实用全分布式签名：标准模型下的安全性证明

109 浏览量更新于2024-07-15 收藏 501KB PDF 举报

"这篇研究论文‘Practical (Fully) Distributed Signatures Provably Secure in the Standard Model’探讨了在标准模型中实现实用且完全分布式的签名方案的安全性。该论文由多位来自中国顶尖大学和研究机构的专家共同撰写，涵盖了计算机科学、电子与信息工程、信息安全等多个领域。" 在这篇论文中，作者们主要关注的是分布式签名系统的设计和安全性证明。分布式签名是一种先进的密码学技术，它允许多个签署者共同参与一个签名过程，从而提供更高的安全性和可靠性。这种签名机制特别适用于多用户环境，例如区块链、分布式账本技术和云计算等，其中数据完整性、责任分担和防止欺诈是至关重要的。在标准模型中，安全性的证明通常意味着不依赖于理想化的数学假设，如随机预言机模型，而是直接基于计算复杂度理论。这样，提出的协议能够更真实地反映实际应用中的安全性。论文的贡献在于，它提出了一种既实用又在标准模型下可证明安全的完全分布式签名方案。这意味着签名不仅在理论上是安全的，而且在实际应用中也能有效工作，同时考虑到效率和可扩展性。论文可能包括以下几个关键点： 1. **新签名方案的构造**：作者可能提出了新的算法或协议，利用先进的密码学工具，如公钥基础设施（PKI）、哈希函数、椭圆曲线加密等，设计出一种可以抵御各种攻击的分布式签名方案。 2. **安全性分析**：论文会详细分析所提方案的抵御能力，包括模拟攻击、中间人攻击、合谋攻击等，并展示其在标准模型下的安全性证明。 3. **性能评估**：可能包含了对签名生成、验证时间和通信开销的实验分析，以证明其在实际环境中的高效性和可行性。 4. **对比现有方案**：论文可能会比较新方案与其他已知分布式签名方案的优劣，如效率、安全性、可扩展性等方面。 5. **应用和未来方向**：作者可能讨论了该签名方案在实际应用中的潜力，以及未来可能的研究方向，如优化性能、适应新环境或应对新威胁。这篇论文对于密码学社区和相关领域的研究人员来说具有重要意义，因为它推动了分布式签名技术的发展，提高了实际系统的安全水平。通过深入理解并应用论文中的理论和方法，可以促进更加安全和可靠的分布式系统的实现。

146 Y. Wang et al. / Theoretical Computer Science 595 (2015) 143–158

which are proposed based on decisional linear assumption, the sizes of signatures increase linearly with the complexity of

the access structure. Another scheme for threshold case due to Herranz et al. [25] is constant-size, yet based on a non-static

assumption. More recently, a more general primitive, i.e., policy-based signature, was presented by Bellare and Fuchsbauer [5],

which allows a signer to generate signature on some message that ﬁts in some policy, and simultaneously preserves the

privacy of the policy. Different from distributed signatures, a policy-based signature is produced by an individual signer

when the given message and the signer’s secret key meet the corresponding policy.

2. Deﬁnitions and security requirements

2.1. Secret sharing and monotone span program

A secret sharing scheme [7,42,30] allows a dealer to distribute the shares of some secret information to participants in

such a way that the secret can be recovered when a qualiﬁed set of participants pool their shares together. The collection

of all qualiﬁed sets is called an access structure, which satisﬁes the monotone increasing property, i.e., any set that contains a

qualiﬁed set is also qualiﬁed. This paper only involves perfect secret sharing schemes where unqualiﬁed sets cannot get any

information about the secret.

Notations. For a group of participants P ={p

, ···, p

}, let  be a monotone access structure deﬁned on P. It is easy to

see that there exists a collection of minimal qualiﬁed sets which denoted by min, such that their proper subsets are not

qualiﬁed, i.e., ∀A ∈ min and ∀B  A, we have B /∈ . Also, we let  = 2

\  be the collection of all unqualiﬁed participant

sets, where 2

is the power set of P . Clearly,  is monotone decreasing, i.e., ∀A ∈  and ∀B ⊆ A, B ∈ . Similarly, let max

be the collection of all the maximal unqualiﬁed participant sets which are not contained in any other unqualiﬁed ones.

