SPCABS: Signature-Policy Comparable Attribute-Based Signatures

Chen, Hongying; Huang, Zhenjie; Huang, Hui; Guo, Yafeng

doi:https://doi.org/10.1155/2022/9287026

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2022 | Article ID 9287026 | https://doi.org/10.1155/2022/9287026

SPCABS: Signature-Policy Comparable Attribute-Based Signatures

Hongying Chen,¹Zhenjie Huang,^2,3Hui Huang,⁴and Yafeng Guo¹

Academic Editor: Youwen Zhu

Received20 Nov 2021

Accepted23 Mar 2022

Published18 Jun 2022

Abstract

Attribute-based signature is an attractive cryptographic primitive and finds broad applications in many fields. Existing attribute-based signature schemes deal with attributes in the way of “with” or “without,” and there is no attribute-based signature scheme that supports comparing attributes. Using the 0-encoding and 1-encoding, we propose an access structure algorithm and an attribute expansion algorithm, enabling the attribute-based signature scheme to effectively deal with the comparative attributes. Then, we propose a signature-policy comparable attribute-based signature scheme using the proposed expansion algorithms. The proposed scheme is existentially unforgeable under the computational Diffie–Hellman exponent (CDHE) assumption and achieves privacy in the sense of information theory. Theoretical analysis and simulation experiments show that our method is practical and has significant advantages in storage and computation overhead compared with the trivial way. Comparable attribute-based signature dramatically expands the application scenarios of attribute-based signature.

1. Introduction

Attribute-based signature is a very attractive cryptographic primitive [1]. ABS is divided into key-policy ABS (KP-ABS) and signature-policy ABS (SP-ABS). The former KP-ABS uses the access policy (structure) to generate the signing key, and the message can be signed only when its attribute set satisfies the access policy. The latter SP-ABS is the opposite. The signer possesses the signing key corresponding to his attributes and the message with an access policy. In the signature generation stage, a valid signature can be generated if and only if the attributes of the signer satisfy the access policy. In the signature verification phase, the verifier can only ensure that the signer’s attributes satisfy the message’s access policy but cannot distinguish the signer’s identity. These are the unforgeability and privacy (anonymity) of ABS. Since ABS has fine-grained access control, anonymous authentication, privacy protection, and other good properties, it finds broad applications in many fields, such as private access control and anonymous credential.

The concept of ABS was introduced by Maji et al. [1]. They presented the definition and security model and proposed concrete schemes with security proof under the general group model. Later, Li et al. [2, 3], Shahandashti et al. [4], and Gagné et al. [5] constructed the ABS schemes under the selection model. These schemes only support threshold predicates. Maji et al. [6] and Gu et al. [7] proposed ABS schemes for monotone predicates. In 2011, Okamoto et al. [8, 9] proposed ABS schemes supporting nonmonotone predicates, improving access control flexibility, and satisfying adaptive security. In 2012, Herranz et al. [10] constructed a threshold ABS scheme with constant signature length, and its security is improved from the original selective unforgeability to adaptive unforgeability. In the same year, Chen et al. [11] combined ABS with attribute-based encryption (ABE) to construct a hybrid ABS/ABE scheme. The advantage is that ABS and ABE share the same user private key, which reduces the cost of key generation. Su et al. [12] proposed an attribute signature scheme that supports the threshold tree access structure. While the expression and security of ABS continue to improve, its functions are also constantly evolving. Wang and Chen [13] constructed a lattice-based ABS scheme to resist quantum computing attacks. Escala et al. [14] introduced the concept of traceability, allowing a trusted authority to control the signer’s identity and hold the signer accountable when the signer breaks the law. Tang et al. [15] proposed an ABS scheme for circuits from multilinear, and Sakai et al. [16] proposed an ABS scheme for circuits from bilinear maps. Based on lattices, Kaafarani et al. [17] proposed an ABS scheme for unbounded circuits. Datta et al. [18] proposed an ABS scheme for unbounded arithmetic branching programs.

All ABS schemes mentioned above have a single attribute authority. This attribute authority knows the signing keys of all users, so it must be trustworthy. Moreover, this attribute authority may become the bottleneck of the system. To overcome this shortcoming, the concepts of multiauthority attribute-based signature [19–21] and decentralized attribute-based signature [22–24] were introduced.

The existing works are summarized in Table 1.

1.1. Related Works

Generally, the computational overhead of ABS is too large, making it unsuitable for resource-constrained equipment. To this end, using cloud computing outsourcing technology, Chen et al. [25] introduced the concept of outsourced attribute-based signature. After that, several outsourced attribute-based signature schemes were proposed [26, 27]. In addition, several ABS schemes with various additional properties have also been proposed, such as group signature [28], signcryption [29], proxy signature [30], traceability [23], revocation [14], hierarchical [31], linkability [21], message recovery [32], and self-revealability [33].

