
Efficient and secure attribute-based signature for monotone predicates

  • Original Article
  • Acta Informatica

Abstract

Attribute-based signature (ABS) is a cryptographic primitive that lets a signer sign a message with fine-grained control over the identifying information that is revealed. An ABS reveals only that the message was signed by a user whose set of attributes satisfies a predicate; it hides any further identifying information and gives fine-grained control over who may sign. Many attribute-based signature schemes have been proposed, but most of them are not very efficient. Maji et al. presented a complete definition and construction of ABS for monotone predicates and showed three instantiations under their framework. Although the most practical of their instantiations is efficient, it is constructed in the generic group model and has since been shown to be insecure. Okamoto et al. then proposed an attribute-based signature scheme in the standard model that supports generalized non-monotone predicates over access structures, but their scheme is not efficient in practice. In this paper we present a framework for ABS together with a detailed security model for ABS. Under this framework we present an attribute-based signature scheme for monotone predicates in the standard model, taking Waters’ signature scheme as the prototype of our construction. Compared with Maji’s scheme in the generic group model, the proposed scheme is constructed in the standard model; compared with Okamoto’s scheme, the proposed scheme is more efficient because it reduces the computation cost.



Notes

  1. In [24], Okamoto et al. call this notion of unforgeability “adaptive-predicate unforgeability”. They also define a weaker notion, “selective-predicate unforgeability”, in which the adversary must commit to the predicate of its forgery before it queries the private key oracle and the signature oracle. The security of the proposed scheme meets the stronger, adaptive-predicate notion.

  2. A complete security proof consists of three parts:

    (1) Computational assumption: a known and generally accepted computational-complexity assumption, i.e. a problem that is believed to be intractable with current computing resources.

    (2) Security model: the proof of a proposed scheme must be carried out within a fixed framework, and that framework has to capture (1) the adversary’s attacking goals and (2) the adversary’s attacking behaviour. We call this framework a security model; it is a complete description of the adversary’s targets, means and capabilities.

    (3) Proof method: the proof constructs an algorithm showing that an adversary who breaks the proposed scheme within a certain time and with a certain probability yields an algorithm that solves the underlying computational problem (assumption) in approximately the same time and with approximately the same probability. This method is called a reduction.

  3. The attribute set is public for any verifier.

  4. As in the Alice-and-Bob example above, the signer is one member of the group of users holding the same attribute set \(\mathfrak {A}\); even though \(\mathfrak {A}\) is public, it does not reveal the specific identity of the signer.

  5. In a reduction proof, the key step is how the hard computational problem is embedded into the proposed scheme. At the same time, the constructed algorithm must provide the adversary with a simulated environment in which the adversary can exercise its full ability, and the adversary’s view of the simulated environment must be indistinguishable from its view of the real environment.

  6. The security proof in this paper follows that of Waters’ signature scheme in the standard model.

  7. The running time of the algorithm \(\mathcal {B}\) consists of the time the adversary \(\mathcal {A}\) takes to break the proposed scheme (forging a valid signature) plus the time spent on the query interaction. Since we cannot control how long \(\mathcal {A}\) takes, we denote that time by \(\hbar \); the time of the query interaction is bounded and can be computed.

References

  1. Bender, A., Katz, J., Morselli, R.: Ring signatures: stronger definitions, and constructions without random oracles. J. Cryptol. 22(1), 114–138 (2009)


  2. Boyen, X.: Mesh signatures. Advances in Cryptology-EUROCRYPT 2007, LNCS 4515, Springer-Verlag, pp. 210–227 (2007)

  3. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: Proceedings of the IEEE Symposium on Security and Privacy, IEEE Computer Society, pp. 321–334 (2007)

  4. Beimel, A.: Secure Schemes for Secret Sharing and Key Distribution, PhD Thesis, Israel Institute of Technology, Haifa, Israel (1996)

  5. Boneh, D., Boyen, X.: Short signatures without random oracles. Advances in Cryptology-EUROCRYPT 2004, LNCS 3027, Springer-Verlag, pp. 56–73 (2004)

  6. Belenkiy, M., Camenisch, J., Chase, M., Kohlweiss, M., Lysyanskaya, A., Shacham, H.: Randomizable proofs and delegatable anonymous credentials. Advances in Cryptology-CRYPTO 2009, LNCS 5677, Springer-Verlag, pp. 108–125 (2009)

  7. Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: P-signatures and noninteractive anonymous credentials. TCC 2008, LNCS 4948, Springer-Verlag, pp. 356–374 (2008)

  8. Beimel, A.: Secure Schemes for Secret Sharing and Key Distribution. PhD Thesis, Israel Institute of Technology, Haifa, Israel (1996)

  9. Chen, C., Chen, J., Lim, H.W., Zhang, Z.F., Feng, D.G., Ling, S., Wang, H.X.: Fully secure attribute-based systems with short ciphertexts/signatures and threshold access structures. CT-RSA 2013, LNCS 7779, Springer-Verlag, pp. 50–67 (2013)

  10. Cheung, L., Newport, C.: Provably secure ciphertext policy ABE. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, ACM, pp. 456–465 (2007)

  11. Gu, J.: An efficient and practicable anonymous authentication scheme using smart cards. Information Theory and Information Security 2010 (ICITIS 2010), IEEE Computer Society, pp. 470–473 (2010)

  12. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, ACM, pp. 89–98 (2006)

  13. Goyal, V., Jain, A., Pandey, O., Sahai, A.: Bounded ciphertext policy attribute-based encryption. In: Proceedings of the 35th International Colloquium on Automata, Languages and Programming. LNCS 5126, Springer-Verlag, pp. 579–591 (2008)

  14. Guo, S., Zeng, Y.: Attribute-based signature scheme. In: International Conference on Information Security and Assurance 2008, IEEE Computer Society, pp. 509–511 (2008)

  15. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. Advances in Cryptology-EUROCRYPT 2008, LNCS 4965, Springer-Verlag, pp. 415–432 (2008)

  16. Herranz, J., Laguillaumie, F., Libert, B., Ràfols, C.: Short attribute-based signatures for threshold predicates. CT-RSA 2012, LNCS 7178, Springer-Verlag, pp. 51–67 (2012)

  17. Karchmer, M., Wigderson, A.: On span programs. In: Proceedings of the 8th IEEE Structure in Complexity Theory Conference, San Diego, IEEE Computer Society Press, pp. 102–111 (1993)

  18. Khader, D.: Attribute based group signature with revocation. Cryptology ePrint Archive, Report 2007/241 (2007). http://eprint.iacr.org/2007/241

  19. Khader, D.: Attribute based group signatures. Cryptology ePrint Archive, Report 2007/159 (2007). http://eprint.iacr.org/2007/159

  20. Libert, B., Peters, T., Yung, M.: Scalable group signatures with revocation. Advances in Cryptology-EUROCRYPT 2012, LNCS 7323, Springer-Verlag, pp. 609–627 (2012)

  21. Li, J., Au, M.H., Susilo, W., Xie, D., Ren, K.: Attribute-based signature and its applications. ASIACCS 2010, ACM, pp. 60–69 (2010)

  22. Li, J., Kim, K.: Attribute-based ring signatures. Cryptology ePrint Archive, Report 2008/394 (2008). http://eprint.iacr.org/2008/394

  23. Maji, H.K., Prabhakaran, M., Rosulek, M.: Attribute-based signatures. Topics in Cryptology-CT-RSA 2011, LNCS 6558, Springer-Verlag, pp. 376–392 (2011)

  24. Okamoto, T., Takashima, K.: Efficient attribute-based signatures for non-monotone predicates in the standard model. Public Key Cryptography-PKC 2011, LNCS 6571, Springer-Verlag, pp. 35–52 (2011)

  25. Sahai, A., Waters, B.: Fuzzy identity-based encryption. Advances in Cryptology-EUROCRYPT 2005, LNCS 3494, Springer-Verlag, pp. 457–473 (2005)

  26. Shahandashti, S.F., Safavi-Naini, R.: Threshold attribute-based signatures and their application to anonymous credential systems. Advances in Cryptology-AFRICACRYPT 2009, LNCS 5580, Springer-Verlag, pp. 198–216 (2009)

  27. Waters, B.: Efficient identity-based encryption without random oracles. Advances in Cryptology-EUROCRYPT 2005, LNCS 3494, Springer-Verlag, pp. 114–127 (2005)

  28. Zhang, Y., Feng, D.G., Zhang, Z.F., Zhang, L.W.: On the security of an efficient attribute-based signature. NSS 2013, LNCS 7873, Springer-Verlag, pp. 381–392 (2013)


Acknowledgments

This work is supported by the National Natural Science Foundation of China (No.61402055, No.61462048, No.61504013), and Scientific Research Project of Hunan Provincial Education Department (No.15C0041, No.13B132, No.15A007, No.15C0779).

Author information


Correspondence to Ke Gu.

Appendices

Appendix 1: Correctness proof

1.1 Proof of Claim 7.1

Proof

In the proposed scheme, an attribute-based signature has the form \(\sigma = \left\{ X_1, X_2, (I_1,\ldots ,I_l), (Q_1,\ldots ,Q_{t_{max}}) \right\} \), where \(s_{i,j} = \mu_j^{r \upsilon_i}\) is the private-key component for attribute \(\upsilon_i\) and

$$\begin{aligned} X_1 &= g^{r+r_0}, \qquad X_2 = g^{d_0}, \qquad I_i = g^{d_i} \cdot X_1^{\frac{\eta_i}{\upsilon_i}},\\ Q_j &= X_0 \cdot \prod_{i=1}^{l} \mu_j^{\upsilon_i \Lambda_{i,j} d_i} \cdot \prod_{i=1}^{l} s_{i,j}^{\Lambda_{i,j}} \cdot \prod_{i=1}^{l} \mu_j^{\upsilon_i \Lambda_{i,j} r_0}\\ &= g_2^{a} \cdot (\mu')^{(r+r_0) H(\lambda)} \cdot \varpi^{d_0} \cdot \tau^{d_0 H(\Upsilon \parallel \mathfrak{M})} \cdot \prod_{i=1}^{l} \mu_j^{\upsilon_i \Lambda_{i,j} d_i} \cdot \prod_{i=1}^{l} \mu_j^{(r+r_0) \upsilon_i \Lambda_{i,j}}. \end{aligned}$$

Then \(\sigma \) is verified by the following equations:

$$\begin{aligned} & e(g_2, g_1) \cdot e\left( \mu', X_1^{H(\lambda)} \right) \cdot e\left( \varpi \cdot \tau^{H(\Upsilon \parallel \mathfrak{M})}, X_2 \right) \cdot \prod_{i=1}^{l} e\left( \mu_j^{\upsilon_i \Lambda_{i,j}}, I_i \cdot X_1 \right)\\ &\quad = e(g_2, g^{a}) \cdot e\left( \mu', g^{(r+r_0) H(\lambda)} \right) \cdot e\left( \varpi \cdot \tau^{H(\Upsilon \parallel \mathfrak{M})}, g^{d_0} \right) \cdot \prod_{i=1}^{l} e\left( \mu_j^{\upsilon_i \Lambda_{i,j}}, I_i \right) \cdot \prod_{i=1}^{l} e\left( \mu_j^{\upsilon_i \Lambda_{i,j}}, X_1 \right)\\ &\quad = e(g_2^{a}, g) \cdot e\left( (\mu')^{(r+r_0) H(\lambda)}, g \right) \cdot e\left( \varpi^{d_0} \cdot \tau^{d_0 H(\Upsilon \parallel \mathfrak{M})}, g \right) \cdot \prod_{i=1}^{l} e\left( \mu_j^{\upsilon_i \Lambda_{i,j}}, g^{d_i} \cdot X_1^{\frac{\eta_i}{\upsilon_i}} \right) \cdot \prod_{i=1}^{l} e\left( \mu_j^{\upsilon_i \Lambda_{i,j}}, X_1 \right)\\ &\quad = e\left( g_2^{a} \cdot (\mu')^{(r+r_0) H(\lambda)} \cdot \varpi^{d_0} \cdot \tau^{d_0 H(\Upsilon \parallel \mathfrak{M})}, g \right) \cdot \prod_{i=1}^{l} e\left( \mu_j^{\upsilon_i \Lambda_{i,j} d_i}, g \right) \cdot \prod_{i=1}^{l} e\left( \mu_j^{\Lambda_{i,j} \eta_i}, X_1 \right) \cdot \prod_{i=1}^{l} e\left( \mu_j^{\upsilon_i \Lambda_{i,j}}, X_1 \right)\\ &\quad = e\left( g_2^{a} \cdot (\mu')^{(r+r_0) H(\lambda)} \cdot \varpi^{d_0} \cdot \tau^{d_0 H(\Upsilon \parallel \mathfrak{M})} \cdot \prod_{i=1}^{l} \mu_j^{\upsilon_i \Lambda_{i,j} d_i}, g \right) \cdot \prod_{i=1}^{l} e\left( \mu_j^{\Lambda_{i,j} \eta_i}, X_1 \right) \cdot \prod_{i=1}^{l} e\left( \mu_j^{\upsilon_i \Lambda_{i,j}}, g^{r+r_0} \right); \end{aligned}$$

when \(j=1\), we have \(\sum_{i=1}^{l} \Lambda_{i,j} \eta_i = 1\), so

$$\begin{aligned} & e(g_2, g_1) \cdot e\left( \mu', X_1^{H(\lambda)} \right) \cdot e\left( \varpi \cdot \tau^{H(\Upsilon \parallel \mathfrak{M})}, X_2 \right) \cdot \prod_{i=1}^{l} e\left( \mu_j^{\upsilon_i \Lambda_{i,j}}, I_i \cdot X_1 \right)\\ &\quad = e\left( g_2^{a} \cdot (\mu')^{(r+r_0) H(\lambda)} \cdot \varpi^{d_0} \cdot \tau^{d_0 H(\Upsilon \parallel \mathfrak{M})} \cdot \prod_{i=1}^{l} \mu_j^{\upsilon_i \Lambda_{i,j} d_i}, g \right) \cdot e\left( \mu_j^{\sum_{i=1}^{l} \Lambda_{i,j} \eta_i}, X_1 \right) \cdot \prod_{i=1}^{l} e\left( \mu_j^{\upsilon_i \Lambda_{i,j}}, g^{r+r_0} \right)\\ &\quad = e\left( g_2^{a} \cdot (\mu')^{(r+r_0) H(\lambda)} \cdot \varpi^{d_0} \cdot \tau^{d_0 H(\Upsilon \parallel \mathfrak{M})} \cdot \prod_{i=1}^{l} \mu_j^{\upsilon_i \Lambda_{i,j} d_i}, g \right) \cdot e(\mu_j, X_1) \cdot e\left( \prod_{i=1}^{l} \mu_j^{(r+r_0) \upsilon_i \Lambda_{i,j}}, g \right)\\ &\quad = e\left( g_2^{a} \cdot (\mu')^{(r+r_0) H(\lambda)} \cdot \varpi^{d_0} \cdot \tau^{d_0 H(\Upsilon \parallel \mathfrak{M})} \cdot \prod_{i=1}^{l} \mu_j^{\upsilon_i \Lambda_{i,j} d_i} \cdot \prod_{i=1}^{l} \mu_j^{(r+r_0) \upsilon_i \Lambda_{i,j}}, g \right) \cdot e(\mu_j, X_1)\\ &\quad = e(Q_j, g) \cdot e(\mu_j, X_1); \end{aligned}$$

when \(j>1\), we have \(\sum_{i=1}^{l} \Lambda_{i,j} \eta_i = 0\), so

$$\begin{aligned} & e(g_2, g_1) \cdot e\left( \mu', X_1^{H(\lambda)} \right) \cdot e\left( \varpi \cdot \tau^{H(\Upsilon \parallel \mathfrak{M})}, X_2 \right) \cdot \prod_{i=1}^{l} e\left( \mu_j^{\upsilon_i \Lambda_{i,j}}, I_i \cdot X_1 \right)\\ &\quad = e\left( g_2^{a} \cdot (\mu')^{(r+r_0) H(\lambda)} \cdot \varpi^{d_0} \cdot \tau^{d_0 H(\Upsilon \parallel \mathfrak{M})} \cdot \prod_{i=1}^{l} \mu_j^{\upsilon_i \Lambda_{i,j} d_i}, g \right) \cdot e\left( \mu_j^{\sum_{i=1}^{l} \Lambda_{i,j} \eta_i}, X_1 \right) \cdot \prod_{i=1}^{l} e\left( \mu_j^{\upsilon_i \Lambda_{i,j}}, g^{r+r_0} \right)\\ &\quad = e\left( g_2^{a} \cdot (\mu')^{(r+r_0) H(\lambda)} \cdot \varpi^{d_0} \cdot \tau^{d_0 H(\Upsilon \parallel \mathfrak{M})} \cdot \prod_{i=1}^{l} \mu_j^{\upsilon_i \Lambda_{i,j} d_i}, g \right) \cdot \prod_{i=1}^{l} e\left( \mu_j^{(r+r_0) \upsilon_i \Lambda_{i,j}}, g \right)\\ &\quad = e\left( g_2^{a} \cdot (\mu')^{(r+r_0) H(\lambda)} \cdot \varpi^{d_0} \cdot \tau^{d_0 H(\Upsilon \parallel \mathfrak{M})} \cdot \prod_{i=1}^{l} \mu_j^{\upsilon_i \Lambda_{i,j} d_i} \cdot \prod_{i=1}^{l} \mu_j^{(r+r_0) \upsilon_i \Lambda_{i,j}}, g \right)\\ &\quad = e(Q_j, g). \end{aligned}$$

Thus, Claim 7.1 follows. \(\square \)

Appendix 2: Comparisons of three schemes

Tables 1 and 2 compare the three schemes (the scheme of Sect. 6.2, Maji’s third instantiation [23] and the simple form of Okamoto’s scheme [24]). Table 1 compares signature length: the proposed scheme (the scheme of Sect. 6.2) and Maji’s scheme have the same signature length, and both are shorter than Okamoto’s scheme. Table 2 shows the other differences between the three schemes.

Table 1 Signature length comparison of three schemes
Table 2 Other comparisons of three schemes

Appendix 3: Security proof

1.1 Proof of Theorem 7.1

Proof

Let ABS be the attribute-based signature scheme of Sect. 6.2, and let \(\mathcal {A}\) be an (\(\hbar \), \(\varepsilon \), \(q_e\), \(q_s\))-adversary attacking ABS. From \(\mathcal {A}\) we construct an algorithm \(\mathcal {B}\) that, given (g, \(g^a\), \(g^b\)) \(\in \mathbb {G}_1\), uses \(\mathcal {A}\) to compute \(g^{a\cdot b}\). We show that \(\mathcal {B}\) solves CDH with probability at least \(\varepsilon '\) in time at most \(\hbar '\), contradicting the (\(\hbar '\), \(\varepsilon '\))-CDH assumption. The simulation is built as follows (see Notes 5 and 6):

Setup: The algorithm takes a security parameter \(1^k\) as input. Let \(\mathbb {G}_1\) and \(\mathbb {G}_2\) be groups of prime order q, let g be a generator of \(\mathbb {G}_1\), and let \(e :{\mathbb {G}_1 \times \mathbb {G}_1 \rightarrow \mathbb {G}}_2\) denote the bilinear map. The size of the group is determined by the security parameter, and we set \(\mathbb {A}\subseteq \mathbb {Z}_q\) as the universe of attributes. One hash function \(H:\{0,1\}^*\rightarrow \mathbb {Z}_{1^k\cdot q}\) is used to map arbitrary strings to integers in \(\mathbb {Z}_{1^k\cdot q}\) (where \(1^k\) is read as the corresponding integer). The construction supports claim-predicates whose monotone span programs have width at most \(t_{max}\), where \(t_{max}\) is an arbitrary parameter.

Then the system parameters are generated as follows. The algorithm sets \(g_1=g^a\) and \(g_2=g^b\) with \(a, b\in \mathbb {Z}_q\) (\(\mathcal {B}\) does not know a or b), chooses \(\varrho , \partial _0 \in \mathbb {Z}_q\), and sets \(\varpi =g^{\varrho }\) and \(\tau = g_2^{\partial _0}\cdot g\). It then chooses \(\ell _0, \ell _j \in \mathbb {Z}_q\) for all \(j\in \{1,2,\ldots ,t_{max}\}\) and sets \(\mu ' = g_2^{{\ell _0}} \cdot g\) and \({\mu _j} = {g^{{\ell _j}}}\) for all \(j\in \{1,2,\ldots ,t_{max}\}\). Finally, the algorithm outputs the public parameters (\(\mathbb {G}_1\), \(\mathbb {G}_2\), e, g, \(g_1\), \(g_2\), \(\varpi \), \(\tau \), \(\mu '\), \((\mu _j)\)).

Queries: When running the adversary \(\mathcal {A}\), private key queries and signature queries can occur. The algorithm \(\mathcal {B}\) answers these in the following way:

  • Key queries: Given a user’s attribute set \(\mathfrak {A}\subseteq \mathbb {A}\), the algorithm \(\mathcal {B}\) constructs a private key \(sk_{\mathfrak {A}}\) as follows. Compute \(\lambda = \prod \nolimits _{i = 1}^{|\mathfrak {A}|} {{\upsilon _i}}\) over the attributes \(\upsilon _i \in \mathfrak {A}\), \(i\in \{1,2,\ldots ,|\mathfrak {A}|\}\), where \(|\mathfrak {A}|\) is the size of \(\mathfrak {A}\); choose a random \(r \in \mathbb {Z}_q\) and compute \({x_0} = g_1^{ - \frac{1}{{{\ell _0}}}} \cdot {\left( {\mu '} \right) ^{{\frac{r}{{H(\lambda )}}}}}\) and \({x_1} = {\left( {g_1^{ - \frac{1}{{{\ell _0}}}} \cdot {g^{\frac{r}{{H(\lambda )}}}}} \right) ^{\frac{1}{{H(\lambda )}}}}\); for each attribute \(\upsilon _i \in \mathfrak {A}\), \(i\in \{1,2,\ldots ,|\mathfrak {A}|\}\), compute \({s_{i,j}} = {\left( {g_1^{ - \frac{{{\ell _j}}}{{{\ell _0}}}} \cdot {{\left( {{\mu _j}} \right) }^{\frac{r}{{H(\lambda )}}}}} \right) ^{\frac{{{\upsilon _i}}}{{H(\lambda )}}}}\) for all \(j\in \{1,2,\ldots ,t_{max}\}\). The algorithm outputs the private key \(s{k_{\mathfrak {A}}} = \left\{ {{x_0},{x_1},\left( {{s_{i,j}}} \right) } \right\} \), \(i\in \{1,2,\ldots ,|\mathfrak {A}|\}\), \(j\in \{1,2,\ldots ,t_{max}\}\), to the adversary \(\mathcal {A}\). To see that \(sk_{\mathfrak {A}}\) is a correctly formed key, rewrite it as follows:

    $$\begin{aligned} x_0 &= g_1^{-\frac{1}{\ell_0}} \cdot (\mu')^{\frac{r}{H(\lambda)}} = g_2^{a} \cdot g_2^{-a} \cdot g^{-\frac{a}{\ell_0}} \cdot (\mu')^{\frac{r}{H(\lambda)}} = g_2^{a} \cdot \left( g_2^{\ell_0} \cdot g \right)^{-\frac{a}{\ell_0}} \cdot (\mu')^{\frac{r}{H(\lambda)}}\\ &= g_2^{a} \cdot (\mu')^{-\frac{a}{\ell_0}} \cdot (\mu')^{\frac{r}{H(\lambda)}} = g_2^{a} \cdot (\mu')^{\frac{r}{H(\lambda)} - \frac{a}{\ell_0}},\\ x_1 &= \left( g_1^{-\frac{1}{\ell_0}} \cdot g^{\frac{r}{H(\lambda)}} \right)^{\frac{1}{H(\lambda)}} = \left( g^{-\frac{a}{\ell_0}} \cdot g^{\frac{r}{H(\lambda)}} \right)^{\frac{1}{H(\lambda)}} = g^{\left( \frac{r}{H(\lambda)} - \frac{a}{\ell_0} \right) \cdot \frac{1}{H(\lambda)}},\\ s_{i,j} &= \left( g_1^{-\frac{\ell_j}{\ell_0}} \cdot \mu_j^{\frac{r}{H(\lambda)}} \right)^{\frac{\upsilon_i}{H(\lambda)}} = \left( \left( g^{\ell_j} \right)^{-\frac{a}{\ell_0}} \cdot \mu_j^{\frac{r}{H(\lambda)}} \right)^{\frac{\upsilon_i}{H(\lambda)}} = \left( \mu_j^{-\frac{a}{\ell_0}} \cdot \mu_j^{\frac{r}{H(\lambda)}} \right)^{\frac{\upsilon_i}{H(\lambda)}} = \mu_j^{\left( \frac{r}{H(\lambda)} - \frac{a}{\ell_0} \right) \cdot \frac{\upsilon_i}{H(\lambda)}}. \end{aligned}$$

    Setting \(r' = \left( {\frac{r}{{H(\lambda )}} - \frac{a}{{{\ell _0}}}} \right) \cdot \frac{1}{{H(\lambda )}}\), we obtain \(s{k_{\mathfrak {A}}} = \left\{ {{x_0},{x_1},\left( {{s_{i,j}}} \right) } \right\} = \left\{ g_2^a \cdot {{\left( {\mu '} \right) }^{r' \cdot H(\lambda )}},{\text { }}{g^{r'}}, {{\left( {{\mu _j}} \right) }^{r' \cdot {\upsilon _i}}} \right\} \), which is a valid private key on \(\mathfrak {A}\). If \({\ell _0} \cdot H(\lambda ) = 0\) mod q, the above computation cannot be performed and the simulator aborts; otherwise the private key \(sk_{\mathfrak {A}}\) is passed to the adversary \(\mathcal {A}\).

  • Signature queries: Given a claim-predicate \(\Upsilon \) on an attribute set \(\mathfrak {A}\) and a message \(\mathfrak {M}\), the algorithm \(\mathcal {B}\) constructs a simulated attribute-based signature \(\sigma \) as follows. Convert the claim-predicate \(\Upsilon \) to its monotone span program \(\Lambda \in {\left( {{{\mathbb {Z}}_q}} \right) ^{l \times {t_{\max }}}}\) with row labeling \(\upsilon :[l]\rightarrow \mathbb {A}\), and compute the vector \(\overrightarrow{\eta } = \left( {{\eta _i}} \right) \), \(i\in \{1,2,\ldots ,l\}\), that corresponds to the satisfying assignment \(\mathfrak {A}\). Compute \(\lambda = \prod \nolimits _{i = 1}^{|{\mathfrak {A}}|} {{\upsilon _i}}\) over the attributes \(\upsilon _i \in \mathfrak {A}\), \(i\in \{1,2,\ldots ,|\mathfrak {A}|\}\); then choose \(r,d_0,d_1,\ldots ,d_l\in \mathbb {Z}_q\) and compute

    $$\begin{aligned} X_0 &= g_1^{-\frac{1}{\partial_0}} \cdot (\mu')^{r H(\lambda)} \cdot \tau^{d_0} \cdot g_1^{-\frac{\varrho}{\partial_0} \cdot \frac{1}{H(\Upsilon \parallel \mathfrak{M})}} \cdot \varpi^{d_0 \cdot \frac{1}{H(\Upsilon \parallel \mathfrak{M})}},\\ X_1 &= g^{r}, \qquad X_2 = \left( g_1^{-\frac{1}{\partial_0}} \cdot g^{d_0} \right)^{\frac{1}{H(\Upsilon \parallel \mathfrak{M})}}, \qquad I_i = g^{d_i} \cdot X_1^{\frac{\eta_i}{\upsilon_i}},\\ Q_j &= X_0 \cdot \prod_{i=1}^{l} \mu_j^{\upsilon_i \Lambda_{i,j} d_i} \cdot \prod_{i=1}^{l} \mu_j^{r \upsilon_i \Lambda_{i,j}}, \end{aligned}$$

    where \(i\in \{1,2,\ldots ,l\}\) and \(j\in \{1,2,\ldots ,t_{max}\}\). Finally, the algorithm outputs the attribute-based signature \(\sigma = \left\{ {{X_1},{X_2},\left( {{I_1},{I_2},\ldots ,{I_l}} \right) ,\left( {{Q_1},{Q_2},\ldots ,{Q_{{t_{max }}}}} \right) } \right\} .\) Remark: since r is picked uniformly at random, \(X_1=g^r\) is uniformly distributed in its domain, so the simulated signatures are unlinkable. To see that \(\sigma \) is a correctly formed signature, rewrite it as follows:

    $$\begin{aligned} X_0 &= g_1^{-\frac{1}{\partial_0}} \cdot (\mu')^{r H(\lambda)} \cdot \tau^{d_0} \cdot g_1^{-\frac{\varrho}{\partial_0} \cdot \frac{1}{H(\Upsilon \parallel \mathfrak{M})}} \cdot \varpi^{d_0 \cdot \frac{1}{H(\Upsilon \parallel \mathfrak{M})}}\\ &= g_2^{a} \cdot g_2^{-a} \cdot g^{-\frac{a}{\partial_0}} \cdot (\mu')^{r H(\lambda)} \cdot \tau^{d_0} \cdot \left( g^{\varrho} \right)^{-\frac{a}{\partial_0} \cdot \frac{1}{H(\Upsilon \parallel \mathfrak{M})}} \cdot \varpi^{d_0 \cdot \frac{1}{H(\Upsilon \parallel \mathfrak{M})}}\\ &= g_2^{a} \cdot \left( g_2^{\partial_0} \cdot g \right)^{-\frac{a}{\partial_0}} \cdot (\mu')^{r H(\lambda)} \cdot \tau^{d_0} \cdot \varpi^{-\frac{a}{\partial_0} \cdot \frac{1}{H(\Upsilon \parallel \mathfrak{M})}} \cdot \varpi^{d_0 \cdot \frac{1}{H(\Upsilon \parallel \mathfrak{M})}}\\ &= g_2^{a} \cdot \tau^{-\frac{a}{\partial_0}} \cdot (\mu')^{r H(\lambda)} \cdot \tau^{d_0} \cdot \varpi^{\left( d_0 - \frac{a}{\partial_0} \right) \cdot \frac{1}{H(\Upsilon \parallel \mathfrak{M})}}\\ &= g_2^{a} \cdot (\mu')^{r H(\lambda)} \cdot \tau^{d_0 - \frac{a}{\partial_0}} \cdot \varpi^{\left( d_0 - \frac{a}{\partial_0} \right) \cdot \frac{1}{H(\Upsilon \parallel \mathfrak{M})}},\\ X_2 &= \left( g_1^{-\frac{1}{\partial_0}} \cdot g^{d_0} \right)^{\frac{1}{H(\Upsilon \parallel \mathfrak{M})}} = \left( g^{-\frac{a}{\partial_0}} \cdot g^{d_0} \right)^{\frac{1}{H(\Upsilon \parallel \mathfrak{M})}} = g^{\left( d_0 - \frac{a}{\partial_0} \right) \cdot \frac{1}{H(\Upsilon \parallel \mathfrak{M})}}. \end{aligned}$$

    Setting \({d_0}' = \left( {{d_0} - \frac{a}{{{\partial _0}}}} \right) \cdot \frac{1}{{H\left( {\Upsilon \parallel \mathfrak {M}} \right) }}\), the signature \(\sigma \) becomes

    $$\begin{aligned} X_1 &= g^{r}, \qquad X_2 = g^{d_0'}, \qquad I_i = g^{d_i} \cdot X_1^{\frac{\eta_i}{\upsilon_i}},\\ Q_j &= X_0 \cdot \prod_{i=1}^{l} \mu_j^{\upsilon_i \Lambda_{i,j} d_i} \cdot \prod_{i=1}^{l} \mu_j^{r \upsilon_i \Lambda_{i,j}} = g_2^{a} \cdot (\mu')^{r H(\lambda)} \cdot \varpi^{d_0'} \cdot \tau^{d_0' H(\Upsilon \parallel \mathfrak{M})} \cdot \prod_{i=1}^{l} \mu_j^{\upsilon_i \Lambda_{i,j} d_i} \cdot \prod_{i=1}^{l} \mu_j^{r \upsilon_i \Lambda_{i,j}}. \end{aligned}$$

    So \(\sigma \) is a valid attribute-based signature. If \({\partial _0} \cdot H\left( {\Upsilon \parallel \mathfrak {M}} \right) = 0\) mod q, the above computation cannot be performed and the simulator aborts; otherwise the attribute-based signature \(\sigma \) is passed to the adversary \(\mathcal {A}\).

Forgery: If the algorithm \(\mathcal {B}\) does not abort as a consequence of one of the queries above, the adversary \(\mathcal {A}\) will, with probability at least \(\varepsilon \), return a message \(\mathfrak {M}^*\), a claim-predicate \(\Upsilon ^*\) on an attribute set \(\mathfrak {A}^*\), a vector \({\overrightarrow{\eta } ^*} = \left( {\eta _i^*} \right) \) (here we temporarily set privacy aside) and a valid attribute-based signature forgery. The claim-predicate \(\Upsilon ^*\) has the corresponding monotone span program \({\Lambda ^*} \in {\left( {{{\mathbb {Z}}_q}} \right) ^{l \times {t_{\max }}}}\); the vector \({\overrightarrow{\eta } ^*} = \left( {\eta _i^*} \right) \) corresponds to the satisfying assignment \(\mathfrak {A}^*\), with \(i\in \{1,2,\ldots ,l\}\); each attribute \(\upsilon _i^* \in \mathfrak {A}^*\), with \(i\in \{1,2,\ldots ,|\mathfrak {A}^*|\}\); and \({\lambda ^*} = \prod \nolimits _{i = 1}^{|{\mathfrak {A}^*}|} {\upsilon _i^*}\). The forgery is

$$\begin{aligned} {\sigma ^*} = \left\{ {{X_1}^*,{X_2}^*,\left( {{I_1}^*,{I_2}^*,\ldots ,{I_l}^*} \right) ,\left( {{Q_1}^*,{Q_2}^*,\ldots ,{Q_{{t_{max }}}}^*} \right) } \right\} , \end{aligned}$$

where \(\Upsilon ^*(\mathfrak {A})=0\) for all \(\mathfrak {A} \subseteq \mathbb {A}\) queried to the key query oracle, and

$$\begin{aligned}&\displaystyle {X_1}^* = {g^{{r^*}}}, {X_2}^* = {g^{d_0^{^*}}}, {I_i}^* = {g^{d_i^*}} \cdot {\left( {X_1^{^*}} \right) ^{\frac{{\eta _i^*}}{{\upsilon _i^*}}}},\\&\displaystyle {Q_j}^* = g_2^a \cdot {\left( {\mu {{'}}} \right) ^{{r^*} \cdot H({\lambda ^*})}} \cdot \varpi ^{d_0^*} \cdot {\tau ^{d_0^* \cdot H\left( {{\Upsilon ^*}\parallel {\mathfrak {M}^*}} \right) }} \cdot \prod \limits _{i = 1}^l {{{\left( {{\mu _j}} \right) }^{{\upsilon _i}^*{ \cdot {\Lambda _{i,j}}^* \cdot d_i^*}}}} \cdot \prod \limits _{i = 1}^l {{{\left( {{\mu _j}} \right) }^{{r^*} \cdot {\upsilon _i}^*{ \cdot {\Lambda _{i,j}}^*}}}}, \end{aligned}$$

where \(i\in \{1,2,\ldots ,l\}\) and \(j\in \{1,2,\ldots ,t_{max}\}\).

If \({\ell _0} \cdot H({\lambda ^*}) \ne 0\) mod q or \({\partial _0} \cdot H\left( {{\Upsilon ^*}\parallel {\mathfrak {M}^*}} \right) \ne 0\) mod q, then the algorithm \(\mathcal {B}\) will abort.

If \({\ell _0} \cdot H({\lambda ^*}) = 0\) mod q and \({\partial _0} \cdot H\left( {{\Upsilon ^*}\parallel {\mathfrak {M}^*}} \right) = 0\) mod q, then the algorithm \(\mathcal {B}\) computes and outputs

$$\begin{aligned}&\frac{{{Q_j}^*}}{{{{\left( {{g^{{r^*}}}} \right) }^{H({\lambda ^*})}} \cdot (g^{d_0^*})^{\varrho }\cdot {{\left( {{g^{d_0^{^*}}}} \right) }^{H\left( {{\Upsilon ^*}\parallel {\mathfrak {M}^*}} \right) }} \cdot \prod \nolimits _{i = 1}^l {{{\left( {{g^{{r^*}}}} \right) }^{{\ell _j} \cdot {{{\upsilon _i}^*}}{{ \cdot {\Lambda _{i,j}}^*}} }}} \cdot \prod \nolimits _{i = 1}^l {{{\left( {\frac{{{I_i}^*}}{{{{\left( {X_1^{^*}} \right) }^{\frac{{{\eta _i}^*}}{{{\upsilon _i}^*}}}}}}} \right) }}^{{{\ell _j} \cdot }{{{{\upsilon _i}^*}}{ \cdot {\Lambda _{i,j}}^*}}}} }}\\&\quad = \frac{{g_2^a \cdot {{\left( {\mu {{'}}} \right) }^{{r^*} \cdot H({\lambda ^*})}} \cdot \varpi ^{d_0^*} \cdot {\tau ^{d_0^* \cdot H\left( {{\Upsilon ^*}\parallel {\mathfrak {M}^*}} \right) }} \cdot \prod \nolimits _{i = 1}^l {{{\left( {{\mu _j}} \right) }}^{{{\upsilon _i}^*}{ \cdot {\Lambda _{i,j}}^* \cdot d_i^*}}} \cdot \prod \nolimits _{i = 1}^l {{{\left( {{\mu _j}} \right) }}^{{{r^*} \cdot {\upsilon _i}^*}{ \cdot {\Lambda _{i,j}}^*}}} }}{{{{\left( {{g^{{r^*}}}} \right) }^{H({\lambda ^*})}} \cdot (g^{d_0^*})^{\varrho }\cdot {{\left( {{g^{d_0^{^*}}}} \right) }^{H\left( {{\Upsilon ^*}\parallel {\mathfrak {M}^*}} \right) }} \cdot \prod \nolimits _{i = 1}^l {{{\left( {{g^{{r^*}}}} \right) }^{{\ell _j} \cdot {{{{\upsilon _i}^*}}{ \cdot {\Lambda _{i,j}}^*}}}}} \cdot \prod \nolimits _{i = 1}^l {{{\left( {\frac{{g^{d_i^*}} \cdot {\left( {X_1^{^*}} \right) ^{\frac{{\eta _i^*}}{{\upsilon _i^*}}}}}{{{{\left( {X_1^{^*}} \right) }^{\frac{{{\eta _i}^*}}{{{\upsilon _i}^*}}}}}}} \right) }^{{\ell _j} \cdot {{{{\upsilon _i}^*}}{ \cdot {\Lambda _{i,j}}^*}}}}} }}\\&\quad = \frac{{g_2^a \cdot {{\left( {g_2^{{\ell _0}} \cdot g} \right) }^{{r^*} \cdot H({\lambda ^*})}} \cdot (g^\varrho )^{d_0^*}\cdot {{\left( {g_2^{{\partial _0}} \cdot g} \right) }^{d_0^* \cdot H\left( {{\Upsilon ^*}\parallel {\mathfrak {M}^*}} \right) }} \cdot \prod \nolimits _{i = 1}^l {{{\left( {{g^{{\ell _j}}}} \right) }}^{{{\upsilon 
_i}^*}{ \cdot {\Lambda _{i,j}}^* \cdot d_i^*}}} \cdot \prod \nolimits _{i = 1}^l {{{\left( {{g^{{\ell _j}}}} \right) }}^{{{r^*} \cdot {\upsilon _i}^*}{ \cdot {\Lambda _{i,j}}^*}}} }}{{{{\left( {{g^{{r^*}}}} \right) }^{H({\lambda ^*})}} \cdot (g^{d_0^*})^{\varrho }\cdot {{\left( {{g^{d_0^{^*}}}} \right) }^{H\left( {{\Upsilon ^*}\parallel {\mathfrak {M}^*}} \right) }} \cdot \prod \nolimits _{i = 1}^l {{{\left( {{g^{{r^*}}}} \right) }^{{\ell _j} \cdot {{{{\upsilon _i}^*}}{ \cdot {\Lambda _{i,j}}^*}}}}} \cdot \prod \nolimits _{i = 1}^l {{{\left( {{g^{d_i^*}}} \right) }^{{\ell _j} \cdot {{{{\upsilon _i}^*}}{ \cdot {\Lambda _{i,j}}^*}}}}} }}\\&\quad = \frac{{g_2^a \cdot {{ {g_2^{{\ell _0}\cdot {r^*} \cdot H({\lambda ^*})} \cdot g^{{r^*} \cdot H({\lambda ^*})}} }} \cdot g^{\varrho \cdot d_0^*}\cdot {{ {g_2^{{\partial _0}\cdot d_0^* \cdot H\left( {{\Upsilon ^*}\parallel {\mathfrak {M}^*}} \right) } \cdot g^{d_0^* \cdot H\left( {{\Upsilon ^*}\parallel {\mathfrak {M}^*}} \right) }} }} \cdot \prod \nolimits _{i = 1}^l {{{\left( {{g^{{\ell _j}\cdot {{{\upsilon _i}^*}{ \cdot {\Lambda _{i,j}}^* \cdot d_i^*}} }}} \right) }}} \cdot \prod \nolimits _{i = 1}^l {{{\left( {{g^{{\ell _j}\cdot {{{r^*} \cdot {\upsilon _i}^*}{ \cdot {\Lambda _{i,j}}^*}}}}} \right) }}} }}{{{{{{g^{{r^*}\cdot {H({\lambda ^*})}}}}} } \cdot g^{d_0^*\cdot {\varrho }} \cdot {{ {{g^{d_0^{*}\cdot {H\left( {{\Upsilon ^*}\parallel {\mathfrak {M}^*}} \right) } }}} } } \cdot \prod \nolimits _{i = 1}^l {{{\left( {{g^{{r^*}\cdot {{\ell _j} \cdot {{{{\upsilon _i}^*}}{ \cdot {\Lambda _{i,j}}^*}}} }}} \right) }}} \cdot \prod \nolimits _{i = 1}^l {{{\left( {{g^{d_i^*\cdot {{\ell _j} \cdot {{{{\upsilon _i}^*}}{ \cdot {\Lambda _{i,j}}^*}}}}}} \right) }}} }}\\&\quad = {g_2^a \cdot {{ {g_2^{{\ell _0}\cdot {r^*} \cdot H({\lambda ^*})} } }}\cdot {{ {g_2^{{\partial _0}\cdot d_0^* \cdot H\left( {{\Upsilon ^*}\parallel {\mathfrak {M}^*}} \right) } } }} }= {g_2^a \cdot {{ {g_2^{{r^*}\cdot {\ell _0}\cdot H({\lambda ^*})} } }}\cdot {{ 
{g_2^{ d_0^* \cdot {\partial _0}\cdot H\left( {{\Upsilon ^*}\parallel {\mathfrak {M}^*}} \right) } } }} }\\&\quad = g_2^a = {g^{a \cdot b}}, \end{aligned}$$

which is the solution to the given CDH problem.
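As an added check of the two identities above (the simulated \(X_0, X_2\) in the signing-query answer, and the quotient that extracts \(g^{a\cdot b}\) from the forgery), the following Python script carries the exponent algebra through in a toy group. It is added here and is not the paper's code. The group is the order-\(q\) subgroup of \(\mathbb {Z}_p^*\) with the constructed parameters \(p=1019\), \(q=509\); it stands in for the pairing group because neither identity uses a pairing. The parameter form \(\mu '=g_2^{\ell _0}\cdot g\), \(\tau =g_2^{\partial _0}\cdot g\), \(\varpi =g^{\varrho }\), \(\mu _j=g^{\ell _j}\) is read off from the substitutions in the extraction above; hash values \(H(\lambda )\) and \(H(\Upsilon \parallel \mathfrak {M})\) are passed in directly as residues in \(\mathbb {Z}_q\) (an assumption: only those residues matter to the reduction), and every numeric value is constructed for the demonstration.

```python
# Added worked check of the reduction's exponent algebra (not the paper's code).
# Toy group: order-q subgroup of Z_p^* with p = 2q + 1 (constructed parameters);
# it stands in for the pairing group because neither identity below needs a pairing.
# Hash values H(.) are passed in directly as residues in Z_q (assumption).

P = 1019                       # toy safe prime p = 2q + 1
Q = 509                        # prime order q of the subgroup
G = pow(2, (P - 1) // Q, P)    # g: generator of the order-q subgroup (= 4)

def inv_q(x):
    """Inverse in the exponent ring Z_q; raises if x = 0 mod q."""
    return pow(x % Q, -1, Q)

def gexp(base, e):
    """base^e in the group; exponents are reduced modulo q."""
    return pow(base, e % Q, P)

def gmul(*xs):
    out = 1
    for x in xs:
        out = out * x % P
    return out

def setup_simulator(a, b, l0, p0, rho, ells):
    """Public parameters as the simulator programs them from (g, g1=g^a, g2=g^b):
    mu' = g2^{l0}*g, tau = g2^{p0}*g (p0 is the paper's partial_0), varpi = g^rho,
    mu_j = g^{ell_j}.  Only g1 and g2 are used afterwards, never a or b."""
    g1, g2 = gexp(G, a), gexp(G, b)
    return {"g1": g1, "g2": g2,
            "mu_prime": gmul(gexp(g2, l0), G),
            "tau": gmul(gexp(g2, p0), G),
            "varpi": gexp(G, rho),
            "mu": [gexp(G, lj) for lj in ells]}

def simulate_x0_x2(pp, p0, rho, h_lambda, h_msg, r, d0):
    """Simulator's answer to a signature query (X_0 and X_2 from the proof),
    computed from g1 = g^a alone.  Aborts when partial_0*H(Upsilon||M) = 0 mod q."""
    if (p0 * h_msg) % Q == 0:
        raise ValueError("abort: partial_0 * H(Upsilon||M) = 0 mod q")
    inv_p0, inv_h = inv_q(p0), inv_q(h_msg)
    g1 = pp["g1"]
    x0 = gmul(gexp(g1, -inv_p0),
              gexp(pp["mu_prime"], r * h_lambda),
              gexp(pp["tau"], d0),
              gexp(g1, -rho * inv_p0 * inv_h),
              gexp(pp["varpi"], d0 * inv_h))
    x2 = gexp(gmul(gexp(g1, -inv_p0), gexp(G, d0)), inv_h)
    return x0, x2

def honest_x0_x2(pp, msk, h_lambda, h_msg, r, d0):
    """Same components computed by a signer holding the master key msk = g2^a."""
    x0 = gmul(msk, gexp(pp["mu_prime"], r * h_lambda),
              gexp(pp["varpi"], d0), gexp(pp["tau"], d0 * h_msg))
    return x0, gexp(G, d0)

def simulation_matches(a, b, l0, p0, rho, h_lambda, h_msg, r, d0):
    """Identity from the signing simulation: the simulator's (X_0, X_2) equal an
    honest signer's with randomness d0' = (d0 - a/partial_0) / H(Upsilon||M)."""
    pp = setup_simulator(a, b, l0, p0, rho, [])
    d0_prime = (d0 - a * inv_q(p0)) * inv_q(h_msg)
    return simulate_x0_x2(pp, p0, rho, h_lambda, h_msg, r, d0) == \
        honest_x0_x2(pp, gexp(G, a * b), h_lambda, h_msg, r, d0_prime)

def honest_sign(pp, msk, h_lambda, h_msg, r, d0, ds, etas, attrs, lam):
    """Forgery-shaped signature {X1, X2, (I_i), (Q_j)} built with the master key;
    lam is the l x t_max span-program matrix, attrs the upsilon_i, etas the eta_i."""
    x1 = gexp(G, r)
    x0, x2 = honest_x0_x2(pp, msk, h_lambda, h_msg, r, d0)
    ii = [gmul(gexp(G, di), gexp(x1, eta * inv_q(u)))
          for di, eta, u in zip(ds, etas, attrs)]
    qs = []
    for j, mu_j in enumerate(pp["mu"]):
        q_j = x0
        for i, (u, di) in enumerate(zip(attrs, ds)):
            q_j = gmul(q_j, gexp(mu_j, u * lam[i][j] * di), gexp(mu_j, r * u * lam[i][j]))
        qs.append(q_j)
    return x1, x2, ii, qs

def extract_cdh(pp, ells, rho, sig, h_lambda, h_msg, etas, attrs, lam, j=0):
    """The quotient the reduction outputs from the forgery.  It equals g^{ab}
    exactly when l0*H(lambda*) = 0 and partial_0*H(Upsilon*||M*) = 0 mod q;
    otherwise a leftover power of g2 remains."""
    x1, x2, ii, qs = sig
    denom = gmul(gexp(x1, h_lambda), gexp(x2, rho), gexp(x2, h_msg))
    for i, (u, eta) in enumerate(zip(attrs, etas)):
        e = ells[j] * u * lam[i][j]
        g_di = gmul(ii[i], gexp(x1, -eta * inv_q(u)))   # I_i / X1^{eta_i/upsilon_i} = g^{d_i}
        denom = gmul(denom, gexp(x1, e), gexp(g_di, e))
    return gmul(qs[j], pow(denom, -1, P))

def demo():
    """Returns (lucky, unlucky): whether extraction yields g^{ab} when the forgery's
    hash residues are 0 mod q (events E*, R*), and when they are not."""
    a, b, l0, p0, rho, ells = 77, 123, 5, 9, 31, [3, 8]
    pp, msk = setup_simulator(a, b, l0, p0, rho, ells), gexp(G, a * b)
    attrs, etas, lam = [17, 29, 41], [2, 0, 7], [[1, 0], [0, 1], [1, 1]]
    r, d0, ds = 101, 57, [11, 13, 19]
    lucky = honest_sign(pp, msk, 0, 0, r, d0, ds, etas, attrs, lam)
    unlucky = honest_sign(pp, msk, 4, 6, r, d0, ds, etas, attrs, lam)
    return (extract_cdh(pp, ells, rho, lucky, 0, 0, etas, attrs, lam) == msk,
            extract_cdh(pp, ells, rho, unlucky, 4, 6, etas, attrs, lam) == msk)
```

`simulation_matches` reproduces the signing-query argument: the simulator never touches \(a\), yet its \((X_0, X_2)\) coincide with an honest signer's for the shifted randomness \(d_0'\). `demo` reproduces the forgery argument: with the hash residues of the forgery equal to \(0 \bmod q\) the quotient is exactly \(g^{a\cdot b}\), while for nonzero residues the unknown \(g_2^{\ell _0 r^* H(\lambda ^*)} \cdot g_2^{\partial _0 d_0^* H(\Upsilon ^*\parallel \mathfrak {M}^*)}\) factor survives, which is why \(\mathcal {B}\) must abort there.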

We analyze the probability of the algorithm \(\mathcal {B}\) not aborting. For the simulation to complete without aborting, we require that all private key queries will have \({\ell _0} \cdot H(\lambda ) \ne 0 ~\mathbf mod ~q\), and all signature queries will have \({\partial _0} \cdot H\left( {\Upsilon \parallel \mathfrak {M}} \right) \ne 0 ~\mathbf mod ~q\), and that \({\ell _0} \cdot H({\lambda ^*}) = 0 ~\mathbf mod ~q\) and \({\partial _0} \cdot H\left( {{\Upsilon ^*}\parallel {\mathfrak {M}^*}} \right) = 0 ~\mathbf mod ~q\) in forgery. If the algorithm \(\mathcal {B}\) does not abort, then the following three conditions must hold:

  (a) \({\ell _0} \cdot H(\lambda ) \ne 0 ~\mathbf mod ~q\) in key queries;

  (b) \(\partial _0 \cdot H\left( {\Upsilon \parallel \mathfrak {M}} \right) \ne 0 ~\mathbf mod ~q\) in signature queries;

  (c) the algorithm \(\mathcal {B}\) does not abort in forgery, namely \({\ell _0} \cdot H({\lambda ^*}) = 0 ~\mathbf mod ~q\) and \({\partial _0} \cdot H\left( {{\Upsilon ^*}\parallel {\mathfrak {M}^*}} \right) = 0~\mathbf mod ~q\).

To make the analysis simpler, we will define the events \(E_i\), \(E^*\), \(R_j\), \(R^*\) as

\(E_i:{\ell _0} \cdot H(\lambda ) \ne 0 ~\mathbf mod ~q\), with \(i=1,2,\ldots ,q_e\), where \(q_e\) is the maximal number of private key queries;

\(E^*:{\ell _0} \cdot H({\lambda ^*}) = 0 ~\mathbf mod ~q\);

\(R_j:\partial _0 \cdot H\left( {\Upsilon \parallel \mathfrak {M}} \right) \ne 0 ~\mathbf mod ~q\), with \(j=1,2,\ldots ,q_s\), where \(q_s\) is the maximal number of signature queries;

\(R^*:{\partial _0} \cdot H\left( {{\Upsilon ^*}\parallel {\mathfrak {M}^*}} \right) = 0~\mathbf mod ~q\).

So, the probability of \(\mathcal {B}\) not aborting is \(\Pr (not\_abort) \!=\! \Pr \Big ( \bigcap \nolimits _{i = 1}^{{q_e}} {{{E}_i}} \wedge {{E}^{\text {*}}} \wedge \bigcap \nolimits _{j = 1}^{{q_s}} {{{R}_j}} \wedge {{R}^*} \Big ).\) It is easy to see that the events \(\bigcap \nolimits _{i = 1}^{{q_e}} {{{E}_i}}\), \(E^*\), \(\bigcap \nolimits _{j = 1}^{{q_s}} {{{R}_j}}\), \(R^*\) are independent. Then we may compute

$$\begin{aligned} \Pr \left( \bigcap \limits _{i = 1}^{{q_e}} {{{{E}}_i}} \right)= & {} 1 - \Pr \left( \bigcup \limits _{i = 1}^{{q_e}} {\lnot {{{E}}_i}} \right) = 1 - {q_e} \cdot \frac{{{1^k}}}{{{1^k} \cdot q}} = 1 - \frac{{{q_e}}}{q};\;\Pr ({{{E}}^{{*}}}) = \frac{{{1^k}}}{{{1^k} \cdot q}} = \frac{1}{q};\\ \Pr \left( \bigcap \limits _{j = 1}^{{q_s}} {{{{R}}_j}} \right)= & {} 1 - \Pr \left( \bigcup \limits _{j = 1}^{{q_s}} {\lnot {{{R}}_j}} \right) = 1 - {q_s} \cdot \frac{{{1^k}}}{{{1^k} \cdot q}} = 1 - \frac{{{q_s}}}{q};~~\Pr ({{{R}}^{{*}}}) = \frac{{{1^k}}}{{{1^k} \cdot q}} = \frac{1}{q};\\ \Pr (not\_abort)= & {} \Pr \left( {\bigcap \limits _{i = 1}^{{q_e}} {{{E}_i}} \wedge {{E}^{\text {*}}} \wedge \bigcap \limits _{j = 1}^{{q_s}} {{{R}_j}} \wedge {{R}^*}} \right) \\= & {} \Pr \left( \bigcap \limits _{i = 1}^{{q_e}} {{{E}_i}} \right) \cdot \Pr ({{E}^{\text {*}}}) \cdot \Pr \left( \bigcap \limits _{j = 1}^{{q_s}} {{{R}_j}} \right) \cdot \Pr ({{R}^{\text {*}}})\\= & {} \left( {1 - \frac{{{q_e}}}{q}} \right) \cdot \frac{1}{q} \cdot \left( {1 - \frac{{{q_s}}}{q}} \right) \cdot \frac{1}{q} = \left( {1 - \frac{{{q_e}}}{q}} \right) \cdot \left( {1 - \frac{{{q_s}}}{q}} \right) \cdot \frac{1}{{{q^2}}} \end{aligned}$$

Hence \(\varepsilon ' = \left( {1 - \frac{{{q_e}}}{q}} \right) \cdot \left( {1 - \frac{{{q_s}}}{q}} \right) \cdot \frac{\varepsilon }{{{q^2}}}.\)

If the simulation does not abort, the adversary \(\mathcal {A}\) will create a valid attribute-based signature forgery with probability at least \(\varepsilon \). The algorithm \(\mathcal {B}\) can then compute \(g^{a\cdot b}\) from the forgery as shown above. The time complexity of the algorithm \(\mathcal {B}\) is dominated by the time for the exponentiations and multiplications in the queries. Assuming that the time for integer multiplication and hash computation can be ignored, the time complexity of the algorithm \(\mathcal {B}\) (Footnote 7) is

$$\begin{aligned} \hbar '= & {} \hbar + O\big ( {{q_e} \cdot \left[ {\left( {2 \cdot \left| \mathfrak {A} \right| \cdot {t_{max }} + 3} \right) \cdot {C_{exp}} + \left( {\left| \mathfrak {A} \right| \cdot {t_{max }} + 2} \right) \cdot {C_{mul}}} \right] }\\&+\,{ {q_s} \cdot \left[ {\left( {l \cdot {t_{max }} + 3 \cdot l + 7} \right) \cdot {C_{exp}} + \left( {2 \cdot l \cdot {t_{max }} + l + 5} \right) \cdot {C_{mul}} + {C_{conv}} + {C_{vec}}} \right] }\big ), \end{aligned}$$

where \(|\mathfrak {A}|\) is the size of \(\mathfrak {A}\).

Thus, Theorem 7.1 follows.

1.2 Proof of Theorem 7.2

Proof

Let ABS = (Setup, AttrKeyGen, ASign, AVerify) be the attribute-based signature scheme of Sect. 6.2. Unforgeability of ABS follows from Theorem 7.1, so no adversary can forge a valid attribute-based signature with respect to ABS. In other words, ABS.ASign is the only signature oracle that produces valid attribute-based signatures. To prove perfect privacy, it then suffices to show that, for any predicate \(\Upsilon \) and any attribute set \(\mathfrak {A}\) with \(\Upsilon (\mathfrak {A})=1\), ABS.ASign outputs a valid signature that is uniformly distributed among all valid signatures with respect to ABS.

Let \(\sigma = \left\{ {{X_1},{X_2},\left( {{I_1},{I_2},\ldots ,{I_l}} \right) ,\left( {{Q_1},{Q_2},\ldots ,{Q_{{t_{max }}}}} \right) } \right\} \) be a valid attribute-based signature generated by ABS.ASign, where

$$\begin{aligned} {X_1}= & {} {g^{r+r_0}}, {X_2} = {g^{{d_0}}}, {I_i} = {g^{{d_i}}} \cdot X_1^{\frac{{{\eta _i}}}{{{\upsilon _i}}}},\\ {Q_j}= & {} {X_0} \cdot \prod \limits _{i = 1}^l {{{\left( {{\mu _j}} \right) }^{{\upsilon _i}}}^{ \cdot {\Lambda _{i,j}} \cdot {d_i}}} \cdot \prod \limits _{i = 1}^l {{{\left( {{s_{i,j}}} \right) }^{{\Lambda _{i,j}}}}} \cdot \prod \limits _{i = 1}^l {{{\left( {{\mu _j}} \right) }^{{\upsilon _i}}}^{ \cdot {\Lambda _{i,j}} \cdot {r_0}}}\\= & {} {g_2^a \cdot {\left( {\mu '} \right) ^{(r+r_0) \cdot H(\lambda )}} \cdot \varpi ^{d_0} \cdot {\tau ^{{d_0} \cdot H\left( {\Upsilon \parallel \mathfrak {M}} \right) }}} \cdot \prod \limits _{i = 1}^l {{{\left( {{\mu _j}} \right) }^{{\upsilon _i}}}^{ \cdot {\Lambda _{i,j}} \cdot {d_i}}} \cdot \prod \limits _{i = 1}^l {{{\left( {{\mu _j}} \right) }^{(r+r_0) \cdot {\upsilon _i} \cdot {\Lambda _{i,j}} }}}, \end{aligned}$$

For \(\sigma = \left\{ {{X_1},{X_2},\left( {{I_1},{I_2},\ldots ,{I_l}} \right) ,\left( {{Q_1},{Q_2},\ldots ,{Q_{{t_{max }}}}} \right) } \right\} \), it is easy to see that for any fixed choice of the \({g^{{d_i}}}\), the values \(I_1, I_2,\ldots ,I_l, Q_1, Q_2,\ldots ,Q_{t_{max}}\) are uniquely determined. Since \(r_0\), \(d_0\) and the \(d_i\) are picked uniformly at random from their respective domains, the values \(X_1, X_2, I_1, I_2,\ldots ,I_l\) and \(Q_1, Q_2,\ldots ,Q_{t_{max}}\) output by ABS.ASign are uniformly distributed in their respective domains.

Thus, Theorem 7.2 follows.


Cite this article

Gu, K., Jia, W., Wang, G. et al. Efficient and secure attribute-based signature for monotone predicates. Acta Informatica 54, 521–541 (2017). https://doi.org/10.1007/s00236-016-0270-5
