Add Definitions for GS
This commit is contained in:
parent
413cfa5bc4
commit
71f9598540
444
chap-GS-background.tex
Normal file
444
chap-GS-background.tex
Normal file
@ -0,0 +1,444 @@
|
||||
\chapter{Dynamic Group Signatures} \label{ch:gs-background}
|
||||
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique}
|
||||
|
||||
In this Part, we will present two constructions for dynamic group signatures.
|
||||
The construction that will be explained in \cref{ch:sigmasig} is an adaptation of the Libert, Peters and Yung short group signature in the standard model from classical pairing assumptions~\cite{LPY15} into the random oracle model to gain efficiency, while keeping the assumptions simple.
|
||||
This gives us a constant-size group signature scheme that is competitive with other construction based on less standard assumptions.
|
||||
An implementation is available and the timing are detailed in \cref{ch:sigmasig}.
|
||||
|
||||
The second construction, described in \cref{ch:gs-lwe}, is a lattice-based dynamic group signature where the scheme from Ling, Nguyen and Wang~\cite{LNW15} for static groups has been improved to match requirements for dynamic groups.
|
||||
This construction has been the first fully secure group signature scheme from lattices.
|
||||
|
||||
Before describing those scheme, let us recall in this Chapter the definition of a dynamic group signature and its related security definitions.
|
||||
|
||||
\section{Formal Definition and Correctness} \label{sse:gs-definitions}
|
||||
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction}
|
||||
|
||||
This section recalls the syntax and the security definitions of dynamic group signatures based on the model of Kiayias and Yung~\cite{KY06}.
|
||||
|
||||
A \emph{group signature} allows a group member to
|
||||
attest that a message was provided by a member of a \emph{group} without being
|
||||
altered during the process and preserving the \emph{anonymity} of the users.
|
||||
This primitive was introduced by Bellare, Micciancio and Warinschi~\cite{BMW03}
|
||||
in 2003 and was extended to dynamic groups by Bellare, Shi and Zhang
|
||||
({BSZ}) in 2005~\cite{BSZ05}.
|
||||
|
||||
|
||||
\begin{figure}
|
||||
\centering
|
||||
\begin{tikzpicture}
|
||||
\node (GM) {Group manager};
|
||||
\node[right=of GM] (User) {User $i$};
|
||||
\node[right=of User] (OA) {Opening Authority};
|
||||
\node[below=of User] (M) {$\sigma$, M};
|
||||
\node[right=of M] (Other) {Anyone};
|
||||
\node[above=of User] (Setup) {Trusted Setup};
|
||||
|
||||
\draw[<->, thick] (GM) -- node[anchor=south] {\textsf{Join}} node[anchor=north] {$\crt_i$} (User);
|
||||
\draw[->, thick] (User) -- node[anchor=north east] {$\Sign$} (M);
|
||||
\draw[<-, thick] (Other) -- node[anchor=north] {$\Verify$} (M);
|
||||
\draw[<-, thick] (OA) -- node[anchor=west, yshift=-5pt] {$\Open$} (M);
|
||||
\draw[->, thick, dashed] (Setup) -- node[xshift=-0.7cm] {$\mathcal S_\GM$} (GM);
|
||||
\draw[->, thick, dashed] (Setup) -- node[xshift=0.7cm] {$\mathcal S_\OA$} (OA);
|
||||
\end{tikzpicture}
|
||||
\caption{Relations between the protagonists in a dynamic group signature
|
||||
scheme}
|
||||
\label{fig:relations}
|
||||
\end{figure}
|
||||
|
||||
In the setting of \emph{dynamic groups}, the syntax of group signatures includes
|
||||
an interactive protocol which allows users to register as new members of the
|
||||
group at any time. The syntax and the security model are those defined by
|
||||
Kiayias and Yung~\cite{KY06}.
|
||||
Like the very similar {BSZ} model~\cite{BSZ05}, the Kiayias-Yung
|
||||
({KY}) model assumes an interactive \emph{join} protocol whereby a
|
||||
prospective user becomes a group member by interacting with the group manager.
