Efficient attribute-based signature and signcryption realizing expressive access structures

Abstract

This paper addresses the open problem of designing attribute-based signature (ABS) schemes with constant number of bilinear pairing operations for signature verification or short signatures for more general policies posed by Gagné et al. in Pairing 2012. Designing constant-size ABS for expressive access structures is a challenging task. We design two key-policy ABS schemes with constant-size signature for expressive linear secret-sharing scheme (LSSS)-realizable monotone access structures. Both the schemes utilize only 3 pairing operations in signature verification process. The first scheme is small universe construction, while the second scheme supports large universes of attributes. The signing key is computed according to LSSS-realizable access structure over signer’s attributes, and the message is signed with an attribute set satisfying the access structure. Our ABS schemes provide the existential unforgeability in selective attribute set security model and preserve signer privacy. We also propose a new attribute-based signcryption (ABSC) scheme for LSSS-realizable access structures utilizing only 6 pairings and making the ciphertext size constant. Our scheme is significantly more efficient than existing ABSC schemes. While the secret key (signing key or decryption key) size increases by a factor of number of attributes used in the system, the number of pairing evaluations is reduced to constant. Our protocol achieves (a) ciphertext indistinguishability under adaptive chosen ciphertext attacks assuming the hardness of decisional Bilinear Diffie–Hellman Exponent problem and (b) existential unforgeability under adaptive chosen message attack assuming the hardness of computational Diffie–Hellman Exponent problem. The security proofs are in selective attribute set security model without using any random oracle heuristic. In addition, our ABSC achieves public verifiability of the ciphertext, enabling any party to verify the integrity and validity of the ciphertext.

Appendix: Proof of Claim 3

We have

$$\begin{aligned} \widehat{\mathbf{a}}=(a^{n}, a^{n-1}, \ldots , a)~\mathrm{{and}}~\varvec{\rho }_{\mathbf{i}}=(1, \rho (i), \ldots , \rho (i)^{n-1}). \end{aligned}$$

Then,

$$\begin{aligned} \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}=\sum _{k\in [n]}a^{n+1-k}\rho (i)^{k-1}. \end{aligned}$$

Note that \(r_{i}=r'_{i}-\dfrac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}\) and

$$\begin{aligned} \lambda _{\rho (i)}=\mathbf{S}_{\mathbf{i}}(\mathbf{v}_{\mathbf{2}}-\alpha '\mathbf{v}_{\mathbf{1}})-a^{n+1}\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}. \end{aligned}$$

Also, we have \(\mathbf{y}^{{\varvec{*}}}=(y_{1}^{*}, \ldots , y_{n}^{*})\) and \(\mathbf{a}=(a, a^{2}, \ldots , a^{n}).\) Now,