So far, attribute-based signatures are still receiving widespread attention. In 2021, Perera et al. [34] constructed an attribute-based group signature (ABGS) scheme with verifier-local revocation (VLR). In the same year, Chen et al. [35] presented a novel ABS scheme using the attribute tree as an access policy that expresses flexible access control. They utilized the server-aid technique to verify signatures and reduce the computation burden. Luo et al. [36] introduced attribute-based proxy resignatures (ABPRS), which allows a semitrusted proxy to transform a signature of one entity into a signature of another, without revealing any signing key and information about the signer. Zhao et al. [37] constructed a novel attribute-based signcryption (ABSC) scheme realizing multiauthority access control and constant-size ciphertext that does not depend on the number of attributes or authorities.

In recent years, attribute-based signature has found new applications in many fields. Yang et al. [38] and Guo et al. [39] construct medical record management systems based on attribute-based signature and blockchain, respectively. Liu et al. [40] proposed a secure vehicular crowdsensing scheme based on multiauthority attribute-based signature (TRAMS), which allows the publisher to flexibly customize a fine-grained policy that the potential participants must satisfy and uses the attribute-based signature to authenticate sensed messages while protecting the privacy of the sensing vehicle. Also, they proposed a multiauthority key management scheme, which can improve vehicle-based sensing efficiency on the Internet of vehicles.

1.2. Motivation and Contributions

So far, the existing attribute-based signature schemes have dealt with attributes in a way that is “with” or “without”. No attribute-based signature scheme supports comparative attributes or more complex relationship attributes. Consider such a simple illustrative example. On the forum of a game community, it is required that only players who meet the following conditions can postexperience and guide novices:

Member of the community AND

((Register before 2018 AND More than 10 million game points) OR Top 32 in first-class competitions).

Suppose member Alice was registered in 2017 and has 20 million game points. We can easily determine that her attributes meet the above access structure, but none of the existing attribute-based signature schemes can handle it directly. The previous processing method is to expand the access structure or attributes. For example, expand “Register before 2018” and “More than 10 million game points” to

“Registered in 2000 OR Registered in 2002 OR OR Registered in 2017” and

“11 million game points OR 12 million game points OR OR 127 million game points”.

Although this trivial method can solve the problem, it brings level attribute amount expansion, where is the size of the value space of the attribute. This will make the storage overhead and computation overhead increase linearly with . The trivial method is not practical, so it is urgent to propose a practical comparative attribute management method.

The main contributions of this paper are as follows:(i)Using the 0-encoding and 1-encoding of Lin and Tzeng [41], we propose an access structure algorithm and an attribute expansion algorithm, which reduce the data expansion from to . These two algorithms enable the attribute-based signature scheme to deal with the comparative attributes effectively.(ii)Using the proposed expansion algorithms, we propose an efficient attribute-based signature scheme that supports comparative attributes. Assuming that the computational Diffie–Hellman exponent (CDHE) problem is hard, the proposed scheme is existentially unforgeable under adaptive chosen message but selective access structure attack. The proposed scheme achieves privacy in the sense of information theory, and the adversary cannot break the privacy even if he has infinite capabilities.(iii)Theoretical analysis and simulation experiments show that our method is practical and has significant advantages in storage and computation overhead compared with the trivial way.(iv)Comparable attribute-based signature dramatically expands the application scenarios of attribute-based signature.

1.3. Organization

The rest of the paper is organized as follows. The necessary background and notations are presented and reviewed in Section 2. Section 3 reviewed the attribute-based signature with its security model. Section 4 describes comparative attribute management. Our CABS constructions are proposed in Section 5. The security proof and performance analysis of the proposed scheme are given in Sections 6 and 7, respectively. Finally, the paper is concluded in Section 8.

2. Preliminaries

2.1. Notations

The notations are summarized in Table 2.

2.2. Bilinear Mapping and the Complexity Assumptions

In this section, we introduce the notions of bilinear maps, complexity assumption, access structure, and linear secret sharing scheme.

Definition 1 (bilinear maps). Letbe a prime number. Letandbe multiplicative cyclic groups of order. A mapis called a bilinear map or (bilinear) pairing if the following hold:(i)Bilinearity..(ii)Nondegeneracy., whenever, where 1 (or) is the identity element inor.(iii)Computability.is efficiently computable,.

Definition 2 (computational Diffie–Hellman exponent (CDHE) assumption). The challenger chooses,at random and outputs. The CDHE problem is to computeaccording to. The-CDHE assumption holds if no -time adversary has at leastadvantage to solve the CDHE problem.

2.3. 0-Encoding and 1-Encoding

The 0-encoding and the 1-encoding are used by Lin et al. to solve the millionaire problem [41]. Let be an -length binary string of a value:(i)The 0-encoding of is defined as a set(ii)The 1-encoding of is the set

Intuitively, the 1-encoding of is the set of all its odd prefix substrings, and the 0-encoding is the set of all of its modified even prefix substrings, where the least significant bit is flipped from “0” to “1”. For example, , its 0-encoding , and 1-encoding .

