一种改进的前向安全数字签名方案

已有前向安全数字签名方案无法保证数字签名的后向安全性。对Abdalla-Reyzin的前向安全数字签名方案进行了改进,将单向散列链嵌入到该方案的签名中,使该方案具有后向安全检测功能。改进后的方案不仅具有数字签名的前向安全性,而且同样具有后向安全性。     

高效的可证安全短代理签名方案

代理签名在大规模无线工控物联网中应用广泛,利用代理签名可以大大提高签名主服务器的效率。为适应带宽受限和计算能力弱的应用环境,提出了一个基于双线性映射的短代理签名方案。首先,在随机预言机模型下基于计算Diffie-Hellman（CDH）问题和k-碰撞攻击算法（k-CAA）问题证明了该方案的安全性。然后,与其他现有代理签名和短代理签名方案进行了性能上的优势分析,并给出了该方案实现的关键代码。实验结果表明,所提方案在代理签名生成时进行了1次标量乘运算和1次哈希运算,签名验证时进行了2次双线性对运算、1次标量乘运算和2次哈希运算,与其他同类代理签名方案相比计算性能上具有优势,适用于计算能力较弱和传输能力受限的应用场景。     

Chameleon hash without key exposure based on Schnorr signature

Based on the famous Schnorr signature scheme, we propose a new chameleon hash scheme which enjoys all advantages of the previous schemes: collision-resistant, message-hiding, semantic security, and key-exposure-freeness.     

Efficient generic on-line/off-line (threshold) signatures without key exposure

The “hash–sign–switch” paradigm was firstly proposed by Shamir and Tauman with the aim to design an efficient on-line/off-line signature scheme. Nonetheless, all existing on-line/off-line signature schemes based on this paradigm suffer from the key exposure problem of chameleon hashing. To avoid this problem, the signer should pre-compute and store a plenty of different chameleon hash values and the corresponding signatures on the hash values in the off-line phase, and send the collision and the signature for a certain hash value in the on-line phase. Hence, the computation and storage cost for the off-line phase and the communication cost for the on-line phase in Shamir–Tauman’s signature scheme are still a little more overload. In this paper, we first introduce a special double-trapdoor hash family based on the discrete logarithm assumption and then incorporate it to construct a more efficient generic on-line/off-line signature scheme without key exposure. Furthermore, we also present the first key-exposure-free generic on-line/off-line threshold signature scheme without a trusted dealer. Additionally, we prove that the proposed schemes have achieved the desired security requirements.     

无证书签名方案的分析与改进

针对汤永利等提出的9种无证书签名方案（汤永利,王菲菲,叶青,等.改进的可证明安全无证书签名方案.北京邮电大学学报,2016,39(1):112-116）,首先使用线性化方程分析方法,发现所有方案中公钥之间存在线性关系,利用此缺陷完成对所有方案的签名伪造攻击;其次,为打破公钥之间的线性关系,使用改造哈希函数参数的方法改进方案,并在随机预言机模型下证明了改进方案的安全性;然后,提出一种无证书签名方案中的公钥构造格式,通过该格式构造出的签名方案无法被敌手进行公钥替换攻击;最后,通过仿真对改进方案与现有的无证书签名方案进行效率比较。实验结果表明,改进方案在提高安全性的同时未降低计算效率。     

强前向安全的代理签名方案

前向安全代理签名方案无法保证代理者密钥泄漏后未来时段代理签名的安全性。基于单向散列链,对王天银等提出的前向安全代理签名方案进行了改进,使该方案的代理签名具有强前向安全性：即使代理密钥被泄露,攻击者也无法伪造过去和未来时段的代理签名,并且具有密钥泄露检测功能。     

一种高效的门限部分盲签名方案

现有的门限签名方案使用一些低效的MapToPoint哈希函数,难以避免因多次使用哈希函数而带来的安全性危害。为此,将门限签名和部分盲签名相结合,提出一种新的基于双线性对的门限部分盲签名方案。分析结果表明,该方案使用高效的普通哈希函数,可提高执行效率,具有满足门限签名和部分盲签名的优点。     

