Predicate signatures from pair encodings via dual system proof technique

Motivation

The available pair encoding schemes of [1, 5, 39] have been reached out to most of the practical predicate families. Therefore, it is interesting to see a framework of predicate signatures from pair encoding schemes which were solely introduced for predicate encryptions.

Our Result

Affirmatively, we answer the above question. That is, we provide a generic construction of predicate signature schemes from pair encoding schemes. If the underlying pair encoding scheme has a least security^[1] and fulfills some natural conditions, then the PS scheme will achieve unconditional signer privacy, and unforgeability in the adaptive model. The construction is given in the setting of composite order bilinear groups. The unforgeability of the proposed construction is proven under three subgroup assumptions DSG1, DSG2, DSG3, and extra hardness assumption(s) required for the CMH-security of the underlying pair encoding scheme. If the primitive pair encoding scheme has PMH-security, then we do not need any extra hardness assumption. In this case, we say that the corresponding PS scheme is cost free. Through this generic construction, what we achieved is summarized below.

All the pair encoding schemes of [1, 5, 39] possess the least security and satisfy the natural conditions (see Conditions 3.1 of Section 3.1). Therefore, the resultant predicate signature schemes are adaptively unforgeable and perfectly private. Our generic predicate signature can be used to derive the following new results (see Table 2 in Section 5).

1. PS for regular languages. Predicate signature schemes for regular languages in both the forms, key policy and signature policy, are provided in this paper. Both the schemes support a large universe alphabet. To the best of our knowledge, these are the first practical constructions of predicate signature schemes beyond ABS.

2. Unbounded KP-ABS. We present an unbounded KP-ABS scheme with large universes, where the size of the universe is super-polynomial and no restriction has been imposed on the access polices and sets of attributes. To the best of our knowledge, this is the first large universes KP-ABS construction with the feature unbounded.

3. Constant-size signatures and constant-size keys. Till date, the only available ABS scheme [3] with constant-size signatures for general access structures is known to be unforgeable in the selective model. We propose the first KP-ABS with constant-size signature, where unforgeability is proven in the adaptive model. A dual version, SP-ABS with constant-size keys, is also provided in this paper.

4. Cost free signatures. The following instantiations of predicate signature are cost free as the underlying pair encoding schemes are PMH secure.

   1. ABS for large universes,

   2. predicate signature scheme for policy over doubly spatial predicate,

   3. predicate signature schemes with constant-size keys and constant-size signatures, respectively, for both zero inner product and non-zero inner product predicates,

   4. predicate signature schemes for doubly spatial predicate and negated spatial predicate,

   5. spatial signature schemes with constant-size keys and constant-size signatures, respectively.

Outline of our construction

Let (N:=p1p2p3,𝔾,𝔾T,e) denote composite order bilinear groups, where e:𝔾×𝔾→𝔾T is a bilinear map and 𝔾 and 𝔾T are cyclic groups of order N. Note that 𝔾=𝔾p1×𝔾p2×𝔾p3, where 𝔾pi is subgroup of 𝔾 of order pi. Let gT:=e(g,g), where g∈𝔾p1. For 𝑿,𝒀∈𝔾n, the notation 𝑿⋅𝒀 represents the pairwise group operations, and therefore 𝑿⋅𝒀∈𝔾n. The notation e⁢(𝑿,𝒀) stands for ∏i=1ne⁢(Xi,Yi).

In brief, a pair encoding scheme [1] consists of four deterministic algorithms, 𝖯𝖺𝗋𝖺𝗆,𝖤𝗇𝖼𝟣,𝖤𝗇𝖼𝟤 and Pair. Let N∈ℕ.

1. 𝖯𝖺𝗋𝖺𝗆⁢(𝒋)→n, where 𝒋 is the index for the system parameter and n describes the length of the common parameters 𝒉∈ℤNn,

2. 𝖤𝗇𝖼𝟣⁢(x)→(𝒌x,m2), where 𝒌x is a sequence of polynomials over ℤN with |𝒌x|=m1 and m2 is the length of the random coin 𝒓∈ℤNm2,

3. 𝖤𝗇𝖼𝟤⁢(y)→(𝒄y,ω2), where 𝒄y is a sequence of polynomials over ℤN with |𝒄y|=ω1 and ω2+1 is the length of the random coin 𝒔=(s0,…,sω2)∈ℤNω2+1,

4. 𝖯𝖺𝗂𝗋⁢(x,y)→𝑬∈ℤNm1×ω1.