Lemma 1 (see [41]). if and only if.

2.4. Access Structure and Linear Secret Sharing Scheme

Let be an attribute universe; an access structure is a Boolean function over . An attribute set is an authorized set, if . An access structure is monotone if and implies for all .

A Linear Secret Sharing Scheme (LSSS) for monotone access structure over is a matrix along with a function to indicate the -th row of as an attribute in , which consists of the following polynomial time operations:(i)Distribution of Shares . The distribution of a secret is performed by the dealer. The dealer first samples and sets . Then, the dealer outputs a set , where is the ^th row of the matrix .(ii)Reconstruction of the Secret . Suppose that is an authorized set. The secret reconstruction constants , where , satisfying . Hence, .

3. Attribute-Based Signature

3.1. Algorithms

An attribute-based signature (ABS) scheme consists of the following algorithms:(i)Setup: it takes as input the security parameter and returns the system public parameters and master secret key .(ii)KeyGen: it takes the master secret key and an attribute set as inputs and returns the signing key .(iii)Sign: it takes a signing key , a message , and an access structure as inputs and returns a signature if .(iv)Verify: it takes a signature , a message , and an access structure as inputs and returns 1 or 0.

3.2. Security

A secure ABS scheme should have the properties of correctness, unforgeability, and privacy. We present formal definitions of them in the following.

Definition 3 (correctness). An ABS scheme is correct, iffor any,, andsuch that.
The popular notion of unforgeability for ABS is unforgeable under adaptive chosen message and selective access structure (EUF-sA-CMA). We describe the EUF-sA-CMA attack by the following game between challenger and adversary .

GAME 1.(EUF-sA-CMA):(i)Init. sends a challenge access structure to .(ii)Setup. generates and sends the system public parameters to .(iii)Queries Phase. can access the following oracles.(a)KeyGen-Oracle. A sends an attribute set A to C, C returns a signing key skA.(b)Sign-Oracle. A sends a message M and an access structure A to C, C returns a signature.(iv)Forgery. outputs a triple

wins the GAME 1, if(i).(ii) has never been queried to Sign-Oracle.(iii)Any attribute set queried to KeyGen-Oracle does not satisfy the challenge access structure .

The advantage is defined as the probability of winning the game above.

Definition 4. (unforgeability). An ABS scheme is existentially unforgeable under adaptive chosen message but selective attribute attack if the advantageis negligible for any PPT adversary.
For a secure ABS scheme, an adversary cannot find the attribute set used to generate the signature. We describe privacy by the following game between challenger and adversary .

GAME 2.(privacy):(i)Setup and Queries Phase 1 are the same as Setup and Queries Phase in GAME 1, respectively(ii)Challenge. chooses and sends such that to . chooses , runs Sign with inputs to generate , and returns to .(iii)Queries Phase 2. The same as the Queries Phase 1 above.(iv)Guess. outputs his guess .

The advantage of is .

Definition 5 (privacy). An ABS scheme achieves privacy if the advantageis negligible for any adversary.

4. Comparative Attribute Management

4.1. Expansion Algorithms

Denote the usual attribute as and the comparative attribute as . The comparative attribute is further expressed as or , where is its attribute name and is its threshold. Denote the user attribute corresponding to the comparative attribute as .

In the above example, “Member of the community” is a usual attribute, “Register before 2018,” “More than 10 million game points”, and “Top 32 in the first-class competition” are comparative attributes; they can be denoted as , , , and . Then, the access structure is . Alice’s attributes can be denoted as .

We can easily see that Alice’s attributes satisfy the access structure , but the algorithm cannot. It is necessary to extend the comparative attributes and access structure so that the algorithm can use Lemma 1 to determine whether it is satisfied. We propose the following algorithms to extend the access structure and user attributes.

4.1.1. AccStruExpan

The access structure expansion algorithm inputs an access structure with its matrix and outputs a new access structure with its matrix .

For all comparative attributes ,

If , encode it to 0-coding .

If , encode it to 1-coding .

Sets

where .

Repeat the -th row of the matrix times as rows to obtain a new matrix.

Replace each comparative attribute in with to get the new access structure .

4.1.2. UserAttExpan

The user attribute expansion algorithm inputs a user attribute set and outputs a new attribute set .(i)Encode each attribute to 0-coding and 1-coding (ii)Replace each attribute in with to get the new attribute set

4.2. Example

To facilitate understanding the above algorithms, we use the above example to execute the algorithms as follows.

