A Backward Unlinkable Secret Handshake Scheme with Revocation Support in the Standard Model

: Secret handshake schemes have been proposed to achieve private mutual authentications, which allow the members of a certain organization to anonymously authenticate each other without exposing their afﬁliations. In this paper, a backward unlinkable secret handshake scheme with revocation support (BU-RSH) is constructed. For a full-ﬂedged secret handshake scheme, it is indispensable to furnish it with practical functionality, such as unlinkability, revocation and traceability. The revocation is achieved in the BU-RSH scheme, as well as the unlinkability and the traceability. Moreover, the anonymity of revoked members is improved, so that the past transcripts of revoked members remain private, i.e. , backward unlinkability. In particular, the BU-RSH scheme is provably secure in the standard model by assuming the intractability of the (cid:96) -hidden strong


Introduction
Since online applications via public networks are widely popularized, privacy is more and more important for the development of web services.Privacy-preserving authentication plays a pivotal role among the whole privacy concerns.A well-known method for realizing privacy-preserving authentication is anonymous credentials [1].However, anonymous authentication usually needs to exchange the information about the trusted certificate authority (CA; i.e., affiliation).A promising cryptographic protocol named secret handshake was first introduced by Balfanz et al. [2] for mutually-anonymous authentication.During an interactive secret handshake protocol, one user will only reveal his/her affiliation to the other user if they belong to the same organization.Thus, participants only distinguish that they are members of the same organization, without leaking their true identities in this organization.Therefore, secret handshakes can not only protect the identity information of participants, but also provide a privacy-preserving property for their affiliations.
Besides the pioneering publication of Balfanz et al. [2], many two-party secret handshake schemes have been proposed from different cryptographic primitives.For instances, CA-oblivious encryption [3], ElGamal signature [4] and RSA [5].All of those works use one-time pseudonyms to ensure the unlinkability of secret handshakes, which are executed by the same members.In addition, it is very easy for the group authority (GA) to trace and revoke its members, because the GA knows all one-time pseudonyms of the members.However, those schemes based on one-time pseudonyms require more storage and computation cost in practice.Moreover, since it knows all secret information of the group members, the GA is able to impersonate and frame its members to execute malicious behaviors.Therefore, the anonymity against GA can be hardly achieved by using one-time pseudonyms.
Based on reusable credentials, Xu and Yung [6] first offered a secret handshake scheme that has a "weaker" unlinkability than the schemes from one-time pseudonyms.By using identity-based encryption [7], Ateniese et al. [8] presented the first efficient unlinkable secret handshake scheme with reusable credentials, which can achieve the dynamic matching model.However, Ateniese et al.'s scheme only realizes limited dynamic matching.Since the different sister groups are created and distinguished by group name in Ateniese et al.'s scheme, the different groups still share the same group public/private keys, which are actually managed by an upper operator.Hence, the limited dynamic matching model still relies on a single GA for different groups.Afterwards, Jarecki and Liu [9] proposed a revocable secret handshake scheme with unlinkability via broadcast encryption.However, the scheme [9] is based on the assumption that all groups have the same numbers of revoked members synchronously.Furthermore, the amount of group public keys is increased linearly with the number of group members.Thus, Jarecki and Liu's scheme [9] becomes inappropriate in practice.Based on Ateniese et al.'s scheme [8], Sorniotti and Molva [10,11] proposed revocable secret handshake schemes.Their proposals provide the revocation checking of the participants who have initiatively left their groups during handshakes.Nevertheless, they are still unable to trace and revoke malicious group members for complete unlinkability and untraceability.Moreover, their proposals still have the same weakness of Ateniese et al.'s scheme [8].
