Next: Basic Structures, Up: Application Programming Interface [Contents][Index]

Please note that the following macros are fixed at compile time of LibTMCG and cannot be changed by your application. They are only provided here for informational purposes.

- Macro:
**TMCG_MR_ITERATIONS** Defines the number of iterations for the Miller-Rabin primality test. The default value is

`64`

which implies a soundness error probability*{} \le 4^{-64}*.

- Macro:
**TMCG_MAX_ZNP_ITERATIONS** Defines the maximum number of iterations for the prover in cut-and-choose style zero-knowledge protocols of Schindelhauer’s toolbox. The default value is

`80`

which limits the soundness error probability to*{} \ge 2^{-80}*, however, it protects against some obvious denial-of-service attacks from a malicious verifier.

- Macro:
**TMCG_GROTH_L_E** Defines the security parameter

*\ell_e*of Groth’s (interactive) shuffle argument [Gr05]. The default value is`80`

which implies a soundness error probability*{} \le 2^{-80}*. For the intended purposes of LibTMCG this seems to be reasonable.

- Macro:
**TMCG_DDH_SIZE** Defines the security parameter (finite field size in bit) of the group

*G*which is used by the card encoding scheme of Barnett and Smart [BS03]. The underlying assumptions are DDH, CDH, and DLOG. The default value is`2048`

.

- Macro:
**TMCG_DLSE_SIZE** Defines the security parameter (subgroup size in bit) of the group

*G*which is used by the card encoding scheme of Barnett and Smart [BS03]. The underlying assumptions are DLSE (related to DDH) and DLOG. The default value is`256`

.

- Macro:
**TMCG_AIO_HIDE_SIZE** Defines the security parameter for hiding the length of integers in derived classes from

`aiounicast`

. The default value is`256`

.

- Macro:
**TMCG_GCRY_MD_ALGO** Defines the main message digest algorithm (i.e. hash function

*h()*) for digital signatures with PRab [BR96] and mask generation for Rabin encryption with SEAP [Bo01] in`TMCG_SecretKey`

. This algorithm is also used for the construction of a special hash function*g()*, which is needed for the Fiat-Shamir heuristic [FS87]. Recently we switched^{3}to the hash function SHA-256 (default value`GCRY_MD_SHA256`

^{4}) for improved collision resistance. Thus we gain a security level of approximately*2^{128}*, assuming that a birthday-attack is the best known attack against this message digest.Please note that the security of the non-interactive zero-knowledge proofs resp. arguments (NIZK) is proved in the so-called random oracle model (ROM), i.e., we suppose that the instantiated hash function

*g()*behaves like an ideal random function (which obviously cannot hold in a real world scenario with deterministic computations). However, this assumption seems to be reasonable, if the underlying hash function is collision-resistant and if it is carefully implemented with respect to other instantiations [BR93].

- Macro:
**TMCG_GCRY_MAC_ALGO** Defines the message authentication algorithm for authenticated channels established by the class

`aiounicast`

. The default value is`GCRY_MAC_HMAC_SHA256`

^{5}, i.e. the HMAC based scheme with hashing algorithm SHA-256.

- Macro:
**TMCG_GCRY_ENC_ALGO** Defines the symmetric encryption algorithm (sometimes also called cipher) for private channels established by the class

`aiounicast`

. The default value is`GCRY_CIPHER_AES256`

^{6}, i.e. the cipher AES256, which is used by LibTMCG in CFB (Cipher Feedback) mode.

- Macro:
**TMCG_KEYID_SIZE** Defines the length (in characters w.r.t.

`TMCG_MPZ_IO_BASE`

) for the distinctive suffix of the unique TMCG key identifier. The default value is`8`

which spans a reasonable name space for at least*2^{20}*different TMCG keys (see`TMCG_PublicKey`

). However, sometimes it is required to use even smaller sizes due to artificial protocol restrictions (e.g. the IRC nickname is sometimes restricted to 9 characters).Each key identifier starts with the string

`"ID"`

followed by the decimal encoded value of`TMCG_KEYID_SIZE`

and the appended carret symbol`"^"`

. The final suffix contains`TMCG_KEYID_SIZE`

alphanumerical characters from the self signature of TMCG key. This signature has enough entropy included to be used as unique key identifier.

- Macro:
**TMCG_KEY_NIZK_STAGE1** Defines the security parameter (number of iterations) of the NIZK proof [GMR98] (stage 1) which convince all verifiers that the TMCG key was correctly generated. The default value is

`16`

which implies a soundness error probability*{} \le d^{-16}*, where*d = {\rm gcd}(m, \phi(m))*and*m*is part of the public key. This parameter is only relevant for the card encoding scheme of Schindelhauer, where the key has a very special format.

- Macro:
**TMCG_KEY_NIZK_STAGE2** Defines the security parameter (number of iterations) of the NIZK proof [GMR98] (stage 2) which convince all verifiers that the TMCG key was correctly generated. The default value is

`128`

which implies a soundness error probability*{} \le 2^{-128}*. This parameter is only relevant for the card encoding scheme of Schindelhauer.

