Cryptography Reference
Construction Overview. We bring in a credential issuer, external to the
protocol, who is responsible for issuing credentials for each user's attributes.
A server maintains a database $DB = \{m_1, \ldots, m_N\}$ and associates an
attribute-based access control structure $\tau_i$ with each message $m_i$. Each
user $U_i$ is entitled to an attribute subset $\omega_i \subseteq \Omega$ and an
identity $id_i$.
The server first generates the parameters for a blind ABE. Then he initializes
the database by encrypting each message $m_i$ under $\tau_i$ such that the
message can only be decrypted by the users who can obtain the private keys
corresponding to an attribute subset satisfying $\tau_i$. The encrypted database
is published to all users. In the transfer phase, each user makes queries for
the private keys corresponding to his entitled attributes by running the
BlindKeyGen algorithm with the server. Simultaneously, the user must give a
proof of knowledge that he possesses a valid credential signature for the
requested attributes issued by the issuer. If the user is verified, he will
obtain the private keys for the requested attributes from the server. Then he
can use the keys to decrypt any of the messages available to him according to
the policies. We assume that at the end of the protocol, each user will output a
message subset that includes all the messages available to them.
The above gives the basic construction idea for CAC-OT. After each user obtains
the private keys for the requested attributes, he can check the correctness of
the keys. So the protocol resists a possibly cheating server who may mount
selective-failure attacks. However, this property creates a problem in the
simulation of a cheating user. The simulator of a collection of possibly
cheating users works as a server in the real world. It must encrypt N random
values in the DB-Initialization phase, since it does not know the correct
messages, and in the Transfer phase open some of these values to the
corresponding correct messages received from the trusted party during
simulation. To solve the problem, we can use a commitment scheme or program a
random oracle here. In addition, a zero-knowledge proof
$\mathrm{PoK}\{(sk_{DB}) : (pk_{DB}, sk_{DB}) \;\; \mathrm{Setup}(1^{\kappa}, pk_I)\}$
is also needed in the simulation of a cheating server.
The Construction. Next, we describe a solution similar to [20], using a secure
commitment scheme such as Pedersen's scheme [28],
$COM = (\mathrm{CSetup}, \mathrm{Commit}, \mathrm{Decommit})$, and present a
secure generic construction for CAC-OT as follows. In the commitment scheme,
CSetup is the system parameter generation algorithm, which generates public
parameters $\rho$. Taking a message $m$ as input, the
$\mathrm{Commit}(m, \rho)$ algorithm outputs $(C, D)$. The Decommit algorithm
outputs 1 if $D$ decommits $C$ to $m$, or 0 otherwise. Moreover, for the
commitment scheme, we require that the knowledge of a decommitment $D$ can be
proved efficiently with respect to $(\rho, m, C)$. In the following, we assume
that the credential signature scheme used is
$CS = (\mathrm{ISetup}, \mathrm{IssueCred}, \mathrm{VerifyCred}, \mathrm{ProveCred})$
and the blind ABE used is
$BABE = (\mathrm{Setup}, \mathrm{BlindKeyGen}, \mathrm{Encrypt}, \mathrm{Decrypt})$,
where the BlindKeyGen algorithm consists of three sub-algorithms Blind, BKeyGen
and Unblind. The parameters for the commitment scheme and a collision-resistant
hash function $H$ can be generated by a trusted party.
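The following is an added example, not code from the original text: a toy Pedersen commitment exposing the CSetup / Commit / Decommit interface described above, together with the trapdoor re-opening that lets a simulator who knows $\log_g h$ open a commitment to a different message than the one it committed to. The group parameters (p = 2039, q = 1019, g = 4), the function names and the `equivocate` helper are assumptions made for illustration; the page does not specify how the construction instantiates the scheme.

```python
import secrets

# Toy group, constructed for illustration only: p = 2q + 1 with p, q prime.
# A real deployment needs a group of cryptographic size.
P, Q = 2039, 1019
G = 4  # 4 = 2^2 is a quadratic residue, so it generates the order-Q subgroup


def csetup():
    """CSetup: return public parameters rho and the trapdoor t = log_g(h).
    A trusted party publishes rho and discards t; a simulator keeps t."""
    t = secrets.randbelow(Q - 1) + 1          # t in [1, Q-1]
    return (P, Q, G, pow(G, t, P)), t


def commit(m, rho):
    """Commit(m, rho) -> (C, D): commitment C = g^m * h^D and decommitment D."""
    p, q, g, h = rho
    d = secrets.randbelow(q)
    return (pow(g, m % q, p) * pow(h, d, p)) % p, d


def decommit(c, d, m, rho):
    """Decommit: output 1 if D decommits C to m, or 0 otherwise."""
    p, q, g, h = rho
    return int(c == (pow(g, m % q, p) * pow(h, d % q, p)) % p)


def equivocate(m, d, m_new, t, q):
    """With trapdoor t, compute D' such that (C, D') opens to m_new,
    by solving m + t*d = m_new + t*d' (mod q)."""
    return (d + (m - m_new) * pow(t, -1, q)) % q


def demo():
    rho, t = csetup()
    c, d = commit(123, rho)                  # commit to a placeholder value
    honest = decommit(c, d, 123, rho)        # correct opening is accepted
    wrong = decommit(c, d, 456, rho)         # same D, other message: rejected
    d2 = equivocate(123, d, 456, t, rho[1])  # trapdoor holder re-opens C
    forged = decommit(c, d2, 456, rho)       # accepted for the new message
    return honest, wrong, forged


if __name__ == "__main__":
    print(demo())
```

Without the trapdoor, producing a second valid opening of the same commitment requires computing $\log_g h$, which is why the parameters are generated by a trusted party in the real protocol.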
 