The correctness says that, for x∼y, (𝒌x,m2)←𝖤𝗇𝖼𝟣⁢(x), (𝒄y,ω2)←𝖤𝗇𝖼𝟤⁢(y) and 𝑬←𝖯𝖺𝗂𝗋⁢(x,y), we have

Before describing the outline of our predicate signature, we state the following two facts:

1. A signature is nothing but a diluted key for a policy y computed from an actual (strong) key 𝒮⁢𝒦x with x∼y, where the message m and the policy y are to be committed.

2. To maintain signer privacy, the signature is to be labeled with policy y, at least not labeled with the key index x.

The above facts are implicitly used in many predicate signatures and also provide insight to predicate signature. In the following, we first give an outline of the initial structure of our predicate signature using the structure of predicate encryption of [1] based on pair encodings. Recall that 𝒮⁢𝒦x=g𝒌x⁢(α,𝒓,𝒉)⋅𝑹3∈𝔾m1 with 𝑹3∈𝔾p3m1 is the key structure of [1] for the key index x.

1. Signature generation. Suppose Alice is playing the role of a sender. Let 𝒮⁢𝒦x=g𝒌x⁢(α,𝒓,𝒉)⋅𝑹3∈𝔾m1 be the key of Alice. To sign a message m under a policy y with x∼y, Alice first runs 𝑬←𝖯𝖺𝗂𝗋⁢(x,y). Then it generates the signature as 𝜹y:=𝒮𝒦x𝑬⋅𝑹3′∈𝔾ω1, where 𝑹3′⁢←U⁢𝔾p3ω1. On simplification, we have 𝜹y=g𝒌x⁢(α,𝒓,𝒉)⁢𝑬⋅𝑹3~, where 𝑹3~:=𝑹3E⋅𝑹3′. The signature 𝜹y plays the role of a diluted key, derived from the actual key 𝒮⁢𝒦x.

2. Signature verification. The verification process considered here is a probabilistic one as it is performed by running some routines which are similar to the encryption and decryption of the predicate encryption of [1]. Since a signature is a poor or diluted key, verifying a signature is nothing but checking its capability to extract out some information from the part of a ciphertext. Therefore, to verify a signature 𝜹y, we first prepare a verification text (that is same as the ciphertext, but without the message m) 𝒱:=(𝒱INT:=gTα⁢s0,𝓥y:=g𝒄y⁢(𝒔,𝒉)). The signature is accepted if e⁢(𝜹y,𝓥y)=𝒱INT, else rejected. We note that the 𝔾p3 part of 𝜹y gets canceled in the verification due to the orthogonal property of composite order bilinear groups.

3. Correctness. For x∼y, we have e⁢(𝜹y,𝓥y)=e⁢(g,g)𝒌x⁢(α,𝒓,𝒉)⁢𝑬⁢𝒄y⊤⁢(𝒔,𝒉)=gTα⁢s0, where the last equality is obtained from the correctness of the pair encoding scheme.

Limitations of the initial structure of the signature

The above initial structure of the signature only shows that Alice is capable to generate such a signature. We note that neither the message nor the policy is committed to the above signature, and this is very crucial to guarantee unforgeability. Although the above signature is not labeled with the key index x, it misses a very important property of predicate signature, perfect privacy of the signer.

To overcome the limitations of the above signature, we have to modify the initial structure. The modifications are explained briefly in the following two steps.

1. The initial structure of the signature is 𝜹y=g𝒌x⁢(α,𝒓,𝒉)⁢𝑬⋅𝑹3~∈𝔾ω1. To ensure unforgeability, the message m and the policy y are to be committed to 𝜹y. The binding is to be done in such a way that the binding part of the signature cannot be updated once the signature has been generated. The binding is made in the following way. A collision resistance hash function H:{0,1}∗→ℤN and two others parameters gθ1,gθ2 are added to the public parameters 𝒫⁢𝒫. A group element gτ⁢(θ1⁢ℏ+θ2) is composed with the first component of g𝒌x⁢(α,𝒓,𝒉)⁢𝑬, where τ⁢←U⁢ℤN and ℏ=H⁢(m,y). Additionally, g-τ is given as a part of the signature. In other words, the modified signature becomes 𝜹y=g𝒗⋅𝑹3~∈𝔾ω1+1, where 𝒗 is implicitly set to 𝒗:=(-τ,𝝍+𝒌x(α,𝒓,𝒉)𝑬)∈ℤNω1+1 and 𝝍:=(τ(θ1ℏ+θ2),0,…,0)∈ℤNω1.

