Add Definitions for GS

This commit is contained in:
Fabrice Mouhartem 2018-04-11 17:34:59 +02:00
parent 413cfa5bc4
commit 71f9598540
2 changed files with 470 additions and 2 deletions

444
chap-GS-background.tex Normal file
View File

@ -0,0 +1,444 @@
\chapter{Dynamic Group Signatures} \label{ch:gs-background}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique}
In this Part, we will present two constructions for dynamic group signatures.
The construction that will be explained in \cref{ch:sigmasig} is an adaptation of the Libert, Peters and Yung short group signature in the standard model from classical pairing assumptions~\cite{LPY15} into the random oracle model to gain efficiency, while keeping the assumptions simple.
This gives us a constant-size group signature scheme that is competitive with other construction based on less standard assumptions.
An implementation is available and the timing are detailed in \cref{ch:sigmasig}.
The second construction, described in \cref{ch:gs-lwe}, is a lattice-based dynamic group signature where the scheme from Ling, Nguyen and Wang~\cite{LNW15} for static groups has been improved to match requirements for dynamic groups.
This construction has been the first fully secure group signature scheme from lattices.
Before describing those scheme, let us recall in this Chapter the definition of a dynamic group signature and its related security definitions.
\section{Formal Definition and Correctness} \label{sse:gs-definitions}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction}
This section recalls the syntax and the security definitions of dynamic group signatures based on the model of Kiayias and Yung~\cite{KY06}.
A \emph{group signature} allows a group member to
attest that a message was provided by a member of a \emph{group} without being
altered during the process and preserving the \emph{anonymity} of the users.
This primitive was introduced by Bellare, Micciancio and Warinschi~\cite{BMW03}
in 2003 and was extended to dynamic groups by Bellare, Shi and Zhang
({BSZ}) in 2005~\cite{BSZ05}.
\begin{figure}
\centering
\begin{tikzpicture}
\node (GM) {Group manager};
\node[right=of GM] (User) {User $i$};
\node[right=of User] (OA) {Opening Authority};
\node[below=of User] (M) {$\sigma$, M};
\node[right=of M] (Other) {Anyone};
\node[above=of User] (Setup) {Trusted Setup};
\draw[<->, thick] (GM) -- node[anchor=south] {\textsf{Join}} node[anchor=north] {$\crt_i$} (User);
\draw[->, thick] (User) -- node[anchor=north east] {$\Sign$} (M);
\draw[<-, thick] (Other) -- node[anchor=north] {$\Verify$} (M);
\draw[<-, thick] (OA) -- node[anchor=west, yshift=-5pt] {$\Open$} (M);
\draw[->, thick, dashed] (Setup) -- node[xshift=-0.7cm] {$\mathcal S_\GM$} (GM);
\draw[->, thick, dashed] (Setup) -- node[xshift=0.7cm] {$\mathcal S_\OA$} (OA);
\end{tikzpicture}
\caption{Relations between the protagonists in a dynamic group signature
scheme}
\label{fig:relations}
\end{figure}
In the setting of \emph{dynamic groups}, the syntax of group signatures includes
an interactive protocol which allows users to register as new members of the
group at any time. The syntax and the security model are those defined by
Kiayias and Yung~\cite{KY06}.
Like the very similar {BSZ} model~\cite{BSZ05}, the Kiayias-Yung
({KY}) model assumes an interactive \emph{join} protocol whereby a
prospective user becomes a group member by interacting with the group manager.
This protocol provides the user with a membership certificate, $\crt_i$, and a
membership secret, $\scr_i$.
%\paragraph{Syntax.}
We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that the system will be able to handle.
\begin{definition}[Dynamic Group Signature]
A \emph{dynamic group signature} scheme consists of the following algorithms
or protocols.
\begin{description}
\item[\textsf{Setup}$(1^\lambda,1^{\Ngs})$:] given a security parameter $\lambda$
and a maximal number of group members $\Ngs \in \mathbb{N}$, this algorithm
is run by a trusted party to generate a group public key $\mathcal{Y}$,
the group manager's private key $\mathcal{S}_{\GM}$ and the opening
authority's private key $\mathcal{S}_{\OA}$. Each key is given to the
appropriate authority while $\mathcal{Y}$ is made public. The algorithm
also initializes a public state $St$ comprising a set data structure
$St_{\users}=\emptyset$ and a string data structure $St_{\trans}=
\epsilon$.\\
In the following, all algorithms have access to the public parameters
$\gspk$.
