AN EFFICIENT ID-BASED GROUP SIGNATURE SCHEME
盲签名、群签名及共同不可约多项式
摘要盲签名和群签名的概念是由Chaum首次提出的.由于盲签名和群签名能分别为用户和签名者提供很好的匿名性,所以它们在电子货币和电子投票等实用系统中都有着广泛的应用.本文首先介绍了盲签名和群签名的研究及应用现状,然后分别详细介绍作者在盲签名和群签名领域所做的工作.除此之外,本文还讨论了两个不同数域上的共同不可约多项式的性质.盲签名要求签名者在不知道消息内容的情况下对消息进行签名,即使以后签名者得到一个消息签名对,他也不能确定这个消息的来源.本文不仅对已提出的盲签名方案进行概述,指出其优缺点,而且还分析丁分别由Lietal和Heetal针对两种不同的盲签名提出的两种关联方法,并证明他们的方法无效.另外,本文还提出了一个新的基于椭圆曲线的盲签名方案.群签名允许群成员代表整个群体进行签名.而且,一旦发生争议,群管理人熊够识别出签名者.本文不仅对已提出的群签名方案进行概述,指出其优缺点,而且还分析了现有的群签名方案中所存在的一些问题,并指出其研究方向.此外,我们还分析了分别由Posescu和王晓明等提出的两个群签名方案,并分别给出了一种通用攻击方法,所以这两个方案仍然是不安全的.由不可约多项式构造的有限域有着很好的性质,可以用来设计更加安全高效的密码系统,从而不可约多项式的研究对现代密码学的发展有着重要的意义.在本文中,我们首次提出了在不同数域上寻找共同不可约多项式的问题,并证明其不一定存在.而且,我们还给出了一种从割圆多项式中寻找共同不可约多项式方法.此外,文中还给出了一些命题.在附录里,我们还给出了一个特殊的乘法群中所有元素阶的分布.关键词公钥密码学,椭圆曲线,数字签名,盲签名,群签名,不关联性,通用攻击,不可约多项式,割圆多项式AbstractTheconceptsofblinddigitalsignatureandgroupdigitalsignaturearefirstlyproposedbyChaum.Bothareimportanttomanypracticalapplicationssuchaselectroniccashandvoting.Thisthesis6rstsurveystheachievementsinthesetwofieldsandtheirapplications、andthenweintroduceOllrworkonblindsignatureandgroupsignatureindetailrespectively.Inaddition,wealsoflJscus8thepropertiesotthecommonhrre(1uclDiepolvnommisovertwoamerentnnll—fields.BlindsignaturesrequirethatasignerbeabletosignamessagewithoutknowingitsCOn-tents.Moreover,shouldthesignereverseethemessage-signaturepair,heshouldnotbeabletodeterminewhenorforwhomhesignedit.Inthisthesis,wegiveabroadoverviewoftheproposedblindsignatures.WealsoanalyzetwolinkingstrategiespresentedbyLietalandHeetalrespectively,anddemonstratebothattacksareinvalid.Inaddition,wealsogiveanewblindsignatureschemebasedonellipticcurve,whichcanprotectuseruntraceable.Groupsignatureschemesallowagroupmembertoanonymously8ignongroup’sbehalf.Moreover,incaseofanonymityInisliBe,agroupmanagercanrecovertheissuerofasignature.Thisthesisgivesabroadoverviewofthepmpeaedgroupsignatures.Someproblemsinthestudyofthisfieldarepresentedandseveralmainresearchdirectionsarepointedouta8well.Wealsoanalyzethesecurityoftwogroupsignaturesrecentlyproposedrespectively蚵PosescuandWangeta1..andshowthatboths(_hemesareuniversallyforgeable.Finitefieldsconstructedbyirreduciblepolynomialshavegoodpropertiesthatcanbeap-pliedtodesignmoresecureandefficientcryptosystems.Inthisthesis,wefirstputforwardtheproblemoffindingthecommonirreduciblepolynomialsovertwodifferentfinitefieldsandprovethatthecommonirreduciblepolynomialsdonotalwaysexist,Amethodtofindthecoininoilirreduciblepolynomialsfromcyclotomicpolynomialsispresentedandsomepropositionsarealsoprovided.Intheappendi】(,wealsogivethedistributionoftheorderoftheelementsinaspecialmultiplicativegroup.Keywordspublickeycryptography,ellipticcurve,digitalsignature,blindsignature,groupsignature,unlinkability,univeraalforgery,irreduciblepolynomial,cyclotomicpolynomialII致谢非常感谢陈鲁生教授.本文从选题到定稿自始至终得到了陈老师悉心严格的指导,使我对密码学这个广阔的学术领域有了更加透彻的认识.在南开大学求学的近7年中,我深深地感受到了陈老师渊博的知识,严谨的作风,谦逊的为人和广阔的胸怀.在此,谨向陈老师在这几年来对我的指导和教诲表示衷心的感谢.感i捌'ttl!!:ttt教授和符方伟教授.两位老师均给予我耐心的指导和帮助,他们敏锐的学术洞察力以及博大糟深的知识让我受益匪浅.感谢数学院各位授课老师,他们严谨的治学作风和一丝不苟的工作精神很值得我学习.感谢党委刘艳霞老师以及学院办公室的各位老师,感谢他们在工作上对我的关心和支持.作者还要感谢数学学院信息论方向的所有同学.尤其要感谢廖嘉,符景云,张青坡,王立鹏,尚越,张勇.感谢他们在我南开求学的7年里给予我的诸多关怀和帮助.感谢室友李艳婷和曲艳萍同学,与她们同窗三年的朝夕相处,将是我一生美好的回忆.深深感谢含辛茹苦养育我的父母.母亲几次重病期问,总是对我隐瞒病情。
一种基于格的高效签密方案的分析与设计
一种基于格的高效签密方案的分析与设计郑晓;王茜;鲁龙【摘要】Signcryption is a cryptographic primitive that performs simultaneously both the functions of digital signature and public-key encryption, at a cost significantly lower than that required by the traditional signature-then-encryption approach. Designs an efficient signcryption scheme that can send a message of length L one time. Proves that the proposed scheme has the indistinguishability against adaptive cho-sen ciphertext attacks under the learning with errors assumption and strong unforgeability against adaptive chosen messages attacks under the inhomogeneous small integer solution assumption inthe random oracle model. Compared with the schemes based on factoring or dis-crete log, the public and secret keys of the scheme are large, but it requires only linear operation on small integers.%签密是同时执行数字签名和公共密钥加密两种功能的一个加密原语,所需成本比通过传统的先签名后加密的方法低。
一种安全高效的VANET无证书聚合签名改进方案
第54卷 第5期2021年5月通信技术Communications TechnologyVol.54 No.5May 2021文献引用格式:久美草,王迪,刘芳芳,等.一种安全高效的VANET无证书聚合签名改进方案[J].通信技术,2021,54(5):1189-1198.JIU Meicao,WANG Di,LIU Fangfang,et al.A secure and efficient VANET certificateless aggregatesignature improvement scheme[J].Communications Technology,2021,54(5):1189-1198.doi:10.3969/j.issn.1002-0802.2021.05.024一种安全高效的VANET无证书聚合签名改进方案*久美草,王 迪,刘芳芳,芦殿军(青海师范大学 数学与统计学院,青海 西宁 810008)摘 要:Thumbur等人提出了一种无证书聚合签名方案,以解决VANET中的安全认证和效率问题,并声称该方案是安全的。
