公开追踪和CCA2安全的叛逆者追踪方案

提出一种新的k-resilient公钥叛逆者追踪方案。方案的追踪方式为公开黑盒追踪。假设DDH问题为困难问题,则方案能被证明是自适应选择密文攻击安全的,并且在撤销不超过k个叛逆者条件下仍然是自适应选择密文攻击安全的。与同类方案相比,该方案没有使用一次性消息认证码假设,并且有效降低了追踪时的计算复杂性。另外,方案满足非对称性。     

Efficient chosen ciphertext secure key encapsulation mechanism in standard model over ideal lattices

Key encapsulation mechanism (KEM) is an important key distribution mechanism that not only allows both sender and receiver to safely share a random session key, but also can be mainly applied to construct a hybrid public key encryption scheme. In this paper, we give an positive answer to the question of if it is possible to build an efficient KEM over lattices. More precisely, we design an efficient KEM scheme in standard model based on ideal lattices. We prove that the proposed scheme captures indistinguishability against active chosen ciphertext attacks (IND-CCA) under the ring learning with errors problem, or more formally, IND-CCA security. Compared with the current CCA secure KEM schemes based on lattices in the standard model, our scheme has shorter public key, secret key and encapsulation ciphertext. In addition, our KEM scheme realizes IND-CCA security in the standard model.     

Concurrently deniable ring authentication and its application to LBS in VANETs

Deniable ring authentication can be used to facilitate privacy-preserving communication since the receiver accepts authentication while cannot convince a third party that the fact of this authentication occurred. Besides that, the receiver cannot decide the actual sender as the sender identity is hidden among a group of participants. However, the concurrent problem has not been studied well in the interactive deniable ring authentication so far. In this work, we propose a deniable ring authentication protocol to handle concurrent scenario, which achieves full deniability. We construct a CCA2-secure (which is secure against Adaptive Chosen Ciphertext attack) multi-receiver encryption scheme to support this protocol and it requires only 2 communication rounds, which is round-optimal in fully deniable ring authentications. In addition, we observe that efficient fully deniable ring authentication can be applied to location-based service in VANETs to protect vehicle privacy.     

Multi-use and unidirectional identity-based proxy re-encryption schemes

In a proxy re-encryption scheme, a semi-trusted proxy is given special power that allows it to transform a ciphertext for Alice into a ciphertext for Bob without learning any information about the messages encrypted under either key. When a proxy re-encryption scheme is constructed in an identity-based setting, it means that a proxy converts a ciphertext encrypted under Alice’s identity into a ciphertext under Bob’s. Proxy re-encryption has become more and more popular these years due to the fact that it has many practical applications. In this paper, we present an IND-CCA2 secure identity-based proxy re-encryption scheme which has several useful properties, including, multi-use, unidirectionality, etc. Finding a unidirectional, multi-use, and CCA2-secure proxy re-encryption scheme is presented as an open problem by Green et al. Fortunately, our identity-based proxy re-encryption scheme is a solution to this problem. As a middleware for fulfilling our main goal, we also propose a new construction of identity-based encryption using random padding techniques. The security of our schemes is based on the standard decisional bilinear Diffie-Hellman assumption in the random oracle model.     

基于SM9的CCA安全广播加密方案

选择密文安全模型能有效刻画主动攻击,更接近现实环境.现有抵抗选择密文攻击的密码算法以国外算法为主,缺乏我国自主设计且能抵抗选择密文攻击的密码算法.虽然实现选择密文安全存在通用转化方法,代价是同时增加计算开销和通信开销.基于国密SM9标识加密算法,提出一种具有选择密文安全的标识广播加密方案.方案的设计继承了SM9标识加密算法结构,用户密钥和密文的大小都是固定的,其中用户密钥由一个群元素组成,密文由3个元素组成,与实际参与加密的接收者数量无关.借助随机谕言器,基于GDDHE困难问题可证明方案满足CCA安全.加密算法的设计引入虚设标识,通过该标识可成功回复密文解密询问,实现CCA的安全性.分析表明,所提方案与现有高效标识广播加密方案在计算效率和存储效率上相当.     

