Decentralised Functional Signatures
 200 Downloads
Abstract
With the rapid development of the Internet of Things (IoT) a lot of critical information is shared however without having guarantees about the origin and integrity of the information. Digital signatures can provide important integrity guarantees to prevent illegal users from getting access to private and sensitive data in various IoT applications. Functional signatures, introduced by Boyle, Goldwasser and Ivan (PKC 2014) as signatures with a finegrained access control, allow an authority to generate signing keys corresponding to various functions such that a user with a signing key for a function f, can sign the image of the function f on a message m i.e., can sign f(m). Okamoto and Takashima (PKC 2013) firstly proposed the notion of a decentralized multiauthority functional signature (DMAFS) scheme, which supports nonmonotone access structures combined with innerproduct relations. In this paper, we generalise the definition of DMAFS proposed by Okamoto et al. (PKC13) for even more general policy functions, which support any polynomialsize boolean predicates other than the inner product relation and allow modifications of the original message. In our multiauthority functional signature (MAFS), there are multiple authorities and each one is able to certify a specific function and issue a corresponding functional signing key for each individual with some property, rendering them very useful in application settings such smart homes, smart cities, smart health care etc. We also provide a general transformation from a standard signature scheme to a MAFS scheme. Moreover, we present a way to build a function private MAFS from a FS without function privacy together with SNARKs.
Keywords
IoT Functional signatures Attributebased signature Decentralised multiauthority functional signatures1 Introduction
With the rapid development of the Internet of Things (IoT) in various application settings (e.g., smart homes [6, 7], smart cities [4, 8], and smart healthcare [1]), ensuring the communication integrity and authenticity of information shared between IoT devices becomes a major concern, since millions of devices sense and communicate large volumes of private and sensitive data. Digital signatures is one of simplest and more reliable approaches, that can be employed to achieve the integrity and authentication properties and thus, prevent illegal users from getting access to private and sensitive data.
A digital signature on a message, originally introduced by Diffie and Hellman [5], produces information that allows the receiver to verify that the original message was indeed signed by the claimed signer (sender). Boyle, Goldwasser and Ivan [2] have recently introduced a new type of signatures, called functional signatures. In a functional signature scheme, a trusted authority holds a master secret key known only to the authority. Given a description of a function f, the authority using the master secret key can generate a functional signing key sk_{f} associated with the function f. Anyone that has access to the functional signing key sk_{f} and a message m can compute f(m) as well as a functional signature σ of f(m). Such finegrained generation of signatures is extremely useful in multiple applications such as authentication and trustnegotiation. For instance, we can consider the case where a document (message m) has some fields to be filled in, i.e., the initial document m needs to be modified by applying a function on it f(m) and then subsequently signed. Thus, it is required to produce a signature σ that corresponds to f(m). In that case, a function f could be associated with the fields of the document that need to be filled in, as well as the type of the information (e.g., calendar date). Then, by generating a signing key sk_{f} for this specific function f, we can guarantee which documents have been filled in and signed by an individual.
In this paper, we go beyond standard functional signatures and we reexplore the existing concept: decentralised or multiauthority functional signatures for general policy functions, which aids for smart projects such for smart home, smart city, smart health care etc.
Decentralised functional signatures Although functional signatures (FS) are a very powerful primitive, the basic concept of FS has a serious challenge since it requires that a single authority issues for all users their secret signing keys associated with different functions. This definitely contradicts the distributed public key infrastructure that allows having multiple certification authorities with different levels of trust. When considering realistic applications of functional signatures, it is hard to imagine that a single central authority will be trusted by everyone and will manage all credentials and generate functional signing keys for different functions for all individuals. Inspired by the practical demand for the distributed trust, we explore the model for multiauthority functional signatures (MAFS).
Okamoto et al. [12] firstly proposed the concept of a decentralised multiauthority functional signature (DMAFS) scheme, which supports nonmonotone access structures combined with innerproduct relations [11]. Intuitively, the nonmonotone access structures combined with innerproduct relations [11] supported by the DMAFS scheme of Okamoto et al. are: for properties \(\mathbf {u}:=({u}_{1},\ldots ,{u}_{N})\in \mathbb {F}^{n_{1}+\ldots +n_{N}}_{q}\), a policy function \(F:= (\hat {M}, ({v}_{1},\ldots ,{v}_{N})\in \mathbb {F}^{n_{1}+\ldots +n_N}_{q})\) is the componentwise innerproduct relations for property vector components, e.g., {u_{i} ⋅ v_{i} = 0 or not}_{i∈{1,…,N}} that are taken as input to a span program \(\hat {M}\), and the property vector u satisfies the policy F iff the truthvalue vector of ((u_{1} ⋅ v_{1} = 0),…,(u_{N} ⋅ v_{N} = 0)) is accepted by the span program \(\hat {M}\). In their DMAFS setting, there are multiple authorities and each authority is able to generate a secret key associated with a sort of attributes u_{i}, i.e., a user obtains several secret keys w.r.t. the attributes it has, u := (u_{1},…,u_{N}), each of which is issued by corresponding authority. A user with secret keys w.r.t. the attributes u := (u_{1},…,u_{N}) is able to sign the message iff u s.t. ((u_{1} ⋅ v_{1} = 0),…,(u_{N} ⋅ v_{N} = 0)) is accepted by the span program \(\hat {M}\).
Contrary to Okamoto et al. [12] work, in this paper we consider whether it is possible to extend the DMAFS with respect to even more general policy functions, which are not limited to innerproduct predicates [11] but support any polynomial sized boolean predicate. Furthermore, we allow one to sign a message that is in the range of a function f, which can be considered as to make some operations on the original message first and then to sign the new resulting message.
Our results Our main results and contributions can be summarised as follows: (i) we introduce for the definition of multiauthority functional signatures (MAFSs) for general policy functions; (ii) we provide a general transformation from a standard signature scheme to a MAFS scheme and a corresponding construction; (iii) given a nonfunctionprivate FS scheme and a SNARK we provide a way to build a function private MAFS scheme.
In a MAFS scheme, multiple authorities can independently generate their master secret and master public verification keys. Any authority i should be able to generate a functional signing key for a user with identity UID and property U_{i} along with a policy F over various authorities. A user UID, with signing keys for a policy function F and different property U_{i} from the authority i ∈ [N], is allowed to generate a signature for the new message F(U_{1},…,U_{n},m) only if his property set {U_{i}}_{i∈ [N]} satisfies the policy, while anyone using the N authorities’ master verification keys should be able to verify the validity of the messagesignature pair. An important requirement for MAFS is the security (unforgeability) against collusion attacks, which states that colluding users e.g., whose identities are UID_{1} with property U_{1} and UID_{2} with property U_{2} (even if they collude with some corrupted authorities) should not be able to forge a signature endorsed by a user UID_{1} with properties U_{1} and U_{2}. Another desirable property of MAFS is function privacy, which implies that the signature should reveal neither the function F that the functional signing key used in the signing process corresponds to, nor the message m that F was applied to. In particular, the notion of MAFS generalizes that of multiauthority attribute based signature [12].
In this paper, we first give a construction of MAFS that is not function private, based on any standard signature scheme. Then, assuming the existence of succinct noninteractive arguments of knowledge (SNARKS) for NP languages, we propose a functionprivate MAFS scheme from a nonfunctionprivate FS scheme. The resulting functionprivate MAFS scheme is defined in the common reference string model, which means that we allow all algorithms (and the adversary) to get as input also a public uniformly distributed common reference string [9, 10]. Below we describe in an informal way, highlights of our results and the approaches we employ.
Theorem 1 (Informal)
Assuming the existence of an existentially unforgeable signature scheme, then there exists a multiauthority functional signature scheme satisfying the unforgeability requirement but not function privacy.
Overview of the approach The master signing and verification key for each authority i ∈ [N] will correspond to a key pair, (msk_{i},mvk_{i}), in an underlying (standard) signature scheme. To generate a signing key for a user with UID and property U for a function F, the authority i does the following. First, it samples a fresh signing and verification key pair (sk_{i},vk_{i}) in the underlying signature scheme, and then signs the concatenation UID∥U∥F∥vk_{i} using msk_{i}. The signing key consists of this certificate (signature) together with sk_{i}. Given N signing keys, a user can sign any message m^{∗} = F({(i,U_{i})}_{i∈[N]},m) by signing m using each sk_{i}, and outputting these N signatures, together with N certificates of UID∥U∥F∥vk_{i}.
Theorem 2 (Informal)
Assuming the existence of SNARKs and a functional signature scheme that is unforgeable, then there exists a multiauthority functional signature scheme in the common reference string model satisfying the unforgeability requirement and function privacy.
Overview of the approach The setup algorithm generates a common reference string crs. The authority setup and key generation algorithms are the same as those of the construction in Theorem 2. Given N signing keys, a user does the following. First, it signs m using each \(\textsf {sk}^f_{i}\), and then it generates a zeroknowledge SNARK for the following statement: ∀i ∈ [N], ∃σ_{i} such that σ_{i} is a valid signature of m^{∗} = f(m) under mvk_{i} in the functional signature scheme. The final signature consists of the proof together with N certificates of UID∥U∥F∥vk_{i}.
2 Related work
Multiauthority functional encryption Inspired by the distributed trust offered by publickey encryption, Chandran et al. [3] introduced a new primitive that is called MultiAuthority Functional Encryption (MAFE) as a generalization of both Functional Encryption and MultiAuthority AttributeBased Encryption (MAABE). Based on subexponentially secure indistinguishability obfuscation and injective oneway functions they show how to obtain MAFE for arbitrary polynomialsize circuits, namely \(F(\{U_{id}\}_{id\in \mathcal {S}}, m)\) which is a \(\mathcal {S}+ 1\) variate policy function (each component is in {0,1}^{k}) in MAFE that takes as input up to \(\mathcal {S}\) properties and a message and outputs a value. In this paper, we generalise the definition of DMAFS in [12] for even more general policy functions, which supports any polynomial sized boolean predicates other than the inner product relation and allows modifications of the original message. Such a generalisation is not straightforward. To achieve that we take advantage of the method that Chandran et al. [3] used to define the function policy in a multiauthority setting.
Multiauthority attribute based signature The concept of multiauthority attribute based signature (MAABS) was introduced by Okamoto et al. [9, 10]. In a MAABS model, there are multiple authorities and each authority is responsible for issuing a secret key associated with a category of attributes. But a central trustee is required in addition to multiple authorities. Okamoto et al. [12] showed that if the central authority is corrupted in MAABS, the security (unforgeability) of the system will be totally broken. Thus, in [12] they proposed the first MAABS scheme with no central authority, which supports more general predicates, nonmonotone access structures in which no central authority exists and no global coordination is required except for the setting of a parameter for a prime order bilinear group and hash functions under a standard assumption, the DLIN assumption in the random oracle model. They also proposed a more general signature scheme, DMAFS scheme, which supports nonmonotone access structures combined with innerproduct relations [11], and prove that the proposed DMAFS scheme is fully secure (adaptivepredicate unforgeable and perfect private in the DMA security model) under the DLIN assumption in the random oracle model.
From the point of view of the class of functions that multiauthority FS supports, the DMAFS scheme proposed by Okamoto et al. [12] is a special case of our generalized MAFS scheme, where the underlying predicate is specialized to be the inner product relation. Okamoto et al.’s DMAFS scheme is fully secure (adaptivepredicate unforgeable and perfect private in the DMA security model) under the DLIN assumption in the random oracle model, while our MAFS scheme is secure in the common reference string model satisfying the unforgeability requirement and function privacy. Moreover, the notion of MAABS proposed by Okamoto et al. [12] is a specific case of our generalized MAFS for general policy functions since the policy function in MAABS can be considered as the special case of our MAFS where the policy function F always outputs the message m if the properties satisfy F.
3 Preliminaries
Definition 1 (Functional signature 2)

