@@ -50,7 +50,9 @@ We convert the key exchange mechanism in \hyperref[fig.keygen]{Algorithm \ref{fi
\label{fig.sign}
\end{algorithm}
A signature scheme consists of three protocols: key generation, signing and verifying. We transfer the unmodified key generation protocol from the key exchange mechnism in \hyperref[sec.kem]{Section \ref{sec.kem}} to our signature scheme. The signing protocol is derived from the decapsulation protocol (\hyperref[fig.decaps]{Algorithm \ref{fig.decaps}}) by applying the Fiat-Shamir-transformation, the verifying protocol follows straightforward. The protocols are given in \hyperref[fig.sign]{Algorithm \ref{fig.sign}} and \hyperref[fig.ver]{Algorithm \ref{fig.ver}}.
A signature scheme consists of three protocols: key generation, signing and verifying. We transfer the unmodified key generation protocol from the key exchange mechnism in \hyperref[sec.kem]{Section \ref{sec.kem}} to our signature scheme. The signing protocol is derived from the decapsulation protocol (\hyperref[fig.decaps]{Algorithm \ref{fig.decaps}}) by applying the Fiat-Shamir-transformation, the verifying protocol follows straightforward. The protocols are given in \hyperref[fig.sign]{Algorithm \ref{fig.sign}} and \hyperref[fig.ver]{Algorithm \ref{fig.ver}}.\\
\noindent\textbf{Instantiations.} As a practical instantiation, we propose the available parameter set for CSIDH-512 HHS from \cite{DBLP:conf/asiacrypt/BeullensKV19}. Currently no other instantiation of the presented schemes seems feasible in a practical sense. Furthermore, according to recent works \cite{DBLP:conf/eurocrypt/Peikert20,DBLP:conf/eurocrypt/BonnetainS20} CSIDH-512 may not reach the initially estimated security level.
%Active security in our signing protocol is achieved by applying the Fiat-Shamir-transfer to the decapsulation protocol presented above. This gives us a signing protocol, in which each engaged shareholder outputs messages exactly once, making the protocol very efficient.
% \begin{figure}
...
...
@@ -172,4 +174,4 @@ First, in the case without hashing, since the sigma protocol has special soundne
\end{figure}
\end{comment}
\noindent\textbf{Instantiations.} As a practical instantiation, we propose the available parameter set for CSIDH-512 HHS from \cite{DBLP:conf/asiacrypt/BeullensKV19}. Currently no other instantiation of the presented schemes seems feasible in a practical sense. Furthermore, according to recent works \cite{DBLP:conf/eurocrypt/Peikert20,DBLP:conf/eurocrypt/BonnetainS20} CSIDH-512 may not reach the initially estimated security level.