然而,该方案容易受到签名伪造攻击。
为了解决上述安全挑战,提出了一种新的无配对无证书聚合签名方案,并在随机预言模型下证明了其安全性,最后进行了效率分析和比较。
安全性分析和效率分析表明,新方案能够以较低的计算成本和通信成本获得更高的安全,且新方案的聚合签名长度是固定的,更适用于资源受限的VANET环境。
关键词:VANET;安全高效;无证书;聚合签名;认证中图分类号:TP309 文献标识码:A 文章编号:1002-0802(2021)-05-1189-10A Secure and Efficient VANET Certificateless Aggregate SignatureImprovement SchemeJIU Meicao, WANG Di, LIU Fangfang, LU Dianjun(School of Mathematics and Statistics, Qinghai Normal University, Xining Qinghai 810008, China) Abstract: Thumbur et al. proposed a certificateless aggregate signature scheme to solve the security authentication and efficiency issues in VANET, and claimed that the scheme is secure. However, this scheme is vulnerable to signature forgery attacks. To solve the above security challenges, a new unmatched certificateless aggregate signature scheme is proposed, and its security is proved under the random oracle model. Finally, the efficiency is analyzed and compared. Security analysis and efficiency analysis indicate that the new scheme can obtain higher security with lower computation and communication costs, and the total signature length of the new scheme is fixed, which is more suitable for resource-constrained VANET environments.Keywords: VANET; secure and efficient; certificateless; aggregate signature; authentication0 引 言智能交通系统利用传感、控制、通信和数据分析等技术来提供创新性的服务,可以有效解决传统交通系统中固有的与交通相关的问题。
数字签名技术及其在网络安全中的应用
目录摘要 (1)关键词 (1)1 数字签名概述 (1)2 数字签名意义 (2)3 数字签名的种类 (2)3.1 盲签名 (2)3.1.1 盲签名的安全性需求 (2)3.2 群签名 (3)3.2.1 群签名的算法 (3)3.2.2 群签名的安全性需求 (4)3.3 环签名 (4)3.3.1 环签名的适用场合举例 (4)3.3.2 环签名的安全性需求 (5)4 数字签名技术与网络安全 (5)4.1 网络带来的挑战 (6)总结 (7)致谢 (7)参考文献 (7)数字签名技术在网络安全中的应用Lynawu摘要数字签名也称电子签名,digital signature,是给电子文档进行签名的一种电子方法,是对现实中手写签名的数字模拟,在电子商务的虚拟世界中,能够在电子文件中识别双方交易人的真实身份,保证交易的安全性、真实性及不可抵懒性的电子技术手段。
实现电子签名的技术手段有很多种,但目前比较成熟的、许多先进国家普遍使用的电子签名技术还是“数字签名”技术,它力图解决互联网交易面临的几个根本问题:数据保密、数据不被篡改、交易方能互相验证身份、交易发起方对自己的数据不能否认。
数字签名技术在其中起着极其重要的作用,如保证数据的完整性、私有性和不可抵赖性等方面,占据了特别重要的地位。
目前群盲签名(blind signature ,group signature)方案效率不高,这样的电子现今系统离现实应用还有一段距离,因此研究高效的群签名方案,对于实现这样的系统具有重要意义。
关键词数字签名,网络安全,blind signature,group signature,Rivest1 数字签名概述电子文档包括在计算机上生成或存储的一切文件,如电子邮件、作品、合同、图像等。
数字签名也称电子签名,digital signature,是给电子文档进行签名的一种电子方法,是对现实中手写签名的数字模拟,在电子商务的虚拟世界中,能够在电子文件中识别双方交易人的真实身份,保证交易的安全性、真实性及不可抵懒性的电子技术手段。
基于短群签名的密钥交换协议设计
基于短群签名的密钥交换协议设计孙钰;韩庆同;刘建伟【摘要】A new key exchange protocol using linear encryption based on short group signature is proposed in this paper. Typically, a short group signature system includes six steps: setup, join, sign, verify, open and revocation. It can provide conditional privacy to group members. The key exchange phase is added into short group signature system so that short group signature system may offer confidentiality after the new key exchange phase. The proposed protocol could implement key exchange between TA(trust authority) and a group member. With the help of TA, the seed of session key can be exchanged between two group members according to this protocol. The following communication can be encrypted by symmetric encipherment algorithm using the exchanged key after key exchange phase. No more parameters is introduced into short group signature system by proposed protocol, which reduces the difficulty in system management. X. 509 certification or PKI is unnecessary in proposed protocol, which keeps the conditional privacy of short group signature. Key is exchanged in only two communications, which reduces network delay and congestion. Security analysis proves that the proposed protocol resists tampering attack, impersonal attack, replay attack and man-in-the-middle attack. It provides confidential to short group signature system, which makes short group signature system more suitable for VANET, trust computing and cloud computing.%本协议采用线性加密技术,在短群签名体制下实现了密钥交换,为短群签名系统加入了密钥交换阶段.典型的短群签名系统包含以下6个阶段:初始化、入网、签名、验签、身份验证和撤销,可为群成员提供条件隐私性.本协议加入了密钥交换阶段,使短群签名系统具有保密性.该协议既可实现群成员与TA(trust authority)间的密钥交换,也可在TA的协助下,实现群成员间的密钥交换,为TA与群成员、群成员间的信息传输提供了保密性.本协议无需引入X.509证书,仅利用短群签名系统原有的参数即可完成密钥交换,既保持了短群签名的条件隐私性,也降低了系统管理的难度.本密钥交换协议仅需要两次通信,通信开销小,能降低网络延时和拥塞.安全性分析证明了该协议可抵抗篡改攻击、伪装攻击、重放攻击和中间人攻击.该协议完善了群签名体制,可为车载网络、可信计算和云计算等网络提供保密性.【期刊名称】《计算机研究与发展》【年(卷),期】2012(049)012【总页数】4页(P2619-2622)【关键词】短群签名;线性加密;密钥交换;保密性;中间人攻击【作者】孙钰;韩庆同;刘建伟【作者单位】北京航空航天大学电子信息工程学院北京 100191;北京航空航天大学电子信息工程学院北京 100191;北京航空航天大学电子信息工程学院北京100191【正文语种】中文【中图分类】TP393.02Chaum和Van Heyst于1991年首次提出群签名方案[1],该方案允许群成员以群的名义签名.