Attribute-Based Proxy Signature Scheme Supporting Flexible Threshold Predicate for UAV Networks

Abstract

Unmanned aerial vehicle (UAV) is an attractive application because of its flexibility and economy. It may use a digital signature scheme to protect commands sent to UAVs. Moreover, the digital signature scheme should guarantee the real-time performance of UAVs executing commands and protect the signer’s privacy. Therefore, we proposed an attribute-based proxy signature (ABPS) scheme supporting flexible threshold predicate for UAV networks and proved its security. It has existential unforgeability under selective-predicate and chosen message attacks (EUF-sP-CMA) and can protect the signer’s privacy. We analyzed its computation costs based on experimental data and communication costs. The analysis results indicate that our ABPS scheme has less computation costs than other ABPS schemes and is at the same level as other ABPS schemes on communication costs.

1. Introduction

Over the years, unmanned aerial vehicle (UAV) technology has made rapid advances. A UAV usually refers to an aircraft without a human pilot on board. It is equipped with special equipment and can perform different tasks, such as product delivery, surveillance, video shooting, reconnaissance, military strike, etc. For example, when a natural disaster occurs, UAVs can not only deliver supplies to the affected area, but also serve as an aerial emergency communication platform to provide communication signals to the affected area.

A UAV usually requires assistance of other computation devices and communication facilities to complete a task. These devices, facilities and UAVs may constitute a UAV network, which usually takes UAVs as the application core. A UAV network is illustrated in Figure 1 and may include UAVs, airships, satellites, a command center, etc. It has the characteristics of high mobility and dynamic topology [1,2].

When a UAV initially performs a task, only the command center has command authority. There is a delay between sending a command and receiving this command. A UAV network should ensure that the delay is as short as possible, especially for some location-based applications.

1.1. Problem Statement

A UAV must belong to a command center. This command center has initial command of the UAV. It generally uses a digital signature scheme to protect the commands sent to a UAV. A command center computes a signature and sends it to a UAV. The UAV verifies the signature and decides whether to execute the command based on the verification result.

The delay affects the real-time performance of UAV missions. It is proportional to the propagation distance between a sender and a receiver. Therefore, it is necessary to reduce propagation distance as much as possible to decrease delay. That is, the propagation distance between a sender and a UAV should be as short as possible.

However, a UAV often needs to perform remote tasks. It is difficult for a UAV to receive commands and corresponding signatures from the command center in time because of the characteristics of a UAV network. In this case, the command center may provisionally authorize some agents, such as ground control stations (GCSs) near the UAV, to command the UAV. These agents send commands and corresponding signatures to the UAV. The UAV decides whether to execute commands after verifying the signatures. This requirement can be achieved by using a proxy signature scheme.

As illustrated in Figure 1, there are many components in a UAV network. Some components may want to anonymously command a UAV. A solution is to command a UAV based on attribute instead of identity. Every component may have several attributes. Only the components whose attributes meet requirements can command a UAV. In this case, a UAV only needs to make sure that a command was issued by the component whose attributes meet the requirements without knowing the component’s identity, which protects the component’s privacy. This requirement can be achieved by using an attribute-based signature (ABS) scheme.

In short, we can draw the following conclusions:

• Using a proxy signature scheme may help UAVs execute commands promptly in UAV networks.
• Using an ABS scheme, a UAV verifies the signature to confirm that the signer’s attributes meet the requirements. The UAV does not obtain the signer’s identity, which protects the signer’s privacy.

Therefore, we propose an attribute-based proxy signature (ABPS) scheme for UAV networks.

1.2. Our Contributions

We proposed an ABPS scheme that supports flexible threshold predicate. In this scheme, a command center or its agents may change threshold value in the predicate without proposing a new signature scheme. Not all ABPS schemes support flexible threshold predicate. We analyzed the security of this ABPS scheme. It has existential unforgeability and protects the signer’s privacy. We compare our ABPS scheme with other ABPS schemes. The analysis shows that our scheme is more efficient than others in terms of computation costs and at the same level as others in terms of communication costs.

1.3. Structure of the Paper

Section 2 and Section 3 present related work and preliminaries, respectively. Our ABPS scheme is proposed in Section 4. Section 5 presents the formal model. The security model is also presented in this section. Our ABPS scheme is analyzed in Section 6. Section 7 concludes this paper.

2. Related Work

We review the latest related works of security solutions for UAV networks, ABS schemes, and proxy signature schemes. Some acronyms and their meanings are summarized in

Table 1. Some acronyms and their meanings.

Acronym	Meaning
ABS	Attribute-based signature
FANET	Flying ad hoc network
IoD	Internet of drones
HSC	Heterogeneous signcryption
CL-KESC	Certificateless key-encapsulated signcryption
CL-BS	Certificateless blind signature
CL-PSC	Certificateless proxy signcryption
OABS	Outsourced attribute-based signature
S-CSP	Signing-cloud service provider
LSSS	Linear secret-sharing scheme
SA-ABS	Server-aided attribute-based signature
CBPS	Certificate-based proxy signature
ABPS	Attribute-based proxy signature

.

2.1. Security Solutions for UAV Networks

Samanth et al. reviewed the Internet security of drones and considered that researchers may propose better digital signature schemes [3]. Khan et al. proposed an identity-based generalized signcryption scheme for FANETs [4] and an identity-based proxy signcryption scheme for IoD [5]. Din et al. analyzed the signcryption scheme [4] and showed that it is not secure. They proposed an improved signcryption scheme [6]. Pan et al. proposed a pairing-free HSC scheme for UAVs [7]. Khan et al. also proposed an HSC scheme for the IoD [8]. Khan et al. proposed a CL-KESC scheme for FANET [9]. Khan et al. also proposed a CL-BS scheme for FANET [10]. Qu and Zeng proposed a CL-PSC scheme for a UAV network [11]. Liu et al. presented a trustworthy message exchange scheme for UAV networks [12]. Guo et al. presented a trust evaluation scheme for federated learning in the digital twin for mobile networks [13]. We compare some security solutions. The results are shown in

Table 2. Comparison of security solutions.

Security Solutions	Confidentiality	Integrity	Authentication
Din et al. [6]	√	√	√
Pan et al. [7]	√	√	√
Khan et al. [9]	√	√	√

.

2.2. ABS Schemes

Maji et al. proposed some ABS schemes [14]. In an ABS scheme, a signer has some attributes that form an attribute set and satisfy a predicate. The signer computes a signature with the predicate. A verifier verifies the signature to confirm that the signer’s attribute set satisfies the predicate. Li et al. presented two ABS schemes [15]. Su et al. presented an expressive ABS scheme [16]. Okamoto and Takashima presented an ABS scheme that supports general non-monotone predicates [17].

To reduce the computation costs of the signer in an ABS scheme, Chen et al. presented two OABS schemes [18]. In these schemes, the signer outsources most of the computation of computing the signature to an S-CSP. Mo et al. presented an OABS scheme based on LSSS [19]. Huang et al. analyzed the OABS scheme [19] and showed that it is not secure [20]. They also proposed an improved OABS scheme [20]. Huang et al. presented an OABS scheme with perfect privacy [21].

Cui et al. presented an SA-ABS scheme with revocation to reduce the computation costs of the signer and verifier [22]. A server assists with signature generation and verification. Xiong et al. presented an SA-ABS scheme based on LSSS [23]. Huang and Lin analyzed the two schemes [22,23] and showed that they are not secure [24]. Huang and Lin presented an improved SA-ABS scheme [24]. Bao et al. presented an SA-ABS scheme with resistance to key exposure [25].

2.3. Proxy Signature Schemes

Mambo et al. presented proxy signature [26]. Huang et al. presented a proxy signature scheme without random oracle [27]. Wu et al. presented an identity-based proxy signature scheme [28]. Verma et al. presented a CBPS scheme without pairing [29]. Qiao et al. analyzed the signature scheme [29] and showed that it is not secure [30]. They also proposed three CBPS schemes [30]. Liu et al. presented an ABPS scheme for personal health records [31]. Sun et al. presented an ABPS scheme [32]. He et al. presented an ABPS scheme for UAV networks [33].

