A is then given the corresponding verification key [mathematical expression not reproducible] be the challenge value chosen by A.
To generate the public verification key VKX, algorithm [CFEval.sub.Poly](x) is executed together with one time pairing arithmetic.
With the use of the above closed form efficient PRF in Algorithm 3, we can realize public verifiability by letting the PRF value be a part of the verification key. Then our remaining goal is to make this public verification process "blind".
For simplicity, we assume that verification keys
of the one-time signature are encoded as elements from [Z.sup.*.sub.q].
verification key, and thus there is no concern for collisions where
verification key can check that that the signer did in fact sign the
The verification algorithm takes a message M, verification key
Description [pk.sub.F] Public key [ek.sub.F] Evaluation key [[sigma].sub.[omega],G] Problem description [vk.sub.[omega],G] Verification key
Sizes [pk.sub.F] 4 [absolute value of G] + 2 [absolute value of [G.sub.T]] [ek.sub.F] (41 + 2n + 2) [absolute value of G] [[sigma].sub.[omega],G] (21 + 2n + 2) [absolute value of G] + 2 [absolute value of [G.sub.T]] [vk.sub.[omega],G] 2 [absolute value of G] Table 3: Group operations analysis in each phase of our SV-OC protocol.
The user transmits a public verification key [PK.sub.ID], along with his/her identity ID, to the server.
(4) Server: the server imports the stored public verification key, [PK.sub.ID], corresponding to the user's identity ID.
In response, the ETA sends a partial token along with a token verification key (i.e., (PT, TVK1)) to the DU.
(2) To reuse the token T, A replaces its verification key part, that is, c = [E.sub.Y](TVK1), with c' in such a way that the SS considers a forged T = (T', c') as a fresh token and returns a result R.