A multi-authority attribute ring signature supporting dynamic policies and dual anonymity for zero-trust networks
Jinhong Chen, Xueguang Zhou, Wei Fu, Yihuan Mao, Jiaqi Wang

TL;DR
This paper introduces a new secure authentication method for zero-trust networks using decentralized identity and anonymity-preserving signatures.
Contribution
A novel multi-authority attribute ring signature scheme is proposed, supporting dynamic policies and dual anonymity.
Findings
The scheme enables distributed key generation by multiple authorities and achieves existential unforgeability.
The proposed method reduces computational costs by approximately 30% compared to existing ring signatures.
The approach is based on the SM9 cryptographic standard and is suitable for DID-driven zero-trust networks.
Abstract
The advent of Decentralized Identity (DID) technology is fundamentally changing the way digital identity is managed, allowing user-controlled, privacy-preserving authentication across trust domains a fundamental requirement if zero trust architectures are to be realized, in which continuous verification and least-privilege access are inherent properties. Under traditional ABS (attribute-based signature) schemes, these are difficult to achieve as fine-grained access control is not always possible in practice and anonymity may not be straightforward when policy is evolving dynamically and different authorities may be involved. In this paper, we present a new multi-authority attribute ring signature scheme, which leverages DID philosophy and anonymous credential techniques, enabling users to mix attributes dynamically according to the policies of veriers without disclosing their pseudonyms…
Genes, proteins, chemicals, diseases, species, mutations and cell lines named across the full text — each resolved to its canonical identifier and authoritative record.
Click any figure to enlarge with its caption.
Figure 1
Figure 2- —Science and Technology Research Project of Jiangxi Provincial Department of Education
- —https://doi.org/10.13039/501100001809National Natural Science Foundation of China
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsCryptography and Data Security · Security in Wireless Sensor Networks · Access Control and Trust
Introduction
With the progression of digital transformation in enterprises, the network structures of numerous companies have grown increasingly intricate and are progressively transitioning to the cloud^1,2^. Nevertheless, border-based gateway identity and access control systems struggle to address emerging threats, resulting in escalating security risks^3^. When enterprises employ traditional security paradigms to tackle these challenges, the zero-trust concept offers a novel security perspective^4^. The Jericho Forum introduced the initial iteration of zero trust^5^. Meanwhile, John Kindvag, a former analyst at Forrester Research, officially coined the term “zero trust” and articulated the zero-trust architecture principle with the mantra “never trust, always verify”^6^.This principle mandates that every access request must come with the minimum necessary privileges and verifiable identity or attribute credentials^4^. The rapid emergence of Decentralized Identity (DID) technologies has re-defined digital identity management by shifting control from centralized authorities to individual users^7,8^.Meanwhile DID has aligned perfectly with the identity management and granular access control requirements of zero-trust networks^9,10^.Leveraging distributed ledgers, DID systems enable privacy-preserving, cross-domain authentication without relying on a single trusted third party^11^. Despite this paradigm shift, two intertwined challenges remain open: enforcing fine-grained access control and providing anonymous authentication in a fully decentralized setting.
Recent breakthroughs in succinct non-interactive zero-knowledge proofs (zk-SNARKs) have inspired new privacy-preserving credential systems. Notably, the zk-creds framework^7^ transforms existing identity documents into unlinkable credentials while supporting dynamic policy composition. Yet, these benefits come at the cost of computationally expensive generic zero-knowledge proofs, which limits practical adoption.
Attribute-Based Signatures (ABS) offer an alternative that natively supports fine-grained access control and signer anonymity^12,13^. In an ABS scheme, a signer can create a valid signature only if the attributes embedded in her private key satisfy a predicate specified by the verifier. Although conceptually aligned with DID requirements, traditional ABS constructions suffer from two major limitations: (i) policy rigidity caused by linear secret-sharing mechanisms^14–17^, and (ii) signature bloat that arises when strong security guarantees are required^18–20^. These drawbacks become critical bottlenecks in real-world deployments involving multiple, mutually distrusting authorities.
Motivation: In a zero-trust network, a gateway (verifier) may require a user to prove they hold “Manager” AND “Finance” attributes today, but “Director” OR “Auditor” tomorrow. Traditional ABS requires re-issuing keys for every policy change. Furthermore, standard ring signatures hide the identity but not the attributes. There is a critical lack of a solution that combines dynamic policy enforcement (verifier chooses the policy on the fly) with dual anonymity (hiding both who signed and which attributes were used) while maintaining efficiency suitable for mobile clients.In this paper, we present a new multi-authority attribute ring signature scheme.
Related work
The evolution of anonymous authentication for zero-trust networks can be categorized into three developmental stages: Traditional Attribute-Based Signatures, Decentralized variants, and SM9-specific adaptations.
Traditional and attribute-based signatures (ABS)
The concept of ABS was developed to provide fine-grained access control with signer privacy. Early works, such as Maji et al.^12^ and Guo et al.^15^, established the foundational security requirements. Li and Kim^14^ and Toluee et al.^16^ extended this to attribute-based ring signatures to enhance anonymity, while Li et al.^17^ applied it to personal health records. However, these traditional schemes rely heavily on linear secret-sharing schemes (LSSS) or monotone span programs embedded in the keys.
Limitation: This results in “policy rigidity.” While Ling et al.^13^ attempted to achieve dynamic policies, most constructions fix the access structure at issuance. Furthermore, works like Herranz et al.^18^ and Okamoto et al.^19,20^ focused on constant-size signatures but often at the cost of high computational overhead in the standard model.
Decentralized and multi-authority schemes
To address the single-point-of-failure in centralized authorities, multi-authority schemes were introduced. Guo et al.^21^proposed a multi-authority ABS resilient to collusion, and Hou et al.^22^ explored designated-combiner signatures. Various functional extensions have also been proposed to address specific needs: Ma et al.^23,24^ introduced blind and designated-verifier ABS for privacy; Zhang et al. proposed Verifier-Policy ABS^25^ and Registered ABS^26^to shift policy control; and others developed puncturable^27^, forward-secure^28^, and proxy signatures^29^ for specific scenarios. Tao et al.^30^ and Kang et al.^31^ focused on lightweight or outsourced designs to reduce client burden.