3. Preliminaries

3.1. Complexity Assumption

Definition 1.

(Computational Diffie-Hellman (CDH) Problem). Given $g,g^x,g^y\in \mathbb{G}$, and $x,y\in {\mathbb{Z}}_q^{*}$ are unknown, compute $g^{xy}$.

3.2. Supported Predicate

Our ABPS scheme supports the predicates $\mathrm{{\rm Y}}$. The predicate ${\mathrm{{\rm Y}}}_{k,{\omega }^{\diamond }}\left({\omega }^{\prime }\right)=1$ if $|{\omega }^{\diamond }\cap {\omega }^{\prime }|\ge k$. Otherwise, ${\mathrm{{\rm Y}}}_{k,{\omega }^{\diamond }}\left({\omega }^{\prime }\right)=0$.

3.3. Lagrange Interpolation

It is assumed that there are d points $t\left(1\right),t\left(2\right),\cdots ,t\left(d\right)$ on a $(d-1)$ degree polynomial. A set S has d elements. It can compute $t\left(i\right)={\sum }_{j=1}^{d}t\left(j\right){\Delta }_{j,S}\left(i\right)$ where ${\Delta }_{j,S}\left(i\right)={\prod }_{\eta \in S,\eta \ne j}\frac{i-\eta }{j-\eta }$.

4. ABPS Scheme for UAV Networks

4.1. Overview

It is assumed that there are an attribute authority, a command center, a GCS, and a UAV in the UAV network. The command center is the original signer and has attribute set ${\omega }_o$ and private key $s{k}_o$. The GCS is the proxy signer and has attribute set ${\omega }_p$ and private key $s{k}_p$. The UAV is the verifier. It is assumed that they satisfy the same predicate $\mathrm{{\rm Y}}$ in our ABPS scheme. The command center delegates the GCS to compute the signature. The UAV verifies this signature and outputs the result. The brief process of our ABPS scheme is illustrated as Figure 2. It mainly includes the following steps.

• The attribute authority generates system parameters. It generates $s{k}_o$ based on the attribute set $\widehat{{\omega }_o}={\omega }_o\cup \mathsf{\Omega }$. Similarly, it also generates $s{k}_p$ based on the attribute set $\widehat{{\omega }_p}={\omega }_p\cup \mathsf{\Omega }$. The default attribute set $\mathsf{\Omega }$ is added to achieve a flexible threshold predicate in this system, which allows a user to change threshold value in the predicate without proposing a new signature scheme.
• The command center generates a warrant w and uses its attribute set and private key to compute the delegation on $(w,\mathrm{{\rm Y}})$ for the GCS.
• The GCS verifies the delegation. If it is valid, the GCS will keep the delegation.
• Based on the delegation, the GCS uses its attribute set and $s{k}_p$ to compute the proxy signature on $(m,w,\mathrm{{\rm Y}})$.
• The UAV verifies the signature and outputs the result.

4.2. Our ABPS Scheme

Our ABPS scheme mainly consists of the algorithms Setup, Extract, DelGen, DelVer, Sign, and Verify.

(1)

Setup

Let $\mathbb{G}$ and ${\mathbb{G}}_T$ be cyclic groups with a prime order q. It is assumed that $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ is a bilinear map. It selects a random generator $g\in \mathbb{G}$, a random element $g_2\in \mathbb{G}$, and a random number $\alpha \in {\mathbb{Z}}_q^{*}$. It computes $g_1=g^{\alpha }$ and $Z=e(g_1,g_2)$. It defines hash functions $H_1,H_2,H_3:{\{0,1\}}^{*}\to \mathbb{G}$. It also defines the attributes and a default attribute set $\mathsf{\Omega }=\{{\mathsf{\Omega }}_1,{\mathsf{\Omega }}_2,\cdots ,{\mathsf{\Omega }}_{d-1}\}$ in ${\mathbb{Z}}_q$. The default attribute set $\mathsf{\Omega }$ helps to achieve flexible threshold predicate. It outputs system parameters $(g,g_1,g_2,Z,d,H_1,H_2,H_3)$ and $\alpha$ as the master secret key.

(2)

Extract

This algorithm computes $s{k}_o$ and $s{k}_p$. It is assumed ${\omega }_o$ is the attribute set of the original signer and ${\omega }_p$ is the attribute set of the proxy signer. This algorithm selects a (d − 1) degree polynomial $t(·)$ and $t\left(0\right)=\alpha$. It generates two new attribute sets $\widehat{{\omega }_o}={\omega }_o\cup \mathsf{\Omega }$ and $\widehat{{\omega }_p}={\omega }_p\cup \mathsf{\Omega }$. It selects random numbers $r_{i_o}\in {\mathbb{Z}}_q$ and computes $s{k}_o$ as $D_{i_o}=(d_{i_{o}0},d_{i_{o}1})=(g_2^{t\left(i_o\right)}{H}_1{\left(i_o\right)}^{r_{i_o}},g^{r_{i_o}})$ for every $i_o\in \widehat{{\omega }_o}$. Similarly, it selects random numbers $r_{i_p}\in {\mathbb{Z}}_q$ and computes $s{k}_p$ as $D_{i_p}=(d_{i_{p}0},d_{i_{p}1})=(g_2^{t\left(i_p\right)}{H}_1{\left(i_p\right)}^{r_{i_p}},g^{r_{i_p}})$ for every $i_p\in \widehat{{\omega }_p}$.

(3)

DelGen

The original signer needs to prove its attribute set ${\omega }_o$ satisfies the predicate ${\mathrm{{\rm Y}}}_{k,{\omega }^{\diamond }}(·)$. The original signer generates the warrant w and selects a subset ${\omega }_o^{\prime }\subseteq {\omega }_o\cap {\omega }^{\diamond }$ with $|{\omega }_o^{\prime }|=k$ and a default attribute set ${\mathsf{\Omega }}_o^{\prime }\subseteq \mathsf{\Omega }$ with $|{\mathsf{\Omega }}_o^{\prime }|=d-k$. It then generates $(n+d-k)$ random numbers $r_{i_o}^{\prime }\in {\mathbb{Z}}_q$ for $i_o\in {\omega }^{\diamond }\cup {\mathsf{\Omega }}_o^{\prime }$ and a random number $s_o\in {\mathbb{Z}}_q$. The original signer computes ${\sigma }_{o,0}=[{\prod }_{i_o\in {\omega }_o^{\prime }\cup {\mathsf{\Omega }}_o^{\prime }}{d}_{i_{o}0}^{{\Delta }_{i_o,S_o}\left(0\right)}][{\prod }_{i_o\in {\omega }^{\diamond }\cup {\mathsf{\Omega }}_o^{\prime }}{H}_1{\left(i_o\right)}^{r_{i_o}^{\prime }}]H_2{\left(w\right)}^{s_o}$, ${\{{\sigma }_{i_o}=d_{i_{o}1}^{{\Delta }_{i_o,S_o\left(0\right)}}{g}^{r_{i_o}^{\prime }}\}}_{i_o\in {\omega }_o^{\prime }\cup {\mathsf{\Omega }}_o^{\prime }}$, ${\{{\sigma }_{i_o}=g^{r_{i_o}^{\prime }}\}}_{{\omega }^{\diamond }/{\omega }_o^{\prime }}$, and ${\sigma }_{o,0}^{\prime }=g^{s_o}$. It sends $(w,{\sigma }_{o,0},{\{{\sigma }_{i_o}\}}_{{\omega }^{\diamond }\cup {\mathsf{\Omega }}_o^{\prime }},{\sigma }_{o,0}^{\prime })$ to the proxy signer.