FS.Setup(1^{λ}) → (msk,mvk) : on input the security parameter 1^{λ}, the setup algorithm outputs the master signing key and the master verification key.

FS.KeyGen(msk,f) →sk_{f} : on input the master signing key and a function \(f\in \mathcal {F}\), the key generation algorithm outputs a signing key for f .

FS.Sign(f,sk_{f},m) → (f(m),σ) : on input the signing key for function \(f\!\in \mathcal {F}\) and a message \(m\in \mathcal {D}_f\), the signing algorithm outputs f(m) and a signature of f(m).

FS.Verify(mvk,m^{∗},σ) →{0,1} : on input the master verification key mvk, a message m^{∗} and a signature σ, the verification algorithm outputs 1 if the signature is valid.
We require it to satisfy the following conditions:

The challenger generates (msk,mvk) ←FS.Setup(1^{λ}), and gives mvk to \(\mathcal {A}\);
 The adversary is allowed to query a key generation oracle O_{key}, and a signing oracle O_{sign}, that share a dictionary indexed by tuples \((f, i)\in \mathcal {F}\times \mathbb {N}\), whose entries are signing keys: \(\textsf {sk}_{i}^{f}\leftarrow \textsf {FS.KeyGen}(\textsf {msk}, f)\). This dictionary keeps track of the keys that have been previously generated during the unforgeability game. The oracles are defined as follows:
 O_{key}(f,i) :

If there exists an entry for the key (f,i) in the dictionary, then output the corresponding value, \(\textsf {sk}^{i}_{f}\).

Otherwise, sample a fresh key \(\textsf {sk}^{i}_{f} \leftarrow \textsf {FS.Key} \textsf {Gen}(\textsf {msk}, f)\), add an entry \((f, i)\rightarrow \textsf {sk}^i_f\) to the dictionary, and output \(\textsf {sk}^i_f\).

 O_{sign}(f,i,m) :

If there exists an entry for the key (f,i) in the dictionary, then generate a signature on f(m) using this key: \(\sigma \leftarrow \textsf {FS.Sign}(f, \textsf {sk}^i_f, m)\).

Otherwise, sample a fresh key \(\textsf {sk}^i_f \leftarrow \textsf {FS.Key} \textsf {Gen}(\textsf {msk}, f)\), add an entry \((f, i)\rightarrow \textsf {sk}^{i}_{f}\) to the dictionary, and generate a signature on f(m) using this key: \(\sigma \leftarrow \textsf {FS.Sign}(f, \textsf {sk}^{i}_{f}, m)\).


 The adversary wins if it can produce (m^{∗},σ) such that:

FS.Verify(mvk,m^{∗},σ) = 1.

There exists no m such that m^{∗} = f(m) for any f which was sent as a query to the O_{key} oracle.

There exists no (f,m) pair such that (f,m) was a query to the O_{sign} oracle and m^{∗} = f(m).


The challenger honestly generates (mvk,msk) ←FS.Setup(1^{λ}) and gives both values to the adversary.

The adversary \(\mathcal {A}\) chooses a function f_{0} and receives an (honestly generated) secret key \(\textsf {sk}_{f_{0}}\leftarrow \textsf {FS.KeyGen} (\textsf {msk}, f_{1})\).

The adversary \(\mathcal {A}\) chooses a second function f_{1} for which f_{0} = f_{1} and receives an (honestly generated) secret key \(\textsf {sk}_{f_{1}}\leftarrow \textsf {FS.KeyGen}(\textsf {msk}, f_{1})\).

The adversary chooses a pair of messages m_{0},m_{1} for which m_{0} = m_{1} and f_{0}(m_{0}) = f_{1}(m_{1}).

The challenger selects a random bit b ←{0,1} and generates a signature on the image f_{0}(m_{0}) = f_{1}(m_{1}) using secret key \(\textsf {sk}_{f_{b}}\), and gives the resulting signature \(\sigma \leftarrow \textsf {Sign}(\textsf {sk}_{f_{b}}, m_{b})\) to the adversary.

The adversary outputs a bit b^{′}, and wins the game if b^{′} = b.
4 Multiauthority functional signature
We describe syntax and security notions of a multiauthority functional signature scheme.
Definition 2 (MultiAuthority FS (MAFS))

ASetup(id,1^{λ}) → (MVK_{id},MSK_{id}) : Each authority \(id\in \mathcal {I}\) runs the authority setup algorithm to generate its own public verification key and secret key pair, (MVK_{id},MSK_{id}). The authority id publishes MVK_{id} and stores MSK_{id}.

