多用户环境下数字签名新构造与安全性的研究
|
摘要
数字签名往往会涉及到多用户环境。一方面,一个数字签名自身就是由多个用户共同产生的,这样的签名被称之为多用户签名;另一方面,一个数字签名虽然只是由一个用户生成,但有时需要考虑这个签名在多用户环境下的安全性。
多重签名、聚合签名和可验证加密签名是互有联系的三类多用户签名;它们在合同签署、数字证书颁发以及公平交换协议中有着极为重要的应用。本文研究了聚合签名、多重签名和可验证加密签名的新构造以及这三类签名和其他一些签名在多用户环境下的安全性。
本文的主要工作和创新成果如下:
(1).利用RSA构造出了一个安全的基于身份的序列聚合签名方案。已有的聚合签名、多重签名和可验证加密签名大多是基于椭圆曲线上的配对构造的。配对是近十几年才被引入密码学领域的,基于配对的难题不像RSA和离散对数(DLP)等数论难题历史悠久,因而人们对它的了解还不是很充分;此外现实中使用的密码学方案设计都是面向RSA和DLP等数论难题的,而不是面向配对的。因此,利用RSA或DLP构造上述三类签名及其变形是一个很有价值的课题。
(2).构造出了一个可抗量子计算机的序列聚合签名方案。我们知道,如果大规模的量子计算机能被制造出来,则所有基于配对、RSA以及离散对数的密码方案都是不安全的。因此已有的基于配对的聚合签名、多重签名和可验证加密签名都不能抵抗量子量子计算机。当前,如何构造抗量子计算机的数字签名是密码学界面对的一个紧迫任务。本文利用线性码的译码难题构造了一个可抗量子计算机的序列聚合签名方案
(3).构造出了一类新的签名方案。本文将可验证加密签名和多重签名融合,构造出了一类新的具有特殊功能的签名方案,我们称之为可验证加密多重签名方案。
(4).利用流氓密钥攻击分析了一些可验证加密签名的安全性。众所周知,多用户签名的一个已知安全要求是能抵抗流氓密钥攻击。本文指出Boneh等人在Eurocrypt'03和Lu等人在Eurocrypt'06提出的可验证加密签名不能抵抗流氓密钥攻击。
(5)指出一些签名方案不能抵抗密钥替换攻击。2004年,Menezes等人指出在多用户环境下,已有的关于数字签名的安全模型是不够的,同时提出了针对数字签名的一类新攻击,他们称之为密钥替换攻击。本文指出Courtois等人在Asiacrypt'01提出的CFS签名不能抵抗密钥替换攻击。
(6).指出在考虑可验证签名和多重签名的安全性时,密钥替换攻击可以带来破坏性的结果。多用户签名的一个已知安全要求是能抵抗流氓密钥攻击;但是,对于多重签名与可验证加密签名这两类多用户签名,是否需要考虑密钥替换攻击不得而知。本文指出在考虑可验证签名和多重签名的安全性时,密钥替换攻击可以带来破坏性的结果,从而得到已有的安全模型是不够的。作为例子,我们指出Zhang等人在Indocrypt'03提出的可验证加密签名以及Boldyreva在PKC'03提出的多重签名方案不能抵抗密钥替换攻击。
Signature schemes are always related to the multi-user settings. Firstly, a signature is generated by many users, such signature schemes are called multi-party signature schemes; secondly, we will consider the security of a signature scheme in the multi-user setting, although the signature is generated by only one user.
Multisignature schemes (MS scheme), aggregate signature schemes (AS scheme) and verifiably encrypted signature schemes (VES scheme) are related to each other, and all of them are multi-party signature schemes. MS schemes, AS schemes and VES schemes are very useful in the fields of Contract Signing, Digital Certificate Issue, and Fair Exchange Protocol etc. This dissertation studies the new constructions of MS schemes, AS schemes, and VES schemes; and also studies the security of these three schemes and other signature schemes in the multi-user setting.
The main contributions of the dissertation are as follows.
(1). We proposed a secure Identity-based sequential aggregate signature scheme from RSA. Most of the existing MS schemes, AS schemes, and VES schemes are based on pair-ings. Pairings were only recently introduced to the cryptography community, and are not understood as much as RSA and DLP by cryptographers; additionally, the in-use designs of cryptography schemes are not pairing oriented but RSA or DLP oriented. Hence, it is valuable to construct these three schemes and their modifications from RSA or DLP.
(2). We proposed a quantum-immune sequential aggregate signature. It is known that if large scale quantum computers can be realized, then all the cryptosystems which are based on Parings, RSA and DLP are not secure any more. Hence, all the the exist-ing MS schemes, AS schemes, and VES schemes which are based on pairings are not secure against quantum computers. Currently, it is very urgent for cryptographers to con-struct quantum-immune digital signatures. The dissertation proposed a quantum-immune sequential aggregate signature by using the problem of decoding of linear code.
(3). We proposed a new type of signature schemes. Combining the VES schemes and MS schemes, we propose a new type of signature schemes with additional functionalities, which we call verifiably encrypted multi-signature schemes.
(4). We analyzed the security of some VES schemes using rogue-key attacks. It is known that multi-party signature schemes should be secure against rogue-key attacks. The dissertation pointed out that the VES scheme proposed by Boneh et al. at Eurocrypt'03and the VES scheme proposed by Lu et al. at Eurocrypt'06are not secure against rogue-key attacks.
(5). We pointed out that some signature schemes are not secure against key substitu-tion attacks.2004, Menezes et al. pointed out that, in the multi-user setting, the existing security model for signature schemes is not sufficient, and proposed a new type of attacks which they called the key substitution attacks (KS attack). The dissertation pointed out that the CFS signature proposed by Courtois et al. at Asiacrypt'01is not secure against KS attacks.
(6). We pointed out that KS attacks can cause dangerous consequences when it comes to the security of MS schemes and VES schemes. It is known that multi-party signature schemes should be secure against rogue-key attacks; but is not known that, as to the se-curity of MS schemes and VES schemes, whether KS attacks is worth considering. The dissertation firstly pointed out that KS attacks can cause dangerous consequences when it comes to the security of MS schemes and VES schemes. As examples, we pointed out that the VES scheme proposed by Zhang et al. at Indocrypt'03and the MS scheme proposed by Boldyreva at PKC'03are not secure against KS attacks.