(4)

DelVer

The proxy signer checks the following equation.

$$\begin{array}{c}\hfill \frac{e(g,{\sigma }_{o,0})}{\left[{\prod }_{i_o\in {\omega }^{\diamond }\cup {\mathsf{\Omega }}_o^{\prime }}e(H_1\left(i_o\right),{\sigma }_{i_o})\right]e(H_2\left(w\right),{\sigma }_{o,0}^{\prime })}=Z\end{array}$$

If the equation holds, the GCS will keep the delegation.

(5)

Sign

The proxy signer performs the following steps.

(i)

It selects a subset ${\omega }_p^{\prime }\subseteq {\omega }_p\cap {\omega }^{\diamond }$ with $|{\omega }_p^{\prime }|=k$ and a default attribute set ${\mathsf{\Omega }}_p^{\prime }\subseteq \mathsf{\Omega }$ with $|{\mathsf{\Omega }}_p^{\prime }|=d-k$.

(ii)

It generates $(n+d-k)$ random numbers $r_{i_p}^{\prime }\in {\mathbb{Z}}_q$ for $i_p\in {\omega }^{\diamond }\cup {\mathsf{\Omega }}_p^{\prime }$ and a random number $s_p\in {\mathbb{Z}}_q$.

(iii)

It computes ${\sigma }_{p,0}={\sigma }_{o,0}[{\prod }_{i_p\in {\omega }_p^{\prime }\cup {\mathsf{\Omega }}_p^{\prime }}{d}_{i_{p}0}^{{\Delta }_{i_p,S_p}\left(0\right)}][{\prod }_{i_p\in {\omega }^{\diamond }\cup {\mathsf{\Omega }}_p^{\prime }}{H}_1{\left(i_p\right)}^{r_{i_p}^{\prime }}]H_3{\left(m\right)}^{s_p}$, ${\{{\sigma }_{i_p}=d_{i_{p}1}^{{\Delta }_{i_p,S_p\left(0\right)}}{g}^{r_{i_p}^{\prime }}\}}_{i_p\in {\omega }_p^{\prime }\cup {\mathsf{\Omega }}_p^{\prime }}$, ${\{{\sigma }_{i_p}=g^{r_{i_p}^{\prime }}\}}_{{\omega }^{\diamond }/{\omega }_p^{\prime }}$, and ${\sigma }_{p,0}^{\prime }=g^{s_p}$.

(iv)

The proxy signer sends $(w,m,{\sigma }_{p,0},{\{{\sigma }_{i_p}\}}_{{\omega }^{\diamond }\cup {\mathsf{\Omega }}_p^{\prime }},{\sigma }_{p,0}^{\prime },{\{{\sigma }_{i_o}\}}_{{\omega }^{\diamond }\cup {\mathsf{\Omega }}_o^{\prime }},{\sigma }_{o,0}^{\prime })$ to the verifier.

(6)

Verify

The verifier checks the following equation.

$$\begin{array}{c}\hfill \frac{e(g,{\sigma }_{p,0})}{\left[{\prod }_{i_p\in {\omega }^{\diamond }\cup {\mathsf{\Omega }}_p^{\prime }}e(H_1\left(i_p\right),{\sigma }_{i_p})\right]e(H_3\left(m\right),{\sigma }_{p,0}^{\prime })}·\frac{1}{\left[{\prod }_{i_o\in {\omega }^{\diamond }\cup {\mathsf{\Omega }}_o^{\prime }}e(H_1\left(i_o\right),{\sigma }_{i_o})\right]e(H_2\left(w\right),{\sigma }_{o,0}^{\prime })}=Z^2\end{array}$$

If the equation holds, it outputs $Accept$. Otherwise, it outputs $Reject$.

5. Formal Model and Security Model

5.1. Formal Model

Generally, an ABPS scheme includes four participants, an attribute authority, an original signer, a proxy signer and a verifier. The attribute authority initializes the system and generates $s{k}_o$ and $s{k}_p$. The original signer generates a warrant and computes a delegation. The proxy signer computes the signature. The verifier verifies the signature. An ABPS scheme consists mainly of the following algorithms:

(1)

Setup: It inputs the system security parameter and outputs public parameters $params$ and a master secret key $MSK$.

(2)

Extract: The attribute authority computes $s{k}_o$ for the original signer based on attribute set ${\omega }_o$. It also computes $s{k}_p$ for the proxy signer based on attribute set ${\omega }_p$.

(3)

DelGen: The inputs of this algorithm include $params$, a warrant w, predicate $\mathrm{{\rm Y}}\left({\omega }_o^{\prime }\right)=1$ where ${\omega }_o^{\prime }\subseteq {\omega }_o$, and $s{k}_o$. This algorithm outputs a delegation $del$.

(4)

DelVer: Its inputs include $params$, w, $\mathrm{{\rm Y}}$, and $del$. This algorithm determines whether the $del$ is valid. If it is valid, the proxy signer will keep the delegation.

(5)

Sign: Its inputs include $params$, w, $del$, predicate $\mathrm{{\rm Y}}\left({\omega }_p^{\prime }\right)=1$ where ${\omega }_p^{\prime }\subseteq {\omega }_p$, $s{k}_p$, and message m. It outputs the proxy signature $\sigma$.

(6)

Verify: Its inputs include $params$, w, $\mathrm{{\rm Y}}$, m, and $\sigma$. This algorithm determines whether the signature is valid. If it is valid, the verifier will output a boolean value $Accept$. Otherwise, it will output a boolean value $Reject$.

5.2. Security Model

An ABPS scheme should provide unforgeability and signer’s privacy. The unforgeability requires that an adversary can forge a signature only if the adversary’s attributes meet the requirement. The signer’s privacy requires that the signature does not reveal the signer’s identity.

5.2.1. Unforgeability

According to the security models respectively defined in [27,28], we divide adversaries into three types, namely ${\mathcal{A}}_{\mathcal{I}}$, ${\mathcal{A}}_{\mathcal{II}}$, and ${\mathcal{A}}_{\mathcal{III}}$.

• ${\mathcal{A}}_{\mathcal{I}}$: The adversary only has the public key of the original signer $p{k}_o$ and the public key of the proxy signer $p{k}_p$.
• ${\mathcal{A}}_{\mathcal{II}}$: The adversary has $p{k}_o$, $p{k}_p$, and $s{k}_p$.
• ${\mathcal{A}}_{\mathcal{III}}$: The adversary has $p{k}_o$, $p{k}_p$, and $s{k}_o$.

According to the classification above, we only consider ${\mathcal{A}}_{\mathcal{II}}$ and ${\mathcal{A}}_{\mathcal{III}}$ in our security model. We present the definition of existential unforgeability under selective-predicate and chosen message attacks (EUF-sP-CMA).

Firstly, we define EUF-sP-CMA against ${\mathcal{A}}_{\mathcal{II}}$ through the following game.

(1)

Initialization: ${\mathcal{A}}_{\mathcal{II}}$ chooses the challenge predicate ${\mathrm{{\rm Y}}}^{*}$.

(2)

Setup: A challenger $\mathcal{C}$ selects the security parameter and generates $params$ and $MSK$. It runs algorithm Extract to generate $s{k}_o$, $p{k}_o$, $s{k}_p$, and $p{k}_p$. $\mathcal{C}$ keeps $MSK$ and $s{k}_o$ secret and sends $params$ and $(p{k}_o,s{k}_p,p{k}_p)$ to ${\mathcal{A}}_{\mathcal{II}}$.

(3)

Queries: ${\mathcal{A}}_{\mathcal{II}}$ can query the private key extraction oracle, delegation generation oracle, and signing oracle.

Private key extraction oracle: Its input is an attribute set $\omega$ and its output is a private key.

Delegation generation oracle: Its inputs include a predicate $\mathrm{{\rm Y}}$ and a warrant w and its output is a delegation.

Signing oracle: Its inputs include a predicate $\mathrm{{\rm Y}}$, w, and a message m and its output is a signature $\sigma$.

