This class implements the discrete logarithm instantiation of the VTMF primitive in the field \bf Z/p\bf Z, where p is a large prime number. The mathematical computations are performed in the finite cyclic subgroup G of prime order q such that p = kq + 1 holds for some k\in \bf Z. The security relies on the DDH assumption in G, i.e., the distribution \g^a, g^b, g^ab\ is computationally indistinguishable from \g^a, g^b, g^c\, where g is a generator of G and a, b, c are chosen at random from \bf Z_q. Currently, this well-established assumption is believed to hold, if p and q are chosen according to the predefined security parameters of LibTMCG.

— Member of BarnettSmartVTMF_dlog: mpz_t p

This is the public prime number p which defines the underlying field \bf Z/p\bf Z.

— Member of BarnettSmartVTMF_dlog: mpz_t q

This is the public prime number q which defines the underlying cyclic group G. G is a subgroup of \bf Z/p\bf Z and is exactly of order q.

— Member of BarnettSmartVTMF_dlog: mpz_t g

This is the fixed public generator g of the underlying group G.

— Member of BarnettSmartVTMF_dlog: mpz_t k

This is a public integer k such that p = kq + 1 holds.

— Member of BarnettSmartVTMF_dlog: mpz_t h

This is the common public key h = \prod_i=1^k h_i which contains the public keys h_i of each player P_i. Note that in the above formula k denotes the number of players.

— Constructor on BarnettSmartVTMF_dlog: BarnettSmartVTMF_dlog (unsigned long int fieldsize =TMCG_DDH_SIZE, unsigned long int subgroupsize =TMCG_DLSE_SIZE)

This constructor creates a new VTMF instance. That means, the primes p and q are randomly and uniformly chosen such that they have length fieldsize bit and subgroupsize bit, respectively. Further, a generator g for the unique subgroup of order q is chosen at random. If the arguments are omitted, then fieldsize and subgroupsize are set to their default values TMCG_DDH_SIZE and TMCG_DLSE_SIZE, respectively. Depending on fieldsize and subgroupsize the group generation is a very time-consuming task and some dots are sent to std::cerr as a progress indicator.

— Constructor on BarnettSmartVTMF_dlog: BarnettSmartVTMF_dlog (std::istream& in, unsigned long int fieldsize =TMCG_DDH_SIZE, unsigned long int subgroupsize =TMCG_DLSE_SIZE)

This constructor initializes the VTMF instance from a correctly formatted input stream in. For example, such a stream can be generated by calling the method PublishGroup of an already created instance. The arguments fieldsize and subgroupsize are stored for later following usage, e.g. by the method CheckGroup as explained below. If these arguments are omitted, then they are set to the default values TMCG_DDH_SIZE and TMCG_DLSE_SIZE, respectively.

— Method on BarnettSmartVTMF_dlog: bool CheckGroup ()

This method checks whether p and q have appropriate sizes with respect to the bit lengths given during the initialization of the corresponding instance. Further, it checks whether p has the correct form (i.e. p = kq +1), whether p and q are probable prime, and whether g is a generator of the subgroup G. It returns true, if all of these checks have been passed successfully.

— Method on BarnettSmartVTMF_dlog: void PublishGroup (std::ostream& out)

This method exports all necessary group parameters of G to the given output stream out, so other VTMF instances of G can be initialized, e.g. with the second constructor of BarnettSmartVTMF_dlog.

— Method on BarnettSmartVTMF_dlog: void KeyGenerationProtocol_GenerateKey ()

This method generates a VTMF key pair and stores the pair internally for a later following usage. It must be called before any other part of the key generation protocol is executed. Otherwise, the produced results are wrong.

— Method on BarnettSmartVTMF_dlog: void KeyGenerationProtocol_PublishKey (std::ostream& out)

This method exports the public part of the generated VTMF key pair to the given output stream out. Further, it appends a non-interactive zero-knowledge proof of knowledge which shows that the instance knows the secret part. Due to the non-interactive nature of this proof the method has to be called only once while the computed output can be reused multiple times if necessary.

— Method on BarnettSmartVTMF_dlog: bool KeyGenerationProtocol_UpdateKey (std::istream& in)

This method reads the public part of a VTMF key and the proof of knowledge from the input stream in. It appends the key to the common public key and returns true, if the given proof was sound. Otherwise, false is returned.

— Method on BarnettSmartVTMF_dlog: bool KeyGenerationProtocol_RemoveKey (std::istream& in)

This method reads the public part of a VTMF key and the corresponding proof of knowledge from the input stream in. It removes the key from the common public key and returns true, if the key was previously appended by KeyGenerationProtocol_UpdateKey as explained above.

