### 2.1 Preprocessor Defined Global Symbols

Please note that the following macros are fixed at compile time of LibTMCG and cannot be changed by your application. They are only provided here for informational purposes.

Macro: TMCG_MR_ITERATIONS

Defines the number of iterations for the Miller-Rabin primality test. The default value is 64 which implies a soundness error probability {} \le 4^{-64}.

Macro: TMCG_MAX_ZNP_ITERATIONS

Defines the maximum number of iterations for the prover in cut-and-choose style zero-knowledge protocols of Schindelhauer’s toolbox. The default value is 80 which limits the soundness error probability to {} \ge 2^{-80}, however, it protects against some obvious denial-of-service attacks from a malicious verifier.

Macro: TMCG_GROTH_L_E

Defines the security parameter \ell_e of Groth’s (interactive) shuffle argument [Gr05]. The default value is 80 which implies a soundness error probability {} \le 2^{-80}. For the intended purposes of LibTMCG this seems to be reasonable.

Macro: TMCG_DDH_SIZE

Defines the security parameter (finite field size in bit) of the group G which is used by the card encoding scheme of Barnett and Smart [BS03]. The underlying assumptions are DDH, CDH, and DLOG. The default value is 2048.

Macro: TMCG_DLSE_SIZE

Defines the security parameter (subgroup size in bit) of the group G which is used by the card encoding scheme of Barnett and Smart [BS03]. The underlying assumptions are DLSE (related to DDH) and DLOG. The default value is 256.

Macro: TMCG_AIO_HIDE_SIZE

Defines the security parameter for hiding the length of integers in derived classes from aiounicast. The default value is 256.

Macro: TMCG_GCRY_MD_ALGO

Defines the main message digest algorithm (i.e. hash function h()) for digital signatures with PRab [BR96] and mask generation for Rabin encryption with SEAP [Bo01] in TMCG_SecretKey. This algorithm is also used for the construction of a special hash function g(), which is needed for the Fiat-Shamir heuristic [FS87]. Recently we switched 3 to the hash function SHA-256 (default value GCRY_MD_SHA2564) for improved collision resistance. Thus we gain a security level of approximately 2^{128}, assuming that a birthday-attack is the best known attack against this message digest.

Please note that the security of the non-interactive zero-knowledge proofs resp. arguments (NIZK) is proved in the so-called random oracle model (ROM), i.e., we suppose that the instantiated hash function g() behaves like an ideal random function (which obviously cannot hold in a real world scenario with deterministic computations). However, this assumption seems to be reasonable, if the underlying hash function is collision-resistant and if it is carefully implemented with respect to other instantiations [BR93].

Macro: TMCG_GCRY_MAC_ALGO

Defines the message authentication algorithm for authenticated channels established by the class aiounicast. The default value is GCRY_MAC_HMAC_SHA256 5, i.e. the HMAC based scheme with hashing algorithm SHA-256.

Macro: TMCG_GCRY_ENC_ALGO

Defines the symmetric encryption algorithm (sometimes also called cipher) for private channels established by the class aiounicast. The default value is GCRY_CIPHER_AES256 6, i.e. the cipher AES256, which is used by LibTMCG in CFB (Cipher Feedback) mode.

Macro: TMCG_KEYID_SIZE

Defines the length (in characters w.r.t. TMCG_MPZ_IO_BASE) for the distinctive suffix of the unique TMCG key identifier. The default value is 8 which spans a reasonable name space for at least 2^{20} different TMCG keys (see TMCG_PublicKey). However, sometimes it is required to use even smaller sizes due to artificial protocol restrictions (e.g. the IRC nickname is sometimes restricted to 9 characters).

Each key identifier starts with the string "ID" followed by the decimal encoded value of TMCG_KEYID_SIZE and the appended carret symbol "^". The final suffix contains TMCG_KEYID_SIZE alphanumerical characters from the self signature of TMCG key. This signature has enough entropy included to be used as unique key identifier.

Macro: TMCG_KEY_NIZK_STAGE1

Defines the security parameter (number of iterations) of the NIZK proof [GMR98] (stage 1) which convince all verifiers that the TMCG key was correctly generated. The default value is 16 which implies a soundness error probability {} \le d^{-16}, where d = {\rm gcd}(m, \phi(m)) and m is part of the public key. This parameter is only relevant for the card encoding scheme of Schindelhauer, where the key has a very special format.

Macro: TMCG_KEY_NIZK_STAGE2

Defines the security parameter (number of iterations) of the NIZK proof [GMR98] (stage 2) which convince all verifiers that the TMCG key was correctly generated. The default value is 128 which implies a soundness error probability {} \le 2^{-128}. This parameter is only relevant for the card encoding scheme of Schindelhauer.

