A Research on Anonymous Attribute-based Cryptosystems
Information security technology is used to protect confidentiality, integrity, and availability. Several services that incorporate information security technology are now provided, such as SUICA (Super Urban Intelligent CArd) and ETC (Electronic Toll Collection System). In other words, research on information security technology is useful for improving the electronic society. Recently, Attribute-Based Encryption (ABE) and Attribute-Based Group Signature (ABGS) have been proposed as extensions of Identity-Based Encryption (IBE) and group signatures, respectively. ABE is an encryption scheme in which users who hold certain attributes can decrypt a ciphertext associated with those attributes. ABE thus covers multiple recipients who share common attributes (one attribute, many users). ABGS is a kind of group signature in which a user with a set of attributes can prove anonymously whether he/she has these attributes or not. Some schemes based on user identities have the restriction that an encryptor can designate only a single decryptor. Treating user attributes therefore has an advantage: an encryptor can compute ciphertexts without identifying each individual user, and can take the user's privacy into account.
In this research, we propose an ABE scheme, an ABGS scheme, and a k-Times Anonymous Authentication (k-TAA) scheme, which are characterized as follows. Our ABE achieves a constant ciphertext length and a constant number of pairing computations, and CCA security with approximately 1/10 overhead compared with previous schemes. Our ABGS is the first dynamic ABGS, in which the relationships among attributes can be changed after the setup phase. Owing to this dynamic property, our ABGS is efficient in that the attribute certificates previously issued to each user do not need to be re-issued. Our k-TAA provides selectability of the allowable number, where an allowable number k can be assigned to each user. We introduce a relaxed security notion called relaxed anonymity, which provides an intermediate level of privacy between total anonymity and linkability. Under relaxed anonymity, a user's taste is not exposed among different APs. Our selectable k-TAA scheme achieves a constant proving cost with constant-size public and secret keys, without increasing the number of secret and public keys. We argue that these efficiencies are due to relaxed anonymity offering a tradeoff between privacy preservation and efficiency.