— Method on BarnettSmartVTMF_dlog: void KeyGenerationProtocol_Finalize ()

This method must be called after any update (KeyGenerationProtocol_UpdateKey) or removal (KeyGenerationProtocol_RemoveKey) has been performed on the common public key.

— Destructor on BarnettSmartVTMF_dlog: ~BarnettSmartVTMF_dlog ()

This destructor releases all occupied resources.

This subclass implements the discrete logarithm instantiation of the VTMF primitive in the field \bf Z/p\bf Z, where p is a large prime number. The mathematical computations are performed in the finite cyclic subgroup G (quadratic residues modulo p) of prime order q, where p = 2q + 1 holds. The security relies on the DDH assumption in G, i.e., the distribution \g^a, g^b, g^ab\ is computationally indistinguishable from \g^a, g^b, g^c\, where g is a generator of G and a, b, c are chosen at random from \bf Z_q. Currently, this well-established assumption is believed to hold, if p and q are chosen according to the predefined security parameters of LibTMCG.

— Member of BarnettSmartVTMF_dlog_GroupQR: mpz_t p

This is the public prime number p which defines the underlying field \bf Z/p\bf Z.

— Member of BarnettSmartVTMF_dlog_GroupQR: mpz_t q

This is the public prime number q which defines the underlying cyclic group G. G denotes the unique subgroup of quadratic residues modulo p which is exactly of order q, if p = 2q + 1 holds.

— Member of BarnettSmartVTMF_dlog_GroupQR: mpz_t g

This is the fixed public generator g of the underlying group G.

— Member of BarnettSmartVTMF_dlog_GroupQR: mpz_t k

This integer is fixed here by k = 2.

— Member of BarnettSmartVTMF_dlog_GroupQR: mpz_t h

This is the common public key h = \prod_i=1^k h_i which contains the public keys h_i of each player P_i. Note that in the above formula k denotes the number of players.

— on BarnettSmartVTMF_dlog_GroupQR: BarnettSmartVTMF_dlog_GroupQR (unsigned long int fieldsize =TMCG_DDH_SIZE, unsigned long int exponentsize =TMCG_DLSE_SIZE)

This constructor creates a new VTMF instance. That means, the safe prime p is randomly and uniformly chosen such that it has a length of fieldsize bit. Further, the generator g is initially set up by 2 and then shifted by fieldsize - exponentsize bit positions, according to the procedure described by Koshiba and Kurosawa (see Short Exponent Diffie-Hellman Problems, PKC 2004, LNCS 2947). If the arguments of the constructor are omitted, then fieldsize and exponentsize are set to their default values TMCG_DDH_SIZE and TMCG_DLSE_SIZE, respectively. Depending on fieldsize and exponentsize the group generation is a very time-consuming task and some dots are sent to std::cerr as a progress indicator.

— on BarnettSmartVTMF_dlog_GroupQR: BarnettSmartVTMF_dlog_GroupQR (std::istream& in, unsigned long int fieldsize =TMCG_DDH_SIZE, unsigned long int exponentsize =TMCG_DLSE_SIZE)

This constructor initializes the VTMF instance from a correctly formatted input stream in. For example, such a stream can be generated by calling the method PublishGroup of an already created instance. The arguments fieldsize and exponentsize are stored for later following usage, e.g. by the method CheckGroup as explained below. If these arguments are omitted, then they are set to the default values TMCG_DDH_SIZE and TMCG_DLSE_SIZE, respectively.

— Method on BarnettSmartVTMF_dlog_GroupQR: bool CheckGroup ()

This method checks whether p and q have appropriate sizes with respect to the bit lengths given during the initialization of the corresponding instance. Further, it checks whether p has the correct form (i.e. p = 2q +1), whether p and q are probable prime, and whether g is a generator of the subgroup G. It returns true, if all of these checks have been passed successfully.

— Method on BarnettSmartVTMF_dlog_GroupQR: void PublishGroup (std::ostream& out)

This method exports all necessary group parameters of G to the given output stream out, so other VTMF instances of G can be initialized, e.g. with the second constructor of BarnettSmartVTMF_dlog_GroupQR.

— Method on BarnettSmartVTMF_dlog_GroupQR: void KeyGenerationProtocol_GenerateKey ()

This method generates a VTMF key pair and stores the pair internally for a later following usage. It must be called before any other part of the key generation protocol is executed. Otherwise, the produced results are wrong.

— Method on BarnettSmartVTMF_dlog_GroupQR: void KeyGenerationProtocol_PublishKey (std::ostream& out)

This method exports the public part of the generated VTMF key pair to the given output stream out. Further, it appends a non-interactive zero-knowledge proof of knowledge which shows that the instance knows the secret part. Due to the non-interactive nature of this proof the method has to be called only once while the computed output can be reused multiple times if necessary.

