
Research on Several Problems of Digital Signatures

【Author】 杜红珍 (Du Hongzhen)

【Supervisor】 温巧燕 (Wen Qiaoyan)

【Author information】 Beijing University of Posts and Telecommunications, Cryptography, 2009, PhD

【Abstract (translated from the Chinese)】 With the rapid development of computer networks and e-commerce, the importance of information security grows by the day. Digital signature technology provides security services such as authentication, integrity and non-repudiation for electronic data transmission; it is one of the core technologies of information security and a key technology of secure e-commerce and secure e-government. Research on digital signature technology therefore has important theoretical and practical significance. Identity-based public key cryptography simplifies the key management problem of traditional certificate-based cryptosystems, and its study is currently a hot topic. This dissertation centres on the design and security proofs of identity-based signature schemes and on how to solve the key escrow problem inherent in that setting; the main research content covers the design of identity-based short signatures, identity-based aggregate signatures and traceable identity-based signatures. In addition, certificateless signatures, certificateless proxy signatures and certificateless designated verifier signatures are studied. The main results of the dissertation are as follows:
1. An identity-based short signature scheme is proposed that is provably secure under the k-CAA hardness assumption in the random oracle model. The scheme retains the advantages of existing identity-based signature schemes and is more efficient than them; the signature is only 160 bits long, currently the shortest identity-based signature.
2. A new identity-based aggregate signature scheme is proposed from bilinear pairings. A security proof is given in the random oracle model, and its security reduces to the computational Diffie-Hellman problem. Compared with existing identity-based aggregate signatures, our scheme further improves verification and transmission efficiency, since verification requires computing only 3 bilinear pairings and the signature is only 320 bits long. In addition, a security analysis of the Song-Kim-Lee-Yoon aggregate signature is given, showing that it is universally forgeable.
3. The key escrow problem is the main drawback of identity-based digital signatures. To address it, the definition and security model of traceable ID-based signature (T-IBS) are proposed, and a T-IBS scheme that needs no bilinear pairing is constructed; it is provably secure in the random oracle model under the elliptic curve discrete logarithm assumption. Compared with existing signature schemes free of key escrow, our scheme is efficient to implement: the signing algorithm needs only 1 scalar multiplication in the additive group, and the verification algorithm needs only 3 scalar multiplications.
4. Certificateless public key cryptography is a good cryptographic paradigm proposed in recent years; it draws on the advantages of certificate-based and identity-based public key cryptography while avoiding the drawbacks of both. A provably secure certificateless signature scheme is proposed under the k-CAA and Inv-CDH hardness assumptions. The scheme not only has the advantages of similar schemes, but its construction uses only ordinary hash functions and avoids the inefficient MapToPoint function. It is more efficient than all existing schemes of its kind, and the signature is only 160 bits long, currently the shortest certificateless signature, so it is very suitable for communication environments with limited network bandwidth.
5. The definition and security model of certificateless strong proxy signatures are proposed, and a certificateless strong proxy signature scheme is constructed from bilinear pairings. The scheme satisfies all the properties a strong proxy signature should have in the certificateless public key setting, and its construction uses only ordinary hash functions, avoiding the inefficient MapToPoint function. The online computation for signing and verification needs only 1 scalar multiplication, 2 exponentiations and 1 bilinear pairing operation.
6. A certificateless designated verifier signature scheme is constructed from bilinear pairings, with a security proof and efficiency analysis. In addition, the definition of certificateless designated verifier proxy signature is proposed for the first time, a certificateless designated verifier proxy signature scheme is constructed, and analysis shows that the scheme satisfies all the properties a designated verifier proxy signature should have in a certificateless cryptosystem.

【Abstract】 With the rapid development of computer networks and e-commerce, information security has become more and more important. Digital signatures, which provide authentication, integrity and non-repudiation for data transfer, are one of the crucial techniques of information security and play a very important role in e-commerce and e-governance. Hence, research on digital signatures is both significant and practical. ID-based public key cryptography simplifies the key management process, which is a heavy burden in traditional certificate-based cryptosystems, and it has been a hot topic in modern cryptography. This dissertation studies how to design an ID-based signature scheme, how to prove its security, and how to solve its drawback of key escrow. We focus on ID-based short signatures, ID-based aggregate signatures, traceable ID-based signatures, certificateless signatures, certificateless proxy signatures and certificateless designated verifier signatures. The major contributions of the dissertation are as follows:
1. We present a short ID-based signature (IBS) scheme that is proved secure in the random oracle model under the hardness assumption of the k-CAA problem. The proposed scheme upholds all desirable properties of previous IBS schemes. Furthermore, our scheme requires less computation and is significantly more efficient than all known IBS schemes, and the size of the signatures it generates is approximately 160 bits, the shortest ID-based signature so far.
2. We propose a new ID-based aggregate signature scheme from bilinear pairings. Its security proof is given in the random oracle model and reduces to the computational Diffie-Hellman problem. Compared with the existing ID-based aggregate signature schemes, our scheme drastically improves the efficiency of signature communication and verification, since the verification algorithm requires only 3 pairing evaluations and the size of the signature is only about 320 bits. In addition, we cryptanalyze an ID-based aggregate signature scheme presented by Song, Kim, Lee and Yoon, and show that it is universally forgeable.
3. The inherent key escrow problem is a main disadvantage of IBS schemes. This dissertation introduces the concept and security model of traceable ID-based signature (T-IBS), a new approach to mitigating the key escrow problem in IBS schemes. We present a T-IBS scheme without pairings and prove its security under the elliptic curve discrete logarithm assumption in the random oracle model. Compared with the existing schemes that do not suffer from key escrow, ours achieves higher efficiency: the signing algorithm needs only one scalar multiplication in the additive group, while the verification algorithm requires only three scalar multiplications.
4. Certificateless public key cryptography is a recently proposed, attractive paradigm that combines the advantages of both certificate-based and ID-based cryptosystems, as it avoids the use of certificates and does not suffer from key escrow. We present a certificateless signature (CLS) scheme that is proved secure in the random oracle model under the hardness assumptions of k-CAA and Inv-CDHP. The proposed scheme upholds all desirable properties of previous CLS schemes and requires only general cryptographic hash functions instead of the inefficient MapToPoint hash function. Furthermore, our scheme requires less computation and is significantly more efficient than all known CLS schemes, and the size of the signatures it generates is approximately 160 bits, the shortest certificateless signature so far. It can therefore be used widely, especially in low-bandwidth communication environments.
5. We first formalize the definition and security model of certificateless strong proxy signatures (CLSPS), and then propose a novel CLSPS scheme from bilinear pairings. It is proved that our CLSPS scheme satisfies all the requirements of strong proxy signatures in certificateless public key cryptography. Furthermore, our scheme is more efficient than the existing CLSPS schemes because it requires only general cryptographic hash functions instead of the inefficient MapToPoint function, and the signing and verification algorithms together require online only one scalar multiplication, two exponentiations and one pairing computation.
6. We present a new pairing-based certificateless designated verifier signature (CLDVS) scheme and provide security proofs and an efficiency analysis for it. Moreover, as an application of our CLDVS, the first notion and construction of a certificateless designated verifier proxy signature (CLDVPS) scheme is proposed. It is proved that our CLDVPS scheme satisfies all the requirements of designated verifier proxy signature schemes in certificateless cryptography.
