Next: , Previous: , Up: Classes   [Contents][Index]

#### 2.2.3.3 Adaptively Secure Threshold Cryptography

Jarecki and Lysyanskaya [JL00] have introduced some useful building blocks in order to gain security against an adaptive adversary for threshold cryptography.

Class: JareckiLysyanskayaEDCF

This class provides the erasure-free distributed coinflip (EDCF) protocol. It also needs a group G_q of prime order q where the discrete logarithm problem is computationally hard. The protocol produces a public value a = \sum_{i=1}^n a_i \bmod q such that 0 \le a < q is random and uniformly distributed, if at least one party P_i, 1 \le i \le n has chosen their corresponding coin share a_i\in{\bf Z}_q uniformly at random.

The coinflip protocol is useful in order to transform a public-coin honest-verifier zero-knowledge proof of knowledge (HVZKP) into interactive proof resp. argument which preserve the zero-knowledge property even in case of malicious verifiers. Such proof systems are called simultaneous zero-knowledge proofs of knowledge. The underlying general model of Jarecki and Lysyanskaya [JL00] considers a synchronous communication network of n players with access to a reliable broadcast channel, where an adaptive adversary can corrupt up to a minority t < n/2 of the players.

Member of JareckiLysyanskayaEDCF: mpz_t p

This is the public prime number p which defines the underlying finite field {\bf Z}/p{\bf Z}.

Member of JareckiLysyanskayaEDCF: mpz_t q

This is the public prime number q which defines the underlying cyclic group G_q. Note that G_q is a subgroup of {\bf Z}/p{\bf Z} and it must be chosen to have order q.

Member of JareckiLysyanskayaEDCF: mpz_t g

This is the fixed public generator g of the underlying group G_q.

Member of JareckiLysyanskayaEDCF: mpz_t h

This is the common public value h \in G_q such that nobody knows \log_g h. It can be obtained by the above key generation protocol (see BarnettSmartVTMF).

Jarecki and Lysyanskaya [JL00]: “When secure channels are present, h can be obtained by using general techniques of multi-party computation [BGW88, CDD+99]. When secure channel are not there, and implementing them by erasure is not an option, we can use another protocol, where each player generates his share h_i of h, and then all players, in parallel, prove knowledge of \log_g h_i to each other.”

Member of JareckiLysyanskayaEDCF: size_t n

This is the total number of parties n involved in this protocol.

Member of JareckiLysyanskayaEDCF: size_t t

This is the maximum number of faulty parties t (reconstruction threshold).

Constructor on JareckiLysyanskayaEDCF: JareckiLysyanskayaEDCF (const size_t n_in, const size_t t_in, mpz_srcptr p_CRS, mpz_srcptr q_CRS, mpz_srcptr g_CRS, mpz_srcptr h_CRS, const unsigned long int fieldsize =TMCG_DDH_SIZE, const unsigned long int subgroupsize =TMCG_DLSE_SIZE)

This constructor creates a new EDCF instance. That means, the required primes p and q and the generators g and h are initialized from the given arguments p_CRS, q_CRS, g_CRS, and h_CRS, respectively. n_in is the total number of participating players, for which at most t_in are faulty or act malicious during the protocol execution.

Method on JareckiLysyanskayaEDCF: bool CheckGroup ()

This method checks whether p and q have appropriate sizes with respect to the bit lengths given during the initialization of the corresponding instance. Further, it checks whether p has the correct form (i.e. p = kq +1), whether p and q are probable prime, and whether g resp. h are different generators of the subgroup G_q. It returns true, if all of these checks have been passed successfully.

Method on JareckiLysyanskayaEDCF: bool Flip (const size_t i, mpz_ptr a, aiounicast* aiou, CachinKursawePetzoldShoupRBC* rbc, std::ostream& err, const bool simulate_faulty_behaviour =false)

This method starts the protocol which produces a public value a = \sum_{i=1}^n a_i \bmod q such that 0 \le a < q is random and uniformly distributed, if at least one party P_i, 1 \le i \le n has chosen their corresponding share a_i\in{\bf Z}_q uniformly at random. If it returns true, then a contains this common random value. The argument i is an index of the running instance with respect to already initialized instances of asynchronous point-to-point channels aiou and a reliable broadcast channel rbc. Logging and debug messages are printed to the provided output stream err.

Method on JareckiLysyanskayaEDCF: bool Flip_twoparty (const size_t i, mpz_ptr a, std::istream& in, std::ostream& out, std::ostream& err, const bool simulate_faulty_behaviour =false)

This is the two-party version of the above method. Thus there are only an input stream in and output stream out for communication between the players. The other arguments are as above.

Destructor on JareckiLysyanskayaEDCF: ~JareckiLysyanskayaEDCF ()

This destructor releases all occupied resources.

Next: , Previous: , Up: Classes   [Contents][Index]