From 92abd5f40cec732738b428a521e678c5dcfb2893 Mon Sep 17 00:00:00 2001
From: Philipp Muth <muth@seceng.informatik.tu-darmstadt.de>
Date: Wed, 21 Sep 2022 14:18:42 +0200
Subject: [PATCH] slides for live presentation
---
 ACNS/live_presentation/Makefile | 26 ++
 ACNS/live_presentation/conclusion.tex | 16 +
 ACNS/live_presentation/generalsss.tex | 20 +
 ACNS/live_presentation/key_exchange.tex | 109 ++++++
 ACNS/live_presentation/local_bib.bib | 16 +
 ACNS/live_presentation/main.tex | 38 ++
 ACNS/live_presentation/motivation.tex | 252 ++++++++++++
 ACNS/live_presentation/notes.tex | 115 ++++++
 ACNS/live_presentation/pqc.bib | 493 ++++++++++++++++++++++++
 ACNS/live_presentation/preamble.tex | 142 +++++++
 ACNS/live_presentation/signatures.tex | 16 +
 11 files changed, 1243 insertions(+)
 create mode 100644 ACNS/live_presentation/Makefile
 create mode 100644 ACNS/live_presentation/conclusion.tex
 create mode 100644 ACNS/live_presentation/generalsss.tex
 create mode 100644 ACNS/live_presentation/key_exchange.tex
 create mode 100644 ACNS/live_presentation/local_bib.bib
 create mode 100644 ACNS/live_presentation/main.tex
 create mode 100644 ACNS/live_presentation/motivation.tex
 create mode 100644 ACNS/live_presentation/notes.tex
 create mode 100644 ACNS/live_presentation/pqc.bib
 create mode 100644 ACNS/live_presentation/preamble.tex
 create mode 100644 ACNS/live_presentation/signatures.tex
diff --git a/ACNS/live_presentation/Makefile b/ACNS/live_presentation/Makefile
new file mode 100644
index 0000000..e0426fd
--- /dev/null
+++ b/ACNS/live_presentation/Makefile
@@ -0,0 +1,26 @@ + +.PHONY: clean + +TEXINPUTS := "" + +USECRYPTOBIB := +PRETEX := $(USECRYPTOBIB) + + +ACNS.pdf: *.tex + #TEXINPUTS=${TEXINPUTS} latexmk -xelatex -interaction=nonstopmode ACNS.tex + TEXINPUTS=${TEXINPUTS} latexmk -pdf -interaction=nonstopmode main.tex + +oldschool: *.tex + #rm ACNS.bbl + pdflatex ACNS.tex + bibtex ACNS.aux + #sed -i '/doi/ s/_/\\_/' ACNS.bbl + pdflatex ACNS.tex + +clean: + #latexmk -xelatex ACNS.tex -C + latexmk -xelatex main.tex -C + +full: *.tex + TEXINPUTS=${TEXINPUTS} latexmk -xelatex -interaction=nonstopmode ACNS.tex diff --git a/ACNS/live_presentation/conclusion.tex b/ACNS/live_presentation/conclusion.tex new file mode 100644 index 0000000..8114b02 --- /dev/null +++ b/ACNS/live_presentation/conclusion.tex @@ -0,0 +1,16 @@ +\section{Conclusion} + +\begin{frame} + \begin{block}{Contribution} + \begin{itemize} + \item Transfer PVP to threshold setting + \item Actively secure key exchange mechanism + \item Transformed into signature scheme + \item Define, which field of secret sharing schemes is compatible + \end{itemize} + \end{block} + \pause + \begin{center} + \huge{Questions?} + \end{center} +\end{frame} diff --git a/ACNS/live_presentation/generalsss.tex b/ACNS/live_presentation/generalsss.tex new file mode 100644 index 0000000..19b2197 --- /dev/null +++ b/ACNS/live_presentation/generalsss.tex 
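Review bot: The default target `ACNS.pdf: *.tex` runs latexmk on `main.tex`, so it produces main.pdf and the file the rule is named after never appears, which makes make rerun the recipe on every invocation; `oldschool` and `full` still build `ACNS.tex`, which this commit does not add to the directory. Rename the default rule to what it actually builds, e.g. `main.pdf: *.tex *.bib` followed by `TEXINPUTS=${TEXINPUTS} latexmk -pdf -interaction=nonstopmode main.tex`, and either drop the `ACNS.tex` targets or point them at `main.tex`. `USECRYPTOBIB` and `PRETEX` are defined but never used, and `clean` invokes `-xelatex` while the build uses `-pdf`; settling on one engine keeps `latexmk -C` removing the files the build actually produced.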
@@ -0,0 +1,20 @@
+
+\section{General Secret Sharing Schemes}
+%\begin{frame}
+% \frametitle{Necessary Characteristics for Compatibility}
+% \begin{itemize}
+% \item Independent reconstruction: a shareholder's input in reconstructing a secret is independent of other shares
+% \item Self-contained reconstruction: the shares of a secret live in the same space as the secret to enable two-level sharing
+% \item Compatibility with zero-knowledge proof and the piecewise verifiable proof in the HHS
+% \end{itemize}
+%\end{frame}
+
+\begin{frame}
+ \frametitle{Examples}
+ \begin{itemize}
+ \item Shamir's polynomial secret sharing: compatible (our protocol was initially based on it)
+ \item Tassa's hierarchical threshold secret sharing \cite{DBLP:conf/tcc/Tassa04}: compatible (extension of Shamir's approach)
+ \item Damgard and Thorbek's linear integer secret sharing \cite{DBLP:conf/pkc/DamgardT06}: incompatible, since it is only computationally hiding
+ \item Additive secret sharing: incompatible, because superauthorised sets of shareholders do not exist
+ \end{itemize}
+\end{frame}
diff --git a/ACNS/live_presentation/key_exchange.tex b/ACNS/live_presentation/key_exchange.tex
new file mode 100644
index 0000000..00bdb22
--- /dev/null
+++ b/ACNS/live_presentation/key_exchange.tex
@@ -0,0 +1,109 @@ + +\section{Actively Secure Key Exchange} +\begin{frame} + \frametitle{Measures for Active Security} + \begin{definition}[Zero-knowledge Proof of Knowledge in \(\left(\mathcal E,\mathcal G\right)\) \cite{DBLP:conf/pqcrypto/BeullensDPV21}] + A party proves knowledge of \(s\) with + \[ \left[s\right] E_i = E_i' \] + for pairs \(\left(E_i,E_i'\right) \in \mathcal E^2\), \(i=1,\ldots, m\). + \end{definition} + \begin{definition}[Piecewise Verifiable Proof \cite{DBLP:conf/asiacrypt/BeullensKV19}] + A party proves knowledge of a polynomial \(f\) for a statement + \[x = \left(\left(E_0,E_1\right),s_1,\ldots, s_n\right),\] + where \(E_1 = \left[f\paren* 0\right] E_0\) and \(s_i = f\paren* i \in \ZZ_p\) for \(i=1,\ldots, n\). + \end{definition} +\end{frame} + +%\begin{comment} +%\begin{frame} +% \frametitle{What to do?} +% \begin{itemize} +% \item Transfer PVP proof to threshold setting +% \item Integrate both to decapsulation protocol to achieve active security +% \item Prove, that resulting protocol is at least as secure as original decapsulation +% \end{itemize} +% +%\end{frame} +%\end{comment} + +%\begin{frame} +% \frametitle{Key Generation} +% \begin{pchstack}[center] +% \procedure[space = auto]{$\keygen\paren* S$}{ +% \sk \sample \ZZ_p\\ +% \pk \gets \left[\sk\right] E_0\\ +% \set{s_1,\ldots, s_n}\gets \SH.\share\paren* s\\ +% \pcfor i =1 ,\ldots, n\\ +% %\set{s_{i1,\ldots, s_{in}}} \gets \SH.\share\paren*{s_i}\\ +% f_i \sample \ZZ_p \left[X\right]_{\leq k-1}\colon f_i \paren 0 = s_i\\ +% \pcendfor\\ +% \text{publish } \pk\\ +% \pcfor i =1 ,\ldots, n\\ +% \text{send } \set{s_i ,f_i, \set{f_{j}\paren* i}_{j = 1,\ldots, n}} \text{ to } P_i\\ +% \pcendfor +% } +% \end{pchstack} +% +%\end{frame} + +\begin{frame} + \begin{block}{Key Generation} + Two-level sharing of the secret key, public key stays as is. + \end{block} + \begin{block}{Encapsulation} + Stays as is. 
+ \end{block} + \begin{block}{Decapsulation (Turn of \(k\)-th shareholder \(P_i\)} + \begin{enumerate} + \item \(E^k = \left[L_{i,S^\ast} s_i\right] E^{k-1}\). + \item Compute and publish PVP and ZKP, that \(\left[L_{i,S^\ast} s_i\right]\) was used in computing \(E^k\). + \item If PVP and ZKP verify for all participants, \(P_i\) outputs \(E^k\) and ends turn. + \end{enumerate} + Last shareholder outputs \(E^{\#S^\ast}\) as result of decapsulation protocol. + \end{block} +\end{frame} + +%\begin{frame} +% \frametitle{Encapsulation} +% \begin{pchstack}[center] +% \procedure{$\encaps\paren*{\pk}$}{ +% b \sample \mathcal G\\ +% \key \gets b \ast \pk\\ +% c \gets b \ast E_0\\ +% \pcreturn \left(\key,c\right) +% } +% \end{pchstack} +% +%\end{frame} + +%\begin{frame}[allowframebreaks] +% \frametitle{Shareholder \(P_i\)'s Turn in the Decapsulation} +% Let \(S^\ast\) be a superauthorised set of shareholders executing the decapsulation protocol. +% \begin{enumerate} +% \item Ascertain \(E^{k-1} \in \mathcal E\), where \(E^{k-1}\) is previous shareholder's output or \(E^0 = c\) +% \item Sample \(R_k \sample \mathcal E\), compute \(R_k'\gets \left[L_{i,S^\ast}s_i\right] R_k\). +% \item Compute and publish +% \begin{align*} +% \left(\pi^k,\set{\pi^k_j}_{P_j\in S^\ast}\right) &\gets \mathsf{PVP}.P \paren*{i,f_i,S^\ast,\left(\left(R_k,R_k'\right), \left(f_i \paren j\right)_{P_j\in S^\ast}\right)},\\ +% E^k &\gets \left[L_{i,S^\ast}s_i\right] E^{k-1},\\ +% zk &\gets \mathsf{ZK}.P \paren*{\left(R_k,R_k'\right), \left(E^{k-1}, E^k\right), L_{i,S^\ast} s_i}. +% \end{align*} +% \item All other participants \(P_j \in S^\ast\) verify +% \begin{align*} +% \mathsf{PVP}.V&\paren*{i, j,S^\ast,f_i\paren j,\left(\pi^k,\pi^k_j\right)},\\ +% \mathsf{PVP}.V&\paren*{i,0,S^\ast,\left(R_k,R_k'\right),\left(\pi^k,\pi_0^k\right)},\\ +% \mathsf{ZK}.V&\paren*{\left(R_k,R_k'\right), \left(E^{k-1},E^k\right), zk}. 
+% \end{align*}
+% \item If irregularities occur and more than half the participants convict \(P_i\), the protocol is started over without \(P_i\).
+% \item Decapsulation terminates with the last shareholder's output \(E^{\#S^\ast}\) as result.
+% \end{enumerate}
+%\end{frame}
+
+%\begin{frame}
+% \frametitle{Features of our Protocol}
+% \begin{itemize}
+% \item IND-CPA, i.e., the encapsulated key cannot be distinguished from the ciphertext, assuming the hardness of the GAIP
+% \item Simulatable (as was \cite{FeoM20})
+% \item Actively secure, i.e., a misbehaving shareholder can be detected, if the PVP and ZK proof are sound
+% \end{itemize}
+%\end{frame}
diff --git a/ACNS/live_presentation/local_bib.bib b/ACNS/live_presentation/local_bib.bib
new file mode 100644
index 0000000..d3c8459
--- /dev/null
+++ b/ACNS/live_presentation/local_bib.bib
@@ -0,0 +1,16 @@
+
+@InProceedings{C:FiaSha86,
+ author = "Amos Fiat and
+ Adi Shamir",
+ title = "How to Prove Yourself: {Practical} Solutions to Identification and Signature Problems",
+ pages = "186--194",
+ editor = crypto86ed,
+ booktitle = crypto86name,
+ volume = crypto86vol,
+ address = cryptoaddr,
+ month = crypto86month,
+ publisher = cryptopub,
+ series = mylncs,
+ year = 1987,
+ doi = "10.1007/3-540-47721-7_12",
+}
diff --git a/ACNS/live_presentation/main.tex b/ACNS/live_presentation/main.tex
new file mode 100644
index 0000000..619196d
--- /dev/null
+++ b/ACNS/live_presentation/main.tex
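Review bot: The live decapsulation block starts the shareholder's turn directly with \(E^k = \left[L_{i,S^\ast} s_i\right] E^{k-1}\) and drops the input check that the commented-out long version (`Ascertain \(E^{k-1} \in \mathcal E\)`) and the speaker notes keep; on a slide whose title is active security that validation is the first defensive step against a malformed predecessor output, so it should stay visible, e.g. as a first item `\item Check \(E^{k-1} \in \mathcal E\) (with \(E^0 = c\)); abort otherwise.`. The block title `\begin{block}{Decapsulation (Turn of \(k\)-th shareholder \(P_i\)}` is also missing its closing parenthesis. The frame itself lies entirely within this hunk; only the surrounding commented-out frames continue here.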
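Review bot: The entry `C:FiaSha86` uses cryptobib string macros (`crypto86ed`, `crypto86name`, `crypto86vol`, `cryptoaddr`, `crypto86month`, `cryptopub`, `mylncs`) that nothing in this commit defines: `local_bib.bib` has no `@string` lines, `main.tex` only lists `\bibliography{pqc,local_bib}`, and the Makefile leaves `USECRYPTOBIB` empty. BibTeX will therefore warn that each string is undefined and print the editor, booktitle, volume, address, month, publisher and series fields empty in the reference list. Either add cryptobib's `abbrev*.bib` file to the `\bibliography` list (and make sure `TEXINPUTS` can find it) or inline the values, as the dblp-style entries in `pqc.bib` do.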
@@ -0,0 +1,38 @@
+\documentclass{beamer}
+
+\input{preamble}
+
+\usetheme{Darmstadt}
+\usecolortheme{seahorse}
+
+\title{On Actively Secure Fine-Grained Access Structures from Isogeny Assumptions}
+\author{Fabio Campos\inst{1,2} \and \underline{Philipp Muth}\inst{3}}
+\institute{\relax
+ \inst{1} RheinMain University of Applied Sciences, Wiesbaden, Germany
+ \and
+ \inst{2} Radboud University, Nijmegen, The Netherlands %\\
+ %\email{campos@sopmac.de}
+ \and
+ \inst{3} Technische Universität Darmstadt, Germany%\\
+ %\email{philipp.muth@tu-darmstadt.de}
+}
+
+\begin{document}
+\maketitle
+
+\input{motivation}
+
+\input{key_exchange}
+
+%\input{signatures}
+
+\input{generalsss}
+
+\input{conclusion}
+
+\section{References}
+\begin{frame}[allowframebreaks]
+ \bibliographystyle{amsalpha}
+ \bibliography{pqc,local_bib}
+\end{frame}
+\end{document}
diff --git a/ACNS/live_presentation/motivation.tex b/ACNS/live_presentation/motivation.tex
new file mode 100644
index 0000000..da84bff
--- /dev/null
+++ b/ACNS/live_presentation/motivation.tex
@@ -0,0 +1,252 @@ +\section{Motivation} + +\begin{frame}[allowframebreaks] + \frametitle{Where are we?} + \begin{block}{Hard Homogeneous Spaces (Couveignes \cite{DBLP:journals/iacr/Couveignes06})} + A hard homogeneous space \(\left(\mathcal E,\mathcal G\right)\) is + \begin{itemize} + \item a set \(\mathcal E\), + \item a group \(\left(\mathcal G,\odot\right)\) and + \item an action \(\ast: \mathcal G\times \mathcal E \to \mathcal E\) + \end{itemize} + \end{block} + + %\pause + %\begin{block}{Properties of \(\ast\)} + %\begin{itemize} + % \item Compatibility: \(\forall g,g' \in \mathcal G ~\forall E \in \mathcal E \colon g \ast \left(g'\ast E\right) = \left(g\odot g'\right) E\) + % \item Identity: \(\forall E \in \mathcal E \colon i \ast E = E \Leftrightarrow i\) is the neutral element in \(\mathcal G\) + % \item Transitivity: \(\forall E,E'\in \mathcal E ~\exists ! g \in \mathcal G \colon g \ast E = E'\) + %\end{itemize} + %\end{block} + %\begin{block}{Notation} + %For arbitrary \(E\in\mathcal E\), \(g\in\mathcal G\) with prime order \(p\vert \#\mathcal G\) and \(s \in \Z_p\), we denote + %\[\left[s\right] E := g^s \ast E.\] + %\end{block} + %\begin{r%emark} + %For \(s,s'\in \Z_p\) and \(E\in\mathcal E\), we have + %\[\left[s\right] \left(\left[s'\right] E\right) = \left[s+s'\right] E.\] + %\end{remark} + + \begin{block}{The Group Action Inverse Problem (GAIP)} + Given two elements \(E,E' \in \mathcal E\), find \(g\in \mathcal G\) with + \[g\ast E = E'.\] + \end{block} +\end{frame} + +%\begin{frame} +% \frametitle{Secret Sharing Schemes} +% \begin{itemize} +% \item Distribute a secret \(s\) among shareholders \(P_1,\ldots, P_n\) via +% \[ \mathcal S.\share\paren* s\] +% \item Reconstruct a shared secret via +% \[ \SH.\rec\paren*{\set{s_i}_{P_i \in S'}} \] +% for an authorised set \(S'\in \Gamma\). 
+% \end{itemize} +% +% \begin{definition}[Superauthorised Sets] +% A \highlight{superauthorised set} of shareholders is a set \(S^\ast\), so that +% \[\forall P \in S^\ast \colon S^\ast \setminus\set{P} \in \Gamma.\] +% \end{definition} +% +%\end{frame} + +%\begin{frame}%[allowframebreaks] +% \frametitle{Key Exchange Mechanisms} +% \begin{center} +% \begin{tikzpicture} +% \begin{scope}[minimum size = .7cm] +% \node [alice] (alice) at (-3,0){Alice}; +% \node [bob] (bob) at (3,0){Bob}; +% \end{scope} +% %\pause +% \node [left = .5 of alice] (pair) {$\left(\sk,\pk\right)$}; +% %\node [above = 3 of alice] (pk) {$\pk$}; +% %\draw [->] (alice) -- (pk); +% %\pause +% \node [above = 2.5 of bob] (encaps) {$\encaps \paren* \pk$}; +% \node [above = 0.5 of bob] (keybob) {$\key$}; +% %\node [above = 2.5 of alice] (cipher) {$c$}; +% \node (cipher) at ($(encaps)+(-6,0)$) {$c$}; +% \draw [->] (encaps) -- (cipher); +% \draw [->] (encaps) -- (keybob); +% %\pause +% +% \node [above = 1.5 of alice] (decaps) {$\decaps\paren *{\sk,c}$}; +% \draw [->] (cipher) -- (decaps); +% +% \node [above = 0.5 of alice] (keyalice) {$\key$}; +% \draw [->] (decaps) -- (keyalice); +% +% \pause +% \node [draw, red, inner sep = -.1em, shape = rectangle, fit=(decaps)] {}; +% \end{tikzpicture} +% \end{center} +%\end{frame} + +%\begin{frame} +% \frametitle{Key Exchange Mechanisms in a HHS} +% \begin{center} +% \begin{pchstack}[center,space=3em] +% \procedure[space=auto]{$\keygen()$}{ +% \sk \sample \ZZ_p\\ +% \pk \gets \left[\sk\right] E_0\\ +% \pcreturn \left(\sk,\pk\right) +% } +% \vspace{1em} +% \procedure[space=auto]{$\encaps\paren* \pk$}{ +% b \sample \mathcal G\\ +% \key \gets b \ast \pk\\ +% c \gets b \ast E_0\\ +% \pcreturn \left(\key,c\right) +% } +% \vspace{1em} +% \procedure[space=auto]{$\decaps\paren*{\sk,c}$}{ +% \key \gets \left[\sk\right] c\\ +% \pcreturn \key +% } +% \end{pchstack} +%\end{center} +%\end{frame} + +\begin{frame} + \frametitle{Key Exchange Mechanisms w/ Shared Secret Key} + 
\begin{center} + \begin{pchstack}[center,space=5em] + \procedure[space=auto]{$\keygen()$}{ + \sk \sample \ZZ_p\\ + \pk \gets \left[\sk\right] E_0\\ + \pcreturn \left(\sk,\pk\right) + } + \vspace{1em} + \procedure[space=auto]{$\encaps\paren* \pk$}{ + b \sample \mathcal G\\ + \key \gets b \ast \pk\\ + c \gets b \ast E_0\\ + \pcreturn \left(\key,c\right) + } + \end{pchstack} + \end{center} + +\end{frame} + +\begin{frame} + \frametitle{Decapsulation w/ Shared Secret \cite{FeoM20}} + + \begin{center} + \begin{tikzpicture} + \def\radius{2cm} + \begin{scope}[minimum size = .7cm] + \node [charlie] (sh1) at (40:\radius) {$s_1$}; + \only<1-3>{ + \node [dave](sh2) at (140:\radius){$s_2$}; + } + \only<4>{ + \node [devil](sh2) at (140:\radius){$s_2$}; + } + \node [maninblack] (sh3) at (220:\radius){$s_3$}; + \node [physician] (sh4) at (320:\radius){$s_4$}; + \end{scope} + + \node (sk) at (0,0) {$\sk$}; + \draw [help lines] (sk) edge (sh1) edge (sh2) edge (sh3) edge (sh4); + + \pause + \node [right=of sh1] (cipher) {$E^0 = c$}; + \coordinate [left = of sh2] (bla) ; + \draw [->] (cipher) -- (sh1); + + \pause + \draw [->, >=Stealth, bend right] (sh1) edge node [midway, above] {$ E^1 = \left[L_{1,S'} s_1\right] E^0$} (sh2) ; + \only<1-3>{ + \draw [->, >=Stealth, bend right] (sh2) edge node [midway, left] {$ E^2 = \left[L_{2,S'} s_2\right] E^1$} (sh3) ; + } + \only<4>{ + \draw [->, >=Stealth, bend right] (sh2) edge node [midway, left, color = red] {$ {E^2} \neq \left[L_{2,S'} s_2\right] E^1$} (sh3) ; + } + \draw [->, >=Stealth, bend right] (sh3) edge node [midway, below] {$ E^3 = \left[L_{3,S'} s_3\right] E^2$} (sh4) ; + \node [right = of sh4] (key) {$\key = \left[L_{4,S'} s_4\right] E^3$}; + \draw [->] (sh4) -- (key); + + \end{tikzpicture} +% \only<4>{ +% \begin{tikzpicture} +% \def\radius{2cm} +% \begin{scope}[minimum size = .7cm] +% \node [charlie] (sh1) at (40:\radius) {$s_1$}; +% \node [devil](sh2) at (140:\radius){$s_2$}; +% \node [maninblack] (sh3) at (220:\radius){$s_3$}; +% 
\node [physician] (sh4) at (320:\radius){$s_4$}; +% \end{scope} +% +% \node (sk) at (0,0) {$\sk$}; +% \draw [help lines] (sk) edge (sh1) edge (sh2) edge (sh3) edge (sh4); +% +% %\pause +% \node [right=of sh1] (cipher) {$E^0 = c$}; +% \coordinate [left = of sh2] (bla) ; +% \draw [->] (cipher) -- (sh1); +% +% %\pause +% \draw [->, >=Stealth, bend right] (sh1) edge node [midway, above] {$ E^1 = \left[L_{1,S'} s_1\right] E^0$} (sh2) ; +% \draw [->, >=Stealth, bend right] (sh2) edge node [midway, left, color = red] {$ {E^2} \neq \left[L_{2,S'} s_2\right] E^1$} (sh3) ; +% \draw [->, >=Stealth, bend right] (sh3) edge node [midway, below] {$ E^3 = \left[L_{3,S'} s_3\right] E^2$} (sh4) ; +% \node [right = of sh4] (key) {$\key = \left[L_{4,S'} s_4\right] E^3$}; +% \draw [->] (sh4) -- (key); +% +% \end{tikzpicture} +% } + \end{center} +\end{frame} + +%\begin{comment} +%\begin{frame} +% \frametitle{Features of the Protocol} +% \begin{block}{Threshold Group Action} +% \[E^{\# S'} = \left[L_{j,S'}s_j\right] \left(\left[\ldots\right]E^{0}\right) = \left[\sum_{P_i\in S'} L_{i,S'}s_i\right] E^0 = \left[s\right] c.\] +% \end{block} +% \begin{block}{Advantages} +% \begin{itemize} +% \item Simulatable +% \item Authorised set of shareholders suffices +% \item Turn order is variable +% \end{itemize} +% \end{block} +% \pause +% \begin{problem} +% Passive security: misbehaving shareholders cannot be detected. 
+% \end{problem} +%\end{frame} +%\end{comment} + +%\begin{frame} +% \frametitle{A Misbehaving Shareholder} +% \begin{center} +% \begin{tikzpicture} +% \def\radius{2cm} +% \begin{scope}[minimum size = .7cm] +% \node [charlie] (sh1) at (40:\radius) {$s_1$}; +% \node [devil](sh2) at (140:\radius){$s_2$}; +% \node [maninblack] (sh3) at (220:\radius){$s_3$}; +% \node [physician] (sh4) at (320:\radius){$s_4$}; +% \end{scope} +% +% \node (sk) at (0,0) {$\sk$}; +% \draw [help lines] (sk) edge (sh1) edge (sh2) edge (sh3) edge (sh4); +% +% %\pause +% \node [right=of sh1] (cipher) {$E^0 = c$}; +% \coordinate [left = of sh2] (bla) ; +% \draw [->] (cipher) -- (sh1); +% +% %\pause +% \draw [->, >=Stealth, bend right] (sh1) edge node [midway, above] {$ E^1 = \left[L_{1,S'} s_1\right] E^0$} (sh2) ; +% \draw [->, >=Stealth, bend right] (sh2) edge node [midway, left, color = red] {$ {E^2} \neq \left[L_{2,S'} s_2\right] E^1$} (sh3) ; +% \draw [->, >=Stealth, bend right] (sh3) edge node [midway, below] {$ E^3 = \left[L_{3,S'} s_3\right] E^2$} (sh4) ; +% \node [right = of sh4] (key) {$\key = \left[L_{4,S'} s_4\right] E^3$}; +% \draw [->] (sh4) -- (key); +% +% \end{tikzpicture} +% \end{center} +% +%\end{frame} diff --git a/ACNS/live_presentation/notes.tex b/ACNS/live_presentation/notes.tex new file mode 100644 index 0000000..4f9daa8 --- /dev/null +++ b/ACNS/live_presentation/notes.tex 
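Review bot: The decapsulation frame already switches the second shareholder to the `devil` node and the red `\neq` edge via `\only<4>`, yet the same tikzpicture is kept as a commented-out copy inside that frame and once more in the commented-out "A Misbehaving Shareholder" frame; dead duplicates like these drift from the live picture over time and make the file hard to scan. Delete the two commented copies, or keep a single one marked with `% retired: superseded by \only<4> in the frame above`. The unused `\coordinate [left = of sh2] (bla) ;` in the live frame can go as well.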
@@ -0,0 +1,115 @@ +\documentclass[a4]{scrartcl} + +\usepackage[english]{babel} +\usepackage[utf8]{inputenc} +\usepackage[advantage,adversary,asymptotics,ff,keys,logic,mm,notions,operators,primitives,probability,sets]{cryptocode} +\DeclarePairedDelimiter{\paren}{\lparen}{\rparen} +\newcommand\keygen{\mathsf{KeyGen}} + +\begin{document} + \begin{enumerate} +% ------------------- Motivation ------------------- + \item Welcome and thank for your interest in our talk. We will in the next few minutes discuss our work "On Actively Secure Fine-Grained Access Structures from Isogeny Assumptions". This was joint work with Fabio Campos from RheinMain University in Wiesbaden. + \item Let us first set the stage. We will be moving in the context of hard homogeneous spaces today. The concept of hard homogeneous space was first introduced by Couveignes in 2006. Such a space consists of a set \(\mathcal E\) and a group \(\mathcal G\) combined with an action \(\ast\), that combines an element of \(\mathcal E\) with an element of \(\mathcal G\) and produces another element of the set \(\mathcal E\). + + The mapping \(\ast\) has some important properties, that we will make use of in this work. First, we have compatibility. That is, if we take two element \(g\) and \(g'\) from \(\mathcal G\) and an arbitrary element of \(\mathcal E\), it does not matter, whether we first apply \(g'\) and then \(g\) to \(E\) or we first combine \(g\) and \(g'\). + Second, we have the identity property. This means, that when we take the identity element of \(\mathcal G\) and combine it with an element of \(\mathcal E\), it stays unchanged. This must only hold for the identity element \(i\) of \(\mathcal G\). + And third, we consider transitivity. This says, that for any two elements of \(\mathcal E\), there exists exactly one \(g\) in \(\mathcal G\), that connects them. 
+ + \item We will use the bracket notation throughout this work, for which we fix an element \(g\) in \(\mathcal G\) with a prime order \(p\). For any \(s\) in \(\ZZ\) modulo \(p\) and any \(E\) in \(\mathcal E\), we then abbreviate \(g^s\) combined with \(E\) as \(\left[s\right] E\). + + The compatibility property then of course gives us the remarked equality. + + In a hard homogeneous space, we assume, that the group action inverse problem is hard to break. This means, that given two element \(E\) and \(E'\), the probability of providing a \(g\) that connects them both is negligible in an implied security parameter. + + \item We shall quickly cover secret sharing schemes, since everyone is likely to be familiar with the concept. We take a set of shareholders \(P_1,\ldots, P_n\). Among these a secret can be shared via the sharing protocol. And an authorised set of shareholders can reconstruct a secret from their shares via the reconstruction protocol. In the case of Shamir sharing -- in which we give the basic version of our protocol -- this means that any set with at as many members as a fixed threshold can reconstruct the secret. + + We define the set of superauthorised sets of shareholders, that is sets, from which we can kick an arbitrary shareholder, and they are still authorised. We shall see the necessity of this definition later on. + + \item Now let us have a look at the definition of a key exchange mechanism. We have two parties, Alice and Bob. Alice has a secret and a public key. Alice publishes the public key and keeps the secret key to herself. Bob can now take the public key and run the so-called encapsulation protocol on it. This gives him a key \(\key\) and a ciphertext \(c\), that he can send to Alice. Alice in turn runs the decapsulation on the ciphertext with her secret key \(\sk\) and also gets a key \(\key\). The keys they both receive should coincide. We will take a closer look at the decapsulation protocol specifically in this work. 
+ + \item A key exchange mechanism in the context of a hard homogeneous space could look like this: For key generation, we sample the secret key \(\sk\) from \(\ZZ_p\). The public key is simply \(\sk\) applied to a publicly known and fixed \(E_0\). + + For the encapsulation protocol, we take a random \(b\in \mathcal G\). The ephemeral key \(\key\) is simply \(b\) connected to the public key and the ciphertext is \(b\) applied to \(E_0\). + + And decapsulation is handled by applying the secret key to the ciphertext. + + \item Let us consider the following setting: Alice does not hold the secret key herself, but it is shared in a secret sharing scheme. This does have some advantages. For example, she cannot lose the key or leak it. On the other hand, she must always ask the shareholders for the key, if she wants to decapsulate a ciphertext. Or does she? It turns out, that she does not. DeFeo and Meyer proposed a protocol in a Shamir setting, in which a decapsulation can be executed by the shareholders without reconstructing the secret key. For that we assume an authorised set of shareholders, say \(S'\), comes together and receives a ciphertext as input. Each shareholder holds a share \(s_1\) to \(s_4\) of the secret key. They fix a turn order and one after the other apply their share to the respective input. More precisely, the first shareholders applies \(L_{1,S'} s_1\) to the ciphertext and passes the result on to the second shareholder. He in turn applies \(L_{2,S'} s_2\) and so on. \(L_{i,S'}\) denotes the Lagrange interpolation coefficient. The last shareholder's output is then the result of the decapsulation. + + \item But why does this work? We take a quick look at the so-called threshold group action. We see, that the result of this round-robin approach turns out to be simply the reconstructed secret key to the ciphertext. So actually, this is the previous decapsulation, but executed by a set of shareholders instead of the owner of the key. 
+ + DeFeo and Meyer showed, that this protocol is simulatable, even if we suspect, that their proof was not entirely correct, the statement nevertheless holds true. Their approach has two nice features, that is you do not need all shareholders but only an authorised set. And their turn order is not fixed, but can be arranged in any suitable way. + + The problem however is, that their protocol is only passively secure. + + \item That is, a misbehaving shareholder, as we depicted here, cannot be detected. One, because his share is obviously unknown to all other parties. And two, it cannot be computed from his input and output. + +% ------------------- Actively Secure Key Exchange Mechanism ------------------- + \item We will use two measures to achieve active security in the decapsulation protocol. + First, we have a zero-knowledge proof of knowledge in the context of a hard homogeneous space. For that we take a secret \(s\) and a list of tuples \(\left(E_i,E_i'\right)\) in \(\mathcal E\). Each \(E_i'\) results from applying \(s\) to \(E_i\). A prover thus proves knowledge of \(s\) beyond reasonable doubt without revealing \(s\). The protocol for this is non-interactive. + + And second, we use a piecewise verifiable proof. Consider for that a statement \(x\), that consists of a pair \(\left(E_0,E_1\right)\) and a list of \(s_i\)'s in \(\ZZ_p\). A PVP proves knowledge of a polynomial \(f\) in \(\ZZ_p\), that connects \(E_0\) and \(E_1\) and also interpolates the values \(s_i\). The protocol for this is again non-interactive. + + \item So the challenges that we face are the following. + One, the PVP as stated before and discussed by Beullens et al. does not consider the threshold setting. It always proves each interpolation point and does not consider, that not a secret, but a multiple of it is used in the decapsulation. We need to amend that to fit our needs. 
+ + Two, we must marry the zero-knowledge proof and the PVP with the decapsulation protocol in order to achieve active security. + + And three, we should prove, that the protocol, that we get from this, is simulatable, as the original protocol by DeFeo and Meyer was. + + \item We skip the precise modified protocols, since they do not offer much insight. The changes we had to make were mostly on the technical side. + + Now, for our key exchange mechanism we need a key generation protocol, an encapsulation and a decapsulation protocol. Let us start with the key generation protocol. This looks quite a bit different from the one we showed before. We apply, what we call a "two-level" sharing. That is, we let the dealer sample the secret key and compute the public key as before. The secret key is then shared among \(P_1,\ldots,P_n\). But each share of \(\sk\) is shared once more by the dealer, so that each shareholder eventually receives his share \(s_i\) of the secret key, the polynomial \(f_i\), with which his share was shared once more and a share of each other share of the secret key. + + \item The encapsulation protocol stays unchanged, since the secret shared secret key does not concern it. + + %superauthorised set + \item The decapsulation protocol looks quite different from the one we sketched before. We show the turn of a shareholder \(P_i\), that is engaged in an execution of the decapsulation protocol. Let us say, that \(P_i\) is the \(k\)-th shareholder in the turn order and that a superauthorised set of shareholders executes the decapsulation. + + \(P_i\) gets \(E^{k-1}\) as input either with \(E^0\) being the ciphertext or the output of the shareholder, whose turn is was before. If \(E^{k-1}\) is not in \(\mathcal E\), then \(P_i\) simply stops and the protocol aborts. + + Otherwise, \(P_i\) samples a random \(R_k\) from the set \(\mathcal E\) and computes \(R_k'\) by applying \(L_{i,S^\ast}\) to \(R_k\). 
+ + Now \(P_i\) generates a piecewise verifiable proof, that proves knowledge of the polynomial \(f_i\), so that \(L_{i,S^\ast} f_i\paren* 0\) connects \(R_k\) and \(R_k'\) and interpolates the values \(f_i\paren* j\), of all other participating shareholders. Furthermore, \(P_i\) computes his contribution to the decapsulation \(E^k\) as he did in the passively secure protocol. And he computes the zero-knowledge proof, that shows, that he knows \(L_{i,S^\ast} s_i\) and also, that both \(E^k\) and \(E^{k-1}\) as well as \(R_k\) and \(R_k'\) are connected by it. In combination, this proves that \(R_k\) and \(R_k'\) and \(E^{k-1}\) and \(E^k\) are connected by the same element, and that the connecting element coincides with the one, that was shared by the dealer. + + \item As a fourth step, all other participants, verify the proofs, that \(P_i\) has published. + + If \(P_i\) misbehaved, the protocol is restarted and \(P_i\) is excluded from future runs. + + The last shareholder eventually outputs \(E^{\# S^\ast}\) as the result of the decapsulation. + + \item Our key exchange mechanism has the following qualities. It is IND-CPA. This means, that given a public key \(\pk\), a ciphertext \(c\) and two potential keys, an adversary cannot distinguish which one is linked to the ciphertext. We skip the precise security game here. + + Also, our decapsulation protocol is simulatable. We proved this in reducing the group action inverse problem to distinguishing the output of a concrete simulator from a real transcript in a series of gamehops. + + And third, the decapsulation is actively secure, in that if a shareholder can provide an incorrect input to the decapsulation without being detected by the other participants, then he can either the zero-knowledge proof or the piecewise verifiable proof. + + \item We come to a little bonus, that we derive from our key exchange mechanism. We apply the Fiat-Shamir-transform to our scheme to obtain an actively secure signature scheme. 
One may wonder, what why one would need an actively secure signature scheme. After all, if a signature was computed incorrectly, this can obviously be seen, from the verification of the signature failing. But in a setting, where multiple shareholders participate generating a signature, this does not identify the shareholder, who misbehaved. Our protocol can do just that. + + For a signature scheme, we need the protocols. A key generation protocol, a signing protocol and a verifying protocol. We simply keep the \(\keygen\) protocol from the key exchange mechanism. That is, a dealer samples a secret key, computes and publishes the public key and shares the secret key among the shareholders in a two-level sharing. We then apply the Fiat-Shamir-transform to our decapsulation protocol. Traditionally, this transform is to be applied to identification schemes, not key exchange mechanisms. One can however consider our decapuslation protocol as an identification scheme in that a successful decapsulation identifies the executing set of shareholders as authorised, that is it holds the secret key. This gives us a non-interactive signing protocol. The verifying protocol comes naturally with the signing protocol. + + \item We come to our last contribution and -- to be honest -- the initial motivation for this work. We discuss, which secret sharing schemes we can instantiate our key exchange mechanism with other than the traditional Shamir scheme. For that, we first define the characteristics, that a secret sharing must have to be compatible with our protocols. + First, it needs independent reconstruction. This means, that the input of a shareholder in reconstructing a secret must not depend on what the other shareholders gave as input. We need this, since each share is hidden due to the group action inverse problem, so no participant can see any share but his own. + Second, we need self-contained reconstruction. 
This enables the two-level sharing, for which the shares of a secret live in the same space as the secret so that they can be shared once more. + And third the secret sharing scheme must be compatible with the zero-knowledge proof and the piecewise verifiable proof in the hard homogeneous space. + + \item Let us have a quick look at some examples of secret sharing schemes and see, whether they are compatible with our key exchange mechanism. + Shamir's secret sharing scheme obviously is compatible, we gave our protocols in the context of it. + + Tassa gave a fascinating extension of Shamir's approach in his hierarchical threshold secret sharing scheme. It is also based on polynomial interpolation, yet the lower in the hierarchy you go, the higher the degree of the derivation of the original polynomial becomes, of which a shareholder gets interpolation points. It is directly compatible with our protocols, be it with some tweaks to the PVP and the zero-knowledge proof. + + Damgard and Thorbek proposed a secret sharing scheme, in which integer secret rather than secrets from \(\ZZ_p\) are shared. The confidentiality of their scheme is only computational, so we deem it incompatible with our protocol. + + The simplest of all secret sharing schemes, that is additive secret sharing, is incompatible with our key exchange mechanism, since it cannot provide any superauthorised sets and therefore does not enable a piecewise verifiable proof. + + \item In conclusion, we proposed an actively secure key exchange mechanism in which the secret key is shared among a set of shareholders, that enables decapsulation without reconstructing the secret key. We proved the decapsulation protocol simulatable and actively secure, that is an adversary cannot learn any information from an execution and cannot interfere by providing false input without detection. 
The key exchange mechanism is also indistinguishable under chosen message attack, that is nothing can be learned about an encapsulated key from the corresponding ciphertext. + + For this aim, we transferred the PVP and zero-knowledge proof to the threshold setting. + + We furthermore transformed the key exchange mechanism into a signature scheme with active security. + + And lastly, we characterised the properties, that a secret sharing scheme has to have in order to be compatible with the key exchange mechanism and the signature scheme. + \end{enumerate} + +\end{document} + diff --git a/ACNS/live_presentation/pqc.bib b/ACNS/live_presentation/pqc.bib new file mode 100644 index 0000000..ef81628 --- /dev/null +++ b/ACNS/live_presentation/pqc.bib 
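Review bot: The conclusion paragraph calls the scheme "indistinguishable under chosen message attack", but IND-CPA, as the qualities item earlier in the same file correctly describes it, is indistinguishability under chosen plaintext attack; "chosen message" is the attack model of signature unforgeability (EUF-CMA) and would confuse the audience, so the line should read `indistinguishable under chosen plaintext attack`. The active-security sentence in that qualities item is missing its verb and should say `then he can break either the zero-knowledge proof or the piecewise verifiable proof`. Two smaller slips to fix in the same pass: `whose turn it was before` and `decapsulation protocol` for "decapuslation protocol".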
@@ -0,0 +1,493 @@ +@inproceedings{DBLP:conf/crypto/DonFMS19, + author = {Jelle Don and + Serge Fehr and + Christian Majenz and + Christian Schaffner}, + editor = {Alexandra Boldyreva and + Daniele Micciancio}, + title = {Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle + Model}, + booktitle = {Advances in Cryptology - {CRYPTO} 2019 - 39th Annual International + Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2019, + Proceedings, Part {II}}, + series = {Lecture Notes in Computer Science}, + volume = {11693}, + pages = {356--383}, + publisher = {Springer}, + year = {2019}, + url = {https://doi.org/10.1007/978-3-030-26951-7\_13}, + doi = {10.1007/978-3-030-26951-7\_13}, + timestamp = {Fri, 09 Apr 2021 18:35:29 +0200}, + biburl = {https://dblp.org/rec/conf/crypto/DonFMS19.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/eurocrypt/BonnetainS20, + author = {Xavier Bonnetain and + Andr{\'{e}} Schrottenloher}, + editor = {Anne Canteaut and + Yuval Ishai}, + title = {Quantum Security Analysis of {CSIDH}}, + booktitle = {Advances in Cryptology - {EUROCRYPT} 2020 - 39th Annual International + Conference on the Theory and Applications of Cryptographic Techniques, + Zagreb, Croatia, May 10-14, 2020, Proceedings, Part {II}}, + series = {Lecture Notes in Computer Science}, + volume = {12106}, + pages = {493--522}, + publisher = {Springer}, + year = {2020}, + url = {https://doi.org/10.1007/978-3-030-45724-2\_17}, + timestamp = {Mon, 04 May 2020 14:35:02 +0200}, + biburl = {https://dblp.org/rec/conf/eurocrypt/BonnetainS20.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/eurocrypt/Peikert20, + author = {Chris Peikert}, + editor = {Anne Canteaut and + Yuval Ishai}, + title = {He Gives C-Sieves on the {CSIDH}}, + booktitle = {Advances in Cryptology - {EUROCRYPT} 2020 - 39th Annual International + Conference on the Theory and Applications 
of Cryptographic Techniques, + Zagreb, Croatia, May 10-14, 2020, Proceedings, Part {II}}, + series = {Lecture Notes in Computer Science}, + volume = {12106}, + pages = {463--492}, + publisher = {Springer}, + year = {2020}, + url = {https://doi.org/10.1007/978-3-030-45724-2\_16}, + timestamp = {Mon, 04 May 2020 14:35:02 +0200}, + biburl = {https://dblp.org/rec/conf/eurocrypt/Peikert20.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@misc{Brandao_Davidson_Vassilev_2020, +title={{NIST roadmap toward criteria for threshold schemes for cryptographic primitives}}, +url={http://dx.doi.org/10.6028/NIST.IR.8214A}, +institution={National Institute of Standards and Technology}, +author={Brandao, Luis T A N and Davidson, Michael and Vassilev, Apostol}, +year={2020}, +month={Jul} } + +@inproceedings{DBLP:conf/ccs/LindellN18, + author = {Yehuda Lindell and + Ariel Nof}, + editor = {David Lie and + Mohammad Mannan and + Michael Backes and + XiaoFeng Wang}, + title = {Fast Secure Multiparty {ECDSA} with Practical Distributed Key Generation + and Applications to Cryptocurrency Custody}, + booktitle = {Proceedings of the 2018 {ACM} {SIGSAC} Conference on Computer and + Communications Security, {CCS} 2018, Toronto, ON, Canada, October + 15-19, 2018}, + pages = {1837--1854}, + publisher = {{ACM}}, + year = {2018}, + url = {https://doi.org/10.1145/3243734.3243788}, + timestamp = {Tue, 10 Nov 2020 20:00:51 +0100}, + biburl = {https://dblp.org/rec/conf/ccs/LindellN18.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@article{DBLP:journals/iacr/Couveignes06, + author = {Jean Marc Couveignes}, + title = {Hard Homogeneous Spaces}, + journal = {{IACR} Cryptol. 
ePrint Arch.}, + pages = {291}, + year = {2006}, + url = {http://eprint.iacr.org/2006/291}, + timestamp = {Mon, 11 May 2020 16:00:12 +0200}, + biburl = {https://dblp.org/rec/journals/iacr/Couveignes06.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + + +@inproceedings{DBLP:conf/pqcrypto/CozzoS20, + author = {Daniele Cozzo and + Nigel P. Smart}, + editor = {Jintai Ding and + Jean{-}Pierre Tillich}, + title = {Sashimi: Cutting up {CSI-FiSh} Secret Keys to Produce an Actively Secure + Distributed Signing Protocol}, + booktitle = {Post-Quantum Cryptography - 11th International Conference, PQCrypto + 2020, Paris, France, April 15-17, 2020, Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {12100}, + pages = {169--186}, + publisher = {Springer}, + year = {2020}, + url = {{https://doi.org/10.1007/978-3-030-44223-1\_10}}, + timestamp = {Mon, 04 May 2020 13:23:15 +0200}, + biburl = {https://dblp.org/rec/conf/pqcrypto/CozzoS20.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/asiacrypt/BeullensKV19, + author = {Ward Beullens and + Thorsten Kleinjung and + Frederik Vercauteren}, + editor = {Steven D. 
Galbraith and + Shiho Moriai}, + title = {{CSI-FiSh:} Efficient Isogeny Based Signatures Through Class Group Computations}, + booktitle = {Advances in Cryptology - {ASIACRYPT} 2019 - 25th International Conference + on the Theory and Application of Cryptology and Information Security, + Kobe, Japan, December 8-12, 2019, Proceedings, Part {I}}, + series = {Lecture Notes in Computer Science}, + volume = {11921}, + pages = {227--247}, + publisher = {Springer}, + year = {2019}, + url = {{https://doi.org/10.1007/978-3-030-34578-5\_9}}, + timestamp = {Tue, 26 Nov 2019 14:13:27 +0100}, + biburl = {https://dblp.org/rec/conf/asiacrypt/BeullensKV19.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + + +@inproceedings{DBLP:conf/ima/CozzoS19, + author = {Daniele Cozzo and + Nigel P. Smart}, + editor = {Martin Albrecht}, + title = {Sharing the {LUOV:} Threshold Post-quantum Signatures}, + booktitle = {Cryptography and Coding - 17th {IMA} International Conference, {IMACC} + 2019, Oxford, UK, December 16-18, 2019, Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {11929}, + pages = {128--153}, + publisher = {Springer}, + year = {2019}, + url = {https://doi.org/10.1007/978-3-030-35199-1\_7}, + timestamp = {Thu, 19 Dec 2019 09:27:27 +0100}, + biburl = {https://dblp.org/rec/conf/ima/CozzoS19.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + + +@inproceedings{DBLP:conf/africacrypt/TraversoD018, + author = {Giulia Traverso and + Denise Demirel and + Johannes Buchmann}, + editor = {Antoine Joux and + Abderrahmane Nitaj and + Tajjeeddine Rachidi}, + title = {Performing Computations on Hierarchically Shared Secrets}, + booktitle = {Progress in Cryptology - {AFRICACRYPT} 2018 - 10th International Conference + on Cryptology in Africa, Marrakesh, Morocco, May 7-9, 2018, Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {10831}, + pages = {141--161}, + publisher = {Springer}, + year = 
{2018}, + url = {{https://doi.org/10.1007/978-3-319-89339-6\_9}}, + timestamp = {Tue, 14 May 2019 10:00:52 +0200}, + biburl = {https://dblp.org/rec/conf/africacrypt/TraversoD018.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/icits/TraversoDB16, + author = {Giulia Traverso and + Denise Demirel and + Johannes Buchmann}, + editor = {Anderson C. A. Nascimento and + Paulo S. L. M. Barreto}, + title = {Dynamic and Verifiable Hierarchical Secret Sharing}, + booktitle = {Information Theoretic Security - 9th International Conference, {ICITS} + 2016, Tacoma, WA, USA, August 9-12, 2016, Revised Selected Papers}, + series = {Lecture Notes in Computer Science}, + volume = {10015}, + pages = {24--43}, + year = {2016}, + url = {https://doi.org/10.1007/978-3-319-49175-2\_2}, + timestamp = {Mon, 16 Nov 2020 15:55:52 +0100}, + biburl = {https://dblp.org/rec/conf/icits/TraversoDB16.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/fc/HerranzS03, + author = {Javier Herranz and + Germ{\'{a}}n S{\'{a}}ez}, + editor = {Rebecca N. Wright}, + title = {Verifiable Secret Sharing for General Access Structures, with Application + to Fully Distributed Proxy Signatures}, + booktitle = {Financial Cryptography, 7th International Conference, {FC} 2003, Guadeloupe, + French West Indies, January 27-30, 2003, Revised Papers}, + series = {Lecture Notes in Computer Science}, + volume = {2742}, + pages = {286--302}, + publisher = {Springer}, + year = {2003}, + url = {{https://doi.org/10.1007/978-3-540-45126-6\_21}}, + timestamp = {Tue, 14 May 2019 10:00:38 +0200}, + biburl = {https://dblp.org/rec/conf/fc/HerranzS03.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/eurocrypt/Stadler96, + author = {Markus Stadler}, + editor = {Ueli M. 
Maurer}, + title = {Publicly Verifiable Secret Sharing}, + booktitle = {Advances in Cryptology - {EUROCRYPT} '96, International Conference + on the Theory and Application of Cryptographic Techniques, Saragossa, + Spain, May 12-16, 1996, Proceeding}, + series = {Lecture Notes in Computer Science}, + volume = {1070}, + pages = {190--199}, + publisher = {Springer}, + year = {1996}, + url = {https://doi.org/10.1007/3-540-68339-9\_17}, + timestamp = {Tue, 14 May 2019 10:00:53 +0200}, + biburl = {https://dblp.org/rec/conf/eurocrypt/Stadler96.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/crypto/Pedersen91, + author = {Torben P. Pedersen}, + editor = {Joan Feigenbaum}, + title = {Non-Interactive and Information-Theoretic Secure Verifiable Secret + Sharing}, + booktitle = {Advances in Cryptology - {CRYPTO} '91, 11th Annual International Cryptology + Conference, Santa Barbara, California, USA, August 11-15, 1991, Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {576}, + pages = {129--140}, + publisher = {Springer}, + year = {1991}, + url = {{https://doi.org/10.1007/3-540-46766-1\_9}}, + timestamp = {Fri, 17 Jul 2020 16:12:45 +0200}, + biburl = {https://dblp.org/rec/conf/crypto/Pedersen91.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/asiacrypt/BackesKP11, + author = {Michael Backes and + Aniket Kate and + Arpita Patra}, + editor = {Dong Hoon Lee and + Xiaoyun Wang}, + title = {Computational Verifiable Secret Sharing Revisited}, + booktitle = {Advances in Cryptology - {ASIACRYPT} 2011 - 17th International Conference + on the Theory and Application of Cryptology and Information Security, + Seoul, South Korea, December 4-8, 2011. 
Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {7073}, + pages = {590--609}, + publisher = {Springer}, + year = {2011}, + url = {https://doi.org/10.1007/978-3-642-25385-0\_32}, + timestamp = {Tue, 14 May 2019 10:00:40 +0200}, + biburl = {https://dblp.org/rec/conf/asiacrypt/BackesKP11.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/ccs/BethKO93, + author = {Thomas Beth and + Hans{-}Joachim Knobloch and + Marcus Otten}, + editor = {Dorothy E. Denning and + Raymond Pyle and + Ravi Ganesan and + Ravi S. Sandhu and + Victoria Ashby}, + title = {Verifiable Secret Sharing for Monotone Access Structures}, + booktitle = {{CCS} '93, Proceedings of the 1st {ACM} Conference on Computer and + Communications Security, Fairfax, Virginia, USA, November 3-5, 1993}, + pages = {189--194}, + publisher = {{ACM}}, + year = {1993}, + url = {https://doi.org/10.1145/168588.168612}, + timestamp = {Tue, 10 Nov 2020 20:00:40 +0100}, + biburl = {https://dblp.org/rec/conf/ccs/BethKO93.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/tcc/Tassa04, + author = {Tamir Tassa}, + editor = {Moni Naor}, + title = {Hierarchical Threshold Secret Sharing}, + booktitle = {Theory of Cryptography, First Theory of Cryptography Conference, {TCC} + 2004, Cambridge, MA, USA, February 19-21, 2004, Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {2951}, + pages = {473--490}, + publisher = {Springer}, + year = {2004}, + url = {{https://doi.org/10.1007/978-3-540-24638-1\_26}}, + timestamp = {Tue, 14 May 2019 10:00:47 +0200}, + biburl = {https://dblp.org/rec/conf/tcc/Tassa04.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@article{DBLP:journals/iacr/Thorbek09, + author = {Rune Thorbek}, + title = {Proactive Linear Integer Secret Sharing}, + journal = {{IACR} Cryptol. 
ePrint Arch.}, + pages = {183}, + year = {2009}, + url = {http://eprint.iacr.org/2009/183}, + timestamp = {Mon, 11 May 2020 15:58:29 +0200}, + biburl = {https://dblp.org/rec/journals/iacr/Thorbek09.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/pkc/DamgardT06, + author = {Ivan Damg{\aa}rd and + Rune Thorbek}, + editor = {Moti Yung and + Yevgeniy Dodis and + Aggelos Kiayias and + Tal Malkin}, + title = {Linear Integer Secret Sharing and Distributed Exponentiation}, + booktitle = {Public Key Cryptography - {PKC} 2006, 9th International Conference + on Theory and Practice of Public-Key Cryptography, New York, NY, USA, + April 24-26, 2006, Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {3958}, + pages = {75--90}, + publisher = {Springer}, + year = {2006}, + url = {{https://doi.org/10.1007/11745853\_6}}, + timestamp = {Fri, 01 May 2020 18:32:25 +0200}, + biburl = {https://dblp.org/rec/conf/pkc/DamgardT06.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/pqcrypto/BeullensDPV21, + author = {Ward Beullens and + Lucas Disson and + Robi Pedersen and + Frederik Vercauteren}, + editor = {Jung Hee Cheon and + Jean{-}Pierre Tillich}, + title = {{CSI-RAShi:} Distributed Key Generation for {CSIDH}}, + booktitle = {Post-Quantum Cryptography - 12th International Workshop, PQCrypto + 2021, Daejeon, South Korea, July 20-22, 2021, Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {12841}, + pages = {257--276}, + publisher = {Springer}, + year = {2021}, + url = {{https://doi.org/10.1007/978-3-030-81293-5\_14}}, + timestamp = {Wed, 21 Jul 2021 15:51:05 +0200}, + biburl = {https://dblp.org/rec/conf/pqcrypto/BeullensDPV21.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + + +@Article{Shamir:1979:HSS, + author = {Adi Shamir}, + title = {How to Share a Secret}, + journal = {Commun. 
{ACM}}, + volume = {22}, + number = {11}, + pages = {612--613}, + year = {1979}, + url = {http://doi.acm.org/10.1145/359168.359176}, + timestamp = {Wed, 14 Nov 2018 10:22:34 +0100}, + biburl = {https://dblp.org/rec/journals/cacm/Shamir79.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@InProceedings{Blakley:1979:SCK, + author = "G. R. Blakley", + title = "Safeguarding cryptographic keys", + editor = "Richard E. Merwin and Jacqueline T. Zanca and Merlin. + Smith", + booktitle = "1979 National Computer Conference: June 4--7, 1979, + New York, New York", + volume = "48", + publisher = "AFIPS Press", + address = "pub-AFIPS:adr", + series = "AFIPS Conference proceedings", + pages = "313--317", + year = "1979", + bibdate = "Fri Nov 20 15:54:39 MST 1998", + bibsource = "http://www.math.utah.edu/pub/tex/bib/cryptography.bib", + acknowledgement = "Nelson H. F. Beebe, University of Utah, Department + of Mathematics, 110 LCB, 155 S 1400 E RM 233, Salt Lake + City, UT 84112-0090, USA, Tel: +1 801 581 5254, FAX: +1 + 801 581 4148, e-mail: \path|beebe@math.utah.edu|, + \path|beebe@acm.org|, \path|beebe@computer.org| + (Internet), URL: + \path|http://www.math.utah.edu/~beebe/|", + referencedin = "Referenced in \cite[Ref. 3]{Canetti:1997:PSL}, + \cite[Ref. 2]{Gemmell:1997:ITC}.", + xxauthor = "R. 
Blakley", +} + +@inproceedings{LindellN18, + author = {Yehuda Lindell and + Ariel Nof}, + editor = {David Lie and + Mohammad Mannan and + Michael Backes and + XiaoFeng Wang}, + title = {Fast Secure Multiparty {ECDSA} with Practical Distributed Key Generation + and Applications to Cryptocurrency Custody}, + booktitle = {Proceedings of the 2018 {ACM} {SIGSAC} Conference on Computer and + Communications Security, {CCS} 2018, Toronto, ON, Canada, October + 15-19, 2018}, + pages = {1837--1854}, + publisher = {{ACM}}, + year = {2018}, + url = {https://doi.org/10.1145/3243734.3243788}, + timestamp = {Tue, 10 Nov 2020 20:00:51 +0100}, + biburl = {https://dblp.org/rec/conf/ccs/LindellN18.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DoernerKLS19, + author = {Jack Doerner and + Yashvanth Kondi and + Eysa Lee and + Abhi Shelat}, + title = {Threshold {ECDSA} from {ECDSA} Assumptions: The Multiparty Case}, + booktitle = {2019 {IEEE} Symposium on Security and Privacy, {SP} 2019, San Francisco, + CA, USA, May 19-23, 2019}, + pages = {1051--1066}, + publisher = {{IEEE}}, + year = {2019}, + url = {https://doi.org/10.1109/SP.2019.00024}, + timestamp = {Wed, 16 Oct 2019 14:14:51 +0200}, + biburl = {https://dblp.org/rec/conf/sp/DoernerKLS19.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DoernerKLS18, + author = {Jack Doerner and + Yashvanth Kondi and + Eysa Lee and + Abhi Shelat}, + title = {Secure Two-party Threshold {ECDSA} from {ECDSA} Assumptions}, + booktitle = {2018 {IEEE} Symposium on Security and Privacy, {SP} 2018, Proceedings, + 21-23 May 2018, San Francisco, California, {USA}}, + pages = {980--997}, + publisher = {{IEEE} Computer Society}, + year = {2018}, + url = {https://doi.org/10.1109/SP.2018.00036}, + timestamp = {Wed, 16 Oct 2019 14:14:51 +0200}, + biburl = {https://dblp.org/rec/conf/sp/DoernerKLS18.bib}, + bibsource = {dblp computer science bibliography, 
https://dblp.org} +} + +@inproceedings{FeoM20, + author = {Luca De Feo and + Michael Meyer}, + editor = {Aggelos Kiayias and + Markulf Kohlweiss and + Petros Wallden and + Vassilis Zikas}, + title = {Threshold Schemes from Isogeny Assumptions}, + booktitle = {Public-Key Cryptography - {PKC} 2020 - 23rd {IACR} International Conference + on Practice and Theory of Public-Key Cryptography, Edinburgh, UK, + May 4-7, 2020, Proceedings, Part {II}}, + series = {Lecture Notes in Computer Science}, + volume = {12111}, + pages = {187--212}, + publisher = {Springer}, + year = {2020}, + url = {{https://doi.org/10.1007/978-3-030-45388-6\_7}}, + timestamp = {Fri, 22 May 2020 21:56:39 +0200}, + biburl = {https://dblp.org/rec/conf/pkc/FeoM20.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} diff --git a/ACNS/live_presentation/preamble.tex b/ACNS/live_presentation/preamble.tex new file mode 100644 index 0000000..2703d9f --- /dev/null +++ b/ACNS/live_presentation/preamble.tex 
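Review bot: The Lindell–Nof CCS 2018 paper is present twice, as `DBLP:conf/ccs/LindellN18` and again as `LindellN18` near the end of the file, with identical fields; if both keys get cited the bibliography lists the paper twice, so one key should be kept and cited consistently. In the `Blakley:1979:SCK` entry, `address = "pub-AFIPS:adr"` is the name of a string abbreviation from the Utah cryptography bib rather than its expansion; quoted like this, BibTeX prints the literal text, so the field should be dropped or replaced with the actual address. Minor: several `url` fields are double-braced (`url = {{https://...}}`) while the rest are single-braced, and only `DBLP:conf/crypto/DonFMS19` carries a separate `doi` field, so how DOIs appear in the rendered bibliography will vary between entries depending on the style's url/doi handling.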
@@ -0,0 +1,142 @@ +%\KOMAoptions{fontsize=10pt} +%\KOMAoptions{paper=a4} +\usepackage[T1]{fontenc} +\usepackage{xurl} +%\usepackage{concmath} +\usepackage{subfiles} +\usepackage[title]{appendix} +%\usepackage{appendix} +%\usepackage{subcaption} +\usepackage[titlenumbered,ruled]{algorithm2e} +\newcommand\assignTo[2]{#1 \leftarrow #2} +%\usepackage{todonotes} %remove for submission +%\let\labelindent\relax +%\usepackage{enumitem} +\usepackage[english]{babel} +\usepackage[utf8]{inputenc} +\usepackage{amsmath} +\usepackage{amssymb} +%\usepackage{amsthm} +\usepackage{mathtools} +\usepackage{thmtools} +\usepackage{relsize} +\usepackage{graphicx} +\usepackage{flushend} +%\usepackage{natbib} +%\usepackage{cite} +%\usepackage{algorithm} +%\usepackage{algpseudocode} +%\usepackage{algorithmicx} +\usepackage[advantage,adversary,asymptotics,ff,keys,logic,mm,notions,operators,primitives,probability,sets]{cryptocode} + +%\usepackage[top=3cm, bottom=3cm, left=3cm, right=3cm]{geometry} +\usepackage{verbatim} +\usepackage{color} +\usepackage[nice]{nicefrac} +%\usepackage{forloop} + +\usepackage[super]{nth} + +\usepackage{chngcntr} +\counterwithout{footnote}{subsection} + +\usepackage{hyphenat} + +\usepackage{tikz} +\usetikzlibrary{arrows,calc,fit, matrix,intersections,positioning, through} +\usepackage{tikzpeople} +\usepackage{tcolorbox} + +%\usepackage{titlesec} +%\titleformat{name=\section}[runin]{\large\normalfont\bf}{\thesection}{.5em}{} +%\titleformat{name=\subsection}[runin]{\large\normalfont\bf}{\thesubsection}{.5em}{} +%\titleformat{name=\subsubsection}[runin]{\large\normalfont\bf}{\thesubsubsection}{.5em}{} + +\usepackage{hyperref} +\hypersetup{ + colorlinks=true, + linktoc=section, + linkcolor=blue, + urlcolor=red, + citecolor=blue, +} +\providecommand\algoref[1]{\hyperref[#1]{Algorithm \ref{#1}}} +\providecommand\secref[1]{\hyperref[#1]{Section \ref{#1}}} + +\begin{comment} +\newtheoremstyle{Satz} + {\topsep} + {\topsep} + {} + {} + {\bfseries} + {\newline} + {.5em} + {} 
+\end{comment} + +%\theoremstyle{Satz} +%\newtheorem{thm}{Theorem} +%\newtheorem*{thm*}{Theorem} +%\newtheorem{lem}[thm]{Lemma} +%\newtheorem{prop}[thm]{Proposition} +%\newtheorem{cor}[thm]{Corollary} +%\newtheorem{defin}[thm]{Definition} +%\newtheorem{thm+def}{Theorem and Definition} +%\newtheorem{exm}[thm]{Example} +\newtheorem*{remark}{Remark} +%\newtheorem{problem}{Problem} + +\numberwithin{equation}{section} +%\numberwithin{thm}{section} +%\numberwithin{algorithm}{section} + +\newcommand{\F}{\mathbb{F}} +%\newcommand{\C}{\mathbb{C}} +\newcommand{\R}{\mathbb{R}} +\newcommand{\N}{\mathbb{N}} +\newcommand{\D}{\mathbb{D}} +\newcommand{\Q}{\mathbb{Q}} +\newcommand{\Hol}{\mathcal{H}} +\newcommand{\M}{\mathcal{M}} +\newcommand{\Z}{\mathbb{Z}} +\newcommand\pias{\Pi_{\text{AS}}} +\DeclareMathOperator{\spec}{spec} +\DeclareMathOperator{\re}{Re} +\DeclareMathOperator{\im}{Im} +%\DeclareMathOperator\pr{Pr} +%\renewcommand{\qedsymbol}{$\blacksquare$} +\DeclareMathOperator\SH{\mathcal S} +\DeclareMathOperator\shaho{sh} +\newcommand\add{\mathsf{Add}} +\newcommand\share{\mathsf{Share}} +\newcommand\rec{\mathsf{Rec}} +\newcommand\simul{\mathsf{Sim}} +\newcommand\kem{\mathsf{KEM}} +\newcommand\sskem{\mathsf{SSKEM}} +\newcommand\decaps{\mathsf{Decaps}} +\newcommand\encaps{\mathsf{Encaps}} +\newcommand\keygen{\mathsf{KeyGen}} +\providecommand\sign{\pcalgostyle{Sign}} +\providecommand\highlight[1]{\emph{#1}} + +\DeclarePairedDelimiter{\paren}{\lparen}{\rparen} +\DeclarePairedDelimiter{\bracket}{[}{]} +%\DeclarePairedDelimiter{\abs}{\lvert}{\rvert} +%\DeclarePairedDelimiter{\set}{\{}{\}} +%\newcommand\norm[1]{\left\lVert #1 \right\rVert} + +%opening +%\KOMAoptions{toc=bibliography} +%\pagestyle{headings} +%\KOMAoptions{titlepage=firstiscover} +%\KOMAoptions{abstract=true} +%\setkomafont{pageheadfoot}{\normalfont} +%\KOMAoptions{bibliography=totoc} +%\KOMAoptions{headsepline=true} +%\KOMAoptions{footsepline=true} +\usepackage[nodisplayskipstretch]{setspace} +% 
\setlength{\topsep}{0pt}
+% \setlength{\partopsep}{0pt plus 0pt minus 0pt}
+% \setlength{\parskip}{0pt}
+% \setlength{\parindent}{0pt}
diff --git a/ACNS/live_presentation/signatures.tex b/ACNS/live_presentation/signatures.tex
new file mode 100644
index 0000000..b95a377
--- /dev/null
+++ b/ACNS/live_presentation/signatures.tex
@@ -0,0 +1,16 @@
+
+\section{Deriving a Signature Scheme}
+\begin{frame}
+ \begin{block}{Why actively secure signature schemes?}
+ Correctness of a signature is easily verified with the public key and the signed message.
+
+ BUT: An incorrect signature does not identify the misbehaving shareholder.
+ \end{block}
+ \begin{block}{Signature Scheme}
+ \begin{itemize}
+ \item \(\keygen\): Keep \(\keygen\) of the key exchange mechanism, i.e., the secret key is two-level shared among parties \(P_1,\ldots,P_n\)
+ \item \(\sign\): Apply Fiat-Shamir-transform \cite{C:FiaSha86} to the decapsulation protocol, resulting in a signing protocol with secret shared secret key
+ \item \(\verify\): Arises naturally from the Fiat-Shamir-transformation
+ \end{itemize}
+ \end{block}
+\end{frame}
-- GitLab
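Review bot: `\newtheorem*{remark}{Remark}` requires amsthm, yet `\usepackage{amsthm}` is commented out a few lines above it; this compiles only because the beamer class (which the `frame` environments in the sibling files point to, main.tex is not in this chunk) loads amsthm itself, so a comment such as `% \newtheorem* relies on amsthm, which the beamer class loads; restore \usepackage{amsthm} if the class changes` would save the next editor a confusing error. Much of the rest looks carried over from an article preamble: `flushend`, `appendix`, `\numberwithin{equation}{section}`, `\counterwithout{footnote}{subsection}` and the commented KOMA/titlesec lines do nothing useful on slides and only widen the set of packages that has to stay compatible; pruning them, or at least heading the block with `% inherited from the paper preamble`, would make the file easier to maintain. The `\hypersetup{colorlinks=true, ...}` block also applies to beamer's own internal links on the slides, which may or may not be intended.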
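Review bot: `\cite{C:FiaSha86}` in the `\sign` item uses a cryptobib-style key, but pqc.bib added in this same commit contains no such entry and the Makefile leaves `USECRYPTOBIB` empty, so unless local_bib.bib (not shown in this chunk) defines it the citation renders as `[?]` and latexmk with `-interaction=nonstopmode` will not stop on the undefined-citation warning. Adding the Fiat–Shamir entry to local_bib.bib under that key, or citing a key that exists, fixes the slide. Small wording point: `\(\keygen\): Keep \(\keygen\) of the key exchange mechanism` reads as an instruction; `\(\keygen\): identical to \(\keygen\) of the key exchange mechanism` states the same fact more plainly.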