\(\textsf {KeyGen}(\textsf {MSK}_{id}, \textsf {UID}, U, F)\rightarrow K^{\textsf {UID},U}_{id,F}:\) When an authority id who wishes to issue a user, whose identity is UID, a secret key associated with a property U and a policy function F, it runs the key generation algorithm that outputs a secret key \(K^{\textsf {UID},U}_{id,F}\). The authority gives \(K^{\textsf {UID},U}_{id,F}\) to the user.

\(\textsf {Sign}(\{K^{\textsf {UID},U_{id}}_{id,F}\}_{(id,U_{id})\in {\Gamma }}, m) \rightarrow \) \((F(\{(id,U_{id})\}_{(id,U_{id}) \in {\Gamma }}, m),\) σ) : A user signs a message m with a Γ + 1 < O(poly(λ)) variate policy function F (each component is in {0,1}^{λ}), only if the user has obtained a set of secret keys {Kid,F UID,U_{id}(id,U_{id}) ∈Γ} from the authorities such that all properties included in Γ are satisfied by the policy function. Then, the user outputs the value \(F(\{(id,U_{id})\}_{(id,U_{id})\in {\Gamma }}, m)\) and a signature of \(F(\{(id,U_{id})\}_{(id,U_{id})\in {\Gamma }}, m)\). F takes as input up to Γ properties and a message and outputs a value.

Verify({MVK_{id}}_{id∈Γ},m^{∗},σ) →{0,1} : To verify a signature σ on a message m^{∗}, using a set of public keys for relevant authorities {MVK_{id}}_{id∈Γ}, a user runs the verification algorithm which outputs a boolean value accept := 1 or reject := 0.
Definition 3 (Correctness of MAFS)
Remark 1
 1.
We assume that each user is allowed to have only one particular property corresponding to one authority (category) id.
 2.
For Γ + 1 < O(poly(λ)) variate policy function F, any different component of property is associated with a different authority. In fact, a policy function F consists of a predicate Predic which is used to indicate the set of properties that are accepted or not, and a deterministic function f which is used to modify the input message. The functionality of \(F(\{(id,U_{id})\}_{(id,U_{id})\in {\Gamma }}, m)\) first checks whether \(\textsf {Predic}\\(\{(id,U_{id})\}\text {} _{(id,U_{id})\in {\Gamma }})= 1\), if it is true then it outputs f(m); else it outputs ⊥.
 3.
For a set of properties {(id,U_{id})}_{id} which is accepted by F, we denote it as Γ. Since a different property component in F corresponds to different authorities, we misuse the notation id ∈Γ to represent the authority that belongs to the accepted set.
Definition 4 (Unforgeability of MAFS)

The adversary \(\mathcal {A}\) outputs [N]. The challenger runs the ASetup for the authorities labelled in [N] and hands over the verification keys of all the authorities to \(\mathcal {A}\). Adversary \(\mathcal {A}\) specifies a set S ⊂ [N] of corrupted authorities, and gets {MSK_{i}}_{i∈S}. Let’s denote \(\bar {S} :=[N]\backslash S\).
 The adversary is allowed to query a key generation oracle O_{key} and a signing oracle O_{sign}, that share a dictionary indexed by tuples (UID,i,U_{i},F), whose entries are keys: Ki,F UID,U_{i} ←KeyGen(MSK_{i},UID,U_{i},F). This dictionary keeps track of the keys that have been previously generated during the unforgeability game. The oracles are defined as follows :
 O_{key}(UID,i,U_{i},F) : The attacker \(\mathcal {A}\) submits tuples of the form (UID,i,U_{i},F) to the challenger, where UID is a user’s identity and U_{i} is the user’s property w.r.t a non corrupted authority i. The challenger responds by giving \(\mathcal {A}\) the corresponding key Ki,F UID,U_{i}.

If there exists an entry for (UID,i,U_{i},F) in the dictionary, then output the corresponding value Ki,F UID,U_{i}.

Else, generate Ki,F UID,U_{i} ←KeyGen(MSK_{i},UID, U_{i},F), add an entry (UID,i,U_{i},F) → Ki,F UID,U_{i} to the dictionary, and output Ki,F UID,U_{i}.

 \(\textsf {O}_{\textsf {sign}}(\{\textsf {UID},i,U_{i},F\}\text {} _{i\in \bar {S}}, \{K^{\textsf {UID},U_{i}}_{i,F}\}\text {} _{i\in S}, m):\) The attacker selects a policy F and wishes to get the user UID’s signature.

For any \(i \in \bar {S}\), generate Ki,F UID,U_{i} ←KeyGen(MSK_{i},UID,U_{i},F) and add the entry (UID,i, U_{i},F) → Ki,F UID,U_{i} to the dictionary. Run Sign({Ki,F UID,U_{i}}_{i∈[N]},m) to generate a tuple (F({(i,U_{i})}_{i∈[N]},m),σ) and return it back.


 At the end, \(\mathcal {A}\) outputs (m^{∗},σ^{∗}). We say the adversary succeeds, if

Verify({MVK_{i}}_{i∈[N]},m^{∗},σ^{∗}) = 1.

\((\{\textsf {UID},i, U_{i}, F^{\ast }\}\text {} _{i\in \bar {S}}, \{K^{\textsf {UID},U_{i}}_{i,F^{\ast }}\}\text {} _{i\in S}, \tilde {m})\) has never been sent as a query to the oracle O_{sign} for any F^{∗} and \(\tilde {m}\) such that \(m^{\ast }= F^{\ast }(\{(i,U_{i})\}\text {} _{i\in [N]}, \tilde {m})\).

There doesn’t exist m such that m^{∗} = F^{∗}({(i,U_{i} )}_{i∈[N]},m) where for any \(i \in \bar {S}\), (UID,i,U_{i},F^{∗}) has been sent as a query to the oracle O_{key} and the user UID’s property set {(i,U_{i})}_{i∈[N]} is accepted by F^{∗}.

Remark 2
Since the predicate circuit Predic contained in the policy function F^{∗} is specified over N properties (i,U_{i}), we say that F^{∗} does not accept Γ_{UID} which means that when the properties corresponding to any authority \(i\in \bar {S}\) are taken from Γ_{UID} no matter what the leftover S properties of the user UID are, F^{∗} never accepts it.
Definition 5 (Function privacy of MAFS)

The adversary \(\mathcal {A}\) outputs [N]. The challenger runs the setup for all N authorities labelled in [N], namely generating a key pair (MVK_{i},MSK_{i}) ←ASetup(i,1^{λ}) and hands over the verification keys of all the authorities to \(\mathcal {A}\). The adversary \(\mathcal {A}\) specifies a set S ⊂ [N] of corrupted authorities, and gets their master secret keys {MSK_{i}}_{i∈S}. Let us denote this set of corrupted authorities as \(\bar {S} :=[N]\backslash S\).

The adversary \(\mathcal {A}\) chooses a policy function F_{0} as well as a tuple (UID,i,U_{i},F_{0}) for one specific user UID and his property U_{i} according to the category i, and receives an (honestly generated) key \(K^{\textsf {UID},U_{i}}_{i, F_{0}}\leftarrow \textsf {KeyGen}(\textsf {MSK}_{i}, \textsf {UID},U_{i}, F_{0})\) corresponding to an uncorrupted authority \(i\in \bar {S}\).

The adversary \(\mathcal {A}\) chooses a second policy function F_{1} for which F_{0} = F_{1}, as well as a tuple (UID,i,U_{i},F_{1}) for the same user UID and his property U_{i} according to the category i, and receives an (honestly generated) secret key \(K^{\textsf {UID},U_{i}}_{i,F_{1}}\leftarrow \textsf {KeyGen}(\textsf {MSK}_{i}, \textsf {UID},U_{i}, F_{1})\) corresponding to the uncorrupted authority \(i\in \bar {S}\).

The adversary chooses a pair of messages m_{0},m_{1} for which m_{0} = m_{1} and F_{0} ({(i,U_{i})}_{i∈[N]},m_{0}) = F_{1} ({(i,U_{i})}_{i∈[N]},m_{1}).

