Abstract
We present an honest-majority Distributed Key Generation protocol (DKG) based on Shamir’s (k, n)-threshold secret sharing in the setting of Very Hard Homogenous Spaces (VHHS). DKGs in the discrete logarithm setting use Pedersen commitments, for which there is no known analogue in the VHHS setting. As a replacement, we introduce a new primitive called piecewise verifiable proofs, which allow a prover to prove that a list of NP-statements is valid with respect to a common witness, and such that the different statements can be verified individually. Our protocol is robust and actively secure in the Quantum Random Oracle Model. For n participants, the total runtime of our protocol is \(2+\lambda +n(1+4\lambda )\) group action evaluations, where \(\lambda \) is the underlying security parameter, and is thus independent of the threshold k. When instantiated with CSIDH-512, this amounts to approximately \(4.5+18n\) seconds.
This work was supported in part by the Research Council KU Leuven grants C14/18/067 and STG/17/019, and by CyberSecurity Research Flanders with reference number VR20192203. Ward Beullens is funded by FWO fellowship 1S95620N. Date of this document: July 2, 2021
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
“Commutative Supersingular Isogeny Robust and Actively secure distributed Shamir secret sharing”, pronounced chirashi, in reference to the Japanese dish chirashi sushi, translated as “scattered sushi”.
- 2.
Our extractor is not guaranteed to output a witness, instead it is allowed to output a collision in \(\mathcal {C}\). This means that the extractor for the FS transformed protocol could also output a collision for \(\mathcal {C}\) instead of outputting a witness. This is not a problem, because \(\mathcal {C}\) is assumed to be collapsing, which implies that an efficient adversary can only output collisions with negligible probability [29].
- 3.
Similar to the proof of Lemma 2, our special soundness extractor outputs either a witness w such that \((x,w) \in R\), or a collision for \(\mathcal {C}\). Since \(\mathcal {C}\) is collision resistant, this is not a problem, because the PoK extractor can only output a collision with negligible probability.
References
Adida, B.: Helios: web-based open-audit voting. In: USENIX Security Symposium, vol. 17, pp. 335–348 (2008)
Beullens, W., Disson, L., Pedersen, R., Vercauteren, F.: CSI-RASHi: distributed key generation for CSIDH (2020)
Beullens, W., Katsumata, S., Pintore, F.: Calamari and falafl: logarithmic (linkable) ring signatures from isogenies and lattices. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 464–492. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_16
Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_9
Bonnetain, X., Schrottenloher, A.: Quantum security analysis of CSIDH. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 493–522. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_17
Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15
Castryck, W., Sotáková, J., Vercauteren, F.: Breaking the decisional Diffie-Hellman problem for class group actions using genus theory. IACR Cryptology ePrint Archive 2020, 151 (2020)
Chavez-Saab, J., Chi-Dominguez, J.-J., Jaques, S., Rodriguez-Henriquez, F.: The SQALE of CSIDH: square-root vélu quantum-resistant isogeny action with low exponents. Technical report, Cryptology ePrint Archive, Report 2020/1520 (2020). https://eprint.iacr.org
Couveignes, J.M.: Hard homogeneous spaces. IACR Cryptology ePrint Archive 2006, 291 (2006)
Cozzo, D., Smart, N.P.: Sashimi: cutting up CSI-FiSh secret keys to produce an actively secure distributed signing protocol. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 169–186. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_10
De Feo, L., Galbraith, S.D.: SeaSign: compact isogeny signatures from class group actions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 759–789. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_26
De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from super singular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)
De Feo, L., Meyer, M.: Threshold schemes from isogeny assumptions. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 187–212. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_7
Desmedt, Y.: Threshold cryptosystems. In: Seberry, J., Zheng, Y. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 1–14. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-57220-1_47
Desmedt, Y., Frankel, Y.: Shared generation of authenticators and signatures. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 457–469. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_37
Don, J., Fehr, S., Majenz, C., Schaffner, C.: Security of the Fiat-Shamir transformation in the quantum random-oracle model. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 356–383. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_13
Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust threshold DSS signatures. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 354–371. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_31
Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. J. Cryptol. 20(1), 51–83 (2007)
Harn, L.: Group-oriented (t, n) threshold digital signature scheme and digital multisignature. IEE Proc. Comput. Digit. Tech. 141(5), 307–313 (1994)
Kate, A.: Distributed key generation and its applications (2010)
Meyer, M., Reith, S.: A faster way to the CSIDH. In: Chakraborty, D., Iwata, T. (eds.) INDOCRYPT 2018. LNCS, vol. 11356, pp. 137–152. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-05378-9_8
National Institute of Standards and Technology. Threshold cryptography (2020)
Pedersen, T.P.: A threshold cryptosystem without a trusted party. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 522–526. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_47
Peikert, C.: He gives C-sieves on the CSIDH. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 463–492. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_16
Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority. In: Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, pp. 73–85 (1989)
Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. IACR Cryptology ePrint Archive 2006, 145 (2006)
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
Shoup, V.: Practical threshold signatures. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 207–220. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_15
Unruh, D.: Collapse-binding quantum commitments without random oracles. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 166–195. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_6
Unruh, D.: Computationally binding quantum commitments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 497–527. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_18
Unruh, D.: Post-quantum security of Fiat-Shamir. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 65–95. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_3
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Security Proof of NIPVP
A Security Proof of NIPVP
1.1 A.1 Completeness
Lemma 1
Algorithms 3 and 4 constitute a complete NIPVP in the QROM for the list of relations of (1) if the used commitment scheme is collapsing and quantum computationally hiding.
