前向安全的指定验证人代理多重签名方案

基于有限域上离散对数难解问题和强RSA假设,提出了一个前向安全的指定验证人代理多重签名方案.在方案中,代理签名人不仅可以代表多个原始签名人生成指定验证人的代理多重签名,确保只有原始签名人指定的验证人可以验证代理多重签名的有效性;而且在该方案中,代理多重签名是前向安全的,即使代理签名人当前时段的代理多重签名密钥被泄漏,敌手也不能伪造此时段之前的代理多重签名,以前所产生的代理多重签名依然有效.     

改进的基于ECDLP的无证书部分盲签名机制

对邵国金等人(四川大学学报(工程科学版),2012年第1期)提出的基于椭圆曲线离散对数难题(ECDLP)的无双线性对运算的部分盲签名方案进行安全性分析,发现方案不能抵抗公钥替换攻击.为此,提出了一个改进方案.在随机谕言模型下证明了改进方案对自适应选择消息和身份攻击是存在性不可伪造性的.将所提方案与部分现有的无证书部分盲签名方案的计算性能进行了比较,结果显示改进方案具有较高的运算效率.     

ID-based cryptography using symmetric primitives

A general method for deriving an identity-based public key cryptosystem from a one-way function is described. We construct both ID-based signature schemes and ID-based encryption schemes. We use a general technique which is applied to multi-signature versions of the one-time signature scheme of Lamport and to a public key encryption scheme based on a symmetric block cipher which we present. We make use of one-way functions and block designs with properties related to cover-free families to optimise the efficiency of our schemes.      

Group signature schemes with forward secure properties

A group signature scheme allows a group member to sign messages anonymously on behalf of the group. However, in the case of a dispute, the identity of a signature can be revealed by a designated entity. We introduce a forward secure schemes into group signature schemes. When the group public key remains fixed, a group signing key evolves over time. Because the signing key of a group member is evolving at time, the possibility of the signing key being exposed is decreased. We propose a forward secure group signature scheme based on Ateniese and Camenisch et al.’s group signature scheme. The security is analyzed and the comparisons between our scheme with other group signature schemes are made.     

A variant of Digital Signature Algorithm

In this paper we present a variant of the Digital Signature Algorithm based on a factorization problem and two discrete logarithm problems. We prove that our signature scheme is at least as secure as the original Digital Signature Algorithm and withstands all known attacks.      

Security of meta-He digital signature scheme based on factoring and discrete logarithms

To enhance the security of signature schemes, Pon et al., recently, investigated all eight variants of the He’s digital signature scheme. The security of the proposed schemes is based on the difficulties of simultaneously solving the factoring and discrete logarithm problems with almost the same sizes of arithmetic modulus. This paper shows that the all eight variants of the He’s digital signature scheme, as well as two more variants, are not secure if attackers can solve discrete logarithm problems. Moreover, the attackers can easily forge signatures of the most optimal signature schemes of the generalized He’ signature schemes even though they can solve neither discrete logarithm problems nor factoring.     

Fine-grained forward-secure signature schemes without random oracles

We propose the concept of fine-grained forward-secure signature schemes. Such signature schemes not only provide non-repudiation w.r.t. past time periods the way ordinary forward-secure signature schemes do but, in addition, allow the signer to specify which signatures of the current time period remain valid when revoking the public key. This is an important advantage if the signer produces many signatures per time period as otherwise the signer would have to re-issue those signatures (and possibly re-negotiate the respective messages) with a new key.Apart from a formal model for fine-grained forward-secure signature schemes, we present practical schemes and prove them secure under the strong RSA assumption only, i.e., we do not resort to the random oracle model to prove security. As a side-result, we provide an ordinary forward-secure scheme whose key-update time is significantly smaller than that of known schemes which are secure without assuming random oracles.     

一种改进的代理多重签名方案

周等人提出的一种代理多重签名方案由于执行效率高、实现相对简单,因而有着广泛的应用.通过对该方案进行安全性分析,指出该方案容易受到内外两种伪造攻击,因此在安全性上有所欠缺,同时文中给出了相应的攻击方法.最后提出一种新的改进方案,通过加入公钥验证和签名参数处理机制,从而能够有效抵抗内外两种伪造攻击.     

