Research on Threshold Cryptography and Related Security Applications
Abstract
With the rapid development of computer network technology, network services have permeated every area of people's lives. On the one hand this brings enormous convenience and benefit to human activity; on the other it brings unprecedented threats. Because important data is transmitted over the network, its confidentiality, integrity and availability must be guaranteed, and information security technology is the effective way to achieve this. Cryptography is the core technology of network information security. Cryptosystems fall broadly into two classes, symmetric and asymmetric; asymmetric cryptosystems take on key agreement, digital signatures, message authentication and other important roles in information security and have become the core ciphers.
Threshold cryptography is an important branch of cryptography: the organic integration of a threshold scheme with a cryptographic scheme. It can encompass every kind of cryptographic scheme, for example a symmetric or asymmetric cryptosystem used for encryption, or a digital signature scheme used for electronic signing; any of these can be integrated with a threshold scheme to yield a threshold cryptographic scheme. The main idea of secret sharing and threshold cryptography is to split a key into a number of shares stored separately on several server members; when the key must be reconstructed or used for some cryptographic operation, more than a specified number of members must cooperate to complete it, and any group of fewer than that number of members cannot compute the key. This approach directly reduces the likelihood of key leakage and is an important component of cryptography. Threshold cryptography has many application areas, such as constructing intrusion-tolerant key management centers, distributed symmetric key generation, multi-secret sharing, key escrow and group signatures.
Proactively secure threshold methods aim to reduce the damage caused by compromised servers. In threshold cryptography the system is secure as long as fewer than a specified number of servers are compromised, but the attacker has the entire lifetime of the key in which to break into servers, and when a server is compromised we need to minimise the resulting damage. The main idea of proactive security is that after every fixed period each member's sub-key is updated through a sub-key update function and the old key is deleted, while the shared secret remains unchanged. An attacker must then compromise the specified number of servers within a single period to mount an effective attack; if the current members' sub-keys leak, the adversary still cannot learn the sub-keys of earlier periods and therefore cannot break the threshold cryptosystem. Combining the threshold method with the proactive method yields proactively secure threshold schemes with a higher level of security. This thesis discusses hot topics in this field and proposes a proactively secure multi-secret sharing scheme with distinctive advantages.
The idea of forward security: the lifetime of a key is divided into T time periods; in each period the user's private key is updated through a one-way update function and the previous private key is deleted, so that even if the current key leaks, the adversary still cannot forge signatures from earlier periods or read earlier private information. Forward security reduces the damage of key leakage, while threshold cryptography reduces the likelihood of key leakage; combining the two makes it possible to construct forward-secure threshold schemes.
Throughout the development of key escrow technology, trust has always been a key problem. On the one hand, how can the escrow agency be convinced that the key a user escrows is really the key the user uses; on the other, how can it be guaranteed that the escrow agency does not abuse its power and steal the user's secret information. For many years these two problems have held back the development of key escrow. This thesis uses threshold cryptography to give a new forward-secure key escrow scheme that addresses the current problems of trust and abuse of authority.
In a threshold signature scheme the private key is shared by a group of n users, unlike an ordinary signature where the private key is held by a single user, and the digital signature is produced by a group of users rather than an individual. To produce a valid signature on a given message, the group signature can only be generated when the number of participating users reaches or exceeds the threshold; each participating user produces a partial signature on the message, the partial signatures are combined into the overall signature, and any verifier can check the signature with the group public key. Multi-threshold signatures are the focus of this thesis: unlike single-threshold group signatures, multi-threshold group signatures can solve the group signing problem for groups with several privileged subsets.
The main work of this thesis is the study of the security applications of threshold cryptography described above. The main research results are summarised as follows:
(1) A distributed symmetric key generation scheme is studied. Using (k,n) secret sharing effectively solves the generation and distribution of symmetric keys: multiple distributed KDC servers provide the key service in parallel, any k authorised KDC servers together can compute K_(u,v), and even if k-1 servers are compromised K_(u,v) still cannot be computed. A bivariate polynomial is used to construct the (k,n) threshold, which realises a mapping from entity names to symmetric keys, and the keys are consistent: the symmetric key obtained by Lagrange interpolation from any k authorised key servers is the same. The scheme uses zero-knowledge proofs to prevent cheating by the administrator and by members; it is efficient, stable, robust, scalable and forgetful, supports easy key update, and effectively avoids the efficiency bottleneck of symmetric key distribution. Finally the scheme is shown to be provably secure and to have the proactive security property.
The distributed symmetric key generation scheme can be used to build an intrusion-tolerant KDC system. In network security protocols that distribute keys for broadcast communication, keeping the KDC secure while providing an efficient key service is a very important problem. Unlike the current domain-partitioning and server-replication approaches, the intrusion-tolerant KDC system constructed in this thesis distributes different pseudo-random generation functions across multiple distributed KDC servers, and only more than a specified number of authorised servers acting together can compute the final symmetric key. This guarantees that compromising fewer than a certain number of KDC servers poses no threat to the system, so the distributed KDC remains secure, and the efficiency bottleneck and single point of failure of broadcast key distribution are avoided.
(2) A multi-secret sharing threshold scheme is given. In this scheme the dealer can securely and efficiently share multiple secrets, and members can compute different sub-keys for different shared secrets, which are verifiable. The scheme uses signatures of knowledge to resist cheating by the dealer and by members, and it scales well when new members join, since the sub-keys of existing members need not be changed. Finally the security and efficiency of the scheme are proved.
(3) A proactively secure multi-secret threshold sharing scheme is given. In this scheme members can securely and efficiently share multiple secrets and compute different verifiable sub-keys for different shared secrets. The scheme is proactively secure: members' sub-keys are refreshed periodically without changing the shared secrets, so an attacker must complete an attack within one refresh period. Verifiable secret sharing resists cheating by the dealer and by members. Finally the security and efficiency of the scheme are proved.
(4) A forward-secure threshold key escrow scheme is given. Threshold cryptography distributes the user's private key among n escrow agencies; the agencies' sub-keys are refreshed periodically at a set interval, within a refresh period any k agencies together can recover the user's key, and an escrow agency that has not refreshed on schedule or has been compromised cannot recover the correct user private key. Within the limited period the sub-keys held by the agencies are refreshed automatically, and data encrypted before the refresh cannot be maliciously decrypted by the current attack, so the proposed threshold key escrow scheme is forward secure.
(5) A multi-threshold group signature scheme without a trusted center is given, based on the discrete logarithm security assumption. The signing key pair is generated jointly by the users, sub-keys are issued with a verifiable secret sharing scheme, and a "multiple" partition of the private key is used to design a multi-threshold group signature scheme of the ElGamal signature type. Any subset of members that satisfies all the threshold requirements can sign on behalf of the group: every participating member produces a partial signature, and the signature service finally completes the group signature. The signature is anonymous and traceable, adding or removing members requires no large-scale change to the system, and any user or signature server can verify the correctness of a group signature with the user's public key.
The results of this work can be widely applied to certification authority (CA) systems, key management systems, bank electronic money signature systems in e-commerce, secure database systems, web site authentication systems, key escrow systems, revocable electronic cash systems, electronic voting systems and many other areas. Future work includes studying the forward security property to build a threshold signature scheme that satisfies strong forward security, and extending bilinear pairings to special digital signature systems to build various pairing-based signature schemes.
With the rapid development of internet technology, more and more applications exchange information over the internet, and we can no longer imagine life without it. The internet brings great convenience and advantage, but it brings a great deal of threat at the same time. An adversary can eavesdrop on, modify and forge anything sent over the internet without being detected by the communicating parties, so confidentiality, integrity and availability must be maintained in a secure application. Cryptography and network security are the most effective means of protecting a network from attackers. Ciphers can be classified as symmetric and asymmetric: symmetric ciphers such as DES are usually used to encrypt bulk data, while asymmetric ciphers such as RSA are usually used to exchange symmetric keys, for digital signatures and for identity authentication, and they have in fact become the core component of cryptography.
Threshold cryptography is an important branch of cryptography with many potential uses in information security. In particular, such a scheme can ensure the secure implementation of a cryptographic secret in a multi-user network. A secret sharing scheme is a method of distributing a secret value into shares in such a way that only authorized subsets of participants are able to recover the secret from their shares. Secret sharing schemes were introduced independently by Shamir and Blakley. A (t, n) secret sharing scheme is called a threshold scheme if it has the following characteristics: ① there are n participants; ② any t or more of the n participants can rebuild the secret; ③ any t-1 or fewer participants cannot reveal the secret. Threshold cryptography can be integrated with encryption schemes and signature schemes, so it is very useful for constructing an intrusion-tolerant key management center, generating symmetric keys in a distributed manner, sharing multiple secrets among a group of entities, key escrow, group signatures and so on.
The motivation for proactive security is to reduce the damage from compromised servers in a threshold system. No server can be absolutely secure, so we should do our best to limit the damage when one is compromised. The protection provided by traditional secret sharing may be insufficient for sensitive and long-lived secrets, because the adversary has the entire lifetime of the secret to attack enough servers to compromise the shared secret. A natural remedy is to refresh the secret periodically; however, this is not always possible. That is the case for inherently long-lived secrets such as cryptographic master keys, data files and legal documents: imagine protecting a data file by encrypting it under an initial key and then periodically changing that key; each time the key changes the file must be decrypted with the old key and re-encrypted with the new one, which does not protect the integrity of the file at all and exposes the secret to the adversary whenever the file is decrypted. An effective solution is to change the sub-secrets held by the participants periodically without changing the value of the shared secret. The adversary cannot obtain any information about earlier or later sub-secrets from the current sub-secrets held by the participants, so it must compromise a certain number of servers within a single time span to obtain useful information. A proactively secure threshold scheme can be constructed by combining a threshold scheme with proactive methods. In the remainder of this thesis we discuss some hot topics in this field and present several new schemes with particular advantages.
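The (t, n) threshold scheme and the proactive refresh described above, as an added worked example (not code from the thesis): Shamir sharing over a small constructed group with Feldman commitments so each participant can verify its share, followed by a refresh round that changes every share but not the secret. The toy group parameters, the function names and the single-contributor update polynomial are assumptions for illustration.

```python
"""Shamir (t, n) secret sharing over Z_Q with Feldman commitments, so each
participant can check its share, plus one proactive refresh round that
re-randomises every share while leaving the shared secret unchanged."""
import secrets

# Constructed toy Schnorr group (not a production size): Q = 509 and
# P = 2*Q + 1 = 1019 are prime and G = 4 generates the order-Q subgroup.
P, Q, G = 1019, 509, 4


def eval_poly(coeffs, x):
    """Evaluate sum(coeffs[j] * x**j) mod Q; coeffs[0] is the constant term."""
    return sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q


def lagrange_at_zero(points):
    """Recover f(0) from t points (x_i, f(x_i)) with distinct nonzero x_i."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def deal(secret, t, n):
    """Dealer: random degree-(t-1) polynomial f with f(0) = secret; share i
    is f(i). The commitments G^a_j let anyone verify a share without
    learning the secret (Feldman VSS)."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {i: eval_poly(coeffs, i) for i in range(1, n + 1)}
    commits = [pow(G, a, P) for a in coeffs]
    return shares, commits


def verify_share(i, share, commits):
    """Feldman check: G^share == prod_j commits[j]^(i^j) mod P."""
    rhs = 1
    for j, c in enumerate(commits):
        rhs = rhs * pow(c, pow(i, j, Q), P) % P
    return pow(G, share, P) == rhs


def reconstruct(shares, t):
    """Any t shares recover the secret; fewer than t give no information."""
    if len(shares) < t:
        raise ValueError("need at least t shares")
    return lagrange_at_zero(list(shares.items())[:t])


def refresh(shares, commits, t, update=None):
    """Proactive update: add to every share the share of a random polynomial
    u with u(0) = 0. The secret f(0) + u(0) is unchanged, but shares from
    different periods no longer lie on one polynomial, so an adversary must
    collect t shares within a single period. (The real protocol has every
    participant contribute one such u; a single honest u is used here, and
    `update` can be fixed for reproducible runs.)"""
    if update is None:
        update = [0] + [secrets.randbelow(Q) for _ in range(t - 1)]
    new_shares = {i: (s + eval_poly(update, i)) % Q for i, s in shares.items()}
    # Commitments compose homomorphically: G^(a_j) * G^(u_j) = G^(a_j + u_j)
    new_commits = [c * pow(G, u, P) % P for c, u in zip(commits, update)]
    return new_shares, new_commits


def demo(secret=42, t=3, n=5):
    """Deal, verify, refresh, and show which share combinations still work."""
    shares, commits = deal(secret, t, n)
    new_shares, new_commits = refresh(shares, commits, t)
    return {
        "old_shares_ok": reconstruct({i: shares[i] for i in (1, 3, 5)}, t) == secret,
        "old_shares_verify": all(verify_share(i, s, commits) for i, s in shares.items()),
        "new_shares_ok": reconstruct({i: new_shares[i] for i in (2, 4, 5)}, t) == secret,
        "new_shares_verify": all(verify_share(i, s, new_commits) for i, s in new_shares.items()),
        "stale_share_accepted": verify_share(1, shares[1], new_commits),
        "mixed_periods_ok": reconstruct({1: shares[1], 2: new_shares[2], 3: shares[3]}, t) == secret,
    }


if __name__ == "__main__":
    print(demo())
```

The last two entries of `demo()` come out False (except with negligible probability): a stale share fails verification against the new commitments, and shares from different periods do not combine to the secret.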
As our society becomes computerized, information security raises many different demands, some of which can never be fully satisfied at the same time. Strong ciphers, which protect privacy during communication by rendering wiretapping useless, have been pursued by many researchers. However, there is also a strong demand to monitor communication in order to combat crime. A common and practical solution is to use a trusted third party. In a key escrow scheme, users deposit their private keys with an escrow agency (EA), which is assumed to disclose the keys to the law enforcement party (LEP) only when lawfully requested. In this thesis we give a new key escrow scheme using threshold cryptography in order to balance privacy against the monitoring requirement.
A group signature scheme allows members of a group to sign messages on behalf of the group. Signatures can be verified with respect to a single group public key, but they do not reveal the identity of the signer. Furthermore, it is not possible to decide whether two signatures were issued by the same group member. However, there is a designated group manager who can, in case of a later dispute, open signatures, i.e. reveal the identity of the signer. Group signatures could for instance be used by a company to authenticate price lists, press releases or digital contracts. Customers need to know only a single company public key to verify signatures. The company can hide its internal organizational structure and responsibilities, yet can still find out which employee (i.e. group member) signed a particular document. The concept of group signatures was introduced by Chaum and van Heyst, who also proposed the first realizations. Using the partial key escrow technique to construct a group signature scheme is a good idea for environments that need a super-privileged manager: no group signature can be formed without the super manager's sub-signature.
The main work of this thesis is research on the cryptosystems related to threshold cryptography mentioned above. The main contributions are as follows:
(1) A secure distributed symmetric key generation scheme is proposed; here the key management center is an important component for generating symmetric keys without public key cryptography. We use bivariate polynomials to construct a threshold distributed pseudo-random function and distribute the bivariate polynomial across the key management center servers, so that only an authorized set of servers can jointly compute the pseudo-random value used as the key. This ensures that the compromise of a certain number of servers does not threaten the security of the whole network, which enhances the security of the distributed key management center and prevents bottlenecks and single points of failure. The scheme uses zero-knowledge proofs to prevent cheating by the administrator and by participants.
An intrusion-tolerant key management center can be constructed from our distributed symmetric key generation scheme; the key management center is an important component for generating symmetric keys in multicast communication without public key cryptography. Keeping the key management center secure while providing an efficient symmetric key service is very important. Unlike the known domain-partitioning or replication solutions, our scheme uses bivariate polynomials to construct a threshold distributed pseudo-random function and distributes the bivariate polynomial across the key management center servers, so that only an authorized set of servers can jointly compute the pseudo-random value used as the key. This ensures that the compromise of a certain number of servers does not threaten the security of the whole network, enhances the security of the distributed key management center servers, and prevents bottlenecks and single points of failure.
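An added illustration of the bivariate-polynomial construction sketched in contribution (1) (example code, not the thesis's own scheme): a symmetric F(x, y) is shared so that KDC server s holds F(s, y), and any k servers let entity u compute K_{u,v} = F(u, v) by Lagrange interpolation, consistently across server subsets and in both directions. The name-to-point hashing, the request/response shape and the function names are assumptions; the thesis's zero-knowledge checks against cheating are omitted.

```python
"""Distributed symmetric key generation from a symmetric bivariate
polynomial: n KDC servers each hold a univariate share of F(x, y), any k of
them let a client derive K_{u,v} = F(u, v) by Lagrange interpolation, and the
key is the same whichever k servers answer and whether u or v asks for it."""
import hashlib
import secrets

Q = 2**127 - 1  # Mersenne prime; all arithmetic is in Z_Q


def name_to_point(name):
    """Map an entity name to a field element (assumed: SHA-256 reduced mod Q)."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % Q


def dealer_setup(k, n):
    """Choose F(x, y) = sum a[i][j] x^i y^j of degree k-1 in each variable with
    a[i][j] == a[j][i], and give server s the coefficients of g_s(y) = F(s, y).
    The dealer keeps a; no single server can evaluate F at an arbitrary x."""
    a = [[0] * k for _ in range(k)]
    for i in range(k):
        for j in range(i, k):
            a[i][j] = a[j][i] = secrets.randbelow(Q)
    shares = {}
    for s in range(1, n + 1):
        # coefficient of y^j in F(s, y) is sum_i a[i][j] * s^i
        shares[s] = [sum(a[i][j] * pow(s, i, Q) for i in range(k)) % Q
                     for j in range(k)]
    return a, shares


def eval_poly(coeffs, x):
    """Evaluate sum(coeffs[j] * x**j) mod Q."""
    return sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q


def eval_bivariate(a, x, y):
    """Reference F(x, y); only the dealer can compute this directly."""
    k = len(a)
    return sum(a[i][j] * pow(x, i, Q) * pow(y, j, Q)
               for i in range(k) for j in range(k)) % Q


def server_respond(share, v):
    """KDC server s answers a request naming peer v with F(s, v) = g_s(v)."""
    return eval_poly(share, v)


def lagrange_eval(points, x):
    """Value at x of the unique degree-(len(points)-1) polynomial through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def derive_key(shares, server_ids, me, peer, k):
    """Entity `me` collects F(s, v) from k servers (v = the peer's point),
    which fixes the degree-(k-1) polynomial x -> F(x, v), and evaluates it
    at its own point u to obtain K_{u,v} = F(u, v). Fewer than k answers
    leave that polynomial, and hence the key, undetermined."""
    if len(server_ids) < k:
        raise ValueError("fewer than k servers cannot determine the key")
    u, v = name_to_point(me), name_to_point(peer)
    points = [(s, server_respond(shares[s], v)) for s in server_ids[:k]]
    return lagrange_eval(points, u)


def demo(k=3, n=5):
    """Different server subsets and both request directions yield one key,
    and that key equals the dealer's direct evaluation F(u, v)."""
    a, shares = dealer_setup(k, n)
    keys = {
        derive_key(shares, [1, 2, 3], "alice", "bob", k),
        derive_key(shares, [5, 4, 2], "alice", "bob", k),
        derive_key(shares, [3, 1, 5], "bob", "alice", k),
    }
    consistent = len(keys) == 1
    direct = eval_bivariate(a, name_to_point("alice"), name_to_point("bob"))
    return consistent, keys == {direct}


if __name__ == "__main__":
    print(demo())
```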
(2) A new multi-secret sharing threshold scheme is presented. In this scheme the dealer can manage any set of secrets for sharing, participants can compute sub-secrets for different secrets efficiently and securely, and the sub-secret held by each participant is verifiable. The scheme uses signatures of knowledge to resist cheating by the dealer and by participants. Adding a new participant to the system does not change the sub-secrets already assigned to existing participants. Finally, the scheme is shown to be secure and efficient.
(3) A new proactively secure multi-secret sharing threshold scheme is proposed. In this scheme participants can share multiple secrets and compute sub-secrets for reconstruction efficiently and securely, and the sub-secret held by each participant is verifiable. The scheme uses verifiable secret sharing to resist cheating by the dealer and by participants. Our scheme is proactively secure: participants update their sub-secrets periodically without the dealer's intervention, old sub-secrets become obsolete, and the adversary cannot obtain any useful information from them. Finally, the scheme is shown to be secure and efficient.
(4) A new forward-secure threshold key escrow scheme is proposed. In our scheme the private key is divided into n parts using threshold techniques and the sub-keys are distributed to n key escrow agents. Every escrow agent can verify its sub-secret with a VSS scheme and can update it automatically within a set time span. Any k escrow agents can cooperatively recover the private key within an update interval, while an agent that failed to update or has been corrupted cannot reconstruct the correct private key. Earlier ciphertext cannot be decrypted with the current private key even if it is compromised by the adversary. Thus our scheme is forward secure.
(5) A new multi-threshold group signature scheme without a trusted third party is proposed. The signing key is generated cooperatively by the users, and a verifiable sharing scheme is used to distribute the sub-secrets. We use multi-partition techniques to construct a group signature scheme based on the ElGamal signature scheme. Any subset of users that satisfies all threshold requirements can generate a valid signature: every participating user computes a sub-signature, and the signature center combines these sub-signatures into a group signature. In our scheme the signature is anonymous and auditable, adding or deleting participants does not change the system environment, and any entity can verify the group signature with the group public key.
These results can be widely applied to certification authority (CA) systems, signature systems for banks and e-cash in electronic commerce, secure database systems, web authentication systems, key escrow systems, revocable electronic cash systems, electronic voting systems, user roaming systems, etc. Our future work includes: research on the forward security property and building a new threshold signature scheme that satisfies strong forward security; and extending bilinear pairings more deeply and widely to special signature schemes, building various signature schemes based on bilinear pairings.