From 71f959854097f472b25804fb0da9e2bcbdaad06d Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Wed, 11 Apr 2018 17:34:59 +0200 Subject: [PATCH] Add Definitions for GS --- chap-GS-background.tex | 444 +++++++++++++++++++++++++++++++++++++++++ macros.tex | 28 ++- 2 files changed, 470 insertions(+), 2 deletions(-) create mode 100644 chap-GS-background.tex diff --git a/chap-GS-background.tex b/chap-GS-background.tex new file mode 100644 index 0000000..92c92ef --- /dev/null +++ b/chap-GS-background.tex @@ -0,0 +1,444 @@ +\chapter{Dynamic Group Signatures} \label{ch:gs-background} +\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique} + +In this Part, we will present two constructions for dynamic group signatures. +The construction that will be explained in \cref{ch:sigmasig} is an adaptation of the Libert, Peters and Yung short group signature in the standard model from classical pairing assumptions~\cite{LPY15} into the random oracle model to gain efficiency, while keeping the assumptions simple. +This gives us a constant-size group signature scheme that is competitive with other construction based on less standard assumptions. +An implementation is available and the timing are detailed in \cref{ch:sigmasig}. + +The second construction, described in \cref{ch:gs-lwe}, is a lattice-based dynamic group signature where the scheme from Ling, Nguyen and Wang~\cite{LNW15} for static groups has been improved to match requirements for dynamic groups. +This construction has been the first fully secure group signature scheme from lattices. + +Before describing those scheme, let us recall in this Chapter the definition of a dynamic group signature and its related security definitions. + +\section{Formal Definition and Correctness} \label{sse:gs-definitions} +\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction} + +This section recalls the syntax and the security definitions of dynamic group signatures based on the model of Kiayias and Yung~\cite{KY06}. + +A \emph{group signature} allows a group member to +attest that a message was provided by a member of a \emph{group} without being +altered during the process and preserving the \emph{anonymity} of the users. +This primitive was introduced by Bellare, Micciancio and Warinschi~\cite{BMW03} +in 2003 and was extended to dynamic groups by Bellare, Shi and Zhang +({BSZ}) in 2005~\cite{BSZ05}. + + +\begin{figure} + \centering + \begin{tikzpicture} + \node (GM) {Group manager}; + \node[right=of GM] (User) {User $i$}; + \node[right=of User] (OA) {Opening Authority}; + \node[below=of User] (M) {$\sigma$, M}; + \node[right=of M] (Other) {Anyone}; + \node[above=of User] (Setup) {Trusted Setup}; + + \draw[<->, thick] (GM) -- node[anchor=south] {\textsf{Join}} node[anchor=north] {$\crt_i$} (User); + \draw[->, thick] (User) -- node[anchor=north east] {$\Sign$} (M); + \draw[<-, thick] (Other) -- node[anchor=north] {$\Verify$} (M); + \draw[<-, thick] (OA) -- node[anchor=west, yshift=-5pt] {$\Open$} (M); + \draw[->, thick, dashed] (Setup) -- node[xshift=-0.7cm] {$\mathcal S_\GM$} (GM); + \draw[->, thick, dashed] (Setup) -- node[xshift=0.7cm] {$\mathcal S_\OA$} (OA); + \end{tikzpicture} + \caption{Relations between the protagonists in a dynamic group signature + scheme} + \label{fig:relations} +\end{figure} + +In the setting of \emph{dynamic groups}, the syntax of group signatures includes +an interactive protocol which allows users to register as new members of the +group at any time. The syntax and the security model are those defined by +Kiayias and Yung~\cite{KY06}. +Like the very similar {BSZ} model~\cite{BSZ05}, the Kiayias-Yung +({KY}) model assumes an interactive \emph{join} protocol whereby a +prospective user becomes a group member by interacting with the group manager. +This protocol provides the user with a membership certificate, $\crt_i$, and a +membership secret, $\scr_i$. + +%\paragraph{Syntax.