The challenger selects a bit b ←{0,1} and generates a signature on the image m^{′} = F_{0} ({(i,U_{i})}_{i∈[N]},m_{0}) = F_{1} ({(i,U_{i})}_{i∈[N]},m_{1}) using secret key \(K^{\textsf {UID},U_{i}}_{i, F_b}\), and gives the resulting signature \(\sigma \leftarrow \textsf {Sign}(\{K^{\textsf {UID},U_{i}}_{i,F_b} \}\text {} _{i\in [N]}, m_{b})\) to the adversary.

The adversary outputs a bit b^{′}, and wins the game if b^{′} = b.
Remark 3
The policy functions F_{0} and F_{1} should contain the same predicates, which means F_{0} = Predic∥f_{0} and F_{1} = Predic∥f_{1}.
Definition 6 (MAFS with CRS)
We say that (ASetup, KeyGen, Sign, Verify) is a MAFS scheme with CRS if Definition 2 is satisfied except that we allow all algorithm (and the adversary) to get as input also a public uniformly distributed common random string.
5 Our construction for MAFS
5.1 MAFS from standard signatures
In this section, we provide a construction of a MAFS scheme based on any standard signature scheme (i.e., existentially unforgeable under chosenmessage attacks). Our resulted MAFS scheme is proved to be unforgeable as the Definition 4, but not function private.
The main ideas of our construction are as follows. The master signing and public keys for each authority i(MSK_{i},MVK_{i}) will simply be a standard key pair for the underlying signature scheme. The signing key generated by the authority i for a user’s identity UID, a property U and a function F consists of a fresh key pair (sk,vk) for the underlying signature scheme, and a signature (with respect to MVK_{i}) on the user’s identity UID, a property U and a function F together with vk. We can regard this signature as a certificate authenticating that the owner of key vk is allowed to sign values resulted from the policy function F.

ASetup(i,1^{λ}) : Each authority i ∈ [N] runs Sig.Setup (1 ^{λ}) → (msk_{i},mvk_{i}) and sets MSK_{i} = msk_{i} and MVK_{i} = mvk_{i}.
 KeyGen(MSK_{i},UID,U,F) :

Sample a signing and verification key pair for signature scheme (sk_{i},vk_{i}) ←Sig.Setup(1^{λ}).

Parse MSK_{i} = msk_{i}. Run \(\sigma _{\textsf {vk}_{i}}\leftarrow \textsf {Sig.Sign}\) (msk_{i}, UID∥U∥F∥vk_{i}).

Create a certificate \(c^{\textsf {UID},U}_{i,F}=(\textsf {vk}_{i}, \sigma _{\textsf {vk}_{i}},\textsf {UID},\) U,F).

Set \(K^{\textsf {UID}, U}_{i,F}=(\textsf {sk}_{i}, c^{\textsf {UID},U}_{i,F})\) and output key \(K^{\textsf {UID}, U}_{i,F}\).

 Sign({Ki,F UID,U_{i}}_{i∈[N]},m) :

Parse Ki,F UID,U_{i} = (sk_{i},ci,F UID,U_{i}) where ci,F UID,U_{i} \( =(\textsf {vk}_{i}, \sigma _{\textsf {vk}_{i}}, \textsf {UID}, U_{i}, F)\), and run σ_{i} ←Sig.Sign(sk_{i},m) for all i ∈ [N].

Compute m^{∗} = F({(i,U_{i})}_{i∈[N]},m) and set σ = (m,{ci,F UID,U_{i},σ_{i}}_{i∈[N]}).

Output (m^{∗},σ).
Remark 4
When {(i,U_{i})}_{i∈[N]} is rejected by Predic the output of the policy function F will be ⊥, and the corresponding signature should also be ⊥.

 Verify({MVK_{i}}_{i∈[N]},m^{∗},σ) :
 Parse σ = (m,{ci,F UID,U_{i},σ_{i}}_{i∈[N]}) and ci,F UID,U_{i} \( =(\textsf {vk}_{i}, \sigma _{\textsf {vk}_{i}}, \textsf {UID}, U_{i}, F)\), and perform the following checks. If all of the checks pass output 1; otherwise output 0.
 1.
m^{∗} = F({(i,U_{i})}_{i∈[N]},m);
 2.
Sig.Verify(vk_{i},m,σ_{i}) = 1 for all i ∈ [N];
 3.
\(\textsf {Sig.Verify}(\textsf {mvk}_{i},\textsf {UID}\U_{i}\F\\textsf {vk}_{i}, \sigma _{\textsf {vk}_{i}})= 1\) for all i ∈ [N].
 1.

Theorem 3
If the signature schemeSig is existentially unforgeable under chosen message attacks, then our multiauthority functional signature scheme as specified above satisfies the unforgeability requirement defined in Section 4.
Proof
Let \(\mathcal {A}_{\textsf {MA}}\) be a PPT adversary in the unforgeability game for multiauthority functional signatures that is allowed to make query to the oracles O_{key} and O_{sign}. Assume \(\mathcal {A}_{\textsf {MA}}\) made polynomial numbers of queries, Q(λ) in total to the oracles O_{key} and O_{sign}. We construct an adversary \(\mathcal {B}_{\textsf {Sig}}\) with \(\mathcal {A}_{\textsf {MA}}\) as a subroutine such that, if \(\mathcal {A}_{\textsf {MA}}\) wins in the unforgeability game for MAFS with nonnegligible probability, then \(\mathcal {B}_{\textsf {Sig}}\) breaks the unforgeability game of underlying signature scheme, which is assumed to be unforgeable.

For each \(i\in \bar {S}\), \(\sigma ^{\ast }_{i}\) is a valid signature of \(\tilde {m}\) under the verification key vk_{i};

For each \(i\in \bar {S}\), \(\sigma _{\textsf {vk}_{i}}\) is a valid signature of UID∥U_{i}∥F∥vk_{i} under mvk_{i};

\(m^{\ast }=F^{\ast }(\{(i,U_{i})\}\text {} _{i\in [N]}, \tilde {m})\);

\(\mathcal {A}_{\textsf {MA}}\) has not sent a query of form ({UID,i,U_{i}, \( F^{\ast }\}\text {} _{i\in \bar {S}}, \{K^{\textsf {UID},U_{i}}_{i,F^{\ast }}\}\text {} _{i\in S}, \tilde {m})\) to the signing oracle O_{sign}.

\(\mathcal {A}_{\textsf {MA}}\) has not sent queries (UID,i,U_{i},F^{∗}) for all \(i \in \bar {S}\), to the oracle O_{key} such that the user’s UID property set {(i,U_{i})}_{i∈[N]} is accepted by F^{∗} and m^{∗} is in the range of the function F^{∗}.

Type I forgery: The tuples \((\textsf {vk}_{i^{\ast }},\textsf {UID}, U_{i^{\ast }}, F^{\ast })\) satisfy that \(\textsf {UID}\U_{i^{\ast }}\F^{\ast }\\textsf {vk}_{i^{\ast }}\) has not been signed under \(\textsf {mvk}_{i^{\ast }}\) for the queries of \(\mathcal {A}_{\textsf {MA}}\) to both the oracle O_{sign} and O_{key}.

Type II forgery: The tuples \((\textsf {vk}_{i^{\ast }},\textsf {UID}, U_{i^{\ast }}, F^{\ast })\) satisfy that \(\textsf {UID}\U_{i^{\ast }}\F^{\ast }\\textsf {vk}_{i^{\ast }}\) has been signed under \(\textsf {mvk}_{i^{\ast }}\) during the queries of \(\mathcal {A}_{\textsf {MA}}\) to both the oracle O_{sign} and O_{key}.
We now describe the signature adversary \(\mathcal {B}_{\textsf {Sig}}\). In the unforgeability game for the standard signature scheme, given the verification key vk_{Sig}, and access to a signing oracle \(\textsf {O}_{\textsf {Reg}_{\textsf {sig}}}\), \(\mathcal {B}_{\textsf {Sig}}\) wins the unforgeability game if he successfully outputs a forgery, i.e., a signature for a message that was not queried to \(\textsf {O}_{\textsf {Reg}_{\textsf {sig}}}\). In order to play the role of the challenger interacting with \(\mathcal {A}_{\textsf {MA}}\) in the security game for MAFS, \(\mathcal {B}_{\textsf {Sig}}\) must simulate the O_{key} and O_{sign} oracles. \(\mathcal {B}_{\textsf {Sig}}\) flips a coin b, and proceeds as following.
Case 1: b = 1 \(\mathcal {B}_{\textsf {Sig}}\) guesses that \(\mathcal {A}_{\textsf {MA}}\) will produce a Type I forgery:
 \(\textsf {O}_{\textsf {key}}(\textsf {UID}, i^{\ast }, U_{i^{\ast }}^{j}, F):\)

If there exists an entry for the tuple \((\textsf {UID}, i^{\ast }, U_{i^{\ast }}^{j},F)\) in the dictionary, then output the corresponding value \(K^{\textsf {UID}, U_{i^{\ast }}^{j}}_{i^{\ast }, F}\).

