A key exchange mechanism is a cryptographic public key scheme that provides three protocols: \(\mathsf{KeyGen}\), \(\mathsf{Encaps}\) and \(\mathsf{Decaps}\). These enable a party to establish an ephemeral key between the holder of the secret key.
A key exchange mechanism is a cryptographic public key scheme that provides three protocols: \(\mathsf{KeyGen}\), \(\mathsf{Encaps}\) and \(\mathsf{Decaps}\). These enable a party to establish an ephemeral key between the holder of the secret key.
We present our actively secure key exchange mechanism with private key that is secret shared among a set of shareholders. An authorised subset can execute the \(\mathsf{Decaps}\) protocol with reconstructing the secret key.
We present our actively secure key exchange mechanism with private key that is secret shared among a set of shareholders. An authorised subset can execute the \(\mathsf{Decaps}\) protocol without reconstructing the secret key.
\ifsubsection
\ifsubsection
\subsection{Public Parameters}
\subsection{Public Parameters}
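Review bot: the second sentence of the first paragraph is grammatically incomplete in both versions: "establish an ephemeral key between the holder of the secret key" names only one party; it should read "with the holder of the secret key" or "between themselves and the holder of the secret key". The unchanged first sentence also calls the scheme a "key exchange mechanism" although the triple \(\mathsf{KeyGen}\), \(\mathsf{Encaps}\), \(\mathsf{Decaps}\) is the interface of a key encapsulation mechanism (KEM), which is what the names Encaps and Decaps refer to, so the term should be checked against the rest of the paper. The corrected sentence in the second paragraph ("without reconstructing the secret key") is the right fix but still lacks an article: "with a private key that is secret shared".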
...
@@ -12,9 +12,9 @@ We present our actively secure key exchange mechanism with private key that is s
...
@@ -12,9 +12,9 @@ We present our actively secure key exchange mechanism with private key that is s
We fix the following publically known parameters.
We fix the following publically known parameters.
\begin{itemize}
\begin{itemize}
\item A secret sharing instance $\mathcal S$ with shareholders $\mathcalS=\set{P_1, \ldots, P_n}$, secret space \(\Z_p\) and access structure \(\Gamma\).
\item A secret sharing instance $\mathcal S$ with shareholders $S=\set{P_1, \ldots, P_n}$, secret space \(\Z_p\) and access structure \(\Gamma\).
\item A hard homogeneous space \(\left(\mathcal E, \mathcal G\right)\) with fixed starting point \(E_0\in\mathcal E\).
\item A hard homogeneous space \(\left(\mathcal E, \mathcal G\right)\) with a fixed starting point \(E_0\in\mathcal E\).
\item A fixed element \(g \in\mathcal G\) with \(\mathsf{ord} g = p\) for the mapping \([\cdot]\cdot: \Z_p \times\mathcal E \to\mathcal E; s \mapsto g^s E\).
\item A fixed element \(g \in\mathcal G\) with \(\mathsf{ord} g = p\) for the mapping \([\cdot]\cdot: \Z_p \times\mathcal E \to\mathcal E; s \mapsto g^s E\).
\end{itemize}
\end{itemize}
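Review bot: in the last item the mapping \([\cdot]\cdot: \Z_p \times\mathcal E \to\mathcal E; s \mapsto g^s E\) is declared on two arguments but its rule binds only \(s\) and writes the action as plain juxtaposition; it should read \((s, E) \mapsto g^s \ast E\) so that the rule matches the declared domain and uses the same action symbol \(\ast\) as \(b \ast E_0\) in the decapsulation section. In the first item, renaming the shareholder set from \(\mathcal S\) to \(S\) resolves the clash with the secret sharing instance \(\mathcal S\), but the item still mixes `$...$` and `\(...\)` delimiters while the rest of the file uses `\(...\)`. The lead sentence keeps the misspelling "publically" (publicly) in both versions.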
...
@@ -151,12 +151,12 @@ Our encapsulation protocol is identical to the protocol of \cite{FeoM20}, thus w
...
@@ -151,12 +151,12 @@ Our encapsulation protocol is identical to the protocol of \cite{FeoM20}, thus w
A decapsulation protocol takes a ciphertext \(c\) and outputs a key \(\mathcal K\).
A decapsulation protocol takes a ciphertext \(c\) and outputs a key \(\mathcal K\).
De Feo and Meyer \cite{FeoM20} applied the threshold group action (\algoref{fig.tga}) so that an authorised set \(S'\in\Gamma\) decapsulates a ciphertext \(c\) and produces an ephemeral key \(\left[s\right] c =\left[s\right]\left(b\ast E_0\right)= b \ast\left(\left[s\right] E_0\right)\).
De Feo and Meyer \cite{FeoM20} applied the threshold group action (\algoref{fig.tga}) so that an authorised set \(S'\in\Gamma\) decapsulates a ciphertext \(c\) and produces an ephemeral key \(\left[s\right] c =\left[s\right]\left(b\ast E_0\right)= b \ast\left(\left[s\right] E_0\right)\).
%\todo{Satz raffen}
%\todo{Satz raffen}
For that, the shareholders agree on an arbitrary order of turns. With \(E^0: =c\), for \(k=1,\ldots, \#S'\), the \(k^\text{th}\) shareholder \(P_i\) outputs \(E^k =\left[L_{i,S'}s_i\right] E^{k-1}\). The last shareholder outputs the decapsulated ciphertext \(E^{\#S'}=\left[s\right]c\).
For that, the shareholders agree on an arbitrary order of turns. With \(E^0: =c\), the \(k^\text{th}\) shareholder \(P_i\) outputs \(E^k =\left[L_{i,S'}s_i\right] E^{k-1}\) for \(k=1,\ldots, \#S'\). The last shareholder outputs the decapsulated ciphertext \(E^{\#S'}=\left[s\right]c\).
%The first shareholder \(P_i\) computes and publishes \(E^1 = \left[L_{i,S'} s_i\right] c\). The \(k^\text{th}\) shareholder \(P_j\) takes the previous output \(E^{k-1}\) and outputs \(E^k = \left[L_{j,S'} s_j\right] E^{k-1}\). The last shareholder outputs the decapsulated ciphertext \(E^{\#S'} = \left[s\right]c\).
%The first shareholder \(P_i\) computes and publishes \(E^1 = \left[L_{i,S'} s_i\right] c\). The \(k^\text{th}\) shareholder \(P_j\) takes the previous output \(E^{k-1}\) and outputs \(E^k = \left[L_{j,S'} s_j\right] E^{k-1}\). The last shareholder outputs the decapsulated ciphertext \(E^{\#S'} = \left[s\right]c\).
%\todo{The last shareholder...}
%\todo{The last shareholder...}
Their approach is simulatable. It does not leak any information on the shares \(s_i\), yet it is only passively secure. Thus, a malicious shareholder can provide malformed input to the protocol and thereby manipulate the output of the computation towards incorrect results without the other parties recognising this deviation from the protocol.
Their approach is simulatable. It does not leak any information on the shares \(s_i\), yet it is only passively secure. Thus, a malicious shareholder can provide malformed input to the protocol and thereby manipulate the output of the computation towards incorrect results without the other parties recognising this deviation from the protocol.
%\todo{clarify the round-robin approach to decaps}
%\todo{clarify the round-robin approach to decaps}
We extend their approach to enable detecting misbehaving shareholders in a decapsulation. For that we maintain the threshold group action and apply the PVP and zero-knowledge proof layed out in \secref{sec.prelim}.
We extend their approach to enable the detection of misbehaving shareholders in a decapsulation. For that we maintain the threshold group action and apply the PVP and zero-knowledge proof for the group action inverse problem as layed out in \secref{sec.prelim}.
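Review bot: "layed out" in the final sentence is still misspelled in the new version; it should be "laid out". In the round-robin paragraph, \(E^0: =c\) has a stray space inside the definition symbol (\(E^0 := c\), or `\coloneqq`), and the final output \(E^{\#S'}=\left[s\right]c\) is called the "decapsulated ciphertext" although the preceding sentence names the same value the ephemeral key and the paragraph opens by saying decapsulation outputs a key \(\mathcal K\); one term should be used throughout. The commented-out `\todo{Satz raffen}` (German: tighten the sentence), the commented-out earlier wording of the first shareholder's step and the `\todo{clarify the round-robin approach to decaps}` all remain in the source; since the sentence they refer to has now been rewritten, they should be resolved or removed.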