Particularly, a practical secret handshake scheme should realize similar security properties as a group signature scheme.Namely, secret handshakes with reusable credentials are required to be traceable, revocable and unlinkable.The illustration of the practical secret handshake scheme is described in Figure 1.Kawai et al. [12] proposed the definition of strong anonymity for secret handshakes at ISPEC 2009, which takes a malicious GA into consideration.They constructed an unlinkable secret handshake scheme with reusable credentials, which supports strong detector resistance and co-traceability by using a group signature with message recovery.However, the revocation mechanism is not explicitly considered in their scheme.In CRYPTO 2009, Jarecki and Liu [13] proposed a practical unlinkable secret handshake scheme, which supports both revocation and traceability with reusable credentials.However, the anonymity of revoked members cannot be guaranteed in Jarecki and Liu's scheme [13].Namely, once a member is revoked, all past transcripts of the member can be recognized and traced by the adversary after running revocation checking.As shown in [14], the property is also considered as backward unlinkability.It has been left by Jarecki and Liu [13] as an open question if there exists a secret handshake scheme with backward unlinkability.Derived from the idea of Kawai et al.' scheme [12] and Jarecki and Liu's scheme [13], Wen and Zhang [15] constructed a new revocable secret handshake scheme with backward unlinkability, which is provably secure with random oracles.Yang et al. [16] also proposed a generic approach for providing revocation support in secret handshakes, which did not consider backward unlinkability for revoked members and was still provably secure with random oracles.In this paper, we provide a new backward unlinkable secret handshake scheme with revocation supports (BU-RSH).Our new proposal, BU-RSH, aims to presents a more complete secret handshake scheme, which can also be proven secure in the standard model.Compared to the previous schemes, the contributions of our new scheme are three-fold.Firstly, the revocation mechanism is appended to the secret handshake schemes, which is not achieved by Kawai et al.'s scheme [12].In addition, the anonymity of our schemes is enhanced in view of revoked members, which enables the past transcripts of revoked members to still remain anonymous, i.e., backward unlinkability.More importantly, BU-USH is provably secure without random oracles by assuming the intractability of the -hidden strong Diffie-Hellman problem and the subgroup decision problem.
The remainder of this paper is organized as follows.In Section 2, we recall some preliminaries related to our work, including the definition and security properties of secret handshakes.In Section 3, BU-RSH is presented in detail.We focus on discussing the security analyses of BU-RSH, along with the performance of the related schemes in Section 4. The conclusion is given in Section 5.

Preliminaries
In this section, we recall the notions and definitions of bilinear pairings of composite order [17] and complexity assumptions, which will be used in later sections.Additionally, the definition and security properties of secret handshakes are reviewed.

Bilinear Pairings of Composite Order
Composite order bilinear pairings were first introduced in [17], which will be used in our proposal.We first review some general notions about bilinear groups and pairings.Most of the cryptosystems based on pairings are based on bilinear groups with prime order for simplicity.In our case, we define G as a (multiplicative) cyclic group of composite order N , where N = pq is the product of two different primes p and q.Let g be a generator of G.A one-way map e : G × G → G T is a bilinear pairing if the following conditions hold.
• Bilinear: For all g ∈ G, s.t., g is a generator of G and a, b ∈ Z N , e(g a , g b ) = e(g, g) ab .

Complexity Assumptions
Definition 1. ( -hidden strong Diffie-Hellman ( -HSDH) problem [18]): Let (G, G T ) be two cyclic groups of prime order p.For an integer and ω ∈ R Z p , g, u ∈ G, given: -HSDH assumption: We say that the ( , t, )-SR assumption holds if there exists no algorithm that can solve the -HSDH problem with a non-negligible advantage in a polynomial time bound t.Since the -HSDH problem does not rely on the composite order N , the -HSDH assumption can be applied to the generic group as described in the literature [18].Definition 2. (Subgroup decision (SD) problem [18,19]): Given a tuple (p, q, G, G T , e), in which p and q are independent secure primes, G and G T are two cyclic groups of order N = pq with efficiently-computable group operations and e : G × G → G T is a bilinear map.Let G q ⊂ G be the q-order subgroup of G. Given an element x, which is selected randomly either from G or from G q , the subgroup decision problem is to distinguish whether x is in G q or not.