— Method on BarnettSmartVTMF_dlog_GroupQR: bool KeyGenerationProtocol_UpdateKey (std::istream& in)

This method reads the public part of a VTMF key and the proof of knowledge from the input stream in. It appends the key to the common public key and returns true, if the given proof was sound. Otherwise, false is returned.

— Method on BarnettSmartVTMF_dlog_GroupQR: bool KeyGenerationProtocol_RemoveKey (std::istream& in)

This method reads the public part of a VTMF key and the corresponding proof of knowledge from the input stream in. It removes the key from the common public key and returns true, if the key was previously appended by KeyGenerationProtocol_UpdateKey as explained above.

— Method on BarnettSmartVTMF_dlog_GroupQR: void KeyGenerationProtocol_Finalize ()

This method must be called after any update (KeyGenerationProtocol_UpdateKey) or removal (KeyGenerationProtocol_RemoveKey) has been performed on the common public key.

— on BarnettSmartVTMF_dlog_GroupQR: ~BarnettSmartVTMF_dlog_GroupQR ()

This destructor releases all occupied resources.

This class provides the low-level interface for Groth's protocol. There are just a few methods that might be of general interest. All other components are only used internally by high-level operations and thus their description is omitted here.

— Constructor on GrothVSSHE: GrothVSSHE (size_t n, mpz_srcptr p_ENC, mpz_srcptr q_ENC, mpz_srcptr k_ENC, mpz_srcptr g_ENC, mpz_srcptr h_ENC, unsigned long int ell_e =TMCG_GROTH_L_E, unsigned long int fieldsize =TMCG_DDH_SIZE, unsigned long int subgroupsize =TMCG_DLSE_SIZE)

This constructor creates a new instance. The low-level operations are later used to show the correctness of a shuffle of at most n cards. The protocol and some parameters of the commitment scheme are initialized by the members of the corresponding VTMF instance. Consequently, p_ENC is the prime number p which determines the field \bf Z/p\bf Z, q_ENC is the order of the underlying subgroup G, i.e. the prime number q, and k_ENC is the integer such that p = qk + 1 holds. Further, g_ENC is the generator g, and finally h_ENC is the common public key h. The positive integer ell_e is the security parameter which controls the soundness error probability (2^-\ell_e) of the protocol. The default value is defined by TMCG_GROTH_L_E, if this argument is omitted. The fieldsize and the subgroupsize are supplied to internal classes and are only of interest, if p_ENC or q_ENC have lengths different from the default. If these arguments are omitted, they are set to TMCG_DDH_SIZE and TMCG_DLSE_SIZE, respectively.

Note that the generators g'_1, \ldots, g'_n of the Pedersen commitment scheme are randomly and uniformly chosen from \bf Z_q. Therefore this constructor should be instantiated only once by the session leader. All other instances must be created by the second constructor. Further, it is very important that the VTMF key generation protocol has been finished before the value of h is passed to the constructor. Otherwise, the correctness verification will definitely fail.

— Constructor on GrothVSSHE: GrothVSSHE (size_t n, std::istream& in, unsigned long int ell_e =TMCG_GROTH_L_E, unsigned long int fieldsize =TMCG_DDH_SIZE, unsigned long int subgroupsize =TMCG_DLSE_SIZE)

This constructor initializes the instance from a correctly formatted input stream in. For example, such a stream can be generated by calling the method PublishGroup of an already created instance. Later the instance can be used to show the correctness of a shuffle of at most n cards. The positive integer ell_e controls the soundness error probability of the protocol. The default value is defined by TMCG_GROTH_L_E, if this argument is omitted.

— Method on GrothVSSHE: bool CheckGroup ()

This method checks whether the initialized commitment scheme is sound. It returns true, if all tests have been passed successfully.

— Method on GrothVSSHE: void PublishGroup (std::ostream& out)

This method exports the instance configuration to the output stream out such that other instances can be initialized, e.g. with the second constructor.

— Destructor on GrothVSSHE: ~GrothVSSHE ()

This destructor releases all occupied resources.

This class implements the main core of Schindelhauer's toolbox, i.e. important functions like masking, opening, and shuffling of cards and stacks, respectively. Some exotic operations are still missing, e.g., the possibility to insert a masked card secretly into a stack or the verifiable subset properties of stacks. All implemented operations are available for the original encoding scheme of Schindelhauer (see TMCG_Card) and, of course, for the more efficient encoding scheme of Barnett and Smart (see VTMF_Card and BarnettSmartVTMF_dlog) as well.