%
\item[\textsf{Join}:] is an \emph{interactive} protocol between the group manager
GM and a user $\mathcal{U}_i$ where the latter becomes a group member.
The protocol involves two interactive Turing machines $\join_{\user}$ and
$\join_{\GM}$ that both take $\mathcal{Y}$ as input. The execution
$\langle \join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM}) \rangle$,
ends with user $\mathcal{U}_i$ obtaining a membership secret $\scr_{i }$,
that no one else knows, and a membership certificate $\crt_{i }$. If the
protocol is successful, the group manager updates the public state $St$ by
setting $St_{\users}:=St_{\users} \cup \{ i \}$ as well as
$St_{\trans}:=St_{\trans} || \langle i ,\transcript_i \rangle$.
%
%\item[\textsf{Revoke}:] is a (possibly randomized) algorithm allowing the GM
%to generate an updated revocation list $RL_t$ for the new revocation period $t$.
%It takes as input a public key $\mathcal{Y}$ and a set $\mathcal{R}_t \subset St_{\users}$
%that identifies the users to be revoked.
%It outputs an updated revocation list $RL_t$ for period $t$.
%%
\item[\textsf{Sign($\crt_i, \scr_i, M$)}:] given
%a revocation period $t$ with its revocation list $RL_t$,
a membership certificate $\crt_{i }$, a membership secret $\scr_{i }$ and
a message $M$, this \emph{probabilistic} algorithm outputs
%$\perp$ if $i \in \mathcal{R}_t$ and
a signature $\sigma$.
%
\item[\textsf{Verify($\sigma, M$)}:] given a signature $\sigma$,
%a revocation period $t $, the corresponding revocation list $RL_t$,
a message $M$ and a group public key $\mathcal{Y}$, this
\emph{deterministic} algorithm returns either $0$ or $1$.
%
\item[\textsf{Open($\mathcal{S}_{\OA}, M, \sigma$)}:] takes as input a
message $M$, a valid signature $\sigma$ w.r.t.
$\mathcal{Y}$ %for the indicated revocation period $t$
, the opening authority's private key $\mathcal{S}_{\OA}$ and the public
state $St$.
It outputs $i \in St_{\users} \cup \{ \bot \}$, which is the identity of
a group member or a symbol indicating an opening failure.
%
\end{description}
Each membership certificate contains a unique \emph{tag} that identifies the user.
\end{definition}
The correctness requirement basically captures that, if all parties
\emph{honestly} run the protocols, all algorithms are correct with respect to
their specification described as above.
%As mentioned in section~\ref{sec:art}
The Kiayias-Yung model~\cite{KY06} considers three security notions: the security against \textit{misidentification attacks} requires that, even if the adversary
can introduce users under its control in the group, it cannot produce a signature that traces outside the set of dishonest users. The notion of security against
\textit{framing attacks} implies that honest users can never be accused of having signed messages that they did not sign, even if the whole system conspired
against them. And finally the \textit{anonymity} property is also formalized by granting the adversary access to a signature opening oracle as in the models of~\cite{BSZ05}.
\paragraph{Correctness for Dynamic Group Signatures.}
Following the Kiayias-Yung terminology \cite{KY06}, we say that a public state
$St$ is \textit{valid} if it can be reached from $St=(\emptyset,\epsilon)$ by a
Turing machine having oracle access to $\join_{\GM}$. Also, a state $St'$ is said
to \textit{extend} another state $St$ if it is within reach from $St$.
Moreover, as in \cite{KY06}, when we write
$\crt_{i}\leftrightharpoons_{\mathcal{Y}} \scr_{i}$, it means that there exists
coin tosses $\varpi$ for $\join_{\GM}$ and $\join_{user}$ such that, for some valid
public state $St'$, the execution of the interactive protocol
$[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St',\mathcal{Y},\mathcal{S}_{\GM})](\varpi)$
provides $\join_{\user}$ with $\langle i,\scr_{i },\crt_{i } \rangle$.
\begin{definition}[Correctness]
A dynamic group signature scheme is correct if the following conditions are
all
satisfied:
%
\begin{enumerate}[(1)]
%
\item In a valid state $St$, $|St_{users}|=|St_{trans}|$ always holds and
two distinct entries of $St_{trans}$ always contain certificates with
distinct tag.
%
\item If
$[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM})]$
is run by two honest parties following the protocol and
$\langle i, \crt_{i }, \scr_{i } \rangle$ is obtained by $\join_{\user}$, then
we have $\crt_{i } \leftrightharpoons_{\mathcal{Y}} \scr_{i }$.
