Cryptography Reference
In-Depth Information
In [20], the IND-sID-CPA security of blind IBE was defined. Similarly, we give
the security definitions for blind ABE as follows.
Definition 4.
(Secure Blind ABE) A blind ABE
Π
=(
Setup
,
BlindKeyGen
,
En-
crypt
,
Decrypt
) is called IND-sAtt-CPA-secure (resp. IND-Att-CPA) if and only
if: (1) the CP-ABE
Π
=(
Setup
,
KeyGen
,
Encrypt
,
Decrypt
)isIND-sAtt-CPAse-
cure (resp. IND-Att-CPA), and (2)
BlindKeyGen
is leak free and selective-failure
blind.
Next, we will give the definition of IND-sAtt-CPA security for CP-ABE, and
leak freeness and selective-failure blindness for
BlindKeyGen
protocol.
Definition 5.
(Selective-Attribute Secure CP-ABE (IND-sAtt-CPA))[15] An
CP-ABE
Π
=(
Setup
,
KeyGen
,
Encrypt
,
Decrypt
)iscalledIND-sAtt-CPA-secure
if every PPT adversary
has only an advantage negligible in
κ
(which is a se-
curity parameter) for the following game carried out between the adversary
A
A
and a challenger
C
:
chooses a target access tree
τ
∗
and gives it to
-
Initialization A
C
.
runs
Setup
(1
κ
)
algorithm to obtain
(
pk, sk
)
, and give
pk
to
-
Setup C
A
.
-
Phase 1 A
may query private keys for attribute sets
ω
1
,...,ω
q
l
,whereeach
attribute set
ω
i
does not satisfy
τ
∗
.
-
Challenge A
outputs two messages
m
0
,m
1
, where the length of them is the
Selects a random bit
b
and encrypts
m
b
to
τ
∗
. The resulting cipher-
text
c
∗
is given to
same.
C
A
.
-
Phase 2 A
may continue to query private keys for attribute sets
ω
q
l
+1
,...,ω
q
as in
Phase 1
.
-
Guess A
outputs
b
∈{
0
,
1
}
.
Pr
[
b
=
b
]
1
2
We define
A
's advantage in the above game as
|
−
|
.
A secure
BlindKeyGen
protocol should satisfy two properties:
-
Leak-freeness
A possibly cheating user cannot learn anything by executing
the
BlindKeyGen
protocol with an honest
KGC
except for the necessarily
known knowledge.
-
Selective-failure blindness
cannot learn anything
about the user's attributes during the
BlindKeyGen
protocol. Moreover, the
KGC
A possibly cheating
KGC
cannot cause the
BlindKeyGen
protocol to fail selectively depending on
the user's attributes.
The formal definitions for leak-freeness and selective-failure blindness of
Blind-
KeyGen
protocol associated with an ABE scheme are described in Appendix
B.
4.2 The Generic Construction for CAC-OT
In this part, a generic construction for CAC-OT from a blind ABE and a cre-
dential signature scheme will be presented and it is proved to be secure in the
standard model.
Search WWH ::
Custom Search