Similar documents
1.
In a designated-verifier proxy signature, the original signer delegates signing authority to a proxy signer, who can sign messages on the original signer's behalf, but only the designated verifier can be convinced of the signature's validity. All known security proofs for designated-verifier proxy signature schemes are given in the random oracle model. Building on the Waters signature scheme, this paper proposes the first designated-verifier proxy signature scheme that is provably secure without random oracles. Under the weak Gap Bilinear Diffie-Hellman assumption, the proposed scheme is proven existentially unforgeable under adaptive chosen-message attacks.

2.
The framework of digital signatures based on qualified certificates and the X.509 architecture is known to have many security risks. Moreover, the fraud prevention mechanism is fragile and does not provide the strong guarantees that can be necessary for the flow of legal documents. Mediated signatures have been proposed as a mechanism to effectively disable signature cards. In this paper we propose further mechanisms that can be applied on top of mediated RSA, compatible with the standard format, but providing security guarantees even in the case when RSA becomes broken or the keys are compromised. The solution is immune to kleptographic attacks, as only deterministic algorithms are used on the user's side.

3.
鲁晓彬  鲍皖苏  李发达  田礼 《电子学报》2012,40(10):2021-2025
Starting from the public keys of the MI and TPM families of multivariate public-key cryptosystems, this paper mixes the two using the "minus" method and proposes a new way of constructing the central map of multivariate digital signature schemes, yielding a multivariate digital signature scheme based on the MI/TPM mix. The scheme effectively resists existing typical attacks such as high-order linearization equation attacks, rank attacks, XL and Gröbner basis attacks and differential attacks, and compared with typical multivariate signature schemes such as Rainbow and Sflashv2 it has advantages in signature length and key storage size.

4.
Signatures with partial message recovery, in which some parts of the message are not transmitted with the signature in order to shorten it, are helpful where bandwidth is one of the critical concerns. This primitive is especially used for signing short messages in applications such as time stamping, certified email services, and identity-based cryptosystems. In this paper, to obtain quantum-attack-resistant short signatures, the first signature scheme with partial message recovery based on coding theory is presented. Next, it is shown that the proposal is secure under the Goppa Parametrized Bounded Decoding and the Goppa Code Distinguishing assumptions in the random oracle model. Relying on the partial message recovery property, the proposal is shorter than the Dallot signature scheme, the only provably secure and practical code-based signature scheme, while it preserves the efficiency of the Dallot signature. We should highlight that our scheme can be used as a building block to construct short code-based signature schemes with special properties. To show this, we present a provably secure short designated verifier signature scheme, a non-transferable form of short signature, which is used in electronic voting and deniable authentication protocols.

5.
Short Signatures from the Weil Pairing
We introduce a short signature scheme based on the Computational Diffie–Hellman assumption on certain elliptic and hyperelliptic curves. For standard security parameters, the signature length is about half that of a DSA signature with a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or are sent over a low-bandwidth channel. We survey a number of properties of our signature scheme such as signature aggregation and batch verification.

6.
Security Arguments for Digital Signatures and Blind Signatures
Since the appearance of public-key cryptography in the seminal Diffie–Hellman paper, many new schemes have been proposed and many have been broken. Thus, the simple fact that a cryptographic algorithm withstands cryptanalytic attacks for several years is often considered as a kind of validation procedure. A much more convincing line of research has tried to provide "provable" security for cryptographic protocols. Unfortunately, in many cases, provable security is at the cost of a considerable loss in terms of efficiency. Another way to achieve some kind of provable security is to identify concrete cryptographic objects, such as hash functions, with ideal random objects and to use arguments from relativized complexity theory. The model underlying this approach is often called the "random oracle model". We use the word "arguments" for security results proved in this model. As usual, these arguments are relative to well-established hard algorithmic problems such as factorization or the discrete logarithm. In this paper we offer security arguments for a large class of known signature schemes. Moreover, we give for the first time an argument for a very slight variation of the well-known El Gamal signature scheme. In spite of the existential forgery of the original scheme, we prove that our variant resists existential forgeries even against an adaptively chosen-message attack. This is provided that the discrete logarithm problem is hard to solve. Next, we study the security of blind signatures, which are the most important ingredient for anonymity in off-line electronic cash systems. We first define an appropriate notion of security related to the setting of electronic cash. We then propose new schemes for which one can provide security arguments. Received 24 October 1997 and revised 22 May 1998

7.
肖斌  薛丽敏 《通信技术》2010,43(8):169-171,174
Threshold signatures generalize group signatures and are widely applied in e-commerce, identity authentication and information security. An important security requirement for threshold signatures is unforgeability. The LHL threshold signature scheme is a threshold signature scheme that needs no trusted center. Starting from a collusion attack against it, the security of the LHL scheme is analyzed and explored, and it is found that in the LHL scheme an attack mounted by forging a signature cannot pass the verification of the partial signatures. Some improvements to the shortcomings of the LHL scheme are also made so that it provides both anonymity and traceability.

