改进的可证明安全无证书签名方案
|
摘要
给出樊爱宛等无证书签名方案的一个伪造攻击,攻击显示第Ⅰ类强攻击者能成功伪造任意用户对任意消息的有效签名.分析发现原方案不安全的原因在于,签名阶段选取的随机数没有与消息M关联起来,通过将签名阶段选取的随机数与消息M相关的Hash函数值进行绑定的方式给出了改进方案,其中安全性最优的方案在签名阶段只需1个点乘,在验证阶段需要4个点乘,可抵抗第Ⅰ类超级攻击者、第Ⅱ类超级攻击者的攻击;其余方案在签名阶段只需1个点乘,在验证阶段需要3个点乘,可抵抗第Ⅰ类强攻击者、第Ⅱ类超级攻击者的攻击,针对现实世界的攻击者是安全的.改进方案在椭圆曲线离散对数困难性假设下是可证明安全的.
A forgery attack on Fan Aiwan et al's certificateless signature scheme was presented. It is found that the strong type I adversary could forge any user's valid signature on any message. The reason of this problem is that the random number selected in the signature generation phase is not associated with the message M. To improve the original scheme's security,the improved schemes in which the random number selected in the signature generation phase is bound to the hash function value of message M was proposed. The most secure scheme proposed can resist both super type I and type II adversary,and it only needs one scalar multiplication in signature generation phase and four scalar multiplications in signature verification phase; the other schemes proposed can resist strong type I and super type II adversary and are secure against the attacker in the real world. In addition,they only need one scalar multiplication in signature generation phase,and three scalar multiplications in signature verification phase. The improved schemes are provably secure under the intractability of elliptic curve discrete logarithm problem.
A forgery attack on Fan Aiwan et al's certificateless signature scheme was presented. It is found that the strong type I adversary could forge any user's valid signature on any message. The reason of this problem is that the random number selected in the signature generation phase is not associated with the message M. To improve the original scheme's security,the improved schemes in which the random number selected in the signature generation phase is bound to the hash function value of message M was proposed. The most secure scheme proposed can resist both super type I and type II adversary,and it only needs one scalar multiplication in signature generation phase and four scalar multiplications in signature verification phase; the other schemes proposed can resist strong type I and super type II adversary and are secure against the attacker in the real world. In addition,they only need one scalar multiplication in signature generation phase,and three scalar multiplications in signature verification phase. The improved schemes are provably secure under the intractability of elliptic curve discrete logarithm problem.
引文
[1]Al-Riyami S S,Paterson K G.Certificateless public key cryptography[C]∥Laih C S.Proc.of the ASIACRYPT2003.LNCS 2894,Berlin:Springer-Verlag,2003:452-473.
[2]Huang Xinyi,Mu Yi,Susilo W,et al.Certificateless signature revisited[C]∥Pieprzyk J,Ghodosi H,Dawson E.Proc.of the ACISP 2007.LNCS 4586,Heidelberg:Springer-Verlag,2007:308-322.
[3]Al-Riyami S S,Paterson K G.Certificateless public key cryptography[C]∥Proc of Asiacrypt 2003.Berlin:Springer-Verlag,2003:452-473.
[4]曹雪菲,Kenneth G Paterson,寇卫东.对一类无证书签名方案的攻击与改进[J].北京邮电大学学报,2008,31(2):64-67.Cao Xuefei,Kenneth G Paterson,Kou Weidong.An attack on a certificateless signature scheme and its improvement[J].Journal of Beijing University of Posts and Telecommunications,2008,31(2):64-67.
[5]Gong Peng,Li Ping.Further improvement of a certificateless signature scheme without pairing[J].International Journal of Communication Systems,2012,27(10):2083-2091.
[6]Yeh K H,Tsai K Y,Kuo R Z,et al.Robust certificateless signature scheme without bilinear pairings[C]∥IT Convergence and Security(ICITCS),2013 International Conference on.[S.l.]:IEEE,2013:1-4.
[7]王圣宝,刘文浩,谢琪.无双线性配对的无证书签名方案[J].通信学报,2012,33(4):93-98.Wang Shengbao,Liu Wenhao,Xie Qi.Certificateless signature scheme without bilinear pairings[J].Journal on Communications,2012,33(4):93-98.
[8]王亚飞,张睿哲.强安全无对的无证书签名方案[J].通信学报,2013,34(2):94-100.Wang Yafei,Zhang Ruizhe.Strongly secure certificateless signature scheme without pairings[J].Journal on Communications,2013,34(2):94-100.
[9]樊爱宛,杨照峰,谢丽明.强安全无证书签名方案的安全性分析与改进[J].通信学报,2014,33(1):18-21.Fan Aiwan,Yang Zhaofeng,Xie Liming.Security analysis and improvement of strongly secure certificateless signature scheme[J].Journal on Communications,2014,33(1):18-21.
[10]Kim K S,Jeong I R.A new certificateless signature scheme under enhanced security models[J].Security and Communication Networks,2014,8(5):801-410.
[11]Pointcheval D,Stern J.Security proofs for signature schemes[J].Lecture Notes in Computer Science,1996,1070:387-398.
[2]Huang Xinyi,Mu Yi,Susilo W,et al.Certificateless signature revisited[C]∥Pieprzyk J,Ghodosi H,Dawson E.Proc.of the ACISP 2007.LNCS 4586,Heidelberg:Springer-Verlag,2007:308-322.
[3]Al-Riyami S S,Paterson K G.Certificateless public key cryptography[C]∥Proc of Asiacrypt 2003.Berlin:Springer-Verlag,2003:452-473.
[4]曹雪菲,Kenneth G Paterson,寇卫东.对一类无证书签名方案的攻击与改进[J].北京邮电大学学报,2008,31(2):64-67.Cao Xuefei,Kenneth G Paterson,Kou Weidong.An attack on a certificateless signature scheme and its improvement[J].Journal of Beijing University of Posts and Telecommunications,2008,31(2):64-67.
[5]Gong Peng,Li Ping.Further improvement of a certificateless signature scheme without pairing[J].International Journal of Communication Systems,2012,27(10):2083-2091.
[6]Yeh K H,Tsai K Y,Kuo R Z,et al.Robust certificateless signature scheme without bilinear pairings[C]∥IT Convergence and Security(ICITCS),2013 International Conference on.[S.l.]:IEEE,2013:1-4.
[7]王圣宝,刘文浩,谢琪.无双线性配对的无证书签名方案[J].通信学报,2012,33(4):93-98.Wang Shengbao,Liu Wenhao,Xie Qi.Certificateless signature scheme without bilinear pairings[J].Journal on Communications,2012,33(4):93-98.
[8]王亚飞,张睿哲.强安全无对的无证书签名方案[J].通信学报,2013,34(2):94-100.Wang Yafei,Zhang Ruizhe.Strongly secure certificateless signature scheme without pairings[J].Journal on Communications,2013,34(2):94-100.
[9]樊爱宛,杨照峰,谢丽明.强安全无证书签名方案的安全性分析与改进[J].通信学报,2014,33(1):18-21.Fan Aiwan,Yang Zhaofeng,Xie Liming.Security analysis and improvement of strongly secure certificateless signature scheme[J].Journal on Communications,2014,33(1):18-21.
[10]Kim K S,Jeong I R.A new certificateless signature scheme under enhanced security models[J].Security and Communication Networks,2014,8(5):801-410.
[11]Pointcheval D,Stern J.Security proofs for signature schemes[J].Lecture Notes in Computer Science,1996,1070:387-398.