Black-Box Trace&Revoke Codes

We address the problem of designing an efficient broadcast encryption scheme which is also capable of tracing traitors. We introduce a code framework to formalize the problem. Then, we give a probabilistic construction of a code which supports both traceability and revocation. Given N users with at most r revoked users and at most t traitors, our code construction gives rise to a Trace&Revoke system with private keys of size O((r+t)logN) (which can also be reduced to constant size based on an additional computational assumption), ciphertexts of size O((r+t)logN), and O(1) decryption time. Our scheme can deal with certain classes of pirate decoders, which we believe are sufficiently powerful to capture practical pirate strategies. In particular, our code construction is based on a combinatorial object called (r,s)-disjunct matrix, which is designed to capture both the classic traceability notion of disjunct matrix and the new requirement of revocation capability. We then probabilistically construct (r,s)-disjunct matrices which help design efficient Black-Box Trace&Revoke systems. For dealing with “smart” pirates, we introduce a tracing technique called “shadow group testing” that uses (close to) legitimate broadcast signals for tracing. Along the way, we also proved several bounds on the number of queries needed for black-box tracing under different assumptions about the pirate’s strategies.     

Cryptanalysis of an identity based broadcast encryption scheme without random oracles

Identity based broadcast encryption allows a centralized transmitter to send encrypted messages to a set of identities S, so that only the users with identity in S can decrypt these ciphertexts using their respective private key. Recently [Information Processing Letters 109 (2009)], an identity-based broadcast encryption scheme was proposed (Ren and Gu, 2009) [1], and it was claimed to be fully chosen-ciphertext secure without random oracles. However, by giving a concrete attack, we indicate that this scheme is even not chosen-plaintext secure.     

基于Ad hoc网的身份型广播加密方案

考虑到动态Ad hoc网的安全性及效率难以兼顾的问题,提出一种有效的基于动态网络的广播加密方案,并给出严格的安全性证明。该方案建立在标准模型下,当用户之间通过广播方式传递信息时,采用双线性对运算对任意数量无状态用户可实现完全杭串谋攻击。在密钥提取过程中,通过引入身份随机数并利用撤销用户身份集合进行加密,使得新用户可以动态加入群却不改变加解密密钥和密文的长度,其大小不超过O(1)。同时,所有有效操作过程在O(r)时间内完成,不依赖于用户总人数二,从而大大提高了算法的传输及存储效率。安全性验证表明,该方案在GD-DHE假设下是杭静态敌手INI}IN-CPA安全的。     

Intrusion-resilient identity-based signature: Security definition and construction

Traditional identity-based signatures depend on the assumption that secret keys are absolutely secure. Once a secret key is exposed, all signatures associated with this secret key have to be reissued. Therefore, limiting the impact of key exposure in identity-based signature is an important task. In this paper, we propose to integrate the intrusion-resilient security into identity-based signatures to deal with their key exposure problem. Compared with forward-secure identity-based signatures and key-insulated identity-based signatures, our proposal can achieve higher security. The proposed scheme satisfies that signatures in any other time periods are secure even after arbitrarily many compromises of base and signer, as long as the compromises do not happen simultaneously. Furthermore, the intruder cannot generate signatures pertaining to previous time periods, even if she compromises base and signer simultaneously to get all their secret information. The scheme enjoys nice average performance. There are no cost parameters including key setup time, key extract time, base (signer) key update time, base (signer) key refresh time, signing time, verifying time, and signature size, public parameter size, base (signer) storage size having complexity more than O(log T) in terms of the total number of time periods T in this scheme. We also give the security definition of intrusion-resilient identity-based signature scheme and prove that our scheme is secure based on this security definition in the random oracle model assuming CDH problem is hard.     

一个安全公钥广播加密方案

消息的发送者使用广播加密算法通过广播信道将消息发送给用户.公钥加密算法和追踪算法结合在一起,可构成一个公钥广播加密方案.提出了一个完全式公钥广播加密方案.在以往公钥广播加密方案中,消息发送中心替每个用户选择解密私钥,分配解密私钥.而在完全式公钥广播加密方案中,用户的解密私钥是由用户自己所选择的.用户可以随时加入或退出广播系统.当消息发送者发现非法用户时,不要求合法用户作任何改变,就能够很方便地取消这些非法用户.此外,证明了方案中加密算法在DDH假设和适应性选择密文攻击下是安全的.     