|
||||
This protocol provides the user with a membership certificate, $\crt_i$, and a
|
||||
membership secret, $\scr_i$.
|
||||
|
||||
%\paragraph{Syntax.}
|
||||
We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that the system will be able to handle.
|
||||
\begin{definition}[Dynamic Group Signature]
|
||||
A \emph{dynamic group signature} scheme consists of the following algorithms
|
||||
or protocols.
|
||||
|
||||
\begin{description}
|
||||
\item[\textsf{Setup}$(1^\lambda,1^{\Ngs})$:] given a security parameter $\lambda$
|
||||
and a maximal number of group members $\Ngs \in \mathbb{N}$, this algorithm
|
||||
is run by a trusted party to generate a group public key $\mathcal{Y}$,
|
||||
the group manager's private key $\mathcal{S}_{\GM}$ and the opening
|
||||
authority's private key $\mathcal{S}_{\OA}$. Each key is given to the
|
||||
appropriate authority while $\mathcal{Y}$ is made public. The algorithm
|
||||
also initializes a public state $St$ comprising a set data structure
|
||||
$St_{\users}=\emptyset$ and a string data structure $St_{\trans}=
|
||||
\epsilon$.\\
|
||||
In the following, all algorithms have access to the public parameters
|
||||
$\gspk$.
|
||||
%
|
||||
\item[\textsf{Join}:] is an \emph{interactive} protocol between the group manager
|
||||
GM and a user $\mathcal{U}_i$ where the latter becomes a group member.
|
||||
The protocol involves two interactive Turing machines $\join_{\user}$ and
|
||||
$\join_{\GM}$ that both take $\mathcal{Y}$ as input. The execution
|
||||
$\langle \join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM}) \rangle$,
|
||||
ends with user $\mathcal{U}_i$ obtaining a membership secret $\scr_{i }$,
|
||||
that no one else knows, and a membership certificate $\crt_{i }$. If the
|
||||
protocol is successful, the group manager updates the public state $St$ by
|
||||
setting $St_{\users}:=St_{\users} \cup \{ i \}$ as well as
|
||||
$St_{\trans}:=St_{\trans} || \langle i ,\transcript_i \rangle$.
|
||||
%
|
||||
%\item[\textsf{Revoke}:] is a (possibly randomized) algorithm allowing the GM
|
||||
%to generate an updated revocation list $RL_t$ for the new revocation period $t$.
|
||||
%It takes as input a public key $\mathcal{Y}$ and a set $\mathcal{R}_t \subset St_{\users}$
|
||||
%that identifies the users to be revoked.
|
||||
%It outputs an updated revocation list $RL_t$ for period $t$.
|
||||
%%
|
||||
\item[\textsf{Sign($\crt_i, \scr_i, M$)}:] given
|
||||
%a revocation period $t$ with its revocation list $RL_t$,
|
||||
a membership certificate $\crt_{i }$, a membership secret $\scr_{i }$ and
|
||||
a message $M$, this \emph{probabilistic} algorithm outputs
|
||||
%$\perp$ if $i \in \mathcal{R}_t$ and
|
||||
a signature $\sigma$.
|
||||
%
|
||||
\item[\textsf{Verify($\sigma, M$)}:] given a signature $\sigma$,
|
||||
%a revocation period $t $, the corresponding revocation list $RL_t$,
|
||||
a message $M$ and a group public key $\mathcal{Y}$, this
|
||||
\emph{deterministic} algorithm returns either $0$ or $1$.
|
||||
%
|
||||
\item[\textsf{Open($\mathcal{S}_{\OA}, M, \sigma$)}:] takes as input a
|
||||
message $M$, a valid signature $\sigma$ w.r.t.
|
||||
$\mathcal{Y}$ %for the indicated revocation period $t$
|
||||
, the opening authority's private key $\mathcal{S}_{\OA}$ and the public
|
||||
state $St$.
|
||||
It outputs $i \in St_{\users} \cup \{ \bot \}$, which is the identity of
|
||||
a group member or a symbol indicating an opening failure.
|
||||
%
|
||||
\end{description}
|
||||
Each membership certificate contains a unique \emph{tag} that identifies the user.
