通用可组合安全的门限签名协议

门限签名协议使得签名团体中任何t个参与者合作可以生成某个消息的有效签名;而少于t个参与者就无法得到该消息的合法签名.目前关于门限签名协议的安全性研究只是专注于单一协议执行时的安全性,针对这点,引入通用可组合框架.利用该框架的通用可组合性可以模块化地设计与分析门限签名协议.首先定义了门限签名协议在通用可组合框架下的安全模型,并证明其等价于门限签名协议标准概念下的安全模型,然后以前摄门限签名协议为例描述如何应用这个安全模型.提出的门限签名协议和前摄性门限签名协议不仅满足可证明安全性,还具有通用可组合安全性.     

基于椭圆曲线密码体制的门限代理盲签名方案

提出一种门限代理盲签名方案。该方案是代理盲签名与门限签名的有机集成，解决了已有代理盲签名方案中代理签名人的权利过于集中的问题，且所有的通信都不需要使用安全的秘密通道，可在公共信道上进行。方案中所有协议都是基于椭圆曲线密码体制构造的，使得密钥尺寸较小，执行效率更高。     

基于离散对数的多重代理多重签名方案的改进

在多重代理多重签名体制中,多个原始签名者可以将签名权利委托给多个代理签名者,再由这些代理签名者联合生成一个代表所有原始签名者的数字签名。文献[1]提出了相应的方案,并且证明了在授权者和代理者都遵守签名协议的假设下安全性等价于离散对数难解问题。但这只是一种理想情况。经研究我们发现这个体制存在部分原始签名者日后抵赖授权和部分代理签名者日后抵赖签名的情况。本文对该方案进行改进,使方案具有抗抵赖性。     

具有指定验证者的短签名方案

基于双线性对运算,提出了一个只能被指定验证者验证的新的短签名方案.把消息的签名从基于RSA签名算法的1024比特下降到170比特左右,降低了网络数据流量,有效地避免了网络中常见的阻塞问题,提高了网络使用率.同时满足了只有签名者指定的验证人才能正确验证该签名的正确性,可以有效防止对与签名人相关信息的泄露.在计算性Diffie-Hellman问题困难假设下利用随机预言模型证明了该方案的安全性.并且根据实际情况下的遗嘱签定,给出了遗嘱签定协议的具体应用.     

对一种代理盲多重签名的分析与改进

分析了Wang等人提出的一种基于椭圆曲线密码体制的代理盲多重签名方案,指出在该方案中代理签名人通过自己保留的盲签名信息和消息拥有者公布的签名消息,可以确定自己的代理盲签名行为和公布的签名信息之间的联系,从而达到对消息拥有者身份的追踪,即不满足盲签名方案的不可追踪性.在此基础上给出了一种改进的方案,安全性分析表明,改进后的代理盲多重签名方案满足不可追踪性和其他安全特性.     

基于并发签名的公平交易协议的分析与改进

针对一个基于完美并发签名的公平交易协议,分析指出此协议在假设参与双方都诚实可信的情况下不满足不可滥用性,即双方交换2个模糊签名及相关交易数据后,在秘密消息公布之前,任何人都能辨认出是谁签了哪一个签名.进而,提出了一个新的改进方案,改进的方案不仅弥补了原方案的缺陷,实现了不可滥用性,同时保持了原协议的公平性、不可否认性以及简洁高效的特性.     

基于DSA和变型DSA的盲签名

盲签名体制是保证参与者匿名性的基本的、重要的密码协议。本文提出了两个新的盲签名体制,它们分别基于DSA签名体制和变型DSA签名体制。     

基于无证书的多方合同签署协议

线上合同签署在电子商务中日益普及,在互不信任的签署方之间签署一份合同并不是一件简单的事情,各方就合同签署问题提出过许多合同签署协议。其中较多的协议是带有第三方参与的,但是在效率方面并不占优势,且易出现安全问题。现有借助区块链技术取代第三方参与的合同签署协议中,区块链的公开验证对不管是签署方还是待签署合同的敏感信息又发起了挑战。且大多协议针对于双方合同签署,随着签署方数量的增加,协议的通信成本和复杂度都在急剧增加。该文结合现有协议,提出一个高效的多方合同签署协议,协议中通过基于无证书的高效聚合签名方案,用于提高区块链下签署方签名验证效率,在区块链上仅公开签署方的临时密钥以减少系统开销。该协议满足正确性、安全性、公平性、私密性以及高效性。     

基于身份的公平不可否认协议

利用基于身份的密码体制,提出了一种基于身份的一次性盲公钥签名方案,并以此为基础提出了一个新的公平不可否认协议,实现了协议中发送方的匿名性,解决了通信中因发方身份公开而带来的信息内容被猜到以至被故意延迟阅读或拒收的问题,保证了收发双方的公平性及不可否认性.分析表明,该一次性盲公钥签名方案及不可否认协议是安全的,且具有较高的效率.     

