@@ -236,7 +236,7 @@ We arrive at our decapsulation protocol, executed by a superauthorised set \(S^\
...
@@ -236,7 +236,7 @@ We arrive at our decapsulation protocol, executed by a superauthorised set \(S^\
\item Otherwise, \(P_i\) outputs \(E^k\) and finalises its turn.% turn is finalised and the next shareholder continues with \(E^k\) as input from \(P_i\).
\item Otherwise, \(P_i\) outputs \(E^k\) and finalises its turn.% turn is finalised and the next shareholder continues with \(E^k\) as input from \(P_i\).
\item The protocol terminates with the last shareholder's \(E^{\# S^\ast}\) as output.
\item The protocol terminates with the last shareholder's \(E^{\# S^\ast}\) as output.
\end{enumerate}
\end{enumerate}
The combination of the PVP and the zero-knowledge proof in steps \ref{step.pvp} and \ref{step.zk} ensure, that \(P_i\)not only has knowledge of the sharing polynomial \(L_{i,S^\ast} f_i\)but also inputs \(L_{i,S^\ast} f_i\paren*0\) to compute \(E^k\). The precise protocol can be found in \hyperref[fig.decaps]{Algorithm \ref{fig.decaps}}.
The combination of the PVP and the zero-knowledge proof in steps \ref{step.pvp} and \ref{step.zk} ensure, that \(P_i\) has knowledge of the sharing polynomial \(L_{i,S^\ast} f_i\)and also inputs \(L_{i,S^\ast} f_i\paren*0\) to compute \(E^k\). We give the precise protocol in \hyperref[fig.decaps]{Algorithm \ref{fig.decaps}}.
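Review bot: The rewritten sentence still has no space before "and" in `\(L_{i,S^\ast} f_i\)and also inputs`, so the math and the following word will run together in the output. The change fixed the same defect after `\(P_i\)` but not this one. While this line is being touched, "ensure, that" should become "ensures that": the subject is the singular "The combination", and the comma before "that" does not belong. Dropping "not only ... but also" also changes the emphasis. The old wording stressed that \(P_i\) uses the value \(L_{i,S^\ast} f_i\paren*0\) in computing \(E^k\), on top of knowing the polynomial. If that is the point of combining steps \ref{step.pvp} and \ref{step.zk}, consider keeping it explicit. Minor: `\paren*0` would be more robust written as `\paren*{0}`.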