Further Discussion.

4.4.1 Adaptive Corruptions

Adaptive security of our protocol is not achievable without relying on additional assumptions. To see this, consider the following attack: starts the protocol with two equal pass-strings and, without corrupting anyone, silently observes the transcript produced by using random pass-strings. Afterwards, corrupts both players to learn their internal state. may now choose a value K. This also fixes Lj = K since the pass-strings were equal. Now note that is committed to E, F since signatures are not equivocable. Since perfect shares are sparse in Fn, the probability that there exists a K such that E K and F K are both perfect shares is negligible. Thus, there do not exist plausible values U, V j that explain the transcript¹⁰.

¹⁰ We note that additional assumptions like assuming erasures can enable an adaptive security proof.

4.4.2 Removing Modeling Assumptions

All modeling assumptions of our protocol come from the realization of the ideal A-iPAKE functionality. E.g., the A-iPAKE protocol from section 4.1.3 requires a random oracle, an ideal cipher and a CRS. We note that we can remove everything up to the CRS by, e.g., taking the PAKE protocol introduced in [37]. This protocol also securely realizes our A-iPAKE functionality¹¹. However, it is more costly than our A-iPAKE protocol since both messages each contain one non-interactive zero knowledge proof. Since fPAKE implies a regular PAKE (simply set δ = 0), [20] gives strong evidence that we cannot hope to realize F_fPAKE without a CRS.

5 Comparison of fPAKE Protocols

In this section, we give a brief comparison of our fPAKE protocols. First, in Figure 10, we describe the assumptions necessary for the two constructions, and the security parameters that they can achieve.

Protocol | Assumptions | Threshold δ | Gap γ − δ
fPAKE_RSS | UC-secure A-iPAKE | < n/2 | δ
fPAKE_YGC | (1) UC-secure OT (2) projective, output-projective and garbled-output random secure garbling scheme | Any | None
Further Discussion.

4.4.1 Adaptive Corruptions

Adaptive security of our protocol is not achievable without relying on additional assumptions. To see this, consider the following attack: starts the protocol with two equal pass-strings and, without corrupting anyone, silently observes the transcript produced by using random pass-strings. Afterwards, corrupts both players to learn their internal state. may now choose a value K. This also fixes Lj L′ = K since the pass-strings were equal. Now note that is committed to E, F since signatures are not equivocable. Since perfect shares are sparse in Fn, the probability that there exists a K such that E K and F K are both perfect shares is negligible. Thus, there do not exist plausible values U, V j ′ that explain the transcript⁹.

⁸ Instead of labels and one-time signature, one could just sign all the messages, as would be done using the split-functionality [BCL+05], but this would be less efficient. This trade-off, with labels, is especially useful when we use a PAKE that admits adding labels basically for free, as it is the case with the special PAKE protocol we use.

4.4.2 Removing Modeling Assumptions

All modeling assumptions of our protocol come from the realization of the ideal A-iPAKE functionality. E.g., the Al-iPAKE protocol from section 4.1.3 requires a random oracle, an ideal cipher and a CRS. We note that we can remove everything up to the CRS by, e.g., taking the PAKE protocol introduced in [KV11]. This protocol also securely realizes our A-iPAKE functionality¹⁰. However, it is more costly than our Al-iPAKE protocol since both messages each contain one non-interactive zero knowledge proof. Since fPAKE implies a regular PAKE (simply set δ = 0), [CHK+05] gives strong evidence that we cannot hope to realize F_fPAKE without a CRS.

10 We note that additional assumptions like assuming erasures can enable an adaptive security proof.

5 Comparison of fPAKE Protocols

In this section, we give a brief comparison of our fPAKE protocols. First, in Figure 10, we describe the assumptions necessary for the two constructions, and the security parameters that they can achieve.

Protocol | Assumptions | Threshold δ | Gap γ − δ
fPAKE_RSS | UC-secure A-iPAKE | < n/2 | δ
fPAKE_YGC | (1) UC-secure OT (2) projective, output-projective and garbled-output random secure garbling scheme | Any | None
Sources: Fuzzy Authenticated Key Exchange