Research and implement decryption share verification for simple tDec

[piotr-roslaniec]

• Originally mentioned in Ensure presence and correctness of validity checks #31 and backlogged.
• In plain words: "Prove or verify between decryption share, commitment and something public associated to the node's private share"
• Needed to figure out which Ursulas is responsible after final decryption fails
• Dependency of tpke security, isn't covered by verify_full from ferveo

[cygnusv]

Private info (server side)

• Blinding key $dk_i$, a random scalar Fr, ("validator's private key")
• Aggregated share $Z_i$, where $Z_i = dk_i^{-1} Y_i$, (tpke::private_key_share)

Public information

• Blinding public key $ek_i$, where $ek_i = dk_i H$
• Blinded aggregated share $Y_i$, where $Y_i = y_i\ ek_i = y_i\ dk_i H$, (note that $Y_i$ is an aggregate from multiple PVSS)

Request

• Requester has ciphertext commitment $U$ and sends it to servers
• Each server returns two values:
  • Decryption share $D_i = e(U, Z_i)$
  • Checksum value $C_i = dk_i^{-1} U$
• Requester uses $D_i$ values to combine
  • If the combination is successful, congratulations.
  • Otherwise, check 2 equations:
    • $D_i == e(C_i, Y_i)$
    • $e(C_i, ek_i) == e(U, H)$
    • If both equations don't hold, server $i$ returned an incorrect decryption share or checksum value.

---

Request - Light subvariant

• Requester has ciphertext commitment $U$ and a scalar $\lambda$, and sends it to servers
• Each server returns two values:
  • Decryption share $D_i = e(\lambda \cdot U, Z_i)$
  • Checksum value $C_i = dk_i^{-1} U$
• Requester uses $D_i$ values to combine
  • If the combination is successful, congratulations.
  • Otherwise, check 2 equations:
    • $D_i == e(\lambda \cdot C_i , Y_i)$
    • $e(C_i, ek_i) == e(U, H)$
    • If both equations don't hold, server $i$ returned an incorrect decryption share or checksum value.

[cygnusv]

For pessimistic case see issue #36