摘要
当前,互联网上的各类应用已经成为现实生活中无所不在的事物,致使如何实现以匿名方式代表所属群体进行签名或者对群成员身份进行匿名认证成为一项具有挑战性的任务。在许多基于网络的应用中,经常需要为合法用户(即注册的群成员)授予某种特权。当行使权力时,用户需要通过展示签名或者与群权威执行认证协议来证明自己的合法身份。另一方面,用户开始对敏感的个人信息予以关注,并且逐渐地意识到隐私保护的重要性。因此,用户需要能用于将其真实身份隐匿在群体之中的有效机制。
在现代密码学的研究中,为了解决上述问题,要求以知识证明协议、分布式密码协议等为核心技术手段,同时以数字签名、公钥加密、群签名、匿名认证等本原为基本模块,从而构造各类面向群体的安全协议。本论文围绕面向群体的匿名协议的设计以及所得协议安全性的形式化分析展开了研究,并且在特殊群签名、k次匿名认证以及多重息票系统的研究领域取得了多项成果。
在面向群体的密码学中,群签名方案是一类有用的秘密认证工具。在此类本原的定义中,群成员能以匿名方式代表群体产生对任意消息的签名。任何人都能验证给定签名的有效性,但无法获得有关原始签名者的任何信息。此外,在计算上难以断定两个或多个群签名是否源自同一个群成员。负责为新成员颁发证书的群权威(GA)享有对群体的管理权。在特殊情况下(如捕获了非法行为),指定的追踪权威(TA)通过打开可疑签名实现对恶意签名者的身份追踪。当前,传统群签名的定义已经得到深入地研究并加以推广,提出了许多更为实用的变体,诸如层次群签名,自组群签名,隐匿的基于身份的签名,数据挖掘群签名,表达性子群签名,匿名代理签名,等等。
标准群签名方案通常采用以下两种方式打开签名:即(ⅰ)TA能独立地打开签名,但要求GA公开用户列表,即成员身份目录。(ⅱ)GA负责维护用户列表,TA必须在GA的协助下打开签名。最近,Kiayias等人指出群签名方案无法直接应用于匿名证书系统。原因在于,在情况(ⅰ)下,打开操作要求GA公开用户列表,而这显然将严重地损害用户的隐私。在情况(ⅱ)下,TA无法向服务供应商提供自己能打开争议签名的保证,从而导致后者对匿名系统的限制性使用。为此,Kiayias等人引入了称为隐匿的基于身份的签名(简称HIDS)的新颖概念。在此类方案中,TA能以独立于身份管理员IM(对应于GA)的方式打开签名,且IM无需公开匿名系统的用户列表。Kiayias等人设计了第一个利用双线性对构造的HIDS方案,但是容易遭受陷害攻击和选择密文攻击。同时,原始方案并未解决联合共享追踪私钥的问题。利用基于判定线性假设的Shacham加密方案,联合的随机可验证的秘密分享协议,联合的零知识的知识证明等技术,构造了两个改进方案。除了满足不可陷害性和选择密文攻击下的匿名性,第二个方案还支持对分布式追踪服务器的部署,并且能有效地抵抗具有较强攻击能力的动态攻击者。为此,首先利用Canetti-Goldwasser范例和Jarecki等人的无擦除门限技术设计了底层Shacham加密方案的门限版本。功能及效率分析可知,新方案满足更好的实用性和安全性。
典型的匿名认证方案允许用户在不泄露真实身份的情况下认证自己的身份。为此,匿名用户需要证明自己拥有成员证书。此外,在许多基于互联网的应用(如试用浏览,云存储服务等)中,应用提供者需要限制用户的访问次数。在ASIACRYPT2004会议上,Teranishi等人首次提出k次匿名认证(简称k-TAA)的概念。k-TAA方案中的实体包括群管理员,多个用户以及多个服务供应商(SP)。最初,用户应当与群管理员执行注册协议。然后,每个AP宣布用户能访问其应用或资源的最大次数。在执行匿名的访问过程之前,注册用户应当向AP认证自己的身份。需要强调的是,与群签名方案相比,k-TAA方案实现了更强的匿名性等级。换句话说,在k-TAA方案中,即使拥有很大权力的群管理员也无法撤销诚实用户的匿名性,条件是用户认证并访问服务的次数不超过预先设定的次数k。在AP看来,k-TAA方案实现了更强的可追踪性,因为任何实体都能根据公开的认证日志实现对不诚实用户(企图超过所允许的次数进行访问)的追踪,而在群签名方案下,只有群管理员拥有这种追踪能力。在ACNS2005会议上,Nguyen等人指出AP实际上希望能自行建立用户群体并对群体进行管理,即自己有能力授予或撤销用户的访问权利。为此,Nguyen等人引入了一个新的概念,即动态k-TAA方案。然而,Teranishi等人以及Nguyen等人方案的主要缺点是认证阶段的运算耗费为O(k)。此后,Nguyen与Teranishi等人又分别提出了认证协议的复杂度独立于k的改进方案。尽管实现了更为高效的认证过程,但为此付出的代价是使得AP公钥的存储耗费为O(k),而且要求AP必须保持诚实。在SCN2006会议上,Au等人提出了认证耗费为O(log(k))的动态k-TAA方案。最近,Emura等人强调,在已有的k-TAA方案中,k为固定的参数,这表明AP为所有用户设置了相同的最大访问次数。在某些应用中,若能根据用户支付的费用为其设置不同的访问次数上界则更为可取。为此,Emura等人提出了所谓的k-TRAA方案,即k次放宽的匿名认证。然而,该方案并不满足典型k-TAA方案要求的匿名性,因为与相同的AP产生的两个认证协议副本是可以相互关联的。
在已有的k次匿名方案中,尚存在以下两个未决问题:1)如何实现允许服务供应商为每个用户设置不同的访问次数上界,同时不能以损失用户的匿名性作为代价。2)如何防止恶意用户发动大规模的克隆攻击。为此,提出一个实用的改进方案。新方案使用了多个关键技术,包括关于“一个被承诺元素小于另一个被承诺元素”的知识证明,双线性群上的动态累加器和基于n次可展示令牌的克隆攻击检测技术等。改进方案在扩展的Teranishi-Furukawa-Sako模型下满足此类方案要求的全部性质,即正确性、可检测性、匿名性、用户的可开脱性、GM的可开脱性以及AP的可开脱性。此外,新方案的成员注册协议是并发安全的,因而适合于实际的异步网络环境(如互联网)。
息票通常是由制造商或销售商发布的,它们经常出现在报纸、杂志或传单中。息票是一种有效的广告和促销手段,方法是通过提供折扣或礼品以促使顾客购买某种商品。最近,互联网成为传统息票的发布媒介,即顾客可以自由下载并打印位于商家网站上的息票,并且采用与其他纸质息票类似的方式兑现商品。多重息票(简称MC)是新兴的电子息票的特殊形式,它是由多张普通电子息票构成的。在实际应用中,发布一张价值为m的MC远比独立地发布m张普通电子息票高效得多。实用的多重息票系统(MCS)必须满足两个重要性质,即不可分割性和无关联性。前者旨在保护商家的利益,即不允许两个顾客将一张MC分成多份,从而能以独立方式使用这些份额。后者的含义是,无论是在发布阶段,还是在兑现阶段,顾客都能保持匿名。需要强调的是,MCS并不等同于电子现金方案,因为前者无需提供银行参与以及追踪恶意用户的机制。
当前,MCS设计中的主要困难是如何设计能自由设置息票价值的发布协议且所得协议的复杂性并不依赖于该价值,以及如何为兑现协议提供高效、多样的兑现机制。为此,提出两个具备改进的效率与功能的系统。新系统分别利用Chaabouni等人的离散对数区间证明技术和Canard等人的关于被承诺元素的知识证明技术实现了对息票价值的灵活设置,并且利用Peng等人的批量零知识证明与验证技术对兑现协议的运算复杂度进行了优化。新系统在Nguyen的形式化模型下满足可证安全,而且首次满足了实际应用中的所有理想特性,即并发发布、紧凑性、成批兑现以及支持设置息票对象和过期日期。性能分析表明,新系统的通信与运算耗费显著低于已有的同类系统。