多重签名、聚合签名和可验证加密签名是互有联系的三类多用户签名;它们在合同签署、数字证书颁发以及公平交换协议中有着极为重要的应用。本文研究了聚合签名、多重签名和可验证加密签名的新构造以及这三类签名和其他一些签名在多用户环境下的安全性。
本文的主要工作和创新成果如下:
(1).利用RSA构造出了一个安全的基于身份的序列聚合签名方案。已有的聚合签名、多重签名和可验证加密签名大多是基于椭圆曲线上的配对构造的。配对是近十几年才被引入密码学领域的,基于配对的难题不像RSA和离散对数(DLP)等数论难题历史悠久,因而人们对它的了解还不是很充分;此外现实中使用的密码学方案设计都是面向RSA和DLP等数论难题的,而不是面向配对的。因此,利用RSA或DLP构造上述三类签名及其变形是一个很有价值的课题。
(2).构造出了一个可抗量子计算机的序列聚合签名方案。我们知道,如果大规模的量子计算机能被制造出来,则所有基于配对、RSA以及离散对数的密码方案都是不安全的。因此已有的基于配对的聚合签名、多重签名和可验证加密签名都不能抵抗量子量子计算机。当前,如何构造抗量子计算机的数字签名是密码学界面对的一个紧迫任务。本文利用线性码的译码难题构造了一个可抗量子计算机的序列聚合签名方案
(3).构造出了一类新的签名方案。本文将可验证加密签名和多重签名融合,构造出了一类新的具有特殊功能的签名方案,我们称之为可验证加密多重签名方案。
(4).利用流氓密钥攻击分析了一些可验证加密签名的安全性。众所周知,多用户签名的一个已知安全要求是能抵抗流氓密钥攻击。本文指出Boneh等人在Eurocrypt'03和Lu等人在Eurocrypt'06提出的可验证加密签名不能抵抗流氓密钥攻击。
(5)指出一些签名方案不能抵抗密钥替换攻击。2004年,Menezes等人指出在多用户环境下,已有的关于数字签名的安全模型是不够的,同时提出了针对数字签名的一类新攻击,他们称之为密钥替换攻击。本文指出Courtois等人在Asiacrypt'01提出的CFS签名不能抵抗密钥替换攻击。
(6).指出在考虑可验证签名和多重签名的安全性时,密钥替换攻击可以带来破坏性的结果。多用户签名的一个已知安全要求是能抵抗流氓密钥攻击;但是,对于多重签名与可验证加密签名这两类多用户签名,是否需要考虑密钥替换攻击不得而知。本文指出在考虑可验证签名和多重签名的安全性时,密钥替换攻击可以带来破坏性的结果,从而得到已有的安全模型是不够的。作为例子,我们指出Zhang等人在Indocrypt'03提出的可验证加密签名以及Boldyreva在PKC'03提出的多重签名方案不能抵抗密钥替换攻击。
Signature schemes are always related to the multi-user settings. Firstly, a signature is generated by many users, such signature schemes are called multi-party signature schemes; secondly, we will consider the security of a signature scheme in the multi-user setting, although the signature is generated by only one user.
Multisignature schemes (MS scheme), aggregate signature schemes (AS scheme) and verifiably encrypted signature schemes (VES scheme) are related to each other, and all of them are multi-party signature schemes. MS schemes, AS schemes and VES schemes are very useful in the fields of Contract Signing, Digital Certificate Issue, and Fair Exchange Protocol etc. This dissertation studies the new constructions of MS schemes, AS schemes, and VES schemes; and also studies the security of these three schemes and other signature schemes in the multi-user setting.
The main contributions of the dissertation are as follows.
(1). We proposed a secure Identity-based sequential aggregate signature scheme from RSA. Most of the existing MS schemes, AS schemes, and VES schemes are based on pair-ings. Pairings were only recently introduced to the cryptography community, and are not understood as much as RSA and DLP by cryptographers; additionally, the in-use designs of cryptography schemes are not pairing oriented but RSA or DLP oriented. Hence, it is valuable to construct these three schemes and their modifications from RSA or DLP.
(2). We proposed a quantum-immune sequential aggregate signature. It is known that if large scale quantum computers can be realized, then all the cryptosystems which are based on Parings, RSA and DLP are not secure any more. Hence, all the the exist-ing MS schemes, AS schemes, and VES schemes which are based on pairings are not secure against quantum computers. Currently, it is very urgent for cryptographers to con-struct quantum-immune digital signatures. The dissertation proposed a quantum-immune sequential aggregate signature by using the problem of decoding of linear code.
(3). We proposed a new type of signature schemes. Combining the VES schemes and MS schemes, we propose a new type of signature schemes with additional functionalities, which we call verifiably encrypted multi-signature schemes.
(4). We analyzed the security of some VES schemes using rogue-key attacks. It is known that multi-party signature schemes should be secure against rogue-key attacks. The dissertation pointed out that the VES scheme proposed by Boneh et al. at Eurocrypt'03and the VES scheme proposed by Lu et al. at Eurocrypt'06are not secure against rogue-key attacks.
(5). We pointed out that some signature schemes are not secure against key substitu-tion attacks.2004, Menezes et al. pointed out that, in the multi-user setting, the existing security model for signature schemes is not sufficient, and proposed a new type of attacks which they called the key substitution attacks (KS attack). The dissertation pointed out that the CFS signature proposed by Courtois et al. at Asiacrypt'01is not secure against KS attacks.
(6). We pointed out that KS attacks can cause dangerous consequences when it comes to the security of MS schemes and VES schemes. It is known that multi-party signature schemes should be secure against rogue-key attacks; but is not known that, as to the se-curity of MS schemes and VES schemes, whether KS attacks is worth considering. The dissertation firstly pointed out that KS attacks can cause dangerous consequences when it comes to the security of MS schemes and VES schemes. As examples, we pointed out that the VES scheme proposed by Zhang et al. at Indocrypt'03and the MS scheme proposed by Boldyreva at PKC'03are not secure against KS attacks.