Limitation: Despite these functional rich variants, they often fail to provide “dual anonymity” in a fully distributed setting. They typically hide the identity but leak the attributes, or lack the flexibility to mix attributes from different authorities dynamically. Additionally, recent lattice-based constructions^32–34^ offer post-quantum security but currently suffer from large signature sizes that hinder deployment on constrained devices.
SM9-based cryptographic schemes
The SM9 standard^35^, based on bilinear pairings, was designed for high efficiency, with its security formally analyzed by Lai et al.^36^. Recent works have attempted to adapt SM9 for advanced privacy. Tang et al.^37^ and Zhu et al.^38^ proposed traceable and online/offline attribute signatures based on SM9, while Zhou et al.^39^ achieved partial policy hiding.
Limitation: While highly efficient, these schemes generally focus on a single authority or lack the ring-signature structure required to hide the signer among a set of potential users completely. Existing SM9 ring signatures, such as the classic ID-based construction by Chow et al.^40^, the standard SM9 scheme by Peng et al.^41^, and the recent work by Xie et al.^42^, achieve identity anonymity but do not natively support dynamic attribute policies. Currently, none of these schemes simultaneously supports multi-authority issuance, dynamic attribute composition, and full anonymity. (see Table 1).Table 1. Comparison of existing functionalities.SchemeMulti-authorityDynamic attributesIdentity anon.Attribute anon.Lai et al.^36^ \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\times$$\end{document} \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\times$$\end{document} \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\checkmark$$\end{document} \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\checkmark$$\end{document} Tang et al.^37^ \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\times$$\end{document} \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\times$$\end{document} \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\checkmark$$\end{document} \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\checkmark$$\end{document} Zhu et al.^38^ \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\times$$\end{document} \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\times$$\end{document} \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\times$$\end{document} \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\checkmark$$\end{document}
Our contribution
Leveraging the SM9 signature algorithm and ring signatures, we design the first multi-authority anonymous attribute ring signature that supports dynamic attribute composition. Our contributions are as follows:
- Decentralized key issuance. Each authority independently issues attribute-specific keys without further coordination.
- Dynamic policy enforcement. Signers can combine their attributes on-the-fly to satisfy any access structure chosen by the verifier, without additional interaction with authorities.
- Dual anonymity. Both the signer’s identity and the subset of attributes used remain unconditionally anonymous within a ring of potential signers.
- Provable security. Under the random oracle model, the scheme is existentially unforgeable against adaptive chosen-message, identity, and attribute attacks (EUF-CMIAA) and achieves full anonymity.
- Practical efficiency. Compared with the state-of-the-art SM9 ring signature^42^, our construction reduces \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {G}_T$$\end{document} exponentiations and scalar multiplications during signing by approximately 30%, yielding significant performance gains for resource-constrained clients.
Preliminaries
Notation
Throughout the paper, we adopt the following conventions.
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {Z}_N^*$$\end{document} denotes the set \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\{1,2,\dots ,N-1\}$$\end{document} ; sampling uniformly at random is written \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$x\!\leftarrow _R\!\mathbb {Z}_N^*$$\end{document} .
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\{0,1\}^*$$\end{document} represents the set of all finite-length binary strings.
- p and N are large primes with \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$N\mid (p^{12}-1)$$\end{document} for the 256-bit BN curve used in SM9.
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {F}_p$$\end{document} is the prime field of order p; its extension is denoted \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {F}_{p^i}$$\end{document} for \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$i>1$$\end{document} .
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$E(\mathbb {F}_{p^i})$$\end{document} is an elliptic curve over \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {F}_{p^i}$$\end{document} ; \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {G}_1,\mathbb {G}_2\subset E(\mathbb {F}_{p^{12}})$$\end{document} are cyclic subgroups of prime order N with fixed generators \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$P_1,P_2$$\end{document} respectively.
- Group law is written additively; scalar multiplication is \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$[a]P=\underbrace{P+\dots +P}_{a}$$\end{document} .
Bilinear pairings
Let \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(\mathbb {G}_1,+)$$\end{document} and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(\mathbb {G}_2,+)$$\end{document} be additive cyclic groups of prime order N, and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(\mathbb {G}_T,\cdot )$$\end{document} a multiplicative cyclic group of the same order. Let \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$P_1,P_2$$\end{document} be generators of \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {G}_1,\mathbb {G}_2$$\end{document} , respectively, and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\psi \!:\mathbb {G}_2\rightarrow \mathbb {G}_1$$\end{document} an efficiently computable homomorphism such that \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\psi (P_2)=P_1$$\end{document} . A (Type-3) bilinear pairing is a map
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$e:\mathbb {G}_1\times \mathbb {G}_2\rightarrow \mathbb {G}_T$$\end{document}satisfying
- Bilinearity: \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$e([a]P,[b]Q)=e(P,Q)^{ab}$$\end{document} for all \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$P\in \mathbb {G}_1,Q\in \mathbb {G}_2,a,b\in \mathbb {Z}_N^*$$\end{document} .
- Non-degeneracy: \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\exists \,P\in \mathbb {G}_1,Q\in \mathbb {G}_2$$\end{document} such that \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$e(P,Q)\ne 1_{\mathbb {G}_T}$$\end{document} .
- Efficiency: e(P, Q) is computable in polynomial time. Security is based on the hardness of the following problems.
Definition 1
(q-SDH Problem) Given \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(P,Q,[\alpha ]Q,\dots ,[\alpha ^q]Q)$$\end{document} for unknown \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\alpha \in \mathbb {Z}_N^*$$\end{document} , output a pair \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(c,[\frac{1}{c+\alpha }]P)$$\end{document} with \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$c\in \mathbb {Z}_N$$\end{document} .
