKS = Hash(hkS, LAC , cC) × ProjHash(hpC, LAC , cS, rS)(for the client and the server) by two independent truly random values.

  • Since p | q, generating b from U (R5×1) instead of U (R5×1) makes the advantage of the adversary in Game G4−at least as big as in game G3, as the adversary in Game G4 can easily calculate the same value for c as in Game G3.

  • In practice, the experience of China's reform shows that any institutional reform can’t go against national interests, which constitutes a bottom line in institutional reform [4].

  • Game G4: We define the game G4 as the game G3, but we encaps K1 instead of K0: Encaps(EK, Reg, S∗):2.

  • As a result, Pr [γ2] = Pr [γ3] .Game G4 : It is the same as G3, except that bi = Ui + Encode (Ri) and b = U + Encode (R)now is changed back to bi = Aiw + ei + Encode (Ri) + Aiδi and b = Aw + e + Enc (R).

  • Since the computation is only rearranged, Pr[G3 = 1] = Pr[G2 = 1].Game 4: Game G4 is the same except that y values are$now drawn randomly from Z∗.


More Definitions of Game G4

Game G4 handles dictionary attacks using the TestPwd interface. In this game, we only change the simulation. Consider the following setting: Pi obtained input (NewSession, sid, pwi) and P1−i is corrupted and already provided its inputs to 7A-iPAKE. In this situation, S will proceed simulation of Pi as follows: n S assembles pwZ ∈ Fp from the queries to 7A-iPAKE that P1−i issued. S sends (XxxxXxx, xxx, Pi, pwZ ) to 7, obtaining either “wrong guess”, “correct guess” and perhaps also a mask M ⊆ [n] from 7. If S does not receive a mask, S is not modified further. Else, let I := [n] \ M the set of mismatching indices, and d := |I| ≤ γ their number. S sets up n pairs of keys (K, L) with $ (K , L ) = (K′, L′ ) ← F2 for the matching indices t ∈ M and independent (K , L ) ←$ F2 and (K′, L′ ) ←$ F2 for the mismatching indices t ∈ I, where (K′, L′) denotes the output of A-iPAKE towards 1−i. now continues the simulation of i using (K, L) as output of A-iPAKE. We have to analyze different cases depending on the different outcomes of TestPwd. However, note that the modifications only have an impact on the output ki of i if the record gets interrupted, and only affect the transcript if the answer to the TestPwd query contains a mask. Considering the case where TestPwd – outputs m and sets the record compromised, i.e. d γ since the distri- bution of X, X′, L, L′ only depends on the mask of the pass-strings, the view of is identically distributed in game G4 and game G3; outputs “wrong guess” and sets the record interrupted, i.e. d > γ: i will now obtain a randomly chosen session key from , substituting the key ki computed by . However, in this case, observe that the privacy property implies that nothing is learned about the secret V ′. Hence, ki looks random. We formally show this in Lemma 13, namely, that the probability that outputs an F that lets i output a non-randomly chosen session key is negligible; Lemma 13. Consider an honest party i, holding an adversarially deter- mined pass-string pwi, running the protocol with the adversary holding a pass-string pw1 i with d := d(pwi, pw1 i) > γ. Then the probability that i outputs a non-randomly chosen session key is negligible in λ.
Sample 1
Game G4. In this game, we abort the protocol runs if the adversary has been lucky in guessing the values γ' (or γ) and u (or u−1) without asking the corresponding random oracle queries. We achieve this aim by modifying the random oracle queries to hi for i ∈ {2, 3, 4}. Provided that the hi(C, S, m, µ, α, γ') query was asked by the adversary and ⟨0, C, π, γ⟩ ∈ h for γ = (γ')−1, it must be checked whether 0, C, π, γ A and 1, C, π, u A just before returning r for i 2, 3, 4 . If the latter test fails, the game must be aborted. Say, the simulator is able to determine if the adversary had made a correct guess for u or not by observing A. This modification ensures that the adversary should have asked correct random oracle queries to H0 and h1 for asking correct queries to hi for i 2, 3, 4 . The two games G4 and G3 are perfectly indistinguishable unless the protocol aborts in the random oracle queries. The abortion may happen only if the adversary has correctly guessed the values γ and u without asking the corresponding random oracle queries. So we have: O(qro) |Pr[Succ4] − Pr[Succ3]| ≤ 2κ . ← A ← ← ⟨ ⟩ ∈ { }
Sample 1
Game G4. Game G4 is same as game G3 except that ∆ modifies the way it generates the blinded responses. Using the same DDH-tuple (g, gra , grb , grarb ), ∆ does the following: A Whenever a blinded response is to be generated for some session participant Mi, ∆ retrieves the corresponding blinded secret gri from the table Sessions. Then it looks for this blinded secret in table L. If ∆ finds it in the table, it retrieves the corresponding secret entry (ri) and raises grarb (from the DDH- tuple) to it to get grarbri . It further raises it to the secret, rl (randomly chosen from [1, q − 1]), of the group leader. The resulting value grarbrirl is used as the blinded response for participant Mi in the session transcript. If on the other hand, ∆ does not find gri in table L, this means that this blinded secret has been introduced by the adversary and ∆ does not know the corresponding secret. Thus for a session where any of the blinded secrets is not found in table L, ∆ continues to generate the blinded responses (for all the participants) as in game G3 (by raising blinded secret to the secret of the leader). Thus, in brief, ∆ uses the value grarbrirl as the blinded response for participant Mi, if all blinded secrets in that session were generated by him otherwise it uses the value grbrirl . Note that as A can make a Test query only on a fresh A participant instance, this rules out those sessions where has been able to introduce blinded secrets on his own (by asking the Corrupt query). Thus ∆ can respond to the queries of such sessions without using data from the DDH-tuple 4 . Clearly again from the adversary’s point of view there is no change in the game. Thus | Pr[W in3] = Pr[W in4]|.
Sample 1
Game G4. S handles dictionary attacks using the TestPwd interface. In this game, we only change the simulation. Consider the following setting: Pi obtained input (NewSession, sid, pwi, role) and P1−i is corrupted and already provided its inputs to FA-iPAKE. In this situation, S will proceed simulation of Pi as follows: S assembles pwZ ∈ Fn from the queries to FA-iPAKE that P1−i issued. S sends (TestPwd, sid, Pi, pwZ ) to F , obtaining either “wrong guess”, “correct guess” and per- haps also a mask M ⊆ [n] from F . If S does not receive a mask, S is not modified further. Else, let I := [n] \ M the set of mismatching indices, and d := |I| ≤ γ their
Sample 1

