Information Technology Reference
In-Depth Information
SK
: If a query is for a signer with
ID
, then
responds with the signer secret key
corresponding to
ID
in L
j
and moves
ID
from HS to CS.
Output.
Finally,
outputs a signer with
ID
, a message
m
, a basename
bsn
and a
DAA signature
˃
. There are two cases as defined by the user-controlled-traceability in
section 2.2:
Case
1: If
˃
can be successfully verified, i.e., Verify(
ipk m
,
,
σ
,
RL,
bsn
)
=∧
1
ID
∉
CS,
can rewind
to extract the underlying signer secret key
*
*
*
′
x
/ (
γ +
x
)
′
1/ (
γ +
x
)
sk
=
x
and signing key
sigk
=
(
g
,
g
)
by making use of the forking
1
1
lemma[29].
a).If
x
*
∉
{
x
, }
a
∧
sigk
*
∉
{
sigk
,...,
sigk
,
sigk
}
,
can
compute
i
i
=
1,
,
q
−
1
1
q
−
1
*
*
*
′
1/ (
γ
+
x
)
θ
⋅
f
(
γ
) / (
γ
+
x
)
g
θ
bC
⋅⋅
(/(
γ
+
xu
) ( )
+
γ
q
i
−
=
1
0
i
g
=
g
=
where
u
()
γ
=
c
⋅
γ
for
1
1
1
i
c
,
and
,
q
c
−
∈
C
∈
is a constant.
generates a SDH instance as follows:
*
0
1
p
p
i
′
1/(
γ
+
x
)
1/
b
⋅
θ
q
−
1
γ
−
c
1/
C
1/(
γ
+
x
)
Dg
=
((
)
⋅ ∏
(
g
)
)
=
g
.
i
1
i
=
0
1
1
*
x
*
∉
{,}
i
x
a
∧
sigk
*
=
sigk
gg
γ +
′
b
′
1/ (
x
)
b).If
,i.e.,
=
,
can use the same me-
i
=
1,
,
q
−
1
1
*
γ +
.
Case
2. If
bsn
≠⊥ ,
wins in this case if there exists another signature σ ′ for
1/ (
x
)
*
thod as the case a) to generate a SDH instance
(
g
,
x
)
1
m
′
by
the
same
signer
using
the
same
basename
bsn
that
′
′
Link(
ipk m
,
,
σσ
,
m
,
,
bsn
)
=
0
. Since the same
bsn
is used,
JJ
′
=
. However, two
signatures are unlinkable, thus
KK
′
≠
. This means
managed to create different
sk
and
sigk
for the same signer.
can use the same method as
Case 1
-a) to extract a
different
sigk
or as
Case
1-b) to extract an expected
sigk
, thus obtain an extra SDH
pair.
can also solve the
q
-SDH problem in this case.
In either of the above two cases,
can solve the
q
-SDH problem with a non-
negligible probability if
can wins the game with a non-negligible probability.
6.2
Performance
In this section, we compare our DAA scheme with the existing DAA schemes in the
signature length and the computational cost. At the beginning of the performance
comparison of each scheme, we need to define the security parameters of different
DAA schemes [4, 14, 17, 20, 21, 31]
at the 128-bit security level.
The security parameters are defined as follows: 1) Bilinear groups. Our scheme
makes use of the efficient BN elliptic curve algorithm [30], where the length of prime
p
is
l
=
255bits
at the 128-bit security level. According to this, the length of element
p
in
is 256 bits, and in
is 3072 bits, and the resulting length of the hash function
is
l
=
255.
2) RSA groups. At the 128-bit security,
l
=
2048
and
l
ρ
=
208
. The
H
corresponding lengths of parameters in [4] are
l
=
368
,
l
′
=
120
,
l
=
2536
and
l
=
respectively.
For the computational cost: 1) For the ECC-based DAA schemes, we denote the cost
of single-exponentiation and multi-exponentiation in
160
H
m
i
as G
,
,
(
i
=
1, 2,
T
)
1
2
T
m
=
1
m
>
1
respectively where
for single-exponentiation
, otherwise,
. In additions, we
let
G
iL
denote the cost of an exponentiation in the group with the size of the expo-
nent being
L
. Using BN elliptic curve [15], the computational cost in
()
is more than
13 times than that in
, and the computational cost in
is more than 3 times than
that in
. In addition, we denote exponentiation computation of single pairing as
P
,