Definition 2
(q-BDHI Problem) Given \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(P,Q,[\alpha ]Q,\dots ,[\alpha ^q]Q)$$\end{document} for unknown \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\alpha \in \mathbb {Z}_N^*$$\end{document} , compute \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$e(P,Q)^{1/\alpha }$$\end{document} .
Both problems are assumed hard in the generic group model and underpin the security of SM9.
SM9 digital signature scheme
SM9 is an identity-based cryptographic suite standardized by the State Cryptography Administration of China (GM/T 0003-2016). For signatures, it employs a 256-bit Barreto–Naehrig curve with embedding degree \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$k=12$$\end{document} . Below we summarize the signature component.
System setup
A Key Generation Centre (KGC) selects a master secret key \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$d\!\leftarrow _R\!\mathbb {Z}_N^*$$\end{document} and publishes the master public key
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$P_{\text {pub-s}}=[d]P_2\in \mathbb {G}_2.$$\end{document}Private-key extraction
For identity \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{ID}_i$$\end{document} , the KGC computes
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{sk}_i=\bigl [d\,(H_1(\textsf{ID}_i)+d)^{-1}\bmod N\bigr ]P_1\in \mathbb {G}_1,$$\end{document}where \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$H_1\!:\{0,1\}^*\rightarrow \mathbb {Z}_N$$\end{document} is a cryptographic hash.
Signature generation
To sign a message M, the signer chooses \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$r\!\leftarrow _R\!\mathbb {Z}_N^*$$\end{document} and computes
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$w=g^{r},\quad h=H_2(M\Vert w),\quad l=r-h\bmod N,\quad S=[l]\textsf{sk}_i,$$\end{document}with \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$g=e(P_1,P_{\text {pub-s}})\in \mathbb {G}_T$$\end{document} . The signature is \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\sigma =(h,S)$$\end{document} .
Signature verification
Given \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(M,\sigma =(h,S))$$\end{document} , the verifier computes
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$P=[H_1(\textsf{ID}_i)]P_2+P_{\text {pub-s}},\quad u=e(S,P),\quad w'=u\cdot g^{h},$$\end{document}and accepts if and only if \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$h=H_2(M\Vert w')$$\end{document} .
Under the q-BDHI assumption, SM9 signatures are existentially unforgeable against adaptive chosen-message attacks in the random oracle model.
Methods
System overview
We consider three distinct entities:
- Attribute Authorities (AAs): Trust domains within zero trust networks (such as HR domain, health domain, and finance domain). After collectively generating common parameters, they can independently issue attribute private keys to signers.
- Signers: The end-user who possesses a set of attributes and generates ABS. These signatures are created according to the access control structure specified by the verifier.
- Verifiers: In a zero trust network, the verifier is typically a zero trust gateway or policy engine. Based on actual circumstances, the verifier generates the corresponding access structure and verifies the ABS produced by the signer in accordance with this structure. Figure 1 illustrates the system workflow.Figure 1. System model.
Formal definition
The scheme consists of four polynomial-time algorithms:
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{Setup}(1^\lambda )\rightarrow (\textsf{params},\textsf{mpk})$$\end{document} :A probabilistic algorithm executed jointly by all AAs on input security parameter \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\lambda$$\end{document} to output public parameters \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{params}$$\end{document} and a master public key \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{mpk}$$\end{document} .
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{KeyGen}(\textsf{params},\textsf{mpk},\textsf{ID}_i,\mathscr {A}_{i,j})\rightarrow \textsf{sk}_{i,j}$$\end{document} :A deterministic algorithm run by a single AA to generate an attribute private key \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{sk}_{i,j}$$\end{document} for identity \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{ID}_i$$\end{document} and attribute \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}_{i,j}$$\end{document} .
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{AttrRingSign}(\textsf{params},M,\mathscr {U},\mathscr {A}_\textsf{c},\pi )\rightarrow \sigma$$\end{document} :A probabilistic algorithm executed by the signer \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\pi \in \mathscr {U}$$\end{document} on message M, user set \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {U}=\{\textsf{ID}_1,\dots ,\textsf{ID}_n\}$$\end{document} , and policy \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}_\textsf{c}$$\end{document} to produce an attribute ring signature \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\sigma$$\end{document} .
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{AttrRingVerify}(M,\mathscr {U},\mathscr {A}_\textsf{c},\sigma )\rightarrow \{\texttt{accept},\texttt{reject}\}$$\end{document} :A deterministic algorithm that outputs \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\texttt{accept}$$\end{document} if \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\sigma$$\end{document} is valid and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\texttt{reject}$$\end{document} otherwise.
Correctness
For any honestly generated parameters, keys and signatures,
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\Pr \!\bigl [\textsf{AttrRingVerify}(M,\mathscr {U},\mathscr {A}_\textsf{c},\sigma )=\texttt{accept}\bigr ]=1.$$\end{document}Security model
We formalise two standard security properties: unforgeability and anonymity.
Existential unforgeability under adaptive chosen-message, identity and attribute attacks (EUF-CMAIA)
The EUF-CMAIA game between an adversary \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}$$\end{document} and a challenger \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {C}$$\end{document} proceeds as follows:
- Initialisation. \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {C}$$\end{document} runs \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{Setup}(1^\lambda )$$\end{document} , gives \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{params}$$\end{document} to \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}$$\end{document} .
- Queries. \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}$$\end{document} adaptively issues:
- Key queries: \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(\textsf{ID}_i,\mathscr {A}_{i,j})$$\end{document} ; \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {C}$$\end{document} returns \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{sk}_{i,j}$$\end{document} .
- Signing queries: \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(M,\mathscr {U}',\mathscr {A}_\textsf{c}')$$\end{document} ; \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {C}$$\end{document} returns a signature \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\sigma$$\end{document} .
