Abstract
An attribute-based signature scheme (ABS) is a functional variant of a digital signature scheme, proposed in 2008 by Maji et al. The two basic requirements of ABS, both hard to achieve, are collusion resistance and attribute privacy. In this paper, we employ the two-tier signature (TTS) technique to achieve collusion resistance. TTS was proposed in 2007 by Bellare et al.; in TTS a signer receives two tiers of secret keys sequentially, and the secondary secret key serves as a one-time key at the time of signing. First, we propose a definition of an attribute-based two-tier signature scheme (ABTTS). Then we provide a concrete ABTTS that enjoys existential unforgeability against chosen-message attacks, collusion resistance and attribute privacy, in the standard model. For the construction, enhancing the Camenisch-Lysyanskaya signature, we construct signature bundle schemes that are secure under the Strong RSA assumption and the Strong Diffie-Hellman assumption, respectively. These signature bundle schemes enable ABTTS to achieve attribute privacy. Then, using the signature bundle as a witness in the \(\Sigma\)-protocol of the boolean proof, we obtain attribute-based identification schemes (ABIDs). Finally, by applying the TTS technique to ABIDs, we achieve ABTTSs. A feature of our construction is that ABTTS in the RSA setting is pairing-free.
Notes
1. This limitation can be removed by adding negation attributes to \(\mathcal{U}\) for each attribute in the original \(\mathcal{U}\), though the size of the attribute universe \(|\mathcal{U}|\) doubles.
References
Anada, H., Arita, S., Handa, S., Iwabuchi, Y.: Attribute-based identification: definitions and efficient constructions. In: Boyd, C., Simpson, L. (eds.) ACISP. LNCS, vol. 7959, pp. 168–186. Springer, Heidelberg (2013)
Anada, H., Arita, S., Sakurai, K.: Attribute-based signatures without pairings via the Fiat-Shamir paradigm. In: ASIAPKC2014. ACM-ASIAPKC, vol. 2, pp. 49–58. ACM (2014)
Bellare, M., Shoup, S.: Two-tier signatures, strongly unforgeable signatures, and Fiat-Shamir without random oracles. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 201–216. Springer, Heidelberg (2007)
Boneh, D., Boyen, X.: Efficient selective-id secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
Camenisch, J.L., Lysyanskaya, A.: A signature scheme with efficient protocols. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 268–289. Springer, Heidelberg (2003)
Cramer, R.: Modular designs of secure, yet practical cryptographic protocols. Ph.D. thesis, University of Amsterdam, Amsterdam, The Netherlands (1996)
Damgård, I.: On \(\sigma \)-protocols. In: Course Notes (2011). https://services.brics.dk/java/courseadmin/CPT/documents
El Kaafarani, A., Chen, L., Ghadafi, E., Davenport, J.: Attribute-based signatures with user-controlled linkability. In: Gritzalis, D., Kiayias, A., Askoxylakis, I. (eds.) CANS 2014. LNCS, vol. 8813, pp. 256–269. Springer, Heidelberg (2014)
Internet Engineering Task Force: Request for Comments 6960. http://tools.ietf.org/html/rfc6960
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM-CCS 2006, vol. 263, pp. 89–98. ACM (2006)
Granger, R., Kleinjung, T., Zumbrägel, J.: Breaking ‘128-bit secure’ supersingular binary curves. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 126–145. Springer, Heidelberg (2014)
Guo, S., Zeng, Y.: Attribute-based signature scheme. In: ISA 2008, pp. 509–511. IEEE (2008)
Herranz, J.: Attribute-based signatures from RSA. Theoret. Comput. Sci. 527, 73–82 (2014)
Maji, H.K., Prabhakaran, M., Rosulek, M.: Attribute-based signatures. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 376–392. Springer, Heidelberg (2011)
Okamoto, T.: Provably secure and practical identification schemes and corresponding signature schemes. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 31–53. Springer, Heidelberg (1993)
Okamoto, T., Takashima, K.: Efficient attribute-based signatures for non-monotone predicates in the standard model. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 35–52. Springer, Heidelberg (2011)
Yasuda, M., Shimoyama, T., Kogure, J., Izu, T.: On the strength comparison of the ECDLP and the IFP. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 302–325. Springer, Heidelberg (2012)
Acknowledgements
Concerning the first and the second authors, this work is partially supported by Grants-in-Aid for Scientific Research; Research Project Number: 15K00029.
Appendix A Signature Bundle Scheme in Discrete Log
Our pairing-based signature bundle scheme, \(\texttt {SB}=(\mathbf{SB.KG}, \mathbf{SB.Sign}, \mathbf{SB.Vrfy})\), is described as follows.
\(\mathbf{SB.KG}(1^\uplambda) \rightarrow (\text{PK}, \text{SK})\). Given \(1^\uplambda\), it executes a group generator \(\texttt{BlGrp}(1^\uplambda)\) to get \((p, \mathbb G_1, \mathbb G_2, \mathbb G_T, e(\cdot, \cdot))\). For \(i=1\) to \(n\), it chooses \(g_{i,0}, g_{i,1}, g_{i,2} \mathop{\leftarrow}\limits^{\$} \mathbb G_1, h_0 \mathop{\leftarrow}\limits^{\$} \mathbb G_2, \alpha \mathop{\leftarrow}\limits^{\$} \mathbb Z_p\) and it puts \(h_1 := h_0^{\alpha}\). It puts \(\text{PK} := ((g_{i,0}, g_{i,1}, g_{i,2})_{i=1}^n, h_0, h_1)\) and \(\text{SK} := \alpha\), and returns \((\text{PK}, \text{SK})\).
\(\mathbf{SB.Sign}(\text{PK}, \text{SK}, (m_i)_{i=1}^n) \rightarrow (\tau, (\sigma_i)_{i=1}^n)\). Given \(\text{PK}, \text{SK}\) and messages \((m_i)_{i=1}^n\), each of which is of length \(l_\mathcal{M}\), it chooses \(e \mathop{\leftarrow}\limits^{\$} \mathbb Z_p\). For \(i=1\) to \(n\), it chooses \(s_i \mathop{\leftarrow}\limits^{\$} \mathbb Z_p\), and it computes the value \(A_i\):
It puts \(\tau = e\) and \(\sigma_i = (s_i, A_i)\) for each \(i\) and returns \((\tau, (\sigma_i)_{i=1}^n)\).
\(\mathbf{SB.Vrfy}(\text {PK}, (m_i)_{i=1}^n, (\tau , (\sigma _i)_{i=1}^n ) ) \rightarrow 1/0\). Given \(\text {PK}\), \((m_i)_{i=1}^n\) and \((\tau , (\sigma _i)_{i=1}^n)\), it verifies whether the following holds: \(e(A_i, h_0^e h_1) =e(g_{i,0} g_{i,1}^{m_i} g_{i,2}^{s_i}, h_0), i=1,\dots , n\).
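The three algorithms above, as an added example (not code from the paper): a toy model in which every group element is stored as its discrete log, so the pairing check reduces to modular arithmetic and the effect of the shared \(\tau = e\) can be observed. The displayed formula for \(A_i\) is missing from this page, so the signing equation in `sb_sign` is an assumption solved from the \(\mathbf{SB.Vrfy}\) check; the modulus `P`, the function names and the sample messages are constructed, and the model is insecure by design.

```python
import secrets

# Toy model (constructed, INSECURE): each group element is stored as its
# discrete log, so multiplication is addition mod P and the pairing
# e(g^a, h^b) = gT^(ab) is multiplication mod P. It checks the algebra only.
P = 2**127 - 1  # prime standing in for the group order p

def rand():
    return secrets.randbelow(P - 1) + 1

def sb_kg(n):
    g = [(rand(), rand(), rand()) for _ in range(n)]  # (g_i0, g_i1, g_i2)
    h0, alpha = rand(), rand()
    return (g, h0, h0 * alpha % P), alpha             # h1 = h0^alpha

def msg_elem(gi, m, s):
    # g_i0 * g_i1^m * g_i2^s, written additively on exponents
    return (gi[0] + gi[1] * m + gi[2] * s) % P

def sb_sign(pk, sk, msgs):
    e = rand()
    while (sk + e) % P == 0:      # alpha + e must be invertible
        e = rand()
    inv = pow(sk + e, -1, P)
    sigs = []
    for gi, m in zip(pk[0], msgs):
        s = rand()
        # Assumed signing equation, solved from the SB.Vrfy check:
        # A_i = (g_i0 g_i1^m g_i2^s)^(1/(alpha+e))
        sigs.append((s, msg_elem(gi, m, s) * inv % P))
    return e, sigs                # (tau, (sigma_i))

def sb_vrfy(pk, msgs, bundle):
    g, h0, h1 = pk
    e, sigs = bundle
    if not (len(g) == len(msgs) == len(sigs)):
        return False
    k = (h0 * e + h1) % P         # h0^e * h1 in G2
    # e(A_i, h0^e h1) == e(g_i0 g_i1^m g_i2^s, h0) for every i
    return all(A * k % P == msg_elem(gi, m, s) * h0 % P
               for gi, m, (s, A) in zip(g, msgs, sigs))

def demo():
    pk, sk = sb_kg(3)
    msgs = [11, 22, 33]           # constructed messages in Z_p
    b1, b2 = sb_sign(pk, sk, msgs), sb_sign(pk, sk, msgs)
    # Splice sigma_2 of the second bundle into the first (tau differs)
    mixed = (b1[0], [b1[1][0], b2[1][1], b1[1][2]])
    return sb_vrfy(pk, msgs, b1), sb_vrfy(pk, msgs, mixed)
```

`demo()` returns `(True, False)`: an intact bundle verifies, while one whose second component was taken from a bundle issued with a different \(\tau\) is rejected.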
Theorem 4 (EUF-CMA of Our \(\texttt{SB}\) in Discrete Log). Our signature bundle scheme \(\texttt{SB}\) is existentially unforgeable against chosen-message attack under the Strong Diffie-Hellman assumption.
Our \(\texttt {ABID}\) and \(\texttt {ABTTS}\) in the discrete logarithm setting will be given in the full version.
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Anada, H., Arita, S., Sakurai, K. (2016). Attribute-Based Two-Tier Signatures: Definition and Construction. In: Kwon, S., Yun, A. (eds) Information Security and Cryptology - ICISC 2015. ICISC 2015. Lecture Notes in Computer Science, vol 9558. Springer, Cham. https://doi.org/10.1007/978-3-319-30840-1_3
DOI: https://doi.org/10.1007/978-3-319-30840-1_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-30839-5
Online ISBN: 978-3-319-30840-1
eBook Packages: Computer Science, Computer Science (R0)