Security pitfalls of "ePASS: An expressive attribute-based signature scheme"

Attribute-based signature (ABS) enables a signer, who possesses a set of attributes, to anonymously sign a message with respect to some signing policy. A recipient of the signature can just ensure that a signer owing attributes that satisfy the signing policy has indeed generated the signature, without learning any information about the signer's identity or which attributes of the signer were used to produce the signature. Thus, it can be used in many fields, such as anonymous authentication, access control and trust-negotiation. Recently, Su et al. proposed an interesting ABS scheme named ePASS to deal with the problem of privacy-preserving and authentication existing in the Internet of Things. Su et al. claimed that ePASS enjoys provable security under the computational Diffie-Hellman assumption, and can preserve the signer's privacy. However, after carefully revisiting ePASS, we find that it cannot resist forgery attacks and provide attribute signer privacy, hence fails to meet the basic security definitions of the ABS system. Consequently, ePASS is not feasible for practical applications. We conclude that constructing an expressive ABS scheme from the standard Diffie-Hellman assumption is still an open problem. (C) 2016 Elsevier Ltd. All rights reserved.