2023-03-13
Cait-Sith Security (2): Key Sharing
So, there'a few steps to defining key sharing,
since we want to reuse some of these intermediate protocols.
Basically, first we define a way to convert additive shares to threshold
shares,
then a way to do key sharing,
but with each of the steps accessible,
then we define a way to do key generation, with each step accessible,
and then then we can collapse all of the steps by performing them in sequence.
The reason we need this "accessible steps" thing is because other protocols
will call them interleaved with other protocols, so we need to be able
to analyze this aspect.
Conversion
As mentioned above, the goal here is to define a protocol for transforming
additive shares into threshold shares.
Definition: (Conversion)
We define the following protocol for conversion.
P [ Convert ] P i Z _ j i , f i ← ⊥ ( 1 ) SetMask i ( ) : ‾ f i ← $ { f i ∈ F q [ X ] _ ≤ t − 1 ∣ f i ( 0 ) = 0 } F i ← f i ⋅ G SetCommit i ( F i ) Commit i ( ) WaitMask i ( ) : ‾ WaitCommit i ( ) ( 1 ) Share i ( z i ) : ‾ Open i ( ) Z i ← z i ⋅ G π i ← Prove i φ ( Z i ; z i ) ↱ i ( ⋆ , ( Z i , π i ) , 0 ) ↱ i ( ⋆ , [ z i + f i ( j ) ∣ j ∈ [ n ] ] , 1 ) WaitShare i ( ) : ‾ F _ ∙ ← WaitOpen i ( ) ( Z _ ∙ i , π _ ∙ i ) ← ↰ i ( ⋆ , 0 ) if ∃ j . ¬ Verify φ ( π _ j i , Z j ) stop ( ⋆ , 0 ) x _ ∙ i ← ↰ i ( ⋆ , 1 ) x i ← ∑ j x _ j i , Z ← ∑ j Z j , F ← Z + ∑ j F j if ∃ j . ( deg ( F j ) ≠ t − 1 ∨ F j ( 0 ) ≠ 0 ) ∨ x i ⋅ G ≠ F ( i ) : stop ( ⋆ , 1 ) return ( x i , Z ) Z i ( j ) : ‾ return Z _ j i F [ ZK ( φ ) ] ⊗ F [ SyncComm ] ⊚ F [ Stop ] Leakage : = { stop } ⊲ P [ Commit ] \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}[\text{Convert}]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&Z\_{j i}, f_i \gets \bot\cr
\cr
&\underline{
(1)\text{SetMask}_i():
}\cr
&\enspace
f_i \xleftarrow{\$} \{ f_i \in \mathbb{F}_q[X]\_{\leq t - 1} \mid f_i(0) = 0 \}
\cr
&\enspace
F_i \gets f_i \cdot G
\cr
&\enspace
\text{SetCommit}_i(F_i)
\cr
&\enspace
\text{Commit}_i()
\cr
\cr
&\underline{
\text{WaitMask}_i():
}\cr
&\enspace
\text{WaitCommit}_i()
\cr
\cr
&\underline{
(1)\text{Share}_i(z_i):
}\cr
&\enspace
\text{Open}_i()
\cr
&\enspace
Z_i \gets z_i \cdot G
\cr
&\enspace
\pi_i \gets \text{Prove}_i^\varphi(Z_i; z_i)
\cr
&\enspace
\Rsh_i(\star, (Z_i, \pi_i), 0)
\cr
&\enspace
\Rsh_i(\star, [z_i + f_i(j) \mid j \in [n]], 1)
\cr
\cr
&\underline{
\text{WaitShare}_i():
}\cr
&\enspace
F\_\bullet \gets \text{WaitOpen}_i()
\cr
&\enspace
(Z\_{\bullet i}, \pi\_{\bullet i}) \gets \Lsh_i(\star, 0)
\cr
&\enspace
\texttt{if } \exists j.\ \neg \text{Verify}^\varphi(\pi\_{ji}, Z_j)
\cr
&\enspace\enspace
\texttt{stop}(\star, 0)
\cr
&\enspace
x\_{\bullet i} \gets \Lsh_i(\star, 1)
\cr
&\enspace
x_i \gets \sum_j x\_{ji},\ Z \gets \sum_j Z_j, \enspace F \gets Z + \sum_j F_j
\cr
&\enspace
\texttt{if } \exists j.\ (\text{deg}(F_j) \neq t - 1 \lor F_j(0) \neq 0) \lor x_i \cdot G \neq F(i):
\cr
&\enspace\enspace
\texttt{stop}(\star, 1)
\cr
&\enspace
\texttt{return } (x_i, Z)
\cr
\cr
&\underline{
\text{Z}_i(j):
}\cr
&\enspace
\texttt{return } Z\_{ji}
\cr
\end{aligned}
}
}
\quad
\begin{matrix}
F[\text{ZK}(\varphi)]\cr
\otimes\cr
F[\text{SyncComm}]\cr
\circledcirc \cr
F[\text{Stop}]
\end{matrix}\cr
\cr
\text{Leakage} := \{\texttt{stop}\}
\end{matrix}
}
\lhd \mathscr{P}[\text{Commit}] P [ C o n v e r t ] P i Z _ ji , f i ← ⊥ ( 1 ) S e t M a s k i ( ) : f i $ { f i ∈ F q [ X ] _ ≤ t − 1 ∣ f i ( 0 ) = 0 } F i ← f i ⋅ G S e t C o m m i t i ( F i ) C o m m i t i ( ) W a i t M a s k i ( ) : W a i t C o m m i t i ( ) ( 1 ) S h a r e i ( z i ) : O p e n i ( ) Z i ← z i ⋅ G π i ← P r o v e i φ ( Z i ; z i ) ↱ i ( ⋆ , ( Z i , π i ) , 0 ) ↱ i ( ⋆ , [ z i + f i ( j ) ∣ j ∈ [ n ]] , 1 ) W a i t S h a r e i ( ) : F _ ∙ ← W a i t O p e n i ( ) ( Z _ ∙ i , π _ ∙ i ) ← ↰ i ( ⋆ , 0 ) if ∃ j . ¬ V e r i f y φ ( π _ ji , Z j ) stop ( ⋆ , 0 ) x _ ∙ i ← ↰ i ( ⋆ , 1 ) x i ← j ∑ x _ ji , Z ← j ∑ Z j , F ← Z + j ∑ F j if ∃ j . ( d e g ( F j ) = t − 1 ∨ F j ( 0 ) = 0 ) ∨ x i ⋅ G = F ( i ) : stop ( ⋆ , 1 ) return ( x i , Z ) Z i ( j ) : return Z _ ji F [ Z K ( φ )] ⊗ F [ S y n c C o m m ] ⊚ F [ S t o p ] L e a k a g e := { stop } ⊲ P [ C o m m i t ] □ \square □
The basic idea behind this protocol is that you first commit
to a polynomial you'll use for the threshold sharing,
without committing to the value you want to share.
Then, in a later step, you'll contribute your additive share of the secret
value,
and send threshold shares using this polynomial.
Next, we get to the ideal functionality this protocol implements.
The basic idea is that parties get z + f ( j ) z + f(j) z + f ( j ) z z z f f f f f f f h f^h f h f m f^m f m f m ⋅ G f^m \cdot G f m ⋅ G
Definition (Ideal Conversion):
P [ IdealConvert ] P i ( 1 ) SetMask i ( ) : ‾ SetMask i ( ⋆ ) WaitMask i ( ) : ‾ WaitMask i ( ⋆ , true ) ( 1 ) Share i ( z ) : ‾ Share i ( ⋆ , z ) WaitShare i ( ) : ‾ return WaitShare i ( true ) Z i ( j ) : ‾ return Z i ( j ) F [ Convert ] f h ← $ { f ∈ F q [ X ] _ ≤ t − 1 ∣ f ( 0 ) = 0 } F m , ready _ i j , z _ i j , x j ← ⊥ SetMask i ( S ) : ‾ ready _ i j ← true ( ∀ j ∈ S ) ( 1 ) Cheat ( F ) : ‾ assert F ( 0 ) = 0 ∧ deg ( F ) = t − 1 F m ← F WaitMask i ( S , m ) : ‾ wait _ ( i , 0 ) ∀ j ∈ S . ready _ j i ∧ ( m → F m ≠ ⊥ ) Share i ( S , z _ ∙ ) : ‾ assert ∃ j . ready _ i j z _ i j ← z j ( ∀ j ∈ S ) CheatShare ( S , x ^ _ ∙ ) : ‾ assert F m ≠ ⊥ ∧ ∀ j ∈ S . x ^ j ⋅ G = F m ( j ) for j . x j = ⊥ : x j ← x ^ j WaitShare i ( h ) : ‾ if h : wait _ ( i , 1 ) x i ≠ ⊥ ∧ ∀ j . ∧ z _ j i ≠ ⊥ return ∑ _ j z _ j i + f h ( i ) + x i else : wait _ ( i , 1 ) ∀ j ∈ H . z _ j i ≠ ⊥ return ∑ _ j ∈ H z _ j i + f h ( i ) Z j ( i ) : ‾ return z _ i j ⋅ G F h ( ) : ‾ wait F m ≠ ⊥ ∧ ∀ i . ∃ j . ready _ i j return f h ⋅ G ⊚ F [ Stop ] Leakage : = { stop } \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}[\text{IdealConvert}]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\underline{
(1)\text{SetMask}_i():
}\cr
&\enspace
\text{SetMask}_i(\star)
\cr
\cr
&\underline{
\text{WaitMask}_i():
}\cr
&\enspace
\text{WaitMask}_i(\star, \texttt{true})
\cr
\cr
&\underline{
(1)\text{Share}_i(z):
}\cr
&\enspace
\text{Share}_i(\star, z)
\cr
\cr
&\underline{
\text{WaitShare}_i():
}\cr
&\enspace
\texttt{return } \text{WaitShare}_i(\texttt{true})
\cr
\cr
&\underline{
\text{Z}_i(j):
}\cr
&\enspace
\texttt{return } \text{Z}_i(j)
\cr
\end{aligned}
}
}
\quad
\begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$F[\text{Convert}]$
}\cr
\cr
&f^h \xleftarrow{\$} \{f \in \mathbb{F}_q[X]\_{\leq t - 1} \mid f(0) = 0\}\cr
&F^m, \text{ready}\_{ij}, z\_{ij}, x_j \gets \bot\cr
\cr
&\underline{
\text{SetMask}_i(S):
}\cr
&\enspace
\text{ready}\_{ij} \gets \texttt{true}\ (\forall j \in S)
\cr
\cr
&\underline{
\textcolor{ef4444}{
(1)\text{Cheat}(F):
}
}\cr
&\enspace
\texttt{assert } F(0) = 0 \land \text{deg}(F) = t - 1
\cr
&\enspace
F^m \gets F
\cr
\cr
&\underline{
\text{WaitMask}_i(S, m):
}\cr
&\enspace
\texttt{wait}\_{(i, 0)} \forall j \in S.\ \text{ready}\_{ji} \land (m \to F^m \neq \bot)
\cr
\cr
&\underline{
\text{Share}_i(S, z\_\bullet):
}\cr
&\enspace
\texttt{assert } \exists j.\ \text{ready}\_{ij}
\cr
&\enspace
z\_{ij} \gets z_j\ (\forall j \in S)
\cr
\cr
&\underline{
\textcolor{ef4444}{
\text{CheatShare}(S, \hat{x}\_\bullet):
}
}\cr
&\enspace
\texttt{assert } F^m \neq \bot \land \forall j \in S.\ \hat{x}_j \cdot G = F^m(j)
\cr
&\enspace
\texttt{for } j. x_j = \bot: x_j \gets \hat{x}_j
\cr
\cr
&\underline{
\text{WaitShare}_i(h):
}\cr
&\enspace
\texttt{if } h:
\cr
&\enspace\enspace
\texttt{wait}\_{(i, 1)} x_i \neq \bot \land \forall j. \land z\_{ji} \neq \bot
\cr
&\enspace\enspace
\texttt{return } \sum\_j z\_{ji} + f^h(i) + x_i
\cr
&\enspace
\texttt{else}:
\cr
&\enspace\enspace
\texttt{wait}\_{(i, 1)} \forall j \in \mathcal{H}. z\_{ji} \neq \bot
\cr
&\enspace\enspace
\texttt{return } \sum\_{j \in \mathcal{H}} z\_{ji} + f^h(i)
\cr
&\underline{
\text{Z}_j(i):
}\cr
&\enspace
\texttt{return } z\_{ij} \cdot G
\cr
\cr
&\underline{
\textcolor{ef4444}{
\text{F}^h():
}
}\cr
&\enspace
\texttt{wait } F^m \neq \bot \land \forall i. \exists j. \text{ready}\_{ij}
\cr
&\enspace
\texttt{return } f^h \cdot G
\cr
\end{aligned}
}
}\cr
\circledcirc \cr
F[\text{Stop}]
\end{matrix}\cr
\cr
\text{Leakage} := \{\texttt{stop}\}
\end{matrix}
} P [ I d e a l C o n v e r t ] P i ( 1 ) S e t M a s k i ( ) : S e t M a s k i ( ⋆ ) W a i t M a s k i ( ) : W a i t M a s k i ( ⋆ , true ) ( 1 ) S h a r e i ( z ) : S h a r e i ( ⋆ , z ) W a i t S h a r e i ( ) : return W a i t S h a r e i ( true ) Z i ( j ) : return Z i ( j ) F [ C o n v e r t ] f h $ { f ∈ F q [ X ] _ ≤ t − 1 ∣ f ( 0 ) = 0 } F m , r e a d y _ ij , z _ ij , x j ← ⊥ S e t M a s k i ( S ) : r e a d y _ ij ← true ( ∀ j ∈ S ) ( 1 ) C h e a t ( F ) : assert F ( 0 ) = 0 ∧ d e g ( F ) = t − 1 F m ← F W a i t M a s k i ( S , m ) : wait _ ( i , 0 ) ∀ j ∈ S . r e a d y _ ji ∧ ( m → F m = ⊥ ) S h a r e i ( S , z _ ∙ ) : assert ∃ j . r e a d y _ ij z _ ij ← z j ( ∀ j ∈ S ) C h e a t S h a r e ( S , x ^ _ ∙ ) : assert F m = ⊥ ∧ ∀ j ∈ S . x ^ j ⋅ G = F m ( j ) for j . x j = ⊥ : x j ← x ^ j W a i t S h a r e i ( h ) : if h : wait _ ( i , 1 ) x i = ⊥ ∧ ∀ j . ∧ z _ ji = ⊥ return ∑ _ j z _ ji + f h ( i ) + x i else : wait _ ( i , 1 ) ∀ j ∈ H . z _ ji = ⊥ return ∑ _ j ∈ H z _ ji + f h ( i ) Z j ( i ) : return z _ ij ⋅ G F h ( ) : wait F m = ⊥ ∧ ∀ i . ∃ j . r e a d y _ ij return f h ⋅ G ⊚ F [ S t o p ] L e a k a g e := { stop } □ \square □
For slight technical reasons, this functionality can't be reduced
to one where the polynomial is simply chosen randomly,
although it's functionally equivalent.
