Attribute-based versions of Schnorr and ElGamal

Abstract

We design in this paper the first attribute-based cryptosystems that work in the classical discrete logarithm, pairing-free, setting. The attribute-based signature scheme can be seen as an extension of Schnorr signatures, with adaptive security relying on the discrete logarithm assumption, in the random oracle model. The attribute-based encryption schemes can be seen as extensions of ElGamal cryptosystem, with adaptive security relying on the decisional Diffie–Hellman assumption, in the standard model. The proposed schemes are secure only in a bounded model: the systems admit L secret keys, at most, for a bound L that must be fixed in the setup of the systems. The efficiency of the cryptosystems, later, depends on this bound L. Although this is an important drawback that can limit the applicability of the proposed schemes in some real-life applications, it turns out that the bounded security of our key-policy attribute-based encryption scheme (in particular, with L=1L=1) is enough to implement the generic transformation of Parno, Raykova and Vaikuntanathan at TCC’2012. As a direct result, we obtain a protocol for the verifiable delegation of computation of boolean functions, which does not employ pairings or lattices, and whose adaptive security relies on the decisional Diffie–Hellman assumption.