} +We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that the system will be able to handle. +\begin{definition}[Dynamic Group Signature] + A \emph{dynamic group signature} scheme consists of the following algorithms + or protocols. + + \begin{description} + \item[\textsf{Setup}$(1^\lambda,1^{\Ngs})$:] given a security parameter $\lambda$ + and a maximal number of group members $\Ngs \in \mathbb{N}$, this algorithm + is run by a trusted party to generate a group public key $\mathcal{Y}$, + the group manager's private key $\mathcal{S}_{\GM}$ and the opening + authority's private key $\mathcal{S}_{\OA}$. Each key is given to the + appropriate authority while $\mathcal{Y}$ is made public. The algorithm + also initializes a public state $St$ comprising a set data structure + $St_{\users}=\emptyset$ and a string data structure $St_{\trans}= + \epsilon$.\\ + In the following, all algorithms have access to the public parameters + $\gspk$. +% + \item[\textsf{Join}:] is an \emph{interactive} protocol between the group manager + GM and a user $\mathcal{U}_i$ where the latter becomes a group member. + The protocol involves two interactive Turing machines $\join_{\user}$ and + $\join_{\GM}$ that both take $\mathcal{Y}$ as input. The execution + $\langle \join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM}) \rangle$, + ends with user $\mathcal{U}_i$ obtaining a membership secret $\scr_{i }$, + that no one else knows, and a membership certificate $\crt_{i }$. If the + protocol is successful, the group manager updates the public state $St$ by + setting $St_{\users}:=St_{\users} \cup \{ i \}$ as well as + $St_{\trans}:=St_{\trans} || \langle i ,\transcript_i \rangle$. +% +%\item[\textsf{Revoke}:] is a (possibly randomized) algorithm allowing the GM +%to generate an updated revocation list $RL_t$ for the new revocation period $t$. +%It takes as input a public key $\mathcal{Y}$ and a set $\mathcal{R}_t \subset St_{\users}$ +%that identifies the users to be revoked. +%It outputs an updated revocation list $RL_t$ for period $t$. +%% + \item[\textsf{Sign($\crt_i, \scr_i, M$)}:] given +%a revocation period $t$ with its revocation list $RL_t$, + a membership certificate $\crt_{i }$, a membership secret $\scr_{i }$ and + a message $M$, this \emph{probabilistic} algorithm outputs + %$\perp$ if $i \in \mathcal{R}_t$ and + a signature $\sigma$. +% + \item[\textsf{Verify($\sigma, M$)}:] given a signature $\sigma$, +%a revocation period $t $, the corresponding revocation list $RL_t$, + a message $M$ and a group public key $\mathcal{Y}$, this + \emph{deterministic} algorithm returns either $0$ or $1$. +% + \item[\textsf{Open($\mathcal{S}_{\OA}, M, \sigma$)}:] takes as input a + message $M$, a valid signature $\sigma$ w.r.t. + $\mathcal{Y}$ %for the indicated revocation period $t$ + , the opening authority's private key $\mathcal{S}_{\OA}$ and the public + state $St$. + It outputs $i \in St_{\users} \cup \{ \bot \}$, which is the identity of + a group member or a symbol indicating an opening failure. +% + \end{description} + Each membership certificate contains a unique \emph{tag} that identifies