F2P-ABS: A Fast and Secure Attribute-Based Signature for Mobile Platforms

Lin, Guofeng; Xia, Yunhao; Ying, Chun; Sun, Zhixin

doi:https://doi.org/10.1155/2019/5380710

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2019 | Article ID 5380710 | https://doi.org/10.1155/2019/5380710

F2P-ABS: A Fast and Secure Attribute-Based Signature for Mobile Platforms

Guofeng Lin,^1,2Yunhao Xia,²Chun Ying,³and Zhixin Sun^1,2

Academic Editor: Angel M. Del Rey

Received10 Jul 2019

Accepted14 Nov 2019

Published19 Dec 2019

Abstract

Attribute-based signature (ABS) is a promising cryptographic primitive. It allows the signer to generate a signature with attributes satisfying the predicate without leaking more information, so as to provide message authenticity in an anonymous manner. However, drawbacks concerning security and efficiency hinder its applications for authentication in mobile platforms. Here, we present F2P-ABS, an escrow-free and pairing-free attribute-based signature supporting perfect signer privacy for mobile anonymous authentication. To enhance its adaptiveness to mobile platforms, a novel key extraction is proposed so that the key escrow problem is mitigated over the single authority setting. It also helps to remarkably reduce the size of the signing key. Different from existing schemes, F2P-ABS is free from pairing operations. It performs no pairing operation for verification. Without the loss of security, we prove that F2P-ABS achieves signer privacy in perfect sense. It is also proven to guarantee existential unforgeability under corrupted and adaptive chosen predicate and message attack, which is securer than existing schemes.

1. Introduction

Nowadays, with rapid development of computer network, electrical messaging services have been widely used in industry, e-commerce, medical treatment, and so on. In order to reduce management cost, cloud-based messaging is gradually getting prevailing [1]. As a result, more and more messages are transferred by off-premise infrastructure that some organizations jointly held. Such an open environment makes it highly possible to be under persistent threat of tamper attack [2, 3].

Attribute-based signature (ABS) [4] is a variation of digital signature, which is one of the most promising cryptographic primitives. ABS stems from the identity-based signature [5, 6] but describes the signer by a set of attributes instead of a single unique identity. To endorse a message, the signer is allowed to generate a signature with his/her attributes satisfying the predicate without leaking other information. Providing data authenticity in this anonymous manner [7], ABS has been brought into much focus. It is widely accepted to build cloud-based messaging services [8–10], which make management of dynamic environment easier.

In terms of security, ABS inherently suffers from key escrow problem [11–14]. Having the absolute power to generate and issue signing keys, the attribute authority is required to be fully trusted. If got compromised, the attribute authority can forge signatures associated with any tampered messages. As a result, the whole system would be broken. Furthermore, electrical messaging services are now being mobilized with the popularity of wireless networks and smart devices. But, the resource limitation of power and computation is still a bottleneck. Existing ABS schemes have to consume much resource. For one thing, large numbers of pairing computation are involved for verification. For example, performing one pairing operation based on 512-bit Tate pairing costs about 2 times of time than performing one exponentiation on a 1024-bit module [15]. For another thing, the size of the signing key is challenging the storage capacity of signing devices such as edge nodes in the Internet of Things. If existing ABS schemes are deployed in such a mobile platform, the cost of time and other resources would be unacceptable when a large universe of attributes was involved in.

1.1. Related Work

Sahai and Waters [16] first introduced a fuzzy identity-based encryption as an extension of identity-based cryptography [5]. The user is identified by a set of attributes and capable of decrypting a ciphertext if the distance between this attribute set and the one embedded into the ciphertext is close enough. Their construction indicated a novel cryptographic primitive called attribute-based encryption. Goyal et al. [17] proposed a key-policy attribute-based encryption (KP-ABE) using a tree-based access policy. For KP-ABE, the ciphertext is associated with an attribute set while the private key is associated with an access policy. Bethencourt et al. [18] proposed a ciphertext-policy attribute-based encryption (CP-ABE), in which the ciphertext is associated with an access policy while the private key is associated with an attribute set. To allow the data owner to flexibly define access policy before encryption, their construction is more complicated than [17]. Chow [11] indicated a major drawback comes when deploying public key cryptosystem is the key escrow problem that the single key generation center could decrypt any message addressed to a user by generating that user’s private key. To address this problem in ABE, Chase and Chow [12] proposed a multiauthority scheme in which each authority secretly holds a unique secret. For key generation, each authority must communicate with the rest of authorities. Even if authorities corrupted, where is the number of authorities, it poses no threat to confidentiality of ciphertext at all. However, it results in communication overhead for each time of key generation. Zhang et al. [19] provided an improvement of [12] to reduce the size of keys, and more importantly, it deployed only one subauthority to generate keys by its interactions with the key authority. Hur [13] introduced a two-party computational protocol (2PC) between the key authority and the data-storing center for key issuing. His construction was a novel solution but failed to show more details about how 2PC works. Lin et al. [9] presented a collaborative key management protocol that prevents ABE-based data sharing system from key escrow and key exposure, which relies on much bilinear computation.

