IND-CCA2完全匿名的高效短群签名方案*

基于DDH、TCRv、KEA3假设下的改进Cramer-Shoup加密方案和SDH假设,提出一种新的SDH问题的零知识证明协议,并基于此协议构造了一种在BMW模型下可证明安全的短群签名方案,该方案具有IND-CCA2完全匿名性,签名长度仅为1 193 bit。与最近其他方案相比,该方案以强假设为代价提高系统的效率并缩短签名长度。     

IND-CCA2完全匿名的高效短群签各方案

基于DDH、TCRv、KEA3假设下的改进Cramer—Shoup加密方案和SDH假设,提出一种新的SDH问题的零知识证明协议,并基于此协议构造了一种在BMW模型下可证明安全的短群签名方案,该方案具有IND-CCA2完全匿名性,签名长度仅为1／93bit。与最近其他方案相比,该方案以强假设为代价提高系统的效率并缩短签名长度。     

一种新的无随机预言的短群签名方案

在BBS短群签名方案的基础上,基于SDH假设和判定性线性假设,提出了一种标准模型下的短群签名方案.并证明了方案的安全性满足完全匿名性和完全可追踪性.与目前最新的在标准模型下已证明安全的方案相比,该方案具有较短的签名长度和更高的运行效率,且允许新成员的加入.     

一种适合大群组的完全匿名的短群签名*

基于CS98加密方案和SDH假设,提出一种新的三元组(A,x,y)的零知识证明协议,并基于此协议构造了一种可证明安全的短群签名方案。该方案具有INDCCA2完全匿名性,允许新成员动态加入,并且群管理员不能伪造任何成员的签名,具有不可陷害性。签名长度仅为1 534 bit。     

新的无随机预言的短群签名方案

在BBS短群签名方案的基础上,基于强Diffie-Hellman(SDH)假设和判定性线性Diffie-Hellman假设,提出了一种标准模型下的短群签名方案。并证明了方案的安全性满足完全匿名性和完全可追踪性。与目前较新的在标准模型下已证明安全的方案相比,该方案具有较短的签名长度和更高的运行效率,且允许新成员的加入。     

一种新的（A，x，y）知识的零知识证明协议

基于线性假设下的Cramer-shoup加密方案和SDH假设,提出一种新的（A,x,y）知识的零知识证明协议。该协议比文献中SDH对（A,x）知识的零知识证明协议多了一个参数。     

一种新的(A,x,y)知识的零知识证明协议

基于线性假设下的Cramer-shoup加密方案和SDH假设,提出一种新的(A,x,y)知识的零知识证明协议。该协议比文献[2]中SDH对(A,x)知识的零知识证明协议多了一个参数。     

标准模型下的高效短群签名

基于SDH假设下BB签名方案,构造了一个两层签名方案,通过应用合理的假设和非交互知识证明系统,提出了一种标准模型下完全匿名的动态短群签名方案,并证明了该方案满足BSZ模型的安全需求.与最近的其他方案相比,该方案具有较高的运行效率和较短的签名长度,且允许新成员的动态加入,群管理员不能伪造成员的签名.     

具有可追查性的抗合谋攻击门限签名方案

好的门限签名方案应该具有很高的安全性,能够检测出任意不诚实成员的欺诈行为,同时能实现签名的匿名性和可追查性,并能抵抗合谋攻击和各种伪造性攻击。通过密码学分析和算法结构设计,首先讨论了实现门限签名匿名性和可追查性的一种有效方法,然后基于Waters基础签名方案,引入Gennaro分布式密钥生成协议、可验证秘密共享技术及部分签名验证协议,提出了一个具有匿名性和可追查性,抗合谋攻击及其他各种伪造性攻击,部分签名可验证的（t,n）门限签名方案,并在离散对数问题和双线性对逆运算问题两个困难问题假设下,给出了方案安全性的详细证明。     

环签名的通用可组合安全模型及其应用研究

环签名是一种匿名签名技术,能保证签名用户的无条件匿名性.针对目前环签名协议只考虑单一协议执行时的安全性这一问题,定义了环签名在通用可组合框架下的安全模型,证明其等价于基于游戏的安全模型,并以前向安全环签名协议为例描述了如何应用环签名的通用可组合安全模型来设计复杂协议,为签名协议的模块化设计提供了理论依据.     

A new provably secure certificateless short signature scheme

Certificateless public key cryptography simplifies the complex certificate management in the traditional public key cryptography and resolves the key escrow problem in identity-based cryptography. In 2007, Huang et al. revisited the security models of certificateless signature scheme. They classified adversaries according to their attack power into normal, strong, and super adversaries (ordered by their attack power). Recently, Du and Wen proposed a short certificateless signature scheme and presented that their scheme is secure against the strong adversary in the random oracle model. In this paper, we show that their short signature scheme is insecure against the strong adversary. We then propose a new short certificateless signature scheme which is secure against the super adversary. Our scheme is the first certificateless signature scheme which satisfies both the strongest security level and the shortest signature length.     

