基于多项式秘密共享的前摄性门限RSA签名方案

现有可证明安全的前摄性门限RSA签名方案均依赖加性秘密共享方法,存在每次签名均需所有成员参与,易暴露合法成员的秘密份额,签名效率低下等问题。该文以Shoup门限签名为基础,提出一种基于多项式秘密共享的前摄性门限RSA签名方案,并对其进行了详细的安全性及实用性分析。结果表明,在静态移动攻击者模型中,该方案是不可伪造的和稳健的,与现有同类方案相比,其通信开销更低,运算效率更高。     

门限RSA密码体制

本文了一种基于几何方式的（Ｔ,Ｎ）－门限ＲＳＡ密码体制,在这里,系统解密和签名的权力被分级Ｎ个成员,使得任意Ｔ个成员可以合作完成解和签名,而少于Ｔ个成员时则无法解密无文件或伪造签名。     

RSA-Based Undeniable Signatures

We present the first undeniable signatures scheme based on RSA. Since their introduction in 1989 a significant amount of work has been devoted to the investigation of undeniable signatures. So far, this work has been based on discrete log systems. In contrast, our scheme uses regular RSA signatures to generate undeniable signatures. In this new setting, both the signature and verification exponents of RSA are kept secret by the signer, while the public key consists of a composite modulus and a sample RSA signature on a single public message. Our scheme possesses several attractive properties. First, provable security, as forging the undeniable signatures is as hard as forging regular RSA signatures. Second, both the confirmation and denial protocols are zero-knowledge. In addition, these protocols are efficient (particularly, the confirmation protocol involves only two rounds of communication and a small number of exponentiations). Furthermore, the RSA-based structure of our scheme provides with simple and elegant solutions to add several of the more advanced properties of undeniable signatures found in the literature, including convertibility of the undeniable signatures (into publicly verifiable ones), the possibility to delegate the ability to confirm and deny signatures to a third party without giving up the power to sign, and the existence of distributed (threshold) versions of the signing and confirmation operations. Due to the above properties and the fact that our undeniable nsignatures are identical in form to standard RSA signatures, the scheme we present becomes a very attractive candidate for practical implementations. Received 25 July 1997 and revised 5 November 1998     

A Short and Efficient Redactable Signature Based on RSA

The redactable signature scheme was introduced by Johnson and others in 2002 as a mechanism to support disclosing verifiable subdocuments of a signed document. In their paper, a redactable signature based on RSA was presented. In 2009, Nojima and others presented a redactable signature scheme based on RSA. Both schemes are very efficient in terms of storage. However, the schemes need mechanisms to share random prime numbers, which causes huge time consuming computation. Moreover, the public key in the scheme of Johnson and others is designed to be used only once. In this paper, we improve the computational efficiency of these schemes by eliminating the use of a random prime sharing mechanism while sustaining the storage efficiency of them. The size of our signature scheme is the same as that of the standard RSA signature scheme plus the size of the security parameter. In our scheme, the public key can be used multiple times, and more efficient key management than the scheme of Johnson and others is possible. We also prove that the security of our scheme is reduced to the security of the full domain RSA signature scheme.     

基于新型秘密共享方法的高效RSA门限签名方案

针对传统的门限RSA签名体制中需对剩余环Z(N)中元素求逆(而环中元素未必有逆)的问题,该文首先提出一种改进的Shamir秘密共享方法。 该方法通过在整数矩阵中的一系列运算来恢复共享密钥。由于其中涉及的参数均为整数,因此避免了传统方案中由Lagrange插值公式产生的分数而引起的环Z(N)中的求逆运算。然后基于该改进的秘密共享方法给出了一个新型的门限RSA Rivest Shanair Atleman签名方案。由于该方案无须在任何代数结构(比如Z(N))中对任何元素求逆,也无须进行代数扩张,因此在实际应用中更为方便、有效。     

矢量空间RSA数字签名方案

基于矢量空间秘密共享方案和RSA签名方案提出了一种新的签名方案，即矢量空间RSA签名方案，该方案包括文献[1]中方案作为其特殊情况。在该方案中，N个参与者共享RSA签名方案的秘密密钥，能保证矢量空间访问结构I中参与者的授权子集产生有效的RSA群签名，而参与者的非授权子集不能产生有效的RSA群签名。     

基于中国剩余定理的门限RSA签名方案的改进

针对基于中国剩余定理的门限RSA签名方案无法签署某些消息,以及部分签名合成阶段运算量大的问题,论文提出一种基于虚拟群成员的改进方法,使得改进后的方案能够签署所有消息,同时能够极大地减少部分签名合成阶段的运算量,当门限值为10时,可以将部分签名合成阶段的运算量减少为原来的1/6。对改进方案进行了详细的安全性和实用性分析。结果表明,改进方案在适应性选择消息攻击下是不可伪造的,且其运算效率较其他门限RSA签名方案更高。     

