Abstract
Attribute-based signatures allow fine-grained attribute-based authentication and at the same time keep a signer’s privacy as much as possible. While there are constructions of attribute-based signatures allowing arbitrary circuits or Turing machines as an authentication policy, none of them is practically very efficient. Some schemes have long signatures or long user secret keys which grow as the sizes of a policy or attributes grow. Some scheme relies on a vast Karp reduction which transforms public-key and secret-key operations into an arithmetic circuit. We propose an attribute-based signature scheme for bounded-size arbitrary arithmetic circuits with constant-size signatures and user secret keys without relying on such a Karp reduction. The scheme is based on bilinear groups and is proven secure in the generic bilinear group model. To achieve this we develop a new extension of SNARKs (succinct non-interactive arguments of knowledge). We formalize this extension as constrained SNARKs, which can be seen as a simplification of commit-and-prove SNARKs both in syntax and technique. In a constrained SNARK, one can force a prover to use a witness satisfying some constraint by announcing a succinct constraint string which encodes a constraint on a witness. If a proof is valid under some constraint string, it is ensured that the witness behind the proof satisfies the constraint that is behind the constraint string. By succinct, we mean that a constraint string has a constant length independent of the length of the plain description of the constraint, and notably a verifier need not know the (potentially long) plain description of the constraint for verifying a proof. We construct a constrained SNARK in the generic bilinear group model.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
This instantiation is optimized for the signature length. Boyle et al.’s construction requires the SNARK to be “trapdoor extractable” [10], but we ignore this requirement and assume that Groth’s SNARK has this property (Instead, to avoid this extra assumption, one may attach an encryption of the part of the witness that needs to be extracted to a signature). Furthermore, Groth’s SNARK is not necessarily optimized for RSA exponentiation, as it only supports arithmetic circuits of a prime modulus. Still, we adopt this SNARK for optimization for the signature length.
- 2.
A (constrained) SNARK is preprocessing if the sizes of the statements that can be proved are bounded at the time of generating a common reference string (CRS).
- 3.
- 4.
The point that we need to “wrap” a constrained SNARK is to avoid the following linkability issue: In our construction, a signer reuses his constraint string that encodes his attributes and was signed on by the authority every time he wants to issue an attribute-based signature; thus, making this constraint string public allows an adversary to track all the attribute-based signatures issued by him.
- 5.
One may think that the adversary knows the assignment to the polynomial before fixing a polynomial, and thus we cannot apply the Schwartz-Zippel lemma. This is not the case in the formal security proof. In the formal proof, which is carried on in the generic bilinear group model, the group operation oracles are simulated with polynomials and indeterminates, and the assignment is chosen after the adversary fixes a polynomial in question.
References
Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. J. Cryptol. 29(2), 363–421 (2016). https://doi.org/10.1007/s00145-014-9196-7
Abe, M., Groth, J., Haralambiev, K., Ohkubo, M.: Optimal structure-preserving signatures in asymmetric bilinear groups. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 649–666. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_37
Agrawal, S., Ganesh, C., Mohassel, P.: Non-interactive zero-knowledge proofs for composite statements. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 643–673. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_22
Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_29
Campanelli, M., Fiore, D., Querol, A.: LegoSNARK: modular design and composition of succinct zero-knowledge proofs. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 2075–2092. ACM (2019)
Costello, C., et al.: Geppetto: Versatile verifiable computation. In: 2015 IEEE Symposium on Security and Privacy, pp. 944–961 (2018)
Datta, P., Okamoto, T., Takashima, K.: Efficient attribute-based signatures for unbounded arithmetic branching programs. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11442, pp. 127–158. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17253-4_5
El Kaafarani, A., Katsumata, S.: Attribute-based signatures for unbounded circuits in the rom and efficient instantiations from lattices. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10770, pp. 89–119. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5_4
Fiore, D., Fournet, C., Ghosh, E., Kohlweiss, M., Ohrimenko, O., Parno, B.: Hash first, argue later: adaptive verifiable computations on outsourced data. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1304–1316. ACM (2016)
Fiore, D., Nitulescu, A.: On the (in) security of SNARKs in the presence of oracles. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9985, pp. 108–138. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53641-4_5
Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11
Groth, J., Sahai, A.: Efficient noninteractive proof systems for bilinear groups. SIAM J. Comput. 41(5), 1193–1232 (2012)
Kosba, A., Papamanthou, C., Shi, E.: xJsnark: a framework for efficient verifiable computation. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 944–961. IEEE (2018)
Lipmaa, H., Mohassel, P., Sadeghian, S.: Valiant’s universal circuit: improvements, implementation, and applications. Cryptology ePrint Archive, Report 2016/017 (2016). https://eprint.iacr.org/2016/017
Maji, H.K., Prabhakaran, M., Rosulek, M.: Attribute-based signatures. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 376–392. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_24
Okamoto, T., Takashima, K.: Efficient attribute-based signatures for non-monotone predicates in the standard model. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 35–52. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_3
Sakai, Y., Attrapadung, N., Hanaoka, G.: Attribute-based signatures for circuits from bilinear map. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 283–300. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_11
Sakai, Y., Katsumata, S., Attrapadung, N., Hanaoka, G.: Attribute-based signatures for unbounded languages from standard assumptions. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 493–522. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_17
Shahandashti, S.F., Safavi-Naini, R.: Threshold attribute-based signatures and their application to anonymous credential systems. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 198–216. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02384-2_13
Tang, F., Li, H., Liang, B.: Attribute-based signatures for circuits from multilinear maps. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 54–71. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13257-0_4
Tsabary, R.: An equivalence between attribute-based signatures and homomorphic signatures, and new constructions for both. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 489–518. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_16
Valiant, L.G.: Universal circuits (preliminary report). In: Proceedings of the Eighth Annual ACM Symposium on Theory of Computing, pp. 196–203. ACM (1976)
Wegener, I.: The Complexity of Boolean Functions. John Wiley & Sons Inc., Hoboken (1987)
Acknowledgments
This work was supported by JSPS KAKENHI Grant Numbers JP18K18055 and JP19H01109. This work was partially supported by JST AIP Acceleration Research JPMJCR22U5, Japan.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Sakai, Y. (2022). Succinct Attribute-Based Signatures for Bounded-Size Circuits by Combining Algebraic and Arithmetic Proofs. In: Galdi, C., Jarecki, S. (eds) Security and Cryptography for Networks. SCN 2022. Lecture Notes in Computer Science, vol 13409. Springer, Cham. https://doi.org/10.1007/978-3-031-14791-3_31
Download citation
DOI: https://doi.org/10.1007/978-3-031-14791-3_31
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-14790-6
Online ISBN: 978-3-031-14791-3
eBook Packages: Computer ScienceComputer Science (R0)