实用全分布式签名:标准模型下的安全性证明
66 浏览量
更新于2024-07-15
收藏 501KB PDF 举报
"这篇研究论文‘Practical (Fully) Distributed Signatures Provably Secure in the Standard Model’探讨了在标准模型中实现实用且完全分布式的签名方案的安全性。该论文由多位来自中国顶尖大学和研究机构的专家共同撰写,涵盖了计算机科学、电子与信息工程、信息安全等多个领域。"
在这篇论文中,作者们主要关注的是分布式签名系统的设计和安全性证明。分布式签名是一种先进的密码学技术,它允许多个签署者共同参与一个签名过程,从而提供更高的安全性和可靠性。这种签名机制特别适用于多用户环境,例如区块链、分布式账本技术和云计算等,其中数据完整性、责任分担和防止欺诈是至关重要的。
在标准模型中,安全性的证明通常意味着不依赖于理想化的数学假设,如随机预言机模型,而是直接基于计算复杂度理论。这样,提出的协议能够更真实地反映实际应用中的安全性。论文的贡献在于,它提出了一种既实用又在标准模型下可证明安全的完全分布式签名方案。这意味着签名不仅在理论上是安全的,而且在实际应用中也能有效工作,同时考虑到效率和可扩展性。
论文可能包括以下几个关键点:
1. **新签名方案的构造**:作者可能提出了新的算法或协议,利用先进的密码学工具,如公钥基础设施(PKI)、哈希函数、椭圆曲线加密等,设计出一种可以抵御各种攻击的分布式签名方案。
2. **安全性分析**:论文会详细分析所提方案的抵御能力,包括模拟攻击、中间人攻击、合谋攻击等,并展示其在标准模型下的安全性证明。
3. **性能评估**:可能包含了对签名生成、验证时间和通信开销的实验分析,以证明其在实际环境中的高效性和可行性。
4. **对比现有方案**:论文可能会比较新方案与其他已知分布式签名方案的优劣,如效率、安全性、可扩展性等方面。
5. **应用和未来方向**:作者可能讨论了该签名方案在实际应用中的潜力,以及未来可能的研究方向,如优化性能、适应新环境或应对新威胁。
这篇论文对于密码学社区和相关领域的研究人员来说具有重要意义,因为它推动了分布式签名技术的发展,提高了实际系统的安全水平。通过深入理解并应用论文中的理论和方法,可以促进更加安全和可靠的分布式系统的实现。
146 Y. Wang et al. / Theoretical Computer Science 595 (2015) 143–158
which are proposed based on decisional linear assumption, the sizes of signatures increase linearly with the complexity of
the access structure. Another scheme for threshold case due to Herranz et al. [25] is constant-size, yet based on a non-static
assumption. More recently, a more general primitive, i.e., policy-based signature, was presented by Bellare and Fuchsbauer [5],
which allows a signer to generate signature on some message that fits in some policy, and simultaneously preserves the
privacy of the policy. Different from distributed signatures, a policy-based signature is produced by an individual signer
when the given message and the signer’s secret key meet the corresponding policy.
2. Definitions and security requirements
2.1. Secret sharing and monotone span program
A secret sharing scheme [7,42,30] allows a dealer to distribute the shares of some secret information to participants in
such a way that the secret can be recovered when a qualified set of participants pool their shares together. The collection
of all qualified sets is called an access structure, which satisfies the monotone increasing property, i.e., any set that contains a
qualified set is also qualified. This paper only involves perfect secret sharing schemes where unqualified sets cannot get any
information about the secret.
Notations. For a group of participants P ={p
1
, ···, p
n
}, let be a monotone access structure defined on P. It is easy to
see that there exists a collection of minimal qualified sets which denoted by min, such that their proper subsets are not
qualified, i.e., ∀A ∈ min and ∀B A, we have B /∈ . Also, we let = 2
P
\ be the collection of all unqualified participant
sets, where 2
P
is the power set of P . Clearly, is monotone decreasing, i.e., ∀A ∈ and ∀B ⊆ A, B ∈ . Similarly, let max
be the collection of all the maximal unqualified participant sets which are not contained in any other unqualified ones.
