Abstract
Outsourced attribute-based signatures (OABS) enable users to sign messages without revealing specific identity information and are suitable for scenarios with limited computing power. Recently, Mo et al. proposed an expressive outsourced attribute-based signature scheme (Peer-to-Peer Networking and Applications, 11, 2017). In this paper, we show that Mo et al.’s scheme does not achieve any of the three security properties. Their scheme is incorrect; an adversary can collude with the malicious signing-cloud service provider (S-CSP) to forge valid signatures on any message and any attribute set; and the S-CSP can trace the access structures used to generate the signatures. We then treat the S-CSP as an adversary and present more accurate unforgeability and anonymity models for OABS that remedy the drawbacks of the previous ones. Finally, we propose a simple but significant improvement that thwarts our attacks. The improved scheme achieves correctness, unforgeability, and perfect anonymity while keeping the efficiency almost unchanged, and we prove its security in the standard model.
1. Introduction
Attribute-based cryptography is a powerful primitive that enables us to design cryptosystems with fine-grained access control in a multiuser environment [1, 2]. Attribute-based signature (ABS) is one of the main research directions of attribute-based cryptography. ABS provides fine-grained privacy protection for signers and finds applications in many fields, such as private access control, trust negotiation, and anonymous credentials [2, 3]. ABS may also be applied to mobile authentication and two-factor/multifactor authentication in the future [4–6]. Since its introduction, numerous ABS schemes for different access structures have been proposed [7–15].
However, as the expressiveness of the access structure grows, the computational overhead of ABS increases, which makes it hard to execute on devices with limited computing power. Using cloud outsourcing, Chen et al. [16] introduced outsourced attribute-based signatures (OABS) to overcome this problem. In OABS, the signer delegates most of the signing workload to a signing-cloud service provider (S-CSP). After receiving the semisignature from the S-CSP, the signer generates the final signature with little computation. In this way, ABS can be used on resource-constrained devices.
1.1. Related Works
While introducing OABS, Chen et al. [16] proposed two concrete OABS schemes. Both are signature-policy OABS schemes with threshold access structures. Later, Mo et al. [17] proposed an OABS scheme and applied it to the medical cloud; it is a key-policy OABS scheme that supports a more expressive monotonic access structure. Sun et al. [18, 19] introduced decentralization into OABS and proposed an outsourced decentralized multiauthority attribute-based signature scheme, a signature-policy scheme for threshold access structures. In 2021, Huang et al. [20] proposed a new key-policy OABS scheme for circuits. It is a short signature scheme whose final signature consists of only one group element.
Chen et al.’s OABS model assumes that the S-CSP is honest-but-curious, i.e., the S-CSP always runs the algorithm honestly and outputs the semisignatures correctly, but the S-CSP may forge signatures. As a remedy for the overly strong assumption of S-CSP’s honesty, Chen et al. [16] discussed the accountability of OABS, which provides an audit function for S-CSP’s honesty. Liu et al. [21] studied OABS under the concept of server-assisted anonymous attribute authentication, added the correctness verification of the semisignature to OABS, and defined the outsourcing verifiability. After that, Ren and Jiang [22] formally introduced the concept of Verifiable Outsourced Attribute-Based Signatures (VOABS) with a concrete scheme supporting threshold access structure. Unfortunately, Uzunkol [23] presented two attacks on the verifiability of Ren et al.’s scheme. Moreover, one of the attacks enables the untrusted S-CSP to forge signatures.
In 2018, Cui et al. [24] introduced a new notion of Server-Aided Attribute-Based Signature (SA-ABS). SA-ABS outsources both signing tasks and verification tasks to cloud service providers, while OABS only outsources signing tasks. This is the main difference between the two. Cui et al. also proposed a signature-policy SA-ABS scheme for threshold access structure. But Hu et al. [25] pointed out that Cui et al.’s scheme [24] was forgeable and then proposed a new SA-ABS scheme for monotonic access structure.
Wang et al. studied the other side of ABS outsourcing and introduced Attribute-Based Server-Aided Verification Signature (ABSAVS) [26]. In ABSAVS, the verification workload is outsourced to the server, but the signing workload is not. Wang et al. also proposed an ABSAVS scheme for threshold access structures. Recently, Chen et al. proposed a new ABSAVS scheme for tree access structures [27].
Previous schemes are summarized and compared in Table 1.
1.2. Contributions
The main contributions of this paper are as follows:
(i) We analyze the security of Mo et al.’s EOABS scheme [17] and show that it does not achieve any of the three security properties. The scheme is incorrect. The adversary can collude with the malicious S-CSP to forge valid signatures on any message and any attribute set, and the S-CSP can trace the access structures used to generate the signatures.
(ii) We present more accurate security models for OABS. The main drawback of the previous security models is that attacks by the S-CSP are not considered; our models close this gap.
(iii) We propose a simple but significant improvement that thwarts our attacks. The improved scheme achieves correctness, unforgeability, and perfect anonymity while keeping the efficiency almost unchanged. We also prove its security in the standard model.
1.3. Organization
The rest of this paper is organized as follows. Section 2 presents preliminaries. Section 3 reviews Mo et al.’s EOABS scheme and analyzes its security. Section 4 presents a new definition and new security models for OABS. Section 5 proposes an improvement to fix our attacks with security proofs and performance analysis. Section 6 concludes this paper.
2. Preliminaries
Let denote sampling randomly from . Let for . For any vectors and , their inner product .
2.1. Bilinear Map
Let and be multiplicative cyclic groups of prime order . Let be a map satisfying the following properties:
(i) Bilinearity: for all and , .
(ii) Non-degeneracy: there exist such that .
(iii) Computability: for all , can be computed efficiently.
2.1.1. Computational Diffie-Hellman Exponent (CDHE) Problem
Given to compute , where , [28].
2.2. Linear Secret Sharing Scheme
Let be a party set; a collection of nonempty subsets of is defined as an access structure. A set in is an authorized set, and a set not in is an unauthorized set. An access structure is monotone, if and implies for all .
A linear secret sharing scheme (LSSS) for a monotone access structure over is a matrix together with a function mapping the th row of to an attribute, satisfying the following properties:
(i) For any authorized set , there are constants such that , where and is the th row of the matrix .
(ii) For any unauthorized set , there are no constants such that , where .
The distribution and reconstruction algorithms of an LSSS are as follows:
(i) Distribution: it takes as inputs a matrix with a function and a secret to be shared. It chooses , sets , and computes the share set .
(ii) Reconstruction: it takes as inputs a matrix with a function and an authorized set with its share set . It finds constants such that and reconstructs the secret .
Lemma 1 (see [29]). Suppose that is a monotone access structure with matrix . For any unauthorized set , there is a vector such that for all .
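The Distribution and Reconstruction algorithms above, together with the vector of Lemma 1, as an added worked example over a prime field (this is illustrative code written for this page, not code from the paper or from Mo et al.’s scheme). The policy matrix for the structure (A AND B) OR C, its row labelling, and the field prime are constructed for the example. The same search for reconstruction constants is what the S-CSP performs in the OutSign algorithm of Section 3.1, and the Lemma 1 vector is what the simulator relies on in the proof of Theorem 2: shares held by an unauthorized set are consistent with every possible secret, so a simulator can place an unknown exponent in the secret position without being detected.

```python
"""LSSS over GF(p): distribution, reconstruction, and the Lemma 1 vector.

Added example, not from the paper. The policy (A AND B) OR C, its matrix M,
the labelling RHO, and the prime P are constructed for the example.
"""
import random

P = 2**127 - 1                  # field prime (a Mersenne prime), chosen for the example
M = [[1, 1], [0, -1], [1, 0]]   # LSSS matrix for the policy (A AND B) OR C
RHO = ["A", "B", "C"]           # rho(i): the attribute labelling row i of M


def solve_mod_p(A, b, p):
    """Return one solution x of A x = b over GF(p) (free variables set to 0),
    or None if the system is inconsistent. Plain Gauss-Jordan elimination."""
    m, n = len(A), len(A[0])
    T = [[a % p for a in row] + [bi % p] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(n):
        if r == m:
            break
        piv = next((i for i in range(r, m) if T[i][c]), None)
        if piv is None:
            continue
        T[r], T[piv] = T[piv], T[r]
        inv = pow(T[r][c], -1, p)
        T[r] = [x * inv % p for x in T[r]]
        for i in range(m):
            if i != r and T[i][c]:
                f = T[i][c]
                T[i] = [(x - f * y) % p for x, y in zip(T[i], T[r])]
        pivots.append(c)
        r += 1
    if any(T[i][n] for i in range(r, m)):   # a row 0 = nonzero: no solution
        return None
    x = [0] * n
    for i, c in enumerate(pivots):
        x[c] = T[i][n]
    return x


def shares_of(v, p):
    """share_i = <M_i, v> for every row of M, keyed by rho(i)."""
    return {RHO[i]: sum(a * b for a, b in zip(row, v)) % p for i, row in enumerate(M)}


def distribute(secret, p=P, rng=random.SystemRandom()):
    """Distribution: v = (secret, r_2, ..., r_n) with fresh random r_j."""
    v = [secret % p] + [rng.randrange(p) for _ in range(len(M[0]) - 1)]
    return v, shares_of(v, p)


def reconstruction_constants(attrs, p=P):
    """Constants omega_i (rho(i) in attrs) with sum_i omega_i * M_i = (1, 0, ..., 0),
    or None when attrs is unauthorized. This is the step the S-CSP performs in
    OutSign before combining the outsourced key components."""
    idx = [i for i, a in enumerate(RHO) if a in attrs]
    if not idx:
        return None
    n = len(M[0])
    A = [[M[i][j] for i in idx] for j in range(n)]   # columns of A are the rows M_i
    sol = solve_mod_p(A, [1] + [0] * (n - 1), p)
    return None if sol is None else {RHO[i]: c for i, c in zip(idx, sol)}


def reconstruct(attrs, shares, p=P):
    """Reconstruction: secret = sum_i omega_i * share_i, or None if unauthorized."""
    omega = reconstruction_constants(attrs, p)
    if omega is None:
        return None
    return sum(omega[a] * shares[a] for a in omega) % p


def lemma1_vector(attrs, p=P):
    """Lemma 1: for an unauthorized set, a vector w with w_1 = 1 and <M_i, w> = 0
    for every row with rho(i) in attrs. Returns None if attrs is authorized."""
    idx = [i for i, a in enumerate(RHO) if a in attrs]
    n = len(M[0])
    A = [[1] + [0] * (n - 1)] + [M[i] for i in idx]
    return solve_mod_p(A, [1] + [0] * len(idx), p)


def reshare(v, w, new_secret, p=P):
    """v' = v + (new_secret - v_1) * w. The shares of the unauthorized set are
    unchanged while the shared secret becomes new_secret, which is why those
    shares leak nothing and why a simulator can embed an unknown value there."""
    return [(vi + (new_secret - v[0]) * wi) % p for vi, wi in zip(v, w)]
```

`reconstruct` succeeds for {A, B} and {C} and returns None for {A} or {B} alone, matching the policy; `lemma1_vector({"A"})` returns (1, p-1), and `reshare` with that vector changes the secret without changing A’s share.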
3. Cryptanalysis of Mo et al.’s EOABS Scheme
3.1. Review of Mo et al.’s EOABS Scheme
In this section, we review the EOABS scheme proposed by Mo et al. [17]. It comprises five algorithms and involves four entities: the attribute authority (AA), the S-CSP, the signer, and the verifier.
(i) Setup: Suppose is the attribute universe, is the default attribute, and is the maximal length of the message.
  (i) The AA chooses two cyclic groups and of prime order with a bilinear map .
  (ii) It selects a generator of .
  (iii) It selects and computes .
  (iv) It samples .
  (v) It chooses and , . The system public parameters: . The master secret key: .
(ii) KeyGen: it takes as inputs the master secret key and an access structure with its matrix .
  (i) It chooses , sets , and computes .
  (ii) For each , it chooses and computes .
  (iii) It chooses and then computes . The outsourced key: . The signer’s signing key: .
(iii) OutSign: it takes as inputs an attribute set and an outsourced key .
  (i) If , the S-CSP finds such that .
  (ii) It chooses , , and computes . The outsourced signature is .
(iv) Sign: it takes as inputs , , and ; the signer selects and computes . The final signature is .
(v) Verify: it takes as inputs , and the verifier checks whether . It outputs 1 if the equation holds; otherwise it outputs 0.
3.2. Attacks on Mo et al.’s EOABS Scheme
Mo et al.’s EOABS scheme [17] does not achieve any of the three security properties, even though it was proven secure in the authors’ own security models.
3.2.1. On Correctness
Mo et al.’s EOABS scheme is incorrect.
In Mo et al.’s scheme
So we have
Thus, the verification equation does not hold.
3.2.2. Forgery Attack
Mo et al.’s EOABS scheme is forgeable. Adversaries can collude with the malicious S-CSP to forge signatures.
Suppose that is an attribute set, is adversary ’s access structure, and . Adversary can collude with the malicious S-CSP to forge signatures for as follows:
(i) The malicious S-CSP finds an outsourced key with an access structure satisfied by . It runs the OutSign algorithm with , generates the outsourced signature for , and sends it to adversary .
(ii) With the outsourced signature and a message , adversary runs the Sign algorithm with its own signing key and outputs a signature on and .
The attack above is executable for the following reasons:
(i) The signing key is related only to the master secret key and the default attribute , not to the access structure .
(ii) , so the outsourced signature for can be generated correctly using .
Obviously, the output of adversary above is a valid signature on the message and the attribute set , even though does not satisfy ’s access structure .
3.2.3. On Anonymity
Mo et al.’s EOABS scheme does not achieve anonymity. The S-CSP can identify the access structure behind a signature as follows:
(i) The S-CSP stores every outsourced signature together with its corresponding access structure in a list in the form .
(ii) On receiving a final signature , the S-CSP outputs the corresponding access structure if there is an entry in .
The attack above is practicable for the following reasons:
(i) The S-CSP needs to know the access structure when using to generate outsourced signatures, so it can maintain the list correctly.
(ii) Since , the S-CSP can correctly link the final signature to the outsourced signature .
4. Outsourced Attribute-Based Signature
The attacks above show that the security models in [17] do not reflect the actual outsourced setting. Their models are similar to the non-outsourced models [2, 30]. We present more accurate security models in this section.
4.1. Definition
An outsourced attribute-based signature (OABS) scheme is composed of the following algorithms.
(i) . It takes the security parameter as input and returns the public parameters and master key .
(ii) . It takes the public parameters , master key , and an access structure with a flag as inputs and returns the outsourced key and private signing key .
(iii) . The outsourced signing algorithm takes the public parameters , an outsourced key , and an attribute set as inputs and returns an outsourced signature .
(iv) . The signing algorithm takes the public parameters , a private signing key , a message , and an outsourced signature as inputs and returns a signature on .
(v) . It takes the public parameters , a signature , a message , and an attribute set as inputs. If is valid, it returns 1; otherwise, it returns 0.
Note: The flag we introduced above is just an identifier used to match the outsourced key and private signing key correctly. It does not take part in any operation and does not affect efficiency and security.
4.2. Security
In this subsection, we present enhanced formal security models for OABS.
Definition 1 (correctness). An OABS scheme is correct if for any message , any access structure , and any attribute set such that .
4.2.1. Unforgeability
A trivial requirement for the unforgeability is that the adversary cannot possess the key required for signing because anyone who has the signing key can run the signing algorithm to generate a valid signature. In the scenario of outsourced signatures, all outsourced keys are sent to the S-CSP, and the S-CSP is not necessarily trusted. Therefore, it should be assumed that the adversary may have all the outsourced keys and only restrict him from possessing the required private signing key. To this end, we need to provide different oracles for the outsourced key and the private signing key. In addition, since the adversary is permitted to obtain all outsourced keys and can generate outsourced signatures by himself, he need not make any outsourced signing oracle query.
The unforgeability model of Mo et al. [17] does not reflect the above requirements and is therefore inaccurate. We present a more accurate unforgeability model in the following. There are two main differences between our model and Mo et al.’s model: First, our model provides the adversary with two oracles, OSK-Oracle and SK-Oracle, while their model only provides one oracle, KeyGen-Oracle. Second, our model restricts the adversary from possessing any private signing key of the access structure satisfied by the challenge attribute. In contrast, their model does not prohibit the adversary from obtaining the private signing key. These two improvements reflect the ideas mentioned above.
(1) GAME 1 (EUF-sA-CMA).
(i) Initialization. Adversary selects a challenge attribute set and sends it to challenger .
(ii) Setup. generates the public parameters and sends them to .
(iii) OSK-Oracle. chooses an access structure with a flag and sends it to . returns the outsourced key to .
(iv) SK-Oracle. chooses an access structure with a flag and sends it to . returns the private signing key to .
(v) Sign-Oracle. chooses a message , an attribute set , and an outsourced signature with a flag and sends them to . returns a signature to .
(vi) Forgery. Adversary outputs a triple .
Adversary wins the game if
(i) was not queried to the Sign-Oracle;
(ii) no access structure queried to the SK-Oracle is satisfied by ;
(iii) .
Adversary ’s advantage is defined as its probability of winning the above game, denoted as .
Definition 2 (unforgeability). An OABS scheme is existentially unforgeable under selective attribute set and adaptive chosen message attack if is negligible in the security parameter for any PPT adversary .
4.2.2. Perfect Anonymity
In an outsourced attribute-based signature, the untrusted S-CSP generates the outsourced signature, and then the signer generates the final signature. This is the essential difference from a general attribute-based signature, and it must be reflected in the security model. In the model of Mo et al., the outsourced signature is generated by the challenger, and the adversary never sees it. This makes it impossible for the adversary to determine the access structure from the outsourced signature. But in an outsourced attribute-based signature scheme, the outsourced signatures are computed by the S-CSP, so the S-CSP may link the signatures to their access structures through the outsourced signatures. This is why Mo et al.’s scheme is anonymous in their model even though the attack above exists. In our model, the outsourced signatures are instead generated by the adversary and then sent to the challenger. Under this model, Mo et al.’s scheme does not achieve anonymity. Our model thus reflects the difference between outsourced and general attribute-based signatures.
We formalize our definition by a game between challenger and adversary as follows.
(1) GAME 2 (Perfect Anonymity).
(i) Setup. It is the same as in GAME 1.
(ii) Phase 1. The adversary may query the OSK-Oracle, SK-Oracle, and Sign-Oracle for any access structure or message of his/her choice. The oracles are the same as those of GAME 1.
(iii) Challenge.
  (i) Adversary chooses a message , an attribute set , and two challenge access structures and such that and , and generates two outsourced signatures and using the outsourced keys and , respectively. He then sends to challenger .
  (ii) flips a fair coin , generates a signature on message and attribute set using the signing key , and returns to .
(iv) Phase 2. As in Phase 1, the adversary may continue to query the OSK-Oracle, SK-Oracle, and Sign-Oracle for any access structure (including and ) or message of his/her choice.
(v) Guess. outputs a bit .
The advantage of is defined as
Definition 3 (perfect anonymity). An OABS scheme is perfectly anonymous if for any adversary the advantage is negligible in the security parameter .
5. Improvement
In this section, we propose a simple but significant improvement to fix our attacks. The ideas behind our improvement are as follows.
In Mo et al.’s scheme, the outsourced key and private signing key are independently generated with secret values and . Using such two keys to generate a signature, the public key will be canceled out in the verification equation. Since the outsourced key and the private signing key are independent of each other, using the outsourced key of Alice and the private signing key of Bob, one can also generate a correct signature, and the public key can also be canceled out in the verification equation. Our improvement fixes this shortcoming. We set as the master private key and as the public key and then use and to generate the outsourced key and private signing key, respectively. In this way, everyone’s outsourced key and private signing key are associated. The outsourced key and the private signing key of different users cannot be combined to generate a correct signature. If Alice’s outsourced key and Bob’s private signing key are combined to generate a signature, then will appear in the verification equation, which is not equal to the public key . The signature will not be accepted as a valid signature.
In Mo et al.’s scheme, is not blinded but directly used as a component of the final signature. This allows the adversary to track the access structure used to generate the signature. To ensure anonymity, the outsourced signature must be blinded. But the computation cost of blinding is the same as that of computing . Therefore, in our improved scheme, the user computes by himself, and the server no longer computes . in our improvement is equivalent to in Mo et al.’s scheme.
We split into and , and into and , all for the signature to satisfy the verification equation.
5.1. Improved Scheme
(i) Setup: it is the same as in Mo et al.’s EOABS scheme, except that and .
(ii) KeyGen: it is the same as in Mo et al.’s EOABS scheme, except that it chooses and sets .
(iii) OutSign: it takes as inputs an attribute set , an outsourced key with matrix , and a flag .
  (i) If , the S-CSP finds such that .
  (ii) It computes . The outsourced signature is .
(iv) Sign: with a private signing key , a message , and an outsourced signature , the signer selects and computes . The final signature on is .
(v) Verify: with , the verifier checks whether . If the equation holds, the verifier outputs 1; otherwise, it outputs 0.
5.2. Proofs of Security
Theorem 1 (correctness). The improved scheme is correct.
Proof. When , we can find such that , and then . So , the verification equation holds, and the improved scheme is correct.
Theorem 2 (unforgeability). The improved scheme is existentially unforgeable. If an adversary can win GAME 1 with advantage , then there exists an algorithm that solves the CDHE problem with probability , where is the maximum number of Sign-Oracle queries and is the length of the message.
Proof. In the following, is an adversary with advantage , and is the challenger to the CDHE problem. We build as follows, which uses to solve the CDHE problem.
Without loss of generality, we assume the attribute universe . maintains an initially empty key list .
(i) CDHE Problem Gen.
  (i) chooses two multiplicative cyclic groups and of prime order and a bilinear map .
  (ii) chooses a generator and , and computes .
  (iii) sends to .
(ii) Init Phase. chooses and sends to .
(iii) Setup.
  (i) chooses and for all , and computes
  (ii) computes (i.e., it sets the master secret key implicitly).
  (iii) Let . chooses , picks , , , , and computes
  (iv) sends the public parameters to .
(iv) OSK-Oracle. Assume queries an outsourced key on an access structure with matrix of size and flag . If is in , it returns the corresponding outsourced key to . Otherwise, computes the keys as follows:
  (i) If : (i) sets ( cannot query any private signing key for an access structure satisfied by ). (ii) runs KeyGen to get . (iii) returns to . (iv) adds to the key list .
  (ii) If : (i) finds a vector such that for each , where is the th row of (Lemma 1). (ii) chooses and sets . (iii) For all : if , choose and compute ; if , choose and compute . (iv) selects and computes , . (v) returns to . (vi) adds to the key list .
(v) SK-Oracle. It is the same as the OSK-Oracle above, except that it returns the private signing key to .
Claim 1. The keys simulated above are correct.
Proof. If and is generated by KeyGen, it is certainly correct.
If , according to Lemma 1 we can find a vector such that for each . We prove that is a correct outsourced key with as follows:
(i) When , , and , we have
(ii) When , we have , and , where .
This shows that is a correct outsourced key.
Since the first component of is , we have . Thus is a correct private signing key.
(vi) Sign-Oracle. It takes as inputs . Define the functions . If , it aborts. Otherwise, chooses and computes and returns .
Claim 2. The simulated signatures are correct.
Proof. By a simple calculation, we have . If , then , because we can assume for any reasonable values of , and . Then we have , and hence . The verification equation holds, so the simulated signature is correct.
(vii) Forgery. outputs a signature on .
(viii) Output. If , it aborts. Otherwise, computes and outputs .
Claim 3. The output of is .
Proof. Since , we have .
Because is a valid signature on message for , we have , and then .
Claim 4. The probability that the simulation is not aborted is .
Proof. The argument is the same as that for Claim 2 of Waters [31].
Claims 1 and 2 show that the simulation above is correct. Thus, by Claim 3 and Claim 4, can compute with probability .
Theorem 3 (perfect anonymity). The improved scheme is perfectly anonymous.
Proof. Challenger executes the Setup algorithm to set up the system and responds to the oracle requests by running the corresponding algorithm.
Receiving , flips a fair coin , chooses , and computes and returns a signature from using .
Challenger continues to respond to the oracle requests by running the corresponding algorithm.
Since is an outsourced signature on using , we have . And is a signature computed from , so we have . We can rewrite as , where , , , .
This shows that is also a signature computed from using and . Because are selected uniformly at random from , the probability of selecting is the same as that of selecting , namely . Therefore, even an adversary with unlimited computing power cannot tell which access structure was used to generate the signature.
On the other hand, the adversary may generate the outsourced signatures by him/herself. Assuming that the random integer selected by the adversary is , the probabilities of and are still equal, . So even if the adversary possesses all the private signing keys and outsourced keys, it cannot determine which access structure was used to generate the signature.
In summary, adversary ’s advantage is 0, and the improved scheme achieves perfect anonymity.
5.3. Performance Analysis
Denote by an element of , by an element of , by an exponentiation in , by a multiplication in , by a computation of the pairing, and by an inner product operation. Let be the size of the attribute universe , be the length of the message, be the number of rows of , be the number of rows whose attribute belongs to the attribute set, i.e., , and be the size of the attribute set, i.e., . We compare our scheme to Mo et al.’s scheme in Table 2.
In terms of data size, our scheme has one less integer in the master private key and one more group element in the final signature. The other items are the same size. There is not much difference between the two schemes.
In terms of computational overhead, our scheme has an extra in signature generation. Estimated with the message length , this is an increase of about .
Although our scheme is slightly inferior to Mo et al.’s scheme in data length and computational overhead, it has a decisive advantage in security: it achieves correctness, unforgeability, and perfect anonymity, whereas their scheme achieves none of these three properties. This shows that our improvement is meaningful.
6. Conclusion
OABS was introduced to solve the problem that ABS is unsuitable for scenarios with limited computing power. Recently, Mo et al. proposed an expressive outsourced attribute-based signature scheme. In this paper, we analyzed the security of Mo et al.’s EOABS scheme and showed that it achieves neither the correctness, nor the unforgeability, nor the anonymity that they claimed. We presented more accurate security models for OABS and proposed an improved OABS scheme that resists our attacks. Our scheme is provably secure in the standard model.
Data Availability
No data were used to support this study.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
Acknowledgments
This work was supported by the National Social Science Fund of China (No. 21XTQ015), the Natural Science Foundation of Fujian Province of China (Nos. 2019J01750, 2019J01752, and 2020J01814), and the Fujian Province Young and Middle-Aged Teacher Education Research Project (No. JAT200293).