Otherwise, run (sk_{j},vk_{j}) ←Sig.Setup(1^{λ}) and send \(\textsf {UID}\U_{i^{\ast }}^{j}\F\\textsf {vk}_{j}\) to its own signing oracle to get \(\sigma _{\textsf {vk}_{i^{\ast }}^{j}}\leftarrow \textsf {O}_{\textsf {Reg}_{\textsf {sig}}}(\textsf {UID}\U_{i^{\ast }}^{j}\F\\textsf {vk}_{j})\). Set \(K^{\textsf {UID},U_{i^{\ast }}^{j}}_{i^{\ast }, F} =(\textsf {sk}_j, c^{\textsf {UID},U_{i^{\ast }}^{j}}_{i^{\ast },F})\) where \(c^{\textsf {UID},U_{i^{\ast }}^{j}}_{i^{\ast },F}=(\textsf {vk}_j, \sigma \) \(_{\textsf {vk}_{i^{\ast }}^{j}}, \textsf {UID}, U_{i^{\ast }}^{j}, F)\), add it to the dictionary, and output it.

 \(\textsf {O}_{\textsf {sign}}(\{\textsf {UID},i^{\ast },U_{i^{\ast }},F\}, \{K^{\textsf {UID},U_{i}}_{i, F}\}\text {} _{i\in [N]\backslash i^{\ast }}, m):\)

If there exists an entry for the tuple \(\{\textsf {UID},i^{\ast },U_{i^{\ast }},\) F} in the dictionary, namely the key \(K^{\textsf {UID},U_{i^{\ast }}}_{i^{\ast }, F}\), then it generates (F({(i,U_{i})}_{i∈[N]},m),σ) ←Sign({Ki,F UID,U_{i}}_{i∈[N]},m) and outputs the result.

Otherwise, \(\mathcal {B}_{\textsf {Sig}}\) samples a new pair of key for the signature scheme, \((\textsf {sk}_{i^{\ast }}, \textsf {vk}_{i^{\ast }})\leftarrow \textsf {Sig.Setup}(1^{\lambda })\), and obtains \(\sigma _{\textsf {vk}_{i^{\ast }}}\leftarrow \textsf {O}_{\textsf {Reg}_{\textsf {sig}}}\) \((\textsf {UID}\U_{i^{\ast }}\F\\textsf {vk}_{i^{\ast }})\) fr om its own signing oracle. It sets \(K^{\textsf {UID},U_{i^{\ast }}}_{i^{\ast }, F} :=(\textsf {sk}_{i^{\ast }}, c^{\textsf {UID},U_{i^{\ast }}}_{i^{\ast },F})\) where \(c^{\textsf {UID},U_{i^{\ast }}}_{i^{\ast },F}=(\textsf {vk}_{i^{\ast }}, \sigma _{\textsf {vk}_{i^{\ast }}}, \textsf {UID}, U_{i^{\ast }}, F)\), and adds it to the dictionary. For each i ∈ [N], it then computes σ_{i} ←Sig.Sign(sk_{i},m) and m^{∗} = F({(i,U_{i})}_{i∈[N]},m). It sets σ := (m,{ci,F UID,U_{i}}_{i∈[N]},{σ_{i}}_{i∈[N]}), then outputs (m^{∗},σ).

Eventually, \(\mathcal {A}_{\textsf {MA}}\) outputs a message signature forgery \(\left (m^{\ast },\sigma ^{\ast }=(\tilde {m}, \{c^{\textsf {UID},U_{i^{\ast }}}_{i^{\ast },F^{\ast }}, \sigma ^{\ast }_{i^{\ast }}\},\{c^{\textsf {UID},U_{i}}_{i,F^{\ast }},\sigma ^{\ast }_{i}\}\text {} _{i\in [N]\backslash i^{\ast }})\right )\) where \(c^{\textsf {UID},U_{i}}_{i,F^{\ast }}=(\textsf {vk}_{i}, \sigma _{\textsf {vk}_{i}}, \textsf {UID}, U_{i}, F^{\ast })\) for each i ∈ [N]. Since the forgery satisfies Sig.Verify(mvk \(_{i^{\ast }}, \textsf {UID}\U_{i^{\ast }}\F^{\ast }\\textsf {vk}_{i^{\ast }}, \sigma ^{\ast }_{\textsf {vk}_{i^{\ast }}})= 1\), \(\mathcal {B}_{\textsf {Sig}}\) outputs \((\textsf {UID}\U_{i^{\ast }}\) \(\F^{\ast }\\textsf {vk}_{i^{\ast }},\sigma ^{\ast }_{\textsf {vk}_{i^{\ast }}})\) as its messageforgery pair in the security game for the standard signature scheme.
Case 2: b = 0 \(\mathcal {B}_{\textsf {Sig}}\) guesses that \(\mathcal {A}_{\textsf {MA}}\) will produce a Type II forgery:
 \(\textsf {O}_{\textsf {key}}(\textsf {UID}, i^{\ast }, U_{i^{\ast }}^{j}, F):\)

If there exists an entry for tuple (UID,i^{∗}, \( U_{i^{\ast }}^{j}, F)\) in the dictionary, with value Chal, abort;

If there exists an entry for tuple (UID,i^{∗}, \( U_{i^{\ast }}^{j}, F)\) in the dictionary and its value is not Chal, then output the corresponding value \(K^{\textsf {UID}, U_{i^{\ast }}^{j}}_{i^{\ast }, F}\).

Otherwise, generate (sk_{j},vk_{j}) ←Sig.Setup (1^{λ}) and \(\sigma _{\textsf {vk}_{i^{\ast }}^{j}}\leftarrow \textsf {Sig.Sign}(\textsf {msk}_{i^{\ast }}, \textsf {UID}\U_{i^{\ast }}\) ^{j}∥F∥vk_{j}). Set \(K^{\textsf {UID},U_{i^{\ast }}^{j}}_{i^{\ast }, F}=(\textsf {sk}_{j}, c^{\textsf {UID},U_{i^{\ast }}^{j}}_{i^{\ast },F})\) where \(c^{\textsf {UID},U_{i^{\ast }}^{j}}_{i^{\ast },F}=(\textsf {vk}_{j}, \sigma _{\textsf {vk}_{i^{\ast }}^{j}}, \textsf {UID}, U_{i^{\ast }}^{j}, F)\), add it to the dictionary, and output it.

 \(\textsf {O}_{\textsf {sign}}(\{\textsf {UID},i^{\ast },U_{i^{\ast }},F\}, \{K^{\textsf {UID},U_{i}}_{i, F}\}\text {} _{i\in [N]\backslash i^{\ast }}, m):\)

If there exists an entry for tuple \(\{\textsf {UID},i^{\ast },U_{i^{\ast }},F\}\) in the dictionary, namely the key \(K^{\textsf {UID},U_{i^{\ast }}}_{i^{\ast }, F}\), then it runs (F({(i,U_{i})}_{i∈[N]}, m),σ) ←Sign({Ki,F UID,U_{i}}_{i∈[N]},m) and outputs the result.