- Forgery. \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}$$\end{document} outputs \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(M^*,\mathscr {U}^*,\mathscr {A}_\textsf{c}^*,\sigma ^*)$$\end{document} such that
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\sigma ^*$$\end{document} is valid;
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}$$\end{document} has not queried any key for an identity in \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {U}^*$$\end{document} nor any signing query for \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(M^*,\mathscr {U}^*,\mathscr {A}_\textsf{c}^*)$$\end{document} . The advantage of \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}$$\end{document} is defined as
The scheme is EUF-CMAIA secure if for every PPT adversary \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}$$\end{document} the advantage is negligible in \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\lambda$$\end{document} .
Full anonymity
Full anonymity requires that neither the signer’s identity nor the subset of attributes used can be linked. The anonymity game is defined between \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}$$\end{document} and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {C}$$\end{document} :
- Initialisation. Same as above.
- Queries. \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}$$\end{document} may issue key and signing queries adaptively.
- Challenge. \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}$$\end{document} provides a challenge user set \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {U}^*$$\end{document} , policy \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}_\textsf{c}^*$$\end{document} , message \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$M^*$$\end{document} , and two identities \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{ID}_{\pi _0},\textsf{ID}_{\pi _1}$$\end{document} together with the required attributes. \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {C}$$\end{document} flips a bit \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$b\!\leftarrow _R\!\{0,1\}$$\end{document} and returns the signature produced by \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{ID}_{\pi _b}$$\end{document} .
- Guess. \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}$$\end{document} outputs a bit \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$b'$$\end{document} . It wins if \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$b'=b$$\end{document} . The advantage is
The scheme satisfies full anonymity if \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textbf{Adv}_{\mathscr {A}}^{\text {anon}}(\lambda )$$\end{document} is negligible for all PPT adversaries.
Scheme construction
We now present the complete specification of our SM9-based multi-authority anonymous attribute ring signature that supports dynamic attribute composition. All algorithms inherit the pairing groups \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e)$$\end{document} defined by the SM9 curve.
System establishment—\documentclass[12pt]{minimal}
\usepackage{amsmath}
\usepackage{wasysym}
\usepackage{amsfonts}
\usepackage{amssymb}
\usepackage{amsbsy}
\usepackage{mathrsfs}
\usepackage{upgreek}
\setlength{\oddsidemargin}{-69pt}
\begin{document}$$\textsf{Setup}(1^{\lambda })$$\end{document}
All attribute authorities cooperatively execute the following steps:
- Select the public SM9 parameters \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(p,N,P_1,P_2,e)$$\end{document} as described in Section 2.3.
- Each authority j chooses an attribute-specific secret \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$e_j\xleftarrow {\scriptscriptstyle R}\mathbb {Z}_N^*$$\end{document} for every attribute \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}_j$$\end{document} under its control and publishes the corresponding attribute public key
- The master secret key is implicitly \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{msk}=d\xleftarrow {\scriptscriptstyle R}\mathbb {Z}_N^*$$\end{document} ; the master public key is
- Output
Attribute private-key generation—\documentclass[12pt]{minimal}
\usepackage{amsmath}
\usepackage{wasysym}
\usepackage{amsfonts}
\usepackage{amssymb}
\usepackage{amsbsy}
\usepackage{mathrsfs}
\usepackage{upgreek}
\setlength{\oddsidemargin}{-69pt}
\begin{document}$$\textsf{KeyGen}(\textsf{params},\textsf{ID}_i,\mathscr {A}_{i,j})$$\end{document}
Given an identity \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{ID}_i$$\end{document} and an attribute \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}_{i,j}$$\end{document} , the responsible authority computes
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{sk}_{i,j}= \frac{e_j}{d+H_1(\textsf{ID}_i\Vert \texttt{hid})} \; P_1\ \in \mathbb {G}_1,$$\end{document}where \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$H_1:\{0,1\}^*\rightarrow \mathbb {Z}_N$$\end{document} and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\texttt{hid}$$\end{document} is a public identity-encoding string. The user stores the set \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\{\textsf{sk}_{i,j}\}$$\end{document} locally.
Attribute ring signature generation—\documentclass[12pt]{minimal}
\usepackage{amsmath}
\usepackage{wasysym}
\usepackage{amsfonts}
\usepackage{amssymb}
\usepackage{amsbsy}
\usepackage{mathrsfs}
\usepackage{upgreek}
\setlength{\oddsidemargin}{-69pt}
\begin{document}$$\textsf{AttrRingSign}(\textsf{params},M,\mathscr {U},\mathscr {A}_\textsf{c},\pi )$$\end{document}
Let \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {U}=\{\textsf{ID}_1,\dots ,\textsf{ID}_n\}$$\end{document} denote the user ring and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}_\textsf{c}=\{\mathscr {A}_1,\dots ,\mathscr {A}_k\}$$\end{document} the verifier-specified access policy (attribute conjunction). The signer \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\pi \in \mathscr {U}$$\end{document} proceeds as follows:
- Eligibility check. If the attributes held by \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\pi$$\end{document} do not satisfy \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}_\textsf{c}$$\end{document} , abort.
- Aggregate attribute public keys. Compute
and set \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{Amp}=\{g_1,\dots ,g_k\}$$\end{document} .
- Aggregate private key. Let
and compute
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$g_\alpha =e(\textsf{sk}_\pi ,P_2),\qquad g_\beta =e(\textsf{sk}_\pi ,P_{\text {pub-s}}).$$\end{document}- Commit. Pick random \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$r,r_0\xleftarrow {\scriptscriptstyle R}\mathbb {Z}_N^*$$\end{document} and set
- Hash chain. Compute
- Ring loop. For \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$i=\pi ,\pi +1,\dots ,n,1,\dots ,\pi -1$$\end{document} (indices modulo n) and for \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$j=\xi +1,\xi +2,\dots ,k,1,\dots ,\xi$$\end{document} (indices modulo k):
- i.If \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$j>k$$\end{document} set \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$j=1$$\end{document} and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$h_{i+1}^1=h_i^{k+1}$$\end{document} ; if \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$i>n$$\end{document} set \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$i=1$$\end{document} and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$h_1^1=h_{n+1}^1$$\end{document} .
