PublicKey Cryptography – PKC 2016 pp 283300  Cite as
AttributeBased Signatures for Circuits from Bilinear Map
 14 Citations
 1.3k Downloads
Abstract
In attributebased signatures, each signer receives a signing key from the authority, which is associated with the signer’s attribute, and using the signing key, the signer can issue a signature on any message under a predicate, if his attribute satisfies the predicate. One of the ultimate goals in this area is to support a wide class of predicates, such as the class of arbitrary circuits, with practical efficiency from a simple assumption, since these three aspects determine the usefulness of the scheme. We present an attributebased signature scheme which allows us to use an arbitrary circuit as the predicate with practical efficiency from the symmetric external DiffieHellman assumption. We achieve this by combining the efficiency of GrothSahai proofs, which allow us to prove algebraic equations efficiently, and the expressiveness of GrothOstrovskySahai proofs, which allow us to prove any NP relation via circuit satisfiability.
Keywords
Attributebased signatures GrothSahai proofs GrothOstrovskySahai proofs1 Introduction
1.1 AttributeBased Signatures
In an ordinary digital signature scheme, a signer has a signing key and publicizes its corresponding verification key. The verification is performed with respect to such a public key, and hence during the verification process, those who made the signature is uniquely determined. In other words, digital signatures provide nothing for privacy or anonymity requirements.
The concept of attributebased signatures is introduced by Maji, Prabhakaran, and Rosulek [21], in order to relax this firm correspondence between a signer and a signature. In an attributebased signature scheme, there is an attribute authority, and each signer receives from the authority a signing key associated with his attribute. Once a signer receives a signing key, he is able to issue a signature on any message, under a predicate satisfied by his attribute. The signature is anonymous, that is, the signature tells a verifier that the party who generates the signature has an attribute satisfying the predicate, but further information on the signer’s identity or attribute is completely hidden from the verifier.
One of the active lines of research on attributebased signatures is to support a larger class of predicates with practical efficiency. The stateoftheart results along this line is the scheme by Okamoto and Takashima for nonmonotone span programs from bilinear groups [24] and the scheme by Tang, Li, and Liang for any circuits from multilinear maps [27]. The ultimate goal in this line is achieving a large class of predicate, such as the class of arbitrary circuits, while keeping the scheme practically efficient and relying on a simple assumption, since these three aspects determine the usefulness of the scheme in practice. However, neither of above two schemes and in fact neither of any existing scheme does not achieve this ultimate goal.
Bellare and Fuchsbauer proposed a versatile cryptographic primitive called policybased signatures [2]. They showed a generic construction of an attributebased signature scheme from a policybased signature scheme. There are two ways of instantiating their generic construction. Namely, the one is an instantiation with NIZK for general NP languages such as the GrothOstrovskySahai proof system [13], and the other is an instantiation with NIZK for specific algebraic equations such as the GrothSahai proof system [14]. Although the authors of [2] did not explicitly mention (they only dealt with monotone predicates), the former may be extended to support the class of arbitrary circuits. However, it suffers from a large overhead of the signature size due to a Karp reduction to an NPcomplete problem. The latter can be instantiated efficiently, but the supported class is restricted to conjunctions and disjunctions of pairingproduct equations.
In summary, it still remains open whether it is possible to construct an attributebased signature scheme that supports circuit predicates with practical efficiency from simple assumptions.
1.2 Efficient Noninteractive ZeroKnowledge
In this section we review noninteractive zeroknowledge (NIZK) proofs, which can be useful building blocks for constructing attributebased signatures.
NIZK proofs allow us to prove that a secret information satisfies a public condition without revealing the secret beyond the truth of the condition. This primitive is extremely useful and widely studied in the area of cryptography. It has been an important research topic to expand the class of the predicate that proof systems support, as well as to improve the efficiency of proof systems.
Recent developments in zeroknowledge proofs include the proof system by Groth, Ostrovsky, and Sahai [13] and the one by Groth and Sahai [14]. The former can prove any NP relation via circuit satisfiability, but it suffers from large overhead due to a Karp reduction. The latter is very efficient, but the class of the relation is restricted to algebraic equations, and hence it cannot treat arbitrary NP relation in general.
A natural question is whether it is possible to construct a proof system which is as expressive as the GrothOstrovskySahai proof system, and is at the same time as efficient as the GrothSahai proof system. In this paper, we investigate a case study of a fusion of GrothOstrovskySahai and GrothSahai proofs in case of attributebased signatures, and show that by this idea, we can construct a practical attributebased signature for circuits from bilinear maps.
1.3 Our Contribution
In this paper, we present an attributebased signature scheme for arbitrary circuits of unbounded size and depth with practical efficiency, from a simple assumption over bilinear groups. Our attributebased signature scheme satisfies perfect privacy and adaptive unforgeability. The scheme is based on a witness indistinguishable and extractable noninteractive proof system and an existentially unforgeable signature scheme. All the building blocks can be instantiated solely from the symmetric external DiffieHellman (SXDH) assumption [14, 16], and thus we can obtain a perfectly private and adaptively unforgeable scheme from the same assumption.
Our scheme is fairly practical. The signature size grows as around one kilobyte per each gate, which is comparable to the existing schemes such as the schemes by Maji et al. [21] and the scheme by Okamoto and Takashima [24]. We note that Maji et al.’s schemes and the OkamotoTakashima scheme are less expressive than ours, namely, Maji et al.’s schemes support monotone span programs, while the OkamotoTakashima scheme supports nonmonotone span programs. In addition, our scheme drastically improves efficiency when we compare it with related schemes of Bellare and Fuchsbauer [2] and Tang, Li, and Liang [27]. As stated above, the former scheme is a generic construction of attributebased signatures from policybased signatures and the latter scheme is an attributebased signature scheme for circuits from multilinear maps.
It would be interesting to note the contrast between our scheme and its encryption counterparts, namely, the attributebased encryption schemes for circuits [9, 11, 12]. We highlight that our scheme only requires a simple and popular bilinear map assumption, namely the SXDH assumption to prove its security, whereas the encryption counterparts require powerful lattice assumptions or multilinear maps. This is reminiscent of the fact that an identitybased signature scheme can be constructed only from a standard digital signature scheme [3, 17, 22], while identitybased encryption requires a very strong assumption [5].
1.4 Technique
The basic idea behind our construction is simple: to sign anonymously, a signer receives a signature on his attribute from the authority, and proves the knowledge of this signature together with a proof that shows the signed attribute satisfies a public circuit. The signature that the signer receives works as a certificate, which certifies the signer having the attribute, and forbids the third party from signing in the name of his attribute.
To implement this idea, we need to overcome two difficulties. The first difficulty is (1) simultaneously and efficiently proving circuit satisfiability of the attribute and the validity of the certificate on that attribute. The other difficulty is (2) binding the proof from the first part to a message to be signed. In the following we give more detailed explanations on these difficulties and our idea for overcoming them.
(1) Proving Circuit Satisfiability and Certificate Validity. The first difficulty is expressing circuit satisfiability of an attribute in zeroknowledge, while keeping the entire proof system efficient. We need to prove not only circuit satisfiability of an attribute, but also validity of a certificate. The GrothOstrovskySahai proof system enables us to prove circuit satisfiability, but its direct use does not allow us to prove the validity of the certificate efficiently, since, if we were to use the GrothOstrovskySahai proof system, we must represent validity of a certificate in a circuit via a Karp reduction, which is highly inefficient.
Nevertheless, our starting point is still the technique of Groth, Ostrovsky, and Sahai [13]. In this technique, to prove circuit satisfiability, the prover first computes commitments to assignments to each wire, and then proves that for each gate the incoming wires u and v and the outgoing wire w satisfy the NAND relation \(\lnot (u \wedge v) = w\).