On the Importance of Eliminating Errors in Cryptographic Computations

We present a model for attacking various cryptographic schemes by taking advantage of random hardware faults. The model consists of a black-box containing some cryptographic secret. The box interacts with the outside world by following a cryptographic protocol. The model supposes that from time to time the box is affected by a random hardware fault causing it to output incorrect values. For example, the hardware fault flips an internal register bit at some point during the computation. We show that for many digital signature and identification schemes these incorrect outputs completely expose the secrets stored in the box. We present the following results: (1) The secret signing key used in an implementation of RSA based on the Chinese Remainder Theorem (CRT) is completely exposed from a single erroneous RSA signature, (2) for non-CRT implementations of RSA the secret key is exposed given a large number (e.g. 1000) of erroneous signatures, (3) the secret key used in Fiat—Shamir identification is exposed after a small number (e.g. 10) of faulty executions of the protocol, and (4) the secret key used in Schnorr's identification protocol is exposed after a much larger number (e.g. 10,000) of faulty executions. Our estimates for the number of necessary faults are based on standard security parameters such as a 1024-bit modulus, and a 2 ^-40 identification error probability. Our results demonstrate the importance of preventing errors in cryptographic computations. We conclude the paper with various methods for preventing these attacks. Received July 1997 and revised August 2000 Online publication 27 November, 2000     

一个高效的基于身份和RSA的紧致多重数字签名方案

紧致多重数字签名是指多个用户对同一个消息进行多重签名,所得多重签名的长度和单个用户签名的长度相当。该文提出一个高效的基于身份和RSA的紧致多重签名方案。签名和验证的效率比Bellare和Neven的多重签名方案提高了接近50%,多重签名的长度和单个RSA签名长度相当,因为使用了基于身份的公钥密码,新方案很好地实现了多重签名的紧致性目标。在随机预言模型和RSA假设下证明了方案的安全性。     

拥有RSA数字签名的零知识证明

提出了一种拥有RSA数字签名的零知识证明方案。该方案给出了防止RSA数字签名任意传播的一种新方法——签名者不直接提供对信息M的签名,而是提供拥有对该信息的数字签名的一个零知识证明。该方案是可证实数字签名的改进,但比证实签名简单且不需要第三方的参与。本文中给的方案,可广泛应用于信息产品的版权保护中。1     

Player Simulation and General Adversary Structures in Perfect Multiparty Computation

The goal of secure multiparty computation is to transform a given protocol involving a trusted party into a protocol without need for the trusted party, by simulating the party among the players. Indeed, by the same means, one can simulate an arbitrary player in any given protocol. We formally define what it means to simulate a player by a multiparty protocol among a set of (new) players, and we derive the resilience of the new protocol as a function of the resiliences of the original protocol and the protocol used for the simulation. In contrast to all previous protocols that specify the tolerable adversaries by the number of corruptible players (a threshold), we consider general adversaries characterized by an adversary structure, a set of subsets of the player set, where the adversary may corrupt the players of one set in the structure. Recursively applying the simulation technique to standard threshold multiparty protocols results in protocols secure against general adversaries. The classical results in unconditional multiparty computation among a set of n players state that, in the passive model, any adversary that corrupts less than n/2 players can be tolerated, and in the active model, any adversary that corrupts less than n/3 players can be tolerated. Strictly generalizing these results we prove that, in the passive model, every function (more generally, every cooperation specified by involving a trusted party) can be computed securely with respect to a given adversary structure if and only if no two sets in the adversary structure cover the full set of players, and, in the active model, if and only if no three sets cover the full set of players. The complexities of the protocols are polynomial in the number of maximal adverse player sets in the adversary structure. Received 31 December 1997 and revised 26 February 1999     

A THRESHOLD BLIND SIGNATURE FROM WEIL PAIRING ON ELLIPTIC CURVES

The idea behind a （t, n） threshold blind signature is that a user can ask at least t out of n players of a group to cooperate to generate a signature for a message without revealing its content, This paper first presents a new blind signature scheme from Weil pairing on elliptic curves. Based on this scheme, a threshold blind signature scheme is proposed. It is efficient and has the security properties of robustness and unforgeability. In the proposed scheme, the group manger is introduced to take the role of distributing the group secret key to each player, However, he cannot forge the players to generate partial blind signatures （Each partial blind signature depends on not only the secret key of the player, but also a random number the player picks）. Compared with a threshold signature with a trusted third party, its advantage is obvious; Compared with a threshold signature without a trusted third party, it is more simple and efficient.     