验签者使用唯一的群公钥验证群签名,只有TA(trust authority),即群管理员可以从群签名中获得签名者的身份,即群签名具有条件隐私性.Boneh,Boyen和Shacham于2004年提出了短群签名方案[2],进一步降低了群签名的运算开销和通信开销.群签名系统迫切需求密钥交换协议以提供保密性.群签名主要用于可信计算和车载网络.一旦发生争执或遇到险情,当事人需要向TA提供必要的信息以证明自己的清白或寻求帮助.当事人与TA间需要加密传输敏感信息.为了相互协作,群成员间也需要传输信息.文献[3]提出了适用于群签名的密钥交换协议,但需要引入数字证书,既增加了管理开销,也可能泄露用户隐私.本文利用线性加密,为短群签名系统加入了密钥交换阶段,使短群签名系统在提供条件隐私性的同时,也能提供保密性.1 短群签名基础1.1 符号和假设TA选择具有同构运算ψ的双线性对(G1,G2),在(G1,G2)上存在强 DH假设,G1上存在线性假设[2].随机选择 G2 的一个生成元g2,并设g1←ψ(g2).随机选择计算u,v∈G1,使并计算至此,TA 得到群公钥:gpk=(g1,g2,h,u,v,w),群管理员私钥TA 利用之前生成的γ为注册成员i生成私钥.TA首先随机选择,之后计算xi)构成了一个SDH元组,即为成员i的私钥,TA将成员i的身份信息IDi和Ai存入数据库.Alice和Bob均是合法的群成员.文中‖表示串接运算,xor表示异或运算,H(M)表示计算消息M 的摘要值,LE(M)表示对消息M进行线性加密.1.2 线性加密线性加密(linear encryption)是对ElGamal加密的一种改进,即使攻击者能计算群中的DDH判定,线性加密也是安全的[2].线性加密的公钥是群G1的3个生成元u,v,h∈G1,私钥是指数x,y∈ZZp,x,y满足ux=vy=h.为加密消息M,Alice选择随机数a,b∈ZZp,生成三元组(T1,T2,T3):Bob收到(T1,T2,T3)后,解密过程如下:2 基于短群签名的密钥交换协议短群签名系统包含以下6个阶段:初始化(setup)、入网(join)、签名(sign)、验签(verify)、身份验证(open)和撤销(revocation)[4].本文利用线性加密,为短群签名系统加入了密钥交换阶段,可为车载网络[5-6]、可信计算和云计算[7-9]等网络提供保密性.2.1 群成员与TA间的密钥交换一旦发生争执或遇到险情,群成员Alice可利用该协议与TA在不安全信道上建立共享密钥,利用AES等对称加密算法保护敏感信息.本文提出的群成员Alice与TA间的密钥交换协议描述如下:1)Alice选择随机数R1∈ZZp,并计算R1的短群签名s;2)Alice选择随机数a,b∈ZZp,利用群公钥gpk中的u,v,h,按照式(1)线性加密R1,计算并向 TA发送LE(R1)‖s;3)TA使用群管理员私钥gmsk,按照式(2)解密LE(R1),得到R1;4)TA验证R1的签名是否合法,是则选择随机数R2∈ZZp,向 Alice返回R2‖H (R1‖R2),否则拒绝 Alice的请求.H(R1‖R2)是消息验证码[10];5)Alice验证TA返回的消息验证码是否正确.至此,Alice与TA间以R1为AES密钥生成器的种子,建立会话密钥.其示意图如图1所示:Fig.1 Key exchange between TA and group member.图1 TA与群成员间的密钥交换2.2 群成员之间的密钥交换群成员间如果要进行保密通信,可借助TA完成双向的身份认证,在群签名系统中实现Diffie-Hellman密钥交换[10].假设Alice和Bob均为群成员.本文提出的群成员间的密钥交换协议描述如下:1)Alice选择随机数x,R1∈ZZp,计算H(X‖R1‖ID2)的短群签名s1,ID2是Bob的身份码;2)Alice选择随机数a,b∈ZZp,利用群公钥gpk中的u,v,h,按照式(1)线性加密R1,计算并向 TA发送X‖(ID2xor R1)‖LE(R1)‖s1;3)Bob选择随机数y,R2∈ZZp,计算Y=gy1,H(Y‖R2‖ID1)的短群签名s2,ID1 是Alice的身份码;4)Bob选择随机数c,d∈ZZp,利用群公钥gpk中的u,v,h,按照式(1)线性加密R2,计算并向 TA发送Y‖(ID1xor R2)‖LE(R2)‖s2;5)TA使用群管理员私钥gmsk,按照式(2),解密R1 和R2,通过计算(ID1xor R2)xor R2,(ID2 xor R1)xor R1得到ID1和ID2;6)TA验证s1和s2的合法性,TA仅接受通过验签的请求,并从签名中提取Alice和Bob的身份,判断是否与ID1和ID2匹配;7)TA分别向Alice和Bob返回Y‖H(Y‖R1)和X‖H(X‖R2).H(Y‖R1)和H(X‖R2)是消息验证码;8)Alice和Bob分别验证TA返回的消息验证码是否正确.至此,Alice和Bob经TA 完成了Diffie-Hellman密钥交换,建立了共享密钥gxy1.TA参与了密钥交换过程,但仍无法计算Alice和Bob间的共享密钥.其示意图如图2所示:Fig.2 Key exchange between group members.图2 群成员间的密钥交换3 安全性分析本节假设Trent为攻击者,Alice和Bob为合法群成员.Trent可获得群公钥gpk,但无法获得其他群成员的私钥和群管理员私钥gmsk.Trent可侵入信道,截获、篡改、丢弃或重发网络中的数据包,但无法控制群成员和TA.Trent尝试对本协议进行篡改攻击、伪装攻击、重放攻击和中间人攻击.Fig.4 Man-in-the-middle attack-2.图4 中间人攻击23.1 抵抗篡改、伪装和重放攻击若Trent篡改群成员发送至TA的数据包,会因验签失败而被TA发现.若Trent篡改TA发送至群成员的数据包,会因消息验证码错误而被群成员发现.因此,无论群成员还是TA都可发现消息被篡改,本协议可抵抗篡改攻击.Trent尝试伪装成群成员或TA对本协议进行伪装攻击.Trent因为没有发起通信的群成员的私钥,无法生成合法的短群签名,TA会因验签失败拒绝Trent的请求,所以无法伪装成群成员.Trent因为没有群管理员私钥,无法解密经线性加密的三元组(T1,T2,T3),更无法回复群成员,所以无法伪装成TA.综上分析,本协议可抵抗伪装攻击.群成员向TA发送的数据包中包含随机量,TA向用户回复时,需要根据用户加密提交的随机量生成消息验证码.因此,本协议抵抗重放攻击.3.2 抵抗中间人攻击本节假设Trent是群成员,以更有效的对本协议发动中间人攻击.情况1.Trent攻击群成员和TA的密钥交换.攻击模型如图3所示.Trent截获Alice发送至TA的LE(R1)‖s,自己选择随机数R,按照上述协议对R用自己的私钥签名并发送至TA,因Trent是群成员,可通过TA的验证,TA向Trent回复R2‖H(R‖R2),Trent无法解密LE(R1),只能向Alice回复R2‖H(R‖R2),但会因消息验证码出错而被Alice发现.Fig.3 Man-in-the-middle attack-1.图3 中间人攻击1情况2.Trent攻击群成员间的密钥交换.攻击模型如图4所示.Trent截获Alice发送至TA的X‖(ID2xor R1)‖LE(R1)‖s1,自己选择随机数R,按照上述协议对R用自己的私钥签名并发送至TA.TA会发现从Trent的签名中提取的身份与Bob请求中的ID2不符,双向认证失败,进而拒绝Trent的请求.综上所述,本协议可抵抗篡改攻击、伪装攻击、重放攻击和中间人攻击.4 结论本文所述的基于短群签名的密钥交换协议既可实现群成员与TA间的密钥交换,也可在TA的协助下,实现群成员间的密钥交换.本协议无需引入X.509证书,仅利用短群签名系统原有的参数,借助线性加密完成密钥交换,既保持了短群签名的条件隐私性,也未增加系统管理的难度.密钥交换仅需要两次通信,通信开销小,并可通过预计算降低运算开销.协议可抵抗篡改攻击、伪装攻击、重放攻击和中间人攻击.该协议完善了群签名体制,加入了密钥交换阶段,可为车载网络、可信计算和云计算等网络提供保密性.参考文献[1] Chaum D,van Heyst E.Group signatures[C]//Proc of the 10th AnnualInt Conf on Theory and Application of Cryptographic Techniques.New York:ACM,1991:257-265[2] Boneh D,Boyen X,Shacham H.Short group signatures[C]//Proc of the 24th Annual Int Cryptology Conference.New York:ACM,2004:41-55 [3] Kim D,Choi J,Jung S.Mutual identification and key exchange scheme in secure VANETs based on group signature[C]//Proc of the 7th Consumer Communications and Networking Conference.Piscataway,NJ:IEEE,2010:1-2[4] Guo J,Baugh J,Wang S.A group signature based secure and privacy-preserving vehicular communication framework[C]//Proc of 2007Mobile Networking for Vehicular Environments.Piscataway,NJ:IEEE,2007:103-108[5] Zhang J, Ma L, Su W, et al. Privacy-preserving authentication based on short group signature in vehicular networksC//Proc of the 1st Int Symp on