A Security of Attribute based Signature Scheme

In the attribute typed signature scheme, the user can sign a document with any predicate that is satisfied by his attributes issued from the attribute agency. Based on this assumption, the signature does not show the identity of a user who signed the document. It only shows the demand related to the attributes that the underlying signer possesses. In attribute based signature, participants cannot forge signature with attributes they don’t have even by conspiring. Alternatively, an authorized signer stays anonymous without concern for revocation and is identical among the participants whose attributes meet a predicate specified in a signature. Attribute based signature is functional in various uses. For example, in anonymous authentication and attribute typed message schemes. In this paper, we describe the characteristics of security of certain attribute typed signature scheme. Also, we illustrate multiple attacks in a presented threshold attribute typed signature scheme. We show tha...

Progress in Cryptology–AFRICACRYPT …, 2009

Abstarct. Inspired by the recent developments in attribute-based encryption, in this paper we propose threshold attribute-based signatures (t-ABS). In a t-ABS, signers are associated with a set of attributes and verification of a signed document against a verification attribute set succeeds if the signer has a threshold number of (at least t) attributes in common with the verification attribute set. A t-ABS scheme enables a signature holder to prove possession of signatures by revealing only the relevant (to the verification attribute set) attributes of the signer, hence providing signer-attribute privacy for the signature holder. We define t-ABS schemes, formalize their security and propose two t-ABS schemes: a basic scheme that is selectively unforgeable and a second one that is existentially unforgeable, both provable in the standard model, assuming hardness of the computational Diffie-Hellman problem. We show that our basic t-ABS scheme can be augmented with two extra protocols that are used for efficiently issuing and verifying t-ABS signatures on committed values. We call the augmented scheme a threshold attribute based c-signature scheme (t-ABCS). We show how a t-ABCS scheme can be used to realize a secure threshold attribute-based anonymous credential system (t-ABACS) providing signer-attribute privacy. We propose a security model for t-ABACS and give a concrete scheme using t-ABCS scheme. Using the simulation paradigm, we prove that the credential system is secure if the t-ABCS scheme is secure.

Cryptology and Network Security, 2018

Despite the recent advances in attribute-based signatures (ABS), no schemes have yet been considered under a strong privacy definition. We enhance the security of ABS by presenting a strengthened simulation-based privacy definition and the first attribute-based signature functionality in the framework of universal composability (UC). Additionally, we show that the UC definition is equivalent to our strengthened experiment-based security definitions. To achieve this we rely on a general unforgeability and a simulation-based privacy definition that is stronger than standard indistinguishability-based privacy. Further, we show that two extant concrete ABS constructions satisfy this simulation-based privacy definition and are therefore UC secure. The two concrete constructions are the schemes by Sakai et al. (PKC'16) and by Maji et al. (CT-RSA'11). Additionally, we identify the common feature that allows these schemes to meet our privacy definition, giving us further insights into the security requirements of ABS.

Computer Security – ESORICS 2016, 2016

This paper presents an anonymous certification (AC) scheme, built over an attribute based signature (ABS). After identifying properties and core building blocks of anonymous certification schemes, we identify ABS limitations to fulfill AC properties, and we propose a new system model along with a concrete mathematical construction based on standard assumptions and the random oracle model. Our solution has several advantages. First, it provides a data minimization cryptographic scheme, permitting the user to reveal only required information to any service provider. Second, it ensures unlinkability between the different authentication sessions, while preserving the anonymity of the user. Third, the derivation of certified attributes by the issuing authority relies on a non interactive protocol which provides an interesting communication overhead.

Lecture Notes in Computer Science, 2014

In this paper, we introduce Attribute-Based Signatures with User-Controlled Linkability (ABS-UCL). Attribute-based signatures allow a signer who has enough credentials/attributes to anonymously sign a message w.r.t. some public policy revealing neither the attributes used nor his identity. User-controlled linkability is a new feature which allows a user to make some of his signatures directed at the same recipient linkable while still retaining anonymity. Such a feature is useful for many reallife applications. We give a general framework for constructing ABS-UCL and present an efficient instantiation of the construction that supports multiple attribute authorities.