- Macro:
**TMCG_KEY_NIZK_STAGE3** Defines the security parameter (number of iterations) of the NIZK proof [Sc98] (stage 3) which convince all verifiers that the TMCG key was correctly generated. The default value is

`128`

which implies a soundness error probability*{} \le 2^{-128}*. This parameter is only relevant for the card encoding scheme of Schindelhauer.

- Macro:
**TMCG_LIBGCRYPT_VERSION** Defines the required minimum version number of the GNU Crypto Library. The default value is

`"1.6.0"`

. During the initialization of LibTMCG (see`init_libTMCG`

) it is checked, whether the version number of the linked shared object fulfills this condition.

- Macro:
**TMCG_LIBGMP_VERSION** Defines the required minimum version number of the GNU Multiple Precision Arithmetic Library. The default value is

`"4.2.0"`

. During the initialization of LibTMCG (see`init_libTMCG`

) it is checked, whether the version number provided by the header file`gmp.h`and used at compile time of LibTMCG fulfills this condition.

- Macro:
**TMCG_MAX_CARDS** Defines the maximum number of stackable cards. The default value is

`1024`

.

- Macro:
**TMCG_MAX_PLAYERS** Defines the maximum number of players. The default value is

`32`

. This parameter is only relevant for the card encoding scheme of Schindelhauer.

- Macro:
**TMCG_MAX_TYPEBITS** Defines the maximum number of bits to represent the card type in the scheme of Schindelhauer. On the other hand, this value determines the maximum size of the message space in the scheme of Barnett and Smart. The default value is

`10`

which implies that 1024 different card types are possible. For each type some memory will be allocated, thus this value should modified very carefully.

- Macro:
**TMCG_MPZ_IO_BASE** Defines the input and output base of the

`std::iostream`

operators`<<`

and`>>`

which is used to encode large integers (`mpz_t`

). The former value was`36`

which was some years ago the largest base supported by the GNU Multiple Precision Arithmetic Library. Since version 1.2.0 of LibTMCG the new default value is`62`

.

- Macro:
**TMCG_PRAB_K0** Defines the security parameter

*k_0*(in characters) of the PRab scheme [BR96]. The default value is`20`

which implies a security level around*2^{80}*.

- Macro:
**TMCG_QRA_SIZE** Defines the security parameter (size of the modulus

*m = p \cdot q*in bit) of the TMCG key. The underlying assumptions are QRA and FACTOR. The default value is`2048`

. This parameter is only relevant for TMCG keys and Schindelhauer’s encoding scheme.

- Macro:
**TMCG_SAEP_S0** Defines the security parameter

*s_0*(in characters) of the Rabin-SAEP scheme [Bo01]. The default value is`20`

which implies a security level around*2^{80}*against CCA (chosen-ciphertext attack).

- Macro:
**TMCG_HASH_COMMITMENT** Defines whether shortened commitments are used in the shuffle verification procedure of Schindelhauer [Sc98]. The default value is

`true`

, because this will decrease the communication complexity significantly. However, as an immediate consequence the soundness property is violated, if the hash function`TMCG_GCRY_MD_ALGO`

is broken.

- Macro:
**TMCG_MAX_FPOWM_T** Defines the maximum size of admissible exponents (in bit) used by our fast exponentiation procedures. The default value is

`2048`

. Note that this parameter has a strong influence on the amount of memory allocated by LibTMCG since it determines the size of the precomputed tables. However, it should be at least greater or equal than`TMCG_DDH_SIZE`

and`TMCG_QRA_SIZE`

in order to support the possible exponents of common finite field sizes.

- Macro:
**TMCG_MAX_FPOWM_N** Define the maximum number of different bases for doing the above precomputation. This value is a trade-off between fast exponentiation for all possible bases and memory allocation. Currently it is only relevant for the generators

*g_1, \ldots, g_n*in Groth’s variant of Pedersen commitment scheme (see GrothVSSHE). The default value is`256`

.

- Macro:
**TMCG_MAX_SSRANDOMM_CACHE** Define the maximum size of the cache for function

`mpz_ssrandomm`

. The cache must be proper initialized and is useful in interactive protocols, where entropy is limited and a lot of very secure randomness is required immediately. Thus some values should be aquired and cached before the protocol starts. The default value is`256`

.

In former versions of LibTMCG the default value of this symbol was `GCRY_MD_RMD160`

,
i.e. the hash algorithm RIPEMD-160 (see Dobbertin, Bosselaers, Preneel: *RIPEMD-160,
a strengthened version of RIPEMD*, 1996), which is a function that has only an output length
of 160 bit.

This is also a constant defined by the GNU Crypto Library.

This is also a constant defined by the GNU Crypto Library.

This is also a constant defined by the GNU Crypto Library.

Next: Basic Structures, Up: Application Programming Interface [Contents][Index]