Similar literature
1.
Since the first practical and secure public-key encryption scheme without random oracles was proposed by Cramer and Shoup in 1998, Cramer–Shoup's scheme and its variants remained the only practical and secure public-key encryption schemes without random oracles until 2004. In 2004, Canetti et al. proposed a generic transformation from a selective identity-based encryption scheme to a public-key encryption scheme by adding a strongly unforgeable one-time signature scheme. Since then, other transformation techniques from a selective identity-based encryption scheme to a public-key encryption scheme have been proposed to improve computational efficiency, for example, Boneh–Katz's construction and Boyen–Mei–Waters' scheme. These transformations have traded off either the public verifiability property or the tightness of the security reduction. In 2007, Zhang proposed another generic transformation based on Chameleon hash functions. In this paper, we introduce another technique, from Boneh–Boyen's selective identity-based encryption scheme to a public-key encryption scheme, which is publicly verifiable and is slightly more efficient than Zhang's transformation. The proposed public-key encryption scheme is based on the decisional bilinear Diffie–Hellman assumption and target collision resistant hash functions.

2.
杨斌, 熊选东, 苏克军. 《计算机应用》 (Journal of Computer Applications), 2008, 28(11): 2835-2836
Combining mediated identity-based encryption with certificateless encryption, a mediated identity-based encryption (V-MIBE) scheme is designed. The new scheme is constructed from bilinear pairings on elliptic curves; it resolves the key escrow problem by applying the certificateless encryption idea and the key revocation problem by introducing a mediator. The new scheme resists attacks that replace a user's public key. Compared with existing identity-based encryption schemes, the security of the new scheme is significantly improved.

3.
A practical and provably secure IBE scheme without bilinear pairings
According to the MOV reduction theory, identity-based encryption schemes constructed from bilinear pairings lose the efficiency advantage of elliptic curves. To address this, drawing on the combined public key (CPK) system, a provably secure identity-based encryption scheme without bilinear pairings is proposed; by adopting the Katz-Wang double-public-key idea, the scheme's security proof in the random oracle model has a "tight" reduction. To show that the proposed scheme is practical, its reduction tightness and execution efficiency are analyzed. To make the proposed scheme equally practical in systems with a large number of users, a multi-domain basic model is proposed.

4.
A certificateless cryptosystem needs no certificates to manage public keys and has no key escrow function of the kind found in identity-based cryptosystems. This paper describes a certificateless encryption algorithm constructed from the SM2 encryption algorithm and proves, in the random oracle and algebraic group models, that its security reduces to the Gap Diffie-Hellman complexity assumption. The constructed algorithm is therefore provably secure and can be deployed quickly on existing SM2 algorithm components. A cryptosystem using this algorithm has simple key management and efficient implementation, making it well suited to application scenarios such as the Internet of Things that need lightweight public-key algorithms.

5.
At EUROCRYPT 2004, Canetti, Halevi and Katz proposed a method for converting a selective-ID secure identity-based encryption scheme into a chosen-ciphertext secure public-key encryption scheme. Because the method requires a one-time signature, it adds noticeable communication and computation overhead to the underlying scheme. To improve the computational efficiency of encryption, this paper presents a conversion from the selective identity-based encryption scheme of Boneh-Boyen to a public-key encryption scheme; the conversion is publicly verifiable and its efficiency is also improved. The scheme is based on the decisional bilinear Diffie-Hellman assumption and collision-resistant hash functions.

6.
Proxy re-encryption (PRE) allows a semi-trusted proxy to convert a ciphertext originally intended for one user into another ciphertext of the same message intended for another user, while the proxy learns nothing about the encrypted message. In previous papers, in order to achieve CCA2 security, a common method for constructing PRE schemes was to apply the paradigm of using a strongly unforgeable one-time signature, which transforms a selective-identity, CPA-secure identity-based encryption (IBE) scheme into a CCA-secure cryptosystem. In this paper, we propose a direct design of a bidirectional CCA-secure PRE scheme, which makes direct use of the underlying IBE structure and does not need any auxiliary signature mechanism. Our construction is efficient and suitable for further designing multi-user PRE schemes. Its security is proved on the basis of the decisional bilinear Diffie-Hellman assumption in the standard model.

7.
As one of the important methods for solving the problem of computing over data encrypted under multiple public keys in cloud environments, ciphertext equality test technology allows data encrypted under different public keys to be compared, so that a tester can determine whether the plaintexts corresponding to ciphertexts are equal without decrypting the ciphertexts. This paper first introduces the concept of ciphertext equality testing and its security model, and summarizes the applicable scenarios and the corresponding inputs and outputs of the six authorization modes proposed so far; it then compares the similarities and differences between ciphertext equality testing and public key searchable encryption, and describes and analyzes several typical ciphertext equality test schemes, including public-key, identity-based and attribute-based ones; finally, it discusses the application scenarios of ciphertext equality testing and looks ahead to future research.

