Warmup: a TLCS protocol from general-purpose NIZK proofs

Consider the following protocol. The generic party \(i=1,... \) does the following. It computes \(PK_i=g^{sk_i} \), where \(sk_i \) is randomly chosen in \(Z_q \). It chooses random \(t_i \) from \(Z_p \) and computes \(T_i=g_2^{t_i} \), \(Z_i=e(H(C),PK_L)^{t_i} \) and \(y_i=H(Z_i) \oplus sk_i \). The party \(i \) posts on the blokchain: \)(T_i, y_i) \). Note that \(Z_i \) is not posted, and the honest party is required to delete \(Z_i, t_i,sk_i \) from his memory, so that until time \(C \) nobody can get \(sk_i \).

At some point, the public key construction phase terminates and no new party can participate. Then, the public key \(PK \) is set to \(PK=\prod_i PK_i=g^{sk} \), where \(sk=\sum_i sk_i \mod q \).

When the secret \(SK_C=H(C)^{sk_L} \) of LOE is published at time \(C \), anyone can publicly do the following based on the information posted on the blockchain. For any \(i \) compute \(e(SK_C,T_i)=Z_i \) and then can compute \(sk_i=y_i \oplus H(Z_i) \).

From all \(sk_i \)'s, anyone can then recover \(sk=\sum_i sk_i \mod q \).

The security here guarantees that if only a single party is trusted in having deleted his memory at the of the computation, then the secret key \(sk \) corresponding to \(PK \) is protected until time \(C \) assuming that the majority of LOE members are honest. That is, the only added assumption beyond LOE is that there is a single honest party. Observe that, since anyone can publicly participate in the protocol (that is the committee allows on-fly join), if someone does not trust the system can decide on participating in the protocol freely.

To be able to decrypt we need to assume that the values \(y_i \)'s posted on the blockchain are computed correctly according to the above procedure, so each \(y_i \) needs to be accompained with a ZK proof of well-formedness, that is a proof that the tuple \((g_2,PK_L,C,T_i,PK_i,y_i) \) is such that there exist values \(t_i\in Z_p \), \(sk_i\in Z_q \) such that \(T_i=g_2^{t_i} \), \(Z_i=e(H(C),PK_L)^{t_i} \), \(y_i=H(Z_i) \oplus sk_i \) and \(PK_i=g^{sk_i} \). The proof system needs to be non-malleable to prevent attacks in which the last party can induce a public key of which he knows the corresponding secret key; alternatively, a standard non-interactive Schnorr's proof must be attacked to each partial public key \(PK_i \).

This requires a NIZK proof of computation of exponentiation in the target group. Notice that if a tuple \((PK_i,T_i,y_i) \) does not come with a valid proof, it will not be used for the computation of \(PK \).