Group-oriented fair exchange of signatures

Optimistic Fair Exchange (OFE) of digital signatures allows two parties to exchange their signatures in a fair manner so that a third party, called the arbitrator, gets involved only when there is a dispute. Previous work on OFE considers the two parties as individuals and there is no formal study on the scenario where the two parties are two groups of users. In this paper, we formalize this new variant and call it a Group-oriented Optimistic Fair Exchange (GOFE). GOFE allows two users from two different groups to exchange signatures on behalf of their groups in a fair and anonymous manner. We formalize the notion by providing the first set of security models for GOFE, and show that it is closely related to Ambiguous OFE (AOFE) proposed by Huang et al. in Asiacrypt 2008. In particular, we propose a generic transformation which converts a GOFE to an AOFE. We also give an efficient and concrete GOFE construction and prove its security under the security models we defined. The security of the scheme relies on the decision linear assumption and strong Diffie-Hellman assumption in the random oracle model.     

Accumulable optimistic fair exchange from verifiably encrypted homomorphic signatures

Let us consider a situation where a client (Alice) frequently buys a certain kind of product from a shop (Bob) (e.g., an online music service sells individual songs at the same price, and a client buys songs multiple times in a month). In this situation, Alice and Bob would like to aggregate the total transactions and pay once per month because individual payments are troublesome. Though optimistic fair exchange (OFE) has been considered in order to swap electronic items simultaneously, known OFE protocols cannot provide such aggregate function efficiently because various costs are bounded by the number of transactions in the period. In order to run this aggregation procedure efficiently, we introduce a new kind of OFE called accumulable OFE (AOFE) that allows clients to efficiently accumulate payments in each period. In AOFE, any memory costs, computational costs, and communication complexity of the payment round must be constant in terms of the number of transactions. Since a client usually has just a low power and poor memory device, these efficiencies are desirable in practice. Currently, known approaches (e.g., based on verifiably encrypted signature scheme) are not very successful for constructing AOFE. Thus, we consider a new approach based on a new cryptographic primitive called verifiably encrypted homomorphic signature scheme (VEHS). In this paper, we propose a generic construction of AOFE from VEHS and also present a concrete VEHS scheme over a composite-order bilinear group by using the dual-form signature techniques. This VEHS scheme is also of independent interest. Since we can prove the security of VEHS without random oracles, our AOFE protocol is also secure without random oracles. Finally, we implemented our AOFE protocol, and it is efficient enough for practical use.     

Sakai–Ohgishi–Kasahara identity-based non-interactive key exchange revisited and more

Identity-based non-interactive key exchange (IB-NIKE) is a powerful but a bit overlooked primitive in identity-based cryptography. While identity-based encryption and signature have been extensively investigated over the past three decades, IB-NIKE has remained largely unstudied. So far, there are only few IB-NIKE schemes in the literature. Among them, Sakai–Ohgishi–Kasahara (SOK) scheme is the first efficient and secure two-party IB-NIKE scheme, which has great influence on follow-up works. However, the SOK scheme required its identity mapping function to be modeled as a random oracle to prove security. Moreover, its existing security proof heavily relies on the ability of programming the random oracle. It is unknown whether such reliance is inherent. In this work, we intensively revisit the SOK IB-NIKE scheme and present a series of possible and impossible results in the random oracle model and the standard model. In the random oracle model, we first improve previous security analysis for the SOK IB-NIKE scheme by giving a tighter reduction. We then use meta-reduction technique to show that the SOK scheme is unlikely proven to be secure based on the computational bilinear Diffie–Hellman assumption without programming the random oracle. In the standard model, we show how to instantiate the random oracle in the SOK scheme with a concrete hash function from admissible hash functions (AHFs) and indistinguishability obfuscation. The resulting scheme is adaptively secure based on the decisional bilinear Diffie–Hellman inversion assumption. To the best of our knowledge, this is the first adaptively secure IB-NIKE scheme in the standard model that does not explicitly require multilinear maps. Previous schemes in the standard model either have merely selective security or require programmable hash functions from multilinear maps. At the technical heart of our scheme, we generalize the definition of AHFs and propose a generic construction which enables AHFs with previously unachieved parameters. This might be of independent interest. In addition, we present some new results about IB-NIKE. Firstly, we propose a generic construction of multiparty IB-NIKE from extractable witness PRFs and existentially unforgeable signatures. Secondly, we investigate the relation between semi-adaptive security and adaptive security of IB-NIKE. Somewhat surprisingly, we show that these two notions are polynomially equivalent.     

