Territorio: Un encuentro y construcción de ideas

Theorem 6.3.1. Our generic construction is unforgeable if the revocation scheme is sound, the pseudonym scheme is key-extractable, the commitment scheme is opening-extractable and binding, and the PABS scheme is unforgeable.

Proof. We prove the above theorem through a sequence of games played with the unforgeability adversary A. The first game Game 0 is the normal security experiment as defined in §3.3.3. The last game is such that, given an adversary A who has non-negligible success in winning it, we can construct a polynomial-time adversaryB against the unforgeability of the signature scheme, cf. Definition4.3.2. For each hop between intermediate games, we show that they are indistinguishable from the adversary’s view under appropriate assumptions.

Game 0: This is the original unforgeability experiment as defined in §3.3.3.

Game 1: This game relies on the revocation soundness property (see Definition4.4.2) to gener- ate simulated system parameters (spar_r, τr)←$ Er1(sparg) and extract the revocation han-

dles and opening information (rhr_i, or

rh,i) ← $ _Er

2(sparr, τr, crh,i,rti) from all commitments

crh,iin presentation and issuance tokens produced by the adversary in the setsF andIT. LetRIibe the revocation information used in each token and letepoch_ibe the highest value so that (ipk_i,RIi,epoch_i) ∈ RI. The game aborts if ComOpenVf(crh,i,rhri, orrh,i) =reject or if rhr_i was revoked at epoch_i, i.e., if there exists (ipk_i,rhi,epoch0_i) ∈ RRH such that epoch0_i ≤epoch_i.

Any adversary A that causes this to happen can be used to build an adversary B that breaks the revocation soundness by, on input rpk,RI,spar_r, using rpk and RI as part of the public key and revocation information of a random honest issuer I∗. It runs the code of Game 1, but responds to revocation queries for issuer I∗ using its ownOrevoke _oracle.

At the end of the game, B outputs a commitment crh,i and revocation token rti from a random presentation or issuance token and for a randomisuch that ipki=ipk∗I∗.

As simulated and real parameters are indistinguishable, this game is indistinguishable from the previous one, as long as no abort happens. However, by the above arguments, the latter only happens with negligible probability.

Game 2: This game relies on the key extractability of the pseudonym scheme (see Defini- tion 4.5.2) to generate the pseudonym parameters as (spar_p, τp) ←$ Ep₁(sparg) and extract

the user secret keys and opening information (uskp_{, o}p

usk)← $ _Ep

2(sparp, τp, cusk,scope,nym, π) from all presentation and issuance tokens inF ∪IT for whichscope6=ε. Note that the key extractability property guarantees thatNymGen(usk,scope) =nymand ComOpenVf(uskp, cusk, op_usk) =accept.

As simulated and real parameters are indistinguishable, this game is indistinguishable from the previous one.

Game 3: This game uses the opening extractability of the commitment scheme (see Defini- tion 4.2.4) to generate the commitment parameters as (spar_c, τc)←$ Ec1(1κ, `0).

As simulated and real parameters are indistinguishable, this game is indistinguishable from the previous one.

Game 4: This game uses the unforgeability of thePABSscheme as per Definition4.3.2to extract signatures from all presentation and issuance tokens produced by the adversary. More specifically, it generates (spar_s, τs) ←$ Es1(sparg) and extracts (sigi,((αsi,j)j6∈Ri,usk

s i,rhsi), ((os i,j)j∈Ei, o s usk,i, osrh,i)) ← $ _E2(τ

s,ipki,(ai,j)j∈Ri,((ceq(i,j))j∈Ei, cusk, crh,i),spti) for all pre- sentation and issuance tokens in F ∪ IT and for all iwhere ipk_i ∈ IK∗. Letαs

i,j ← ai,j for all j ∈ Ri. If for some of the extracted signatures, attributes, and opening infor- mation SigVf(sig_i,(αs

i,1, . . . , αsi,ni,usk s

i,rhsi),ipk) = reject, ComOpenVf(αsi,j, ceq(i,j), osi,j) = reject for some j ∈ Ei, ComOpenVf(usksi, cusk, osusk,i) = reject, or ComOpenVf(rhsi, crh,i,

os

rh,i) =reject, then the game aborts.

An adversary A that causes the game to abort can be used to build a forger B for the PABS scheme as follows. On input spar_s,ipk, algorithm B generates parameters for the pseudonym and revocation scheme and guesses a random issuer index I∗ ←$

{1, . . . , nI}. It generates fresh user secret keys (usk∗i)ni=1U for all users and fresh revocation keys (rski,rpki,RIi)ni=1I for all issuers. It also generates fresh issuer keys (ipk

∗ i,isk ∗ i) nI i=1,i6=I∗

for all issuers i6=I∗, but setsipk∗_I∗ ←ipk. It answersA’s oracle queries as follows:

• Oissuer_{(issue,nym,pit,scope,rh,(ipk}

i,RIi,(ai,j)j∈Ri)

k+1

i=1, E,M): Algorithm B first verifies the issuance token pit and, if ipk_k+1 6= ipk∗_I∗, performs a normal issuance

protocol since it knows all required keys. If ipk_k+1 = ipk∗_I∗, B queries its own or-

acleOissuer_((ak+1,j)j

∈Rk+1,(ceq(k+1,j), πeq(k+1,j))j∈Ek+1,(cj, πj)j6∈Rk+1∪Ek+1) and for- wards all forthcoming messages back and forth betweenAand the oracle.

• Oissuer_{(revoke, I,rh): As in the normal game.} • Ouser_{(present, U,scope,(ipk}

i,RIi,cidi, Ri)ki=1, E,M): It follows the steps ofPresent, but for thoseiwhereipk_i =ipk∗_I∗Bgeneratesspt_iby querying its ownOuser oracle on

input (token,cidi, Ri,((ceq(i,j), oeq(i,j))j∈Ei,(cusk, ousk),(crh,i, orh,i)),M

0_{), where M}0 ₌ presentationkMkscopek(ipk_i,(ai,j)j∈Ri)

k i=1kE.