引文
[1]Stinson D. R. Cryptography:theory and practice, second edition [M]. CRC Press LLC,2002.
[2]Menezes A. J., Van Oorschot P. C., Vanstone S.A. Handbook of Applied Cryptography [M]. CRC Press,1996.
[3]Schneier B. Applied Cryptography, Protocols, Algorithms and Source Code in C, second edition [M]. John Wiley and Sons,1995.
[4]KAHN D. The Codebreakers [M]. Macmillan Publishing Company, New York,1967.
[5]SHANNON C.E. Communication theory of secrecy systems [J]. Bell System Technical Journal, 1949,28:656-715.
[6]Diffie W., Hellman M. New directions in cryptography [J]. IEEE Transactions on Information Theory,1976,22(6):644-654.
[7]Rivest R. L., Shamir A., Adleman L. A method for obtaining digital signatures and public key cryptosystems [J]. Commununications of the ACM,1978,21:120-126.
[8]Buchmann J., Coronado C., Doring M., Engelbert D., Ludwig C., Overbeck R., Schmidt A., Vollmer U., Weinmann R. P. Post-Quantum Signatures. Cryptology ePrint Archive,2004, Re-port 2004/297, http://eprint.iacr.org/.
[9]Ristenpart T., Yilek S. The power of proofs-of-possession:Securing multiparty signatures against rogue-key attacks [C]. Proc. of Eurocrypt'07, Lecture Notes in Comput. Sci.,2007, 4515:228-245.
[10]Menezes A., Smart N. Security of signature schemes in a multiuser setting [J]. Des., Codes and Cryptogr.,2004,33(3):261-274.
[11]Bellare M., Neven G. Multi-signatures in the plain public-key model and a general forking lemma [C]. Proc. of CCS'06, ACM,2006,390-399.
[12]Zhao M., Smith S., Nicol D. Aggregated path authentication for efficient BGP security [C]. Proc. of CCS'05, ACM,2005,128-138.
[13]Boneh D., Gentry C., Lynn B., Shacham H. Aggregate and verifiably encrypted signatures from bilinear maps [C]. Proc. of EUROCRYPT'03, Lecture Notes in Comput. Sci.,2003,2656: 416-432.
[14]Itakura K., Nakamura K. A public key cryptosystem suitable for digital multisignatures [J]. NEC Research & Development,1983,71:1-8.
[15]Okamoto T. A digital multisignature schema using bijective public-key cryptosystems [J]. ACM Transaction on Computer Systems,1988,6(4):432-441.
[16]Ohta K., Okamoto T. A digital multisignature scheme based on the Fiat-Shamir scheme [C]. Proc. of Asiacrypt'91, Lecture Notes in Comput. Sci.,1991,739:139-148.
[17]Harn L. Group-oriented (t,n) threshold digital signature scheme and digital multisignature [J]. IEE Proc. Computers and Digital Techniques,1994,141(5):307-313.
[18]Li C., Hwang T., Lee N. Threshold-multisignature schemes where suspected forgery implies traceability of adversarial shareholders [C]. Proc. of Eurocrypt'94, Lecture Notes in Comput. Sci.,1994.4515:228-245.
[19]Ohta K., Okamoto T. Multi-signature scheme secure against active insider attacks [J]. IEICE Trans. Fundamentals,1999, E87-A(1):21-31.
[20]Micali S., Ohta K. Reyzin L. Accountable-subgroup multisignatures [C]. Proc. of CCS'01, ACM,2001,245-254.
[21]Boldyreva A. Efficient threshold signature, multisignature and blind signature schemes based on the gap-Diffie-Hellman-group signature scheme [C]. Proc. of PKC'03, Lecture Notes in Comput. Sci.,2003,2567:31-46.
[22]Lu S., Ostrovsky R., Sahai A., Shacham H.. Waters B. Sequential aggregate signatures and mul-tisignatures without random oracles [C]. Proc. of EUROCRYPT06, Lecture Notes in Comput. Sci.,2006,4004:465-485.
[23]Bellare M., Neven G. Identity-based multi-signatures from RSA [C]. Proc. of CT-RSA'07, Lec-ture Notes in Comput. Sci.,2007,4377:145-162.
[24]Harn L., Ren J. Efficient identity-based RSA multisignatures [J]. Computer and Security,2008, 27:12-15.
[25]Lysyanskaya A., Micali S., Reyzin L., Shacham H. Sequential aggregate signatures from trap-door permutations [C]. Proc. of EUROCRYPT'04, Lecture Notes in Comput. Sci.,2004,3027: 74-90.
[26]Shamir A. Identity-based cryptosystem and signature scheme [C]. Proc. of CRYPTO'84, Lec-ture Notes in Comput. Sci.,1985,196:120-126.
[27]Cheng X., Liu J., Wang X. Identity-based aggregate and verifiably encrypted signatures from bilinear pairing [C]. Proc. of ICCSA'05, Lecture Notes in Comput. Sci.,2005,3483:1046-1054.
[28]Xu J., Zhang Z., D. Feng D. ID-based aggregate signatures from bilinear pairings [C]. Proc. of CANS'05, Lecture Notes in Comput. Sci.,2005,3810:110-119.
[29]Gentry C., Ramzan Z. Identity-based aggregate signatures [C]. Proc. of PKC'06, Lecture Notes in Comput. Sci..2006,3958:257-273.
[30]Wang Z., Chen H., Ye D., Wu Q. Practical identity-based aggregate signature scheme from bilinear maps [J]. Shangai Jiao Tong University Press,2008,13(6):684-687.
[31]Wen Y, Ma J. An aggregate signature scheme with constant pairing operations [C]. Proc. of CSSE'08,2008,830-833.
[32]Selvi S., Vivek S., Shriram J., Kalaivani S., Pandu Rangan C. Security analysis of aggregate signature and batch verification signature schemes. Cryptology ePrint Archive,2009, Report 2009/290, http://eprint.iacr.org/.
[33]Boldyreva A., Gentry C, O'Neill A. Yum D. Ordered multisignatures and identity-based aggre-gate signatures, with applications to secure routing [C]. Proc.of CCS'07, ACM,2007,276-285.