(4)

Forgery: ${\mathcal{A}}_{\mathcal{II}}$ outputs the signature ${\sigma }^{*}$.

When the forgery satisfies the following requirements, ${\mathcal{A}}_{\mathcal{II}}$ wins the game.

• ${\mathcal{A}}_{\mathcal{II}}$ has never submitted $\omega$ where there is not a subset ${\omega }_o\subset \omega$ satisfying ${\mathrm{{\rm Y}}}^{*}\left({\omega }_o\right)=1$ to the private key extraction oracle.
• ${\mathcal{A}}_{\mathcal{II}}$ has never submitted ($w^{*}$, ${\mathrm{{\rm Y}}}^{*}$) to the delegation generation oracle.
• ${\mathcal{A}}_{\mathcal{II}}$ has never submitted ($m^{*}$, $w^{*}$, ${\mathrm{{\rm Y}}}^{*}$) to the signing oracle.
• The ${\sigma }^{*}$ is valid.

The success probability of ${\mathcal{A}}_{\mathcal{II}}$ is defined as the advantage $Ad{v}_{ABPS,{\mathcal{A}}_{\mathcal{II}}}^{EUF-sP-CMA}$.

Definition 2.

(EUF-sP-CMA against ${\mathcal{A}}_{\mathcal{II}}$). An ABPS scheme has EUF-sP-CMA against ${\mathcal{A}}_{\mathcal{II}}$ if $Ad{v}_{ABPS,{\mathcal{A}}_{\mathcal{II}}}^{EUF-sP-CMA}$ is negligible, that is, $Ad{v}_{ABPS,{\mathcal{A}}_{\mathcal{II}}}^{EUF-sP-CMA}\le \epsilon$ where ε is negligible.

Secondly, we define EUF-sP-CMA against ${\mathcal{A}}_{\mathcal{III}}$ through the following game.

(1)

Initialization: ${\mathcal{A}}_{\mathcal{III}}$ chooses the challenge predicate ${\mathrm{{\rm Y}}}^{*}$.

(2)

Setup: $\mathcal{C}$ runs algorithm Extract to generate $s{k}_o$, $p{k}_o$, $s{k}_p$, and $p{k}_p$. $\mathcal{C}$ keeps $MSK$ and $s{k}_p$ secret and sends $params$ and $(s{k}_o,p{k}_o,p{k}_p)$ to ${\mathcal{A}}_{\mathcal{III}}$.

(3)

Queries: ${\mathcal{A}}_{\mathcal{III}}$ can query the private key extraction oracle and signing oracle.

Private key extraction oracle: It takes an attribute set $\omega$ as input and outputs a private key.

Signing oracle: This oracle takes a predicate $\mathrm{{\rm Y}}$, a warrant w, and a message m as inputs and outputs a signature $\sigma$.

(4)

Forgery: ${\mathcal{A}}_{\mathcal{III}}$ outputs the signature ${\sigma }^{*}$.

If the forgery satisfies the following requirements, ${\mathcal{A}}_{\mathcal{III}}$ wins the game.

• ${\mathcal{A}}_{\mathcal{III}}$ has never submitted $\omega$ where there is not a subset ${\omega }_p\subset \omega$ satisfying ${\mathrm{{\rm Y}}}^{*}\left({\omega }_p\right)=1$ to the private key extraction oracle.
• ${\mathcal{A}}_{\mathcal{III}}$ has never submitted ($m^{*}$, $w^{*}$, ${\mathrm{{\rm Y}}}^{*}$) to the signing oracle.
• The ${\sigma }^{*}$ is valid.

The success probability of ${\mathcal{A}}_{\mathcal{III}}$ is defined as the advantage $Ad{v}_{ABPS,{\mathcal{A}}_{\mathcal{III}}}^{EUF-sP-CMA}$.

Definition 3.

(EUF-sP-CMA against ${\mathcal{A}}_{\mathcal{III}}$). An ABPS scheme has EUF-sP-CMA against ${\mathcal{A}}_{\mathcal{III}}$ if $Ad{v}_{ABPS,{\mathcal{A}}_{\mathcal{III}}}^{EUF-sP-CMA}$ is negligible, that is, $Ad{v}_{ABPS,{\mathcal{A}}_{\mathcal{III}}}^{EUF-sP-CMA}\le \epsilon$ where ε is negligible.

Definition 4.

(EUF-sP-CMA). An ABPS scheme has EUF-sP-CMA if it has EUF-sP-CMA against ${\mathcal{A}}_{\mathcal{II}}$ and EUF-sP-CMA against ${\mathcal{A}}_{\mathcal{III}}$.

5.2.2. Signer’s Privacy

The signer’s privacy is defined through the following game.

(1)

Setup: $\mathcal{C}$ chooses security parameter and generates $params$ and $MSK$.

(2)

Queries: $\mathcal{A}$ queries two attribute sets ${\omega }_1^{*}$ and ${\omega }_2^{*}$ to obtains private keys $s{k}_{{\omega }_1^{*}}$ and $s{k}_{{\omega }_2^{*}}$.

(3)

Challenge: $\mathcal{A}$ outputs a message $m^{*}$, ${\omega }_1^{*}$, ${\omega }_2^{*}$, and predicate, which satisfies ${\mathrm{{\rm Y}}}_{k,{\omega }^{\diamond }}\left({\omega }_1^{*}\right)=1$ and ${\mathrm{{\rm Y}}}_{k,{\omega }^{\diamond }}\left({\omega }_2^{*}\right)=1$. $\mathcal{C}$ randomly chooses $u\in \{1,2\}$ and computes signature ${\sigma }^{*}$ on $m^{*}$ with ${\omega }_u^{*}$. It sends ${\sigma }^{*}$ to $\mathcal{A}$.

(4)

Guess: $\mathcal{A}$ guesses ${\sigma }^{*}$ was computed from ${\omega }_1^{*}$ or ${\omega }_2^{*}$ and outputs $u^{\prime }\in \{1,2\}$. If $\mathcal{A}$ guesses that ${\sigma }^{*}$ was computed from ${\omega }_1^{*}$, it will output $u^{\prime }=1$. Otherwise, it will output $u^{\prime }=2$. If $u^{\prime }=u$, $\mathcal{A}$ wins this game.

The advantage of $\mathcal{A}$ is defined as $Ad{v}_{ABPS,\mathcal{A}}^{Priv}=|Pr[u^{\prime }=u]-\frac{1}{2}|$.

Definition 5.

(Signer’s privacy). An ABPS scheme the provides signer’s privacy if any adversary $\mathcal{A}$ cannot win this game with non-negligible advantage.

6. ABPS Scheme Analysis

6.1. Correctness

We prove that our ABPS scheme is correct through two steps. Firstly, we prove the algorithms DelGen and DelVer are correct.

