Attribute-Based Designated Combiner Transitive Signature Scheme

Abstract

Transitive signatures allow any entity to obtain a valid signature of $(i,k)$ by combining signatures of $(i,j)$ and $(j,k)$. However, the traditional transitive signature scheme does not offer fine-grained control over the combiner. To address this issue, we propose a formal definition of the attribute-based designated combiner transitive signature (ABDCTS) and its security model, where only entities whose inherent attributes meet the access policy can combine signatures. By introducing the fine-grained access control structure, control over the combiner is achieved. To demonstrate the feasibility of our primitive, this paper presents the first attribute-based designated combiner transitive signature scheme. Under an adaptive chosen-message attack, we prove its security based on the one-more CDH problem and the co-CDH problem, and that its algorithms have robustness.

1. Introduction

A digital signature is an important technology in the cryptography for protecting data security. It uses specific algorithms to verify the source and integrity of data, and is typically used to ensure the authenticity of network data and to prevent data tampering. Currently, digital signatures are widely used in electronic contract, electronic voting, electronic payment, and other fields.

Traditional digital signatures only involve simple signing and verification services, which obviously cannot meet the needs of some scenarios. Fo exaple, given an administrative domain with n nodes; clearly, a graph with n nodes can have $O\left(n^2\right)$ edges, and when using a traditional digital signature to authenticate the entire graph, we need to sign each edge, which will result in the signing complexity, as $O\left(n^2\right)$. In order to optimize the authentication operations of large-graph data, Micali and Rivest [1] proposed the concept of a transitive signature, allowing any entity to obtain an effective signature of $(i,k)$ by combining two signatures of $(i,j)$ and $(j,k)$. Thus, a valid signature for $(i,j)$ can be obtained by combining any signature chain of edge sequences on the path from i to j. This only requires $O\left(n\right)$ signatures to authenticate the entire administrative domain, thereby greatly reducing the signing complexity.

Even though the ability to combine signatures offers great convenience for authenticating large-graph data, in some cases, the signer might not want that combinability to be public. As shown in Figure 1, a chairman provides each member of his company a transitive signature, but only wants the department manager Alice (resp., Bob) to be able to combine his team A (resp., B) members’ signatures, while the others cannot. To achieve this goal, one solution is to issue public and private keys to each manager, and then use their public keys to disguise the signatures of their team members. However, this approach would result in a high cost. Another measure is to establish an access control policy to achieve fine-grained control over combiners, allowing only entities with both “A” and “manager” attributes to combine the signatures of A department members. Access control policy is a kind of authorization. The signer sets an access control policy that authorizes the combination capability of transitive signatures to entities with a specific set of attributes, that is, entities that do not meet the access control policy cannot combine signatures. In 2000, Rivest posed an open question: how to design transitive signature with a designated combiner, allowing only the entity specified by the signer to have the ability to combine signatures. There is currently no proposed transitive signature with a designated combiner, making further research in this area worthwhile.

Figure 1. An administrative domain that includes multiple departments like A and B.

1.1. Relate Works

The concept of transitive signatures was proposed by Micali and Rivest [1] in 2002. They designed two schemes based on the discrete logarithm problem and the RSA problem, but the security of the RSA-based scheme is limited to non-adaptive chosen message attacks. In 2005, Bellare and Neven [2,3] proposed multiple transitive signature schemes based on RSA, one-more discrete logarithm problem, and one-more gap Diffie–Hellman problem, all of which offer performance improvements greater than [1]. To address the efficiency issues caused by using special hash functions in the schemes, Lin et al. [4] introduced a scheme constructed using general hash functions, significantly improving efficiency by reducing computation time.

Hou et al. [5] proposed the universal designated verifier transitive signature (UDVTS) scheme for preventing transitive signature abuse. Zhu et al. [6] introduced the universal designated multiple verifier transitive signature (UDMVTS), a variant with multiple designated verifiers. Lin et al. [7] improved the UDVTS scheme efficiency with an RSA-based approach. Hou et al. [8] proposed a scheme with traceability features to resolve the signature dispute of UDVTS, introducing a tracer into the system to be able to trace back to the true source of the signature.

Lattice-based cryptosystems can withstand quantum computing attacks, unlike other cryptosystems that are vulnerable to such threats. In 2019, Geontae et al. [9] designed two lattice-based signature schemes under the random oracle model and the standard model, marking the first research on lattice-based signatures. Subsequently, Geontae et al. [10] combined the idea of identity-based signatures to design an identity-based lattice signature scheme.

This article will concisely introduce the access structure of the scheme. In 2011, Waters [11] proposed a method for describing any boolean function related to attribute control using a linear secret sharing scheme. Inspired by [11], numerous digital signature schemes have emerged, enabling fine-grained control over the signer or message, such as: [12,13,14].

1.2. Our Contributions

This paper aims to develop a transitive signature scheme enabling precise control over combiners, allowing the signer to designate specific entities with certain attributes for combined operations. The signer sets varying access control policies for combiners based on different data types, controlling “who can combine what data”. The main contributions of this paper are summarized as follows:

• This study presents a new access control mechanism for transitive signature combiners, and formally defines attribute-based designated combiner transitive signature and its security models. It also suggests a method to finely regulate unauthorized combined operations.
• We propose the first construction of the attribute-based designated combiner transitive signature (ABDCTS). Our proposal introduces ABDCTS via a monotone span program and linear secret sharing scheme, concealing transitive signatures by a secret, such that only those meeting specific attributes can reveal and combine it. Its security is subsequently demonstrated based on the one-more CDH problem and the co-CDH problem.

2. Definitions and Preliminaries

This section introduces some general notations and reviews some related concepts.

2.1. Notions

We introduce some symbols and their definitions in Table 1.

Table 1. Symbols and their definitions.

Symbol	Definition
$G=(V,E)$	undirected graph
V	Vertex set
E	Edge set
$\tilde{G}$	Transitive closure of G
$G^{*}$	Transitive reduction of G
PPT	Probabilistic polynomial time
CDH	Computational Diffie Hellman
${\mathcal{O}}^X$	Oracle X
$x\stackrel{\$}{\leftarrow }Y$	x is randomly selected from Y
KGC	Key generation center

2.2. Bilinear Groups and Complexity Assumptions

Definition 1

([15]). Let ${\mathbb{G}}_1,{\mathbb{G}}_2$ and ${\mathbb{G}}_{\mathbb{T}}$ be three cyclic groups of large prime order p, with a bilinear map $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_{\mathbb{T}}$. If $({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_{\mathbb{T}},e,\phi )$ is referred to as a bilinear group tuple, then it satisfies the following conditions:

1.

e can be efficiently computed.

2.

$\forall h\in {\mathbb{G}}_1,g\in {\mathbb{G}}_2$ and $a,b\in \mathbb{Z}$, $e(h^a,g^b)=e{(h,g)}^{ab}$.

3.

If h and g generates ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$, respectively, then $e(h,g)$ generates ${\mathbb{G}}_{\mathbb{T}}$.

4.

Isomorphism $\phi :{\mathbb{G}}_2\to {\mathbb{G}}_1$ can be efficiently computed.