[34]Hwang J., Lee D., Yung M. Universal forgery of the identity-based sequential aggregate signa-ture scheme [C]. Proc. of ASIACCS,2009,157-160.
[35]石兹松,何明星.基于配对函数的顺序相关多重数字签名[J].计算机工程与应用,2005年,20期:135-138.
[36]Asokan N.,Shoup V., Waidner M. Optimistic fair exchange of digital signature (extended ab-stract) [C], Proc. of Eurocrypt'98, Lecture Notes in Comput. Sci.,1998,1403:591-606.
[37]Ateniese G. Efficient verifiable encryption (and fair exchange) of digital signatures [C]. Proc. of CCS'99, ACM,1999,138-146.
[38]Ateniese G.Verifiable encryption of digital signature and applications [J]. ACM Transactions on Information and System Security,2004,7(1):1-20.
[39]Bao F., Deng R. H., Mao W. Efficient and practical fair exchange protocols with off-line TTP [C]. Proc. of symposium on security and privacy, IEEE,1998,349-354.
[40]Camenisch J., Damgard I. Verifiable encryption group encryption and their application to sepa-rable group signatures and signature sharing schemes [C]. Proc. of Asiacrypt'00, Lecture Notes in Comput. Sci.,2000,1976:331-345.
[41]Camenisch J., Shoup V. Practical verifiable encryption and decryption of discrete logarithms [C]. Proc. of Crypto'03, Lecture Notes in Comput. Sci.,2003,2729:126-144.
[42]Hess F. On the Security of the verifiably encrypted signature scheme of Boneh, Gentry, Lynn and Shacham [J]. Inform. Process. Lett.,2004,89:111-114.
[43]Zhang F., Safavi R., Susilo W. Efficient verifiably encrypted signature and partially blind sig-nature from bilinear pairings [C]. Proc. of Indocrypt'03, Lecture Notes in Comput. Sci.,2003, 2904:191-204.
[44]Zhang J., Liu C., Yang Y. An efficient secure proxy verifiably encrypted signaturescheme[C]. Journal of Network and Computer Applications,2010,33:29-34.
[45]Gu C., Zhu Y. An ID-based verifiable encrypted signature scheme based on Hess's scheme[C]. Proc. of CISC'05, Lecture Notes in Comput. Sci.,2005,3822:42-52.
[46]Goldwasser S., Micali S., Rivest R. A "paradoxical" solution to the signature problem [C]. Proc. of the 25th Annual Symposium on Foundations of Computer Science, IEEE,1984,441-448.
[47]Goldwasser S., Micali S., Rivest R. A digital signature scheme secure against adaptive chosen message attacks [J]. SIAM J. Comput.,1988,17(2):281-308.
[48]Cramer R., Shoup V. Signature schemes based on the strong RSA assumption [J]. ACM Trans-actions on Information and System Security,2000,3(3):161-185.
[49]Blake-Wilson S., Menezes A. Unknown key-share attacks on the station-to-station (STS) pro-tocol [J]. Proc. of PKC'99, Lecture Notes in Comput. Sci.,1999,1560:154-170.
[50]Gennaro R., Halevi S., Rabin T. Secure hash-and-sign signatures without the random oracle [C]. Proc. of Eurocrypt'99, Lecture Notes in Comput. Sci.,1999,1592:123-139.
[51]Tan C. H. Key substitution attacks on some provably secure signature schemes [J]. IEICE Trans. Fundamentals,2004, E87-A(1):226-227.
[52]Koblitz N., Menezes A. Another look at security definitions. Cryptology ePrint Archive,2011, Report 2011/343, http://eprint.iacr.org/.
[53]Bohli J. M., Rohrich S., Steinwandt R. Key substitution attacks revisited:Taking into account malicious signers [J]. Int. J. Inf. Secur.,2006,5:30-36.
[54]Sakumoto K., Tanaka K. Key-substitution attacks on group signature [C]. Research Reports on Mathematical and Computing Sciences,2007, C-237:1-20.
[55]Tan C. H. Key substitution attacks on provably secure short signature schemes [J]. IEICE Trans. Fundamentals,2005, E88-A(2):611-612.
[56]Tan C. H. On Waters'signature scheme [J]. IEICE Trans. Fundamentals,2005, E89-A(10): 2684-2685.
[57]夏琦,许春香.对一个可验证加密签名方案的安全性分析[J].计算机工程与应用,2009,45(30):13-14.
[58]明洋,王育民.两个可证安全短签名方案的密码学分析[J].计算机工程,2007,33(22):21-22.
[59]张振峰.基于身份的可验证加密签名协议的安全性分析[J].计算机学报,2007,29(9):1688-1693.
[60]Joux A. A one round protocol for tripartite Diffie-Hellman [C]. Proc. of ANTS IV, Lecture Notes in Comput. Sci.,2000,1838:385-394.
[61]Shor P. W. Polynomial-Tme algorithms for prime factorization and discrete logarithms on a quantum computer [J]. SIAM J. Computing,1997,26:1484-1509.
[62]Meziani M., Cayrel P. A Multi-Signature Scheme based on Coding Theory [J]. Engineering and Technology,2010,63:244-250.
[63]Katz J., Lindell Y. Introduction to cryptography [M]. CRC Press,2007.
[64]林东岱.代数学基础与有限域[M].北京:高等教育出版社,2006.
[65]Buchmann J. A. Introduction to cryptography [M]. Springer-Verlag,2001.
[66]冯登国,裴定一.密码学导引[M].北京:科学出版社,1999.
[67]Roman S. Coding and information theory [M]. Springer-Verlag, GTM 134,1992.
[68]MacWilliams F. J., Sloane N. J. A. The theory of error-correcting codes [M]. North-Holland Publishing Company,1977.
[69]Washington L. C. Elliptic curves:number theory and cryptography,2nd edition [M]. CRC Press, 2008.
[70]Shoup V. A computational introduction to number theory and algebra [M]. Cambridge Univer-sity Press,2005. Also available at http://www.shoup.net/ntb.
[71]Katz J. Digital signatures [M]. Springer-Verlag,2007.
