Next: GrothVSSHE, Previous: BarnettSmartVTMF, Up: Classes [Contents][Index]
Jarecki and Lysyanskaya [JL00] have introduced some useful building blocks in order to gain security against an adaptive adversary for threshold cryptography.
This class provides the erasure-free distributed coinflip (EDCF) protocol. It also needs a group G_q of prime order q where the discrete logarithm problem is computationally hard. The protocol produces a public value a = \sum_{i=1}^n a_i \bmod q such that 0 \le a < q is random and uniformly distributed, if at least one party P_i, 1 \le i \le n has chosen their corresponding coin share a_i\in{\bf Z}_q uniformly at random.
The coinflip protocol is useful in order to transform a public-coin honest-verifier zero-knowledge proof of knowledge (HVZKP) into interactive proof resp. argument which preserve the zero-knowledge property even in case of malicious verifiers. Such proof systems are called simultaneous zero-knowledge proofs of knowledge. The underlying general model of Jarecki and Lysyanskaya [JL00] considers a synchronous communication network of n players with access to a reliable broadcast channel, where an adaptive adversary can corrupt up to a minority t < n/2 of the players.
This is the public prime number p which defines the underlying finite field {\bf Z}/p{\bf Z}.
This is the public prime number q which defines the underlying cyclic group G_q. Note that G_q is a subgroup of {\bf Z}/p{\bf Z} and it must be chosen to have order q.
This is the fixed public generator g of the underlying group G_q.
This is the common public value h \in G_q such that nobody knows \log_g h. It can be obtained by the above key generation protocol (see BarnettSmartVTMF).
Jarecki and Lysyanskaya [JL00]: “When secure channels are present, h can be obtained by using general techniques of multi-party computation [BGW88, CDD+99]. When secure channel are not there, and implementing them by erasure is not an option, we can use another protocol, where each player generates his share h_i of h, and then all players, in parallel, prove knowledge of \log_g h_i to each other.”
This is the total number of parties n involved in this protocol.
This is the maximum number of faulty parties t (reconstruction threshold).
const size_t n_in, const size_t t_in, mpz_srcptr p_CRS, mpz_srcptr q_CRS, mpz_srcptr g_CRS, mpz_srcptr h_CRS, const unsigned long int fieldsize =TMCG_DDH_SIZE, const unsigned long int subgroupsize =TMCG_DLSE_SIZE)This constructor creates a new EDCF instance. That means, the required primes p and q and the generators g and h are initialized from the given arguments p_CRS, q_CRS, g_CRS, and h_CRS, respectively. n_in is the total number of participating players, for which at most t_in are faulty or act malicious during the protocol execution.
This method checks whether p and q have appropriate sizes
with respect to the bit lengths given during the initialization of the
corresponding instance. Further, it checks whether p has the correct
form (i.e. p = kq +1), whether p and q are probable
prime, and whether g resp. h are different generators of the
subgroup G_q. It returns true, if all of these checks
have been passed successfully.
const size_t i, mpz_ptr a, aiounicast* aiou, CachinKursawePetzoldShoupRBC* rbc, std::ostream& err, const bool simulate_faulty_behaviour =false)This method starts the protocol which produces a public
value a = \sum_{i=1}^n a_i \bmod q such that 0 \le a < q is
random and uniformly distributed, if at least one party
P_i, 1 \le i \le n has chosen their corresponding share
a_i\in{\bf Z}_q uniformly at random. If it returns
true, then a contains this common random value.
The argument i is an index of the running instance with
respect to already initialized instances of asynchronous point-to-point
channels aiou and a reliable broadcast channel rbc. Logging
and debug messages are printed to the provided output stream err.
const size_t i, mpz_ptr a, std::istream& in, std::ostream& out, std::ostream& err, const bool simulate_faulty_behaviour =false)This is the two-party version of the above method. Thus there are only an input stream in and output stream out for communication between the players. The other arguments are as above.
This destructor releases all occupied resources.
Next: GrothVSSHE, Previous: BarnettSmartVTMF, Up: Classes [Contents][Index]