Show description

Proof Because the data are encrypted by owners, it is obvious that the server cannot decrypt the data without the owners’ secret key. The secret hash key and the secret tag key are kept secret to the server and the server cannot deduce them based on the received information during the auditing procedure. Therefore, the data and the secret tag key are confidential against the server in the auditing protocols. On the auditor side, it can only get the product of all the challenged data tags from the tag proof TP.

G(a ) , g(a q q+2 ) , . . , g(a ∀1≤j≤q gs·bj , ga/bj , . . , g(a q /b j) ∀1≤j,k≤q,k=j ga·s·bk /bj , . . , g(a 2q ) , g(a q ·s·b q+2 /b k /bj ) j) , . . , g(a 2q /b j) ), q+1 it must be hard to distinguish a valid tuple e(g, g)a s ∈ GT from a random element R in GT . An algorithm B that outputs z ∈ {0, 1} has advantage ε in solving q-parallel BDHE in G if Pr[B(y, T = e(g, g)a q+1 s ) = 0] − Pr[B(y, T = R) = 0] ≥ ε. 3 The decisional q-parallel BDHE assumption holds if no polynomial time algorithm has a non-negligible advantage in solving the q-parallel BDHE problem.

Note that for unauthorized sets, no such constants {wi } exist. 3 Bilinear Pairing Let G1 , G2 and GT be three multiplicative groups with the same prime order p. A bilinear map is a map e : G1 × G2 → GT with the following properties: 1. Bilinearity: e(ua , vb ) = e(u, v)ab for all u ∈ G1 , v ∈ G2 and a, b ∈ Zp . 2. Non-degeneracy: There exist u ∈ G1 , v ∈ G2 such that e(u, v) = I, where I is the identity element of GT . 3. Computability: e can be computed in an efficient way. 42 3 ABAC: Attribute-Based Access Control Such a bilinear map is called a bilinear pairing.