Functional Credentials

Abstract A functional credential allows a user to anonymously prove possession of a set of attributes that fulfills a certain policy. The policies are arbitrary polynomially computable predicates that are evaluated over arbitrary attributes. The key feature of this primitive is the delegation of verification to third parties, called designated verifiers. The delegation protects the privacy of the policy: A designated verifier can verify that a user satisfies a certain policy without learning anything about the policy itself. We illustrate the usefulness of this property in different applications, including outsourced databases with access control. We present a new framework to construct functional credentials that does not require (non-interactive) zero-knowledge proofs. This is important in settings where the statements are complex and thus the resulting zero-knowledge proofs are not efficient. Our construction is based on any predicate encryption scheme and the security relies on standard assumptions. A complexity analysis and an experimental evaluation confirm the practicality of our approach.

Download Full-text

Publicly auditable conditional blind signatures

Journal of Computer Security ◽

10.3233/jcs-181270 ◽

2021 ◽

Vol 29 (2) ◽

pp. 229-271

Author(s):

Panagiotis Grontas ◽

Aris Pagourtzis ◽

Alexandros Zacharakis ◽

Bingsheng Zhang

Keyword(s):

Proof Of Concept ◽

Equivalence Test ◽

Zero Knowledge ◽

Private Key ◽

Blind Signatures ◽

Cryptographic Primitive ◽

Security Properties ◽

Designated Verifier

This work formalizes Publicly Auditable Conditional Blind Signatures (PACBS), a new cryptographic primitive that allows the verifiable issuance of blind signatures, the validity of which is contingent upon a predicate and decided by a designated verifier. In particular, when a user requests the signing of a message, blinded to protect her privacy, the signer embeds data in the signature that makes it valid if and only if a condition holds. A verifier, identified by a private key, can check the signature and learn the value of the predicate. Auditability mechanisms in the form of non-interactive zero-knowledge proofs are provided, so that a cheating signer cannot issue arbitrary signatures and a cheating verifier cannot ignore the embedded condition. The security properties of this new primitive are defined using cryptographic games. A proof-of-concept construction, based on the Okamoto–Schnorr blind signatures infused with a plaintext equivalence test is presented and its security is analyzed.

Download Full-text

An access control model for the Internet of Things based on zero-knowledge token and blockchain

EURASIP Journal on Wireless Communications and Networking ◽

10.1186/s13638-021-01986-4 ◽

2021 ◽

Vol 2021 (1) ◽

Author(s):

Lihua Song ◽

Xinran Ju ◽

Zongke Zhu ◽

Mengchen Li

Keyword(s):

Internet Of Things ◽

Access Control ◽

Single Point ◽

Control Model ◽

Third Party ◽

Security Level ◽

Zero Knowledge ◽

Access Control Model ◽

Test Analysis ◽

Zero Knowledge Proof

AbstractInformation security has become a hot topic in Internet of Things (IoT), and traditional centralized access control models are faced with threats such as single point failure, internal attack, and central leak. In this paper, we propose a model to improve the access control security of the IoT, which is based on zero-knowledge proof and smart contract technology in the blockchain. Firstly, we deploy attribute information of access control in the blockchain, which relieves the pressure and credibility problem brought by the third-party information concentration. Secondly, encrypted access control token is used to gain the access permission of the resources, which makes the user's identity invisible and effectively avoids attribute ownership exposure problem. Besides, the use of smart contracts solves the problem of low computing efficiency of IoT devices and the waste of blockchain computing power resources. Finally, a prototype of IoT access control system based on blockchain and zero-knowledge proof technology is implemented. The test analysis results show that the model achieves effective attribute privacy protection, compared with the Attribute-Based Access Control model of the same security level, the access efficiency increases linearly with the increase of access scale.

