新的不使用冗余和Hash的安全认证加密方案

最近提出的一类新的认证加密方案首次将消息可恢复签名和对称加密有机结合,而且不需要使用Hash函数或Redundancy函数。但分析发现该方案不具有数字签名所要求的基本条件,不能抵抗消息接收者的伪造攻击。为此提出了一种新的认证加密方案,该方案的安全性以求解离散对数难题和双重模难题为基础,而且可以在发生纠纷时将认证加密的签名转化为普通的签名,任何人都可以验证签名的有效性。     

无Hash或冗余函数数字签密方案的分析与改进

对不使用Hash或冗余函数的数字签密方案进行分析,指出柏骏方案和于永方案均可被消息接收者伪造签名攻击,给出两种攻击方案,指出李方伟方案无前向安全和公开验证消息机密性。提出一个新的无Hash或冗余函数的数字签密方案,方案具有前向安全性和公开验证消息机密性,并进行了正确性和安全性分析。接收者无法进行伪造签名攻击,与已有方案比较,降低了算法复杂度。     

不使用Hash和Redundancy函数的有序多重数字签名方案

现有的有序多重数字签名方案都使用了Hash函数和消息冗余函数,这必将承受由Hash函数和消息冗余函数带来的安全威胁。首先指出了施方案（文献[1]）中存在的安全性问题,随后利用椭圆曲线密码算法设计了一个新的有序多重数字签名方案,该方案不使用Hash函数和消息冗余函数,减少了这方面所带来的安全威胁;取消了施方案里的签名中心,避免了该签名中心的参与导致计算瓶颈的产生;所有消息均公开,签名者可以共同通过验证来发现伪签名和成员内部的欺诈行为。该文方案能够克服施方案的安全问题,并且计算量小,结构简单,具有一定的实用价值。     

代理可转换认证加密方案

结合代理签名和可转换认证加密两种方案,提出了代理可转换认证加密方案和(t,n)门限代理方案。方案能够使一个代理人代理被代理人认证加密一个消息给某个特定的接收者。     

两个具有语义安全的可转换认证加密方案

提出了两个具有语义安全的可转换认证加密方案,方案具有以下性质:能够提供消息的语义安全——任何攻击者,即使获得了一个认证加密签名,也无法确定他所猜测的消息是否为真正的消息;收到签名后,接收者只用自己的私钥和签名者的公钥来恢复、验证消息;如果签名者后来否定签名,接收者可以通过恢复的消息和其它一些相关参数向任何第三方证明签名者的欺骗。     

辫群上的可转换认证加密方案

量子计算的快速发展给目前的公钥密码体制带来严重威胁,非交换的辫群为构造安全密码协议提供了新平台。基于辫群上共轭搜索问题和多重共轭搜索问题的难解性,提出一个可转换认证加密方案,只有指定的接收者才能恢复认证的原始消息;当发送者否认签名时,接收者不需要发送方的参与即可将收到的签名转换为一般签名,并向第三方证明发送者的不诚实。与基于交换代数的方案相比,该方案在抗量子攻击上更有优势。     

一种基于ElGamal签名体制的代理盲签名

在密码学中,使用Hash函数必然使签名方案因Hash函数的不安全性而遭受相关攻击,从而导致签名方案的安全性降低.提出一种新的基于ElGamal签名体制的代理盲签名方案.该方案不需要使用Hash函数,避免了使用Hash函数带来的威胁;而且新方案实现了电子交易中的不可伪造性和不可链接性,有效地防止了双方事后抵赖,且计算量较低.     