对一群签名方案的分析与改进

通过对夏祥盛等人的动态门限群签名方案的研究,指出该方案的若干不足,其中最主要的不足是通过伪造和不可追踪性,并对该方案进行了改进．与现有群签名方案不同,新方案中用户的秘密数由用户自己选取,从而避免了双线性对的计算,大大提高了效率．分析说明改进的群签名方案几乎克服了原方案的所有缺点．     

Computing discrete logarithms in real quadratic congruence function fields of large genus

The discrete logarithm problem in various finite abelian groups is the basis for some well known public key cryptosystems. Recently, real quadratic congruence function fields were used to construct a public key distribution system. The security of this public key system is based on the difficulty of a discrete logarithm problem in these fields. In this paper, we present a probabilistic algorithm with subexponential running time that computes such discrete logarithms in real quadratic congruence function fields of sufficiently large genus. This algorithm is a generalization of similar algorithms for real quadratic number fields.

     

Computation of discrete logarithms in prime fields

The presumed difficulty of computing discrete logarithms in finite fields is the basis of several popular public key cryptosystems. The secure identification option of the Sun Network File System, for example, uses discrete logarithms in a field GF(p) with p a prime of 192 bits. This paper describes an implementation of a discrete logarithm algorithm which shows that primes of under 200 bits, such as that in the Sun system, are very insecure. Some enhancements to this system are suggested.     

Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem

The new signature scheme presented by the authors in [13] is the first signature scheme based on the discrete logarithm problem that gives message recovery. The purpose of this paper is to show that the message recovery feature is independent of the choice of the signature equation and that all ElGamal-type schemes have variants giving message recovery. For each of the six basic ElGamal-type signature equations five variants are presented with different properties regarding message recovery, length of commitment and strong equivalence. Moreover, the six basic signature schemes have different properties regarding security and implementation. It turns out that the scheme proposed in [13] is the only inversionless scheme whereas the message recovery variant of the DSA requires computing of inverses in both generation and verification of signatures. In general, message recovery variants can be given for ElGamal-type signature schemes over any group with large cyclic subgroup as the multiplicative group of GF(2n) or elliptic curve over a finite field.The present paper also shows how to integrate the DLP-based message recovery schemes with secret session key establishment and ElGamal encryption. In particular, it is shown that with DLP-based schemes the same functionality as with RSA can be obtained. However, the schemes are not as elegant as RSA in the sense that the signature (verification) function cannot at the same time be used as the decipherment (encipherment) function.     

一种灵活的基于身份的签名方案

在基于身份的密钥提取过程中,使密钥生成器在私钥中嵌入随机数,从而使得密钥提取具有较好的灵活性,使得用户对一个身份可具备多个私钥,这无疑会增加密钥使用的安全性;基于这种新的密钥提取思路,给出一个基于身份的签名体制,新的密钥提取方式使得它具有更好的安全性和灵活性;新的基于身份的签名体制中具有最少对运算,因此,与类似的方案相比,其具备较好的计算效率;新签名体制的安全性依赖于k-合谋攻击问题(k-CAAP)的困难性,其在适应性选择消息和ID攻击下具备强不可伪造性,并且其安全性证明具有紧规约性.     

Certificateless signature: a new security model and an improved generic construction

Certificateless cryptography involves a Key Generation Center (KGC) which issues a partial key to a user and the user also independently generates an additional public/secret key pair in such a way that the KGC who knows only the partial key but not the additional secret key is not able to do any cryptographic operation on behalf of the user; and a third party who replaces the public/secret key pair but does not know the partial key cannot do any cryptographic operation as the user either. We call this attack launched by the third party as the key replacement attack. In ACISP 2004, Yum and Lee proposed a generic construction of digital signature schemes under the framework of certificateless cryptography. In this paper, we show that their generic construction is insecure against key replacement attack. In particular, we give some concrete examples to show that the security requirements of some building blocks they specified are insufficient to support some of their security claims. We then propose a modification of their scheme and show its security in a new and simplified security model. We show that our simplified definition and adversarial model not only capture all the distinct features of certificateless signature but are also more versatile when compared with all the comparable ones. We believe that the model itself is of independent interest.A conventional certificateless signature scheme only achieves Girault’s Level 2 security. For achieving Level 3 security, that a conventional signature scheme in Public Key Infrastructure does, we propose an extension to our definition of certificateless signature scheme and introduce an additional security model for this extension. We show that our generic construction satisfies Level 3 security after some appropriate and simple modification. A preliminary version of the extended abstract of partial results appeared in ACISP 2006 [9].     