8.
The chosen-ciphertext security model effectively captures active attacks and is closer to real-world environments. Existing cryptographic algorithms that resist chosen-ciphertext attacks are mainly foreign; there is a lack of independently designed domestic algorithms that resist chosen-ciphertext attacks. Although generic conversions that achieve chosen-ciphertext security exist, their cost is an increase in both computation and communication overhead. Based on the national standard SM9 identity-based encryption algorithm, this paper proposes a chosen-ciphertext secure identity-based broadcast encryption scheme. The design inherits the structure of the SM9 identity-based encryption algorithm; the user key and the ciphertext are both of constant size, the user key consisting of one group element and the ciphertext of three elements, independent of the number of receivers actually taking part in encryption. Using a random oracle, the scheme is proven to satisfy CCA security under the GDDHE hardness problem. The encryption algorithm introduces a dummy identity, through which ciphertext decryption queries can be answered, achieving CCA security. Analysis shows that the proposed scheme is comparable to existing efficient identity-based broadcast encryption schemes in computation and storage efficiency.

9.
Certificateless public key encryption not only avoids the complex public key certificate management of public key encryption but also solves the key escrow problem of identity-based encryption. This paper integrates the parallel key-insulated scheme into certificateless public key encryption and proposes a new certificateless parallel key-insulated encryption (CL-PKIE) scheme. The new scheme meets the security requirements of harsh and complex practical application environments and mitigates the key exposure problem. The concrete construction of the CL-PKIE scheme is given and its IND-CCA2 security is proven in the random oracle model.

10.
Identity-based hash proof system is a basic and important primitive. It is widely utilized to construct cryptographic schemes and protocols that are secure against key-leakage attacks. In this paper, we introduce the concept of updatable identity-based hash proof system, in which the related master secret key and the identity secret key can be updated securely. Then, we instantiate this primitive based on lattices in the standard model. Moreover, we introduce an application of this new primitive by giving a generic construction of leakage-resilient public-key encryption schemes with anonymity. This construction can be considered as the integration of the bounded-retrieval model and the continual leakage model. Compared with the existing leakage-resilient schemes, our construction not only is more efficient but also can resist much more key leakage.

11.
Signcryption is a high performance cryptographic primitive that fulfills both the functions of digital signature and public key encryption simultaneously, at a cost significantly lower than that required by the traditional signature-then-encryption approach. In this paper, we introduce biometrics into identity-based signcryption. We formalize the notion of biometric identity-based signcryption and propose an efficient biometric identity-based signcryption scheme that uses biometric information to construct the public key. We prove that our scheme satisfies confidentiality and unforgeability in the random oracle model. We show that both the computational costs and the communication overheads of our scheme are lower than those of the signature-then-encryption approach.

12.
Group key agreement (GKA) is one of the traditional ways to guarantee subsequent secure group communications. However, conventional GKA protocols face two limitations: they require two or more rounds to establish secure channels, and they are sender restricted. Asymmetric group key agreement (AGKA) eliminates the above two limitations of GKA. It allows a group of users to establish a public group encryption key and a different secret decryption key for each group member in one round. Any user who knows the group encryption key can encrypt to the group members. This paper studies authenticated AGKA in certificateless and identity-based public key cryptosystems. We formalize the security model of certificateless authenticated asymmetric group key agreement and realize a one-round certificateless authenticated asymmetric group key agreement protocol to resist active attacks in the real world. We also investigate the relation between certificateless authenticated AGKA and identity-based authenticated AGKA. We propose a concrete conversion from certificateless authenticated AGKA to session key escrow-free identity-based authenticated AGKA.

13.
We address the cryptographic topic of proxy re-encryption (PRE), which is a special public-key cryptosystem. A PRE scheme allows a special entity, known as the proxy, to transform a message encrypted with the public key of a delegator (say Alice) into a new ciphertext that is protected under the public key of a delegatee (say Bob), so that the same message can then be recovered with Bob's private key. In this paper, in the identity-based setting, we first investigate the relationship between so-called mediated encryption and unidirectional PRE. We provide a general framework which converts any secure identity-based unidirectional PRE scheme into a secure identity-based mediated encryption scheme, and vice versa. Concerning the security of unidirectional PRE schemes, Ateniese et al. previously suggested an important property known as master secret security, which requires that the coalition of the proxy and Bob cannot expose Alice's private key. In this paper, we extend the notion to the identity-based setting, and present an identity-based unidirectional PRE scheme which not only is provably secure against chosen ciphertext attack in the standard model but also achieves master secret security at the same time.

14.
柳欣. 《计算机应用》 (Journal of Computer Applications), 2012, 32(3): 699-704
The hidden identity signature scheme based on bilinear pairings does not satisfy exculpability or chosen-ciphertext attack (CCA) anonymity, while the hidden identity signature scheme constructed over RSA groups has high communication and computation cost. To address this, exculpability is achieved using the block message signature technique, and an improved scheme that allows a distributed opening authority is proposed. By applying distributed key extraction and concurrently executable proofs of knowledge to the underlying threshold encryption scheme, the improved scheme effectively distributes the power of the opening authority. In addition, to overcome the inability of traditional serial registration to resist denial-of-service attacks, the registration process is strengthened into a concurrently secure protocol using proofs of knowledge of commitments. In the random oracle model, the improved scheme is proven to satisfy all required security properties. Comparative experimental results show that the improved scheme has shorter signatures and lower signing and verification cost, and that the threshold decryption performed by trusted servers is concurrently secure and provably secure in the adaptive adversary model.