   To verify this signature, the verification text is to be changed to 𝒱:=(𝒱INT:=gTα⁢s0,𝓥y:=g𝒄yM⁢(𝒔,θ1,θ2,𝒉)), where

   𝒄yM(𝒔,θ1,θ2,𝒉):=(c0(s0,θ1,θ2,ℏ),𝒄y(𝒔,𝒉))∈ℤNω1+1,

   c0(s0,θ1,θ2,ℏ):=s0(θ1ℏ+θ2) and ℏ:=H(m,y).

   The verification is the same as before, i.e., the signature is accepted if e⁢(𝜹y,𝓥y)=𝒱INT, else rejected. For correctness of the verification, we assume that cy,ι⁢(𝒔,𝒉)=s0 for some ι∈[ω1].

2. For perfect privacy, the authors of [29] assume the perfectly hiding property of the underlying non-interacting witness-indistinguishable (NIWI) scheme. For the ABS schemes of [31, 32, 33], an additional secret sharing (0-sharing) was used to assure perfect privacy. For perfect privacy of the proposed signature, we explore a novel approach (for details, refer to Section 3.4) which works irrespective of the predicate families. This is done by uniformly sampling from the orthogonal space (𝐕M)⊥ of 𝐕M:={𝒄yM(𝒔,θ1,θ2,𝒉)∈ℤNω1+1∣𝒔:=(s0,…,sω2)∈ℤNω2+1}. The final signature of the proposed construction (for a complete description, refer to Section 3.3) has the form 𝜹y=g𝒗+𝒗sp⋅𝑹3~∈𝔾ω1+1, where 𝒗sp⁢←U⁢(𝐕M)⊥. The verification is the same as before, where 𝒗sp gets canceled due to the orthogonality of 𝒗sp and 𝒄yM⁢(𝒔,θ1,θ2,𝒉).

   We show that uniformly sampling from (𝐕M)⊥ is done by solving the homogeneous system 𝑨⊤⁢𝑿=𝟎, where 𝑨∈ℤNω1×(ω2+1). For 1≤ι≤ω1 and 0≤j≤ω2, the (ι,j)-th entry of the matrix 𝑨 is of the form aι,j+∑i∈[n]aι,j,i⁢hi, where aι,j and aι,j,i are coefficients of the ι-th polynomial of 𝒄y. The only available information to solve the system are aι,j, aι,j,i and ghi for 1≤ι≤ω1, 0≤j≤ω2 and i∈[n]. Since hi are not given explicitly, applying Gaussian elimination on 𝑨 is troublesome. Although hi are not given explicitly, we manage to solve the system 𝑨⊤⁢𝑿=𝟎 perfectly. For that, we impose a restriction on the underlying pair encoding scheme, which is very natural. This restriction is given as condition (3) in Section 3.1. To the best of our knowledge, most of the pair encodings (in fact, all the pair encodings of [1, 5, 39]) satisfy this condition.

One of the motivations of this paper is to achieve adaptive security. We utilize the dual system proofs of [37] in a novel way to guarantee adaptive unforgeability of the proposed construction. For the proof of adaptive unforgeability of the proposed signature, we abstract out the dual system proof technique as a signature analogue of [1]. Hybrid arguments over the sequence of games considered in this signature analogue follow the style of [31, 33]. However, the hybrid arguments in [31, 33] were handled for a particular ABS through linear secret sharing scheme (LSSS). But here, we manage the dual system proof technique generically for arbitrary predicates. In this style, we consider semi-functional (mimic) forms of the original objects, viz., verification text, signatures and keys. Using hybrid arguments, we finally reach a game where 𝒱INT is chosen independently and uniformly at random from 𝔾T. This ensures that the forgery will be invalid with respect to the verification text 𝒱.

