1 Introduction

There exist two types of digital signature designs: (1) signature schemes in which the original message of the signature is required to be transmitted together with the signature, and (2) signature schemes with message recovery in which the message is embedded in a signature and can be recovered from the signature during verification process. The latter approach reduces the total size of the original message and the appended signature, hence interesting for applications where bandwidth is at prime concern. Message recovery signatures are also appropriate for applications in which small messages should be signed.

Attribute Based Signature (ABS) schemes are broadly categorized as (i) key-policy ABS [6, 12]: the signing key is associated with an access structure and a message is signed with an attribute set satisfying the access structure, and (ii) signature-policy ABS [10, 11]: the signing key is tagged with an attribute set and a message is signed with an access structure (or predicate) satisfied by the attribute set.

Maji et al. [10, 11] proposed signature-policy ABS schemes with formal security definitions of existential unforgeability and signer privacy. The signature leaks no other attribute information about the original signer except the fact that a single user with some set of attributes satisfying the predicate has generated the signature. A formal definition and security model for threshold key-policy ABS are presented in [6, 12] together with schemes that support small as well as large attribute universe. In small universe schemes, the set of attributes used in the system is fixed during system setup. On the contrary, in large universe constructions, the size of the attribute universe can be exponentially large in the security parameter as the attribute parameters are dynamically computed after the system setup. The signer privacy for key-policy ABS of [6, 12] ensures that the signature of a message for the attribute set W reveals nothing about the access structure \(\mathbb {A}\) of the signer except the fact that \(\mathbb {A}\) is satisfied by W. Specifically, even a computationally unbounded adversary cannot recognize the access structure or the signing key used to compute the given signature. ABS has found several applications like attribute based messaging, attribute based authentication and trust-negotiation, leaking secrets, etc.

The protection of secret key (decryption key in case of encryption whereas signing key in case of digital signature) is pivotal to all security guarantees in any cryptosystem. Standard notions of security cannot protect the system once its secret key gets compromised. In practice, we cannot assume the secret keys are kept perfectly secure at all times. For instance, an adversary might learn secret information from a physically compromised device or from a malicious user. A variety of frameworks have been proposed in an attempt to mitigate the potential damages caused by secret key exposure, including forward security [2], key-insulated cryptography [5] and intrusion resilience [7]. We focus here on key-insulation mechanism in the context of digital signature design. In this framework, a physically secure but computationally limited device, called helper, is involved. Initially, the key generation authority creates a helper key and initial signing key for every user. The helper key is stored in helper whereas the initial signing key is issued to respective user. The lifetime of the system is divided into several discrete time periods. The user can update his initial signing key at regular time periods with the help of helper without further access to the key generation authority. This greatly reduces unnecessary burden on the authority. The updated signing keys are called temporary signing keys. In every time period, the user can obtain the temporary signing key for the current time period by combining the temporary signing key of the previous time period with the partial key returned by the helper. The partial key is computed using helper key. Note also that any temporary signing key can be updated to either future time periods or past time periods according to user choice. The public key remains same throughout the lifetime. A temporary signing key for some time period is used to sign every message during that time period. The signatures are labeled with the time period during which they were generated. The exposure of signing keys for some time periods do not enable an adversary to create signing keys for non-exposed time periods as long as the helper is not compromised (it is assumed that helper is physically secure). Thus this framework can minimize the damage caused by signing key exposure.

Recently, Chen et al. [4] added key-insulation mechanism to the key-policy ABS of [9] and constructed an attribute based key-insulated signature (ABKIS) scheme in the key-policy setting. The ordinary ABS schemes are not appropriate for certain applications. For instance, consider a scenario in which Alice, who is a bank manager, wishes to take a vacation and wants to delegate her subordinate Bob to complete her daily business. Clearly, the mere ABS schemes are not enough to meet such requirements. Using ABKIS frame work, Alice can compute the temporary signing keys correspond to the time periods of her vacation and send those keys to Bob. Consequently, Bob can sign on behalf of Alice during the designated time periods.

There are several limitations of [4]: (a) The scheme handles only threshold policies, i.e., the signing key is computed according to threshold policy. The signing and verification attribute sets are essentially the same, i.e., the scheme reveals the attributes that the signer used to generate the signature. This may not desirable for certain applications like secret-leaking environments [11]. However, the scheme preserves signer privacy, a legitimate signer is indistinguishable among all the users whose access structures accepting the attribute set specified in the signature verification. (b) The size of the signature and the number of pairings required in verification are proportional to the number of underlying attributes. Specifically, the signature includes 4 group elements for each involved attribute and verification process requires 4 pairing operations for each required attribute, which could be prohibitively costly. (c) The scheme works for small universes of attributes. We address each of these limitations in this work.

Wang et al. [13] proposed a threshold policy ABS scheme with message recovery based on [8] and an identity based message recovery signature [15]. The size of the signature and the number of pairings during verification grow linearly with the number of involved attributes, in [13]. There is no ABKIS with message recovery proposed so far. Note that one can extend the ABKIS of [4] to support message recovery mechanism using the framework of [15], but the above mentioned limitations (a), (b) and (c) remain unchanged. To the best of our knowledge, [4] is the only ABKIS scheme (without message recovery) available in the literature.

1.1 Our Contribution

In this work, we consider designing key-insulated signatures with message recovery in the attribute based setting to achieve the following three main goals (i) secret key security: to mitigate the damage caused by the signing key exposure, (ii) communication efficiency: to realize constant message-signature size and (iii) expressive access policies: to exploit as expressive access structures as possible.

We propose the first attribute based key-insulated signature, ABKIS, schemes with message recovery for expressive linear secret-sharing scheme (LSSS)-realizable access structures in the key-policy framework. Our designs feature constant number of pairing computations for signature verification and constant message-signature length. In these constructions, the signing key is computed according to LSSS-realizable access structure over signer’s attributes. We present two variants of these schemes, the first for small attribute universe and the second for large universe setting.

Small Universe Construction. We construct an ABKIS scheme with message recovery for small universes of attributes, referred as SU-ABKIS, by adapting the message recovery technique of [15], in which the whole message is embedded in a signature and it can be recovered by the verification algorithm. The signer can update his signing key to any time period without help of the authority and without changing his access structure by interacting with a helper device (it holds another secret key called helper key which is user specific). The signature consists of 4 group elements and a fixed length string (the string is appeared due to message recovery mechanism), and the signature verification can be done within 4 pairing executions. These measures are independent of the number of required attributes.