%
\item For each %revocation period $t$ and any
$\langle i, \crt_{i }, \scr_{i } \rangle$ such that $\crt_{i }
\leftrightharpoons_{\mathcal{Y}} \scr_{i }$, satisfying condition 2, we have
$ \mathsf{Verify}\big(\mathsf{Sign}(\mathcal{Y}, \crt_{i }, \scr_{i
},M),M,\mathcal{Y}\big)=1$.
%
\item For any outcome $\langle i, \crt_{i }, \scr_{i } \rangle$ of $[\join_{\user}(.,. ),\join_{\GM}(.,St,.,. )]$ for some valid
$St$,
if $\sigma =\mathsf{Sign}(\mathcal{Y},\crt_{i }, \scr_{i},M)$, then
$\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\mathcal{Y},St')=i.$
%
\end{enumerate}
%
\end{definition}
\section{Associated Security Notions}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Notions de sécurité associées}
\subsection{Oracles for Security Experiments}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Oracles nécessaires à la définition des expériences de sécurité}
We formalize security properties via experiments where the adversary
interacts with a stateful interface $\mathcal{I}$ that maintains the following
variables:
%
\begin{itemize}
%
\item $\mathsf{state}_{\mathcal{I}}$: is a data structure representing the
state of the interface as the adversary invokes the various oracles
available in the attack games. It is initialized as
$\mathsf{state}_{\mathcal{I}}=(St,\mathcal{Y},\mathcal{S}_{\GM},
%\linebreak[4]
\mathcal{S}_{\OA}) \leftarrow \mathsf{Setup}(1^\lambda,1^\Ngs)$.
It includes the (initially empty) set $St_{users}$ of group members and a
dynamically growing database $St_{trans}$ storing the transcripts of
previously executed join protocols.
%Finally,
%$\mathsf{state}_{\mathcal{I}}$ includes a counter
%$t$ (which is initialized to $0$) indicating the number of user revocation
%queries so far.
\item $n=|St_{users}|<\Ngs$ denotes the current cardinality of the group.
%
\item $\mathsf{Sigs}$: is a database of signatures created by the signing
oracle. Each entry consists of a triple $(i,M,\sigma)$ indicating that
message $M$ was signed by user $i$.
%
\item $U^a$: is the set of users that were introduced by the adversary in the
system in an execution of the join protocol.
%
\item $U^b$: is the set of honest users that the adversary, acting as a
dishonest group manager, introduced in the system. For these users, the
adversary obtains the transcript of the join protocol but not the user's
membership secret.
%
\end{itemize}
\noindent In attack games, adversaries are granted access to the
following oracles:
\begin{itemize}
%
\item $Q_{\mathsf{pub}}$, $Q_{\mathsf{key\GM}}$ and $Q_{\mathsf{key\OA}}$: when
these oracles are invoked, the interface looks up $\mathsf{state}_{\interface}$ and
returns the group public key $\mathcal{Y}$, the GM's private key
$\mathcal{S}_{\GM}$ and the opening authority's private key
$\mathcal{S}_{\OA}$ respectively.
%
\item $Q_{\ajoin}$: allows the adversary to introduce users under its control
in the group. On behalf of the GM, the interface runs $\join_{\GM}$ in
interaction with the $\join_{\user}$-executing adversary who plays the role of
the prospective user in the join protocol. If this protocol successfully
ends, the interface increments $n$, updates $St$ by inserting the new user
$n$ in both sets $St_{users}$ and $U^a$. It also sets
$St_{\trans}:=St_{\trans} || \langle n, \transcript_n \rangle$.
%
\item $Q_{\bjoin}$: allows the adversary, acting as a corrupted group manager,
to introduce new honest group members of its choice. The interface
triggers an execution of $[\join_{\user},\join_{\GM}]$ and runs $\join_{\user}$ in
interaction with the adversary who runs $\join_{\GM}$. If the protocol
successfully completes, the interface increments $n$, adds user $n$ to
$St_{users}$ and $U^b$ and sets $St_{\trans}:=St_{\trans} || \langle n,
\transcript_n \rangle$. It stores the membership certificate $\crt_{n }$
and the membership secret $\scr_{n }$ in a \textit{private} part of
$\mathsf{state}_{\interface}$.