- ii. \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$v_i=H_1(\textsf{ID}_i\Vert \texttt{hid})$$\end{document} .
- iii. \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\gamma _{i,j}\xleftarrow {\scriptscriptstyle R}\mathbb {Z}_N^*$$\end{document} .
- iv. \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$w_{i,j+1}=(g_\alpha ^{v_i}g_\beta )^{\gamma _{i,j}}\,g_j^{h_{i,j}}$$\end{document} , \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$h_{i,j+1}=H_2\!\bigl (\mathscr {U}\Vert \mathscr {A}_\textsf{c}\Vert M\Vert w_{i,j+1}\bigr )$$\end{document} , \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$r_{i,j}=\gamma _{i,j}\,r$$\end{document} .
- v.If \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(i,j)=(\pi ,\xi )$$\end{document} set \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$r_{\pi ,\xi }=(r_0-h_{\pi ,\xi })\,r$$\end{document} and exit both loops.
- Final response. Compute
- Output. The signature is
Signature verification—\documentclass[12pt]{minimal}
\usepackage{amsmath}
\usepackage{wasysym}
\usepackage{amsfonts}
\usepackage{amssymb}
\usepackage{amsbsy}
\usepackage{mathrsfs}
\usepackage{upgreek}
\setlength{\oddsidemargin}{-69pt}
\begin{document}$$\textsf{AttrRingVerify}(M,\mathscr {U},\mathscr {A}_\textsf{c},\sigma )$$\end{document}
Upon receiving \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\sigma '=(h_1^{\prime 1},\,S',\,\{r_{i,j}'\})$$\end{document} the verifier proceeds as follows:
- Pre-compute \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$g_\ell =e\!\bigl (P_1,\sum _{\mathscr {A}_\ell \in \mathscr {A}_\textsf{c}}P_{\text {pub-}e_\ell }\bigr )$$\end{document} for \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\ell =1,\dots ,k$$\end{document} .
- Check formats. Abort if \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$h_1^{\prime 1}\notin \mathbb {Z}_N^*$$\end{document} , any \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$r_{i,j}'\notin \mathbb {Z}_N^*$$\end{document} or \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$S'\notin \mathbb {G}_1$$\end{document} .
- Re-compute chaining values. Let
For \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$i=1,\dots ,n$$\end{document} and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$j=1,\dots ,k$$\end{document} compute
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$v_i=H_1(\textsf{ID}_i\Vert \texttt{hid}),\qquad w_{i,j+1}'=(g_\alpha ')^{v_i r_{i,j}'}\,(g_\beta ')^{r_{i,j}'}\,g_j^{h_{i,j}'},\qquad h_{i,j+1}'=H_2\!\bigl (\mathscr {U}\Vert \mathscr {A}_\textsf{c}\Vert M\Vert w_{i,j+1}'\bigr ).$$\end{document}- Accept if and only if \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$h_1^{\prime 1}=h_{n,k+1}'$$\end{document} .
Correctness
Let \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\sigma '$$\end{document} be an honestly generated and un-tampered signature. Then
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$h_1^{\prime 1}=h_1^1,\quad M'=M,\quad S'=S,\quad r_{i,j}'=r_{i,j}\ \forall i,j.$$\end{document}The correctness follows from the algebraic derivation presented in the original manuscript, which we reproduce verbatim for completeness.
Case 1: For \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$1\le i<\pi$$\end{document} or ( \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$i=\pi$$\end{document} and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$1\le j<\xi$$\end{document} )
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\begin{aligned} w_{i,j+1}&=e\!\bigl ([r^{-1}]\textsf{sk}_\pi ,P_2\bigr )^{\gamma _{i,j}rv_i}\, e\!\bigl ([r^{-1}]\textsf{sk}_\pi ,P_{\text {pub-s}}\bigr )^{\gamma _{i,j}r}\, e\!\Bigl (P_1,\sum P_{\text {pub-}e_j}\Bigr )^{h_{i,j}} \\&=(g_\alpha ')^{v_i r_{i,j}'}\,(g_\beta ')^{r_{i,j}'}\,g_j^{h_{i,j}'} =w_{i,j+1}'. \end{aligned}$$\end{document}Case 2: For \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$i=\pi$$\end{document} and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$j=\xi$$\end{document}
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\begin{aligned} w_{\pi ,\xi +1}'&=e\!\bigl (S',P_2\bigr )^{(r_0-h_{\pi ,\xi })rv_\pi }\, e\!\bigl (S',P_{\text {pub-s}}\bigr )^{(r_0-h_{\pi ,\xi })r}\, e\!\Bigl (P_1,\sum P_{\text {pub-}e_\xi }\Bigr )^{h_{\pi ,\xi }} \\&=e\!\bigl ((r_0-h_{\pi ,\xi })\textsf{sk}_\pi ,v_\pi P_2\bigr )\, e\!\bigl ((r_0-h_{\pi ,\xi })\textsf{sk}_\pi ,P_{\text {pub-s}}\bigr )\, e\!\Bigl (P_1,\sum P_{\text {pub-}e_\xi }\Bigr )^{h_{\pi ,\xi }} \\&=e\!\bigl ((r_0-h_{\pi ,\xi })e_\xi P_1,P_2\bigr )\, e\!\bigl (h_{\pi ,\xi }e_\xi P_1,P_2\bigr ) \\&=e\!\bigl (r_0 e_\xi P_1,P_2\bigr )=g_\xi ^{r_0}=w_{\pi ,\xi +1}. \end{aligned}$$\end{document}Case 3: For \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(i=\pi ,\,\xi <j\le k)$$\end{document} or \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(\pi <i\le n)$$\end{document} , the same algebraic chain ensures \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$h_{i,j+1}'=h_{i,j+1}$$\end{document} . Since \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$h_1^1=h_{n,k+1}$$\end{document} holds, the verification algorithm always returns \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\texttt{accept}$$\end{document} .