Related works

In addition to the fully CPA-secure construction of PE, Attrapadung [1] showed a dual conversion for pair encodings. If the source pair encoding 𝖯 is perfectly secure, then the dual of 𝖯, denoted by 𝔻⁢(𝖯) is also perfectly secure encoding. Using this conversion, full security of the dual of 𝖯𝖤, denoted by 𝔻⁢(𝖯𝖤), is guaranteed if the underlying pair encoding 𝖯 has perfect security. However, there are many PE schemes for which perfectly secure encodings were not known, so the fully secure realizations of their dual form were unsolved. Later, Attrapadung and Yamada [5] showed that the same dual conversion of [1] actually works for the computationally secure encodings. By applying this conversion on the underlying pair encoding of the previously proposed KP-ABE [1], the authors achieved the first fully secure unbounded CP-ABE and a CP-ABE with short keys for Boolean formulas. Recently, Chen, Gay and Wee [16] and Attrapadung [2] proposed new generic frameworks for achieving adaptively secure ABE in the prime order bilinear groups, which are nothing but the prime order version of [39] and [1], respectively. The main difference between the frameworks of [16] and [2] is that the former deals with only perfectly secure encodings, whereas the latter can deal with computationally secure encodings.

Attribute-based signature

In the literature, many ABS schemes [28, 29, 31, 19, 32, 27, 35, 36, 40, 36, 40] have been studied. Among them, only the schemes of [29, 31, 19] were known to achieve signer privacy, adaptive unforgeability in the standard model and support general access structures. In [29], the authors proposed a general framework for ABS using a credential bundle and a NIWI scheme as primitives. This general framework provides the attribute-based signatures for monotone span programs in signature-policy form. The authors showed two practical instantiations of ABS in the standard model using Groth–Sahai proof system [21] for satisfiability of pairing product equations. In the first instantiation, they used a Boneh–Boyen signature [9] as the candidate for a credential bundle, whereas, in the second instantiation, another Boneh–Boyen signature [8] was used. The ABS construction of [31] is based on the concept of the dual pairing vector space of [30] and relies on the DLIN assumption. The authors first utilized the dual system methodology [37] in ABS for adaptive unforgeability. The ABS of [31] is more efficient than the one of [29] since the latter uses the Groth–Sahai non-interactive zero-knowledge (NIZK) proof systems [21] as building blocks. Although the performance of the ABS construction [31] defeats that of [29], the scheme of [31] has the following drawbacks. The size of the public parameters is linear to the size of the sub-universe, and a bound is imposed on the number of times an attribute could appear in a policy. The ABS schemes of [29, 31, 19] have signature-policy form; among them, the schemes of [29, 31] support large universes.

Functional signature

Bellare and Fuchsbauer [6] proposed a notion of policy-based signature which unifies the existing signatures, e.g., group signatures [15], mess signatures [12], attribute-based signatures [29], etc. For a policy-based signature (PBS) scheme, the authors defined the policy language ℒ to be any member of the complexity class 𝐍𝐏. In this scheme, a key 𝒮⁢𝒦p which is associated with policy p can sign a message m (without revealing p) if (p,m)∈ℒ. Since ℒ∈𝐍𝐏, the message m together with the witness w is to be supplied while generating the signature. If we restrict the policy language to come from the complexity class 𝐏 (⊆𝐍𝐏), then what we have is nothing but the predicate signatures, where the witness is computed in polynomial time. At the same time, Boyle, Goldwasser and Ivan [13] introduced a concept of functional signatures. In this signature, a key 𝒮⁢𝒦f is associated with a function f, and the key 𝒮⁢𝒦f has the power to sign a message m if m belongs to its range. This can be considered as a special case of PBS, in which the policy language ℒ is the set of all pairs (f,m) such that m is in the range of f and the witness for (f,m) is a pre-image m under f.