AccStruExpan: Take as input , where ,(i)For ,Encode to 1-coding: Set , , . Repeat the 2-th row 2 times as rows to obtain a new matrix(ii)For , Encode to 0-coding: Set , , . Repeat the 4-th row 5 times as rows to obtain a new matrix:(iii)For ,Encode to 1-coding:Set , , . Repeat the 9-th row 2 times as rows to obtain the final matrix which is Replace , and with , and respectively; the final access structure is

UserAttExpan: take as input .(i)Encode attribute to 0-coding:and 1-coding(ii)Encode attribute to 0-coding:and 1-coding(iii)The new user attribute set .

When running the algorithms above, we assume that the value spaces of the comparative attributes , and are , and , respectively. If the trivial expansion method is used, the matrix of the access structure will increase from 4 rows to 168 rows, while using our expansion method, the matrix only grows to 10 rows. There is a 15.8 times gap between the two, which shows that our expansion method is effective.

5. Comparable Attribute-Based Signature Scheme

Based on the above comparative attribute management method and Chen et al.’s attribute-based signature scheme [11], we propose a practical attribute-based signature scheme that supports comparative attributes.

5.1. The Overall Framework

The overall framework of our scheme is shown in Figure 1. The Setup algorithm generates the public parameters and master private key for the system. The KeyGen algorithm calls the UserAttExpan algorithm to generate the private key. The Sign algorithm and the Verify algorithm call the AccStruExpan algorithm to generate a signature and verify the signature, respectively.

5.2. The Proposed Scheme

Chen et al.’s scheme inputs the attribute universe in the Setup phase and its public key is related to the attribute universe, so it is challenging to support attribute expansion. We use the hash value of attribute instead of the public key in Chen et al.’s scheme. So the scheme can support the dynamic attribute universe and solve the problem of not supporting attribute expansion. Another advantage is that the size of the public key is significantly reduced.(i)Setup: Choose two prime order multiplicative cyclic groups , with a generator and a bilinear map . Choose two collision-resistant hash functions , Choose , then compute . Choose . The public parameters and the master secret key .(ii)KeyGen: Run the user attribute expansion algorithm UserAttExpan, and extend to . Pick a random value , and computeThe private key .(iii)Sign: Run the access structure expansion algorithm AccStruExpan, extend to .Let , and find such that , where . Set for . Pick random satisfying , where . Choose , randomize part of the private keyCompute and .Choose , and computeThe final signature .(iv)Verify: Run the access structure expansion algorithm AccStruExpan, and extend to . Pick a random vector , and compute the shares for . Compute and . The verifier checks the equation

6. Proofs of Security

Theorem 1 (correctness). The proposed scheme is correct.

Proof. Becausewe haveThen,Therefore,The verification equation is established, so the proposed scheme is correct. □

Theorem 2 (unforgeability). If the CDHE problem is difficult, then the proposed scheme above is existentially unforgeable under adaptive chosen message but selective access structure attack.

Proof. Let be an adversary against our scheme, and let be a challenger who generates a random instance of the CDHE problem. We construct an adversary , which uses as a subroutine, to solve the CDHE problem as follows. Here, acts as a challenger of our scheme for as well. Let be the maximum number of columns of the access structure matrixes and let be the maximum number of Sign-Oracle queries.(i)CDHE Problem Gen. generates a random instance of the CDHE problem and sends it to .(ii)Init. sends a challenge access structure to . extends to by running AccStruExpan.(iii)Setup. Choose and set , where . Let , choose and , and set and , . Forward to .(iv)H₁-Oracle. sends an attribute to . chooses . If there exists such that , then letOtherwise, let .Return to .(v)H₂-Oracle. sends access structure and a message to . chooses and returns it to .(vi)KeyGen-Oracle. sends an attribute set to . extends to by running UserAttExpan. Finds such that for all .Choose and setwhere . For all , request H₁-Oracle on . If there exists such that , then letOtherwise, letReturn .(v)Sign-Oracle. sends a message and an access structure to . extends to by running AccStruExpan. Finds such that , where , . Set for .Request H₂Oracle on and get . ComputeIf , the simulation stops. If , then , because we can assume for any reasonable values of and . Choose , and such that , and then computewhere .Return the signature .(vi)Output: outputs a triple . If , then the simulation stops. Otherwise, computes and outputsThe calculation of the above equation is as follows:According to Claim 2 of Waters [42], the probability that the simulation is not aborted is . Therefore, if can successfully forge a valid signature with probability , then can solve the CDHE problem with probability .

Theorem 3 (privacy). The proposed scheme achieves privacy.

Proof. The adversary and the challenger perform the following interactive game:(i) executes the Setup algorithm to set up the system and responds to the oracle requests by running the corresponding algorithm.(ii) chooses and sends such that to .(iii) chooses , runs Sign with inputs to generate , and returns it to .(iv) continues to respond to the oracle requests by running the corresponding algorithm.Since is a signature on using , we havewhere and such thatLet , and find such that , where . Set for .
Let and ; then,Now, we rewrite aswhere .
This concludes that is also a signature using . Therefore, even if the adversary has an unlimited capability, it is impossible to distinguish which attribute set was used to generate the signature, and the advantage of of winning GAME 2 is 0. The proposed scheme achieves privacy.