[72]华东师范大学数学系编.概率论与数理统计[M].北京:高等教育出版社,1983.
[73]闵捌鹤,严十健.初等数论(第三版)[M].北京:高等教育出版社,2003.
[74]Tso R., Okamoto T. Okamoto E. Efficient short signatures from pairing [C]. Proc. of ITNG'09, IEEE,2009,417-422.
[75]Guillou L., Quisquater J. A "paradoxical" indentity-based signature scheme resulting from zero knowledge [C]. Proc. of CRYPTO'88, Lecture Notes in Comput. Sci.,1990,403:216-231.
[76]Cha J., Cheon J. An identity-based signature from gap Diffie-Hellman groups [C]. Proc. of PKC'03, Lecture Notes in Comput. Sci.,2003,2567:18-30.
[77]Bellare M., Rogaway P. Random oracles are practical:A paradigm for designing dfficient pro-tocols [C]. Proc. of CCS'93, ACM.1993,62-73.
[78]Joye M. Provable secure signature schemes [M].France:CIM-PACA,2000. [14]
[79]冯登国.可证明安全性理论与方法研究[J].软件学报,2005,16(10):1743-1756.
[80]Canetti R., Goldreich O., Halevi S. The random oracle methodology, revisited [J]. Journal of ACM,2004,51(4):557-594.
[81]关振胜.公钥基础设施PKI与认证机构CA[M].北京:电子工业出版社,2004.
[82]McEliece R.J. A Public-Key cryptosystem based on algebraic coding theory [R]. Jet Propulsion Laboratory DSN Progress Report,1978 42-44:114-116.
[83]Niederreiter H. Knapsack-type crytosystems and algebraic coding theory [J]. Prob. Contr. In-form. Theory,1986,15(2):157-166.
[84]Courtois N., Finiasz M., Sendrier N. How to achieve a McEliece-based digital signature scheme [C]. Proc. of Asiacrypt'01, Lecture Notes in Comput. Sci.,2001,2248:157-174.
[85]Cayrel P., Meziani M. Post-quantum cryptography:code-based signatures [C]. Proc. of AST/UCMA/ISA/CAN'10, Lecture Notes in Comput. Sci.,2010,6059:82-89.
[86]Overbeck R., Sendrier N. Code based cryptography, A chapter of Bernstein D. J., Buchmann J., Dahmen E., eds., Post-Quantum Cryptography [M]. Springer,2009.
[87]Finiasz M. Nouvelles constructions utilisant des codes correcteurs d'erreurs en cryptographie 'a clef publique [D]. INRIA-Ecole Polytechnique,2004.(in French)
[88]Sendrier N. Code-based one way functions. http://ecrypt-ss07.rhul.ac.uk/Slides/Thursday/sendrier-samos07.pdf,2007.
[89]Dallot L. Towards a concrete security proof of Courtois, Finiasz and Sendrier signature scheme [C]. Proc. of WEWoRC'07, Lecture Notes in Comput. Sci.,2008,4945:66-77.
[90]Finiasz M., Sendrier N. Security bounds for the design of code-based cryptosystems. Proc. of ASIACRYPT'09, Lecture Notes in Comput. Sci.,2009,5912:88-105.
[91]Boneh D., Franklin M. Identity-based encryption from the Weil pairing [C]. Proc. of Crypto'01, Lecture Notes in Comput. Sci.,2001,2139:213-229.
[92]Bender A., Katz J., Morselli R. Ring signatures:stronger definitions, and constructions without random oracles. Proc. of TCC'06, Lecture Notes in Comput. Sci.,2006,3876:60-79.
[93]Adams C., Farrell S., Kause T., Mononen T. Internet X.509 public key infrastructure certificate management protocols (CMP). Request for Comments (RFC) 4210, Internet Engineering Task Force (September 2005).
[94]Schaad J. Internet X.509 public key infrastructure certificate request message format (CRMF). Request for Comments (RFC) 4211, Internet Engineering Task Force (September 2005).
[95]RSA Laboratories:RSA PKCS # 10 vl.7: Certification Request Syntax Standard ftp://ftp.rsasecurity.com/pub/p kcs/pkcs-10/pkcs-10v17.pdf.
[96]Boneh D., Lynn B., Shacham H. Short signatures from the Weil pairing [C]. Proc. of Asi-acrypt'01, Lecture Notes in Comput. Sci.,2001,2248:514-532.
[97]Zhang F., Safavi R., Susilo W. An efficient signature scheme from bilinear pairings and its applications [C]. Proc. of PKC'04, Lecture Notes in Comput. Sci.,2004,2947:277-290.
[98]Ruckert M. Lattice-based Signature Schemes with Additional Features [D]. PhD thesis, TU Darmstadt (2011).
[99]Kent S., Lynn C., Seo K. Secure Border Gateway Protocol (Secure-BGP) [J]. IEEE J.Selected Areas in Comm.,2000,18(4):582-592.
[100]Asokan N., Shoup V., Waidner M. Optimistic fair exchange of digital signatures [J]. IEEE J. Selected Areas in Comm.,2000,18(4):593-610.
[101]Bellare M., Boldyreva A., Micali S. Public-key Encryption in a Multi-User Setting:Security Proofs and Improvements [C]. Proc. of Eurocrypt 2000, Lecture Notes in Comput. Sci.,2000, 1807:259-274.
[102]Coron J. On the exact security of Full-Domain-Hash [C]. Proc. of Crypto 2000, Lecture Notes in Comput. Sci.,2000,1880:229-235.
[103]Bellare M., Desai A., Pointcheval D., Rogaway P. Relations among notions of security for public-key encryption schemes [C]. Proc. of Crypto'98, Lecture Notes in Comput. Sci.,1998, 1462:26-45.
[104]Fiat A., Shamir A. How to prove yourself: Practical solutions to identification and signature problems [C]. Proc. of Crypto'86, Lecture Notes in Comput. Sci.,1986,186-194.
[105]Menezes A., Okamoto T., Vanstone S. Reducing elliptic curve logarithms to logarithms in a finite field [J]. IEEE Tran. on Info. Th.,1993,39:1639-1646.