|
||||
\end{definition}
|
||||
|
||||
The correctness requirement basically captures that, if all parties
|
||||
\emph{honestly} run the protocols, all algorithms are correct with respect to
|
||||
their specification described as above.
|
||||
|
||||
%As mentioned in section~\ref{sec:art}
|
||||
The Kiayias-Yung model~\cite{KY06} considers three security notions: the security against \textit{misidentification attacks} requires that, even if the adversary
|
||||
can introduce users under its control in the group, it cannot produce a signature that traces outside the set of dishonest users. The notion of security against
|
||||
\textit{framing attacks} implies that honest users can never be accused of having signed messages that they did not sign, even if the whole system conspired
|
||||
against them. And finally the \textit{anonymity} property is also formalized by granting the adversary access to a signature opening oracle as in the models of~\cite{BSZ05}.
|
||||
|
||||
\paragraph{Correctness for Dynamic Group Signatures.}
|
||||
Following the Kiayias-Yung terminology \cite{KY06}, we say that a public state
|
||||
$St$ is \textit{valid} if it can be reached from $St=(\emptyset,\epsilon)$ by a
|
||||
Turing machine having oracle access to $\join_{\GM}$. Also, a state $St'$ is said
|
||||
to \textit{extend} another state $St$ if it is within reach from $St$.
|
||||
|
||||
Moreover, as in \cite{KY06}, when we write
|
||||
$\crt_{i}\leftrightharpoons_{\mathcal{Y}} \scr_{i}$, it means that there exists
|
||||
coin tosses $\varpi$ for $\join_{\GM}$ and $\join_{user}$ such that, for some valid
|
||||
public state $St'$, the execution of the interactive protocol
|
||||
$[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St',\mathcal{Y},\mathcal{S}_{\GM})](\varpi)$
|
||||
provides $\join_{\user}$ with $\langle i,\scr_{i },\crt_{i } \rangle$.
|
||||
|
||||
\begin{definition}[Correctness]
|
||||
A dynamic group signature scheme is correct if the following conditions are
|
||||
all
|
||||
satisfied:
|
||||
%
|
||||
\begin{enumerate}[(1)]
|
||||
%
|
||||
\item In a valid state $St$, $|St_{users}|=|St_{trans}|$ always holds and
|
||||
two distinct entries of $St_{trans}$ always contain certificates with
|
||||
distinct tag.
|
||||
%
|
||||
\item If
|
||||
$[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM})]$
|
||||
is run by two honest parties following the protocol and
|
||||
$\langle i, \crt_{i }, \scr_{i } \rangle$ is obtained by $\join_{\user}$, then
|
||||
we have $\crt_{i } \leftrightharpoons_{\mathcal{Y}} \scr_{i }$.
|
||||
%
|
||||
\item For each %revocation period $t$ and any
|
||||
$\langle i, \crt_{i }, \scr_{i } \rangle$ such that $\crt_{i }
|
||||
\leftrightharpoons_{\mathcal{Y}} \scr_{i }$, satisfying condition 2, we have
|
||||
$ \mathsf{Verify}\big(\mathsf{Sign}(\mathcal{Y}, \crt_{i }, \scr_{i
|
||||
},M),M,\mathcal{Y}\big)=1$.
|
||||
%
|
||||
\item For any outcome $\langle i, \crt_{i }, \scr_{i } \rangle$ of $[\join_{\user}(.,. ),\join_{\GM}(.,St,.,. )]$ for some valid
|
||||
$St$,
|
||||
if $\sigma =\mathsf{Sign}(\mathcal{Y},\crt_{i }, \scr_{i},M)$, then
|
||||
$\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\mathcal{Y},St')=i.$
|
||||
%
|
||||
\end{enumerate}
|
||||
%
|
||||
\end{definition}
|
||||
|
||||
\section{Associated Security Notions}
|
||||
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Notions de sécurité associées}
|
||||
|
||||
\subsection{Oracles for Security Experiments}
|
||||
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Oracles nécessaires à la définition des expériences de sécurité}
|
||||
|
||||
We formalize security properties via experiments where the adversary
|
||||
interacts with a stateful interface $\mathcal{I}$ that maintains the following
|
||||
variables:
|
||||
%
|
||||
\begin{itemize}
|
||||
%
|
||||
\item $\mathsf{state}_{\mathcal{I}}$: is a data structure representing the
|
||||
state of the interface as the adversary invokes the various oracles
|
||||
available in the attack games. It is initialized as
|
||||
$\mathsf{state}_{\mathcal{I}}=(St,\mathcal{Y},\mathcal{S}_{\GM},
|
||||
%\linebreak[4]
|
||||
\mathcal{S}_{\OA}) \leftarrow \mathsf{Setup}(1^\lambda,1^\Ngs)$.
