Commit 95ae7b51 authored by Philipp Muth's avatar Philipp Muth

moved s_ij to f_i(j)

parent 94b23977
\newif\ifpublic
\publictrue
\newif\ifshamir
\shamirtrue
%\documentclass[conference]{IEEEtran}
\documentclass[runningheads]{llncs}
......
......@@ -2,6 +2,181 @@
\renewcommand{\thesection}{\Alph{section}}
\section{Algorithms}\label{sec.algorithms}
\ifshamir
\begin{algorithm}
\DontPrintSemicolon
\SetAlgoShortEnd
\SetAlgoVlined
\SetInd{0.5em}{1em}
\KwIn{$E, S'$}
$\assignTo{E^0}{E}$\;
$\assignTo{k}{0}$\;
\For{$P_i \in S'$}{
\If{$E^k \not \in \mathcal E$}{
$P_i \text{ outputs } \bot \text{ and aborts.}$\;
}\Else{
$\assignTo{k}{k+1}$\;
$P_i \text{ outputs }E^k \gets \left[L_{i,S'} s_i \right] E^{k-1}$\;
}
}
\Return{$E^k$}
\caption{Threshold group action}
\label{fig.tga}
\end{algorithm}
\begin{algorithm}
\DontPrintSemicolon
\SetAlgoShortEnd
\SetAlgoVlined
\SetInd{0.5em}{1em}
\KwIn{$s, \left(E_i,E_i'\right)_{i=1,\ldots, m} $}
\For{$j = 1,\ldots, \lambda$}{
$b_j \sample \Z_p$\;
\For{$i=1,\ldots, m$}{
$\hat E_{ij} \gets \left[b_j\right]E_i$\;
}
}
$\left(c_1,\ldots, c_\lambda\right) \gets \mathcal H\paren*{E_1, E_1', \ldots, E_m,E_m', \hat E_{1,1}, \ldots, \hat E_{m,\lambda}}$\;
\For{$j = 1, \ldots, m$}{
$r_j \gets b_j - c_j s$\;
}
\Return {$\pi \gets\left(c_1,\ldots, c_\lambda, r_1,\ldots, r_\lambda\right)$}
\caption{The ZK proving protocol for the GAIP}
\label{fig.zkp}
\end{algorithm}
\begin{algorithm}
\DontPrintSemicolon
\SetAlgoShortEnd
\SetAlgoVlined
\KwIn{$\pi, \left(E_i,E_i'\right)_{i=1,\ldots, m} $}
Parse $\left(c_1,\ldots, c_\lambda,r_1,\ldots, r_\lambda\right) \gets \pi$\;
\For{$i=1,\ldots, m \text{ and } j = 1,\ldots, \lambda$}{
\If{$c_j == 0$}{
$\tilde E_{i,j} \gets \left[r_j\right] E_i$\;
}
\Else{
$\tilde E_{i,j} \gets \left[r_j\right] E_i'$\;
}
}
$\left(c'_1,\ldots, c'_\lambda\right)\gets \mathcal H\paren*{E_1,E_1', \ldots, E_m,E_m',\tilde E_{1,1},\ldots, \tilde E_{m,\lambda}}$\;
\Return {$\left(c_1,\ldots, c_\lambda\right) == \left(c'_1,\ldots, c'_\lambda\right)$}
\SetInd{0.5em}{1em}
\caption{The ZK verifying protocol for the GAIP}
\label{fig.zkv}
\end{algorithm}
\begin{algorithm}
\DontPrintSemicolon
\SetAlgoShortEnd
\SetAlgoVlined
\SetInd{0.5em}{1em}
\KwIn{$i, f, S^\ast, \left((E_0,E_1), \left(f_i \paren j\right)_{P_j \in S^\ast}\right)$}
%\KwOut{a public message $M$}
\For{$l \in 1, \ldots, \lambda$}{
$b_l \sample \Z_N [x]_{\leq k-1}$\;
$\hat{E}_l \gets \left[ b_l\paren* 0\right] E_0$\;
}
$y_0, y_0' \sample \set{0,1}^\lambda$\;
$C_0 \gets \mathcal C\paren*{\hat{E}_1 \concat \ldots \concat \hat{E}_\lambda, y_0}$\;
$C_0' \gets \mathcal C \paren*{E_0\concat E_1, y_0'}$\;
\For{$P_j \in S^\ast$}{
$y_j, y_j' \sample \set{0,1}^\lambda$\;
$C_j \gets \mathcal C\paren*{b_1\paren* j \concat \ldots\concat b_\lambda\paren*j, y_j}$\;
$C_j'\gets \mathcal C\paren*{L_{i,S^\ast} \cdot f_i\paren j, y_j'}$\;
}
$C \gets \left(C_j\right)_{P_j \in S^\ast}$\;
$C'\gets \left(C_j'\right)_{P_j \in S^\ast}$\;
$c_1, \ldots, c_\lambda \gets \mathcal H\paren*{C,C'}$\;
\For{$l \in 1, \ldots, \lambda$}{
$r_l \gets b_l - c_l \cdot L_{i,S^\ast}\cdot f$\;
}
$\mathbf{r} \gets \left(r_1, \ldots, r_\lambda\right)$\;
$\left(\pi,\set{\pi_j}_{P_j \in S^\ast}\right) \gets\left( \left(C,C',\mathbf{r}\right), \set{ \left( y_j,y_j'\right)}_{P_j \in S^\ast}\right)$\;
\Return{$\left(\pi,\set{\pi_j}_{P_j \in S^\ast}\right)$}
\caption{Proving protocol of the threshold PVP}
\label{fig.tpvpp}
\end{algorithm}
\begin{algorithm}
\DontPrintSemicolon
\SetAlgoShortEnd
\SetAlgoVlined
\SetInd{0.5em}{1em}
\KwIn{$i,j,S^\ast,x_j, \left(\pi,\pi_j\right)$}
$\text{parse } \left(C,C',\mathbf r\right) \gets \pi$\;
$\text{parse } \left(y_j, y_j'\right) \gets \pi_j$\;
$c_1, \ldots, c_\lambda \gets \mathcal H \paren*{C,C'}$\;
\If{$j == 0$}{
\If{$C'_j \neq \mathcal C \left(x_j , y'_j\right)$}{
\Return{$\false$}
}
\For{$l \in 1, \ldots, \lambda$}{
$\tilde{E}_l \gets \left[ r_l\paren*0\right] E_{c_l}$\;
}
\Return{$C_0 == \mathcal C\paren*{\tilde{E}_1 \concat \ldots \concat \tilde{E}_\lambda, y_0}$}
}
\Else{
\If{$C'_j \neq \mathcal C \paren*{L_{i,S^\ast} x_j , y'_j}$}{
\Return{$\false$}
}
\Return{$C_j == \mathcal C\paren*{r_1 \paren* j + c_1 \cdot L_{i,S^\ast}\cdot x_j \concat \ldots\concat r_\lambda\paren* j + c_\lambda \cdot L_{i,S^\ast}\cdot x_j,y_j}$}
}
\caption{Verifying protocol of the threshold PVP}
\label{fig.tpvpv}
\end{algorithm}
\begin{algorithm}
\DontPrintSemicolon
\SetAlgoShortEnd
\SetAlgoVlined
\SetInd{.5em}{1em}
\KwIn{$\mathcal S$}
$b \sample \bin$\;
$S^\ast \sample \Gamma^+$\;
$S'\sample 2^{S^\ast} \setminus \Gamma$\;
$\left(\set{s_i, f_i, f_j\paren i}_{P_i,P_j \in S},\pk\right) \gets \mathsf{KeyGen}\paren* {\mathcal S}$\;
$\left(\mathcal K, c\right) \gets \mathsf{Encaps}\paren*{\pk}$\;
$t_0 \gets \simul\paren*{\mathcal K, c, \set{s_i, f_i, f_j\paren i}_{P_i \in S',P_j \in S}}$\;
$E^0 \gets E_0$, $k \gets 0$\;
\For {$P_i \in S^\ast$}{
$k \gets k+1$\;
$E^k \gets \left[L_{i,S^\ast}s_i\right] E^{k-1}$\;
$R_k \sample \mathcal E$\;
$R_k ' \gets \left[L_{i,S^\ast}s_i\right] R_k$\;
$\left(\pi^k,\set{\pi^k_j}_{P_j \in S^\ast}\right) \gets \mathsf{PVP}.P\paren*{i,f_i,S^\ast,\left(\left(R_k,R_k'\right),\left(L_{i,S^\ast}f_i\paren j\right)_{P_j\in S^\ast}\right)}$\;
$zk^k \gets \mathsf{ZK}.P\paren*{\left(R_k,R_k'\right), \left(E^{k-1},E^k\right), L_{i,S^\ast}s_i}$\;
}
$t_1 \gets \left(E^k,\left(\pi^k, \set{\pi_j^k}_{P_j \in S^\ast}\right), zk^k \right)_{k=1, \ldots, \# S^\ast}$\;
$b' \gets \adv\paren*{t_b}$\;
\Return{$b == b'$}\;
\caption{The security game $\mathsf{Exp}^\text{dist-transcript}_{\adv,\simul}\paren*{S}$}
\label{fig.disttranscript}
\end{algorithm}
\begin{algorithm}
\DontPrintSemicolon
\SetAlgoShortEnd
\SetAlgoVlined
\SetInd{0.5em}{1em}
\KwIn{$m,s,\pk$}
$\text{parse } \left(c_1,\ldots, c_\lambda, z_1,\ldots, z_\lambda\right) \gets s$\;
\For{$j = 1, \ldots, \lambda$}{
\If{$c_j == 0$}{
$E'_j \gets \left[z_j\right] E_0 = \left[\sum_{P_i\in S^\ast} b_{ij}\right] E_0$\;
}
\Else{
$E'_j \gets \left[z_j\right] \pk = \left[\sum_{P_i\in S^\ast} b_{ij} - L_{i,S^\ast}s_i + s\right] E_0$\;
}
}
$\left(c'_1,\ldots,c'_\lambda\right)\gets \mathcal H\paren*{E'_1,\ldots, E'_\lambda, m}$\;
\Return{$\left(c_1,\ldots, c_\lambda\right) == \left(c'_1,\ldots, c'_\lambda\right)$}
\caption{Signature verification protocol}
\label{fig.ver}
\end{algorithm}
\else
\begin{algorithm}
\DontPrintSemicolon
\SetAlgoShortEnd
......@@ -176,5 +351,7 @@
\end{algorithm}
\fi
\end{subappendices}
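Review bot: In the new threshold PVP prover (Algorithm `fig.tpvpp`) the index-0 commitments never leave the prover: L95–L96 compute `C_0` and `C_0'`, but L102–L103 aggregate only `(C_j)_{P_j \in S^\ast}` / `(C_j')_{P_j \in S^\ast}` and L109 emits openings `(y_j,y_j')` for `P_j \in S^\ast` only, so the challenge `H(C,C')` at L104 is not bound to `\hat E_l` or `(E_0,E_1)`, and the verifier's `j == 0` branch (L124–L130) has no `C_0`, `C_0'`, `y_0`, `y_0'` to check — exactly the binding that the soundness argument for the curve part of the statement needs. I would change L102–L103 to `$C \gets \left(C_0, \left(C_j\right)_{P_j \in S^\ast}\right)$\;` and `$C'\gets \left(C_0', \left(C_j'\right)_{P_j \in S^\ast}\right)$\;`, and L109–L110 to return `\set{\pi_j}_{P_j \in S^\ast \cup \set{0}}` with `\pi_0 = (y_0,y_0')`, which also matches how Algorithm `fig.decaps` calls `\mathsf{PVP}.V(i,0,\ldots,(\pi^k,\pi^k_0))`. In Algorithm `fig.zkp`, L56 iterates `\For{$j = 1, \ldots, m$}` although there are `\lambda` challenges `b_j` and the proof returns `r_1,\ldots,r_\lambda` (L59); it should read `\For{$j = 1, \ldots, \lambda$}`. The sampling domain at L91 is written `\Z_N [x]_{\leq k-1}` while every other algorithm uses `\Z_p`; since the modulus is the order of the acting group, the symbol should be unified so the reader can check that the Lagrange coefficients and the blinding polynomials live in the same ring.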
......@@ -19,6 +19,35 @@ We give our key exchange mechanism in the context of Shamir's secret sharing sch
%\subsection{Key Generation}
\noindent\textbf{Key Generation.}
\ifshamir
\todo{koennen wir den shareholdern nicht einfach ihr Polynom geben? (gleicher Informationsgehalt)}
A public and secret key pair is established by a trusted dealer (even an untrusted dealer is feasible by employing verifiable secret sharing schemes) executing \algoref{fig.keygen}. For that he samples a secret key \(s\) and publishes the public key \(\pk \gets [s] E_0\). The secret key \(s\) is then shared among the \(\set{P_1, \ldots, P_n}\) via \(\mathcal S.\share\paren*s\). The dealer shares each share \(s_i\), \(i=1,\ldots, n\), once more with a sharing polynomial \(f_i\). Each shareholder \(P_i\), \(i=1,\ldots, n\), eventually receives \(s_i\), \(f_i\) and \(f_k\paren* i\), that is his share \(s_i\) of \(s\), the polynomial \(f_i\) and a share \(f_j\paren* i\) of each other \(s_j\), \(j \neq i\).
\begin{algorithm}
\DontPrintSemicolon
\SetAlgoShortEnd
\SetAlgoVlined
\KwIn{$\mathcal S$}
\SetInd{0.5em}{1em}
%\KwIn{$i,j,S',x_j, \left(\pi,\pi_j\right)$}
%\KwOut{a public message $M$}
$s \sample \Z_p$\;
$\assignTo{\pk}{\left[ s\right] E_0}$\;
$\set{s_1,\ldots, s_n}\gets \mathcal S.\share\paren* s$\;
\For{$i = 1, \ldots, n$}{
$f_i \sample \Z_p : f_i\paren* 0 = s_i$\;
%$\set{s_{i1}, \ldots, s_{in}} \gets \mathcal S.\share \paren*{s_i}$\;
}
$\text{publish } \pk$\;
\For{$i = 1, \ldots, n$}{
$\text{send } \set{s_i, \set{f_{j}\paren* i}_{j = 1,\ldots, n}} ,f_i \text{ to } P_i$\;
}
%\Return{$E^k$}
\caption{Key generation}
\label{fig.keygen}
\end{algorithm}
\else
\todo{koennen wir den shareholdern nicht einfach ihr Polynom geben? (gleicher Informationsgehalt)}
A public and secret key pair is established by a trusted dealer (even an untrusted dealer is feasible by employing verifiable secret sharing schemes) executing \algoref{fig.keygen}. For that he samples a secret key \(s\) and publishes the public key \(\pk \gets [s] E_0\). The secret key \(s\) is then shared among the \(\set{P_1, \ldots, P_n}\) via \(\mathcal S.\share\paren*s\). The dealer shares each share \(s_i\), \(i=1,\ldots, n\), once more. Each shareholder \(P_i\), \(i=1,\ldots, n\), eventually receives \(s_i\), \(\set{s_{ji}, s_{ij}}_{j=1,\ldots, n}\), that is his share \(s_i\) of \(s\), the sharing of \(s_i\) and a share of other \(s_j\), \(j \neq i\).
\begin{algorithm}
......@@ -43,7 +72,7 @@ A public and secret key pair is established by a trusted dealer (even an untrust
\caption{Key generation}
\label{fig.keygen}
\end{algorithm}
\fi
\begin{comment}
We assume the existence of a trusted dealer, yet even an untrusted dealer can be accommodated with little overhead. For key generation, the dealer samples the secret key \(s \in \Z_p\) and publishes the public key \(\pk \gets [s] E_0\). The secret key \(s\) is shared via \(\left(s_1, \ldots, s_n\right)\gets \mathcal S.\share\paren* s\). Then, each share \(s_i\), \(1 \leq i \leq n\), is shared once more, resulting in \(n\) sets of \(n\) shares each.
......@@ -55,7 +84,8 @@ thus each shareholder \(P_i\) receives his share \(s_i\) of the secret key \(s\)
For ease of notation we denote the polynomial with which the secret key \(s\) was shared by \(f\) and the polynomial with which \(s_i\) was shared by \(f_i\), where \(i =1 , \ldots, n\).
\end{comment}
This key generation protocol can be regarded as a "two-level sharing", where each share of the secret key is itself shared again among the shareholders.\\
\todo{added motivation}
This key generation protocol can be regarded as a "two-level sharing", where each share of the secret key is itself shared again among the shareholders. While this is not necessary for De Feo and Meyer's passively secure protocol, we require the two-level sharing in ensuring the active security of our key encapsulation mechanism.\\
%A sketch of it can be found in \hyperref[fig.keygen]{Algorithm \ref{fig.keygen}}.\\
% \begin{figure}
% \procedure[space = auto]{$\mathsf{KeyGen}$}{
......@@ -131,6 +161,16 @@ This approach does not agree with the threshold group action, for which a shareh
%\todo{kick or shorten to remark?}
\begin{example}
Let \(\sk\) be a secret key generated and shared by \(\mathsf{KeyGen}\). That is each shareholder \(P_i\) holds
\ifshamir
\[\set{s_i, f_i, \set{f_j\paren* i}_{P_j \in S}}.\]
Also let \(S'\in \Gamma\) be a minimally authorised set executing \algoref{fig.tga}, i.e., for any \(P_i \in S'\), \(S' \setminus \set{P_i}\) is unauthorised. Thus, for any arbitrary but fixed \(s_i'\in \Z_p\), there exists a polynomial \(f'_i\in \Z_p\left[X\right]_{k-1}\) so that \(f'_i \paren* j = L_{i,S'} f_i\paren* j\) and \(R' = \left[f'_i \paren* 0\right] R\) for any \(R,R' \in \mathcal E\) and all \(P_j\in S'\setminus \set{P_i}\). Therefore, \(P_i\) can publish
\begin{align*}
\left(\pi,\set{\pi_j}_{P_j \in S}\right) \gets& \mathsf{PVP}.P\paren*{\left(\left(R,R'\right), \left(L_{i,S'} f_i\paren* j\right)_{P_j \in S}\right), f_i'}
\end{align*}
which to \(S'\setminus \set{P_i}\) is indistinguishable from
\[\mathsf{PVP}.P\paren*{\left(\left(E_0,E_1\right), \left(L_{i,S'} f_i\paren* j\right)_{P_j \in S}\right), L_{i,S'}f_i}\]
with \(E_0 \sample \mathcal E\) and \(E_1 = \left[L_{i,S'} s_i\right] E_0\). Thus, for a minimally authorised set \(S'\), the soundness of the PVP does not hold with respect to \(P_i\in S'\) and \(f_i\).
\else
\[\set{s_i, \set{s_{ij}}_{P_j \in S}, \set{s_{ji}}_{P_j \in S}}.\]
Also let \(S'\in \Gamma\) be a minimally authorised set executing \algoref{fig.tga}, i.e., for any \(P_i \in S'\), \(S' \setminus \set{P_i}\) is unauthorised. Thus, for any arbitrary but fixed \(s_i'\in \Z_p\), there exists a polynomial \(f'_i\in \Z_p\left[X\right]_{k-1}\) so that \(f'_i \paren* j = L_{i,S'} s_{ij}\) and \(R' = \left[f'_i \paren* 0\right] R\) for any \(R,R' \in \mathcal E\). Therefore, \(P_i\) can publish \(\left(\pi,\set{\pi_j}_{P_j \in S'}\right)\) with
\begin{align*}
......@@ -139,16 +179,24 @@ This approach does not agree with the threshold group action, for which a shareh
which to \(S'\setminus \set{P_i}\) is indistinguishable from
\[\mathsf{PVP}.P\paren*{\left(\left(E_0,E_1\right), \left(L_{i,S'} s_{ij}\right)_{P_j \in S}\right), L_{i,S'}f_i}\]
with \(E_0 \sample \mathcal E\) and \(E_1 = \left[L_{i,S'} s_i\right] E_0\). Thus, for a minimally authorised set \(S'\), the soundness of the PVP does not hold with respect to \(P_i\in S'\) and \(f_i\).
\fi
\label{example.conflict}\end{example}
We resolve the conflicts by amending \cite{DBLP:conf/pqcrypto/BeullensDPV21}'s PVP protocol, so that, for a superauthorised set \(S^\ast\), a shareholder \(P_i \in S^\ast\) proves knowledge of a witness polynomial \(L_{i,S^\ast}f_i\) for a statement
%\[\left(\left(R,R'\right),\left( L_{i,S^\ast} s_{ij}\right)_{P_j \in S^\ast}\right),\]
%\todo{conflict solved?}
%\[\paren*{\left(R,R'\right),\left( L_{i,S^\ast} s_{ij}\right)_{P_j \in S^\ast}},\]
\ifshamir
\[\paren*{\left(R,R'\right),\left(f_i\paren j\right)_{P_j \in S^\ast}},\]
where \(R\sample\mathcal E\), \(R' = \left[L_{i,S^\ast} f_i\paren 0\right] R = \left[L_{i,S^\ast} s_i\right] R\).
The inputs of our amended proving protocol are the proving shareholder's index \(i\), the witness polynomial \(f_i\), the superauthorised set \(S^\ast \in\Gamma^+\) and the statement \(\left(\left(R,R'\right), \left( f_i\paren j\right)_{P_j\in S^\ast}\right)\). The protocol can be found in \algoref{fig.tpvpp}, in which \(\mathcal C\) denotes a commitment scheme.
The verifying protocol in turn has the prover's and the verifier's indices \(i\) and \(j\), respectively, a set \(S^\ast\in\Gamma^+\), a statement piece \(x_j\) and a proof piece \(\left(\pi,\pi_j\right)\) as input, where \(x_j = \left(R,R'\right)\in\mathcal E^2\) if \(j=0\) and \(x_j\in\Z_p\) otherwise. The verifying protocol is given in \algoref{fig.tpvpv}.
\else
\[\paren*{\left(R,R'\right),\left(s_{ij}\right)_{P_j \in S^\ast}},\]
where \(R\sample\mathcal E\), \(R' = \left[L_{i,S^\ast} s_i\right] R\), \(s_{ij} = f_i\paren* j\) for \(P_j\in S^\ast\) and \(s_i = f_i\paren* 0\).
The inputs of our amended proving protocol are the proving shareholder's index \(i\), the witness polynomial \(f\), the superauthorised set \(S^\ast \in\Gamma^+\) and the statement \(\left(\left(R,R'\right), \left( s_{ij}\right)_{P_j\in S^\ast}\right)\). The protocol can be found in \algoref{fig.tpvpp}, in which \(\mathcal C\) denotes a commitment scheme.
The verifying protocol in turn has the prover's and the verifier's indices \(i\) and \(j\), respectively, a set \(S^\ast\in\Gamma^+\), a statement piece \(x_j\) and a proof piece \(\left(\pi,\pi_j\right)\) as input, where \(x_j = \left(R,R'\right)\in\mathcal E^2\) if \(j=0\) and \(x_j\in\Z_p\) otherwise. The verifying protocol is given in \algoref{fig.tpvpv}.
\fi
The definitions of soundness and zero-knowledge for a threshold PVP scheme carry over from the non-threshold setting in \secref{sec.prelim} intuitively, yet we restate the completeness definition for the threshold setting.
\begin{definition}[Completeness in the threshold setting]
......@@ -219,12 +267,24 @@ We arrive at our decapsulation protocol, executed by a superauthorised set \(S^\
\item If the previous shareholder's output \(E^{k-1}\) is not in \(\mathcal E\), \(P_i\) outputs \(\bot\) and aborts. The first shareholder's input \(E^0\) is the protocol's input ciphertext \(c\).
\item Otherwise \(P_i\) samples \(R_k \sample \mathcal E\) and computes \(R_k' \gets \left[L_{i,S^\ast} s_i\right]R_k\).
\item\label{step.pvp} \(P_i\) computes and publishes
$$\left(\pi^k,\set{\pi^k_j}_{P_j\in S^\ast}\right) \gets \mathsf{PVP}.P \paren*{i,f_i,S^\ast,\left(\left(R_k,R_k'\right), \left(s_{ij}\right)_{P_j\in S^\ast}\right)}.$$
\item\label{step.zk} \(P_i\) computes \(E^k \gets \left[L_{i,S^\ast} s_i\right] E^{k-1}\) and the zero-knowledge proof \(zk \gets \mathsf{ZK}.P \paren*{\left(R_k,R_k'\right), \left(E^{k-1}, E^k\right), L_{i,S^\ast} s_i}\). He publishes both.
\ifshamir
\[\left(\pi^k,\set{\pi^k_j}_{P_j\in S^\ast}\right) \gets \mathsf{PVP}.P \paren*{i,f_i,S^\ast,\left(\left(R_k,R_k'\right), \left(f_i \paren j\right)_{P_j\in S^\ast}\right)}.\]
\else
\[\left(\pi^k,\set{\pi^k_j}_{P_j\in S^\ast}\right) \gets \mathsf{PVP}.P \paren*{i,f_i,S^\ast,\left(\left(R_k,R_k'\right), \left(s_{ij}\right)_{P_j\in S^\ast}\right)}.\]
\fi
\item\label{step.zk} \(P_i\) computes \(E^k \gets \left[L_{i,S^\ast} s_i\right] E^{k-1}\) and the zero-knowledge proof
\[zk \gets \mathsf{ZK}.P \paren*{\left(R_k,R_k'\right), \left(E^{k-1}, E^k\right), L_{i,S^\ast} s_i}.\]
He publishes both.
\item Each shareholder \(P_j \in S^\ast\setminus\set{P_i}\) verifies
\ifshamir
\begin{equation}
\mathsf{PVP}.V \paren*{i, j,S^\ast,f_i\paren j,\left(\pi^k,\pi^k_j\right)} \wedge \mathsf{PVP}.V\paren*{i,0,S^\ast,\left(R_k,R_k'\right),\left(\pi^k,\pi_0^k\right)}
\label{eq.ver1}\end{equation}
\else
\begin{equation}
\mathsf{PVP}.V \paren*{i, j,S^\ast,s_{ij},\left(\pi^k,\pi^k_j\right)} \wedge \mathsf{PVP}.V\paren*{i,0,S^\ast,\left(R_k,R_k'\right),\left(\pi^k,\pi_0^k\right)}
\label{eq.ver1}\end{equation}
\fi
and
\begin{equation}
\mathsf{ZK}.V\paren*{\left(R_k,R_k'\right), \left(E^{k-1},E^k\right), zk}.
......@@ -274,6 +334,50 @@ The combination of the PVP and the zero-knowledge proof in steps \ref{step.pvp}
% \end{figure}
\ifshamir
\begin{algorithm}[t]
\DontPrintSemicolon
\SetAlgoShortEnd
\SetAlgoVlined
\SetInd{0.5em}{1em}
\KwIn{$c, S^\ast$}
$E^0 \gets c$\;
$k \gets 0$\;
\For{$P_i \in S^\ast$}{
\If{$E^k \not \in\mathcal E$}{
$P_i \text{ outputs } \bot \text{ and aborts.}$\;
}
$k \gets k+1$\;
$R_k \sample \mathcal E$\;
$R_k' \gets \left[L_{i,S^\ast} s_i\right]R_k$\;
$\left(\pi^k,\set{\pi^k_j}_{P_j \in S^\ast}\right) \gets \mathsf{PVP}.P\left(i,f_i,S^\ast,((R_k,R_k'),(f_i\paren j)_{P_j\in S^\ast})\right)$\;
$P_i \text{ publishes } \left(R_k,R_k'\right) \text{ and }\left(\pi^k,\set{\pi^k_j}_{P_j \in S^\ast}\right)$\;
$E^k \gets \left[L_{i,S^\ast} s_i \right]E^{k-1}$\;
$zk^k \gets \mathsf{ZK}.P\paren*{\left(R_k,R'_k\right),\left(E^{k-1},E^k\right), L_{i,S^\ast} s_i}$\;
$P_i \text{ publishes } \left(E^k, zk^k\right)$\;
\For{$P_j \in S^\ast \setminus \set{P_i}$}{
\If{$\mathsf{ZK}.V\paren*{\left(R_k,R_k'\right),\left(E^{k-1},E^k\right),zk} = \false$}{
\Return{$\mathsf{Decapsulation}\paren*{c,{S^\ast}'} \text{ with } {S^\ast}' \in \Gamma \wedge P_i \not \in {S^\ast}'$}
}
%$\text{Each } P_j \in S^\ast\setminus\set{P_i} \text{ checks }$\;
%$b_j \gets \mathsf{PVP}.V\paren*{i, j,S^\ast,L_{i,S^\ast} s_{ij},\left(\pi^k,\pi^k_j\right)}$\;
\If{$\mathsf{PVP}.V\paren*{i, j,S^\ast, f_i\paren j,\left(\pi^k,\pi^k_j\right)} = \false \vee$ $\mathsf{PVP}.V\paren*{i,0,S^\ast,\left(R_k,R_k'\right),\left(\pi^k,\pi_0^k\right)} = \false$}{
%\If{$b_j = \false \text{ for some } P_j$}{
$P_j \text{ publishes } f_i \paren j$\;
\If{$ P_i \text{ is convicted}$}{
\Return{$\mathsf{Decapsulation}\paren*{c,{S^\ast}'} \text{ with } {S^\ast}' \in \Gamma \wedge P_i \not \in {S^\ast}'$}
}
}
%$\text{Each } P_j \in S^\ast\setminus\set{P_i} \text{ checks }$\;
}
}
\Return{$\mathcal K \gets E^k$}
\caption{Decapsulation}
\label{fig.decaps}
\end{algorithm}
\else
\begin{algorithm}[t]
\DontPrintSemicolon
\SetAlgoShortEnd
......@@ -316,6 +420,7 @@ The combination of the PVP and the zero-knowledge proof in steps \ref{step.pvp}
\caption{Decapsulation}
\label{fig.decaps}
\end{algorithm}
\fi
......@@ -348,11 +453,19 @@ There are two aspects of security to consider:
\begin{proof}
Let \(P_{i'}\) be the malicious shareholder and let \(k'\) be the index of \(P_{i'}\)'s output in the transcript. Since \(\mathsf{Decaps}\paren*{c,S^\ast}\) terminated successfully, we have
\ifshamir
\begin{align}
\mathsf{PVP}.V\paren*{i', j,S^\ast, f_{i'}\paren j, \left(\pi^{k'},\pi^{k'}_j\right)} =& \true\label{eq.pvp1}\\
\mathsf{PVP}.V\paren*{i', 0,S^\ast, \left(R_{k'},R_{k'}' \right), \left(\pi^{k'},\pi^{k'}_0\right)} =& \true\label{eq.pvp2}\\
\mathsf{ZK}.V\paren*{\left(E^{k'-1},E^{k'}\right), \left(R_{k'}, R_{k'}'\right), zk^{k'}} =& \true \label{eq.zk}
\end{align}
\else
\begin{align}
\mathsf{PVP}.V\paren*{i', j,S^\ast, s_{i'j}, \left(\pi^{k'},\pi^{k'}_j\right)} =& \true\label{eq.pvp1}\\
\mathsf{PVP}.V\paren*{i', 0,S^\ast, \left(R_{k'},R_{k'}' \right), \left(\pi^{k'},\pi^{k'}_0\right)} =& \true\label{eq.pvp2}\\
\mathsf{ZK}.V\paren*{\left(E^{k'-1},E^{k'}\right), \left(R_{k'}, R_{k'}'\right), zk^{k'}} =& \true \label{eq.zk}
\end{align}
\fi
for all \(P_j \in S^\ast\setminus\set{P_{i'}}\). \(E^{k'}\) was generated dishonestly, thus we have
\[ E^{k'} = \left[\alpha\right] E^{k'-1}, \text{\ for some\ } \alpha \neq L_{i',S^\ast} s_{i'}.\]
We distinguish two cases: \(R_{k'}' \neq \left[\alpha\right] R_{k'}\) and \(R_{k'}' = \left[\alpha\right] R_{k'}\).
......@@ -360,12 +473,21 @@ There are two aspects of security to consider:
In the first case, \(P_{i'}\) published a zero-knowledge proof \(zk^{k'}\) so that \eqref{eq.zk} holds, where \(E^{k'} = \left[\alpha\right] E^{k'-1}\) yet \(R_{k'}' \neq \left[\alpha\right] R_{k'}\). \(P_{i'}\) thus broke the soundness property of the zero-knowledge proof.
In the second case, \(P_{i'}\) published \(\left(\pi^{k'},\set{\pi_{j}^{k'}}_{P_j \in S^\ast}\right)\) so that \eqref{eq.pvp1} and \eqref{eq.pvp2} hold for all \(P_j \in S^\ast\setminus \set{P_{i'}}\) and for \(j=0\). Thus, \(P_{i'}\) proved knowledge of a witness polynomial \(f'\) with
\ifshamir
\begin{equation}
f'\paren* j = L_{i',S^\ast} f_{i'}\paren j
\label{eq.interpol}\end{equation}
for all \(P_j \in S^\ast\setminus\set{P_{i'}}\) and \( R_{k'}' = \left[f'\paren* 0\right] R_{k'}\), that is
\(f'\paren* 0 = \alpha.\)
Since \(f'\) has degree at most \(k-1\), it is well-defined from \eqref{eq.interpol}. Thus, we have \(f' \equiv L_{i',S^\ast} f_{i'}\), where \(f_{i'}\) is the polynomial with which \(s_{i'}\) was shared, i.e., \(f_{i'} \paren* 0 = s_{i'}\). This gives us \(\alpha = f' \paren* 0 = L_{i',S^\ast} f_{i'} \paren* 0 = L_{i',S^\ast} s_{i'}\). We arrive at a contradiction, assuming the soundness of the PVP.
\else
\begin{equation}
f'\paren* j = L_{i',S^\ast} s_{ij}
\label{eq.interpol}\end{equation}
for all \(P_j \in S^\ast\setminus\set{P_{i'}}\) and \( R_{k'}' = \left[f'\paren* 0\right] R_{k'}\), that is
\(f'\paren* 0 = \alpha.\)
Since \(f'\) has degree at most \(k-1\), it is well-defined from \eqref{eq.interpol}. Thus, we have \(f' \equiv L_{i',S^\ast} f_{i'}\), where \(f_{i'}\) is the polynomial with which \(s_i\) was shared, i.e., \(f_{i'} \paren* 0 = s_i\). This gives us \(\alpha = f' \paren* 0 = L_{i',S^\ast} f_{i'} \paren* 0 = L_{i',S^\ast} s_{i'j}\). We arrive at a contradiction, assuming the soundness of the PVP.
\fi
\end{proof}
\noindent\textbf{Simulatability.}
......@@ -385,6 +507,52 @@ We show that an adversary who corrupts an unauthorised subset of shareholder doe
\end{theorem}
%In short if an \(\sskem\) is simulatable, an adversary cannot derive any meaningful information concerning the secret key from the transcript of an execution of the decapsulation algorithm, since with just the information he gathered from partaking in the decapsulation execution, a transcript can be generated that is indistinguishable from the actual transcript.
\begin{proof}
\ifshamir
We give a finite series of simulators, the first of which simulates the behaviour of the uncorrupted parties faithfully and the last of which fulfills the secrecy requirements. This series is inspired by the simulators that \cite{DBLP:conf/pqcrypto/BeullensDPV21} gave for the secrecy proof of their key generation algorithm, yet differs in some significant aspects. The outputs of the respective simulators will be proven indistinguishable, hence resulting in the indistinguishability of the first and last one. As a slight misuse of the notation, we denote the set of corrupted shareholders by \(\adv\), where \(\adv\) is the adversary corrupting an unauthorised set of shareholders. This means \(P_i\) is corrupted iff \(P_i \in \adv\).
The input for each simulator is a ciphertext \(c\), a derived key \(\mathcal K\) and the adversary's knowledge after \(\mathsf{KeyGen}\) was successfully executed, that is
\[\set{s_i, f_i,\set{f_j\paren i}_{P_j \in S^\ast\setminus \adv}}_{P_i\in \adv}.\]
\begin{enumerate}
\item The adversary corrupted an unauthorised set \(\adv\), hence each share of the secret key is uniformly distributed from his view. \(\simul^1\) samples a polynomial \(f'_i \in \Z_p\left[X\right]_{k-1}\) with
\[\forall P_j \in \adv: f'_i \paren* j = f_i\paren j\]
uniformly at random for each \(P_i \in S^\ast \setminus \adv\). Since \(\adv\) is unauthorised, \(f'_i\) exists.
\(\simul^1\) then proceeds by honestly producing the output of each \(P_i \in S^\ast\setminus \adv\) according to the decapsulation protocol, i.e., it samples \(R_k \sample \mathcal E\), computes \(R_k' \gets \left[L_{i,S^\ast} f_i'\paren* 0\right] R_k\) and outputs
\[\mathsf{PVP}.P\paren*{i,f_i',S^\ast,\left(\left(R_k,R_k'\right),\left(f_i'\paren j\right)_{P_j \in S^\ast}\right)},\]
\[E^k \gets \left[L_{i,S^\ast} f_i'\paren 0\right] E^{k-1}\]
and
\[\mathsf{ZK}.P\paren*{\left(R_k, R_k'\right),\left(E^{k-1},E^k\right),L_{i,S^\ast}f'_i\paren* 0},\]
where \(k\) is the index of \(P_i\)'s output in the transcript. Since, for all \(P_i \in S^\ast\setminus\adv\), the real share \(s_i = f_i\paren 0\) of \(P_i\) is information theoretically hidden to the adversary, the resulting transcript is identically distributed to a real transcript.
\item Let \(i'\) denote the index of the last honest party in the execution of the decapsulation protocol and \(k'\) the index of its output. \(\simul^2\) behaves exactly as \(\simul^1\) with the exception, that it does not compute the PVP itself but calls the simulator \(\simul^\mathsf{PVP}\) for the PVP to generate the proof \(\left(\pi^{k'},\set{\pi^{k'}_j}\right)\) for the statement \(\left(\left(R_{k'},R_{k'}'\right), \left(L_{i,S^\ast} f_{i'}\paren j\right)_{P_j \in S^\ast}\right)\). Since the PVP is zero-knowledge, \(\simul^2\)'s output is indistinguishable from that of \(\simul^1\).
\item \(\simul^3\) behaves identical to \(\simul^2\) apart from not generating the zero-knowledge proof for \(P_{i'}\) itself, but outsourcing it to the simulator for the zero-knowledge proof. That is \(\simul^3\) hands tuples \(\left(R_{k'}, R_{k'}'\right)\) and \(\left(E^{k'-1}, E^{k'}\right)\) to \(\simul^\mathsf{ZK}\) and publishes its answer as the zero-knowledge proof. With \(\mathsf{ZK}\) being zero-knowledge, the output of \(\simul^3\) is indistinguishable from that of \(\simul^2\).
\item The final simulator \(\simul^4\) enforces the correct decapsulation output, that is \(E^{\# S^\ast} = \mathcal K\). Since, for \(P_j \in \adv\), \(s_j\) was provided as input and \(P_{i'}\) is the last honest shareholder in the order of decapsulation execution, \(\simul^4\) computes
\[ \sum_{P_j \in S'} L_{j,S^\ast}s_j,\]
where \(S'\) contains the shareholders, whose turn is after \(P_{i'}\)'s. To achieve the correct output of the decapsulation \(E\), \(\simul^4\) thus sets
\[E^{k'} \gets \left[-\sum_{P_j \in S' } L_{j,S^\ast} s_j \right] E\]
instead of \(E^{k'} \gets \left[L_{i',S^\ast} s'_{i'}\right]E^{k' -1}\). Assuming the soundness of the PVP as well as of the zero-knowledge proof, this guarantees the result to be \(E^{\# S^\ast} = E\), since
\[E^{\# S^\ast} = \left[\sum_{P_j \in S'} L_{j,S^\ast}s_j\right] E^{k'} = E\]
holds. It remains to show, that the output of \(\simul^4\) cannot be distinguished from that of \(\simul^3\). The following reasoning is similar to that of \cite{DBLP:conf/pqcrypto/BeullensDPV21}, yet for completeness we give a reduction \(\bdv'\), that uses a distinguisher \(\adv'\), that distinguishes \(\simul^3\) from \(\simul^4\), to break the decisional parallelisation problem. We highlight the necessary modifications.
Let \(\left(E_a, E_b,E_c\right)\) be an instance of the decisional parallelisation problem with base element \(c\). \(\bdv'\) computes
\[E^{k'} \gets \left[ \sum_{P_j \in S^\ast\setminus \left(S' \cup \set{P_{i'}}\right)} L_{j, S^\ast} s_j \right] E_a.\]
With \(s_{i'}\) looking uniformly distributed from \(\adv\)'s view, this choice of \(E^{k'}\) is indistinguishable from \(E^{k'} = \left[L_{i',S^\ast}s'_{i'}\right] E^{k'-1}\).
\(\bdv'\) furthermore does not sample \(R_{k'} \sample \mathcal E\) but puts \(R_{k'} \gets E_b\) and \(R_{k'}' \gets E_c\). The resulting transcript is handed to \(\adv'\) and \(\bdv'\) outputs whatever \(\adv'\) outputs.
Comparing the distributions, we see that
\[E^{k'} = \left[a\right] E^{k'-1} = [a] \left(\left[\sum_{P_j \in S^\ast\setminus \left(S' \cup \set{P_{i'}}\right)} L_{j, S^\ast} s_j\right] c\right)\]
if and only if \(E_a = [a] c\), where \(s_j := s'_j\) for \(P_j \not \in \adv\). Furthermore,
\(R'_{k'} = [a] R_{k'}\)
is equivalent to
\(E_c = [a] E_b.\)
In the case of \(E_a = [a] c\) and \(E_c = [a]E_b\), the transcript handed to \(\adv'\) is identically distributed to \(\simul^3\)'s output. If, on the other hand, \(\left(E_a,E_b,E_c\right)\) is a random triple, then the transcript follows the same distribution as \(\simul^4\)'s output. \(\bdv'\) thus breaks the DPP with the same advantage as \(\adv'\) distinguishes \(\simul^3\) from \(\simul^4\).
\end{enumerate}
\(\simul^4\) outputs a transcript of the decapsulation protocol with input \(c\) and output \(\mathcal K\) that cannot be distinguished from the output of \(\simul^1\), which is indistinguishable from a real execution protocol.
\else
We give a finite series of simulators, the first of which simulates the behaviour of the uncorrupted parties faithfully and the last of which fulfills the secrecy requirements. This series is inspired by the simulators that \cite{DBLP:conf/pqcrypto/BeullensDPV21} gave for the secrecy proof of their key generation algorithm, yet differs in some significant aspects. The outputs of the respective simulators will be proven indistinguishable, hence resulting in the indistinguishability of the first and last one. As a slight misuse of the notation, we denote the set of corrupted shareholders by \(\adv\), where \(\adv\) is the adversary corrupting an unauthorised set of shareholders. This means \(P_i\) is corrupted iff \(P_i \in \adv\).
The input for each simulator is a ciphertext \(c\), a derived key \(\mathcal K\) and the adversary's knowledge after \(\mathsf{KeyGen}\) was successfully executed, that is
......@@ -425,6 +593,7 @@ The input for each simulator is a ciphertext \(c\), a derived key \(\mathcal K\)
\end{enumerate}
\(\simul^4\) outputs a transcript of the decapsulation protocol with input \(c\) and output \(\mathcal K\) that cannot be distinguished from the output of \(\simul^1\), which is indistinguishable from a real execution protocol.
\fi
\end{proof}
%\subsection{Efficiency}
\noindent\textbf{Efficiency.}
......
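Review bot: The fallback in the new Shamir branch of Algorithm `fig.decaps` (L337 and L345) restarts with `{S^\ast}' \in \Gamma \wedge P_i \not\in {S^\ast}'`, i.e. any authorised set, but the whole point of Example `example.conflict` (L251–L257) and of the sentence at L285 is that PVP soundness only holds for superauthorised sets, so a restart with a minimally authorised set re-opens the equivocation attack the example describes; both lines should require `{S^\ast}' \in \Gamma^+`. The conviction step at L343–L344 ("`P_j` publishes `f_i(j)`", "if `P_i` is convicted") is not specified in the visible text — it should state against what the published `f_i(j)` is checked (the trusted-dealer setting gives the others no public commitment to `f_i`) and note that a complaint discloses one sub-share of `s_i`, which bounds how many complaints can be honoured before an unauthorised coalition plus the published values reconstructs `s_i`. In Algorithm `fig.keygen`, L214 samples `f_i \sample \Z_p : f_i(0) = s_i`, i.e. a scalar; the soundness proof at L392 relies on `f_i` having degree at most `k-1`, so this should read `$f_i \sample \Z_p\left[X\right]_{\leq k-1} : f_i\paren* 0 = s_i$\;` (and L201 says `P_i` receives `f_k(i)` where the algorithm sends `f_j(i)`). Smaller consistency slips introduced by the rename: L159 and L421 pass the statement piece as `L_{i,S^\ast} f_i(j)` while L292, L330 and the verifier at L341 use `f_i(j)`; L336 verifies `zk` instead of `zk^k`; and `\mathsf{ZK}.V` at L371 lists `(E^{k'-1},E^{k'})` before `(R_{k'},R_{k'}')`, the reverse of the prover's argument order at L160 and L333.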
......@@ -28,7 +28,8 @@ Any superauthorised set is also authorised.
A secret \(s \in \Z\bmod p\) is shared by handing each shareholder \( P_i\) an interpolation point of a randomly sampled polynomial of degree \(t-1\) with constant term \(s\).
Reconstruction is achieved via Lagrange interpolation, that is
\[ s = \sum_{P_i \in S'} L_{i,S'} s_i = \sum_{P_i \in S'} \prod_{\substack{P_j \in S'\\ j\neq i}} \frac{j}{j-i} f\paren* i \]
for some \(S' \in \Gamma\) and Lagrange interpolation coefficients \(L_{i,S'}\).
for some \(S' \in \Gamma\) and Lagrange interpolation coefficients \(L_{i,S'}\). The set of superauthorised sets of shareholders is
\[\Gamma^+ = \set{S^+ \subset S : \# S^+ \geq t+1}.\]
%Shamir's secret sharing scheme is defined by \(S=\set{P_1, \ldots, P_n}\), the access structure \(\Gamma = \set{S' \subset S \colon \# S' \geq t}\) for some fixed threshold \(1\leq t \leq n\) and the secret space \(G = \Z_p := \Z \bmod p\) for some prime \(p > n\). To share a secret \(s \in \Z_p\), a random polynomial \(f \in \Z_p \left[ X \right]\) of degree \(t-1\) with constant term \(s\) is sampled and the shares are defined by
%\( s_i = f\paren* i\)
%for \( i = 1, \ldots, n\). The assigning function \(\phi\) is simply the identity function, thus \(P_i\)'s share is \(f\paren* i\), \(1\leq i\leq n\). Reconstruction for an authorised set \(S'\) is achieved via Lagrange interpolation, that is
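Review bot: The new definition `\Gamma^+ = \set{S^+ \subset S : \# S^+ \geq t+1}` uses `\subset`, which many readers take as a proper subset, so the full shareholder set \(S\) would not count as superauthorised even when \(\# S \geq t+1\); `\subseteq` removes the ambiguity, and `\colon` instead of `:` matches the set-builder notation used for \(\Gamma\) in the commented-out definition below. The hunk header shows the statement that any superauthorised set is also authorised preceding this hunk, so the term appears to be used before it is defined; either moving the definition ahead of that remark or cross-referencing it would help. I cannot see the surrounding text, so the term may already be introduced earlier in the file.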
......
......@@ -5,6 +5,56 @@ A signature scheme consists of three protocols: key generation, signing and veri
Similar to \cite{DBLP:conf/asiacrypt/BeullensKV19}, the results from \cite{DBLP:conf/crypto/DonFMS19} on Fiat-Shamir in the QROM can be applied to our setting as follows. First, in the case without hashing, since the sigma protocol has special soundness \cite{DBLP:conf/asiacrypt/BeullensKV19} and in our case perfect unique reponses, \cite{DBLP:conf/crypto/DonFMS19} shows that the protocol is a quantum proof of knowledge. Further, in the case with hashing, the collapsingness property implies that the protocol has unique responses in a quantum scenario.\\
\ifshamir
\begin{algorithm}[]
\DontPrintSemicolon
\SetAlgoShortEnd
\SetAlgoVlined
\SetInd{0.5em}{1em}
\KwIn{$m,S^\ast$}
$\left(E^0_1,\ldots, E^0_\lambda\right) \gets \left(E_0,\ldots, E_0\right)$\;
$k\gets 0$\;
\For{$P_i \in S^\ast$}{
$k\gets k+1$\;
\For{$l \in 1,\ldots, \lambda$}{
$P_i \text{ samples } b_{il} \sample \Z_q\left[X\right]_{\leq k-1}$\;
$P_i \text{ publishes } R_{il}^k \sample \mathcal E$\;
$P_i \text{ publishes } {R'_{il}}^k \gets \left[b_{il}\paren* 0\right]R_{il}^k$\;
%$\left(\pi,\set{\pi_j}_{P_j \in S^\ast}\right) \gets \mathsf{PVP}.P(i,b_{il},S^\ast,((R_{il}^k,{R'_{il}}^k), \left(b_{il}\paren* l\right)_{P_j \in S^\ast}))$\;
$P_i \text{ publishes } \left(\pi,\set{\pi_j}_{P_j \in S^\ast}\right) \gets \mathsf{PVP}.P\paren*{i,b_{il},S^\ast,\left(\left(R_{il}^k,{R'_{il}}^k\right),\left(b_{il}\paren* l\right)_{P_j \in S^\ast}\right)}$\;
$P_i \text{ outputs }E_l^k \gets \left[b_{il}\paren* 0\right] E_l^{k-1}$\;
$P_i \text{ publishes } zk \gets \mathsf{ZK}.P\left(\left(R_{il}^k,{R_{il}'}^k\right),\left(E_l^{k-1},E_l^{k}\right), b_{il}\paren* 0\right)$\;
\If{$\mathsf{ZK}.V \paren*{\left(R_{il}^k,{R_{il}'}^k\right),\left(E_l^{k-1},E_l^k\right),zk} = \false$}{
$\text{restart without }P_i$\;
}
}
}
$\left(c_1,\ldots, c_\lambda\right) \gets \mathcal H \paren*{E_1^{\#S^\ast},\ldots, E_\lambda^{\#S^\ast}, m}$\;
\For{$P_i \in S^\ast$}{
\For{$l \in 1,\ldots, \lambda$}{
$P_i \text{ outputs } z_{il} = b_{il} - c_l\cdot L_{i,S^\ast} \cdot s_i$\;
\For{$P_j \in S^\ast$}{
$P_j \text{ computes } b'_{il}\paren*j \gets z_{il}\paren* j + c_l L_{i,S^\ast} f_i\paren j$\;
$\text{and verifies }$\;
$\mathsf{PVP}.V\paren*{i,j,S^\ast,b'_{il}\paren* j, \pi,\pi_j} \wedge \mathsf{PVP}.V\paren*{i,0,S^\ast,\left(R_{il}^k,{R_{il}'}^k\right),\pi,\pi_0}$\;
\If{$P_i\text{ is convicted of cheating}$}{
$\text{restart without }P_i$\;
}
}
}
}
\For{$l \in 1,\ldots, \lambda$}{
$z_j \gets \sum_{P_i \in S^\ast} z_{ij}$\;
}
\Return{$\left(\left(c_1,\ldots, c_\lambda\right),\left(z_1,\ldots, z_\lambda\right)\right)$}
\caption{Secret Shared Signing Algorithm}
\label{fig.sign}
\end{algorithm}
\else
\begin{algorithm}[]
\DontPrintSemicolon
\SetAlgoShortEnd
......@@ -53,6 +103,7 @@ Similar to \cite{DBLP:conf/asiacrypt/BeullensKV19}, the results from \cite{DBLP:
\caption{Secret Shared Signing Algorithm}
\label{fig.sign}
\end{algorithm}
\fi
\noindent \textbf{Instantiations.} As a practical instantiation, we propose the available parameter set for CSIDH-512 HHS from \cite{DBLP:conf/asiacrypt/BeullensKV19}. Currently no other instantiation of the presented schemes seems feasible in a practical sense. Furthermore, according to recent works \cite{DBLP:conf/eurocrypt/Peikert20,DBLP:conf/eurocrypt/BonnetainS20} CSIDH-512 may not reach the initially estimated security level.
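Review bot: The final aggregation loop in the new Shamir branch iterates over `l` but sums `z_{ij}` into `z_j`, so the bound index is never used and `j` is free there; it should read `$z_l \gets \sum_{P_i \in S^\ast} z_{il}$\;`. The same index slip appears in the PVP.P call, where the evaluation points handed to the shareholders are written `b_{il}\paren* l` although they are indexed by `P_j \in S^\ast` and later recomputed as `b'_{il}\paren* j`, so presumably `b_{il}\paren* j` is meant. Two points I cannot settle from the hunk and would want stated in the caption or surrounding text: the sampling domain `\Z_q\left[X\right]_{\leq k-1}` ties the degree of `b_{il}` to the running party counter `k` rather than to a fixed threshold (the sharing in the other file uses degree \(t-1\) over \(\Z \bmod p\)), and `\pi_0` in the second PVP.V call is not among the `\set{\pi_j}_{P_j \in S^\ast}` that PVP.P outputs. The commented-out PVP.P line just above the live one duplicates it and could be dropped.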
......