[106]Frey G., Muller M., Ruck H. The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems [J]. IEEE Tran. on Info. Th.,1999,45:1717-1718.
[2]Menezes A. J., Van Oorschot P. C., Vanstone S.A. Handbook of Applied Cryptography [M]. CRC Press,1996.
[3]Schneier B. Applied Cryptography, Protocols, Algorithms and Source Code in C, second edition [M]. John Wiley and Sons,1995.
[4]KAHN D. The Codebreakers [M]. Macmillan Publishing Company, New York,1967.
[5]SHANNON C.E. Communication theory of secrecy systems [J]. Bell System Technical Journal, 1949,28:656-715.
[6]Diffie W., Hellman M. New directions in cryptography [J]. IEEE Transactions on Information Theory,1976,22(6):644-654.
[7]Rivest R. L., Shamir A., Adleman L. A method for obtaining digital signatures and public key cryptosystems [J]. Commununications of the ACM,1978,21:120-126.
[8]Buchmann J., Coronado C., Doring M., Engelbert D., Ludwig C., Overbeck R., Schmidt A., Vollmer U., Weinmann R. P. Post-Quantum Signatures. Cryptology ePrint Archive,2004, Re-port 2004/297, http://eprint.iacr.org/.
[9]Ristenpart T., Yilek S. The power of proofs-of-possession:Securing multiparty signatures against rogue-key attacks [C]. Proc. of Eurocrypt'07, Lecture Notes in Comput. Sci.,2007, 4515:228-245.
[10]Menezes A., Smart N. Security of signature schemes in a multiuser setting [J]. Des., Codes and Cryptogr.,2004,33(3):261-274.
[11]Bellare M., Neven G. Multi-signatures in the plain public-key model and a general forking lemma [C]. Proc. of CCS'06, ACM,2006,390-399.
[12]Zhao M., Smith S., Nicol D. Aggregated path authentication for efficient BGP security [C]. Proc. of CCS'05, ACM,2005,128-138.
[13]Boneh D., Gentry C., Lynn B., Shacham H. Aggregate and verifiably encrypted signatures from bilinear maps [C]. Proc. of EUROCRYPT'03, Lecture Notes in Comput. Sci.,2003,2656: 416-432.
[14]Itakura K., Nakamura K. A public key cryptosystem suitable for digital multisignatures [J]. NEC Research & Development,1983,71:1-8.
[15]Okamoto T. A digital multisignature schema using bijective public-key cryptosystems [J]. ACM Transaction on Computer Systems,1988,6(4):432-441.
[16]Ohta K., Okamoto T. A digital multisignature scheme based on the Fiat-Shamir scheme [C]. Proc. of Asiacrypt'91, Lecture Notes in Comput. Sci.,1991,739:139-148.
[17]Harn L. Group-oriented (t,n) threshold digital signature scheme and digital multisignature [J]. IEE Proc. Computers and Digital Techniques,1994,141(5):307-313.
[18]Li C., Hwang T., Lee N. Threshold-multisignature schemes where suspected forgery implies traceability of adversarial shareholders [C]. Proc. of Eurocrypt'94, Lecture Notes in Comput. Sci.,1994.4515:228-245.
[19]Ohta K., Okamoto T. Multi-signature scheme secure against active insider attacks [J]. IEICE Trans. Fundamentals,1999, E87-A(1):21-31.
[20]Micali S., Ohta K. Reyzin L. Accountable-subgroup multisignatures [C]. Proc. of CCS'01, ACM,2001,245-254.
[21]Boldyreva A. Efficient threshold signature, multisignature and blind signature schemes based on the gap-Diffie-Hellman-group signature scheme [C]. Proc. of PKC'03, Lecture Notes in Comput. Sci.,2003,2567:31-46.
[22]Lu S., Ostrovsky R., Sahai A., Shacham H.. Waters B. Sequential aggregate signatures and mul-tisignatures without random oracles [C]. Proc. of EUROCRYPT06, Lecture Notes in Comput. Sci.,2006,4004:465-485.
[23]Bellare M., Neven G. Identity-based multi-signatures from RSA [C]. Proc. of CT-RSA'07, Lec-ture Notes in Comput. Sci.,2007,4377:145-162.
[24]Harn L., Ren J. Efficient identity-based RSA multisignatures [J]. Computer and Security,2008, 27:12-15.
[25]Lysyanskaya A., Micali S., Reyzin L., Shacham H. Sequential aggregate signatures from trap-door permutations [C]. Proc. of EUROCRYPT'04, Lecture Notes in Comput. Sci.,2004,3027: 74-90.
[26]Shamir A. Identity-based cryptosystem and signature scheme [C]. Proc. of CRYPTO'84, Lec-ture Notes in Comput. Sci.,1985,196:120-126.
[27]Cheng X., Liu J., Wang X. Identity-based aggregate and verifiably encrypted signatures from bilinear pairing [C]. Proc. of ICCSA'05, Lecture Notes in Comput. Sci.,2005,3483:1046-1054.
[28]Xu J., Zhang Z., D. Feng D. ID-based aggregate signatures from bilinear pairings [C]. Proc. of CANS'05, Lecture Notes in Comput. Sci.,2005,3810:110-119.
[29]Gentry C., Ramzan Z. Identity-based aggregate signatures [C]. Proc. of PKC'06, Lecture Notes in Comput. Sci..2006,3958:257-273.
[30]Wang Z., Chen H., Ye D., Wu Q. Practical identity-based aggregate signature scheme from bilinear maps [J]. Shangai Jiao Tong University Press,2008,13(6):684-687.
[31]Wen Y, Ma J. An aggregate signature scheme with constant pairing operations [C]. Proc. of CSSE'08,2008,830-833.
[32]Selvi S., Vivek S., Shriram J., Kalaivani S., Pandu Rangan C. Security analysis of aggregate signature and batch verification signature schemes. Cryptology ePrint Archive,2009, Report 2009/290, http://eprint.iacr.org/.
[33]Boldyreva A., Gentry C, O'Neill A. Yum D. Ordered multisignatures and identity-based aggre-gate signatures, with applications to secure routing [C]. Proc.of CCS'07, ACM,2007,276-285.
