Attribute-Based Two-Tier Signatures: Definition and Construction

Abstract

Attribute-based signature scheme (ABS) is a functional variant of digital signature scheme proposed in 2008 by Maji et al. The two basic requirements of ABS (and a hard task to achieve) is collusion resistance and attribute privacy. In this paper, we employ the two-tier signature (TTS) technique to achieve the collusion resistance. Here TTS was proposed in 2007 by Bellare et al., where a signer receives two tier secret keys sequentially. The secondary secret key is served as a one-time key at the timing of signing. First, we propose a definition of an attribute-based two-tier signature scheme (ABTTS). Then we provide ABTTS concretely that enjoys existential unforgeability against chosen-message attacks, collusion resistance and attribute privacy, in the standard model. For the construction, enhancing the Camenisch-Lysyanskaya signature, we construct signature bundle schemes that are secure under the Strong RSA assumption and the Strong Diffie-Hellman assumption, respectively. These signature bundle schemes enable ABTTS to achieve attribute privacy. Then, using the signature bundle as a witness in the \(\varSigma \)-protocol of the boolean proof, we obtain attribute-based identification schemes (ABIDs). Finally, by applying the TTS technique to ABIDs, we achieve ABTTSs. A feature of our construction is that ABTTS in the RSA setting is pairing-free.

Appendix A Signature Bundle Scheme in Discrete Log

Our pairing-based signature bundle scheme, \(\texttt {SB}=(\mathbf{SB.KG}, \mathbf{SB.Sign}, \mathbf{SB.Vrfy})\), is described as follows.

\(\mathbf{SB.KG}(1^\uplambda ) \rightarrow (\text {PK}, \text {SK})\). Given \(1^\uplambda \), it executes a group generator \(\texttt {B}{} \texttt {l}{} \texttt {G}{} \texttt {r}{} \texttt {p}(1^\uplambda )\) to get \((p, \mathbb G_1, \mathbb G_2, \mathbb G_T, e(\cdot , \cdot ) )\). For \(i=1\) to n, it chooses \(g_{i,0}, g_{i,1}, g_{i,2} \mathop {\leftarrow }\limits ^{\$}\mathbb G_1, h_0 \mathop {\leftarrow }\limits ^{\$}\mathbb G_2, \alpha \mathop {\leftarrow }\limits ^{\$}\mathbb Z_p\) and it puts \(h_1:=h_0^{\alpha }\). It puts \(\text {PK}:=( (g_{i,0}, g_{i,1}, g_{i,2})_{i=1}^n, h_0, h_1)\) and \(\text {SK}:=\alpha \), and returns \((\text {PK}, \text {SK})\).

\(\mathbf{SB.Sign}(\text {PK}, \text {SK}, (m_i)_{i=1}^n ) \rightarrow (\tau , (\sigma _i)_{i=1}^n )\). Given \(\text {PK}, \text {SK}\) and messages \((m_i)_{i=1}^n\) each of which is of length \(l_\mathcal {M}\), it chooses \(e \mathop {\leftarrow }\limits ^{\$}\mathbb Z_p\). For \(i=1\) to n, it chooses \(s_i \mathop {\leftarrow }\limits ^{\$}\mathbb Z_p\), and it computes the value \(A_i\):

$$\begin{aligned} A_i :=(g_{i,0} g_{i,1}^{m_i} g_{i,2}^{s_i})^{\frac{1}{\alpha + e}}. \end{aligned}$$

(5)

It puts \(\tau =e\) and \(\sigma _i=(s_i, A_i)\) for each i and returns \((\tau , (\sigma _i)_{i=1}^n )\).

\(\mathbf{SB.Vrfy}(\text {PK}, (m_i)_{i=1}^n, (\tau , (\sigma _i)_{i=1}^n ) ) \rightarrow 1/0\). Given \(\text {PK}\), \((m_i)_{i=1}^n\) and \((\tau , (\sigma _i)_{i=1}^n)\), it verifies whether the following holds: \(e(A_i, h_0^e h_1) =e(g_{i,0} g_{i,1}^{m_i} g_{i,2}^{s_i}, h_0), i=1,\dots , n\).

Theorem 4

(EUF-CMA of Our \({\mathtt {SB}}\) in Discrete Log). Our signature bundle scheme \(\texttt {SB}\) is existentially unforgeable against chosen-message attack under the Strong Diffie-Hellman assumption.

Our \(\texttt {ABID}\) and \(\texttt {ABTTS}\) in the discrete logarithm setting will be given in the full version.