摘要: |
对于一个密码方案而言,如何在安全证明中降低归约损失、实现紧归约是一个重要的问题。因为一般来说归约损失越大,就需要更大的参数来保证方案的理论安全强度,而在部署一个紧安全的密码方案的时候,则不需要牺牲效率来弥补归约损失。在这篇文章中,我们关注紧安全的环签名构造。环签名在2001年由Rivest等人首次提出,它允许用户在隐藏自己身份的同时进行签名,任何人都不能破坏环签名的匿名性,同时敌手不能冒充任意一个环成员生成相应的有效签名。虽然目前已有多种环签名的构造方案,但证明过程中的归约损失是高效实现的一大阻碍。在本文中,我们基于DDH假设在随机预言机模型下提出了一种环签名方案,其中安全证明的归约损失仅为常数,因此称为紧安全的环签名构造。在构造中,我们令每个用户的公钥由两个子公钥构成,用户私钥为其中一个子公钥对应的子私钥,再基于Goh与Jarecki提出的紧安全的EDL签名方案,我们利用标准的CDS变换构造了一个1/N-DDH非交互零知识证明系统,从而证明用户拥有有效的私钥,得到相应的环签名方案。得益于这种特殊的构造,在安全证明中我们不必使用分叉引理,也不必猜测敌手的目标公钥,从而实现了紧安全归约。此外,我们的方案可以用来构造附加其他性质的环签名方案,如可链接环签名,同时对于其他匿名签名方案的紧安全设计也具有启发意义。 |
关键词: 环签名 可证明安全 紧安全归约 DDH假设 |
DOI:10.19363/J.cnki.cn10-1380/tn.2022.05.03 |
投稿时间:2019-10-16修订日期:2020-02-24 |
基金项目:本课题得到国家自然科学基金(No.61872359,No.61936008)资助。 |
|
Tightly-secure Ring Signature Construction |
QIU Tian,TANG Guofeng,LIN Dongdai |
State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China;Trusted Computing and Information Assurance Laboratory, Institute of Software Chinese Academy of Sciences, Beijing 100190, China |
Abstract: |
In real-world cryptography, reducing security loss and achieving tight security are increasingly gaining importance, as larger reduction loss must be compensated by larger parameters if we want to choose these parameters in a theoretically-sound way. However, when we implement a tightly-secure cryptographic scheme, there is no need to sacrifice efficiency. In this paper, we focus on the constructions of tightly-secure ring signature. Ring signature was introduced by Rivest et. al. in 2001. It allows users to sign messages anonymously. Nobody could break this anonymity and the adversary cannot forge a valid ring signature. Although there are many ring signature constructions, their reduction loss hinders efficient implementations. In this paper, we propose a tightly-secure ring signature scheme in the random oracle model based on the DDH assumption and the reduction loss is just a constant factor in the security proof. In our construction, user's public key consists of two base public keys and the secret key consists of a random secret key for one of two base public keys. Then we design a 1/N-DDH non-interactive zero-knowledge proof system by applying standard CDS transformation (CRYPTO'94) on the tightly secure EDL signature scheme proposed by Goh and Jarecki (EUROCRPYPT'03). Using this proof system, users prove the ownership of one of N secret keys and we obtain a ring signature scheme. Due to this special construction, we do not use forking lemma and do not need to guess adversary's targeted public key, thus we achieve tight security. In addition, our scheme can be used to construct other ring signature schemes with additional properties such as linkable ring signature, and it is an important inspiration to design other privacy-preserving signature schemes. |
Key words: ring signature provable secure tight secure reduction Decisional Diffie-Hellman(DDH) assumption |