Tight chosen ciphertext attack （CCA）-secure hybrid encryption scheme with full public verifiability

In this paper, we propose a new ＂full public verifiability＂ concept for hybrid public-key encryption schemes. We also present a new hybrid public-key encryption scheme that has this feature, which is based on the decisional bilinear Diffie-Hellman assumption. We have proven that the new hybrid public-key encryption scheme is secure against adaptive chosen ciphertext attack in the standard model. The ＂full public verifiability＂ feature means that the new scheme has a shorter ciphertext and reduces the security requirements of the symmetric encryption scheme. Therefore, our new scheme does not need any message authentication code, even when the one-time symmetric encryption scheme is passive attacks secure. Compared with all existing publickey encryption schemes that are secure to the adaptive chosen ciphertext attack, our new scheme has a shorter ciphertext, efficient tight security reduction, and fewer requirements （if the symmetric encryption scheme can resist passive attacks）.     

一种概率型非对称公钥密码体制的设计和实现

在分析传统公钥密码体制的基础上,设计并实现了一种基于Diffie Hellman判定问题,辅以抗碰撞的Hash函数和公钥证书进行加密和解密,安全性可证明的概率型非对称密码系统.它比基本Cramer-Shoup体制具有更高的效率,且同样具有抵抗自适应选择密文攻击的能力.     

标准模型下的高效强安全混合加密方案

如何设计标准模型下满足适应性选择密文安全（IND-CCA2）的高效加密方案,是公钥密码学领域的一个重要研究课题。基于判定型双线性Diffie-Hellman问题,提出了一个高效、短公/私钥长度、强安全的,基于对称加密算法、消息认证码算法、密钥分割算法等基础算法的一次一密型混合加密方案,分析了方案的安全性和效率。方案在标准模型下被证明具有IND-CCA2安全性,支持公开的密文完整性验证,与同类方案相比计算效率高。     

Group key agreement for secure group communication in dynamic peer systems

Self-organizing group key agreement protocols without a centralized administrator are essential to secure group communication in dynamic peer systems. In this paper, we propose a generic construction of a one-round self-organizing group key agreement protocol based on the Chinese Remainder Theorem. In the proposed construction, all group members contribute their own public keys to negotiate a shared encryption public key, which corresponds to all different decryption keys. Using his/her own secret key, each group member is able to decrypt any ciphertext encrypted by the shared encryption key. Following the generic construction, we instantiate a one-round self-organizing group key agreement protocol using the efficient and computationally inexpensive public key cryptosystem NTRU. Both the public key and the message in this protocol are secure against the known lattice attacks. Furthermore, we also briefly describe another concrete scheme with our generic idea, based on the ElGamal public key cryptosystem.     

适用于3G网络的无证书的短签密方案

短签密方案实现了在一个逻辑步骤内同时完成了加密和数字签名二者的功能,并且所花费的代价,包括计算时间和消息扩展率两方面,要远远低于传统的先签名后加密的方法。然而目前大部分的短签密方案都不具有可信公钥以及签名验证阶段发生在解签密阶段之后,降低了签密消息的可靠性与伪造签密消息的处理效率。一种新型的基于无证书密码系统的短签密方案被提了出来,相应的安全模型也被定义。该方案计算量小,仅需一次对运算,而且还具有可信公钥以及临时密钥安全性。经过分析及实现验证,该方案可以在消息保密性的基础上实现3G网络信息在传播路径上的认证,从而防范垃圾信息的传播。     

基于Niederreiter密码体制的抗量子签密方案

针对后量子时代的网络通信安全问题,对编码密码中的Niederreiter密码体制进行研究,将基于改进Niederreiter密码的双公钥加密方案与Xinmei签名方案相结合,构造一种抗量子签密方案。安全性分析结果表明,该方案能够满足IND-CPA与EUF-CMA安全,并可实现对直接译码攻击以及ISD攻击的良好防御,相比先签名后加密的签密方法,其密文量下降50%,能够为后量子时代用户的网络通信提供机密性与不可伪造性的安全防护。     

三接收方公钥密码系统

提出一种三接收方公钥加密方案,该方案中发送方对消息进行加密,而三接收方均能够使用各自的私钥对消息进行解密。基于双线性映射,构造出两个安全性不同的三接收方公钥加密方案。形式化证明如果间隙双线性Diffie-Hellman问题和计算性Diffie-Hellman问题是困难的,则所提的两个方案分别具有选择明文攻击安全和适应性选择密文攻击安全。所提方案仅增加了一项指数运算和一项哈希运算,就实现了3个独立的接收方,因此该方案效率较高。分析表明,该方案能够提高 TLS 协议的安全性并应用于分级监管公钥密码系统。     

可证明安全的基于身份的聚合签密方案

为了更有效地保护网络信息的安全,需要同时实现消息的机密性和认证性。签密方案能够在一个逻辑步骤内同时实现对消息的签名和加密。为了提高当前已存在的签密方案的安全性和算法效率,结合聚合签名的思想,提出一种基于身份的聚合签密方案。在随机语言模型中证明了该方案具有适应性选择密文攻击下的不可区分性,在适应性选择消息攻击下是存在性不可伪造的,其安全性归约为计算椭圆曲线离散对数问题和双线性Diffie-Hellman问题的困难性。与目前效率较高、密文长度较短的几个方案进行比较的结果表明,新方案的签密和解签密过程分别仅需1次双线性对运算,具有计算成本低、密文长度短的优良特性。     