DataPrivacy and E-Commerce.Piscataway,NJ:IEEE,2007:138-142[6] Liu Hui, Li Hui, Ma Zhanxin. Efficient and secure authentication protocol for VANET[C]//Proc of Int Conf on Computational Intelligence and Security(CIS).Piscataway,NJ:IEEE,2010:523-527[7] Othman H,Hashim H,et al.A conceptual framework providing Direct Anonymous Attestation(DAA)protocol in trusted location-based services(LBS)[C]//Proc of the 5th Int Conf for Internet Technology and Secured Transactions(ICITST).Piscataway,NJ:IEEE,2010:1-7[8] Daniel S,Stefan R.Anonymous but authorized transactions supporting selective traceability[C]//Proc of the 5th Int Conf on Security and Cryptography (SECRYPT).Piscataway,NJ:IEEE,2010:1-10[9] Jensen M,Schage S,Schwenk J.Towards an anonymous access control and accountability scheme for cloud computing[C]//Proc of Int Conf on Digital Object Identifier.Piscataway,NJ:IEEE,2010:540-541[10] Liu Jianwei,Wang work security-technology and practice[M].Beijing:Tsinghua University Press,2007:110-113(inChinese)(刘建伟,王育民.网络安全-技术与实践[M].北京:清华大学出版社,2007)。
219388575_VANETs_中一种隐私保护的高效批认证协议
σ ij } , 计 算 MAC 标 签 为 τ( GK ;Msg ij ) , 将 τ( GK ;
Msg ij ) 、Msg ij 发送给 RSU。
RSU 收到信息时,获取当前时间戳,与收到的时
间戳 tr ij 进行比较。 若两者相差的绝对值大于定义的
阈值,RSU 丢弃该消息。。 一
RSU) 和密钥生成中心( Key Generation Center,KGC) 。
密签名信息。
本文针对 VANETs 提出了一种高效的隐私保护
性。 方案主要包括以下两点内容:( 1) 该方案使用假
的隐私保护,能够支持批量验证。 ( 2) 该方案使用安
全的密钥推导函数 [9] 实现组密钥更新。 在组密钥更
图 1 系统模型
消息完整性:由于无线网络的开放性,通信消息
容易被恶意攻击者窃听、截取甚至篡改。 因此,通信
消息需要加密传输,以保证消息的完整性。
隐私保护:方案的隐私保护主要包括数据的隐私
保护和车辆身份的隐私保护。 身份的隐私保护需确
保通信实体身份的匿名性,数据的隐私保护需确保数
据仅对拥有数据访问权限的实体可见。
可追踪 性: 方 案 需 确 保 消 息 发 送 者 身 份 的 可
追踪。
1. 3 基础知识
密 钥 推 导 函 数 ( Key Derivation Function,
KDF) [9] :在密码体系中,KDF 可以利用伪随机函数计
算多个密钥,也可以输出固定长度的密钥,同时满足
消息完整性认证和源身份认证。 消息完整性认证指
(1) 当车辆 ID i 向 RSU 请求认证、发送消息时,该
= t ij ·P。
车辆首先选取随机值 t ij ∈ Z ∗
安全的无可信PKG的部分盲签名方案
第31卷第1期通信学报V ol.31No.1 2010年1月Journal on Communications January 2010 安全的无可信PKG的部分盲签名方案冯涛1,2,3,彭伟1,马建峰3(1. 兰州理工大学计算机与通信学院, 甘肃兰州 730050;2. 福建师范大学网络安全与密码技术重点实验室, 福建福州 350007;3. 西安电子科技大学计算机网|络与信息安全教育部重点实验室, 陕西西安 710071)摘要:利用gap Diffie-Hellman(GDH)群,在部分盲签名机制的基础上,提出了一个有效的基于身份的无可信私钥生成中心(PKG,private key generator)的部分盲签名方案。
方案中PKG不能够伪造合法用户的签名,因为它只能生成一部分私钥。
在随机预言模型下,新方案能抵抗适应性选择消息攻击和身份攻击下的存在性伪造,其安全性依赖于CDHP问题。
该方案满足正确性和部分盲性,与Chow方案相比具有较高的效率。
关键词:基于身份的签名;密钥托管;双线性对;部分盲签名中图分类号:TP309 文献标识码:A 文章编号:1000−436X(2010)01-0128-07Provably secure partially blind signature without trusted PKGFENG Tao1,2,3,PENG Wei1,MA Jian-feng3(1.School of Computer and Communication, Lanzhou University of Technology, Lanzhou 730050, China;2. Key Lab of Network Security and Cryptology, Fujian Normal University, Fuzhou 350007, China;3. Ministry of Education Key Laboratory of Computer Networks and Information Security, Xidian University, Xi’an 710071, China)Abstract: Using gap Diffie-Hellman groups, based partially blind signature scheme, an efficient ID-based partially blind signature scheme without trusted private key generator (PKG) was proposed. In this scheme, PKG was prevented from forging a legal user’s signature because it only generated partial private key. Under the random oracle model, the pro-posed scheme was proved to be secure against existential forgery on adaptively chosen message and ID attack. The secu-rity of scheme relied on the hardness of the computational Diffie-Hellman problem (CDHP). The proposed scheme satis-fies security properties: correctness and partial blindness. Compared with the Chow et al.’s scheme, the new scheme needs less computational cost and is more efficient.Key words: ID-based signature; key escrow; bilinear pairing; partially blind signature收稿日期:2009-09-02;修回日期:2009-12-21基金项目:国家高技术研究发展计划(“863”计划)基金资助项目(2007AA01Z429);国家自然科学基金资助项目(60972078);甘肃省高等学校基本科研业务费基金资助项目(0914ZTB186);甘肃省自然科学基金资助项目(2007GS04823);兰州理工大学博士基金资助项目(BS14200901);网络安全与密码技术福建省高校重点实验室开放课题(09A006)Foundation Items: The National High Technology Research and Development Program of China (863 Program)(2007AA01Z429); The National Natural Science Foundation of China(60972078); Universities Basic Scientific Research Operation Cost of Gansu Prov-ince(0914ZTB186); The Natural Science Foundation of Gansu Province (2007GS04823); The Ph.D. Programs Foundation of Lanzhou University of Technology (BS14200901); Funds of Key Lab of Fujian Province University Network Security and Cryptology (09A006)第1期冯涛等:安全的无可信PKG的部分盲签名方案·129·1引言传统的基于PKI的密码体制中,用户的公钥与其身份之间的绑定关系是通过数字证书形式来获得的,证书管理过程需要很大的计算量和较强的存储能力。
对一个高效无证书签名方案的安全性分析