The subgroup decision assumption: Let the success probability of solving the subgroup decision problem be defined as Adv sd = 1 2 + ε; we say that the subgroup decision assumption holds if ε is negligible.

Secret Handshakes: Definition and Security Properties
The secret handshake scheme (SHS) operates in an environment that consists of a set of groups managed by a set of group authorities and a set of users U 1 , • • • , U n registered into some groups.Based on the definitions in [2,13,15], a secret handshake scheme consists of the following probabilistic polynomial-time algorithms: • Setup: The Setup algorithm selects a security parameter κ to generate the public parameters params common to all subsequently generated groups.
• CreateGroup: CreateGroup is a key generation algorithm executed by the GA to establish a group G.It takes params as input and outputs group public key and private key (gpk G , gsk G ). • AddUser: AddUser is a two-party protocol run by the user and the GA.The GA plays the role of the CA for the group, which issues the credentials for a legitimate user of the group.After verifying the users' real identity, the GA will issue credential cred i for i ∈ [1, n] to each user after the protocol.• Handshake: Handshake is a two-party authenticate protocol executed by a pair of anonymous users (A, B), where (A, B) are possible users who may belong to different groups.This protocol takes as input the anonymous user' secrets (cred i , gpk i , tpk i ) and other public information, where tpk i is a group public key of the target group for the participator's authentication policy.The output of the protocol for either party is either "1" or "0".If the output is "1", this means that the secret handshake protocol is successful, and a session key K will be produced that can be used for subsequent secure communication between the two users.Otherwise, the handshake protocol is a failure, and the two users cannot distinguish the other's group information.• TraceUser: TraceUser is a polynomial time algorithm that is executed by the GA.The protocol outputs the identity of user U , whilst a transcript of the secret handshake involved with user U is submitted.• RemoveUser: RemoveUser is a polynomial time algorithm that is authorized by the GA.It takes its current revocation list (RL) and U 's revocation tokens as the inputs, whilst outputting an up-to-date RL that includes new revocation records.
For the untraceable secret handshake scheme, the TraceUser and RemoveUser algorithms will be not included.Now, we review some basic security definitions of SHS in brief.The formal definitions can be referred to the literature [2,12,13].In general, a secret handshake scheme must obey the following security properties: (1) Completeness: It requires that the SH protocol always outputs "1" when any interactive participators U i and U j honestly execute the Handshake protocol and satisfy the authentication policy of the counter-party, respectively.(2) Impersonator resistance: An adversary who attempts to impersonate a legitimate user of one group cannot succeed with a non-negligible probability.In other words, any adversary not satisfying the authentication policies cannot accomplish a successful secret handshake.Formally, the property is defined in the following game Game IR between an adversary A and a challenger B: • Init: The adversary A first sets Chosen = {G * , i * }.Then, B simulates Setup, CreateGroup and AddMember and sends the group public keys and up-to-date RL to A. • Queries: A can make the following queries, such that the responses will be simulated by B.
-Corruption queries: The corruption list Cor is initialized as ∅.The adversary A can query CreateGroup and AddMember for the secret information of some groups and members, except for Chosen.B will respond to the simulated information and update the corruption list Cor.-Handshake queries: The adversary A can make queries on the Handshake protocol with the group members.The transcripts of the queried members can be generated by B. During a handshake, A can query the hash functions used in the Handshake protocol.In particular, A can request a non-interactive proof of knowledge of a random message for any member at the current interval.
• Challenge: The challenger B acts as the group member i * of G * and executes the handshake protocol with the adversary A. A attempts to convince B that A is a legitimate member of the group G * .• Output: If the adversary A on half of a member i in the group G * succeeds in executing Handshake with B, the output of the game is "1".Otherwise, the output is "0".Note that it is required that A never queried any secret information with respect to the member i of the group G * , i.e., i ∩ Cor = ∅.
