Research and Design of Digital Signature Algorithms
Abstract
With the rapid development of computer network communication and software technology and the wide adoption of the Internet, how to guarantee and strengthen information security and ensure the integrity of electronic information has become a major concern of the international community. Digital signature algorithms arose to meet this need. The digital signature is one of the most important directions in public key cryptography; it provides the technical and theoretical guarantee of authenticity, integrity and non-repudiation for data in electronic transmission, and is therefore one of the core technologies of information security and one of the key technologies for secure e-commerce and e-government.
Digital signatures are a fundamental component of information security in computer communication networks, and their study has important theoretical and practical significance. This dissertation addresses several active problems in the field of digital signatures and studies and designs a number of efficient and secure digital signature schemes. The main results are as follows.
1. Efficient group signature scheme in the standard model
Efficiency and security are the two key criteria for evaluating a cryptographic algorithm. Until 1999, all provably secure efficient signature algorithms were based on the random oracle model [11]. Signature schemes in the standard model, on the other hand, relied on tree structures, so their provable security came at a severe cost in efficiency; they were of significant theoretical interest but impractical. The random oracle model assumes that every party (legitimate users and attackers alike) can query an idealized random oracle to obtain random values, but such an ideal oracle does not exist in the real world and is usually replaced by a hash function. Reference [33] constructs a scheme that is secure in the random oracle model but becomes insecure once the oracle is replaced by a hash function. Designing efficient signature schemes that are provably secure in the standard model therefore remains an active and difficult research topic.
A group signature [15] is a digital signature technique with revocable anonymity. It has the following properties:
(1) only members of a designated group can sign messages;
(2) a verifier can check the validity of a signature but cannot learn the identity of the signer;
(3) in case of dispute, the identity of the signer can be opened by the group manager. Group signatures have wide applications in management, military, political and economic settings.
The group signatures provably secure in the standard model proposed so far are mainly the following. Bellare, Micciancio and Warinschi [39] gave the first group signature provably secure in the standard model, but the scheme is far too inefficient for practical use. The scheme of Ateniese et al. [41] relies on a new and overly strong security assumption. Boyen and Waters [42,44], building on the Waters signature in the standard model [74], proposed the most efficient constant-size group signature scheme to date; however, because the Waters signature is tree-based, their group signature has an overly long public key and a large computational cost.
In 2006, Okamoto [28] proposed a new signature scheme provably secure in the standard model, whose security rests on the Strong Diffie-Hellman assumption. In this dissertation, based on the Okamoto signature scheme, we propose the most efficient group signature scheme to date that is provably secure without random oracles. We first give a variant of the Okamoto signature scheme that hides part of the signature information of the original; we then use the non-interactive zero-knowledge proof technique of Groth, Ostrovsky and Sahai [43] to hide the signer's identity, achieving the anonymity required of a group signature. The new scheme is based on the Strong Diffie-Hellman assumption and the subgroup decision assumption. Compared with the Boyen and Waters scheme [44], the proposed scheme needs a shorter public key and has a clear advantage in computation; the comparison is as follows:
(1) The public key of the Boyen and Waters group signature scheme needs about m+4 elements of the group G_1 and 1 element of the group G_q, where for security m is about 160; the new scheme needs 4 elements of G_1 and 1 element of G_q.
(2) The final signature of the new scheme consists of 5 elements of G_1 and 1 element of Z_n, while the Boyen and Waters signature consists of 6 elements of G_1.
(3) In terms of computation, the Boyen and Waters scheme needs on average m/2+10 group multiplications (m+10 in the worst case) and 12 exponentiations; the new scheme needs 10 exponentiations and 9 multiplications.
2. Identity-based linkable and convertible ring signatures
A ring signature [18] can be seen as a special kind of group signature. The difference is that a ring signature has no trusted center and no group setup procedure, and hence, unlike a group signature, there is no authority that can open the signer's identity. A signer can build a ring entirely on his own and sign anonymously; a verifier can confirm that the message was signed by some member of the ring but cannot determine which one. Ring signatures are mainly used in electronic voting, electronic cash, leaking private information and authenticated communication.
To meet the needs of applications, the standard notion of ring signature has been extended with additional properties, such as linkability [45] and convertibility [47]. In a linkable ring signature the verifier, while not knowing the actual signer, can determine whether two signatures were produced by the same signer; a convertible ring signature gives the signer a mechanism to convert a ring signature into an ordinary signature. Because key generation in identity-based cryptosystems is special, the methods for adding linkability to ring signatures in the PKI setting cannot be applied directly to identity-based systems; how to construct identity-based linkable ring signatures was posed as an open problem at EuroPKI 2005 [52].
At the same time, although ring signatures have a simple group formation procedure, in the usual designs the verifier needs to know the description of the whole ring, so the signature length generally grows linearly with the number of ring members. Storing the public key information then requires a large amount of space and verification requires a large amount of computation, which greatly limits the application of ring signatures. Researchers have introduced many novel design ideas in order to construct efficient constant-size ring signature algorithms; for example, the introduction of accumulators provided a new approach to designing constant-size ring signatures.
In this dissertation we study the problem of adding linkability and convertibility to ring signatures in the identity-based setting. We divide linkability into weak linkability and strong linkability. In a weakly linkable ring signature, not all signatures of the same signer are required to be linked; the signer decides which signatures to link. Strong linkability requires that all messages signed by the same signer be linked. We solve the problem in two steps:
First, for identity-based weakly linkable ring signatures, we can borrow the design idea of linkable ring signatures in the PKI setting and let the signer generate the linking tag himself. The scheme is designed as follows: if a signer with identity ID wants to link the signatures of two messages, he chooses r ∈ Z_p^* at random, computes rP or rH(ID) as the linking tag, and then builds the corresponding proof-of-knowledge system to design the ring signature scheme. Taking the identity-based ring signature of Zhang and Kim [49] as an example, we give a concrete identity-based weakly linkable ring signature scheme, and then propose two more efficient schemes, one satisfying weak linkability and the other satisfying both weak linkability and convertibility. The proposed schemes achieve perfect anonymity and unforgeability under adaptive chosen-message attack.
Second, starting from signature length and strong linkability, we extend these results further. In the weakly linkable schemes the linking tag is produced by the signer; because of the special nature of identity-based cryptosystems, this design idea does not apply to identity-based strongly linkable ring signatures. Using a bilinear-pairing-based accumulator and the signature-based-on-proof-of-knowledge design paradigm, we give a method for constructing constant-size strongly linkable ring signatures. In the scheme, the linking tag is generated during key generation by the PKG from the two private keys it issues to the user and is distributed to the user, rather than being produced by the user; the scheme therefore has some properties of a traceable ring signature, namely that the PKG can open the signer's identity. Its drawback is that it achieves only computational anonymity rather than perfect anonymity. Finally, we give a concrete interactive proof-of-knowledge protocol and prove that it satisfies completeness, zero-knowledge and soundness; based on it, a concrete identity-based strongly linkable ring signature can be constructed.
3. Fuzzy identity-based signatures
The mainstream public key systems today are PKI cryptosystems and identity-based cryptosystems [21]. An identity-based cryptosystem does not need the extra overhead of storing and managing public key certificates as in a PKI, nor the extra time to verify the authenticity of certificates, so in many respects it has advantages over the traditional PKI. Previous identity-based cryptosystems treated the identity as a character string closely tied to the user, such as an e-mail address or a name. Here we regard the identity as a set of descriptive attributes of the user, such as biometric features like fingerprints and irises. In practice, biometric features are usually used to extract the user's private key. Using a biometric feature as the public key fits the framework of identity-based cryptography better, and it has the following advantages over traditional identity strings:
(1) a biometric feature is an inherent attribute of a person and is always carried by its owner;
(2) a biometric feature is unique; no two individuals have the same biometric feature.
However, biometric extraction is noisy, and the information extracted at different times differs, so biometrics cannot be used directly as public keys in current identity-based cryptosystems. A new scheme must be able to tolerate noise in the public key. Sahai and Waters [59] first proposed the notion of fuzzy identity-based encryption, in which the recipient can use his private key to decrypt a ciphertext encrypted under a public key that differs slightly from his biometric; that is, one key can decrypt ciphertexts under different public keys, as long as the two public keys satisfy a predetermined condition.
In this dissertation we propose the notion of fuzzy identity-based signature (Zhenfu Cao et al. [83] independently proposed the same notion and gave a construction in the standard model based on the Waters signature). In such a scheme, as long as the public keys ω and ω′ satisfy some predetermined condition, a verifier can use the public key ω′ to verify a signature produced with the private key corresponding to ω. Using secret sharing, we propose a fuzzy identity-based signature scheme in which the distance between public keys is defined by set overlap. Our scheme achieves weak unforgeability under adaptive chosen-message attack in the random oracle model.
4. The key escrow problem
The key escrow problem is inherent in identity-based cryptosystems and is a major disadvantage of them: since the PKG knows the private keys of all users, it can decrypt every encrypted file or forge signatures on behalf of any user. Boneh and Franklin [22] addressed this by introducing multiple PKGs with threshold techniques, but that inevitably increases the communication burden. Many schemes have been proposed that combine the advantages of traditional PKI and identity-based systems [63,64,26]; among them, certificateless cryptography [26] has attracted the most attention. Since the notion was introduced, a large number of papers have studied its attack models and the construction of concrete encryption and signature schemes.
In the usual key generation procedure of certificateless cryptosystems, the PKG first generates a private key (sk) for the user from the user's identity, and then the user generates a private/public key pair (sk_1/pk_1) on his own; since the PKG does not know the user's key pair, it cannot decrypt or sign in the user's place. However, with this key generation procedure the key pair generated by the user is not unique: when a malicious PKG publishes a false private/public key pair for the user, the user has no evidence with which to accuse the PKG; moreover, in many cases a malicious PKG can choose special parameters in order to obtain the private key chosen by the user.
At CRYPTO 2007, Goyal [73] introduced the notion of Accountable Authority identity-based encryption to mitigate the key escrow problem. In his scheme, if the PKG ever maliciously generates and distributes a decryption key, it runs the risk of being discovered and punished, because the user's private/public key pair is unique: the user commits to the public key he generates during the interaction with the PKG and cannot change it afterwards.
Following this idea, in this dissertation we first redefine the key generation algorithm of certificateless public key systems: the user first generates a private/public key pair (sk_1/pk_1), and then the PKG generates another private key (sk) for the user from the user's identity and the public key pk_1. This amounts to the PKG signing the user's identity and public key, and the probability that the user forges a valid signature is negligible. We then propose two feasible key generation algorithms, and based on one of them give a certificateless encryption scheme and a certificateless signature scheme. The proposed schemes are provably secure in the random oracle model and resist the malicious-PKG parameter-choice attack. Moreover, in the certificateless signature scheme, if the user-generated partial public key pk_1 is also regarded as part of the signature and published with it, then the verifier can verify the signature using only the user's ID. With this modification, the certificateless signature scheme becomes a fully identity-based signature scheme secure against a malicious PKG, so that identity-based signature schemes can avoid the key escrow problem.
One of the most important developments from the work on public key cryptography is the digital signature, which has many applications in information security, including authentication, data integrity and non-repudiation. It is the crucial technique and theoretical guarantee for realizing secure e-commerce and e-government.
In this dissertation, we focus our research on the following directions of digital signatures:
1. Efficient Group Signature Scheme without Random Oracles
Security and efficiency are two crucial factors in evaluating a cryptographic scheme. Until 1999, all provably secure solutions for efficient digital signature schemes relied on the random oracle methodology [11]. In the random oracle model (ROM), all parties (the legitimate ones as well as the adversaries) have black-box access to functions behaving like truly random functions, which are out of reach in the real world. The oracle is usually replaced by hash functions, so adversaries may exploit weaknesses of the hash functions to attack the schemes. Even worse, many results [33] show separations between the random oracle scenario and the standard model. As a consequence, a central line of research in modern cryptography is designing efficient schemes provably secure in the standard model.
A group signature [15] is a method that allows a member of a group to anonymously sign a message on behalf of the group. It has the following properties: (1) only members of the predefined group can sign messages; (2) anyone can verify the validity of a signature, but no one is able to identify which member of the group signed it; and (3) in case of dispute, the signature can be opened to reveal the identity of the group member who signed it.
There have been only a few group signature schemes provably secure in the standard model. Bellare, Micciancio and Warinschi [39] presented the first construction, but the scheme is too inefficient to be used in practice. Ateniese et al. [41] proposed an efficient group signature scheme without random oracles under some new strong assumptions. Boyen and Waters [42,44] achieved a constant-size group signature scheme by combining a new NIZK proof technique with the Waters signature in the standard model [74], but the public key is too long to be used in practice.
In 2006, Okamoto [28] proposed a new efficient signature scheme secure in the standard model, whose security depends on the Strong Diffie-Hellman assumption. Based on this scheme, we first give a variant of the signature scheme of [28] that hides some information, and then present an efficient group signature scheme in the standard model by combining the variant signature scheme with the technique used by Groth, Ostrovsky and Sahai [43] to hide the identity. The security of the new scheme is based on the Strong Diffie-Hellman assumption and the Subgroup Decision assumption. Compared with the scheme presented by Boyen and Waters [44]:
(1) The public key PK in [44] contains about m+4 elements in the group G_1, where m is at least 160, and one element in the group G_q, while the public key in our scheme consists of 4 elements in G_1 and 1 element in G_q.
(2) The signature in our scheme contains 5 elements in G_1 and one element in Z_n, while the final signature in [44] has 6 elements in G_1.
(3) As to computation, [44] needs about m/2+10 multiplications on average (m+10 in the worst case) and 12 exponentiations, while our scheme needs 10 exponentiations and 9 multiplications.
2. Identity-based Linkable (Convertible) Ring Signature
A ring signature [18] is similar to a group signature, with the exception that no one can reveal the identity of the signer. A user can sign anonymously on behalf of a group of his own choice, while the group members can be totally unaware of being conscripted into the group.
Considering actual applications, the notion of ring signature has been extended, for example to linkable ring signatures [45] and convertible ring signatures [47]. A linkable ring signature (LRS) additionally gives the signer the capacity to let anyone determine whether two ring signatures were produced by the same group member while still preserving anonymity, and a convertible ring signature (CRS) allows the real signer to convert a ring signature into an ordinary one. In PKI-based linkable ring signature schemes, either the signer can link arbitrary messages he wants to link (we call this weakly linkable), or all the signatures signed by the same signer must be linked (we call this strongly linkable). Yet how to construct linkable (convertible) ring signature schemes in the identity-based setting is an open problem proposed in [52].
In addition, although a ring signature has a simple group formation, in most ring signature schemes the signature size depends linearly on the group size, as the verifier needs to know at least the group description. Thus the schemes need too much computation, which restricts their application. To design less complicated schemes, some interesting primitives have been used broadly; among them, the accumulator is a powerful primitive that provides a new method to construct constant-size group signature or ring signature schemes.
To construct identity-based ring signatures with linkability and convertibility, we consider the problem in two steps:
In the first step, we consider identity-based ring signatures with weak linkability, i.e. the signer has the right to determine which signatures to link. We can construct the scheme in this way: if the signer with identity ID wants to link the signatures of two messages, he chooses r ∈ Z_p at random and computes rP or rH(ID) as the identification tag, then constructs the corresponding signature scheme based on a proof of knowledge.
We take Zhang and Kim's identity-based ring signature scheme [49] as an example and give a concrete scheme to show how to add linkability to some identity-based ring signatures. Then two efficient schemes are given, one satisfying weak linkability and the other satisfying both linkability and convertibility.
In the second step, considering efficiency and the strong linkability requirement, we extend the work to construct a short constant-size scheme satisfying strong linkability using an accumulator scheme. In our scheme, it is the PKG, and not the signer as in the traditional scheme, that produces the identification tag. So the scheme is signer-anonymous to all verifiers except the PKG, and the PKG has the power to open the identity of the signer. In addition, we propose a concrete Interactive Zero-Knowledge proof system, based on which we can construct a concrete scheme using the method of Signature Based on Proof of Knowledge.
3. Fuzzy Identity-based Signature
Identity-based systems provide a more convenient way than the traditional PKI cryptosystem, since no list of issued certificates needs to be maintained. One common feature of all previous identity-based systems is that they view identities as strings of characters, such as a name or email address. Here, we view an identity as a set of descriptive attributes, such as biometric identities, which fits the framework of identity-based systems very well.
Using a biometric identity, such as a fingerprint, as the identity has the following advantages:
(1) It is an inherent trait and will always be with the person;
(2) It is unique if the underlying biometric is of good quality.
Since biometric measurements are noisy, they cannot be used in existing identity-based systems directly. A new construction must tolerate the error introduced each time the identity is extracted. Sahai and Waters [59] presented the notion of Fuzzy Identity-based Encryption, which allows a private key to decrypt a ciphertext encrypted with a slightly different measurement of the same biometric. In this dissertation, we bring forward the notion of Fuzzy Identity-based Signature (at the same time, Zhenfu Cao et al. [83] also presented the same notion, with a scheme in the standard model), which allows a verifier with identity w' to verify a signature produced with the secret key for identity w if and only if w and w' are within a certain distance of each other, as judged by some metric.
Using the method of secret sharing, we construct a fuzzy identity-based signature scheme in the random oracle model using set overlap as the similarity measure between identities, while [83] presents a scheme in the standard model using the structure of the Waters signature. Unlike the encryption scheme, whose public key size grows linearly with the number of potential attributes, the public key in our signature scheme is simple and constant in size. We prove our construction weakly unforgeable against adaptively chosen-message attack.
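The set-overlap tolerance described in the fuzzy identity-based signature passages above (Chinese and English) rests on secret sharing over the attribute set: shares are issued per attribute, and any identity overlapping in at least d attributes can recombine. The Python block below is an added illustration of that mechanism, not the dissertation's scheme or its code: it works over a prime field rather than a pairing group, and the attribute labels, threshold and PRIME constant are constructed for the demo.

```python
"""Set-overlap tolerance via secret sharing, as used in fuzzy identity-based
schemes: the authority splits a master secret s into shares, one per attribute
of the identity omega, using a random polynomial of degree d-1 with p(0) = s.
A party holding identity omega' with |omega ∩ omega'| >= d can recombine s from
the shares on the overlapping attributes; with fewer overlaps, nothing is
recovered.

Constructed illustration of the mechanism, not the dissertation's scheme:
arithmetic is over a prime field instead of a pairing group, and the
recombined value stands in for the key material the real scheme derives.
"""
import hashlib
import secrets

# Constructed toy field modulus; real schemes use the order of a pairing group.
PRIME = (1 << 127) - 1  # 2^127 - 1, a Mersenne prime


def attr_to_point(attr: str) -> int:
    """Map an attribute label to a non-zero field element (its x-coordinate)."""
    h = int.from_bytes(hashlib.sha256(attr.encode()).digest(), "big") % PRIME
    return h or 1


def share_secret(secret, attrs, d):
    """Issue key shares for identity `attrs` with threshold d.
    Returns {attr: (x, y)} with y = p(x) for a random degree-(d-1) polynomial
    whose constant term is the secret."""
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(d - 1)]
    shares = {}
    for a in attrs:
        x = attr_to_point(a)
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of p(x)
            y = (y * x + c) % PRIME
        shares[a] = (x, y)
    return shares


def lagrange_at_zero(points):
    """Recombine p(0) from d points (x_i, y_i) by Lagrange interpolation."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recover_with_identity(shares, other_attrs, d):
    """Using identity omega' (other_attrs), pick d overlapping attributes and
    recombine. Returns None when the set overlap is below the threshold d."""
    overlap = [a for a in other_attrs if a in shares]
    if len(overlap) < d:
        return None
    return lagrange_at_zero([shares[a] for a in overlap[:d]])


def demo():
    """Constructed biometric-style attribute sets (feature-bucket labels)."""
    master = 0x1234_5678_9ABC_DEF0
    omega = {"f1", "f2", "f3", "f4", "f5"}        # enrolled identity
    close = {"f1", "f2", "f3", "f9", "f10"}       # 3 overlaps: a noisy re-read
    far = {"f1", "f11", "f12", "f13", "f14"}      # 1 overlap: a different person
    shares = share_secret(master, omega, d=3)
    return (recover_with_identity(shares, close, 3) == master,
            recover_with_identity(shares, far, 3) is None)
```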
4. Key Escrow Problem
The key escrow problem has been rooted in identity-based systems since their introduction, and it is a significant disadvantage, since the PKG knows all the users' secrets. In [22], Boneh and Franklin solved this problem to an extent by introducing multiple PKGs using threshold techniques, but this inevitably involves extra communication. There are many schemes [63,64,26] that combine the best aspects of identity-based cryptography and the public key infrastructure, among which certificateless public key cryptography is the most notable. Since its introduction, a lot of work has been done on its attack model and construction methods.
In the key generation algorithm defined in the original paper on certificateless public key cryptosystems and its successors, the PKG first generates a partial secret key (sk) for the user corresponding to the user's identity; then the user generates another partial secret/public key pair (sk_1/pk_1). This makes it impossible to sue a malicious PKG that replaces the user's secret/public key pair. In addition, a malicious PKG may choose special parameters to deduce the secret key set by the user.
In CRYPTO 2007, Goyal [73] introduced the concept of Accountable Authority Identity-based Encryption (A-IBE) to mitigate the key escrow problem. In his system, if the PKG ever maliciously generates and distributes a decryption key for an identity, it runs the risk of being found and prosecuted, since the user has only one possible decryption key.
We first carry Goyal's idea over to certificateless public key cryptography and swap the order in which the two secret keys are generated, i.e. the user first generates the secret/public key pair (sk_1/pk_1), and then the PKG generates another secret key corresponding to pk_1 and the user's identity. Thus the user has only one possible secret/public key pair.
In addition, we propose two concrete key generation algorithms. Using one of them, we construct a certificateless encryption scheme and a certificateless signature scheme, which are secure under adaptively chosen-ciphertext (respectively chosen-message) attack in the random oracle model. Furthermore, in the certificateless signature scheme, if we regard the public key rP as part of the user's identity and release it as part of the signature, so that the verifier can verify the signature using only the ID information, then the scheme is in fact an identity-based signature scheme secure against a malicious PKG.
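The reordered certificateless key generation in the key escrow passages above (Chinese and English) binds the PKG's partial key to (ID, pk_1), which is what lets a user produce evidence against a PKG that publishes a false key pair. The Python block below is an added model of that accountability property, not the dissertation's pairing-based construction: it stands in a toy Schnorr group with constructed parameters P, Q, G, represents the PKG's partial key as a Schnorr signature on ID||pk_1, and all function names and the identity string are hypothetical.

```python
"""Reordered certificateless key generation, modelled with Schnorr signatures:
the user first creates (sk1, pk1); the PKG then issues the partial key as a
signature on (ID, pk1) under its master key. Only the PKG can produce such
bindings, so two valid bindings of the same ID to different pk1 values are
evidence that the PKG misbehaved, which the original ordering could not give.

Constructed illustration: a toy Schnorr group over a safe prime stands in for
the dissertation's pairing-based construction, and the PKG's "partial key" is
modelled as a Schnorr signature rather than an actual decryption/signing key.
"""
import hashlib
import secrets

# Constructed toy parameters: P = 2Q + 1 is a safe prime and G = 4 generates
# the order-Q subgroup. Real deployments use standard-size groups.
P, Q, G = 2027, 1013, 4


def hash_to_zq(*parts) -> int:
    """Fiat-Shamir style challenge: hash the parts and reduce into Z_Q."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    """Generate a Schnorr key pair (x, y = G^x mod P)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def schnorr_sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = hash_to_zq(r, msg)
    s = (k - e * x) % Q
    return e, s


def schnorr_verify(y, msg, sig):
    e, s = sig
    r = (pow(G, s, P) * pow(y, e, P)) % P   # G^s * y^e = G^k when honest
    return hash_to_zq(r, msg) == e


# --- Certificateless key generation in the dissertation's order ---

def user_keygen():
    """Step 1 (user): choose (sk1, pk1) locally, before the PKG acts."""
    return keygen()


def pkg_issue_partial_key(msk, ident, pk1):
    """Step 2 (PKG): partial key bound to both the identity and the user's pk1."""
    return schnorr_sign(msk, f"{ident}|{pk1}")


def verify_binding(mpk, ident, pk1, partial):
    """Anyone holding the PKG's public key can check the (ID, pk1) binding."""
    return schnorr_verify(mpk, f"{ident}|{pk1}", partial)


def pkg_misbehaved(mpk, ident, binding_a, binding_b):
    """Accountability check: two valid bindings of one ID to distinct pk1
    values can only come from the PKG (forgery being negligible at real group
    sizes), so together they are evidence of a PKG publishing a false key
    pair for the user."""
    (pk_a, part_a), (pk_b, part_b) = binding_a, binding_b
    return (pk_a != pk_b
            and verify_binding(mpk, ident, pk_a, part_a)
            and verify_binding(mpk, ident, pk_b, part_b))


def demo():
    msk, mpk = keygen()                 # PKG master key pair
    sk1, pk1 = user_keygen()            # honest user's own pair (sk1 stays local)
    ident = "alice@example.org"         # constructed identity string
    partial = pkg_issue_partial_key(msk, ident, pk1)
    honest_ok = verify_binding(mpk, ident, pk1, partial)
    # A dishonest PKG later publishes a second, false pk1' for the same ID
    # (the loop only guards against an accidental collision in the toy group).
    _, false_pk1 = keygen()
    while false_pk1 == pk1:
        _, false_pk1 = keygen()
    false_partial = pkg_issue_partial_key(msk, ident, false_pk1)
    evidence = pkg_misbehaved(mpk, ident, (pk1, partial), (false_pk1, false_partial))
    return honest_ok, evidence
```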
References
[1] Diffie W and Hellman M. New directions in cryptography. IEEE Transactions on Information Theory, 1976, 22(6), pp.644-654.
[2] Rivest R, Shamir A and Adleman L. A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM, 1978, 21(2), pp.120-126.
[3] ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Information Theory, 1985, IT-31(4), pp.469-472.
[4] Schnorr C P. Efficient identification and signatures for smart cards. In: Advances in Cryptology - CRYPTO'89, LNCS 435. Berlin: Springer-Verlag, 1990, pp.239-252.
[5] National Institute of Standards and Technology, NIST FIPS PUB 186, Digital Signature Standard, U.S. Department of Commerce, May 1994.
[6] Fiat A and Shamir A. How to prove yourself: practical solutions to identification and signature problems. In: Advances in Cryptology - CRYPTO'86, LNCS 263. Berlin: Springer-Verlag, 1986, pp.186-194.
[7] Koblitz N. Elliptic curve cryptosystems. Mathematics of Computation, 1987, 48(177), pp.203-209.
[8] Miller V S. Use of elliptic curves in cryptography. In: Advances in Cryptology - CRYPTO'85, LNCS 218. Berlin: Springer-Verlag, 1986, pp.417-426.
[9] ANSI X9.62. Public key cryptography for the financial services industry: the elliptic curve digital signature algorithm (ECDSA), 1999.
[10] Shafi Goldwasser, Silvio Micali and Ronald L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput., 17(2), pp.281-308, 1988.
[11] Mihir Bellare and Phillip Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In CCS'93: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp.62-73, 1993. ACM Press.
[12] Chaum D. Blind signatures for untraceable payments. In: Advances in Cryptology - Proceedings of Crypto'82. New York: Plenum Publishing Corporation, 1982, pp.199-204.
[13] Chaum D, van Antwerpen H. Undeniable signatures. In: Advances in Cryptology - Proceedings of Crypto'89, LNCS 435. Berlin: Springer-Verlag, 1990, pp.212-216.
[14] Desmedt Y, Frankel Y. Shared generation of authentication and signature. In: Advances in Cryptology - CRYPTO'91, LNCS 576. Berlin: Springer-Verlag, 1991, pp.457-469.
[15] David Chaum and Eugene van Heyst. Group signatures. In Advances in Cryptology - EUROCRYPT 1991, Springer-Verlag, LNCS 547, pp.257-265, 1991.
[16] Chaum D. Designated confirmer signatures. In: Advances in Cryptology - Proceedings of EUROCRYPT'94, LNCS 950. Berlin: Springer-Verlag, 1994, pp.86-91.
[17] Mambo M, Usuda K and Okamoto E. Proxy signature. In: Proceedings of the 1995 Symposium on Cryptography and Information Security (SCIS'95). Inuyama, Japan, pp.147-158, Jan 1995.
[18] Rivest R, Shamir A, Tauman Y. How to leak a secret. In: Advances in Cryptology - ASIACRYPT'01, LNCS 2248. Berlin: Springer-Verlag, 2001, pp.552-565.
[19] Lysyanskaya A, Ramzan Z. Group blind digital signatures: A scalable solution to electronic cash. In: Financial Cryptography (FC98), LNCS 1465. Berlin: Springer-Verlag, 1998, pp.184-197.
[20] Zhang K. Threshold proxy signature schemes. In: Information Security Workshop (ISW'97), LNCS 1396. Berlin: Springer-Verlag, 1997, pp.191-197.
[21] A. Shamir. Identity based cryptosystems and signature schemes. In Advances in Cryptology - EUROCRYPT 1984, LNCS 196, pp.37-53. Springer, 1984.
[22] D. Boneh and M. Franklin. Identity based encryption from the Weil pairing. In Advances in Cryptology - CRYPTO 2001, LNCS 2139, pp.213-229. Springer, 2001.
[23] Zhang F, Safavi-Naini R, Susilo W. An efficient signature scheme from bilinear pairings and its applications. In: PKC 2004, LNCS 2947. Berlin: Springer-Verlag, 2004, pp.277-290.
[24] Zhang F, Kim K. ID-based blind signature and ring signature from pairings. In: Advances in Cryptology - ASIACRYPT 2002, LNCS 2501. Berlin: Springer-Verlag, 2002, pp.533-547.
[25] Sherman S. M. Chow, S. M. Yiu and Lucas C. K. Hui. Efficient identity based ring signature. Applied Cryptography and Network Security - ACNS 2005, LNCS 3531, pp.131-138.
[26] Sattam S. Al-Riyami and Kenneth G. Paterson. Certificateless public key cryptography. In Chi-Sung Laih, editor, ASIACRYPT 2003, LNCS 2894, pp.452-473. Springer, 2003.
[27] Bellare M. Practice-oriented provable-security. In: Modern Cryptology in Theory and Practice, LNCS 1561. Berlin: Springer-Verlag, 1999, pp.1-15.
[28] Tatsuaki Okamoto. Efficient blind and partially blind signatures without random oracles. In: Theory of Cryptography (TCC 2006), LNCS 3876, pp.80-99. Springer-Verlag, 2006.
[29] J.-H. An, Y. Dodis and T. Rabin. On the security of joint signature and encryption. In Advances in Cryptology - EUROCRYPT'02, LNCS 2332, pp.83-107. Springer, 2002.
[30] J. Benaloh and M. de Mare. One-way accumulators: A decentralized alternative to digital signatures. EUROCRYPT 1993, Springer-Verlag, LNCS 765, pp.274-285, 1993.
[31] N. Baric and B. Pfitzmann. Collision-free accumulators and fail-stop signature schemes without trees. EUROCRYPT 1997, Springer-Verlag, LNCS 1233, pp.480-494, 1997.
[32] L. Nguyen. Accumulators from bilinear pairings and applications. Cryptographers' Track, RSA (CT-RSA) 2005, Springer-Verlag, LNCS 3376, pp.275-292, 2005. Its full version is "Accumulators from Bilinear Pairings and Applications to ID-based Ring Signatures and Group Membership Revocation".
[33] R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. J. ACM, 51(4), pp.557-594, July 2004.
[34] G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik. A practical and provably secure coalition-resistant group signature scheme. In Proceedings of Crypto 2000, LNCS 2880, Springer-Verlag, 2000, pp.255-270.
[35] D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In Advances in Cryptology - CRYPTO 2004, LNCS 3152, Springer-Verlag, 2004, pp.41-55.
[36] D. Boneh and H. Shacham. Group signatures with verifier-local revocation. In Proceedings of ACM CCS 2004, ACM Press, 2004, pp.168-177.
[37] J. Camenisch. Efficient and generalized group signatures. In Advances in Cryptology - EUROCRYPT 1997, LNCS 4004, Springer-Verlag, 1997, pp.465-479.
[38] A. Kiayias and M. Yung. Group signatures with efficient concurrent join. In Advances in Cryptology - EUROCRYPT 2005, LNCS 4175, Springer-Verlag, 2005, pp.198-214.
[39] M. Bellare, D. Micciancio, and B. Warinschi. Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In Advances in Cryptology - EUROCRYPT 2003, LNCS 2656, Springer-Verlag, 2003, pp.614-629.
[40] Jens Groth. Simulation-sound NIZK proofs for a practical language and constant size group signatures. In ASIACRYPT 2006, LNCS 4146, pp.444-459, 2006.
[41] Giuseppe Ateniese, Jan Camenisch, Susan Hohenberger and Breno de Medeiros. Practical group signatures without random oracles. Cryptology ePrint Archive, Report 2005/385, 2005. http://eprint.iacr.org.
[42] X. Boyen and B. Waters. Compact group signatures without random oracles. In Advances in Cryptology - EUROCRYPT 2006, LNCS 4004, Springer-Verlag, 2006, pp.427-444.
[43] J. Groth, R. Ostrovsky, and A. Sahai. Perfect non-interactive zero knowledge for NP. In Advances in Cryptology - EUROCRYPT 2006, LNCS 4004, Springer-Verlag, 2006, pp.339-358.
[44] Xavier Boyen and Brent Waters. Full-domain subgroup hiding and constant-size group signatures. In Public Key Cryptography (PKC 2007), Springer-Verlag, LNCS 4450, pp.1-15, 2007.
[45] Liu J K, Wei V K and Wong D S. Linkable spontaneous anonymous group signature for ad-hoc groups (extended abstract). In: ACISP'04, LNCS 3108. Berlin: Springer-Verlag, 2004, pp.325-335.
[46] Man Ho Au, Sherman S. M. Chow, Willy Susilo and Patrick P. Tsang. Short linkable ring signatures revisited. In: EuroPKI 2006, LNCS 4043, pp.101-115, 2006.
[47] Lee K C, Wen H A and Hwang T. Convertible ring signature. IEE Proc.-Commun., 2005, 152(4), pp.411-414.
[48] Bresson E, Stern J, Szydlo M. Threshold ring signatures and applications to ad-hoc groups. In: Crypto 2002, LNCS 2442. Berlin: Springer-Verlag, 2002, pp.465-480.
[49] Fangguo Zhang and Kwangjo Kim. ID-based blind signature and ring signature from pairings. Advances in Cryptology - ASIACRYPT 2002, LNCS 2501, pp.533-547.
[50] Javier Herranz and German Saez. New identity-based ring signature schemes. International Conference on Information and Communications Security - ICICS 2004, LNCS 3269, pp.27-39.
[51] Sherman S. M. Chow, S. M. Yiu and Lucas C. K. Hui. Efficient identity based ring signature. Applied Cryptography and Network Security - ACNS 2005, LNCS 3531, pp.27-36.
[52] Chow S S M, Liu R W C, Hui L C K, Yiu S M. Identity-based ring signature: why, how and what next. In: EuroPKI 2005, LNCS 3545. Berlin: Springer-Verlag, 2005, pp.144-161.
[53] Uriel Feige, Amos Fiat and Adi Shamir. Zero knowledge proofs of identity. In STOC'87: 19th Annual ACM Symposium on Theory of Computing. New York, USA, 1987, pp.210-217. ACM Press.
[54] Jan Camenisch and Markus Stadler. Efficient group signature schemes for large groups (extended abstract). In CRYPTO 1997, LNCS 1294, pp.410-424. Springer-Verlag, 1997.
[55] Yevgeniy Dodis, Aggelos Kiayias, Antonio Nicolosi and Victor Shoup. Anonymous identification in ad hoc groups. In EUROCRYPT 2004, LNCS 3027, pp.609-626. Springer-Verlag, 2004.
[56] Fabian Monrose, Michael K. Reiter, Q. Li, Daniel Lopresti and Chilin Shih. Towards voice generated cryptographic keys on resource constrained devices. In Proceedings of the 11th USENIX Security Symposium, 2002, pp.381-387.
[57] Xavier Boyen. Reusable cryptographic fuzzy extractors. In ACM Conference on Computer and Communications Security - CCS 2004, pp.67-75, 2004.
[58] Danfeng Yao, Nelly Fazio, Yevgeniy Dodis and Anna Lysyanskaya. ID-based encryption for complex hierarchies with applications to forward security and broadcast encryption. In ACM Conference on Computer and Communications Security - CCS 2004, pp.45-56, 2004.
[59] A. Sahai and B. Waters. Fuzzy identity-based encryption. In Advances in Cryptology - EUROCRYPT 2005, LNCS 3494, pp.457-473. Springer, 2005.
[60] Vipul Goyal, Omkant Pandey, Amit Sahai, Brent Waters. Attribute-based encryption for fine-grained access control of encrypted data. ACM Conference on Computer and Communications Security 2006, pp.89-98.
[61] A. Beimel. Secure schemes for secret sharing and key distribution. PhD thesis, Israel Institute of Technology, Technion, Haifa, Israel, 1996.
[62] A. Shamir. How to share a secret. Commun. ACM, 22(11), pp.612-613, 1979.
[63] Craig Gentry. Practical identity-based encryption without random oracles. EUROCRYPT 2006, LNCS 4004, pp.445-464. Springer, 2006.
[64] Byoungcheon Lee, Colin Boyd, Ed Dawson, Kwangjo Kim, Jeongmo Yang and Seungjae Yoo. Secure key issuing in ID-based cryptography. In James M. Hogan, Paul Montague, Martin K. Purvis and Chris Steketee, editors, ACSW Frontiers, volume 32 of CRPIT, pp.69-74. Australian Computer Society, 2004.
[65] Bessie C. Hu, Duncan S. Wong, Zhenfeng Zhang and Xiaotie Deng. Certificateless signature: a new security model and an improved generic construction. Des. Codes Crypt. (2007) 42, pp.109-126.
[66] Bessie C. Hu, Duncan S. Wong, Zhenfeng Zhang and Xiaotie Deng. Key replacement attack against a generic construction of certificateless signature. L. Batten and R. Safavi-Naini, editors: ACISP 2006, LNCS 4058, pp.235-246, 2006.
[67] B. Libert and J. J. Quisquater. On constructing certificateless cryptosystems from identity based encryption. In 9th International Conference on Theory and Practice in Public Key Cryptography, LNCS 3958, pp.474-490. Springer, 2006.
[68] A. W. Dent. A survey of certificateless encryption schemes and security models. Cryptology ePrint Archive, Report 2006/211, 2006. http://eprint.iacr.org/2006/211
[69] Xinyi Huang, Willy Susilo, Yi Mu and Futai Zhang. Certificateless designated verifier signature scheme. Proceedings of the 20th International Conference on Advanced Information Networking and Applications (AINA'06), pp.234-240.
[70] Sherman S. M. Chow and Wun-She Yap. Certificateless ring signatures. Cryptology ePrint Archive, Report 2007/236. http://eprint.iacr.org/2007/236.
[71] D. H. Yum and P. J. Lee. Generic construction of certificateless encryption. LNCS 3043, pp.802-811, Springer-Verlag, Berlin, 2004.
[72] Dan Boneh and Xavier Boyen. Efficient selective-ID secure identity based encryption without random oracles. In Proceedings of the International Conference on Advances in Cryptology, LNCS 2174, pp.37-46. Springer-Verlag, 2004.
[73] Vipul Goyal. Reducing trust in the PKG in identity based cryptosystems. In Advances in Cryptology - CRYPTO 2007, LNCS 4450, pp.430-447. Springer, 2007.
[74] Brent Waters. Efficient identity-based encryption without random oracles. In Advances in Cryptology - EUROCRYPT 2005, Springer-Verlag, LNCS 3494, pp.114-127, 2005.
[75] D. Boneh and Xavier Boyen. Short signatures without random oracles. In Christian Cachin and Jan Camenisch, editors, CRYPTO 2001, LNCS 3152, pp.56-73, Springer, 2004.
[76] J. Camenisch and M. Stadler. Proof systems for general statements about discrete logarithms. Technical Report 260, Institute for Theoretical Computer Science, ETH Zurich, 1997.
[77] Florian Hess. Efficient identity based signature schemes based on pairings. In Kaisa Nyberg and Howard M. Heys, editors, SAC 2002, LNCS 2595, pp.310-324. Springer, 2002.
[78] Kenneth G. Paterson and Jacob C. N. Schuldt. Efficient identity-based signatures secure in the standard model. ACISP 2006, LNCS 4058, pp.207-222. Springer, 2006.
[79] Wei Gao, Guilin Wang, Xueli Wang, and Dongqing Xie. Controllable ring signatures. The 7th International Workshop on Information Security Applications (WISA 2006), LNCS 4017, pp.175-181, Springer-Verlag, 2006.
[80] G. I. Davida, Y. Frankel and B. J. Matt. On enabling secure applications through off-line biometric identification. In IEEE Symposium on Security and Privacy, 1998.
[81] Junzuo Lai and Weidong Kou. Self-generated-certificate public key encryption without pairing. PKC 2007, LNCS 4450, pp.476-489. Springer-Verlag, 2007.
[82] Jingwei Liu, Rong Sun, Weidong Kou and Xin-mei Wang. Efficient ID-based signature without trusted PKG. http://mirror.cr.yp.to/eprint.iacr.org/2007/135
[83] Piyi Yang, Zhenfu Cao and Xiaolei Dong. Fuzzy identity based signature. http://mirror.cr.yp.to/eprint.iacr.org/2008/002
[84] Joonsang Baek and Yuliang Zheng. Identity-based threshold signature from bilinear pairings. ITCC (1) 2004, pp.124-128.
[85] Man Ho Au, Joseph K. Liu, Willy Susilo and Tsz Hon Yuen. Constant-size ID-based linkable and revocable-iff-linked ring signature. Progress in Cryptology - INDOCRYPT 2006, LNCS 4329, pp.364-378.
