Research on Multiparty-Oriented Cryptographic Schemes
Abstract
With the rapid development of computer networks, the activities people carry out over networks are becoming more numerous and more complex, and many of them have a multi-party or group character; multiparty-oriented cryptosystems are therefore of real theoretical and practical importance.
In the multiparty-oriented setting, traditional security requirements such as confidentiality, integrity, authentication and non-repudiation take on new forms; at the same time, multi-party application scenarios bring new security requirements such as anonymity, traceability and fairness. Multiparty-oriented cryptography is a very broad research area. It includes multiparty-oriented encryption schemes (threshold encryption/decryption, broadcast encryption, group-oriented encryption, group encryption), multiparty-oriented signatures (threshold signatures, aggregate signatures, group signatures, ring signatures, concurrent signatures), and multiparty-oriented key agreement and key management. This thesis studies a subset of multiparty-oriented cryptographic schemes and obtains results in threshold cryptography, forward-secure cryptosystems, broadcast encryption, and fair contract signing / concurrent signature protocols.
Threshold cryptosystems are a classic kind of multi-party cryptosystem. The idea is to protect sensitive data (or computation) by distributing it in a fault-tolerant way among a group of cooperating participants. The foundation of threshold cryptography is threshold secret sharing. A threshold secret sharing scheme distributes a piece of secret information among several participants so that (1) fewer than the threshold number of participants cannot compute the secret, and (2) participants whose number reaches the threshold can cooperate to compute it. A useful extension of secret sharing is function sharing: certain highly sensitive operations, such as decryption and signing, are carried out in a threshold manner, so that fewer than the threshold number of cooperating participants cannot perform the operation, while no one can prevent a group of at least the threshold number of participants from performing it when it is needed. Threshold cryptography is a very broad field; this thesis obtains three results on threshold proxy signatures and threshold ring signatures.
1. We construct the first secure and efficient RSA threshold proxy signature scheme. The scheme uses no trusted authority; all secret parameters are generated by the participants in a distributed way.
2. We point out that the improvement proposed by Tzeng et al. to Hwang et al.'s "non-repudiable proxy signature scheme with known signers" does not hold, and, addressing the original-signer forgery problem in Hwang et al.'s original scheme, we propose a new improved scheme.
3. We propose an efficient identity-based threshold ring signature scheme and prove its security in the standard model.
In multiparty-oriented cryptosystems the security of keys remains crucial: if a user's key in a cryptosystem is exposed, all security guarantees are lost. Besides protecting a user's private key with threshold secret sharing, there is a class of cryptosystems called forward-secure that mitigates the damage caused by key exposure. In a forward-secure cryptosystem the whole lifetime is divided into a number of periods; the public key stays the same throughout the lifetime, while the user's private key for each period is evolved from the private key of the previous period and is used only in the current period; at the end of each period the private key belonging to that period is permanently deleted. The key evolution is irreversible: computing the previous period's private key from the current one is hard. In a forward-secure cryptosystem, when the key of some period is exposed, the key of that period must be revoked and key evolution stopped. How to detect key exposure, however, has not been studied in forward-secure schemes. Itkis et al. proposed the notion of cryptographic tamper evidence and constructed a tamper-evident signature scheme. A tamper-evident signature scheme has an additional procedure Div that detects key tampering: given two signatures, Div can decide whether one of them was generated by a forger. This does not tell which signature was generated by the legitimate signer and which was forged, but it provides evidence that the key has been tampered with. This thesis obtains two results, on forward-secure encryption and forward-secure signatures respectively.
1. Based on the notion of tamper evidence, we define a new notion of forward-secure encryption with tamper evidence, give a general construction for it, and also give a concrete construction. In the standard model we prove that the scheme is forward secure, strongly forward tamper-evidence secure, and secure against chosen-ciphertext attacks.
2. Based on the notion of tamper evidence, we define a new notion of forward-secure signature with tamper evidence, give a general construction for it, and also give a concrete construction. In the standard model we prove that the scheme is forward secure, strongly forward tamper-evidence secure, and strongly unforgeable under chosen-message attacks.
Confidentiality of data transmission is one of the most basic requirements of information security. In multi-party application environments the most common need is for one party to send encrypted data to many parties; typical examples are pay TV and the distribution of digital content. In broadcast encryption, a broadcaster can send an encrypted message to an arbitrary subset of the receivers, and only the receivers in that subset can decrypt it; other users cannot. We obtain one result in broadcast encryption.
We propose an identity-based dynamic broadcast encryption scheme, prove its security in the random oracle model, and compare it with previous identity-based broadcast encryption schemes. Compared with earlier schemes ours has clear advantages: first, it does not need a maximum set of potential receivers to be fixed in advance, and its public key, private key and ciphertext are all of constant size; second, its encryption and decryption costs are lower than those of earlier schemes; finally, it supports efficient joining of new receivers and removal of old ones. Our scheme is therefore efficient and practical for large, dynamic groups of receivers.
Business transactions always involve several participants, who usually do not trust one another; fairness is the basis of such activities. A fair system must guarantee that no party can gain any advantage over a participant who behaves honestly. Contract signing is the most common business activity, and signing digital contracts over a network is far more complicated than signing in the physical world. There are two kinds of approach to fair contract signing. The first uses fair exchange protocols; the most efficient of these are called "optimistic contract signing", in which a trusted third party intervenes only when a problem occurs, for example when one party tries to cheat or a network failure happens. The second kind is called "concurrent signature". A concurrent signature protocol lets two parties produce signatures in a particular way such that, from a third-party verifier's point of view, the real signer of each signature cannot be identified until a secret value called the keystone is released, whereupon both signatures are bound to their actual signers simultaneously. We obtain three results in fair contract signing.
1. We point out that the concurrent signature scheme of Huang et al. is insecure: first, both participants A and B can forge a signature on a new message after the concurrent signatures have been produced; second, either A or B alone can forge the concurrent signatures of both parties. To prevent these weaknesses we propose an improved scheme and prove its security.
2. In existing concurrent signature protocols the participants are not equal: one, called the initial signer, chooses the keystone information and sends the first ambiguous signature; the other, called the matching signer, responds with an ambiguous signature of their own using the same keystone information. This mode of operation may introduce unfairness. We propose a perfect concurrent signature protocol for symmetric participants, in which the participants' roles are symmetric, the keystone is decided jointly by both parties, and the ambiguous signatures can be sent in either order.
3. Based on a controllable ring signature scheme, we propose a fair contract exchange protocol that uses no trusted third party and prove its security. Compared with previous optimistic contract signing protocols ours has two advantages: (1) it uses no trusted third party and achieves weak fairness; (2) in concurrent signature schemes the signatures the two parties obtain are not in a regular signature form, whereas in our fair exchange scheme the parties can convert the signatures into a regular form through a conversion procedure.
Abstract (English)
With the rapid development of computer networks, the activities on the network are becoming more and more frequent and complicated; many activities show the characteristics of multiparty and group settings. So it is of theoretical and practical significance to study multiparty-oriented cryptosystems.
In applications with multiple participants, the traditional security requirements such as confidentiality, integrity, authentication and non-repudiation take on new meaning, and multiparty-oriented applications bring new security requirements such as anonymity, traceability, fairness, etc. The research of multiparty-oriented cryptosystems is a wide area which includes multiparty-oriented encryption schemes (such as threshold encryption/decryption, broadcast encryption, group-oriented encryption and group encryption), multiparty-oriented signature schemes (such as threshold signatures, aggregate signatures, group signatures, ring signatures and concurrent signatures), and multiparty-oriented key agreement/management, and so on. We mainly work on some of these fields and get some results in threshold cryptography, forward-secure cryptosystems, broadcast encryption, fair contract signing and concurrent signatures.
The idea of threshold cryptography is to protect sensitive information (or computation) by fault-tolerantly distributing it among a cluster of cooperating parties. The fundamental problem of threshold cryptography is the secure sharing of a secret. A secret sharing scheme allows one to distribute a piece of secret information among several parties in a way that meets the following requirements: (1) fewer than a given threshold of parties cannot figure out what the secret is; (2) when it becomes necessary that the secret information be reconstructed, a large enough number of parties (a number at least the threshold) can always do it. A very useful extension of secret sharing is function sharing. Its main idea is that a highly sensitive operation, such as decryption or signing, can be performed by a group of cooperating parties in such a way that fewer than the threshold of parties cannot perform this operation, and none is able to prevent a group of at least the threshold of parties from performing the operation when it is required. The contents of threshold cryptography are extensive. In this thesis, we get three results in the research on threshold proxy signature schemes and threshold ring signature schemes.
1. We construct the first efficient and secure RSA-based threshold proxy signature scheme. In our scheme, a Trusted Authority (TA) is not needed and all of the secret parameters are generated in a distributed way.
2. We point out that there is an error in Tzeng et al.'s improved scheme to Hwang et al.'s "non-repudiable threshold proxy signature scheme with known signers". To overcome the problem that the original signer can forge the proxy signature in Hwang's scheme, we give a new improvement and prove its security.
3. We construct an efficient ID-based threshold ring signature scheme, which has provable security in the standard model.
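The threshold property described above (fewer than t parties learn nothing, any t reconstruct), as an added example that is not code from the thesis: a Shamir-style (t, n) secret sharing over a prime field, the construction of reference [1], which the thesis does not itself spell out. The modulus P and the demonstration values are arbitrary choices. It goes one step beyond the paragraph: the last function shows why t-1 shares reveal nothing, because they are consistent with every candidate secret.

```python
"""Shamir (t, n) threshold secret sharing over the prime field GF(P)."""
import secrets

# Field modulus: the Mersenne prime 2**127 - 1.  Any prime larger than the
# secret and larger than n works; this one is simply a convenient choice.
P = (1 << 127) - 1


def _lagrange_at(points, x, p=P):
    """Evaluate, modulo p, the unique polynomial of degree < len(points)
    that passes through `points` at the abscissa `x`."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def split_secret(secret, t, n, p=P):
    """Split `secret` into n shares (x, f(x)); any t of them reconstruct it.

    f is a random polynomial of degree t-1 with constant term `secret`;
    share i is the point (i, f(i)) for i = 1..n (x = 0 is never a share).
    """
    if not 0 <= secret < p:
        raise ValueError("secret must be in [0, p)")
    if not 1 <= t <= n < p:
        raise ValueError("need 1 <= t <= n < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation of f(x)
            y = (y * x + c) % p
        shares.append((x, y))
    return shares


def reconstruct(shares, p=P):
    """Recover f(0) = secret from at least t shares with distinct x."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("shares must have distinct x coordinates")
    return _lagrange_at(shares, 0, p)


def share_consistent_with(partial_shares, candidate, x, p=P):
    """Given only t-1 shares, return the value a t-th share at abscissa x
    would need so that reconstruction yields `candidate`.

    Such a value exists for every candidate in [0, p), so t-1 shares are
    equally consistent with every secret: requirement (1) above holds
    information-theoretically, not just computationally.
    """
    return _lagrange_at(list(partial_shares) + [(0, candidate)], x, p)


if __name__ == "__main__":
    secret, t, n = 12345, 3, 5            # constructed demo values
    shares = split_secret(secret, t, n)
    print("any 3 of 5 reconstruct:", reconstruct(shares[:3]) == secret,
          reconstruct([shares[0], shares[2], shares[4]]) == secret)
    partial = shares[:2]                  # an attacker holding t-1 shares
    for guess in (0, 42, secret):
        y3 = share_consistent_with(partial, guess, 3)
        print(f"shares 1,2 + a third share {y3 % 1000:>3}... would give {guess}")
```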
The security of the secret key is still important in multiparty-oriented cryptosystems. The exposure of a secret key can be a devastating attack on a cryptosystem, since such an attack typically implies that all security guarantees are lost. Besides threshold secret sharing, there is the notion of forward security, which addresses this problem. In a forward-secure cryptosystem, the lifetime of the system is divided into T time periods, with a different secret key for each time period, and there is only one public key, which remains the same through all the time periods. Each secret key is used only during a particular time period and to compute the new secret key at the end of that time period, and is then erased. The evolution of the secret key is irreversible: it is difficult to compute the key of a previous time period from the current key. In a forward-secure cryptosystem, when the key is exposed in a time period, we must revoke the key of that time period and stop the key evolution. But how to detect key exposure in a forward-secure scheme is not mentioned in previous works. Itkis proposed the new notion of cryptographic tamper evidence and constructed tamper-evident signature schemes. A tamper-evident signature scheme provides an additional procedure Div which detects tampering: given two signatures, Div can determine whether one of them was generated by the forger. In this case, it might be impossible to tell which signature is generated by the legitimate signer and which by the forger, but at least the fact of the tampering will be made evident. For forward-secure encryption and forward-secure signatures, we get two results respectively.
1. Based on tamper evidence, we define a new notion of Forward-Secure Public-Key Encryption Scheme with Tamper Evidence (TE-FEnc) and propose a general method to build a TE-FEnc scheme. We also give a concrete instance. In the standard model, we prove that our scheme is forward secure, strongly forward tamper-evidence secure, and achieves security against chosen ciphertext attacks.
2. Based on tamper evidence, we define a new notion of Tamper-Evident Forward-Secure Signature scheme (TE-FSig) and propose a general method to build a TE-FSig scheme. We also give a concrete instance. We prove that our scheme is forward secure, strongly forward tamper-evidence secure, and strongly unforgeable under chosen-message attack.
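The key-evolution property described above, as an added example that is not from the thesis: the simplest symmetric-key form of forward security (in the spirit of reference [93], Bellare and Yee), where the state of period i+1 is a one-way function of the state of period i, the period key is derived from the current state, and the old state is erased. It shows what a break-in in period i yields: the keys of periods i, i+1, ... and nothing earlier. The derivation labels and the 16-byte seed are constructed for the demonstration; the thesis's own schemes are public-key and are not reproduced here.

```python
"""Forward-secure key evolution with a one-way chain (symmetric variant)."""
from __future__ import annotations

import hashlib
import hmac


def _prf(state: bytes, label: bytes) -> bytes:
    """Domain-separated one-way derivation (HMAC-SHA256)."""
    return hmac.new(state, label, hashlib.sha256).digest()


def next_state(state: bytes) -> bytes:
    """Evolve the secret state; going backwards would mean inverting HMAC."""
    return _prf(state, b"evolve")          # constructed label


def period_key(state: bytes) -> bytes:
    """Derive the MAC key that is used only during the current period."""
    return _prf(state, b"mac-key")         # constructed label


def _mac(key: bytes, period: int, message: bytes) -> bytes:
    # The period number is bound into the tag so a tag cannot be replayed
    # as belonging to another period.
    return hmac.new(key, period.to_bytes(4, "big") + message,
                    hashlib.sha256).digest()


class ForwardSecureSigner:
    """Holds only the current period's state; the previous one is dropped."""

    def __init__(self, seed: bytes):
        self.period = 0
        self._state = seed

    def update(self) -> None:
        """End the current period: replace the state, increment the period."""
        self._state = next_state(self._state)   # old state no longer held
        self.period += 1

    def tag(self, message: bytes) -> tuple[int, bytes]:
        """Authenticate `message` under the current period's key."""
        return self.period, _mac(period_key(self._state), self.period, message)

    def expose(self) -> tuple[int, bytes]:
        """Simulate key exposure: what a break-in at this moment yields."""
        return self.period, self._state


def keys_from_seed(seed: bytes, upto: int) -> list[bytes]:
    """Verifier side: from the initial seed, recompute keys of periods 0..upto."""
    keys, state = [], seed
    for _ in range(upto + 1):
        keys.append(period_key(state))
        state = next_state(state)
    return keys


def keys_from_exposure(period: int, state: bytes, upto: int) -> dict[int, bytes]:
    """Attacker side: from the state exposed in `period`, derive the keys of
    periods period..upto.  Earlier keys are absent: the chain only runs forward."""
    derived = {}
    for p in range(period, upto + 1):
        derived[p] = period_key(state)
        state = next_state(state)
    return derived


def verify(key: bytes, period: int, message: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(_mac(key, period, message), mac)


if __name__ == "__main__":
    seed = bytes(range(16))                     # constructed demo seed
    signer = ForwardSecureSigner(seed)
    p0, t0 = signer.tag(b"entry in period 0")
    signer.update(); signer.update()
    exposed_period, exposed_state = signer.expose()   # break-in in period 2
    honest = keys_from_seed(seed, 4)
    stolen = keys_from_exposure(exposed_period, exposed_state, 4)
    print("periods whose keys the break-in yields:", sorted(stolen))
    print("period-0 tag still verifies with the honest key:",
          verify(honest[0], p0, b"entry in period 0", t0))
```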
The confidentiality of data transfer is one of the most important requirements in information security. In multiparty applications it is usually required that a single party send ciphertext to multiple parties, e.g. pay TV, distribution of digital contents and so on. Broadcast encryption schemes are cryptosystems that enable senders to efficiently broadcast ciphertexts to a large set of receivers such that only the chosen receivers can decrypt them. We get one result in research on broadcast encryption.
We propose a new efficient dynamic identity-based broadcast encryption scheme (DIBBE), and prove its security in the random oracle model. We also compare our scheme with previous work and show that our scheme has a great advantage. Firstly, the proposed scheme need not set up a maximal set of potential receivers in advance, and it has constant-size public key, private key and ciphertext header. Secondly, the computational costs of encryption and decryption in our scheme are also constant. Finally, it is easy to add or remove receivers. So our scheme is efficient and practical for dynamic and large receiver sets.
Commercial transactions always involve multiple players. Usually, the players mutually distrust one another. Fairness is the basis of commercial behaviour. A fair system must ensure that other players will not gain any advantage over the correctly behaving player. Contract signing is the most common commercial transaction. The problem of digital contract signing over a network is more complicated than signing a contract in the real world. To solve the fair contract signing problem, there are two methods. The first one uses fair exchange protocols, and the more efficient scheme is called "optimistic contract signing". In such a protocol, a Trusted Third Party (TTP) intervenes only when a problem arises, e.g., a signer is trying to cheat or a network failure occurs at a crucial moment during the protocol. The second way is called "concurrent signature". A concurrent signature protocol allows two entities to produce two signatures in such a way that the signer of each signature is ambiguous from any third party's point of view until the release of a secret, known as the keystone. Once the keystone is released, both signatures become binding to their respective signers concurrently. We get three results in solving fair contract signing.
1. We point out that the concurrent signature protocol proposed by Huang et al. is unsafe. First, both participants A and B can forge a signature on a new message after the protocol is completed. Second, both A and B have the ability to forge the concurrent signature of both parties. To correct these problems, we propose an improved protocol and prove its security.
2. In previous concurrent signature schemes, the roles of the participants are asymmetric: one party, called the initial signer, creates the keystone fix and sends the first ambiguous signature; the other party, called the matching signer, responds to this initial signature by creating another ambiguous signature with the same keystone fix. This mode of operation may bring some unfairness. In this thesis, we construct a perfect concurrent signature protocol for symmetric participants and prove its security. In our concept, the roles of the participants are symmetric. The keystone cannot be decided by any single participant, and the two ambiguous signatures can be published in any order.
3. Based on a controllable ring signature scheme, we construct a fair contract signing protocol without TTP, and prove its security. Compared with previous optimistic contract signing protocols, our protocol has two advantages: (1) our protocol uses no TTP and achieves weak fairness; (2) in concurrent signature protocols, the form of the signature is irregular, but in our protocol, the players can convert the signature into a regular form.
References
[1]. Shamir A. How to share a secret. Communications of the ACM, Vol 24, No 11, Nov 1979, 612-613.
[2]. Blakley G R. Safeguarding cryptographic keys. Proceedings of the National Computer Conference, American Federation of Information Processing Societies, vol 48, 1979, 313-317.
[3]. Asmuth C, Bloom J. A modular approach to key safeguarding. IEEE Transactions on Information Theory, vol IT-29, no 2, Mar 1983, 208-210.
[4]. Karnin E D, Greene J W, Hellman M E. On secret sharing systems. IEEE Transactions on Information Theory, vol IT-29, 1983, 35-41.
[5]. Desmedt Y, Frankel Y. Threshold cryptosystems. Advances in Cryptology - CRYPTO'89, Lecture Notes in Computer Science, vol. 435, ed. G Brassard. Springer-Verlag, Berlin, 307-315.
[6]. De Santis A, Desmedt Y, Frankel Y, Yung M. How to share a function securely. Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing (STOC), May 23-25, 1994, Montreal, Quebec, Canada, ACM Press, 1994, 522-533.
[7]. Gennaro R, Jarecki S, Krawczyk H, Rabin T. Robust threshold DSS signatures. Advances in Cryptology - EUROCRYPT'96, Zaragoza, Spain, May 12-16, Lecture Notes in Computer Science, vol. 1070, ed. U. Maurer. Springer-Verlag, Berlin, 354-371.
[8]. Langford S K. Threshold DSS signatures without a trusted party. Advances in Cryptology - CRYPTO'95, Santa Barbara, CA, August 27-31, Lecture Notes in Computer Science, vol. 963, ed. D. Coppersmith. Springer-Verlag, Berlin, 397-409.
[9]. Shoup V. Practical threshold signatures. Advances in Cryptology - EUROCRYPT 2000, Bruges, Belgium, May 14-18, Lecture Notes in Computer Science, vol. 1807, ed. B. Preneel. Springer-Verlag, Berlin, 207-220.
[10]. King B. Improved methods to perform threshold RSA. Advances in Cryptology - ASIACRYPT 2000, December 2000, Kyoto, Japan, Lecture Notes in Computer Science, vol. 1976, ed. T. Okamoto. Springer-Verlag, Berlin, 359-372.
[11]. Frankel Y, Desmedt Y. Parallel reliable threshold multisignature. Tech. Report TR-92-04-02, Dept. of EE & CS, University of Wisconsin-Milwaukee, ftp://ftp.cs.uwm.edu/pub/techreports/desmedt-rsa-threshold 92.ps
[12]. Reiter M K, Birman K P. How to securely replicate services. ACM Transactions on Programming Languages and Systems, 16(3), 986-1009.
[13]. Frankel Y, Gemmell P, Yung M. Witness-based cryptographic program checking and robust function sharing. Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, ACM Press, May 22-24, 499-508.
[14]. Gennaro R, Jarecki S, Krawczyk H, Rabin T. Robust and efficient sharing of RSA functions. Advances in Cryptology - CRYPTO'96, Santa Barbara, CA, August 18-22, Lecture Notes in Computer Science, vol. 1109, ed. N. Koblitz. Springer-Verlag, Berlin, 157-172.
[15]. Feldman P. A practical scheme for non-interactive verifiable secret sharing. In: Proceedings of the 28th IEEE Symposium on Foundations of Computer Science. Washington: IEEE Computer Society Press, 1987, 427-437.
[16]. Pedersen T. Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum J, ed. Advances in Cryptology - Crypto'91. Berlin: Springer-Verlag, 1991, 129-140.
[17]. Ben-Or M, Goldwasser S, Wigderson A. Completeness theorems for non-cryptographic fault-tolerant distributed computation. Proceedings of the 20th Annual ACM Symposium on Theory of Computing, Chicago, Ill., May 2-4. ACM, New York, pp. 1-10.
[18]. Chaum D, Crepeau C, Damgard I. Multiparty unconditionally secure protocols. ACM STOC 1988, 11-19, 1988.
[19]. Goldreich O, Micali S, Wigderson A. How to play any mental game. STOC 1987, 218-229, 1987.
[20]. Yao A. How to generate and exchange secrets. FOCS 1986, 162-167, 1986.
[21]. Boneh D, Franklin M. Efficient generation of shared RSA keys. Advances in Cryptology - CRYPTO'97, Springer-Verlag LNCS 1233, 425-439, 1997.
[22]. Boneh D, Franklin M. Efficient generation of shared RSA keys. Journal of the ACM, 2001, 48(4): 702-722.
[23]. Rabin T. A simplified approach to threshold and proactive RSA. Advances in Cryptology - CRYPTO'98, Springer-Verlag LNCS 1462, 89-104, 1998.
[24]. Xu Qiuliang, Li Daxing. A new threshold RSA cryptographic scheme. Journal of Shandong University (Natural Science), June 1996, 34(2): 149-154.
[25]. Xu Qiuliang. An improved threshold RSA digital signature scheme. Chinese Journal of Computers, May 2000, 23(5): 449-453.
[26]. Nguyen H L. Partially interactive threshold RSA signatures. Cryptography and Coding, Institute of Mathematics and its Applications (IMA), unpublished, 2005.
[27]. Desmedt Y. Society and group oriented cryptography: A new concept. Advances in Cryptology - CRYPTO'87, Santa Barbara, CA, August 16-20, Lecture Notes in Computer Science, vol. 293, ed. C. Pomerance. Springer-Verlag, Berlin, 120-127.
[28]. Frankel Y, Gemmell P, MacKenzie P D, Yung M. Proactive RSA. Advances in Cryptology - CRYPTO'97, Santa Barbara, CA, August 17-21, Lecture Notes in Computer Science, vol. 1294, ed. B. S. Kaliski. Springer-Verlag, Berlin, 440-454.
[29]. Herzberg A, Jarecki S, Krawczyk H, Yung M. Proactive secret sharing. Advances in Cryptology - CRYPTO'95, Santa Barbara, CA, August 27-31, Lecture Notes in Computer Science, vol. 963, ed. D. Coppersmith. Springer-Verlag, Berlin, 339-352.
[30]. Mambo M, Usuda K, Okamoto E. Proxy signatures for delegating signing operation. In: 3rd ACM Conference on Computer and Communications Security, New Delhi, 1996, 48-57.
[31]. Kim S, Park S, Won D. Proxy signatures, revisited. In: Information and Communications Security, Berlin, 1997, 223-232.
[32]. Zhang K. Threshold proxy signature schemes. In: Information Security, Berlin, 1997, 282-290.
[33]. Sun H M, Lee N Y, Hwang T. Threshold proxy signatures. IEEE Proceedings - Computers and Digital Techniques, 1999, 146: 259-263.
[34]. Sun H M. An efficient nonrepudiable threshold proxy signature scheme with known signers. Computer Communications, 1999, 22(8): 717-722.
[35]. Hwang M S, Lin I C, Lu E J L. A secure nonrepudiable threshold proxy signature scheme with known signers. International Journal of Informatica, 2000, 11(2): 1-8.
[36]. Hsu C L, Wu T S, Wu T C. New nonrepudiable threshold proxy signature scheme with known signers. Journal of Systems and Software, 2001, 58(2): 119-124.
[37]. Hwang M S, Lu E J L, Lin I C. A practical (t, n) threshold proxy signature scheme based on the RSA cryptosystem. IEEE Transactions on Knowledge and Data Engineering, 2003, 15(6): 1552-1560.
[38]. Wang G L, Feng B, Zhou J Y, Deng R H. Comments on "A practical (t, n) threshold proxy signature scheme based on the RSA cryptosystem". IEEE Transactions on Knowledge and Data Engineering (TKDE), 2004, 16(10): 1309-1311.
[39]. Li Jiguo, Cao Zhenfu. Improvement of a threshold proxy signature scheme. Journal of Computer Research and Development, 2002, 39(11): 1513-1518.
[40]. Hwang Min-Shiang, Lin Iuon-Chang, Lu Eric Jui-Lin. A secure non-repudiable threshold proxy signature scheme with known signers. Informatica, 2000, 11(2): 137-144.
[41]. Tzeng S F, Hwang M S, Yang C Y. An improvement of non-repudiable threshold proxy signature scheme with known signers. Computers and Security, 2004, 23(2): 174-178.
[42]. Rivest R, Shamir A, Tauman Y. How to leak a secret. In: Advances in Cryptology - ASIACRYPT 2001, Lecture Notes in Computer Science 2248, Berlin: Springer, 2001, 552-565.
[43]. Fujisaki E, Suzuki K. Traceable ring signature. In: Cryptology ePrint Archive, Report 2006/389, 2006. http://eprint.iacr.org/2006/389/.
[44]. Dodis Y, Kiayias A, Nicolosi A, Shoup V. Anonymous identification in ad hoc groups. In: EUROCRYPT 2004, Lecture Notes in Computer Science 3027, Berlin: Springer, 2004, 609-626.
[45]. Bresson E, Stern J, Szydlo M. Threshold ring signatures and applications to ad-hoc groups. In: CRYPTO 2002, Lecture Notes in Computer Science 2442, Berlin: Springer, 2002, 465-480.
[46]. Tsang P P, Wei V K, Chan T K, Au M H, Liu J K, Wong D S. Separable linkable threshold ring signatures. In: INDOCRYPT 2004, Lecture Notes in Computer Science 3348, Berlin: Springer, 2004, 384-398.
[47]. Chow S S M, Hui L C K, Yiu S M. Identity based threshold ring signature. In: International Conference on Information Security and Cryptology - ICISC 2004, Lecture Notes in Computer Science 3506, Berlin: Springer, 2004, 218-232.
[48]. Au M, Liu J K, Tsang P P, Wong D S. A suite of ID-based threshold ring signature schemes with different levels of anonymity. In: Cryptology ePrint Archive, Report 2005/326, 2005.
[49]. Zhang F, Kim K. ID-based blind signature and ring signature from pairings. In: ASIACRYPT 2002, Lecture Notes in Computer Science 2501, Berlin: Springer, 2002, 533-547.
[50]. Lin C Y, Wu T C. An identity-based ring signature scheme from bilinear pairings. In: The 18th International Conference on Advanced Information Networking and Applications - AINA 2004, Fukuoka, Japan, 2004, 182-185.
[51]. Tang C M, Liu Z P, Wang M S. An improved identity-based ring signature scheme from bilinear pairings. In: MM Research Preprints, MMRC, AMSS, Academia Sinica, Beijing, 2003, 231-234.
[52]. Herranz J, Saez G. A provably secure ID-based ring signature scheme. In: Cryptology ePrint Archive, Report 2003/261, 2003.
[53]. Awasthi A K, Lal S. ID-based ring signature and proxy ring signature schemes from bilinear pairings. In: Cryptology ePrint Archive, Report 2004/184, 2004.
[54]. Herranz J, Saez G. Distributed ring signatures for identity-based scenarios. In: Cryptology ePrint Archive, Report 2004/190, 2004.
[55]. Chow S S M, Yiu S M, Hui L C K. Efficient identity based ring signature. In: Applied Cryptography and Network Security (ACNS 2005), Lecture Notes in Computer Science 3531, 499-512.
[56]. Adida B, Hohenberger S, Rivest R L. Separable identity-based ring signatures: Theoretical foundations for fighting phishing attacks. In: DIMACS Workshop on Theft in E-Commerce: Content, Identity, and Service, Piscataway, NJ, USA, 2005.
[57]. Naor M. Deniable ring authentication. In: CRYPTO 2002, Lecture Notes in Computer Science 2442, Berlin: Springer, 2002, 481-498.
[58]. Lv J, Ren K, Chen X, Kim K. Ring authenticated encryption: A new type of authenticated encryption. In: The 2004 Symposium on Cryptography and Information Security, vol. 1/2, Sendai, Japan, 2004, 1179-1184.
[59]. Huang X, Susilo W, Mu Y, Zhang F. Identity-based ring signcryption schemes: Cryptographic primitives for preserving privacy and authenticity in the ubiquitous world. In: The 19th International Conference on Advanced Information Networking and Applications - AINA 2005, Taiwan, 2005, 649-654.
[60]. Tsang P P, Wei V K. Short linkable ring signatures for e-voting, e-cash and attestation. In: Information Security Practice and Experience (ISPEC 2005), Lecture Notes in Computer Science 3439, Berlin: Springer, 2005, 48-60.
[61]. Au M H, Chow S S M, Susilo W, Tsang P P. Short linkable ring signature revisited. In: Third European PKI Workshop: Theory and Practice (EuroPKI 2006), Lecture Notes in Computer Science 4043, Berlin: Springer, 2006, 101-115.
[62]. Shacham H, Waters B. Efficient ring signatures without random oracles. In: Cryptology ePrint Archive, Report 2006/289, 2006. http://eprint.iacr.org/2006/289/. PKC 2007, pp. 166-180.
[63]. Bender A, Katz J, Morselli R. Ring signatures: Stronger definitions, and constructions without random oracles. In: Halevi S, Rabin T, eds. Proceedings of TCC 2006, Lecture Notes in Computer Science 3876, Berlin: Springer, 2006, 60-79.
[64]. Malkin M, Wu T, Boneh D. Experimenting with shared generation of RSA keys. In: Proceedings of the Internet Society's Symposium on Network and Distributed System Security, San Diego, 1999, 43-56.
[65]. Fouque P A, Stern J. Fully distributed threshold RSA under standard assumptions. In: Proceedings of ASIACRYPT'01, Gold Coast, Australia, 2001, 310-330.
[66]. Gunther C G. An identity-based key-exchange protocol. Advances in Cryptology - Eurocrypt'89, LNCS 434, Berlin: Springer-Verlag, 1989: 29-37.
[67]. Back A. Non-interactive forward secrecy. Posting to the cypherpunks mailing list (6/9/1996), archived at http://cypherpunks.venona.com/date/1996/09/msg00561.html.
[68]. Anderson R. Two remarks on public key cryptology. Invited Lecture, ACM-CCS'97, 1997.
[69]. Krawczyk H. Simple forward-secure signatures from any signature scheme. In: Proceedings of the 7th ACM Conference on Computer and Communications Security - CCS'00, 108-115, 2000.
[70]. Merkle R C. A certified digital signature. Advances in Cryptology - CRYPTO'89, 218-238, 1990.
[71]. Bellare M, Miner S. A forward-secure digital signature scheme. In: Advances in Cryptology - CRYPTO'99, volume 1666 of Lecture Notes in Computer Science, pages 431-448. Springer-Verlag, 15-19 Aug. 1999.
[72]. Fiat A, Shamir A. How to prove yourself: Practical solutions to identification and signature problems. Advances in Cryptology - Crypto'86, Lecture Notes in Computer Science 263, pp. 186-194, Springer-Verlag, 1986.
[73]. Malkin T, Micciancio D, Miner S. Efficient generic forward-secure signatures with an unbounded number of time periods. In: Advances in Cryptology - Proceedings of Eurocrypt 2002, Lecture Notes in Computer Science vol. 2332, Springer-Verlag, 400-417.
[74]. Itkis G. Intrusion-resilient signatures: Generic constructions, or defeating strong adversary with minimal assumptions. In: Third Conference on Security in Communication Networks (SCN'02).
[75]. Szydlo M. Merkle tree traversal in log space and time. Proc. Eurocrypt 2004, LNCS vol. 3027, pp. 541-554.
[76]. Jakobsson M, Leighton T, Micali S, Szydlo M. Fractal Merkle tree representation and traversal. Proceedings of RSA-CT'03, Lecture Notes in Computer Science 2612. Berlin: Springer-Verlag, 2003: 314-326.
[77]. Abdalla M, Reyzin L. A new forward-secure digital signature scheme. In: Okamoto T, ed. Advances in Cryptology - ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 116-129, Kyoto, Japan, 3-7 Dec. 2000. Springer-Verlag.
[78]. Ong H, Schnorr C P. Fast signature generation with a Fiat-Shamir-like scheme. Advances in Cryptology - Eurocrypt'90, Lecture Notes in Computer Science 740, pp. 432-440, Springer-Verlag, 1990.
[79]. Guillou L C, Quisquater J J. A "paradoxical" identity-based signature scheme resulting from zero knowledge. In: Proceedings of CRYPTO'88, pp. 216-231.
[80]. Itkis G, Reyzin L. Forward-secure signatures with optimal signing and verifying. Advances in Cryptology - Crypto'01, Lecture Notes in Computer Science 2139, pp. 332-354, Springer-Verlag, 2001.
[81]. Kozlov A, Reyzin L. Forward-secure signatures with fast key update. In: Proceedings of the 3rd International Conference on Security in Communication Networks - SCN'02, Lecture Notes in Computer Science 2576, pp. 341-356, Springer-Verlag, 2002.
[82]. Jakobsson M. Fractal hash sequence representation and traversal. In: Proceedings of the 2002 IEEE International Symposium on Information Theory (ISIT'02), pages 437-444, July 2002.
[83]. Coppersmith D, Jakobsson M. Almost optimal hash sequence traversal. In: Proceedings of the Fourth Conference on Financial Cryptography (FC'02), volume 2357 of Lecture Notes in Computer Science, Hamilton, Bermuda, 2002. International Financial Cryptography Association (IFCA), Springer-Verlag, Berlin, Germany.
[84]. Sella Y. On the computation-storage trade-offs of hash chain traversal. In: Proceedings of the Fourth Conference on Financial Cryptography (FC'03), Lecture Notes in Computer Science, Hamilton, Bermuda, 2003. International Financial Cryptography Association (IFCA), Springer-Verlag, Berlin, Germany.
[85]. Hu F, Wu C H, Irwin J D. A new forward secure signature scheme using bilinear maps. Available at http://eprint.iacr.org/2003/188.
[86]. Kang B G, Park J H, Hahn S G. A new forward secure signature scheme. Available at http://eprint.iacr.org/2004/183.
[87]. Vo D L, Kim K. Yet another forward secure signature from bilinear pairings. In: International Conference on Information Security and Cryptology - ICISC'05, Lecture Notes in Computer Science 3935, pp. 441-455, Springer-Verlag, 2005.
[88]. Canetti R, Halevi S, Katz J. A forward-secure public-key encryption scheme. In: Biham E, ed. Advances in Cryptology - Eurocrypt 2003, volume 2656 of Lecture Notes in Computer Science. Springer, 2003.
[89]. Gentry C, Silverberg A. Hierarchical ID-based cryptography. In: Advances in Cryptology - ASIACRYPT 2002, International Conference on the Theory and Application of Cryptology, LNCS, Springer-Verlag, 2002.
[90]. Boneh D, Franklin M. Identity-based encryption from the Weil pairing. In: Kilian J, ed. Advances in Cryptology - CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 213-229. International Association for Cryptologic Research, Springer-Verlag, Berlin, Germany, 2001.
[91]. Boneh D, Franklin M. Identity-based encryption from the Weil pairing. SIAM Journal on Computing, 32(3): 586-615, June 2003.
[92]. Krawczyk H. Simple forward-secure signatures from any signature scheme. In: Seventh ACM Conference on Computer and Communications Security. ACM, Nov. 1-4, 2000.
[93]. Bellare M, Yee B. Forward security in private key cryptography. In: CT-RSA 2003, The Cryptographers' Track at the RSA Conference, LNCS, 2003.
[94]. Song D X. Practical forward secure group signature schemes. In: Eighth ACM Conference on Computer and Communications Security, pages 225-234. ACM, Nov. 5-8, 2001.
[95]. Abdalla M, Miner S, Namprempre C. Forward-secure threshold signature schemes. In: Naccache D, ed. Progress in Cryptology - CT-RSA 2001, volume 2020 of Lecture Notes in Computer Science, pages 143-158. Springer-Verlag, Apr. 8-12, 2001.
[96]. Tzeng W G, Tzeng Z J. Robust forward-secure signature schemes with proactive security. In: PKC 2001, International Workshop on Practice and Theory in Public Key Cryptography, LNCS, 2001.
[97]. Chu C K, Liu L S, Tzeng W G. A threshold GQ signature scheme. In: International Conference on Applied Cryptography and Network Security (ACNS), 2003, 137-150.
[98]. Duc D N, Cheon J H, Kim K. A forward-secure blind signature scheme based on the strong RSA assumption. In: Information and Communications Security (ICICS'03), LNCS 2836, pp. 11-21. Springer-Verlag, 2003.
[99]. Dodis Y, Katz J, Xu S, Yung M. Key-insulated public key cryptosystems. Advances in Cryptology - Eurocrypt'02, Lecture Notes in Computer Science 2332, pp. 65-82, Springer-Verlag, 2002.
[100]. Dodis Y, Katz J, Xu S, Yung M. Strong key-insulated signature schemes. In: Proceedings of the 6th International Workshop on Practice and Theory in Public Key Cryptography - PKC'03, Lecture Notes in Computer Science 2567, pp. 130-144, Springer-Verlag, 2003.
[101]. Le Z, Ouyang Y, Ford J, Makedon F. A hierarchical key-insulated signature scheme in the CA trust model. In: Information Security - ISC'04, Lecture Notes in Computer Science 3225, pp. 280-291, Springer-Verlag, 2004.
[102]. Deleito N G, Markowitch O, Dall'Olio E. A new key-insulated signature scheme. In: 6th International Conference on Information and Communications Security - ICICS'04, Lecture Notes in Computer Science 3269, pp. 465-479, Springer-Verlag, 2004.
[103]. Guo X, Zhang Q, Tang C. On the security of two key-updating signature schemes. In: Information Security and Privacy - ACISP'05, Lecture Notes in Computer Science 3574, pp. 506-517, Springer-Verlag, 2005.
[104]. Itkis G, Reyzin L. SiBIR: Signer-base intrusion-resilient signatures. Advances in Cryptology - Crypto'02, Lecture Notes in Computer Science 2442, pp. 499-514, Springer-Verlag, 2002.
[105]. Itkis G, Reyzin L. Intrusion-resilient signatures, or towards obsoletion of certificate revocation. The previous version of SiBIR: Signer-base intrusion-resilient signatures.
[106]. Itkis G. Intrusion-resilient signatures: Generic constructions, or defeating strong adversary with minimal assumptions. In: Security in Communication Networks - SCN'02, Lecture Notes in Computer Science 2576, pp. 102-118, Springer-Verlag, 2002.
[107]. Zhou J, Bao F, Deng R. Validating digital signatures without TTP's time-stamping and certificate revocation. In: Information Security Conference (ISC'03), Lecture Notes in Computer Science 2851, pp. 96-110, Springer-Verlag, 2003.
[108]. Malkin T, Obana S, Yung M. The hierarchy of key evolving signatures and a characterization of proxy signatures. Advances in Cryptology - Eurocrypt'04, Lecture Notes in Computer Science 3027, pp. 306-322, Springer-Verlag, 2004.
[109]. Itkis G. Cryptographic tamper evidence. Proceedings of the 10th ACM Conference on Computer and Communications Security, New York: ACM Press, 2003: 27-30.
[110]. Waters B. Efficient identity-based encryption without random oracles. In: Cramer R, ed. Proceedings of Eurocrypt 2005, volume 3494 of LNCS, pages 114-127. Springer-Verlag, May 2005.
[111]. Boneh D, Shen E, Waters B. Strongly unforgeable signatures based on computational Diffie-Hellman. Public Key Cryptography (PKC 2006), LNCS 3958, Berlin: Springer-Verlag, 2006: 229-240.
[112]. Boneh D, Gentry C. Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham E, ed. Advances in Cryptology - Eurocrypt'03, LNCS 2656, Berlin: Springer-Verlag, 2003: 614-629.
[113]. Boneh D, Goh E J, Nissim K. Evaluating 2-DNF formulas on ciphertexts. In: Kilian J, ed. Proceedings of TCC 2005, number 3378 in LNCS, pages 325-341. Springer-Verlag, Feb. 2005.
[114]. Berkovits S. How to broadcast a secret. EUROCRYPT 1991: 535-541.
[115]. Fiat A, Naor M. Broadcast encryption. CRYPTO 1993: 480-491.
[116]. Kreitz G. Optimization of broadcast encryption schemes. Master's thesis, Royal Institute of Technology, 2005.
[117]. Naor M, Pinkas B. Efficient trace and revoke schemes. Financial Cryptography'00, LNCS 1962, Springer-Verlag, New York, 1-20.
[118]. Yoo E S, Jho N S, Cheon J H, Kim M H. Efficient broadcast encryption using multiple interpolation methods. ICISC 2004: 87-103.
[119]. Kumar R, Rajagopalan S, Sahai A. Coding constructions for blacklisting problems without computational assumptions. Advances in Cryptology, Lecture Notes in Computer Science vol. 1666, Heidelberg, Germany: Springer-Verlag, 1999, pp. 609-623.
[120]. Naor D, Naor M, Lotspiech J. Revocation and tracing schemes for stateless receivers. Proc. of CRYPTO'01, Springer-Verlag LNCS vol. 2139, pp. 41-62.
[121]. Halevy D, Shamir A. The LSD broadcast encryption scheme. Advances in Cryptology - CRYPTO 2002, LNCS 2442, 2002, 47-60.
[122]. Wong C K, Gouda M, Lam S. Secure group communications using key graphs. In: SIGCOMM'98: Proceedings of the ACM SIGCOMM'98 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication (1998), ACM Press, pp. 68-79.
    [123].Goodrich M T,Sun J Z,Tamassia R.Efficient tree-based revocation in groups of low-state devices.Advances in Cryptology-CRYPTO 2004.Lecture Notes in Computer Science,vol.3152,Springer Verlag,New York.511-527.
    [124].Boneh Dan,Gentry Craig,Waters Brent.Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys.CRYPTO 2005:258-275
    [125].Cécile Delerablée.Identity-Based Broadcast Encryption with Constant Size Ciphertexts and Private Keys.In proceeding of ASIACRYPT 2007:200-215
    [126].Cécile Delerablée,Pascal Paillier,David Pointcheval.Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys.In T.Takagi et al.,editor,PAIRING 2007,volume 4575 of LNCS,pages 39-59.Springer-Verlag,Berlin,Germany,2007.
    [127].Boneh Dan,Boyen Xavier,Goh Eu-Jin.Hierarchical Identity Based Encryption with Constant Size Ciphertext. EUROCRYPT 2005: 440-456.
    [128]. Ben-Or M, Goldreich O, Micali S, Rivest R. L. A fair protocol for signing contracts. IEEE Transactions on Information Theory, 36(1):40—46,1990.
    [129]. Boneh D, Naor M. Timed commitments and applications. In Proc.CRYPTO 'OO, pages 236-254,2000.
    [130]. Damgard I. B. Practical and provably secure release of a secret and exchange of signatures. J. Cryptology, 8(4):201-222,1995.
    [131]. Asokan N, Schunter M, Waidner M. Optimistic protocols for fair exchange.In Proc. 4th ACM Conf. on Computer and Communications Security, pages 7-17,1997.
    [132]. Asokan N, Shoup V, Waidner M. Optimistic fair exchange of digital signatures. IEEE Journal on Selected Areas in Communications, 18(4): 593-610,2000.
    [133]. Juan A. Garay, Markus Jakobsson, Philip D. MacKenzie. Abuse-free optimistic contract signing. In Advances in Cryptology-Crypto 1999, volume 1666 of Lecture Notes in Computer Science. Springer-Verlag, 1999.
    [134]. Chen L, Kudla C, Paterson K. G Concurrent signatures. in: Advances in Cryptology - EUROCRYPT 2004, Lecture Notes in Computer Science, vol. 3027,Springer-Verlag, Berlin, 2004, pp. 287 - 305.
    [135]. Susilo W, Mu Y, Zhang F. Perfect concurrent signature schemes, in: ICICS 2004, Lecture Notes in Computer Science, vol. 3269, Springer-Verlag, Berlin,2004, pp. 14 - 26.
    
    [136]. Susilo W, Mu Y. Tripartite Concurrent Signatures. In: The 20th IFIP International Information Security Conference (IFIP/SEC 2005), pp. 425-441,Springer, 2005.
    
    [137]. Chow S, Susilo W. Generic Construction of (Identity-Based) Perfect Concurrent Signatures, in: Information and Communications Security (ICICS 2005), Lecture Notes in Computer Science, vol. 3783, Springer-Verlag, Berlin,2005, pp. 194-206.
    
    [138]. Nguyen K. Asymmetric Concurrent Signatures. In: Information and Communications Security (ICICS 2005), Lecture Notes in Computer Science, vol.3783, Springer-Verlag, Berlin, 2005, pp. 181-193.
    
    [139]. Tonien D, Susilo W, Safavi-Naini R. Multi-party Concurrent Signatures. In:ISC 2006, Lecture Notes in Computer Science, vol. 4176, Springer-Verlag, Berlin,2006, pp. 131-145.
    
    [140]. Huang Zhenjie, Huang Rufen, Lin Xuanzhi. Perfect Concurrent Signature Protocol. In: Eighth ACIS International Conference on Software Engineering,Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD 2007), pp. 467-472.
    
    [141]. Gao Wei, Wang Guilin, Wang Xueli, Xie Dongqing. Controllable Ring Signatures. The 7th International Workshop on Information Security Applications (WISA 2006), LNCS. Springer-Verlag, 2006. Jeju Island, Korea; August 28-30, 2006.
    [142].Pagnia H,Gartner F.C.On the impossibility of fair exchange without a trusted third party.Technical Report TUD-BS-1999-02,Darmstadt University of Technology,March 1999.
    [143].Asokan N.Fairness in electronic commerce.Ph.D.thesis,University of Waterloo,Canada,1998.
    [144].Kremer Steve.Formal analysis of Optimistic Fair Exchange Protocol.PhD thesis,Universite libre De Bruxelles.2003.
    [145].Asokan N,Baum-Waidner Birgit,Schunter Matthias,Waidner Michael.Optimistic Synchronous Multi-Party Contract Signing.IBM Research Report RZ 3089(#93135) 12/14/1998,IBM Research Division,Zurich,Dec.1998.
    [146].卿斯汉.电子商务协议中的可信第三方角色.软件学报,2003,14(11):1936-1943.

© 2004-2018 中国地质图书馆版权所有 京ICP备05064691号 京公网安备11010802017129号

地址:北京市海淀区学院路29号 邮编:100083

电话:办公室:(+86 10)66554848;文献借阅、咨询服务、科技查新:66554700