ABS is a new attribute-based cryptographic primitive that stems from ABE. In ABS, a signer who possesses a set of attributes from the attribute authority can sign a message with a predicate that is satisfied by his attributes. It can be noted that predicate in ABS generally indicates the access policy or access structure. Waters [20] transformed IBE to an identity-based signature (IBS) through a method proposed in [5]. After that, Yang et al. [21] first proposed a fuzzy identity-based signature (FIBE), in which the signer can endorse a message on behalf of an organization if his or her identity is similar enough to the claimed predicate. Yang et al.’s scheme is of some basic functions of ABS but does not guarantee signer privacy. Maji et al. [4] first formulated ABS with formal security definitions of existential unforgeability and signer privacy. Moreover, they built the predicate by monotone span program to provide flexible access control and the multiauthority construction to avoid leaking secrets when the attribute authority gets corrupted. However, they just proved security in the generic group model. It can be noted that those schemes stated above are generally considered as laying a theoretical foundation of ABS. Li et al. [22] proposed an ABS scheme with one central attribute authority and a group of distributed attribute authority, which, respectively, generate different components of a signing key. Although they provided provable security in the standard model, the construction is lack of expressiveness due to threshold predicate. To improve efficiency, a novel threshold ABS with a constant size signature was proposed [23]. For the -ABS scheme, each signature contains just two elements from group . And, for the -ABS scheme, the signature size is linear in the number of signing attributes. Su et al. [24] proposed an efficient ABS scheme for Internet of Things that provides flexible access control. It supports any predicate consists of AND and OR threshold gates. Li et al. [25] indicated that, to guarantee integrity of outsourced data, the server needs to respond to mass authentication requests when receiving data from large numbers of users. It sets a huge challenge for performance of the server due to large numbers of bilinear pairing operations in authentication. They proposed a novel ABS that supports verifying different signatures in a batch manner so as to improve verification efficiency. Cui et al. [14] separated the attribute authority into two independent parties, namely, the attribute certifying authority and the key generation center. The attribute certifying authority is responsible for authenticating users’ attributes while the key generation center is known as taking over key generation. They designed an interactive protocol between the key generation center and the user based on zero-knowledge proof, by which only the user himself or herself knows the signing key after the interaction. As a result, the key generation center can by no means forge a valid signature even it gets corrupted. Rao and Dutta [26] proposed a novel key-policy ABS in which the predicate is built by linear secret sharing scheme (LSSS) to provide rich expressiveness. In addition, only 3 times of bilinear pairing operations are executed in verification. Rao [27] introduced a key-insulated mechanism for ABS to reduce the possibility of occurrence of key exposure when deploying ABS in performance-restrained platforms such as mobile devices. Due to periodical key updating, even if the unauthorized user obtains the signing key, the valid signature cannot still be forged unless within the current time slot.

1.2. Our Contributions

In this paper, we focus on constructing a secure and efficient ABS scheme and try to mitigate problems that existing schemes [24–27] suffer. We try to realize the vital properties which include escrow-free, pairing-free, and perfect signer privacy. As is shown in Table 1, the ABS schemes [24, 26, 27] are not able to guarantee security if the attribute authority got compromised when it holds signing keys in escrow. The scheme in [25] mitigates the key escrow problem with dependency on multiauthority setting, which makes it cumbersome in computation and communications (see Tables 2 and 3).

The key extraction of our F2P-ABS is elegant and effective. It mitigates the key escrow problem on the condition of the single authority setting. With the participation of both attribute authority and data-storing center, anyone of them getting compromised will have no impact on security. By the key extraction of F2P-ABS, the size of the signing key is reduced by nearly half of that in [24–27] (see Table 2).

Since pairing computation is considered the most expensive operation, the number of pairing operations is a critical factor of feasibility in practical scenes. Most ABS schemes are dependent on pairing, so the signer has to execute pairing operations to validate the message. The required number of pairing operations in [24] proliferates linearly with the number of attributes in a minimum attribute set of a signing predicate. The required number of pairing operations in [25, 27] proliferates linearly with the number of attributes in a signing predicate. It demonstrates that a feasible ABS scheme which provides both strong reliability and high-efficiency scheme is far-fetched, especially for authentication in mobile platform. For our F2P-ABS, in contrast, it does not need any pairing operations for verifying (see Table 3). This is even less than that in [26], which is 3 pairing operations.

To enhance security, we provide a novel security model called existential unforgeability under corrupted and adaptive chosen predicate and message attack (EUF-ca-CPMA). And, our F2P-ABS is proven to be EUF-ca-CPMA secure assuming the hardness of discrete logarithm (DL) problem. It is stronger than existential unforgeability under a selective predicate/attribute set and adaptive chosen-message attack (EUF-sP-CMA/EUF-sA-CMA), which is met by [24–27]. Furthermore, it guarantees signer privacy in a perfect sense as in [26].

To conclude, the proposed F2P-ABS outperforms the existing schemes in terms of security and efficiency.

1.3. Organization

The rest of the paper is organized as follows. We review essential preliminaries in Section 2, show the architecture in Section 3, show the security requirements in Section 4, propose main construction of F2P-ABS in Section 5, provide security analysis in Section 6, present performance comparison against similar schemes in Section 7, and draw conclusion and highlight our future work in Section 8.