The authors in [6] showed a generic construction of attribute-based signature from PBS, but they did not explicitly mention the practical instantiation of ABS. If we instantiate the ABS of [6] using the Groth–Ostrovsky–Sahai proof system [20] for 𝐍𝐏-complete languages such as circuit satisfiability, then there is a huge blowup in the size of the signature due to Karp reduction. On the other hand, if we use the Groth–Sahai proof system [21] for satisfiability of pairing product equations, then ABS supports only the restricted predicate family, viz., conjunction and disjunction of pairing product equations. Recently, Sakai, Attrapadung and Hanaoka [34] proposed an efficient ABS for arbitrary circuits from the symmetric external Diffie–Hellman assumption. Their ABS construction is based on the efficiency of the Groth–Sahai proof system [21] and the expressiveness of the Groth–Ostrovsky–Sahai proof system [20].

Organization

This paper is organized as follows. Basic notations, composite order bilinear groups, hardness assumptions, the syntaxes and security definitions of predicate signature and pair encoding schemes and other related things are given in Section 2. Framework, security and instantiations of predicate signature are respectively provided in Sections 3, 4 and 5.

2.1 Notations

For a set X, x⁢←R⁢X denotes that x is randomly picked from X according to the distribution R. Likewise, x⁢←U⁢X indicates that x is uniformly selected from X. For an algorithm A and variables x,y, the notation x←A⁢(y) (or A⁢(y)→x) carries the meaning that, when A is run on the input y, it outputs x. The symbol PPT stands for probabilistic polynomial-time. For a,b∈ℕ, define [a,b]:={i∈ℕ∣a≤i≤b} and [b]:=[1,b].

Throughout this paper, bold characters denote vector objects. For 𝒉∈ℤNn and |⁡pN, we define

For a vector 𝒙 (resp. 𝒙k), the i-th component is denoted by xi (resp. xk⁢i). For 𝒙,𝒚∈ℤNn, we define

For S⊂ℤNn and 𝜶∈ℤNn, we define 𝜶+S:={𝜶+𝜷∣𝜷∈S}.

For a matrix 𝑴, the notations 𝑴⊤ and Mi⁢j denotes the transpose of 𝑴 and an entry of 𝑴 at the (i,j)-th position, respectively. The notation 𝑴i denotes the i-th row of the matrix 𝑴, and Null⁡(𝑴) represents the nullity of the matrix 𝑴. The notation 𝟎m×n stands for an m×n matrix with all the entries as 0. For a group 𝔾 and n∈ℕ, the entries from 𝔾n are assumed to be the row vectors.

Let 𝔾 be a cyclic group of order N with respect to the group operation “⋅”. For g∈𝔾 and 𝒉∈ℤNn, we define g𝒉:=(gh1,…,ghn). For 𝑿,𝒀∈𝔾n, the notation 𝑿⋅𝒀 stands for component-wise group operations, i.e., 𝑿⋅𝒀:=(X1⋅Y1,…,Xn⋅Yn)∈𝔾n. For 𝑾∈𝔾n and 𝑬∈ℤNn×m, we define 𝑾𝑬:=𝒛∈𝔾m, where zi:=W1E1⁢i⋯WnEn⁢i. If 𝑾=g𝒘, for g∈𝔾 and 𝒘⊤∈ℤNn, then we can write 𝑾𝑬=g𝒘⁢𝑬.

For a matrix 𝑨∈ℤqℓ×ϑ, we define the linear space Ker(𝑨):={𝒖∈ℤqℓ∣𝒖⊤𝑨=𝟎}. For (𝑿,𝒙)∈ℤqℓ×ϑ×ℤqℓ, an affine space generated by (𝑿,𝒙) is defined by Aff(𝑿,𝒙):={𝑿𝒖+𝒙∣𝒖∈ℤqϑ}⊂ℤqℓ. The nullity of a matrix 𝑨 is defined by Null⁡(𝑨), which is the dimension of Ker⁡(𝑨⊤).

2.2 Composite order bilinear groups

Composite order bilinear groups [10, 26] are defined to be a tuple 𝒥:=(N:=p1p2p3,𝔾, 𝔾T,e), where p1,p2,p3 are three distinct primes and 𝔾 and 𝔾T are cyclic groups of order N and e:𝔾×𝔾→𝔾T is a map with the following properties:

1. Bilinear. For all g,h∈𝔾 and all s,t∈ℤp, we have e⁢(gs,ht)=e⁢(g,h)s⁢t.

2. Non-degenerate. There exists an element g∈𝔾 such that e⁢(g,g) has order N in 𝔾T.

3. Computable. There is an efficient algorithm for computing e⁢(g,h) for all g,h∈𝔾.

Let 𝒢cbg denote an algorithm which takes 1κ as a security parameter and returns a description of composite order bilinear groups 𝒥=(N=p1p2p3,𝔾,𝔾T,e). Composite order bilinear groups enjoy the orthogonal property defined below.