Related to Game G4

  • Game has the meaning ascribed to that term in the Control Act;

  • Game ticket or "ticket" means an acceptable evidence of Play, which is a ticket produced in a manner that meets the specifications defined in the rules of each Selling Lottery and Rule 31 (Play Validation) and is a physical representation of the Play or Plays sold to the player or is a properly and validly registered ticketless transaction Play.

  • Google means the Google Entity that is party to the Agreement.

  • Microsoft means Microsoft Corporation.

  • Game birds means wild birds that shall not be hunted except

  • Games means games of chance.

  • Metadata includes all information created manually or automatically to provide meaning or context to other data.

  • End User means, in the event that the Services or Deliverables involve the use of any information systems, any and all UNICEF employees, consultants and other personnel and any other external users collaborating with UNICEF, in each case, authorized by UNICEF to access and use the Services and/or Deliverables.

  • phonogram means the fixation of the sounds of a performance or of other sounds, or of a representation of sounds, other than in the form of a fixation incorporated in a cinematographic or other audiovisual work;

  • VAR means value-at-risk.

  • Reseller is a category of CLECs who purchase the use of Finished Services for the purpose of reselling those Telecommunications Services to their End User Customers.

  • EULA means an end user license agreement for software of CenturyLink or a third-party provider. Customer End Users must accept a EULA before downloading certain software for use with the Service.

  • Brand name drug means a Prescription Drug that has been given a name by a manufacturer or distributor to distinguish it as produced or sold by a specific manufacturer or distributor and may be used and protected by a trademark.

  • RN means Registered Nurse.

  • Brand Features means the trade names, trademarks, service marks, logos, domain names, and other distinctive brand features of each party, respectively, as secured by such party from time to time.

  • End Users means a Third Party residence or business that subscribes to Telecommunications Services provided by any of the Parties at retail. As used herein, the term “End User(s)” does not include any of the Parties to this Agreement with respect to any item or service obtained under this Agreement.

  • Publisher means any person or entity that distributes copies of the Document to the public.

  • OEM means Original Equipment Manufacturer.

  • Open Wireless Network means any network or segment of a network that is not designated by the State of New Hampshire’s Department of Information Technology or delegate as a protected network (designed, tested, and approved, by means of the State, to transmit) will be considered an open network and not adequately secure for the transmission of unencrypted PI, PFI, PHI or confidential DHHS data.

  • Biometrics means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition;

  • BT Network means the communications network owned or leased by BT and used to provide a Service.

  • Gamete means either of the two generative cells essential for human reproduction;

  • Online tool means an electronic service provided by a custodian that allows the user, in an agreement distinct from the terms-of-service agreement between the custodian and user, to provide directions for disclosure or nondisclosure of digital assets to a third person.

  • The End-User means the authorized user of the equipment/the Medical Superintendent/Head of the Department of the concerned specialty.

  • Advertiser means a company that (i) advertises its brands, products, and/or services via the Advertisements; and/or (ii) interacts with Consumers on its Digital Properties or through its Ads in relation to its brands, products, and/or services.

  • Licensed Software includes error corrections, upgrades, enhancements or new releases, and any deliverables due under a maintenance or service contract (e.g., patches, fixes, PTFs, programs, code or data conversion, or custom programming).

Most Referenced Clauses

Most Referenced Definitions