This is because the adversary has to effectively commit to their contribution
to the random polynomial in advance, before having seen any other information,
which thus prevents this contribution from meaningfully affecting the randomness.
In fact, if you have a stronger model of how the group here functions,
like the AGM or something, then in fact this would reduce to the standard
functionality, because you would be able to extract out the discrete
logarithm of the cheating polynomial early.
However, to make the analysis more concrete, we instead deal with this
annoyance of functionality directly.
Lemma:
For a negligible ϵ \epsilon ϵ t − 1 t - 1 t − 1
P [ Convert ] ⇝ ϵ P [ IdealConvert ] \mathscr{P}[\text{Convert}] \overset{\epsilon}{\leadsto} \mathscr{P}[\text{IdealConvert}] P [ C o n v e r t ] ⇝ ϵ P [ I d e a l C o n v e r t ] Proof:
First, P [ Convert ] ⇝ P 0 \mathscr{P}[\text{Convert}] \leadsto \mathscr{P}^0 P [ C o n v e r t ] ⇝ P 0 P 0 \mathscr{P}^0 P 0 P [ Commit ] \mathscr{P}[\text{Commit}] P [ C o m m i t ] P [ IdealCommit ] \mathscr{P}[\text{IdealCommit}] P [ I d e a l C o m m i t ]
Unrolling, we get:
Γ H 0 ( 1 ) SetMask i ( ) : ‾ … ⊗ Γ M 0 = 1 ( ↱ k , ↰ k , Prove k , Verify , SetCommit k , WaitCommit k , Open k , WaitOpen k , Sync k , WaitSync k , stop ) ∘ F [ ZK ( φ ) ] ⊗ F [ SyncComm ] ⊗ F [ Commit ] ⊗ F [ Sync ] ⊚ F [ Stop ] \begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^0_H$
}\cr
\cr
&\underline{
(1)\text{SetMask}_i():
}\cr
&\enspace
\ldots
\cr
\end{aligned}
}
}
\otimes
\boxed{\colorbox{FBCFE8}{\large
$\Gamma^0_M$
} = 1
\begin{pmatrix}
\Rsh_k
,\cr
\Lsh_k
,\cr
\text{Prove}_k
,\cr
\text{Verify}
,\cr
\text{SetCommit}_k
,\cr
\text{WaitCommit}_k
,\cr
\text{Open}_k
,\cr
\text{WaitOpen}_k
,\cr
\text{Sync}_k
,\cr
\text{WaitSync}_k
,\cr
\texttt{stop}
\end{pmatrix}
}
\cr
\circ
\cr
F[\text{ZK}(\varphi)] \otimes F[\text{SyncComm}] \otimes F[\text{Commit}] \otimes F[\text{Sync}] \circledcirc F[\text{Stop}]
\end{matrix} Γ H 0 ( 1 ) S e t M a s k i ( ) : … ⊗ Γ M 0 = 1 ↱ k , ↰ k , P r o v e k , V e r i f y , S e t C o m m i t k , W a i t C o m m i t k , O p e n k , W a i t O p e n k , S y n c k , W a i t S y n c k , stop ∘ F [ Z K ( φ )] ⊗ F [ S y n c C o m m ] ⊗ F [ C o m m i t ] ⊗ F [ S y n c ] ⊚ F [ S t o p ] Next, inline messages to get rid of synchronous communication.
Our goal for now is to simplify the communication patterns, merging
what's going on into a functionality.
Γ H 1 ( 1 ) SetMask i ( ) : ‾ f i ← $ { f i ∈ F q [ X ] _ ≤ t − 1 ∣ f i ( 0 ) = s i } F i ← f i ⋅ G SetCommit i ( F i ) Commit i ( ⋆ ) WaitMask i ( ) : ‾ WaitCommit i ( ⋆ ) Sync i ( ⋆ , 0 ) ( 1 ) Share i ( z i ) : ‾ Open i ( ⋆ ) Z i ← z i ⋅ G π i ← Prove i ( Z i ; z i ) Z _ i j ← Z i , π _ i j ← π i x _ i j ← z i + f i ( j ) WaitShare i ( ) : ‾ WaitSync i ( ⋆ , 0 ) F _ ∙ ← WaitOpen i ( ⋆ ) wait _ ( i , 1 ) ∀ j . Z _ j i , π _ j i ≠ ⊥ if ∃ j . deg ( F j ) ≠ t − 1 ∨ F j ( 0 ) ≠ 0 ∨ ¬ Verify ( π _ j i , Z _ j i ) : stop ( ⋆ , 1 ) wait _ ( i , 2 ) ∀ j . x _ j i ≠ ⊥ x i ← ∑ j x _ j i , F ← ∑ j Z _ j i + ∑ j F j if x i ⋅ G ≠ F ( i ) : stop ( ⋆ , 2 ) return ( x i , F ( 0 ) ) ⊗ Γ M 1 … ↱ k ( S , m _ ∙ , 1 ) : ‾ ∀ j ∈ S . ( Z _ k j , π _ k j ) ← m _ j ↱ k ( S , m _ ∙ , 2 ) : ‾ ∀ j ∈ S . x _ k j ← m _ j ↰ k ( S , 1 ) : ‾ wait _ ( k , 1 ) ∀ j ∈ S . Z _ j k , π _ j k ≠ ⊥ return [ ( Z _ j k , π _ j k ) ∣ j ∈ S ] ↰ k ( S , 2 ) : ‾ wait _ ( k , 2 ) ∀ j ∈ S . x _ j k ≠ ⊥ return [ x _ j k ∣ j ∈ S ] ⊗ 1 ( … ) ∘ F 0 F i , com _ i j , open _ i j ← ⊥ pub Z _ i j , π _ i j , x _ i j ← ⊥ ( 1 ) SetCommit i ( F ) : ‾ F i ← F Commit i ( S ) : ‾ assert F i ≠ ⊥ com _ i j ← true ( ∀ j ∈ S ) WaitCommit i ( S ) : ‾ wait _ ( i , 0 ) ∀ j ∈ S . com _ j i Open i ( S ) : ‾ assert F i ≠ ⊥ open _ i j ← true ( ∀ j ∈ S ) WaitOpen i ( S ) : ‾ wait _ ( i , 2 ) ∀ j ∈ S . open _ j i return F _ ∙ ⊗ F [ ZK ( φ ) ] ⊗ F [ SyncComm ] ⊚ F [ Stop ] \begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^1_H$
}\cr
\cr
&\underline{
(1)\text{SetMask}_i():
}\cr
&\enspace
f_i \xleftarrow{\$} \{ f_i \in \mathbb{F}_q[X]\_{\leq t - 1} \mid f_i(0) = s_i \}
\cr
&\enspace
F_i \gets f_i \cdot G
\cr
&\enspace
\text{SetCommit}_i(F_i)
\cr
&\enspace
\text{Commit}_i(\star)
\cr
\cr
&\underline{
\text{WaitMask}_i():
}\cr
&\enspace
\text{WaitCommit}_i(\star)
\cr
&\enspace
\text{Sync}_i(\star, 0)
\cr
\cr
&\underline{
(1)\text{Share}_i(z_i):
}\cr
&\enspace
\text{Open}_i(\star)
\cr
&\enspace
Z_i \gets z_i \cdot G
\cr
&\enspace
\pi_i \gets \text{Prove}_i(Z_i; z_i)
\cr
&\enspace
\colorbox{bae6fd}{$
Z\_{ij} \gets Z_i,\ \pi\_{ij} \gets \pi_i
$}
\cr
&\enspace
\colorbox{bae6fd}{$
x\_{ij} \gets z_i + f_i(j)
$}
\cr
\cr
&\underline{
\text{WaitShare}_i():
}\cr
&\enspace
\text{WaitSync}_i(\star, 0)
\cr
&\enspace
\colorbox{bae6fd}{$
F\_\bullet \gets \text{WaitOpen}_i(\star)
$}
\cr
&\enspace
\colorbox{bae6fd}{$
\texttt{wait}\_{(i, 1)} \forall j.\ Z\_{ji}, \pi\_{ji} \neq \bot
$}
\cr
&\enspace
\texttt{if } \exists j.\ \text{deg}(F_j) \neq t - 1 \lor F_j(0) \neq 0 \lor \neg \text{Verify}(\pi\_{ji}, Z\_{ji}):
\cr
&\enspace\enspace
\texttt{stop}(\star, 1)
\cr
&\enspace
\colorbox{bae6fd}{$
\texttt{wait}\_{(i, 2)} \forall j.\ x\_{ji} \neq \bot
$}
\cr
&\enspace
x_i \gets \sum_j x\_{ji}, \enspace F \gets \sum_j Z\_{ji} + \sum_j F_j
\cr
&\enspace
\texttt{if } x_i \cdot G \neq F(i):
\cr
&\enspace\enspace
\texttt{stop}(\star, 2)
\cr
&\enspace
\texttt{return } (x_i, F(0))
\cr
\end{aligned}
}
}
\otimes
\begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^1_M$
}\cr
&\ldots\cr
\cr
&\underline{
\Rsh_k(S, m\_\bullet, 1):
}\cr
&\enspace
\forall j \in S.\ (Z\_{kj}, \pi\_{kj}) \gets m\_j
\cr
\cr
&\underline{
\Rsh_k(S, m\_\bullet, 2):
}\cr
&\enspace
\forall j \in S.\ x\_{kj} \gets m\_j
\cr
\cr
&\underline{
\Lsh_k(S, 1):
}\cr
&\enspace
\texttt{wait}\_{(k, 1)} \forall j \in S.\ Z\_{jk}, \pi\_{jk} \neq \bot
\cr
&\enspace
\texttt{return } [(Z\_{jk}, \pi\_{jk}) \mid j \in S]
\cr
\cr
&\underline{
\Lsh_k(S, 2):
}\cr
&\enspace
\texttt{wait}\_{(k, 2)} \forall j \in S.\ x\_{jk} \neq \bot
\cr
&\enspace
\texttt{return } [x\_{jk} \mid j \in S]
\cr
\end{aligned}
}
}\cr
\otimes\cr1(\ldots)
\end{matrix}
\cr
\circ
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{bae6fd}{\large
$F^0$
}\cr
\cr
&F_i, \text{com}\_{ij}, \text{open}\_{ij} \gets \bot\cr
&\texttt{pub } Z\_{ij}, \pi\_{ij}, x\_{ij} \gets \bot\cr
\cr
&\underline{
(1)\text{SetCommit}_i(F):
}\cr
&\enspace
F_i \gets F
\cr
\cr
&\underline{
\text{Commit}_i(S):
}\cr
&\enspace
\texttt{assert } F_i \neq \bot
\cr
&\enspace
\text{com}\_{ij} \gets \texttt{true}\ (\forall j \in S)
\cr
\cr
&\underline{
\text{WaitCommit}_i(S):
}\cr
&\enspace
\texttt{wait}\_{(i, 0)} \forall j \in S.\ \text{com}\_{ji}
\cr
\cr
&\underline{
\text{Open}_i(S):
}\cr
&\enspace
\texttt{assert } F_i \neq \bot
\cr
&\enspace
\text{open}\_{ij} \gets \texttt{true} (\forall j \in S)
\cr
\cr
&\underline{
\text{WaitOpen}_i(S):
}\cr
&\enspace
\text{wait}\_{(i, 2)} \forall j \in S.\ \text{open}\_{ji}
\cr
&\enspace
\texttt{return } F\_\bullet
\cr
\end{aligned}
}
}
\otimes
F[\text{ZK}(\varphi)] \otimes F[\text{SyncComm}] \circledcirc F[\text{Stop}]
\end{matrix} Γ H 1 ( 1 ) S e t M a s k i ( ) : f i $ { f i ∈ F q [ X ] _ ≤ t − 1 ∣ f i ( 0 ) = s i } F i ← f i ⋅ G S e t C o m m i t i ( F i ) C o m m i t i ( ⋆ ) W a i t M a s k i ( ) : W a i t C o m m i t i ( ⋆ ) S y n c i ( ⋆ , 0 ) ( 1 ) S h a r e i ( z i ) : O p e n i ( ⋆ ) Z i ← z i ⋅ G π i ← P r o v e i ( Z i ; z i ) Z _ ij ← Z i , π _ ij ← π i x _ ij ← z i + f i ( j ) W a i t S h a r e i ( ) : W a i t S y n c i ( ⋆ , 0 ) F _ ∙ ← W a i t O p e n i ( ⋆ ) wait _ ( i , 1 ) ∀ j . Z _ ji , π _ ji = ⊥ if ∃ j . d e g ( F j ) = t − 1 ∨ F j ( 0 ) = 0 ∨ ¬ V e r i f y ( π _ ji , Z _ ji ) : stop ( ⋆ , 1 ) wait _ ( i , 2 ) ∀ j . x _ ji = ⊥ x i ← j ∑ x _ ji , F ← j ∑ Z _ ji + j ∑ F j if x i ⋅ G = F ( i ) : stop ( ⋆ , 2 ) return ( x i , F ( 0 )) ⊗ Γ M 1 … ↱ k ( S , m _ ∙ , 1 ) : ∀ j ∈ S . ( Z _ kj , π _ kj ) ← m _ j ↱ k ( S , m _ ∙ , 2 ) : ∀ j ∈ S . x _ kj ← m _ j ↰ k ( S , 1 ) : wait _ ( k , 1 ) ∀ j ∈ S . Z _ jk , π _ jk = ⊥ return [( Z _ jk , π _ jk ) ∣ j ∈ S ] ↰ k ( S , 2 ) : wait _ ( k , 2 ) ∀ j ∈ S . x _ jk = ⊥ return [ x _ jk ∣ j ∈ S ] ⊗ 1 ( … ) ∘ F 0 F i , c o m _ ij , o p e n _ ij ← ⊥ pub Z _ ij , π _ ij , x _ ij ← ⊥ ( 1 ) S e t C o m m i t i ( F ) : F i ← F C o m m i t i ( S ) : assert F i = ⊥ c o m _ ij ← true ( ∀ j ∈ S ) W a i t C o m m i t i ( S ) : wait _ ( i , 0 ) ∀ j ∈ S . c o m _ ji O p e n i ( S ) : assert F i = ⊥ o p e n _ ij ← true ( ∀ j ∈ S ) W a i t O p e n i ( S ) : w a i t _ ( i , 2 ) ∀ j ∈ S . o p e n _ ji return F _ ∙ ⊗ F [ Z K ( φ )] ⊗ F [ S y n c C o m m ] ⊚ F [ S t o p ] By stopping inside Γ M \Gamma_M Γ M
