|
|
@ -31,18 +31,46 @@ Bi := d Pi - h Ai |
|
|
|
verify h = Hash(P2, A1, A2, B1, B2) |
|
|
|
verify h = Hash(P2, A1, A2, B1, B2) |
|
|
|
----------------------------------------------------------------------------- |
|
|
|
----------------------------------------------------------------------------- |
|
|
|
CipherTextGT |
|
|
|
CipherTextGT |
|
|
|
P ; generator of GT |
|
|
|
P ; generator of GT, GT=<P> |
|
|
|
x1, x2 ; secrect key |
|
|
|
x1, x2 ; secrect key |
|
|
|
(P0, P1, P2, P3) := (P, x1 P, x2 P, x1 x2 P) ; public information |
|
|
|
(P0, P1, P2, P3) := (P, x1 P, x2 P, x1 x2 P) ; public information |
|
|
|
|
|
|
|
|
|
|
|
CipherText c = (A0, A1, A2, A3) |
|
|
|
CipherText c = (A0, A1, A2, A3) |
|
|
|
dec(c) = 0 <=> A0 = x2 A1 + x1 A2 - x1 x2 A3 ; (*) |
|
|
|
dec(c) = 0 <=> A0 = x2 A1 + x1 A2 - x1 x2 A3 ; (*) |
|
|
|
|
|
|
|
|
|
|
|
construction of ZKP for dec(c) = 0, i.e., show (*) |
|
|
|
F(a1, a2, a3) := a2 A1 + a1 A2 - a3 A3 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
dec(c) = 0 <=> A0 = F(x1, x2, x1 x2) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Sigma-protocol for dec(c) = 0, i.e., show (*) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Prover: |
|
|
|
|
|
|
|
b1, b2, b3 ; rand |
|
|
|
|
|
|
|
Bi := bi P (i = 1, 2, 3) |
|
|
|
|
|
|
|
X := F(b1, b2, b3) |
|
|
|
|
|
|
|
send (B1, B2, B3, X) to Verfier |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Verifier: |
|
|
|
|
|
|
|
takes h randomly and send to Prover |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Prover: |
|
|
|
|
|
|
|
d1 := b1 + h x1 |
|
|
|
|
|
|
|
d2 := b2 + h x2 |
|
|
|
|
|
|
|
d3 := b3 + h x1 x2 |
|
|
|
|
|
|
|
send (d1, d2, d3) to Verifier |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Verifier: |
|
|
|
|
|
|
|
verify |
|
|
|
|
|
|
|
di P = Bi + h Pi (i = 1, 2, 3) |
|
|
|
|
|
|
|
X = F(d1, d2, d3) - h A0 |
|
|
|
|
|
|
|
and accept it |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Fiat-Shamir transform: |
|
|
|
|
|
|
|
|
|
|
|
Prover: |
|
|
|
Prover: |
|
|
|
b1, b2, b3 ; random value |
|
|
|
b1, b2, b3 ; random value |
|
|
|
Bi := bi P for i = 1, 2, 3 |
|
|
|
Bi := bi P (i = 1, 2, 3) |
|
|
|
X := b1 A2 + b2 A1 - b3 A3 |
|
|
|
X := F(b1, b2, b3) |
|
|
|
h := Hash(P0, ..., P3, A0, ..., A3, B1, B2, B3, X) |
|
|
|
h := Hash(P0, ..., P3, A0, ..., A3, B1, B2, B3, X) |
|
|
|
d1 := b1 + h x1 |
|
|
|
d1 := b1 + h x1 |
|
|
|
d2 := b2 + h x2 |
|
|
|
d2 := b2 + h x2 |
|
|
@ -52,7 +80,7 @@ pi := (d1, d2, d3, h) |
|
|
|
Verifier: |
|
|
|
Verifier: |
|
|
|
(pi, {Pi}, {Ai}) given |
|
|
|
(pi, {Pi}, {Ai}) given |
|
|
|
Bi' := di P - h Pi for i = 1, 2, 3 |
|
|
|
Bi' := di P - h Pi for i = 1, 2, 3 |
|
|
|
X' := d1 A2 + d2 A1 - d3 A3 - h A0 |
|
|
|
X' := F(d1, d2, d3) - h A0 |
|
|
|
verify Hash({Pi}, {Ai}, {Bi'}, X') = h |
|
|
|
verify Hash({Pi}, {Ai}, {Bi'}, X') = h |
|
|
|
|
|
|
|
|
|
|
|
Completeness |
|
|
|
Completeness |
|
|
@ -60,8 +88,10 @@ Completeness |
|
|
|
B1' = d1 P - h P1 = (b1 + h x1) P - h x1 P = b1 P = B1 |
|
|
|
B1' = d1 P - h P1 = (b1 + h x1) P - h x1 P = b1 P = B1 |
|
|
|
B2' = d2 P - h P2 = (b2 + h x2) P - h x2 P = b2 P = B2 |
|
|
|
B2' = d2 P - h P2 = (b2 + h x2) P - h x2 P = b2 P = B2 |
|
|
|
B3' = d3 P - h P3 = (b3 + h x1 x2) P - h x1 x2 P = B3 |
|
|
|
B3' = d3 P - h P3 = (b3 + h x1 x2) P - h x1 x2 P = B3 |
|
|
|
X' = (b1 + h x1) A2 + (b2 + h x2) A1 - (b3 + h x1 x2)A3 - h A0 |
|
|
|
X' = F(b1 + h x1, b2 + h x2, b3 + h x1 x2) - h A0 |
|
|
|
= b1 A2 + b2 A1 - b3 A3 + h (x1 A2 + x2 A1 - x1 x2 A3 - A0) = b1 A2 + b2 A1 - b3 A3 = X |
|
|
|
= F(b1, b2, b3) + h F(x1, x2, x1 x2) - h A0 |
|
|
|
|
|
|
|
= F(b1, b2, b3) + h (F(x1, x2, x1 x2) - A0) |
|
|
|
|
|
|
|
= F(b1, b2, b3) = X |
|
|
|
OK |
|
|
|
OK |
|
|
|
|
|
|
|
|
|
|
|
Soundness |
|
|
|
Soundness |
|
|
@ -80,8 +110,10 @@ B1' = d1 P - h P1 = b1 P |
|
|
|
B2' = b2 P |
|
|
|
B2' = b2 P |
|
|
|
B3' = b3 P |
|
|
|
B3' = b3 P |
|
|
|
|
|
|
|
|
|
|
|
Y := x1 A2 + x2 A1 - x1 x2 A3 - A0 ; unknown, but it is fixed |
|
|
|
Y := F(x1, x2, x1 x2) - A0; unknown, but it is fixed |
|
|
|
X' = b1 A2 + b2 A1 - b3 A3 + h Y |
|
|
|
X' = F(d1, d2, d3) - h A0 = F(b1 + h x1, b2 + h x2, b3 + h x1 x2) - h A0 |
|
|
|
|
|
|
|
= F(b1, b2, b3) + h(F(x1, x2, x1 x2) - A0) |
|
|
|
|
|
|
|
= F(b1, b2, b3) + h Y |
|
|
|
|
|
|
|
|
|
|
|
Hash({Pi}, {Ai}, b1 P, b2 P, b3 P, b1 A2 + b2 A1 - b3 A3 + h Y) = h |
|
|
|
Hash({Pi}, {Ai}, b1 P, b2 P, b3 P, F(b1, b2, b3) + h Y) = h |
|
|
|
To found {b1, b2, b3, h} to hold this equation, Y must be 0. |
|
|
|
To found {b1, b2, b3, h} to hold this equation, Y must be 0. |
|
|
|