已有的MCS并未明确地考虑并发执行的情况,而且它们都是在随机预言模型下设计的。此外,已有系统的底层签名方案都是基于q-SDH (the q-Strong Diffie-Hellman)假设或SRSA (the Strong RSA)假设。然而,q-SDH假设存在安全隐患,且基于SRSA假设的系统通信效率不高。为此,提出两个并发安全的改进系统。第一个系统是利用关于两个被承诺值的准确区间证明和2轮并发零知识论证的Sigma协议编译器对底层的Blanton方案进行扩展得到的。第二个系统(即前一个系统的增强版本)利用直线提取技术实现了更为高效的安全性归约过程,并借助基于同态加密的非交互零知识论证避免了对随机预言机的使用。与其他的同类系统相比,第一个系统具有更高的通信效率,且第二个系统的安全性并不依赖于随机预言机。
Nowadays, diversified applications over the Internet become ubiquitous in people's daily lives. This fact makes it a challenging task that how to sign anonymously on behalf of the group or authenticate incognito one's group membership. In many web-based applications, some kind of privilege is often assigned to valid users, i.e., registered group members. When exercising their rights, users need to convince others that they have authentic membership by showing certain digital signatures to the designated verifier or carrying out authentication protocols with the group authority. Meanwhile, users are gradually concerned with their sensitive personal information and become aware of the importance of privacy protection. As a result, they need effective means to hide their real identities in the group.
From the viewpoint of modern cryptography, the above problems can be solved by employing the key techniques of the proof of knowledge, distributed cryptographic protocol, etc. Moreover, digital signature schemes, encryption schemes, anonymous authentication protocols are fundamental cryptographic primitives which are adopted as useful building blocks in the construction of various group-oriented secure cryptosystems. This dissertation investigates the design method of group-oriented anonymous protocols as well as the formal analysis of the resultant protocols. As the contribution, several schemes are proposed which pertain to the active research field of special group signatures, k-times anonymous authentications and multi-coupon systems.
Group signatures are a kind of powerful private authentication tool in group-oriented cryptography. In the definition of this primitive, group members can anonymously sign arbitrary messages on behalf of the group. Anyone can check the validity of the given signature, but cannot obtain any information about the original signer. Moreover, it is computationally intractable to determine whether two or more signatures originate from the same group member. The group authority (GA), who has the ability of issuing membership certificates to new members, takes charge of the group. In special circumstance (e.g. when illegal behavior is caught), the designated tracing authority (TA) can revoke anonymity of the malicious signer by opening the suspectable signature. To date, the traditional definition of group signature has been further studied and it has been generalized to many variants, such as hierarchical group signatures, ad hoc group signatures, hidden identity-based signatures, data mining group signatures, expressive subgroup signatures, anonymous proxy signatures, etc.
