Commit 73040f9c authored by Philipp Muth
corrections for submission, started presentation

parent 2608c562
......@@ -33,7 +33,7 @@ And fourth, we expand our key encapsulation mechanism and our signature scheme t
\textbf{Related work.}
Secret sharing schemes were first introduced by Blakley \cite{Blakley:1979:SCK} and Shamir \cite{Shamir:1979:HSS}. In both their approaches, secrets from the secret space \(\Z_p := \Z\bmod p\) for prime \(p\) are shared by distributing interpolation points of randomly sampled polynomials.
%To share \(s\in \Z_p\) among \(n\) sharholders, so that \(t\) or more shareholders are able to reconstruct it, a dealer samples a polynomial \(f \in \Z_p\left[ X\right]\) of degree \(t-1\) with constant term \(s\). The share of a shareholder with index \(i \in \left[ 1,\ldots, n\right]\) is \(f\paren* i\). To reconstruct a secret, a set of \(t\) or more shareholders interpolates the original polynomial \(f\) via Lagrange interpolation. Blakley takes a similar, yet distinct approach.
Damg{\aa}rd and Thorbek \cite{DBLP:conf/pkc/DamgardT06} presented a secret sharing scheme with secret space \(\Z\). Thorbek \cite{DBLP:journals/iacr/Thorbek09} later improved their scheme Yet their scheme is only computationally confidential, compared to the information theoretical confidentiality of Shamir and Blakley's schemes.
Damg{\aa}rd and Thorbek \cite{DBLP:conf/pkc/DamgardT06} presented a secret sharing scheme with secret space \(\Z\). Thorbek \cite{DBLP:journals/iacr/Thorbek09} later improved their scheme. Yet their scheme is only computationally confidential, compared to the information theoretical confidentiality of Shamir and Blakley's schemes.
Tassa \cite{DBLP:conf/tcc/Tassa04} opened Shamir's scheme to a more general application by utilising the derivatives of the sharing polynomial to construct a hierarchical access structure,.
These basic secret sharing schemes rely on the dealer providing honestly generated shares to the shareholders. Verifiable secret sharing schemes eliminate this drawback by providing the shareholders with the means to verify the correctness of the received shares with varying overhead. Examples of these are \cite{DBLP:conf/ccs/BethKO93,DBLP:conf/crypto/Pedersen91,DBLP:conf/eurocrypt/Stadler96}. With minor efficiency losses, Herranz and S{\'a}ez \cite{DBLP:conf/fc/HerranzS03} were able to achieve verifiable secret sharing for generalised access structures. %A more recent advancement was made in \cite{DBLP:conf/icits/TraversoDB16}, in which the author presented a method to add and remove shareholders in a verifiable secret sharing setting.
Traverso et al. \cite{DBLP:conf/africacrypt/TraversoD018} proposed an approach for evaluating arithmetic circuits on secret shared in Tassa's scheme, that also enabled auditing the results.
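Review bot: the stray ",." at the end of the Tassa sentence ("to construct a hierarchical access structure,.") survives this correction pass; drop the comma. In the last context line, "evaluating arithmetic circuits on secret shared in Tassa's scheme" should read "on secrets shared in Tassa's scheme", and the comma in "scheme, that also enabled" precedes a restrictive clause and should go. The changed line itself only restores the missing period after "improved their scheme", which is correct.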
......
......@@ -26,7 +26,7 @@ We give our key exchange mechanism in the context of Shamir's secret sharing sch
\noindent\textbf{\\Key Generation.}
\fi
\ifshamir
\todo{koennen wir den shareholdern nicht einfach ihr Polynom geben? (gleicher Informationsgehalt)}
%\todo{koennen wir den shareholdern nicht einfach ihr Polynom geben? (gleicher Informationsgehalt)}
A public and secret key pair is established by a trusted dealer (even an untrusted dealer is feasible by employing verifiable secret sharing schemes) executing \algoref{fig.keygen}. For that he samples a secret key \(s\) and publishes the public key \(\pk \gets [s] E_0\). The secret key \(s\) is then shared among the shareholders \(\set{P_1, \ldots, P_n}\) via \(\mathcal S.\share\paren*s\). The dealer shares each share \(s_i\), \(i=1,\ldots, n\), once more with a sharing polynomial \(f_i\). Each shareholder \(P_i\), \(i=1,\ldots, n\), eventually receives \(s_i\), \(f_i\) and \(f_j\paren* i\), that is his share \(s_i\) of \(s\), the polynomial \(f_i\) and a share \(f_j\paren* i\) of each other \(s_j\), \(j \neq i\).
\begin{algorithm}
\DontPrintSemicolon
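Review bot: commenting out the \todo about handing each shareholder its whole polynomial only hides the question; the paragraph right below already states that each \(P_i\) receives \(f_i\) in full together with \(f_j\paren* i\) for \(j \neq i\), so either the remark is resolved and the commented line should be deleted, or the text should say which of the two variants is intended. Minor: "For that he samples" refers to the dealer with "he"; "it" or "the dealer" reads better for an abstract party.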
......@@ -53,7 +53,7 @@ A public and secret key pair is established by a trusted dealer (even an untrust
\end{algorithm}
\else
\todo{koennen wir den shareholdern nicht einfach ihr Polynom geben? (gleicher Informationsgehalt)}
%\todo{koennen wir den shareholdern nicht einfach ihr Polynom geben? (gleicher Informationsgehalt)}
A public and secret key pair is established by a trusted dealer (even an untrusted dealer is feasible by employing verifiable secret sharing schemes) executing \algoref{fig.keygen}. For that he samples a secret key \(s\) and publishes the public key \(\pk \gets [s] E_0\). The secret key \(s\) is then shared among the \(\set{P_1, \ldots, P_n}\) via \(\mathcal S.\share\paren*s\). The dealer shares each share \(s_i\), \(i=1,\ldots, n\), once more. Each shareholder \(P_i\), \(i=1,\ldots, n\), eventually receives \(s_i\), \(\set{s_{ji}, s_{ij}}_{j=1,\ldots, n}\), that is his share \(s_i\) of \(s\), the sharing of \(s_i\) and a share of other \(s_j\), \(j \neq i\).
\begin{algorithm}
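Review bot: this \else branch carries the same commented-out todo as the \ifshamir branch above; if the question is settled, delete it in both places instead of keeping two commented copies. In the paragraph that follows, "shared among the \(\set{P_1, \ldots, P_n}\)" is missing its noun ("among the shareholders \(\set{P_1, \ldots, P_n}\)"), and the index set in \(\set{s_{ji}, s_{ij}}_{j=1,\ldots, n}\) includes \(j=i\), i.e. \(s_{ii}\), while the sentence then describes the second component as "a share of other \(s_j\), \(j \neq i\)"; either restrict the index to \(j \neq i\) or state that \(s_{ii}\) is part of what \(P_i\) receives.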
......@@ -90,7 +90,7 @@ thus each shareholder \(P_i\) receives his share \(s_i\) of the secret key \(s\)
For ease of notation we denote the polynomial with which the secret key \(s\) was shared by \(f\) and the polynomial with which \(s_i\) was shared by \(f_i\), where \(i =1 , \ldots, n\).
\end{comment}
\todo{added motivation}
%\todo{added motivation}
This key generation protocol can be regarded as a "two-level sharing", where each share of the secret key is itself shared again among the shareholders. While this is not necessary for De Feo and Meyer's passively secure protocol, we require the two-level sharing in ensuring the active security of our key encapsulation mechanism.
%A sketch of it can be found in \hyperref[fig.keygen]{Algorithm \ref{fig.keygen}}.\\
% \begin{figure}
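Review bot: "two-level sharing" in the context line below the commented todo uses straight double quotes, which pdflatex typesets as two closing quotes; use ``two-level sharing'' (or \enquote from csquotes). The commented \todo{added motivation} is a note-to-self that has served its purpose and can be removed outright rather than left as a comment.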
......@@ -448,7 +448,8 @@ The combination of the PVP and the zero-knowledge proof in steps \ref{step.pvp}
A key exchange mechanism with secret shared private key is \emph{correct}, if for any authorised set \(S'\), any public key \(\pk\) and any \(\left(\mathcal K,c\right)\gets \mathsf{Encaps}\paren* \pk\), we have
\( \mathcal K = \mathcal K' \gets \mathsf{Decaps}\paren*{c,S'}.\)
\end{definition}
The correctness of our key exchange mechanism presented in \algoref{fig.keygen}, \algoref{fig.encaps} and \algoref{fig.decaps} follows from the correctness of the threshold group action (\algoref{fig.tga}). Let \(\sk\) be a secret key and \(\pk = \left[\sk\right] E_0\) be the respective public key, that have been generated by \(\mathsf{KeyGen}\), thus each shareholder \(P_i\) holds a share \(s_i\) of \(\sk\), \(i=1,\ldots, n\). For an authorised set \(S'\) we therefore have
The correctness of our key exchange mechanism presented in \algoref{fig.keygen}, \algoref{fig.encaps} and \algoref{fig.decaps} follows from the correctness of the threshold group action (\algoref{fig.tga}).
Let \(\sk\) be a secret key and \(\pk = \left[\sk\right] E_0\) be the respective public key, that have been generated by \(\mathsf{KeyGen}\), thus each shareholder \(P_i\) holds a share \(s_i\) of \(\sk\), \(i=1,\ldots, n\). For an authorised set \(S'\) we therefore have
\[\sk = \sum_{P_i \in S'} L_{i,S'} s_i.\]
Furthermore, let \(\left(\mathcal K,c\right) \gets \mathsf{Encaps}\paren* \pk\). To show correctness, \(\mathcal K' = \mathcal K\) has to hold, where \(\mathcal K' \gets \mathsf{Decaps}\paren*{c,S'}\). Now, after executing \(\mathsf{Decaps}\paren*{c,S'}\), we have \(\mathcal K' = E^{\#S'}\) emerging as the result of the threshold group action applied to \(c\). This gives us
\[ \mathcal K' = \left[\sum_{P_i \in S'} L_{i,S'}s_i \right] c = \left[\sk\right] \left(b\ast E_0\right) = b \ast \pk = \mathcal K.\]
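Review bot: the split of the correctness paragraph is a pure line break with no content change, fine. In the now separate second sentence, "the respective public key, that have been generated by \(\mathsf{KeyGen}\), thus each shareholder \(P_i\) holds" is a comma splice; drop the comma before "that" and start a new sentence at "Thus". Also, the definition in this hunk speaks of a "key exchange mechanism" while the algorithms are \(\mathsf{Encaps}\)/\(\mathsf{Decaps}\) and the macro is \sskem, i.e. KEM terminology; pick one term and use it throughout the section.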
......@@ -523,10 +524,10 @@ There are two aspects of security to consider:
We show that an adversary who corrupts an unauthorised subset of shareholder does not learn any additional information from an execution of the decapsulation protocol. %For that we prove the simulatability of the decapsulation.
\begin{definition}[Simulatability]
We call a key exchange mechanism \emph{simulatable}, if for any HHS \(\left(\mathcal E,\mathcal G\right)\) with security parameter \(\lambda\) and any compatible secret sharing instance \(\mathcal S\), there exists a polynomial-time algorithm \(\simul\) so that, for any polynomial-time adversary \(\adv\) the advantage
We call a key exchange mechanism \emph{simulatable}, if for any HHS \(\left(\mathcal E,\mathcal G\right)\) with security parameter \(\lambda\) and any compatible secret sharing instance \(\mathcal S\), there exists a polynomial-time algorithm \(\simul\) so that for any polynomial-time adversary \(\adv\) the advantage
%\(\left(\set{s_i, \set{s_{ij}}, \set{s_{ji}}}_{P_i, P_j \in S}, \pk\right) \gets \mathsf{KeyGen} \paren{E_0, S}\), any \(S' \subset S\) with \(S' \not\in\Gamma\), any \(\left(\mathcal K, c\right)\gets \mathsf{Encaps}\paren * \pk\), so that for any polynomial time adversary \(\adv\) the advantage
\[\advantage{dist-transcript}{\adv,\simul}[\paren*{\left(\mathcal E,\mathcal G\right), \mathcal S}] := \abs{\prob{\mathsf{Exp}^\text{dist-transcript}_{\adv,\simul}\paren*{\mathcal S}} - \frac 12}\]
\todo{inserted $\frac 12$}
%\todo{inserted $\frac 12$}
in the security game \hyperref[fig.disttranscript]{$Exp^\text{dist-transcript}_{\adv,\simul}\paren*{\mathcal S}$} (\hyperref[fig.disttranscript]{Algorithm \ref{fig.disttranscript}}) is negligible in \(\lambda\).
%Upon input \(\left(\mathcal K,c,\set{s_j, \set{s_{ij}}_{P_i \in S},\set{s_{ji}}_{P_i \in S}}_{P_j\in S}\), \(\simul\) produces for any polynomial-time adversary \(\adv\).
%We call a KEM with shared secret key \emph{simulatable}, if for any adversary \(\adv\) corrupting an unauthorised set of shareholders \(S'\) and any ciphertext \(c \in \mathcal E\) with \(\left(\mathcal K,c\right) = \mathsf{Decaps}\paren*{\pk}\), there is a PPT algorithm \(\mathsf{Sim}\), that upon input \(c\), \(\mathcal K\) and \(\set{s_j, \set{s_{ij}}_{P_i \in S},\set{s_{ji}}_{P_i \in S}}_{P_j\in S}\) outputs a transcript that is indistinguishable from the real transcript of \(\mathsf{Decaps}\paren*{c}\).
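Review bot: \todo{inserted $\frac 12$} is commented out, but the question it records is substantive: the advantage is defined as \(\abs{\prob{\mathsf{Exp}^\text{dist-transcript}_{\adv,\simul}\paren*{\mathcal S}} - \frac 12}\), which is the right form only if the experiment is a bit-guessing game; if it directly outputs whether the distinguisher succeeded, the \(\frac 12\) does not belong. Say in the definition what the experiment outputs rather than hiding the note. Also, the reference in the following line writes \(Exp^\text{dist-transcript}_{\adv,\simul}\) in italics while the display uses \(\mathsf{Exp}\); make the two consistent.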
......@@ -720,7 +721,7 @@ where \(x\) is the size of the bit representation of an element of \(\mathcal E\
Verification (see ) is a simple check whether
\[ E_j' = [z_j] E_j.\]
This means a shareholder \(P_j\)'s output is \(\left(E_j,E_j'\right) = \left(\left[\mathsf{input}_j\paren*{s_j}\right] E_{j-1}, \left[r_j\right] E_j\right)\). We could perhaps reduce an instance \(\left(E_a, E_b, E_c\right) = \left(a\ast E, b\ast E, c\ast E\right)\) of the decisional parallelisation problem to distinguishing \(\left(E_{j-1}, E_j, E_j'\right)\).
\todo{make this non-interactive, cramp the decisional parallelisation challenge \(\left(E_a,E_b, E_c\right)\) into this transcript.}
%\todo{make this non-interactive, cramp the decisional parallelisation challenge \(\left(E_a,E_b, E_c\right)\) into this transcript.}
\end{bem}
\fi
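Review bot: "Verification (see ) is a simple check whether" contains an empty reference; the \ref or \algoref argument was lost and must be restored before submission, since this line is in the submitted source. The commented-out \todo about folding the decisional parallelisation challenge \(\left(E_a,E_b, E_c\right)\) into the transcript is an open research note rather than a correction; keeping it in a separate notes file instead of the submission source avoids it being overlooked or accidentally shipped.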
......@@ -875,7 +876,7 @@ We consider two main categories of security guarantees regarding KEMs. On the on
%\subsection{Indistinguishability of Encapsulated Keys}\label{subsec.kemind}
\noindent\textbf{Indistinguishability of Encapsulated Keys.}\label{subsec.kemind}
We capture the notion of indistinguishability of the encapsulated keys by adapting the \(\indcpa\) or \(\indcca\) games, respectively, of traditional key exchange mechanisms as can be found in \autoref{fig:kemgame} to the setting of a secret shared secret key. For that we generate a public/ secret key pair \(\left(\pk,\set{s_1,\ldots, s_n}\right)\), where the secret key is shared. The adversary \(\adv\) then picks an unauthorised set of shareholders \(S\) and obtains the secret key shares of the parties in \(S\).
\todo{does \(\mathcal O_\mathsf{Decaps}\) only return result or transcript?}
%\todo{does \(\mathcal O_\mathsf{Decaps}\) only return result or transcript?}
In the case of \(\indcca\), some amendments to the decapsulation oracle have to be made.
The resulting security game can be seen in \autoref{fig:sskemgame}.
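Review bot: the commented-out todo asks whether \(\mathcal O_\mathsf{Decaps}\) returns only the result or the whole transcript, and the text still only says "some amendments to the decapsulation oracle have to be made" without stating which; the question is therefore unresolved and the sentence should spell out what the oracle returns in the \(\indcca\) game. Minor: "public/ secret key pair" has a stray space after the slash.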
......@@ -973,11 +974,11 @@ The advantage of an adversary \(\adv\) against the \(\mathsf{Exp}^\indcpa_{\sske
\begin{proof}
We prove \autoref{thm:pddhareducesskem} by giving a reduction, that is we provide an adversarial algorithm \(\bdv\) that simulates an execution of \(\mathsf{Exp}^\indcpa_{\sskem, \mathcal S, \adv}\paren*\lambda\) to the adversary \(\adv\). \(\bdv\) then uses \(\adv\)'s answer to break an instance of \(\mathsf{Exp}^{p-ddha}_{\left(\mathcal E, \mathcal G\right),\bdv}\paren*\lambda\).
\todo{or \(\indcca\)?}
%\todo{or \(\indcca\)?}
\(\bdv\) is handed an instance \(\left(a,E,s\ast E,F\right)\) of \(\mathsf{Exp}^\text{P-DDHA}_{\left(\mathcal E,\mathcal G\right), \bdv}\). \(\bdv\) now has to simulate an instance of \(\mathsf{Exp}^\indcpa_{\sskem,\mathcal S, \adv}\) to \(\adv\). \(\bdv\) picks an instance \(\mathcal S\) of a secret sharing scheme compatible to the HHS \(\left(\mathcal E, \mathcal G\right)\). \(\bdv\) then generates a public/ secret key pair \(\left(E_s, \set{s_1, \ldots, s_n}\right)\) from the arising secret shared key exchange mechanism \(\sskem\). \(\bdv\) then hands a description of \(\mathcal S\) to \(\adv\), who answers with a set of shareholders \(S\) he wishes to corrupt. If \(\adv\) returned an authorised set, \(\bdv\) stops. Otherwise \(\bdv\) hands the challenge \(\left(E_s, E,F,\set{s_i}_{P_i \in S}\right)\) to \(\adv\). Eventually, \(\adv\) answers with a bit \(b'\). \(\bdv\) adopts this \(b'\) as his answer.
\todo{correctly estimate advantages}
%\todo{correctly estimate advantages}
\end{proof}
%We construct an adversary \(\bdv\) against the Power DDHA game in \autoref{fig:gamepddha}, that simulates an instance of \(\mathsf{Exp}^\indcpa_{\sskem, \mathcal S, \cdot}\paren*\lambda\) to an adversary \(\adv\) (\textcolor{red}{oder \(\indcca\)?}) to break the Power DDHA problem.
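Review bot: commenting out \todo{correctly estimate advantages} leaves the proof without the bound it was meant to supply: the reduction ends with "\(\bdv\) adopts this \(b'\) as his answer" and never relates \(\bdv\)'s P-DDHA advantage to \(\adv\)'s \(\indcpa\) advantage, nor argues that the challenge \(\left(E_s, E,F,\set{s_i}_{P_i \in S}\right)\) handed to \(\adv\) is distributed as in the real game. Likewise \todo{or \(\indcca\)?} is commented out while the proof only treats \(\indcpa\); state explicitly which notion the theorem claims. Also "\(\mathsf{Exp}^{p-ddha}\)" in the first line and "\(\mathsf{Exp}^\text{P-DDHA}\)" in the third name the same game differently.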
......@@ -1009,7 +1010,7 @@ To reduce \(\mathsf{Exp}^\text{P-DDHA}_{\left(\mathcal E,\mathcal G\right), \bdv
&+ \frac 12 \prob{\adv':\left(E,E'\right) \in \mathsf{Dist}_0} \frac{\#\mathcal G - 2 \mathcal G_1}{\#\left(\mathcal G\setminus\mathcal G_1\right)\#\mathcal G_1}\\
=& \frac 12 \frac 1{\#\left(\mathcal G\setminus\mathcal G_1\right)} + \frac 12 \prob{\adv':\left(E,E'\right) \in \mathsf{Dist}_0} \frac{\#\mathcal G - 2 \mathcal G_1}{\#\left(\mathcal G\setminus\mathcal G_1\right)\#\mathcal G_1}\\
\end{align*}
\todo{breaks this down to non-negligible probability}
%\todo{breaks this down to non-negligible probability}
\end{proof}
It remains to prove, that the output of \(\mathsf{Sim}_\text{Decaps}\) upon input \(\left(\set{s_i}_{P_i \in S^\ast}, E_b, E^\ast\right)\) is indistinguishable from a real transcript of \(\text{Decaps}\paren*{E_b,S}\), where \(S^\ast \subset S \in \Gamma\). We show, that this indeeds holds under the assumption that Power DDHA is hard in \(\left(\mathcal E,\mathcal G\right)\).
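Review bot: the numerator \(\#\mathcal G - 2 \mathcal G_1\) in both displayed lines mixes a cardinality with a set; presumably \(\#\mathcal G - 2\#\mathcal G_1\) is meant. The trailing \\ on the last align* row produces an extra empty row. The commented-out todo "breaks this down to non-negligible probability" records a step that is still missing: the proof stops at the probability expression without concluding that it is non-negligible. Typo in the closing paragraph: "indeeds" should be "indeed".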
......
.PHONY: clean
TEXINPUTS := ""
USECRYPTOBIB :=
PRETEX := $(USECRYPTOBIB)
ACNS.pdf: *.tex
#TEXINPUTS=${TEXINPUTS} latexmk -xelatex -interaction=nonstopmode ACNS.tex
TEXINPUTS=${TEXINPUTS} latexmk -pdf -interaction=nonstopmode main.tex
oldschool: *.tex
#rm ACNS.bbl
pdflatex ACNS.tex
bibtex ACNS.aux
#sed -i '/doi/ s/_/\\_/' ACNS.bbl
pdflatex ACNS.tex
clean:
#latexmk -xelatex ACNS.tex -C
latexmk -xelatex main.tex -C
full: *.tex
TEXINPUTS=${TEXINPUTS} latexmk -xelatex -interaction=nonstopmode ACNS.tex
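Review bot: the ACNS.pdf target's recipe runs latexmk -pdf on main.tex, so it produces main.pdf and ACNS.pdf is never created; make will re-run the recipe on every invocation, and the oldschool and full targets still build ACNS.tex. Rename either the target or the input so they agree. TEXINPUTS := "" assigns the literal two-character string "" rather than an empty value; use TEXINPUTS := with nothing after it, or drop the variable. Also, clean runs latexmk -xelatex while the default build uses -pdf, so the auxiliary files cleaned may not match those produced, and PRETEX is defined but never used.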
\documentclass{beamer}
\input{preamble}
\usetheme{Darmstadt}
\usecolortheme{seahorse}
\title{On Actively Secure Fine-Grained Access Structures from Isogeny Assumptions}
\author{Fabio Campos\inst{1,2} \and \underline{Philipp Muth}\inst{3}}
\institute{\relax
RheinMain University of Applied Sciences, Wiesbaden, Germany
\and
Radboud University, Nijmegen, The Netherlands %\\
%\email{campos@sopmac.de}
\and
Technische Universität Darmstadt, Germany%\\
%\email{philipp.muth@tu-darmstadt.de}
}
\begin{document}
\maketitle
\section{Motivation}
\begin{frame}
\end{frame}
\end{document}
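Review bot: the only frame under \section{Motivation} is empty and the title has no \date, which is fine for a "started presentation" commit, but \input{preamble} pulls in the paper's full preamble, which loads packages written for the article (flushend, appendix, \numberwithin{equation}{section}) and enumitem, which is known to conflict with beamer's itemize and enumerate; beamer also loads hyperref itself. A separate, trimmed preamble for the slides would avoid these clashes.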
%\KOMAoptions{fontsize=10pt}
%\KOMAoptions{paper=a4}
\usepackage[T1]{fontenc}
\usepackage{xurl}
%\usepackage{concmath}
\usepackage{subfiles}
\usepackage[title]{appendix}
%\usepackage{appendix}
%\usepackage{subcaption}
\usepackage[titlenumbered,ruled]{algorithm2e}
\newcommand\assignTo[2]{#1 \leftarrow #2}
%\usepackage{todonotes} %remove for submission
%\let\labelindent\relax
\usepackage{enumitem}
\usepackage[english]{babel}
\usepackage[utf8]{inputenc}
\usepackage{amsmath}
\usepackage{amssymb}
%\usepackage{amsthm}
\usepackage{mathtools}
\usepackage{thmtools}
\usepackage{relsize}
\usepackage{graphicx}
\usepackage{flushend}
%\usepackage{natbib}
%\usepackage{cite}
%\usepackage{algorithm}
%\usepackage{algpseudocode}
%\usepackage{algorithmicx}
\usepackage[advantage,adversary,keys,logic,mm,notions,operators,probability,sets]{cryptocode}
%\usepackage[top=3cm, bottom=3cm, left=3cm, right=3cm]{geometry}
\usepackage{verbatim}
\usepackage{color}
\usepackage[nice]{nicefrac}
%\usepackage{forloop}
\usepackage[super]{nth}
\usepackage{chngcntr}
\counterwithout{footnote}{subsection}
\usepackage{hyphenat}
\usepackage{tikz}
\usetikzlibrary{calc,arrows,intersections, through,positioning, matrix}
\usepackage{tcolorbox}
%\usepackage{titlesec}
%\titleformat{name=\section}[runin]{\large\normalfont\bf}{\thesection}{.5em}{}
%\titleformat{name=\subsection}[runin]{\large\normalfont\bf}{\thesubsection}{.5em}{}
%\titleformat{name=\subsubsection}[runin]{\large\normalfont\bf}{\thesubsubsection}{.5em}{}
\usepackage{hyperref}
\hypersetup{
colorlinks=true,
linktoc=section,
linkcolor=blue,
urlcolor=red,
citecolor=blue,
}
\providecommand\algoref[1]{\hyperref[#1]{Algorithm \ref{#1}}}
\providecommand\secref[1]{\hyperref[#1]{Section \ref{#1}}}
\begin{comment}
\newtheoremstyle{Satz}
{\topsep}
{\topsep}
{}
{}
{\bfseries}
{\newline}
{.5em}
{}
\end{comment}
%\theoremstyle{Satz}
%\newtheorem{thm}{Theorem}
%\newtheorem*{thm*}{Theorem}
%\newtheorem{lem}[thm]{Lemma}
%\newtheorem{prop}[thm]{Proposition}
%\newtheorem{cor}[thm]{Corollary}
%\newtheorem{defin}[thm]{Definition}
%\newtheorem{thm+def}{Theorem and Definition}
%\newtheorem{exm}[thm]{Example}
%\newtheorem*{bem}{Remark}
%\newtheorem{problem}{Problem}
\numberwithin{equation}{section}
%\numberwithin{thm}{section}
%\numberwithin{algorithm}{section}
\newcommand{\F}{\mathbb{F}}
%\newcommand{\C}{\mathbb{C}}
\newcommand{\R}{\mathbb{R}}
\newcommand{\N}{\mathbb{N}}
\newcommand{\D}{\mathbb{D}}
\newcommand{\Q}{\mathbb{Q}}
\newcommand{\Hol}{\mathcal{H}}
\newcommand{\M}{\mathcal{M}}
\newcommand{\Z}{\mathbb{Z}}
\newcommand\pias{\Pi_{\text{AS}}}
\DeclareMathOperator{\spec}{spec}
\DeclareMathOperator{\re}{Re}
\DeclareMathOperator{\im}{Im}
%\DeclareMathOperator\pr{Pr}
%\renewcommand{\qedsymbol}{$\blacksquare$}
\DeclareMathOperator\SH{SH}
\DeclareMathOperator\shaho{sh}
\newcommand\add{\mathsf{Add}}
\newcommand\share{\mathsf{Share}}
\newcommand\rec{\mathsf{Rec}}
\newcommand\simul{\mathsf{Sim}}
\newcommand\kem{\mathsf{KEM}}
\newcommand\sskem{\mathsf{SSKEM}}
\newcommand\decaps{\mathsf{Decaps}}
\newcommand\encaps{\mathsf{Encaps}}
\newcommand\keygen{\mathsf{KeyGen}}
\DeclarePairedDelimiter{\paren}{\lparen}{\rparen}
\DeclarePairedDelimiter{\bracket}{[}{]}
%\DeclarePairedDelimiter{\abs}{\lvert}{\rvert}
%\DeclarePairedDelimiter{\set}{\{}{\}}
%\newcommand\norm[1]{\left\lVert #1 \right\rVert}
%opening
%\KOMAoptions{toc=bibliography}
%\pagestyle{headings}
%\KOMAoptions{titlepage=firstiscover}
%\KOMAoptions{abstract=true}
%\setkomafont{pageheadfoot}{\normalfont}
%\KOMAoptions{bibliography=totoc}
%\KOMAoptions{headsepline=true}
%\KOMAoptions{footsepline=true}
\usepackage[nodisplayskipstretch]{setspace}
% \setlength{\topsep}{0pt}
% \setlength{\partopsep}{0pt plus 0pt minus 0pt}
% \setlength{\parskip}{0pt}
% \setlength{\parindent}{0pt}
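Review bot: \usepackage{todonotes} is commented out ("remove for submission"), consistent with the \todo lines being commented out in the other files, but any \todo left uncommented anywhere in the sources will now break the build with an undefined control sequence. Keeping the package with its disable option (\usepackage[disable]{todonotes}) makes stray todos vanish from the output instead of failing the compile, which is the safer submission setting.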