Definition 2

(one-more CDH problem [16]). Given g and $g^a\in {\mathbb{G}}_1$ for unknown $a\in \mathbb{Z}$, and two oracles ${\mathcal{O}}^{Chall}$ and ${\mathcal{O}}^{CDH}$ as follows:

• ${\mathcal{O}}^{Chall}$: input a point i, output a random point $h_i$ from ${\mathbb{G}}_1$.
• ${\mathcal{O}}^{CDH}$: input a point $h_i\in {\mathbb{G}}_1$, output $g^{alo{g}_g{h}_i}$.

We say that an adversary solves one-more CDH problem if he successfully outputs the CDH value $g^{alo{g}_g{h}_i}$ of n points while calling ${\mathcal{O}}^{Chall}$ less than n.

Definition 3

(co-CDH problem [17]). Given $h\in {\mathbb{G}}_1$ and $g,g^a\in {\mathbb{G}}_2$ for unknown $a\in {\mathbb{Z}}_p^{*}$, compute $h^a\in {\mathbb{G}}_1$.

2.3. Access Structure

Definition 4

([18]). Let $P=\left\{P_1,P_2,\cdots ,P_n\right\}$ be a set of parties. We refer to an access structure $\mathbb{A}\subseteq 2^P\backslash \{\varnothing \}$ as monotonic if $B\in \mathbb{A},B\subseteq C$ implies that $C\in \mathbb{A}$. If $D\in \mathbb{A}$ (resp., $D\notin \mathbb{A}$), then D is called an authorized (resp., unauthorized) set.

2.4. Monotone Span Program (MSP)

Definition 5

([19]). Consider a field K and a set of variables $\{x_1,\cdots ,x_n\}$. A monotone span program over K is represented by a labeled matrix $\widehat{\mathbf{E}}=(\mathbf{E},\rho )$, where $\mathbf{E}$ is a matrix over K, and ρ labels the rows of $\mathbf{E}$ with literals from $\{x_1,\cdots ,x_n\}$ (each row is labeled by one literal). This program accepts or rejects inputs based on whether a linear combination of rows labeled by literals in the input set yields the all-one vector $\overrightarrow{1}$. The size of the program is determined by the number of rows in the matrix $\mathbf{E}$.

We use MSP to convert a monotone boolean function into an equivalent matrix, with the specific process as follows: we convert the monotone boolean formula into an access binary tree using the method described in [19]. In a binary tree, each internal node represents an AND or OR gate, while the leaf nodes represent the attributes.

Converting a binary tree into an equivalent matrix E can be achieved using the method outlined in [20]. Each tree node is assigned a vector. Initially, the vector of the root node is $\mathbf{a}$. The setting method for the vectors on the rest of the internal nodes is as follows: if the parent node represents an OR gate, the vectors of both left and right child nodes are equal to the parent node vector; if the parent node represents an AND gate, the vectors of the left and right child nodes are $\mathbf{a}|1$ and ${(0,\cdots ,0)}_{\left|\mathbf{a}\right|}|-1$, respectively. After labeling the entire tree, if the lengths of vectors of all of the leaf nodes are unequal, append (0,⋯,0) to the right of the shorter vectors until all of the lengths are equal. The vectors from all of the leaf nodes constitute a linear secret sharing matrix.

Figure 2 shows an conversion example: $\left(m_{1}AND{m}_2\right)AND\left(m_{3}OR\left(m_{4}AND{m}_5\right)\right)$. In the example in Figure 2, the vector $(1,1,1,0,0)$ represents the set of variables $\{m_1,m_2,m_3\}$ as an input to $P=\left(m_{1}AND{m}_2\right)AND\left(m_{3}OR\left(m_{4}AND{m}_5\right)\right)$. $P(1,1,1,0,0)=1$ as the combination of the first, second, and third rows of matrix $\mathbf{E}$ can span $(1,0,0)$. This satisfies the policy for $\{m_1,m_2,m_3\}$. In our context, attributes will replace parties, labeling each row of matrix $\mathbf{E}$.

Figure 2. Converting a binary tree to a matrix.

2.5. Linear Secret-Sharing Scheme (LSSS))

Definition 6

([18]). A secret sharing scheme ${\Pi }_{\mathbb{A}}$ for a set S and a access structure $\mathbb{A}$ is called linear (over ${\mathbb{Z}}_p$) if:

1. 

Each share value of the secret $s\in {\mathbb{Z}}_p$ forms a vector over ${\mathbb{Z}}_p$.

2. 

For each access structure $\mathbb{A}$ on set S, there exits a sharing-generating matrix $\mathbf{E}\in {\mathbb{Z}}_p^{t\times n}$. Define a function ρ that labels the i-th row of $\mathbf{E}$ as $\rho \left(i\right)$. Let $\mathbf{w}=(s,y_2,\cdots ,y_n)$ be a vector, where $y_2,\cdots ,y_n$ are chosen randomly in ${\mathbb{Z}}_p$. $\mathbf{Ew}$ is a column vector with t secret sharing values of s, where the i-th row represents the share allocated to the entity corresponding to $\rho \left(i\right)$.

Ref. [18] presents a model that equivalently converts the matrix of MSP into the sharing-generating matrix of LSSS. Taking the matrix $\mathbf{E}$ in Figure 2 as an example, we use it as the sharing-generating matrix for LSSS. Let $(b_1,b_2,\cdots ,b_t)=\mathbf{Ew}=\mathbf{E}(s,y_2,\cdots ,y_n)$, and at this point, $\{m_1,m_2,m_3\}$ is an authorized set, then there exists constants ${\left\{{\omega }_i\right\}}_{i=1,2,3}$ such that ${\omega }_1{b}_1+{\omega }_2{b}_2+{\omega }_3{b}_3=s$. Ref. [21] has already proven that ${\left\{{\omega }_i\right\}}_{i=1,2,3}$ can be found in polynomial time.

Lemma 1

(Forking Lemma [22]). Let Π be a signature scheme, k be the security parameter, and $\mathcal{A}$ be a PPT adversary. If $\mathcal{A}$ can, within time T and with at most $q_1$ and $q_2$ inquiries to the random oracle and the sign oracle, respectively, output a valid signature $(m,{\sigma }_1,h,{\sigma }_2)$ with probability $\epsilon \ge 10(q_2+1)((q_1+q_2)/2^k$, then he can output two valid signatures $(m,{\sigma }_1,h,{\sigma }_2)$ and $(m,{\sigma }_1^{\prime },h^{\prime },{\sigma }_2^{\prime })$ with probability $\epsilon \ge 1/9$ within time $T^{\prime }\le 120686T{q}_1/\epsilon$, such that $h\ne h^{\prime }$.

3. Attribute-Based Designated Combiner Transitive Signature Scheme

This section provides the formal definitions of ABDCTS and its security models.

3.1. The Formal Definition of ABDCTS

Unlike traditional transitive signature, ABDCTS allows the signer to set an access control policy $\mathcal{P}$ at the time of signing, so only entities that meet $\mathcal{P}$ can perform combination operations on the signature, as shown in Figure 3. A ABDCTS scheme consists of seven PPT algorithms $\Pi$ = (Setup, SKGen, TSign, AKGen, DVry, Comp, Vry).