来验证 D ID 的真实性, 因为只有 KGC 知道系统主密钥 s 。然 后, 生成用户的私钥对 ( x D ID) 。
3.6
签名算法
对于待签名的消息 m , 签名者 ID 利用系统参数 Params 和私钥对 ( x D ID) , 执行下列签名步骤: (1) 计算 Q ID = H1( ID||P ID) Î G1 ;
* h = H 2 (m||ID|| (2) 随机选择 t u Î Z q , 计算 U = e(t u P P pub) ,
满足下列性质, 则此映射称为双线性映射。 * 性质 1 (双线性性)对所有的 P Q Î G1 和所有的 a b Î Z q , 有 e(aP bQ) = e(P Q)ab 。 性质 2 (非退化性) 如果 P 为 G1 的生成元, 则 e(P P) 是
身份签名方案固有的密钥托管问题, Al-Riyami 等 于 2003 年 提出了第一个无证书签名方案.然而, Huang 等[2]证明了文献 [1]中提出的无证书签名方案在替换公钥攻击下是不安全的, 首次给出了无证书签名方案的安全模型, 提出了一个改进方 案并在随机预言机模型下证明了改进方案的安全性。后来, Zhang 等 指出 Huang 等给出的无证书签名方案安全模型是不
20
2011, 47 (2)
Computer Engineering and Applications 计算机工程与应用 (2) 验证 e(V P ID)e(- hQ ID P pub) = U 是否成立, 若等式成 立, 则接受该签名, 否则拒绝该签名。
似缺陷。
2
基础知识
设 G1 与 G 2 分别是阶为 q 的加法循环群和乘法循环群, 其中
e(V PK ID)e( - hQ ID P pub) =
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
STUDIA UNIV.BABES¸–BOLYAI,INFORMATICA,Volume XL VII,Number2,2002 AN EFFICIENT ID-BASED GROUP SIGNATURE SCHEMECONSTANTIN POPESCUAbstract.We present an efficient group signature scheme which make useof elliptic curves identity-based signature scheme.The performance of thegenerated group signature scheme is similar to the performance of the under-lying ID-based signature scheme.Keywords:Group Signature,ID-based Signature schemes,elliptic curves1.IntroductionThe concept of identity-based cryptography is due to Shamir[10].An identity based crypto-system[2,10]is a system that allows a publicly known identifier (email address,IP address,name)to be used as the public key component of a public/private key pair in a crypto-system.The scheme assumes the existence of a trusted authority whose sole purpose is to compute for each user the private key associated with the identifier they want to use as public key.The scheme is ideal for closed groups of users.Several ID-based signature schemes have been proposed in the last years[7,9,10].Some of these schemes use Elliptic Curve (EC)algorithms and are therefore particularly efficient.A group signature,introduced by Chaum and van Heyst[5],allows any member of a group to digitally sign a document such that a verifier can confirm that it came from the group but does not know which individual in the group signed the document.The scheme assumes the existence of a group manager whose sole purpose is to compute for each user a private key that the user should use when signing a message on behalf on the group.A user verifies a signature with the group public key that is usually constant and unique for the whole group(i.e. independent of the members).Many group signature schemes have been proposed [1,3,6,8,12].However all of them are much less efficient that regular signature schemes(such as DSA or RSA).Designing an efficient group signature scheme is still an open research problem.In this paper we show that ID-based signature schemes[7]can be used to implement an efficient group signature scheme.Such group signature has the same performance than the performance of the ID-based 2000Mathematics Subject Classification.94A60.1998CR Categories and Descriptors. D.4.6.[Software]:Operating Systems–Security and Protection.2930CONSTANTIN POPESCUsignature scheme it is derived from.This makes our proposal very attractive since it is probably the most efficient group signature scheme that exists today.2.Identity-Based Signature SchemeAn identity based crypto-system[2,10]is a system that allows a publicly known identifier to be used as the public key component of a public/private key pair for the purposes of digital signature[7,9,10],encryption[2]and key agreement[11]. The private key component is computed by the trusted authority and sends to the corresponding node via a secure and authentic channel.Definition1.An identity based signature scheme is a digital signature scheme specified by the following four algorithms:SETUP:An algorithm,executed by the trusted authority,that takes a random parameter l as input and generates from it system parameters and master key. System parameters is publicly known,while master key is only known to the trusted authority.EXTRACT:An algorithm,executed by the trusted authority,that takes as input system parameters,master key and an arbitrary ID i∈{0,1}∗,provided by a user,U i,and returns a private key x i.ID i is an arbitrary string that is used as a public key and x i is the corresponding private key.SIGN:An algorithm that takes as input system parameters,x i and a message, m∈{0,1}∗and returns a signatureσ.VERIFY:An algorithm that