Commit 3b1cdd90 authored by Philipp Muth's avatar Philipp Muth

slides until key exchange done

parent d02e79d7
......@@ -13,3 +13,68 @@
where \(E_1 = \left[f\paren* 0\right] E_0\) and \(s_i = f\paren* i\) for \(i=1,\ldots, n\).
\end{definition}
\end{frame}
\begin{frame}
\frametitle{Key Generation}
\begin{pchstack}[center]
\procedure[space = auto]{$\keygen\paren* S$}{
\sk \sample \ZZ_p\\
\pk \gets \left[\sk\right] E_0\\
\set{s_1,\ldots, s_n}\gets \SH.\share\paren* s\\
\pcfor i =1 ,\ldots, n\\
%\set{s_{i1,\ldots, s_{in}}} \gets \SH.\share\paren*{s_i}\\
f_i \sample \ZZ_p \left[X\right]_{\leq k-1}\colon f_i \paren 0 = s_i\\
\pcendfor\\
\text{publish } \pk\\
\pcfor i =1 ,\ldots, n\\
\text{send } \set{s_i ,f_i, \set{f_{j}\paren* i}_{j = 1,\ldots, n}} \text{ to } P_i\\
\pcendfor
}
\end{pchstack}
\end{frame}
\begin{frame}
\frametitle{Encapsulation}
\begin{pchstack}[center]
\procedure{$\encaps\paren*{\pk}$}{
b \sample \mathcal G\\
\key \gets b \ast \pk\\
c \gets b \ast E_0\\
\pcreturn \left(\key,c\right)
}
\end{pchstack}
\end{frame}
\begin{frame}[allowframebreaks]
\frametitle{A Shareholder \(P_i\)'s Turn in the Decapsulation Protocol}
Let \(S^\ast\) be a superauthorised set of shareholders executing the decapsulation protocol.
\begin{enumerate}
\item Ascertain \(E^{k-1} \in \mathcal E\), where \(E^{k-1}\) is previous shareholder's output.
\item Sample \(R_k \sample \mathcal E\), compute \(R_k'\gets \left[L_{i,S^\ast}s_i\right] R_k\).
\item Compute and publish
\begin{align*}
\left(\pi^k,\set{\pi^k_j}_{P_j\in S^\ast}\right) &\gets \mathsf{PVP}.P \paren*{i,f_i,S^\ast,\left(\left(R_k,R_k'\right), \left(f_i \paren j\right)_{P_j\in S^\ast}\right)},\\
E^k &\gets \left[L_{i,S^\ast}s_i\right] E^{k-1},\\
zk &\gets \mathsf{ZK}.P \paren*{\left(R_k,R_k'\right), \left(E^{k-1}, E^k\right), L_{i,S^\ast} s_i}.
\end{align*}
\item All other participants \(P_j \in S^\ast\) verify
\begin{align*}
\mathsf{PVP}.V&\paren*{i, j,S^\ast,f_i\paren j,\left(\pi^k,\pi^k_j\right)},\\
\mathsf{PVP}.V&\paren*{i,0,S^\ast,\left(R_k,R_k'\right),\left(\pi^k,\pi_0^k\right)},\\
\mathsf{ZK}.V&\paren*{\left(R_k,R_k'\right), \left(E^{k-1},E^k\right), zk}.
\end{align*}
\item If irregularities occur and more than half the participants convict \(P_i\), the protocol is started over without \(P_i\).
\item Decapsulation terminates with the last shareholder's output \(E^{\#S^\ast}\) as result.
\end{enumerate}
\end{frame}
\begin{frame}
\frametitle{Features of our Protocol}
\begin{itemize}
\item IND-CPA, i.e., the encapsulated key cannot be distinguished from the ciphertext, assuming the hardness of the GAIP
\item Simulatable (as was \cite{FeoM20})
\item Actively Secure, i.e., a misbehaving shareholder can be detected, if the PVP and ZK proof are sound
\end{itemize}
\end{frame}
\section{Motivation}
\begin{frame}
\begin{frame}[allowframebreaks]
\frametitle{Where are we?}
\begin{block}{Hard Homogeneous Spaces}
A hard homogeneous space \(\left(\mathcal E,\mathcal G\right)\) is
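Review bot: The bare `\begin{frame}` at the start of the Motivation section is immediately followed by `\begin{frame}[allowframebreaks]`, so one frame is opened inside another and never closed; beamer does not allow nested frames, so this will almost certainly stop compilation — drop the bare `\begin{frame}` line. In the key-generation procedure, `\SH.\share\paren* s` shares an undefined `s` while the secret sampled two lines earlier is `\sk`; it should read `\set{s_1,\ldots, s_n}\gets \SH.\share\paren* \sk` so the shares reconstruct the key that `\pk` is derived from. The IND-CPA bullet says the encapsulated key "cannot be distinguished from the ciphertext", which is not the notion being claimed: the key must be indistinguishable from a uniformly random key given the ciphertext, e.g. `IND-CPA, i.e., given the ciphertext, the encapsulated key cannot be distinguished from a random key, assuming the hardness of the GAIP`. The decapsulation steps refer to the previous shareholder's output \(E^{k-1}\) but never state the base case; if the first participant is meant to start from the ciphertext, a phrase such as `with \(E^0 = c\) for the first shareholder` would make the protocol description self-contained (and "previous shareholder's" wants the article "the"). The frame opened on the last lines of the hunk continues outside it.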
......@@ -11,7 +11,7 @@
\end{itemize}
\end{block}
\pause
%\pause
\begin{block}{Properties of \(\ast\)}
\begin{itemize}
\item Compatibility: \(\forall g,g' \in \mathcal G ~\forall E \in \mathcal E \colon g \ast \left(g'\ast E\right) = \left(g\odot g'\right) E\)
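Review bot: The Compatibility property on the last line of the hunk writes the right-hand side as `\left(g\odot g'\right) E`, dropping the group-action symbol that the left-hand side uses, so the equation mixes two notations for the same operation; it should read `g \ast \left(g'\ast E\right) = \left(g\odot g'\right) \ast E`. The Notation block in the following hunk writes the scalar set as `\Z_p` while the key-generation slide uses `\ZZ_p`; one macro should be used throughout. The `\pause`/`%\pause` pair cannot be assigned to a side from the rendered page, so I have not reviewed that change, and the enclosing block and itemize environments open outside the hunk.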
......@@ -19,6 +19,30 @@
\item Transitivity: \(\forall E,E'\in \mathcal E ~\exists ! g \in \mathcal G \colon g \ast E = E'\)
\end{itemize}
\end{block}
%\end{frame}
%\begin{frame}
\begin{block}{Notation}
For arbitrary \(E\in\mathcal E\), \(g\in\mathcal G\) with prime order \(p\vert \#\mathcal G\) and \(s \in \Z_p\), we denote
\[\left[s\right] E := g^s \ast E.\]
\end{block}
\begin{remark}
For \(s,s'\in \Z_p\) and \(E\in\mathcal E\), we have
\[[s] \left(\left[s'\right] E\right) = \left[s+s'\right] E.\]
\end{remark}
\begin{block}{The Group Action Inverse Problem}
Given two elements \(E,E' \in \mathcal E\), find \(g\in \mathcal G\) with
\[g\ast E = E'.\]
\end{block}
\end{frame}
\begin{frame}
\frametitle{Secret Sharing Schemes}
\begin{definition}[Superauthorises Sets]
\end{definition}
\end{frame}
\begin{frame}
......
......@@ -27,7 +27,7 @@
%\usepackage{algorithm}
%\usepackage{algpseudocode}
%\usepackage{algorithmicx}
\usepackage[advantage,adversary,keys,logic,mm,notions,operators,probability,sets]{cryptocode}
\usepackage[advantage,adversary,asymptotics,ff,keys,logic,mm,notions,operators,primitives,probability,sets]{cryptocode}
%\usepackage[top=3cm, bottom=3cm, left=3cm, right=3cm]{geometry}
\usepackage{verbatim}
......@@ -84,7 +84,7 @@
%\newtheorem{defin}[thm]{Definition}
%\newtheorem{thm+def}{Theorem and Definition}
%\newtheorem{exm}[thm]{Example}
%\newtheorem*{bem}{Remark}
\newtheorem*{remark}{Remark}
%\newtheorem{problem}{Problem}
\numberwithin{equation}{section}
......@@ -106,7 +106,7 @@
\DeclareMathOperator{\im}{Im}
%\DeclareMathOperator\pr{Pr}
%\renewcommand{\qedsymbol}{$\blacksquare$}
\DeclareMathOperator\SH{SH}
\DeclareMathOperator\SH{\mathcal S}
\DeclareMathOperator\shaho{sh}
\newcommand\add{\mathsf{Add}}
\newcommand\share{\mathsf{Share}}
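Review bot: `\DeclareMathOperator\SH{\mathcal S}` uses `\DeclareMathOperator` for something that is not an operator: the macro is meant for upright named operators like `Im` and gives its result `\mathop` spacing, whereas `\SH.\share` on the slides treats `\SH` as a calligraphic name; define it as `\newcommand*\SH{\mathcal S}` in the same way `\share` and `\add` are defined on the last two lines of the hunk. I am reading the `\mathcal S` line as the new side, since the rendered page does not mark which of the two `\SH` lines was removed. The `\newtheorem*{remark}{Remark}` line in the previous hunk is what the new Notation slide's `remark` environment relies on, so that pair is consistent.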
......