Privacy-preserving identity-based broadcast encryption

Broadcast encryption enables a broadcaster to encrypt messages and transmit them to some subset S of authorized users. In identity-based broadcast encryption schemes, a broadcasting sender typically encrypts a message by combining public identities of receivers in S and system parameters. However, previous identity-based broadcast encryption schemes have not been concerned about preserving the privacy of receivers. Consequently, all of the identities of broadcast receivers in S are exposed to the public in the previous schemes, which may be subject to attacks on user privacy in lots of pragmatic applications. We propose a novel privacy-preserving identity-based broadcast encryption scheme against an active attacker. The proposed scheme protects the privacy of receivers of broadcasted messages by hiding the identities of receivers in S. Additionally, it achieves less storage and computation costs required to encrypt and decrypt the broadcast message, compared to the previous identity-based broadcast encryption schemes that do not provide user privacy.     

基于SM9的匿名广播加密方案

广播加密允许数据拥有者通过不安全的公开信道将数据安全地发送给一组指定的用户, 只有组内用户（授权用户）利用自身私钥才能正确解密密文, 恢复出明文数据, 不在组内的用户（非授权用户）即使合谋也无法获取数据内容。标识加密是一种非对称加密体制, 可利用能够唯一标识用户身份的任意字符串作为用户的公钥, 消除了传统公钥体制中用于绑定用户公钥的证书。匿名标识广播加密不仅能充分继承标识加密的优点实现多用户数据的安全共享, 而且能有效保护接收者的身份信息。本文以国产商用标识密码算法SM9为基础, 采用多项式技术构造了首个基于SM9的匿名广播加密方案。方案具有与SM9加密算法相同的私钥生成算法, 用户私钥由一个群元素组成。方案的密文由(n+3)个元素组成, 与接收者数量(n)线性相关, 解密仅包含一次双线性对计算。基于q类型的GDDHE困难假设, 在随机谕言器模型中证明方案在静态选择明文攻击下具有不可区分的安全性且满足接收者匿名性。比较分析表明本文方案的计算开销和通信代价与现有高效匿名标识广播加密方案是可比的。最后, 对方案进行编程实验, 在相同安全级别下, 本文方案对比其他方案具有较优的密文长度, 实验结果表明本文方案是可行的。     

一种基于多线性映射的身份类广播加密方案*

利用多线性映射具有随机化编码的特点来构造密码方案是近几年研究的热点之一。本文针对Delerablee在随机预言机模型下提出的动态广播加密方案中选择明文攻击安全性问题,提出了标准模型下具有选择密文攻击安全的基于身份广播加密。首先建立多线性映射改进了私钥提取算法;然后在方案中加入消息验证码机制;最后,在标准模型下证明了该方案是不可区分静态选择密文攻击安全(indistinguishable-static ID-chosen ciphertext attack ,IND-sID-CCA)。分析表明,本文提出的方案保留了动态特性并提高了安全性。     

一种基于商密SM9的高效标识广播加密方案

广播加密允许发送者为一组指定的用户同时加密数据,并通过公开信道传输密文.只有加密时指定的授权用户才能正确解密,非授权用户即使合谋也无法获得明文数据.得益于这些优点,广播加密被广泛用在云计算、物联网等应用中,实现多用户数据共享和秘密分享.SM9标识加密算法是我国自主设计的商用密码,用于数据加密,保护数据隐私,但只适用于单...     

基于身份的新型广播签密方案

为了适应当前信息传输环境的多样性及多变性,保证传输信息的机密性及权威性,通过借鉴签密方案的优势并结合广播加密模型,提出一种新的身份型广播签密方案。该方案使用哈希运算、环和运算、双线性对运算等多种运算形式,使得新方案中公、私钥长度保持不变,密文长度等于接收用户的个数加1,签密过程与解签密过程均无需双线性对运算,因此具有较低的运算代价及存储代价。详细的安全性证明显示该方案的机密性可归约为弱的BCDH问题,不可伪造性可归约为PSG签名问题,从而使该方案能应用于安全性和实用性要求较高的环境。     

Accountable authority key policy attribute-based encryption

We present an accountable authority key policy attribute-based encryption (A-KPABE) scheme.In this paper,we extend Goyal’s work to key policy attribute-based encryption setting.We first generalize the notion of accountable authority in key policy attribute-based encryption scenario,and then give a construction.In addition,our scheme is shown to be secure in the standard model under the modified Bilinear Decisional Diffie-Hellman (mBDDH) assumption.     

