Find in Library

Transitive signatures allow any entity to obtain a valid signature of <inline-formula><math xmlns="http://www.w3.org/1998/Math/MathML" display="inline"><semantics><mrow><mo>(</mo><mi>i</mi><mo>,</mo><mi>k</mi><mo>)</mo></mrow></semantics></math></inline-formula> by combining signatures of <inline-formula><math xmlns="http://www.w3.org/1998/Math/MathML" display="inline"><semantics><mrow><mo>(</mo><mi>i</mi><mo>,</mo><mi>j</mi><mo>)</mo></mrow></semantics></math></inline-formula> and <inline-formula><math xmlns="http://www.w3.org/1998/Math/MathML" display="inline"><semantics><mrow><mo>(</mo><mi>j</mi><mo>,</mo><mi>k</mi><mo>)</mo></mrow></semantics></math></inline-formula>. However, the traditional transitive signature scheme does not offer fine-grained control over the combiner. To address this issue, we propose a formal definition of the attribute-based designated combiner transitive signature (ABDCTS) and its security model, where only entities whose inherent attributes meet the access policy can combine signatures. By introducing the fine-grained access control structure, control over the combiner is achieved. To demonstrate the feasibility of our primitive, this paper presents the first attribute-based designated combiner transitive signature scheme. Under an adaptive chosen-message attack, we prove its security based on the one-more CDH problem and the co-CDH problem, and that its algorithms have robustness.