# hbACSS Long-Term Key Use

Each peer $i\in[1,N]$ has a keypair $\{sk_i, pk_i = sk_i * G\}$. All public keys are known; the private keys must never be revealed.

- $VSS$ is Feldman's verifiable secret sharing.
- $H(message)$ is the 64-byte SHA-512 digest; where it is used as a scalar it is reduced modulo the group order.
- $HKDF[salt, info](key)$ is 32 bytes of HKDF (RFC 5869) with SHA-256; $\emptyset$ denotes an empty salt or info.
- $encrypt[key](plaintext)$ and $decrypt[key](ciphertext)$ are ChaCha20-Poly1305 (RFC 7539) with an all-zero nonce. This is only safe because every $key$ is used exactly once: the dealer draws a fresh $sk_d$ for every deal, so each $(sk_d, pk_i)$ pair yields a new key. Reusing a key under the fixed nonce would break both confidentiality and authenticity.

##### <span style="font-variant:small-caps;">Deal</span>(s)

*Input:* secret $s$ to share

The dealer broadcasts the result to all peers.

- $C, S \gets VSS.Share(s, \lfloor\frac{N}{3}\rfloor+1, N)$
- $sk_d \gets^R$; $pk_d \gets sk_d * G$
- For $s_i \in S$:
  - $k^i_d \gets sk_d * pk_i$
  - $key \gets HKDF[\emptyset,\emptyset](k^i_d)$
  - $z_i \gets encrypt[key](s_i)$
- Return $C, pk_d, \{z_i\}_{i\in[1,N]}$

##### <span style="font-variant:small-caps;">ExtractShare</span>($(C, pk_d, Z)$)

*Input:* deal $(C, pk_d, Z)$

Peer $i$ decrypts and validates its share.

- $k^i_d \gets sk_i * pk_d$
- $key \gets HKDF[\emptyset,\emptyset](k^i_d)$
- $s_i \gets decrypt[key](z_i)$
- if decryption fails or not $VSS.Verify(C, i, s_i)$:
  - fail
- Return $s_i$

##### <span style="font-variant:small-caps;">Implicate</span>()

Peer $i$ received an invalid deal and returns proof that the dealer is faulty: it reveals $k^i_d$ together with a Schnorr-style proof $NIZK\{(sk_i): sk_i * pk_d = k^i_d\}$, so the other peers can repeat its decryption without learning $sk_i$.

- $k^i_d \gets sk_i * pk_d$
- $r \gets^R$; $R \gets r * pk_d$
- $c \gets H(k^i_d || R || k^i_d)$
- $\pi \gets sk_i \cdot c + r$
- Return $k^i_d, \pi, R$

##### <span style="font-variant:small-caps;">CheckImplicate</span>($(C, pk_d, Z), (k^j_d, \pi, R)$)

*Input:* deal $(C, pk_d, Z)$; implication $(k^j_d, \pi, R)$ from peer $j$

The other peers verify the implication from peer $j$; if the check returns `true`, the implication is correct and the dealer is faulty. The proof equation holds for an honest prover because $\pi * pk_d = (sk_j \cdot c + r) * pk_d = c * k^j_d + R$.

- $c \gets H(k^j_d || R || k^j_d)$
- if not $\pi * pk_d == c * k^j_d + R$:
  - Return `false`
- $key \gets HKDF[\emptyset,\emptyset](k^j_d)$
- $s_j \gets decrypt[key](z_j)$
- if decryption fails or not $VSS.Verify(C, j, s_j)$:
  - Return `true`
- Return `false`

## ToDos

- The Schnorr commitment needs to be improved. The challenge hashes $k^i_d$ twice and binds neither $pk_i$ nor $pk_d$, so the proof only shows knowledge of some $x$ with $x * pk_d = k^i_d$, which anyone can produce for a $k^i_d$ of their own choosing and thereby implicate an honest dealer. A DLEQ proof that $\log_G pk_i = \log_{pk_d} k^i_d$ (a second commitment $r * G$, a challenge over $pk_i, pk_d, k^i_d$ and both commitments, and the extra check $\pi * G == c * pk_i + r * G$) ties the revealed key to peer $i$.
- Domain separation, by selecting `salt`/`info` in $HKDF$.
- Check for and exclude low-order points.
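The four procedures above, run end to end, as an added example that is not code from the original page or from the project. Two stand-ins are assumptions made so it runs on the Python standard library alone: the curve group is replaced by the order-509 subgroup of $\mathbb{Z}_{1019}^*$ (written multiplicatively, so `pow` plays the role of `scalar * point`), and ChaCha20-Poly1305 is replaced by a SHA-256 one-time pad with an HMAC tag that, like the zero-nonce AEAD, relies on every key being used once. The `corrupt` parameter of `deal` and the `forge_implicate` helper are also additions: the first models a faulty dealer, the second shows the proof weakness listed under ToDos.

```python
"""Toy, runnable model of the Deal / ExtractShare / Implicate / CheckImplicate
flow above. Added example, not the project's code. Two stand-ins (assumptions):
the curve group is the order-509 subgroup of Z_1019^* with generator 4, written
multiplicatively (pow == "scalar * point"), and ChaCha20-Poly1305 is replaced
by a SHA-256 one-time pad plus HMAC tag so the block needs only the stdlib."""
import hashlib, hmac, secrets

P, Q, G = 1019, 509, 4     # toy safe-prime group; Q = (P-1)/2 is prime, G = 2^2 has order Q
N = 4                      # peers 1..N
T = N // 3 + 1             # threshold floor(N/3)+1 from the spec

def mul(point, scalar):    # spec's "scalar * point"
    return pow(point, scalar, P)

def add(a, b):             # spec's point addition
    return a * b % P

def to_bytes(x):           # every group element / scalar fits in 2 bytes here
    return x.to_bytes(2, "big")

def H(*parts):             # 64 bytes of SHA-512 over the concatenation
    return hashlib.sha512(b"".join(parts)).digest()

def hkdf(key, salt=b"", info=b""):   # 32 bytes of RFC 5869 HKDF-SHA256 (empty salt = 32 zero bytes)
    prk = hmac.new(salt or bytes(32), key, "sha256").digest()
    return hmac.new(prk, info + b"\x01", "sha256").digest()

def encrypt(key, pt):      # stand-in AEAD; like the zero-nonce ChaCha20-Poly1305 it relies on single-use keys
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.sha256(key + b"stream").digest()))
    return ct + hmac.new(key, ct, "sha256").digest()

def decrypt(key, z):
    ct, tag = z[:-32], z[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, hashlib.sha256(key + b"stream").digest()))

def vss_share(s, t, n):    # Feldman: random degree t-1 polynomial with f(0)=s, commitments G^{a_k}
    coeffs = [s % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    C = [mul(G, a) for a in coeffs]
    S = [sum(a * pow(i, k, Q) for k, a in enumerate(coeffs)) % Q for i in range(1, n + 1)]
    return C, S

def vss_verify(C, i, s_i): # G^{s_i} == prod_k C_k^{i^k}
    rhs = 1
    for k, c_k in enumerate(C):
        rhs = add(rhs, mul(c_k, pow(i, k, Q)))
    return mul(G, s_i) == rhs

def reconstruct(shares):   # Lagrange interpolation at 0 from any T (index, share) pairs
    s = 0
    for i, s_i in shares:
        lam = 1
        for j, _ in shares:
            if j != i:
                lam = lam * j * pow(j - i, -1, Q) % Q
        s = (s + s_i * lam) % Q
    return s

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, mul(G, sk)

def deal(s, pks, corrupt=None):   # Deal(s); corrupt=j models a faulty dealer sending peer j a bad share
    C, S = vss_share(s, T, N)
    if corrupt:
        S[corrupt - 1] = (S[corrupt - 1] + 1) % Q
    sk_d, pk_d = keygen()         # fresh ephemeral key per deal => fresh AEAD key per z_i
    Z = [encrypt(hkdf(to_bytes(mul(pk_i, sk_d))), to_bytes(s_i)) for pk_i, s_i in zip(pks, S)]
    return C, pk_d, Z

def extract_share(i, sk_i, C, pk_d, Z):   # ExtractShare; raises ValueError on a bad deal
    s_i = int.from_bytes(decrypt(hkdf(to_bytes(mul(pk_d, sk_i))), Z[i - 1]), "big")
    if not vss_verify(C, i, s_i):
        raise ValueError("share does not match commitment")
    return s_i

def challenge(k, R):       # c = H(k || R || k) reduced mod Q, exactly as the spec writes it
    return int.from_bytes(H(to_bytes(k), to_bytes(R), to_bytes(k)), "big") % Q

def implicate(sk_i, pk_d): # NIZK{(sk_i): sk_i * pk_d = k}: reveal k with a Schnorr proof over base pk_d
    k, r = mul(pk_d, sk_i), secrets.randbelow(Q)
    R = mul(pk_d, r)
    return k, (sk_i * challenge(k, R) + r) % Q, R

def check_implicate(j, C, pk_d, Z, k, pi, R):   # True => dealer proven faulty
    if mul(pk_d, pi) != add(mul(k, challenge(k, R)), R):
        return False       # proof rejected; the implication itself is bogus
    try:
        s_j = int.from_bytes(decrypt(hkdf(to_bytes(k)), Z[j - 1]), "big")
    except ValueError:
        return True        # ciphertext for j does not decrypt under the proven key
    return not vss_verify(C, j, s_j)

def forge_implicate(pk_d): # the ToDo in the spec: the proof never binds pk_i, so any x works as "sk_i"
    return implicate(secrets.randbelow(Q - 1) + 1, pk_d)
```

An honest deal lets every peer extract a share that verifies against $C$ and any $T$ shares reconstruct $s$; a deal with `corrupt=j` makes `extract_share` fail for peer $j$ and `check_implicate` return `True` on its implication, as does a ciphertext whose tag no longer verifies. `forge_implicate` returns a proof that `check_implicate` accepts for a key the forger chose, so an honest dealer is implicated: the DLEQ change under ToDos closes this. With a real curve library the same code applies unchanged apart from `mul`/`add`; for the AEAD, `ChaCha20Poly1305(key).encrypt(bytes(12), pt, b"")` from the `cryptography` package is the RFC 7539 construction with the zero nonce.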