Information Technology Reference
In-Depth Information
r
←
and sets
*
p
r
*
bsn
to de-
queries,
chooses a random
H(
bsn
):
=
u
. We use
note the
i
unique query.
Hash
: Let
q
be the expected number of hash queries of H
1
and H
3
. If the query
string
str
has been queried,
returns the previously queried result to ensure consis-
tency. Otherwise,
chooses a random uniformly at random from
(the result of
*
H, H).
SndToS
:
requests for creating a new signer with
ID
. Let
q
j
be the expected num-
ber of joining requests from
. There are two cases for
to respond:
Case
1: If the query
and
simulates
's view by using the black-box simulation technique of theorem 1.
stores
*
ii
s
D
∈∈
,
s
*
=
,
lets
sigk
=
(
D
,
D
)
where
R1
R
p
*
s
DD
(
ID
,
⊥
,
(, )
in L
j
where
*
ID
denotes the identity of this signer, and
*
adds
ID
→ .
Case
2: If the query
HS
, runs the Join/Issue pro-
tocol as the signer by interacting with
as the issuer, and obtains
/ (
*
ii
f
←
*
p
≠
,
chooses a random
f
f
+
γ
)
1/ (
f
+
γ
)
ID
→
HS
sigk
=
(
g
,
g
)
.
stores (,
ID f
,
sigk
)
in L
j
and adds
.
Sig
: Given a signer's identity
ID
, a message
m
to be signed, a nonce
n
from
,
a basename
bsn
,
responds with a DAA signature
˃
as follows:
Case
1: If the identity
,
finds the corresponding secret key
sk
and sign-
ing key
sigk
associated with
ID
in L
j
, runs the Sign protocol and outputs
˃
to
. Then
stores (
ID
,
m
,
˃, bsn
) in L
S
.
Case
2: If the identity
ID
≠
ID
*
ID
=
ID
*
,
needs to forge a DAA signature as follows:
*
a
′
∈
1)
If
bsn
=
bsn
,
aborts and outputs
R
{0,1}
. Otherwise,
researches the
r
:
r
log of H
2
queries and retrieves
r
where
H(
bsn
):
=
u
.
sets
Ju
=
and
:
r
K
= .
2)
chooses a random
, computes
1
:(
st
TD
⋅
2
:
t
t
←
=
,
TD
=
,
p
TD
γ
ts
(
+
)
3
:
=
.
3)
computes
t
=
H (
J
||
K
||
T
||
T
)
and
1
t
=
H(
JKTT
, and
||
||
||
)
0
α
1
2
β
1
2
:
t t
:
t t
sets
VTJ
=⋅
,
WTK
=⋅
.
0
1
0
1
κ
4)
picks a nonce
n
←
(0,1)
and
cs
∈
,
, then computes
f
R
p
UV W
−
s
c
:
=⋅
.
f
5)
patches
the
oracle
H
3
by
setting
H(H( |
T
3
1
1
TTn nKUmn
||
||
||
) ||
||
||
||
)
=
c
.
If
H (H (
TT
||
||
2
3
V
M
3
1
1
2
Tn nKUmn
3
||
||
) ||
||
||
||
)
has been queried before,
aborts and outputs
V
M
a
′
∈
.
6)
forwards the signature
R
{0,1}
σ =
:(, , , ,, ,
f
TT T Kcs
nn
to
.
stores
, )
VM
123
*
,
(
ID m
,
˃, bsn
) in L
S
.
SIGK
: We assume that
has already made the
SndToS
queries with the identity
ID
, then
responds with the signing key corresponding to
ID
in L
j
.
SK
: If a query is for a signer
, then
responds with the signer secret key
corresponding to
ID
in L
j
, removes
ID
from HS and adds
ID
in CS. Otherwise,
ab-
orts and outputs
ID
≠
ID
*
a
′
∈
.
Ch
:
outputs a message
m
, a basename
bsn
and two identities
R
{0,1}
(
ID
,
ID
)
. If
0
1
*
*
∉
HU
bsn
≠
bsn
or
ID
∉
(
ID
,
ID
)
or
(
ID
,
ID
)
, then
aborts and outputs
0
1
0
1
a
′
∈
*
R
{0,1}
. Otherwise,
picks
b
∈
{0,1}
such that
ID
=
ID
, and generates a DAA
b
*
signature
σ
for
m
by performing the following steps: