Short attribute-based signatures for arbitrary Turing machines from standard assumptions

Abstract

AbstractThis paper presents the first attribute-based signature () scheme supporting signing policies representable by Turing machines (), based on well-studied computational assumptions. Our work supports arbitrarys as signing policies in the sense that the s can accept signing attribute strings of unbounded polynomial length and there is no limit on their running time, description size, or space complexity. Moreover, we are able to achieve input-specific running time for the signing algorithm. All other known expressive schemes could at most support signing policies realizable by either arbitrary polynomial-size circuits or s having a pre-determined upper bound on the running time. Consequently, those schemes can only deal with signing attribute strings whose lengths are a priori bounded, as well as suffers from the worst-case running time problem. On a more positive note, for the first time in the literature, the signature size of our scheme only depends on the size of the signed message and is completely independent of the size of the signing policy under which the signature is generated. This is a significant achievement from the point of view of communication efficiency. Our construction makes use of indistinguishability obfuscation () for polynomial-size circuits and certain -compatible cryptographic tools. Note that, all of these building blocks including for polynomial-size circuits are currently known to be realizable under well-studied computational assumptions.