Download Full-text

Convertible Authenticated Encryption Scheme with Hierarchical Access Control

Applied Mathematics & Information Sciences ◽

10.12785/amis/080338 ◽

2014 ◽

Vol 8 (3) ◽

pp. 1239-1246 ◽

Cited By ~ 3

Author(s):

Chien-Lung Hsu ◽

Han-Yu Lin

Keyword(s):

Access Control ◽

Encryption Scheme ◽

Authenticated Encryption

Download Full-text

Exploring Type-and-Identity-Based Proxy Re-Encryption Scheme to Securely Manage Personal Health Records

International Journal of Computational Models and Algorithms in Medicine ◽

10.4018/jcmam.2010040101 ◽

2010 ◽

Vol 1 (2) ◽

pp. 1-21

Author(s):

Luan Ibraimi ◽

Qiang Tang ◽

Pieter Hartel ◽

Willem Jonker

Keyword(s):

Access Control ◽

Health Data ◽

Third Party ◽

Personal Health ◽

Encryption Scheme ◽

Health Records ◽

Web Based ◽

The Third ◽

Access Control Policies ◽

Identity Based

Commercial Web-based Personal-Health Record (PHR) systems can help patients to share their personal health records (PHRs) anytime from anywhere. PHRs are very sensitive data and an inappropriate disclosure may cause serious problems to an individual. Therefore commercial Web-based PHR systems have to ensure that the patient health data is secured using state-of-the-art mechanisms. In current commercial PHR systems, even though patients have the power to define the access control policy on who can access their data, patients have to trust entirely the access-control manager of the commercial PHR system to properly enforce these policies. Therefore patients hesitate to upload their health data to these systems as the data is processed unencrypted on untrusted platforms. Recent proposals on enforcing access control policies exploit the use of encryption techniques to enforce access control policies. In such systems, information is stored in an encrypted form by the third party and there is no need for an access control manager. This implies that data remains confidential even if the database maintained by the third party is compromised. In this paper we propose a new encryption technique called a type-and-identity-based proxy re-encryption scheme which is suitable to be used in the healthcare setting. The proposed scheme allows users (patients) to securely store their PHRs on commercial Web-based PHRs, and securely share their PHRs with other users (doctors).

Download Full-text

An Attribute-Based Searchable Encryption Scheme for Non-Monotonic Access Structure

Handbook of Research on Intrusion Detection Systems - Advances in Information Security, Privacy, and Ethics ◽

10.4018/978-1-7998-2242-4.ch013 ◽

2020 ◽

pp. 263-283 ◽

Cited By ~ 1

Author(s):

Mamta ◽

Brij B. Gupta

Keyword(s):

Access Control ◽

Searchable Encryption ◽

Access Structure ◽

Encryption Scheme ◽

Security Model ◽

Secret Key ◽

Fine Grained ◽

Diffie Hellman ◽

Attribute Based Encryption ◽

Encryption Schemes

Attribute based encryption (ABE) is a widely used technique with tremendous application in cloud computing because it provides fine-grained access control capability. Owing to this property, it is emerging as a popular technique in the area of searchable encryption where the fine-grained access control is used to determine the search capabilities of a user. But, in the searchable encryption schemes developed using ABE it is assumed that the access structure is monotonic which contains AND, OR and threshold gates. Many ABE schemes have been developed for non-monotonic access structure which supports NOT gate, but this is the first attempt to develop a searchable encryption scheme for the same. The proposed scheme results in fast search and generates secret key and search token of constant size and also the ciphertext components are quite fewer than the number of attributes involved. The proposed scheme is proven secure against chosen keyword attack (CKA) in selective security model under Decisional Bilinear Diffie-Hellman (DBDH) assumption.