takes as input a message m∈{0,1}∗and its signatureσ,the system parameters and a public key ID i.VERIFY outputs0if the signature is invalid and1if the signature is valid.A secure ID-based signature scheme must at least satisfy the following proper-ties:Correctness:Signatures produced by a user using SIGN must be accepted by VERIFY.Unforgeability:It is computationally hard for everyone that do know the secret key x i of U i to forge his signatures.As a consequence,it must be computationally hard for everyone to retrieve from system parameters the corresponding master key.Coalition-resistance:A colluding subset of users,that have received their pri-vate key from the same trusted authority and system parameters,cannot generate a valid signature that the trusted authority cannot link to one of the colluding users.3.ID-based Signatures from Pairings on Elliptic CurvesIn this section we review the ID-based signature scheme from[7]which makes use of bilinear pairings on elliptic curves.AN EFFICIENT ID-BASED GROUP SIGNATURE SCHEME31 3.1.Setup.We use the same notation as in[7]:(1)We let G1be an additive group of prime order q and G2be a multiplica-tive group of the same order q.(2)We assume the existence of a bi-linear map e from G1×G1to G2withthe property that the discrete logarithm problems in both G1and G2are hard.Typically,G1will be a subgroup of the group of points on anelliptic curve over afinitefield,G2will be a subgroup of the multiplica-tive group of a relatedfinitefield and the map e will be derived from theWeil or Tate pairing on the elliptic curve.(3)We also assume that an element P∈G1satisfying e(P,P)=1G2isknown.We refer to[2,7]for a fuller description of how these groups, maps and other parameters should be selected in practice for efficiency and security.(4)We let ID i be a string denoting the identity of a user U i and H1,H2andH3be public cryptographic hash functions.We require H1:{0,1}∗→G1,H2:{0,1}∗→Z q and H3:G1→Z q.(5)A trusted authority chooses a random integer s∈Z q which is a system-wide master secret.(6)We also assume that the value P pub=s·P is publicly known.3.2.Extract.A user’s public key for signature verification is Q IDi =H1(ID i),while his secret key for signature generation is D IDi =s·Q IDi.These keys are thesame as in the encryption scheme of[7].If desired,encryption and signature keys can be separated simply by concatenating the string ID i with extra bits which identify the keys’intended functions.3.3.Sign.To sign a message m∈{0,1}∗,a user U i uses the following algorithm:•Chooses a random k∈Z∗q.•Computes(R,S)∈G1×G1,whereR=k·PS=k−1(H2(m)·P+H3(R)·D IDi).Here k−1is the inverse of k in Z∗q.•Output the signature(R,S).3.4.Verify.Checking whether a pair(R,S)is a valid signature on a message m∈{0,1}∗with respect to the public key Q IDican be done as follow:•Computes e(U,V),where(U,V)is a purported signature on message m.•Check whether e(U,V)= e(P,P)H2(m)· e(P pub,Q IDi)H3(R).•The signature is accepted if these values in G2match and rejected oth-erwise.32CONSTANTIN POPESCU4.Group Signature SchemeA group signature,introduced by Chaum and van Heyst[5],allow any mem-ber of a group to sign on behalf of the group.Group signatures are publicly verifiable and can be verified with respect to a single group public key.Only a designated group manager,can revoke the anonymity of a group signature andfind out the identity of the group member who issued a given signature.Furthermore, group signatures are unlinkable which makes it computationally hard to establish whether or not multiple signatures are produced by the same group member.At the same time,no one,including the group manager,can misattribute a valid group signature.Group signature schemes are defined as follows.(See[4]for more details).Definition2.A group signature scheme is a digital signature scheme comprised of the following:(1)Setup:On input of a security parameter1l this probabilistic algorithmoutputs the initial group public key P K and the secret key SK for thegroup manager.(2)Join:An interactive protocol between the group manager and a userthat results in the user becoming a new group member.(3)Sign:An interactive protocol between a group member and a user wherebya group signature on a user supplied message is computed by the groupmember.(4)Verify:An algorithm for establishing the validity of a group signaturegiven a group public key and a signed message.