一个安全的广义指定验证者签名证明系统

广义指定验证者签名(UDVS) 可以实现任意的签名持有者能向任意的验证者证明签名者确实签署了该签名,而且验证者没有能力向第三方证明该签名是有效的。这种签名方案可以保护签名持有者的隐私信息,因而在证书系统中有着重要的应用。然而,UDVS需要签名持有者(designator)与指定的验证者(designated-verifier)通过签名者(signer)的公钥体系来生成自己的密钥对,这在现实情况下是不合理的。最近,Baek等人(2005)在亚洲密码会提出UDVSP (Universal Designated Verifier Signature Proof)来解决这个问题。该文首先指出Baek等人所给出的UDVSP协议存在一个安全性缺陷,即不满足UDVS系统中的不可传递性(non-transferability),然后提出一种新的UDVSP协议,并证明该方案满足所定义的安全属性。     

基于聚合签名算法的DSR路由认证技术

分析了Ad Hoc网络中DSR按需路由发现原理及黑洞攻击原理,针对DSR路由协议面临的黑洞攻击问题,提出了一种基于JYH聚合签名算法的路由记录认证机制,新方案在DSR路由请求和路由应答消息中定义了路径证明属性,并设计了与之适应的输入签名算法和输出验证算法;最后,采用形式化逻辑SVO方法对该路由记录认证机制的安全性进行了分析。分析表明,提出的路由记录认证机制可以有效抵御针对DSR路由协议的黑洞攻击。     

A provably secure proxy signature scheme from bilinear pairings

A proxy signature allows an entity, called original signer, to delegate its signing power to another entity, called proxy signer, to sign messages on its behalf. Proxy signatures have many practical applications and are very important cryptographic protocol. In this paper, we propose an efficient proxy signature scheme from bilinear pairings. We prove it secure in the random oracle model and analyze computation cost of our scheme. Our scheme satisfies all the properties required for proxy signatures.     

A novel authenticated group key agreement protocol for mobile environment

An authenticated group key agreement protocol allows a group of parties to authenticate each other and then determine a group key via an insecure network environment. In 2009, Lee et al. first adopted bilinear pairings to propose a new nonauthenticated group key agreement protocol and then extend it to an authenticated group key agreement protocol. This paper points out that the authenticated protocol of Lee et al. is vulnerable to an impersonation attack such that any adversary can masquerade as a legal node to determine a group key with the other legal nodes and the powerful node. This paper shall employ the short signature scheme of Zhang et al. to propose a new authenticated group key agreement protocol. The short signature scheme of Zhang et al. is proven to be secure against the adaptive chosen-message attacks in the random oracle model, so the proposed protocol can withstand the possible attacks. Besides, compared with the authenticated protocol of Lee et al., the proposed protocol is more secure and efficient.     

Identity‐based proxy signature over NTRU lattice

Proxy signature scheme is an important cryptographic primitive, for an entity can delegate his signing right to another entity. Although identity‐based proxy signature schemes based on conventional number‐theoretic problems have been proposed for a long time, the researchers have paid less attention to lattice‐based proxy signature schemes that can resist quantum attack. In this paper, we first propose an identity‐based proxy signature scheme over Number Theory Research Unit (NTRU)‐lattice. We proved that the proposed paradigm is secure under the hardness of the γ‐shortest vector problem on the NTRU lattice in random oracle model; furthermore, the comparison with some existing schemes shows our scheme is more efficient in terms of proxy signature secret key size, proxy signature size, and computation complexity. As the elemental problem of the proposed scheme is difficult even for quantum computation model, our scheme can work well in quantum age.     

对一个基于身份的多重签密方案的分析和改进

Waters提出了一个标准模型下的基于身份的加密和签名方案,Paterson和Schuldt在此基础上提出了一个基于身份的签名方案.Zhang和Xu在上述两个方案的基础上,提出了一个基于身份的多重签密方案.本文指出Zhang-Xu的方案会受到私钥随机化攻击,并在标准模型下提出了一个改进的基于身份的多重签密方案,其中将解...     