8.
王彩芬  俞惠芳  王会歌  易玮 《电子学报》2007,35(10):1897-1902
Based on the GDH signature scheme, combined with a verifiably committed signature scheme, a content-extraction (redactable) signature scheme with divisible keys is proposed and proven secure in the random oracle model. On this basis, a one-to-many contract signing protocol is designed in which signatures on different contract texts can be exchanged at the same time. In this protocol the amount of signature information sent by the initiator in the worst case equals the number of participants, the amount of information relayed by the third party is effectively reduced, and the new protocol avoids the limitation of existing work that only participants in a fixed set obtain the contract, making it efficient and practical.

9.
We show that the existence of a statistically hiding bit commitment scheme with noninteractive opening and public verifiability implies the existence of fail-stop signatures. Therefore such signatures can now be based on any one-way permutation. We also show that genuinely practical fail-stop signatures follow from the existence of any collision-intractable hash function. These are the weakest assumptions known to be sufficient for fail-stop signatures. Conversely, we show that any fail-stop signature scheme with a property we call the almost unique secret key property can be transformed into a statistically hiding bit commitment scheme. All previously known fail-stop signature schemes have this property. We even obtain an equivalence, because we can modify the construction of fail-stop signatures from bit commitments such that it has this property.

10.
Hierarchical watermarking for secure image authentication with localization
Several fragile watermarking schemes presented in the literature are either vulnerable to vector quantization (VQ) counterfeiting attacks or sacrifice localization accuracy to improve security. Using a hierarchical structure, we propose a method that thwarts the VQ attack while sustaining the superior localization properties of blockwise independent watermarking methods. In particular, we propose dividing the image into blocks in a multilevel hierarchy and calculating block signatures in this hierarchy. While signatures of small blocks on the lowest level of the hierarchy ensure superior accuracy of tamper localization, higher level block signatures provide increasing resistance to VQ attacks. At the top level, a signature calculated using the whole image completely thwarts the counterfeiting attack. Moreover, "sliding window" searches through the hierarchy enable the verification of untampered regions after an image has been cropped. We provide experimental results to demonstrate the effectiveness of our method.

11.
Based on the threshold idea, this paper gives a precise definition and security model for a new kind of signature, the restricted joint-verifier signature, and constructs an efficient restricted joint-verifier signature scheme. The new scheme places both knowledge of the message and the right to verify the signature under the control of t verifiers, so that the signature can be verified if and only if the t verifiers cooperate, while the signature length does not grow with the number of verifiers. In the random oracle model the new scheme achieves the required security.

12.
We describe a short signature scheme that is strongly existentially unforgeable under an adaptive chosen message attack in the standard security model. Our construction works in groups equipped with an efficient bilinear map, or, more generally, an algorithm for the Decision Diffie-Hellman problem. The security of our scheme depends on a new intractability assumption we call Strong Diffie-Hellman (SDH), by analogy to the Strong RSA assumption with which it shares many properties. Signature generation in our system is fast and the resulting signatures are as short as DSA signatures for comparable security. We give a tight reduction proving that our scheme is secure in any group in which the SDH assumption holds, without relying on the random oracle model. An extended abstract entitled "Short Signatures Without Random Oracles" (Boneh and Boyen in Advances in Cryptology—EUROCRYPT 2004, LNCS, vol. 3027, pp. 56–73, 2004) appears in Eurocrypt 2004. Dan Boneh: Supported by NSF and the Packard Foundation.

13.
A noise-tolerant method for automatic attack signature extraction
唐勇  魏书宁  胡华平  卢锡城 《通信学报》2009,30(12):124-131
Existing signature extraction methods either lack good noise tolerance, or have some noise tolerance but poor extraction accuracy. To address this problem, and exploiting the ability of multiple sequence alignment algorithms to find the globally maximal consistent set of elements shared across sequences, a noise-tolerant signature extraction method is proposed that consists of three steps: the multiple sequence alignment algorithm ClustalW+CSR, adaptive noise elimination, and signature transformation. Experimental results show that, compared with other current network-based automatic attack signature extraction methods, this method not only extracts signatures more accurately but also has good noise tolerance.

14.
We present a protocol that allows a sender to release gradually and verifiably a secret to a receiver. We argue that the protocol can be efficiently applied to the exchange of secrets in many cases, such as when the secret is a digital signature. This includes Rabin, low-public-exponent RSA, and El Gamal signatures. In these cases, the protocol requires an interactive three-pass initial phase, after which each bit (or block of bits) of the signature can be released noninteractively (i.e., by sending one message). The necessary computations can be done in a couple of minutes on an up-to-date PC. The protocol is statistical zero-knowledge, and therefore releases a negligible amount of side information in the Shannon sense to the receiver. The sender is unable to cheat, if he cannot factor a large composite number before the protocol is completed.