Efficient and provably-secure certificateless short signature scheme from bilinear pairings

Certificateless public key cryptography is a recently proposed attractive paradigm which combines advantages of both certificate-based and ID-based public key cryptosystems as it avoids usage of certificates and does not suffer from key escrow. In this paper, we present a certificateless signature (CLS) scheme that is proved to be secure in the random oracle model under the hardness assumptions of k-CAA and Inv-CDHP. Our scheme upholds all desirable properties of previously proposed CLS schemes, and requires general cryptographic hash functions instead of the MapToPoint hash function which is inefficient. Furthermore, our scheme is significantly more efficient than all known CLS schemes, and the size of signatures generated by our scheme is approximate 160 bits, which is the shortest certificateless signatures so far. So it can be used widely, especially in low-bandwidth communication environments.     

Off-line/on-line signatures revisited: a general unifying paradigm, efficient threshold variants and experimental results

The notion of off-line/on-line digital signature scheme was introduced by Even, Goldreich and Micali. Informally such signatures schemes are used to reduce the time required to compute a signature using some kind of preprocessing. Even, Goldreich and Micali show how to realize off-line/on-line digital signature schemes by combining regular digital signatures with efficient one-time signatures. Later, Shamir and Tauman presented an alternative construction (which produces shorter signatures) obtained by combining regular signatures with chameleon hash functions. In this paper, we study off-line/on-line digital signature schemes both from a theoretic and a practical perspective. More precisely, our contribution is threefold. First, we unify the Shamir–Tauman and Even et al. approaches by showing that they can be seen as different instantiations of the same paradigm. We do this by showing that the one-time signatures needed in the Even et al. approach only need to satisfy a weak notion of security. We then show that chameleon hashing is basically a one-time signature which satisfies such a weaker security notion. As a by-product of this result, we study the relationship between one-time signatures and chameleon hashing, and we prove that a special type of chameleon hashing (which we call double-trapdoor) is actually a fully secure one-time signature. Next, we consider the task of building, in a generic fashion, threshold variants of known schemes: Crutchfield et al. proposed a generic way to construct a threshold off-line/on-line signature scheme given a threshold regular one. They applied known threshold techniques to the Shamir–Tauman construction using a specific chameleon hash function. Their solution introduces additional computational assumptions which turn out to be implied by the so-called one-more discrete logarithm assumption. Here, we propose two generic constructions that can be based on any threshold signature scheme, combined with a specific (double-trapdoor) chameleon hash function. Our constructions are efficient and can be proven secure in the standard model using only the traditional discrete logarithm assumption. Finally, we ran experimental tests to measure the difference between the real efficiency of the two known constructions for non-threshold off-line/on-line signatures. Interestingly, we show that, using some optimizations, the two approaches are comparable in efficiency and signature length.     

Chameleon Hashes Without Key Exposure Based on Factoring

Chameleon hash is the main primitive to construct a chameleon signature scheme which provides nonrepudiation and non-transferability simultaneously. However, the initial chameleon hash schemes suffer from the key exposure problem： non-transferability is based on an unsound assumption that the designated receiver is willing to abuse his private key regardless of its exposure. Recently, several key-exposure-free chameleon hashes have been constructed based on RSA assumption and SDH （strong Diffie-Hellman） assumption. In this paper, we propose a factoring-based chameleon hash scheme which is proven to enjoy all advantages of the previous schemes. In order to support it, we propose a variant Rabin signature scheme which is proven secure against a new type of attack in the random oracle model.     

