具訊息還原功能的門檻數位簽章機制

Abstract

門檻數位簽章(threshold signature)技術在資訊時代扮演很重要的角色，因為在某些應用環境中，我們可能需要對真正參與簽章的人的身份加以保密或者允許參與者達到一個法定人數以上時就可以代表群體作出簽章。然而目前的門檻數位簽章機制都是將數位簽章連同簽署的訊息一併送給驗證者，這種機制有訊息膨脹率大且訊息無法隱藏等弱點。而具有訊息還原功能的簽章(signature with message recovery)技術可以將訊息內容藏於簽章內而不增加簽章大小，需要驗證時再由簽章中將訊息還原，這樣的數位簽章不但可以節省傳送頻寬，還可以整合到一些加密機制(encryption scheme)或換鑰協定(key agreement protocol)中。在現有的一些群體導向的數位簽章機制中，有些是屬於門檻簽章機制但是缺乏訊息還原的功能，有些則是屬於多重簽章(multisignature)機制，無法提供對參與簽章者身份的保密以及使用上的彈性。此外，他們還有一些其他弱點，比如簽章的訊息膨脹率(message expansion rate)較高或是花費的運算代價較高等。 在本論文中，我們分別提出一個多重簽章機制與一個門檻簽章機制。兩個機制都可以將訊息藏於簽章之中，並且與其他類似的多重簽章機制或門檻簽章機制具有相同的安全度。此外，我們所提出的機制擁有較小的訊息膨脹率並花費較低的運算代價。

Threshold signature schemes play an important role in our modern electronic society. For some applications, the identities of really participators need to be kept secret. Moreover, in other situations, it is convenient to allow a group-oriented signature can be generated from a quorum of the group. However, in general threshold signature schemes, the digital signature is appended to the signed message when transmission. These schemes have some weakness: large message expansion rate, no protection for message contents…etc. The signature scheme with message recovery allows original message to be hidden into digital signature without increasing the size of signature. The signed message can be recovered from signature when verifying. Signature scheme with message recovery can reduce transmission bandwidth and directly integrate the scheme into other encryption schemes or key agreement protocol. The previous group-oriented digital signature schemes are either threshold signature schemes without message recovery capability or multisignature schemes which cannot provide participator anonymity and application flexibility. Furthermore, they have some weakness such as higher message expansion rate and computation cost…etc. In this thesis, we propose a multisignature scheme and a threshold signature scheme. Both of our schemes provide message recovery capability and have the same security level of other similar schemes. Moreover, our schemes have lower message expansion rate and take less computation cost.