Cryptography Reference
In-Depth Information
• the secret key $\mathsf{gmsk} \in_R \mathbb{Z}_q$ of the group manager $\mathcal{GM}$ and the associated public key $\mathsf{GMpk} = \mathsf{gmsk}.G_2$;
• the parameters of Paillier's encryption scheme [32] for ExtCommit;
The public parameters of the system are $PP = \{\lambda, q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, \psi, G_1, G_2, G, G, \mathsf{GMpk}, \mathsf{Rpk}_1, \mathsf{Rpk}_2\}$.
- UserKeyGen($1^\lambda$): before a user, denoted $\mathcal{U}_i$, can join a group, he has to be registered in a PKI. This procedure ensures the unlinkability and the non-repudiation of the system. At the end of this procedure, the user obtains a key pair ($\mathsf{usk}_i$, $\mathsf{Upk}_i$). The value $\mathsf{Upk}_i$ is added to a table $\mathsf{UPK}$, which is assumed to be public.
- Join[($\mathsf{UPK}$, $\mathsf{gmsk}$)]: this interactive protocol between a user $\mathcal{U}_i$ and the group manager results in the new user joining the group. Consequently, the user obtains a group certificate $\mathsf{cert}_i = (A_i, x_i)$ and his group secret key $\mathsf{gsk}_i$. The group manager adds an entry ($\mathsf{Upk}_i$, $A_i$, $x_i$, $S$) in Tab, where $S$ is a signature of $A_i$ made by the user $\mathcal{U}_i$ with his secret key $\mathsf{usk}_i$. This interactive protocol is presented in Figure 2, where ExtCommit is an extractable commitment done with Paillier's encryption scheme [32].
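$\mathcal{U}_i(\mathsf{usk}_i, \mathsf{Upk}_i) \leftrightarrow \mathcal{GM}$

$\mathcal{U}_i$: $\mathsf{gsk}_i \in_R \mathbb{Z}_q$; $C = \mathsf{gsk}_i.\mathsf{Rpk}_1$; $c = \mathrm{ExtCommit}(\mathsf{gsk}_i)$; $U = \mathrm{SoK}(\mathsf{gsk}_i : C = \mathsf{gsk}_i.\mathsf{Rpk}_1 \wedge c = \mathrm{ExtCommit}(\mathsf{gsk}_i))$

$\mathcal{U}_i \rightarrow \mathcal{GM}$: $c, C, U$

$\mathcal{GM}$: Checks $U$ and $C \in \mathbb{G}_1$; $x_i \in_R \mathbb{Z}_q$; $A_i := \frac{1}{\mathsf{gmsk} + x_i}.(G_1 + C)$; $B := e(G_1 + C, G_2)/e(A_i, \mathsf{GMpk})$; $D := e(A_i, G_2)$; $V = \mathrm{SoK}(\alpha : B = \alpha.D)$

$\mathcal{GM} \rightarrow \mathcal{U}_i$: $A_i, V$

$\mathcal{U}_i$: $B := e(G_1 + C, G_2)/e(A_i, \mathsf{GMpk})$; $D := e(A_i, G_2)$; Checks $V$ and $A_i \in \mathbb{G}_1$; $S = \mathrm{PkiSign}(\mathsf{usk}_i, A_i)$

$\mathcal{U}_i \rightarrow \mathcal{GM}$: $S$

$\mathcal{GM}$: $\mathrm{Verif}(S, \mathsf{Upk}_i, A_i)$; Adds ($\mathsf{Upk}_i$, $A_i$, $x_i$, $S$) in Tab

$\mathcal{GM} \rightarrow \mathcal{U}_i$: $x_i$

$\mathcal{U}_i$: Checks if $(x_i + \mathsf{gmsk}).A_i = G_1 + \mathsf{gsk}_i.\mathsf{Rpk}_1$ with:

$$e(A_i, G_2)^{x_i} \, e(A_i, \mathsf{GMpk}) \, e(\mathsf{Rpk}_1, G_2)^{-\mathsf{gsk}_i} = e(G_1, G_2)$$

Fig. 2. XSGS Join protocol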
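The following derivation is added here and is not part of the original text. It shows why the user's final pairing check in Figure 2 tests $(x_i + \mathsf{gmsk}).A_i = G_1 + \mathsf{gsk}_i.\mathsf{Rpk}_1$ using only public values and his own $\mathsf{gsk}_i$, without learning $\mathsf{gmsk}$; the only assumption is that $e$ is bilinear and non-degenerate.

$$
\begin{aligned}
e(A_i, G_2)^{x_i}\, e(A_i, \mathsf{GMpk})
  &= e(A_i, G_2)^{x_i}\, e(A_i, \mathsf{gmsk}.G_2)
   = e(A_i, G_2)^{x_i + \mathsf{gmsk}} \\
  &= e\big((x_i + \mathsf{gmsk}).A_i,\; G_2\big) \\
  &= e(G_1 + C,\; G_2)
   \qquad \text{since } A_i = \tfrac{1}{\mathsf{gmsk} + x_i}.(G_1 + C) \\
  &= e(G_1, G_2)\; e(\mathsf{Rpk}_1, G_2)^{\mathsf{gsk}_i}
   \qquad \text{since } C = \mathsf{gsk}_i.\mathsf{Rpk}_1 .
\end{aligned}
$$

Multiplying both sides by $e(\mathsf{Rpk}_1, G_2)^{-\mathsf{gsk}_i}$ gives the equation checked by the user. The same steps give $B = e(G_1 + C, G_2)/e(A_i, \mathsf{GMpk}) = e(A_i, G_2)^{x_i}$, so the witness $\alpha$ proved in $V$ (the relation written $B = \alpha.D$ in the figure) is $x_i$.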
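- Sign($m$, $\mathsf{gsk}_i$, $\mathsf{cert}_i$): the signature of $m$ is composed of two steps
• a double linear encryption, namely, the user randomly chooses $(\alpha_1, \beta_1, \alpha_2, \beta_2) \in_R \mathbb{Z}_q$ and computes the four values

$$T_1 = \alpha_1.G; \quad T_2 = \beta_1.G; \quad T_3 = A + (\alpha_1 + \beta_1)\mathsf{Rpk}_1;$$
$$T_4 = \alpha_2.G; \quad T_5 = \beta_2.G; \quad T_6 = A + (\alpha_2 + \beta_2)\mathsf{Rpk}_2;$$

• a signature of knowledge $U$, where $z = (\alpha_1 + \beta_1).x + \mathsf{gsk}_i$:

$$
\begin{aligned}
U = \mathrm{SoK}\Big(\alpha_1, \beta_1, \alpha_2, \beta_2, x, z :\;
  & T_1 = \alpha_1.G \;\wedge\; T_2 = \beta_1.G \;\wedge\; T_4 = \alpha_2.G \;\wedge\; T_5 = \beta_2.G \\
  & \wedge\; T_3 - T_6 = (\alpha_1 + \beta_1)\mathsf{Rpk}_1 - (\alpha_2 + \beta_2)\mathsf{Rpk}_2 \\
  & \wedge\; e(T_3, G_2)^{x}\, e(\mathsf{Rpk}_1, \mathsf{GMpk})^{-(\alpha_1 + \beta_1)}\, e(\mathsf{Rpk}_1, G_2)^{-z} = \frac{e(G_1, G_2)}{e(T_3, \mathsf{GMpk})}
\Big)(m).
\end{aligned}
$$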