Security analysis
We provide formal proofs that the proposed attribute ring signature satisfies existential unforgeability (EUF-CMIAA) and full anonymity under the q-SDH assumption in the random oracle model. All equations and derivations are kept exactly as in the original manuscript, only refined for clarity and English readability.
Unforgeability
Theorem 1
Under the random oracle model, if the q-Strong Diffie–Hellman (q-SDH) problem is hard, the proposed attribute ring signature achieves existential unforgeability against adaptive chosen-message, identity and attribute attacks (EUF-CMIAA).
Proof
Assume there exists a probabilistic polynomial-time (PPT) adversary \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}$$\end{document} that wins the EUF-CMIAA game with non-negligible advantage \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\varepsilon$$\end{document} . We construct a simulator \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {S}$$\end{document} that, given a q-SDH instance
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\bigl (P,\,Q,\,[\alpha ]Q,\,[\alpha ^{2}]Q,\dots ,[\alpha ^{q}]Q\bigr ),$$\end{document}uses \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}$$\end{document} to output a valid q-SDH solution \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(c,[\tfrac{1}{c+\alpha }]P)$$\end{document} .
Initialisation. \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {S}$$\end{document} fixes
- a maximum identity universe \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {U}_\theta =\{\textsf{ID}_1,\dots ,\textsf{ID}_\theta \}$$\end{document} ,
- a challenge identity set \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {U}^*=\{\textsf{ID}^*_1,\dots ,\textsf{ID}^*_n\}$$\end{document} ,
- a maximum attribute universe \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}_\rho =\{\mathscr {A}_1,\dots ,\mathscr {A}_\rho \}$$\end{document} ,
- a challenge attribute set \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}^*=\{\mathscr {A}^*_1,\dots ,\mathscr {A}^*_k\}$$\end{document} . \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {S}$$\end{document} chooses \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$q-1$$\end{document} distinct values \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$v_1,\dots ,v_{q-1}\xleftarrow {\scriptscriptstyle R}\mathbb {Z}_N^*$$\end{document} and sets
It then computes
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$P_2=[f(\alpha )]Q,\qquad P_1=\psi \!\bigl ([f(\alpha )]Q\bigr ),\qquad P_{\text {pub-s}}=\sum _{i=0}^{q-1}c_i[\alpha ^{i+1}]Q.$$\end{document}All public parameters are thus simulated from the q-SDH instance.
Oracle Simulation. \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {S}$$\end{document} maintains two initially empty lists \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {L}_1,\mathscr {L}_2$$\end{document} for \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$H_1$$\end{document} and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$H_2$$\end{document} .
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$H_1$$\end{document} queries. On input \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{ID}_i$$\end{document} :
- If \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{ID}_i\in \mathscr {U}^*$$\end{document} , \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {S}$$\end{document} picks \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$x_i\xleftarrow {\scriptscriptstyle R}\mathbb {Z}_N^*$$\end{document} and records \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(\textsf{ID}_i,x_i)$$\end{document} .
- Otherwise, \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {S}$$\end{document} assigns the smallest unused \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$v_l$$\end{document} to \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$x_i$$\end{document} , increments l, and records \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(\textsf{ID}_i,x_i)$$\end{document} .
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$H_2$$\end{document} queries. On input \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(\mathscr {U},\mathscr {A}_\textsf{c},M,w)$$\end{document} , \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {S}$$\end{document} returns a fresh random value and stores the tuple.
- Key queries. On \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(\textsf{ID}_i,\mathscr {A}_j)$$\end{document} :
- If \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{ID}_i\notin \mathscr {U}^*$$\end{document} , \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {S}$$\end{document} aborts.
- Otherwise, \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {S}$$\end{document} retrieves \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$x_i$$\end{document} and computes
via polynomial interpolation, which is possible because f(x) is known.
- Signing queries. For queries \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(\mathscr {U}',\mathscr {A}_\textsf{c}',M)$$\end{document} with \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {U}'\cap \mathscr {U}^*=\varnothing$$\end{document} and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {A}_\textsf{c}'\cap \mathscr {A}^*=\varnothing$$\end{document} , \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {S}$$\end{document} simulates a signature by choosing random \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$S\in \mathbb {G}_1$$\end{document} and random \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\{r_{i,j}\}$$\end{document} and programming the random oracle accordingly.
- Forgery and Extraction. By the Forking Lemma, \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathscr {S}$$\end{document} can obtain two valid signatures
on the same \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(\mathscr {U}^*,\mathscr {A}^*,M^*)$$\end{document} such that \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$h_{\pi ,\xi }^{(1)}\ne h_{\pi ,\xi }^{(2)}$$\end{document} and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$r_{\pi ,\xi }^{(1)}\ne r_{\pi ,\xi }^{(2)}$$\end{document} . Solving the resulting linear equation yields
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(v_\pi ,W)=\Bigl (v_\pi ,\tfrac{1}{d}\Bigl (\tfrac{1}{e_\xi }\tfrac{r_{\pi ,\xi }^{(1)}-r_{\pi ,\xi }^{(2)}}{h_{\pi ,\xi }^{(2)}-h_{\pi ,\xi }^{(1)}}S^*-F(\alpha )P\Bigr )\Bigr ),$$\end{document}which satisfies
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$W=\frac{1}{\alpha +v_\pi }P.$$\end{document}Hence \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(v_\pi ,W)$$\end{document} is a valid q-SDH solution. The success probability is
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\frac{(\theta -n)\varepsilon }{n k}\cdot \frac{\varepsilon }{2 q_H}-\frac{q_S}{N},$$\end{document}which is non-negligible whenever \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\varepsilon$$\end{document} is non-negligible. \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\square$$\end{document}
Anonymity
Theorem 2
If the random values used in \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\textsf{AttrRingSign}$$\end{document} are uniformly distributed, the scheme achieves full anonymity: an adversary cannot distinguish the signer’s identity or the subset of attributes actually used beyond the required policy.