Figure 3. Flowchart of ABDCTS.

• $\mathbf{Setup}\left(1^k\right)$. The algorithm takes the security parameter k as the input and outputs the public parameters $pp$ and the master secret key $MSK$.
• $\mathbf{SKGen}\left(pp\right)$. The algorithm takes the public parameters $pp$ as the input and outputs the signer’s public/secret key pairs $(PK,SK)$.
• $\mathbf{TSign}(i,j,SK)$. The algorithm takes the signer’s secret key $SK$ and nodes $i,j\in {\{0,1\}}^{*}$ as the input. It outputs a signature ${\sigma }_{ij}$ of edge $(i,j)$ and an access control policy $\mathcal{P}$ of combiners (it is specified by the signer).
• $\mathbf{AKGen}(msk,\mathcal{P},S)$. The algorithm takes the master secret key $MSK$ and a set of attributes S as the input. It outputs a secret key $S{K}_S$ specific to S.
• $\mathbf{DVry}(i,j,S,PK,S{K}_S,\mathcal{P},{\sigma }_{ij})$. The algorithm takes the signer’s public key $PK$, nodes $i,j\in {\{0,1\}}^{*}$, a set of attributes S, a secret key $S{K}_S$, an access control policy $\mathcal{P}$, and a signature ${\sigma }_{ij}$ as the input. It outputs 1 (accept) or 0 (reject).
• $\mathbf{Comp}(i,j,k,S,PK,S{K}_S,\mathcal{P},{\sigma }_{ij},{\sigma }_{jk})$. The algorithm takes a public key $PK$, a set of attributes S, a secret key $S{K}_S$, an access control policy $\mathcal{P}$, nodes $i,j,k\in {\{0,1\}}^{*}$, and two signatures ${\sigma }_{ij},{\sigma }_{jk}$ as the input. It outputs the composed signature $\sigma$ on edge $(i,k)$ or ⊥.
• $\mathbf{Vry}(i,j,PK,\sigma )$. The algorithm takes the signer’s public key $PK$, nodes $i,j\in {\{0,1\}}^{*}$, and a combined signature $\sigma$ as the input. It outputs 1 (accept) or 0 (reject).

Next, we introduce ABDCTS’s correctness requirements.

• Correctness of the Sign algorithm. For ${\sigma }_{ij}\leftarrow \mathbf{TSign}(i,j,SK)$, it holds that

  $$1\leftarrow \mathbf{DVry}(i,j,S,PK,S{K}_S,\mathcal{P},{\sigma }_{ij}).$$
• Correctness of the Comp algorithm. For the output $\sigma$ of Comp, if both ${\sigma }_{ij}$ and ${\sigma }_{jk}$ are are accepted by DVry, it holds that

  $$1\leftarrow \mathbf{Vry}(i,k,PK,\sigma ).$$

3.2. Security Models

An attribute-based designated combiner transitive signature scheme should satisfy the following security requirements.

Collusion resistance. Collusion resistance requires that no entity can collaborate with other entities to combine transitive signatures without having the specified attributes.

Unforgeability. Unforgeability requires that only the signer and entities with specific attributes can generate valid signatures. Therefore, the unforgeability of ABDCTS is divided into the following two types: Type 1 Unforgeability (${\mathbf{UF}}_1$) requires that no adversary can forge a signature on a new edge $(i,j)$ (where no complete path from i to j has been signed by the signer), and because the entity with specific attributes has the most knowledge, the adversary can be seen as a malicious combiner. The malicious combiner can request the transitive signature of some edges and has the ability to combine signatures. Type 2 Unforgeability (${\mathbf{UF}}_2$) requires that entities whose own attributes do not satisfy the access policy cannot combine signatures. In this case, the adversary may request transitive signatures and combined signatures of some edges, and he can also ask for the attribute keys corresponding to some sets of attributes, but those attribute sets do not meet the access control policy.

The formal definition of ${\mathbf{UF}}_1$ is outlined through the following game between a challenger ${\mathcal{C}}_1$ and an adversary ${\mathcal{A}}_1$.

Definition 7.

A ABDCTS scheme satisfies ${\mathbf{UF}}_1$ if any PPT adversary ${\mathcal{A}}_1$ has a negligible advantage in the following game $\mathtt{Sig}\text{-}{\mathtt{forge}}_{{\mathcal{A}}_1,ABDCTS}\left(k\right)$:

• Setup: ${\mathcal{C}}_1$ runs Setup and SKGen to generate $pp$ and $(PK,SK)$, respectively. Then, $(pp,PK)$ is sent to ${\mathcal{A}}_1$.
• TSign Queries: Proceeding adaptively, ${\mathcal{A}}_1$ picks an edge $(i,j)$. Then, ${\mathcal{C}}_1$ runs TSign to generate $({\sigma }_{ij},\mathcal{P})$ and sends it to ${\mathcal{A}}_1$.
• Output: ${\mathcal{A}}_1$ outputs a pair $({\sigma }_{i^{\prime }{j}^{\prime }},(i^{\prime },j^{\prime }))$.

${\mathcal{A}}_1$ wins the game if $1\leftarrow \mathbf{Vry}(i^{\prime },j^{\prime },PK,{\sigma }^{\prime })$ and $(i^{\prime },j^{\prime })\notin \tilde{G}$, where G is made up of all edges $(i,j)$ that have been queried.

The formal definition of ${\mathbf{UF}}_2$ is outlined through the following game between a challenger ${\mathcal{C}}_2$ and an adversary ${\mathcal{A}}_2$. The advantage of ${\mathcal{A}}_1$ is

$${\mathbf{Adv}}_{{\mathcal{A}}_1,ABDCTS}^{{\mathbf{UF}}_1}=Pr[\mathtt{Sig}\text{-}{\mathtt{forge}}_{{\mathcal{A}}_1,ABDCTS}\left(k\right)=1].$$

Definition 8.

A ABDCTS scheme satisfies ${\mathbf{UF}}_2$ if any PPT adversary ${\mathcal{A}}_2$ has a negligible advantage in the following game $\mathtt{Sig}\text{-}{\mathtt{forge}}_{{\mathcal{A}}_2,ABDCTS}\left(k\right)$:

• Setup: ${\mathcal{C}}_2$ runs Setup and SKGen to generate $pp$ and $(PK,SK)$, respectively. Then, $(pp,PK)$ is sent to ${\mathcal{A}}_2$.
• TSign Queries: Proceeding adaptively, ${\mathcal{A}}_2$ picks an edge $(i,j)$. Then, ${\mathcal{C}}_2$ runs TSign to generate $({\sigma }_{ij},\mathcal{P})$ and sends it to ${\mathcal{A}}_2$.
• AKGen Queries: Proceeding adaptively, ${\mathcal{A}}_2$ requests the secret key for attribute sets $S_1,\cdots ,S_t$ that that fail to meet the access structure $\mathcal{P}$.
• Comp Queries: Proceeding adaptively, ${\mathcal{C}}_2$ runs Comp to output the combined signature σ after ${\mathcal{A}}_2$ submits $(i,j,k,{\sigma }_{ij},{\sigma }_{jk})$.
• Output: ${\mathcal{A}}_2$ outputs a pair $({\sigma }_{i^{\prime }{j}^{\prime }},(i^{\prime },j^{\prime }))$.