|
||||
It includes the (initially empty) set $St_{users}$ of group members and a
|
||||
dynamically growing database $St_{trans}$ storing the transcripts of
|
||||
previously executed join protocols.
|
||||
%Finally,
|
||||
%$\mathsf{state}_{\mathcal{I}}$ includes a counter
|
||||
%$t$ (which is initialized to $0$) indicating the number of user revocation
|
||||
%queries so far.
|
||||
\item $n=|St_{users}|<\Ngs$ denotes the current cardinality of the group.
|
||||
%
|
||||
\item $\mathsf{Sigs}$: is a database of signatures created by the signing
|
||||
oracle. Each entry consists of a triple $(i,M,\sigma)$ indicating that
|
||||
message $M$ was signed by user $i$.
|
||||
%
|
||||
\item $U^a$: is the set of users that were introduced by the adversary in the
|
||||
system in an execution of the join protocol.
|
||||
%
|
||||
\item $U^b$: is the set of honest users that the adversary, acting as a
|
||||
dishonest group manager, introduced in the system. For these users, the
|
||||
adversary obtains the transcript of the join protocol but not the user's
|
||||
membership secret.
|
||||
%
|
||||
\end{itemize}
|
||||
|
||||
\noindent In attack games, adversaries are granted access to the
|
||||
following oracles:
|
||||
|
||||
\begin{itemize}
|
||||
%
|
||||
\item $Q_{\mathsf{pub}}$, $Q_{\mathsf{key\GM}}$ and $Q_{\mathsf{key\OA}}$: when
|
||||
these oracles are invoked, the interface looks up $\mathsf{state}_{\interface}$ and
|
||||
returns the group public key $\mathcal{Y}$, the GM's private key
|
||||
$\mathcal{S}_{\GM}$ and the opening authority's private key
|
||||
$\mathcal{S}_{\OA}$ respectively.
|
||||
%
|
||||
\item $Q_{\ajoin}$: allows the adversary to introduce users under its control
|
||||
in the group. On behalf of the GM, the interface runs $\join_{\GM}$ in
|
||||
interaction with the $\join_{\user}$-executing adversary who plays the role of
|
||||
the prospective user in the join protocol. If this protocol successfully
|
||||
ends, the interface increments $n$, updates $St$ by inserting the new user
|
||||
$n$ in both sets $St_{users}$ and $U^a$. It also sets
|
||||
$St_{\trans}:=St_{\trans} || \langle n, \transcript_n \rangle$.
|
||||
%
|
||||
\item $Q_{\bjoin}$: allows the adversary, acting as a corrupted group manager,
|
||||
to introduce new honest group members of its choice. The interface
|
||||
triggers an execution of $[\join_{\user},\join_{\GM}]$ and runs $\join_{\user}$ in
|
||||
interaction with the adversary who runs $\join_{\GM}$. If the protocol
|
||||
successfully completes, the interface increments $n$, adds user $n$ to
|
||||
$St_{users}$ and $U^b$ and sets $St_{\trans}:=St_{\trans} || \langle n,
|
||||
\transcript_n \rangle$. It stores the membership certificate $\crt_{n }$
|
||||
and the membership secret $\scr_{n }$ in a \textit{private} part of
|
||||
$\mathsf{state}_{\interface}$.