[34]Hwang J., Lee D., Yung M. Universal forgery of the identity-based sequential aggregate signa-ture scheme [C]. Proc. of ASIACCS,2009,157-160.
[35]石兹松,何明星.基于配对函数的顺序相关多重数字签名[J].计算机工程与应用,2005年,20期:135-138.
[36]Asokan N.,Shoup V., Waidner M. Optimistic fair exchange of digital signature (extended ab-stract) [C], Proc. of Eurocrypt'98, Lecture Notes in Comput. Sci.,1998,1403:591-606.
[37]Ateniese G. Efficient verifiable encryption (and fair exchange) of digital signatures [C]. Proc. of CCS'99, ACM,1999,138-146.
[38]Ateniese G.Verifiable encryption of digital signature and applications [J]. ACM Transactions on Information and System Security,2004,7(1):1-20.
[39]Bao F., Deng R. H., Mao W. Efficient and practical fair exchange protocols with off-line TTP [C]. Proc. of symposium on security and privacy, IEEE,1998,349-354.
[40]Camenisch J., Damgard I. Verifiable encryption group encryption and their application to sepa-rable group signatures and signature sharing schemes [C]. Proc. of Asiacrypt'00, Lecture Notes in Comput. Sci.,2000,1976:331-345.
[41]Camenisch J., Shoup V. Practical verifiable encryption and decryption of discrete logarithms [C]. Proc. of Crypto'03, Lecture Notes in Comput. Sci.,2003,2729:126-144.
[42]Hess F. On the Security of the verifiably encrypted signature scheme of Boneh, Gentry, Lynn and Shacham [J]. Inform. Process. Lett.,2004,89:111-114.
[43]Zhang F., Safavi R., Susilo W. Efficient verifiably encrypted signature and partially blind sig-nature from bilinear pairings [C]. Proc. of Indocrypt'03, Lecture Notes in Comput. Sci.,2003, 2904:191-204.
[44]Zhang J., Liu C., Yang Y. An efficient secure proxy verifiably encrypted signaturescheme[C]. Journal of Network and Computer Applications,2010,33:29-34.
[45]Gu C., Zhu Y. An ID-based verifiable encrypted signature scheme based on Hess's scheme[C]. Proc. of CISC'05, Lecture Notes in Comput. Sci.,2005,3822:42-52.
[46]Goldwasser S., Micali S., Rivest R. A "paradoxical" solution to the signature problem [C]. Proc. of the 25th Annual Symposium on Foundations of Computer Science, IEEE,1984,441-448.
[47]Goldwasser S., Micali S., Rivest R. A digital signature scheme secure against adaptive chosen message attacks [J]. SIAM J. Comput.,1988,17(2):281-308.
[48]Cramer R., Shoup V. Signature schemes based on the strong RSA assumption [J]. ACM Trans-actions on Information and System Security,2000,3(3):161-185.
[49]Blake-Wilson S., Menezes A. Unknown key-share attacks on the station-to-station (STS) pro-tocol [J]. Proc. of PKC'99, Lecture Notes in Comput. Sci.,1999,1560:154-170.
[50]Gennaro R., Halevi S., Rabin T. Secure hash-and-sign signatures without the random oracle [C]. Proc. of Eurocrypt'99, Lecture Notes in Comput. Sci.,1999,1592:123-139.
[51]Tan C. H. Key substitution attacks on some provably secure signature schemes [J]. IEICE Trans. Fundamentals,2004, E87-A(1):226-227.
[52]Koblitz N., Menezes A. Another look at security definitions. Cryptology ePrint Archive,2011, Report 2011/343, http://eprint.iacr.org/.
[53]Bohli J. M., Rohrich S., Steinwandt R. Key substitution attacks revisited:Taking into account malicious signers [J]. Int. J. Inf. Secur.,2006,5:30-36.
[54]Sakumoto K., Tanaka K. Key-substitution attacks on group signature [C]. Research Reports on Mathematical and Computing Sciences,2007, C-237:1-20.
[55]Tan C. H. Key substitution attacks on provably secure short signature schemes [J]. IEICE Trans. Fundamentals,2005, E88-A(2):611-612.
[56]Tan C. H. On Waters'signature scheme [J]. IEICE Trans. Fundamentals,2005, E89-A(10): 2684-2685.
[57]夏琦,许春香.对一个可验证加密签名方案的安全性分析[J].计算机工程与应用,2009,45(30):13-14.
[58]明洋,王育民.两个可证安全短签名方案的密码学分析[J].计算机工程,2007,33(22):21-22.
[59]张振峰.基于身份的可验证加密签名协议的安全性分析[J].计算机学报,2007,29(9):1688-1693.
[60]Joux A. A one round protocol for tripartite Diffie-Hellman [C]. Proc. of ANTS IV, Lecture Notes in Comput. Sci.,2000,1838:385-394.
[61]Shor P. W. Polynomial-Tme algorithms for prime factorization and discrete logarithms on a quantum computer [J]. SIAM J. Computing,1997,26:1484-1509.
[62]Meziani M., Cayrel P. A Multi-Signature Scheme based on Coding Theory [J]. Engineering and Technology,2010,63:244-250.
[63]Katz J., Lindell Y. Introduction to cryptography [M]. CRC Press,2007.
[64]林东岱.代数学基础与有限域[M].北京:高等教育出版社,2006.
[65]Buchmann J. A. Introduction to cryptography [M]. Springer-Verlag,2001.
[66]冯登国,裴定一.密码学导引[M].北京:科学出版社,1999.
[67]Roman S. Coding and information theory [M]. Springer-Verlag, GTM 134,1992.
[68]MacWilliams F. J., Sloane N. J. A. The theory of error-correcting codes [M]. North-Holland Publishing Company,1977.
[69]Washington L. C. Elliptic curves:number theory and cryptography,2nd edition [M]. CRC Press, 2008.
[70]Shoup V. A computational introduction to number theory and algebra [M]. Cambridge Univer-sity Press,2005. Also available at http://www.shoup.net/ntb.
[71]Katz J. Digital signatures [M]. Springer-Verlag,2007.
[72]华东师范大学数学系编.概率论与数理统计[M].北京:高等教育出版社,1983.