(5)Open:An algorithm that,given a signed message and a group secretkey,determines the identity of the signer.A secure group signature scheme must satisfy the following properties:(1)Correctness:Signature produces by a group member using Sign mustbe accepted by Verify.(2)Anonymity:Given a signature,identifying the actual signer is compu-tationally hard for everyone but the group manager.(3)Unlinkability:Deciding whether two different signatures were computedby the same group member is computationally hard.(4)Unforgeability:Only group members are able to sign messages on behalfof the group.(5)Exculpability:Even if the group manager and some of the group memberscollude,they cannot sign on behalf of non-involved group members.(6)Traceability:The group manager can always establish the identity of themember who issued a valid signature.(7)Coalition-resistance:A colluding subset of group members cannot gen-erate a valid group signature that cannot be traced.AN EFFICIENT ID-BASED GROUP SIGNATURE SCHEME335.Our Group Signature Scheme from a ID-based SignatureIn this section we present how a ID-based signature scheme[7]can be used to implement an efficient group signature scheme.If we consider that,in the ID-based signature scheme[7],all users that get a private key(from their ID)from the same system and master key parameters form a group,the concepts of ID-based signatures and group signatures are very similar.In this description,the group manager is also a trusted authority.5.1.The scheme.•Setup:The group manager executes the steps from the subsection3.1.The initial group public key isP K=(q,P,P pub,Q IDi,H1,H2,H3, e)and the secret key is SK=s.•Join:Suppose now that a user U i wants to join the group.We assumethat communication between the group member and the group manageris secure,i.e.,private and authentic.To obtain his membership certifi-cate,each user U i must perform the following protocol with the groupmanager:–The user U i sends ID i to the group manager.–The group manager computes S i=s·Q IDi and then S i is commu-nicated secretly to the user U i.•Sign:In our scheme,ID i is the public component of a RSA signature public/private key pair generated by the user itself.This public/private key pair will be referred as(ID i,d i)in the remainder of this paper.First, the user U i signs a message m∈{0,1}∗with its RSA private key d i and the corresponding RSA signature scheme:Si gRSA=m d i(mod n),where n is an RSA-like modulus.Then,the group member U i can gener-ate anonymous and unlinkable group signatures on a message m∈{0,1}∗as follows:–Chooses a random k∈Z∗q.–Computes(R,S)∈G1×G1,whereR=k·PS=k−1(H2(m)·P+H3(R)·S i),where k−1is the inverse of k in Z∗q.–The group signature Sig is then the concatenation of the previously generated signatures SigRSA,(R,S)with the U i’s public key ID i Sig=m d i(mod n)||x R||x S||ID i34CONSTANTIN POPESCUwhere x R is the x-coordinate of R and x S is the x-coordinate of S.•Verify:First,a user verifies that the signature was generated by thegroup by verifying using the algorithm specified in Section3.4that(R,S)is valid and therefore the user U i is an authorized member of the group:e(R,S)= ek·P,k−1(H2(m)·P+H3(R)·S i)= e(P,H2(m)·P+H3(R)·S i)= e(P,P)H2(m)· e(P pub,Q IDi)H3(R)where we have used the bi-linearity properties of e.Second,a user verifiesthat the signature was generated by U i and not by the group managerby verifying using the U i’s public key ID i and the corresponding RSAsignature that SigRSA is valid:m=Si gRSA ID i(mod n).Since the group manager does not know the private key d i it will not beable to generate a valid Si gRSA.•Open:The group manager knows for each ID j the identity of the userU j that is associated with it.This binding is established during the Joinphase.As a result,it is easy for a group manager,given a message anda valid group signature Sig,to determine the identity of the signer.5.2.Security Considerations.In this section,we access the security of the group signature scheme defined in Section5according to the security properties defined in Section4.Correctness:This property is guaranteed since the ID-based signature scheme [7]must guaranteed it too.Unforgeability:This property is guaranteed since the ID-based signature scheme [7]must guaranteed it too.Anonymity:In our scheme,a group signature is the concatenation of the iden-tity based signature with the user’s public key(i.e.ID).Therefore if the underlying identity based