Generic construction of an $$\mathrm {}$$-secure key exchange protocol in the standard model

LaMacchia, Lauter and Mityagin presented a strong security model for authenticated key agreement, namely the \(\mathrm {eCK}\) model. They also constructed a protocol, namely the NAXOS protocol, that enjoys a simple security proof in the \(\mathrm {eCK}\) model. However, the NAXOS protocol uses a random oracle-based technique to combine the long-term secret key and the per session randomness, so-called NAXOS trick, in order to achieve the \(\mathrm {eCK}\) security definition. For NAXOS trick-based protocols, the leakage of per session randomness modeled in the \(\mathrm {eCK}\) model is somewhat unnatural, because the \(\mathrm {eCK}\) model leaks per session randomness, while the output of the NAXOS trick computation remains safe. In this work, we present a standard model \(\mathrm {eCK}\)-secure protocol construction, eliminating the NAXOS trick. Moreover, our protocol is a generic construction, which can be instantiated with arbitrary suitable cryptographic primitives. Thus, we present a generic \(\mathrm {eCK}\)-secure, NAXOS-free, standard model key exchange protocol. To the best of our knowledge this is the first paper on generic transformation of a \(\mathrm {CCA2}\)-secure public-key encryption scheme to an \(\mathrm {eCK}\)-secure key exchange protocol in the standard model.     

Generic Certificateless Encryption Secure Against Malicious-but-Passive KGC Attacks in the Standard Model

Despite the large number of certificateless encryption schemes proposed recently, many of them have been found insecure under a practical attack, called malicious-but-passive KGC (Key Generation Center) attack. In this work we propose the first generic construction of certificateless encryption, which can be proven secure against malicious-but-passive KGC attacks in the standard model. In order to encrypt a message of any length, we consider the KEM/DEM (key encapsulation mechanism/data encapsulation mechanism) framework in the certificateless setting, and propose a generic construction of certificateless key encapsulation mechanism (CL-KEM) secure against malicious-but-passive KGC attacks in the standard model. It is based on an identity-based KEM, a public key encryption and a message authentication code. The high efficiency of our construction is due to the efficient implementations of these underlying building blocks, and is comparable to Bentahar et al.’s CL-KEMs, which have only been proven secure under the random oracle model with no consideration of the malicious-but-passive KGC attack. We also introduce the notion of certificateless tag-based KEM (CL-TKEM), which is an extension of Abe et al.’ s work to the certificateless setting. We show that an efficient CL-TKEM can be constructed by modifying our CL-KEM scheme. We also show that with a CL-TKEM and a data encapsulation mechanism secure under our proposed security model, an efficient certificateless hybrid encryption can be constructed by applying Abe et al.'s transformation in the certificateless setting.     

云计算中的标准模型下基于证书混合加密方案

随着云计算的快速发展,数据安全已成为云安全的一个关键问题,尤其是云中存储和传输的数据量巨大,对安全性要求较高。另一方面,基于证书密码体制克服了传统公钥密码体制的证书管理问题及基于身份密码体制的密钥托管问题,为构造安全高效的PKI提供了新的方法,但现有基于证书加密方案大都采用双线性对构造,计算效率较低。针对云计算环境,基于判定性缩减Diffie-Hellman难题,提出了一个不含对运算的基于证书混合加密方案,分析了安全性和效率。该方案是建立在密钥封装算法、对称加密算法、消息认证码算法基础上的一次一密型加密方案。分析表明,该方案在标准模型下可以抵抗适应性选择密文攻击,计算效率较高,适合于对云计算中安全性要求较高的长消息的加密。     

基于椭圆曲线离散对数的无证书混合加密

基于椭圆曲线离散对数困难问题,结合KEM-DEM混合加密结构,提出一个新的无证书混合加密方案。采用椭圆曲线签名算法保证用户自主生成公钥的不可伪造性,利用用户公钥生成的会话密钥以对称加密算法加密明文,保证明文的机密性,对明文空间的大小没有严格限制。该方案主要涉及椭圆曲线上的点运算,与原有无证书加密方案中采用双线性对计算相比具有更高的执行效率。     

广域分布式环境中面向服务的文件管理系统

基于椭圆曲线离散时数困难问题,结合KEM-DEM混合加密结构,提出一个新的无证书混合加密方案.采用椭圆曲线签名算法保证用户自主生成公钥的不可伪造性,利用用户公钥生成的会话密钥以对称加密算法加密明文,保证明文的机密性,对明文空间的大小没有严格限制.该方案主要涉及椭圆曲线卜的点运算,与原有无证书加密方案中采用双线性对计算相比具有更高的执行效率.     