7. Performance Analysis and Experimental Simulation

7.1. Performance Analysis

We compare our method with the trivial method in terms of data size and computational overhead. Without loss of generality, we assume that the attribute universe , where is a comparative attribute and its value space is ; takes the number near the median of the value space; the access structure contains attributes and each attribute only appears once; the user’s attribute set . Let be the length of the output of the Hash function, and let and be an element of and , respectively. Denote by a pairing operation and by an exponentiation operation, respectively.

The comparison is carried out on five schemes, and the results are shown in Tables 3–10. In these tables, the left column shows the theoretical calculation results, and the right column shows the results in the case of the above example.

.

The analysis shows the following:(1)Our method has significant advantages in signature size, signature generation overhead, and signature verification overhead, which is less than 10% of the trivial method.(2)There is also a significant advantage in master public key size. Except for [11] which is about half, the others are less than 10%.(3)There are also advantages in the overhead of master public key generation, especially when applied to the schemes of [6, 9] and [22].(4)The sizes of the master secret keys are the same except for [22]. For [22], our method can reduce the size of the master private key to 3.47%.(5)In terms of signing key size and signing key generation overhead, our method is not as good as the trivial method, which is about three times theirs.

Generally, the system only needs to generate a signing key once for each user, and the user only needs one signing key. However, one user may sign multiple messages to generate multiple signatures, and a signature may be verified multiple times by different users. Our method has advantages in the case of “multiple,” while the disadvantages are “one-time.” Therefore, our method has significant advantages.

7.2. Experimental Simulation

Two main factors are affecting the system data size and computing overhead. One is the number of attributes, especially comparative attributes. The second is the size of the value space of the comparative attribute. We simulate and analyze these two cases, respectively. The simulation experiment is carried out on the windows 10 subsystem Debian-10.9, 11th Gen Intel(R) Core(TM) i7-11370H @3.30 GHz, CPU 4, RAM 16 GB, and the PBC-0.5.14 library. We use “a.param” as the incoming parameter file of the PBC library.

The first scenario we simulated assumes that the access structure has comparative attributes and usual attributes, and the user has comparative attributes and usual attributes. take five groups of data, which are , and . The results are shown in Figures 2–5.

The simulation results show that our scheme has significant advantages in data size and computational overhead. The details are as follows:(1)In terms of master public key size, using our method, the average sizes of the five schemes are 91, 51, 163, 794, and 1755 Kb, respectively. Using the trivial method, the average size of the five schemes increases to 2260, 1135, 1292, 19232, and 44054 Kb. In other words, our method reduces the master public key sizes to 4.03%, 4.49%, 12.61%, 4.13%, and 3.98%. See Figure 2.(2)In terms of master secret key size, using our method, the average sizes of the five schemes are 72.4, 71.4, 70.4, 36.2, and 34.2 Kb, respectively. Using the trivial method, the average size of the five schemes increases to 1130, 1129 1128, 565, and 563 Kb. That is, our method reduces the master public key sizes to 6.41%, 6.32%, 6.24%, 6.41%, and 6.07%. See Figure 3. Because the data of the [6, 7] and [11] schemes are very close, and the data of the [9, 22] schemes are also very close, it seems that there are only 2 schemes and 4 polylines in Figure 3. In fact, there are 5 schemes and 10 polylines.(3)The cost of signature generation for the 5 schemes grows linearly with the number of attributes, whether using our method or the trivial method. But the increase is much faster with the trivial method, and the 5 dashed lines representing the trivial method are all above the 5 solid lines representing our method. The signing overhead using our method is 0.10, 0.05, 0.08, 0.07, and 0.22 seconds on average, which are about 6% of the trivial method. See Figure 4.(4)Similarly, the overhead of signature verification can be reduced to about 6% of the trivial method with our method. Here, the advantage of the scheme [11] is obvious. The minimum overhead is 0.03 seconds, and the maximum overhead is only 0.09 seconds, which is only 1.28% of the trivial method. See Figure 5.

The second scenario we simulated uses the example above. The value space of comparative attributes , and takes five groups of data such as , and . The results are shown in Figures 6–9. They show that the advantages of our method are more significant in the second case.(1)When using our method, the signature size, signing overhead, and verification overhead all remain largely unchanged. Instead, they both grow exponentially faster using the trivial method. In all three aspects, our method reduces them to within 2%.(2)Our method also grows slower than the trivial method in terms of master public key size. It can be reduced to about 15% in all five schemes.(3)Using our method, the average size of the master public key for the 5 schemes is 241, 126, 163, 2072, and 4687 Kb; the average size of the signature for the 5 schemes is 30, 27, 28, 15, and 13 Kb, respectively.(4)Using our method, the average signature generation overhead for the 5 schemes is 0.04, 0.02, 0.03, 0.03, and 0.08 seconds; the average verification overhead for the 5 schemes is 0.56, 0.58, 0.04, 0.34, and 0.34 seconds, respectively.