Let Adv IR A = Pr[Game IR = 1]; we say that SHS satisfies the impersonator resistance if the function Adv IR A is negligible for any polynomially-bounded adversary.
(3) Detector resistance: An adversary will not succeed with non-negligible probability when he activates Handshake with one honest member in order to determine whether he satisfies the authentication policies or not.Formally, the property is defined in the following game Game DR between an adversary A and a challenger B: • Init: The adversary A first sets Chosen = {i 0 , G 0 , i 1 , G 1 }.Then, B simulates Setup, CreateGroup and AddMember and sends group public keys together with revocation lists of all groups to A. • Queries: A can make the following queries, such that the responses will be simulated by B.
-Corruption queries: The corruption list Cor is initialized as ∅.The adversary A can query CreateGroup and AddMember for the secret information of some groups and members, except for Chosen.Thus, B will respond to the simulated information and update the corruption list Cor.-Handshake queries: The adversary A can make queries on the Handshake protocol with the group members.The transcripts of the queried members can be generated by B. During a handshake, A can query the hash functions used in the Handshake protocol.In particular, A can request the non-interactive proof of knowledge of a random message for any member at the current interval.
• Challenge: The challenger B selects a random bit φ ← {0, 1}.Then, B acts as the member i φ in the group G φ and executes the handshake protocol with the adversary A. A attempts to distinguish to which group B belongs.• Output: The adversary A outputs φ as its guess of φ.
we say that SHS satisfies the detector resistance if the function Adv DR A is negligible for any polynomially-bounded adversary.
(4) Unlinkability: This requirement implies that any adversary cannot find any relation between two instances of the Handshake algorithm, which is involved with the same honest members.Anyone except the GA could not distinguish whether two instances of the SH protocol are executed by the same honest member.In addition, the GA will never link two executions run by the same member, unless it carries out the TraceMember algorithm.Thus, the TraceMember algorithm can be authorized by a separate trace authority of the GA in order to improve the unlinkability.In the security definition of SHS [13], the privacy property explicitly implies both the unlinkability and the detector resistance.The formal definition of unlinkability is easily derived from Game DR of the detector resistance when the "Challenge" phase is executed twice.Let φ 0 and φ 1 be the random bits of the two challenges, respectively.If φ 0 = φ 1 , let φ = 1, else let φ = 0. Therefore, the adversary outputs φ as its guess of φ to distinguish the two different challenges.We say that SHS satisfies the unlinkability if the probability of outputting the correct φ is negligible for any polynomially-bounded adversary.
Remark on backward unlinkability: If a group member is removed from his group, i.e., his revocation token is added to the RL, the anonymity of the revoked member before the revocation is desirable to be sustained (i.e., backward unlinkability).This means that even after a member is revoked, all past handshake behaviors produced from the revoked member remain private and unlinkable.The formal definition of the property is easily obtained by revising the Chosen and "Challenge" phase of Game DR , which is similar to backward unlinkability in [14].

A Backward Unlinkable Secret Handshake Scheme with Revocation Support in the Standard Model
Developed from the idea of group signatures with verifier local revocation and backward unlinkability [19] and private mutual authentications [13], a new backward unlinkable secret handshake scheme (BU-RSH) that supports revocation in the standard model is designed as follows.
• Setup: Given a security parameter κ, the algorithm runs Setup(1 κ ) → params.The public which are shared by all participators in the scheme.Here, g is a generator of a subgroup G of composite order N = pq, where p and q are random primes.Let G p and G q be the cyclic subgroups of G with respective order p and q.The algorithm picks a generator h of G q .u, v 0 , • • • , v n are selected randomly from G. In addition, H 1 : {0, 1} * → G and H 2 : {0, 1} * → Z * N are two cryptographic hash functions.T is the number of time intervals in the secret handshake system, and τ j ← R {0, 1} * represents the j-th time interval for each j ∈ [1, T ].Finally, F is a function that represents the attribute.Suppose one attribute P is denoted by n-bits string (µ N and generates φ = e(g, g) α , Ω = g ω .The GA outputs its group secret key gsk = (α, ω) and group public key gpk = (φ, Ω).