— Member of SchindelhauerTMCG: unsigned long int TMCG_SecurityLevel

This read-only nonnegative integer represents the security parameter t which was given to the constructor of this class. It defines the number of protocol iterations and hence the soundness error probability (2^-t) of the zero-knowledge proofs in the encoding scheme of Schindelhauer. Further it defines the soundness error probability (also 2^-t) of the shuffle argument in the encoding scheme of Barnett and Smart, if the efficient protocol of Groth [Gr05] is not used.

— Member of SchindelhauerTMCG: size_t TMCG_Players

This read-only nonnegative integer represents the number of players as given to the constructor of this class.

— Member of SchindelhauerTMCG: size_t TMCG_TypeBits

This read-only nonnegative integer contains the number of bits that are necessary to encode the card types in the binary representation. It was given as an argument to the constructor of this class.

— Constructor on SchindelhauerTMCG: SchindelhauerTMCG (unsigned long int security, size_t k, size_t w)

This constructor creates an instance, where security is a nonnegative integer that represents the security parameter t. The parameter k is the number of players and w is the number of bits which are necessary to represent all possible card types in a binary representation.

The integer t controls the maximum soundness error probability (2^-t) of the zero-knowledge proofs in the encoding scheme of Schindelhauer. Specifically, security defines the number of sequential iterations of the involved protocols and thus has a major impact on the computational and communication complexity. If the encoding scheme of Barnett and Smart [BS03] is used, then it only defines the soundness error probability (also 2^-t) of the shuffle proof. However, if only the efficient shuffle verification protocol of Groth [Gr05] is used, then the parameter security is dispensable, because the parameter ell_e given during instantiation of GrothVSSHE (e.g. the LibTMCG default security parameter TMCG_GROTH_L_E) determines this soundness error probability (2^-\ell_e).

Unfortunately, the parameters k and w have a major impact on the complexity in the encoding scheme of Schindelhauer, too. Therefore you should always use reasonable values. For example, to create a deck with M different card types simply set w to \lceil\log_2 M\rceil which is an tight upper-bound for the binary representation. Furthermore, set k to the number of players which are really involved and not to a possible maximum value. Note that k and w are limited by the global constants TMCG_MAX_PLAYERS and TMCG_MAX_TYPEBITS, respectively.

— Method on SchindelhauerTMCG: void TMCG_CreateOpenCard (TMCG_Card& c, const TMCG_PublicKeyRing& ring, size_t type)

This method initializes the open card c with the given type using the encoding scheme of Schindelhauer. The type MUST be an integer from the interval [0, 2^w - 1], where w is the number given to the constructor of this class. The w MUST be the same number as used at creation of c (see TMCG_Card). The parameter ring is a container with exactly k public keys, where k is the number given to the constructor of this class. The k MUST be the same number as used at the creation of c.

— Method on SchindelhauerTMCG: void TMCG_CreateOpenCard (VTMF_Card& c, BarnettSmartVTMF_dlog* vtmf, size_t type)

This method initializes the open card c with the given type using the encoding scheme of Barnett and Smart. The type MUST be an integer from the interval [0, 2^w - 1], where w is the number given to the constructor of this class. The parameter vtmf is a pointer to an already initialized VTMF instance, i.e. the key generation protocol was successfully finished (see BarnettSmartVTMF_dlog and BarnettSmartVTMF_dlog_GroupQR, respectively).

— Method on SchindelhauerTMCG: void TMCG_CreateCardSecret (TMCG_CardSecret& cs, const TMCG_PublicKeyRing& ring, size_t index)

This method initializes the card secret cs with random values which is necessary to perform later a masking operation on a card. The parameter ring is a container with exactly k public keys, where k is the number given to the constructor of this class. It MUST be the same number as used at the creation of cs (see TMCG_CardSecret). The parameter index is from the interval [0, k - 1] and determines the position of the players public key in the container ring.

— Method on SchindelhauerTMCG: void TMCG_CreateCardSecret (VTMF_CardSecret& cs, BarnettSmartVTMF_dlog* vtmf)

This method initializes the card secret cs with a random value which is necessary to perform later a masking operation on a card. The parameter vtmf is a pointer to an already initialized VTMF instance, i.e. the key generation protocol MUST be successfully finished (see BarnettSmartVTMF_dlog and BarnettSmartVTMF_dlog_GroupQR, respectively).

— Method on SchindelhauerTMCG: void TMCG_CreatePrivateCard (TMCG_Card& c, TMCG_CardSecret& cs, const TMCG_PublicKeyRing& ring, size_t index, size_t type)

This method initializes a masked card c with the given type and a corresponding card secret cs using the encoding scheme of Schindelhauer. The type MUST be an integer from the interval [0, 2^w - 1], where w is the number given to the constructor of this class. The w MUST be the same number as used at creation of c (see TMCG_Card) and cs (see TMCG_CardSecret). The parameter ring is a container with exactly k public keys, where k is the number given to the constructor of this class. The k MUST be the same number as used at the creation of c and cs. The parameter index is from the interval [0, k - 1] and determines the position of the players public key in the container ring. Internally, TMCG_CreatePrivateCard calls

1. TMCG_CreateOpenCard to initialize c with type,
2. TMCG_CreateCardSecret to initialize cs with random values, and
3. TMCG_MaskCard to mask c with the secret cs.