Generally, there are two ways for the opening of a standard group signature, i.e.,(ⅰ) the TA is able to revoke the anonymity of any signature, but it is required that the GA publish the list of users, i.e., membership directory;(ⅱ) the list of users is secretly maintained by the GA, and the TA can only open an offending signature with the help of the GA. Recently, Kiayias et al. pointed out that group signatures cannot be directly applied to anonymous credential systems. The reason is that, in case (ⅰ), publishing the membership directory would seriously violate the users'privacy; in case (ⅱ), the TA cannot assure a service provider that it can open an offending signature, which leads to restricted use of the anonymous system. For this reason, Kiayias et al. introduced a novel concept of hidden identity-based signatures (abbreviated asHTDS). InHIDS, the TA is independent of the IM (which corresponds to the GA in group signature schemes) for its opening operation and the IM does not have to publish a list of users of the anonymous system. Kiayias et al. firstly proposed the HIDS from bilinear pairings. Unfortunately, their scheme is vulnerable to the framing attack and the chosen ciphertext attack. Furthermore, the original scheme does not support the joint sharing of the tracing key. Two improved schemes were put forth by employing the techniques of the Shacham encryption based on the linear assumption, the joint random VSS (Verifiable Secret Sharing) protocol, the simultaneous zero-knowledge proof of knowledge, etc. Besides no framing and anonymity under the chosen ciphertext attack, the second new scheme achieves the deployment of distributed tracing servers and the resistance of the powerful dynamic attacker at the same time. To meet this goal, the threshold version of the underlying Shacham encryption was firstly provided by using the Canetti-Goldwasser paradigm and the erasure-free threshold protocols by Jarecki et al. Functionality and efficiency analysis indicates that the new schemes achieve the higher level of practicability and security.
Typical anonymous authentication schemes allow the authentication of users without disclosing their real identities. In such schemes, anonymous users authenticate themselves by demonstrating the possession of membership credentials. Moreover, in many applications on the Internet (such as trial browsing of content, cloud storage services, etc), the application provider need to put restrictions on the number of times users can access. In ASIACRYPT2004, Teranishi et al. firstly proposed the notion of k-times anonymous authentication (abbreviated as k-TAA). The entities in k-TAA include a group manager, many users, and several service providers (SP). Initially, users should carry out a registration protocol with the group manager. Then, each AP announces the maximum number of times that users can access their application or resource. Before the process of anonymous access, the registered users should authenticate themselves to certain AP. To note that, compared with group signature schemes, k-TAA scheme can achieve a higher anonymity level. In other words, in k-TAA schemes, even the powerful group manager cannot revoke the anonymity of honest users, i.e., they authenticate themselves and enjoy the service provided by AP within the predetermined number (i.e., k). From AP's standpoint, k-TAA schemes provide stronger version of traceability, which means that any entity can make tracks for the dishonest user (who attempts to access the service more than he is allowed for) with the public authentication log without the help of the group manager or AP, while in group signature schemes only the group manager has this tracing ability. In ACNS2005, Nguyen et al. pointed out that in reality, APs would like to setup user group and manage the group on their own, i.e., they are able to grant or revoke users' access right. Activated by this motive, Nguyen et al. introduced a new concept, namely dynamic k-TAA. Unfortunately, the main problem with the schemes of Teranishi et al. and Nguyen et al. is that the computational cost of authentication phase is of order O(k). Later on, Nguyen and Teranishi et al. respectively suggested their revised schemes, in which the complexity of authentication protocol is independent of k. But their advantages in efficiency over authentication protocol were obtained at the sacrifice of the storage cost of AP's public key, i.e., O(k). In addition, their schemes required that AP must keep honest. In SCN2006, Au et al. put forth a dynamic k-TAA scheme with the authentication complexity of O(log(k)). Very recently, Emura et al. stressed that in previous k-TAA schemes, k is a fixed parameter, which implies that all users have the same maximum number for access. In some applications, it appears preferable to grant different maximum number for each user according to the money they has paid. To this end, Emura et al. put forward a k-TRAA scheme, which means k-times relaxed anonymous authentication. However, their scheme does not satisfy the property of anonymity required by typical k-TAA schemes, because two transcripts of authentication protocol generated with the same AP can be linked with each other.
In previous works of k-times anonymous authentication, two problems have not been properly solved:1) how to allow application providers to assign different maximal numbers of access for each user without weakened anonymity, and2) how to protect against massive clone attacks mounted by malicious users. To overcome these obstacles, a revised scheme was proposed. It incorporated several crucial tools including the proof that a committed value is less than another committed value, dynamic accumulator, the method of cloning detection based on n-times show e-tokens, etc. The revised scheme is proved secure in the extended Teranishi-Furukawa-Sako model, i.e., correctness, total anonymity, exculpability of users, exculpability of the GM, exculpability of APs and detectability. Moreover, the registration protocol of the new scheme is concurrently-secure, so it is fit for the deployment in realistic asynchronous network setting (e.g., Internet).
Coupons are usually issued by manufacturers or vendors and they often appear in newspapers, journals, or flyers. Coupons are effective means for advertisement and sales promotion. They push customers to buy certain merchandise by providing appealing discount prices or gifts. Nowadays, coupons can be distributed over the Internet, which means customers can freely download and print coupons placed on vendor's web site and use them as other paper-based coupons. Multi-coupons (MC) are special form of emerging e-coupons, and they can be viewed as a collection of e-coupons which can be redeemed only once. In practice, issuing a multi-coupon with the value of m is more efficient than issuing m regular e-coupons independently. A secure multi-coupon system (MCS) should fulfill two crucial properties, i.e., unsplittability and unlinkability. The unsplittability aims to protect the benefit of vendors, i.e., two customers cannot split a MC into multiple shares, so that they can redeem the shares independently. The unlinkability means customers should keep anonymous during the process of issuing or redeeming. It is worth noting that MCS is not equal to e-cash schemes, because MCS needs not provide the mechanisms for the participation of bank and the tracing of malicious users.
