Information Technology Reference
In-Depth Information
κ
Initialization.
performs the Setup(1 )
algorithm to generate the public key and pri-
vate key of the issuer, i.e.,
(,
((
,
,
,
peg g
, ,
,
,H ,H ,H ,H ,H ,
ipk isk
:
=
1
2
T
1
2
1
2
3
αβ
and sends
ipk
and
isk
to
.
To maintain consistency between queries made by
,
keeps the lists: L
j
and L
S
.
Each item of L
j
is (
ID
,
sk
,
sigk
), and each item of L
s
is (
ID
,
m
,
˃
).
Hash
: Let
q
be the expected number of hash
queries. If the query string has been
queried,
returns the previously queried result to ensure consistency. Otherwise,
chooses a value uniformly at random from
*
(the result of H, H).
SndToS
:
requests for creating a new signer with
ID
. Let
q
j
be the expected num-
ber of Join/Issue requests from
.
chooses a random
Ω
),
γ
)
i
←{1, …,
q
j
}. There are two
cases for
to respond:
Case
1: If the query
u
and simulates
's view by using
the black-box simulation technique of theorem 1.
stores
*
ii
,
lets
=
sigk
=
(,
v
*
(
ID
,
⊥
, ( , ))
u v
in L
j
where
*
ID
denotes the identity of this signer, and adds
*
ID
→
HS
.
*
p
, runs the Join/Issue proto-
col as the signer by interacting with
as the issuer, and obtains
/ (
*
ii
,
chooses a random
f
←
Case
2: If the query
≠
f
f
+
γ
)
1/ (
f
+
γ
)
.
stores (,
ID
→
HS
sigk
=
(
g
,
g
)
ID f
,
sigk
)
in L
j
and adds
.
Sig
: Given a signer's identity
ID
, a message
m
to be signed, a nonce
n
from
,
responds with a DAA signature
˃
as follows:
Case
1: If the identity
,
finds the corresponding secret key
sk
and sign-
ing key
sigk
associated with
ID
in L
j
, runs the Sign protocol and outputs
˃
to
. Then
stores (
ID
,
m
,
˃
) to L
s
.
Case
2: If the identity
*
ID
≠
ID
*
,
needs to forge a DAA signature as follows:
ID
=
ID
*
p
Tvu
⋅
r
x r
2
:
r
Tv
γ ⋅
r
r
1)
selects a random
r
∈
, computes
1
:
==
,
Tu
=
,
3
:
=⋅
=
rx
(
+
γ
)
u
and sets
:
VT
=
,
WT
=
.
2
1
κ
c
,
2)
picks a nonce
n
←
(0,1)
and
s
∈
, then computes
f
R
p
UV W
−
s
c
:
=⋅
.
3)
patches the oracle H
3
by setting
f
H (H (
TT
||
||
Tn Umn
3
||
) ||
||
||
)
=
c
.
3
1
1
2
V
M
If
H (H (
TT T n Um
||
||
||
) ||
||
||
n
)
has been queried before,
aborts and out-
3
1
1
2
3
V
puts
.
4)
forwards the DAA signature
a
′ ∈
R
{0,1}
σ =
:(, , ,, ,
f
TT T cs
nn
to
. Then
, )
VM
123
*
,
stores (
ID m
,
˃
) to L
S
.
SIGK
: We assume that
has already made the
SndToS
queries with the identity
ID
, then
responds with the signing key corresponding to
ID
in L
j
.
SK
: If a query is for a signer
, then
responds with the signer secret key
corresponding to
ID
in L
j
, removes
ID
from HS and adds
ID
in CS. Otherwise,
ab-
orts and outputs
ID
≠
ID
*
.
Ch
:
submits a message
m
and two identities
a
′ ∈
R
{0,1}
*
(
ID
,
ID
)
. If
ID
∉
(
ID
,
ID
)
or
0
1
0
1
(
ID
,
ID
1
)HS
∉
, then
aborts and outputs
a
′ ∈
R
{0,1}
. Otherwise,
picks
b
∈
{0,1}
0
*
such that
ID
=
*
ID
, and generates a DAA signature
σ
for
m
by performing the
b
following steps:
1)
picks a random
1
:
r
2
:
r
r
γ ⋅
r
r
∈
, computes
Tz
=
,
Tw
=
,
Tz
3
:
=⋅
, and
Rp
sets
:
VT
=
,
WT
=
;
2
1