标准模型下高效的基于身份匿名广播加密方案

针对现实中广播加密的安全问题,提出一种标准模型下高效的基于身份匿名广播加密方案。匿名广播加密中广播者加密数据通过广播信道发送给用户,其中只有授权用户能够解密获得数据,同时任何人不能分辨出加密数据是发送给哪个用户的,从而保护了接收者用户的隐私。所提方案利用双系统加密技术,基于合数阶双线性群提出。同时,该方案基于静态假设,在标准模型中证明方案是选择明文安全的,密文和密钥取得了固定长度。和对比方案相比,所提方案密钥长度仅需2个群元素,同时方案满足匿名性。     

可追踪并撤销叛徒的属性基加密方案

属性基加密(ABE)是一种有效地对加密数据实现细粒度访问控制的密码学体制.在ABE系统中,存在恶意用户(或叛徒)泄露私钥生成盗版解码器,并将其分发给非法用户的问题.现有的解决方案仅能追查到密钥泄漏者的身份,但不能将其从ABE系统中撤销.文中提出了一种既可追踪又可撤销叛徒的属性基加密方案(ABTR).首先,给出一个具有扩展通配符的属性基加密方案(GWABE),基于3个3素数子群判定假设,采用双系统加密方法证明该GWABE方案是完全安全的.然后,利用完全子树构架将GWABE转化成ABTR方案,并证明该ABTR方案是完全安全的,且用户私钥长度是固定的.而此前的可追踪叛徒的ABE方案仅满足选择安全性.     

基于SM9的CCA安全广播加密方案

选择密文安全模型能有效刻画主动攻击,更接近现实环境.现有抵抗选择密文攻击的密码算法以国外算法为主,缺乏我国自主设计且能抵抗选择密文攻击的密码算法.虽然实现选择密文安全存在通用转化方法,代价是同时增加计算开销和通信开销.基于国密SM9标识加密算法,提出一种具有选择密文安全的标识广播加密方案.方案的设计继承了SM9标识加密算法结构,用户密钥和密文的大小都是固定的,其中用户密钥由一个群元素组成,密文由3个元素组成,与实际参与加密的接收者数量无关.借助随机谕言器,基于GDDHE困难问题可证明方案满足CCA安全.加密算法的设计引入虚设标识,通过该标识可成功回复密文解密询问,实现CCA的安全性.分析表明,所提方案与现有高效标识广播加密方案在计算效率和存储效率上相当.     

Lattice-based certificateless encryption scheme

Certificateless public key cryptography (CL-PKC) can solve the problems of certificate management in a public key infrastructure (PKI) and of key escrows in identity-based public key cryptography (ID-PKC). In CL-PKC, the key generation center (KGC) does not know the private keys of all users, and their public keys need not be certificated by certification authority (CA). At present, however, most certificateless encryption schemes are based on large integer factorization and discrete logarithms that are not secure in a quantum environment and the computation complexity is high. To solve these problems, we propose a new certificate-less encryption scheme based on lattices, more precisely, using the hardness of the learning with errors (LWE) problem. Compared with schemes based on large integer factorization and discrete logarithms, the most operations are matrixvector multiplication and inner products in our scheme, our approach has lower computation complexity. Our scheme can be proven to be indistinguishability chosen ciphertext attacks (IND-CPA) secure in the random oracle model.     

