Proof of Knowledge on Monotone Predicates and its Application to Attribute-Based Identifications and Signatures

We propose a concrete procedure of a Σ-protocol proving knowledge that a set of witnesses satisfies a monotone predicate in witness-indistinguishable manner. Inspired by the high-level proposal by Cramer, Damg̊ard and Schoenmakers at CRYPTO ’94, we construct the concrete procedure by extending the so-called OR-proof. Next, using as a witness a signature-bundle of the Fiat-Shamir signatures, we provide an attribute-based identification scheme (ABID). Then, applying the Fiat-Shamir transform to our ABID, we obtain an attribute-based signature scheme (ABS). These generic schemes are constructed from a given Σ-protocol, and the latter scheme has a feature of linkable signatures. Applying the two-tier technique of Bellare et al. to our ABID, we obtain an attribute-based two-tier signature scheme (ABTTS). The scheme has a feature to attain attribute-privacy paying expense of the secondary-key issuing. We provide two directions of instantiation. One is to use the Guillou-Quisquater and the Schnorr Σ-protocols, which produce ABID, ABS and ABTTS schemes with a loose security reduction in the random oracle model in pairing-free. The other is to use the Camenisch-Lysyanskaya Σ-protocols in the RSA setting and discrete-logarithm setting, which produce ABTTS schemes with a tighter security reduction in the standard model.