An efficient secure proxy verifiably encrypted signature scheme

Verifiably encrypted signature is an important cryptographic primitive, it can convince a verifier that a given ciphertext is an encryption of signature on a given message. It is often used as a building block to construct an optimistic fair exchange. In this paper, we propose a new concept: a proxy verifiably encrypted signature scheme, by combining proxy signature with a verifiably encrypted signature. And we formalize security model of proxy verifiably encrypted signature. After a detail construction is given, we show that the proposed scheme is provably secure in the random oracle model. The security of the scheme is related to the computational Diffie–Hellman problem.     

Generic Certificateless Encryption Secure Against Malicious-but-Passive KGC Attacks in the Standard Model

Despite the large number of certificateless encryption schemes proposed recently, many of them have been found insecure under a practical attack, called malicious-but-passive KGC (Key Generation Center) attack. In this work we propose the first generic construction of certificateless encryption, which can be proven secure against malicious-but-passive KGC attacks in the standard model. In order to encrypt a message of any length, we consider the KEM/DEM (key encapsulation mechanism/data encapsulation mechanism) framework in the certificateless setting, and propose a generic construction of certificateless key encapsulation mechanism (CL-KEM) secure against malicious-but-passive KGC attacks in the standard model. It is based on an identity-based KEM, a public key encryption and a message authentication code. The high efficiency of our construction is due to the efficient implementations of these underlying building blocks, and is comparable to Bentahar et al.’s CL-KEMs, which have only been proven secure under the random oracle model with no consideration of the malicious-but-passive KGC attack. We also introduce the notion of certificateless tag-based KEM (CL-TKEM), which is an extension of Abe et al.’ s work to the certificateless setting. We show that an efficient CL-TKEM can be constructed by modifying our CL-KEM scheme. We also show that with a CL-TKEM and a data encapsulation mechanism secure under our proposed security model, an efficient certificateless hybrid encryption can be constructed by applying Abe et al.'s transformation in the certificateless setting.     

适应性选择密文安全的可公开验证加密方案

在密钥托管、电子公平交易、可公开分享和安全多方计算中,对可公开验证加密有广泛的应用需求,但是已有的可公开验证加密方案或者是选择明文安全的,或者是在随机预言机模下是选择密文安全的,显然不满足诸多复杂应用环境的安全需求。在对已有可公开验证方案的分析和现实应用需求的基础上,结合CS加密方案,利用非交互性零知识证明协议提出了一个新的可公开验证的加密方案,新方案使得除发送方和接收方外的任何第三方都可以验证密文的有效性,且不会泄露消息的其他任何信息。最后,相对于随机预言机模型,在标准模型下证明了新方案是适应性选择密文安全的。     

基于身份的可验证加密签名协议的安全性分析

利用Hess的基于身份的数字签名方案，Gu和Zhu提出了一个基于身份的可验证加密签名协议，并认为该协议在随机预言模型下是可证明安全的，从而可以作为基本模块用于构建安全的基于身份的公平交换协议．文章对该协议的安全性进行了深入分析，结果表明该协议存在如下的安全缺陷：恶意的签名者可以很容易地构造出有效的可验证加密签名，但是指定的仲裁者却不能把它转化成签名者的普通签名，因此不能满足可验证加密签名协议的安全需求；而且该协议容易遭受合谋攻击．     

Fair exchange protocol of Schnorr signatures with semi-trusted adjudicator

In this paper, we propose an optimistic fair exchange protocol of Schnorr signatures with a semi-trusted adjudicator. In this protocol, we enforce the adjudicator accountability in the protocol to relax excessive reliance on the trust of the adjudicator, so that the adjudicator only needs to be trusted by the signer. We present a security model and then show that the protocol is strong EUF–CMA secure under the standard Discrete Logarithm (DL) assumption in the random oracle model. Finally, we compare the performance of the fair exchange protocol of Schnorr signatures.     

