@@ -182,13 +182,13 @@ This approach does not agree with the threshold group action, for which a shareh
\fi
\label{example.conflict}\end{example}
We resolve the conflicts by amending \cite{DBLP:conf/pqcrypto/BeullensDPV21}'s PVP protocol, so that, for a superauthorised set \(S^\ast\), a shareholder \(P_i \in S^\ast\) proves knowledge of a witness polynomial \(L_{i,S^\ast}f_i\) for a statement
We resolve the conflicts by amending \cite{DBLP:conf/pqcrypto/BeullensDPV21}'s PVP protocol, so that a shareholder \(P_i \in S^\ast\) proves knowledge of a witness polynomial \(L_{i,S^\ast}f_i\) for a statement
where \(R\sample\mathcal E\), \(R' =\left[L_{i,S^\ast} f_i\paren0\right] R =\left[L_{i,S^\ast} s_i\right] R\).
for a superauthorised set \(S^\ast\), where \(R\sample\mathcal E\), \(R' =\left[L_{i,S^\ast} f_i\paren0\right] R =\left[L_{i,S^\ast} s_i\right] R\).
The inputs of our amended proving protocol are the proving shareholder's index \(i\), the witness polynomial \(f_i\), the superauthorised set \(S^\ast\in\Gamma^+\) and the statement \(\left(\left(R,R'\right), \left( f_i\paren j\right)_{P_j\in S^\ast}\right)\). The protocol can be found in \algoref{fig.tpvpp}, in which \(\mathcal C\) denotes a commitment scheme.
The verifying protocol in turn has the prover's and the verifier's indices \(i\) and \(j\), respectively, a set \(S^\ast\in\Gamma^+\), a statement piece \(x_j\) and a proof piece \(\left(\pi,\pi_j\right)\) as input, where \(x_j =\left(R,R'\right)\in\mathcal E^2\) if \(j=0\) and \(x_j\in\Z_p\) otherwise. The verifying protocol is given in \algoref{fig.tpvpv}.
\else
...
...
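Review bot: the rewording moves the quantifier "for a superauthorised set \(S^\ast\)" from the start of the sentence to after the statement, so \(S^\ast\) is now used (in "\(P_i \in S^\ast\)" and in the Lagrange coefficient \(L_{i,S^\ast}\)) before it is introduced, and the trailing "for a superauthorised set \(S^\ast\), where \(R\sample\mathcal E\), ..." reads as if it qualified only the statement rather than the whole proof. Suggest keeping the quantifier ahead of its first use, e.g. "so that, for a superauthorised set \(S^\ast\) and a shareholder \(P_i \in S^\ast\), \(P_i\) proves knowledge of a witness polynomial \(L_{i,S^\ast}f_i\) for a statement ... where \(R\sample\mathcal E\), \(R' = \left[L_{i,S^\ast} f_i\paren0\right] R = \left[L_{i,S^\ast} s_i\right] R\)." It would also help to state next to the equality \(f_i\paren0 = s_i\) that this is the two-level sharing from the key generation section, since the later description of the inputs relies on the verifier holding \(f_i\paren j\) as its own share of \(s_i\).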
@@ -198,6 +198,9 @@ We resolve the conflicts by amending \cite{DBLP:conf/pqcrypto/BeullensDPV21}'s P
The verifying protocol in turn has the prover's and the verifier's indices \(i\) and \(j\), respectively, a set \(S^\ast\in\Gamma^+\), a statement piece \(x_j\) and a proof piece \(\left(\pi,\pi_j\right)\) as input, where \(x_j =\left(R,R'\right)\in\mathcal E^2\) if \(j=0\) and \(x_j\in\Z_p\) otherwise. The verifying protocol is given in \algoref{fig.tpvpv}.
\fi
It is here, that the two-level sharing we introduced in \secref{sec.keygen} in the key generation protocol comes into play. We will have each shareholder \(P_i\) engaged in an execution of \(\decaps\) provide a PVP with respect to its share \(s_i\) of the secret key \(\sk\), that is then verified by each other participating shareholder with its respective share of \(s_i\).
\todo{fix this line}
The definitions of soundness and zero-knowledge for a threshold PVP scheme carry over from the non-threshold setting in \secref{sec.prelim} intuitively, yet we restate the completeness definition for the threshold setting.
\begin{definition}[Completeness in the threshold setting]
We call a threshold PVP scheme \emph{complete} if, for any \(S'\in\Gamma\), any \(\left(x,f\right)\in\mathcal R\), any \(P_i \in S'\) and \(\left(\pi,\set{\pi_j}_{P_j \in S'}\right)\gets\mathsf{PVP}.P\paren*{i,f,S',x_{S'}}\), we have