Structure-Preserving Signatures and Commitments to Group Elements

A modular approach to constructing cryptographic protocols leads to simple designs but often inefficient instantiations. On the other hand, ad hoc constructions may yield efficient protocols at the cost of losing conceptual simplicity. We suggest a new design paradigm, structure-preserving cryptography, that provides a way to construct modular protocols with reasonable efficiency while retaining conceptual simplicity. A cryptographic scheme over a bilinear group is called structure-preserving if its public inputs and outputs consist of elements from the bilinear groups and their consistency can be verified by evaluating pairing-product equations. As structure-preserving schemes smoothly interoperate with each other, they are useful as building blocks in modular design of cryptographic applications. This paper introduces structure-preserving commitment and signature schemes over bilinear groups with several desirable properties. The commitment schemes include homomorphic, trapdoor and length-reducing commitments to group elements, and the structure-preserving signature schemes are the first ones that yield constant-size signatures on multiple group elements. A structure-preserving signature scheme is called automorphic if the public keys lie in the message space, which cannot be achieved by compressing inputs via a cryptographic hash function, as this would destroy the mathematical structure we are trying to preserve. Automorphic signatures can be used for building certification chains underlying privacy-preserving protocols. Among a vast number of applications of structure-preserving protocols, we present an efficient round-optimal blind-signature scheme and a group signature scheme with an efficient and concurrently secure protocol for enrolling new members.     

一种基于RSA密码体制的盲签名方案

盲签名是一种重要的密码与计算机网络安全技术,它的使用可以保证所传送的信息不被篡改和伪造。在盲签名方案中,消息的内容对签名者是不可见的,签名被泄露后,签名者不能追踪其签名。论文基于RSA密码体制,利用扩展Euclidean算法构造了一种不可跟踪盲签名方案。     

基于博弈论的门限签名体制分析与构造

为了使门限签名体制更具有普适性,引入了“理性参与人”的概念,将所有参与者视为理性的个体,任何阶段以最大化自身利益为目标。基于博弈论对密钥生成和签名合成阶段各参与者的策略和效用进行了分析,证明了在传统门限签名方案中理性参与者没有动机参与签名,导致无法完成对消息的签名,并提出了理性密钥分发和理性签名合成的解决机制。经分析该方法能更好地满足实际需求。     

一种高效群签名方案的密码学分析

2005年,张键红等提出了一种基于RSA的高效群签名方案,签名与验证的计算量只需要9次模幂乘运算。该文提出了一种伪造攻击方案指出张等的方案是不安全的,任一群成员在撤消中心的帮助下可以不利用自己的秘密参数对任何消息生成有效的群签名。同时,指出了群成员的识别算法是错误的,身份追踪式是与具体签名无关的常量,即身份追踪算法无法追踪到真实的签名者。最后,指出了他们的方案具有关联性。     

Identity-based key-insulated proxy signature

In proxy signature schemes, the proxy signer B is permitted to produce a signature on behalf of the original signer A. However, exposure of proxy signing keys can be the most devastating attack on a proxy signature scheme since any adversary can sign messages on behalf of the proxy signer. In this paper, we applied Dodis, et al.’s key-insulation mechanism and proposed an Identity-Based (ID-based) Key-Insulated Proxy Signature (IBKIPS) scheme with secure key-updates. The proposed scheme is strong key-insulated and perfectly key-insulated. Our scheme also supports unbounded period numbers and random-access key-updates.     

一个可验证的门限多秘密分享方案

基于离散对数计算和大整数分解的困难性,利用RSA加密体制提出了一个新的门限多秘密分享方案.该方案通过零知识证明等协议来防止秘密分发者和秘密分享者的欺诈行为,因而是一个可验证的门限多秘密分享方案.该方案还具有:秘密影子可重复使用;子秘密影子可离线验证;供分享的秘密不须事先作预计算等特点.该方案可用于会议密钥(秘密)分配、安全多方计算、门限数字签名等应用领域.     

A SECURE THRESHOLD GROUP SIGNATURE SCHEME

The threshold group signature is an important kind of signature. So far, many threshold group signature schemes have been proposed, but most of them suffer from conspiracy attack and are insecure. In this paper, a secure threshold group signature scheme is proposed.It can not only satisfy the properties of the threshold group signature, but also withstand the conspiracy attack.     

办公自动化系统中数字签名应用研究

数字签名是保证信息安全的一种重要手段,针对安全要求级别不同的办公自动化系统信息,利用椭圆曲线数字签名算法（ECDSA）具有较短的密钥长度和较高的安全强度,及公钥加密算法（RSA）具有密钥加解密的可逆性特点,设计了两种不同的方案,即基于RSA密钥的原文及其摘要签名策略,及基于RSA和ECC的3套密钥签名策略,并对方案的功能性和安全性进行了分析,保障办公信息的身份认证和传输的完整性和保密性,解决了办公自动化系统存在的一些安全隐患。