Γ H 2 WaitMask i ( ) : ‾ … wait _ ( i , 1 ) ∀ j . Z _ j i , π _ j i ≠ ⊥ wait _ ( i , 1 ) ∀ j . x _ j i ≠ ⊥ if ∃ j . deg ( F j ) ≠ t − 1 ∨ F j ( 0 ) ≠ 0 ∨ ¬ Verify ( π _ j i , Z _ j i ) : stop ( ⋆ , 1 ) … ⊗ Γ M 2 … F k , μ [ ∙ ] ← ⊥ ( 1 ) SetCommit k ( F ) : ‾ F k ← F SetCommit k ( F ) Prove k ( Z ; z ) : ‾ π ← Prove k ( B ; b ) μ [ π ] ← Z return π ↱ k ( S , m _ ∙ , 1 ) : ‾ for j ∈ S ∩ H : ( Z j , π j ) ← m j if deg ( F k ) ≠ t − 1 ∨ F k ( 0 ) ≠ 0 ∨ μ [ π ] ≠ Z j stop ( { j } , 1 ) ∀ j ∈ S . ( Z _ k j , π _ k j ) ← m _ j ⊗ 1 ( … ) ∘ F 0 ⊗ F [ ZK ( φ ) ] ⊗ F [ SyncComm ] ⊚ F [ Stop ] \begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^2_H$
}\cr
\cr
&\underline{
\text{WaitMask}_i():
}\cr
&\enspace
\ldots
\cr
&\enspace
\texttt{wait}\_{(i, 1)} \forall j.\ Z\_{ji}, \pi\_{ji} \neq \bot
\cr
&\enspace
\colorbox{bae6fd}{$
\texttt{wait}\_{(i, 1)} \forall j.\ x\_{ji} \neq \bot
$}
\cr
&\enspace
\texttt{if } \exists j.\ \text{deg}(F_j) \neq t - 1 \lor F_j(0) \neq 0 \lor \neg \text{Verify}(\pi\_{ji}, Z\_{ji}):
\cr
&\enspace\enspace
\texttt{stop}(\star, 1)
\cr
&\enspace
\ldots
\cr
\end{aligned}
}
}
\otimes
\begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^2_M$
}\cr
&\ldots\cr
&\colorbox{bae6fd}{$
F_k, \mu[\bullet] \gets \bot
$}\cr
\cr
&\underline{
(1)\text{SetCommit}_k(F):
}\cr
&\enspace
\colorbox{bae6fd}{$
F_k \gets F
$}
\cr
&\enspace
\text{SetCommit}_k(F)
\cr
\cr
&\underline{
\text{Prove}_k(Z;z):
}\cr
&\enspace
\colorbox{bae6fd}{$
\pi \gets \text{Prove}_k(B;b)
$}
\cr
&\enspace
\colorbox{bae6fd}{$
\mu[\pi] \gets Z
$}
\cr
&\enspace
\texttt{return } \pi
\cr
\cr
&\underline{
\Rsh_k(S, m\_\bullet, 1):
}\cr
&\enspace
\colorbox{bae6fd}{$
\texttt{for } j \in S \cap \mathcal{H}:
$}
\cr
&\enspace\enspace
\colorbox{bae6fd}{$
(Z_j, \pi_j) \gets m_j
$}
\cr
&\enspace\enspace
\colorbox{bae6fd}{$
\texttt{if } \text{deg}(F_k) \neq t - 1 \lor F_k(0) \neq 0 \lor \mu[\pi] \neq Z_j
$}
\cr
&\enspace\enspace\enspace
\colorbox{bae6fd}{$
\texttt{stop}(\{j\}, 1)
$}
\cr
&\enspace
\forall j \in S.\ (Z\_{kj}, \pi\_{kj}) \gets m\_j
\cr
\end{aligned}
}
}\cr
\otimes\cr
1(\ldots)
\end{matrix}
\cr
\circ
\cr
F^0
\otimes
F[\text{ZK}(\varphi)] \otimes F[\text{SyncComm}] \circledcirc F[\text{Stop}]
\end{matrix} Γ H 2 W a i t M a s k i ( ) : … wait _ ( i , 1 ) ∀ j . Z _ ji , π _ ji = ⊥ wait _ ( i , 1 ) ∀ j . x _ ji = ⊥ if ∃ j . d e g ( F j ) = t − 1 ∨ F j ( 0 ) = 0 ∨ ¬ V e r i f y ( π _ ji , Z _ ji ) : stop ( ⋆ , 1 ) … ⊗ Γ M 2 … F k , μ [ ∙ ] ← ⊥ ( 1 ) S e t C o m m i t k ( F ) : F k ← F S e t C o m m i t k ( F ) P r o v e k ( Z ; z ) : π ← P r o v e k ( B ; b ) μ [ π ] ← Z return π ↱ k ( S , m _ ∙ , 1 ) : for j ∈ S ∩ H : ( Z j , π j ) ← m j if d e g ( F k ) = t − 1 ∨ F k ( 0 ) = 0 ∨ μ [ π ] = Z j stop ({ j } , 1 ) ∀ j ∈ S . ( Z _ kj , π _ kj ) ← m _ j ⊗ 1 ( … ) ∘ F 0 ⊗ F [ Z K ( φ )] ⊗ F [ S y n c C o m m ] ⊚ F [ S t o p ] Next, make it so that we open 3 things at once.
$$\begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^4_H$
}\cr
\cr
&\underline{
(1)\text{SetMask}_i():
}\cr
&\enspace
f_i \xleftarrow{\$} \{ f_i \in \mathbb{F}_q[X]\_{\leq t - 1} \mid f_i(0) = s_i \\}
\cr
&\enspace
F_i \gets f_i \cdot G
\cr
&\enspace
\text{SetCommit}_i(F_i)
\cr
&\enspace
\text{Commit}_i(\star)
\cr
\cr
&\underline{
\text{WaitMask}_i():
}\cr
&\enspace
\text{WaitCommit}_i(\star)
\cr
&\enspace
\text{Sync}_i(\star, 0)
\cr
\cr
&\underline{
(1)\text{Share}_i(z_i):
}\cr
&\enspace
Z_i \gets z_i \cdot G
\cr
&\enspace
\pi_i \gets \text{Prove}_i(Z_i; z_i)
\cr
&\enspace
\colorbox{bae6fd}{$
\text{Open}_i(\star, Z_i, \pi_i, z_i + f_i(j))
$}
\cr
\cr
&\underline{
\text{WaitShare}_i():
}\cr
&\enspace
\text{WaitSync}_i(\star, 0)
\cr
&\enspace
\colorbox{bae6fd}{$
(F\_\bullet, Z\_\bullet, \pi\_\bullet, x\_\bullet) \gets \text{WaitOpen}_i(\star)
$}
\cr
&\enspace
\texttt{if } \exists j.\ \text{deg}(F_j) \neq t - 1 \lor F_j(0) \neq 0 \lor \neg \text{Verify}(\pi\_{ji}, Z\_{ji}):
\cr
&\enspace\enspace
\texttt{stop}(\star, 1)
\cr
&\enspace
x_i \gets \sum_j x\_{ji}, \enspace F \gets \sum_j Z\_{ji} + \sum_j F_j
\cr
&\enspace
\texttt{if } x_i \cdot G \neq F(i):
\cr
&\enspace\enspace
\texttt{stop}(\star, 1)
\cr
&\enspace
\texttt{return } (x_i, F(0))
\cr
\cr
\end{aligned}
}
}
\otimes
\begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{bae6fd}{\large
$\Gamma^4_M$
}\cr
\cr
&\mu[\bullet], \text{open}\_{kj}, \text{sync}\_{kj}, Z\_{kj}, \pi\_{kj}, x\_{kj} \gets \bot\cr
\cr
&\underline{
(1)\text{SetCommit}_k(F):
}\cr
&\enspace
F_k \gets F
\cr
&\enspace
\text{SetCommit}_k(F)
\cr
\cr
&\underline{
(1)\text{Prove}_k(Z;z):
}\cr
&\enspace
\pi \gets \text{Prove}_k(Z;z)
\cr
&\enspace
\mu[Z] \gets z
\cr
&\enspace
\texttt{return } \pi
\cr
\cr
&\underline{
\Rsh_k(S, m\_\bullet, 1):
}\cr
&\enspace
\texttt{for } j \in S \cap \mathcal{H}:
\cr
&\enspace\enspace
\colorbox{bae6fd}{$
(Z_j, \pi_j) \gets m_j
$}
\cr
&\enspace\enspace
\colorbox{bae6fd}{$
\texttt{if } \text{deg}(F_k) \neq t - 1 \lor F_k(0) \neq 0 \lor \mu[\pi] \neq Z_j
$}
\cr
&\enspace\enspace\enspace
\colorbox{bae6fd}{$
\texttt{stop}(\{j\}, 1)
$}
\cr
&\enspace
\forall j \in S.\ (Z\_{kj}, \pi\_{kj}) \gets m\_j
\cr
&\enspace
\text{Open?}_k()
\cr
\cr
&\underline{
\Rsh_k(S, m\_\bullet, 2):
}\cr
&\enspace
\forall j \in S.\ x\_{kj} \gets m\_j
\cr
&\enspace
\text{Open?}_k()
\cr
\cr
&\underline{
\Lsh_k(S, 1):
}\cr
&\enspace
(\forall j \in \mathcal{H})\ (\bullet, Z\_{jk}, \pi\_{j k}, \bullet) \gets \texttt{nowait } \text{WaitOpen}\_k(\{j\})
\cr
&\enspace
\texttt{wait}\_{(k, 3)} \forall j \in S.\ Z\_{jk}, \pi\_{jk} \neq \bot
\cr
&\enspace
\texttt{return } [(Z\_{jk}, \pi\_{jk}) \mid j \in S]
\cr
\cr
&\underline{
\Lsh_k(S, 2):
}\cr
&\enspace
(\forall j \in \mathcal{H})\ (\bullet, \bullet, \bullet, x\_{j k}) \gets \texttt{nowait } \text{WaitOpen}\_k(\{j\})
\cr
&\enspace
\texttt{wait}\_{(k, 3)} \forall j \in S.\ x\_{jk} \neq \bot
\cr
&\enspace
\texttt{return } [x\_{jk} \mid j \in S]
\cr
\cr
&\underline{
\text{Sync}_k(S):
}\cr
&\enspace
\forall j \in S.\ \text{sync}\_{kj} \gets \texttt{true}
\cr
&\enspace
\text{Open?}_k()
\cr
\cr
&\underline{
\text{WaitSync}_k(S):
}\cr
&\enspace
o\_{kj} \gets \texttt{nowait } \text{WaitOpen}_k(\{j\})\ (j \in S \cap \mathcal{H})
\cr
&\enspace
o\_{kj} \gets \text{sync}\_{kj}\ (j \in S \cap \mathcal{M})
\cr
&\enspace
\texttt{wait}\_{(k, 1)} \forall j \in S.\ o\_{kj}
\cr
\cr
&\underline{
\text{Open}_k(S):
}\cr
&\enspace
\text{open}\_{kj} \gets \texttt{true}\ (\forall j \in S)
\cr
&\enspace
\text{Open?}_k()
\cr
\cr
&\underline{
\text{WaitOpen}_k(S):
}\cr
&\enspace
(F_j, \bullet, \bullet, \bullet) \gets \text{WaitOpen}_k(S \cap \mathcal{H})\ (j \in S \cap \mathcal{H})
\cr
&\enspace
\texttt{wait}\_{(k, 1)} \forall j \in S \cap \mathcal{M}.\ \text{open}\_{kj}
\cr
&\enspace
\texttt{return } [F_j \mid j \in S]
\cr
\cr
&\underline{
\text{Open?}_k():
}\cr
&\enspace
\texttt{for } j \in \mathcal{H}.\ \text{open}\_{kj}, \text{sync}\_{kj}, Z\_{kj}, \pi\_{kj}, x\_{kj} \neq \bot:
\cr
&\enspace\enspace
\text{Open}_i(\{j\}, Z\_{kj}, \pi\_{kj}, x\_{kj})
\cr
\cr
\ldots
\end{aligned}
}
}\cr
\otimes\cr1(\ldots)
\end{matrix}
\cr
\circ
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$F^1$
}\cr
\cr
&F_i, \text{com}\_{ij}, \text{open}\_{ij} \gets \bot\cr
&Z\_{ij}, \pi\_{ij}, x\_{ij} \gets \bot\cr
\cr
&\ldots\cr
\cr
&\colorbox{bae6fd}{$
\underline{
\text{Open}_i(S, Z\_\bullet, \pi\_\bullet, x\_\bullet):
}$}\cr
&\enspace
\texttt{assert } F_i \neq \bot
\cr
&\enspace
\text{open}\_{ij} \gets \texttt{true} (\forall j \in S)
\cr
&\enspace
\texttt{for } j \in S.\ Z\_{ij}, \pi\_{ij}, x\_{ij} = \bot:
\cr
&\enspace\enspace
Z\_{ij}, \pi\_{ij}, x\_{ij} \gets Z_j, \pi_j, x\_j
\cr
\cr
&\underline{
\text{WaitOpen}_i(S):
}\cr
&\enspace
\text{wait}\_{(i, 1)} \forall j \in S.\ \text{open}\_{ji}
\cr
&\enspace
\colorbox{bae6fd}{$
\texttt{return } (F\_\bullet, Z\_{\bullet i}, \pi\_{\bullet i}, x\_{\bullet i})
$}
\cr
\end{aligned}
}
}
\otimes
F[\text{ZK}(\varphi)] \circledcirc F[\text{Stop}]
\end{matrix}$$This is just a simulation of a protocol P 1 \mathscr{P}_1 P 1
Let's unroll again.
Γ H 5 ( 1 ) SetMask i ( ) : ‾ … ⊗ Γ M 5 = 1 ( Prove k , Verify , SetCommit k , WaitCommit k , Open k , WaitOpen k , stop ) ∘ F 1 ⊗ F [ ZK ( φ ) ] ⊚ F [ Stop ] \begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^5_H$
}\cr
\cr
&\underline{
(1)\text{SetMask}_i():
}\cr
&\enspace
\ldots
\cr
\end{aligned}
}
}
\otimes
\boxed{\colorbox{FBCFE8}{\large
$\Gamma^5_M$
} = 1
\begin{pmatrix}
\text{Prove}_k
,\cr
\text{Verify}
,\cr
\text{SetCommit}_k
,\cr
\text{WaitCommit}_k
,\cr
\text{Open}_k
,\cr
\text{WaitOpen}_k
,\cr
\texttt{stop}
\end{pmatrix}
}
\cr
\circ
\cr
F^1 \otimes F[\text{ZK}(\varphi)] \circledcirc F[\text{Stop}]
\end{matrix} Γ H 5 ( 1 ) S e t M a s k i ( ) : … ⊗ Γ M 5 = 1 P r o v e k , V e r i f y , S e t C o m m i t k , W a i t C o m m i t k , O p e n k , W a i t O p e n k , stop ∘ F 1 ⊗ F [ Z K ( φ )] ⊚ F [ S t o p ] Next, except with negligible probability, we can extract
a z i z_i z i
Γ H 6 ( 1 ) SetMask i ( ) : ‾ … ⊗ Γ M 6 … μ [ ∙ ] ← ⊥ ( 1 ) Prove k ( Z ; z ) : ‾ π ← Prove k ( Z ; z ) μ [ π ] ← z return π Open k ( S , Z _ ∙ , π _ ∙ , x _ ∙ ) : ‾ for j ∈ S ∩ H . μ [ π j ] ⋅ G ≠ Z j : stop ( { j } , 1 ) Open k ( S , Z _ ∙ , π _ ∙ , x _ ∙ ) ∘ F 1 ⊗ F [ ZK ( φ ) ] ⊚ F [ Stop ] \begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^6_H$
}\cr
\cr
&\underline{
(1)\text{SetMask}_i():
}\cr
&\enspace
\ldots
\cr
\end{aligned}
}
}
\otimes
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^6_M$
}\cr
&\ldots\cr
&\mu[\bullet] \gets \bot\cr
\cr
&\colorbox{bae6fd}{$
\underline{
(1)\text{Prove}_k(Z; z):
}$}\cr
&\enspace
\pi \gets \text{Prove}_k(Z; z)
\cr
&\enspace
\mu[\pi] \gets z
\cr
&\enspace
\texttt{return } \pi
\cr
\cr
&\underline{
\text{Open}_k(S, Z\_\bullet, \pi\_\bullet, x\_\bullet):
}\cr
&\enspace
\colorbox{bae6fd}{$
\texttt{for } j \in S \cap \mathcal{H}.\ \mu[\pi_j] \cdot G \neq Z_j:
$}
\cr
&\enspace\enspace
\colorbox{bae6fd}{$
\texttt{stop }(\{j\}, 1)
$}
\cr
&\enspace
\text{Open}_k(S, Z\_\bullet, \pi\_\bullet, x\_\bullet)
\cr
\end{aligned}
}
}
\cr
\circ
\cr
F^1 \otimes F[\text{ZK}(\varphi)] \circledcirc F[\text{Stop}]
\end{matrix} Γ H 6 ( 1 ) S e t M a s k i ( ) : … ⊗ Γ M 6 … μ [ ∙ ] ← ⊥ ( 1 ) P r o v e k ( Z ; z ) : π ← P r o v e k ( Z ; z ) μ [ π ] ← z return π O p e n k ( S , Z _ ∙ , π _ ∙ , x _ ∙ ) : for j ∈ S ∩ H . μ [ π j ] ⋅ G = Z j : stop ({ j } , 1 ) O p e n k ( S , Z _ ∙ , π _ ∙ , x _ ∙ ) ∘ F 1 ⊗ F [ Z K ( φ )] ⊚ F [ S t o p ] Now, we can get rid of the ZK proofs entirely,
by adding verification to the functionality itself.
Γ H 7 ( 1 ) Share i ( z i ) : ‾ … Open i ( ⋆ , z i , z i + f i ( ∙ ) ) WaitShare i ( ) : ‾ ( F _ ∙ , Z _ ∙ i , x _ ∙ i ) ← WaitOpen i ( ⋆ ) if ∃ j . deg ( F j ) ≠ t − 1 ∨ F j ( 0 ) ≠ 0 : … ⊗ Γ M 7 … π 1 , … , π n ← $ 01 λ F k , m _ i j , μ [ ∙ ] ← ⊥ ( 1 ) SetCommit k ( F ) : ‾ F k ← F SetCommit k ( F ) ( 1 ) Prove k ( B ; b ) : ‾ μ [ π k ] ← b return π k Open k ( S , Z _ ∙ , π _ ∙ , x _ ∙ ) : ‾ for j ∈ S ∩ H . μ [ π j ] ⋅ G ≠ Z _ j : stop ( { j } , 3 ) ∀ j ∈ S . m _ k j ← π j Open k ( S , μ [ π _ ∙ ] , x _ ∙ ) WaitOpen k ( S ) : ‾ ( F _ ∙ , Z _ ∙ k , x _ ∙ k ) ← WaitOpen i ( ⋆ ) ∀ j ∈ S ∩ H . m j ← π j ∀ j ∈ S ∩ M . m j ← m _ j k return ( F _ ∙ , Z _ ∙ k , m _ ∙ , x _ ∙ k ) ∘ F 2 F i , com _ i j , open _ i j ← ⊥ z _ i j , x _ i j ← ⊥ … Open i ( S , z _ ∙ , x _ ∙ ) : ‾ assert F i ≠ ⊥ open _ i j ← true ( ∀ j ∈ S ) for j ∈ S . z _ i j , x _ i j = ⊥ : z _ i j , x _ i j ← z j , x j WaitOpen i ( S ) : ‾ wait _ ( i , 2 ) ∀ j ∈ S . open _ j i return ( F _ ∙ , z _ ∙ i ⋅ G , x _ ∙ i ) ⊚ F [ Stop ] \begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^7_H$
}\cr
\cr
&\underline{
(1)\text{Share}_i(z_i):
}\cr
&\enspace
\ldots
\cr
&\enspace
\colorbox{bae6fd}{$
\text{Open}_i(\star, z_i, z_i + f_i(\bullet))
$}
\cr
\cr
&\underline{
\text{WaitShare}_i():
}\cr
&\enspace
\colorbox{bae6fd}{$
(F\_\bullet, Z\_{\bullet i}, x\_{\bullet i}) \gets \text{WaitOpen}_i(\star)
$}
\cr
&\enspace
\colorbox{bae6fd}{$
\texttt{if } \exists j.\ \text{deg}(F_j) \neq t - 1 \lor F_j(0) \neq 0:
$}
\cr
&\enspace
\ldots
\cr
\end{aligned}
}
}
\otimes
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^7_M$
}\cr
&\ldots\cr
&\colorbox{bae6fd}{$
\pi_1, \ldots, \pi_n \xleftarrow{\$} \texttt{01}^{\lambda}
$}\cr
&\colorbox{bae6fd}{$
F_k, m\_{ij}, \mu[\bullet] \gets \bot
$}\cr
\cr
&\colorbox{bae6fd}{$
\underline{
(1)\text{SetCommit}_k(F):
}$}\cr
&\enspace
F_k \gets F
\cr
&\enspace
\text{SetCommit}_k(F)
\cr
\cr
&\colorbox{bae6fd}{$
\underline{
(1)\text{Prove}_k(B; b):
}$}\cr
&\enspace
\mu[\pi_k] \gets b
\cr
&\enspace
\texttt{return } \pi_k
\cr
\cr
&\colorbox{bae6fd}{$
\underline{
\text{Open}_k(S, Z\_\bullet, \pi\_\bullet, x\_\bullet):
}$}\cr
&\enspace
\texttt{for } j \in S \cap \mathcal{H}.\ \mu[\pi_j] \cdot G \neq Z\_j:
\cr
&\enspace\enspace
\texttt{stop }(\{j\}, 3)
\cr
&\enspace
\forall j \in S.\ m\_{kj} \gets \pi_j
\cr
&\enspace
\text{Open}_k(S, \mu[\pi\_\bullet], x\_\bullet)
\cr
\cr
&\colorbox{bae6fd}{$
\underline{
\text{WaitOpen}_k(S):
}$}\cr
&\enspace
(F\_\bullet, Z\_{\bullet k}, x\_{\bullet k}) \gets \text{WaitOpen}_i(\star)
\cr
&\enspace
\forall j \in S \cap \mathcal{H}.\ m_j \gets \pi_j
\cr
&\enspace
\forall j \in S \cap \mathcal{M}.\ m_j \gets m\_{j k}
\cr
&\enspace
\texttt{return } (F\_\bullet, Z\_{\bullet k}, m\_\bullet, x\_{\bullet k})
\cr
\end{aligned}
}
}
\cr
\circ
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$F^2$
}\cr
\cr
&F_i, \text{com}\_{ij}, \text{open}\_{ij} \gets \bot\cr
&z\_{ij}, x\_{ij} \gets \bot\cr
\cr
&\ldots\cr
\cr
&\colorbox{bae6fd}{$
\underline{
\text{Open}_i(S, z\_\bullet, x\_\bullet):
}$}\cr
&\enspace
\texttt{assert } F_i \neq \bot
\cr
&\enspace
\text{open}\_{ij} \gets \texttt{true} (\forall j \in S)
\cr
&\enspace
\texttt{for } j \in S.\ z\_{ij}, x\_{ij} = \bot:
\cr
&\enspace\enspace
z\_{ij}, x\_{ij} \gets z_j, x_j
\cr
\cr
&\underline{
\text{WaitOpen}_i(S):
}\cr
&\enspace
\text{wait}\_{(i, 2)} \forall j \in S.\ \text{open}\_{ji}
\cr
&\enspace
\colorbox{bae6fd}{$
\texttt{return } (F\_\bullet, z\_{\bullet i } \cdot G, x\_{\bullet i})
$}
\cr
\end{aligned}
}
} \circledcirc F[\text{Stop}]
\end{matrix} Γ H 7 ( 1 ) S h a r e i ( z i ) : … O p e n i ( ⋆ , z i , z i + f i ( ∙ )) W a i t S h a r e i ( ) : ( F _ ∙ , Z _ ∙ i , x _ ∙ i ) ← W a i t O p e n i ( ⋆ ) if ∃ j . d e g ( F j ) = t − 1 ∨ F j ( 0 ) = 0 : … ⊗ Γ M 7 … π 1 , … , π n $ 01 λ F k , m _ ij , μ [ ∙ ] ← ⊥ ( 1 ) S e t C o m m i t k ( F ) : F k ← F S e t C o m m i t k ( F ) ( 1 ) P r o v e k ( B ; b ) : μ [ π k ] ← b return π k O p e n k ( S , Z _ ∙ , π _ ∙ , x _ ∙ ) : for j ∈ S ∩ H . μ [ π j ] ⋅ G = Z _ j : stop ({ j } , 3 ) ∀ j ∈ S . m _ kj ← π j O p e n k ( S , μ [ π _ ∙ ] , x _ ∙ ) W a i t O p e n k ( S ) : ( F _ ∙ , Z _ ∙ k , x _ ∙ k ) ← W a i t O p e n i ( ⋆ ) ∀ j ∈ S ∩ H . m j ← π j ∀ j ∈ S ∩ M . m j ← m _ jk return ( F _ ∙ , Z _ ∙ k , m _ ∙ , x _ ∙ k ) ∘ F 2 F i , c o m _ ij , o p e n _ ij ← ⊥ z _ ij , x _ ij ← ⊥ … O p e n i ( S , z _ ∙ , x _ ∙ ) : assert F i = ⊥ o p e n _ ij ← true ( ∀ j ∈ S ) for j ∈ S . z _ ij , x _ ij = ⊥ : z _ ij , x _ ij ← z j , x j W a i t O p e n i ( S ) : w a i t _ ( i , 2 ) ∀ j ∈ S . o p e n _ ji return ( F _ ∙ , z _ ∙ i ⋅ G , x _ ∙ i ) ⊚ F [ S t o p ] At this point, we're simulating a protocol P 2 \mathscr{P}^2 P 2
Γ H 8 ( 1 ) SetMask i ( ) : ‾ … ⊗ Γ M 8 = 1 ( SetCommit k , Commit k , WaitCommit k , Open k , WaitOpen k , stop ) ∘ F 2 ⊚ F [ Stop ] \begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^8_H$
}\cr
\cr
&\underline{
(1)\text{SetMask}_i():
}\cr
&\enspace
\ldots
\cr
\end{aligned}
}
}
\otimes
\boxed{\colorbox{FBCFE8}{\large
$\Gamma^8_M$
} = 1
\begin{pmatrix}
\text{SetCommit}_k
,\cr
\text{Commit}_k
,\cr
\text{WaitCommit}_k
,\cr
\text{Open}_k
,\cr
\text{WaitOpen}_k
,\cr
\texttt{stop}
\end{pmatrix}
}
\cr
\circ
\cr
F^2 \circledcirc F[\text{Stop}]
\end{matrix} Γ H 8 ( 1 ) S e t M a s k i ( ) : … ⊗ Γ M 8 = 1 S e t C o m m i t k , C o m m i t k , W a i t C o m m i t k , O p e n k , W a i t O p e n k , stop ∘ F 2 ⊚ F [ S t o p ] From this point, we can jump directly to our desired protocol.
