Efficient discrete logarithm based multi-signature scheme in the plain public key model

In this paper, we provide a new multi-signature scheme that is proven secure in the plain public key model. Our scheme is practical and efficient according to computational costs, signature size and security assumptions. At first, our scheme matches the single ordinary discrete logarithm based signature scheme in terms of signing time, verification time and signature size. Secondly, our scheme requires only two rounds of interactions and each signer needs nothing more than a certified public key to produce the signature, meaning that our scheme is compatible with existing PKIs. Thirdly, our scheme has been proven secure in the random oracle model under standard discrete logarithm (DL) assumption. It outperforms a newly proposed multi-signature scheme by Bagherzandi, Cheon and Jarecki (BCJ scheme) in terms of both computational costs and signature size.     

Efficient Undeniable Signature Schemes Based on Ideal Arithmetic in Quadratic Orders

In undeniable signature schemes the correctness or incorrectness of a signature of some message cannot be checked without the agreement of and the interaction with the signer. This is a favorable property for some applications. Well-known undeniable signature schemes presented in the literature will cause operations for the signer which take cubic running time. For a real world implementation, e.g., on a chip card or a web server this might be too inefficient.In this paper, we present new efficient undeniable signature schemes which are constructed over an imaginary quadratic field. We compare our schemes to the only really competitive scheme so far, which is based on RSA. In all signature protocols presented here the signer's part involving the secret key is always of quadratic complexity, which is much faster in practice than the signer's part in the RSA-based undeniable signature protocol.     

Attack on Han et al.’s ID-based confirmer (undeniable) signature at ACM-EC’03

In ACM conference on electronic commerce (EC’03), Han et al. [Identity-based confirmer signatures from pairings over elliptic curves, in: Proceedings of ACM Conference on Electronic Commerce Citation 2003, San Diego, CA, USA, June 09–12, 2003, pp. 262–263] proposed an ID-based confirmer signature scheme using pairings (the scheme is in fact an ID-based undeniable signature scheme). In this paper, we show that this signature scheme is not secure and the signer can deny any signature, even if it is a valid signature, and any one can forge a valid confirmer signature of a signer with identity ID on an arbitrary message and confirm this signature to the verifier.     

Provable certificateless generalized signcryption scheme

Generalized signcryption can adaptively work as an encryption scheme, a signature scheme or a signcryption scheme with only one algorithm. It is very suitable for storage-constrained environments. In this paper, we introduce a formal security model for certificateless generalized signcryption schemes secure against the malicious-but-passive key generation center attacks and propose a novel scheme. Our scheme is proved to be IND-CCA2 secure under the GBDH assumption and CDH assumption and existentially unforgeable under the GDH’ assumption and CDH assumption in random oracle model. Furthermore, performance analysis shows the proposed scheme is efficient and practical.     

Signcryption schemes with threshold unsigncryption,and applications

The goal of a signcryption scheme is to achieve the same functionalities as encryption and signature together, but in a more efficient way than encrypting and signing separately. To increase security and reliability in some applications, the unsigncryption phase can be distributed among a group of users, through a (t, n)-threshold process. In this work we consider this task of threshold unsigncryption, which has received very few attention from the cryptographic literature up to now (maybe surprisingly, due to its potential applications). First we describe in detail the security requirements that a scheme for such a task should satisfy: existential unforgeability and indistinguishability, under insider chosen message/ciphertext attacks, in a multi-user setting. Then we show that generic constructions of signcryption schemes (by combining encryption and signature schemes) do not offer this level of security in the scenario of threshold unsigncryption. For this reason, we propose two new protocols for threshold unsigncryption, which we prove to be secure, one in the random oracle model and one in the standard model. The two proposed schemes enjoy an additional property that can be very useful. Namely, the unsigncryption protocol can be divided in two phases: a first one where the authenticity of the ciphertext is verified, maybe by a single party; and a second one where the ciphertext is decrypted by a subset of t receivers, without using the identity of the sender. As a consequence, the schemes can be used in applications requiring some level of anonymity, such as electronic auctions.     

Identity-based non-interactive key distribution with forward security

Identity-based non-interactive key distribution (ID-NIKD) is a cryptographic primitive that enables two users to establish a common secret key without exchanging messages. All users of the system have access to public system parameters and a private key, obtained through the help of a trusted key generation center. In this contribution, we discuss how to capture an intuitive form of forward security for ID-NIKD schemes in a security model. Building on results of Sakai et?al. as well as of Paterson and Srinivasan, we discuss how the proposed notion of forward security can be achieved in the random oracle model, using a Bilinear Diffie-Hellman assumption in combination with a forward-secure pseudorandom bit generator. We also show how a forward-secure ID-NIKD scheme can be used to realize forward-secure identity-based encryption.     