$$\begin{aligned} D'_{i}= & {} g^{r'_{i}}\prod _{k\in [n]}g_{n+1-k}^{-\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \rho (i)^{k-1}}\\= & {} g^{r'_{i}}\cdot g^{-\sum _{k\in [n]}\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}a^{n+1-k}\rho (i)^{k-1}}\\= & {} g^{r'_{i}}\cdot g^{-\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}}\\= & {} g^{r_{i}},\\ D_{i}= & {} g^{\mathbf{S}_{\mathbf{i}}(\mathbf{v}_{\mathbf{2}}-\alpha '\mathbf{v}_{\mathbf{1}})}\cdot V_{0}^{r'_{i}}\cdot \prod _{k\in [n]}g_{n+1-k}^{-\beta _{0}\cdot \frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \rho (i)^{k-1}}\\&\cdot \prod _{s\in [n]}~\prod _{k\in [n],k\ne s}g_{n+1+s-k}^{y_{s}^{*}\cdot \frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \rho (i)^{k-1}}\\= & {} g^{\mathbf{S}_{\mathbf{i}}(\mathbf{v}_{\mathbf{2}}-\alpha '\mathbf{v}_{\mathbf{1}})}\cdot \boxed {g^{-a^{n+1}\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}}\cdot V_{0}^{r'_{i}}\\&\cdot g^{-\beta _{0}\cdot \frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\sum \limits _{k\in [n]}a^{n+1-k}\rho (i)^{k-1}} \\&\cdot g^{\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\sum \limits _{s\in [n]}\sum \limits _{k\in [n],k\ne s}a^{n+1+s-k}\cdot y_{s}^{*}\cdot \rho (i)^{k-1}}\cdot \boxed {g^{a^{n+1}\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}}\\= & {} g^{\mathbf{S}_{\mathbf{i}}(\mathbf{v}_{\mathbf{2}}-\alpha '\mathbf{v}_{\mathbf{1}})-a^{n+1}\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}\cdot V_{0}^{r'_{i}}\cdot g^{-\beta _{0}\cdot \frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}}\\&\cdot g^{\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\sum _{s\in [n]}\sum _{k\in [n],k\ne s}a^{n+1+s-k}\cdot y_{s}^{*}\cdot \rho (i)^{k-1}} \\&\cdot g^{a^{n+1}\cdot \frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\\= & {} g^{\lambda _{\rho (i)}}\cdot V_{0}^{r'_{i}}\cdot g^{-\beta _{0}\cdot \frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}}\\&\cdot g^{\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\sum _{s\in [n]}\sum _{k\in [n],k\ne s}a^{n+1+s-k}\cdot y_{s}^{*}\cdot \rho (i)^{k-1}}\\&\cdot g^{\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\sum _{j\in [n]}a^{n+1}\cdot y_{j}^{*}\cdot \rho (i)^{j-1}}\\= & {} g^{\lambda _{\rho (i)}}\cdot V_{0}^{r'_{i}}\cdot g^{-\beta _{0}\cdot \frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}}\\&\cdot g^{\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\sum _{s\in [n]}\sum _{k\in [n]}a^{n+1+s-k}\cdot y_{s}^{*}\cdot \rho (i)^{k-1}}\\= & {} g^{\lambda _{\rho (i)}}\cdot V_{0}^{r'_{i}}\cdot g^{-\beta _{0}\cdot \frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}}\\&\cdot g^{\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}(\sum _{s\in [n]}a^{s}\cdot y_{s}^{*})(\sum _{k\in [n]}a^{n+1-k}\cdot \rho (i)^{k-1})}\\= & {} g^{\lambda _{\rho (i)}}\cdot V_{0}^{r'_{i}}\cdot g^{-\beta _{0}\cdot \frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}}\cdot g^{\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}(\mathbf{a}\mathbf{y}^{{\varvec{*}}})(\widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}})}\\= & {} g^{\lambda _{\rho (i)}}\cdot V_{0}^{r'_{i}}\cdot \big (g^{\beta _{0}-\mathbf{a}\mathbf{y}^{{\varvec{*}}}}\big )^{-\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}}\\= & {} g^{\lambda _{\rho (i)}}\cdot V_{0}^{r'_{i}}\cdot V_{0}^{-\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}}\\= & {} g^{\lambda _{\rho (i)}}\cdot V_{0}^{r_{i}}. \end{aligned}$$

For \(k=2, \ldots , n,\)