We instantiate this idea with GrothSahai proofs. We need GrothSahai proofs, rather than a simple adoption of the GrothOstrovskySahai proof system because we need to handle not only Boolean relations (for the NAND gates as above), but also algebraic equations at the same time. The need for algebraic equations comes from the necessity to certifying attributes. As stated above, the authority signs on attributes to certify that each signer can sign in the name of his attribute. Hence we need to prove the validity of the certificate, and for this purpose we employ GrothSahai proofs, together with structurepreserving signatures [1].
Therefore, we need to translate the idea of the GrothOstrovskySahai proof system into the GrothSahai proof system. Namely, we need to translate the NAND relation \(\lnot (u \wedge v) = w\) into a bilinear equation, which is what the GrothSahai proofs can prove. We do this by arithmetizing the relation. That is, let u and v be the assignments to incoming wires then w be the assignment to the outgoing wire, and the prover proves the equation \(1  u \cdot v = w\) to prove the NAND relation.
(2) Binding the Proof to a Message. The other difficulty is binding the proof to a single message in order to resist chosenmessage attacks. Although we want to prove knowledge of certificates to sign anonymously, this dose not suffice for resisting chosenmessage attacks. This is because the proof is not bound to the message, and hence the adversary can reuse the signature (the proof) on some message to a signature on another message.
To overcome this difficulty, we introduce an ORproof technique, following Maji et al. [21]. In this technique, the signer proves the knowledge of the certificate or a signature on a dummy attribute, which is an extra attribute unused in the real protocol, and differs message by message.
The point is that different messages have different dummy attributes. To be more specific, an (attributebased) signature on message M proves the knowledge of a signature on some attribute or a signature on a dummy attribute x, while a signature on a different message \(M^{*}\) proves the knowledge of a signature on an attribute or a signature on another dummy attribute \(x^{*}\). By this means, if an adversary sees a signature on M and forges a signature on \(M^{*}\), then a reduction extracts a witness from the forgery and obtains a signature on \(x^{*}\) of the underlying signature scheme. With this \(x^{*}\) the reduction reduces the forgery for the attributebased signature scheme to a forgery for the underlying signature scheme.
1.5 Related Work
Maji et al. [20, 21] introduced the notion of attributebased signatures, and presented three constructions which have perfect privacy and adaptive unforgeability. The first two schemes combine a digital signature scheme and GrothSahai proofs. These two schemes are instantiated respectively with the BonehBoyen signature scheme [4] and with the Waters signature scheme [29]. The third construction is proven secure in the generic group model. Following Maji et al.’s results, Li and Kim [19], Siamak and SafaviNaini [26], and Li et al. [18] presented attributebased signature schemes, which are proven secure only in the selective model of unforgeability. Another drawback of these schemes is relatively narrow class of the supported predicates. Namely Li and Kim’s scheme [19] only supports conjunction predicates, while Siamak and SafaviNaini’s scheme [26] and Li et al.’s scheme [18] support threshold predicates. Escala, Herranz, and Morillo presented an attributebased signature with adaptive unforgeability [8]. Okamoto and Takashima presented an attributebased signature scheme which is adaptively unforgeable and supports nonmonotone span programs as predicates [24]. Recently, Herranz et al. [15], followed by Chen et al. [6], presented attributebased signature schemes with constantsize signatures for threshold predicates. The former has selective unforgeability while the latter has adaptive unforgeability. Wang and Chen [28] presented an attributebased signature scheme from a lattice assumption with selective unforgeability. Tang, Li, and Liang [27] presented an attributebased signature scheme for boundeddepth circuits from multilinear maps. Most recently, Mridul and Pandit presented various attributebased signature schemes such as for Boolean formulas or for regular languages from qtype assumptions [23].
Escala, Herranz, and Morillo presented a traceable attributebased signature scheme (under the name of “revocable” attributebased signatures) [8], which allows a trusted authority to identify who made a signatures. Okamoto and Takashima presented a decentralized attributebased signature scheme [25], which removes the necessity of any trusted setup in the system. Following these works, El Kaafarani, Ghadafi, and Khader presented a decentralized traceable attributebased signature scheme [7]. Ghadafi revisited the security notion of decentralized traceable attributebased signatures, and introduced, among other things, a new security notion of nonframeability [10].
As for attributebased encryption for circuits, Gorbunov, Vaikuntanathan, and Wee [11] presented the first attributebased encryption scheme for circuits. After that, Garg et al. [9] presented an attributebased encryption scheme for circuits from multilinear maps. Recently, Gorbunov, Vaikuntanathan, and Wee presented a predicate encryption scheme for circuits from a class of learningwitherrors assumptions [12].
2 Preliminary
We say that a function \(f :\mathbb {N} \rightarrow \mathbb {R}\) is negligible if for all \(c\in \mathbb {N}\) there exists \(x_{0} \in \mathbb {N}\) such that \(f(x) \le x^{c}\) for all \(x \ge x_{0}\).
Representation of Circuit. Here we explain notation for circuits, especially how we identify a circuit. Let C be a circuit with Lbit input and N gates. We assume C is entirely represented by NAND gates. We distinguish the input wires, the internal wires, and the output wire by indices 1, \(\ldots \), L, \(L+1\), \(\ldots \), \(L+N\), where 1, \(\ldots \), L are the input wires, \(L+1\), \(\ldots \), \(L+N1\) are the internal wires, and \(L+N\) is the output wire. The topology of the circuit is specified by two functions \(I_{1}\), \(I_{2} :\{ L+1, \ldots , L+N \} \rightarrow \{ 1, \ldots , L+N1 \}\). They map a noninput wire to its first and second incoming wires in which these three wires are connected by a NAND gate. We require that \(I_{1}(i) < i\) and \(I_{2}(i) < i\).
Bilinear Groups. Let \(\mathcal {G}\) be a probabilistic polynomialtime algorithm that on input \(1^{k}\) outputs a group description \(\mathsf {gk}= (p, \mathbb {G}_{1}, \mathbb {G}_{2}, \mathbb {G}_{T}, e, g, \tilde{g})\) where p is a prime, \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\) are multiplicative groups generated by g and \(\tilde{g}\), respectively, \(\mathbb {G}_{T}\) is a multiplicative group of order p, and \(e :\mathbb {G}_{1} \times \mathbb {G}_{2} \rightarrow \mathbb {G}_{T}\) is a nondegenerate efficiently computable bilinear map.
GrothSahai and GrothOstrovskySahai Proofs. A noninteractive proof system for the NP relation \(R \subset \{0,1\}^{*} \times \{0,1\}^{*}\) is defined by following three algorithms \((\mathsf {WISetup},\mathsf {WIProve},\mathsf {WIVerify})\): the setup algorithm \(\mathsf {WISetup}\) takes as input the security parameter \(1^{k}\) and outputs a common reference string \(\mathsf {crs}\); the proof algorithm takes as input the common reference string \(\mathsf {crs}\), a statement x, and a witness w, and outputs a proof \(\pi \); the verification algorithm \(\mathsf {WIVerify}\) takes as input the common reference string \(\mathsf {crs}\), the statement x, and the proof \(\pi \), and outputs 1 or 0 which indicate validity of the proof. As a correctness condition, we require that for all \(k \in \mathbb {N}\), \((x,w) \in R\), and \(\mathsf {crs}\leftarrow \mathsf {WISetup}(1^{k})\), it holds that \(\mathsf {WIVerify}(\mathsf {crs},x,\mathsf {WIProve}(\mathsf {crs},x,w)) = 1\).
GrothOstrovskySahai proofs are the proof system which can prove satisfiability of a circuit which solely consists of NAND gates. The proof algorithm proceeds with a similar way to the GrothSahai proofs. Namely, the prover first computes commitments to the assignments to the wires, and then proves each triple (u, v, w) of wires connected by a NAND gate satisfies the NAND relation \(\lnot (u \wedge v) = w\). See [13] for further detail.
StructurePreserving Signatures. A signature scheme consists of the following three algorithms \((\mathsf {Kg},\mathsf {Sign},\mathsf {Verify})\): the key generation algorithm takes as input a security parameter \(1^{k}\) and outputs a pair \((\mathsf {vk},\mathsf {sk})\) of the verification key and the signing key; the signing algorithm \(\mathsf {Sign}\) takes as input the signing key \(\mathsf {sk}\) and a message m and outputs a signature \(\theta \); the verification algorithm \(\mathsf {Verify}\) takes as input the verification key \(\mathsf {vk}\), the message m, and the signature \(\theta \), and outputs 1 or 0 indicating validity of the signature. As the correctness condition, it is required to hold that for all \(k \in \mathbb {N}\), \((\mathsf {vk},\mathsf {sk}) \leftarrow \mathsf {Kg}(1^{k})\), and \(m \in \{0,1\}^{*}\), it \(\mathsf {Verify}(\mathsf {vk}, m, \mathsf {Sign}(\mathsf {sk},m)) = 1\).
A signature scheme \((\mathsf {Kg},\mathsf {Sign},\mathsf {Verify})\) is said to be existentially unforgeable, if the probability \( \Pr [ (\mathsf {vk},\mathsf {sk}) \leftarrow \mathsf {Kg}(1^{k}); (m^{*},\theta ^{*}) \leftarrow {\mathcal {A}}^{\mathsf {Sign}(\mathsf {sk},{\cdot })}(\mathsf {vk}) : \mathsf {Verify}(\mathsf {vk},m^{*},\theta ^{*}) = 1 \wedge \text {m}^{*}\text { is not queried} ]\) is negligible for all probabilistic polynomialtime adversaries \(\mathcal {A}\).