If there is no \(\{\textsf {UID},i^{\ast },U_{i^{\ast }},F\}\) entry in the dictionary, and numkeys≠q^{∗}, then \(\mathcal {B}_{\textsf {Sig}}\) generates a new key pair of signature scheme, \((\textsf {sk}_{i^{\ast }}, \textsf {vk}_{i^{\ast }})\leftarrow \textsf {Sig.Setup}(1^{\lambda })\), signs \(\textsf {UID}\U_{i^{\ast }}\F\\textsf {vk}_{i^{\ast }}\) under \(\textsf {msk}_{i^{\ast }}\): \(\sigma _{\textsf {vk}_{i^{\ast }}}\leftarrow \textsf {Sig.Sign}(\textsf {msk}_{i^{\ast }},\textsf {UID}\U_{i^{\ast }}\F\\textsf {vk}_{i^{\ast }})\). \(\mathcal {B}_{\textsf {Sig}}\) sets \(K^{\textsf {UID},U_{i^{\ast }}}_{i^{\ast }, F} :=(\textsf {sk}_{i^{\ast }}, c^{\textsf {UID},U_{i^{\ast }}}_{i^{\ast },F})\) where \(c^{\textsf {UID},U_{i^{\ast }}}_{i^{\ast },F}\) = \((\textsf {vk}_{i^{\ast }}, \sigma _{\textsf {vk}_{i^{\ast }}}, \textsf {UID}, U_{i^{\ast }}, F)\), and adds it to the dictionary. For each i ∈ [N], it computes σ_{i} ←Sig.Sign(sk_{i},m) and m^{∗} = F({(i,U_{i})}_{i∈[N]},m). Set σ = (m,{ci,F UID,U_{i}}_{i∈[N]},{σ_{i}}_{i∈[N]}), then output (m^{∗},σ). numkeys is then incremented.

If there is no \(\{\textsf {UID},i^{\ast },U_{i^{\ast }},F\}\) entry in the dictionary and numkeys = q^{∗}, or if the \(\{\textsf {UID},i^{\ast },U_{i^{\ast }},F\}\) entry in the dictionary is set to Chal, then \(\mathcal {B}_{\textsf {Sig}}\) sets \(\textsf {vk}_{i^{\ast }} :=\textsf {vk}_{\textsf {Sig}}\), signs \(\textsf {UID}\U_{i^{\ast }}\F\\textsf {vk}_{\textsf {Sig}}\) under \(\textsf {msk}_{i^{\ast }}\): \(\sigma _{\textsf {vk}_{i^{\ast }}}\leftarrow \textsf {Sig.Sign}(\textsf {msk}_{i^{\ast }},\textsf {UID}\U_{i^{\ast }}\F\\textsf {vk}_{\textsf {Sig}})\), and queries its oracle for a signature of m under vk_{Sig}, \(\sigma _{i^{\ast }}\leftarrow \textsf {O}_{\textsf {Reg}_{\textsf {sig}}}(m)\). Set \(c^{\textsf {UID},U_{i^{\ast }}}_{i^{\ast },F}=(\textsf {vk}_{i^{\ast }}, \sigma _{\textsf {vk}_{i^{\ast }}}, \textsf {UID}, U_{i^{\ast }}, F)\). For each i ∈ [N]∖i^{∗} it then runs σ_{i} ←Sig.Sign(sk_{i},m) and m^{∗} = F({(i,U_{i})}_{i∈[N]},m). Set σ = (m,{ci,F UID,U_{i}}_{i∈[N]},{σ_{i}}_{i∈[N]}), then output (m^{∗},σ). If there is no \(\{\textsf {UID},i^{\ast },U_{i^{\ast }},F\}\) entry in the dictionary, \(\mathcal {B}_{\textsf {Sig}}\) sets it to Chal. And numkeys is then incremented.

If \(\mathcal {B}_{\textsf {Sig}}\) does not abort, \(\mathcal {A}_{\textsf {MA}}\) will output a signature \(\left (m^{\ast },\sigma ^{\ast }=(\tilde {m}, \{c^{\textsf {UID},U_{i^{\ast }}}_{i^{\ast },F^{\ast }}, \sigma ^{\ast }_{i^{\ast }}\},\{c^{\textsf {UID},U_{i}}_{i,F^{\ast }},\sigma ^{\ast }_{i}\}\text {} _{i\in [N]\backslash i^{\ast }})\right )\) wh ere \(c^{\textsf {UID},U_{i}}_{i,F^{\ast }}=(\textsf {vk}_{i}, \sigma _{\textsf {vk}_{i}}, \textsf {UID}, U_{i}, F^{\ast })\) for every i ∈ [N]. \(\mathcal {B}_{\textsf {Sig}}\) outputs \((\tilde {m},\sigma ^{\ast }_{i^{\ast }})\) as its forgery for the standard signature scheme under vk_{Sig}.
We will now argue that if \(\mathcal {A}_{\textsf {MA}}\) forges in the MAFS scheme with nonnegligible probability then \(\mathcal {B}_{\textsf {Sig}}\) wins the unforgeability game for the standard signature scheme with nonnegligible probability. We note that as long as \(\mathcal {A}_{\textsf {MA}}\) doesn’t query the O_{key} oracle for the secret key corresponding to the embedded vk_{Sig} challenge, then \(\mathcal {B}_{\textsf {Sig}}\) perfectly simulates the O_{key} and O_{sign} oracle.
Now, if \(\mathcal {A}_{\textsf {MA}}\) produces a Type I forgery, then this forgery must consist of a signature on a new message \(\textsf {UID}\U_{i^{\ast }}\F^{\ast }\\textsf {vk}_{i^{\ast }}\) that was not ever signed under the i^{∗} authority’s master verification key \(\textsf {mvk}_{i^{\ast }}\) during the queries of \(\mathcal {A}_{\textsf {MA}}\) to both the oracle O_{key} and O_{sign}, which means that \(\mathcal {A}_{\textsf {MA}}\) produces a forgery on a new message \(\textsf {UID}\U_{i^{\ast }}\F^{\ast }\\textsf {vk}_{i^{\ast }}\) that \(\mathcal {B}_{\textsf {Sig}}\) did not query to his signature oracle, which yields a forgery for the standard signature scheme.
If \(\mathcal {A}_{\textsf {MA}}\) produces a Type II forgery, by definition the corresponding \(\textsf {UID}\U_{i^{\ast }}\F^{\ast }\\textsf {vk}_{i^{\ast }}\) should already have been signed under the i^{∗} authority’s master verification key \(\textsf {mvk}_{i^{\ast }}\) during the queries of \(\mathcal {A}_{\textsf {MA}}\) to both the oracle O_{key} and O_{sign}. We declare that the tuple (UID, i^{∗}, \(U_{{i}^{\ast }}\), F^{∗}) cannot be queried to O_{key} by \(\mathcal {A}_{\textsf {MA}}\), since if it is then given the responded signing key, producing a signature under this signing key is not a valid forgery in the MAFS scheme. Therefore, the tuple (UID, i^{∗}, \({U}_{{i}^{\ast }}\), F^{∗}) must then have been issued as a query to O_{sign}. Namely, the verification key \(\textsf {vk}_{i^{\ast }}\) must be freshly generated for a query of form \(\textsf {O}_{\textsf {sign}}(\{\textsf {UID},i^{\ast },U_{i^{\ast }},F^{\ast }\}, \{K^{\textsf {UID},U_{i}}_{i, F^{\ast }}\}\text {} _{i\in [N]\backslash i^{\ast }}, m)\) for which no entry under index \((\textsf {UID}, i^{\ast }, U_{i^{\ast }}, F^{\ast })\) previously existed, and then the pair \(\textsf {UID}\U_{i^{\ast }}\F^{\ast }\\textsf {vk}_{i^{\ast }}\) was signed under the master signing key of identity i^{∗}. Note that if \(\mathcal {A}_{\textsf {MA}}\) produces a Type II forgery and \(\mathcal {B}_{\textsf {Sig}}\) correctly guessed q^{∗} where his challenge is embedded in as well as \(\mathcal {B}_{\textsf {Sig}}\) does not abort, the forgery produced by \(\mathcal {A}_{\textsf {MA}}\) must consist of a signature on a new message \(\tilde {m}\) under vk_{Sig}, for a \(\tilde {m}\) that \(\mathcal {B}_{\textsf {Sig}}\) has not queried from his own signing oracle, and therefore such a signature also constitutes a forgery for the standard signature scheme.
We note that, if \(\mathcal {B}_{\textsf {Sig}}\) does abort, it only can occur when \(\mathcal {B}_{\textsf {Sig}}\) did not guess the correct q^{∗}, since another possible condition of abort occurrence is when \(\mathcal {A}_{\textsf {MA}}\) made a query as \(\textsf {O}_{\textsf {key}}(\textsf {UID}, i^{\ast }, U_{i^{\ast }}, F^{\ast })\), which is not allowed since if the adversary has queried the \(\textsf {O}_{\textsf {key}}(\textsf {UID}, i^{\ast }, U_{i^{\ast }}, F^{\ast })\), no message in the range of F^{∗} would be considered a forgery in the MAFS game.
Thus, if \(\mathcal {A}_{\textsf {MA}}\) produces a forgery in MAFS scheme with nonnegligible probability \(\frac {1}{Poly(\lambda )}\), then \(\mathcal {B}_{\textsf {Sig}}\) successfully forges in the underlying signature scheme with nonnegligible probability \(\frac {1}{2Q(\lambda )Poly(\lambda )}\), which contradicts with the assumption that Sig is existentially unforgeable. We conclude that the MAFS scheme as specified above is unforgeable as defined in Section 4. □
5.2 Functionprivate MAFS from SNARKs
While the construction of MAFS above does not provide function privacy property, in this section we show how to obtain a MAFS scheme satisfying function privacy in the common reference string (CRS) model by employing the building blocks of a FS without function privacy guarantee and a succinct noninteractive argument of knowledge (SNARK). In the CRS model there is an additional setup algorithm, which takes as input the security parameter and outputs the CRS for the system.
As mentioned in the Remark 1, we considered the policy function F consisting of a predicate Predic which is to indicate the set of properties are accepted or not, and a deterministic function f which is to work on the input message. The functionality of policy function \(F(\{(id,U_{id})\}\text {} _{(id,U_{id})\in {\Gamma }}, m)\) is first to check \(\textsf {Predic}(\{(id, U_{id})\}\text {} _{(id,U_{id})\in {\Gamma }})= 1\), if it is true then output f(m); else output ⊥. In this section, we represent the policy function F as Predic∥f, which means for input \((\{(id,U_{id})\}\text {} _{(id,U_{id})\in {\Gamma }}, m)\), Predic∥f firstly compute \(\textsf {Predic}(\{(id,U_{id}) \}\text {} _{(id,U_{id})\in {\Gamma }})\), if the predicate circuit accepts then output f(m), otherwise output ⊥.
 Setup(1^{λ}) :