2. Preliminaries

In this section, we will introduce some essential cryptographic preliminaries. Before it, we first describe some important notations, which is shown in Table 4. These are required for an unambiguous presentation of the paper, some of which will be interpreted in the following sections.

2.1. Predicate

Definition 1 (access structure). Let be a party of several participants. An access structure is defined as an arbitrary collection of nonempty subsets of , namely, . We consider a set authorized if .
For two arbitrary sets and such that , we say is monotonic if . It can be noted that the term access structure mentioned in the following means monotonic access structure if there is no particular revelatory. For ABS, we note that a predicate generally indicates an access structure. From now on, to avoid confusion, we only use the term predicate.

Definition 2 (tree-based predicate). Let be a tree-based predicate, which is associated with a tree consisting of some leaf nodes and nonleaf nodes. Each nonleaf node represents a threshold gate, described by the number of its children and a threshold value. Each tree also defines an ordering among all nodes, and accordingly each index value is uniquely assigned to a node in an arbitrary manner. Without loss of generality, let be an index of node. If is the number of children of a node and is its threshold value, then . When , the threshold gate is an “OR” gate, and when , it is an “AND” gate. Each leaf node represents an attribute. For arbitrary attribute set , we have if it satisfies the predicate that we described; otherwise, we have .

Definition 3 (minimum attribute set). For all attribute set such that , there exists a minimum attribute set such that and for all . For instance, there is a tree-based predicate whose postfix expression is {“D,” “E,” “F,” “2 of 3,” “A,” “B,” “C,” “1 of 3,” “2 of 2”}. Each character represents a leaf node associated with an attribute. Each string like “x of y” represents a nonleaf node where x is its threshold and y is the number of its child nodes. A signer, whose attribute set is {“A,” “B,” “D,” “E,” “F”}, sends a message signed through ABS with this predicate. Obviously, one of his minimum attribute sets is {“A,” “D,” “E”}.

2.2. Garbled Circuit

Definition 4 (garbled circuit). Garbled circuit allows two parties holding inputs and , respectively, to evaluate an arbitrary function without leaking any information about their inputs beyond what is implied by the function output. The basic idea is that one party (the garbler) prepares an encrypted version of the function ; the data transmitter and receiver then obliviously compute the output of the circuit without learning any intermediate values.
Starting with a Boolean circuit where and are one-bit inputs, respectively, from input wires and . The circuit generator associates two random cryptographic keys and ( and ) with each input wire (). Then, for each output , the generator computes ciphertext . The resulting four ciphertexts, in a random order, constitute a garbled table. Then, the garbled table is sent to the evaluator.
The evaluator also obtains the keys corresponding to each input. The circuit generator can first simply send , which corresponds to the actual input from the circuit generator. Then, it uses 1-out-of-2 oblivious transfer (see Definition 5) to enable the circuit evaluator to obliviously obtain the key corresponding to its own input.
Given keys associated with both inputs from wires and , the evaluator can extract an output key by decrypting the appropriate ciphertext. Only one single decryption suffices the extraction [28]. Mapping from output keys to output bits, the evaluator can finally learn the actual output of . If desired, the evaluator can share the output with the circuit generator. By using the framework proposed by Huang et al. [29], it is efficient to modularly build a secure protocol computing the function .

Definition 5 (1-out-of-m oblivious transfer). A 1-out-of-m oblivious transfer protocol [30] refers to a protocol where at the beginning of the protocol, one party, Bob, has inputs and at the end of the protocol, the other party, Alice, learns one of the inputs for an () of own choice, without learning anything about the other inputs and without allowing Bob to learn anything about . An efficient was proposed by Tzeng [31].

2.3. Complexity Assumption

Definition 6 (discrete logarithm assumption). Given a multiplicative cyclic group with a prime order . The discrete logarithm (DL) problem is given and a generator of , to find a unique which makes . For clarity, we denote DLP by . If there is a polynomial-time algorithm extracting with a probability that satisfies , we denote the advantage to solve DLP by . The DL assumption says that there is no such an algorithm which can solve DL problem with a nonnegligible advantage.
It is well known that this problem is considered to be intractable. The DL assumption has been used to create many cryptosystems, including the ElGamal cryptosystem. This intractable assumption has also been used to create signature schemes [32].

3. F2P-ABS Architecture Overview

3.1. Definition of F2P-ABS

Following the definition in [26], our F2P-ABS consists of six algorithms:(1): the algorithm is run with a security parameter , which outputs a global parameter .(2): the algorithm takes as input and generates the data-storing center parameter and the data-storing center secret key . Finally, it publishes and stores .(3): the algorithm takes as input and generates the attribute authority parameter and the authority secret key . Finally, it publishes and stores .(4): the algorithm takes , , , , and as input, as well as an attribute set . Finally, it outputs a signing key .(5): the algorithm takes , , , and as input to endorse a message with respect to the predicate . Then, a valid signature is generated.(6): the algorithm takes , , , , , and as input. It outputs 1 if is a valid signature of corresponding to ; otherwise, it outputs 0.