${\mathcal{A}}_2$ wins the game if $1\leftarrow \mathbf{Vry}(i^{\prime },j^{\prime },PK,{\sigma }_{i^{\prime }{j}^{\prime }})$ and $(i^{\prime },j^{\prime })$ was not submitted to Comp Queries. The advantage of ${\mathcal{A}}_2$ is

$${\mathbf{Adv}}_{{\mathcal{A}}_2,ABDCTS}^{{\mathbf{UF}}_2}=Pr[\mathtt{Sig}\text{-}{\mathtt{forge}}_{{\mathcal{A}}_2,ABDCTS}\left(k\right)=1].$$

4. Our Construction

We reviewed the linear homomorphic signature scheme with the designated combiner provided in [23]; they used a random value $h_i$ to encrypt the signature ${\sigma }_i$, and only the signer or the designated combiner who can successfully calculate that random value can remove the disguise from signatures (e.g., ${\sigma }_i·h_i$ and ${\sigma }_j·h_j$) and combine them to obtain ${\sigma }_i·{\sigma }_j$. After that, the designated combiner uses the technology of IBS to generate reliable evidence to show the verifier that they have ${\sigma }_i·{\sigma }_j$.

Our approach draws from [23]. The signer calculates a hash value $h_{ij}$ to conceal signature ${\sigma }_{ij}$, and the published signature is ${\sigma }_{ij}·h_{ij}$, where the hash value $h_{ij}$ is tied to the access control policy set by the signer. Then, the key generation center distributes the key for calculating the hash value $h_{ij}$ according to the access control policy, sharing them according to the corresponding attributes. Only entities whose attribute sets meet the access policy can successfully compute $h_{ij}$ and obtain the original signature ${\sigma }_{ij}$. After combining signatures ${\sigma }_{ij}$ and ${\sigma }_{jk}$ to obtain ${\sigma }_{ik}$, the combiner uses the method of IBS to generate evidence to prove to other entities that they possess the signature $(i,k)$.

We construct our ABDCTS scheme $\Pi$ = (Setup, SKGen, TSign, AKGen, DVry, Comp, Vry) as follows:

• Setup($1^k)$. Take as input the security parameter k:
  • Let a bilinear group tuple $\mathcal{G}=({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_{\mathbb{T}},e,\phi )$, as defined in Definition 1.
  • Let h and g be the generators of ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$, respectively.
  • Pick five hash functions $H:{\mathbb{Z}}_p^{n\times n}\times {\mathbb{G}}_2\to {\mathbb{Z}}_p^{*}$, $H_1:{\left\{0,1\right\}}^{*}\to {\mathbb{G}}_1$, $H_2:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\mathbb{G}}_1$, $H_3:{\mathbb{G}}_{\mathbb{T}}\to {\mathbb{G}}_1$ and $H_4:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\times {\mathbb{G}}_{\mathbb{T}}\to {\mathbb{Z}}_p^{*}$.
  • Let $U=\left\{1,2,\cdots ,n\right\}$ be the set that includes all attributes.
  • Pick $b\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$ and set $B=g^b$.
  • Output the public parameters $pp=(\mathcal{G},p,h,g,B,U,H,H_1,H_2,H_3,H_4)$ and the master secret key $MSK=b$.
• SKGen($pp)$. The signer chooses $a\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$ as $SK$ and sets $A=g^a$ as $PK$.
• TSign($i,j,SK$). Take $SK=a$ and nodes $i,j\in {\{0,1\}}^{*}$ as the input:
  • Set the access structure $\mathbb{A}$ for U, meaning the combiner is designated by the signer.
  • Characterize $\mathbb{A}$ as a monotone Boolean function and convert it into an access binary tree $\mathcal{T}$ based on MSP.
  • Convert $\mathcal{T}$ into a matrix $\mathbf{M}\in {\mathbb{Z}}_p^{t\times n}$ based on MSP and define ${\mathbf{M}}_i$ as the i-th row vector of matrix $\mathbf{M}$.
  • Calculate $c=H(\mathbf{M},B^a)$.
  • Compute ${\sigma }_{ij}={\left(h_i{h}_j^{-1}\right)}^a{H}_3\left(e{(H_2(i,j),B)}^{ac}\right)$, where $h_i=H_1\left(i\right),h_j=H_1\left(j\right)$.
  • Output $\mathcal{P}=(\mathbf{M},\mathbb{A})$ and ${\sigma }_{ij}$.
• AKGen$(MSK,\mathcal{P},S)$. Take $MSK=b$, the access structure $(\mathbf{M},\mathbb{A})$, and a set of attributes $S\subset U$ as the input:
  • Choose $x_2,x_3,\cdots ,x_n\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$ and calculate $\mathbf{v}=(b,x_2,x_3,\cdots ,x_n)$.
  • Compute $(b_1,b_2,\cdots ,b_n)\leftarrow \mathbf{M}\mathbf{v},c=H(\mathbf{M},A^b)$ and ${\left\{A^{c{b}_i}\right\}}_{i\in S}$.
  • Output the secret key $S{K}_S={\left\{A^{c{b}_i}\right\}}_{i\in S}$ specific to S.
• DVry($i,j,PK,S{K}_S,S,\mathcal{P},{\sigma }_{ij}$). Take $PK=A$, nodes $i,j\in {\{0,1\}}^{*}$, and a signature ${\sigma }_{ij}$ as the input:
  • If $S\notin \mathbb{A}$, it returns ⊥.
  • If $S\in \mathbb{A}$, there are constants ${\left\{{\omega }_i\in \left\{0,1\right\}\right\}}_{i\in S}$, such that ${\sum }_{i\in S}{A}^{c{b}_i{\omega }_i}=A^{cb}$.
  • If $e({\sigma }_{ij},g)=e(h_i{h}_j^{-1},A)e(H_3\left(e(H_2(i,j),A^{cb})\right),g)$, then it outputs 1 (accept). Otherwise, it outputs 0 (reject).
• Comp($i,j,k,S,PK,S{K}_S,\mathcal{P},{\sigma }_{ij},{\sigma }_{jk}$). The algorithm does the following:
  • Check the validity of ${\sigma }_{ij},{\sigma }_{jk}$ by runing DVry. If either ${\sigma }_{ij}$ or ${\sigma }_{jk}$ is not valid, it returns ⊥.
  • Compute $K=H_3\left(e(H_2(i,j),A^{cb})\right)$ and $K_{ij}={\sigma }_{ij}·K^{-1}={\left(h_i{h}_j^{-1}\right)}^a$ and $K_{jk}={\sigma }_{jk}·K^{-1}={\left(h_j{h}_k^{-1}\right)}^a$.
  • Compute $K_{ik}=K_{ij}·K_{jk}={\left(h_i{h}_k^{-1}\right)}^a$.
  • Pick $r\stackrel{\$}{\leftarrow }{\mathbb{Z}}_P^{*}$ and calculate $R=e{(h,g)}^r,Y=H_4(i,k,R)$, and $T=K_{ik}^Y{h}^r$.
  • Output $(i,k)$ and a signature $\sigma =(Y,T)$.
• Vry($i,k,PK,\sigma$). Take $PK=A$, nodes $i,j\in {\{0,1\}}^{*}$, and a signature $\sigma$ as the input:
  • Calculate $R^{\prime }=e(T,g)/e{(h_i{h}_j^{-1},A)}^Y$.
  • If $Y=H_4(i,k,R^{\prime })$, then it outputs 1 (accept). Otherwise, it outputs 0 (reject).