2.3 Hardness assumptions in composite order bilinear groups

We describe here three decisional subgroup (DSG) assumptions [25] for 3 primes, DSG1, DSG2 and DSG3, in composite order bilinear groups. Let 𝒥:=(N=p1p2p3,𝔾,𝔾T,e)←U𝒢cbg(1κ) be the common parameters for each assumptions. In the following, we define an instance for each assumption.

1. Let g⁢←U⁢𝔾p1, Z3⁢←U⁢𝔾p3, T0⁢←U⁢𝔾p1, T1⁢←U⁢𝔾p1⁢p2. Define 𝒟:=(𝒥,g,Z3).

2. Let g,Z1⁢←U⁢𝔾p1, Z2,W2⁢←U⁢𝔾p2, W3,Z3⁢←U⁢𝔾p3, T0⁢←U⁢𝔾p1⁢p3, T1⁢←U⁢𝔾. Define

   𝒟:=(𝒥,g,Z1Z2,W2W3,Z3).

3. Let α,s⁢←U⁢ℤN, g⁢←U⁢𝔾p1, W2,Y2,g2⁢←U⁢𝔾p2, Z3⁢←U⁢𝔾p3, T0:=e(g,g)α⁢s, T1⁢←U⁢𝔾T. Define

   𝒟:=(𝒥,g,gαY2,gsW2,g2,Z3).

The advantage of an algorithm 𝒜 in breaking DSGi, for i=1,2,3 is defined by

We say that the DSGi assumption holds in 𝒥 if, for every PPT algorithm 𝒜, the advantage Adv𝒜DSG⁢i⁢(κ) is negligible in the security parameter κ.

2.4 Some results of linear algebra

We recall the three types of elementary row operations (for details, refer to [23]) on a matrix.

1. Interchange rows i and j (in short, we write Ri↔Rj).

2. Multiply row i by k, with k≠0 (in short, Ri←k⁢Ri).

3. Add k-times row j to row i (in short, Ri←Ri+k⁢Rj).

Similarly, we can define three types of elementary column operations. Let 𝓔 be a matrix obtained by applying a single elementary row operation on the identity matrix, called elementary matrix. Note that the effect of a single elementary row (resp. column) operation on a matrix 𝑩 can also be obtained by pre- (resp. post-)multiplying the matrix 𝑩 by the corresponding elementary matrix 𝓔 (resp. 𝓔⊤).

A well-known result that will be used very often is given below.

But the scenario is slightly changed in case of column equivalence.

2.5 Predicate family

To define a predicate-based cryptosystem, we have to define a predicate family. The predicate family is defined for an index set Λ. For most of the predicate families, the index sets are considered to be subsets of {𝒋:𝒋∈ℕi⁢and⁢i∈ℕ}. The following definition of a predicate family is adopted from [7, 1].

The function ∼𝒋 is also called predicate or binary relation over 𝒳𝒋×𝒴𝒋. For (x,y)∈𝒳𝒋×𝒴𝒋, we write x∼𝒋y if ∼𝒋(x,y)=1, else x≁𝒋y. For a predicate family, the corresponding index set Λ is called system-index space. A member 𝒋 of the index space Λ is called index for the system parameter or simply system index. To design a predicate-based scheme for some predicate family, first a system index 𝒋 is fixed for that family. Then this index will define a predicate tuple (∼𝒋,𝒳𝒋,𝒴𝒋) for the corresponding predicate-based scheme. For example, the system indices for predicate families, regular languages, circuits, access structures, inner product and doubly spatial relation are respectively alphabet, maximum depth and number variables for circuits, attribute universe or size of the attribute universe, length of vectors and dimension of affine space.

In the current study, there are many predicate families which are used to provide access control over data. In the following, we describe some of the predicates. Note that, for most of the relations described below, the system indices are not given explicitly as it will be understood from the context.

