From 0803efb59a40736c729367b17359af45496d365b Mon Sep 17 00:00:00 2001
From: Philipp Muth <muth@seceng.informatik.tu-darmstadt.de>
Date: Tue, 26 Jul 2022 09:47:36 +0200
Subject: [PATCH] reviews for PQC

---
 PKC/PKC.tex           |  13 +-
 PKC/data.txt          |   7 +
 PKC/generalsss.tex    |   2 +-
 PKC/keyexchange.tex   | 443 ++----------------------------------------
 PKC/preamble.tex      |   5 +-
 PKC/preliminaries.tex |  10 +-
 PKC/reviews           |  80 ++++++++
 PKC/signatures.tex    |   6 +-
 8 files changed, 119 insertions(+), 447 deletions(-)
 create mode 100644 PKC/data.txt
 create mode 100644 PKC/reviews

diff --git a/PKC/PKC.tex b/PKC/PKC.tex
index b33d57e..02e591a 100644
--- a/PKC/PKC.tex
+++ b/PKC/PKC.tex
@@ -1,5 +1,5 @@
 \newif\ifpublic
-%\publictrue
+\publictrue
 
 %\documentclass[conference]{IEEEtran}
 \documentclass{iacrtrans}
@@ -21,16 +21,17 @@
 
 
 \ifpublic
-\author{Philipp Muth\inst{1}
-\and
-Fabio Campos\inst{2}}
+\author{
+	Fabio Campos\inst{2}
+	\and
+	Philipp Muth\inst{1}}
 
-\authorrunning{Philipp Muth, Fabio Campos}
+\authorrunning{Fabio Campos, Philipp Muth}
 
 
 \institute{\relax
   Technische Universität Darmstadt,\\Germany\\
-  \email{muth@seceng.informatik.tu-darmstadt.de}
+  \email{philipp.muth@tu-darmstadt.de}
   \and
   Max Planck Institute for Security and Privacy,\\Germany\\
   \email{campos@sopmac.de}
diff --git a/PKC/data.txt b/PKC/data.txt
new file mode 100644
index 0000000..57bb4a7
--- /dev/null
+++ b/PKC/data.txt
@@ -0,0 +1,7 @@
+\title{On Actively Secure Fine-grained Access Structures from Isogeny Assumptions}
+\author{Fabio Campos \and Philipp Muth}
+\index{Campos, Fabio}
+\index{Muth, Philipp}
+\nbpages{22}
+\contact{campos@sopmac.de, philipp.muth@tu-darmstadt.de}
+
diff --git a/PKC/generalsss.tex b/PKC/generalsss.tex
index 2786e2e..1e01342 100644
--- a/PKC/generalsss.tex
+++ b/PKC/generalsss.tex
@@ -1,6 +1,6 @@
 \section{Generalising the secret sharing schemes}\label{sec.generalsss}
 
-We constructed the protocols above in the context of Shamir's secret sharing protocol \cite{Shamir79}. The key exchange mechanism in \autoref{sec.kem} as well as the signature scheme in \autoref{sec.signatures} can be extended to more general secret sharing schemes. We first list the requirements that a secret sharing scheme has to meet in order to successfully implement the KEM and the signature scheme, then we give some examples of secret sharing schemes that fulfill said requirements.
+We constructed the protocols above in the context of Shamir's secret sharing protocol \cite{Shamir79}. The key exchange mechanism in \secref{sec.kem} as well as the signature scheme in \secref{sec.signatures} can be extended to more general secret sharing schemes. We first list the requirements that a secret sharing scheme has to meet in order to successfully implement the KEM and the signature scheme, then we give some examples of secret sharing schemes that fulfill said requirements.
 \subsection{Compatibility requirements}
 \begin{defin}[Independent Reconstruction]
 	We say a secret sharing instance \(\mathcal S = \left(S, \Gamma, G\right)\) is \textbf{independently reconstructible}, if, for any shared secret \(s \in G\), any \(S'\in\Gamma\) and any shareholder \(P_i\in S'\), \(P_i\)'s input to reconstructing \(s\) is independent of the share of each other engaged shareholder \(P_j\in S'\).
diff --git a/PKC/keyexchange.tex b/PKC/keyexchange.tex
index e346800..54a8848 100644
--- a/PKC/keyexchange.tex
+++ b/PKC/keyexchange.tex
@@ -23,7 +23,7 @@ thus each shareholder \(P_i\) receives his share \(s_i\) of the secret key \(s\)
 
 For ease of notation we denote the polynomial with which the secret key \(s\) was shared by \(f\) and the polynomial with which \(s_i\) was shared by \(f_i\), where \(i =1 , \ldots, n\).
 
-This key generation protocol can be considered as a "two-level sharing", where each share of the secret key is itself shared again among the shareholders. A sketch of it can be found in \autoref{fig.keygen}.
+This key generation protocol can be considered as a "two-level sharing", where each share of the secret key is itself shared again among the shareholders. A sketch of it can be found in \hyperref[fig.keygen]{Algorithm \ref{fig.keygen}}.
 % \begin{figure}
 % 	\procedure[space = auto]{$\mathsf{KeyGen}$}{
 % 		s \sample \Z_p\\
@@ -99,9 +99,9 @@ Our encapsulation protocol is identical to the protocol of \cite{PKC:DeFMey20},
 \subsection{Decapsulation}
 A decapsulation protocol takes a ciphertext \(c\) and outputs a key \(\mathcal K\).
 
-De Feo and Meyer \cite{PKC:DeFMey20} applied the threshold group action (\autoref{fig.tga}) to a ciphertext \(c\) to have an authorised set of shareholders compute \(\left[s\right] c = \left[s\right] \left(b\ast E_0\right) = b \ast \left(\left[s\right] E_0\right)\), thereby decapsulating the ciphertext and obtaining the session key. While their approach is simulatable and thereby does not leak any information on the shares of the secret key, it is only passively secure. Thus, a malicious shareholder can provide malformed input to the protocol and thereby falsify the output without being detected.
+De Feo and Meyer \cite{PKC:DeFMey20} applied the threshold group action (\hyperref[fig.tga]{Algorithm \ref{fig.tga}}) to a ciphertext \(c\) to have an authorised set of shareholders compute \(\left[s\right] c = \left[s\right] \left(b\ast E_0\right) = b \ast \left(\left[s\right] E_0\right)\), thereby decapsulating the ciphertext and obtaining the session key. While their approach is simulatable and thereby does not leak any information on the shares of the secret key, it is only passively secure. Thus, a malicious shareholder can provide malformed input to the protocol and thereby manipulate the output of the computation to incorrect results without being detected.
 
-We extend their approach to enable detecting misbehaving shareholders in a decapsulation. For that we maintain the threshold group action, yet we apply the PVP and zero-knowledge proof layed out in Section \ref{sec.prelim}.
+We extend their approach to enable detecting misbehaving shareholders in a decapsulation. For that we maintain the threshold group action, yet we apply the PVP and zero-knowledge proof layed out in \hyperref[sec.prelim]{Section \ref{sec.prelim}}.
 Since the PVP does not fit our setting of threshold group action, we first discuss the necessary modifications to the PVP. We then present our actively secure decapsulation protocol.
 
 \subsubsection{Amending the PVP}
@@ -114,7 +114,7 @@ This does not fit the threshold group action, since, for an authorised set \(S'\
 \begin{exm}
 	Let \(\sk\) be a secret key generated and shared by \(\mathsf{KeyGen}\). That is each shareholder \(P_i\) holds
 	\[\set{s_i, \set{s_{ij}}_{P_j \in S}, \set{s_{ji}}_{P_j \in S}}.\]
-	Also let \(S'\in \Gamma\) be a minimally authorised set executing \autoref{fig.tga}, i.e., for any \(P_i \in S'\), \(S' \setminus \set{P_i}\) is unauthorised. Thus, for any arbitrary but fixed \(s_i'\in \Z_p\), there exists a polynomial \(f'_i\in \Z_p\left[X\right]_{k-1}\) so that \(f'_i \paren* j = L_{i,S'} s_{ij}\) and \(R' = \left[f'_i \paren* 0\right] R\) for any \(R,R' \in \mathcal E\). Thus, \(P_i\) can publish \(\left(\pi,\set{\pi_j}_{P_j \in S'}\right)\) with
+	Also let \(S'\in \Gamma\) be a minimally authorised set executing \hyperref[fig.tga]{Algorithm \ref{fig.tga}}, i.e., for any \(P_i \in S'\), \(S' \setminus \set{P_i}\) is unauthorised. Thus, for any arbitrary but fixed \(s_i'\in \Z_p\), there exists a polynomial \(f'_i\in \Z_p\left[X\right]_{k-1}\) so that \(f'_i \paren* j = L_{i,S'} s_{ij}\) and \(R' = \left[f'_i \paren* 0\right] R\) for any \(R,R' \in \mathcal E\). Thus, \(P_i\) can publish \(\left(\pi,\set{\pi_j}_{P_j \in S'}\right)\) with
 	\begin{align*}
 		\left(\pi,\set{\pi_j}_{P_j \in S}\right) \gets& \mathsf{PVP}.P\paren*{\left(\left(R,R'\right), \left(L_{i,S'} s_{ij}\right)_{P_j \in S}\right), f_i'}
 	\end{align*}
@@ -126,10 +126,10 @@ This does not fit the threshold group action, since, for an authorised set \(S'\
 We resolve the conflicts by amending \cite{EPRINT:BDPV20}'s PVP protocol, so that, for a superauthorised set \(S^\ast\), a shareholder \(P_i \in S^\ast\) proves knowledge of a witness polynomial \(L_{i,S^\ast}f_i\) for a statement
 \[\left(\left(R,R'\right),\left( L_{i,S^\ast} s_{ij}\right)_{P_j \in S^\ast}\right),\]
 where \(R\sample\mathcal E\), \(R' = \left[L_{i,S^\ast} s_i\right] R\), \(s_{ij} = f_i\paren* j\) for \(P_j\in S^\ast\) and \(s_i\) was shared via \(f_i\).
-The inputs of our amended proving protocol are the proving shareholder's index \(i\), the witness polynomial \(f\), the superauthorised set \(S^\ast \in\Gamma^+\) and the statement \(\left(\left(R,R'\right), \left( s_{ij}\right)_{P_j\in S^\ast}\right)\). The protocol can be found in \autoref{fig.tpvpp}. By \(\mathcal C\) we denote a commitment scheme.
-The verifying protocol in turn has the prover's and the verifier's indices \(i\) and \(j\), respectively, a set \(S^\ast\in\Gamma^+\), a statement piece \(x_j\) and a proof piece \(\left(\pi,\pi_j\right)\) as input, where \(x_j = \left(R,R'\right)\in\mathcal E^2\) if \(j=0\) and \(x_j\in\Z_p\) otherwise. The verifying protocol is given in \autoref{fig.tpvpv}.
+The inputs of our amended proving protocol are the proving shareholder's index \(i\), the witness polynomial \(f\), the superauthorised set \(S^\ast \in\Gamma^+\) and the statement \(\left(\left(R,R'\right), \left( s_{ij}\right)_{P_j\in S^\ast}\right)\). The protocol can be found in \hyperref[fig.tpvpp]{Algorithm \ref{fig.tpvpp}}. By \(\mathcal C\) we denote a commitment scheme.
+The verifying protocol in turn has the prover's and the verifier's indices \(i\) and \(j\), respectively, a set \(S^\ast\in\Gamma^+\), a statement piece \(x_j\) and a proof piece \(\left(\pi,\pi_j\right)\) as input, where \(x_j = \left(R,R'\right)\in\mathcal E^2\) if \(j=0\) and \(x_j\in\Z_p\) otherwise. The verifying protocol is given in \hyperref[fig.tpvpv]{Algorithm \ref{fig.tpvpv}}.
 