Proof
If the protocol is followed correctly and if the input was a valid statement-witness pair \((x,w) \in R\), then the verifier will accept the proof piece with probability 1.
-
In the case \(i= 0\) the verifier will accept the proofs because the curves \(\widetilde{E}_j\) recomputed by the verifier match the curves \(\hat{E}_j\) computed by the prover: for each \(j \in \{1,\dots ,\lambda \} \), if \(c_j = 0\), then \(r_j = b_j\) and hence \(\widetilde{E}_j = [r_j(0)]E_0 = [b_j(0)]E_0 = \hat{E}_j\). If \(c_j = 1\), then \(r_j(0) = b_j(0)-f(0)\), so again we have \(\widetilde{E}_j = [r_j(0)]E_1 = [b_j(0)-f(0)][f(0)]E_0 = [b_j(0)]E_0 = \hat{E}_j\). Thus both \(\mathsf {C}_0\) are equal and the verifier will accept.
-
In the case \(i>0\) for each \(j \in \{1,\dots ,\lambda \} \), the prover computes \(b_j(i)\), and the verifier computes \(r_j(i) + c_j x_j = b_j(i) - c_jf(i) + c_j x_j=b_j(i)\), if \(x_i=f(i)\). So if the witness is valid, then the \(\mathsf {C}_i\) match and the verifier will accept. \(\square \)
1.2 A.2 Soundness
Our protocol can be seen as a “weak” Fiat-Shamir transformed version of a sigma protocol, where by “weak” we mean that, to obtain a challenge we only hash the commitment (instead of hashing both the commitment and the statement). The known results on the security of the FS transform in the QROM are about the strong FS transform. Therefore, before we can prove the soundness of our protocol we first prove the following lemma, which allows us to prove the security of the weak FS transform. This lemma bootstraps the known results for the strong FS transform to prove the soundness of the weak FS transform of a sigma protocol where the first message of the prover commits to the statement.
Lemma 2
Suppose \(\varSigma = (P_1,V_1,P_2,V_2)\) is a sigma protocol for the relation R with superpolynomially sized challenge space \(\mathcal {C}h\), special soundness and quantum computationally unique responses. Let \(\varSigma ' = (P',V')\) be the following sigma protocol:
![](http://media.springernature.com/lw515/springer-static/image/chp%3A10.1007%2F978-3-030-81293-5_14/MediaObjects/513547_1_En_14_Equ22_HTML.png)
Then the weak Fiat-Shamir transformed version of \(\varSigma '\) is a quantum proof of knowledge for the same relation R, assuming that \(\mathcal {C}\) is collapsing.
Proof
The strategy of the proof is to interpret the weak FS transform for the relation R as the strong FS transformed protocol for a different relation \(R'\). We can then use the techniques of Don et al. [16] on the security of the strong FS transform in the QROM. We define the following relation
and the following sigma protocol \(\varSigma '' = (P'',V'')\):
![](http://media.springernature.com/lw525/springer-static/image/chp%3A10.1007%2F978-3-030-81293-5_14/MediaObjects/513547_1_En_14_Equ23_HTML.png)
Observe that the adaptive proof of knowledge game against the weak FS transform of \(\varSigma '\) is identical to the adaptive proof of knowledge game against the strong FS transform of \(\varSigma ''\), so it suffices to prove that \(FS(\varSigma '')\) is a quantum proof of knowledge to finish the proof. We do this by invoking the theorems of Don et al. [16, Th. 25 and Cor. 16], which say that if \(\varSigma ''\) has special soundness, quantum computationally unique responses and a superpolynomial challenge space, then \(FS(\varSigma '')\) is a quantum proof of knowledge. Note that the challenge space \(\mathcal {C}h\) is superpolynomial by assumption.