Certificateless signcryption scheme in the standard model

Certificateless public key signcryption scheme is an important cryptographic primitive in cryptography. Barbosa and Farshim proposed a certificateless signcryption scheme. However, their construction is proven to be secure in the random oracle model but not the standard model, and the scheme is also vunlerable to the malicious-but-passive key generation center (KGC) attacks. To overcome these disadvantages, we introduce a formal security model for certificateless signcryption schemes secure against the malicious-but-passive KGC attacks and propose a novel certificateless signcryption scheme. The proposed certificateless signcryption scheme is proven to be IND-CCA2 secure under the decisional Bilinear Diffie-Hellman intractability assumption without using the random oracles. The proposed scheme is also proven to be existentially unforgeable under the computational Diffie-Hellman intractability assumptions. Furthermore, performance analysis shows that the proposed scheme is efficient and practical.     

基于RSA密码体制构造一类新型的CEMBS

公平性是电子商务协议的基本安全要求之一，CEMBS是一种重要的用于构造公平交换协议的密码部件，分析了现有的CEMBS构造方法中存在的问题，首次提出了一种基于RSA密码体制的简洁、高效、安全的CEMBS构造方法，在此基础上，利用这一新型的CEMBS构建了一类重要的公平交换协议。     

A New Rabin-type Trapdoor Permutation Equivalent to Factoring

Public key cryptography has been invented to overcome some key management problems in open networks. Although nearly all aspects of public key cryptography rely on the existence of trapdoor one-way functions, only a very few candidates for this primitive have been observed yet. In this paper, we introduce a new trapdoor one-way permutation based on the hardness of factoring integers of p²q-type. We point out that there are some similarities between Rabin's trapdoor permutation and our proposal. Although our function is less efficient, it possesses a nice feature which is not known for modular squaring, namely there is a variant with a different and easy-to-handle domain. Thus it provides some advantages for practical applications. To confirm this statement, we develop a simple hybrid encryption scheme based on our proposed trapdoor permutation that is CCA-secure in the random oracle model.     

Efficient forward secure identity-based shorter signature from lattice

All regular cryptographic schemes rely on the security of the secret key. However, with the explosive use of some relatively insecure mobile devices, the key exposure problem has become more aggravated. In this paper, we propose an efficient forward secure identity-based signature (FSIBS) scheme from lattice assumption, with its security based on the small integer solution problem (SIS) in the random oracle model. Our scheme can guarantee the unforgeability of the past signatures even if the current signing secret key is revealed. Moreover, the signature size and the secret key size of our scheme are unchanged and much shorter. To the best of our knowledge, our construction is the first FSIBS scheme based on lattice which can resist quantum attack. Furthermore, we extend our FSIBS scheme to a forward secure identity-based signature scheme in the standard model.     

一种高效的同态时控承诺方案

Boneh和Naor在2000年美密会上提出了时控承诺机制,它能抵抗并行暴力攻击,且保留了强制打开承诺值的可能性。之后,时控承诺机制在密码学许多领域得到了大量应用,例如公平交换协议、公平多方安全计算及公平多方抛币协议。然而,在Boneh-Naor方案中,每次承诺均需要大量的模幂运算和网络带宽,效率很低。本文基于Pedersen承诺机制、GBBS假设和主时间线元素组技术,构造了一种高效的同态时控承诺方案。新方案中主时间线元素组仅在初始化阶段进行一次运算与证明,极大地节省了每次承诺的计算时间和网络带宽。其次,相比于其它方案,新方案具有另一重要特性:同态性。     

一个改进的无证书签名和盲签名方案

改进了Zhang等人的无证书签名方案,使新的无证书签名方案在签名和验证阶段只需两个双线性运算。新的无证书签名方案在随机预言模型下被证明是安全的。它的安全性建立在计算Diffie-Hellman问题的困难性之上。同时,基于新的无证书签名方案,还给出一个无证书盲签名方案。无证书盲签名方案的安全性归结到新的无证书签名方案的安全性。     