-The definitions of soundness and zero-knowledge for a threshold PVP scheme carry over from the non-threshold setting in Section \ref{sec.prelim} intuitively, yet we restate the completeness definition for the threshold setting.
+The definitions of soundness and zero-knowledge for a threshold PVP scheme carry over from the non-threshold setting in \hyperref[sec.prelim]{Section \ref{sec.prelim}} intuitively, yet we restate the completeness definition for the threshold setting.
 \begin{defin}[Completeness in the threshold setting]
 	We call a threshold PVP scheme \emph{complete} if, for any \(S'\in \Gamma\), any \(\left(x,f\right)\in\mathcal R\), any \(P_i \in S'\) and \(\left(\pi,\set{\pi_j}_{P_j \in S'}\right) \gets \mathsf{PVP}.P\paren*{i,f,S',x_{S'}}\), we have
 	\[\prob{\mathsf{PVP}.V \paren*{i,j,S', x_j, \left(\pi,\pi_j\right)} = \true} = 1\]
@@ -265,7 +265,7 @@ We arrive at our decapsulation protocol, executed by a superauthorised set \(S^\
 	\item Otherwise, \(P_i\)'s turn is finalised and the next shareholder continues with \(E^k\) as input from \(P_i\).
 	\item The protocol terminates  with the last shareholder's \(E^{\# S^\ast}\) as output.
 \end{enumerate}
-The combination of the PVP and the zero-knowledge proof in steps \ref{step.pvp} and \ref{step.zk} ensure, that \(P_i\) not only has knowledge of the sharing polynomial \(L_{i,S^\ast} f_i\) but also inputs \(L_{i,S^\ast} f_i\paren* 0\) to compute \(E^k\). The precise protocol can be found in \autoref{fig.decaps}.
+The combination of the PVP and the zero-knowledge proof in steps \ref{step.pvp} and \ref{step.zk} ensure, that \(P_i\) not only has knowledge of the sharing polynomial \(L_{i,S^\ast} f_i\) but also inputs \(L_{i,S^\ast} f_i\paren* 0\) to compute \(E^k\). The precise protocol can be found in \hyperref[fig.decaps]{Algorithm \ref{fig.decaps}}.
 
 % \begin{figure}
 % %\begin{tiny}
@@ -349,7 +349,7 @@ The combination of the PVP and the zero-knowledge proof in steps \ref{step.pvp}
 A KEM with secret shared private key is \textbf{correct}, if for any authorised set \(S'\), any public key \(\pk\) and any \(\left(\mathcal K,c\right)\gets \mathsf{Encaps}\paren* \pk\), we have
 \[ \mathcal K = \mathcal K' \gets \mathsf{Decaps}\paren*{c,S'}.\]
 \end{defin}
-The correctness of our KEM presented in \autoref{fig.keygen}, \autoref{fig.encaps} and \autoref{fig.decaps} follows from the correctness of the threshold group action (\autoref{fig.tga}). Let \(\pk\) be a public key and \(\sk = \left[\pk\right] E_0\) be the respective secret key, that have been generated by \(\mathsf{KeyGen}\), thus each shareholder \(P_i\) holds a share \(s_i\) of \(\sk\), \(i=1,\ldots, n\). For an authorised set \(S'\) we therefore have
+The correctness of our KEM presented in \hyperref[fig.keygen]{Algorithm \ref{fig.keygen}}, \hyperref[fig.encaps]{Algorithm \ref{fig.encaps}} and \hyperref[fig.decaps]{Algorithm \ref{fig.decaps}} follows from the correctness of the threshold group action (\hyperref[fig.tga]{Algorithm \ref{fig.tga}}). Let \(\pk\) be a public key and \(\sk = \left[\pk\right] E_0\) be the respective secret key, that have been generated by \(\mathsf{KeyGen}\), thus each shareholder \(P_i\) holds a share \(s_i\) of \(\sk\), \(i=1,\ldots, n\). For an authorised set \(S'\) we therefore have
 \[\sk = \sum_{P_i \in S^\ast} L_{i,S^\ast} s_i.\]
 Furthermore let \(\left(\mathcal K,c\right) \gets \mathsf{Encaps}\paren* \pk\). To show correctness, \(\mathcal K' = \mathcal K\) has to hold, where \(\mathcal K' \gets \mathsf{Decaps}\paren*{c,S'}\). Now, after executing \(\mathsf{Decaps}\paren*{c,S'}\), we have \(\mathcal K' = E^{\#S'}\), which emerges as a result of applying the threshold group action to \(c\). This gives us
 \[ \mathcal K' = \left[\sum_{P_i \in S'} L_{i,S'}s_i \right] c = \left[\sk\right] \left(b\ast E_0\right) = b \ast \pk = \mathcal K.\]
@@ -360,7 +360,7 @@ Our decapsulation is executed by superauthorised sets \(S^\ast\), which are auth
 There are two aspects of security to consider:
 \begin{itemize}
 
-	\item Active security: A malicious shareholder cannot generate his contribution to the decapsulation protocol dishonestly without being detected. We prove this by showing that an adversary that can provide malformed inputs without detection can break either the PVP or the zero-knowledge proof of knowledge.
+	\item Active security: A malicious shareholder cannot generate his contribution to the decapsulation protocol dishonestly without being detected and identified. We prove this by showing that an adversary that can provide malformed inputs without detection can break either the PVP or the zero-knowledge proof of knowledge.
 
 	\item Simulatability: An adversary that corrupts an unauthorised set of shareholders cannot learn any information about the uncorrupted shareholders' inputs from an execution of the decapsulation protocol. We show this by proving the simulatability of \(\mathsf{Decaps}\).
 \end{itemize}
@@ -375,10 +375,12 @@ There are two aspects of security to consider:
 \begin{proof}
 	Let \(P_{i'}\) be the malicious shareholder and let \(k'\) be the index of \(P_{i'}\)'s output in the transcript. Since \(\mathsf{Decaps}\paren*{c,S^\ast}\) terminated successfully, we have 
 	\begin{align}
-		\mathsf{PVP}.V\paren*{i', j,S^\ast, L_{i',S^\ast} s_{i'j}, \left(\pi^{k'},\pi^{k'}_j\right)} =& \true\label{eq.pvp1}\\
+		%\mathsf{PVP}.V\paren*{i', j,S^\ast, L_{i',S^\ast} s_{i'j}, \left(\pi^{k'},\pi^{k'}_j\right)} =& \true\label{eq.pvp1}\\
+		\mathsf{PVP}.V\paren*{i', j,S^\ast, s_{i'j}, \left(\pi^{k'},\pi^{k'}_j\right)} =& \true\label{eq.pvp1}\\
 		\mathsf{PVP}.V\paren*{i', 0,S^\ast, \left(R_{k'},R_{k'}' \right), \left(\pi^{k'},\pi^{k'}_0\right)} =& \true\label{eq.pvp2}\\
 		\mathsf{ZK}.V\paren*{\left(E^{k'-1},E^{k'}\right), \left(R_{k'}, R_{k'}'\right), zk^{k'}} =& \true \label{eq.zk}
 	\end{align}
+	\todo{changed \eqref{eq.pvp1}}
 	for all \(P_j \in S^\ast\setminus\set{P_{i'}}\). \(E^{k'}\) was generated dishonestly, thus we have 
 	\[ E^{k'} = \left[\alpha\right] E^{k'-1},\]
 	for some \(\alpha \neq L_{i',S^\ast} s_{i'}\). We distinguish two cases: \(R_{k'}' \neq \left[\alpha\right] R_{k'}\) and \(R_{k'}' = \left[\alpha\right] R_{k'}\). 
@@ -397,14 +399,9 @@ There are two aspects of security to consider:
 \subsubsection{Simulatability}
 We show, that an adversary who corrupts an unauthorised subset of shareholder does not learn any additional information from an execution of the decapsulation protocol. For that we prove the simulatability of the decapsulation.
 
-\begin{comment}
-\begin{defin}
-	We call a KEM with shared secret key \emph{simulatable}, if for any adversary \(\adv\) corrupting an unauthorised set of shareholders \(S'\) and any ciphertext \(c \in \mathcal E\) with \(\left(\mathcal K,c\right) = \mathsf{Decaps}\paren*{\pk}\), there is a PPT algorithm \(\mathsf{Sim}\), that upon input \(c\), \(\mathcal K\) and \(\set{s_j, \set{s_{ij}}_{P_i \in S},\set{s_{ji}}_{P_i \in S}}_{P_j\in S}\) outputs a transcript that is indistinguishable from the real transcript of \(\mathsf{Decaps}\paren*{c}\).
-\end{defin}
-\end{comment}
 
 \begin{thm}
-	The decapsulation protocol presented in \autoref{fig.decaps} is simulatable.
+	The decapsulation protocol presented in \hyperref[fig.decaps]{Algorithm \ref{fig.decaps}} is simulatable.
 \end{thm}
 %In short if an \(\sskem\) is simulatable, an adversary cannot derive any meaningful information concerning the secret key from the transcript of an execution of the decapsulation algorithm, since with just the information he gathered from partaking in the decapsulation execution, a transcript can be generated that is indistinguishable from the actual transcript.
 \begin{proof}
@@ -460,416 +457,4 @@ Each shareholder engaged in an execution of the decapsulation protocol has one r
 \end{align*}
 where \(x\) is the bit representation of an element of \(\mathcal E\) and \(c\) is the size of a commitment produced in \(\mathsf{PVP}.P\). Assuming \(x\), \(c\) and the secret sharing parameters \(k\) and \(p\) to be constant, the message size is thus linear in the security parameter \(\lambda\) with moderate cofactor.
 