Deﬁnition 1 (Perfect secret sharing [2]). Let  be a monotone access structure deﬁned on the participant set P. A secret

sharing scheme S realizing  is perfect if the following two properties are satisﬁed:

• for any qualiﬁed set A ∈ , Pr[Rect(S

(k)) = k] = 1for every k ∈ F;

• for any unqualiﬁed set B ∈ , Pr[S

) = (s

)

∈B

] = Pr[S

) = (s

)

∈B

] for any two distinct secrets k

, k

∈ F, and a

list of any possible shares (s

)

∈B

;

where Rect(·) denotes the reconstruction algorithm of S and S

(k) denotes the secret shares of k that are distributed to the

participants in A.

this paper, we are only interested in the linear secret sharing schemes (LSSS), where the shares are generated using a

linear mapping and the secret information can be linearly represented by a qualiﬁed set of shares. In the upcoming sections,

LSSS are modelled by monotone span programs (MSP). MSP was introduced by Karchmer and Wigderson [31], while it was

implicitly used in constructing vector space secret sharing schemes by Brickell [9].

Deﬁnition

2 (Monotone span program [31,2]). Let P be a participant set, a and b be two positive integers. A monotone span

program is deﬁned by a quadruple M = (F,



τ , M, ρ), where F is a ﬁeld,



τ is a target vector in F

, M is an a × b matrix

over F and ρ :{1, 2, ···, a} → P labels each row of M by a participant in P. For any set P ⊆ P , there is a corresponding

sub-matrix M

of M that comprises all the rows labeled by the participants in P . If



τ can be spanned by the rows in M

then the set P is accepted by M. An access structure  deﬁned on P is accepted by M if and only if M accepts all the

elements P ∈ .

can be seen from the above deﬁnition that M not only deﬁnes a linear mapping from the matrix M to the participants

in P, but also deﬁnes a linear relationship between



τ and each sub-matrix M

(P ∈ ) because



τ can be spanned by the

rows of M

. As we known, each monotone access structure can be realized by an LSSS [45,26] and MSP is also equivalent

to LSSS [31,2]. This implies that every monotone access structure can be realized by an MSP. Note that there may be several

rows of M labeled to one participant of P. However, for simplicity of exposition in the upcoming sections, we assume there

is a one to one correspondence between the rows of M and the participants in P .

we described in a multipartite access structure, the participant set P can be divided into u disjoint groups G

(i ∈

[

1, u]), i.e., P =∪

and G

∩ G

= ∅ if i = j. In addition, all the participants in the same group G

have the same power,

that is, if a participant p ∈ G

is in a qualiﬁed set P ∈ , then p can be replaced by any other participant in the same group



∈ G

\ P and the resultant set is also qualiﬁed.

is well-known that in a plain LSSS, the dealer is assumed to be honest and thus will not deviate from the system.

However, in complicated scenarios, the dealer may misbehave and deceive the other involved participants. Thus, the veriﬁ-

able

secret sharing schemes (VSS) [19,37] are introduced, which allow the participants to verify the received information from

the dealer in such a way that the misbehavior of the dealer can be detected by the participants.

For

other details on secret sharing, the readers can refer to [2].

剩余15页未读，继续阅读

weixin_38631738

粉丝: 4
资源: 971

实用全分布式签名：标准模型下的安全性证明

Iterative Distributed Model Predictive Control in the Presence o

Privacy-Preserving Machine Learning Using Federated Learning and Secure Aggregation

cobratoolbox显示Requested Model not present in the model directory.\n This is either due to the model not being downloaded, or not being part of the distributed models.

No module named torch.distributed.run

ERROR: Could not find a version that satisfies the requirement torch-distributed (from versions: none)

All the 5 fits failed. It is very likely that your model is misconfigured. You can try to debug the ...

When using the z test, why is it important t hat t he sampling distribution of the mean be normally distributed?

Executor：Running task 0.0 in stage 0.0 （TID 0）

Please initialize `TimeDistributed` layer with a `tf.keras.layers.Layer` instance. Received: 10

最新资源