A survey of certificateless encryption schemes and security models

This paper surveys the literature on certificateless encryption schemes. In particular, we examine the large number of security models that have been proposed to prove the security of certificateless encryption schemes and propose a new nomenclature for these models. This allows us to “rank” the notions of security for a certificateless encryption scheme against an outside attacker and a passive key generation centre, and we suggest which of these notions should be regarded as the “correct” model for a secure certificateless encryption scheme. We also examine the security models that aim to provide security against an actively malicious key generation centre and against an outside attacker who attempts to deceive a legitimate sender into using an incorrect public key (with the intention to deny the legitimate receiver that ability to decrypt the ciphertext). We note that the existing malicious key generation centre model fails to capture realistic attacks that a malicious key generation centre might make and propose a new model. Lastly, we survey the existing certificateless encryption schemes and compare their security proofs. We show that few schemes provide the “correct” notion of security without appealing to the random oracle model. The few schemes that do provide sufficient security guarantees are comparatively inefficient. Hence, we conclude that more research is needed before certificateless encryption schemes can be thought to be a practical technology.     

A new construction on randomized message-locked encryption in the standard model via UCEs

We present a new primitive of randomized message-locked encryption (MLE) in this paper and define a new security model for it. The new primitive, named message-locked encryption3 (hereafter referred as MLE3), is actually a variant of randomized message-locked encryption (Bellare et al. Eurocrypt’13). In order to prevent trivial attacks, our primitive admits a semi-trusted server, which is allowed to hold a secret key of public key encryption (PKE), to verify the correctness of a tag. The new security notion, called privacy chosen-distribution attacks3 (PRV-CDA3), requires that a ciphertext generated by encrypting an unpredictable message and another ciphertext (possible invalid) chosen randomly from a ciphertext space are indistinguishable. Compared with the priori proposed security notion, privacy chosen-distribution attacks (PRV-CDA) (Bellare et al. Eurocrypt’13), which requires that two ciphertexts generated by encrypting two unpredictable messages are indistinguishable, the security notion we propose is much stronger. Based on the new primitive, under the blackbox reductions, we put forward a novel construction which achieves both privacy chosen-distribution attacks3 (PRV-CDA3) and strong tag consistency (STC) securities in the standard model via universal computational extractors (UCEs) (Bellare et al. Crypto’13). In addition, our scheme also provides the validity-testing for ciphertext.     

一种有效的无证书环签密方案

环签密是一个重要的密码学术语,它结合了加密和环签名的功能,具有保密性、可认证性和匿名性等安全属性。目前已有的无证书环签密方案大都是在随机预言模型下提出的,然而在该模型下可证安全的方案在哈希函数实例化后有时却并不安全。针对这一问题,设计了一个标准模型下可证安全的无证书环签密方案,并通过计算DiffieHellman(CDH)困难问题假设和判定性Diffie-Hellman(DBDH)困难问题假设,证明了方案满足适应性选择密文攻击下的不可区分性以及适应性选择消息攻击下存在的不可伪造性,因而方案是安全有效的。     

标准模型下基于身份的环签密方案

签密是一个同时提供认证性和保密性的密码学术语,而与分别签名和加密相比,它却具有较低的计算成本.环签密除具有签密的一般属性外还具有匿名性,它允许任一用户代表一组用户进行签密,却不知道真正是谁生成了该签密.提出了一种有效的标准模型下基于身份的环签密方案,利用CDH问题和DBDH问题的困难性,证明了方案在适应性选择消息和身份攻击下的不可伪造性及在适应性选择密文攻击下的不可区分性.     

高效的适应性选择密文安全公钥加密算法

安全高效的公钥加密算法是信息系统安全的重要保障技术,文中利用陷门承诺函数的思想实现对密文完整性的保护,由此在标准模型下给出一个可证明适应性选择密文攻击安全的公钥加密算法.新算法与著名的CS98公钥加密算法相比公钥参数数量减少20%,私钥参数减少80%;与BMW05公钥加密算法比较,公、私钥参数数量大为减少且安全规约效率...     