The correctness of the scheme is as follows:

• Correctness of the Sign algorithm. For ${\sigma }_{ij}\leftarrow \mathbf{TSign}(i,j,SK)$, we have:

  $$\begin{array}{cc}\hfill e({\sigma }_{ij},g)& =e({\left(h_i{h}_j^{-1}\right)}^a{H}_3\left(e(H_2(i,j),B^{ac})\right),g)\hfill \\ \hfill & =e(h_i{h}_j^{-1},A)·e(H_3\left(e(H_2(i,j),A^{cb})\right),g).\hfill \end{array}$$

  (1)
• Correctness of the Comp algorithm. For the output $(i,k)$ and $\sigma =(Y,T)$ of Comp, if both ${\sigma }_{ij}$ and ${\sigma }_{jk}$ are valid, then we have:

  $$\begin{array}{cc}\hfill H_4(i,k,R^{\prime })& =H_4(i,k,e(T,g)/e{(h_i{h}_j^{-1},A)}^Y)\hfill \\ \hfill & =H_4(i,k,e(K_{ik}^Y,g)e{(h,g)}^r/e{(h_i{h}_j^{-1},A)}^Y)\hfill \\ \hfill & =H_4(i,k,e{(h,g)}^r)\hfill \\ \hfill & =Y.\hfill \end{array}$$

  (2)

5. Security Analysis

This section analyzes the security of our proposed ABDCTS scheme. With attribute-based cryptosystems, a key challenge is preventing user collusion. The scheme proposed in this paper is akin to  [11], where the user’s attribute private key is randomized, preventing the merging of different users’ keys. More precisely, this paper incorporates secret $A^{bc}$ in the signature, then allocates shares linked to attributes to each combiner via LSSS. Only combiners whose attributes meet the access structure can reconstruct the secret, verify the signature, and combine it. Due to the use of different random numbers in assigning secret shares to various combiners, collusion attempts among users will prove futile.

Assuming an adversary has compromised the signature scheme in ${\mathbf{UF}}_1$, we construct a challenger ${\mathcal{C}}_1$ who can simulate the signature scheme, and solve the one-more CDH problem in $({\mathbb{G}}_2,{\mathbb{G}}_{\mathbb{T}})$. Similarly, we show that the presence of a successful adversary ${\mathcal{A}}_2$ allows challenger ${\mathcal{C}}_2$ to solve the co-CDH problem in ${\mathbf{UF}}_2$.

Theorem 1.

Let Π be the ABDCTS scheme described above. If the one-more CDH problem is difficult, then Π satisfies ${\mathbf{UF}}_1$ against an adaptive chosen-message attack.

Proof. 

let ${\mathcal{A}}_1$ be a PPT adversary. Define

$${\epsilon }_1\left(k\right)=Pr[\mathtt{Sig}\text{-}{\mathtt{forge}}_{{\mathcal{A}}_1,\Pi }\left(k\right)=1].$$

Our goal is to build a PPT algorithm ${\mathcal{C}}_1$ to solve one-more CDH problem in $({\mathbb{G}}_2,{\mathbb{G}}_{\mathbb{T}})$: given a tuple $({\mathbb{G}}_2,{\mathbb{G}}_{\mathbb{T}},e,p,g,g^a)$ and two oracles ${\mathcal{O}}^{Chall}$ and ${\mathcal{O}}^{CDH}$, output the CDH solution $g^{a·lo{g}_g{h}_i}$ with respect to $h_i$ of all n points output by ${\mathcal{O}}^{Chall}$, using strictly less than n calls to its ${\mathcal{O}}^{CDH}$.

${\mathcal{C}}_1$ maintains two lists $L_1$, $L_2$, $L_3$ to record the output values of ${\mathtt{H}}_{\mathtt{1}}\mathtt{Queries}$, ${\mathtt{H}}_{\mathtt{2}}\mathtt{Queries}$ and TSign Queries, respectively. The game $\mathtt{Sig}\text{-}{\mathtt{forge}}_{{\mathcal{A}}_1,\Pi }\left(k\right)$ is described as follows:

• Setup.
  • ${\mathcal{C}}_1$ sets $PK=g^a=A$ and the parameter $pp=(\mathcal{G},p,h,g,B,U,H_3)$.
  • Sends $(PK,pp)$ to ${\mathcal{A}}_1$.
• ${\mathtt{H}}_{\mathtt{1}}\mathtt{Queries}$. When ${\mathcal{A}}_1$ requests the value of $H_1\left(i\right)$, answer it as follows:
  • If $(i,H_1\left(i\right))$ is found in list $L_1$, $H_1\left(i\right)$ will be returned.
  • Otherwise, ${\mathcal{C}}_1$ calculates $H_1\left(i\right)=h_i\leftarrow {\mathcal{O}}^{Chall}\left(i\right)$ and adds $(i,H_1\left(i\right))$ to $L_1$.
  • Sends $H_1\left(i\right)$ to ${\mathcal{A}}_1$.
• ${\mathtt{H}}_{\mathtt{2}}\mathtt{Queries}$. When ${\mathcal{A}}_1$ requests the value of $H_2(i,j)$, answer it as follows:
  • If $(i,j,H_2(i,j))$ is found in list $L_2$, $H_2(i,j)$ will be returned.
  • Otherwise, ${\mathcal{C}}_1$ picks $x_{ij}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$, calculates $H_2(i,j)=\phi {\left(g\right)}^{x_{ij}}$ and adds $H_2(i,j)$ to $L_2$.
  • Sends $H_2(i,j)$ to ${\mathcal{A}}_1$.
• TSign Queries. When ${\mathcal{A}}_1$ requests a signature of $(i,j)$, answer it as follows:
  • If $i>j$, then swap i and j.
  • If $(i,H_1\left(i\right))$ is found in list $L_1$, $H_1\left(i\right)$ will be returned.
  • Otherwise, ${\mathcal{C}}_1$ calculates $H_1\left(i\right)=h_i\leftarrow {\mathcal{O}}^{Chall}\left(i\right)$ and adds $(i,H_1\left(i\right))$ to $L_1$.
  • If $(j,H_1\left(j\right))$ is found in list $L_1$, $H_1\left(j\right)$ will be returned.
  • Otherwise, ${\mathcal{C}}_1$ calculates $H_1\left(j\right)=h_j\leftarrow {\mathcal{O}}^{Chall}\left(j\right)$ and adds $(j,H_1\left(j\right))$ to $L_1$.
  • If $(i,j,H_2(i,j))$ is found in list $L_2$, $H_2(i,j)$ will be returned.
  • Otherwise, ${\mathcal{C}}_1$ picks $x_{ij}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$, calculates $H_2(i,j)=\phi {\left(g\right)}^{x_{ij}}$ and adds $(i,j,H_2(i,j))$ to $L_2$.
  • If $(i,j,{\sigma }_{ij})$ is found in list $L_3$, $(\mathcal{P},{\sigma }_{ij})$ will be returned.
  • Otherwise, ${\mathcal{C}}_1$ sets the combiner control policy $\mathcal{P}$ and picks $c\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$.
  • Then ${\mathcal{C}}_1$ calculates ${\left(h_i{h}_j^{-1}\right)}^a\leftarrow {\mathcal{O}}^{CDH}\left(h_i{h}_j^{-1}\right)$ and ${\sigma }_{ij}={\left(h_i{h}_j^{-1}\right)}^a·H_3\left(e{(\phi \left(A\right),B)}^{c{x}_{ij}}\right)$, and adds $(i,j,\mathcal{P},{\sigma }_{ij})$ to $L_3$.
  • Sends $(\mathcal{P},{\sigma }_{ij})$ to ${\mathcal{A}}_1$.
• Output. Eventually, ${\mathcal{A}}_1$ outputs a tuple $(i^{\prime },j^{\prime },{\sigma }^{\prime })$, where ${\sigma }^{\prime }=(Y,T)$, $Y=H_4(i^{\prime },j^{\prime },R)$ and $R=e{(h,g)}^r$ for $r\in {\mathbb{Z}}_p^{*}$ chosen by ${\mathcal{A}}_1$. The output of the experiment is 1 if $1\leftarrow \mathbf{Vry}(i^{\prime },j^{\prime },P{K}_A,{\sigma }^{\prime })$ and $(i^{\prime },j^{\prime })$ is a new edge.

