RSA门限签名方案:无交互、安全与高效
需积分: 9 93 浏览量
更新于2024-09-02
1
收藏 144KB PDF 举报
"RSA门限签名方案"
这篇论文“RSA threshold signature”主要介绍了一种基于RSA公钥加密体系的门限签名方案。门限签名是一种分布式签名技术,它允许任何k个参与者(总数为l)中的任意子集生成一个有效的签名,但只有当至少k个参与者参与时才能创建有效签名。如果少于k个参与者(包括被恶意篡改的参与者)合作,他们不能生成一个有效的签名,从而保证了签名的安全性。
1. 安全性与随机预言机模型
该RSA门限签名方案在随机预言机模型下是不可伪造的,并且具有鲁棒性。这意味着,假设RSA问题(即因式分解大合数)是困难的,攻击者无法伪造签名。随机预言机模型是一个常用的理论工具,用于分析密码协议的安全性,它假设哈希函数可以像理想化的随机函数那样操作。
2. 非交互式签名与验证
在该方案中,签名份额的生成和验证过程完全是非交互式的。这意味着各个参与者可以在不直接通信的情况下完成各自的签名部分,极大地提高了效率和灵活性,尤其是在网络环境不稳定或者参与者之间存在信任问题时。
3. 签名份额的大小
个体签名份额的大小仅由RSA模数的大小决定,并且被限制在一个常数倍的范围内。这使得即使在处理大规模数据或大量用户时,签名的存储和传输成本也能保持在合理水平,有利于实际应用的部署。
1. 引言
门限签名的概念自提出以来已经得到了广泛的研究。在现实场景中,尤其是当一些参与者可能被恶意破坏时,一个有用的门限签名方案应该具备鲁棒性,防止被破坏的参与者阻止未被破坏的参与者生成有效的签名。这种特性对于分布式系统、云计算环境以及多机构协作等场景至关重要,因为它能够在保证安全性的同时,允许系统在部分节点失效或被攻击的情况下继续正常运行。
2. 历史背景与相关工作
门限签名的早期研究包括著名的DSS(Digital Signature Standard)和FDH(Fiat-Shamir-Heuristic)签名方案。这些早期工作为后来的RSA门限签名方案奠定了基础,通过不断地改进和创新,门限签名技术已经变得更加成熟和安全。
3. 实现与应用
论文可能会详细介绍如何实现这个RSA门限签名方案,包括密钥生成、签名份额的计算、签名的组合以及对抗不同类型的攻击策略。此外,还会讨论该方案在实际应用中的潜力,例如在分布式账本技术(如区块链)、多服务器认证、匿名通信网络等领域的应用。
这篇英语论文深入探讨了一个高效的RSA门限签名方案,它的设计考虑了安全性、效率和可扩展性,对理解和实现分布式签名技术有重要的参考价值。
Practical Threshold Signatures 211
We present another scheme, Protocol 2, for use in the more general setting
k ≥ t + 1. Protocol 2 can be be proven secure—again, in the random oracle
model—when k = t + 1 under the RSA assumption, and when k > t + 1 under
an additional assumption, namely, an appropriate variant of the Decision Diffie-
Hellman assumption.
As already mentioned, our proofs of security are valid in the so-called “ran-
dom oracle model,” where cryptographic hash functions are replaced by a ran-
dom oracle. This model was used informally by Fiat and Shamir [FS87], and
later was rigorously formalized and more fully exploited in Bellare and Rogaway
[BR93], and thereafter used in numerous papers.
For Protocol 1, we only need random oracles for robustness, if we assume that
ordinary RSA signatures are secure. In fact, Gennaro et al. [GJKR96a] present a
non-interactive share verification scheme that can be analyzed without resorting
to random oracles. One could use their verification scheme in place of the one
we suggest, thus avoiding random oracles in the analysis, but this would have
certain practical drawbacks, requiring a special relationship between the sender
and recipient of a share of a signature. Alternatively, one could use a simple
interactive share verification scheme. The resulting signature scheme would no
longer be truly non-interactive, but it would still not require any coordination
or synchronization among the players. We do not explore these alternatives in
any detail here, as they are quite straightforward.
The analysis of Protocol 2 makes use of the random oracle model in a more
fundamental way. Since this seemed inevitable, we took several liberties in the
design of Protocol 2, so that it is actually a bit simpler and more efficient than
Protocol 1. Thus, even if k = t + 1, Protocol 2 may be an attractive practical
alternative to Protocol 1.
We view a proof of security in the random oracle model as a heuristic argu-
ment that provides strong evidence that a system cannot be broken. All things
being equal, a proof of security in the random oracle model is not as good as
a proof of security in the “real world,” but is much better than no proof at
all. Anyway, it does not seem unreasonable to use the random oracle model,
since that is the only way we know of to justify the security of ordinary RSA
signatures.
Previous Work
Desmedt [Des87] introduces the more general notion of threshold signatures.
Desmedt and Frankel [DF89] present a non-robust threshold ElGamal scheme
[ElG85] based on “secret sharing,” [Sha79] i.e., polynomial interpolation over
a finite field. Their scheme has small share size, but requires synchronized in-
teraction. Harn [Har94] presents a robust threshold ElGamal scheme with small
share size, but again requires synchronized interaction. It seems that the security
of both of the above schemes can be rigorously analyzed in a satisfactory way,
although neither paper does this. Gennaro et al. [GJKR96b] present a robust
threshold DSS scheme with small share size that again requires synchronized
interaction; they also give a rigorous security analysis.
剩余13页未读,继续阅读
2022-05-04 上传
2023-06-01 上传
2023-06-08 上传
2023-04-19 上传
2023-06-07 上传
2023-05-13 上传
2023-07-08 上传
区块链之美
- 粉丝: 591
- 资源: 4
我的内容管理
展开
最新资源
- 建立拨号连接建立拨号连接
- 自己组建对等网现在让我们看看如何组建对等网
- 华为PCB内部资料(设置规则)
- E:\oracle教材\Oracle体系结构.txt
- Origin 拟合曲线教程
- 对等型网络一般适用于家庭或小型办公室中的几台或十几台计算机的互联,不需要太多的公共资源,只需简单的实现几台计算机之间的资源共享即可
- Database Porgramming With Jdbc And Java 2nd Edition
- Convex Optimiztion
- SHT11中文版datasheet.
- photoshop中按钮制作
- Vim用户手册中文版72
- Matlab神经网络工具箱应用简介.pdf
- thinking in java 台湾侯捷完整版
- Absolute C++
- 图论算法及其MATLAB程序代码
- 数字PID控制中的积分饱和问题