Large Universe Construction. We also present another ABKIS scheme with message recovery that can deal with large universe of attributes, referred as LU-ABKIS. The LU-ABKIS preserves the same functionality as that of SU-ABKIS except the size of public parameters is linear to the maximum number of attributes used to sign a message, as opposed to the size of attribute universe in small universe construction. And, verification needs \(\delta \) exponentiations in addition to 4 pairings, \(\delta \) is the number of attributes used in signing process. In our LU-ABKIS, the actual attribute set used to sign a message is hidden inside a larger attribute set and the verifier is provided with the latter one to verify the signature. As a result, the verifier cannot recognize the actual set of attributes utilized in the signing process (see Remark 6 in Sect. 3.1 for details). In contrast, the ABKIS of [4] needs to reveal the original signing attribute set to verify the signature. This means the signing and verification attribute sets are equal. In sum, our LU-ABKIS construction overcomes all the limitations (a), (b) and (c) of [4] mentioned in the previous section (see Table 1).

Table 1. Comparative summary of ABKIS schemes.
Full size table

Both the proposed signature schemes protect signer privacy in the sense that the distribution of the signature is independent of the signing key used to compute it and hence no one can get any information about the signer’s access structure or attributes involved in the generation of a signature. Consequently, a legitimate signer is indistinguishable among all the users whose access structures accepting the attribute set specified in the signature verification. The signing key size in both the proposed constructions is quadratic in number of involved attributes. However, the number of required bilinear pairing evaluations is independent of this size. The key-insulated and strong key-insulated security of our ABKIS schemes are analyzed in selective attribute set and random oracle model under the computational Diffie Hellman Exponent (cDHE) assumption.

Table 1 presents comparative summary of our schemes against ABKIS (without message recovery) scheme [4].

2 Preliminaries

We use the following notations in the rest of the paper.

figure a

Definition 1

We use multiplicative cyclic groups \(\mathbb {G}, \mathbb {G}_{0}\) of prime order p with an efficiently computable mapping \(e:\mathbb {G} \times \mathbb {G} \rightarrow \mathbb {G}_{0}\) such that \(e(u^{a},v^{b})=e(u,v)^{ab},\) \(\forall ~u,v \in \mathbb {G}\), \(a,b \in \mathbb {Z}_{p}\) and \(e(u, v)\ne 1_{\mathbb {G}_{0}}\) whenever \(u, v\ne 1_{\mathbb {G}}.\) Here \(1_{\mathbb {G}}\) (or \(1_{\mathbb {G}_{0}}\)) is identity element in \(\mathbb {G}\) (or \(\mathbb {G}_{0}\)). We denote the bilinear group parameters as \(\Sigma =(p, \mathbb {G}, \mathbb {G}_{0}, e)\) in the remainder of the paper.    \(\square \)

Definition 2

Given the instance \((g, g^{a},\ldots , g^{a^{q}}, g^{a^{q+2}},\ldots , g^{a^{2q}})\in \mathbb {G}^{2q},\) where \(a\leftarrow _{R}\mathbb {Z}_{p},\) a random generator \( g\leftarrow _{R}\mathbb {G},\) the computational q-Diffie-Hellman Exponent (q-DHE) problem is to compute \(g^{a^{q+1}}\).    \(\square \)

Definition 3

Let U be the universe of attributes and \(\mathcal {P}(U)=\{S: S\subset U\}.\) Let \(\mathcal {P}(U)^{*}=\mathcal {P}(U)\setminus \{\emptyset \}.\) Every non-empty subset \(\mathbb {A}\) of \(\mathcal {P}(U)^{*}\) is called an access structure. Any access structure \(\mathbb {A}\) satisfying the condition \([A\subseteq B~{\text {and}} ~ A\in \mathbb {A}~{\text {implies}} ~B\in \mathbb {A}]\) is called a monotone access structure. An attribute set C satisfies the (monotone) access structure \(\mathbb {A}\) (in other words, \(\mathbb {A}\) accepts C) if and only if \(C\in \mathbb {A}.\) In this case, C is called an authorized set in \(\mathbb {A}.\) Note that C does not satisfy \(\mathbb {A}\) if and only if \(C\notin \mathbb {A}.\)    \(\square \)

Definition 4

Let \(\mathbb {A}\) be a monotone access structure. A linear secret sharing scheme (LSSS) for \(\mathbb {A}\) over a field \(\mathbb {Z}_{p}\) is an \(\ell \times k\) matrix \(\mathbb {M}\) with entries in \(\mathbb {Z}_{p},\) along with a row labeling function \(\rho \) which associates each row i of \(\mathbb {M}\) with an attribute \(\rho (i)\) in \(\mathbb {A},\) that consists of the following two polynomial time algorithms:

  • Share  \((\mathbb {M}, \rho , \alpha )\) takes as input \(\mathbb {M}, \rho \) and a secret \(\alpha \in \mathbb {Z}_{p}\) to be shared. It samples \(a_{2}, a_{3}, \ldots , a_{k} \leftarrow _{R} \mathbb {Z}_{p} \) and sets \(\mathbf {v}=(\alpha , a_{2}, a_{3}, \ldots , a_{k})\in \mathbb {Z}_{p}^{k}.\) It outputs a set \(\{\lambda _{\rho (i)}:\lambda _{\rho (i)}=\mathbf {M_{i}}\mathbf {v}\}_{i\in [\ell ]}\) of \(\ell \) shares, where \(\mathbf {M_{i}}\in \mathbb {Z}_{p}^{k}\) is ith row of the matrix \(\mathbb {M}.\) The share \(\lambda _{\rho (i)}\) belongs to the attribute \(\rho (i).\)

  • Recover  \((\mathbb {M}, \rho , L)\) takes as input \(\mathbb {M}, \rho \) and an authorized attribute set \(L\in \mathbb {A}.\) It outputs a set of constants \(\{\omega _{i}\}_{i\in I}\subset \mathbb {Z}_{p},\) where \(I=\{i\in [\ell ]:\rho (i)\in L\},\) satisfying \(\sum _{i\in I} \omega _{i}\mathbf {M_{i}}=(1, 0, \ldots , 0),\) i.e., \(\sum _{i\in I} \omega _{i}\lambda _{\rho (i)}=\alpha .\)    \(\square \)

Remark 1

Note that the constants \(\{\omega _{i}\}_{i\in I}\) can be computed in time polynomial in the size of the matrix \(\mathbb {M}\) using Gaussian elimination. We denote \(\mathbb {A}\) by the LSSS \((\mathbb {M}, \rho )\) and is called LSSS-realizable access structure.    \(\square \)

2.1 ABKIS with Message Recovery Template

Apart from the Trusted Authority (TA), this model employs another device called helper which is physically secure but computationally limited. The TA creates a helper key and initial signing key for every user. The initial signing key is computed according to some access structure over user attributes. An ABKIS with message recovery is a set of the following six algorithms.

