Information Technology Reference
In-Depth Information
and let P
m
denote the cost of a batch pairing verification of
m
pairings, as described in
[18, 32]. Obviously, the computational cost of pairing is much more than that in the
groups. 2) For the RSA-based DAA schemes, as above, we denote the computation of
single-exponentiation and multi-exponentiation in
as G
i
,
(
i
=
N
,
ρ
)
respective-
N
ρ
ly. Note that the cost of the exponent computation in the group
is almost the same
as that in the group
, see [15]. Besides, we denote the number of the entries in the
rogue list RL as
n
.
Note that the computational cost of Join/Issue protocol is not compared in this pa-
per, due to that the number of the executed Join/Issue protocol is much less than that
of the Sign protocol. From the table 1, we can see that our scheme has lower compu-
tational cost than the existing DAA schemes. In the signing phase, for the TPM, when
linkability is not requested (i.e.,
bsn
=⊥ ) our scheme needs to perform only one expo-
nentiation and when linkability is requested (i.e.,
bsn
≠⊥ ) it needs to compute just
two exponentiations. We let
1G / 2G denote the cost of this computation; For the
host, our scheme needs to compute only three exponentiations (unlinkability) or near-
ly four exponentitions (linkability) in Sign protocol. We use
1
1
3G / 3G
+
1G
L
2
1
1
1(
)
(
L
< ) to denote the cost of this computation. And compared with other DAA
schemes in the computational cost aspect of the verification algorithm, our scheme is
also better, due to our scheme only needs one pairing equation.
At the length aspect of DAA signature, from the table 1 we can observe that the
signature length in our scheme is the minimum. When it does not request linkability,
the signature length is just 1278 bits, and when it requests linkability, the signature
length is just 1534 bits.
p
Table 1.
The Comparisons between our DAA scheme and other DAA schemes in
Computational Cost and Signature Length
)C000
1+
ρ
+
+
1
+
ρ
+++ +
+
+
)
)+
1
+
+
)
+
)+
+
+
B
+
+
.""5
ρ
ρ
ABA
1+
1+ D+
+
19
+
)
++++
)+
1
09
=
+
."65
1+
+
)+
)
++
9
+
"955A
)CB
)+
+
+
1
)
)
"5
)
+
+
+
+
+++
+
+
9D+
)C1
)
1+
+++
)
)
)
+
+
+
9
+
+++
+
+
9D +
.65)C
)C1
)
)
+ 8 )+
+ 8 +
+
+
+
)
9 D +
+
."651
018AEC
=
1+ 8 1+
+
)
+ 8 )+
+
+
)
+
9 D +
)
35
)A2801
=
7
Conclusion
In this paper, we have introduced the security model that contains two security no-
tions for DAA, namely user-controlled anonymity and user-controlled traceability.
And then by making use of 2PC protocol and complexity assumptions, we have also
presented a new approach to construct a DAA scheme, which requires lower compu-
tational cost and less length of signature than other existing DAA schemes. Finally,
we have proved the security of the new DAA scheme under the security notions.