P i ( 1 ) SetMask i ( ) : ‾ SetMask i ( ⋆ ) WaitMask i ( ) : ‾ WaitMask i ( ⋆ , true ) ( 1 ) Share i ( z ) : ‾ Share i ( ⋆ , z ) WaitShare i ( ) : ‾ return WaitShare i ( true ) ⊗ S left ← H bad k , sampled i ← false F m , F i , α _ i k ← ⊥ ( 1 ) SetCommit k ( F ) : ‾ F k ← F bad k ← deg ( F ) ≠ t − 1 ∨ F ( 0 ) ≠ 0 if ∀ k ∈ M . F k ≠ ⊥ ∧ F h = ⊥ : F m ← ∑ k F k Cheat ( F m ) Commit k ( S ) : ‾ assert F k ≠ ⊥ SetMask k ( S ) WaitCommit k ( S ) : ‾ WaitMask k ( S , false ) Open k ( S , z _ ∙ , x _ ∙ ) : ‾ if bad k : stop ( S ∩ H , 1 ) for j ∈ S ∩ H . ∀ k . x _ k j ≠ ⊥ ∧ ∑ k x _ k j ⋅ G ≠ F m ( j ) : stop ( { j } , 1 ) Share ( S , z _ ∙ ) CheatShare ( S , x _ ∙ ) WaitOpen k ( S ) : ‾ r j ← ( F j , z _ k j ⋅ G , x _ k j ) ( j ∈ S ∩ M ) r j ← Sim k ( j ) ( j ∈ S ∩ H ) return [ r j ∣ j ∈ S ] Sim k ( j ) : ‾ wait _ ( k , 1 ) Z k ( j ) ≠ ⊥ left ← left / { j } if ∣ left ∣ = 0 : Z ← ∑ _ i ∈ H Z k ( i ) F ← F h ( ) − ∑ _ i ∈ H / { j } F j x k ← WaitShare k ( false ) − ∑ _ i ∈ H / { j } α _ i k else : ( Z , F , x _ ∙ ) ← Sample k ( ) return ( Z , F ( k ) , x k ) Sample k ( j ) ‾ if ¬ sampled j : sampled j ← true Z j ← Z k ( j ) f ← $ F q [ X ] _ ≤ t − 1 F j ← f ⋅ G F j ( 0 ) ← 0 α _ j k ← $ F q ( ∀ k ∈ M ) F j ( k ) ← α _ j k ⋅ G − Z j ( ∀ k ∈ M ) return ( Z j , F j , α _ j ∙ ) … ∘ F [ Convert ] ⊚ F [ Stop ] \begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\underline{
(1)\text{SetMask}_i():
}\cr
&\enspace
\text{SetMask}_i(\star)
\cr
\cr
&\underline{
\text{WaitMask}_i():
}\cr
&\enspace
\text{WaitMask}_i(\star, \texttt{true})
\cr
\cr
&\underline{
(1)\text{Share}_i(z):
}\cr
&\enspace
\text{Share}_i(\star, z)
\cr
\cr
&\underline{
\text{WaitShare}_i():
}\cr
&\enspace
\texttt{return } \text{WaitShare}_i(\texttt{true})
\cr
\end{aligned}
}
}
\otimes
\boxed{
\small{
\begin{aligned}
&\colorbox{bae6fd}{\large
$S$
}\cr
\cr
&\text{left} \gets \mathcal{H}\cr
&\text{bad}_k, \text{sampled}_i \gets \texttt{false}\cr
&F^m, F_i, \alpha\_{ik} \gets \bot\cr
\cr
&\underline{
(1)\text{SetCommit}_k(F):
}\cr
&\enspace
F_k \gets F
\cr
&\enspace
\text{bad}_k \gets \text{deg}(F) \neq t - 1 \lor F(0) \neq 0
\cr
&\enspace
\texttt{if } \forall k \in \mathcal{M}.\ F_k \neq \bot \land F^h = \bot:
\cr
&\enspace\enspace
F^m \gets \sum_k F_k
\cr
&\enspace\enspace
\text{Cheat}(F^m)
\cr
\cr
&\underline{
\text{Commit}_k(S):
}\cr
&\enspace
\texttt{assert } F_k \neq \bot
\cr
&\enspace
\text{SetMask}_k(S)
\cr
\cr
&\underline{
\text{WaitCommit}_k(S):
}\cr
&\enspace
\text{WaitMask}_k(S, \texttt{false})
\cr
\cr
&\underline{
\text{Open}_k(S, z\_\bullet, x\_\bullet):
}\cr
&\enspace
\texttt{if } \text{bad}_k:\ \texttt{stop}(S \cap \mathcal{H}, 1)
\cr
&\enspace
\texttt{for } j \in S \cap \mathcal{H}.\ \forall k.\ x\_{kj} \neq \bot \land \sum_k x\_{kj} \cdot G \neq F^m(j):
\cr
&\enspace\enspace
\texttt{stop}(\{j\}, 1)
\cr
&\enspace
\text{Share}(S, z\_\bullet)
\cr
&\enspace
\text{CheatShare}(S, x\_\bullet)
\cr
\cr
&\underline{
\text{WaitOpen}_k(S):
}\cr
&\enspace
r_j \gets (F_j, z\_{kj} \cdot G, x\_{kj})\ (j \in S \cap \mathcal{M})
\cr
&\enspace
r_j \gets \text{Sim}_k(j)\ (j \in S \cap \mathcal{H})
\cr
&\enspace
\texttt{return } [r_j \mid j \in S]
\cr
\cr
&\underline{
\text{Sim}_k(j):
}\cr
&\enspace
\texttt{wait}\_{(k, 1)} \text{Z}_k(j) \neq \bot
\cr
&\enspace
\text{left} \gets \text{left} / \{j\}
\cr
&\enspace
\texttt{if } |\text{left}| = 0:
\cr
&\enspace\enspace
Z \gets \sum\_{i \in \mathcal{H}} \text{Z}_k(i)
\cr
&\enspace\enspace
F \gets \text{F}^h() - \sum\_{i \in \mathcal{H} / \{j\}} F_j
\cr
&\enspace\enspace
x_k \gets \text{WaitShare}_k(\texttt{false}) - \sum\_{i \in \mathcal{H} / \{j \}} \alpha\_{ik}
\cr
&\enspace
\texttt{else}:
\cr
&\enspace\enspace
(Z, F, x\_\bullet) \gets \text{Sample}_k()
\cr
&\enspace
\texttt{return } (Z, F(k), x_k)
\cr
\cr
&\underline{
\text{Sample}_k(j)
}\cr
&\enspace
\texttt{if } \neg \text{sampled}_j:
\cr
&\enspace\enspace
\text{sampled}_j \gets \texttt{true}
\cr
&\enspace\enspace
Z_j \gets \text{Z}_k(j)
\cr
&\enspace\enspace
f \xleftarrow{\$} \mathbb{F}_q[X]\_{\leq t - 1}
\cr
&\enspace\enspace
F_j \gets f \cdot G
\cr
&\enspace\enspace
F_j(0) \gets 0
\cr
&\enspace\enspace
\alpha\_{jk} \xleftarrow{\$} \mathbb{F}_q \ (\forall k \in \mathcal{M})
\cr
&\enspace\enspace
F_j(k) \gets \alpha\_{jk} \cdot G - Z_j\ (\forall k \in \mathcal{M})
\cr
&\enspace
\texttt{return } (Z_j, F_j, \alpha\_{j \bullet})
\cr
\cr
&\ldots
\end{aligned}
}
}
\cr
\circ
\cr
F[\text{Convert}] \circledcirc F[\text{Stop}]
\end{matrix} P i ( 1 ) S e t M a s k i ( ) : S e t M a s k i ( ⋆ ) W a i t M a s k i ( ) : W a i t M a s k i ( ⋆ , true ) ( 1 ) S h a r e i ( z ) : S h a r e i ( ⋆ , z ) W a i t S h a r e i ( ) : return W a i t S h a r e i ( true ) ⊗ S l e f t ← H b a d k , s a m p l e d i ← false F m , F i , α _ ik ← ⊥ ( 1 ) S e t C o m m i t k ( F ) : F k ← F b a d k ← d e g ( F ) = t − 1 ∨ F ( 0 ) = 0 if ∀ k ∈ M . F k = ⊥ ∧ F h = ⊥ : F m ← k ∑ F k C h e a t ( F m ) C o m m i t k ( S ) : assert F k = ⊥ S e t M a s k k ( S ) W a i t C o m m i t k ( S ) : W a i t M a s k k ( S , false ) O p e n k ( S , z _ ∙ , x _ ∙ ) : if b a d k : stop ( S ∩ H , 1 ) for j ∈ S ∩ H . ∀ k . x _ kj = ⊥ ∧ k ∑ x _ kj ⋅ G = F m ( j ) : stop ({ j } , 1 ) S h a r e ( S , z _ ∙ ) C h e a t S h a r e ( S , x _ ∙ ) W a i t O p e n k ( S ) : r j ← ( F j , z _ kj ⋅ G , x _ kj ) ( j ∈ S ∩ M ) r j ← S i m k ( j ) ( j ∈ S ∩ H ) return [ r j ∣ j ∈ S ] S i m k ( j ) : wait _ ( k , 1 ) Z k ( j ) = ⊥ l e f t ← l e f t / { j } if ∣ l e f t ∣ = 0 : Z ← ∑ _ i ∈ H Z k ( i ) F ← F h ( ) − ∑ _ i ∈ H / { j } F j x k ← W a i t S h a r e k ( false ) − ∑ _ i ∈ H / { j } α _ ik else : ( Z , F , x _ ∙ ) ← S a m p l e k ( ) return ( Z , F ( k ) , x k ) S a m p l e k ( j ) if ¬ s a m p l e d j : s a m p l e d j ← true Z j ← Z k ( j ) f $ F q [ X ] _ ≤ t − 1 F j ← f ⋅ G F j ( 0 ) ← 0 α _ jk $ F q ( ∀ k ∈ M ) F j ( k ) ← α _ jk ⋅ G − Z j ( ∀ k ∈ M ) return ( Z j , F j , α _ j ∙ ) … ∘ F [ C o n v e r t ] ⊚ F [ S t o p ] The main trick used in the simulator here is that all of the shares
of the honest parties, save one, can be completely random.
All we need to do is ensure
that the sum of the honest parties shares corresponds to the
honest part generated by the ideal functionality.
■ \blacksquare ■
Sharing
Next we look at key sharing, which is like conversion,
except that we know our share from the very start of the protocol,
allowing us to commit to it, and thus provide stronger guarantees.
We also look at a "split" version, where each phase of the protocol
has its own function.
Definition: (Key Sharing)
$$\boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}[\text{SplitShare}]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\underline{
(1)\text{Set}_i(z):
}\cr
&\enspace
f_i \xleftarrow{\$} \{ f_i \in \mathbb{F}_q[X]\_{\leq t - 1} \mid f_i(0) = z \\}
\cr
&\enspace
F_i \gets f_i \cdot G
\cr
&\enspace
\text{SetCommit}_i(F_i)
\cr
&\enspace
\text{Commit}_i()
\cr
\cr
&\underline{
\text{WaitSet}_i():
}\cr
&\enspace
\text{WaitCommit}_i()
\cr
\cr
&\underline{
\text{Share}_i():
}\cr
&\enspace
\text{Open}_i()
\cr
&\enspace
\pi_i \gets \text{Prove}_i^\varphi(F_i(0); z_i)
\cr
&\enspace
\Rsh_i(\star, \pi_i, 0)
\cr
&\enspace
\Rsh_i(\star, [f_i(j) \mid j \in [n]], 1)
\cr
\cr
&\underline{
\text{WaitShare}_i():
}\cr
&\enspace
F\_\bullet \gets \text{WaitOpen}_i()
\cr
&\enspace
\pi\_{\bullet i} \gets \Lsh_i(\star, 1)
\cr
&\enspace
\texttt{if } \exists j.\ \neg \text{Verify}^\varphi(\pi\_{ji}, F_j(0))
\cr
&\enspace\enspace
\texttt{stop}(\star, 0)
\cr
&\enspace
x\_{\bullet i} \gets \Lsh_i(\star, 1)
\cr
&\enspace
x_i \gets \sum_j x\_{ji}, \enspace F \gets \sum_j F_j(0)
\cr
&\enspace
\texttt{if } \exists j.\ \text{deg}(F_j) \neq t - 1 \lor x_i \cdot G \neq F(i):
\cr
&\enspace\enspace
\texttt{stop}(\star, 3)
\cr
&\enspace
\texttt{return } (x_i, F(0))
\cr
\end{aligned}
}
}
\quad
\begin{matrix}
F[\text{SyncComm}]\cr
\circledcirc \cr
F[\text{Stop}]
\end{matrix}\cr
\cr
\text{Leakage} := \{\texttt{stop}\}
\end{matrix}
}
\lhd \mathscr{P}[\text{Commit}]$$□ \square □
This protocol is basically the same as conversion, just with an earlier
secret value.
Thus, the ideal protocol it implements is going to look quite similar:
Definition: (Ideal Key Sharing)
P [ IdealSplitShare ] P i ( 1 ) Set i ( z ) : ‾ Set i ( ⋆ , z , ⊥ ) WaitSet i ( ) : ‾ WaitSet i ( ⋆ , true ) ( 1 ) Share i ( ) : ‾ Share i ( ⋆ ) WaitShare i ( ) : ‾ return WaitShare i ( true ) F [ SplitShare ] f h ← $ { f ∈ F q [ X ] _ ≤ t − 1 ∣ f ( 0 ) = 0 } F m , ready _ i j , z _ i j , x j ← ⊥ Set i ( S , z , Z ) : ‾ ready _ i j ← true ( ∀ j ∈ S ) assert z ≠ ⊥ ∨ Z ≠ ⊥ if z i , Z i = ⊥ ∧ z ≠ ⊥ : z i ← z , Z i ← z i ⋅ G if Z i = ⊥ ∧ z = ⊥ = : Z i ← Z ( 1 ) Cheat ( F ) : ‾ assert ∀ i j . ready _ i j ∧ F ( 0 ) = 0 ∧ deg ( F ) = t − 1 F m ← F WaitSet i ( S , m ) : ‾ wait _ ( i , 0 ) ∀ j ∈ S . ready _ j i ∧ ( m → F m ≠ ⊥ ) Share i ( S , z ) : ‾ assert Z i ≠ ⊥ if z i = ⊥ : assert z ⋅ G = Z i z i ← z CheatShare ( S , x ^ _ ∙ ) : ‾ assert F m ≠ ⊥ ∧ ∀ j ∈ S . x ^ j ⋅ G = F m ( j ) for j . x j = ⊥ : x j ← x ^ j WaitShare i ( h ) : ‾ if h : wait _ ( i , 1 ) x i ≠ ⊥ ∧ ∀ j . ∧ z j ≠ ⊥ return ∑ _ j z j + f h ( i ) + x i else : wait _ ( i , 1 ) ∀ j ∈ H . z j ≠ ⊥ return ∑ _ j ∈ H z j + f h ( i ) Z ( i ) : ‾ return z i ⋅ G F h ( ) : ‾ wait F m ≠ ⊥ ∧ ∀ i . ∃ j . ready _ i j return f h ⋅ G ⊗ F [ Sync ] ⊚ F [ Stop ] Leakage : = { stop } \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}[\text{IdealSplitShare}]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\underline{
(1)\text{Set}_i(z):
}\cr
&\enspace
\text{Set}_i(\star, z, \bot)
\cr
\cr
&\underline{
\text{WaitSet}_i():
}\cr
&\enspace
\text{WaitSet}_i(\star, \texttt{true})
\cr
\cr
&\underline{
(1)\text{Share}_i():
}\cr
&\enspace
\text{Share}_i(\star)
\cr
\cr
&\underline{
\text{WaitShare}_i():
}\cr
&\enspace
\texttt{return } \text{WaitShare}_i(\texttt{true})
\cr
\end{aligned}
}
}
\quad
\begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$F[\text{SplitShare}]$
}\cr
\cr
&f^h \xleftarrow{\$} \{f \in \mathbb{F}_q[X]\_{\leq t - 1} \mid f(0) = 0\}\cr
&F^m, \text{ready}\_{ij}, z\_{ij}, x_j \gets \bot\cr
\cr
&\underline{
\text{Set}_i(S, z, Z):
}\cr
&\enspace
\text{ready}\_{ij} \gets \texttt{true}\ (\forall j \in S)
\cr
&\enspace
\texttt{assert } z \neq \bot \lor Z \neq \bot
\cr
&\enspace
\texttt{if } z_i, Z_i = \bot \land z \neq \bot:\ z_i \gets z, Z_i \gets z_i \cdot G
\cr
&\enspace
\texttt{if } Z_i = \bot \land z = \bot = :\ Z_i \gets Z
\cr
\cr
&\underline{
\textcolor{ef4444}{
(1)\text{Cheat}(F):
}
}\cr
&\enspace
\texttt{assert } \forall ij.\ \text{ready}\_{ij} \land F(0) = 0 \land \text{deg}(F) = t - 1
\cr
&\enspace
F^m \gets F
\cr
\cr
&\underline{
\text{WaitSet}_i(S, m):
}\cr
&\enspace
\texttt{wait}\_{(i, 0)} \forall j \in S.\ \text{ready}\_{ji} \land (m \to F^m \neq \bot)
\cr
\cr
&\underline{
\text{Share}_i(S, z):
}\cr
&\enspace
\texttt{assert } Z_i \neq \bot
\cr
&\enspace
\texttt{if } z_i = \bot:
\cr
&\enspace\enspace
\texttt{assert } z \cdot G = Z_i
\cr
&\enspace\enspace
z_i \gets z
\cr
\cr
&\underline{
\textcolor{ef4444}{
\text{CheatShare}(S, \hat{x}\_\bullet):
}
}\cr
&\enspace
\texttt{assert } F^m \neq \bot \land \forall j \in S.\ \hat{x}_j \cdot G = F^m(j)
\cr
&\enspace
\texttt{for } j. x_j = \bot: x_j \gets \hat{x}_j
\cr
\cr
&\underline{
\text{WaitShare}_i(h):
}\cr
&\enspace
\texttt{if } h:
\cr
&\enspace\enspace
\texttt{wait}\_{(i, 1)} x_i \neq \bot \land \forall j. \land z_j \neq \bot
\cr
&\enspace\enspace
\texttt{return } \sum\_j z_j + f^h(i) + x_i
\cr
&\enspace
\texttt{else}:
\cr
&\enspace\enspace
\texttt{wait}\_{(i, 1)} \forall j \in \mathcal{H}. z_j \neq \bot
\cr
&\enspace\enspace
\texttt{return } \sum\_{j \in \mathcal{H}} z_j + f^h(i)
\cr
&\underline{
\text{Z}(i):
}\cr
&\enspace
\texttt{return } z_i \cdot G
\cr
&\underline{
\textcolor{ef4444}{
\text{F}^h():
}
}\cr
&\enspace
\texttt{wait } F^m \neq \bot \land \forall i. \exists j. \text{ready}\_{ij}
\cr
&\enspace
\texttt{return } f^h \cdot G
\cr
\end{aligned}
}
}\cr
\otimes\cr
F[\text{Sync}]\cr
\circledcirc \cr
F[\text{Stop}]
\end{matrix}\cr
\cr
\text{Leakage} := \{\texttt{stop}\}
\end{matrix}
} P [ I d e a l S p l i t S h a r e ] P i ( 1 ) S e t i ( z ) : S e t i ( ⋆ , z , ⊥ ) W a i t S e t i ( ) : W a i t S e t i ( ⋆ , true ) ( 1 ) S h a r e i ( ) : S h a r e i ( ⋆ ) W a i t S h a r e i ( ) : return W a i t S h a r e i ( true ) F [ S p l i t S h a r e ] f h $ { f ∈ F q [ X ] _ ≤ t − 1 ∣ f ( 0 ) = 0 } F m , r e a d y _ ij , z _ ij , x j ← ⊥ S e t i ( S , z , Z ) : r e a d y _ ij ← true ( ∀ j ∈ S ) assert z = ⊥ ∨ Z = ⊥ if z i , Z i = ⊥ ∧ z = ⊥ : z i ← z , Z i ← z i ⋅ G if Z i = ⊥ ∧ z = ⊥ =: Z i ← Z ( 1 ) C h e a t ( F ) : assert ∀ ij . r e a d y _ ij ∧ F ( 0 ) = 0 ∧ d e g ( F ) = t − 1 F m ← F W a i t S e t i ( S , m ) : wait _ ( i , 0 ) ∀ j ∈ S . r e a d y _ ji ∧ ( m → F m = ⊥ ) S h a r e i ( S , z ) : assert Z i = ⊥ if z i = ⊥ : assert z ⋅ G = Z i z i ← z C h e a t S h a r e ( S , x ^ _ ∙ ) : assert F m = ⊥ ∧ ∀ j ∈ S . x ^ j ⋅ G = F m ( j ) for j . x j = ⊥ : x j ← x ^ j W a i t S h a r e i ( h ) : if h : wait _ ( i , 1 ) x i = ⊥ ∧ ∀ j . ∧ z j = ⊥ return ∑ _ j z j + f h ( i ) + x i else : wait _ ( i , 1 ) ∀ j ∈ H . z j = ⊥ return ∑ _ j ∈ H z j + f h ( i ) Z ( i ) : return z i ⋅ G F h ( ) : wait F m = ⊥ ∧ ∀ i . ∃ j . r e a d y _ ij return f h ⋅ G ⊗ F [ S y n c ] ⊚ F [ S t o p ] L e a k a g e := { stop } Lemma:
For some negligible ϵ \epsilon ϵ t − 1 t - 1 t − 1
P [ SplitShare ] ⇝ ϵ P [ IdealSplitShare ] \mathscr{P}[\text{SplitShare}] \overset{\epsilon}{\leadsto} \mathscr{P}[\text{IdealSplitShare}] P [ S p l i t S h a r e ] ⇝ ϵ P [ I d e a l S p l i t S h a r e ] Proof:
P [ SplitShare ] ⇝ P 0 ⊲ ( P [ Commit ] ⊗ P [ Convert ] ) \mathscr{P}[\text{SplitShare}] \leadsto \mathscr{P}^0 \lhd (\mathscr{P}[\text{Commit}] \otimes \mathscr{P}[\text{Convert}]) P [ S p l i t S h a r e ] ⇝ P 0 ⊲ ( P [ C o m m i t ] ⊗ P [ C o n v e r t ])
P i z i , Z i ← ⊥ ( 1 ) Set i ( z ) : ‾ SetMask i ( ) z i ← z , Z i ← z ⋅ G SetCommit i ( Z i ) Commit i ( ) WaitSet i ( ) : ‾ WaitMask i ( ) WaitCommit i ( ) Share i ( ) : ‾ Share i ( z i ) Open i ( ) WaitShare i ( ) : ‾ Z _ ∙ ← WaitOpen i ( ) x i ← WaitShare i ( ) if ∃ j . Z j ( i ) ≠ Z j : stop ( ⋆ , 1 ) return ( x i , ∑ j Z j ( i ) ) S ( 1 ) SetCommit i ′ ( F ) : ‾ SetCommit i ( F ( 0 ) ) SetCommit i ′ ( F − F ( 0 ) ) Open i ′ ( S ) : ‾ Open i ( S ) Open i ′ ( S ) … ∘ F [ Commit ] ⊗ F [ Commit ] ⊗ F [ ZK ( φ ) ] ⊗ F [ SyncComm ] ⊗ F [ Sync ] ⊚ F [ Stop ] \begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&z_i, Z_i \gets \bot\cr
\cr
&\underline{
(1)\text{Set}_i(z):
}\cr
&\enspace
\text{SetMask}_i()
\cr
&\enspace
z_i \gets z, Z_i \gets z \cdot G
\cr
&\enspace
\text{SetCommit}_i(Z_i)
\cr
&\enspace
\text{Commit}_i()
\cr
\cr
&\underline{
\text{WaitSet}_i():
}\cr
&\enspace
\text{WaitMask}_i()
\cr
&\enspace
\text{WaitCommit}_i()
\cr
\cr
&\underline{
\text{Share}_i():
}\cr
&\enspace
\text{Share}_i(z_i)
\cr
&\enspace
\text{Open}_i()
\cr
\cr
&\underline{
\text{WaitShare}_i():
}\cr
&\enspace
Z\_\bullet \gets \text{WaitOpen}_i()
\cr
&\enspace
x_i \gets \text{WaitShare}_i()
\cr
&\enspace
\texttt{if } \exists j.\ \text{Z}_j(i) \neq Z_j:
\cr
&\enspace\enspace
\texttt{stop}(\star, 1)
\cr
&\enspace
\texttt{return } (x_i, \sum_j \text{Z}_j(i))
\cr
\end{aligned}
}
}
\quad
\boxed{
\small{
\begin{aligned}
&\colorbox{bae6fd}{\large
$S$
}\cr
\cr
&\underline{
(1)\text{SetCommit}'_i(F):
}\cr
&\enspace
\text{SetCommit}_i(F(0))
\cr
&\enspace
\text{SetCommit}'_i(F - F(0))
\cr
\cr
&\underline{
\text{Open}'_i(S):
}\cr
&\enspace
\text{Open}_i(S)
\cr
&\enspace
\text{Open}'_i(S)
\cr
\cr
&\ldots
\end{aligned}
}
}
\cr
\circ\cr
F[\text{Commit}] \otimes F[\text{Commit}] \otimes F[\text{ZK}(\varphi)] \otimes F[\text{SyncComm}] \otimes F[\text{Sync}] \circledcirc F[\text{Stop}]