3.2. System Description

As is shown in Figure 1, the framework of an anonymous message authentication system based on F2P-ABS consists of the following four entities:(1)Attribute Authority (AA). This is a semitrusted entity that generates and . By collaborating with the data-storing center (DSC), it issues to the signer. All communications between the AA, the signer, and the DSC are secured by secure shell (SSH) protocol.(2)Data-Storing Center (DSC). This is a semitrusted entity that stores messages and their corresponding signature. It takes part in issuing for the signer to avoid put in escrow in the AA. But, it also does not obtain any part of . Besides, it is responsible for transferring messages and signatures to corresponding verifiers by SSH protocol.(3)Signer. This is who wants to share authentic messages in public environments, such as in social network. The signer defines a predicate that exhibits the authenticity of the signer to the public. Then, the message will be signed by , and a signature is generated. As is shown in Figure 1, the predicate can be described by a postfix expression {“Professor,” “Associate Professor,” “Lecturer,” “1 of 3,” “Department of Informatics,” “University A,” “3 of 3”}. Alice whose attribute set is {“University A,” “Department of Informatics,” “Professor”} can sign the message with this predicate. Finally, and will be outsourced to the DSC.(4)Verifier. This is who receives and wants to verify it. By computation with and , the verifier will know whether the message is valid. As shown in Figure 1, Bob and Carol can verify that message comes from the signer satisfies that predicate but do not know who he/she is.

4. Security Requirements

For F2P-ABS, we adopt a semitrusted (also known as honest-but-curious) threat model, where attribute authorities and data-storing center are assumed to follow the protocol but may attempt to learn additional information from the protocol transcript. Although this is a bit weak, it is a standard security model for escrow-free computation. Studying F2P-ABS in the semitrusted setting is relevant for two reasons:(1)There may be instances where a semitrusted model is appropriate: (1) when parties are legitimately trusted but are prevented from divulging information for legal reasons, or want to protect against future break-in; (2) where it would difficult for parties to change the software attestation is used or due to internal controls in place (for example, when parties represent corporations or government agencies).(2)Protocols for the semitrusted setting are an important first step toward constructing protocols with stronger security guarantees. There exist generic ways to give full security against malicious authorities.

4.1. Correctness

Definition 7 (correctness of F2P-ABS). We define a valid signature to be the one that can be verified with success probability 1. We say F2P-ABS scheme guarantees correctness if, for all pairs of attribute set and predicate satisfying , all signing keys associated with can always be used to generate a valid signature of message with predicate .

4.2. Perfect Signer Privacy

Definition 8 (perfect signer privacy of F2P-ABS). Our F2P-ABS is perfectly private if, for all , all , all , all messages , all attribute sets and , all and , all predicates such that and , and the distributions of and are equal.

4.3. Existential Unforgeability

Based on the definition of existential unforgeability provided in [33], we build the definition of existential unforgeability under corrupted and adaptive chosen predicate and message attack (EUF-ca-CPMA).

Definition 9 (EUF-ca-CPMA of F2P-ABS). We define to be the success probability of an adversary in the following game with a challenger :(1)Initial Phase. submits a bit , which will be used to forge a signature over either the corrupted AA or the corrupted DSC.(2)Setup Phase. publishes all parameters independent with attributes to with the following steps:(1) runs and gives to .(2) runs and gives part of that is independent of attributes.(3) runs and gives part of that is independent to attributes(4)If , gives part of that is independent to attributes. Otherwise, gives part of that is independent to attributes.(3)Query Phase. adaptively issues a polynomially bounded number of queries to the following oracles:(1)Attribute Oracle. submits an attribute . If , returns to part of and that correspond to attributes. Otherwise, returns to part of and that correspond to attributes.(2)Key Extracting Oracle. submits an attribute set and obtains the corresponding signing key .(3)Signing Oracle. submits a message and a predicate . selects an attribute set such that computes a signing key and returns the corresponding signature .(4)Forge Phase. forges a signature of a message with a predicate and succeeds in this game if and are never queried to the signing oracle; does not accept any attribute set queried to key extracting oracle; eventually obtains .We say F2P-ABS is -EUF-CPMA secure if, for any probabilistic polynomial-time adversary running in time at most that makes at most attribute queries, key extracting queries, and signing queries, the ’s advantage is at most .

5. F2P-ABS Main Construction

In this section, the main construction of F2P-ABS and the details of how our F2P-ABS proceeds among the AA, the DSC, the singer, and the verifier are presented.