Special Soundness.Footnote 2 Suppose we are given two accepting transcripts \(\mathsf {C}_x,com,ch,(x,y,rsp)\) and \(\mathsf {C}_x,com,ch',(x',y',rsp')\) with \(ch \not = ch'\), which means
Then, we can either extract a collision \(\mathcal {C}(x,y) = \mathcal {C}(x',y')\) for \(\mathcal {C}\) in the case \(x \not = x'\), or we can invoke the special soundness of \(\varSigma \) to obtain a witness w such that \((x,w) \in R\), which means we can construct a witness \(w' = (x,y,w)\) such that \((\mathsf {C}_x,w') \in R'\).
Quantum Computationally Unique Responses ([16, Def. 24]). We define 3 games \(\mathsf {Game}_i\) for \(i \in \{1,2,3\}\), played by a two-stage poly-time adversary \(\mathcal {A}= (\mathcal {A}_1,\mathcal {A}_2)\):
Then the sigma protocol has quantum computationally unique responses if for any adversary \(\mathcal {A}\), the following advantage is a negligible function of the security parameter:
This follows immediately from the assumptions, because the assumption that \(\mathcal {C}\) is collapsing implies that \(\left| \Pr _{\mathsf {Game}_1^\mathcal {A}} [z = b = 1] - \Pr _{\mathsf {Game}_2^\mathcal {A}} [z = b = 1] \right| \) is negligible, and the assumption that \(\varSigma \) has quantum computationally unique responses implies that \(\left| \Pr _{\mathsf {Game}_2^\mathcal {A}} [z = b = 1] - \Pr _{\mathsf {Game}_3^\mathcal {A}} [z = b = 1] \right| \) is negligible. \(\square \)
Lemma 3
Algorithms 3 and 4 constitute a sound NIPVP in the QROM for the list of relations of (1) if the used commitment scheme is collapsing.
Proof
We need to prove that for any \(I \subseteq \{0,\dots ,n\} \) and any QPT adversary \(\mathcal {A}^\mathcal {O}\), the following advantage is negligible:
![](http://media.springernature.com/lw486/springer-static/image/chp%3A10.1007%2F978-3-030-81293-5_14/MediaObjects/513547_1_En_14_Equ24_HTML.png)
If \(|I|<k\), then \(\mathsf {Adv}^{\mathsf {sound}}_{\mathcal {A},I} = 0\) for any \(\mathcal {A}\), simply because for every \(x_I\), there exists a \(w \in \mathbb {Z}_N[x]_{\le k-1}\) such that \((x_I,w) \in R_I\). Therefore, we can focus on the case \(|I|\ge k\) for the remainder of the proof. We fix \(I \subset \{0,\dots ,n\} \) with \(|I|\ge k\). We define the function F as follows
where \(\mathsf {C}_0' = \mathcal {C}( [r_1(0)] E_{c_1} || \cdots || [r_\lambda (0)] E_{c_\lambda } || x_0 , y_0)\) (if \(0 \in I\)), and where \(\mathsf {C}_i' = \mathcal {C}( r_1(i) + c_1 x_i || \cdots || r_\lambda (i) + c_\lambda x_i || x_i , y_i)\). With this notation we have\(V^\mathcal {O}(i,x_i,\widetilde{\pi },\pi _i) = 1\) for all \(i \in I\) if and only if \(F( \mathcal {O}(\mathsf {C}) , x_I , y_I, \mathbf {r}) = \mathsf {C}_I \) and \(\mathsf {C}'_i = \mathcal {C}(x_i,y_i)\) for all \(i \in I\). So the claim that the advantage \(\mathsf {Adv}^{\mathsf {sound}}_{\mathcal {A},I}(\lambda )\) is negligible for every efficient adversary \(\mathcal {A}\) is equivalent to the claim that the “weak” FS transform of the following sigma protocol \(\varSigma ' = (P_1',V_1',P_2',V_2')\) is a quantum computationally sound proof for \(R_I\) ([16, Def. 9]):
Since quantum computational soundness is implied by the quantum proof of knowledge property, it suffices to prove that the weak FS transform of \(\varSigma '\) is a quantum proof of knowledge. This sigma protocol takes the form of \(\varSigma '\) in the statement of Lemma 2, so we can conclude that our NIPVP is sound if the sigma protocol \(\varSigma = (P_1,V_1,P_2,V_2)\) with
has a superpolynomial challenge space, special soundness and quantum computationally unique responses.
Superpolynomial Challenge Space. The size of the challenge space is \(2^\lambda \), which is superpolynomial in \(\lambda \).