— Method on SchindelhauerTMCG: void TMCG_CreatePrivateCard (VTMF_Card& c, VTMF_CardSecret& cs, BarnettSmartVTMF_dlog* vtmf, size_t type)

This method initializes a masked card c with the given type and a corresponding card secret cs using the encoding scheme of Barnett and Smart. The type MUST be an integer from the interval [0, 2^w - 1], where w is the number given to the constructor of this class. The parameter vtmf is a pointer to an already initialized VTMF instance, i.e. the key generation protocol MUST be successfully finished (see BarnettSmartVTMF_dlog and BarnettSmartVTMF_dlog_GroupQR, respectively). Specifically, TMCG_CreatePrivateCard directly executes the masking operation of the verifiable masking protocol.

— Method on SchindelhauerTMCG: void TMCG_MaskCard (const TMCG_Card& c, TMCG_Card& cc, const TMCG_CardSecret& cs, const TMCG_PublicKeyRing& ring, bool TimingAttackProtection =true)

This method performs a masking operation on the open or already masked card c using the encoding scheme of Schindelhauer. Finally it returns the result in cc. The parameter cs MUST be an initialized fresh card secret which has NEVER been involved in a masking operation before. The parameters c, cc, and cs MUST be created such that their k and w corresponds to the numbers given to the constructor of this class, respectively. The parameter ring is a container with exactly k public keys. The protection against timing attacks is turned on, if TimingAttackProtection is set to true.

— Method on SchindelhauerTMCG: void TMCG_MaskCard (const VTMF_Card& c, VTMF_Card& cc, const VTMF_CardSecret& cs, BarnettSmartVTMF_dlog* vtmf, bool TimingAttackProtection =true)

This method performs a masking operation on the open or already masked card c using the encoding scheme of Barnett and Smart. Finally it returns the result in cc. Specifically, TMCG_MaskCard directly executes the masking operation of the verifiable re-masking protocol. The parameter cs MUST be an initialized fresh card secret which has NEVER been involved in a masking operation before. The parameter vtmf is a pointer to an already initialized VTMF instance, i.e. the key generation protocol MUST be successfully finished (see BarnettSmartVTMF_dlog and BarnettSmartVTMF_dlog_GroupQR, respectively). The protection against timing attacks is turned on, if TimingAttackProtection is set to true.

— Method on SchindelhauerTMCG: void TMCG_ProveMaskCard (const TMCG_Card& c, const TMCG_Card& cc, const TMCG_CardSecret& cs, const TMCG_PublicKeyRing& ring, std::istream& in, std::ostream& out)

This method should be called by the prover after TMCG_MaskCard to show that he performed the masking operation correctly. The parameters c, cc, and cs are the input, the result, and the used card secret of TMCG_MaskCard, respectively. They MUST be created such that their k resp. w corresponds to the numbers given to the constructor of this class. The parameter ring is a container with exactly k public keys. The input/output protocol messages from and to the verifier are transmitted on the streams in and out, respectively.

— Method on SchindelhauerTMCG: void TMCG_ProveMaskCard (const VTMF_Card& c, const VTMF_Card& cc, const VTMF_CardSecret& cs, BarnettSmartVTMF_dlog* vtmf, std::istream& in, std::ostream& out)

This method should be executed by the prover after calling TMCG_MaskCard to show that he performed the masking operation correctly. Specifically, TMCG_ProveMaskCard directly calls the prove operation of the verifiable re-masking protocol. The parameters c, cc, and cs are the input, the result, and the used card secret of TMCG_MaskCard, respectively. The parameter vtmf is a pointer to an already initialized VTMF instance, i.e. the key generation protocol MUST be successfully finished. The input/output protocol messages from and to the verifier are transmitted on the streams in and out, respectively.

— Method on SchindelhauerTMCG: bool TMCG_VerifyMaskCard (const TMCG_Card& c, const TMCG_Card& cc, const TMCG_PublicKeyRing& ring, std::istream& in, std::ostream& out)

This method should be executed by the verifier to check whether or not a masking operation was performed correctly. The parameters c and cc are the input and the result of TMCG_MaskCard, respectively. They MUST be created such that their k resp. w corresponds to the numbers given to the constructor of this class. The parameter ring is a container with exactly k public keys. The input/output protocol messages from and to the prover are transmitted on the streams in and out, respectively. The method returns true, if everything was sound.

