改进的无证书广义指定验证者聚合签名方案  

作　　者：胡小明[1] 马闯[1] 斯桃枝[1] 蒋文蓉[1] 许华杰[2] 谭文安[1] HU Xiao-ming MA Chuang SI Tao-zhi JIANG Wen-rong XU Hua-jie TAN Wen -an(College of Computer and Information Engineering, Shanghai Second Polytechnic University, Shanghai 201209, China School of Computer and Electronic Information, Guangxi University, Nanning 530004, China)

机构地区：[1]上海第二工业大学计算机与信息工程学院,上海201209 [2]广西大学计算机与电子信息学院,南宁530004

出　　处：《计算机科学》2017年第8期168-175,共8页Computer Science

基　　金：上海市教育委员会科研创新基金重点项目(14ZZ167);国家自然科学基金资助项目(61103213;61272036;61672022);广西自然科学基金项目(2014GXNSFAA11838-2);上海第二工业大学校级重点学科计算机科学与技术(XXKZD1604)资助

摘　　要：无证书广义指定验证者聚合签名(CTL-ASWUDV)能有效解决签名者的隐私保护问题。针对最近指出的张玉磊等学者的CTL-ASWUDV方案构造无效且不满足两类敌手攻击的问题,提出了一个改进的CTL-ASWUDV方案(CTL-ASWUDV-1)。该方案在保持了原方案中聚合签名长度和双线性配对数固定的优点的同时,有效克服了两类敌手的攻击。进一步提出了一个更加高效的CTL-ASWUDV方案(CTL-ASWUDV-2)。在随机预言机模型下,证明该方案的安全性可规约为CDH问题。同时,该方案与目前已有的同类方案相比具有如下优势:单个签名和聚合签名无需双线性配对运算,而且聚合签名验证所需的双线性配对数量与签名人数无关,与单个签名验证数量相当,都是1个配对运算;聚合签名长度和指定验证者签名长度与签名人数无关,与单个签名长度相当,都是固定的1个元素,大大节省了网络带宽。Certificateless aggregate signature scheme with universal designated verifier（CTL-ASWUDV）can effectively solve the problem of protecting the privacy of the signer.An improved CTL-ASWUDV scheme（CTL-ASWUDV-1）was proposed according to the problems existing in Zhang et al.＇s CTL-ASWUDV scheme on the invalid construction and two types of adversary attacks.The improved scheme not only keeps the advantages of constant aggregate signature length and constant bilinear pairing operation number,but also overcomes the attacks from two types of adversaries.This paper further proposed a highly efficient CTL-ASWUDV scheme（CTL-ASWUDV-2）.In the random oracle model,the security of the second improved scheme can be reduced to computational Diffie-Hellman problem.At the same time,compared with the existing similar schemes,the proposed second scheme has the following advantages.It has no bilinear pairing operation in both single signature and aggregate signature,and the number of bilinear pairing operation needed by the aggregate signature verification is independent on the number of signers and it is equivalent to the number of a single signature verification,i.e.one pairing operation.The length of an aggregate signature and the length of a designated verifier signature are both independent on the number of signers and they are equivalent to the length of a single signature verification,i.e.one element,which largely saves the network bandwidth.

关 键 词：网络安全 无证书签名 聚合签名 指定验证者签名 双线性配对 

分 类 号：TP301[自动化与计算机技术—计算机系统结构]