So far, one main obstacle in constructing MCSs is how to devise an efficient issue protocol in which the value of the MCs can be chosen freely and the complexity of the resultant protocol is not dependent on the value of the MCs. Another obstacle is how to provide efficient and flexible mechanisms for redemption protocol. To overcome these problems, two revised systems with improved efficiency and functionality were put forth. In order to specify the value of MCs flexibly, the new systems employed the discrete logarithm based range proof by Chaabouni et al. and the knowledge proof of committed values by Canard et al. respectively. In addition, the computation complexities of redemption protocols were optimized by making use of the batch zero-knowledge proof and verification by Peng et al. It can be proved that the new systems are secure in Nguyen's security model for MCS. Moreover, the new systems for the first time achieve all the desirable features required in applications, i.e., concurrent issuing, compactness, batch redeeming, as well as supporting coupon's object and its expiration date. Furthermore, performance comparison shows that their communication and computation overheads are significantly lower than the previous systems of the same type.
Previous MCSs do not explicitly consider the circumstance of concurrent execution and they are all designed in the random oracle model. Furthermore, these systems are based on the q-SDH (i.e., q-Strong Diffie-Hellman) assumption or the SRSA (i.e. Strong RSA) assumption. However, the q-SDH assumption was recently found to have some weakness in security, while the systems built on RSA groups require expensive communication bandwidth. These obstacles were remedied by providing two improved systems with concurrent security. The first system was obtained by extending the underlying scheme of Blanton with the precise range proof of two committed values and the Sigma-compiler for two round concurrent zero-knowledge argument. The second system (i.e., the strengthened version of the first one) achieved more efficient security reduction by incorporating the straight-line extraction paradigm and removed random oracles by using the non-interactive zero-knowledge argument from homomorphic encryption. Compared with other strongly unsplittable systems, the first system has better communicational efficiency and the second one does not rely on random oracles.
引文
[1]M. Bellare, P. Rogaway. Random oracles are practical:a paradigm for designing efficient protocols. In:Proceedings of ACM CCS 1993, ACM Press,1993, pp.62-73.
[2]R. Canetti, O. Goldreich, S. Halevi. The random oracle methodology, revisited. In: Proceedings of STOC 1998, ACM Press,1998, pp.209-218.
[3]V. Shoup, R. Gennaro. Securing threshold cryptosystems against chosen ciphertext attack. Journal of Cryptology,2002,15(2):75-96.
[4]M.-F. Lee, N.P. Smart, B. Warinschi. The Fiat-Shamir transform for group and ring signature schemes. In:Proceedings of SCN 2010, LNCS 6280, Berlin:Springer-Verlag,2010, pp.363-380.
[5]T. Nakanishi, H. Fujii, Y. Hira, et al. Revocable group signature schemes with constant costs for signing and verifying. In:Proceedings of PKC 2009, LNCS 5443, Berlin:Springer-Verlag, 2009, pp.463-480.
[6]R. Pass. Alternative variants of zero-knowledge proofs. Licentiate Thesis, Stockholm, Sweden, 2004.
[7]M. Blum, P. Feldman, S. Micali. Non-interactive zero-knowledge and its applications. In: Proceedings of STOC 1988, ACM Press,1988, pp.103-112.
[8]I. Damgard. Efficient concurrent zero-knowledge in the auxiliary string model. In:Proceedings of EUROCRYPT 2000, LNCS 1807, Berlin:Springer-Verlag,2000, pp.418-430.
[9]A. Kiayias, H.-S. Zhou. Concurrent blind signatures without random oracles. In:Proceedings of SCN 2006, LNCS 4116, Berlin:Springer-Verlag,2006, pp.49-62.
[10]B. Barak, R. Canetti, J. B. Nielsen, et al. Universally composable protocols with relaxed set-up assumptions. In:Proceedings of FOCS 2004, IEEE Computer Society,2004, pp.186-195.
[11]I. Damgard, N. Fazio, A. Nicolosi. Non-interactive zero-knowledge from homomorphic encryption. In:Proceedings of TCC 2006, LNCS 3876, Berlin:Springer-Verlag,2006, pp.41-59.
[12]C. Dwork, M. Naor, A. Sahai. Concurrent zero-knowledge. In:Proceedings of STOC 1998, ACM Press,1998, pp.409-418.
[13]J. Camenisch, M. Stadler. Efficient and generalized group signatures (extended abstract). In: Proceedings of EUROCRYPT 1997, LNCS 1233, Berlin:Springer-Verlag,1997, pp.465-479.
[14]M. Chase, A. Lysyanskaya. On signatures of knowledge. In:Proceedings of CRYPTO 2006, LNCS 4117, Berlin:Springer-Verlag,2006, pp.78-96.
[15]J. A. Garay, P. MacKenzie, K. Yang. Strengthening zero-knowledge protocols using signatures. Journal of Cryptology,2006,19(2):169-209.
[16]Y. Dodis. V. Shoup. S. Walfish. Efficient constructions of composable commitments and zero-knowledge proofs. In:Proceedings of CRYPTO 2008, LNCS 5157, Berlin:Springer-Verlag,2008, pp.515-535.
[17]M. Bellare, J. A. Garay, T. Rabin. Fast batch verification for modular exponentiation and digital signatures. In:Proceedings of EUROCRYPT 1998, LNCS 1403, Berlin:Springer-Verlag, 1998, pp.236-250.
[18]K. Peng, C. Boyd, E. Dawson. Batch zero knowledge proof and verification and its applications. ACM Transactions on Information and System Security,2007,10(2):1-28.
