Cryptanalysis of a Generalized Ring Signature Scheme

The concept of ring signature was first introduced by Rivest et al. in 2001. In a ring signature, instead of revealing the actual identity of the message signer, it specifies a set of possible signers. The verifier can be convinced that the signature was indeed generated by one of the ring members; however, the verifier is unable to tell which member actually produced the signature. A convertible ring signature scheme allows the real signer to convert a ring signature into an ordinary signature by revealing secret information about the ring signature. Thus, the real signer can prove the ownership of a ring signature if necessary, and the the other members in the ring cannot prove the ownership of a ring signature. Based on the original ElGamal signature scheme, a generalized ring signature scheme was proposed for the first time in 2008. The proposed ring signature can achieve unconditional signer ambiguity and is secure against adaptive chosen-message attack in the random oracle model. By comparing to ring signatures based on RSA algorithm, the authors claimed that the proposed generalized ring signature scheme is convertible. It enables the actual message signer to prove to a verifier that only she is capable of generating the ring signature. Through cryptanalysis, we show that the convertibility of the generalized ring signature scheme cannot be satisfied. Everyone in the ring signature has the ability to claim that she generates the generalized ring signature.     

Comment on Saeednia et al.'s strong designated verifier signature scheme

In 1996, Jakobsson et al. proposed a designated verifier signature scheme in which only one specified person, called a designated verifier, can be convinced of the validity of the signature and the identity of the signer. This is possible by giving the designated verifier the ability to simulate a signature him/herself in an indistinguishable way. Therefore, the other third party cannot determine whether the signature is from the signer or the designated verifier. However, in some circumstances, the third party may be convinced that a signature intended for the designated verifier is actually generated by the signer.In 2003, Saeednia et al. proposed a strong designated verifier signature scheme to overcome this problem. However, we found that Saeednia et al.'s scheme would reveal the identity of the signer if the secret key of this signer is compromised. In this paper, we provide a new strong designated verifier signature scheme that provides signer ambiguity, even if the secret key of the signer is compromised. We also analyze the proposed scheme.     

Proxy-protected signature secure against the undelegated proxy signature attack

The proxy signature scheme enables an original signer to delegate his/her signing capability to a designated proxy signer, thereby the proxy signer can sign messages on behalf of the original signer. Recently, Zhou et al. proposed two proxy-protected signature schemes. One is based on the RSA problem and the other is based on the integer factorization problem. In this paper, however, we point out that Zhou et al.’s schemes are insecure against undelegated proxy signature attack because any user without the delegation of the original signer can generate a valid proxy signature. To solve this problem, an improved scheme is proposed and its security is analyzed.     

基于双线性对的具有已知签名人的门限代理签名方案

（t,n）门限代理签名是代理签名的一种变形,其代理签名密钥由原始签名者指定n个代理签名者分享保存,只有t个或更多的代理签名者才能代表原始签名者产生对消息的签名。最近,钱海峰等人提出了一个基于双线性对的门限代理签名方案。不幸的是。本文显示了钱海峰等人的方案易受伪造攻击,即一小敌手能够伪造任意消息的门限代理签名。此外,钱海峰等人的方案还存在代理签名者能够任意更改门限值这一缺陷,而对此无论是原始签名者还是验证者都无法发现,这一点可能违背原始签名者的意图。本文提出了一个新的门限代理签名方案,新方案克服了钱海峰等人的上述缺陷。     

对两种基于离散对数代理盲签名的分析

高炜等人和Yu Bao-zheng等人分别提出了两种基于离散对数的代理盲签名方案。对这两种方案进行了安全性分析。研究表明,这两种方案存在以下不足之处：高炜等人的代理盲签名方案是对谭等方案的改进,新的方案仍然具有可连接性,即代理签名者可以从一个合法的代理盲签名中恢复出此签名的中间值从而跟踪消息的拥有者。Yu Bao-zheng等人的代理盲签名方案同样具有可连接性的缺点。除此之外,用户可以通过自己持有的代理盲签名信息恢复出代理签名私钥,从而可以冒充代理签名者伪造消息m的代理盲签名或者直接利用一个合法的代理盲签名伪造出其它消息的合法代理盲签名。为了避免上述不足之处,给出了一个防止代理签名者连接性攻击的改进方案。     

Comment on “The enhanced quantum blind signature protocol”

Recently, Yang et al. (Quantum Inf Process 12:109–117, 2013) proposed an enhancement on a quantum blind signature based on the two-state vector formalism, afterward a special attack strategy on Yang et al.’s enhanced scheme is put forward, in which the dishonest signer can illegally reveal 25 % of the message of the blind signature requester, but an effective solution has not been presented in their paper. In this paper, we further analyze Yang el al.’s enhanced scheme and find that there is another potential loophole which the blind signature requester can forge the message signer’s signature. Then, an improvement scheme is proposed. Finally, analysis results show that our improved scheme can withstand the blind signature requester’s forgery attack and the above special attack strategy, and our quantum efficiency will still be the same as the primary scheme.     

