Notation used in formulas
| Heissler | Schoenmakers | Tang et al. | Description |
|---|---|---|---|
| \({\alpha_j}_0\) | \(\alpha_j\) | \(\alpha_j\) | Secret coefficients for \(f_0\) |
| \({\alpha_j}_1\) | | \(\beta_j\) | Secret coefficients for \(f_1\) |
| \(a_i\) | | | First part of ElGamal ciphertext. |
| \(a'_i\) | | | Randomized commitment for \(a_i\). |
| \(b_i\) | | | Second part of ElGamal ciphertext. |
| \(C_j\) | \(C_j\) | \(C_j\) | Commitments for the coefficients \({\alpha_j}_{0,1}\). |
| \(c\) | \(c\) | \(c\) | Challenge for zero knowledge proofs, generated by hash function. |
| \(e\) | | | Identity element of (image) group. |
| \(e'\) | | | Randomized commitment for \(e\). |
| \(f_0(i)\) | \(p(x)\) | \(f(x)\) | Polynomial with secret coefficients \({\alpha_j}_0\) |
| \(f_1(i)\) | | \(g(x)\) | Polynomial with secret coefficients \({\alpha_j}_1\) |
| \(G_0\) | \(G\) | \(G\) | Generator for \(G_q\) |
| \(G_1\) | | \(H\) | Generator for \(G_q\) |
| \(G_q\) | \(G_q\) | \(G_q\) | Finite cyclic group of prime order \(q\), used as the image group for all group isomorphisms. Computing discrete logarithms in this group must be infeasible. |
| \(g_0\) | \(g\) | \(g\) | Generator for \(G_q\) |
| \(g_1\) | | \(h\) | Generator for \(G_q\) |
| \(i\) | \(i\) | \(i\) | Unique index for user, \(i \in [0,q)\), usually \(1 \leq i \leq n\). |
| \(i'\) | \(j\) | \(j\) | Another iterator for user indices, used during reconstruction. |
| \(j\) | \(j\) | \(j\) | Indices for coefficients, \(0 \leq j \lt t\) |
| \(k_…\) | \(w\) | \(s,t\) | Values \(\in_R Z_q\) for computing the Prover’s commitment in zero knowledge proofs. |
| \(n\) | \(n\) | \(n\) | Number of users. |
| \(q\) | \(q\) | \(q\) | Size of \(G_q\) and \(Z_q\) |
| \(S\) | \(S\) | \(S\) | Shared secret \(\in G_q\), generated by dealer and reconstructed by receiver. |
| \(S_i\) | \(S_i\) | \(S_i\) | User \(i\)’s share of the shared secret. |
| \(s_…\) | \(r_i\) | \(r_{i1},r_{i2}\) | Responses for zero knowledge proofs. |
| \(t\) | \(t\) | \(t\) | Size of qualified subset of users able to reconstruct the secret, \(1 \leq t \leq n\). |
| \(v_{0,1}\) | | | Helper variables used in zero-knowledge proof for re-encryption. |
| \(w_{0,1}\) | | | Random values for ElGamal encryption. |
| \(X_i\) | \(X_i\) | \(X_i\) | Shares with alternative generator \(g_{0,1}\). |
| \(X'_i\) | \(a_{1i}/X_i^c\) | \(a_{1i}/X_i^c\) | Randomized commitment for \(X_i\). |
| \(x_i\) | \(x_i\) | \(x_i\) | Private key \(\in_R Z_q^*\) for user \(i\) |
| \(x_r\) | | | Private key \(\in_R Z_q^*\) for recipient |
| \(Y_i\) | \(Y_i\) | \(Y_i\) | Encrypted share for each user. |
| \(Y'_i\) | \(a_{2i}/Y_i^c\) | \(a_{2i}/Y_i^c\) | Randomized commitment for \(Y_i\). |
| \({y_i}_0\) | \(y_i\) | \(y_{i1}\) | First public key part for users, \({y_i}_0 = G_0^{x_i}\) |
| \({y_i}_1\) | | \(y_{i2}\) | Second public key part for users, \({y_i}_1 = G_1^{x_i}\) |
| \(y_i\) | | \(y_i\) | Product of public key parts, \(y_i = {y_i}_0 \cdot {y_i}_1\) |
| \(y'_i\) | | | Randomized commitment for \(y_i\). |
| \({y_r}_0\) | | | First public key part for recipient, \({y_r}_0 = G_0^{x_r}\) |
| \({y_r}_1\) | | | Second public key part for recipient, \({y_r}_1 = G_1^{x_r}\) |
| \(Z_q\) | \(Z_q\) | \(Z_q\) | Additive group of integers modulo prime \(q\), used as the pre-image group for all group isomorphisms. |
| \(Z_q^*\) | \(Z_q^*\) | \(Z_q^*\) | \(Z_q \setminus \{0\}\) |