基于SM9的指定验证者聚合签名方案

Designated verifier aggregate signature scheme based on SM9

聚合签名能够显著提升签名效率,减少签名者的计算代价,降低通信成本,并且能更好地保护签名者的隐私,因此,得到国内外学者的广泛关注。但聚合签名方案大多数采用国外密码算法设计,不符合我国密码技术自主可控的要求。SM9数字签名算法是国内自主研制的标识签名方案,其仅能实现一对一的签名和验证,无法满足多对一的签名和验证需求。针对上述问题,构造了基于SM9的指定验证者聚合签名(designated verifier aggregate signature,DVAS)方案。该方案利用假名和散列函数单向性,避免签名者个人信息泄露。在签名聚合阶段,通过制定验证者控制数据访问权限,实现了签名者的隐私保护。基于q-SDH(q-strong Diffie-Hellman)困难问题,所提方案在随机谕言机模型下证明了安全性。方案分析显示该方案能够避免签名者隐私泄露。理论分析和实验仿真结果表明,与现有聚合签名方案相比,所提方案在单个签名生成和验证方面性能更加优越,并且能有效降低签名批量验证的计算代价,同时具有较高的运算效率,更能适用于云服务等应用场景。

Aggregate signatures have been recognized for significantly improving signing efficiency,reducing the computational cost for signers,lowering communication costs,and better protecting the privacy of signers.Currently,many aggregate signature schemes have been designed using foreign cryptographic algorithms,which do not meet the requirements for independent and controllable cryptography technology in China.The SM9 algorithm,a domestically developed identity-based signature scheme in China,was only capable of achieving one-to-one signature and verification,failing to meet the requirements for multiparty signature and verification.To address these issues,a designated verifier aggregate signature(DVAS)scheme was proposed based on the SM9 signature algorithm.Pseudonyms and the one-way property of hash functions were utilized to prevent the leakage of the signer's personal information.The privacy of the signer was protected during the signature aggregation phase by controlling data access permissions for designated verifiers.The security of the scheme was proven under the random oracle model,based on the q-strong Diffie-Hellman(q-SDH)hard problem.Scheme analysis demonstrates that it could prevent the leakage of the signer's privacy.Theoretical analysis and experimental simulation show that,compared to other similar aggregate signature schemes,the proposed scheme exhibits superior performance in terms of signature generation and verification.The proposed scheme is capable of effectively reducing the computational cost of batch signature verification and offered higher computational efficiency,making it more suitable for applications such as cloud services.