高效的分簇传感器网络广播认证方案*

广播是无线传感器网络的重要通信手段,广播消息的安全性应得到保障。在分簇传感器网络结构基础上提出了一种无线传感器网络广播认证方案,簇头节点对广播进行签名认证,簇内使用消息认证码进行消息认证,网关节点负责广播消息在簇间的传递。分析表明,与部分现有的传感器网络广播认证方案相比,该方案以较低的能耗提供了较高的安全性。     

强不可伪造的在线/离线签名方案

针对标准模型下签名方案效率低的问题,利用目标抗碰撞杂凑函数和变色龙哈希函数,提出了一种在线/离线签名方案。在签名消息到来之前,离线阶段进行重签名的大部分计算,并将这些运算结果保存起来;在签名消息到来时,利用离线阶段保存的数据能在很短的时间内生成消息的在线重签名。在标准模型下,证明了新方案在适应性选择消息攻击下满足强不可伪造性。分析结果表明,新方案在效率上优于已有的标准模型下签名方案,在线签名算法仅需要1次模减法运算和1次模乘法运算,适合于计算能力较弱的低端计算设备。     

明文编码随机化加密方案

对著名的最优非对称填充加密方案（RSA-OAEP）及其改进方案进行分析发现：（1）这些方案的明文填充机制均采用Hash函数来隐藏明文统计特性,然而Hash函数特有的属性导致RSA-OAEP及其改进方案的安全性证明难以在标准模型下进行.很多研究工作表明,在标准模型下假定RSA（或者其变形）是困难的,无法证明RSA-OAEP及其改进方案对自适应性选择密文攻击是安全性的;（2）这些方案加密的消息是明文填充随机化处理后的信息,因此被加密信息比实际明文多出k位（设用于填充的随机数为k位）.针对这两个问题,构造了一个基于配对函数编码的RSA型加密方案.该方案具有如下属性：（1）无需Hash运算就可以隐藏明文统计特性,同时使得被加密消息的长度短于实际明文的长度;（2）在标准模型下对自适应选择密文攻击是安全的;（3）该方案应用于签密时不需要额外协商签名模与加密模的大小顺序.     

多源网络编码同态签名方案*

由于网络编码的系统很容易受到污染攻击,提出了一个适用于多源网络编码应对污染攻击的同态签名方案.该方案使用了同态哈希函数,能够阻止恶意修改的数据分组.被污染的数据分组会被验证者丢弃,从而保证了系统的安全性.该方案是同态的且是为多源网络编码特别设计的,与文件和分组的大小无关,而且方案中的公钥和每个分组的开销是常量.     

前向安全无证书代理盲签名方案的分析与改进

通过对魏俊懿等人提出的一种前向安全的无证书代理盲签名方案进行安全性分析,发现该方案不能抵抗原始签名人的伪造攻击、不具有盲性。针对上述问题,提出一种改进的方案。通过对代理密钥生成过程以及盲签名过程的改进,克服了原方案存在的安全缺陷。利用将单向散列链嵌入签名的方法,保证了改进的方案具有后向安全性。而且,密钥生成中心与用户之间不需要建立可信的安全通道,节省了额外的开销。安全分析表明,改进的方案满足前向安全无证书代理盲签名方案的安全要求。     

基于FPGA的Leighton-Micali签名方案密钥生成的高速可配置实现

由于量子计算机的飞速发展,现代密码学面临着巨大的挑战。为了实现抗量子计算机攻击的加密,人们提出了许多新的加密方案,并对后量子密码学(Post-Quantum Cryptography,PQC)开展了标准化进程。Leighton-Micali签名(Leighton-Micali signature,LMS)是一种基于哈希的后量子签名方案,其私钥和公钥尺寸都较小,且安全性已被充分研究。LMS被互联网工程小组(Internet Engineering Task Force,IETF)选为PQC签名协议的标准方案,同时被美国国家标准技术局(National Institute of Standardsand Technology,NIST)选为一种PQC过渡方案。然而,密钥生成过程中的效率低下,成为了LMS实际应用中的瓶颈。在本文中,我们首次对LMS进行基于FPGA的硬件实现与加速。首先,在不损失安全性的基础上,我们将LMS中的主要哈希函数由SHA2替换为SHA3函数。其次,我们设计了一个软硬件协同系统,将核心的哈希运算用硬件进行实现,该系统在消耗较少资源的前提下,可完成LMS协议的所有过程:密钥生成、签名与验证。该系统为物联网(Internet of things,IoT)场景下资源受限的LMS应用提供了参考。接着,我们提出了一个高速的密钥生成架构来加速LMS。该架构中具有可配置性,支持LMS的所有参数集,内部的哈希模块根据使用场景进行设计与部署,且并行度经过精心设计,以使得架构同时达到低延迟和高硬件利用率。此外,设计中的控制逻辑被设计为在适应不同参数集的情况下保持一定程度的恒定功率,以抵御功率分析攻击。该架构使用Verilog实现,并在Xilinx Zynq UltraScale+MPSoC ZCU104 FPGA平台上实验。实验结果表明,与在Intel (R) Core (TM) i7-6850K 3.60GHz CPU上启用多线程的目前较优软件实现相比,本文中的设计在不同参数配置下可实现55x~2091x的加速;与最新的各平台LMS工作相比,本文中设计可实现超过17x的加速;与相近方案的FPGA工作相比,本文中设计可实现约70x的加速。     