Security weaknesses of a signature scheme and authenticated key agreement protocols

At ACISP 2012, a novel deterministic identity-based (aggregate) signature scheme was proposed that does not rely on bilinear pairing. The scheme was formally proven to be existentially unforgeable under an adaptive chosen message and identity attack. The security was proven under the strong RSA assumption in the random oracle model. In this paper, unfortunately, we show that the signature scheme is universally forgeable, i.e., an adversary can recover the private key of a user and use it to generate forged signatures on any messages of its choice having on average eight genuine signatures. This means, that realizing a deterministic identity-based signature scheme in composite order groups is still an open problem. In addition, we show that a preliminary version of the authenticated key exchange protocol proposed by Okamoto in his invited talk at ASIACRYPT 2007 is vulnerable to the key-compromise impersonation attack and therefore cannot be secure in the eCK model. We also show that the two-party identity-based key agreement protocol of Hölbl et al. is vulnerable to the unknown key-share attack.     

Ciphertext verification security of symmetric encryption schemes

This paper formally discusses the security problem caused by the ciphertext verification,presenting a new security notion named IND-CVA(indistinguishability under ciphertext verification attacks) to characterize the privacy of encryption schemes in this situation. Allowing the adversary to access to both encryption oracle and ciphertext verification oracle,the new notion IND-CVA is slightly stronger than IND-CPA(indistinguishability under chosen-plaintext attacks) but much weaker than IND-CCA(indistinguisha...     

一个基于椭圆曲线的可证明安全签密方案*

签密能够在一个合理的逻辑步骤内同时完成数字签名和加密两项功能。与实现信息保密性和认证性的先签名后加密方案相比,签密具有较低的计算和通信代价。提出一个基于椭圆曲线的签密方案,能够同时完成数字签名和加密两项功能。基于可证明安全性理论,在GDH(gap Diffie-Hellman)问题难解的假设之下,该方案在随机预言机模型中被证明是安全的。该方案能够抵御自适应选择明文/密文攻击。     

A provable secure fuzzy identity based signature scheme

To use biometrics identities in an identity based encryption system,Sahai and Waters first introduced the notion of fuzzy identity based encryption(FIBE) in 2005.Yang et al.extended it to digital signature and introduced the concept of fuzzy identity based signature(FIBS) in 2008,and constructed an FIBS scheme based on Sahai and Waters’s FIBE scheme.In this paper,we further formalize the notion and security model of FIBS scheme and propose a new construction of FIBS scheme based on bilinear pairing.The proposed scheme not only provides shorter public parameters,private key and signature,but also have useful structures which result in more efficient verification than that of Yang et al.’s FIBS scheme.The proposed FIBS scheme is proved to be existentially unforgeable under a chosen message attack and selective fuzzy identity attack in the random oracle model under the discrete logarithm assumption.     

A New Public-Key Encryption Scheme

This paper proposes a new public-key encryption scheme which removes one element from the public-key tuple of the original Cramer-Shoup scheme. As a result, a ciphertext is not a quadruple but a triple at the cost of a strong assumption, the third version of knowledge of exponent assumption （KEA3）. Under assumptions of KEA3, a decision Diffie-Hellman （DDH） and a variant of target collision resistance （TCRv）, the new scheme is proved secure against indistinguishable adaptive chosen ciphertext attack （IND-CCA2）. This scheme is as efficient as Damgard ElGamal （DEG） scheme when it makes use of a well-known algorithm for product of exponentiations. The DEG scheme is recently proved IND-CCA1 secure by Bellare and Palacio in ASIACRYPT 2004 under another strong assumption. In addition to our IND-CCA2 secured scheme, we also believe that the security proof procedure itself provides a well insight for ElGamal-based encryption schemes which are secure in real world.     

Aleakage-resilient certificateless public key encryption scheme with CCA2 security

In recent years, much attention has been focused on designing provably secure cryptographic primitives in the presence of key leakage. Many constructions of leakage-resilient cryptographic primitives have been proposed. However, for any polynomial time adversary, most existing leakage-resilient cryptographic primitives cannot ensure that their outputs are random, and any polynomial time adversary can obtain a certain amount of leakage on the secret key from the corresponding output of a cryptographic primitive. In this study, to achieve better performance, a new construction of a chosen ciphertext attack 2 (CCA2) secure, leakage-resilient, and certificateless public-key encryption scheme is proposed, whose security is proved based on the hardness of the classic decisional Diffie-Hellman assumption. According to our analysis, our method can tolerate leakage attacks on the private key. This method also achieves better performance because polynomial time adversaries cannot achieve leakage on the private key from the corresponding ciphertext, and a key leakage ratio of 1/2 can be achieved. Because of these good features, our method may be significant in practical applications.