Comment: A new blind signature based on the discrete logarithm problem for untraceability

In 2004, Lee et al. [C.C. Lee, M.S. Hwang, W.P. Yang, A new blind signature based on the discrete logarithm problem for untraceability, Appl. Math. Comput., in press] proposed a new untraceable blind signature based on DLP in order to overcome the “security limits” of Carmenisch et al.’s scheme. However, we show there are two mistakes in [C.C. Lee, M.S. Hwang, W.P. Yang, A new blind signature based on the discrete logarithm problem for untraceability, Appl. Math. Comput., in press]: 1. The Carmenisch et al.’s scheme does meet the requirement of untraceability and the cryptanalysis proposed by Lee et al. is not correct; 2. Though Lee et al.’s scheme is untraceable, the proof of its untraceability in [C.C. Lee, M.S. Hwang, W.P. Yang, A new blind signature based on the discrete logarithm problem for untraceability, Appl. Math. Comput., in press] is wrong (in this paper we also give the correct proof of its untraceability). So Lee et al.’s scheme does not have any advantage and it is unpractical since the cost of the scheme is higher compared with Carmenisch et al.’s scheme.     

可证明安全的基于证书聚合签名方案

对刘云芳等人提出的基于证书聚合签名方案进行安全性分析,指出方案不能抵抗类型Ⅱ敌手攻击,并给出两种攻击方法,在此基础上提出了一个新的可证安全的基于证书聚合签名方案,利用Diffie-Hellman困难问题,在随机预言模型下证明了新方案是存在性不可伪造的.另外,新方案的聚合签名长度是固定常数,与签名者的数量无关,在签名验证中只需要4个对运算和n个标量乘运算,因此,新方案的签名验证效率得到很大提高.     

Certificateless signature and proxy signature schemes from bilinear pairings

Due to avoiding the inherent escrow of identity-based cryptography and yet not requiring certificates to guarantee the authenticity of public keys, certificateless public key cryptography has received a significant attention. Due to various applications of bilinear pairings in cryptography, numerous pairing-based encryption schemes, signature schemes, and other cryptographic primitives have been proposed. In this paper, a new certificateless signature scheme based on bilinear pairings is presented. The signing algorithm of the proposed scheme is very simple and does not require any pairing computation. Combining our signature scheme with certificateless public key cryptography yields a complete solution of certificateless public key system. As an application of the proposed signature scheme, a certificateless proxy signature scheme is also presented. We analyze both schemes from security point of view.__________Published in Lietuvos Matematikos Rinkinys, Vol. 45, No. 1, pp. 95–103, January–March, 2005.     

Cryptography in Quadratic Function Fields

We describe severalcryptographic schemes in quadratic function fields of odd characteristic.In both the real and the imaginary representation of such a field,we present a Diffie-Hellman-like key exchange protocol as wellas a public-key cryptosystem and a signature scheme of ElGamaltype. Several of these schemes are improvements of systems previouslyfound in the literature, while others are new. All systems arebased on an appropriate discrete logarithm problem. In the imaginarysetting, this is the discrete logarithm problem in the idealclass group of the field, or equivalently, in the Jacobian ofthe curve defining the function field. In the real case, theproblem in question is the task of computing distances in theset of reduced principal ideals, which is a monoid under a suitableoperation. Currently, the best general algorithms for solvingboth discrete logarithm problems are exponential (subexponentialonly in fields of high genus), resulting in a possibly higherlevel of security than that of conventional discrete logarithmbased schemes.     

Provable certificateless generalized signcryption scheme

Generalized signcryption can adaptively work as an encryption scheme, a signature scheme or a signcryption scheme with only one algorithm. It is very suitable for storage-constrained environments. In this paper, we introduce a formal security model for certificateless generalized signcryption schemes secure against the malicious-but-passive key generation center attacks and propose a novel scheme. Our scheme is proved to be IND-CCA2 secure under the GBDH assumption and CDH assumption and existentially unforgeable under the GDH’ assumption and CDH assumption in random oracle model. Furthermore, performance analysis shows the proposed scheme is efficient and practical.