Information Technology Reference
In-Depth Information
Adv
XDH
(
κ
)
=
Pr[ ,
xy
←← =
;
b
{0,1};
h
g
xy
,
h
←
:
(
h g g par
,
x
,
y
,
)
→
b
]
p
0
1
1
1
b
1
1
Bilinear
.
Definition 2
(
q
-Strong Diffie-Hellman (
q
-SDH) assumption). The
q
-SDH assumption
[25] holds, if the following probability is negligible in the security parameter
κ
, for
all adversaries
and all parameter sets
par
output by
Setup
(1 )
κ
:
Bilinear
Bilinear
2
q
2
q
A v
q
-SDH
()P [
κ =←
x
; , ,,
g
x
g
x
g
x
←
;
g
x
←
:(, ,, , ,
g
x
g
x
g
x
g
x
par
)
p
11
1
12
2
11
1 2
ili r
→∈
(
g
1/ (
xc
+
)
,
c
)].
1
p
3.2
Paillier Cryptosystem
Paillier cryptosystem
[23] has additive homomorphic and self-blinding properties, and
is usually employed to construct various cryptography schemes. The cryptosystem
consists of three algorithms as follows:
P-Setup
( 1
κ
): On input of the security parameter
κ
, the algorithm picks two ran-
∈
*
N
dom primes (, )
PQ
and computes
NPQ
=⋅
. It also selects a random base
g
2
λ
()
N
2
which meet
gcd(
L
(
g
mod
N
),
N
)1
=
where
Lu
()
=
(
u
−
) /
N
and
λ
()
N
=
r
∈
and computes
*
N
N
2
lcm(
P
-1,
Q
-1). Then it chooses a random
h
=
r
mod
N
,
2
explicitly the order of h is
. Finally, the algorithm outputs the public key PK
P
=
(
N
,
g
,
h
) and the secret key SK
P
= (
P
,
Q
).
P-Enc
(PK
P
,
m
): On input of the public key PK
P
and a plaintext
m
, the algorithm
chooses a random value
λ
()
N
*
N
ms
2
s
∈
and computes the ciphertext as
C
=⋅
gh
as
mod
N
output.
P-Dec
(SK
P
,
C
): On input of the secret key SK
P
and a ciphertext
C
, the algorithm
retrieves the plaintext as:
λ
()
N
2
λ
()
N
2
mLC
=
(
(
m d) /
N L
(
g
m d)) m d.
N
N
4
The 2PC Protocol for the SDH Instance
The framework and security model of our 2PC protocol are based on previous work
which has been done in [27]. In this section, based on Paillier cryptosystem and veri-
fiable encryption technique, we give an instantiation of such a protocol which has not
been done in [27]. Our 2PC protocol actively involves two parties, an issuer with a
secret value
ʳ
and a user with a secret value
f
, and passively involves one party who is
a trusted third party TTP. Notes that TTP does not directly participate in the 2PC
protocol, but only provides the public parameters
par
=
(
n, g,h
where
n=pq
is a
)
T
*
RSA modulus and
(
g,h
) ∈
n
, and keeps
p
and
q
secret. In order to generate a SDH
1/ (
f
+
γ
)
instance
(
g
,
f
)
within bilinear group parameters
par
=
(, ,
p
,
,,
e
1
Bilinear
1
2
T
gg
for the user, we design the processes of the 2PC protocol as follows:
1)
The issuer generates the parameters of Paillier cryptosystem, (PK
P
,
SK
P
):=((
N
,
g
,
h
), (
P
,
Q
)) and publishes the PK
P
to the user. The issuer picks a random
1R
N
,
)
12
r
∈
and computes a ciphertext
1
e
=
P-Enc( )
γ
and a commitment
c=gh
r
γ
′
′
∈
r
. Then the issuer and the user execute the
following zero-knowledge proof protocol with each other:
1
mod
n
with a random
1
R
′
PK
{( ,
γ
r
,
r
′
) :Ω
=∧=
g
γ
e
γ
r
mod
N
2
∧
c=gh n
γ
r
mod
∧∈
γ
*
gh
}.
1
2
1
1
p