Attribute-based Blind Signature Scheme based on Elliptic Curve Cryptography

A blind signature is a special digital signature that allows the signer to sign a document without knowing its content. However, in many situations, multiple people need to blindly sign messages, and the traditional blind signature can no longer satisfy the application requirements. To solve this problem, attribute-based cryptography has been combined with the blind signature, giving rise to the concept of the attribute-based blind signature. At present, all attribute-based blind signature schemes require the support of bilinear pairing technology, which involves several complex pairing and exponential operations in the signature and verification processes, and the computational efficiency is not high. In this paper, we present an attribute-based blind signature scheme based on elliptic curve cryptography (ECC), and the security of the new scheme is proved under the intractability of the elliptic curve discrete logarithm problem (ECDLP). Our scheme is a key policy attribute-based signature (KP-ABS). The new scheme uses linear secret sharing scheme (LSSS) matrix technology, which does not require recursive operations, to achieve more flexible and fine-grained access control. In addition, the scheme uses scalar multiplication on an elliptic curve instead of a bilinear pairing operation. Our scheme has significant advantages in terms of computational efficiency and storage compared with existing attribute-based blind signature schemes.


I. INTRODUCTION
In 1982, Chaum first proposed the blind signature [1], which is a digital signature that can protect user privacy. A blind signature enables the signer to sign the document without knowing the content of the signed document. In addition, the signer cannot link the signature that the message owner obtains after unblinding to the blinded message that he or she signed. Therefore, blind signatures are widely used in settings that require anonymity and authentication, such as electronic cash, electronic auctions, and electronic voting. Since then, blind signatures have attracted considerable research attention, and various blind signature schemes have been proposed. These blind signature schemes are often one-to-one; that is, one person blindly signs the message and one person verifies the validity of the blind signature. However, in many situations, multiple people who meet certain attributes or access structures must blindly sign messages. Obviously, a traditional blind signature can no longer satisfy the application requirements. To solve this problem, attribute-based cryptography and blind signatures are combined to produce the concept of the attribute-based blind signature.
Attribute-based cryptography can realize fine-grained access control, and has become a very active topic in the development of cryptography in recent years because of its broad application prospects. Attribute-based signature (ABS) extends identity-based signatures. Signers are defined as a set of attributes or access structures in attribute-based signature schemes. When the signer satisfies the corresponding attributes or access structures, the signer can use a private key to sign the message. The verifier only knows that the signer satisfies the corresponding attribute or access structure but does not know the identity information of the signer. Attribute-based signatures can be classified into signature policy attribute-based signatures (SP-ABS) and key policy attribute-based signatures (KP-ABS) according to access policy. In SP-ABS, the key generation algorithm needs to input a set of signer attributes, and the signature algorithm is completed by the access structures and the private key.
KP-ABS requires the key generation algorithm to input access structures, and the signature algorithm is completed by the attribute set and private key.
On the one hand, attribute-based blind signature has the characteristics of blind signature, and on the other hand, it can also implement fine-grained access control, allowing signers that satisfy certain attributes or access structures to blindly sign messages. However, existing attribute-based blind signature schemes are all supported by bilinear pairings, which involve several complex pairing and exponential operations in the process of signature and verification, resulting in low computational efficiency [2].
In addition, current attribute-based blind signature schemes are based on the access tree structure. The access tree structure can represent flexible access control policies. However, because the access structure is represented as a tree, recursion is required to perform operations. When the recursion depth reaches a certain level, the running time and space of the program are affected to a certain extent. The linear secret sharing scheme (LSSS) access structure solves this problem well. LSSS uses the linear recombination property of the linear secret-sharing scheme to reconstruct secrets without recursive operations, which is more efficient, and the expressivity of LSSS is equivalent to that of the access tree structure.
Based on the above background, we propose an attribute-based blind signature scheme based on elliptic-curve cryptography. The new scheme uses scalar multiplication on an elliptic curve instead of a bilinear pairing operation, which reduces the overhead of signature and verification, and it avoids the recursion that the access tree structure requires.

