可证安全的抗泄露无证书混合签密机制

传统的基于双线性映射的混合签密方案存在着计算效率较低的不足,同时,无法抵抗信息泄露对方案所造成的危害,针对上述不足,在不使用双线性映射的基础上,提出了安全、高效的抗泄露无证书混合签密机制,并在随机谕言机模型下,基于计算性Diffie-Hellman问题和离散对数问题对该机制的机密性和不可伪造性进行了证明.同时,分析了该方案的公开验证性、前/后向安全性和不可否认性等安全属性;与传统的无证书混合签密机制相比,该机制不仅具有更优的计算效率,而且在秘密信息存在一定泄露的前提下,依然保持其所声称的安全性,即该方案还具有抵抗秘密信息泄露的能力.     

可容忍信息泄露的指定验证者签名方案

指定验证者签名(DVS)克服了传统的数字签名中可公开验证的缺点,可防止验证者向第三方表明他获得了签名方发布的数字签名。但传统的密码方案的安全性依赖理想的假设,即攻击者不能获得保密的密钥的信息,而边信道攻击表明攻击者可以获得部分的秘密信息,因此有必要设计可以容忍信息泄露的指定验证者签名方案。基于“或”证明的技术,把Okamoto认证方案推广到指定验证者签名的情形,并在给定的泄露界下,证明了所提出的指定验证者签名方案在相对泄露模型下是安全的。     

一种无证书签名方案的分析与改进

分析张燕燕等人提出的基于离散对数问题的无证书签名方案(计算机工程与应用,2011年第12期),指出在该方案中,敌手通过替换公钥可以伪造任何签名人对任意消息的签名,并提出一个无需双线性对运算的改进方案。理论分析结果证明,改进方案在最强安全模型下是存在性不可伪造的,且签名和验证效率更高。     

Delegateable signatures based on non-interactive witness indistinguishable and non-interactive witness hiding proofs

A delegateable signature scheme （DSS） which was first introduced by Barak is mainly based on the non-interactive zero-knowledge proof （NIZK） for preventing the signing verifier from telling which witness （i.e., restricted subset） is being used. However, the scheme is not significantly efficient due to the difficulty of constructing NIZK. We first show that a non-interactive witness indistinguishable （NlWl） proof system and a non-interactive witness hiding （NIWH） proof system are easier and more efficient proof models than NIZK in some cases. Furthermore, the witnesses em- ployed in these two protocols （NlWl and NIWT） cannot also be distinguished by the verifiers. Combined with the E-protocol, we then construct NlWl and NIWH proofs for any NP statement under the existence of one-way functions and show that each proof is different from those under the existence of trapdoor permutations, Finally, based on our NlWl and NIWH proofs, we construct delegateable signature schemes under the existence of one-way functions, which are more efficient than Barak＇s scheme under the existence of trapdoor permutations.     

A new certificateless aggregate signature scheme

Aggregate signatures are useful in special areas where the signatures on many different messages generated by many different users need to be compressed. In this paper, we study aggregate signatures in certificateless public key settings. We first present the notion and security model of certificateless aggregate signature schemes. Then we give an efficient certificateless aggregate signature scheme. Our scheme is existentially unforgeable under adaptive chosen-message attacks assuming the computational Diffie–Hellman problem is hard.     

A note on an identity-based ring signature scheme with signer verifiability

Recently, Herranz presented an identity-based ring signature scheme featuring signer verifiability where a signer can prove that he or she is the real signer by releasing an authorship proof. In this paper we show that this scheme is vulnerable to a key recovery attack in which a user’s secret signing key can be efficiently recovered through the use of two known ring signatures and their corresponding authorship proofs. In addition, we present a simple method to fix this security vulnerability by slightly modifying the authorship proof. Our modified scheme simplifies the original scheme and improves performance. To show that the modified scheme is unforgeable, we define two types of unforgeability notions for both signatures and authorship proofs. In these notions an adversary has opening capability to confirm the real signers of ring signatures and thus can manipulate authorship proofs in an adaptive way. We then prove that our modified scheme is secure in terms of these unforgeability notions.     

完美前向安全的基于身份认证密钥协商方案

现有的基于身份的一轮认证密钥协商方案没能实现强的完美前向性.采用强不可伪造的签名算法对临时公钥进行签名,提出一种改进的基于身份认证密钥协商方案.首先,对Boneh和Boyen提出的强不可伪造的短签名方案进行改造,提出一种强不可伪造的基于身份签名方案;然后,将新签名方案与Ni等人提出的eCK安全的基于身份一轮认证密钥协商方案相结合,提出新的密钥协商方案.进一步,为了实现新方案的可证明安全性,在对比分析eCK-PFS模型和eCK模型的基础上,融合现有安全模型,定义了基于身份认证密钥协商方案分析的强安全模型ID-eCK-PFS.在ID-eCK-PFS模型下,通过安全性规约,证明了新提出的基于身份认证密钥协商方案实现了强安全性,包括抗密钥泄露伪装、抗临时秘密泄露和完美前向安全性等.     

