A key exchange mechanism is a cryptographic public key scheme that provides three protocols: \(\mathsf{KeyGen}\), \(\mathsf{Encaps}\) and \(\mathsf{Decaps}\). These enable a party to establish an ephemeral key between the holder of the secret key.
We present our actively secure key exchange mechanism with private key that is secret shared among a set of shareholders. An authorised subset can execute the \(\mathsf{Decaps}\) protocol with reconstructing the secret key.
We present our actively secure key exchange mechanism with private key that is secret shared among a set of shareholders. An authorised subset can execute the \(\mathsf{Decaps}\) protocol without reconstructing the secret key.
\ifsubsection
\subsection{Public Parameters}
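Review bot: the corrected sentence ("without reconstructing the secret key") is right, but the opening line of the hunk still calls the primitive a "key exchange mechanism" although the interface it lists, \(\mathsf{KeyGen}\), \(\mathsf{Encaps}\) and \(\mathsf{Decaps}\), is that of a key encapsulation mechanism (KEM), and the later text speaks of encapsulation and decapsulation; rename it consistently. The same line also reads "establish an ephemeral key between the holder of the secret key", which should be "with the holder of the secret key", and "three protocols" would more usually be "three algorithms" for a KEM.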
...
...
@@ -12,9 +12,9 @@ We present our actively secure key exchange mechanism with private key that is s
We fix the following publically known parameters.
\begin{itemize}
\item A secret sharing instance $\mathcal S$ with shareholders $\mathcalS=\set{P_1, \ldots, P_n}$, secret space \(\Z_p\) and access structure \(\Gamma\).
\item A secret sharing instance $\mathcal S$ with shareholders $S=\set{P_1, \ldots, P_n}$, secret space \(\Z_p\) and access structure \(\Gamma\).
\item A hard homogeneous space \(\left(\mathcal E, \mathcal G\right)\) with fixed starting point \(E_0\in\mathcal E\).
\item A hard homogeneous space \(\left(\mathcal E, \mathcal G\right)\) with a fixed starting point \(E_0\in\mathcal E\).
\item A fixed element \(g \in\mathcal G\) with \(\mathsf{ord} g = p\) for the mapping \([\cdot]\cdot: \Z_p \times\mathcal E \to\mathcal E; s \mapsto g^s E\).
\end{itemize}
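Review bot: renaming the shareholder set from `\mathcalS` (an undefined command, so a compile error) to `S` fixes the build, but the same item keeps `\mathcal S` for the secret sharing instance, so the instance and its shareholder set now differ only in font; say explicitly that `S` is the set the authorised subsets `S' \in \Gamma` are drawn from. Two points in the unchanged context lines of this hunk: "publically" should be "publicly", and the action in the last item is written as a map on \(s\) alone, `s \mapsto g^s E`, with \(E\) unbound and without the `\ast` used for the group action elsewhere; `(s, E) \mapsto g^s \ast E` together with `\mathsf{ord}\, g = p` (a thin space after the operator) would make the notation match the decapsulation section.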
...
...
@@ -151,12 +151,12 @@ Our encapsulation protocol is identical to the protocol of \cite{FeoM20}, thus w
A decapsulation protocol takes a ciphertext \(c\) and outputs a key \(\mathcal K\).
De Feo and Meyer \cite{FeoM20} applied the threshold group action (\algoref{fig.tga}) so that an authorised set \(S'\in\Gamma\) decapsulates a ciphertext \(c\) and produces an ephemeral key \(\left[s\right] c =\left[s\right]\left(b\ast E_0\right)= b \ast\left(\left[s\right] E_0\right)\).
%\todo{Satz raffen}
For that, the shareholders agree on an arbitrary order of turns. With \(E^0: =c\), for \(k=1,\ldots, \#S'\), the \(k^\text{th}\) shareholder \(P_i\) outputs \(E^k =\left[L_{i,S'}s_i\right] E^{k-1}\). The last shareholder outputs the decapsulated ciphertext \(E^{\#S'}=\left[s\right]c\).
For that, the shareholders agree on an arbitrary order of turns. With \(E^0: =c\), the \(k^\text{th}\) shareholder \(P_i\) outputs \(E^k =\left[L_{i,S'}s_i\right] E^{k-1}\) for \(k=1,\ldots, \#S'\). The last shareholder outputs the decapsulated ciphertext \(E^{\#S'}=\left[s\right]c\).
%The first shareholder \(P_i\) computes and publishes \(E^1 = \left[L_{i,S'} s_i\right] c\). The \(k^\text{th}\) shareholder \(P_j\) takes the previous output \(E^{k-1}\) and outputs \(E^k = \left[L_{j,S'} s_j\right] E^{k-1}\). The last shareholder outputs the decapsulated ciphertext \(E^{\#S'} = \left[s\right]c\).
%\todo{The last shareholder...}
Their approach is simulatable. It does not leak any information on the shares \(s_i\), yet it is only passively secure. Thus, a malicious shareholder can provide malformed input to the protocol and thereby manipulate the output of the computation towards incorrect results without the other parties recognising this deviation from the protocol.
%\todo{clarify the round-robin approach to decaps}
We extend their approach to enable detecting misbehaving shareholders in a decapsulation. For that we maintain the threshold group action and apply the PVP and zero-knowledge proof layed out in \secref{sec.prelim}.
We extend their approach to enable the detection of misbehaving shareholders in a decapsulation. For that we maintain the threshold group action and apply the PVP and zero-knowledge proof for the group action inverse problem as layed out in \secref{sec.prelim}.
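Review bot: the new version of the last line still says "layed out"; it should be "laid out". In the reworded turn-order sentence, `E^0: =c` renders with a stray space before the equals sign; write `E^0 := c` (or `\coloneqq` if the package is loaded). The hunk also leaves three commented-out `\todo` lines and the commented-out earlier wording of the round-robin paragraph in place; if the moved quantifier settles that paragraph, remove them so the source does not carry two descriptions of the same step. The substance of the revised sentence is consistent with the surrounding text: the agreed order of turns, the Lagrange coefficient \(L_{i,S'}\) applied to each share, and the final output \(\left[s\right]c\) match the passively secure protocol the section attributes to De Feo and Meyer.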