The two classes of this subsection are concrete instantiations of Barnett and Smart’s VTMF primitive [BS03]. More formally, the authors specify four different protocols:
Each protocol uses low-level operations on an appropriately chosen algebraic group G. The choice of this group is crucial to the security of the card encoding scheme and thus also to the security of high-level operations on cards and stacks.
Only a few methods and members of these classes are of general interest to an application programmer, e.g. the methods of the key generation protocol. The remaining ones are used only internally by the high-level operations of SchindelhauerTMCG. Therefore this manual omits the description of such internal functions and members.
This class implements the discrete logarithm instantiation of the VTMF primitive in the field {\bf Z}/p{\bf Z}, where p is a large prime number. The mathematical computations are performed in the finite cyclic subgroup G of prime order q such that p = kq + 1 holds for some k\in {\bf Z}. The security relies on the DDH assumption in G, i.e., the distribution \{g^a, g^b, g^{ab}\} is computationally indistinguishable from \{g^a, g^b, g^c\}, where g is a generator of G and a, b, c are chosen at random from {\bf Z}_q. Currently, this well-established assumption is believed to hold, if p and q are chosen according to the predefined security parameters of LibTMCG.
This is the public prime number p which defines the underlying finite field {\bf Z}/p{\bf Z}.
This is the public prime number q which defines the underlying cyclic group G. G is a subgroup of {\bf Z}/p{\bf Z} and is exactly of order q.
This is the fixed public generator g of the underlying group G.
This is a public integer k such that p = kq + 1 holds.
This is the common public key h = \prod_{i=1}^k h_i which contains the public keys h_i of each player P_i. Note that in the above formula k denotes the number of players.
This is the public key h_i of this player instance.
const unsigned long int fieldsize = TMCG_DDH_SIZE, const unsigned long int subgroupsize = TMCG_DLSE_SIZE, const bool canonical_g_usage = false, const bool initialize_group = true)
This constructor creates a new VTMF instance. That means, the primes p and q are randomly and uniformly chosen such that they have a length of fieldsize bits and subgroupsize bits, respectively. Further, either a generator g for the unique subgroup of order q is chosen at random or, if canonical_g_usage is set to true, the generator g is chosen in a verifiable way (cf. FIPS 186-3 A.2.3). If the arguments are omitted, then fieldsize, subgroupsize and canonical_g_usage are set to their default values TMCG_DDH_SIZE, TMCG_DLSE_SIZE, and false, respectively. The argument initialize_group should always be set to true. Depending on fieldsize and subgroupsize, the group generation is a very time-consuming task that should be taken into account by the application designer.
std::istream& in, const unsigned long int fieldsize = TMCG_DDH_SIZE, const unsigned long int subgroupsize = TMCG_DLSE_SIZE, bool canonical_g_usage = false, const bool precompute = true)
This constructor initializes the VTMF instance from a correctly formatted input stream in. For example, such a stream can be generated by calling the method PublishGroup of an already created instance. The arguments fieldsize, subgroupsize, and canonical_g_usage are stored for later use, e.g. by the method CheckGroup as explained below. The argument precompute should always be set to true. If these arguments are omitted, then they are set to the default values TMCG_DDH_SIZE, TMCG_DLSE_SIZE, false, and true, respectively.
This method checks whether p and q have appropriate sizes with respect to the bit lengths given during the initialization of the corresponding instance. Further, it checks whether p has the correct form (i.e. p = kq + 1), whether p and q are probable primes, and whether g is a generator of the subgroup G. If canonical_g_usage was set to true during the call of the constructor, then it additionally checks whether g was generated in a verifiable way (cf. FIPS 186-3 A.2.3). It returns true if all of these checks have been passed successfully.
std::ostream& out)
This method exports all necessary group parameters of G to the given output stream out, so other VTMF instances of G can be initialized, e.g. with the second constructor of BarnettSmartVTMF_dlog.
This method generates a VTMF key pair and stores the numbers internally for later use. It must be called before any other part of the key generation protocol is executed. Otherwise, the produced results are wrong.
std::ostream& out)
This method exports the public part h_i of the generated VTMF key pair to the given output stream out. Further, it appends a non-interactive zero-knowledge proof of knowledge (NIZK) which shows that the instance knows the secret part x_i such that h_i \equiv g^{x_i} \pmod{p} holds. Due to the non-interactive nature of this proof, the method has to be called only once, while the computed output can be reused multiple times if necessary.
std::istream& in)
This method reads the public part of a VTMF key and the NIZK from the input stream in. It appends the key to the common public key and returns true if the given proof was sound. Otherwise, false is returned.
std::istream& in)
This method reads the public part of a VTMF key and the corresponding NIZK from the input stream in. It removes the key from the common public key and returns true if the key was previously appended by KeyGenerationProtocol_UpdateKey as explained above.
This method must be called after any update (KeyGenerationProtocol_UpdateKey) or removal (KeyGenerationProtocol_RemoveKey) has been performed on the common public key.
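The key exchange described above, sketched in plain Python as an added example (it is not LibTMCG code and does not reproduce its stream format or the finalization step). The proof is assumed to be a Schnorr proof made non-interactive with a SHA-256 challenge; all names and the toy group p = 607, q = 101, g = 64 are constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy group (p = 6q + 1, g of order q); real groups use TMCG_DDH_SIZE bits.
P, Q, G = 607, 101, 64

def challenge(h_i, t):
    # Fiat-Shamir challenge; hashing the group and the key binds the proof to both.
    data = f"{P}|{Q}|{G}|{h_i}|{t}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def generate_key():
    x_i = secrets.randbelow(Q - 1) + 1          # secret exponent in [1, q-1]
    return x_i, pow(G, x_i, P)                  # (x_i, h_i = g^x_i mod p)

def publish_key(x_i, h_i):
    v = secrets.randbelow(Q)
    t = pow(G, v, P)                            # commitment
    r = (v + challenge(h_i, t) * x_i) % Q       # response
    return h_i, t, r                            # public key plus proof

def proof_is_sound(msg):
    h_i, t, r = msg
    if not (1 < h_i < P and pow(h_i, Q, P) == 1):
        return False                            # key is outside the order-q subgroup
    return pow(G, r, P) == t * pow(h_i, challenge(h_i, t), P) % P

class CommonKey:
    def __init__(self, own_h):
        self.h, self.members = own_h, set()     # h starts as this player's h_i

    def update_key(self, msg):
        if msg[0] in self.members or not proof_is_sound(msg):
            return False                        # never multiply in an unproven key
        self.members.add(msg[0])
        self.h = self.h * msg[0] % P            # h := h * h_i
        return True

    def remove_key(self, msg):
        if msg[0] not in self.members:
            return False                        # only keys appended before can go
        self.members.remove(msg[0])
        self.h = self.h * pow(msg[0], -1, P) % P  # h := h / h_i
        return True
```

Rejecting a key whose proof fails before it touches h is what keeps a player from contributing a key chosen as a function of the others' keys.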
This destructor releases all occupied resources.
BarnettSmartVTMF_dlog: BarnettSmartVTMF_dlog_GroupQR
This subclass implements the discrete logarithm instantiation of the VTMF primitive in the field {\bf Z}/p{\bf Z}, where p is a large prime number. The mathematical computations are performed in a special finite cyclic subgroup G (quadratic residues modulo p) of prime order q, where p = 2q + 1 holds. The security also relies on the DDH assumption w.r.t. G, i.e., the distribution \{g^a, g^b, g^{ab}\} is computationally indistinguishable from \{g^a, g^b, g^c\}, where g is a generator of G and a, b, c are chosen at random from {\bf Z}_q. Currently, this well-established assumption is believed to hold, if p and q are chosen according to the predefined security parameters of LibTMCG.
This is the public prime number p which defines the underlying finite field {\bf Z}/p{\bf Z}.
This is the public prime number q which defines the underlying cyclic group G. G denotes the unique subgroup of quadratic residues modulo p which is exactly of order q, if p = 2q + 1 holds.
This is the fixed public generator g of the underlying group G.
This integer is fixed here by k = 2.
This is the common public key h = \prod_{i=1}^k h_i which contains the public keys h_i of each player P_i. Note that in the above formula k denotes the number of players.
This is the public key h_i of this player instance.
const unsigned long int fieldsize = TMCG_DDH_SIZE, const unsigned long int exponentsize = TMCG_DLSE_SIZE)
This constructor creates a new VTMF instance. That means, the safe prime p is randomly and uniformly chosen such that it has a length of fieldsize bits. Further, the generator g is initially set to 2 and then shifted by fieldsize - exponentsize bit positions, according to the procedure described by Koshiba and Kurosawa (see Short Exponent Diffie-Hellman Problems, PKC 2004, LNCS 2947). If the arguments of the constructor are omitted, then fieldsize and exponentsize are set to their default values TMCG_DDH_SIZE and TMCG_DLSE_SIZE, respectively. Depending on fieldsize and exponentsize, the group generation is a very time-consuming task that should be taken into account by the application designer.
std::istream& in, const unsigned long int fieldsize = TMCG_DDH_SIZE, const unsigned long int exponentsize = TMCG_DLSE_SIZE)
This constructor initializes the VTMF instance from a correctly formatted input stream in. For example, such a stream can be generated by calling the method PublishGroup of an already created instance. The arguments fieldsize and exponentsize are stored for later use, e.g. by the method CheckGroup as explained below. If these arguments are omitted, then they are set to the default values TMCG_DDH_SIZE and TMCG_DLSE_SIZE, respectively.
This method checks whether p and q have appropriate sizes with respect to the bit lengths given during the initialization of the corresponding instance. Further, it checks whether p has the correct form (i.e. p = 2q + 1), whether p and q are probable primes, and whether g is a generator of the subgroup G. It returns true if all of these checks have been passed successfully.
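The checks listed here and in the CheckGroup description of BarnettSmartVTMF_dlog above (general k), sketched in plain Python as an added example; it is not LibTMCG code. The names check_group and is_probable_prime, the failure labels and the toy parameters are constructed for illustration; "appropriate size" is assumed to mean at least the requested bit length, and the verifiable-generator check of FIPS 186-3 A.2.3 is left out.

```python
# Fixed Miller-Rabin bases: exact for n below about 3.3e24, probabilistic above.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:                 # write n - 1 = d * 2^s with d odd
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False              # a witnesses that n is composite
    return True

def check_group(p, q, g, k, fieldsize, subgroupsize):
    """Return the labels of the failed checks; an empty list accepts the group."""
    failed = []
    # Assumption: the sizes are minimum bit lengths.
    if p.bit_length() < fieldsize or q.bit_length() < subgroupsize:
        failed.append("size")
    if p != k * q + 1:                # k = 2 gives the safe-prime form p = 2q + 1
        failed.append("form")
    if not (is_probable_prime(p) and is_probable_prime(q)):
        failed.append("prime")
    # With q prime, g generates the order-q subgroup iff g != 1 and g^q = 1 mod p.
    if not (1 < g < p and pow(g, q, p) == 1):
        failed.append("generator")
    return failed
```

The generator test only means what the comment says when the primality check on q has also passed, so a caller should accept a group only when the returned list is empty.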
This destructor releases all occupied resources.