$\Omega$ of size $l$ is $\Omega = \{a_1, a_2, \ldots, a_l\}$, where each element of $\Omega$ is a descriptive attribute. Each user $U_i$ is entitled to a subset of attributes $\omega_i \subseteq \Omega$. A server maintains a database $DB = \{m_1, \ldots, m_N\}$, and associates each message $m_i$ with an attribute-based access control structure $\tau_i$ over $\Omega$. Each structure $\tau_i$ specifies which combination of attributes can obtain the corresponding message $m_i$. The server requires that only the users whose attributes satisfy $\tau_i$ are able to access the message $m_i$. That is, for every $j \in [1, N]$ and every user $U_i$, the message $m_j$ can be made available, on request, to $U_i$ only if $\omega_i \models \tau_j$. Meanwhile, the server should not learn any information about each user's identity, attributes or message choices.
In the following, we give a solution that fulfills the functionality of CAC-OT. It involves these participants: $n$ users $U_1, U_2, \ldots, U_n$, a server $S$ and an issuer $I$.
The protocol works as follows.
- IssueSetup $(1^\kappa)$
The issuer $I$ generates his key pair $(pk_I, sk_I)$ for issuing credentials to users, and publishes $pk_I$ as the system-wide parameter.
- DB-Initialization $(\Omega, pk_I, m_1, \ldots, m_N, \tau_1, \ldots, \tau_N)$
For a database containing messages $m_1, \ldots, m_N$, the algorithm outputs a key pair $(pk_{DB}, sk_{DB})$ and encrypted messages $C_1, \ldots, C_N$ under the access control policies $\tau_1, \ldots, \tau_N$. The server keeps the key $sk_{DB}$ secret, and publishes $(C_1, \ldots, C_N, pk_{DB})$ to make it available to all users.
- ObtainCred $(\Omega, sk_I; \omega_i)$
Each user interacts with the issuer to obtain credentials for the attributes he is entitled to. Assuming each user $U_i$'s attribute set is $\omega_i \subseteq \Omega$, at the end of the algorithm $U_i$ will obtain the credentials $cred_{\omega_i}$ for all attributes of $\omega_i$ from the issuer.
- Transfer $(sk_{DB}; \omega_i, cred_{\omega_i})$
This is an interactive algorithm between the server $S$ and the users. The input for $S$ is his private key $sk_{DB}$. The input for each user $U_i$ consists of his entitled attributes $\omega_i$ and the corresponding credentials. At the end of the protocol, $U_i$ can decrypt a message subset $\varphi_i \subseteq \{m_1, \ldots, m_N\}$, where the policies for the messages in $\varphi_i$ are all satisfied by $\omega_i$.
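To make the functionality of the four algorithms concrete, here is an added ideal-functionality model of the CAC-OT interface (example code written for this page, not the paper's construction). A trusted party stands in for the cryptography, so the model shows what each participant inputs and learns, and which subset $\varphi_i$ a user with attributes $\omega_i$ ends up with, not how credentials or the encrypted database are realised. Two assumptions are mine: each policy $\tau_j$ is modelled as a disjunction of conjunctions (a list of attribute sets, satisfied when $\omega_i$ contains all attributes of at least one set), since the page does not fix the structure type; and the attribute names, messages and user identifiers are constructed sample data.

```python
"""Ideal-functionality model of CAC-OT (added example, not the paper's scheme).

A trusted party replaces the cryptography: it evaluates omega_i |= tau_j for
every j in [1, N] and hands back exactly phi_i.  The issuer view records what
the authenticated ObtainCred link reveals; the server view records what the
anonymous Transfer link reveals (only that a transfer happened).
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Assumption: a policy is a disjunction of conjunctions.
# [{a1, a2}, {a3}] means (a1 AND a2) OR a3.
Policy = List[Set[str]]


def satisfies(omega: Set[str], tau: Policy) -> bool:
    """omega |= tau : at least one conjunct of tau is contained in omega."""
    return any(conj <= omega for conj in tau)


@dataclass
class Issuer:
    """IssueSetup / ObtainCred.  The link is authenticated, so the issuer
    learns each user's identity together with the attributes it certifies."""
    universe: Set[str]                                  # Omega
    view: List[Tuple[str, FrozenSet[str]]] = field(default_factory=list)

    def obtain_cred(self, user_id: str, omega: Set[str]) -> FrozenSet[str]:
        if not omega <= self.universe:
            raise ValueError("attribute outside the universe Omega")
        self.view.append((user_id, frozenset(omega)))
        return frozenset(omega)          # stands in for cred_omega_i


@dataclass
class Server:
    """DB-Initialization / Transfer.  Holds m_1..m_N and tau_1..tau_N."""
    messages: List[bytes]
    policies: List[Policy]
    view: List[str] = field(default_factory=list)


def transfer(server: Server, cred: FrozenSet[str]) -> Dict[int, bytes]:
    """Ideal Transfer: returns phi_i = {m_j : omega_i |= tau_j}.  The server
    only observes that an anonymous transfer took place; neither identity,
    attributes nor the chosen indices enter its view."""
    server.view.append("anonymous transfer")
    return {
        j: m
        for j, (m, tau) in enumerate(zip(server.messages, server.policies), start=1)
        if satisfies(set(cred), tau)
    }


def run_demo() -> Tuple[Dict[str, Dict[int, bytes]], List[Tuple[str, FrozenSet[str]]], List[str]]:
    """Constructed sample run: three users, three messages, three policies."""
    issuer = Issuer(universe={"student", "staff", "library", "lab-A"})
    server = Server(
        messages=[b"m1: campus map", b"m2: lab-A door code", b"m3: payroll calendar"],
        policies=[
            [{"student"}, {"staff"}],    # tau_1: student OR staff
            [{"staff", "lab-A"}],        # tau_2: staff AND lab-A
            [{"staff"}],                 # tau_3: staff
        ],
    )
    users = {
        "U1": {"student", "library"},
        "U2": {"staff", "lab-A"},
        "U3": {"staff"},
    }
    outputs: Dict[str, Dict[int, bytes]] = {}
    for uid, omega in users.items():
        cred = issuer.obtain_cred(uid, omega)     # identity revealed to issuer
        outputs[uid] = transfer(server, cred)     # nothing revealed to server
    return outputs, issuer.view, server.view


if __name__ == "__main__":
    out, issuer_view, server_view = run_demo()
    for uid, phi in out.items():
        print(uid, "obtains", sorted(phi))
    print("issuer sees:", issuer_view)
    print("server sees:", server_view)
```

The `view` lists are the point of the model: the issuer's view carries identities and attributes, while the server's view contains one opaque entry per transfer, which is the asymmetry the paragraph below describes between the authenticated and anonymous links.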
During the protocol, when users request credentials from the issuer, the issuer will know users' identities. However, when users interact with the server, the server will know neither their identities nor their attributes. That is, the communication links between the users and the issuer are authenticated and the links between the users and the server are anonymous.
3.2 Security
We first discuss the security properties the CAC-OT should satisfy:
- User privacy: After each user executes the protocol with the server, the
server does not learn the user's identity or attributes, nor does it learn which
messages the user obtains. Even if the server colludes with the issuer, they
cannot tell the identity or attributes of the user.