Thesis record 93522039: details




Name: Yi-Hsiung Huang (黃義雄)    Department: Computer Science and Information Engineering
Thesis title: On the Research of Some Digital Signature Schemes and Signcryption Schemes with Privacy
(Chinese title: 具隱私性之簽章及簽密系統研究)
Related theses
★ Design of Several Digital Proxy Signature Schemes
★ A Study of Micropayment Systems
★ A Study of Physical Cryptanalysis
★ A Study of Commercial Key Recovery and Key Escrow Mechanisms
★ Physical Cryptanalysis of the AES Data Encryption Standard
★ A Study of Electronic Auction Systems
★ A Dynamic Code-Segment Protection Mechanism against Stack Overflow Attacks
★ A Parameter Study of the General Number Field Sieve Factoring Method
★ Implementing a DPA-Resistant AES Encryptor on an 8051 Microcontroller
★ Defending against Power Analysis Attacks with Non-deterministic Software and Mask-Splitting Countermeasures
★ A Study of Masking Countermeasures against Differential Power Analysis
★ Power Analysis of the AES Data Encryption Standard
★ Design and Cryptanalysis of Micropayment Systems
★ A Study of Fair Electronic Cash Systems
★ Physical Cryptanalysis of the RSA Public-Key Cryptosystem
★ A Study of Protecting Data Collected by Mobile Agents
  1. The access permission for this electronic thesis is: open access immediately.
  2. Electronic full texts that have reached open-access status are licensed to users only for personal, non-commercial retrieval, reading and printing for the purpose of academic research.
  3. Please comply with the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast this work without authorization, so as not to infringe the law.

Abstract (Chinese): This thesis studies signature and signcryption schemes with privacy. Conventional digital signatures cannot protect the privacy of the signer or of the recipient, because an ordinary digital signature is publicly verifiable. To protect the privacy of signature users, cryptographers have proposed several approaches: to protect the signer's privacy, designated verifier signature (DVS) schemes were proposed; to protect the recipient's privacy, nominative signature schemes were proposed.
In the study of designated verifier signatures, the goal is to design a new DVS scheme that provides non-repudiation of the signature. The method incorporates a Diffie-Hellman key into a chameleon signature. A DVS scheme designed from this idea not only satisfies all the required properties but, more importantly, provides non-repudiation, and there is no concern about the signing right being transferred.
In the study of nominative signatures, the main work is a security analysis of a published signature scheme and of the attack against it. After rigorously weighing the security the scheme actually provides against what the attack actually achieves, we conclude: 1. the proposed attack is not entirely correct; 2. the security of the proposed scheme is not as complete as its authors claim. In addition, regarding the incompleteness of both the scheme and the attack, we use the concept of screening to provide a criterion for deciding the range of applications in which the scheme can be used.
Besides the privacy of signature users, encryption is the technique generally adopted to protect the confidentiality of a plaintext. When a plaintext must be signed and encrypted at the same time, signcryption offers an efficient choice. In this part of the research we found that most previous signcryption schemes based on the discrete logarithm do not satisfy semantic security, because the hash function of the signature used leaks information about the plaintext. To address this weakness we append a random number to the plaintext, so that an attacker who cannot learn the random number cannot break the confidentiality of the plaintext.
Abstract (English): In this thesis, our research focuses on digital signature schemes and signcryption schemes with privacy. Ordinary digital signature schemes do not protect the privacy of the signer or of the recipient, since their signatures are publicly verifiable. To enhance the privacy of signatures, several signature schemes have been introduced. For the privacy of the signer, designated verifier signature (DVS) is a well-known primitive with rigorous definitions and properties. For the privacy of the recipient, nominative signature provides a solution.
Observing that most existing designated verifier signature schemes cannot provide non-repudiation, our objective is to design a new strong DVS construction. With the help of chameleon signatures and a Diffie-Hellman key, a new DVS construction is proposed. This generic construction satisfies all required properties of designated verifier signatures, including a secure disavowal protocol. Moreover, the proposed construction is simple and does not suffer from the weakness of signing-right delegatability.
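To make concrete why a chameleon signature gives the designated recipient non-transferability, and why a disavowal step is nonetheless possible, here is an added example (not the thesis's construction: it models neither the Diffie-Hellman key nor the disavowal protocol of Chapter 3) of the Krawczyk-Rabin discrete-log chameleon hash [33]. The signer signs CH_y(m, r) with any ordinary signature scheme; the recipient, who alone knows the trapdoor x = log_g y, can compute an r' for any m' with the same hash, so the signature is equally valid for m' and a third party cannot tell which message was signed. Conversely, any two colliding pairs reveal x (the key-exposure problem discussed in [2] and [16]), which is what lets the signer expose a forgery by producing the pair it actually signed. The group parameters p = 2039, q = 1019, g = 4 are assumptions chosen small for readability; the algebra does not depend on the group size.

```python
import secrets

# Toy Schnorr group, assumed for this example: p = 2039 and q = 1019 are both
# prime with p = 2q + 1, and g = 4 (a square mod p) generates the order-q
# subgroup. Real deployments use a 2048-bit-plus group; the algebra is the same.
P, Q, G = 2039, 1019, 4


def chameleon_keygen():
    """The designated recipient's trapdoor x and public hash key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def chameleon_hash(y: int, m: int, r: int) -> int:
    """Krawczyk-Rabin discrete-log chameleon hash CH_y(m, r) = g^m * y^r mod p.
    Collision-resistant for anyone who does not know x = log_g(y)."""
    return (pow(G, m % Q, P) * pow(y, r % Q, P)) % P


def find_collision(x: int, m: int, r: int, m_new: int) -> int:
    """Trapdoor holder solves m + x*r = m_new + x*r_new (mod q) for r_new, so that
    CH_y(m_new, r_new) == CH_y(m, r). The recipient can thus re-target the signer's
    signature on CH_y(m, r) to any message: this is the non-transferability."""
    return ((m - m_new + x * r) * pow(x, -1, Q)) % Q


def recover_trapdoor(m1: int, r1: int, m2: int, r2: int) -> int:
    """Any two colliding pairs reveal the trapdoor: x = (m1 - m2) / (r2 - r1) mod q.
    This is the key-exposure problem of plain chameleon hashes; it is also what lets
    the signer expose a forgery by exhibiting the pair it actually signed."""
    d = (r2 - r1) % Q
    if d == 0:
        raise ValueError("identical pairs, not a collision")
    return ((m1 - m2) * pow(d, -1, Q)) % Q


def disavow(y: int, signed: tuple, forged: tuple) -> bool:
    """Signer's disavowal check: the forged pair hashes to the same value as the
    signed one, and the two pairs together expose the recipient's trapdoor."""
    (m, r), (m2, r2) = signed, forged
    if chameleon_hash(y, m, r) != chameleon_hash(y, m2, r2):
        return False
    return pow(G, recover_trapdoor(m, r, m2, r2), P) == y


if __name__ == "__main__":
    x, y = chameleon_keygen()          # recipient's keys; y is handed to the signer
    m, r = 100, 7                      # message and randomness the signer commits to
    h = chameleon_hash(y, m, r)        # the signer signs h with an ordinary signature (omitted)
    r2 = find_collision(x, m, r, 555)  # recipient re-targets the signature to m' = 555
    print("collision:", chameleon_hash(y, 555, r2) == h)
    print("forgery exposed by signer:", disavow(y, (m, r), (555, r2)))
```

Because the forger's trapdoor is revealed by any collision, a recipient who forges loses the key, which is the deterrent a plain chameleon signature relies on; constructions without key exposure ([2], [16]) and the DVS of Chapter 3 address the same tension differently.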
In the research on nominative signatures, the major work is a security analysis of one published scheme and of the cryptanalysis against it. After reconsidering the security of the scheme and the claims of its cryptanalysis, we conclude that the cryptanalysis is only partially correct; meanwhile, the previous schemes are not as strong as claimed. Moreover, we adopt the concept of signature screening for the scheme in order to define precisely the scenarios in which it can be applied.
Beyond the privacy of signatures, the intuitive approach to protecting messages is encryption. In many cases messages need to be signed and encrypted at the same time, and for efficiency signcryption was introduced. In this vein of research, our goal is to provide a countermeasure for a weakness of previous signcryption schemes: most existing discrete-logarithm-based signcryption schemes are not semantically secure, because the hash computation of the underlying signature scheme leaks information about the encrypted message. In response, we propose a countermeasure that concatenates a random value to the message before hashing. With this method the output of the hash computation is indistinguishable to a third party, so the confidentiality of the message is preserved.
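The leak described above, reproduced in a simplified model as an added example (not code from the thesis, and not the HC, WBMC or modified schemes of Chapter 5): a Schnorr-style signature on the message is shipped beside the ciphertext so that the recipient, and later anyone holding the plaintext, can verify it. Because the challenge e = H(g^k, m) depends on m only through values an outsider can recompute (g^k = g^s · y_a^e is public), an eavesdropper with a short list of candidate plaintexts simply tests each one against e, which breaks semantic security exactly as the abstract states. The `salted=True` variant applies the abstract's countermeasure: a random ρ is appended to m before hashing and travels only inside the ciphertext. The RFC 2409 1024-bit MODP group, SHA-256, the SHA-256 counter-mode stream cipher and the 16-byte ρ are assumptions of this example, chosen to keep it self-contained.

```python
import hashlib
import secrets

# 1024-bit MODP group 2 from RFC 2409 (safe prime P = 2Q + 1, generator 2). A
# published group, but 1024-bit discrete-log groups are too small for new
# designs; it is used here only so the example runs without any dependency.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2
RHO_LEN = 16  # assumed length of the random value rho appended in the fixed variant


def i2b(x: int) -> bytes:
    return x.to_bytes(128, "big")


def H(*parts: bytes) -> int:
    """Unkeyed hash into Z_q over length-prefixed parts; plays the role of the
    signature scheme's hash in both variants."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def xor_stream(shared: int, data: bytes) -> bytes:
    """Toy KDF plus stream cipher: SHA-256 in counter mode keyed by the DH element."""
    out = b""
    ctr = 0
    while len(out) < len(data):
        out += hashlib.sha256(i2b(shared) + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


def signcrypt(m: bytes, x_a: int, y_b: int, salted: bool):
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)                          # ephemeral g^k
    shared = pow(y_b, k, P)                   # DH secret with the recipient
    rho = secrets.token_bytes(RHO_LEN) if salted else b""
    e = H(i2b(R), m, rho)                     # unsalted: depends on m and the public R only
    s = (k - x_a * e) % Q                     # Schnorr response under the signer's key
    c = xor_stream(shared, m + rho)           # rho is never sent in the clear
    return c, e, s


def unsigncrypt(ct, y_a: int, x_b: int, salted: bool) -> bytes:
    c, e, s = ct
    R = (pow(G, s, P) * pow(y_a, e, P)) % P   # g^(k - x_a e) * g^(x_a e) = g^k
    pt = xor_stream(pow(R, x_b, P), c)
    m, rho = (pt[:-RHO_LEN], pt[-RHO_LEN:]) if salted else (pt, b"")
    if H(i2b(R), m, rho) != e:
        raise ValueError("signature verification failed")
    return m


def guess_message(ct, y_a: int, candidates):
    """Outsider's distinguisher: holds no secret key, only (c, e, s) and y_a.
    Recomputes R from public data and tests each candidate plaintext against e.
    Succeeds against the unsalted variant; without rho it learns nothing from the salted one."""
    c, e, s = ct
    R = (pow(G, s, P) * pow(y_a, e, P)) % P
    for m in candidates:
        if H(i2b(R), m, b"") == e:
            return m
    return None


if __name__ == "__main__":
    x_a, y_a = keygen()
    x_b, y_b = keygen()
    orders = [b"BUY 100 ACME", b"SELL 100 ACME"]   # constructed two-message IND game
    for salted in (False, True):
        ct = signcrypt(orders[1], x_a, y_b, salted)
        assert unsigncrypt(ct, y_a, x_b, salted) == orders[1]
        print("salted" if salted else "unsalted", "-> outsider recovers:", guess_message(ct, y_a, orders))
```

In the salted variant a third party can still verify the signature once the recipient releases (m, ρ), so public verifiability is kept; until then the hash value is indistinguishable to anyone without ρ, which is the property the abstract argues for.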
Keywords
★ Designated Verifier Signature
★ Nominative Signature
★ Signcryption
Table of contents
1 Introduction
1.1 Overview of the Thesis
2 Provable Security on Digital Signature
2.1 Digital Signature
2.2 Provable Security on Signature Schemes
2.3 Random Oracle Model
2.4 The Diffie-Hellman Problem
3 A New Designated Verifier Signature Construction
3.1 Introduction to Designated Verifier Signature
3.1.1 Definition and Security Assumptions of Designated Verifier Signature
3.2 Previous Designated Verifier Signature Schemes
3.2.1 JSI Designated Verifier Signature Scheme
3.2.2 SKM Designated Verifier Signature Scheme
3.2.3 Non-repudiation Issue of Designated Verifier Signature
3.3 Other Signature Schemes with Non-transferability
3.3.1 Ring Signature
3.3.2 Chameleon Signature
3.3.3 Remark on Ring Signature and Chameleon Signature
3.4 Our Proposed New Strong DVS Construction
3.4.1 The Proposed Modified Chameleon Hash
3.4.2 The Proposed Generic Strong DVS Construction
3.5 Security Analysis of Proposed DVS Construction
3.5.1 Security Analysis of Proposed Chameleon Hash
3.5.2 Security Analysis of Proposed DVS Construction
3.5.3 Secure Disavowal Protocol
3.5.4 Non-delegatability
3.6 Discussions
3.6.1 ID-based Strong DVS Construction
3.6.2 The Adopted Chameleon Hashing Scheme
4 Security of Huang-Wang Nominative Signature Scheme Revisited
4.1 Introduction to Nominative Signature
4.2 Previous Nominative Signature Schemes
4.2.1 KPW Nominative Signature Scheme
4.2.2 HW Nominative Signature Scheme
4.3 Analysis of Susilo and Mu's Cryptanalysis against HW Scheme
4.3.1 Susilo and Mu's Cryptanalysis
4.3.2 Reconsideration of Susilo and Mu's Cryptanalysis
4.3.3 Screening of HW Nominative Signature
4.4 Remarks on the Security of HW Scheme
4.4.1 Unforgeability of Nominative Signature Schemes
4.4.2 Verification Untransferability
4.5 Discussions
4.6 Summary
5 On the Semantic Security Issue of Signcryption Schemes
5.1 Introduction to Signcryption
5.2 The Development and Design Principle of Signcryption
5.2.1 Review of Zheng's Signcryption Scheme
5.2.2 Review of Bao & Deng's Signcryption Scheme
5.2.3 Review of SC-DSA+ Signcryption Scheme
5.2.4 Confidentiality Weakness of HC Signcryption Scheme and WBMC Signcryption Scheme
5.3 Semantic Security on HC Scheme and WBMC Scheme
5.4 Our Countermeasure
5.4.1 Proposed Modified-HC Signcryption Scheme
5.4.2 Proposed Modified-WBMC Signcryption Scheme
5.4.3 Security Analysis of Modified-HC and Modified-WBMC Signcryption Schemes
5.5 Summary
6 Conclusions
6.1 Brief Review of Main Contributions
6.2 Further Research Topics and Directions
Bibliography
References
[1] G. Ateniese and B. de Medeiros, "Identity-based chameleon hash and applications," In Financial Cryptography (FC'2004), LNCS 3110, pp. 164–180, Springer-Verlag, 2004. (IACR ePrint Report 2003/167)
[2] G. Ateniese and B. de Medeiros, "On the key exposure problem in chameleon hashes," IACR ePrint Report 2004/243, 2004.
[3] J. Baek, R. Steinfeld, and Y. Zheng, "Formal proofs for the security of signcryption," In Public Key Cryptography (PKC'2002), LNCS 2274, pp. 80–98, Springer-Verlag, 2002.
[4] F. Bao and R. H. Deng, "A signcryption scheme with signature directly verifiable by public key," In Public Key Cryptography (PKC'98), LNCS 1431, pp. 55–59, Springer-Verlag, 1998.
[5] M. Bellare, J. Garay, and T. Rabin, "Fast batch verification for modular exponentiation and digital signatures," In Advances in Cryptology – Eurocrypt (EUROCRYPT'98), LNCS 1403, pp. 236–250, Springer-Verlag, 1998.
[6] M. Bellare and C. Namprempre, "Authenticated encryption: relations among notions and analysis of the generic composition paradigm," In Advances in Cryptology – Asiacrypt (ASIACRYPT'2000), LNCS 1976, pp. 531–545, Springer-Verlag, 2000.
[7] M. Bellare and P. Rogaway, "Random oracles are practical: a paradigm for designing efficient protocols," In First ACM Conference on Computer and Communications Security, pp. 62–73, ACM, 1993.
[8] M. Bellare and P. Rogaway, "Optimal asymmetric encryption," In Advances in Cryptology – Eurocrypt (EUROCRYPT'94), LNCS 950, pp. 92–111, Springer-Verlag, 1995.
[9] M. Bellare and S. Micali, "How to sign given any trapdoor permutation," Journal of the ACM, 39(1), pp. 214–233, 1992.
[10] D. Boneh, "The decision Diffie-Hellman problem," In Proceedings of the Third Algorithmic Number Theory Symposium (ANTS-III), LNCS 1423, pp. 48–63, Springer-Verlag, 1998.
[11] J. Camenisch, "Efficient and generalized group signatures," In Advances in Cryptology – Eurocrypt (EUROCRYPT'97), LNCS 1233, pp. 465–479, Springer-Verlag, 1997.
[12] D. Chaum and H. van Antwerpen, "Undeniable signatures," In Advances in Cryptology – Crypto (CRYPTO'89), LNCS 435, pp. 212–216, Springer-Verlag, 1990.
[13] D. Chaum and H. van Antwerpen, "Undeniable signatures," In Advances in Cryptology – Crypto (CRYPTO'89), LNCS 435, pp. 212–216, Springer-Verlag, 1990.
[14] D. Chaum, "Designated confirmer signatures," In Advances in Cryptology – Eurocrypt (EUROCRYPT'94), LNCS 950, pp. 86–91, Springer-Verlag, 1995.
[15] D. Chaum, "Zero-knowledge undeniable signatures," In Advances in Cryptology – Eurocrypt (EUROCRYPT'90), LNCS 473, pp. 458–464, Springer-Verlag, 1991.
[16] X. Chen, F. Zhang, and K. Kim, "Chameleon hashing without key exposure," In Information Security Conference (ISC'2004), LNCS 3225, pp. 87–98, Springer-Verlag, 2004. (IACR ePrint Report 2004/038)
[17] Y. Desmedt, C. Goutier, and S. Bengio, "Special uses and abuses of the Fiat-Shamir passport protocol," In Advances in Cryptology – Crypto (CRYPTO'87), LNCS 293, pp. 21–39, Springer-Verlag, 1988.
[18] Y. Desmedt and M. Yung, "Weaknesses of undeniable signature schemes," In Advances in Cryptology – Eurocrypt (EUROCRYPT'91), LNCS 547, pp. 205–220, Springer-Verlag, 1991.
[19] W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, IT-22(6), pp. 644–654, 1976.
[20] X. Du, "Chameleon signature from bilinear pairing," IACR ePrint Report 2003/238, 2003.
[21] C. Dwork and M. Naor, "An efficient existentially unforgeable signature scheme and its applications," In Advances in Cryptology – Crypto (CRYPTO'94), LNCS 839, pp. 234–246, Springer-Verlag, 1994.
[22] T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms," IEEE Transactions on Information Theory, IT-31(4), pp. 469–472, 1985.
[23] S. Goldwasser, S. Micali, and A. Yao, "Strong signature schemes," In Proc. 15th ACM Symposium on Theory of Computing (STOC'83), pp. 431–439, ACM, 1983.
[24] S. Goldwasser, S. Micali, and R. L. Rivest, "A digital signature scheme secure against adaptive chosen-message attacks," SIAM Journal on Computing, 17(2), pp. 281–308, 1988.
[25] L. Guo, G. Wang, and D. S. Wong, "Further discussions on the security of a nominative signature scheme," IACR ePrint Report 2006/007, 2006.
[26] H. F. Huang and C. C. Chang, "An efficient convertible authenticated encryption scheme and its variant," In Information and Communications Security (ICICS'2003), LNCS 2836, pp. 382–392, Springer-Verlag, 2003.
[27] X. Huang, W. Susilo, Y. Mu, and F. Zhang, "Short (identity-based) strong designated verifier signature schemes," In Information Security Practice and Experience (ISPEC'2006), LNCS 3903, pp. 214–225, Springer-Verlag, 2006.
[28] Z. J. Huang and Y. M. Wang, "Convertible nominative signatures," In Information Security and Privacy (ACISP'2004), LNCS 3108, pp. 348–357, Springer-Verlag, 2004.
[29] M. Jakobsson, K. Sako, and R. Impagliazzo, "Designated verifier proofs and their applications," In Advances in Cryptology – Eurocrypt (EUROCRYPT'96), LNCS 1070, pp. 143–154, Springer-Verlag, 1996.
[30] M. Jakobsson, "Blackmailing using undeniable signatures," In Advances in Cryptology – Eurocrypt (EUROCRYPT'94), LNCS 950, pp. 425–427, Springer-Verlag, 1995.
[31] A. Joux, "A one round protocol for tripartite Diffie-Hellman," In Algorithmic Number Theory (ANTS-IV), LNCS 1838, pp. 385–394, Springer-Verlag, 2000.
[32] S. J. Kim, S. J. Park, and D. H. Won, "Zero-knowledge nominative signatures," In International Conference on the Theory and Applications of Cryptology (PragoCrypt'96), pp. 380–392, 1996.
[33] H. Krawczyk and T. Rabin, "Chameleon signatures," In Proc. of the Network and Distributed Systems Security Symposium (NDSS'2000), Internet Society, pp. 143–154, 2000. (IACR ePrint Report 1998/010)
[34] K. Phani Kumar, G. Shailaja, and A. Saxena, "Identity based strong designated verifier signature scheme," IACR ePrint Report 2006/134, 2006.
[35] Y. Li, H. Lipmaa, and D. Pei, "On delegatability of four designated verifier signature schemes," In Seventh International Conference on Information and Communications Security (ICICS'2005), LNCS 3783, pp. 61–71, Springer-Verlag, 2005.
[36] F. Laguillaumie and D. Vergnaud, "Designated verifier signatures: anonymity and efficient construction from any bilinear map," In Fourth Conference on Security in Communication Networks (SCN'04), LNCS 3352, pp. 107–121, Springer-Verlag, 2004.
[37] F. Laguillaumie and D. Vergnaud, "Multi-designated verifiers signatures," In Information and Communications Security (ICICS'2004), LNCS 3269, pp. 495–507, Springer-Verlag, 2004.
[38] H. Lipmaa, G. Wang, and F. Bao, "Designated verifier signature schemes: attacks, new security notions and a new construction," In The 32nd International Colloquium on Automata, Languages and Programming (ICALP'2005), LNCS 3580, pp. 459–471, Springer-Verlag, 2005.
[39] M. Michels and M. Stadler, "Efficient convertible undeniable signature schemes," In Proceedings of the 4th Annual Workshop on Selected Areas in Cryptography (SAC'97), pp. 231–244, 1997.
[40] M. Naor and M. Yung, "Universal one-way hash functions and their cryptographic applications," In Proc. 21st ACM Symposium on Theory of Computing (STOC'89), pp. 33–43, ACM, 1989.
[41] NIST, "A proposed federal information processing standard for digital signature standard (DSS)," Federal Register Announcement, August 30, 1991. National Institute of Standards and Technology.
[42] NIST, "Digital signature standard," Federal Information Processing Standards Publication 186, 1994. U.S. Department of Commerce / N.I.S.T.
[43] K. Nyberg and R. A. Rueppel, "Message recovery for signature schemes based on the discrete logarithm problem," In Advances in Cryptology – Eurocrypt (EUROCRYPT'94), LNCS 950, pp. 182–193, Springer-Verlag, 1995.
[44] D. Pointcheval and J. Stern, "Security proofs for signature schemes," In Advances in Cryptology – Eurocrypt (EUROCRYPT'96), LNCS 1070, pp. 387–398, Springer-Verlag, 1996.
[45] R. Rivest, A. Shamir, and Y. Tauman, "How to leak a secret," In Advances in Cryptology – Asiacrypt (ASIACRYPT'2001), LNCS 2248, pp. 552–565, Springer-Verlag, 2001.
[46] J. Rompel, "One-way functions are necessary and sufficient for secure signatures," In Proc. 22nd ACM Symposium on Theory of Computing (STOC'90), pp. 387–394, ACM, 1990.
[47] C. P. Schnorr, "Efficient identification and signatures for smart cards," In Advances in Cryptology – Crypto (CRYPTO'89), LNCS 435, pp. 239–252, Springer-Verlag, 1990.
[48] C. P. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, 4(3), pp. 161–174, 1991.
[49] R. Steinfeld, L. Bull, H. Wang, and J. Pieprzyk, "Universal designated-verifier signatures," In Advances in Cryptology – Asiacrypt (ASIACRYPT'2003), LNCS 2894, pp. 523–543, Springer-Verlag, 2003.
[50] R. Steinfeld, H. Wang, and J. Pieprzyk, "Efficient extension of standard Schnorr/RSA signatures into universal designated-verifier signatures," In Public Key Cryptography (PKC'2004), LNCS 2947, pp. 86–100, Springer-Verlag, 2004.
[51] W. Susilo, F. Zhang, and Y. Mu, "Identity-based strong designated verifier signature schemes," In Information Security and Privacy, 9th Australasian Conference (ACISP'2004), LNCS 3108, pp. 313–324, Springer-Verlag, 2004.
[52] S. Saeednia, S. Kremer, and O. Markowitch, "An efficient strong designated verifier signature scheme," In The 6th International Conference on Information Security and Cryptology (ICISC'2003), LNCS 2971, pp. 40–54, Springer-Verlag, 2004.
[53] J. B. Shin, K. Lee, and K. Shim, "New DSA-verifiable signcryption schemes," In Information Security and Cryptology (ICISC'2002), LNCS 2587, pp. 35–47, Springer-Verlag, 2003.
[54] W. Susilo and Y. Mu, "On the security of nominative signatures," In Information Security and Privacy (ACISP'2005), LNCS 3574, pp. 329–335, Springer-Verlag, 2005.
[55] G. Wang, F. Bao, C. Ma, and K. Chen, "Efficient authenticated encryption schemes with public verifiability," In Proc. of the 60th IEEE Vehicular Technology Conference (VTC 2004-Fall) – Wireless Technologies for Global Security, IEEE, 2004.
[56] F. Zhang, R. Safavi-Naini, and W. Susilo, "ID-based chameleon hashes from bilinear pairings," IACR ePrint Report 2003/208, 2003.
[57] Y. Zheng, "Digital signcryption or how to achieve cost(signature & encryption) << cost(signature) + cost(encryption)," In Advances in Cryptology – Crypto (CRYPTO'97), LNCS 1294, pp. 165–179, Springer-Verlag, 1997.
Advisor: Sung-Ming Yen (顏嵩銘)    Review date: 2006-07-17

For questions about this thesis, please contact the Outreach Services Section of the National Central University Library, TEL: (03)422-7151 ext. 57407, or by e-mail.