Provably secure proxy-protected signature schemes based on RSA

The proxy signature schemes allow proxy signers to sign messages on behalf of an original signer, a company or an organization. Such schemes have been suggested for use in a number of applications, particularly in distributed computing, where delegation of rights is quite common. Most of proxy signature schemes previously proposed in literatures are based on discrete logarithms or from pairings. In 2003, Shao proposed the first two proxy signature schemes based on RSA. Though being very efficient, they have no formal security proofs. In this paper, we provide formal security proofs under a strong security model in the random oracle model after minor modification.     

A secure identity-based multi-proxy signature scheme

In a multi-proxy signature scheme, an original signer could authorize a proxy group as his proxy agent. Then only the cooperation of all the signers in the proxy group can generate the proxy signatures on behalf of the original signer. Plenty of multi-proxy signature schemes have been proposed under the certificate-based public key systems. Due to the various applications of the bilinear pairings in cryptography, many identity-based signature schemes have been proposed. In this paper, we give the first formal definition and security model of an identity-based multi-proxy signature scheme, then propose an identity-based multi-proxy signature scheme from bilinear pairings and prove its security in our security model.     

Threshold signature schemes for ElGamal variants

In this paper we present a generic construction of threshold ElGamal signature schemes. We classify ElGamal variants by two types according to ways of generating signatures. Then we develop the generic mechanism to convert a group of ElGamal variants into their threshold versions and prove unforgeability of constructed schemes. To demonstrate its application, we present threshold versions of two standard ElGamal variants, GOST 34.10 and KCDSA from our construction.     

Cramer–Damgård signatures revisited: Efficient flat-tree signatures based on factoring

At Crypto 96 Cramer and Damgård proposed an efficient, tree-based, signature scheme that is provably secure against adaptive chosen message attacks under the assumption that inverting RSA is computationally infeasible.

In this paper we show how to modify their basic construction in order to achieve a scheme that is provably secure under the assumption that factoring large composites of a certain form is hard. Our scheme is as efficient as the original Cramer Damgård solution while relying on a seemingly weaker intractability assumption.     

Public key signatures in the multi-user setting

This paper addresses the security of public key signature schemes in a “multi-user” setting. We bound the advantage of an adversary in producing an existential forgery on any one of a set of target public keys by the advantage of an adversary in producing an existential forgery on a single public key for any public key signature algorithm. We then improve the concrete security of this general reduction for certain specific discrete logarithm based signature algorithms such as that of Schnorr.     

Designing a secure e-tender submission protocol

This paper investigates the fundamental difference between a simple e-tender box and a traditional physical tender box, and highlights a series of security traps created by the functional differences. Based on our findings, we have defined the security requirements for an e-tender submission protocol. We also discuss functional limitations of cryptographic technologies. As a result, two secure e-tender submission protocols are proposed which enable a secure e-tender submission. Protocols are assumed to run under the condition that all tendering parties (principal and tenderers) are dishonest players. Our informal and formal security analysis show that these protocols meet their security goals under well known collusion scenarios. Because security is a process not a product, our approach will have broad industry application for developing secure electronic business processes in areas other than e-tendering.

可传递签名研究综述

可传递签名是由Micali和Rivest在2002年首先提出的,主要用于对二元传递关系进行签名。本文综述了可传递签名的研究现状,描述了可传递签名的定义、模型及其安全性,概括了现有的可传递签名方案,包括无向传递签名方案和有向传递签名方案。最后对可传递签名的研究前景进行了展望。     

Proxy signature schemes based on factoring

The proxy signature schemes allow proxy signers to sign messages on behalf of an original signer, a company or an organization. However, most of existing proxy signature schemes are based on the discrete logarithm problem. In this paper, the author would like to propose two efficient proxy signature schemes based on the factoring problem, which combine the RSA signature scheme and the Guillou-Quisquater signature scheme. One is a proxy-unprotected signature scheme that is more efficient. No matter how many proxy signers cooperatively sign a message, the computation load for verifiers would remain almost constant. The other is a proxy-protected signature scheme that is more secure. Finally, to protect the privacy of proxy signers, the author proposes a proxy-protected signature scheme with anonymous proxy signers.     

Cryptanalysis of the Wu-Varadhrajan fair exchange protocol

In this paper we present an attack on a fair exchange protocol proposed by Wu and Varadharajan. We show that, after two executions of the protocol, a dishonest participant can collect enough information in order to obtain some secret information of the other participant. This precisely allows him to compute the final signature of the other participant in all subsequent executions of the protocol, without disclosing his own signature.     

Cryptanalysis of certain variants of Rabin's signature scheme

Rabin's signature scheme is known to be susceptible to chosen cleartext attacks, and thus it is essential to perturb each message before it is signed. In this paper we show that certain natural perturbation techniques (including the addition of random prefixes or suffixes to the message) do not fully protect the scheme against a new type of chosen cleartext attack.     

