random oracle model as in the original paper [14]. First of all, we prove that
our cooperative protocol perfectly realizes a XS group signature, and thus that
it verifies the correctness property.
Theorem 1. The Coop-XSGS protocol ensures the Correctness property.
Proof. Recall that for this property we assume that the intermediary behaves
honestly and executes his part of the protocol perfectly. We remark
that only the signature of knowledge U slightly deviates from the standard one
and we need to verify its correctness. More precisely, the deviation is on the $P_6$
value. Based on the pairing property (see Section A.1) it is obvious that:
$$\begin{aligned}
P_6 &= e(T_3, G_2)^{r_x}\, e(Rpk_1, GMpk)^{(r_{\alpha_1} + r_{\beta_1})}\, e(P_6, G_2) \\
    &= e(T_3, G_2)^{r_x}\, e(Rpk_1, GMpk)^{(r_{\alpha_1} + r_{\beta_1})}\, e(Rpk_1, G_2)^{r_z}
\end{aligned}$$
Thus, the whole group signature is computed identically as in the standard
protocol. Consequently, the cooperative protocol is correct.
Theorem 2. The Coop-XSGS protocol ensures the Anonymity property.
Proof. As explained in Section 3.3 and since the scheme ensures correctness, the
proposed cooperative scheme ensures the anonymity.
Theorem 3. The Coop-XSGS protocol ensures the Traceability property.
Proof. This proof is obvious since the adversary has no more information than
the adversary in the standard model. Indeed, this property is verified even when
the adversary represents a collusion of members (thus knowing their group
secret keys and certificates). Thus, the cooperative version of the XSGS protocol
trivially verifies the traceability property.
Theorem 4. The Coop-XSGS protocol ensures the Non-Frameability property.
Proof. In the original proof (see proof of Theorem 11 in [14]), the authors use the
“unforgeability techniques” to retrieve the certificate and the group secret key
used in a signature output by an adversary. Thus, they build an algorithm
which interacts with this adversary in order to break the discrete logarithm
either in $G_1$ or in $G_2$ (depending on the retrieved group secret key). This proof
only works if the adversary does not know the group secret key of the targeted
user. As the Join procedure does not leak any information about it, their proof
is correct. For the cooperative protocol, this proof can also be applied if we prove
that an active adversary cannot learn any information about this secret key.
For this purpose, we first highlight the fact that the protocol between the
constrained device and the intermediary can be interpreted as a Schnorr protocol
(see [33] for further details) which has been proven to be a zero-knowledge
proof of knowledge. As a consequence, the values $P_6$ and $s_z$ do not reveal any
information about $gsk$. It is next obvious that the intermediary has no information
about the value $r_z$ under the discrete logarithm assumption. Consequently,
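The Schnorr argument used in this proof can be checked concretely. The following is an added example, not code from the paper: a Schnorr round over a toy prime-order subgroup, the honest-verifier simulator that yields accepting transcripts without the secret, and the reason the nonce must stay hidden. The group parameters and all function names are assumptions; the commitment and response only stand in for the pair ($P_6$, $s_z$), since the exact Coop-XSGS message formulas are not given on this page.

```python
import secrets

# Constructed toy parameters (far too small for real use): P = 2*Q + 1,
# and G = 4 generates the subgroup of prime order Q in Z_P^*.
P, Q, G = 2039, 1019, 4

def keygen():
    """Secret x (stand-in for the hidden key share) and public y = G^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def commit():
    """Prover's nonce r (stand-in for r_z) and commitment t = G^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def respond(x, r, c):
    """Response s = r + c*x mod Q (stand-in for s_z)."""
    return (r + c * x) % Q

def verify(y, t, c, s):
    """Verifier's check: G^s == t * y^c mod P."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def honest_transcript(x):
    """Transcript produced by a prover who knows x."""
    r, t = commit()
    c = secrets.randbelow(Q)
    return t, c, respond(x, r, c)

def simulate_transcript(y):
    """Accepting transcript built from the public key only: choose c and s
    first, then solve for t = G^s * y^(-c). It is distributed like an honest
    one, which is why (t, s) carries no information about x."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -c, P)) % P
    return t, c, s

def recover_secret_if_nonce_known(s, r, c):
    """If the nonce r leaked, x = (s - r) / c mod Q. This is why the proof
    needs the intermediary to learn nothing about r_z."""
    return ((s - r) * pow(c, -1, Q)) % Q

if __name__ == "__main__":
    x, y = keygen()
    print("honest transcript verifies:   ", verify(y, *honest_transcript(x)))
    print("simulated transcript verifies:", verify(y, *simulate_transcript(y)))
```
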
 