#LyX 2.3 created this file. For more info see http://www.lyx.org/ \lyxformat 544 \begin_document \begin_header \save_transient_properties true \origin unavailable \textclass article \begin_preamble \usepackage{a4wide} \end_preamble \use_default_options true \maintain_unincluded_children false \language english \language_package default \inputencoding auto \fontencoding global \font_roman "default" "default" \font_sans "default" "default" \font_typewriter "default" "default" \font_math "auto" "auto" \font_default_family default \use_non_tex_fonts false \font_sc false \font_osf false \font_sf_scale 100 100 \font_tt_scale 100 100 \use_microtype false \use_dash_ligatures true \graphics default \default_output_format default \output_sync 0 \bibtex_command default \index_command default \paperfontsize default \spacing single \use_hyperref false \papersize default \use_geometry false \use_package amsmath 1 \use_package amssymb 1 \use_package cancel 1 \use_package esint 1 \use_package mathdots 1 \use_package mathtools 1 \use_package mhchem 1 \use_package stackrel 1 \use_package stmaryrd 1 \use_package undertilde 1 \cite_engine basic \cite_engine_type default \biblio_style plain \use_bibtopic false \use_indices false \paperorientation portrait \suppress_date false \justification true \use_refstyle 1 \use_minted 0 \index Index \shortcut idx \color #008000 \end_index \secnumdepth 3 \tocdepth 3 \paragraph_separation indent \paragraph_indentation default \is_math_indent 0 \math_numbering_side default \quotes_style english \dynamic_quotes 0 \papercolumns 1 \papersides 1 \paperpagestyle default \tracking_changes false \output_changes false \html_math_output 0 \html_css_as_file 0 \html_be_strict false \end_header \begin_body \begin_layout Subsection* Parameters \end_layout \begin_layout Itemize \begin_inset Formula $\mathbb{G}_{1},$ \end_inset \begin_inset Formula $\mathbb{G}_{2}$ \end_inset - elliptic curve points. \end_layout \begin_layout Itemize Curves are of the same order \begin_inset Formula $P$ \end_inset [is that required?]. \end_layout \begin_layout Itemize Two curve generators: \begin_inset Formula $g\in\mathbb{G}_{1}$ \end_inset , \begin_inset Formula $h\in\mathbb{G}_{2}$ \end_inset \end_layout \begin_layout Itemize \begin_inset Formula $z\in\mathbb{G}_{T}$ \end_inset , where \begin_inset Formula $z$ \end_inset is the result of pairing: \begin_inset Formula $z=e\left(g,h\right)$ \end_inset . \end_layout \begin_layout Standard We denote \begin_inset Formula $\mathbb{P}=\left[1,P-1\right]$ \end_inset (nonzero scalars). \end_layout \begin_layout Subsection* Scheme \end_layout \begin_layout Standard Scalar operations assumed to be done \begin_inset Formula $\mod P$ \end_inset . We are creating values for the threshold \begin_inset Formula $T$ \end_inset , total shares \begin_inset Formula $N\ge T$ \end_inset , and \begin_inset Formula $\tilde{N}$ \end_inset key slivers [or whatever we end up calling them]. \end_layout \begin_layout Subsubsection* Keymakers \end_layout \begin_layout Standard Each party \begin_inset Formula $n$ \end_inset , \begin_inset Formula $1\le n\le\tilde{N}$ \end_inset , independently: \end_layout \begin_layout Enumerate Generates a secret value \begin_inset Formula $\alpha_{1}^{(n)}\in\mathbb{P}$ \end_inset (a part of the decrypting key). \end_layout \begin_layout Enumerate Calculates \begin_inset Formula $p^{(n)}=\alpha_{1}^{(n)}*z\in\mathbb{G}_{T}$ \end_inset and publishes it as a part of the encrypting key. \end_layout \begin_layout Subsubsection* Encryptor \end_layout \begin_layout Enumerate Chooses the Keymaker parties and calculates the encrypting key \begin_inset Formula $p=\sum_{n=1}^{\tilde{N}}p^{(n)}\in\mathbb{G}_{T}$ \end_inset . \end_layout \begin_layout Enumerate [Verify that all the key parts he used were generated by the chosen Keymakers?] \end_layout \begin_layout Enumerate Creates his secret and public keys: \begin_inset Formula $s^{\mathrm{E}}\in\mathbb{P}$ \end_inset , \begin_inset Formula $p^{\mathrm{E}}=s^{\mathrm{E}}*g\in\mathbb{G}_{1}$ \end_inset . \end_layout \begin_layout Enumerate Uses the secret \begin_inset Formula $y=s^{\mathrm{E}}*p\in\mathbb{G}_{T}$ \end_inset as a symmetric encryption key. Returns the ciphertext and \begin_inset Formula $\mathrm{Capsule}\left(p^{\mathrm{E}}\right)$ \end_inset . \end_layout \begin_layout Standard Note that at this point the recipient is still unknown, but Keymakers must store their generated \begin_inset Formula $\alpha_{1}^{(n)}$ \end_inset . \end_layout \begin_layout Subsubsection* Recipient \end_layout \begin_layout Enumerate Creates a uniform random \begin_inset Formula $s^{\mathrm{R}}\in\mathbb{P}$ \end_inset . That is his secret key. [I assume it can't be zero] \end_layout \begin_layout Enumerate Creates a \begin_inset Formula $p^{\mathrm{R}}=s^{\mathrm{R}}*h\in\mathbb{G}_{2}$ \end_inset . That is his public key. \end_layout \begin_layout Enumerate Gives \begin_inset Formula $p^{\mathrm{R}}$ \end_inset to Author requesting access to the data. \end_layout \begin_layout Subsubsection* Author \end_layout \begin_layout Enumerate Author creates a policy label \begin_inset Formula $L$ \end_inset and sends it along with \begin_inset Formula $p^{\mathrm{R}}$ \end_inset to Keymakers requesting sliver generation. \end_layout \begin_layout Subsubsection* Keymakers \end_layout \begin_layout Standard Each party \begin_inset Formula $n$ \end_inset , \begin_inset Formula $1\le n\le\tilde{N}$ \end_inset , independently: \end_layout \begin_layout Enumerate Generates \begin_inset Formula $T-1$ \end_inset secret random coefficients \begin_inset Formula $\alpha_{t}^{(n)}\in\mathbb{P}$ \end_inset , \begin_inset Formula $2\le t\le T$ \end_inset . [I assume here the coefficients can't be zero either] Note that we also use the previously created \begin_inset Formula $\alpha_{0}^{(n)}$ \end_inset . \end_layout \begin_layout Enumerate Generates shared values \begin_inset Formula $x_{m}\in\mathbb{P}$ \end_inset , \begin_inset Formula $1\le m\le N$ \end_inset deterministically from \begin_inset Formula $L$ \end_inset : \begin_inset Formula $x_{m}=H\left(L,m\right)$ \end_inset , where \begin_inset Formula $H$ \end_inset is a hash function. \end_layout \begin_layout Enumerate Calculates \begin_inset Formula $r_{m}^{(n)}=\left(\sum_{t=1}^{T}\alpha_{t}^{(n)}x_{m}^{t-1}\right)*p^{\mathrm{R}}\in\mathbb{G}_{2}$ \end_inset . \end_layout \begin_layout Enumerate Generates \begin_inset Formula $\mathrm{KeySliver}\left(r_{1}^{(n)},\dots,r_{N}^{(n)},x_{1},\dots,x_{N}\right)$ \end_inset and sends it to Author. \end_layout \begin_layout Subsubsection* Author (or Publisher?) \end_layout \begin_layout Enumerate Checks that the shared values \begin_inset Formula $x_{m}$ \end_inset in all the slivers are the same. \end_layout \begin_layout Enumerate Calculates \begin_inset Formula $r_{m}=\sum_{n=1}^{\tilde{N}}r_{m}^{(n)}\in\mathbb{G}_{2}$ \end_inset , \begin_inset Formula $1\le m\le N$ \end_inset . \end_layout \begin_layout Enumerate Creates \begin_inset Formula $N$ \end_inset key frags: \begin_inset Formula $\mathrm{KeyFrag}\left(r_{m},x_{m}\right)$ \end_inset , \begin_inset Formula $1\le m\le N$ \end_inset . \end_layout \begin_layout Subsubsection* Proxies \end_layout \begin_layout Standard Each proxy \begin_inset Formula $m$ \end_inset , \begin_inset Formula $1\le m\le N$ \end_inset , independently: \end_layout \begin_layout Enumerate Receives the capsule (that is, \begin_inset Formula $p^{\mathrm{E}}$ \end_inset ) and the key frag \begin_inset Formula $m$ \end_inset . \end_layout \begin_layout Enumerate [Verifies that all the parts generated by Keymakers are present?] [Would the proxy really care about it though?] \end_layout \begin_layout Enumerate Reencrypts: \begin_inset Formula $c_{m}=e\left(p^{\mathrm{E}},r_{m}\right)\in\mathbb{G}_{T}$ \end_inset , \begin_inset Formula $1\le n\le\tilde{N}$ \end_inset . \end_layout \begin_layout Enumerate Generates \begin_inset Formula $\mathrm{CapsuleFrag}\left(c_{m},x_{m}\right)$ \end_inset . \end_layout \begin_layout Subsubsection* Recipient \end_layout \begin_layout Enumerate Collects a subset \begin_inset Formula $M$ \end_inset of \begin_inset Formula $T$ \end_inset capsule frags (out of \begin_inset Formula $N$ \end_inset total) \end_layout \begin_layout Enumerate [Verifies that the cfrags were made with the participation of Keymakers?] \end_layout \begin_layout Enumerate [Verifies that the cfrags were made with the participation of Author?] \end_layout \begin_layout Enumerate [Verifies that the cfrags were made for his public key? Well if they aren't, he just can't decrypt, right?] \end_layout \begin_layout Enumerate Calculates \begin_inset Formula $\lambda_{m}=\prod_{m^{\prime}\in M,\,m^{\prime}\ne m}\frac{x_{m^{\prime}}}{x_{m^{\prime}}-x_{m}}$ \end_inset , \begin_inset Formula $m\in M$ \end_inset . \end_layout \begin_layout Enumerate Calculates the symmetric key \begin_inset Formula $y^{\prime}=\left(\sum_{m\in M}c_{m}\lambda_{m}\right)\frac{1}{s^{\mathrm{R}}}=y$ \end_inset and uses it to decrypt the ciphertext. \end_layout \end_body \end_document