SPCABS: Signature-Policy Comparable Attribute-Based Signatures
Attribute-based signature (ABS) is an attractive cryptographic primitive with broad applications in many fields. Existing ABS schemes treat an attribute only as present (“with”) or absent (“without”); no existing scheme supports comparisons on attribute values. Using the 0-encoding and 1-encoding, we propose an access structure expansion algorithm and an attribute expansion algorithm that let an ABS scheme handle comparative attributes efficiently. Building on these algorithms, we then propose a signature-policy comparable attribute-based signature scheme. The proposed scheme is existentially unforgeable under the computational Diffie–Hellman exponent (CDHE) assumption and achieves information-theoretic privacy. Theoretical analysis and simulation experiments show that our method is practical and has significant advantages in storage and computation overhead over the trivial expansion. Comparable attribute-based signature dramatically expands the application scenarios of attribute-based signature.
Attribute-based signature (ABS) is a very attractive cryptographic primitive. ABS is divided into key-policy ABS (KP-ABS) and signature-policy ABS (SP-ABS). In KP-ABS, the signing key is generated from an access policy (structure), and a message can be signed only when its attribute set satisfies that policy. SP-ABS is the reverse: the signer holds a signing key corresponding to his attributes, and the message carries an access policy. In the signature generation stage, a valid signature can be generated if and only if the signer’s attributes satisfy the access policy. In the verification phase, the verifier can only confirm that the signer’s attributes satisfy the message’s access policy; it cannot learn the signer’s identity. These properties are the unforgeability and privacy (anonymity) of ABS. Since ABS offers fine-grained access control, anonymous authentication, privacy protection, and other useful properties, it finds broad applications in many fields, such as private access control and anonymous credentials.
The concept of ABS was introduced by Maji et al. They presented the definition and security model and proposed concrete schemes with a security proof in the generic group model. Later, Li et al. [2, 3], Shahandashti et al., and Gagné et al. constructed ABS schemes in the selective model. These schemes only support threshold predicates. Maji et al. and Gu et al. proposed ABS schemes for monotone predicates. In 2011, Okamoto et al. [8, 9] proposed ABS schemes supporting nonmonotone predicates, which improved access control flexibility and achieved adaptive security. In 2012, Herranz et al. constructed a threshold ABS scheme with constant signature length, and its security was improved from the original selective unforgeability to adaptive unforgeability. In the same year, Chen et al. combined ABS with attribute-based encryption (ABE) to construct a hybrid ABS/ABE scheme; its advantage is that ABS and ABE share the same user private key, which reduces the cost of key generation. Su et al. proposed an attribute signature scheme that supports the threshold tree access structure. While the expressiveness and security of ABS continue to improve, its functionality is also constantly evolving. Wang and Chen constructed a lattice-based ABS scheme to resist quantum computing attacks. Escala et al. introduced the concept of traceability, allowing a trusted authority to recover the signer’s identity and hold the signer accountable when the signer breaks the law. Tang et al. proposed an ABS scheme for circuits from multilinear maps, and Sakai et al. proposed an ABS scheme for circuits from bilinear maps. Based on lattices, Kaafarani et al. proposed an ABS scheme for unbounded circuits. Datta et al. proposed an ABS scheme for unbounded arithmetic branching programs.
All ABS schemes mentioned above have a single attribute authority. This attribute authority knows the signing keys of all users, so it must be trustworthy. Moreover, this attribute authority may become the bottleneck of the system. To overcome this shortcoming, the concepts of multiauthority attribute-based signature [19–21] and decentralized attribute-based signature [22–24] were introduced.
The existing works are summarized in Table 1.
1.1. Related Works
Generally, the computational overhead of ABS is too large for resource-constrained devices. To this end, using cloud computing outsourcing technology, Chen et al. introduced the concept of outsourced attribute-based signature. After that, several outsourced attribute-based signature schemes were proposed [26, 27]. In addition, several ABS schemes with various additional properties have also been proposed, such as group signature, signcryption, proxy signature, traceability, revocation, hierarchy, linkability, message recovery, and self-revealability.
So far, attribute-based signatures are still receiving widespread attention. In 2021, Perera et al. constructed an attribute-based group signature (ABGS) scheme with verifier-local revocation (VLR). In the same year, Chen et al. presented a novel ABS scheme that uses an attribute tree as the access policy to express flexible access control; they used a server-aided technique to verify signatures and reduce the computation burden. Luo et al. introduced attribute-based proxy re-signatures (ABPRS), which allow a semitrusted proxy to transform a signature of one entity into a signature of another without revealing any signing key or information about the signer. Zhao et al. constructed a novel attribute-based signcryption (ABSC) scheme that realizes multiauthority access control and a constant-size ciphertext independent of the number of attributes or authorities.
In recent years, attribute-based signature has found new applications in many fields. Yang et al. and Guo et al. constructed medical record management systems based on attribute-based signature and blockchain, respectively. Liu et al. proposed a secure vehicular crowdsensing scheme based on multiauthority attribute-based signature (TRAMS), which allows the publisher to flexibly customize a fine-grained policy that potential participants must satisfy, and which uses the attribute-based signature to authenticate sensed messages while protecting the privacy of the sensing vehicle. They also proposed a multiauthority key management scheme, which can improve vehicle-based sensing efficiency on the Internet of Vehicles.
1.2. Motivation and Contributions
So far, existing attribute-based signature schemes have dealt with attributes only as “with” or “without”. No attribute-based signature scheme supports comparative attributes or attributes with more complex relationships. Consider the following simple illustrative example. On the forum of a game community, only players who meet the following conditions may post experience and guide novices:
Member of the community AND
((Register before 2018 AND More than 10 million game points) OR Top 32 in first-class competitions).
Suppose member Alice was registered in 2017 and has 20 million game points. We can easily determine that her attributes meet the above access structure, but none of the existing attribute-based signature schemes can handle it directly. The previous processing method is to expand the access structure or attributes. For example, expand “Register before 2018” and “More than 10 million game points” to
“Registered in 2000 OR Registered in 2002 OR ... OR Registered in 2017” and
“11 million game points OR 12 million game points OR ... OR 127 million game points”.
Although this trivial method can solve the problem, it expands the number of attributes to level , where is the size of the value space of the attribute, so the storage overhead and computation overhead grow linearly with . The trivial method is therefore impractical, and a practical method for managing comparative attributes is urgently needed.
The main contributions of this paper are as follows:
(i) Using the 0-encoding and 1-encoding of Lin and Tzeng, we propose an access structure expansion algorithm and an attribute expansion algorithm, which reduce the data expansion from to . These two algorithms enable the attribute-based signature scheme to deal with comparative attributes effectively.
(ii) Using the proposed expansion algorithms, we propose an efficient attribute-based signature scheme that supports comparative attributes. Assuming that the computational Diffie–Hellman exponent (CDHE) problem is hard, the proposed scheme is existentially unforgeable under adaptive chosen message but selective access structure attack. The proposed scheme achieves information-theoretic privacy: the adversary cannot break the privacy even with unbounded computational power.
(iii) Theoretical analysis and simulation experiments show that our method is practical and has significant advantages in storage and computation overhead compared with the trivial way.
(iv) Comparable attribute-based signature dramatically expands the application scenarios of attribute-based signature.
The rest of the paper is organized as follows. The necessary background and notations are presented and reviewed in Section 2. Section 3 reviews the attribute-based signature with its security model. Section 4 describes comparative attribute management. Our CABS constructions are proposed in Section 5. The security proof and performance analysis of the proposed scheme are given in Sections 6 and 7, respectively. Finally, the paper is concluded in Section 8.
The notations are summarized in Table 2.
2.2. Bilinear Mapping and the Complexity Assumptions
In this section, we introduce the notions of bilinear maps, complexity assumption, access structure, and linear secret sharing scheme.
Definition 1 (bilinear maps). Let be a prime number. Let and be multiplicative cyclic groups of order . A map is called a bilinear map or (bilinear) pairing if the following hold:
(i) Bilinearity. .
(ii) Nondegeneracy. , whenever , where 1 (or ) is the identity element in or .
(iii) Computability. is efficiently computable, .
Definition 2 (computational Diffie–Hellman exponent (CDHE) assumption). The challenger chooses , at random and outputs . The CDHE problem is to compute from . The -CDHE assumption holds if no -time adversary has at least advantage in solving the CDHE problem.
2.3. 0-Encoding and 1-Encoding
The 0-encoding and the 1-encoding are used by Lin et al. to solve the millionaire problem. Let be an -length binary string of a value :
(i) The 0-encoding of is defined as the set
(ii) The 1-encoding of is the set
Intuitively, the 1-encoding of is the set of all its odd prefix substrings, and the 0-encoding is the set of all of its modified even prefix substrings, where the least significant bit is flipped from “0” to “1”. For example, , its 0-encoding , and 1-encoding .
Lemma 1 (see ). if and only if.
2.4. Access Structure and Linear Secret Sharing Scheme
Let be an attribute universe; an access structure is a Boolean function over . An attribute set is an authorized set, if . An access structure is monotone if and implies for all .
A Linear Secret Sharing Scheme (LSSS) for a monotone access structure over is a matrix along with a function that maps the -th row of to an attribute in , and consists of the following polynomial-time operations:
(i) Distribution of Shares. The distribution of a secret is performed by the dealer. The dealer first samples and sets . Then, the dealer outputs a set , where is the -th row of the matrix .
(ii) Reconstruction of the Secret. Suppose that is an authorized set. The secret reconstruction constants , where , satisfy . Hence, .
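The two LSSS operations above, as an added Python example that is not code from the paper: a monotone Boolean formula is turned into a share-generating matrix with the Lewko-Waters labelling (an OR node hands the same row to both children, which is exactly why the expansion in Section 4 repeats a row once per encoded string), the dealer distributes shares of a secret over GF(p), and an authorized set recovers the secret by solving for the reconstruction constants. The formula, the field size and all function names are assumptions made for the illustration.

```python
# Added example, not code from the paper: LSSS matrix from a monotone formula
# (Lewko-Waters labelling), share distribution and reconstruction over GF(p).
import random

def lsss_from_formula(formula):
    """Return (rows, rho): rows[i] is row i of the share-generating matrix and
    rho[i] the attribute labelling it.  formula is ("AND", l, r), ("OR", l, r)
    or an attribute name.  An OR node gives both children the same vector; an
    AND node gives the left child (vec | 1) and the right child (0, ..., 0, -1)."""
    rows, rho, counter = [], [], [1]

    def walk(node, vec):
        if isinstance(node, str):
            rows.append(vec)
            rho.append(node)
            return
        op, left, right = node
        if op == "OR":
            walk(left, vec)
            walk(right, vec)
        else:  # AND
            counter[0] += 1
            c = counter[0]
            walk(left, vec + [0] * (c - 1 - len(vec)) + [1])
            walk(right, [0] * (c - 1) + [-1])

    walk(formula, [1])
    width = counter[0]
    return [r + [0] * (width - len(r)) for r in rows], rho

def distribute(rows, secret, p, rng=random):
    """Dealer: v = (secret, r2, ..., rn) with random r's; share i is <row_i, v> mod p."""
    v = [secret % p] + [rng.randrange(p) for _ in range(len(rows[0]) - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in rows]

def solve_mod_p(A, b, p):
    """One solution x of A x = b over GF(p) (free variables set to 0), or None."""
    m, n = len(A), len(A[0])
    M = [[a % p for a in row] + [bi % p] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, m) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [(x * inv) % p for x in M[r]]
        for i in range(m):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(x - f * y) % p for x, y in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(M[i][-1] for i in range(r, m)):
        return None  # inconsistent system: no reconstruction constants exist
    x = [0] * n
    for i, c in enumerate(pivots):
        x[c] = M[i][-1]
    return x

def reconstruct(rows, rho, shares, attrs, p):
    """Find omega with sum_i omega_i * row_i = (1, 0, ..., 0) over the rows labelled
    by attrs and return sum_i omega_i * share_i mod p; None if attrs is unauthorized."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    if not idx:
        return None
    width = len(rows[0])
    A = [[rows[i][c] for i in idx] for c in range(width)]  # transpose of M_S
    omega = solve_mod_p(A, [1] + [0] * (width - 1), p)
    if omega is None:
        return None
    return sum(w * shares[i] for w, i in zip(omega, idx)) % p

if __name__ == "__main__":
    P = 2**61 - 1  # constructed field size for the demo
    rows, rho = lsss_from_formula(("AND", "A", ("OR", "B", "C")))
    shares = distribute(rows, 123456789, P)
    print(rows, rho)
    print(reconstruct(rows, rho, shares, {"A", "C"}, P))  # the secret
    print(reconstruct(rows, rho, shares, {"B", "C"}, P))  # None: not authorized
```

For the formula A AND (B OR C) the rows are (1,1), (0,-1), (0,-1): B and C share a row, so either one combined with A reconstructs the secret, while {B, C} alone does not, since no combination of their identical rows reaches (1,0).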
3. Attribute-Based Signature
An attribute-based signature (ABS) scheme consists of the following algorithms:
(i) Setup: takes as input the security parameter and returns the system public parameters and master secret key .
(ii) KeyGen: takes the master secret key and an attribute set as inputs and returns the signing key .
(iii) Sign: takes a signing key , a message , and an access structure as inputs and returns a signature if .
(iv) Verify: takes a signature , a message , and an access structure as inputs and returns 1 or 0.
A secure ABS scheme should have the properties of correctness, unforgeability, and privacy. We present formal definitions of them in the following.
Definition 3 (correctness). An ABS scheme is correct if for any , , and such that .
The popular notion of unforgeability for ABS is unforgeable under adaptive chosen message and selective access structure (EUF-sA-CMA). We describe the EUF-sA-CMA attack by the following game between challenger and adversary .
GAME 1 (EUF-sA-CMA):
(i) Init. sends a challenge access structure to .
(ii) Setup. generates and sends the system public parameters to .
(iii) Queries Phase. can access the following oracles.
(a) KeyGen-Oracle. A sends an attribute set A to C; C returns a signing key skA.
(b) Sign-Oracle. A sends a message M and an access structure A to C; C returns a signature.
(iv) Forgery. outputs a triple .
wins GAME 1 if
(i) .
(ii) has never been queried to Sign-Oracle.
(iii) No attribute set queried to KeyGen-Oracle satisfies the challenge access structure .
The advantage is defined as the probability of winning the game above.
Definition 4 (unforgeability). An ABS scheme is existentially unforgeable under adaptive chosen message but selective attribute attack if the advantage is negligible for any PPT adversary .
For a secure ABS scheme, an adversary cannot find the attribute set used to generate the signature. We describe privacy by the following game between challenger and adversary .
GAME 2 (privacy):
(i) Setup and Queries Phase 1 are the same as Setup and Queries Phase in GAME 1, respectively.
(ii) Challenge. chooses and sends such that to . chooses , runs Sign with inputs to generate , and returns to .
(iii) Queries Phase 2. The same as Queries Phase 1 above.
(iv) Guess. outputs his guess .
The advantage of is .
Definition 5 (privacy). An ABS scheme achieves privacy if the advantage is negligible for any adversary .
4. Comparative Attribute Management
4.1. Expansion Algorithms
Denote the usual attribute as and the comparative attribute as . The comparative attribute is further expressed as or , where is its attribute name and is its threshold. Denote the user attribute corresponding to the comparative attribute as .
In the above example, “Member of the community” is a usual attribute, “Register before 2018,” “More than 10 million game points”, and “Top 32 in the first-class competition” are comparative attributes; they can be denoted as , , , and . Then, the access structure is . Alice’s attributes can be denoted as .
We can easily see that Alice’s attributes satisfy the access structure , but an algorithm cannot decide this directly. It is necessary to expand the comparative attributes and the access structure so that the algorithm can use Lemma 1 to decide whether the access structure is satisfied. We propose the following algorithms to expand the access structure and the user attributes.
The access structure expansion algorithm inputs an access structure with its matrix and outputs a new access structure with its matrix .
For all comparative attributes ,
If , encode it to 0-coding .
If , encode it to 1-coding .
Repeat the -th row of the matrix times as rows to obtain a new matrix.
Replace each comparative attribute in with to get the new access structure .
The user attribute expansion algorithm inputs a user attribute set and outputs a new attribute set .
(i) Encode each attribute to 0-coding and 1-coding .
(ii) Replace each attribute in with to get the new attribute set .
To facilitate understanding the above algorithms, we use the above example to execute the algorithms as follows.
AccStruExpan: Take as input , where .
(i) For , encode to 1-coding: . Set , , . Repeat the 2nd row 2 times as rows to obtain a new matrix .
(ii) For , encode to 0-coding: . Set , , . Repeat the 4th row 5 times as rows to obtain a new matrix .
(iii) For , encode to 1-coding: . Set , , . Repeat the 9th row 2 times as rows to obtain the final matrix , which is . Replace , , and with , , and , respectively; the final access structure is .
UserAttExpan: Take as input .
(i) Encode attribute to 0-coding and 1-coding .
(ii) Encode attribute to 0-coding and 1-coding .
(iii) The new user attribute set is .
When running the algorithms above, we assume that the value spaces of the comparative attributes , , and are , , and , respectively. With the trivial expansion method, the matrix of the access structure grows from 4 rows to 168 rows, while with our expansion method it grows only to 10 rows. There is a 15.8 times gap between the two, which shows that our expansion method is effective.
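The 0-encoding and 1-encoding of Section 2.3, the Lemma 1 comparison test, and the two expansion algorithms above, run on the game-community policy, as an added Python example that is not code from the paper. The bit widths (years as 5-bit offsets from 2000, points in millions in 7 bits, ranks in 6 bits), the reading of “Top 32” as rank < 33, the value spaces used for the trivial row count, and all function names are assumptions made for the illustration, chosen so that the encoding sizes match the 2, 5 and 2 repeated rows of the worked example.

```python
# Added example, not code from the paper: the 0-/1-encodings of Section 2.3, the
# Lemma 1 comparison, and the AccStruExpan / UserAttExpan algorithms of Section 4
# run on the game-community policy. Assumptions made here: years are stored as
# offsets from 2000 in 5 bits, game points (in millions) in 7 bits, and "Top 32"
# is read as rank < 33 in 6 bits; these widths are chosen so that the encoding
# sizes equal the 2, 5 and 2 repeated rows of the paper's worked example.

def one_encoding(value, nbits):
    """1-encoding: every prefix of the binary string that ends in a '1' bit."""
    s = format(value, f"0{nbits}b")
    return {s[: i + 1] for i in range(nbits) if s[i] == "1"}

def zero_encoding(value, nbits):
    """0-encoding: for every '0' bit, the prefix above it with a '1' appended."""
    s = format(value, f"0{nbits}b")
    return {s[:i] + "1" for i in range(nbits) if s[i] == "0"}

def greater_than(x, y, nbits):
    """Lemma 1: x > y iff the 1-encoding of x meets the 0-encoding of y."""
    return bool(one_encoding(x, nbits) & zero_encoding(y, nbits))

# Policy trees: ("AND", l, r), ("OR", l, r), ("usual", name) or
# ("cmp", name, op, threshold, nbits) with op "<" or ">".
def acc_stru_expan(node):
    """AccStruExpan: a comparative leaf becomes an OR over the encoding of its
    threshold (1-encoding for "<", 0-encoding for ">"). In the LSSS matrix this
    is the leaf's row repeated once per encoded string."""
    kind = node[0]
    if kind in ("AND", "OR"):
        return (kind, acc_stru_expan(node[1]), acc_stru_expan(node[2]))
    if kind == "usual":
        return node
    _, name, op, t, nbits = node
    codes = one_encoding(t, nbits) if op == "<" else zero_encoding(t, nbits)
    leaves = [("usual", f"{name}{op}{c}") for c in sorted(codes)]
    tree = leaves[0]
    for leaf in leaves[1:]:
        tree = ("OR", tree, leaf)
    return tree

def user_att_expan(usual, comparative):
    """UserAttExpan: a comparative user attribute (name, value, nbits) yields its
    0-encoding (which can match "<" policy rows) and its 1-encoding (">" rows)."""
    attrs = set(usual)
    for name, value, nbits in comparative:
        attrs |= {f"{name}<{c}" for c in zero_encoding(value, nbits)}
        attrs |= {f"{name}>{c}" for c in one_encoding(value, nbits)}
    return attrs

def satisfies(node, attrs):
    """Evaluate an expanded policy (usual leaves only) over an expanded attribute set."""
    kind = node[0]
    if kind == "AND":
        return satisfies(node[1], attrs) and satisfies(node[2], attrs)
    if kind == "OR":
        return satisfies(node[1], attrs) or satisfies(node[2], attrs)
    return node[1] in attrs

def leaf_count(node):
    """Number of leaves, i.e. rows of the access structure matrix."""
    if node[0] in ("AND", "OR"):
        return leaf_count(node[1]) + leaf_count(node[2])
    return 1

def trivial_row_count(node, spaces):
    """Rows after the trivial expansion of Section 1.2: one row per value of the
    attribute's value space (spaces[name], a range) that meets the comparison."""
    kind = node[0]
    if kind in ("AND", "OR"):
        return trivial_row_count(node[1], spaces) + trivial_row_count(node[2], spaces)
    if kind == "usual":
        return 1
    _, name, op, t, _ = node
    return sum(1 for v in spaces[name] if (v < t if op == "<" else v > t))

# The access structure of Section 1.2 under the assumed encodings.
POLICY = ("AND", ("usual", "member"),
          ("OR", ("AND", ("cmp", "year", "<", 18, 5), ("cmp", "points", ">", 10, 7)),
                 ("cmp", "rank", "<", 33, 6)))
# Assumed value spaces: years 2000..2017 as 0..17, points 0..127 million, ranks 1..32.
SPACES = {"year": range(0, 18), "points": range(0, 128), "rank": range(1, 33)}

def alice_satisfies():
    """Alice: community member, registered in 2017, 20 million points, unranked."""
    alice = user_att_expan({"member"}, [("year", 17, 5), ("points", 20, 7)])
    return satisfies(acc_stru_expan(POLICY), alice)

if __name__ == "__main__":
    print(leaf_count(POLICY), "->", leaf_count(acc_stru_expan(POLICY)), "rows;",
          "trivial:", trivial_row_count(POLICY, SPACES), "; Alice:", alice_satisfies())
```

Run stand-alone it reports 4 -> 10 rows for the expanded matrix against 168 for the trivial expansion under the assumed value spaces, and confirms that Alice's expanded attribute set satisfies the expanded policy. A player registered in 2018 with the same points and no ranking is rejected: none of the 0-encoding strings of 18 appears in the 1-encoding of the threshold 18, which is Lemma 1 at work.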
5. Comparable Attribute-Based Signature Scheme
Based on the above comparative attribute management method and Chen et al.’s attribute-based signature scheme, we propose a practical attribute-based signature scheme that supports comparative attributes.
5.1. The Overall Framework
The overall framework of our scheme is shown in Figure 1. The Setup algorithm generates the public parameters and master private key for the system. The KeyGen algorithm calls the UserAttExpan algorithm to generate the private key. The Sign algorithm and the Verify algorithm call the AccStruExpan algorithm to generate a signature and verify the signature, respectively.
5.2. The Proposed Scheme
Chen et al.’s scheme takes the attribute universe as input in the Setup phase, and its public key depends on the attribute universe, so supporting attribute expansion is challenging. We use the hash value of an attribute in place of the per-attribute public key of Chen et al.’s scheme. The scheme can therefore support a dynamic attribute universe, which solves the problem of not supporting attribute expansion. Another advantage is that the size of the public key is significantly reduced.
(i) Setup: Choose two prime-order multiplicative cyclic groups , with a generator and a bilinear map . Choose two collision-resistant hash functions and . Choose , then compute . Choose . The public parameters are and the master secret key is .
(ii) KeyGen: Run the user attribute expansion algorithm UserAttExpan to extend to . Pick a random value , and compute . The private key is .
(iii) Sign: Run the access structure expansion algorithm AccStruExpan to extend to . Let , and find such that , where . Set for . Pick random satisfying , where . Choose , and randomize part of the private key: . Compute and . Choose , and compute . The final signature is .
(iv) Verify: Run the access structure expansion algorithm AccStruExpan to extend to . Pick a random vector , and compute the shares for . Compute and . The verifier checks the equation .
6. Proofs of Security
Theorem 1 (correctness). The proposed scheme is correct.
Proof. Because , we have . Then, . Therefore, . The verification equation holds, so the proposed scheme is correct. □
Theorem 2 (unforgeability). If the CDHE problem is difficult, then the proposed scheme above is existentially unforgeable under adaptive chosen message but selective access structure attack.
Proof. Let be an adversary against our scheme, and let be a challenger who generates a random instance of the CDHE problem. We construct an adversary , which uses as a subroutine, to solve the CDHE problem as follows. Here, also acts as the challenger of our scheme for . Let be the maximum number of columns of the access structure matrices and let be the maximum number of Sign-Oracle queries.
(i) CDHE Problem Gen. generates a random instance of the CDHE problem and sends it to .
(ii) Init. sends a challenge access structure to . extends to by running AccStruExpan.
(iii) Setup. Choose and set , where . Let , choose and , and set and , . Forward to .
(iv) H1-Oracle. sends an attribute to . chooses . If there exists such that , then let . Otherwise, let . Return to .
(v) H2-Oracle. sends an access structure and a message to . chooses and returns it to .
(vi) KeyGen-Oracle. sends an attribute set to . extends to by running UserAttExpan, and finds such that for all . Choose and set , where . For all , request H1-Oracle on . If there exists such that , then let . Otherwise, let . Return .
(vii) Sign-Oracle. sends a message and an access structure to . extends to by running AccStruExpan, and finds such that , where , . Set for . Request H2-Oracle on and get . Compute . If , the simulation stops. If , then , because we can assume for any reasonable values of and . Choose , and such that , and then compute , where . Return the signature .
(viii) Output. outputs a triple . If , then the simulation stops. Otherwise, computes and outputs . The calculation of the above equation is as follows: .
According to Claim 2 of Waters, the probability that the simulation is not aborted is . Therefore, if can successfully forge a valid signature with probability , then can solve the CDHE problem with probability .
Theorem 3 (privacy). The proposed scheme achieves privacy.
Proof. The adversary and the challenger perform the following interactive game:
(i) executes the Setup algorithm to set up the system and responds to the oracle requests by running the corresponding algorithms.
(ii) chooses and sends such that to .
(iii) chooses , runs Sign with inputs to generate , and returns it to .
(iv) continues to respond to the oracle requests by running the corresponding algorithms.
Since is a signature on using , we have , where and such that . Let , and find such that , where . Set for .
Let and ; then, . Now, we rewrite as , where .
This shows that is also a signature generated using . Therefore, even if the adversary has unlimited computational power, it cannot distinguish which attribute set was used to generate the signature, and the advantage of in winning GAME 2 is 0. The proposed scheme achieves privacy.
7. Performance Analysis and Experimental Simulation
7.1. Performance Analysis
We compare our method with the trivial method in terms of data size and computational overhead. Without loss of generality, we assume that the attribute universe is , where is a comparative attribute whose value space is ; takes a value near the median of its value space; the access structure contains attributes and each attribute appears only once; the user’s attribute set is . Let be the length of the output of the hash function, and let and be an element of and , respectively. Denote by a pairing operation and by an exponentiation operation, respectively.
The comparison is carried out on five schemes, and the results are shown in Tables 3–10. In these tables, the left column shows the theoretical calculation results, and the right column shows the results in the case of the above example.