Strong unforgeability in group signature schemes

A signature scheme is strongly unforgeable if no adversary can produce a new valid signature σ on a message M even after seeing some signatures on M. We define strong unforgeability of group signature schemes and explain why the strong unforgeability of a group signature scheme is necessary. This relatively new security concept was not considered when Bellare–Micciancio–Warinschi established their security model, what we call the BMW security model, of group signature schemes. We show that a scheme proposed at Eurocrypt'06 that was proven secure in the BMW security model is not strongly unforgeable. We also present a method to convert this scheme into a strongly unforgeable group signature scheme preserving the security in the BMW security model.     

Cryptanalysis of a signcryption scheme with fast online signing and short signcryptext

Signcryption is functional combination of encryption and signature,efficiency higher than the separate signing and encrypting.Recently,Youn et al.presented a new signcryption scheme,which has fast online signing and short signcryptext,and is efficient enough for mobile applications.This scheme is claimed to be both existentially unforgeable and semantically secure.However,in this paper we shall show that it is not existentially unforgeable.     

Updatable Identity-Based Hash Proof System Based on Lattices and Its Application to Leakage-Resilient Public-Key Encryption Schemes

Identity-based hash proof system is a basic and important primitive. It is widely utilized to construct cryptographic schemes and protocols that are secure against key-leakage attacks. In this paper, we introduce the concept of updatable identity-based hash proof system, in which the related master secret key and the identity secret key can be updated securely. Then, we instantiate this primitive based on lattices in the standard model. Moreover, we introduce an application of this new primitive by giving a generic construction of leakage-resilient public-key encryption schemes with anonymity. This construction can be considered as the integration of the bounded-retrieval model and the continual leakage model. Compared with the existing leakage-resilient schemes, our construction not only is more efficient but also can resist much more key leakage.     

抗泄露的(分层)身份基密钥封装机制

在真实应用环境中,冷启动、边信道等物理攻击方式的出现,使得敌手能够获得参与者内部私有状态的泄露信息,从而导致传统可证明安全的密码机制在有泄露的环境下已无法继续保持其原有的安全性,因此更多的密码学研究者开始致力于抗泄露密码机制的研究.混合加密技术同时具备了对称加密和非对称加密的优势,由于身份基密钥封装机制(Identity-Based Key-Encapsulation Mechanism,IB-KEM)是身份基混合加密机制的重要组成部分,近年来得到了广泛关注.为满足真实环境的抗泄露性需求,抗泄露IB-KEM被提出;然而现有的构造在计算、传输和存储等方面均存在不足.针对上述不足,本文提出了选择密文攻击(Chosen-Ciphertext Attacks,CCA)安全的抗泄露IB-KEM的通用构造,并基于底层IB-KEM的选择明文攻击(Chosen-Plaintext Attacks,CPA)安全性对通用构造的CCA安全性进行了形式化证明.此外,为展示本文通用构造的实用性及普遍性,分别设计了 IB-KEM和分层身份的身份基密钥封装机制(Hierarchical Identity-Based Key-Encapsulation Mechanism,HIB-KEM)的具体实例,并在选择身份的安全模型下,基于判定的双线性Diffie-Hellman假设和双线性Diffie-H ellman指数假设对本文实例的CPA安全性分别进行了证明.最后,为了实现抵抗连续泄露攻击的目标,本文研究了各实例的密钥更新算法.相较于已有CCA安全的抗泄露IB-KEM,本文构造在计算、传输和存储等方面具有一定的优势.     

A provable secure fuzzy identity based signature scheme

To use biometrics identities in an identity based encryption system,Sahai and Waters first introduced the notion of fuzzy identity based encryption(FIBE) in 2005.Yang et al.extended it to digital signature and introduced the concept of fuzzy identity based signature(FIBS) in 2008,and constructed an FIBS scheme based on Sahai and Waters’s FIBE scheme.In this paper,we further formalize the notion and security model of FIBS scheme and propose a new construction of FIBS scheme based on bilinear pairing.The proposed scheme not only provides shorter public parameters,private key and signature,but also have useful structures which result in more efficient verification than that of Yang et al.’s FIBS scheme.The proposed FIBS scheme is proved to be existentially unforgeable under a chosen message attack and selective fuzzy identity attack in the random oracle model under the discrete logarithm assumption.     

一类可证安全的基于证书盲签名

在强安全模型下,结合基于证书签名体制和盲签名体制,提出了一类高效的基于证书盲签名方案,能抵抗适应性选择消息攻击和身份攻击下的存在性伪造,并且在随机预言模型下基于q强Diffie-Hellman难题(q-SDHP)和扩展的逆计算Diffie-Hellman难题(E-inv-CDHP)给出完整的安全性证明。结果表明,新方案具有较高的安全性,不仅简化了密钥管理过程,克服了密钥托管问题,而且整体性能比较高。     

