In this section we prove that the AAS and DAAS schemes constructed in Chapter 5 are attribute-unforgeable. In both proofs we explain the game model in detail and show that Adam can compile a list of information about the attribute he lacks but cannot forge it without breaking the DLP.
A.3.1 Unforgeability of Attributes in AAS
Theorem A.3.1. Breaking the Unforgeability of Attributes in the AAS construction is as hard as solving the DLP.
The following shows details of the game model defined in Section 5.4. Following that is a table presenting all the information Adam can obtain within the game. We later prove that the information is not enough to break the unforgeability of attributes without solving the DLP.
• Setup: Charles sets up the system. He generates $S_{pub}$ and $S_{pri}$. He also creates a set of private key bases $bsk[i] = \langle A_i, x_i \rangle$. He chooses the set of master keys $t_j$ for every attribute $j$ and calculates the attribute public keys $bpk_j$. He sends $S_{pub}$
– Signature Oracle as described in Section 5.4. Note that Charles has all private keys and attribute master keys he needs in order to create a valid signature $\sigma$ and send it to Adam.
– USK Oracle as described in Section 5.4. Charles has given Adam all the $A_i$ but not $bsk[i] = \langle A_i, x_i \rangle$.
– AttPriKey Oracle as described in Section 5.2, where Adam can send a key $A_i$ and an index $j$ and in return he gets $T_{i,j}$.
– AttMasKey Oracle as described in Section 5.2, where Adam sends an attribute index $j$ to get the master key $t_j$.
Notice that the TVfy Oracle in Section 5.2 is not used here because the Signature Oracle is sufficient (i.e., it runs the TVerify algorithm). Furthermore, the Revoke oracle of Section 5.4 is not required since all $A_i$ are given to Adam and he can run the open algorithm himself.
• Challenge: Adam sends a tree $\Gamma_1$, a user $l$ and an attribute $z$ on which he would like to be challenged. Charles replies with $D$ for a tree $\Gamma_2$, where $\Gamma_2$ has two subtrees: the first is $\Gamma_1$ and the other is based on $t_z$. The threshold value of the root in $\Gamma_2$ is 2. The challenge condition is that user $l$ has not been queried in AttPriKey for the attribute $z$. Furthermore, the challenged index $z$ should not have been queried in AttMasKey. These two conditions are reasonable, since such queries would contradict the purpose of the game.
• Phase 2: This phase is similar to Phase 1 as long as the challenge conditions are not broken.
• Output: Adam outputs a signature $\sigma$ for the user $l$ on the verification key $D$. If that signature is valid then the adversary wins; otherwise Adam loses.
From the traceability game one can conclude that the signature created in the output is for a user who has been queried in the USK oracle. Therefore Adam can easily create the elements of the signature $\sigma = (r, C_1, C_2, C_3, C_4, c, s_\xi, s_x, s_\delta)$ since we know he has obtained $bsk[i]$. Table A.3.1 shows the elements that Adam has gained through his queries. Our approach to showing that Adam cannot create a signature with the missing attribute $z$ is similar to the proof in Section 5.2.
Table A.1: Information Obtained by Adam

| Information | Source |
|---|---|
| $S_{pub} = \langle G_1, G_2, G_3, e, H, H_0, g_1, g_2 \rangle$ | Setup Phase |
| List of $A_i$ | Setup Phase |
| List of $bpk_j = w^{t_j}$ | Setup Phase |
| List of $bsk[i] = \langle A_i, x_i \rangle$ | USK Oracle |
| 2D array of $T_{i,j} = A_i^{1/t_j}$ where $i \neq l$ and $j \neq z$ | AttPriKey Oracle |
| List of $\sigma = (r, C_1, C_2, C_3, C_4, c, s_\xi, s_x, s_\delta, F_{root})$ | Signature Oracle |
| List of $t_j$ where $j \neq z$ | AttMasKey |
| List of $D = \langle bpk_1, \ldots, bpk_\kappa \rangle$ | Challenge |

Let the root polynomial be $q_r(x)$. The subtree $\Gamma_1$ has a root with the polynomial $q_1(x)$, and the other child, holding attribute $t_z$, has a polynomial $q_2(x)$. Further let $q_r(0) = \alpha$, $q_1(0) = q_r(x_1) = y_1$ and $q_2(0) = q_r(x_2) = y_2$. The root polynomial is of degree 1 since the threshold gate is 2. Adam therefore knows that Lagrange interpolation is applied, so the following formula must hold:

$$F_{root} = e(A_l, w)^{\alpha\beta} = \left(e(A_l, w)^{y_2 \cdot x_2}\, e(A_l, w)^{-y_1 \cdot x_2}\right)^{\beta/(x_1 - x_2)}$$
Adam also knows the value of the elements $(x_1, x_2, \beta, e(A_l, w)^{y_2}, A_l, w, w^{t_z})$.
Adam does not know $e(A_l, w)^{\alpha}$, $e(A_l, w)^{y_1}$, $\alpha$, $y_1$, and $t_z$.
Note that the values $x_1$, $x_2$, $y_1$, $y_2$, and $\alpha$ change each time a $D$ is created, including in the challenge. $\alpha$ does not appear explicitly or implicitly in any of the elements Adam has obtained, since it is random each time a $D$ is created, and that includes the challenge. This implies that $F_{root}$ can be calculated only by deriving the term $e(A_l, w)^{-y_1 \cdot x_2}$. Recall that $y_1$ is random each time $D$ is calculated. It appears within the game just once, and that is in the challenge in $D_k = bpk_k^{y_1} = w^{t_z y_1}$, where $y_1$ is totally bound to $t_z$ since neither $t_z$ nor $A_l^{1/t_z}$ is known.
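The interpolation step of the argument above, as an added example that is not part of the original text: a toy prime-order subgroup of Z_P^* stands in for the pairing target group and E for e(A_l, w), with the standard Lagrange coefficients at 0 (all parameters and function names are assumptions made for the illustration). It shows that F_root is recovered from both exponentiated shares, and that without E^{y_1} every group element remains a possible F_root.

```python
# Added illustration: a toy prime-order subgroup of Z_P^* stands in for the
# pairing target group, and E plays the role of e(A_l, w). All numbers are
# constructed for this example and are far too small for real use.
P, Q = 2039, 1019   # P = 2Q + 1, both prime
E = 4               # generator of the order-Q subgroup

def lagrange_at_zero(x_i, x_other):
    """Coefficient of the share at x_i when interpolating q_r(0) from two points."""
    return (-x_other) * pow((x_i - x_other) % Q, -1, Q) % Q

def shares(alpha, slope, x1, x2):
    """Degree-1 root polynomial q_r(x) = alpha + slope*x; returns (y1, y2)."""
    return (alpha + slope * x1) % Q, (alpha + slope * x2) % Q

def f_root(e_y1, e_y2, x1, x2, beta):
    """Interpolate in the exponent: E^{y1}, E^{y2} -> E^{alpha*beta}."""
    l1, l2 = lagrange_at_zero(x1, x2), lagrange_at_zero(x2, x1)
    return pow(pow(e_y1, l1, P) * pow(e_y2, l2, P) % P, beta, P)

def reachable_f_roots(e_y2, x1, x2, beta):
    """All F_root values Adam could output when he must guess E^{y1}."""
    return {f_root(pow(E, guess, P), e_y2, x1, x2, beta) for guess in range(Q)}

if __name__ == "__main__":
    alpha, slope, x1, x2, beta = 123, 456, 1, 2, 77   # constructed values
    y1, y2 = shares(alpha, slope, x1, x2)
    target = pow(E, alpha * beta % Q, P)
    # With both shares the honest computation hits the target.
    print(f_root(pow(E, y1, P), pow(E, y2, P), x1, x2, beta) == target)
    # With E^{y1} unknown, the known share E^{y2} excludes no candidate at all.
    print(len(reachable_f_roots(pow(E, y2, P), x1, x2, beta)) == Q)
```

The toy group models only the interpolation step; it does not model the pairing or the binding of y_1 to t_z in D_k.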
A.3.2 Unforgeability of Attributes in the DAAS scheme
Theorem A.3.2. Breaking the Unforgeability of Attributes in the DAAS construction is as hard as solving the DLP.
The following shows details of the game model defined in Section 5.5. Following that is a table presenting all the information Adam can obtain within the game. We later prove that the information is not enough to break the unforgeability of attributes without solving the DLP.
• AFDAAS.Setup: Charles sets up the system. He generates the tracing key $tk$, the issuer key $isk$, and the general public key $gpk$. Charles plays the role of all attribute authorities in the system. He creates the universe of attributes by choosing a list of master keys $t_1, \ldots, t_m$. Charles calculates the attribute public keys $bpk_1, \ldots, bpk_m$, which he sends together with $tk$ and $gpk$ to Adam. Charles keeps $isk$ and the list of $t_j$ to himself.
• AFDAAS.Phase (1): Charles runs the oracles USK, Signature, CrptJoinUsr, AttPriKey, and AttMasKey. Adam can query these oracles in order to obtain information that may help him break the scheme.
he would like to be challenged on. Charles replies with $D$ for a tree $\Gamma_2$, where $\Gamma_2$ has two subtrees: the first is $\Gamma_1$ and the other is based on $t_z$. The threshold value of the root in $\Gamma_2$ is 2. The challenge condition is that user $l$ has not been queried in AttPriKey for the attribute $z$. Furthermore, the challenged index $z$ should not have been queried in AttMasKey. These two conditions are reasonable, since such queries would contradict the purpose of the game.
• AFDAAS.Phase (2): This phase is similar to Phase 1 as long as the challenge conditions are not broken.
• AFDAAS.Output: Adam outputs a signature $\sigma$ for the user $l$ on the verification key $D$. If that signature is valid then the adversary wins and Charles outputs 1; otherwise Adam loses and Charles outputs 0.
Charles can reply to the oracles without problems since he has all the private keys needed to create the outputs, such as $tk$, $isk$, and the list of $t_j$. The proof for this scheme is similar to the technique used in Section 5.2. From the traceability game we can conclude that, for the signature to be valid, the signer must have been queried by Adam in either the USK oracle or the CrptJoinUsr oracle. Therefore Adam can easily create the elements of the signature $\sigma = (r, C_1, C_2, C_3, C_4, C_5, C_6, c, s_\xi, s_x, s_\delta, s_z, s_\delta)$ since we know he has obtained $bsk[i]$. The table below summarizes the information Adam can obtain through the game model. The challenge for Adam is to create an $F_{root}$ where $F_{root}^{1/\alpha} C_5 = e(C_4, C_6)$ and $\alpha$ is unknown to Adam.

Table A.2: Information Obtained by Adam

| Information | Source |
|---|---|
| $isk = \gamma$ | Setup Phase |
| $gpk = \langle e, G_1, G_2, G_3, H, g_1, g_2, g_3, g_4, h, w \rangle$ | Setup Phase |
| List of $A_i$ | Setup Phase |
| List of $bpk_j = w^{t_j}$ | Setup Phase |
| List of $bsk[i] = \langle A_i, x_i, y_i \rangle$ | USK Oracle |
| List of $bsk[i] = \langle A_i, x_i \rangle$ for a $y_i$ chosen by Adam | CrptJoinUsr Oracle |
| 2D array of $T_{i,j} = A_i^{1/t_j}$ where $i \neq l$ and $j \neq z$ | AttPriKey Oracle |
| List of $\sigma = (C_1, C_2, C_3, C_4, C_5, C_6, F_{root}, c, s_\zeta, s_\delta, s_x, s_z)$ | Signature Oracle |
| List of $t_j$ where $j \neq z$ | AttMasKey |
| List of $D = \langle bpk_1, \ldots, bpk_\kappa \rangle$ | Challenge |
As in Section A.3.1, let the root polynomial be $q_r(x)$. The subtree $\Gamma_1$ has a root with the polynomial $q_1(x)$, and the other child, holding attribute $t_z$, has a polynomial $q_2(x)$. Further let $q_r(0) = \alpha$, $q_1(0) = q_r(x_1) = y_1$ and $q_2(0) = q_r(x_2) = y_2$. The root
that Lagrange is applied, therefore the following formula must hold:

$$F_{root} = e(A_l, w)^{\alpha\beta} = \left(e(A_l, w)^{y_2 \cdot x_2}\, e(A_l, w)^{-y_1 \cdot x_2}\right)^{\beta/(x_1 - x_2)}$$

Adam also knows the value of the elements $(x_1, x_2, \beta, e(A_l, w)^{y_2}, A_l, w, w^{t_z})$.
Adam does not know $e(A_l, w)^{\alpha}$, $e(A_l, w)^{y_1}$, $\alpha$, $y_1$, and $t_z$.
Note that the values $x_1$, $x_2$, $y_1$, $y_2$, and $\alpha$ change each time a $D$ is created, including in the challenge. $\alpha$ does not appear explicitly or implicitly in any of the elements Adam has obtained, since it is random each time a $D$ is created, and that includes the challenge. This implies that $F_{root}$ can be calculated only by deriving the term $e(A_l, w)^{-y_1 \cdot x_2}$. Recall that $y_1$ is random each time $D$ is calculated. It appears within the game just once, and that is in the challenge in $D_k = bpk_k^{y_1} = w^{t_z y_1}$, where $y_1$ is totally bounded