Next: GrothVSSHE, Previous: BarnettSmartVTMF, Up: Classes [Contents][Index]

Jarecki and Lysyanskaya [JL00] have introduced some useful building blocks in order to gain security against an adaptive adversary for threshold cryptography.

- Class:
**JareckiLysyanskayaEDCF** This class provides the erasure-free distributed coinflip (EDCF) protocol. It also needs a group

*G_q*of prime order*q*where the discrete logarithm problem is computationally hard. The protocol produces a public value*a = \sum_{i=1}^n a_i \bmod q*such that*0 \le a < q*is random and uniformly distributed, if at least one party*P_i, 1 \le i \le n*has chosen their corresponding coin share*a_i\in{\bf Z}_q*uniformly at random.The coinflip protocol is useful in order to transform a public-coin honest-verifier zero-knowledge proof of knowledge (HVZKP) into interactive proof resp. argument which preserve the zero-knowledge property even in case of malicious verifiers. Such proof systems are called

*simultaneous*zero-knowledge proofs of knowledge. The underlying general model of Jarecki and Lysyanskaya [JL00] considers a synchronous communication network of*n*players with access to a reliable broadcast channel, where an adaptive adversary can corrupt up to a minority*t < n/2*of the players.- Member of JareckiLysyanskayaEDCF:
*mpz_t***p** This is the public prime number

*p*which defines the underlying finite field*{\bf Z}/p{\bf Z}*.

- Member of JareckiLysyanskayaEDCF:
*mpz_t***q** This is the public prime number

*q*which defines the underlying cyclic group*G_q*. Note that*G_q*is a subgroup of*{\bf Z}/p{\bf Z}*and it must be chosen to have order*q*.

- Member of JareckiLysyanskayaEDCF:
*mpz_t***g** This is the fixed public generator

*g*of the underlying group*G_q*.

- Member of JareckiLysyanskayaEDCF:
*mpz_t***h** This is the common public value

*h \in G_q*such that nobody knows*\log_g h*. It can be obtained by the above key generation protocol (see BarnettSmartVTMF).**Jarecki and Lysyanskaya [JL00]:**“When secure channels are present,*h*can be obtained by using general techniques of multi-party computation [BGW88, CDD+99]. When secure channel are not there, and implementing them by erasure is not an option, we can use another protocol, where each player generates his share*h_i*of*h*, and then all players, in parallel, prove knowledge of*\log_g h_i*to each other.”

- Member of JareckiLysyanskayaEDCF:
*size_t***n** This is the total number of parties

*n*involved in this protocol.

- Member of JareckiLysyanskayaEDCF:
*size_t***t** This is the maximum number of faulty parties

*t*(reconstruction threshold).

- Constructor on JareckiLysyanskayaEDCF:
**JareckiLysyanskayaEDCF***(*`const size_t`

n_in,`const size_t`

t_in,`mpz_srcptr`

p_CRS,`mpz_srcptr`

q_CRS,`mpz_srcptr`

g_CRS,`mpz_srcptr`

h_CRS,`const unsigned long int`

fieldsize`=TMCG_DDH_SIZE`

,`const unsigned long int`

subgroupsize`=TMCG_DLSE_SIZE`

) This constructor creates a new EDCF instance. That means, the required primes

*p*and*q*and the generators*g*and*h*are initialized from the given arguments`p_CRS`,`q_CRS`,`g_CRS`, and`h_CRS`, respectively.`n_in`is the total number of participating players, for which at most`t_in`are faulty or act malicious during the protocol execution.

- Method on JareckiLysyanskayaEDCF:
*bool***CheckGroup***()* This method checks whether

*p*and*q*have appropriate sizes with respect to the bit lengths given during the initialization of the corresponding instance. Further, it checks whether*p*has the correct form (i.e.*p = kq +1*), whether*p*and*q*are probable prime, and whether*g*resp.*h*are different generators of the subgroup*G_q*. It returns`true`

, if all of these checks have been passed successfully.

- Method on JareckiLysyanskayaEDCF:
*bool***Flip***(*`const size_t`

i,`mpz_ptr`

a,`aiounicast*`

aiou,`CachinKursawePetzoldShoupRBC*`

rbc,`std::ostream&`

err,`const bool`

simulate_faulty_behaviour`=false`

) This method starts the protocol which produces a public value

*a = \sum_{i=1}^n a_i \bmod q*such that*0 \le a < q*is random and uniformly distributed, if at least one party*P_i, 1 \le i \le n*has chosen their corresponding share*a_i\in{\bf Z}_q*uniformly at random. If it returns`true`

, then`a`contains this common random value. The argument`i`is an index of the running instance with respect to already initialized instances of asynchronous point-to-point channels`aiou`and a reliable broadcast channel`rbc`. Logging and debug messages are printed to the provided output stream`err`.

- Method on JareckiLysyanskayaEDCF:
*bool***Flip_twoparty***(*`const size_t`

i,`mpz_ptr`

a,`std::istream&`

in,`std::ostream&`

out,`std::ostream&`

err,`const bool`

simulate_faulty_behaviour`=false`

) This is the two-party version of the above method. Thus there are only an input stream

`in`and output stream`out`for communication between the players. The other arguments are as above.

- Destructor on JareckiLysyanskayaEDCF:
**~JareckiLysyanskayaEDCF***()* This destructor releases all occupied resources.

- Member of JareckiLysyanskayaEDCF:

Next: GrothVSSHE, Previous: BarnettSmartVTMF, Up: Classes [Contents][Index]