Anonymous attribute-based designated verifier signature

Abstract

An attribute-based signature (ABS), is a cryptographic scheme where someone can sign a message using any kind of predicates verified by the attributes he owns. For such scheme, it is expected to be impossible for users to collude to sign a message if none of them is originally able to sign the message on his own. The main advantage of such a solution is that the signer can remain anonymous in the set of users fulfilling the chosen predicate. It can then be used for anonymous authentication for instance. In this paper, our main contribution is a new designated verifier attribute based signature scheme. In other words, the signer is using his attributes to authenticate a message according to a predicate, and while doing so he can pick another policy such that only users owning attributes fulfilling this policy can check the validity of the signature. It can be used to extend anonymous authentication, ensuring that the designated verifier cannot prove to anyone that a valid authentication has been performed. In addition to classical anonymity, this also increases the privacy of users as no further statistics on valid connection can be deduced. To do so, we first propose a generic construction of this primitive using standard cryptographic building blocks. An instantiation of this primitive is then described and proved through security games under the Symmetric External Diffie–Hellman (\(\textsf {SXDH}\)) assumption. This main contribution is compared to state-of-the-art solutions in terms of both security and efficiency.

Appendices

Digital signature

Definition 7

A signature scheme is composed by four algorithms:

• \(\textsf {Setup}({\mathfrak {K}})\): generates the global parameter of the system \(\textsf {param}\).

• \(\textsf {KeyGen}( \textsf {param})\): outputs a pair of key \((\textsf {sk},\textsf {pk})\) where \(\textsf {sk}\) is the (secret) signing key and \(\textsf {pk}\) the (public) verification key.

• \(\textsf {Sign}(\textsf {sk},m;\mu )\): outputs a signature \(\sigma\) on the message m thanks under \(\textsf {sk}\), and some randomness \(\mu\).

• \(\textsf {Verify}(\textsf {vk},m,\sigma )\): checks the validity of the signature \(\sigma\) with \(\textsf {vk}\).

Fig. 7

\(\mathsf {EUF-CMA}\) Game for a Signature Scheme

Digital Signature has to verify two security properties: correctness and existential unforgeability under chosen message attacks \((\mathsf {EUF-CMA})\).

• Correctness For every pair \((\textsf {sk},\textsf {pk})\leftarrow \textsf {KeyGen}( \textsf {param})\), for every message \(m\in {\mathcal {M}}\) and for all randomness \(\mu\), we have \(\textsf {Verify}(\textsf {vk},m, \textsf {Sign}(\textsf {sk},m;\mu ))=1\).

• Existential Unforgeability under Chosen Message Attacks (Goldwasser et al. 1988) even after querying n valid signatures on chosen messages \((m_i)\), \({\mathcal {A}}\) should not be able to output a valid signature on a fresh message m. We define a signing oracle: \(\textsf {OSign}(\textsf {vk},m)\) outputs a signature on m valid under the verification key \(\textsf {vk}\). The requested message is added to the signed messages set \({{\mathcal {S}}}{{\mathcal {M}}}\). The probability of success against the game given in Fig. 7 is denoted by

  $$\begin{aligned} {\mathsf {Succ}^{ \textsf {euf}}_{{\mathcal {S}},{\mathcal {A}}}({\mathfrak {K}}) = \Pr \left[ \mathsf {Exp}_{{\mathcal {S}},{\mathcal {A}}}^{ \textsf {euf}}({\mathfrak {K}}) = 1\right] ,} {\mathsf {Succ}^{ \textsf {euf}}_{{\mathcal {S}}}({\mathfrak {K}},t) = \max \limits _{{\mathcal {A}} \le t} \mathsf {Succ}^{ \textsf {euf}}_{{\mathcal {S}},{\mathcal {A}}}({\mathfrak {K}}).} \end{aligned}$$

Designated verifier signature: security properties

Fig. 8

Unforgeability experiment for \(\mathsf {DVS}\)

A \(\mathsf {DVS}\) has to verify different security properties:

• Unforgeability as any regular signature Even after querying n valid signatures on chosen messages, an adversary should not be able to output a valid signature on a fresh message.

• DV-unforgeability only the signer or the designated verifier should be able to generate a verifiable message signature pair for (m,\({\hat{\sigma }}\)). The security experiment is presented in Fig. 8. We denote by \(\textsf {KGS}\): Key Generation Signature and \(\textsf {KGV}\): Key Generation Verification. In Fig. 8, we used two oracles described below.

• \(\textsf {OSign}(\textsf {pk}_1,m):\) outputs a signature \(\sigma\) on the message m and adds m to the set of signed messages \({{\mathcal {S}}}{{\mathcal {M}}}\).

• \(\textsf {OVerify}(\textsf {pk}_2,m,{\hat{\sigma }})\) checks the validity of the designated signature \({\hat{\sigma }}\).

• Non-transferability an adversary should not be able to convince a third party about the validity (or invalidity) of a designated signature. An adversary \({\mathcal {A}}\) must have at best a negligible advantage in distinguishing the two following distributions:

  $$\begin{aligned} \Delta _0=\left\{ (m,{\hat{\sigma }}) \begin{array}{l} \left( \textsf {sk}_1,\textsf {pk}_1\right) \leftarrow \textsf {KGS}( \textsf {param})\\ \left( \textsf {sk}_2,\textsf {pk}_2\right) \leftarrow \textsf {KGV}( \textsf {param})\\ {\hat{\sigma }}= \textsf {Des}\left( \textsf {pk}_1,\textsf {pk}_2,m, \textsf {Sign}\left( \textsf {sk}_1,m\right) \right) \end{array} \right\} \\ \\ \Delta _1=\left\{ \left( m,{\hat{\sigma }}\right) \begin{array}{l} \left( \textsf {sk}_1,\textsf {pk}_1\right) \leftarrow \textsf {KGS}( \textsf {param})\\ \left( \textsf {sk}_2,\textsf {pk}_2\right) \leftarrow \textsf {KGV}( \textsf {param})\\ {\hat{\sigma }}\leftarrow {\mathcal {S}}\end{array} \right\} \end{aligned}$$

Downgradable IBE

We present in Fig. 9 the \(\textsf {DIBE}\) used in our protocol.

Fig. 9

\(\textsf {DIBE}\) fromBlazy et al. (2019)

Theorem 4

Under the \({\mathcal {D}}_k\)-\(\textsf {MDDH}\) assumption, the \(\textsf {DIBE}\) is \(\mathsf {PR\text{- }ID\text{- }CPA}\) secure. For all adversaries \({\mathcal {A}}\), there exists an adversary \({\mathcal {B}}\) with \(\mathsf {TIME}({\mathcal {A}})\approx \mathsf {TIME}({\mathcal {B}})\) and³

$$\begin{aligned}&{\mathsf {Adv}}_{ \textsf {DIBE},{\mathcal {D}}_k}({\mathcal {B}})^{\mathsf {PR\text{- }ID\text{- }CPA}}\le \left( {\mathsf {Adv}}_{{\mathcal {D}}_k,\textsf {Setup}}({\mathcal {B}})\right. \\&\left. \quad + 2q_k\left( {\mathsf {Adv}}_{{\mathcal {D}}_k,\textsf {Setup}}\left( {\mathcal {B}}\right) \right) +1/q\right) . \end{aligned}$$