基于MSP秘密共享的（t，n）门限群签名方案

门限群签名是群签名中重要的—类，它是秘钥共享与群签名的有机结合．本文通过文献[5]中的MSP方案（Monotone Span Program），提出了一种新的门限群签名方案．在本签名方案建立后，只有达到门限的群成员的联合才能生成—个有效的群签名，并且可以方便的加入或删除成员．一旦发生争议，只有群管理员才能确定签名人的身份．该方案能够抵抗合谋攻击：即群中任意一组成员合谋都无法恢复群秘钥k．本方案的安全性基于Gap Diffie-Hellman群上的计算Diffie-Hellmanl可题难解上，因此在计算上是最安全的．     

Group signature schemes with forward secure properties

A group signature scheme allows a group member to sign messages anonymously on behalf of the group. However, in the case of a dispute, the identity of a signature can be revealed by a designated entity. We introduce a forward secure schemes into group signature schemes. When the group public key remains fixed, a group signing key evolves over time. Because the signing key of a group member is evolving at time, the possibility of the signing key being exposed is decreased. We propose a forward secure group signature scheme based on Ateniese and Camenisch et al.’s group signature scheme. The security is analyzed and the comparisons between our scheme with other group signature schemes are made.     

How (Not) to design strong-RSA signatures

This paper considers strong-RSA signature schemes built from the scheme of Cramer and Shoup. We present a basic scheme encompassing the main features of the Cramer-Shoup scheme. We analyze its security in both the random oracle model and the standard model. This helps us to spot potential security flaws. As a result, we show that a seemingly secure signature scheme (Tan in Int J Security Netw 1(3/4): 237?C242, 2006) is universally forgeable under a known-message attack. In a second step, we discuss how to turn the basic scheme into a fully secure signature scheme. Doing so, we rediscover several known schemes (or slight variants thereof).     

一种基于无证书生物特征数据的签名方案

在基于ID的无证书签名方案的基础上,通过模糊提取器获取生物特征信息来构造密钥,结合CL-PKC私钥生成原理,提出了一种基于生物特征的无证书签名方案.新方案在随机预言模型下是可证安全的,而且能够抵抗适应性选择消息攻击和ID攻击下的存在性伪造.该方案不仅解决了密钥托管问题而且与传统的方案相比具有较高的效率.     

Security of meta-He digital signature scheme based on factoring and discrete logarithms

To enhance the security of signature schemes, Pon et al., recently, investigated all eight variants of the He’s digital signature scheme. The security of the proposed schemes is based on the difficulties of simultaneously solving the factoring and discrete logarithm problems with almost the same sizes of arithmetic modulus. This paper shows that the all eight variants of the He’s digital signature scheme, as well as two more variants, are not secure if attackers can solve discrete logarithm problems. Moreover, the attackers can easily forge signatures of the most optimal signature schemes of the generalized He’ signature schemes even though they can solve neither discrete logarithm problems nor factoring.     

Certificateless signature: a new security model and an improved generic construction

Certificateless cryptography involves a Key Generation Center (KGC) which issues a partial key to a user and the user also independently generates an additional public/secret key pair in such a way that the KGC who knows only the partial key but not the additional secret key is not able to do any cryptographic operation on behalf of the user; and a third party who replaces the public/secret key pair but does not know the partial key cannot do any cryptographic operation as the user either. We call this attack launched by the third party as the key replacement attack. In ACISP 2004, Yum and Lee proposed a generic construction of digital signature schemes under the framework of certificateless cryptography. In this paper, we show that their generic construction is insecure against key replacement attack. In particular, we give some concrete examples to show that the security requirements of some building blocks they specified are insufficient to support some of their security claims. We then propose a modification of their scheme and show its security in a new and simplified security model. We show that our simplified definition and adversarial model not only capture all the distinct features of certificateless signature but are also more versatile when compared with all the comparable ones. We believe that the model itself is of independent interest.A conventional certificateless signature scheme only achieves Girault’s Level 2 security. For achieving Level 3 security, that a conventional signature scheme in Public Key Infrastructure does, we propose an extension to our definition of certificateless signature scheme and introduce an additional security model for this extension. We show that our generic construction satisfies Level 3 security after some appropriate and simple modification. A preliminary version of the extended abstract of partial results appeared in ACISP 2006 [9].     

