Succinct Attribute-Based Signatures for Bounded-Size Circuits by Combining Algebraic and Arithmetic Proofs

Abstract

AbstractAttribute-based signatures allow fine-grained attribute-based authentication and at the same time keep a signer’s privacy as much as possible. While there are constructions of attribute-based signatures allowing arbitrary circuits or Turing machines as an authentication policy, none of them is practically very efficient. Some schemes have long signatures or long user secret keys which grow as the sizes of a policy or attributes grow. Some scheme relies on a vast Karp reduction which transforms public-key and secret-key operations into an arithmetic circuit. We propose an attribute-based signature scheme for bounded-size arbitrary arithmetic circuits with constant-size signatures and user secret keys without relying on such a Karp reduction. The scheme is based on bilinear groups and is proven secure in the generic bilinear group model. To achieve this we develop a new extension of SNARKs (succinct non-interactive arguments of knowledge). We formalize this extension as constrained SNARKs, which can be seen as a simplification of commit-and-prove SNARKs both in syntax and technique. In a constrained SNARK, one can force a prover to use a witness satisfying some constraint by announcing a succinct constraint string which encodes a constraint on a witness. If a proof is valid under some constraint string, it is ensured that the witness behind the proof satisfies the constraint that is behind the constraint string. By succinct, we mean that a constraint string has a constant length independent of the length of the plain description of the constraint, and notably a verifier need not know the (potentially long) plain description of the constraint for verifying a proof. We construct a constrained SNARK in the generic bilinear group model.