Group Signatures are Suitable for Constrained Devices - Information Security and Cryptology-ICISC 2010

Cryptography Reference

In-Depth Information

3.4 Adaptation of the Traceability

Concerning the two remaining security properties, it is necessary to give access to

the adversary the

O PartialSign ( i,m ) oracle in the cooperative versions of the related

experiments.

Definition 3 (Traceability Property). The traceability predicate of a group

signature scheme, denoted

GSS

trac

, is verified for ( m, σ ) if and only if the following

conditions are verified:

Open ( m, σ, rsk )= ⊥∨

Open ( m, σ, rsk )=( Upk,τ )

Verif ( m, σ )=1 ∧

∧ Judge ( σ, m, τ, Upk )=

⊥

trac ( m, σ )=1 if this predicate is true, and 0 otherwise.

A cooperative scheme ensures the traceability property if there exists a negli-

gible function ( λ ) such that for any polynomial adversary A , who have access

to O

GSS

We denote

CreateU , O

AddU , O

SJoin , O

UJoin , O

CrptU , O

Reveal , O

SignU , O

Open , O

PartialSign :

trac ( m, σ )=1 < ( λ ) .

GSS

( gmsk )

→

( m, σ ):

Note that the traceability predicate is verified even when the user, which possess

Upk , is corrupted, as in the standard security definition [2].

3.5 Adaptation of the Non-frameability

We next study the non-frameability property, for which we introduce a list Set

which contains all valid signatures outputted during the experiment (i.e. realized

by the

O SignU oracle).

Definition 4 (Non-Frameability Property). The non-frameability predicate

of a group signature scheme, denoted

NonFra , is verified for ( m, σ ) if and only if

the following conditions are verified, where ( Upk i ,τ )= Open ( m, σ, rsk, Tab ) :

Verif ( m, σ )=1

GSS

∧

( m, σ, i ) /

∈ Set ∧

∈HU∧ Judge ( m, σ, τ, Upk i , Tab )=1 .

GSS

We denote

NonFra ( m, σ )=1 if this predicate is true, and 0 otherwise.

A cooperative scheme ensures the non-frameability property if there exists a

negligible function ( λ ) such that for any polynomial adversary

, who have

AddU ,

CrptU ,

Reveal ,

SignU ,

Open ,

PartialSign :

access to

NonFra ( m, σ )=1 < ( λ ) .

GSS

( gmsk, rsk )

→

( m, σ ):

4 The Cooperative Version of XSGS

Our aim is now to adapt the XSGS protocol [14] (described in Appendix A) in

a secure cooperative manner such that it can be embedded in a RFID tag. For

this reason, we consider that the tag is not anonymous w.r.t. the reader. We

thus describe a cooperative version of the XSGS scheme and prove its security.

Information Security and Cryptology-ICISC 2010

Search WWH ::

Custom Search

Home