moved s_ij to f_i(j)

ACNS/ACNS.tex

 \newif\ifpublic
 \publictrue
 
+\newif\ifshamir
+\shamirtrue
+
 %\documentclass[conference]{IEEEtran}
 \documentclass[runningheads]{llncs}
 

ACNS/appendix.tex

@@ -2,6 +2,181 @@
 \renewcommand{\thesection}{\Alph{section}}
 \section{Algorithms}\label{sec.algorithms}
 
+\ifshamir
+\begin{algorithm}
+    \DontPrintSemicolon
+    \SetAlgoShortEnd
+    \SetAlgoVlined
+    \SetInd{0.5em}{1em}
+    \KwIn{$E, S'$}
+    $\assignTo{E^0}{E}$\;
+    $\assignTo{k}{0}$\;
+    \For{$P_i \in S'$}{
+        \If{$E^k \not \in \mathcal E$}{
+            $P_i \text{ outputs } \bot \text{ and aborts.}$\;
+        }\Else{
+            $\assignTo{k}{k+1}$\;
+            $P_i \text{ outputs }E^k \gets \left[L_{i,S'} s_i \right] E^{k-1}$\;
+        }
+    }
+    \Return{$E^k$}
+    \caption{Threshold group action}
+    \label{fig.tga}
+\end{algorithm}
+	
+\begin{algorithm}
+	\DontPrintSemicolon
+	\SetAlgoShortEnd
+	\SetAlgoVlined
+	\SetInd{0.5em}{1em}
+	\KwIn{$s, \left(E_i,E_i'\right)_{i=1,\ldots, m} $}
+	\For{$j = 1,\ldots, \lambda$}{
+		$b_j \sample \Z_p$\;
+		\For{$i=1,\ldots, m$}{
+			$\hat E_{ij} \gets \left[b_j\right]E_i$\;
+		}
+	}
+	$\left(c_1,\ldots, c_\lambda\right) \gets \mathcal H\paren*{E_1, E_1', \ldots, E_m,E_m', \hat E_{1,1}, \ldots, \hat E_{m,\lambda}}$\;
+	\For{$j = 1, \ldots, m$}{
+		$r_j \gets b_j - c_j s$\;
+	}
+	\Return {$\pi \gets\left(c_1,\ldots, c_\lambda, r_1,\ldots, r_\lambda\right)$}
+	\caption{The ZK proving protocol for the GAIP}
+	\label{fig.zkp}
+\end{algorithm}
+
+\begin{algorithm}
+	\DontPrintSemicolon
+	\SetAlgoShortEnd
+	\SetAlgoVlined
+	\KwIn{$\pi, \left(E_i,E_i'\right)_{i=1,\ldots, m} $}
+	Parse $\left(c_1,\ldots, c_\lambda,r_1,\ldots, r_\lambda\right) \gets \pi$\;
+	\For{$i=1,\ldots, m \text{ and } j = 1,\ldots, \lambda$}{
+		\If{$c_j == 0$}{
+			$\tilde E_{i,j} \gets \left[r_j\right] E_i$\;
+		}
+        \Else{
+            $\tilde E_{i,j} \gets \left[r_j\right] E_i'$\;
+        }
+	}
+	$\left(c'_1,\ldots, c'_\lambda\right)\gets \mathcal H\paren*{E_1,E_1', \ldots, E_m,E_m',\tilde E_{1,1},\ldots, \tilde E_{m,\lambda}}$\;
+	\Return {$\left(c_1,\ldots, c_\lambda\right) == \left(c'_1,\ldots, c'_\lambda\right)$}
+	\SetInd{0.5em}{1em}
+	\caption{The ZK verifying protocol for the GAIP}
+	\label{fig.zkv}
+\end{algorithm}
+
+\begin{algorithm}
+    \DontPrintSemicolon
+    \SetAlgoShortEnd
+    \SetAlgoVlined
+    \SetInd{0.5em}{1em}
+    \KwIn{$i, f, S^\ast, \left((E_0,E_1), \left(f_i \paren j\right)_{P_j \in S^\ast}\right)$}
+    %\KwOut{a public message $M$}
+    \For{$l \in 1, \ldots, \lambda$}{
+        $b_l \sample \Z_N [x]_{\leq k-1}$\;
+        $\hat{E}_l \gets \left[ b_l\paren* 0\right] E_0$\;
+    }
+    $y_0, y_0' \sample \set{0,1}^\lambda$\;
+    $C_0 \gets \mathcal C\paren*{\hat{E}_1 \concat \ldots \concat \hat{E}_\lambda, y_0}$\;
+    $C_0' \gets \mathcal C \paren*{E_0\concat E_1, y_0'}$\;
+    \For{$P_j \in S^\ast$}{
+        $y_j, y_j' \sample \set{0,1}^\lambda$\;
+        $C_j \gets \mathcal C\paren*{b_1\paren* j \concat \ldots\concat b_\lambda\paren*j, y_j}$\;
+        $C_j'\gets \mathcal C\paren*{L_{i,S^\ast} \cdot f_i\paren j, y_j'}$\;
+    } 
+    $C \gets \left(C_j\right)_{P_j \in S^\ast}$\;
+    $C'\gets \left(C_j'\right)_{P_j \in S^\ast}$\;
+    $c_1, \ldots, c_\lambda \gets \mathcal H\paren*{C,C'}$\;
+    \For{$l \in 1, \ldots, \lambda$}{
+        $r_l \gets b_l - c_l \cdot L_{i,S^\ast}\cdot f$\;
+    }
+    $\mathbf{r} \gets \left(r_1, \ldots, r_\lambda\right)$\;
+    $\left(\pi,\set{\pi_j}_{P_j \in S^\ast}\right) \gets\left( \left(C,C',\mathbf{r}\right), \set{ \left( y_j,y_j'\right)}_{P_j \in S^\ast}\right)$\;