|
||||
%
|
||||
\item $Q_{\mathsf{sig}}$: given a message $M$, an index $i$, the interface
|
||||
checks whether the private area of $\mathsf{state}_{\interface}$ contains a
|
||||
certificate $\crt_{i }$ and a membership secret $\scr_{i }$. If no such elements $(\crt_i,\scr_i)$ exist or if $i \not\in U^b$, the
|
||||
interface returns $\bot$. Otherwise, it outputs a signature $\sigma$ on
|
||||
behalf of user
|
||||
$i$
|
||||
and also sets $\mathsf{Sigs} \leftarrow \mathsf{Sigs} || (i,M,\sigma)$.
|
||||
%
|
||||
\item $Q_{\mathsf{open}}$: when this oracle is invoked on input of a valid
|
||||
pair $(M,\sigma)$,
|
||||
the interface runs algorithm $\mathsf{Open}$ using the current state $St $.
|
||||
When $S$ is a set of pairs of the form $(M,\sigma)$,
|
||||
$Q_{\mathsf{open}}^{\neg S}$ denotes a restricted oracle that only applies
|
||||
the opening algorithm to pairs $(M,\sigma)$ which are not in $S$.
|
||||
%
|
||||
\item $Q_{\mathsf{read}}$ and $Q_{\mathsf{write}}$: are used by the adversary
|
||||
to read and write the content of $\mathsf{state}_{\interface}$. At each
|
||||
invocation, $Q_{\mathsf{read}}$ outputs the whole $\mathsf{state}_{\interface}$ but
|
||||
the public/private keys and the private part of $\mathsf{state}_{\interface}$ where
|
||||
membership secrets are stored after $Q_{\bjoin}$-queries. By using
|
||||
$Q_{\mathsf{write}}$, the adversary can modify $\mathsf{state}_{\interface}$ at
|
||||
will as long as it does not remove or alter elements of $St_{users}$,
|
||||
$St_{trans}$ or invalidate the public state $St$: for example, the adversary
|
||||
is allowed to create dummy users as long as it does not re-use already
|
||||
existing certificate tags.
|
||||
|
||||
\end{itemize}
|
||||
|
||||
\noindent Based on the above syntax, the
|
||||
security properties are formalized as follows.
|
||||
|
||||
\subsection{Security Against Misidentification Attacks}
|
||||
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Sécurité face aux attaques par identification incorrecte}
|
||||
\label{sec:RGSdefsecMisId}
|
||||
|
||||
\begin{figure}[H]
|
||||
\centering
|
||||
\procedure{Experiment $\Exp{\textrm{mis-id}}{\adv}(\lambda)$}{%
|
||||
\mathsf{state}_{\interface}=(St,\mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA})
|
||||
\gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\
|
||||
(M^\star,\sigma^\star) \leftarrow \adv(Q_{\mathsf{pub}},Q_{\ajoin},
|
||||
Q_{\mathsf{read}},Q_{\mathsf{keyOA}})\\
|
||||
\pcif \mathsf{Verify}(\sigma^\star,M^\star,\mathcal{Y})=0 \pcthen\\
|
||||
\pcind \pcreturn{0}\\
|
||||
i =\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA}, \mathcal{Y},St')\\
|
||||
\pcif i \not\in U^a \pcthen \\
|
||||
\pcind\pcreturn{1}\\
|
||||
\pcelse\\
|
||||
\pcind \pcreturn 0
|
||||
}
|
||||
\caption{Experiment for security against misidentification attacks.}
|
||||
\label{exp:mis-id}
|
||||
\end{figure}
|
||||
|
||||
In a misidentification attack, the adversary can corrupt the opening authority
|
||||
using the $Q_{\mathsf{keyOA}}$ oracle and introduce
|
||||
malicious users in the group via $Q_{\ajoin}$-queries.
|
||||
It aims at producing a valid signature $\sigma^\star$ that does not open to any
|
||||
adversarially-controlled user.
