SigK: Calling this signing key oracle enables the adversary to obtain the DAA signing key of signer ID. The signer remains honest.
SK: The adversary can call this signer secret key oracle to obtain the signer secret keys of signer $ID \in HS$, and then the oracle moves ID from HS to CS.
Sig: The signing oracle, enabling the adversary to specify the identity ID of a signer, a message m and a basename bsn, and obtain the DAA signature of m under the signing key $sigk_{ID}$ of ID, as long as ID is an honest signer whose DAA signing key is defined.
Ch: The adversary sends a pair of honest identities $(ID_0, ID_1)$, a message m and a basename bsn to the challenge oracle and gets back a DAA signature $\sigma$ by the signer $ID_b$, $b \xleftarrow{R} \{0,1\}$.
Correctness. The DAA signatures generated by honest signers are accepted by verifiers. In addition, two DAA signatures generated by the same signer with the same basename can be linked. To formalize this, we define $\mathrm{Adv}^{\mathrm{corr}}(\kappa) = \Pr[\mathrm{Game}^{\mathrm{corr}}(\kappa) = 1]$ and we say that the DAA scheme is correct if $\mathrm{Adv}^{\mathrm{corr}}(\kappa) = 0$ for all adversaries and $\kappa \in$ . The game $\mathrm{Game}^{\mathrm{corr}}(\kappa)$ is defined as below:
Attack-Game $\mathrm{Game}^{\mathrm{corr}}(\kappa)$:
  $(ipk, isk) \leftarrow 1^{\kappa}$; $HS \leftarrow \phi$; $(ID, m_0, m_1, bsn) \leftarrow \mathcal{A}(ipk : \mathrm{AddS})$;
  If $ID \notin HS$ then return 0; If $sigk_{ID} =$ then return 0.
  $\sigma_0 \leftarrow \mathrm{Sign}(\ : (ipk, sigk_{ID}, m_0, n, bsn),\ : (sk_{ID}, ipk))$;
  $\sigma_1 \leftarrow \mathrm{Sign}(\ : (ipk, sigk_{ID}, m_1, n, bsn),\ : (sk_{ID}, ipk))$;
  If $\mathrm{Verify}(ipk, m_0, bsn, RL, \sigma_0) = 0$ then return 1.
  If $\mathrm{Verify}(ipk, m_1, bsn, RL, \sigma_1) = 0$ then return 1.
  If $bsn \neq \bot$ and $\mathrm{Link}(ipk, \sigma_0, m_0, \sigma_1, m_1, bsn) = 0$ then return 1.
  Return 0.
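The correctness game above, run as an added Python example (not code from the book). The toy scheme is an assumption: a linkable Schnorr-style tag over a constructed 11-bit group with no issuer, so ipk, isk, sigk and the nonce n are omitted and only Sign, Verify, Link, RL and the AddS oracle keep the page's roles.

```python
import hashlib, secrets

# Constructed toy group, far too small for real use: P = 2Q + 1, G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4

def _h(*parts):
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def base(bsn):
    """Per-basename generator J; a fresh random one when bsn is None (the page's bottom symbol)."""
    if bsn is None:
        return pow(G, 1 + secrets.randbelow(Q - 1), P)
    return pow(2 + _h("base", bsn) % (P - 3), 2, P)    # square of 2..P-2: order Q, never 1

def sign(sk, m, bsn):
    J = base(bsn)
    K, r = pow(J, sk, P), secrets.randbelow(Q)         # K = J^sk is the linkable tag
    c = _h(J, K, pow(J, r, P), m) % Q
    return (J, K, c, (r + c * sk) % Q)

def verify(m, bsn, rl, sig):
    J, K, c, s = sig
    if bsn is not None and J != base(bsn):
        return 0
    if any(pow(J, x, P) == K for x in rl):             # signer secret key is on RL
        return 0
    T = pow(J, s, P) * pow(K, Q - c, P) % P            # J^s * K^(-c) recovers the commitment
    return int(c == _h(J, K, T, m) % Q)

def link(s0, m0, s1, m1, bsn):
    ok = verify(m0, bsn, [], s0) and verify(m1, bsn, [], s1)
    return int(bool(ok) and s0[1] == s1[1])             # same signer and basename => same K

def game_corr(adversary):
    """Game^corr from the page: returns 1 only if an honest signer's signatures misbehave."""
    hs, keys = set(), {}
    def add_s(ident):                                   # AddS oracle: enrol an honest signer
        hs.add(ident)
        keys[ident] = 1 + secrets.randbelow(Q - 1)
    ident, m0, m1, bsn = adversary(add_s)
    if ident not in hs or ident not in keys:            # not honest, or signing key undefined
        return 0
    s0, s1 = sign(keys[ident], m0, bsn), sign(keys[ident], m1, bsn)
    if verify(m0, bsn, [], s0) == 0 or verify(m1, bsn, [], s1) == 0:
        return 1
    if bsn is not None and link(s0, m0, s1, m1, bsn) == 0:
        return 1
    return 0
```

A scheme is correct in the page's sense when `game_corr` returns 0 for every adversary callback, whatever identity, messages and basename it chooses.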
User-Controlled Anonymity. The definition of user-controlled anonymity requires two security properties in the DAA scheme. The first one is anonymity: no adversary can reveal the identity of the signer from its signature without the signer's secret key sk. The second property is user-controlled unlinkability: given two signatures $\sigma_0$ and $\sigma_1$ associated with two different basenames, it is infeasible for an adversary to distinguish whether or not the two signatures are generated by the same signer. We define $\mathrm{Adv}^{\mathrm{anon}}(\kappa) = |\Pr[\mathrm{Game}^{\mathrm{anon}}_b(\kappa) = 1] - 1/2|$ and say that the DAA scheme has user-controlled anonymity if $\mathrm{Adv}^{\mathrm{anon}}(\kappa)$ is negligible in $\kappa$ for any polynomial-time adversary. The game $\mathrm{Game}^{\mathrm{anon}}_b(\kappa)$ is defined as below:
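Attack-Game $\mathrm{Game}^{\mathrm{anon}}_b(\kappa)$: // $b \xleftarrow{R} \{0,1\}$
  $(ipk, isk) \leftarrow 1^{\kappa}$; $CS \leftarrow \phi$; $HS \leftarrow \phi$;
  $b' \leftarrow \mathcal{A}(ipk, isk : \mathrm{SndToS}, \mathrm{SigK}, \mathrm{SK}, \mathrm{Sig}, \mathrm{Ch})$;
  If $b = b'$ then return 1 else return 0.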