, but the secret value sk is only known to the signer. Formally, the protocol can be written as:

Join/Issue(In: (ipk, sk), In: (ipk, isk)) → Out: sigk.

Sign: The protocol consists of two interactive algorithms, which implement the two parties' sides of the interaction respectively. The input of the first is (sk, ipk), and that of the second is a message m that includes the data to be signed, a verifier's nonce n for freshness, a basename bsn (the name string of the verifier or a special symbol ⊥) and ipk, sigk. The final output, produced by the second side, is a randomized signature σ on m under (sk, sigk) associated with bsn. The basename bsn is used for controlling the linkability. Formally, the protocol can be written as:

Sign(In: (ipk, sigk, m, n, bsn), In: (sk, ipk)) → Out: σ.

Verify: On input of m, bsn, a candidate signature σ for m, and a set RL of revoked signers' secret keys, the verifier uses this deterministic algorithm to return either 1 (accept) or 0 (reject). How to build the rogue list RL is out of the scope of the DAA scheme. Formally, the algorithm can be written as:

Verify(ipk, m, bsn, RL, σ) → 1/0.
Link: On input of two message-signature pairs (m_0, σ_0) and (m_1, σ_1), the verifier uses this deterministic algorithm to return 1 (linked), 0 (unlinked) or ⊥ (invalid signatures). Link will output ⊥ if, by using an empty RL, either Verify(m_0, σ_0) or Verify(m_1, σ_1) returns 0 (reject). Otherwise, Link will output 1 if the signatures can be linked or 0 if they cannot be linked. Formally, the algorithm can be written as:

Link(ipk, σ_0, m_0, σ_1, m_1, bsn) → 1/0.
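To make the Sign, Verify and Link interface above concrete, the following is an added toy model in Python; it is not code from the paper and not a DAA scheme. The issuer credential sigk and its membership proof are left out, so a "signature" here is only a Schnorr proof of knowledge of the sk behind the pseudonym K = B^sk over a toy-sized group (constructed, insecure parameters), while the basename bsn, the rogue list RL and the ⊥ output of Link behave as the definitions above describe.

```python
import hashlib
import secrets

# Toy group: the order-Q subgroup of Z_P^* with P = 2Q + 1 (constructed, toy-sized, NOT secure).
P, Q = 1019, 509
BOTTOM = None  # stands in for the special basename symbol ⊥

def H(*parts) -> int:
    h = hashlib.sha256()
    for x in parts:
        h.update(str(x).encode() + b"|")
    return int.from_bytes(h.digest(), "big")

def base_for(bsn):
    # bsn = ⊥: a fresh random base, so signatures are unlinkable;
    # otherwise a base derived from bsn, so all of a signer's signatures under bsn share K.
    seed = secrets.randbelow(P - 3) + 2 if bsn is BOTTOM else H("base", bsn) % (P - 3) + 2
    return pow(seed, 2, P)  # squaring lands in the order-Q subgroup and never yields 1

def sign(sk, m, n, bsn):
    B = base_for(bsn)
    K = pow(B, sk, P)                     # pseudonym (the B^sk analogue of a DAA signature)
    r = secrets.randbelow(Q)
    c = H("sig", B, K, pow(B, r, P), m, n, bsn) % Q   # Fiat-Shamir challenge binding m and nonce n
    s = (r + c * sk) % Q
    return {"B": B, "K": K, "c": c, "s": s, "n": n}

def verify(m, bsn, sigma, RL) -> int:
    """Verify(ipk, m, bsn, RL, σ) → 1/0, minus the credential check this toy omits."""
    B, K, c, s = sigma["B"], sigma["K"], sigma["c"], sigma["s"]
    if bsn is not BOTTOM and B != base_for(bsn):
        return 0                          # signer did not use the verifier's basename
    R = pow(B, s, P) * pow(K, -c, P) % P  # equals B^r for an honest signer
    if H("sig", B, K, R, m, sigma["n"], bsn) % Q != c:
        return 0
    # rogue list: a revoked sk' produced this signature iff K == B^sk'; this works even when bsn = ⊥
    return 0 if any(pow(B, rk, P) == K for rk in RL) else 1

def link(pair0, pair1, bsn):
    """Link(ipk, σ0, m0, σ1, m1, bsn) → 1/0, or ⊥ if either signature fails Verify with empty RL."""
    (m0, s0), (m1, s1) = pair0, pair1
    if verify(m0, bsn, s0, []) == 0 or verify(m1, bsn, s1, []) == 0:
        return BOTTOM
    return 1 if bsn is not BOTTOM and s0["K"] == s1["K"] else 0
```

Two signatures by the same sk under the same bsn share K and link; under bsn = ⊥ they do not, yet a signature is still rejected once its sk is placed on RL.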
2.2 Security Model of DAA

We use the game-based model to formalize our security notions of DAA. In our enhanced security model of DAA, a DAA scheme must satisfy the notions of correctness, user-controlled anonymity and user-controlled traceability.

To define these notions, we need to present a series of oracles that an adversary can access. All oracles maintain the following global variables: a set HS of honest signers, a set CS of corrupted signers, a set Ch_ID of challenge IDs and a list L_S of Sign queries. All the sets and lists are assumed to be initially empty.
AddS: By calling this add signer oracle with an identity ID, the adversary can create an honest signer ID. The oracle adds ID to the set HS of honest signers, and generates a signer secret key sk_ID for ID. Then it executes the Join/Issue protocol on behalf of ID and the issuer. Its final state is recorded as the signing key sigk_ID for ID.

SndToI: The adversary can use this send to issuer oracle to impersonate a signer ID ∈ CS and engage in a Join/Issue protocol with the honest, Issue-executing issuer. The oracle computes a response as per Issue and returns the outgoing message to the adversary.

SndToS: The send to signer oracle can be used by the adversary to engage in a Join/Issue protocol with an honest, Join-executing signer, itself playing the role of the issuer. On successful completion of the Join/Issue protocol the oracle adds ID to HS and sets the DAA signing key sigk_ID of ID to Join's final state. Since the internal state of the signer ID is exposed, the adversary knows the corresponding sigk_ID and is able to make DAA signatures on behalf of the signer.