Cryptography Reference
In-Depth Information
- Server security: After the protocol, any collection of possibly cheating users
cannot obtain the messages which none of them would have been able to
obtain individually according to the access control policies.
In the following, we will formally define the security of the oblivious transfer with access control policies. We first define an ideal functionality $\mathcal{F}_{\text{CAC-OT}}$ for the protocol.
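Functionality $\mathcal{F}_{\text{CAC-OT}}$
Parameterized with $(N, n, l)$, and running with a server $\mathcal{S}$, $n$ users $\{\mathcal{U}_1, \ldots, \mathcal{U}_n\}$ and an issuer $\mathcal{I}$, $\mathcal{F}_{\text{CAC-OT}}$ works as follows:
$\mathcal{F}_{\text{CAC-OT}}$ maintains an initially empty set $\mathrm{Att}_i$ for each user $\mathcal{U}_i$.
- On input a message (init, $\Omega$, m 1 1, ..., m N N) from $\mathcal{S}$, it stores ($\Omega$, m 1 1, ..., m N N) and sends $(\mathit{init}, \tau_1, \ldots, \tau_N)$ to all users.
- On input a message $(\mathit{issue}, id_i, a)$ from $\mathcal{U}_i$, it sends $(\mathit{issue}, id_i, a)$ to $\mathcal{I}$, and receives a bit $b$ from $\mathcal{I}$. If $b = 1$ then $\mathcal{I}$ adds $a$ to $\mathrm{Att}_i$ and sends $b$ to $\mathcal{U}_i$, otherwise it simply sends $b$ to $\mathcal{U}_i$.
- On input a message $(\mathit{transfer}, id_i, \omega_i)$ from $\mathcal{U}_i$, where $\omega_i$ $\Omega$, it sends transfer to $\mathcal{S}$ and receives a bit $b$. For all $j \in \{1, \ldots, N\}$, if $(b = 1)$ $(\omega_i\ \mathrm{Att}_i)$ $(\omega_i \models \tau_j)$, then it sends $m_j$ to $\mathcal{U}_i$.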
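The functionality above can be modelled as a trusted party in a few lines. This is an added illustration, not code from the original text; the names `IdealCACOT`, `satisfies` and `demo` are hypothetical, a policy is assumed to be a list of attribute sets of which one must be fully held, and the transfer conditions are read as "b = 1, every attribute in ω_i lies in Ω and in Att_i, and ω_i satisfies τ_j".

```python
def satisfies(omega, policy):
    """Assumed policy model: tau is a list of attribute sets (clauses);
    omega satisfies tau if it contains every attribute of some clause."""
    return any(clause <= omega for clause in policy)

class IdealCACOT:
    def __init__(self, issuer_bit, server_bit):
        self.issuer_bit = issuer_bit  # issuer's answer b for (issue, id_i, a)
        self.server_bit = server_bit  # server's answer b for a bare "transfer"
        self.universe, self.records, self.att = frozenset(), [], {}

    def init(self, universe, records):
        """Server input: store Omega and the records; users learn the policies."""
        self.universe = frozenset(universe)
        self.records = [(m, [frozenset(c) for c in tau]) for m, tau in records]
        return [tau for _, tau in self.records]

    def issue(self, uid, a):
        """Forward (issue, id_i, a) to the issuer; on b = 1 record a in Att_i."""
        b = self.issuer_bit(uid, a)
        if b == 1:
            self.att.setdefault(uid, set()).add(a)
        return b

    def transfer(self, uid, omega):
        """The server is only told that a transfer was requested: no id, no omega."""
        omega = frozenset(omega)
        b = self.server_bit()
        held = self.att.get(uid, set())
        if b != 1 or not omega <= self.universe or not omega <= held:
            return []
        return [m for m, tau in self.records if satisfies(omega, tau)]

def demo():
    # Constructed sample data: three attributes, two protected messages.
    f = IdealCACOT(issuer_bit=lambda uid, a: 1, server_bit=lambda: 1)
    f.init({"doctor", "cardiology", "nurse"},
           [("m1", [{"doctor"}, {"nurse"}]), ("m2", [{"doctor", "cardiology"}])])
    f.issue("alice", "doctor")
    f.issue("bob", "cardiology")
    for a in ("doctor", "cardiology"):
        f.issue("carol", a)
    return {
        "alice": f.transfer("alice", {"doctor"}),
        "bob": f.transfer("bob", {"cardiology"}),
        "alice_pooled": f.transfer("alice", {"doctor", "cardiology"}),
        "carol": f.transfer("carol", {"doctor", "cardiology"}),
    }
```

In `demo()`, the `alice_pooled` request shows the collusion case from the server security requirement: combining Alice's and Bob's attributes under one identity returns nothing, because the claimed set is checked against that single user's issued attributes.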
In the real experiment, a server, $n$ users and an issuer work as defined in section 3.1, and in the ideal experiment, $\mathcal{F}_{\text{CAC-OT}}$ works as defined above, with a server, $n$ users and an issuer. Assume that the outputs of the real and ideal experiment are $\mathrm{Real}_{\mathcal{A}}(\kappa)$ and $\mathrm{Ideal}_{\mathcal{A}}(\kappa)$ respectively, where $\kappa$ is a security parameter. In terms of the experiments, the formal security is defined as follows:
Server-Security: We say that CAC-OT is server-secure if for every PPT real-world adversary $\mathcal{A}$ who corrupts a collection of users $\{\hat{\mathcal{U}}_1, \ldots, \hat{\mathcal{U}}_t\}$, there exists a PPT ideal-world adversary $\mathcal{A}$ who corrupts the same participants, such that for $\kappa$ (which is a security parameter), and every PPT distinguisher $\mathcal{D}$: $|\Pr[\mathrm{Real}_{\mathcal{A}}(\kappa) = 1] - \Pr[\mathrm{Ideal}_{\mathcal{A}}(\kappa) = 1]|$ is negligible in $\kappa$.
User-Security: We say that CAC-OT is user-secure if for every PPT real-world adversary $\mathcal{A}$ who corrupts $\hat{\mathcal{S}}$, $\hat{\mathcal{I}}$ and a collection of users $\{\hat{\mathcal{U}}_1, \ldots, \hat{\mathcal{U}}_t\}$, there exists a PPT ideal-world adversary $\mathcal{A}$ who corrupts the same participants, such that for $\kappa$ (which is a security parameter), and every PPT distinguisher $\mathcal{D}$: $|\Pr[\mathrm{Real}_{\mathcal{A}}(\kappa) = 1] - \Pr[\mathrm{Ideal}_{\mathcal{A}}(\kappa) = 1]|$ is negligible in $\kappa$.