基于Bloom Filter的混合云存储安全去重方案

针对现有云存储系统中数据去重采用的收敛加密算法容易遭到暴力破解以及猜测攻击等不足,提出一种基于布隆过滤器的混合云存储安全去重方案BFHDedup,改进现有混合云存储系统模型,私有云部署密钥服务器Key Server支持布隆过滤器认证用户的权限身份,实现了用户的细粒度访问控制。同时使用双层加密机制,在传统收敛加密算法基础上增加额外的加密算法并且将文件级别去重和块级别去重相结合实现细粒度去重。此外,BFHDedup采用密钥加密链机制应对去重带来的密钥管理难题。安全性分析及仿真实验结果表明,该方案在可容忍的时间开销代价下实现了较高的数据机密性,有效抵抗暴力破解以及猜测攻击,提高了去重比率并且减少了存储空间。     

Tight chosen ciphertext attack （CCA）-secure hybrid encryption scheme with full public verifiability

In this paper, we propose a new ＂full public verifiability＂ concept for hybrid public-key encryption schemes. We also present a new hybrid public-key encryption scheme that has this feature, which is based on the decisional bilinear Diffie-Hellman assumption. We have proven that the new hybrid public-key encryption scheme is secure against adaptive chosen ciphertext attack in the standard model. The ＂full public verifiability＂ feature means that the new scheme has a shorter ciphertext and reduces the security requirements of the symmetric encryption scheme. Therefore, our new scheme does not need any message authentication code, even when the one-time symmetric encryption scheme is passive attacks secure. Compared with all existing publickey encryption schemes that are secure to the adaptive chosen ciphertext attack, our new scheme has a shorter ciphertext, efficient tight security reduction, and fewer requirements （if the symmetric encryption scheme can resist passive attacks）.     

Universally composable anonymous password authenticated key exchange

Anonymous password authenticated key exchange (APAKE) is an important cryptographic primitive, through which a client holding a password can establish a session key with a server both authentically and anonymously. Although the server is guaranteed that the client in communication is from a pre-determined group, but the client’s actual identity is protected. Because of their convenience, APAKE protocols have been widely studied and applied to the privacy protection research. However, all existing APAKE protocols are handled in stand-alone models and do not adequately settle the problem of protocol composition, which is a practical issue for protocol implementation. In this paper, we overcome this issue by formulating and realizing an ideal functionality for APAKE within the well-known universal composability (UC) framework, which thus guarantees security under the protocol composition operations. Our formulation captures the essential security requirements of APAKE such as off-line dictionary attack resistance, client anonymity and explicit mutual authentication. Moreover, it addresses the arbitrary probabilistic distribution of passwords. The construction of our protocol, which utilizes SPHF-friendly commitments and CCA2-secure encryption schemes, can be instantiated and proven secure in the standard model, i.e., without random oracle heuristics.     

Practical chosen-ciphertext secure Hierarchical Identity-Based Broadcast Encryption

We focus on practical Hierarchical Identity-Based Broadcast Encryption (HIBBE) with semantic security against adaptively chosen-ciphertext attacks (CCA2) in the standard model. We achieve this goal in two steps. First, we propose a new HIBBE scheme that is secure against chosen-plaintext attacks (CPA). Compared with the existing HIBBE scheme that is built from composite-order bilinear groups, our construction is based on prime-order bilinear groups. The much better efficiency of group operations in prime-order bilinear groups makes our proposed HIBBE scheme more practical. Then, we convert it into a CCA2-secure scheme at the cost of a one-time signature. Instead of extending one user hierarchy in the Canetti–Halevi–Katz approach from CPA-secure (\(l+1\))-Hierarchical Identity-Based Encryption [(\(l+1\))-HIBE] to CCA2-secure \(l\)-HIBE, our construction merely adds one on-the-fly dummy user in the basic scheme. We formally prove the security of these two schemes in the standard model. Comprehensive theoretical analyses and experimental results demonstrate that the proposed HIBBE schemes achieve desirable performance.     

格上具有完全前向安全的0轮往返时间密钥交换协议

0-RTT密钥交换协议允许客户端在零往返时间发送加密保护的有效载荷和第一条密钥交换协议消息,具有非交互、可离线等优点。为了降低密钥交换往返时间,基于穿透加密思想提出一种格上0-RTT密钥交换协议。首先利用一次性签名算法和分级身份基密钥封装机制构造可穿透前向保密密钥封装方案,然后使用可穿透前向保密密钥封装方案设计0-RTT密钥交换协议。协议只需客户端对服务器进行单向认证,并且能够有效抵抗量子攻击和重放攻击。与同类协议相比,所提协议具有可穿透的完全前向安全,减少了通信轮数,提高了通信效率。     