Special Soundness.Footnote 3 Let \(x_I, \mathsf {C}_I, \mathbf {c} , \mathbf {r}\) and \(x_I, \mathsf {C}_I, \mathbf {c}'' , \mathbf {r}'\) be two accepting transcripts with \(\mathbf {c} \not = \mathbf {c}'\). Take \(j \in \{1,\dots ,\lambda \} \) such that \(c_j \not = c'_j\), without loss of generality we can assume \(c_j = 0\) and \(c'_j = 1\). Then, if \(0 \in I\) and \([r_j(0)] E_0 \ne [r'(0)] E_1\), we found a collision in \(\mathcal {C}\). Similarly, if for some non-zero \(i \in I\) we have \(r_j(i) \not = r'_j(i) + x_i\), we also have a collision for \(\mathcal {C}\). If there is no collision, we have
so \(r_j(x) - r'_j(x)\) is a witness for \(x_I\).
Quantum Computationally Unique Responses. Notice that F factors as \(F = G \circ H\), where H is the function that given \(\mathbf {c},x_I\) and \(\mathbf {r}\) computes the input to the commitment function \(\mathcal {C}\), and where G takes the output of H and the commitment randomness \(y_I\) and outputs \(\mathsf {C}_I\). We define 3 games \(\mathsf {Game}_i\) for \(i \in \{1,2,3\}\), played by a two-stage poly-time adversary \(\mathcal {A}= (\mathcal {A}_1,\mathcal {A}_2)\):
We need to prove that for any efficient \(\mathcal {A}\) the following is a negligible function:
Since G is just the parallel composition of |I| instances of \(\mathcal {C}\), and since we assumed that \(\mathcal {C}\) is collapsing it follows that G is collapsing. Therefore we have that \(\left| \Pr _{\mathsf {Game}_1^{\mathcal {A}}}[z=b=1] - \Pr _{\mathsf {Game}_2^{\mathcal {A}}}[z=b=1] \right| \) is negligible. Since for a fixed value of \(x_I\) and \(\mathbf {c}\), the function \(H(\mathbf {c},x_I,\cdot )\) is injective (here we use that \(|I| \ge k\)), we get that after measuring h and \(\mathbf {c}\), the register \(\mathbf {r}\) is not in a superposition of basis vectors. Therefore, the measurement \(\mathbf {r} \leftarrow \mathcal {M}(\mathbf {r})\) does not affect the state of the system and we have \(\Pr _{\mathsf {Game}_2^{\mathcal {A}}}[z=b=1] = \Pr _{\mathsf {Game}_3^{\mathcal {A}}}[z=b=1]\). \(\square \)
1.3 A.3 Zero-Knowledge
For a fixed \(I \subseteq \{0,\dots ,n\} \), our security definition of zero-knowledge for NIPVP is similar to the standard definition of non-interactive zero-knowledge in the QROM (e.g. [31, Def. 6]), except that the simulator is only given a partial statement \(x_I\), instead of the full statement \(\mathbf {x}\). Our proof strategy is to first reduce the NIPVP soundness to the standard zero-knowledge property of a standard sigma protocol. Then, we can use the results of Unruh [31] to finish the proof.
Lemma 4
Fix \(I \subset \{0,\dots ,n\} \) and suppose \(\mathsf {Sim}= (\mathsf {Sim}_1,\mathsf {Sim}_2)\) is a zero-knowledge simulator for the “weak” FS transform of the sigma protocol \(\varSigma = (P_1,V_1,P_2,V_2)\) for the relation \(R_I\).
Then there exists a simulator \(\mathsf {Sim}' = (\mathsf {Sim}_1',\mathsf {Sim}_2')\) such that for any QPT distinguisher \(\mathcal {A}\), the distinguishing advantage
is a negligible function of the security parameter, where \(P'\) is an oracle that on input \((\mathbf {x},w) \in R\) runs \(\pi := P^\mathcal {O}(\mathbf {x},w)\) and outputs \(\pi _I = (\tilde{\pi }, \{ \pi _i \}_{i \in I})\) and \(S'\) is an oracle that on input \((\mathbf {x},w) \in R\) returns \(\mathsf {Sim}'_1( \{x_i\}_{i \in I} )\).
Proof
The simulator \(\mathsf {Sim}_2'\) simply forwards all its queries to \(\mathsf {Sim}_2\), and \(\mathsf {Sim}_1'\) forwards his queries to \(\mathsf {Sim}_1\) to obtain \(\mathsf {C}_I,y_I,y'_I,\mathbf {r}\). Then, for all \(i \not \in I\) the simulator \(\mathsf {Sim}_1'\) commits to dummy values to produce \(\mathsf {C}_i\) and \(\mathsf {C}'_i\). Then \(\mathsf {Sim}_1'\) outputs \(\tilde{\pi } = (\mathsf {C},\mathsf {C}',\mathbf {r}), \{ \pi _i = (y_i,y'_i) \}_{i \in I}\).