5.1. Global Setup

To initialize the system, the AA first calls the algorithm. It can be noted that the algorithm can be run by any other trusted party ahead of system initialization. It takes a security parameter as input and proceeds the following steps:(1)It selects a cyclic group of -bit prime order with generator (2)It generates an attribute universe , which is a large universe that contains attributes of all authorized users(3)It selects a hash function (4)Outputs the parameter

5.2. DSC Setup

It is also necessary for the DSC to participate in the system initialization. After the global setup, the DSC calls algorithm with and runs the following steps:(1)It selects and computes and (2)For each attribute , it selects and computes and (3)It generates a garbled circuit of the function (4)It published the DSC parameter and stores the DSC secret key

5.3. AA Setup

As the final procedure of system initialization, the AA calls the algorithm which takes as input. Then, it runs the following steps:(1)It selects and computes and (2)For each , it selects and computes and (3)It publishes the AA parameter and stores the AA secret key

5.4. Key Extraction

When the signer asks for authorization with an attribute set , the AA and the DSC jointly calls the algorithm, which takes as input , , , , , and the attribute set . The execution of the algorithm is as follows:(1)The AA selects (2) is generated by using between the AA and the DSC(3)For each , is generated by using between the AA and the DSC(4)The signing key returns to the signer

5.5. Signing

To sign a message with predicate , the signer calls the algorithm. It takes as input the predicate , the message , and the signing key . Then, it proceeds as follows:(1)It randomly selects a secret and then assigns a random polynomial for each node of as follows:(1)If node is the root node and its threshold is , set a random -degree polynomial such that , where .(2)If node is neither the root node nor a leaf node and its threshold is , set a random -degree polynomial such that , where .(3)If node is a leaf node, set a zero-degree polynomial .(2)It selects another secret and assigns another polynomial for each node of as follows:(1)If node is the root node, set a random 2-degree polynomial such that .(2)If node is neither the root node nor a leaf node, set a random 2-degree polynomial such that .(3)If node is a leaf node, set a 0-degree polynomial .(3)The signer chooses a minimum attribute set . For each leaf node in such that , the following computation will be executed:(1)If , compute and .(2)If , compute and .(4)Finally, it computes and and the signature is presented as .

Let denote the set of the all child nodes of node . Let denote the set of some child nodes of node such that cannot satisfy the predicate rooted at them, namely, . For F2P-ABS, there is only one restriction on predicate which is .

5.6. Verifying

To validate this message, the verifier calls for the algorithm. It takes as input the message and the corresponding signature . Then, it proceeds as follows:(1)For each node of , it recursively calls the function .(1)If is a leaf node, it computes as equation (1). For generality, we define that, for each node such that , it has a .(2)If is a nonleaf node, we denote the computation result of its arbitrary child node by . Then, it computes as equation (2). It is assured that the result of the root node can be computed with finite recursion, if holds:(2)It computes and output 1 if holds. That is, the message is indeed from a legal signer. Otherwise, it outputs 0 to indicate the signature is invalid.

6. Security Analysis

In this section, we will discuss how our F2P-ABS meets the security requirements mentioned in previous section.

6.1. Correctness

Theorem 1. F2P-ABS guarantees correctness.

Proof. Considering the algorithm, the result of the root node can be computed with finite recursion if holds. If the message is integrated, accordingly, equation (3) will always hold:In this case, the algorithm outputs 1 with success probability 1.

6.2. Perfect Signer Privacy

Theorem 2. F2P-ABS guarantees perfect signer privacy.

Proof. Considering the algorithm, the following assertion always holds:(1)Since the secret numbers and are randomly selected, both and are uniformly distributed in (2)For an arbitrary leaf node such that , we have and , which are uniformly distributed in because is from a random polynomial(3)For an arbitrary leaf node such that , we have and , which are also uniformly distributed in because is also from a random polynomialTherefore, for all , all , all , all messages , all attribute sets and , all signing keys and , all predicates such that and , and the distributions of and are equal.

6.3. Existential Unforgeability

Theorem 3. F2P-ABS is EUF-ca-CPMA secure in the random oracle assuming the hardness of DL problem.

Proof. Suppose there exists an adversary that can break F2P-ABS by chosen predicate and message attacks. We can build a simulator that can solve DL problem in a challenge game. The challenge game proceeds as follows:(1)Initial Phase. sends a challenge bit to .(2)Setup Phase. The challenger generates and sends and to . , a group of parameters are generated by as follows:(1) selects a random oracle and sends , , , and to .(2) randomly selects and computes and . Then, it checks and sends and to if . Otherwise, it sends and .(3) randomly selects and computes and . Then, it checks and sends and to if . Otherwise, it sends and to .(3)Query Phase. adaptively issues a polynomially bounded number of queries to the following oracles:(1)Attribute Oracle. maintains a list and scans it when makes a query for parameter associated with an attribute . It returns the corresponding , , , and if is in . Otherwise, it randomly chooses and under the Bernoulli distribution with , that is, and . If , computes , , , and . Otherwise, it computes , , , and . Then, checks and sends , , , and to . Otherwise, it sends , , , and to . Finally, it adds the new tuple into .(2)Key Extracting Oracle. maintains a list and scans when issues a query to the key extracting oracle with an attribute set . will abort the game if there exists an attribute that is not in because it is unable to coherently answer the query. We denote this abortion by . If not, scans and returns if is in . Otherwise, randomly selects and computes and for each attribute in . Then, returns to if , otherwise, returns to . Finally, adds the new tuple into .(3)Signing Oracle. maintains a list and scans when makes a signing query on a message with predicate . The game will be aborted if there exists an attribute of that is not in . We denote this abortion by . Otherwise, checks for each attribute of . The game will be aborted, which is denoted by , if there exists an attribute such that . If not, generates a random attribute set and runs the key extracting oracle to obtain . Then, it computes and for each leaf node , where is generated as the real algorithm. Then, it randomly chooses to compute and . Meanwhile, is computed by the random oracle . Finally, adds the new tuple into and sends to .(4)Forge Phase. forges a signature of message . will abort the game if there exist attributes of that is not in . We denote this abortion by . Otherwise, checks for each attribute that every leaf node is associated with. If there exists a , will abort the game. We denote this abortion by . If not, runs the verifying oracles as follows:(1)If is a leaf node, it runs as(2)If is a nonleaf node, we denote the computation result of its arbitrary child node by . It runs as equation (5). By those finite recursions, can validate the forged signature as the real F2P-ABS. We say wins the game if . In this case, chooses a tuple from and a tuple and finally returns to as the answer to DL problem:

Lemma 1. If , , and do not happen, all results output by in the query phase are valid and indistinguishable.

Lemma 1 holds because(1)For any query to the attribute oracle with an attribute , selects random and a random . No matter what the value of is, will be obtained. We note that are all randomly chosen, which are valid and indistinguishable from those generated by the real F2P-ABS. Likewise, will obtain if , and those are also randomly chosen and indistinguishable.(2)For any query to the key extracting oracle, selects two random numbers if does not happen. It generates a tuple where and . If , there always exist such that and . If , there always exist such that and . Therefore, the output is valid and indistinguishable from real singing keys.(3)For any query to the signing oracle, each leaf node of predicate has a corresponding attribute in if does not happen. And, if does not happen, will generate a tuple . Then, it computes the tuple in a way of the real F2P-ABS. So, the output of the signing oracle is valid and indistinguishable from real signatures.

Lemma 2. If and do not happen, can probably solve DLP when successfully breaks the F2P-ABS.

Lemma 2 holds because if and do not happen, each has corresponding , , , and in . In this case, can output the answer to the DL problem if it finds the proper in and proper and in .

Suppose makes at most queries to the attribute oracle, queries to the key extracting oracle and queries to the signing oracle. Let be the time required for to break F2P-ABS. Let and be the time required for one-time addition and scalar multiplication operation, respectively, in . Let be the time required for one-time exponentiation in . The total time required for to solve DL problem satisfies

The probability that , , and do not happen is . The probability that and do not happen is which achieves its upper bound when . That is, . Considering all situations mentioned above, the advantage of to solve DL problem satisfies

7. Performance Analysis

In this section, we analyze the performance of our F2P-ABS scheme against current ABS schemes [24–27] in Tables 2 and 3 in terms of public parameter size, secret key size and signing key size, signature size, and computation overhead (number of required exponentiation and pairing computation, which are time-consuming operations). For clarity, we list some essential notations for analysis in Table 5.

As is shown in Table 2, the size of the public parameter in [25] increases fast with the square of the number of authorities, which is less practical for initializing the system. The size of public parameter in [26, 27] is linear to the size of attribute universe. To mitigate key escrow problem, we assign part of public parameters to the AA and the DSC, respectively. As a result, our F2P-ABS has a group of public parameters two times the size of that in [26, 27]. The secret key in F2P-ABS has group elements, which is linear to the size of attribute universe. Although F2P-ABS has big-sized public parameters and secret key, it hardly causes performance dilemma considering significant storage capacity of the AA and the DSC.

We achieve a short signing key size compared to existing schemes [24–27]. The signing key size in [26] is linear to the size of attribute universe, which is a huge challenge to the storage capacity of signer when large numbers of attributes are engaged. The signing key of F2P-ABS consists of group elements, while that for [24, 25] is . Meanwhile, signing key in [27] consists of group elements. Hence, we successfully reduce the number of group elements in signing key by half. The signature of F2P-ABS totally has group elements, which is slightly less than that for [27].

Since pairing computation is considered the most expensive operation, number of pairing operations is a critical factor of feasibility in practical scenes. We note that there is a signcryption in [27], which is a mixture of ABE and ABS. It requires pairings for verification and 2 pairings to recover the message plaintext. The number of pairings in [24, 25] is also linear to the size of the minimum signing attribute set and the size of signing predicate, respectively. As clearly seen in Table 3, F2P-ABS requires no pairing for verification. This is even less than that for [26], which is 3 pairing operations. In addition, it achieves light computation at the cost of large signing key size being linear to the size attribute universe. It is worth noting that garbled circuit operations become the only performance bottleneck of F2P-ABS. Although we are unsatisfied with existing garbled circuit implementation, we believe there will be better ones in future which help to achieve better performance in practical scenes. Hence, F2P-ABS is efficient from computation point of view.

To sum up, our F2P-ABS achieves a better performance, in terms of signing key size, signature size, and computation cost, than existing schemes. Furthermore, it achieves other desirable goals such as expressive predicate, authenticity, and signer privacy.