一种基于前向安全的可公开验证签密方案

提出一种具有公开验证性和前向安全性的签密方案,弥补了已有签密方案大多数不能同时提供可公开验证性和前向安全性的不足。该方案中,只有指定接收者可以从签密密文中恢复出签密消息的明文;在公开验证中不需要接收者的私钥及消息明文;并且具备前向安全性,即使签密者的私钥泄露,攻击者也不能恢复本次及以前所签密消息的明文。同时该方案改变了传统上使用Hash函数或Redundancy函数的验证方法。最后对该方案的安全性进行了详细分析。     

一种有效基于身份的门限环签密方案

为了设计基于身份的门限环签密方案,利用秘密共享和双线性对技术,提出了一种在标准模型下基于身份的门限环签密方案,并对方案的安全性进行了分析。最后,利用CDH问题和DBDH问题的困难性,证明了方案在适应性选择消息和身份攻击下的不可伪造性以及在适应性选择密文攻击下的不可区分性。     

More efficient tightly-secure lattice-based IBE with equality test

Identity-based encryption with equality test (IBEET) combines public key encryption with equality test (PKEET) and identity-based encryption (IBE). In an IBEET scheme, a user with trapdoors is allowed to verify whether different ciphertexts encrypted under different identities correspond to equal plaintexts through the equality test algorithm. Recently, several IBEET schemes were constructed over lattices to resist the potential quantum threats, perhaps since the latticed-based candidates are the most favored ones in the current NIST PQC standardization. However, almost all of the schemes are developed from Lee et al.’s generic construction and hence double both public parameters and ciphertext sizes. In this paper, we propose a more efficient and tightly-secure IBEET scheme which not only achieves a tight reduction with the semi-adaptive security, but also reduces both public parameters and ciphertext sizes.     

Efficient attribute-based signature and signcryption realizing expressive access structures

This paper addresses the open problem of designing attribute-based signature (ABS) schemes with constant number of bilinear pairing operations for signature verification or short signatures for more general policies posed by Gagné et al. in Pairing 2012. Designing constant-size ABS for expressive access structures is a challenging task. We design two key-policy ABS schemes with constant-size signature for expressive linear secret-sharing scheme (LSSS)-realizable monotone access structures. Both the schemes utilize only 3 pairing operations in signature verification process. The first scheme is small universe construction, while the second scheme supports large universes of attributes. The signing key is computed according to LSSS-realizable access structure over signer’s attributes, and the message is signed with an attribute set satisfying the access structure. Our ABS schemes provide the existential unforgeability in selective attribute set security model and preserve signer privacy. We also propose a new attribute-based signcryption (ABSC) scheme for LSSS-realizable access structures utilizing only 6 pairings and making the ciphertext size constant. Our scheme is significantly more efficient than existing ABSC schemes. While the secret key (signing key or decryption key) size increases by a factor of number of attributes used in the system, the number of pairing evaluations is reduced to constant. Our protocol achieves (a) ciphertext indistinguishability under adaptive chosen ciphertext attacks assuming the hardness of decisional Bilinear Diffie–Hellman Exponent problem and (b) existential unforgeability under adaptive chosen message attack assuming the hardness of computational Diffie–Hellman Exponent problem. The security proofs are in selective attribute set security model without using any random oracle heuristic. In addition, our ABSC achieves public verifiability of the ciphertext, enabling any party to verify the integrity and validity of the ciphertext.     

Efficient chosen ciphertext secure key encapsulation mechanism in standard model over ideal lattices

Key encapsulation mechanism (KEM) is an important key distribution mechanism that not only allows both sender and receiver to safely share a random session key, but also can be mainly applied to construct a hybrid public key encryption scheme. In this paper, we give an positive answer to the question of if it is possible to build an efficient KEM over lattices. More precisely, we design an efficient KEM scheme in standard model based on ideal lattices. We prove that the proposed scheme captures indistinguishability against active chosen ciphertext attacks (IND-CCA) under the ring learning with errors problem, or more formally, IND-CCA security. Compared with the current CCA secure KEM schemes based on lattices in the standard model, our scheme has shorter public key, secret key and encapsulation ciphertext. In addition, our KEM scheme realizes IND-CCA security in the standard model.     

An efficient and provable secure identity-based ring signcryption scheme

ID-based ring signcryption schemes (IDRSC) are usually derived from bilinear parings, a powerful but computationally expensive primitive. The number of paring computations of all existing ID-based ring signcryption schemes from bilinear pairings grows linearly with group size, which makes the efficiency of ID-based schemes over traditional schemes questionable. This paper presents a new identity-based ring signcryption scheme, which only takes four pairing operations for any group size and the scheme is proven to be indistinguishable against adaptive chosen ciphertext ring attacks (IND-IDRSC-CCA2) and existentially unforgeable against adaptive chosen message and identity attacks (EUF-IDRSC-ACMA) under the random oracle model.     

基于Polar码改进的RLCE公钥加密方案

针对PolarRLCE方案不具有语义安全,易受到自适应选择密文攻击（IND-CCA2,adaptively chosen ciphertext attacks）的缺点。在RLCE（random linear code encryption）方案的基础上,利用RLCE方案的结构和Polar码的极化性质,将Polar码作为方案的底层编码,通过RLCEspad消息填充的方法,采用普通编码对密文进行编码,提出一种具有语义安全、可以达到IND-CCA2安全的改进的RLCE公钥加密方案。改进后的方案将公钥矩阵转为系统矩阵,减小了公钥存储空间;对部分私钥进行预计算,减小了私钥存储空间。通过分析,所提方案未改变PolarRLCE方案的结构,可以抵抗针对汉明循环码的结构化等攻击。在128 bit安全级别,相较于HermitianRLCE方案、GRSRLCE方案和GoppaMcEliece方案,所提方案的公钥尺寸分别减少了4%、46.5%、47.9%。