Cryptography Reference
In-Depth Information
- IssueSetup($1^{\kappa}$)
  1. $I$ does as follows:
     (a) generates $(pk_I, sk_I) \leftarrow \mathsf{ISetup}(1^{\kappa})$;
     (b) publishes $pk_I$ as the system-wide parameters.

The credential issuer generates the parameters for the credential signature scheme, and makes his public key $pk_I$ the system-wide parameters.
- DB-Initialization:
  1. $S$:
     (a) generates $(pk_{DB}, sk_{DB}) \leftarrow \mathsf{Setup}(1^{k}, pk_I)$;
     (b) computes $C_j \leftarrow \mathsf{Encrypt}(pk_{DB}, m_j, \tau_j)$, $j = 1, \ldots, N$;
     (c) computes $(C, D) \leftarrow \mathsf{Commit}(H(C_1, \ldots, C_N))$;
     (d) publishes $(pk_{DB}, C)$ to all users, and simultaneously executes a proof of knowledge
         $PoK_1\{(sk_{DB}) : (pk_{DB}, sk_{DB}) \in \mathsf{Setup}(1^{k}, pk_I)\}$;

The server $S$ first generates the parameters for the blind ABE scheme. Then he encrypts each message in the database by running $\mathsf{Encrypt}(pk_{DB}, m_j, \tau_j)$ to obtain $C_j$, and commits to the ciphertexts $(C_1, \ldots, C_N)$ by using the commitment scheme. Finally he publishes the commitment and the public key $pk_{DB}$ to all users, and simultaneously conducts a proof of knowledge of $sk_{DB}$. Moreover, this proof makes it possible to decrypt the messages of the database in the security proof.
- ObtainCred($\Omega, sk_I; \omega_i, id_i$)
  1. $U_i$: authenticates his identity and attributes $(\omega_i, id)$ to $I$;
  2. $I$:
     (a) for each attribute $a_j \in \omega_i$, computes $cred^{i}_{a_j} \leftarrow \mathsf{IssueCred}(sk_I, (id_i, a_j))$;
     (b) sends $cred_{\omega_i} = \{cred^{i}_{a_j}\}_{a_j \in \omega_i}$ to $U_i$;
  3. $U_i$: verifies each credential by running the $\mathsf{VerifyCred}(pk_I, (id_i, a_j), cred^{i}_{a_j})$ algorithm.

For each attribute $a_j \in \omega_i$, the issuer runs $\mathsf{IssueCred}(sk_I, (id_i, a_j))$ to output $cred^{i}_{a_j}$ as the credential of $a_j$ for $U_i$. Alternatively, the issuer can issue the credentials for all of $U_i$'s attributes at once by running the $\mathsf{IssueCred}(sk_I, (id_i, \{a_j\}_{a_j \in \omega_i}))$ algorithm. By linking each attribute $a_j$ with the user's identity $id_i$ in the credential, the protocol resists collusion attacks by multiple users. This is because, in the Transfer phase below, each user who requests messages must prove that the credentials for the requested attributes are valid and linked with one identity. So if two or more users collude by pooling their credentials, the soundness of the proof of knowledge prevents them from producing a proof that convinces the server that the credentials are linked with one identity. Note that $id_i$ only appears in the user's credentials, and is not involved in the blind ABE scheme as a new attribute.
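
The identity binding described above, as an added example that is not from the original text: each credential is issued over the pair (id_i, a_j), so credentials pooled by two users fail the one-identity check. Assumptions: HMAC-SHA256 stands in for the credential signature scheme (so verification uses the issuer key rather than pk_I), the check runs in the clear rather than inside a zero-knowledge proof, and all function names, user names and attribute names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _encode(user_id, attribute):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") encode differently.
    parts = (user_id.encode(), attribute.encode())
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def issue_cred(sk_issuer, user_id, attribute):
    # Stand-in for IssueCred(sk_I, (id_i, a_j)): HMAC replaces the signature (assumption).
    return hmac.new(sk_issuer, _encode(user_id, attribute), hashlib.sha256).digest()

def verify_cred(sk_issuer, user_id, attribute, cred):
    # Stand-in for VerifyCred; needs the issuer key because HMAC is symmetric.
    return hmac.compare_digest(issue_cred(sk_issuer, user_id, attribute), cred)

def obtain_cred(sk_issuer, user_id, attributes):
    # cred_{omega_i}: one credential per attribute, each bound to the same id_i.
    return {a: (user_id, issue_cred(sk_issuer, user_id, a)) for a in attributes}

def accept_request(sk_issuer, requested, presented):
    # What the Transfer-phase proof must establish, checked here in the clear:
    # every requested attribute has a valid credential, all under one identity.
    identities = set()
    for attribute in requested:
        if attribute not in presented:
            return False
        user_id, cred = presented[attribute]
        if not verify_cred(sk_issuer, user_id, attribute, cred):
            return False
        identities.add(user_id)
    return len(identities) == 1

def demo():
    sk_issuer = secrets.token_bytes(32)
    policy = ["doctor", "cardiology"]          # constructed attribute names
    carol = obtain_cred(sk_issuer, "carol", policy)
    alice = obtain_cred(sk_issuer, "alice", ["doctor"])
    bob = obtain_cred(sk_issuer, "bob", ["cardiology"])
    pooled = {**alice, **bob}                  # colluders pool their credentials
    # Colluders relabel bob's credential as alice's; the tag no longer verifies.
    relabelled = dict(pooled, cardiology=("alice", bob["cardiology"][1]))
    return {
        "honest": accept_request(sk_issuer, policy, carol),
        "pooled": accept_request(sk_issuer, policy, pooled),
        "relabelled": accept_request(sk_issuer, policy, relabelled),
    }
```
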