NEW TRANSITIVE SIGNATURE SCHEME BASED ON DISCRETED LOGARITHM PROBLEM*
Definition 2 We say that TS is transitive unforgeable under adaptive chosen- chosen-message attack if the function is negligible for any adversary F
whose running time is polynomial in the security parameter
2.
New undirected transitive signature scheme
In this section we describe an new transitive signature scheme for working on undirected graphs. it is based on the difficulty of the discrete logarithm problem.
Standard signature scheme
Our new scheme use an underling standard digital signature scheme SDS=
(SKG, SSign, SVf), where SKG is polynomial time key generation, SSign is signing algorithm, and SVf is verification algorithm. We use the security definition proposed by Goldwasser, Micali and Rivest in [GoldMic].A forger B is given adaptive oracle access to the signing algorithm, and its advantage in breaking SDS is defined as the probability that it outputs a valid signature for a message that was not one of its previous oracle queries.
The scheme SDS is said to be secure against forgery under adaptive chosen message attack if is negligible for every forgery B with running time polynomial in the security parameter
Discrete logarithm problem
A modulus generator is a randomized, polynomial time algorithm that on input returns a triple where and q are large primes,
such that q divides and is a generator of order, the group generated by is denoted by We do not restrict the tpye of generator, but only assume that the associated discrete logarithm problem is hard. Formally, for any adverary A and any we let
We say that discrete logarithm problem is hard if function is negigible for every A whose running time is polynomial in New transitive signature scheme
Given a modulus generator and a standard signature scheme SDS=(SKG, SSign, SVf), we design a new transitive signature scheme DLPTS=(TKG, TSign, TVf, Comp) as follows.
Given input the key gerneration algorithm TKG first runs SKG on input to generate a key pair for the standard signature scheme SDS. It then runs the modulus generator MG on input to get a triple It outputs as the public key. Let Legit=true, NotOk=f alse.
The signing algorithm TSign maintains state where is the set of all queried nodes, the function assigns to each node a secret label while the function
assigns to each node a puvlic label and the function
assigns to each node a standard signature on under secret
New Transitive Signature Scheme based on Discreted Logarithm Problem 117 key When invoked on inputs meaning asked to produce a signature on edge it does the following:
If then Legit false
If then swap and
If then If then
If then NotOK true
We refer to as a certificate of node Return as the signature of
Return Legit NotOK
The verification algorithm TVf, on input nodes and a candidate signature proceeds as follows:
If then swap and
Let and and If or
then return 0
If then return 1 else return 0.
The composition algorithm Comp takes nodes a signature
of the edge and a signature of the
edge and processds as follows:
If or or are not all distinct,
thenLegit false
Let and
Let and
If then return
Let and
If then Return
If then Return
If then Return
If then Return
If then Return
If then Return
Let
If or then NotOK true
Return Legit NotOK 3.
Correctness
In this section, we will prove the correctness of this new scheme. We first have the following lemma.
Lemma 1: Suppose that G* = (V*,E*) is a transitively closed graph. We will make transitive signature on this graph with above DLPTS. Let S be the set of edges and corresponding signature in processing Tsign algorithm. For
we have the following equations.
Proof: In DLPTS transitive signature scheme, there are two algorithms gener-ating new element to be added to S, one is Tsign, other is Comp.
At the beginning ofDLPTs,
Firstly, we consider the Tsign oracle query with
If legit is set to false, and the stop Tsign, no new element is added toS, so the above claim is right.
Else, a new element is added to S, where is the output of
Therefor, the newly added element satisfies the above Equation (1). Because Tsign only adds new element to S, but never changes existing elements in S, after the Tsign oracle query, all elements of S still satisfie the above Equation (1). The above claim is right.
Second, we onsider the Comp oracle query with
If or or are not all distinct, then legit
is set to false, and the stop Comp, no new element is added to S, so the above claim holds true.
Else, the composition algorithm is run, and a new element is created, and is added to S, where
If If
where where
New Transitive Signature Scheme based on Discreted Logarithm Problem 119 Depending on the relations between and the variable inside the compostion algorithm gets diferent values as following.
If If If If If If
Therefor, the newly added element satisfies the above Equation (1). Because Comp only adds new element to S, but never changes existing elements in S, so all elements of S still satisfie the above Equation (1). The above claim is right. Lemma 1 has been proved.
In order to verfify the validity of any in the DLPTS transitive
signature scheme, where we must
verify the following two equations.
(1) (2)
and and
For SSign is one section of a standard signature scheme SDS, SVf is the signature verifing sectin in the same SDS, so
the is true.
On the other hand, from the Lemma 1, we have the equation
Lemma 2: At any time in DLPTS transitive signature scheme,