+    \Return{$\left(\pi,\set{\pi_j}_{P_j \in S^\ast}\right)$}
+    \caption{Proving protocol of the threshold PVP}
+    \label{fig.tpvpp}
+\end{algorithm}
+
+
+\begin{algorithm}
+    \DontPrintSemicolon
+    \SetAlgoShortEnd
+    \SetAlgoVlined
+    \SetInd{0.5em}{1em}
+    \KwIn{$i,j,S^\ast,x_j, \left(\pi,\pi_j\right)$}
+    $\text{parse } \left(C,C',\mathbf r\right) \gets \pi$\;
+    $\text{parse } \left(y_j, y_j'\right) \gets \pi_j$\;
+	$c_1, \ldots, c_\lambda \gets \mathcal H \paren*{C,C'}$\;
+    \If{$j == 0$}{
+        \If{$C'_j \neq \mathcal C \left(x_j , y'_j\right)$}{
+            \Return{$\false$}
+        }
+        \For{$l \in 1, \ldots, \lambda$}{
+            $\tilde{E}_l \gets \left[ r_l\paren*0\right] E_{c_l}$\;
+        }
+        \Return{$C_0 == \mathcal C\paren*{\tilde{E}_1 \concat \ldots \concat \tilde{E}_\lambda, y_0}$}
+    }
+        \Else{
+            \If{$C'_j \neq \mathcal C \paren*{L_{i,S^\ast} x_j , y'_j}$}{
+                \Return{$\false$}
+            }
+	    \Return{$C_j == \mathcal C\paren*{r_1 \paren* j + c_1 \cdot L_{i,S^\ast}\cdot x_j \concat \ldots\concat r_\lambda\paren* j + c_\lambda \cdot L_{i,S^\ast}\cdot x_j,y_j}$}
+        }
+    \caption{Verifying protocol of the threshold PVP}
+    \label{fig.tpvpv}
+\end{algorithm}
+
+\begin{algorithm}
+	\DontPrintSemicolon
+	\SetAlgoShortEnd
+	\SetAlgoVlined
+	\SetInd{.5em}{1em}
+	\KwIn{$\mathcal S$}
+	$b \sample \bin$\;
+	$S^\ast \sample \Gamma^+$\;
+	$S'\sample 2^{S^\ast} \setminus \Gamma$\;
+	$\left(\set{s_i, f_i, f_j\paren i}_{P_i,P_j \in S},\pk\right) \gets \mathsf{KeyGen}\paren* {\mathcal S}$\;
+	$\left(\mathcal K, c\right) \gets \mathsf{Encaps}\paren*{\pk}$\;
+	$t_0 \gets \simul\paren*{\mathcal K, c, \set{s_i, f_i, f_j\paren i}_{P_i \in S',P_j \in S}}$\;
+	$E^0 \gets E_0$, $k \gets 0$\;
+	\For {$P_i \in S^\ast$}{
+		$k \gets k+1$\;
+		$E^k \gets \left[L_{i,S^\ast}s_i\right] E^{k-1}$\;
+		$R_k \sample \mathcal E$\;
+		$R_k ' \gets \left[L_{i,S^\ast}s_i\right] R_k$\;
+		$\left(\pi^k,\set{\pi^k_j}_{P_j \in S^\ast}\right) \gets \mathsf{PVP}.P\paren*{i,f_i,S^\ast,\left(\left(R_k,R_k'\right),\left(L_{i,S^\ast}f_i\paren j\right)_{P_j\in S^\ast}\right)}$\;
+		$zk^k \gets \mathsf{ZK}.P\paren*{\left(R_k,R_k'\right), \left(E^{k-1},E^k\right), L_{i,S^\ast}s_i}$\;
+	}
+	$t_1 \gets \left(E^k,\left(\pi^k, \set{\pi_j^k}_{P_j \in S^\ast}\right), zk^k \right)_{k=1, \ldots, \# S^\ast}$\;
+	$b' \gets \adv\paren*{t_b}$\;
+	\Return{$b == b'$}\;
+	\caption{The security game $\mathsf{Exp}^\text{dist-transcript}_{\adv,\simul}\paren*{S}$}
+	\label{fig.disttranscript}
+\end{algorithm}
+
+\begin{algorithm}
+    \DontPrintSemicolon
+    \SetAlgoShortEnd
+    \SetAlgoVlined
+    \SetInd{0.5em}{1em}
+    \KwIn{$m,s,\pk$}
+    $\text{parse } \left(c_1,\ldots, c_\lambda, z_1,\ldots, z_\lambda\right) \gets s$\;
+    \For{$j = 1, \ldots, \lambda$}{
+        \If{$c_j == 0$}{
+           $E'_j \gets \left[z_j\right] E_0 = \left[\sum_{P_i\in S^\ast} b_{ij}\right] E_0$\; 
+        }
+        \Else{
+            $E'_j \gets \left[z_j\right] \pk = \left[\sum_{P_i\in S^\ast} b_{ij} - L_{i,S^\ast}s_i + s\right] E_0$\;
+        }
+    }
+        $\left(c'_1,\ldots,c'_\lambda\right)\gets \mathcal H\paren*{E'_1,\ldots, E'_\lambda, m}$\;
+        \Return{$\left(c_1,\ldots, c_\lambda\right) == \left(c'_1,\ldots, c'_\lambda\right)$}
+    \caption{Signature verification protocol}
+    \label{fig.ver}
+\end{algorithm}
+
+\else
 \begin{algorithm}
     \DontPrintSemicolon
     \SetAlgoShortEnd
@@ -176,5 +351,7 @@
 \end{algorithm}
 