-\begin{comment}
-\begin{figure*}
-	\begin{center}
-	\begin{tikzpicture}
-		\node (e) at (0,0) {$E$};
-		\node (ea) at (-2,-2) {$E_a$};
-		\node (eb) at (2,-2) {$E_b$};
-		\node (ec) at (0,-4) {$E_c$};
-		\draw [->] (e) -- (ea) node [pos=.5,left] {$a$};
-		\draw [->] (e) -- (eb) node [pos=.5,right] {$b$};
-		\draw [->] (ea) -- (ec) node [pos=.5,left] {$b$};
-		\draw [->] (eb) -- (ec) node [pos=.5,right] {$a$};
-
-		\node (e') at (7,0) {$E' = E$};
-		\node (ea') at (5,-2) {$E_a' = \left[\mathsf{input}_j\paren*{s_j}\right]E_a$};
-		\node (eb') at (9,-2) {$E_b' = E_b$};
-		\node (ec') at (7,-4) {$E_c' = \left[\mathsf{input}_j\paren*{s_j}\right]E_c$};
-		\draw [->] (e') -- (ea') node [pos=.5,left] {$\left[a\otimes \mathsf{input}_j\paren*{s_j}\right]$};
-		\draw [->] (e') -- (eb') node [pos=.5,right] {$b$};
-		\draw [->] (ea') -- (ec') node [pos=.5,left] {$b$};
-		\draw [->] (eb') -- (ec') node [pos=.5,right] {$\left[a\otimes \mathsf{input}_j\paren*{s_j}\right]$};
-		
-	\end{tikzpicture}
-		\caption{How to reduce the decisional parallelisation challenge to distinguishing the transcript in one shareholder's output}
-	\end{center}
-\end{figure*}
-
-\begin{bem}[Reducing the decisional parallelisation problem to transcript distinguishing]
-	An instance of the decisional parallelisation problem (DPP) is defined by a triple \(\left(E_a, E_b, E_c\right)\), where \(E_a = [a] E\), \(E_b = [b]E\) and \(E_c = [c]E\) hold for some \(E\in\mathcal E\) and \(a,b,c \in \mathcal G\). The challenge is to distinguish whether \(c \sample \mathcal G\) or \(c = a\otimes b\) with \(\otimes\) being the group action in \(\mathcal G\).
-
-	So after being handed said instance \(E_a,E_b,E_c\), we generate \(E_a' \gets \mathsf{input}_j\paren*{s_j} E_a\) and \(E_c'\gets \mathsf{input}_j\paren*{s_j}E_c\) and \(E_b' = E_b\), thereby obtaining a new instance of DPP \(\left(E_a', E_b', E_c'\right)\).
-
-\end{bem}
-\begin{figure}
-	\begin{center}\begin{tikzpicture}
-		\node (b) at (0,0) {\(b_1, \ldots, b_\lambda \sample \Z_N\left[x\right]_{\leq k-1}\)};
-
-		\node (ehat) at (0,-2) {\(\hat{E}_1, \ldots, \hat{E}_\lambda \gets \left[b_1\paren* 0\right]E_0, \ldots, \left[b_\lambda\paren* 0\right] E_0\)};
-		\draw [->] (b) -- (ehat);
-
-		\node (y0) at (6,-2) {\(y_0, y_0' \sample \set{0,1}^\lambda\)};
-		\node (c0) at (4, -4) {\(C_0 \gets \mathcal C\paren*{\hat{E}_1 \vert\vert \ldots \vert\vert \hat{E}_\lambda , y_0}\)};
-		\node (c0') [below =.3 of c0]{\(C_0'\gets \mathcal C \paren*{E_0\vert\vert E_1, y_0'}\)};
-		\draw[->] (ehat) -- (c0);
-		\draw[->] (y0) -- (c0);
-
-		\node (yi) at (-6,-2) {\(y_1,y_1', \ldots, y_n, y_n'\sample \set{0,1}^\lambda\)};
-		\node (ci) at (-4,-4){\(C_i \gets \mathcal C\paren*{b_1\paren* i, \ldots, b_\lambda\paren* i, y_i}\)};
-		\node (ci') [below =.3 of ci] {\(C_i' \gets \mathcal C\paren*{x_i, y_i'}\)};
-		\draw[->] (b) -- (ci);
-		\draw[->] (yi) -- (ci);
-
-		\node (c) at (0,-6) {\(C = \left(C_0,C_1, \ldots, C_n\right)\)};
-		\node (c') [below =.3 of c] {\(C' = \left(C_0',C_1', \ldots, C_n'\right)\)};
-		\draw [->] (ci') -- (c);
-		\draw[->] (c0') -- (c);
-
-		\node (challenge) [below =.5 of c'] {\(c_1, \ldots, c_\lambda = \mathcal H \paren*{C,C'}\)};
-		\draw [->] (c')--(challenge);
-
-		\node (pi) [below =.7 of challenge] {\(\tilde{\pi} = \left(C,C',r\right)\)};
-
-
-	\end{tikzpicture} \end{center}
-	\caption{sketch of ZKP in \cite{EPRINT:BDPV20}}
-\end{figure}
-
-\iffalse
-\begin{bem}[Zero Knowledge Proof of Knowledge for shareholders' outputs]
-	For a shareholder \(P_j\) with the preceding shareholder \(P_{j-1}\)'s output being \(E_{j-1}\in \mathcal E\), we have \(P_j\) produce the following proof of knowledge. \(P_j\) picks a random \(r_j \in \mathcal G\). He computes 
-	\[E_j \gets \left[\mathsf{input}\paren*{s_j}\right] E_{j-1}\] 
-	and 
-	\[E_j' \gets \left[r_j\right] E_{j-1}.\]
-	\(E_j\) as well as the zero-knowledge proof \(E_j'\) are \(P_j\)'s output. Depending on the challenge bit \(b_j \in \bin\), \(P_j\) answers with either 
-	\[z_j = r_j\]
-	in the case of \(b_j = 0\) and with
-	\[z_j = r_j \otimes \mathsf{input}\paren*{s_j}\]
-	in the case of \(b_j = 1\).
-	
-	Verification (see ) is a simple check whether
-	\[ E_j' = [z_j] E_j.\]
-	This means a shareholder \(P_j\)'s output is \(\left(E_j,E_j'\right) = \left(\left[\mathsf{input}_j\paren*{s_j}\right] E_{j-1}, \left[r_j\right] E_j\right)\). We could perhaps reduce an instance \(\left(E_a, E_b, E_c\right) = \left(a\ast E, b\ast E, c\ast E\right)\) of the decisional parallelisation problem to distinguishing \(\left(E_{j-1}, E_j, E_j'\right)\).
-	\todo{make this non-interactive, cramp the decisional parallelisation challenge \(\left(E_a,E_b, E_c\right)\) into this transcript.}
-\end{bem}
-\fi
-
-\begin{bem}[Zero Knowledge Proof of Knowledge for shareholders' outputs]
-\textbf{1-bit security proof}.	For a shareholder \(P_j\) with the preceding shareholder \(P_{j-1}\)'s output being \(E_{j-1}\in \mathcal E\), we have \(P_j\) produce the following proof of knowledge. \(P_j\) picks a random \(r_j \in \mathcal G\). He computes 
-	\[E_j \gets \left[\mathsf{input}\paren*{s_j}\right] E_{j-1}\] 
-	and 
-	\[E_j' \gets \left[r_j\right] E_{j-1}.\]
-	\(E_j\) as well as the zero-knowledge proof \(E_j'\) are \(P_j\)'s output. Depending on the challenge bit \(b_j \in \bin\), \(P_j\) answers with either 
-	\[z_j = r_j\]
-	in the case of \(b_j = 0\) and with
-	\[z_j = r_j \otimes \mathsf{input}\paren*{s_j}^{-1}\]
-	in the case of \(b_j = 1\).
-	Verification (see \autoref{fig:proof}) is a simple check whether
-	\[ E_j' = [z_j] E_{j-1}.\] in the case of \(b_j = 0\) and
-	\[ E_j' = [z_j] E_j.\] in the case of \(b_j = 1\).\\
-	
-\begin{figure}
-	\centering
-	\begin{tikzpicture}
-	
-	\matrix (m) [matrix of math nodes,
-	row sep=4em,
-	column sep=2em,
-	minimum width=2em] {
-		E_{j-1}                     &   & E_j  \\
-		  & E_j'  &  \\
-	};
-	\path[-stealth]
-	(m-1-1) edge node [above] {\(\mathsf{input}\paren*{s_j}\)}  (m-1-3)
-	(m-1-1) edge node [left]  {\(r_j\)}  (m-2-2)
-	(m-1-3) edge node [right] {\(\alpha\)} (m-2-2);
-	\end{tikzpicture}
-	\caption{$[\alpha]E_j=[r_j][\mathsf{input}\paren*{s_j}]^{-1}E_j=[r_j]E_{j-1}=E_j'$}
-	\label{fig:proof}
-\end{figure}	
-
-\textbf{!!! CHECK !!! \([r_j \otimes \mathsf{input}\paren*{s_j}^{-1}]E_j \stackrel{?}{=} [r_j][\mathsf{input}\paren*{s_j}]^{-1}E_j\) !!!}\\
-	
-\textbf{Basic proof}. Obviously \(P_j\), who is assumed not to be able to break the underlying vectorization problem, can cheat with probability $1/2$, namely in the case \(b_j = 0\), where the knowledge of \(\mathsf{input}\paren*{s_j}\) is not required. In order to achieve \(\lambda\)-bit security, the proof is repeated \(\lambda\) times, so \(P_j\) is able to cheat with probability \((1/2)^\lambda\).
-In order to obtain a non-interactive proof, the standard Fiat-Shamir transform can be applied. Therefore, \(P_j\) samples \(r_{j,1},\dots,r_{j,\lambda} \in \mathcal G\) as above and computes 
-\[[r_{j,1}]E_{j-1},\dots, [r_{j,\lambda}]E_{j-1},\] 
-and 
-\[z_{j,1},\dots,z_{j,\lambda}=r_{j,1} \otimes \mathsf{input}\paren*{s_j}^{-1},\dots,r_{j,\lambda} \otimes \mathsf{input}\paren*{s_j}^{-1}.\]
-\(P_j\) then generates the challenges by 
-\[b_{j,1}\|...\|b_{j,\lambda}=H([r_{j,1}]E_{j-1}\|\dots\|[r_{j,\lambda}]E_{j-1}),\] 
-where $H$ is a hash function with at least \(\lambda\) bit output. It can be verified by computing \[E^V_{j,i}=[z_{j,i}]E_{j-1}\] if \(b_{j,i}=0\) resp. \[E^V_{j,i}=[z_{j,i}]E_j\] if \(b_{j,i}=1\) for all \(i\in\{1,...,\lambda\}\), and checking if \[b_{j,1}\|...\|b_{j,\lambda}=H(E^V_{j,1}\|\dots\|E^V_{j,\lambda}).\]
-
-\end{bem}
-
-\begin{bem}[Difference between public key derivation in \cite{EPRINT:BDPV20} and decapsulation in our setting]