一种灵活的基于身份的签名方案

在基于身份的密钥提取过程中,使密钥生成器在私钥中嵌入随机数,从而使得密钥提取具有较好的灵活性,使得用户对一个身份可具备多个私钥,这无疑会增加密钥使用的安全性;基于这种新的密钥提取思路,给出一个基于身份的签名体制,新的密钥提取方式使得它具有更好的安全性和灵活性;新的基于身份的签名体制中具有最少对运算,因此,与类似的方案相比,其具备较好的计算效率;新签名体制的安全性依赖于k-合谋攻击问题(k-CAAP)的困难性,其在适应性选择消息和ID攻击下具备强不可伪造性,并且其安全性证明具有紧规约性.     

可证明安全的基于证书聚合签名方案

对刘云芳等人提出的基于证书聚合签名方案进行安全性分析,指出方案不能抵抗类型Ⅱ敌手攻击,并给出两种攻击方法,在此基础上提出了一个新的可证安全的基于证书聚合签名方案,利用Diffie-Hellman困难问题,在随机预言模型下证明了新方案是存在性不可伪造的.另外,新方案的聚合签名长度是固定常数,与签名者的数量无关,在签名验证中只需要4个对运算和n个标量乘运算,因此,新方案的签名验证效率得到很大提高.     

Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem

The new signature scheme presented by the authors in [13] is the first signature scheme based on the discrete logarithm problem that gives message recovery. The purpose of this paper is to show that the message recovery feature is independent of the choice of the signature equation and that all ElGamal-type schemes have variants giving message recovery. For each of the six basic ElGamal-type signature equations five variants are presented with different properties regarding message recovery, length of commitment and strong equivalence. Moreover, the six basic signature schemes have different properties regarding security and implementation. It turns out that the scheme proposed in [13] is the only inversionless scheme whereas the message recovery variant of the DSA requires computing of inverses in both generation and verification of signatures. In general, message recovery variants can be given for ElGamal-type signature schemes over any group with large cyclic subgroup as the multiplicative group of GF(2n) or elliptic curve over a finite field.The present paper also shows how to integrate the DLP-based message recovery schemes with secret session key establishment and ElGamal encryption. In particular, it is shown that with DLP-based schemes the same functionality as with RSA can be obtained. However, the schemes are not as elegant as RSA in the sense that the signature (verification) function cannot at the same time be used as the decipherment (encipherment) function.     

A Signature Scheme Based on the Intractability of Computing Roots

We present RDSA, a variant of the DSA signature scheme, whose security is based on the intractability of extracting roots in a finite abelian group. We prove that RDSA is secure against an adaptively chosen message attack in the random oracle model if and only if computing roots in the underlying group is intractable. We report on a very efficient implementation of RDSA in the class group of imaginary quadratic orders. We also show how to construct class groups of algebraic number fields of degree < 2 in which RDSA can be implemented.     

前向安全的指定验证人代理多重签名方案

基于有限域上离散对数难解问题和强RSA假设,提出了一个前向安全的指定验证人代理多重签名方案.在方案中,代理签名人不仅可以代表多个原始签名人生成指定验证人的代理多重签名,确保只有原始签名人指定的验证人可以验证代理多重签名的有效性;而且在该方案中,代理多重签名是前向安全的,即使代理签名人当前时段的代理多重签名密钥被泄漏,敌手也不能伪造此时段之前的代理多重签名,以前所产生的代理多重签名依然有效.     

Security of message authentication codes in the presence of key-dependent messages

In recent years, the security of encryption and signature schemes in the presence of key-dependent plaintexts received attention, and progress in understanding such scenarios has been made. In this article we motivate and discuss a setting where an adversary can access tags of a message authentication code (MAC) on key-dependent message inputs, and we propose a way to formalize the security of MACs in the presence of key-dependent messages (KD?EUF). Like signature schemes, MACs have a verification algorithm, and hence the tagging algorithm must be stateful. We present a scheme MAC-ver which offers KD?EUF security and also yields a forward-secure scheme.     

Security of Signature Schemes in a Multi-User Setting

This paper initiates the study of the security of signature schemes in the multi-user setting. We argue that the well-accepted notion of security for signature schemes, namely existential unforgeability against adaptive chosen-message attacks, is not adequate for the multi-user setting. We propose an extension of this security notion to the multi-user setting and show that signature schemes proven secure in the single-user setting can, under reasonable constraints, also be proven secure in the multi-user setting.     

Nonexistence of a class of variate generation schemes

Motivated by a problem arising in the regenerative analysis of discrete-event system simulation, we ask whether a certain class of random variate generation schemes exists or not. Under very reasonable conditions, we prove that such variate generation schemes do not exist. The implications of this result for regenerative steady-state simulation of discrete-event systems are discussed.