\(\mathsf {Kg}(\mathsf {gk},1^{L})\) . Given a description \(\mathsf {gk}= (p, \mathbb {G}_{1}, \mathbb {G}_{2}, \mathbb {G}_{T}, e, g, \tilde{g})\) of bilinear groups and a message length L, choose a, \(b \leftarrow \mathbb {Z}_{p}\), \(K \leftarrow \mathbb {Z}_{p}{}^{(L+1) \times 2}\), let \(A = (1 \vert a)^{\top } \in \mathbb {Z}_{p}{}^{2 \times 1}\), \(B = (1 \vert b)^{\top } \in \mathbb {Z}_{p}{}^{2 \times 1}\), choose \(K_{0}\), \(K_{1} \leftarrow \mathbb {Z}_{p}{}^{2 \times 2}\), let \(C \leftarrow KA\), \(C_{0} \leftarrow K_{0} A\), \(C_{1} \leftarrow K_{1} A\), \(P_{0} \leftarrow B^{\top } K_{0}\), \(P_{1} \leftarrow B^{\top } K_{1}\). Let \(\mathsf {vk}_{\mathsf {Sign}} \leftarrow ([C_{0}]_{2}, [C_{1}]_{2}, [C]_{2}, [A]_{2})\) and \(\mathsf {sk}_{\mathsf {Sign}} \leftarrow (\mathsf {vk}_{\mathsf {Sign}},K,[P_{0}]_{1},[P_{1}]_{1},[B]_{1})\), and output \((\mathsf {vk}_{\mathsf {Sign}},\mathsf {sk}_{\mathsf {Sign}})\).
 \(\mathsf {Sign}(\mathsf {sk}_{\mathsf {Sign}},[\varvec{m} ]_{1})\) . Given a signing key \(\mathsf {sk}_{\mathsf {Sign}} \leftarrow (\mathsf {vk}_{\mathsf {Sign}},K,[P_{0}]_{1},[P_{1}]_{1},[B]_{1})\) and a message \([\varvec{m}]_{1} \in \mathbb {G}_{1}{}^{L}\), choose \(\varvec{r} \leftarrow \mathbb {Z}_{p}{}^{2}\) and \(\tau \leftarrow \mathbb {Z}_{p}\), computeLet \(\theta \leftarrow (\theta _{1},\theta _{2},\theta _{3},\theta _{4})\) and output \(\theta \).$$\begin{aligned} \theta _{1}&\leftarrow [(1 \vert \varvec{m}^{\top }) K + \varvec{r}^{\top } (P_{0} + \tau P_{1})]_{1} \in \mathbb {G}_{1}{}^{1 \times 2}, \\ \theta _{2}&\leftarrow [ \varvec{r}^{\top } B^{\top }]_{1} \in \mathbb {G}_{1}{}^{1 \times 2}, \\ \theta _{3}&\leftarrow [ \varvec{r}^{\top } B^{\top } \tau ]_{1} \in \mathbb {G}_{1}{}^{1 \times 2}, \\ \theta _{4}&\leftarrow [\tau ]_{2} \in \mathbb {G}_{2}. \end{aligned}$$
 \(\mathsf {Verify}(\mathsf {vk}_{\mathsf {Sign}},\theta )\) . Given the verification key \(\mathsf {vk}_{\mathsf {Sign}} = ([C_{0}]_{2}, [C_{1}]_{2}, [C]_{2}, [A]_{2})\), a message \([\varvec{m}]_{1} \in \mathbb {G}_{1}{}^{L}\), and a signature \(\theta = (\theta _{1},\theta _{2},\theta _{3},\theta _{4})\), checkIf they hold, output 1. Otherwise output 0.$$\begin{aligned} e(\theta _{1}, [A]_{2})&= e([(1 \vert \varvec{m})]_{1}, [C]_{2}) e(\theta _{2}, [C_{0}]_{2}) e(\theta _{3}, [C_{1}]_{2}), \\ e(\theta _{2}, \theta _{4})&= e(\theta _{3}, [1]_{2}). \end{aligned}$$