A pairing-free certificateless digital multisignature scheme using elliptic curve cryptography

In a digital multisignature scheme, two or more signers are allowed to produce a single signature on a common message, which can be verified by anyone. In the literature, many schemes are available based on the public key infrastructure or identity-based cryptosystem with bilinear pairing and map-to-point (MTP) hash function. The bilinear pairing and the MTP function are time-consuming operations and they need a large super-singular elliptic curve group. Moreover, the cryptosystems based on them are difficult to implement and less efficient for practical use. To the best of our knowledge, certificateless digital multisignature scheme without pairing and MTP hash function has not yet been devised and the same objective has been fulfilled in this paper. Furthermore, we formally prove the security of our scheme in the random oracle model under the assumption that ECDLP is hard.     

标准模型下的代理签名:构造模型与证明安全性

目前已经提出的代理签名方案缺乏在完整的代理签名安全模型下证明方案的安全性.在Boldyreva等人提出的代理签名安全模型的基础上,对代理签名的可证安全模型进行详细的形式化定义,提出一种完整的代理签名可证安全模型.同时,为了展示该安全模型的有效性和可扩展性,对Paterson等人提出的标准模型下基于身份的签名方案进行扩展,提出在标准模型下基于身份的代理签名方案,并在可证安全模型下,证明新方案具有在自适应选择消息攻击下存在基于身份的代理签名不可伪造性,其安全性在标准模型下可归约于CDH问题假定.新方案与标准模型下基于公钥密码体制的代理签名方案相比,不仅增加了用户身份的概念,还具有更完备的安全性.     

Key-dependent 3D model hashing for authentication using heat kernel signature

Multimedia-based hashing is considered an important technique for achieving authentication and copy detection in digital contents. However, 3D model hashing has not been as widely used as image or video hashing. In this study, we develop a robust 3D mesh-model hashing scheme based on a heat kernel signature (HKS) that can describe a multi-scale shape curve and is robust against isometric modifications. We further discuss the robustness, uniqueness, security, and spaciousness of the method for 3D model hashing. In the proposed hashing scheme, we calculate the local and global HKS coefficients of vertices through time scales and 2D cell coefficients by clustering HKS coefficients with variable bin sizes based on an estimated L² risk function, and generate the binary hash through binarization of the intermediate hash values by combining the cell values and the random values. In addition, we use two parameters, bin center points and cell amplitudes, which are obtained through an iterative refinement process, to improve the robustness, uniqueness, security, and spaciousness further, and combine them in a hash with a key. By evaluating the robustness, uniqueness, and spaciousness experimentally, and through a security analysis based on the differential entropy, we verify that our hashing scheme outperforms conventional hashing schemes.     

一种强前向安全数字签名方案

在Abdalla-Reyzin的前向安全签名方案的基础上,通过引入单向散列链机制,提出了一个强前向安全的数字签名方案,攻击者即使在第i时段入侵系统,也无法伪造以前或以后时段的签名,方案的安全性基于在Z^*_N上计算平方根的困难性和散列函数的单向性。