Proof
Let \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\sigma =(h_1^1,S,r_{1,1},\dots ,r_{k,n})$$\end{document} be a signature generated by user \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\pi _1$$\end{document} holding attributes \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\Sigma \mathscr {A}_{\xi _1}\subseteq \mathscr {A}_\textsf{c}$$\end{document} . We show that \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\sigma$$\end{document} can be identically simulated by any other user \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\pi _2\in \mathscr {U}$$\end{document} holding \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\Sigma \mathscr {A}_{\xi _2}\subseteq \mathscr {A}_\textsf{c}$$\end{document} .
Observe that
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$S=\frac{\sum e_{\xi _1}}{r(d+v_{\pi _1})}P_1=\frac{\sum e_{\xi _2}}{r'(d+v_{\pi _2})}P_1,$$\end{document}where
\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$r'=r\cdot \frac{d+v_{\pi _2}}{d+v_{\pi _1}}\cdot \frac{\sum e_{\xi _1}}{\sum e_{\xi _2}}.$$\end{document}Since r and all intermediate random values \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\{r_{i,j}\}$$\end{document} are chosen uniformly and independently, the joint distribution of \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(h_1^1,S,\{r_{i,j}\})$$\end{document} is identical regardless of which \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\pi \in \mathscr {U}$$\end{document} is chosen. Consequently, any polynomial-time adversary has negligible advantage in distinguishing the real signer or the exact attributes used. \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\square$$\end{document}
Performance evaluation
We provide a comprehensive assessment of both theoretical complexity and empirical performance. All benchmarks are conducted on a Windows 10 workstation equipped with an AMD Ryzen 5 4600H (3.0 GHz, 6 cores, 16 GB RAM). The implementation is written in Python 3.10 on top of the open-source hggm library ^43^.
Analytical comparison
Table 2 summarises the dominant cryptographic operations for each phase, where
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$T_{\text {sm}_1}$$\end{document} : scalar multiplication in \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {G}_1$$\end{document} ,
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$T_{\text {sm}_2}$$\end{document} : scalar multiplication in \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {G}_2$$\end{document} ,
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$T_{\text {sm}_3}$$\end{document} : scalar multiplication in \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {G}_T$$\end{document} ,
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$T_{\text {bp}}$$\end{document} : bilinear pairing,
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$T_{\text {e}}$$\end{document} : exponentiation in \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {G}_T$$\end{document} ,
- \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$T_{\text {htp}}$$\end{document} : hash-to-point on the elliptic curve. Table 2. Asymptotic complexity comparison.SchemeKeyGenSignVerifyChow et al.^40^ \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$T_{\text {htp}}$$\end{document} \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$nT_{\text {htp}}+2nT_{\text {sm}_2}$$\end{document} \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$nT_{\text {sm}_2}+2T_{\text {bp}}$$\end{document} Peng et al.^41^ \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$T_{\text {sm}_1}$$\end{document} \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(n+1)T_{\text {sm}_1}+(n-1)T_{\text {sm}_2}+(n-1)T_{\text {e}}+nT_{\text {bp}}$$\end{document} \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$nT_{\text {sm}_2}+nT_{\text {e}}+nT_{\text {bp}}+nT_{\text {sm}_3}$$\end{document} Xie et al.^42^ \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$T_{\text {sm}_1}$$\end{document} \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$T_{\text {sm}_1}+(3n-2)T_{\text {e}}+2nT_{\text {sm}_3}$$\end{document} \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$3nT_{\text {e}}+2T_{\text {bp}}+2nT_{\text {sm}_3}$$\end{document} Our scheme \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$T_{\text {sm}_1}$$\end{document} \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$T_{\text {sm}_1}+(2n-1)T_{\text {e}}+nT_{\text {sm}_3}$$\end{document} \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$3nT_{\text {e}}+2T_{\text {bp}}+2nT_{\text {sm}_3}$$\end{document}
To evaluate the proposed scheme against the most current standards, we compare our method with Peng et al.^41^, which represents the typical SM9 construction, and Xie et al.^42^, a recently published (2025) state-of-the-art optimization for SM9 ring signatures. As shown in Table 2, compared with the latest SOTA^42^, our proposed scheme eliminates one fixed-base exponentiation in \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {G}_T$$\end{document} and reduces \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {G}_T$$\end{document} scalar multiplications by approximately 30%.
Experimental results
Setup and methodology
We instantiate the proposed scheme, Peng et al.^41^, and Xie et al.^42^ in Python using the hggm library ^43^. Each measurement is the mean of 50 independent executions.
Latency measurements
Table 3 reports the average running time (ms) for ring sizes \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$n\in \{4,16,64,256,1024\}$$\end{document} .The results substantiate the theoretical efficiency gains derived in the previous section.Table 3. Measured running time (ms).SchemePhase416642561024Peng et al.^41^Sign109.46413.081680.766720.6927318.90Xie et al.^42^Sign46.17188.98761.193034.1812391.90Our SchemeSign28.75122.75508.642037.948087.21Peng et al.^41^Verify114.07408.461641.076519.6926419.37Xie et al.^42^Verify196.82303.20874.673179.1012463.80Our SchemeVerify160.40332.13882.943151.3512264.77
Figure 2. Relative speed-up of the proposed scheme over Peng et al.^41^ and Xie et al.^42^.
Signature Generation (Client-Side Efficiency): As illustrated in Fig. 2, the signature generation time for all three schemes grows linearly with the ring size n. However, the growth rate (slope) of the proposed scheme is significantly lower than that of the baselines.
-
Comparison with Standard Scheme (Peng et al.^41^): Our scheme achieves a consistent speedup. At \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$n=1024$$\end{document} , our generation time is 8.08s compared to 27.31s, resulting in a speedup factor of approximately 3.43x.