[19]K. Peng, F. Bao. Batch ZK proof and verification of OR logic. In:Proceedings of INSCRYPT 2008, LNCS 5487, Berlin:Springer-Verlag,2009, pp.141-156.
[20]K. Peng, F. Bao. Batch range proof for practical small ranges. In:Proceedings of AFRICACRYPT 2010, LNCS 6055, Berlin:Springer-Verlag,2010, pp.114-130.
[21]R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin. Secure distributed key generation for discrete-log based cryptosystems. In:Proceedings of EUROCRYPT 1999, LNCS 1592, Berlin: Springer-Verlag,1999, pp.295-310.
[22]刘木兰,张志芳.密钥共享体制和安全多方计算.电子工业出版社,2008.
[23]徐秋亮.改进门限RSA数字签名体制.计算机学报,2000,23(5):449-453.
[24]R. Canetti, R. Gennaro, S. Jarecki, et al. Adaptive security for threshold cryptosystems. In: Proceedings of CRYPTO 1999, LNCS 1666, Berlin:Springer-Verlag,1999, pp.98-116.
[25]S. Jarecki, A. Lysyanskaya. Adaptively secure threshold cryptography:introducing concurrency, removing erasures. In:Proceedings of EUROCRYPT 2000, LNCS 1807, Berlin: Springer-Verlag,2000, pp.221-242.
[26]B. Libert, M. Yung. Adaptively secure non-interactive threshold cryptosystems. In: Proceedings of ICALP 2011, LNCS 6756, Berlin:Springer-Verlag,2011, pp.588-600.
[27]J.C. Benaloh, M. de Mare. One-way accumulators:a decentralized alternative to digital signatures (Extended Abstract). In:Proceedings of EUROCRYPT 1993, LNCS 765, Berlin: Springer-Verlag,1993, pp.274-285.
[28]J. Camenisch, A. Lysyanskaya. Dynamic accumulators and application to efficient revocation of anonymous credentials. In:Proceedings of CRYPTO 2002, LNCS 2442, Berlin: Springer-Verlag,2002, pp.61-76.
[29]L. Nguyen. Accumulators from bilinear pairings and applications. In:Proceedings of CT-RSA 2005, LNCS 3376, Berlin:Springer-Verlag,2005, pp.275-292.
[30]J. Lapon, M. Kohlweiss, B. D. Decker, et al. Performance analysis of accumulator-based revocation mechanisms. In:Proceedings of SEC 2010, IFIP AICT 330,2010, pp.289-301.
[31]D. Boneh, X. Boyen, H. Shacham. Short group signatures. In:Proceedings of CRYPTO 2004, LNCS 3152, Berlin:Springer-Verlag,2004, pp.41-55.
[32]J. Camenisch, S. Hohenberger, A. Lysyanskaya. Compact e-cash. In:Proceedings of EUROCRYPT 2005, LNCS 3494, Berlin:Springer-Verlag,2005, pp.302-321.
[33]D. Boneh, X. Boyen. Efficient selective-ID secure identity-based encryption without random oracles. In:Proceedings of EUROCRYPT 2004, LNCS 3027, Berlin:Springer-Verlag,2004 pp. 223-238.
[34]J. Camenisch, A. Lysyanskaya. Signature schemes and anonymous credentials from bilinear maps. In:Proceedings of CRYPTO 2004, LNCS 3152, Berlin:Springer-Verlag,2004, pp.56-72.
[35]P. Bichsel, J. Camenisch, G. Neven, et al. Get shorty via group signatures without encryption. In:Proceedings of SCN 2010, LNCS 6280, Berlin:Springer-Verlag,2010, pp.381-398.
[36]M. Bellare, A, Palacio. The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. In:Proceedings of CRYPTO 2004, LNCS 3152, Berlin: Springer-Verlag,2004, pp.227-232.
[37]S. Arita. A straight-line extractable non-malleable commitment scheme. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences,2007, E90-A(7): 1384-1394.
[38]D. Chaum, E. van Heyst. Group signatures. In:Proceedings of EUROCRYPT 1991, LNCS 547, Berlin:Springer-Verlag,1991, pp.257-265.
[39]G. Ateniese, J. Camenisch, M. Joye, et al. A practical and provably secure coalition-resistant group signature scheme. In:Proceedings of CRYPTO 2000, LNCS 1880, Berlin:Springer-Verlag, 2000, pp.255-270.
[40]A. Kiayias, M. Yung. Group signatures:provable security, efficient constructions and anonymity from trapdoor-holders. Cryptology ePrint Archive, Report 2004/076,2004.
[41]M. Bellare, H. Shi, and C. Zhang. Foundations of group signatures:the case of dynamic groups. In:Proceedings of CT-RSA 2005, LNCS 3376, Berlin:Springer-Verlag,2005, pp. 136-153.
[42]Z. Cao. Analysis of one popular group signature scheme. In:Proceedings of ASIACRYPT 2006, LNCS 4284, Berlin:Springer-Verlag,2006, pp.460-466.
[43]G. Ateniese, J. Camenisch, M. Joye, et al. Remarks on "analysis of one popular group signature scheme" in ASIACRYPT 2006. Cryptology ePrint Archive, Report 2006/464,2006.
[44]J. Camenisch, A. Kiayias, M.Yung. On the portability of generalized schnorr proofs. In: Proceedings of EUROCRYPT 2009, LNCS 5479, Berlin:Springer-Verlag,2009, pp.425-442.
[45]G Ateniese, B. Medeiros. Efficient group signatures without trapdoors. In:Proceedings of ASIACRYPT 2003, LNCS 2894, Berlin:Springer-Verlag,2003, pp.246-268.