\(\mathsf {AttrSetup}(1^{k},1^{\ell }) \rightarrow (\mathsf {pp},\mathsf {msk})\) . The setup algorithm takes as input the security parameter \(1^{k}\) and the length \(\ell \) of attributes, and outputs the public parameter \(\mathsf {pp}\) and the master secret key \(\mathsf {msk}\).

\(\mathsf {AttrGen}(\mathsf {pp},\mathsf {msk},x) \rightarrow \mathsf {sk}_{x}\) . The signing key generation algorithm takes as input the public parameter \(\mathsf {pp}\), the master secret key \(\mathsf {msk}\), and the attribute x, and outputs the signing key \(\mathsf {sk}_{x}\) for x.

\(\mathsf {AttrSign}(\mathsf {pp},\mathsf {sk}_{x},M,C) \rightarrow \sigma \) . The signing algorithm takes as input the public parameter \(\mathsf {pp}\), the signing key \(\mathsf {sk}_{x}\), the message M, and the circuit C, and outputs the signature \(\sigma \).

\(\mathsf {AttrVerify}(\mathsf {pp},M,C,\sigma ) \rightarrow 1/0\) . The verification algorithm takes as input the public parameter \(\mathsf {pp}\), the message M, the circuit C, and the signature \(\sigma \), and outputs 1 or 0 indicating the validity of the signature.
As the correctness condition, it is required to satisfy that for all k, \(\ell \in \mathbb {N}\), \((\mathsf {pp},\mathsf {msk}) \leftarrow \mathsf {AttrSetup}(1^{k},1^{\ell })\), \(x \in \{0,1\}^{\ell }\), \(\mathsf {sk}_{x} \leftarrow \mathsf {AttrGen}(\mathsf {pp},\mathsf {msk},x)\), \(M \in \{0,1\}^{*}\), and C such that \(C(x) = 1\), it holds that \(\mathsf {AttrVerify}(\mathsf {pp},M,C,\mathsf {AttrSign}(\mathsf {pp},\mathsf {sk}_{x},M,C)) = 1\).
We define two security notions for attributebased signatures. The first notion is privacy, which requires the signature to not leak any information on the signer’s identity and attribute beyond the fact that the attribute satisfies the predicate. The other notion is unforgeability, which requires any collusion of signers is unable to forge a new signature with a predicate which is not satisfied by any attribute in the collusion even if they see signatures on messages of their choice.
Definition 1
An attributebased signature scheme is perfectly private, if for all k, \(\ell \in \mathbb {N}\), \((\mathsf {pp},\mathsf {msk}) \leftarrow \mathsf {AttrSetup}(1^{k},1^{\ell })\), \(x_{0}\), \(x_{1} \in \{0,1\}^{\ell }\), C such that \(C(x_{0}) = C(x_{1}) = 1\), \(\mathsf {sk}_{0} \leftarrow \mathsf {AttrGen}(\mathsf {pp},\mathsf {msk},x_{0})\), \(\mathsf {sk}_{1} \leftarrow \mathsf {AttrGen}(\mathsf {pp},\mathsf {msk},x_{1})\), and \(M \in \{0,1\}^{*}\), the distribution \(\mathsf {AttrSign}(\mathsf {pp},\mathsf {sk}_{0},M,C)\) and \(\mathsf {AttrSign}(\mathsf {pp},\mathsf {sk}_{1},M,C)\) distributes identically.
Definition 2
 1.
The experiment sets up a public parameter and a master secret key as \((\mathsf {pp},\mathsf {msk}) \leftarrow \mathsf {AttrSetup}(1^{k},1^{\ell })\). Then the experiment sends the adversary \(\mathsf {pp}\).
 2.
The adversary is allowed to access the key reveal oracle and the signing oracle: the former, given a query x, returns \(\mathsf {sk}_{x} \leftarrow \mathsf {AttrGen}(\mathsf {pp},\mathsf {msk},x)\); the latter, given a query (M, C), returns \(\sigma \leftarrow \mathsf {AttrSign}(\mathsf {pp},\mathsf {sk},M,C)\) with arbitrary \(\mathsf {sk}\leftarrow \mathsf {AttrGen}(\mathsf {pp},\mathsf {msk},x)\) such that \(C(x) = 1\).
 3.
The adversary halts with output \((M^{*},C^{*},\sigma ^{*})\).
 4.
The adversary wins if the following three conditions hold: (i) \(\mathsf {AttrVerify}(\mathsf {pp},M^{*},C^{*},\sigma ^{*}) = 1\), (ii) the adversary did not query x such that \(C^{*}(x) = 1\), and (iii) the adversary did not query \((M^{*},C^{*})\) to the signing oracle.
3 AttributeBased Signatures for Circuits
In this section we present our attributebased signature scheme. We assume the input length \(\ell \) is longer than or equal to the output length \(\ell _{\mathcal {H}}\) of the hash function, i.e., \(\ell \ge \ell _{\mathcal {H}}\). If it does not, we can simply think of a circuit that ignores the extra inputs.
Before presenting the concrete scheme, we explain an overview of the scheme.
As stated in the introduction, the basic idea is that the authority issues a signature (a certificate) on an attribute to certify that the corresponding signer is allowed to sign in the name of his attribute. This corresponds to the \(\mathsf {AttrGen}\) algorithm, which computes a structurepreserving signature on the given attribute.
To sign anonymously, the signer proves the knowledge of the certificate received from the authority, as well as proves that the certified attribute satisfies the public circuit. To do this, the signer computes commitments to all the assignments to each wire. Then for each triple (u, v, w) which are connected by a NAND gate, the signer proves that the triple satisfies the NAND relation \(1  u \cdot v = w\). This is implemented by Eqs. (2), (5), and (6).
Since we are instantiating our scheme with a Type III pairing, for each wire we need two commitments in both \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\). This is because we need to take a pairing of two wire assignments (Eqs. (5) and (6)) for proving the NAND relation of the three wires. This further requires the signer to prove that two commitments are commitments to the same message. This is done by proving Eqs. (3) and (4), which ensure that the exponents of \(W_{i}\) and \(\tilde{W}_{i}\) are identical.
Lastly, the ORproof technique is implemented by modifying the circuit C into \(\hat{C}\) as in Eq. (1). This circuit ensures that the input \((X_{2},\ldots ,X_{l+1})\) is either a satisfying assignment of C or the hash value h. Equation (2) ensures that \(\theta \) is a valid signature on \((X_{2}, \ldots , X_{l+1})\). They constitute a proof of knowledge of a signature on an attribute or a signature on the dummy attribute determined by the message.
The full description of our scheme is as follows.

