Signcryption from randomness recoverable public key encryption

We propose a new generic construction for signcryption and show that it is secure under the security models which are comparable to the security against adaptive chosen ciphertext attacks for public key encryption and the existential unforgeability against chosen message attacks for signature. In particular, the security models also capture the notion of insider security. The generic construction relies on the existence of a special class of efficient public key encryption schemes which allow the encryption randomness to be recovered during decryption. We also propose two efficient instantiations for the generic construction and show that one of them has less message expansion and yields smaller ciphertext when compared with all the existing signcryption schemes.     

Algorithm substitution attacks against receivers

This work describes a class of Algorithm Substitution Attack (ASA) generically targeting the receiver of a communication between two parties. Our work provides a unified framework that applies to any scheme where a secret key is held by the receiver; in particular, message authentication schemes (MACs), authenticated encryption (AEAD) and public key encryption (PKE). Our unified framework brings together prior work targeting MAC schemes (FSE’19) and AEAD schemes (IMACC’19); we extend prior work by showing that public key encryption may also be targeted. ASAs were initially introduced by Bellare, Paterson and Rogaway in light of revelations concerning mass surveillance, as a novel attack class against the confidentiality of encryption schemes. Such an attack replaces one or more of the regular scheme algorithms with a subverted version that aims to reveal information to an adversary (engaged in mass surveillance), while remaining undetected by users. Previous work looking at ASAs against encryption schemes can be divided into two groups. ASAs against PKE schemes target key generation by creating subverted public keys that allow an adversary to recover the secret key. ASAs against symmetric encryption target the encryption algorithm and leak information through a subliminal channel in the ciphertexts. We present a new class of attack that targets the decryption algorithm of an encryption scheme for symmetric encryption and public key encryption, or the verification algorithm for an authentication scheme. We present a generic framework for subverting a cryptographic scheme between a sender and receiver, and show how a decryption oracle allows a subverter to create a subliminal channel which can be used to leak secret keys. We then show that the generic framework can be applied to authenticated encryption with associated data, message authentication schemes, public key encryption and KEM/DEM constructions. We consider practical considerations and specific conditions that apply for particular schemes, strengthening the generic approach. Furthermore, we show how the hybrid subversion of key generation and decryption algorithms can be used to amplify the effectiveness of our decryption attack. We argue that this attack represents an attractive opportunity for a mass surveillance adversary. Our work serves to refine the ASA model and contributes to a series of papers that raises awareness and understanding about what is possible with ASAs.

     

REESSE 1公开密钥密码体制

本文给出了互素序列的定义和杠杆函数的概念，介绍了REESSE1公开密钥密码体制及其密钥生成、加密、解密、数字签名和身分验证五个算法。文章对加密和解密算法进行了有关推导和证明，对REESSE1公钥体制的安全性进行了初步分析。另外，作者还给出了一个用于公钥密码体制中求模逆元的新递归算法。     

A survey of certificateless encryption schemes and security models

This paper surveys the literature on certificateless encryption schemes. In particular, we examine the large number of security models that have been proposed to prove the security of certificateless encryption schemes and propose a new nomenclature for these models. This allows us to “rank” the notions of security for a certificateless encryption scheme against an outside attacker and a passive key generation centre, and we suggest which of these notions should be regarded as the “correct” model for a secure certificateless encryption scheme. We also examine the security models that aim to provide security against an actively malicious key generation centre and against an outside attacker who attempts to deceive a legitimate sender into using an incorrect public key (with the intention to deny the legitimate receiver that ability to decrypt the ciphertext). We note that the existing malicious key generation centre model fails to capture realistic attacks that a malicious key generation centre might make and propose a new model. Lastly, we survey the existing certificateless encryption schemes and compare their security proofs. We show that few schemes provide the “correct” notion of security without appealing to the random oracle model. The few schemes that do provide sufficient security guarantees are comparatively inefficient. Hence, we conclude that more research is needed before certificateless encryption schemes can be thought to be a practical technology.     