$$\begin{array}{cc}\hfill & \frac{e(g,{\sigma }_{o,0})}{[{\prod }_{i_o\in {\omega }^{\diamond }\cup {\mathsf{\Omega }}_o^{\prime }}e(H_1(i_o),{\sigma }_{i_o})]e(H_2(w),{\sigma }_{o,0}^{\prime })}\hfill \\ \hfill =& \frac{e(g,{\prod }_{i_o\in {\omega }_o^{\prime }\cup {\mathsf{\Omega }}_o^{\prime }}{d}_{i_{o}0}^{{\Delta }_{i_o,S_o}(0)})e(g,{\prod }_{i_o\in {\omega }^{\diamond }\cup {\mathsf{\Omega }}_o^{\prime }}{H}_1{(i_o)}^{r_{i_o}^{\prime }})}{[{\prod }_{i_o\in {\omega }_o^{\prime }\cup {\mathsf{\Omega }}_o^{\prime }}e(H_1(i_o),d_{i_{o}1}^{{\Delta }_{i_o,S_o}(0)}{g}^{r_{i_o}^{\prime }})][{\prod }_{i_o\in {\omega }^{\diamond }/{\omega }_o^{\prime }}e(H_1(i_o),g^{r_{i_o}^{\prime }})]}\hfill \\ \hfill =& \frac{e(g,{\prod }_{i_o\in {\omega }_o^{\prime }\cup {\mathsf{\Omega }}_o^{\prime }}{(g_2^{t(i_o)}{H}_1{(i_o)}^{r_{i_o}})}^{{\Delta }_{i_o,S_o}(0)})e(g,{\prod }_{i_o\in {\omega }^{\diamond }\cup {\mathsf{\Omega }}_o^{\prime }}{H}_1{(i_o)}^{r_{i_o}^{\prime }})}{[{\prod }_{i_o\in {\omega }_o^{\prime }\cup {\mathsf{\Omega }}_o^{\prime }}e(H_1(i_o),g^{r_{i_o}{\Delta }_{i_o,S_o}(0)}{g}^{r_{i_o}^{\prime }})][{\prod }_{i_o\in {\omega }^{\diamond }/{\omega }_o^{\prime }}e(H_1(i_o),g^{r_{i_o}^{\prime }})]}\hfill \\ \hfill =& \frac{e(g,{\prod }_{i_o\in {\omega }_o^{\prime }\cup {\mathsf{\Omega }}_o^{\prime }}{g}_2^{t(i_o){\Delta }_{i_o,S_o}(0)})e(g,{\prod }_{i_o\in {\omega }_o^{\prime }\cup {\mathsf{\Omega }}_o^{\prime }}{H}_1{(i_o)}^{r_{i_o}{\Delta }_{i_o,S_o}(0)})e(g,{\prod }_{i_o\in {\omega }^{\diamond }\cup {\mathsf{\Omega }}_o^{\prime }}{H}_1{(i_o)}^{r_{i_o}^{\prime }})}{[{\prod }_{i_o\in {\omega }_o^{\prime }\cup {\mathsf{\Omega }}_o^{\prime }}e(H_1{(i_o)}^{r_{i_o}{\Delta }_{i_o,S_o}(0)},g)][{\prod }_{i_o\in {\omega }_o^{\prime }\cup {\mathsf{\Omega }}_o^{\prime }}e(H_1{(i_o)}^{r_{i_o}^{\prime }},g)][{\prod }_{i_o\in {\omega }^{\diamond }/{\omega }_o^{\prime }}e(H_1{(i_o)}^{r_{i_o}^{\prime }},g)]}\hfill \\ \hfill =& e(g,g_2^{\alpha })\hfill \\ \hfill =& Z\hfill \end{array}$$

Secondly, we prove the algorithms Sign and Verify are correct.

$$\begin{array}{cc}\hfill & \frac{e(g,{\sigma }_{p,0})}{[{\prod }_{i_p\in {\omega }^{\diamond }\cup {\mathsf{\Omega }}_p^{\prime }}e(H_1(i_p),{\sigma }_{i_p})]e(H_3(m),{\sigma }_{p,0}^{\prime })}·\frac{1}{[{\prod }_{i_o\in {\omega }^{\diamond }\cup {\mathsf{\Omega }}_o^{\prime }}e(H_1(i_o),{\sigma }_{i_o})]e(H_2(w),{\sigma }_{o,0}^{\prime })}\hfill \\ \hfill =& \frac{e(g,[{\prod }_{i_p\in {\omega }_p^{\prime }\cup {\mathsf{\Omega }}_p^{\prime }}{d}_{i_{p}0}^{{\Delta }_{i_p,S_p}(0)}][{\prod }_{i_p\in {\omega }^{\diamond }\cup {\mathsf{\Omega }}_p^{\prime }}{H}_1{(i_p)}^{r_{i_p}^{\prime }}])}{[{\prod }_{i_p\in {\omega }^{\diamond }\cup {\mathsf{\Omega }}_p^{\prime }}e(H_1(i_p),{\sigma }_{i_p})]}·Z\hfill \\ \hfill =& e(g,g_2^{\alpha })·Z\hfill \\ \hfill =& Z^2\hfill \end{array}$$

6.2. Security Analysis

We prove that our ABPS scheme has unforgeability and protects the signer’s privacy.

6.2.1. Unforgeability

We prove that our ABPS scheme has EUF-sP-CMA against ${\mathcal{A}}_{\mathcal{II}}$ and EUF-sP-CMA against ${\mathcal{A}}_{\mathcal{III}}$. Afterwards, we conclude that our ABPS scheme has EUF-sP-CMA.

Theorem 1.

The proposed ABPS scheme has EUF-sP-CMA against ${\mathcal{A}}_{\mathcal{II}}$ if the CDH assumption holds in $\mathbb{G}$.

Proof. 

It is assumed that an adversary ${\mathcal{A}}_{\mathcal{II}}$ attacks our ABPS scheme with the probability $\epsilon$. By using ${\mathcal{A}}_{\mathcal{II}}$, an algorithm $\mathcal{B}$ solves the CDH problem with the probability ${\epsilon }^{\prime }$. It is assumed that ${\mathcal{A}}_{\mathcal{II}}$ makes $q_{H_1},q_{H_2},q_{H_3},q_K,q_D$ and $q_S$ queries to $H_1$-Oracle, $H_2$-Oracle, $H_3$-Oracle, private key extraction oracle, delegation generation oracle, and signing oracle, respectively. It sets $X=g^x$ and $Y=g^y$ where $x,y\in {\mathbb{Z}}_q$ are random numbers. We will build an algorithm $\mathcal{B}$ to compute $g^{xy}$.

It is assumed that the default attribute set is $\mathsf{\Omega }=\{{\mathsf{\Omega }}_1,{\mathsf{\Omega }}_2,\cdots ,{\mathsf{\Omega }}_{d-1}\}$ where d is a predefined integer. ${\mathcal{A}}_{\mathcal{II}}$ selects the challenge predicate ${\mathrm{{\rm Y}}}^{*}$. $\mathcal{B}$ randomly selects $\zeta \in \{1,2,...,q_{H_2}\}$, $\delta \in \{1,2,...,q_{H_3}\}$, and a subset ${\mathsf{\Omega }}^{*}\subseteq \mathsf{\Omega }$ with $|{\mathsf{\Omega }}^{*}|=d-k$. It sets $g_1=X$ and $g_2=Y$.

$H_1$-Oracle: When ${\mathcal{A}}_{\mathcal{II}}$ queries the $H_1$-Oracle with i, $\mathcal{B}$ will return the corresponding $H_1\left(i\right)$ in the $H_1-list$. Otherwise, $\mathcal{B}$ computes $H_1\left(i\right)$ as

$$H_1\left(i\right)=\left\{\begin{array}{cc}{g}^{b_i}\hfill & i\in {\omega }^{*}\cup {\mathsf{\Omega }}^{*}\hfill \\ g_1^{-b_i}{g}^{a_i}\hfill & i\notin {\omega }^{*}\cup {\mathsf{\Omega }}^{*}.\hfill \end{array}\right.$$

Here, $a_i$ and $b_i$ are random numbers and $a_i,b_i\in {\mathbb{Z}}_q$. $\mathcal{B}$ returns $H_1\left(i\right)$ to ${\mathcal{A}}_{\mathcal{II}}$ and adds it to the $H_1-list$.

$H_2$-Oracle: When ${\mathcal{A}}_{\mathcal{II}}$ queries the $H_2$-Oracle with $w_{i^{\prime }}$, $\mathcal{B}$ will return the corresponding $H_2\left(w_{i^{\prime }}\right)$ in the $H_2-list$. Otherwise, $\mathcal{B}$ computes $H_2\left(w_{i^{\prime }}\right)$ as

$$H_2\left(w_{i^{\prime }}\right)=\left\{\begin{array}{cc}{g}_1^{c_{i^{\prime }}^{\prime }}{g}^{a_{i^{\prime }}^{\prime }}\hfill & i^{\prime }\ne \zeta \hfill \\ g^{a_{i^{\prime }}^{\prime }}\hfill & i^{\prime }=\zeta .\hfill \end{array}\right.$$

Here, $c_{i^{\prime }}^{\prime }$ and $a_{i^{\prime }}^{\prime }$ are random numbers and $c_{i^{\prime }}^{\prime },a_{i^{\prime }}^{\prime }\in {\mathbb{Z}}_q$. $\mathcal{B}$ returns $H_2\left(w_{i^{\prime }}\right)$ to ${\mathcal{A}}_{\mathcal{II}}$ and adds it to the $H_2-list$.

