2 articles found
Asynchronous Secret Reconstruction and Its Application to the Threshold Cryptography (Cited by: 2)
1
Authors: Lein Harn, Changlu Lin. International Journal of Communications, Network and System Sciences, 2014, Issue 1, pp. 22-29 (8 pages)
In Shamir’s (t, n) threshold of the secret sharing scheme, a secret is divided into n shares by a dealer and is shared among n shareholders in such a way that (a) the secret can be reconstructed when there are t or more than t shares; and (b) the secret cannot be obtained when there are fewer than t shares. In the secret reconstruction, participating users can be either legitimate shareholders or attackers. Shamir’s scheme only considers the situation when all participating users are legitimate shareholders. In this paper, we show that when there are more than t users participating and shares are released asynchronously in the secret reconstruction, an attacker can always release his share last. In such a way, after knowing t valid shares of legitimate shareholders, the attacker can obtain the secret and therefore, can successfully impersonate to be a legitimate shareholder without being detected. We propose a simple modification of Shamir’s scheme to fix this security problem. Threshold cryptography is a research of group-oriented applications based on the secret sharing scheme. We show that a similar security problem also exists in threshold cryptographic applications. We propose a modified scheme to fix this security problem as well.
Keywords: Shamir’s (t, n) Secret Sharing Scheme; Secret Reconstruction; Threshold Cryptography; Threshold Decryption; Asynchronous Networks
Zero-pole cancellation for identity-based aggregators: a constant-size designated verifier-set signature
2
Authors: E CHEN, Yan ZHU, Changlu LIN, Kewei LV. Frontiers of Computer Science (SCIE, EI, CSCD), 2020, Issue 4, pp. 197-210 (14 pages)
In this paper we present a designated verifier-set signature (DVSS), in which the signer allows to designate many verifiers rather than one verifier, and each designated verifier can verify the validity of signature by himself. Our research starts from identity-based aggregator (IBA) that compresses a designated set of verifier’s identities to a constant-size random string in cryptographic space. The IBA is constructed by mapping the hash of verifier’s identity into zero or pole of a target curve, and extracting one curve’s point as the result of aggregation according to a specific secret. Considering the different types of target curves, these two IBAs are called as zeros-based aggregator and poles-based aggregator, respectively. Based on them, we propose a practical DVSS scheme constructed from the zero-pole cancellation method which can eliminate the same elements between zeros-based aggregator and poles-based aggregator. Due to this design, our DVSS scheme has some distinct advantages: (1) the signature supporting arbitrary dynamic verifiers extracted from a large number of users; and (2) the signature with short and constant length. We rigorously prove that our DVSS scheme satisfies the security properties: correctness, consistency, unforgeability and exclusivity.
Keywords: designated verifier-set signature; aggregator; unforgeability; exclusivity