-	In \cite{EPRINT:BDPV20}, the shareholders act in two steps: 
-	\begin{enumerate}
-		\item Sharing their additive contribution \(x_0^{(i)} = f^{(i)}\paren* 0\) and proving their knowledge thereof with a PVP for the statement 
-			\[x = \left(\left(R^{(i)}, R'^{(i)}\right), \set{x_j^{(i)} = f^{(i)}\paren* j}_{j = 1, \ldots, n}\right).\]
-		\item Computing the public key by a round robin method. For that each shareholder \(P_i\) computes \(F_i\) from \(\left[x_0^{(i)}\right] F_{i-1}\) and proves correctnes by a ZKP of the statement
-			\[\left(\left(R^{(i)}, R'^{(i)}\right), \left(F_{i-1},F_i\right), x_0^{(i)} = f^{(i)}\paren* 0\right).\]
-	\end{enumerate}
-
-	In our setting we can keep the first phase with the dealer providing each shareholder \(P_j\) with not only his share \(s_j\) of the secret key \(s\), but also with a share of each others share. Thus we apply a two-layer secret sharing, where each share of the secret key is shared once more and each shareholder \(P_j\) holds the sharing polynomial \(f^{(j)}\) of his own share. Again, each shareholder can prove knowledge of said polynomial with a PVP of the statement 
-	\[x = \left(\left(R^{(i)}, R'^{(i)}\right), \set{x_j^{(i)} = f^{(i)}\paren* j}_{j = 1,\ldots, n}\right).\]
-	Yet in the second phase, that is decapsulation executed by an authorised set of shareholders \(S^\ast\), each engaged shareholder does not merely provide his secret share \(s_i\) as input, but a derivative of it, that is \(\mathsf{input}_i\paren*{s_i, S^\ast}\). Thus the ZKP employed in the second phase is not transferable one-to-one, since
-	\[F_i = \left[ \mathsf{input}_i\paren*{s_i, S^\ast}\right] F_{i-1}\]
-	instead of \(F_i = \left[ s_i\right] F_{i-1}\). Thus some adjustments to the ZKP need to me made. Slight upsight:
-	\[ \mathsf{input}_i \paren*{s_i, S^\ast} = L_{i,S^\ast} \cdot s_i, \]
-	at least in the case of Shamir sharing (and Tassa as well, for differing coefficients), which might help.
-
-	\textbf{Idea for  a solution.} Upon starting an execution of the decapsulation protocol, the set of participating shareholders \(S^\ast\) is known (publically). Thus each shareholder \(P_i\)  can issue a PVP in which he proves the knowledge of \(\mathsf{input}_j\paren*{s_{i,j}}\) rather than \(s_{i,j}\) itself, an so he can in his own turn use a fitting ZKP for \(\mathsf{input}_i\paren*{s_i,S^\ast}\). The PVP can be published to a billboard, i.e., is it immutable and known to everyone, but since the PVP is ZK, this does not matter.
-\end{bem}
-
-In this section we present a secret shared key exchange mechanism (SSKEM) based on the threshold key exchange mechanism presented by De Feo and Meyer \cite{PKC:DeFMey20}. They based their scheme on Shamir's secret sharing scheme \cite{Shamir79} combined with a hard homogeneous space. Our scheme also makes use of an HHS, yet we enable a substantially more general class of secret sharing schemes. The SSKEM we propose is outlined in \autoref{fig:sskem}.
-
-\begin{figure*}
-	\procedure{Public Parameters}{
-		\text{HHS}~\left(\mathcal E, \mathcal G\right),~\text{starting element} ~ E_0 \in \mathcal E,\\% ~\text{distinguished}~ g \in \mathcal G ~\text{with}~ \# g = q,\\
-		%\text{Hash function}~ \mathcal H: \mathcal E \to \set{0,1}^\lambda\\
-		\text{Secret sharing instance}~ \mathcal S~\text{with access structure}~ \Gamma, ~\text{authorised}~ S = \set{P_{1}, \ldots, P_{k}} \in \Gamma
-	}
-
-	\procedure[linenumbering,space = auto]{$\mathsf{Keygen}\paren*{\mathcal S,\Gamma, E_0}$}{
-		s \sample \Z_q\\
-		\pk \gets E_s = \bracket* s E_0\\ %= s \ast E_0\\
-		\set{s_1, \ldots, s_n} \gets \mathcal S.\mathsf{share}\paren* s\\ %\text{among shareholders accoring to access structure}~ \Gamma\\
-		%\text{publish}~ E_s := \bracket* s E_0 = g^s \ast E_0\\
-		\pcfor i = 1, \ldots, n\\
-			\set{s_{i1},\ldots,s_{in}} \gets \mathcal S.\mathsf{share}\paren*{s_i}\\
-		\pcendfor\\
-		\text{publish } \pk\\
-		\pcfor i = 1, \ldots , n\\
-			\text{send } s_i, \set{s_{i1},\ldots, s_{in}} \text{ and } \set{s_{1i},\ldots,s_{ni}} \text{ to }P_i\\
-		\pcendfor
-	}
-
-	\procedure[linenumbering,space = auto]{$\mathsf{Encaps} \paren*{E_s}$}{
-		b \sample \mathcal G\\
-		%\mathcal K := \mathcal H \paren*{b\ast E_s} = \mathcal H \paren*{b \ast \left(g^s \ast E_0\right)}\\
-		c \gets b \ast E_0\\
-		\mathcal K \gets b \ast E_s\\
-		\pcreturn \left(c, \mathcal K\right)
-	}
-
-	\procedure[linenumbering,space = auto]{$\mathsf{Decaps} \paren*{c, S^\ast}$}{
-		k \gets 0, E^0 \gets c\\
-		\pcfor P_i \in S^\ast\\
-		\pcif E^k\not \in \mathcal E\\
-			P_i \text{ outputs } \bot \text{ and the decapsulation aborts.}\\
-		\pcfi\\
-			k \gets k+1, R \sample \mathcal E, R_k' \gets \left[L_{i,S^\ast} s_i\right] R_k\\
-			P_i \text{ publishes }\left(\pi, \set{\pi_i}_{P_j \in S^\ast}\right) \gets \mathsf{PVP}.P \paren*{\left(R_k, R_k'\right), \set{L_{i,S^\ast} s_{ij}}_{P_j \in S^\ast}}\\
-			%\text{Each } P_i \in S^\ast \text{ verifies the correctness of }\pi \text{ with  respect to }\left(E',E''\right)\text{ and } L_{i,S^\ast} s_{ij}\\
-			\pcif \exists P_j \in S^\ast \colon \mathsf{PVP}.V\paren*{S^\ast,  j,i, s_{ij}} \neq \true\vee \mathsf{PVP}.V\paren*{S^\ast, 0,i, \left(R,R_k'\right)} \neq \true\\
-				P_j \text{ publishes } s_{ij}\\
-				\text{if }P_i\text{ is cheating, restart } \mathsf{Decaps}\paren*{c,{S^\ast}'} \text{ with } P_i \not \in {S^\ast}'\\
-			\pcfi\\
-			%\pccomment{generate \(\mathsf{PVP}.P\) for \(L_{i,S^\ast} s_i\)}\\
-			E^k \gets \left[L_{i,S^\ast} s_i\right] E^{k-1}\\
-			%\pccomment{compute \(E^k = \left[ L_{j,S^\ast} s_j\right] E^{k-1}\)}\\
-			zk \gets \mathsf{ZK}.P \paren*{\left(E^{k-1}, E^k \right), \left(R_k,R_k'\right), L_{i,S^\ast} s_i}\\
-			%\pccomment{compute ZKP for \(\left(\left(E^i, E^{i-1}\right), \left(R',R\right), L_{i,S^\ast} s_i\right)\)}\\
-			P_i \text{ publishes } zk, E^k\\
-			%\pccomment{publish \(E^k\) and ZKP}\\
-			\pcif \mathsf{ZK}.V \paren*{\left(R_k,R_k'\right),\left(E^{k-1},E^k\right),zk} = \false\\
-			\text{restart } \mathsf{Decaps}\paren*{c,{S^\ast}'} \text{ with } P_i \not \in {S^\ast}'\\
-			\pcfi\\
-			%\pccomment{verify \(\mathsf{PVP}.V\) for \(L_{j,S^\ast}s_j\) for all \(P_j \in S^\ast\)}\\
-		\pcendfor\\
-		\pcreturn \mathcal K \gets E^k
-	}
-	\caption{Secret Shared Elgamal Key Exchange Mechanism} 
-	\label{fig:sskem}
-\end{figure*}
-\begin{bem}[Big Difference to CSI-RaShi]
-	CSI-RaShi is additive secret sharing, i.e. all participants are needed to reconstruct secret key. We aim for at least threshold secret sharing, better even just any secret sharing (with some limitations of course).
-
-	Knowledge proved by PVP in CSI-RaShi:
-	\begin{enumerate}
-		\item \(f^{(i)} \paren* 0 \colon R'^{(i)} = \left[f^{(i)}\paren* 0\right] R^{(i)}\)
-		\item \(x_j = f^{(i)} \paren* j\) for \(j = 1, \ldots, n\)
-	\end{enumerate}
-	Knowledge to prove in our case 
-	\begin{enumerate}
-		\item \(s_i = f^{(i)}\paren* 0 : E^{(i)} = \left[ \mathsf{input}_i\paren*{s_i}\right] E^{(i-1)}\)
-		\item \(\mathsf{input}_j\paren*{s_j} : s_j = f^{(i)}\paren* j\) for \(P_j \in S^\ast\) (the engaged shareholders)
-	\end{enumerate}
-
-\end{bem}
-
-A traditional key exchange mechanism (KEM) consists of three algorithms \(\mathsf{KeyGen}\), \(\mathsf{Encaps}\) and \(\mathsf{Decaps}\). Whereas many examples of KEMs have already been established and analysed in terms of efficiency as well as security, a rigorous security model for secret shared key exchange mechanisms remains to be introduced. We propose security notions adjusted for the secret shared setting in the following subsections and will prove, that our scheme fulfills those.
-