  • \(\mathsf{Setup}(\kappa ).\) The TA takes as input a security parameter \(\kappa \) and generates the system public parameters \(\mathsf{params}\) and system master key \(\mathsf{MK}.\) The public parameters \(\mathsf{params}\) include a description of the attribute universe U,  time period index space T and the message space \(\mathcal {M}.\) Here \(\mathsf{params}\) are publicly available to all users and \(\mathsf{MK}\) is kept secret by TA.

  • \(\mathsf{KeyGen}(\mathsf{params, MK}, \mathbb {A}).\) On input \(\mathsf{params, MK}\) and an access structure \(\mathbb {A}\) over a set of attributes \(L_{\mathbb {A}}\subset U,\) the TA computes a helper key \(\mathsf{HK}_{\mathbb {A}}\) and an initial signing key \(\mathsf{SK}_{\mathbb {A}}^{0}\) associated with \(\mathbb {A}.\) The helper key \(\mathsf{HK}_{\mathbb {A}}\) is stored in the helper and the user holds the initial signing key \(\mathsf{SK}_{\mathbb {A}}^{0}\).

  • \(\mathsf{HelperUpdate}(\mathsf{params}, \mathsf{HK}_{\mathbb {A}}, t_{1}, t_{2}).\) This algorithm is executed by the helper for the user holding an access structure \(\mathbb {A}\) with the input \(\mathsf{params}, \mathsf{HK}_{\mathbb {A}},\) time period indices \(t_{1}, t_{2}\) and returns an update key \(\mathsf{UK}_{\mathbb {A}}^{t_{1}\rightarrow t_{2}}\) for \(\mathbb {A}\) from the time period \(t_{1}\) to time period \(t_{2}.\)

  • \(\mathsf{UserUpdate}(\mathsf{params}, \mathsf{SK}_{\mathbb {A}}^{t_{1}}, t_{1}, t_{2}, \mathsf{UK}_{\mathbb {A}}^{t_{1}\rightarrow t_{2}}).\) Given public parameters \(\mathsf{params}\), temporary signing key \(\mathsf{SK}_{\mathbb {A}}^{t_{1}}\) associated with \(\mathbb {A}\) for time period \(t_{1},\) time period indices \(t_{1}, t_{2}\) and update key \(\mathsf{UK}_{\mathbb {A}}^{t_{1}\rightarrow t_{2}},\) the user performs this algorithm and obtains the temporary signing key \(\mathsf{SK}_{\mathbb {A}}^{t_{2}}\) associated with \(\mathbb {A}\) for time period \(t_{2}.\) The user erases the temporary signing key \(\mathsf{SK}_{\mathbb {A}}^{t_{1}}\) for the time period \(t_{1}\).

  • \(\mathsf{Sign}(\mathsf{params}, \mathsf{msg}, t, \mathsf{SK}_{\mathbb {A}}^{t}, W).\) To generate a signature on a message \(\mathsf{msg}\in \mathcal {M}\) with respect to an attribute set \(W\in \mathbb {A}\) at time period t,  the signer runs this algorithm with the input \(\mathsf{params}, \mathsf{msg}, t, \mathsf{SK}_{\mathbb {A}}^{t}, W\) and outputs a signature \(\langle t, \Gamma \rangle \) consisting of the time period t and a signature \(\Gamma .\)

  • \(\mathsf{Verify}(\mathsf{params}, \langle t, \Gamma \rangle , W).\) Given a candidate signature \(\langle t, \Gamma \rangle \) and an attribute set W,  this algorithm outputs 1 if \(\Gamma \) is a valid signature with respect to the attribute set W in time period t. Otherwise, it returns 0.

Remark 2

In the above ABKIS, one can update the temporary signing key \(\mathsf{SK}_{\mathbb {A}}^{t_{1}}\) to \(\mathsf{SK}_{\mathbb {A}}^{t_{2}}\) in one step for any time periods \(t_{1}, t_{2}.\) This mechanism is called random-access key updates. Neither forward secure systems [2] nor intrusion resilience systems [7] support this functionality.   \(\square \)

2.2 Security Definitions for ABKIS with Message Recovery

Following [4, 14], we formalize here the key-insulated and strong key-insulated security, and signer privacy which are the typical security requirements for ABKIS schemes.

Key-insulated and strong key-insulated security. In key-insulated security notion, the exposure of any of the temporary signing keys for some time periods do not enable an adversary to create a valid signature for the non-exposed time periods as long as the corresponding helper keys are not compromised. On the other hand, in strong key-insulated security model, the exposure of helper keys do not enable an adversary to generate a valid signature for any time period as long as none of the temporary signing keys are compromised. These security notions are defined based on existential unforgeability under selective attribute set and time period index, and adaptive chosen message attack framework, in which the adversary needs to submit an attribute set and time period index pair before obtaining the system public parameters and the forgery must be created for that pair on any message. Formally, we define these security notions as follows.

Definition 5

(Key-insulated Security). An ABKIS scheme with message recovery is said to be \((\mathcal {T}, q_\mathsf{KG}, q_\mathsf{TSK}, q_\mathsf{Sign}, \epsilon )\)-key-insulated if for any probabilistic polynomial time (PPT) adversary \(\mathcal {A}\) running in time at most \(\mathcal {T}\) that makes at most \(q_\mathsf{KG}\) key generation queries, \(q_\mathsf{TSK}\) temporary signing key queries and \(q_\mathsf{Sign}\) signature queries, the adversary’s advantage \(Adv_{\mathcal {A}}^\mathsf{key\text{- }ins}=\mathrm{{Pr}}[\mathcal {A}~\text {wins}]\le \epsilon \) in the following game (between a challenger \(\mathcal {C}\) and the adversary \(\mathcal {A}\)):

figure b

We say that \(\mathcal {A}\) succeeds if \(\mathsf{Verify}(\mathsf{params}, \langle t^{*}, \Gamma ^{*}\rangle , W^{*})=1\) and \((\mathsf{msg}^{*}, W^{*}, t^{*})\) was never queried to the signature oracle.    \(\square \)

Remark 3

In the foregoing definition, the adversary can obtain the helper key and initial signing key for any access structure which is not satisfied by the challenged attribute set \(W^{*}\) by issuing key generation queries. So, he can further compute temporary signing key of that access structure for any time period of his choice including \(t^{*}\), without accessing temporary signing key oracle because he knows the corresponding helper key.