• AddUser(n, T): Assuming that GA can add n users to the group in T time intervals, the GA issues attribute credential for each user.After verifying the identity of a user U i , the GA randomly selects secret key s i , β i ← R Z * N , and computes attribute credential cred U i ,P = (θ 1 , θ 2 , θ 3 , θ 4 ) = ((g α ) 1 ω+s i , g s i , u s i • F (P ) β i , g −β i ).The user verifies that the credential is valid by testing e(θ 1 , Ω • θ 2 ) ? = φ and e(θ 2 , u) ?= e(θ 3 , g) • e(θ 4 , F (P )).In addition, the GA will calculate this user's revocation token urt[i][j] = B ij = h s i j where h j = H 1 (τ j ) for each time interval τ j , such that j ∈ [1, T ].Then, U i becomes the valid member of the group, and the GA stores the user's credential and revocation tokens in the member database.
• Handshake: Suppose A and B are two parties who want to execute a secret handshake protocol to authenticate each other without leaking their privacy at time interval τ j .Participator A runs the protocol with cred A and gpk A , which are created by group G A , and participator B runs it with cred B and gpk B , which are created by group G B .Let (tpk A , P AT ) and (tpk B , P BT ) denote the target group public keys and target property (i.e., authentication policy) of the participators A and B, respectively.The protocol proceeds as follows: (1) -B retrieves σ 1 , σ 2 , π 1 from PROOF(cred A )[r A ] and uses his target group public key Ω BT to compute: . -B calculates k A by using σ 2 , σ 3 , σ 4 , P BT , π 2 as follows, -B will compute the following verification value V B , such that: Finally, B sends both PROOF(cred B )[r B ] and V B to A.
(3) A → B : V A (a) By checking T 2 = e(B ij , T 1 ) for all B ij ∈ RL j after getting T 1 , T 2 from B, A executes the similar revocation check to ensure that B is also not revoked at the time interval τ j .(b) If B is revoked at time interval τ j , A responds with a random value V A ← R Z * N , as well.Otherwise, A retrieves n B and k B from PROOF(cred B )[r B ] by using its own target group public key tpk A .(c) A verifies the V B with the equation ).If the above equation holds, A will output "1" and send Else A outputs "0" and also responds with a random value ). B outputs "1" only if the above equation holds, else B outputs "0".
• TraceUser: When a dispute happens, the GA first retrieves the proof information T 1 and T 2 from a transcript of a secret handshake instance at time interval τ j .Then, GA checks T 2 ?
= e(B ij , T 1 ) for all B ij in the user lists to identify who has executed the malicious secret handshakes.
• RemoveUser: The GA is responsible for the update of the RL for each time interval after tracing some malicious group users or receiving some users' revocation requests.In order to remove a user U i from one group at time interval τ j , the GA firstly looks up the user U i 's information from its user lists.Then, the GA removes the user's revocation tokens urt[i][j] = B ij for all j ≥ j from the RL of its group.Consequently, other unrevoked group users can execute the revocation check under the updated RL to identify whether the counter-party is revoked.Particularly, the revocation tokens before the time interval τ j are not added in the updated RL and will not satisfy the revocation check equation.Moreover, it is infeasible to deduce the previous revocation tokens B ij for all j < j from the revocation tokens B ij for all j ≥ j that have been added in the updated RL at the time interval τ j .Therefore, the past transcripts of revoked users still remain unrecognized and private, which achieves backward unlinkability.

Security and Performance Analysis
The security results on the new construction BU-RSH with respect to the impersonator resistance, detector resistance and unlinkability will be provided firstly.Then, the performance of our proposal is also analyzed.

Security
Theorem 1.The BU-RSH scheme satisfies the impersonator resistance (IR) assuming the -HSDH problem is hard.