[46]A. Miyaji, K. Umeda. A fully-functional group signature scheme over only known-order group. In:Proceedings of ACNS 2004, LNCS 3089, Berlin:Springer-Verlag,2004, pp.164-179.
[47]S. Zhou, D. Lin. Analyzing unlinkability of some group signatures. Cryptology ePrint Archive, Report 2005/178,2005. http://eprint.iacr.org/2005/178.
[48]M. Bellare, D. Micciancio, B. Warinschi. Foundations of group signatures:formal definitions, simplified requirements, and a construction based on general assumptions. In:Proceedings of EUROCRYPT 2003, LNCS 2656, Berlin:Springer-Verlag,2003, pp.614-629.
[49]J. Camenisch, J. Groth. Group signatures:better efficiency and new theoretical aspects. In: Proceedings of SCN 2004, LNCS 3352, Berlin:Springer-Verlag,2005, pp.120-133.
[50]J. Furukawa and H. Imai. An efficient group signature scheme from bilinear maps. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences,2006, E89-A(5):1328-1338.
[51]L. Nguyen and R. Safavi-Naini. Efficient and provably secure trapdoor-free group signature schemes from bilinear pairings. In:proceedings of ASIACRYPT 2004, LNCS 3329, Berlin: Springer-Verlag,2004, pp.372-386.
[52]A. Kiayias, M. Yung. Group signatures with efficient concurrent join. In:Proceedings of EUROCRYPT 2005, LNCS 3494, Berlin:Springer-Verlag,2005, pp.198-214.
[53]S. Zhou and D. Lin. Unlinkable randomizable signature and its application in group signature. In:Proceedings of INSCRYPT 2007, LNCS 4990, Berlin:Springer-Verlag,2007, pp.328-342.
[54]X. Huang, W. Susilo and Y. Mu. Breaking and repairing trapdoor-free group signature schemes from ASIACRYPT 2004. Cryptology ePrint Archive, Report 2005/122.
[55]X. Boyen and B. Waters. Compact group signatures without random oracles. In:Proceedings of EUROCRYPT 2006, LNCS 4004, Berlin:Springer-Verlag,2006, pp.427-444.
[56]B. Waters. Efficient identity-based encryption without random oracles. In:Proceedings of EUROCRYPT 2005, LNCS 3494, Berlin:Springer-Verlag,2005, pp.114-127.
[57]J. Groth, R. Ostrovsky, A.Sahai. Perfect non-interactive zero-knowledge for NP. In: Proceedings of EUROCRYPT 2006, LNCS 4004, Berlin:Springer-Verlag 2006, pp.339-358.
[58]X. Boyen, B. Waters. Full-domain subgroup hiding and constant-size group signatures. In: Proceedings of PKC 2007, LNCS 4450, Berlin:Springer-Verlag,2007, pp.1-15.
[59]G. Ateniese, J. Camenisch, S. Hohenberger, et al. Practical group signatures without random oracles. Cryptology ePrint Archive, Report 2005/385,2005.
[60]V Shoup. Lower bounds for discrete logarithms and related problems. In:Proceedings of EUROCRYPT 1997, LNCS 1233, Berlin:Springer-Verlag,1997, pp.256-266.
[61]J. Groth. Fully anonymous group signatures without random oracles. In:Proceedings of ASIACRYPT 2007, LNCS 4833, Berlin:Springer-Verlag,2007, pp.164-180.
[62]G. Ohtake, A. Fujii,G. Hanaoka, et al. On the theoretical gap between group signatures with and without unlinkability. In:Proceedings of AFRICACRYPT 2009, LNCS 5580, Berlin: Springer-Verlag,2009, pp.149-166.
[63]S. D. Gordon, J. Katz, V. Vaikuntanathan. A group signature scheme from lattice assumptions. In:Proceedings of ASIACRYPT 2010, LNCS 6477, Berlin:Springer-Verlag,2010, pp.395-412.
[64]M. Trolin, D. Wikstrom. Hierarchical group signatures. In:Proceedings of ICALP 2005, LNCS 3580, Berlin:Springer-Verlag,2005, pp.446-458.
[65]Q. Wu, W. Susilo, Y. Mu, et al. Ad hoc group signatures. In:Proceedings of IWSEC 2006, LNCS 4266, Berlin:Springer-Verlag,2006, pp.120-135.
[66]A. Kiayias, H.-S. Zhou. Hidden identity-based signatures. IET Information Security,2009, 3(3):119-127.
[67]A. Kiayias, S. Xu, M. Yung. Privacy preserving data mining within anonymous credential systems. In:Proceedings of SCN 2008, LNCS 5229, Berlin:Springer-Verlag,2008, pp.57-76.
[68]X. Boyen, C. Delerablee. Expressive subgroup signatures. In:Proceedings of SCN 2008, LNCS 5229, Berlin:Springer-Verlag,2008, pp.185-200.
[69]G. Fuchsbauer, D. Pointcheval. Anonymous proxy signatures. In:Proceedings of SCN 2008, LNCS 5229, Berlin:Springer-Verlag,2008, pp.201-217.
[70]B. Przydatek, D. Wikstrom. Group message authentication. In:Proceedings of SCN 2010, LNCS 6280, Berlin:Springer-Verlag,2010, pp.399-417.
[71]J. Furukawa, S. Yonezawa. Group signatures with separate and distributed authorities. In: Proceedings of SCN 2004, LNCS 3352, Berlin:Springer-Verlag,2005, pp.77-90.
[72]C. Delerablee, D. Pointcheval. Dynamic fully anonymous short group signatures. In: Proceedings of VIETCRYPT 2006, LNCS 4341, Berlin:Springer-Verlag,2006, pp.193-210.
