Hidden credential retrieval without random oracles

Abstract

To address the question of secure and efficient management of the access credentials so that a user can store and retrieve them using a 'short and easy-to-remember' password in a connected world, X. Boyen proposed a user-centric model in ASIACCS'09, named Hidden Credential Retrieval (HCR). The protocol was shown secure under random-oracle model. However, the construction does not explicitly prevent an HCR server from colluding with the third party service provider (i.e., an online bank), which can result into retrieving the hidden credential without the user's participation. In this paper, we show the HCR construction without the random-oracles with enhanced properties based on Okamoto's blind signature scheme proposed in TCC'06. For the "Insider attack" model, we provide the attacker (server) with more computational ability in trying to recover the plaintext message from the ciphertext that has been stored in the server by the user, being completely offline. Moreover, we include an explicit notion of identity ID that is useful in practice, so that the server knows whose encrypted credential is to be used in the protocol. © 2011 Springer-Verlag.