15.
Identity-based cryptosystems simplify the management of public key certificates; identity-based digital signatures have become a research hotspot in public key cryptography, and security is a key factor in constructing identity-based digital signature schemes. This paper introduces identity-based digital signature technology and gives a scheme model and a security model. Using this model, secure and efficient identity-based digital signature schemes can be constructed.

16.
Design of DL-based certificateless digital signatures
Public-key cryptosystems that do not require digital certificates are very attractive in wireless communications because of the limited communication bandwidth and computational resources of mobile wireless devices. To eliminate public-key digital certificates, Shamir introduced the concept of the identity-based (ID-based) cryptosystem. The main advantage of the ID-based cryptosystem is that, instead of using a random integer as each user's public key as in traditional public-key systems, the user's real identity, such as the user's name or email address, becomes the user's public key. However, all identity-based signature (IBS) schemes have the inherent key escrow problem, that is, the private key generator (PKG) knows the private key of each user. As a result, the PKG is able to sign any message on the users' behalf. This violates the "non-repudiation" requirement of digital signatures. To solve the key escrow problem of IBS while still taking advantage of its benefits, certificateless digital signature (CDS) was introduced. In this paper, we propose a generalized approach to construct CDS schemes. In our proposed CDS scheme, the user's private key is known only to the user himself; therefore, it eliminates the key escrow problem at the PKG. The proposed construction can be applied to all Discrete Logarithm (DL)-based signature schemes to convert a digital signature scheme into a CDS scheme. The proposed CDS scheme is secure against adaptive chosen-message attack in the random oracle model. In addition, it is also efficient in signature generation and verification.

17.
A practical and provably secure IBE scheme in the standard model
The combined public key (CPK) scheme is a well-known scheme for generating users' encryption keys and private keys in identity-based cryptosystems. To address the collusion attack on the CPK scheme, an extended scheme achieves collusion resistance by extending only the private key generation process. On this basis, a new identity-based encryption scheme that is provably secure under the Decisional Bilinear Diffie-Hellman assumption in the standard model is constructed. Finally, to show the practicality of the new scheme, the collision resistance of user encryption keys in the extended CPK scheme is analyzed, and the new scheme is compared with three well-known schemes of the same kind in the reduction tightness of the security proof, the time complexity of encryption and decryption, and the ciphertext length, showing that the new scheme has the best current figures on these three points. The new scheme is therefore relatively practical.

19.
Achieving shorter ciphertext length under weaker assumptions in chosen-ciphertext (CCA) secure public-key encryption (PKE) is one of the most important research topics in cryptography. However, it is also known that it is hard to construct a CCA-secure PKE whose ciphertext overhead is less than two group elements in the underlying prime-order group under non-interactive assumptions. A naive approach for achieving more compactness than the above bound is to use random oracles (ROs), but the full RO has various ideal properties like programmability. In this paper, we pursue how to achieve compact PKE only with a minimum ideal property of ROs. Specifically, only with observability, we can give three CCA-secure PKE schemes whose ciphertext overhead is less than two group elements. Our schemes are provably secure under standard assumptions such as the CDH and DDH assumptions. This study shows that ideal properties other than observability are not necessary to construct compact PKE beyond the bound.

20.
The certificateless encryption (CLE) scheme proposed by Baek, Safavi-Naini and Susilo is computation-friendly since it does not require any pairing operation. Unfortunately, an error was later discovered in their security proof and so far the provable security of the scheme remains unknown. Recently, Fiore, Gennaro and Smart showed a generic way (referred to as the FGS transformation) to transform identity-based key agreement protocols into certificateless key encapsulation mechanisms (CL-KEMs). As a typical example, they showed that the pairing-free CL-KEM underlying Baek et al.'s CLE can be "generated" by applying their transformation to the Fiore–Gennaro (FG) identity-based key agreement (IB-KA) protocol. In this paper, we show that directly applying the Fiore–Gennaro–Smart (FGS) transformation to the original FG IB-KA protocol in fact results in a CL-KEM scheme that is insecure against strong adversaries; we also give a way to fix the problem without adding any computational cost. The reason behind our attack is that the FGS transformation requires the underlying IB-KA protocol to be secure in a model that is stronger than the conventional security models in which existing IB-KA protocols are proved secure, and the FG IB-KA protocol is in fact insecure in the new model. This motivates us to construct a new generic transformation from IB-KA protocols to CLE schemes. In the paper we present such a transformation, which only requires the underlying IB-KA protocol to be secure in a security model that is weaker than the existing security models for IB-KA protocols. We illustrate our transformation by generating a new pairing-free CLE scheme obtained by directly applying our transformation to the original FG IB-KA protocol.