-We consider two main categories of security guarantees regarding KEMs. On the one hand there is indistinguishability of an encapsulated key, that is an adversary who obtains a ciphertext generated by \(\mathsf{Encaps}\) by for example wiretapping the communication to the owner of the secret key cannot distinguish the true encapsulated key from a random one with overwhelming probability. And on the other hand there is confidentiality of the secret key, that is an adversary cannot derive any meaningful information regarding the secret key from a decapsulation transcript. We discuss the former aspect in \autoref{subsec.kemind}, and the latter in \autoref{subsec.kemsimul}.
-
-\subsection{Indistinguishability of Encapsulated Keys}\label{subsec.kemind}
-We capture the notion of indistinguishability of the encapsulated keys by adapting the \(\indcpa\) or \(\indcca\) games, respectively, of traditional KEMs as can be found in \autoref{fig:kemgame} to the setting of a secret shared secret key. For that we generate a public/ secret key pair \(\left(\pk,\set{s_1,\ldots, s_n}\right)\), where the secret key is shared. The adversary \(\adv\) then picks an unauthorised set of shareholders \(S\) and obtains the secret key shares of the parties in \(S\).
-\todo{does \(\mathcal O_\mathsf{Decaps}\) only return result or transcript?}
-In the case of \(\indcca\), some amendments to the decapsulation oracle have to be made.  
-The resulting security game can be seen in \autoref{fig:sskemgame}.
-
-%A KEM \(\kem\)'s primary purpose is to provide the means of secure key exchange to any party \(B\) with the holder \(A\) of secret key \(\sk\), generated by \(\left(\sk,\pk\right) \gets \kem.\mathsf{KeyGen}\). That is, by executing \(\kem.\mathsf{Encap}\paren*\pk\), \(B\) obtains a key \(\mathcal K\) and a ciphertext \(c\). The ciphertext is then sent to \(A\), who runs \(\kem.\mathsf{Decaps}\paren*{c, \sk}\) and thereby also obtains \(\mathcal K\). Since it can rarely be guaranteed with absolute certainty, that \(c\) is not leaked during the transfer to \(A\), it has to be certain, that an eavesdropper cannot derive any information about \(\mathcal K\) without knowing \(\sk\). This notion is usually captured in an \(\indcpa\) or an \(\indcca\) security game, as can be seen in \autoref{fig:kemgame} and found for example in \cite{cryptoeprint:2019:1356}.
-
-\begin{figure*}
-\begin{center}\begin{tabular}{c|c c}
-	\procedure[space = auto]{$\mathsf{Exp}^\text{indcpa}_{\mathsf{KEM}, \adv}\paren* \lambda$}{
-		b \sample \bin\\
-		\left(\pk,\sk\right)\gets \mathsf{KeyGen}\paren*{\lambda}\\
-		\left(c^\ast, K_0^\ast\right) \gets\mathsf{Encaps}\paren* \pk\\
-		K_1^\ast \sample \mathcal K\\
-		b' \gets \adv\paren*{\pk, c^\ast, K_b^\ast}\\
-		\pcreturn \left(b = b'\right)
-	}&
-	\procedure[space = auto]{$\mathsf{Exp}^\text{indcca}_{\mathsf{KEM}, \adv}\paren* \lambda$}{
-		b \sample \bin\\
-		\left(\pk,\sk\right)\gets \mathsf{KeyGen}\paren*{\lambda}\\
-		\left(c^\ast, K_0^\ast\right) \gets\mathsf{Encaps}\paren* \pk\\
-		K_1^\ast \sample \mathcal K\\
-		b' \gets \adv^{\mathcal O_\mathsf{Decaps}}\paren*{\pk, c^\ast, K_b^\ast}\\
-		\pcreturn \left(b = b'\right)
-	}&
-	\procedure[space = auto]{$\mathcal O_\text{Decaps} \paren*{c}$}{
-		\pcif c = c^\ast\\
-		\pcreturn \bot\\
-		\pcelse \\
-		\pcreturn \mathsf{Decaps}\paren*{\sk,c}\\
-		%\pcfi
-	}
-	\end{tabular}
-	\end{center}
-
-	\caption{\(\indcpa\) and \(\indcca\) security game for key exchange mechanism \(\mathsf{KEM} = \left(\mathsf{KeyGen, Encaps, Decaps}\right)\)}
-	\label{fig:kemgame}
-\end{figure*}
-
-%We transfer these security games to the setting of secret shared key exchange mechanisms (SSKEM). In this scenario there is not one party \(A\) holding the secret key, but it has been shared among a set of shareholders according to a secret sharing scheme \(\mathcal S\) with access structure \(\Gamma\). We consider an adversary \(\adv\), that can corrupt any unauthorised set of shareholders \(S\not\in\Gamma\). Thus \(\adv\) gains knowledge of several shares of the secret key and is thus strictly more powerful than in the traditional KEM setting. In the case of the \(\indcca\) game, the decapsulation oracle becomes an interactive \(\ppt\) machine. That is, upon being queried by \(\adv\) to execute the decapsulation protocol upon an input \(c\), \(\mathcal O_\text{Decaps}\) requires the adversary \(\adv\) to contribute.
-
-The advantage of an adversary \(\adv\) against the \(\mathsf{Exp}^\indcpa_{\sskem, \mathcal S, \adv}\paren*{\lambda}\) or \(\mathsf{Exp}^\indcca_{\sskem,\mathcal S,\adv}\paren*\lambda\) game, respectively, in \autoref{fig:sskemgame} is defined as follows.
-\begin{defin}
-	An adversary \(\adv\)'s advantage against a game \(\mathsf{Exp}^\text{type}_{\sskem, \cdot}\paren* \lambda\), where \(\text{type} \in \set{\indcpa, \indcca}\), is defined as 
-	\[\advantage{\text{type}}{\mathsf{SSKEM},\adv}[\paren*\lambda] = \abs{\frac 12 - \prob{\mathsf{Exp}^\text{type}_{\mathsf{SSKEM},\adv} \paren*\lambda= \true} }.\]
-	\label{def:advtkemgame}
-\end{defin}
-
-\begin{figure*}
-\begin{center}\begin{tabular}{c|c c}
-	\procedure[space = auto]{$\mathsf{Exp}^\text{indcpa}_{\sskem,\mathcal S ,\adv}\paren* \lambda$}{
-		b \sample \bin\\
-		\left(\pk,\set{s_1,\ldots, s_n}\right)\gets \mathsf{KeyGen}\paren*{\lambda}\\
-		%\left(s_1, \ldots, s_n\right) \gets \mathcal S.\share\paren*\pk\\
-		S\gets \adv \paren*{ \mathcal S}\\
-		\left(c^\ast, K_0^\ast\right) \gets\mathsf{Encaps}\paren* \pk\\
-		K_1^\ast \sample \mathcal K\\
-		\pcif S \in \Gamma\\
-		\pcreturn \false\\
-		\pcelse\\
-		b' \gets \adv\paren*{\pk, c^\ast, K_b^\ast, \set{s_i}_{P_i \in S}}\\
-		\pcfi\\
-		\pcreturn \left(b = b'\right)
-	}&
-	\procedure[space = auto]{$\mathsf{Exp}^\text{indcca}_{\sskem,\mathcal S, \adv}\paren* \lambda$}{
-		b \sample \bin\\
-		\left(\pk,\set{s_1, \ldots, s_n}\right)\gets \mathsf{KeyGen}\paren*{\lambda}\\
-		%\left(s_1, \ldots, s_n\right) \gets \mathcal S.\share\paren*\pk\\
-		S\gets \adv \paren*{\mathcal S}\\
-		\left(c^\ast, K_0^\ast\right) \gets\mathsf{Encaps}\paren* \pk\\
-		K_1^\ast \sample \mathcal K\\
-		\pcif S \in \Gamma\\
-		\pcreturn \false\\
-		\pcelse\\
-		b' \gets \adv^{\mathcal O_\mathsf{Decaps}}\paren*{\pk, c^\ast, K_b^\ast, \set{s_i}_{P_i \in S}}\\
-		\pcfi\\
-		\pcreturn \left(b = b'\right)
-	}&
-	\procedure[space = auto]{$\mathcal O_\text{Decaps} \paren*{c}$}{
-		\pcif c = c^\ast\\
-		\pcreturn \bot\\
-		\pcelse \\
-		\pcreturn \mathsf{Decaps}\paren*{\sk,c}\\
-		\pccomment{different runs for simulated vs. real execution?}
-	}
-	\end{tabular}
-	\end{center}
-
-	\caption{\(\indcpa\) and \(\indcca\) security game for secret shared key exchange mechanism \(\mathsf{SSKEM} = \left(\mathsf{KeyGen, Encaps, Decaps}\right)\)}
-	\label{fig:sskemgame}
-\end{figure*}
-
-\begin{thm}
-	If there exists an adversary \(\adv\) so that \(\advantage{\indcpa}{\sskem, \adv}[\paren* \lambda]\) is non-negligible, then there also exists an adversary \(\bdv\) for which \(\advantage{p-ddha}{\left(\mathcal E,\mathcal G\right), \bdv}[\paren* \lambda]\) is non-negligible.
-	\label{thm:pddhareducesskem}
-\end{thm}
-
-\begin{proof}
-	We prove \autoref{thm:pddhareducesskem} by giving a reduction, that is we provide an adversarial algorithm \(\bdv\) that simulates an execution of \(\mathsf{Exp}^\indcpa_{\sskem, \mathcal S, \adv}\paren*\lambda\) to the adversary \(\adv\). \(\bdv\) then uses \(\adv\)'s answer to break an instance of \(\mathsf{Exp}^{p-ddha}_{\left(\mathcal E, \mathcal G\right),\bdv}\paren*\lambda\).
-	\todo{or \(\indcca\)?}
-