A. RELATED WORKS
In 1983, Chaum proposed a blind signature scheme based on RSA [3], which can be used in electronic payment systems. In 1992, Okamoto proposed the Schnorr blind signature scheme [4] based on the Schnorr digital signature system. Compared to the previous RSA blind signature scheme, it has higher security and efficiency. In 1994, Camenisch et al. [5] presented two blind signature schemes based on a discrete logarithm problem. In 2000, Mohammed [8] and analyzed the safety of this scheme under the assumption of an elliptic curve discrete logarithm problem (ECDLP). In 2020, Duong et al. proposed a post-quantum blind ring signature scheme [9], which was constructed based on multivariate public key cryptography. In 2021, Huang et al. proposed an ECDSA-based partially blind signature scheme [10] compatible with the current bitcoin protocol.
Khader proposed an attribute-based group signature scheme in 2007 [11], in which members of the group satisfying certain attributes can sign, and the verifier can judge the true identity of the signer. In 2008, Maji et al. proposed an attribute-based signature scheme [12], where the signer's key is associated with its own attributes, and the scheme satisfies strong unforgeability. Subsequently, in 2009, an attribute-based signature scheme [13] that supports threshold access structures was proposed. In 2010, Maji et al. [14] proposed a general framework for attribute-based signature schemes, as well as several bilinear pair-based schemes. In 2014, the scheme proposed by Rao et al. [15] adopted the LSSS access policy, which can implement fine-grained access control more flexibly than the threshold access structure. In 2015, Kaafarani et al. [16] proposed three attribute-based signature schemes, namely DTABS, ABS-UCL, and ABS-HEP. Rani et al. [17] proposed a new ABS scheme with an access tree structure in 2017, which supports the flexible access control of AND and OR. In 2018, Guo et al. [18] proposed a multi-attribute-centric attribute-based signature scheme and applied it to electronic health-record systems. In 2020, Wang et al. proposed two efficient pairing-free ciphertext-policy attribute-based schemes [19] that eliminate the computation intensive bilinear pairing operation. With the development of the Internet of Things, in 2021, Liu et al. proposed a fuzzy detection strategy to prejudge the target tracking result [20] and a multi-layer template update mechanism to achieve effective monitoring in a multimedia environment [21]. In 2021, Chen et al. proposed the first instance of CL-ME [22] based on bilinear pairing. In 2021, Saju et al. analyzed elliptic curve digital signature algorithm (ECDSA) along with the primary operations of elliptic curves [23]. In 2022, the scheme [24] proposed by Liu et al. combined the relevant characteristics of human inertial thinking, and the integration of the proposed edge learning method with the IoT can be well applied to the construction of smart cities and future generation systems.
To meet the requirements of electronic voting, electronic auction, electronic payment, and other applications, Deng et al. proposed an attribute blind signature scheme based on an access tree structure in cloud storage [25], which combined attribute-based signature technology with a blind signature.

B. OUR CONTRIBUTIONS
Currently, all existing attribute-based blind signature schemes require the support of bilinear pairing technology, which involves several complex pairing and exponential operations in the signature and verification process. This leads to a low computational efficiency [2]. However, scalar multiplication on an elliptic curve is more computationally efficient than modular exponentials and bilinear pairing. Therefore, it is easier to implement in hardware. It can be seen that elliptic curve cryptography (ECC) has great advantages in encryption and decryption speed, computing efficiency and storage resource occupation [26]. The advantages of this study are as follows.
• In this paper, an attribute-based blind signature scheme based on elliptic curve cryptography (ECC) is proposed. The security of our scheme is based on the intractability of the elliptic curve discrete logarithm problem (ECDLP). To the best of our knowledge, our scheme is the first attribute-based blind signature scheme constructed using elliptic curve cryptography. In this study, the complex bilinear pairing operation is replaced by scalar multiplication on the elliptic curve, reducing the computational overhead of the signature and verification.
• A monotonic access structure LSSS matrix with high expressivity does not require recursive operations to achieve fine-grained access control, which is more efficient.
• The new scheme achieves a fixed signature length independent of the number of signer attributes, reducing communication and computational overhead.

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3162231, IEEE Access.

C. ORGANIZATION OF THE PAPER
The remainder of this paper is organized as follows. In Section II, we introduce the relevant knowledge and provide a generic attribute-based blind signature scheme with its security model. In Section III, we present an attribute-based blind signature scheme based on elliptic curve cryptography. In Section IV, the efficiency of the proposed scheme is analyzed. We conclude this paper in Section V.

II. PRELIMINARY
In this section, we introduce elliptic curve cryptography and provide the algorithm definition and security model of attribute-based blind signatures.

A. ELLIPTIC CURVE CRYPTOGRAPHY
Elliptic curve cryptography [27] was proposed by Neal Koblitz and Victor Miller in 1985. Compared with other cryptosystems, it not only has a small key size and low storage and bandwidth requirements, but also has great advantages in computational efficiency because there are no bilinear pairing and modular exponential operations [28]. Its security is based on the difficulty of the elliptic curve discrete logarithm problem (ECDLP). Elliptic curves defined over a finite field $GF(p)$ are binary cubic equations with both variables and coefficients over a finite field. It is difficult to calculate the discrete logarithm of an element on an elliptic curve defined over a finite field $GF(p)$ when a base point is given. In other words, let $G$ be the base point of order $p$. If a point $Q = kG$, $k \in Z_p^*$, is provided, it is difficult to compute the integer $k$ in polynomial time.

if, for any PPT adversary and any positive integer number 2 t  , the success probability of in the above game is negligibly close to 1/2.

