
General Construction Security Proofs

In document Attribute based authentication schemes (Page 128-131)

To prove full traceability and full anonymity of the general construction in Section 6.2, we introduce three entities: Adam, an adversary who tries to break the security of the AAS scheme; Charles, the challenger in the adversarial game models of the group signature scheme; and Eve, who plays the role of the challenger when dealing with Adam and the role of the adversary when dealing with Charles. Assuming that Adam breaks the security of the AAS scheme, we will show how Eve would win the challenge against Charles. We shall start with the full anonymity of the general construction.

Theorem 6.3.1. Anonymity of AAS: Given a group signature that is fully anonymous, the attribute based authentication scheme created by the general construction is fully anonymous too.

Consider the following game:

• Init: Adam chooses (t1,...,tm) ∈ Z_p^* as master keys.

• Setup: Charles runs SGS.Setup to produce Spub and Spri. Charles sends Spub to Eve. Eve adds two hash functions H1 and H2 to Spub and sends them to Adam.

• Phase(1): This stage consists of three oracles. In the USK oracle, Adam sends Eve an index i. Eve sends that index to Charles as a query to the PriKey oracle (see Section 4.2.2). Charles replies with bsk[i]. Eve sends Ai = H1(bsk[i]) of member i together with bsk[i] to Adam.

In the Signature oracle, Adam can calculate a D since he has the master keys (t1,...,tm). He sends D, a message M and an index i to Eve. Eve sends i to Charles and queries the PriKey oracle. Charles responds with bsk[i]. Eve calculates Ai = H1(bsk[i]). She calculates GS.σ. She has the master keys to calculate as many Ti,j as she needs. She chooses a random β ∈ Z_p^* which will help her calculate (Froot, td) as shown in the general construction. Eve can send Adam σ = (GS.σ, Froot, td).

In the Open oracle, Adam can either send a signature he received in the Signature oracle or a signature he creates from one of the private keys he got from the private key oracle. Along with σ he sends the message M and the verification key D. Eve sends GS.σ and M to Charles, accessing the Open oracle of the group signature anonymity game. Charles sends back an index. Eve sends that index to Adam.

• Challenge: Adam sends Eve two indexes (i0, i1), a message M and D as a challenge. Eve sends Charles (i0, i1, M) as her challenge. Charles replies with GS.σb. Eve can calculate (Froot, td) by choosing a random td ∈ G1. She then calculates td^(1/tj) for all attributes needed. Finally she can calculate Froot = e(td, w)^α. Adam will not be able to tell it is an invalid pair since he cannot distinguish between td = H1(bsk[i])^β and a random generator. Eve sends σb = (GS.σ, Froot, td) to Adam.

• Phase 2: Phase 2 is similar to phase 1 as long as the open oracle is not queried with the same index used in the challenge.

• Guess: Adam gives a guess b̄ to Eve and she sends b̄ to Charles as her own guess.

If Adam can guess b̄ then Eve can guess the signer of GS.σb. Note that we dropped L and TK from the anonymity analysis. L is an element that preserves the randomness of the signature in the public key and has nothing related to the signer. It is hard to distinguish between L = e(td, H2(bsk[i])) and just a random L unless you have the tracing list T. TK is a signature on Froot and is anonymous since the group signature is anonymous. It also reveals nothing about the signer unless you have the tracing keys, since both TK and GS.σ should trace to the same signer.
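The message flow of the anonymity game above, as an added example that is not part of the original document: Eve answers Adam's oracle queries by calling Charles's oracles and passes Adam's guess on unchanged, so she wins against Charles exactly when Adam guesses b. Everything cryptographic is a constructed stand-in (assumptions): the group signature is a toy HMAC tag that reveals its signer with probability leak, H1 is SHA-256, td and Froot are random or hashed strings rather than pairing-group elements, and all class and function names are hypothetical.

```python
import hashlib, hmac, random, secrets

def H1(bsk):                       # stand-in for H1; the real output is a group element
    return hashlib.sha256(b"H1" + bsk).hexdigest()

class Charles:                     # challenger of the group-signature anonymity game (toy GS)
    def __init__(self, n, leak):
        self.bsk = [secrets.token_bytes(16) for _ in range(n)]
        self.b, self.leak, self.chal = secrets.randbelow(2), leak, None
    def prikey(self, i):           # PriKey oracle
        return self.bsk[i]
    def sign(self, i, msg):        # toy GS.sigma; reveals its signer with probability leak
        tag = hmac.new(self.bsk[i], msg, hashlib.sha256).hexdigest()
        return (tag, i if random.random() < self.leak else None)
    def challenge(self, i0, i1, msg):
        self.chal = self.sign((i0, i1)[self.b], msg)
        return self.chal
    def open(self, gs, msg):       # Open oracle; the challenge signature is refused
        if gs == self.chal:
            raise ValueError("challenge signature may not be opened")
        return next(i for i, k in enumerate(self.bsk)
                    if hmac.new(k, msg, hashlib.sha256).hexdigest() == gs[0])
    def finish(self, guess):       # did the guess match Charles's hidden bit b?
        return guess == self.b

class Eve:                         # challenger towards Adam, adversary towards Charles
    def __init__(self, charles):
        self.c = charles
    def usk(self, i):              # USK oracle: returns (Ai, bsk[i])
        bsk = self.c.prikey(i)
        return H1(bsk), bsk
    def open(self, sigma, msg):    # only GS.sigma and M are forwarded to Charles
        return self.c.open(sigma[0], msg)
    def challenge(self, i0, i1, msg):
        gs = self.c.challenge(i0, i1, msg)
        td = secrets.token_hex(16)                       # random td, not H1(bsk[i])^beta
        froot = hashlib.sha256(td.encode()).hexdigest()  # placeholder for e(td, w)^alpha
        return (gs, froot, td)
    def guess(self, b):            # Adam's guess is passed on unchanged
        return self.c.finish(b)

def adam(eve, i0, i1):             # hypothetical adversary that exploits the toy leak
    (_, hint), _, _ = eve.challenge(i0, i1, b"M")
    return 0 if hint == i0 else 1 if hint == i1 else secrets.randbelow(2)

def win_rate(leak, rounds=2000):   # fraction of games Eve wins against Charles
    games = (Eve(Charles(4, leak)) for _ in range(rounds))
    return sum(e.guess(adam(e, 1, 2)) for e in games) / rounds
```

win_rate(1.0) is 1.0 and win_rate(0.0) stays near 0.5: whatever advantage Adam has against the simulated AAS challenge is Eve's advantage against the group signature.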

Next we shall prove Theorem 6.3.2 by the same methodology we followed for proving full anonymity. In the game in Section 5.4.2 we gave the adversary any information that would help him trace a signature. In this game, however, we need the private key bsk[i] for creating the registration key Ai, and Eve does not have all bsk[i] values, so we shall have a Tracing-key oracle. The oracle is defined in the Queries phase below.

Theorem 6.3.2. Traceability of AAS: Given a group signature that is fully traceable, the attribute based authentication scheme created by the general construction is fully traceable too.

Consider the following game:

• Init: Adam chooses (t1,...,tm) ∈ Z_p^* as master keys.

• Setup: The Setup of this game model is similar to the setup in the anonymity game model, where Charles runs SGS.Setup to produce Spub and Spri, then sends Spub to Eve. Eve adds hash functions H1 and H2 to Spub and sends them to Adam. However, in this game model Adam is given the secret tracing keys tk.

• Queries: This stage consists of three oracles: the USK oracle, the Signature oracle and finally a Tracing-key oracle. The USK and Signature oracles are queried exactly as in the anonymity game, where Adam sends a query to Eve and Eve sends a query to the PriKey oracle. Once Eve gets the private key from Charles, she can respond to Adam by either signing a message and sending σ = (GS.σ, Froot, td, L, TK) (Signature oracle) or by sending the pair (Ai = H1(bsk[i]), bsk[i]) (USK oracle).

The last oracle is the Tracing-key oracle where Adam queries a tracing key of a user. He sends Eve an index i. Eve sends the index she got to Charles querying the PriKey oracle. She gets bsk[i] and responds to Adam by sending H2(bsk[i]).

Giving Adam access to this oracle and giving him the tracing key tk makes it possible for him to trace any signature he likes; therefore there is no need for the Open oracle in this game.

• Output: Adam asks to be challenged on a message M, which he sends to Eve. Eve calculates a random D and sends it to Adam. Adam replies with a forged signature σ. Eve challenges Charles on the same message. She sends GS.σ to Charles as her output to the challenge.

If Adam is successful in breaking full traceability, then σ should verify, which means GS.σ should verify too. The signature σ should also trace to a nonmember of the group or to a member that has not been queried. Running SGS.Open on GS.σ is one step in the AAS scheme’s Open algorithm. That means GS.σ should also trace to either a nonmember or a member that has not been queried. We can conclude that if Adam was successful in winning the game, Eve would be successful in winning the game against Charles.

Having introduced a general construction and proved that its security depends on the security of the group signature used, we shall give an example of the general construction. Section 6.4 recalls the Bellare, Micciancio and Warinschi Group Signature and uses their scheme to demonstrate the general construction in Section 6.2.