the user. +\end{definition} + +The correctness requirement basically captures that, if all parties +\emph{honestly} run the protocols, all algorithms are correct with respect to +their specification described as above. + +%As mentioned in section~\ref{sec:art} +The Kiayias-Yung model~\cite{KY06} considers three security notions: the security against \textit{misidentification attacks} requires that, even if the adversary +can introduce users under its control in the group, it cannot produce a signature that traces outside the set of dishonest users. The notion of security against +\textit{framing attacks} implies that honest users can never be accused of having signed messages that they did not sign, even if the whole system conspired +against them. And finally the \textit{anonymity} property is also formalized by granting the adversary access to a signature opening oracle as in the models of~\cite{BSZ05}. + +\paragraph{Correctness for Dynamic Group Signatures.} +Following the Kiayias-Yung terminology \cite{KY06}, we say that a public state +$St$ is \textit{valid} if it can be reached from $St=(\emptyset,\epsilon)$ by a +Turing machine having oracle access to $\join_{\GM}$. Also, a state $St'$ is said +to \textit{extend} another state $St$ if it is within reach from $St$. + +Moreover, as in \cite{KY06}, when we write +$\crt_{i}\leftrightharpoons_{\mathcal{Y}} \scr_{i}$, it means that there exists +coin tosses $\varpi$ for $\join_{\GM}$ and $\join_{user}$ such that, for some valid +public state $St'$, the execution of the interactive protocol +$[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St',\mathcal{Y},\mathcal{S}_{\GM})](\varpi)$ +provides $\join_{\user}$ with $\langle i,\scr_{i },\crt_{i } \rangle$. + +\begin{definition}[Correctness] + A dynamic group signature scheme is correct if the following conditions are + all + satisfied: +% + \begin{enumerate}[(1)] +% + \item In a valid state $St$, $|St_{users}|=|St_{trans}|$ always holds and + two distinct entries of $St_{trans}$ always contain certificates with + distinct tag. +% + \item If + $[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM})]$ + is run by two honest parties following the protocol and + $\langle i, \crt_{i }, \scr_{i } \rangle$ is obtained by $\join_{\user}$, then + we have $\crt_{i } \leftrightharpoons_{\mathcal{Y}} \scr_{i }$. +% + \item For each %revocation period $t$ and any + $\langle i, \crt_{i }, \scr_{i } \rangle$ such that $\crt_{i } + \leftrightharpoons_{\mathcal{Y}} \scr_{i }$, satisfying condition 2, we have + $ \mathsf{Verify}\big(\mathsf{Sign}(\mathcal{Y}, \crt_{i }, \scr_{i + },M),M,\mathcal{Y}\big)=1$. +% + \item For any outcome $\langle i, \crt_{i }, \scr_{i } \rangle$ of $[\join_{\user}(.,. ),\join_{\GM}(.,St,.,. )]$ for some valid + $St$, + if $\sigma =\mathsf{Sign}(\mathcal{Y},\crt_{i }, \scr_{i},M)$, then + $\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\mathcal{Y},St')=i.$ +% + \end{enumerate} + % +\end{definition} + +\section{Associated Security Notions} +\addcontentsline{tof}{section}{\protect\numberline{\thesection} Notions de sécurité associées} + +\subsection{Oracles for Security Experiments} +\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Oracles nécessaires à la définition des expériences de sécurité} + +We formalize security properties via experiments where the adversary +interacts with a stateful interface $\mathcal{I}$ that maintains the following +variables: +% +\begin{itemize} +% + \item $\mathsf{state}_{\mathcal{I}}$: is a data