-	\(\bdv\) is handed an instance \(\left(a,E,s\ast E,F\right)\) of \(\mathsf{Exp}^\text{P-DDHA}_{\left(\mathcal E,\mathcal G\right), \bdv}\). \(\bdv\) now has to simulate an instance of \(\mathsf{Exp}^\indcpa_{\sskem,\mathcal S, \adv}\) to \(\adv\). \(\bdv\) picks an instance \(\mathcal S\) of a secret sharing scheme compatible to the HHS \(\left(\mathcal E, \mathcal G\right)\). \(\bdv\) then generates a public/ secret key pair \(\left(E_s, \set{s_1, \ldots, s_n}\right)\) from the arising secret shared key exchange mechanism \(\sskem\). \(\bdv\) then hands a description of \(\mathcal S\) to \(\adv\), who answers with a set of shareholders \(S\) he wishes to corrupt. If \(\adv\) returned an authorised set, \(\bdv\) stops. Otherwise \(\bdv\) hands the challenge \(\left(E_s, E,F,\set{s_i}_{P_i \in S}\right)\) to \(\adv\). Eventually, \(\adv\) answers with a bit \(b'\). \(\bdv\) adopts this \(b'\) as his answer.
-
-	\todo{correctly estimate advantages}
-\end{proof}
-
-%We construct an adversary \(\bdv\) against the Power DDHA game in \autoref{fig:gamepddha}, that simulates an instance of \(\mathsf{Exp}^\indcpa_{\sskem, \mathcal S, \cdot}\paren*\lambda\) to an adversary \(\adv\) (\textcolor{red}{oder \(\indcca\)?}) to break the Power DDHA problem.
-
-\begin{bem}[\(\indcca\) case]
-To reduce \(\mathsf{Exp}^\text{P-DDHA}_{\left(\mathcal E,\mathcal G\right), \bdv}\) to an instance of \(\mathsf{Exp}^\indcca_{\mathsf{TKEM},\mathcal S, \adv}\), \(\bdv\) acts exactly as he does in the \(\indcpa\) case. It remains to discuss how  \(\bdv\) answer a query from \(\adv\) to the decapsulation oracle \(\mathcal O_\text{Decaps}\). Upon \(\adv\) putting a query \(c\) to the decapsulation oracle, \(\bdv\) checks, whether \(c\) agrees with the challenge \(c^\ast\), that \(\bdv\) handed \(\adv\) previously. If so, \(\bdv\) returns \(\bot\) to \(\adv\). Otherwise, \(\bdv\) chooses an authorised set of shareholders \(S'\) and executes the decapsulation algorithm presented in \autoref{fig:sskem} and returns the result to \(\adv\).
-\end{bem}
-
-\begin{prop}
-	For a hard homogeneous space \(\left(\mathcal E, \mathcal G\right)\) with \(\# G = \prod p_i^{l_i}\), where \(p_1 > p_2 > \ldots > p_n\) are prime, and \(g \in G\) with \(\# g  = p_1\), consider the two distributions
-	\[\mathsf{Dist}_0 := \set{\left(E,E'\right): E \sample \mathcal E, E' = g^s \ast E, s \sample \left[1, p_1 -1\right]}\]
-	and
-	\[\mathsf{Dist}_1 := \set{\left(E,E'\right): E \sample \mathcal E, E' = \mathfrak s^a \ast E, \mathfrak s \sample G, a \sample \left[1, \# \mathcal G\right]}.\]
-	Assuming the hardness of GAIP in \(\left(\mathcal E, \mathcal G\right)\), \(\mathsf{Dist}_1\) and \(\mathsf{Dist}_2\) are indistinguishable.
-\end{prop}
-\begin{proof}
-	Let \(\adv'\) be an adversary that distinguishes \(\mathsf{Dist}_0\) from \(\mathsf{Dist}_1\) with non-negligible advantage. We construct an adversary \(\adv\) against GAIP that uses \(\adv'\) to gain non-negligible advantage. Given a challenge \(\left(E,E'\right)\), \(\adv\) checks whether \(E=E'\). If that is the case, \(\adv\) answers with \(1\in \mathcal G\). Otherwise, \(\adv\) passes \(\left(E,E'\right)\) to \(\adv'\). There are two cases to consider.
-
-	If \(\adv'\) answers, that \(\left(E,E'\right)\) is from \(\mathsf{Dist}_0\), that is  there exists a \(g' \in \mathcal G_1 := \left<g\right>\) so that \(E' = g' \ast E\), then \(\adv\) picks a random generator \(g\) of \(\mathcal G_1\) and answers with \(s'\gets g\).
-
-	If, on the other hand, \(\adv'\) answers  that \(\left(E,E'\right)\) stems from \(\mathsf{Dist}_1\), then \(\adv\) picks a random \(\mathfrak s \in \mathcal G\setminus \mathcal G_1\) as well as \(a \sample \left[2, \# \mathcal G\right]\) and returns \(s'\gets\mathfrak s ^ a\).
-
-	It remains to show, that \(\adv\) has non-negligible advantage, that is the probability for \(\adv\) to return an \(s' \in \mathcal G\) with \(E' = s'\ast E\) is non-negligible.
-	\begin{align*}
-		&\prob{s' \gets \adv : E' = s'\ast E} \\
-		= & \prob{b=0}\prob{\adv' : \left(E,E'\right) \in \mathsf{Dist}_0} \frac 1 {\#\mathcal G_1}+ \prob{b=1}\prob{\adv' : \left(E,E'\right) \in \mathsf{Dist}_1}\frac 1{\# \left(\mathcal G \setminus \mathcal G_1\right)}\\
-		=& \frac 12 \prob{\adv' : \left(E,E'\right) \in \mathsf{Dist}_0} \frac {\#\mathcal G - \#\mathcal G_1} {\#\left(\mathcal G\setminus \mathcal G_1\right)\#\mathcal G_1} + \frac 12 \prob{\adv' : \left(E,E'\right) \in \mathsf{Dist}_1} \frac {\# \mathcal G_1} {\#\left(\mathcal G \setminus \mathcal G_1\right)\#\mathcal G_1}\\
-		=& \frac 12 \left(\left(\prob{\adv' : \left(E,E'\right)\in \mathsf{Dist}_0} + \prob{\adv':\left(E,E'\right) \in \mathsf{Dist_1}}\right)\frac{\#\mathcal G_1}{\#\left(\mathcal G\setminus \mathcal G_1\right)\#\mathcal G_1}\right) \\
-		&+ \frac 12 \prob{\adv':\left(E,E'\right) \in \mathsf{Dist}_0} \frac{\#\mathcal G - 2 \mathcal G_1}{\#\left(\mathcal G\setminus\mathcal G_1\right)\#\mathcal G_1}\\
-		=& \frac 12 \frac 1{\#\left(\mathcal G\setminus\mathcal G_1\right)} + \frac 12 \prob{\adv':\left(E,E'\right) \in \mathsf{Dist}_0} \frac{\#\mathcal G - 2 \mathcal G_1}{\#\left(\mathcal G\setminus\mathcal G_1\right)\#\mathcal G_1}\\
-	\end{align*}
-	\todo{breaks this down to non-negligible probability}
-\end{proof}
-
-It remains to prove, that the output of \(\mathsf{Sim}_\text{Decaps}\) upon input \(\left(\set{s_i}_{P_i \in S^\ast}, E_b, E^\ast\right)\) is indistinguishable from a real transcript of \(\text{Decaps}\paren*{E_b,S}\), where \(S^\ast \subset S \in \Gamma\). We show, that this indeeds holds under the assumption that Power DDHA is hard in \(\left(\mathcal E,\mathcal G\right)\).
-
-\begin{thm}
-	For any unauthorised set of shareholders \(S^\ast\) and authorised set \(S = \set{P_1,\ldots, P_n} \supset S^\ast\), any \(E_b \in \mathcal E\) and any \(E^\ast = \sskem.\text{Decaps}\paren*{E_b}\), the transcript \(\left(E_b, E_1, \ldots, E_{n-1}, E^\ast\right)\) is indistinguishable from \(\mathsf{Sim}_\text{Decaps}\paren*{\set{s_i}_{P_i \in S^\ast}, E_b, E^\ast}\) under the assumption, that Power DDHA is hard in \(\left(\mathcal E,\mathcal G\right)\).
-\label{thm.simuldecaps}\end{thm}
-
-\begin{proof}
-	We prove \autoref{thm.simuldecaps} via reduction. For that matter we provide an adversary \(\bdv\) against \(\mathsf{Exp}_{\left(\mathcal E, \mathcal G\right), \bdv}^{P-DDHA}\) that plays an instance of \(\mathsf{Exp}^\text{Decaps-Transcript}_{\left(\mathcal E,\mathcal G\right),\adv }\paren*{\lambda}\) an adversary \(\adv\) to gain non negligible advantage.
-
-	\(\bdv\) gets handed a tuple \(\left(a,E,\mathfrak s\ast E, F\right)\), and \(\bdv\) has to decide whether \(F =\mathfrak s^a \ast E\) or \(F\) was drawn uniformly at random from \(\mathcal E\). \(\bdv\) now has to provide an instance \(\) to \(\adv\)
-
-	A sketch of said adversary reduction can be found in \autoref{fig.pddhatotranscript}.
-\end{proof}
-
-\begin{figure}
-	\procedure[linenumbering, space = auto]{$\mathsf{Exp}^\text{Decaps-Transcript}_{\left(\mathcal E,\mathcal G\right),\adv }\paren*{\lambda}$}{
-		b \sample \bin\\
-		g \sample \mathcal G ~\text{with}~ \mathsf{ord} g = q\\
-		E^0 \sample \mathcal E \pccomment{sample random decapsulation input}\\
-		S\sample \Gamma \pccomment{sample authorised set of shareholders}\\
-		S^\ast \sample 2^S \setminus \Gamma \pccomment{pick an unauthorised subset of \(S\)}\\
-		%\left(h_1, \ldots, h_{\#S}\right) \sample \bin^{\#S}\setminus\left\{\left(0,\ldots, 0\right)\right\} \\
-		s \sample \Z_q \pccomment{generate a random secret}\\ 
-		\left(s_1, \ldots, s_{\#S}\right) \gets \mathcal S.\share\paren* s\pccomment{and share it}\\
-		\pcfor j = 1 ,\ldots, \#S\\
-		\pcif b = 0 \\
-		E^j \gets \left[ g^{\mathsf{input}_j \paren*{s_j, S}}\right] E^{j-1}\\
-		\pcelseif b=1 \wedge P_j \in S^\ast	\\
-		E^j \sample \mathcal E\\
-		\pcfi\\
-		b' \gets \adv\paren*{\left(E^0, E^1, \ldots, E^{\#S}\right)}\\
-		\pcreturn (b=b')
-	}
-	\caption{The distinguishing experiment for decapsulation transcripts}
-	\label{fig:gametranscript}
-\end{figure}
-
-%Picture of the distinguishers against Algorithm 1
-\end{comment}
 
