| Graduate student: | 黃義雄 Yi-Hsiung Huang |
|---|---|
| Thesis title: | 具隱私性之簽章及簽密系統研究 On the Research of Some Digital Signature Schemes and Signcryption Schemes with Privacy |
| Advisor: | 顏嵩銘 Sung-Ming Yen |
| Oral examination committee: | |
| Degree: | Master |
| Department: | 資訊電機學院 - 資訊工程學系 Department of Computer Science & Information Engineering |
| Graduation academic year (ROC calendar): | 94 |
| Language: | English |
| Pages: | 87 |
| Chinese keywords: | designated verifier signature scheme, nominative signature scheme, signcryption scheme |
| Foreign-language keywords: | Designated Verifier Signature, Nominative Signature, Signcryption |
In this thesis, the research topic is digital signature and signcryption schemes with privacy. Conventional digital signature schemes cannot protect the privacy of the signer or of the signature recipient, because ordinary digital signatures are publicly verifiable. To protect the privacy of signature users, cryptographers have proposed several approaches: to protect the signer's privacy, designated verifier signature (DVS) schemes were proposed; to protect the recipient's privacy, nominative signature schemes were proposed.
In the research on designated verifier signatures, the goal is to design a new DVS scheme that provides non-repudiation of signatures. The approach is to incorporate a Diffie-Hellman key into a chameleon signature. A DVS scheme designed on this idea not only satisfies all the required properties; more importantly, our scheme provides non-repudiation of signatures and raises no concern about the signing right being delegated.
In the research on nominative signatures, the main work is the security analysis of a proposed signature scheme and of an attack on it. After rigorously considering the security protection the scheme provides and the effect the attack actually achieves, we conclude that: 1. the proposed attack is not entirely correct; 2. the security of the proposed signature scheme is not as complete as its authors claim. In addition, addressing the incompleteness of the proposed scheme and of its attack, we adopt the concept of screening to give a criterion for the range of applications to which the proposed scheme is suited.
Beyond the privacy of signature users, encryption is the technique generally used to protect the confidentiality of a message. However, in some situations a message must be both signed and encrypted, and for efficiency signcryption offers an efficient option. In this part of the research, we find that most previous discrete-logarithm-based signcryption schemes do not satisfy semantic security, because the hash function of the signature used leaks information related to the message. To address this weakness, we concatenate a random value after the message, so that an attacker who cannot learn the random value cannot compromise the confidentiality of the message.
In this thesis, our research focuses on digital signature schemes and signcryption schemes with privacy. Ordinary digital signature schemes do not protect the privacy of the signer or of the recipient, since they are publicly verifiable. To enhance the privacy of signatures, several signature schemes have been introduced. For the privacy of the signer, the designated verifier signature is a well-known primitive with rigorous definitions and properties. For the privacy of the signature recipient, the nominative signature provides a solution.
Observing that most existing designated verifier signature schemes cannot provide non-repudiation, our objective is to design a new strong DVS construction. With the help of a chameleon signature and a Diffie-Hellman key, a new DVS construction is proposed. This generic construction satisfies all the required properties of designated verifier signatures, including a secure disavowal protocol. Moreover, the proposed construction is simple and does not suffer from the weakness of signing-right delegatability.
In the research on nominative signatures, the main work is a security analysis of one introduced scheme and of its cryptanalysis. After reconsidering the security of the introduced scheme and the claims of its cryptanalysis, we conclude that the cryptanalysis is only partially correct; meanwhile, the previous schemes are not as strong as claimed. Moreover, we adopt the concept of signature screening for the introduced scheme to define precisely the scenarios in which it can be applied.
Besides the privacy of signatures, an intuitive way to protect messages is encryption. In many cases, messages need to be signed and encrypted simultaneously; for efficiency, signcryption was introduced. In this line of research, our goal is to provide a countermeasure for a weakness of previous signcryption schemes: most existing discrete-logarithm-based signcryption schemes are not semantically secure, because the hash computation of the signature scheme leaks information about the encrypted message. In response to this weakness, we propose a countermeasure that concatenates the message with a random value. With this method, the output of the hash computation is indistinguishable to a third party, so the confidentiality of the message is preserved.
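The leak described in the signcryption part of both abstracts is easiest to see on a low-entropy message: if a publicly visible component of the signature is a hash of the bare message, a third party can simply hash each plausible message and compare. The following Python is an added illustration of that generic failure and of the "message || random value" countermeasure; it is not the thesis's construction and not any of the cited schemes. SHA-256 stands in for the scheme's hash function, the two-message candidate set and the 16-byte random value are constructed for the demonstration, and encryption of the part that carries the random value to the recipient is abstracted away (the eavesdropper in this model sees only the public hash component).

```python
"""
Added example: hash-over-message leaks information; hash-over-(message || r)
with a secret fresh r does not. Not the thesis's scheme; SHA-256 is a stand-in.
"""
import hashlib
import secrets

RANDOM_BYTES = 16  # assumed length of the appended random value r


def weak_hash_component(message: bytes) -> bytes:
    """Weak pattern: the signature's hash is computed over the message alone.
    Anyone who sees this value can test candidate messages against it."""
    return hashlib.sha256(message).digest()


def randomized_hash_component(message: bytes, r: bytes) -> bytes:
    """Countermeasure: hash over message || r, where r is fresh per message and
    reaches the recipient only inside the encrypted part of the signcryption."""
    return hashlib.sha256(message + r).digest()


def signcrypt_randomized(message: bytes):
    """Sender side of the model: draws r and returns the public hash component
    together with the confidential part (message, r). Encryption of that part
    is abstracted: an eavesdropper is given only the public component."""
    r = secrets.token_bytes(RANDOM_BYTES)
    return randomized_hash_component(message, r), (message, r)


def recipient_verifies(message: bytes, r: bytes, public_hash: bytes) -> bool:
    """Recipient, who recovers (message, r) by decryption, recomputes the hash.
    compare_digest keeps the comparison constant-time."""
    return secrets.compare_digest(randomized_hash_component(message, r), public_hash)


def third_party_guess(public_hash: bytes, candidates):
    """Third party who knows only the public hash component and a list of
    plausible messages; returns the candidate that matches, or None."""
    for candidate in candidates:
        if secrets.compare_digest(weak_hash_component(candidate), public_hash):
            return candidate
    return None


def demo(message: bytes = b"approve", candidates=(b"approve", b"reject")):
    """Runs both variants on a constructed two-message space and reports
    whether the guessing attack succeeds and whether the recipient still verifies."""
    weak = weak_hash_component(message)
    public_hash, (m, r) = signcrypt_randomized(message)
    return {
        "weak_guess": third_party_guess(weak, candidates),          # recovers the message
        "randomized_guess": third_party_guess(public_hash, candidates),  # None
        "recipient_ok": recipient_verifies(m, r, public_hash),      # True
    }


if __name__ == "__main__":
    print(demo())
```

The guessing attack is exactly a semantic-security break: the adversary learns which of two messages was sent from public data alone. With the random value appended, its success probability collapses to about (number of candidates) / 2^128 for a 16-byte r, but only if r is unpredictable and is itself carried under the encryption; an r that is reused, predictable, or sent in the clear restores the leak.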