Attribute-Based Signatures for Range of Inner Product and Its Applications

In attribute-based signatures (ABS) for inner products, the digital signature analogue of attribute-based encryption for inner products (Katz et al., EuroCrypt'08), a signing-key (resp. signature) is labeled with an n-dimensional vector x is an element of Z(p)(n) (resp. y is an element of Z(p)(n)) for a prime p, and the signing succeeds iff their inner product is zero, i.e., < x, y > = 0 (mod p). We generalize it to ABS for range of inner product (ARIP), requiring the inner product to be within an arbitrarily-chosen range [L, R]. As security notions, we define adaptive unforgeablity and perfect signer-privacy. The latter means that any signature reveals no more information about x than < x, y > is an element of [L, R]. We propose two efficient schemes, secure under some Diffie-Hellman type assumptions in the standard model, based on noninteractive proof and linearly homomorphic signatures. The 2nd (resp. 1st) scheme is independent of the parameter n in secret-key size (resp. signature size and verification cost). We show that ARIP has many applications, e.g., ABS for range evaluation of polynomials/weighted averages, fuzzy identity-based signatures, time-specific signatures, ABS for range of Hamming/Euclidean distance and ABS for hyperellipsoid predicates.