基于SM9的匿名广播加密方案

广播加密允许数据拥有者通过不安全的公开信道将数据安全地发送给一组指定的用户, 只有组内用户（授权用户）利用自身私钥才能正确解密密文, 恢复出明文数据, 不在组内的用户（非授权用户）即使合谋也无法获取数据内容。标识加密是一种非对称加密体制, 可利用能够唯一标识用户身份的任意字符串作为用户的公钥, 消除了传统公钥体制中用于绑定用户公钥的证书。匿名标识广播加密不仅能充分继承标识加密的优点实现多用户数据的安全共享, 而且能有效保护接收者的身份信息。本文以国产商用标识密码算法SM9为基础, 采用多项式技术构造了首个基于SM9的匿名广播加密方案。方案具有与SM9加密算法相同的私钥生成算法, 用户私钥由一个群元素组成。方案的密文由(n+3)个元素组成, 与接收者数量(n)线性相关, 解密仅包含一次双线性对计算。基于q类型的GDDHE困难假设, 在随机谕言器模型中证明方案在静态选择明文攻击下具有不可区分的安全性且满足接收者匿名性。比较分析表明本文方案的计算开销和通信代价与现有高效匿名标识广播加密方案是可比的。最后, 对方案进行编程实验, 在相同安全级别下, 本文方案对比其他方案具有较优的密文长度, 实验结果表明本文方案是可行的。     

Fully CCA2 secure identity based broadcast encryption without random oracles

In broadcast encryption schemes, a broadcaster encrypts messages and transmits them to some subset S of users who are listening to a broadcast channel. Any user in S can use his private key to decrypt the broadcast. An identity based cryptosystem is a public key cryptosystem where the public key can be represented as an arbitrary string. In this paper, we propose the first identity based broadcast encryption (IBBE) scheme that is IND-ID-CCA2 secure without random oracles. The public key and ciphertext are constant size, and the private key size is linear in the total number of receivers. To the best of our knowledge, it is the first IBBE scheme that is fully CCA2 secure without random oracles. Moreover, our IBBE scheme is collusion resistant for arbitrarily large collusion of users.     

Cryptanalysis of an identity based broadcast encryption scheme without random oracles

Identity based broadcast encryption allows a centralized transmitter to send encrypted messages to a set of identities S, so that only the users with identity in S can decrypt these ciphertexts using their respective private key. Recently [Information Processing Letters 109 (2009)], an identity-based broadcast encryption scheme was proposed (Ren and Gu, 2009) [1], and it was claimed to be fully chosen-ciphertext secure without random oracles. However, by giving a concrete attack, we indicate that this scheme is even not chosen-plaintext secure.     

An Identity-Based Encryption with Equality Test scheme for healthcare social apps

It is tricky to determine whether two ciphertexts contain the same message when the messages are encrypted with different public keys. public key encryption with equality test (PKEET) addresses this problem without decryption. By integrating PKEET with identity-based encryption, identity-based encryption with equality test (IBEET) simplifies the certificate management in PKEET. In this paper, we first propose an IBEET scheme that can resist offline message recovery attacks (OMRA) and requires neither the dual-tester setting nor the group mechanism. With the help of some mathematical assumptions, we demonstrate the security of our scheme. Experiment results reveal that our scheme is efficient. From the perspective of usability, we explain why our scheme is more appropriate to be applied in healthcare social Apps than other OMRA-resistant schemes.     

Fully CCA2 secure identity-based broadcast encryption with black-box accountable authority

The concept of accountable authority identity-based encryption was introduced as a convenient tool to reduce the amount of trust in authorities in identity-based encryption. In this model, if the Private Key Generator (PKG) maliciously re-distributes users’ decryption keys, it runs the risk of being caught and prosecuted. Libert and Vergnaud proposed an accountable authority identity-based broadcast encryption, which allows white-box tracing or weak black-box tracing. Their scheme was proved only secure in selective-ID model. We present a weak black-box accountable authority identity-based broadcast encryption scheme, which is proven as fully CCA2 secure against adaptive adversary with tight reduction. Our scheme achieves O(m) public keys size, O(m) private keys size, and O(1) ciphertext length, where m is the maximum number of receivers allowed in each broadcast.     