%
\item $Q_{\mathsf{sig}}$: given a message $M$, an index $i$, the interface
checks whether the private area of $\mathsf{state}_{\interface}$ contains a
certificate $\crt_{i }$ and a membership secret $\scr_{i }$. If no such elements $(\crt_i,\scr_i)$ exist or if $i \not\in U^b$, the
interface returns $\bot$. Otherwise, it outputs a signature $\sigma$ on
behalf of user
$i$
and also sets $\mathsf{Sigs} \leftarrow \mathsf{Sigs} || (i,M,\sigma)$.
%
\item $Q_{\mathsf{open}}$: when this oracle is invoked on input of a valid
pair $(M,\sigma)$,
the interface runs algorithm $\mathsf{Open}$ using the current state $St $.
When $S$ is a set of pairs of the form $(M,\sigma)$,
$Q_{\mathsf{open}}^{\neg S}$ denotes a restricted oracle that only applies
the opening algorithm to pairs $(M,\sigma)$ which are not in $S$.
%
\item $Q_{\mathsf{read}}$ and $Q_{\mathsf{write}}$: are used by the adversary
to read and write the content of $\mathsf{state}_{\interface}$. At each
invocation, $Q_{\mathsf{read}}$ outputs the whole $\mathsf{state}_{\interface}$ but
the public/private keys and the private part of $\mathsf{state}_{\interface}$ where
membership secrets are stored after $Q_{\bjoin}$-queries. By using
$Q_{\mathsf{write}}$, the adversary can modify $\mathsf{state}_{\interface}$ at
will as long as it does not remove or alter elements of $St_{users}$,
$St_{trans}$ or invalidate the public state $St$: for example, the adversary
is allowed to create dummy users as long as it does not re-use already
existing certificate tags.
\end{itemize}
\noindent Based on the above syntax, the
security properties are formalized as follows.
\subsection{Security Against Misidentification Attacks}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Sécurité face aux attaques par identification incorrecte}
\label{sec:RGSdefsecMisId}
\begin{figure}[H]
\centering
\procedure{Experiment $\Exp{\textrm{mis-id}}{\adv}(\lambda)$}{%
\mathsf{state}_{\interface}=(St,\mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA})
\gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\
(M^\star,\sigma^\star) \leftarrow \adv(Q_{\mathsf{pub}},Q_{\ajoin},
Q_{\mathsf{read}},Q_{\mathsf{keyOA}})\\
\pcif \mathsf{Verify}(\sigma^\star,M^\star,\mathcal{Y})=0 \pcthen\\
\pcind \pcreturn{0}\\
i =\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA}, \mathcal{Y},St')\\
\pcif i \not\in U^a \pcthen \\
\pcind\pcreturn{1}\\
\pcelse\\
\pcind \pcreturn 0
}
\caption{Experiment for security against misidentification attacks.}
\label{exp:mis-id}
\end{figure}
In a misidentification attack, the adversary can corrupt the opening authority
using the $Q_{\mathsf{keyOA}}$ oracle and introduce
malicious users in the group via $Q_{\ajoin}$-queries.
It aims at producing a valid signature $\sigma^\star$ that does not open to any
adversarially-controlled user.
\begin{definition} \label{def:mis-id}
A dynamic group signature scheme is secure against \emph{misidentification
attacks} if, for any $\ppt$ adversary $\adv$ involved in Experiment~$\Exp{\textrm{mis-id}}{\adv}(\lambda)$
described in Figure~\ref{exp:mis-id}, we have:
\[\advantage{\adv}{\mathrm{mis}\textrm{-}\mathrm{id}}(\lambda) \triangleq
\Proba{\,\Exp{\mathrm{mis}\textrm{-}\mathrm{id}}{\adv}(\lambda)=1} =
\negl[\lambda].\]
\end{definition}
\subsection{Non-Frameability}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Sécurité face aux attaques ciblées}
\label{sec:RGSdefsecMonFrame}
\begin{figure}[H]
\centering
\procedure{Experiment $\Exp{\mathrm{fra}}{\adv}(\lambda)$}{%
\mathsf{state}_{\interface}=(St,\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA})
\gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\
(M^\star,\sigma^\star)
\gets \adv(Q_{\mathsf{pub}},Q_{\mathsf{key}\GM},
Q_{\mathsf{key}\OA}, Q_{\bjoin},%Q_{\mathsf{revoke}},
Q_{\mathsf{sig}}, Q_{\mathsf{read}}, Q_{\mathsf{write}}) \\
\pcif \mathsf{Verify}(\sigma^\star,M^\star,\mathcal{Y})=0 \pcthen\\
\pcind \pcreturn 0 \\
\pcif i=\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA},
\mathcal{Y},St') \not \in U^b \pcthen\\
\pcind \pcreturn 0\\
\pcif
\bigwedge_{j \in U^b \textrm{ s.t. } j=i~} (j,M^\star,\ast)
\not\in \mathsf{Sigs} \pcthen \\
\pcind \pcreturn 1\\
\pcelse \\
\pcind\pcreturn 0
}
\caption{Experiment for security against framing attacks.} \label{exp:frame}
\end{figure}
Framing attacks consider the situation where the entire system is colluding against some honest user.
