Attribute-Based Signatures without Pairings by the Fiat-Shamir Transformation

We propose an attribute-based signature scheme (ABS) with features of pairing-free, short signatures and security proof in the random oracle model. Our strategy is in the Fiat-Shamir paradigm; we first provide a concrete procedure of the Σ-protocol which enables a prover to prove possession of witnesses that satisfy a statement of a monotone boolean formula. Next, using a signature bundle scheme of the Fiat-Shamir signature as those witnesses in the Σ-protocol, we obtain a generic attribute-based identification scheme (ABID). Then, we apply the Fiat-Shamir transform to our ABID to obtain a scheme of ABS. The series of these generic constructions are obtained from a given Σ-protocol. Finally, we provide our ABID and ABS schemes concretely in the Discrete-Logarithm setting and the RSA setting. These concretions are pairing-free. Signatures of our ABS are linkable, hence attribute privacy does not hold; it holds only as a one-time signature.