We prove the lemma with a simple hybrid argument: Let \(\mathsf {Sim}''\) be identical to \(\mathsf {Sim}'\) except that it interacts with a real prover for \(\varSigma \), instead of with \(\mathsf {Sim}\). Then, because \(\mathsf {Sim}\) is supposed to be computationally indistinguishable from a real prover, we have that \(\left| \Pr \left[ \mathcal {A}^{S', \mathsf {Sim}_2'} ( 1^\lambda ) = 1 \right] - \Pr \left[ \mathcal {A}^{S'', \mathsf {Sim}_2''} ( 1^\lambda ) = 1 \right] \right| \) is negligible. Secondly, since the only difference between an honest prover for the NIPVP protocol and \(\mathsf {Sim}''\) is that \(\mathsf {Sim}''\) commits to dummy values instead of real values for \(i \not \in I\), it follows from the quantum computationally hiding property of the commitment scheme that \(\left| \Pr \left[ \mathcal {A}^{P',\mathcal {O}} (1^\lambda ) = 1 \right] - \Pr \left[ \mathcal {A}^{S'', \mathsf {Sim}_2''} ( 1^\lambda ) = 1 \right] \right| \) is negligible. \(\square \)
Lemma 5
Algorithms 3 and 4 form a zero-knowledge NIPVP in the QROM for the list of relations of (1) if the used commitment scheme is quantum computationally hiding and collapsing.
Proof
In light of Lemma 4, if suffices to prove that for every \(I \subseteq \{0,\dots ,n\} \), the “weak” FS transform of the sigma protocol \(\varSigma _I\) is zero-knowledge. Unruh proved (Theorem 20 of [31]) that if a sigma protocol has HVZK, completeness and unpredictable commitments, then the “strong” FS transform of that sigma protocol is zero-knowledge, but the proof goes through without problems in case of a “weak” FS transform also. Therefore, it suffices to prove for each \(I \subset \{0,\dots ,n\} \), that \(\varSigma _I\) has HVZK, completeness and unpredictable commitments.
Completeness. The protocol has perfect completeness. The proof is similar to the proof of Lemma 1.
Unpredictable Commitments. We say the sigma protocol has unpredictable commitments if the commitments have superlogarithmic collision entropy. More concretely, if there exists a negligible function \(\mu (\lambda )\), such that for every \((x_I,w) \in R_I\) we have
Let \(i \in I\), then since \(\mathsf {C}_i\) and \(\mathsf {C}''_i\) are commitments, there are two possible ways to get a collision:
-
The first possibility is that both commit to the same value. But since \(\mathsf {C}_i\) commits to \(\lambda \) uniformly random elements of \(\mathcal {G}\) (or \(\mathcal {E}\) in case \(i = 0\)), the probability that this happens is negligible.
-
The second possibility is that both commitments commit to different values. Since we assume that \(\mathcal {C}\) is collapsing (which implies collision resistance), this can also only happen with negligible probability.
Honest Verifier Zero Knowledge. The protocol has perfect HVZK. Consider the simulator that picks \(y_I, y'_I, \mathbf {r}\) and \(\mathbf {c}\) uniformly at random and sets \(\mathsf {C}_I = F(\mathbf {c},x_I,y_I,\mathbf {r})\) and \( \mathsf {C}'_i = \mathcal {C}(x_i,y'_i) \) for all \(i \in I\).
This produces the same distribution of transcripts as honest executions of the protocol, because in both cases \(y_I. y'_I, \mathbf {r}\) and \(\mathbf {c}\) are uniformly random, and the rest of the transcript is a function of \(y_I, y'_I, \mathbf {r}\) and \( \mathbf {c}\).
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Beullens, W., Disson, L., Pedersen, R., Vercauteren, F. (2021). CSI-RAShi: Distributed Key Generation for CSIDH. In: Cheon, J.H., Tillich, JP. (eds) Post-Quantum Cryptography. PQCrypto 2021. Lecture Notes in Computer Science(), vol 12841. Springer, Cham. https://doi.org/10.1007/978-3-030-81293-5_14
Download citation
DOI: https://doi.org/10.1007/978-3-030-81293-5_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-81292-8
Online ISBN: 978-3-030-81293-5
eBook Packages: Computer ScienceComputer Science (R0)