Certificateless signature: a new security model and an improved generic construction

Certificateless cryptography involves a Key Generation Center (KGC) which issues a partial key to a user and the user also independently generates an additional public/secret key pair in such a way that the KGC who knows only the partial key but not the additional secret key is not able to do any cryptographic operation on behalf of the user; and a third party who replaces the public/secret key pair but does not know the partial key cannot do any cryptographic operation as the user either. We call this attack launched by the third party as the key replacement attack. In ACISP 2004, Yum and Lee proposed a generic construction of digital signature schemes under the framework of certificateless cryptography. In this paper, we show that their generic construction is insecure against key replacement attack. In particular, we give some concrete examples to show that the security requirements of some building blocks they specified are insufficient to support some of their security claims. We then propose a modification of their scheme and show its security in a new and simplified security model. We show that our simplified definition and adversarial model not only capture all the distinct features of certificateless signature but are also more versatile when compared with all the comparable ones. We believe that the model itself is of independent interest.A conventional certificateless signature scheme only achieves Girault’s Level 2 security. For achieving Level 3 security, that a conventional signature scheme in Public Key Infrastructure does, we propose an extension to our definition of certificateless signature scheme and introduce an additional security model for this extension. We show that our generic construction satisfies Level 3 security after some appropriate and simple modification. A preliminary version of the extended abstract of partial results appeared in ACISP 2006 [9].     

Group signature schemes with forward secure properties

A group signature scheme allows a group member to sign messages anonymously on behalf of the group. However, in the case of a dispute, the identity of a signature can be revealed by a designated entity. We introduce a forward secure schemes into group signature schemes. When the group public key remains fixed, a group signing key evolves over time. Because the signing key of a group member is evolving at time, the possibility of the signing key being exposed is decreased. We propose a forward secure group signature scheme based on Ateniese and Camenisch et al.’s group signature scheme. The security is analyzed and the comparisons between our scheme with other group signature schemes are made.     

Comparing two pairing-based aggregate signature schemes

In 2003, Boneh, Gentry, Lynn and Shacham (BGLS) devised the first provably-secure aggregate signature scheme. Their scheme uses bilinear pairings and their security proof is in the random oracle model. The first pairing-based aggregate signature scheme which has a security proof that does not make the random oracle assumption was proposed in 2006 by Lu, Ostrovsky, Sahai, Shacham and Waters (LOSSW). In this paper, we compare the security and efficiency of the BGLS and LOSSW schemes when asymmetric pairings derived from Barreto–Naehrig (BN) elliptic curves are employed.     

Attack on Han et al.’s ID-based confirmer (undeniable) signature at ACM-EC’03

In ACM conference on electronic commerce (EC’03), Han et al. [Identity-based confirmer signatures from pairings over elliptic curves, in: Proceedings of ACM Conference on Electronic Commerce Citation 2003, San Diego, CA, USA, June 09–12, 2003, pp. 262–263] proposed an ID-based confirmer signature scheme using pairings (the scheme is in fact an ID-based undeniable signature scheme). In this paper, we show that this signature scheme is not secure and the signer can deny any signature, even if it is a valid signature, and any one can forge a valid confirmer signature of a signer with identity ID on an arbitrary message and confirm this signature to the verifier.     

对一个无证书盲签名方案的攻击与改进

对黄茹芬等提出的一个高效的无证书盲签名方案进行了安全性分析,指出方案不能抵抗公钥替换攻击.为此,提出了一个改进方案.改进方案在随机预言模型和计算Diffie-Hellman(CDH)问题、q-强Diffie-Hellman(q-SDH)问题及逆计算Diffie-Hellman(inv-CDH)问题困难的假设下对适应性选择消息和身份攻击是存在不可伪造的.     

改进的基于ECDLP的无证书部分盲签名机制

对邵国金等人(四川大学学报(工程科学版),2012年第1期)提出的基于椭圆曲线离散对数难题(ECDLP)的无双线性对运算的部分盲签名方案进行安全性分析,发现方案不能抵抗公钥替换攻击.为此,提出了一个改进方案.在随机谕言模型下证明了改进方案对自适应选择消息和身份攻击是存在性不可伪造性的.将所提方案与部分现有的无证书部分盲签名方案的计算性能进行了比较,结果显示改进方案具有较高的运算效率.     