On the other hand, the temporary signing key oracle is actually meant for the access structures accepting \(W^{*}.\) Adversary can get temporary signing key of an access structure accepting \(W^{*}\) for any time period except \(t^{*}\) by querying the temporary signing key oracle. The helper keys of such access structures are not known to adversary. Wlog, we can assume that adversary issues only temporary signing key queries for the access structures accepting \(W^{*}.\)    \(\square \)

In the strong key-insulated security notion defined below, the adversary is prohibited to request temporary signing keys and hence the challenge time period index \(t^{*}\) is not necessary to submit before receiving the system public parameters.

Definition 6

(Strong key-insulated Security). An ABKIS scheme with message recovery is said to be \((\mathcal {T}, q_\mathsf{KG}, q_\mathsf{HK}, q_\mathsf{Sign}, \epsilon )\)-strong-key-insulated if for any PPT adversary \(\mathcal {A}\) running in time at most \(\mathcal {T}\) that makes at most \(q_\mathsf{KG}\) key generation queries, \(q_\mathsf{HK}\) helper key queries and \(q_\mathsf{Sign}\) signature queries, the adversary’s advantage \(Adv_{\mathcal {A}}^\mathsf{strong\text{- }key\text{- }ins}=\mathrm{{Pr}}[\mathcal {A}~\text {wins}]\le \epsilon \) in the following game (between a challenger \(\mathcal {C}\) and \(\mathcal {A}\)):

figure c

We say that \(\mathcal {A}\) succeeds if \(\mathsf{Verify}(\mathsf{params}, \langle t^{*}, \Gamma ^{*}\rangle , W^{*})=1\) and \((\mathsf{msg}^{*}, W^{*}, t^{*})\) was never queried to the signature oracle.    \(\square \)

Remark 4

In Definition 6, temporary signing key queries are not explicitly provided for the adversary. However, the adversary can derive temporary signing keys for the access structures \(\mathbb {A}\) such that \(W^{*}\notin \mathbb {A}\) through key generation oracle \(\mathcal {O}_\mathsf{KG}(\cdot ).\) Hence the adversary can compromise a temporary signing key in any time period for the access structures not accepting the challenged attribute set \(W^{*}.\) On the other hand, he can obtain helper key of any access structure independent of such restriction by querying helper key oracle \(\mathcal {O}_\mathsf{HK}(\cdot ).\)    \(\square \)

Signer Privacy. This property ensures that the distribution of a signature is independent of the temporary signing key that is used to generate it. This means that one cannot get any information about the access structure \(\mathbb {A}\) held by the signer from a signature for the attribute set W in time period t,  other than the fact that W satisfies \(\mathbb {A}.\) Precisely, the actual signer is indistinguishable from all the users whose access structures accepting the attribute set specified in the signature. Formally, this security notion is defined as follows.

Definition 7

An ABKIS scheme is said to provide signer privacy if for any message \(\mathsf{msg}\in \mathcal {M},\) all \(\langle \mathsf{params, MK}\rangle \leftarrow \mathsf{Setup}(\kappa ),\) all signing access structures \(\mathbb {A}\) and \( \mathbb {A}',\) all time periods t,  all signing temporary signing keys \(\mathsf{SK}_{\mathbb {A}}^{t}\) and \(\mathsf{SK}_{\mathbb {A}'}^{t},\) all attribute sets W such that W satisfies both \(\mathbb {A}\) and \( \mathbb {A}',\) the distributions of \(\mathsf{Sign}(\mathsf{params}, \mathsf{msg}, t, \mathsf{SK}_{\mathbb {A}}^{t}, W)\) and \(\mathsf{Sign}(\mathsf{params}, \mathsf{msg}, t, \mathsf{SK}_{\mathbb {A'}}^{t}, W)\) are equal.    \(\square \)

3 Proposed ABKIS with Message Recovery

3.1 ABKIS Scheme with Message Recovery for Small Universe

In this section, we present an ABKIS scheme with message recovery for small universes of attributes, referred as SU-ABKIS, that supports fixed length messages. We adapt the key updating technique used in [3] where the keys are randomized by means of pseudorandom function (PRF). A simple randomness is not adequate because the same attribute might held by several users and a user may derive the random exponents for other time periods from the current time period. Hence the randomness introduced in the key update process must be the time period as well as the attribute specific. To this end, we use a PRF family \(\mathcal {F}=\{\mathsf{PRF}_{s}:s\leftarrow _{R}\{0, 1\}^{\kappa }\},\) where \(\mathsf{PRF}_{s}:\{0, 1\}^{2\kappa }\rightarrow \{0, 1\}^{\kappa }\) such that given a \(\kappa \)-bit seed s and \(2\kappa \)-bit input ip, the PRF \(\mathsf{PRF}_{s}\) outputs \(\kappa \)-bit string \(\mathsf{PRF}_{s}(ip).\) We treat each time period index as an element in \(\mathbb {Z}_{p}^{*},\) i.e., \(T=\mathbb {Z}_{p}^{*}\) and the message space is \(\mathcal {M}=\{0, 1\}^{\ell _{1}}.\) Let \(U=\{1, 2, \ldots , n\}=[n]\) be the attribute universe. Our SU-ABKIS is composed of the following six algorithms.

\(\mathsf{Setup}(\kappa )\!:\) The TA carries out the following steps.

  1. 1.

    Choose \(\Sigma =(p, \mathbb {G}, \mathbb {G}_{0}, e)\) according to the security parameter \(\kappa .\)

  2. 2.