\(\mathsf {AttrSetup}(1^{k},1^{\ell })\) . Given a security parameter \(1^{k}\) and an input size \(1^{\ell }\) for circuit, generate bilinear group parameter \(\mathsf {gk}= (p,\mathbb {G}_{1},\mathbb {G}_{2},\mathbb {G}_{T},e,g,\tilde{g}) \leftarrow \mathcal {G}(1^{k})\), a witness indistinguishable common reference string \(\mathsf {crs}\leftarrow \mathsf {WISetup}(\mathsf {gk})\), a verification key and a signing key \((\mathsf {vk}_{\mathsf {Sign}},\mathsf {sk}_{\mathsf {Sign}}) \leftarrow \mathsf {Kg}(\mathsf {gk},1^{\ell +1})\) and a hash key \(\mathsf {hk}\leftarrow \mathcal {H}(1^{k})\). Set \(\mathsf {pp}= (\ell ,\mathsf {crs},\mathsf {vk}_{\mathsf {Sign}},\mathsf {hk})\) and \(\mathsf {msk}\leftarrow \mathsf {sk}_{\mathsf {Sign}}\), and output \((\mathsf {pp},\mathsf {msk})\).
 \(\mathsf {AttrGen}(\mathsf {pp},\mathsf {msk},x)\) . Parse x as \((x_{1},\ldots ,x_{\ell })\). Generate a structurepreserving signature \(\theta \) on the messageSet \(\mathsf {sk}_{x} \leftarrow (x,\theta )\) and output \(\mathsf {sk}_{x}\).$$\begin{aligned} (g^{0},g^{x_{1}},\ldots ,g^{x_{\ell }}) \in \mathbb {G}_{1}{}^{\ell +1}. \end{aligned}$$
 \(\mathsf {AttrSign}(\mathsf {pp},\mathsf {sk}_{x},M,C)\) . Parse \(\mathsf {sk}_{x}\) into \(((x_{1}, \ldots , x_{\ell }),\theta )\) and proceed as follows:
 1.Let \(h \leftarrow {\mathsf {Hash}}(\mathsf {hk}, \langle M, C \rangle )\). Expand the circuit C into a larger circuit \(\hat{C}\) with \(\ell +1\)bit input aswhere the hash value h is hardwired into \(\hat{C}\). Let N be the number of gates in \(\hat{C}\) and \(I_{1}\) and \(I_{2}\) be the functions that specify the topology of \(\hat{C}\).$$\begin{aligned}&\hat{C}(X_{1},X_{2},\ldots ,X_{\ell +1}) = 1 \nonumber \\&\qquad \qquad \qquad \iff \Bigl ( X_{1} = 0 \wedge C(X_{2}, \ldots , X_{\ell +1}) = 1 \Bigr ) \nonumber \\&\qquad \qquad \qquad \qquad \qquad \qquad \quad \vee \Bigl ( X_{1} = 1 \wedge X_{2} \Vert \cdots \Vert X_{\ell _{\mathcal {H}+1}} = h \Bigr ) \end{aligned}$$(1)
 2.Let \(X_{1} \leftarrow 0\), \(X_{2} \leftarrow x_{1}\), \(\ldots \), \(X_{\ell +1} \leftarrow x_{\ell }\), and then compute the assignment to each noninput wires in \(\hat{C}\): for all \(i = (\ell +1)+1\), \(\ldots \), \((\ell +1)+(N1)\)$$\begin{aligned} X_{i} \leftarrow 1  X_{I_{1}(i)} \cdot X_{I_{2}(i)}. \end{aligned}$$
 3.For all \(i = 1\), \(\ldots \), \((\ell +1)+(N1)\), let$$\begin{aligned}&W_{i} \leftarrow g^{X_{i}},&\tilde{W}_{i} \leftarrow \tilde{g}^{X_{i}}. \end{aligned}$$
 4.
Compute a GrothSahai commitment \({{\mathsf {com}}}_{\theta }\) to \(\theta \).
 5.
For all \(i = 1\), \(\ldots \), \((\ell +1)+(N1)\), compute GrothSahai commitments \({{\mathsf {com}}}_{W_{i}}\) to \(W_{i}\) and \({{\mathsf {com}}}_{\tilde{W}_{i}}\) to \(\tilde{W}_{i}\).
 6.Generate a proof \(\pi _{\mathsf {Sign}}\) for the verification equation$$\begin{aligned} \mathsf {Verify}(\mathsf {vk}_{\mathsf {Sign}}, (W_{1},\ldots ,W_{\ell +1}), \theta ) = 1. \end{aligned}$$(2)
 7.For all \(i = 1\), \(\ldots \), \(\ell +1\), generate proofs \(\pi _{i}\) proving the equation$$\begin{aligned} e(g, \tilde{W}_{i}) = e(W_{i}, \tilde{g}). \end{aligned}$$(3)
 8.For all \(i = (\ell +1)+1\), \(\ldots \), \((\ell +1) + (N1)\), generate proofs \(\pi _{i}\) proving the equations$$\begin{aligned} e(g, \tilde{W}_{i}) = e(W_{i}, \tilde{g}), \end{aligned}$$(4)$$\begin{aligned} e(W_{I_{1}(i)}, \tilde{W}_{I_{2}(i)}) e(W_{i}, \tilde{g}) = e(g,\tilde{g}). \end{aligned}$$(5)
 9.Generate a proofs \(\pi _{(\ell +1)+N}\) proving$$\begin{aligned} e(W_{I_{1}((\ell +1)+N)}, \tilde{W}_{I_{2}((\ell +1)+N)}) = 1. \end{aligned}$$(6)
 10.Letand output \(\sigma \).$$\begin{aligned}&\sigma = ({{\mathsf {com}}}_{\theta }, {{\mathsf {com}}}_{W_{1}}, \ldots , {{\mathsf {com}}}_{W_{(\ell + 1) + (N  1)}}, \\&\qquad \qquad \qquad \quad \,{\mathsf {com}}_{\tilde{W}_{1}}, \ldots , {\mathsf {com}}_{\tilde{W}_{(\ell + 1) + (N  1)}}, \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \quad \pi _{\mathsf {Sign}}, \pi _{1}, \ldots , \pi _{(\ell + 1) + N}) \end{aligned}$$
 1.