Overall, the simulation results show that our method has significant advantages over the trivial method and is then practicable and meaningful.

8. Conclusion

Attribute-based signature is a widely used cryptographic primitive and has been studied by many scholars. However, none of the existing attribute-based signature schemes supports comparing attributes. Using the 0-encoding and 1-encoding, we propose a signature-policy comparable attribute-based signature scheme, which effectively deals with the comparative attributes. Theoretical analysis and simulation experiments show that our method is practical and has significant advantages in storage and computation overhead compared with the trivial method. CABS may be combined with other technologies for wider application in the future [43–46].

The method proposed in this paper does not seem to be suitable for the case of key-policy, and it is one of the future research directions to propose a key-policy comparable attribute-based signature scheme.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by the Natural Science Foundation of Fujian Province of China (Nos. 2019J01750, 2019J01752, and 2020J01814), Zhangzhou Natural Science Foundation of China (Nos. ZZ2019127 and ZZ2021J48), and Fujian Provincial Young and Middle-Aged Teacher Education Research Project (Science and Technology) (Nos. JAT201384 and JAT201387). The first author and the fourth author thank the Fujian Key Laboratory of Granular Computing and Application (Minnan Normal University) for its support of this work.

References

H. Maji, M. Prabhakaran, and M. Rosulek, “Attribute-based signatures: achieving attribute-privacy and collusion-resistance,” Iacr Cryptology Eprint Archive, vol. 23, 2008.
View at: Google Scholar
Li Jin and K. Kim, “Attribute-based ring signatures,” IACR Cryptology ePrint Archive, vol. 394, p. 01, 2008.
View at: Google Scholar
Li Jin, M. Ho Au, W. Susilo, D. Xie, and K. Ren, “Attribute-based signature and its applications,” in Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, New York, NY, USA, April 2010, Association for Computing Machinery. [Online]. Available:.
View at: Publisher Site | Google Scholar
S. F. Shahandashti and R. Safavi-Naini, “Threshold attribute-based signatures and their application to anonymous credential systems,” Progress in Cryptology - AFRICACRYPT 2009, Springer Berlin Heidelberg, Berlin,Heidelberg, vol. volume 5580, pp. 198–216, 2009.
View at: Publisher Site | Google Scholar
M. Gagné, S. Narayan, and R. Safavi-Naini, “Short pairing-efficient threshold-attribute-based signature,” Pairing-Based Cryptography - Pairing 2012 Pairing-Based Cryptography – Pairing 2012, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 295–313, 2013.
View at: Publisher Site | Google Scholar
H. K. Maji, M. Prabhakaran, and M. Rosulek, “Attribute-based signatures,” Topics in Cryptology - CT-RSA 2011 Topics in Cryptology – CT-RSA 2011, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 376–392, 2011.
View at: Publisher Site | Google Scholar
K. Gu, W. Jia, G. Wang, and S. Wen, “Efficient and secure attribute-based signature for monotone predicates,” Acta Informatica, vol. 54, no. 5, pp. 521–541, 2017.
View at: Publisher Site | Google Scholar
T. Okamoto and K. Takashima, “Efficient attribute-based signatures for non-monotone predicates in the standard model,” Dario Catalano, Nelly Fazio, Rosario Gennaro and Antonio Nicolosi Public Key Cryptography – PKC 2011, Springer Berlin Heidelberg, Berlin, Heidelberg, 2011.
View at: Publisher Site | Google Scholar
T. Okamoto and K. Takashima, “Efficient attribute-based signatures for non-monotone predicates in the standard model,” IEEE Transactions on Cloud Computing, vol. 2, no. 4, pp. 409–421, Oct 2014.
View at: Publisher Site | Google Scholar
J. Herranz, F. Laguillaumie, B. Libert, and C. Ràfols, “Short attribute-based signatures for threshold predicates,” Topics in Cryptology – CT-RSA 2012, Springer Berlin Heidelberg, Berlin, Heidelberg, 2012.
View at: Publisher Site | Google Scholar
C. Chen, J. Chen, H. W. Lim, Z. Zhang, and D. Feng, “Combined public-key schemes: the case of ABE and ABS,” Provable Security, Springer Berlin Heidelberg, Berlin,Heidelberg, vol. volume 7496, pp. 53–69, 2012.
View at: Publisher Site | Google Scholar
J. Su, D. Cao, B. Zhao, and X. Wang, “You: ePASS: an expressive attribute-based signature scheme with privacy and an unforgeability guarantee for the Internet of Things,” Future Generation Computer Systems, vol. 33, pp. 11–18, 2014.