We have:

$$\begin{array}{cc}\hfill R^{\prime }& =e(T,g)/e{(h_i{h}_j^{-1},A)}^Y\hfill \\ \hfill & =e(K_{i^{\prime }{j}^{\prime }}^Y{h}^r,g)/e{(h_i{h}_j^{-1},A)}^Y\hfill \\ \hfill & =e(K_{i^{\prime }{j}^{\prime }}^Y,g)e(h^r,g)/e{(h_i{h}_j^{-1},A)}^Y\hfill \\ \hfill & =e{(h,g)}^r\hfill \\ \hfill & =R.\hfill \end{array}$$

(3)

Therefore $K_{i^{\prime }{j}^{\prime }}={\left(h_{i^{\prime }}{h}_{j^{\prime }}^{-1}\right)}^a$. Calculate the CDH values of all vertices in $L_1$ using the following method. First, ${\mathcal{C}}_1$ divides all of the vertices into m disjoint sets $V_1,V_2,\cdots ,V_m$, where $i^{\prime }\in V_{k^{\prime }}$ but $j^{\prime }\notin V_{k^{\prime }}$.

For $k=1,\cdots ,k-1,k+1,\cdots ,m$, ${\mathcal{C}}_1$ selects $t_k\stackrel{\$}{\leftarrow }{V}_k$, then:

• ${\left(H_1\left(t_k\right)\right)}^a\leftarrow {\mathcal{O}}^{CDH}\left(H_1\left(t_k\right)\right)$.
• For $t\in V_k\backslash t_k,{\left(H_1\left(t\right)H_1{\left(t_k\right)}^{-1}\right)}^a\leftarrow {\mathcal{O}}^{CDH}\left(H_1\left(t\right)H_1{\left(t_k\right)}^{-1}\right)$.
• ${\left(H_1\left(t\right)\right)}^a\leftarrow {\left(H_1\left(t\right)H_1{\left(t_k\right)}^{-1}\right)}^a·{\left(H_1\left(t_k\right)\right)}^a$.

For $V_{k^{\prime }}$, ${\mathcal{C}}_1$ does the following:

• ${\left(H_1\left(i^{\prime }\right)\right)}^a\leftarrow K_{i^{\prime }{j}^{\prime }}·{\left(H_1\left(j^{\prime }\right)\right)}^a$.
• For $t\in V_{k^{\prime }}\backslash i^{\prime },{\left(H_1\left(t\right)H_1{\left(i^{\prime }\right)}^{-1}\right)}^a\leftarrow {\mathcal{O}}^{CDH}\left(H_1\left(t\right)H_1{\left(i^{\prime }\right)}^{-1}\right)$.
• ${\left(H_1\left(t\right)\right)}^a\leftarrow {\left(H_1\left(t\right)H_1{\left(i^{\prime }\right)}^{-1}\right)}^a·{\left(H_1\left(i^{\prime }\right)\right)}^a$.

It is clearly visible that ${\mathcal{C}}_1$ outputs the CDH value of $\left|L\right|$ vertices, but only calls ${\mathcal{O}}^{CDH}$${\sum }_{k\ne k^{\prime }}\left|V_k\right|+\left|V_{k^{\prime }}\right|-1=\left|L\right|-1$ times. Thus, ${\mathcal{C}}_1$ solves the one-more CDH problem, and the probability $Ad{v}_{{\mathcal{C}}_1}^{one-moreCDH}\ge {\epsilon }_1\left(k\right).$   □

Theorem 2.

Let Π be the ABDCTS scheme described above. If the co-CDH problem is challenging, then Π satisfies ${\mathbf{UF}}_2$ against an adaptive chosen-message attack.

Proof. 

let ${\mathcal{A}}_2$ be a PPT adversary. Define

$${\epsilon }_2\left(k\right)=Pr[\mathtt{Sig}\text{-}{\mathtt{forge}}_{{\mathcal{A}}_2,\Pi }\left(k\right)=1].$$

Our goal is to build a PPT algorithm ${\mathcal{C}}_2$ to solve co-CDH problem in $({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_{\mathbb{T}})$: given a bilinear group tuple $({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_{\mathbb{T}},e,\phi )$ and $(g,g^a,h,\phi \left(g\right),\phi \left(A\right))$, output $h^a$, where $a\in {\mathbb{Z}}_p^{*}$, $h,\phi \left(g\right),\phi \left(A\right)\in {\mathbb{G}}_1$ and $g,g^a\in {\mathbb{G}}_2$.