对一个代理环签名方案的分析和改进

通过对Yu等人提出的代理环签名方案进行分析,发现该方案不能抵抗伪造攻击。针对该方案的这一缺陷,提出了一个新的代理签名方案。新方案不仅满足代理签名的各种性质,并且还满足环签名的匿名性。     

A novel identity-based strong designated verifier signature scheme

Unlike ordinary digital signatures, a designated verifier signature scheme makes it possible for a signer to convince a designated verifier that she has signed a message in such a way that the designated verifier cannot transfer the signature to a third party. In a strong designated verifier signature scheme, no third party can even verify the validity of a designated verifier signature, since the designated verifier’s private key is required in the verifying phase. Firstly, this paper proposes the model of identity-based strong designated verifier signature scheme based on bilinear pairings by combining identity-based cryptosystem with the designated verifier signature scheme, and then, provides one concrete strong identity-based designated verifier signature scheme, which has short size of signature, low communication and computational cost. We provide security proofs for our scheme.     

Improved convertible authenticated encryption scheme with provable security

Convertible authenticated encryption (CAE) schemes allow a signer to produce an authenticated ciphertext such that only a designated recipient can decrypt it and verify the recovered signature. The conversion property further enables the designated recipient to reveal an ordinary signature for dealing with a later dispute over repudiation. Based on the ElGamal cryptosystem, in 2009, Lee et al. proposed a CAE scheme with only heuristic security analyses. In this paper, we will demonstrate that their scheme is vulnerable to the chosen-plaintext attack and then further propose an improved variant. Additionally, in the random oracle model, we prove that the improved scheme achieves confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) and unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA).     

一种无证书的代理环签名方案

2003年,Zhang等人提出了代理环签名方案,具有代理签名和环签名的优点,在代理人代表授权人签名时,能提供代理人的匿名性。鉴于无证书密码体制的优点,在一种无证书的环签名的基础上,并在授权时采用短签名方案,提出一种无证书的代理环签名方案,该方案不需要证书的管理,也没有密钥的托管问题,并且满足代理环签名所要求的可验证性,无条件匿名性,不可伪造性,不可否认性,可鉴别性等性质。     

一个改进的强代理签名方案

数字签名是密码学的重要问题之一;代理签名是一种特殊的数字签名,它是指当某个签名人（原始签名人）由于某种原因不能签名时,将签名权委托给他人（代理签名人）替自己行使签名权。回顾了Lee等人提出的强代理签名方案和代理多签名方案以及Sun等人提出对其强不可伪造性的分析。在强代理签名方案的基础上,提出了改进的强代理签名方案,该方案具有强不可伪造性,从而可以有效地防止原始签名人对代理签名人进行恶意攻击,并将其推广到代理多签名方案中。     

Generalized Ring Signatures

Ring signature was first introduced in 2001. In a ring signature, instead of revealing the actual identity of the message signer, it specifies a set of possible signers. The verifier can be convinced that the signature was indeed generated by one of the ring members, however, she is unable to tell which member actually produced the signature. In this paper, we propose a generalized ring signature scheme and a generalized multi-signer ring signature based on the original ElGamal signature scheme. The proposed ring signature can achieve unconditional signer ambiguity and is secure against adaptive chosen-message attacks in the random oracle model. Comparing to ring signature based on RSA algorithm, the proposed generalized ring signature scheme has three advantages: (1) all ring members can share the same prime number and all operations can be performed in the same domain; (2) by combining with multi-signatures, we can develop the generalized multi-signer ring signature schemes to enforce cross-organizational involvement in message leaking. It may result in a higher level of confidence or broader coverage on the message source; and (3) the proposed ring signature is a convertible ring signature. It enables the actual message signer to prove to a verifier that only she is capable of generating the ring signature.     

一个门限代理签名方案的改进

1996年Mambo,Usuba和Okamoto提出了代理签名的概念，即在一个代理签名方案中，一个被指定的代理签名人可以代表原始签名人生成有效的代理签名，Mambo,Usuda和Okamoto指出代理签名方案应满足不可否认性，可验证性，不可伪造性，可区分性等性质并给出3种类型的代理签名：完全代理签名，部分代理签名和带有授权证书的代理签名，Sun,Lee和Hwang提出了一个门限代理签名方案（记为S－L－H方案），分析克服了由Zhang和Kim等提出的门限代理签名方案的缺点并给出了一个改进方案，这里指出S－L－H方案不能抵抗公钥替换攻击，并给出了一个改进的门限代理签名方案，进一步利用零知识的思想给出了抵抗公钥替换攻击的一般方法，改进后的方案除具有S－L－H方案的安全性外，还具有不可否认性，不使用安全信道，能抵抗公钥替换攻击和全谋攻击等特点。     

An efficient anonymous proxy signature scheme with provable security

Since the concept of proxy signature was introduced in 1996, many proxy signature schemes have been proposed. Among of them, the requirement of proxy signer's privacy protection is needful in some practical applications. In this paper, a new and provably secure anonymous proxy signature scheme from bilinear pairing, which is the organic combination of proxy signature and ring signature, is proposed to provide the privacy protection for the proxy signer. As for the security analysis, we classify the adversaries into three types according to different resources they can obtain and prove in the random oracle model that, the proposed scheme is unforgeable against all kinds of adversaries. Compared with Zhang et al.'s proxy ring signature scheme proposed in 2003, our scheme is more efficient in computation.     

