Universally Composable ElGamal-Type Broadcasting Multi-Signcryption Protocol
  • English title: ElGamal Broadcasting Multi-Signcryption Protocol with UC Security
  • Authors: Li Jianmin (李建民); Yu Huifang (俞惠芳); Xie Yong (谢永)
  • Affiliations: Meteorological Observatory of Qinghai Province; School of Computer, Qinghai Normal University; School of Communication and Information Engineering, Xi'an University of Posts & Telecommunications; Department of Computer Technology and Application, Qinghai University
  • Keywords: ElGamal multi-signature; ElGamal broadcasting multi-signcryption (EBMSC); semantic security; random oracle model; universally composable (UC) security
  • Journal: Journal of Computer Research and Development (计算机研究与发展), CNKI journal code JFYZ
  • Publication date: 2019-05-15
  • Year: 2019
  • Volume: 56
  • Issue: 05
  • Funding: National Natural Science Foundation of China (61363080, 61572303, 61772326); Qinghai Province Basic Research Program (2016-ZJ-776)
  • Language: Chinese
  • Article ID: JFYZ201905020
  • Pages: 197-207
  • Page count: 11
  • CN: 11-1777/TP
Abstract
Multi-signcryption means that two or more parties signcrypt the same message, with the requirement that the length of the signcryption result must not grow linearly with the number of signcrypters. An ordinary ElGamal-type multi-signature is unforgeable, but it cannot resist a joint attack by several colluding signers. To overcome the shortcomings of existing ElGamal-type multi-signatures, this paper combines ElGamal-type multi-signature with public-key signcryption and proposes a new ElGamal broadcasting multi-signcryption (EBMSC) protocol. It gives the protocol's algorithm definition and security model, and proves in the random oracle model (ROM) that the protocol is semantically secure under the discrete logarithm (DL) and computational Diffie-Hellman (CDH) assumptions. It then defines the ideal functionality and the real protocol for ElGamal broadcasting multi-signcryption in the universally composable (UC) framework, proves that the real protocol securely realizes the ideal functionality of broadcasting multi-signcryption, and also proves that the real protocol is unforgeable under adaptive chosen-message attack. Finally, an efficiency comparison between the EBMSC protocol and other protocols is given. The results show that the protocol is more efficient than existing schemes and realizes multi-signcryption within the UC framework. The protocol is suited to applications such as e-commerce, contract signing, online transactions and financial disbursement.
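Two claims in the abstract are easy to lose in the prose: that a DL-based multi-signature can be combined so that the result does not grow with the number of signers, and that a plain ElGamal/Schnorr-type aggregate key gives a malicious signer room to attack. The following is an added illustration, not code from the paper (whose EBMSC algorithms are not reproduced on this page) and not a signcryption scheme at all: it is a toy Schnorr-style broadcasting multi-signature over a prime-order subgroup, constructed here, showing the constant-size combined signature (R, s), the textbook rogue-key attack on the naive aggregate key Y = prod(y_i), and the well-known per-signer-challenge remedy in the style of Bellare and Neven. The group parameters are generated by a deterministic search and are far too small for real use; the hash-to-Z_Q function stands in for the random oracle.

```python
"""Toy DL-based broadcasting multi-signature (constructed example, not the paper's EBMSC)."""
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin; with these bases it is deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int):
    """First safe prime P = 2Q + 1 with Q of the given bit size (deterministic search)."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = safe_prime(64)  # toy-sized group chosen for the example; not for real use
G = 4                  # 2^2 is a quadratic residue mod P, hence has prime order Q


def h(*parts) -> int:
    """Random-oracle stand-in: hash the parts to a challenge in Z_Q."""
    data = b"|".join(repr(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1


def pub(x: int) -> int:
    return pow(G, x, P)


def aggregate(pubs) -> int:
    y = 1
    for p in pubs:
        y = y * p % P
    return y


# Naive scheme: a single challenge e = H(Y, R, m) over the aggregate key Y = prod(y_i).
def naive_sign(privs, msg, nonces=None):
    """Each signer contributes k_i and s_i; the combined signature is just (R, s)."""
    nonces = nonces or [rand_exp() for _ in privs]
    R = aggregate(pub(k) for k in nonces)
    e = h(aggregate(pub(x) for x in privs), R, msg)
    s = sum(k + x * e for k, x in zip(nonces, privs)) % Q
    return R, s


def naive_verify(pubs, msg, sig) -> bool:
    R, s = sig
    Y = aggregate(pubs)
    return pow(G, s, P) == R * pow(Y, h(Y, R, msg), P) % P


def rogue_key(honest_pubs, x_rogue: int) -> int:
    """Rogue signer publishes y_n = g^x_n * (prod honest y_i)^-1, so prod(all y) = g^x_n.
    naive_sign([x_rogue], msg) then verifies under the full key set without anyone else."""
    return pub(x_rogue) * pow(aggregate(honest_pubs), -1, P) % P


# Hardened scheme (Bellare-Neven style): e_i = H(L, R, m, y_i) binds each signer's own
# key and the whole key list L, so the aggregate key can no longer be cancelled out.
def bn_sign(privs, msg, nonces=None):
    nonces = nonces or [rand_exp() for _ in privs]
    pubs = [pub(x) for x in privs]
    R = aggregate(pub(k) for k in nonces)
    s = sum(k + x * h(pubs, R, msg, y) for k, x, y in zip(nonces, privs, pubs)) % Q
    return R, s


def bn_verify(pubs, msg, sig) -> bool:
    R, s = sig
    rhs = R
    for y in pubs:
        rhs = rhs * pow(y, h(pubs, R, msg, y), P) % P
    return pow(G, s, P) == rhs


def rogue_attempt_bn(all_pubs, x_rogue, y_rogue, msg, k=None):
    """The most a lone rogue signer can compute under bn_verify: s for its own challenge only."""
    k = rand_exp() if k is None else k
    R = pub(k)
    return R, (k + x_rogue * h(all_pubs, R, msg, y_rogue)) % Q
```

The combined signature is two elements whether one or ten parties sign, which is the size property the abstract demands of a multi-signcryption. In the naive scheme the last party to publish a key can pick it so that the aggregate key collapses to a key it controls, and then "multi-sign" alone; binding every signer's key into its own challenge removes that freedom, which is one reason a multi-signcryption construction needs a security model and proof rather than a direct combination of textbook ElGamal multi-signature with encryption.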
References
[1] Itakura K, Nakamura K. A public-key cryptosystem suitable for digital multi-signatures[J]. NEC Research & Development, 1983, 71(1): 474-480
[2] Zhang Jianhong, Wei Yongzhuang, Wang Yumin. Digital multisignature scheme based on RSA[J]. Journal on Communications, 2003, 24(8): 150-154 (in Chinese)
[3] Li Zichen, Yang Yixian. ElGamal multisignature digital signature scheme[J]. Journal of Beijing University of Posts and Telecommunications, 1999, 22(2): 30-34 (in Chinese)
[4] Burmester M, Desmedt Y, Doi H, et al. A structured ElGamal-type multisignature scheme[C] // LNCS 1751: Proc of the 3rd Int Workshop on Practice and Theory in Public Key Cryptography. Berlin: Springer, 2000: 466-483
[5] Zhang Qiupu, Ye Dingfeng. Cryptanalysis and improvement of an identity-based multi-signcryption scheme[J]. Acta Electronica Sinica, 2011, 39(12): 2713-2720 (in Chinese)
[6] Lu Langru, Zeng Junjie, Kuang Youhua, et al. A new multisignature scheme based on the discrete logarithm problem and its distributed computation[J]. Chinese Journal of Computers, 2002, 25(12): 1419-1420 (in Chinese)
[7] Han Xiaoxi, Wang Guilin, Bao Feng, et al. An attack on multisignature schemes based on discrete logarithm[J]. Chinese Journal of Computers, 2004, 27(8): 1147-1152 (in Chinese)
[8] Harn L. New digital signature scheme based on discrete logarithm[J]. Electronics Letters, 1994, 30(5): 396-398
[9] Wu Tzongchen, Chou Shulin, Wu Tzongsun. Two ID-based multi-signature protocols for sequential and broadcasting architectures[J]. Computer Communications, 1996, 19(9/10): 851-856
[10] Zheng Yuliang. Digital signcryption or how to achieve cost(signature & encryption) << cost(signature) + cost(encryption)[C] // LNCS 1294: Proc of the 17th Annual Int Cryptology Conf. Berlin: Springer, 1997: 165-179
[11] Baek J, Steinfeld R, Zheng Yuliang. Formal proofs for the security of signcryption[C] // LNCS 2274: Proc of the 5th Int Workshop on Practice and Theory in Public Key Cryptosystems. Berlin: Springer, 2002: 80-98
[12] Fan Jia, Zheng Yuliang, Tang Xiaohu. A single key pair is adequate for the Zheng signcryption[C] // LNCS 6812: Proc of the 16th Australasian Conf on Information Security and Privacy. Berlin: Springer, 2011: 371-388
[13] Zhou Kai, Peng Changgen, He Jianqiong, et al. Provably secure trajectory privacy protection scheme for continuous queries in location-based services[J]. Netinfo Security, 2017, 17(1): 43-47 (in Chinese)
[14] Yu Huifang, Yang Bo. Identity-based hybrid signcryption scheme using ECC[J]. Journal of Software, 2015, 26(12): 3174-3182 (in Chinese)
[15] Zhou Yanwei, Yang Bo, Wang Qinglong. Provably secure leakage-resilient certificateless hybrid signcryption scheme[J]. Journal of Software, 2016, 27(11): 2898-2911 (in Chinese)
[16] Shi Min, Ye Weiwei, Ou Qingyu. Identity-based authenticated key agreement protocol without bilinear pairing[J]. Netinfo Security, 2016, 16(10): 21-27 (in Chinese)
[17] Li Jianmin, Yu Huifang, Zhao Chen. Self-certified blind signcryption protocol with UC security[J]. Journal of Frontiers of Computer Science and Technology, 2017, 11(6): 932-940 (in Chinese)
[18] Yu Huifang, Yang Bo. Provably secure certificateless hybrid signcryption[J]. Chinese Journal of Computers, 2015, 37(4): 804-813 (in Chinese)
[19] Yu Huifang, Yang Bo. Low-computation certificateless hybrid signcryption scheme[J]. Frontiers of Information Technology & Electronic Engineering, 2017, 18(7): 928-940
[20] Zhou Caixue. Cryptanalysis and improvement of some signcryption schemes[J]. Computer Engineering and Science, 2016, 38(11): 2246-2253 (in Chinese)
[21] Canetti R. Universally composable security: A new paradigm for cryptographic protocols[C] // Proc of the 42nd IEEE Symp on Foundations of Computer Science. Los Alamitos, CA: IEEE Computer Society, 2001: 136-145
[22] Canetti R, Lindell Y, Ostrovsky R, et al. Universally composable two-party and multi-party secure computation[C] // Proc of the 34th Annual ACM Symp on Theory of Computing. New York: ACM, 2003: 219-233
[23] Gjøsteen K, Kråkmo L. Universally composable signcryption[C] // LNCS 4582: EuroPKI 2007. Berlin: Springer, 2007: 346-353
[24] Canetti R, Dachman-Soled D, Vaikuntanathan V, et al. Efficient password authenticated key exchange via oblivious transfer[C] // LNCS 7293: Proc of the 15th Int Conf on Practice and Theory in Public Key Cryptography. Berlin: Springer, 2012: 449-466
[25] Feng Tao, Li Fenghua, Ma Jianfeng, et al. A new method for concurrent deniable authentication with UC security[J]. Science in China Series F: Information Sciences, 2008, 38(8): 1220-1233 (in Chinese)
[26] Su Ting, Xu Qiuliang. UC secure signcryption protocol with public verifiability[J]. Journal of Southeast University (Natural Science Edition), 2008, 38(Suppl): 55-58 (in Chinese)
[27] Zhang Zhong, Xu Qiuliang. Universally composable grouping-proof protocol for RFID tags in the Internet of Things[J]. Chinese Journal of Computers, 2011, 34(7): 1188-1194 (in Chinese)
[28] Tian Youliang, Ma Jianfeng, Peng Changgen, et al. Universally composable mechanism for group communication[J]. Chinese Journal of Computers, 2012, 35(4): 645-653 (in Chinese)
[29] Tian Youliang, Peng Changgen, Ma Jianfeng, et al. Universally composable secure multiparty computation protocol with fairness[J]. Journal on Communications, 2014, 35(7): 54-62 (in Chinese)
[30] Zhang Xinghua. A new multi-proxy multi-signature scheme based on the discrete logarithm problem[J]. Computer Applications and Software, 2014, 31(2): 317-320 (in Chinese)
[31] Cao Yang. Identity-based ElGamal multiple digital signature scheme[J]. Bulletin of Science and Technology, 2015, 31(5): 197-199 (in Chinese)
[32] Wang Caifen, Jiang Hong, Yang Xiaodong, et al. Multi-message multi-receiver hybrid signcryption scheme based on discrete logarithm[J]. Computer Engineering, 2016, 42(1): 150-155 (in Chinese)
[33] Hu Jianghong. A certificateless broadcasting multi-proxy signature scheme based on RSA[J]. Computer and Modernization, 2016(6): 113-116 (in Chinese)