[73]闵捌鹤,严十健.初等数论(第三版)[M].北京:高等教育出版社,2003.
[74]Tso R., Okamoto T. Okamoto E. Efficient short signatures from pairing [C]. Proc. of ITNG'09, IEEE,2009,417-422.
[75]Guillou L., Quisquater J. A "paradoxical" indentity-based signature scheme resulting from zero knowledge [C]. Proc. of CRYPTO'88, Lecture Notes in Comput. Sci.,1990,403:216-231.
[76]Cha J., Cheon J. An identity-based signature from gap Diffie-Hellman groups [C]. Proc. of PKC'03, Lecture Notes in Comput. Sci.,2003,2567:18-30.
[77]Bellare M., Rogaway P. Random oracles are practical:A paradigm for designing dfficient pro-tocols [C]. Proc. of CCS'93, ACM.1993,62-73.
[78]Joye M. Provable secure signature schemes [M].France:CIM-PACA,2000. [14]
[79]冯登国.可证明安全性理论与方法研究[J].软件学报,2005,16(10):1743-1756.
[80]Canetti R., Goldreich O., Halevi S. The random oracle methodology, revisited [J]. Journal of ACM,2004,51(4):557-594.
[81]关振胜.公钥基础设施PKI与认证机构CA[M].北京:电子工业出版社,2004.
[82]McEliece R.J. A Public-Key cryptosystem based on algebraic coding theory [R]. Jet Propulsion Laboratory DSN Progress Report,1978 42-44:114-116.
[83]Niederreiter H. Knapsack-type crytosystems and algebraic coding theory [J]. Prob. Contr. In-form. Theory,1986,15(2):157-166.
[84]Courtois N., Finiasz M., Sendrier N. How to achieve a McEliece-based digital signature scheme [C]. Proc. of Asiacrypt'01, Lecture Notes in Comput. Sci.,2001,2248:157-174.
[85]Cayrel P., Meziani M. Post-quantum cryptography:code-based signatures [C]. Proc. of AST/UCMA/ISA/CAN'10, Lecture Notes in Comput. Sci.,2010,6059:82-89.
[86]Overbeck R., Sendrier N. Code based cryptography, A chapter of Bernstein D. J., Buchmann J., Dahmen E., eds., Post-Quantum Cryptography [M]. Springer,2009.
[87]Finiasz M. Nouvelles constructions utilisant des codes correcteurs d'erreurs en cryptographie 'a clef publique [D]. INRIA-Ecole Polytechnique,2004.(in French)
[88]Sendrier N. Code-based one way functions. http://ecrypt-ss07.rhul.ac.uk/Slides/Thursday/sendrier-samos07.pdf,2007.
[89]Dallot L. Towards a concrete security proof of Courtois, Finiasz and Sendrier signature scheme [C]. Proc. of WEWoRC'07, Lecture Notes in Comput. Sci.,2008,4945:66-77.
[90]Finiasz M., Sendrier N. Security bounds for the design of code-based cryptosystems. Proc. of ASIACRYPT'09, Lecture Notes in Comput. Sci.,2009,5912:88-105.
[91]Boneh D., Franklin M. Identity-based encryption from the Weil pairing [C]. Proc. of Crypto'01, Lecture Notes in Comput. Sci.,2001,2139:213-229.
[92]Bender A., Katz J., Morselli R. Ring signatures:stronger definitions, and constructions without random oracles. Proc. of TCC'06, Lecture Notes in Comput. Sci.,2006,3876:60-79.
[93]Adams C., Farrell S., Kause T., Mononen T. Internet X.509 public key infrastructure certificate management protocols (CMP). Request for Comments (RFC) 4210, Internet Engineering Task Force (September 2005).
[94]Schaad J. Internet X.509 public key infrastructure certificate request message format (CRMF). Request for Comments (RFC) 4211, Internet Engineering Task Force (September 2005).
[95]RSA Laboratories:RSA PKCS # 10 vl.7: Certification Request Syntax Standard ftp://ftp.rsasecurity.com/pub/p kcs/pkcs-10/pkcs-10v17.pdf.
[96]Boneh D., Lynn B., Shacham H. Short signatures from the Weil pairing [C]. Proc. of Asi-acrypt'01, Lecture Notes in Comput. Sci.,2001,2248:514-532.
[97]Zhang F., Safavi R., Susilo W. An efficient signature scheme from bilinear pairings and its applications [C]. Proc. of PKC'04, Lecture Notes in Comput. Sci.,2004,2947:277-290.
[98]Ruckert M. Lattice-based Signature Schemes with Additional Features [D]. PhD thesis, TU Darmstadt (2011).
[99]Kent S., Lynn C., Seo K. Secure Border Gateway Protocol (Secure-BGP) [J]. IEEE J.Selected Areas in Comm.,2000,18(4):582-592.
[100]Asokan N., Shoup V., Waidner M. Optimistic fair exchange of digital signatures [J]. IEEE J. Selected Areas in Comm.,2000,18(4):593-610.
[101]Bellare M., Boldyreva A., Micali S. Public-key Encryption in a Multi-User Setting:Security Proofs and Improvements [C]. Proc. of Eurocrypt 2000, Lecture Notes in Comput. Sci.,2000, 1807:259-274.
[102]Coron J. On the exact security of Full-Domain-Hash [C]. Proc. of Crypto 2000, Lecture Notes in Comput. Sci.,2000,1880:229-235.
[103]Bellare M., Desai A., Pointcheval D., Rogaway P. Relations among notions of security for public-key encryption schemes [C]. Proc. of Crypto'98, Lecture Notes in Comput. Sci.,1998, 1462:26-45.
[104]Fiat A., Shamir A. How to prove yourself: Practical solutions to identification and signature problems [C]. Proc. of Crypto'86, Lecture Notes in Comput. Sci.,1986,186-194.
[105]Menezes A., Okamoto T., Vanstone S. Reducing elliptic curve logarithms to logarithms in a finite field [J]. IEEE Tran. on Info. Th.,1993,39:1639-1646.
[106]Frey G., Muller M., Ruck H. The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems [J]. IEEE Tran. on Info. Th.,1999,45:1717-1718.