15.
At CRYPTO 2006, Halevi and Krawczyk proposed two randomized hash function modes and analyzed the security of digital signature algorithms based on these constructions. They showed that the security of signature schemes based on the two randomized hash function modes relies on properties similar to the second preimage resistance rather than on the collision resistance property of the hash functions. One of the randomized hash function modes was named the RMX hash function mode and was recommended for practical purposes. The National Institute of Standards and Technology (NIST), USA standardized a variant of the RMX hash function mode and published this standard in the Special Publication (SP) 800-106. In this article, we first discuss a generic online birthday existential forgery attack of Dang and Perlner on the RMX-hash-then-sign schemes. We show that a variant of this attack can be applied to forge the other randomize-hash-then-sign schemes. We point out practical limitations of the generic forgery attack on the RMX-hash-then-sign schemes. We then show that these limitations can be overcome for the RMX-hash-then-sign schemes if it is easy to find fixed points for the underlying compression functions, such as for the Davies-Meyer construction used in the popular hash functions such as MD5 designed by Rivest and the SHA family of hash functions designed by the National Security Agency (NSA), USA and published by NIST in the Federal Information Processing Standards (FIPS). We show an online birthday forgery attack on this class of signatures by using a variant of Dean’s method of finding fixed point expandable messages for hash functions based on the Davies-Meyer construction. This forgery attack is also applicable to signature schemes based on the variant of RMX standardized by NIST in SP 800-106. We discuss some important applications of our attacks and discuss their applicability on signature schemes based on hash functions with ‘built-in’ randomization. 
Finally, we compare our attacks on randomize-hash-then-sign schemes with the generic forgery attacks on the standard hash-based message authentication code (HMAC).

16.
We present the first undeniable signature scheme based on RSA. Since their introduction in 1989 a significant amount of work has been devoted to the investigation of undeniable signatures. So far, this work has been based on discrete log systems. In contrast, our scheme uses regular RSA signatures to generate undeniable signatures. In this new setting, both the signature and verification exponents of RSA are kept secret by the signer, while the public key consists of a composite modulus and a sample RSA signature on a single public message. Our scheme possesses several attractive properties. First, provable security, as forging the undeniable signatures is as hard as forging regular RSA signatures. Second, both the confirmation and denial protocols are zero-knowledge. In addition, these protocols are efficient (in particular, the confirmation protocol involves only two rounds of communication and a small number of exponentiations). Furthermore, the RSA-based structure of our scheme provides simple and elegant solutions for adding several of the more advanced properties of undeniable signatures found in the literature, including convertibility of the undeniable signatures (into publicly verifiable ones), the possibility to delegate the ability to confirm and deny signatures to a third party without giving up the power to sign, and the existence of distributed (threshold) versions of the signing and confirmation operations. Due to the above properties and the fact that our undeniable signatures are identical in form to standard RSA signatures, the scheme we present becomes a very attractive candidate for practical implementations. Received 25 July 1997 and revised 5 November 1998

17.
姚前  陈舜  谢立 《电子学报》2007,35(4):659-662
A signature of knowledge lets a signer prove to others, non-interactively, that he knows some secret without revealing the secret itself; signatures of knowledge are now widely used in group signatures. This paper studies signatures of knowledge of a discrete logarithm with coefficients, and defines and proves several types of signature functions with coefficients. Adding coefficients to the signature function effectively widens the range of signature functions that can be chosen and increases the applicability of signatures of knowledge.

18.
To address the problem that existing application-layer payload signature extraction methods for network traffic identification are sensitive to changes in byte values in the training data, a new application-layer payload signature for network traffic that takes the bit as its smallest feature unit is first defined, and a corresponding automatic extraction method is then designed. Experiments on three commonly used standard protocols show that the automatic extraction method obtains payload signatures quickly and that identification based on these signatures is highly accurate. Experiments on the proprietary QQ application protocol show that network traffic identification using the extracted payload signatures meets the requirements for identifying QQ traffic in real networks.

19.
Network application identification is one of the core elements in network operations and management for providing enhanced network service and security. For accurate identification, an approach using common patterns called "signatures" is widely used to compensate for the limitations of traditional transport-layer port-based classification. However, our simulation results indicate that using the signatures generated by a set of well-known algorithms may lead to very poor identification performance, with less than 60% true positives even in an optimal case. To improve the quality of signatures, we present a technique in this paper which consists of two steps: (i) pairwise merging, which considers every possible combination of the initially collected signatures to reduce the specificity that makes the signatures less common; and (ii) signature reduction, which identifies the most effective signatures from the large set produced in the merging step, so as to manage the space/time complexity of the identification process for greater scalability. Our experimental results show that the proposed technique can dramatically improve performance, even with a small number of signatures (e.g., a 95% true positive rate with 30 signatures per application), which is more compact than the initial signature set.

20.
We introduce the idea of a forward-secure undetachable digital signature (FS-UDS) in this paper, which enables mobile agents to generate undetachable digital signatures with forward security of the original signer's signing key. The definition and security notion of an FS-UDS scheme are given. Then, the construction of a concrete FS-UDS scheme is proposed, and the proof of security for the proposed scheme is also provided. In the proposed scheme, mobile agents need not carry the signing key when they generate digital signatures on behalf of the original signer, so the signing key will not be compromised. At the same time, the encrypted function is combined with the original signer's requirement; therefore, misuse of the signing algorithm can be prevented. Furthermore, in the case where a hacker has accessed the signing key of the original signer, he/she is not able to forge a signature for any time period prior to when the key was obtained.