    Select four collision resistant hash functions \(H:\{0, 1\}^{*}\rightarrow \mathbb {G}\), \(H_{1}:\{0, 1\}^{\ell _{1}}\rightarrow \{0, 1\}^{\ell _{2}}\), \(H_{2}:\{0, 1\}^{\ell _{2}}\rightarrow \{0, 1\}^{\ell _{1}}\) and \(H':\{0, 1\}^{*}\rightarrow \{0, 1\}^{\ell _{1}+\ell _{2}}\), where \(\ell _{1}, \ell _{2}\in \mathbb {N},\) the set of all natural numbers.

  3. 3.

    Sample \(\alpha \leftarrow _{R} \mathbb {Z}_{p},\) a random generator \( g\leftarrow _{R} \mathbb {G}\) and set \(Y=e(g, g)^{\alpha }.\)

  4. 4.

    Pick \(w_{1}, w_{2}\leftarrow _{R} \mathbb {G}.\) Define a function \(F:\mathbb {Z}_{p}\rightarrow \mathbb {G}\) by \(F(t)=w_{1}w_{2}^{t}.\)

  5. 5.

    Select \(v\leftarrow _{R} \mathbb {G}.\) For each attribute \(k\in U=[n],\) choose \(v_{k}\leftarrow _{R} \mathbb {G}.\)

  6. 6.

    The system master key is \(\mathsf{MK}=\alpha \) and the system public parameters are published as \(\mathsf{params}=\langle \Sigma , g, Y, v, w_{1}, w_{2}, \{v_{k}\}_{k\in [n]}, H, H_{1}, H_{2}, H', F, U=[n], T=\mathbb {Z}_{p}^{*}, \mathcal {M}=\{0, 1\}^{\ell _{1}}\rangle .\)

\(\mathsf{KeyGen}(\mathsf{params, MK}, (\mathbb {M}, \rho ))\!\!:\) To compute a helper key \(\mathsf{HK}_{(\mathbb {M}, \rho )}\) and an initial signing key \(\mathsf{SK}_{(\mathbb {M}, \rho )}^{0}\) associated with an access structure \((\mathbb {M}, \rho ),\) the TA performs as follows. Each ith row \(\mathbf {M_{i}}\) of the LSSS matrix \(\mathbb {M}\) of size \(\nu \times \tau \) is associated with an attribute \(\rho (i)\in [n].\) We assume that the time period index is 0 for initial signing key.

  1. 1.

    Pick \(\mathsf{hk}_{(\mathbb {M}, \rho )} \leftarrow _{R} \{0, 1\}^{\kappa }\) and choose \(\mathsf{PRF}_{\mathsf{hk}_{(\mathbb {M}, \rho )}}\in \mathcal {F}.\)

  2. 2.

    Sample \(z_{2}, \ldots , z_{\tau }\leftarrow _{R}\mathbb {Z}_{p}\) and set \(\mathbf {v}=(\alpha , z_{2}, \ldots , z_{\tau }).\)

  3. 3.

    For each row \(i\in [\nu ],\)

    • compute \(\lambda _{\rho (i)}=\mathbf {M_{i}}\mathbf {v}\) and \(\gamma _{i, 0}=\mathsf{PRF}_{\mathsf{hk}_{(\mathbb {M}, \rho )}}(0||\rho (i))\) (if the length of each input string for \(\mathsf{PRF}\) is less than \(\kappa ,\) then we add required number of 0 s on the left side of the string to make \(2\kappa \)-bit long),

    • pick \(r_{i}\leftarrow _{R} \mathbb {Z}_{p}\) and set \(d_{i, 1}^{0}=g^{r_{i}}, d_{i, 2}^{0}=g^{\gamma _{i,0}}, d_{i, 3}^{0}=g^{\lambda _{\rho (i)}}(vv_{\rho (i)})^{r_{i}}F(0)^{\gamma _{i,0}},\) \(d_{i, 4}^{0}=\{d_{i, 4, k}^{0}=v_{k}^{r_{i}}\}_{k\in [n]\setminus \{\rho (i)\}}.\)

  4. 4.

    The initial signing key is \(\mathsf{SK}_{(\mathbb {M}, \rho )}^{0}=\langle (\mathbb {M}, \rho ), \{d_{i, 1}^{0}, d_{i, 2}^{0}, d_{i, 3}^{0}, d_{i, 4}^{0}:i\in [\nu ]\}\rangle .\)

  5. 5.

    The helper key is \( \mathsf{HK}_{(\mathbb {M}, \rho )}=\langle \rho , \mathsf{hk}_{(\mathbb {M}, \rho )}\rangle .\)

\(\mathsf{HelperUpdate}(\mathsf{params}, \mathsf{HK}_{(\mathbb {M}, \rho )}, t_{1}, t_{2})\!\!:\) To construct the update key \(\mathsf{UK}_{(\mathbb {M}, \rho )}^{t_{1}\rightarrow t_{2}}\) for \((\mathbb {M}, \rho )\) from the time period \(t_{1}\) to time period \(t_{2},\) the helper carries out the following steps.

  1. 1.

    For each row \(i\in [\nu ],\)

    • compute \(\gamma _{i,t_{1}}=\mathsf{PRF}_{\mathsf{hk}_{(\mathbb {M}, \rho )}}(t_{1}||\rho (i)),\) \(\gamma _{i,t_{2}}=\mathsf{PRF}_{\mathsf{hk}_{(\mathbb {M}, \rho )}}(t_{2}||\rho (i)),\)

    • set \(\mathsf{UK}_{i,1}^{t_{1}\rightarrow t_{2}}=F(t_{2})^{\gamma _{i,t_{2}}}\cdot F(t_{1})^{-\gamma _{i,t_{1}}},\) \( \mathsf{UK}_{i,2}^{t_{1}\rightarrow t_{2}}=g^{\gamma _{i,t_{2}}}.\)

  2. 2.

    The update key is \(\mathsf{UK}_{(\mathbb {M}, \rho )}^{t_{1}\rightarrow t_{2}}= \big \{\mathsf{UK}_{i,1}^{t_{1}\rightarrow t_{2}}, \mathsf{UK}_{i,2}^{t_{1}\rightarrow t_{2}}:i\in [\nu ]\big \}.\)

\(\mathsf{UserUpdate}(\mathsf{params}, \mathsf{SK}_{(\mathbb {M}, \rho )}^{t_{1}}, t_{1}, t_{2}, \mathsf{UK}_{(\mathbb {M}, \rho )}^{t_{1}\rightarrow t_{2}}):\) The user computes the temporary signing key \(\mathsf{SK}_{(\mathbb {M}, \rho )}^{t_{2}}\) for time period \(t_{2}\) from the temporary signing key \(\mathsf{SK}_{(\mathbb {M}, \rho )}^{t_{1}}\) for time period \(t_{1}\) by using update key \(\mathsf{UK}_{(\mathbb {M}, \rho )}^{t_{1}\rightarrow t_{2}}\) as follows.

