4.1 Protocol Description
To obtain the best possible gain in terms of efficiency, we adapt the XSGS
protocol such that the user will not be anonymous for the intermediary. However,
we will prove that all the other security properties remain. Thus, at the
beginning of a signature protocol, the user transmits its certificate $(A, x)$,
which is part of its group secret key (see Appendix A for details), to the
intermediary, which will perform all the computations related to this
certificate. The user keeps his group secret key secret and computes all values
based on it. The resulting cooperative version of the protocol is described in
Figure 1. The efficiency gain from the user's point of view is huge, as there
only remains one point multiplication to compute instead of one pairing, 13
point multiplications and 2 modular exponentiations in the DLIN based XSGS
protocol. In this section we use notations introduced in Section 2 and
Appendix A. In a nutshell, a group member owns a group secret key $gsk$ and a
certificate $(A, x)$ obtained during the Join protocol. The revocation manager
has two key pairs $(rsk_1, Rpk_1)$, $(rsk_2, Rpk_2)$. The group public key is
denoted $GMpk$. Finally, $(q, G_1, G_2, G_T, e, \psi)$ is a bilinear environment
(see Appendix A.1) and $H$ denotes a cryptographically secure hash function.
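User $U$:
  $r_z \in_R \mathbb{Z}_q$
  $P_6 = r_z.Rpk_1$

$U \rightarrow I$: $A, x, P_6$

Intermediary $I$:
  $\alpha_1, \beta_1, \alpha_2, \beta_2 \in_R \mathbb{Z}_q$
  $T_1 = \alpha_1.G$; $T_2 = \beta_1.G$; $T_3 = A + (\alpha_1 + \beta_1).Rpk_1$;
  $T_4 = \alpha_2.G$; $T_5 = \beta_2.G$; $T_6 = A + (\alpha_2 + \beta_2).Rpk_2$
  $r_{\alpha_1}, r_{\beta_1}, r_{\alpha_2}, r_{\beta_2}, r_x \in_R \mathbb{Z}_q$
  $P_1 = r_{\alpha_1}.G$; $P_2 = r_{\beta_1}.G$; $P_3 = r_{\alpha_2}.G$; $P_4 = r_{\beta_2}.G$;
  $P_5 = (r_{\alpha_1} + r_{\beta_1}).Rpk_1 \;\; (r_{\alpha_2} + r_{\beta_2}).Rpk_2$;
  $P_6 = e(T_3, G_2)^{r_x} \, e(Rpk_1, GMpk)^{(r_{\alpha_2} + r_{\beta_2})} \, e(P_6, G_2)$
  $z = (\alpha_1 + \beta_1)x$;
  $c = H(m, T_1, T_2, T_3, T_4, T_5, T_6, P_1, P_2, P_3, P_4, P_5, P_6)$

$I \rightarrow U$: $z, c$

User $U$:
  $z = z + gsk$
  $s_z = r_z + c.z$

$U \rightarrow I$: $s_z$

Intermediary $I$:
  $s_{\alpha_1} = r_{\alpha_1} + c.\alpha_1 \pmod{q}$; $s_{\beta_1} = r_{\beta_1} + c.\beta_1 \pmod{q}$;
  $s_{\alpha_2} = r_{\alpha_2} + c.\alpha_2 \pmod{q}$; $s_{\beta_2} = r_{\beta_2} + c.\beta_2 \pmod{q}$;
  $s_x = r_x + c.x \pmod{q}$
  $U = (c, s_{\alpha_1}, s_{\beta_1}, s_{\alpha_2}, s_{\beta_2}, s_x, s_z)$
  $\sigma = (U, T_1, T_2, T_3, T_4, T_5, T_6)$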
Fig. 1. Sign procedure of the cooperative XSGS Protocol
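The user's side of Figure 1 (one commitment, then one response that mixes in the group secret key) can be traced in isolation. The following is an added example, not code from the paper: it models only the $s_z$ exchange, replaces the pairing group with a toy Schnorr group, and the names `User`, `Intermediary`, `run_session` and `z_part` are hypothetical.

```python
# Added illustration (not from the paper): only the s_z part of the exchange.
# Assumption: a toy Schnorr group mod P stands in for the pairing group, so
# the page's point multiplication r.Rpk1 becomes pow(rpk1, r, P).
import hashlib
import secrets

P, Q, G = 2039, 1019, 4   # constructed toy parameters: P = 2Q + 1, G has order Q

def H(*parts):
    """Hash to Z_Q; stands in for the page's hash function H."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

class User:
    def __init__(self, gsk):
        self._gsk = gsk      # group secret key: never sent to the intermediary
        self._r_z = None
    def commit(self, rpk1):
        self._r_z = secrets.randbelow(Q)
        return pow(rpk1, self._r_z, P)   # the user's single "point multiplication"
    def respond(self, z_part, c):
        if self._r_z is None:
            raise RuntimeError("commit() must produce a fresh r_z first")
        z = (z_part + self._gsk) % Q     # the step "z = z + gsk" in Fig. 1
        s_z = (self._r_z + c * z) % Q
        self._r_z = None   # one use only: a repeated r_z would expose gsk
        return s_z

class Intermediary:
    def __init__(self, x):
        self.x = x           # certificate part x, received from the user
    def challenge(self, m, commitment):
        a1, b1 = secrets.randbelow(Q), secrets.randbelow(Q)
        z_part = (a1 + b1) * self.x % Q  # (alpha_1 + beta_1) x
        # The real challenge hashes m, T1..T6 and P1..P6; only the user's
        # commitment is modelled here.
        return z_part, H(m, commitment)

def run_session(m, gsk, x, rpk1):
    """Run one exchange; return (Schnorr check passed, s_z)."""
    user, inter = User(gsk), Intermediary(x)
    commitment = user.commit(rpk1)
    z_part, c = inter.challenge(m, commitment)
    s_z = user.respond(z_part, c)
    # Schnorr relation for this part alone (not the full XSGS verification):
    # rpk1^s_z == commitment * (rpk1^z)^c, with z = z_part + gsk.
    z_pub = pow(rpk1, (z_part + gsk) % Q, P)
    return pow(rpk1, s_z, P) == commitment * pow(z_pub, c, P) % P, s_z
```

The intermediary sees only the commitment, its own share of $z$ and $s_z$; the fresh $r_z$ is what keeps $gsk$ hidden in $s_z$, which is why `respond` discards it after one use.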
4.2 Security Analysis
Intuitively, the transmission of the certificate does not introduce any security
flaw since both Traceability and Non-Frameability assume that even the
group manager cannot break these properties. As this entity knows all users'
certificates, it should also be hard for an active adversary to break them.
Nevertheless, we will formally prove these results. Note that our proofs are in the