现代密码学(中山大学)Lecture14Lecture13.ppt

密码协议 承诺 零知识证明 不经意传输 安全多方计算 * * A signer who generates a ring signature computes a series of values from a message and other members’ public keys. And, the signer can connect the head and tail of series of values by using own secret key. A verifier computes series of values from members’ publickeys, and checks that a signature has a ring structure In the signature scheme , Anyone cannot distinguish a part of the signature which is used secret key. Therefore, anyone cannot distinguish the actual signer. 现代密码学Modern Cryptography 张方国 中山大学信息科学与技术学院 isszhfg@mail.sysu.edu.cn 第十三讲 特殊的数字签名 一次性签名 盲签名，部分盲签名，公平盲签名 群签名 不可否认签名 指定确认者签名 指定验证者签名 代理签名 聚合签名 。。。 One-time signature schemes Allow at most one message to be signed New public key to be generated for each message Signature generation – verification are efficient 一次性签名 Merkle’s one-time signature scheme Signature verification is not interactive Instead, a TTP is involved Signatures implemented via a tree-like scheme Merkle’s one-time signature scheme Each message to be signed corresponds to a node in the tree Each node has the corresponding verification parameters Number of messages limited by the size of the tree Fairly efficient scheme, since it involves only the use of hash functions 盲签名 电子现金和电子投票 一般数字签字中，总是要先知道文件内容而后才签署，这正是通常所需要的。但有时需要某人对一个文件签字，但又不让他知道文件内容，称此为盲签字(Blind Signature)，它是由Chaum[1983]最先提出的 * Application in E-commerce Blind Signature Schemes Two-party protocols between sender A and signer B A sends information to B, B signs it, and returns it to A A then extracts signature for the message B knows neither message nor the signature associated with it RSA Sign: Receiver Signer message m RSA Receiver Signer Sign: message m random blinding factor r blinded message m s m = m . re mod N m s s = e m mod N signature s s = e m mod N Signature s = s/r mod N blind 部分盲签名 Partially Blind Signature:signer, user and verifierKey Generation:Public information generation: Pa