1.
Under conditions where both chosen-plaintext and chosen-ciphertext attacks are available to the adversary, this paper introduces the notions of classification-attack security and generalized classification-attack security for tweakable encryption schemes and proves that the two are equivalent. It further proves that a tweakable encryption scheme which is secure against the basic distinguishing attack and against left-or-right indistinguishability attacks is necessarily both classification-attack secure and generalized classification-attack secure, thereby showing that strongly secure tweakable encryption schemes always possess these two cryptographic properties.

2.
This paper proposes several new schemes which allow a sender to send encrypted messages to multiple recipients more efficiently (in terms of bandwidth and computation) than by using a standard encryption scheme. Most of the proposed schemes explore a new natural technique called randomness reuse. In order to analyze security of our constructions, we introduce a new notion of multirecipient encryption schemes (MRESs) and provide definitions of security for them. We finally show a way to avoid ad hoc analyses by providing a general test that can be applied to a standard encryption scheme to determine whether the associated randomness reusing MRES is secure. The results and applications cover both asymmetric and symmetric encryption.

3.
To solve the key escrow problem of the identity-based cryptosystem, Girault introduced the notion of a self-certified public key, which not only eliminates the need to authenticate a public key but also solves the key escrow problem. This paper proposes a Self-Certified Signature (SCS) scheme with message recovery and two variants without using bilinear pairings: one is the authenticated encryption scheme in which only the designated receiver can verify the signature, and the other is the authenticated encryption scheme with message linkage that deals with large messages. These three SCS schemes are provably secure in the random oracle model and are more efficient than previous schemes.

4.
Cryptographic computations are often carried out on insecure devices for which the threat of key exposure represents a serious concern. Forward security allows one to mitigate the damage caused by exposure of secret keys. In a forward-secure scheme, secret keys are updated at regular periods of time; exposure of the secret key corresponding to a given time period does not enable an adversary to "break" the scheme (in the appropriate sense) for any prior time period. We present the first constructions of (non-interactive) forward-secure public-key encryption schemes. Our main construction achieves security against chosen-plaintext attacks in the standard model, and all parameters of the scheme are poly-logarithmic in the total number of time periods. Some variants and extensions of this scheme are also given. We also introduce the notion of binary tree encryption and construct a binary tree encryption scheme in the standard model. Our construction implies the first hierarchical identity-based encryption scheme in the standard model. (The notion of security we achieve, however, is slightly weaker than that achieved by some previous constructions in the random oracle model.)

5.
In this paper we consider multiple encryption schemes built from conventional cryptosystems such as DES. The existing schemes are either vulnerable to variants of meet-in-the-middle attacks, i.e., they do not provide security corresponding to the full key length used, or there is no proof that the schemes are as secure as the underlying cipher. We propose a variant of two-key triple encryption with a new method of generating three keys from two. Our scheme is not vulnerable to the meet-in-the-middle attack and, under an appropriate assumption, we can show that our scheme is at least about as hard to break as the underlying block cipher. Received 22 June 1995 and revised 11 October 1996

6.
The problem of enciphering a stationary finite discrete message so that a cryptanalyst is unlikely to decrypt an intercepted cryptogram is considered. Additive-like instantaneous block (ALIB) encipherers are studied that employ a list of $e^{nr}$ key words of length $n$, called the cipher. An ALIB encipherer produces a cryptogram word of length $n$ from a message word and a key word of the same length by combining corresponding message letters and key-word letters. Certain technical restrictions are placed on the combining function. The decipherer uses a decoder which combines a letter from the key word used in enciphering with a letter from the cryptogram to form a letter of the decoded message. The cryptanalyst also decodes letter by letter with an identical decoder; however, he uses a key word that is not necessarily the one used in enciphering. For a given message source and combiner, the design of the cipher consists in choosing the block length $n$, the key rate $r$, and the set of $e^{nr}$ key words. These are to be chosen so that $p_w$, the probability of correct decryptment of the message word, and $p(\Delta)$, the probability that the per-letter nonzero Hamming distance between the decrypted message and the true message is smaller than $\Delta$, are very small for every cryptanalyst. A set of pairs $(\Delta, r)$ for which there exist ciphers with key rate $r$ such that $p_w$ and $p(\Delta)$ can be made arbitrarily small for every cryptanalyst is determined using the concepts of random ciphering and exponential bounding.

