Commit 94b23977 authored by Philipp Muth
need to change s_{ij} for f_i(j) still

parent 0803efb5
\section{Generalising the Secret Sharing Schemes}\label{sec.generalsss} \section{Generalising the Secret Sharing Schemes}\label{sec.generalsss}
We constructed the protocols above in the context of Shamir's secret sharing protocol \cite{Shamir:1979:HSS}. The key exchange mechanism in \hyperref[sec.kem]{Section \ref{sec.kem}} as well as the signature scheme in \hyperref[sec.signatures]{Section \ref{sec.signatures}} can be extended to more general secret sharing schemes. In the following, we characterise the requirements that a secret sharing scheme has to meet in order to successfully implement the key exchange mechanism and the signature scheme.\\ We constructed the protocols above in the context of Shamir's secret sharing protocol \cite{Shamir:1979:HSS}. The key exchange mechanism in \secref{sec.kem} as well as the signature scheme in \secref{sec.signatures} can be extended to more general secret sharing schemes. In the following, we characterise the requirements that a secret sharing scheme has to meet in order to successfully implement the key exchange mechanism and the signature scheme.\\
%\subsection{Compatibility requirements} %\subsection{Compatibility requirements}
...@@ -29,10 +29,10 @@ The secret sharing scheme also has to allow for a PVP scheme, that is compatible ...@@ -29,10 +29,10 @@ The secret sharing scheme also has to allow for a PVP scheme, that is compatible
\begin{itemize} \begin{itemize}
\item It is evident, that Shamir's approach fulfills all aforementioned requirements. In fact, the two-level sharing and the PVP have been tailored to Shamir's polynomial based secret sharing approach. \item It is evident, that Shamir's approach fulfills all aforementioned requirements. In fact, the two-level sharing and the PVP have been tailored to Shamir's polynomial based secret sharing approach.
\item Tassa \cite{DBLP:conf/tcc/Tassa04} extended Shamir's approach of threshold secret sharing to a hierarchical access structure. To share a secret \(s\in\Z_p\) with prime \(p\), a polynomial \(f\) with constant term \(s\) is sampled. Shareholders of the top level of the hierarchy are assigned interpolation points of \(f\) as in Shamir's scheme. The \(k\)-th level of the hierarchy receives interpolation points of the \(k-1\)st derivative of \(f\). The shares of in Tassa's scheme are elements of \(\Z_p\) themselves. \item Tassa \cite{DBLP:conf/tcc/Tassa04} extended Shamir's approach of threshold secret sharing to a hierarchical access structure. To share a secret \(s\in\Z_p\) with prime \(p\), a polynomial \(f\) with constant term \(s\) is sampled. Shareholders of the top level of the hierarchy are assigned interpolation points of \(f\) as in Shamir's scheme. The \(k\)-th level of the hierarchy receives interpolation points of the \(k-1\)st derivative of \(f\). The shares of in Tassa's scheme are elements of \(\Z_p\) themselves.
The key generation (\hyperref[fig.keygen]{Algorithm \ref{fig.keygen}}) must be adapted so that a shareholder receives a description of the polynomial utilised in sharing his share, instead of receiving the shares with which his share of the secret key was shared. Hence all derivatives utilised can easily be computed. The key generation (\algoref{fig.keygen}) must be adapted so that a shareholder receives a description of the polynomial utilised in sharing his share, instead of receiving the shares with which his share of the secret key was shared. Hence all derivatives utilised can easily be computed.
%the shares The two-level sharing in the key generation protocol can be executed as given in \hyperref[fig.keygen]{Algorithm \ref{fig.keygen}}. For any shareholder, the polynomial, with which his share of the secret key was again shared, is handed to him. Thus all derivatives used in the sharing are known the respective shareholder. %the shares The two-level sharing in the key generation protocol can be executed as given in \hyperref[fig.keygen]{Algorithm \ref{fig.keygen}}. For any shareholder, the polynomial, with which his share of the secret key was again shared, is handed to him. Thus all derivatives used in the sharing are known the respective shareholder.
Reconstructing a shared secret is achieved via Birkhoff interpolation, the execution of which is independent and self-contained. Reconstructing a shared secret is achieved via Birkhoff interpolation, the execution of which is independent and self-contained.
The zero-knowledge proof (\hyperref[fig.zkp]{Algorithm \ref{fig.zkp}} and \hyperref[fig.zkv]{Algorithm \ref{fig.zkv}}) as well as the piecewise verifiable proof (\hyperref[fig.tpvpp]{Algorithm \ref{fig.tpvpp}} and \hyperref[fig.tpvpv]{Algorithm \ref{fig.tpvpv}}) thus directly transfer to Tassa's approach utilising the appropriate derivatives in the verifying protocols. The zero-knowledge proof (\algoref{fig.zkp} and \algoref{fig.zkv}) as well as the piecewise verifiable proof (\algoref{fig.tpvpp} and \algoref{fig.tpvpv}) thus directly transfer to Tassa's approach utilising the appropriate derivatives in the verifying protocols.
The decapsulation and the signing protocols hence can be executed with adjustments only to the verifying steps. The decapsulation and the signing protocols hence can be executed with adjustments only to the verifying steps.
%\item Tassa's hierarchical secret sharing scheme \cite{DBLP:conf/tcc/Tassa04} is also based on sharing via a randomly sampled polynomial. To share a secret \(s\), a polynomial \(f\) in \(\Z_p\left[X\right]\) is sampled with constant term \(s\). Shareholders of the top rank in the hierarchy are assigned interpolation points of \(f\). The second rank is assigned points on the first derivative, in short, shareholders of the \(k\)-th rank obtain interpolation points of the \(k-1\)st derivative. With the shares being in \(Z_p\), this enables the necessary two-level sharing. The polynomial based sharing approach agrees with the PVP protocol given above with some minor adjustments. Thus, transferring the key exchange mechanism and the signature scheme to Tassa's secret sharing can easily be achieved. %\item Tassa's hierarchical secret sharing scheme \cite{DBLP:conf/tcc/Tassa04} is also based on sharing via a randomly sampled polynomial. To share a secret \(s\), a polynomial \(f\) in \(\Z_p\left[X\right]\) is sampled with constant term \(s\). Shareholders of the top rank in the hierarchy are assigned interpolation points of \(f\). The second rank is assigned points on the first derivative, in short, shareholders of the \(k\)-th rank obtain interpolation points of the \(k-1\)st derivative. With the shares being in \(Z_p\), this enables the necessary two-level sharing. The polynomial based sharing approach agrees with the PVP protocol given above with some minor adjustments. Thus, transferring the key exchange mechanism and the signature scheme to Tassa's secret sharing can easily be achieved.
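Review bot: the unchanged context line describing Tassa's scheme still carries the typo "The shares of in Tassa's scheme are elements of \(\Z_p\)" (drop "of"), and "the \(k-1\)st derivative" should read "the \((k-1)\)-st derivative" so the ordinal attaches to the whole expression. The line after it ("%the shares The two-level sharing ...") is the commented-out earlier wording of the sentence that was just rewritten to use \algoref; keeping both versions in the source invites them to drift apart, so delete the commented copy.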
...@@ -43,10 +43,10 @@ Based on CSI-FiSh \cite{DBLP:conf/asiacrypt/BeullensKV19}, De Feo and Meyer \cit ...@@ -43,10 +43,10 @@ Based on CSI-FiSh \cite{DBLP:conf/asiacrypt/BeullensKV19}, De Feo and Meyer \cit
\noindent \noindent
\textbf{Outline.} \textbf{Outline.}
In Section \ref{sec.prelim} the terminology, primitives and security notions relevant for this work are introduced. In \secref{sec.prelim} the terminology, primitives and security notions relevant for this work are introduced.
Section \ref{sec.kem} presents an actively secure threshold key exchange mechanism and proves our scheme's active security and simulatability. \secref{sec.kem} presents an actively secure threshold key exchange mechanism and proves our scheme's active security and simulatability.
The actively secure signature scheme resulting from applying the Fiat-Shamir-transform to our key exchange mechanism is discussed in Section \ref{sec.signatures}. The actively secure signature scheme resulting from applying the Fiat-Shamir-transform to our key exchange mechanism is discussed in \secref{sec.signatures}.
%We will translate the results concerning active security from Section \ref{sec.kem} to a signature algorithm in Section \ref{sec. signatures}. %We will translate the results concerning active security from Section \ref{sec.kem} to a signature algorithm in Section \ref{sec. signatures}.
Finally, the necessary properties for a secret sharing scheme to be compatible with our key exchange mechanism and signature scheme are characterised in Section \ref{sec.generalsss} in order to enable applying a more general class of secret sharing schemes. Finally, the necessary properties for a secret sharing scheme to be compatible with our key exchange mechanism and signature scheme are characterised in \secref{sec.generalsss} in order to enable applying a more general class of secret sharing schemes.
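Review bot: the \secref replacements in the outline are consistent, but the first sentence still lacks the comma after the introductory phrase ("In \secref{sec.prelim}, the terminology, ..."), and "Fiat-Shamir-transform" should be "Fiat-Shamir transform" (only the two names are hyphenated).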
...@@ -15,11 +15,11 @@ We fix the following publically known parameters. ...@@ -15,11 +15,11 @@ We fix the following publically known parameters.
\item A fixed element \(g \in\mathcal G\) with \(\mathsf{ord} g = p\) for the mapping \([\cdot] \cdot: \Z_p \times \mathcal E \to \mathcal E; s \mapsto g^s E\). \item A fixed element \(g \in\mathcal G\) with \(\mathsf{ord} g = p\) for the mapping \([\cdot] \cdot: \Z_p \times \mathcal E \to \mathcal E; s \mapsto g^s E\).
\end{itemize} \end{itemize}
We give our key exchange mechanism in the context of Shamir's secret sharing scheme and elaborate possible extensions to other, more general secret sharing schemes in \hyperref[sec.generalsss]{Section \ref{sec.generalsss}}. We give our key exchange mechanism in the context of Shamir's secret sharing scheme and elaborate possible extensions to other, more general secret sharing schemes in \secref{sec.generalsss}.\\
%\subsection{Key Generation} %\subsection{Key Generation}
\noindent\textbf{Key Generation.} \noindent\textbf{Key Generation.}
A public and secret key pair is established by a trusted dealer (even an untrusted dealer is feasible by employing verifiable secret sharing schemes) executing \hyperref[fig.keygen]{Algorithm \ref{fig.keygen}}. For that he samples a secret key \(s\) and publishes the public key \(\pk \gets [s] E_0\). The secret key \(s\) is then shared among the \(\set{P_1, \ldots, P_n}\) via \(\mathcal S.\share\paren*s\). The dealer shares each share \(s_i\), \(i=1,\ldots, n\), once more. Each shareholder \(P_i\), \(i=1,\ldots, n\), eventually receives \(s_i\), \(\set{s_{ji}, s_{ij}}_{j=1,\ldots, n}\), that is his share \(s_i\) of \(s\), the sharing of \(s_i\) and a share of other \(s_j\), \(j \neq i\). A public and secret key pair is established by a trusted dealer (even an untrusted dealer is feasible by employing verifiable secret sharing schemes) executing \algoref{fig.keygen}. For that he samples a secret key \(s\) and publishes the public key \(\pk \gets [s] E_0\). The secret key \(s\) is then shared among the \(\set{P_1, \ldots, P_n}\) via \(\mathcal S.\share\paren*s\). The dealer shares each share \(s_i\), \(i=1,\ldots, n\), once more. Each shareholder \(P_i\), \(i=1,\ldots, n\), eventually receives \(s_i\), \(\set{s_{ji}, s_{ij}}_{j=1,\ldots, n}\), that is his share \(s_i\) of \(s\), the sharing of \(s_i\) and a share of other \(s_j\), \(j \neq i\).
\begin{algorithm} \begin{algorithm}
\DontPrintSemicolon \DontPrintSemicolon
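Review bot: the newly added trailing `\\` on "... more general secret sharing schemes in \secref{sec.generalsss}.\\" is a fragile way to separate the paragraph from the "Key Generation." heading: with the `\subsection` commented out, `\\` forces a line break inside the same paragraph, and if a blank line is ever inserted after it LaTeX will emit an underfull \hbox warning. End the paragraph with a blank line (or `\par`) and keep the `\noindent\textbf{Key Generation.}` on the next paragraph, which is the convention the rest of the file already uses.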
...@@ -109,19 +109,19 @@ Our encapsulation protocol is identical to the protocol of \cite{FeoM20}, thus w ...@@ -109,19 +109,19 @@ Our encapsulation protocol is identical to the protocol of \cite{FeoM20}, thus w
%\subsection{Decapsulation} %\subsection{Decapsulation}
\noindent\textbf{Decapsulation.} \noindent\textbf{Decapsulation.}
A decapsulation protocol takes a ciphertext \(c\) and outputs a key \(\mathcal K\). A decapsulation protocol takes a ciphertext \(c\) and outputs a key \(\mathcal K\).
De Feo and Meyer \cite{FeoM20} applied the threshold group action (\hyperref[fig.tga]{Algorithm \ref{fig.tga}}) so that an authorised set \(S'\in\Gamma\) decapsulates a ciphertext \(c\) and produces an ephemeral key \(\left[s\right] c = \left[s\right] \left(b\ast E_0\right) = b \ast \left(\left[s\right] E_0\right)\). De Feo and Meyer \cite{FeoM20} applied the threshold group action (\algoref{fig.tga}) so that an authorised set \(S'\in\Gamma\) decapsulates a ciphertext \(c\) and produces an ephemeral key \(\left[s\right] c = \left[s\right] \left(b\ast E_0\right) = b \ast \left(\left[s\right] E_0\right)\).
%\todo{Satz raffen} %\todo{Satz raffen}
For that, the shareholders agree on an arbitrary order of turns. With \(E^0: =c\), for \(k=1,\ldots, \#S'\), the \(k^\text{th}\) shareholder \(P_i\) outputs \(E^k = \left[L_{i,S'}s_i\right] E^{k-1}\). The last shareholder outputs the decapsulated ciphertext \(E^{\#S'} = \left[s\right]c\). For that, the shareholders agree on an arbitrary order of turns. With \(E^0: =c\), for \(k=1,\ldots, \#S'\), the \(k^\text{th}\) shareholder \(P_i\) outputs \(E^k = \left[L_{i,S'}s_i\right] E^{k-1}\). The last shareholder outputs the decapsulated ciphertext \(E^{\#S'} = \left[s\right]c\).
%The first shareholder \(P_i\) computes and publishes \(E^1 = \left[L_{i,S'} s_i\right] c\). The \(k^\text{th}\) shareholder \(P_j\) takes the previous output \(E^{k-1}\) and outputs \(E^k = \left[L_{j,S'} s_j\right] E^{k-1}\). The last shareholder outputs the decapsulated ciphertext \(E^{\#S'} = \left[s\right]c\). %The first shareholder \(P_i\) computes and publishes \(E^1 = \left[L_{i,S'} s_i\right] c\). The \(k^\text{th}\) shareholder \(P_j\) takes the previous output \(E^{k-1}\) and outputs \(E^k = \left[L_{j,S'} s_j\right] E^{k-1}\). The last shareholder outputs the decapsulated ciphertext \(E^{\#S'} = \left[s\right]c\).
%\todo{The last shareholder...} %\todo{The last shareholder...}
Their approach is simulatable. It does not leak any information on the shares \(s_i\), yet it is only passively secure. Thus, a malicious shareholder can provide malformed input to the protocol and falsify the output without being detected. Their approach is simulatable. It does not leak any information on the shares \(s_i\), yet it is only passively secure. Thus, a malicious shareholder can provide malformed input to the protocol and thereby manipulate the output of the computation towards incorrect results without the other parties recognising this deviation from the protocol.
%\todo{clarify the round-robin approach to decaps} %\todo{clarify the round-robin approach to decaps}
We extend their approach to enable detecting misbehaving shareholders in a decapsulation. For that we maintain the threshold group action and apply the PVP and zero-knowledge proof layed out in Section \ref{sec.prelim}. We extend their approach to enable detecting misbehaving shareholders in a decapsulation. For that we maintain the threshold group action and apply the PVP and zero-knowledge proof layed out in \secref{sec.prelim}.
\\ \\
\noindent\textbf{Amending the PVP.} \noindent\textbf{Amending the PVP.}
%The PVP does not fit our setting of threshold group action, hence we first discuss the necessary modifications to the PVP. We then present our actively secure decapsulation protocol. %The PVP does not fit our setting of threshold group action, hence we first discuss the necessary modifications to the PVP. We then present our actively secure decapsulation protocol.
In the PVP protocol sketched in \hyperref[sec.prelim]{Section \ref{sec.prelim}}, a prover produces a proof of knowledge for a witness polynomial \(f\) of the statement In the PVP protocol sketched in \secref{sec.prelim}, a prover produces a proof of knowledge for a witness polynomial \(f\) of the statement
\(\left(\left(E_0,E_1\right),s_1, \ldots, s_n\right),\) \(\left(\left(E_0,E_1\right),s_1, \ldots, s_n\right),\)
where \(E_0\sample \mathcal E\), \(E_1 = \left[s_0\right] E_0\) and \(s_i = f\paren* i\) for \(i = 0, \ldots, n\). He thereby proves knowledge of the sharing polynomial \(f\) of \(s_0 = f\paren* 0\). where \(E_0\sample \mathcal E\), \(E_1 = \left[s_0\right] E_0\) and \(s_i = f\paren* i\) for \(i = 0, \ldots, n\). He thereby proves knowledge of the sharing polynomial \(f\) of \(s_0 = f\paren* 0\).
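Review bot: two small fixes in the unchanged context of this hunk: "\(E^0: =c\)" has a stray space and should be "\(E^0 := c\)" (or `\coloneqq`), and "layed out in \secref{sec.prelim}" should be "laid out". The rewritten sentence on passive security is fine in substance, but "manipulate the output of the computation towards incorrect results without the other parties recognising this deviation" says the same as the old "falsify the output without being detected" at twice the length; the security point worth keeping explicit is that a malformed contribution cannot be attributed to a party.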
...@@ -132,7 +132,7 @@ This approach does not agree with the threshold group action, for which a shareh ...@@ -132,7 +132,7 @@ This approach does not agree with the threshold group action, for which a shareh
\begin{example} \begin{example}
Let \(\sk\) be a secret key generated and shared by \(\mathsf{KeyGen}\). That is each shareholder \(P_i\) holds Let \(\sk\) be a secret key generated and shared by \(\mathsf{KeyGen}\). That is each shareholder \(P_i\) holds
\[\set{s_i, \set{s_{ij}}_{P_j \in S}, \set{s_{ji}}_{P_j \in S}}.\] \[\set{s_i, \set{s_{ij}}_{P_j \in S}, \set{s_{ji}}_{P_j \in S}}.\]
Also let \(S'\in \Gamma\) be a minimally authorised set executing \hyperref[fig.tga]{Algorithm \ref{fig.tga}}, i.e., for any \(P_i \in S'\), \(S' \setminus \set{P_i}\) is unauthorised. Thus, for any arbitrary but fixed \(s_i'\in \Z_p\), there exists a polynomial \(f'_i\in \Z_p\left[X\right]_{k-1}\) so that \(f'_i \paren* j = L_{i,S'} s_{ij}\) and \(R' = \left[f'_i \paren* 0\right] R\) for any \(R,R' \in \mathcal E\). Therefore, \(P_i\) can publish \(\left(\pi,\set{\pi_j}_{P_j \in S'}\right)\) with Also let \(S'\in \Gamma\) be a minimally authorised set executing \algoref{fig.tga}, i.e., for any \(P_i \in S'\), \(S' \setminus \set{P_i}\) is unauthorised. Thus, for any arbitrary but fixed \(s_i'\in \Z_p\), there exists a polynomial \(f'_i\in \Z_p\left[X\right]_{k-1}\) so that \(f'_i \paren* j = L_{i,S'} s_{ij}\) and \(R' = \left[f'_i \paren* 0\right] R\) for any \(R,R' \in \mathcal E\). Therefore, \(P_i\) can publish \(\left(\pi,\set{\pi_j}_{P_j \in S'}\right)\) with
\begin{align*} \begin{align*}
\left(\pi,\set{\pi_j}_{P_j \in S}\right) \gets& \mathsf{PVP}.P\paren*{\left(\left(R,R'\right), \left(L_{i,S'} s_{ij}\right)_{P_j \in S}\right), f_i'} \left(\pi,\set{\pi_j}_{P_j \in S}\right) \gets& \mathsf{PVP}.P\paren*{\left(\left(R,R'\right), \left(L_{i,S'} s_{ij}\right)_{P_j \in S}\right), f_i'}
\end{align*} \end{align*}
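Review bot: the example introduces "any arbitrary but fixed \(s_i'\in \Z_p\)" but never relates \(s_i'\) to \(f'_i\); the existence claim presumably needs the constraint \(f'_i\paren* 0 = s_i'\) (or the \(L_{i,S'}\)-scaled variant) alongside \(f'_i\paren* j = L_{i,S'} s_{ij}\), otherwise the point of the example, that \(P_i\) can produce a valid proof for an arbitrary exponent, is not stated. Also the index set switches between \(P_j \in S'\) in the prose and \(P_j \in S\) in the displayed `\mathsf{PVP}.P` call, and the statement pieces here are still the scaled \(L_{i,S'} s_{ij}\) although this commit changes the amended statement to plain \(s_{ij}\) (the commit message acknowledges this is pending); align both once the new convention is settled.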
...@@ -147,10 +147,10 @@ We resolve the conflicts by amending \cite{DBLP:conf/pqcrypto/BeullensDPV21}'s P ...@@ -147,10 +147,10 @@ We resolve the conflicts by amending \cite{DBLP:conf/pqcrypto/BeullensDPV21}'s P
%\[\paren*{\left(R,R'\right),\left( L_{i,S^\ast} s_{ij}\right)_{P_j \in S^\ast}},\] %\[\paren*{\left(R,R'\right),\left( L_{i,S^\ast} s_{ij}\right)_{P_j \in S^\ast}},\]
\[\paren*{\left(R,R'\right),\left( s_{ij}\right)_{P_j \in S^\ast}},\] \[\paren*{\left(R,R'\right),\left( s_{ij}\right)_{P_j \in S^\ast}},\]
where \(R\sample\mathcal E\), \(R' = \left[L_{i,S^\ast} s_i\right] R\), \(s_{ij} = f_i\paren* j\) for \(P_j\in S^\ast\) and \(s_i = f_i\paren* 0\). where \(R\sample\mathcal E\), \(R' = \left[L_{i,S^\ast} s_i\right] R\), \(s_{ij} = f_i\paren* j\) for \(P_j\in S^\ast\) and \(s_i = f_i\paren* 0\).
The inputs of our amended proving protocol are the proving shareholder's index \(i\), the witness polynomial \(f\), the superauthorised set \(S^\ast \in\Gamma^+\) and the statement \(\left(\left(R,R'\right), \left( s_{ij}\right)_{P_j\in S^\ast}\right)\). The protocol can be found in \hyperref[fig.tpvpp]{Algorithm \ref{fig.tpvpp}}, in which \(\mathcal C\) denotes a commitment scheme. The inputs of our amended proving protocol are the proving shareholder's index \(i\), the witness polynomial \(f\), the superauthorised set \(S^\ast \in\Gamma^+\) and the statement \(\left(\left(R,R'\right), \left( s_{ij}\right)_{P_j\in S^\ast}\right)\). The protocol can be found in \algoref{fig.tpvpp}, in which \(\mathcal C\) denotes a commitment scheme.
The verifying protocol in turn has the prover's and the verifier's indices \(i\) and \(j\), respectively, a set \(S^\ast\in\Gamma^+\), a statement piece \(x_j\) and a proof piece \(\left(\pi,\pi_j\right)\) as input, where \(x_j = \left(R,R'\right)\in\mathcal E^2\) if \(j=0\) and \(x_j\in\Z_p\) otherwise. The verifying protocol is given in \hyperref[fig.tpvpv]{Algorithm \ref{fig.tpvpv}}. The verifying protocol in turn has the prover's and the verifier's indices \(i\) and \(j\), respectively, a set \(S^\ast\in\Gamma^+\), a statement piece \(x_j\) and a proof piece \(\left(\pi,\pi_j\right)\) as input, where \(x_j = \left(R,R'\right)\in\mathcal E^2\) if \(j=0\) and \(x_j\in\Z_p\) otherwise. The verifying protocol is given in \algoref{fig.tpvpv}.
The definitions of soundness and zero-knowledge for a threshold PVP scheme carry over from the non-threshold setting in Section \ref{sec.prelim} intuitively, yet we restate the completeness definition for the threshold setting. The definitions of soundness and zero-knowledge for a threshold PVP scheme carry over from the non-threshold setting in \secref{sec.prelim} intuitively, yet we restate the completeness definition for the threshold setting.
\begin{definition}[Completeness in the threshold setting] \begin{definition}[Completeness in the threshold setting]
We call a threshold PVP scheme \emph{complete} if, for any \(S'\in \Gamma\), any \(\left(x,f\right)\in\mathcal R\), any \(P_i \in S'\) and \(\left(\pi,\set{\pi_j}_{P_j \in S'}\right) \gets \mathsf{PVP}.P\paren*{i,f,S',x_{S'}}\), we have We call a threshold PVP scheme \emph{complete} if, for any \(S'\in \Gamma\), any \(\left(x,f\right)\in\mathcal R\), any \(P_i \in S'\) and \(\left(\pi,\set{\pi_j}_{P_j \in S'}\right) \gets \mathsf{PVP}.P\paren*{i,f,S',x_{S'}}\), we have
\[\prob{\mathsf{PVP}.V \paren*{i,j,S', x_j, \left(\pi,\pi_j\right)} = \true} = 1 \text{\ for all } P_j \in S'.\] \[\prob{\mathsf{PVP}.V \paren*{i,j,S', x_j, \left(\pi,\pi_j\right)} = \true} = 1 \text{\ for all } P_j \in S'.\]
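Review bot: after this change the statement mixes scalings: the pieces are the unscaled \(s_{ij} = f_i\paren* j\), while \(R' = \left[L_{i,S^\ast} s_i\right] R\) uses the Lagrange-scaled constant term. That is workable, but the verifier for the \(j=0\) piece must then apply \(L_{i,S^\ast}\) itself (it knows \(i\) and \(S^\ast\)), and the soundness argument has to bind the extracted \(f\paren* 0\) to the scaled exponent in \(R'\); please confirm `\algoref{fig.tpvpv}` and the soundness proof reflect this. Minor wording: "carry over ... intuitively" should be "carry over ... directly" or "in the obvious way".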
...@@ -236,7 +236,7 @@ We arrive at our decapsulation protocol, executed by a superauthorised set \(S^\ ...@@ -236,7 +236,7 @@ We arrive at our decapsulation protocol, executed by a superauthorised set \(S^\
\item Otherwise, \(P_i\) outputs \(E^k\) and finalises its turn.% turn is finalised and the next shareholder continues with \(E^k\) as input from \(P_i\). \item Otherwise, \(P_i\) outputs \(E^k\) and finalises its turn.% turn is finalised and the next shareholder continues with \(E^k\) as input from \(P_i\).
\item The protocol terminates with the last shareholder's \(E^{\# S^\ast}\) as output. \item The protocol terminates with the last shareholder's \(E^{\# S^\ast}\) as output.
\end{enumerate} \end{enumerate}
The combination of the PVP and the zero-knowledge proof in steps \ref{step.pvp} and \ref{step.zk} ensure, that \(P_i\) has knowledge of the sharing polynomial \(L_{i,S^\ast} f_i\) and also inputs \(L_{i,S^\ast} f_i\paren* 0\) to compute \(E^k\). We give the precise protocol in \hyperref[fig.decaps]{Algorithm \ref{fig.decaps}}. The combination of the PVP and the zero-knowledge proof in steps \ref{step.pvp} and \ref{step.zk} ensure, that \(P_i\) has knowledge of the sharing polynomial \(L_{i,S^\ast} f_i\) and also inputs \(L_{i,S^\ast} f_i\paren* 0\) to compute \(E^k\). We give the precise protocol in \algoref{fig.decaps}.
% \begin{figure} % \begin{figure}
% %\begin{tiny} % %\begin{tiny}
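Review bot: grammar in the context line: "The combination of the PVP and the zero-knowledge proof in steps ... ensure, that" has a singular subject, so it should read "ensures that" without the comma.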
...@@ -323,7 +323,7 @@ The combination of the PVP and the zero-knowledge proof in steps \ref{step.pvp} ...@@ -323,7 +323,7 @@ The combination of the PVP and the zero-knowledge proof in steps \ref{step.pvp}
A key exchange mechanism with secret shared private key is \emph{correct}, if for any authorised set \(S'\), any public key \(\pk\) and any \(\left(\mathcal K,c\right)\gets \mathsf{Encaps}\paren* \pk\), we have A key exchange mechanism with secret shared private key is \emph{correct}, if for any authorised set \(S'\), any public key \(\pk\) and any \(\left(\mathcal K,c\right)\gets \mathsf{Encaps}\paren* \pk\), we have
\( \mathcal K = \mathcal K' \gets \mathsf{Decaps}\paren*{c,S'}.\) \( \mathcal K = \mathcal K' \gets \mathsf{Decaps}\paren*{c,S'}.\)
\end{definition} \end{definition}
The correctness of our key exchange mechanism presented in \hyperref[fig.keygen]{Algorithm \ref{fig.keygen}}, \hyperref[fig.encaps]{Algorithm \ref{fig.encaps}} and \hyperref[fig.decaps]{Algorithm \ref{fig.decaps}} follows from the correctness of the threshold group action (\hyperref[fig.tga]{Algorithm \ref{fig.tga}}). Let \(\sk\) be a secret key and \(\pk = \left[\sk\right] E_0\) be the respective public key, that have been generated by \(\mathsf{KeyGen}\), thus each shareholder \(P_i\) holds a share \(s_i\) of \(\sk\), \(i=1,\ldots, n\). For an authorised set \(S'\) we therefore have The correctness of our key exchange mechanism presented in \algoref{fig.keygen}, \algoref{fig.encaps} and \algoref{fig.decaps} follows from the correctness of the threshold group action (\algoref{fig.tga}). Let \(\sk\) be a secret key and \(\pk = \left[\sk\right] E_0\) be the respective public key, that have been generated by \(\mathsf{KeyGen}\), thus each shareholder \(P_i\) holds a share \(s_i\) of \(\sk\), \(i=1,\ldots, n\). For an authorised set \(S'\) we therefore have
\[\sk = \sum_{P_i \in S'} L_{i,S'} s_i.\] \[\sk = \sum_{P_i \in S'} L_{i,S'} s_i.\]
Furthermore, let \(\left(\mathcal K,c\right) \gets \mathsf{Encaps}\paren* \pk\). To show correctness, \(\mathcal K' = \mathcal K\) has to hold, where \(\mathcal K' \gets \mathsf{Decaps}\paren*{c,S'}\). Now, after executing \(\mathsf{Decaps}\paren*{c,S'}\), we have \(\mathcal K' = E^{\#S'}\) emerging as the result of the threshold group action applied to \(c\). This gives us Furthermore, let \(\left(\mathcal K,c\right) \gets \mathsf{Encaps}\paren* \pk\). To show correctness, \(\mathcal K' = \mathcal K\) has to hold, where \(\mathcal K' \gets \mathsf{Decaps}\paren*{c,S'}\). Now, after executing \(\mathsf{Decaps}\paren*{c,S'}\), we have \(\mathcal K' = E^{\#S'}\) emerging as the result of the threshold group action applied to \(c\). This gives us
\[ \mathcal K' = \left[\sum_{P_i \in S'} L_{i,S'}s_i \right] c = \left[\sk\right] \left(b\ast E_0\right) = b \ast \pk = \mathcal K.\] \[ \mathcal K' = \left[\sum_{P_i \in S'} L_{i,S'}s_i \right] c = \left[\sk\right] \left(b\ast E_0\right) = b \ast \pk = \mathcal K.\]
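Review bot: the correctness definition quantifies over any authorised set \(S'\in\Gamma\) and calls \(\mathsf{Decaps}\paren*{c,S'}\), but the decapsulation protocol of this paper is run by a superauthorised set \(S^\ast\in\Gamma^+\); either state the definition for \(S^\ast\in\Gamma^+\) or say explicitly that every superauthorised set is authorised so that the reconstruction identity \(\sk = \sum L_{i,S'} s_i\) applies. Wording: "the respective public key, that have been generated by \(\mathsf{KeyGen}\)" should be "which have been generated" (no restrictive comma).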
...@@ -349,7 +349,7 @@ There are two aspects of security to consider: ...@@ -349,7 +349,7 @@ There are two aspects of security to consider:
\begin{proof} \begin{proof}
Let \(P_{i'}\) be the malicious shareholder and let \(k'\) be the index of \(P_{i'}\)'s output in the transcript. Since \(\mathsf{Decaps}\paren*{c,S^\ast}\) terminated successfully, we have Let \(P_{i'}\) be the malicious shareholder and let \(k'\) be the index of \(P_{i'}\)'s output in the transcript. Since \(\mathsf{Decaps}\paren*{c,S^\ast}\) terminated successfully, we have
\begin{align} \begin{align}
\mathsf{PVP}.V\paren*{i', j,S^\ast, L_{i',S^\ast} s_{i'j}, \left(\pi^{k'},\pi^{k'}_j\right)} =& \true\label{eq.pvp1}\\ \mathsf{PVP}.V\paren*{i', j,S^\ast, s_{i'j}, \left(\pi^{k'},\pi^{k'}_j\right)} =& \true\label{eq.pvp1}\\
\mathsf{PVP}.V\paren*{i', 0,S^\ast, \left(R_{k'},R_{k'}' \right), \left(\pi^{k'},\pi^{k'}_0\right)} =& \true\label{eq.pvp2}\\ \mathsf{PVP}.V\paren*{i', 0,S^\ast, \left(R_{k'},R_{k'}' \right), \left(\pi^{k'},\pi^{k'}_0\right)} =& \true\label{eq.pvp2}\\
\mathsf{ZK}.V\paren*{\left(E^{k'-1},E^{k'}\right), \left(R_{k'}, R_{k'}'\right), zk^{k'}} =& \true \label{eq.zk} \mathsf{ZK}.V\paren*{\left(E^{k'-1},E^{k'}\right), \left(R_{k'}, R_{k'}'\right), zk^{k'}} =& \true \label{eq.zk}
\end{align} \end{align}
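Review bot: dropping \(L_{i',S^\ast}\) from the statement piece in (\ref{eq.pvp1}) matches the new form of the amended statement. In the align environment, alignment at `=&` places the alignment point after the equals sign, which loses the relation spacing on its right; use `&=` on all three lines.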
...@@ -381,7 +381,7 @@ We show that an adversary who corrupts an unauthorised subset of shareholder doe ...@@ -381,7 +381,7 @@ We show that an adversary who corrupts an unauthorised subset of shareholder doe
\end{definition} \end{definition}
\begin{theorem} \begin{theorem}
If the \(\mathsf{PVP}\) protocol and the GAIP \(\mathsf{ZK}\) protocol employed are zero-knowledge, then the decapsulation protocol (\hyperref[fig.decaps]{Algorithm \ref{fig.decaps}}) is simulatable. If the \(\mathsf{PVP}\) protocol and the GAIP \(\mathsf{ZK}\) protocol employed are zero-knowledge, then the decapsulation protocol (\algoref{fig.decaps}) is simulatable.
\end{theorem} \end{theorem}
%In short if an \(\sskem\) is simulatable, an adversary cannot derive any meaningful information concerning the secret key from the transcript of an execution of the decapsulation algorithm, since with just the information he gathered from partaking in the decapsulation execution, a transcript can be generated that is indistinguishable from the actual transcript. %In short if an \(\sskem\) is simulatable, an adversary cannot derive any meaningful information concerning the secret key from the transcript of an execution of the decapsulation algorithm, since with just the information he gathered from partaking in the decapsulation execution, a transcript can be generated that is indistinguishable from the actual transcript.
\begin{proof} \begin{proof}
...@@ -395,7 +395,7 @@ The input for each simulator is a ciphertext \(c\), a derived key \(\mathcal K\) ...@@ -395,7 +395,7 @@ The input for each simulator is a ciphertext \(c\), a derived key \(\mathcal K\)
uniformly at random for each \(P_i \in S^\ast \setminus \adv\). Since \(\adv\) is unauthorised, \(f'_i\) exists. uniformly at random for each \(P_i \in S^\ast \setminus \adv\). Since \(\adv\) is unauthorised, \(f'_i\) exists.
\(\simul^1\) then proceeds by honestly producing the output of each \(P_i \in S^\ast\setminus \adv\) according to the decapsulation protocol, i.e., it samples \(R_k \sample \mathcal E\), computes \(R_k' \gets \left[L_{i,S^\ast} f_i'\paren* 0\right] R_k\) and outputs \(\simul^1\) then proceeds by honestly producing the output of each \(P_i \in S^\ast\setminus \adv\) according to the decapsulation protocol, i.e., it samples \(R_k \sample \mathcal E\), computes \(R_k' \gets \left[L_{i,S^\ast} f_i'\paren* 0\right] R_k\) and outputs
\[\mathsf{PVP}.P\paren*{i,f_i',S^\ast,\left(\left(R_k,R_k'\right),\left(L_{i,S^\ast}s_{ij}\right)_{P_j \in S^\ast}\right)},\] \[\mathsf{PVP}.P\paren*{i,f_i',S^\ast,\left(\left(R_k,R_k'\right),\left(s_{ij}\right)_{P_j \in S^\ast}\right)},\]
\(E^k \gets \left[L_{i,S^\ast} s'_i\right] E^{k-1}\) and \(\mathsf{ZK}.P\paren*{\left(R_k, R_k'\right),\left(E^{k-1},E^k\right),L_{i,S^\ast}f'_i\paren* 0}\), where \(k\) is the index of \(P_i\)'s output in the transcript, \(s_{ij}: = f_i'\paren* j\) for \(P_j \in S^\ast \setminus \adv\) and \(s'_i := f_i'\paren* 0\). Since, for all \(P_i \in S^\ast\setminus\adv\), \(s_i\) is information theoretically hidden to the adversary, the resulting transcript is identically distributed to a real transcript. \(E^k \gets \left[L_{i,S^\ast} s'_i\right] E^{k-1}\) and \(\mathsf{ZK}.P\paren*{\left(R_k, R_k'\right),\left(E^{k-1},E^k\right),L_{i,S^\ast}f'_i\paren* 0}\), where \(k\) is the index of \(P_i\)'s output in the transcript, \(s_{ij}: = f_i'\paren* j\) for \(P_j \in S^\ast \setminus \adv\) and \(s'_i := f_i'\paren* 0\). Since, for all \(P_i \in S^\ast\setminus\adv\), \(s_i\) is information theoretically hidden to the adversary, the resulting transcript is identically distributed to a real transcript.
\item Let \(i'\) denote the index of the last honest party in the execution of the decapsulation protocol and \(k'\) the index of its output. \(\simul^2\) behaves exactly as \(\simul^1\) with the exception, that it does not compute the PVP itself but calls the simulator \(\simul^\mathsf{PVP}\) for the PVP to generate the proof \(\left(\pi^{k'},\set{\pi^{k'}_j}\right)\) for the statement \(\left(\left(R_{k'},R_{k'}'\right), \left(L_{i,S^\ast} s_{i'j}\right)_{P_j \in S^\ast}\right)\). Since the PVP is zero-knowledge, \(\simul^2\)'s output is indistinguishable from that of \(\simul^1\). \item Let \(i'\) denote the index of the last honest party in the execution of the decapsulation protocol and \(k'\) the index of its output. \(\simul^2\) behaves exactly as \(\simul^1\) with the exception, that it does not compute the PVP itself but calls the simulator \(\simul^\mathsf{PVP}\) for the PVP to generate the proof \(\left(\pi^{k'},\set{\pi^{k'}_j}\right)\) for the statement \(\left(\left(R_{k'},R_{k'}'\right), \left(L_{i,S^\ast} s_{i'j}\right)_{P_j \in S^\ast}\right)\). Since the PVP is zero-knowledge, \(\simul^2\)'s output is indistinguishable from that of \(\simul^1\).
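Review bot: the statement passed to `\mathsf{PVP}.P` in \(\simul^1\) was updated to plain \(s_{ij}\), but the statement that \(\simul^2\) hands to \(\simul^\mathsf{PVP}\) on the last line still reads \(\left(L_{i,S^\ast} s_{i'j}\right)_{P_j \in S^\ast}\); the two simulators must prove the same statement form, so update that one as well (and \(i\) there should be \(i'\)). Also \(s_{ij} := f_i'\paren* j\) is defined only for honest \(P_j \in S^\ast\setminus\adv\), yet the statement contains pieces for every \(P_j\in S^\ast\); for corrupted \(P_j\) the simulator has to use the real shares the adversary already holds, and \(f'_i\) must interpolate them, which is exactly why "\(\adv\) is unauthorised" is needed for \(f'_i\) to exist. Say this explicitly.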
......
...@@ -59,6 +59,8 @@ ...@@ -59,6 +59,8 @@
urlcolor=red, urlcolor=red,
citecolor=blue, citecolor=blue,
} }
\providecommand\algoref[1]{\hyperref[#1]{Algorithm \ref{#1}}}
\providecommand\secref[1]{\hyperref[#1]{Section \ref{#1}}}
\begin{comment} \begin{comment}
\newtheoremstyle{Satz} \newtheoremstyle{Satz}
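Review bot: the two new macros are introduced with \providecommand, which silently keeps any pre-existing definition instead of reporting a clash; unless a package loaded earlier already defines \algoref or \secref (none of the packages visible here do), \newcommand is the safer choice, because an accidental redefinition elsewhere in the preamble would then be caught at compile time rather than yielding wrong link text. The macro bodies themselves look right: \hyperref[#1]{Algorithm \ref{#1}} links the whole "Algorithm N" phrase, matching the long form they replace in the body.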
...@@ -101,7 +103,7 @@ ...@@ -101,7 +103,7 @@
\DeclareMathOperator{\spec}{spec} \DeclareMathOperator{\spec}{spec}
\DeclareMathOperator{\re}{Re} \DeclareMathOperator{\re}{Re}
\DeclareMathOperator{\im}{Im} \DeclareMathOperator{\im}{Im}
\DeclareMathOperator\pr{Pr} %\DeclareMathOperator\pr{Pr}
%\renewcommand{\qedsymbol}{$\blacksquare$} %\renewcommand{\qedsymbol}{$\blacksquare$}
\DeclareMathOperator\SH{SH} \DeclareMathOperator\SH{SH}
\DeclareMathOperator\shaho{sh} \DeclareMathOperator\shaho{sh}
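Review bot: commenting out \DeclareMathOperator\pr{Pr} turns every remaining \pr in the body into an "Undefined control sequence" error, so grep the sources for \pr before committing this change. If the line was disabled because another package already defines \pr (which makes \DeclareMathOperator fail with "already defined"), replace the remaining uses with the kernel's \Pr or pick a different operator name; leaving the definition dead in a % comment documents neither reason.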
......
...@@ -134,7 +134,7 @@ The intuitive decisional continuation of this problem is as follows. ...@@ -134,7 +134,7 @@ The intuitive decisional continuation of this problem is as follows.
%\subsection{Threshold Group Action} %\subsection{Threshold Group Action}
\noindent\textbf{Threshold Group Action.} \noindent\textbf{Threshold Group Action.}
Let \(s\) be a Shamir shared secret among shareholders \(P_1,\ldots,P_n\), that is each \(P_i\) holds a share \(s_i\) of \(s\), \(i=1,\ldots, n\). To compute \(E' = \left[s\right] E\) for an arbitrary but fixed \(E \in \mathcal E\) without reconstructing \(s\), we have an authorised set of shareholders execute \hyperref[fig.tga]{Algorithm \ref{fig.tga}}. Let \(s\) be a Shamir shared secret among shareholders \(P_1,\ldots,P_n\), that is each \(P_i\) holds a share \(s_i\) of \(s\), \(i=1,\ldots, n\). To compute \(E' = \left[s\right] E\) for an arbitrary but fixed \(E \in \mathcal E\) without reconstructing \(s\), we have an authorised set of shareholders execute \algoref{fig.tga}.
If it is executed successfully, we have by the compatibility property of \(\ast\) and the repeated application of \(E^k \gets \left[L_{i,S'} s_i\right]E^{k-1}\) the result If it is executed successfully, we have by the compatibility property of \(\ast\) and the repeated application of \(E^k \gets \left[L_{i,S'} s_i\right]E^{k-1}\) the result
\[E^{\# S'} = \left[\sum_{P_i \in S'} L_{i,S'} s_i \right] E = \left[ s\right] E.\] \[E^{\# S'} = \left[\sum_{P_i \in S'} L_{i,S'} s_i \right] E = \left[ s\right] E.\]
%Assume, that a secret \(s\) has been shared in a Shamir secret sharing instance, thus each shareholder \(P_i\) holds a share \(s_i \) of \(s\), \(i=1,\ldots, n\). Let \(E\) be an arbitrary but fixed element of \(\mathcal E\). The action \(E' \gets \left[s\right] E\) can be computed by any authorised set \(S'\) without reconstructing \(s\) by executing the protocol given in \hyperref[fig.tga]{Algorithm \ref{fig.tga}}.%\autoref{fig.tga}. %Assume, that a secret \(s\) has been shared in a Shamir secret sharing instance, thus each shareholder \(P_i\) holds a share \(s_i \) of \(s\), \(i=1,\ldots, n\). Let \(E\) be an arbitrary but fixed element of \(\mathcal E\). The action \(E' \gets \left[s\right] E\) can be computed by any authorised set \(S'\) without reconstructing \(s\) by executing the protocol given in \hyperref[fig.tga]{Algorithm \ref{fig.tga}}.%\autoref{fig.tga}.
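Review bot: the commented-out paragraph at the end of this hunk still carries the old \hyperref[fig.tga]{Algorithm \ref{fig.tga}} form, followed by a nested %\autoref{fig.tga}; either delete the dead paragraph, since the live text above it restates the same content, or update it to \algoref{fig.tga} so that uncommenting it later does not reintroduce the long form this commit is removing.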
...@@ -189,7 +189,7 @@ Let \(\mathcal R = \set{\left(x,f\right)}\), where \(f\) is a witness for the st ...@@ -189,7 +189,7 @@ Let \(\mathcal R = \set{\left(x,f\right)}\), where \(f\) is a witness for the st
is negligible in the security parameter \(\lambda\), where \(P\) is an oracle that upon input \(\left(x,f\right)\) returns \(\left(\pi,\set{\pi_j}_{j \in I}\right)\) with \(\left(\pi,\set{\pi_j}_{j = 0, \ldots, n}\right)\gets\mathsf{PVP}.P\paren*{f,x}\). is negligible in the security parameter \(\lambda\), where \(P\) is an oracle that upon input \(\left(x,f\right)\) returns \(\left(\pi,\set{\pi_j}_{j \in I}\right)\) with \(\left(\pi,\set{\pi_j}_{j = 0, \ldots, n}\right)\gets\mathsf{PVP}.P\paren*{f,x}\).
\end{definition} \end{definition}
We refer to \cite{DBLP:conf/pqcrypto/BeullensDPV21} for the precise proving and verifying protocols and the security thereof. In combination they state a complete, sound and zero-knowledge non-interactive PVP. We refer to \cite{DBLP:conf/pqcrypto/BeullensDPV21} for the precise proving and verifying protocols and the security thereof. In combination they state a complete, sound and zero-knowledge non-interactive PVP.
A prover can hence show knowledge of a sharing polynomial \(f\) to a secret \(s_0 = f\paren* 0\) with shares \(s_i = f\paren* i\). In Section \ref{sec.kem}, we adjust \cite{DBLP:conf/pqcrypto/BeullensDPV21}'s proving protocol to our setting of threshold schemes, so that knowledge of a subset of interpolation points is proven instead of all interpolation points. \\ A prover can hence show knowledge of a sharing polynomial \(f\) to a secret \(s_0 = f\paren* 0\) with shares \(s_i = f\paren* i\). In \secref{sec.kem}, we adjust \cite{DBLP:conf/pqcrypto/BeullensDPV21}'s proving protocol to our setting of threshold schemes, so that knowledge of a subset of interpolation points is proven instead of all interpolation points. \\
%Let \(\mathcal R= \set{\left(x,f\right)}\) denote the set of statements \(x\) of the form \eqref{eq.pvprelation}, for which \(f\) is a witness polynomial. For a subset \(I \subset \set{1,\ldots, n}\), we denote by \(\mathcal R_I\) the set of partial relations %Let \(\mathcal R= \set{\left(x,f\right)}\) denote the set of statements \(x\) of the form \eqref{eq.pvprelation}, for which \(f\) is a witness polynomial. For a subset \(I \subset \set{1,\ldots, n}\), we denote by \(\mathcal R_I\) the set of partial relations
%\[\set{\left(x_I,f\right)\vert \exists x \colon \left(x,f\right) \in \mathcal R \wedge x_I = x\vert_I},\] %\[\set{\left(x_I,f\right)\vert \exists x \colon \left(x,f\right) \in \mathcal R \wedge x_I = x\vert_I},\]
%where \(x\vert_I\) is the projection of \(x\) to the coordinates contained in \(I\). %where \(x\vert_I\) is the projection of \(x\) to the coordinates contained in \(I\).
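Review bot: in the sentence following the definition, "In combination they state a complete, sound and zero-knowledge non-interactive PVP" should read "they constitute" (or "form"); "state" reads as if the protocols assert the property rather than having it. Also, the oracle \(P\) in the definition returns only \(\set{\pi_j}_{j \in I}\), but nothing in this hunk's context says where the index set \(I\) comes from; check that the part of the definition preceding this hunk introduces \(I\) (and who chooses it), since that restriction is what makes the zero-knowledge notion threshold-specific.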
...@@ -216,14 +216,15 @@ via a hash function \(\mathcal H : \mathcal E^{(2+\lambda)m}\to \set{0,1}^\lambd ...@@ -216,14 +216,15 @@ via a hash function \(\mathcal H : \mathcal E^{(2+\lambda)m}\to \set{0,1}^\lambd
The verification protocol is straight forward: given a statement \(\left(E_i,E'_i\right)_{i=1,\ldots,m}\) and a proof \(\pi = \left(c_1,\ldots, c_\lambda, r_1,\ldots, r_\lambda\right)\), the verifier computes \(\tilde E_{i,j}\gets \left[r_j\right] E_i\) if \(c_j = 0\) and \(\tilde E_{i,j} \gets \left[r_j\right] E'_i\) otherwise, for \(i = 1, \ldots, m\) and \( j = 1, \ldots, \lambda\). He then generates verification bits \(\left(\tilde c_1 ,\ldots \tilde c_\lambda\right) \gets \mathcal H\paren*{E_1, E_1' , \ldots, E_m, E_m', \tilde E_{1,1} \ldots, \tilde E_{m,\lambda}}\) and accepts the proof if \(\left(c_1,\ldots, c_\lambda\right) = \left(\tilde c_1, \ldots, \tilde c_\lambda\right)\). The verification protocol is straight forward: given a statement \(\left(E_i,E'_i\right)_{i=1,\ldots,m}\) and a proof \(\pi = \left(c_1,\ldots, c_\lambda, r_1,\ldots, r_\lambda\right)\), the verifier computes \(\tilde E_{i,j}\gets \left[r_j\right] E_i\) if \(c_j = 0\) and \(\tilde E_{i,j} \gets \left[r_j\right] E'_i\) otherwise, for \(i = 1, \ldots, m\) and \( j = 1, \ldots, \lambda\). He then generates verification bits \(\left(\tilde c_1 ,\ldots \tilde c_\lambda\right) \gets \mathcal H\paren*{E_1, E_1' , \ldots, E_m, E_m', \tilde E_{1,1} \ldots, \tilde E_{m,\lambda}}\) and accepts the proof if \(\left(c_1,\ldots, c_\lambda\right) = \left(\tilde c_1, \ldots, \tilde c_\lambda\right)\).
We sketch the proving and verifying protocols in \hyperref[fig.zkp]{Algorithm \ref{fig.zkp}} and \hyperref[fig.zkv]{Algorithm \ref{fig.zkv}}, respectively. We sketch the proving and verifying protocols in \algoref{fig.zkp} and \algoref{fig.zkv}, respectively.
Again, we refer to \cite{DBLP:conf/asiacrypt/BeullensKV19} for the proof of completeness, soundness and zero-knowledge with respect to the security parameter \(\lambda\).\\ Again, we refer to \cite{DBLP:conf/asiacrypt/BeullensKV19} for the proof of completeness, soundness and zero-knowledge with respect to the security parameter \(\lambda\).\\
%\subsection{The Adversary} %\subsection{The Adversary}
\noindent\textbf{The Adversary.} \noindent\textbf{The Adversary.}
We consider a static and active adversary. At the beginning of a protocol execution, the adversary corrupts a set of shareholders. The adversary is able to see their inputs and control their outputs. The set of corrupted shareholders cannot be changed throughout the execution of the protocol. We consider a static and active adversary. At the beginning of a protocol execution, the adversary corrupts a set of shareholders. The adversary is able to see their inputs and control their outputs. The set of corrupted shareholders cannot be changed throughout the execution of the protocol.
The adversary's aim is two-fold. On the one hand it wants to obtain information on the uncorrupted parties' inputs, on the other hand it wants to falsify the output of the execution of our protocol without being detected.\\ %The adversary's aim is two-fold. On the one hand it wants to obtain information on the uncorrupted parties' inputs, on the other hand it wants to falsify the output of the execution of our protocol without being detected.\\
The adversary's aim is two-fold. On the one hand it wants to obtain information on the uncorrupted parties' inputs, on the other hand it wants to manipulate the execution of our protocol towards an incorrect output without detection.\\
%\subsection{Communication channels} %\subsection{Communication channels}
\noindent\textbf{Communication Channels.} \noindent\textbf{Communication Channels.}
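Review bot: the rewording of the adversary's goal ("manipulate the execution ... towards an incorrect output without detection") is the better formulation, but the superseded sentence is kept as a % comment rather than deleted; git already records it, so remove it. Two wording points in this hunk's unchanged context: "The verification protocol is straight forward" should be "straightforward", and "He then generates verification bits" would read better as "The verifier then generates verification bits".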
......
\section{Actively Secure Secret Shared Signature Protocols}\label{sec.signatures} \section{Actively Secure Secret Shared Signature Protocols}\label{sec.signatures}
We convert the key exchange mechanism in \hyperref[fig.keygen]{Algorithm \ref{fig.keygen}}, \hyperref[fig.encaps]{Algorithm \ref{fig.encaps}} and \hyperref[fig.decaps]{Algorithm \ref{fig.decaps}} into an actively secure signature scheme with secret shared signing key. We concede, that applying active security measures to a signature scheme to ensure the correctness of the resulting signature is counter-intuitive, since the correctness of a signature can easily be checked through the verifying protocol. Yet verification returning \(\false\) only shows that the signature is incorrect, a misbehaving shareholder cannot be identified this way. An actively secure signature scheme achieves just that. An identified cheating shareholder can hence be excluded from future runs of the signing protocol. We convert the key exchange mechanism in \algoref{fig.keygen}, \algoref{fig.encaps} and \algoref{fig.decaps} into an actively secure signature scheme with secret shared signing key. We concede, that applying active security measures to a signature scheme to ensure the correctness of the resulting signature is counter-intuitive, since the correctness of a signature can easily be checked through the verifying protocol. Yet verification returning \(\false\) only shows that the signature is incorrect, a misbehaving shareholder cannot be identified this way. An actively secure signature scheme achieves just that. An identified cheating shareholder can hence be excluded from future runs of the signing protocol.
A signature scheme consists of three protocols: key generation, signing and verifying. We transfer the unmodified key generation protocol from the key exchange mechnism in \hyperref[sec.kem]{Section \ref{sec.kem}} to our signature scheme. The signing protocol is derived from the decapsulation protocol (\hyperref[fig.decaps]{Algorithm \ref{fig.decaps}}) by applying the Fiat-Shamir-transformation, the verifying protocol follows straightforward. The protocols are given in \hyperref[fig.sign]{Algorithm \ref{fig.sign}} and \hyperref[fig.ver]{Algorithm \ref{fig.ver}}. A signature scheme consists of three protocols: key generation, signing and verifying. We transfer the unmodified key generation protocol from the key exchange mechnism in \secref{sec.kem} to our signature scheme. The signing protocol is derived from the decapsulation protocol (\algoref{fig.decaps}) by applying the Fiat-Shamir-transformation, the verifying protocol follows straightforward. The protocols are given in \algoref{fig.sign} and \algoref{fig.ver}.
Similar to \cite{DBLP:conf/asiacrypt/BeullensKV19}, the results from \cite{DBLP:conf/crypto/DonFMS19} on Fiat-Shamir in the QROM can be applied to our setting as follows. First, in the case without hashing, since the sigma protocol has special soundness \cite{DBLP:conf/asiacrypt/BeullensKV19} and in our case perfect unique reponses, \cite{DBLP:conf/crypto/DonFMS19} shows that the protocol is a quantum proof of knowledge. Further, in the case with hashing, the collapsingness property implies that the protocol has unique responses in a quantum scenario.\\ Similar to \cite{DBLP:conf/asiacrypt/BeullensKV19}, the results from \cite{DBLP:conf/crypto/DonFMS19} on Fiat-Shamir in the QROM can be applied to our setting as follows. First, in the case without hashing, since the sigma protocol has special soundness \cite{DBLP:conf/asiacrypt/BeullensKV19} and in our case perfect unique reponses, \cite{DBLP:conf/crypto/DonFMS19} shows that the protocol is a quantum proof of knowledge. Further, in the case with hashing, the collapsingness property implies that the protocol has unique responses in a quantum scenario.\\
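Review bot: typos in this hunk's text: "mechnism" should be "mechanism" (second paragraph), "reponses" should be "responses" (third paragraph), and "the verifying protocol follows straightforward" should be "follows straightforwardly". Also drop the comma in "We concede, that applying", and write "Fiat-Shamir transformation" rather than "Fiat-Shamir-transformation". Separately, the third paragraph asserts that the signing protocol has "perfect unique responses", which is the property the Don et al. result hinges on, but gives no pointer to where this is shown for the threshold variant; a label to the corresponding lemma (or a one-line argument) would make the QROM claim checkable.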
......