格上基于身份的广播加密方案

针对Wang等(WANG J, BI J. Lattice-based identity-based broadcast encryption. https://eprint.iacr.org/2010/288.pdf.)在随机预言机下提出的格基广播加密方案安全性较低且实用性较差的问题,利用盆景树扩展控制算法和一次签名算法构造了一个标准模型下基于格上错误学习(LWE)问题的身份基广播加密方案。首先利用一个编码函数替换随机预言机,将方案置于标准模型下;然后运行盆景树扩展控制算法生成用户的私钥和广播公钥;最后在加密阶段加入一次签名算法,提高方案的安全性。分析表明,相对于已有同类方案,新方案安全性较高达到了适应性攻击下选择密文安全(IND-ID-CCA)且方案具有动态扩展特性,能够通过用户身份矩阵的伸缩来实现用户的添加或删除,因此实用性较强。     

Fully CCA2 secure identity based broadcast encryption without random oracles

In broadcast encryption schemes, a broadcaster encrypts messages and transmits them to some subset S of users who are listening to a broadcast channel. Any user in S can use his private key to decrypt the broadcast. An identity based cryptosystem is a public key cryptosystem where the public key can be represented as an arbitrary string. In this paper, we propose the first identity based broadcast encryption (IBBE) scheme that is IND-ID-CCA2 secure without random oracles. The public key and ciphertext are constant size, and the private key size is linear in the total number of receivers. To the best of our knowledge, it is the first IBBE scheme that is fully CCA2 secure without random oracles. Moreover, our IBBE scheme is collusion resistant for arbitrarily large collusion of users.     

具有短密文的多身份全同态加密构造框架

类似于多密钥全同态加密（Multi-key Fully Homomorphic Encryption,MFHE）,多身份全同态加密（Multi-id Identity-basedFully Homomorphic Encryption,MIBFHE）允许对不同用户的密文进行关于任意函数的同态计算,且后者因具有加密密钥易获取、密钥托管和密钥撤销易实现等特点,具有更深远的应用前景。
Canetti等人在PKC 2017上给出了一个框架,可将身份加密方案（Identity-based Encryption,IBE）和MFHE方案转换成MIBFHE方案。若用基于DLWE假设的IBE方案和Brakerski与Perlman的全动态^①MFHE方案（以下简称BP方案）,可得到全动态的MIBFHE方案,但密文规模较大,为O（n⁵log⁵q）,这里n,q是DLWE假设的参数,且紧致性相比于MFHE方案变弱。因密文规模是影响通信效率的主要因素,本文构造了一个密文规模较小和紧致性较强的MIBFHE方案框架,且仅用了MFHE这一个构件,然后用BP方案去实例化,得到了全动态的、选择性安全的MIBFHE方案,其密文规模为O（nlogq）.     

Access control scheme with tracing for outsourced databases

To manage dynamic access control and deter pirate attacks on outsourced databases, a dynamic access control scheme with tracing is proposed. In our scheme, we introduce the traitor tracing idea into outsource databases, and employ a polynomial function and filter function as the basic means of constructing encryption and decryption procedures to reduce computation, communication, and storage overheads. Compared to previous access control schemes for outsourced databases, our scheme can not only protect sensitive data from leaking and perform scalable encryption at the server side without shipping the outsourced data back to the data owner when group membership is changed, but also provide trace-and-revoke features. When malicious users clone and sell their decryption keys for profit, our scheme can trace the decryption keys to the malicious users and revoke them. Furthermore, our scheme avoids massive message exchanges for establishing the decryption key between the data owner and the user. Compared to previously proposed publickey traitor tracing schemes, our scheme can simultaneously achieve full collusion resistance, full recoverability, full revocation, and black-box traceability. The proof of security and analysis of performance show that our scheme is secure and efficient.     

An Identity-Based Encryption with Equality Test scheme for healthcare social apps

It is tricky to determine whether two ciphertexts contain the same message when the messages are encrypted with different public keys. public key encryption with equality test (PKEET) addresses this problem without decryption. By integrating PKEET with identity-based encryption, identity-based encryption with equality test (IBEET) simplifies the certificate management in PKEET. In this paper, we first propose an IBEET scheme that can resist offline message recovery attacks (OMRA) and requires neither the dual-tester setting nor the group mechanism. With the help of some mathematical assumptions, we demonstrate the security of our scheme. Experiment results reveal that our scheme is efficient. From the perspective of usability, we explain why our scheme is more appropriate to be applied in healthcare social Apps than other OMRA-resistant schemes.