|
|
|
|
P ; generator
|
|
|
|
|
x ; secret key
|
|
|
|
|
xP ; public key
|
|
|
|
|
Enc(m;r) = (mP + rxP, rP)
|
|
|
|
|
|
|
|
|
|
c = (S, T)
|
|
|
|
|
dec(c) := S - xT
|
|
|
|
|
dec(Enc(m;r)) = (mP + rxP) - x(rP) = mP
|
|
|
|
|
DLP(mP) := m
|
|
|
|
|
Dec(c) := DLP(dec(c))
|
|
|
|
|
|
|
|
|
|
ZKP of dec(c) = m
|
|
|
|
|
|
|
|
|
|
z := Enc(m;0) = (mP, 0)
|
|
|
|
|
|
|
|
|
|
c - z = (rxP, rP) ; r is unknown
|
|
|
|
|
|
|
|
|
|
ZKP of dec(c - z) = 0
|
|
|
|
|
(P1, P2) := (P, rP)
|
|
|
|
|
(A1, A2) := (xP, xrP)
|
|
|
|
|
|
|
|
|
|
Prover shows that x(P1, P2) = (A1, A2) without revealing x.
|
|
|
|
|
b ; rand
|
|
|
|
|
B = (b P1, b P2)
|
|
|
|
|
h = Hash(P2, A1, A2, B1, B2)
|
|
|
|
|
d = b + h a
|
|
|
|
|
pi = (d, h)
|
|
|
|
|
|
|
|
|
|
Verifier
|
|
|
|
|
Bi := d Pi - h Ai
|
|
|
|
|
verify h = Hash(P2, A1, A2, B1, B2)
|
|
|
|
|
-----------------------------------------------------------------------------
|
|
|
|
|
CipherTextGT
|
|
|
|
|
P ; generator of GT, GT=<P>
|
|
|
|
|
x1, x2 ; secrect key
|
|
|
|
|
(P0, P1, P2, P3) := (P, x1 P, x2 P, x1 x2 P) ; public information
|
|
|
|
|
|
|
|
|
|
CipherText c = (A0, A1, A2, A3)
|
|
|
|
|
dec(c) = 0 <=> A0 = x2 A1 + x1 A2 - x1 x2 A3 ; (*)
|
|
|
|
|
|
|
|
|
|
F(a1, a2, a3) := a2 A1 + a1 A2 - a3 A3
|
|
|
|
|
|
|
|
|
|
dec(c) = 0 <=> A0 = F(x1, x2, x1 x2)
|
|
|
|
|
|
|
|
|
|
Sigma-protocol for dec(c) = 0, i.e., show (*)
|
|
|
|
|
|
|
|
|
|
Prover:
|
|
|
|
|
b1, b2, b3 ; rand
|
|
|
|
|
Bi := bi P (i = 1, 2, 3)
|
|
|
|
|
X := F(b1, b2, b3)
|
|
|
|
|
send (B1, B2, B3, X) to Verfier
|
|
|
|
|
|
|
|
|
|
Verifier:
|
|
|
|
|
takes h randomly and send to Prover
|
|
|
|
|
|
|
|
|
|
Prover:
|
|
|
|
|
d1 := b1 + h x1
|
|
|
|
|
d2 := b2 + h x2
|
|
|
|
|
d3 := b3 + h x1 x2
|
|
|
|
|
send (d1, d2, d3) to Verifier
|
|
|
|
|
|
|
|
|
|
Verifier:
|
|
|
|
|
verify
|
|
|
|
|
di P = Bi + h Pi (i = 1, 2, 3)
|
|
|
|
|
X = F(d1, d2, d3) - h A0
|
|
|
|
|
and accept it
|
|
|
|
|
|
|
|
|
|
Fiat-Shamir transform:
|
|
|
|
|
|
|
|
|
|
Prover:
|
|
|
|
|
b1, b2, b3 ; random value
|
|
|
|
|
Bi := bi P (i = 1, 2, 3)
|
|
|
|
|
X := F(b1, b2, b3)
|
|
|
|
|
h := Hash(P0, ..., P3, A0, ..., A3, B1, B2, B3, X)
|
|
|
|
|
d1 := b1 + h x1
|
|
|
|
|
d2 := b2 + h x2
|
|
|
|
|
d3 := b3 + h x1 x2
|
|
|
|
|
pi := (d1, d2, d3, h)
|
|
|
|
|
|
|
|
|
|
Verifier:
|
|
|
|
|
(pi, {Pi}, {Ai}) given
|
|
|
|
|
Bi' := di P - h Pi for i = 1, 2, 3
|
|
|
|
|
X' := F(d1, d2, d3) - h A0
|
|
|
|
|
verify Hash({Pi}, {Ai}, {Bi'}, X') = h
|
|
|
|
|
|
|
|
|
|
Completeness
|
|
|
|
|
|
|
|
|
|
B1' = d1 P - h P1 = (b1 + h x1) P - h x1 P = b1 P = B1
|
|
|
|
|
B2' = d2 P - h P2 = (b2 + h x2) P - h x2 P = b2 P = B2
|
|
|
|
|
B3' = d3 P - h P3 = (b3 + h x1 x2) P - h x1 x2 P = B3
|
|
|
|
|
X' = F(b1 + h x1, b2 + h x2, b3 + h x1 x2) - h A0
|
|
|
|
|
= F(b1, b2, b3) + h F(x1, x2, x1 x2) - h A0
|
|
|
|
|
= F(b1, b2, b3) + h (F(x1, x2, x1 x2) - A0)
|
|
|
|
|
= F(b1, b2, b3) = X
|
|
|
|
|
OK
|
|
|
|
|
|
|
|
|
|
Soundness
|
|
|
|
|
{Ai}, pi=(d1, d2, d3, h) ; given
|
|
|
|
|
compute Bi', X' as above
|
|
|
|
|
Suppose Hash({Pi}, {Ai}, {Bi'}, X') = h
|
|
|
|
|
|
|
|
|
|
define
|
|
|
|
|
b1 := d1 - h x1
|
|
|
|
|
b2 := d2 - h x2
|
|
|
|
|
b3 := d3 - h x1 x2
|
|
|
|
|
where x1, x2 are unknown
|
|
|
|
|
d1, d2, d3 are free parameters, so b1, b2, b3 are also free.
|
|
|
|
|
|
|
|
|
|
B1' = d1 P - h P1 = b1 P
|
|
|
|
|
B2' = b2 P
|
|
|
|
|
B3' = b3 P
|
|
|
|
|
|
|
|
|
|
Y := F(x1, x2, x1 x2) - A0; unknown, but it is fixed
|
|
|
|
|
X' = F(d1, d2, d3) - h A0 = F(b1 + h x1, b2 + h x2, b3 + h x1 x2) - h A0
|
|
|
|
|
= F(b1, b2, b3) + h(F(x1, x2, x1 x2) - A0)
|
|
|
|
|
= F(b1, b2, b3) + h Y
|
|
|
|
|
|
|
|
|
|
Hash({Pi}, {Ai}, b1 P, b2 P, b3 P, F(b1, b2, b3) + h Y) = h
|
|
|
|
|
To found {b1, b2, b3, h} to hold this equation, Y must be 0.
|