${\mathcal{C}}_2$ maintains two lists $L_1$, $L_2$, $L_3$, $L_4$ to record the output values of ${\mathtt{H}}_{\mathtt{1}}\mathtt{Queries}$, ${\mathtt{H}}_{\mathtt{2}}\mathtt{Queries}$, TSign Queries and ${\mathtt{H}}_{\mathtt{4}}\mathtt{Queries}$, respectively. The game $\mathtt{Sig}\text{-}{\mathtt{forge}}_{{\mathcal{A}}_2,\Pi }\left(k\right)$ is described as follows:

• Setup.
  • ${\mathcal{C}}_2$ sets $P{K}_A=g^a=A$ and the parameter $pp=(\mathcal{G},p,h,g,B,U,H_3)$.
  • Sends $(P{K}_A,pp)$ to ${\mathcal{A}}_2$.
• ${\mathtt{H}}_{\mathtt{1}}\mathtt{Queries}$. When ${\mathcal{A}}_2$ requests the value of $H_1\left(i\right)$, answer it as follows:
  • If $(i,H_1\left(i\right))$ is found in list $L_1$, $H_1\left(i\right)$ will be returned.
  • Otherwise, ${\mathcal{C}}_2$ picks $x_i\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$, calculates $H_1\left(i\right)=\phi {\left(g\right)}^{x_i}$ and adds $(i,H_1\left(i\right))$ to $L_1$.
  • Sends $H_1\left(i\right)$ to ${\mathcal{A}}_2$.
• ${\mathtt{H}}_{\mathtt{2}}\mathtt{Queries}$. When ${\mathcal{A}}_2$ requests the value of $H_2(i,j)$, answer it as follows:
  • If $(i,j,H_2(i,j))$ is found in list $L_2$, $H_2(i,j)$ will be returned.
  • Otherwise, ${\mathcal{C}}_2$ picks $x_{ij}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$, calculates $H_2(i,j)=\phi {\left(g\right)}^{x_{ij}}$ and adds $(i,j,H_2(i,j))$ to $L_2$.
  • Sends $H_2(i,j)$ to ${\mathcal{A}}_2$.
• TSign Queries. When ${\mathcal{A}}_2$ requests a signature of $(i,j)$, answer it as follows:
  • If $i>j$, then swap i and j.
  • If $(i,H_1\left(i\right))$ is found in list $L_1$, $H_1\left(i\right)$ will be returned.
  • Otherwise, ${\mathcal{C}}_2$ picks $x_i\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$, calculates $H_1\left(i\right)=\phi {\left(g\right)}^{x_i}$ and adds $(i,H_1\left(i\right))$ to $L_1$.
  • If $(j,H_1\left(j\right))$ is found in list $L_1$, $H_1\left(j\right)$ will be returned.
  • Otherwise, ${\mathcal{C}}_2$ picks $x_j\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$, calculates $H_1\left(j\right)=\phi {\left(g\right)}^{x_j}$ and adds $(j,H_1\left(j\right))$ to $L_1$.
  • If $(i,j,H_2(i,j))$ is found in list $L_2$, $H_2(i,j)$ will be returned.
  • Otherwise, ${\mathcal{C}}_2$ picks $x_{ij}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$, calculates $H_2(i,j)=\phi {\left(g\right)}^{x_{ij}}$ and adds $(i,j,H_2(i,j))$ to $L_2$.
  • If $(i,j,\mathcal{P},{\sigma }_{ij})$ is found in list $L_3$, $(\mathcal{P},{\sigma }_{ij})$ will be returned.
  • Otherwise, ${\mathcal{C}}_2$ sets the combiner control policy $\mathcal{P}$ and picks $c\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$.
  • Then calculates ${\sigma }_{ij}=\phi {\left(A\right)}^{x_i-x_j}·H_3\left(e{(\phi \left(A\right),B)}^{c{x}_{ij}}\right)$ and adds $(i,j,\mathcal{P},{\sigma }_{ij})$ to $L_3$.
  • Sends $(\mathcal{P},{\sigma }_{ij})$ to ${\mathcal{A}}_2$.
• AKGen Queries. When ${\mathcal{A}}_2$ requests the private key corresponding to the attribute set S, where S does not satisfy $\mathcal{P}$, answer it as follows:
  • For all $i\in S$, ${\mathcal{C}}_2$ picks $t_i\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p$ and calculates $A^{c{t}_i}$.
  • ${\mathcal{C}}_2$ sends ${\left\{A^{c{t}_i}\right\}}_{i\in S}$ to ${\mathcal{A}}_2$.
• ${\mathtt{H}}_{\mathtt{4}}\mathtt{Queries}$. When ${\mathcal{A}}_2$ requests the value of $H_4(i,j,R)$, answer it as follows:
  • If $H_4(i,j,R)$ is found in list $L_4$, $H_4(i,j,R)$ will be returned.
  • Otherwise, ${\mathcal{C}}_2$ picks $Y_{ij}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$ and adds $(i,j,R,H_4(i,j,R))$ to $L_4$.
• Comp Queries. When ${\mathcal{A}}_2$ submits $(i,j,k,{\sigma }_{ij},{\sigma }_{jk})$ to Comp Queries, answer it as follows:
  • If ${\sigma }_{ij}$ and ${\sigma }_{jk}$ are both valid, ${\mathcal{C}}_2$ calculates $K_{ij}={\sigma }_{ij}·H_3{\left(e{(\phi \left(A\right),B)}^{c{x}_{ij}}\right)}^{-1}$ and $K_{jk}={\sigma }_{jk}·H_3{\left(e{(\phi \left(A\right),B)}^{c{x}_{jk}}\right)}^{-1}$.
  • ${\mathcal{C}}_2$ calculates $K_{ik}=K_{ij}·K_{jk}$.
  • ${\mathcal{C}}_2$ picks $r\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$ and computes $R=e{(h,g)}^r$.
  • ${\mathcal{C}}_2$ submits $(i,k,R)$ to ${\mathtt{H}}_{\mathtt{4}}\mathtt{Queries}$ to obtain $Y_{ik}$ and computes $T=K_{ik}^{Y_{ik}}{h}^r$.
  • Adds $(Y_{ik},T)$ to $L_5$ and sends $(Y_{ik},T)$ to ${\mathcal{A}}_2$.
• Output. Eventually, ${\mathcal{A}}_2$ outputs a tuple $(i^{\prime },j^{\prime },{\sigma }^{\prime })$, where ${\sigma }^{\prime }=(Y,T)$, $Y=H_4(i^{\prime },j^{\prime },R)$ and $R=e{(h,g)}^r$ for $r\in {\mathbb{Z}}_p^{*}$ chosen by ${\mathcal{A}}_2$. The output of the experiment is 1 if $1\leftarrow \mathbf{Vry}(i^{\prime },j^{\prime },P{K}_A,{\sigma }^{\prime })$ and $(Y,T)$ does not belong to list $L_5$.

Therefore, ${\mathcal{A}}_2$ can output a valid forgery $(Y,T)$ on $(i^{\prime },j^{\prime })$ with probability ${\epsilon }_2\ge 10(q_2+1)(q_1+q_2)/2^k$ under the conditions of time t, $q_1$ and $q_2$ inquiries to ${\mathtt{H}}_{\mathtt{4}}\mathtt{Queries}$ and Comp Queries, respectively.

When we replay the attack, if $i<j^{\prime }$, the lists $L_1,L_2$ and $L_4$ remain unchanged. If $i>j^{\prime }$, we randomly select values again according to the above simulation process. For $i=j^{\prime }$, we select $x_{j^{\prime }}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$ and set $H_1\left(j^{\prime }\right)=h^{x_{j^{\prime }}}$. Note that $\mathcal{A}$ cannot query Comp Queries.