1. Equality relation. Let 𝒳=𝒴={0,1}∗. For x,y∈{0,1}∗, we define x∼y if and only if x=y. The well-known predicate encryption for the equality relation is called identity-based encryption (IBE).

2. Inner product relation. Let 𝒳=𝒴=ℤqℓ. For x=(x1,…,xℓ)∈𝒳 and y=(y1,…,yℓ)∈𝒴, we define x∼y if and only if 〈x,y〉=0. This relation is called zero inner product relation. Similarly, a non-zero inner product relation is defined by x∼y if and only if 〈x,y〉≠0. The corresponding encryption schemes are known as inner-product encryption (IPE).

3. (Doubly) spatial relation.  𝒳=𝒴:={Aff(𝑨,𝒂)∣(𝑨,𝒂)∈ℤqℓ×k×ℤqℓ, 0≤k≤ℓ}. For x∈𝒳 and y∈𝒴, a doubly spatial relation is defined by x∼dsy if and only if y∩x≠∅. For the spatial relation, we restrict 𝒴 to be ℤqℓ. In [17], the doubly spatial relation was defined over 𝒳×𝒴, where 𝒳:={Ker(𝑿)∣𝑿∈ℤqℓ×k, 0≤k≤ℓ} and 𝒴:={Aff(𝑨,𝒂)∣(𝑨,𝒂)∈ℤqℓ×k×ℤqℓ, 0≤k≤ℓ}. The predicate encryption using the (doubly) spatial relation is called (doubly) spatial encryption ((D)SE). The authors in [17] showed that predicate encryption for the doubly spatial relation defined later generalizes the predicate encryption for the formerly defined doubly spatial relation.

4. Access structure based relation. Let 𝒰 be a universe of attributes. Define 𝒳=2𝒰 and 𝒴 to be the set of all access structures over 𝒰. For A∈𝒳 and Γ∈𝒴, we define a binary relation A∼Γ if and only if A∈Γ. The encryption scheme realizing this relation is called attribute-based encryption (ABE) for access structures.

5. Policy over doubly spatial relation. We have defined the access structure based relation above through the equality relation over a universe of attributes. Here we define a new access structure based relation of [1], called policy over doubly spatial relation, using the doubly spatial relation over a universe of affine subspaces. This predicate generalizes the former access structure based relation. Let ℓ be a system index for this new access structure based relation. We define 𝒰:={Aff(𝑨,𝒂)∣(𝑨,𝒂)∈ℤqℓ×k×ℤqℓ, 0≤k≤ℓ}. Let 𝒳:=2𝒰 and 𝒴 be the set of all policies of the form (𝑴,ρ), where 𝑴∈ℤqd×r and ρ:[d]→𝒰 is a row labeling function. For S:={Y1,…,Yt}∈𝒳 and 𝔸:=(𝑴,ρ)∈𝒴, we define S∼𝔸 if and only if there exist coefficients {μi}i∈ℐ with ℐ={i∈[d]∣there exists⁢Yj∈S⁢with⁢ρ⁢(i)∼dsYj} such that ∑i∈ℐμi⁢𝑴i=(1,𝟎). The encryption scheme realizing this relation is called policy over doubly spatial encryption [5, 1].

6. Acceptance relation in regular language. A deterministic finite automaton M is defined to be a quintuple (Q,Σ,δ,q0,F), where Q is a finite set of states, Σ is a finite set of symbols, called alphabet, q0∈Q is called the start state, F⊆Q is called the set of final states and δ:Q×Σ→Q is called transition function. The language, also called regular language, recognized by a deterministic finite automaton (DFA) M, is defined as

   ℒ(M)={σ1σ2⋯σn∈Σ*∣δ(⋯δ(δ(q0,σ1),σ2)⋯σn)∈F}.

   Let Tr denote the set of all transitions (qx,qy,σ)∈Q×Q×Σ with the understanding that δ⁢(qx,σ)=qy. If we identify the δ by Tr, then a DFA M can always be represented by (Q,Σ,Tr,q0,F). Let Σ be an alphabet, and let 𝒳:=Σ∗ and 𝒴 be the set of all DFAs with the same alphabet Σ. For w∈𝒳 and M∈𝒴, we define a binary relation w∼M if w∈ℒ⁢(M). We also call this relation a DFA-based relation. The corresponding encryption scheme is known as functional encryption (FE) [38] for regular languages.

