Security of Schemes with Prekey

As the zero-knowledge proof scheme in a standard fail-stop signature scheme with prekey is required to be secure in itself, and alljtest decides membership in All correctly, it is natural to reduce the security of such a scheme to criteria that only deal with the remaining components.. This is done in the following theorem. The criteria are considerably simpler than the original definitions, because interaction in key generation no longer has to be considered. The constructions in Chapters 9 and 10 only have to be proved with respect to these criteria. 

Theorem 7.34 (Simplified security criteria). If a standard fail-stop signature scheme with prekey fulfils the following three criteria, then 

Effectiveness of authentication. For all acceptable prekeys and all key pairs based on it, all correct signatures are acceptable.  

Security for the risk bearer. If the risk bearer s entity generates the prekey correctly, it is infeasible to find a valid proof of forgery for it. 

More precisely For all probabilistic polynomial-time algorithms A and all polynomials Qsig (determining the growth of eras a function of k)  

---