Definition 1 (Perfect secret sharing [2]). Let be a monotone access structure defined on the participant set P. A secret
sharing scheme S realizing is perfect if the following two properties are satisfied:
• for any qualified set A ∈ , Pr[Rect(S
A
(k)) = k] = 1for every k ∈ F;
• for any unqualified set B ∈ , Pr[S
B
(k
1
) = (s
i
)
p
i
∈B
] = Pr[S
B
(k
2
) = (s
i
)
p
i
∈B
] for any two distinct secrets k
1
, k
2
∈ F, and a
list of any possible shares (s
i
)
p
i
∈B
;
where Rect(·) denotes the reconstruction algorithm of S and S
A
(k) denotes the secret shares of k that are distributed to the
participants in A.
In
this paper, we are only interested in the linear secret sharing schemes (LSSS), where the shares are generated using a
linear mapping and the secret information can be linearly represented by a qualified set of shares. In the upcoming sections,
LSSS are modelled by monotone span programs (MSP). MSP was introduced by Karchmer and Wigderson [31], while it was
implicitly used in constructing vector space secret sharing schemes by Brickell [9].
Definition
2 (Monotone span program [31,2]). Let P be a participant set, a and b be two positive integers. A monotone span
program is defined by a quadruple M = (F,
τ , M, ρ), where F is a field,
τ is a target vector in F
b
, M is an a × b matrix
over F and ρ :{1, 2, ···, a} → P labels each row of M by a participant in P. For any set P ⊆ P , there is a corresponding
sub-matrix M
P
of M that comprises all the rows labeled by the participants in P . If
τ can be spanned by the rows in M
P
,
then the set P is accepted by M. An access structure defined on P is accepted by M if and only if M accepts all the
elements P ∈ .
It
can be seen from the above definition that M not only defines a linear mapping from the matrix M to the participants
in P, but also defines a linear relationship between
τ and each sub-matrix M
P
(P ∈ ) because
τ can be spanned by the
rows of M
P
. As we known, each monotone access structure can be realized by an LSSS [45,26] and MSP is also equivalent
to LSSS [31,2]. This implies that every monotone access structure can be realized by an MSP. Note that there may be several
rows of M labeled to one participant of P. However, for simplicity of exposition in the upcoming sections, we assume there
is a one to one correspondence between the rows of M and the participants in P .
As
we described in a multipartite access structure, the participant set P can be divided into u disjoint groups G
i
(i ∈
[
1, u]), i.e., P =∪
u
i
=1
G
i
and G
i
∩ G
j
= ∅ if i = j. In addition, all the participants in the same group G
i
have the same power,
that is, if a participant p ∈ G
i
is in a qualified set P ∈ , then p can be replaced by any other participant in the same group
p
∈ G
i
\ P and the resultant set is also qualified.
It
is well-known that in a plain LSSS, the dealer is assumed to be honest and thus will not deviate from the system.
However, in complicated scenarios, the dealer may misbehave and deceive the other involved participants. Thus, the verifi-
able
secret sharing schemes (VSS) [19,37] are introduced, which allow the participants to verify the received information from
the dealer in such a way that the misbehavior of the dealer can be detected by the participants.
For
other details on secret sharing, the readers can refer to [2].
剩余15页未读,继续阅读
2022-01-03 上传
2021-02-11 上传
2021-01-20 上传
2021-02-08 上传
2021-02-20 上传
2019-04-25 上传
2021-05-13 上传
2021-02-22 上传
2009-05-28 上传
weixin_38631738
- 粉丝: 4
- 资源: 971
我的内容管理
展开
最新资源
- 高清艺术文字图标资源,PNG和ICO格式免费下载
- mui框架HTML5应用界面组件使用示例教程
- Vue.js开发利器:chrome-vue-devtools插件解析
- 掌握ElectronBrowserJS:打造跨平台电子应用
- 前端导师教程:构建与部署社交证明页面
- Java多线程与线程安全在断点续传中的实现
- 免Root一键卸载安卓预装应用教程
- 易语言实现高级表格滚动条完美控制技巧
- 超声波测距尺的源码实现
- 数据可视化与交互:构建易用的数据界面
- 实现Discourse外聘回复自动标记的简易插件
- 链表的头插法与尾插法实现及长度计算
- Playwright与Typescript及Mocha集成:自动化UI测试实践指南
- 128x128像素线性工具图标下载集合
- 易语言安装包程序增强版:智能导入与重复库过滤
- 利用AJAX与Spotify API在Google地图中探索世界音乐排行榜