structure representing the + state of the interface as the adversary invokes the various oracles + available in the attack games. It is initialized as + $\mathsf{state}_{\mathcal{I}}=(St,\mathcal{Y},\mathcal{S}_{\GM}, + %\linebreak[4] + \mathcal{S}_{\OA}) \leftarrow \mathsf{Setup}(1^\lambda,1^\Ngs)$. + It includes the (initially empty) set $St_{users}$ of group members and a + dynamically growing database $St_{trans}$ storing the transcripts of + previously executed join protocols. +%Finally, +%$\mathsf{state}_{\mathcal{I}}$ includes a counter +%$t$ (which is initialized to $0$) indicating the number of user revocation +%queries so far. + \item $n=|St_{users}|<\Ngs$ denotes the current cardinality of the group. +% + \item $\mathsf{Sigs}$: is a database of signatures created by the signing + oracle. Each entry consists of a triple $(i,M,\sigma)$ indicating that + message $M$ was signed by user $i$. +% + \item $U^a$: is the set of users that were introduced by the adversary in the + system in an execution of the join protocol. +% + \item $U^b$: is the set of honest users that the adversary, acting as a + dishonest group manager, introduced in the system. For these users, the + adversary obtains the transcript of the join protocol but not the user's + membership secret. +% +\end{itemize} + +\noindent In attack games, adversaries are granted access to the +following oracles: + +\begin{itemize} +% + \item $Q_{\mathsf{pub}}$, $Q_{\mathsf{key\GM}}$ and $Q_{\mathsf{key\OA}}$: when + these oracles are invoked, the interface looks up $\mathsf{state}_{\interface}$ and + returns the group public key $\mathcal{Y}$, the GM's private key + $\mathcal{S}_{\GM}$ and the opening authority's private key + $\mathcal{S}_{\OA}$ respectively. +% + \item $Q_{\ajoin}$: allows the adversary to introduce users under its control + in the group. On behalf of the GM, the interface runs $\join_{\GM}$ in + interaction with the $\join_{\user}$-executing adversary who plays the role of + the prospective user in the join protocol. If this protocol successfully + ends, the interface increments $n$, updates $St$ by inserting the new user + $n$ in both sets $St_{users}$ and $U^a$. It also sets + $St_{\trans}:=St_{\trans} || \langle n, \transcript_n \rangle$. +% + \item $Q_{\bjoin}$: allows the adversary, acting as a corrupted group manager, + to introduce new honest group members of its choice. The interface + triggers an execution of $[\join_{\user},\join_{\GM}]$ and runs $\join_{\user}$ in + interaction with the adversary who runs $\join_{\GM}$. If the protocol + successfully completes, the interface increments $n$, adds user $n$ to + $St_{users}$ and $U^b$ and sets $St_{\trans}:=St_{\trans} || \langle n, + \transcript_n \rangle$. It stores the membership certificate $\crt_{n }$ + and the membership secret $\scr_{n }$ in a \textit{private} part of + $\mathsf{state}_{\interface}$. +% + \item $Q_{\mathsf{sig}}$: given a message $M$, an index $i$, the interface + checks whether the private area of $\mathsf{state}_{\interface}$ contains a + certificate $\crt_{i }$ and a membership secret $\scr_{i }$. If no such elements $(\crt_i,\scr_i)$ exist or if $i \not\in U^b$, the + interface returns $\bot$. Otherwise, it outputs a signature $\sigma$ on + behalf of user + $i$ + and also sets $\mathsf{Sigs} \leftarrow \mathsf{Sigs} || (i,M,\sigma)$. +% + \item $Q_{\mathsf{open}}$: when this oracle is invoked on input of a valid + pair $(M,\sigma)$, + the interface runs algorithm $\mathsf{Open}$ using the current state $St $. + When $S$ is a set of pairs of the form $(M,\sigma)$, + $Q_{\mathsf{open}}^{\neg S}$ denotes a restricted oracle that only applies + the opening algorithm to pairs $(M,\sigma)$ which are not in $S$. +% + \item $Q_{\mathsf{read}}$ and $Q_{\mathsf{write}}$: are used by the adversary + to read and write the content of $\mathsf{state}_{\interface}$. At each + invocation, $Q_{\mathsf{read}}$ outputs the whole $\mathsf{state}_{\interface}$ but + the public/private keys and the private part of $\mathsf{state}_{\interface}$ where + membership secrets are stored after $Q_{\bjoin}$-queries. By using + $Q_{\mathsf{write}}$, the adversary can modify $\mathsf{state}_{\interface}$ at + will as long as it does not remove or alter elements of $St_{users}$, + $St_{trans}$ or invalidate the public state $St$: for example, the adversary + is allowed to create dummy users as long as it does not re-use already + existing certificate tags. + +\end{itemize} + +\noindent Based on the above syntax, the +security properties are formalized as follows. + +\subsection{Security Against Misidentification Attacks} +\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Sécurité face aux attaques par identification incorrecte} +\label{sec:RGSdefsecMisId} + +\begin{figure}[H] + \centering + \procedure{Experiment $\Exp{\textrm{mis-id}}{\adv}(\lambda)$}{% + \mathsf{state}_{\interface}=(St,\mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA}) + \gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\ + (M^\star,\sigma^\star) \leftarrow \adv(Q_{\mathsf{pub}},Q_{\ajoin}, + Q_{\mathsf{read}},Q_{\mathsf{keyOA}})\\ + \pcif \mathsf{Verify}(\sigma^\star,M^\star,\mathcal{Y})=0 \pcthen\\ + \pcind \pcreturn{0}\\ + i =\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA}, \mathcal{Y},St')\\ + \pcif i \not\in U^a \pcthen \\ + \pcind\pcreturn{1}\\ + \pcelse\\ + \pcind \pcreturn 0 + } + \caption{Experiment for security against misidentification attacks.} + \label{exp:mis-id} +\end{figure} + +In a misidentification attack, the adversary can corrupt the opening authority +using the $Q_{\mathsf{keyOA}}$ oracle and introduce +malicious users in the group via $Q_{\ajoin}$-queries. +It aims at producing a valid signature $\sigma^\star$ that does not open to any +adversarially-controlled user. + + +\begin{definition} \label{def:mis-id} + A dynamic group signature scheme is secure against \emph{misidentification + attacks} if, for any $\ppt$ adversary $\adv$ involved in Experiment~$\Exp{\textrm{mis-id}}{\adv}(\lambda)$ + described in Figure~\ref{exp:mis-id}, we have: + \[\advantage{\adv}{\mathrm{mis}\textrm{-}\mathrm{id}}(\lambda) \triangleq + \Proba{\,\Exp{\mathrm{mis}\textrm{-}\mathrm{id}}{\adv}(\lambda)=1} = + \negl[\lambda].\] +\end{definition} + + + +\subsection{Non-Frameability} +\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Sécurité face aux attaques ciblées} +\label{sec:RGSdefsecMonFrame} + +\begin{figure}[H] + \centering + \procedure{Experiment $\Exp{\mathrm{fra}}{\adv}(\lambda)$}{% + \mathsf{state}_{\interface}=(St,\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA}) + \gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\ + (M^\star,\sigma^\star) + \gets \adv(Q_{\mathsf{pub}},Q_{\mathsf{key}\GM}, + Q_{\mathsf{key}\OA}, Q_{\bjoin},%Q_{\mathsf{revoke}}, + Q_{\mathsf{sig}}, Q_{\mathsf{read}}, Q_{\mathsf{write}}) \\ + \pcif \mathsf{Verify}(\sigma^\star,M^\star,\mathcal{Y})=0 \pcthen\\ + \pcind \pcreturn 0 \\ + \pcif i=\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA}, + \mathcal{Y},St') \not \in U^b \pcthen\\ + \pcind \pcreturn 0\\ + \pcif + \bigwedge_{j \in U^b \textrm{ s.t. } j=i~} (j,M^\star,\ast) + \not\in \mathsf{Sigs} \pcthen \\ + \pcind \pcreturn 1\\ + \pcelse \\ + \pcind\pcreturn 0 + } + \caption{Experiment for security against framing attacks.