The adversary can corrupt the group manager as well as the opening authority
(via oracles $Q_{\mathsf{key}\GM}$ and $Q_{\mathsf{key}\OA}$, respectively).
It can also introduce honest group members (via
$Q_{\bjoin}$-queries), observe the system while these users sign messages and
create dummy users using $Q_{\mathsf{write}}$. %In addition, before the
%possible corruption of the group manager, the adversary can revoke
%group members at any time by invoking the $Q_{\mathsf{revoke}}$
%oracle. As a potentially corrupted group manager, $\A$ is allowed to
%come up with his/her own revocation list $RL_{t^\star}$ at the end of the game.
%We assume that anyone can publicly verify that $RL_{t^\star}$ is
%correctly formed ({\it i.e.}, that it could be a legitimate output of
%$\mathsf{Revoke}$) so that the adversary does not come up with
%an ill-formed revocation list.
%For consistency, if $\A$ chooses not to corrupt the GM, the produced
%revocation list $RL_{t^\star}$ must be the one determined by the history
%of $Q_{\mathsf{revoke}}$-queries.
The adversary eventually aims at framing an honest group member.
\begin{definition} \label{def:frame}
%
A dynamic group signature scheme is secure against \emph{framing attacks} if,
for any $\ppt$ adversary $\adv$ involved in the experiment~$\Exp{\mathrm{fra}}{\adv}(\lambda)$ described Figure~\ref{exp:frame}), it holds that
\[ \advantage{\adv}{\mathrm{fra}}(\lambda)=\Proba{\Exp{\mathrm{fra}}{\adv}(\lambda)=1} \in \negl[\lambda]. \]
%
\end{definition}
\subsection{Full Anonymity}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Anonymat complet}
\label{sec:RGSdefsecAnon}
\begin{figure}[H]
\centering
\procedure{Experiment $\Exp{\textrm{anon}}{\adv,d}(\lambda)$}{
\mathsf{state}_{\interface}=(St,\mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA})
\gets \mathsf{Setup}(1^\lambda, 1^\Ngs)\\
\big(aux,M^\star,(\scr_{0}^\star,\crt_{0}^\star),
(\scr_{1}^\star,\crt_{1}^\star )\big)
\gets \adv(\mathsf{play};\, Q_{\mathsf{pub}},Q_{\mathsf{key\GM}},
%Q_{\mathsf{revoke}},
Q_{\mathsf{open}},Q_{\mathsf{read}},Q_{\mathsf{write}})\\
%\If{\neg(\crt_{b}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{b}^\star) for b\in\bit}
%{\Return \bot\\}
%\If{\crt_{0 }^\star = \crt_{1 }^\star }{\Return \bot\\}
\pcif
\neg((\crt_{0}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{0}^\star)
\wedge (\crt_{1}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{1}^\star)
\wedge (\crt_{0}^\star \neq \crt_{1 }^\star)) \pcthen\\
\pcind\pcreturn \bot\\
%Pick random d \gets \bit;
\sigma^\star \leftarrow \mathsf{Sign}(\mathcal{Y},\crt_{d}^\star,
\scr_{d}^\star,M^\star)\\
d'\leftarrow \adv(\mathsf{guess};\,\sigma^\star,aux,Q_{\mathsf{pub}},
Q_{\mathsf{key\GM}},Q_{\mathsf{open}}^{\neg \{ (M^\star, \sigma^\star)\}},
Q_{\mathsf{read}},Q_{\mathsf{write}})\\
\pcreturn d';
% \If{d'=d}{\Return 1;}
% \Return 0\;
}
\caption{Security experiments for (full-)anonymity game.} \label{exp:anon}
\end{figure}
The notion of anonymity is formalized by means of a game involving a two-stage
adversary. The first stage is called $\mathsf{play}$ stage and allows the
adversary $\adv$ to modify $\mathsf{state}_{\interface}$ via $Q_{\mathsf{write}}$-queries
and open arbitrary signatures by probing $Q_{\mathsf{open}}$. When the
$\mathsf{play}$ stage ends, $\adv$ chooses a message $M^\star$ as well as two
pairs $(\scr_{0}^\star,\crt_{0}^\star)$ and $(\scr_{1}^\star,\crt_{1}^\star )$,
consisting of a valid membership certificate and a corresponding membership
secret. Then, the challenger flips a coin $d \gets \bit$ and computes a
challenge signature $\sigma^\star$ using $(\scr_{d}^\star,\crt_{d}^\star)$. The
adversary is given $\sigma^\star$ with the task of eventually guessing the bit
$d \in \bit$. Before doing so, it is allowed further oracle queries
throughout the second stage, called \textsf{guess} stage, but is restricted not
to query $Q_{\mathsf{open}}$ for $(M^\star,\sigma^\star)$.
