Commit 44928f27 authored by Philipp Muth's avatar Philipp Muth
minor

parent db1b18e2
......@@ -34,8 +34,8 @@ The secret sharing scheme also has to allow for a PVP scheme, that is compatible
\begin{itemize}
\item It is evident, that Shamir's approach fulfills all aforementioned requirements. In fact, the two-level sharing and the PVP have been tailored to Shamir's polynomial based secret sharing approach.
\item Tassa \cite{DBLP:conf/tcc/Tassa04} extended Shamir's approach of threshold secret sharing to a hierarchical access structure. To share a secret \(s\in\Z_p\) with prime \(p\), a polynomial \(f\) with constant term \(s\) is sampled. Shareholders of the top level of the hierarchy are assigned interpolation points of \(f\) as in Shamir's scheme. The \(k\)-th level of the hierarchy receives interpolation points of the \(k-1\)st derivative of \(f\). The shares of in Tassa's scheme are elements of \(\Z_p\) themselves.
The key generation (\algoref{fig.keygen}) must be adapted so that a shareholder receives a description of the polynomial utilised in sharing his share, instead of receiving the shares with which his share of the secret key was shared. Hence all derivatives utilised can easily be computed.
\item Tassa \cite{DBLP:conf/tcc/Tassa04} extended Shamir's approach of threshold secret sharing to a hierarchical access structure. To share a secret \(s\in\Z_p\) with prime \(p\), a polynomial \(f\) with constant term \(s\) is sampled. Shareholders of the top level of the hierarchy are assigned interpolation points of \(f\) as in Shamir's scheme. The \(k\)-th level of the hierarchy receives interpolation points of the \(k-1\)st derivative of \(f\). The shares in Tassa's scheme are elements of \(\Z_p\) themselves.
The key generation (\algoref{fig.keygen}) can easily be transferred to this setting, as each shareholder receives a description of the polynomial utilised in sharing his share. Hence all derivatives and their respective interpolation points can easily be computed.
%the shares The two-level sharing in the key generation protocol can be executed as given in \hyperref[fig.keygen]{Algorithm \ref{fig.keygen}}. For any shareholder, the polynomial, with which his share of the secret key was again shared, is handed to him. Thus all derivatives used in the sharing are known the respective shareholder.
Reconstructing a shared secret is achieved via Birkhoff interpolation, the execution of which is independent and self-contained.
The zero-knowledge proof (\algoref{fig.zkp} and \algoref{fig.zkv}) as well as the piecewise verifiable proof (\algoref{fig.tpvpp} and \algoref{fig.tpvpv}) thus directly transfer to Tassa's approach utilising the appropriate derivatives in the verifying protocols.
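Review bot: the rewritten key-generation sentence contradicts the one it replaces. The old text said \algoref{fig.keygen} must be adapted so that a shareholder receives a description of the polynomial used to share his share; the new text says key generation "can easily be transferred" because each shareholder receives that description. Only one can be true of the algorithm as written: if handing over the polynomial is an adaptation, keep it explicit ("is adapted so that ..."), otherwise point to where in \algoref{fig.keygen} it happens. Minor: the commented-out line beginning `%the shares The two-level sharing ...` restates this paragraph and should be deleted rather than kept as dead text, `\(k-1\)st` should read `\((k-1)\)-st`, and "Hence all derivatives ... can easily be computed" repeats "easily" from the previous sentence.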
......@@ -180,9 +180,9 @@ This approach does not agree with the threshold group action, for which a shareh
\begin{align*}
\left(\pi,\set{\pi_j}_{P_j \in S}\right) \gets& \mathsf{PVP}.P\paren*{\left(\left(R,R'\right), \left(L_{i,S'} f_i\paren* j\right)_{P_j \in S}\right), f_i'}
\end{align*}
which to \(S'\setminus \set{P_i}\) is indistinguishable from
which is indistinguishable from
\[\mathsf{PVP}.P\paren*{\left(\left(E_0,E_1\right), \left(L_{i,S'} f_i\paren* j\right)_{P_j \in S}\right), L_{i,S'}f_i}\]
with \(E_0 \sample \mathcal E\) and \(E_1 = \left[L_{i,S'} s_i\right] E_0\). Thus, for a minimally authorised set \(S'\), the soundness of the PVP does not hold with respect to \(P_i\in S'\) and \(f_i\).
to \(S'\setminus \set{P_i}\) with \(E_0 \sample \mathcal E\) and \(E_1 = \left[L_{i,S'} s_i\right] E_0\). Thus, for a minimally authorised set \(S'\), the soundness of the PVP does not hold with respect to \(P_i\in S'\) and \(f_i\).
\else
\[\set{s_i, \set{s_{ij}}_{P_j \in S}, \set{s_{ji}}_{P_j \in S}}.\]
Also let \(S'\in \Gamma\) be a minimally authorised set executing \algoref{fig.tga}, i.e., for any \(P_i \in S'\), \(S' \setminus \set{P_i}\) is unauthorised. Thus, for any arbitrary but fixed \(s_i'\in \Z_p\), there exists a polynomial \(f'_i\in \Z_p\left[X\right]_{k-1}\) so that \(f'_i \paren* j = L_{i,S'} s_{ij}\) and \(R' = \left[f'_i \paren* 0\right] R\) for any \(R,R' \in \mathcal E\). Therefore, \(P_i\) can publish \(\left(\pi,\set{\pi_j}_{P_j \in S'}\right)\) with
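Review bot: moving the qualifier after the display makes the sentence ambiguous. `to \(S'\setminus \set{P_i}\) with \(E_0 \sample \mathcal E\) ...` now directly follows the displayed \(\mathsf{PVP}.P\) call and reads as a continuation of the formula. Suggest keeping it in the sentence before the display, e.g. "which is indistinguishable, to \(S'\setminus \set{P_i}\), from", and starting the following line with "with \(E_0 \sample \mathcal E\) and \(E_1 = \left[L_{i,S'} s_i\right] E_0\)".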
......@@ -376,7 +376,7 @@ The combination of the PVP and the zero-knowledge proof in steps \ref{step.pvp}
$zk^k \gets \mathsf{ZK}.P\paren*{\left(R_k,R'_k\right),\left(E^{k-1},E^k\right), L_{i,S^\ast} s_i}$\;
$P_i \text{ publishes } \left(E^k, zk^k\right)$\;
\For{$P_j \in S^\ast \setminus \set{P_i}$}{
\If{$\mathsf{ZK}.V\paren*{\left(R_k,R_k'\right),\left(E^{k-1},E^k\right),zk} = \false$}{
\If{$\mathsf{ZK}.V\paren*{\left(R_k,R_k'\right),\left(E^{k-1},E^k\right),zk^k} = \false$}{
\Return{$\mathsf{Decapsulation}\paren*{c,{S^\ast}'} \text{ with } {S^\ast}' \in \Gamma \wedge P_i \not \in {S^\ast}'$}
}
%$\text{Each } P_j \in S^\ast\setminus\set{P_i} \text{ checks }$\;
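Review bot: the superscript fix makes the verifier check the same \(zk^k\) that \(P_i\) publishes on the preceding line, which the soundness argument needs. What the visible lines leave undocumented is the \Return: it restarts \(\mathsf{Decapsulation}\paren*{c,{S^\ast}'}\) with some \({S^\ast}' \in \Gamma\) excluding \(P_i\), but the existence of such a set is assumed, not checked. State the precondition (or what happens when no such set exists) next to the \Return. Also note that the protocol is called \(\mathsf{Decapsulation}\) here but \(\mathsf{Decaps}\) in the theorem hunk further down; one name should be used.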
......@@ -429,7 +429,7 @@ The combination of the PVP and the zero-knowledge proof in steps \ref{step.pvp}
}
}
%$\text{Each } P_j \in S^\ast\setminus\set{P_i} \text{ checks }$\;
\If{$\mathsf{ZK}.V\paren*{\left(R_k,R_k'\right),\left(E^{k-1},E^k\right),zk} = \false$}{
\If{$\mathsf{ZK}.V\paren*{\left(R_k,R_k'\right),\left(E^{k-1},E^k\right),zk^k} = \false$}{
\Return{$\mathsf{Decapsulation}\paren*{c,{S^\ast}'} \text{ with } {S^\ast}' \in \Gamma \wedge P_i \not \in {S^\ast}'$}
}
}
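Review bot: same \(zk\) to \(zk^k\) correction as in the previous hunk, applied to a second copy of the algorithm body. The two copies differ in placement: in the previous hunk the check sits inside `\For{$P_j \in S^\ast \setminus \set{P_i}$}`, whereas here the `\If` follows two closing braces, i.e. it is outside the loop. If that is intentional (e.g. one variant under \ifshamir), a comment saying so would help; otherwise the duplicated body invites exactly this kind of divergence, and the shared check could be factored into a macro so a fix needs to be applied only once.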
......@@ -473,7 +473,7 @@ There are two aspects of security to consider:
\fi
\begin{theorem}
Let \(S^\ast \in \Gamma^+\) and let \(\left(\pk,\sk\right) \gets \mathsf{KeyGen}\) be a public/secret key pair, where \(\sk\) has been shared. Also let \(\left(\mathcal K,c\right) \gets \mathsf{Encaps}\paren*{\pk}\). Denote the transcript of \(\mathsf{Decaps}\paren*{c,S^\ast}\) by
\[\left(E^k,\left(R_k, R_k'\right),\left(\pi^k,\set{\pi^k_j}_{P_j\in S^\ast}\right), zk_k\right)_{k=1,\ldots, \#S^\ast} .\]
\[\left(E^k,\left(R_k, R_k'\right),\left(\pi^k,\set{\pi^k_j}_{P_j\in S^\ast}\right), zk^k\right)_{k=1,\ldots, \#S^\ast} .\]
Let \(P_i \in S^\ast\) be an arbitrary but fixed shareholder. If \(\mathsf{Decaps}\paren*{c,S^\ast}\) terminated successfully and \(P_{i'}\)'s output was generated dishonestly, then there exists an algorithm that breaks the soundness property of \(\mathsf{PVP}\) or \(\mathsf{ZK}\).
\label{thm.actsecu}\end{theorem}
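Review bot: \(zk_k\) to \(zk^k\) aligns the transcript with the algorithm's notation. The following line is still inconsistent: \(P_i \in S^\ast\) is fixed as the shareholder, but the conclusion speaks of \(P_{i'}\)'s output; the prime looks like a leftover and should be \(P_i\). The theorem also calls the protocol \(\mathsf{Decaps}\) while the algorithm hunks return \(\mathsf{Decapsulation}\); pick one name.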
......@@ -525,7 +525,8 @@ We show that an adversary who corrupts an unauthorised subset of shareholder doe
\begin{definition}[Simulatability]
We call a key exchange mechanism \emph{simulatable}, if for any HHS \(\left(\mathcal E,\mathcal G\right)\) with security parameter \(\lambda\) and any compatible secret sharing instance \(\mathcal S\), there exists a polynomial-time algorithm \(\simul\) so that, for any polynomial-time adversary \(\adv\) the advantage
%\(\left(\set{s_i, \set{s_{ij}}, \set{s_{ji}}}_{P_i, P_j \in S}, \pk\right) \gets \mathsf{KeyGen} \paren{E_0, S}\), any \(S' \subset S\) with \(S' \not\in\Gamma\), any \(\left(\mathcal K, c\right)\gets \mathsf{Encaps}\paren * \pk\), so that for any polynomial time adversary \(\adv\) the advantage
\[\advantage{dist-transcript}{\adv,\simul}[\paren*{\left(\mathcal E,\mathcal G\right), \mathcal S}] := \abs{\prob{\mathsf{Exp}^\text{dist-transcript}_{\adv,\simul}\paren*{\mathcal S}}}\]
\[\advantage{dist-transcript}{\adv,\simul}[\paren*{\left(\mathcal E,\mathcal G\right), \mathcal S}] := \abs{\prob{\mathsf{Exp}^\text{dist-transcript}_{\adv,\simul}\paren*{\mathcal S}} - \frac 12}\]
\todo{inserted $\frac 12$}
in the security game \hyperref[fig.disttranscript]{$Exp^\text{dist-transcript}_{\adv,\simul}\paren*{\mathcal S}$} (\hyperref[fig.disttranscript]{Algorithm \ref{fig.disttranscript}}) is negligible in \(\lambda\).
%Upon input \(\left(\mathcal K,c,\set{s_j, \set{s_{ij}}_{P_i \in S},\set{s_{ji}}_{P_i \in S}}_{P_j\in S}\), \(\simul\) produces for any polynomial-time adversary \(\adv\).
%We call a KEM with shared secret key \emph{simulatable}, if for any adversary \(\adv\) corrupting an unauthorised set of shareholders \(S'\) and any ciphertext \(c \in \mathcal E\) with \(\left(\mathcal K,c\right) = \mathsf{Decaps}\paren*{\pk}\), there is a PPT algorithm \(\mathsf{Sim}\), that upon input \(c\), \(\mathcal K\) and \(\set{s_j, \set{s_{ij}}_{P_i \in S},\set{s_{ji}}_{P_i \in S}}_{P_j\in S}\) outputs a transcript that is indistinguishable from the real transcript of \(\mathsf{Decaps}\paren*{c}\).
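Review bot: subtracting \(\frac 12\) is only meaningful if \(\mathsf{Exp}^\text{dist-transcript}_{\adv,\simul}\) is a bit-guessing game whose output is 1 exactly when \(\adv\) guesses the challenge bit; the visible lines do not say so, and \(\prob{\cdot}\) is applied to the experiment itself rather than to an event. Suggest \(\abs{\prob{\mathsf{Exp}^\text{dist-transcript}_{\adv,\simul}\paren*{\mathcal S} = 1} - \frac 12}\) and a check that \hyperref[fig.disttranscript]{Algorithm \ref{fig.disttranscript}} is defined that way; the `\todo{inserted $\frac 12$}` must not reach the merged version. The three commented-out definition drafts (`%\(\left(\set{s_i, ...`, `%Upon input ...`, `%We call a KEM ...`) are dead text and can be removed.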
......@@ -176,7 +176,7 @@ A piecewise verifiable proof (PVP) is a cryptographic primitive in the context o
\begin{equation}
x=\left(\left(E_0,E_1\right), s_1, \ldots, s_n\right),
\label{eq.pvprelation}\end{equation}
with statement pieces \(s_i = f\paren* i\) for \(i = 0, \ldots, n\), with \(E_1 = \left[s_0\right] E_0 \in \mathcal E\). A PVP provides a proving protocol \(\mathsf{PVP}.P\), which takes a statement \(x\) of the form \eqref{eq.pvprelation} and a witness \(f\) and outputs a proof \(\left(\pi,\set{\pi_i}_{i=0,\ldots, n}\right)\), where \(\left(\pi,\pi_i\right)\) is a proof piece for \(s_i\), \(i = 0,\ldots, n\). The PVP also provides a verifying protocol \(\mathsf{PVP}.V\), which takes an index \(i \in \set{0,\ldots, n}\), a statement piece \(s_i\) and a proof piece \(\left(\pi,\pi_i\right)\) and outputs \(\true\) or \(\false\).
with statement pieces \(s_i = f\paren* i\) for \(i = 0, \ldots, n\) and \(E_1 = \left[s_0\right] E_0 \in \mathcal E\). A PVP provides a proving protocol \(\mathsf{PVP}.P\), which takes a statement \(x\) of the form \eqref{eq.pvprelation} and a witness \(f\) and outputs a proof \(\left(\pi,\set{\pi_i}_{i=0,\ldots, n}\right)\), where \(\left(\pi,\pi_i\right)\) is a proof piece for \(s_i\), \(i = 0,\ldots, n\). The PVP also provides a verifying protocol \(\mathsf{PVP}.V\), which takes an index \(i \in \set{0,\ldots, n}\), a statement piece \(s_i\) and a proof piece \(\left(\pi,\pi_i\right)\) and outputs \(\true\) or \(\false\).
Let \(\mathcal R = \set{\left(x,f\right)}\), where \(f\) is a witness for the statement \(x\). The projection \(R_I\) for some \(I\subset\set{0,\ldots, n}\) denotes \(\left(x_I,f\right)\).
%Furthermore, for \(I\subset\set{0,\ldots,n}\), let \(\mathcal R_I\) denote the projection of \(R\) to \(I\), i.e. the set \(\set{\left(x_I,f\right)}\), where \(\left(x,f\right) \in \mathcal R\) exists so that \(x\vert_I = x_I\).
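Review bot: "and \(E_1 = \ldots\)" in place of the doubled "with" reads better. The next line leaves notation undefined: the relation is \(\mathcal R\) but its projection is written \(R_I\), and \(x_I\) is never introduced in the live text (the commented-out line defined it as \(x\vert_I\), the restriction of the statement to the pieces indexed by \(I\)). Suggest \(\mathcal R_I\) plus a one-clause definition of \(x_I\) so the projection is well defined. Also, \(x\) in \eqref{eq.pvprelation} lists \(s_1,\ldots,s_n\) while the pieces run over \(i = 0,\ldots,n\) with \(s_0\) carried implicitly by \(\left(E_0,E_1\right)\); saying so explicitly would avoid the apparent mismatch.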
\section{Actively Secure Secret Shared Signature Protocols}\label{sec.signatures}
We convert the key exchange mechanism in \algoref{fig.keygen}, \algoref{fig.encaps} and \algoref{fig.decaps} into an actively secure signature scheme with secret shared signing key. We concede, that applying active security measures to a signature scheme to ensure the correctness of the resulting signature is counter-intuitive, since the correctness of a signature can easily be checked through the verifying protocol. Yet verification returning \(\false\) only shows that the signature is incorrect, a misbehaving shareholder cannot be identified this way. An actively secure signature scheme achieves just that. An identified cheating shareholder can hence be excluded from future runs of the signing protocol.
We convert the key exchange mechanism in \algoref{fig.keygen}, \algoref{fig.encaps} and \algoref{fig.decaps} into an actively secure signature scheme with secret shared signing key.
A signature scheme consists of three protocols: key generation, signing and verifying. We transfer the unmodified key generation protocol from the key exchange mechnism in \secref{sec.kem} to our signature scheme. The signing protocol is derived from the decapsulation protocol (\algoref{fig.decaps}) by applying the Fiat-Shamir-transformation, the verifying protocol follows straightforward. The protocols are given in \algoref{fig.sign} and \algoref{fig.ver}.
We concede, that applying active security measures to a signature scheme to ensure the correctness of the resulting signature is counter-intuitive, since the correctness of a signature can easily be checked through the verifying protocol. Yet verification returning \(\false\) only shows that the signature is incorrect, a misbehaving shareholder cannot be identified this way. An actively secure signature scheme achieves just that. An identified cheating shareholder can hence be excluded from future runs of the signing protocol.
Similar to \cite{DBLP:conf/asiacrypt/BeullensKV19}, the results from \cite{DBLP:conf/crypto/DonFMS19} on Fiat-Shamir in the QROM can be applied to our setting as follows. First, in the case without hashing, since the sigma protocol has special soundness \cite{DBLP:conf/asiacrypt/BeullensKV19} and in our case perfect unique reponses, \cite{DBLP:conf/crypto/DonFMS19} shows that the protocol is a quantum proof of knowledge. Further, in the case with hashing, the collapsingness property implies that the protocol has unique responses in a quantum scenario.\\
\ifshamir
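Review bot: the split into three paragraphs reads well, but the text in this hunk carries typos and a grammar slip: "mechnism" should be "mechanism", "the verifying protocol follows straightforward" should be "follows straightforwardly" (or "is then straightforward"), and "reponses" in the QROM paragraph should be "responses". "We concede, that" takes no comma in English. The trailing `\\` before `\ifshamir` forces a line break at the end of a paragraph, which typically yields an underfull-hbox warning or a spurious blank line; drop it.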