} \label{exp:frame} + \end{figure} + +Framing attacks consider the situation where the entire system is colluding against some honest user. +The adversary can corrupt the group manager as well as the opening authority +(via oracles $Q_{\mathsf{key}\GM}$ and $Q_{\mathsf{key}\OA}$, respectively). +It can also introduce honest group members (via +$Q_{\bjoin}$-queries), observe the system while these users sign messages and +create dummy users using $Q_{\mathsf{write}}$. %In addition, before the +%possible corruption of the group manager, the adversary can revoke +%group members at any time by invoking the $Q_{\mathsf{revoke}}$ +%oracle. As a potentially corrupted group manager, $\A$ is allowed to +%come up with his/her own revocation list $RL_{t^\star}$ at the end of the game. +%We assume that anyone can publicly verify that $RL_{t^\star}$ is +%correctly formed ({\it i.e.}, that it could be a legitimate output of +%$\mathsf{Revoke}$) so that the adversary does not come up with +%an ill-formed revocation list. +%For consistency, if $\A$ chooses not to corrupt the GM, the produced +%revocation list $RL_{t^\star}$ must be the one determined by the history +%of $Q_{\mathsf{revoke}}$-queries. +The adversary eventually aims at framing an honest group member. + +\begin{definition} \label{def:frame} +% + A dynamic group signature scheme is secure against \emph{framing attacks} if, + for any $\ppt$ adversary $\adv$ involved in the experiment~$\Exp{\mathrm{fra}}{\adv}(\lambda)$ described Figure~\ref{exp:frame}), it holds that + \[ \advantage{\adv}{\mathrm{fra}}(\lambda)=\Proba{\Exp{\mathrm{fra}}{\adv}(\lambda)=1} \in \negl[\lambda]. \] +% + +\end{definition} + +\subsection{Full Anonymity} +\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Anonymat complet} +\label{sec:RGSdefsecAnon} + +\begin{figure}[H] + \centering + \procedure{Experiment $\Exp{\textrm{anon}}{\adv,d}(\lambda)$}{ + \mathsf{state}_{\interface}=(St,\mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA}) + \gets \mathsf{Setup}(1^\lambda, 1^\Ngs)\\ + \big(aux,M^\star,(\scr_{0}^\star,\crt_{0}^\star), + (\scr_{1}^\star,\crt_{1}^\star )\big) + \gets \adv(\mathsf{play};\, Q_{\mathsf{pub}},Q_{\mathsf{key\GM}}, + %Q_{\mathsf{revoke}}, + Q_{\mathsf{open}},Q_{\mathsf{read}},Q_{\mathsf{write}})\\ + %\If{\neg(\crt_{b}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{b}^\star) for b\in\bit} + %{\Return \bot\\} + %\If{\crt_{0 }^\star = \crt_{1 }^\star }{\Return \bot\\} + \pcif + \neg((\crt_{0}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{0}^\star) + \wedge (\crt_{1}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{1}^\star) + \wedge (\crt_{0}^\star \neq \crt_{1 }^\star)) \pcthen\\ + \pcind\pcreturn \bot\\ + %Pick random d \gets \bit; + \sigma^\star \leftarrow \mathsf{Sign}(\mathcal{Y},\crt_{d}^\star, + \scr_{d}^\star,M^\star)\\ + d'\leftarrow \adv(\mathsf{guess};\,\sigma^\star,aux,Q_{\mathsf{pub}}, + Q_{\mathsf{key\GM}},Q_{\mathsf{open}}^{\neg \{ (M^\star, \sigma^\star)\}}, + Q_{\mathsf{read}},Q_{\mathsf{write}})\\ + \pcreturn d'; +% \If{d'=d}{\Return 1;} +% \Return 0\; + } + \caption{Security experiments for (full-)anonymity game.