Information Technology Reference
In-Depth Information
3)
Verify that
eT
(,)
Ω=
eT
( /, )
T g
.
2
3
1
2
′
=
4)
If
bsn
≠⊥
, set
J
:H(
bsn
)
and compute
0
t
=
H(
JKTT
,
||
||
||
)
2
α
1
2
′
:
t t
′
t t
TK
′
=
t
=
H (
J
||
K
||
T
||
T
)
,
VTJ
=⋅
and
W
′ =
:
⋅
; Otherwise set
VT
0
1
0
1
1
2
1
β
1
2
′
=
UV W
−
′
′
s
′
c
and
WT
.
Computes
:
=⋅
and
verify
that:
f
1
′
c
=
If any of the above verification fails, return 0 (reject), otherwise, return 1(accept).
H (H (
T
||
T
||
T
||
n
||
bsn
) ||
K
||
U
||
m
||
n
).
3
1
1
2
3
V
T
5.5
The Link Algorithm
This algorithm is run by a given verifier
who has a set of non-null basenames in
order to determine if the pair of signatures was produced by the same TPM. Signa-
tures can only be linked if they were produced by the same TPM and the signer
wanted them to be able to be linked together. On input a tuple
((
m
,
σ
),
00
(,
mbsn ipk
σ
,
,
)
, the algorithm performs the following steps:
11
, run the verification algorithm. If ei-
ther of two verification returns 0, output
⊥
(invalid).
2)
For each signature
σ
where
b
∈
{0,1}
1)
b
If
(, )
JK
∈
σ
are the same as
(, )
JK
∈
σ
, output 1 (linked), otherwise out-
0
1
put 0 (unlinked).
6
Security Proof and Performance
6.1
Security Proof
In this subsection, we will state the security results for our DAA scheme under the
definitions of security notions in section 2.2. We argue that our DAA scheme is se-
cure, i.e., correct, user-controlled anonymous and user-controlled traceable.
Theorem 2.
The DAA scheme specified in section 5 is correct.
Proof
. This theorem follows directly from the specification of the scheme.
Theorem 3.
Under the XDH assumption, our DAA scheme is user-controlled ano-
nymous. More specifically, if there is an adversary
that succeeds with a non-
negligible probability to break the user-controlled anonymity game, then there is a
simulator
running in polynomial-time that solves the XDH problem with a non-
negligible probability.
Proof
. In our DAA scheme, since there are two types of signatures depend on the
basename is empty or not, we use the following two lemmas to prove this theorem.
Lemma 1.
If the basename is empty, our DAA scheme meets anonymity under the
XDH assumption.
x
y
uz
as input where
Proof
. Given a XDH problem ( ,
uv
=
u w
,
=
,)
u
∈
,,
xy
∈
1
p
and either
zu
=
xy
or
z
is a random element in
,
decides which
z
was given by
interacting with
as follows.
