#LyX 2.3 created this file. For more info see http://www.lyx.org/
\lyxformat 544
\begin_document
\begin_header
\save_transient_properties true
\origin unavailable
\textclass article
\begin_preamble
\usepackage{a4wide}
\end_preamble
\use_default_options true
\maintain_unincluded_children false
\language english
\language_package default
\inputencoding auto
\fontencoding global
\font_roman "default" "default"
\font_sans "default" "default"
\font_typewriter "default" "default"
\font_math "auto" "auto"
\font_default_family default
\use_non_tex_fonts false
\font_sc false
\font_osf false
\font_sf_scale 100 100
\font_tt_scale 100 100
\use_microtype false
\use_dash_ligatures true
\graphics default
\default_output_format default
\output_sync 0
\bibtex_command default
\index_command default
\paperfontsize default
\spacing single
\use_hyperref false
\papersize default
\use_geometry false
\use_package amsmath 1
\use_package amssymb 1
\use_package cancel 1
\use_package esint 1
\use_package mathdots 1
\use_package mathtools 1
\use_package mhchem 1
\use_package stackrel 1
\use_package stmaryrd 1
\use_package undertilde 1
\cite_engine basic
\cite_engine_type default
\biblio_style plain
\use_bibtopic false
\use_indices false
\paperorientation portrait
\suppress_date false
\justification true
\use_refstyle 1
\use_minted 0
\index Index
\shortcut idx
\color #008000
\end_index
\secnumdepth 3
\tocdepth 3
\paragraph_separation indent
\paragraph_indentation default
\is_math_indent 0
\math_numbering_side default
\quotes_style english
\dynamic_quotes 0
\papercolumns 1
\papersides 1
\paperpagestyle default
\tracking_changes false
\output_changes false
\html_math_output 0
\html_css_as_file 0
\html_be_strict false
\end_header

\begin_body

\begin_layout Subsection*
Parameters
\end_layout

\begin_layout Itemize
\begin_inset Formula $\mathbb{G}_{1},$
\end_inset

 
\begin_inset Formula $\mathbb{G}_{2}$
\end_inset

 - elliptic curve points.
\end_layout

\begin_layout Itemize
Curves are of the same order 
\begin_inset Formula $P$
\end_inset

 [is that required?].
\end_layout

\begin_layout Itemize
Two curve generators: 
\begin_inset Formula $g\in\mathbb{G}_{1}$
\end_inset

, 
\begin_inset Formula $h\in\mathbb{G}_{2}$
\end_inset


\end_layout

\begin_layout Itemize
\begin_inset Formula $z\in\mathbb{G}_{T}$
\end_inset

, where 
\begin_inset Formula $z$
\end_inset

 is the result of pairing: 
\begin_inset Formula $z=e\left(g,h\right)$
\end_inset

.
\end_layout

\begin_layout Standard
We denote 
\begin_inset Formula $\mathbb{P}=\left[1,P-1\right]$
\end_inset

 (nonzero scalars).
\end_layout

\begin_layout Subsection*
Scheme
\end_layout

\begin_layout Standard
Scalar operations assumed to be done 
\begin_inset Formula $\mod P$
\end_inset

.
 We are creating values for the threshold 
\begin_inset Formula $T$
\end_inset

, total shares 
\begin_inset Formula $N\ge T$
\end_inset

, and 
\begin_inset Formula $\tilde{N}$
\end_inset

 key slivers [or whatever we end up calling them].
\end_layout

\begin_layout Subsubsection*
Keymakers
\end_layout

\begin_layout Standard
Each party 
\begin_inset Formula $n$
\end_inset

, 
\begin_inset Formula $1\le n\le\tilde{N}$
\end_inset

, independently:
\end_layout

\begin_layout Enumerate
Generates a secret value 
\begin_inset Formula $\alpha_{1}^{(n)}\in\mathbb{P}$
\end_inset

 (a part of the decrypting key).
\end_layout

\begin_layout Enumerate
Calculates 
\begin_inset Formula $p^{(n)}=\alpha_{1}^{(n)}*z\in\mathbb{G}_{T}$
\end_inset

 and publishes it as a part of the encrypting key.
\end_layout

\begin_layout Subsubsection*
Encryptor
\end_layout

\begin_layout Enumerate
Chooses the Keymaker parties and calculates the encrypting key 
\begin_inset Formula $p=\sum_{n=1}^{\tilde{N}}p^{(n)}\in\mathbb{G}_{T}$
\end_inset

.
 
\end_layout

\begin_layout Enumerate
[Verify that all the key parts he used were generated by the chosen Keymakers?]
 
\end_layout

\begin_layout Enumerate
Creates his secret and public keys: 
\begin_inset Formula $s^{\mathrm{E}}\in\mathbb{P}$
\end_inset

, 
\begin_inset Formula $p^{\mathrm{E}}=s^{\mathrm{E}}*g\in\mathbb{G}_{1}$
\end_inset

.
\end_layout

\begin_layout Enumerate
Uses the secret 
\begin_inset Formula $y=s^{\mathrm{E}}*p\in\mathbb{G}_{T}$
\end_inset

 as a symmetric encryption key.
 Returns the ciphertext and 
\begin_inset Formula $\mathrm{Capsule}\left(p^{\mathrm{E}}\right)$
\end_inset

.
\end_layout

\begin_layout Standard
Note that at this point the recipient is still unknown, but Keymakers must
 store their generated 
\begin_inset Formula $\alpha_{1}^{(n)}$
\end_inset

.
\end_layout

\begin_layout Subsubsection*
Recipient
\end_layout

\begin_layout Enumerate
Creates a uniform random 
\begin_inset Formula $s^{\mathrm{R}}\in\mathbb{P}$
\end_inset

.
 That is his secret key.
 [I assume it can't be zero]
\end_layout

\begin_layout Enumerate
Creates a 
\begin_inset Formula $p^{\mathrm{R}}=s^{\mathrm{R}}*h\in\mathbb{G}_{2}$
\end_inset

.
 That is his public key.
\end_layout

\begin_layout Enumerate
Gives 
\begin_inset Formula $p^{\mathrm{R}}$
\end_inset

 to Author requesting access to the data.
\end_layout

\begin_layout Subsubsection*
Author
\end_layout

\begin_layout Enumerate
Author creates a policy label 
\begin_inset Formula $L$
\end_inset

 and sends it along with 
\begin_inset Formula $p^{\mathrm{R}}$
\end_inset

 to Keymakers requesting sliver generation.
\end_layout

\begin_layout Subsubsection*
Keymakers
\end_layout

\begin_layout Standard
Each party 
\begin_inset Formula $n$
\end_inset

, 
\begin_inset Formula $1\le n\le\tilde{N}$
\end_inset

, independently:
\end_layout

\begin_layout Enumerate
Generates 
\begin_inset Formula $T-1$
\end_inset

 secret random coefficients 
\begin_inset Formula $\alpha_{t}^{(n)}\in\mathbb{P}$
\end_inset

, 
\begin_inset Formula $2\le t\le T$
\end_inset

.
 [I assume here the coefficients can't be zero either] Note that we also
 use the previously created 
\begin_inset Formula $\alpha_{0}^{(n)}$
\end_inset

.
\end_layout

\begin_layout Enumerate
Generates shared values 
\begin_inset Formula $x_{m}\in\mathbb{P}$
\end_inset

, 
\begin_inset Formula $1\le m\le N$
\end_inset

 deterministically from 
\begin_inset Formula $L$
\end_inset

: 
\begin_inset Formula $x_{m}=H\left(L,m\right)$
\end_inset

, where 
\begin_inset Formula $H$
\end_inset

 is a hash function.
\end_layout

\begin_layout Enumerate
Calculates 
\begin_inset Formula $r_{m}^{(n)}=\left(\sum_{t=1}^{T}\alpha_{t}^{(n)}x_{m}^{t-1}\right)*p^{\mathrm{R}}\in\mathbb{G}_{2}$
\end_inset

.
\end_layout

\begin_layout Enumerate
Generates 
\begin_inset Formula $\mathrm{KeySliver}\left(r_{1}^{(n)},\dots,r_{N}^{(n)},x_{1},\dots,x_{N}\right)$
\end_inset

 and sends it to Author.
 
