Attacker strategy

A one-flask procedure, based on the counter attack strategy , involving Me3Si-SiMe3 as the counter attack reagent was used in the synthesis of ketenedithioacetals from 1,3-dithiane and a carbonyl partner [69]. The scheme given here summarizes the process. 

Fortunately, there are guidelines for these skill sets. This chapter lays out those guidelines for you. You will learn attack strategies for each of the four types of questions, as well as techniques for questions that seem to resist analysis. With practice, these techniques and strategies will become second nature and will remain in your repertoire of logical tools as you enter graduate school. 

Any attacker or any group of colluding attackers is represented by an attacker strategy, which is a probabilistic interactive function or Turing machine, like a correct entity. ... 

Some informal terminology exists in connection with Item 1 An entity or a device that behaves as prescribed in the scheme is called correct otherwise it is corrupted. Formally, a corrupted entity is no longer an individual part of a system instead, one entity carrying out an attacker strategy usually takes the place (i.e., the connections) of several corrupted entities. More details are mentioned in Sections 5.4.1 and 5.4.2. A user or a participant is called honest or dishonest. With a user, this has no formal meaning so far, because no behaviour has been prescribed for users however, honest and dishonest users will be treated differently in the notion of fiilfilling a specification. With a participant, it means that both the user is honest or dishonest and the device is correct or corrupted. 

In the first model, the honest users are integrated into the attacker strategy, as shown in Figure 5.15. (However, the correct entities are still correct.) This is called the model with direct access, because the attackers have direct access to the access points under consideration. 

In the second model, the computational abilities of the entities representing the honest users have to be restricted in the same way as those of the attackers. Apart from this restriction, there will be normal universal quantifiers over their programs in the same place in the formulas in Section 5.4.3 as the quantifier over the attacker strategy. 

First consider a situation in the first model. It is described by an attacker strategy Aj. Then an attacker can achieve exactly the same sequences of interface events in the second model by using the strategy A2 = Aj, if the honest users only pass messages on between the attacker and the interface and these particular honest users... 

Formally, one can see that the equivalence proof cannot be used with privacy requirements If one combines an attacker strategy A2 nd the strategies of the honest users from the model with indirect access into an attacker strategy Aj in the model with direct access, the attacker gains knowledge that only the honest users had in the model with indirect access. 

Computational security. For computational security, the quantifier over the attacker strategies is restricted toAe PPA n Attacker class(Scheme, Req), where PPA denotes the class of probabilistic polynomial-time interactive algorithms. In this case, one can at most allow other system parameters to grow polynomially with the security parameters under consideration, and one usually requires superpolynomially small error probabilities only. 

Whenever a requirement holds for a scheme in the interest of a certain interest group, it also holds in the interest of any larger interest group with the same degree of security. This should be clear because more entities are correct if the interest group is larger, and correct entities are a special case of an attacker strategy. 

The attacker strategy attacks three correct entities the attack is based on a black-box simulation of the attacker strategy A. A succeeds if the resulting sequences of events at the shown interface do not fulfil the requirements (with significant probability). Grey arrows are taps on connections. 

The success of an attacker strategy is represented in the conventional definition in terms of the outcomes of the algorithms used internally in the dispute The attacker strategy must find values m and s where... 

Attacker strategies replacing A or are called A and B, respectively. The resulting protocols if the other algorithm and res are still correct are denoted by... 

Inputs. The inputs to the attacker strategies are the parameters, par, just as with the correct algorithms. The random strings used are called and rg, respectively. 

If only res and A are executed correctly, the attacker strategy replacing all instances of B is called B, and the resulting protocol is written Gen g. The inputs to B are the parameters, par. As above, an output auxg of B, usually its view, is an additional outcome. 

If res. A, and one instance of B are executed correctly, the attacker strategy replacing the other instances of B is written O (an outsider with the help of some risk bearers), and the resulting protocol is written Geriy Q. The inputs to O are par and the internal identity i of the correct risk bearer s entity, i.e., the same number i that B obtains as an input. O has a private output ouxq. 

Security for risk bearers means that the requirement correcmess of broken is fiilfilled in the computational sense. According to Section 7.1.3, it is sufficient to consider an attacker who takes part in key generation and then immediately tries to compute a vahd proof of forgery. These two parts of the attacker strategy are called Aj andA2-... 

Definition 7.11. A standard fail-stop signature scheme is secure for risk bearers iff for all probabilistic polynomial-time interactive algorithms Aj and non-interactive A2 (the two parts of the attacker strategy) and all polynomials Qsig, Qn (determining the growth of a and N as functions of k) ... 

Security for the signer will be defined in two ways. The reason is that previous definitions avoided the concept of probabilistic interactive functions in favour of better-known notions. (This could originally be done because only simple versions of key generation were considered.) Now it is simpler to make a forward definition that deals explicitly with an interactive attacker strategy that carries out authentications and one dispute. This section contains such a forward definition. The backward definition from previous publications and a proof that it is slightly (and unnecessarily) stronger than the forward definition are presented in Section 7.2.1. Nevertheless, some of the later sections are based on the backward definition. 

The next definition introduces notation for the attacker strategy and its interaction with the signer s entity. According to Section 7.1.3, restricted attacker strategies of the following type ate considered ... 

First, the attacker carries out key generation with the real signer s entity and the correct algorithm res. This part of the attacker strategy is called B. 

Deflnition 7.13. Let a standard fail-stop signature scheme and an attacker strategy B, F), consisting of two probabilistic interactive functions of the appropriate type, be given. 

The security for the signer against attacker strategies as described above means that the probability that the attacker succeeds in computing a successful forgery that the signer cannot prove to be a forgery is very small. This criterion can be formulated quite simply with the notation introduced in the previous definition. 

Lemma 7.20. If a standard fail-stop signature scheme is secure for the signer backwards, then for all attacker strategies (B, F) as in Definition 7.13 and all parameters par as in Definition 7.1 or 7.2, respectively ... 

---