\(\mathsf {AttrVerify}(\mathsf {pp},M,C,\sigma )\) . Verify the proofs with respect to the circuit \(\hat{C}\) in Eq. (1) and its topology \(I_{1}\), \(I_{2}\) defined by given M and C. Output 1 if all the proofs are verified as valid. Otherwise output 0.
Theorem 1
Provided the proof system is perfectly witness indistinguishable, the above attributebased signature scheme is perfectly private. Provided the proof system is perfectly extractable and perfectly witness indistinguishable, the signature scheme is existentially unforgeable, and the hash function family is collision resistant, the above attributebased signature scheme is adaptively unforgeable.
Proof
Perfect privacy directly followed from witness indistinguishability of the proof system.

Game 1. This game is identical to the experiment for adaptive unforgeability.
 Game 2. In this game, the behavior of the signing oracle is modified as follows. Given a signing query (M, C), the experiment computes the hash value \(h \leftarrow {\mathsf {Hash}}(\mathsf {hk}, \langle M, C \rangle )\), let \((h_{1} \Vert \cdots \Vert h_{\ell _{\mathcal {H}}}) \leftarrow h\), compute a signature \(\theta \) on the messagewith the master secret key \(\mathsf {msk}= \mathsf {sk}_{\mathsf {Sign}}\), and then use \(\theta \) as the witness to compute a signature \(\sigma \).$$\begin{aligned} (g^{1}, g^{h_{1}}, \ldots , g^{h_{\ell _{\mathcal {H}}}}, 1, \ldots , 1) \in \mathbb {G}_{2}{}^{\ell +1} \end{aligned}$$

Game 3. In this game, the common reference string \(\mathsf {crs}\) in \(\mathsf {pp}\) is switched to the extractable common reference string \(\mathsf {crs}\) generated by the \(\mathsf {ExtSetup}\) algorithm as \((\mathsf {crs},\mathsf {ek}) \leftarrow \mathsf {ExtSetup}(1^{k})\).

Setup. The simulator receives a hash key \(\mathsf {hk}\) from the experiment. The simulator then generates an extractable common reference string as \((\mathsf {crs},\mathsf {ek}) \leftarrow \mathsf {ExtSetup}(1^{k})\) and verification and signing keys \((\mathsf {vk}_{\mathsf {Sign}},\mathsf {sk}_{\mathsf {Sign}}) \leftarrow \mathsf {Kg}(1^{k})\), and then sets \(\mathsf {pp}\leftarrow (\ell ,\mathsf {crs},\mathsf {vk},\mathsf {hk})\) and sends \(\mathsf {pp}\) to the adversary.

Key reveal query. When the adversary requests the signing key for \(x = (x_{1}, \ldots , x_{\ell })\), the simulator runs the signing algorithm to obtain a signature \(\theta \leftarrow \mathsf {Sign}(\mathsf {sk}_{\mathsf {Sign}}, (g^{0},g^{x_{1}},\ldots ,g^{x_{\ell }}))\). The simulator responds with \(\mathsf {sk}_{x} = (x,\theta )\).

Signing query. When the adversary requests a signature on M under a circuit C, the simulator computes the hash value \(h \leftarrow {\mathsf {Hash}}(\mathsf {hk}, \langle M, C \rangle )\), lets \((h_{1} \Vert \cdots \Vert h_{\ell _{\mathcal {H}}}) \leftarrow h\), then further computes the signature \(\theta \leftarrow \mathsf {Sign}(\mathsf {sk}_{\mathsf {Sign}}, (g^{1}, g^{h_{1}}, \ldots , g^{h_{\ell _{\mathcal {H}}}}, 1, \ldots , 1))\), the circuit \(\hat{C}\) as in Eq. (1), and proof \(\pi \) using \(\theta \) as the witness. The simulator responds with \(\sigma = \pi \).

Forgery. When the adversary outputs a tuple \((M^{*},C^{*},\sigma ^{*})\), the simulator searches for a signing query (M, C) that satisfies \({\mathsf {Hash}}(\mathsf {hk}, \langle M, C \rangle ) = {\mathsf {Hash}}(\mathsf {hk}, \langle M^{*}, C^{*} \rangle )\). If it is found and the winning condition (i)–(iii) in Definition 2 is satisfied, the simulator outputs \((\langle M, C \rangle , \langle M^{*}, C^{*} \rangle )\) as a collision. Otherwise, the simulator outputs \((\bot ,\bot )\).
The simulator successfully outputs a collision, if the event \({\mathsf {succ}}_{3} \wedge {\mathsf {coll}}\) occurs. In particular, whenever the simulator outputs \((\langle M, C \rangle , \langle M^{*}, C^{*} \rangle )\), we have that \(\langle M, C \rangle \ne \langle M^{*}, C^{*} \rangle \). This is because the winning condition forbids the adversary to output \(M^{*}\) and \(C^{*}\) which are queried to the signing oracle, and thus (M, C) differs from \((M^{*},C^{*})\). Hence \(\Pr [{\mathsf {succ}}_{3} \wedge {\mathsf {coll}}]\) is negligible.
For \(\Pr [{\mathsf {succ}}_{3} \wedge \lnot {\mathsf {coll}}]\), we construct a simulator that attacks the existential unforgeability of the underlying signature scheme. The construction of the simulator is as follows.