公开验证认证加密方案中的第三方验证

通过对两个认证加密方案中第三方验证的分析和改进，说明了在设计一个公开验证认证加密方案中的第三方验证时，为了防止来自接收者的攻击，加入接收者的身份信息和将消息与签名验证关联都是十分必要的。     

分工式门限认证加密方案

(t,n)门限认证加密方案允许t个以上签名方产生指定接收方的认证加密签名,使得只有指定的接收方能够恢复消息和验证消息的完整性,而其他人却无法做到这一点.最近,在Tseng和Jan的认证加密方案的基础上,Chung等构造了一个(t,n)门限认证加密方案.该方案运用了分工式签名技术,有效地减轻了签名方的负担.然而,该文作者对该方案的安全性仅进行了解释性说明.目前,文献中没有对分工式门限认证加密的形式化刻画,没有出现可证安全分工式门限认证加密方案.事实上,Chung等的分工式门限认证加密方案存在设计上的缺陷.文中给出了分工式门限认证加密方案的形式化模型和安全模型,基于双线性映射构造了一个新的分工式门限认证加密方案.在随机预言机模型下,证明了该方案对于适应性选择密文攻击是语义安全的,该方案对于适应性选择消息攻击是存在性不可伪造的.方案的安全性可规约到计算性Diffie-Hellman(CDH)困难假设和决定性双线性Diffie-Hellman困难假设(DBDH).     

无单向Hash函数的数字多签名方案

Shieh等人提出了一种适用于移动代码的并列多签名和顺序多签名方案,但是,Hwang、Chang分别对所依据的基本签名方案提出了伪造攻击.对Shieh的并列多签名方案提出一种伪造攻击,接着提出新的没有使用单向Hash函数和消息冗余模式的基本签名方案,并提出了新的顺序多签名和并列多签名方案.该方案既具有Shieh方案的优点又克服了其不足,还可抵抗已知的伪造攻击.     

Secure public-key encryption scheme without random oracles

Since the first practical and secure public-key encryption scheme without random oracles proposed by Cramer and Shoup in 1998, Cramer–Shoup’s scheme and its variants remained the only practical and secure public-key encryption scheme without random oracles until 2004. In 2004, Canetti et al. proposed a generic transformation from a selective identity-based encryption scheme to a public-key encryption by adding a one-time strongly signature scheme. Since then, some transformation techniques from a selective identity-based encryption scheme to a public-key encryption have been proposed to enhance the computational efficiency, for example, Boneh–Katz’s construction and Boyen–Mei–Waters’ scheme. These transformations have either traded-off the publicly verifiable properties or tightness of security reduction. In 2007, Zhang proposed another generic transformation by adding Chameleon hash functions. In this paper, we introduce another technique from the Boneh–Boyen’s selective identity-based encryption scheme to a public-key encryption which is publicly verifiable and is slightly more efficient than Zhang’s transformation. The proposed public-key encryption scheme is based on the decisional bilinear Diffie–Hellman assumption and the target collision resistant hash functions.     

Convertible multi-authenticated encryption scheme with one-way hash function

To send the message to the recipient securely, authenticated encryption schemes were proposed. In 2008, Wu et al. [T.S. Wu, C.L. Hsu, K.Y. Tsai, H.Y. Lin, T.C. Wu, Convertible multi-authenticated encryption scheme, Information Sciences 178 (1) 256–263.] first proposed a convertible multi-authenticated encryption scheme based on discrete logarithms. However, the author finds that the computational complexity of this scheme is rather high and the message redundancy is used. To improve the computational efficiency and remove the message redundancy, the author proposes a new convertible multi-authenticated encryption scheme based on the intractability of one-way hash functions and discrete logarithms. As for efficiency, the computation cost of the proposed scheme is smaller than Wu et al.’s scheme.     

Improvements of authenticated encryption schemes with message linkages for message flows

Recently, Tseng et al. proposed two authenticated encryption schemes (basic scheme and generalized scheme) with message linkages, which are efficient in terms of the communication and computation costs in comparison with all the previously proposed schemes. The basic authenticated encryption scheme suited for only after receiving the entire signature blocks, the recipient can then recover the message blocks. In order to allow the receiver to perform the receiving and the recovering processes simultaneously according to application requirements and the transmission efficiency of the network, the generalized authenticated encryption scheme was then proposed. In this paper, we show that both Tseng et al.’s authenticated encryption schemes do not achieve integrity and authentication. Improvements are then proposed to repair the weaknesses.     

