1 Introduction
D. Chaum introduced the concept of the blind signature scheme in 1982. With such a scheme, a user can obtain a signature on any message without disclosing any information about the message or its signature. The properties of the scheme are unforgeability, untraceability and unlinkability.
In the production of coins, users ask banks to sign a coin blindly and adopt the blind signing scheme. The user has a valid coin, and the bank itself cannot identify and connect the user. Whenever a user cancels a coin through a valid branch, he needs the branch as a proxy blind signature to represent the demand of the signer bank application for proxy blind signature scheme.
The concept of the proxy signature was introduced by Mambo in 1996. In a proxy signature scheme, a proxy signer can sign any message on behalf of the original signer in such a way that the signature can be verified and the original signer's signature and the proxy signature can be distinguished (proxy signature right). He also discussed two kinds of scheme: proxy-unprotected (both the proxy and the original signer can generate valid proxy signatures) and proxy-protected (only the proxy can generate valid proxy signatures).
This paper introduces the latest terbium proxy blind signature scheme to ensure the security performance. This scheme, as well as the subject blind signature scheme and proxy signature scheme, are all based on Schnorr blind signature scheme ... This paper will introduce a new proxy blind signature scheme Mambo and so on. And our scheme is more efficient. We also discussed some Brownian schemes and attacks, which can be overcome by using our scheme.
2 The scheme
Some additional symbols in system parameters and schemes
p: a large prime number; q: a large factor of (p − 1); g: an element of order q; : the original signer's secret key; : the original signer's public key, there; H(·): a secure hash function.
2.1 Without proxy protection
The protocol operates as follows.
2.1.1 Proxy stage
1. (Proxy generation) The original signer selects a random value and computes
R/s =( 1), (2) and (3).
2. (Proxy delivery) The original signer sends (R), and the proxy signer B makes it public in a secure way.
3. (Proxy verification) After receiving the secret key (r), the proxy signer B checks its validity as follows: (4). Only if this is satisfied does he accept the key as valid; otherwise he rejects it ... The proxy then asks for another key, or simply stops the protocol.
2.1.2 Signing stage
1. Select a random number b, calculate R = and send it to the receiver.
2. (1). Randomly select C to calculate (5)
If he chooses another set; Otherwise, calculate (6).
(7) just use c to send e.
3. Upon receipt, B calculates (8) and sends it to C.
4. Now C calculates the proxy blind signature of the tuple of (9).
2.1.3 Verification stage
Calculation of proxy blind signature scheme of verifier or receiver (10)
The common value here is 1 step (2. 1.2) if and only if this tuple is a valid proxy signature.
Table 1: Comparison of the computational load of the schemes.
Stage scheme.
total
Agent,
Generation after generation signature verification signature
Tan 8E+7+23e 3 e++ poems, I am14e30,000 people++me.
4E Level 1 +2 Scheme 3E+3M+ Wo2e+M Development Center 900 million rural power network 900 million +6+ is not worthy.
2.2 Proxy protection
If we want only the proxy signer to be able to generate valid proxy signatures, we modify the proxy stage of the previous protocol (2.1.2) as follows:
2.2.1 Proxy stage
1. (Proxy generation) The original signer selects a random value and computes the key to be made public.
2. (Proxy delivery) The original signer sent a proxy signer B to the public in a secure way.
3. (Proxy verification and key alteration) After confirming the validity, B alters the proxy key.
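As an added illustration (not code from the paper), the following Python sketch runs the proxy stage of 2.1.1 and the key alteration of 2.2.1. The page's equations (1)-(4) did not survive, so the sketch assumes the standard Mambo-style relations r = g^k mod p, s = x_o + k·r mod q and the check g^s = y_o·r^r mod p, plus s' = s + x_B for proxy protection; the toy group and all function names are constructed for the example.

```python
import secrets

# Toy Schnorr group, constructed for illustration and far too small for real use:
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (secret x, public y = g^x mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def delegate(x_o):
    """Original signer: pick random k, commit r = g^k, derive proxy key s (assumed form)."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    s = (x_o + k * r) % Q
    return s, r

def proxy_public_key(y_o, r):
    """Verifiers recompute the proxy public key from y_o and r instead of looking it up."""
    return (y_o * pow(r, r, P)) % P

def proxy_accepts(s, r, y_o):
    """Proxy signer B accepts (s, r) only if g^s == y_o * r^r (mod p)."""
    return pow(G, s, P) == proxy_public_key(y_o, r)

def protect(s, x_b):
    """Proxy-protected variant: B mixes in his own secret so only he knows the key."""
    return (s + x_b) % Q

def protected_public_key(y_o, r, y_b):
    """Public key matching protect(): y_o * r^r * y_b (mod p)."""
    return (proxy_public_key(y_o, r) * y_b) % P

def demo():
    x_o, y_o = keygen()                                # original signer
    x_b, y_b = keygen()                                # proxy signer B
    s, r = delegate(x_o)
    ok = proxy_accepts(s, r, y_o)                      # honest delegation
    tampered = proxy_accepts((s + 1) % Q, r, y_o)      # altered key in transit
    s_pp = protect(s, x_b)
    protected_ok = pow(G, s_pp, P) == protected_public_key(y_o, r, y_b)
    return ok, tampered, protected_ok

if __name__ == "__main__":
    print(demo())
```

In the unprotected variant the original signer knows s and can therefore sign as the proxy; after `protect` the signing key also depends on B's secret, which the original signer never sees.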
3 Efficiency
In this section, we show the Brownian equivalence of the efficiency of our scheme. Let e, m and I denote the computational load of exponentiation, multiplication and inversion respectively. Then the calculation load and terbium of the comparison scheme are given in the table below.
In our scheme, the amount of calculation in each stage is less than that generated by the agent, which is a stage when the index calculation exceeds the calculation load and compromises. The application of some digital information can be adjusted to increase the calculation load once, more than once. In this case, our efficiency improvement times are feasible, and the further total cost is 900 million +6+ in our solution computing technology development center. I compare it with the computing load.
4 Security analysis
1. In the signature verification stage, we only use the different validity checks of the original signature and proxy signature, so the original signature and proxy signature.
2. An effective proxy signature scheme needs proxy protection ... which is impossible. Proxy signature is unforgeable through effective signature, understanding of wrinkles and s, or both. In addition, although it was created by the original signer, there is also unknown proxy protection, so the identity of the proxy signer does not deny that he created the proxy signature scheme.
3. The public key calculation starts from the central point of the original signer's public key. The original signer cannot deny that the public key of his proxy signer also participates in the public key (such as proxy protection), so the identity of the proxy signer can identify the signature.
Aiming at some security attacks of this job, the scheme is being deleted ... These attacks are as follows:
Check Brownian equation and other schemes (11).
Make sure that both parties sign A and B, so tuple (m, U, South China, East China) is an effective proxy blind signature scheme. The key point here is that the only way for the public to sign is to realize that its proxy blind signer is forged for B, which may be a solution like terbium.
The receiver R may represent (M, U, South China, East China) that some other signatures F are valid proxy blind signatures, although F may not consider any of his signature rights. When the receiver R and "B" calculate (12) instead of (13), the following may happen.
There is no other equation, and it will be forged. Now this receiver can prove that tuple (m, U, South China, East China) is an effective proxy blind signature scheme. Through similar verification, the signer collected large-scale activities of the Leisure and Cultural Services Department (11): the equation is (14), ensuring participation, and the signer is Fahrenheit (.
In the second case, the receiver can prove that the signer has generated a valid single proxy blind signature to represent a verification, so he calculates (15) instead of eq. (13), thus verifying that eq. (11) is changed (16), ensuring that.
In order to overcome these errors, you should limit or move the total calculation in our equation, so that you won't think that our plan is safe for these types of errors.
5 Conclusions
In this paper, a proxy blind signature scheme is proposed, in which the proxy can make the user proxy sign blindly, and the verifier can verify its very similar proxy signature scheme. Our scheme is based on Mambo protocol, and its computation is less than the latest scheme. In this paper, we also discuss some possible attacks, and our scheme is free.
6 Further comments
Recently, Sun and Hsich pointed out some security flaws in the above scheme according to their views.
6.1 Not suitable
For the identity of proxy signer, in order to determine the relationship between information, it reveals blind information and the identity of proxy signer. He has all the information records, such as R e, s'. A signature (m, after e) indicates the identity and calculation of the proxy signer. Finally, the identity of the proxy signer. Therefore, the identity of the proxy signer of the equation is unknown (S), and vitamin E is.
It was released. 62
Generally speaking, in order to verify that an agent's signature and agent's public key are obtained by calculation, instead of looking up the public key from the original signer, the relationship between the meanings of the agent's public key is calculated, and it is determined that the original signer and agent signer can obtain the agent's public key from the enemy according to Sun et al's scheme and reprint it again. Finally, the devil claimed to be the original signer. Therefore, the published proxy public key has security flaws, and the original signer cannot be verified.
6.3 Our point of view
Observe the correctness of the above chapters and modify them. Every time the opponent reissues the agent's public key, the agent authorizes the protocol; If the execution fails, it will be verified and changed ... Another possibility is that the identity of the proxy signer can help the enemy. This is only when the proxy signer agrees to change the proxy key, which means that the last proxy signature does not represent the original signer and can be easily denied to be the real original signer. Similarly, in Section 3, we can use the original signer's public key and the compromised cost of 1 multiplication and 1 exponent.