  1. 1.

    Parse the temporary signing key for \((\mathbb {M}, \rho )\) at time period \(t_{1}\) as \(\mathsf{SK}_{(\mathbb {M}, \rho )}^{t_{1}}=\langle (\mathbb {M}, \rho ), \{d_{i, 1}^{t_{1}}, d_{i, 2}^{t_{1}}, d_{i, 3}^{t_{1}}, d_{i, 4}^{t_{1}}:i\in [\nu ]\}\rangle ,\) where \(d_{i, 1}^{t_{1}}=g^{r_{i}}, d_{i, 2}^{t_{1}}=g^{\gamma _{i,t_{1}}},\) \( d_{i, 3}^{t_{1}}=g^{\lambda _{\rho (i)}}(vv_{\rho (i)})^{r_{i}}F(t_{1})^{\gamma _{i,t_{1}}},\) \(d_{i, 4}^{t_{1}}=\{d_{i, 4, k}^{t_{1}}=v_{k}^{r_{i}}\}_{k\in [n]\setminus \{\rho (i)\}}.\)

  2. 2.

    The update key \(\mathsf{UK}_{(\mathbb {M}, \rho )}^{t_{1}\rightarrow t_{2}}\) is parsed as \(\mathsf{UK}_{(\mathbb {M}, \rho )}^{t_{1}\rightarrow t_{2}}= \big \{\mathsf{UK}_{i,1}^{t_{1}\rightarrow t_{2}}, \mathsf{UK}_{i,2}^{t_{1}\rightarrow t_{2}}:i\in [\nu ]\big \}.\)

  3. 3.

    The user sets the temporary signing key for \((\mathbb {M}, \rho )\) and time period \(t_{2}\) as \(\mathsf{SK}_{(\mathbb {M}, \rho )}^{t_{2}}=\langle (\mathbb {M}, \rho ), \{d_{i, 1}^{t_{2}}, d_{i, 2}^{t_{2}}, d_{i, 3}^{t_{2}}, d_{i, 4}^{t_{2}}:i\in [\nu ]\}\rangle ,\) where \(d_{i, 1}^{t_{2}}=d_{i, 1}^{t_{1}}, d_{i, 2}^{t_{2}}=\mathsf{UK}_{i,2}^{t_{1}\rightarrow t_{2}},\) \(d_{i, 3}^{t_{2}}=d_{i, 3}^{t_{1}}\cdot \mathsf{UK}_{i,1}^{t_{1}\rightarrow t_{2}}\) and \(d_{i, 4,k}^{t_{2}}=d_{i, 4,k}^{t_{1}}, \forall k\in [n]\setminus \{\rho (i)\}.\)

  4. 4.

    The temporary signing key \(\mathsf{SK}_{(\mathbb {M}, \rho )}^{t_{1}}\) for the time period \(t_{1}\) will be discarded.

Note: At time period \(t_{2},\) it can be seen that \(d_{i, 1}^{t_{2}}=g^{r_{i}}, d_{i, 2}^{t_{2}}=g^{\gamma _{i,t_{2}}}, d_{i, 3}^{t_{2}}=g^{\lambda _{\rho (i)}}(vv_{\rho (i)})^{r_{i}}F(t_{2})^{\gamma _{i,t_{2}}},\) \(d_{i, 4}^{t_{2}}=\{d_{i, 4, k}^{t_{2}}=v_{k}^{r_{i}}\}_{k\in [n]\setminus \{\rho (i)\}}.\)

\(\mathsf{Sign}(\mathsf{params}, \mathsf{msg}, t, \mathsf{SK}_{(\mathbb {M}, \rho )}^{t}, W)\!\!:\) The signer with a temporary signing key \(\mathsf{SK}_{(\mathbb {M}, \rho )}^{t}\) for LSSS access structure \((\mathbb {M}, \rho )\) and time period t generates the signature on a message \(\mathsf{msg}\in \{0, 1\}^{\ell _{1}}\) for the attribute set W satisfying \((\mathbb {M}, \rho )\) as follows. The temporary signing key \(\mathsf{SK}_{(\mathbb {M}, \rho )}^{t}\) for the time period t is parsed as \(\mathsf{SK}_{(\mathbb {M}, \rho )}^{t}=\big \langle (\mathbb {M}, \rho ), \{d_{i, 1}^{t}, d_{i, 2}^{t}, d_{i, 3}^{t}, d_{i, 4}^{t}:i\in [\nu ]\}\big \rangle .\)

  1. 1.

    Compute \(\beta =H'(t||W||Y), m=H_{1}(\mathsf{msg})||(H_{2}(H_{1}(\mathsf{msg}))\oplus \mathsf{msg})\) and \(c=\beta \oplus m.\)

  2. 2.

    Obtain a set of constants \(\{\omega _{i}\in \mathbb {Z}_{p}:i\in I\}\leftarrow \mathsf{Recover}(\mathbb {M}, \rho , W),\) where \(I=\{i\in [\nu ]:\rho (i)\in W\},\) satisfying \(\sum _{i\in I} \omega _{i}\mathbf {M_{i}}=(1, 0, \ldots , 0).\) This is possible since W satisfies \((\mathbb {M}, \rho ).\)

  3. 3.

    Choose \(z'_{2}, \ldots , z'_{\tau }\leftarrow _{R} \mathbb {Z}_{p}\) and define \(\mathbf {z}=(0, z'_{2}, \ldots , z'_{\tau }).\)

  4. 4.

    For each \(i\in [\nu ],\) pick \(r'_{i}, b_{i, t}\leftarrow _{R} \mathbb {Z}_{p}\) and compute \(\widehat{d}_{i, 1}^{t}=d_{i, 1}^{t}\cdot g^{r'_{i}}, \widehat{d}_{i, 2}^{t}=d_{i, 2}^{t}\cdot g^{b_{i,t}},\) \( \widehat{d}_{i, 3}^{t}=d_{i, 3}^{t}\cdot g^{\mathbf {M_{i}}\mathbf {z}}(vv_{\rho (i)})^{r'_{i}}F(t)^{b_{i,t}}, \widehat{d}_{i, 4}^{t}=\{\widehat{d}_{i, 4, k}^{t}=d_{i, 4, k}^{t}\cdot v_{k}^{r'_{i}}\}_{k\in [n]\setminus \{\rho (i)\}}.\)

  5. 5.