[73]H. Shacham. A Cramer-Shoup encryption scheme from the linear assumption and from progressively weaker linear variants. Cryptology ePrint Archive, Report 2007/074,2007. http://eprint.iacr.org/.
[74]R. Canetti and S. Goldwasser. An Efficient Threshold Public Key Cryptosystem Secure Against Adaptive Chosen Ciphertext Attack (Extended Abstract). In:Proceedings of EUROCRYPT 1999, LNCS 1592, Berlin:Springer-Verlag,1999, pp.90-106.
[75]R. Cramer, V. Shoup. Practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In:Proceedings of CRYPTO 1998, LNCS 1462, Berlin:Springer-Verlag, 1998, pp.13-25.
[76]R. Cramer, V. Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing archive,2004,33(1): 167-226.
[77]V. Shoup. Practical threshold signatures. In:Proceedings of EUROCRYPT 2000, LNCS 1807, Berlin:Springer-Verlag,2000, pp.207-220.
[78]D. Boneh, X. Boyen. Short signatures without random oracles. In:Proceedings of EUROCRYPT 2004, LNCS 3027, Berlin:Springer-Verlag,2004, pp.56-73.
[79]D. Boneh, B. Lynn, H. Shacham. Short signatures from the weil pairing. Journal of Cryptology,2004,17(4):297-319.
[80]A. L. Ferrara, M. Green, S. Hohenberger, et al. Practical short signature batch verification. In: Proceedings of CT-RSA 2009, LNCS 5473, Berlin:Springer-Verlag,2009, pp.309-324.
[81]I. Teranishi, J. Furukawa, K. Sako. K-times anonymous authentication. In:proceedings of ASIACRYPT 2004, LNCS 3329, Berlin:Springer-Verlag,2004, pp.308-322.
[82]鲁荣波,宣恒农,何大可.对一种高效群签名方案的安全性分析.通信学报,2007,28(4):9-12.
[83]M. H. Au, W. Susilo, S.-M. Yiu. Event-oriented k-times revocable-iff-linked group signatures. In:Proceedings of ACISP 2006, LNCS 4058, Berlin:Springer-Verlag,2006, pp.223-234.
[84]L. Nguyen, R. Safavi-Naini. Dynamic k-times anonymous authentication. In:Proceedings of ACNS 2005, LNCS 3531, Berlin:Springer-Verlag,2005, pp.318-333.
[85]I. Teranishi, K. Sako. k-times anonymous authentication with a constant proving cost. In: Proceedings of PKC 2006, LNCS 3958, Berlin:Springer-Verlag,2006, pp.525-542.
[86]I. Teranishi, J. Furukawa, K. Sako. k-Times Anonymous Authentication. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences,2009, E92-A(1): 147-165.
[87]M. H. Au, W. Susilo, Y. Mu. Constant-size dynamic k-TAA. In:Proceedings of SCN 2006, LNCS 4116, Berlin:Springer-Verlag,2006, pp.111-125.
[88]L. Nguyen. Efficient dynamic k-times anonymous authentication. Cryptology ePrint Archive, Report 2007/006,2007. http://eprint.iacr.org/2007/006.
[89]L. Nguyen. Privacy-protecting coupon system revisited. In:proceedings of Financial Cryptography 2006, LNCS 4107, Berlin:Springer-Verlag,2006, pp.266-280.
[90]K. Emura, A. Miyaji, K. Omote. A selectable k-times relaxed anonymous authentication scheme. In:Proceedings of WISA 2009, LNCS 5932, Berlin:Springer-Verlag,2009, pp.281-295.
[91]I. Damgard, K. Dupont, M.(?). Pedersen. Unclonable group identification. In:Proceedings of EUROCRYPT 2006, LNCS 4004, Berlin:Springer-Verlag,2006, pp.555-572.
[92]P. Bichsel. Theft and misuse protection for anonymous credentials. Master's thesis, Zurich: Swiss Federal Institute of Technology, Switzerland,2007.
[93]J. Camenish. Protecting (anonymous) credentials with the trusted computing group's TPM vl.2. In:Proceedings of SEC 2006, IFIP 201, Berlin:Springer-Verlag,2006, pp.135-147.
[94]R. Impagliazzo, S. M. More. Anonymous credentials with biometrically-enforced non-transferability. In:Proceedings of WPES 2003, New York:ACM Press,2003, pp.60-71.
[95]C. Adams. Achieving non-transferability in credential systems using hidden biometrics. Security and Communication Networks,2011,4(2):195-206.
[96]M. Blanton, W. M. P. Hudelson. Bio metric-based non-transferable anonymous credentials. In: Proceedings of ICICS 2009, LNCS 5927, Berlin:Springer-Verlag,2009, pp.165-180.
[97]J. Camenisch, A. Lysyanskaya. An efficient system for non-transferable anonymous credentials with Optional Anonymity Revocation. In:Proceedings of EUROCRYPT 2001, LNCS 2045, Berlin:Springer-Verlag,2001, pp.93-118.
[98]L. Chen, A. Escalante, H. Lohr, et al. A privacy-protecting multi-coupon scheme with stronger protection against splitting. In:Proceedings of Financial Cryptography 2007, LNCS 4886, Berlin:Springer-Verlag,2008, pp.29-44.
[99]M. Blanton. Online subscriptions with anonymous access. In:Proceedings of ASIA-CCS 2008, New York:ACM Press,2008, pp.217-227.
[100]J. Camenisch, S. Hohenberger, S. M. Kohlweiss, et al. How to win the clonewars:efficient periodic n-times anonymous authentication. In:Proceedings of ACM-CCS 2006, New York:ACM Press,2006, pp.201-210.