Setup. The simulator is given a verification key \(\mathsf {vk}_{\mathsf {Sign}}\) of the signature scheme. The simulator sets up the extractable common reference string of the proof system as \((\mathsf {crs},\mathsf {ek}) \leftarrow \mathsf {ExtSetup}(1^{k})\). The simulator sends \(\mathsf {pp}= (\ell ,\mathsf {crs},\mathsf {vk}_{\mathsf {Sign}},\mathsf {hk})\) to the adversary.
 Key reveal query. When the adversary requests the signing key for an attribute \(x = (x_{1}, \ldots , x_{\ell })\), the simulator requests, to its signing oracle, a signature on the messageThen the simulator receives a signature \(\theta \). The simulator sends \(\mathsf {sk}_{x} = \theta \) to the adversary.$$\begin{aligned} (g^{0}, g^{x_{1}}, \ldots , g^{x_{\ell }}) \in \mathbb {G}_{1}{}^{\ell +1}. \end{aligned}$$
 Signing query. When the adversary requests a signature on a message M under the circuit C, the simulator computes the hash value \(h = (h_{1} \Vert \cdots \Vert h_{\ell _{\mathcal {H}}}) \leftarrow {\mathsf {Hash}}(\mathsf {hk},\langle M, C \rangle )\), then requests a signature on the messageto its signing oracle. The simulator receives a signature \(\theta \). The simulator computes a proof \(\pi \) using the signature \(\theta \) as the witness. The simulator sends \(\sigma = \pi \) to the adversary.$$\begin{aligned} (g^{1}, g^{h_{1}}, \ldots , g^{h_{\ell _{\mathcal {H}}}}, 1, \ldots , 1) \in \mathbb {G}_{1}{}^{\ell +1} \end{aligned}$$
 Forgery. When the adversary outputs a forgery \((M^{*},C^{*},\sigma ^{*})\), the simulator extracts the witnessDue to the extractability of the GrothSahai proof system, we can assume that the witness satisfies Eqs. (2)–(6).$$\begin{aligned} \theta , W_{1}, \ldots , W_{(\ell +1)+(N1)}, \tilde{W}_{1}, \ldots , \tilde{W}_{(\ell +1)+(N1)}. \end{aligned}$$Now below we argue that the pairconstitutes a legitimate forgery for the underlying signature scheme. We have three cases to be dealt with.$$\begin{aligned} ((W_{1}, \ldots , W_{\ell +1}), \theta ) \end{aligned}$$
 1.Assume that \((W_{1}, \ldots , W_{\ell +1})\) is of the formIn this case, due to Eqs. (3)–(6), we have that \(\hat{C}(X_{1},\ldots ,X_{\ell +1}) = 1\), and hence we also have that \(C(X_{2}, \ldots X_{\ell +1}) = 1\). Because the experiment forbids the adversary to query such \((X_{2},\ldots ,X_{\ell +1})\) as a key reveal query, we can conclude that the simulator has not queried \((g^{0}, g^{X_{2}}, \ldots g^{X_{\ell +1}})\) to its signing oracle. Hence, due to the equation Eq. (2), the pair \(((g^{0}, g^{X_{2}}, \ldots , g^{X_{\ell +1}}), \theta )\) constitutes a legitimate forgery to the signature scheme.$$\begin{aligned} (g^{X_{1}}, \ldots g^{X_{\ell +1}}) \in \mathbb {G}_{2}{}^{\ell +1} \,\text {where}\,X_{1} = 0\,\text {and}\,X_{2}, \ldots , X_{\ell +1} \in \{0,1\}. \end{aligned}$$
 2.Assume that \((W_{1}, \ldots , W_{\ell +1})\) is of the formIn this case, due to Eqs. (3)–(6), we have that \((X_{2} \Vert \cdots \Vert X_{\ell _{\mathcal {H}}+1}) = {\mathsf {Hash}}(\mathsf {hk}, \langle C^{*}, M^{*} \rangle )\). Since we are now considering the event \(\lnot {\mathsf {coll}}\), we have that the adversary has not queried (C, M) such that \({\mathsf {Hash}}(\mathsf {hk}, \langle C, M \rangle ) = {\mathsf {Hash}}(\mathsf {hk}, \langle C^{*}, M^{*} \rangle )\) to the signing oracle. Therefore the simulator has not queried \((g^{1}, g^{X_{2}}, \cdots g^{X_{\ell _{\mathcal {H}}}}, 1, \ldots , 1)\) to its signing oracle, and thus \(((g^{1}, g^{X_{2}}, \cdots g^{X_{\ell _{\mathcal {H}}}}, 1, \ldots , 1), \theta )\) constitutes a legitimate forgery.$$\begin{aligned}&(g^{X_{1}}, \ldots , g^{X_{\ell +1}}) \in \mathbb {G}_{2}{}^{\ell +1} \\&\quad \,\text {where}\,X_{1} = 1, X_{2}, \ldots , X_{\ell _{\mathcal {H}}+1} \in \{0,1\}, X_{\ell _{\mathcal {H}}+2} = \cdots = X_{\ell +1} = 0 \end{aligned}$$
 3.
Assume that \((W_{1}, \ldots , W_{\ell +1})\) is neither of the above two forms. In this case, the simulator does not issue any query of this form at all, and thus \(((W_{1}, \ldots , X_{\ell +1}), \theta )\) is a legitimate forgery.
In any case, the pair \(((W_{1}, \ldots , X_{\ell +1}), \theta )\) constitutes the forgery, and thus the simulator outputs this pair as a forgery.
 1.
The above construction shows that whenever the event \({\mathsf {succ}}_{3} \wedge \lnot {\mathsf {coll}}\) occurs, the simulator succeeds in producing the forgery of the signature scheme. It implies that \(\Pr [{\mathsf {succ}}_{3} \wedge \lnot {\mathsf {coll}}]\) is negligible. \(\square \)
4 Performance
Comparison among pairingbased attributebased signature schemes.
Scheme  Signature size  Assumption  Predicate 

