- $\mathrm{Transfer}(sk_{DB};\ \omega_i)$:
1. $U_i$: verifies $\mathrm{PoK}_1$ and aborts if the verification fails;
2. $U_i$: for each $a_j \in \omega_i$, computes $a'_j \leftarrow \mathrm{Blind}(pk_{DB}, a_j)$, sends $a'_j$ to $S$, and simultaneously conducts a proof of knowledge
   $\mathrm{PoK}_2\{(\omega_i, id, cred_i) : a'_j = \mathrm{Blind}(pk_{DB}, a_j) \wedge cred_{ij} = \mathrm{IssueCred}(sk_I, (id, a_j)),\ \forall a_j \in \omega_i\}$;
3. $S$:
   (a) verifies $\mathrm{PoK}_2$, and aborts if the verification fails;
   (b) computes $sk'_{\omega_i} \leftarrow \mathrm{BKeyGen}(sk_{DB}, \{a'_j\}_{a_j \in \omega_i})$;
   (c) sends $(sk'_{\omega_i}, C_1, \ldots, C_N)$ to $U_i$ and conducts a proof of knowledge
   $\mathrm{PoK}_3\{(D) : \mathrm{Decommit}(H(C_1, \ldots, C_N), C, D) = 1\}$;
4. $U_i$:
   (a) verifies $\mathrm{PoK}_3$ and aborts if the verification fails;
   (b) computes $sk_{\omega_i} \leftarrow \mathrm{Unblind}(sk'_{\omega_i})$ as the private keys for $\omega_i$ and verifies the correctness of the keys; if they do not verify, aborts;
   (c) if $\omega_i$ satisfies none of the $\tau_j$, returns an empty output; otherwise, for each message $m_j$ whose access structure $\tau_j$ is satisfied by $\omega_i$, runs $\mathrm{Decrypt}(C_j, sk_{\omega_i})$ to recover $m_j$. At the end, outputs a message subset $\phi_i \subseteq \{m_1, \ldots, m_N\}$ such that the access control structure of every message in $\phi_i$ is satisfied by $\omega_i$.
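The following is an added illustration, not code from the paper: it models only the user's side of steps 4(a) and 4(c) above. The blind ABE (Blind/BKeyGen/Unblind/Decrypt) and the zero-knowledge proofs are not implemented; in particular $\mathrm{PoK}_3$ is replaced by the server simply handing over the opening $D$ of a hash commitment, which is an assumption made for the toy (in the real protocol $D$ stays hidden). Policies $\tau_j$ are assumed to be monotone formulas in disjunctive normal form, and all attribute names, policies and ciphertext bytes are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample policies tau_j, one per message index j: a policy is a list of
# clauses, and omega satisfies it iff omega contains every attribute of some clause.
POLICIES = {
    1: [{"doctor", "cardiology"}],
    2: [{"nurse"}, {"doctor"}],
    3: [{"admin"}],
}


def satisfies(omega, tau):
    """Monotone DNF evaluation: omega satisfies tau iff some clause is a subset of omega."""
    return any(clause <= omega for clause in tau)


def digest_ciphertexts(ciphertexts):
    """H(C_1, ..., C_N): length-prefixed so that distinct lists cannot collide by concatenation."""
    h = hashlib.sha256()
    for c in ciphertexts:
        h.update(len(c).to_bytes(4, "big"))
        h.update(c)
    return h.digest()


def commit(ciphertexts):
    """Server side (assumed done at initialisation): hash commitment C to the ciphertext list.

    C = SHA256(D || H(C_1..C_N)) with a fresh random opening D (toy commitment, not the paper's scheme).
    """
    D = secrets.token_bytes(32)
    C = hashlib.sha256(D + digest_ciphertexts(ciphertexts)).digest()
    return C, D


def decommit(h, C, D):
    """Decommit(h, C, D) = 1 iff C opens to the digest h under opening D."""
    return hmac.compare_digest(hashlib.sha256(D + h).digest(), C)


def transfer_user_step4(omega, C, ciphertexts, D, policies):
    """User's step 4 with the ABE parts elided: returns the indices j of the ciphertexts to decrypt.

    Raises ValueError where the protocol aborts (the received ciphertexts are not the committed ones).
    An empty result corresponds to the case where omega satisfies none of the policies.
    """
    # 4(a): the user accepts (C_1..C_N) only if they open the server's commitment; this is what
    # stops the server from serving different ciphertexts to different users.
    if not decommit(digest_ciphertexts(ciphertexts), C, D):
        raise ValueError("abort: (C_1..C_N) do not open the commitment C")
    # 4(c): select exactly the messages whose access structure omega satisfies.
    return {j for j, tau in policies.items() if satisfies(omega, tau)}


if __name__ == "__main__":
    cts = [b"ciphertext-1", b"ciphertext-2", b"ciphertext-3"]  # constructed stand-ins for C_j
    C, D = commit(cts)
    print(transfer_user_step4({"doctor", "cardiology"}, C, cts, D, POLICIES))  # {1, 2}
    print(transfer_user_step4({"doctor"}, C, cts, D, POLICIES))                # {2}
    try:
        transfer_user_step4({"doctor"}, C, [b"ciphertext-1", b"tampered", b"ciphertext-3"], D, POLICIES)
    except ValueError as e:
        print(e)
```

Note that two users holding $\{\mathrm{doctor}\}$ and $\{\mathrm{cardiology}\}$ respectively each get nothing for message 1 although the union of their attributes satisfies $\tau_1$; preventing them from combining their ABE keys is exactly what the IND-sAtt-CPA security of the underlying blind ABE is relied on for in the security analysis below, and it is not something this policy-level toy can enforce.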
To retrieve the private keys for an attribute subset, the user and the server engage in the BlindKeyGen protocol for the requested attribute subset. Simultaneously, the user proves to the server, via $\mathrm{PoK}_2$, that he possesses valid credentials for the requested attributes and that these credentials are all bound to one identity. If both the BlindKeyGen protocol and the anonymous credential scheme are secure, and the proof is zero-knowledge, then the server learns nothing about the requested attributes or about the user's identity. Finally, the user obtains the requested private keys from the server and can use them to decrypt whichever of the messages he is authorized for.
Security Analysis. If the underlying blind ABE is IND-sAtt-CPA secure, then colluding users cannot combine their private keys to decrypt a message that none of them would have been able to obtain individually. Since the CAC-OT construction inherits this property directly from the blind ABE, the CAC-OT is likewise resistant against this type of collusion.
In the following, we show that the generic construction for CAC-OT is server-secure and user-secure under the security model presented in Section 3.
Theorem 1. If the underlying blind ABE is IND-sAtt-CPA secure, the commitment scheme is secure, and the proofs of knowledge $\mathrm{PoK}_2$ and $\mathrm{PoK}_3$ are zero-knowledge, then the generic construction for CAC-OT is server-secure.
We give a proof of Theorem 1 in Appendix A.