基于Niederreiter编码的混合加密方案的改进

基于编码的密码方案具有抗量子的特性和较快的加解密速度,是当今抗量子密码方案的备用方案之一。现有基于编码的混合加密方案已经达到选择密文攻击不可区分（IND-CCA）安全,其缺点是加密收发双方共享秘密密钥的公钥尺寸较大。针对基于Niederreiter编码的混合加密方案公钥尺寸大的的问题,首先对Niederreiter编码方案的私钥进行随机拆分,然后对Niederreiter编码方案的明文进行随机拆分,最后对Niederreiter编码方案的加解密过程进行了改进。经过分析得出,改进方案的公钥尺寸小于Maurich方案的公钥尺寸,在80比特的安全级下,改进方案的公钥从原方案的4801比特降低到240比特;在128比特的安全级下,改进方案的公钥从原方案的9857比特降低到384比特。虽然改进后的方案比原方案过程复杂,但其存储代价和计算代价变小,方案的实用性增强。     

基于身份密码学的安全性研究综述

目前IBE已经成为公钥加密领域的一个研究热点,而安全性是构建IBE方案的重要因素.在设计公钥加密方案时,通常主要考虑在各种攻击模型下所要达到的安全目标,使用安全目标与攻击模型相结合的方式来定义安全性.在对已提出的IBE方案进行归纳分析的基础上,概括了IBE安全性的形式化定义;总结了安全性所依赖的各种数学难题基础,对各种数学难题之间的强弱关系进行了分析;进而,基于这些强弱关系描述了IBE安全性之间的相互转化规律以及达到高安全性的转化方法,这些方法有一个共同点,就是在加密方案的构造过程中使用了某种测试;接下来,从安全性和效率的角度对比了已提出的典型IBE方案,指出低安全性向高安全性转化必然会带来额外开销,导致效率下降;最后,总结了IBE的缺点、未来研究趋势以及开放性问题.     

Ciphertext-policy attribute-based encryption supporting access policy update and its extension with preserved attributes

Attribute-based encryption (ABE) allows one-to-many encryption with static access control. In many occasions, the access control policy must be updated, but the original encryptor might be unavailable to re-encrypt the message, which makes it impractical. Unfortunately, to date the work in ABE does not consider this issue yet, and hence this hinders the adoption of ABE in practice. In this work, we consider how to update access policies in ciphertext-policy attribute-based encryption (CP-ABE) systems efficiently without encrypting each ciphertext with new access policies. We introduce a new notion of CP-ABE supporting access policy update that captures the functionalities of attribute addition and revocation to access policies. We formalize the security requirements for this notion and subsequently construct two provably secure CP-ABE schemes supporting AND-gate access policy with constant-size ciphertext for user decryption. The security of our schemes are proved under the augmented multi-sequences of exponents decisional Diffie–Hellman assumption. We also present a different construction in which certain attributes in an access policy can be preserved by the original encryptor, while other attributes can be revoked efficiently so that the ability of attribute revocation can be appropriately restrained.     

适应性安全的离线证据加密

离线证据加密通过将复杂的计算移到初始化算法提升加密算法的效率,相比证据加密具有更广泛的应用.然而,已有的离线证据加密方案大多满足选择安全性,即敌手在得到公共参数之前必须输出一对挑战明文(m₀,m₁)和一个命题实例x.Chvojka等人通过引入可穿孔加密构造了半适应安全的离线证据加密方案,该安全性允许敌手适应性选择挑战密文,但是敌手得到公共参数(ppe,ppd)之前需要输出挑战密文对应的命题实例x,将构造完全适应安全的离线证据加密方案作为“Open Problem”提了出来.首次构造了满足完全适应安全的离线证据加密方案.初始化算法输出一对公共参数(ppe,ppd),其中加密密钥ppe包含两个公钥,一个公共参考串和一个承诺,解密密钥ppd是一个混淆电路.该算法只需运行一次,公共参数可以使用任意多次.加密算法利用密钥封装机制和证据不可区分证明系统构造一个Naor-Yung形式的密文.通过提前选定封装的密钥解决在选择安全性中敌手需要提前输出挑战明文的问题.另外,所提构造可以直接转化为适应性安全的离线函数证据加密,密钥生成阶段将函数f嵌入到解密私钥中,...     