Proof.Suppose B is given a -HSDH challenge, such that for an integer and ω+s ) for some s / ∈ {s 1 , • • • , s }.Now, we describe how the algorithm B can successfully solve the -HSDH problem by executing a security game with an adversary A. Note that the attribute credentials of users in the BU-RSH scheme are constructed from the initial signature based on the two-level hybrid signature scheme [18].Actually, the security of IR can depend on the existential unforgeability of the attribute credential derived from the signature.Since the new scheme is converted from the constant-size group signature [19], the detailed proof can be referred to Theorem 2 in [19] with respect to full traceability.Hence, we deduce that the BU-RSH satisfies the impersonator resistance under the -HSDH assumption.
• Init: To achieve the simulation, B first initiates the interaction settings where B can simulate Setup, CreateGroup and AddUser(n, T) for every group in BU-RSH.In the Setup phase, B selects , where q A means the number of queries of AddUser, and then prepares the public parameters params for the adversary A, params = (p, G, G T , e : In the CreateGroup phase, B first sets Chosen = {G * , i * }.For the group G * , B sets the group public key to be gpk G * = (φ = e(g, g) α * , Ω * i = g ω * ) for group G * , where α * , ω * ← R Z N .Additionally, B prepares n pairs (cred ] from the -HSDH challenge are distributed randomly in the user sets.For each i ∈ [1, n], we mark either i = 1 if (cred U i ,P ) is known or i = 0 if (cred U i ,P ) is not from the -HSDH challenge and selected randomly from Z * N .Finally, B calculates h j = g ζ j , ζ j for all For other groups and their users, B randomly generates gsk G and s i for every group and user and then executes CreateGroup and AddUser(n, T) just as the underlying algorithms in BU-RSH.
• Queries: A can make the following queries, each of which is serviced by B sequentially.
-Corruption queries: The corruption list Cor is initialized as ∅.
), B can respond with the corresponding proof to the adversary.
-Handshake queries: The adversary A can make queries on the Handshake protocol with the group users.The transcripts of the queried users can be generated by B using the corresponding attribute certificates, which are in accordance with the Handshake algorithm.
• Output: The output of the security game is "1", only if the adversary A on half of one user i * in the group G * succeeds in executing Handshake with B. After at most n − 1 total queries, A will be dedicated to forge the PROOF on one random message r A on behalf of one group user i * from G * and execute the handshake protocol with B.
According to the description of the above security game, the probability that B does not abort is n .Hence, for all AddUser queries, B simulates successfully with the probability θ ≥ q A −1 λ=0 −λ n−λ , where q A (< n) is the number of queries for AddUser.
The perfect proof system implies that the adversary has to forge the corresponding blinded credential proof of user i * .For some generate u * and then retrieves a full tuple (g Thus, if A's successful advantage is non-negligible, we can deduce the successful probability of B. By using the extractor of the PROOF shown in [18,19], B can solve the -HSDH problem with the probability .The detailed analysis of can be referred to [18]. Theorem 2. The BU-RSH scheme satisfies the detector resistance (DR), and unlinkability assuming the subgroup decision (SD) problem is hard.
Proof.For the DR property, the adversary A has to distinguish a handshake instance with a true group member from an instance with a simulator SIM .During the handshake in our proposed scheme, we and the modular exponential operations with respect to the schemes in our comparison.T p denotes the time for one bilinear pairing operation in the elliptic curve groups, which costs about 12.23 ms.T E denotes the time for one modular exponential operation, which costs about 2.42 ms.T M E denotes the time for one multi-exponentiation operation, which costs about 3.24 ms.The experiments are based on Intel Pentium-4 2.8 GHz with 512 MB RAM.Table 1.A comparison of related secret handshake schemes.BU-RSH, backward unlinkable secret handshake scheme with revocation support.