8. Conclusion

ABS is a promising cryptographic primitive for anonymous authentication. However, existing ABS approaches have drawbacks with respect to security and efficiency, which hinders their application for authentication in mobile platforms. We focus on constructing an ABS scheme that is elegantly free from key escrow problem and heavy pairing operations. In addition, the size of the signing key is much less than existing schemes. Without the loss of security, it achieves perfect signer privacy. It is proven to guarantee existential unforgeability under corrupted and adaptive chosen predicate and message attack, which is securer than existing schemes. Therefore, it outperforms existing schemes and shows more feasibility for anonymous authentication in mobile platforms.

To further its application, we are exploiting a new method to enhance efficiency. Considering its performance bottleneck, our future work will build on the preliminary construction in this work to develop the proposed scheme by improving the performance of garbled circuit operations.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare no conflicts of interest.

Acknowledgments

This study was supported by the National Natural Science Foundation of China under grants 61972208, 61373135, 61672299, and 61170276.

References

R. Buyya, C. S. Yeo, S. Venugopal, J. Broberg, and I. Brandic, “Cloud computing and emerging IT platforms: vision, hype, and reality for delivering computing as the 5th utility,” Future Generation Computer Systems, vol. 25, no. 6, pp. 599–616, 2009.
View at: Publisher Site | Google Scholar
N. Santos, K. P. Gummadi, and R. Rodrigues, “Towards trusted cloud computing,” in Proceedings of the 2009 Conference on Hot Topics in Cloud Computing, HotCloud ’09, S. Sahu and P. J. Shenoy, Eds., vol. 3, USENIX, Berkeley, CA, USA, June 2009.
View at: Google Scholar
L. Aniello, R. Baldoni, E. Gaetani, F. Lombardi, A. Margheri, and V. Sassone, “A prototype evaluation of a tamper-resistant high performance blockchain-based transaction log for a distributed database,” in Proceedings of European Dependable Computing Conference (EDCC 2017), pp. 151–154, IEEE, Geneva, Switzerland, September 2017.
View at: Publisher Site | Google Scholar
H. K. Maji, M. Prabhakaran, and M. Rosulek, “Attribute-based signatures,” in Topics in Cryptology—CT-RSA 2011 Lecture Notes in Computer Science, A. Kiayias, Ed., vol. 6558, pp. 376–392, Springer, Berlin, Germany, 2011.
View at: Google Scholar
D. Boneh and M. K. Franklin, “Identity-based encryption from the weil pairing,,” in Advances in Cryptology—CRYPTO 2001 Lecture Notes in Computer Science, J. Kilian, Ed., vol. 2139, pp. 213–229, Springer, Berlin, Germany, 2001.
View at: Google Scholar
A. Boldyreva, V. Goyal, and V. Kumar, “Identity-based encryption with efficient revocation,” in Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS ’08, P. Ning, P. F. Syverson, and S. Jha, Eds., pp. 417–426, ACM, New York, NY, USA, October 2008.
View at: Publisher Site | Google Scholar
Z. Liu, H. Yan, and Z. Li, “Server-aided anonymous attribute-based authentication in cloud computing,” Future Generation Computer Systems, vol. 52, pp. 61–66, 2015.
View at: Publisher Site | Google Scholar
J. Liu, X. Huang, and J. K. Liu, “Secure sharing of personal health records in cloud computing: ciphertext-policy attribute-based signcryption,” Future Generation Computer Systems, vol. 52, pp. 67–76, 2015.
View at: Publisher Site | Google Scholar
G. Lin, H. Hong, and Z. Sun, “A collaborative key management protocol in ciphertext policy attribute-based encryption for cloud data sharing,” IEEE Access, vol. 5, pp. 9464–9475, 2017.
View at: Publisher Site | Google Scholar
G. Lin, L. You, B. Hu et al., “A coordinated ciphertext policy attribute-based PHR access control with user accountability,” KSII Transactions on Internet and Information Systems, vol. 12, no. 4, pp. 1832–1853, 2018.
View at: Publisher Site | Google Scholar
S. S. M. Chow, “Removing escrow from identity-based encryption,” in Public Key Cryptography—PKC 2009 Lecture Notes in Computer Science, S. Jarecki and G. Tsudik, Eds., vol. 5443, pp. 256–276, Springer, Berlin, Germany, 2009.
View at: Google Scholar
M. Chase and S. S. M. Chow, “Improving privacy and security in multi-authority attribute-based encryption,” in Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS ’09, E. Al-Shaer, S. Jha, and A. D. Keromytis, Eds., pp. 121–130, ACM, New York, NY, USA, November 2009.
View at: Google Scholar
J. Hur, “Improving security and efficiency in attribute-based data sharing,” IEEE Transactions on Knowledge and Data Engineering, vol. 25, no. 10, pp. 2271–2282, 2013.
View at: Publisher Site | Google Scholar
H. Cui, G. Wang, R. H. Deng, and B. Qin, “Escrow free attribute-based signature with self-revealability,” Information Sciences, vol. 367-368, pp. 660–672, 2016.
