Abstract

In a threshold signature scheme, any subset of participants out of can produce a valid signature, but any fewer than participants cannot. At the same time, a threshold signature scheme should remain robust and unforgeable against up to corrupted participants: this unforgeability property means that even an adversary who breaks into up to participants should be unable to generate signatures on her own. Existential unforgeability against adaptive chosen message attacks is widely considered the standard security notion for digital signatures, and threshold signatures should meet it as well. However, a threshold signature scheme has two further attack models: the static corruption attack and the adaptive corruption attack. Since the adaptive corruption model better captures real threats, designing threshold signature schemes and proving them secure in the adaptive corruption model has received much attention in recent years. If a threshold signature is secure under adaptive chosen message attacks and adaptive corruption attacks, we say it is fully adaptively secure. In this paper we construct a threshold signature scheme based on the dual pairing vector spaces technique, prove it fully adaptively secure in the standard model using Gerbush et al.’s dual-form signatures technique, and then compare it to other schemes in terms of efficiency and computation.

1. Introduction

A simple communication model, in which there is a single pair of sender and receiver, has to be extended to allow communication between groups. To meet the security requirements of such a model, group-oriented cryptography was invented by Desmedt [1]. Given a group of participants, a threshold signature is a cryptographic protocol that allows any subgroup of participants to collectively sign messages. On the other hand, any subgroup of participants (or smaller) is unable to generate a valid signature for any message. A threshold signature is called robust if misbehaving participants (who do not follow the protocol) are unable to prevent the honest participants from successfully executing the signature protocol.

Goldwasser et al. studied the security of signatures in [2]. They introduced a security notion called existential unforgeability against chosen message attacks (EUF-CMA) and analysed it using an appropriate security game. In the game, an adversary can get a public key (for signature verification) and she can query a signature oracle a polynomial number of times for messages of her choice. She wins the game (and breaks the security) if she is able to come up with a valid signature for a message that has not been queried before. There are two flavours of the game: nonadaptive and adaptive. In a nonadaptive EUF-CMA, the adversary queries the signature oracle before she gets the public key. In an adaptive EUF-CMA, she gets the public key first and then she uses the signature oracle.

In group-oriented cryptography, there are two basic adversarial models: static and adaptive. In the static model, the adversary fixes the subset of participants that she wants to corrupt before the protocol starts [3, 4]. In the adaptive model, the adversary waits for an appropriate time during the protocol execution. She collects information from a protocol run and corrupts a specific subset of participants to maximise her chances of success [5–7]. Clearly, the adaptive adversary is strictly stronger than the static one. Besides, the adaptive model better reflects real-life adversaries and has therefore attracted more attention from researchers. Needless to say, it is a more challenging task to design threshold signatures with EUF-aCMA security under the adaptive adversarial model than under the static model.

In 2004, Abe and Fehr [8] proposed threshold signatures secure against adaptive corruptions using the universal composability framework. Although the amount of interaction is reduced, interaction is still needed. Wang et al. [7] apply the Waters signatures [9] to construct threshold signatures secure against adaptive adversaries in the standard model. Their signatures still require interaction over secure point-to-point channels.

Libert and Yung [10] used the Lewko-Waters identity-based encryption [11] and bilinear maps over groups of composite order to design threshold signatures secure against adaptive adversaries, with no need for interaction. However, Freeman [12] argued that, for the same security level, the Libert-Yung signatures are roughly 50 times slower than signatures in prime-order groups. Hwang et al. [13] constructed threshold directed signatures that are existentially unforgeable under chosen message attacks, assuming that the computational Diffie-Hellman problem is intractable. However, the security claims hold only when the adversary is static. Raman et al. [14] proposed threshold proxy signatures based on the RSA assumption. Neither construction [13, 14] is secure against adaptive corruptions.

Libert et al. [15] employ the Pedersen distributed key generation protocol [16] to design two variants of threshold signatures that are adaptively secure against a static adversary. The first scheme is highly efficient, but its security proof is in the random-oracle model. The second scheme is proven secure in the standard model using the Groth-Sahai arguments [17]. Unfortunately, the price is low efficiency; for example, the time required for a partial signature is proportional to the length of the message block. Harn and Wang [18] have studied threshold signatures using the Chinese remainder theorem. Their designs are secure against adaptively chosen message attacks and static corruptions in the random-oracle model. Recently, Assidi et al. [19] have proposed an efficient code-based threshold ring signature. However, their scheme cannot withstand adaptive corruption attacks.

It turns out that the dual pairing vector space (DPVS) technique offers a powerful tool for constructing cryptographic algorithms such as identity-based encryption (IBE) and attribute-based encryption (ABE). We show that the technique can also be employed to design threshold signatures. The main contribution of our paper is the construction of threshold signatures that are EUF-CMA secure under adaptive corruption attacks in the standard model. Our construction is based on the Lewko identity-based encryption [20] and the Okamoto-Takashima DPVS technique [21, 22]. The security proof, however, applies dual-form signature arguments developed by Gerbush et al. in [23].

2. Preliminaries

Given a set . We denote by the fact that is drawn randomly and uniformly from . denotes the set cardinality and is the length of (or the number of bits in its binary form). If is the set of natural numbers, then denotes the string of ones; .

2.1. Bilinear Maps

Given two cyclic groups and of prime order , a bilinear map is a function such that, for any generator and any integers , the map satisfies the following properties [24]:
(i) Bilinearity:
(ii) Nondegeneracy: unless
(iii) Computability: there exists an efficient algorithm that computes for

Note that is the set of integers modulo . Let us introduce the notation that will be used in the paper. Given a vector and an integer , we define the following shorthand notations:
(i) , where
(ii)
(iii) , where for and
(iv) , where
(v) , where , is a bilinear map and

A group generation algorithm takes a requested security level parameter and returns , where is a large prime and is a generator of .

2.2. Dual Pairing Vector Spaces

Given two random bases and over , the bases and are called dual orthonormal if when and when , where . Note that, for a generator of , the following relation holds:

denotes the set of dual orthonormal bases [20, 21, 25].
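As an added worked example (not code from the paper), the following Python samples a pair of dual orthonormal bases (B, B*) over Z_q as in Section 2.2, checks the relation <b_i, b*_j> = psi·delta_ij, and shows how the dual basis reads off the coordinates of a vector lying in a subspace spanned by the first basis vectors, which is the property the subspace assumption of Section 2.3 hides once the vectors are placed in the exponent. The construction B* = psi·(A^{-1})^T for a random invertible matrix A is the one the proof of Claim 1 alludes to; the group-element encoding is left implicit.

```python
import random


def mat_inv_mod(m, q):
    """Invert an n x n matrix over Z_q by Gauss-Jordan elimination.
    Returns None if the matrix is singular mod q."""
    n = len(m)
    a = [[x % q for x in row] + [int(i == j) for j in range(n)]
         for i, row in enumerate(m)]
    for c in range(n):
        piv = next((r for r in range(c, n) if a[r][c]), None)
        if piv is None:
            return None
        a[c], a[piv] = a[piv], a[c]
        inv = pow(a[c][c], -1, q)
        a[c] = [x * inv % q for x in a[c]]
        for r in range(n):
            if r != c and a[r][c]:
                f = a[r][c]
                a[r] = [(x - f * y) % q for x, y in zip(a[r], a[c])]
    return [row[n:] for row in a]


def transpose(m):
    return [list(col) for col in zip(*m)]


def inner(u, v, q):
    return sum(x * y for x, y in zip(u, v)) % q


def gen_dual_bases(n, q, seed):
    """B = rows of a random invertible A; B* = psi * rows of (A^{-1})^T.
    Since A * A^{-1} = I, row i of A and row j of (A^{-1})^T have inner
    product delta_ij, so <b_i, b*_j> = psi * delta_ij (Section 2.2)."""
    rng = random.Random(seed)
    while True:
        a = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
        ainv = mat_inv_mod(a, q)
        if ainv is not None:
            break
    psi = rng.randrange(1, q)
    bstar = [[psi * x % q for x in row] for row in transpose(ainv)]
    return a, bstar, psi


def is_dual_orthonormal(b, bstar, psi, q):
    """Check <b_i, b*_j> = psi when i == j and 0 otherwise."""
    n = len(b)
    return all(inner(b[i], bstar[j], q) == (psi if i == j else 0)
               for i in range(n) for j in range(n))


def vector_in_span(coeffs, basis, q):
    """v = sum_i coeffs[i] * basis[i]; a short coeffs list keeps v in the
    subspace spanned by the first len(coeffs) basis vectors."""
    v = [0] * len(basis[0])
    for c, row in zip(coeffs, basis):
        v = [(x + c * y) % q for x, y in zip(v, row)]
    return v


def coordinates(v, bstar, psi, q):
    """Recover c with v = sum c_j b_j via c_j = <v, b*_j> / psi.
    In the exponent this is what e(g^v, g^{b*_j}) exposes: coordinate j can
    only be tested by someone holding b*_j, which the subspace assumption
    (Section 2.3) withholds."""
    inv_psi = pow(psi, -1, q)
    return [inner(v, bj, q) * inv_psi % q for bj in bstar]


if __name__ == "__main__":
    q, n = 1009, 4                       # constructed toy field size and dimension
    B, Bs, psi = gen_dual_bases(n, q, seed=7)
    print("dual orthonormal:", is_dual_orthonormal(B, Bs, psi, q))
    v = vector_in_span([5, 7], B, q)     # lies in span(b_1, b_2) only
    print("coordinates of v:", coordinates(v, Bs, psi, q))
```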

2.3. Subspace Intractability Assumption

Given a group generator and a positive integer , the subspace assumption is defined as follows [20]. For a given security level , generate the parameters of an instance at random:

Calculate the following collection of vectors:
where . Then calculate a vector such that

We assume that, for any probabilistic polynomial time (PPT) algorithm , the advantage in distinguishing vectors from vectors , where , is negligible in the security parameter or

3. Building Blocks

3.1. Target Collision Resistant Hash Functions

Given a security parameter , a -bit key , a group of prime order , and a family of keyed hash functions that is indexed by both the key and the security parameter, the family is target collision resistant (TCR) if, for any PPT adversary , her advantage in finding a collision is negligible in the security parameter or in other words (see also [26]):

TCR is a weaker requirement than the standard collision resistance of unkeyed hash functions. It is therefore a better match for the hashing used in practice.

3.2. Signatures

We recall the definition of digital signatures and their security models.

Definition 1. A signature scheme (SS) is a triplet (KeyGen, Sign, Verify) of PPT algorithms described as follows:
(i) KeyGen: for a required security level , the algorithm returns a pair of keys of appropriate length. The key is public (for verification), while the key is secret (for signing).
(ii) Sign: on input the secret key and a message , the algorithm returns a signature of the message .
(iii) Verify: on input the public key , the message , and a string , the algorithm outputs if is a valid signature of . Otherwise, it returns .

The adaptive chosen message attack (aCMA) model is stronger than the nonadaptive chosen message attack (naCMA) model, so we only consider the EUF-aCMA game.

3.3. Dual-Form Signatures

In 2012, Gerbush et al. [23] proposed the concept of dual-form signatures (DFSs), a useful framework for proving the security (existential unforgeability) of signatures from static assumptions. A dual-form signature is defined by the following algorithms [23]:
(i) KeyGen: generates a public key and a private key for a security parameter .
(ii) SignA: returns a signature for a message and a secret key .
(iii) SignB: outputs a signature for a message and a secret key .
(iv) Verify: outputs TRUE if the signature is valid for the message and the public key . Otherwise, it returns FALSE.

As one can see, dual-form signatures apply two variants of the signature algorithm, SignA and SignB. Both algorithms generate valid signatures. This means that they pass the verification algorithm Verify no matter which signature algorithm has been used. However, only one signing algorithm will be used in the real scheme. The other signature algorithm will be used in the security proof/game. To prove the security of dual-form signatures, Gerbush et al. [23] gave a general proof method that works as follows.

In a security game, forgeries can be categorised into two (disjoint) types: I and II. They correspond to the signatures obtained by SignA and SignB, respectively. The security proof involves a sequence of transformations of queries obtained from both signature variants SignA and SignB. In the proof, an adversary is asked to produce a valid signature that can be of a specific form. The following list details the required properties:
A-I matching: the adversary is given access only to the oracle SignA. She is expected to find it hard to produce Type II forgeries.
B-II matching: the adversary is given access only to the oracle SignB. She is expected to find it hard to produce Type I forgeries.
Dual-oracle invariance: the adversary is given access to both oracles SignA and SignB. She is expected to have the same probability of success in generating Type I and Type II forgeries.

A dual-form signature is secure if it satisfies the three properties listed above.

In [23], the authors argue as follows. By the A-I matching property, an adversary might have a noticeable probability of producing a Type I forgery but has only a negligible probability of producing any other kind of forgery, so it remains to show that the probability of a Type I forgery must also be negligible. By the dual-oracle invariance property, the probability of producing a Type I forgery changes only negligibly if the signing algorithm is gradually replaced by SignB, one signature at a time. Once all of the signatures the attacker receives are from SignB, the B-II matching property implies that the probability of producing a Type I forgery must be negligible in the security parameter.

If (Setup, SignA, SignB, Verify) is a secure dual-form signature, then (Setup, SignA, Verify) is existentially unforgeable under an adaptive chosen message attack [23]. This proof technique has great potential as a tool in the analysis of other cryptographic primitives that use digital signatures.

3.4. Threshold Signatures

A threshold signature consists of the following five algorithms: Setup, Share-sign, Share-verify, Combine, and Verify.
(i) Setup takes as input a security parameter , a requested threshold , and the total number of participants , where . It outputs a set of parameters , where is the system public parameter, is the public key, is the vector of private keys, and is the corresponding verification key vector. The private key is given to the th participant via a secure channel .
(ii) Share-sign is a randomised algorithm executed by . It takes the private key , a message , and a subset of participants of size who want to sign the message . It outputs a signature share .
(iii) Share-verify is a deterministic algorithm. It takes as input the identity of , its verification key , its signature share , and a message . It outputs valid or invalid depending on whether is considered a valid share.
(iv) Combine takes as input the public key , a message , and a subset of size with pairs such that and is a signature share. This algorithm outputs either a full signature or if the set contains invalid signature shares.
(v) Verify is a deterministic algorithm that takes as input a message , the public key , and a signature . This algorithm outputs valid or invalid depending on whether is a valid signature.

We assume that an adversary can corrupt up to participants (out of all participants). can learn all the information stored by the corrupted participants and can listen to all their communication. We consider two types of adversaries: static and adaptive. A static adversary corrupts participants at the beginning of the protocol. An adaptive adversary corrupts participants during protocol execution and chooses the best time so as to maximise her chances of compromising the security of noncorrupted participants. As the adaptive adversary captures real-life threats better, we consider threshold signatures that guarantee EUF-aCMA security under adaptive corruption attacks. The static corruption case is therefore not considered in this work.

Given an adaptive adversary and a threshold signature , to evaluate the security of the signature in this setting, we need to develop an appropriate security notion. Fortunately, we can use the notion formulated by Libert and Yung in their work [LY13].

Definition 2. A threshold signature scheme is existentially unforgeable under adaptively chosen message attacks and adaptive corruption attacks (EUF-aCMA-DCA) if no PPT adversary has a nonnegligible advantage in the following game between a challenger and an adversary .
(i) Initialisation: runs Setup. The challenger sends the public parameters to the adversary. In other words,
(ii) Queries: can adaptively invoke an arbitrary number of queries. Each query must be either a corruption query or a signing query. The types are defined below.
  (i) Corruption query: if wants to corrupt the th participant, then
  No more than private keys can be obtained by in the whole game.
  (ii) Partial signature query: if the adversary asks for a partial signature on an arbitrary message on behalf of a participant , then
  (iii) Signing query: asks for a signature on an arbitrary message and then
  We have that is a signature of .
Forgery: outputs a message and a signature . She wins if
  (i) was never submitted to the partial signature query or the signing query;
  (ii) did not obtain more than private key shares in the whole game;
  (iii) Verify = valid.

4. Construction

In this section, we present a threshold signature based on dual pairing vector spaces. The security of the proposed scheme is proven under the subspace assumption. The algorithms of the signature are as follows.
Setup: Given the parameters , , and , the following steps are executed:
(i) Compute group parameters by running the algorithm :
Select a hash function , where is a target collision-resistant hash function.
(ii) Set and sample a pair of random dual orthonormal bases.
Let denote the elements of and let denote the elements of , where and , for .
(iii) Choose random values and a random polynomial of degree (where is the threshold value and for , and ) and compute the partial decryption keys
and verification key
for , where .
(iv) Publish the public parameters , public key , and verification key on the bulletin board. The partial private key is privately given to , for .
Share-Sign: Denote the currently active set of participants by . selects at random and computes its partial signature (or signature share) using according to
where , and then sends to the combiner.
Share-Verify: Given ’s verification key and the partial signature of the message , the combiner verifies by checking if
If the above equality holds, is valid. Otherwise, the combiner declares that is corrupted.
Combine: Given the set , the public key , the message , and valid shares , the combiner computes the signature as
Verify: For a signature of a message with respect to a public key , the algorithm outputs valid (or 1) if the following equation holds:
Otherwise, it returns invalid (or 0).
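As an added worked example (not the paper's code), the following Python carries out the Shamir sharing of Setup step (iii) and the Lagrange-coefficient combination of Combine over a constructed toy prime-order group, and shows why any t shares suffice while t−1 shares or a corrupted share yield a wrong signature. Assumptions: the key is shared with a random polynomial f of degree t−1 and shares are combined as the product of partial values raised to the Lagrange coefficients; the DPVS signature shares and the pairing-based Share-Verify/Verify are not reproduced, and the share-signing step is a simplified stand-in labelled as such in the code.

```python
import random

# Constructed toy group: p = 2q + 1 with p and q prime; g = 2^2 generates the order-q subgroup.
P, Q, G = 1019, 509, 4


def eval_poly(coeffs, x):
    """Horner evaluation of f(x) = sum_k coeffs[k] * x^k over Z_q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def make_polynomial(secret, t, seed):
    """Setup step (iii): a random polynomial of degree t-1 with f(0) = secret."""
    rng = random.Random(seed)
    return [secret % Q] + [rng.randrange(Q) for _ in range(t - 1)]


def share_key(coeffs, n):
    """Participant i receives the share f(i). The verification key g^{f(i)} is an
    assumption standing in for the paper's DPVS verification key."""
    shares = {i: eval_poly(coeffs, i) for i in range(1, n + 1)}
    vks = {i: pow(G, s, P) for i, s in shares.items()}
    return shares, vks


def lagrange_at_zero(S, i):
    """lambda_i = prod_{j in S, j != i} j / (j - i) mod q, so that
    sum_{i in S} lambda_i f(i) = f(0) whenever |S| >= deg f + 1."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * j % Q
            den = den * (j - i) % Q
    return num * pow(den, -1, Q) % Q


def message_element(m_hash):
    """Constructed stand-in for a TCR-hashed message mapped into the group."""
    return pow(G, m_hash % Q, P)


def share_sign(share_i, h):
    """Simplified stand-in for Share-Sign: raise the message element to the share.
    The paper's share lives in a DPVS and carries extra randomness (not reproduced)."""
    return pow(h, share_i, P)


def combine(parts, S):
    """Combine: prod_{i in S} part_i^{lambda_i} = h^{sum_i lambda_i f(i)} = h^{f(0)}."""
    out = 1
    for i in S:
        out = out * pow(parts[i], lagrange_at_zero(S, i), P) % P
    return out


def demo(coeffs=(123, 45, 67), n=5, m_hash=777):
    """t = len(coeffs) = 3 out of n = 5; returns the values a verifier would compare."""
    shares, vks = share_key(list(coeffs), n)
    h = message_element(m_hash)
    parts = {i: share_sign(s, h) for i, s in shares.items()}
    bad = dict(parts)
    bad[3] = bad[3] * G % P                    # constructed corrupted share from participant 3
    return {
        "expected": pow(h, coeffs[0] % Q, P),  # h^{f(0)}: what a full signature must equal
        "full": combine(parts, [1, 3, 5]),     # any t valid shares reproduce it
        "other": combine(parts, [2, 4, 5]),    # a different t-subset, same result
        "short": combine(parts, [1, 2]),       # only t-1 shares: wrong value
        "corrupted": combine(bad, [1, 3, 5]),  # Combine must drop invalid shares first
        "pk": combine(vks, [1, 2, 3]),         # same algebra on g^{f(i)} yields g^{f(0)}
        "pk_expected": pow(G, coeffs[0] % Q, P),
    }


if __name__ == "__main__":
    r = demo()
    print("t shares reproduce h^f(0):", r["full"] == r["expected"])
    print("t-1 shares reproduce h^f(0):", r["short"] == r["expected"])
    print("corrupted share changes the result:", r["corrupted"] != r["expected"])
    print("random polynomial shares:", share_key(make_polynomial(42, 3, seed=1), 5)[0])
```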

4.1. Correctness

We are going to show that the two verification algorithms Share-Verify and Verify always accept the well-formed shares and the final signatures. The Share-Verify algorithm accepts the input if equation (17) holds. We start from the left-hand side of the equation and run through a sequence of transformations, so we arrive at the right-hand side of equation (17).

The Verify algorithm uses equation (19) to check if the signatures are valid. In a similar vein, we start from the left-hand side of equation (19) and show how to arrive at the right-hand side of the equation.where , , and let , so we have that

5. Security

Theorem 1. Given our threshold signature  = Setup, Share-sign, Share-Verify, Combine, and Verify, assume that the subspace intractability assumption holds; then the signature scheme is EUF-aCMA-DCA secure (or can withstand existential forgeries under adaptive chosen message and adaptive corruption attacks).

We prove the theorem using a hybrid argument over a sequence of games similar to [23]. Like [23], our proof makes use of normal signatures and semifunctional signatures.
Type I signatures are normal signatures of :
where .
Type II signatures are semifunctional signatures of :
where .

We apply the dual-form signature technique to prove the security of our threshold signatures. We start from the real security game, denoted by , followed by the sequence , …, and .
(i) Game0 is identical to the EUF-aCMA-DCA game: the adversary produces a Type I signature as a forgery, and the advantage of the adversary is defined accordingly. Game0 is played between a challenger and an adversary as follows.
Initialisation: runs Setup to get (PP, PK, SK, VK), where
Queries: adaptively makes a number of queries. Each query can be either a corruption one or a signing one. cannot make more than t−1 corruption queries. also gets valid signatures for messages of her choice.
Forgery: outputs for a message that has not been queried. wins the game if Verify.
(ii) GameJ is like , except that the challenger answers the first signing queries by returning Type II signatures, and the last signing queries are answered with Type I signatures. The process is as follows.
Initialisation: runs Setup to get , where
Queries: adaptively makes a number of queries. Each query can be either a corruption one or a signing one. cannot make more than t−1 corruption queries. gets Type II signatures for the first signing queries and Type I signatures for the last qJ signing queries, for messages of her choice.
Forgery: outputs for a message that has not been queried. wins the game if Verify, and the probability is the same for Type I and Type II forgeries.
(iii) Gamefinal is identical to , except that the challenger answers corruption queries by returning private key shares that contain random , answers signing queries by returning Type II signatures, and needs to output a forgery of the same type. The process is as follows.
Initialisation: runs Setup to get (PP, PK, SK, VK), where
Queries: adaptively makes a number of queries. Each query can be either a corruption one or a signing one. She cannot make more than corruption queries. gets the secret key (where ) when she corrupts the participant . gets Type II signatures for signing queries on messages of her choice.
Forgery: outputs for a message that has not been queried. wins the game if Verify and the forgery is of Type I.

We will prove that Theorem 1 is true through a sequence of claims.

5.1. Claim 1

In , adversary has a negligible chance of outputting a Type II signature if the subspace assumption with and holds.

Proof. We construct an algorithm that, on the input of an instance , decides or .
Initialisation: To compute the system public parameters and the participant’s private key, first selects a random invertible matrix and a TCR hash function . The public parameter is .
defines the dual orthonormal bases and by setting , where and ( denotes the transpose of ). Hence , for , and , . By Lemma 1 in [20], and are a pair of properly distributed dual orthonormal bases and reveal no information about .
picks random values and a random polynomial of degree and implicitly sets , and . computes the public key as follows:
Since , we have that , and can be obtained in the same way. selects (for ) and computes ’s partial decryption key:
Finally, sends , and to adversary .
Query. Since knows all , it can perfectly answer corruption queries and signing queries.
Forgery: produces a forgery signature , where . First, must check that Verify = 1; if not, then will abort. In addition, must verify that it has not received a Type I forgery signature. Notice that needs the output of to be a Type II forgery signature in order to defeat the subspace assumption with and . To do this, can check whether or not. If so, the forgery signature is a Type I signature, and then will abort. Otherwise, uses the forgery signature to determine which subspace is in. Since knows the value , it can simply check whether or not. If so, . Otherwise, .

5.2. Claim 2

The adversary outputs a Type I forgery with negligibly different probabilities in and if the subspace assumption with and holds.

Proof. begins by taking an instance . ’s task is to decide or , . Recall that must obtain Type II signatures from the first signing queries and Type I signatures at the last queries. The query will be a Type I signature or Type II signature depending on which subspace of is in.
Initialisation: To compute the public key, the participants’ partial decryption keys, and the verification key, first picks a random invertible matrix and a TCR hash function . The public parameter is ; defines the dual orthonormal bases and . implicitly sets , , , and . So can generate , , , and and also can generate , , , and . picks a random value and a random polynomial of degree and sets . computes
as well as ’s partial decryption key
for . Finally, sends to adversary .
Query: can perfectly answer private key queries (since it knows ) and answers signing queries depending on the value of .
Case : to generate a signature share on a message on behalf of , chooses and computes a Type II signature share .
Case : in this case, chooses and computes a Type I signature share .
Case : in this case, generates a signature share . It is easy to see that in this situation will be a Type II signature when , or a Type I signature when .
Forgery: sends a forgery signature to . First, must check that Verify = 1; if not, then will abort. In addition, must identify which type of forgery signature it is. To do this, will check whether or not. If so, the forgery signature is a Type I signature. Otherwise, it is a Type II signature. At this stage, returns 0 (meaning that it believes that ) if is a Type I signature. If is a Type II signature, returns 1 and bets that .

5.3. Claim 3

In , adversary cannot output a Type I forgery signature as long as the subspace assumption holds with and .

Proof. begins by taking an instance . ’s task is to decide or .
Initialisation: picks a TCR hash function . The public parameter is . implicitly defines the dual orthonormal bases and as
We note that are properly distributed dual orthonormal bases, and can generate and but cannot generate . picks random values and a random polynomial of degree and sets . computes
picks random values and sets . computes ’s partial decryption key:
where and , for .
Finally, sends to adversary .
Query. Since knows all , it can perfectly answer corruption queries and signing queries.
Forgery: produces a forgery signature . First, must check that Verify = “true”; if not, then will abort. In addition, must verify that it has not received a Type II forgery signature. To do this, can check whether or not. If not, the forgery signature is a Type II signature, and will abort. Notice that needs the output of to be a Type I forgery signature in order to defeat the subspace assumption with and . Finally, uses the forgery signature to determine which subspace is in. can simply check whether or not. If so, . Otherwise, .
It follows that ’s advantage is negligible if the subspace assumption with and holds.
According to Claims 1, 2, and 3, the signature scheme is EUF-aCMA-DCA secure.

6. Comparison

Now let us compare our scheme to other related schemes. As a reference for the efficiency discussion, we have chosen the Libert-Yung (LY) signature scheme [10] and the second signature scheme in [15]. Let us denote the computational cost of a single bilinear pairing by and the cost of a single modular exponentiation by . Recall that a single bilinear pairing over a composite-order group costs about 50 times as much as a single bilinear pairing over a prime-order group [12]. In general, in terms of computational overhead, a single bilinear pairing is equivalent to four modular exponentiations (or ). The first column in Table 1 gives the name of the signature scheme (LY13, LJY16, and ours). The other columns detail the computational costs needed to set up the signature scheme (Setup), generate signature shares (Share-Sign), verify shares (Share-Verify), combine shares into a signature (Combine), and verify a signature (Verify).

The scheme in [15] mainly uses the Groth-Sahai [17] proof system technique, whereas our scheme mainly uses the dual pairing vector spaces (DPVS) technique. The main difference between these two techniques is that the DPVS technique can effectively reduce computational complexity at the cost of a slight increase in storage space.

7. Conclusion

In this paper, we have proposed an efficient threshold signature scheme. Under the subspace assumption, we have proven that our scheme is secure against existential forgeries under adaptive chosen message attacks and adaptive corruption attacks in the standard model. Our scheme is more efficient than the LY13 and LJY16 threshold signature schemes.

Data Availability

The data supporting the findings of this study are available within the article.

Conflicts of Interest

The author declares that there are no conflicts of interest.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (61972103) and Project of Enhancing School with Innovation of Guangdong Ocean University (2019-233).