Cryptography Reference
In-Depth Information
Definition 1.
The
correctness predicate
of a group signature scheme, denoted
E
GSS
corr
, is verified for a user
i
andamessage
m
if and only if the following
conditions are verified:
∧
Open
(
rsk, Tab,m,
Sign
(
gsk
[
i
]
,m
)) = (
i, τ
)
∧
Judge
(
Tab,m,
Sign
(
gsk
[
i
]
,m
)
,i,τ
)=1
Verif
(
m,
Sign
(
gsk
[
i
]
,m
)) = 1
GSS
We denote
corr
(
i, m
)=1
if this predicate is true, and 0 otherwise.
A cooperative scheme ensures the
correctness
property if there exists a negli-
gible function
(
λ
)
such that:
E
GSS
corr
(
i, m
)=0]
<
(
λ
)
Remark 1.
In case the intermediary is “behind” the signer and has no link with
the verifier, it is possible to define a strong cooperative completeness where
the intermediary can be corrupted. Since this is not the practical case we are
studying, we will not consider it.
∀
(
i, m
):
Pr
[
E
We say that a protocol is the
cooperative version
of another one (called the
standard one) if their outputs are constructed identically. Then, a cooperative
version of a protocol ensures the correctness property if the standard is also
correct in the BSZ model [2].
3.3 Adaptation of the Anonymity
From the anonymity point of view, it is possible to assume that the signer and
the intermediary live in a personal environment. In fact, as the intermediary
can most of the time recognize the signer by some other means, allowing it to
know the user identity does not introduce a threat. In this case, the cooperative
scheme should only verifies the “standard” anonymity property. More precisely,
if the initial group signature scheme provides anonymity (in the BSZ sense),
then a cooperative version necessarily verifies this “weak” anonymity property.
By doing this assumption, it is generally possible to transfer more data to the
intermediary and thus to reduce the signer's complexity by a better factor.
Definition 2 (Anonymity Property).
A cooperative scheme ensures the
ano-
nymity
property if there exists a negligible function
(
λ
)
such that:
1
b
=0
1
b
=1
−
Pr
A
Pr
A
(
gmsk
)
→
(
gmsk
)
→
<
(
λ
)
A
O
CreateU
,
O
AddU
,
O
SJoin
,
for any polynomial adversary
, who have access to
O
UJoin
,
O
CrptU
,
O
Reveal
,
O
SignU
,
O
Open
and
O
Choose
b
.
Remark 2.
In some cases, being unlinkable
w.r.t.
the intermediary is a really
important issue and needs to be studied. For the completeness of the model,
it is consequently possible to provide a stronger definition for the coopera-
tive anonymity property. The adversary is thus additionally given access to the
O
PartialSign
oracle in the above experiment.
Search WWH ::
Custom Search