Choose a CRS for the ZKSNARK: crs ←SNARK.Gen(1^{λ}).

 ASetup(i,1^{λ}) :

Authority i ∈ [N] samples a pair of keys for Sig: (sk_{i},vk_{i}) ←Sig.Setup(1^{λ}).

Set the master secret key MSK_{i} = sk_{i}, and the master verification key MVK_{i} = vk_{i}.

 KeyGen(MSK_{i},UID,U,Predic∥f) :

Parse MSK_{i} = sk_{i} and sample a master secret and verification key for the functional signature scheme FS.Setup(1^{λ}) → (msk_{i},mvk_{i}).

Compute η_{i} ←Sig.Sign(sk_{i},UID∥U∥Predic∥mvk_{i}) and \(\textsf {sk}^{f}_{i}\leftarrow \textsf {FS.KeyGen}(\textsf {msk}_{i}, f)\).

Create the certificate \(c^{\textsf {UID},U}_{i,\textsf {Predic}}=(\eta _{i}, \textsf {UID}, U, \textsf {Predic}, \textsf {mvk}_{i})\).

Set \(K^{\textsf {UID}, U}_{i,\textsf {Predic}\f}=(\textsf {sk}^f_{i}, c^{\textsf {UID},U}_{i,\textsf {Predic}})\) and output a key \(K^{\textsf {UID}, U}_{i,\textsf {Predic}\f}\).

 Sign(crs,{Ki,Predic∥f UID,U_{i}}_{i∈[N]},m) :

Parse \(K^{\textsf {UID}, U_{i}}_{i,\textsf {Predic}\f}=(\textsf {sk}^f_{i}, c^{\textsf {UID},U_{i}}_{i,\textsf {Predic}})\) where ci,PredicUID,U_{i} = (η_{i},UID,U,Predic,mvk_{i}).

For all i ∈ [N] if UID are the same and Predic({(i,U_{i})}_{i∈[N]}) = 1, then run \((f(m),\sigma _{i})\rightarrow \textsf {FS.Sign}(\textsf {sk}^{f}_{i}, m)\).

Run π_{i} ←SNARK.Prove ((f(m),{mvk_{i}}_{i∈[N]}),{σ_{i}}_{i∈[N]},crs), a ZKSNARK that (f(m),{mvk_{i}}_{i∈[N]}) ∈ L, where L is defined as above.

Set m^{∗} = f(m) and σ = ({ci,PredicUID,U_{i}}_{i∈[N]},π).

Output (m^{∗},σ).

 Verify(crs,{MVK_{i}}_{i∈[N]},m^{∗},σ) :
 Parse MVK_{i} = vk_{i} and σ = ({ci,PredicUID,U_{i}}_{i∈[N]},π) where ci,PredicUID,U_{i} = (η_{i},UID,U,Predic,mvk_{i}), and perform the following checks. If all of the checks pass output 1; otherwise output 0.
 1.
UID are the same and Predic({(i,U_{i})}_{i∈[N]}) = 1;
 2.
Sig.Verify(vk_{i},UID∥U∥Predic∥mvk_{i},η_{i}) = 1for all i ∈ [N];
 3.
SNARK.Verify(crs,({mvk_{i}}_{i∈[N]},m^{∗}),π) = 1.
 1.

Theorem 4
Assume the existence of functional signature scheme FS supporting the class \(\mathcal {F}\) of polynomialsized circuits that satisfies unforgeability but not function privacy,Sig is an existentially unforgeable signature scheme, and SNARK be an adaptive zeroknowledge SNARK system for NP. Then, there exists a MAFS scheme as specified above, which satisfies both the unforgeability (Definition4) and function privacy (Definition 5).
Proof
We first prove that our scheme satisfies unforgeability. Let us fix a PPT adversary \(\mathcal {A}_{\textsf {MA}}\). We will use \(\mathcal {A}_{\textsf {MA}}\) to construct an adversary \(\mathcal {B}\) such that, if \(\mathcal {A}_{\textsf {MA}}\) wins in the unforgeability game for multiauthority functional signatures with nonnegligible probability, then \(\mathcal {B}\) either breaks the underlying signature scheme or functional signature scheme, which are assumed to be secure.

π^{∗} is a valid proof the statement ({mvk_{i}}_{i∈[N]},m^{∗}) ∈ L under CRS;

For each \(i\in \bar {S}\), \(\eta ^{\ast }_{i}\) is a valid signature of UID∥U_{i}∥Predic^{∗}∥mvk_{i} under vk_{i};

\(\mathcal {A}_{\textsf {MA}}\) has not sent a query of form \(\left (\{\textsf {UID},i, U_{i}, \textsf {Predic}^{\ast } \\tilde {f}\}\text {} _{i\in \bar {S}}, \{K^{\textsf {UID},U_{i}}_{i,\textsf {Predic}^{\ast }\\tilde {f}}\}\text {} _{i\in S}, \tilde {m}\right )\) to the signing oracle O_{sign} for any \(\tilde {f}\) and \(\tilde {m}\) such that \(\tilde {f}(\tilde {m})=m^{\ast }\).