Algorithm substitution attacks against receivers

This work describes a class of Algorithm Substitution Attack (ASA) generically targeting the receiver of a communication between two parties. Our work provides a unified framework that applies to any scheme where a secret key is held by the receiver; in particular, message authentication schemes (MACs), authenticated encryption (AEAD) and public key encryption (PKE). Our unified framework brings together prior work targeting MAC schemes (FSE’19) and AEAD schemes (IMACC’19); we extend prior work by showing that public key encryption may also be targeted. ASAs were initially introduced by Bellare, Paterson and Rogaway in light of revelations concerning mass surveillance, as a novel attack class against the confidentiality of encryption schemes. Such an attack replaces one or more of the regular scheme algorithms with a subverted version that aims to reveal information to an adversary (engaged in mass surveillance), while remaining undetected by users. Previous work looking at ASAs against encryption schemes can be divided into two groups. ASAs against PKE schemes target key generation by creating subverted public keys that allow an adversary to recover the secret key. ASAs against symmetric encryption target the encryption algorithm and leak information through a subliminal channel in the ciphertexts. We present a new class of attack that targets the decryption algorithm of an encryption scheme for symmetric encryption and public key encryption, or the verification algorithm for an authentication scheme. We present a generic framework for subverting a cryptographic scheme between a sender and receiver, and show how a decryption oracle allows a subverter to create a subliminal channel which can be used to leak secret keys. We then show that the generic framework can be applied to authenticated encryption with associated data, message authentication schemes, public key encryption and KEM/DEM constructions. We consider practical considerations and specific conditions that apply for particular schemes, strengthening the generic approach. Furthermore, we show how the hybrid subversion of key generation and decryption algorithms can be used to amplify the effectiveness of our decryption attack. We argue that this attack represents an attractive opportunity for a mass surveillance adversary. Our work serves to refine the ASA model and contributes to a series of papers that raises awareness and understanding about what is possible with ASAs.

     

Some (in)sufficient conditions for secure hybrid encryption

In hybrid public key encryption (PKE), first a key encapsulation mechanism (KEM) is used to fix a random session key that is then fed into a highly efficient data encapsulation mechanism (DEM) to encrypt the actual message. A well-known composition theorem states that if both the KEM and the DEM have a high enough level of security (i.e., security against chosen-ciphertext attacks), then so does the hybrid PKE scheme. It is not known if these strong security requirements on the KEM and DEM are also necessary, nor if such general composition theorems exist for weaker levels of security.Using six different security notions for KEMs, 10 for DEMs, and six for PKE schemes, we completely characterize in this work which combinations lead to a secure hybrid PKE scheme (by proving a composition theorem) and which do not (by providing counterexamples). Furthermore, as an independent result, we revisit and extend prior work on the relations among security notions for KEMs and DEMs.     

基于格式保留的敏感信息加密方案

格式保留加密具有加密后数据格式和数据长度不变的特点,不会破坏数据格式约束,从而降低改造数据格式的成本。分析现有敏感信息格式保留加密方案,均基于对称加密体制,存在密钥传输安全性低和密钥管理成本较高等问题。提出了身份密码环境下基于格式保留的敏感信息加密方案,与现有的格式保留加密方案相比,通信双方不需要传递密钥,通过密钥派生函数来生成加密密钥和解密密钥,利用混合加密的方式提高了敏感信息传输的安全性。并且证明了该方案满足基于身份的伪随机置换安全,在适应性选择明文攻击下具有密文不可区分性。     

Cryptanalysis and improvement of a certificateless encryption scheme in the standard model

Certificateless public key cryptography eliminates inherent key escrow problem in identity-based cryptography, and does not yet requires certificates as in the traditional public key infrastructure. In this paper, we give crypt-analysis to Hwang et al.’s certificateless encryption scheme which is the first concrete certificateless encryption scheme that can be proved to be secure against “malicious-but-passive” key generation center (KGC) attack in the standard model. Their scheme is proved to be insecure even in a weaker security model called “honest-but-curious” KGC attack model. We then propose an improved scheme which is really secure against “malicious-but-passive” KGC attack in the standard model.     

Fully CCA2 secure identity based broadcast encryption without random oracles

In broadcast encryption schemes, a broadcaster encrypts messages and transmits them to some subset S of users who are listening to a broadcast channel. Any user in S can use his private key to decrypt the broadcast. An identity based cryptosystem is a public key cryptosystem where the public key can be represented as an arbitrary string. In this paper, we propose the first identity based broadcast encryption (IBBE) scheme that is IND-ID-CCA2 secure without random oracles. The public key and ciphertext are constant size, and the private key size is linear in the total number of receivers. To the best of our knowledge, it is the first IBBE scheme that is fully CCA2 secure without random oracles. Moreover, our IBBE scheme is collusion resistant for arbitrarily large collusion of users.