【作者】 胡国政；

【导师】 洪帆；

【作者基本信息】 华中科技大学 ， 计算机软件与理论， 2009， 博士

【摘要】 随着计算机和计算机网络的快速发展，信息安全已经成为信息社会急需解决的问题。认证体制是保障信息安全的重要手段之一，可以提供认证性、不可否认性和数据完整性等安全服务，是实现安全电子商务和安全电子政务的关键技术。尽管很多学者对认证体制开展了大量的研究工作，取得了丰硕的研究成果，但是仍存在一些问题有待解决，值得进一步深入研究。可证安全性是数字签名方案的基本要求。大多数现有的比较有效的数字签名方案都是在随机预言模型中可证安全。可是，理想化的随机预言模型存在一定的局限性，即理想的随机函数不能在实际环境中实现。因此，如何设计在标准模型下可证安全且有效的数字签名方案是一个重要问题。利用双线性对技术构造了一个在标准模型下可证安全且有效的数字签名方案。基于强Diffie-Hellman假设，在标准模型中证明了该数字签名方案在适应性选择消息攻击下是强存在性不可伪造。在这个签名方案中，生成签名不需要配对运算，验证签名只需要两次配对运算。作为普通数字签名的一种变形，代理签名允许原始签名者把签名权利委托给代理签名者，具有广泛的应用。但是现有的代理签名方案大多存在不足，有的代理签名方案只有启发式分析，没有形式化安全模型和严格的证明，有的只是在较弱的安全模型中可证安全，这些弱安全模型没有考虑实际中存在的适应性选择密钥和选择授权书攻击。为了克服这些弱点，提出了两个新的加强型代理签名安全模型，一个是加强型注册密钥模型，另一个是选择密钥模型，在此基础上利用双线性对构造了两个代理签名方案，一个在加强型注册密钥模型下可证安全，另一个在选择密钥模型下可证安全。这两个代理签名方案中的普通签名和代理签名都是短签名，即只用一个群元素表示。在强安全模型下给出了这两个代理签名方案的形式化安全证明，将它们的安全性直接归约为基本签名方案的安全性。聚集签名方案是一种支持把多个签名压缩成单个短签名的数字签名方案，聚集有助于减少带宽和存储。为了减少实施普通签名和代理签名的存储量和验证这些签名的计算量，提出了一种新的聚集签名，称为无限制混合聚集签名，并给出了形式化定义和安全模型。利用双线性对技术构造了一个无限制混合聚集签名方案UHAS。与以前的聚集签名方案不同的是，UHAS支持把普通签名和代理签名通过聚集算法聚集成一个短签名。更重要的是，不要求这些签名的签名者是不同的，也不要求待签名的消息是不同的。单个聚集签名就能使验证者确信，所有的签名者的确已经对相应的消息签名。基于计算性co-Diffie-Hellman假设在随机预言模型中证明了方案UHAS的安全性。无证书数字签名是一种新型的数字签名，它既能克服传统数字签名中的证书管理问题，又能避免基于身份的签名体制中的密钥托管问题。可是，很多无证书签名方案存在安全漏洞。分析了一些基于双线性对的无证书数字签名方案，包括普通无证书签名方案、无证书代理签名方案、带安全中介的无证书签名方案、标准模型下可证安全的无证书签名方案，证明了这些无证书签名方案对于密钥替换攻击和恶意KGC攻击是不安全的，指出了产生安全漏洞的原因，并给出了防止措施和改进方案。现有身份认证协议的安全性大多是在随机预言模型这一理想模型中证明的。利用在标准模型中可证安全的数字签名方案构造了两个高效和可证安全的基于ID的身份认证协议，分析了这两个基于ID的身份认证协议的安全性，基于强Diffie-Hellman假设在标准模型中证明了一个在被动攻击下可防止冒充安全，另一个在主动和并行攻击下可防止冒充安全。更多还原