diff --git a/PKC/preamble.tex b/PKC/preamble.tex
index 2015061..c499da4 100644
--- a/PKC/preamble.tex
+++ b/PKC/preamble.tex
@@ -58,6 +58,8 @@
   urlcolor=red,
   citecolor=blue,
 }
+\providecommand\algoref[1]{\hyperref[#1]{Algorithm \ref{#1}}}
+\providecommand\secref[1]{\hyperref[#1]{Section \ref{#1}}}
 
 \newtheoremstyle{Satz}
   {\topsep}
@@ -114,9 +116,6 @@
 
 \DeclarePairedDelimiter{\paren}{\lparen}{\rparen}
 \DeclarePairedDelimiter{\bracket}{[}{]}
-%\DeclarePairedDelimiter{\abs}{\lvert}{\rvert}
-%\DeclarePairedDelimiter{\set}{\{}{\}}
-%\newcommand\norm[1]{\left\lVert #1 \right\rVert}
 
 %opening
 %\KOMAoptions{toc=bibliography}
diff --git a/PKC/preliminaries.tex b/PKC/preliminaries.tex
index f5d34d9..8059a1e 100644
--- a/PKC/preliminaries.tex
+++ b/PKC/preliminaries.tex
@@ -129,7 +129,7 @@ The intuitive decisional continuation of this problem is as follows.
 
 
 \subsection{Threshold Group Action}
-Assume, that a secret \(s\) has been shared in a Shamir secret sharing instance, thus each shareholder \(P_i\) holds a share \(s_i \) of \(s\), \(i=1,\ldots, n\). Let \(E\) be an arbitrary but fixed element of \(\mathcal E\). The action \(E' \gets \left[s\right] E\) can be computed by any authorised set \(S'\) without reconstructing \(s\) by executing  the protocol given in \autoref{fig.tga}.
+Assume, that a secret \(s\) has been shared in a Shamir secret sharing instance, thus each shareholder \(P_i\) holds a share \(s_i \) of \(s\), \(i=1,\ldots, n\). Let \(E\) be an arbitrary but fixed element of \(\mathcal E\). The action \(E' \gets \left[s\right] E\) can be computed by any authorised set \(S'\) without reconstructing \(s\) by executing  the protocol given in \algoref{fig.tga}.
 %\begin{center}
 % \begin{figure}
 % 	\procedure[space = auto, linenumbering]{Threshold Group Action}{
@@ -177,7 +177,7 @@ Assume, that a secret \(s\) has been shared in a Shamir secret sharing instance,
 \end{algorithm}
 
 %\end{center}
-If \autoref{fig.tga} is executed without aborting, we have by the compatibility property of \(\ast\) and the repeated application of 
+If \algoref{fig.tga} is executed without aborting, we have by the compatibility property of \(\ast\) and the repeated application of 
 \[E^k \gets \left[L_{i,S'} s_i\right]E^{k-1}\]
 the result 
 \[E^{\# S'} = \left[\sum_{P_i \in S'} L_{i,S'} s_i \right] E = \left[ s\right] E.\]
@@ -187,7 +187,7 @@ A piecewise verifiable proof (PVP) is a cryptographic primitive in the context o
 \begin{equation}
 	\left(\left(E_0,E_1\right), s_1, \ldots, s_n\right),
 \label{eq.pvprelation}\end{equation}
-where \(E_1 = \left[s_0\right] E_0 \in \mathcal E\) and \(s_i = f\paren* i\) for  \(i = 0, \ldots, n\). A PVP provides two protocol. The proving protocol \(\mathsf{PVP}.P\) takes a statement \(x\) of the form \eqref{eq.pvprelation} and a witness \(f\) as input and outputs a proof \(\left(\pi,\set{\pi_i}_{i=0,\ldots, n}\right)\), where \(\left(\pi,\pi_i\right)\) is a proof piece for the partial statement \(x_i\), \(i = 0,\ldots, n\). The verifying protocol \(\mathsf{PVP}.V\) takes an index \(i \in \set{0,\ldots, n}\), a statement piece \(x_i\) and a proof piece \(\left(\pi,\pi_i\right)\) as input and outputs \(\true\) or \(\false\). 
+where \(E_1 = \left[s_0\right] E_0 \in \mathcal E\) and \(s_i = f\paren* i\) for  \(i = 0, \ldots, n\). A PVP provides two protocols. The proving protocol \(\mathsf{PVP}.P\) takes a statement \(x\) of the form \eqref{eq.pvprelation} and a witness \(f\) as input and outputs a proof \(\left(\pi,\set{\pi_i}_{i=0,\ldots, n}\right)\), where \(\left(\pi,\pi_i\right)\) is a proof piece for the partial statement \(x_i\), \(i = 0,\ldots, n\). The verifying protocol \(\mathsf{PVP}.V\) takes an index \(i \in \set{0,\ldots, n}\), a statement piece \(x_i\) and a proof piece \(\left(\pi,\pi_i\right)\) as input and outputs \(\true\) or \(\false\). 
 
 Let \(\mathcal R\) denote the set of all tuples \(\set{\left(x,f\right)}\), where \(f\) is a witness for the statement \(x\). Furthermore, for \(I\subset\set{0,\ldots,n}\), we let \(\mathcal R_I\) denote the set of partial relations \(\set{\left(x_I,f\right)}\), where there exists \(\left(x,f\right) \in \mathcal R\) so that \(x\vert_I = x_I\).
 
@@ -235,7 +235,7 @@ for \(i = 1, \ldots, m\) and \(j = 1, \ldots, \lambda\). He then derives challen
 
 The verification protocol is straight forward: for a statement \(\left(E_i,E'_i\right)_{i=1,\ldots,m}\) and a proof \(\pi = \left(c_1,\ldots, c_\lambda, r_1,\ldots, r_\lambda\right)\), the verifier computes \(\tilde E_{i,j}\gets \left[r_j\right] E_i\) if \(c_j = 0\) and \(\tilde E_{i,j} \gets \left[r_j\right] E'_i\) otherwise, for \(i = 1, \ldots, m\) and \( j = 1, \ldots, \lambda\). Then he generates verification bits \(\left(\tilde c_1 ,\ldots \tilde c_\lambda\right) \gets \mathcal H\paren*{E_1, E_1' , \ldots, E_m, E_m', \tilde E_{1,1} \ldots, \tilde E_{m,\lambda}}\) and accepts the proof if \(\left(c_1,\ldots, c_\lambda\right) = \left(\tilde c_1, \ldots, \tilde c_\lambda\right)\).
 
-A sketch of the proving and verifying protocols can be found in \autoref{fig.zkp} and \autoref{fig.zkv}, respectively.
+A sketch of the proving and verifying protocols can be found in \algoref{fig.zkp} and \algoref{fig.zkv}, respectively.
 
 \begin{algorithm}
 	\DontPrintSemicolon
@@ -285,7 +285,7 @@ We again refer to \cite{EPRINT:BDPV20} for the proof of the presented algorithms
 \subsection{The Adversary}
 	We consider a static and active adversary. At the beginning of a protocol execution, the adversary corrupts a set of shareholders. The adversary is able to see their inputs and control their outputs. The set of corrupted shareholders cannot be changed throughout the execution of the protocol.
 
-	The adversary's aim is two-fold. On the one hand it wants to obtain information on the uncorrupted parties' inputs, on the other hand it wants to falsify the output of the execution of our protocol without being detected.
+	The adversary's aim is two-fold. On the one hand it wants to obtain information on the uncorrupted parties' inputs, on the other hand it wants to manipulate the execution of our protocol to return an incorrect output without detection.
 	