Comment on Lee et al.’s group signature and e-auction scheme

Recently, Lee et al. used their new group signature with the function of authenticated encryption to design a sealed-bid auction scheme, and they claimed that their schemes are secure. In this paper, we show that if the group manager has a valid group signature of a member, without the member’s secret key, he can forge a group signature on arbitrary message on behalf of the member; then, if the registration manager (RM) and the auction manager (AM) conspired (with each other) in their auction scheme, they can forge a new bid on any goods on behalf of the bidder who has sent his/her bid to AM. Therefore, their group signature and auction scheme are insecure. Finally, we improve Lee et al.’s group signature scheme to overcome the modification attack and achieve the security requirements.     

基于身份的环认证加密方案的改进*

环认证加密方案是加密方案与环签名方案的融合,具有这两种方案的优点。但通过研究发现,有的环认证加密方案不具有环签名的无条件匿名性的性质。为此提出了一个改进方案,并分析了其性质。     

面向分布式查询认证的分层Hash链表

针对认证跳表、签名链等方案所存在的不足,对分布式查询认证展开研究.提出分布式查询认证的定义,给出其应满足的认证性的形式化描述.以认证跳表为基础,在考虑完备性和边界隐私保护的前提下,设计一种新的认证数据结构——分层Hash链表(hierarchical Hash list,HHL),给出了HHL的定义以及构建、认证和更新算法.通过对HHL中冗余Hash节点的分析,提出了效率更高的改进分层Hash链表(N-HHL),利用统计学方法和分层数据处理对HHL的代价进行分析,得出其拥有O(log n)代价.通过模拟敌手多种破坏数据认证性的手段,对HHL的安全性进行分析,结果表明HHL能够检测出多种破坏查询结果认证性的行为,从而证明其安全性.将HHL与已有的典型分布式查询认证方案——签名链方案——进行比较,实验数据表明HHL在认证代价方面优于签名链方案.     

Convertible multi-authenticated encryption scheme

A convertible authenticated encryption (CAE) scheme allows the signer to generate a valid authenticated ciphertext on his chosen message such that only the designated recipient can retrieve the message. Further, the recipient has the ability to convert the authenticated ciphertext into ordinary signature in case of a dispute or repudiation. The previous proposed CAE schemes can only allow one signer to produce the authenticated ciphertext. It might be inadequate for multiparty environments. In this paper, we elaborate on the merits of CAE and multi-signature schemes to propose a convertible multi-authenticated encryption scheme which has the following advantages: (i) The size of the generated authenticated ciphertext is independent of the number of total participating signers. (ii) Except for the designated recipient, no one can obtain the signed message and verify its corresponding signature. (iii) The signature is cooperatively produced by a group of signers instead of a single signer. (iv) In case of a later dispute on repudiation, the recipient has the ability to convert the authenticated ciphertext into an ordinary one for convincing anyone of the signers’ dishonesty.     

Authenticated encryption schemes with message linkages for message flows

Two efficient authenticated encryption schemes with message linkages are proposed. One is a basic scheme, that it has the better performance in comparison with the all previously proposed schemes in terms of the communication and the computation costs. However, it has a property as same as the previously proposed schemes, that the message blocks can be recovered only after the entire signature blocks have been received. Therefore, the basic scheme is applicable to encrypt all-or-nothing flow. Thus, we improve the basic scheme and also propose a generalized scheme, which allows the receiver to recover the partial message blocks before receiving the entire signature blocks. That is, the receiver may perform the receiving and the recovering processes simultaneously. Therefore, the generalized scheme is applicable to message flows. The generalized scheme requires smaller bandwidth and computational time as compared to the previously proposed authenticated encryption schemes with message linkages for message flows.