UC-Secure Star DKG for Non-Exportable Key Shares with VSS-Free Enforcement
Authors: Vipin Singh Sehrawat
Vipin Singh Sehrawat (vipin.sehrawat.cs@gmail.com), Circle Internet⋆

Abstract. Distributed Key Generation (DKG) lets parties derive a common public key while keeping the signing key secret-shared. In UC-secure DKG, the transcript must enforce (i) secrecy against unauthorized corruptions and (ii) uniqueness and affine consistency of the induced sharing. Classically, these obligations are satisfied by a Verifiable-Sharing Enforcement (VSE) layer—realized via Verifiable Secret Sharing (VSS) and/or commitment-and-proof mechanisms—that distributes and later manipulates shares. This paper targets the Non-eXportable Key (NXK) setting enforced by hardware-backed key-isolation modules (e.g., secure enclaves/TEEs configured as restricted keystores, or HSM-like APIs), formalized via an ideal KeyBox (keystore) functionality F_KeyBox that keeps shares non-exportable (including caller-invertible affine images) and permits only attested KeyBox-to-KeyBox sealing. In this setting, confidentiality can be delegated to the NXK/KeyBox boundary; the remaining challenge in realizing the VSE layer, without VSS-style mechanisms (opening/complaints/resharing), is to enforce transcript-defined affine consistency without exporting, opening, or resharing the secret shares. Assuming a key-opaque, state-continuous NXK/KeyBox boundary, classical rewinding/forking-lemma extraction arguments are not implementable. Hence, straight-line extraction is required.

We present a Universally Composable (UC) DKG design for NXK by combining (i) NXK/KeyBox confidentiality; (ii) Unique Structure Verification (USV), which is a publicly verifiable certificate mechanism intended for tightly coupled NXK deployments where the certified scalar is non-exportable and never leaves the KeyBox, yet the corresponding public group element is deterministically derivable from the transcript; and (iii) UC-extractable non-interactive zero-knowledge arguments of knowledge via the Fischlin transform in our gRO-CRP-hybrid (global Random Oracle with Context-Restricted Programmability) model to enforce the affine constraints normally certified by VSS-style machinery. Using these tools, we construct a UC-secure Star DKG (SDKG) scheme that is tailored to multi-device wallets with a designated service that must co-sign but can never sign alone. SDKG realizes a 1+1-out-of-n star access structure wherein the center (mandatory) and any leaf of a star graph form a minimal authorized subset. SDKG implements a two-leaf star over roles (primary vs. recovery) and supports role-based registration. In the F_KeyBox-hybrid and gRO-CRP models, assuming authenticated confidential channels (leaking only message lengths), under DL and DDH hardness assumptions with adaptive corruptions and secure erasures, SDKG UC-realizes a transcript-driven refinement of the standard UC-DKG functionality. Over a prime-order group of size p, SDKG incurs Õ(n log p) communication overhead and Õ(n log^{2.585} p) bit-operation cost, while registering a recovery device incurs Õ(log p) communication and Õ(log^{2.585} p) bit-operation costs, respectively. For a 128-bit instantiation with fixed Fischlin parameters, the base transcript (for 1+1-out-of-3 SDKG) is ≈ 11–13 KiB.
Keywords: DKG · UC security · Non-exportable keys · TEE · HSM · UC-NIZK-AoK · Verifiable-sharing enforcement · Star access structure · MPC wallets

⋆ The views expressed in this paper are solely those of the author and do not necessarily reflect those of Circle Internet or any other affiliated organizations.

Table of Contents
List of Results 3
1 Introduction 4
1.1 Our Contributions 5
1.2 Related Work 6
1.3 Organization 6
2 The NXK and KeyBox Setting 7
2.1 Terminology and leakage model 8
2.2 Notation, conventions, and ideal channels 9
2.3 Admissible KeyBox profiles and key-opacity 9
2.4 State continuity and failure modes 13
2.5 Hybrid execution model and NXK-restricted material 14
2.6 Real-world instantiations of admissible KeyBox profiles 15
    Implementation note (non-normative) 15
3 The Conflict: Verifiable Sharing vs. NXK 16
3.1 DKG subsumes dealerless (R)VSS 17
3.2 Exported-share enforcement vs. NXK 17
4 Cryptographic Primitives for State-Continuous KeyBoxes 19
5 Enforcing Public Structure without Export: USV Certificates 27
    Relation to standard notions 29
5.1 Why USV is needed under hardened NXK profiles (overview) 29
5.2 An Instantiation 30
    Properties of the USV certificate scheme 30
5.3 UC Security 33
6 Enforcing Consistency via Straight-Line Extraction 35
6.1 Affine DL relation 37
7 Star DKG (SDKG) 37
7.1 The Protocol 41
    Hardened deployment: what runs where (KeyBox vs. host) 44
8 UC Security 47
8.1 From F_SDKG to the standard NXK-DKG interface 49
8.2 Formal necessity of USV under hardened profiles 51
    What must be transcript-defined (and why) 51
8.3 Main Theorem 53
9 UC Security of the 1+1-out-of-n SDKG Extension 59
10 Complexity and Overhead 61
11 Conclusion 62
A Programmable Secure Hardware Integration 64
B Candidate KeyBox Implementations and Profile-Capture Checklist 65
B.1 Candidate classes of implementations 65
C Additional application: NXK-compatible commit–reveal randomness beacons 66

List of Results
Lemma 1 (Additive degradation under approximate state continuity) 13
Theorem 1 (UC-DKG implies UC-RVSS) 17
Lemma 2 (Uniqueness is necessary for UC-DKG) 17
Proposition 1 (External fresh-share enrollment and NXK) 17
Lemma 3 (Pre-query bound for gRO-CRP programming) 20
Lemma 4 (No cross-context influence in gRO-CRP) 21
Lemma 5 (Negligible Fischlin error for admissible parameters) 25
Proposition 2 (Strict GRO is insufficient for Fischlin universal simulation) 25
Lemma 6 (Fischlin-based UC-NIZK-AoKs for DL and DLEQ in gRO-CRP) 26
Lemma 7 (Opening-conditional tag simulatability) 31
Lemma 8 (Equivocation resistance of the USV instantiation) 32
Lemma 9 (Handle-bound non-malleability) 33
Theorem 2 (UC security of F_USV) 34
Lemma 10 (Unique responses for Schnorr) 36
Lemma 11 (Unique responses for Chaum–Pedersen) 36
Observation 1 (LinOS does not violate key-opacity) 38
Observation 2 (Lagrange weights) 46
Lemma 12 (Acc_SDKG need not call F_USV.Verify) 46
Lemma 13 (Latent (marginal) uniformity of the SDKG key) 49
Lemma 14 (Closure under interface restriction) 49
Observation 3 (DKG properties captured by F^{⋆,NXK}_DKG) 50
Lemma 15 (Commit-only transcripts cannot define M_2 under NXK/F_KeyBox) 52
Lemma 16 (Transcript uniquely determines the key) 53
Theorem 3 (UC realization of F_SDKG by Ψ^{(3)}_SDKG) 53
Lemma 17 (Fresh tagged statements for SDKG extraction) 55
Lemma 18 (Registration/RDR simulation) 57
Corollary 1 (Standard NXK-DKG interface) 59
Corollary 2 (Compiling out F_USV) 59
Theorem 4 (UC security of F^{(n)}_SDKG) 59

1 Introduction

The rise of cryptocurrencies and decentralized applications has heightened the necessity for secure and versatile key management solutions. Multiparty Computation (MPC) [62, 34] wallets, implementing Distributed Key Generation (DKG) [52, 33] and threshold signing [22, 23], have become prevalent because they provide robust security without the need for a trusted party. In practice, some users may prefer managing multiple authorized devices, {P_i}_{i=2}^n, in collaboration with a service provider, P_1, forming a star topology with P_1 as the center and {P_i}_{i=2}^n as the leaves. Furthermore, some deployments require a designated service that must always be involved in signing, yet can never sign alone. Typical examples include: (i) regulated custodians that must co-sign for compliance and auditing; (ii) "recovery-with-friction" consumer wallets, where a risk engine enforces spending limits and/or anomaly detection; and (iii) enterprise wallets, where all transactions must flow through a corporate signing service.
In such settings, a uniform threshold structure is ill-suited because it: (i) either authorizes subsets ⊆ {P_i}_{i=2}^n, excluding P_1, or (ii) forces P_1 to hold a threshold number of shares, effectively authorizing a singleton access structure. This work targets the star access structure in which the minimal authorized sets are {P_1, P_i} for i ≥ 2. Formally, the family of minimal authorized subsets (Γ_0) and the corresponding access structure (Γ) are defined as:

    Γ_0 := {{P_1, P_i}}_{i=2}^n;   Γ := { S ⊆ {P_i}_{i∈[n]} : ∃ i ≥ 2, {P_1, P_i} ⊆ S }.

This mandatory-center co-signing pattern is reminiscent of mediated / server-supported signature systems [8, 7, 24] and more recent server-assisted key-use designs [45]. Our focus differs because we need dealerless DKG under secret non-exportability and Universally Composable (UC) [13] composition—natural requirements for MPC wallets deployed in complex environments. Hardware-backed key-isolation modules—e.g., secure enclaves/TEEs when configured as restricted keystores, or HSM-like APIs [58]—can enforce a Non-eXportable Key (NXK) model which binds secrets to hardware and forbids exporting them (including any caller-invertible affine image), permitting only attested KeyBox-to-KeyBox sealing. Thus, in a DKG performed under NXK, each signing share is generated and stored inside the module in which it was created and can only be accessed via a restricted interface. This constraint rules out classical rewinding/forking-lemma extraction [53, 5] for Schnorr/Fiat–Shamir-style proofs [29, 55, 56] at the hardware boundary. Throughout, we use "KeyBox" to denote this kind of hardware-backed key-isolation module. We introduce Unique Structure Verification (USV), which is meant to operate precisely at this NXK/KeyBox boundary.
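As an added illustration (not code from the paper) of the star access structure Γ defined above and of the claim that no uniform threshold captures it: the Python below enumerates all subsets of {P_1, ..., P_n}, computes the minimal authorized sets Γ_0 from the predicate Γ, and checks every uniform t-out-of-n threshold against Γ, reporting the first subset on which the two disagree. Party names "P1", "P2", ... and the helper function names are this example's own conventions.

```python
from itertools import chain, combinations


def parties(n):
    """Party identifiers: P1 is the mandatory center, P2 ... Pn are the leaves."""
    return ["P%d" % i for i in range(1, n + 1)]


def star_authorized(subset):
    """Gamma: S is authorized iff it contains P1 and at least one leaf P_i, i >= 2."""
    s = set(subset)
    return "P1" in s and any(p != "P1" for p in s)


def threshold_authorized(subset, t):
    """Uniform t-out-of-n threshold structure: authorized iff |S| >= t."""
    return len(set(subset)) >= t


def all_subsets(n):
    ps = parties(n)
    return [frozenset(c)
            for c in chain.from_iterable(combinations(ps, r) for r in range(len(ps) + 1))]


def minimal_authorized(n, authorized=star_authorized):
    """Gamma_0: authorized sets none of whose proper subsets is authorized."""
    auth = [s for s in all_subsets(n) if authorized(s)]
    return sorted((s for s in auth if not any(o < s for o in auth)), key=sorted)


def thresholds_matching_star(n):
    """Uniform thresholds t in 1..n whose access structure coincides with Gamma."""
    subsets = all_subsets(n)
    return [t for t in range(1, n + 1)
            if all(star_authorized(s) == threshold_authorized(s, t) for s in subsets)]


def why_threshold_fails(n, t):
    """Smallest subset (by size, then name) where t-out-of-n and Gamma disagree.

    Returns (sorted subset, star verdict, threshold verdict), or None if they agree everywhere.
    """
    for s in sorted(all_subsets(n), key=lambda s: (len(s), sorted(s))):
        if star_authorized(s) != threshold_authorized(s, t):
            return sorted(s), star_authorized(s), threshold_authorized(s, t)
    return None


if __name__ == "__main__":
    n = 3
    print("Gamma_0 for n=3:", [sorted(s) for s in minimal_authorized(n)])
    print("thresholds equal to the star structure:", thresholds_matching_star(n))
    for t in range(1, n + 1):
        print("t=%d disagrees on" % t, why_threshold_fails(n, t))
```

For n = 3 the run shows the two failure modes named in the text: t ≤ 2 authorizes a leaf-only set such as {P2, P3} (case (i)), while t = 3 rejects the minimal authorized pair {P1, P2}; only the degenerate n = 2 case is expressible as a uniform threshold (t = 2).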
In particular, USV targets the tightly coupled setting in which the scalar being committed-to/certified is KeyBox-resident and non-exportable, so it cannot be revealed to the host or appear in the public transcript. The protocol exports only a publicly verifiable certificate, from which any verifier can deterministically derive the associated public group element needed by transcript-defined checks, without ever exporting the scalar or its invertible affine image. A UC-secure DKG must realize the secrecy and uniqueness guarantees of dealerless (random) Verifiable Secret Sharing (VSS) [20, 28, 52] as a subtask (formalized in Section 3 (p. 16)). Therefore, existing UC-secure DKGs include some Verifiable-Sharing Enforcement (VSE) layer that prevents equivocation and enforces affine consistency of parties' contributions. Classically, this layer is instantiated using VSS and its variants (e.g., [61, 10]) via commitments [6] and complaint/opening logic [28, 33]. In other UC(-style) threshold key-generation components (e.g., [28, 52, 33]), the VSE layer is realized via commitment-and-proof / (Non-)Interactive Zero-Knowledge ((N)IZK)-based mechanisms that enforce the required VSS-style obligations. Either way, traditional UC-secure DKG requires that (linear combinations of) shares can be computed and transmitted outside the device that holds them, an assumption that is incompatible with NXK.

Roles vs. devices. We distinguish between cryptographic roles and the physical devices / secure hardware instances that host those roles. Our base construction realizes a two-leaf star over roles: the mandatory service P_1 (center) must co-sign with either (i) a primary-role share (held by a designated primary device, say P_2) or (ii) a recovery-role share. Our n-device extension supports Role-based Device Registration (RDR) under NXK by enrolling additional recovery devices as redundant front-ends for the same recovery role.
Concretely, each recovery device contains an independent KeyBox instance that ultimately holds the same recovery-role share k_rec, but this replication is not a share export: enrollment is performed via attested KeyBox-to-KeyBox sealing and a one-shot installation procedure that never places share-deriving plaintext in the public transcript and preserves the KeyBox profile assumptions (key-opacity/state continuity). Thus, the access structure is star-shaped over devices, while being implemented as a two-leaf star over unique role shares (primary vs. recovery); hence we also call it a 1+1-out-of-n (star) access structure.

1.1 Our Contributions

We model the NXK/KeyBox boundary as an ideal functionality: the KeyBox provides confidentiality for non-exportable shares via a restricted API. We leverage that, together with other tools summarized in Table 1 (p. 5), to realize the VSE layer under NXK without VSS-style exported-share machinery. Our contributions are multifold and can be summarized as follows:

| Hardware constraint | Standard approaches' shortcomings | Our mechanism |
|---|---|---|
| State continuity (no rollback) | Rewinding/forking-lemma extraction requires rolling back a prover to reuse the same commitment under two challenges. | Fischlin-based UC-NIZK-AoK with straight-line simulation/extraction (formalized in gRO-CRP). |
| NXK (non-exportable secrets) | VSS/resharing/opening typically assumes exportable shares or share-derived witnesses to enforce polynomial relations and reconfigure trust; NXK blocks exporting the needed witnesses. | USV certificates (KeyBox-resident witness): certify transcript-defined public structure verifiable outside the KeyBox, while the witness never leaves. |
| No caller-decryptable "wrap" | Exporting encrypted shares under caller-known keys breaks key-opacity [9]. | KeyBox-to-KeyBox sealing + RDR (ciphertexts only unwrap inside a KeyBox; the caller learns no decryption handle). |

Table 1: Mapping KeyBox/NXK constraints to why UC-DKG enforcement via exportable shares breaks, and the tools we use instead.

1. We introduce Unique Structure Verification (USV) as a non-interactive, publicly verifiable certificate designed for NXK-coupled deployments, where the scalar witness is non-exportable and confined to a KeyBox, and only the certificate is released outside the KeyBox boundary. Conceptually, USV is a publicly extractable commitment-to-group-element abstraction: any party can deterministically derive the canonical public group element, while the committed scalar remains hidden (and non-exportable). Moreover, tags are efficiently simulatable conditioned on the derived opening. We formalize USV both as a primitive and as a handle-bound ideal functionality, and prove its UC security in our global Random Oracle with Context-Restricted Programmability (gRO-CRP)-hybrid model (Definition 9 (p. 19)) with adaptive corruptions and secure erasures, under the Discrete Logarithm (DL) and Decision Diffie-Hellman (DDH) hardness assumptions.
2. We enforce transcript-defined affine relations directly using Fischlin-style [30] UC-NIZK Arguments of Knowledge (AoKs) with straight-line extraction in the gRO-CRP model.
3. We identify and formalize the specific enforcement functionality needed by UC-DKGs in the NXK setting: enforcing transcript-defined linear/affine relations between parties' hidden scalars while keeping designated signing shares non-exportable and resilient to adaptive corruptions, without invoking resharing.
We show how to enforce these relations by: (a) routing sensitive state through a KeyBox interface (confidentiality), (b) using USV to obtain canonical, handle-bound public openings to the group elements corresponding to KeyBox-resident scalars, and (c) using UC-NIZK-AoKs to certify the cross-party affine constraints that an exported-share enforcement layer would normally check via commitments, and VSS(-like) verification and dispute logic. We also formalize the incompatibility between classical VSE and the NXK/KeyBox boundary: VSS-style complaint/opening/resharing (and related reconfiguration mechanisms) inherently rely on exporting shares or share-derived values, which our NXK model rules out (Sections 3 (p. 16) and 8.2 (p. 51)).
4. We construct a constant-round UC-secure Star DKG (SDKG) scheme, supporting a 1+1-out-of-3 star access structure as the base case: P_1 must co-sign with either a primary device P_2 or a recovery role P_3. Our n-device extension supports Role-based Device Registration (RDR) by enrolling additional recovery devices as redundant front-ends with independent KeyBoxes. Our constant-round UC-secure SDKG for the 1+1-out-of-n star access structure incurs Õ(n log p) communication cost and Õ(n log^{2.585} p) bit-ops computation overhead. The RDR extension adds per device O(log p) communication bits and Õ(log^{2.585} p) work.

1.2 Related Work

Closest in application spirit to our "mandatory service participates" setting, Snetkov et al. [60] give a UC treatment of server-supported signatures for smartphones. Their focus is two-party server-assisted signing, whereas we target dealerless DKG for a star access structure under NXK with post-DKG RDR. For a recent systematization of DL-based DKG protocols, see [3].
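The following toy is an added example, not code from the paper, showing why contribution (2) and the first row of Table 1 lean on a Fischlin-style transform: it implements a simplified Fischlin proof of knowledge of a discrete logarithm in a small prime-order subgroup of Z_P^* together with an extractor that recovers the witness from the random-oracle query log in one straight-line pass, never rewinding the prover (the only kind of extraction available when the prover's state lives in a state-continuous KeyBox). The group (P = 1019, Q = 509, G = 4), the repetition/hash parameters R, B, T, and the "trailing zero bits" acceptance rule (in place of the paper's optimized Fischlin parameters) are assumptions of this example and far too small to be secure.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only (NOT secure sizes).
P = 1019   # safe prime: P = 2*Q + 1
Q = 509    # prime order of the subgroup generated by G
G = 4      # 4 = 2^2 is a quadratic residue mod P, so it has order Q
R = 12     # Fischlin repetitions (parallel Schnorr instances)
B = 3      # a repetition is accepted when its hash ends in B zero bits
T = 8      # challenges are T-bit integers; 2^T < Q keeps (e - e') invertible mod Q


class Oracle:
    """SHA-256 random oracle that logs every query it answers.

    The extractor reads this log instead of rewinding the prover: the prover runs once,
    exactly as it would against a KeyBox that cannot be rolled back to an earlier state.
    """

    def __init__(self):
        self.log = []

    def query(self, *items):
        data = "|".join(repr(it) for it in items).encode()
        self.log.append(items)
        return int.from_bytes(hashlib.sha256(data).digest(), "big")


def schnorr_verify(y, a, e, z):
    """Accepting Schnorr transcript for y = G^x: G^z == a * y^e (mod P)."""
    return pow(G, z, P) == (a * pow(y, e, P)) % P


def fischlin_prove(x, y, ro):
    """Prove knowledge of x with y = G^x mod P (simplified Fischlin transform).

    For each repetition i the prover commits a_i = G^k_i and then tries challenges
    e = 0, 1, 2, ... until H(y, all commitments, i, e, z_i(e)) ends in B zero bits.
    The grinding forces the prover to evaluate several valid (e, z) pairs per a_i.
    """
    ks = [secrets.randbelow(Q) for _ in range(R)]
    commits = tuple(pow(G, k, P) for k in ks)
    proof = []
    for i, k in enumerate(ks):
        for e in range(2 ** T):
            z = (k + e * x) % Q
            if ro.query(y, commits, i, e, z) % (2 ** B) == 0:
                proof.append((commits[i], e, z))
                break
        else:  # 2^T tries at success probability 2^-B each: failure is vanishingly rare
            raise RuntimeError("no accepting challenge found for repetition %d" % i)
    return proof


def fischlin_verify(y, proof, ro):
    """Check all R Schnorr transcripts and the hash condition for each of them."""
    if len(proof) != R:
        return False
    commits = tuple(a for a, _, _ in proof)
    for i, (a, e, z) in enumerate(proof):
        if not (0 <= e < 2 ** T and schnorr_verify(y, a, e, z)):
            return False
        if ro.query(y, commits, i, e, z) % (2 ** B) != 0:
            return False
    return True


def straight_line_extract(y, ro):
    """Recover x from the oracle log alone (no rewinding, no second prover run).

    Two accepting transcripts (e, z), (e', z') for the same commitment a_i give
    x = (z - z') / (e - e') mod Q, because both satisfy z = k_i + e*x.
    """
    seen = {}
    for items in ro.log:
        if len(items) != 5 or items[0] != y:
            continue
        _, commits, i, e, z = items
        if not schnorr_verify(y, commits[i], e, z):
            continue  # ignore malformed or non-accepting queries
        key = (commits, i)
        if key in seen and seen[key][0] != e:
            e1, z1 = seen[key]
            return ((z - z1) * pow(e - e1, -1, Q)) % Q
        seen.setdefault(key, (e, z))
    return None


if __name__ == "__main__":
    ro = Oracle()
    x = secrets.randbelow(Q)
    y = pow(G, x, P)
    proof = fischlin_prove(x, y, ro)
    print("proof verifies:", fischlin_verify(y, proof, ro))
    print("witness extracted from the query log:", straight_line_extract(y, ro) == x)
```

The point to observe is that the extractor is a passive reader of the oracle: it needs no control over the prover's randomness and no second execution with a different challenge, which is what a forking-lemma argument would require and what a state-continuous KeyBox forbids.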
When reviewing the rest of the related literature, we restrict attention to UC-secure DKGs, and evaluate them over two central axes: (i) NXK compatibility and (ii) RDR support. Lindell–Nof [44] give a practical full-threshold ECDSA protocol. Instantiating their ideal functionalities with UC-secure commitments and Zero-Knowledge (ZK) yields a protocol that UC-realizes an ideal ECDSA functionality. However, their scheme targets a fixed party set and manipulates shares via generic MPC over plaintext shares and ciphertexts (no RDR; not NXK). Canetti et al. [15] provide UC threshold ECDSA with proactive key refresh over a fixed party set; dynamic joins are not modeled and several sub-protocols compute or send non-trivial functions of shares (not NXK). Doerner et al. [25] give a three-round threshold ECDSA signing protocol and show that shared keys can be generated via a simple commit-release-and-complain procedure (without proofs of knowledge). However, their setting still assumes exportable shares (not NXK) and does not address RDR. Lindell [43] gives a three-round, straight-line-simulatable DKG for Schnorr signatures [55, 56]; again the party set is fixed and the protocol performs linear operations over shares outside the NXK model. Friedman et al. [32] support reconfiguration in a two-tier 2PC–MPC framework [31] via Publicly VSS [61] and threshold additively homomorphic encryption; this achieves RDR for validators but relies on public ciphertexts and homomorphic operations that lie outside the NXK model. Outside the UC framework, Katz [39] studies the round complexity of fully secure synchronous DKG in the DL setting. Unlike [15], wherein the security proof is carried out in the strict Global Random Oracle (GRO) setting, we operate under a gRO-CRP model that provides a single global oracle but with local-call semantics and restricted programmability tailored to the NXK/KeyBox environment.
In contrast to VSS-based (and VSS-like) UC-DKGs, which require all-to-all distribution of share material and therefore incur Θ(n^2) aggregate communication in the party count even before accounting for complaint/opening traffic, SDKG incurs only a constant number of proof objects in the base run (1+1-out-of-3 setting) and one additional proof per registered device for the extension to the generic 1+1-out-of-n setting. Asymptotically, we treat the Fischlin parameters as functions of the security parameter and choose them to satisfy the standard Fischlin conditions so that the transform's soundness/knowledge-extraction error is negligible in the security parameter. For concrete 128-bit security, we instantiate with fixed parameters and report explicit concrete bounds and sizes. Table 2 (p. 7) summarizes the resulting asymptotic costs.

Note 1. SDKG is specialized to a star access structure (1+1-out-of-n) in the NXK/KeyBox setting. Most prior UC-secure DKGs are analyzed for t-out-of-n threshold access structures, whose Θ(n^2) costs largely reflect the all-to-all communication pattern inherent to threshold DKG/VSS-style protocols. Accordingly, Table 2 (p. 7) is intended as a qualitative comparison of models/techniques and reported asymptotics, not a like-for-like complexity comparison across identical access structures.

| Work | NXK | RDR | DKG bit-ops | DKG comm. (bits) | RDR bit-ops | RDR comm. (bits) |
|---|---|---|---|---|---|---|
| SDKG | ✓ | ✓ | Õ(n κ^{2.585}) | Õ(n κ) | Õ(κ^{2.585}) | Õ(κ) |
| CGGMP21 [15] | × | × | Õ(n^2 κ^{2.585}) | Θ(n^2 κ) | N/A | N/A |
| Lindell–Nof [44] | × | × | Õ(n^2 κ^{2.585} + n^2 η^{2.585}) | Θ(n^2 (κ + η)) | N/A | N/A |
| Lindell [43] | × | × | Õ(n κ^{2.585} (t + 1 + n)) | O(n (t + 1 + n) κ) | N/A | N/A |
| Friedman [32] | × | ✓ | Õ(n^2 κ^{2.585} + n η^{2.585}) | O(n^2 (κ + η)) | Õ(n^2 κ^{2.585} + n^2 η^{2.585}) | Θ(n^2 (κ + η)) |

Table 2: Comparing UC-secure DKG schemes on dominant costs (Karatsuba model [38]). Notation: κ := log p for a prime p; N is a Paillier/class-group modulus; η := log N; and t is the Shamir polynomial degree.

1.3 Organization

The rest of this paper is organized as follows: Section 2 (p. 7) formalizes the NXK/KeyBox setting and our UC execution model, including ideal secure channels and the KeyBox functionality capturing non-exportable long-term secrets and state continuity. Section 3 (p. 16) isolates the VSE obligations that any UC-secure DKG must satisfy, and explains why standard exported-share enforcement and resharing mechanisms clash with NXK. It also recalls relevant cryptographic primitives, namely UC, and the DL and DDH hardness assumptions (along with Decisional DL Equivalence (DDLEQ) for the equivalent DDH game in the "same-exponent across G, H" form aligned with DLEQ/Chaum–Pedersen statements). Section 4 (p. 19) collects cryptographic and modeling preliminaries: the gRO-CRP model and its local-call semantics, and the UC/NIZK(-AoK) notions we use, including the optimized Fischlin transform enabling straight-line extraction; in particular, Proposition 2 (p. 25) explains why strict GRO is not enough for the required simulation interface. Section 5 (p. 27) introduces Unique Structure Verification (USV), gives a concrete instantiation, and proves UC security of the corresponding handle-bound functionality. Section 6 (p. 35) develops the UC-extractable NIZK-AoKs used throughout, including DL, DLEQ, and the affine-DL relations enforced by the transcript. Section 7 (p. 37) presents the SDKG protocol: the base 1+1-out-of-3 run and the one-shot role-based device registration (RDR) mechanism used to enroll additional recovery devices under NXK (Algorithm 1 (p. 45)). Section 8 (p. 47) proves UC security for the base protocol via a transcript-driven ideal functionality and derives the corresponding standard NXK-star DKG interface, including the following waypoints:
– Formal necessity of USV under hardened profiles: Section 8.2 (p. 51).
– Main theorem: Theorem 3 (p. 54).
– Compilation (eliminating F_USV via UC composition): Corollary 2 (p. 59).
Section 9 (p. 59) formalizes the 1+1-out-of-n extension and establishes UC security of the scalable RDR mechanism. Section 10 (p. 61) provides a focused complexity and overhead discussion, including concrete parameterization and transcript sizes. Section 11 (p. 62) concludes. Appendix A (p. 64) discusses an optional tighter integration with programmable KeyBox implementations (e.g., TEEs and certain HSM/KMS-backed designs). Appendix B (p. 65) collects concrete candidate implementation classes and a profile-capture checklist for enforcing a KeyBox API profile in practice.

2 The NXK and KeyBox Setting

We work in an NXK/KeyBox model wherein long-term shares remain inside state-continuous KeyBoxes (no rewind/fork) and are API-non-exportable in the sense of Reader Note 2.1 (p. 8). The only permitted cross-KeyBox transfer of share-dependent data is attested KeyBox-to-KeyBox sealing, which returns only ciphertexts to the caller. Any caller-recoverable export of a resident share—whether as raw bytes, a caller-invertible affine image, or via any other API-visible behavior that is not simulatable from the corresponding public information—is disallowed. Formally, we assume admissible KeyBox profiles satisfy key-opacity. Informally, key-opacity means that the KeyBox's external outputs are simulatable from the public key alone; the formal statement appears as Assumption 1 (p. 11) below. We model (i) authenticated confidential point-to-point channels with adversary-controlled scheduling via an ideal functionality F_channel (Fig. 1 (p. 9)), (ii) an authenticated public dissemination mechanism for transcript-public values via an ideal functionality F_pub (Fig. 2 (p. 9)), and (iii) a per-party NXK hardware boundary via a KeyBox functionality F_KeyBox (Fig. 3 (p. 11)) that generates and stores long-term shares internally and exposes only a restricted API.

2.1 Terminology and leakage model

Reader Note 2.1: Terminology: exportability vs. visibility

We distinguish four places where a value may reside or be observed:
– KeyBox internal state: data stored inside the trusted KeyBox boundary.
– Host RAM: volatile party state outside the KeyBox (subject to erasure and adaptive corruption).
– Adversary-visible transcript: everything observable to A outside honest KeyBoxes, including all messages sent over adversary-visible channels, all explicit leakage outputs of ideal functionalities (e.g., F_channel's length leakage and scheduling metadata), and all outputs returned to adversary-controlled ITMs.
– Persistent storage (outside the KeyBox): disk/logs/swap outside the KeyBox; we conservatively treat any such data as part of the adversary-visible transcript.

We use the following terms throughout:
– (API-)export / (API-)non-exportable (KeyBox-resident shares): A KeyBox-resident share is API-non-exportable if no KeyBox API call enables the caller to recover the share (or any caller-invertible affine image of it), even when combined with caller-held secrets. This is captured formally by key-opacity (Assumption 1 (p. 11)).
– Transcript-visible vs. transcript-private: A value is transcript-visible if it appears in the adversary-visible transcript; otherwise it is transcript-private. Specifically, payloads delivered over F_channel are transcript-private unless an endpoint is corrupted; only F_channel's explicit leakage (e.g., lengths) is transcript-visible.
– Proto col transcript / lo cal views (unqualified “transcript”): When we refer to “the transcript” without the qualifier adversary-visible , w e mean the parties’ lo cal proto col views: the tuple of messages deliv ered to the parties (including plain texts carried ov er F channel ) together with the public v alues. This full transcript is not necessarily adv ersary-visible. – NXK-restricted material (share-deriving material): NXK-restricted material must be transcript-priv ate and must nev er b e written to p ersisten t storage outside a KeyBox. It may b e handled transien tly in host RAM during an atomic local step and must then b e securely erased; under adaptive corruptions with secure erasures, such RAM v alues leak only if corruption o ccurs b efore erasure. In this paper “non-exp ortable” refers to API-non-exp ortability of KeyBox-residen t shares and do es not mean that related ephemeral/share-deriving material can never appear transien tly in host RAM. Adv ersarial access to honest host RAM is mo deled only via the UC corruption interface with secure erasures (Definition 1 (p. 8)), instan tiated in our F KeyBox -h ybrid mo del below (Definition 5 (p. 14)): until corruption, an honest part y executes its lo cal steps atomically and may hold NXK-restricted material transien tly , after which it is securely erased; after corruption, the adversary con trols the host ITM and learns its curren t (non-erased) state. W e do not mo del an “alwa ys-on” adv ersary that can contin uously scrap e the RAM of an honest host without triggering a corruption ev ent. The secure-c hannel functionality F channel abstracts both authenticated key establishment and the subsequen t symmetric protection of pa yloads; its in ternal session-k ey material is not part of an y part y’s KeyBox state and is not mo deled explicitly . 
In our NXK setting, the only role of $\mathcal{F}_{\mathrm{channel}}$ is to keep NXK-restricted/share-deriving material transcript-private unless an endpoint is corrupted (Reader Note 2.1 (p. 8)). When mapping to a concrete implementation, these channel keys can be realized as ordinary ephemeral host state (e.g., via an AKE or an ephemeral IND-CCA KEM establishing per-session AEAD keys) and are subject to the same adaptive-corruption-with-secure-erasures discipline as other transient values: they may reside in host RAM during an atomic step and must be erased once no longer needed. This forward-secure/erasure discipline prevents later corruptions from retroactively decrypting previously recorded ciphertexts, matching the semantics of $\mathcal{F}_{\mathrm{channel}}$ (Fig. 1 (p. 9)). Alternatively, one may place channel cryptography inside the KeyBox/profile adapter (at the cost of extending the admissible profile with the required symmetric primitives), but our model and proofs do not require this stronger placement.

Definition 1 (Adaptive corruptions with secure erasures). We work in the UC framework with adaptive corruptions and an explicit erasure discipline. Each party $P_i$ maintains a local (host) state $st_i$ outside any KeyBox boundary (cf. Reader Note 2.1 (p. 8)). A protocol may explicitly erase designated local variables/buffers from $st_i$ once they are no longer needed. Upon corruption of $P_i$, the adversary learns only $P_i$'s current local state $st_i$ at the moment of corruption; any values explicitly erased by the protocol prior to corruption are not revealed. Thereafter, the adversary controls $P_i$ and may arbitrarily influence its future actions and state. We assume honest-party activations are atomic with respect to corruption, i.e., corruptions can occur only between activations. Consequently, temporary values created and erased within a single honest activation are never revealed by a later corruption.

♦ Parameters: session identifier $sid$; endpoints $(P_s, P_r)$; leakage $\Phi(c) = |c|$.
♦ State: $active \in \{0,1\}$ (init $0$); multiset $Q$ of $(\rho, c, \phi)$; set $D$ of delivered tickets.
♦ Upon receiving $(\mathsf{Init}, sid, P_s, P_r)$ from both $P_s$ and $P_r$: set $active \leftarrow 1$; send $(\mathsf{ChReady}, sid, P_s, P_r)$ to $\mathcal{A}$.
♦ Upon receiving $(\mathsf{Send}, sid, c)$ from $P_s$ with $active = 1$: sample $\rho \leftarrow_\$ \{0,1\}^\lambda$, set $\phi \leftarrow \Phi(c)$, insert $(\rho, c, \phi)$ into $Q$, send $\rho$ to $P_s$, and send $(\mathsf{Leak}, sid, P_s, P_r, \rho, \phi)$ to $\mathcal{A}$. If $P_s$ is corrupted, additionally reveal $c$ to $\mathcal{A}$.
♦ Upon receiving $(\mathsf{Deliver}, sid, \rho)$ from $\mathcal{A}$: if $(\rho, c, \phi) \in Q$ and $\rho \notin D$, delete it from $Q$, add $\rho$ to $D$, and deliver $(\mathsf{Recv}, sid, P_s, c)$ to $P_r$. If $P_r$ is corrupted, reveal $c$ to $\mathcal{A}$ at delivery time.
♦ Upon receiving $(\mathsf{Inspect}, sid)$ from $\mathcal{A}$: if both $P_s$ and $P_r$ are corrupted, reveal $c$ for all $(\rho, c, \phi) \in Q$.
Fig. 1: Ideal authenticated, length-leaking secure channel $\mathcal{F}_{\mathrm{channel}}$.

♦ Parameters: session identifier $sid$; sender $P_s \in \mathcal{P}$; leakage $\Phi(c) = |c|$.
♦ State: multiset $Q$ of $(\rho, P_s, c, \phi)$; set $D$ of delivered tickets.
♦ Upon receiving $(\mathsf{Publish}, sid, c)$ from $P_s$: sample $\rho \leftarrow_\$ \{0,1\}^\lambda$, set $\phi \leftarrow \Phi(c)$, insert $(\rho, P_s, c, \phi)$ into $Q$, send $\rho$ to $P_s$, and send $(\mathsf{Leak}, sid, P_s, \rho, c, \phi)$ to $\mathcal{A}$.
♦ Upon receiving $(\mathsf{Deliver}, sid, \rho)$ from $\mathcal{A}$: if $(\rho, P_s, c, \phi) \in Q$ and $\rho \notin D$, delete it from $Q$, add $\rho$ to $D$, and deliver $(\mathsf{Recv}, sid, P_s, c)$ to every $P \in \mathcal{P}$.
Fig. 2: Ideal authenticated public broadcast $\mathcal{F}_{\mathrm{pub}}$ (adversary-visible, adversary-scheduled).

2.2 Notation, conventions, and ideal channels

We call an algorithm efficient if, for input size $\lambda$, its running time is bounded by $\mathrm{poly}(\lambda)$. Throughout the text, $\lambda \in \mathbb{N}$ denotes the security parameter, $\mathrm{negl}(\lambda)$ denotes a negligible function of it, and $\approx_c$ denotes computational indistinguishability.
We write $x \leftarrow_\$ S$ to denote uniform sampling from a finite set $S$. Throughout, for an elliptic curve $E(\mathbb{F}_q)$, $\mathbb{G} \subseteq E(\mathbb{F}_q)$ denotes a cyclic subgroup of prime order $p > 3$ written additively, with fixed generator $G$. We fix an injective, self-delimiting encoding $\langle\cdot\rangle$ of mixed tuples into $\{0,1\}^*$. All hash/oracle invocations are applied only to encodings of the form $\langle\cdot\rangle$, and all "equality of encoded tuples" statements are with respect to this encoding. Our $\tilde O(\cdot)$ bounds hide factors that are polynomial in the Fischlin parameters $(t(\lambda), b(\lambda), r(\lambda), S(\lambda))$ (which are themselves at most $\mathrm{polylog}(\lambda)$ in the asymptotic analysis); for any fixed concrete instantiation at a target security level $\lambda = \lambda_0$, these factors become constants. The UC security parameter is $\lambda$. Our prime-order group is generated as a function of $\lambda$ and has order $p = p(\lambda)$. Let $\kappa(\lambda) := \lceil \log_2 p(\lambda) \rceil$ denote the bitlength of the group order. We assume $\kappa(\lambda) = \Theta(\lambda)$; in particular $\kappa(\lambda) = O(\lambda)$ and, for concrete instantiations, typically $\kappa(\lambda) \ge \lambda$ up to a constant factor, so that "PPT in $\lambda$" and "PPT in $\kappa$" are equivalent up to polynomial factors. Unless stated otherwise, all auxiliary protocol parameters are deterministic functions of $\lambda$ (equivalently, of $\kappa$ under $\kappa = \Theta(\lambda)$).

Note 2. Concrete realization of $\mathcal{F}_{\mathrm{channel}}$ from [42]: IND-CCA KEM + IND-CPA and INT-CTXT AEAD [54]. To match the adaptive-corruption-with-secure-erasures semantics of $\mathcal{F}_{\mathrm{channel}}$, per-session channel keys are treated as ephemeral and are securely erased after use (or kept inside a trusted boundary).

2.3 Admissible KeyBox profiles and key-opacity

Let $\mathcal{K}$ be a key space and let $\xi$ be a distribution over $\mathcal{K}$. Let $\mathcal{F}_{\mathrm{adm}}$ be a set of PPT stateful admissible operations, modeled as state-transition algorithms
$$f : \mathcal{K} \times \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^* \times \{0,1\}^*,$$
where on input $(k, st, m)$ the operation outputs a new private state $st'$ and a response $y$. Let $\mathsf{PubMap} : \mathcal{K} \to \{0,1\}^*$ be an efficiently computable public-information map. Let $\mathsf{GetPub} \in \mathcal{F}_{\mathrm{adm}}$ denote the stateless admissible operation $\mathsf{GetPub}(k, st, m) := (st, \mathsf{PubMap}(k))$, which ignores $m$ and does not change state.

Some admissible interfaces are multi-stage (e.g., a Start/Prove pair) and therefore require that later calls read internal state written by earlier calls. To model this in a profile-centric way, we associate to each admissible operation a deterministic state-family identifier via a map $\digamma : \mathcal{F}_{\mathrm{adm}} \to \mathsf{Fam}$, where $\mathsf{Fam}$ is a finite identifier set fixed by the KeyBox API profile. The KeyBox maintains one internal state string per family, and all invocations of operations $f$ with the same family id $\digamma(f)$ share that state component. Unless stated otherwise, we take singleton families, i.e., $\digamma(f) = f$.

Fix a PPT Interactive Turing Machine (ITM) simulator $\mathsf{Sim}$ and a PPT adversary $\mathcal{A}$. Define the experiment $\mathsf{Exp}^{\mathrm{opq}}_{\mathcal{A},\mathsf{Sim},\mathcal{F}_{\mathrm{adm}},\xi,\mathsf{PubMap}}(1^\lambda)$:
1. Sample $k \leftarrow_\$ \xi$ and set $pk \leftarrow \mathsf{PubMap}(k)$. Sample a hidden bit $\beta \leftarrow_\$ \{0,1\}$.
2. Initialize a state table $st[\cdot]$ by setting $st[\varphi] \leftarrow \epsilon$ for every family identifier $\varphi \in \mathrm{im}(\digamma)$. Initialize a simulator oracle $\mathsf{Sim}_{pk}$ by running $\mathsf{Sim}$ on input $(1^\lambda, pk)$; $\mathsf{Sim}_{pk}$ may maintain state across oracle calls.
3. Run $\mathcal{A}(1^\lambda, pk)$ with oracle access to $\mathcal{O}_\beta(\cdot,\cdot)$, defined as
$$\mathcal{O}_\beta(f, m) := \begin{cases} \text{let } \varphi \leftarrow \digamma(f);\ (st', y) \leftarrow f(k, st[\varphi], m);\ st[\varphi] \leftarrow st';\ \text{return } y & \text{if } \beta = 1 \text{ and } f \in \mathcal{F}_{\mathrm{adm}}, \\ \mathsf{Sim}_{pk}(f, m) & \text{if } \beta = 0 \text{ and } f \in \mathcal{F}_{\mathrm{adm}}, \\ \bot & \text{if } f \notin \mathcal{F}_{\mathrm{adm}}. \end{cases}$$
4. $\mathcal{A}$ outputs a bit $\beta' \in \{0,1\}$. The experiment outputs $1$ iff $\beta' = \beta$.

Fig. 3 (p. 11) specifies a generic per-party KeyBox instance. We denote the instance owned by party $P_i$ as $\mathcal{F}^{(i)}_{\mathrm{KeyBox}}$, and sometimes write $\mathcal{F}_{\mathrm{KeyBox}}$ when the owner is clear from context. Within an instance, keys are indexed by the local handle $\mu \in \{0,1\}^*$; globally we refer to a slot as $(P_i, \mu)$. The SealToPeer/OpenFromPeer API assumes that each party's sealing public key $pk^{(P)}_{\mathrm{seal}}$ is authenticated and bound to that party's KeyBox instance (e.g., via attestation). We abstract the attestation/key-distribution mechanism by an authenticated sealing-key directory $\{pk^{(P)}_{\mathrm{seal}}\}_{P \in \mathcal{P}}$ that is fixed and not adversary-influenceable. Hence SealToPeer encrypts to the directory-defined $pk^{(P_{\mathrm{peer}})}_{\mathrm{seal}}$ for the designated peer, rather than accepting a raw recipient key as input. $\mathsf{Enc}/\mathsf{Dec}$ denote the encryption/decryption functions of an ideal public-key authenticated-encryption scheme with associated data $ad$. We use that $(\mathsf{Enc}, \mathsf{Dec})$ is probabilistic and IND-CCA secure (hence secure for polynomially many encryptions under a fixed public key). Thus, even when many SealToPeer calls encrypt different slot-resident plaintexts to the same recipient key $pk^{(P_{\mathrm{peer}})}_{\mathrm{seal}}$, the resulting ciphertexts are jointly simulatable as independent encryptions of a fixed dummy plaintext of the appropriate length under the same key (with fresh, independent randomness per call and no other cross-call leakage at the API boundary). To support multiple sessions on the same state-continuous KeyBox, we treat the mnemonic slot names as tags rather than literal constants. Concretely, in a session with identifier $sid$, the local slot handle used for $tag$ is $\langle sid, tag \rangle \in \{0,1\}^*$, where $\langle\cdot\rangle$ is the fixed injective tuple encoding used throughout. Our KeyBox abstraction is a narrow, keystore-style resource tailored to NXK.
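The key-opacity experiment above and the KeyBox API of Fig. 3 (p. 11), as a toy Python model. This is an added example, not code from the paper: the group is the order-1019 subgroup of $\mathbb{Z}_{2039}^*$ written multiplicatively, the sealing scheme $(\mathsf{Enc}, \mathsf{Dec})$ is replaced by a hash-derived keystream under a per-party directory secret (a stand-in, not an IND-CCA scheme), and the profile is restricted to GetPub, SealToPeer and OpenFromPeer with a single derivation routine Import; all class, function and party names are illustrative. It shows (a) the one-shot consumption of typed handles by Resolve (Remark 3 (p. 12)), (b) a run of the game in which the adversary sees only admissible outputs and its guesses land at one half, and (c) that a profile extended with an AffineExport operation returning $a \cdot k + b$, a caller-invertible affine image in the sense of Remark 6 (p. 14), is distinguished from the simulator with probability one, i.e., key-opacity fails.

```python
import hashlib, os, secrets

Q, P, G = 2039, 1019, 4   # toy group: q = 2p+1, G generates the order-p subgroup of Z_q^*

def pub_map(k):           # PubMap(k) := kG, written multiplicatively here
    return pow(G, k, Q)

def _pad(secret, ad, nonce, n):   # hash keystream standing in for AEAD under the peer's sealing key
    return hashlib.shake_256(secret + ad + nonce).digest(n)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class KeyBox:
    """Fig. 3 restricted to F_adm = {GetPub, SealToPeer, OpenFromPeer}, chi_adm = {Import}."""
    F_ADM = {"GetPub", "SealToPeer", "OpenFromPeer"}
    F_KI = {"OpenFromPeer"}                    # key-independent: callable on an empty slot
    CHI_ADM = {"Import"}
    def __init__(self, owner, directory):
        self.owner, self.directory = owner, directory   # directory: party -> sealing secret (constructed)
        self.slots, self.buf = {}, {}                    # Lambda (slot -> k) and the handle buffer
    def _resolve(self, args):                  # substitute typed handles ("hdl", tau) exactly once
        out, used = [], []
        for a in args:
            if isinstance(a, tuple) and a[:1] == ("hdl",):
                if a[1] not in self.buf:
                    return None                # missing handle: fail and leave buf unchanged
                out.append(self.buf[a[1]][1])
                used.append(a[1])
            else:
                out.append(a)
        for tau in used:
            del self.buf[tau]                  # one-shot consumption (Remark 3)
        return out
    def load(self, mu, g, *args):
        if mu in self.slots or g not in self.CHI_ADM:
            return None
        m = self._resolve(args)
        if m is None:
            return None
        self.slots[mu] = m[0] % P              # Import: install the resolved scalar as the slot's key
        return "ok"
    def use(self, mu, f, *args):
        if f not in self.F_ADM or (f not in self.F_KI and mu not in self.slots):
            return None
        if f == "GetPub":
            return pub_map(self.slots[mu])
        if f == "SealToPeer":
            peer, ad = args
            nonce = os.urandom(16)
            return nonce + _xor(self.slots[mu].to_bytes(2, "big"), _pad(self.directory[peer], ad, nonce, 2))
        c, ad = args                           # OpenFromPeer: decrypt into buf, return only a handle
        s = _xor(c[16:], _pad(self.directory[self.owner], ad, c[:16], 2))
        tau = secrets.token_bytes(16)
        self.buf[tau] = (ad, int.from_bytes(s, "big"))
        return ("hdl", tau)

class LeakyKeyBox(KeyBox):                     # inadmissible profile: caller-invertible affine image of k
    F_ADM = KeyBox.F_ADM | {"AffineExport"}
    def use(self, mu, f, *args):
        if f == "AffineExport" and mu in self.slots:
            a, b = args
            return (a * self.slots[mu] + b) % P
        return super().use(mu, f, *args)

def simulator(pk, f, *args):
    """Sim_pk: answers from PubMap(k) alone; random bytes play the dummy ciphertexts."""
    if f == "GetPub":
        return pk
    if f == "SealToPeer":
        return os.urandom(18)
    if f == "OpenFromPeer":
        return ("hdl", secrets.token_bytes(16))
    return None                                # f outside F_adm: the real box returns bot as well

DIRECTORY = {"Alice": os.urandom(32), "Bob": os.urandom(32)}   # constructed sealing-key directory

def opacity_game(box_cls, adversary, trials):
    """Exp^opq: fraction of trials in which the adversary's guess equals beta."""
    wins = 0
    for _ in range(trials):
        k, beta = secrets.randbelow(P - 1) + 1, secrets.randbelow(2)
        pk, box = pub_map(k), box_cls("Alice", DIRECTORY)
        box.load("share", "Import", k)
        real = lambda f, *m, _b=box: _b.use("share", f, *m)
        ideal = lambda f, *m, _pk=pk: simulator(_pk, f, *m)
        wins += adversary(pk, real if beta else ideal) == beta
    return wins / trials

def guessing_adversary(pk, oracle):            # sees only admissible outputs: no better than a coin
    oracle("GetPub"); oracle("SealToPeer", "Bob", b"ad")
    return secrets.randbelow(2)

def affine_adversary(pk, oracle):              # inverts y = a*k + b and checks the result against pk
    a, b = 7, 123
    y = oracle("AffineExport", a, b)
    return 0 if y is None else int(pub_map((y - b) * pow(a, -1, P) % P) == pk)

def handle_is_one_shot():
    """Alice seals her share to Bob; Bob's handle installs once and is then consumed."""
    alice, bob = KeyBox("Alice", DIRECTORY), KeyBox("Bob", DIRECTORY)
    alice.load("share", "Import", 42)
    ad = b"sid|share"
    h = bob.use(None, "OpenFromPeer", alice.use("share", "SealToPeer", "Bob", ad), ad)
    first, second = bob.load("s1", "Import", h), bob.load("s2", "Import", h)
    return first == "ok" and second is None and bob.use("s1", "GetPub") == alice.use("share", "GetPub")
```

Against LeakyKeyBox, affine_adversary wins every trial: in the real world it recovers $k = a^{-1}(y - b) \bmod p$ and confirms $kG = pk$, while no simulator can produce such a $y$ from $pk$ alone. Against the admissible profile the same adversary receives $\bot$ in both worlds and is reduced to guessing.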
For more general-purpose formal UC abstractions, and a discussion of the subtle composability issues stemming from globally shared attestation keys, see [51, 49]. Making the attestation protocol explicit would require extending our model, which can be done via a separate (sub-)protocol/functionality instantiated independently, as in the UC-style treatments of [49, 51, 12, 63]. Since protecting against physically invasive or side-channel attacks requires specialized equipment [59], we consider such threats out of scope.

♦ Parameters: fixed owner $P_{\mathrm{own}} \in \mathcal{P}$; authenticated sealing-key directory $\{pk^{(P)}_{\mathrm{seal}}\}_{P \in \mathcal{P}}$ with local keypair $(pk_{\mathrm{seal}}, sk_{\mathrm{seal}})$ such that $pk_{\mathrm{seal}} = pk^{(P_{\mathrm{own}})}_{\mathrm{seal}}$; and a set of public parameters $pp$.
♦ State: key table $\Lambda : \{0,1\}^* \rightharpoonup \mathcal{K}$ (init $\emptyset$) indexed by local slot $\mu \in \{0,1\}^*$; operation state $st[\mu, \varphi] \in \{0,1\}^*$ (init $\epsilon$) for each family id $\varphi \in \mathrm{im}(\digamma)$; private buffer $\mathsf{buf} : \{0,1\}^\lambda \rightharpoonup (\{0,1\}^* \times \{0,1\}^*)$ (init $\emptyset$).
♦ Admissible routines: derivations $\chi_{\mathrm{adm}}$ and operations $\mathcal{F}_{\mathrm{adm}}$ with a designated key-independent subset $\mathcal{F}_{\mathrm{KI}} \subseteq \mathcal{F}_{\mathrm{adm}}$ (e.g., $\mathsf{OpenFromPeer}, \mathsf{USV.Cert} \in \mathcal{F}_{\mathrm{KI}}$ and $\mathsf{SealToPeer} \in \mathcal{F}_{\mathrm{adm}} \setminus \mathcal{F}_{\mathrm{KI}}$).
♦ Procedure $\mathsf{Resolve}(m)$: parse $m$ as $\langle m_1, \ldots, m_t \rangle$; for each component that parses as a typed handle $\langle \mathsf{hdl}, \tau \rangle$ with $\tau \in \mathrm{dom}(\mathsf{buf})$, let $(ad, s) := \mathsf{buf}[\tau]$ and substitute $\langle ad, s \rangle$. If parsing fails or a referenced typed handle is missing, return $\bot$ and leave $\mathsf{buf}$ unchanged. Otherwise delete all used $\tau$ from $\mathsf{buf}$ and return the substituted tuple.
♦ Upon receiving $(\mathsf{Load}, \mu, g, m)$ from party $P_{\mathrm{own}}$:
– If $\mu \in \mathrm{dom}(\Lambda)$ or $g \notin \chi_{\mathrm{adm}}$, return $\bot$. Let $m' \leftarrow \mathsf{Resolve}(m)$; if $m' = \bot$, return $\bot$.
– Compute $k \leftarrow g(1^\lambda, m')$. If $k = \bot$, return $\bot$. Set $\Lambda[\mu] \leftarrow k$ and return $\mathsf{ok}$.
♦ Upon receiving $(\mathsf{Use}, \mu, f, m)$ from party $P_{\mathrm{own}}$:
– If $f \notin \mathcal{F}_{\mathrm{adm}}$, return $\bot$.
– If $f \notin \mathcal{F}_{\mathrm{KI}}$ and $\mu \notin \mathrm{dom}(\Lambda)$, return $\bot$.
– If $f = \mathsf{SealToPeer}$: parse $m = \langle P_{\mathrm{peer}}, ad \rangle$. If $P_{\mathrm{peer}} \notin \mathcal{P}$, return $\bot$. Let $pk_{\mathrm{peer}} \leftarrow pk^{(P_{\mathrm{peer}})}_{\mathrm{seal}}$ and $s \leftarrow \Lambda[\mu]$. Return $c \leftarrow \mathsf{Enc}_{pk_{\mathrm{peer}}}(ad, s)$.
– If $f = \mathsf{OpenFromPeer}$: parse $m = \langle c, ad \rangle$. Compute $s \leftarrow \mathsf{Dec}_{sk_{\mathrm{seal}}}(ad, c)$; if decryption fails, return $\bot$. Sample $\tau \leftarrow_\$ \{0,1\}^\lambda$, set $\mathsf{buf}[\tau] \leftarrow (ad, s)$, and return $\langle \mathsf{hdl}, \tau \rangle$.
– If $f = \mathsf{USV.Cert}$: ignore $\mu$. Sample $m_{\mathrm{cert}} \leftarrow_\$ \mathbb{Z}_p^*$ and compute $\langle C, \zeta \rangle \leftarrow \mathsf{Cert}(pp, m_{\mathrm{cert}})$ (defined in Section 5 (p. 27)); erase $m_{\mathrm{cert}}$ and return $\langle C, \zeta \rangle$.
– Otherwise: let $\varphi \leftarrow \digamma(f)$; compute $(st', y) \leftarrow f(\Lambda[\mu], st[\mu, \varphi], m)$, set $st[\mu, \varphi] \leftarrow st'$, and return $y$.
Fig. 3: Per-party KeyBox functionality $\mathcal{F}^{(P_{\mathrm{own}})}_{\mathrm{KeyBox}}$ for an NXK KeyBox with KeyBox-to-KeyBox sealing.

Definition 2 (Key-opacity). Let $\mathcal{K}$ be a key space, let $\xi$ be an efficiently sampleable distribution over $\mathcal{K}$, and let $\mathsf{PubMap} : \mathcal{K} \to \{0,1\}^*$ be an efficiently computable public-information map. For security parameter $\lambda$, $\mathcal{F}_{\mathrm{adm}}$ is key-opaque with respect to $(\xi, \mathsf{PubMap})$ if for every PPT adversary $\mathcal{A}$ there exists a PPT ITM simulator $\mathsf{Sim}$ such that
$$\mathsf{Adv}^{\mathrm{opq}}_{\mathcal{A}}(\lambda) := \left|\Pr\!\left[\mathsf{Exp}^{\mathrm{opq}}_{\mathcal{A},\mathsf{Sim},\mathcal{F}_{\mathrm{adm}},\xi,\mathsf{PubMap}}(1^\lambda) = 1\right] - \tfrac{1}{2}\right| \le \mathrm{negl}(\lambda).$$
When $\xi$ is clear from context, we may omit it and simply say "key-opaque w.r.t. $\mathsf{PubMap}$".

Assumption 1 (Key-opacity (profile-level, multi-slot)). Fix an admissible KeyBox API profile $(\chi_{\mathrm{adm}}, \mathcal{F}_{\mathrm{adm}}, \mathcal{F}_{\mathrm{KI}}, \digamma)$ (Definition 3 (p. 12)) and a public-information map $\mathsf{PubMap} : \mathcal{K} \to \{0,1\}^*$. We assume slot-separable key-opacity for this profile:
– Single-slot opacity: $\mathcal{F}_{\mathrm{adm}}$ is key-opaque w.r.t. $\mathsf{PubMap}$ in the sense of Definition 2 (p. 11).
– Slot separability / no cross-slot opacity couplings: In the multi-slot $\mathcal{F}_{\mathrm{KeyBox}}$ functionality (Fig. 3 (p.
11)), every key-dependent admissible operation $f \in \mathcal{F}_{\mathrm{adm}}$ is slot-local: on a call $\mathsf{Use}(\mu, f, m)$ it may read the resident key $k_{i,\mu} := \Lambda[\mu]$ and the per-slot family state $st[\mu, \digamma(f)]$, but it does not read or update any other slot's key/state $(\Lambda[\mu'], st[\mu', \cdot])$ for $\mu' \neq \mu$. Moreover, the externally visible randomness/state used by distinct slots can be taken independent. Any randomized admissible routine (including SealToPeer) is modeled as using fresh, independent coins per invocation, and we do not model any additional cross-slot/cross-call leakage (e.g., shared-DRBG artifacts or timing channels) beyond the explicit transcript leakage of the ideal functionalities. Although SealToPeer encrypts different slot-resident values under the same recipient directory key $pk^{(P_{\mathrm{peer}})}_{\mathrm{seal}}$, IND-CCA security of $(\mathsf{Enc}, \mathsf{Dec})$ implies that the joint distribution of all such ciphertexts (across slots and across calls) is computationally indistinguishable from a product distribution of independently generated dummy ciphertexts under $pk^{(P_{\mathrm{peer}})}_{\mathrm{seal}}$. Hence these outputs can be simulated either by independent per-slot simulators (each using fresh encryption randomness) or by a single key-independent sealing simulator shared across slots. Key-independent interfaces $f \in \mathcal{F}_{\mathrm{KI}}$ are assumed simulatable without knowing any resident key (and may be handled by separate key-independent wrapper state).

For the scalar-share slots used in SDKG we instantiate $\mathsf{PubMap}(k) := kG$ (so GetPub returns $kG$). The simulator is understood to run in the same ambient execution model as the surrounding protocol and may use any simulator-only interface provided by that model.

Remark 1 (Key-opacity in multi-slot KeyBoxes). In the $\mathcal{F}_{\mathrm{KeyBox}}$-hybrid model each party's KeyBox instance stores multiple keys indexed by local slots $\mu \in \{0,1\}^*$, with $k_{i,\mu} := \Lambda[\mu]$ and $pk_{i,\mu} := \mathsf{PubMap}(k_{i,\mu})$. As implied by Assumption 1 (p. 11), in hybrids/proofs we may simulate different slots by running independent copies of the single-slot key-opacity simulator, one per slot $(i, \mu)$, each maintaining its own state across queries to that slot. Key-independent calls such as OpenFromPeer are handled by separate key-independent simulation state when needed. When the profile includes SealToPeer, ciphertexts across different slots may be under the same recipient key $pk^{(P_{\mathrm{peer}})}_{\mathrm{seal}}$; nevertheless, by IND-CCA security the simulator may treat each SealToPeer output as an independently simulatable ciphertext, so running independent per-slot simulators remains sound at the level of the joint external transcript.

Remark 2 (Slot separability is an idealization (implementation caveat)). Assumption 1 (p. 11) treats different slots as independent black boxes: admissible operations are slot-local and (crucially) the randomness used across slots and across calls can be taken independent, with no additional cross-slot/cross-call leakage at the KeyBox API boundary beyond the explicit leakage of our ideal functionalities. This is an idealization. In concrete KeyBox/HSM implementations, cross-slot correlations can arise from shared entropy/DRBG state, nonce/counter reuse, related-key derivation from a common root, or microarchitectural/timing side channels. Such correlations may invalidate key-opacity even when the underlying primitive is IND-CCA secure under the standard assumption of fresh, independent coins per encryption. The argument that many SealToPeer outputs are jointly simulatable as independent dummy encryptions relies on per-call independent randomness and the absence of extra correlated leakage. Accordingly, to instantiate Assumption 1 (p. 11) in practice, implementations should ensure: (i) domain-separated key derivation and per-purpose/per-slot RNG (or otherwise demonstrably independent coins) for randomized operations, including sealing; (ii) nonce/coin generation that is robust against reuse/correlation (or the use of misuse-resistant constructions where applicable); and (iii) a strict allowlist/profile adapter that prevents dangerous cross-mechanism compositions (as in the PKCS#11 API-level attack literature; e.g., [9]).

Definition 3 (KeyBox API profile). A KeyBox API profile is a quadruple $(\chi_{\mathrm{adm}}, \mathcal{F}_{\mathrm{adm}}, \mathcal{F}_{\mathrm{KI}}, \digamma)$ where $\chi_{\mathrm{adm}}$ is the set of admissible derivation routines that may be invoked via $\mathsf{Load}$, $\mathcal{F}_{\mathrm{adm}}$ is the set of admissible operations that may be invoked via $\mathsf{Use}$, $\mathcal{F}_{\mathrm{KI}} \subseteq \mathcal{F}_{\mathrm{adm}}$ is the (profile-fixed) subset of key-independent admissible operations, and $\digamma : \mathcal{F}_{\mathrm{adm}} \to \mathsf{Fam}$ is the state-family map. A KeyBox instance accepts only calls $\mathsf{Load}(\mu, g, \cdot)$ with $g \in \chi_{\mathrm{adm}}$ and $\mathsf{Use}(\mu, f, \cdot)$ with $f \in \mathcal{F}_{\mathrm{adm}}$; for operations $f \notin \mathcal{F}_{\mathrm{KI}}$ the addressed slot $\mu$ must be populated (contain a resident key), while operations in $\mathcal{F}_{\mathrm{KI}}$ may be invoked on empty slots and are interpreted as ignoring $\mu$ (and using only key-independent KeyBox state, if any). Opaque buffer handles returned by OpenFromPeer are type-tagged in the global encoding: a handle is always represented as $\langle \mathsf{hdl}, \tau \rangle$ with the fixed literal tag $\mathsf{hdl}$ and $\tau \in \{0,1\}^\lambda$, and $\mathsf{Resolve}$ substitutes only such tagged handles (preventing accidental collisions with ordinary fields).

Remark 3 (Linear/one-shot handle consumption). In $\mathcal{F}_{\mathrm{KeyBox}}$ (Fig. 3 (p. 11)), $\mathsf{Resolve}$ is one-shot: every typed handle $\langle \mathsf{hdl}, \tau \rangle$ that is successfully substituted is deleted from $\mathsf{buf}$ before $\mathsf{Resolve}$ returns. Hence, handles returned by OpenFromPeer are linear resources: they cannot be reused across multiple $\mathsf{Load}$/$\mathsf{Use}$ calls.
Protocol steps that need the same sealed payload more than once must invoke OpenFromPeer again to obtain fresh handles; Algorithm 1 (p. 45) does this explicitly.

Remark 4 (Profiles must not hide extractor-relevant oracle logs). In the gRO-CRP model, straight-line extraction for our Fischlin-based UC-NIZK-AoKs requires the prover's oracle log $\mathsf{Log}_{P^*}$ under the corresponding proof context (Definition 10 (p. 22), Remark 9 (p. 19)). Since KeyBox-internal oracle calls are not exposed at the host/API boundary, we require that any proof for which the UC argument invokes oracle-log-based extraction is generated by the host/party ITM (outside the KeyBox). Concretely, an admissible KeyBox profile must not include any operation that produces the UC-context consistency AoKs used by the surrounding protocol, nor any equivalent proof-generation interface that would cause the relevant oracle queries to occur inside the KeyBox boundary.

This requirement is sometimes read as being in tension with the intuition that, in a deployment where the host OS/hypervisor is treated as adversarial, one would like all witness-bearing scalars to remain inside the trusted boundary. Our model does not claim (and does not require) this stronger property. In SDKG, the witnesses used for the UC-context consistency AoKs are treated as NXK-restricted material (Remark 6 (p. 14)): they may exist transiently in host RAM during an atomic local step and are then securely erased. The NXK guarantee enforced by $\mathcal{F}_{\mathrm{KeyBox}}$ is the non-exportability of long-term KeyBox-resident shares, not protection against an "always-on" RAM adversary on an otherwise honest host. Achieving the latter would require either strengthening the model to expose an extractor-visible oracle log from within the trusted boundary, or replacing oracle-log-based straight-line extraction with a different UC proof mechanism.

2.4 State continuity and failure modes

Assumption 2 (State continuity). We assume that each $\mathcal{F}^{(i)}_{\mathrm{KeyBox}}$ instance models a single hardware root whose internal sealed state is state-continuous, i.e., a PPT adversary $\mathcal{A}$ cannot (a) roll back $\mathcal{F}^{(i)}_{\mathrm{KeyBox}}$ to a previous sealed snapshot, nor (b) fork/clone $\mathcal{F}^{(i)}_{\mathrm{KeyBox}}$ into two independent instances that can be que ried in parallel from the same prior state. Equivalently, $\mathcal{A}$ has no interface that resets $\mathcal{F}^{(i)}_{\mathrm{KeyBox}}$'s private state to an earlier value.

In our NXK setting, a corrupted party may delegate witness-bearing computation to a state-continuous KeyBox instance. By Assumption 2 (p. 13), such an instance cannot be rolled back or forked to answer the same commitment under two different challenges, and therefore extraction strategies that fundamentally depend on rewinding are not implementable at the hardware boundary. Note that state continuity is a strong assumption, and real implementations may require additional mechanisms to prevent rollback/forking-style state-continuity attacks [48]. In practice, state continuity can be approximated using a monotonic freshness mechanism (e.g., hardware-backed monotonic counters in secure NVRAM/TPM, trusted time, or a server-maintained freshness oracle; details follow).

Definition 4 (State-continuity failure event and parameter). Let $\mathsf{Bad}_{sc}$ denote the event that, in a given execution, some KeyBox instance violates Assumption 2 (p. 13), i.e., its sealed state is rolled back to a prior value or forked/cloned into two independently queryable continuations from the same prior state. In a concrete deployment that approximates state continuity with an anti-rollback mechanism, let $\varepsilon_{sc}(\lambda)$ be any bound (over all randomness, faults, and adversarial actions) on $\Pr[\mathsf{Bad}_{sc}]$ for the lifetime of an execution at security parameter $\lambda$.

Lemma 1 (Additive degradation under approximate state continuity). Consider any security statement in this paper proved in the $\mathcal{F}_{\mathrm{KeyBox}}$-hybrid model under Assumption 2 (p. 13), yielding an advantage bound of the form $\mathrm{negl}(\lambda)$. In a concrete realization in which Assumption 2 (p. 13) holds except with probability at most $\varepsilon_{sc}(\lambda)$ (Definition 4 (p. 13)), the corresponding advantage bound becomes $\mathrm{negl}(\lambda) + \varepsilon_{sc}(\lambda)$.

Proof sketch. Let $E$ be the relevant distinguishing/forgery event. Then
$$\Pr[E] \le \Pr[E \wedge \neg\mathsf{Bad}_{sc}] + \Pr[\mathsf{Bad}_{sc}] \le \Pr[E \mid \neg\mathsf{Bad}_{sc}] + \varepsilon_{sc}(\lambda).$$
Conditioned on $\neg\mathsf{Bad}_{sc}$, the execution matches the idealized model with state continuity, so $\Pr[E \mid \neg\mathsf{Bad}_{sc}] \le \mathrm{negl}(\lambda)$. ■

Remark 5 (Convention for theorem statements). We do not restate $\varepsilon_{sc}(\lambda)$ in every theorem. By Lemma 1 (p. 13), all negligible security bounds in the remainder of the paper should be read as $\mathrm{negl}(\lambda) + \varepsilon_{sc}(\lambda)$ for the relevant deployment.

Approximate state continuity (formal degradation model). Assumption 2 (p. 13) is a hard safety requirement for any KeyBox interface that is intended to be one-shot. If the anti-rollback mechanism enforcing state continuity fails even once (e.g., a monotonic counter wraps, sealed snapshots can be restored from backup, or a freshness oracle is bypassed), then rollback/forking becomes possible and the degradation is typically not graceful: the adversary may obtain multiple outputs from an interface intended to be one-shot and can often recover the resident share (e.g., by special soundness from two responses).
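The failure mode just described, as an added Python example that is not part of the paper: a toy Start/Prove one-shot interface (the multi-stage interface pattern of Section 2.3) proving knowledge of the resident share $k$ behind $pk = kG$ over the order-1019 subgroup of $\mathbb{Z}_{2039}^*$. If the adversary can restore a sealed snapshot taken after Start and obtain a second response to the same commitment, special soundness yields $k = (z_1 - z_2)(c_1 - c_2)^{-1} \bmod p$. The second half binds the sealed blob to a fail-closed monotonic counter (approximation pattern (i) below): the restored snapshot carries a stale epoch and is refused, and the counter refuses to advance at its cap rather than wrapping. Class and function names are illustrative; the counter model ignores physical faults and write endurance.

```python
import copy
import secrets

Q, P, G = 2039, 1019, 4   # toy group: q = 2p+1, G generates the order-p subgroup of Z_q^*

class SchnorrBox:
    """One-shot Start/Prove state family over a resident share k (proof of knowledge of pk = kG)."""
    def __init__(self, k):
        self.k, self.r = k % P, None           # resident share and the outstanding nonce

    def start(self):                           # commit to R = rG; only one commitment may be open
        if self.r is not None:
            return None
        self.r = secrets.randbelow(P - 1) + 1
        return pow(G, self.r, Q)

    def prove(self, c):                        # answer exactly one challenge, then forget r
        if self.r is None:
            return None
        z = (self.r + c * self.k) % P
        self.r = None
        return z

def verify(pk, R, c, z):                       # zG == R + c*pk, written multiplicatively
    return pow(G, z, Q) == (R * pow(pk, c, Q)) % Q

def recover_share(c1, z1, c2, z2):
    """Special soundness: two responses to one commitment give k = (z1 - z2)/(c1 - c2)."""
    return (z1 - z2) * pow(c1 - c2, -1, P) % P

def rollback_attack(k):
    """Bad_sc realized: the adversary snapshots the box after Start and queries both continuations."""
    box = SchnorrBox(k)
    box.start()
    snapshot = copy.deepcopy(box)              # a sealed snapshot the adversary can restore later
    c1, c2 = 5, 9
    return recover_share(c1, box.prove(c1), c2, snapshot.prove(c2))

class MonotonicCounter:
    """b-bit hardware counter that fails closed at its cap instead of wrapping."""
    def __init__(self, bits):
        self.value, self.cap = 0, (1 << bits) - 1

    def advance(self):
        if self.value >= self.cap:
            raise RuntimeError("counter exhausted: re-provision before advancing")
        self.value += 1
        return self.value

class ContinuousSchnorrBox:
    """Sealed blob = (state, epoch); each state advance bumps the counter and reseals.
    Unsealing a blob whose epoch differs from the counter is a rollback and is refused."""
    def __init__(self, k, counter):
        self.counter = counter                 # lives inside the trusted boundary
        self.blob = (SchnorrBox(k), counter.value)   # lives on untrusted storage

    def _unseal(self):
        state, epoch = self.blob
        if epoch != self.counter.value:
            raise RuntimeError("rollback detected: sealed epoch != monotonic counter")
        return copy.deepcopy(state)

    def _reseal(self, state):
        self.blob = (state, self.counter.advance())   # advance first, then publish the new blob

    def start(self):
        state = self._unseal()
        R = state.start()
        self._reseal(state)
        return R

    def prove(self, c):
        state = self._unseal()
        z = state.prove(c)
        self._reseal(state)
        return z

def rollback_blocked(k):
    """Same attack against the counter-protected box: the restored snapshot is refused."""
    box = ContinuousSchnorrBox(k, MonotonicCounter(bits=8))
    box.start()
    old_blob = box.blob                        # adversary copies the sealed snapshot ...
    box.prove(5)
    box.blob = old_blob                        # ... and restores it after the first response
    try:
        box.prove(9)
    except RuntimeError:
        return True
    return False

def counter_fails_closed(bits=2):
    """A 2-bit counter allows 3 advances and then refuses rather than wrapping to 0."""
    ctr = MonotonicCounter(bits)
    for _ in range((1 << bits) - 1):
        ctr.advance()
    try:
        ctr.advance()
    except RuntimeError:
        return ctr.value == (1 << bits) - 1
    return False
```

Note the ordering in _reseal: the counter is advanced before the new blob is written out, so a crash between the two costs availability (the old blob no longer unseals) but never re-enables the stale snapshot, which is the fail-closed behaviour the accounting below assumes.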
Accordingly, we parameterize the failure of state continuity by the execution-level bad event $\mathsf{Bad}_{sc}$ (Definition 4 (p. 13)). In any deployment where $\Pr[\mathsf{Bad}_{sc}] \le \varepsilon_{sc}(\lambda)$, Lemma 1 (p. 13) implies that every advantage bound proved under Assumption 2 (p. 13) increases additively by $\varepsilon_{sc}(\lambda)$.

Concrete accounting for $\varepsilon_{sc}(\lambda)$ (non-normative). The cryptographic results in this paper do not attempt to bound $\varepsilon_{sc}(\lambda)$; it is a deployment/engineering parameter that upper-bounds the probability of any rollback/fork event $\mathsf{Bad}_{sc}$ over an execution (Definition 4 (p. 13)). We record two common approximation patterns to clarify what typically contributes to $\varepsilon_{sc}$:
(i) Monotonic counters: Suppose state continuity is approximated by a $b$-bit monotonic counter that is incremented once per state advance (e.g., per sealing epoch), and the implementation is engineered to fail closed (refuse to unseal/advance) before wrap-around and to require re-provisioning/rekeying before exhaustion. Then counter wrap-around contributes zero to $\varepsilon_{sc}(\lambda)$ for any deployment whose lifetime advance budget $N_{\max}$ satisfies $N_{\max} < 2^b$ (ignoring physical faults). For scale, $2^{64} \approx 1.8 \times 10^{19}$ increments; even at $10^6$ advances per day, exhaustion would occur only after $\approx 5 \times 10^{10}$ years. In practice, however, the effective budget is often dominated by write-endurance limits, rate limits, or administrative rotation rather than bit-width; the same accounting applies with $2^b$ replaced by the enforced safe-advance cap.
(ii) Server-/time-based freshness: For oracle- or time-based approaches, the dominant contribution to $\varepsilon_{sc}$ is typically policy, not cryptographic guessing: if the device ever continues to unseal/advance without a fresh token or a non-decreasing trusted-time reading (i.e., it fails open), we count that execution under $\mathsf{Bad}_{sc}$. Conversely, if the mechanism is engineered to fail closed, outages impact availability but do not increase $\varepsilon_{sc}(\lambda)$. Appendix A (p. 64) discusses engineering trade-offs and re-provisioning strategies.

2.5 Hybrid execution model and NXK-restricted material

Definition 5 ($\mathcal{F}_{\mathrm{KeyBox}}$-hybrid model). Let $\mathcal{F}^{(i)}_{\mathrm{KeyBox}}$ denote the ideal functionality for $P_i$'s KeyBox. The $\mathcal{F}_{\mathrm{KeyBox}}$-hybrid model is defined by a PPT environment $\mathcal{Z}$, a PPT adversary $\mathcal{A}$, a set of PPT parties $\{P_i\}_{i \in [n]}$, and a collection of ideal functionalities $\{\mathcal{F}^{(i)}_{\mathrm{KeyBox}}\}_{i \in [n]}$ that are created as follows:
1. Instantiation: for every $i \in [n]$, generate a fresh functionality instance $\mathcal{F}^{(i)}_{\mathrm{KeyBox}}$, initialized with an empty state.
2. Communication between parties is performed via $\mathcal{F}_{\mathrm{channel}}$ for confidential authenticated point-to-point messages, and via $\mathcal{F}_{\mathrm{pub}}$ for authenticated transcript-public dissemination.
3. Adaptive corruptions with secure erasures: parties are corrupted adaptively under Definition 1 (p. 8). Upon corruption of $P_i$, $\mathcal{A}$ learns only $P_i$'s current host state (outside the KeyBox boundary); any values explicitly erased by the protocol are not revealed. Thereafter, $\mathcal{A}$ controls $P_i$ and may invoke $\mathcal{F}^{(i)}_{\mathrm{KeyBox}}.\mathsf{Load}$ and $\mathcal{F}^{(i)}_{\mathrm{KeyBox}}.\mathsf{Use}$, but KeyBox-resident secret state (in particular the map $\Lambda$ of resident shares) is never revealed.
In the $\mathcal{F}_{\mathrm{KeyBox}}$-hybrid model, "$P_i$ invokes $\mathcal{F}^{(i)}_{\mathrm{KeyBox}}.\mathsf{Load}/\mathsf{Use}(\cdots)$" denotes a party-local call over the internal channel, executed immediately upon activation if $P_i$ is honest. A corrupted $P_i$ leaves the timing and admissible inputs to the adversary, i.e., the ideal functionality cannot directly write into $\mathcal{F}^{(i)}_{\mathrm{KeyBox}}$ or force installation/registration for corrupted parties.

Remark 6 (NXK-restricted state). We call a (possibly structured) bitstring $v \in \{0,1\}^*$ share-deriving only relative to a designated KeyBox share.
Fix a party $P_i$ and a local KeyBox slot $\mu \in \{0,1\}^*$ in $\mathcal{F}^{(i)}_{\mathsf{KeyBox}}$ that contains a scalar long-term share $k_{i,\mu} \in \mathbb{Z}_p$. We say that $v$ is share-deriving for $(i,\mu)$ if there exist PPT-computable functions $a(\cdot), b(\cdot), y(\cdot)$ (fixed independently of the secret share $k_{i,\mu}$) such that on input $v$ they output $a(v) \in \mathbb{Z}_p^*$, $b(v) \in \mathbb{Z}_p$, and $y(v) \in \mathbb{Z}_p$ with
$$y(v) = a(v) \cdot k_{i,\mu} + b(v) \pmod{p}.$$
Equivalently, from $v$ alone one can compute a caller-invertible affine image $y(v) = L_{a(v),b(v)}(k_{i,\mu})$ together with the map parameters $(a(v), b(v))$, where $L_{a,b}(x) := ax + b$ (so the caller can recover $k_{i,\mu} = a(v)^{-1}\,(y(v) - b(v)) \bmod p$). When the target slot is clear from context, we omit $(i,\mu)$ and simply say that $v$ is share-deriving. If $(a,b)$ are fixed by the KeyBox profile or chosen by the caller, the functions $a(\cdot), b(\cdot)$ may hard-code those public parameters or parse them from $v$. Because we fix an injective, self-delimiting encoding $\langle\cdot\rangle$ of mixed tuples into $\{0,1\}^*$, this definition applies equally to any finite collection of values $(v_1, \dots, v_t)$ by taking $v := \langle v_1, \dots, v_t \rangle$. We will sometimes abuse notation and refer to such a collection as share-deriving material.

We treat share-deriving material as NXK-restricted: it must not appear in the adversary-visible transcript beyond the explicit leakage modeled by our channels (e.g., $\mathcal{F}_{\mathsf{channel}}$'s length leakage), and it must not be written to persistent storage outside a KeyBox.
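To make the definition concrete, here is an added Python example (not the paper's code) over a constructed toy group: a prime-order subgroup of $\mathbb{Z}_P^*$ with $P = 2039$, $p = 1019$ and generator $G = 4$, written multiplicatively so that $\mathsf{PubMap}(k)$ is $G^k \bmod P$. It shows the affine image $L_{a,b}(k)$, the caller-side inversion that makes $(a, b, y)$ share-deriving, a transcript-level check that flags such an output using only $\mathsf{PubMap}(k)$, and a minimal profile adapter (assumed names `KeyBoxAdapter`, `use`, `"pubkey"`, `"affine"`) that refuses a derivation absent from the pinned admissible set.

```python
# Toy group: prime-order subgroup of Z_P^* with P = 2039 = 2p + 1, p = 1019,
# generator G = 4 (constructed; orders of magnitude too small for real use).
P, p, G = 2039, 1019, 4


def pub_map(k: int) -> int:
    """PubMap(k), the public group element kG, written multiplicatively as G^k mod P."""
    return pow(G, k % p, P)


def affine_image(a: int, b: int, k: int) -> int:
    """L_{a,b}(k) = a*k + b mod p."""
    return (a * k + b) % p


def recover_share(a: int, b: int, y: int) -> int:
    """Caller-side inversion k = a^{-1}(y - b) mod p; this is exactly what makes
    (a, b, y) share-deriving. Fails when a is not in Z_p^* (no inverse)."""
    if a % p == 0:
        raise ValueError("a must be in Z_p^*")
    return pow(a, -1, p) * (y - b) % p


def is_affine_image_of(pk: int, a: int, b: int, y: int) -> bool:
    """Public-data check: is y == a*k + b (mod p) for the k behind pk = G^k?
    In a prime-order group this holds iff G^y == (G^k)^a * G^b, so an auditor
    who sees (a, b, y) on the transcript can flag it without knowing k."""
    return pow(G, y % p, P) == pow(pk, a % p, P) * pow(G, b % p, P) % P


class KeyBoxAdapter:
    """Profile adapter in front of a vendor API: a derivation name is usable only
    if it is in the pinned admissible set F_adm (names are assumptions)."""

    def __init__(self, f_adm: set, shares: dict):
        self.f_adm = f_adm
        self._shares = shares   # Lambda: slot -> resident scalar share (never returned)

    def use(self, slot: str, f: str, m: dict):
        if f not in self.f_adm:
            return None                          # profile rejects the derivation
        k = self._shares[slot]
        if f == "pubkey":
            return pub_map(k)                    # simulatable from PubMap(k) alone
        if f == "affine":                        # share-deriving: present only in a lax profile
            return (m["a"], m["b"], affine_image(m["a"], m["b"], k))
        raise ValueError("unknown derivation")


def leak_demo() -> dict:
    """Constructed comparison of a lax profile and the pinned profile."""
    shares = {"slot-0": 777}
    lax = KeyBoxAdapter({"pubkey", "affine"}, shares)
    pinned = KeyBoxAdapter({"pubkey"}, shares)
    pk = pinned.use("slot-0", "pubkey", {})
    a, b, y = lax.use("slot-0", "affine", {"a": 5, "b": 11})
    return {
        "pk": pk,
        "recovered_equals_share": recover_share(a, b, y) == 777,      # True
        "flagged_from_public_data": is_affine_image_of(pk, a, b, y),  # True
        "pinned_rejects": pinned.use("slot-0", "affine", {"a": 5, "b": 11}) is None,  # True
        "benign_not_flagged": is_affine_image_of(pk, 5, 11, (5 * 777 + 12) % p),       # False
    }
```

The `is_affine_image_of` check is the transcript-only notion of Remark 6 turned into a test: it uses nothing but the public key and the candidate $(a, b, y)$, so it can run outside the KeyBox boundary as a monitor on what an API returns.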
Honest parties may nevertheless handle share-deriving material transiently in host memory and may transmit it over authenticated, confidential channels (modeled by $\mathcal{F}_{\mathsf{channel}}$) when required by the surrounding protocol, provided that (i) whenever it is used to install a long-term share in $\mathcal{F}^{(i)}_{\mathsf{KeyBox}}$ it is delivered only via the internal secure channel between $P_i$ and $\mathcal{F}^{(i)}_{\mathsf{KeyBox}}$, and (ii) it is securely erased from host memory immediately after its last use. This transient handling is protocol-internal and is distinct from a KeyBox export interface: under an admissible KeyBox profile (Assumption 1 (p. 11)), $\mathcal{F}_{\mathsf{KeyBox}}$ never returns resident shares (or caller-invertible affine images) in the clear. Consequently, an adversary can learn enough share-deriving material to recompute an honest device's share only by corrupting the relevant endpoint(s) during the protocol before erasure, not from the public transcript alone.

Share-deriving is intentionally a transcript-only notion: it captures values from which the caller can recover $k_{i,\mu}$ from $v$ alone (i.e., without any additional secret inputs). An API can still leak a resident share indirectly by returning an output that is not share-deriving by itself but becomes share-deriving once combined with caller-held secrets permitted by the profile (e.g., a ciphertext under a caller-supplied wrapping key). Such caller-recoverable exports are ruled out by key-opacity, so we explicitly exclude caller-decryptable wrapping/export: if the caller knows the decryption key, it can decrypt to obtain share-deriving plaintext (or an invertible affine image), which is not simulatable from $\mathsf{PubMap}(k_{i,\mu})$ alone and therefore violates key-opacity [9].

2.6 Real-world instantiations of admissible KeyBox profiles

Our KeyBox idealization is deliberately profile-centric (Definition 3 (p.
12)): the surrounding protocol fixes an admissible KeyBox profile $(\chi_{\mathrm{adm}}, \mathcal{F}_{\mathrm{adm}})$, and the KeyBox is assumed to accept only those derivations and operations. This is essential, as API-level non-exportability alone does not suffice for our security arguments. Many deployed keystore/HSM APIs expose operations that either (a) directly leak share-deriving material, or (b) let a caller recover a resident share indirectly (e.g., via caller-decryptable wrapping/export under a caller-controlled key), even when raw secret key bytes are nominally non-exportable. In our model this is captured by (i) pinning the profile and (ii) requiring key-opacity (Assumption 1 (p. 11)) for the induced external transcript, i.e., that everything observable outside the KeyBox boundary is simulatable given only the corresponding public key $\mathsf{PubMap}(k)$ and the public query inputs. Further, Remark 6 (p. 14) treats all share-deriving material (including caller-invertible affine images of a stored share) as NXK-restricted, and separately excludes caller-decryptable wrapping/export via key-opacity, even though the ciphertext alone need not be share-deriving under the transcript-only definition.

Implementation note (non-normative). As mentioned earlier, this paper's security proofs assume a profile-centric KeyBox satisfying key-opacity and state continuity (Assumption 2 (p. 13)). In practice, such a profile can be enforced by construction by interposing a narrow "profile adapter" between the protocol and a broader vendor API (e.g., a minimal TEE enclave used purely as a keystore, an attested enclave ↔ KMS integration, or an HSM under a strict allowlist). The adapter must (i) forbid share-deriving outputs; (ii) prohibit caller-decryptable wrapping/export (to preserve key-opacity); (iii) pin sealing recipients to attested identities while engineering explicit freshness/anti-rollback (to approximate state continuity). Appendix B (p.
65) summarizes candidate deployment families (Table 7 (p. 65)) and gives a profile-capture checklist. Throughout, when we say that some computation runs "inside the KeyBox boundary," we include any minimal, pinned "profile adapter" that is itself part of the same attested, state-continuous trusted boundary as the KeyBox. The adapter must further (iv) forbid any KeyBox API primitive that can generate the UC-extractable consistency AoKs used by the protocol (e.g., Fischlin-based UC-context proofs): these AoKs must be generated by the host/party ITM so that the UC simulator can record the prover's gRO-CRP query log required for straight-line extraction (Remark 9 (p. 19)). It must also ensure that randomized operations (including sealing) use fresh, domain-separated randomness across slots and across calls (Remark 2 (p. 12)); otherwise the slot-separability component of key-opacity may fail in spite of IND-CCA security of the abstract scheme.

3 The Conflict: Verifiable Sharing vs. NXK

In this section, we isolate the structural reason that requires UC-secure DKG protocols to enforce the core (R)VSS obligations: secrecy against unauthorized sets and uniqueness (a single well-defined shared secret), together with affine consistency of honest parties' local outputs. In the literature, these obligations are ensured by a VSE layer, which is classically instantiated via (R)VSS and its variants (PVSS/AVSS) using polynomial sharing [57], commitments, and complaint/opening logic. In other UC(-style) DKGs, the same role is alternatively realized via commitment-and-proof / (N)IZK-based authenticated sharing that prevents equivocation and certifies transcript-defined affine relations (e.g., [44, 15]).

Definition 6 (DL experiment). Let $\mathbb{G}$ be a cyclic group of prime order $p = p(\lambda)$ with generator $G \in \mathbb{G}$. For a PPT adversary $\mathcal{A}$, define
$$\mathrm{Adv}^{\mathrm{dl}}_{\mathcal{A}}(\lambda) := \Pr\big[\, x \leftarrow_{\$} \mathbb{Z}_p^*;\ X := xG;\ x' \leftarrow \mathcal{A}(G, X) \;:\; x' = x \,\big].$$
Assumption 3 (DL). For all PPT adversaries $\mathcal{A}$, $\mathrm{Adv}^{\mathrm{dl}}_{\mathcal{A}}(\lambda) \le \mathrm{negl}(\lambda)$.

Definition 7 (DDLEQ game). Let $\mathbb{G}$ be a cyclic group of prime order $p = p(\lambda)$ with (public) generators $G, H \in \mathbb{G}$. Consider the experiment that samples $r, s \leftarrow_{\$} \mathbb{Z}_p^*$ and a bit $b \leftarrow_{\$} \{0,1\}$. If $b = 1$ set $(A, B) := (rG, rH)$; if $b = 0$ set $(A, B) := (rG, sH)$. An adversary $\mathcal{A}$ is given $(G, H, A, B)$ and outputs a bit $b'$. Define
$$\mathrm{Adv}^{\mathrm{ddleq}}_{\mathcal{A}}(\lambda) := \Big|\Pr[b' = b] - \tfrac{1}{2}\Big|.$$

Assumption 4 (DDLEQ). For all PPT adversaries $\mathcal{A}$, $\mathrm{Adv}^{\mathrm{ddleq}}_{\mathcal{A}}(\lambda) \le \mathrm{negl}(\lambda)$.

Remark 7 (Terminology: DDLEQ is DDH). Definition 7 (p. 16) is exactly the standard DDH distinguishing game on the tuple $(G, H, A, B)$, written in the "same exponent across two bases" form matching DLEQ statements. We use the name DDLEQ only to align notation with the Chaum–Pedersen relation. (If $\log_G(H)$ were known, the game would be trivial by checking $B = (\log_G H) \cdot A$.)

We use the standard UC framework with ITMs as in Canetti [13]. Let $\mathrm{Exec}(\Psi, \mathcal{A}, \mathcal{Z}, \lambda)$ and $\mathrm{Ideal}(\mathcal{F}, \mathrm{Sim}, \mathcal{Z}, \lambda)$ denote the standard real and ideal execution ensembles (Exec/Ideal experiments).

Definition 8 (UC realization). A protocol $\Psi$ UC-realizes an ideal functionality $\mathcal{F}$ if for every PPT adversary $\mathcal{A}$ there exists a PPT simulator $\mathrm{Sim}$ such that for every PPT environment $\mathcal{Z}$, $\mathrm{Exec}(\Psi, \mathcal{A}, \mathcal{Z}, \lambda) \approx_c \mathrm{Ideal}(\mathcal{F}, \mathrm{Sim}, \mathcal{Z}, \lambda)$.

Note 3. Our only protocol security notion is UC realization. Other experiment-based definitions in the paper are standard assumptions or local properties of the underlying resources/primitives, used solely as hypotheses to establish UC realization of our ideal functionalities.
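The two games above, as an added Python example (not from the paper) in the same constructed toy subgroup ($P = 2039$, $p = 1019$, $G = 4$, multiplicative notation): `dl_instance` samples the Definition 6 challenge, `ddleq_instance` samples the Definition 7 tuple for a hidden bit $b$, and `trapdoor_distinguisher` implements the Remark 7 observation that knowing $\log_G H$ makes the game trivial. A brute-force DL solver is included only to show that the toy order is far too small for Assumption 3 to mean anything; all function names and the trapdoor value are assumptions for the demonstration.

```python
import random

P, p, G = 2039, 1019, 4   # toy prime-order subgroup (constructed, not a real parameter)


def dl_instance(rng: random.Random):
    """Definition 6: x <-$ Z_p^*, X := xG (multiplicatively G^x). Returns (X, x);
    the challenger keeps x and hands only X to the adversary."""
    x = rng.randrange(1, p)
    return pow(G, x, P), x


def brute_force_dl(X: int) -> int:
    """A DL 'adversary' that succeeds only because the toy group has 1019 elements;
    with log p = Theta(lambda) this loop is infeasible, which is what Assumption 3 asserts."""
    acc = 1
    for x in range(1, p):
        acc = acc * G % P
        if acc == X:
            return x
    raise ValueError("X is not in the subgroup generated by G")


def ddleq_instance(b: int, h: int, rng: random.Random):
    """Definition 7 with H := hG. Returns (G, H, A, B) for the hidden bit b."""
    H = pow(G, h, P)
    r = rng.randrange(1, p)
    A = pow(G, r, P)
    if b == 1:
        B = pow(H, r, P)            # same exponent across both bases
    else:
        s = rng.randrange(1, p)
        while s == r:               # Definition 7 samples s independently; the toy skips the
            s = rng.randrange(1, p) # 1/(p-1) collision so a b=0 tuple is never a DLEQ tuple
        B = pow(H, s, P)
    return G, H, A, B


def trapdoor_distinguisher(h: int, tup) -> int:
    """Remark 7: with log_G H = h known, output 1 iff B == h*A (here: B == A^h)."""
    _, _, A, B = tup
    return 1 if pow(A, h, P) == B else 0


def coin_flip_distinguisher(tup) -> int:
    """No trapdoor and no work: always guesses 0, so its advantage is 0 in expectation."""
    return 0


def empirical_advantage(distinguisher, h: int, trials: int, seed: int) -> float:
    """|Pr[b' = b] - 1/2| estimated over `trials` games; challenger randomness from `seed`."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(trials):
        b = rng.randrange(2)
        correct += int(distinguisher(ddleq_instance(b, h, rng)) == b)
    return abs(correct / trials - 0.5)
```

With the trapdoor the empirical advantage is exactly $1/2$ (every game is decided correctly); without it the estimate hovers near $0$, which is the gap Assumption 4 asserts for every PPT adversary once $p$ is large enough that no trapdoor-free strategy does better.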
Informally, a DL-based DKG outputs (i) a public key $K$ to everyone and (ii) a secret sharing of its discrete log $k$ among the parties according to the access structure $\Gamma$, so that authorized sets $A \in \Gamma$ can reconstruct $k$ or jointly sign using their shares, while unauthorized sets learn no (non-negligible) information about $k$ beyond $K$. In a UC formulation, the (DL-based) ideal functionality $\mathcal{F}^{\Gamma}_{\mathsf{DKG}}$ samples a fresh secret $k \leftarrow_{\$} \mathbb{Z}_p$, distributes shares $(k_1, \dots, k_n)$ consistent with $\Gamma$, and outputs $K := kG$. This implies three tightly coupled obligations that are classically associated with (R)VSS:
– Secrecy: for any corruption set $B \notin \Gamma$, the adversary learns no (non-negligible) information about $k$ beyond $K$.
– Uniqueness (strong correctness): whenever honest parties accept completion, there exists a single value $k$ such that every authorized set $A \in \Gamma$ can reconstruct that same $k$.
– Affine consistency: honest parties' local outputs are consistent with one global sharing instance of $k$ under $\Gamma$: the transcript cannot induce incompatible sharings across different honest subsets.

3.1 DKG subsumes dealerless (R)VSS

We capture the verifiable-sharing subtask by an ideal functionality for dealerless random (R)VSS that is exactly the UC-DKG functionality with its public-key output suppressed. Concretely, for a fixed access structure $\Gamma$, the functionality $\mathcal{F}^{\Gamma}_{\mathsf{RVSS}}$ is defined as follows: on session identifier $\mathsf{sid}$ and upon receiving $\mathsf{init}$ from all parties, it samples $k \leftarrow_{\$} \mathbb{Z}_p$, distributes shares $(k_1, \dots, k_n)$ consistent with $\Gamma$, and outputs no additional public value. Equivalently, $\mathcal{F}^{\Gamma}_{\mathsf{RVSS}}$ is obtained from $\mathcal{F}^{\Gamma}_{\mathsf{DKG}}$ by locally dropping the public output $K := kG$.¹

Theorem 1 (UC-DKG implies UC-RVSS). Let $\Psi$ be any protocol that UC-realizes $\mathcal{F}^{\Gamma}_{\mathsf{DKG}}$ in some model $\mathcal{M}$. Define $\Psi'$ to run $\Psi$ and ignore the public output $K$.
Then $\Psi'$ UC-realizes $\mathcal{F}^{\Gamma}_{\mathsf{RVSS}}$ in the same model $\mathcal{M}$.

Proof Sketch. This is immediate from UC closure under efficient post-processing: $\Psi'$ is obtained from $\Psi$ by locally suppressing a public output, and $\mathcal{F}^{\Gamma}_{\mathsf{RVSS}}$ is obtained from $\mathcal{F}^{\Gamma}_{\mathsf{DKG}}$ by the same transformation. Formally, given any $\mathcal{A}$ for $\Psi'$, build $\mathcal{A}^{\star}$ for $\Psi$ that forwards messages unchanged and drops $K$, and apply the simulator for $\Psi$ with the same post-processing. ■

Hence, any UC-secure DKG protocol must already satisfy the (R)VSS properties embodied by $\mathcal{F}^{\Gamma}_{\mathsf{RVSS}}$: secrecy against unauthorized sets and a unique, well-defined shared secret underlying honest outputs. Thus, in the standard model (without trusted hardware), a DKG protocol needs a mechanism that enforces exactly these VSS-style guarantees. Whether it is realized via (R)VSS/PVSS/AVSS and/or via commitment-and-proof / ZK-based authenticated sharing, it plays the same conceptual role, namely that of a VSE layer.

Lemma 2 (Uniqueness is necessary for UC-DKG). Let $\Psi$ be a protocol intended to UC-realize $\mathcal{F}^{\Gamma}_{\mathsf{DKG}}$. Suppose there exists a non-negligible-probability event wherein an execution of $\Psi$ terminates without honest abort, yet there exist authorized sets $A, B \in \Gamma$ whose respective reconstructions yield $k_A \neq k_B$. Then $\Psi$ does not UC-realize $\mathcal{F}^{\Gamma}_{\mathsf{DKG}}$.

Proof Sketch. Define a PPT environment $\mathcal{Z}$ that runs one execution and then adaptively corrupts all parties in $A \cup B$. From their revealed states, $\mathcal{Z}$ computes $k_A$ and $k_B$ using the prescribed reconstruction algorithm and outputs $1$ iff $k_A \neq k_B$. By assumption, $\Pr[\mathcal{Z} \text{ outputs } 1]$ is non-negligible in the real world. In the ideal world, $\mathcal{F}^{\Gamma}_{\mathsf{DKG}}$ samples a single secret $k$ and distributes shares consistent with that $k$, so any authorized set must reconstruct the same $k$. Thus, $\Pr[\mathcal{Z} \text{ outputs } 1] = 0$ (up to negligible reconstruction error) in the ideal world, contradicting UC indistinguishability. ■
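As an added example (not the paper's construction, and not its SDKG protocol), the following Python shows the classical VSE-layer checks that Lemma 2 and the surrounding discussion refer to, in the constructed toy group ($P = 2039$, $p = 1019$, $G = 4$): Shamir sharing with Feldman-style coefficient commitments, the reconstruct-and-compare test performed by the environment $\mathcal{Z}$ in the proof of Lemma 2, and how an equivocating dealer's inconsistent share produces $k_A \neq k_B$ yet is caught by the public Feldman check. Function names and the $t = 1$, $n = 3$ parameters are assumptions.

```python
import random

P, p, G = 2039, 1019, 4   # toy group (constructed): shares live in Z_p, commitments in <G>


def deal(k: int, t: int, n: int, rng: random.Random):
    """Honest dealer: random f of degree <= t with f(0) = k, shares k_i = f(i), and
    Feldman commitments C_j = G^{a_j} to the coefficients (public data)."""
    coeffs = [k % p] + [rng.randrange(p) for _ in range(t)]

    def f(x: int) -> int:
        return sum(c * pow(x, j, p) for j, c in enumerate(coeffs)) % p

    shares = {i: f(i) for i in range(1, n + 1)}
    commits = [pow(G, c, P) for c in coeffs]
    return shares, commits


def reconstruct(points: dict) -> int:
    """Lagrange interpolation at 0 over Z_p from |points| >= t+1 distinct abscissae."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def feldman_verify(i: int, k_i: int, commits: list) -> bool:
    """Public check that share k_i lies on the committed polynomial:
    G^{k_i} == prod_j C_j^{i^j}. This is the VSE-layer check that catches equivocation."""
    rhs = 1
    for j, C in enumerate(commits):
        rhs = rhs * pow(C, pow(i, j, p), P) % P
    return pow(G, k_i, P) == rhs


def uniqueness_check(shares: dict, authorized_sets: list):
    """The environment Z from the proof of Lemma 2: reconstruct from each authorized
    set and report whether they all agree. Returns (all_equal, values)."""
    values = [reconstruct({i: shares[i] for i in A}) for A in authorized_sets]
    return all(v == values[0] for v in values), values


def equivocation_demo() -> dict:
    """Constructed: t = 1, n = 3 sharing with authorized sets {1,2} and {2,3};
    a cheating dealer hands party 3 a share that is off the committed line."""
    rng = random.Random(2024)
    k = 123
    shares, commits = deal(k, t=1, n=3, rng=rng)
    auth = [{1, 2}, {2, 3}]
    honest_unique, honest_vals = uniqueness_check(shares, auth)

    bad = dict(shares)
    bad[3] = (bad[3] + 1) % p            # inconsistent share for party 3
    bad_unique, bad_vals = uniqueness_check(bad, auth)
    return {
        "honest_unique": honest_unique,                                  # True
        "honest_value": honest_vals[0],                                  # 123
        "equivocation_unique": bad_unique,                               # False: k_A != k_B
        "equivocation_values": bad_vals,                                 # [123, 121]
        "feldman_flags_party3": not feldman_verify(3, bad[3], commits),  # True
        "feldman_accepts_honest": all(feldman_verify(i, s, commits) for i, s in shares.items()),
    }
```

The point of the pairing is the one Section 3 makes: the environment's reconstruct-and-compare test only exists because shares are exportable to it, whereas the Feldman check works from public commitments and a share held by the verifying party. In the NXK setting neither the share nor an affine image of it may leave the KeyBox, which is why the paper replaces this machinery rather than reusing it.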
Therefore, any UC-secure DKG must implement a mechanism that prevents (or detects and neutralizes) equivocation in the distribution of share material and/or in the public data that defines the sharing. For additional discussion of DKG security notions and constructions, see [41].

3.2 Exported-share enforcement vs. NXK

In the traditional, transcript-visible share (a.k.a. "exportable-share") model, parties exchange explicit share-derived values over the network (so they become part of the adversary-visible transcript), and an adaptive adversary can later corrupt parties and inspect their local states.
1. Hiding of each contribution: parties must contribute randomness to the final key without revealing their secret contribution to unauthorized corruptions.
2. Binding/consistency of each contribution: a malicious party must not be able to send inconsistent information to different recipients in a way that makes honest parties accept incompatible sharings.
Moreover, the transcript must support the simulation/extraction requirements demanded by UC. This is exactly what classical VSS-based mechanisms provide: each party acts as a dealer, shares a random secret in a verifiable way, and the final secret is the sum of the non-disqualified contributions. In DL-based constructions, Feldman/Pedersen-style commitments [28, 52] additionally expose the public group element corresponding to each dealer's secret, enabling computation of the public key. The same enforcement role can also be realized via "authenticated sharing" based on commitments and (N)IZK proofs: parties commit to contributions and prove knowledge/consistency of the relations that the transcript induces.

¹ An RVSS functionality that also outputs $K := kG$ can be denoted by $\mathcal{F}^{\Gamma,\mathsf{pk}}_{\mathsf{RVSS}}$; we will not use it here.

Proposition 1 (External fresh-share enrollment and NXK). Fix a prime field $\mathbb{F}_p$.
Let $t \ge 1$ and let $f(X) \in \mathbb{F}_p[X]$ be uniformly random of degree at most $t$. Define $k_i := f(i)$ for $i \in [n]$. Let $x_{\mathrm{new}} \in \mathbb{F}_p$ with $x_{\mathrm{new}} \notin [n]$. Let $pp$ denote public parameters and any fixed public information. Assume $f(x_{\mathrm{new}})$ is computationally unpredictable given $pp$: there exists a function $\varepsilon = \varepsilon(\lambda)$ such that for every PPT predictor $\mathcal{B}$ and every realization of $pp$ in the support,
$$\Pr\big[\,\mathcal{B}(pp) = f(x_{\mathrm{new}}) \,\big|\, pp\,\big] \le \varepsilon(\lambda).$$
Consider any enrollment protocol that aims to output $\hat{k}_{\mathrm{new}} \in \mathbb{F}_p$ intended to equal $f(x_{\mathrm{new}})$. Assume the NXK model is enforced by $\mathcal{F}_{\mathsf{KeyBox}}$ with an admissible $\mathcal{F}_{\mathrm{adm}}$ that is key-opaque w.r.t. $\mathsf{PubMap}$, and that all access to long-term secrets occurs only through $\mathcal{F}_{\mathsf{KeyBox}}.\mathsf{Use}$ with $f \in \mathcal{F}_{\mathrm{adm}}$. Let $\tau_{\mathrm{ext}}$ be the external enrollment transcript/view outside all KeyBox instances. Then for any PPT strategy that computes $\hat{k}_{\mathrm{new}}$ from $(pp, \tau_{\mathrm{ext}})$,
$$\Pr\big[\,\hat{k}_{\mathrm{new}} = f(x_{\mathrm{new}}) \,\big|\, pp\,\big] \le \varepsilon(\lambda) + \mathrm{negl}(\lambda).$$

Proof. Define hybrid $⅁_0$ as the real enrollment execution and hybrid $⅁_1$ by modifying $⅁_0$ as follows: maintain a table of simulator instances indexed by KeyBox slots. Whenever a slot $(P, \mu)$ is first queried and has an installed key $k_{P,\mu} := \Lambda[P, \mu]$, set $pk_{P,\mu} \leftarrow \mathsf{PubMap}(k_{P,\mu})$ and initialize an independent simulator instance $\mathrm{Sim}_{P,\mu}$ by running $\mathrm{Sim}$ on input $(1^{\lambda}, pk_{P,\mu})$. Thereafter, for every call to $\mathcal{F}_{\mathsf{KeyBox}}.\mathsf{Use}(\mu, f, m)$ initiated by owner $P$ with $f \in \mathcal{F}_{\mathrm{adm}}$, respond as follows:
– Key-dependent interfaces (slot-bound): If $f \neq \mathsf{OpenFromPeer}$, replace the real reply produced by $f(k_{P,\mu}, \mathsf{st}[P, \mu, 𭟋(f)], m)$ with the output of $\mathrm{Sim}_{P,\mu}(f, m)$.
– Key-independent interfaces (sealing-only): If $f = \mathsf{OpenFromPeer}$, answer using a separate key-independent simulator state $\mathrm{Sim}^{\mathrm{KI}}_{P}$, as allowed by Assumption 1 (p. 11).
Concretely, $\mathrm{Sim}^{\mathrm{KI}}_{P}$ is stateful across $\mathsf{OpenFromPeer}$ calls and maintains its own buffer state for typed handles, so that subsequent uses of those handles (via $\mathsf{Resolve}$) are answered consistently with the handles it issued. The instance $\mathrm{Sim}_{P,\mu}$ is reused across all queries to the same slot so it may maintain state, while different slots use independent instances (cf. Assumption 1 (p. 11) and Remark 1 (p. 12)). By key-opacity of $\mathcal{F}_{\mathrm{adm}}$ w.r.t. $\mathsf{PubMap}$, the external transcripts/views $\tau_{\mathrm{ext}}$ in $⅁_0$ and $⅁_1$ are computationally indistinguishable; hence for any event $E$, $\big|\Pr[E \mid ⅁_0] - \Pr[E \mid ⅁_1]\big| \le \mathrm{negl}(\lambda)$. In $⅁_1$, by construction, all externally visible key-dependent outputs are generated by the slotwise simulators from $pp$ and the corresponding public values $pk_{P,\mu}$ only, while the key-independent sealing-only interface $\mathsf{OpenFromPeer}$ is handled by the separate simulator state $\mathrm{Sim}^{\mathrm{KI}}_{P}$ (which, per Assumption 1 (p. 11), does not require any resident key). Let $\mathcal{A}_{\mathrm{out}}$ be the (PPT) procedure that outputs $\hat{k}_{\mathrm{new}}$ from $(pp, \tau_{\mathrm{ext}})$. Define a PPT predictor $\mathcal{B}$ that on input $pp$ samples $\tau_{\mathrm{ext}}$ according to $⅁_1$ (using the same slotwise simulators $\{\mathrm{Sim}_{P,\mu}\}$ and key-independent sealing simulator states $\{\mathrm{Sim}^{\mathrm{KI}}_{P}\}$ as above) and outputs $\mathcal{A}_{\mathrm{out}}(pp, \tau_{\mathrm{ext}})$. Then for every fixed $pp$ in the support,
$$\Pr\big[\,\hat{k}_{\mathrm{new}} = f(x_{\mathrm{new}}) \,\big|\, pp, ⅁_1\,\big] = \Pr\big[\,\mathcal{B}(pp) = f(x_{\mathrm{new}}) \,\big|\, pp\,\big] \le \varepsilon(\lambda).$$
Transferring back to $⅁_0$ via indistinguishability yields $\Pr[\hat{k}_{\mathrm{new}} = f(x_{\mathrm{new}}) \mid pp] \le \varepsilon(\lambda) + \mathrm{negl}(\lambda)$. ■

Remark 8 (Min-entropy vs. public group elements in $pp$). In a prime-order group with fixed generator $G$, the map $a \mapsto aG$ is a bijection on $\mathbb{Z}_p$. Thus, if $pp$ contains a group element that is a deterministic one-to-one function of $f(x_{\mathrm{new}})$, then the information-theoretic conditional min-entropy of $f(x_{\mathrm{new}})$ given $pp$ is $0$, even though recovering $f(x_{\mathrm{new}})$ from $pp$ may be computationally hard under DL. Accordingly, Proposition 1 (p.
18) is stated in terms of computational unpredictability. As a special case, if $pp$ is such that $\max_{a \in \mathbb{F}_p} \Pr[f(x_{\mathrm{new}}) = a \mid pp] \le 2^{-h}$ for some $h(\lambda)$ (e.g., when $pp$ is statistically independent of $f(x_{\mathrm{new}})$), then the unpredictability hypothesis holds with $\varepsilon(\lambda) = 2^{-h}$, recovering the corresponding information-theoretic bound.

♦ Global setup: A nonempty context set $\mathsf{Ctx} \subseteq \{0,1\}^*$ and a finite range $\mathcal{Y} := \{0,1\}^{\lambda}$. Fix a partition $\mathsf{Ctx} = \mathsf{Ctx}_{np} \,\dot\cup\, \mathsf{Ctx}_{p}$ into non-programmable contexts $\mathsf{Ctx}_{np}$ and restricted-programmable contexts $\mathsf{Ctx}_{p}$.
♦ State: a lazy table $T : \mathsf{Ctx} \times \{0,1\}^* \rightharpoonup \mathcal{Y}$ (initially empty).
♦ Semantics (direct access): All interfaces below are delivered locally to the invoking ITM (i.e., not as network messages). If the invoking ITM is adversary-controlled, then $\mathcal{A}$ is notified of the full query/answer transcript: for each invocation it learns $(\mathsf{ctx}, x, y)$, where $y$ is the returned value.
♦ Interfaces:
– $\mathsf{Query}(\mathsf{ctx}, x)$: if $(\mathsf{ctx}, x) \notin \mathrm{dom}(T)$, sample $y \leftarrow_{\$} \mathcal{Y}$ and set $T[\mathsf{ctx}, x] \leftarrow y$. Return $T[\mathsf{ctx}, x]$.
– $\mathsf{SimProgram}(\mathsf{ctx}, x, y)$ (simulator-only): If $\mathsf{ctx} \notin \mathsf{Ctx}_{p}$ or $(\mathsf{ctx}, x) \in \mathrm{dom}(T)$, return $\bot$. Set $T[\mathsf{ctx}, x] \leftarrow y$ and return $\mathsf{ok}$.
Fig. 4: Global setup functionality $\mathcal{G}_{\mathsf{gRO\text{-}CRP}}$ implementing gRO-CRP.

Note that Proposition 1 (p. 18) is a statement about external derivation/export: it rules out computing a clear value $\hat{k}_{\mathrm{new}}$ intended to equal $f(x_{\mathrm{new}})$ using only $(pp, \tau_{\mathrm{ext}})$, where $\tau_{\mathrm{ext}}$ is the view outside all KeyBox instances. It does not rule out enrollment mechanisms in which share-derived material is transferred only via attested KeyBox-to-KeyBox sealing and is decrypted/consumed inside a KeyBox. Dynamic joins that assign a fresh independent Shamir share typically require some party outside KeyBoxes to compute, reveal, or otherwise export share-derived values. Proposition 1 (p.
18) captures this obstruction under key-opacity: no PPT strategy can externally compute such a fresh share from $(pp, \tau_{\mathrm{ext}})$. Therefore, join protocols that require exporting share-derived values are incompatible with NXK. Hence, in our SDKG protocol, we instead realize post-DKG enrollment via RDR, where additional devices are enrolled as redundant front-ends for an existing role/share using $\mathsf{SealToPeer}/\mathsf{OpenFromPeer}$, avoiding exported share-derived plaintexts and preserving the public key.

4 Cryptographic Primitives for State-Continuous KeyBoxes

Our end-to-end security claim is a UC realization theorem for SDKG. To keep the exposition modular, we state the required properties of the underlying proof/certificate mechanisms using standard game-based definitions in the gRO-CRP global-setup model, and we instantiate them in disjoint, domain-separated contexts so that these guarantees apply within the surrounding UC execution. We analyze our protocols in the UC framework augmented with a global resource shared across all sessions: a random-oracle-like functionality $\mathcal{H}$ that is sampled once per UC execution and used by all ITMs. This is in the spirit of UC formulations with a global random oracle (e.g., [14, 16, 47, 26, 11]). Formally, $\mathcal{H}$ is joint state that persists across sessions and sub-protocols (cf. [17]).

Remark 9 (Oracle-tape convention). When we say that an extractor or simulator inspects $\mathsf{Log}_{P^*}$, we mean that it runs the ITM $P^*$ with explicit oracle access to the global functionality $\mathcal{G}_{\mathsf{gRO\text{-}CRP}}$ and records the transcript of its local calls to $\mathsf{Query}(\mathsf{ctx}, x)$ together with the corresponding replies. When a set of contexts is relevant, $\mathsf{Log}_{P^*}$ is understood to be restricted to those contexts.

UC usage.
In our UC proofs, whenever straight-line extraction is applied to a proof produced by an adversary-controlled host prover (i.e., outside any KeyBox boundary), the simulator obtains the required oracle transcript by recording the $\mathsf{Query}$ calls made by that adversary-controlled ITM (cf. Fig. 4 (p. 19)). We never assume access to $\mathsf{Query}$ traces issued inside an honest KeyBox instance; such KeyBox-internal oracle calls are not exposed at the host/API boundary under local-call semantics.

Definition 9 (gRO-CRP). The gRO-CRP-hybrid model is the UC model augmented with the single global setup functionality $\mathcal{G}_{\mathsf{gRO\text{-}CRP}}$ (Fig. 4 (p. 19)). It implements an oracle $\mathcal{H} : \mathsf{Ctx} \times \{0,1\}^* \to \{0,1\}^{\lambda}$ with local-call semantics. The context set $\mathsf{Ctx}$ is partitioned as $\mathsf{Ctx} = \mathsf{Ctx}_{np} \,\dot\cup\, \mathsf{Ctx}_{p}$. All ITMs may invoke $\mathsf{Query}(\mathsf{ctx}, x)$. In programmable contexts $\mathsf{ctx} \in \mathsf{Ctx}_{p}$, the simulator additionally has access to $\mathsf{SimProgram}(\mathsf{ctx}, x, y)$ as specified in Fig. 4 (p. 19); no other ITM can invoke $\mathsf{SimProgram}$.

Thus, unlike existing approaches (e.g., [15]) wherein the UC proof is carried out in a strict GRO setting, we work in gRO-CRP: a single global oracle resource with local-call semantics and explicit context-based domain separation. Our gRO-CRP model is best viewed as a context-partitioned instance of the restricted-programmable GRO variants in the taxonomy of Camenisch et al. [11]: it coincides with strict GRO on the non-programmable contexts $\mathsf{Ctx}_{np}$ and adds only fresh-point, non-overwriting programmability for the simulator on the designated proof contexts $\mathsf{Ctx}_{p}$. On non-programmable contexts $\mathsf{Ctx}_{np}$ (used for transcript digests/receipts), gRO-CRP coincides with the standard non-programmable GRO. For proof contexts $\mathsf{Ctx}_{p}$, gRO-CRP additionally exposes a simulator-only programming hook $\mathsf{SimProgram}$ to realize the universal simulation interface required by our UC-NIZK(-AoK)s (Definition 10 (p.
22)) instantiated via the optimized Fischlin transform (Definition 15 (p. 24)). On proof contexts $\mathsf{Ctx}_{p}$, gRO-CRP exposes only a simulator-only programming hook $\mathsf{SimProgram}$. No protocol party (and hence no adversary) can program oracle outputs. Thus, in $\mathsf{Ctx}_{p}$ contexts, the simulator can fail only if an external ITM pre-queries an input that the simulator intends to program. Lemma 3 (p. 20) bounds this pre-query event and implies that, for our uses (Fischlin-based UC-NIZKs in contexts in $\mathsf{Ctx}_{p}$), the simulator programs only fresh points except with negligible probability.

For any PPT machine making $\mathrm{poly}(\lambda)$ $\mathsf{Query}$ calls, each fresh $(\mathsf{ctx}, x)$ returns an independent uniform $y \leftarrow \mathcal{Y}$. Moreover, for any $(\mathsf{ctx}^*, x^*)$ that was neither queried nor simulator-programmed, $\mathcal{H}(\mathsf{ctx}^*, x^*)$ is uniform conditioned on the machine's view. This aligns with the standard programmable-random-oracle abstraction used to express the universal simulation interface for NIZKs: the simulator may set oracle values at a (negligible) set of fresh inputs associated with simulated proofs, while all non-proof uses of hashing (contexts in $\mathsf{Ctx}_{np}$) remain strictly non-programmable. The programming hook is a simulator interface in the idealized model (and has no concrete analogue for a fixed hash); it is included solely to realize the universal simulation interface for RO-based NIZKs. Accordingly, instantiating $\mathsf{Query}$ by a fixed domain-separated hash function should be read as the usual (global) RO heuristic for programmable-RO-based UC-NIZKs, with instantiation caveats as studied in the GRO literature (e.g., [11]) and in recent work on limitations for distributing RO-based proofs (e.g., [26]).

Because $\mathcal{G}_{\mathsf{gRO\text{-}CRP}}$ has local-call semantics, the simulator can obtain an oracle query/answer log $\mathsf{Log}_{P^*}$ only for provers that are themselves adversary-controlled ITMs.
Specifically, a KeyBox ITM is never adversary-controlled (even when its owner party is corrupted), so any $\mathsf{Query}(\cdot, \cdot)$ calls issued inside a KeyBox are transcript-private and are unavailable to the UC simulator. Therefore, whenever our UC proofs rely on straight-line extraction from $\mathsf{Log}_{P^*}$ (e.g., for Fischlin-based UC-context AoKs in contexts in $\mathsf{Ctx}_{p}$), the corresponding prover must be the host/party ITM outside any KeyBox boundary. Equivalently, the admissible KeyBox API profile must not expose any operation that outputs those UC-context proofs (or any artifact that would verify as such a proof) in a way that keeps the relevant oracle queries inside the KeyBox. KeyBox-resident proof-generation primitives, if present, must be instantiated in disjoint contexts and are used only under ZK/simulation (no extraction).

Relation to standard models. It is useful to compare three increasingly strong global-oracle abstractions:
– Strict GRO: only $\mathsf{Query}(\mathsf{ctx}, x)$ is available in all contexts. In this model the universal simulation interface required by our Fischlin-based UC-NIZKs is unattainable (Proposition 2 (p. 25)).
– gRO-CRP: strict GRO on $\mathsf{Ctx}_{np}$ plus a simulator-only, fresh-point programming hook on $\mathsf{Ctx}_{p}$. Programming is non-overwriting (fails on pre-queried points) and is used only to realize the UC-NIZK simulation interface in proof contexts.
– Fully programmable global RO: a simulator can program arbitrary points (potentially even overwrite) in all contexts. We do not assume this: gRO-CRP disallows programming outside $\mathsf{Ctx}_{p}$ and disallows overwriting anywhere.
Thus, gRO-CRP is strictly stronger than strict GRO but strictly weaker than a fully programmable GRO. For a broader study of GRO formulations (strict, programmable, restricted programmable/observable), see [11].

Lemma 3 (Pre-query bound for gRO-CRP programming). Fix any context $\mathsf{ctx} \in \mathsf{Ctx}_{p}$.
Consider a UC execution (possibly involving many concurrently interleaved protocol sessions) in which the ideal-world simulator makes at most $m = m(\lambda)$ calls to $\mathsf{SimProgram}(\mathsf{ctx}, x_j, y_j)$ at (possibly adaptive) inputs $x_1, \dots, x_m \in \{0,1\}^*$. Let $\mathsf{Bad}_{pre}$ denote the event that for some $j$, the $j$-th call to $\mathsf{SimProgram}(\mathsf{ctx}, x_j, y_j)$ returns $\bot$ (equivalently, $(\mathsf{ctx}, x_j) \in \mathrm{dom}(T)$ at the time of that call). Suppose that immediately before each $x_j$ is fixed, conditioned on the complete external view $\mathsf{view}_j$ of all non-simulator ITMs, the point $x_j$ has conditional min-entropy at least $h_j(\lambda)$, in the sense that
$$\max_{u \in \{0,1\}^*} \Pr[x_j = u \mid \mathsf{view}_j] \le 2^{-h_j(\lambda)}.$$
If the total number of $\mathsf{Query}(\mathsf{ctx}, \cdot)$ calls made by all non-simulator ITMs before the $j$-th programming attempt is at most $Q_j(\lambda)$, then
$$\Pr[\mathsf{Bad}_{pre}] \le \sum_{j=1}^{m} Q_j(\lambda) \cdot 2^{-h_j(\lambda)}.$$
In particular, if $m, Q_j = \mathrm{poly}(\lambda)$ and $h_j(\lambda) = \omega(\log \lambda)$ for all $j$, then $\Pr[\mathsf{Bad}_{pre}] = \mathrm{negl}(\lambda)$.

Proof Sketch. For a fixed $j$, let $S_j$ be the set of inputs queried via $\mathsf{Query}(\mathsf{ctx}, \cdot)$ by non-simulator ITMs prior to the $j$-th call to $\mathsf{SimProgram}$. By assumption $|S_j| \le Q_j$. Conditioned on $\mathsf{view}_j$, we have
$$\Pr[x_j \in S_j \mid \mathsf{view}_j] \le \sum_{u \in S_j} \Pr[x_j = u \mid \mathsf{view}_j] \le |S_j| \cdot 2^{-h_j} \le Q_j \cdot 2^{-h_j}.$$
A union bound over $j \in [m]$ yields the claim. ■

Lemma 4 (No cross-context influence in gRO-CRP). Fix any execution in the gRO-CRP-hybrid model. For every non-programmable context $\mathsf{ctx} \in \mathsf{Ctx}_{np}$, the joint distribution of all replies to calls $\mathsf{Query}(\mathsf{ctx}, \cdot)$ is identical to that of a standard (non-programmable) GRO for that context, even conditioned on an arbitrary sequence of simulator calls $\mathsf{SimProgram}(\mathsf{ctx}', \cdot, \cdot)$ in contexts $\mathsf{ctx}' \in \mathsf{Ctx}_{p}$.

Proof Sketch. In Fig. 4 (p.
19), the oracle table $T$ is indexed by pairs $(\mathsf{ctx}, x)$. A call to $\mathsf{SimProgram}(\mathsf{ctx}', x', y')$ can write only the entry $T[\mathsf{ctx}', x']$, and only when $\mathsf{ctx}' \in \mathsf{Ctx}_{p}$. Therefore no entry with $\mathsf{ctx} \in \mathsf{Ctx}_{np}$ is ever written by $\mathsf{SimProgram}$; such entries are populated only by lazy sampling upon the first corresponding $\mathsf{Query}(\mathsf{ctx}, x)$ call. Thus, $\mathcal{H}(\mathsf{ctx}, \cdot)$ for $\mathsf{ctx} \in \mathsf{Ctx}_{np}$ is distributed exactly as in a standard global random oracle and is unaffected by programming in other contexts. ■

Remark 10 (Per-context domain separation in gRO-CRP). In $\mathcal{G}_{\mathsf{gRO\text{-}CRP}}$ (Fig. 4 (p. 19)) the oracle table $T$ is indexed by pairs $(\mathsf{ctx}, x)$. Consequently, oracle activity in one context cannot affect any other context: a call $\mathsf{Query}(\mathsf{ctx}', \cdot)$ (resp. $\mathsf{SimProgram}(\mathsf{ctx}', \cdot, \cdot)$) reads/writes only entries of the form $T[\mathsf{ctx}', \cdot]$ and never touches $T[\mathsf{ctx}, \cdot]$ for $\mathsf{ctx} \neq \mathsf{ctx}'$. In particular:
– for $\mathsf{ctx} \in \mathsf{Ctx}_{np}$, the induced oracle $\mathcal{H}(\mathsf{ctx}, \cdot)$ is a strict (non-programmable) random oracle for that context, even conditioned on arbitrary simulator programming in other contexts (cf. Lemma 4 (p. 21));
– for $\mathsf{ctx} \in \mathsf{Ctx}_{p}$, the induced oracle $\mathcal{H}(\mathsf{ctx}, \cdot)$ is a restricted-programmable random oracle for that context, where programming is non-overwriting and confined to that same $\mathsf{ctx}$.
Thus, when logically distinct uses of hashing are assigned disjoint contexts (and inputs are injectively encoded), they behave as domain-separated uses of independent per-context oracles. This is the precise sense in which we apply ROM/gRO-CRP security arguments modularly inside an arbitrarily interleaved UC execution.

Remark 11 (Concrete entropy sources for gRO-CRP programming in this paper). Lemma 3 (p. 20) reduces simulator programming failure to the conditional min-entropy of the programmed inputs $x_j$.
In all of our uses of Fischlin-based UC-NIZK simulation (DL and DLEQ), every $\mathsf{SimProgram}$ call is on an input that includes at least one fresh simulator-sampled prover response $z_i \in \mathbb{Z}_p$ (or the analogous response component for the underlying $\Sigma$-protocol (Definition 14 (p. 23))), embedded in the injective tuple encoding $\langle\cdot\rangle$ as in Definition 15 (p. 24). Table 3 (p. 22) summarizes the concrete entropy sources for the relevant inputs. Even under concurrency and adaptive corruptions, the "external view" $\mathsf{view}_j$ in Lemma 3 (p. 20) may include (a) the entire public transcript so far, (b) all corruption-revealed host state (subject to the protocol's explicit erasures), and (c) all prior gRO-CRP replies to non-simulator ITMs; nevertheless, the simulator chooses each $z_i$ after $\mathsf{view}_j$ is fixed, so $z_i$ remains uniform conditioned on $\mathsf{view}_j$. Since $\log p = \Theta(\lambda)$, this yields $h_j \ge \log p - O(1) = \Theta(\lambda)$. Plugging $h_j = \Theta(\lambda)$ and $Q_j = \mathrm{poly}(\lambda)$ into Lemma 3 (p. 20) yields
$$\Pr[\mathsf{Bad}_{\mathrm{pre}}] \le \sum_{j=1}^{m} Q_j(\lambda) \cdot 2^{-\Theta(\lambda)} = \mathrm{negl}(\lambda),$$
where $m = m(\lambda)$ is the total number of simulator programming attempts $\mathsf{SimProgram}(ctx, \cdot, \cdot)$ in the given proof context $ctx \in \mathsf{Ctx}_p$ over the entire UC execution (i.e., summed over all concurrently interleaved sessions). Since the simulator and all non-simulator ITMs are PPT, we have $m(\lambda) = \mathrm{poly}(\lambda)$ and $Q_j(\lambda) = \mathrm{poly}(\lambda)$ even under $\mathrm{poly}(\lambda)$ concurrent sessions; hence a union bound over all programmed points (across all sessions) remains negligible.

Table 3: Concrete entropy sources: in all cases, a fresh $z_i \in \mathbb{Z}_p$ contributes $\Theta(\lambda)$ conditional min-entropy.
Programming event | Proof context | Fresh high-entropy component in programmed input
Simulating UC-context DL proofs | $ctx_{\mathrm{UC}} \in \mathsf{Ctx}_p$ | Programmed inputs include a fresh response $z_i \in \mathbb{Z}_p$ inside $\langle x, \mathbf{a}, i, e_i, z_i\rangle$ (Definition 15 (p. 24)); conditioned on the full external view, $z_i$ is uniform, so $H_\infty(x) \ge \log p - O(1)$.
Simulating UC-context DLEQ proofs | $ctx_{\mathrm{DLEQ}} \in \mathsf{Ctx}_p$ | Programmed inputs contain a fresh simulator-chosen response component $z_i \in \mathbb{Z}_p$ inside the encoded Fischlin query input, giving $H_\infty(x) \ge \log p - O(1)$.
Simulating KeyBox-context DL proofs | $ctx_{\mathrm{KeyBox}} \in \mathsf{Ctx}_p$ | Each programmed point includes a fresh $z_i \in \mathbb{Z}_p$ chosen by the simulator and embedded in the programmed Fischlin input. Under LinOS (Fig. 6 (p. 38)), this input is of the form $\langle sid, K, \mathbf{a}, i, e_i, z_i\rangle$, so conditioned on the external view, $z_i$ is uniform and contributes $H_\infty = \Theta(\lambda)$ to that input.

In the UC simulations for USV and SDKG, the simulator never invokes $\mathsf{SimProgram}(ctx_{\mathrm{DLEQ}}, \cdot, \cdot)$. Intuitively, USV certificates are generated honestly (with witnesses) and are only verified/opened by the simulator in those UC hybrids; no UC hybrid ever requires simulating a new accepting USV/DLEQ proof without a witness.

UC-NIZKs in the adaptive-corruption setting have been studied since Groth et al. [36, 37]. For practical adaptive UC-NIZK-PoK constructions in (G)RO via straight-line compilation of $\Sigma$-protocols, see [46]. Our use requires the stronger AoK interface with straight-line extraction in gRO-CRP, defined as follows.

Definition 10 (NIZK proofs/arguments and AoKs). Let $R \subseteq X \times W$ be an NP relation and let $L_R := \{x \in X : \exists w \in W \text{ s.t. } (x, w) \in R\}$. A Non-Interactive Zero-Knowledge (NIZK) argument system for $R$ is a triple of PPT algorithms $(K, P, V)$: Setup: $K(1^\lambda) \to pp$; Prove: $P(pp, x, w) \to \pi$ for $(x, w) \in R$; Verify: $V(pp, x, \pi) \to \{0, 1\}$, satisfying:
– Completeness: for all $(x, w) \in R$, $\Pr[V(pp, x, \pi) = 1 \mid pp \leftarrow K(1^\lambda),\ \pi \leftarrow P(pp, x, w)] \ge 1 - \mathrm{negl}(\lambda)$.
– (Computational) soundness: for all PPT $P^*$ and all $x \notin L_R$, $\Pr[V(pp, x, \pi) = 1 \mid pp \leftarrow K(1^\lambda),\ \pi \leftarrow P^*(pp, x)] \le \mathrm{negl}(\lambda)$.
– Zero-knowledge with universal simulation interface (in the gRO-CRP model): There exists a PPT simulator $\mathsf{Sim} = (\mathsf{Sim}_1, \mathsf{Sim}_2)$ and (possibly empty) simulator-only state $\tau$ such that:
(i) $\{pp \leftarrow K(1^\lambda)\} \approx_c \{pp : (pp, \tau) \leftarrow \mathsf{Sim}_1(1^\lambda)\}$.
(ii) (Indistinguishability on true statements) For all $(x, w) \in R$, $\{(pp, \pi) : pp \leftarrow K(1^\lambda),\ \pi \leftarrow P(pp, x, w)\} \approx_c \{(pp, \pi) : (pp, \tau) \leftarrow \mathsf{Sim}_1(1^\lambda),\ \pi \leftarrow \mathsf{Sim}_2(pp, \tau, x)\}$.
(iii) (Universal simulation interface) For every statement $x \in X$, letting $\pi \leftarrow \mathsf{Sim}_2(pp, \tau, x)$, we have $\Pr[\pi \neq \bot \wedge V(pp, x, \pi) = 1] \ge 1 - \mathrm{negl}(\lambda)$. The simulator $\mathsf{Sim}_2$ may invoke the simulator-only interface $\mathsf{SimProgram}$ in the proof's gRO-CRP context(s), which must lie in $\mathsf{Ctx}_p$. If a required call to $\mathsf{SimProgram}$ returns $\bot$, then $\mathsf{Sim}_2$ outputs $\bot$.²

Footnote 2: Throughout this paper we use this universal notion. Thus, the real setup is transparent and no protocol party ever learns $\tau$ or can program $H$.

Additionally, $(K, P, V)$ is a NIZK-AoK for $R$ if for every PPT prover $P^*$ (with oracle access to $H$) there exists a PPT straight-line extractor $\mathsf{Ext}_{P^*}$ such that, in the experiment
$$pp \leftarrow K(1^\lambda);\quad (x, \pi) \leftarrow P^{*H}(pp);\quad w \leftarrow \mathsf{Ext}_{P^*}(pp, x, \pi; \mathsf{Log}_{P^*}),$$
we have $\Pr[V(pp, x, \pi) = 1 \wedge (x, w) \notin R] \le \mathrm{negl}(\lambda)$.

Definition 11 (Simulation soundness). Let $\Pi = (K, P, V)$ be a NIZK for relation $R$ with simulator $\mathsf{Sim} = (\mathsf{Sim}_1, \mathsf{Sim}_2)$. We say $\Pi$ is simulation-sound (for $R$) if for every PPT adversary $\mathcal{A}$, the following experiment has negligible success probability: sample $(pp, \tau) \leftarrow \mathsf{Sim}_1(1^\lambda)$, give $pp$ to $\mathcal{A}$, and grant $\mathcal{A}$ oracle access to $\mathsf{Sim}_2(pp, \tau, \cdot)$, producing simulated proofs for adaptively chosen statements. Let $\mathcal{Q}$ be the set of statements queried by $\mathcal{A}$ to this oracle. $\mathcal{A}$ outputs $(x^*, \pi^*)$ and wins only if (i) $V(pp, x^*, \pi^*) = 1$, (ii) $x^* \notin \mathcal{Q}$, and (iii) $(x^*, w) \notin R$ for all $w$.
Definition 12 (Simulation-extractability / simulation-sound AoK). Let $\Pi = (K, P, V)$ be a NIZK for relation $R$ in the gRO-CRP model with simulator $\mathsf{Sim} = (\mathsf{Sim}_1, \mathsf{Sim}_2)$. We say $\Pi$ is simulation-extractable (a.k.a. simulation-sound AoK) if there exists a PPT extractor $\mathsf{Ext}$ such that for every PPT adversary $\mathcal{A}$, the following holds with all but negligible probability: $(pp, \tau) \leftarrow \mathsf{Sim}_1(1^\lambda)$. Run $\mathcal{A}$ on input $pp$ with oracle access to (i) the proof-simulation oracle $\mathsf{Sim}_2(pp, \tau, \cdot)$ and (ii) the global oracle interface $\mathsf{Query}(\cdot, \cdot)$, while recording the oracle query/answer transcript $\mathsf{Log}_{\mathcal{A}}$ (restricted to the gRO-CRP context(s) used by $\Pi$, cf. Remark 9 (p. 19)). Let $\mathcal{Q}$ be the set of statements queried by $\mathcal{A}$ to $\mathsf{Sim}_2(pp, \tau, \cdot)$. When $\mathcal{A}$ outputs $(x^*, \pi^*)$ with $V(pp, x^*, \pi^*) = 1$ and $x^* \notin \mathcal{Q}$, the extractor outputs $w^* \leftarrow \mathsf{Ext}_{\mathcal{A}}(pp, \tau, x^*, \pi^*; \mathsf{Log}_{\mathcal{A}})$ such that $(x^*, w^*) \in R$.

Definition 13 (Public-coin protocol). [2] A proof system $\Pi = (P, V)$ is public-coin if each verifier message consists only of freshly sampled public randomness. Concretely, in round $i$, $V$ samples $c_i \leftarrow_\$ \mathcal{C}_i$ uniformly from some finite set $\mathcal{C}_i$ and sends $c_i$. If $\mathcal{C}_i = \{0,1\}^t$ for all verifier rounds, we say that $\Pi$ has $t$-bit challenges.

Next, we recall the standard folklore definition of a $\Sigma$-protocol.

Definition 14 ($\Sigma$-protocol with $t$-bit challenge). Let $R$ be an NP relation. A $\Sigma$-protocol for $R$ with $t$-bit challenges is a three-move protocol $\Sigma = (P_\Sigma, V_\Sigma)$: (i) $P_\Sigma$ sends $a$; (ii) $V_\Sigma$ samples $e \leftarrow_\$ \{0,1\}^t$ and sends $e$; (iii) $P_\Sigma$ responds with $z$. The protocol satisfies the following properties:
– Completeness: for all $(x, w) \in R$, an honest interaction accepts with probability 1.
– Special soundness: there exists a PPT extractor $\mathsf{Ext}$ such that from any two accepting transcripts $(a, e, z)$ and $(a, e', z')$ with $e \neq e'$ (one and the same first message $a$), $\mathsf{Ext}$ outputs $w$ with $(x, w) \in R$.
– (Computational) Special Honest-Verifier Zero-Knowledge: there exists a PPT simulator $\mathsf{Sim}$ such that for all $(x, w) \in R$ and all $e \in \{0,1\}^t$, the simulated transcript $\mathsf{Sim}(x, e)$ is computationally indistinguishable from the verifier's view in an honest execution with challenge fixed to $e$.

We assume $2^{t(\lambda)} < p(\lambda)$ for every security parameter $\lambda$. Hence each $t$-bit challenge $e \in \{0,1\}^t$ is interpreted as the corresponding integer $\bar e \in \{0, \dots, 2^t - 1\} \subset \mathbb{Z}_p$ via the natural injection. All prover responses and verifier checks treat $\bar e$ as an element of $\mathbb{Z}_p$. Throughout, the public parameters $pp$ and the gRO-CRP oracle $H$ (together with the relevant context string) are fixed once per UC execution and are treated as implicit inputs to all algorithms. When this improves readability, we omit $pp$ from signatures and write $P(x, w)$ for $P(pp, x, w)$ and $V(x, \pi)$ for $V(pp, x, \pi)$. Likewise, for a $\Sigma$-protocol we write $V_\Sigma(x; a, e, z) = 1$ to denote acceptance of transcript $(a, e, z)$ for statement $x$ (with $pp$ implicit in $x$).

The Fischlin transform [30] is a method to convert interactive public-coin proof systems into non-interactive ones. Unlike the Fiat–Shamir transform [29], which directly derives challenges from a random oracle, the Fischlin transform enforces an output-structure criterion on the prover's transcript. Specifically, the prover must generate outputs that satisfy a structural condition (e.g., several trailing zeros) which is deliberately chosen to be rare, requiring the prover to perform multiple attempts to find a valid output. By observing the prover's queries to the random oracle, an extractor can identify at least two transcripts with the same initial commitment but different challenges. Then the special soundness property of the underlying $\Sigma$-protocol allows straight-line extraction of the witness.
In gRO-CRP, "observing oracle queries" means emulating the adversarial prover ITM and recording its local $\mathsf{Query}$ calls under the proof context (cf. Remark 9 (p. 19)). Because witness-bearing computation may be delegated to a state-continuous KeyBox, we require proof systems with straight-line extractors (no rewinding). Hence, we employ Fischlin-based UC-NIZKs. See [46] for an explicit formalization of adaptive straight-line compilation of $\Sigma$-protocols and a proof that the randomized Fischlin transform satisfies it.

Definition 15 (Fischlin transform in gRO-CRP). Let $\Sigma = (P_\Sigma, V_\Sigma)$ be a three-move protocol for an NP relation $R$ with $t = O(\log\lambda)$-bit challenges. For security parameter $\lambda$, fix parameter functions $b = b(\lambda)$, $r = r(\lambda)$, and $S = S(\lambda)$ satisfying $b, r = O(\log\lambda)$, $b \le t$, $br = \omega(\log\lambda)$, $2^{t-b} = \omega(\log\lambda)$, and $S = \Theta(r)$. Let $H : \mathsf{Ctx} \times \{0,1\}^* \to \{0,1\}^\lambda$ be the global oracle provided by $\mathcal{G}_{\mathrm{gRO\text{-}CRP}}$ in the gRO-CRP model. Assume $b(\lambda) \le \lambda$. For $u \in \{0,1\}^*$, define $H_b(ctx, u) := \mathrm{lsb}_b(H(ctx, u)) \in \{0, \dots, 2^b - 1\}$. When the Fischlin transform $\mathcal{F}[\Sigma]$ is used as a (UC-)NIZK (including when run inside an honest KeyBox), instantiate it with a proof context $ctx \in \mathsf{Ctx}_p$. Let $\langle\cdot\rangle$ be any fixed injective encoding of tuples into $\{0,1\}^*$. $\mathcal{F}[\Sigma]$ produces a non-interactive proof system $(P', V')$ as follows.

Prover $P'(x, w)$: Run $r$ independent first moves of $\Sigma$ on $(x, w)$ to obtain commitments $\mathbf{a} := (a_1, \dots, a_r)$. For each $i \in [r]$ do:
1. Initialize $\hat s_i \leftarrow 2^b - 1$ and $(\hat e_i, \hat z_i) \leftarrow (\bot, \bot)$.
2. For $e = 0, 1, \dots, 2^t - 1$ do:
– Compute the $\Sigma$-response $z_{i,e}$ for challenge $e$ (using $w$), and set $s_{i,e} := H_b(ctx, \langle x, \mathbf{a}, i, e, z_{i,e}\rangle)$.
– If $s_{i,e} = 0$, set $(e_i, z_i) \leftarrow (e, z_{i,e})$ and break.
– Else, if $s_{i,e} \le \hat s_i$, set $\hat s_i \leftarrow s_{i,e}$ and $(\hat e_i, \hat z_i) \leftarrow (e, z_{i,e})$.
3. If the loop ended without $s_{i,e} = 0$, set $(e_i, z_i) \leftarrow (\hat e_i, \hat z_i)$.
Let $s_i := H_b(ctx, \langle x, \mathbf{a}, i, e_i, z_i\rangle)$. Output the proof $\pi := (a_i, e_i, z_i)_{i=1}^{r}$.

Verifier $V'(x, \pi)$: Parse $\pi = ((a_i, e_i, z_i))_{i=1}^{r}$, set $\mathbf{a} = (a_1, \dots, a_r)$, and accept iff (i) $\forall i \in [r]$, $V_\Sigma(x; a_i, e_i, z_i) = 1$, and (ii)
$$\sum_{i=1}^{r} H_b(ctx, \langle x, \mathbf{a}, i, e_i, z_i\rangle) \le S.$$

Remark 12 (Asymptotic vs. concrete Fischlin parameters). Definition 15 (p. 24) fixes parameter functions $(t(\lambda), b(\lambda), r(\lambda), S(\lambda))$ and imposes asymptotic growth conditions (e.g., $2^{t-b} = \omega(\log\lambda)$ and $br = \omega(\log\lambda)$) that are used only to derive negligible completeness and soundness/extraction error as $\lambda \to \infty$ (Lemma 5 (p. 25)). When we later quote a concrete tuple $(t, b, r, S)$, this is shorthand for an instantiation at a fixed target security level $\lambda = \lambda_0$, i.e., $(t, b, r, S) = (t(\lambda_0), b(\lambda_0), r(\lambda_0), S(\lambda_0))$. In that concrete setting, we evaluate the corresponding explicit bounds from Fischlin's analysis, rather than claiming that a constant tuple satisfies the asymptotic growth conditions for all $\lambda$. Throughout this paper, every UC-NIZK(-AoK) we use is instantiated via the optimized Fischlin transform [19] in the gRO-CRP model (Definition 9 (p. 19)).

Early-break rarity search [19]. For each $i$, the prover evaluates $H_b(ctx, \langle x, \mathbf{a}, i, e, z_{i,e}\rangle)$ on successive challenges and stops at the first $e$ with $s_{i,e} = 0$. Since $H_b$ is uniform over $\{0, \dots, 2^b - 1\}$, the expected number of trials per $i$ is $2^b$. For a cap of $2^t$, the per-repetition "no hit" probability is
$$p_{\mathrm{miss}} := \Pr[\forall e \in \{0,1\}^t : s_{i,e} \neq 0] = (1 - 2^{-b})^{2^t} \approx e^{-2^{t-b}}.$$
Under Definition 15 (p. 24), we require $2^{t-b} = \omega(\log\lambda)$; hence $p_{\mathrm{miss}} = \mathrm{negl}(\lambda)$. With fixed concrete parameters, $p_{\mathrm{miss}}$ is an explicit completeness probability.
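As an added worked example (not code from the paper), the following Python listing implements the prover and verifier of Definition 15 for the Schnorr $\Sigma$-protocol (relation $R_{DL}$) over a constructed toy group, with toy parameters $(t, b, r, S) = (8, 4, 6, 6)$ rather than the paper's concrete tuple. SHA-256 stands in for $H$; the context name `ctx_UC`, the length-prefixed tuple encoding and the in-memory oracle table are assumptions of this example. Beyond the transform itself, it shows the two features the text relies on: the straight-line extractor that reads two accepting transcripts with the same $(\mathbf{a}, i)$ and different challenges out of the prover's query log, and the witness-free simulator of Remark 11 and Table 3, which fixes a fresh $z_i$ first and then programs $H_b$ to $0$ through a non-overwriting $\mathsf{SimProgram}$ that fails on an already-queried point (the $\mathsf{Bad}_{\mathrm{pre}}$ event of Lemma 3).

```python
import hashlib
import random

# Toy prime-order group, constructed for this example: the order-p subgroup of Z_q^*
# with q = 2p + 1 (a real instantiation uses an elliptic-curve group of ~256-bit order).
P = 1019          # subgroup order p
Q = 2 * P + 1     # modulus q = 2039 (prime)
G = 4             # generator of the order-p subgroup (a quadratic residue mod q)
CTX = b"ctx_UC"   # proof context (name assumed for this example); programming stays inside it
T_BITS, B_BITS, R_REP, S_SLACK = 8, 4, 6, 6   # toy (t, b, r, S); not the paper's concrete tuple
TABLE = {}        # programmed entries T[ctx, x] (simulator-only, non-overwriting)
QUERIED = set()   # (ctx, x) pairs already answered; programming them must fail

def encode(*parts):
    """Injective tuple encoding <.>: each field is length-prefixed."""
    return b"".join(len(s).to_bytes(4, "big") + s for s in
                    (p if isinstance(p, bytes) else str(p).encode() for p in parts))

def H_b(ctx, x):
    """H_b(ctx, x) := lsb_b(H(ctx, x)), with H modelled by SHA-256 over (ctx, x)."""
    QUERIED.add((ctx, x))
    if (ctx, x) in TABLE:
        return TABLE[(ctx, x)]
    return hashlib.sha256(encode(ctx, x)).digest()[-1] & ((1 << B_BITS) - 1)

def sim_program(ctx, x, s):
    """SimProgram: returns False (the paper's bottom) if (ctx, x) is already defined."""
    if (ctx, x) in QUERIED or (ctx, x) in TABLE:
        return False
    TABLE[(ctx, x)] = s
    return True

# Schnorr Sigma-protocol for R_DL = {(X, w) : X = G^w}; it has unique responses.
def schnorr_verify(X, a, e, z):
    return pow(G, z, Q) == a * pow(X, e, Q) % Q

def fischlin_prove(X, w, rng, log):
    """Prover P' of Definition 15; every H_b query is appended to `log`."""
    ks = [rng.randrange(1, P) for _ in range(R_REP)]
    a = tuple(pow(G, k, Q) for k in ks)             # r first moves a = (a_1..a_r)
    proof = []
    for i in range(R_REP):
        best = (2 ** B_BITS - 1, None, None)          # (s_hat_i, e_hat_i, z_hat_i)
        hit = None
        for e in range(2 ** T_BITS):                  # early-break rarity search
            z = (ks[i] + e * w) % P
            log.append((X, a, i, e, z))
            s = H_b(CTX, encode(X, *a, i, e, z))
            if s == 0:
                hit = (e, z)
                break
            if s <= best[0]:
                best = (s, e, z)
        proof.append((a[i],) + (hit if hit else best[1:]))
    return proof

def fischlin_verify(X, proof):
    """Verifier V': all Sigma-transcripts accept and the sum of H_b values is at most S."""
    if len(proof) != R_REP:
        return False
    a = tuple(ai for ai, _, _ in proof)
    total = 0
    for i, (ai, e, z) in enumerate(proof):
        if not schnorr_verify(X, ai, e, z):
            return False
        total += H_b(CTX, encode(X, *a, i, e, z))
    return total <= S_SLACK

def extract(X, log):
    """Straight-line extractor: two accepting transcripts with the same (a, i) and
    different challenges give w = (z - z') / (e - e') by special soundness."""
    seen = {}
    for (x, a, i, e, z) in log:
        if x != X or not schnorr_verify(X, a[i], e, z):
            continue
        if (a, i) in seen and seen[(a, i)][0] != e:
            e2, z2 = seen[(a, i)]
            return (z - z2) * pow(e - e2, -1, P) % P
        seen.setdefault((a, i), (e, z))
    return None

def sim_prove(X, rng):
    """Sim_2 without a witness: choose (e_i, z_i) first, derive a_i, then program
    H_b to 0 at an input containing the fresh z_i (the entropy source of Table 3)."""
    ez = [(rng.randrange(2 ** T_BITS), rng.randrange(P)) for _ in range(R_REP)]
    a = tuple(pow(G, z, Q) * pow(X, -e, Q) % Q for e, z in ez)
    for i, (e, z) in enumerate(ez):
        if not sim_program(CTX, encode(X, *a, i, e, z), 0):
            return None                               # Bad_pre: pre-query collision
    return [(a[i], e, z) for i, (e, z) in enumerate(ez)]

def demo(seed=7):
    """Constructed run: an honest proof with its oracle log, plus a simulated proof."""
    rng = random.Random(seed)
    w = rng.randrange(1, P)
    X = pow(G, w, Q)
    log = []
    proof = fischlin_prove(X, w, rng, log)
    return w, X, proof, log, sim_prove(X, rng)
```

`demo()` returns the witness, statement, honest proof, the prover's query log and a simulated proof; `fischlin_verify` accepts both proofs, `extract` recovers $w$ from the log alone (it never rewinds the prover), and changing a single response $z_i$ makes the verifier reject. The simulated proof verifies because every programmed $H_b$ value is $0$, so the sum test trivially passes, which is exactly why a strict GRO without a programming interface cannot support this simulator (Proposition 2).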
The honest-rejection probability of an $r$-fold proof is at most $r \cdot p_{\mathrm{miss}}$ by a union bound. This event is an operational/liveness failure (an honest prover may abort and retry); it is not a security failure. We present the general slack-$S$ formulation in Definition 15 (p. 24). By "optimized Fischlin" we mean the optimized variant from [19], which fixes parameters and streamlines the prover/verification logic for efficiency.

We say that a $\Sigma$-protocol $\Sigma = (P_\Sigma, V_\Sigma)$ has unique responses if for every statement $x$, first message $a$, and challenge $e$, there exists at most one response $z$ such that $V_\Sigma(x; a, e, z) = 1$. If $\Sigma$ has special soundness and unique responses, then in the random-oracle/gRO-CRP model $\mathcal{F}[\Sigma]$ is a NIZK-AoK with a straight-line (online) extractor [30, Thm. 2]. For any PPT adversary making at most $Q$ distinct queries to $H$ under a context, the soundness/extraction error is bounded by
$$\Pr[V'(x, \pi) = 1 \text{ for } x \notin L] \le \frac{(Q + 1) \cdot N_{r,S}}{2^{br}} + \mathrm{negl}(\lambda),$$
where
$$N_{r,S} := \sum_{T=0}^{S} \binom{T + r - 1}{r - 1} = \binom{S + r}{r}$$
is the number of $r$-tuples $(s_1, \dots, s_r) \in \{0, \dots, 2^b - 1\}^r$ with $\sum_i s_i \le S$. In particular, for any $Q = \mathrm{poly}(\lambda)$, the soundness/extraction error is negligible whenever $br - \log N_{r,S} = \omega(\log\lambda)$; e.g., under $S = \Theta(r)$ this is implied by $br = \omega(\log\lambda)$, since $\log N_{r,S} = O(r)$.

Lemma 5 (Negligible Fischlin error for admissible parameters). Let $(t(\lambda), b(\lambda), r(\lambda), S(\lambda))$ satisfy Definition 15 (p. 24). Then for every $Q = \mathrm{poly}(\lambda)$, the soundness/knowledge-extraction error of $\mathcal{F}[\Sigma]$ against any PPT prover that makes at most $Q$ distinct queries under the transform context is negligible in $\lambda$. Moreover, the honest-rejection probability is $\mathrm{negl}(\lambda)$.

Proof Sketch. We know that the soundness error is at most $(Q + 1) \cdot N_{r,S} / 2^{br} + \mathrm{negl}(\lambda)$. Under Definition 15 (p. 24), $br - \log N_{r,S} = \omega(\log\lambda)$; hence the term is negligible for any $Q = \mathrm{poly}(\lambda)$. The honest-rejection bound $r \cdot (1 - 2^{-b})^{2^t}$ is negligible since $2^{t-b} = \omega(\log\lambda)$. ■

For completeness, note that in an honest execution each repetition $i$ yields $s_i = 0$ whenever the prover's rarity search finds some challenge $e$ with $H_b(\cdot) = 0$. In that case the verifier's sum test holds with $\sum_{i=1}^{r} s_i = 0 \le S$. Thus, an explicit (union-bound) upper bound on honest rejection is
$$\Pr[V' \text{ rejects an honest proof}] \le r \cdot (1 - 2^{-b})^{2^t} + \mathrm{negl}(\lambda) \approx r \cdot \exp(-2^{t-b}) + \mathrm{negl}(\lambda).$$
The soundness/knowledge-extraction/security error of the Fischlin transform, for a prover making at most $Q$ distinct oracle queries under the proof context, is bounded by
$$\varepsilon_{\mathrm{sec}}(Q) := \frac{(Q + 1) \cdot N_{r,S}}{2^{br}} + \mathrm{negl}(\lambda).$$
Consequently, choosing parameter functions $t(\lambda), b(\lambda), r(\lambda), S(\lambda)$ as in Definition 15 (p. 24) yields negligible soundness and completeness error in $\lambda$. When quoting concrete numbers, we always label which bound is liveness and which is security.

The next proposition is essentially an immediate corollary of Fischlin soundness: in a strict GRO model the UC simulator has no programming capability and is therefore just another PPT prover for $\mathcal{F}[\Sigma]$. We nevertheless state it explicitly because our UC-NIZK(-AoK) definition requires a universal simulation interface (Definition 10 (p. 22)) that must succeed even on off-language statements, and strict GRO rules this out. This motivates the move to gRO-CRP (Definition 9 (p. 19)) and clarifies the model separation relative to works proved in strict GRO (e.g., [15]).

Proposition 2 (Strict GRO is insufficient for Fischlin universal simulation). Fix an NP relation $R \subseteq X \times W$ such that $X \setminus L_R \neq \emptyset$, where $L_R := \{x \in X : \exists w\ (x, w) \in R\}$. Let $\Sigma = (P_\Sigma, V_\Sigma)$ be a $\Sigma$-protocol for $R$ with special soundness and unique responses.
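The two explicit bounds above, the liveness bound $r \cdot (1 - 2^{-b})^{2^t}$ and the security bound $\varepsilon_{\mathrm{sec}}(Q)$, can be evaluated for a concrete tuple with the following added Python calculator (not the paper's code). It returns both bounds in bits, labelled liveness and security as the text prescribes, and searches for the smallest $r$ meeting a security target in the $S = \Theta(r)$ regime. The tuple used in the usage note is constructed for illustration; it is not the paper's 128-bit instantiation, which is quoted elsewhere in the paper.

```python
import math

def fischlin_bounds(t, b, r, S, log2_Q):
    """Concrete (not asymptotic) Fischlin bounds for parameters (t, b, r, S) against a
    prover making Q = 2**log2_Q distinct oracle queries under the proof context.
    Returns log2 of the liveness bound r*(1-2^-b)^(2^t) and of the security bound
    (Q+1)*N_{r,S}/2^{br}, plus N_{r,S} and the expected prover hash evaluations r*2^b."""
    N = math.comb(S + r, r)                                   # N_{r,S} = C(S+r, r)
    log2_security = math.log2(2 ** log2_Q + 1) + math.log2(N) - b * r
    # log2 of the honest-rejection bound; log1p avoids underflow for large 2^t
    log2_liveness = math.log2(r) + (2 ** t) * math.log1p(-2.0 ** (-b)) / math.log(2)
    return {"N": N, "log2_security": log2_security,
            "log2_liveness": log2_liveness, "expected_hashes": r * 2 ** b}

def min_repetitions(b, log2_Q, target_bits, slack_ratio=1):
    """Smallest r with b*r - log2 N_{r,S} - log2 Q >= target_bits, taking S = slack_ratio*r
    (the S = Theta(r) regime of Definition 15); the additive negl(lambda) term is ignored."""
    r = 1
    while b * r - math.log2(math.comb(slack_ratio * r + r, r)) - log2_Q < target_bits:
        r += 1
    return r
```

For the constructed tuple $(t, b, r, S) = (16, 10, 13, 13)$ and $Q = 2^{64}$, `fischlin_bounds` reports $N_{r,S} = \binom{26}{13} = 10{,}400{,}600$, a security bound of roughly $2^{-42.7}$ and a liveness bound below $2^{-80}$; raising $t$ only improves liveness, while $b$ and $r$ govern security, which is the separation the text draws between the two bounds. `min_repetitions(10, 64, 128)` shows that with $b = 10$, $S = r$ and $Q = 2^{64}$, a 128-bit security bound needs $r = 24$ repetitions.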
Let $\mathcal{F}[\Sigma] = (K, P', V')$ denote the (optimized) Fischlin transform (Definition 15 (p. 24)) instantiated with parameter functions $(t(\lambda), b(\lambda), r(\lambda), S(\lambda))$ satisfying Definition 15 (p. 24). Consider the UC model augmented with a strict global random oracle (GRO) that provides only $\mathsf{Query}(\cdot, \cdot)$ (no simulator-only programming interface), and assume the public parameters $pp \leftarrow K(1^\lambda)$ are generated by the honest/transparent setup of $\mathcal{F}[\Sigma]$. Then $\mathcal{F}[\Sigma]$ cannot satisfy the universal simulation interface of Definition 10 (p. 22) by any PPT simulator. Concretely, for every PPT simulator $\mathsf{Sim} = (\mathsf{Sim}_1, \mathsf{Sim}_2)$ that has access only to $\mathsf{Query}$, for every fixed statement $x^\star \in X \setminus L_R$, if $(pp, \tau) \leftarrow \mathsf{Sim}_1(1^\lambda)$ and $\pi^\star \leftarrow \mathsf{Sim}_2(pp, \tau, x^\star)$, then
$$\Pr[V'(pp, x^\star, \pi^\star) = 1] \le \mathrm{negl}(\lambda),$$
where the probability is over the coins of $\mathsf{Sim}$ and the strict GRO.

Proof Sketch. [Immediate from soundness (model-separation point)] Fix any $x^\star \in X \setminus L_R$. In the strict GRO model the simulator has access only to $\mathsf{Query}(\cdot, \cdot)$ and has no programming interface. Consequently, $\mathsf{Sim}_2(pp, \tau, \cdot)$ is simply a PPT prover for the non-interactive proof system $\mathcal{F}[\Sigma]$ (with oracle access to $\mathsf{Query}$ in the proof context used by $\mathcal{F}[\Sigma]$). Let $Q(\lambda)$ upper bound the number of distinct oracle queries that $\mathsf{Sim}_2$ makes under that proof context; since $\mathsf{Sim}_2$ is PPT, $Q(\lambda) = \mathrm{poly}(\lambda)$. By Fischlin soundness for admissible parameters (Lemma 5 (p. 25)), any PPT prover making at most $Q(\lambda)$ distinct oracle queries outputs an accepting proof for an off-language statement with probability at most $\mathrm{negl}(\lambda)$. Applying this to $\mathsf{Sim}_2$ yields $\Pr[V'(pp, x^\star, \pi^\star) = 1] \le \mathrm{negl}(\lambda)$, where $\pi^\star \leftarrow \mathsf{Sim}_2(pp, \tau, x^\star)$. However, the universal simulation interface in Definition 10 (p. 22) requires that for every statement $x \in X$ (specifically, $x^\star$), the simulator outputs an accepting proof with probability $1 - \mathrm{negl}(\lambda)$. This contradiction shows that $\mathcal{F}[\Sigma]$ cannot satisfy the universal simulation interface in strict GRO. ■

For DLEQ proofs we restrict the statement space to $X_{DLEQ} := (\mathbb{G} \setminus \{0_{\mathbb{G}}\}) \times (\mathbb{G} \setminus \{0_{\mathbb{G}}\})$. Henceforth, we refer to $\Pi_{DL}$ and $\Pi_{DLEQ}$ for the Fischlin transforms of the Schnorr and Chaum–Pedersen $\Sigma$-protocols [56, 18] (for $R_{DL}$ and $R_{DLEQ}$ resp.), instantiated in disjoint gRO-CRP contexts; concrete details appear in Section 6 (p. 35).

Lemma 6 (Fischlin-based UC-NIZK-AoKs for DL and DLEQ in gRO-CRP). Assume DL hardness in the prime-order group fixed by the security parameter $\lambda$. Fix Fischlin parameters $(t(\lambda), b(\lambda), r(\lambda), S(\lambda))$ satisfying Definition 15 (p. 24). Let $\Pi_{DL}$ denote the (optimized) Fischlin instantiation described in Section 6 (p. 35) for relation $R_{DL}$, instantiated in a gRO-CRP context in $\mathsf{Ctx}_p$. If, in addition, DDLEQ hardness holds, let $\Pi_{DLEQ}$ denote the corresponding (optimized) Fischlin instantiation for relation $R_{DLEQ}$, instantiated in a disjoint gRO-CRP context in $\mathsf{Ctx}_p$. Then the following hold for $\Pi_{DL}$; and, under the additional DDLEQ assumption, the same items also hold for $\Pi_{DLEQ}$.
(i) Zero-knowledge (universal simulation interface): The proof system satisfies computational zero-knowledge with the universal simulation interface of Definition 10 (p. 22) in its corresponding context in $\mathsf{Ctx}_p$.
(ii) NIZK-AoK with straight-line extraction: The proof system is a NIZK-AoK in the sense of Definition 10 (p. 22), with an online/straight-line extractor that may inspect the adversary's gRO-CRP query/answer log under the corresponding proof context. For any $Q = \mathrm{poly}(\lambda)$ distinct gRO-CRP queries under that proof context, the resulting knowledge/soundness error is negligible (Lemma 5 (p. 25)).
(iii) Simulation-extractability: The proof system is simulation-extractable for fresh statements in the sense of Definition 12 (p. 23).
(iv) Use under UC composition (domain separation in gRO-CRP): The guarantees in (i)–(iii) remain valid when the proof system is invoked as a subroutine inside an arbitrarily interleaved UC execution in the gRO-CRP-hybrid model, provided that every logically distinct use of the global oracle is domain-separated by disjoint gRO-CRP contexts and injective encodings. Concretely, if $\Pi$ uses only its dedicated proof context $ctx_\Pi \in \mathsf{Ctx}_p$ and all other sub-protocols use contexts disjoint from $ctx_\Pi$, then oracle activity (including simulator programming) in those other contexts cannot affect the distribution of oracle answers in $ctx_\Pi$ (Remark 10 (p. 21)). Hence, each invocation of $\Pi$ sees exactly the same oracle behavior as in its standalone gRO-CRP analysis, up to the simulator's pre-query failure event.

Proof Sketch. Items (i) and (ii) follow by instantiating Fischlin's analysis [30, Thm. 2] for $\Sigma$-protocols with special soundness and unique responses (here, Schnorr for $R_{DL}$ and Chaum–Pedersen for $R_{DLEQ}$), with negligible error by Lemma 5 (p. 25). The optimized prover/verifier organization of [19] affects efficiency but not the underlying transform security argument. Item (iii) follows from Fischlin's simulation-soundness/simulation-extractability theorem [30, Thm. 3]. In our gRO-CRP formulation, the simulator's universal simulation interface is realized via $\mathsf{SimProgram}$ in the corresponding contexts in $\mathsf{Ctx}_p$. Since $\mathsf{SimProgram}$ fails on already-defined points, the simulator's only failure mode is a pre-query collision on a programmed input; by Lemma 3 (p. 20), this occurs with negligible probability for the Fischlin-based proofs whose programmed inputs include fresh high-entropy material. For item (iv), fix any UC execution in the gRO-CRP-hybrid model with arbitrarily many concurrently interleaved sessions and sub-protocols. By Remark 10 (p. 21), the oracle behavior in a fixed context $ctx_\Pi$ is unaffected by queries/programming in any other context, and injective encodings plus disjoint contexts ensure that logically distinct uses never collide on the same pair $(ctx, x)$. Therefore, the view of any prover/verifier/extractor for $\Pi$ restricted to $ctx_\Pi$ is distributed exactly as in the standalone gRO-CRP analysis. Under concurrency, the only quantitative change is that the total number of oracle queries (and simulator programming attempts for simulated proofs) increases to at most $\mathrm{poly}(\lambda)$ over the entire UC execution; Lemma 3 (p. 20) (with a union bound over all programmed points) bounds the resulting pre-query failure probability by $\mathrm{negl}(\lambda)$. Hence the guarantees in (i)–(iii) apply modularly inside the surrounding UC execution. ■

5 Enforcing Public Structure without Export: USV Certificates

Unique Structure Verification (USV) is a non-interactive, publicly verifiable certificate that lets anyone derive a unique public opening for a commitment to a hidden scalar without exporting that scalar.³ Extraction is public and straight-line: it is a deterministic function of the certificate and uses no trapdoor or rewinding.

Assumption 5 (Transparent generator derivation). Let $\pounds$ be a public randomness source (e.g., [40]) that is sampled outside the protocol and is not adversary-influenceable: conditioned on the adversary's view prior to publication, $\pounds$ has min-entropy at least $\lambda$. Fix a prime-order group $\mathbb{G}$ of size $p$ with canonical generator $G$.
For a deterministic, publicly specified hash-to-group map $\mathsf{H2G}$ [27], whose output distribution (over random $\pounds$) is computationally indistinguishable from uniform over $\mathbb{G} \setminus \{0_{\mathbb{G}}\}$, define $H := \mathsf{H2G}(\mathsf{USV.H} \,\|\, \pounds)$, with a deterministic counter-based resampling rule to ensure $H \notin \{0_{\mathbb{G}}, G\}$. Set $pp := (\mathbb{G}, p, G, H)$, and define the deterministic public setup procedure $\mathsf{Setup}(1^\lambda, \pounds) \to pp$. Definitions 16 (p. 27)–18 (p. 28) describe the stand-alone primitive; our composable statement is the UC realization of $\mathcal{F}_{USV}$ (Theorem 2 (p. 34)).

Definition 16 (USV certificate scheme). A USV certificate scheme consists of the deterministic public setup procedure $\mathsf{Setup}(1^\lambda, \pounds) \to pp$ specified in Assumption 5 (p. 27), together with the following algorithms: $\mathsf{Cert}(pp, m) \to (C, \zeta)$, $\mathsf{V}_{cert}(pp, C, \zeta) \in \{0, 1\}$, $\mathsf{Derive}(pp, C, \zeta) \to (\Upsilon \text{ or } \bot)$, and a deterministic public-opening projection $\mathsf{PubOpen}(pp, \cdot) : \mathcal{O} \to \mathbb{G} \cup \{\bot\}$, where $\mathcal{O}$ is the opening space of $\mathsf{Derive}$ (and we adopt the convention $\mathsf{PubOpen}(pp, \bot) = \bot$). We define a verified opening algorithm as
$$\mathsf{Open}(pp, C, \zeta) := \begin{cases} \mathsf{Derive}(pp, C, \zeta) & \text{if } \mathsf{V}_{cert}(pp, C, \zeta) = 1, \\ \bot & \text{otherwise.} \end{cases}$$
We also define the associated public opening as $\mathsf{Open}_M(pp, C, \zeta) := \mathsf{PubOpen}(pp, \mathsf{Open}(pp, C, \zeta))$. There exists a polynomial-time decidable relation $R_{pp} \subseteq \mathcal{C} \times \mathcal{O}$ such that the following hold:
1. Completeness: For every $m \neq 0$,
$$\Pr\big[\mathsf{V}_{cert}(pp, C, \zeta) = 1 \wedge \Upsilon := \mathsf{Open}(pp, C, \zeta) \neq \bot \wedge (C, \Upsilon) \in R_{pp} \wedge \mathsf{Open}_M(pp, C, \zeta) \neq \bot : (C, \zeta) \leftarrow \mathsf{Cert}(pp, m)\big] \ge 1 - \mathrm{negl}(\lambda).$$
2. Deterministic verified opening (uniqueness): For any fixed $(C, \zeta)$, $\mathsf{Derive}(pp, C, \zeta)$ is deterministic and returns either $\bot$ or a single value $\Upsilon \in \mathcal{O}$.

Footnote 3: In UC, we will model handle binding as verifier-scoped; see Section 5.3 (p. 33).
Moreover, $\mathsf{Open}(pp, C, \zeta) = \bot$ iff $\mathsf{V}_{cert}(pp, C, \zeta) = 0$, and whenever $\mathsf{Open}(pp, C, \zeta) = \Upsilon \neq \bot$, we have $(C, \Upsilon) \in R_{pp}$. Further, $\mathsf{PubOpen}(pp, \Upsilon)$ is deterministic; hence $\mathsf{Open}_M(pp, C, \zeta)$ is deterministic and returns either $\bot$ or a single $M \in \mathbb{G}$.
3. Opening-conditional tag simulatability: There exists a PPT simulator $\mathsf{Sim}_{cert}$ such that:
(a) Correctness of simulated tags: For every $(C, \Upsilon) \in R_{pp}$, if $\tilde\zeta \leftarrow \mathsf{Sim}_{cert}(pp, C, \Upsilon)$ then, except with probability $\mathrm{negl}(\lambda)$, $\mathsf{V}_{cert}(pp, C, \tilde\zeta) = 1$ and $\mathsf{Derive}(pp, C, \tilde\zeta) = \Upsilon$. Equivalently, except with probability $\mathrm{negl}(\lambda)$, $\mathsf{Open}(pp, C, \tilde\zeta) = \Upsilon$, and therefore $\mathsf{Open}_M(pp, C, \tilde\zeta) = \mathsf{PubOpen}(pp, \Upsilon)$.
(b) Indistinguishability conditioned on the opening: For every $m$,
$$\{(C, \Upsilon, \zeta) : (C, \zeta) \leftarrow \mathsf{Cert}(pp, m);\ \Upsilon \leftarrow \mathsf{Open}(pp, C, \zeta)\} \approx_c \{(C, \Upsilon, \tilde\zeta) : (C, \zeta) \leftarrow \mathsf{Cert}(pp, m);\ \Upsilon \leftarrow \mathsf{Open}(pp, C, \zeta);\ \tilde\zeta \leftarrow \mathsf{Sim}_{cert}(pp, C, \Upsilon)\}.$$

For the UC realization of $\mathcal{F}_{USV}$ and for SDKG, we rely on completeness and deterministic verified openings (Items 1–2 of Definition 16 (p. 27)) together with equivocation resistance (Definition 18 (p. 28)). The stronger opening-conditional tag-simulatability interface (Item 3) is not required by any UC hybrid in this paper; we include it because it is useful in variants where the ideal world fixes an opening first and the simulator must later backfill a compatible accepting tag, and because it holds for our instantiation (Lemma 7 (p. 31)).

Definition 17 (Equivocation experiment). Work in the gRO-CRP-hybrid model of Definition 9 (p. 19) with global oracle $\mathcal{G}_{\mathrm{gRO\text{-}CRP}}$ (Fig. 4 (p. 19)). The experiment and the adversary share access to the same oracle interface $\mathsf{Query}(\cdot, \cdot)$. Fix public parameters $pp = (\mathbb{G}, p, G, H)$ and the USV algorithms $(\mathsf{Cert}, \mathsf{Derive}, \mathsf{V}_{cert}, \mathsf{Open}, \mathsf{PubOpen})$ from Definition 16 (p. 27). Experiment $\mathsf{Exp}^{eqv}_{\mathcal{A}}(1^\lambda)$ is defined as:
1. Sample $\pounds$ according to the public randomness source/beacon distribution (Assumption 5 (p. 27)), and set $pp \leftarrow \mathsf{Setup}(1^\lambda, \pounds)$.
2. Run $\mathcal{A}^{\mathsf{Query}}(1^\lambda, pp)$, i.e., $\mathcal{A}$ on input $(1^\lambda, pp)$ with oracle access to $\mathsf{Query}(\cdot, \cdot)$, and obtain $(C, \zeta, \zeta')$ with $\zeta \neq \zeta'$.
3. Let $b \leftarrow 1$ iff $\mathsf{V}_{cert}(pp, C, \zeta) = 1 \wedge \mathsf{V}_{cert}(pp, C, \zeta') = 1 \wedge \mathsf{Open}_M(pp, C, \zeta) \neq \mathsf{Open}_M(pp, C, \zeta')$, where $\mathsf{V}_{cert}$ (and the embedded verifier $V_{DLEQ}$) evaluates any needed oracle calls as $\mathsf{Query}(ctx_{\mathrm{DLEQ}}, \cdot)$ in the dedicated USV/DLEQ proof context $ctx_{\mathrm{DLEQ}} \in \mathsf{Ctx}_p$ (disjoint from $ctx_{\mathrm{UC}}$ and $ctx_{\mathrm{KeyBox}}$). Otherwise set $b \leftarrow 0$. Output $b$.
Define $\mathsf{Adv}^{eqv}_{\mathcal{A}}(\lambda) := \Pr[\mathsf{Exp}^{eqv}_{\mathcal{A}}(1^\lambda) = 1]$.

Definition 18 (Equivocation resistance). A USV certificate scheme is equivocation resistant (in the gRO-CRP-hybrid model) if for every PPT adversary $\mathcal{A}$ with oracle access to $\mathsf{Query}(\cdot, \cdot)$, $\mathsf{Adv}^{eqv}_{\mathcal{A}}(\lambda) \le \mathrm{negl}(\lambda)$.

In the NXK/KeyBox setting targeted by this paper, USV certificate generation is mediated by the KeyBox API. Concretely, we include a key-independent admissible operation $\mathsf{USV.Cert} \in \mathcal{F}_{adm}$ that samples an internal witness scalar $m \leftarrow \mathbb{Z}_p^*$, computes $\langle C, \zeta\rangle \leftarrow \mathsf{Cert}(pp, m)$, erases $m$, and returns only $\langle C, \zeta\rangle$ to the host. Formally, a party obtains a certificate by invoking $\langle C, \zeta\rangle \leftarrow \mathcal{F}^{(P)}_{KeyBox}.\mathsf{Use}(\mu, \mathsf{USV.Cert}, \langle lbl\rangle)$, where the slot argument $\mu$ is ignored (as for the key-independent $\mathsf{OpenFromPeer}$ interface in Fig. 3 (p. 11)).

Relation to standard notions. USV can be viewed as a small "commit-and-certify" primitive whose interface differs from similar abstractions as follows:
– A standard commitment is opened by revealing the full witness (message and randomness).
USV never reveals the scalar; instead it yields a deterministic public opening to the induced group element that is sufficient for the transcript-defined affine consistency checks used under NXK.
– Extractable commitments typically provide a privileged extractor that outputs the committed message (using trapdoors and/or rewinding). USV instead makes extraction public and deterministic, but extracts only the canonical group element (not the scalar), aligning with NXK.
– Equivocable commitments enable opening a fixed commitment to different messages. USV is the opposite: it is opening-unique and we explicitly require equivocation resistance. The simulator's power is orthogonal: it can simulate tags conditioned on a chosen opening, which is exactly what we need in the UC hybrids.
– PVSS-style objects certify well-formed encrypted shares or allow recovery by a set of parties. USV provides neither ciphertexts nor recoverable secrets; it certifies only the public structure needed to replace exported-share enforcement under NXK.
– One can see $\zeta$ as a compact NIZK-style certificate of well-formedness, but with the special feature that it induces a canonical and deterministic public opening that the transcript can reference.
– USV supports publishing commitment-shaped material $(C, \zeta)$ that deterministically defines the canonical public point $M := \mathsf{Open}_M(pp, C, \zeta) = mG$. The scalar $m$ remains non-exportable and is hidden computationally (under DL): since $M$ is public and $m \mapsto mG$ is a bijection in a prime-order group, $m$ is not information-theoretically hidden once a valid certificate is published. In the SDKG base run (Section 7 (p. 37)), the leaf transmits $(C, \zeta)$ in Round 1, so $M$ is transcript-defined from the outset.
5.1 Why USV is needed under hardened NXK profiles (overview)

Several later checks (in SDKG verification and in the transcript-driven idealization) require certain group elements to be deterministic functions of the public transcript, computable in straight-line. The key example is a leaf-defined point $M = mG$ (and derived auxiliaries): verifiers and the UC simulator must be able to compute these points from the transcript alone. In our NXK setting, long-term shares (and any other KeyBox-resident secrets) are API-non-exportable (Assumption 1 (p. 11)). Any share-deriving material is NXK-restricted: it must remain transcript-private and must not be written to persistent storage outside a KeyBox, though it may be handled transiently in host RAM during an atomic local step and must then be securely erased (Reader Note 2.1 (p. 8); Remark 6 (p. 14)). State continuity furthermore rules out rewinding/forking-based extraction at the hardware boundary (Assumption 2 (p. 13)). Finally, KeyBox-local oracle calls are not visible to the UC simulator (local-call semantics).

Under hardened/minimal profiles, the scalar $m$ underlying $M = mG$ is generated inside a state-continuous KeyBox and is not exported. A plain hiding commitment $C = \mathsf{Commit}(m; r)$ therefore does not determine $M$ unless one can extract $m$ (or otherwise obtain $mG$) in straight-line. This leaves three design options:
1. Publish $M = mG$ directly. This removes the need for USV, but assumes the profile allows computing/exporting $mG$ for fresh ephemeral scalars.
2. Commit to $m$ and extract $m$ from an opening proof. If the opening proof is generated inside the KeyBox (to avoid exporting $m$), then straight-line extraction fails in our model: there is no rewinding/forking (state continuity) and no simulator access to the KeyBox's oracle log.
If the opening proof is generated outside the KeyBox, then the leaf must materialize $(m, r)$ (or an equivalent caller-invertible image sufficient to derive $M$) in non-KeyBox state, which contradicts the hardened/minimal-profile design point.
3. Publish commitment-shaped material with a publicly verifiable certificate that deterministically yields $M$. USV implements exactly this: from $(C, \zeta)$ anyone can compute the unique public opening $M = \mathsf{Open}_M(\mathsf{pp}, C, \zeta)$, while $m$ remains non-exportable.

Least-privilege motivation (why Option 1 may be disallowed). This restriction can arise in deployments where the protocol principal is authorized to use a non-exportable asymmetric key (e.g., sign/derive) but is explicitly denied the separate capability to retrieve its public key.⁴ This is an interface/profile assumption, not a claim that KeyBoxes in general cannot export public points. For the formal necessity statement for the commit-only alternative, see Section 8.2 (p. 51) (Lemma 15 (p. 52)).

5.2 An Instantiation

Let $\mathcal{R}_{\mathsf{pp}} := \{ (C, (M, R)) \in \mathbb{G}^3 : C = M + R \}$, and define the DLEQ relation
$$\mathcal{R}_{\mathsf{DLEQ}} := \{ ((\mathsf{pp}, A, B), r) : (A, B) \in \mathcal{X}_{\mathsf{DLEQ}} \;\wedge\; r \in \mathbb{Z}_p^* \;\wedge\; A = rG \;\wedge\; B = rH \}.$$
Let $\Pi_{\mathsf{DLEQ}}$ be the UC-NIZK-AoK (via optimized Fischlin in the gRO-CRP model; see Section 6 (p. 35)) for $\mathcal{R}_{\mathsf{DLEQ}}$. We instantiate $\Pi_{\mathsf{DLEQ}}$ in the dedicated context $\mathsf{ctx}_{\mathsf{DLEQ}} \in \mathsf{Ctx}_p$, which is disjoint from $\mathsf{ctx}_{\mathsf{UC}}$ and $\mathsf{ctx}_{\mathsf{KeyBox}}$. Concrete algorithms for an instantiation follow:
– $\mathsf{Cert}(\mathsf{pp}, m)$: on input $m \leftarrow_\$ \mathbb{Z}_p^*$, sample $r \leftarrow_\$ \mathbb{Z}_p^* \setminus \{-m\}$. Set $M := mG$, $R := rH$, $C := M + R$, $\nu := m r^{-1} \bmod p$, and $\upsilon := (m + r)G$. Define $A := \upsilon - M$ and $B := C - M$. Compute $\pi_{\mathsf{DLEQ}} \leftarrow \mathsf{P}_{\mathsf{DLEQ}}(\mathsf{pp}, (A, B), r)$ and output $\zeta := (\nu, \upsilon, \pi_{\mathsf{DLEQ}})$ together with $C$. Erase $m, r$.
– $\mathsf{Derive}(\mathsf{pp}, C, \zeta)$: parse $\zeta = (\nu, \upsilon, \pi_{\mathsf{DLEQ}})$. If $\nu = -1 \bmod p$, output $\bot$. Else set $M := \frac{\nu}{\nu+1}\,\upsilon$ and $R := C - M$, and output $\Upsilon := (M, R)$.
– $\mathsf{PubOpen}(\mathsf{pp}, \Upsilon)$: parse $\Upsilon = (M, R)$ and output $M$. If parsing fails, output $\bot$.
– $\mathsf{V}_{\mathsf{cert}}(\mathsf{pp}, C, \zeta)$: parse $\zeta = (\nu, \upsilon, \pi_{\mathsf{DLEQ}})$. Compute $\Upsilon \leftarrow \mathsf{Derive}(\mathsf{pp}, C, \zeta)$; if $\Upsilon = \bot$, output $0$. Else parse $\Upsilon = (M, R)$ and set $A := \upsilon - M$ and $B := C - M$. Output $1$ iff $\mathsf{V}_{\mathsf{DLEQ}}(\mathsf{pp}, (A, B), \pi_{\mathsf{DLEQ}}) = 1$.
– $\mathsf{Open}(\mathsf{pp}, C, \zeta)$: $\mathsf{Open}(\mathsf{pp}, C, \zeta) := \mathsf{Derive}(\mathsf{pp}, C, \zeta)$ if $\mathsf{V}_{\mathsf{cert}}(\mathsf{pp}, C, \zeta) = 1$, and $\bot$ otherwise.

Properties of the USV certificate scheme
– Correctness: For honest generation, $\upsilon = (m + r)G$ and $\nu = m r^{-1}$. Hence
$$\frac{\nu}{\nu+1}\,\upsilon = \frac{m r^{-1}}{m r^{-1} + 1}\,(m + r)G = \frac{m}{m + r}\,(m + r)G = mG,$$
and $R = C - M$. Therefore $\mathsf{V}_{\mathsf{cert}}(\mathsf{pp}, C, \zeta) = 1$ and $\mathsf{Open}(\mathsf{pp}, C, \zeta) = (M, R) \in \mathcal{R}_{\mathsf{pp}}$.
– Unique verified opening: For any fixed $(C, \zeta)$, $\mathsf{Derive}(\mathsf{pp}, C, \zeta)$ is deterministic, so there is at most one candidate opening $\Upsilon$ it can output. Moreover, whenever $\mathsf{Open}(\mathsf{pp}, C, \zeta) \neq \bot$, we have $\mathsf{Open}(\mathsf{pp}, C, \zeta) = \mathsf{Derive}(\mathsf{pp}, C, \zeta) = (M, R)$ with $M = \frac{\nu}{\nu+1}\,\upsilon$ uniquely determined (since $\nu \neq -1$), which in turn uniquely determines $R = C - M$.
– Straight-line verified public extraction: Extraction of the public opening is $\mathsf{Open}(\mathsf{pp}, C, \zeta)$. It is deterministic, uses no trapdoor, and is non-rewinding.
– Opening-conditional tag simulatability: Given $(C, \Upsilon)$ with $\Upsilon = (M, R)$ and $(C, \Upsilon) \in \mathcal{R}_{\mathsf{pp}}$: sample $\bar\nu \leftarrow_\$ \mathbb{Z}_p^* \setminus \{-1\}$ and set $\bar\upsilon := (1 + \bar\nu^{-1})M$. Define $\bar A := \bar\upsilon - M$ and $\bar B := C - M$. Compute $\bar\pi_{\mathsf{DLEQ}} \leftarrow \mathsf{Sim}_{\mathsf{DLEQ}}(\mathsf{pp}, (\bar A, \bar B))$ using the UC-NIZK simulator, and output $\tilde\zeta := (\bar\nu, \bar\upsilon, \bar\pi_{\mathsf{DLEQ}})$. Note that for a random $\bar\nu$, the derived instance $(\bar A, \bar B)$ need not lie in $\mathcal{R}_{\mathsf{DLEQ}}$.

⁴ Concretely, several cloud KMS products gate "get public key" behind distinct permissions; e.g., AWS KMS kms:GetPublicKey [1], Google Cloud KMS cloudkms.cryptoKeyVersions.viewPublicKey [35], and Azure Key Vault, where get reads the public part of a key [50].
Accordingly, the simulator relies on the NIZK simulator to produce an accepting proof even for off-language statements, and indistinguishability holds under the DDLEQ assumption; see Lemma 7 (p. 31). By construction, $\mathsf{Derive}(\mathsf{pp}, C, \tilde\zeta) = (M, R)$, and thus $\mathsf{Open}(\mathsf{pp}, C, \tilde\zeta) = \Upsilon$ whenever $\mathsf{V}_{\mathsf{cert}}(\mathsf{pp}, C, \tilde\zeta) = 1$.

Lemma 7 (Opening-conditional tag simulatability). Assume DDLEQ hardness and that the Fischlin-based UC-NIZK $\Pi_{\mathsf{DLEQ}}$ in the gRO-CRP model has the universal simulation interface and straight-line extraction guarantees of Lemma 6 (p. 26). Then the simulator $\mathsf{Sim}_{\mathsf{cert}}$ satisfies Item 3 (opening-conditional tag simulatability) of Definition 16 (p. 27).

Proof. Fix $\lambda$ and let $\mathcal{D}$ be any PPT distinguisher. We compare the following two experiments, both of which output a tuple $(\mathsf{pp}, C, \Upsilon, \zeta)$ with $\Upsilon = (M, R)$.

Experiment $\mathsf{RealTag}(1^\lambda)$:
1. Sample $\mathsf{pp} \leftarrow \mathsf{Setup}(1^\lambda, \pounds)$, $m \leftarrow_\$ \mathbb{Z}_p^*$, and $r \leftarrow_\$ \mathbb{Z}_p^* \setminus \{-m\}$.
2. Define $M := mG$, $R := rH$, $C := M + R$, $\nu := m r^{-1} \bmod p$, $\upsilon := (m + r)G$, $A := \upsilon - M$, and $B := C - M$.
3. Compute $\pi_{\mathsf{DLEQ}} \leftarrow \mathsf{P}_{\mathsf{DLEQ}}(\mathsf{pp}, (A, B), r)$ and set $\zeta := (\nu, \upsilon, \pi_{\mathsf{DLEQ}})$. Output $(\mathsf{pp}, C, \Upsilon, \zeta)$ where $\Upsilon := (M, R)$.

Experiment $\mathsf{SimTag}(1^\lambda)$:
1. Sample $\mathsf{pp} \leftarrow \mathsf{Setup}(1^\lambda, \pounds)$, $m \leftarrow_\$ \mathbb{Z}_p^*$, and $r \leftarrow_\$ \mathbb{Z}_p^* \setminus \{-m\}$.
2. Define $M := mG$, $R := rH$, $C := M + R$, and $\Upsilon := (M, R)$.
3. Sample $\bar\nu \leftarrow_\$ \mathbb{Z}_p^* \setminus \{-1\}$ and set $\bar\upsilon := (1 + \bar\nu^{-1})M$. Let $\bar A := \bar\upsilon - M$ and $\bar B := C - M$.
4. Compute $\bar\pi_{\mathsf{DLEQ}} \leftarrow \mathsf{Sim}_{\mathsf{DLEQ}}(\mathsf{pp}, (\bar A, \bar B))$ and set $\tilde\zeta := (\bar\nu, \bar\upsilon, \bar\pi_{\mathsf{DLEQ}})$. Output $(\mathsf{pp}, C, \Upsilon, \tilde\zeta)$.

We prove that $\left|\Pr[\mathcal{D}(\mathsf{RealTag}(1^\lambda)) = 1] - \Pr[\mathcal{D}(\mathsf{SimTag}(1^\lambda)) = 1]\right| \le \mathsf{negl}(\lambda)$.

Hybrid $\Game_0$: This is identical to $\mathsf{RealTag}$.

Hybrid $\Game_1$: Modify $\Game_0$ by replacing the real proof $\pi_{\mathsf{DLEQ}} \leftarrow \mathsf{P}_{\mathsf{DLEQ}}(\mathsf{pp}, (A, B), r)$ with a simulated proof $\tilde\pi_{\mathsf{DLEQ}} \leftarrow \mathsf{Sim}_{\mathsf{DLEQ}}(\mathsf{pp}, (A, B))$ for the same statement $(A, B)$. All other values are unchanged.
Since $(A, B)$ is a true DLEQ statement in $\Game_0$ (indeed $A = rG$ and $B = rH$), the zero-knowledge property of $\Pi_{\mathsf{DLEQ}}$ for true statements implies $\Game_0 \approx_c \Game_1$.

$\Game_1$ vs. $\mathsf{SimTag}$: Assume for contradiction that there exist a PPT distinguisher $\mathcal{D}$ and a non-negligible function $\epsilon(\lambda)$ such that $\Pr[\mathcal{D}(\Game_1(1^\lambda)) = 1] - \Pr[\mathcal{D}(\mathsf{SimTag}(1^\lambda)) = 1] \ge \epsilon(\lambda)$ for infinitely many $\lambda$. We construct a PPT distinguisher $\mathcal{B}$ for DDLEQ.

Distinguisher $\mathcal{B}$ (for DDLEQ): $\mathcal{B}$ receives $\mathsf{pp} = (G, H)$ and a challenge pair $(A^\star, B^\star) \in \mathbb{G} \times \mathbb{G}$ sampled as either $(A^\star, B^\star) = (rG, rH)$ (DDLEQ-true) for uniform $r \leftarrow \mathbb{Z}_p^*$, or $(A^\star, B^\star) = (\rho G, rH)$ (DDLEQ-false) for uniform independent $\rho, r \leftarrow \mathbb{Z}_p^*$. $\mathcal{B}$ performs:
1. Sample $\nu \leftarrow_\$ \mathbb{Z}_p^* \setminus \{-1\}$.
2. Define $M := \nu A^\star$, $R := B^\star$, $C := M + R$, and $\upsilon := M + A^\star$. Compute $\pi_{\mathsf{DLEQ}} \leftarrow \mathsf{Sim}_{\mathsf{DLEQ}}(\mathsf{pp}, (A^\star, B^\star))$.
3. Output $\mathcal{B}$'s guess as $\mathcal{D}(\mathsf{pp}, C, (M, R), (\nu, \upsilon, \pi_{\mathsf{DLEQ}}))$.

We claim that the distribution fed to $\mathcal{D}$ by $\mathcal{B}$ matches $\Game_1$ in the DDLEQ-true case, and matches $\mathsf{SimTag}$ up to negligible statistical distance in the DDLEQ-false case.

DDLEQ-true case: Here $(A^\star, B^\star) = (rG, rH)$ for uniform $r \in \mathbb{Z}_p^*$. $\mathcal{B}$ samples $\nu \in \mathbb{Z}_p^* \setminus \{-1\}$ and sets $M = \nu r G$, $R = rH$, $C = M + R$, and $\upsilon = M + rG = (\nu + 1) r G$. Let $m := \nu r \bmod p$; then $M = mG$, $\upsilon = (m + r)G$ and $\nu = m r^{-1}$. Moreover, $r = -m$ would imply $\nu = -1$, which is excluded; thus the support condition $r \in \mathbb{Z}_p^* \setminus \{-m\}$ holds automatically. Finally, the proof is generated as $\mathsf{Sim}_{\mathsf{DLEQ}}(\mathsf{pp}, (A^\star, B^\star)) = \mathsf{Sim}_{\mathsf{DLEQ}}(\mathsf{pp}, (rG, rH))$, which is exactly the proof distribution in $\Game_1$. Hence the output distribution is identical to $\Game_1$.

DDLEQ-false case: Here $(A^\star, B^\star) = (\rho G, rH)$ for independent uniform $\rho, r \in \mathbb{Z}_p^*$. $\mathcal{B}$ samples $\nu \in \mathbb{Z}_p^* \setminus \{-1\}$ and defines $M = \nu\rho G$, $R = rH$, and $\upsilon = M + \rho G$. Let $m := \nu\rho \bmod p$.
Then $M = mG$, and also $A^\star = \rho G = \nu^{-1} M$ and $\upsilon = M + A^\star = (1 + \nu^{-1})M$, so the tuple $(\nu, \upsilon)$ is distributed exactly as in $\mathsf{SimTag}$, and the proof is generated by the same simulator $\mathsf{Sim}_{\mathsf{DLEQ}}$. The only difference from $\mathsf{SimTag}$ is that $\mathsf{SimTag}$ samples $r \leftarrow \mathbb{Z}_p^* \setminus \{-m\}$, whereas here $r \leftarrow \mathbb{Z}_p^*$ independently of $m$. These two $r$-distributions differ by statistical distance at most $\Pr[r = -m] \le \frac{1}{p-1}$, which is negligible in $\lambda$ since $p$ is exponential in $\lambda$. Therefore the DDLEQ-false output distribution is negligibly close to $\mathsf{SimTag}$.

Thus $\mathcal{B}$ distinguishes DDLEQ-true from DDLEQ-false with advantage at least $\epsilon(\lambda) - \mathsf{negl}(\lambda)$, contradicting DDLEQ hardness. Hence $\Game_1 \approx_c \mathsf{SimTag}$. Combining $\Game_0 \approx_c \Game_1$ (ZK) and $\Game_1 \approx_c \mathsf{SimTag}$ (DDLEQ) yields $\mathsf{RealTag} \approx_c \mathsf{SimTag}$, as required. ■

Remark 13 (Status of opening-conditional tag simulatability). Lemma 7 (p. 31) proves a stronger interface than what our UC hybrids need: no UC proof in this paper requires fabricating an accepting USV tag $\zeta$ for a fixed commitment $C$ without knowing a witness. Consequently, the UC simulators constructed for Theorems 2 (p. 34) and 3 (p. 54) never call the DLEQ proof simulator and never program $\mathsf{ctx}_{\mathsf{DLEQ}}$. We retain the lemma because it is a natural property of USV as a standalone primitive and is useful for other compositions (e.g., "commit now, open-to-$M$ later" designs under NXK).

Lemma 8 (Equivocation resistance of the USV instantiation). Assume further that the embedded proof system $\Pi_{\mathsf{DLEQ}}$ used inside $\mathsf{V}_{\mathsf{cert}}$ is a NIZK-AoK for $\mathcal{R}_{\mathsf{DLEQ}}$ in the gRO-CRP model with an online extractor $\mathsf{Ext}_{\mathsf{DLEQ}}$ (as in Section 6 (p. 35)). Then, under the DL assumption, the USV certificate scheme of Section 5.2 (p. 30) is equivocation resistant (Definition 18 (p. 28)).

Proof. Fix any PPT adversary $\mathcal{A}$. We construct a PPT algorithm $\mathcal{B}$ that, given $\mathsf{pp} = (\mathbb{G}, p, G, H)$, outputs $x \in \mathbb{Z}_p$ such that $H = xG$ with probability $\Pr[\mathsf{Exp}^{\mathsf{eqv}}_{\mathcal{A}}(1^\lambda) = 1] - \mathsf{negl}(\lambda)$.
Since DL is assumed hard, this forces $\mathsf{Adv}^{\mathsf{eqv}}_{\mathcal{A}}(\lambda) \le \mathsf{negl}(\lambda)$.

Algorithm $\mathcal{B}^{\mathcal{A}}(\mathsf{pp})$. $\mathcal{B}$ internally simulates the equivocation experiment for $\mathcal{A}$:
1. Give $\mathsf{pp}$ to $\mathcal{A}$ and answer $\mathcal{A}$'s gRO-CRP queries by lazy sampling, while recording the complete query/answer log $\mathsf{Log}_{\mathcal{A}}$ under each DLEQ-proof context.
2. Receive $(C, \zeta, \zeta')$ from $\mathcal{A}$, where $\zeta = (\nu, \upsilon, \pi_{\mathsf{DLEQ}})$ and $\zeta' = (\nu', \upsilon', \pi'_{\mathsf{DLEQ}})$.
3. Compute $\Upsilon \leftarrow \mathsf{Derive}(\mathsf{pp}, C, \zeta)$ and $\Upsilon' \leftarrow \mathsf{Derive}(\mathsf{pp}, C, \zeta')$. If either is $\bot$, output $\bot$. Otherwise parse $\Upsilon = (M, R)$ and $\Upsilon' = (M', R')$.
4. If $\mathsf{V}_{\mathsf{cert}}(\mathsf{pp}, C, \zeta) = 0$ or $\mathsf{V}_{\mathsf{cert}}(\mathsf{pp}, C, \zeta') = 0$, output $\bot$. If $M = M'$, output $\bot$.
5. Define $A := \upsilon - M$, $B := C - M$, $A' := \upsilon' - M'$, and $B' := C - M'$.
6. Run the AoK extractor to obtain witnesses: $r \leftarrow \mathsf{Ext}_{\mathsf{DLEQ}}(\mathsf{pp}, (A, B), \pi_{\mathsf{DLEQ}}; \mathsf{Log}_{\mathcal{A}})$ and $r' \leftarrow \mathsf{Ext}_{\mathsf{DLEQ}}(\mathsf{pp}, (A', B'), \pi'_{\mathsf{DLEQ}}; \mathsf{Log}_{\mathcal{A}})$. If either extraction fails (outputs $\bot$), or the extracted values do not satisfy $A = rG$, $B = rH$ and $A' = r'G$, $B' = r'H$, output $\bot$.
7. Compute $m := \nu r \bmod p$ and $m' := \nu' r' \bmod p$.
8. Compute $\hat r := r' - r \bmod p$. If $\hat r = 0$, output $\bot$. Otherwise output $x := (m - m') \cdot \hat r^{-1} \bmod p$.

Assume $\mathcal{A}$ wins, i.e., $\mathsf{V}_{\mathsf{cert}}(\mathsf{pp}, C, \zeta) = \mathsf{V}_{\mathsf{cert}}(\mathsf{pp}, C, \zeta') = 1$ and $M \neq M'$, where $\mathsf{Derive}(\mathsf{pp}, C, \zeta) = (M, R)$ and $\mathsf{Derive}(\mathsf{pp}, C, \zeta') = (M', R')$. Since $\mathsf{V}_{\mathsf{cert}}(\mathsf{pp}, C, \zeta) = 1$, it follows that $\nu \neq -1 \bmod p$. Moreover, by definition of $\mathsf{V}_{\mathsf{cert}}$ and our setting of $(A, B)$, we have $\mathsf{V}_{\mathsf{DLEQ}}(\mathsf{pp}, (A, B), \pi_{\mathsf{DLEQ}}) = 1$. By the NIZK-AoK property, except with negligible probability the extractor returns a witness $r \in \mathbb{Z}_p^*$ such that $A = rG$ and $B = rH$. Similarly, except with negligible probability, the extractor returns $r' \in \mathbb{Z}_p^*$ such that $A' = r'G$ and $B' = r'H$.
Using $\mathsf{Derive}$'s defining equations, for $\zeta = (\nu, \upsilon, \pi_{\mathsf{DLEQ}})$ we have $M = \frac{\nu}{\nu+1}\,\upsilon$, hence $A = \upsilon - M = \frac{1}{\nu+1}\,\upsilon$, so $\upsilon = (\nu + 1)A$ and therefore
$$M = \frac{\nu}{\nu+1}\,\upsilon = \nu A = \nu r G = mG, \qquad \text{where } m := \nu r \bmod p.$$
Likewise $M' = m'G$ where $m' := \nu' r' \bmod p$. Also, by definition, $B = C - M = rH$ and $B' = C - M' = r'H$, so we obtain two decompositions of $C$:
$$C = M + rH = mG + rH \qquad\text{and}\qquad C = M' + r'H = m'G + r'H.$$
Subtracting yields $(m - m')G = (r' - r)H$. Since $M \neq M'$ and the map $z \mapsto zG$ is a bijection on $\mathbb{Z}_p$ (prime-order group), we have $m \neq m'$. Therefore the above equality implies $r' \neq r$ (otherwise $(m - m')G = 0$ would force $m = m'$). Hence $\hat r := r' - r \in \mathbb{Z}_p^*$ is invertible, and the value $x := (m - m') \cdot \hat r^{-1} \bmod p$ satisfies $xG = H$. $\mathcal{B}$ outputs such an $x$ whenever $\mathcal{A}$ wins the equivocation experiment and both extractor invocations succeed. The extractor failure probability is negligible by the AoK guarantee. Thus $\mathcal{B}$ solves the DL instance $(G, H)$ with probability $\mathsf{Adv}^{\mathsf{eqv}}_{\mathcal{A}}(\lambda) - \mathsf{negl}(\lambda)$. Since this must be negligible, $\mathsf{Adv}^{\mathsf{eqv}}_{\mathcal{A}}(\lambda) \le \mathsf{negl}(\lambda)$. ■

5.3 UC Security

We model certificates with a handle-bound ideal functionality that stores the verified opening implied by $(C, \zeta)$, namely the (unique) value returned by $\mathsf{Open}(\mathsf{pp}, C, \zeta)$, and binds a handle to $(C, M)$ via a gRO-CRP receipt digest, where $M := \mathsf{Open}_M(\mathsf{pp}, C, \zeta)$ is the verified public opening implied by $(C, \zeta)$. In our applications, each USV handle is intended for a single committer–verifier pair. Accordingly, we define $\mathcal{F}_{\mathsf{USV}}$ (Fig. 5 (p. 34)) so that each handle is scoped to both endpoints: $\mathcal{F}_{\mathsf{USV}}$ maintains independent state keyed by $(\mathsf{sid}, \mathsf{cid}, P_s, P_r)$.
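The USV instantiation of Section 5.2 ($\mathsf{Cert}$, $\mathsf{Derive}$, $\mathsf{PubOpen}$, $\mathsf{V}_{\mathsf{cert}}$, $\mathsf{Open}$) together with steps 7–8 of the reduction $\mathcal{B}$ in the proof of Lemma 8, as an added worked example; this is not the paper's code. It assumes secp256k1 as the prime-order group (its order $N$ plays the role of $p$), derives the second generator $H$ by hash-to-curve so that its discrete log is unknown, and stands in for the Fischlin-compiled $\Pi_{\mathsf{DLEQ}}$ with a Fiat–Shamir Chaum–Pedersen proof under a fixed domain-separation string in place of $\mathsf{ctx}_{\mathsf{DLEQ}}$. Because Fiat–Shamir has no online extractor, the extraction helper takes the DLEQ witnesses $r, r'$ as inputs instead of recovering them from an oracle log.

```python
"""USV certificate scheme (Sect. 5.2) over secp256k1 -- added example, not the paper's code."""
import hashlib
import secrets

# secp256k1 (standard constants). Cofactor 1, so the curve group is the prime-order
# group of the paper, with the order N playing the role of p in pp = (G, p, G, H).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (0G)
CTX_DLEQ = b"ctx_DLEQ|"  # assumption: Fiat-Shamir domain separator standing in for ctx_DLEQ

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; INF is the identity."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt, with k taken mod N."""
    acc, k = INF, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sub(p1, p2):
    return add(p1, INF if p2 is INF else (p2[0], (-p2[1]) % P))

def hash_to_point(label):
    """Second generator with unknown DL: try-and-increment on SHA-256 (P = 3 mod 4)."""
    for ctr in range(1 << 16):
        x = int.from_bytes(hashlib.sha256(label + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
    raise RuntimeError("hash_to_point: no point found")

H = hash_to_point(b"USV second generator")

def challenge(A, B, J1, J2):
    """Fiat-Shamir challenge over the DLEQ statement and first message (non-identity points)."""
    data = b"".join(x.to_bytes(32, "big") + y.to_bytes(32, "big") for x, y in (A, B, J1, J2))
    return int.from_bytes(hashlib.sha256(CTX_DLEQ + data).digest(), "big") % N

def dleq_prove(A, B, r):
    """Chaum-Pedersen proof of A = rG, B = rH (Fiat-Shamir here; the paper uses Fischlin)."""
    j = secrets.randbelow(N - 1) + 1
    J1, J2 = mul(j, G), mul(j, H)
    e = challenge(A, B, J1, J2)
    return (J1, J2, e, (j + e * r) % N)

def dleq_verify(A, B, pi):
    J1, J2, e, z = pi
    if INF in (A, B, J1, J2):  # reject 0G statements, as the Sigma-protocol verifier does
        return False
    if e != challenge(A, B, J1, J2):
        return False
    return mul(z, G) == add(J1, mul(e, A)) and mul(z, H) == add(J2, mul(e, B))

def cert(m, r=None):
    """Cert(pp, m) -> (C, zeta), zeta = (nu, upsilon, pi_DLEQ); a KeyBox erases m, r afterwards."""
    while r is None or (r + m) % N == 0:  # r != -m keeps nu != -1 and upsilon != 0G
        r = secrets.randbelow(N - 1) + 1
    M, R = mul(m, G), mul(r, H)
    C = add(M, R)
    nu = m * pow(r, -1, N) % N             # nu = m * r^-1
    ups = mul(m + r, G)                    # upsilon = (m + r)G
    A, B = sub(ups, M), sub(C, M)          # A = rG, B = rH
    return C, (nu, ups, dleq_prove(A, B, r))

def derive(C, zeta):
    """Derive(pp, C, zeta) = (M, R) with M = nu/(nu+1) * upsilon, R = C - M; None if nu = -1."""
    nu, ups, _ = zeta
    if (nu + 1) % N == 0:
        return None
    M = mul(nu * pow(nu + 1, -1, N), ups)
    return (M, sub(C, M))

def vcert(C, zeta):
    """V_cert: rebuild (A, B) from the derived opening and check the embedded DLEQ proof."""
    opening = derive(C, zeta)
    return opening is not None and dleq_verify(sub(zeta[1], opening[0]), sub(C, opening[0]), zeta[2])

def open_m(C, zeta):
    """Open_M(pp, C, zeta): the transcript-defined public point M, or None if V_cert fails."""
    return derive(C, zeta)[0] if vcert(C, zeta) else None

def extract_dlog(nu1, r1, nu2, r2):
    """Steps 7-8 of B (proof of Lemma 8): from two verifying tags on one C with different
    openings and their DLEQ witnesses r, r', output x with H = xG (None if r' = r)."""
    m1, m2 = nu1 * r1 % N, nu2 * r2 % N    # m = nu * r
    r_hat = (r2 - r1) % N
    return None if r_hat == 0 else (m1 - m2) * pow(r_hat, -1, N) % N
```

`open_m` is the straight-line public extraction the transcript relies on: it uses no trapdoor and no rewinding, only `derive` and the proof check. The scalar `m` is never returned by any function, which mirrors the KeyBox boundary. `extract_dlog` is the only place a trapdoor appears, and it is exactly the one Lemma 8 says an equivocating adversary would hand to the DL solver.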
This prevents a party $P'_s \neq P_s$ from invalidating another sender's handle by reusing the same $(\mathsf{sid}, \mathsf{cid})$ toward the same relying party $P_r$, while still keeping state recipient-local (so a corrupted committer may equivocate across different relying parties, as in the real protocol). In $\mathcal{F}_{\mathsf{USV}}$, sending $d$ to $\mathsf{Sim}$ is only for bookkeeping convenience, since $d$ is deterministic and efficiently computable from the committed tuple and the (global) gRO-CRP oracle.

Remark 14 (Game-based equivocation vs. UC-level non-malleability). Lemma 8 (p. 32) is a standalone game-based statement about the USV certificate scheme itself: it rules out producing two verifying tags for the same commitment $C$ that induce different public openings. In the UC setting, the relevant "no substitution under a fixed handle" guarantee is instead enforced by $\mathcal{F}_{\mathsf{USV}}$'s receipt binding in the non-programmable context $\mathsf{USV.rcpt} \in \mathsf{Ctx}_{np}$ and captured by Lemma 9 (p. 33) (handle-bound non-malleability), which is what the UC proof of Theorem 2 (p. 34) relies on.

Lemma 9 (Handle-bound non-malleability). Let $M := \mathsf{Open}_M(\mathsf{pp}, C, \zeta) \neq \bot$ be the USV opening for the honest commit, and let $d := H(\mathsf{USV.rcpt}, \langle \mathsf{sid}, \mathsf{cid}, P_s, P_r, C, M\rangle)$. Then for every $(C', \zeta')$ such that $M' := \mathsf{Open}_M(\mathsf{pp}, C', \zeta') \neq \bot$ and $(C', M') \neq (C, M)$,
$$\Pr\!\left[\mathcal{F}_{\mathsf{USV}}.\mathsf{Verify}(\mathsf{sid}, \mathsf{cid}, P_s, C', \zeta') = 1\right] \le \mathsf{negl}(\lambda).$$

Proof Sketch. Let $H_{\mathsf{rcpt}}(u) := H(\mathsf{USV.rcpt}, u)$. Fix the honest receipt input $u := \langle \mathsf{sid}, \mathsf{cid}, P_s, P_r, C, M\rangle$ and receipt $d := H_{\mathsf{rcpt}}(u)$. For any $(C', \zeta')$ with $(C', M') \neq (C, M)$, injectivity of $\langle\cdot\rangle$ implies that $u' := \langle \mathsf{sid}, \mathsf{cid}, P_s, P_r, C', M'\rangle \neq u$. (If $(C', M') = (C, M)$ with $\zeta' \neq \zeta$, then $u' = u$ and $\mathsf{Verify}$ accepts; this is not a substitution of the bound pair and is excluded by the hypothesis.) A successful substitution (i.e., $\mathcal{F}_{\mathsf{USV}}.\mathsf{Verify}(\mathsf{sid}, \mathsf{cid}, P_s, C', \zeta') = 1$) therefore implies a second preimage for the fixed target input $u$, namely $H_{\mathsf{rcpt}}(u') = H_{\mathsf{rcpt}}(u) = d$ with $u' \neq u$.
Fig. 5: Two-party USV certificate functionality $\mathcal{F}_{\mathsf{USV}}$ with gRO-CRP receipt binding and verified openings.
♦ State: table $T$ indexed by $(\mathsf{sid}, \mathsf{cid}, P_s, P_r)$ with entries $(M, d, \mathsf{status})$, where $M \in \mathbb{G} \cup \{\bot\}$, $d \in \{0,1\}^\lambda$, and $\mathsf{status} \in \{\mathsf{pending}, \mathsf{invalid}\}$.
♦ Upon receiving $(\mathsf{Commit}, \mathsf{sid}, \mathsf{cid}, P_r, C, \zeta)$ from party $P_s$:
– Compute the verified public opening $M^\star := \mathsf{Open}_M(\mathsf{pp}, C, \zeta) = \mathsf{PubOpen}(\mathsf{pp}, \mathsf{Open}(\mathsf{pp}, C, \zeta)) \in \mathbb{G} \cup \{\bot\}$. Compute the receipt digest $d := H(\mathsf{USV.rcpt}, \langle \mathsf{sid}, \mathsf{cid}, P_s, P_r, C, M^\star\rangle)$, where $\mathsf{USV.rcpt} \in \mathsf{Ctx}_{np}$.
– If $(\mathsf{sid}, \mathsf{cid}, P_s, P_r) \in \mathsf{dom}(T)$, set $T[\mathsf{sid}, \mathsf{cid}, P_s, P_r].\mathsf{status} \leftarrow \mathsf{invalid}$, send $(\mathsf{receipt}, \mathsf{sid}, \mathsf{cid}, P_r, d)$ to $P_s$ and $\mathsf{Sim}$, and return.
– If $M^\star = \bot$, store $T[\mathsf{sid}, \mathsf{cid}, P_s, P_r] \leftarrow (\bot, d, \mathsf{invalid})$.
– Otherwise store $T[\mathsf{sid}, \mathsf{cid}, P_s, P_r] \leftarrow (M^\star, d, \mathsf{pending})$.
– Send $(\mathsf{receipt}, \mathsf{sid}, \mathsf{cid}, P_r, d)$ to $P_s$ and $\mathsf{Sim}$.
♦ Upon receiving $(\mathsf{Verify}, \mathsf{sid}, \mathsf{cid}, P_s, C, \zeta)$ from party $P_r$:
– If $(\mathsf{sid}, \mathsf{cid}, P_s, P_r) \notin \mathsf{dom}(T)$, return $\bot$. If $T[\mathsf{sid}, \mathsf{cid}, P_s, P_r].\mathsf{status} = \mathsf{invalid}$, return $0$.
– Let $(M, d, \mathsf{pending}) := T[\mathsf{sid}, \mathsf{cid}, P_s, P_r]$. Compute $M' := \mathsf{Open}_M(\mathsf{pp}, C, \zeta)$. Return $1$ iff $M' \neq \bot \;\wedge\; M' = M \;\wedge\; H(\mathsf{USV.rcpt}, \langle \mathsf{sid}, \mathsf{cid}, P_s, P_r, C, M'\rangle) = d$; else return $0$.
♦ Upon receiving $(\mathsf{Open}, \mathsf{sid}, \mathsf{cid}, P_s)$ from party $P_r$: if $(\mathsf{sid}, \mathsf{cid}, P_s, P_r) \notin \mathsf{dom}(T)$ or $T[\mathsf{sid}, \mathsf{cid}, P_s, P_r].\mathsf{status} = \mathsf{invalid}$, send $(\mathsf{abort}, \mathsf{sid}, \mathsf{cid})$ to $P_r$ and $\mathsf{Sim}$; else send $(\mathsf{Open}, \mathsf{sid}, \mathsf{cid}, T[\mathsf{sid}, \mathsf{cid}, P_s, P_r].M)$ to $P_r$ and $\mathsf{Sim}$.

In the random-oracle/gRO-CRP model, suppose the adversary makes at most $Q = \mathsf{poly}(\lambda)$ queries to $H_{\mathsf{rcpt}}$ before the $\mathsf{Verify}$ call. The $\mathsf{Verify}$ procedure itself evaluates $H_{\mathsf{rcpt}}(u')$ once. Hence $\Pr[H_{\mathsf{rcpt}}(u') = d] \le \frac{Q+1}{|\mathcal{Y}|}$ (in particular $\le (Q+1)/2^\lambda$ when $|\mathcal{Y}| = 2^\lambda$), which is negligible. ■

The PPT simulator $\mathsf{Sim}$ only needs $\mathsf{pp}$.
In the ideal world, on receiving each $(\mathsf{Commit}, \mathsf{sid}, \mathsf{cid}, P_r, C, \zeta)$, $\mathcal{F}_{\mathsf{USV}}$ computes the receipt $d := H(\mathsf{USV.rcpt}, \langle \mathsf{sid}, \mathsf{cid}, P_s, P_r, C, M\rangle)$ and stores the public opening $M := \mathsf{Open}_M(\mathsf{pp}, C, \zeta)$ only if the certificate verifies, i.e., only if $\mathsf{V}_{\mathsf{cert}}(\mathsf{pp}, C, \zeta) = 1$. When a party is adaptively corrupted after a successful $\mathsf{Commit}$, $\mathsf{Sim}$ reconstructs $\Upsilon$ deterministically as $\mathsf{Open}(\mathsf{pp}, C, \zeta)$. This matches the real world, since the verified opening is a fixed deterministic function of $(C, \zeta)$.

Theorem 2 (UC security of $\mathcal{F}_{\mathsf{USV}}$). Let $\Pi_{\mathsf{USV}}$ denote the concrete protocol that implements the interfaces of Fig. 5 (p. 34) using the USV algorithms $(\mathsf{Cert}, \mathsf{V}_{\mathsf{cert}}, \mathsf{Derive}, \mathsf{PubOpen})$ and the receipt digest $H(\mathsf{USV.rcpt}, \langle \mathsf{sid}, \mathsf{cid}, P_s, P_r, C, M\rangle)$, where $M := \mathsf{Open}_M(\mathsf{pp}, C, \zeta)$, in context $\mathsf{USV.rcpt} \in \mathsf{Ctx}_{np}$. Then $\Pi_{\mathsf{USV}}$ UC-realizes $\mathcal{F}_{\mathsf{USV}}$ in the $(\mathcal{F}_{\mathsf{channel}}, \text{gRO-CRP})$-hybrid model; i.e., for every PPT adversary $\mathcal{A}$ there exists a PPT simulator $\mathsf{Sim}$ such that for every PPT environment $\mathcal{Z}$,
$$\mathsf{Exec}(\Pi_{\mathsf{USV}}, \mathcal{A}, \mathcal{Z}, \lambda) \approx_c \mathsf{Ideal}(\mathcal{F}_{\mathsf{USV}}, \mathsf{Sim}, \mathcal{Z}, \lambda).$$

Proof. Fix any PPT adversary $\mathcal{A}$ and PPT environment $\mathcal{Z}$. We construct a PPT simulator $\mathsf{Sim}$ and employ the following sequence of hybrids:
– Hybrid $\Game_0$ (real execution): Parties generate $(C, \zeta)$ via $\mathsf{Cert}$, broadcast them, and generate the receipt $d = H(\mathsf{USV.rcpt}, \langle \mathsf{sid}, \mathsf{cid}, P_s, P_r, C, M\rangle)$, where $M := \mathsf{Open}_M(\mathsf{pp}, C, \zeta)$.
– Hybrid $\Game_1$ (syntactic resampling / explicit $\mathsf{Cert}$ randomness): Proceed identically to $\Game_0$, except that for each honest certificate we (re-)sample the full random tape of $\mathsf{Cert}$ and re-evaluate it. Concretely, we sample $r \leftarrow_\$ \mathbb{Z}_p^* \setminus \{-m\}$ together with the internal randomness used by the randomized prover $\mathsf{P}_{\mathsf{DLEQ}}$ (and hence by the Fischlin transform), and then compute $(C, \zeta)$ by running $\mathsf{Cert}(\mathsf{pp}, m)$ with that sampled randomness (and the fixed global oracle $H$).
All other external inputs and protocol randomness are unchanged. This is a purely syntactic refactoring of how $\mathsf{Cert}$'s coins are sampled, so $\Game_0 \stackrel{d}{=} \Game_1$.
– Hybrid $\Game_2$ (ideal execution; switch to $\mathcal{F}_{\mathsf{USV}}$ and $\mathsf{Sim}$): For each honest handle, $\mathcal{F}_{\mathsf{USV}}$ stores the same receipt $d = H(\mathsf{USV.rcpt}, \langle \mathsf{sid}, \mathsf{cid}, P_s, P_r, C, M\rangle)$. Since honest certificates verify, $\mathcal{F}_{\mathsf{USV}}$ stores $M := \mathsf{Open}_M(\mathsf{pp}, C, \zeta)$. By Lemma 9 (p. 33), any in-flight substitution under a fixed handle is detected in both worlds. Adaptive corruptions reveal identical internal states because the verified opening $\mathsf{Open}(\mathsf{pp}, C, \zeta)$ is public and deterministic. Hence $\Game_1 \approx_c \Game_2$, and therefore $\Game_0 \approx_c \Game_2$.
Interpreting $\Game_0$ as the real execution $\mathsf{Exec}(\Pi_{\mathsf{USV}}, \mathcal{A}, \mathcal{Z}, \lambda)$ and $\Game_2$ as the ideal execution $\mathsf{Ideal}(\mathcal{F}_{\mathsf{USV}}, \mathsf{Sim}, \mathcal{Z}, \lambda)$, we conclude $\mathsf{Exec}(\Pi_{\mathsf{USV}}, \mathcal{A}, \mathcal{Z}, \lambda) \approx_c \mathsf{Ideal}(\mathcal{F}_{\mathsf{USV}}, \mathsf{Sim}, \mathcal{Z}, \lambda)$. ■

The simulator in this UC proof never invokes $\mathsf{SimProgram}$ in $\mathsf{ctx}_{\mathsf{DLEQ}}$ (indeed it never needs to simulate USV/DLEQ proofs); it only forwards verifier oracle queries via $\mathsf{Query}$.

Broader applicability of USV. Although USV is introduced here to make the SDKG transcript "structure-complete" under NXK, the primitive is not specific to DKG: it turns a KeyBox-resident, non-exportable scalar into a transcript-defined public group element via a publicly verifiable certificate. As an orthogonal illustration, Appendix C (p. 66) shows how to build NXK-compatible commit–reveal randomness beacons using USV.

6 Enforcing Consistency via Straight-Line Extraction

Since $G$ generates $\mathbb{G}$, every $M \in \mathbb{G}$ can be written as $M = mG$ for some $m \in \mathbb{Z}_p$. Accordingly, for DL-style statements the relevant security notion in our use-cases is knowledge soundness (extractability of the witness), rather than language non-membership soundness. We use standard Schnorr (DL) and Chaum–Pedersen (DLEQ) $\Sigma$-protocols, which have special soundness and unique responses in prime-order groups.
Applying the optimized Fischlin transform in gRO-CRP yields UC-NIZK-AoKs with straight-line extractors for both relations. Define the NP relation
$$\mathcal{R}_{\mathsf{DL}} := \{ ((\mathsf{pp}, M), m) : m \in \mathbb{Z}_p \;\wedge\; M = mG \}.$$
We intentionally allow $m = 0$ (and hence $M = 0G$), since protocol-derived witnesses (e.g., affine-relation witnesses and derived shares) can be $0$ under adversarial choice. For the hardness assumption (Definition 6 (p. 16)) we sample $x \leftarrow \mathbb{Z}_p^*$ to avoid the trivial instance $X = 0G$; including $x = 0$ would change the success probability by at most $1/p = \mathsf{negl}(\lambda)$.

Tagged DL statements. To rule out replay/mauling of UC-context proofs across sessions, and to justify the use of simulation-extractability for fresh statements in concurrent executions, we bind every UC-context DL statement to the session identifier $\mathsf{sid}$ and a fixed label $\ell \in \{0,1\}^*$ describing the proof position. Concretely, we use the tagged relation
$$\mathcal{R}^{\mathsf{tag}}_{\mathsf{DL}} := \{ ((\mathsf{pp}, \mathsf{sid}, \ell, M), m) : m \in \mathbb{Z}_p \;\wedge\; M = mG \}.$$
In SDKG, every invocation of $\Pi^{\mathsf{UC}}_{\mathsf{DL}}$ is on a tagged statement of the form $x := \langle \mathsf{sid}, \ell, M\rangle$ (with $\mathsf{pp}$ implicit), so the Fischlin hash input in Definition 15 (p. 24) includes $(\mathsf{sid}, \ell)$ along with $M$. We slightly abuse notation and keep writing $\mathsf{P}_{\mathsf{DL}}$ and $\mathsf{V}_{\mathsf{DL}}$ for this tagged variant. In this section, all proof contexts are in $\mathsf{Ctx}_p$.

Given statement $(\mathsf{pp}, M)$ and witness $m$ such that $M = mG$, the standard Schnorr $\Sigma$-protocol for $\mathcal{R}_{\mathsf{DL}}$ is:
1. Commit: Prover samples $j \leftarrow_\$ \mathbb{Z}_p$ and sends $J := jG$.
2. Challenge: Verifier samples $e \leftarrow_\$ \{0,1\}^t$, interprets it as an integer $\bar e \in [0, 2^t - 1]$, embeds it into $\mathbb{Z}_p$ (e.g., require $2^t < p$), and sends $\bar e$ to the prover.
3. Response: Prover sends $z := j + \bar e \cdot m \bmod p$.
4. Verify: accept iff $zG = J + \bar e \cdot M$.
Special soundness holds since from two accepting transcripts $(J, \bar e, z)$ and $(J, \bar e', z')$ with $\bar e \neq \bar e'$ one extracts $m = (z - z')(\bar e - \bar e')^{-1} \bmod p$.

Lemma 10 (Unique responses for Schnorr). The Schnorr $\Sigma$-protocol for $\mathcal{R}_{\mathsf{DL}}$ has unique responses.

Proof Sketch. For fixed $(M, J, e)$, verification requires $zG = J + eM$ in a prime-order group. Since $G$ generates $\mathbb{G}$, this equation has a unique solution $z \in \mathbb{Z}_p$. ■

Recall the public parameters $\mathsf{pp} = (\mathbb{G}, p, G, H)$ and the NP relation
$$\mathcal{R}_{\mathsf{DLEQ}} := \{ ((\mathsf{pp}, A, B), r) : (A, B) \in \mathcal{X}_{\mathsf{DLEQ}} \;\wedge\; r \in \mathbb{Z}_p^* \;\wedge\; A = rG \;\wedge\; B = rH \}.$$

Chaum–Pedersen $\Sigma$-protocol for $\mathcal{R}_{\mathsf{DLEQ}}$. Given statement $(\mathsf{pp}, A, B)$ and witness $r$ such that $A = rG$ and $B = rH$, the Chaum–Pedersen $\Sigma$-protocol (with $t$-bit challenge) is:
1. Commit: Prover samples $j \leftarrow_\$ \mathbb{Z}_p$ and sends $J_1 := jG$ and $J_2 := jH$.
2. Challenge: Verifier samples $e \leftarrow_\$ \{0,1\}^t$, interprets it as $\bar e \in [0, 2^t - 1]$, embeds it into $\mathbb{Z}_p$ (e.g., require $2^t < p$), and sends $\bar e$.
3. Response: Prover sends $z := j + \bar e \cdot r \bmod p$.
4. Verify: reject if $A = 0G$ or $B = 0G$; otherwise accept iff $zG = J_1 + \bar e \cdot A$ and $zH = J_2 + \bar e \cdot B$.

Special soundness for Chaum–Pedersen: From any two accepting transcripts $(J_1, J_2, \bar e, z)$ and $(J_1, J_2, \bar e', z')$ with $\bar e \neq \bar e'$, one can efficiently extract a witness $r = (z - z') \cdot (\bar e - \bar e')^{-1} \bmod p$ satisfying $A = rG$ and $B = rH$.

Lemma 11 (Unique responses for Chaum–Pedersen). The Chaum–Pedersen $\Sigma$-protocol for $\mathcal{R}_{\mathsf{DLEQ}}$ has unique responses.

Proof Sketch. Fix any statement $(A, B)$, first message $(J_1, J_2)$, and challenge $\bar e$. If an accepting response $z$ exists, it must satisfy $zG = J_1 + \bar e \cdot A$. Since $G$ generates a prime-order group, the map $z \mapsto zG$ is a bijection on $\mathbb{Z}_p$, so $z$ is uniquely determined. Hence there is at most one accepting response. ■

UC-NIZK-AoK for DLEQ from Fischlin in gRO-CRP.
Applying the (optimized) Fischlin transform to the above Chaum–Pedersen $\Sigma$-protocol yields a UC-NIZK-AoK for $\mathcal{R}_{\mathsf{DLEQ}}$ in the gRO-CRP model. We denote it by $\Pi_{\mathsf{DLEQ}} = (\mathsf{K}_{\mathsf{DLEQ}}, \mathsf{P}_{\mathsf{DLEQ}}, \mathsf{V}_{\mathsf{DLEQ}})$, with a straight-line extractor $\mathsf{Ext}_{\mathsf{DLEQ}}$ that may inspect the adversary's gRO-CRP query/answer log under the DLEQ-proof context(s).

UC-NIZK-AoK for DL from Fischlin in gRO-CRP. Applying the (optimized) Fischlin transform to the above Schnorr $\Sigma$-protocol yields a UC-NIZK-AoK for $\mathcal{R}_{\mathsf{DL}}$ in the gRO-CRP model. We denote this system by $\Pi_{\mathsf{DL}} = (\mathsf{K}_{\mathsf{DL}}, \mathsf{P}_{\mathsf{DL}}, \mathsf{V}_{\mathsf{DL}})$ and summarize its properties (which also apply to $\Pi_{\mathsf{DLEQ}}$):
– Completeness: honest proofs produced using witness $m$ verify.
– (Computational) ZK: real proofs are computationally indistinguishable from simulated proofs.
– Simulation-extractability (fresh statement) in the sense of Definition 12 (p. 23) [30, Thm. 3].
– Knowledge soundness / extraction: there exists a straight-line PPT extractor $\mathsf{Ext}_{\mathsf{DL}}$ such that for any PPT adversarial prover $\mathcal{P}^*$ that outputs $(M, \pi_{\mathsf{DL}})$ with $\mathsf{V}_{\mathsf{DL}}(\mathsf{pp}, M, \pi_{\mathsf{DL}}) = 1$, the extractor outputs $m \leftarrow \mathsf{Ext}_{\mathsf{DL}}(\mathsf{pp}, M, \pi_{\mathsf{DL}}; \mathsf{Log}_{\mathcal{P}^*})$ satisfying $M = mG$, except with negligible probability, where $\mathsf{Log}_{\mathcal{P}^*}$ is the prover's logged gRO-CRP query/answer transcript under the proof context.

Our use of Fischlin-style straight-line compilation of DL-based $\Sigma$-protocols into UC-NIZK-PoK/AoK is closely aligned with [46], which targets adaptive UC security in global random-oracle models; we further tailor the model/usage to gRO-CRP and KeyBox local-call semantics.

6.1 Affine DL relation

Let $\mathsf{Open}_M(\mathsf{pp}, C, \zeta)$ denote the public opening derived from a USV certificate as in Definition 16 (p. 27). Fix $\gamma \in \mathbb{Z}_p$ and public points $X, M, B, \Delta \in \mathbb{G}$. Define the affine DL NP relation
$$\mathcal{R}_{\mathsf{aff}} := \{ ((X, \gamma, M, B, \Delta), (\alpha, \delta)) : \alpha G = M + \gamma B \;\wedge\; \delta G = X - \Delta - (M + \gamma B) \}.$$
Equivalently, define $Y := M + \gamma B$ and $D := X - \Delta - Y$. Then $(\alpha, \delta)$ is a witness iff $Y = \alpha G$ and $D = \delta G$, where $Y$ and $D$ are deterministically derived from the public tuple $(X, \gamma, M, B, \Delta)$.

Remark 15 (Realizing a UC-NIZK-AoK for $\mathcal{R}_{\mathsf{aff}}$ from $\Pi_{\mathsf{DL}}$). Let $\Pi_{\mathsf{DL}}$ be the UC-NIZK-AoK for $\mathcal{R}_{\mathsf{DL}}$. A UC-NIZK-AoK for $\mathcal{R}_{\mathsf{aff}}$ is obtained by parallel composition of two instances of $\Pi_{\mathsf{DL}}$:
– prove knowledge of $\alpha$ such that $Y = M + \gamma B = \alpha G$;
– prove knowledge of $\delta$ such that $D = X - \Delta - (M + \gamma B) = \delta G$.
Concretely, the proof is $\pi_{\mathsf{aff}} := (\pi_Y, \pi_D)$ where $\pi_Y \leftarrow \mathsf{P}_{\mathsf{DL}}(\mathsf{pp}, Y, \alpha)$ and $\pi_D \leftarrow \mathsf{P}_{\mathsf{DL}}(\mathsf{pp}, D, \delta)$. Verification of $\pi_{\mathsf{aff}}$ checks both $\pi_Y$ and $\pi_D$. The corresponding extractor outputs $(\alpha, \delta)$ by running the two $\Pi_{\mathsf{DL}}$ extractors.

As noted earlier, we instantiate UC-NIZK(-AoK)s via the Fischlin transform in the gRO-CRP model. For efficiency we assume the optimized prover/verifier organization and batch-verification techniques of [19]. Accordingly, we omit low-level optimization details and refer to [19] for the optimized algorithms, while relying on [30] for the core transform security proof.

7 Star DKG (SDKG)

Fix Fischlin parameter functions $t = t(\lambda)$, $b = b(\lambda)$, $r = r(\lambda)$, $S = S(\lambda)$ as in Definition 15 (p. 24). Whenever the protocol refers to $t, b, r, S$, it means their values at the current security parameter $\lambda$. Let $H_{\mathsf{s32}}$ denote the gRO-CRP $H$ under context $\mathsf{SDKG.s32} \in \mathsf{Ctx}_{np}$, i.e., $H_{\mathsf{s32}}(u) := H(\mathsf{SDKG.s32}, u)$. All invocations of $H_{\mathsf{s32}}$ are on an encoded tuple, i.e., $H_{\mathsf{s32}}(\langle\cdot\rangle)$.

For readability, we begin by presenting our protocol $\Psi^{(3)}_{\mathsf{SDKG}}$ for $\Gamma_0 = \{\{P_1, P_2\}, \{P_1, P_3\}\}$ and then extend it to a 1+1-out-of-$n$ SDKG scheme. Hence, we first present $\Psi^{(3)}_{\mathsf{SDKG}}$ in the $(\mathcal{F}_{\mathsf{KeyBox}}, \mathcal{F}_{\mathsf{USV}}, \mathcal{F}_{\mathsf{channel}}, \mathcal{F}_{\mathsf{pub}})$-hybrid and gRO-CRP models. Accordingly, the protocol description contains explicit invocations of the ideal certificate functionality $\mathcal{F}_{\mathsf{USV}}$.
The corresponding real-world protocol $\widehat\Psi^{(3)}_{\mathsf{SDKG}}$ is obtained by replacing each call to $\mathcal{F}_{\mathsf{USV}}$ with an execution of its concrete realization $\Pi_{\mathsf{USV}}$ (Corollary 2 (p. 59)). In Section 8 (p. 47), Theorem 3 (p. 54) establishes UC security of the hybrid protocol $\Psi^{(3)}_{\mathsf{SDKG}}$; Corollary 2 (p. 59) then compiles out $\mathcal{F}_{\mathsf{USV}}$ via UC composition to obtain UC security of $\widehat\Psi^{(3)}_{\mathsf{SDKG}}$ in the $(\mathcal{F}_{\mathsf{KeyBox}}, \mathcal{F}_{\mathsf{channel}}, \mathcal{F}_{\mathsf{pub}})$-hybrid (and gRO-CRP) model.

Remark 16. We use three proof contexts in $\mathsf{Ctx}_p$ (all mutually disjoint) for domain separation:
– $\Pi^{\mathsf{UC}}_{\mathsf{DL}}$: UC-NIZK-AoK for DL-based consistency statements, instantiated under $\mathsf{ctx}_{\mathsf{UC}} \in \mathsf{Ctx}_p$. This is the only proof type from which the UC proof extracts witnesses.
– $\Pi^{\mathsf{KeyBox}}_{\mathsf{DL}}$: the sealed one-shot DL prover inside a KeyBox, instantiated under the disjoint context $\mathsf{ctx}_{\mathsf{KeyBox}} \in \mathsf{Ctx}_p$. These proofs are treated under ZK/simulation only; the UC proof never extracts from them.
– $\Pi_{\mathsf{DLEQ}}$: the DLEQ NIZK-AoK embedded in USV certificates, instantiated under the disjoint context $\mathsf{ctx}_{\mathsf{DLEQ}} \in \mathsf{Ctx}_p$. In the UC simulations for $\mathcal{F}_{\mathsf{USV}}$ and SDKG, the simulator never programs $\mathsf{ctx}_{\mathsf{DLEQ}}$.

Fig. 6 (p. 38) defines LinOS (Linear One-Shot), a sealed, handle-bound prover for Schnorr DL that runs the optimized Fischlin transform inside the KeyBox. LinOS ensures: (i) all per-challenge linear evaluations $j_i + ek$ remain internal; (ii) at most one $(e_i, z_i)$ ever leaves the KeyBox per commitment $a_i$ (enforced by sealing and state continuity); and (iii) all rare-structure oracle queries are issued internally under a dedicated gRO-CRP context. In the UC proof, LinOS proofs are treated only as $\Pi^{\mathsf{KeyBox}}_{\mathsf{DL}}$ proofs, whereas all protocol-consistency proofs that require straight-line extraction use $\Pi^{\mathsf{UC}}_{\mathsf{DL}}$ under a disjoint context. For corrupted parties, the simulator mediates gRO-CRP access.
♦ Fixed Fischlin parameters: Let (t, b, r, S) := (t(λ), b(λ), r(λ), S(λ)) be the canonical parameter tuple fixed for this KeyBox profile (Definition 15 (p. 24)). Callers do not supply (and cannot influence) these values.
♦ FS.Start(sid, K): Check K = PubMap(k); allocate a fresh handle μ_FS ∈ slot_fs, where slot_fs ∈ {0,1}^λ. Sample j_1, …, j_r ←$ Z_p; set J_i := j_i G, a_i := J_i for i ∈ [r]; bind the tuple (μ_FS ↦ (sid, K, {j_i}_{i∈[r]}, {a_i}_{i∈[r]}, t, b, r, S)) and return (μ_FS, a), where a := (a_1, …, a_r).
♦ FS.Prove(μ_FS): If μ_FS is sealed, return ⊥. Else, for each i ∈ [r], the KeyBox runs an early-break rarity search: initialize ŝ_i ← 2^b − 1 and (ê_i, ẑ_i) ← (⊥, ⊥). For e = 0, 1, …, 2^t − 1 it internally computes z ← j_i + ek mod p and s ← H_b(ctx_KeyBox, ⟨sid, K, a, i, e, z⟩). If s = 0, it sets (e_i, z_i) ← (e, z) and breaks; otherwise, if s ≤ ŝ_i it updates ŝ_i ← s and (ê_i, ẑ_i) ← (e, z). If the loop ends without s = 0, it sets (e_i, z_i) ← (ê_i, ẑ_i). It discards all per-e temporary values other than the selected (e_i, z_i), outputs the optimized-Fischlin proof π_DL = ((a_i, e_i, z_i))_{i=1}^r, and seals μ_FS. Subsequent calls on μ_FS return ⊥.
♦ FS.Verify(sid, K, π_DL): Accept iff (i) ∀i, z_i G = a_i + e_i K, and (ii) Σ_{i=1}^r H_b(ctx_KeyBox, ⟨sid, K, a, i, e_i, z_i⟩) ≤ S.
Fig. 6: LinOS-Fischlin API with profile-fixed parameters.

We get the following security semantics:
– The statement K is bound at FS.Start to the KeyBox's resident key (share); the host cannot request a proof for any other statement.
– For each commitment a_i produced by FS.Start, at most one (e_i, z_i) ever leaves the KeyBox (enforced by sealing), preventing an external party from obtaining two responses to the same a_i.
– No intermediate z_{i,e} is exposed beyond the selected (e_i, z_i); hence an adversary cannot solve for k by differencing two responses with the same a_i.
– The "one-shot" sealing of μ assumes state continuity (Assumption 2 (p. 13)); in particular, an adversary cannot roll back or fork the KeyBox to obtain two accepting responses (e, z) and (e′, z′) for the same commitment a. If this were possible, Schnorr special soundness would reveal the resident share: k = (z − z′)·(e − e′)^{−1} mod p, which would violate key-opacity and break the NXK security argument.
– All gRO-CRP oracle calls H_b(ctx, ·) made during FS.Prove are local to the KeyBox ITM and are not visible at the host/API boundary. The host observes only (a, π_DL) and the public verification outcome.

When LinOS is run on a KeyBox-resident share stored in a local KeyBox slot μ ∈ {0,1}^* (with public key K = PubMap(k)), the interfaces are invoked via the KeyBox API: (μ_FS, a) ← F^(P)_KeyBox.Use(μ, FS.Start, ⟨sid, K⟩) and π_DL ← F^(P)_KeyBox.Use(μ, FS.Prove, μ_FS). The verifier-side predicate FS.Verify(sid, K, π_DL) is public and is evaluated outside the KeyBox.

Observation 1 (LinOS does not violate key-opacity). Work in the gRO-CRP-hybrid model. Assume the baseline KeyBox profile is key-opaque w.r.t. PubMap (Definition 2 (p. 11)), and extend the admissible operations by adding FS.Start / FS.Prove / FS.Verify as in Fig. 6 (p. 38). Instantiate LinOS under a dedicated Fischlin proof context ctx_KeyBox ∈ Ctx_p that is disjoint from all other contexts. We show that the extended profile remains key-opaque. Fix any KeyBox slot holding k with public key K = PubMap(k). Extend the slot-wise key-opacity simulator Sim_K (Remark 1 (p. 12)) to answer LinOS queries as follows:
Simulating FS.Start: On input FS.Start(sid, K′), if K′ ≠ K output ⊥.
Otherwise sample a fresh handle μ_FS and run the Fischlin-based UC-NIZK simulator for the DL statement "∃k : K = PubMap(k)" in context ctx_KeyBox to obtain an accepting proof π_DL = ((a_i, e_i, z_i))_{i=1}^r. This simulation may invoke SimProgram only in ctx_KeyBox. Return (μ_FS, a) where a := (a_1, …, a_r), and store π_DL under μ_FS.
Simulating FS.Prove: On input FS.Prove(μ_FS), if μ_FS is unknown or already sealed output ⊥; otherwise output the stored π_DL and mark μ_FS sealed, matching LinOS one-shot semantics.
Simulating FS.Verify: On input FS.Verify(K′, π), output the deterministic verification result, which is simulatable without k.
Indistinguishability argument: In a real LinOS execution, the externally visible output is a Fischlin-based UC-NIZK transcript for the DL statement K = PubMap(k) under context ctx_KeyBox. By the computational ZK guarantee of the Fischlin transform in gRO-CRP (Lemma 6 (p. 26)), the joint distribution of the simulated transcript and the adversary's oracle view is computationally indistinguishable from the real one (up to the simulator's programming failure event). The only simulator failure mode is that a SimProgram(ctx_KeyBox, x, y) attempt returns ⊥ because the host/adversary pre-queried (ctx_KeyBox, x). By Lemma 3 (p. 20), this pre-query event is negligible because the programmed inputs x include fresh high-entropy components. Finally, by gRO-CRP local-call semantics (Fig. 4 (p. 19)), the host/API boundary never observes the KeyBox's internal oracle-query trace; only the released transcript must be simulated. Hence, adding LinOS preserves key-opacity.

♦ SDKG.LeafInit(sid) (key-independent): sample m_2 ←$ Z_p^* and b_2 ← Z_p; define f_2(x) := m_2 + b_2 x. Compute B_2 := b_2 G and σ_{2,1} := f_2(2), σ_{2,2} := f_2(3), σ_{2,3} := f_2(1) in Z_p. Compute (C_2, ζ_2) ← Cert(pp, m_2). Erase (m_2, b_2, f_2) and return (C_2, ζ_2, B_2, σ_{2,1}, σ_{2,2}, σ_{2,3}).
Fig. 7: Key-independent leaf routine for hardened/minimal NXK deployments of SDKG.

For the star access structure Γ_0 := {{P_1, P_2}, {P_1, P_3}}, our end-to-end claim is UC realization of an NXK-star DKG interface for Γ_0: applications should see only a public key (or abort) and the induced installation of non-exportable long-term shares inside the parties' KeyBoxes.

Reader Note 7.1: Application-visible functionality. The functionality exposed to applications is F^{⋆,NXK}_DKG (Definition 21 (p. 49)), which is obtained by wrapping the proof-oriented transcript-driven functionality F_SDKG (Fig. 8 (p. 48)) as F^{⋆,NXK}_DKG = W_DKG ∘ F_SDKG. We prove UC realization for F_SDKG and then lift it to F^{⋆,NXK}_DKG via interface restriction (Lemma 14 (p. 49)). F^{⋆,NXK}_DKG exposes only:
– DKG output: upon successful completion, output a public key K ∈ G to all parties (and no output on abort / selective-abort is allowed, as usual in UC-DKG);
– NXK share installation: install long-term shares into the parties' local KeyBoxes (via F_KeyBox), with no export interface for the underlying scalars or caller-invertible affine images; and
– Optional post-finalization registration (RDR): if invoked, output the corresponding registered event(s) and install the recovery-role share in the joining device's KeyBox.
All transcript bookkeeping and the simulator-only Program hook in F_SDKG are not part of the application interface and are hidden by the wrapper W_DKG (Definition 21 (p. 49)). We prove UC realization first for the proof-oriented functionality F_SDKG (Fig. 8 (p. 48)), and then obtain the application-visible interface F^{⋆,NXK}_DKG by local interface restriction (Lemma 14 (p. 49)).
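As an added illustration of the Fig. 6 semantics (not code from the paper), the following Python models a KeyBox running the LinOS early-break rarity search and one-shot sealing, with the public FS.Verify predicate outside. The group (order-509 subgroup of Z_1019^*), the parameters (t, b, r, S) = (8, 5, 4, 8), and the stand-in H_b (context-prefixed SHA-256 truncated to b bits) are all constructed for the example.

```python
"""Toy LinOS-Fischlin prover (inside a KeyBox) and public verifier, after Fig. 6.
Constructed example: toy group, toy parameters, SHA-256 standing in for the gRO-CRP H_b."""
import hashlib
import random

P, Q, G = 1019, 509, 4                      # P = 2Q+1 prime, Q prime, G = 2^2 has order Q
T_BITS, B_BITS, R_REPS, S_BOUND = 8, 5, 4, 8  # profile-fixed (t, b, r, S); callers cannot change them
CTX_KEYBOX = "ctx_KeyBox"                   # dedicated proof context for LinOS

def gmul(a, b):          # group operation (written additively in the paper)
    return a * b % P

def gexp(base, e):       # scalar multiplication "eG" / "eK"
    return pow(base, e % Q, P)

def h_b(ctx, *parts):
    """b-bit truncation of a hash over (ctx, encoded tuple); stands in for H_b."""
    enc = ctx.encode() + "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(enc).digest(), "big") & ((1 << B_BITS) - 1)

class KeyBox:
    """Holds one resident scalar k; exposes only FS.Start / FS.Prove (k never leaves)."""
    def __init__(self, k, rng):
        self._k = k % Q
        self.pub = gexp(G, self._k)          # K = PubMap(k), the only statement provable
        self._rng = rng
        self._handles = {}                   # mu_FS -> (sid, K, [j_i], [a_i]) or "sealed"

    def fs_start(self, sid, K):
        if K != self.pub:                    # statement must be the resident key
            return None
        js = [self._rng.randrange(1, Q) for _ in range(R_REPS)]
        a = [gexp(G, j) for j in js]         # commitments a_i = j_i G
        mu = self._rng.getrandbits(64)       # fresh handle
        self._handles[mu] = (sid, K, js, a)
        return mu, a

    def fs_prove(self, mu):
        state = self._handles.get(mu)
        if state is None or state == "sealed":
            return None                      # one-shot: unknown or sealed handle -> ⊥
        sid, K, js, a = state
        proof = []
        for i, j in enumerate(js):
            best_s, best = (1 << B_BITS) - 1, None
            for e in range(1 << T_BITS):     # early-break rarity search over challenges
                z = (j + e * self._k) % Q    # linear evaluation stays internal
                s = h_b(CTX_KEYBOX, sid, K, tuple(a), i, e, z)
                if s == 0:
                    best = (e, z)
                    break
                if s <= best_s:
                    best_s, best = s, (e, z)
            proof.append((a[i], best[0], best[1]))   # only the selected (e_i, z_i) leaves
        self._handles[mu] = "sealed"         # j_i discarded; a second Prove returns ⊥
        return proof

def fs_verify(sid, K, proof):
    """Public predicate: Schnorr equation z_i G = a_i + e_i K per repetition, plus rarity bound."""
    if len(proof) != R_REPS:
        return False
    a = tuple(ai for ai, _, _ in proof)
    total = 0
    for i, (ai, e, z) in enumerate(proof):
        if gexp(G, z) != gmul(ai, gexp(K, e)):
            return False
        total += h_b(CTX_KEYBOX, sid, K, a, i, e, z)
    return total <= S_BOUND

def run_example(seed=7):
    """Constructed run: (honest proof verifies, second Prove is ⊥, wrong statement is ⊥,
    a proof with one altered z_i is rejected)."""
    rng = random.Random(seed)
    kb = KeyBox(rng.randrange(1, Q), rng)
    sid = "sid-0001"                         # constructed session id
    mu, a = kb.fs_start(sid, kb.pub)
    proof = kb.fs_prove(mu)
    ai, e, z = proof[0]
    tampered = [(ai, e, (z + 1) % Q)] + proof[1:]
    return (fs_verify(sid, kb.pub, proof), kb.fs_prove(mu),
            kb.fs_start(sid, gmul(kb.pub, G)), fs_verify(sid, kb.pub, tampered))
```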
In the protocol and definition below, σ_{i,j} denote the scalar polynomial evaluations used for SDKG and for KeyBox installation/registration.

Definition 19 (SDKG KeyBox derivation routines). Fix public parameters pp = (G, p, G, H) and let ⟨·⟩ be a tuple encoding. All arithmetic below is in Z_p.
– g_{1,2}(1^λ, l): parse l = ⟨σ_{1,1}, σ_{2,1}, σ_{3,1}⟩ with each σ_{i,j} ∈ Z_p. If parsing fails, output ⊥. Set x_1 := σ_{1,1} + σ_{2,1} + σ_{3,1} and output k_{1,2} := 3x_1.
– g_{1,3}(1^λ, l): parse l = ⟨σ_{1,1}, σ_{2,1}, σ_{3,1}, σ_{1,3}⟩ with each component in Z_p. If parsing fails, output ⊥. Set x_1 := σ_{1,1} + σ_{2,1} + σ_{3,1} and output k_{1,3} := 2σ_{1,3} − x_1.
– g_2(1^λ, l): parse l = ⟨σ_{1,2}, σ_{2,2}, σ_{3,2}⟩ with each component in Z_p. If parsing fails, output ⊥. Set x_2 := σ_{1,2} + σ_{2,2} + σ_{3,2} and output k_2 := −2x_2.
– g_3(1^λ, l): parse l as either (a) ⟨σ_{2,3}, σ_{3,2}, σ_{3,1}, K, K_{1,3}⟩ with σ_{2,3}, σ_{3,2}, σ_{3,1} ∈ Z_p and K, K_{1,3} ∈ G, or (b) ⟨⟨ad_23, σ_{2,3}⟩, ⟨ad_32, σ_{3,2}⟩, ⟨ad_31, σ_{3,1}⟩, K, K_{1,3}⟩ where each ad_· ∈ {0,1}^* and each σ_· ∈ Z_p. In case (b), additionally parse each ad_xy as ad_xy = ⟨SDKG.reg, sid′, P′_s, P′_r, tag⟩ and require that the tag matches the intended slot: tag = k23 for ad_23, tag = k32 for ad_32, and tag = k31 for ad_31 [5]. If parsing fails (including the case-(b) tag checks), output ⊥. Compute k_3 := 2·(σ_{2,3} + 2σ_{3,1} − σ_{3,2}) mod p. Let K_3 := k_3 G. If K_{1,3} + K_3 ≠ K, output ⊥; else output k_3.
– For each (i, j) ∈ {(3,1), (3,2), (2,3)} define g^reg_{i,j}(1^λ, l) as: parse l as either (a) ⟨σ_{i,j}⟩ with σ_{i,j} ∈ Z_p; in this case output k^reg_{i,j} := σ_{i,j}, or (b) ⟨⟨ad, σ_{i,j}⟩⟩ with ad ∈ {0,1}^* and σ_{i,j} ∈ Z_p. In this case, parse ad = ⟨SDKG.reg, sid′, P′_s, P′_r, tag⟩ and require that the tag matches the intended slot: tag = k31 if (i, j) = (3,1), tag = k32 if (i, j) = (3,2), and tag = k23 if (i, j) = (2,3) [5]. If the ad parse or tag check fails, output ⊥; else output k^reg_{i,j} := σ_{i,j}. If parsing fails, output ⊥.

[5] Only tag must be re-checked for slot-disjointness; the rest is enforced by AEAD binding (see Remark 17 (p. 40)).

Remark 17 (Associated-data fields vs. g-routine checks). In SDKG registration we use AEAD associated-data strings of the form ad = ⟨SDKG.reg, sid, P_s, P_r, tag⟩. The AEAD layer (via SealToPeer / OpenFromPeer in F_KeyBox) binds the entire tuple (sid, P_s, P_r, tag) to the ciphertext: in Fig. 3 (p. 11), OpenFromPeer computes s ← Dec_{sk_seal}(ad, c) and returns a handle that later resolves to ⟨ad, s⟩ only if the ciphertext authenticates under that exact ad. Importantly, the protocol does not accept ad strings from the network. In Algorithm 1 (p. 45), the receiver P_3 deterministically recomputes the intended ad_31, ad_32, ad_23 from (sid, P_s, P_r, tag) and supplies them to OpenFromPeer. Therefore, when P_3 is honest, any cross-session/cross-peer mix-and-match attempt would require opening a ciphertext under an ad that does not match its sealing ad, which causes OpenFromPeer to return ⊥. Accordingly, our derivation routines g_3 and g^reg_{i,j} inspect only the final tag component: this is the only additional check needed beyond AEAD binding to enforce slot disjointness (preventing a k31 value from being installed into k32 or k23, etc.). If the sponsor is corrupted during registration, it may send arbitrary ciphertexts. Any in-transit modification of a ciphertext (or cross-session/slot substitution) is rejected by OpenFromPeer due to AEAD integrity under the receiver-supplied associated data (Fig. 3 (p. 11) and Algorithm 1 (p. 45)). Moreover, even if a corrupted sponsor generates fresh ciphertexts under the correct associated data but encrypting incorrect scalars, the joiner's recovery-share installation via g_3 will reject unless the decrypted values are consistent with the fixed base-run transcript, because g_3 enforces K_{1,3} + K_3 = K where K_3 = k_3 G (Definition 19 (p. 39)). Hence, the sponsor can at most force an abort (denial of registration).

Fix the KeyBox ideal functionality F_KeyBox (Fig. 3 (p. 11)) and the LinOS interface (Fig. 6 (p. 38)). We fix the admissible KeyBox profile (χ^SDKG_adm, F^SDKG_adm, F^SDKG_KI, 𭟋^SDKG) (Definition 3 (p. 12)) as follows: the only derivation routines invoked via Load are
χ^SDKG_adm := {g_{1,2}, g_{1,3}, g_2, g_3, g^reg_{3,1}, g^reg_{3,2}, g^reg_{2,3}}.
The only operations invoked via Use are
F^SDKG_adm := {GetPub, SDKG.LeafInit, USV.Cert, FS.Start, FS.Prove, SealToPeer, OpenFromPeer},
F^SDKG_KI := {OpenFromPeer, USV.Cert, SDKG.LeafInit},
where FS.* are as in Fig. 6 (p. 38) and SealToPeer / OpenFromPeer are the KeyBox-to-KeyBox sealing operations specified as part of F_KeyBox in Fig. 3 (p. 11). Recall that the predicate FS.Verify(sid, K, π) is public/deterministic and is evaluated outside the KeyBox. We fix the profile's family map 𭟋^SDKG by identifying the LinOS start/prove pair: 𭟋^SDKG(FS.Start) = 𭟋^SDKG(FS.Prove) =: FS, and 𭟋^SDKG(f) = f for all other f ∈ F^SDKG_adm.

Note 4. The profile intentionally omits any operation for producing the UC-extractable consistency AoKs (e.g., Π^UC_DL / R_aff) inside the KeyBox: those proofs are generated by the host/party ITM so that the simulator can log the prover's gRO-CRP queries for straight-line extraction.
7.1 The Protocol

Our Ψ^(3)_SDKG protocol is inspired by the DKG from [4]. Specifically, the high-level idea of mapping polynomial evaluations into compatible shares is shared by the two solutions. However, the settings and techniques differ: [4] constructs a (2,3) threshold ECDSA scheme with an offline party in a standalone, game-based model, and relies on Feldman VSS, Paillier-based MtA/MtAwc, and interactive ZK proofs over freely manipulable shares. By contrast, our scheme targets a star-shaped access structure in the NXK model. We obtain UC security in this setting by employing USV + NXK + UC-NIZK(-AoK) to replace the role of VSS and homomorphic share manipulations in [4].

Placement / profile convention. The protocol steps below are written at the level of algebraic relations (e.g., "sample m_2 and set f_2(x) = m_2 + b_2 x") and should not be read as fixing where a scalar is materialized. In the minimal/hardened NXK profile that motivates USV (Section 8.2 (p. 51)), the leaf's Round 1 linear-polynomial setup is realized by the key-independent KeyBox operation SDKG.LeafInit ∈ F^SDKG_KI (Fig. 7 (p. 39)), which samples m_2 and b_2 inside the KeyBox boundary, outputs only (C_2, ζ_2, B_2, σ_{2,1}, σ_{2,2}, σ_{2,3}), and erases (m_2, b_2) before returning. Thus, m_2 is never available as host state and no generic "export m_2" or "export m_2 G" interface is assumed. If, instead, one permits a transient-host-RAM deployment in which m_2 is sampled/held outside the KeyBox as NXK-restricted material with secure erasure, then one may simplify Round 1 by publishing M_2 := m_2 G directly and omitting the USV instance; we keep USV so the same transcript format covers the hardened profile in which the adversary-visible transcript must still deterministically fix M_2.

Even in the minimal (KeyBox-hardened long-term-share) profile, SDKG.LeafInit returns σ_{2,1}, σ_{2,2}, σ_{2,3} to the host. These values are share-deriving and therefore NXK-restricted (Remark 6 (p. 14)); they are held only as transient host state needed to (i) generate the UC-context consistency AoKs and (ii) invoke the internal F_KeyBox.Load calls, and are then securely erased. This is intentional: the UC-context AoKs are host-generated so that the simulator can observe the prover's gRO-CRP query log (Remark 4 (p. 12)).

Next, we detail our Ψ^(3)_SDKG protocol. Session setup designates P_2 as the initiating leaf (primary role). All computations are performed in Z_p. Let pp := (G, p, G, H) be the set of public parameters. Each step of the protocol is atomic for the local state. Detailed description follows:

Round 1 (P_2 → P_1):
– Leaf setup (hardened/minimal profile): P_2 obtains its Round 1 values by invoking the key-independent KeyBox operation SDKG.LeafInit: (C_2, ζ_2, B_2, σ_{2,1}, σ_{2,2}, σ_{2,3}) ← F^(2)_KeyBox.Use(⟨sid, ki⟩, SDKG.LeafInit, ⟨sid⟩). Define the leaf's transcript-defined group element M_2 := Open_M(pp, C_2, ζ_2) (by USV correctness, M_2 = m_2 G for the internal m_2 sampled inside SDKG.LeafInit). In the transient-host-RAM deployment, this step may equivalently be implemented by sampling (m_2, b_2) in host state, setting f_2(x) = m_2 + b_2 x, and computing the same outputs, treating all σ-scalars as NXK-restricted and securely erased after their last use.
– For a fresh commitment identifier cid_2, P_2 sends (Commit, sid, cid_2, P_1, C_2, ζ_2) to F_USV and receives the receipt digest d from F_USV.
– P_2 generates σ_{3,2} ←$ Z_p; computes h_{3,2} := H_s32(⟨sid, cid_2, σ_{3,2} G⟩) and sends (C_2, ζ_2, B_2, h_{3,2}, σ_{2,1}, sid, cid_2, d) to P_1.

Round 2 (P_1 → P_2):
– P_1 verifies that sid and cid_2 are fresh, calls F_USV.Verify(sid, cid_2, P_2, C_2, ζ_2), and requires that it return 1; else, P_1 aborts.
– P_1 computes M_2 ← Open_M(pp, C_2, ζ_2) (abort if M_2 = ⊥) and checks that d = H(USV.rcpt, ⟨sid, cid_2, P_2, P_1, C_2, M_2⟩). It aborts if the check fails.
– P_1 parses ζ_2 = (ν_2, υ_2, π^DLEQ_2), checks (i) ν_2 = −1 mod p and (ii) σ_{2,1} G − 2B_2 = M_2. It aborts if any verification fails.
– P_1 samples m_1 ←$ Z_p^* and b_1, σ_{3,1} ←$ Z_p; sets f_1(x) := m_1 + b_1 x, and computes M_1 := m_1 G, B_1 := b_1 G, σ_{1,1} := f_1(2), σ_{1,2} := f_1(3), σ_{1,3} := f_1(1), X_1 := σ_{1,1} G + σ_{2,1} G + σ_{3,1} G (equivalently, X_1 = x_1 G for the conceptual scalar x_1 := σ_{1,1} + σ_{2,1} + σ_{3,1}, which is never materialized in host memory). Then it deletes m_1, b_1, and f_1.
– P_1 sends (sid, X_1, M_1, B_1, σ_{1,2}, π^aff_1) to P_2, where π^aff_1 is a UC-NIZK-AoK for the affine relation R_aff on statement (X_1, γ_1, M_1, B_1, Δ_1) with γ_1 := 2, Δ_1 := σ_{2,1} G, using witness [6] (α_1, δ_1) := (σ_{1,1}, σ_{3,1}); i.e., P_1 generates UC-NIZK-AoKs for the DL relation R_DL: π_{Y_1} ← P_DL(pp, ⟨sid, SDKG.aff1.Y, Y_1⟩, α_1) with witness α_1 := σ_{1,1}, and π_{D_1} ← P_DL(pp, ⟨sid, SDKG.aff1.D, D_1⟩, δ_1) with witness δ_1 := σ_{3,1}; then π^aff_1 = (π_{Y_1}, π_{D_1}).

Round 3 (P_2 → P_1):
– P_2 verifies that σ_{1,2} G = M_1 + 3B_1, and aborts if the check fails.
– P_2 computes Y_1 = M_1 + 2B_1 and D_1 = X_1 − σ_{2,1} G − Y_1, and accepts iff V_DL(pp, ⟨sid, SDKG.aff1.Y, Y_1⟩, π_{Y_1}) = 1 ∧ V_DL(pp, ⟨sid, SDKG.aff1.D, D_1⟩, π_{D_1}) = 1.
– P_2 computes the public group element X_2 := σ_{1,2} G + σ_{2,2} G + σ_{3,2} G (equivalently, X_2 = x_2 G for the conceptual scalar x_2 := σ_{1,2} + σ_{2,2} + σ_{3,2}, which is never materialized in host memory).
It computes M_2 ← Open_M(pp, C_2, ζ_2) and defines Y_2 := M_2 + 3B_2 and D_2 := X_2 − σ_{1,2} G − Y_2.
– P_2 generates two UC-NIZK-AoKs for the discrete-log relation R_DL: π_{Y_2} ← P_DL(pp, ⟨sid, SDKG.aff2.Y, Y_2⟩, α_2) with witness α_2 := σ_{2,2}, and π_{D_2} ← P_DL(pp, ⟨sid, SDKG.aff2.D, D_2⟩, δ_2) with witness δ_2 := σ_{3,2}. Equivalently, π^aff_2 := (π_{Y_2}, π_{D_2}) is a UC-NIZK-AoK for the affine relation R_aff on statement (X_2, γ_2, M_2, B_2, Δ_2) with γ_2 := 3 and Δ_2 := σ_{1,2} G.
– P_2 computes the public key K = 3X_1 − 2X_2, and sends (X_2, π^aff_2, K) to P_1. Additionally, P_2 publishes K via the authenticated public broadcast functionality: it sends (Publish, sid, K) to F_pub.

Verification by P_1: Parse (X_2, π^aff_2, K) as (X_2, (π_{Y_2}, π_{D_2}), K_rec) and compute M_2 ← Open_M(pp, C_2, ζ_2), Y_2 := M_2 + 3B_2, D_2 := X_2 − σ_{1,2} G − Y_2, K = 3X_1 − 2X_2, and accept iff:
V_DL(pp, ⟨sid, SDKG.aff2.Y, Y_2⟩, π_{Y_2}) = 1 ∧ V_DL(pp, ⟨sid, SDKG.aff2.D, D_2⟩, π_{D_2}) = 1 ∧ h_{3,2} = H_s32(⟨sid, cid_2, D_2⟩) ∧ K = K_rec.

[6] The witnesses (α_i, δ_i) are σ-values and hence share-deriving material (Remark 6 (p. 14)). They are held only transiently for UC-proof generation and the subsequent KeyBox installation steps, then securely erased.

Post-accept KeyBox installation. If P_1 accepts the transcript above (and P_2 has not aborted), then each honest party finalizes by installing its long-term NXK shares and the retained registration scalars inside its local KeyBox via Load calls over the internal channel to F^(i)_KeyBox:
– P_1 invokes: F^(1)_KeyBox.Load(⟨sid, k12⟩, g_{1,2}, ⟨σ_{1,1}, σ_{2,1}, σ_{3,1}⟩), F^(1)_KeyBox.Load(⟨sid, k13⟩, g_{1,3}, ⟨σ_{1,1}, σ_{2,1}, σ_{3,1}, σ_{1,3}⟩), and F^(1)_KeyBox.Load(⟨sid, k31⟩, g^reg_{3,1}, ⟨σ_{3,1}⟩).
– P_2 invokes: F^(2)_KeyBox.Load(⟨sid, k2⟩, g_2, ⟨σ_{1,2}, σ_{2,2}, σ_{3,2}⟩), F^(2)_KeyBox.Load(⟨sid, k32⟩, g^reg_{3,2}, ⟨σ_{3,2}⟩), and F^(2)_KeyBox.Load(⟨sid, k23⟩, g^reg_{2,3}, ⟨σ_{2,3}⟩).

On exposure of share-deriving material. The scalars σ_{i,j} are protocol-internal and share-deriving in the sense of Remark 6 (p. 14): learning the appropriate tuple(s) of σ-values suffices to recompute a party's installed long-term share via the public derivation routines (Definition 19 (p. 39)). Accordingly, σ-values are never placed in the adversary-visible transcript: whenever they are transmitted, they are sent only over F_channel, so the adversary learns at most the explicit leakage modeled by F_channel, unless it corrupts an endpoint. Beyond transport confidentiality, the protocol enforces an explicit erasure discipline compatible with adaptive corruptions with secure erasures (Definition 5 (p. 14)): each honest party keeps share-deriving scalars in host memory only until their last use, and then securely erases them. Concretely, the only times share-deriving material is intentionally fed into long-term state are the internal F_KeyBox.Load calls that install signing shares and the three registration scalars used for RDR; immediately after the corresponding Load calls return, the host erases the consumed values. Per party: (i) ephemerals are erased immediately; (ii) the precise σ-tuples are passed into F_KeyBox.Load and then erased; and (iii) the only values retained are those inside the KeyBox slots ⟨sid, k31⟩, ⟨sid, k32⟩, ⟨sid, k23⟩, kept for later use via SealToPeer / OpenFromPeer (Algorithm 1 (p. 45)).
Optionally, to avoid any exposure of ephemeral scalars in host memory, the KeyBox can be extended with a small non-exporting interface that (i) samples ephemerals internally and (ii) performs the required group/field operations on opaque handles (and, for RDR, seals payloads TEE-to-TEE via SealToPeer / OpenFromPeer); more details in Appendix A (p. 64).

Erasure discipline (adaptive corruptions). All local steps in the base run are atomic w.r.t. adaptive corruptions: whenever an honest party outputs an outgoing message (including one carrying a UC-context NIZK), it immediately performs the explicit secure erasures listed below before yielding control to the adversary/scheduler. Consequently, any corruption that occurs after the message is emitted reveals none of the erased values (Definition 5 (p. 14)).
– P_1 (Round 2): After computing π^aff_1 = (π_{Y_1}, π_{D_1}) and sending (sid, X_1, M_1, B_1, σ_{1,2}, π^aff_1), P_1 securely erases all randomness and intermediate state used by the UC-NIZK prover(s). It retains only the σ-values needed for the later F^(1)_KeyBox.Load(·) calls.
– P_2 (Round 3): After computing π^aff_2 = (π_{Y_2}, π_{D_2}) and sending (X_2, π^aff_2, K), P_2 securely erases all UC-NIZK prover randomness and Fischlin prover scratch state for π_{Y_2} and π_{D_2} (including per-trial rarity-search temporaries, which need not be retained beyond the current iteration under a streaming implementation), and retains only the σ-values needed for the later F^(2)_KeyBox.Load(·) calls.
– All parties (post-install): Immediately after the final KeyBox installation step returns, each honest party securely erases all share-deriving scalars that were consumed by its Load calls (cf. Remark 6 (p. 14)). The only share-derived values retained after this point are the NXK-confined KeyBox slots themselves.
In particular, after an honest party has sent its protocol messages, an adaptive corruption reveals at most the retained σ-values (until installation) and never reveals any per-proof randomness beyond what is already encoded in the public proof strings.

Secure erasure in practice (non-normative). Our UC execution model uses the standard idealization of adaptive corruption with secure erasures: once the protocol explicitly erases a buffer, a later corruption reveals only the remaining (non-erased) local state (Definition 5 (p. 14)). We do not claim that commodity host platforms provide this property as a default. Rather, the intended interpretation is that NXK-restricted host-side material (including UC-context AoK witnesses and the prover's ephemeral randomness/scratch state) is handled in a hardened process boundary and is engineered to (i) never reach persistent storage (swap/hibernation, crash dumps, logs), and (ii) be overwritten promptly with compiler-resistant zeroization primitives. The optimized Fischlin prover need not store a large rarity-search "trace" in memory: for each repetition it can maintain only the current best candidate and overwrite per-challenge temporaries immediately, so the long-lived working set is O(1) scalars/group elements per repetition. Operational mitigations commonly used to approximate the erasure assumption include locking sensitive pages to avoid paging, disabling core dumps, and avoiding runtimes that may transparently copy or intern sensitive buffers. If such controls cannot be ensured, then the host should be treated as effectively "always-on" adversarial (outside our corruption-with-erasures model), or the design should move witness-bearing computation into a hardened boundary with an explicit interface that supports the required simulation/extraction view.

Table 4: Threat/placement summary for hardened SDKG deployments (host vs. KeyBox).
Component | Runs in | Why this placement is necessary
Long-term share generation/storage; Load derivations; GetPub; SealToPeer / OpenFromPeer | KeyBox | Enforces NXK non-exportability and key-opacity: long-term shares and any caller-invertible affine images never cross the KeyBox boundary; only restricted API outputs are visible.
NXK-restricted witnesses for UC-context consistency AoKs | Host | Must remain outside to enable oracle-log-based straight-line extraction for Fischlin-based UC-NIZK-AoKs. These scalars are treated as NXK-restricted material and are securely erased after proof generation and Load.
USV certificate generation Cert(pp, m) | KeyBox | Cert is implemented inside the hardened boundary and only (C, ζ) is exported.
USV verification/opening V_cert, Derive, Open_M and receipt binding H(USV.rcpt, ⟨sid, cid, P_s, P_r, C, ζ⟩) | Host | These are public deterministic checks/derivations and must be transcript-defined for verifiers and the UC simulator; no secrets are required. Receipt binding is in a non-programmable context USV.rcpt ∈ Ctx_np.
UC-context consistency AoKs | Host | Must be outside to enable straight-line extraction from corrupted-party proofs by inspecting the adversary's gRO-CRP query log.
KeyBox-resident one-shot DL proofs | KeyBox | Used only under ZK/simulation; sealing + state continuity ensure at most one response per commitment leaves the KeyBox.
gRO-CRP programming SimProgram | Simulator only | Only the ideal-world simulator programs in contexts in Ctx_p; parties and KeyBoxes never program H.

Hardened deployment: what runs where (KeyBox vs. host). Our security arguments rely on a precise boundary between computations that may run inside a state-continuous KeyBox (or an enclave-resident profile adapter that is part of the same trusted boundary) and computations that must remain outside on the host.
By "hardened" we mean that long-term shares are confined to the KeyBox and remain API-non-exportable even if the host is later corrupted (Definition 5 (p. 14)). We still permit NXK-restricted ephemerals (including witnesses for UC-context AoKs) to exist transiently in host RAM during an atomic local step and to be protected only by secure erasures against adaptive corruptions; we do not aim to protect against an "always-on" RAM adversary on an otherwise honest host. The key distinction below is extractability: proofs that the UC simulator must extract from (via oracle-log inspection) cannot be generated inside a KeyBox, because gRO-CRP has local-call semantics and the simulator does not observe KeyBox-internal Query traces (Remark 9 (p. 19) and Definition 9 (p. 19)). Table 4 (p. 44) summarizes the intended placement in hardened deployments and the reason each placement is necessary. This placement is not merely an implementation preference: it is required by the combination of (i) state continuity (no rewinding/forking inside the KeyBox; Assumption 2 (p. 13)) and (ii) oracle-log-based straight-line extraction for Fischlin-based UC-NIZK-AoKs (Definition 10 (p. 22) and Remark 9 (p. 19)). If one wishes to move UC-extractable AoKs into a hardened boundary, the model must be strengthened to expose an extractable interface (e.g., a simulator-visible oracle-log/receipt interface), or one must switch to a proof mechanism whose UC extraction does not rely on observing the prover's gRO-CRP queries.

Algorithm 1: One-shot registration of recovery device $P_3$.

Input: $sid$; the public key $K$ for this session (learned by $P_3$ from the base-run publication via $\mathcal{F}_{\mathrm{pub}}$); and parties $P_1, P_2$ with sealed registration scalars installed inside their respective KeyBoxes, i.e., slots $\langle sid, \mathsf{k13}\rangle, \langle sid, \mathsf{k31}\rangle$ for $P_1$ and $\langle sid, \mathsf{k32}\rangle, \langle sid, \mathsf{k23}\rangle$ for $P_2$. $P_1$ and $P_2$ (along with any already-registered parties/devices) additionally hold the public session metadata point $K_{1,3}$ derived from the base-run transcript (Definition 20 (p. 45)).

Associated data. $P_3$ ignores any associated-data strings received from the network. Instead, it recomputes the following locally from $(sid, P_s, P_r, \mathsf{tag})$ and supplies them to $\mathsf{OpenFromPeer}$:
$ad_{31} := \langle \mathsf{SDKG.reg}, sid, P_1, P_3, \mathsf{k31}\rangle$, $ad_{32} := \langle \mathsf{SDKG.reg}, sid, P_2, P_3, \mathsf{k32}\rangle$, $ad_{23} := \langle \mathsf{SDKG.reg}, sid, P_2, P_3, \mathsf{k23}\rangle$.

Sender steps.
- $P_1$ retrieves the session metadata $K_{1,3}$; computes $\varpi_1 \leftarrow \mathcal{F}^{(1)}_{\mathrm{KeyBox}}.\mathsf{Use}(\langle sid, \mathsf{k31}\rangle, \mathsf{SealToPeer}, \langle P_3, ad_{31}\rangle)$, and sends $(sid, \varpi_1, K_{1,3}, K)$.
- $P_2$ uses the session metadata $K_{1,3}$ and computes two ciphertexts $\varpi_{2a} \leftarrow \mathcal{F}^{(2)}_{\mathrm{KeyBox}}.\mathsf{Use}(\langle sid, \mathsf{k32}\rangle, \mathsf{SealToPeer}, \langle P_3, ad_{32}\rangle)$ and $\varpi_{2b} \leftarrow \mathcal{F}^{(2)}_{\mathrm{KeyBox}}.\mathsf{Use}(\langle sid, \mathsf{k23}\rangle, \mathsf{SealToPeer}, \langle P_3, ad_{23}\rangle)$, and sends $(sid, \varpi_{2a}, \varpi_{2b}, K_{1,3})$.

Transport. The two registration messages ($P_1 \to P_3$ and $P_2 \to P_3$) are delivered over authenticated channels (modeled by $\mathcal{F}_{\mathrm{channel}}$).

Input consistency. Upon receiving $(sid, \varpi_1, K^{(1)}_{1,3}, K_{\mathrm{net}})$ from $P_1$, require $K_{\mathrm{net}} = K$ (otherwise abort). Upon receiving $(sid, \varpi_{2a}, \varpi_{2b}, K^{(2)}_{1,3})$ from $P_2$, require $K^{(1)}_{1,3} = K^{(2)}_{1,3}$ (otherwise abort), and set $K_{1,3} \leftarrow K^{(1)}_{1,3}$.

Installation. $P_3$ forwards $(\varpi_1, \varpi_{2a}, \varpi_{2b}, ad_{31}, ad_{32}, ad_{23}, K, K_{1,3})$ into $\mathcal{F}^{(3)}_{\mathrm{KeyBox}}$, which executes the following installation procedure (modeled as an atomic transaction):
(1) Install sponsor state. Open $\varpi_{2a}$ with $ad_{32}$ and $\varpi_{2b}$ with $ad_{23}$ internally via $\mathsf{OpenFromPeer}$ to obtain opaque handles $\tau^{\mathrm{reg}}_{3,2}$ and $\tau^{\mathrm{reg}}_{2,3}$, then invoke $\mathsf{Load}(\langle sid, \mathsf{k32}\rangle, g^{\mathrm{reg}}_{3,2}, \langle \tau^{\mathrm{reg}}_{3,2}\rangle)$ and $\mathsf{Load}(\langle sid, \mathsf{k23}\rangle, g^{\mathrm{reg}}_{2,3}, \langle \tau^{\mathrm{reg}}_{2,3}\rangle)$.
(2) Install the recovery share. (Re-)open $\varpi_1$ with $ad_{31}$, $\varpi_{2a}$ with $ad_{32}$, and $\varpi_{2b}$ with $ad_{23}$ internally via $\mathsf{OpenFromPeer}$ to obtain fresh opaque handles $\tau_{3,1}, \tau_{3,2}, \tau_{2,3}$, and then invoke $\mathsf{Load}(\langle sid, \mathsf{k3}\rangle, g_3, \langle \tau_{2,3}, \tau_{3,2}, \tau_{3,1}, K, K_{1,3}\rangle)$.
Accept iff all $\mathsf{Load}$ invocations above return $\mathsf{ok}$.

Definition 20 (Transcript-derived $K_{1,3}$). In any accepted base-run transcript with $T_2 = (X_1, M_1, B_1, \sigma_{1,2}, \pi^{\mathrm{aff}}_1)$, define the public metadata point
$K_{1,3} := \mathsf{Derive}_{K_{1,3}}(T_2) := 2(M_1 + B_1) - X_1 \in \mathbb{G}$.
Equivalently, $K_{1,3} = \mathsf{PubMap}(k_{1,3})$ for $k_{1,3} := 2\sigma_{1,3} - x_1$, but the protocol uses only the public derivation above and never invokes $\mathsf{GetPub}$ on slot $\langle sid, \mathsf{k13}\rangle$.

The one-shot registration protocol in Algorithm 1 (p. 45) is modeled in $\mathcal{F}_{\mathrm{SDKG}}$ (Fig. 8 (p. 48)) by (i) leaking only the lengths of the two registration messages, denoted by $\ell_{\mathrm{reg},1}$ for the $P_1 \to P_3$ message and $\ell_{\mathrm{reg},2}$ for the sponsor-to-$P_3$ message, and (ii) installing the corresponding recovery-role share and sponsor-state slots inside $\mathcal{F}^{(3)}_{\mathrm{KeyBox}}$ upon successful completion. When the receiver $P_3$ is corrupted, an authenticated confidential-channel functionality reveals the entire delivered message to the adversary. Therefore, in $\mathcal{F}_{\mathrm{SDKG}}$ we do not model registration transport by uniform dummy strings. Instead, the registration payloads are treated as syntactically valid encodings of the same tuple-structured messages as in Algorithm 1 (p. 45), with ciphertext components sampled from the same distribution as real $\mathsf{SealToPeer}$ outputs.
Concretely, $\mathcal{F}_{\mathrm{SDKG}}$ conceptually samples sealing ciphertexts
$\varpi_1 \leftarrow \mathsf{Enc}^{\mathrm{seal}}_{pk(P_3)}(ad_{31}, \sigma_{3,1})$, $\varpi_{2a} \leftarrow \mathsf{Enc}^{\mathrm{seal}}_{pk(P_3)}(ad_{32}, \sigma_{3,2})$, $\varpi_{2b} \leftarrow \mathsf{Enc}^{\mathrm{seal}}_{pk(P_3)}(ad_{23}, \sigma_{2,3})$
for the slot-bound associated data $(ad_{31}, ad_{32}, ad_{23})$ defined in Algorithm 1 (p. 45), and then forms the delivered network messages as the self-delimiting encodings $\langle sid, \varpi_1, K_{1,3}, K\rangle$, $\langle sid, \varpi_{2a}, \varpi_{2b}, K_{1,3}\rangle$.

Algorithm 2: Acceptance predicate $\mathsf{Acc}_{\mathrm{SDKG}}(sid, P_s, P_r, T)$.

Input: session identifier $sid$; USV committer $P_s$ and relying party $P_r$; transcript $T = (T_1, T_2, T_3)$, where $T_1 = (cid_2, C_2, \zeta_2, B_2, \sigma_{2,1}, h_{3,2}, d)$, $T_2 = (X_1, M_1, B_1, \sigma_{1,2}, \pi^{\mathrm{aff}}_1)$, $T_3 = (X_2, \pi^{\mathrm{aff}}_2, K_{\mathrm{rec}})$.
Output: 1 iff all checks below pass; otherwise 0.

Parse / derive. If parsing fails, return 0.
D1: Compute $M_2 \leftarrow \mathsf{Open}_M(pp, C_2, \zeta_2)$ (if $M_2 = \bot$, return 0) and $d^\star \leftarrow H_{\mathrm{USV.rcpt}}(\langle sid, cid_2, P_s, P_r, C_2, M_2\rangle)$.
D2: Derive affine-check auxiliaries: $Y_1 \leftarrow M_1 + 2B_1$; $D_1 \leftarrow X_1 - \sigma_{2,1}G - Y_1$; $Y_2 \leftarrow M_2 + 3B_2$; $D_2 \leftarrow X_2 - \sigma_{1,2}G - Y_2$.
D3: Derive $K_{1,3} \leftarrow 2(M_1 + B_1) - X_1$ and the candidate key $\widehat{K} \leftarrow 3X_1 - 2X_2$.

Checks. Accept iff all of the following hold:
C1: USV receipt consistency: $d = d^\star$.
C2: USV certificate linkage: $\sigma_{2,1}G - 2B_2 = M_2$.
C3: Affine AoK for $X_1$: write $\pi^{\mathrm{aff}}_1 = (\pi_{Y_1}, \pi_{D_1})$ and require $\sigma_{1,2}G = M_1 + 3B_1 \;\wedge\; V_{\mathrm{DL}}(pp, \langle sid, \mathsf{SDKG.aff1.Y}, Y_1\rangle, \pi_{Y_1}) = 1 \;\wedge\; V_{\mathrm{DL}}(pp, \langle sid, \mathsf{SDKG.aff1.D}, D_1\rangle, \pi_{D_1}) = 1$.
C4: Affine AoK for $X_2$: write $\pi^{\mathrm{aff}}_2 = (\pi_{Y_2}, \pi_{D_2})$ and require $V_{\mathrm{DL}}(pp, \langle sid, \mathsf{SDKG.aff2.Y}, Y_2\rangle, \pi_{Y_2}) = 1 \;\wedge\; V_{\mathrm{DL}}(pp, \langle sid, \mathsf{SDKG.aff2.D}, D_2\rangle, \pi_{D_2}) = 1$.
C5: Digest check for $h_{3,2}$: $h_{3,2} = H_{s32}(\langle sid, cid_2, D_2\rangle)$.
C6: Key consistency: check $K_{\mathrm{rec}} = \widehat{K}$.
Return 1.
This ensures that if $P_3$ is corrupted, the adversary observes well-formed messages and can invoke $\mathsf{OpenFromPeer}$ on the received ciphertexts. When $P_3$ is honest, the externally visible distribution of these sealed blobs remains simulatable from public information under our KeyBox key-opacity assumption (Assumption 1 (p. 11)), so the only explicit leakage retained by $\mathcal{F}_{\mathrm{SDKG}}$ is message length.

Observation 2 (Lagrange weights). It follows trivially that for some scalars $\alpha, \beta \in \mathbb{Z}_p$,
$K = kG = k_{1,2}G + k_2G = k_{1,3}G + k_3G = \alpha x_1G - \beta x_2G = (\alpha - \beta)(m_1 + m_2)G + (2\alpha - 3\beta)(b_1 + b_2)G + \alpha\sigma_{3,1}G - \beta\sigma_{3,2}G$.
For $u = 2$ and $v = 3$, the unique $\alpha, \beta$ satisfying $\alpha - \beta = 1$ and $\alpha u - \beta v = 0$ are $\alpha = 3$ and $\beta = 2$. Consequently, $\alpha x_1 - \beta x_2 = (m_1 + m_2) + \alpha\sigma_{3,1} - \beta\sigma_{3,2}$. More generally, for distinct $u, v \in \mathbb{Z}_p^*$, the unique choice is $\alpha = \frac{v}{v-u}$ and $\beta = \frac{u}{v-u}$.

For $\alpha = 3$, $\beta = 2$ (the Lagrange weights for $u = 2$, $v = 3$), in any accepting transcript $T$, the UC-NIZK(-AoK)s and the USV opening uniquely determine $(x_1, x_2)$. Hence, the only $T$-consistent shares with $k = k_{1,2} + k_2$ are $(k_{1,2}, k_2) = (3x_1, -2x_2)$. Since $f_1, f_2$ are linear, $m_1 = f_1(0) = 2f_1(1) - f_1(2) = 2\sigma_{1,3} - \sigma_{1,1}$ and $m_2 = f_2(0) = 2f_2(1) - f_2(2) = 2\sigma_{2,3} - \sigma_{2,1}$. By Observation 2 (p. 46), $k = (m_1 + m_2) + 3\sigma_{3,1} - 2\sigma_{3,2}$. Substituting, and regrouping with $x_1 = \sigma_{1,1} + \sigma_{2,1} + \sigma_{3,1}$, yields
$k = (2\sigma_{1,3} - x_1) + 2(\sigma_{2,3} - \sigma_{3,2} + 2\sigma_{3,1}) = k_{1,3} + k_3$.

Lemma 12 ($\mathsf{Acc}_{\mathrm{SDKG}}$ need not call $\mathcal{F}_{\mathrm{USV}}.\mathsf{Verify}$). Consider any real execution of $\Psi^{(3)}_{\mathrm{SDKG}}$ in the $(\mathcal{F}_{\mathrm{KeyBox}}, \mathcal{F}_{\mathrm{USV}}, \mathcal{F}_{\mathrm{channel}})$-hybrid model wherein $P_1$ is honest. If the Round 2 message $T_2 = (X_1, M_1, B_1, \sigma_{1,2}, \pi^{\mathrm{aff}}_1)$ is delivered to $P_2$ over $\mathcal{F}_{\mathrm{channel}}$, then $P_1$ must have previously executed the check $\mathcal{F}_{\mathrm{USV}}.\mathsf{Verify}(sid, cid_2, P_2, C_2, \zeta_2) = 1$ and the receipt-digest consistency check $d = H_{\mathrm{USV.rcpt}}(\langle sid, cid_2, P_2, P_1, C_2, M_2\rangle)$, where $M_2 := \mathsf{Open}_M(pp, C_2, \zeta_2)$. Consequently, for any transcript that can arise with honest $P_1$ and authenticated channels, the digest check C1 in Algorithm 2 (p. 46) already captures the effect of the explicit $\mathcal{F}_{\mathrm{USV}}.\mathsf{Verify}$ performed by honest $P_1$ in Round 2.

Proof Sketch. An honest $P_1$ sends $T_2$ only if $\mathcal{F}_{\mathrm{USV}}.\mathsf{Verify}(sid, cid_2, P_2, C_2, \zeta_2) = 1$ and the receipt-digest check succeeds; otherwise it aborts before sending. Since $\mathcal{F}_{\mathrm{channel}}$ is authenticated, an adversary cannot forge $T_2$ on behalf of honest $P_1$. ■

The KeyBox $\mathsf{Load}$ step is modeled as an atomic transaction. This can be implemented by delaying the sealed-storage write until after validation. Registering devices $P_i$ for $i > 3$ follows the same pattern: $P_1$ always seals $\sigma_{3,1}$ from slot $\langle sid, \mathsf{k31}\rangle$, and the sponsor leaf seals the sponsor-state scalars from its local slots $\langle sid, \mathsf{k32}\rangle$ and $\langle sid, \mathsf{k23}\rangle$. The joining device installs (i) its long-term recovery share in slot $\langle sid, \mathsf{k3}\rangle$ via $g_3$, and (ii) the sponsor-state slots $\langle sid, \mathsf{k32}\rangle$ and $\langle sid, \mathsf{k23}\rangle$ via $g^{\mathrm{reg}}_{3,2}$ and $g^{\mathrm{reg}}_{2,3}$. Consequently, every already-registered leaf can serve as sponsor for future registrations.

In the setting of Proposition 1 (p. 18), any enrollment mechanism that requires a party to export or externally derive fresh share-deriving material from the public/external view conflicts with NXK under key-opacity. Proposition 1 (p. 18) bounds the success probability of any PPT strategy that computes $\widehat{k}_{\mathrm{new}}$ from $(pp, \tau_{\mathrm{ext}})$. SDKG's one-shot registration of $P_3$ does not attempt to compute $f(x_{\mathrm{new}})$ (or any share-derived plaintext) from $\tau_{\mathrm{ext}}$.
Instead, existing devices transfer the required registration scalars to $P_3$ only via (attested) KeyBox-to-KeyBox sealing using $\mathsf{SealToPeer}$/$\mathsf{OpenFromPeer}$, and $P_3$'s KeyBox derives and installs $k_3$ internally (via $g_3$). Externally, the transported ciphertexts are part of $\tau_{\mathrm{ext}}$ and remain simulatable under key-opacity. Beyond $i = 3$, our scalable NXK-compatible RDR enrollment registers additional devices as redundant front-ends for the recovery role.

8 UC Security

In the ideal functionality $\mathcal{F}_{\mathrm{SDKG}}$ (Fig. 8 (p. 48)), to avoid distributional mismatches under adaptive corruption, we use a transcript-driven finalization rule. In any accepting transcript, the UC-extractable affine AoKs and the $s32$-digest check pin down unique values $(x_1, x_2)$, the value $\sigma_{3,2}$ bound into $h_{3,2}$, and (via the affine AoK for $X_1$) the value $\sigma_{3,1}$ bound by $D_1 = X_1 - \sigma_{2,1}G - (M_1 + 2B_1) = \sigma_{3,1}G$. Accordingly, $\mathcal{F}_{\mathrm{SDKG}}$ does not sample $(x_1, x_2, \sigma_{3,1}, \sigma_{3,2})$ at finalization time. Instead, finalization is gated on a single simulator-only $\mathsf{Program}$ message supplying these transcript-consistent values; $\mathcal{F}_{\mathrm{SDKG}}$ checks consistency against the stored transcript before outputting $K$ and installing KeyBox shares.

In $\mathcal{F}_{\mathrm{SDKG}}$, the base-run record $T = (T_1, T_2, T_3)$ is supplied via the ideal functionality's adversary interface (i.e., by the ideal-world simulator) through the $\mathsf{Tin}_1$/$\mathsf{Tin}_2$/$\mathsf{Tin}_3$ messages. This is purely bookkeeping used to couple the ideal execution to the simulated real execution; it should not be interpreted as adversary-visible leakage. The slot tuples $T_i$ may include fields that are transmitted only over $\mathcal{F}_{\mathrm{channel}}$ in honest executions (e.g., $\sigma$-scalars), even though the adversary learns at most the explicit $\mathcal{F}_{\mathrm{channel}}$ leakage unless it corrupts an endpoint.

Remark 18 (Ideal-world KeyBox installation). In Fig. 3 (p. 11), $\mathcal{F}^{(P_{\mathrm{own}})}_{\mathrm{KeyBox}}$ accepts $(\mathsf{Load}, \mu, g, m)$ and $(\mathsf{Use}, \mu, f, m)$ only from its owner party $P_{\mathrm{own}}$. Therefore, under standard UC semantics an ideal functionality (e.g., $\mathcal{F}_{\mathrm{SDKG}}$) cannot directly "impersonate" $P_i$ to issue $\mathsf{Load}$/$\mathsf{Use}$ to $\mathcal{F}^{(i)}_{\mathrm{KeyBox}}$. To make KeyBox installation effects well-defined in the ideal world, we interpret every occurrence of the phrase "have $P_i$ invoke $\mathcal{F}^{(i)}_{\mathrm{KeyBox}}.\mathsf{Load}/\mathsf{Use}(\cdot)$" inside $\mathcal{F}_{\mathrm{SDKG}}$ (and $\mathcal{F}^{(n)}_{\mathrm{SDKG}}$) as shorthand for the following fixed mechanism: in the ideal execution, the canonical dummy party for $P_i$ is composed with a deterministic KeyBox-driver wrapper $W^{(i)}_{\mathrm{KB}}$ that behaves like the dummy party on all external ports, but additionally implements an internal command port from the ideal functionality. Upon receiving $(\mathsf{KBcmd}, sid, \mathsf{ops})$ from $\mathcal{F}_{\mathrm{SDKG}}$, where $\mathsf{ops}$ is a list of KeyBox calls of the form $(\mathsf{Load}, \mu, g, m)$ and/or $(\mathsf{Use}, \mu, f, m)$, if $P_i$ is honest then $W^{(i)}_{\mathrm{KB}}$ executes the listed calls sequentially against its local instance $\mathcal{F}^{(i)}_{\mathrm{KeyBox}}$ over the internal channel, suppresses the command from $\mathcal{Z}$, and returns $(\mathsf{KBret}, sid, \mathsf{res})$ to $\mathcal{F}_{\mathrm{SDKG}}$ with the list of return values. If $P_i$ is corrupted, $\mathcal{A}$ controls $W^{(i)}_{\mathrm{KB}}$ and may delay/modify/ignore these commands, as usual.

♦ State (per session $sid$): corruption set $\mathsf{Cor} \subseteq \{1, 2, 3\}$; flags $\mathsf{finalized}, \mathsf{RegPending}, \mathsf{RegDone} \in \{0, 1\}$ (init 0); approvals $\mathsf{Auth} \subseteq \{1, 2\}$ (init $\emptyset$); transcript slots $T_1, T_2, T_3$ (init $\bot$); optional programmed values $(x_1, x_2, \sigma_{3,1}, \sigma_{3,2}) \in (\mathbb{Z}_p \cup \{\bot\})^4$ (init $\bot$); retain the registration scalars $(\sigma_{3,1}, \sigma_{2,3}, \sigma_{3,2}) \in \mathbb{Z}_p^3$ and $K_{1,3} \in \mathbb{G}$ after finalization; registration-channel state multiset $Q_{\mathrm{reg}}$ of $(\rho, P_s, P_r, w, \phi)$, and delivered set $D_{\mathrm{reg}}$ (init empty); delivered registration payload buffers $w^{\mathrm{del}}_{\mathrm{reg},1}, w^{\mathrm{del}}_{\mathrm{reg},2} \in \{0,1\}^* \cup \{\bot\}$ (init $\bot$).
♦ Init: Upon $(\mathsf{init}, 2, sid)$ from $P_2$, send $(\mathsf{init}, sid)$ to $P_1, P_2, P_3$ and $\mathcal{A}$.

♦ Transcript feed (ideal adversary/simulator interface; bookkeeping): Upon receiving one of the following messages from $\mathcal{A}$, if the corresponding transcript slot is empty then store it and run TryFinalize:
– $(\mathsf{Tin}_1, sid, cid_2, C_2, \zeta_2, B_2, \sigma_{2,1}, h_{3,2}, d)$: if $T_1 = \bot$ then set $T_1 \leftarrow (cid_2, C_2, \zeta_2, B_2, \sigma_{2,1}, h_{3,2}, d)$.
– $(\mathsf{Tin}_2, sid, X_1, M_1, B_1, \sigma_{1,2}, \pi^{\mathrm{aff}}_1)$: if $T_2 = \bot$ then set $T_2 \leftarrow (X_1, M_1, B_1, \sigma_{1,2}, \pi^{\mathrm{aff}}_1)$.
– $(\mathsf{Tin}_3, sid, X_2, \pi^{\mathrm{aff}}_2, \widehat{K})$: if $T_3 = \bot$ then set $T_3 \leftarrow (X_2, \pi^{\mathrm{aff}}_2, \widehat{K})$.

♦ TryFinalize: If $\mathsf{finalized} = 1$ or some $T_i = \bot$, do nothing. Otherwise let $T := (T_1, T_2, T_3)$. If $\mathsf{Acc}_{\mathrm{SDKG}}(sid, P_2, P_1, T) = 0$ (Algorithm 2 (p. 46)), do nothing. If $\mathsf{Acc}_{\mathrm{SDKG}}(sid, P_2, P_1, T) = 1$, then:
1. If $x_1 = \bot$ or $x_2 = \bot$ or $\sigma_{3,1} = \bot$ or $\sigma_{3,2} = \bot$, do nothing and return. Let $T_1 = (cid_2, C_2, \zeta_2, B_2, \sigma_{2,1}, h_{3,2}, d)$, $T_2 = (X_1, M_1, B_1, \sigma_{1,2}, \pi^{\mathrm{aff}}_1)$, and $T_3 = (X_2, \pi^{\mathrm{aff}}_2, K_{\mathrm{rec}})$. Define $Y_1 := M_1 + 2B_1$ and $D_1 := X_1 - \sigma_{2,1}G - Y_1$. Require $X_1 = x_1G$, $X_2 = x_2G$, $h_{3,2} = H_{s32}(\langle sid, cid_2, \sigma_{3,2}G\rangle)$, and $D_1 = \sigma_{3,1}G$. Define
   $\sigma_{1,1} := x_1 - \sigma_{2,1} - \sigma_{3,1} \bmod p$, $\sigma_{1,3} := 2\sigma_{1,1} - \sigma_{1,2} \bmod p$, $k_{1,2} := 3x_1$, $k_2 := -2x_2$, $k_{1,3} := 2\sigma_{1,3} - x_1 \bmod p$, $K_{1,3} := 2(M_1 + B_1) - X_1$, $k := k_{1,2} + k_2 \bmod p$, $\sigma_{2,2} := x_2 - \sigma_{1,2} - \sigma_{3,2} \bmod p$.
2. Define recovery-role and sponsor-state scalars: $k_3 := (k - k_{1,3}) \bmod p$, $\sigma_{2,3} := k_3 \cdot 2^{-1} - 2\sigma_{3,1} + \sigma_{3,2} \bmod p$. Output $K := kG$ to $P_1, P_2, P_3$ and $\mathcal{A}$. Set $\mathsf{finalized} \leftarrow 1$.
3. If $1 \notin \mathsf{Cor}$, send to $P_1$ the internal KeyBox command $(\mathsf{KBcmd}, sid, (\mathsf{Load}, \langle sid, \mathsf{k12}\rangle, g_{1,2}, \langle \sigma_{1,1}, \sigma_{2,1}, \sigma_{3,1}\rangle), (\mathsf{Load}, \langle sid, \mathsf{k13}\rangle, g_{1,3}, \langle \sigma_{1,1}, \sigma_{2,1}, \sigma_{3,1}, \sigma_{1,3}\rangle), (\mathsf{Load}, \langle sid, \mathsf{k31}\rangle, g^{\mathrm{reg}}_{3,1}, \langle \sigma_{3,1}\rangle))$.
4. If $2 \notin \mathsf{Cor}$, send to $P_2$ the internal KeyBox command $(\mathsf{KBcmd}, sid, (\mathsf{Load}, \langle sid, \mathsf{k2}\rangle, g_2, \langle \sigma_{1,2}, \sigma_{2,2}, \sigma_{3,2}\rangle), (\mathsf{Load}, \langle sid, \mathsf{k32}\rangle, g^{\mathrm{reg}}_{3,2}, \langle \sigma_{3,2}\rangle), (\mathsf{Load}, \lang
le sid, \mathsf{k23}\rangle, g^{\mathrm{reg}}_{2,3}, \langle \sigma_{2,3}\rangle))$.

♦ Registration of $P_3$: Upon the first $(\mathsf{register}, 3, sid)$ from $P_3$: require $\mathsf{finalized} = 1$ and $\mathsf{RegDone} = 0$; set $\mathsf{RegPending} \leftarrow 1$, $\mathsf{Auth} \leftarrow \emptyset$; set $w^{\mathrm{del}}_{\mathrm{reg},1} \leftarrow \bot$ and $w^{\mathrm{del}}_{\mathrm{reg},2} \leftarrow \bot$; notify $P_1, P_2$ and $\mathcal{A}$ with $(\mathsf{RegReq}, 3, sid)$. Upon $(\mathsf{approve}, 3, sid)$ from $P_j$ with $j \in \{1, 2\}$ and $\mathsf{RegPending} = 1$, set $\mathsf{Auth} \leftarrow \mathsf{Auth} \cup \{j\}$ and notify $\mathcal{A}$. Upon $(\mathsf{RegGo}, 3, sid, w^\star_1, w^\star_2)$ from $\mathcal{A}$: if $\mathsf{RegPending} = 1$, $\mathsf{Auth} = \{1, 2\}$, $\mathsf{RegDone} = 0$, and $Q_{\mathrm{reg}} = \emptyset$, then: define the slot-bound $ad$ as in Algorithm 1 (p. 45): $ad_{31} := \langle \mathsf{SDKG.reg}, sid, P_1, P_3, \mathsf{k31}\rangle$, $ad_{32} := \langle \mathsf{SDKG.reg}, sid, P_2, P_3, \mathsf{k32}\rangle$, $ad_{23} := \langle \mathsf{SDKG.reg}, sid, P_2, P_3, \mathsf{k23}\rangle$. Sample $\rho_1, \rho_2 \leftarrow_{\$} \{0,1\}^\lambda$.
– If $1 \notin \mathsf{Cor}$, sample $\varpi_1 \leftarrow \mathsf{Enc}^{\mathrm{seal}}_{pk(P_3)}(ad_{31}, \sigma_{3,1})$ and set $w_{\mathrm{reg},1} := \langle sid, \varpi_1, K_{1,3}, K\rangle$. If $1 \in \mathsf{Cor}$, set $w_{\mathrm{reg},1} := w^\star_1$.
– If $2 \notin \mathsf{Cor}$, sample $\varpi_{2a} \leftarrow \mathsf{Enc}^{\mathrm{seal}}_{pk(P_3)}(ad_{32}, \sigma_{3,2})$ and $\varpi_{2b} \leftarrow \mathsf{Enc}^{\mathrm{seal}}_{pk(P_3)}(ad_{23}, \sigma_{2,3})$. Set $w_{\mathrm{reg},2} := \langle sid, \varpi_{2a}, \varpi_{2b}, K_{1,3}\rangle$. If $2 \in \mathsf{Cor}$, set $w_{\mathrm{reg},2} := w^\star_2$.
For each $j \in \{1, 2\}$ with $w_{\mathrm{reg},j} \neq \bot$: let $\phi_j := |w_{\mathrm{reg},j}|$; insert $(\rho_j, P_j, P_3, w_{\mathrm{reg},j}, \phi_j)$ into $Q_{\mathrm{reg}}$; send $(\mathsf{Leak}, sid, P_j, P_3, \rho_j, \phi_j)$ to $\mathcal{A}$. If $j \in \mathsf{Cor}$, additionally reveal $w_{\mathrm{reg},j}$ to $\mathcal{A}$.
Upon receiving $(\mathsf{Deliver}, sid, \rho)$ from $\mathcal{A}$: if $(\rho, P_s, P_3, w, \phi) \in Q_{\mathrm{reg}}$ and $\rho \notin D_{\mathrm{reg}}$, delete it from $Q_{\mathrm{reg}}$, add $\rho$ to $D_{\mathrm{reg}}$, and deliver $(\mathsf{Recv}, sid, P_s, w)$ to $P_3$. If $3 \in \mathsf{Cor}$, reveal $w$ to $\mathcal{A}$ at delivery time. If $P_s = P_1$, set $w^{\mathrm{del}}_{\mathrm{reg},1} \leftarrow w$. If $P_s = P_2$, set $w^{\mathrm{del}}_{\mathrm{reg},2} \leftarrow w$. If $\mathsf{RegPending} = 1$, $\mathsf{Auth} = \{1, 2\}$, $\mathsf{RegDone} = 0$, $Q_{\mathrm{reg}} = \emptyset$, $w^{\mathrm{del}}_{\mathrm{reg},1} \neq \bot$ and $w^{\mathrm{del}}_{\mathrm{reg},2} \neq \bot$ (i.e., both registration messages have been delivered), then:
– If $3 \in \mathsf{Cor}$: set $\mathsf{RegDone} \leftarrow 1$ and $\mathsf{RegPending} \leftarrow 0$ and output $(\mathsf{registered}, 3, sid)$ to $P_3$ and $\mathcal{A}$.
– If $3 \notin \mathsf{Cor}$: parse $w^{\mathrm{del}}_{\mathrm{reg},1} = \langle sid, \varpi_1, K^{(1)}_{1,3}, K^\star\rangle$ and $w^{\mathrm{del}}_{\mathrm{reg},2} = \langle sid, \varpi_{2a}, \varpi_{2b}, K^{(2)}_{1,3}\rangle$. Require $K^{(1)}_{1,3} = K^{(2)}_{1,3}$ and set $K^\star_{1,3} \leftarrow K^{(1)}_{1,3}$. If parsing fails then do nothing further. Otherwise, have $P_3$ attempt the KeyBox installation procedure from Algorithm 1 (p. 45) using $(\varpi_1, \varpi_{2a}, \varpi_{2b}, ad_{31}, ad_{32}, ad_{23}, K^\star, K^\star_{1,3})$, i.e., by invoking $\mathsf{OpenFromPeer}$ and $\mathsf{Load}(\cdot)$ exactly as in Algorithm 1 (p. 45). If all invoked $\mathsf{Load}$ calls return $\mathsf{ok}$, then set $\mathsf{RegDone} \leftarrow 1$ and $\mathsf{RegPending} \leftarrow 0$ and output $(\mathsf{registered}, 3, sid)$ to $P_3$ and $\mathcal{A}$. Otherwise do nothing further.

♦ Corruptions: Upon $(\mathsf{Corrupt}, i)$ from $\mathcal{A}$, add $i$ to $\mathsf{Cor}$ and reveal $P_i$'s local state. Thereafter, $\mathcal{A}$ controls $P_i$ and may invoke $\mathcal{F}^{(i)}_{\mathrm{KeyBox}}.\mathsf{Load}/\mathsf{Use}$ directly; $\mathcal{F}_{\mathrm{SDKG}}$ does not mediate these calls.

♦ Programming (simulator-only): Before finalization, $\mathsf{Sim}$ may once send $(\mathsf{Program}, sid, x^\star_1, x^\star_2, \sigma^\star_{3,1}, \sigma^\star_{3,2})$; set $x_1 \leftarrow x^\star_1$, $x_2 \leftarrow x^\star_2$, $\sigma_{3,1} \leftarrow \sigma^\star_{3,1}$, $\sigma_{3,2} \leftarrow \sigma^\star_{3,2}$. Then run TryFinalize. Finalization occurs only if the transcript slots are filled and the programmed values satisfy the TryFinalize consistency checks.

Fig. 8: Transcript-driven ideal functionality $\mathcal{F}_{\mathrm{SDKG}}$.

Lemma 13 (Latent (marginal) uniformity of the SDKG key).
Fix any session identifier $sid$ of $\widehat{\Psi}^{(3)}_{\mathrm{SDKG}}$. Let $x_1 := \sigma_{1,1} + \sigma_{2,1} + \sigma_{3,1}$ and $x_2 := \sigma_{1,2} + \sigma_{2,2} + \sigma_{3,2}$ denote the (conceptual) scalars defined by the parties' sampled $\sigma$-values in the base run, and define the candidate key scalar and group element
$\hat{k} := 3x_1 - 2x_2 \bmod p$, $\widehat{K} := \hat{k}G \in \mathbb{G}$.
If at least one of $\sigma_{3,1}$ or $\sigma_{3,2}$ is sampled uniformly, then $\widehat{K}$ is uniform in $\mathbb{G}$ marginally over that honest pad randomness.

Proof. For the Lagrange weights $u = 2$ and $v = 3$, Observation 2 (p. 46) gives $\hat{k} = (m_1 + m_2) + 3\sigma_{3,1} - 2\sigma_{3,2} \bmod p$, and hence $\widehat{K} = \hat{k}G$. If $\sigma_{3,1}$ is sampled honestly (uniformly in $\mathbb{Z}_p$ and independently of the remaining terms), then $3\sigma_{3,1}$ is uniform in $\mathbb{Z}_p$ (as $3 \neq 0 \bmod p$) and therefore $\hat{k} = ((m_1 + m_2) - 2\sigma_{3,2}) + 3\sigma_{3,1}$ is uniform in $\mathbb{Z}_p$. If instead $\sigma_{3,2}$ is sampled honestly, then $-2\sigma_{3,2}$ is uniform in $\mathbb{Z}_p$ and therefore $\hat{k} = ((m_1 + m_2) + 3\sigma_{3,1}) - 2\sigma_{3,2}$ is uniform in $\mathbb{Z}_p$. In either case $\hat{k}$ is uniform in $\mathbb{Z}_p$, and since $z \mapsto zG$ is a bijection, $\widehat{K} = \hat{k}G$ is uniform in $\mathbb{G}$. Since we make no fairness/guaranteed-output-delivery claim, the distribution of the delivered key conditioned on completion may be biased by selective abort (cf. Cleve [21]). ■

8.1 From $\mathcal{F}_{\mathrm{SDKG}}$ to the standard NXK-DKG interface

Fix the 1+1-out-of-3 star access structure $\Gamma_0 := \{\{P_1, P_2\}, \{P_1, P_3\}\}$. The functionality $\mathcal{F}_{\mathrm{SDKG}}$ (Fig. 8 (p. 48)) is deliberately transcript-driven: besides producing the public key $K$ and installing non-exportable KeyBox shares, it (i) records the public transcript items that determine acceptance and (ii) offers a simulator-only one-shot $\mathsf{Program}$ hook used exclusively to couple real and ideal executions under adaptive corruptions and straight-line extraction.

Definition 21 (Standard NXK-star DKG functionality $\mathcal{F}^{\star,\mathrm{NXK}}_{\mathrm{DKG}}$).
Fix the following deterministic polynomial-time wrapper ITM $W_{\mathrm{DKG}}$ that sits between the environment and an instance of $\mathcal{F}_{\mathrm{SDKG}}$ and exposes only the interface that we regard as the standard NXK-DKG API for $\Gamma_0$, namely:
1. the public key output $K$ for each accepting session (and the corresponding absence of output on abort);
2. the induced KeyBox installation effects (via the surrounding $\mathcal{F}_{\mathrm{KeyBox}}$ instances); and
3. if invoked, the post-finalization $\mathsf{registered}$ events for device registration (RDR).
The wrapper suppresses $\mathcal{F}_{\mathrm{SDKG}}$'s internal transcript bookkeeping (e.g., the transcript slots $T_1, T_2, T_3$) and does not expose the simulator-only $\mathsf{Program}$ port to the environment. Define $\mathcal{F}^{\star,\mathrm{NXK}}_{\mathrm{DKG}} := W_{\mathrm{DKG}} \circ \mathcal{F}_{\mathrm{SDKG}}$. As usual, $\mathcal{F}^{\star,\mathrm{NXK}}_{\mathrm{DKG}}$ makes no fairness guarantee: a corrupted party and/or the adversary-controlled scheduler may delay or prevent completion (selective abort), and may even condition its decision to abort on partial information about the (would-be) key.$^{7}$ Consequently, the uniformity guarantee we target is the conventional UC-DKG latent (marginal) uniformity (prior to conditioning on completion), not uniformity conditioned on completion.

Lemma 14 (Closure under interface restriction). Let $W_{\mathrm{DKG}}$ be the fixed wrapper from Definition 21 (p. 49) and let $\mathcal{F}^{\star,\mathrm{NXK}}_{\mathrm{DKG}} := W_{\mathrm{DKG}} \circ \mathcal{F}_{\mathrm{SDKG}}$. If a protocol $\Psi$ UC-realizes $\mathcal{F}_{\mathrm{SDKG}}$ in some model $\mathcal{M}$, then $\Psi$ UC-realizes $\mathcal{F}^{\star,\mathrm{NXK}}_{\mathrm{DKG}}$ in the same model $\mathcal{M}$.

[Footnote 7: Accordingly, while we can prove latent/marginal uniformity of the key prior to conditioning on completion, the distribution of the output key conditioned on completion may be biased via selective abort. This limitation is inherent in DKG/coin-flipping style tasks without guaranteed output delivery; see, e.g., Cleve [21].]

Proof Sketch. This is UC closure under efficient local post-processing. Fix any PPT adversary $\mathcal{A}$ for $\Psi$ when the ideal functionality is $\mathcal{F}^{\star,\mathrm{NXK}}_{\mathrm{DKG}}$.
Define an adversary $\mathcal{A}'$ for $\Psi$ when the ideal functionality is $\mathcal{F}_{\mathrm{SDKG}}$ that runs $\mathcal{A}$ and locally applies the same forwarding/output-filtering that $W_{\mathrm{DKG}}$ applies between the environment and $\mathcal{F}_{\mathrm{SDKG}}$ (i.e., it suppresses exactly the bookkeeping outputs/ports hidden by $W_{\mathrm{DKG}}$). By the hypothesis that $\Psi$ UC-realizes $\mathcal{F}_{\mathrm{SDKG}}$, there exists a PPT simulator $\mathsf{Sim}'$ for $\mathcal{A}'$ in the $\mathcal{F}_{\mathrm{SDKG}}$-ideal execution. Composing $\mathsf{Sim}'$ with the same local filtering yields a simulator for $\mathcal{A}$ in the $\mathcal{F}^{\star,\mathrm{NXK}}_{\mathrm{DKG}}$-ideal execution. ■

Observation 3 (DKG properties captured by $\mathcal{F}^{\star,\mathrm{NXK}}_{\mathrm{DKG}}$). For $\Gamma_0 := \{\{P_1, P_2\}, \{P_1, P_3\}\}$ and any session $sid$ of $\mathcal{F}^{\star,\mathrm{NXK}}_{\mathrm{DKG}}$, the following properties hold:
(i) NXK: No interface ever outputs the secret scalar $k$ or any share-deriving plaintext. All long-term shares remain confined to the parties' $\mathcal{F}_{\mathrm{KeyBox}}$ instances, and the adversary has only black-box access via the fixed admissible KeyBox profile.
(ii) Uniqueness / consistency of the induced key: If the session completes (outputs $K$), then there exists a unique scalar $k \in \mathbb{Z}_p$ such that $K = kG$, and the KeyBox-installed shares are consistent with a single global key under $\Gamma_0$ (i.e., the two authorized sets induce the same $k$). Concretely, the accepting transcript uniquely determines $x_1, x_2$ and hence $k = (3x_1 - 2x_2) \bmod p$ (Lemma 16 (p. 53)).
(iii) Secrecy against unauthorized corruption sets: For any unauthorized corruption set $B \subseteq \{P_1, P_2, P_3\}$ (i.e., $B$ contains no member of $\Gamma_0$), the functionality does not enable recovery of $k$: the adversary never obtains enough long-term shares to reconstruct $k$, and any leakage from interacting with corrupted parties' KeyBoxes is limited to the admissible KeyBox profile and hence is simulatable from public information under key-opacity (Assumption 1 (p. 11)).
(iv) Latent (marginal) uniformity (no fairness): As usual for UC-DKG, no fairness is guaranteed; however, if at least one of the designated pad scalars is honestly sampled, then the resulting public key $K$ is uniform in $\mathbb{G}$ marginally (prior to conditioning on completion) (Lemma 13 (p. 49)).

Proof Sketch. Item (i) follows from the NXK/$\mathcal{F}_{\mathrm{KeyBox}}$ model (Definition 5 (p. 14) and Remark 6 (p. 14)). Item (ii) is Lemma 16 (p. 53) together with the deterministic KeyBox-installation logic in $\mathcal{F}_{\mathrm{SDKG}}$/$\mathcal{F}^{\star,\mathrm{NXK}}_{\mathrm{DKG}}$. Item (iii) is exactly the intended DKG secrecy statement under $\Gamma_0$ in the NXK model: unauthorized sets lack a reconstructing share set, and admissible KeyBox interactions do not reveal share-deriving plaintexts under key-opacity. Item (iv) is Lemma 13 (p. 49). ■

For the star access structure $\Gamma_0 = \{\{P_1, P_2\}, \{P_1, P_3\}\}$, in the $(\mathcal{F}_{\mathrm{KeyBox}}, \mathcal{F}_{\mathrm{channel}}, \mathcal{F}_{\mathrm{pub}})$-hybrid model, $W_{\mathrm{DKG}} \circ \mathcal{F}_{\mathrm{SDKG}}$ matches the standard NXK-DKG semantics for $\Gamma_0$ in the following concrete sense:
1. Latent (marginal) uniformity under one honest pad: Define the transcript-derived candidate key $\widehat{K} := 3X_1 - 2X_2$ whenever $X_1$ and $X_2$ are defined (cf. Algorithm 2 (p. 46), Step D3). If at least one of $\sigma_{3,1}$ or $\sigma_{3,2}$ is sampled by an honest party, then $\widehat{K}$ is uniform in $\mathbb{G}$, marginally over that honest pad randomness (i.e., prior to conditioning on session completion) (Lemma 13 (p. 49)).
2. Consistency with a single key: Acceptance implies there exist unique transcript-defined $x_1, x_2 \in \mathbb{Z}_p$ and thus a unique $k \in \mathbb{Z}_p$ such that $K = kG$ and the KeyBox-installed shares are consistent with $k$ under $\Gamma_0$ (Lemma 16 (p. 53) and the definition of the installed slots in Fig. 8 (p. 48)).
3. Non-exportability: All long-term shares remain confined to $\mathcal{F}_{\mathrm{KeyBox}}$ by construction, and share-deriving material is NXK-restricted (Remark 6 (p. 14)).
As usual, no fairness guarantee is made: a corrupted party may selectively abort after learning enough to decide whether to proceed.

Remark 19 (On transcript-driven finalization). The simulator-only $\mathsf{Program}$ interface in $\mathcal{F}_{\mathrm{SDKG}}$ is a proof device used to handle adaptive corruptions with straight-line extraction: it delays committing to certain internal scalars until the simulator can derive them from the public transcript. $\mathsf{Program}$ does not give the ideal world extra freedom to choose outputs: finalization is gated by deterministic transcript checks, and in any accepting transcript the induced values are uniquely determined (Lemma 16 (p. 53)). The wrapper $W_{\mathrm{DKG}}$ hides $\mathsf{Program}$ and all transcript slots from applications, yielding the standard NXK-DKG interface $\mathcal{F}^{\star,\mathrm{NXK}}_{\mathrm{DKG}}$.

8.2 Formal necessity of USV under hardened profiles

Section 5.1 (p. 29) gave the short design-space motivation; this section provides the formal obstruction and proof in the NXK/$\mathcal{F}_{\mathrm{KeyBox}}$ + gRO-CRP model. The concrete SDKG base run already transmits a full USV instance $(C_2, \zeta_2)$, and hence $M_2$ is deterministically computable from the transcript as $M_2 = \mathsf{Open}_M(pp, C_2, \zeta_2)$. The purpose of this section is to address a natural alternative design in which one attempts to replace USV by a generic hiding commitment to $m_2$ (a commit-only transcript that contains $C_2$ but no public material that fixes $m_2G$), and then tries to recover $M_2$ by straight-line extraction of $m_2$ under NXK/$\mathcal{F}_{\mathrm{KeyBox}}$. We show this fails unless the model is strengthened or hiding is broken. Equivalently, in the NXK setting one must provide either an explicit $M_2$ or USV-style public opening material that deterministically fixes $M_2$ without exporting $m_2$.

What must be transcript-defined (and why).
In the SDKG base run, both honest verification and the UC simulator must be able to compute certain group elements as deterministic functions of the public transcript, in straight-line. Concretely, verification (Algorithm 2 (p. 46)) and transcript-driven programming of $\mathcal{F}_{\mathrm{SDKG}}$ (Fig. 8 (p. 48)) require forming the leaf-dependent auxiliary point $Y_2 := M_2 + 3B_2$ where $M_2 := m_2G$, for a leaf scalar $m_2 \in \mathbb{Z}_p$ that is not exported under NXK. Equivalently, the transcript must determine $M_2$ via a deterministic PPT map (an "opening-to-$\mathbb{G}$" map), so that $Y_2$ and the subsequent affine auxiliaries are well-defined from the transcript alone.

Design options under NXK/$\mathcal{F}_{\mathrm{KeyBox}}$. Under our KeyBox/gRO-CRP model, there are essentially three ways to make $M_2$ transcript-defined:
1. Publish $M_2$ directly: If the leaf can compute $M_2 = m_2G$ outside the KeyBox, then it can simply transmit $M_2$. This trivially makes $Y_2$ transcript-defined and removes the need for USV. We treat this as a different design point: it bypasses the commit-shaped transcript setting and assumes the leaf has a way to compute and publish $m_2G$ without relying on straight-line extraction from a KeyBox-internal proof. Our focus is the hardened profile-centric setting in which $m_2$ is generated inside the KeyBox/profile-adapter and the admissible profile does not expose a generic "export $mG$" interface for fresh ephemeral scalars; for example, the admissible KeyBox profile may correspond to a cloud KMS role that permits signing/derivation but denies public-key retrieval [1, 35, 50]. In that setting, an alternative attempt using only a hiding commitment (commit-only transcript) would fail.
2. Commit to $m_2$ and extract via an opening-AoK: One could have the leaf publish $C_2 \leftarrow \mathsf{Commit}(m_2; r_2)$ and an AoK $\pi_{\mathrm{open}}$ of an opening, then let the verifier/simulator extract $m_2$ and set $M_2 = m_2G$.
In our setting this fails in straight-line: witness-bearing computation may be delegated to a state-continuous KeyBox (Assumption 2 (p. 13)), so rewinding/forking is unavailable; and straight-line extraction for our Fischlin-style UC-NIZK-AoKs relies on access to the prover's gRO-CRP query log in the proof context (Remark 9 (p. 19)), which is hidden by local-call semantics (Definition 9 (p. 19)). Forcing $\pi_{\mathrm{open}}$ outside the KeyBox restores observability but requires the leaf to materialize $(m_2, r_2)$ (or an equivalent caller-invertible affine image sufficient to derive $M_2$) in its non-KeyBox state, which contradicts the hardened/minimal-profile design point of this section: $m_2$ is not available outside the KeyBox/profile-adapter and the admissible profile exposes no export-$m_2$ or export-$(m_2G)$ interface.$^{8}$ Lemma 15 (p. 52) formalizes this obstruction.
3. Add public opening material that deterministically fixes $M_2$ without exporting $m_2$: in the hardened profile-centric setting, the leaf runs $(C_2, \zeta_2) \leftarrow \mathsf{Cert}(pp, m_2)$ inside the KeyBox boundary and releases only $(C_2, \zeta_2)$; everyone derives $M_2 = \mathsf{Open}_M(pp, C_2, \zeta_2)$ outside. USV provides this and makes $Y_2$ (and the induced transcript-defined auxiliaries and shares) well-defined from the transcript, enabling both honest verification and straight-line UC simulation/programming.

[Footnote 8: If one allows such materialization, one can instead publish $M_2 = m_2G$ directly, as mentioned previously.]

Hence, the SDKG verification predicate and the UC proof need $M_2$ (hence $Y_2$) to be a deterministic function of the public transcript, while NXK prevents exporting $m_2$ or $m_2G$, and the KeyBox/local-call semantics prevent straight-line extraction of $m_2$ from a KeyBox-internal opening-AoK.
USV resolves this by providing a public "opening-to-$\mathbb{G}$" map $M_2 = \mathsf{Open}_M(pp, C_2, \zeta_2)$ that is transcript-defined yet does not violate the KeyBox's confidentiality assumptions. Our subsequent transcript analysis is stated in terms of $\mathsf{Open}_M(pp, C_2, \zeta_2)$ rather than in terms of extracted witnesses.

Lemma 15 (Commit-only transcripts cannot define $M_2$ under NXK/$\mathcal{F}_{\mathrm{KeyBox}}$). Fix the NXK/$\mathcal{F}_{\mathrm{KeyBox}}$ setting (Assumptions 1 (p. 11) and 2 (p. 13)) in the gRO-CRP model (Definition 9 (p. 19)). Let $\mathsf{Com} = (\mathsf{Commit}, \mathsf{Open})$ be a computationally hiding commitment scheme for messages in $\mathbb{Z}_p$. Consider any protocol variant in which the leaf's public contribution contains only a commitment $C_2 := \mathsf{Commit}(m_2; r_2)$ to $m_2 \in \mathbb{Z}_p$, and the transcript contains no additional public material that deterministically fixes the group element $M_2 := m_2G$ as a function of the transcript. Suppose that honest verification and/or the UC proof require forming a transcript-defined auxiliary $Y_2 := M_2 + 3B_2$ for public $B_2 \in \mathbb{G}$, and that the simulator must compute the same $Y_2$ in straight-line from the public transcript. Then no PPT straight-line UC simulator, given only the public transcript and black-box access to corrupted KeyBoxes via admissible profiles, can compute the required $Y_2$ with non-negligible probability, unless either (i) hiding of $\mathsf{Com}$ is violated, or (ii) the model is strengthened beyond NXK/$\mathcal{F}_{\mathrm{KeyBox}}$.

Proof. Assume for contradiction that there exists a PPT straight-line simulator $\mathsf{Sim}$ that, on accepting transcripts, outputs the correct $Y_2$.

Public transcript notation. Let $\tau_{\mathrm{pub}}$ denote the transcript-visible portion of an execution (Reader Note 2.1 (p. 8)), i.e., everything outside honest KeyBoxes and outside authenticated confidential channels.
In the commit-only design point of this lemma, the leaf's only $\tau_{\mathrm{pub}}$-dependence on $m_2$ is through $C_2 = \mathsf{Commit}(m_2; r_2)$ (by hypothesis: the transcript contains no additional public material that deterministically fixes $M_2 = m_2G$). Equivalently, the remaining public fields $\tau^{\setminus C_2}_{\mathrm{pub}}$ admit a PPT sampler $\mathsf{Sample}(pp, C_2)$ that outputs $\tau^{\setminus C_2}_{\mathrm{pub}}$ distributed as in a real execution conditioned on the given $C_2$.$^{9}$

Case 1 (transcript-only derivation): Assume $\mathsf{Sim}$'s output $Y_2$ is determined by $\tau_{\mathrm{pub}}$ alone (i.e., it does not rely on extracting $m_2$ from a KeyBox-internal interaction). Formally, fix the induced PPT map $\mathsf{Derive}_Y(\tau_{\mathrm{pub}})$ that outputs the same $Y_2$ value that $\mathsf{Sim}$ outputs on public view $\tau_{\mathrm{pub}}$. Since $B_2$ is public, define $\mathsf{Derive}_M(\tau_{\mathrm{pub}}) := \mathsf{Derive}_Y(\tau_{\mathrm{pub}}) - 3B_2 \in \mathbb{G}$. By correctness on accepting transcripts, whenever the execution is accepting we have $\mathsf{Derive}_Y(\tau_{\mathrm{pub}}) = Y_2 = M_2 + 3B_2$, and thus $\mathsf{Derive}_M(\tau_{\mathrm{pub}}) = M_2 = m_2G$ except with negligible probability. We now build a hiding adversary $\mathcal{B}$ against $\mathsf{Com}$. On input a hiding challenge $C^\star = \mathsf{Commit}(m_b; r)$ for $b \in \{0, 1\}$ (for chosen distinct messages $m_0, m_1 \in \mathbb{Z}_p$), $\mathcal{B}$ samples $\tau^{\setminus C_2}_{\mathrm{pub}} \leftarrow \mathsf{Sample}(pp, C^\star)$ and sets $\tau_{\mathrm{pub}} := (C_2 := C^\star, \tau^{\setminus C_2}_{\mathrm{pub}})$. It computes $M^\star := \mathsf{Derive}_M(\tau_{\mathrm{pub}})$ and outputs $b' = 0$ iff $M^\star = m_0G$. Because $\tau_{\mathrm{pub}}$ is distributed as a real public transcript conditioned on $C_2 = \mathsf{Commit}(m_b; r)$, the above correctness implies $\Pr[b' = b] \ge \frac{1}{2} + \epsilon(\lambda)$ for some non-negligible $\epsilon$, contradicting computational hiding of $\mathsf{Com}$.

Case 2 ($\mathsf{Sim}$ obtains $m_2$ (or $M_2$) by extraction from an opening-AoK): To avoid Case 1, the only generic route is to require an AoK $\pi_{\mathrm{open}}$ of an opening $(m_2, r_2)$ and extract $m_2$ to set $M_2 = m_2G$.
If π open is generated outside the KeyBo x so that standard extraction applies, then the leaf must first obtain ( m 2 , r 2 ) (or an y caller-inv ertible affine image of m 2 sufficien t to compute M 2 ) in its non-K eyBox state. This contradicts the hardened/minimal-profile premise of this subsection, in which m 2 is generated inside the KeyBox/profile-adapter and no admissible API exp orts m 2 (or 9 If τ \ C 2 pub con tains any public NIZK ob jects whose honest generation w ould normally use witness material depending on m 2 , then Sample generates those ob jects using the corresp onding NIZK simulator/univ ersal simulation in terface; ZK guarantees indistinguishabilit y . UC-Secure Star DKG for Non-Exp ortable Key Shares with VSS-F ree Enforcemen t 53 m 2 G ) in the clear 10 . If instead π open is generated inside the KeyBox to preserve NXK, then straigh t-line extraction for our Fisc hlin-based UC-NIZK(-AoK) mechanisms requires access to the prov er’s gR O-CRP query log in the relev an t pro of con text (Remark 9 (p. 19)), whic h is hidden by local-call semantics (Definition 9 (p. 19)); and Assumption 2 (p. 13) rules out rewinding/forking the KeyBox. Thus Sim cannot extract in straight-line without strengthening the mo del as stated. Com bining the cases, a commit-only transcript cannot yield a transcript-defined M 2 (hence Y 2 ) under NXK/ F KeyBox without either breaking hiding or relaxing the mo del constrain ts. Therefore an additional public-op ening mec hanism that deterministically maps commitmen t material to M 2 (e.g., USV or an explicit M 2 ) is necessary . ■ 8.3 Main Theorem In F SDKG , the state Q reg , D reg and the ( Leak / Deliver / Recv ) scheduling are an inlined instance of F channel (Fig. 1 (p. 9)), sp ecialized to the tw o registration payloads with leakage ℓ reg , 1 , ℓ reg , 2 . Lemma 16 (T ranscript uniquely determines the key). 
L et T b e a b ase-run (1+1-out-of-3) tr anscript such that A cc SDKG ( sid , P 2 , P 1 , T ) = 1 (Algorithm 2 (p. 46)), and let M 2 , Y 1 , D 1 , Y 2 , D 2 , b K b e the values derive d by A cc SDKG fr om T . Then ther e exist unique x 1 , x 2 ∈ Z p such that X 1 = x 1 G and X 2 = x 2 G . Mor e over, exc ept with ne gligible pr ob ability in λ , the (str aight-line) A oK extr actors applie d to the verifying DL subpr o ofs in π aff 1 = ( π Y 1 , π D 1 ) and π aff 2 = ( π Y 2 , π D 2 ) r e c over witnesses α i , δ i ∈ Z p such that Y i = α i G and D i = δ i G for i ∈ { 1 , 2 } . Sp e cific al ly, they determine x 1 = σ 2 , 1 + α 1 + δ 1 mo d p, x 2 = σ 1 , 2 + α 2 + δ 2 mo d p. In addition, write T 1 = ( cid 2 , C 2 , ζ 2 , B 2 , σ 2 , 1 , h 3 , 2 , d ) and let U ∈ G denote the (unique, if any) p oint for which the sender’s R ound 1 digest was obtaine d as an or acle r eply h 3 , 2 = H s32 ( ⟨ sid , cid 2 , U ⟩ ) . 11 Then, exc ept with ne gligible pr ob ability, Acc SDKG ( sid , P 2 , P 1 , T ) = 1 implies D 2 = U . In honest exe cutions, U = σ 3 , 2 G . Conse quently, K = b K = 3 X 1 − 2 X 2 = (3 x 1 − 2 x 2 ) G . Pr o of Sketch. Existence and uniqueness of x 1 , x 2 are unconditional b ecause G is cyclic of prime order with generator G (so z 7→ z G is a bijection on Z p ). Because A cc SDKG ( sid , P 2 , P 1 , T ) = 1 , the DL verific ations for Y 1 , D 1 , Y 2 , D 2 all accept. By the A oK prop erty of Π DL , except with negligible extraction error the straight-line extractor outputs α i , δ i suc h that Y i = α i G and D i = δ i G for i ∈ { 1 , 2 } . F rom the definitions Y 1 := M 1 + 2 B 1 and D 1 := X 1 − σ 2 , 1 G − Y 1 , w e get X 1 = σ 2 , 1 G + Y 1 + D 1 = ( σ 2 , 1 + α 1 + δ 1 ) G , and similarly X 2 = ( σ 1 , 2 + α 2 + δ 2 ) G , yielding the stated form ulas for x 1 , x 2 . Consider the Round 1 v alue h 3 , 2 and the later deriv ed point D 2 used in Check C5 . 
If the sender is honest, it computes h 3 , 2 = H s32 ( ⟨ sid , cid 2 , σ 3 , 2 G ⟩ ) and th us fixes the p oin t U := σ 3 , 2 G b efore D 2 is formed. If the sender is corrupted, there are t wo p ossibilities: (i) it queried H s32 ( ⟨ sid , cid 2 , U ⟩ ) for some p oin t U ∈ G and set h 3 , 2 to the reply , or (ii) it outputs a fresh λ -bit guess for h 3 , 2 without querying. In case (ii), since H s32 ( ⟨ sid , cid 2 , D 2 ⟩ ) is uniform conditioned on the adversary’s view, Check C5 holds with probability at most 2 − λ . In case (i), Check C5 implies H s32 ( ⟨ sid , cid 2 , D 2 ⟩ ) = H s32 ( ⟨ sid , cid 2 , U ⟩ ) . Thus, unless a collision/second-preimage o ccurs for H s32 , we must hav e D 2 = U . In honest executions this sp ecializes to D 2 = σ 3 , 2 G . Finally , K = 3 X 1 − 2 X 2 = (3 x 1 − 2 x 2 ) G is algebraic. ■ 10 Again, if such materialization is allow ed, the protocol can instead publish M 2 = m 2 G directly . 11 If the sender does not query and instead guesses h 3 , 2 , then Check C5 holds only with probability 2 − λ . If tw o distinct queried p oin ts map to the same h 3 , 2 , this is an oracle collision. Both ev ents are negligible. 54 Vipin Singh Sehraw at Theorem 3 (UC realization of F SDKG b y Ψ (3) SDKG ). Fix Fischlin p ar ameter functions ( t ( λ ) , b ( λ ) , r ( λ ) , S ( λ )) satis- fying Definition 15 (p. 24). Then assuming har dness of DL, pr oto c ol Ψ (3) SDKG UC-r e alizes the functionality F SDKG in the ( F KeyBox , F USV , F channel , F pub ) -hybrid and gRO-CRP mo dels against arbitr ary adaptive c orruptions of any subset of p arties in { P i } i ∈ [3] . Pr o of. Fix any PPT real-world adversary A and PPT en vironment Z . W e construct a PPT sim ulator Sim such that Exec Ψ (3) SDKG , A , Z ≈ c Ideal ( F SDKG , Sim , Z ) in the ( F KeyBox , F USV , F channel , F pub ) -h ybrid and gRO-CRP mo dels, against adaptiv e corruptions with secure erasures. A c c eptanc e pr e dic ate. 
A session is accepting iff the deterministic checks in the protocol description verify (USV validity/digest, affine consistency equations, and all UC-NIZK verifications). The simulator applies the same checks and mirrors aborts. By Lemma 12 (p. 47), when $P_1$ is honest through Round 2 the $\mathcal{F}_{\mathsf{USV}}.\mathsf{Verify}$ gate is implied by the presence of $T_2$, hence Algorithm 2 (p. 46) captures acceptance. If $P_1$ is corrupted, no such implication is required.

UC-NIZK interfaces. All UC-NIZK proofs that matter for extraction use the dedicated UC context(s). By the AoK property of the Fischlin-based UC-NIZK, there exists a straight-line PPT extractor $\mathsf{Ext}_{\mathsf{DL}}$ that, given a verifying proof for a DL statement and the prover's gRO-CRP query/answer log under the UC proof context, outputs the corresponding witness except with negligible probability. For an affine proof $\pi^{\mathsf{aff}}_i = (\pi_{Y_i}, \pi_{D_i})$, define $\mathsf{Ext}_{\mathsf{aff}}(\pi^{\mathsf{aff}}_i) := (\mathsf{Ext}_{\mathsf{DL}}(\pi_{Y_i}), \mathsf{Ext}_{\mathsf{DL}}(\pi_{D_i}))$. Moreover, by the ZK property of the same UC-NIZK in the (programmable) gRO-CRP UC contexts, there exists a PPT simulator $\mathsf{Sim}_{\mathsf{UC}}$ that can produce accepting proofs without witnesses in those contexts.

Simulator $\mathsf{Sim}$. The simulator $\mathsf{Sim}$ runs $\mathcal{A}$ as a subroutine and maintains, for each session identifier $\mathsf{sid}$, a session record containing the functionality transcript slots $T_{\mathsf{sid}} := (T_1, T_2, T_3)$ (Fig. 8 (p. 48)), a stage variable, and (when defined) values $x_1(\mathsf{sid}), x_2(\mathsf{sid}), \sigma_{3,1}(\mathsf{sid}), \sigma_{3,2}(\mathsf{sid})$. It forwards all of $\mathcal{A}$'s gRO-CRP queries to the global oracle $H$ and logs all $(\mathsf{ctx}, x, H(\mathsf{ctx}, x))$ triples for the UC proof contexts used by $\Pi^{\mathsf{UC}}_{\mathsf{DL}}$. For the non-programmable digest context $\mathsf{SDKG.s32}$, $\mathsf{Sim}$ only forwards queries (no programming). Whenever $\mathsf{Sim}$'s real-world emulation fixes the value that will populate one of the transcript slots $T_1, T_2, T_3$ for session $\mathsf{sid}$, $\mathsf{Sim}$ supplies it to $\mathcal{F}_{\mathsf{SDKG}}$ by sending the corresponding $(\mathsf{Tin}_i, \mathsf{sid}, \ldots)$ message on the ideal adversary/simulator interface. These transcript-slot values are used only to drive $\mathcal{F}_{\mathsf{SDKG}}$'s deterministic acceptance/finalization logic and may include fields that are not adversary-visible in honest executions (they can be carried only over $\mathcal{F}_{\mathsf{channel}}$); they are never output by $\mathcal{F}_{\mathsf{SDKG}}$ and are hidden from $\mathcal{Z}$ by the wrapper $\mathcal{W}_{\mathsf{DKG}}$. $\mathcal{F}_{\mathsf{SDKG}}$'s stored transcript slots track the simulated real transcript under adversarial scheduling.

Hybrid argument. We define hybrids over the joint execution (potentially many concurrent sessions); $\mathsf{Sim}$ keeps a separate record per $\mathsf{sid}$. Since the environment $\mathcal{Z}$, adversary $\mathcal{A}$, and all parties are PPT, the total number of sessions initiated and the total number of UC-context proofs simulated/verified in the execution are bounded by $\mathsf{poly}(\lambda)$. Specifically, for each programmable proof context $\mathsf{ctx} \in \mathsf{Ctx}_p$, the simulator makes at most $m_{\mathsf{ctx}}(\lambda) = \mathsf{poly}(\lambda)$ total calls to $\mathsf{SimProgram}(\mathsf{ctx}, \cdot, \cdot)$ across all sessions. Therefore, Lemma 3 (p. 20) applies with this global $m_{\mathsf{ctx}}(\lambda)$, and the resulting union bound over all programming attempts (across all sessions) remains negligible. Indistinguishability is shown by a standard per-session hybrid argument together with this global union bound.

Hybrid $\Game_0$ (real execution). This is $\Psi^{(3)}_{\mathsf{SDKG}}$ with honest parties, in the $(\mathcal{F}_{\mathsf{KeyBox}}, \mathcal{F}_{\mathsf{USV}}, \mathcal{F}_{\mathsf{channel}}, \mathcal{F}_{\mathsf{pub}})$-hybrid and gRO-CRP models.

Hybrid $\Game_1$ (simulate honest UC-NIZKs). Modify $\Game_0$ as follows: whenever an honest party would output a UC-context UC-NIZK proof, replace it with a proof generated by $\mathsf{Sim}_{\mathsf{UC}}$ in the corresponding UC context. All other values/messages are unchanged. By the ZK property of the Fischlin-based UC-NIZK in the UC gRO-CRP contexts, we have $\Game_1 \approx_c \Game_0$.
Concretely, $\mathsf{Sim}$ uses $\mathsf{SimProgram}$ to realize the universal simulation interface; because $\mathsf{SimProgram}$ fails on already-defined points, the only divergence is the pre-query bad event of Lemma 3 (p. 20), which occurs with negligible probability.

Bookkeeping. In $\Game_1$, $\mathsf{Sim}$ still samples and records (per session $\mathsf{sid}$) the honest-party local scalars that determine the public points $X_1, X_2$ and the digest check (e.g., the values used to form $X_1 = x_1 G$, $X_2 = x_2 G$, $\sigma_{3,1}G$, and $\sigma_{3,2}G$), exactly as in $\Game_0$; only the sent UC-context proof strings are replaced by simulated proofs via $\mathsf{Sim}_{\mathsf{UC}}$. Importantly, $\mathsf{Sim}$ will never invoke the Fischlin/AoK extractor on any proof output by $\mathsf{Sim}_{\mathsf{UC}}$ (which may have been produced using $\mathsf{SimProgram}$).

Lemma 17 (Fresh tagged statements for SDKG extraction). Let $\mathcal{Q}$ be the set of UC-context DL statements (across all sessions in the execution) for which the simulator invoked the UC-proof simulator $\mathsf{Sim}_{\mathsf{UC}}$. In any session $\mathsf{sid}$, SDKG verifies UC-context DL proofs only on tagged statements of the form $\langle \mathsf{sid}, \ell, M \rangle$, where the label $\ell$ is fixed by the proof position (one of $\mathsf{SDKG.aff1.Y}$, $\mathsf{SDKG.aff1.D}$, $\mathsf{SDKG.aff2.Y}$, $\mathsf{SDKG.aff2.D}$). Then any UC-context DL proof contributed by a corrupted party in session $\mathsf{sid}$ and verified by an honest party is on a tagged statement $x$ satisfying $x \notin \mathcal{Q}$.

Proof Sketch. Fix any session identifier $\mathsf{sid}$. By construction of Hybrid $\Game_1$, the simulator invokes the UC-proof simulator $\mathsf{Sim}_{\mathsf{UC}}$ only for UC-context DL proofs that are generated by honest parties in that session (i.e., in honest proof positions). Let $\mathcal{Q}_{\mathsf{sid}} := \{x \in \mathcal{Q} : x \text{ is of the form } \langle \mathsf{sid}, \ell, M \rangle\}$. Then $\mathcal{Q}_{\mathsf{sid}}$ contains exactly the tagged statements for which $\mathsf{Sim}_{\mathsf{UC}}$ produced simulated UC-context proofs in session $\mathsf{sid}$. Consider any UC-context DL proof contributed by a corrupted party in session $\mathsf{sid}$ and verified by an honest party. Such a proof necessarily comes from a proof position whose generating party is corrupted in that session, and therefore $\mathsf{Sim}$ did not invoke $\mathsf{Sim}_{\mathsf{UC}}$ for that position in session $\mathsf{sid}$. Hence the corresponding tagged statement $x$ is not in $\mathcal{Q}_{\mathsf{sid}}$, and thus $x \notin \mathcal{Q}$. Finally, because the tag $\mathsf{sid}$ is part of the statement, statements from different sessions cannot collide; injectivity of $\langle\cdot\rangle$ rules out any other collisions. ■

Hybrid $\Game_2$ (extract from adversarial UC-NIZKs; abort on failure). Modify $\Game_1$ as follows: whenever $\mathcal{A}$ delivers a verifying UC-context affine proof $\pi^{\mathsf{aff}}_i = (\pi_{Y_i}, \pi_{D_i})$ attributed to a corrupted party, $\mathsf{Sim}$ runs $\mathsf{Ext}_{\mathsf{aff}}(\pi^{\mathsf{aff}}_i)$ using $\mathsf{Log}_{\mathcal{A}}$ in that UC context to obtain $(\alpha_i, \delta_i)$. If extraction fails or the extracted witnesses do not satisfy the relation, abort the session. Because $\Game_1$ may expose $\mathcal{A}$ to simulated proofs produced using $\mathsf{SimProgram}$, the appropriate guarantee here is simulation-extractability (Definition 12 (p. 23)), not merely plain AoK soundness. Concretely, let $\mathcal{Q}$ be the set of UC-context statements for which $\mathsf{Sim}$ invoked the simulator $\mathsf{Sim}_{\mathsf{UC}}$. By Lemma 17 (p. 55), every corrupted-party UC-context DL statement on which $\mathsf{Sim}$ runs extraction is fresh relative to the simulator-produced statement set $\mathcal{Q}$. Therefore, the simulation-extractability guarantee of Lemma 6 (p. 26)(iii) applies to these proofs, and the bad event $\mathsf{Bad}_{\mathsf{ext/forge}} := \{$a corrupted party's UC-context proof verifies but no valid witness is extracted$\}$ occurs with probability at most $\mathsf{negl}(\lambda)$; thus $\Game_2 \approx_c \Game_1$.

Hybrid $\Game_3$ (switch to the 
ideal functionality via transcript-defined programming). Modify $\Game_2$ by replacing the real-world key-derivation effect with interaction with $\mathcal{F}_{\mathsf{SDKG}}$ as follows.
$\mathsf{Sim}$ continues to simulate the network transcript towards $\mathcal{A}$ and $\mathcal{Z}$ and mirrors the same accept/abort predicate. Whenever $\Game_2$ reaches an accepting transcript for some session $\mathsf{sid}$, $\mathsf{Sim}$ defines $(x_1(\mathsf{sid}), x_2(\mathsf{sid}), \sigma_{3,1}(\mathsf{sid}), \sigma_{3,2}(\mathsf{sid}))$ as follows, without extracting from any simulated proof. Fix a session $\mathsf{sid}$ and suppose the simulator's emulated transcript reaches a point where the stored transcript slots $T_{\mathsf{sid}} = (T_1, T_2, T_3)$ satisfy $\mathsf{Acc}_{\mathsf{SDKG}}(\mathsf{sid}, P_2, P_1, T_{\mathsf{sid}}) = 1$ (Algorithm 2 (p. 46)). Let $Y_1, D_1, Y_2, D_2$ be the derived points from $T_{\mathsf{sid}}$, and write $\pi^{\mathsf{aff}}_i = (\pi_{Y_i}, \pi_{D_i})$. Define $\mathsf{Bad}_{\mathsf{ext}}(\mathsf{sid})$ to be the event that, for some DL subproof in this session that is attributed to a corrupted party and verifies under $V_{\mathsf{DL}}$, straight-line extraction fails or yields a value not satisfying the DL relation. Let $\mathsf{Bad}_{\mathsf{s32}}(\mathsf{sid})$ be the event that the $\mathsf{s32}$-digest check in $\mathsf{Acc}_{\mathsf{SDKG}}$ holds by a fresh guess without a prior query or by an oracle collision/second-preimage. In Hybrid $\Game_2$, the simulator aborts the session on $\mathsf{Bad}_{\mathsf{ext}}(\mathsf{sid})$, so below we condition on $\neg\mathsf{Bad}_{\mathsf{ext}}(\mathsf{sid})$; and by standard RO reasoning, $\Pr[\mathsf{Bad}_{\mathsf{s32}}(\mathsf{sid})]$ is negligible. Conditioned on $\neg(\mathsf{Bad}_{\mathsf{ext}}(\mathsf{sid}) \vee \mathsf{Bad}_{\mathsf{s32}}(\mathsf{sid}))$, the simulator defines $(x_1, x_2, \sigma_{3,1}, \sigma_{3,2})$ by the following corruption-pattern analysis (Table 5) and then issues the one-shot $\mathcal{F}_{\mathsf{SDKG}}$ programming command $(\mathsf{Program}, \mathsf{sid}, x_1, x_2, \sigma_{3,1}, \sigma_{3,2})$.

Table 5: Explicit determination of the programmed values in Theorem 3 (p. 54).

Pattern: $P_1$ honest, $P_2$ honest.
  How $\mathsf{Sim}$ fixes $(x_1, \sigma_{3,1})$: from the honest emulation record. $X_1 = x_1 G$ and $D_1 = \sigma_{3,1} G$ were formed using sampled scalars; $\mathsf{Sim}$ sets $(x_1, \sigma_{3,1})$ to those recorded values.
  How $\mathsf{Sim}$ fixes $(x_2, \sigma_{3,2})$: from the honest emulation record. $X_2 = x_2 G$ and $h_{3,2} = H_{\mathsf{s32}}(\langle \mathsf{sid}, \mathsf{cid}_2, \sigma_{3,2}G \rangle)$ were formed using sampled $\sigma_{3,2}$; $\mathsf{Sim}$ sets $(x_2, \sigma_{3,2})$ to those recorded values.
Pattern: $P_1$ corrupted, $P_2$ honest.
  $(x_1, \sigma_{3,1})$: extract $(\alpha_1, \delta_1)$ from $\pi^{\mathsf{aff}}_1 = (\pi_{Y_1}, \pi_{D_1})$ and set $\sigma_{3,1} := \delta_1$, $x_1 := \sigma_{2,1} + \alpha_1 + \delta_1$.
  $(x_2, \sigma_{3,2})$: as in the all-honest row (recorded from the honest $P_2$ emulation).
Pattern: $P_1$ honest, $P_2$ corrupted.
  $(x_1, \sigma_{3,1})$: as in the all-honest row (recorded from the honest $P_1$ emulation).
  $(x_2, \sigma_{3,2})$: extract $(\alpha_2, \delta_2)$ from $\pi^{\mathsf{aff}}_2 = (\pi_{Y_2}, \pi_{D_2})$ and set $\sigma_{3,2} := \delta_2$, $x_2 := \sigma_{1,2} + \alpha_2 + \delta_2$.
Pattern: $P_1$ corrupted, $P_2$ corrupted.
  Extract $(\alpha_1, \delta_1)$ and $(\alpha_2, \delta_2)$ and define $\sigma_{3,1} := \delta_1$, $x_1 := \sigma_{2,1} + \alpha_1 + \delta_1$ and $\sigma_{3,2} := \delta_2$, $x_2 := \sigma_{1,2} + \alpha_2 + \delta_2$.

Hence, for corrupted parties, the simulator never needs to argue that the extracted witnesses equal some hidden internal $\sigma$-variables of the adversary. It only needs them to satisfy $Y_i = \alpha_i G$ and $D_i = \delta_i G$ for the transcript-defined points $Y_i, D_i$. Because $z \mapsto zG$ is a bijection, these witnesses (when extracted) are uniquely determined by $Y_i$ and $D_i$, and therefore the programmed values are canonical given the accepting transcript. Finally, by Lemma 16 (p. 53), the resulting programmed key is $K = (3x_1 - 2x_2)G$, matching the real transcript-derived key $\widehat{K}$ whenever the session accepts. Then $\mathsf{Sim}$ invokes the one-shot programming interface of $\mathcal{F}_{\mathsf{SDKG}}$: $(\mathsf{Program}, \mathsf{sid}, x_1(\mathsf{sid}), x_2(\mathsf{sid}), \sigma_{3,1}(\mathsf{sid}), \sigma_{3,2}(\mathsf{sid}))$. By transcript mirroring, at the point $\mathsf{Sim}$ invokes $(\mathsf{Program}, \mathsf{sid}, \ldots)$ the ideal $\mathcal{F}_{\mathsf{SDKG}}$ has already received the same public transcript items via $\mathsf{Tin}_1/\mathsf{Tin}_2/\mathsf{Tin}_3$ (up to adversarial scheduling), and since $\mathcal{F}_{\mathsf{SDKG}}$ runs $\mathsf{TryFinalize}$ on both transcript stores and $\mathsf{Program}$, the ideal output event is triggered exactly when the simulated transcript becomes accepting.

Ordering and slot consistency for registration. In Fig. 8 (p. 48), the registration handler is gated on $\mathsf{finalized} = 1$. By construction, $\mathsf{finalized}$ is set only inside $\mathsf{TryFinalize}$, and $\mathsf{TryFinalize}$ returns early unless the simulator has already supplied the one-shot $\mathsf{Program}$ message fixing $(x_1, x_2, \sigma_{3,1}, \sigma_{3,2})$. Therefore, every registration attempt occurs only after the above programming step has fixed these values. Moreover, at the same point where $\mathsf{TryFinalize}$ sets $\mathsf{finalized} \leftarrow 1$, it deterministically defines the registration scalars $(\sigma_{3,1}, \sigma_{3,2}, \sigma_{2,3})$ (Fig. 8 (p. 48), Steps (1)–(2)) and, for each honest sender, issues the corresponding KeyBox installation commands that load these scalars into the dedicated slots $\langle \mathsf{sid}, \mathsf{k31} \rangle$ (for $P_1$) and $\langle \mathsf{sid}, \mathsf{k32} \rangle, \langle \mathsf{sid}, \mathsf{k23} \rangle$ (for $P_2$) (Fig. 8 (p. 48)). Consequently, in the real protocol the subsequent sealing calls in Algorithm 1 (p. 45) encrypt exactly these same resident values, i.e.,
$$\varpi^{d}_1 = \mathsf{Enc}^{\mathsf{seal}}_{\mathsf{pk}(P_3)}(\mathsf{ad}_{31}, \sigma_{3,1}), \quad \varpi^{d}_{2a} = \mathsf{Enc}^{\mathsf{seal}}_{\mathsf{pk}(P_3)}(\mathsf{ad}_{32}, \sigma_{3,2}), \quad \varpi^{d}_{2b} = \mathsf{Enc}^{\mathsf{seal}}_{\mathsf{pk}(P_3)}(\mathsf{ad}_{23}, \sigma_{2,3}),$$
which matches the ciphertext sampling performed by $\mathcal{F}_{\mathsf{SDKG}}$ on honest senders in the ideal world. If a sender is corrupted, both the real protocol and $\mathcal{F}_{\mathsf{SDKG}}$ allow the adversary to supply the delivered payload directly (via $w^\star_1, w^\star_2$), so no additional slot-consistency condition is required in that case.

By the gRO-CRP assumption for the non-programmable context $\mathsf{SDKG.s32}$, $\Pr[\mathsf{Bad}_{\mathsf{s32}}] \le \mathsf{negl}(\lambda)$. Conditioned on $\neg(\mathsf{Bad}_{\mathsf{ext/forge}} \vee \mathsf{Bad}_{\mathsf{s32}})$, the extracted scalars satisfy the relations in Lemma 16 (p. 53), and in particular the real-world output satisfies $K_{\mathsf{real}} = (3x_1(\mathsf{sid}) - 2x_2(\mathsf{sid}))G$. After programming, $\mathcal{F}_{\mathsf{SDKG}}$ outputs $K(\mathsf{sid}) = (3x_1(\mathsf{sid}) - 2x_2(\mathsf{sid}))G = K_{\mathsf{real}}$. Thus, conditioned on no bad event, the public key output seen by $\mathcal{Z}$ is identical in $\Game_3$ and $\Game_2$, and the simulated transcript/abort behavior is unchanged. Hence $\Game_3 \approx_c \Game_2$.
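The identities of Lemma 16 and the programming rule of Table 5 can be replayed on concrete values. The following Python model is an added example, not code from the paper: it uses a constructed toy group (the order-509 subgroup of $\mathbb{Z}_{1019}^*$, written additively in the comments to match the paper), collapses the paper's $Y_i := M_i + cB_i$ construction into a single discrete log $\alpha_i$, stands in for the Fischlin extractor by handing the DL witnesses over directly, and models only the DL, affine-consistency and Check C5 parts of $\mathsf{Acc}_{\mathsf{SDKG}}$. The field names, the placement of $\sigma_{1,2}$ in the transcript and the SHA-256 stand-in for $H_{\mathsf{s32}}$ are assumptions.

```python
# Added example, not the paper's code: toy replay of Lemma 16 and Table 5.
import hashlib
import random
from dataclasses import dataclass, replace

# Constructed toy group (no security): the order-P subgroup of Z_Q^* with
# Q = 2P + 1 = 1019 and generator 4. The paper writes the group additively,
# so "zG" is pow(4, z, Q) and "A + B" is A * B mod Q.
Q, P, G = 1019, 509, 4

def mul(z):                 # z * G
    return pow(G, z % P, Q)

def smul(k, A):             # k * A for a point A
    return pow(A, k % P, Q)

def add(A, B):              # A + B
    return (A * B) % Q

def sub(A, B):              # A - B
    return (A * pow(B, Q - 2, Q)) % Q

def h_s32(sid, cid2, point):
    # Stand-in (assumption) for the non-programmable digest H_s32(<sid, cid2, U>).
    return hashlib.sha256(f"SDKG.s32|{sid}|{cid2}|{point}".encode()).hexdigest()

@dataclass
class Transcript:
    sid: str
    cid2: str
    sigma21: int   # sigma_{2,1}, public in T_1
    sigma12: int   # sigma_{1,2}, public (assumed to sit in T_2)
    h32: str       # Round-1 digest h_{3,2}
    Y1: int
    D1: int
    Y2: int
    D2: int
    X1: int
    X2: int

def honest_base_run(sid, cid2, seed=0):
    """Emulate honest P_1, P_2. Returns the transcript, the record Sim keeps
    for the all-honest row of Table 5, and the DL witnesses a straight-line
    extractor would recover from pi_aff_1 = (pi_Y1, pi_D1) and pi_aff_2."""
    rng = random.Random(seed)
    sigma21, sigma12 = rng.randrange(1, P), rng.randrange(1, P)
    alpha1, alpha2 = rng.randrange(1, P), rng.randrange(1, P)    # dlog of Y_1, Y_2
    sigma31, sigma32 = rng.randrange(1, P), rng.randrange(1, P)  # dlog of D_1, D_2
    Y1, Y2, D1, D2 = mul(alpha1), mul(alpha2), mul(sigma31), mul(sigma32)
    X1 = add(add(mul(sigma21), Y1), D1)     # X_1 = sigma_{2,1}G + Y_1 + D_1
    X2 = add(add(mul(sigma12), Y2), D2)     # X_2 = sigma_{1,2}G + Y_2 + D_2
    T = Transcript(sid, cid2, sigma21, sigma12, h_s32(sid, cid2, D2),
                   Y1, D1, Y2, D2, X1, X2)
    record = {"x1": (sigma21 + alpha1 + sigma31) % P, "sigma31": sigma31,
              "x2": (sigma12 + alpha2 + sigma32) % P, "sigma32": sigma32}
    witnesses = {"alpha1": alpha1, "delta1": sigma31,
                 "alpha2": alpha2, "delta2": sigma32}
    return T, record, witnesses

def accept(T, w):
    """The part of Acc_SDKG modelled here: the DL witnesses open the
    transcript-defined points, the affine equations hold, and Check C5 ties
    D_2 to the point digested in Round 1."""
    dl_ok = (mul(w["alpha1"]) == T.Y1 and mul(w["delta1"]) == T.D1 and
             mul(w["alpha2"]) == T.Y2 and mul(w["delta2"]) == T.D2)
    aff_ok = (T.X1 == add(add(mul(T.sigma21), T.Y1), T.D1) and
              T.X2 == add(add(mul(T.sigma12), T.Y2), T.D2))
    c5_ok = T.h32 == h_s32(T.sid, T.cid2, T.D2)
    return dl_ok and aff_ok and c5_ok

def program_values(T, w, record, p1_corrupt, p2_corrupt):
    """Table 5: (x_i, sigma_{3,i}) come from the honest record when P_i is
    honest and from the extracted witnesses when P_i is corrupted."""
    if p1_corrupt:
        x1, s31 = (T.sigma21 + w["alpha1"] + w["delta1"]) % P, w["delta1"]
    else:
        x1, s31 = record["x1"], record["sigma31"]
    if p2_corrupt:
        x2, s32 = (T.sigma12 + w["alpha2"] + w["delta2"]) % P, w["delta2"]
    else:
        x2, s32 = record["x2"], record["sigma32"]
    return x1, x2, s31, s32

def derived_key(T):
    return sub(smul(3, T.X1), smul(2, T.X2))    # K_hat = 3 X_1 - 2 X_2

def demo(seed=7):
    """Returns (programmed values agree across all four corruption patterns,
    K_hat equals (3x_1 - 2x_2)G, a transcript whose D_2 was swapped after
    Round 1 is still accepted)."""
    T, rec, w = honest_base_run("sid-demo", "cid2-demo", seed)
    patterns = [(False, False), (True, False), (False, True), (True, True)]
    vals = [program_values(T, w, rec, *pat) for pat in patterns]
    x1, x2 = vals[0][:2]
    canonical = all(v == vals[0] for v in vals)
    key_ok = accept(T, w) and derived_key(T) == mul(3 * x1 - 2 * x2)
    # A corrupted sender replaces D_2 (keeping the affine equation and a valid
    # DL witness) but cannot change h_{3,2}, which digested the old point.
    d2p = w["delta2"] + 1
    forged = replace(T, D2=mul(d2p), X2=add(add(mul(T.sigma12), T.Y2), mul(d2p)))
    return canonical, key_ok, accept(forged, {**w, "delta2": d2p})
```

`demo()` returns `(True, True, False)`: every row of Table 5 yields the same $(x_1, x_2, \sigma_{3,1}, \sigma_{3,2})$ because the witnesses are the unique discrete logs of the transcript-defined points, the derived key equals $(3x_1 - 2x_2)G$, and the only thing that stops a late swap of $D_2$ is the Round 1 digest, which is why $\mathsf{Bad}_{\mathsf{s32}}$ has to be ruled out separately.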
Registration of $P_3$. In $\Game_3$, when $\mathcal{F}_{\mathsf{SDKG}}$ receives $(\mathsf{register}, 3, \mathsf{sid})$ and $\mathsf{finalized} = 1$, the resulting interaction with $\mathcal{F}_{\mathsf{KeyBox}}$ is exactly as specified by $\mathcal{F}_{\mathsf{SDKG}}$ (Fig. 8 (p. 48)). The only observable outcome is whether the host obtains $K_3 = \mathsf{PubMap}(k_3)$ from $\mathcal{F}^{(3)}_{\mathsf{KeyBox}}.\mathsf{Use}$. Since $\mathcal{F}_{\mathsf{KeyBox}}$ is an ideal functionality whose internal state is never revealed, and since $\mathsf{Sim}$ forwards $\mathcal{F}_{\mathsf{KeyBox}}$ calls on behalf of corrupted parties exactly as in the real execution, $\mathcal{Z}$'s observable view of registration matches the real execution. Additionally, $\mathcal{F}_{\mathsf{SDKG}}$ emits two adversary-scheduled, length-leaking channel messages (via $\mathsf{Leak}/\mathsf{Deliver}/\mathsf{Recv}$) that model the sealed-payload transport in Algorithm 1 (p. 45). Concretely, $\mathcal{F}_{\mathsf{SDKG}}$ sets the delivered payloads to $w_{\mathsf{reg},1} := \langle \mathsf{sid}, \varpi_1, K_{1,3}, K \rangle$ and $w_{\mathsf{reg},2} := \langle \mathsf{sid}, \varpi_{2a}, \varpi_{2b}, K_{1,3} \rangle$, where $\varpi_1, \varpi_{2a}, \varpi_{2b}$ are fresh sealing ciphertexts sampled as $\mathsf{Enc}^{\mathsf{seal}}_{\mathsf{pk}(P_3)}(\mathsf{ad}, \sigma)$. Lemma 18 (p. 57) formalizes that: if $P_3$ is corrupted, $\mathcal{A}$ observes well-formed ciphertexts and can invoke $\mathsf{OpenFromPeer}$ on them exactly as in the real protocol; and if $P_3$ is honest, the adversary learns only the explicit length leakage $\ell_{\mathsf{reg},1}, \ell_{\mathsf{reg},2}$.

Lemma 18 (Registration/RDR simulation). Fix a session $\mathsf{sid}$ after base finalization. Under $\mathcal{F}_{\mathsf{channel}}$ and the KeyBox sealing interfaces $\mathsf{SealToPeer}/\mathsf{OpenFromPeer}$ (Fig. 3 (p. 11)), the registration phase of Algorithm 1 (p. 45) is indistinguishable from the registration subroutine implemented by $\mathcal{F}_{\mathsf{SDKG}}$ (Fig. 8 (p. 48)), for any adaptive corruption pattern with secure erasures. More precisely: (i) if the receiver $P_3$ is honest, the adversary learns only the explicit length leakage $\ell_{\mathsf{reg},1}, \ell_{\mathsf{reg},2}$, and $\mathcal{F}_{\mathsf{SDKG}}$ produces exactly the same leakage; and (ii) if $P_3$ is corrupted, then the delivered payloads in $\mathcal{F}_{\mathsf{SDKG}}$ contain ciphertext components sampled as $\mathsf{Enc}^{\mathsf{seal}}_{\mathsf{pk}(P_3)}(\mathsf{ad}, \sigma)$, which matches exactly the distribution of real $\mathsf{SealToPeer}$ outputs, so the adversary's view (including subsequent $\mathsf{OpenFromPeer}$ calls) is identically distributed.

Proof Sketch. By definition of $\mathcal{F}_{\mathsf{SDKG}}$ (Fig. 8 (p. 48)), registration is enabled only once $\mathsf{finalized} = 1$, which implies that $(\sigma_{3,1}, \sigma_{3,2}, \sigma_{2,3})$ have been fixed by $\mathsf{TryFinalize}$ (after the simulator's one-shot $\mathsf{Program}$) and, for honest senders, loaded into the corresponding KeyBox slots used by $\mathsf{SealToPeer}$. If a sender is corrupted, both the real protocol and $\mathcal{F}_{\mathsf{SDKG}}$ allow the adversary to supply arbitrary payloads (via $w^\star_1, w^\star_2$), yielding identical distributions. If the receiver is honest, $\mathcal{F}_{\mathsf{channel}}$ reveals only message lengths; $\mathcal{F}_{\mathsf{SDKG}}$ matches this via $(\mathsf{Leak}, \cdot, \ell_{\mathsf{reg},1}/\ell_{\mathsf{reg},2})$. If the receiver is corrupted, then in the real protocol each ciphertext is produced by $\mathsf{SealToPeer}$ as $c \leftarrow \mathsf{Enc}^{\mathsf{seal}}_{\mathsf{pk}(P_3)}(\mathsf{ad}, \sigma)$; $\mathcal{F}_{\mathsf{SDKG}}$ samples the same distribution explicitly, so the delivered messages are identically distributed. If the sponsor (either $P_2$ or an already-registered leaf) is corrupted, it may try to disrupt registration by sending malformed or altered ciphertext components in $(\varpi_{2a}, \varpi_{2b})$. However, $P_3$ recomputes the intended associated-data strings $\mathsf{ad}_{32}, \mathsf{ad}_{23}$ locally (Algorithm 1 (p. 45)) and supplies them to $\mathsf{OpenFromPeer}$; by AEAD integrity in $\mathcal{F}_{\mathsf{KeyBox}}$ (Fig. 3 (p. 11)), any tampering or mix-and-match across sessions/slots causes $\mathsf{OpenFromPeer}$ to return $\bot$ and the KeyBox-side installation transaction aborts. If instead the corrupted sponsor crafts fresh ciphertexts under the correct associated data but encrypting arbitrary scalars, then the subsequent recovery-share derivation $\mathsf{Load}(\langle \mathsf{sid}, \mathsf{k3} \rangle, g_3, \cdot)$ rejects unless the decrypted values are transcript-consistent, since $g_3$ computes $K_3 := k_3 G$ and checks $K_{1,3} + K_3 = K$ (Definition 19 (p. 39)). Thus, a malicious sponsor can at most cause denial of registration, but cannot make an honest joiner install a share inconsistent with the established public key $K$. Finally, when $P_3$ is honest, both worlds attempt the same KeyBox-internal sequence of $\mathsf{OpenFromPeer}$ and $\mathsf{Load}$ calls, so the observable success/failure outcome (and any subsequent public $\mathsf{GetPub}$ output) matches. ■

Adaptive corruptions with secure erasures: explicit state consistency. We make explicit how the simulator answers adaptive corruptions under Definition 1 (p. 8). For each session $\mathsf{sid}$ and each honest party $P_i$, the simulator maintains a shadow host state $\mathsf{st}^{\mathsf{sid}}_i$ consisting of exactly those host variables that the real protocol retains (i.e., does not erase) after $P_i$'s most recent honest activation in that session. Because honest activations are atomic w.r.t. corruption (Definition 1 (p. 8)), a real corruption reveals precisely the current $\mathsf{st}^{\mathsf{sid}}_i$ and nothing erased within past activations. The simulator updates $\mathsf{st}^{\mathsf{sid}}_i$ in lockstep with its honest-party emulation and, upon corruption of $P_i$, returns $\mathsf{st}^{\mathsf{sid}}_i$ (together with the already transcript-visible messages) as the revealed host state. Crucially, in the base run the only NXK-restricted values that remain in host RAM across activations are the $\sigma$-scalars needed for the deferred post-accept $\mathcal{F}_{\mathsf{KeyBox}}.\mathsf{Load}$ calls.
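The sponsor-misbehaviour cases in the proof of Lemma 18 above can be exercised concretely. The following Python model is an added example, not the paper's code: a constructed encrypt-then-MAC AEAD stands in for the KeyBox $\mathsf{SealToPeer}/\mathsf{OpenFromPeer}$ interface (keyed with a symmetric KeyBox-to-KeyBox key rather than $\mathsf{pk}(P_3)$), the toy group is the order-509 subgroup of $\mathbb{Z}_{1019}^*$, and the joiner's derivation $g_3$ is assumed to set $k_3 := \sigma_{3,2} + \sigma_{2,3}$ (Definition 19 is not reproduced on this page) before checking $K_{1,3} + K_3 = K$. All sample values are constructed.

```python
# Added example, not the paper's code: registration payload handling as in
# Lemma 18, with constructed stand-ins for the sealing interface and the group.
import hashlib
import hmac
import os
import random

# Constructed toy group (no security): order-P subgroup of Z_Q^*, Q = 2P + 1,
# written additively in comments to match the paper ("zG" is pow(4, z, Q)).
Q, P, G = 1019, 509, 4

def mul(z):                 # z * G
    return pow(G, z % P, Q)

def add(A, B):              # A + B
    return (A * B) % Q

def _mac_input(ad, nonce, ct):
    # Length-prefix the associated data so AD and ciphertext cannot be confused.
    return len(ad).to_bytes(2, "big") + ad + nonce + ct

def seal(key, ad, scalar):
    """Constructed stand-in for Enc^seal_pk(P3)(ad, sigma): encrypt-then-MAC
    with a per-message nonce; the scalar is a 2-byte field element."""
    nonce = os.urandom(16)
    pad = hashlib.sha256(b"ks|" + key + nonce).digest()[:2]
    ct = bytes(a ^ b for a, b in zip(scalar.to_bytes(2, "big"), pad))
    tag = hmac.new(key, _mac_input(ad, nonce, ct), hashlib.sha256).digest()
    return nonce + ct + tag

def open_from_peer(key, ad, blob):
    """Returns the scalar, or None (the paper's bottom) on any integrity failure."""
    if len(blob) != 16 + 2 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:18], blob[18:]
    expect = hmac.new(key, _mac_input(ad, nonce, ct), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    pad = hashlib.sha256(b"ks|" + key + nonce).digest()[:2]
    return int.from_bytes(bytes(a ^ b for a, b in zip(ct, pad)), "big") % P

def ad_string(sid, sender, receiver, slot):
    # Slot-bound associated data <SDKG.reg, sid, P_j, P_i, slot> as in Fig. 9.
    return f"SDKG.reg|{sid}|{sender}|{receiver}|{slot}".encode()

def sponsor_send(key, sid, sponsor, joiner, sigma32, sigma23):
    """Sponsor side: (varpi_2a, varpi_2b) sealed under the k32 / k23 slot AD."""
    return (seal(key, ad_string(sid, sponsor, joiner, "k32"), sigma32),
            seal(key, ad_string(sid, sponsor, joiner, "k23"), sigma23))

def joiner_install(key, sid, sponsor, joiner, K, K13, varpi_2a, varpi_2b):
    """Joiner side: recompute ad_32, ad_23 locally, open both ciphertexts,
    derive k_3 and run the g_3 check K_{1,3} + k_3 G = K.
    -> ("abort", None)  on an AEAD failure (tampering / mix-and-match),
       ("reject", None) if the opened scalars are transcript-inconsistent,
       ("installed", K_3) otherwise."""
    s32 = open_from_peer(key, ad_string(sid, sponsor, joiner, "k32"), varpi_2a)
    s23 = open_from_peer(key, ad_string(sid, sponsor, joiner, "k23"), varpi_2b)
    if s32 is None or s23 is None:
        return "abort", None
    k3 = (s32 + s23) % P          # assumed g_3 derivation (not on this page)
    K3 = mul(k3)
    if add(K13, K3) != K:
        return "reject", None
    return "installed", K3

def scenarios(seed=0):
    """Honest registration plus the sponsor behaviours from Lemma 18's proof,
    on constructed values. Returns a dict of outcome labels."""
    rng = random.Random(seed)
    key = hashlib.sha256(b"constructed KeyBox-to-KeyBox key").digest()
    sid, sponsor, joiner = "sid-1", "P2", "P3"
    sigma32, sigma23 = rng.randrange(1, P), rng.randrange(1, P)
    k13 = rng.randrange(1, P)
    K13 = mul(k13)
    K = mul(k13 + sigma32 + sigma23)         # honest: K = K_{1,3} + k_3 G
    a, b = sponsor_send(key, sid, sponsor, joiner, sigma32, sigma23)
    run = lambda s, x, y: joiner_install(key, s, sponsor, joiner, K, K13, x, y)[0]
    out = {"honest": run(sid, a, b),
           "swapped_slots": run(sid, b, a),          # mix-and-match across slots
           "wrong_session": run("sid-2", a, b),      # replay into another session
           "bit_flip": run(sid, bytes([a[0] ^ 1]) + a[1:], b)}
    # Fresh ciphertexts under the correct AD but an arbitrary scalar.
    a2, b2 = sponsor_send(key, sid, sponsor, joiner, (sigma32 + 1) % P, sigma23)
    out["wrong_scalar"] = run(sid, a2, b2)
    return out
```

The three AEAD-level manipulations end in `"abort"` before any scalar reaches the share derivation, and the fresh-ciphertext case ends in `"reject"` at the $K_{1,3} + K_3 = K$ check; in neither case is a share inconsistent with $K$ installed, which is the denial-only conclusion of the lemma.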
All UC-NIZK/Fischlin prover randomness and rarity-search scratch state is erased in the same activation that emits the proof-bearing message (as stated in the protocol's erasure discipline), and therefore never appears in $\mathsf{st}^{\mathsf{sid}}_i$ and is never revealed by later corruptions.

Table 6: NXK-restricted host variables retained across activations in $\Psi^{(3)}_{\mathsf{SDKG}}$ under the stated erasure discipline.

Honest $P_1$: pre-install shadow state $\{\sigma_{2,1}, \sigma_{1,1}, \sigma_{1,3}, \sigma_{3,1}\}$ (plus public transcript items); post-install shadow state $\emptyset$ (all share-deriving scalars erased immediately after the $\mathsf{Load}$ calls return).
Honest $P_2$: pre-install shadow state $\{\sigma_{1,2}, \sigma_{2,2}, \sigma_{2,3}, \sigma_{3,2}\}$ (plus public transcript items); post-install shadow state $\emptyset$.
Honest $P_3$: pre-install shadow state $\emptyset$; post-install shadow state $\emptyset$.

Consistency with $\mathcal{F}_{\mathsf{SDKG}}$. Whenever $\mathsf{Sim}$ supplies $\mathsf{Tin}_1/\mathsf{Tin}_2/\mathsf{Tin}_3$ to $\mathcal{F}_{\mathsf{SDKG}}$ for session $\mathsf{sid}$, any scalar fields not transcript-visible in honest executions (e.g., $\sigma$-values carried over $\mathcal{F}_{\mathsf{channel}}$) are taken from the same shadow states $\mathsf{st}^{\mathsf{sid}}_i$. Thus, if an honest party is corrupted before post-accept installation, the corruption reveals exactly the values that (in both the real and ideal worlds) would be consumed by the pending $\mathsf{Load}$ calls; if it is corrupted after installation, these values have been erased and both worlds expose only black-box access to already-installed KeyBox slots (Definition 5 (p. 14)).

Let $\mathsf{Bad} := \mathsf{Bad}_{\mathsf{ext/forge}} \cup \mathsf{Bad}_{\mathsf{s32}}$. We have $\Pr[\mathsf{Bad}] \le \mathsf{negl}(\lambda)$, and conditioned on $\neg\mathsf{Bad}$, the hybrids produce identical transcripts, accept/abort behavior and public key outputs along with identically distributed corruption views. The registration portion of the simulation follows from Lemma 18 (p. 57). Therefore, $\mathsf{Exec}_{\Psi^{(3)}_{\mathsf{SDKG}}, \mathcal{A}, \mathcal{Z}} \approx_c \mathsf{Ideal}(\mathcal{F}_{\mathsf{SDKG}}, \mathsf{Sim}, \mathcal{Z})$. This completes the proof of Theorem 3 (p. 54). ■

Remark 20 (Dominating bad events / failure terms). In the proof of Theorem 3 (p. 54), the simulation error is dominated by the union of the following explicit bad events:
– $\mathsf{Bad}_{\mathsf{sc}}$: a violation of state continuity (rollback/fork) for any KeyBox instance relied upon by the protocol (Assumption 2 (p. 13)). In a concrete realization that approximates state continuity via a freshness mechanism that can fail (e.g., counter exhaustion or oracle unavailability), let $\varepsilon_{\mathsf{sc}}(\lambda)$ bound $\Pr[\mathsf{Bad}_{\mathsf{sc}}]$; then all distinguishing/forgery bounds in the paper should be read as $\mathsf{negl}(\lambda) + \varepsilon_{\mathsf{sc}}(\lambda)$.
– $\mathsf{Bad}_{\mathsf{rcpt}}$: a second-preimage/collision for a receipt-binding digest in a non-programmable context (e.g., for $H(\mathsf{USV.rcpt}, \cdot)$ in $\mathcal{F}_{\mathsf{USV}}$).
– $\mathsf{Bad}_{\mathsf{s32}}$: either (a) a successful $\lambda$-bit guess of $h_{3,2} = H_{\mathsf{s32}}(\langle \mathsf{sid}, \mathsf{cid}_2, D_2 \rangle)$ without having queried that point, or (b) a collision/second-preimage under $H_{\mathsf{s32}}$ that allows an accepting transcript with $D_2 \neq U$, where $U$ is the point committed by $h_{3,2}$.
– $\mathsf{Bad}_{\mathsf{pre}}$: a pre-query collision that causes a simulator programming attempt $\mathsf{SimProgram}(\mathsf{ctx}, x, y)$ with $\mathsf{ctx} \in \mathsf{Ctx}_p$ to return $\bot$ (Lemma 3 (p. 20)).
– $\mathsf{Bad}_{\mathsf{fs}}$: a Fischlin knowledge/soundness failure for any verifying UC-context NIZK, i.e., acceptance of a proof for which straight-line extraction fails or yields no valid witness (Lemma 5 (p. 25)).
– $\mathsf{Bad}_{\mathsf{hr}}$: honest rejection of an honest Fischlin proof due to a capped rarity-search miss. This is a liveness failure only (abort/retry) and is not a security break.
– $\mathsf{Bad}_{\mathsf{hdl}}$: an adversary guess of a live KeyBox opaque handle (e.g., in $\mathsf{buf}$), allowing unintended resolution/use; bounded by a union bound over polynomially many guesses as $\Pr[\mathsf{Bad}_{\mathsf{hdl}}] \le \mathsf{poly}(\lambda) \cdot 2^{-\lambda}$.
By a union bound, the security distinguishing advantage is upper-bounded by $\Pr[\mathsf{Bad}_{\mathsf{rcpt}}] + \Pr[\mathsf{Bad}_{\mathsf{s32}}] + \Pr[\mathsf{Bad}_{\mathsf{pre}}] + \Pr[\mathsf{Bad}_{\mathsf{fs}}] + \Pr[\mathsf{Bad}_{\mathsf{hdl}}]$, and each term is negligible under the stated hypotheses of Theorem 3 (p. 54).
When compiling out $\mathcal{F}_{\mathsf{USV}}$ to the concrete USV protocol (Corollary 2 (p. 59)), additional negligible terms stemming from the USV/DLEQ-based instantiation are bounded under DDLEQ as in Theorem 2 (p. 34) and Lemmas 7 (p. 31) and 8 (p. 32).

If it holds for the corrupted set that $B \in \Gamma$, no secrecy claims can be made on the conceptual signing key $k$. Even then, the functionality and the real protocol guarantee non-exportability: long-term secrets remain confined to the respective $\mathcal{F}^{(i)}_{\mathsf{KeyBox}}$ instances and the adversary only obtains black-box access via $\mathsf{Use}$. In any session wherein at least one of $P_1$ or $P_2$ honestly samples its auxiliary scalar $\sigma_{3,1}$ (resp. $\sigma_{3,2}$), the resulting key $K$ is uniformly distributed in $\mathbb{G}$ (see Lemma 13 (p. 49)).

Corollary 1 (Standard NXK-DKG interface). Under the hypotheses of Theorem 3 (p. 54), protocol $\Psi^{(3)}_{\mathsf{SDKG}}$ UC-realizes $\mathcal{F}^{\star,\mathsf{NXK}}_{\mathsf{DKG}}$ in the same model.

Proof. By Theorem 3 (p. 54), $\Psi^{(3)}_{\mathsf{SDKG}}$ UC-realizes $\mathcal{F}_{\mathsf{SDKG}}$ in the stated model. The claim follows by Lemma 14 (p. 49). ■

Corollary 2 (Compiling out $\mathcal{F}_{\mathsf{USV}}$). Let $\Pi_{\mathsf{USV}}$ be the concrete protocol of Section 5.2 (p. 30) implementing $\mathcal{F}_{\mathsf{USV}}$, and define $\widehat{\Psi}^{(3)}_{\mathsf{SDKG}} := \Psi^{(3)}_{\mathsf{SDKG}}[\Pi_{\mathsf{USV}}/\mathcal{F}_{\mathsf{USV}}]$. Under the hypotheses of Theorem 2 (p. 34) and Theorem 3 (p. 54), $\widehat{\Psi}^{(3)}_{\mathsf{SDKG}}$ UC-realizes $\mathcal{F}_{\mathsf{SDKG}}$ in the $(\mathcal{F}_{\mathsf{KeyBox}}, \mathcal{F}_{\mathsf{channel}}, \mathcal{F}_{\mathsf{pub}})$-hybrid and gRO-CRP models.

Proof. Immediate from UC composition: $\Pi_{\mathsf{USV}}$ UC-realizes $\mathcal{F}_{\mathsf{USV}}$ (Theorem 2 (p. 34)) and $\Psi^{(3)}_{\mathsf{SDKG}}$ UC-realizes $\mathcal{F}_{\mathsf{SDKG}}$ in the $(\mathcal{F}_{\mathsf{KeyBox}}, \mathcal{F}_{\mathsf{USV}}, \mathcal{F}_{\mathsf{channel}}, \mathcal{F}_{\mathsf{pub}})$-hybrid (Theorem 3 (p. 54)), with shared gRO-CRP access via domain-separated contexts. ■

9 UC Security of the 1+1-out-of-$n$ SDKG Extension

To enroll a new recovery device $P_i$ ($i \ge 3$), run the one-shot registration sub-protocol used for $P_3$, sponsored by $P_2$ or any already registered leaf.
This installs the replicated share ( k 1 ,i , k i ) = ( k 1 , 3 , k 3 ) while preserving the public k ey . F ( n ) SDKG (Fig. 9 (p. 60)) lifts F SDKG to 1+1-out-of- n star access structure (for n ≥ 3) b y keeping the same transcript-driven base run for ( P 1 , P 2 ) and allowing a p olynomial num b er of p ost-finalization RDRs for leav es P i with i ∈ { 3 , . . . , n } , installing the same reco very-role share in F ( i ) KeyBox . Theorem 4 (UC securit y of F ( n ) SDKG ). Fix Fischlin p ar ameter functions ( t ( λ ) , b ( λ ) , r ( λ ) , S ( λ )) satisfying Defini- tion 15 (p. 24). A ssume har dness of DL and DDLEQ, and the hyp otheses use d for The or ems 3 (p. 54) and 2 (p. 34). Then the c ompile d n -p arty pr oto c ol b Ψ ( n ) SDKG UC-r e alizes F ( n ) SDKG in the ( F KeyBox , F channel , F pub ) -hybrid and gR O-CRP mo dels against adaptive c orruptions with se cur e er asur es. Pr o of Sketch. Let A b e an y PPT real-world adv ersary and Z an y PPT en vironment. W e build a PPT simulator Sim ( n ) for the ideal execution with F ( n ) SDKG . Base run. Sim ( n ) sim ulates the base transcript exactly as in the proof of Theorem 3 (p. 54): it mediates A ’s gRO- CRP queries under the UC-pro of contexts, extracts witnesses from v erifying UC-NIZK-AoKs, computes the unique transcript-defined ( x 1 , x 2 ) in accepting sessions, computes the corresp onding σ 3 , 1 and σ 3 , 2 as in Theorem 3 (p. 54), and programs F ( n ) SDKG once via ( Program , sid , x 1 , x 2 , σ 3 , 1 , σ 3 , 2 ) prior to finalization. This ensures that the public k ey output K and the base-installed KeyBox shares for P 1 and P 2 matc h the real execution distribution (up to negligible Bad ev ents as in Theorem 3 (p. 54)). R e gistr ations. After finalization, F ( n ) SDKG ma y receiv e an y num b er of registration requests ( register , i, sid ) for distinct i ∈ { 3 , . . . , n } . 
In the real execution, each registration affects only: (i) the transcript/messages of that registration session and (ii) the internal state of $F^{(i)}_{KeyBox}$ via a single Load call that installs the replicated recovery-role share. Since $F^{(i)}_{KeyBox}$ state is never revealed upon corruption (only black-box access via Use), and since the installed recovery-role scalar is a deterministic function of the already-fixed values $(k, K, K_{1,3})$, $Sim^{(n)}$ can simulate each device registration independently, while ensuring that $F^{(i)}_{KeyBox}$ ends up storing the correct share and hence returns the same $PubMap(k_3)$ under Use as in the real protocol.

♦ State (per session sid): run the base-run state of $F_{SDKG}$ to completion. Maintain $Reg \subseteq \{3, \dots, n\}$ (init $\emptyset$) and a pending table $Pend[i] = (sponsor, ok_1, ok_s, \rho_1, \rho_s, w^{del}_1, w^{del}_s)$ (init undefined, with $\rho_1 = \rho_s = w^{del}_1 = w^{del}_s = \bot$); registration-channel state multiset $Q_{reg}$ of $(\rho, i, P_s, P_r, w, \phi)$ and delivered set $D_{reg}$ (init empty).
♦ Base run: Identical to $F_{SDKG}$ up to and including TryFinalize.
♦ Register: Upon $(register, i, sid, j)$ from $P_i$ with $i \in \{3, \dots, n\}$: require $finalized = 1$, $i \notin Reg$, and $j \in \{2\} \cup Reg$. If $Pend[i]$ is undefined, set $Pend[i] \leftarrow (j, 0, 0, \bot, \bot, \bot, \bot)$ and notify $A$ with $(RegReq, i, sid, j)$. Upon $(approve, i, sid)$ from $P_1$ (resp. from sponsor $P_j$): if $Pend[i]$ is defined then set $Pend[i].ok_1 \leftarrow 1$ (resp. $Pend[i].ok_s \leftarrow 1$); notify $A$.
♦ RegGo (sender-controlled on corruption): Upon $(RegGo, i, sid, w^{\star}_1, w^{\star}_s)$ from $A$: if $Pend[i]$ is defined, $Pend[i].ok_1 = Pend[i].ok_s = 1$, and $(Pend[i].\rho_1, Pend[i].\rho_s) = (\bot, \bot)$, then:
– Let $j := Pend[i].sponsor$.
Define slot-bound associated data strings: $ad^{1}_{i} := \langle SDKG.reg, sid, P_1, P_i, k31 \rangle$, $ad^{32}_{j,i} := \langle SDKG.reg, sid, P_j, P_i, k32 \rangle$, $ad^{23}_{j,i} := \langle SDKG.reg, sid, P_j, P_i, k23 \rangle$.
– Reset delivered-payload buffers: set $Pend[i].w^{del}_1 \leftarrow \bot$ and $Pend[i].w^{del}_s \leftarrow \bot$.
– Sample $\rho_1, \rho_s \leftarrow_{\$} \{0,1\}^{\lambda}$.
– If $1 \notin Cor$, sample $\varpi_1 \leftarrow Enc^{seal}_{pk(P_i)}(ad^{1}_{i}, \sigma_{3,1})$ and set $w_{reg,1} := \langle sid, \varpi_1, K_{1,3}, K \rangle$ and $\phi_1 := \ell_{reg,1}$. If $1 \in Cor$, set $w_{reg,1} := w^{\star}_1$ and $\phi_1 := |w_{reg,1}|$. If $w_{reg,1} \ne \bot$, then: set $Pend[i].\rho_1 \leftarrow \rho_1$; insert $(\rho_1, i, P_1, P_i, w_{reg,1}, \phi_1)$ into $Q_{reg}$; send $(Leak, sid, P_1, P_i, \rho_1, \phi_1)$ to $A$; and if $1 \in Cor$ additionally reveal $w_{reg,1}$ to $A$.
– If $j \notin Cor$, sample $\varpi_{sa} \leftarrow Enc^{seal}_{pk(P_i)}(ad^{32}_{j,i}, \sigma_{3,2})$ and $\varpi_{sb} \leftarrow Enc^{seal}_{pk(P_i)}(ad^{23}_{j,i}, \sigma_{2,3})$. Set $w_{reg,s} := \langle sid, \varpi_{sa}, \varpi_{sb}, K_{1,3} \rangle$ and $\phi_s := \ell_{reg,2}$. If $j \in Cor$, set $w_{reg,s} := w^{\star}_s$ and $\phi_s := |w_{reg,s}|$. If $w_{reg,s} \ne \bot$, then: set $Pend[i].\rho_s \leftarrow \rho_s$; insert $(\rho_s, i, P_j, P_i, w_{reg,s}, \phi_s)$ into $Q_{reg}$; send $(Leak, sid, P_j, P_i, \rho_s, \phi_s)$ to $A$; and if $j \in Cor$ additionally reveal $w_{reg,s}$ to $A$.
♦ Deliver: Upon $(Deliver, sid, \rho)$ from $A$: if $(\rho, i, P_s, P_i, w, \phi) \in Q_{reg}$ and $\rho \notin D_{reg}$, delete it from $Q_{reg}$, add $\rho$ to $D_{reg}$, and deliver $(Recv, sid, P_s, w)$ to $P_i$. If $i \in Cor$, reveal $w$ to $A$ at delivery time. If $Pend[i]$ is defined then:
– If $\rho = Pend[i].\rho_1$, set $Pend[i].\rho_1 \leftarrow \bot$ and $Pend[i].w^{del}_1 \leftarrow w$. If $\rho = Pend[i].\rho_s$, set $Pend[i].\rho_s \leftarrow \bot$ and $Pend[i].w^{del}_s \leftarrow w$.
– If $Pend[i].ok_1 = Pend[i].ok_s = 1$, $(Pend[i].\rho_1, Pend[i].\rho_s) = (\bot, \bot)$, $Q_{reg} = \emptyset$, $Pend[i].w^{del}_1 \ne \bot$ and $Pend[i].w^{del}_s \ne \bot$, then:
• If $i \in Cor$: set $Reg \leftarrow Reg \cup \{i\}$, delete $Pend[i]$, and output $(registered, i, sid)$ to $P_i$ and $A$.
• If $i \notin Cor$: let $j := Pend[i].sponsor$ and define the same $ad^{1}_{i}, ad^{32}_{j,i}, ad^{23}_{j,i}$ as above. Parse $Pend[i].w^{del}_1 = \langle sid, \varpi_1, K^{(1)}_{1,3}, K^{\star} \rangle$ and $Pend[i].w^{del}_s = \langle sid, \varpi_{sa}, \varpi_{sb}, K^{(2)}_{1,3} \rangle$. If parsing fails, do nothing further. Require $K^{(1)}_{1,3} = K^{(2)}_{1,3}$; otherwise do nothing further. Set $K^{\star}_{1,3} \leftarrow K^{(1)}_{1,3}$. Then have $P_i$ forward $(\varpi_1, \varpi_{sa}, \varpi_{sb}, ad^{1}_{i}, ad^{32}_{j,i}, ad^{23}_{j,i}, K^{\star}, K^{\star}_{1,3})$ into $F^{(i)}_{KeyBox}$, which executes the same KeyBox-side installation procedure as Algorithm 1 (p. 45) (with sponsor $P_j$): open the ciphertexts under the corresponding ad strings and invoke the corresponding Load calls to install $\langle sid, k32 \rangle$, $\langle sid, k23 \rangle$, $\langle sid, k3 \rangle$. If all invoked Load calls return ok, then set $Reg \leftarrow Reg \cup \{i\}$, delete $Pend[i]$, and output $(registered, i, sid)$ to $P_i$ and $A$. Otherwise do nothing further.
♦ Corruptions/Programming: As in $F_{SDKG}$ (Fig. 8 (p. 48)). Before base finalization, $Sim$ may once send $(Program, sid, x^{\star}_1, x^{\star}_2, \sigma^{\star}_{3,1}, \sigma^{\star}_{3,2})$; set $x_1 \leftarrow x^{\star}_1$, $x_2 \leftarrow x^{\star}_2$, $\sigma_{3,1} \leftarrow \sigma^{\star}_{3,1}$, and $\sigma_{3,2} \leftarrow \sigma^{\star}_{3,2}$.

Fig. 9: Transcript-driven ideal functionality $F^{(n)}_{SDKG}$.

Composition over many registrations. Because registrations for different $i$ touch disjoint KeyBox instances and do not modify $(x_1, x_2, K)$, we argue via a standard hybrid over $q = q(\lambda) \le poly(\lambda)$ completed registrations: define hybrids $\Game^{(j)}$ for $j = 0, \dots, q$ that replace the first $j$ real registrations by the $F^{(n)}_{SDKG}$-generated ones. Consecutive hybrids differ in only one registration instance, so Lemma 18 (p. 57) gives a negligible per-step change, and a union bound over $q$ steps keeps the total distinguishing advantage negligible. Thus, it follows from Theorem 3 (p. 54) and Corollary 2 (p. 59) that $Exec(\hat{\Psi}^{(n)}_{SDKG}, A, Z) \approx_c Ideal(F^{(n)}_{SDKG}, Sim^{(n)}, Z)$. ■

Remark 21 (Why the two-party scoping is necessary). Under UC scheduling, a corrupted committer can equivocate by delivering distinct first commits to different relying parties. The compiled protocol $\Pi_{USV}$ necessarily yields recipient-local state in that case, so it can only UC-realize an ideal functionality with the same relying-party scoped semantics. To support scalable RDR with an arbitrary already-registered leaf as sponsor, SDKG designates a small subset of $\sigma$-values as registration scalars that are retained inside KeyBoxes in dedicated slots (Definition 19 (p. 39)). These retained values remain NXK-restricted and are used only via SealToPeer. If an instantiation exposes remote-attestation transcripts in the clear, this can introduce extra visible structure; modeling such leakage is orthogonal to our NXK consistency enforcement.

Optional. If external verifiability is desired: after KeyBox 3 installs $k_3$, the host obtains $K_3 := PubMap(k_3)$ by invoking $F^{(3)}_{KeyBox}.Use(\langle sid, k3 \rangle, GetPub, \cdot)$ and obtains a proof $\pi^{DL}_3$ by running the in-KeyBox optimized Fischlin prover: $(\mu_{FS}, a) \leftarrow F^{(3)}_{KeyBox}.Use(\langle sid, k3 \rangle, FS.Start, \langle sid, K_3 \rangle)$, $\pi^{DL}_3 \leftarrow F^{(3)}_{KeyBox}.Use(\langle sid, k3 \rangle, FS.Prove, \mu_{FS})$. The proof $\pi^{DL}_3 = ((a_i, e_i, z_i))_{i=1}^{r}$ is a UC-NIZK-AoK for the DL relation $R_{DL}$ on statement $(pp, K_3)$ in the gRO-CRP model under context $ctx_{KeyBox}$. By construction, FS.Prove never releases more than one response per commitment and issues all rare-structure hash queries internally under $ctx_{KeyBox}$. Verification is public via $FS.Verify(K_3, \pi^{DL}_3)$.

10 Complexity and Overhead

We summarize the dominant computation and communication costs of SDKG (base 1+1-out-of-3 run) and its RDR extension to 1+1-out-of-n.
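To make the FS.Start / FS.Prove / FS.Verify flow and the honest-rejection bound of this section concrete, the following is an added toy Python sketch, not the paper's code and not its optimized in-KeyBox prover: a Fischlin-transformed Schnorr DL proof with an early-break rarity search over a constructed small Schnorr group. The parameter names (t, b, r) follow the paper; `rarity_hash`, the retry budget and the group constants are assumptions of the sketch.

```python
"""Toy Fischlin-transformed Schnorr DL proof with the early-break rarity search.

Added example, not the paper's optimized in-KeyBox prover (FS.Start/FS.Prove/
FS.Verify are modelled here as plain functions). The group is a constructed
toy Schnorr subgroup (p = 1019, q = 509, generator g = 4) written
multiplicatively, so the paper's kG reads here as g**k mod p.
"""
import hashlib
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

P, Q, G = 1019, 509, 4          # constructed toy group; real use needs ~256-bit order

Proof = List[Tuple[int, int, int]]   # r triples (a_i, e_i, z_i), as in pi^DL


@dataclass(frozen=True)
class FischlinParams:
    t: int   # challenges e_i are searched over [0, 2^t)
    b: int   # rarity condition: the hash must end in b zero bits
    r: int   # number of parallel Schnorr repetitions


# Parameters fixed in Section 10; S is not needed because this early-break
# variant rejects (and retries) instead of falling back to a sum threshold.
PAPER_PARAMS = FischlinParams(t=13, b=8, r=32)


def rejection_bound(p: FischlinParams) -> float:
    """Section 10 liveness bound: p_rej <= r * (1 - 2^-b)^(2^t)."""
    return p.r * (1.0 - 2.0 ** -p.b) ** (2 ** p.t)


def rarity_hash(statement: int, commits: Tuple[int, ...], i: int, e: int, z: int) -> int:
    """Stand-in for the gRO-CRP query H(ctx, X, a_1..a_r, i, e, z); binds all commitments."""
    data = "|".join(map(str, (statement, *commits, i, e, z))).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def fs_start(p: FischlinParams, rng: random.Random) -> Tuple[List[int], Tuple[int, ...]]:
    """FS.Start: fresh nonces k_i and commitments a_i = g^k_i for all r repetitions."""
    nonces = [rng.randrange(1, Q) for _ in range(p.r)]
    return nonces, tuple(pow(G, k, P) for k in nonces)


def fs_prove(witness: int, statement: int, nonces: List[int],
             commits: Tuple[int, ...], p: FischlinParams) -> Optional[Proof]:
    """FS.Prove with early break: per repetition, scan e in [0, 2^t) until the hash is rare.

    Returns None (honest rejection) if some repetition finds no rare challenge. Nothing
    from a rejected attempt is released, so at most one (e_i, z_i) per commitment exists.
    """
    mask = (1 << p.b) - 1
    proof: Proof = []
    for i, (k, a) in enumerate(zip(nonces, commits)):
        for e in range(1 << p.t):
            z = (k + e * witness) % Q          # Schnorr response for challenge e
            if rarity_hash(statement, commits, i, e, z) & mask == 0:
                proof.append((a, e, z))
                break
        else:                                  # no rare challenge found: reject
            return None
    return proof


def prove(witness: int, statement: int, p: FischlinParams,
          rng: Optional[random.Random] = None, max_attempts: int = 16) -> Proof:
    """Retry loop from Section 10: on rejection, call FS.Start again for fresh commitments."""
    rng = rng or random.SystemRandom()
    for _ in range(max_attempts):
        proof = fs_prove(witness, statement, *fs_start(p, rng), p)
        if proof is not None:
            return proof
    raise RuntimeError("proof generation rejected repeatedly; check parameters")


def verify(statement: int, proof: Proof, p: FischlinParams) -> bool:
    """FS.Verify: Theta(r) Schnorr checks g^z_i == a_i * X^e_i plus the rarity condition."""
    if len(proof) != p.r:
        return False
    commits = tuple(a for a, _, _ in proof)
    mask = (1 << p.b) - 1
    for i, (a, e, z) in enumerate(proof):
        if not (0 <= e < (1 << p.t) and 0 <= z < Q and 0 < a < P):
            return False
        if rarity_hash(statement, commits, i, e, z) & mask != 0:
            return False
        if pow(G, z, P) != a * pow(statement, e, P) % P:
            return False
    return True
```

With the paper's (t, b, r) = (13, 8, 32), `rejection_bound(PAPER_PARAMS)` evaluates to roughly 2^-41, the figure given in Section 10; since that search budget is 2^13 hashes per repetition, run the proof itself with smaller parameters when experimenting.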
Let $G$ be a prime-order group of size $p$ and write $\kappa := \log p$ (e.g., $\kappa \approx 256$ for standard 128-bit ECC instantiations). All NIZK(-AoK)s are instantiated via the optimized Fischlin transform in the gRO-CRP model with parameters $(t, b, r, S)$ satisfying Definition 15 (p. 24). For our concrete estimates, we fix a target security level $\lambda = \lambda_0$ and instantiate $(t, b, r, S) := (t(\lambda_0), b(\lambda_0), r(\lambda_0), S(\lambda_0)) = (13, 8, 32, 32)$. Hence, for any prover making at most $Q$ distinct gRO-CRP queries under the relevant proof context, the resulting Fischlin knowledge/soundness error is $\le (Q + 1) \cdot 2^{-195} + negl(\lambda)$ (security). Separately, the early-break rarity search induces a per-proof honest-rejection probability bounded by $p_{rej} \le r \cdot (1 - 2^{-b})^{2^{t}} \approx 2^{-41}$ for these parameters (liveness/completeness). This $p_{rej}$ is an operational failure probability of the proof-generation subroutine, not an adversarial success probability; the prover can simply retry proof generation on rejection, with expected attempts $1 / (1 - p_{rej}) \approx 1$. On rejection, the prover retries by invoking FS.Start again to obtain a fresh handle and commitments.

Using standard compressed encodings, the dominant objects are: $|\pi^{DL}| \approx 2.1$ KiB, $|\pi^{aff}| \approx 4.1$ KiB, $|(C, \zeta)| \approx 3.1$–$3.3$ KiB. The base SDKG transcript contains one USV certificate and two affine AoKs, yielding a total transcript size of $\approx 11$–$13$ KiB (excluding small constant headers).

Verification of a Schnorr-DL Fischlin proof performs $\Theta(r)$ Schnorr checks / $\Theta(r)$ scalar multiplications (one fixed-base by $G$, one variable-base by the statement element $K$, plus additions), up to standard multi-scalar optimizations. The SDKG base run verifies a constant number of proof objects (one DLEQ proof inside USV and two affine proofs implemented by two DL proofs each), hence the verification and proving costs are $\tilde{O}(\kappa^{2.585})$ bit-operations in the Karatsuba model (dominated by a constant number of scalar multiplications). Registration of an additional recovery device adds a constant-size exchange and an optional DL proof for external verifiability.

SDKG uses a constant number of proof objects in the base run and performs no resharing. Therefore, $Comm_{SDKG} = \tilde{O}(\kappa)$ bits and $Comp_{SDKG} = \tilde{O}(\kappa^{2.585})$ bit-ops. For the 1+1-out-of-n extension, RDR registers each additional device with $Comm_{RDR,\,per\ device} = \tilde{O}(\kappa)$ bits and $Comp_{RDR,\,per\ device} = \tilde{O}(\kappa^{2.585})$ bit-ops, so in total: $Comm^{(n)} = \tilde{O}(n\kappa)$ and $Comp^{(n)} = \tilde{O}(n\kappa^{2.585})$.

11 Conclusion

We studied UC-secure Distributed Key Generation (DKG) in the Non-eXportable Key (NXK) setting wherein long-term signing shares are confined to state-continuous trusted hardware (e.g., TEEs). In this NXK setting, the protocol cannot rely on classical VSE (VSS/PVSS/AVSS or commitment-and-proof analogues) that exports and manipulates shares (or affine images of shares), and state-continuity rules out rewinding/forking-style extraction once witness-bearing computation is delegated to the hardware boundary. Our starting point is therefore to decouple confidentiality from consistency: confidentiality can be delegated to the NXK/TEE boundary, while the protocol must still enforce transcript-defined affine consistency and uniqueness of the induced sharing without any share opening or resharing. We introduced Unique Structure Verification (USV), a publicly verifiable certificate mechanism that yields a deterministic public opening to a committed group element while keeping the underlying scalar hidden under DL and DDLEQ hardness, providing canonical public structure without trapdoors or programmable setup.
We combined USV with UC-extractable NIZK arguments of knowledge (via an optimized Fischlin transform in our gRO-CRP-hybrid model) to obtain straight-line extraction without rewinding. Building on these tools, we constructed Star DKG (SDKG), a constant-round UC-secure DKG for a 1+1-out-of-n star access structure motivated by threshold cryptocurrency wallets where a designated service must co-sign yet can never sign alone. SDKG supports post-DKG device enrollment by registering additional recovery devices as replicated leaves, preserving the public key without resharing. Under DL and DDLEQ assumptions, and assuming KeyBox (TEE-resident NXK keystore) opacity, state continuity, and secure erasures, we prove that SDKG UC-realizes a transcript-driven ideal functionality. The protocol achieves $\tilde{O}(n \log p)$ communication and $\tilde{O}(n \log^{2.585} p)$ bit-operation cost in a prime-order group of size $p$, while each additional device registration costs $\tilde{O}(\log p)$ communication and $\tilde{O}(\log^{2.585} p)$ computation (with a base transcript of $\approx 11$–$13$ KiB in a 128-bit instantiation).

Acknowledgments

I thank Nolan Miranda for helpful discussions and feedback on early versions of the SDKG idea and protocol sketch.

References

1. Amazon Web Services: AWS Key Management Service API Reference: GetPublicKey. https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html, accessed 2026-02-17
2. Babai, L., Moran, S.: Arthur-Merlin games: A randomized proof system, and a hierarchy of complexity classes. Journal of Computer and System Sciences 36(2), 254–276 (1988)
3. Bacho, R., Kavousi, A.: SoK: Dlog-Based Distributed Key Generation. In: IEEE S&P. pp. 614–632 (2025)
4. Battagliola, M., Longo, R., Meneghetti, A., Sala, M.: Threshold ECDSA with an offline recovery party. Mediterranean Journal of Mathematics 19(4) (2022)
5. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: ACM CCS. pp. 390–399 (2006)
6. Blum, M.: Coin flipping by telephone: a protocol for solving impossible problems. ACM SIGACT News 15(1), 23–27 (1983)
7. Boneh, D., Ding, X., Tsudik, G.: Fine-grained control of security capabilities. ACM Transactions on Internet Technology 4(1), 60–82 (2004)
8. Boneh, D., Ding, X., Tsudik, G., Wong, M.: A method for fast revocation of public key certificates and security capabilities. In: USENIX Security. pp. 297–308 (2001)
9. Bortolozzo, M., Centenaro, M., Focardi, R., Steel, G.: Attacking and fixing PKCS#11 security tokens. In: ACM CCS. pp. 260–269 (2010)
10. Cachin, C., Kursawe, K., Lysyanskaya, A., Strobl, R.: Asynchronous verifiable secret sharing and proactive cryptosystems. In: ACM CCS. pp. 88–97 (2002)
11. Camenisch, J., Drijvers, M., Gagliardoni, T., Lehmann, A., Neven, G.: The wonderful world of global random oracles. In: EUROCRYPT. pp. 280–312 (2018)
12. Camenisch, J., Drijvers, M., Lehmann, A.: Universally composable direct anonymous attestation. In: PKC. pp. 234–264 (2016)
13. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: FOCS. pp. 136–145 (2001)
14. Canetti, R., Dodis, Y., Pass, R., Walfish, S.: Universally composable security with global setup. In: TCC. pp. 61–85 (2007)
15. Canetti, R., Gennaro, R., Goldfeder, S., Makriyannis, N., Peled, U.: UC non-interactive, proactive, threshold ECDSA with identifiable aborts. Cryptology ePrint Archive, Report 2021/060 (2021), full version of CCS'20; strict GROM and trace-property ideal functionality
16. Canetti, R., Jain, A., Scafuro, A.: Practical UC security with a global random oracle. In: ACM CCS (2014)
17. Canetti, R., Rabin, T.: Universal composition with joint state. In: CRYPTO (2003)
18. Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: CRYPTO. pp. 89–105 (1993)
19. Chen, Y.H., Lindell, Y.: Optimizing and implementing Fischlin's transform for UC-secure zero-knowledge. IACR CiC 1(2) (2024)
20. Chor, B., Goldwasser, S., Micali, S., Awerbuch, B.: Verifiable secret sharing and achieving simultaneity in the presence of faults. In: FOCS. pp. 383–395 (1985)
21. Cleve, R.: Limits on the security of coin flips when half the processors are faulty. In: STOC. pp. 364–369 (1986)
22. Desmedt, Y.: Society and group oriented cryptography: A new concept. In: CRYPTO. pp. 120–127 (1987)
23. Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: CRYPTO. pp. 307–315 (1989)
24. Ding, X., Mazzocchi, D., Tsudik, G.: Experimenting with server-aided signatures. In: NDSS (2002)
25. Doerner, J., Kondi, Y., Lee, E., Shelat, A.: Threshold ECDSA in Three Rounds. In: IEEE S&P. pp. 3053–3071 (2024)
26. Doerner, J., Kondi, Y., Rosenbloom, L.N.: Sometimes you can't distribute random-oracle-based proofs. In: CRYPTO. pp. 323–358 (2024)
27. Faz-Hernandez, A., Scott, S., Sullivan, N., Wahby, R.S., Wood, C.A.: RFC 9380: Hashing to elliptic curves (August 2023), https://www.rfc-editor.org/rfc/rfc9380.html, IRTF, Informational
28. Feldman, P.: A practical scheme for non-interactive verifiable secret sharing. In: FOCS. pp. 427–438 (1987)
29. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: CRYPTO. pp. 186–194 (1986)
30. Fischlin, M.: Communication-efficient non-interactive proofs of knowledge with online extractors. In: CRYPTO. pp. 152–168 (2005)
31. Friedman, O., Marmor, A., Mutzari, D., Sadika, O., Scaly, Y.C., Spitzer, Y., Yanai, A.: 2PC-MPC: Emulating two party ECDSA in large-scale MPC. Cryptology ePrint Archive, Paper 2024/253 (2024)
32. Friedman, O., Marmor, A., Mutzari, D., Scaly, Y.C., Spitzer, Y.: Practical zero-trust threshold signatures in large-scale dynamic asynchronous networks. Cryptology ePrint Archive, Report 2025/297 (2025)
33. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. Journal of Cryptology 20, 51–83 (2007)
34. Goldreich, O., Micali, S., Wigderson, A.: How to play ANY mental game. In: STOC. pp. 218–229 (1987)
35. Google Cloud: Cloud Key Management Service roles and permissions. https://docs.cloud.google.com/iam/docs/roles-permissions/cloudkms, accessed 2026-02-17
36. Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: EUROCRYPT. pp. 339–358 (2006)
37. Groth, J., Ostrovsky, R., Sahai, A.: New techniques for noninteractive zero-knowledge. Journal of the ACM 59(3), 11:1–11:35 (2012)
38. Karatsuba, A., Ofman, Y.: Multiplication of multidigit numbers on automata. Soviet Physics - Doklady 7, 595–596 (1963)
39. Katz, J.: Round-optimal, fully secure distributed key generation. In: CRYPTO. pp. 285–316 (2024)
40. Kelsey, J., Brandão, L.T.A.N., Peralta, R., Booth, H.: A reference for randomness beacons. Tech. Rep. NISTIR 8213 (2019)
41. Komlo, C., Goldberg, I., Stebila, D.: A formal treatment of distributed key generation, and new constructions. Cryptology ePrint Archive, Report 2023/292 (2023)
42. Küsters, R., Tuengerthal, M.: Universally composable symmetric encryption. In: IEEE Computer Security Foundations Symposium. pp. 293–307 (2009)
43. Lindell, Y.: Simple three-round multiparty Schnorr signing with full simulatability. Communications in Cryptology 1(1), 1–49 (2024)
44. Lindell, Y., Nof, A.: Fast secure multiparty ECDSA with practical distributed key generation and applications to cryptocurrency custody. In: ACM CCS. pp. 1837–1854 (2018)
45. Lueks, W., Hampiholi, B., Alpár, G., Troncoso, C.: Tandem: Securing keys by using a central server while preserving privacy. In: PETS. pp. 327–355 (2020)
46. Lysyanskaya, A., Rosenbloom, L.N.: Adaptive UC NIZK for practical applications. In: LATINCRYPT. pp. 76–108 (2025)
47. Lysyanskaya, A., Rosenbloom, L.N.: Universally composable σ-protocols in the global random-oracle model. In: TCC. pp. 203–233 (2022)
48. Martinico, L.: Trusted Execution for Private and Secure Computation: a Composable Approach. Ph.D. thesis, University of Edinburgh (2025)
49. Martinico, L., Kohlweiss, M.: AGATE: Augmented Global Attested Trusted Execution in the Universal Composability Framework. In: IEEE Computer Security Foundations Symposium (CSF). pp. 49–64 (2025)
50. Microsoft: Key types, algorithms, and operations - Azure Key Vault. https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys-details, accessed 2026-02-17
51. Pass, R., Shi, E., Tramèr, F.: Formal abstractions for attested execution secure processors. In: EUROCRYPT. pp. 260–289 (2017)
52. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: CRYPTO. pp. 129–140 (1991)
53. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: EUROCRYPT. pp. 387–398 (1996)
54. Rogaway, P.: Authenticated-encryption with associated-data. In: ACM CCS. pp. 98–107 (2002)
55. Schnorr, C.P.: Efficient identification and signatures for smart cards. In: CRYPTO. pp. 239–252 (1989)
56. Schnorr, C.P.: Efficient signature generation by smart cards. Journal of Cryptology 4, 161–174 (1991)
57. Shamir, A.: How to share a secret. Communications of the ACM 22, 612–613 (Nov 1979)
58. Shepherd, C., Markantonakis, K.: Trusted Execution Environments. Springer Cham (2024)
59. Shepherd, C., Markantonakis, K., v. Heijningen, N., Aboulkassimi, D., Gaine, C., Heckmann, T., Naccache, D.: Physical fault injection and side-channel attacks on mobile devices: A comprehensive analysis. Computers & Security 111, 102471 (2021)
60. Snetkov, N., Vakarjuk, J., Laud, P.: Universally composable server-supported signatures for smartphones. Cryptology ePrint Archive, Report 2024/1941 (2024)
61. Stadler, M.: Publicly verifiable secret sharing. In: International Conference on the Theory and Applications of Cryptographic Techniques. pp. 190–199 (1996)
62. Yao, A.C.: How to generate and exchange secrets. In: FOCS. pp. 162–167 (1986)
63. Zhang, X., Qin, K., Qu, S., Wang, T., Zhang, C., Gu, D.: Teamwork Makes TEE Work: Open and Resilient Remote Attestation on Decentralized Trust. IEEE Transactions on Dependable and Secure Computing (01), 1–16 (2024)
64. Zhang, Y., Qian, Y.: Randao: A DAO working as RNG of Ethereum (2019), https://github.com/randao/randao/

A Programmable Secure Hardware Integration

The main construction already assumes that USV certificate generation $Cert(pp, \cdot)$ is executed inside the KeyBox boundary and exports only $(C, \zeta)$. This appendix describes an optional additional hardening that further reduces exposure of other ephemeral scalars and group/field arithmetic in host memory by shifting (i) sampling of ephemerals and (ii) scalar multiplication with public points into the KeyBox/TEE. At a high level, the host is then restricted to routing public group elements, protocol transcripts, and ciphertexts, while the KeyBox performs ephemeral sampling and arithmetic and (optionally) authenticated encryption/decryption so plaintexts never leave the KeyBox boundary. Although this hardening is mostly written for TEEs (because they are a convenient programmable substrate), the profile applies to any KeyBox realization that can expose the same non-exporting ephemeral-handle operations without violating key-opacity/state-continuity.
Scope / proof compatibility. This profile is an implementation hardening and does not change the protocol transcript or acceptance predicate. Our UC analysis continues to apply to the baseline profile used in the main construction. UC-extractable consistency AoKs (whose straight-line extraction relies on observing the prover's gRO-CRP query log) remain generated outside the KeyBox as in the main protocol; moving those AoKs inside the KeyBox would require a different extraction mechanism/model.

Family | What matches $F_{KeyBox}$ | Profile adapter must forbid | Freshness / anti-rollback
TEE as restricted keystore | Minimal enclave exports only Load / Use; sealing to attestation-bound peer keys | Wrap/export under host-chosen keys; APIs returning share-deriving outputs; high-entropy failure channels | TPM/TEE counters, trusted time, or server freshness oracle
Attested enclave ↔ KMS | KMS authorizes use/sealing conditioned on enclave measurement/attestation | KMS export/wrap features; host-selected recipients; policy gaps | KMS-side monotonic state + server oracle
HSM (PKCS#11 allowlist) | Non-extractable objects; sealing/wrap only to trusted/pinned recipients | Caller-decryptable wrapping and key-deriving ops | HSM counters or external freshness
Endpoint keystore | Hardware-bound NXK keys + restricted built-in ops; optional attestation | Limited programmability; operation menu may not support custom subroutines | Platform counters/time + server oracle
TPM-assisted freshness | Provides monotonic primitives to bind sealed state to freshness | Integration complexity; counter exhaustion/availability | TPM NV counters / PCR-bound state

Table 7: Non-normative summary: common substrates for enforcing a KeyBox API profile.

Illustrative hardened interface (informal). Model this by augmenting the admissible KeyBox operation set $F_{adm}$ (Definition 3 (p. 12)) with ephemeral-handle arithmetic that outputs only public group elements. Let $\tau$ denote a type-tagged opaque handle to an ephemeral scalar $s \in \mathbb{Z}_p$ stored inside the KeyBox (similar in spirit to internal buf handles in $F_{KeyBox}$; Fig. 3 (p. 11)). Handles refer only to KeyBox-internal ephemeral state and are not interchangeable with long-term key slots.
– GenScalar() → $\tau$: sample $s \leftarrow \mathbb{Z}_p$ internally and return only the handle $\tau$.
– Mul($\tau$, $P$) → $Q$: for public $P \in G$, output $Q := sP$ (and optionally consume $\tau$).
– MulGen($\tau$) → $J$: output $J := sG$ (a wrapper for Mul($\tau$, $G$)).
– (Optional convenience) LinComb($\{(\tau_i, P_i)\}_{i=1}^{t}$, $\{\alpha_i\}_{i=1}^{t}$) → $Q$: for public $\alpha_i \in \mathbb{Z}_p$ and $P_i \in G$, output $Q := \sum_{i=1}^{t} \alpha_i \cdot s_i P_i$.
– (Optional; needed for RDR / any KeyBox-to-KeyBox transport of share-derived payloads) retain the sealing interfaces SealToPeer and OpenFromPeer so the host supplies only peer identity and associated data, and plaintexts never leave the KeyBox boundary.

Key-opacity intuition. Since the hardened interface returns only public group elements derived from fresh ephemerals and public inputs, its externally visible outputs remain simulatable given public information, aligning with the key-opacity assumption used throughout the paper.

B Candidate KeyBox Implementations and Profile-Capture Checklist

This appendix provides (i) concrete implementation classes that plausibly realize the KeyBox abstraction under a pinned profile, and (ii) an operational checklist for deriving/enforcing such a profile from vendor APIs. Table 7 (p. 65) summarizes candidate deployment families.

B.1 Candidate classes of implementations

The following implementation patterns are plausible realizations of the abstraction in Fig. 3 (p. 11), provided they are configured and constrained to enforce the intended KeyBox profile (Definition 3 (p. 12)) and do not silently expose mechanisms that violate key-opacity (Assumption 1 (p. 11)) or state continuity (Assumption 2 (p. 13)).
1. Dedicated TEEs as restricted keystores: Implement the KeyBox as a minimal enclave exposing only Load / Use endpoints. Approximate SealToPeer by pinning recipient keys to attested identities/measurements (e.g., HPKE-style sealing), and treat rollback/fork protection as an explicit subsystem (counters / trusted time / server freshness).
2. Attested enclave ↔ KMS / KMS-backed enclaves: Split "KeyBox logic" (enclave) from "policy enforcement" (KMS) so that key usage and sealing are authorized by attestation evidence and measurement-based policy, rather than host-supplied keys.
3. HSMs under a strict allowlist profile (PKCS#11-style): Use HSM non-exportability, but restrict mechanisms to a small allowlist that rules out share-deriving outputs and caller-decryptable wrap/export; if wrapping exists, constrain it to trusted/pinned recipients only (to preserve key-opacity).
4. Endpoint hardware-backed keystores: Platform keystores often match the "NXK + restricted operations" model, but typically expose a fixed operation menu; they therefore realize only those profiles reducible to built-in operations plus pinned sealing.
5. TPM-assisted freshness/anti-rollback: Even when the KeyBox is a TEE/enclave, TPM-backed monotonic primitives can supply the freshness mechanism needed to approximate state continuity in hostile host environments.
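The ephemeral-handle interface of Appendix A (GenScalar / Mul / MulGen / LinComb next to the long-term Load / Use(GetPub) slots), as an added toy Python model that is not the paper's code: it shows a profile adapter that returns only group elements, treats handles as type-tagged and consume-once, and refuses to accept a long-term key slot where a handle is expected. The group constants, the handle encoding and the error behaviour are assumptions of the sketch.

```python
"""Toy model of the hardened KeyBox interface sketched in Appendix A.

Added example, not the paper's code. Uses a constructed toy Schnorr group
(p = 1019, q = 509, generator g = 4) in multiplicative notation, so the
paper's sP reads here as P**s mod p and a sum of points reads as a product.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

P, Q, G = 1019, 509, 4      # constructed toy group (exponents live in Z_q)


class KeyBoxError(Exception):
    """Raised when the host requests something outside the admissible profile."""


@dataclass(frozen=True)
class Handle:
    """Type-tagged opaque reference to an ephemeral scalar held inside the KeyBox."""
    tag: str     # always "eph": handles never alias long-term key slots
    ref: int     # random identifier carrying no information about the scalar


class KeyBox:
    def __init__(self) -> None:
        self._slots: Dict[str, int] = {}      # long-term NXK key slots (Load target)
        self._eph: Dict[Handle, int] = {}     # ephemeral scalars reachable only via handles

    # ---- long-term slots: Load / Use(GetPub), as in the main construction ----
    def load(self, label: str, scalar: int) -> str:
        """Load: install a share once; returns ok/fail and never re-exports it."""
        if label in self._slots:
            return "fail"                     # write-once: no overwrite of an installed share
        self._slots[label] = scalar % Q
        return "ok"

    def get_pub(self, label: str) -> int:
        """Use(<label>, GetPub): returns PubMap(k) = kG; the scalar itself never leaves."""
        return pow(G, self._slots[label], P)

    # ---- hardened ephemeral-handle interface (Appendix A) ----
    def gen_scalar(self) -> Handle:
        """GenScalar(): sample s internally, hand back only the opaque handle."""
        h = Handle("eph", secrets.randbits(64))
        self._eph[h] = secrets.randbelow(Q - 1) + 1
        return h

    def _take(self, h: object, consume: bool) -> int:
        # Profile check: only typed ephemeral handles are accepted; a key-slot
        # label (or any other host-supplied value) is rejected outright.
        if not isinstance(h, Handle) or h.tag != "eph":
            raise KeyBoxError("only ephemeral handles are accepted; key slots are not handles")
        if h not in self._eph:
            raise KeyBoxError("unknown or already consumed handle")
        return self._eph.pop(h) if consume else self._eph[h]

    def mul(self, h: object, point: int, consume: bool = True) -> int:
        """Mul(tau, P): output Q = sP for a public group element P, optionally consuming tau."""
        if not (1 <= point < P) or pow(point, Q, P) != 1:
            raise KeyBoxError("public input is not an element of the prime-order subgroup")
        return pow(point, self._take(h, consume), P)

    def mul_gen(self, h: object, consume: bool = True) -> int:
        """MulGen(tau): wrapper for Mul(tau, G)."""
        return self.mul(h, G, consume)

    def lin_comb(self, pairs: Sequence[Tuple[object, int]], alphas: Sequence[int]) -> int:
        """LinComb: Q = sum_i alpha_i * s_i * P_i, consuming every handle involved."""
        if len(pairs) != len(alphas):
            raise KeyBoxError("one coefficient per (handle, point) pair is required")
        acc = 1
        for (h, point), alpha in zip(pairs, alphas):
            acc = acc * pow(self.mul(h, point), alpha % Q, P) % P
        return acc
```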
C Additional application: NXK-compatible commit–reveal randomness beacons

Many practical protocols (e.g., lotteries, leader election, and randomness beacons [21, 6, 64]) require a commit–reveal discipline and/or VSS/VDF to prevent adaptive choice/grinding: if parties were to publish their contribution $M_i := m_i G$ immediately, then a last-moving adversary can sample many candidate scalars $m_i$ after seeing the honest $M_j$'s and select one that biases a downstream predicate of the beacon (e.g., a target prefix), where the beacon is defined as $\pounds := \sum_i M_i$ (and typically $\rho := H(beacon, \langle sid, \pounds \rangle)$). In a classical commit–reveal design one would commit to $m_i$ and later open by revealing $m_i$, but in the NXK setting the scalar is non-exportable. USV provides an NXK-friendly alternative in which the opening is to the induced group element rather than to the scalar. Concretely, each party samples $m_i \leftarrow_{\$} \mathbb{Z}_p$ inside its KeyBox and computes a USV certificate $(C_i, \zeta_i) \leftarrow Cert(pp, m_i)$.
– Commit: broadcast only $C_i$ (keep $\zeta_i$ private).
– Reveal: broadcast $\zeta_i$. Anyone checks $V_{cert}(pp, C_i, \zeta_i) = 1$ and derives the canonical public contribution $M_i := Open_M(pp, C_i, \zeta_i) = m_i G$.
– Output: set $\pounds := \sum_i M_i$ and $\rho := H(beacon, \langle sid, \pounds \rangle)$.
Hence, each $M_i$ is a deterministic function of the public transcript via $(C_i, \zeta_i)$, so a verifier (and, in UC, the simulator/extractor) can compute the exact statement points used by the protocol in straight-line without ever extracting or exporting $m_i$. At the same time, withholding $\zeta_i$ until the reveal phase restores the usual commit–reveal discipline (the adversary cannot choose $m_i$ as a function of others' revealed contributions), while remaining fully compatible with non-exportable scalars.