[101]R. Cramer, V. Shoup. Signature scheme based on the strong RSA assumption. ACM Transactions on Information and System Security,2000,3(3):161-185.
[102]S. Canard, A. Gouget, E. Hufschmitt. A handy multi-coupon system. In:Proceedings of ACNS 2006, LNCS 3989, Berlin:Springer-Verlag,2006, pp.66-81.
[103]P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In: Proceedings of EUROCRYPT 1999, LNCS 1592, Berlin:Springer-Verlag,1999, pp.223-238.
[104]S. D. Galbraith, K. G. Paterson, N. P. Smart. Pairings for Cryptographers. Discrete Applied Mathematics,2008,156(16):3113-3121.
[105]J. Camenisch, A. Lysyanskaya. A signature scheme with efficient protocols. In:Proceedings of SCN 2002, LNCS 2576, Berlin:Springer-Verlag,2002, pp.268-289.
[106]D. Boneh, X. Boyen. Short signatures without random oracles and the SDH assumption in bilinear groups. Journal of Cryptology,2008,21 (2):149-177.
[107]Y. Dodis, A. Yampolskiy. A verifiable random function with short proofs and keys. In: Proceedings of PKC 2005, LNCS 3386, Berlin: Springer-Verlag, 2005, pp. 416-431.
[108]M. Jakobsson, P.D. MacKenzie, J. P. Stern. Secure and lightweight advertising on the web. Computer Networks, 1999, 31(11-16): 1101-1109.
[109]S. Cimato, A. De Bonis. Online advertising: secure e-coupons. In: Proceedings of ICTCS 2001, LNCS 2202, Berlin: Springer-Verlag, 2001, pp. 370-383.
[110]C. Blundo, S. Cimato, A. De Bonis. Secure e-coupons. Electronic Commerce Research, 2005,5(1): 117-139.
[Ill]Juniper Research. Mobile Coupons. 2008. Available at http://www.juniperresearch.com.
[112]S.-C. Hsueh, J.-M. Chen. Sharing secure m-coupons for peer-generated targeting via eWOM communications. Electronic Commerce Research and Applications, 2010, 9(4): 283-293.
[113]刘文远,张江霄,胡庆华,等.可直接计算的高效的可分电子现金系统.电子学报,2009,37(2):367-371.
[114]徐国胜,谷利泽,杨义先,等.新的可转移电子现金方案.通信学报,2008,29(5):1-5.
[115]L. Chen, M. Enzmann, A.-R. Sadeghi, et al. A privacy-protecting coupon system. In: Proceedings of Financial Cryptography 2005, LNCS 3570, Berlin: Springer-Verlag, 2005, pp. 93-109.
[116]F. Armknecht, B. A. N. Escalante, H. Lohr, et al. Secure multi-coupons for federated environments: privacy-preserving and customer-friendly. In: Proceedings of ISPEC 2008, LNCS 4991, Berlin: Springer-Verlag, 2008, pp. 29-44.
[117]柳欣,徐秋亮.实用的匿名订购协议.计算机工程与应用,2009,45(4):93-97.
[118]陈恺,张玉清,肖国镇.基于概率验证的可分电子现金系统.计算机研究与发展,2000,37(6):752-757.
[119]E. Hufschmitt and J. Traore. Fair blind signatures revisited. In: Proceedings of Pairing 2007, LNCS 4575, Berlin: Springer-Verlag, 2007, pp. 268-292.
[120]M. Belenkiy, M. Chase, M. Kohlweiss, et al. Compact e-cash and simulatable VRFs revisited. In: Proceedings of Pairing 2009, LNCS 5671, Berlin: Springer-Verlag, 2009, pp. 114-131.
[121]M. H. Au, W. Susilo, Y. Mu. Practical compact e-cash. In: Proceedings of ACISP 2007, LNCS 4586, Berlin: Springer-Verlag, 2007, pp. 431-445.
[122]R. Chaabouni, H. Lipmaa, A. Shelat. Additive combinatorics and discrete logarithm based range protocols. In: Proceedings of ACISP 2010, LNCS 6168, Berlin: Springer-Verlag, 2010, pp. 336-351.
[123]V. Wei. More compact e-cash with efficient coin tracing. Crypto logy ePrint Archive, Report 2005/411,2005.
[124]D. P. Le, A. Bonnecaze, A. Gabillon. Multisignatures as secure as the Diffie-Hellman problem in the plain public-key model. In:Proceedings of Pairing 2009, LNCS 5671, Berlin: Springer-Verlag,2009, pp.35-51.
[125]M. H. Au. Contribution to privacy-preserving cryptographic techniques. Wollongong: School of Computer Science and Software Engineering, University of Wollongong,2009.
[126]D. Jao, K. Yoshida. Boneh-Boyen signatures and the Strong Diffie-Hellman problem. In: Proceedings of Pairing 2009, LNCS 5671, Berlin:Springer-Verlag,2009, pp.1-16.
[127]L. Chen, P. Morrissey, N. P. Smart. Pairings in trusted computing. In:Proceedings of Pairing 2008, LNCS 5209, Berlin:Springer-Verlag,2008, pp.1-17.
[128]J. Furukawa. Efficiency enhancement of secure multi-party protocols for privacy and privilege protection. TOKYO:the University of TOKYO,2006.
[129]K. Chida, G. Yamamoto. Batch processing for proofs of partial knowledge and its applications. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences,2008, E91-A(1):150-159.
[130]K. Gjosteen, L. Krakmo. Round-optimal blind signatures from Waters signatures. In: Proceedings of ProvSec 2008, LNCS 5324, Berlin:Springer-Verlag,2008, pp.112-126.