一种基于商密SM9的高效标识广播加密方案

广播加密允许发送者为一组指定的用户同时加密数据,并通过公开信道传输密文.只有加密时指定的授权用户才能正确解密,非授权用户即使合谋也无法获得明文数据.得益于这些优点,广播加密被广泛用在云计算、物联网等应用中,实现多用户数据共享和秘密分享.SM9标识加密算法是我国自主设计的商用密码,用于数据加密,保护数据隐私,但只适用于单...     

智慧城市中隐私保护性广播加密算法

现代化城市公共部门和市民社交网络会产生大量的数据,这些海量数据的使用和处理主要依赖现代化信息通信技术和网络技术。为了保护用户隐私和数据安全,在数据传输过程中采用加密算法对数据进行加密,广播加密是多用户环境下最有效的方法。传统算法中,基于身份的广播加密密文可以广播到一组接收方,接收方的身份包含在密文中,当多个接收方解密密文时会泄露其他用户的身份信息。为了保护接收方用户之间的身份隐私,提出一种基于身份的隐私保护性广播加密算法,实现了接收方用户之间的匿名性。此外,考虑了如何从匿名广播的密文中撤销指定目标的接收者,根据数据访问控制策略决定用户的数据访问权限,为用户提供密文撤销操作,撤销过程不泄露明文和接收者的身份信息。在随机预言模型下,基于BDH困难性问题证明了该算法的安全性,并通过实际数据集的仿真实验验证了算法的有效性和可行性。     

New constructions of OSBE schemes and their applications in oblivious access control

Oblivious signature-based envelope (OSBE) schemes have demonstrated their potential applications in the protection of users privacy and rights. In an OSBE protocol, an encrypted message can only be decrypted by the receiver who holds a valid signature on a public message, while the sender (encrypter) does not know whether the receiver has the signature or not. Our major contributions in this work lie in the following aspects. We improve the notion of OSBE so that a valid credential holder cannot share his/her credential with other users (i.e., all-or-nothing non-transferability). We clarify the relationship between one-round OSBE and identity-based encryption (IBE) and show that one-round OSBE and semantically secure IBE against the adaptively chosen identity attack (IND-ID-CPA) are equivalent, if the signature in the OSBE scheme is existentially unforgeable against adaptively chosen message attacks. We propose an oblivious access control scheme to protect user privacy without the aid of any zero-knowledge proof. Finally, we also highlight some other novel applications of OSBE, such as attributed-based encryption.     

广播加密方案的一个注记

广播加密方案是一种应用广泛的群组通信方案,在视频音频网络直播、视频会议和证券实时行情发布等场合具有良好的应用前景。该支分析了4种广播加密方案,在分析的基础上提出了一个改进的广播加密框架和改进后的方案。新方案具备用户扩展能力,并且在消息长度上和同等用户规模的现有方案相仿。     

Efficient bidirectional proxy re-encryption with direct chosen-ciphertext security

Proxy re-encryption (PRE) allows a semi-trusted proxy to convert a ciphertext originally intended for a user into another ciphertext of the same message intended for another user, and the proxy, however, cannot learn anything about the message encrypted. In previous papers, in order to achieve the CCA2-security, a common method for constructing PRE schemes was to apply the paradigm of using strongly-unforgeable one-time signature which transforms a selective-identity, CPA-secure identity-based encryption (IBE) scheme into a CCA-secure cryptosystem. In this paper, we propose a direct design of the bidirectional CCA-secure PRE scheme, which makes a direct use of the underlying IBE structure and does not need any auxiliary signature mechanism. Our construction is efficient and suitable for further designing multi-user PRE schemes. Its security is proved on the base of the decisional bilinear Diffie-Hellman assumption in the standard model.     

一个安全公钥广播加密方案

消息的发送者使用广播加密算法通过广播信道将消息发送给用户.公钥加密算法和追踪算法结合在一起,可构成一个公钥广播加密方案.提出了一个完全式公钥广播加密方案.在以往公钥广播加密方案中,消息发送中心替每个用户选择解密私钥,分配解密私钥.而在完全式公钥广播加密方案中,用户的解密私钥是由用户自己所选择的.用户可以随时加入或退出广播系统.当消息发送者发现非法用户时,不要求合法用户作任何改变,就能够很方便地取消这些非法用户.此外,证明了方案中加密算法在DDH假设和适应性选择密文攻击下是安全的.     

