Assume that the attribute set is $\Omega = \{a_1, a_2, \ldots, a_l\}$, where each $a_j \in \mathbb{Z}_p$. Without loss of generality, we assume that the user $U_i$ has identity $id_i$ and attributes $\omega_i = \{a_1, \ldots, a_m\}$, where $m \le l$. In the protocol, the number of attributes may differ from user to user, so during the Transfer phase a server that colludes with the issuer could infer some users' identities from the number of attributes those users hold. The number of each user's attributes should therefore be hidden from both the server and the issuer. We give the following solution to this problem: in the Transfer phase, for the user $U_i$ we model his attribute subset $\omega_i = \{a_1, \ldots, a_m\}$ as a tuple of $l$ attributes

$\omega_i = \{a_1, a_2, \ldots, a_m, a^*_{m+1}, \ldots, a^*_l\} \leftarrow (a_1, a_2, \ldots, a_m, a_1, \ldots, a_1),$

that is, the $l - m$ padding positions are filled with copies of the genuine attribute $a_1$. Thus in the Transfer phase $U_i$ can make queries to the server and prove that he holds the credentials for the requested attributes without revealing how many attributes he has; at the same time, the user can only obtain the private keys for the attributes he is entitled to.
- IssueSetup($1^\kappa$)
1. $I$: (a) generates the keys $(G, G_T, p, e, g_0, y_1, y_2, y_3, y_I; x_I) \leftarrow \mathrm{ISetup}(1^\kappa)$, with $y_I \leftarrow g_0^{x_I}$; sets $pk_I \leftarrow (G, G_T, p, e, g_0, y_1, y_2, y_3, y_I)$ and $sk_I \leftarrow x_I$;
(b) publishes $pk_I$ as the system-wide parameters.
- DB-Initialization($\Omega, m_1, \ldots, m_N, \tau_1, \ldots, \tau_N$)
1. $S$: (a) generates $(g, g_1, g_2, h_1, \ldots, h_l, \alpha) \leftarrow \mathrm{Setup}(1^\kappa, pk_I)$; sets $pk_{DB} \leftarrow (g, g_1, g_2, h_1, \ldots, h_l)$ and $sk_{DB} \leftarrow \alpha$;
(b) for each $m_j \in G_T$, computes $C_j \leftarrow \mathrm{Encrypt}(pk_{DB}, m_j, \tau_j)$ for $j = 1, \ldots, N$, chooses a random value $z \in \mathbb{Z}_p$ and computes $C \leftarrow g^{H(C_1, \ldots, C_N)}\, h^z$;
(c) publishes $(C, pk_{DB})$ to all users, and does a proof of knowledge $PoK_1\{(\alpha) : g_1 = g^\alpha\}$;
- ObtainCred($\Omega, x_I, \omega$)
1. $U_i$: verifies $PoK_1$, and aborts if the verification fails;
2. $U_i$: authenticates his identity and attributes $(id_i, \omega_i)$ to $I$;
3. $I$: generates the credentials for $\omega_i$ as follows:
(a) for each attribute $a_j \in \omega_i$, chooses $r_{a_j}, s_{a_j} \in \mathbb{Z}_p$ at random, and computes $\sigma_{a_j} \leftarrow \left(g_0\, y_1^{a_j}\, y_2^{id_i}\, y_3^{r_{a_j}}\right)^{1/(x_I + s_{a_j})}$;
(b) sends $\{(\sigma_{a_j}, r_{a_j}, s_{a_j})\}_{a_j \in \omega_i}$ to $U_i$ as the credential for $\omega_i$;
4. $U_i$: checks whether $e(\sigma_{a_j}, g_0^{s_{a_j}}\, y_I) = e(g_0\, y_1^{a_j}\, y_2^{id_i}\, y_3^{r_{a_j}}, g_0)$ holds.
- Transfer
1. $U_i$: (a) models his attribute subset as a tuple $\omega_i = \{a_1, a_2, \ldots, a_m, a^*_{m+1}, \ldots, a^*_l\}$; chooses values $r_1, \ldots, r_l \in \mathbb{Z}_p$ at random, and for $j = 1, \ldots, l$, computes $h_j \leftarrow g_1^{a_j}\, g^{r_j}$;
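The following is an added example, not code from the paper, showing the padding idea from the introduction together with step 1(a) of the Transfer phase: the user's attribute subset is stretched to a fixed length $l$ by repeating $a_1$, and each slot is committed to as $h_j \leftarrow g_1^{a_j} g^{r_j}$, so users with different attribute counts present the same number of commitments. It assumes a constructed toy Schnorr group (a prime-order subgroup of $\mathbb{Z}_P^*$) in place of the paper's bilinear group, and the names pad_attributes, commit, transfer_commitments and only_entitled are the example's own.

```python
import secrets

# Constructed toy group standing in for the paper's bilinear group G: the order-Q
# subgroup of Z_P^* with P = 2Q + 1 a safe prime. Parameters are far too small for
# real use; they only make the arithmetic visible.
P = 10007
Q = 5003
G = 4    # generator g of the order-Q subgroup (a non-trivial square mod P)
G1 = 9   # second generator g_1; in the paper it comes from Setup(1^kappa, pk_I)

def pad_attributes(omega, l):
    """Model omega_i = {a_1..a_m} as a tuple of l attributes by repeating a_1
    in the l - m padding slots (a*_{m+1}, ..., a*_l <- a_1, ..., a_1)."""
    m = len(omega)
    if m == 0 or m > l:
        raise ValueError("need 1 <= m <= l")
    return tuple(omega) + (omega[0],) * (l - m)

def commit(a, r):
    """h_j <- g_1^{a_j} g^{r_j}: a Pedersen commitment to attribute a with opening r."""
    return pow(G1, a % Q, P) * pow(G, r % Q, P) % P

def verify_opening(h, a, r):
    """Check that (a, r) opens the commitment h."""
    return commit(a, r) == h

def transfer_commitments(omega, l, randomness=None):
    """Step 1(a) of Transfer: pad to l attributes, pick r_1..r_l, commit to each slot.
    randomness may be supplied for reproducibility; otherwise fresh values are drawn."""
    padded = pad_attributes(omega, l)
    rs = list(randomness) if randomness is not None else [secrets.randbelow(Q) for _ in range(l)]
    if len(rs) != l:
        raise ValueError("need exactly l random values")
    hs = [commit(a, r) for a, r in zip(padded, rs)]
    return padded, rs, hs

def only_entitled(padded, omega):
    """Every committed slot must hold an attribute the user actually owns, so the
    padding cannot be used to request keys for attributes outside omega_i."""
    return all(a in set(omega) for a in padded)

if __name__ == "__main__":
    # Two constructed users with different attribute counts both send l = 5 commitments.
    for omega in ([11, 22], [11, 22, 33, 44]):
        padded, rs, hs = transfer_commitments(omega, l=5)
        assert len(hs) == 5 and only_entitled(padded, omega)
        print(omega, "->", padded, "commitments:", len(hs))
```

Because each padding slot reuses a genuine attribute under fresh randomness, the commitments for a padded slot look no different from those of a real one, which is what hides $m$ from the server and issuer.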