View at: Publisher Site | Google Scholar
Q. Wang and S. Chen, “Attribute-based signature for threshold predicates from lattices,” Security and Communication Networks, vol. 8, no. 5, pp. 811–821, 2015.
View at: Publisher Site | Google Scholar
A. Escala, J. Herranz, and P. Morillo, “Revocable attribute-based signatures with adaptive security in the standard model,” Lecture Notes in Computer Science Progress in Cryptology – AFRICACRYPT 2011, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 224–241, 2011.
View at: Publisher Site | Google Scholar
F. Tang, H. Li, and B. Liang, “Attribute-based signatures for circuits from multilinear maps,” Lecture Notes in Computer Science Information Security, Springer International Publishing, Cham, pp. 54–71, 2014.
View at: Publisher Site | Google Scholar
Y. Sakai, N. Attrapadung, and G. HanaokaChen-Mou Cheng, “Attribute-based signatures for circuits from bilinear map,” Public-Key Cryptography - PKC 2016 Public-Key Cryptography – PKC 2016, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 283–300, 2016.
View at: Publisher Site | Google Scholar
A. El Kaafarani and E. Ghadafi, “Attribute-based signatures with user-controlled linkability without random oracles,” Cryptography and Coding Cryptography and Coding, Springer International Publishing, Cham, pp. 161–184, 2017.
View at: Publisher Site | Google Scholar
P. Datta, T. Okamoto, and K. Takashima, “Efficient attribute-based signatures for unbounded arithmetic branching programs,” IEICE - Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E104, 2021.
View at: Google Scholar
D. Cao, B. Zhao, X. Wang, J. Su, and G. Ji, “Multi-authority attribute-based signature,” in Proceedings of the 2011 Third International Conference on Intelligent Networking and Collaborative Systems, Fukuoka, Japan, November 2011.
View at: Publisher Site | Google Scholar
D. Cao, B. Zhao, X. Wang, and J. Su, “Flexible multi-authority attribute-based signature schemes for expressive policy,” Mobile Information Systems, vol. 8, no. 3, pp. 255–274, 2012.
View at: Publisher Site | Google Scholar
A. El Kaafarani, L. Chen, E. Ghadafi, and J. Davenport, “Attribute-based signatures with user-controlled linkability,” Cryptology and Network Security Dimitris Gritzalis, Aggelos Kiayias and Ioannis Askoxylakis Cryptology and Network Security, Springer International Publishing, Cham, pp. 256–269, 2014.
View at: Publisher Site | Google Scholar
T. Okamoto and K. Takashima, “Decentralized attribute-based signatures,” Kaoru Kurosawa and Goichiro Hanaoka Public-Key Cryptography – PKC 2013, Springer Berlin Heidelberg, Berlin, Heidelberg, vol. 125–142, 2013.
View at: Publisher Site | Google Scholar
A. El Kaafarani, E. Ghadafi, and D. Khader, “Decentralized traceable attribute-based signatures,” Topics in Cryptology - CT-RSA 2014 Topics in Cryptology – CT-RSA 2014, Springer International Publishing, Cham, pp. 327–348, 2014.
View at: Publisher Site | Google Scholar
E. Ghadafi, “Stronger security notions for decentralized traceable attribute-based signatures and more efficient constructions,” Lecture Notes in Computer Science Topics in Cryptology — CT-RSA 2015, Springer International Publishing, Cham, pp. 391–409, 2015.
View at: Publisher Site | Google Scholar
F. Chen, Y. Han, D. Jiang, X. Li, and X. Yang, “Outsourcing the unsigncryption of compact attribute-based signcryption for general circuits,” Communications in Computer and Information Science Social Computing, Springer Singapore, Singapore, pp. 533–545, 2016.
View at: Publisher Site | Google Scholar
Z. Huang, Z. Lin, Q. Chen, Y. Zhou, and H. Huang, “Outsourced attribute-based signatures with perfect privacy for circuits in cloud computing,” Concurrency and Computation: Practice and Experience, vol. 33, no. 10, Article ID e6173, 2021.
View at: Publisher Site | Google Scholar
Z. Huang and Z. Lin, “Secure server-aided attribute-based signature with perfect anonymity for cloud-assisted systems,” Journal of Information Security and Applications, vol. 65, Article ID 103066, 2022.
View at: Publisher Site | Google Scholar
V. Kuchta, G. Sharma, R. A. Sahu, and O. Markowitch, “Generic framework for attribute-based group signature,” Information Security Practice and Experience Information Security Practice and Experience, Springer International Publishing, Cham, pp. 814–834, 2017.
View at: Publisher Site | Google Scholar