} \label{exp:anon} +\end{figure} + +The notion of anonymity is formalized by means of a game involving a two-stage +adversary. The first stage is called $\mathsf{play}$ stage and allows the +adversary $\adv$ to modify $\mathsf{state}_{\interface}$ via $Q_{\mathsf{write}}$-queries +and open arbitrary signatures by probing $Q_{\mathsf{open}}$. When the +$\mathsf{play}$ stage ends, $\adv$ chooses a message $M^\star$ as well as two +pairs $(\scr_{0}^\star,\crt_{0}^\star)$ and $(\scr_{1}^\star,\crt_{1}^\star )$, +consisting of a valid membership certificate and a corresponding membership +secret. Then, the challenger flips a coin $d \gets \bit$ and computes a +challenge signature $\sigma^\star$ using $(\scr_{d}^\star,\crt_{d}^\star)$. The +adversary is given $\sigma^\star$ with the task of eventually guessing the bit +$d \in \bit$. Before doing so, it is allowed further oracle queries +throughout the second stage, called \textsf{guess} stage, but is restricted not +to query $Q_{\mathsf{open}}$ for $(M^\star,\sigma^\star)$. + +\begin{definition} \label{def:anon} +% +A dynamic group signature scheme is fully anonymous if, for any $\ppt$ adversary +$\adv$ +in the experiment~$\Exp{\mathrm{anon}}{\adv, d}(\lambda)$ described in Figure~\ref{exp:anon}, the following distance is negligible: + \[\advantage{\adv}{\mathrm{anon}}\left( \lambda \right) \triangleq + \left| \Proba{\,\Expt_{\adv, 1}^{\mathrm{anon}}(\lambda) = 1} -\Proba{\,\Expt_{\adv, 0}^{\mathrm{anon}}(\lambda) = 1} \right|\] + +% +\end{definition} + + + +%One can wonder why the \emph{revocation} is not in the \emph{dynamic group +%signature scheme} description, the reason is only pragmatic. It is a different +%problem to build a scheme that allows to revoke a group member than a scheme +%that allows inserting a group member~\cite{DP06}, and it has to be done in a +%case-by-case fashion. + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + + + + diff --git a/macros.tex b/macros.tex index ad055ab..43ac21c 100644 --- a/macros.tex +++ b/macros.tex @@ -51,11 +51,11 @@ \newcommand{\ROM}{\textsf{ROM}\xspace} %% Experience/Games \newcommand{\Exp}[2]{\ensuremath{\mathsf{Exp}^{#1}_{#2}}\xspace} +\newcommand{\Expt}{\ensuremath{\mathbf{Exp}}\xspace} \newcommand{\advantage}[2]{\ensuremath{\mathrm{Advt}^{#1}_{#2}}\xspace} \newcommand{\oracle}[2]{\ensuremath{\mathcal O^{\,\mathsf{#1}(\,#2\,)}_{}}\xspace} \newcommand{\ensemble}[1]{\ensuremath{\mathcal S_{\mathsf{#1}}^{}}\xspace} - - +\newcommand{\Proba}[1]{\ensuremath{\Pr\left[#1\right]}\xspace} % Operators \newcommand{\sample}{\xspace\ensuremath{\hookleftarrow}\xspace} @@ -83,5 +83,29 @@ \newcommand{\GT}{\xspace\ensuremath{\mathbb{G}_T}\xspace} \newcommand{\atob}[2]{\xspace\ensuremath{\{#1,\ldots,\#2\}}} +% Primitives +%% Dynamic Group Signatures +\newcommand{\crt}{\mathsf{cert}} +\newcommand{\scr}{\mathsf{sec}} +\newcommand{\usk}{\mathsf{usk}} +\newcommand{\upk}{\mathsf{upk}} +\newcommand{\Ngs}{{N_\mathsf{gs}}} +\newcommand{\gspk}{\mathcal{Y}} +\newcommand{\join}{\mathsf{J}} +\newcommand{\Sign}{\mathsf{Sign}} +\newcommand{\user}{\mathsf{user}} +\newcommand{\users}{\mathsf{users}} +\newcommand{\GM}{\mathsf{GM}} +\newcommand{\OA}{\mathsf{OA}} +\newcommand{\ok}{\mathsf{ok}} +\newcommand{\transcripts}{\mathsf{transcripts}} +\newcommand{\transcript}{\mathsf{transcript}} +\newcommand{\trace}{\mathsf{trace}} +\newcommand{\ajoin}{\mathsf{a}\textrm{-}\mathsf{join}} +\newcommand{\bjoin}{\mathsf{b}\textrm{-}\mathsf{join}} +\newcommand{\pjoin}{\mathsf{p}\textrm{-}\mathsf{join}} +\newcommand{\interface}{\mathcal{I}} + % Other \newcommand{\TODO}{\textbf{\textcolor{red}{TODO}}} +