群组内基于区块链的匿名可搜索加密方案

公钥可搜索加密技术不仅可以保护云存储中用户的数据隐私,还可以提供数据在不解密的条件下进行密态数据搜索的功能。针对群组内用户进行密文安全搜索的需求,本文以群组为单位使用基于身份的广播加密进行数据的加密与密钥封装,以基于身份的可搜索加密构造关键词密文及关键词陷门,提出了一种群组内的公钥可搜索加密方案,保证了只有群组内的授权用户才可以进行安全搜索并解密数据。此外,为保护用户的身份隐私,通过构造匿名身份,避免了因云服务器好奇行为而造成的用户身份泄露问题。同时,在按需付费的云环境中,为了防止云服务器向用户返回部分或不正确的搜索结果,文章结合区块链技术,使用区块链作为可信第三方,利用智能合约的可信性,在用户验证搜索结果正确后向云服务器支付搜索费用,解决了用户与云服务器之间的公平支付问题。并加入了违规名单机制,防止恶意用户对系统可用性造成影响。在安全性方面,通过基于判定性双线性Diffie-Hellman问题与判定性Diffie-Hellman问题进行安全性分析,证明了在随机谕言机模型与标准模型下方案满足关键词密文与关键词陷门的不可区分性。最后,通过功能对比表明本方案有较强的实用性,利用Charm-crypto密码库对方案进行效率对比,其结果表明本方案与其他相关方案相比具有较低的计算以及通信开销。     

标准模型下高效的基于身份匿名广播加密方案

针对现实中广播加密的安全问题,提出一种标准模型下高效的基于身份匿名广播加密方案。匿名广播加密中广播者加密数据通过广播信道发送给用户,其中只有授权用户能够解密获得数据,同时任何人不能分辨出加密数据是发送给哪个用户的,从而保护了接收者用户的隐私。所提方案利用双系统加密技术,基于合数阶双线性群提出。同时,该方案基于静态假设,在标准模型中证明方案是选择明文安全的,密文和密钥取得了固定长度。和对比方案相比,所提方案密钥长度仅需2个群元素,同时方案满足匿名性。     

格上基于RLWE难题的身份基代理重加密方案

针对目前基于格的身份基代理重加密方案存在的加/解密效率低和密文、密钥尺寸过长的问题,采用原像抽样和对偶加密技术,重新构造了一个基于格的身份基代理重加密方案。该方案采用原像抽样技术提取用户私钥,用对偶加密算法对消息进行加密,利用代理重加密密钥进行重加密,并用用户的私钥进行解密。安全分析表明,在标准模型下,基于ring learning with errors困难假设,该方案满足IND-aID-CPA安全。效率分析表明,该方案可以有效缩短密文和密钥尺寸,提高加/解密效率。     

指定服务器的基于身份加密连接关键字搜索方案

公钥加密关键字搜索(PEKS)允许用户发送关键字陷门给服务器,服务器可以通过陷门定位到包含用户搜索的关键字的密文。为了消除已有基于身份加密的关键字搜索(IBEKS)方案中服务器和接收者之间的安全信道,Wu等人提出了一种指定服务器基于身份加密的关键字搜索(dIBEKS)方案。可是,Wu等人提出的dIBEKS方案不满足密文不可区分性。为了克服Wu等人方案的不足,本文提出一种指定服务器基于身份加密的多关键字搜索方案。安全性分析表明,本文所提方案同时满足了密文不可区分、陷门不可区分和离线关键字猜测攻击的安全性。效率分析显示,本文的方案更高效。      

基于异构密码系统的混合签密方案

针对异构密码系统的签密算法大多采用的是公钥加密技术，不具有可加密任意长消息的特点，不符合现实的应用环境，而混合签密技术则可解决这一不足。提出了一个基于异构密码系统的混合签密方案。该方案是由基于身份的密码（Identity Based Cryptography，IBC）体制到无证书密码（Certificateless Cryptography，CLC）体制的异构签密方案。不但能使私钥生成器（Private Key Generator，PKG）和密钥生成中心（Key Generating Center，KGC）分别在IBC密码体制和CLC密码体制中产生自己的系统主密钥，同时，在随机预言模型下，方案在计算性Diffie-Hellman和双线性Diffie-Hellman困难问题下具有不可伪造性和不可区分性。     