7.
徐津  温巧燕  王大印 《电子学报》2009,37(10):2187-2192
Many practical applications in information security require privacy and authenticity at the same time, which is usually achieved by combining an encryption mode with a message authentication code. This approach, however, processes the same message in two separate passes, one for encryption and one for authentication, which consumes a large amount of key material and is inefficient. Based on the CBC encryption mode, this paper designs a new one-pass authenticated encryption scheme, OXCBC, which provides privacy and authenticity simultaneously using only one key and one nonce, and which is more efficient than authenticated encryption schemes of the same type. Under the assumption that the block cipher is a strong pseudorandom permutation, the authenticity of the scheme is proved.

8.
Research on wireless key distribution based on short messages
To address the key-distribution problem encountered in secure wireless fax communication, this paper proposes a scheme for wireless key distribution over short messages. The scheme first encrypts the key to be distributed with a public-key algorithm, then assembles a PDU-mode short message and sends it through a GSM wireless module under the control of AT commands. The paper describes PDU mode, short-message control, the encoding scheme and the public-key encryption in detail, and gives the implementation flow of the whole system.

9.
Searchable encryption allows users to store their data in the cloud in encrypted form while still searching the ciphertext directly. However, most existing searchable encryption schemes work in a single-user-to-single-user setting, and the schemes that do support multiple users are built on traditional public-key cryptography or identity-based cryptography; they therefore suffer from certificate-management and key-escrow problems and are vulnerable to insider keyword-guessing attacks. Combining public-key authenticated encryption with proxy re-encryption, this paper proposes an efficient certificateless authenticated searchable encryption scheme for multi-user environments. The scheme uses proxy re-encryption to re-encrypt part of the ciphertext, so that authorized users can generate trapdoors from keywords to query the corresponding ciphertexts. In the random oracle model, the scheme is proved to resist insider keyword-guessing attacks by both types of adversaries in the certificateless setting, and its computation and communication efficiency is better than that of comparable schemes.

10.
In broadcast encryption schemes, a sender can broadcast an encrypted message securely over a hostile network to a set of legitimate system users only. In an IBE scheme any sender can encrypt the desired message using the receiver's identity without obtaining a public-key certificate. Here, we present an efficient ID-based broadcast encryption scheme (IBBE) for open networks. In this scheme, messages can be broadcast to any subset of the users by any sender, but only authorized receivers are capable of recovering the encrypted messages. This scheme has shorter decryption keys than other IBBE primitives for open networks. Moreover, the proposed scheme aims to achieve lower computation and transmission cost than earlier IBBE schemes.

11.
In this paper, we propose a new notion of secure disguisable symmetric encryption schemes, which captures the idea that the attacker can decrypt an encrypted file to different meaningful values when different keys are supplied to the decryption algorithm. This notion is aimed at the following anti-forensics purpose: the attacker can deceive the forensics investigator by decrypting an encrypted file to a meaningful file other than the one he encrypted, in the case that he is caught by the forensics investigator and ordered to hand over the decryption key. We then present a construction of secure disguisable symmetric encryption schemes.

12.
We study the problem of information-theoretically secure encryption in the bounded-storage model introduced by Maurer. The sole assumption of this model is a limited storage bound on an eavesdropper Eve, who is even allowed to be computationally unbounded. Suppose a sender Alice and a receiver Bob agreed on a short private key beforehand, and there is a long public random string accessible by all parties, say broadcast from a satellite or sent by Alice. Eve can only store some partial information of this long random string due to her limited storage. Alice and Bob read the public random string using the shared private key, and produce a one-time pad for encryption or decryption. In this setting, Aumann et al. proposed protocols with a nice property called everlasting security, which says that the security holds even if Eve later manages to obtain that private key. Ding and Rabin gave a better analysis showing that the same private key can be securely reused for an exponential number of times, against some adaptive attacks. We show that an encryption scheme with such nice properties can be derived immediately from any strong randomness extractor, a function which extracts randomness from a slightly random source, so that its output and its seed together are almost random. To have an efficient encryption scheme, one needs a strong extractor that can be evaluated in an on-line and efficient way. We give one such construction, which yields an encryption scheme that has the nice security properties as before but now can encrypt longer messages using shorter private keys.