A note on optimal metering schemes

A metering scheme is a method by which an audit agency is able to measure the interaction between servers (e.g., web servers) and clients (e.g., browsers) during a certain number of time frames. Metering schemes involve distributing information to clients and servers. Obviously, such information distribution affects the overall communication complexity. A metering scheme is said to be optimal if the information distributed to clients and servers is the minimum possible.Optimal metering schemes have been proposed by Naor and Pinkas [Lecture Notes in Comput. Sci., Vol. 1403, pp. 576-590] and Masucci and Stinson [Lecture Notes in Comput. Sci., Vol. 1895, pp. 72-87). In this paper we show a construction for optimal metering schemes, called the vector space construction, that generalizes previous constructions for optimal metering schemes.     

Universal forgery on Sekhar's signature scheme with message recovery

Owing to the abundance of electronic applications of digital signatures, many additional properties are needed. Recently, Sekhar [Sekhar, M. R. (2004). Signature scheme with message recovery and its application. Int. J. Comput. Math., 81(3), 285–289.] proposed three signature schemes with message recovery designed to protect the identity of the signer. In this setting, only a specific verifier can check the validity of a signature, and he can transmit this conviction to a third party. In this note, we show that this protocol is totally insecure, as it is universally forgeable under a no-message attack. In other words, we show that anyone can forge a valid signature of a user on an arbitrary message. The forged signatures are unconditionally indistinguishable (in an information theoretical sense) from properly formed signatures.     

Ideal contrast visual cryptography schemes with reversing

A visual cryptography scheme (VCS) for a set of n participants is a method to encode a secret image, consisting of black and white pixels, into n transparencies, one for each participant. Certain qualified subsets of participants can “visually” recover the secret image by stacking their transparencies, whereas, other, forbidden, subsets of participants, cannot gain any information about the secret image.Recently, Viet and Kurosawa proposed a VCS with reversing, which is a VCS where the participants are also allowed to reverse their transparencies, i.e., to change black pixels to white pixels and vice-versa. They showed how to construct VCSs with reversing where the reconstruction of black (white, respectively) pixels is perfect, whereas, the reconstruction of white (black, respectively) pixels is almost perfect. In both their schemes there is a loss of resolution, since the number of pixels in the reconstructed image is greater than that in the original secret image.In this paper we show how to construct VCSs with reversing where reconstruction of both black and white pixels is perfect. In our schemes each participant is required to store a certain number of transparencies, each having the same number of pixels as the original secret image. Moreover, our schemes guarantee no loss of resolution, since the reconstructed image is exactly the same as the original secret image. Finally, compared to the schemes of Viet and Kurosawa, our schemes require each participant to store a smaller amount of information.     

Protocols useful on the Internet from distributed signature schemes

Distributed cryptography deals with scenarios where a cryptographic operation is performed by a collective of persons. In a distributed signature scheme, a group of players share some secret information in such a way that only authorized subsets of players can compute valid signatures. We propose methods to construct some computationally secure protocols from distributed signature schemes, namely, we construct metering schemes from distributed noninteractive signature schemes. We also show that distributed deterministic signature schemes can be used to design distributed key distribution schemes. In particular, we construct the first metering and distributed key distribution schemes based on the RSA primitive.     

Weaknesses in some multisignature schemes for specified group of verifiers

The author points out that Laih and Yen's multisignature scheme and Hwang, Chen and Chang's multisignature scheme do not satisfy their security requirements.     

Proxy-protected signature secure against the undelegated proxy signature attack

The proxy signature scheme enables an original signer to delegate his/her signing capability to a designated proxy signer, thereby the proxy signer can sign messages on behalf of the original signer. Recently, Zhou et al. proposed two proxy-protected signature schemes. One is based on the RSA problem and the other is based on the integer factorization problem. In this paper, however, we point out that Zhou et al.’s schemes are insecure against undelegated proxy signature attack because any user without the delegation of the original signer can generate a valid proxy signature. To solve this problem, an improved scheme is proposed and its security is analyzed.     

一个具有安全措施的CSCW系统

在ＣＳＣＷ系统的应用中，用户对于信息的安全性提出了很严格的要求。本文首先简要地给出了一个系统的总体介绍。然后对其所采用的安全措施作了详细的说明。     

Cryptanalysis of “an identity-based society oriented signature scheme with anonymous signers”

In this paper, we show that the identity-based society oriented signature scheme with anonymous signers proposed by Saeednia is insecure. If some members of a given group leave that group or if some new members join the group, their secret keys would be revealed. We also propose a simple way to fulfill the task of the identity-based society oriented signature scheme with anonymous signers.     

A one-time signature using run-length encoding

A one-time signature scheme using run-length encoding is presented, that in the random oracle model offers security against chosen-message attacks. For parameters of interest, the proposed scheme enables about 33% faster verification with a comparable signature size than a construction of Merkle and Winternitz. The public key size remains unchanged (1 hash value). The main price for the faster verification is an increase of the time for signing messages and for key generation.