-
Comparison with SOTA (Xie et al.^42^): Even against the most recent optimized scheme published in 2025, our approach maintains a clear advantage. Xie et al. requires 12.39s for \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$n=1024$$\end{document} , whereas our scheme requires only 8.08s, yielding a speedup of 1.53x. Underlying Cause of Improvement: This performance gap is directly attributable to the algebraic optimizations detailed in Table 2. Operations in the multiplicative group \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {G}_T$$\end{document} are significantly more expensive than those in the additive group \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {G}_1$$\end{document} . By eliminating one fixed-base exponentiation in \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {G}_T$$\end{document} and reducing the coefficient of \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {G}_T$$\end{document} scalar multiplications from 2n (in Xie et al.) to n (in our scheme), the computational burden increases much more slowly as the ring size expands. This makes the proposed scheme particularly suitable for resource-constrained devices (e.g., mobile phones or IoT sensors) in decentralized identity systems. versus the most recent optimized scheme by Xie et al.^42^ when \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$n=1024$$\end{document} .This confirms that our scheme outperforms both the standard implementation^41^ and the latest published optimization^42^.
Verification (Server-Side Efficiency): Regarding verification (Table 3 , bottom rows), our scheme performs comparably to the baselines. For \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$n=1024$$\end{document} , our verification time (12.26s) is almost identical to Xie et al. (12.46s).
This behavior is expected because verification in SM9-based ring signatures is dominated by bilinear pairing operations ( \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$T_{\text {bp}}$$\end{document} ) and the reconstruction of the pairing product chain, which are structurally similar across all valid constructions. In a Zero-Trust architecture, verification is typically performed by high-performance policy engines or gateways rather than end-users. Therefore, maintaining standard verification costs while significantly reducing client-side signing latency represents an optimal trade-off for real-world deployment.
Conclusion of Experiments: The empirical data confirms that while retaining the strong security properties of SM9, the proposed scheme successfully mitigates the “signature bloat” issue common in ring signatures. The scalability trends in Fig. 2 demonstrate that as the network size (ring size) increases, the efficiency advantage of our scheme becomes increasingly pronounced.
Discussion
The empirical speed-up is attributed to aggressive pre-computation of fixed-base exponentiations in \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {G}_T$$\end{document} and a reduced scalar multiplication count. Since signers are typically resource-constrained clients whereas verifiers are servers, the improvement in signing latency offers practical value. Future work will explore constant-size signatures independent of ring cardinality.
Conclusion
In this paper, we designed a multi-authority attribute ring signature scheme with the dynamic attribute composition and dual anonymity, which are very useful to satisfy important authentication needs for the zero trust networks based on DID systems. Under the framework of SM9 and with combination of the methods from ring signature and attribute-based crypto systems, it lets several authorities distribute attribute keys independently, and granters can sign for the their identity without leaking identity or attribute information to anyone and users can flexibly select the form of their attributes to meet verification rules of the verifiers.
We prove that our scheme is EUF-CMIAA and that it provides full anonymity of both signer and attribute with respect to a random oracle model. Empirical performance evaluations validate the computational cost reduction, and reveal a 30 percentage decrease in the number of \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb {G}_T$$\end{document} exponentiations and scalar multiplications during signing operation with respect to the state-of-the-art SM9-based ring signature scheme, which is tailored to the resource-limited clients participating in distributed and DID-based environments.
Nevertheless, the current construction inherits linear growth in signature size and verification time relative to the number of ring members and attributes. Future work will focus on designing a constant-size attribute ring signature that maintains security guarantees while eliminating scalability limitations. Incorporating these will make our approach more feasible to employ in the big scale zero-trust system where access control is dynamic, and data is distributed.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1Rosenberg, M., White, J., Garman, C. et al. zk-creds: Flexible anonymous credentials from zksnarks and existing identity infrastructure. In Proc. 2023 IEEE Symposium on Security and Privacy (SP) 790–808, 10.1109/SP 46215.2023.10179430 (2023).
- 2Yan, Z. et al. Blockchain-driven decentralized identity management: An interdisciplinary review and research agenda. Information Management, 104026. 10.1016/j.im.2024.104026 (2024).
- 3Ahmadi, S. Distributed identity for zero trust and segmented access control: A novel approach to securing network infrastructure. ar Xiv preprint ar Xiv:2501.09032, 10.48550/ar Xiv.2501.09032 (2025).
- 4Maji, H. K., Prabhakaran, M. & Rosulek, M. Attribute-based signatures. In Topics in Cryptology – CT-RSA 2011, vol. 6558 of Lecture Notes in Computer Science, 376–392, 10.1007/978-3-642-19074-2_24 (Springer, Berlin, Heidelberg, 2011).
- 5Toluee, R., Asaar, M. R. & Salmasizadeh, M. Attribute-based ring signatures: Security analysis and a new construction. In Proc. 10th International ISC Conference on Information Security and Cryptology (ISCISC), 1–6, 10.1109/ISCISC.2013.6767342 (IEEE, Piscataway, NJ, USA, 2013).
- 6Herranz, J., Laguillaumie, F., Libert, B. & Ràfols, C. Short attribute-based signatures for threshold predicates. In Topics in Cryptology – CT-RSA 2012, vol. 7178 of Lecture Notes in Computer Science, 51–67, 10.1007/978-3-642-27954-6_4 (Springer, Berlin, Heidelberg, 2012).
- 7Zhang, Y., Zhao, J., Zhu, Z. et al. Registered attribute-based signature. In Public-Key Cryptography – PKC 2024, vol. 14601 of Lecture Notes in Computer Science, 133–162, 10.1007/978-3-031-57718-5_5 (Springer, Cham, 2024).
- 8Guo, C., Lu, Y., Xia, N. et al. User-friendly and expressive forward-secure attribute-based signature with server-aided signature and outsourced verification. IEEE Trans. Knowl. Data Eng.. 10.1109/TKDE.2025.3554973 (2025). In press.
