International Association
for Cryptologic Research

Attribute-based signatures allow a signer owning a set of attributes to anonymously sign a message w.r.t.\\ some signing policy. A recipient of the signature is convinced that a signer with a set of attributes satisfying the signing policy has indeed produced the signature without learning the identity of the signer or which set of attributes was used in the signing.

Traceable attribute-based signatures add anonymity revocation mechanisms to attribute-based signatures whereby a special tracing authority equipped with a secret key is capable of revealing the identity of the signer. Such a feature is important in settings where accountability and abuse prevention are required.

In this work, we first provide a formal security model for traceable attribute-based signatures. Our focus is on the more practical case where attribute management is distributed among different authorities rather than relying on a single central authority.

By specializing our model to the single attribute authority setting, we overcome some of the shortcomings of the existing model for the same setting.

Our second contribution is a generic construction for the primitive which achieves a strong notion of security. Namely, it achieves CCA anonymity and its security is w.r.t.\\ adaptive adversaries. Moreover, our framework permits expressive signing polices.

Finally, we provide some instantiations of the primitive whose security reduces to falsifiable intractability assumptions and without relying on idealized assumptions.