Commit afb8548a authored by Fabio Campos's avatar Fabio Campos

minor

parent cf02dc86
...@@ -13,7 +13,7 @@ For this scenario we take a secret sharing scheme \(\mathcal S\), comprised of a ...@@ -13,7 +13,7 @@ For this scenario we take a secret sharing scheme \(\mathcal S\), comprised of a
\begin{proof}[Proof of \autoref{thm:sim.alg1}] \begin{proof}[Proof of \autoref{thm:sim.alg1}]
Let \(S^\ast = \set*{P_{i_1},\ldots, P_{i_{k'}}}\subset S = \set*{P_1,\ldots, P_k}\) be the subset of shareholders corrupted by an adversary \(\mathcal A\). Let \(S^\ast = \set*{P_{i_1},\ldots, P_{i_{k'}}}\subset S = \set*{P_1,\ldots, P_k}\) be the subset of shareholders corrupted by an adversary \(\mathcal A\).
We show, that the output of the simulator \(\mathsf{Sim}_1\) given in \autoref{fig:sim1} is computationally indistinguishable from the transcript of a real execution under the assumption that Power-DDHA is hard in the respective hard homogeneous space \(\left(\mathcal E, \mathcal G\right)\). The simulator's input consists of the shares of the corrupted shareholders \(\set*{s_i}_{P_i \in S^\ast}\), the input into the decapsulation algorithm \(E_b\) and the output \(E^\ast\). We show that the output of the simulator \(\mathsf{Sim}_1\) given in \autoref{fig:sim1} is computationally indistinguishable from the transcript of a real execution under the assumption that Power-DDHA is hard in the respective hard homogeneous space \(\left(\mathcal E, \mathcal G\right)\). The simulator's input consists of the shares of the corrupted shareholders \(\set*{s_i}_{P_i \in S^\ast}\), the input into the decapsulation algorithm \(E_b\) and the output \(E^\ast\).
% Sim gets decapsulated value K = H([b \ast g^s \ast] E_0) and the secret shares of the honest party. He has to find a transcript that is consistent % Sim gets decapsulated value K = H([b \ast g^s \ast] E_0) and the secret shares of the honest party. He has to find a transcript that is consistent
Similarly to \(\mathsf{Sim}_1\), we first consider the case of one uncorrupted shareholder \(P_{k^\ast}\), and secondly we prove computational indistinguishability for the case of two of more uncorrupted shareholders. Similarly to \(\mathsf{Sim}_1\), we first consider the case of one uncorrupted shareholder \(P_{k^\ast}\), and secondly we prove computational indistinguishability for the case of two of more uncorrupted shareholders.
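Review bot: the unchanged context closing this hunk still reads "the case of two of more uncorrupted shareholders"; that should be "two or more". While touching this proof, check its framing: it is labelled "Proof of \autoref{thm:sim.alg1}" and analyses \(\mathsf{Sim}_1\) from \autoref{fig:sim1}, yet the next paragraph opens "Similarly to \(\mathsf{Sim}_1\)", which reads as if this were the proof for a different simulator. The commented-out line in between also describes the simulator's input as "the secret shares of the honest party", while the sentence above it says the input is the corrupted shareholders' shares \(\set*{s_i}_{P_i \in S^\ast}\); the comment is stale and should be updated or dropped.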
...@@ -369,10 +369,10 @@ There are two aspects of security to consider: ...@@ -369,10 +369,10 @@ There are two aspects of security to consider:
\end{proof} \end{proof}
\noindent\textbf{Simulatability.} \noindent\textbf{Simulatability.}
We show, that an adversary who corrupts an unauthorised subset of shareholder does not learn any additional information from an execution of the decapsulation protocol. %For that we prove the simulatability of the decapsulation. We show that an adversary who corrupts an unauthorised subset of shareholder does not learn any additional information from an execution of the decapsulation protocol. %For that we prove the simulatability of the decapsulation.
\begin{definition}[Simulatability] \begin{definition}[Simulatability]
We call a key exchange mechanism \emph{simulatable}, if, for any HHS \(\left(\mathcal E,\mathcal G\right)\) with security parameter \(\lambda\) and any compatible secret sharing instance \(\mathcal S\), there exists a polynomial-time algorithm \(\simul\) so that, for any polynomial-time adversary \(\adv\) the advantage We call a key exchange mechanism \emph{simulatable}, if for any HHS \(\left(\mathcal E,\mathcal G\right)\) with security parameter \(\lambda\) and any compatible secret sharing instance \(\mathcal S\), there exists a polynomial-time algorithm \(\simul\) so that, for any polynomial-time adversary \(\adv\) the advantage
%\(\left(\set{s_i, \set{s_{ij}}, \set{s_{ji}}}_{P_i, P_j \in S}, \pk\right) \gets \mathsf{KeyGen} \paren{E_0, S}\), any \(S' \subset S\) with \(S' \not\in\Gamma\), any \(\left(\mathcal K, c\right)\gets \mathsf{Encaps}\paren * \pk\), so that for any polynomial time adversary \(\adv\) the advantage %\(\left(\set{s_i, \set{s_{ij}}, \set{s_{ji}}}_{P_i, P_j \in S}, \pk\right) \gets \mathsf{KeyGen} \paren{E_0, S}\), any \(S' \subset S\) with \(S' \not\in\Gamma\), any \(\left(\mathcal K, c\right)\gets \mathsf{Encaps}\paren * \pk\), so that for any polynomial time adversary \(\adv\) the advantage
\[\advantage{dist-transcript}{\adv,\simul}[\paren*{\left(\mathcal E,\mathcal G\right), \mathcal S}] := \abs{\prob{\mathsf{Exp}^\text{dist-transcript}_{\adv,\simul}\paren*{\mathcal S}}}\] \[\advantage{dist-transcript}{\adv,\simul}[\paren*{\left(\mathcal E,\mathcal G\right), \mathcal S}] := \abs{\prob{\mathsf{Exp}^\text{dist-transcript}_{\adv,\simul}\paren*{\mathcal S}}}\]
in the security game \hyperref[fig.disttranscript]{$Exp^\text{dist-transcript}_{\adv,\simul}\paren*{\mathcal S}$} (\hyperref[fig.disttranscript]{Algorithm \ref{fig.disttranscript}}) is negligible in \(\lambda\). in the security game \hyperref[fig.disttranscript]{$Exp^\text{dist-transcript}_{\adv,\simul}\paren*{\mathcal S}$} (\hyperref[fig.disttranscript]{Algorithm \ref{fig.disttranscript}}) is negligible in \(\lambda\).
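Review bot: the advantage in the definition is written as \(\abs{\prob{\mathsf{Exp}^\text{dist-transcript}_{\adv,\simul}\paren*{\mathcal S}}}\), i.e. the absolute value of a probability, which is odd for a distinguishing notion: if the experiment outputs 1 when \(\adv\) guesses correctly, a random guess already succeeds with probability 1/2, so the quantity as written cannot be negligible. The usual form is \(\abs{\prob{\mathsf{Exp}^\text{dist-transcript}_{\adv,\simul}\paren*{\mathcal S} = 1} - \tfrac12}\) (or twice that); check this against how Algorithm \ref{fig.disttranscript} outputs its bit and fix the definition accordingly. Two smaller points in the same hunk: the changed sentence still says "an unauthorised subset of shareholder", which should be "shareholders", and the inline game name uses a bare \(Exp^\text{dist-transcript}\) while the display uses \(\mathsf{Exp}\); the two should match.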
...@@ -385,7 +385,7 @@ We show, that an adversary who corrupts an unauthorised subset of shareholder do ...@@ -385,7 +385,7 @@ We show, that an adversary who corrupts an unauthorised subset of shareholder do
\end{theorem} \end{theorem}
%In short if an \(\sskem\) is simulatable, an adversary cannot derive any meaningful information concerning the secret key from the transcript of an execution of the decapsulation algorithm, since with just the information he gathered from partaking in the decapsulation execution, a transcript can be generated that is indistinguishable from the actual transcript. %In short if an \(\sskem\) is simulatable, an adversary cannot derive any meaningful information concerning the secret key from the transcript of an execution of the decapsulation algorithm, since with just the information he gathered from partaking in the decapsulation execution, a transcript can be generated that is indistinguishable from the actual transcript.
\begin{proof} \begin{proof}
We give a finite series of simulators, the first of which simulates the behaviour of the uncorrupted parties faithfully and the last of which fulfills the secrecy requirements. This series is inspired by the simulators, that \cite{DBLP:conf/pqcrypto/BeullensDPV21} gave for the secrecy proof of their key generation algorithm, yet differs in some significant aspects. The outputs of the respective simulators will be proven indistinguishable, hence resulting in the indistinguishability of the first and last one. As a slight misuse of the notation, we denote the set of corrupted shareholders by \(\adv\), where \(\adv\) is the adversary corrupting an unauthorised set of shareholders. This means \(P_i\) is corrupted iff \(P_i \in \adv\). We give a finite series of simulators, the first of which simulates the behaviour of the uncorrupted parties faithfully and the last of which fulfills the secrecy requirements. This series is inspired by the simulators that \cite{DBLP:conf/pqcrypto/BeullensDPV21} gave for the secrecy proof of their key generation algorithm, yet differs in some significant aspects. The outputs of the respective simulators will be proven indistinguishable, hence resulting in the indistinguishability of the first and last one. As a slight misuse of the notation, we denote the set of corrupted shareholders by \(\adv\), where \(\adv\) is the adversary corrupting an unauthorised set of shareholders. This means \(P_i\) is corrupted iff \(P_i \in \adv\).
The input for each simulator is a ciphertext \(c\), a derived key \(\mathcal K\) and the adversary's knowledge after \(\mathsf{KeyGen}\) was successfully executed, that is The input for each simulator is a ciphertext \(c\), a derived key \(\mathcal K\) and the adversary's knowledge after \(\mathsf{KeyGen}\) was successfully executed, that is
\[\set{s_i, \set{s_{ij}}_{P_i \in S^\ast},\set{s_{ji}}_{P_j \in S^\ast\setminus \adv}}_{P_i\in \adv}.\] \[\set{s_i, \set{s_{ij}}_{P_i \in S^\ast},\set{s_{ji}}_{P_j \in S^\ast\setminus \adv}}_{P_i\in \adv}.\]
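Review bot: the index in the adversary's-knowledge set at the end of this hunk is inconsistent: the outer set is indexed by \(P_i \in \adv\), but the inner \(\set{s_{ij}}_{P_i \in S^\ast}\) rebinds \(i\), so the expression does not say which shares are meant. Whatever the convention for \(s_{ij}\) is, the inner index should range over \(j\), e.g. \(\set{s_{ij}}_{P_j \in S^\ast}\), matching the neighbouring \(\set{s_{ji}}_{P_j \in S^\ast\setminus \adv}\). In the changed line itself, "As a slight misuse of the notation" is normally "By a slight abuse of notation", and "fulfills" (US spelling) sits beside "unauthorised" (UK spelling) in the same sentence; pick one convention for the paper.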