\end{matrix} P i z i , Z i ← ⊥ ( 1 ) S e t i ( z ) : S e t M a s k i ( ) z i ← z , Z i ← z ⋅ G S e t C o m m i t i ( Z i ) C o m m i t i ( ) W a i t S e t i ( ) : W a i t M a s k i ( ) W a i t C o m m i t i ( ) S h a r e i ( ) : S h a r e i ( z i ) O p e n i ( ) W a i t S h a r e i ( ) : Z _ ∙ ← W a i t O p e n i ( ) x i ← W a i t S h a r e i ( ) if ∃ j . Z j ( i ) = Z j : stop ( ⋆ , 1 ) return ( x i , j ∑ Z j ( i )) S ( 1 ) S e t C o m m i t i ′ ( F ) : S e t C o m m i t i ( F ( 0 )) S e t C o m m i t i ′ ( F − F ( 0 )) O p e n i ′ ( S ) : O p e n i ( S ) O p e n i ′ ( S ) … ∘ F [ C o m m i t ] ⊗ F [ C o m m i t ] ⊗ F [ Z K ( φ )] ⊗ F [ S y n c C o m m ] ⊗ F [ S y n c ] ⊚ F [ S t o p ] Then:
P 0 ⊲ … ⇝ P 1 = P 0 ⊲ ( P [ IdealCommit ] ⊗ P [ IdealConvert ] ) \mathscr{P}^0 \lhd \ldots \leadsto \mathscr{P}^1 = \mathscr{P}^0 \lhd (\mathscr{P}[\text{IdealCommit}] \otimes \mathscr{P}[\text{IdealConvert}]) P 0 ⊲ … ⇝ P 1 = P 0 ⊲ ( P [ I d e a l C o m m i t ] ⊗ P [ I d e a l C o n v e r t ]) Unrolling, we get:
Γ H 0 ( 1 ) Set i ( ) : ‾ … ⊗ Γ M 0 = 1 ( SetCommit k , Commit k , WaitCommit k , Open k , WaitOpen k , SetMask k , WaitMask k , Share k , WaitShare k , Z k , Cheat , CheatShare , stop ) ∘ F [ Convert ] ⊗ F [ Commit ] ⊚ F [ Stop ] \begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^0_H$
}\cr
\cr
&\underline{
(1)\text{Set}_i():
}\cr
&\enspace
\ldots
\cr
\end{aligned}
}
}
\otimes
\boxed{\colorbox{FBCFE8}{\large
$\Gamma^0_M$
} = 1
\begin{pmatrix}
\text{SetCommit}_k
,\cr
\text{Commit}_k
,\cr
\text{WaitCommit}_k
,\cr
\text{Open}_k
,\cr
\text{WaitOpen}_k
,\cr
\text{SetMask}_k
,\cr
\text{WaitMask}_k
,\cr
\text{Share}_k
,\cr
\text{WaitShare}_k
,\cr
\text{Z}_k
,\cr
\text{Cheat}
,\cr
\text{CheatShare}
,\cr
\texttt{stop}
\end{pmatrix}
}
\cr
\circ
\cr
F[\text{Convert}] \otimes F[\text{Commit}] \circledcirc F[\text{Stop}]
\end{matrix} Γ H 0 ( 1 ) S e t i ( ) : … ⊗ Γ M 0 = 1 S e t C o m m i t k , C o m m i t k , W a i t C o m m i t k , O p e n k , W a i t O p e n k , S e t M a s k k , W a i t M a s k k , S h a r e k , W a i t S h a r e k , Z k , C h e a t , C h e a t S h a r e , stop ∘ F [ C o n v e r t ] ⊗ F [ C o m m i t ] ⊚ F [ S t o p ] This simulates the desired protocol:
Γ H 1 = Γ H 0 ⊗ S ( 1 ) Cheat ( F ) : ‾ F m ← F return Cheat ( F ) ( 1 ) SetCommit k ( Z ) : ‾ Z k ← Z Commit k ( S ) : ‾ assert Z k ≠ ⊥ com _ k j ← true ( ∀ j ∈ S ) Set? k ( ) SetMask k ( S ) : ‾ ready _ k j ← true Set? k ( ) Set? k ( ) : ‾ for j ∈ H . com _ k j ∧ ready _ k j : Set k ( { j } , ⊥ , Z k ) WaitCommit k ( S ) : ‾ wait _ ( i , 0 ) ∀ j ∈ S ∩ M . com _ j k WaitMask k ( S ∩ H , false ) WaitMask k ( S , m ) : ‾ wait _ ( k , 0 ) ∀ j ∈ S ∩ M . ready _ j k ∧ ( m ⟹ F m ≠ ⊥ ) WaitSet k ( S ∩ H , m ) Open k ( S ) : ‾ open _ k j ← true ( ∀ j ∈ S ) Share? k ( ) Share k ( S , z _ ∙ ) : ‾ assert Z k ≠ ⊥ z _ k j ← z _ j ( ∀ j ∈ S ) Share? k ( ) Share? k ( ) ‾ for j ∈ H . open _ k j ∧ z _ k j ≠ ⊥ : if z _ k j ⋅ G ≠ Z k : stop ( { j } , 1 ) else : Share k ( { j } , z _ k j ) WaitOpen k ( S ) : ‾ wait _ ( k , 1 ) ∀ j ∈ S ∩ M . open _ k j wait _ ( k , 1 ) ∀ j ∈ S ∩ H . Z ( j ) ≠ ⊥ r j ← Z _ j ( ∀ j ∈ S ∩ M ) r j ← Z ( j ) ( ∀ j ∈ S ∩ H ) return r _ ∙ … ∘ F [ SplitShare ] ⊚ F [ Stop ] \begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^1_H$
} = \Gamma^0_H\cr
\end{aligned}
}
}
\otimes
\boxed{
\small{
\begin{aligned}
&\colorbox{bae6fd}{\large
$S$
}\cr
\cr
&\underline{
(1)\text{Cheat}(F):
}\cr
&\enspace
F^m \gets F
\cr
&\enspace
\texttt{return } \text{Cheat}(F)
\cr
\cr
&\underline{
(1)\text{SetCommit}_k(Z):
}\cr
&\enspace
Z_k \gets Z
\cr
\cr
&\underline{
\text{Commit}_k(S):
}\cr
&\enspace
\texttt{assert } Z_k \neq \bot
\cr
&\enspace
\text{com}\_{kj} \gets \texttt{true}\ (\forall j \in S)
\cr
&\enspace
\text{Set?}_k()
\cr
\cr
&\underline{
\text{SetMask}_k(S):
}\cr
&\enspace
\text{ready}\_{kj} \gets \texttt{true}
\cr
&\enspace
\text{Set?}_k()
\cr
\cr
&\underline{
\text{Set?}_k():
}\cr
&\enspace
\texttt{for } j \in \mathcal{H}.\ \text{com}\_{kj} \land \text{ready}\_{kj}:
\cr
&\enspace\enspace
\text{Set}_k(\{j\}, \bot, Z_k)
\cr
\cr
&\underline{
\text{WaitCommit}_k(S):
}\cr
&\enspace
\texttt{wait}\_{(i, 0)} \forall j \in S \cap \mathcal{M}.\ \text{com}\_{jk}
\cr
&\enspace
\text{WaitMask}_k(S \cap \mathcal{H}, \texttt{false})
\cr
\cr
&\underline{
\text{WaitMask}_k(S, m):
}\cr
&\enspace
\texttt{wait}\_{(k, 0)} \forall j \in \mathcal{S} \cap \mathcal{M}.\ \text{ready}\_{jk} \land (m \implies F^m \neq \bot)
\cr
&\enspace
\text{WaitSet}_k(S \cap \mathcal{H}, m)
\cr
\cr
&\underline{
\text{Open}_k(S):
}\cr
&\enspace
\text{open}\_{kj} \gets \texttt{true}\ (\forall j \in S)
\cr
&\enspace
\text{Share?}_k()
\cr
\cr
&\underline{
\text{Share}_k(S, z\_\bullet):
}\cr
&\enspace
\texttt{assert } Z_k \neq \bot
\cr
&\enspace
z\_{kj} \gets z\_j \ (\forall j \in S)
\cr
&\enspace
\text{Share?}_k()
\cr
\cr
&\underline{
\text{Share?}_k()
}\cr
&\enspace
\texttt{for } j \in \mathcal{H}.\ \text{open}\_{kj} \land z\_{kj} \neq \bot:
\cr
&\enspace\enspace
\texttt{if } z\_{kj} \cdot G \neq Z_k:
\cr
&\enspace\enspace\enspace
\texttt{stop}(\{j\}, 1)
\cr
&\enspace\enspace
\texttt{else}:
\cr
&\enspace\enspace\enspace
\text{Share}_k(\{j\}, z\_{kj})
\cr
\cr
&\underline{
\text{WaitOpen}_k(S):
}\cr
&\enspace
\texttt{wait}\_{(k, 1)} \forall j \in S \cap \mathcal{M}.\ \text{open}\_{kj}
\cr
&\enspace
\texttt{wait}\_{(k, 1)} \forall j \in S \cap \mathcal{H}.\ \text{Z}(j) \neq \bot
\cr
&\enspace
r_j \gets Z\_j\ (\forall j \in S \cap \mathcal{M})
\cr
&\enspace
r_j \gets \text{Z}(j)\ (\forall j \in S \cap \mathcal{H})
\cr
&\enspace
\texttt{return } r\_\bullet
\cr
\cr
&\ldots
\end{aligned}
}
}
\cr
\circ
\cr
F[\text{SplitShare}] \circledcirc F[\text{Stop}]
\end{matrix} Γ H 1 = Γ H 0 ⊗ S ( 1 ) C h e a t ( F ) : F m ← F return C h e a t ( F ) ( 1 ) S e t C o m m i t k ( Z ) : Z k ← Z C o m m i t k ( S ) : assert Z k = ⊥ c o m _ kj ← true ( ∀ j ∈ S ) S e t ? k ( ) S e t M a s k k ( S ) : r e a d y _ kj ← true S e t ? k ( ) S e t ? k ( ) : for j ∈ H . c o m _ kj ∧ r e a d y _ kj : S e t k ({ j } , ⊥ , Z k ) W a i t C o m m i t k ( S ) : wait _ ( i , 0 ) ∀ j ∈ S ∩ M . c o m _ jk W a i t M a s k k ( S ∩ H , false ) W a i t M a s k k ( S , m ) : wait _ ( k , 0 ) ∀ j ∈ S ∩ M . r e a d y _ jk ∧ ( m ⟹ F m = ⊥ ) W a i t S e t k ( S ∩ H , m ) O p e n k ( S ) : o p e n _ kj ← true ( ∀ j ∈ S ) S h a r e ? k ( ) S h a r e k ( S , z _ ∙ ) : assert Z k = ⊥ z _ kj ← z _ j ( ∀ j ∈ S ) S h a r e ? k ( ) S h a r e ? k ( ) for j ∈ H . o p e n _ kj ∧ z _ kj = ⊥ : if z _ kj ⋅ G = Z k : stop ({ j } , 1 ) else : S h a r e k ({ j } , z _ kj ) W a i t O p e n k ( S ) : wait _ ( k , 1 ) ∀ j ∈ S ∩ M . o p e n _ kj wait _ ( k , 1 ) ∀ j ∈ S ∩ H . Z ( j ) = ⊥ r j ← Z _ j ( ∀ j ∈ S ∩ M ) r j ← Z ( j ) ( ∀ j ∈ S ∩ H ) return r _ ∙ … ∘ F [ S p l i t S h a r e ] ⊚ F [ S t o p ] This is quite similar to the previous simulator we had,
where we try and aggregate all of the malicious contributions
into a single one.
■ \blacksquare ■
Key Generation
Finally, we apply these ideas to key generation.
The basic idea is to do key sharing, but with a random additive share.
Definition (Key Generation):
P [ SplitGen ] P i ( 1 ) Set i ( ) : ‾ z ← $ F q Set i ( ⋆ , z , ⊥ ) WaitSet i ( ) : ‾ WaitSet i ( ⋆ , true ) ( 1 ) Share i ( ) : ‾ Share i ( ⋆ ) WaitShare i ( ) : ‾ return WaitShare i ( true ) ⊲ P [ SplitShare ] \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}[\text{SplitGen}]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\underline{
(1)\text{Set}_i():
}\cr
&\enspace
z \xleftarrow{\$} \mathbb{F}_q
\cr
&\enspace
\text{Set}_i(\star, z, \bot)
\cr
\cr
&\underline{
\text{WaitSet}_i():
}\cr
&\enspace
\text{WaitSet}_i(\star, \texttt{true})
\cr
\cr
&\underline{
(1)\text{Share}_i():
}\cr
&\enspace
\text{Share}_i(\star)
\cr
\cr
&\underline{
\text{WaitShare}_i():
}\cr
&\enspace
\texttt{return } \text{WaitShare}_i(\texttt{true})
\cr
\cr
\end{aligned}
}
}
\end{matrix}
}
\lhd \mathscr{P}[\text{SplitShare}] P [ S p l i t G e n ] P i ( 1 ) S e t i ( ) : z $ F q S e t i ( ⋆ , z , ⊥ ) W a i t S e t i ( ) : W a i t S e t i ( ⋆ , true ) ( 1 ) S h a r e i ( ) : S h a r e i ( ⋆ ) W a i t S h a r e i ( ) : return W a i t S h a r e i ( true ) ⊲ P [ S p l i t S h a r e ] □ \square □
The main interest in doing this is that we get a slightly
more succinct ideal functionality out of it.