 \subsection{Communication channels}
 Both our schemes assume the existence of a trusted dealer in addition to the shareholders engaged in a secret sharing instance.
diff --git a/PKC/reviews b/PKC/reviews
new file mode 100644
index 0000000..1060811
--- /dev/null
+++ b/PKC/reviews
@@ -0,0 +1,80 @@
+----------------------- REVIEW 1 ---------------------
+SUBMISSION: 2
+TITLE: On Actively Secure Fine-grained Access Structures from Isogeny Assumptions
+AUTHORS: Philipp Muth and Fabio Campos
+
+----------- Overall evaluation -----------
+SCORE: 1 (weak accept)
+----- TEXT:
+The paper is about threshold isogeny-based cryptography, in particular threshold decryption/decapsulation. Public key is pk=[s]E_0, ciphertext is C=[b]E_0. Decapsulation is to compute [s]C.
+
+In the threshold setting player i has share s_i such that s = \sum_{i in S} L_{i,S}*s_i. So for decap player i needs to compute [L_{i,S}*s_i]*C.
+
+De Feo and Meyer [11] showed a general approach to get threshold CSIDH-KEM and CSI-FiSh signatures. Their protocols are only passively secure. The basic operation in these schemes is to compute [s]*E where s is Shamir-secret-shared among the players. Beullens, Disson, Pedersen and Vercauteren [2] showed how to make this basic operation [s]*E actively secure. Why is it not immediate that [2]+[11] provides secure threshold KEM and signature? Page 8 of the paper seems to explain what is the problem ("This approach does not agree with the threshold group action, for which a shareholder P_i's output in the round-robin approach is E_k = [L_{i,S}s_i]E_{k-1} rather than E_k = [s_i]E_{k-1}"), but I am not sure quite why this is not solved in [2], since they also use polynomial secret sharing.
+
+The paper claims four original contributions:
+1. transfer the active security measures outlined in [2] from their setting of full engagement protocols to a setting of threshold secret sharing.
+2. apply the adapted active security measures to propose an actively secure key exchange mechanism with secret shared secret key. 
+3. present an actively secure signature scheme by applying a Fiat-Shamir transform to our key exchange mechanism. 
+4. expand our key encapsulation mechanism and our signature scheme to a wider ﬁeld of secret sharing schemes.
+
+Contributions 1 and 2 seem to me to be fairly straightforward combinations of [2] and [11], but I might be missing something. Item 3 is strangely worded. As far as I can see you do not "apply Fiat-Shamir to your key exchange mechanism". Your signature is threshold CSI-FiSh, as in [11]. Again seems to be just [2]+[11. Finally contribution 4 is essentially trivial: to note that the PVP in [2] can also be used with Tassa's approach.
+
+One change to the protocol is the requirement that decapsulation is executed by superauthorised sets S^*. Hence t+1 players are requred to get active security, when t players would be enough to decapsulate with passive security.
+
+The paper does not do a good job of giving the reader intuition for the two-level sharing s_{ij} and the role that it plays in PVP.V (Algorithm 9). If I understand right, since for decap player i needs to compute [L_{i,S}*s_i]*C we need to show correctness of [L_{i,S}*s_i]E rather than [s_i]E as in other works. This is done quite easily, since L_{i,S} is a public constant, by sharing s_i as s_{ij}, from which L_{i,S}*s_{ij} are shares of L_{i,S}*s_i. In my opinion, introducing f_i to share s_i and then defining f_i' = L_{i,S}*f_i is unnecessarily complicated and it would have been simpler to just share L_{i,S}*s_i as s_{ij}. 
+
+Indeed, this seems to lead to typos. On page 10 you say the \pi^k_j come from PVP(f_i,S^*,(R_k,R_k'), s_{ij} ), where R_k' = [L_{i,S'}*s_i]R_k = [f_i'(0)]R_k. But I feel it should be PVP(f_i',S^*,(R_k,R_k'),L_{i,S'}*s_{ij}). It seems to be correct in the security proof on page 13 (step 1).
+
+The key idea, if I understand right, is that player j gets s_{kj} for all users k, and is thus able to check the commitments in the j-th proof component \pi^k_j. This is somewhat buried in the details (eg Algorithm 9 in the Appendix).
+
+Overall, the paper seems ok. But there is room for improvement in the writing. Please try to fix the structure of the paper to make it more clear. Perhaps after a few weeks away from the paper you will be able to see how some parts are confusing and can be improved. If not, please ask your friends and colleagues for their advice.
+
+Some comments on the English:
+
+- You use the word "falsify" for cheating behavior (e.g., on page 6 and 7 "falsify the output without being detected"). Is this standard terminology? I am not familiar with it, and the meaning is not obvious. I guess "falsify" means "make the output wrong". Also, as you discuss on page 15, "detected" is weaker than you want. You want the cheater to be *identified*.
+
+- You sometimes use too many commas. For example commas are not needed in "We show, that an adversary", "call a key exchange mechanism simulatable, if, for any", "This series is inspired by the simulators, that [2] gave"
+
+
+
+----------------------- REVIEW 2 ---------------------
+SUBMISSION: 2
+TITLE: On Actively Secure Fine-grained Access Structures from Isogeny Assumptions
+AUTHORS: Philipp Muth and Fabio Campos
+
+----------- Overall evaluation -----------
+SCORE: 2 (accept)
+----- TEXT:
+This article describes isogeny-based key exchange and signature schemes based on Shamir's secret sharing scheme, adapted to cyclic group actions in Couveignes' HHS framework.  CSIDH, a post-quantum group-action candidate, is the obvious and targeted instantiation.
+
+In fact, the setting is closer to that of CSI-FiSh than pure CSIDH: we need an element of the class group of large prime order, which strongly suggests that we need the factorization of the class group order.  This is known for CSIDH-512, but (as the authors rightly note) the true security level of CSIDH-512 is in question.  However, computing class group orders for CSIDH is a subexponential algorithm, and the computation for CSIDH-512 already represents a world record in that area.  It is not clear to me that we will ever be able to compute class group orders for the larger CSIDH parameters that will be required for better security: if we have to move to 1024-bit field primes, for example, then we have no chance of computing the class group.
+
+We are therefore in the domain of cryptosystems that may never be securely realised, which is a massive caveat.
+
+Setting this issue to one side, given a choice of element g of order p, where p is a large prime dividing the group order, we get an action of ZZ/pZZ on the HS defined by (n,E) -> g^n * E .  Now Shamir's secret sharing can be done on the integer multipliers, because the action is additively homomorphic.  This was done by De Feo and Meyer, but they only achieved security against passive adversaries; the real contribution of this work is to define similar schemes secure against active attacks.
+
+The schemes in question are
+- a KEM whose private key is shared among a set of shareholders, and can be reconstructed by authorised subsets of users to decapsulate;
+- a signature scheme with a shared secret signing key.  (Active security in this context means that cheating shareholders can be identified and excluded from future signings.)
+
+The article also discusses some (im)possible generalizations.  Briefly: the results extend nicely from Shamir to Tassa's hierarchical access structures; but they do not extend to Damgard and Thorbek's even more general secret sharing.
+
+I found this article clearly and logically set out, and very easy to read (for what is mostly provable security), though I lack expertise with these kinds of proofs and could not confidently verify them in full detail.  The results are practical insofar as CSIDH-512 is acceptable, but unfortunately the above caveat applies.  In any case, they are a good advertisement for the sorts of advanced cryptographic constructions that can be easily achieved within the group-action framework for post-quantum security.  It should be interesting, and accessible, to a large part of the PQCrypto audience.
+
+
+
+----------------------- REVIEW 3 ---------------------
+SUBMISSION: 2
+TITLE: On Actively Secure Fine-grained Access Structures from Isogeny Assumptions
+AUTHORS: Philipp Muth and Fabio Campos
+
+----------- Overall evaluation -----------
+SCORE: 1 (weak accept)
+----- TEXT:
+This paper proposes a threshold secret sharing scheme for CSIDH key exchange and then extends this construction to arbitrary access structures as well as signature schemes providing active security. The result improves upon previous results, which did not achieve this particular combination -- prior schemes either did not support arbitrary access structures, or did not achieve active security (in the sense of being able to identify cheating shareholders in real time).
+
+The corresponding results for regular discrete logarithm cryptography are already known. The main contribution here is transporting those results from the setting of discrete logarithms to that of hard homogeneous spaces. It is not so surprising to me that the authors managed to accomplish this task -- intuitively if you can treat and represent CSIDH-512 as a cyclic group action then the modifications to convert (say) a threshold access structure to this setting seem very natural. Furthermore there is currently no realizable instantiation of cyclic HHSs other than CSIDH-512, which as the paper points out has weak post-quantum security, although when quantum computers become available we will be able to pre-compute the data needed for larger parameters. The generalizations to other secret sharing schemes is a nice addition, but still I feel the result just seems weak compared to other submissions.
+
+
+
diff --git a/PKC/signatures.tex b/PKC/signatures.tex
index 5e8b624..307ae58 100644
--- a/PKC/signatures.tex
+++ b/PKC/signatures.tex
@@ -1,8 +1,8 @@
 \section{Actively Secure Secret Shared Signature Protocols}\label{sec.signatures}
 
-We convert the key exchange mechanism in \autoref{fig.keygen}, \autoref{fig.encaps} and \autoref{fig.decaps} into an actively secure signature scheme with secret shared signing key. We concede, that applying active security measures to a signature scheme to ensure the correctness of the resulting signature is counter-intuitive, since the correctness of a signature can easily be checked through the verifying protocol. Yet verification returning \(\false\) only shows that the signature is incorrect, a misbehaving shareholder cannot be identified this way. An actively secure signature scheme achieves just that. An identified cheating shareholder can hence be excluded from future runs of the signing protocol.
+We convert the key exchange mechanism in \algoref{fig.keygen}, \algoref{fig.encaps} and \algoref{fig.decaps} into an actively secure signature scheme with secret shared signing key. We concede, that applying active security measures to a signature scheme to ensure the correctness of the resulting signature is counter-intuitive, since the correctness of a signature can easily be checked through the verifying protocol. Yet verification returning \(\false\) only shows that the signature is incorrect, a misbehaving shareholder cannot be identified this way. An actively secure signature scheme achieves just that. An identified cheating shareholder can hence be excluded from future runs of the signing protocol.
 
-A signature scheme consists of three protocols: key generation, signing and verifying. We transfer the unmodified key generation protocol from the KEM in \autoref{sec.kem} to our signature scheme. The signing protocol is derived from the decapsulation protocol (\autoref{fig.decaps}) by applying the Fiat-Shamir-transformation, the verifying protocol follows straightforward. The protocols are given in \autoref{fig.sign} and \autoref{fig.ver}.
+A signature scheme consists of three protocols: key generation, signing and verifying. We transfer the unmodified key generation protocol from the KEM in \secref{sec.kem} to our signature scheme. The signing protocol is derived from the decapsulation protocol (\algoref{fig.decaps}) by applying the Fiat-Shamir-transformation, the verifying protocol follows straightforward. The protocols are given in \algoref{fig.sign} and \algoref{fig.ver}.
 
 %Active security in our signing protocol is achieved by applying the Fiat-Shamir-transfer to the decapsulation protocol presented above. This gives us a signing protocol, in which each engaged shareholder outputs messages exactly once, making the protocol very efficient.
 % \begin{figure}
@@ -137,7 +137,7 @@ A signature scheme consists of three protocols: key generation, signing and veri
     \label{fig.ver}
 \end{algorithm}
 \begin{comment}
-A signature scheme consists of three protocols for key generation, signing and verifying, respectively. We transfer the unmodified key generation protocol from the KEM in \autoref{sec.kem} to our signature scheme. The signing and verifying protocols are given in \autoref{fig.sign} and \autoref{fig.ver}, respectively. 
+A signature scheme consists of three protocols for key generation, signing and verifying, respectively. We transfer the unmodified key generation protocol from the KEM in \secref{sec.kem} to our signature scheme. The signing and verifying protocols are given in \algoref{fig.sign} and \algoref{fig.ver}, respectively. 
 
 Active security in our signing protocol is achieved by applying the Fiat-Shamir-transfer to the decapsulation protocol presented above. This gives us a signing protocol, in which each engaged shareholder outputs messages exactly once, making the protocol very efficient.
 
-- 
GitLab