$H_3$-Oracle: When ${\mathcal{A}}_{\mathcal{II}}$ queries the $H_3$-Oracle with message $m_{i^{″}}$, $\mathcal{B}$ will return the corresponding $H_3\left(m_{i^{″}}\right)$ in the $H_3-list$. Otherwise, $\mathcal{B}$ will compute $H_3\left(m_{i^{″}}\right)$ as

$$H_3\left(m_{i^{″}}\right)=\left\{\begin{array}{cc}{g}_1^{c_{i^{″}}^{″}}{g}^{a_{i^{″}}^{″}}\hfill & i^{″}\ne \delta \hfill \\ g^{a_{i^{″}}^{″}}\hfill & i^{″}=\delta .\hfill \end{array}\right.$$

Here, $c_{i^{″}}^{″}$ and $a_{i^{″}}^{″}$ are random numbers and $c_{i^{\prime \prime }}^{\prime \prime },a_{i^{\prime \prime }}^{\prime \prime }\in {\mathbb{Z}}_q$. $\mathcal{B}$ returns $H_3\left(m_{i^{\prime \prime }}\right)$ to ${\mathcal{A}}_{\mathcal{II}}$ and adds it to the $H_3-list$.

Private key extraction oracle: When ${\mathcal{A}}_{\mathcal{II}}$ queries this oracle with an attribute set $\omega$ with $|\omega \cap {\omega }^{*}|<k$, $\mathcal{B}$ sets $\mathsf{\Gamma }={\mathsf{\Omega }}^{*}\cup (\omega \cap {\omega }^{*})$. It also sets $\mathsf{\Gamma }\subseteq {\mathsf{\Gamma }}^{\prime }\subseteq S$ with $|{\mathsf{\Gamma }}^{\prime }|=d-1$ and $S=\left\{0\right\}\cup {\mathsf{\Gamma }}^{\prime }$.

For $i\in {\mathsf{\Gamma }}^{\prime }$, $\mathcal{B}$ simulates the key as $D_i=(d_{i0},d_{i1})=(g_2^{f_i}{H}_1{\left(i\right)}^{r_i},g^{r_i})$ where $f_i$ and $r_i$ are random numbers and $f_i,r_i\in {\mathbb{Z}}_q$.

For $i\notin {\mathsf{\Gamma }}^{\prime }$, $\mathcal{B}$ sets $r_i=\frac{{\Delta }_{0,S}\left(i\right)}{b_i}y+r_i^{\prime }$ and $t\left(i\right)={\Sigma }_{j\in {\mathsf{\Gamma }}^{\prime }}{\Delta }_{j,S}\left(i\right)t\left(j\right)+{\Delta }_{0,S}\left(i\right)t\left(0\right)$ where $t\left(0\right)=x$. It simulates the key as $D_i=(d_{i0},d_{i1})=(g_2^{\frac{{\Delta }_{0,S}\left(i\right)a_i}{b_i}+{\Sigma }_{j\in {\mathsf{\Gamma }}^{\prime }}{\Delta }_{j,S}\left(i\right)t\left(j\right)}{\left(H_1\left(i\right)\right)}^{r_i^{\prime }},g_2^{\frac{{\Delta }_{0,S}\left(i\right)}{b_i}}{g}^{r_i^{\prime }})$ where $r_i^{\prime }$ is random number and $r_i^{\prime }\in {\mathbb{Z}}_q$.

Delegation generation oracle: When $\mathcal{B}$ receives the delegation generation queries on warrant w for $\omega$, it will output the delegation.

• If $|{\omega }^{*}\cap \omega |<k$, $\mathcal{B}$ generates the delegation normally by obtaining the simulated private key.
• If $|{\omega }^{*}\cap \omega |\ge k$ and $H_2\left(w_{i^{\prime }}\right)=g^{a_{i^{\prime }}^{\prime }}$, it is aborted.
• If $|{\omega }^{*}\cap \omega |\ge k$ and $H_2\left(w_{i^{\prime }}\right)\ne g^{a_{i^{\prime }}^{\prime }}$, $\mathcal{B}$ selects a random subset ${\mathsf{\Omega }}^{\prime }$ with $|{\mathsf{\Omega }}^{\prime }|=(d-\left|\omega \right|)$ from $\mathsf{\Omega }$. It sets $s=-\frac{y}{c_{i_d}^{\prime }}+s^{\prime }$ and simulates as ${\sigma }_{o,0}={\left(g_1^{c_{i_d}^{\prime }}{g}^{a_i^{\prime }}\right)}^{s^{\prime }}{\prod }_{i\in \omega \cup {\mathsf{\Omega }}^{\prime }}{H}_1{\left(i\right)}^{r_i}{g}_2^{\frac{-a_i^{\prime }}{c_{i_d}^{\prime }}}$, ${\{{\sigma }_{o,i}=g^{r_i}\}}_{i\in \omega \cup {\mathsf{\Omega }}^{\prime }}$, ${\sigma }_{o,0}^{\prime }=g_2^{-\frac{1}{c_{i_d}^{\prime }}}{g}^{s^{\prime }}$. Here, $s^{\prime }$ is a random number and $s^{\prime }\in {\mathbb{Z}}_q$.

Signing oracle: ${\mathcal{A}}_{\mathcal{II}}$ makes queries on message m and w for $\omega$. If $H_2\left(w_{i^{\prime }}\right)=g^{a_{i^{\prime }}^{\prime }}$ and $H_3\left(m_{i^{\prime \prime }}\right)=g^{a_{i^{\prime \prime }}^{\prime \prime }}$, it is aborted. Otherwise, $\mathcal{B}$ can compute and output the signature.

$Forgey$: After all queries, ${\mathcal{A}}_{\mathcal{II}}$ outputs a forged signature ${\sigma }^{*}$ on $m^{*}$ and $w^{*}$ with ${\omega }^{*}$ and $\overline{{\mathsf{\Omega }}^{*}}$. If $H_2\left(w^{*}\right)\ne g^{a_{\zeta }^{\prime }}$, or $H_3\left(m^{*}\right)\ne g^{a_{\delta }^{\prime \prime }}$, or $\overline{{\mathsf{\Omega }}^{*}}\ne {\mathsf{\Omega }}^{*}$, $\mathcal{B}$ will abort. Otherwise, this signature is verified as

