r
∈
*
,
2)
The user receives
e
and
c
, selects two random
r
∈
and
2R
p
3R
N
:()
r
f r
⋅
r
(
γ +⋅
fr rr r
+
2
c=gh
r
f
′′
computes
e
=
e
gh
=
g
h
m
o
d
N
,
a commitment
2
2
2
3
2123
2
1
′′
∈
f
:
=⋅
f
r
:
rr
′′
r
. The user and the issuer run the following zero-knowledge proof protocol with each other:
2
mod
n
for
r
n
, the value
and
=⋅
2
2
R/
p
′′
r
f
r
2
f
r
′′
r
f
r
*
PK
{(
f
,
f r
,
,
r
,
r
,
r
):
e
:
=
(
e
)
gh
mod
N
∧
c=gh n c gh
mod
∧ =
1
/ (
)
∧
r
,
f
∈
}
3
2
23
2
1
2
2
2
p
3)
The issuer decrypts
e
by computing
m
:P-Dec( ) (
=
e
=
γ
+
f
)
⋅
r
,
2
2
′
=∈
:
m
1/
1
computes and forwards
D
′ to the user.
Dg
1
:( )
r
′
g
γ +
1/ (
f
)
4)
The
user
computes
DD
=
=
and
verifies
that
2
1
1/ (
γ +
f
)
f
, if successfully, outputs
accept
.
The security of the above 2PC protocol follows straightforwardly from known
works, i.e., [23, 24, 27]. The 2PC protocol ensures that the issuer cannot learn any
information about the secret value f of the user, since the commitment has the perfect
hiding property.
eg
(
,
g
⋅Ω =
)
eg g
(
,
)
1
2
1
2
Theorem 1. The above 2PC protocol has correctness, and assuming the discrete
logarithm problem is hard, it is possible to black-box simulate views of both the user
and the issuer.
Proof. It is easy to see that correctness follows by direct verification. And since the
protocol is implemented by making use of a zero-knowledge proof of knowledge protocol,
there exist black-box simulators for both the malicious issuer and the adversarial
user.
We will use this theorem to prove security of our DAA scheme in section 6. In addition,
one can use more efficient additive homomorphic encryption schemes or verifiable
encryption schemes to construct the above 2PC protocol. In this paper, we just
give an example to implement this protocol.
5 Our DAA Scheme
5.1 The Setup Algorithm
On input of the security parameter $1^{\kappa}$, the setup algorithm executes the following:
1) Run the algorithm $\mathrm{Setup}_{\mathrm{Bilinear}}(1^{\kappa}) \rightarrow (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, g_1, g_2)$.
*
H:{0,1}
2)
Select five hash functions
→
,
H:{0, }→
*
,
p
2
1
*
H:{0, }
*
H:{0, }
L
→
,
.
H:{0, }
*
→
{0, },
L
→
{0, }.
p
α
β
*
3) Choose a random $\gamma \in_R \mathbb{Z}_p^*$ uniformly as the issuer's private key and compute
$\Omega := g_2^{\gamma}$. Output the DAA public key and the issuer's private key:
$(ipk, isk) := ((p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, g_1, g_2, H_1, H_2, H_3, H_\alpha, H_\beta, \Omega), \gamma).$
Note that, in the actual implementation, we can choose the same hash function for
H and H, and implement $H_\alpha$ and $H_\beta$ by many methods as mentioned in [31]. We
use different hash functions in order to prove the security.