\begin{definition} \label{def:anon}
%
A dynamic group signature scheme is fully anonymous if, for any $\ppt$ adversary
$\adv$
in the experiment~$\Exp{\mathrm{anon}}{\adv, d}(\lambda)$ described in Figure~\ref{exp:anon}, the following distance is negligible:
\[\advantage{\adv}{\mathrm{anon}}\left( \lambda \right) \triangleq
\left| \Proba{\,\Expt_{\adv, 1}^{\mathrm{anon}}(\lambda) = 1} -\Proba{\,\Expt_{\adv, 0}^{\mathrm{anon}}(\lambda) = 1} \right|\]
%
\end{definition}
%One can wonder why the \emph{revocation} is not in the \emph{dynamic group
%signature scheme} description, the reason is only pragmatic. It is a different
%problem to build a scheme that allows to revoke a group member than a scheme
%that allows inserting a group member~\cite{DP06}, and it has to be done in a
%case-by-case fashion.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

View File

@ -51,11 +51,11 @@
\newcommand{\ROM}{\textsf{ROM}\xspace}
%% Experience/Games
\newcommand{\Exp}[2]{\ensuremath{\mathsf{Exp}^{#1}_{#2}}\xspace}
\newcommand{\Expt}{\ensuremath{\mathbf{Exp}}\xspace}
\newcommand{\advantage}[2]{\ensuremath{\mathrm{Advt}^{#1}_{#2}}\xspace}
\newcommand{\oracle}[2]{\ensuremath{\mathcal O^{\,\mathsf{#1}(\,#2\,)}_{}}\xspace}
\newcommand{\ensemble}[1]{\ensuremath{\mathcal S_{\mathsf{#1}}^{}}\xspace}
\newcommand{\Proba}[1]{\ensuremath{\Pr\left[#1\right]}\xspace}
% Operators
\newcommand{\sample}{\xspace\ensuremath{\hookleftarrow}\xspace}
@ -83,5 +83,29 @@
\newcommand{\GT}{\xspace\ensuremath{\mathbb{G}_T}\xspace}
\newcommand{\atob}[2]{\xspace\ensuremath{\{#1,\ldots,\#2\}}}
% Primitives
%% Dynamic Group Signatures
\newcommand{\crt}{\mathsf{cert}}
\newcommand{\scr}{\mathsf{sec}}
\newcommand{\usk}{\mathsf{usk}}
\newcommand{\upk}{\mathsf{upk}}
\newcommand{\Ngs}{{N_\mathsf{gs}}}
\newcommand{\gspk}{\mathcal{Y}}
\newcommand{\join}{\mathsf{J}}
\newcommand{\Sign}{\mathsf{Sign}}
\newcommand{\user}{\mathsf{user}}
\newcommand{\users}{\mathsf{users}}
\newcommand{\GM}{\mathsf{GM}}
\newcommand{\OA}{\mathsf{OA}}
\newcommand{\ok}{\mathsf{ok}}
\newcommand{\transcripts}{\mathsf{transcripts}}
\newcommand{\transcript}{\mathsf{transcript}}
\newcommand{\trace}{\mathsf{trace}}
\newcommand{\ajoin}{\mathsf{a}\textrm{-}\mathsf{join}}
\newcommand{\bjoin}{\mathsf{b}\textrm{-}\mathsf{join}}
\newcommand{\pjoin}{\mathsf{p}\textrm{-}\mathsf{join}}
\newcommand{\interface}{\mathcal{I}}
% Other
\newcommand{\TODO}{\textbf{\textcolor{red}{TODO}}}