signature provides anonymity and if the user’s public key does not reveal any information about the user,anonymity is guaranteed by the group signature scheme.Unlinkability:In our scheme,a group signature is the concatenation of the identity based signature with the user’s public key(i.e.ID).As a result,all the signatures generated by a user will contains his public key.Therefore unlinkabil-ity is not provided.However if the underlying identity-based signature provides unlinkability and if a user uses a different public/private key pair for each signa-ture,unlinkability is then provided.This solution might not be very practical if the user has to sign a lot of messages(because it needs to get and store a lot of public/private key pairs)but is acceptable otherwise.AN EFFICIENT ID-BASED GROUP SIGNATURE SCHEME35 Exculpability:In our group signature scheme,a group member can not sign on behalf of other members because it does not know the other members’private keys.The group manager knows each users’private key S i,but he do not knows the users’RSA private key d i.Therefore,exculpability is provided.Traceability:Since,in our proposal,the group manager generates each member private keys from their public keys,it can easily identify the actual signer of a valid signature by looking at the public key component in the group signature. Traceability is therefore provided.Coalition-resistance:This property is guaranteed since the ID-based signature scheme[7]must guaranteed it too.Our ID-based group signature scheme has a performance cost since it adds one RSA signature.Furthermore even with this extra cost,we believe that our scheme is still more efficient that any existing group signatures.6.ConclusionThis paper describes an efficient group signature scheme from an elliptic curves identity based signature scheme.The generated group signature can handle large groups since the group public key and parameters are constant and do not depend on the group members.The security of such a group signature depends on the security of the ID based signature scheme it was derived from.The generated group signature performance is similar to the performance of the underlying ID based signature scheme.References[1]G.Ateniese,J.Camenisch,M.Joye,and G.Tsudik,A practical and provably securecoalition-resistant group signature scheme,Advances in Cryptography,CRYPT02000,vol.1880,Lecture Notes in Computer Science,Springer Verlag,pp.255-270,2000.[2] D.Boneh and M.Franklin,Identity based Encryption from Weil pairing,Advances in Cryp-tography CRYPT02001,Springer-Verlag,Lecture Notes in Computer Science,vol.2139, pp.213-229,2001.[3]J.Camenisch,M.Stadler,Efficient group signature schemes for large groups,Advances inCryptology,CRYPTO’97,Lecture Notes in Computer Science,vol.1070,Springer-Verlag, 1296,pp.410-424,1997.[4]J.Camenisch and M.Michels,A group signature with improved efficiency,Advances inCryptography,ASIACRYPT’98,Springer-Verlag,Lecture Notes in Computer Science,vol.1514,pp.160-174,1998.[5] D.Chaum and E.Van Heyst,Group signatures,Advances in Cryptography,EURO-CRYPT’91,Springer-Verlag,Lecture Notes in Computer Science,vol.547,pp.257-265, 1991.[6]L.Chen and T.P.Pedersen,New group signature schemes,Advances in Cryptography,EUROCRYPT’95,Springer-Verlag,Lecture Notes in Computer Science,vol.950,pp.171-181,1995.[7]K.Paterson,Id-based signatures from pairings on elliptic curves,Tech.Rep.,IACR Cryp-tology ePrint Archive:Report2002/004,/2002/004/,2002.36CONSTANTIN POPESCU[8] C.Popescu,Group signature schemes based on the difficulty of computation of approximatee-th roots,Proceedings of Protocols for Multimedia Systems(PROMS2000),Poland,pp.325-331,2000.[9]R.Sakai,K.Ohgishi,and M.Kasahara,Cryptosystems based on pairing,Proceedings ofSymposium on Cryptography and Information Security,Japan,Okinawa,pp.26-28,2000.[10] A.Shamir,Identity-based cryptosystems and signature schemes,Advances in Cryptography,CRYPTO’84,Springer-Verlag,Lecture Notes in Computer Science,vol.196,pp.47-53,1984.[11]N.P.Smart,An Identity based Authenticated Key Agreement Protocol based onthe Weil Pairing,Tech.Rep.,IACR Cryptology ePrint Archive:Report2001/111, /2001/111/,2001.[12]Y.M.Tseng and J.K.Jan,A novel id-based group signature,Workshop on Cryptology andInformation Security,Tainan,pp.159-164,1998.University of Oradea,Department of Mathematics,Str.Armatei Romane5,Oradea, RomaniaE-mail address:cpopescu@uoradea.ro。