|
||||
|
||||
|
||||
\begin{definition} \label{def:mis-id}
|
||||
A dynamic group signature scheme is secure against \emph{misidentification
|
||||
attacks} if, for any $\ppt$ adversary $\adv$ involved in Experiment~$\Exp{\textrm{mis-id}}{\adv}(\lambda)$
|
||||
described in Figure~\ref{exp:mis-id}, we have:
|
||||
\[\advantage{\adv}{\mathrm{mis}\textrm{-}\mathrm{id}}(\lambda) \triangleq
|
||||
\Proba{\,\Exp{\mathrm{mis}\textrm{-}\mathrm{id}}{\adv}(\lambda)=1} =
|
||||
\negl[\lambda].\]
|
||||
\end{definition}
|
||||
|
||||
|
||||
|
||||
\subsection{Non-Frameability}
|
||||
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Sécurité face aux attaques ciblées}
|
||||
\label{sec:RGSdefsecMonFrame}
|
||||
|
||||
\begin{figure}[H]
|
||||
\centering
|
||||
\procedure{Experiment $\Exp{\mathrm{fra}}{\adv}(\lambda)$}{%
|
||||
\mathsf{state}_{\interface}=(St,\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA})
|
||||
\gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\
|
||||
(M^\star,\sigma^\star)
|
||||
\gets \adv(Q_{\mathsf{pub}},Q_{\mathsf{key}\GM},
|
||||
Q_{\mathsf{key}\OA}, Q_{\bjoin},%Q_{\mathsf{revoke}},
|
||||
Q_{\mathsf{sig}}, Q_{\mathsf{read}}, Q_{\mathsf{write}}) \\
|
||||
\pcif \mathsf{Verify}(\sigma^\star,M^\star,\mathcal{Y})=0 \pcthen\\
|
||||
\pcind \pcreturn 0 \\
|
||||
\pcif i=\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA},
|
||||
\mathcal{Y},St') \not \in U^b \pcthen\\
|
||||
\pcind \pcreturn 0\\
|
||||
\pcif
|
||||
\bigwedge_{j \in U^b \textrm{ s.t. } j=i~} (j,M^\star,\ast)
|
||||
\not\in \mathsf{Sigs} \pcthen \\
|
||||
\pcind \pcreturn 1\\
|
||||
\pcelse \\
|
||||
\pcind\pcreturn 0
|
||||
}
|
||||
\caption{Experiment for security against framing attacks.} \label{exp:frame}
|
||||
\end{figure}
|
||||
|
||||
Framing attacks consider the situation where the entire system is colluding against some honest user.
|
||||
The adversary can corrupt the group manager as well as the opening authority
|
||||
(via oracles $Q_{\mathsf{key}\GM}$ and $Q_{\mathsf{key}\OA}$, respectively).
|
||||
It can also introduce honest group members (via
|
||||
$Q_{\bjoin}$-queries), observe the system while these users sign messages and
|
||||
create dummy users using $Q_{\mathsf{write}}$. %In addition, before the
|
||||
%possible corruption of the group manager, the adversary can revoke
|
||||
%group members at any time by invoking the $Q_{\mathsf{revoke}}$
|
||||
%oracle. As a potentially corrupted group manager, $\A$ is allowed to
|
||||
%come up with his/her own revocation list $RL_{t^\star}$ at the end of the game.
|
||||
%We assume that anyone can publicly verify that $RL_{t^\star}$ is
|
||||
%correctly formed ({\it i.e.}, that it could be a legitimate output of
|
||||
%$\mathsf{Revoke}$) so that the adversary does not come up with
|
||||
%an ill-formed revocation list.
|
||||
%For consistency, if $\A$ chooses not to corrupt the GM, the produced
|
||||
%revocation list $RL_{t^\star}$ must be the one determined by the history
|
||||
%of $Q_{\mathsf{revoke}}$-queries.
|
||||
The adversary eventually aims at framing an honest group member.
