Aggregatable Signature-based Broadcast Sample Clauses

Aggregatable Signature-based Broadcast. An ASBB scheme can be used simultaneously as a signature scheme and a broad- cast scheme. It exploits the duality between decryption keys and signatures which has been noticed in ID-based encryption [3] and certificate-based encryption [17], but the encryption in ASBB does not take input the receivers’ identities. The security of an ASBB scheme incorporates the standard notion of security for a signature scheme, i.e., existential unforgeability under a chosen message attack (EUF-CMA) [18] and the security as an encryption scheme. ← – π ParaGen(1λ): On input a security parameter λ, output the public para- meters π. – (pk, sk) KeyGen(π): On input π, output a public/secret key pair (pk, sk). ← – σ Sign(pk, sk, s): On input the key pair (pk, sk) and any string s, output a signature σ. ← – 0/1 Verify(pk, s, σ): On input the public pk and a signature σ of string ← – c Encrypt(pk, m): On input a public key pk and a plaintext m, output a ciphertext c. ← – m Decrypt(pk, s, σ, c): On input the public key pk, any valid string- signature (s, σ) and a ciphertext c, output the plaintext m. − | A | Given the system parameters π, a public key pk and a challenge ciphertext c = Encrypt(pk, mρ) for m0 and m1 chosen by an attacker , where ρ is the challenger’s random coin flip, the attacker wins if it outputs a guess bit ρj = ρ. An ASBB scheme is said to be semantically indistinguishable against chosen plaintext attacks (Ind-CPA) if, for any polynomial-time attacker , Pr[ρ = ρj] 1 is negligible in λ. An ASBB scheme is said to be EUF-CMA-Ind-CPA secure if the underlying signature is EUF-CMA secure and the encryption is Ind-CPA secure. 1. This means that, given two signatures on the same message under two public keys, one can efficiently produce a signature of the same message under a new public key derived from the original two public keys. ← ⊗ × → Ⓢ × → Ⓢ ← ⊗ ⊗ Ⓢ ⊗