MPR11 (1) [21]  \(36s+2t+24ks\)  qSDH, SXDH  Monotone span program 
MPR11 (2) [21]  \(28s+2t+12k+8\)  SXDH  Monotone span program 
MPR11 (3) [21]  \(s+t+2\)  Generic group  Monotone span program 
OT11 [24]  \(9s+11\)  DLIN  Nonmonotone span program 
Ours  \(12\ell +20N+26\)  SXDH  Nonmonotone circuit 
Table 2 shows a detailed calculation of the signature size of our scheme. The center and right columns respectively show the number of the group elements of \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\) that is required for each component of a signature.
Signature size of our scheme.
\(\mathbb {G}_{1}\)  \(\mathbb {G}_{2}\)  

\({\mathsf {com}}_{\theta }\)  12  2 
\({\mathsf {com}}_{W_{i}}\)  \(2(\ell +N)\)  
\({\mathsf {com}}_{\tilde{W}_{i}}\)  \(2(\ell +N)\)  
\(\pi _{\mathsf {Sign}}\)  4  8 
\(\pi _{1}\), \(\ldots \), \(\pi _{\ell +1}\)  \(4(\ell +1)\)  \(4(\ell +1)\) 
\(\pi _{(\ell +1)+1}\), \(\ldots \), \(\pi _{(\ell +1)+(N1)}\)  \(8(N1)\)  \(8(N1)\) 
\(\pi _{(\ell +1)+N}\)  4  4 
Total  \(6\ell +10N+16\)  \(6\ell +10N+10\) 
References
 1.Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structurepreserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 2.Bellare, M., Fuchsbauer, G.: Policybased signatures. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 520–537. Springer, Heidelberg (2014)CrossRefGoogle Scholar
 3.Bellare, M., Namprempre, C., Neven, G.: Security proofs for identitybased identification and signature schemes. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 268–286. Springer, Heidelberg (2004)CrossRefGoogle Scholar
 4.Boneh, D., Boyen, X.: Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptology 21(2), 149–177 (2008)CrossRefMathSciNetzbMATHGoogle Scholar
 5.Boneh, D., Papakonstantinou, P.A., Rackoff, C., Vahlis, Y., Waters, B.: On the impossibility of basing identity based encryption on trapdoor permutations. In: 49th Annual Symposium on Foundations of Computer Science, pp. 283–292. IEEE (2008)Google Scholar
 6.Chen, C., Chen, J., Lim, H.W., Zhang, Z., Feng, D., Ling, S., Wang, H.: Fully secure attributebased systems with short ciphertexts/signatures and threshold access structures. In: Dawson, E. (ed.) CTRSA 2013. LNCS, vol. 7779, pp. 50–67. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 7.El Kaafarani, A., Ghadafi, E., Khader, D.: Decentralized traceable attributebased signatures. In: Benaloh, J. (ed.) CTRSA 2014. LNCS, vol. 8366, pp. 327–348. Springer, Heidelberg (2014)CrossRefGoogle Scholar
 8.Escala, A., Herranz, J., Morillo, P.: Revocable attributebased signatures with adaptive security in the standard model. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 224–241. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 9.Garg, S., Gentry, C., Halevi, S., Sahai, A., Waters, B.: Attributebased encryption for circuits from multilinear maps. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 479–499. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 10.Ghadafi, E.: Stronger security notions for decentralized traceable attributebased signatures and more efficient constructions. In: Nyberg, K. (ed.) CTRSA 2015. LNCS, vol. 9048. Springer, Heidelberg (2015). doi: 10.1007/9783319167152 Google Scholar
 11.Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attributebased encryption for circuits. In: Proceedings of the FortyFifth Annual ACM Symposium on Theory of Computing, pp. 545–554. ACM (2013)Google Scholar
 12.Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015)CrossRefGoogle Scholar
 13.Groth, J., Ostrovsky, R., Sahai, A.: New techniques for noninteractive zeroknowledge. J. ACM 59(3), 11: 1–11: 35 (2012)CrossRefMathSciNetGoogle Scholar
 14.Groth, J., Sahai, A.: Efficient noninteractive proof systems for bilinear groups. SIAM J. Comput. 41(5), 1193–1232 (2012)CrossRefMathSciNetzbMATHGoogle Scholar
 15.Herranz, J., Laguillaumie, F., Libert, B., Ràfols, C.: Short attributebased signatures for threshold predicates. In: Dunkelman, O. (ed.) CTRSA 2012. LNCS, vol. 7178, pp. 51–67. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 16.Kiltz, E., Pan, J., Wee, H.: Structurepreserving signatures from standard assumptions, revisited. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 275–295. Springer, Heidelberg (2015)CrossRefGoogle Scholar
 17.Kurosawa, K., Heng, S.H.: From digital signature to IDbased identification/signature. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 248–261. Springer, Heidelberg (2004)CrossRefGoogle Scholar
 18.Li, J., Au, M.H., Susilo, W., Xie, D., Ren, K.: Attributebased signature and its applications. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pp. 60–69. ACM (2010)Google Scholar
 19.Li, J., Kim, K.: Attributebased ring signatures. Cryptology ePrint Archive, Report 2008/394 (2008). http://eprint.iacr.org/
 20.Maji, H., Prabhakaran, M., Rosulek, M.: Attributebased signatures: Achieving attributeprivacy and collu sionresistance. Cryptology ePrint Archive, Report 2008/328 (2008). http://eprint.iacr.org/
 21.Maji, H.K., Prabhakaran, M., Rosulek, M.: Attributebased signatures. In: Kiayias, A. (ed.) CTRSA 2011. LNCS, vol. 6558, pp. 376–392. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 22.Maurer, U.M., Yacobi, Y.: Noninterative publickey cryptography. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 498–507. Springer, Heidelberg (1991)Google Scholar
 23.Nandi, M., Pandit, T.: On the power of pair encodings: Frameworks for predicate cryptographic primitives. Cryptology ePrint Archive, Report 2015/955 (2015). http://eprint.iacr.org/
 24.Okamoto, T., Takashima, K.: Efficient attributebased signatures for nonmonotone predicates in the standard model. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 35–52. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 25.Okamoto, T., Takashima, K.: Decentralized attributebased signatures. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 125–142. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 26.Shahandashti, S.F., SafaviNaini, R.: Threshold attributebased signatures and their application to anonymous credential systems. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 198–216. Springer, Heidelberg (2009)CrossRefGoogle Scholar
 27.Tang, F., Li, H., Liang, B.: Attributebased signatures for circuits from multilinear maps. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 54–71. Springer, Heidelberg (2014)Google Scholar
 28.Wang, Q., Chen, S.: Attributebased signature for threshold predicates from lattices. Secur. Commun. Netw. 8(5), 811–821 (2015)CrossRefGoogle Scholar
 29.Waters, B.: Efficient identitybased encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)CrossRefGoogle Scholar