|
||||
|
||||
\begin{definition} \label{def:frame}
|
||||
%
|
||||
A dynamic group signature scheme is secure against \emph{framing attacks} if,
|
||||
for any $\ppt$ adversary $\adv$ involved in the experiment~$\Exp{\mathrm{fra}}{\adv}(\lambda)$ described Figure~\ref{exp:frame}), it holds that
|
||||
\[ \advantage{\adv}{\mathrm{fra}}(\lambda)=\Proba{\Exp{\mathrm{fra}}{\adv}(\lambda)=1} \in \negl[\lambda]. \]
|
||||
%
|
||||
|
||||
\end{definition}
|
||||
|
||||
\subsection{Full Anonymity}
|
||||
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Anonymat complet}
|
||||
\label{sec:RGSdefsecAnon}
|
||||
|
||||
\begin{figure}[H]
|
||||
\centering
|
||||
\procedure{Experiment $\Exp{\textrm{anon}}{\adv,d}(\lambda)$}{
|
||||
\mathsf{state}_{\interface}=(St,\mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA})
|
||||
\gets \mathsf{Setup}(1^\lambda, 1^\Ngs)\\
|
||||
\big(aux,M^\star,(\scr_{0}^\star,\crt_{0}^\star),
|
||||
(\scr_{1}^\star,\crt_{1}^\star )\big)
|
||||
\gets \adv(\mathsf{play};\, Q_{\mathsf{pub}},Q_{\mathsf{key\GM}},
|
||||
%Q_{\mathsf{revoke}},
|
||||
Q_{\mathsf{open}},Q_{\mathsf{read}},Q_{\mathsf{write}})\\
|
||||
%\If{\neg(\crt_{b}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{b}^\star) for b\in\bit}
|
||||
%{\Return \bot\\}
|
||||
%\If{\crt_{0 }^\star = \crt_{1 }^\star }{\Return \bot\\}
|
||||
\pcif
|
||||
\neg((\crt_{0}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{0}^\star)
|
||||
\wedge (\crt_{1}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{1}^\star)
|
||||
\wedge (\crt_{0}^\star \neq \crt_{1 }^\star)) \pcthen\\
|
||||
\pcind\pcreturn \bot\\
|
||||
%Pick random d \gets \bit;
|
||||
\sigma^\star \leftarrow \mathsf{Sign}(\mathcal{Y},\crt_{d}^\star,
|
||||
\scr_{d}^\star,M^\star)\\
|
||||
d'\leftarrow \adv(\mathsf{guess};\,\sigma^\star,aux,Q_{\mathsf{pub}},
|
||||
Q_{\mathsf{key\GM}},Q_{\mathsf{open}}^{\neg \{ (M^\star, \sigma^\star)\}},
|
||||
Q_{\mathsf{read}},Q_{\mathsf{write}})\\
|
||||
\pcreturn d';
|
||||
% \If{d'=d}{\Return 1;}
|
||||
% \Return 0\;
|
||||
}
|
||||
\caption{Security experiments for (full-)anonymity game.} \label{exp:anon}
|
||||
\end{figure}
|
||||
|
||||
The notion of anonymity is formalized by means of a game involving a two-stage
|
||||
adversary. The first stage is called $\mathsf{play}$ stage and allows the
|
||||
adversary $\adv$ to modify $\mathsf{state}_{\interface}$ via $Q_{\mathsf{write}}$-queries
|
||||
and open arbitrary signatures by probing $Q_{\mathsf{open}}$. When the
|
||||
$\mathsf{play}$ stage ends, $\adv$ chooses a message $M^\star$ as well as two
|
||||
pairs $(\scr_{0}^\star,\crt_{0}^\star)$ and $(\scr_{1}^\star,\crt_{1}^\star )$,
|
||||
consisting of a valid membership certificate and a corresponding membership
|
||||
secret. Then, the challenger flips a coin $d \gets \bit$ and computes a
|
||||
challenge signature $\sigma^\star$ using $(\scr_{d}^\star,\crt_{d}^\star)$. The
|
||||
adversary is given $\sigma^\star$ with the task of eventually guessing the bit
|
||||
$d \in \bit$. Before doing so, it is allowed further oracle queries
|
||||
throughout the second stage, called \textsf{guess} stage, but is restricted not
|
||||
to query $Q_{\mathsf{open}}$ for $(M^\star,\sigma^\star)$.