— Method on SchindelhauerTMCG: bool TMCG_VerifyMaskCard (const VTMF_Card& c, const VTMF_Card& cc, BarnettSmartVTMF_dlog* vtmf, std::istream& in, std::ostream& out)

This method should be executed by the verifier to check whether or not a masking operation was performed correctly. Specifically, TMCG_VerifyMaskCard directly calls the verify operation of the verifiable re-masking protocol. The parameters c and cc are the input and the result of TMCG_MaskCard, respectively. The parameter vtmf is a pointer to an already initialized VTMF instance, i.e. the key generation protocol MUST be successfully finished. The input/output protocol messages from and to the prover are transmitted on the streams in and out, respectively. The method returns true, if everything was sound.

— Method on SchindelhauerTMCG: void TMCG_ProveCardSecret (const TMCG_Card& c, const TMCG_SecretKey& key, size_t index, std::istream& in, std::ostream& out)

This method is used to reveal the card type of c to a verifier. Every player must execute this method as prover. The card c MUST be created such that its k resp. w corresponds to the numbers given to the constructor of this class. The parameter key is the corresponding secret key (see TMCG_SecretKey) of the prover. The parameter index is from the interval [0, k - 1] and contains the position of the provers public key in the container ring (same as in TMCG_CreateCardSecret). The input/output protocol messages from and to the verifier are transmitted on the streams in and out, respectively.

— Method on SchindelhauerTMCG: void TMCG_ProveCardSecret (const VTMF_Card& c, BarnettSmartVTMF_dlog* vtmf, std::istream& in, std::ostream& out)

This method is used to reveal the card type of c to a verifier. Every player must execute this method as prover. Specifically, TMCG_ProveCardSecret directly calls the prove operation of the verifiable decryption protocol. The parameter vtmf is a pointer to an already initialized VTMF instance, i.e. the key generation protocol MUST be successfully finished. The input/output protocol messages from and to the verifier are transmitted on the streams in and out, respectively.

— Method on SchindelhauerTMCG: bool TMCG_VerifyCardSecret (const TMCG_Card& c, TMCG_CardSecret& cs, const TMCG_PublicKey& key, size_t index, std::istream& in, std::ostream& out)

This method is used to verify and accumulate card type information regarding c that are supplied by a prover. It is the opposite method of TMCG_ProveCardSecret and must be executed by the player who wants to know the type. The secrets provided by the single provers are accumulated in the parameter cs. Thus c and cs MUST be created such that their k resp. w corresponds to the numbers given to the constructor of this class. The parameter key is the corresponding public key (see TMCG_PublicKey) of the prover. The parameter index is from the interval [0, k - 1] and contains the position of the provers public key in the container ring (same as in TMCG_CreateCardSecret). The input/output protocol messages from and to the prover are transmitted on the streams in and out, respectively.

— Method on SchindelhauerTMCG: bool TMCG_VerifyCardSecret (const VTMF_Card& c, BarnettSmartVTMF_dlog* vtmf, std::istream& in, std::ostream& out)

This method is used to verify and accumulate card type information regarding c that are supplied by a prover. It is the opposite method of TMCG_ProveCardSecret and must be executed by the player who wants to know the type. The secrets provided by the single provers are accumulated internally, thus this method cannot be interleaved with the opening of other cards. Specifically, TMCG_VerifyCardSecret directly calls the verify and update operation of the verifiable decryption protocol. The parameter vtmf is a pointer to an already initialized VTMF instance, i.e. the key generation protocol MUST be successfully finished. The input/output protocol messages from and to the verifier are transmitted on the streams in and out, respectively.

— Method on SchindelhauerTMCG: void TMCG_SelfCardSecret (const TMCG_Card& c, TMCG_CardSecret& cs, const TMCG_SecretKey& key, size_t index)

This method is used to compute and accumulate card type information regarding c. Analogously to TMCG_VerifyCardSecret it must be executed by the player who wants to know the type of c. The information is accumulated in the parameter cs. Thus c and cs MUST be created such that their k resp. w corresponds to the numbers given to the constructor of this class. The parameter key is the corresponding secret key (see TMCG_SecretKey) of the player. The parameter index is from the interval [0, k - 1] and contains the position of the players public key in the container ring (same as in TMCG_CreateCardSecret).

— Method on SchindelhauerTMCG: void TMCG_SelfCardSecret (const VTMF_Card& c, BarnettSmartVTMF_dlog* vtmf)

This method is used to compute and accumulate card type information regarding c. It MUST be called by the player who wants to know the type of c BEFORE TMCG_VerifyCardSecret and TMCG_TypeOfCard are executed. The secrets provided by the player are accumulated internally, thus this method cannot be interleaved with the opening of other cards. Specifically, TMCG_SelfCardSecret directly calls the initialize operation of the verifiable decryption protocol. The parameter vtmf is a pointer to an already initialized VTMF instance, i.e. the key generation protocol MUST be successfully finished.

