Improvement of a proxy multi-signature scheme without random oracles


A Threshold Proxy Blind Signature Scheme

QI Yanjun, JI Wenli
Abstract: Taking electronic elections as the example, this paper builds on blind signatures and, using bilinear pairings as the tool, combines proxy signatures and threshold signatures to propose a threshold proxy blind signature scheme based on bilinear pairings. The realization of the scheme is analysed in detail, and its correctness, security, blindness and efficiency are analysed and argued. The analysis shows that the scheme is simple to realize and relatively efficient.
Journal: Modern Electronics Technique, 2012, Vol. 35, No. 9, 3 pages (pp. 70-72). Keywords: electronic election; bilinear pairing; threshold signature; proxy signature; blind signature. Affiliations: Department of Information and Computer Science, Northwest University of Political Science and Law, Xi'an, Shaanxi 710063; College of Communication and Information Engineering, Xi'an University of Science and Technology, Xi'an, Shaanxi 710054. Language: Chinese. CLC: TN918.91-34.
0 Introduction
Digital signature is one of the core technologies of information security in e-commerce and e-government.

Nowadays many traditional activities, voting and elections among them, are moving online. Because real-world elections rely on voter anonymity and on the majority-rule principle, an electronic election must realize these two properties as well.

Security Analysis of a Proxy Multi-signature Scheme

1 Introduction
Recently, Qi and Harn proposed a proxy multi-signature scheme [1]. This paper analyses Qi and Harn's scheme and presents a forgery attack: using it, any one of the n original signers can forge a valid proxy multi-signature. Qi and Harn's scheme is then improved and a new, secure proxy multi-signature scheme is proposed. The new scheme not only resists the forgery attack presented here but also retains the advantages of Qi and Harn's scheme and adds the ability to revoke the proxy right.
WANG Xiaoming, FU Fangwei
(1. School of Mathematical Sciences, Nankai University, Tianjin; 2. College of Electrical and Automation Engineering, Qingdao University, Qingdao, Shandong)

Abstract: A forgery attack on Qi and Harn's proxy multi-signature scheme is presented; with it, any one of the n original signers can forge a valid proxy multi-signature. Qi and Harn's scheme is improved and a new secure proxy multi-signature scheme is proposed.
Keywords: proxy multi-signature; forgery attack; public key authentication. Document code: A.

An Identity-based Proxy Re-signature Scheme over Ideal Lattices

SHANG Yufang, LIANG Xiangqian, SUN Yiru
Abstract: As an important tool for key management, proxy re-signature not only simplifies key management and certificate management but can also provide functions such as path proofs. Because proxy re-signature schemes based on the hardness of integer factorization and discrete logarithms are insecure in a quantum setting, a proxy re-signature scheme that resists quantum attacks has been proposed in the literature. This paper uses ideal lattices, and the hardness of the Small Integer Solution (SIS) problem over ideal lattices, to construct an identity-based proxy re-signature scheme over ideal lattices; the authors describe it as the first such scheme. Compared with other identity-based proxy re-signature schemes with the same properties, it has shorter signatures and public keys and lower computational complexity.
Journal: Computer Engineering and Applications, 2017, Vol. 53, No. 21, 6 pages (pp. 110-114, 156). Keywords: proxy re-signature; ideal lattice; small integer solution problem. Affiliation: College of Mathematics and Systems Science, Shandong University of Science and Technology, Qingdao, Shandong 266590. Language: Chinese. CLC: TN91.
The concept of proxy re-signature was first proposed by Blaze, Bleumer et al. [1] at Eurocrypt 1998.

Proxy Signatures

Research and Development of Proxy Signatures
1. Introduction
In the real world people often need to delegate some of their powers to a trusted agent, who exercises those powers on their behalf.

Among the powers that can be delegated is the power to sign.

The traditional way to delegate signing power is to use a seal, because a seal can be passed flexibly from one person to another.

A digital signature is the electronic analogue of a handwritten signature, but an ordinary digital signature provides no delegation mechanism.

In 1996 Mambo, Usuda and Okamoto introduced the concept of the proxy signature and gave one way to solve this problem.

Because proxy signatures play an important role in practical applications, they attracted wide attention as soon as they were proposed, and scholars at home and abroad have studied them in depth.

2. Concept and requirements of proxy signatures
A proxy signature scheme should satisfy the following six basic properties. Unforgeability: besides the original signer, only the designated proxy signer can produce a valid proxy signature on behalf of the original signer.

Verifiability: from the proxy signature, a verifier can be convinced that the original signer agreed to the signed message.

Undeniability: once the proxy signer has produced a valid proxy signature on behalf of the original signer, it cannot deny that signature to the original signer.

Distinguishability: anyone can distinguish a proxy signature from a normal signature of the original signer.

Proxy signer's deviation: the proxy signer must create a valid proxy signature that is detectable as a proxy signature.

Identifiability: the original signer can determine the identity of the proxy signer from the proxy signature.

To be fair to both the original signer and the proxy signer, Lee, Kim and Kim gave stronger definitions for some of these properties. Strong unforgeability: only the designated proxy signer can produce a valid proxy signature; neither the original signer nor a third party that has not been designated as proxy can produce one.

Strong identifiability: anyone can determine the identity of the proxy signer from the proxy signature.

Strong undeniability: once the proxy signer has produced a valid proxy signature on behalf of the original signer, it cannot deny that signature to anyone.
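The properties above are easiest to see in a concrete delegation-by-warrant construction. The following is an added example, not code from this survey or from any of the papers on this page: a Schnorr-style proxy signature in which the original signer signs a warrant, the proxy folds that delegation into its own secret key to obtain a proxy signing key, and any verifier recomputes the proxy public key from the two public keys and the warrant. The group parameters (a 63-bit safe prime found at import time), the warrant format `proxy=<key>;...`, the party names and the message are all assumptions made for the example; a real deployment needs a group of at least 2048 bits.

```python
import hashlib
import secrets

# Added example (not from any paper on this page): Schnorr-style proxy signature
# with delegation by warrant. Toy 63-bit group; deploy with a >= 2048-bit p.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin with fixed bases: deterministic for all n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def schnorr_group(q_min):
    """Smallest safe prime p = 2q + 1 with prime q >= q_min; g = 4 = 2^2 has order q."""
    q = q_min | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = schnorr_group(1 << 62)


def hq(*fields):
    """Hash arbitrary fields into Z_q."""
    data = b"|".join(str(f).encode() for f in fields)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def make_warrant(y_proxy, scope):
    """The warrant names the proxy's public key, so a verifier can identify the proxy."""
    return f"proxy={y_proxy};{scope}"


def delegate(x_orig, warrant):
    """Original signer: Schnorr-sign the warrant; (warrant, K, s) is the delegation."""
    k = secrets.randbelow(Q - 1) + 1
    K = pow(G, k, P)
    return warrant, K, (x_orig * hq(warrant, K) + k) % Q


def accept_delegation(y_orig, x_proxy, delegation):
    """Proxy signer: check the delegation, then fold in its own secret -> proxy key x_p."""
    warrant, K, s = delegation
    e = hq(warrant, K)
    if pow(G, s, P) != pow(y_orig, e, P) * K % P:
        raise ValueError("delegation does not verify under the original signer's key")
    return (s + x_proxy * e) % Q


def proxy_public_key(y_orig, y_proxy, warrant, K):
    """g^{x_p} from public data only: (y_orig * y_proxy)^e * K."""
    return pow(y_orig * y_proxy % P, hq(warrant, K), P) * K % P


def proxy_sign(x_p, warrant, K, msg):
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    return warrant, K, R, (r + x_p * hq(warrant, K, R, msg)) % Q


def proxy_verify(y_orig, y_proxy, msg, sig):
    warrant, K, R, z = sig
    if not warrant.startswith(f"proxy={y_proxy};"):  # identifiability: warrant must name this proxy
        return False
    y_p = proxy_public_key(y_orig, y_proxy, warrant, K)
    return pow(G, z, P) == R * pow(y_p, hq(warrant, K, R, msg), P) % P


def demo():
    """Returns which attempts verify; only the honest proxy signature should."""
    x_a, y_a = keygen()          # original signer Alice
    x_b, y_b = keygen()          # designated proxy Bob
    x_c, y_c = keygen()          # outsider Carol
    warrant = make_warrant(y_b, "scope=purchase orders;until=2025-12-31")  # constructed
    deleg = delegate(x_a, warrant)
    x_p = accept_delegation(y_a, x_b, deleg)
    _, K, s = deleg
    msg = "PO-1042: 300 units"                                            # constructed
    honest = proxy_sign(x_p, warrant, K, msg)
    # Alice knows s but not x_b, so she cannot build x_p (strong unforgeability)
    by_alice = proxy_sign(s, warrant, K, msg)
    # Carol intercepts the delegation and signs under her own key: the warrant names Bob
    by_carol = proxy_sign((s + x_c * hq(warrant, K)) % Q, warrant, K, msg)
    # Editing the warrant (same proxy, wider scope) changes e and breaks the equation
    wider = (warrant.replace("purchase orders", "anything"), K, honest[2], honest[3])
    return {
        "honest": proxy_verify(y_a, y_b, msg, honest),
        "original_signer_alone": proxy_verify(y_a, y_b, msg, by_alice),
        "outsider_with_delegation": proxy_verify(y_a, y_c, msg, by_carol),
        "warrant_edited": proxy_verify(y_a, y_b, msg, wider),
        "other_message": proxy_verify(y_a, y_b, msg + "0", honest),
    }
```

The check that the warrant names the verifying proxy key is what gives strong identifiability; without it, anyone who sees the delegation tuple in transit could fold it into their own key and pass as the proxy, which is why the delegation must either be sent confidentially or, as here, be bound to the proxy's identity.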

Improved Threshold Multi-proxy Multi-signature Scheme with Shared Verification

YANG Ying-hui, SUN Yan-rui, YUAN Xi-feng, SUN Jin-qing
(College of Science, Northeastern University, Shenyang 110004)
Computer Engineering, Vol. 34, No. 23, December 2008, Security Technology section. Document code: A.
Abstract (partial): ... an improved scheme. The scheme effectively resists collusion attacks and realizes shared verification of the signature. Its correctness is proven using Lagrange interpolation and related results.
Keywords: digital signature; threshold proxy signature; shared verification; collusion attack
1 Overview
Threshold proxy signature is an important kind of digital signature. Since [1] proposed the threshold proxy signature scheme in 1997, it has been studied extensively. In 2004, [7] proposed an undeniable threshold multi-proxy
2.2.1 Generation of secret shares: SDC selects two secret polynomials of the form f(x) = a_0 + a_1 x + …

BIT PhD Entrance Coaching: Analysis of the Difficulty of the 2019 Beijing Institute of Technology Cyberspace Security Doctoral Admission and Experience Sharing (2)

1. Programme introduction
Cybersecurity talent is diverse: legislative, governance, strategy, technical and theoretical R&D, security planning, publicity and education, operations and maintenance, and defence personnel, among others.

The related information security programme emphasises the security of information itself and its environment, so its teaching leans toward security technology, and its graduates mostly work in information-security research, technology development, security planning, operations and maintenance, and defence. The confidentiality management programme is a special programme of the Ministry of Education with state-controlled enrolment and very few offering institutions; its graduates mostly work in confidentiality theory, technology development, organizational management and regulation.

The training goal of the cyberspace security programme is interdisciplinary talent with a solid theoretical and technical foundation in cyberspace security, systematic knowledge of information content security, cybersecurity law and cybersecurity management, sound political thinking, and strong Chinese and English communication and writing skills: people who are technically competent, understand the law and can negotiate.

Such graduates serve the legislation, governance, strategic planning and public-opinion supervision of cyberspace security.

For doctoral admission, the cyberspace security programme (083900) of the School of Computer Science, Beijing Institute of Technology, is divided into two research directions: 01. Network attack and defence technology; 03. Cryptography and applied security. The programme uses the application-and-assessment admission system.

2. Selection time
The School of Computer Science will conduct doctoral admissions on 16-17 December 2018.

3. Assessment content
The school's assessment focuses on basic research ability, foreign-language level and programming ability.

Basic research ability is assessed mainly from the research results obtained during the master's degree, including accepted or published papers, granted patents and awards in graduate science and technology competitions.

Because general admission and master-to-doctorate continuation have different entry years, they are reviewed separately.

Each discipline direction mainly uses a comprehensive interview to assess research innovation ability and academic potential; directions may set different interview content according to their characteristics and training needs.

The interview panel consists of at least three doctoral supervisors of the school; each member scores each candidate according to the assessment, and each candidate's average score is calculated.

4. Application materials
(1) The "Beijing Institute of Technology 2019 Registration Form for Doctoral Degree Applicants", printed on paper and signed by the candidate.

Fortinet Advanced Network Security Product Data Sheet

FortiSandbox™ Data Sheet: Multi-layer proactive threat mitigation

The ultimate combination of proactive mitigation, advanced threat visibility and comprehensive reporting.
§ Secure virtual runtime environment exposes unknown threats
§ Unique multi-layer prefilters aid fast and effective threat detection
§ Rich reporting provides full threat lifecycle visibility
§ Inspection of many protocols in one appliance simplifies deployment and reduces cost
§ Integration and automation with Fortinet threat prevention products enhances rather than duplicates security infrastructure
§ Independent testing and certification validates effectiveness

... engine, queries to cloud-based threat databases and OS-independent simulation with a code emulator, followed by execution in the full virtual runtime environment. Once malicious code is detected, granular ratings along with key threat intelligence are available, a signature is dynamically created for distribution to integrated products, and full threat information is optionally shared with FortiGuard Labs for the update of global threat databases.

Actionable Insight
All classifications, malicious and high/medium/low risk, are presented within an intuitive dashboard. Full threat information from the virtual execution, including system activity, exploit efforts, web traffic, subsequent downloads, communication attempts and more, is available in rich logs and reports.
(FortiGuard Security Services; FortiCare Worldwide 24x7 Support; Fortinet Security Fabric)

ADVANCED THREAT PROTECTION FRAMEWORK
Prevent Attacks: Fortinet next generation firewalls, secure email gateways, web application firewalls, endpoint security and similar solutions use antivirus, web filtering, IPS and other traditional security techniques to quickly and efficiently prevent known threats from impacting an organization.
Detect and Analyze Threats: FortiSandbox and other advanced detection techniques step in to detect "zero-day" threats and sophisticated attacks, delivering the risk ratings and attack details necessary for remediation.
Mitigate Impact and Improve Protection: In a Fortinet solution, detection findings can be used to trigger prevention actions to ensure the safety of resources and data until remediation is in place. Finally, the entire security ecosystem updates to mitigate any impact from future attacks through the integrated threat intelligence research and services of FortiGuard Labs.

FORTINET SECURITY FABRIC
The most effective defense against advanced targeted attacks is founded on a cohesive and extensible protection framework. The Fortinet framework uses security intelligence across an integrated solution of traditional and advanced security tools for network, application and endpoint security, and threat detection, to deliver actionable, continuously improving protection. Fortinet integrates the intelligence of FortiGuard Labs into FortiGate next generation firewalls, FortiMail secure email gateways, FortiClient endpoint security, FortiSandbox advanced threat detection and other security products to continually optimize and improve the level of security delivered to organizations with a Fortinet solution.
Fortinet is the only company with security solutions for network, endpoint, application, data center, cloud and access designed to work together as an integrated and collaborative security fabric. Simply deploying security end to end is not enough. These solutions must work together to form a cooperative fabric that can scale to cover the entire network, with different security sensors and tools that are aware of each other and operate as a single entity, even when sourced from multiple vendors. Further, components must collect, coordinate and respond to any potential threat in real time with actionable intelligence. This is where FortiSandbox and the broader Advanced Threat Protection solution set fit.

DEPLOYMENT OPTIONS
Standalone: This deployment mode relies on inputs from spanned switch ports or network taps. It may also include administrators' on-demand file uploads using the GUI. It is the most suitable mode for adding protection capabilities to existing threat protection systems from various vendors.
Integrated: Various Fortinet products, namely FortiGate, FortiMail, FortiWeb and FortiClient, can intercept and submit suspicious content to FortiSandbox when they are configured to interact with it. The integration also provides timely remediation and reporting capabilities to those devices (* not applicable to FortiWeb).
Distributed: This deployment is attractive for organizations with distributed environments, where FortiGates deployed in branch offices submit suspicious files to a centrally located FortiSandbox. This setup yields the lowest TCO and protects against threats in remote locations.
(Diagram: file and URL submission, FortiSandbox, on-demand input)
Easy Deployment: FortiSandbox supports inspection of many protocols in one unified solution, which simplifies network infrastructure and operations. Further, it integrates with FortiGate as a new capability within your existing security framework. FortiSandbox is the most flexible threat analysis appliance in the market because it offers various deployment options for customers' unique configurations and requirements; organizations can also use all three input options at the same time.

FEATURES SUMMARY
AV Engine: applies top-rated (95%+ reactive and proactive) AV scanning; serves as an efficient pre-filter.
Cloud Query: real-time check of the latest malware information; access to shared information for instant malware detection.
Code Emulation: quickly simulates intended activity; OS independent and immune to evasion/obfuscation.
Full Virtual Sandbox: secure run-time environment for behavioral analysis/rating; exposes full threat lifecycle information.
Call Back Detection: identifies the ultimate aim, call back and exfiltration.
Multi-tiered file processing optimizes resource usage, which improves security, capacity and performance.

INTEGRATION
File submission input: FortiGate, FortiClient, FortiMail, FortiWeb
File status feedback and report: FortiGate, FortiClient, FortiMail, FortiWeb
Dynamic threat DB update: FortiGate, FortiClient, FortiMail (periodically pushes the dynamic DB to registered entities; file checksum and malicious URL DB update)
Database proxy: FortiManager
Remote logging: FortiAnalyzer, syslog server
Web-based API with which users can upload samples to scan indirectly
Bit9 endpoint software integration

ADVANCED THREAT PROTECTION
Virtual OS sandbox:
– Concurrent instances
– OS types supported: Windows XP, Windows 7, Windows 8.1, Windows 10 and Android
– Anti-evasion techniques: sleep calls, process and registry queries
– Callback detection: malicious URL visit, botnet C&C communication and attacker traffic from activated malware
– Download captured packets, original file, tracer log and screenshot
File type support: .7z, .ace, .apk, .arj, .bat, .bz2, .cab, .cmd, .dll, .doc, .docm, .docx, .dot, .dotm, .dotx, .exe, .gz, .htm, .html, .htmnojs, .jar, .js, .kgb, .lnk, .lzh, .msi, .pdf, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ps1, .rar, .rtf, .sldm, .sldx, .swf, .tar, .tgz, .upx, .url, .vbs, WEBLink, .wsf, .xlam, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xz, .z, .zip
Protocols/applications supported:
– Sniffer mode: HTTP, FTP, POP3, IMAP, SMTP, SMB
– Integrated mode with FortiGate: HTTP, SMTP, POP3, IMAP, MAPI, FTP, IM and their SSL-encrypted equivalents
– Integrated mode with FortiMail: SMTP, POP3, IMAP
– Integrated mode with FortiWeb: HTTP
– Integrated mode with ICAP client: HTTP
Customize VMs with supported file types; isolate VM image traffic from system traffic
Network threat detection in sniffer mode: identify botnet activities, network attacks and malicious URL visits
Scan SMB/NFS network shares and quarantine suspicious files; scans can be scheduled
Scan embedded URLs inside document files
Option to integrate third-party YARA rules
Option to auto-submit suspicious files to the cloud service for manual analysis and signature creation
Option to forward files to a network share for further third-party scanning
File checksum whitelist and blacklist option
URL submission for scan and query from emails and files

MONITORING AND REPORT
Real-time monitoring widgets (viewable by source and time period): scanning result statistics, scanning activities over time, top targeted hosts, top malware, top infectious URLs, top callback domains
Drill-down event viewer: dynamic table with content of actions, malware name, rating, type, source, destination, detection time and download path
Logging: GUI, download raw log file
Report generation for malicious files: detailed reports on file characteristics and behaviors (file modification, process behaviors, registry behaviors, network behaviors, VM snapshot, behavior chronology chart)
Further analysis: downloadable sample file, sandbox tracer logs, PCAP capture and indicators in STIX format
Dashboard widgets show real-time threat status.

FILE ANALYSIS TOOLS
Reports with captured packets, original file, tracer log and screenshot provide rich threat intelligence and actionable insight after files are examined, to speed up remediation and updated protection.

REMEDIATION
Fortinet's integration of its products with FortiSandbox offers automatic protection with simple setup. Once malicious code is determined, the analyzer develops and forwards the dynamically generated signature to all registered devices and clients, which then examine subsequent files against the latest DB.
(Workflow diagram: file submission for analysis and results returned; quarantine devices or block traffic by firewall; optionally share analysis with FortiGuard Labs; query; update; mitigate)

SPECIFICATIONS (models: FortiSandbox 1000D, FortiSandbox 3000D, FortiSandbox 3500D, FortiSandbox 3000E)
AV scanning (files/hour): hardware dependent
Number of VMs: 4 to 54 (upgrade via appropriate licenses)
* Based on the assumption that 1 blade will be used as master in HA-cluster mode. ** By adding 3 more SAM-3500D nodes to the same chassis. *** 8 Windows VM licenses included with hardware, remaining 48 sold as an upgrade license.

GLOBAL HEADQUARTERS: Fortinet Inc., 899 Kifer Road, Sunnyvale, CA 94086, United States
EMEA SALES OFFICE: 905 rue Albert Einstein, Valbonne 06560, Alpes-Maritimes, France. Tel: +33.4.8987.0500
APAC SALES OFFICE: 300 Beach Road 20-01, The Concourse, Singapore 199555. Tel: +65.6395.2788
LATIN AMERICA SALES OFFICE: Sawgrass Lakes Center, 13450 W. Sunrise Blvd., Suite 430, Sunrise, FL 33323, United States. Tel: +1.954.368.9990

Copyright © 2016 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary and may be significantly less effective than the metrics stated herein. Network variables, different network environments and other conditions may negatively affect performance results and other metrics stated herein. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet and any such commitment shall be limited by the disclaimers in this paragraph and other limitations in the written contract. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests, and in no event will Fortinet be responsible for events or issues that are outside of its reasonable control. Notwithstanding anything to the contrary, Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
FST-PROD-DS-FSA / FSA-DAT-R18-201609

ORDER INFORMATION
1 GE SFP SX Transceiver Module, FG-TRAN-SX: 1 GE SFP SX transceiver module for all systems with SFP and SFP/SFP+ slots.
1 GE SFP LX Transceiver Module, FG-TRAN-LX: 1 GE SFP LX transceiver module for all systems with SFP and SFP/SFP+ slots.
10 GE SFP+ Transceiver Module, Short Range, FG-TRAN-SFP+SR: 10 GE SFP+ transceiver module, short range, for all systems with SFP+ and SFP/SFP+ slots.
10 GE SFP+ Transceiver Module, Long Range, FG-TRAN-SFP+LR: 10 GE SFP+ transceiver module, long range, for all systems with SFP+ and SFP/SFP+ slots.

INTEGRATION MATRIX (minimum versions; * some models may require CLI configuration)
                                 FortiOS        FortiClient (Windows)   FortiMail OS   FortiWeb OS
FSA Appliance and VM
  File Submission*               V5.0.4+        V5.4+                   V5.1+          V5.4+
  File Status Feedback*          V5.0.4+        V5.4+                   V5.1+          V5.4+
  File Detailed Report*          V5.4+          V5.4+                   V5.1+          –
  Dynamic Threat DB Update*      V5.4+          V5.4+                   V5.3+          V5.4+
FortiSandbox Cloud
  File Submission*               V5.2.3+        –                       V5.3+          5.5.3+
  File Status Feedback*          V5.2.3+        –                       V5.3+          5.5.3+
  File Detailed Report*          V5.2.3+        –                       –              –
  Dynamic Threat DB Update*      V5.4+          –                       V5.3+          5.5.3+

An Efficient Identity-based Proxy Signcryption Scheme

CHEN Shanxue, ZHOU Shuxian, YAO Xiaofeng, LI Fangwei
Journal: Application Research of Computers, 2011, Vol. 28, No. 7, 3 pages (pp. 2694-2696).
Abstract: Proxy signcryption lets an original signcrypter delegate its signcrypting capability to a proxy signcrypter, who then signcrypts designated messages on behalf of the original signcrypter. To better achieve public verifiability and forward security for proxy signcryption, this paper proposes an identity-based proxy signcryption scheme from bilinear pairings on elliptic curves. Analysis shows that the scheme is secure assuming that the ECDLP and the CDH problem (GDH in the authors' English abstract) are hard. The scheme keeps the advantages of identity-based signcryption and adds the function of a proxy signature; only the intended recipient can recover the message from the ciphertext. It also provides forward security and public verifiability and is well suited to applications.
Affiliation: College of Communication, Chongqing University of Posts and Telecommunications, Chongqing 400065. Language: Chinese. CLC: TN918; TP309.
Related literature: 1. Identity-based signcryption and proxy signcryption schemes [J], JI Huifang, HAN Wenbao, ZHAO Long. 2. An identity-based proxy signcryption scheme with fast revocation of proxy rights [J], YU Yong, YANG Bo, LI Fagen, SUN Ying. 3. An efficient identity-based proxy signcryption scheme [J], YANG Xuan, YU Zhaoping. 4. Efficient identity-based proxy signcryption [J], ZHANG Xuejun, WANG Yumin. 5. A secure identity-based proxy signcryption scheme in the standard model [J], MING Yang, FENG Jie, HU Qijun.

A Lattice-based Identity-based Proxy Partially Blind Signature Scheme in the Standard Model

doi:10.3969/j.issn.1671-1122.2021.03.005
ZHOU Yihua, DONG Songshou, YANG Yuguang (Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China)
Abstract: Lattice-based identity-based proxy blind signatures are widely used in e-business, e-government, software security and many other applications. Considering the problems of master key leakage, malicious-user attacks and signature forgery in lattice-based proxy blind signatures, this paper proposes a lattice-based identity-based proxy partially blind signature scheme in the standard model. The scheme constructs the signing public key by matrix cascade (concatenation) rather than matrix multiplication, which removes the master key leakage present in existing schemes, and uses partial blindness to defeat the malicious-user attack on fully blind signature schemes. The security analysis shows that the scheme not only realizes the functions of proxy signature and blind signature but also resists master key leakage and malicious-user attacks, and is existentially unforgeable under adaptive chosen message attacks (EUF-CMA).
Keywords: blind signature; proxy signature; lattice; vulnerability; post-quantum. CLC: TP309. Document code: A. Article number: 1671-1122(2021)03-0037-07.
Citation: ZHOU Yihua, DONG Songshou, YANG Yuguang. A Lattice-based Identity-based Proxy Partially Blind Signature Scheme in the Standard Model [J]. Netinfo Security, 2021, 21(3): 37-43.
Funding: National Natural Science Foundation of China [62071015]. Authors: ZHOU Yihua (b. 1969), male, Beijing, associate professor, PhD; research interests: network and information security, multimedia information retrieval and content security, cryptography. DONG Songshou (b. 1996), male, Henan, master's student; research interest: post-quantum cryptography. YANG Yuguang (b. 1976), female, Beijing, professor, PhD; research interest: information security.

Security Analysis of a (t,n) Threshold Signature Scheme without a Trusted Centre

MO Lequn, YAO Guoxiang
Journal: Computer Engineering and Design, 2009, Vol. 30, No. 21, 3 pages (pp. 4861-4863).
Abstract: The (t,n) threshold signature scheme without a trusted party proposed by Wang and Li [1] is analysed, and a serious weakness in its group signing process is pointed out: if several original signing members collude and cheat during key generation, they can later deny having taken part in signing certain messages with the others. Wang and Li's scheme is then improved by combining Chebyshev polynomials with the (t,n) threshold signature mechanism, giving a new Chebyshev-polynomial-based (t,n) threshold signature scheme without a trusted centre (the authors' English abstract describes the result as a proxy multi-signature scheme).
Affiliations: College of Computer Engineering, Guangdong Communication Polytechnic, Guangzhou, Guangdong 510650; College of Information Science and Technology, Jinan University, Guangzhou, Guangdong 510632. Language: Chinese. CLC: TP309.
Related literature: 1. An improved threshold signature scheme without a trusted centre [J], XU Yan. 2. An identity-based threshold signature scheme without a trusted centre [J], QIAO Dandan, WANG Baocang. 3. Security analysis of a (t,n) threshold signature scheme without a trusted centre [J], GUO Lifeng, CHENG Xiangguo. 4. A threshold signature scheme without a trusted centre resisting collusion attacks [J], WANG Lingling. 5. Security analysis and improvement of a (t,n) threshold signature scheme without a trusted centre [J], SUN Qiaoling, JIANG Wei, LIU Huanping.

An Efficient Proxy Blind Multi-signature Scheme

HU Zhen-peng, QIAN Hai-feng, LI Zhi-bin (Department of Computer Science and Technology, East China Normal University, Shanghai 200062)
Abstract: Proxy multi-signatures and blind signatures are widely used in electronic commerce and electronic cash systems. Combining the features of the two, and building on the Schnorr signature and Chaum's blind signature, this paper presents an efficient proxy blind multi-signature scheme that satisfies the security properties of both blind signatures and proxy multi-signatures. The scheme has low computational cost, high efficiency and strong security; its signature length does not grow as original signers are added; and it can be applied widely in electronic cash and electronic voting.
Keywords: proxy signature; blind signature; proxy blind signature; proxy blind multi-signature
Computer Engineering, Vol. 34, No. 13, July 2008, pp. 130-132, Security Technology section. Article number: 1000-3428(2008)13-0130-03. Document code: A. CLC: TP309.7.
1 Overview
In 1983, [1] proposed the first blind signature scheme. A blind signature is a special digital signature that, besides the basic properties of an ordinary digital signature, must also satisfy: (1) Blindness: the signer does not learn the specific content of the document or message it signs.
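The blindness property defined above is concrete in Chaum's RSA blind signature, the building block this paper cites. What follows is an added example written for this page, not the authors' scheme and not code from the paper: the requester multiplies the hashed message by r^e, the signer applies its RSA private exponent to a value it cannot read, and the requester divides out r. The function `transcript_explains` shows why the signer cannot later link a signature to its own transcript: for every transcript and every valid (message, signature) pair there is a blinding factor r' that connects them. The two-Mersenne-prime modulus, the `h` reduction, the ballot strings and the function names are assumptions made for the example; the modulus has public structure and is insecure, and a production system would use 2048-bit RSA with a full-domain hash.

```python
import hashlib
import math
import secrets

# Added example (not from the paper above): Chaum's RSA blind signature.
# Toy modulus from two Mersenne primes whose structure is public, so it is NOT
# secure; real systems use 2048-bit RSA and a full-domain hash (RSA-FDH).
P_TOY = (1 << 61) - 1
Q_TOY = (1 << 89) - 1
N = P_TOY * Q_TOY
E = 65537
D = pow(E, -1, (P_TOY - 1) * (Q_TOY - 1))


def h(msg):
    """Hash the message into Z_N (sha256 output exceeds the toy N, so reduce)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def blind(msg):
    """Requester: multiply H(m) by r^e for a secret random r coprime to N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return h(msg) * pow(r, E, N) % N, r


def sign_blinded(blinded):
    """Signer: plain RSA signing on a value whose content it cannot see."""
    return pow(blinded, D, N)


def unblind(blinded_sig, r):
    """Requester: (H(m) r^e)^d * r^-1 = H(m)^d mod N."""
    return blinded_sig * pow(r, -1, N) % N


def verify(msg, sig):
    return pow(sig, E, N) == h(msg)


def run_protocol(msg):
    """One blind-signing round; returns the final signature and the signer's transcript."""
    blinded, r = blind(msg)
    blinded_sig = sign_blinded(blinded)
    return unblind(blinded_sig, r), (blinded, blinded_sig)


def transcript_explains(transcript, msg, sig):
    """Blindness: for ANY valid (msg, sig) there is an r' mapping this transcript onto it,
    so the signer cannot tell which of its transcripts produced which signature."""
    blinded, blinded_sig = transcript
    r_prime = blinded_sig * pow(sig, -1, N) % N
    return pow(r_prime, E, N) * h(msg) % N == blinded


def demo():
    """Two ballots signed blindly; every transcript is consistent with every ballot."""
    ballots = [b"ballot: candidate A", b"ballot: candidate B"]     # constructed
    results = [run_protocol(b) for b in ballots]
    sigs = [sig for sig, _ in results]
    transcripts = [t for _, t in results]
    return {
        "all_verify": all(verify(b, s) for b, s in zip(ballots, sigs)),
        "cross_verify_fails": not verify(ballots[0], sigs[1]),
        "unlinkable": all(transcript_explains(t, b, s)
                          for t in transcripts for b, s in zip(ballots, sigs)),
        "signer_saw_plaintext": any(t[0] == h(b) for t in transcripts for b in ballots),
    }
```

The same property is what the partially blind variants on this page are reacting to: because the signer sees nothing, a requester can obtain a signature on any message at all, which is why partially blind schemes bind agreed public information into the signature.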

Analysis and Improvement of an Identity-based Partially Blind Signature Scheme

Abstract: Cryptanalysis of the ID-based partially blind signature scheme proposed by Li et al. (LI M X, ZHAO X M, WANG H T. Security analysis and improvement of a partially blind signature scheme. Journal of Computer Applications, 2010, 30(10): 2687-2690) showed that the signature requester could illegally change the negotiated information. Therefore an improved partially blind scheme was proposed to resist attacks that tamper with the negotiated information. The new scheme was proved to be existentially unforgeable against adaptive chosen message and identity attacks in the random oracle model. Compared with other ID-based partially blind signature schemes, the new scheme has higher computational efficiency. Key words: blind signature; partially blind signature; bilinear pairing; ID-based; random oracle model

A Secure Short Proxy Multi-signature Scheme

Proxy multi-signature is an extension of the original proxy signature in which two or more original signers delegate their signing power to one proxy. For a secure proxy signature scheme, shortening the signature length is of great significance in bandwidth-limited applications. Based on the BLS short signature and using bilinear pairings on elliptic curves, a short proxy multi-signature scheme is proposed and proven in the random oracle model
(1. School of Mechanical Electronic and Information Engineering, China University of Mining and Technology, Beijing 100083, China; 2. School of Computer Science and Technology, Henan Polytechnic University, Jiaozuo, Henan 454000, China)
Abstract: Proxy multi-signature is an extension of the basic proxy signature primitive, and permits two or more original signers to delegate their signing powers to the same proxy signer. It is greatly significant to shorten the signature length of a secure proxy signature scheme, especially for applications where bandwidth is limited. Based on the BLS short signature scheme, it constructs a short proxy multi-signature scheme by bilinear pairings on elliptic curves

Shared Verifiable Undeniable Threshold Multi-proxy Multi-signature Scheme
WANG Zhibo, LI Xiong, DU Ping
(2. State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China)
Computer Engineering and Applications

(3) Each member sends its value to the authorized secretary (DC) over a public channel.
(4) DC checks validity by verifying whether the verification equation holds, and obtains the public keys (powers of g and g' mod p).
... (the YC scheme). Unfortunately, their scheme cannot resist the forgery attack, and it cannot achieve the property of shared ver-

A Multi-level Threshold Proxy Signature Scheme

WANG Jiandong, SONG Chao
Abstract: Existing (t,n) threshold proxy signature schemes can only produce proxy signatures under a single threshold level.

This paper uses the hardness of the discrete logarithm and integer factorization problems to propose a multi-level threshold proxy signature scheme.

In the scheme, each proxy signer keeps a single, fixed proxy key, while the threshold value is adjusted according to the security requirement of the document to be signed, so proxy signatures can be produced under multiple threshold levels.

The scheme offers high security and strong flexibility.

Journal: Journal of Beijing Electronic Science and Technology Institute, 2011, Vol. 19, No. 4, 4 pages (pp. 42-45). Keywords: threshold proxy signature; multi-level threshold; proxy signature; collusion attack. Affiliations: Department of Information Engineering, Shijiazhuang University of Economics, Shijiazhuang, Hebei 050031, China; University of Electronic Science and Technology of China, Chengdu, Sichuan 610054, China. Language: Chinese. CLC: TP309.
1 Introduction
Since Mambo et al. [1] proposed the concept of the proxy signature in 1996, the theory of proxy signatures has been studied widely.
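The (t,n) threshold schemes on this page, the trusted-centre-free scheme analysed by Mo and Yao above included, all rest on the same key-setup step: a group secret is shared so that any t members can reconstruct it and t-1 cannot, with the shares of several dealers summed so that no single party ever holds the whole secret. The block below is an added example, not any of these papers' schemes: each of n members deals its own random secret with a degree t-1 polynomial, member j's share of the group secret is the sum of the shares it received, and Lagrange interpolation at x = 0 recovers the group secret from any t shares. The field modulus, the chosen subsets and the function names are assumptions made for the example; a real threshold signature would use the recovered value only implicitly, inside a distributed signing step, never in the clear as `demo` does for the check.

```python
import secrets

# Added example (not any paper's scheme): dealer-free (t, n) secret sharing, the
# key-setup idea behind threshold signatures without a trusted centre.
Q = (1 << 61) - 1   # prime field for share arithmetic (2^61 - 1 is a Mersenne prime)


def eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1] x + ... mod Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def deal(secret, t, n):
    """One member acting as dealer: f(0) = secret, f of degree t-1; share j is f(j)."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {j: eval_poly(coeffs, j) for j in range(1, n + 1)}


def joint_shares(member_secrets, t, n):
    """Every member deals its own secret; member j's share of the group secret is the sum."""
    combined = {j: 0 for j in range(1, n + 1)}
    for s in member_secrets:
        for j, v in deal(s, t, n).items():
            combined[j] = (combined[j] + v) % Q
    return combined


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over the supplied {x: f(x)} points."""
    total = 0
    for xi, yi in shares.items():
        num = den = 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, Q - 2, Q)) % Q
    return total


def demo(t=3, n=5):
    """Any t of n members recover the group secret; t-1 members get an unrelated value."""
    member_secrets = [secrets.randbelow(Q) for _ in range(n)]
    group_secret = sum(member_secrets) % Q   # only computed here to check the result
    shares = joint_shares(member_secrets, t, n)
    subset_a = {j: shares[j] for j in (1, 2, 3)}
    subset_b = {j: shares[j] for j in (2, 4, 5)}
    too_few = {j: shares[j] for j in (1, 5)}
    return {
        "t_members_recover": reconstruct(subset_a) == group_secret,
        "any_t_members_agree": reconstruct(subset_a) == reconstruct(subset_b),
        "t_minus_1_members_fail": reconstruct(too_few) != group_secret,
    }
```

Note what this setup does not give: a member can deal inconsistent shares to different peers, which is exactly the key-generation cheating that lets colluding members later repudiate a signature in the scheme Mo and Yao analyse; defending against it needs verifiable sharing (public commitments to the polynomial coefficients), which this example omits.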

A Multi-level Multi-proxy Signature Scheme Based on Discrete Logarithms

YANG Yinghui, REN Junfeng
Abstract: Through in-depth study of proxy multi-signature, multi-proxy signature and multi-level proxy signature schemes, and combining the ideas of the three, a multi-level multi-proxy signature scheme based on discrete logarithms is proposed. The three earlier types are special cases of it: if A_{ij} (1 ≤ j ≤ n_i) is the i-th level proxy signer trusted by A_{i-1,j}, then for i = 1, n_0 > 1, n_1 = 1 the signature is a proxy multi-signature; for i = 1, n_0 = 1, n_1 > 1 it is a multi-proxy signature; and for i > 1, n_0 = 1, …, n_i = 1 it is a multi-level proxy signature. The scheme has the advantages of all three earlier types, is more general, and applies more widely.
Journal: Computer Technology and Development, 2010, Vol. 20, No. 12, 4 pages (pp. 181-184). Keywords: multi-level multi-proxy; discrete logarithm; digital signature. Affiliation: School of Mathematics and Information Science, Henan Polytechnic University, Jiaozuo, Henan 454000. Language: Chinese. CLC: TP309.3.
0 Introduction
A proxy signature is a special digital signature in which the original signer delegates its signing power to a proxy signer, who exercises that power on the original signer's behalf.

A proxy signature scheme must satisfy the following basic properties: distinguishability; unforgeability; verifiability; identifiability; undeniability.

Since Mambo, Usuda and Okamoto [1] first proposed the concept of the proxy signature in 1996, it has been studied widely [2-12]; recently Yi Lijiang et al. [2] and Qi and Harn [3] each proposed a new kind of proxy signature scheme, the proxy multi-signature.

Wang Xiaoming and Fu Fangwei [4] showed that both schemes are insecure and gave corresponding improvements.

In 2006, Jin Yongming et al. [5] used bilinear pairings to propose a multi-level proxy signature scheme based on hyperelliptic curves.

This paper combines the ideas of proxy multi-signature and multi-level proxy signature to propose a multi-level multi-proxy signature scheme based on discrete logarithms, which is more general.

Multi-proxy signatures, proxy multi-signatures and multi-level proxy signatures can all be seen as special cases of the scheme.

The scheme therefore also has a wider range of practical applications.

An Improved Proxy Ring Signature Scheme

ZHANG Xiaoping, ZHONG Cheng
Journal: Application Research of Computers, 2011, Vol. 28, No. 9, 3 pages (pp. 3505-3507).
Abstract: Analysis of the proxy ring signature scheme proposed by Luo shows that it is not unforgeable: an attacker without the original signer's proxy authorization can forge a valid proxy ring signature. To prevent this forgery attack, an improved scheme based on bilinear pairings and gap Diffie-Hellman groups is proposed by modifying the signing algorithm and the corresponding verification equation. Security analysis shows that the improved scheme overcomes the security defect of the original scheme and satisfies all security requirements of a proxy ring signature, while retaining the original scheme's high computational efficiency.
Affiliation: School of Computer, Electronics and Information, Guangxi University, Nanning 530004. Language: Chinese. CLC: TP309.
Related literature: 1. Analysis and improvement of a proxy ring signature scheme [J], NIU Jiangpin, ZHANG Jianzhong. 2. An improved proxy ring signature scheme [J], LÜ Xiaohong, LANG Weimin, XIA Jing. 3. An efficient, provably secure certificate-based proxy ring signature scheme [J], WU Chenhuang, LI Huimin, ZHANG Jinhui. 4. Attacks on and improvements of two certificateless proxy ring signature schemes [J], LI Huimin, NING Huaying, LIANG Hongmei, ZHANG Jinhui.


Improvement of a proxy multi-signature scheme without random oracles ☆

Ying Sun a,*, Chunxiang Xu a, Yong Yu a, Bo Yang b

a School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 610054, China
b College of Information, South China Agricultural University, Guangzhou 510642, China

Article history: Available online 10 February 2010

Keywords: Digital signature; Proxy signature; Bilinear pairing; Security proof

Abstract

A proxy multi-signature scheme permits two or more original signers to delegate their signing powers to the same proxy signer. Recently, Liu et al. proposed the first proxy multi-signature that can be proven secure in the standard model [20], which can be viewed as a two-level hierarchical signature due to Waters. However, because of the direct employment of Waters' signature, their scheme needs a relatively large number of public parameters and is not tightly reduced to the security assumption. In this paper, inspired by Boneh and Boyen's technique and Waters' technique, we propose a new proxy multi-signature scheme without random oracles, whose unforgeability can be tightly reduced to the CDH assumption in bilinear groups. The new scheme can be regarded as an improvement that overcomes the weaknesses of Liu et al.'s scheme. Compared with Liu et al.'s scheme, the improvement has three merits: a tighter security reduction, shorter system parameters and higher efficiency.

© 2010 Elsevier B.V. All rights reserved.

Y. Sun et al. / Computer Communications 34 (2011) 257–263

1. Introduction

In the last two decades, the science of cryptography has focused on the construction of provably secure digital signature schemes. A security proof of a digital signature scheme generally proceeds by a reduction showing how an adversary who can break the digital signature scheme in polynomial time can be used to solve some hard mathematical problem, such as the discrete logarithm problem, the RSA problem or the Computational Diffie–Hellman (CDH) problem. The "quality" of the reduction is given by the success probability of the adversary in breaking the underlying intractable problem. A reduction in which the difficulty of forging and the difficulty of solving the underlying hard problem are close is called tight; otherwise, it is called loose. Naturally, "close", "tight" and "loose" are imprecise terms and make more sense when used in comparison. Today, how to construct a digital signature scheme that can be tightly reduced to a weak security assumption is a hot topic in cryptography [1–4].

In 1996, Mambo et al. [5] introduced the concept of a proxy signature for signature delegation, which allows an original signer to delegate his signing capability to a proxy signer, so that the proxy signer can create valid signatures on behalf of the original signer. Proxy signatures have been shown to be useful in a number of applications, including distributed shared object systems, grid computing and mobile agent environments. Moreover, proxy signatures have many variations, such as proxy blind signature [6,7], threshold proxy signature [8,9], multi-proxy signature [10–12], proxy ring signature [7,13], designated verifier proxy signature [14] and so on. Among them, the concept of proxy multi-signature was first introduced by Yi et al. [15]. In this kind of primitive, a proxy signer can generate a signature on a message on behalf of two or more original signers. It can be used to solve the problem of signing a document for a corporation. For instance, a company releases a document that may involve the financial department, the engineering department, the program office, etc. The document must be signed jointly by these entities, or signed by a proxy signer authorized by these entities [15]. Following Yi et al.'s work, several proxy multi-signature schemes have been proposed [16–21]. To offer strong security guarantees, provable security is essential for proxy multi-signature schemes. However, the early schemes did not provide formal security proofs, and therefore most of them do not fully meet the desired security requirements; many of them were found to have security flaws [16–19,21].

In 2006, Wang and Cao proposed a new proxy multi-signature scheme [21] and provided a security proof in the random oracle model proposed by Bellare and Rogaway [22]. This model replaces hash functions by truly random functions. Although the model is efficient and useful, it has received much criticism because proofs in the random oracle model are not perfect: Canetti et al. [23] showed that security in the random oracle model does not imply security in the real world. Fortunately, by employing Waters' signature scheme [24], Liu et al. [20] proposed in 2008 a new scheme that can be proven secure without using the random oracle model. However, this scheme has two drawbacks. Firstly, it needs a relatively large number of public parameters and, secondly, its security reduction is loose. Therefore, finding a new proxy multi-signature scheme that is secure in the standard model with a tighter security reduction and shorter public parameters is an interesting research problem.

☆ This work was supported by the National 863 High-Tech Program of China (No. 2009AA01Z415), the National Natural Science Foundation of China under Grants 60773175, 60803133, 60873233, the National Research Foundation for the Doctoral Program of Higher Education of China under Grant No. 200806140010 and the open fund of the Youth Science and Technology Foundation of UESTC.
* Corresponding author. E-mail address: yingsun@ (Y. Sun).
0140-3664/$ - see front matter © 2010 Elsevier B.V. All rights reserved. doi:10.1016/com.2010.02.002

1.1. Our contribution

In this paper, we propose a new construction of a proxy multi-signature scheme whose security relies on the hardness of the CDH problem in the standard model. In fact, the new scheme can be viewed as an improved version of Liu et al.'s scheme [20]. We divide the potential adversaries into three kinds according to their attack power and, in Huang et al.'s security model [27,28], prove that the improved scheme is unforgeable against all kinds of adversaries in the standard model. Compared with Liu et al.'s scheme [20], the new scheme has three advantages. Firstly, it achieves a tighter security reduction than Liu et al.'s scheme. Secondly, the size of the public parameters is only about one half of that of Liu et al.'s scheme. Finally, the new scheme is more efficient in computation.

1.2. Roadmap

The remainder of this paper is organized as follows. Some preliminaries are given in Section 2. The formal model of proxy multi-signature schemes is described in Section 3. Our proxy multi-signature scheme and the comparison between our scheme and Liu et al.'s scheme are presented in Section 4. We give formal security proofs in the standard model in Section 5. Finally, conclusions are given in Section 6.

2. Preliminaries

In this section, we review some fundamental background used in this paper, including bilinear pairings, complexity assumptions and the Waters signature.

2.1. Bilinear pairings

Let $G$ and $G_T$ be two cyclic multiplicative groups of prime order $p$ and let $g$ be a generator of $G$. The map $e: G \times G \to G_T$ is said to be an admissible bilinear pairing if the following conditions hold [29].

(1) $e$ is bilinear, i.e. $e(g^a, g^b) = e(g, g)^{ab}$ for all $a, b \in \mathbb{Z}_p$.
(2) $e$ is non-degenerate, i.e. $e(g, g) \neq 1_{G_T}$.
(3) $e$ is efficiently computable.

2.2. Complexity assumption

Definition 1 (Computational Diffie–Hellman (CDH) Problem in $G$). Given $g, g^a, g^b \in G$ for some unknown $a, b \in \mathbb{Z}_p$, compute $g^{ab} \in G$. The success probability of a polynomial algorithm $\mathcal{A}$ in solving the CDH problem in $G$ is denoted as
$$\mathrm{Succ}^{CDH}_{\mathcal{A}} = \Pr\left[\mathcal{A}(g, g^a, g^b) = g^{ab} : a, b \in_R \mathbb{Z}_p\right].$$

Definition 2 (Computational Diffie–Hellman (CDH) Assumption in $G$). Given $g, g^a, g^b \in G$ for some unknown $a, b \in \mathbb{Z}_p$, $\mathrm{Succ}^{CDH}_{\mathcal{A}}$ is negligible.

2.3. Waters signature

In Eurocrypt 2005, Waters [24] presented an efficient identity based encryption scheme secure in the standard model, and he also showed how to derive a signature scheme from his encryption scheme. Let us first review the Waters signature scheme. Let $G$ be a group of prime order $p$, $e: G \times G \to G_T$ a bilinear pairing and $g$ the corresponding generator.

Setup. A secret $\alpha \in \mathbb{Z}_p$ is chosen at random. Compute $g_1 = g^\alpha$ and choose $g_2$ randomly in $G$. Additionally, choose a random value $u_0 \in G$ and a random vector $U = (u_1, u_2, \dots, u_n)$ whose elements are chosen at random from $G$. The public key is $(g, g_1, g_2, u_0, U)$ and the secret key is $g_2^\alpha$.

Signing. Let $M$ be an $n$-bit message to be signed, let $M_i$ denote the $i$th bit of $M$, and let $\mathcal{M} \subseteq \{1, \dots, n\}$ be the set of all $i$ for which $M_i = 1$. A signature is generated as follows. First, a random $r \in \mathbb{Z}_p$ is chosen and then the signature is constructed as
$$\sigma_M = \left( g_2^\alpha \Big( u_0 \prod_{i \in \mathcal{M}} u_i \Big)^r,\ g^r \right).$$

Verification. $\sigma = (\sigma_1, \sigma_2)$ is a valid signature on a message $M$ if
$$e(g, \sigma_1) = e(g_1, g_2)\, e\Big( \sigma_2,\ u_0 \prod_{i \in \mathcal{M}} u_i \Big).$$

Waters [24] showed that his signature scheme is existentially unforgeable; however, the reduction is not tight and the public key is long. Moreover, just as Tan [25] claimed, the Waters signature is malleable, meaning that an adversary is able to produce a different valid signature on the same message without knowing the private key. Given a Waters signature $\sigma = (\sigma_1, \sigma_2)$ on a message $M$, anyone can construct another signature on the same message as follows. First, choose a random $r' \in \mathbb{Z}_p^*$ and compute
$$\sigma_1' = \sigma_1 \Big( u_0 \prod_{i \in \mathcal{M}} u_i \Big)^{r'}, \qquad \sigma_2' = \sigma_2\, g^{r'}.$$
It can be checked that $(\sigma_1', \sigma_2')$ is a valid signature on $M$. The malleability of the Waters signature implies that it is not strongly unforgeable [26]. Liu et al.'s proxy multi-signature [20] is a 2-level hierarchical Waters signature; therefore, it is also malleable and is not strongly unforgeable.

3. Definitions and attack model

In this section, we give the outline of a proxy multi-signature scheme and its security model.

3.1. Outline of proxy multi-signature schemes

There exist three parties in a proxy multi-signature scheme: a set of original signers $L = \{U_1, U_2, \dots, U_l\}$, a proxy signer $U_p$ designated by all original signers, and a verifier. A proxy multi-signature scheme consists of the following algorithms.

Setup: Given a security parameter $k$, this algorithm outputs the system parameters.

KeyGen: It takes as input the security parameter $k$ and outputs the secret–public key pair $(sk_i, pk_i)$ for each party.

DelegationGen: Given the system parameters, the original signer's private key and a warrant $W$ to be signed, this algorithm outputs the delegation $\sigma_W$. In a warrant-based proxy multi-signature, the delegation is the original signers' standard signature on the warrant, which contains the original signers' identities, the proxy signer's identity, a period of validity, the restrictions on the class of messages for which the warrant is valid, and so on.

DelegationVerify: This is a deterministic verification algorithm that verifies the delegations signed by all the original signers on the warrant $W$. It takes as input the delegation of an original signer on the warrant $W$ and the public key of that original signer, and outputs $\top$ if the delegation is valid and $\bot$ if the delegation is invalid.

ProxyMulSign: This algorithm takes as input the system parameters, the warrant $W$ and all delegations $\sigma_W$, the secret key of the proxy signer and a message $M$ to be signed, and generates a proxy multi-signature $\sigma$ on $M$.

ProxyMulVerify: A deterministic algorithm that takes as input a message $M$, a warrant $W$, a proxy multi-signature $\sigma$, and the public keys of all the original signers and the proxy signer; it returns $\top$ if the signature is valid and $\bot$ if the signature is invalid.

3.2. Security notions

In 2001, Lee et al. [30] defined some properties that a proxy signature should provide, but their precise meaning is unclear. Wang and Cao [21] as well as Cao and Cao [16] presented formal security models for proxy multi-signature schemes in 2006, which are adapted versions of the model of proxy signature due to Boldyreva et al. [31] in 2003. However, their model is complicated and, just as Schuldt et al. pointed out [32], warrants are not explicitly modeled in Boldyreva et al.'s model and their scheme suffers from a proxy key exposure attack. In [28], Huang et al. proposed a new model of proxy signature, which is a better one since the classification of adversaries makes the security model clearer. We use this model to prove the security of our scheme. There are three types of adversaries in the system.

Type 1: This type of adversary $A_1$ only has the public keys of the original signers and the proxy signer.

Type 2: This type of adversary $A_2$ has the public keys of the original signers and the proxy signer; he additionally has the secret key of the proxy signer and of $l-1$ original signers. In the following, without loss of generality, we assume that $A_2$ has the private keys of all the original signers except the original signer $U_1$.

Type 3: This type of adversary $A_3$ has the public keys of all the original signers and the proxy signer; he additionally has the secret keys of all the original signers.

We can see that if a proxy multi-signature scheme is unforgeable against Type 2 and Type 3 adversaries, it is also unforgeable against a Type 1 adversary.

3.3. Attack model

3.3.1. Existential unforgeability against an adaptive $A_2$ adversary

Following the work of [27], we provide a formal definition of existential unforgeability of a proxy multi-signature scheme against a Type 2 adversary. Existential unforgeability against a Type 2 adversary requires that even if the adversary $A_2$ obtains the keys of the proxy signer and of $l-1$ original signers, all except one original signer, named $U_1$ without loss of generality, it is difficult for $A_2$ to forge a valid signature on a message $M$ under a warrant $W$ without obtaining the delegation on the warrant $W$. It is defined using the following game between an adversary $A_2$ and a challenger $C$.

Setup: The challenger $C$ runs the Setup algorithm to obtain the system parameters and runs the KeyGen algorithm to obtain the secret–public key pairs $(sk_i, pk_i)$ $(1 \le i \le l)$ and $(sk_p, pk_p)$ of all the original signers and the proxy signer, respectively. $C$ then sends $(sk_p, pk_p)$, $(pk_1, \dots, pk_l)$ and $(sk_2, \dots, sk_l)$ to $A_2$.

Delegation queries: Proceeding adaptively, $A_2$ can request the delegation on a warrant $W$. The challenger $C$ runs the DelegationGen algorithm to obtain $\sigma_W$ and returns it to $A_2$.

ProxyMulSign queries: Proceeding adaptively, $A_2$ can request a proxy multi-signature on a message $M$ under a warrant $W$. In response, $C$ runs the DelegationGen algorithm to generate the delegations of all the original signers on the warrant $W$. Then $C$ runs the ProxyMulSign algorithm to obtain a proxy multi-signature $\sigma$ and returns it to the adversary $A_2$.

Output: Finally, $A_2$ outputs a proxy multi-signature $\sigma^*$ on the message $M^*$ under the warrant $W^*$ such that
(1) $W^*$ has not been requested as one of the Delegation queries;
(2) $(M^*, W^*)$ has not been requested as one of the ProxyMulSign queries;
(3) $\sigma^*$ is a valid proxy multi-signature on the message $M^*$ under the warrant $W^*$.

The success probability of an adversary $A_2$ winning the above game is defined as $\mathrm{Succ}_{A_2}$. We say that a Type 2 adversary $A_2$ can $(t, q_w, q_p, \epsilon)$-break a proxy multi-signature scheme if $A_2$ makes at most $q_w$ delegation queries and $q_p$ ProxyMulSign queries in time at most $t$ and $\mathrm{Succ}_{A_2}$ is at least $\epsilon$.

3.3.2. Existential unforgeability against an adaptive $A_3$ adversary

Existential unforgeability of a proxy multi-signature scheme against a Type 3 adversary requires that it is difficult for the original signers to collaborate to generate a valid proxy multi-signature on a message $M^*$ that has not been signed by the proxy signer. It is defined using the following game between the challenger $C$ and a Type 3 adversary $A_3$.

Setup: The challenger $C$ runs the Setup algorithm to obtain the system parameters and runs the KeyGen algorithm to obtain the secret–public key pairs $(sk_i, pk_i)$ $(1 \le i \le l)$ and $(sk_p, pk_p)$ of all the original signers and the proxy signer, respectively. $C$ then sends $(pk_p, pk_1, \dots, pk_l, sk_1, \dots, sk_l)$ to $A_3$.

ProxyMulSign queries: Proceeding adaptively, $A_3$ can request a proxy multi-signature on a message $M$ under a warrant $W$. In response, $C$ runs the DelegationGen algorithm to generate the delegations of all the original signers on the warrant $W$. Then $C$ runs the ProxyMulSign algorithm to obtain a proxy multi-signature $\sigma$ and returns it to the adversary $A_3$.

Output: Finally, $A_3$ outputs a proxy multi-signature $\sigma^*$ with the warrant $W^*$ and the message $M^*$ such that
(1) $(M^*, W^*)$ has not been requested as one of the ProxyMulSign queries;
(2) $\sigma^*$ is a valid proxy multi-signature on the message $M^*$ under the warrant $W^*$.

The success probability of an adversary $A_3$ winning the above game is defined as $\mathrm{Succ}_{A_3}$. We say that a Type 3 adversary $A_3$ can $(t, q_p, \epsilon)$-break a proxy multi-signature scheme if $A_3$ makes at most $q_p$ ProxyMulSign queries in time at most $t$ and $\mathrm{Succ}_{A_3}$ is at least $\epsilon$.

4. Our scheme

In this section, we first describe our proxy multi-signature scheme, derived from Waters' scheme [24] and the BB04 scheme [33], and then give a comparison between our scheme and Liu et al.'s scheme [20].

4.1. Our proxy multi-signature scheme

As assumed earlier, there are three kinds of participants in the system, namely $l$ original signers $U_1, \dots, U_l$, a proxy signer $U_p$ and a verifier. Our scheme consists of the following algorithms.

Setup: The system parameters are as follows. Let $(G, G_T)$ be bilinear groups where $|G| = |G_T| = p$ for some prime $p$, let $g$ be a generator of $G$, and let $e$ denote an admissible pairing $G \times G \to G_T$. Pick $u_0, m_0, m_1, v \in G$ and a vector $\vec{u} = (u_j)$ of length $n$ whose entries are random elements of $G$, and a collision resistant hash function $H: \{0,1\}^* \times G \times G \to \mathbb{Z}_p$. The public parameters are $(G, G_T, H, p, g, e, m_0, m_1, u_0, v, \vec{u})$.

KeyGen: Each original signer $U_i$ $(1 \le i \le l)$ picks a random pair $sk_i = (x_i, y_i) \in \mathbb{Z}_p^*$ as his private key and computes the corresponding public key $pk_i = (pk_{ix}, pk_{iy}) = (g^{x_i}, g^{y_i})$. Similarly, the proxy signer $U_p$ picks his private key $(x_p, y_p) \in \mathbb{Z}_p^*$ at random and computes his public key $pk_p = (pk_{px}, pk_{py}) = (g^{x_p}, g^{y_p})$.

DelegationGen: Let $W$ be an $n$-bit warrant to be signed by each original signer and let $w_j$ denote the $j$th bit of $W$. To construct a more flexible scheme that allows warrants of arbitrary length, a collision resistant hash function $H_0: \{0,1\}^* \to \{0,1\}^n$ can be employed. The identities of the original signers and the proxy signer, the class of messages delegated, the period of validity and other delegation information are included in the warrant. Each original signer $U_i$ $(1 \le i \le l)$ picks a random $r_i \in \mathbb{Z}_p$, computes his delegation $\sigma_{W_i} = (\sigma_{W_i 1}, \sigma_{W_i 2})$ and sends it to the proxy signer $U_p$, where
$$\sigma_{W_i 1} = g^{x_i y_i} \Big( u_0 \prod_{j=1}^{n} u_j^{w_j} \Big)^{r_i}, \qquad \sigma_{W_i 2} = g^{r_i}.$$

DelegationVerify: After receiving all delegations, the proxy signer $U_p$ first checks the validity of all delegations on the warrant $W$. For $1 \le i \le l$, $U_p$ accepts $\sigma_{W_i}$ if the following equation holds:
$$e(\sigma_{W_i 1}, g) = e(pk_{ix}, pk_{iy})\, e\Big( u_0 \prod_{j=1}^{n} u_j^{w_j},\ \sigma_{W_i 2} \Big).$$
Otherwise, the proxy signer rejects it and requests a new delegation from $U_i$.

ProxyMulSign: If the proxy signer $U_p$ confirms the validity of all $(W, \sigma_{W_i})$, he computes the proxy multi-signature as follows.
(1) $U_p$ picks a random $r_p \in \mathbb{Z}_p$ and computes $k_p = g^{r_p}$.
(2) $U_p$ computes $\sigma_W = (\sigma_{W1}, \sigma_{W2})$, where
$$\sigma_{W1} = \prod_{i=1}^{l} \sigma_{W_i 1}, \qquad \sigma_{W2} = \prod_{i=1}^{l} \sigma_{W_i 2}.$$
(3) $U_p$ computes $h = H(M \| W, \sigma_{W2}, k_p)$.
(4) After checking the value $c \in \{0,1\}$ of the rightmost bit of the $x$ coordinate of $\sigma_{W2}$ and letting $m_c$ denote $m_0$ or $m_1$ according to $c = 0$ or $c = 1$, $U_p$ outputs the proxy multi-signature $\sigma = (\sigma_1, \sigma_2, \sigma_3)$, where
$$\sigma_1 = \sigma_{W1}\, g^{x_p y_p} (m_c v^h)^{r_p}, \qquad \sigma_2 = \sigma_{W2}, \qquad \sigma_3 = k_p.$$

ProxyMulVerify: To check whether $\sigma = (\sigma_1, \sigma_2, \sigma_3)$ is a valid proxy multi-signature on the message $M$ under the warrant $W = (w_1, \dots, w_n)$, a verifier examines whether the rightmost bit of the $x$ coordinate of $\sigma_2 \in G$ is 0 or 1 to determine the value $c \in \{0,1\}$, computes $h = H(M \| W, \sigma_2, \sigma_3)$, and accepts the proxy multi-signature if and only if the following equation holds:
$$e(\sigma_1, g) = \prod_{i=1}^{l} e(pk_{ix}, pk_{iy})\; e\Big( u_0 \prod_{j=1}^{n} u_j^{w_j},\ \sigma_2 \Big)\; e(pk_{px}, pk_{py})\; e(m_c v^h, \sigma_3).$$

4.2. Correctness

By the bilinearity of the pairing $e$, the correctness of the scheme is easy to verify. Once the rightmost bit value $c$ of the $x$ coordinate of $\sigma_2$ has been determined and $h = H(M \| W, \sigma_2, \sigma_3)$ has been generated,
$$e(\sigma_1, g) = e\Big( g^{x_p y_p} \prod_{i=1}^{l} g^{x_i y_i} \Big( u_0 \prod_{j=1}^{n} u_j^{w_j} \Big)^{r_i} (m_c v^h)^{r_p},\ g \Big)$$
$$= \prod_{i=1}^{l} e(g^{x_i}, g^{y_i})\; e\Big( u_0 \prod_{j=1}^{n} u_j^{w_j},\ g^{\sum_{i=1}^{l} r_i} \Big)\; e(g^{x_p}, g^{y_p})\; e(m_c v^h, g^{r_p})$$
$$= \prod_{i=1}^{l} e(pk_{ix}, pk_{iy})\; e\Big( u_0 \prod_{j=1}^{n} u_j^{w_j},\ g^{\sum_{i=1}^{l} r_i} \Big)\; e(pk_{px}, pk_{py})\; e(m_c v^h, g^{r_p})$$
$$= \prod_{i=1}^{l} e(pk_{ix}, pk_{iy})\; e\Big( u_0 \prod_{j=1}^{n} u_j^{w_j},\ \sigma_2 \Big)\; e(pk_{px}, pk_{py})\; e(m_c v^h, \sigma_3).$$

4.3. Comparison

We compare the security and efficiency of our scheme to those of Liu et al.'s scheme [20]. We denote by Mul, Exp and $\hat{e}$ the multiplication in $G$, the exponentiation in $G$ and the pairing computation, respectively. We summarize the comparison of the two schemes in Table 1. Both our scheme and Liu et al.'s scheme [20] share the same computation in the KeyGen, DelegationGen and DelegationVerify phases, so we omit these comparisons. The Size column is the proxy multi-signature size in group elements of $G$. The Params column gives the number of group elements of $G$ included in the public parameters. SM specifies whether the security proof is in the standard model and TN shows the tightness of the reduction, i.e. the success probability of the adversary in breaking the underlying intractable problem, the CDH problem. $l$ denotes the number of original signers. $n$, which can usually be the output length of a secure hash function, denotes the length of the warrant $W$ as a bit string. $2n + 2$ group elements are required as public parameters in Liu et al.'s scheme [20], while only $n + 4$ group elements are needed in our scheme. From this point of view, the property of smaller public parameters makes our scheme more suitable for applications with low storage requirements. Although the two schemes have the same signature size, our scheme has higher efficiency since the computational cost is reduced by $1\,\mathrm{Exp} + (n+3)\,\mathrm{Mul}$ in the ProxyMulSign algorithm and by about $1\,\hat{e} + n/2\,\mathrm{Mul} - 1\,\mathrm{Exp}$ in the ProxyMulVerify phase. Moreover, our scheme has a tighter security reduction than the scheme in [20].

Table 1. Efficiency comparisons of the two schemes.

Scheme | Size | ProxyMulSign | ProxyMulVerify | Params | SM | TN
Liu et al.'s scheme | $3|G|$ | $5\,\mathrm{Exp} + (n + 2l + 6)\,\mathrm{Mul}$ | $(l+4)\,\hat{e} + (n+2)\,\mathrm{Mul}$ | $(2n+2)|G|$ | Yes | $\dfrac{\epsilon}{16\, q_p (q_w + q_p)(n+1)^2}$
Our scheme | $3|G|$ | $4\,\mathrm{Exp} + (2l + 3)\,\mathrm{Mul}$ | $(l+3)\,\hat{e} + 1\,\mathrm{Exp} + (n/2 + 2)\,\mathrm{Mul}$ | $(n+4)|G|$ | Yes | $\dfrac{\epsilon}{16 (n+1) q_w}$

5. Security proof

In this section, we prove that the new scheme is unforgeable against Type 2 and Type 3 adversaries in the standard model. Finally, we show that our scheme satisfies all the requirements of a strong and proxy-protected proxy signature [30].

5.1. Unforgeability against a Type 2 adversary

Theorem 1. If there exists a Type 2 adversary $A_2$ who can $(t, q_w, q_{ps}, \epsilon)$-break our proxy multi-signature scheme, then there exists another algorithm $B$ who can use $A_2$ to solve an instance of the CDH problem in $G$ with probability
$$\mathrm{Succ}^{CDH}_{B} \ge \frac{\epsilon}{16 (n+1) q_w}$$
in time
$$t' \le t + (4 q_w + 8 q_{ps} + 2n + 2l + 9)\, t_{Exp} + \Big( \big( \tfrac{n}{2} + 2 \big) q_w + \big( \tfrac{n}{2} + 4 \big) q_{ps} + n + 6 \Big)\, t_{Mul},$$
where $t_{Exp}$ and $t_{Mul}$ denote the time for an exponentiation and a multiplication in $G$, respectively.

Proof. Assume that $B$ receives a random CDH problem instance $(g, g^a, g^b) \in G$; his goal is to compute $g^{ab}$. $B$ runs $A_2$ as a subroutine and acts as $A_2$'s challenger. $B$ responds to $A_2$'s queries in the following way. Note that this type of adversary $A_2$ has the public keys of all the original signers and the proxy signer; he also has the secret key of the proxy signer and of all the original signers except the original signer $U_1$.

Setup: $B$ sets the integer $\ell = 4 q_w$ and chooses $k$ uniformly at random between $0$ and $n$. Then it chooses a value $x_0$ and a random $n$-vector $\vec{x} = (x_j)$, where $x_0, x_j \in_R \mathbb{Z}_\ell$. Additionally, $B$ chooses a value $y_0$ and a random $n$-vector $\vec{y} = (y_j)$, where $y_0, y_j \in_R \mathbb{Z}_p$, and $\alpha, \beta, \gamma, \delta \in \mathbb{Z}_p^*$. These values are kept internal to $B$. Let $W = (w_1, w_2, \dots, w_n)$ be a warrant, and assume $p \gg (n+1)\ell$ for any $p, n, \ell$. Finally, $B$ chooses a collision resistant hash function $H: \{0,1\}^* \times G \times G \to \mathbb{Z}_p$. For ease of analysis, we define three functions $F(W)$, $J(W)$, $K(W)$ just as in [24,28]:
(1) $F(W) = (p - \ell k) + x_0 + \sum_{j=1}^{n} w_j x_j$,
(2) $J(W) = y_0 + \sum_{j=1}^{n} w_j y_j$,
(3) $K(W) = 0$ if $x_0 + \sum_{j=1}^{n} w_j x_j \equiv 0 \pmod{\ell}$, and $K(W) = 1$ otherwise.

Then $B$ sets the public keys of the participants and the common parameters as follows.
(1) $B$ assigns the public key of the original signer $U_1$ as $pk_{1x} = g^a$, $pk_{1y} = g^b$, where $g^a, g^b$ are the input of the CDH problem.
(2) $B$ chooses randomly $l - 1$ pairs $(x_i, y_i) \in \mathbb{Z}_p^*$ and, for $2 \le i \le l$, sets the $i$th original signer's private key and public key as $sk_{ix} = x_i$, $sk_{iy} = y_i$, $pk_{ix} = g^{x_i}$, $pk_{iy} = g^{y_i}$.
(3) $B$ chooses randomly a pair $(x_p, y_p) \in \mathbb{Z}_p^*$ and sets the proxy signer's private key and public key as $sk_{px} = x_p$, $sk_{py} = y_p$, $pk_{px} = g^{x_p}$, $pk_{py} = g^{y_p}$.
(4) $B$ assigns $u_0 = pk_{1y}^{\,p - k\ell + x_0}\, g^{y_0}$, $u_j = pk_{1y}^{\,x_j}\, g^{y_j}$, $\vec{u} = (u_1, u_2, \dots, u_n)$.
(5) $B$ sets $m_0 = g^{\alpha}$, $m_1 = pk_{1y}^{\,\delta}\, g^{\beta}$, $v = g^{\gamma}$.

Note that, at this point,
$$u_0 \prod_{j=1}^{n} u_j^{w_j} = pk_{1y}^{\,F(W)}\, g^{J(W)}.$$
$B$ returns $(G, G_T, e, p, g, u_0, \vec{u}, v, m_0, m_1, H)$, $(pk_{px}, pk_{py}, \dots, pk_{lx}, pk_{ly})$ and $(sk_{px}, sk_{py}, sk_{2x}, sk_{2y}, \dots, sk_{lx}, sk_{ly})$ to $A_2$.

Delegation queries: Suppose $A_2$ issues a delegation query for an $n$-bit warrant $W$ on the original signer $U_1$.
(1) If $K(W) = 0$, $B$ terminates the simulation and reports failure.
(2) If $K(W) \neq 0$, which implies $F(W) \not\equiv 0 \pmod{p}$ [24], $B$ can construct a delegation on this warrant by choosing a random $r_1 \in \mathbb{Z}_p$ and computing
$$\sigma_{W_1} = (\sigma_{W_{11}}, \sigma_{W_{12}}) = \left( pk_{1x}^{-\frac{J(W)}{F(W)}} \Big( u_0 \prod_{j=1}^{n} u_j^{w_j} \Big)^{r_1},\ pk_{1x}^{-\frac{1}{F(W)}}\, g^{r_1} \right).$$

Correctness. Writing $\hat{r}_1 = r_1 - \frac{a}{F(W)}$,
$$\sigma_{W_{11}} = pk_{1x}^{-\frac{J(W)}{F(W)}} \Big( u_0 \prod_{j=1}^{n} u_j^{w_j} \Big)^{r_1} = pk_{1x}^{-\frac{J(W)}{F(W)}} \big( pk_{1y}^{\,F(W)} g^{J(W)} \big)^{r_1}$$
$$= pk_{1y}^{\,a} \big( pk_{1y}^{\,F(W)} g^{J(W)} \big)^{-\frac{a}{F(W)}} \big( pk_{1y}^{\,F(W)} g^{J(W)} \big)^{r_1} = pk_{1y}^{\,a} \big( pk_{1y}^{\,F(W)} g^{J(W)} \big)^{r_1 - \frac{a}{F(W)}}$$
$$= pk_{1y}^{\,a} \big( pk_{1y}^{\,F(W)} g^{J(W)} \big)^{\hat{r}_1} = pk_{1y}^{\,a} \Big( u_0 \prod_{j=1}^{n} u_j^{w_j} \Big)^{\hat{r}_1} = g^{ab} \Big( u_0 \prod_{j=1}^{n} u_j^{w_j} \Big)^{\hat{r}_1},$$
$$\sigma_{W_{12}} = pk_{1x}^{-\frac{1}{F(W)}}\, g^{r_1} = g^{-\frac{a}{F(W)}}\, g^{r_1} = g^{r_1 - \frac{a}{F(W)}} = g^{\hat{r}_1}.$$

Since the adversary $A_2$ has the secret keys of the other original signers $U_i$ $(2 \le i \le l)$, he does not need to request $\sigma_{W_i}$, since he can generate a delegation on any warrant using those secret keys.

ProxyMulSign queries: Suppose $A_2$ issues a proxy multi-signature query for a message $M$ under a warrant $W = (w_1, w_2, \dots, w_n)$. $B$ randomly chooses $l$ values $r_1, \dots, r_l \in \mathbb{Z}_p$ and computes $g^{\sum_{i=1}^{l} r_i} \in G$.
(1) If the rightmost bit of the $x$-coordinate of $g^{\sum_{i=1}^{l} r_i}$ is 1, $B$ chooses a random $s \in \mathbb{Z}_p$ and computes
$$h = H\Big( M \| W,\ g^{\sum_{i=1}^{l} r_i},\ pk_{1x}^{-\frac{1}{\delta}}\, g^{s} \Big).$$
Since $A_2$ knows the secret key of the proxy signer, he can calculate the proxy multi-signature $\sigma = (\sigma_1, \sigma_2, \sigma_3)$, where
$$\sigma_1 = pk_{1x}^{-\frac{\beta + \gamma h}{\delta}}\; g^{\sum_{i=2}^{l} sk_{ix} sk_{iy}}\; \Big( u_0 \prod_{j=1}^{n} u_j^{w_j} \Big)^{\sum_{i=1}^{l} r_i}\; g^{sk_{px} sk_{py}}\; (m_1 v^h)^{s}, \qquad \sigma_2 = g^{\sum_{i=1}^{l} r_i}, \qquad \sigma_3 = pk_{1x}^{-\frac{1}{\delta}}\, g^{s}.$$
Finally, $B$ sends $\sigma = (\sigma_1, \sigma_2, \sigma_3)$ to $A_2$.

Correctness. Writing $\hat{s} = s - \frac{a}{\delta}$,
$$\sigma_1 = pk_{1x}^{-\frac{\beta + \gamma h}{\delta}} \cdot \Big( u_0 \prod_{j=1}^{n} u_j^{w_j} \Big)^{\sum_{i=1}^{l} r_i} \cdot g^{\sum_{i=2}^{l} sk_{ix} sk_{iy}} \cdot g^{sk_{px} sk_{py}} \cdot (m_1 v^h)^{s}$$
$$= pk_{1y}^{\,a} \cdot \big( pk_{1y}^{-a} \cdot pk_{1x}^{-\frac{\beta + \gamma h}{\delta}} \big) \cdot \Big( u_0 \prod_{j=1}^{n} u_j^{w_j} \Big)^{\sum_{i=1}^{l} r_i} \cdot g^{\sum_{i=2}^{l} x_i y_i} \cdot g^{x_p y_p} \cdot (m_1 v^h)^{s}$$
$$= pk_{1y}^{\,a} \cdot \big( pk_{1y}^{\,\delta} \cdot g^{\beta + \gamma h} \big)^{-\frac{a}{\delta}} \cdot \Big( u_0 \prod_{j=1}^{n} u_j^{w_j} \Big)^{\sum_{i=1}^{l} r_i} \cdot g^{\sum_{i=2}^{l} x_i y_i} \cdot g^{x_p y_p} \cdot (m_1 v^h)^{s}$$
$$= pk_{1y}^{\,a} \cdot \big( pk_{1y}^{\,\delta} \cdot g^{\beta} \cdot (g^{\gamma})^{h} \big)^{-\frac{a}{\delta}} \cdot \Big( u_0 \prod_{j=1}^{n} u_j^{w_j} \Big)^{\sum_{i=1}^{l} r_i} \cdot g^{\sum_{i=2}^{l} x_i y_i} \cdot g^{x_p y_p} \cdot (m_1 v^h)^{s}$$
$$= pk_{1y}^{\,a} \cdot (m_1 v^h)^{-\frac{a}{\delta}} \cdot \Big( u_0 \prod_{j=1}^{n} u_j^{w_j} \Big)^{\sum_{i=1}^{l} r_i} \cdot g^{\sum_{i=2}^{l} x_i y_i} \cdot g^{x_p y_p} \cdot (m_1 v^h)^{s}$$
$$= pk_{1y}^{\,a} \cdot \Big( u_0 \prod_{j=1}^{n} u_j^{w_j} \Big)^{\sum_{i=1}^{l} r_i} \cdot g^{\sum_{i=2}^{l} x_i y_i} \cdot g^{x_p y_p} \cdot (m_1 v^h)^{s - \frac{a}{\delta}}$$
$$= g^{x_p y_p} \cdot \prod_{i=1}^{l} g^{x_i y_i} \Big( u_0 \prod_{j=1}^{n} u_j^{w_j} \Big)^{r_i} \cdot (m_1 v^h)^{\hat{s}},$$
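To make the algorithms of Section 4 concrete, the following is an added example (not code from the paper or its authors) that runs the whole Setup, KeyGen, DelegationGen, DelegationVerify, ProxyMulSign and ProxyMulVerify sequence for $l$ original signers and one proxy signer. It is a constructed exponent-level simulation rather than a real pairing: every element of $G$ is held as its discrete logarithm base $g$ and every element of $G_T$ as its logarithm base $e(g,g)$, so the pairing becomes multiplication of exponents mod $p$ and the verification equation can be checked term by term. The prime $p$, the warrant length $n$, the SHA-256 stand-ins for $H$ and $H_0$, and the use of the low bit of the stored exponent in place of "the rightmost bit of the $x$ coordinate" are all assumptions of the example; because the logarithms are in the clear, it has no cryptographic strength and exists only to exhibit the scheme's algebra and the checks a verifier performs.

```python
"""Exponent-level simulation of the Sun et al. proxy multi-signature (Section 4).

Constructed stand-in, not the paper's code: an element of G is stored as its
discrete log base g (an int mod p) and an element of G_T as its log base e(g, g).
Multiplication in G is then addition mod p, exponentiation is multiplication mod p,
and the pairing e(g^x, g^y) = e(g, g)^{xy} is x*y mod p.  The logs are in the clear,
so this checks the scheme's algebra only and has no cryptographic strength.
"""
import hashlib
import secrets

P = (1 << 127) - 1   # constructed prime group order (a Mersenne prime)
N_BITS = 16          # constructed warrant length n (the paper leaves n open)

def gmul(*xs): return sum(xs) % P                    # product in G = sum of logs
def gexp(x, k): return (x * k) % P                   # x^k in G = scaled log
def pair(x, y): return (x * y) % P                   # e(g^x, g^y) = e(g, g)^{xy}
def rand_zp(): return secrets.randbelow(P - 1) + 1   # uniform element of Z_p^*

def hash_h(msg_w: bytes, s2: int, s3: int) -> int:
    """Stand-in for H: {0,1}^* x G x G -> Z_p (SHA-256 of the encoded tuple)."""
    data = msg_w + b"|" + s2.to_bytes(16, "big") + b"|" + s3.to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def setup():
    """Public parameters u0, m0, m1, v and the vector u = (u_1, ..., u_n)."""
    return {"u0": rand_zp(), "m0": rand_zp(), "m1": rand_zp(), "v": rand_zp(),
            "u": [rand_zp() for _ in range(N_BITS)]}

def keygen():
    """sk = (x, y) in Z_p^*, pk = (g^x, g^y)."""
    x, y = rand_zp(), rand_zp()
    return (x, y), (gexp(1, x), gexp(1, y))

def warrant_bits(w: bytes):
    """Stand-in for H0: {0,1}^* -> {0,1}^n, so warrants of any length can be used."""
    d = int.from_bytes(hashlib.sha256(w).digest(), "big")
    return [(d >> j) & 1 for j in range(N_BITS)]

def warrant_term(pp, w_bits):
    """u0 * prod_j u_j^{w_j}, the Waters-style hash of the warrant."""
    return gmul(pp["u0"], *[gexp(u, b) for u, b in zip(pp["u"], w_bits)])

def delegation_gen(pp, sk_i, w_bits):
    """U_i: sigma_Wi = (g^{x_i y_i} (u0 prod u_j^{w_j})^{r_i}, g^{r_i})."""
    x, y = sk_i
    r = rand_zp()
    return gmul(gexp(1, x * y), gexp(warrant_term(pp, w_bits), r)), gexp(1, r)

def delegation_verify(pp, pk_i, w_bits, sig_wi):
    """e(sigma_Wi1, g) == e(pk_ix, pk_iy) * e(u0 prod u_j^{w_j}, sigma_Wi2)."""
    s1, s2 = sig_wi
    return pair(s1, 1) == (pair(*pk_i) + pair(warrant_term(pp, w_bits), s2)) % P

def proxy_mul_sign(pp, sk_p, delegations, msg: bytes, w: bytes):
    """U_p aggregates the delegations, then signs with m_c and v^h."""
    sw1 = gmul(*[d[0] for d in delegations])   # prod_i sigma_Wi1
    sw2 = gmul(*[d[1] for d in delegations])   # prod_i sigma_Wi2 = g^{sum r_i}
    r_p = rand_zp()
    k_p = gexp(1, r_p)
    h = hash_h(msg + w, sw2, k_p)
    m_c = pp["m1"] if sw2 & 1 else pp["m0"]    # c = low bit of sigma_W2 (stand-in)
    xp, yp = sk_p
    s1 = gmul(sw1, gexp(1, xp * yp), gexp(gmul(m_c, gexp(pp["v"], h)), r_p))
    return (s1, sw2, k_p)

def proxy_mul_verify(pp, pks, pk_p, msg: bytes, w: bytes, sig):
    """The ProxyMulVerify equation; products in G_T become sums of logs."""
    s1, s2, s3 = sig
    h = hash_h(msg + w, s2, s3)
    m_c = pp["m1"] if s2 & 1 else pp["m0"]
    rhs = sum(pair(*pk) for pk in pks) + pair(*pk_p)
    rhs += pair(warrant_term(pp, warrant_bits(w)), s2)
    rhs += pair(gmul(m_c, gexp(pp["v"], h)), s3)
    return pair(s1, 1) == rhs % P

def demo(num_original=3):
    """One delegation + signing round for l original signers, plus negative checks."""
    pp = setup()
    keys = [keygen() for _ in range(num_original)]   # original signers U_1..U_l
    sk_p, pk_p = keygen()                            # proxy signer U_p
    w = b"U1,U2,U3 delegate to Up; valid 2010-03; invoices only"  # constructed warrant
    msg = b"invoice 1234: pay 500"                                # constructed message
    w_bits = warrant_bits(w)
    delegations = [delegation_gen(pp, sk, w_bits) for sk, _ in keys]
    pks = [pk for _, pk in keys]
    sig = proxy_mul_sign(pp, sk_p, delegations, msg, w)
    return {
        "delegations_valid": all(delegation_verify(pp, pk, w_bits, d)
                                 for pk, d in zip(pks, delegations)),
        "sig_valid": proxy_mul_verify(pp, pks, pk_p, msg, w, sig),
        "other_msg_rejected": not proxy_mul_verify(pp, pks, pk_p, msg + b"0", w, sig),
        "other_warrant_rejected": not proxy_mul_verify(pp, pks, pk_p, msg, w + b"; refunds", sig),
        "other_proxy_rejected": not proxy_mul_verify(pp, pks, keygen()[1], msg, w, sig),
    }
```

`demo()` returns a dictionary of booleans that should all be `True`: the $l$ delegations pass DelegationVerify, the proxy multi-signature passes ProxyMulVerify, and the same signature is rejected when the message, the warrant or the proxy's public key is changed. The negative cases fail because a changed message or $\sigma_3$ changes $h$ and hence the $e(m_c v^h, \sigma_3)$ term, a changed warrant changes $u_0 \prod_j u_j^{w_j}$, and a different proxy key changes $e(pk_{px}, pk_{py})$; in the simulation these are mismatches of integers mod $p$, with the same negligible failure probability a real pairing check would have.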