View at: Publisher Site | Google Scholar
L. Chen, Z. Cheng, and N. P. Smart, “Identity-based key agreement protocols from pairings,” International Journal of Information Security, vol. 6, no. 4, pp. 213–241, 2007.
View at: Publisher Site | Google Scholar
A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in Advances in Cryptology—EUROCRYPT 2005 Lecture Notes in Computer Science, R. Cramer, Ed., vol. 3494, pp. 457–473, Springer, Berlin, Germany, 2005.
View at: Google Scholar
V. Goyal, O. Pandey, A. Sahai et al., “Attribute-based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS ’06), A. Juels, R. N. Wright, and S. D. C. di Vimercati, Eds., pp. 89–98, ACM, New York, NY, USA, October 2006.
View at: Publisher Site | Google Scholar
J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” in Proceedings of 2007 IEEE Symposium on Security and Privacy (SP ’07), pp. 321–334, IEEE, Washington, DC, USA, May 2007.
View at: Google Scholar
G. Zhang, L. Liu, and Y. Liu, “An attribute-based encryption scheme secure against malicious KGC,” in Proceedings of 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2012), G. Min, Y. Wu, L. C. Liu, X. Jin, S. A. Jarvis, and A. Y. Al-Dubai, Eds., pp. 1376–1380, IEEE, Liverpool, UK, June 2012.
View at: Google Scholar
B. Waters, “Efficient identity-based encryption without random oracles,” in Advances in Cryptology—EUROCRYPT 2005 Lecture Notes in Computer Science, R. Cramer, Ed., vol. 3494, pp. 114–127, Springer, Berlin, Germany, 2005.
View at: Google Scholar
P. Yang, Z. Cao, and X. Dong, “Fuzzy identity based signature,” IACR Cryptology ePrint Archive, vol. 2008, p. 2, 2008.
View at: Google Scholar
J. Li, M. H. Au, W. Susilo, D. Xie, and K. Ren, “Attribute-based signature and its applications,” in Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS ’10), D. Feng, D. A. Basin, and P. Liu, Eds., pp. 60–69, ACM, Beijing, China, April 2010.
View at: Google Scholar
M. Gagne, S. Narayan, and R. Safavi-Naini, “Short pairing-Efficient threshold-attribute-based signature,” in Pairing-Based Cryptography—Pairing 2012 Lecture Notes in Computer Science, M. Abdalla and T. Lange, Eds., vol. 7708, pp. 295–313, Springer, Berlin, Germany, 2012.
View at: Google Scholar
J. Su, D. Cao, B. Zhao, X. Wang, and I. You, “EPASS: an expressive attribute-based signature scheme with privacy and an unforgeability guarantee for the Internet of things,” Future Generation Computer Systems, vol. 33, pp. 11–18, 2014.
View at: Publisher Site | Google Scholar
J. Li, X. Chen, and X. Huang, “New attribute-based authentication and its application in anonymous cloud access service,” International Journal of Web and Grid Services, vol. 11, no. 1, pp. 125–141, 2015.
View at: Publisher Site | Google Scholar
Y. S. Rao and R. Dutta, “Efficient attribute-based signature and signcryption realizing expressive access structures,” International Journal of Information Security, vol. 15, no. 1, pp. 81–109, 2016.
View at: Publisher Site | Google Scholar
Y. S. Rao, “Signature-policy attribute-based key-insulated signature,” IET Information Security, vol. 11, no. 1, pp. 23–33, 2017.
View at: Publisher Site | Google Scholar
D. Malkhi, N. Nisan, B. Pinkas et al., “Fairplay-secure two-party computation system,” in Proceedings of the 13th Conference on USENIX Security Symposium (SSYM ’04), M. Blaze, Ed., pp. 287–302, USENIX, San Diego, CA, USA, August 2004.
View at: Google Scholar
Y. Huang, D. Evans, J. Katz et al., “Faster secure two-party computation using garbled circuit,” in Proceedings of the 20th USENIX Conference on Security (SEC ’11), pp. 331–335, USENIX, Berkeley, CA, USA, November 2011.
View at: Google Scholar
G. Brassard, C. Crepeau, and J. Robert, “All-or-nothing disclosure of secrets,,” in Advances in Cryptology—CRYPTO ’86 Lecture Notes in Computer Science, A. M. Odlyzko, Ed., vol. 263, pp. 234–238, Springer, Berlin, Germany, 1986.
View at: Google Scholar
W. Tzeng, “Efficient 1-out-of-n oblivious transfer schemes with universally usable parameters,” IEEE Transactions on Computers, vol. 53, no. 2, pp. 232–240, 2004.
View at: Publisher Site | Google Scholar
E. Van Heyst and T. P. Pedersen, “How to make efficient fail-stop signatures,” in Advances in Cryptology—EUROCRYPT ’92 Lecture Notes in Computer Science, R. A. Rueppel, Ed., vol. 658, pp. 366–377, Springer, Berlin, Germany, 1993.
View at: Google Scholar
T. Okamoto and K. Takashima, “Decentralized attribute-based signatures,” in Public-Key Cryptography—PKC 2013 Lecture Notes in Computer Science, K. Kurosawa and G. Hanaoka, Eds., vol. 7778, pp. 125–142, Springer, Berlin, Germany, 2013.
View at: Google Scholar

Copyright

Copyright © 2019 Guofeng Lin et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1423

Downloads

868

Citations