Algebraic Distinguishers: From Discrete Logarithms to Decisional Uber Assumptions

“…The idea is to extract thw polynomial from the Sigma proof with AGM. This proof is similar to Uber assumptions in AGM [44], but repeat it here with our notation. For each commitment(c e i , K i , s i , φ s ), c e i = (g φ i α ) e i g γφ i (α) and K = (g φ r i α )g γφ r i (α) .…”

“…(transcript, π) ← S SNARK .Prove(td srs , td comm , C x, I) (14) For each polycommit C in transcript: (15) Create share of C for each honest P i , consistent (16) with the f shares of corrupt parties and C (1) (17) Create share of π for each honest P i , consistent (18) with the f shares of corrupt parties and π (2) (19) Store (transcript, shares, π, F, o) (20) Pass F to the simulated Auditor, simulating (21) F ReactiveMPC substituting o as the output (22) On input (m, M ) from Z: (23) If M is an honest C i or P i : end activation (24) If M is a corrupt data-client C i : (25) If m is sending (φ x i , φ r i ) to F ReactiveMPC : (26) Instruct C i to send φ x i (0) to F AuditableMPC (27) and wait for message C i from F AuditableMPC (28) Send (m, M ) to simulated D. (29) If D returns m, forward m to Z (30) If M is a corrupt server P i : (31) Send (m, M ) to simulated D. (32) If D returns m, forward m to Z (33) If M is F RO , F Setup , or F ReactiveMPC : (34) Send (m, M ) to simulated D. (35) If D returns m, forward m to Z (36) If M is F BulletinBoard : (37) Send m to simulated F BulletinBoard (38) If D returns (P j , BB) for corrupt P j and bulletin (39) board BB: (40) Replace honest shares of Marlin commits (41) in BB with stored shares from (1) (42) Replace honest shares of π in BB with (43) stored shares from (2) (44) Send Send (m, M ) to simulated D. (25) When D returns m, forward m to Z, unless the (26) if statement below is triggered (27) If the simulated Auditor provides F to F ReactiveMPC : (28) For each input commit C x i on the bulletin board: (29) If x i is not calculated for a corrupt party's C x i : (30) a 1...k ← AGM repr. of C x i provided by Z in (31) terms of SRS and group elems S sent Z (32) a 1...l ← repr.…”

Publicly Auditable MPC-as-a-Service with succinct verification and universal setup

“…The idea is to extract thw polynomial from the Sigma proof with AGM. This proof is similar to Uber assumptions in AGM [44], but repeat it here with our notation. For each commitment(c e i , K i , s i , φ s ), c e i = (g φ i α ) e i g γφ i (α) and K = (g φ r i α )g γφ r i (α) .…”

“…(transcript, π) ← S SNARK .Prove(td srs , td comm , C x, I) (14) For each polycommit C in transcript: (15) Create share of C for each honest P i , consistent (16) with the f shares of corrupt parties and C (1) (17) Create share of π for each honest P i , consistent (18) with the f shares of corrupt parties and π (2) (19) Store (transcript, shares, π, F, o) (20) Pass F to the simulated Auditor, simulating (21) F ReactiveMPC substituting o as the output (22) On input (m, M ) from Z: (23) If M is an honest C i or P i : end activation (24) If M is a corrupt data-client C i : (25) If m is sending (φ x i , φ r i ) to F ReactiveMPC : (26) Instruct C i to send φ x i (0) to F AuditableMPC (27) and wait for message C i from F AuditableMPC (28) Send (m, M ) to simulated D. (29) If D returns m, forward m to Z (30) If M is a corrupt server P i : (31) Send (m, M ) to simulated D. (32) If D returns m, forward m to Z (33) If M is F RO , F Setup , or F ReactiveMPC : (34) Send (m, M ) to simulated D. (35) If D returns m, forward m to Z (36) If M is F BulletinBoard : (37) Send m to simulated F BulletinBoard (38) If D returns (P j , BB) for corrupt P j and bulletin (39) board BB: (40) Replace honest shares of Marlin commits (41) in BB with stored shares from (1) (42) Replace honest shares of π in BB with (43) stored shares from (2) (44) Send Send (m, M ) to simulated D. (25) When D returns m, forward m to Z, unless the (26) if statement below is triggered (27) If the simulated Auditor provides F to F ReactiveMPC : (28) For each input commit C x i on the bulletin board: (29) If x i is not calculated for a corrupt party's C x i : (30) a 1...k ← AGM repr. of C x i provided by Z in (31) terms of SRS and group elems S sent Z (32) a 1...l ← repr.…”

Publicly Auditable MPC-as-a-Service with succinct verification and universal setup

Algebraic Distinguishers: From Discrete Logarithms to Decisional Uber Assumptions

On Pairing-Free Blind Signature Schemes in the Algebraic Group Model