Cryptography Reference
In-Depth Information
production of the group signature. The group member is here the constrained
device, while the role of the intermediary is played by a more powerful entity, e.g.
a personal computer. Note that the cooperative system also requires verifiers,
which have the same role as in standard group signatures. The problem on
which we focus is that the intermediary may have some more knowledge that is
traditionally not available for the adversary. We thus give all the assumptions
about the intermediary and we next adapt the security properties of a group
signature scheme in this context. This work has not been totally done in [27,6].
3.1 Concept and Assumptions
We first assume that the intermediary does not know any secret information and
thus, at the beginning of a protocol, the signer may transfer some data to the
intermediary in order to decrease its computation complexity. Consequently, an
adversary may obtain more information to break the security of the scheme, e.g.
by eavesdropping. It is thus obvious that we must model all her new abilities.
In the cooperative setting, the “standard” adversary (meaning the adversary
of the original group signature scheme) can be improved in three different man-
ners. Firstly, the adversary can obtain from the intermediary all data that have
been sent by the device. Secondly, she can eavesdrop all communications during
a signature protocol (at least the shared data but potentially more information).
Finally, she can impersonate the intermediary, and thus obtain all the exchanged
information. Moreover, she can learn all the choices made by the intermediary
during the protocol (e.g. random values). It is clear that the last adversary is
more powerful than the two others. Consequently, we only formally model this
one in the cooperative setting and thus introduce the new following oracle.
O
PartialSign
(
i,m
)
: this oracle simulates for the adversary the behaviour of the
user
i
realizing the cooperative signature of a message
m
. Several exchanges
between the oracle and the adversary can be done as it simulates a real coop-
erative protocol execution between a constrained device and the adversary
playing the role of the intermediary.
-
Based on this new adversary's ability, we must adapt the security properties of
group signature schemes to the cooperative setting, based on the formal model
of Bellare et al. [2].
3.2 Adaptation of the Correctness
The first security property concerns the correctness and focus on the signature,
the opening and the judge verification. In our cooperative context, we decide
that the intermediary realizes the connection with the “outside world”. Thus, if
it decides to send a false signature, the signer cannot do anything to rectify this.
Consequently, it seems impossible to ensure such correctness when the adversary
can actively participate during the experiment. Nevertheless, the cooperative
protocol should at least ensure the “standard” correctness property.
Search WWH ::
Custom Search