@@ -128,7 +128,7 @@ where \(E_0\sample \mathcal E\), \(E_1 = \left[s_0\right] E_0\) and \(s_i = f\pa
...
@@ -128,7 +128,7 @@ where \(E_0\sample \mathcal E\), \(E_1 = \left[s_0\right] E_0\) and \(s_i = f\pa
This approach does not agree with the threshold group action, for which a shareholder \(P_i\)'s output in the round-robin approach is \(E^k \gets\left[L_{i,S'} s_i \right] E^{k-1}\) rather than \(E^k \gets\left[s_i\right]E^{k-1}\), where \(E^{k-1}\) denotes the previous shareholder's output. Futhermore, authorised sets need not contain all shareholders. \autoref{example.conflict} illustrates a further conflict with of the PVP with the threshold group action.
This approach does not agree with the threshold group action, for which a shareholder \(P_i\)'s output in the round-robin approach is \(E^k \gets\left[L_{i,S'} s_i \right] E^{k-1}\) rather than \(E^k \gets\left[s_i\right]E^{k-1}\), where \(E^{k-1}\) denotes the previous shareholder's output. Futhermore, authorised sets need not contain all shareholders. \autoref{example.conflict} illustrates a further conflict with of the PVP with the threshold group action.
%This does not fit the threshold group action, since, for an authorised set \(S'\), a shareholder \(P_i\)'s contribution to the round-robin approach is not \(E^k \gets \left[s_i\right]E^{k-1}\), where \(E^{k-1}\) denotes the previous shareholder's output, but \(E^k \gets \left[L_{i,S'} s_i \right] E^{k-1}\). Authorised sets also do not necessarily contain all shareholders \(\set{P_1, \ldots, P_n}\). The following example illustrates a further conflict with of the PVP with the threshold group action.
%This does not fit the threshold group action, since, for an authorised set \(S'\), a shareholder \(P_i\)'s contribution to the round-robin approach is not \(E^k \gets \left[s_i\right]E^{k-1}\), where \(E^{k-1}\) denotes the previous shareholder's output, but \(E^k \gets \left[L_{i,S'} s_i \right] E^{k-1}\). Authorised sets also do not necessarily contain all shareholders \(\set{P_1, \ldots, P_n}\). The following example illustrates a further conflict with of the PVP with the threshold group action.
\todo{kick or shorten to remark?}
%\todo{kick or shorten to remark?}
\begin{example}
\begin{example}
Let \(\sk\) be a secret key generated and shared by \(\mathsf{KeyGen}\). That is each shareholder \(P_i\) holds
Let \(\sk\) be a secret key generated and shared by \(\mathsf{KeyGen}\). That is each shareholder \(P_i\) holds
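Review bot: the paragraph directly above the commented-out \todo still contains two typos in its last two sentences: "Futhermore" should be "Furthermore", and "a further conflict with of the PVP" should be "a further conflict of the PVP". Since this change already touches the block, fix them here. The \todo{kick or shorten to remark?} is only commented out, so the source still does not record whether the example stays; decide and delete the line. The commented-out older paragraph above it repeats the live one and can be removed in the same pass.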
\todo{really publish $s_{ij}$? yes, no actual info is leaked}
%\todo{really publish $s_{ij}$? yes, no actual info is leaked}
If \eqref{eq.ver1} fails, \(P_j\) issues a complaint against \(P_i\). If \(P_i\) is convicted of cheating by more than \(\nicefrac{\# S^\ast}{2}\) shareholders, decapsulation is restarted with an \({S^\ast}'\in\Gamma^+\), so that \(P_i \not\in{S^\ast}'\).
If \eqref{eq.ver1} fails, \(P_j\) issues a complaint against \(P_i\). If \(P_i\) is convicted of cheating by more than \(\nicefrac{\# S^\ast}{2}\) shareholders, decapsulation is restarted with an \({S^\ast}'\in\Gamma^+\), so that \(P_i \not\in{S^\ast}'\).
If \eqref{eq.ver2} fails, the decapsulation is restarted outright with \({S^\ast}' \in\Gamma^+\), so that \(P_i \not\in{S^\ast}'\).
If \eqref{eq.ver2} fails, the decapsulation is restarted outright with \({S^\ast}' \in\Gamma^+\), so that \(P_i \not\in{S^\ast}'\).
%\item If \(\mathsf{ZK}.V\paren*{\left(R_k, R_k'\right), \left(E^{k-1},E^k\right),zk}\) fails to verify, decapsulation is restarted with a set \({S^\ast}'\in\Gamma^+\), where \(P_i\not\in{S^\ast}'\).
%\item If \(\mathsf{ZK}.V\paren*{\left(R_k, R_k'\right), \left(E^{k-1},E^k\right),zk}\) fails to verify, decapsulation is restarted with a set \({S^\ast}'\in\Gamma^+\), where \(P_i\not\in{S^\ast}'\).
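Review bot: commenting out \todo{really publish $s_{ij}$? yes, no actual info is leaked} leaves the answer to a security-relevant question only in a source comment, where readers of the compiled paper never see it. State in the text, at the point where \(s_{ij}\) is published, why publishing it leaks no information, then delete the todo instead of commenting it out. The commented-out \item with the \(\mathsf{ZK}.V\) check at the end of this region is also dead text next to the live \eqref{eq.ver2} sentence and should be dropped if it is superseded.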