13.
We propose here a transform which is a new kind of multi-level subband signal decomposition and reconstruction scheme. It is called Simplet, which stands for Simple transform, and is simple, easy to understand and perfectly reconstructible. No decomposition or reconstruction filter is explicitly required in Simplet. Another advantage of this transform is that the length of the decomposed components in each level of decomposition is equal to the length of the input signal. Computationally, Simplet can be made a constant-time transform. There are various forms of Simplet that can be used in various applications of signal and image processing. Simplet is of two types. One is useful for multiresolution signal analysis and the other for signal distortion. We use the latter type here for an encryption scheme. In the existing transforms, even when there is noise in the decomposed components, the reconstructed signal is perceptually intelligible. However, in Simplet the reconstructed signal is perceptually unintelligible when the decomposed components have noise in them. This property is made use of in our encryption scheme, which first uses Simplet to protect the distinguishable features of the signal by decomposing it into two or more distorted components and then encrypts them by using a special sequence of numbers. This sequence is called Meitei Lock Sequence (MLS) and is generated from a non-zero key vector of arbitrary length. An MLS is unique for a key vector. Once a signal is encrypted with an MLS, it can be decrypted only with that particular MLS. As an MLS is generated from an arbitrary vector, the search space for finding a particular MLS is very large and hence gives very tight security in our encryption scheme. We have found that the empirical correlation coefficient between an original signal and a signal decrypted using any decryption key that is different from (even if very close to) the actual key is sufficiently small. The encryption scheme is fast as both the Simplet and MLS are fast algorithms.

14.
Multireceiver identity (ID) based encryption and ID-based broadcast encryption allow a sender to use the public identities of multiple receivers to encrypt messages so that only the selected receivers or a privileged set of users can decrypt the messages. It can be used for many practical applications such as digital content distribution, pay-per-view and multicast communication. For protecting the privacy of receivers or providing receiver anonymity, several privacy-preserving (or anonymous) multireceiver ID-based encryption and ID-based broadcast encryption schemes were recently proposed, in which receiver anonymity means that nobody (including any selected receiver), except the sender, knows who the other selected receivers are. However, security incompleteness or flaws were found in these schemes. In this paper, we propose a new privacy-preserving multireceiver ID-based encryption scheme with provable security. We formally prove that the proposed scheme is semantically secure for confidentiality and receiver anonymity. Compared with the previously proposed anonymous multireceiver ID-based encryption and ID-based broadcast encryption schemes, the proposed scheme has better performance and robust security. Copyright © 2012 John Wiley & Sons, Ltd.

15.
This work builds on earlier work by Rogaway at Asiacrypt 2004 on tweakable block ciphers (TBCs) and modes of operation. Our first contribution is to generalize Rogaway's TBC construction by working over a ring and by the use of a masking sequence of functions. The ring can be instantiated as either GF or as . Further, over GF, efficient instantiations of the masking sequence of functions can be done using either a binary linear feedback shift register (LFSR); a powering construction; a cellular automata map; or a word-oriented LFSR. Rogaway's TBC construction was built from the powering construction over GF. Our second contribution is to use the general TBC construction to instantiate constructions of various modes of operation, including authenticated encryption (AE) and message authentication codes (MAC). In particular, this gives rise to a family of efficient one-pass AE modes of operation. Out of these, the mode of operation obtained by the use of a word-oriented LFSR promises to provide a masking method which is more efficient than the one used in the well-known AE protocol called OCB1.

16.
Advances in quantum computers pose potential threats to the currently used public key cryptographic algorithms such as RSA and ECC. As promising candidates against attackers equipped with quantum computational power, Multivariate Public Key Cryptosystems (MPKCs) have attracted increasing attention in recent years. Unfortunately, the existing MPKCs can only be used as multivariate signature schemes, and the way to construct an efficient MPKC enabling secure encryption remains unknown. By employing the basic MQ trapdoors, this paper proposes a novel multivariate encryption scheme that combines MPKCs with code-based public key encryption schemes. Our new construction gives a positive response to the challenges in multivariate public key cryptography. Thorough analysis shows that our scheme is secure and efficient, and its private key size is about 10 times smaller than that of McEliece-type cryptosystems.