\(\mathcal {A}_{\textsf {MA}}\) has not sent queries \((\textsf {UID}, i, U_{i}, \textsf {Predic}^{\ast }\\tilde {f})\) for all \(i \in \bar {S}\), to the oracle O_{key} such that the user UID’s property set {(i,U_{i})}_{i∈[N]} is accepted by Predic^{∗} and for any \(\tilde {f}\) that has m^{∗} in its range.
In Case 1, \(\mathcal {B}\) finally outputs \((\textsf {UID}\U_{i^{\ast }}\\) \(\textsf {Predic}^{\ast }\\textsf {mvk}_{i^{\ast }}, \eta ^{\ast }_{i^{\ast }})\) as its messageforgery pair for the standard signature scheme. Whereas, in Case 2, \(\mathcal {B}\) runs the extractor E_{2}(crs,trap,(m^{∗},{mvk_{i}}_{i∈[N]}),π^{∗}) to recover a witness \(w=\{\sigma ^{\ast }_{i}\}\text {} _{i\in [N]}\) such that \(\textsf {FS.Verify}(\textsf {mvk}_{i},m^{\ast }, \sigma ^{\ast }_{i})= 1\) for all i ∈ [N]. \(\mathcal {B}\) then outputs \((m^{\ast },\sigma ^{\ast }_{i^{\ast }})\) as a forgery for the FS scheme under mvk_{FS}.
We will now argue that if \(\mathcal {A}_{\textsf {MA}}\) forges the MAFS scheme with nonnegligible probability, then \(\mathcal {B}\) either wins the unforgeability game for the standard signature scheme or the functional signature with nonnegligible probability.
Hybrid 0 The real MAFS challenge experiment. Namely, the CRS is generated in the honest manner crs ←SNARK.Gen(1^{λ}). Let Forge_{0} denote the probability of the adversary producing a valid forgery in the MAFS scheme in this game.
Hybrid 1 The same experiment as Hybrid 0, except that the CRS is generated using the extractor, (crs,trap) ←E_{1}(1^{λ}). Let Forge_{1} denote the probability of the adversary producing a valid forgery in a MAFS scheme in this game. Following directly from the fact that the CRS values generated via the standard algorithm Gen and those generated by the extractor algorithm E_{1} are statistically close, we have Forge_{1} −Forge_{0} ≤ negl(λ).
Hybrid 2 The same experiment as Hybrid 1. And at the end we apply the ZKSNARK extraction algorithm on the adversary’s forgery \(\sigma ^{\ast }=(\{c^{\textsf {UID},U_{i}}_{i,\textsf {Predic}^{\ast }}\}\text {} _{i\in [N]}, \pi ^{\ast })\) (on message m^{∗}) in the MAFS scheme: i.e., \(\textsf {E}_{2}(\textsf {crs}, \textsf {trap}, (m^{\ast }, \{\textsf {mvk}_{i}\}\text {} _{i\in [N]}), \pi ^{\ast })\rightarrow \{\sigma ^{\ast }_{i}\}\text {} _{i\in [N]}\). Let Forge_{2} denote the probability that \(\sigma ^{\ast }_{i^{\ast }}\) is a valid signature in the underlying FS scheme on a message m^{∗}. Following directly from the extraction property of the ZKSNARK system, we have Forge_{2} −Forge_{1} ≤ negl(λ).
Since Forge_{2} is precisely the probability that the adversary \(\mathcal {B}\) constructed above produces a successful forgery in the unforgeability game for FS, due to the unforgeability of FS, we have Forge_{2} ≤ negl(λ).
To prove that our scheme satisfies function privacy, we show that if there exists a PPT adversary \(\mathcal {A}_{\textsf {priv}}\) wining the function privacy game for MAFS with nonnegligible advantage, then there exists an PPT adversary breaking the zero knowledge security game of the ZKSNARK. More specifically, consider the following two hybrid games:
Hybrid 0 The real function privacy game. Namely, the CRS for the ZKSNARK system is honestly generated crs ←SNARK.Gen(1^{λ}). To generate the challenge signature on message m_{b} for a random bit b ∈{0,1}, the challenger first generates a signature on m_{b} under the underlying FS scheme: \(({f}_{b}({m}_{b}),\sigma _{i})\rightarrow \textsf {FS.Sign}(\textsf {sk}^{{f}_{b}}_{i}, m_b)\) for each i ∈ [N] and then honestly generates a proof π ←SNARK.Prove ((f_{b}(m_{b}),{mvk_{i}}_{i∈[N]}),{σ_{i}}_{i∈[N]},crs).
Hybrid 1 The same game as Hybrid 0 except that the proof in the challenge signature is generated in the simulated manner. Namely, the CRS is generated using the simulator algorithm \((\textsf {crs}, \textsf {trap})\leftarrow \mathcal {S}^{\textsf {crs}}(1^{\lambda })\). The challenger then uses the simulator to generate the proof \(\pi \leftarrow \mathcal {S}^{\textsf {Proof}}((\textsf {crs}, \textsf {trap}),(m^{\ast }, \{\textsf {mvk}_{i}\}\text {} _{i\in [N]}))\), where m^{∗} = f_{0}(m_{0}) = f_{1}(m_{1}).
Following directly from the zero knowledge property of the ZKSNARK system, the difference between the advantage of the adversary \(\mathcal {A}_{\textsf {priv}}\) in guessing the bit b in Hybrid 0 and Hybrid 1 is negligible. Note that the view of \(\mathcal {A}_{\textsf {priv}}\) in Hybrid 1 is independent with the bit b, hence any PPT adversary cannot correctly guess the bit b with nonnegligible advantage. □
6 Conclusion
The emergence of the IoT, has led to millions of sensors and smart devices sending sensitive data across communication networks. Thus, it is of utmost importance to address the challenge of guaranteeing the integrity and authentication of the transmitted information. To achieve that we propose a generalized signature scheme with a fine grained access control, that can provide significant advantages to the digital world, in application settings where the authenticity of shared information is crucial e.g., smart healthcare, smart homes, smart cities. In this paper, we introduce the definition of multiauthority functional signatures (MAFSs) for general policy functions, and provide a general transformation from a standard signature scheme to a MAFS scheme satisfying unforgeability property but not function privacy. Given a nonfunctionprivate functional signature and a SNARK we provide a way to build a function private MAFS scheme.
Our MAFS can properly solve the problem we depicted in the IoT related delivery operation world and successfully provides both businesses and customers greater visibility and trackability of their products and parcels than ever before. In particular, by using our MAFS the records of all transactions during the enroute of delivery is able to be kept and renewed. Moreover, we allow the multiple authorities to be involved in the execution of the transactions, meanwhile ensuring that the users are able to verify all the transactions occurred in the network. We believe our MAFS can be applied to other IoT related application scenarios.
Notes
Acknowledgments
This work has been partially supported by a STINT SwedenJapan 150 Anniversary Grant and the VR project PRECIS.
References
 1.Amendola S, Lodato R, Manzari S, Occhiuzzi C, Marrocco G (2014) Rfid technology for iotbased personal healthcare in smart spaces. IEEE Internet Things J 1(2):144–152CrossRefGoogle Scholar
 2.Boyle E, Goldwasser S, Ivan I (2014) Functional signatures and pseudorandom functions. In: Proceedings of PKC 2014, pp 501–519. SpringerGoogle Scholar
 3.Chandran N, Goyal V, Jain A, Sahai A (2015) Functional encryption: decentralised and delegatable. IACR Cryptology ePrint Archive 2015:1017Google Scholar
 4.Cocchia A (2014) Smart and digital city: a systematic literature review. In: Smart city, pp 13–43. SpringerGoogle Scholar
 5.Diffie W, Hellman M (2006) New directions in cryptography. IEEE Trans Inf Theor 22(6):644–654MathSciNetCrossRefGoogle Scholar
 6.Du Kk, Wang Zl, Mi H (2013) Human machine interactive system on smart home of iot. J China Univ Posts Telecommun 20:96–99CrossRefGoogle Scholar
 7.Jie Y, Pei JY, Jun L, Yun G, Wei X (2013) Smart home system based on iot technologies. In: 2013 fifth international conference on computational and information sciences (ICCIS), pp 1789–1791. IEEEGoogle Scholar
 8.Jin J, Gubbi J, Marusic S, Palaniswami M (2014) An information framework for creating a smart city through internet of things. IEEE Internet Things J 1(2):112–121CrossRefGoogle Scholar
 9.Maji HK, Prabhakaran M, Rosulek M (2011) Attributebased signatures. In: Cryptographers’ track at the RSA conference, pp 376–392. SpringerGoogle Scholar
 10.Okamoto T, Takashima K (2011) Efficient attributebased signatures for nonmonotone predicates in the standard model. In: Proceedings of PKCGoogle Scholar
 11.Okamoto T, Takashima K (2010) Fully secure functional encryption with general relations from the decisional linear assumption. In: Annual cryptology conference, pp 191–208. SpringerGoogle Scholar
 12.Okamoto T, Takashima K (2013) Decentralized attributebased signatures. In: Proceedings of PKC 2013, pp 125–142Google Scholar
Copyright information
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.