Download Full-text

A Pairing-Based Three-Party Authenticated Encryption Scheme without Shared Secrets

Symmetry ◽

10.3390/sym11050605 ◽

2019 ◽

Vol 11 (5) ◽

pp. 605

Author(s):

Han-Yu Lin

Keyword(s):

Computational Efficiency ◽

Encryption Scheme ◽

Authenticated Encryption ◽

Random Oracles ◽

Comparison Results ◽

Communication Environments ◽

Single User ◽

Designated Verifier

The Traditional Authenticated Encryption (AE) scheme is a single-user cryptographic mechanism which only enables one designated verifier to authenticate the ciphertext. Although several group-oriented AE variants have also been proposed to eliminate such a limitation, they require shared verification. This motivated us to think of a scenario of three-party communication environments where each party runs independent processes without cooperation. In this paper, we realize a novel three-party AE (abbreviated to TPAE) scheme in which two designated verifiers can solely decrypt the same ciphertext and then inspect the validity of embedded signature. Additionally, we also show that our TPAE construction is computationally secure using the well-defined IND-CCA2 and the EF-CMA adversary games in the proof model of random oracles. The comparison results will demonstrate the computational efficiency of our mechanism.

Download Full-text

Access control scheme with tracing for outsourced databases

Frontiers of Computer Science ◽

10.1007/s11704-012-1193-0 ◽

2012 ◽

Vol 6 (6) ◽

pp. 677-685

Author(s):

Xiaoming Wang ◽

Guoxiang Yao

Keyword(s):

Access Control ◽

Control Scheme ◽

Outsourced Databases

Download Full-text

Proxy Re-Encryption Scheme For Complicated Access Control Factors Description in Hybrid Cloud

ICC 2020 - 2020 IEEE International Conference on Communications (ICC) ◽

10.1109/icc40277.2020.9149306 ◽

2020 ◽

Author(s):

Zheng Lian ◽

Mang Su ◽

Anmin Fu ◽

Huaqun Wang ◽

Chunyi Zhou

Keyword(s):

Access Control ◽

Encryption Scheme ◽

Hybrid Cloud ◽

Control Factors

Download Full-text

MOONACS: a mobile on-/offline NFC-based physical access control system

International Journal of Pervasive Computing and Communications ◽

10.1108/ijpcc-01-2016-0012 ◽

2016 ◽

Vol 12 (1) ◽

pp. 2-22

Author(s):

Dominik Gruntz ◽

Christof Arnosti ◽

Marco Hauri

Keyword(s):

Control System ◽

Access Control ◽

Mobile Phone ◽

Third Parties ◽

Content Type ◽

Access Points ◽

Access Request ◽

Access Control System ◽

Physical Access ◽

Secure Element

Purpose The purpose of this paper is to present a smartphone-based physical access control system in which the access points are not directly connected to a central authorization server, but rather use the connectivity of the mobile phone to authorize a user access request online by a central access server. The access points ask the mobile phone whether a particular user has access or not. The mobile phone then relays such a request to the access server or presents an offline ticket. One of the basic requirements of our solution is the independence from third parties like mobile network operators, trusted service managers and handset manufacturers. Design/methodology/approach The authentication of the smartphone is based on public key cryptography. This requires that the private key is stored in a secure element or in a trusted execution environment to prevent identity theft. However, due to the intended independence from third parties, subscriber identity module (SIM)-based secure elements and embedded secure elements (i.e. separate hardware chips on the handset) were not an option and only one of the remaining secure element architectures could be used: host card emulation (HCE) or a microSD-based secure element. Findings This paper describes the implementation of such a physical access control system and discusses its security properties. In particular, it is shown that the HCE approach cannot solve the relay attack under conservative security assumptions and an implementation based on a microSD secure element is presented and discussed. Moreover, the paper also describes an offline solution which can be used if the smartphone is not connected to the access server. In this case, an access token is sent to the access point in response to an access request. These tokens are renewed regularly and automatically whenever the smartphone is connected. Originality/value In this paper, a physical access control system is presented which operates as fast as existing card-based solutions. By using a microSD-based secure element (SE), the authors were able to prevent the software relay attack. This solution is not restricted to microSD-based SEs, it could also be implemented with SIM-based or embedded secure elements (with the consequence that the solution depends on third parties).

Download Full-text