一种基于RSA的群签名方案

29550DChaumEvanHeyst[1]1991[1~5][4][3][5]2000HJKimJILimDHLee[5]RSACamenisch-MichelsRSAPKSLRSA1RSA1.1[6](1)(2)(3)(4)(5)(6)2005-06-22(10471078)(20040422004)(1974)RSA112(1.2768262.276826)[1,2,4,5,7,10][3][5]RSARSARSA;;;;TP393.08A1000-7024(2006)16-2955-03GroupsignatureschemebasedonRSALIFeng-yin1,YUJi-guo1,JUHong-wei2(1.InstituteofComputerScience,QufuNormalUniversity,Rizhao276826,China;2.DepartmentofAssetsManagement,QufuNormalUniversity,Rizhao276826,China)AbstractThecurrentgroupsignatureschemeeitherneglectstheproblem[1,2,4,5,7,10],orislowefficient[3],orisinsecure[5].ConsideringRSAisoneofthemostpopularpublickeycryptogramalgirithms,anewgroupsignatureschemecompletelybasedonRSAisproposed.Thenewschemesafelyaddordeletememberswhilekeepingthesecretkeysoftheotheravailablemembersunchanged,itefficientlyrealizetheaddordeleteprocess,itfitsbiggroupsanditssecurityreliesonthedifficultytodisassembleabignumber.KeywordsRSA;groupsignature;memberrevocation;publickeystatelist;proactive20068Aug.20062716Vol.27No.16ComputerEngineeringandDesign2956(1)(2)(3)(4)(5)(6)1.2RSARSARivestShamirAdlman(1)pq()n()=pq(n)()=(p-1)(q-1)e()gcd(e,(n))=1d()de1(mod(n))(e,n)d(2)mc=E(m)me(modn)(3)cm=D(c)cd(modn)(4)ms=h(m)d(modn)(5)h(m)se(modn)sh()Hash(SHA-1)1.3RSA4TSA1.3.1pqn=pqeZngcd(e,(n))=1ded1(mod(n))()(e,n)dHashhh(e,n)GMxM,yMxM,yMZnxM•yM1(mod(n))xM,yM,ydMmodnGMGMyM=(ydMmodn)e(modn)xM,yMxi,yiIDiyiIDiUixi,yi,ydimodnUiUiyi=(ydimodn)e(modn)xi,yiPKSLPKSLPKSL9999.12.31PKSLPKSLPKSL1.3.2Uixi,yim1Uisi=h(m)xi(modn)=m,si2UiyiTSA3TSAyiUiTTSASignTSA(,TTSA)UiTTSATSASignTSA()TSA4TTSASignTSA(,TTSA)SignTSA(,TTSA)TSAyiTTSASignTSA(,TTSA)21.3.3AliceyiTTSASignTSA(,TTSA)SignTSA(,TTSA)TSAyisyii(modn)(h(m)xi(modn))yi(modn)h(m)yiTTSASignTSA(,TTSA)1.3.4yiTTSASignTSA(,TTSA)yiIDi1.3.5nekBobxk+1Znxk+1•yk+11(mod(n))yk+1yk+1PKSLPKSLxk+1,yk+1dmodnBobIDk+1yk+1BobPKSL1.3.6UjiyiTi-startTi-end2957yjPKSLPKSLPKSLPKSL2TTSA1UiUixiRSA2UjUjxj1yjxjRSAxjUj31RSA2PKSLPKSL3PKSLPKSL45TSA6PKSLPKSL4RSA1234:[1]ChaumD,HeystVE.Groupsignatures[C].ProcofEUROCRYPT'91,547,LectureNotesinComputerScience,1991.257-265.[2]CamenishJ,StadlerM.Efficientgroupsignaturesforlargegroups[C].ProcofCRYPTO'97,1296,LectureNotesinComputerScience,1997.410-424.[3]CamenishJ,MichelsM.Agroupsignatureschemewithimpro-vedefficiency[C].ProcofASIACRYPT'98,1541,LectureNotesinComputerScience,1998.160-174.[4]AtenieseG,TsudikG.Someopenissuesandnewdirectionsingroupsignatures[EB/OL].~gts/pubs.html.[5]HyunJeongKim,JongInLim,DongHoonLee.Efficientandse-curememberdeletioningroupsignatureschemes[C].Procofthe3rdIntConferenceonInformationSecurityandCryptology-ICISC2000,2015,LectureNotesinComputerScience,2000.150-161.[6],,,.[J].,2004,32(7):1062-1065.[7],,.Camenisch[J].,2004,27(8):1115-1120.[8],.DSA[J].2004,25(3):323-326.[9],.RSA[J].,2005,26(5):1214-1216.