Lower Bound Sample Clauses

Lower Bound. For all m and α ∈ (0, 1], ν(m, α) ≥ 1+α

Lower Bound. The number k of updates a user is required to make before their state is guaranteed to heal plays a crucial role. We consider a security game parameterized by the number of users n and k. The adversary schedules who updates in each round, and we require that at any point the group key is secure assuming that every party that was corrupted in the past was asked to update at least k times (since their last corruption). Table 1 states our lower bound and upper bound, as well as existing ones. Our lower bound is roughly n1+1/k k/ log(k). The main message here is that we need to allow for logarithmically many rounds for healing (as in CoCoA) if we want a small logarithmic sender communication cost per user. In particular, if we insist on a constant number of rounds, the average cost per user will be of order n1/k. 1It is possible, as in [AAN+22a, AHKM22], to reduce recipient communication by introducing additional reliance on the server. We focus on sender communication. Scheme Communication Rounds Rand. corr. See TreeKEM and related n2 2 RC [BBR18] √ ▇▇▇▇▇▇▇▇▇, Dodis, R¨osler CoCoA on k−1 n-ary trees n2 2 RC [BDR20] √ ¬ n k2 k−1 n k RC Sec. 5.2 CoCoA on 2-ary trees n log(n)2 log(n) RC [AAN+22a] CoCoALight on (k−1)/√2 n-ary trees n k (k−1)/√2 n k RC Sec. 5.3 Restrictions Communication Rounds Rand. corr. See ¬ ¬ None n2 2 RC [BDR20] NDW, NNE, PCU∗ n log(n)/ log(log(n)) log(n) RC Cor. 6 NDW, NNE, PCU∗ ε · n · (1+ε)k−√1 αεn · k/ log(k) k ¬RC Cor. 6 Table 1: Upper-bounds (top) and lower-bounds (bottom) in the no-information setting for Ω(n) corrupted users. Communication is measured as total number of ciphertexts sent to recover from corruption, col- umn “Rounds” indicates the number of update rounds after which schemes are required to recover from corruption, column “Rand. corr.”, whether the security model allows the adversary to learn internal ran- domness of algorithms. The protocol [BDR20] improves over TreeKEM in that concurrent operations do not degrade future performance, which is not captured in the table. Our lower-bounds require CGKA to not allow distributed work (NDW) and not use nested encryption (NNE). Our bound holds without the extra assumption requiring the protocols to have publicly-computable update cost (PCU). However, additional properties of it hold when this assumption is present. We refer the reader to the discussion in Section 1.3 below for more details. Here, αε ≈ ε is some constant depending on ε. ∈ ⌈ ⌉ · ∈ ⌈ ⌉ ⌈ ⌉ Upper bound. We introdu...

Lower Bound. Broadcast encryption is a mechanism that allows a sender to send a group key to a selected set of users. This can be regarded as a group key agreement of one message that is sent by the sender. In a symmetric key based broadcast encryption, the sender is a fixed authority. In this case, the user key size is combinatorially lower bounded. In addition, it is secure only against a limited number of users. In a public key broadcast encryption, the key size problem can be waived. But one still has to set the threshold for the number of bad users. Also the cipher text size depends on the number of users and hence could be large (e.g., it is O ( p n) in for n users). Further, users are initialized by a central authority which is not desired in our setting.

Lower Bound. (Achievability Scheme): Because of (3) we can find subspaces Π1, . . . , Πs, such that Πi ∩ Πj = 0 and Π1 ⊕ ker F 1 = FL, Π2 ⊕ Π1 ⊕ ker F 2 = FL, key-reconciliation used ideas from network coding [10]. IV. Gaussian Broadcast Channel A. Upper Bound

Lower Bound. In this section, we analyze the round complexity required to achieve AA on trees. We begin by revisiting ▇▇▇▇▇▇’▇ lower bound for AA on real values regarding how close the honest values may get after a fixed number of rounds. Theorem 1 (Theorem 15 of [19]). Let Π be an arbitrary deterministic R-round protocol that satisfies Validity and Termination on R even when up to t of the n parties involved are Byzantine. Then, given a, b ∈ R with b − a ≥ D, there is an execution of Π where the honest inputs are in {a, b} and two honest parties output values v and v′ satisfying v − v′ ≥ K(R, D), where: sup{t1 · ... · tR : t1, . . . , tR ∈ N, t1 + ... + tR ≤ t} tR K(R, D) ≥ D · (n + t)R ≥ D · RR · (n + t)R . (1) The proof in [19] assumes an R-round protocol given in the full-information form: in the first round, each party sends its input value to all other parties. In each of the next R − 1 rounds, the parties distribute their current views to all parties. After the final round, each party produces its output by applying a deterministic function f on its final view. For each distribution (n+t)R {t1, t2, . . . , tR ∈ N : t1 + t2 + · · · + tR ≤ t}, the proof constructs a chain of at most s ≤ t1·t2·...·tR views, in which parties begin with inputs from the set {a, b}, where b −a ≥ D. For the constructed views, ti roughly represents the number of Byzantine parties that deviate from the protocol for the first time in round i. For any pair of views that are consecutive in the chain, there exists an execution in which two honest parties obtain those views. The chain is constructed such that the first view leads to output a (by ▇▇▇▇▇▇▇▇), and the last view leads to output b (also by Validity). This implies the existence of two consecutive views in the chain that yield two honest outputs v, v′ ∈ R with v − v′ ≥ D/s. The proof can be adapted to paths and trees directly by replacing the input values a and b with the endpoints of a longest path in the input space tree T ; these endpoints are D(T )-distant vertices. We then follow the exact same steps in the proof and obtain that there exist two consecutive views leading to two honest output vertices v, v′ such that d(v, v′) ≥ D(T )/s. This yields the following corollary. Corollary 1. Let Π be an arbitrary deterministic R-round protocol that satisfies Validity and Ter- mination on the input space tree T even when up to t of the n parties involved are Byzantine. Then, there exists an execution of Π in which two honest parties produ...

Lower Bound. (Achievability Scheme) Assume a wiretap channel scenario where there 1. ∈

Lower Bound. Needs at least (m+1) rounds of message exchanges ▪ “Oral” messages – messages can be forged / changed in any manner, but the receiver always knows the sender Theorem: There is no t-Byzantine-robust broadcast protocol for t ≥ ▇/▇ -- similar to Scenario-0 for T ▪ Algorithm Broadcast( N, t ) where t is the resilience For t = ▇, ▇▇▇▇▇▇▇▇▇( ▇, ▇ ): 1 The general sends 〈value, xg〉 to all processes, Receive messages of pulse 1. The general decides on xg. if a message 〈value, x〉 was received from g in pulse-1 then decide on x The general sends 〈value, xg〉 to all processes, the lieutenants do not send. Receive messages of pulse 1. Lieutenant p acts as follows: if a message 〈value, x〉 was received from g in pulse-1 then xp = x else xp = udef ; Announce xp to the other Broadcastp( N – 1, t – 1 ) in For t > 0, Broadcast( N, t ):