$$\begin{array}{cc}\hfill & {(\frac{e(g,{\sigma }_{p,0}^{*})}{[{\prod }_{i_p\in {\omega }^{*}\cup {\mathsf{\Omega }}^{*}}e(H_1(i_p),{\sigma }_{i_p}^{*})]e(H_3(m),{\sigma }_{p,0}^{\prime *})}·\frac{1}{[{\prod }_{i_o\in {\omega }^{*}\cup {\mathsf{\Omega }}^{*}}e(H_1(i_o),{\sigma }_{i_o}^{*})]e(H_2(w),{\sigma }_{o,0}^{\prime *})})}^{\frac{1}{2}}\hfill \\ \hfill =& {(\frac{e(g,{\sigma }_{p,0}^{*})}{[{\prod }_{i_p\in {\omega }^{*}\cup {\mathsf{\Omega }}^{*}}e(g^{b_{i_p}},{\sigma }_{i_p}^{*})]e(g^{a_{\delta }^{\prime \prime }},{\sigma }_{p,0}^{\prime *})}·\frac{1}{[{\prod }_{i_o\in {\omega }^{*}\cup {\mathsf{\Omega }}^{*}}e(g^{b_{i_o}},{\sigma }_{i_o}^{*})]e(g^{a_{\zeta }^{\prime }},{\sigma }_{o,0}^{\prime *})})}^{\frac{1}{2}}\hfill \\ \hfill =& {(\frac{e(g,{\sigma }_{p,0}^{*})}{[{\prod }_{i_p\in {\omega }^{*}\cup {\mathsf{\Omega }}^{*}}e(g,{({\sigma }_{i_p}^{*})}^{b_{i_p}})]e(g,{({\sigma }_{p,0}^{\prime *})}^{a_{\delta }^{\prime \prime }})}·\frac{1}{[{\prod }_{i_o\in {\omega }^{*}\cup {\mathsf{\Omega }}^{*}}e(g,{({\sigma }_{i_o}^{*})}^{b_{i_o}})]e(g,{({\sigma }_{o,0}^{\prime *})}^{a_{\zeta }^{\prime }})})}^{\frac{1}{2}}\hfill \\ \hfill =& e(g,g^{xy}).\hfill \end{array}$$

$\mathcal{B}$ can compute $g^{xy}={(\frac{{\sigma }_{p,0}^{*}}{[{\prod }_{i_p\in {\omega }^{*}\cup {\mathsf{\Omega }}^{*}}{\left({\sigma }_{i_p}^{*}\right)}^{b_{i_p}}][{\prod }_{i_o\in {\omega }^{*}\cup {\mathsf{\Omega }}^{*}}{\left({\sigma }_{i_o}^{*}\right)}^{b_{i_o}}]{\left({\sigma }_{p,0}^{\prime *}\right)}^{a_{\delta }^{\prime \prime }}{\left({\sigma }_{o,0}^{\prime *}\right)}^{a_{\zeta }^{\prime }}})}^{\frac{1}{2}}$.

Therefore, $\mathcal{B}$ solves the CDH problem. According to the security model, we compute ${\epsilon }^{\prime }\approx \frac{1}{q_{H_2}}\frac{1}{\left(\genfrac{}{}{0pt}{}{d-k}{d-1}\right)}\frac{1}{q_{H_2}}\frac{1}{q_{H_3}}\frac{1}{\left(\genfrac{}{}{0pt}{}{d-k}{d-1}\right)}\epsilon$. Namely, $\mathcal{B}$ solves CDH problem with the probability ${\epsilon }^{\prime }\approx \frac{\epsilon }{q_{H_2}^2{q}_{H_3}{\left(\genfrac{}{}{0pt}{}{d-k}{d-1}\right)}^2}$. Therefore, our ABPS scheme has EUF-sP-CMA against ${\mathcal{A}}_{\mathcal{II}}$. □

Theorem 2.

The proposed ABPS scheme has EUF-sP-CMA against ${\mathcal{A}}_{\mathcal{III}}$ if the CDH assumption holds in $\mathbb{G}$.

Proof. 

The proof of Theorem 2 is similar to the proof of Theorem 1. $\mathcal{B}$ solves the CDH problem with the probability ${\epsilon }^{\prime }\approx \frac{\epsilon }{q_{H_2}{q}_{H_3}\left(\genfrac{}{}{0pt}{}{d-k}{d-1}\right)}$. Therefore, the proposed ABPS scheme has EUF-sP-CMA against ${\mathcal{A}}_{\mathcal{III}}$. □

Our ABPS scheme has EUF-sP-CMA against ${\mathcal{A}}_{\mathcal{II}}$ and EUF-sP-CMA against ${\mathcal{A}}_{\mathcal{III}}$. Therefore, our ABPS scheme has EUF-sP-CMA.

6.2.2. Signer’s Privacy

We prove that our ABPS scheme can protect the original signer’s privacy and the proxy signer’s privacy, respectively.

Theorem 3.

The proposed ABPS scheme protects the original signer’s privacy.

Proof. 

The delegation in our ABPS scheme can be seen as a signature on the warrant. It uses an attribute set that satisfies the predicate ${\mathrm{{\rm Y}}}_{k,{\omega }^{\diamond }}$ to compute the delegation in our ABPS scheme. Other attribute sets that satisfy the predicate ${\mathrm{{\rm Y}}}_{k,{\omega }^{\diamond }}$ can also compute the delegation. Namely, the delegation can be generated from any subset of k attributes in the given attributes. An adversary cannot infer the original signer’s identity. Next, we prove that our scheme protects the original signer’s privacy when $k=n$ where $n=|{\omega }^{\diamond }|$. It is assumed that the attribute authority generates parameters and a master secret key $\alpha$ and sends them to the adversary. The adversary outputs two attribute sets ${\omega }_{o,u}^{*}$ where $u\in \{1,2\}$ and sets ${\overline{\omega }}_o^{*}={\omega }_{o,1}^{*}\cap {\omega }_{o,2}^{*}$. The default attribute set $\mathsf{\Omega }$ contains $(d-1)$ elements. The challenger or adversary computes the private key $s{k}_{\widehat{{\omega }_{o,1}^{*}}}$ and $s{k}_{\widehat{{\omega }_{o,2}^{*}}}$ where $\widehat{{\omega }_{o,1}^{*}}={\omega }_{o,1}^{*}\cup \mathsf{\Omega }$ and $\widehat{{\omega }_{o,2}^{*}}={\omega }_{o,2}^{*}\cup \mathsf{\Omega }$.

The adversary outputs a warrant $w^{*}$ and ${\omega }_o^{*}$ that satisfies ${\omega }_o^{*}\subseteq {\overline{\omega }}_o^{*}$, $|{\omega }_o^{*}|=k$, and $k\le d$. It requires the challenger to compute the delegation on the warrant $w^{*}$ with the attribute set ${\omega }_o^{*}$. The challenger randomly chooses $u\in \{1,2\}$ and an attribute set ${\mathsf{\Omega }}_o^{\prime }$ that satisfies ${\mathsf{\Omega }}_o^{\prime }\subseteq \mathsf{\Omega }$ and $|{\mathsf{\Omega }}_o^{\prime }|=d-k$. The challenger outputs the delegation ${\sigma }_{o,0}^{*}=g_2^{\alpha }[{\prod }_{i_o\in {\omega }_o^{*}\cup {\mathsf{\Omega }}_o^{\prime }}{H}_1{\left(i_o\right)}^{r_{i_o}}]H_2{\left(w\right)}^{s_o}$, $\{{\left({\sigma }_{i_o}\right)}_{i_o\in {\omega }_o^{*}\cup {\mathsf{\Omega }}_o^{\prime }}=g^{r_{i_o}}\}$, and ${\sigma }_{o,0}^{\prime }=g^{s_o}$ by running the algorithm DelGen. It is obvious that the delegation can be generated from $s{k}_{\widehat{{\omega }_{o,1}^{*}}}$ or $s{k}_{\widehat{{\omega }_{o,2}^{*}}}$. Namely, if the delegation is computed by $s{k}_{\widehat{{\omega }_{o,1}^{*}}}$, it can also be computed by $s{k}_{\widehat{{\omega }_{o,2}^{*}}}$. In the similar method, we can prove that if the delegation is computed by $s{k}_{\widehat{{\omega }_{o,2}^{*}}}$, it can also be computed by $s{k}_{\widehat{{\omega }_{o,1}^{*}}}$. Therefore, our ABPS scheme protects the original signer’s privacy. □

Next, we will prove that our ABPS scheme protects the proxy signer’s privacy in a similar way.

Theorem 4.

The proposed ABPS scheme protects the proxy signer’s privacy.

Proof. 