 
+\fi
+
 
 \end{subappendices}

ACNS/preliminaries.tex

@@ -28,7 +28,8 @@ Any superauthorised set is also authorised.
 	A secret \(s \in \Z\bmod p\) is shared by handing each shareholder \( P_i\) an interpolation point of a randomly sampled polynomial of degree \(t-1\) with constant term \(s\).
 	Reconstruction is achieved via Lagrange interpolation, that is
 	\[ s = \sum_{P_i \in S'} L_{i,S'} s_i = \sum_{P_i \in S'} \prod_{\substack{P_j \in S'\\ j\neq i}} \frac{j}{j-i} f\paren* i \]
-	for some \(S' \in \Gamma\) and Lagrange interpolation coefficients \(L_{i,S'}\).
+	for some \(S' \in \Gamma\) and Lagrange interpolation coefficients \(L_{i,S'}\). The set of superauthorised sets of shareholders is 
+	\[\Gamma^+ = \set{S^+ \subset S : \# S^+ \geq t+1}.\]
 	%Shamir's secret sharing scheme is defined by \(S=\set{P_1, \ldots, P_n}\), the access structure \(\Gamma = \set{S' \subset S \colon \# S' \geq t}\) for some fixed threshold \(1\leq t \leq n\) and the secret space \(G = \Z_p := \Z \bmod p\)  for some prime \(p > n\). To share a secret \(s \in \Z_p\), a random polynomial \(f \in \Z_p \left[ X \right]\) of degree \(t-1\) with constant term \(s\) is sampled and the shares are defined by
 	%\( s_i = f\paren* i\)
 	%for \( i = 1, \ldots, n\). The assigning function \(\phi\) is simply the identity function, thus \(P_i\)'s share is \(f\paren* i\), \(1\leq i\leq n\). Reconstruction for an authorised set \(S'\) is achieved via Lagrange interpolation, that is

ACNS/signatures.tex

@@ -5,6 +5,56 @@ A signature scheme consists of three protocols: key generation, signing and veri
 
 Similar to \cite{DBLP:conf/asiacrypt/BeullensKV19}, the results from \cite{DBLP:conf/crypto/DonFMS19} on Fiat-Shamir in the QROM can be applied to our setting as follows. First, in the case without hashing, since the sigma protocol has special soundness \cite{DBLP:conf/asiacrypt/BeullensKV19} and in our case perfect unique reponses, \cite{DBLP:conf/crypto/DonFMS19} shows that the protocol is a quantum proof of knowledge. Further, in the case with hashing, the collapsingness property implies that the protocol has unique responses in a quantum scenario.\\
 
