User-Controlled Traceability. The definition of user-controlled traceability requires two security properties in the DAA scheme. The first is unfakeability, which means that no adversary can create a valid DAA signature under a faked signing key. The second is user-controlled linkability, which means that, given a single basename, it is hard for an adversary to generate two different DAA signatures under the same signer secret key and the same basename while the output of the algorithm Link is 0 (unlinked). We define $\mathrm{Adv}^{\mathrm{trace}}(\kappa) = \Pr[\mathrm{Game}^{\mathrm{trace}}(\kappa) = 1]$ and say that the DAA scheme has user-controlled traceability if $\mathrm{Adv}^{\mathrm{trace}}(\kappa)$ is negligible in $\kappa$ for any polynomial-time adversary. The game $\mathrm{Game}^{\mathrm{trace}}(\kappa)$ is defined as below:
Attack-Game $\mathrm{Game}^{\mathrm{trace}}(\kappa)$:
(,
ipk isk
) t 1 ;CS
k
φ
;HS
φ
Case 1: // Unfakeability.
(,,
m nID
σ
, )

(
i k
:
,
,
)
SndTol
AddS
SK
If Verify(ipk, $m$, $\sigma$, RL, bsn) $= 1 \wedge$ ID CS then return 1.
Case 2: // User-controlled linkability
(,
m
σσ
,
m
,
,
bsn ID
,
)
 AddS
( :
ipk
,

,
)
0011
l
SK
If Link(ipk, $m_0$, $\sigma_0$, $m_1$, $\sigma_1$, bsn) $= 0 \wedge$ bsn $\neq \perp$ then return 1.
Return 0.
3 Preliminaries
3.1 Bilinear Groups and Complexity Assumptions
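Bilinear Groups. Bilinear groups are a set of three groups $\mathbb{G}_1$, $\mathbb{G}_2$ and $\mathbb{G}_T$, of order $p$, along with a bilinear map $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$. We write $\mathbb{G}_1 = \langle g_1 \rangle$, $\mathbb{G}_2 = \langle g_2 \rangle$ for two explicitly given generators $g_1$ and $g_2$, and define $\mathrm{par}_{\mathrm{Bilinear}} = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, g_1, g_2)$ to be the set of pairing group parameters. The function $e$ must have the following three properties.
Bilinearity: $\forall f_1 \in \mathbb{G}_1$, $\forall f_2 \in \mathbb{G}_2$ and $\forall a, b \in \mathbb{Z}$, we have $e(f_1^a, f_2^b) = e(f_1, f_2)^{ab}$;
Non-degeneracy: The value $e(g_1, g_2)$ generates $\mathbb{G}_T$;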
Computability: The function e is efficiently computable.
Following [26], there are three distinct types of bilinear groups; in this paper we consider type-3 pairings. This type is the asymmetric setting in which $\mathbb{G}_1 \neq \mathbb{G}_2$ and there is no known efficiently computable isomorphism between $\mathbb{G}_1$ and $\mathbb{G}_2$. For a security parameter $\kappa$, we let $\mathrm{Setup}_{\mathrm{Bilinear}}(1^\kappa)$ denote an algorithm which produces a pairing group instance $\mathrm{par}_{\mathrm{Bilinear}}$ of type-3.
In these groups, we rely on hardness assumptions that are all falsifiable.
Definition 1 (eXternal Diffie-Hellman (XDH) assumption). The XDH assumption [25] holds in Bilinear, if the following probability is negligible in the security parameter $\kappa$, for all adversaries and all parameter sets $\mathrm{par}_{\mathrm{Bilinear}}$ output by $\mathrm{Setup}_{\mathrm{Bilinear}}(1^\kappa)$: