Cryptography Reference
In-Depth Information
Assume that the attributes set is $\Omega = \{a_1, a_2, \ldots, a_l\}$, where each
$a_j \in \mathbb{Z}_p$. Without loss of generality, we assume that the user $U_i$ has
identity $id_i$ and attributes $\omega_i = \{a_1, \ldots, a_m\}$, where $m \le l$. In the
protocol, the number of each user's attributes may be different. Then during the
Transfer phase, if the server colludes with the issuer, they may guess some
users' identities from the numbers of these users' attributes. So the number of
each user's attributes should be protected against the server and issuer. We
give a solution to this problem as follows: in the Transfer phase, for the user
$U_i$, we model his attributes subset $\omega_i$ as a tuple of $l$ attributes
$\omega_i = \{a_1, a_2, \ldots, a_m, a_{m+1}, \ldots, a_l\} \leftarrow (a_1, a_2, \ldots, a_m, a_1, \ldots, a_1)$.
Thus in the Transfer phase, $U_i$ can make queries to the server and prove that
he has the credentials for the requested attributes without revealing the
number of the attributes. And meanwhile, the user can only obtain the private
keys for his entitled attributes.
- IssueSetup($1^\kappa$)
1. $I$:
(a) generates the keys $(G, G_T, p, e, g_0, y_1, y_2, y_3, y_I; x_I) \leftarrow ISetup(1^\kappa)$;
$pk_I \leftarrow (G, G_T, p, e, g_0, y_1, y_2, y_3, y_I)$; $sk_I \leftarrow x_I$; $y_I \leftarrow g_0^{x_I}$;
(b) publishes $pk_I$ as the system-wide parameters.
- DB-Initialization($\Omega, m_1, \ldots, m_N, \tau_1, \ldots, \tau_N$)
1. $S$:
(a) generates $(g, g_1, g_2, h_1, \ldots, h_l) \leftarrow Setup(1^\kappa, pk_I)$;
$pk_{DB} \leftarrow (g, g_1, g_2, h_1, \ldots, h_l)$; $sk_{DB} \leftarrow \alpha$;
(b) for each $m_j \in G_T$, computes $C_j \leftarrow Encrypt(pk_{DB}, m_j, \tau_j)$, $j = 1, \ldots, N$,
chooses a random value $z \in \mathbb{Z}_p$ and computes $C \leftarrow g^{H(C_1, \ldots, C_N)} h^{z}$;
(c) publishes $(C, pk_{DB})$ to all users, and does a proof of knowledge
$PoK_1\{(\alpha): g_1 = g^{\alpha}\}$;
- ObtainCred($\Omega, x_I$)
1. $U_i$: verifies the $PoK_1$, and aborts if the verification fails;
2. $U_i$: authenticates his identity and attributes $(id_i, \omega_i)$ to $I$;
3. $I$: generates the credentials for $\omega_i$ as follows:
(a) for each attribute $a_j \in \omega_i$, chooses $r_{a_j}, s_{a_j} \in \mathbb{Z}_p$ at random, and
computes $\sigma_{a_j} \leftarrow (g_0 \, y_1^{a_j} \, y_2^{id_i} \, y_3^{r_{a_j}})^{1/(x_I + s_{a_j})}$;
(b) sends $\{(\sigma_{a_j}, r_{a_j}, s_{a_j})\}_{a_j \in \omega_i}$ to $U_i$ as the credential for $\omega_i$;
4. $U_i$: checks whether $e(\sigma_{a_j}, g_0^{s_{a_j}} y_I) = e(g_0 \, y_1^{a_j} \, y_2^{id_i} \, y_3^{r_{a_j}}, g_0)$ holds.
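The credential check in ObtainCred and the attribute padding described at the top of the page, as an added Python example that is not part of the original text. It assumes a toy model in which every group element is stored as its discrete logarithm to base $g_0$ and the pairing as a product of exponents, so it checks the algebra only and gives no security; the function names and the 127-bit prime are assumptions.

```python
import secrets

# Toy exponent-space model (constructed for illustration, NOT secure):
# a group element g0^u is stored as u mod P, and the pairing
# e(g0^u, g0^v) = e(g0, g0)^(u*v) is stored as u*v mod P.
P = 2**127 - 1  # prime standing in for the group order p

def rand_nonzero():
    return secrets.randbelow(P - 1) + 1

def issuer_setup():
    """Return (pk, x_I); pk holds the logs of y1, y2, y3, yI to base g0."""
    x_I = rand_nonzero()
    pk = {"y1": rand_nonzero(), "y2": rand_nonzero(),
          "y3": rand_nonzero(), "yI": x_I}  # yI = g0^x_I
    return pk, x_I

def message_log(pk, ident, a, r):
    """Discrete log of g0 * y1^a * y2^id * y3^r."""
    return (1 + pk["y1"] * a + pk["y2"] * ident + pk["y3"] * r) % P

def issue(pk, x_I, ident, a):
    """Issuer step 3(a): sigma = (g0 y1^a y2^id y3^r)^(1/(x_I + s))."""
    r = secrets.randbelow(P)
    s = secrets.randbelow(P)
    while (x_I + s) % P == 0:  # the exponent x_I + s must be invertible
        s = secrets.randbelow(P)
    sigma = message_log(pk, ident, a, r) * pow(x_I + s, -1, P) % P
    return sigma, r, s

def verify(pk, ident, a, cred):
    """User step 4: e(sigma, g0^s * yI) == e(g0 y1^a y2^id y3^r, g0)."""
    sigma, r, s = cred
    lhs = sigma * ((s + pk["yI"]) % P) % P   # log of e(sigma, g0^s yI)
    rhs = message_log(pk, ident, a, r)       # log of e(..., g0); g0 has log 1
    return lhs == rhs

def pad_attributes(omega_i, l):
    """Model m attributes as the l-tuple (a_1, ..., a_m, a_1, ..., a_1)."""
    if not 0 < len(omega_i) <= l:
        raise ValueError("need 1 <= m <= l")
    return tuple(omega_i) + (omega_i[0],) * (l - len(omega_i))

if __name__ == "__main__":
    pk, x_I = issuer_setup()
    print(verify(pk, 42, 3, issue(pk, x_I, 42, 3)), pad_attributes((3, 7), 5))
```

A credential issued for one attribute and identity fails the check for any other attribute or identity, and the padded tuple always has length $l$, which is what keeps $m$ hidden from the server and issuer.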
- Transfer
1. $U_i$:
(a) models his attribute subset as a tuple $\omega_i = \{a_1, a_2, \ldots, a_m, a_{m+1}, \ldots, a_l\}$;
chooses values $r_1, \ldots, r_l \in \mathbb{Z}_p$ at random, and for $j = 1, \ldots, l$, computes
g a 1 g r j ;
h j