Practical continuous leakage-resilient CCA secure identity-based encryption

Leakage of private information including private keys of user has become a threat to the security of computing systems. It has become a common security requirement that a cryptographic scheme should withstand various leakage attacks. In the real life, an adversary can break the security of cryptography primitive by performing continuous leakage attacks. Although, some research on the leakage-resilient cryptography had been made, there are still some remaining issued in previous attempts. The identity-based encryption (IBE) constructions were designed in the bounded-leakage model, and might not be able to meet their claimed security under the continuous-leakage attacks. In the real applications, the leakage is unbounded. That is, a practical cryptography scheme should keep its original security in the continuous leakage setting. The previous continuous leakageresilient IBE schemes either only achieve chosen-plaintext attacks security or the chosen-ciphertext attacks (CCA) security is proved in the selective identity model. Aiming to solve these problems, in this paper, we show how to construct the continuous leakage-resilient IBE scheme, and the scheme’s adaptive CCA security is proved in the standard model based on the hardness of decisional bilinear Diffie-Hellman exponent assumption. For any adversary, all elements in the ciphertext are random, and an adversary cannot obtain any leakage on the private key of user from the corresponding given ciphertext. Moreover, the leakage parameter of our proposal is independent of the plaintext space and has a constant size.     

一种基于双重KGC的无证书短签名方案

为了解决无证书短签名方案中单KGC权力过于集中的问题,提出一种基于双重KGC的无证书短签名方案,其中双重KGC之间相互制约,有效地减少了单KGC主密钥泄露和被恶意操控带来的危害。随后在随机预言机模型、k-CAA和Inv-CDH问题困难性假设下,证明了签名方案在适应性选择消息攻击下是存在性不可伪造的。最后与其他无证书数字签名方案进行了比较,并用C语言实现了该方案.实验结果和分析表明该方案计算量较低,运行效率和安全性较高。     

Aleakage-resilient certificateless public key encryption scheme with CCA2 security

In recent years, much attention has been focused on designing provably secure cryptographic primitives in the presence of key leakage. Many constructions of leakage-resilient cryptographic primitives have been proposed. However, for any polynomial time adversary, most existing leakage-resilient cryptographic primitives cannot ensure that their outputs are random, and any polynomial time adversary can obtain a certain amount of leakage on the secret key from the corresponding output of a cryptographic primitive. In this study, to achieve better performance, a new construction of a chosen ciphertext attack 2 (CCA2) secure, leakage-resilient, and certificateless public-key encryption scheme is proposed, whose security is proved based on the hardness of the classic decisional Diffie-Hellman assumption. According to our analysis, our method can tolerate leakage attacks on the private key. This method also achieves better performance because polynomial time adversaries cannot achieve leakage on the private key from the corresponding ciphertext, and a key leakage ratio of 1/2 can be achieved. Because of these good features, our method may be significant in practical applications.     

New constructions of OSBE schemes and their applications in oblivious access control

Oblivious signature-based envelope (OSBE) schemes have demonstrated their potential applications in the protection of users privacy and rights. In an OSBE protocol, an encrypted message can only be decrypted by the receiver who holds a valid signature on a public message, while the sender (encrypter) does not know whether the receiver has the signature or not. Our major contributions in this work lie in the following aspects. We improve the notion of OSBE so that a valid credential holder cannot share his/her credential with other users (i.e., all-or-nothing non-transferability). We clarify the relationship between one-round OSBE and identity-based encryption (IBE) and show that one-round OSBE and semantically secure IBE against the adaptively chosen identity attack (IND-ID-CPA) are equivalent, if the signature in the OSBE scheme is existentially unforgeable against adaptively chosen message attacks. We propose an oblivious access control scheme to protect user privacy without the aid of any zero-knowledge proof. Finally, we also highlight some other novel applications of OSBE, such as attributed-based encryption.     

Security weaknesses of a signature scheme and authenticated key agreement protocols

At ACISP 2012, a novel deterministic identity-based (aggregate) signature scheme was proposed that does not rely on bilinear pairing. The scheme was formally proven to be existentially unforgeable under an adaptive chosen message and identity attack. The security was proven under the strong RSA assumption in the random oracle model. In this paper, unfortunately, we show that the signature scheme is universally forgeable, i.e., an adversary can recover the private key of a user and use it to generate forged signatures on any messages of its choice having on average eight genuine signatures. This means, that realizing a deterministic identity-based signature scheme in composite order groups is still an open problem. In addition, we show that a preliminary version of the authenticated key exchange protocol proposed by Okamoto in his invited talk at ASIACRYPT 2007 is vulnerable to the key-compromise impersonation attack and therefore cannot be secure in the eCK model. We also show that the two-party identity-based key agreement protocol of Hölbl et al. is vulnerable to the unknown key-share attack.     

An efficient CCA-secure cryptosystem over ideal lattices from identity-based encryption

We first construct an efficient IND-sID-CPA secure IBE cryptosystem from ideal lattices, and proceed with its security proof under the standard model in detail. Then with an asymptotically efficient strongly unforgeable one-time signature, we propose a new CCA secure public key encryption (PKE) scheme over ideal lattices by universal paradigm of IBE transformation. Performance of the resulting PKE system is very close to the underlying IBE scheme and its security can be tightly reduced to decisional R-LWE hardness assumption. Compared with known CCA secure PKE schemes from standard lattices, our new scheme is simpler and more efficient.