### Rekeyability - Shared Secret with Private Key Source: https://github.com/anoma/ferveo/blob/main/book/src/tpke.md Demonstrates how to rekey the shared secret 's' with respect to a private key share Z_1 to a new secret key \hat{Z}. This involves algebraic manipulation of the shared secret formula. ```plaintext The shared secret s can be rekeyed with respect to the secret key Z_1 to a new secret key \hat{Z} = [\alpha] Z_1 + Z_2, as the new shared secret \hat{s} = s^{\alpha} e(U, Z_2) = e(U, [\alpha] Z_2)e(U, Z_2) = e(U, [\alpha]Z_1 + Z_2). ``` -------------------------------- ### Verify Decryption Shares Individually (Fallback) Source: https://github.com/anoma/ferveo/blob/main/book/src/tx.md Fallback protocol initiated when `TPKE.BatchVerifyDecryptionShares` fails, used to discover which validators sent valid decryption shares by checking each validator's shares separately. ```go TPKE.VerifyDecryptionShares() ``` -------------------------------- ### Rekeyability - Shared Secret with Public Key Source: https://github.com/anoma/ferveo/blob/main/book/src/tpke.md Shows how to rekey the shared secret 's' with respect to a public key Y_1 to a new public key \hat{Y}. This involves algebraic manipulation using the properties of the encryption scheme. ```plaintext The shared secret s can be rekeyed with respect to the public key Y_1 to a new public key \hat{Y} = [\alpha] Y_1 + Y_2 as the new shared secret \hat{s} = s^{\alpha} e([r] Y_2, H) = e([r\alpha] Y_1, H)e([r]Y_2, H) = e([r]([\alpha]Y_1 + Y_2), H). ``` -------------------------------- ### Batch Verify Decryption Shares Source: https://github.com/anoma/ferveo/blob/main/book/src/tx.md Optimistic verification of all decryption shares before accepting a block. This is the preferred method for checking share validity. ```go TPKE.BatchVerifyDecryptionShares() ``` -------------------------------- ### Encryption Steps Source: https://github.com/anoma/ferveo/blob/main/book/src/tpke.md Steps to encrypt data using the threshold encryption scheme. This involves deriving a shared secret 's' and constructing the public key portion of the ciphertext (U, W). ```plaintext 1. Let r be a random scalar 2. Let s = e([r] Y, H) 3. Let U = [r] G 4. Let W = [r] H_{\mathbb{G}_2} (U) 5. Let k = HKDF(s) ``` -------------------------------- ### TPKE Create Decryption Share Source: https://github.com/anoma/ferveo/blob/main/book/src/tpke-concrete.md Creates a decryption share for a specific ciphertext (U_j) using a validator's private key (dk_i). This share is used in the decryption process. ```Go func (tpke *TPKE) CreateDecryptionShare(dk_i *btcec.PrivateKey, U_j *btcec.PublicKey) *btcec.PublicKey { // D_{i,j} = [dk_i^{-1}] U_j inv := new(big.Int).ModInverse(dk_i.D, tpke.curve.Params().N) D := tpke.curve.ScalarMult(U_j.X, inv) return &btcec.PublicKey{X: D} } ``` -------------------------------- ### Threshold Decryption (Simple Method) Source: https://github.com/anoma/ferveo/blob/main/book/src/tpke.md Combines individual decryption shares to reconstruct the shared secret 's'. Each share C_i is computed using the ciphertext component 'U' and a private key share Z_i. The combination uses Lagrange coefficients. ```plaintext 1. Check ciphertext validity. 2. Each decryption share is C_i = e(U, Z_i). 3. To combine decryption shares, s = \prod C_i^{\lambda_i(0)} where \lambda_i(0) is the lagrange coefficient over the appropriate size domain. ``` -------------------------------- ### Combine Decryption Shares for Valid Transactions Source: https://github.com/anoma/ferveo/blob/main/book/src/tx.md Used by block proposers in the optimistic case to obtain the shared secret and symmetric key for each transaction, assuming all transactions are constructed correctly. ```go TPKE.CombineDecryptionShares() ``` -------------------------------- ### Threshold Decryption (Fast Method) - Decryption Share Source: https://github.com/anoma/ferveo/blob/main/book/src/tpke.md Generates a decryption share using a blinded private key share. This method is efficient, requiring only a G1 multiplication. ```plaintext The validator's decryption share is D_i = [b^{-1}] U ``` -------------------------------- ### TPKE Verify Decryption Shares Source: https://github.com/anoma/ferveo/blob/main/book/src/tpke-concrete.md Verifies the validity of decryption shares provided by a single validator (i) for multiple ciphertexts (U_j). This involves checking the relationship between the shares, the public key, and the ciphertexts. ```Go func (tpke *TPKE) VerifyDecryptionShares(ek_i *btcec.PublicKey, U, D []*btcec.PublicKey) bool { // TODO: Implement verification return false } ``` -------------------------------- ### Threshold Decryption (Fast Method) - Combination Source: https://github.com/anoma/ferveo/blob/main/book/src/tpke.md Aggregates decryption shares to compute the shared secret 's'. This involves pairing the derived decryption shares D_i with blinded private key shares and combining the results. ```plaintext An aggregator computes for each decryption share D_i = [b^{-1}] U: S_i = e( D_i, [\sum_{\omega_j \in \Omega_i} \lambda_{\omega_j}(0)] [b] Z_{i,\omega_j} ) The shared secret is then s = \prod S_i ``` -------------------------------- ### Verify Aggregated Combination for Invalid Transactions Source: https://github.com/anoma/ferveo/blob/main/book/src/tx.md Allows full nodes to efficiently check the validity of combined decryption shares for allegedly invalid transactions. This mitigates the cost of invalidity verification. ```go TPKE.VerifyAggregatedCombination() ``` -------------------------------- ### TPKE Encryption Source: https://github.com/anoma/ferveo/blob/main/book/src/tpke-concrete.md Encrypts data using a public threshold key and generates an ephemeral shared secret. Additional authenticated data can be included. The ephemeral shared secret can be used to derive a symmetric encryption key. ```Go func (tpke *TPKE) Encrypt(Y *btcec.PublicKey, aad []byte) (*btcec.PublicKey, *btcec.PublicKey, error { r, err := rand.Int(rand.Reader, tpke.curve.Params().N) if err != nil { return nil, nil, err } // S = e([r] Y, H) S := tpke.e(new(big.Int).Mul(r, Y.X), tpke.H) // U = [r] G U := tpke.curve.ScalarBaseMult(r.Bytes()) // W = [r] H_G2(U, aad) W := tpke.H_G2(U, aad) W = tpke.curve.ScalarMult(W, r) return U, W, nil } ``` -------------------------------- ### TPKE Batch Ciphertext Validity Check Source: https://github.com/anoma/ferveo/blob/main/book/src/tpke-concrete.md Optimistically verifies the validity of multiple TPKE ciphertexts in a block using a single pairing product. This is efficient for block proposers. ```Go func (tpke *TPKE) BatchCiphertextValidity(U, W []*btcec.PublicKey) bool { // TODO: Implement batch verification return false } ``` -------------------------------- ### Aggregate Decryption Shares for Invalid Transactions Source: https://github.com/anoma/ferveo/blob/main/book/src/tx.md Handles invalid transactions by aggregating their decryption shares. This is used to avoid high costs and DoS attacks associated with individual invalid transaction verification. ```go TPKE.AggregateDecryptionShares() ``` -------------------------------- ### Simple Decryption Method Source: https://github.com/anoma/ferveo/blob/main/book/src/tpke.md A straightforward method for decrypting a ciphertext using a private key share. It first checks validity and then derives the shared secret 's' from the ciphertext component 'U' and the private key share 'Z'. ```plaintext 1. Check ciphertext validity. 2. Let s = e(U, Z) ``` -------------------------------- ### Public Verification of Decryption Shares Source: https://github.com/anoma/ferveo/blob/main/book/src/tpke.md Verifies the validity of decryption shares by checking a pairing equation involving the decryption share D_i and the validator's blinded public key P_i. ```plaintext e(D_i, P_i) = e(U, H) ``` -------------------------------- ### TPKE Ciphertext Validity Check Source: https://github.com/anoma/ferveo/blob/main/book/src/tpke-concrete.md Checks the validity of a single TPKE ciphertext (U, W). This is crucial for chosen ciphertext security. It involves a pairing operation to verify the relationship between U and W. ```Go func (tpke *TPKE) CiphertextValidity(U, W *btcec.PublicKey) bool { // e(U, H_G2(U)) = e(G, W) return tpke.e(U.X, tpke.H_G2(U.X, nil)).Equals(tpke.e(tpke.G, W.X)) } ``` -------------------------------- ### Ciphertext Validity Check Source: https://github.com/anoma/ferveo/blob/main/book/src/tpke.md Check for ciphertext validity to ensure IND-CCA2 security. This involves verifying a specific pairing equation. ```plaintext Check that e(U, H_{\mathbb{G}_2} (U)) = e(G, W) for ciphertext validity. ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.