A relation defined over 𝒳×𝒴 is called symmetric if 𝒳=𝒴 and x∼y⇔y∼x for all x,y∈𝒳; otherwise, it is called asymmetric. For an asymmetric relation, we can define its dual relation as follows.

Here we are interested to design a predicate signature over composite order bilinear groups (CBG) and let N be the order of the groups. This N describes some domain; for example, the domain of IBE is ℤN with equality predicate. We therefore reserve the first entry of 𝒋 to be N as described in [1]. For notational simplicity, we omit 𝒋 and write (∼N,𝒳N,𝒴N) or simply (∼,𝒳,𝒴) depending upon requirements.

2.6 Predicate signature

A predicate signature (PS) scheme for a predicate family ∼ consists of four PPT algorithms – Setup, KeyGen, Sign and Ver.

1. Setup takes a security parameter κ and a system index 𝒋 as input and outputs public parameters 𝒫⁢𝒫 and master secret key ℳ⁢𝒮⁢𝒦.

2. KeyGen takes 𝒫⁢𝒫, ℳ⁢𝒮⁢𝒦 and a key index x∈𝒳 as input and outputs a secret key 𝒮⁢𝒦x corresponding to x.

3. Sign takes 𝒫⁢𝒫, a message m∈ℳ, a secret key 𝒮⁢𝒦x and an associated data index y∈𝒴 with x∼y and returns a signature δ.

4. Ver receives 𝒫⁢𝒫, a message m∈ℳ, a signature δ and a claimed associated data index y as input. It returns a Boolean value 1 for acceptance or 0 for rejection.

2.7 Security of predicate signature

Note that the signer privacy defined above is also called perfect privacy. A predicate signature scheme with signer privacy is called perfectly private.

Figure 1

Experiments for unforgeability.

We may refer the above security model as the Ad-EUF-CMA security model in this paper.

2.8 Pair encoding scheme

A pair encoding scheme 𝖯 (see [1]) for a predicate family ∼ consists of four deterministic algorithms, Param, Enc1, Enc2 and Pair.

1. 𝖯𝖺𝗋𝖺𝗆⁢(𝒋)→n∈ℕ, where n describes the number of common variables involved in Enc1 and Enc2. Let 𝒉:=(h1,…,hn)∈ℤNn denote the common variables in Enc1 and Enc2.

2. 𝖤𝗇𝖼𝟣(x∈𝒳,N)→(𝒌x:=(k1,…,km1),m2), where kι for ι∈[m1] are polynomial over ℤN and m2∈ℕ specifies the number of its own variables. We require that each polynomial kι is a linear combination of monomials α,rj,hi⁢rj, where α, r1,…,rm2, h1,…,hn are variables. In other words, it outputs a set of coefficients {bι,bι,j,bι,j,i}ι∈[m1],j∈[m2],i∈[n] which define the sequence of polynomials

   (kι(α,𝒓,𝒉):=bια+(∑j∈[m2]bι,jrj)+(∑j∈[m2]i∈[n]bι,j,ihirj))ι∈[m1],where𝒓:=(r1,…,rm2).

3. 𝖤𝗇𝖼𝟤(y∈𝒴,N)→(𝒄y:=(c1,…,cω1),ω2), where cι for ι∈[ω1] are polynomial over ℤN and ω2∈ℕ specifies the number of its own variables. We require that each polynomial cι is a linear combination of monomials sj,hi⁢sj, where s0,…,sω2, h1,…,hn are variables. In other words, it outputs a set of coefficients {aι,j,aι,j,i}ι∈[ω1],j∈[0,ω2],i∈[n] which define the sequence of polynomials

   (cι(𝒔,𝒉):=∑j∈[0,ω2]aι,jsj+∑j∈[0,ω2]i∈[n]aι,j,ihisj)ι∈[ω1],where𝒔:=(s0,…,sω2).

4. 𝖯𝖺𝗂𝗋⁢(x,y,N)→𝑬∈ℤNm1×ω1.

2.9 Security of pair encoding scheme

We consider two forms of security, viz., perfect security and computational security as defined in [1].