一种无证书的环签名方案和一个基于身份的多重签名方案

在这篇文章里,我们用双线性对构造了一种无证书的环签名方案,并证明它是无条件匿名的,且在随机预言模型中,计算性Diffie-Hellman问题是难解的,我们方案在适应性选择消息攻击下是存在性不可伪造的,它的安全性比在基于身份的公钥密码体制下高.本文首次用多线性形式构造了一个基于身份的广播多重签名方案,它的安全性是基于计算性Diffie-Hellman困难问题.     

Security of meta-He digital signature scheme based on factoring and discrete logarithms

To enhance the security of signature schemes, Pon et al., recently, investigated all eight variants of the He’s digital signature scheme. The security of the proposed schemes is based on the difficulties of simultaneously solving the factoring and discrete logarithm problems with almost the same sizes of arithmetic modulus. This paper shows that the all eight variants of the He’s digital signature scheme, as well as two more variants, are not secure if attackers can solve discrete logarithm problems. Moreover, the attackers can easily forge signatures of the most optimal signature schemes of the generalized He’ signature schemes even though they can solve neither discrete logarithm problems nor factoring.     

Improvement on Hwang et al.’s generalization of proxy signature schemes based on elliptic curves

Hwang et al. proposed their generalization of proxy signature schemes based on elliptic curves. However, two attacks are proposed to show that their schemes have serious security flaws. By the first attack, an adversary can forge an illegal proxy signature that verifiers cannot actually find out the original signers of proxy signatures. The second attack is used to change proxy signatures into multi-signatures belonging to the group that actually generates the proxy signatures. To overcome these flaws, our improvement on Hwang et al.’s scheme is also proposed.     

基于身份的动态数字签名方案

数字签名是解决信息安全问题的重要途径,用于鉴别用户身份.随着计算机、网络的发展,安全的用户数字签名显得尤为重要.目前,现代的数字签名技术正向智能化、密码化、多因素、大容量和快速响应方向发展.结合数论中的中国剩余定理及RSA公钥体制,提出了一种基于身份的动态数字签名方案.     

ID-based cryptography using symmetric primitives

A general method for deriving an identity-based public key cryptosystem from a one-way function is described. We construct both ID-based signature schemes and ID-based encryption schemes. We use a general technique which is applied to multi-signature versions of the one-time signature scheme of Lamport and to a public key encryption scheme based on a symmetric block cipher which we present. We make use of one-way functions and block designs with properties related to cover-free families to optimise the efficiency of our schemes.      

Comment: A new blind signature based on the discrete logarithm problem for untraceability

In 2004, Lee et al. [C.C. Lee, M.S. Hwang, W.P. Yang, A new blind signature based on the discrete logarithm problem for untraceability, Appl. Math. Comput., in press] proposed a new untraceable blind signature based on DLP in order to overcome the “security limits” of Carmenisch et al.’s scheme. However, we show there are two mistakes in [C.C. Lee, M.S. Hwang, W.P. Yang, A new blind signature based on the discrete logarithm problem for untraceability, Appl. Math. Comput., in press]: 1. The Carmenisch et al.’s scheme does meet the requirement of untraceability and the cryptanalysis proposed by Lee et al. is not correct; 2. Though Lee et al.’s scheme is untraceable, the proof of its untraceability in [C.C. Lee, M.S. Hwang, W.P. Yang, A new blind signature based on the discrete logarithm problem for untraceability, Appl. Math. Comput., in press] is wrong (in this paper we also give the correct proof of its untraceability). So Lee et al.’s scheme does not have any advantage and it is unpractical since the cost of the scheme is higher compared with Carmenisch et al.’s scheme.     

Fine-grained forward-secure signature schemes without random oracles

We propose the concept of fine-grained forward-secure signature schemes. Such signature schemes not only provide non-repudiation w.r.t. past time periods the way ordinary forward-secure signature schemes do but, in addition, allow the signer to specify which signatures of the current time period remain valid when revoking the public key. This is an important advantage if the signer produces many signatures per time period as otherwise the signer would have to re-issue those signatures (and possibly re-negotiate the respective messages) with a new key.Apart from a formal model for fine-grained forward-secure signature schemes, we present practical schemes and prove them secure under the strong RSA assumption only, i.e., we do not resort to the random oracle model to prove security. As a side-result, we provide an ordinary forward-secure scheme whose key-update time is significantly smaller than that of known schemes which are secure without assuming random oracles.     

