Cryptography Reference
In-Depth Information
3.4 Adaptation of the Traceability
Concerning the two remaining security properties, it is necessary to give access to
the adversary the
O
PartialSign
(
i,m
)
oracle in the cooperative versions of the related
experiments.
Definition 3 (Traceability Property).
The
traceability predicate
of a group
signature scheme, denoted
GSS
trac
E
, is verified for
(
m, σ
)
if and only if the following
conditions are verified:
Open
(
m, σ, rsk
)=
⊥∨
Open
(
m, σ, rsk
)=(
Upk,τ
)
Verif
(
m, σ
)=1
∧
∧
Judge
(
σ, m, τ, Upk
)=
⊥
trac
(
m, σ
)=1
if this predicate is true, and
0
otherwise.
A cooperative scheme ensures the
traceability
property if there exists a negli-
gible function
(
λ
)
such that for any polynomial adversary
A
, who have access
to
O
E
GSS
We denote
CreateU
,
O
AddU
,
O
SJoin
,
O
UJoin
,
O
CrptU
,
O
Reveal
,
O
SignU
,
O
Open
,
O
PartialSign
:
Pr
trac
(
m, σ
)=1
<
(
λ
)
.
GSS
A
(
gmsk
)
→
(
m, σ
):
E
Note that the traceability predicate is verified even when the user, which possess
Upk
, is corrupted, as in the standard security definition [2].
3.5 Adaptation of the Non-frameability
We next study the non-frameability property, for which we introduce a list
Set
which contains all valid signatures outputted during the experiment (i.e. realized
by the
O
SignU
oracle).
Definition 4 (Non-Frameability Property).
The
non-frameability predicate
of a group signature scheme, denoted
NonFra
, is verified for
(
m, σ
)
if and only if
the following conditions are verified, where
(
Upk
i
,τ
)=
Open
(
m, σ, rsk, Tab
)
:
Verif
(
m, σ
)=1
E
GSS
∧
(
m, σ, i
)
/
∈ Set ∧
i
∈HU∧
Judge
(
m, σ, τ, Upk
i
, Tab
)=1
.
GSS
We denote
NonFra
(
m, σ
)=1
if this predicate is true, and
0
otherwise.
A cooperative scheme ensures the
non-frameability
property if there exists a
negligible function
(
λ
)
such that for any polynomial adversary
E
A
, who have
AddU
,
CrptU
,
Reveal
,
SignU
,
Open
,
PartialSign
:
access to
O
O
O
O
O
O
Pr
NonFra
(
m, σ
)=1
<
(
λ
)
.
GSS
A
(
gmsk, rsk
)
→
(
m, σ
):
E
4 The Cooperative Version of XSGS
Our aim is now to adapt the XSGS protocol [14] (described in Appendix A) in
a secure cooperative manner such that it can be embedded in a RFID tag. For
this reason, we consider that the tag is not anonymous w.r.t. the reader. We
thus describe a cooperative version of the XSGS scheme and prove its security.
Search WWH ::
Custom Search