结构化公开加密密钥支撑群组密钥操作研究

加密解密协议中的单加密解密密钥结构不能满足群组密钥管理的性能需要,公开加密密钥更新导致全部解密密钥更新。针对这一问题,提出结构化公开加密密钥组织结构,满足密钥独立性的群组解密密钥集合成员具有有限修改公开加密密钥的能力,使得群组成员在无可信中心支持下采用自配置方式更新公开加密密钥,更新后的公开加密密钥不会破坏非更新成员解密密钥的合法性。给出的公钥结构丰富了解密密钥和加密密钥之间的关系,扩展了群组密钥操作,适合环境苛刻的网络群组密钥管理。     

Private Keyword-Search for Database Systems Against Insider Attacks

The notion of searchable encrypted keywords introduced an elegant approach to retrieve encrypted data without the need of decryption. Since the introduction of this notion, there are two main searchable encrypted keywords techniques, symmetric searchable encryption (SSE) and public key encryption with keyword search (PEKS). Due to the complicated key management problem in SSE, a number of concrete PEKS constructions have been proposed to overcome it. However, the security of these PEKS schemes was only weakly defined in presence of outsider attacks; therefore they suffer from keyword guessing attacks from the database server as an insider. How to resist insider attacks remains a challenging problem. We propose the first searchable encrypted keywords against insider attacks (SEK-IA) framework to address this problem. The security model of SEK-IA under public key environment is rebuilt. We give a concrete SEK-IA construction featured with a constant-size trapdoor and the proposed scheme is formally proved to be secure against insider attacks. The performance evaluations show that the communication cost between the receiver and the server in our SEK-IA scheme remains constant, independent of the sender identity set size, and the receiver needs the minimized computational cost to generate a trapdoor to search the data from multiple senders.     

基于多比特全同态加密的安全多方计算

本文中,我们首先证明了李增鹏等人提出的多比特多密钥全同态加密方案(MFHE)满足密钥同态性质,利用此性质,可以通过门限解密得到最终解密结果.使用该方案,我们设计了一个在CRS模型下和半恶意攻击者模型下安全的三轮多方计算协议(MPC).该安全多方计算协议的安全性是基于容错学习问题(LWE)的两个变种问题Ferr-LWE和...     

叛逆者可追踪的非对称群组密钥协商协议

非对称群组密钥协商(Asymmetric Group Key Agreement, ASGKA)的概念在2009年欧密会上被首次提出,其协议结束时协商出来的只是一个共享的加密密钥。这个加密密钥可以被敌手访问,而且对应多个不同的解密密钥,每个群组用户都可以计算出一个对应该公钥的解密密钥。同时指出进一步研究的问题之一是如何实现叛逆者可追踪的ASGKA协议。设计了一个标准模型下可证安全的非对称密钥协商协议ASGKAwIT,该协议可以实现叛逆者追踪。     

可公开定责的密文策略属性基加密方案

属性基加密利用属性集和访问结构之间的匹配关系实现用户解密权限的控制,从功能上高效灵活地解决了“一对多”的密数据共享问题,在云计算、物联网、大数据等细粒度访问控制和隐私保护领域有光明的应用前景。然而,在属性基加密系统中(以密文策略属性基加密为例),一个属性集合会同时被多个用户拥有,即一个解密私钥会对应多个用户,因此用户敢于共享其解密私钥以非法获利。此外,半可信的中心存在为未授权用户非法颁发私钥的可能。针对属性基加密系统中存在的两类私钥滥用问题,通过用户和中心分别对私钥进行签名的方式,提出一个密文策略属性基加密方案。该方案支持追踪性和公开定责性,任何第三方可以对泄露私钥的原始持有者的身份进行追踪,审计中心可以利用公开参数验证私钥是用户泄露的还是半可信中心非法颁发的。最后,可以证明方案的安全性基于其依赖的加密方案、签名方案。     

基于虹膜生物特征信息的图像加密方法

针对目前图像加密中的密钥安全性问题,提出一种基于虹膜生物特征信息的图像加密方法。该方法一方面确保了密匙的安全性;另一方面,密匙的获取无须传送。它通过虹膜采集系统的在线认证,使得具有授权的用户方能正确获取密钥,实现图像解密。与此同时,着重强调当用同一生物特征信息对多幅不同图像进行加密时,采用独立变量分析法能有效分离出密钥信息或原图像。     

非对称加密算法在身份认证中的应用研究

随着计算机网络以及智能终端应用的不断普及,特别是网络金融以及二维码的快速普及,信息安全问题越来越突出。文中研究了对称加密算法数据加密标准DES,主要研究了公开密钥基础设施体系PKI,这是确保信息在传输过程中安全性的第三方平台,它主要负责颁发带有CA中心数字签名的证书以及管理RSA算法中需要的公钥和私钥;研究了几种非对称加密算法并分析了它们的性能;重点研究了CEE中基于有限域上的椭圆曲线离散对数算法和RSA非对称加密算法,提出了用私钥加密公钥解密方案来解决信息真伪鉴别即身份认证问题,编程实现了RSA的公钥生成以及信息的加密和解密,主要实现了RSA密钥生成器模块、加密模块和解密模块,设计了加解密图形界面,完成了文件路径加密和整个文件的加密。实验结果表明RSA算法的可行性和安全性是较高的。     

