Secure Outsourced Attribute-Based Signatures with Perfect Anonymity in the Standard Model

Outsourced attribute-based signatures (OABS) enable users to sign messages without revealing specific identity information and are suitable for scenarios with limited computing power. Recently, Mo et al. proposed an expressive outsourced attribute-based signature scheme (Peer-to-Peer Networking and Applications, 11, 2017). In this paper, we show that Mo et al.'s scheme does not achieve any of the three security properties. Their scheme is incorrect. The adversary can collude with the malicious signing-cloud service provider (S-CSP) to forge valid signatures on any message and any attribute set, and the S-CSP can trace the access structures used to generate the signatures. Then, we treat the S-CSP as an adversary and present more accurate unforgeability and anonymity models for OABS to remedy the drawbacks of the previous ones. Finally, we propose a simple but significant improvement to fix our attacks. The improved scheme achieves correctness, unforgeability, and perfect anonymity while keeping the efficiency almost unchanged. We also prove the security of the improved scheme in the standard model.


Introduction
Attribute-based cryptography is a powerful cryptographic primitive, enabling us to design various cryptosystems with fine-grained access control in a multiuser environment [1,2]. Attribute-based signature (ABS) is one of the leading research topics of attribute-based cryptography. ABS can provide fine-grained privacy protection for signers and finds applications in many fields, such as private access control, trust negotiations, and anonymous credentials [2,3]. ABS may also be applied to mobile authentication and two-factor/multifactor authentication in the future [4][5][6]. Since it was introduced, numerous ABS schemes for different access structures have been proposed one after another [7][8][9][10][11][12][13][14][15].
However, as the expressiveness of the access structure keeps growing, the computational overhead of ABS increases, which makes it challenging to execute on devices with limited computing power. Using the outsourcing technology of cloud computing, Chen et al. [16] introduced outsourced attribute-based signatures (OABS) to overcome this problem. In OABS, the signer can delegate most of his/her signing workload to a signing-cloud service provider (S-CSP). After receiving the semisignature from the S-CSP, the signer can generate the final signature with little computation. In this way, ABS can be used on resource-constrained devices.

Related Works.
While introducing OABS, Chen et al. [16] proposed two concrete OABS schemes. Their schemes are signature-policy OABS schemes with threshold access structures. Later, Mo et al. [17] proposed an OABS scheme and applied it to the medical cloud. Mo et al.'s scheme is a key-policy OABS scheme that supports a more expressive monotonic access structure. Sun et al. [18,19] introduced decentralization into OABS and proposed an outsourcing decentralized multiauthority attribute-based signature scheme. Their scheme is a signature-policy scheme for threshold access structures. In 2021, Huang et al. [20] proposed a new key-policy OABS scheme for circuits. Their scheme is a short signature scheme, and its final signature has only one group element.
Chen et al.'s OABS model assumes that the S-CSP is honest-but-curious, i.e., the S-CSP always runs the algorithm honestly and outputs the semisignatures correctly, but the S-CSP may try to forge signatures. As a remedy for the overly strong assumption of the S-CSP's honesty, Chen et al. [16] discussed the accountability of OABS, which provides an audit function for the S-CSP's honesty. Liu et al. [21] studied OABS under the concept of server-assisted anonymous attribute authentication, added the correctness verification of the semisignature to OABS, and defined outsourcing verifiability. After that, Ren and Jiang [22] formally introduced the concept of Verifiable Outsourced Attribute-Based Signatures (VOABS) with a concrete scheme supporting threshold access structures. Unfortunately, Uzunkol [23] presented two attacks on the verifiability of Ren et al.'s scheme. Moreover, one of the attacks enables the untrusted S-CSP to forge signatures.
In 2018, Cui et al. [24] introduced a new notion of Server-Aided Attribute-Based Signature (SA-ABS). SA-ABS outsources both the signing and the verification tasks to cloud service providers, while OABS only outsources signing tasks. This is the main difference between the two. Cui et al. also proposed a signature-policy SA-ABS scheme for threshold access structures. But Hu et al. [25] pointed out that Cui et al.'s scheme [24] was forgeable and then proposed a new SA-ABS scheme for monotonic access structures.
Wang et al. studied the other side of ABS outsourcing and introduced Attribute-Based Server-Aided Verification Signature (ABSAVS) [26]. In ABSAVS, the verifier outsources the verification workload to the server, but the signing workload is not outsourced. Wang et al. also proposed an ABSAVS scheme for threshold access structures. Recently, Chen et al. proposed a new ABSAVS scheme for tree access structures [27].
Previous schemes are summarized and compared in Table 1.

Contributions.
The main contributions of this paper are as follows:
(i) We analyze the security of Mo et al.'s EOABS scheme [17] and show that it does not achieve any of the three security properties. The scheme is incorrect. The adversary can collude with the malicious S-CSP to forge valid signatures on any message and any attribute set. The S-CSP can trace the access structures used to generate the signatures.
(ii) We present more accurate security models for OABS. The main drawback of the previous security models is that the S-CSP's attacks are not considered, and our security models make up for it.
(iii) We propose a simple but significant improvement to fix our attacks. The improved scheme achieves correctness, unforgeability, and perfect anonymity while keeping the efficiency almost unchanged. We also prove its security in the standard model.

Organization. The rest of this paper is organized as follows. Section 2 presents preliminaries. Section 3 reviews Mo et al.'s EOABS scheme and analyzes its security. Section 4 presents a new definition and new security models for OABS. Section 5 proposes an improvement to fix our attacks, with security proofs and performance analysis. Section 6 concludes this paper.

Preliminaries
Let a ∈_R A denote sampling a uniformly at random from A.

Bilinear Map.
Let G and G_T be multiplicative cyclic groups of prime order p. Let e: G × G → G_T be a map satisfying the following properties: (iii) For all g_1, g_2 ∈ G, e(g_1, g_2) can be computed efficiently.

Linear Secret Sharing Scheme.
Let P = {p_1, p_2, ..., p_n} be a party set; a collection A of nonempty subsets of P is called an access structure. A set in A is an authorized set, and a set not in A is an unauthorized set. An access structure A ⊆ 2^P is monotone if B ∈ A and B ⊆ C implies C ∈ A for all B, C.
A linear secret sharing scheme (LSSS) for a monotone access structure A over Z_p is a matrix M of size l × k together with a function π(i) that labels the i-th row of M with an attribute, and it satisfies the following properties:
(i) For any authorized set A ∈ A, there are constants {w_i ∈ Z_p}_{i∈I} such that Σ_{i∈I} w_i M_i = (1, 0, ..., 0), where I = {i : π(i) ∈ A} and M_i is the i-th row of the matrix M.
(ii) For any unauthorized set B ∉ A, there are no constants {w_i ∈ Z_p}_{i∈I} such that Σ_{i∈I} w_i M_i = (1, 0, ..., 0), where I = {i : π(i) ∈ B}.
The distribution and reconstruction algorithms of an LSSS are as follows:
(i) Distribution: it takes as inputs a matrix M of size l × k with a function π(·) and a secret s ∈ Z_p to be shared. It chooses r_2, r_3, ..., r_k ∈_R Z_p, sets v = (s, r_2, r_3, ..., r_k) ∈ Z_p^k, and computes the share set
(ii) Reconstruction: it takes as inputs a matrix M of size l × k with a function π(·) and an authorized set A ∈ A with its share set {λ_i}_{i∈I}. It finds constants {w_i ∈ Z_p}_{i∈I} such that Σ_{i∈I} w_i M_i = (1, 0, ..., 0) and then reconstructs the secret s = Σ_{i∈I} w_i λ_i.
Lemma 1 (see [29]). Suppose that A is a monotone access structure with matrix M of size l × k. For any unauthorized set
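As an added illustration of the LSSS distribution and reconstruction above and of the Lemma 1 witness vector w = (−1, w_2, ..., w_k) used later in the unforgeability simulation (example code written for this page, not from the paper or from [29]): it assumes the standard LSSS share λ_i = M_i · v, uses a constructed policy (a1 AND a2) OR a3 over a toy prime p = 101, and solves for the reconstruction constants by Gaussian elimination mod p.

```python
# Added example (not from the paper): LSSS distribution / reconstruction over Z_p,
# plus the Lemma 1 witness vector used in the unforgeability simulation.
import random

P = 101                                   # toy prime, illustration only
# Constructed policy (a1 AND a2) OR a3 as an LSSS matrix M (l x k) with row labels pi
M = [[1, 1], [0, -1], [1, 0]]
PI = ["a1", "a2", "a3"]


def solve_mod_p(rows, target, p):
    """Return w with sum_i w_i*rows[i] == target (mod p), or None if impossible.
    Gaussian elimination on the transposed system (one equation per column)."""
    n, k = len(rows), len(target)
    A = [[rows[i][j] % p for i in range(n)] + [target[j] % p] for j in range(k)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, k) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, p)
        A[r] = [x * inv % p for x in A[r]]
        for i in range(k):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(x - f * y) % p for x, y in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
    if any(A[i][n] for i in range(r, k)):   # a row 0 = nonzero: no solution
        return None
    w = [0] * n                             # free unknowns set to 0
    for i, c in enumerate(pivots):
        w[c] = A[i][n]
    return w


def distribute(M, s, p):
    """Distribution: v = (s, r_2, ..., r_k), share lambda_i = M_i . v (standard LSSS share)."""
    v = [s] + [random.randrange(p) for _ in range(len(M[0]) - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]


def reconstruct(M, pi, shares, A, p):
    """Reconstruction: find w with sum w_i M_i = (1,0,...,0) over I = {i : pi(i) in A}."""
    I = [i for i in range(len(M)) if pi[i] in A]
    w = solve_mod_p([M[i] for i in I], [1] + [0] * (len(M[0]) - 1), p) if I else None
    if w is None:
        return None                         # unauthorized set: no such constants (property ii)
    return sum(wi * shares[i] for wi, i in zip(w, I)) % p


def unauthorized_witness(M, pi, B, p):
    """Lemma 1: for unauthorized B, a vector w = (-1, w_2, ..., w_k) with M_i . w = 0 for pi(i) in B."""
    I = [i for i in range(len(M)) if pi[i] in B]
    cols = [[M[i][j] for i in I] for j in range(1, len(M[0]))]
    u = solve_mod_p(cols, [M[i][0] for i in I], p)   # sum_j M_ij u_j = M_i0 for all i in I
    return None if u is None else [p - 1] + u        # p - 1 is -1 mod p
```

Authorized sets {a1, a2} and {a3} recover s; {a1} and {a2} alone yield no constants, and for those sets the witness vector is orthogonal to every labelled row, exactly what the simulator in the unforgeability proof needs.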

Review of Mo et al.'s EOABS Scheme.
In this section, we review the EOABS scheme proposed by Mo et al. [17]. It comprises five algorithms and involves four entities: the attribute authority (AA), the S-CSP, the signer, and the verifier.
(i) Setup: Suppose U is the attribute universe, δ is the default attribute, and m is the maximal length of the message. The AA chooses two cyclic groups G and G_T of prime order p with a bilinear map e. The system public parameters: the master secret key:
(ii) KeyGen: it takes as inputs the master secret key MSK and an access structure A with its matrix M of size l × k. It chooses r_δ ∈_R Z_p and then computes (4). The outsourced key: The signer's signing key:
(iii) OutSign: it takes as inputs an attribute set A and an outsourced key OSK_A.
(iv) Sign: it takes as inputs PSK_A, σ_out, and M = m_1 m_2 ··· m_m ∈ {0, 1}^m; the signer selects s_δ ∈_R Z_p and computes
(v) Verify: it takes as inputs (PP, σ, M), and the verifier checks whether the verification equation holds; it outputs 1 if it holds and 0 otherwise.

Attacks on Mo et al.'s EOABS Scheme.
Mo et al.'s EOABS scheme [17] does not achieve any of the three security properties, although it was proven secure under their security models.
= g^{r_δ + s_δ} · g^{r + Σ_{i∈I} r_i w_i}, so we have
The attack above is executable for the following reasons: (i) The signing key PSK_A is related only to the master secret key b and the default attribute δ, not to the access structure A. (ii) A ∈ A′, so the outsourced signature σ_out for A can be generated correctly using OSK_{A′}.
Obviously, the output of adversary B above is a valid signature on the message M and the attribute set A, even though the attribute set A does not satisfy B's access structure A. The attack above is practicable for the following reasons: (i) The S-CSP needs to know the access structure A when using OSK_A to generate outsourced signatures, so it can maintain the list L correctly. (ii) Since σ_3 = σ_3′, the S-CSP can correctly link the final signature σ to the outsourced signature σ_out.

Outsourced Attribute-Based Signature
The attacks above show that the security models in [17] do not match the actual outsourced setting. Their models are similar to the nonoutsourced models [2,30]. We present more accurate security models in this section.

Definition. An outsourced attribute-based signature (OABS) scheme is composed of the following algorithms.
It takes the public parameters pp, the master key msk, and an access structure A with a flag f_u as inputs and returns the outsourced key OSK_{A,f_u} and the private signing key PSK_{A,f_u}.
(iii) Sign_out(pp, OSK_{A,f_u}, A) → σ_out. The outsourced signing algorithm takes the public parameters pp, an outsourced key OSK_{A,f_u}, and an attribute set A ∈ A as inputs and returns an outsourced signature σ_out.

Note: The flag f_u introduced above is just an identifier used to match the outsourced key and the private signing key correctly. It does not take part in any operation and does not affect efficiency or security.

Security.
In this subsection, we present enhanced formal security models for OABS.

Definition 1 (correctness). An OABS scheme is correct if
Pr[ Verify(pp, σ, M, A) = 1 : (pp, msk) ← Setup(1^λ) ]
for any message M, any access structure A, and any attribute set A such that A ∈ A.

Unforgeability.
A trivial requirement for unforgeability is that the adversary must not possess the key required for signing, because anyone who has the signing key can run the signing algorithm to generate a valid signature. In the outsourced-signature scenario, all outsourced keys are sent to the S-CSP, and the S-CSP is not necessarily trusted. Therefore, it should be assumed that the adversary may hold all the outsourced keys, and he is only restricted from possessing the required private signing key. To this end, we need to provide separate oracles for the outsourced key and the private signing key. In addition, since the adversary is permitted to obtain all outsourced keys and can generate outsourced signatures by himself, he need not make any outsourced signing oracle query. The unforgeability model of Mo et al. [17] does not reflect the above requirements and is therefore inaccurate. We present a more accurate unforgeability model in the following.
There are two main differences between our model and Mo et al.'s model. First, our model provides the adversary with two oracles, OSK-Oracle and SK-Oracle, while their model provides only one oracle, KeyGen-Oracle. Second, our model restricts the adversary from possessing any private signing key for an access structure satisfied by the challenge attribute set, whereas their model does not prohibit the adversary from obtaining such a private signing key. These two improvements reflect the ideas mentioned above.
(i) Initialization. Adversary A selects a challenge attribute set A* and sends it to challenger C.

Perfect Anonymity.
In an outsourced attribute-based signature, the untrusted S-CSP generates the outsourced signature, and then the signer generates the final signature. This is the essential difference from a general attribute-based signature, and it must be reflected in the security model. In the model of Mo et al., the outsourced signature is generated by the challenger, and the adversary has no way of seeing it. This makes it impossible for the adversary to determine the access structure from the outsourced signature. But in an outsourced attribute-based signature scheme, the outsourced signatures are computed by the S-CSP, so the S-CSP may track the access structures corresponding to the signatures through the outsourced signatures. This is why Mo et al.'s scheme is anonymous under their model even though the above attack exists. In our model, the outsourced signatures are instead generated by the adversary and then sent to the challenger. Under such a model, Mo et al.'s scheme does not achieve anonymity. Our model reflects the difference between outsourced attribute-based signatures and general attribute-based signatures.
We formalize our definition by a game between challenger C and adversary A as follows.
(i) Setup. It is the same as that of GAME 1.
(ii) Phase 1. The adversary is allowed to query OSK-Oracle, SK-Oracle, and Sign-Oracle for any access structure or message he/she chooses. OSK-Oracle, SK-Oracle, and Sign-Oracle are the same as those of GAME 1.
(iii) Challenge.
(i) Adversary A chooses a message M, an attribute set A, and two challenge access structures A_0 and A_1 such that A ∈ A_0 and A ∈ A_1, and generates two outsourced signatures σ_out^0 and σ_out^1 using the outsourced keys OSK_{A_0,f_{u_0}} and OSK_{A_1,f_{u_1}}, respectively. Then he sends (M, A, A_0, A_1, σ_out^0, σ_out^1, f_{u_0}, f_{u_1}) to challenger C.
(ii) C flips a fair coin b ∈ {0, 1}, generates a signature σ_b on message M and attribute set A using the signing key PSK_{A_b,f_{u_b}}, and then returns σ_b to A.
(iv) Phase 2. As in Phase 1, the adversary can continue to query OSK-Oracle, SK-Oracle, and Sign-Oracle for any access structure (including A_0 and A_1) or message he/she chooses.
Definition 3 (perfect anonymity). An OABS scheme is perfectly anonymous if, for any adversary A, the advantage Adv^{PerAnon}_{OABS,A}(1^λ) is negligible in the security parameter λ.

Improvement
In this section, we propose a simple but significant improvement to fix our attacks. The ideas behind our improvement are as follows.
In Mo et al.'s scheme, the outsourced key and the private signing key are generated independently from secret values a and b. When these two keys are used to generate a signature, the public key Y = e(g, g)^{a+b} cancels out in the verification equation. Since the outsourced key and the private signing key are independent of each other, using the outsourced key of Alice and the private signing key of Bob one can also generate a correct signature, and the public key again cancels out in the verification equation. Our improvement fixes this shortcoming. We set α ∈_R Z_p as the master private key and Y = e(g, g)^α as the public key, and then use a ∈_R Z_p and b = α − a to generate the outsourced key and the private signing key, respectively. In this way, each user's outsourced key and private signing key are bound together. The outsourced key and the private signing key of different users cannot be combined to generate a correct signature: if Alice's outsourced key and Bob's private signing key are combined, then e(g, g)^{a_A + α − a_B} appears in the verification equation, which is not equal to the public key e(g, g)^α, so the signature is rejected.
In Mo et al.'s scheme, σ_3′ is not blinded but used directly as a component of the final signature. This allows the adversary to track the access structure used to generate the signature. To ensure anonymity, the outsourced signature must be blinded. But the cost of blinding σ_3′ is the same as that of computing σ_3′. Therefore, in our improved scheme, the user computes σ_4 by himself, and the server no longer computes σ_3′. σ_4 in our improvement plays the role of σ_3 in Mo et al.'s scheme.
(iv) Sign: with a private signing key PSK_{A,f_u}, a message M = m_1 m_2 ... m_m, and an outsourced signature σ_out, the signer selects r, s, s_δ ∈_R Z_p and computes
If the equation holds, the verifier outputs 1. Otherwise, it outputs 0.

Proofs of Security
Theorem 1 (correctness). The improved scheme is correct.
Proof. When A ∈ A, we can find {w_i : i ∈ I_A} such that
and then
So the verification equation holds, and the improved scheme is correct.

Theorem 2 (unforgeability).
The improved scheme is existentially unforgeable. If an adversary A can win GAME 1 with advantage ε, then there exists an algorithm B that solves the CDHE problem with probability ε′ ≥ ε / (8 q_s (m + 1)), where q_s is the maximum number of Sign-Oracle queries and m is the length of the message.
Proof. In the following, A is an adversary with advantage ε, and C is the challenger of the CDHE problem. We build B as follows; it uses A to solve the CDHE problem.
Without loss of generality, we assume the attribute universe U = {1, 2, ..., n}. B maintains an initially empty list L_key.
(i) C chooses two multiplicative cyclic groups G, G_T of prime order p and a bilinear map e: G × G → G_T; chooses a generator g ∈ G and a ∈_R Z_p and computes (g, g^a, g^{a^2}, ..., g^{a^n}, g^{a^{n+2}}, ..., g^{a^{2n}}); and sends (p, G, G_T, e, g, {g_i = g^{a^i}}_{i=1, i≠n+1}^{2n}) to B.
(ii) Init Phase. A chooses A* and sends it to B.
(iii) Setup. B chooses a′, t_0 ∈_R Z_p and t_u ∈_R Z_p for all u ∈ U, computes {T_u = g^{t_u} g_{n+1−u} : u ∈ U}, and computes Y = e(g, g)^{a′} e(g_1, g_n) (i.e., it implicitly sets the master secret key α = a′ + a^{n+1}).
(iv) OSK-Oracle. Assume A queries an outsourced key on access structure A with matrix M^A of size l_A × k_A and flag f_u. If (A, f_u) is in L_key, B returns the corresponding outsourced key OSK_{A,f_u} to A. Otherwise, we compute the keys as follows:
(i) If A* ∈ A: B sets PSK_{A,f_u} = ⊥ (A cannot query any private signing key for an access structure A satisfied by A*), runs KeyGen to get OSK_{A,f_u}, returns OSK_{A,f_u} to A, and adds (OSK_{A,f_u}, ⊥, A, f_u) to the key list L_key.
(ii) If A* ∉ A: B finds a vector w = (−1, w_2, ..., w_{k_A}) ∈ Z_p^{k_A} such that M^A_i · w = 0 for each i with π(i) ∈ A*, where M^A_i is the i-th row of M^A (Lemma 1); chooses v_1, v_2, ..., v_{k_A} ∈_R Z_p and sets v′ = (0, v_2, ..., v_{k_A}); and then, for all i ∈ [l_A], if π(i) ∈ A*, chooses r_i ∈_R Z_p and computes
if π(i) ∉ A*, chooses r_i′ ∈_R Z_p and computes