Y. Song, Z. Li, Y. Li, and J. Li, “Attribute-based signcryption scheme based on linear codes,” Information Sciences, vol. 417, pp. 301–309, 2017.
View at: Publisher Site | Google Scholar
C. Sun, Y. Guo, and Y. Li, “One secure attribute-based proxy signature,” Wireless Personal Communications, vol. 103, no. 2, pp. 1273–1283, Nov 2018.
View at: Google Scholar
C.-C. . Drǎgan, D. Gardham, and M. Manulis, “Hierarchical attribute-based signatures,” Jan Camenisch and Panos Papadimitratos Cryptology and Network Security, Springer International Publishing, Cham, pp. 213–234, 2018.
View at: Google Scholar
Y. S. Rao and R. Dutta, “Bandwidth-efficient attribute-based key-insulated signatures with message recovery,” Information Sciences, vol. 369, pp. 648–673, 2016.
View at: Publisher Site | Google Scholar
H. Cui, G. Wang, R. H. Deng, and B. Qin, “Escrow free attribute-based signature with self-revealability,” Escrow free attribute-based signature with self-revealability” Information Sciences, Information Sciences, vol. 367-368, pp. 660–672, 2016.
View at: Publisher Site | Google Scholar
Maharage Nisansala Sevwandi Perera, T. Nakamura, M. Hashimoto, H. Yokoyama, and K. Sakurai, “Almost fully anonymous attribute-based group signatures with verifier-local revocation and member registration from lattice assumptions,” Theoretical Computer Science, vol. 891, pp. 131–148, 2021.
View at: Google Scholar
Yu Chen, J. Li, C. Liu, J Han, Y Zhang, and P Yi, “Efficient attribute based server-aided verification signature,” IEEE Transactions on Services Computing, vol. 1, 2021.
View at: Publisher Site | Google Scholar
F. Luo, S. Al-Kuwari, W. Susilo, and D. H. Duong, “Attribute-based proxy re-signature from standard lattices and its applications,” Computer Standards & Interfaces, vol. 75, Article ID 103499, 2021.
View at: Publisher Site | Google Scholar
Y. Zhao, A. Ruan, G. Dan, J. Huang, and Yi Ding, “Efficient multi-authority attribute-based signcryption with constant-size ciphertext,” in Proceedings of the 2021 IEEE Conference on Dependable and Secure Computing (DSC), Fukushima, Japan, January 2021.
View at: Publisher Site | Google Scholar
X. Yang, T. Li, X. Pei, L. Wen, and C. Wang, “Medical data sharing scheme based on attribute cryptosystem and blockchain technology,” IEEE Access, vol. 8, pp. 45468–45476, 2020.
View at: Publisher Site | Google Scholar
H. Guo, W. Li, E. Meamari, C.-C. Shen, and M. Nejad, “Attribute-based multi-signature and encryption for ehr management: a blockchain-based solution,” in Proceedings of the 2020 IEEE International Conference on Blockchain and Cryptocurrency (ICBC), Toronto, ON, Canada, May 2020.
View at: Publisher Site | Google Scholar
X. Liu, W. Chen, Y. Xia, and R. Shen, “Trams: a secure vehicular crowdsensing scheme based on multi-authority attribute-based signature,” IEEE Transactions on Intelligent Transportation Systems, vol. 1–11, 2021.
View at: Publisher Site | Google Scholar
H.-Y. Lin and W.-G. Tzeng, “An efficient solution to the millionaires' problem based on homomorphic encryption,” Applied Cryptography and Network Security John Ioannidis, Angelos Keromytis and Moti Yung Applied Cryptography and Network Security, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 456–466, 2005.
View at: Publisher Site | Google Scholar
B. Waters, “Efficient identity-based encryption without random oracles,” Advances in Cryptology – EUROCRYPT 2005, Springer Berlin Heidelberg, Berlin, Heidelberg, 2005.
View at: Publisher Site | Google Scholar
Li Qi, B. Xia, H. Huang, Y. Zhang, and T. Zhang, “Trac: traceable and revocable access control scheme for mhealth in 5g-enabled iiot,” IEEE Transactions on Industrial Informatics, vol. 1, 2021.
View at: Google Scholar
Y. Tian, Ta Li, and J. Xiong, “A blockchain-based machine learning framework for edge services in iiot,” IEEE Transactions on Industrial Informatics, vol. 18, no. 3, March 2022.
View at: Google Scholar
Y. Tian, Z. Wang, J. Xiong, and J. Ma, “A blockchain-based secure key management scheme with trustworthiness in dwsns,” IEEE Transactions on Industrial Informatics, vol. 16, no. 9, Sep. 2020.
View at: Google Scholar
J. Xiong, R. Bi, M. Zhao, J. Guo, and Q. Yang, “Edge-assisted privacy-preserving raw data sharing framework for connected autonomous vehicles,” IEEE Wireless Communications, vol. 27, no. 3, June 2020.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2022 Hongying Chen et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

286

Downloads

296

Citations