Public-Key Cryptography – PKC 2013, 2013

We present the first decentralized multi-authority attributebased signature (DMA-ABS) scheme, in which no central authority and no trusted setup are required. The proposed DMA-ABS scheme for a large class of (non-monotone) predicates is fully secure (adaptive-predicate unforgeable and perfectly private) under a standard assumption, the decisional linear (DLIN) assumption, in the random oracle model. Our DMA-ABS scheme is comparably as efficient as the most efficient ABS scheme. As a by-product, this paper also presents an adaptively secure DMA functional encryption (DMA-FE) scheme under the DLIN assumption.

We present a new notion called the attribute-based signature with message recovery. Compared with the existing attribute-based signature schemes, an attribute-based signature with message recovery scheme does not require transmission of the original message to verify the validity of the signature, since the original message can be recovered from the signature. Therefore, this scheme shortens the total length of the original message and the appended attribute-based signature. The contributions of this paper are threefold. First, we introduce the notion of attribute-based signature with message recovery. Second, we present a concrete construction of an attribute-based signature with message recovery scheme based on bilinear pairing. Finally, we extend our scheme to deal with large messages. The proposed schemes support exible threshold predicates and are proven to be existentially unforgeable against adaptively chosen message attacks in the random oracle model under the assumption that the Computational Die-Hellman problem is hard. We demonstrate that the proposed schemes are also equipped with the attribute privacy property.

Attribute-based signatures allow a signer owning a set of attributes to anonymously sign a message w.r.t. some signing policy. A recipient of the signature is convinced that a signer with a set of attributes satisfying the signing policy has indeed produced the signature without learning the identity of the signer or which set of attributes was used in the signing. Traceable attribute-based signatures add anonymity revocation mechanisms to attribute-based signatures whereby a special tracing authority equipped with a secret key is capable of revealing the identity of the signer. Such a feature is important in settings where accountability and abuse prevention are required. In this work, we first provide a formal security model for traceable attribute-based signatures. Our focus is on the more practical case where attribute management is distributed among different authorities rather than relying on a single central authority. By specializing our model to the single attribute authority setting, we overcome some of the shortcomings of the existing model for the same setting. Our second contribution is a generic construction for the primitive which achieves a strong notion of security. Namely, it achieves CCA anonymity and its security is w.r.t. adaptive adversaries. Moreover, our framework permits expressive signing polices. Finally, we provide some instantiations of the primitive whose security reduces to falsifiable intractability assumptions and without relying on idealized assumptions.

Lecture Notes in Computer Science, 2004

This paper focus on two security services for internet applications: authorization and anonymity. Traditional authorization solutions are not very helpful for many of the Internet applications; however, attribute certificates proposed by ITU-T seems to be well suited and provide adequate solution. On the other hand, special attention is paid to the fact that many of the operations and transactions that are part of Internet applications can be easily recorded and collected. Consequently, anonymity has become a desirable feature to be added in many cases. In this work we propose a solution to enhance the X.509 attribute certificate in such a way that it becomes a conditionally anonymous attribute certificate. Moreover, we present a protocol to obtain such certificates in a way that respects users' anonymity by using a fair blind signature scheme. We also show how to use such certificates and describe a few cases where problems could arise, identifying some open problems.

Journal of Computer Science and Technology, 2010

In this paper a new signature scheme, called Policy-Endorsing Attribute-Based Signature, is developed to correspond with the existing Ciphertext-Policy Attribute-Based Encryption. This signature provides a policy-and-endorsement mechanism. In this mechanism a single user, whose attributes satisfy the predicate, endorses the message. This signature allows the signer to announce his endorsement using an access policy without having to reveal the identity of the signer. The security of this signature, selfless anonymity and existential unforgeability, is based on the Strong Diffie-Hellman assumption and the Decision Linear assumption in bilinear map groups.