基于编码的抗量子广义签密方案

随着量子计算机的发展以及网络环境的日益复杂,传统的公钥密码为目前的通信环境所提供的安全保障面临着越来越大的威胁,抗量子密码能够有效抵抗量子计算机攻击而受到广泛关注.抗量子密码中的编码密码具有加解密简单、易于操作的特点而成为后量子时代优良的密码方案候选者之一.通过对编码密码进行研究,利用LEDAkem密钥封装机制中对信息进行加密的方法与CFS签名方案相结合,提出了一种基于QC-LDPC码的广义签密方案.新方案可以实现在签名、加密以及签密方案三者之间的自适应转换,由于采用的是LEDAkem的加密方法以及QC-LDPC码,新方案在密钥量方面具有一定优势.通过安全性分析证明新方案满足IND-CPA安全以及EUF-CMA安全,并进一步给出方案转换为IND-CCA2安全的方法,新方案能够适应越发复杂的网络通信,为后量子时代的网络环境提供可靠的安全保障.     

不可信更新的前向安全公钥加密方案：安全性模型和构造

已提出的不可信更新的前向安全公钥加密方案没有安全性证明,因此对方案的安全性存在质疑。对前向安全公钥加密方案进行扩展,给出首个具有可证明安全的不可信更新前向安全公钥加密方案。首先给出了不可信更新的前向安全公钥加密的方案定义和形式化安全性模型;根据方案定义,运用双线性映射技术以及高效的对称加密机制,提出一个不可信更新的前向安全公钥加密方案,并在随机预言机模型下证明了该方案的安全性。通过分析,该方案具有定长密文,定长私钥,固定加/解密开销,固定密钥更新开销的特点,具有一定的实用性。     

两个降低PKG信任级的基于身份的门限密码体制

在基于身份的公钥密码体制中PKG负责生成用户密钥,对PKG的信任级别过高,存在密钥托管问题.人们为解决此问题提出了很多方案但均有一定缺陷.Goyal提出了一种解决这类问题的新思路.基于该思路,提出了两种降低对私钥生成中心的信任级别的门限密码体制.在这两个体制中,利用了Goyal提出的基于身份的可追踪公钥加密体制的思想与公开可验证加密技术,有效解决了在基于身份的门限加密体制中,PKG对同一用户恶意生成多个私钥的追踪问题.对降低PKG信任级的基于身份的门限密码体制进行了形式化定义,并在所定义的形式化安全模型下证明了这两个方案可以对抗门限自适应选择密文攻击、密钥寻找攻击以及计算新密钥攻击.     

自适应安全的外包CP-ABE方案研究

属性基加密(attribute-based encryption, ABE)体制是身份基加密(identity-based encryption, IBE)体制的一种扩展,在ABE体制中,密钥产生中心根据用户拥有的属性为用户颁发密钥,加密者可以针对某个访问策略对消息进行加密,当且仅当用户拥有的属性满足相应的访问策略时,能够成功解密. 由于ABE体制可以实现对密文灵活的访问控制,因此有着良好的应用前景,尤其适用于保障云存储环境中信息的机密性. 然而,计算效率较低却一直是阻碍各类ABE方案被实际应用的主要问题. 针对这一问题,研究了借助外部资源降低ABE方案本地计算量的思想和方法,给出了外包ABE方案的形式化定义,并根据实际的敌手环境、安全目标制定了相应的安全模型. 随后,利用合数阶双线性群构造了一个具体的外包密文策略属性基加密(ciphertext-policy ABE, CP-ABE)方案,并利用双系统加密技术在标准模型下证明其满足自适应安全性.     

Breaking the Shin-Shin-Rhee remotely keyed encryption schemes

Remotely keyed encryption (RKE) schemes provide fast symmetric encryption and decryption using a small-bandwidth security module and a powerful host. Such schemes keep the key inside the security module to prevent key compromise.Shin, Shin, and Rhee proposed a length-preserving as well as a length-increasing RKE scheme that both use only a single round of interaction between host and security module. With the length-preserving scheme they claim to answer an open problem of Blaze, Feigenbaum, and Naor.However, in the present paper we show that both their schemes are completely insecure. Further, we present heuristic arguments on why a one-round length-preserving RKE scheme might be impossible.