# Notation used in formulas¶

Heissler

Schoen-makers

Tang et al.

Description

$${\alpha_j}_0$$

$$\alpha_j$$

$$\alpha_j$$

Secret coefficients for $$f_0$$

$${\alpha_j}_1$$

$$\beta_j$$

Secret coefficients for $$f_1$$

$$a_i$$

First part of ElGamal ciphertext.

$$a'_i$$

Randomized commitment for $$a_i$$.

$$b_i$$

Second part of ElGamal ciphertext.

$$C_j$$

$$C_j$$

$$C_j$$

Commitments for the coefficients $${\alpha_j}_{0,1}$$.

$$c$$

$$c$$

$$c$$

Challenge for zero knowledge proofs, generated by hash function.

$$e$$

Identity element of (image) group.

$$e'$$

Randomized commitment for $$e$$.

$$f_0(i)$$

$$p(x)$$

$$f(x)$$

Polynomial with secret coefficients $${\alpha_j}_0$$

$$f_1(i)$$

$$g(x)$$

Polynomial with secret coefficients $${\alpha_j}_1$$

$$G_0$$

$$G$$

$$G$$

Generator for $$G_q$$

$$G_1$$

$$H$$

Generator for $$G_q$$

$$G_q$$

$$G_q$$

$$G_q$$

Finite cyclic group of prime order $$q$$, used as the image group for all group isomorphisms. Computing discrete logarithms in this group must be infeasible.

$$g_0$$

$$g$$

$$g$$

Generator for $$G_q$$

$$g_1$$

$$h$$

Generator for $$G_q$$

$$i$$

$$i$$

$$i$$

Unique index for user, $$i \in [0,q)$$, usually $$1 \leq i \leq n$$.

$$i'$$

$$j$$

$$j$$

Another iterator for user indices, used during reconstruction.

$$j$$

$$j$$

$$j$$

Indices for coefficients, $$0 \leq j \lt t$$

$$k_…$$

$$w$$

$$s,t$$

Values $$\in_R Z_q$$ for computing the Prover’s commitment in zero knowledge proofs.

$$n$$

$$n$$

$$n$$

Number of users.

$$q$$

$$q$$

$$q$$

Size of $$G_q$$ and $$Z_q$$

$$S$$

$$S$$

$$S$$

Shared secret $$\in G_q$$, generated by dealer and reconstructed by receiver.

$$S_i$$

$$S_i$$

$$S_i$$

User $$i$$’s share of the shared secret.

$$s_…$$

$$r_i$$

$$r_{i1},r_{i2}$$

Responses for zero knowledge proofs.

$$t$$

$$t$$

$$t$$

Size of qualified subset of users able to reconstruct the secret, $$1 \leq t \leq n$$.

$$v_{0,1}$$

Helper variables used in zero-knowledge proof for re-encryption.

$$w_{0,1}$$

Random values for ElGamal encryption.

$$X_i$$

$$X_i$$

$$X_i$$

Shares with alternative generator $$g_{0,1}$$.

$$X'_i$$

$$a_{1i}/X_i^c$$

$$a_{1i}/X_i^c$$

Randomized commitment for $$X_i$$.

$$x_i$$

$$x_i$$

$$x_i$$

Private key $$\in_R Z_q^*$$ for user $$i$$

$$x_r$$

Private key $$\in_R Z_q^*$$ for recipient

$$Y_i$$

$$Y_i$$

$$Y_i$$

Encrypted share for each user.

$$Y'_i$$

$$a_{2i}/Y_i^c$$

$$a_{2i}/Y_i^c$$

Randomized commitment for $$Y_i$$.

$${y_i}_0$$

$$y_i$$

$$y_{i1}$$

First public key part for users, $${y_i}_0 = G_0^{x_i}$$

$${y_i}_1$$

$$y_{i2}$$

Second public key part for users, $${y_i}_1 = G_1^{x_i}$$

$$y_i$$

y_i

Product of public key parts, $$y_i = {y_i}_0 \cdot {y_i}_1$$

$$y'_i$$

Randomized commitment for $$y_i$$.

$${y_r}_0$$

First public key part for recipient, $${y_r}_0 = G_0^{x_r}$$

$${y_r}_1$$

Second public key part for recipient, $${y_r}_1 = G_1^{x_r}$$

$$Z_q$$

$$Z_q$$

$$Z_q$$

Additive group of integers modulo prime $$q$$, used as the pre-image group for all group isomorphisms.

$$Z_q^*$$

$$Z_q^*$$

$$Z_q^*$$

$$Z_q \setminus \{0\}$$