17.
Research on a data encryption scheme supporting homomorphic arithmetic operations
In computing services, encrypting user information to protect privacy makes it impossible to compute on the ciphertext. To address this, an efficient homomorphic encryption scheme, CESIL, supporting the four arithmetic operations on ciphertexts is proposed; it consists of four algorithms: key generation, encryption, decryption and ciphertext operation. The scheme first redefines vector addition and multiplication with the help of a polynomial ring, constructing a ring of polynomial coefficient vectors; it then uses an ideal lattice to partition the vector ring into residue classes, establishing a quotient ring and a set of representatives; finally, it maps an integer plaintext to a representative and replaces that representative with another element of the same residue class, thereby encrypting the plaintext. The arithmetic of the quotient ring guarantees that CESIL supports addition and multiplication on ciphertexts. In the implementation of CESIL, the fast Fourier transform (FFT) is used to further improve efficiency and reduce key length. Theoretical analysis and experimental results show that CESIL is semantically secure and that, compared with some existing homomorphic encryption schemes, it supports more kinds of operations, runs faster, and has smaller keys and ciphertexts, thus better meeting the needs of practical applications.

18.
Identity-based encryption is an encryption scheme that uses a user's identity directly as the public key. Since the notion was proposed, many identity-based encryption schemes have been built from bilinear pairings, but most of them use symmetric pairings, which require the two input groups of the map to be the same. This undoubtedly narrows the range of elliptic curves that can be used for the pairing. This paper works under a more general condition, asymmetric bilinear pairings, and constructs a new identity-based encryption scheme in the standard model based on the hardness of the decisional bilinear Diffie-Hellman (BDHE) problem, proving that it achieves indistinguishability under selective-identity chosen-plaintext attacks (IND-sID-CPA) in the standard model.

19.
付安民  宋建业  苏铓  李帅 《电子学报》2017,45(12):2863-2872
In cloud storage, client-side data deduplication detects duplicate files locally, effectively saving storage space and network bandwidth. However, client-side deduplication still faces many security challenges. First, because a file's hash value serves as the evidence for duplicate detection, an attacker may well obtain the entire file from its hash value alone; second, to protect data privacy, convergent encryption is widely used in deduplication schemes, but because the data itself is predictable, convergent encryption remains vulnerable to brute-force dictionary attacks. To address these problems, this paper is the first to construct a secure key-generation protocol from blind signatures: by introducing a key server, it encrypts the convergent key a second time and effectively prevents brute-force dictionary attacks. It further proposes a proof-of-ownership method based on block-key signatures, which effectively prevents an attacker from obtaining a file from a single hash value and at the same time achieves both file-level and block-level deduplication of ciphertext files. Security analysis shows that the scheme is provably secure in the random oracle model and satisfies additional security properties, including convergent-key security, tag consistency and resistance to brute-force dictionary attacks. Moreover, compared with existing schemes, experimental results show that the scheme has relatively low computational overhead for file upload and deduplication.

20.
吴佳隆  任清华  李明 《信号处理》2021,37(4):528-535
Battlefield wireless networks are fully open, broadcast in nature and mobile in real time, which exposes their communication systems to security risks. To ensure the secure and effective transmission of messages within a battlefield network, this paper studies the security of physical-layer signals and, combining transform-domain communication with classical encryption, proposes a secrecy-enhancing security scheme based on MP-WFRFT built on a channel-derived shared key. A physical-layer secure encryption model is established, a channel-probing and shared-key generation method is given, and, with the support of a constellation-scrambling scheme, the transmitted signal constellation is scrambled by MP-WFRFT hybrid-carrier modulation with multiple encryption parameters. Simulation shows that the scheme increases the constellation entropy of signals within the battlefield wireless network and substantially improves bit-error-rate performance over previous schemes, offering a new approach to improving the overall performance of battlefield wireless networks.