Multi-message and multi-receiver heterogeneous signcryption scheme for ad-hoc networks

Security is a significant issue for ad-hoc networks. Heterogeneous signcryption schemes proposed in recent years satisfy privacy and authentication of messages and reduce cost of computation and communication in a logical step. In this article, we present a new efficient heterogeneous signcryption scheme that shifts between the public key infrastructure (PKI) and the identity-based cryptosystem (IBC). The proposed scheme is suitable for broadcast communication conditions in which senders can signcrypt multiple messages for multiple receivers simultaneously in the ad-hoc networks. This scheme is proved to satisfy confidentiality and unforgeability on the basis of the assumptions of bilinear Diffie-Hellman problem (BDHP), q-Diffie-Hellman inversion problem (q-DHIP), q-bilinear Diffie-Hellman inversion problem (q-BDHIP), and computational Diffie-Hellman problem (CDHP) in the random oracle model. We discuss the efficiency of our scheme theoretically. In the efficiency analysis phase, we show that our scheme is practical and efficient. In the performance analysis phase, we present additional tests, data, and explanations to prove that our scheme can be applied in ad-hoc networks. Finally, we apply our scheme to a simulated ad-hoc network.     

基于身份的一次性盲公钥方案

在现有方案的基础上,通过分析超椭圆曲线双线性对和基于身份的特点,给出了一个改进的基于身份的一次性盲公钥方案。该方案由用户和可信中心共同完成用户密钥的生成,克服了密钥托管问题,避免了由可信中心进行密钥管理所产生的安全隐患。新构造的方案能够抵抗伪造性攻击,具有不可欺骗性,又保证了一次性盲公钥的独立性,是安全可靠的。而且方案中用户在通讯时可以使用不同的公钥,解决了Internet通信中的匿名认证问题,实现了用户隐私的有效保护。     

An Efficient Authentication Scheme for Access Control in Mobile Pay-TV Systems

In a mobile pay-TV system, a large number of messages are exchanged for mutual authentication purposes. In traditional authentication schemes, with one-to-one delivery, one authentication message per request is delivered from a head end system to subscribers. This results in the delivery of a large quantity of messages and therefore is inefficient and costly. Moreover, since most traditional schemes use an RSA-based signature for identity validation and nonrepudiation of communication, they suffer from high communication costs. Due to its wireless nature, mobile pay-TV is vulnerable to attacks during hand-off. As traditional schemes do not support hand-off authentication, they are insecure during hand-off. With these shortcomings, they are not suitable for mobile pay-TV. In this paper, we propose an innovative authentication scheme, in which, by providing one-to-many facility, only one authentication message for multiple requests is broadcasted from the head end system to subscribers. By employing bilinear property of pairing and elliptic curve cryptography, our scheme provides one-to-many facility in the case of multiple requests for the same service in a short period of time. This new scheme achieves better broadcast efficiency and performance on communication costs than traditional ones. Additionally, this scheme provides a hand-off authentication mechanism to protect the access of services while preventing attacks during hand-off; therefore, the scheme is more secure to support access control. Moreover, to provide anonymous authentication for protecting identity privacy, the scheme adopts an identity-based scheme while traditional schemes do not apply. The scheme inherits advantages of the identity-based scheme that a public key does not need to be certificated, the certification authority mechanism will not be needed and the key exchange overhead can be reduced. With these advantages of our scheme, it is well suited for mobile pay-TV system.     

More efficient tightly-secure lattice-based IBE with equality test

Identity-based encryption with equality test (IBEET) combines public key encryption with equality test (PKEET) and identity-based encryption (IBE). In an IBEET scheme, a user with trapdoors is allowed to verify whether different ciphertexts encrypted under different identities correspond to equal plaintexts through the equality test algorithm. Recently, several IBEET schemes were constructed over lattices to resist the potential quantum threats, perhaps since the latticed-based candidates are the most favored ones in the current NIST PQC standardization. However, almost all of the schemes are developed from Lee et al.’s generic construction and hence double both public parameters and ciphertext sizes. In this paper, we propose a more efficient and tightly-secure IBEET scheme which not only achieves a tight reduction with the semi-adaptive security, but also reduces both public parameters and ciphertext sizes.