具有高安全性的指定验证者签名方案

分析指定验证者签名方案的安全性,通过引入签名者秘密信息,实现具有高安全性的指定验证者签名方案。克服原有方案中攻击者能在不知道指定验证者私钥的情况下实现签名验证的问题。该方案能保证签名不可区分,实现签名的不可抵赖性和密钥生成中心的不可诬陷性。与原有安全模式相比,其安全性更高。     

On the transferability of private signatures

In some situations, a user wants to sign a message in such a way that only a designated verifier is convinced of the validity of the signature, whereas other users cannot distinguish whether the signer has signed this message at all. In some cases, the signer may want to preserve this level of privacy forever, which means that the initial verifier should not be able to convince anyone else of the fact that the signer signed the message. In some other cases, the signer may want to give the initial verifier the possibility to transfer his conviction to someone else (maybe to everybody), when/if desired.In this paper we review this notion of private signatures, focusing on the level of transferability desired by the signer. We first consider the two extreme cases (non-transferability and complete transferability) which can be generically and efficiently solved by using very basic cryptographic primitives, as we show in this paper. Then we consider a case with partial transferability, for which we propose a generic solution based on the primitive of distributed ring signatures.     

基于离散对数的代理盲签名方案

通过对Tan等人的基于离散对数的代理盲签名方案进行分析,指出该方案不满足不可伪造性,利用一般性的伪造攻击方法,原始签名人和签名接收者都可以伪造一个有效的签名,同时当签名被公开后,代理签名人可以将盲消息的签名和消息签名联系起来,即签名是可追踪的。在此基础上提出了一种新方案,新方案不仅克服了原方案存在的安全缺陷,还具备签名速度快的特性。     

Forgery attacks on Kang et al.’s identity-based strong designated verifier signature scheme and its improvement with security proof

Recently, Kang et al. proposed a new identity-based strong designated verifier signature scheme (ID-SDVS) and identity-based designated verifier proxy signature scheme (ID-DVPS). They claimed that their schemes are unforgeable. However, we found out that their schemes are universally forgeable in the sense that anyone can forge valid ID-SDVS and ID-DVPS on an arbitrary message without the knowledge of the secret key of either the signer or the designated verifier. Finally, we propose an improved ID-SDVS which is unforgeable. We give formal security proof of universal unforgeability of our scheme. We also give an improved ID-DVPS.     

代理盲签名方案的安全性分析

代理签名是指原始签名人将签名权力委托给代理签名人,由代理签名人代表原始签名人对消息进行签名。盲签名是指签名人不知道所签消息的具体内容。Zhao和Liu结合代理签名和盲签名的特性提出了一种代理盲签名,该文指出Zhao和Liu提出的代理盲签名方案存在广泛的伪造攻击、原始签名人的伪造攻击和消息拥有者的伪造攻击等安全缺陷,并提出了改进的方案,改进后的方案可以有效地避免原始签名人和消息拥有者的伪造攻击。     

紧安全的环签名构造

对于一个密码方案而言,如何在安全证明中降低归约损失、实现紧归约是一个重要的问题。因为一般来说归约损失越大,就需要更大的参数来保证方案的理论安全强度,而在部署一个紧安全的密码方案的时候,则不需要牺牲效率来弥补归约损失。在这篇文章中,我们关注紧安全的环签名构造。环签名在2001年由Rivest等人首次提出,它允许用户在隐藏自己身份的同时进行签名,任何人都不能破坏环签名的匿名性,同时敌手不能冒充任意一个环成员生成相应的有效签名。虽然目前已有多种环签名的构造方案,但证明过程中的归约损失是高效实现的一大阻碍。在本文中,我们基于DDH假设在随机预言机模型下提出了一种环签名方案,其中安全证明的归约损失仅为常数,因此称为紧安全的环签名构造。在构造中,我们令每个用户的公钥由两个子公钥构成,用户私钥为其中一个子公钥对应的子私钥,再基于Goh与Jarecki提出的紧安全的EDL签名方案,我们利用标准的CDS变换构造了一个1/N-DDH非交互零知识证明系统,从而证明用户拥有有效的私钥,得到相应的环签名方案。得益于这种特殊的构造,在安全证明中我们不必使用分叉引理,也不必猜测敌手的目标公钥,从而实现了紧安全归约。...