diff --git a/README.md b/README.md index 384541c..4156799 100644 --- a/README.md +++ b/README.md @@ -46,18 +46,23 @@ $`H_{a_{i}} \leftarrow g_{1}^{r_{i}}`$ The CA randomly selects $`r_{ISK}, r, \bar{r}`$ and computes bases $`H_{ISK} \leftarrow g_{1}^{r_{ISK}}`$ + $`H_{r} \leftarrow g_{1}^{r}`$ + $`\bar{g_1} \leftarrow g_{1}^{\bar{r}}`$ + $`\bar{g_2} \leftarrow \bar{g_1}^{ISK}`$ Then the CA randomly selects $`r_p`$ and computes $`t_1 \leftarrow g_2^{r_p}`$ + $`t_2 \leftarrow \bar{g_1}^{r_p}`$ It also generates $`C \leftarrow H(t_1||t_2||g_2||\bar{g_1}||W||\bar{g_2})`$ + $`s \leftarrow r_{p} %2B C \cdot ISK`$ The issuer public key $`PK_{I}`$ is @@ -79,13 +84,17 @@ $`sk_{c} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ and random elements $`r_{sk} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ + $`nonce \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ and then computes $`N \leftarrow H_{ISK}^{sk_{c}}`$ + $`t \leftarrow H_{ISK}^{r_{sk}}`$ + $`C \leftarrow H(t||H_{ISK}||N||nonce||h_{CA})`$ + $`s \leftarrow r_{sk} %2B C \cdot sk_{c}`$ The credential request sent to the CA is $`\{ N, nonce, C, s \}`$. @@ -101,12 +110,15 @@ $`C = H(t'||H_{ISK}||N||nonce||h_{CA})`$ If so, the CA picks random elements $`E \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ + $`S \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ and computes $`B \leftarrow g_{1} \cdot N \cdot H_{r}^S \cdot \prod_{i=0}^4 H_{a_{i}}^{a_{ci}}`$ + $`e \leftarrow \frac{1}{E %2B ISK}`$ + $`A \leftarrow B^e`$ The CA returns the credential $`\{ A, B, S, E \}`$ to the user. 
@@ -131,38 +143,63 @@ $`Nym \leftarrow N \cdot H_{r}^{r_{n}}`$ And then generates the new signature as follows $`n \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ + $`r_1 \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ + $`r_2 \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ + $`r_3 \leftarrow \frac{1}{r_1}`$ + $`A' \leftarrow A^{r_1}`$ + $`\bar{A} \leftarrow B^{r1} \cdot A'^{-E}`$ + $`B' \leftarrow \frac{B^{r1}}{H_{r}^{r_2}}`$ + $`S' \leftarrow S-r_2 \cdot r_3`$ The client then generates random elements $`r_{sk_{c}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ + $`r_{e} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ + $`r_{r_2} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ + $`r_{r_3} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ + $`r_{S'} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ + $`r_{r_{n}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ + $`r_{a_{0}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ + $`r_{a_{1}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ + $`r_{a_{2}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ + $`r_{a_{3}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ and then generates $`t_1 \leftarrow A'^{r_{e}} \cdot H_{r}^{r_{r_2}}`$ + $`t_2 \leftarrow B'^{r_{r_3}} \cdot H_{ISK}^{r_{sk_{c}}} \cdot H_{r}^{r_{S'}} \cdot \prod_{i=0}^4 H_{a_{i}}^{r_{a_{i}} \bar{d}_i}`$ + $`t_3 \leftarrow H_{ISK}^{r_{sk_{c}}} \cdot H_{r}^{r_{r_{n}}}`$ + $`C \leftarrow H(H(t_1||t_2||t_3||A'||\bar{A}||B'||Nym||h_{CA}||d_0||\ldots||d_3||m)||n)`$ + $`S_{sk_{c}} \leftarrow r_{sk_{c}} %2B sk_{c} C`$ + $`S_{E} \leftarrow r_{e} - E C`$ + $`S_{r_2} \leftarrow r_{r_2} %2B r_2 C`$ + $`S_{r_3} \leftarrow r_{r_3} - r_3 C`$ + $`S_{S'} \leftarrow r_{S'} %2B S' C`$ + $`S_{r_{n}} \leftarrow r_{r_{n}} %2B r_{n} C`$ and for each attribute $`a_{i}`$ that requires disclosure, it generates 
@@ -180,7 +217,9 @@ $`e(W, A') = e(g_{2}, \bar{A})`$ If so, it recomputes $`t'_1 \leftarrow \frac{A'^{S_{E}} \cdot H_{r}^{S_{r_2}}}{\left( \bar{A} \cdot B'^{-1} \right)^C}`$ + $`t'_2 \leftarrow H_{r}^{S_{S'}} \cdot B'^{S_{r_3}} \cdot H_{ISK}^{S_{sk_{c}}} \cdot \prod_{i=0}^4 H_{a_{i}}^{S_{a_{i}} \bar{d}_i} \cdot \left(g_{1} \cdot \prod_{i=0}^4 H_{a_{i}}^{a_{i} d_i} \right)^C`$ + $`t'_3 \leftarrow \frac{H_{ISK}^{S_{sk_{c}}} \cdot H_{r}^{S_{r_{n}}}}{Nym^C}`$ and accepts the signature if @@ -194,14 +233,19 @@ This verification also verifies the disclosed subset of attributes. Differently from a standard signature, a pseudonymous signature does not prove that the pseudonym possesses a user certificate signed by a CA. It only proves that the pseudonym $`Nym`$ signed message $`m`$. The signature is generated starting from the pseudonym (as generated in the section above) together with secret key $`sk_{c}`$ and randomness $`r_{n}`$ as follows: at first it picks random elements $`n \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ + $`r_{sk_{c}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ + $`r_{r_{n}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ Then it generates $`t \leftarrow H_{ISK}^{r_{sk_{c}}} \cdot H_{r}^{r_{r_{n}}}`$ + $`C \leftarrow H(H(t||Nym||h_{CA}||m)||n)`$ + $`S_{sk_{c}} \leftarrow r_{sk_{c}} %2B sk_{c} C`$ + $`S_{r_{n}} \leftarrow r_{r_{n}} %2B r_{n} C`$ The signature $`\sigma`$ is $`\sigma \leftarrow \{ Nym, C, S_{sk_{c}}, S_{r_{n}}, n \}`$. @@ -227,6 +271,7 @@ The enrollment id is one of the cerified attributes ($`a_{2}`$ with value $`a_{c The pseudonym is computed by sampling $`r_{eid} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ + $`r_{r_{eid}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$ and by generating the pseudonym
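Review bot: in the first hunk (`@@ -46,18 +46,23 @@`), `s \leftarrow r_{p} %2B C \cdot ISK` spells the addition as `%2B`. If that is deliberate (so the `+` survives the math renderer), a one-line comment in the README saying so would stop a later editor from "correcting" it; if it is not deliberate, the line should read `s \leftarrow r_{p} + C \cdot ISK`. The same `%2B` appears in the later hunks (`s \leftarrow r_{sk} %2B C \cdot sk_{c}`, `e \leftarrow \frac{1}{E %2B ISK}` and every `S_{\cdot}` response), so whichever way this is resolved, resolve it for all of them at once.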
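Review bot: in the second hunk (`@@ -79,13 +84,17 @@`), `nonce` is typeset as bare letters inside math (`$`nonce \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$` and inside the hash input), which renders as the product n·o·n·c·e rather than one identifier; `\mathit{nonce}` or `\text{nonce}` keeps it a single symbol. The multi-letter `ISK` in `r_{ISK}`, `H_{ISK}` and `C \cdot ISK` has the same issue throughout the patch.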
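Review bot: in the third hunk (`@@ -101,12 +110,15 @@`), `e \leftarrow \frac{1}{E %2B ISK}` is a modular inverse in $\mathbb{Z}_{r}$, not a rational number; writing it as `(E + ISK)^{-1}` or stating once that all exponent arithmetic is modulo r would make that explicit. The hunk also says nothing about the case $E + ISK \equiv 0 \pmod r$, for which no inverse exists; a short note that the CA must resample E in that (negligible-probability) case would complete the issuance step.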
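Review bot: in the fourth hunk (`@@ -131,38 +143,63 @@`), `\bar{A} \leftarrow B^{r1} \cdot A'^{-E}` and `B' \leftarrow \frac{B^{r1}}{H_{r}^{r_2}}` write the exponent as `r1`, which renders as r·1, while the value is sampled as `r_1`; both should be `r_1`. Separately, the client samples only `r_{a_{0}}` through `r_{a_{3}}` and the hash input lists `d_0||\ldots||d_3`, yet `t_2` takes `\prod_{i=0}^4` over five attributes; one of the two index ranges needs adjusting so the randomness list, the disclosure bits and the product agree (the same `\prod_{i=0}^4` appears in the B computation of the third hunk and in `t'_2` of the fifth, so fix them together).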
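Review bot: in the fifth hunk (`@@ -180,7 +217,9 @@`), `t'_1` and `t'_3` divide by a `(\cdot)^C` term while `t'_2` multiplies by `\left(g_{1} \cdot \prod_{i=0}^4 H_{a_{i}}^{a_{i} d_i} \right)^C`. That asymmetry is consistent with the signing hunk (`S_{E}` and `S_{r_3}` subtract `C` times the witness, the other responses add it, and `t'_2` has to cancel the public factor `g_{1} \cdot \prod H_{a_{i}}^{a_{i} d_i}` of `B`), but a one-sentence remark next to the verification equations saying the verifier's signs mirror the responses would save readers from re-deriving it.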
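Review bot: in the sixth hunk (`@@ -194,14 +233,19 @@`), the context line "Differently from a standard signature, a pseudonymous signature does not prove ..." reads more naturally as "Unlike a standard signature, a pseudonymous signature does not prove ..."; since the hunk already touches this paragraph it is a cheap fix. The hunk describes only how σ = {Nym, C, S_{sk_{c}}, S_{r_{n}}, n} is produced; if the README does not already spell out the matching check (recompute t from `S_{sk_{c}}`, `S_{r_{n}}`, `Nym` and `C`, then both hash layers of `H(H(t||Nym||h_{CA}||m)||n)`), the pseudonymous signature deserves the same verification paragraph that the standard signature gets in the fifth hunk.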
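Review bot: in the last hunk (`@@ -227,6 +271,7 @@`), the context line carried in the hunk header has the typo "cerified" for "certified"; worth fixing while this paragraph is being edited.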