The idea here is that we have a random polynomial
f h f^h f h f m f^m f m f m ⋅ G f^m \cdot G f m ⋅ G
Definition (Ideal Key Generation):
P [ IdealSplitGen ] P i ( 1 ) Set i ( z ) : ‾ Set i ( ⋆ ) WaitSet i ( ) : ‾ WaitSet i ( ⋆ , true ) ( 1 ) Share i ( ) : ‾ Share i ( ⋆ ) WaitShare i ( ) : ‾ return WaitShare i ( true ) F [ SplitGen ] f h ← $ F q [ X ] _ ≤ t − 1 F m , ready _ i j , x j ← ⊥ Set i ( S ) : ‾ ready _ i j ← true ( ∀ j ∈ S ) ( 1 ) Cheat ( F ) : ‾ assert deg ( F ) = t − 1 F m ← F WaitSet i ( S , m ) : ‾ wait _ ( i , 0 ) ∀ j ∈ S . ready _ j i ∧ ( m → F m ≠ ⊥ ) Share i ( S ) : ‾ shared _ i j ← true ( ∀ j ∈ S ) CheatShare ( S , z , x ^ _ ∙ ) : ‾ assert F m ≠ ⊥ assert z ⋅ G = F m ( 0 ) assert ∀ j ∈ S . x ^ j ⋅ G = F m ( j ) for j ∈ S . x j = ⊥ : x j ← x ^ j WaitShare i ( h ) : ‾ if h : wait _ ( i , 1 ) x i ≠ ⊥ ∧ ∀ j . shared _ j i return f h ( i ) + x i else : wait _ ( i , 1 ) ∀ j ∈ H . shared _ j i return f h ( i ) F h ( ) : ‾ wait F m ≠ ⊥ ∧ ∀ i . ∃ j . ready _ i j return f h ⋅ G ⊚ F [ Stop ] Leakage : = { stop } \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}[\text{IdealSplitGen}]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\underline{
(1)\text{Set}_i(z):
}\cr
&\enspace
\text{Set}_i(\star)
\cr
\cr
&\underline{
\text{WaitSet}_i():
}\cr
&\enspace
\text{WaitSet}_i(\star, \texttt{true})
\cr
\cr
&\underline{
(1)\text{Share}_i():
}\cr
&\enspace
\text{Share}_i(\star)
\cr
\cr
&\underline{
\text{WaitShare}_i():
}\cr
&\enspace
\texttt{return } \text{WaitShare}_i(\texttt{true})
\cr
\end{aligned}
}
}
\quad
\begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$F[\text{SplitGen}]$
}\cr
\cr
&f^h \xleftarrow{\$} \mathbb{F}_q[X]\_{\leq t - 1}\cr
&F^m, \text{ready}\_{ij}, x_j \gets \bot\cr
\cr
&\underline{
\text{Set}_i(S):
}\cr
&\enspace
\text{ready}\_{ij} \gets \texttt{true}\ (\forall j \in S)
\cr
\cr
&\underline{
\textcolor{ef4444}{
(1)\text{Cheat}(F):
}
}\cr
&\enspace
\texttt{assert } \text{deg}(F) = t - 1
\cr
&\enspace
F^m \gets F
\cr
\cr
&\underline{
\text{WaitSet}_i(S, m):
}\cr
&\enspace
\texttt{wait}\_{(i, 0)} \forall j \in S.\ \text{ready}\_{ji} \land (m \to F^m \neq \bot)
\cr
\cr
&\underline{
\text{Share}_i(S):
}\cr
&\enspace
\text{shared}\_{ij} \gets \texttt{true}\ (\forall j \in S)
\cr
\cr
&\underline{
\textcolor{ef4444}{
\text{CheatShare}(S, z, \hat{x}\_\bullet):
}
}\cr
&\enspace
\texttt{assert } F^m \neq \bot
\cr
&\enspace
\texttt{assert } z \cdot G = F^m(0)
\cr
&\enspace
\texttt{assert } \forall j \in S.\ \hat{x}_j \cdot G = F^m(j)
\cr
&\enspace
\texttt{for } j \in S.\ x_j = \bot: x_j \gets \hat{x}_j
\cr
\cr
&\underline{
\text{WaitShare}_i(h):
}\cr
&\enspace
\texttt{if } h:
\cr
&\enspace\enspace
\texttt{wait}\_{(i, 1)} x_i \neq \bot \land \forall j. \text{shared}\_{ji}
\cr
&\enspace\enspace
\texttt{return } f^h(i) + x_i
\cr
&\enspace
\texttt{else}:
\cr
&\enspace\enspace
\texttt{wait}\_{(i, 1)} \forall j \in \mathcal{H}. \text{shared}\_{ji}
\cr
&\enspace\enspace
\texttt{return } f^h(i)
\cr
\cr
&\underline{
\textcolor{ef4444}{
\text{F}^h():
}
}\cr
&\enspace
\texttt{wait } F^m \neq \bot \land \forall i.\ \exists j.\ \text{ready}\_{ij}
\cr
&\enspace
\texttt{return } f^h \cdot G
\cr
\end{aligned}
}
}\cr
\circledcirc \cr
F[\text{Stop}]
\end{matrix}\cr
\cr
\text{Leakage} := \{\texttt{stop}\}
\end{matrix}
} P [ I d e a l S p l i t G e n ] P i ( 1 ) S e t i ( z ) : S e t i ( ⋆ ) W a i t S e t i ( ) : W a i t S e t i ( ⋆ , true ) ( 1 ) S h a r e i ( ) : S h a r e i ( ⋆ ) W a i t S h a r e i ( ) : return W a i t S h a r e i ( true ) F [ S p l i t G e n ] f h $ F q [ X ] _ ≤ t − 1 F m , r e a d y _ ij , x j ← ⊥ S e t i ( S ) : r e a d y _ ij ← true ( ∀ j ∈ S ) ( 1 ) C h e a t ( F ) : assert d e g ( F ) = t − 1 F m ← F W a i t S e t i ( S , m ) : wait _ ( i , 0 ) ∀ j ∈ S . r e a d y _ ji ∧ ( m → F m = ⊥ ) S h a r e i ( S ) : s h a r e d _ ij ← true ( ∀ j ∈ S ) C h e a t S h a r e ( S , z , x ^ _ ∙ ) : assert F m = ⊥ assert z ⋅ G = F m ( 0 ) assert ∀ j ∈ S . x ^ j ⋅ G = F m ( j ) for j ∈ S . x j = ⊥ : x j ← x ^ j W a i t S h a r e i ( h ) : if h : wait _ ( i , 1 ) x i = ⊥ ∧ ∀ j . s h a r e d _ ji return f h ( i ) + x i else : wait _ ( i , 1 ) ∀ j ∈ H . s h a r e d _ ji return f h ( i ) F h ( ) : wait F m = ⊥ ∧ ∀ i . ∃ j . r e a d y _ ij return f h ⋅ G ⊚ F [ S t o p ] L e a k a g e := { stop } Lemma:
For some negligible ϵ \epsilon ϵ t − 1 t - 1 t − 1
P [ SplitGen ] ⊲ P [ SplitShare ] ⇝ ϵ P [ IdealSplitGen ] \mathscr{P}[\text{SplitGen}] \lhd \mathcal{P}[\text{SplitShare}] \overset{\epsilon}{\leadsto} \mathscr{P}[\text{IdealSplitGen}] P [ S p l i t G e n ] ⊲ P [ S p l i t S h a r e ] ⇝ ϵ P [ I d e a l S p l i t G e n ] Proof
First, we can jump to a protocol where P [ SplitShare ] \mathcal{P}[\text{SplitShare}] P [ S p l i t S h a r e ] P [ IdealSplitShare ] \mathcal{P}[\text{IdealSplitShare}] P [ I d e a l S p l i t S h a r e ]
Γ H 0 … ⊗ S Z ^ i ← $ G F m , Z k , z k , x i ← ⊥ Set k ( S , z , Z ) : ‾ Set k ( S ) assert z ≠ ⊥ ∨ Z ≠ ⊥ if z k , Z k = ⊥ ∧ z ≠ ⊥ : z k ← z Z k ← z ⋅ G elif Z k ≠ ⊥ ∧ Z ≠ ⊥ : Z k ← Z Cheat? ( ) ( 1 ) Cheat ( F ) : ‾ assert F ( 0 ) = 0 ∧ deg ( F ) = t − 1 F m ← F Cheat? ( ) Cheat? ( ) ‾ if ∀ k . Z k , F m ≠ ⊥ : Cheat ( F m + ∑ _ k ∈ M Z k ) WaitSet k ( S , m ) : ‾ WaitSet k ( S , m ) Share k ( S , z ) : ‾ assert Z k ≠ ⊥ if z k = ⊥ : assert z ⋅ G = Z k z k ← z CheatShare? ( ) CheatShare k ( S , x ^ _ ∙ ) : ‾ assert F m ≠ ⊥ ∧ ∀ j ∈ S . x ^ j ⋅ G = F m ( j ) for j . x j = ⊥ : x j ← x ^ j CheatShare? ( ) CheatShare? ( ) : ‾ if ∀ k ∈ M . z k ≠ ⊥ : for j . x j ≠ ⊥ : z ← ∑ k z k CheatShare ( { j } , z , x _ ∙ + z ) WaitShare k ( h ) : ‾ WaitShare k ( h ) Z ( i ) : ‾ nowait F h ( 0 ) − ∑ _ i ∈ H Z ^ i if i = 1 else Z ^ i F h ( ) : ‾ return F h ( ) − F h ( 0 ) ∘ F [ SplitGen ] ⊚ F [ Stop ] \begin{matrix}
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$\Gamma^0_H$
}
\ldots
\end{aligned}
}
}
\otimes
\boxed{
\small{
\begin{aligned}
&\colorbox{bae6fd}{\large
$S$
}\cr
\cr
&\hat{Z}_i \xleftarrow{\$} \mathbb{G}\cr
&F^m, Z_k, z_k, x_i \gets \bot\cr
\cr
&\underline{
\text{Set}_k(S, z, Z):
}\cr
&\enspace
\text{Set}_k(S)
\cr
&\enspace
\texttt{assert } z\neq \bot \lor Z \neq \bot
\cr
&\enspace
\texttt{if } z_k, Z_k = \bot \land z \neq \bot:
\cr
&\enspace\enspace
z_k \gets z
\cr
&\enspace\enspace
Z_k \gets z \cdot G
\cr
&\enspace
\texttt{elif } Z_k \neq \bot \land Z \neq \bot :\ Z_k \gets Z
\cr
&\enspace
\text{Cheat?}()
\cr
\cr
&\underline{
(1)\text{Cheat}(F):
}\cr
&\enspace
\texttt{assert } F(0) = 0 \land \text{deg}(F) = t - 1
\cr
&\enspace
F^m \gets F
\cr
&\enspace
\text{Cheat?}()
\cr
\cr
&\underline{
\text{Cheat?}()
}\cr
&\enspace
\texttt{if } \forall k.\ Z_k, F^m \neq \bot:
\cr
&\enspace\enspace
\text{Cheat}(F^m + \sum\_{k \in \mathcal{M}} Z_k)
\cr
\cr
&\underline{
\text{WaitSet}_k(S, m):
}\cr
&\enspace
\text{WaitSet}_k(S, m)
\cr
\cr
&\underline{
\text{Share}_k(S, z):
}\cr
&\enspace
\texttt{assert } Z_k \neq \bot
\cr
&\enspace
\texttt{if } z_k = \bot:
\cr
&\enspace\enspace
\texttt{assert } z \cdot G = Z_k
\cr
&\enspace\enspace
z_k \gets z
\cr
&\enspace
\text{CheatShare?}()
\cr
\cr
&\underline{
\text{CheatShare}_k(S, \hat{x}\_\bullet):
}\cr
&\enspace
\texttt{assert } F^m \neq \bot \land \forall j \in S.\ \hat{x}_j \cdot G = F^m(j)
\cr
&\enspace
\texttt{for } j.\ x_j = \bot:\ x_j \gets \hat{x}_j
\cr
&\enspace
\text{CheatShare?}()
\cr
\cr
&\underline{
\text{CheatShare?}():
}\cr
&\enspace
\texttt{if } \forall k \in \mathcal{M}.\ z_k \neq \bot:
\cr
&\enspace\enspace
\texttt{for } j.\ x_j \neq \bot:
\cr
&\enspace\enspace\enspace
z \gets \sum_k z_k
\cr
&\enspace\enspace\enspace
\text{CheatShare}(\{j\}, z, x\_\bullet + z)
\cr
\cr
&\underline{
\text{WaitShare}_k(h):
}\cr
&\enspace
\text{WaitShare}_k(h)
\cr
\cr
&\underline{
\text{Z}(i):
}\cr
&\enspace
\texttt{nowait } \text{F}^h(0) - \sum\_{i \in \mathcal{H}} \hat{Z}_i \texttt{ if } i = 1 \texttt{ else } \hat{Z}_i
\cr
\cr
&\underline{
\text{F}^h():
}\cr
&\enspace
\texttt{return } \text{F}^h() - \text{F}^h(0)
\cr
\end{aligned}
}
}
\cr
\circ
\cr
F[\text{SplitGen}] \circledcirc F[\text{Stop}]
\end{matrix} Γ H 0 … ⊗ S Z ^ i $ G F m , Z k , z k , x i ← ⊥ S e t k ( S , z , Z ) : S e t k ( S ) assert z = ⊥ ∨ Z = ⊥ if z k , Z k = ⊥ ∧ z = ⊥ : z k ← z Z k ← z ⋅ G elif Z k = ⊥ ∧ Z = ⊥ : Z k ← Z C h e a t ? ( ) ( 1 ) C h e a t ( F ) : assert F ( 0 ) = 0 ∧ d e g ( F ) = t − 1 F m ← F C h e a t ? ( ) C h e a t ? ( ) if ∀ k . Z k , F m = ⊥ : C h e a t ( F m + ∑ _ k ∈ M Z k ) W a i t S e t k ( S , m ) : W a i t S e t k ( S , m ) S h a r e k ( S , z ) : assert Z k = ⊥ if z k = ⊥ : assert z ⋅ G = Z k z k ← z C h e a t S h a r e ? ( ) C h e a t S h a r e k ( S , x ^ _ ∙ ) : assert F m = ⊥ ∧ ∀ j ∈ S . x ^ j ⋅ G = F m ( j ) for j . x j = ⊥ : x j ← x ^ j C h e a t S h a r e ? ( ) C h e a t S h a r e ? ( ) : if ∀ k ∈ M . z k = ⊥ : for j . x j = ⊥ : z ← k ∑ z k C h e a t S h a r e ({ j } , z , x _ ∙ + z ) W a i t S h a r e k ( h ) : W a i t S h a r e k ( h ) Z ( i ) : nowait F h ( 0 ) − ∑ _ i ∈ H Z ^ i if i = 1 else Z ^ i F h ( ) : return F h ( ) − F h ( 0 ) ∘ F [ S p l i t G e n ] ⊚ F [ S t o p ] The core thing the simulator needs to accomplish is to
fold the Z Z Z F m F^m F m
We also need to simulate an honest polynomial without the secret 0 0 0
■ \blacksquare ■
As a final note, the actual key sharing protocol one might
use in practice directly doesn't expose each individual functionality,
instead calling them in sequence:
P [ KeyShare ] P i ( 1 ) Share i ( z ) : ‾ Set i ( ⋆ , z , ⊥ ) WaitSet i ( ⋆ , true ) Share i ( ⋆ ) return WaitShare i ( true ) ⊲ P [ SplitShare ] \boxed{
\begin{matrix}
\colorbox{FBCFE8}{\large
$\mathscr{P}[\text{KeyShare}]$
}\cr
\cr
\boxed{
\small{
\begin{aligned}
&\colorbox{FBCFE8}{\large
$P_i$
}\cr
\cr
&\underline{
(1)\text{Share}_i(z):
}\cr
&\enspace
\text{Set}_i(\star, z, \bot)
\cr
&\enspace
\text{WaitSet}_i(\star, \texttt{true})
\cr
&\enspace
\text{Share}_i(\star)
\cr
&\enspace
\texttt{return } \text{WaitShare}_i(\texttt{true})
\cr
\end{aligned}
}
}
\end{matrix}
}
\lhd \mathscr{P}[\text{SplitShare}] P [ K e y S h a r e ] P i ( 1 ) S h a r e i ( z ) : S e t i ( ⋆ , z , ⊥ ) W a i t S e t i ( ⋆ , true ) S h a r e i ( ⋆ ) return W a i t S h a r e i ( true ) ⊲ P [ S p l i t S h a r e ] This protocol should match the one implemented in the specification,
although with less modularity, naturally.
