As a new type of cryptographic primitive,attribute-based signature (ABS) can achieve the fine-grained access control over the identifying information.In an ABS system,the signer receives from the trusted authority a secret key depending on the set of attributes that he or she possesses.A valid signature can convince the verifier that it was produced by some signer with a set of attributes satisfying the given signing policy while it will reveal nothing else.Compared with the traditional identity-based signature (IBS) system,ABS has stronger anonymity,namely,given a valid signature,the verifier cannot get the knowledge of the identity of the real signer.Moreover,the signers in the ABS system cannot forge a valid signature with attributes that they do not own.Compared with the traditional anonymous signature system,such as group signatures and ring signatures,ABS is able to provide more abundant signing strategies.Hidden attributebased signature (HABS) is a new signature notion inspired by the recent developments in the ABS system.The signer of HABS is able to sign messages with any subset of his or her attributes,and given the valid messages-signatures,the verifier can effectively decide that these messages are indeed signed by the signers who own the attributes,while the verifier cannot determine the specific identity of the underling signers.Furthermore,HABS can ensure that the anonymity still exists even the signer has been revoked,namely,the verifier still cannot determine which messages have been signed by the revoked signer and the signer cannot forge valid signatures with certain attributes which he or she has not been issued.HABS can be regarded as a special ring signature,when some signer of HABS signs messages with certain subset of his or her attributes,the users who own the same subset of attributes could be combined into a ring automatically,while the signer will not know which users are included in this ring,what is more,the signature size has nothing to do with the number of the ring users.As one of the most efficient candidates of post-quantum cryptography,lattice-based cryptography not only allows to construct powerful primitives which have no feasible instantiations in traditional number-theoretic cryptography,but it can also provide several advantages over the later,such as the conjectured resistance against quantum computers,the worst-case hardness assumptions and the faster arithmetic operations.During the last decade,lattice based cryptography has received a permanent interest and to design some efficient and powerful lattice-based cryptographic constructions has become more challenging.Based on the small integer solution (SIS) problem and the basis-splicing technique due to Boyen,in this paper,we construct the first HABS scheme without anonymity revocation from lattices in the random oracle model and this construction has proven to be existentially unforgeable against selective-attribute and adaptive chosen message attacks (EUF-sA-aCMA).Further,using the fully secure short signature with lattice mixing and vanishing trapdoors,the above construction can be extended to be in the standard model.Compared with other latticebased cryptographic constructions,the proposed two constructions have the shorter key size and signature size,in particular,the second one also obtains a stronger secure.%隐藏的属性签名的签名者可利用其属性的任意子集签署消息,同时验证者可以有效地由消息的合法签名判定该消息的确是由拥有某些属性的签名者签署,而无法确定签名者的具体身份.隐藏的属性签名能够保证签名者即使被撤销,其匿名性仍然存在,即验证者无法确定哪些消息是由该签名者签署;而且不拥有某些属性的签名者无法伪造一个由该属性签署的合法签名.基于格上小整数解困难问题,文中利用Boyen给出的格基剪接技术,构造出第1个随机预言机模型下抵抗选择属性和适应性选择消息攻击的存在性不可伪造的格上无匿名性撤销的隐藏的属性签名方案;进一步地,利用格混合和陷门消失的完全安全的短签名方案,可将上述方案扩展到标准模型.
展开▼
