Lecture Notes in Computer Science 5185
A User-Centric Protocol for Conditional Anonymity Revocation 189
$Cipher_{VE\text{-}id_a} = Enc_{VE}(id_a; Conditions; K^{ARM}_{public\text{-}VE})$. Then, a PK is executed to prove that $c_{id_a}$ is the commitment for $id_a$ contained in $Cert_1$ issued by $CertificateIssuer_1$ (this is achieved by using the proof-of-knowledge-of-a-signature-on-committed-messages technique based on either the SRSA-CL or BM-CL signature scheme, depending on which signature scheme $Cert_1$ is generated with; see [7, 9] for details). This PK also proves that $Cipher_{VE\text{-}id_a}$ is an encryption of the $id_a$ hidden in $c_{id_a}$, under the ARM public key:

$$PK\{(Cert_1, id_a) : c_{id_a} = Commit(id_a, r) \wedge VerifySign(id_a, m_b, \ldots, m_i; K^{CertificateIssuer_1}_{verify}) = 1 \wedge Cipher_{VE\text{-}id_a} = Enc_{VE}(id_a; Conditions; K^{ARM}_{public\text{-}VE})\} \quad (1)$$
Protocol (1) allows a user to provide a verifiable encryption of $id_a$ without the verifier learning its value, while the verifier is still convinced that $Cipher_{VE\text{-}id_a}$ contains $id_a$.¹ However, $Cipher_{VE\text{-}id_a}$ can be trivially decrypted by the ARM without the user's knowledge, and there is no enforcement of the fulfillment of $Conditions$. Our UC-ARP protocol seeks to reduce the trust placed in the ARM.
Universal Custodian Hiding Verifiable Encryption (UCHVE): The UCHVE scheme [4] is used in 1Rh-UC-ARP. Consider a discrete log relation $y = g^x$ ($y$ and $g$ are known to the verifier, but the discrete log value $x$ is private to a prover). For a group $R$ of $n$ referee members, the UCHVE encryption scheme allows a user to verifiably encrypt $x$ to some designated $t$ members from a subset group $T \subset R$, with any $k$ out of these $t$ members required to work jointly to recover $x$ ($1 \le k \le t \le n$). $T$ can be formed spontaneously, and the members of $T$ can differ from session to session. The identities of the members of $T$ are hidden. A verifier can only verify that the ciphertext received from a prover correctly encrypts $x$, in relation to the known values $y$ and $g$, and that any $k$ members of $T$ have to work together to recover $x$; the verifier learns neither the identity of the members of $T$ nor the value of $x$. This encryption is denoted as $Enc_{UCHVE}(k, t, n)$. If $k = t$, that is, $Enc_{UCHVE}(t, t, n)$, then the encrypted message can be recovered only when all $t$ members of $T$ work together.
For the members of $T$, $t$ well-formed ciphertext pieces are generated, each encrypted using the corresponding member of $T$'s public key. For the members of $R$ not in $T$, $n - t$ random values are chosen from specific domains such that they are indistinguishable from the well-formed pieces. Either way, there is a total of $n$ ciphertext pieces (well-formed + random). Intuitively, the UCHVE scheme takes substantial resources to perform, and therefore its use should be kept to a minimum.

To recover $x$ (assuming that $k = t$), every member of $R$ first has to verify whether he or she is a member of $T$ by applying validation checking to the given ciphertext pieces (details in [4]). For members of $R$ in $T$, this checking succeeds, and thus they can decrypt the given ciphertext and produce a share. For members of $R$ not in $T$, this checking fails, so they output reject and stop. Once these $t$ shares are collected, they are used as input to a particular function
¹ This protocol applies to any number of personal data items, not restricted to only $id_a$.
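The following is an added toy model of the UCHVE piece structure described in the two paragraphs above; it is not the scheme of [4] nor code from the paper. It shows the parts a practitioner needs to see together: $t$ well-formed pieces for the hidden subset $T$, $n - t$ random pieces of identical length for the rest of $R$, a per-referee validation check that succeeds only for members of $T$, and recovery of $x$ that needs all $t$ shares when $k = t$. Assumptions made for the toy: each referee holds a symmetric key (standing in for the public key a real UCHVE piece is encrypted under), pieces are authenticated with HMAC so that validation is a tag check, shares are XOR shares (the $k = t$ case), and the zero-knowledge proof that the pieces encrypt the $x$ of $y = g^x$ is not modelled; the relation is only checked after recovery. The modulus, generator and all keys are constructed values.

```python
"""Toy model of UCHVE piece handling (added illustration, not the scheme of [4]):
n pieces, t of them well-formed for the hidden subset T, membership validation
by each referee, and recovery of x from the t shares when k = t."""
import hashlib
import hmac
import secrets

# Constructed discrete-log instance y = g^x mod P; x stays private to the prover.
P = 2**127 - 1          # Mersenne prime used as the toy group modulus (assumption)
G = 5                   # generator for the toy (assumption)
SHARE_LEN = 16          # x is chosen to fit in 16 bytes
NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes) -> bytes:
    """One-time pad derived from a referee's key and a fresh nonce."""
    return hashlib.sha256(key + nonce).digest()[:SHARE_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_pieces(x: int, referee_keys: list, members_of_t: list) -> list:
    """Return n pieces, one per referee index: well-formed pieces for T, random
    pieces for R \\ T. With k = t, x is split into t XOR shares."""
    n, t = len(referee_keys), len(members_of_t)
    shares = [secrets.token_bytes(SHARE_LEN) for _ in range(t - 1)]
    last = x.to_bytes(SHARE_LEN, "big")
    for s in shares:                 # last share makes the XOR of all shares equal x
        last = xor(last, s)
    shares.append(last)
    share_iter = iter(shares)
    pieces = []
    for idx in range(n):
        if idx in members_of_t:
            key = referee_keys[idx]
            nonce = secrets.token_bytes(NONCE_LEN)
            ct = xor(next(share_iter), keystream(key, nonce))
            tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
            pieces.append(nonce + ct + tag)
        else:
            # Same length and uniform-looking bytes, so an observer cannot tell
            # which of the n referees are the t custodians.
            pieces.append(secrets.token_bytes(NONCE_LEN + SHARE_LEN + TAG_LEN))
    return pieces


def validate_and_share(key: bytes, piece: bytes):
    """Referee-side validation check: returns the decrypted share if the piece
    was formed under this referee's key, else None (reject and stop)."""
    nonce = piece[:NONCE_LEN]
    ct = piece[NONCE_LEN:NONCE_LEN + SHARE_LEN]
    tag = piece[NONCE_LEN + SHARE_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor(ct, keystream(key, nonce))


def recover(shares: list, t: int):
    """Combine shares; with k = t, fewer than t shares yield nothing."""
    if len(shares) < t:
        return None
    acc = bytes(SHARE_LEN)
    for s in shares:
        acc = xor(acc, s)
    return int.from_bytes(acc, "big")


def demo(n: int = 7, members_of_t=(1, 3, 6)) -> dict:
    """One session: encrypt x to the referees at the given indices, let every
    referee run validation, recover x, and check the verifier relation y = g^x."""
    members_of_t = list(members_of_t)
    x = secrets.randbelow(2**120)
    y = pow(G, x, P)
    referee_keys = [secrets.token_bytes(32) for _ in range(n)]
    pieces = make_pieces(x, referee_keys, members_of_t)
    results = {i: validate_and_share(referee_keys[i], pieces[i]) for i in range(n)}
    accepted = {i for i, share in results.items() if share is not None}
    shares = [results[i] for i in sorted(accepted)]
    recovered = recover(shares, len(members_of_t))
    return {
        "accepted": accepted,                       # should equal set(members_of_t)
        "recovered_ok": recovered == x and pow(G, recovered, P) == y,
        "partial_fails": recover(shares[:-1], len(members_of_t)) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the shape of the recovery protocol rather than its cryptography: only the referees whose key authenticates their piece learn that they are custodians, nobody else can distinguish a random piece from a real one by inspection, and with $k = t$ any missing custodian blocks recovery entirely.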