Notation used in formulas¶
Heissler 
Schoenmakers 
Tang et al. 
Description 

\({\alpha_j}_0\) 
\(\alpha_j\) 
\(\alpha_j\) 
Secret coefficients for \(f_0\) 
\({\alpha_j}_1\) 
\(\beta_j\) 
Secret coefficients for \(f_1\) 

\(a_i\) 
First part of ElGamal ciphertext. 

\(a'_i\) 
Randomized commitment for \(a_i\). 

\(b_i\) 
Second part of ElGamal ciphertext. 

\(C_j\) 
\(C_j\) 
\(C_j\) 
Commitments for the coefficients \({\alpha_j}_{0,1}\). 
\(c\) 
\(c\) 
\(c\) 
Challenge for zero knowledge proofs, generated by hash function. 
\(e\) 
Identity element of (image) group. 

\(e'\) 
Randomized commitment for \(e\). 

\(f_0(i)\) 
\(p(x)\) 
\(f(x)\) 
Polynomial with secret coefficients \({\alpha_j}_0\) 
\(f_1(i)\) 
\(g(x)\) 
Polynomial with secret coefficients \({\alpha_j}_1\) 

\(G_0\) 
\(G\) 
\(G\) 
Generator for \(G_q\) 
\(G_1\) 
\(H\) 
Generator for \(G_q\) 

\(G_q\) 
\(G_q\) 
\(G_q\) 
Finite cyclic group of prime order \(q\), used as the image group for all group isomorphisms. Computing discrete logarithms in this group must be infeasible. 
\(g_0\) 
\(g\) 
\(g\) 
Generator for \(G_q\) 
\(g_1\) 
\(h\) 
Generator for \(G_q\) 

\(i\) 
\(i\) 
\(i\) 
Unique index for user, \(i \in [0,q)\), usually \(1 \leq i \leq n\). 
\(i'\) 
\(j\) 
\(j\) 
Another iterator for user indices, used during reconstruction. 
\(j\) 
\(j\) 
\(j\) 
Indices for coefficients, \(0 \leq j \lt t\) 
\(k_…\) 
\(w\) 
\(s,t\) 
Values \(\in_R Z_q\) for computing the Prover’s commitment in zero knowledge proofs. 
\(n\) 
\(n\) 
\(n\) 
Number of users. 
\(q\) 
\(q\) 
\(q\) 
Size of \(G_q\) and \(Z_q\) 
\(S\) 
\(S\) 
\(S\) 
Shared secret \(\in G_q\), generated by dealer and reconstructed by receiver. 
\(S_i\) 
\(S_i\) 
\(S_i\) 
User \(i\)’s share of the shared secret. 
\(s_…\) 
\(r_i\) 
\(r_{i1},r_{i2}\) 
Responses for zero knowledge proofs. 
\(t\) 
\(t\) 
\(t\) 
Size of qualified subset of users able to reconstruct the secret, \(1 \leq t \leq n\). 
\(v_{0,1}\) 
Helper variables used in zeroknowledge proof for reencryption. 

\(w_{0,1}\) 
Random values for ElGamal encryption. 

\(X_i\) 
\(X_i\) 
\(X_i\) 
Shares with alternative generator \(g_{0,1}\). 
\(X'_i\) 
\(a_{1i}/X_i^c\) 
\(a_{1i}/X_i^c\) 
Randomized commitment for \(X_i\). 
\(x_i\) 
\(x_i\) 
\(x_i\) 
Private key \(\in_R Z_q^*\) for user \(i\) 
\(x_r\) 
Private key \(\in_R Z_q^*\) for recipient 

\(Y_i\) 
\(Y_i\) 
\(Y_i\) 
Encrypted share for each user. 
\(Y'_i\) 
\(a_{2i}/Y_i^c\) 
\(a_{2i}/Y_i^c\) 
Randomized commitment for \(Y_i\). 
\({y_i}_0\) 
\(y_i\) 
\(y_{i1}\) 
First public key part for users, \({y_i}_0 = G_0^{x_i}\) 
\({y_i}_1\) 
\(y_{i2}\) 
Second public key part for users, \({y_i}_1 = G_1^{x_i}\) 

\(y_i\) 
y_i 
Product of public key parts, \(y_i = {y_i}_0 \cdot {y_i}_1\) 

\(y'_i\) 
Randomized commitment for \(y_i\). 

\({y_r}_0\) 
First public key part for recipient, \({y_r}_0 = G_0^{x_r}\) 

\({y_r}_1\) 
Second public key part for recipient, \({y_r}_1 = G_1^{x_r}\) 

\(Z_q\) 
\(Z_q\) 
\(Z_q\) 
Additive group of integers modulo prime \(q\), used as the preimage group for all group isomorphisms. 
\(Z_q^*\) 
\(Z_q^*\) 
\(Z_q^*\) 
\(Z_q \setminus \{0\}\) 