OACerts: Oblivious Attribute Certificates
October-December 2006 (vol. 3 no. 4)
pp. 340-352
Ninghui Li, IEEE
We propose Oblivious Attribute Certificates (OACerts), an attribute certificate scheme in which a certificate holder can select which attributes to use and how to use them. In particular, a user can use the attribute values stored in an OACert obliviously, i.e., the user obtains a service if and only if the attribute values satisfy the policy of the service provider, yet the service provider learns nothing about these attribute values. In this way, the service provider's access control policy is enforced in an oblivious fashion. To enable oblivious access control using OACerts, we propose a new cryptographic primitive called Oblivious Commitment-Based Envelope (OCBE). In an OCBE scheme, Bob has an attribute value committed to Alice, and Alice runs a protocol with Bob to send an envelope (an encrypted message) to Bob such that: 1) Bob can open the envelope if and only if his committed attribute value satisfies a predicate chosen by Alice, and 2) Alice learns nothing about Bob's attribute value. We develop provably secure and efficient OCBE protocols for the Pedersen commitment scheme and comparison predicates, as well as logical combinations of them.


Index Terms:
Security and privacy protection, access controls, privacy, cryptographic controls.
Jiangtao Li, Ninghui Li, "OACerts: Oblivious Attribute Certificates," IEEE Transactions on Dependable and Secure Computing, vol. 3, no. 4, pp. 340-352, Oct.-Dec. 2006, doi:10.1109/TDSC.2006.54