3) Definition 3 (Unforgeability).
An attribute-based blind signature scheme σ = Setup,Extand, The scheme is unforgeable if Adversary cannot succeed in the above game with a nonnegligible probability in polynomial time.

III. ATTRIBUTE-BASED BLIND SIGNATURE SCHEME BASED ON ELLIPTIC CURVE CRYPTOGRAPHY
At present, most attribute-based blind signatures are supported by bilinear pairing operations whose computational efficiency is not high. This section presents an attribute-based blind signature scheme based on elliptic curve cryptography without a bilinear pairing operation, and its security analysis.

Let $GF(q)$ be a finite field of order $q$, $E$ be an elliptic curve defined over $GF(q)$, and $G$ be an element of a large prime order $p$ in $E$. Point $G$ generates a cyclic subgroup of $E$, in which the elliptic curve discrete logarithm problem (ECDLP) is intractable. Suppose the set of attributes in the system is

2) Extract. Assume that the access structure The signer sends 1  to the message owner.

5) UnBlind. The message owner computes 1 1 x    and then outputs the attribute-based blind signature  after blindness removal.

6) Verify. To verify the attribute-based blind signature  for message M and public information PK, the verifier performs the following steps.

In this section, we analyze the security properties of the proposed attribute-based blind signature scheme based on elliptic curve cryptography. Security properties include correctness, blindness, and unforgeability.

1) Theorem 1 (Correctness).
The attribute-based blind signature scheme based on elliptic curve cryptography that we propose satisfies correctness. verifying the signature is as follows:

To obtain the content of the message, the adversary must know the value of x and r, that is, to solve x by This is an elliptic curve discrete logarithm problem (ECDLP). Therefore, the probability that the adversary can determine the real message should not be greater than 1/2. Thus, our attribute-based blind signature scheme based on elliptic curve cryptography in this study satisfies blindness.

3) Theorem 3 (Unforgeability).
Under the assumption that the ECDLP is difficult, our attribute-based blind signature scheme based on elliptic curve cryptography is unforgeable.
Proof: Suppose there is an adversary that can successfully forge a valid attribute-based blind signature with a non-negligible probability in polynomial time; then, the challenger can use the algorithm of adversary to solve an elliptic curve discrete logarithm problem (ECDLP) in polynomial time. The interaction between adversary and challenger is as follows.
as a solution for the ECDLP. This means that challenger successfully solves the ECDLP, which contradicts the difficulty assumption of the ECDLP. Thus, no adversary can successfully forge an attribute-based blind signature with a non-negligible probability in polynomial time.

IV. EFFICIENCY ANALYSIS
In this section, we present an efficiency analysis of our attribute-based blind signature scheme based on elliptic curve cryptography.

Table I

From Table I, we can observe that our attribute-based blind signature scheme based on elliptic curve cryptography uses an LSSS matrix that does not require recursive operations but has a flexible access structure to achieve fine-grained access control. The new scheme belongs to the key policy attribute-based signature; therefore, the signer's private key is related to the number of rows of the LSSS matrix. However, since the result of multiplying the private key by the constant is added during the signature process, a fixed signature length is achieved. In terms of computational complexity, the new scheme is based on an elliptic-curve cryptosystem, replacing the bilinear pairing operation with scalar multiplication on the elliptic curve. Scalar multiplication on an elliptic curve is faster than a modular exponential operation and bilinear pairings in terms of computational efficiency [31]. Therefore, our scheme has significant advantages in terms of the signature speed, verification time, and storage space.

V. CONCLUSION
All existing attribute-based blind signature schemes currently use bilinear pairings, and the computation cost of the pairings is much higher than that of scalar multiplication over the elliptic curve group. In this paper, an attribute-based blind signature scheme based on elliptic curve cryptography without a bilinear pairing operation is proposed, and its security is analyzed. Our scheme realizes the blindness of signature messages and allows signers with access structure attributes to sign them, which can be used in electronic auctions, electronic voting, and other places. The scheme adopts a key policy and LSSS matrix technology to flexibly realize fine-grained access control and achieves a fixed signature length independent of the number of attributes of the signer. The scheme uses scalar multiplication over an elliptic curve group instead of bilinear pairings, which has great advantages in terms of signature speed, verification time, and storage space.