【Abstract】 With the fast development of computer and networks, information security has become one of the most important problems in the information society. Authentication schemes are one of the most useful and fundamental primitives in public key cryptography which applies cryptographic methods to achieve the security services such as authenticity, integrity and nonrepudiation. Digital signatures and identification protocols are the crucial techniques to realize the secure e-commerce and secure e-government. Many researchers do much work on authentication schemes, and obtain great achievement. However, some issues on authentication schemes are not resolved effectively. It is necessary to do further research on these issues.Provable security is the basic requirement of digital signature schemes. Most of existing digital signature schemes are provably secure in the random oracle model. However, the idealized random oracle model has certain limitations, that is, ideal random functions cannot be implemented in the standard model. Therefore, it is an important issue to design an efficient and provably secure in the standard model. A new and efficient signature scheme was presented, which was provably secure in the standard model from bilinear maps. The security of the proposed scheme is based on the strong Diffie-Hellman (SDH) assumption. The formal proof of security of the proposed signature scheme was showed under the SDH assumption in the standard model. The proposed scheme is practical. The generation of signatures needs not the calculation of bilinear maps and the verification just needs twice calculations of bilinear maps.As a variant of ordinary signature schemes, proxy signature schemes allow original signers to delegate their signing rights to proxy signers and are useful in many applications. However, there are some drawbacks in most of existing proxy signature schemes. Some schemes have only heuristic analysis, that is, they have no formal security models and rigorous security proofs; some schemes are provable secure only in the weak security models, which did not consider the real attacks such as chosen key attacks and chosen delegation warrant attacks. In order to overcome these flaws, two new enhanced formal model of security for proxy signature schemes are presented: one is the enhanced registered key model and the other is the chosen key model. Two proxy signature schemes are proposed from bilinear maps: one is provably secure in the enhanced registered key model and the other is provably secure in the chosen key model. In the two proposed proxy signature schemes, ordinary signatures and proxy signatures are all short signatures, i.e., each signature is represented only one element of the employed group. Security proofs of the two proposed proxy signature schemes were provided by reducing directly the security of the proxy scheme to the basic signature schemes.An aggregate signature scheme is a digital signature scheme which allows a collection of signatures to be able to be compressed into one short signature. Aggregation is useful to reduce bandwidth and storage. To reduce the amount of memory required to store standard signatures and proxy signatures, and the computational time required to verify their validity, a new notion called unrestricted hybrid aggregate signatures is introduced and formalized. Unlike previous aggregate signatures, unrestricted hybrid aggregate signatures can aggregate simultaneously standard signatures and proxy signatures into a single short signature, and more importantly it is not required that all the signers and/or all the messages are distinct. The single signature will convince the verifier that all the signers did indeed sign the corresponding messages. A concrete unrestricted hybrid aggregate signature scheme UHAS based on bilinear maps was proposed. The proposed scheme UHAS was showed that it was provable secure in the random oracle under the computational co-Diffie-Hellman assumption.Certificateless signatures are a new and attractive paradigm, which can eliminate the use of certificates as in the traditional PKI, while at the same time, solve the key escrow problem that is inherent in identity based cryptography. Unfortunately, many proposed certificateless signature schemes have security flaws. Several certificateless cryptosystems were analyzed which involved a certificateless signature scheme, a certificateless proxy signature schemes, a mediated certificateless signature scheme and a certificateless signature scheme provably secure in the standard model. It was showed that these certificateless signature schemes were all insecure against key replacement attacks and/or malicious KGC attacks. The reasons for these flaws were discussed and the defense measures and improved schemes were given.Most existing identification protocols are provably secure in the random oracle model. In this thesis, two efficient and provably secure ID-based identification schemes were presented, which are provably secure in the standard model based on the strong Diffie-Hellman assumption. It was showed in the standard model that one scheme was secure against impersonation under passive attack and the other scheme was secure against impersonation under active and concurrent attacks.更多还原