— Method on SchindelhauerTMCG: size_t TMCG_TypeOfCard (const TMCG_CardSecret& cs)

This method returns the type of a masked card provided that the type information were properly accumulated in cs before (by calling TMCG_SelfCardSecret and TMCG_VerifyCardSecret, respectively).

— Method on SchindelhauerTMCG: size_t TMCG_TypeOfCard (const VTMF_Card& c, BarnettSmartVTMF_dlog* vtmf)

This method returns the type of a masked card c provided that the type information regarding c were properly accumulated internally before (by calling TMCG_SelfCardSecret and TMCG_VerifyCardSecret, respectively). It returns the value TMCG_MaxCardType, if the opening operation failed or if the card type was not among the set of valid types. This method MUST be performed by the player who wants to know the type AFTER TMCG_SelfCardSecret and TMCG_VerifyCardSecret are executed. Specifically, TMCG_TypeOfCard directly calls the finalize operation of the verifiable decryption protocol. The parameter vtmf is a pointer to an already initialized VTMF instance, i.e. the key generation protocol MUST be successfully finished.

— Method on SchindelhauerTMCG: size_t TMCG_CreateStackSecret (TMCG_StackSecret<TMCG_CardSecret>& ss, bool cyclic, const TMCG_PublicKeyRing& ring, size_t index, size_t size)

This method initializes the stack secret ss with a randomly chosen permutation and fresh card secrets. Later this stack secret can be used to perform a secret shuffle operation on a stack. If the parameter cyclic is set to true, then the permutation is only a cyclic shift which might be of interest for particular operations, e.g. cutting the deck. The parameter ring is a container with exactly k public keys, where k is the number given to the constructor of this class. The parameter index is from the interval [0, k - 1] and contains the position of the players public key in the container ring. The parameter size determines the size of the created stack secret, i.e. the number of cards in the corresponding stack. The size is upper-bounded by TMCG_MAX_CARDS. The method returns the offset of the cyclic shift, if cyclic was set to true. Otherwise, the value 0 is returned.

— Method on SchindelhauerTMCG: size_t TMCG_CreateStackSecret (TMCG_StackSecret<VTMF_CardSecret>& ss, bool cyclic, size_t size, BarnettSmartVTMF_dlog* vtmf)

This method initializes the stack secret ss with a randomly chosen permutation and fresh card secrets. Later this stack secret can be used to perform a secret shuffle operation on a stack. If the parameter cyclic is set to true, then the permutation is only a cyclic shift which might be of interest for particular operations, e.g. cutting the deck. The parameter size determines the size of the created stack secret, i.e. the number of cards in the corresponding stack. The size is upper-bounded by TMCG_MAX_CARDS. The parameter vtmf is a pointer to an already initialized VTMF instance, i.e. the key generation protocol MUST be successfully finished. The method returns the offset of the cyclic shift, if cyclic was set to true. Otherwise, the value 0 is returned.

— Method on SchindelhauerTMCG: void TMCG_MixStack (const TMCG_Stack<TMCG_Card>& s, TMCG_Stack<TMCG_Card>& s2, const TMCG_StackSecret<TMCG_CardSecret>& ss, const TMCG_PublicKeyRing& ring, bool TimingAttackProtection =true)

This method shuffles a given stack s according to the previously created stack secret ss (see TMCG_CreateStackSecret). The result of the shuffle is returned in s2. The parameter ss MUST be a fresh stack secret which has NEVER been involved in a shuffle operation before. The parameters s and ss MUST be of the same size. The parameter ring is a container with exactly k public keys, where k is the number given to the constructor of this class. The protection against timing attacks is turned on, if TimingAttackProtection is set to true.

— Method on SchindelhauerTMCG: void TMCG_MixStack (const TMCG_Stack<VTMF_Card>& s, TMCG_Stack<VTMF_Card>& s2, const TMCG_StackSecret<VTMF_CardSecret>& ss, BarnettSmartVTMF_dlog* vtmf, bool TimingAttackProtection =true)

This method shuffles a given stack s according to the previously created stack secret ss (see TMCG_CreateStackSecret). The result of the shuffle is returned in s2. The parameter ss MUST be a fresh stack secret which has NEVER been involved in a shuffle operation before. The parameters s and ss MUST be of the same size. The parameter vtmf is a pointer to an already initialized VTMF instance, i.e. the key generation protocol MUST be successfully finished. The protection against timing attacks is turned on, if TimingAttackProtection is set to true.