An improved signature scheme without using one-way Hash functions

Recently, Chang et al. give a digital signature scheme, where neither one-way hash function nor message redundancy schemes are used, but Zhang et al. has shown that the scheme was forgeable, namely, any one can forge a new signature by the signer’s signature, and give two forgery attacks. To the above attacks, we give an improved signature scheme based on Chang signature scheme and analyze the security of the improved scheme.     

一种灵活的基于身份的签名方案

在基于身份的密钥提取过程中,使密钥生成器在私钥中嵌入随机数,从而使得密钥提取具有较好的灵活性,使得用户对一个身份可具备多个私钥,这无疑会增加密钥使用的安全性;基于这种新的密钥提取思路,给出一个基于身份的签名体制,新的密钥提取方式使得它具有更好的安全性和灵活性;新的基于身份的签名体制中具有最少对运算,因此,与类似的方案相比,其具备较好的计算效率;新签名体制的安全性依赖于k-合谋攻击问题(k-CAAP)的困难性,其在适应性选择消息和ID攻击下具备强不可伪造性,并且其安全性证明具有紧规约性.     

The Diffie–Hellman Protocol

The 1976 seminal paper of Diffie and Hellman is a landmark in the history of cryptography. They introduced the fundamental concepts of a trapdoor one-way function, a public-key cryptosystem, and a digital signature scheme. Moreover, they presented a protocol, the so-called Diffie–Hellman protocol, allowing two parties who share no secret information initially, to generate a mutual secret key. This paper summarizes the present knowledge on the security of this protocol.     

Efficient Rabin-type Digital Signature Scheme

Rabin's cryptosystem was proved to be as hard as factorization. However, Rabin's digital signature schemes is probabilistic. This paper shows two efficient Rabin type digital signature schemes, a basic scheme and an improved scheme. Both schemes run much faster than Rabin's scheme. They are deterministic and the size of a signature is much smaller than that of a signature in Rabin's scheme. Furthermore, it is proved that, by applying the technique of Bellare and Rogaway, the proposed scheme is secure against chosen plaintext attack. More precisely, breaking the proposed digital signature scheme by chosen plaintext attack is as hard as factoring N.     

Provable certificateless generalized signcryption scheme

Generalized signcryption can adaptively work as an encryption scheme, a signature scheme or a signcryption scheme with only one algorithm. It is very suitable for storage-constrained environments. In this paper, we introduce a formal security model for certificateless generalized signcryption schemes secure against the malicious-but-passive key generation center attacks and propose a novel scheme. Our scheme is proved to be IND-CCA2 secure under the GBDH assumption and CDH assumption and existentially unforgeable under the GDH’ assumption and CDH assumption in random oracle model. Furthermore, performance analysis shows the proposed scheme is efficient and practical.     

Efficient Undeniable Signature Schemes Based on Ideal Arithmetic in Quadratic Orders

In undeniable signature schemes the correctness or incorrectness of a signature of some message cannot be checked without the agreement of and the interaction with the signer. This is a favorable property for some applications. Well-known undeniable signature schemes presented in the literature will cause operations for the signer which take cubic running time. For a real world implementation, e.g., on a chip card or a web server this might be too inefficient.In this paper, we present new efficient undeniable signature schemes which are constructed over an imaginary quadratic field. We compare our schemes to the only really competitive scheme so far, which is based on RSA. In all signature protocols presented here the signer's part involving the secret key is always of quadratic complexity, which is much faster in practice than the signer's part in the RSA-based undeniable signature protocol.     

一种基于无证书生物特征数据的签名方案

在基于ID的无证书签名方案的基础上,通过模糊提取器获取生物特征信息来构造密钥,结合CL-PKC私钥生成原理,提出了一种基于生物特征的无证书签名方案.新方案在随机预言模型下是可证安全的,而且能够抵抗适应性选择消息攻击和ID攻击下的存在性伪造.该方案不仅解决了密钥托管问题而且与传统的方案相比具有较高的效率.