Macro: TMCG_KEY_NIZK_STAGE3

Defines the security parameter (number of iterations) of the NIZK proof [Sc98] (stage 3) which convince all verifiers that the TMCG key was correctly generated. The default value is 128 which implies a soundness error probability {} \le 2^{-128}. This parameter is only relevant for the card encoding scheme of Schindelhauer.

Macro: TMCG_LIBGCRYPT_VERSION

Defines the required minimum version number of the GNU Crypto Library. The default value is "1.6.0". During the initialization of LibTMCG (see init_libTMCG) it is checked, whether the version number of the linked shared object fulfills this condition.

Macro: TMCG_LIBGMP_VERSION

Defines the required minimum version number of the GNU Multiple Precision Arithmetic Library. The default value is "4.2.0". During the initialization of LibTMCG (see init_libTMCG) it is checked, whether the version number provided by the header file gmp.h and used at compile time of LibTMCG fulfills this condition.

Macro: TMCG_MAX_CARDS

Defines the maximum number of stackable cards. The default value is 1024.

Macro: TMCG_MAX_PLAYERS

Defines the maximum number of players. The default value is 32. This parameter is only relevant for the card encoding scheme of Schindelhauer.

Macro: TMCG_MAX_TYPEBITS

Defines the maximum number of bits to represent the card type in the scheme of Schindelhauer. On the other hand, this value determines the maximum size of the message space in the scheme of Barnett and Smart. The default value is 10 which implies that 1024 different card types are possible. For each type some memory will be allocated, thus this value should modified very carefully.

Macro: TMCG_MPZ_IO_BASE

Defines the input and output base of the std::iostream operators << and >> which is used to encode large integers (mpz_t). The former value was 36 which was some years ago the largest base supported by the GNU Multiple Precision Arithmetic Library. Since version 1.2.0 of LibTMCG the new default value is 62.

Macro: TMCG_PRAB_K0

Defines the security parameter k_0 (in characters) of the PRab scheme [BR96]. The default value is 20 which implies a security level around 2^{80}.

Macro: TMCG_QRA_SIZE

Defines the security parameter (size of the modulus m = p \cdot q in bit) of the TMCG key. The underlying assumptions are QRA and FACTOR. The default value is 2048. This parameter is only relevant for TMCG keys and Schindelhauer’s encoding scheme.

Macro: TMCG_SAEP_S0

Defines the security parameter s_0 (in characters) of the Rabin-SAEP scheme [Bo01]. The default value is 20 which implies a security level around 2^{80} against CCA (chosen-ciphertext attack).

Macro: TMCG_HASH_COMMITMENT

Defines whether shortened commitments are used in the shuffle verification procedure of Schindelhauer [Sc98]. The default value is true, because this will decrease the communication complexity significantly. However, as an immediate consequence the soundness property is violated, if the hash function TMCG_GCRY_MD_ALGO is broken.

Macro: TMCG_MAX_FPOWM_T

Defines the maximum size of admissible exponents (in bit) used by our fast exponentiation procedures. The default value is 2048. Note that this parameter has a strong influence on the amount of memory allocated by LibTMCG since it determines the size of the precomputed tables. However, it should be at least greater or equal than TMCG_DDH_SIZE and TMCG_QRA_SIZE in order to support the possible exponents of common finite field sizes.

Macro: TMCG_MAX_FPOWM_N

Define the maximum number of different bases for doing the above precomputation. This value is a trade-off between fast exponentiation for all possible bases and memory allocation. Currently it is only relevant for the generators g_1, \ldots, g_n in Groth’s variant of Pedersen commitment scheme (see GrothVSSHE). The default value is 256.

Macro: TMCG_MAX_SSRANDOMM_CACHE

Define the maximum size of the cache for function mpz_ssrandomm. The cache must be proper initialized and is useful in interactive protocols, where entropy is limited and a lot of very secure randomness is required immediately. Thus some values should be aquired and cached before the protocol starts. The default value is 256.

### (3)

In former versions of LibTMCG the default value of this symbol was GCRY_MD_RMD160, i.e. the hash algorithm RIPEMD-160 (see Dobbertin, Bosselaers, Preneel: RIPEMD-160, a strengthened version of RIPEMD, 1996), which is a function that has only an output length of 160 bit.

### (4)

This is also a constant defined by the GNU Crypto Library.

### (5)

This is also a constant defined by the GNU Crypto Library.

### (6)

This is also a constant defined by the GNU Crypto Library.