Institutional Repository of the Institute of Software, Chinese Academy of Sciences
Title: 群签名的研究 (A Study on Group Signatures)
Author: 周苏静 (Zhou Sujing)
Defense date: 2008-01-14
Degree-granting institution: Institute of Software, Chinese Academy of Sciences
Degree-granting location: Institute of Software
Degree: PhD
Keywords: group signatures, member authentication, anonymous authentication, trusted computing
Alternative title: A Study on Group Signatures
Abstract: The two main components of a public-key cryptosystem are digital signatures and encryption. A digital signature plays the role that handwritten signatures have long played in society: it establishes trust and prevents forgery, and seeing the seal is as good as seeing the person. Some applications need the seal to stand for many people, like the official seal of an ancient office or the corporate seal of today: the people change but the seal does not. In electronic commerce a customer must sign a transfer authorization for the merchant, yet does not want to reveal their identity, nor let the merchant learn about their other transactions. In electronic voting each ballot must be valid, i.e. cast by someone legally entitled to vote, must not reveal the voter's identity, and the voter must be prevented from voting more than once. The technique underlying these applications is group-oriented digital signatures, an important direction in group cryptography. Depending on the application, group-oriented signatures take several forms, such as group signatures and ring signatures; group signatures in particular have important applications in e-commerce and e-government. This dissertation studies the design and implementation of group signatures. Its contents are as follows.
Anonymity in the security model of group signatures. We find that when designing and implementing the opening algorithm of a group signature, or the decryption algorithm of a public-key encryption scheme, it is essential to verify the validity of the signature or ciphertext first; the opening key and the decryption key must be used with care and never misused, otherwise the intended security level is not reached. We prove the strong anonymity of the ACJT group signature (the first practical group signature, based on the RSA problem, proposed by Ateniese, Camenisch, Joye and Tsudik at CRYPTO'00). Whether group signatures built on weakly indistinguishable public-key encryption, such as ACJT, achieve strong anonymity was posed as an open problem in a paper at ASIACRYPT'04.
Keeping an efficient member-revocation algorithm in certain group signatures without lengthening the signatures. Member revocation is an important problem for group signatures. One of the better current approaches accumulates all current members with a dynamic accumulator, as Camenisch et al. did for the ACJT group signature; its drawback is that signature length and computation almost double. Boneh et al. also used a dynamic accumulator to add revocation to their short group signature, but there the accumulator collects all revoked members; we call such an accumulator a reversed accumulator. This dissertation defines reversed accumulators and applies them to more group signatures, preserving the revocation capability of the original scheme without increasing signature length or computation. It also addresses additional issues raised by reversed accumulators, such as how to open a group signature: a current member's certificate may have been updated as membership changed and may no longer match the initial certificate stored by the tracing manager.
A practical member ID-based group signature, in which the tracing manager can identify the actual signer without a registration table of member records. The scheme is provably secure in the random oracle model (ROM) and resists framing by the group manager: a member's private key is known only to that member and is not exposed to the group manager or anyone else, which to our knowledge is unique among known ID-based group signatures. The scheme may also be the first application of the "partial" one-way trapdoor function proposed by Paillier; usually only its one-way trapdoor property has been used.
A new computational assumption on elliptic curves and a verifier-local revocation (VLR) group signature whose security reduces to it, i.e. a group signature with passive member revocation. The scheme is short and computationally cheap. Several VLR-BU group signatures (VLR group signatures with backward unlinkability) are also proposed, one of which is non-frameable and currently has the shortest signature length and the least computation. Under the proposed assumption, a scheme even shorter and cheaper than the group signature of Ateniese et al. (EUROCRYPT'06), which is provably secure outside the ROM, is also obtained.
Formal definitions and properties of the randomizable ordinary signatures usable for efficient group signatures; specifically, unlinkably randomizable signatures, indirectly signable signatures, and Sigma-protocol-friendly signatures. We observe that all known practical group signatures, including the well-known ACJT and Nguyen-Safavi-Naini schemes, reduce to such randomizable signatures, so that designing a practical group signature reduces to finding an ordinary signature with these properties. We give a randomizable-signature version of the Nguyen-Safavi-Naini group signature and two new randomizable signatures, and derive new group signatures from them. We also point out that the group signature proposed by Camenisch and Lysyanskaya at CRYPTO'04 is in fact insecure, and give a fix.
English abstract: Digital signature schemes are one of the main pillars of public-key cryptosystems. To serve the function of a handwritten signature, a digital signature must be unforgeable by anyone other than the owner of the secret key. Extra properties are required of a digital signature in some particular scenarios. In e-government, officials want to keep their identities from outsiders when they sign documents in the name of the branch they work for. In e-commerce, consumers want to remain anonymous to merchants when they sign checks, and prefer that merchants cannot trace their transactions. In electronic voting, valid votes should come only from legitimate citizens, and one vote per person should be guaranteed. The techniques underlying these applications are group-oriented digital signatures, which can be further subclassified into group signatures, ring signatures, etc. The topic of this dissertation is group signatures. In particular, the security model of group signatures and how to construct efficient group signatures are investigated. We discuss the anonymity of group signatures and show that an implicit assumption behind anonymity has been misunderstood or neglected. We prove the anonymity of the ACJT group signature, which was an open problem posed at ASIACRYPT'04. We integrate membership revocation into some group signatures, reducing their signature lengths by half, with the help of reversed dynamic accumulators, which we formalize for the first time. We propose a practical member ID-based group signature, which is provably secure in the random oracle model. The scheme has characteristics unique among ID-based group signatures: it needs no registration table storing members' joining transcripts, and it is secure against framing by the group manager.
It is also the first application of the "partial" one-way trapdoor function since it was put forward by Paillier. We propose a new computational complexity assumption based on elliptic curves with bilinear maps, and some verifier-local revocation group signatures, with or without backward unlinkability, whose traceability reduces to the new assumption. The schemes have short signatures and low computational cost. A group signature even shorter than the practical standard-model scheme of Ateniese et al. (EUROCRYPT'06) is also obtained. We formalize the characteristics of randomizable signatures that are required to build secure efficient group signatures, namely unlinkable randomizability, indirect signability and $\Sigma$-protocol friendliness. We show that all secure efficient group signatures known so far in fact follow this line of using such signatures; the observation is supported by giving, for the first time, the unlinkably randomizable version of a well-known group signature based on the $q$-SDH assumption. Designing efficient secure group signatures can then be boiled down to designing such ordinary signatures. We further propose two new unlinkably randomizable signatures, which yield new efficient group signatures. We also point out that the efficient group signature proposed by Camenisch and Lysyanskaya at CRYPTO'04 is not secure, and provide a fixed scheme.
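The verify-before-open point made in both abstracts (the opening key must not be applied to an unverified signature, and schemes such as ACJT rely on an encryption that is only weakly indistinguishable) is easiest to see in code. The following toy is an added example written for this page; it is not the dissertation's scheme and not ACJT. As stand-ins it assumes a plain ElGamal encryption of the signer's identity to the opener (chosen-plaintext secure only, and malleable), a Schnorr-style proof bound to the ciphertext in place of a real membership-certificate proof, a roster dictionary in place of the registration table, and constructed 63-bit parameters that are far too small to be secure. Every name in it (`open_naive`, `open_checked`, `malleate`, `anonymity_attack`, `ROSTER`, ...) is hypothetical.

```python
"""Added toy example, not the dissertation's scheme: why a group-signature opener
must verify a signature before applying the opening key to it."""
import hashlib
import secrets

SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # Miller-Rabin bases

def is_prime(n):
    """Deterministic Miller-Rabin with fixed bases (exact for n < 3.3e24)."""
    if n < 2:
        return False
    for sp in SMALL:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_from(start):
    """Smallest q >= start with q and 2q + 1 both prime: deterministic toy parameters."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

# Toy 63-bit group (constructed; far too small to be secure). G = 4 is a quadratic
# residue mod a safe prime, so it generates the order-Q subgroup.
P, Q = safe_prime_from(1 << 62)
G = 4
assert pow(G, Q, P) == 1

def encode_id(member_id):
    """Identities are encoded as squares so they lie in the order-Q subgroup."""
    return pow(member_id + 1, 2, P)

ROSTER = {encode_id(i): i for i in range(1, 100)}   # toy stand-in for the registration table

def hash_to_int(*parts):
    """Fiat-Shamir challenge over the whole ciphertext and the commitment."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def opener_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)          # (opening key, opener public key)

def sign(member_id, opener_pk):
    """ElGamal-encrypt the signer's identity to the opener; the Schnorr proof of r
    takes its challenge over c1, c2 and t, so it is bound to the whole ciphertext."""
    r = secrets.randbelow(Q - 1) + 1
    c1, c2 = pow(G, r, P), encode_id(member_id) * pow(opener_pk, r, P) % P
    k = secrets.randbelow(Q - 1) + 1
    t = pow(G, k, P)
    s = (k + hash_to_int(c1, c2, t) * r) % Q
    return {"c1": c1, "c2": c2, "t": t, "s": s}

def verify(sig):
    c = hash_to_int(sig["c1"], sig["c2"], sig["t"])
    return pow(G, sig["s"], P) == sig["t"] * pow(sig["c1"], c, P) % P

def decrypt(c1, c2, opening_key):
    return c2 * pow(c1, P - 1 - opening_key, P) % P   # c2 * c1^(-x)

def open_naive(sig, opening_key):
    """Opening without verification: the opening key is applied to any input."""
    return decrypt(sig["c1"], sig["c2"], opening_key)

def open_checked(sig, opening_key):
    """Opening as the abstracts prescribe: verify first, only then use the key."""
    if not verify(sig):
        raise ValueError("invalid group signature: refusing to open")
    return decrypt(sig["c1"], sig["c2"], opening_key)

def malleate(sig):
    """ElGamal is homomorphic: c2 * G encrypts (identity * G) under the same c1.
    The proof is left untouched, so it no longer matches the ciphertext."""
    forged = dict(sig)
    forged["c2"] = sig["c2"] * G % P
    return forged

def anonymity_attack(target_sig, open_oracle, opening_key):
    """Holder of a target signature queries the opener on a related forgery (the
    anonymity game forbids only the target itself) and unshifts the answer."""
    try:
        shifted = open_oracle(malleate(target_sig), opening_key)
    except ValueError:
        return None                 # a verifying opener gives nothing away
    return ROSTER.get(shifted * pow(G, P - 2, P) % P)
```

Calling `anonymity_attack(sig, open_naive, sk)` on a signature `sig = sign(7, pk)` returns 7: an opener that decrypts whatever it is given is a chosen-ciphertext decryption oracle, and the adversary only needs to re-randomise the target's ciphertext, which the anonymity game allows. `anonymity_attack(sig, open_checked, sk)` returns `None`, because the Fiat-Shamir challenge covers `c2` and the malleated ciphertext no longer matches its proof. Verifying the signature is what stands in for the chosen-ciphertext security the underlying encryption lacks, which is the sense in which the abstracts say the opening key must not be misused.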
Language: Chinese
Content type: Doctoral dissertation
URI: http://ir.iscas.ac.cn/handle/311060/5862
Appears in collections: Institute of Software, CAS (中科院软件所)

Files in this item: 10001_200418015029066周苏静_paper.pdf (1383 KB), restricted access; contact the repository to obtain the full text.

Recommended citation:
周苏静 (Zhou Sujing). 群签名的研究 (A Study on Group Signatures) [D]. Institute of Software, Chinese Academy of Sciences, 2008-01-14.
Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.
Copyright © 2007-2017 Institute of Software, Chinese Academy of Sciences