利用双线性对构造的面向电子商务的同时签密

Concurrent signature was introduced as an efficient approach to solving the problem of fair exchange of signatures. Almost all fair exchange e-commerce protocols based on concurrent signature that have been proposed until now either do not provide message privacy protection or adopt the sign-then-encrypt scheme to provide confidentiality. However, confidentiality is an important requirement of fair exchange e-commerce protocol. In this paper, a new concept called concurrent signcryption which combines the concepts of concurrent signature and signcryption together to resolve the confidentiality problem in e-commerce systems based on concurrent signature. We also propose a concurrent signcryption scheme using bilinear pairings and prove its security in the random oracle model. Compared with the sign-then-encrypt scheme using bilinear pairings, our scheme enjoys shorter message length and less operation cost. Moreover, in our scheme the two ambiguous signcryptions can be published in any order.     

A non-repudiation metering scheme

A metering scheme enables a Web server to measure the number of visits from clients. In addition, a proof needs to be presented by the server as evidence corresponding to this measured number. In this letter, we propose an efficient metering scheme that incorporates the hash-chaining technique and the digital signature algorithm to provide a nonrepudiation proof of this measured number     

An ID-based proxy signature schemes without bilinear pairings

The proxy signature schemes allow proxy signers to sign messages on behalf of an original signer, a company, or an organization. Such schemes have been suggested for use in a number of applications, particularly in distributed computing, where delegation of rights is quite common. Many identity-based proxy signature schemes using bilinear pairings have been proposed. But the relative computation cost of the pairing is approximately twenty times higher than that of the scalar multiplication over elliptic curve group. In order to save the running time and the size of the signature, in this letter, we propose an identity-based signature scheme without bilinear pairings. With the running time being saved greatly, our scheme is more practical than the previous related schemes for practical application.     

Secure Distributed Key Generation for Discrete-Log Based Cryptosystems

A Distributed Key Generation (DKG) protocol is an essential component of threshold cryptosystems required to initialize the cryptosystem securely and generate its private and public keys. In the case of discrete-log-based (dlog-based) threshold signature schemes (ElGamal and its derivatives), the DKG protocol is further used in the distributed signature generation phase to generate one-time signature randomizers (r = g^k). In this paper we show that a widely used dlog-based DKG protocol suggested by Pedersen does not guarantee a uniformly random distribution of generated keys: we describe an efficient active attacker controlling a small number of parties which successfully biases the values of the generated keys away from uniform. We then present a new DKG protocol for the setting of dlog-based cryptosystems which we prove to satisfy the security requirements from DKG protocols and, in particular, it ensures a uniform distribution of the generated keys. The new protocol can be used as a secure replacement for the many applications of Pedersen's protocol. Motivated by the fact that the new DKG protocol incurs additional communication cost relative to Pedersen's original protocol, we investigate whether the latter can be used in specific applications which require relaxed security properties from the DKG protocol. We answer this question affirmatively by showing that Pedersen's protocol suffices for the secure implementation of certain threshold cryptosystems whose security can be reduced to the hardness of the discrete logarithm problem. In particular, we show Pedersen's DKG to be sufficient for the construction of a threshold Schnorr signature scheme. Finally, we observe an interesting trade-off between security (reductions), computation, and communication that arises when comparing Pedersen's DKG protocol with ours.     

Comments on A Signcryption

1　ＩｎｔｒｏｄｕｃｔｉｏｎＡｓｄｅｓｃｒｉｂｅｄｉｎＲｅｆ.[7],ａｓｉｇｎｃｒｙｐｔｉｏｎｓｃｈｅｍｅｉｓａｃｒｙｐｔｏｇｒａｐｈｉｃｍｅｔｈｏｄｔｈａｔｆｕｌｆｉｌｌｓｂｏｔｈｔｈｅｆｕｎｃ ｔｉｏｎｓｏｆｓｅｃｕｒｅｅｎｃｒｙｐｔｉｏｎａｎｄｄｉｇｉｔａｌｓｉｇｎａｔｕｒｅ,ｂｕｔｗｉｔｈａｃｏｓｔｓｍａｌｌｅｒｔｈａｎｔｈａｔｒｅｑｕｉｒｅｄｂｙｓｉｇｎａｔｕｒｅ ｔｈｅｎ ｅｎｃｒｙｐｔｉｏｎ .ＡｃｃｏｒｄｉｎｇｔｏＲｅｆ.[3 ],ａｄｉｇｉｔａｌｓｉｇｎａｔｕｒｅｗｉｔｈａｍｅｓｓａｇｅｒｅｃ…