+\ifshamir
+\begin{algorithm}[]
+    \DontPrintSemicolon
+    \SetAlgoShortEnd
+    \SetAlgoVlined
+    \SetInd{0.5em}{1em}
+    \KwIn{$m,S^\ast$}
+    $\left(E^0_1,\ldots, E^0_\lambda\right) \gets \left(E_0,\ldots, E_0\right)$\;
+    $k\gets 0$\;
+    \For{$P_i \in S^\ast$}{
+        $k\gets k+1$\;
+        \For{$l \in 1,\ldots, \lambda$}{
+            $P_i \text{ samples } b_{il} \sample \Z_q\left[X\right]_{\leq k-1}$\;
+            $P_i \text{ publishes } R_{il}^k \sample \mathcal E$\;
+            $P_i \text{ publishes } {R'_{il}}^k \gets \left[b_{il}\paren* 0\right]R_{il}^k$\;
+            %$\left(\pi,\set{\pi_j}_{P_j \in S^\ast}\right) \gets \mathsf{PVP}.P(i,b_{il},S^\ast,((R_{il}^k,{R'_{il}}^k), \left(b_{il}\paren* l\right)_{P_j \in S^\ast}))$\;
+            $P_i \text{ publishes } \left(\pi,\set{\pi_j}_{P_j \in S^\ast}\right) \gets \mathsf{PVP}.P\paren*{i,b_{il},S^\ast,\left(\left(R_{il}^k,{R'_{il}}^k\right),\left(b_{il}\paren* l\right)_{P_j \in S^\ast}\right)}$\;      
+            $P_i \text{ outputs }E_l^k \gets \left[b_{il}\paren* 0\right] E_l^{k-1}$\;
+            $P_i \text{ publishes } zk \gets \mathsf{ZK}.P\left(\left(R_{il}^k,{R_{il}'}^k\right),\left(E_l^{k-1},E_l^{k}\right), b_{il}\paren* 0\right)$\;
+            \If{$\mathsf{ZK}.V \paren*{\left(R_{il}^k,{R_{il}'}^k\right),\left(E_l^{k-1},E_l^k\right),zk} = \false$}{
+                $\text{restart without }P_i$\;
+            }
+        }
+
+    }
+    $\left(c_1,\ldots, c_\lambda\right) \gets \mathcal H \paren*{E_1^{\#S^\ast},\ldots, E_\lambda^{\#S^\ast}, m}$\;
+
+    \For{$P_i \in S^\ast$}{
+        \For{$l \in 1,\ldots, \lambda$}{
+            $P_i \text{ outputs } z_{il} = b_{il} - c_l\cdot L_{i,S^\ast} \cdot s_i$\;
+            \For{$P_j \in S^\ast$}{
+                $P_j \text{ computes } b'_{il}\paren*j \gets z_{il}\paren* j + c_l L_{i,S^\ast} f_i\paren j$\;
+                $\text{and verifies }$\;
+                $\mathsf{PVP}.V\paren*{i,j,S^\ast,b'_{il}\paren* j, \pi,\pi_j} \wedge \mathsf{PVP}.V\paren*{i,0,S^\ast,\left(R_{il}^k,{R_{il}'}^k\right),\pi,\pi_0}$\;
+                \If{$P_i\text{ is convicted of cheating}$}{
+                    $\text{restart without }P_i$\;
+                }
+            }
+        }
+    }
+    \For{$l \in 1,\ldots, \lambda$}{
+        $z_j  \gets \sum_{P_i \in S^\ast} z_{ij}$\;
+    }
+
+
+    \Return{$\left(\left(c_1,\ldots, c_\lambda\right),\left(z_1,\ldots, z_\lambda\right)\right)$}    
+    \caption{Secret Shared Signing Algorithm}
+    \label{fig.sign}
+\end{algorithm}
+\else
 \begin{algorithm}[]
     \DontPrintSemicolon
     \SetAlgoShortEnd
@@ -53,6 +103,7 @@ Similar to \cite{DBLP:conf/asiacrypt/BeullensKV19}, the results from \cite{DBLP:
     \caption{Secret Shared Signing Algorithm}
     \label{fig.sign}
 \end{algorithm}
+\fi
 
 \noindent \textbf{Instantiations.} As a practical instantiation, we propose the available parameter set for CSIDH-512 HHS from \cite{DBLP:conf/asiacrypt/BeullensKV19}. Currently no other instantiation of the presented schemes seems feasible in a practical sense. Furthermore, according to recent works \cite{DBLP:conf/eurocrypt/Peikert20,DBLP:conf/eurocrypt/BonnetainS20} CSIDH-512 may not reach the initially estimated security level.