By using the technique in forking lemma, ${\mathcal{A}}_2$ can output two valid forgeries $(Y_1,T_1)$ and $(Y_2,T_2)$ with a probability of $1/9$ after conducting replay attacks up to $t^{\prime }\le 120686q_{1}t/{\epsilon }_2$.

For $i=j^{\prime }$, we have $H_1\left(j^{\prime }\right)=h^{x_{j^{\prime }}}\ne H_1^{\prime }\left(j^{\prime }\right)=h^{x_{j^{\prime }}^{\prime }}$ and compute ${\rho }_1=h^{x_{j^{\prime }}}\phi {\left(g\right)}^{x_{i^{\prime }}}$ and ${\rho }_2=h^{x_{j^{\prime }}^{\prime }}\phi {\left(g\right)}^{x_{i^{\prime }}}$.

As both $(Y_1,T_1)$ and $(Y_2,T_2)$ are valid; therefore,

$$e(T_1,g)=e{({\rho }_1,A)}^{Y_1}R$$

and

$$e(T_2,g)=e{({\rho }_2,A)}^{Y_2}R.$$

Combining both equations provides:

$$\begin{array}{cc}\hfill e(T_1/T_2,g)& =e{({\rho }_1/{\rho }_2,A)}^{Y_1-Y_2}\hfill \\ \hfill & =e(h^{(x_{j^{\prime }}-x_{j^{\prime }}^{\prime })(Y_1-Y_2)},A)\hfill \\ \hfill & =e(h^{a(x_{j^{\prime }}-x_{j^{\prime }}^{\prime })(Y_1-Y_2)},g).\hfill \end{array}$$

(4)

As $(x_{j^{\prime }}-x_{j^{\prime }}^{\prime })(Y_1-Y_2)$ is random in ${\mathbb{Z}}_p$, the probability that $(x_{j^{\prime }}-x_{j^{\prime }}^{\prime })(Y_1-Y_2)=0$ is $1/p$. Therefore, $h^a={(T_1/T_2)}^{1/(x_{j^{\prime }}-x_{j^{\prime }}^{\prime })(Y_1-Y_2)}$. In other words, the probability that ${\mathcal{C}}_2$ solves the co-CDH problem is $Ad{v}_{{\mathcal{C}}_1}^{one-moreCDH}\ge 1/9-1/p.$ □

Efficiency

Let $|{\mathbb{G}}_1|,|{\mathbb{G}}_2|,|{\mathbb{G}}_T|$, and $|{\mathbb{Z}}_p|$ be the bit length of the element in ${\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_{\mathbb{T}}$, and ${\mathbb{Z}}_p$, respectively. Let $T_1,T_2,T_3,T_4,T_5$ be the computation cost of performing one $exponent$, $pairing$, $hash$, $inverse$, and $multiply$ operation, respectively. Let $stand.pk$ and $stand.sigs$ be the public key and signature size of a standard digital signature, respectively.

Taking algorithm TSign as an example, we need to perform one $exponet$ and one $hash$ operation to obtain c, and then perform one $exponent$, $2pairing$, $4hash$, one $inverse$ and $2multiply$ operation. Thus, the computation cost of TSign is $2T_1+2T_2+5T_3+T_4+2T_5$. The detailed analysis results are shown in Table 2. In addition, we make a rough comparison of communication costs with some existing transitive signatuer schemes in Table 3. By comparing the computational cost, public key size, and signature size with some existing signature schemes, it is clear that our scheme has good practicality.

Table 2. Comparisons of computation costs.

Scheme	Algorithm	Time Cost
Ours	TSign	$2T_1+2T_2+5T_3+T_4+2T_5$
	DVry	$T_1+3T_2+4T_3+T_4+2T_5$
	Comp	$4T_1+2T_2+3T_3+T_4+5T_5$
	Vry	$T_1+2T_2+3T_3+2T_4+T_5$
[8]	TSign	$T_1+2T_3+T_4+T_5$
	TVry	$2T_2+2T_3+T_4$
	Comp	$T_5$
	Trans	$2T_1+T_5$
	DS	$4T_1+3T_2+T_3+2T_5$
	DV	$T_1+T_2+T_3+2T_4+4T_5$
	Sim	$5T_1+3T_2+T_3+T_5$

Table 3. Comparison to the existing transitive signature scheme for the undirected graph.

Scheme	Public Key	Signature Size	Designated Combiner
[1]	$\left|\mathbb{G}\right|$	$2|{\mathbb{Z}}_p^{*}|$	No
FBTS-1,RSATS-1 [3]	$\left|\mathbb{Z}\right|+stand.pk$	$3|{\mathbb{Z}}_N^{*}|+2stand.sigs$	No
DCTS-1M [2]	$stand.pk$	$|{\mathbb{Z}}_q|+2|\mathbb{G}|+2stand.sigs$	No
GapTS-1 [2]	$\left|\mathbb{G}\right|+stand.pk$	$3\left|\mathbb{G}\right|+2stand.sigs$	No
RSATS-2 [2]	N	$|{\mathbb{Z}}_N^{*}|$	No
FactTS-2 [2]	N	$|{\mathbb{Z}}_N^{*}|$	No
GapTS-2 [2]	$\left|\mathbb{G}\right|$	$\left|\mathbb{G}\right|$	No
[4]	$\left|\mathbb{G}\right|$	$\left|\mathbb{G}\right|$	No
[5]	$\left|\mathbb{G}\right|$	$\left|\mathbb{G}\right|$	No
[6]	$\left|\mathbb{G}\right|$	$\left|\mathbb{G}\right|$	No
[8]	$\left|\mathbb{G}\right|$	$\left|\mathbb{G}\right|$	No
[7]	$|{\mathbb{Z}}_N^{*}|$	$|{\mathbb{Z}}_N^{*}|$	No
[9]	$|{\mathbb{Z}}_p^{n\times m}|$	$2|{\mathbb{Z}}_p^n|$	No
Our scheme	$\left|\mathbb{G}\right|$	$\left|\mathbb{G}\right|+|{\mathbb{Z}}_p^{t\times n}|$	Yes

6. Conclusions

The paper introduces the formal definitions of ABDCTS and its security models, where the signer can set fine-grained combiner control policy, so that entities that do not satisfy the access policy of the attribute set cannot combine signatures. ABDCTS provides a solution for granting different entities the ability to combiner transitive signatures based on varied data requirements. Subsequently, a specific construction is proposed, and its security is proven based on the one-more CDH problem and the co-CDH problem in the random model. We analyze the communication cost and computational cost, showing that the scheme is quite practical. The public key, the transitive signature, and the combined siganture in our construction are $\left|{\mathbb{G}}_2\right|$ bits, $\left|{\mathbb{G}}_1\right|+\left|{\mathbb{Z}}_p^{t\times n}\right|$ bits, and $\left|{\mathbb{G}}_1\right|+\left|{\mathbb{Z}}_p^{*}\right|$, respectively.