We then describe a trade-off between efficiency and setup freeness of AP, in which AP does not need to hold any secret while maintaining control over their clients.
To build our system, we modify the short group signature scheme into a signature scheme and provide efficient protocols that allow one to prove in zero-knowledge the knowledge of a signature and to obtain a signature on a committed block of messages. We prove that the signature scheme is secure in the standard model under the $q$-SDH assumption.
Finally, we show that our dynamic $k$-TAA scheme, constructed from bilinear pairing, is secure in the random oracle model.
Category / Keywords: public-key cryptography / k-TAA, anonymity Publication Info: This paper is the extended version of the paper that appear in SCN '06 under the same title Date: received 27 Mar 2008 Contact author: mhaa456 at uow edu au Available format(s): PDF | BibTeX Citation Version: 20080331:140711 (All versions of this report) Discussion forum: Show discussion | Start new discussion