    Sample \(\theta , \xi , \zeta \leftarrow _{R} \mathbb {Z}_{p}\) and set \(\sigma =g^{\theta }, \sigma _{1}=g^{\xi }\prod \limits _{i\in I}\big (\widehat{d}_{i,1}^{t}\big )^{\omega _{i}}, \sigma _{2}=g^{\zeta }\prod \limits _{i\in I}\big (\widehat{d}_{i, 2}^{t}\big )^{\omega _{i}},\) \(\sigma _{3}=\prod \limits _{i\in I}\Big (\widehat{d}_{i, 3}^{t}\prod \limits _{k\in W,k\ne \rho (i)}\widehat{d}_{i, 4,k}^{t}\Big )^{\omega _{i}}\cdot \big (v\prod \limits _{k\in W}v_{k}\big )^{\xi }\cdot H(c||\sigma ||\sigma _{1}||\sigma _{2}||t||W)^{\theta }\cdot F(t)^{\zeta }.\)

  6. 6.

    The signature is \(\Gamma =\langle c, \sigma , \sigma _{1}, \sigma _{2}, \sigma _{3} \rangle \) and finally outputs \(\langle t, \Gamma \rangle .\)

\(\mathsf{Verify}(\mathsf{params}, \langle t, \Gamma \rangle , W)\!\!\!:\) Given a signature \(\langle t, \Gamma =\langle c, \sigma , \sigma _{1}, \sigma _{2}, \sigma _{3} \rangle \rangle \) and an attribute set W,  the verifier performs in the following way.

  1. 1.

    Check validity of the following equation

    $$\begin{aligned} \frac{e(\sigma _{3}, g)}{e(v\prod _{k\in W}v_{k}, \sigma _{1})\cdot e(H(c||\sigma ||\sigma _{1}||\sigma _{2}||t||W), \sigma )\cdot e(F(t), \sigma _{2}) }\mathop {=}\limits ^{?}Y. \end{aligned}$$
    (1)

    If it is not valid, output 0. Otherwise, proceed as follows.

  2. 2.

    Compute \(\beta =H'(t||W||Y)\) and \(m=c\oplus \beta .\)

  3. 3.

    Recover the message \(\mathsf{msg}=[\![m]\!]^{\ell _{1}}\oplus H_{2}(^{\ell _{2}}[\![m]\!]).\)

  4. 4.

    Return 1 if \(^{\ell _{2}}[\![m]\!]=H_{1}(\mathsf{msg})\) and accept \(\Gamma \) as a valid signature of the message \(\mathsf{msg}\) in time period t. In this case, the message \(\mathsf{msg}\in \{0, 1\}^{\ell _{1}}\) is recovered. Otherwise, output 0.

Remark 5

We can modify the above construction for messages of fixed length \(\ell _{1}\) to deal with messages of any length, i.e., \(\mathsf{msg}\in \{0, 1\}^{*}.\) To sign a message of length less than \(\ell _{1},\) one can pad spaces after the message until \(\ell _{1}\) and can use the foregoing scheme. If message size is larger than \(\ell _{1},\) a part of the message of length \(\ell _{1}\) is embed in a signature and can be recovered in verification phase and the other message segment is sent together with the signature. Specifically, divide the message \(\mathsf{msg}\) into two parts as \(\mathsf{msg}=\mathsf{msg}_{1}||\mathsf{msg}_{2}\) such that size of \(\mathsf{msg}_{1}\) is \(\ell _{1}.\) In the corresponding scheme, replace \(\mathsf{msg}\) with \(\mathsf{msg}_{1},\) compute \(\beta =H'(t||W||Y||\mathsf{msg}_{2})\) instead of \(\beta =H'(t||W||Y)\) and everything else remains the same. In verification phase, recover \(\mathsf{msg}_{1}\) and pad with the available \(\mathsf{msg}_{2}\) as \(\mathsf{msg}_{1}||\mathsf{msg}_{2}\) in order to obtain \(\mathsf{msg}.\)    \(\square \)

Remark 6

In signing process, W satisfies \((\mathbb {M}, \rho )\) means there exists an attribute set \(\widehat{W}\subset W\bigcap L_{(\mathbb {M}, \rho )},\) \(L_{(\mathbb {M}, \rho )}\) is the set of attributes assigned to the rows of the matrix \(\mathbb {M},\) such that the rows of \(\mathbb {M}\) corresponding to the attributes of \(\widehat{W}\) (the row set I in the construction) spans the vector \((1, 0, \ldots , 0).\) The signer computes the signature using the signing key components corresponding to the attributes appeared in \(\widehat{W}.\) The set \(\widehat{W}\) is completely hidden in the process (i.e., hidden in W) and the verifier is given the attribute set W. In verifier or adversary point of view, the signer can use any subset of W. Consequently, the verifier cannot identify the subset of signer attributes which has originally been used to generate a signature from the set \(\mathcal {P}(W)^{*}\) of all non-empty subsets of W. But, he can verify the signature using the whole attribute set W. In contrast, the signing and verification attribute sets are same in existing ABKIS [4], i.e., the signer needs to expose the attributes used to create a signature.    \(\square \)

3.2 Large Universe ABKIS Scheme with Message Recovery

We present here an ABKIS scheme with message recovery for large universes of attributes, which we denote as LU-ABKIS. In this construction \(U=\mathbb {Z}_{p}^{*}\) be the attribute universe. We impose a bound, say N,  on the size of attribute set used in signing algorithm. Note that one can extend our small universe ABKIS construction to support large universe by using a collision resistant hash function to compute the attribute values after system setup. However, the signer needs to reveal his attributes used to create a signature as in ABKIS scheme of [4], which is not desirable. To preserve signer attribute anonymity as well as to realize constant-size signature like our small universe ABKIS scheme, we change the signing key generation process using the technique of [1].

