Abstract
An attribute-based signature (ABS) is a cryptographic scheme in which a user can sign a message with respect to any predicate satisfied by the attributes he owns. For such a scheme, it is expected to be impossible for users to collude to sign a message if none of them is originally able to sign the message on his own. The main advantage of such a solution is that the signer remains anonymous within the set of users fulfilling the chosen predicate. It can then be used, for instance, for anonymous authentication. In this paper, our main contribution is a new designated verifier attribute-based signature scheme. In other words, the signer uses his attributes to authenticate a message according to a predicate and, while doing so, can pick another policy such that only users owning attributes fulfilling this second policy can check the validity of the signature. It can be used to extend anonymous authentication, ensuring that the designated verifier cannot prove to anyone that a valid authentication has been performed. In addition to classical anonymity, this also increases the privacy of users, as no further statistics on valid connections can be deduced. To do so, we first propose a generic construction of this primitive using standard cryptographic building blocks. An instantiation of this primitive is then described and proved through security games under the Symmetric External Diffie–Hellman (\(\textsf {SXDH}\)) assumption. This main contribution is compared to state-of-the-art solutions in terms of both security and efficiency.
Notes
The relation leads to a partial order, i.e. \(\forall x,y, x \ne y \Rightarrow x \preceq y = \texttt {false} \vee y \preceq x= \texttt {false}\).
For simplicity we assume that \({\mathbb {F}}\) is a policy expressed in \(\textsf {DNF}\) form.
\(q_k\) is the maximal number of queries to the \(\textsf {Eval}\) oracle.
References
Ateniese G, Camenisch J, Hohenberger S, de Medeiros B (2005) Practical group signatures without random oracles. Cryptology ePrint Archive, Report 2005/385. http://eprint.iacr.org/2005/385. Accessed 2022
Bellare M, Garay JA, Rabin T (1998) Fast batch verification for modular exponentiation and digital signatures. In: Nyberg K (ed) EUROCRYPT’98, Springer, Heidelberg, LNCS, vol 1403, pp 236–250
Blazy O, Kiltz E, Pan J (2014) (Hierarchical) identity-based encryption from affine message authentication. In: Garay JA, Gennaro R (eds) CRYPTO 2014, Part I, Springer, Heidelberg, LNCS, vol 8616, pp 408–425, https://doi.org/10.1007/978-3-662-44371-2_23
Blazy O, Conchon E, Germouty P, Jambert A (2017) Efficient id-based designated verifier signature. In: Proceedings of the 12th International Conference on availability, reliability and security, Reggio Calabria, Italy, August 29 - September 01, 2017, ACM, pp 44:1–44:8, https://doi.org/10.1145/3098954.3103157
Blazy O, Germouty P, Phan DH (2019) Downgradable identity-based encryption and applications. In: Topics in cryptology–CT-RSA 2019–the Cryptographers’ Track at the RSA Conference 2019, San Francisco, CA, USA, March 4–8, 2019, Proceedings, pp 44–61, https://doi.org/10.1007/978-3-030-12612-4_3
Chaum D, Van Antwerpen H (1989) Undeniable signatures. In: Conference on the theory and application of cryptology. Part of the Lecture Notes in Computer Science book series (LNCS), vol 435. Springer, pp 212–216
Cui Y, Fujisaki E, Hanaoka G, Imai H, Zhang R (2007) Formal security treatments for signatures from identity-based encryption. In: Susilo W, Liu JK, Mu Y (eds) ProvSec 2007, Springer, Heidelberg, LNCS, vol 4784, pp 218–227
Escala A, Herold G, Kiltz E, Ràfols C, Villar J (2013) An algebraic framework for Diffie–Hellman assumptions. In: Canetti R, Garay JA (eds) CRYPTO 2013, Part II, Springer, Heidelberg, LNCS, vol 8043, pp 129–147, https://doi.org/10.1007/978-3-642-40084-1_8
Fan CI, Wu CN, Chen WK, Sun WZ (2012) Attribute-based strong designated-verifier signature scheme. J Systems and Software 85:944–959
Ferrara AL, Green M, Hohenberger S, Pedersen MØ (2009) Practical short signature batch verification. In: Fischlin M (ed) CT-RSA 2009, Springer, Heidelberg, LNCS, vol 5473, pp 309–324
Fiat A (1990) Batch RSA. In: Brassard G (ed) CRYPTO’89, Springer, Heidelberg, LNCS, vol 435, pp 175–185
Goldwasser S, Micali S, Rivest RL (1988) A digital signature scheme secure against adaptive chosen-message attacks. SIAM J Comput 17(2):281–308
Huang X, Susilo W, Mu Y, Wu W (2008) Secure universal designated verifier signature without random oracles. Int J Inf Sec 7(3):171–183. https://doi.org/10.1007/s10207-007-0021-2
Jakobsson M, Sako K, Impagliazzo R (1996) Designated verifier proofs and their applications. In: Maurer UM (ed) EUROCRYPT’96, Springer, Heidelberg, LNCS, vol 1070, pp 143–154
Katsumata S, Nishimaki R, Yamada S, Yamakawa T (2020) Compact NIZKs from standard assumptions on bilinear maps. In: Canteaut A, Ishai Y (eds) Advances in Cryptology—EUROCRYPT 2020 - 39th Annual International Conference on the theory and applications of cryptographic techniques, Zagreb, Croatia, May 10–14, 2020, Proceedings, Part III, Springer, Lecture Notes in Computer Science, vol 12107, pp 379–409, https://doi.org/10.1007/978-3-030-45727-3_13
Laguillaumie F, Vergnaud D (2004) Designated verifier signatures: Anonymity and efficient construction from any bilinear map. In: Blundo C, Cimato S (eds) Security in Communication Networks, 4th International Conference, SCN 2004, Amalfi, Italy, September 8–10, 2004, Revised Selected Papers, Springer, Lecture Notes in Computer Science, vol 3352, pp 105–119, https://doi.org/10.1007/978-3-540-30598-9_8
Laguillaumie F, Libert B, Quisquater J (2006) Universal designated verifier signatures without random oracles or non-black box assumptions. In: Prisco RD, Yung M (eds) Security and Cryptography for Networks, 5th International Conference, SCN 2006, Maiori, Italy, September 6–8, 2006, Proceedings, Springer, Lecture Notes in Computer Science, vol 4116, pp 63–77, https://doi.org/10.1007/11832072_5
Maji HK, Prabhakaran M, Rosulek M (2011) Attribute-based signatures. In: Kiayias A (ed) CT-RSA 2011, Springer, Heidelberg, LNCS, vol 6558, pp 376–392
Sahai A, Waters BR (2005) Fuzzy identity-based encryption. In: Cramer R (ed) EUROCRYPT 2005, Springer, Heidelberg, LNCS, vol 3494, pp 457–473
Steinfeld R, Bull L, Wang H, Pieprzyk J (2003) Universal designated-verifier signatures. In: Laih CS (ed) ASIACRYPT 2003, Springer, Heidelberg, LNCS, vol 2894, pp 523–542, https://doi.org/10.1007/978-3-540-40061-5_33
Susilo W, Zhang F, Mu Y (2004) Identity-based strong designated verifier signature schemes. In: Australasian Conference on information security and privacy. Part of the Lecture Notes in Computer Science book series (LNCS), vol 3108. Springer, pp 313–324
Appendices
Digital signature
Definition 7
A signature scheme is composed of four algorithms:
- \(\textsf {Setup}({\mathfrak {K}})\): generates the global parameters of the system \(\textsf {param}\).
- \(\textsf {KeyGen}( \textsf {param})\): outputs a key pair \((\textsf {sk},\textsf {pk})\) where \(\textsf {sk}\) is the (secret) signing key and \(\textsf {pk}\) the (public) verification key.
- \(\textsf {Sign}(\textsf {sk},m;\mu )\): outputs a signature \(\sigma\) on the message m under \(\textsf {sk}\), using randomness \(\mu\).
- \(\textsf {Verify}(\textsf {vk},m,\sigma )\): checks the validity of the signature \(\sigma\) with \(\textsf {vk}\).
A digital signature scheme has to satisfy two security properties: correctness and existential unforgeability under chosen message attacks \((\mathsf {EUF-CMA})\).
- Correctness: for every pair \((\textsf {sk},\textsf {pk})\leftarrow \textsf {KeyGen}( \textsf {param})\), for every message \(m\in {\mathcal {M}}\) and for all randomness \(\mu\), we have \(\textsf {Verify}(\textsf {vk},m, \textsf {Sign}(\textsf {sk},m;\mu ))=1\).
- Existential unforgeability under chosen message attacks (Goldwasser et al. 1988): even after querying n valid signatures on chosen messages \((m_i)\), \({\mathcal {A}}\) should not be able to output a valid signature on a fresh message m. We define a signing oracle: \(\textsf {OSign}(\textsf {vk},m)\) outputs a signature on m valid under the verification key \(\textsf {vk}\). The requested message is added to the set of signed messages \({{\mathcal {S}}}{{\mathcal {M}}}\). The probability of success against the game given in Fig. 7 is denoted by
$$\begin{aligned} {\mathsf {Succ}^{ \textsf {euf}}_{{\mathcal {S}},{\mathcal {A}}}({\mathfrak {K}}) = \Pr \left[ \mathsf {Exp}_{{\mathcal {S}},{\mathcal {A}}}^{ \textsf {euf}}({\mathfrak {K}}) = 1\right] ,} {\mathsf {Succ}^{ \textsf {euf}}_{{\mathcal {S}}}({\mathfrak {K}},t) = \max \limits _{{\mathcal {A}} \le t} \mathsf {Succ}^{ \textsf {euf}}_{{\mathcal {S}},{\mathcal {A}}}({\mathfrak {K}}).} \end{aligned}$$
Designated verifier signature: security properties
A \(\mathsf {DVS}\) has to satisfy the following security properties:
- Unforgeability, as for any regular signature: even after querying n valid signatures on chosen messages, an adversary should not be able to output a valid signature on a fresh message.
- DV-unforgeability: only the signer or the designated verifier should be able to generate a verifiable message-signature pair \((m,{\hat{\sigma }})\). The security experiment is presented in Fig. 8. We denote by \(\textsf {KGS}\) the key generation for signing and by \(\textsf {KGV}\) the key generation for verification. In Fig. 8, we use the two oracles described below.
  - \(\textsf {OSign}(\textsf {pk}_1,m)\): outputs a signature \(\sigma\) on the message m and adds m to the set of signed messages \({{\mathcal {S}}}{{\mathcal {M}}}\).
  - \(\textsf {OVerify}(\textsf {pk}_2,m,{\hat{\sigma }})\): checks the validity of the designated signature \({\hat{\sigma }}\).
- Non-transferability: an adversary should not be able to convince a third party of the validity (or invalidity) of a designated signature. An adversary \({\mathcal {A}}\) must have at best a negligible advantage in distinguishing the following two distributions:
$$\begin{aligned} \Delta _0=\left\{ (m,{\hat{\sigma }}) \;\middle|\; \begin{array}{l} \left( \textsf {sk}_1,\textsf {pk}_1\right) \leftarrow \textsf {KGS}( \textsf {param})\\ \left( \textsf {sk}_2,\textsf {pk}_2\right) \leftarrow \textsf {KGV}( \textsf {param})\\ {\hat{\sigma }}= \textsf {Des}\left( \textsf {pk}_1,\textsf {pk}_2,m, \textsf {Sign}\left( \textsf {sk}_1,m\right) \right) \end{array} \right\} \\ \Delta _1=\left\{ \left( m,{\hat{\sigma }}\right) \;\middle|\; \begin{array}{l} \left( \textsf {sk}_1,\textsf {pk}_1\right) \leftarrow \textsf {KGS}( \textsf {param})\\ \left( \textsf {sk}_2,\textsf {pk}_2\right) \leftarrow \textsf {KGV}( \textsf {param})\\ {\hat{\sigma }}\leftarrow {\mathcal {S}}\end{array} \right\} \end{aligned}$$
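As an added illustration of the DV-unforgeability and non-transferability properties above (example code written for this page, not the paper's generic construction nor its instantiation), here is a minimal strong DVS built from a non-interactive Diffie–Hellman key and an HMAC: signer and designated verifier derive the same key, so the verifier can itself play the simulator \({\mathcal {S}}\) of \(\Delta _1\), while a third party holding only the public keys cannot check the signature. Sign and Des are folded into a single step, the group parameters are a constructed toy, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (illustration only, far too small for real use):
# p = 2^127 - 1 is a Mersenne prime and g = 3 is used as the base.
P = 2**127 - 1
G = 3

def keygen():
    """KGS and KGV alike: pick sk in [1, p-2] and publish pk = g^sk mod p."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def shared_key(my_sk, their_pk):
    """Non-interactive DH key K known only to the signer and the designated verifier."""
    return hashlib.sha256(pow(their_pk, my_sk, P).to_bytes(16, "big")).digest()

def des_sign(sk1, pk2, m):
    """Signer: designated signature on m for the verifier owning pk2 (Sign and Des in one step)."""
    return hmac.new(shared_key(sk1, pk2), m, hashlib.sha256).digest()

def dv_verify(sk2, pk1, m, sig):
    """Designated verifier: needs sk2, so a third party holding only pk1 and pk2 cannot run it."""
    expected = hmac.new(shared_key(sk2, pk1), m, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def simulate(sk2, pk1, m):
    """Simulator S of Delta_1: the verifier alone produces a pair (m, sig) that dv_verify accepts."""
    return hmac.new(shared_key(sk2, pk1), m, hashlib.sha256).digest()

def non_transferability_check(m=b"constructed sample message"):
    """Samples one element of Delta_0 and one of Delta_1 under the same keys and compares them."""
    sk1, pk1 = keygen()  # signer
    sk2, pk2 = keygen()  # designated verifier
    sk3, pk3 = keygen()  # unrelated third party, never designated
    real = des_sign(sk1, pk2, m)
    simulated = simulate(sk2, pk1, m)
    return {
        "verifier_accepts_real": dv_verify(sk2, pk1, m, real),
        "verifier_accepts_simulated": dv_verify(sk2, pk1, m, simulated),
        "delta0_equals_delta1": real == simulated,  # identical here: perfect non-transferability
        "tampered_rejected": not dv_verify(sk2, pk1, m + b"!", real),
        "third_party_rejects": not dv_verify(sk3, pk1, m, real),  # sk3 does not share K
    }
```

Because the simulated and real designated signatures are byte-identical, even a verifier who later reveals \(\textsf {sk}_2\) cannot convince anyone that a given pair came from the signer rather than from himself.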
Downgradable IBE
We present in Fig. 9 the \(\textsf {DIBE}\) used in our protocol.
Theorem 4
Under the \({\mathcal {D}}_k\)-\(\textsf {MDDH}\) assumption, the \(\textsf {DIBE}\) is \(\mathsf {PR\text{- }ID\text{- }CPA}\) secure. For all adversaries \({\mathcal {A}}\), there exists an adversary \({\mathcal {B}}\) with \(\mathsf {TIME}({\mathcal {A}})\approx \mathsf {TIME}({\mathcal {B}})\) and (Footnote 3)
Cite this article
Blazy, O., Brouilhet, L., Conchon, E. et al. Anonymous attribute-based designated verifier signature. J Ambient Intell Human Comput 14, 1–11 (2023). https://doi.org/10.1007/s12652-022-03827-8