Public key encryption without random oracle made truly practical

In this paper, we report our success in identifying an efficient public key encryption scheme whose formal security proof does not require a random oracle. Specifically, we focus our attention on a universal hash based public key encryption scheme proposed by Zheng and Seberry at Crypto’92. Although Zheng and Seberry’s encryption scheme is very simple and efficient, its reductionist security proof has not been provided. We show how to tweak the Zheng-Seberry scheme so that the resultant scheme not only preserves the efficiency of the original scheme but also admits provable security against adaptive chosen ciphertext attack without random oracle. For the security proof, our first attempt is based on a strong assumption called the oracle Diffie-Hellman⁺ assumption. This is followed by a more challenging proof that employs a weaker assumption called the adaptive decisional Diffie-Hellman assumption, which is in alignment with adaptively secure assumptions advocated by Pandey, Pass and Vaikuntanathan.     

Certificate-based verifiably encrypted signatures from pairings

We propose a new verifiably encrypted signature scheme from pairings by choosing a certificate authority (CA) as an adjudicator. In this scheme, a certificate, or generally, a signature acts not only as the binding of the public key and its holder, but also as CA’s guarantee against partiality in adjudication. Under the CDH assumption and in the random oracle model, we show that the new scheme is EUF-CMA secure in a stronger security model. In this security model, there are three types of inside adversaries with more power than those in previous verifiably encrypted signature schemes. The proposed scheme can solve the authentication problem of public keys and relax excessive reliance on the trustworthiness of the adjudicator so that the adjudicator only needs to be trusted by the signer. Hence, the fair exchange protocols of signatures based on the new scheme is more trustworthy and practical than the previous ones.     

一个高效的可验证加密签名方案

利用椭圆曲线上的双线性对,构造一个新的可验证加密签名方案,该方案在随机预言模型下具有不可伪造性和不透明性。由于该方案只有两次对运算,所以运算效率很高。可验证加密签名常用来构造优化公平交换协议,在电子商务领域里有着广泛应用。     

具有强匿名性的网关口令认证密钥交换协议

网关口令认证密钥交换协议允许用户和网关在服务器的协助下建立起一个共享的会话密钥,其中用户和服务器之间的认证通过低熵的口令来完成.已有的网关口令认证密钥交换协议对用户的匿名性研究不足.该文基于Diffie-Hellman密钥交换提出了具有强匿名性的网关口令认证密钥交换协议,并且在随机预言模型下基于标准的DDH假设证明了协议的安全性.新协议可以抵抗不可检测在线字典攻击并且计算效率高,安全性和计算效率都优于已有的同类协议.     

安全的无双线性映射的无证书签密机制

无证书签密是能够同时提供无证书加密和无证书签名的一种非常重要的密码学原语.近年来,多个无证书签密方案相继被提出,并声称他们的方案是可证明安全的.但是,通过给出具体的攻击方法,指出现有的一些无证书签密机制并不具备其所声称的安全性.针对上述问题,提出一种无双线性映射的高效无证书签密方案,并在随机谕言机模型下,基于计算性Diffie-Hellman问题和离散对数问题对所提方案的安全性进行了证明.同时,该方案还具有不可否认性和公开验证性等安全属性.与其他传统无证书签密方案相比,由于未使用双线性映射运算,在具有更高计算效率的同时,该方案的安全性更优.     

Efficient strong designated verifier signature schemes without random oracle or with non-delegatability

Designated verifier signature (DVS) allows a signer to convince a designated verifier that a signature is generated by the signer without letting the verifier transfer the conviction to others, while the public can still tell that the signature must be generated by one of them. Strong DVS (SDVS) strengthens the latter part by restricting the public from telling whether the signature is generated by one of them or by someone else. In this paper, we propose two new SDVS schemes. Compared with existing SDVS schemes, the first new scheme has almost the same signature size and meanwhile, is proven secure in the standard model, while the existing ones are secure in the random oracle model. It has tight security reduction to the DDH assumption and the security of the underlying pseudorandom functions. Our second new scheme is the first SDVS supporting non-delegatability, the notion of which was introduced by Lipmaa, Wang and Bao in the context of DVS in ICALP 2005. The scheme is efficient and is provably secure in the random oracle model based on the discrete logarithm assumption and Gap Diffie–Hellman assumption.