\(\mathsf{Setup}(\kappa )\!\!:\) Given a security parameter \(\kappa \), the TA executes the following steps.

figure d

\(\mathsf{KeyGen}(\mathsf{params, MK}, (\mathbb {M}, \rho ))\!\!:\) The TA performs as follows. Each ith row \(\mathbf {M_{i}}\) of the matrix \(\mathbb {M}\) of size \(\nu \times \tau \) is associated with an attribute \(\rho (i)\in \mathbb {Z}_{p}^{*}.\)

figure e

\(\mathsf{HelperUpdate}(\mathsf{params}, \mathsf{HK}_{(\mathbb {M}, \rho )}, t_{1}, t_{2})\!\!:\) Same as SU-ABKIS construction.

\(\mathsf{UserUpdate}(\mathsf{params}, \mathsf{SK}_{(\mathbb {M}, \rho )}^{t_{1}}, t_{1}, t_{2}, \mathsf{UK}_{(\mathbb {M}, \rho )}^{t_{1}\rightarrow t_{2}})\!:\) Same as SU-ABKIS construction.

\(\mathsf{Sign}(\mathsf{params}, \mathsf{msg}, t, \mathsf{SK}_{(\mathbb {M}, \rho )}^{t}, W)\!\!:\) Here \(\mathsf{msg}\in \{0,1\}^{\ell _{1}}\) and W satisfies \((\mathbb {M}, \rho )\!\!.\)

The signing key \(\mathsf{SK}_{(\mathbb {M}, \rho )}^{t}\) is parsed as \(\mathsf{SK}_{(\mathbb {M}, \rho )}^{t}=\big \langle (\mathbb {M}, \rho ), \{d_{i, 1}^{t}, d_{i, 2}^{t}, d_{i, 3}^{t}, d_{i, 4}^{t}:i\in [\nu ]\}\big \rangle .\) Note that \(|W|<N\).

figure f

\(\mathsf{Verify}(\mathsf{params}, \langle t, \Gamma \rangle , W)\!\!\!:\) Given a signature \(\langle t, \Gamma =\langle c, \sigma , \sigma _{1}, \sigma _{2}, \sigma _{3} \rangle \rangle \) and an attribute set W with \(|W|<N,\) the verifier executes the following steps.

figure g

3.3 Security Proof of SU-ABKIS and LU-ABKIS

Theorem 1

Suppose the attribute universe U has q attributes (resp., \(N=q\) is a bound on the size of signing attribute set used in signing phase), the hash function H is modeled as random oracle, the hash functions \(H_{1}, H_{2}, H'\) are collision resistant and \(\mathcal {F}=\{\mathsf{PRF}_{s}:s\leftarrow _{R}\{0, 1\}^{\kappa }\}\) is PRF family. Assume the computational q-DHE problem is \((\mathcal {T}', \epsilon )\)-hard in \(\mathbb {G}.\) Then, our SU-ABKIS (resp., LU-ABKIS) scheme is \((\mathcal {T}, q_\mathsf{KG}, q_\mathsf{TSK}, q_\mathsf{Sign}, \epsilon )\)-key-insulated in the random oracle model, where \(\mathcal {T}=\mathcal {T}'-\mathcal {O}\big (q^{2}(q_\mathsf{KG}+q_\mathsf{TSK})+q_\mathsf{Sign}+q_\mathsf{H}\big )\mathcal {T}_{exp}-2\mathcal {T}_{pair}.\) Here, \(q_\mathsf{H}\) is number of H hash queries allowed during simulation, \(\mathcal {T}_{exp}\) is cost of one exponentiation and \(\mathcal {T}_{pair}\) is cost of one pairing computation.

Theorem 2

Suppose the attribute universe U has q attributes (resp., \(N=q\) is a bound on the size of signing attribute set used in signing phase), the hash function H is modeled as random oracle, the hash functions \(H_{1}, H_{2}, H'\) are collision resistant and \(\mathcal {F}=\{\mathsf{PRF}_{s}:s\leftarrow _{R}\{0, 1\}^{\kappa }\}\) is PRF family. Assume the computational q-DHE problem is \((\mathcal {T}', \epsilon )\)-hard in \(\mathbb {G}.\) Then, our SU-ABKIS (resp., LU-ABKIS) scheme is \((\mathcal {T}, q_\mathsf{KG}, q_\mathsf{HK}, q_\mathsf{Sign}, \epsilon )\)-strong-key-insulated in the random oracle model, where \(\mathcal {T}=\mathcal {T}'-\mathcal {O}\big (q^{2}\cdot q_\mathsf{KG}+q_\mathsf{Sign}+q_\mathsf{H}\big )\mathcal {T}_{exp}-2\mathcal {T}_{pair}.\)

Theorem 3

Both the proposed SU-ABKIS and LU-ABKIS schemes provide signer privacy.

Due to page restriction, the proofs will be given in full version of the paper.

4 Some Possible Extensions

Constructions Without Random Oracles. We can further extend our ABKIS schemes to realize security reduction in standard model as follows. The hash function H is redefined as \(H:\{0, 1\}^{*}\rightarrow \{0, 1\}^{\varrho }.\) Pick \(\varpi _{0}, \varpi _{1}, \ldots , \varpi _{\varrho }\leftarrow _{R}\mathbb {G}\) and define \(\widehat{F}:\{0, 1\}^{\varrho }\rightarrow \mathbb {G}\) by \(\widehat{F}(x_{1}, \ldots , x_{\varrho })=\varpi _{0}\varpi _{1}^{x_{1}}\cdots \varpi _{\varrho }^{x_{\varrho }}.\) In signature component \(\sigma _{3}\), replace \(H(c||\sigma ||\sigma _{1}||\sigma _{2}||t||W)^{\theta }\) with \(\widehat{F}\big (H(c||\sigma _{1}||\sigma _{2}||t||W)\big )^{\theta }\) and change the verification tests accordingly.

Schemes Supporting Negative Attributes. We can extend our constructions to support negative attributes by treating the negation of an attribute as a separate attribute. This doubles the total number of attributes used in the system. However, the resulting schemes attains the same efficiency as that of our monotone access structure primitives.

5 Conclusion

We presented the first ABKIS schemes with message recovery for expressive LSSS-realizable access structures that feature constant number of pairing computations required for signature verification process and constant message-signature length. The (strong) key-insulated security of ABKIS schemes are reduced to the computational q-DHE problem in selective attribute set and random oracle model. Both the proposed constructions provide signer privacy. The signing key size in our constructions is quadratic in number of involved attributes.