\end_layout

\begin_layout Subsubsection*
Author (or Publisher?)
\end_layout

\begin_layout Enumerate
Checks that the shared values 
\begin_inset Formula $x_{m}$
\end_inset

 in all the slivers are the same.
\end_layout

\begin_layout Enumerate
Calculates 
\begin_inset Formula $r_{m}=\sum_{n=1}^{\tilde{N}}r_{m}^{(n)}\in\mathbb{G}_{2}$
\end_inset

, 
\begin_inset Formula $1\le m\le N$
\end_inset

.
\end_layout

\begin_layout Enumerate
Creates 
\begin_inset Formula $N$
\end_inset

 key frags: 
\begin_inset Formula $\mathrm{KeyFrag}\left(r_{m},x_{m}\right)$
\end_inset

, 
\begin_inset Formula $1\le m\le N$
\end_inset

.
\end_layout

\begin_layout Subsubsection*
Proxies
\end_layout

\begin_layout Standard
Each proxy 
\begin_inset Formula $m$
\end_inset

, 
\begin_inset Formula $1\le m\le N$
\end_inset

, independently:
\end_layout

\begin_layout Enumerate
Receives the capsule (that is, 
\begin_inset Formula $p^{\mathrm{E}}$
\end_inset

) and the key frag 
\begin_inset Formula $m$
\end_inset

.
\end_layout

\begin_layout Enumerate
[Verifies that all the parts generated by Keymakers are present?] [Would
 the proxy really care about it though?]
\end_layout

\begin_layout Enumerate
Reencrypts: 
\begin_inset Formula $c_{m}=e\left(p^{\mathrm{E}},r_{m}\right)\in\mathbb{G}_{T}$
\end_inset

, 
\begin_inset Formula $1\le n\le\tilde{N}$
\end_inset

.
\end_layout

\begin_layout Enumerate
Generates 
\begin_inset Formula $\mathrm{CapsuleFrag}\left(c_{m},x_{m}\right)$
\end_inset

.
\end_layout

\begin_layout Subsubsection*
Recipient
\end_layout

\begin_layout Enumerate
Collects a subset 
\begin_inset Formula $M$
\end_inset

 of 
\begin_inset Formula $T$
\end_inset

 capsule frags (out of 
\begin_inset Formula $N$
\end_inset

 total)
\end_layout

\begin_layout Enumerate
[Verifies that the cfrags were made with the participation of Keymakers?]
\end_layout

\begin_layout Enumerate
[Verifies that the cfrags were made with the participation of Author?]
\end_layout

\begin_layout Enumerate
[Verifies that the cfrags were made for his public key? Well if they aren't,
 he just can't decrypt, right?]
\end_layout

\begin_layout Enumerate
Calculates 
\begin_inset Formula $\lambda_{m}=\prod_{m^{\prime}\in M,\,m^{\prime}\ne m}\frac{x_{m^{\prime}}}{x_{m^{\prime}}-x_{m}}$
\end_inset

, 
\begin_inset Formula $m\in M$
\end_inset

.
\end_layout

\begin_layout Enumerate
Calculates the symmetric key 
\begin_inset Formula $y^{\prime}=\left(\sum_{m\in M}c_{m}\lambda_{m}\right)\frac{1}{s^{\mathrm{R}}}=y$
\end_inset

 and uses it to decrypt the ciphertext.
\end_layout

\end_body
\end_document