The proxy signature contains the delegation $\{{\sigma }_{o,0},{\sigma }_{i_o},{\sigma }_{o,0}^{\prime }\}$. The delegation does not reveal the original signer’s identity and protects its privacy. Next, we will prove that the proxy signature also protects the proxy signer’s privacy when $k=n$ where $n=|{\omega }^{\diamond }|$. It is assumed that the attribute authority generates parameters and a master secret key $\alpha$ and sends them to an adversary. The adversary outputs two attribute sets ${\omega }_{p,u}^{*}$ where $u\in \{1,2\}$ and sets ${\overline{\omega }}_p^{*}={\omega }_{p,1}^{*}\cap {\omega }_{p,2}^{*}$. The default attribute set $\mathsf{\Omega }$ contains $(d-1)$ elements. The challenger or adversary computes the private key $s{k}_{\widehat{{\omega }_{p,1}^{*}}}$ and $s{k}_{\widehat{{\omega }_{p,2}^{*}}}$ where $\widehat{{\omega }_{p,1}^{*}}={\omega }_{p,1}^{*}\cup \mathsf{\Omega }$ and $\widehat{{\omega }_{p,2}^{*}}={\omega }_{p,2}^{*}\cup \mathsf{\Omega }$. The adversary outputs a message $m^{*}$ and ${\omega }_p^{*}$ that satisfies ${\omega }_p^{*}\subseteq {\overline{\omega }}_p^{*}$, $|{\omega }_p^{*}|=k$, and $k\le d$. It requires the challenger to compute the signature on the message $m^{*}$ with the attribute set ${\omega }_p^{*}$. The challenger randomly chooses $u\in \{1,2\}$ and ${\mathsf{\Omega }}_p^{\prime }$ that satisfies ${\mathsf{\Omega }}_p^{\prime }\subseteq \mathsf{\Omega }$ and $|{\mathsf{\Omega }}_p^{\prime }|=d-k$. The challenger outputs the signature ${\sigma }_{p,0}^{*}={\sigma }_{o,0}^{*}{g}_2^{\alpha }[{\prod }_{i_p\in {\omega }_p^{*}\cup {\mathsf{\Omega }}_p^{\prime }}{H}_1{\left(i_p\right)}^{r_{i_p}}]H_3{\left(m\right)}^{s_p}$, $\{{({\sigma }_{i_p})}_{i_p\in {\omega }_p^{*}\cup {\mathsf{\Omega }}_p^{\prime }}=g^{r_{i_p}}\}$, and ${\sigma }_{p,0}^{\prime }=g^{s_p}$ by running the algorithm Sign. The signature can be generated from $s{k}_{\widehat{{\omega }_{p,1}^{*}}}$ or $s{k}_{\widehat{{\omega }_{p,2}^{*}}}$. Namely, if the signature is computed by $s{k}_{\widehat{{\omega }_{p,1}^{*}}}$, it can also be computed by $s{k}_{\widehat{{\omega }_{p,2}^{*}}}$. Similarly, we can prove that if the signature is computed by $s{k}_{\widehat{{\omega }_{p,2}^{*}}}$, it can also be computed by $s{k}_{\widehat{{\omega }_{p,1}^{*}}}$. Therefore, our ABPS scheme protects the proxy signer’s privacy. □

Our ABPS scheme protects the signer’s privacy. We compare our ABPS scheme with ABPS-LXM [31], ABPS-SCX [32], and ABPS-HL [33], as shown in

Table 3. Comparison of different ABPS schemes.

Signature Schemes	Authentication	Signer’s Privacy	Flexible Threshold Predicate
Our ABPS	√	√	√
ABPS-LXM	√	√	√
ABPS-SCX	√	√	×
ABPS-HL	√	√	×

.

6.3. Efficiency Analysis

We compare the efficiency of our ABPS scheme with ABPS-LXM, ABPS-SCX, and ABPS-HL.

6.3.1. Computation Costs

We theoretically analyze our ABPS scheme, ABPS-LXM, and ABPS-SCX and obtain the amount of some basic operations, such as exponential operation, hash operation, and pairing operation in the algorithms Sign and Verify. The results are presented in

Table 4. Amount of some basic operations in the algorithm Sign of different ABPS schemes.

Signature Schemes	Exponential Operation	Hash Operation	Pairing Operation
Our ABPS	2n + 4d − 2k + 2	n + d − k + 1	0
ABPS-LXM	(n + d − k)(n + 4) + 2d + 4	0	0
ABPS-SCX	2	1	0
ABPS-HL	6d	d + 1	0

and

Table 5. Amount of some basic operations in the algorithm Verify of different ABPS schemes.

Signature Schemes	Exponential Operation	Hash Operation	Pairing Operation
Our ABPS	0	2(n + d − k + 1)	2(n + d − k) + 3
ABPS-LXM	2(n + d − k)(n + 2)	0	2(n + d − k) + 3
ABPS-SCX	(n + 3)d	2	3d + 2
ABPS-HL	2d	2d + 2	4d + 1

. We use the Java pairing-based cryptography (jPBC) library [34] to implement these basic operations. The computer has 13th Gen Intel(R) Core(TM) i5-13400 CPU and 16 GB RAM. We obtain the computation time of performing these basic operations as listed in

Table 6. Computation time of some basic operations.

Basic Operation	Computation Time (ms)
Exponential operation	8.96
Hash operation	19.84
Pairing operation	9.61

.

We can estimate the computation time of the algorithms Sign and Verify in our ABPS scheme, ABPS-LXM, ABPS-SCX, and ABPS-HL. For the convenience of research and presentation, we assume that the variables in our ABPS scheme, as well as the ABPS-LXM, are such that $n=d=2k$ and $n=d,S_A=S_B$ in the ABPS-SCX scheme. Our estimation results are illustrated as Figure 3 and Figure 4. For the algorithms Sign and Verify, it is obvious that our ABPS scheme has less computation time than ABPS-LXM and almost equal computation time to ABPS-HL. Our ABPS scheme has more computation time in the algorithm Sign and less computation time in the algorithm Verify than ABPS-SCX. We sum the computation time of the algorithms Sign and Verify in the four signature schemes, respectively. The results are illustrated as Figure 5. Our ABPS scheme has a lower sum of computation time than ABPS-LXM and ABPS-SCX and almost an equal sum of computation time to ABPS-HL. Therefore, our APBS scheme has less computation costs.

6.3.2. Communication Costs

We analyze the signature lengths of these ABPS scheme, as listed in

Table 7. Signature lengths of different ABPS schemes.

Signature Schemes	Signature Length
Our ABPS	$\left(2\right(n+d-k)+3)\left|G\right|$
ABPS-LXM	$\left(2\right(n+d-k)+3)\left|G\right|$
ABPS-SCX	$(3d+2)\left|G\right|$
ABPS-HL	$(4d+1)\left|G\right|$

. The signature length of our ABPS scheme is equal to the signature length of ABPS-LXM. The signature length of our ABPS is at the same level with ABPS-SCX and ABPS-HL. Especially, the signature length of our ABPS scheme is shorter than that of ABPS-HL and almost equal to the signature length of ABPS-SCX if $n=d=2k$. Therefore, the communication costs of our ABPS scheme are at the same level as other ABPS schemes.

7. Conclusions

A digital signature scheme can protect the commands in the UAV networks. An ABPS scheme allows a proxy signer to compute the digital signature and protects the signer’s privacy. We proposed an ABPS scheme that supports flexible threshold predicate in the UAV networks and proved its security. It has EUF-sP-CMA and protects the signer’s privacy. We compared the efficiency of our ABPS scheme with other ABPS schemes. We theoretically analyzed the computation costs of ABPS schemes and provided an estimation based on the experimental data. The results indicate that our ABPS scheme has lower computation costs. We also theoretically analyzed the communication costs of these ABPS schemes. The results indicate that the communication costs of our ABPS scheme are at the same level as other ABPS schemes.

In the future, we will continue to research efficient ABPS schemes for UAV networks. We will further reduce the computation costs of UAV by decreasing the amount of some basic operations and reduce the computation costs by shortening the signature length.