Anonymous attribute-based designated verifier signature

An attribute-based signature (ABS) is a cryptographic scheme in which a user can sign a message under any predicate satisfied by the attributes he owns. In such a scheme, it is expected to be impossible for users to collude in order to sign a message that none of them is able to sign on his own. The main advantage of such a solution is that the signer remains anonymous within the set of users fulfilling the chosen predicate; it can therefore be used for anonymous authentication, for instance. In this paper, our main contribution is a new designated verifier attribute-based signature scheme. In other words, the signer uses his attributes to authenticate a message according to a predicate and, while doing so, picks another policy such that only users owning attributes fulfilling this second policy can check the validity of the signature. This extends anonymous authentication by ensuring that the designated verifier cannot prove to anyone that a valid authentication has been performed. In addition to classical anonymity, this also increases the privacy of users, as no further statistics on valid connections can be deduced. To do so, we first propose a generic construction of this primitive using standard cryptographic building blocks. An instantiation of this primitive is then described and proved through security games under the Symmetric External Diffie–Hellman (SXDH) assumption. This main contribution is compared to state-of-the-art solutions in terms of both security and efficiency.


Introduction
In 1989, Chaum and van Antwerpen introduced the notion of undeniable signature Chaum and Van Antwerpen (1989), which allows signers to control access to their signatures. The signer participates in the verification process so that undesirable verifiers cannot learn the validity of his signature. However, this is not always effective, because verifiers can collude so that an unauthorized one obtains information from this interaction (including the validity of the signature). To solve this, Jakobsson et al. (1996) introduced designated verifier signatures, which guarantee that only a specified verifier can verify the signature and be convinced of its validity. They also introduced strong designated verifier signatures, in which the verifier has to use his secret key in the verification phase, preventing signature validation by a third party. The designated verifier cannot convince a third party of the validity of the signature, because he (the designated verifier) can himself forge valid signatures. This concept was later extended by Steinfeld et al. (2003), who introduced Universal Designated Verifier Signatures, which allow someone holding a signature for which he possesses no secret to convert it into a designated verifier signature. Since 2004, several schemes have revisited these properties, e.g. Laguillaumie and Vergnaud (2004); Laguillaumie et al. (2006); Huang et al. (2008); Blazy et al. (2017). However, they do so by relying either on a q-type assumption, on the random oracle, or on costly elements in the target group. In 2011, Maji et al. introduced Attribute-Based Signatures (ABS) Maji et al. (2011). In this kind of signature, users sign messages with their attributes (and an associated predicate) instead of their secret key. Thereby, the signer is not explicitly identified, so it is not possible to link the message to a specific user.
A summary of security properties of each kind of signature is depicted in Table 1.
Using those schemes in practical scenarios requires heavy public key management to designate verifiers and verify signatures. To solve this, some works have proposed identity-based designated verifier signatures, like Susilo et al. (2004), which allow the use of such protocols by selecting designated verifiers through their identities, without managing the keys of those users. For some applications, designating a group of users instead of a single user cannot be achieved easily with an identity-based protocol. Attribute-based protocols (ABE) are more suitable for designating groups of users. To achieve this, Fan et al. proposed in Fan et al. (2012) a strong attribute-based designated verifier signature. Since then, no other work on Attribute-based Designated Verifier Signatures (ABDVS) has been done. Our goal is to add a new construction for this primitive that is more efficient and usable in real scenarios.
A classical field of application for attribute-based protocols is cloud-based protocols, where the identity of the parties involved is less important than their attributes. For instance, access to health data is often based on a specific attribute or on a specific access policy based on the possession of several attributes. Moreover, with the new GDPR, the privacy of requesters is now more important than ever. With an ABDVS it is therefore possible to propose an anonymous authentication on a cloud server. Indeed, upon reception of the signature, the server is able to authenticate the corresponding entities, but it cannot prove this information to a third party. Furthermore, thanks to the use of attributes, the identity of the emitter of the signature remains unknown to the cloud, ensuring his anonymity. In addition, if the signature is stored by the cloud server, it can be used by researchers to have confidence in the information they are investigating without being able to disclose or prove anything about this information to an external party.
A direct application of our ABDVS would be protocols where a proof of valid authentication is damaging. An example would be a broadcast protocol for the addresses of Tor bridges that are supposed to be available only to users with a good reputation. It should be impossible for an external authority to coerce a user into proving he is a valid recipient of those addresses, to coerce him into proving that a broadcast address was validly signed, or more generally to convince other users that fake addresses are valid. All those scenarios are encompassed by our security properties.
In this article, we present as our main contribution a new attribute-based designated-verifier signature (ABDVS) which uses a transformation from Downgradable IBE to ABE (Section 3.2). This transformation allows switching from a set of attributes to an identity. From his set of attributes, the verifier upgrades his user secret key usk into a new verification key uusk. The new algorithm USKUp performs this modification; uusk is a randomization of a part of usk.
Concerning the security aspect, our construction is unforgeable, non-transferable and respects perfect privacy under the SXDH assumption. We also propose an implementation of our construction and compare it to the Fan et al. (2012) scheme.

Definitions
Let ggen be a probabilistic polynomial time (ppt) algorithm that on input $K$ returns a description $\mathcal{G} = (p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, g_1, g_2)$ of asymmetric pairing groups, where $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ are cyclic groups of order $p$ for a $K$-bit prime $p$, $g_1$ and $g_2$ are generators of $\mathbb{G}_1$ and $\mathbb{G}_2$, respectively, and $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ is an efficiently computable (non-degenerate) bilinear map. Define $g_T := e(g_1, g_2)$, which is a generator of $\mathbb{G}_T$. We use the implicit representation of group elements introduced in Escala et al. (2013). For $s \in \{1, 2, T\}$ and $a \in \mathbb{Z}_p$, define $[a]_s = g_s^a \in \mathbb{G}_s$ as the implicit representation of $a$ in $\mathbb{G}_s$ (we write $[a] = g^a \in \mathbb{G}$ when we consider a single group). More generally, for a matrix

Matricial Notation and Assumptions
We recall the definition of the matrix Diffie-Hellman (MDDH) assumption Escala et al. (2013).
, where the probability is taken over

In our construction, we use the previous definition in the case $k = 1$. In this specific case, the assumption is called the Symmetric External Diffie-Hellman assumption (SXDH).
Definition 3 (Symmetric External Diffie-Hellman, SXDH (Ateniese et al. 2005)) The SXDH assumption holds in $\mathbb{G}_1$ and $\mathbb{G}_2$ if DDH is hard in both $\mathbb{G}_1$ and $\mathbb{G}_2$.
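To make the $k = 1$ case concrete, here is an added Python example (not code from the paper or from its Charm-Crypto implementation) that samples $\mathcal{D}_1$-MDDH instances in the implicit notation above and shows that they are exactly DDH tuples. It uses toy parameters assumed only for readability (a subgroup of prime order 1019 inside $\mathbb{Z}_{2039}^*$; a real deployment works in pairing groups of 256-bit prime order) and a distinguisher that is handed the matrix $\mathbf{A}$ in the clear, which is the kind of trapdoor a security reduction, not an adversary, gets to use.

```python
# Added example (not from the paper): D_k-MDDH instances for k = 1, i.e. DDH,
# written in the implicit notation [a] = g^a.  Toy parameters, assumed for
# readability only: a subgroup of prime order Q = 1019 inside Z_2039^*.
import random

P = 2039  # safe prime, P = 2*Q + 1 (toy size)
Q = 1019  # prime order of the subgroup; plays the role of the paper's p
G = 4     # 4 = 2^2 is a quadratic residue mod P, so it generates the order-Q subgroup


def group_sanity():
    """Check that G really generates a subgroup of prime order Q."""
    return G != 1 and pow(G, Q, P) == 1


def implicit(a):
    """[a] = g^a, the implicit representation of a in Z_Q."""
    return pow(G, a % Q, P)


def sample_matrix_k1(rng):
    """Sample A from the k = 1 matrix distribution D_1: A = (a, 1)^T in Z_Q^{2x1}.
    Its first row (a != 0) is invertible mod Q, as Definition 1 requires."""
    return [rng.randrange(1, Q), 1]


def mddh_instance(rng, real):
    """Return ([A], [z], A).  z = A*w for a real instance, z uniform in Z_Q^2 otherwise.
    For k = 1 this is the DDH tuple (g^a, g, g^{aw}, g^w) versus (g^a, g, g^{u1}, g^{u2}).
    A is returned in the clear only so that the trapdoor check below can use it."""
    A = sample_matrix_k1(rng)
    if real:
        w = rng.randrange(Q)
        z = [A[0] * w % Q, A[1] * w % Q]
    else:
        z = [rng.randrange(Q), rng.randrange(Q)]
    return [implicit(x) for x in A], [implicit(x) for x in z], A


def trapdoor_check(A_clear, z_enc):
    """z lies in the span of A iff z1 = a*z2, i.e. [z1] == [z2]^a.
    Knowing a (the trapdoor) makes this easy; without it, it is the DDH problem."""
    a = A_clear[0]
    return pow(z_enc[1], a, P) == z_enc[0]


def run_experiment(n, seed=1):
    """Count accepted real and random instances for the trapdoor distinguisher."""
    rng = random.Random(seed)
    real_acc = rand_acc = 0
    for _ in range(n):
        _, z_enc, A_clear = mddh_instance(rng, real=True)
        real_acc += trapdoor_check(A_clear, z_enc)
        _, z_enc, A_clear = mddh_instance(rng, real=False)
        rand_acc += trapdoor_check(A_clear, z_enc)
    return real_acc, rand_acc


if __name__ == "__main__":
    # real instances are always accepted, random ones with probability 1/Q
    print(run_experiment(100))
```

Without the exponent $a$, the test $[z_1] = [z_2]^a$ is precisely the DDH decision in the subgroup; the same trick extends to any $k$ by checking the last coordinate of $\mathbf{z}$ against the first $k$ coordinates with the kernel vector of $\mathbf{A}$, which is how the "first $k$ rows invertible" convention of Definition 1 is used in reductions.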

Signature Primitives
In this part of the article, we present the signature primitives that we use in our protocol in Section 4.2. We recall the definition of digital signatures and their security requirements in Appendix B.

Designated Verifier Signature
A designated verifier signature (DVS) allows a signer to sign a message that only one chosen user can verify. Extending this to a set of users is possible. The scheme presented below was introduced by Steinfeld et al. (2003).
The security requirements for DVS are unforgeability, DV-unforgeability and non-transferability. These notions are defined in Appendix B.

Attribute-Based Signature
Attribute-Based Signatures (ABS) were introduced by Maji et al. (2011). In an ABS, a signer with a set of attributes, noted $A$, can sign a message with a predicate, noted $\Upsilon$, that is satisfied by his attributes. We denote by $U$ the universe of attributes.

Security properties
Perfect privacy is a security requirement for ABS. The signer's privacy relies only on the signature trustee and not on the authority.
An ABS achieves perfect privacy if the two following distributions are equal:

Building Blocks
In this section, we now give explicit instantiation of the various tools we need.

Downgradable IBE
We first present a downgradable IBE (DIBE) from Blazy et al. (2019); such schemes allow each user with a valid key for an identity $\mathsf{id}$ to compute a valid key for every $\tilde{\mathsf{id}} \preceq \mathsf{id}$, where $\preceq$ is a predetermined relation. We recall in Appendix C the DIBE construction based on the tight IBE from Blazy et al. (2014), which is PR-ID-CPA secure under the $\mathcal{D}_k$-MDDH assumption. We use this construction in our instantiation (Figure 2).
Following the same idea, one can define an Upgradable IBE, with an algorithm USKUp which upgrades a fresh secret key as long as $\mathsf{id} \preceq \tilde{\mathsf{id}}$. The generated key, noted $\mathsf{uusk}[\tilde{\mathsf{id}}]$, allows the verification of the signature if and only if the verifier's attributes match the attributes needed to verify. For practical use, we consider the presence of only one of these algorithms: if both public algorithms were available, each user could generate any key.
Thanks to the previous definitions, we are able to present our Attribute-Based Designated Verifier Signature.

Attribute-Based Designated Verifier Signature
An Attribute-Based Designated Verifier Signature, noted ABDVS, uses the different blocks presented earlier in order to verify a signature with only some attributes.
Figure 1 highlights the use of these different blocks.
- Thanks to the Downgradable IBE, we generate a key for $\mathsf{id}_1 \| m$ by downgrading the key received by the user $\mathsf{id}_1$, using the Naor transform; this is the equivalent of id-signing $m$.
- The DIBE protocol generates the verifier's keys and allows key upgrades. It is also used to mask the signature.
- The USKUp algorithm allows the designated verifier to obtain his key uusk, generated from all his attributes, by upgrading his old key usk.
Concerning the security requirements, an ABDVS has to satisfy unforgeability, non-transferability and perfect privacy. In the following, we show that these properties can be proved by relying on the security of the underlying protocols.

Framework
The concept of Attribute-Based Encryption (ABE) was introduced by Sahai and Waters in Sahai and Waters (2005). In an ABE, a key is associated with a set $A$ of attributes while a ciphertext is associated with an access policy $F$. Decryption is possible if $A$ satisfies $F$. As in Blazy et al. (2019), we work with a small universe of attributes, noted $U = \{1, \ldots, \ell\}$, with $\ell$ the length of the identity used in our construction. For any set $S \subseteq U$, we define $\mathsf{id}_S \in \{0,1\}^\ell$, where its $i$-th position is defined by:

In our construction, we use Boolean formulas in Disjunctive Normal Form (DNF). We denote by $k$ the number of disjunctions in the DNF formula.
Our construction is presented in Figure 1.

Fig. 1 Generic algorithms of our ABDVS framework

At first, each potential verifier asks the authority to generate a set of $k$ secret keys corresponding to his policy, where $k$ is the number of disjunctions in his policy.
When he wants to verify a signature, he selects one of his keys, which can be derived into the expected verification key, noted uusk, using the USKUp algorithm.
Then, thanks to a pairing verification, the designated verifier checks the validity of the signature, which succeeds only if his policy matches the attributes needed for the verification. An important point is that if none of the keys works, the verifier cannot gather any information. We now present a concrete instantiation of our framework in Figure 2.
We denote by $\mathsf{id}_1$ the identity containing the attributes needed for the verification, and by $\mathsf{id}_2$ the identity of the verifier, i.e. $\mathsf{id}_2$ contains all the verifier's attributes. In Figure 2, we use two KeyGen algorithms:
- KeyGen_Sign: generates the signing key sk and ek used for signature generation.
- KeyGen: generates the verifier's user secret key usk for $\mathsf{id}_2$ and dk, used to randomize usk.
Thanks to the encapsulation of the DIBE protocol, we hide our signature with K. The capsule, C, allows signature verification in the Decap algorithm.
In USKUp, we transform usk into uusk. The verifier, with uusk, is able to verify the signature because uusk contains the required attributes.
Decap verifies the signature thanks to the decapsulation of C.
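As an added example (not the paper's code, nor its Charm-Crypto implementation), the following Python models the attribute layer of the framework described above: the small universe $U = \{1, \ldots, \ell\}$, the bit-string identity $\mathsf{id}_S$, a DNF policy with $k$ disjunctions, and the step in which a verifier pinpoints the disjunction his credentials fulfil, so that the identity he derives uusk for is the one the signer expects (the constant-time verification argued for in the practical evaluation). Three points are assumptions, since the page does not fix them: $\mathsf{id}_S$ has bit $i$ set iff $i \in S$; $\tilde{\mathsf{id}} \preceq \mathsf{id}$ means every bit set in $\tilde{\mathsf{id}}$ is also set in $\mathsf{id}$; and a verifier holding attribute set $A$ fulfils a disjunction iff all of its attributes are in $A$. All function names are ours.

```python
# Added example (not from the paper): attribute encoding and disjunction
# selection for an ABDVS policy.  Assumptions, not fixed by the paper:
#   - id_S has bit i set iff attribute i is in S;
#   - id_low ⪯ id_high means every bit set in id_low is also set in id_high;
#   - a verifier with attribute set A fulfils a disjunction iff the
#     disjunction's attributes are all contained in A.
from typing import FrozenSet, List, Optional, Tuple

Identity = List[int]      # element of {0,1}^ell
Clause = FrozenSet[int]   # one disjunction of the DNF: a conjunction of attributes


def encode_identity(attrs, ell: int) -> Identity:
    """id_S in {0,1}^ell for S a subset of U = {1, ..., ell}; position i-1 holds attribute i."""
    bad = [a for a in attrs if not 1 <= a <= ell]
    if bad:
        raise ValueError(f"attributes outside the universe U: {bad}")
    return [1 if i in attrs else 0 for i in range(1, ell + 1)]


def precedes(id_low: Identity, id_high: Identity) -> bool:
    """id_low ⪯ id_high (assumed bitwise dominance): the relation DIBE downgrading and USKUp respect."""
    return len(id_low) == len(id_high) and all(lo <= hi for lo, hi in zip(id_low, id_high))


def parse_dnf(policy: str) -> List[Clause]:
    """Parse 'a AND b OR c AND d' into clauses [{a, b}, {c, d}]; k = len(result)."""
    clauses = []
    for clause in policy.split(" OR "):
        tokens = [t.strip() for t in clause.split(" AND ")]
        if any(not t.isdigit() for t in tokens):
            raise ValueError(f"malformed clause: {clause!r}")
        clauses.append(frozenset(int(t) for t in tokens))
    return clauses


def policy_identities(policy: str, ell: int) -> List[Identity]:
    """One identity per disjunction: the k identities the policy expands to."""
    return [encode_identity(c, ell) for c in parse_dnf(policy)]


def fulfilled_clauses(policy: str, attrs, ell: int) -> List[int]:
    """Indices of the disjunctions that the attribute set attrs fulfils."""
    mine = encode_identity(attrs, ell)
    return [j for j, cid in enumerate(policy_identities(policy, ell)) if precedes(cid, mine)]


def choose_verification_identity(policy: str, attrs, ell: int) -> Optional[Tuple[int, Identity]]:
    """The verifier pinpoints one fulfilled disjunction j and derives uusk for its identity,
    so the attributes used match those the signer expects.  None means no key works:
    the verifier then learns nothing about the signature."""
    hits = fulfilled_clauses(policy, attrs, ell)
    if not hits:
        return None
    j = hits[0]
    return j, policy_identities(policy, ell)[j]


if __name__ == "__main__":
    policy = "1 AND 2 OR 3 AND 4"  # constructed sample: k = 2 disjunctions over U = {1, ..., 6}
    print(choose_verification_identity(policy, {2, 3, 4, 6}, 6))  # (1, [0, 0, 1, 1, 0, 0])
    print(choose_verification_identity(policy, {1, 3, 5}, 6))     # None
```

The selection is the reason the verification cost does not grow with $k$ on the verifier's side: the pairing check is run once, for the single disjunction identity that was pinpointed, and a verifier who fulfils no disjunction gets `None` before touching the capsule.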
For our construction, we do not have to prove DV-unforgeability separately, because this property is similar to unforgeability.
First, we show the correctness of our protocol. In other words, a signature generated honestly can be verified by an honest verifier.
The signer computes:

By simplifying the first pairing in the verification, we get:

The previous equation is obtained by using that, in the honest case, $\mathsf{uusk}_2 = \sum_{i=1}^{\ell} \mathsf{id}_i z_i$, which appears in $c_1$. This equality holds as soon as the attributes used by the verifier are the ones expected by the signer. Using bilinearity, we can see that

Theorem 1 Under the indistinguishability of the DIBE used, our construction is unforgeable under the SXDH assumption.
Proof As presented in the article Cui et al. (2007)

Proof Let $\mathcal{A}$ be an adversary against the non-transferability of our signature. In this proof, we build a simulator $\mathcal{B}$ that gives $\mathcal{A}$ access to USKGen, USKUp and Encap, and uses $\mathcal{A}$ to break the IND-ID-CPA security of the IBE scheme.
Game 1. $\mathcal{A}$ queries USKGen and Encap $m$ times for different identities, but not the challenge one. The simulator answers each query honestly.
For the challenge identity, $\mathsf{id}^*$, we replace the signature $\sigma_2$ by a random group element $\alpha$. This modification of the Encap algorithm is presented in Figure 3. In other words, we randomize a part of the key $K_j$. The indistinguishability of a real key from a random one is ensured by the indistinguishability of the DIBE used in our construction. Hence, $G_1$ is indistinguishable from $G_0$. Thus, we have:

Theorem 3 Our signature achieves perfect privacy under the ANON-ID-CPA security of the DIBE.
Proof Let $\mathcal{A}$ be an adversary against the perfect privacy of our signature. In this proof, we build a simulator $\mathcal{B}$ that gives $\mathcal{A}$ access to USKGen, USKUp and Encap, and uses $\mathcal{A}$ to break the ANON-ID-CPA security of the IBE.
Game 0. This is the real attack game. We do not modify the existing algorithms.
Game 1. In this game, $\mathcal{B}$ simulates the signing key associated with different attribute sets. This simulation is presented in Figure 4, where $\alpha$ is either one of the attribute sets. The difference between the two signing procedures can directly be reduced to the difference between the outputs of the Encap algorithm associated with the two possible $\mathsf{id}_\alpha$, hence to the ANON-ID-CPA property of the underlying DIBE.
If $\mathcal{A}$ is able to tell the difference, it breaks the anonymity of the DIBE used. Thus, we have:

In the following section, we present the computational times of our protocol.

Performance evaluation
In this section we first give a theoretical comparison of our work with the state of the art, focusing on communication costs based on cryptographic key sizes and signature sizes. We then present a practical evaluation of an implementation of our proposal and an implementation of the Fan et al. scheme.

Theoretical comparison
In Table 2, we compare our solution to other existing schemes. It must be noted that only Fan et al. offer the same security properties as our proposal, as depicted in Table 1. Two other schemes are included in this comparison to provide some ground truth for both key and signature sizes. In all schemes, elements in the target group are counted as hashed bitstrings in order to gain efficiency.
We inherit from attribute-based constructions the linear size of the public key in terms of the number $n$ of attributes. We can see that, compared to the other existing Attribute-Based Designated Verifier Signature scheme, we drop the dependency on the number $u$ of users in the signature; we remain linear in the number $k$ of disjunctions in the policy. In terms of security hypotheses, our scheme is proven in the standard model under a classical hypothesis, which is also an improvement over the reliance on the Random Oracle Model in the previous scheme.
Table 3 shows the time taken by the three main algorithms of our two schemes (i.e. Setup, Sign and Verify). $t_{inv}$ is the time taken to do an inversion; $t_m$ is the time taken to perform a multiplication between two group elements; $t_e$ is the time to do a modular exponentiation of a group element by a scalar in $\mathbb{Z}_p$; $t_p$ is the time to realize a pairing operation between two group elements; $t_s$ the time cost of a scalar multiplication in $\mathbb{G}_1$. As a reminder, $\ell$ is the number of attributes and $k$ the number of disjunctions in use. Based on these different operations, Table 3 shows that our proposition is expected to have better results than Fan et al. for both Sign and Verify, as we have less complexity for these operations. Please note that, compared to the table in the initial paper, we consider their scheme to have a linear dependency in the policy size, as their Verify algorithm is expected to do a computation for every node in the tree they build. Fan et al. have better results for Setup as they only rely on inversions and multiplications between two group elements, whereas we need some modular exponentiations, which are more time-consuming. But this is not problematic for real-world applications, as this step is performed only once, prior to communication between parties (i.e. offline).

Practical evaluation
The aim of this prototype and the proposed experiment is to highlight the usability of the framework for real-world applications in terms of computation time. To achieve that, we use a virtual machine with 4 GB of dedicated RAM running on a host computer with a 2.6 GHz Intel Core i7 processor. Since Fan et al. proposed the only attribute-based designated verifier scheme to our knowledge, we use it to compare our performance.
Our scheme is implemented with the Python library Charm-Crypto and the asymmetric Charm curve MNT159, while the Fan et al. scheme is implemented using the symmetric Charm curve SS512. It was not possible to use the same curve as the two schemes do not use the same kind of pairing (asymmetric versus symmetric). We obtain better performance for our scheme for two reasons: we can rely on much faster curves, and due to the way we handle the policy, we have no efficiency loss when increasing the number of disjunctions during verification.
In all experiments, the signing operation is performed on a hashed message with a length of 128 bits. All computation times are displayed in Table 4 and were computed for ten attributes.
Table 4 shows that our scheme takes less time to generate master and secret keys than Fan et al. (2012). Indeed, our KeyGen algorithm depends only on the number of attributes, as does Fan et al.'s proposal, but our key sizes are smaller, which explains these better performances. It must also be noted that in our evaluation, the KeyGen algorithm generates both the verification and the signing key. As previously explained, we can also see that the Verify algorithm has much better performance. Indeed, with our design, users can pinpoint the disjunctions their credentials fulfil when checking the validity of a signature, avoiding a linear loss, which allows us to have a constant verification time.
As illustrated in Figure 5 and Figure 6, the experimental results for the Sign and Verify algorithms are more efficient and outperform the Fan et al. solution. Their signing algorithm depends on the number of disjunctions as ours does, but we require fewer operations. However, we use only a constant number of pairings in the verification algorithm.
Practical instantiations would also be concerned with batch verification of several signatures. This concept was introduced in Fiat (1990). In 1998, Bellare et al. (1998) proposed the first systematic look at batch verification and described several techniques for conducting  2009) presented a careful study on how to securely batch-verify a set of pairing-based equations. As our signature scheme verification only requires the evaluation of pairing product equations, these techniques can also be applied to drastically reduce the number of pairing evaluations by transforming most of the additional ones into exponentiations and group element products.

Conclusion
In this paper we propose a new construction of attribute-based designated verifier signature in the standard model. This construction relies on the Blazy-Kiltz-Pan IBE and on a transformation to obtain ABE from DIBE. Compared to the previous existing proposal, this construction provides better performance to generate a designated verifier signature and to verify it. This makes it suitable for real-case usage, such as in a cloud context, where it can be used to perform anonymous authentication between users and a cloud server. Furthermore, the proposed construction can be generalized so that it is possible to designate attributes for verification instead of an identity, which opens new perspectives for cloud environments and health applications where attribute-based encryption is widely used.
One current limitation of our scheme is that the generated encapsulation is linear in the size $k$ of the policy. One may hope that, by using standard packing techniques, one can obtain a more reasonable size in $\log(k)$ or even achieve a constant size. Another line of research would be to prepare for the advent of quantum computing, and as such future work might focus on proposing a lattice-based version of such a scheme. Lattices have the basic tools required to build an ABDVS; some extra care would however be needed to handle the noise growth, and as such a naive version with a bounded policy size might be an interesting first step.

Digital Signature

- Setup(K): generates the global parameters of the system, param.
- KeyGen(param): outputs a pair of keys (sk, pk), where sk is the (secret) signing key and pk the (public) verification key.
- Sign(sk, m; µ): outputs a signature σ on the message m under sk, using some randomness µ.
- Verify(vk, m, σ): checks the validity of the signature σ with vk.
A digital signature has to verify two security properties: correctness and existential unforgeability under chosen message attacks (EUF-CMA).
- Correctness: For every pair (sk, pk) ← KeyGen(param), for every message m ∈ M and for all randomness µ, we have Verify(vk, m, Sign(sk, m; µ)) = 1.
- Existential Unforgeability under Chosen Message Attacks Goldwasser et al. (1988): even after querying n valid signatures on chosen messages (m_i), A should not be able to output a valid signature on a fresh message m. We define a signing oracle OSign(vk, m), which outputs a signature on m valid under the verification key vk; the requested message is added to the set of signed messages SM.

B Designated Verifier Signature: Security Properties
A DVS has to verify different security properties:
- Unforgeability, as for any regular signature. Even after querying n valid signatures on chosen messages, an adversary should not be able to output a valid signature on a fresh message.
- DV-unforgeability: only the signer or the designated verifier should be able to generate a verifiable message-signature pair (m, σ). The security experiment is presented in Figure 8. We denote by KGS the Key Generation for Signature and by KGV the Key Generation for Verification. In Figure 8, we use the two oracles described below.
  - OSign(pk_1, m): outputs a signature σ on the message m and adds m to the set of signed messages SM.
  - OVerify(pk_2, m, σ): checks the validity of the designated signature σ.
- Non-transferability: an adversary should not be able to convince a third party of the validity (or invalidity) of a designated signature. An adversary A must have at best a negligible advantage in distinguishing the two following distributions:

$+ 2 q_k\,\mathrm{Adv}_{\mathcal{D}_k,\mathsf{Setup}}(\mathcal{B}) + 1/q$), where $q_k$ is the maximal number of queries to the Eval oracle of $\mathcal{A}$ and $\underline{\mathbf{A}} \in \mathbb{Z}_p^{1 \times n}$ denotes the last row of $\mathbf{A}$.

Definition 1 (Matrix Distribution) Let $k \in \mathbb{N}$. We call $\mathcal{D}_k$ a matrix distribution if it outputs matrices in $\mathbb{Z}_p^{(k+1) \times k}$ of full rank $k$ in polynomial time. Without loss of generality, we assume the first $k$ rows of $\mathbf{A} \xleftarrow{\$} \mathcal{D}_k$ form an invertible matrix. The $\mathcal{D}_k$-Matrix Diffie-Hellman problem is to distinguish the two distributions $([\mathbf{A}], [\mathbf{A}\mathbf{w}])$ and $([\mathbf{A}], [\mathbf{u}])$, where $\mathbf{A} \xleftarrow{\$} \mathcal{D}_k$, $\mathbf{w} \xleftarrow{\$} \mathbb{Z}_p^k$ and $\mathbf{u} \xleftarrow{\$} \mathbb{Z}_p^{k+1}$.

Definition 2 ($\mathcal{D}_k$-Matrix Diffie-Hellman Assumption, $\mathcal{D}_k$-MDDH) Let $\mathcal{D}_k$ be a matrix distribution and $s \in \{1, 2, T\}$. We say that the $\mathcal{D}_k$-Matrix Diffie-Hellman ($\mathcal{D}_k$-MDDH) assumption holds relative to ggen in group $\mathbb{G}_s$ if for all PPT adversaries $\mathcal{D}$,

Fig. 2 Algorithms of our ABDVS scheme based on the SXDH assumption

Table 1 Properties comparison of the various flavors of signature.

We will always use this implicit notation for elements in $\mathbb{G}_s$, i.e., we let $[a]_s \in \mathbb{G}_s$ be an element in $\mathbb{G}_s$. Note that from $[a]_s \in \mathbb{G}_s$ it is generally hard to compute the value $a$ (discrete logarithm problem in $\mathbb{G}_s$).

According to Cui et al., a signature generated thanks to the Naor transformation is unforgeable if the IBE used is semantically secure. The IBE used in our construction is IND-ID-CPA under the BDH assumption. So, our ABDVS is unforgeable under the SXDH assumption.

Theorem 2 Our ABDVS is non-transferable under the IND-ID-CPA security of the IBE.

Table 3
Comparison with Fan et al. in terms of number of operations.