|
||||
|
||||
\begin{definition} \label{def:anon}
|
||||
%
|
||||
A dynamic group signature scheme is fully anonymous if, for any $\ppt$ adversary
|
||||
$\adv$
|
||||
in the experiment~$\Exp{\mathrm{anon}}{\adv, d}(\lambda)$ described in Figure~\ref{exp:anon}, the following distance is negligible:
|
||||
\[\advantage{\adv}{\mathrm{anon}}\left( \lambda \right) \triangleq
|
||||
\left| \Proba{\,\Expt_{\adv, 1}^{\mathrm{anon}}(\lambda) = 1} -\Proba{\,\Expt_{\adv, 0}^{\mathrm{anon}}(\lambda) = 1} \right|\]
|
||||
|
||||
%
|
||||
\end{definition}
|
||||
|
||||
|
||||
|
||||
%One can wonder why the \emph{revocation} is not in the \emph{dynamic group
|
||||
%signature scheme} description, the reason is only pragmatic. It is a different
|
||||
%problem to build a scheme that allows to revoke a group member than a scheme
|
||||
%that allows inserting a group member~\cite{DP06}, and it has to be done in a
|
||||
%case-by-case fashion.
|
||||
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
|
||||
|
||||
|
28
macros.tex
28
macros.tex
@ -51,11 +51,11 @@
|
||||
\newcommand{\ROM}{\textsf{ROM}\xspace}
|
||||
%% Experience/Games
|
||||
\newcommand{\Exp}[2]{\ensuremath{\mathsf{Exp}^{#1}_{#2}}\xspace}
|
||||
\newcommand{\Expt}{\ensuremath{\mathbf{Exp}}\xspace}
|
||||
\newcommand{\advantage}[2]{\ensuremath{\mathrm{Advt}^{#1}_{#2}}\xspace}
|
||||
\newcommand{\oracle}[2]{\ensuremath{\mathcal O^{\,\mathsf{#1}(\,#2\,)}_{}}\xspace}
|
||||
\newcommand{\ensemble}[1]{\ensuremath{\mathcal S_{\mathsf{#1}}^{}}\xspace}
|
||||
|
||||
|
||||
\newcommand{\Proba}[1]{\ensuremath{\Pr\left[#1\right]}\xspace}
|
||||
|
||||
% Operators
|
||||
\newcommand{\sample}{\xspace\ensuremath{\hookleftarrow}\xspace}
|
||||
@ -83,5 +83,29 @@
|
||||
\newcommand{\GT}{\xspace\ensuremath{\mathbb{G}_T}\xspace}
|
||||
\newcommand{\atob}[2]{\xspace\ensuremath{\{#1,\ldots,\#2\}}}
|
||||
|
||||
% Primitives
|
||||
%% Dynamic Group Signatures
|
||||
\newcommand{\crt}{\mathsf{cert}}
|
||||
\newcommand{\scr}{\mathsf{sec}}
|
||||
\newcommand{\usk}{\mathsf{usk}}
|
||||
\newcommand{\upk}{\mathsf{upk}}
|
||||
\newcommand{\Ngs}{{N_\mathsf{gs}}}
|
||||
\newcommand{\gspk}{\mathcal{Y}}
|
||||
\newcommand{\join}{\mathsf{J}}
|
||||
\newcommand{\Sign}{\mathsf{Sign}}
|
||||
\newcommand{\user}{\mathsf{user}}
|
||||
\newcommand{\users}{\mathsf{users}}
|
||||
\newcommand{\GM}{\mathsf{GM}}
|
||||
\newcommand{\OA}{\mathsf{OA}}
|
||||
\newcommand{\ok}{\mathsf{ok}}
|
||||
\newcommand{\transcripts}{\mathsf{transcripts}}
|
||||
\newcommand{\transcript}{\mathsf{transcript}}
|
||||
\newcommand{\trace}{\mathsf{trace}}
|
||||
\newcommand{\ajoin}{\mathsf{a}\textrm{-}\mathsf{join}}
|
||||
\newcommand{\bjoin}{\mathsf{b}\textrm{-}\mathsf{join}}
|
||||
\newcommand{\pjoin}{\mathsf{p}\textrm{-}\mathsf{join}}
|
||||
\newcommand{\interface}{\mathcal{I}}
|
||||
|
||||
% Other
|
||||
\newcommand{\TODO}{\textbf{\textcolor{red}{TODO}}}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user