Ateniese et al. [8] Kawai et al. [12] Wen and Zhang [15] BU-RSH From Table 1, we can see that Kawai et al.'s scheme [12] and Wen and Zhang's scheme [15] achieve traceability and unlinkability using the group signature method.However, those schemes are proven secure in the random oracle model.Compared to Kawai et al.'s scheme [12], Wen and Zhang's scheme [15] is more computationally efficient and achieves revocation support.For Ateniese et al's scheme [8], since it distinguishes different groups through group identities, which are all assumed to be n-bits strings, 2n + 3 modular exponentiations need to be computed in the Setup phase, and every group must know and maintain n + 2 modular exponentiations as the private values to issue group credentials in the CreateGroup phase.Towards the proposed scheme, BU-RSH, different groups are separate, which have respective group public and private keys without needing the group identities for distinction.Then, the computation costs of BU-RSH are reduced in both of the Setup and CreateGroup phases.More importantly, the revocation support, backward unlinkability and security in the standard model are all accomplished in our proposal, BU-RSH.
Moreover, for the sake of revocation checking, each member needs |RL j | bilinear pairing computations in the Wen and Zhang [15] and BU-RSH scheme.In order to achieve provable security in the standard model, each participant in the interactive handshakes needs a little more computation costs in our BU-RSH scheme.However, it is necessary to authenticate the revocation status of the counter-party in practical secret handshakes.It is also a better expectation if a scheme can be provably secure without random oracles.Hence, the trade-off is reasonable and acceptable in order to adapt our secret handshake scheme to more practical applications.

Conclusions
In this paper, we have proposed a backward unlinkable secret handshake scheme with revocation support in the standard model.Specifically, our proposal fulfills some practical functionalities, such as backward unlinkability, revocation, traceability and security, without random oracles.By using the idea of the verifier local revocation group signature in the standard model, our new scheme also achieves the advantages of a standard group signature scheme: the credential of each user could be short and reusable; mutual authentication could take constant rounds; revocation information could be at most linear in the number of revoked participators; and, finally, the scheme is proven in the standard model.In future work, a practical approach is to design an unlinkable secret handshake scheme that satisfies the computations of revocation checking to be sub-linear to the number of revoked users.How to provide a better design derived from multilinear maps or lattices is still a promising challenge.

Figure 1 .
Figure 1.An illustration of practical secret handshake scheme.

( 2 )
B → A : {PROOF(cred B )[r B ], V B } (a) By verifying T 2 = e(B ij , T 1 ) for all B ij ∈ RL j of the target group of B, B executes the revocation check to ensure that the A is not revoked at the time interval τ j .(b) B will verify the correctness of T 1 and T 2 by testing e(σ 5 , g) ?= e(h j , T 1 ) • e(h, π 4 ), e(σ 5 ,σ 2 ) e(h,π 3 ) ? = T 2 .(c) Similarly, B also generates proof knowledge of k B : PROOF(cred B )[r B ].(d) If A does not pass the revocation check, B will generate a random value V B ← R Z * N as the verification response.Otherwise, B will recover n A and k A from PROOF(cred A )[r A ] by using his target group public key tpk B and computes a verification value V B as follows.
The adversary A can query CreateGroup and AddUser for the secret information of some groups and users.If Cor ∩ Chosen = ∅, B will respond and update the corruption list Cor.If i = 1, B simulates the GA correctly, and A obtains the credential cred U i ,P .Otherwise, B reports failure and aborts.Since the verification equations e(θ 1 , Ω • θ 2 ) = φ and e(θ 2 , u) = e(θ 3 , g) • e(θ 4 , F (P )) are satisfied, this is not distinguishable from receiving the real credential.However, if Cor ∩ Chosen = ∅, B aborts, as well.-Hashqueries:The adversary A can query the hash functions used in the Handshake protocol.-PROOFQueries: The adversary A can query a proof of knowledge of message r A as user i at time interval τ j .If ω i = 1, B responds to the proof PROOF(cred i )[r A ] using the secret key {cred i , s i }.If i = i * , B selects t * ← R Z * p and implicitly defines (θ * 1