$$\begin{aligned} D''_{i,k}= & {} \big (V_{1}^{-\rho (i)^{k-1}}V_{k}\big )^{r'_{i}}\cdot \prod _{j\in [n]}g_{n+1-j}^{(\beta _{1}\rho (i)^{k-1}-\beta _{k})\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \rho (i)^{j-1}}\\&\cdot \prod _{j=2}^{n}g_{n+2-j}^{\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \rho (i)^{k+j-2}}\cdot \prod _{j\in [n],j\ne k}g_{n+1+k-j}^{-\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \rho (i)^{j-1}}\\= & {} \big (V_{1}^{-\rho (i)^{k-1}}V_{k}\big )^{r'_{i}}\\&\cdot g^{(\beta _{1}\rho (i)^{k-1}-\beta _{k})\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\sum _{j\in [n]}a^{n+1-j}\cdot \rho (i)^{j-1}} \\&\cdot g^{\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\sum _{j=2}^{n}a^{n+2-j}\cdot \rho (i)^{k+j-2}}\cdot \boxed {g^{a^{n+1}\cdot \frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \rho (i)^{k-1}}}\\&\cdot g^{-\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\sum _{j\in [n],j\ne k}a^{n+1+k-j}\cdot \rho (i)^{j-1}}\\&\cdot \boxed {g^{-a^{n+1}\cdot \frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \rho (i)^{k-1}}}\\= & {} \big (V_{1}^{-\rho (i)^{k-1}}V_{k}\big )^{r'_{i}}\cdot g^{(\beta _{1}\rho (i)^{k-1}-\beta _{k})\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}} \\&\cdot g^{\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \rho (i)^{k-1}\sum _{j=2}^{n}a^{n+2-j}\cdot \rho (i)^{j-1}+\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}} \cdot \rho (i)^{k-1}\cdot a^{n+1}}\\&\cdot g^{-\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\sum _{j\in [n],j\ne k}a^{n+1+k-j}\cdot \rho (i)^{j-1}-a^{n+1}\cdot \frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \rho (i)^{k-1}}\\= & {} \big (V_{1}^{-\rho (i)^{k-1}}V_{k}\big )^{r'_{i}}\cdot g^{(\beta _{1}\rho (i)^{k-1}-\beta _{k})\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}} \\&\cdot g^{\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \rho (i)^{k-1}\sum _{j=1}^{n}a^{n+2-j}\cdot \rho (i)^{j-1}}\\&\cdot g^{-\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\sum _{j\in [n]}a^{n+1+k-j}\cdot \rho (i)^{j-1}}\\= & {} \big (V_{1}^{-\rho (i)^{k-1}}V_{k}\big )^{r'_{i}}\cdot g^{(\beta _{1}\rho (i)^{k-1}-\beta _{k})\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}}\\&\cdot g^{a\cdot \frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \rho (i)^{k-1}\cdot \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}}\cdot g^{-a^{k}\cdot \frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}}\\= & {} \big (V_{1}^{-\rho (i)^{k-1}}V_{k}\big )^{r'_{i}}\cdot \big (g^{-\beta _{1}\rho (i)^{k-1}+\beta _{k}}\\&\cdot g_{1}^{-\rho (i)^{k-1}}\cdot g_{k}\big )^{-\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}}\\= & {} \big (V_{1}^{-\rho (i)^{k-1}}V_{k}\big )^{r'_{i}}\cdot \big ((g^{\beta _{1}}g_{1})^{-\rho (i)^{k-1}}\cdot (g^{\beta _{k}}g_{k})\big )^{-\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}}\\= & {} \big (V_{1}^{-\rho (i)^{k-1}}V_{k}\big )^{r'_{i}}\cdot \big (V_{1}^{-\rho (i)^{k-1}}\cdot V_{k}\big )^{-\frac{\mathbf{S}_{\mathbf{i}}\mathbf{v}_{\mathbf{1}}}{\mathbf{y}^{{\varvec{*}}}\varvec{\rho }_{\mathbf{i}}}\cdot \widehat{\mathbf{a}}\varvec{\rho }_{\mathbf{i}}}\\= & {} \big (V_{1}^{-\rho (i)^{k-1}}V_{k}\big )^{r_{i}}. \end{aligned}$$

Thus, the adversary’s view to the values of \(D_{i}, D'_{i}, D''_{i}=\{D''_{i,k}\}_{k=2}^{n}\) simulated by \(\mathcal {C}\) are identical to that of the original construction. This proves the Claim.