— Method on SchindelhauerTMCG: void TMCG_ProveStackEquality (const TMCG_Stack<TMCG_Card>& s, const TMCG_Stack<TMCG_Card>& s2, const TMCG_StackSecret<TMCG_CardSecret>& ss, bool cyclic, const TMCG_PublicKeyRing& ring, size_t index, std::istream& in, std::ostream& out)

This method should be called by the prover after TMCG_MixStack to show that he performed the shuffle operation correctly. The parameters s, s2, and ss are the input, the result, and the used stack secret of TMCG_MixStack, respectively. Of course, the parameters s, s2, and ss MUST be of the same size. The parameter cyclic determines whether a cyclic shift or a full permutation was used to shuffle the stack. The parameter ring is a container with exactly k public keys, where k is the number given to the constructor of this class. The parameter index is from the interval [0, k - 1] and contains the position of the provers public key in the container ring. The input/output protocol messages from and to the verifier are transmitted on the streams in and out, respectively.

— Method on SchindelhauerTMCG: void TMCG_ProveStackEquality (const TMCG_Stack<VTMF_Card>& s, const TMCG_Stack<VTMF_Card>& s2, const TMCG_StackSecret<VTMF_CardSecret>& ss, bool cyclic, BarnettSmartVTMF_dlog* vtmf, std::istream& in, std::ostream& out)

This method should be called by the prover after TMCG_MixStack to show that he performed the shuffle operation correctly. The parameters s, s2, and ss are the input, the result, and the used stack secret of TMCG_MixStack, respectively. Of course, the parameters s, s2, and ss MUST be of the same size. The parameter cyclic determines whether a cyclic shift or a full permutation was used to shuffle the stack. The parameter vtmf is a pointer to an already initialized VTMF instance, i.e. the key generation protocol MUST be successfully finished. The input/output protocol messages from and to the verifier are transmitted on the streams in and out, respectively.

— Method on SchindelhauerTMCG: void TMCG_ProveStackEquality_Groth (const TMCG_Stack<VTMF_Card>& s, const TMCG_Stack<VTMF_Card>& s2, const TMCG_StackSecret<VTMF_CardSecret>& ss, BarnettSmartVTMF_dlog* vtmf, GrothVSSHE* vsshe, std::istream& in, std::ostream& out)

This is a method like above. The only difference is that the more efficient shuffle verification protocol of Groth is used. Thus vsshe is a pointer to an initialized instance of GrothVSSHE. The rest of the arguments are the same.

— Method on SchindelhauerTMCG: bool TMCG_VerifyStackEquality (const TMCG_Stack<TMCG_Card>& s, const TMCG_Stack<TMCG_Card>& s2, bool cyclic, const TMCG_PublicKeyRing& ring, std::istream& in, std::ostream& out)

This method should be executed by the verifier to check whether or not a shuffle operation was performed correctly. The parameters s and s2 are the input and the result of TMCG_MixStack, respectively. Of course, the parameters s and s2 should be of the same size. The parameter cyclic determines whether a cyclic shift or a full permutation was used to shuffle the stack. The parameter ring is a container with exactly k public keys, where k is the number given to the constructor of this class. The input/output protocol messages from and to the prover are transmitted on the streams in and out, respectively. This method returns true, if the shuffle operation was successfully verified.

— Method on SchindelhauerTMCG: bool TMCG_VerifyStackEquality (const TMCG_Stack<VTMF_Card>& s, const TMCG_Stack<VTMF_Card>& s2, bool cyclic, BarnettSmartVTMF_dlog* vtmf, std::istream& in, std::ostream& out)

This method should be executed by the verifier to check whether or not a shuffle operation was performed correctly. The parameters s and s2 are the input and the result of TMCG_MixStack, respectively. Of course, the parameters s and s2 should be of the same size. The parameter cyclic determines whether a cyclic shift or a full permutation was used to shuffle the stack. The parameter vtmf is a pointer to an already initialized VTMF instance, i.e. the key generation protocol MUST be successfully finished. The input/output protocol messages from and to the verifier are transmitted on the streams in and out, respectively. This method returns true, if the shuffle operation was successfully verified.

— Method on SchindelhauerTMCG: bool TMCG_VerifyStackEquality_Groth (const TMCG_Stack<VTMF_Card>& s, const TMCG_Stack<VTMF_Card>& s2, BarnettSmartVTMF_dlog* vtmf, GrothVSSHE* vsshe, std::istream& in, std::ostream& out)

This is a method like above. The only difference is that the more efficient shuffle verification protocol of Groth is used. Thus vsshe is a pointer to an initialized instance of GrothVSSHE. The rest of the arguments and the returned values are the same.

— Destructor on SchindelhauerTMCG: ~SchindelhauerTMCG ()

This destructor releases all occupied resources.