
The notion of non-frameability in DA-schemes can have several flavors. As before we can think of insider non-frameability, where coalitions of malicious group members should not be able to generate signatures that will then be traced to some honest group member. The strongest notion is still full non-frameability where the adversary is given further access to the secret keys of both group authorities. However, DA-schemes may also allow coalitions of malicious group members and only one authority (either issuer or opener). These latter flavors are clearly weaker than full non-frameability.

Insider Non-Frameability for DA-Schemes

In Definition 2.27 we formalize the notion of insider non-frameability for DA-schemes. This definition is largely similar to full non-frameability of group signatures with one group manager, except that it uses two different secret keys (ik and ok). Note that if the DA-scheme comes with an explicit user PKI, then the adversary can be given access to the AddPKI(·, ·) oracle, but the output conditions should also check that this oracle has not been used to register i∗.

Definition 2.27 (Insider Non-Frameability: DA) A group signature scheme with distributed authorities Γ = (GKg, (JoinM, JoinU), GSign, GVrfy, Open, Judge) provides insider non-frameability if for all PPT adversaries A, the following advantage function is negligible (in κ):

$$\mathsf{Adv}^{\text{I-NF}}_{\Gamma,\mathcal{A}}(1^\kappa) = \Pr\left[\mathsf{Expt}^{\text{I-NF}}_{\Gamma,\mathcal{A}}(1^\kappa) = 1\right].$$

The associated I-NF-experiment $\mathsf{Expt}^{\text{I-NF}}_{\Gamma,\mathcal{A}}(1^\kappa)$ proceeds as follows:

Initialization. The key generation algorithm GKg(1^κ) is executed to produce (gpk, ik, reg, ok).

Attack Stage. Adversary A receives gpk.

1. A can submit queries to the oracles AddU(·), JoinM(ik, ·), Corrupt(·), GSign(gsk[·], ·), and Open(ok, ·, ·, reg).

2. A stops and eventually outputs a tuple (m∗, σ∗, i∗, τ∗).

Output. If all of the following hold then the experiment outputs 1:

1. GVrfy(gpk, m∗, σ∗) = 1 and i∗ ∈ [1, n] and Judge(gpk, m∗, σ∗, i∗, τ∗) = 1

2. A did not submit i∗ to JoinM(ik, ·)

3. A did not submit i∗ to Corrupt(·)

4. A did not submit (i∗, m∗) to GSign(gsk[·], ·).

Otherwise it outputs 0.

Remark 2.4.3 If the DA-scheme Γ does not provide verifiable opening then the output conditions of the experiment $\mathsf{Expt}^{\text{I-NF}}_{\Gamma,\mathcal{A}}(1^\kappa)$ should check whether Open(ok, m∗, σ∗, reg) = i∗ (as in Definition 2.14).

The notion of insider non-frameability can be strengthened towards stronger coalitions of group members with corrupted issuers and/or openers as discussed below.

Full Non-Frameability

In Definition 2.28 we formalize the notion of full non-frameability of DA-schemes. This is done similarly to the earlier definitions, except that now A receives the two keys ik and ok. In particular, the experiment ensures that a successful framing attack is performed against a group member i∗ previously admitted through the JoinU(gpk, ·) oracle (check that gsk[i∗] ≠ ε) and not corrupted thereafter. This definition can also be adapted to schemes with an explicit user PKI by granting A additional access to the AddPKI(·, ·) oracle and prohibiting its use for the registration of i∗.

Definition 2.28 (Full Non-Frameability: DA) A group signature scheme with distributed authorities Γ = (GKg, (JoinM, JoinU), GSign, GVrfy, Open, Judge) provides full non-frameability if for all PPT adversaries A, the following advantage function is negligible (in κ):

$$\mathsf{Adv}^{\text{F-NF}}_{\Gamma,\mathcal{A}}(1^\kappa) = \Pr\left[\mathsf{Expt}^{\text{F-NF}}_{\Gamma,\mathcal{A}}(1^\kappa) = 1\right].$$

The associated F-NF-experiment $\mathsf{Expt}^{\text{F-NF}}_{\Gamma,\mathcal{A}}(1^\kappa)$ proceeds as follows:

Initialization. The key generation algorithm GKg(1^κ) is executed to produce (gpk, ik, reg, ok).

Attack Stage. Adversary A receives (gpk, ik, ok, reg).

1. A can submit queries to the oracles JoinU(gpk, ·), Corrupt(·), and GSign(gsk[·], ·).

2. A stops and eventually outputs a tuple (m∗, σ∗, i∗, τ∗).

Output. If all of the following hold then the experiment outputs 1:

1. GVrfy(gpk, m∗, σ∗) = 1 and i∗ ∈ [1, n] and Judge(gpk, m∗, σ∗, i∗, τ∗) = 1

2. gsk[i∗] ≠ ε

3. A did not submit i∗ to Corrupt(·)

4. A did not submit (i∗, m∗) to GSign(gsk[·], ·).

Otherwise it outputs 0.

Remark 2.4.4 If the DA-scheme Γ does not have verifiable opening then the output conditions of the experiment $\mathsf{Expt}^{\text{F-NF}}_{\Gamma,\mathcal{A}}(1^\kappa)$ should check whether Open(ok, m∗, σ∗, reg∗) = i∗, assuming that A additionally outputs a registration list reg∗ (as in Definition 2.15). Instead of requiring that A outputs reg∗ we could also give A access to the write oracle WReg(·, ·) and use the resulting registration list in the above check.

Finally, we observe that several intermediate flavors residing between insider and full non-frameability can be obtained by giving A partial access to the secret keys of both authorities. For example, A can be given as input the issuing key ik and write access to reg, but not the opening key ok. In this case A would have to get the opening oracle but the output conditions of experiment $\mathsf{Expt}^{\text{F-NF}}_{\Gamma,\mathcal{A}}(1^\kappa)$ would remain the same. Alternatively, A can be given the opening key ok and the read access to reg, but not the issuing key ik. In this case one would remove the JoinU(gpk, ·) oracle and modify the second output condition according to the experiment for insider non-frameability from Definition 2.27.
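The bookkeeping behind the output conditions of Definitions 2.27 and 2.28, as an added example that is not part of the original text. `ToyScheme` is a constructed stand-in (per-member HMAC, neither anonymous nor a group signature) used only to make GVrfy and Judge concrete; all class and method names are assumptions, and condition 2 of the full experiment is implemented as "i∗ was admitted through JoinU", as the prose before Definition 2.28 describes.

```python
import hmac, hashlib, os

class ToyScheme:
    """Constructed stand-in, NOT a group signature: sigma = (i, HMAC(gsk[i], m))."""
    def __init__(self, n):
        self.n, self.gsk = n, {}            # key absent  <=>  gsk[i] is empty (ε)
    def join(self, i):
        self.gsk[i] = os.urandom(16)
    def gsign(self, i, m):
        return (i, hmac.new(self.gsk[i], m, hashlib.sha256).digest())
    def gvrfy(self, m, sigma):
        i, tag = sigma
        return i in self.gsk and hmac.compare_digest(tag, self.gsign(i, m)[1])
    def judge(self, m, sigma, i, tau):
        return self.gvrfy(m, sigma) and sigma[0] == i   # tau is unused in the toy

class NFExperiment:
    """Records oracle queries and evaluates the I-NF (full=False) or F-NF output."""
    def __init__(self, scheme, full):
        self.s, self.full = scheme, full
        self.adv_joined, self.corrupted, self.signed = set(), set(), set()
    def add_u(self, i):       # AddU in I-NF, JoinU in F-NF: an honest member joins
        self.s.join(i)
    def join_m(self, i):      # I-NF only: the adversary joins as member i
        assert not self.full, "F-NF gives A the key ik instead of JoinM"
        self.s.join(i)
        self.adv_joined.add(i)
        return self.s.gsk[i]
    def corrupt(self, i):     # hands gsk[i] to the adversary and remembers i
        self.corrupted.add(i)
        return self.s.gsk[i]
    def gsign(self, i, m):    # signing oracle: remembers the pair (i, m)
        self.signed.add((i, m))
        return self.s.gsign(i, m)
    def output(self, m, sigma, i, tau=None):
        c1 = (self.s.gvrfy(m, sigma) and 1 <= i <= self.s.n
              and self.s.judge(m, sigma, i, tau))
        # Condition 2 is the only one that differs between the two experiments.
        c2 = (i in self.s.gsk) if self.full else (i not in self.adv_joined)
        c3 = i not in self.corrupted
        c4 = (i, m) not in self.signed
        return int(c1 and c2 and c3 and c4)
```

Conditions 2 to 4 only rule out trivial wins: replaying an oracle signature, signing with a corrupted key, or blaming a member the adversary controls all make the experiment output 0.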


Hardness Assumptions

Foundations of modern cryptography include various hardness assumptions for proving security of cryptographic schemes and a broad spectrum of cryptographic primitives serving as building blocks for more advanced cryptographic constructs. In this chapter we introduce several hardness assumptions and provide an overview of primitives that will become relevant in our description of modern group signatures. We start with general assumptions that consider existence of certain types of abstractly defined functions and continue with the description of more concrete hardness assumptions based on number theory. Additionally, we will give an overview of several basic cryptographic building blocks and their security properties.

3.1. General Hardness Assumptions

We describe two general hardness assumptions — existence of one-way functions/permutations and existence of trapdoor permutations. These assumptions are foundational for many cryptographic primitives. As we will see, the assumption on the existence of trapdoor permutations is important in the context of group signatures.