改进的可证明安全无证书签名方案

摘要 给出樊爱宛等无证书签名方案的一个伪造攻击,攻击显示第Ⅰ类强攻击者能成功伪造任意用户对任意消息的有效签名.分析发现原方案不安全的原因在于,签名阶段选取的随机数没有与消息M关联起来,通过将签名阶段选取的随机数与消息M相关的Hash函数值进行绑定的方式给出了改进方案,其中安全性最优的方案在签名阶段只需1个点乘,在验证阶段需要4个点乘,可抵抗第Ⅰ类超级攻击者、第Ⅱ类超级攻击者的攻击;其余方案在签名阶段只需1个点乘,在验证阶段需要3个点乘,可抵抗第Ⅰ类强攻击者、第Ⅱ类超级攻击者的攻击,针对现实世界的攻击者是安全的.改进方案在椭圆曲线离散对数困难性假设下是可证明安全的.
A forgery attack on Fan Aiwan et al's certificateless signature scheme was presented. It is found that the strong type I adversary could forge any user's valid signature on any message. The reason of this problem is that the random number selected in the signature generation phase is not associated with the message M. To improve the original scheme's security, the improved schemes in which the random number selected in the signature generation phase is bound to the hash function value of message M was proposed. The scheme proposed can resist both super type Ⅰ and type Ⅱ adversary, and it only needs one scalar multiplication in signature generation phase and four scalar multiplications in signature verification phase; the other schemes proposed can resist strong type Ⅰ and super type Ⅱ adversary and are secure against the attacker in the real world. In addition, they only need one scalar multiplication in signature generation phase, and three scalar multiplications in signature verification phase. The improved schemes are provably secure under the intractability of elliptic curve discrete logarithm problem.