标准模型下抗CPA与抗CCA2的RSA型加密方案

RSA型加密系统（RSA加密系统及其改进系统的统称）至今仍然被广泛应用于许多注重电子数据安全的电子商务系统中.然而对现有的RSA型加密方案分析发现：（1）只有在随机谕言机模型下抗CCA2攻击的RSA型加密方案,还没有在标准模型下实现IND-CCA2安全的RSA型概率加密方案;（2）没有在标准模型下实现抗CPA且保持乘法同态性的RSA型同态加密方案,而同态性是实现安全多方计算和云计算安全服务的重要性质之一;（3）在实现密文不可区分方面,这些方案除HD-RSA外都是通过一个带hash的Feistel网络引入随机因子的,从而导致这些方案只能在随机谕言机模型下实现IND-CCA2安全.针对以上问题,本文在RSA加密系统的基础上,通过增加少量的有限域上的模指数运算,设计了一个标准模型下具有IND-CPA安全的RSA型概率同态加密方案和一个具有IND-CCA2安全的RSA型概率加密方案.这两个方案在实现密文不可区分时,都不再通过明文填充引入随机因子.此外,本文还提出一个RSA问题的变形问题（称作RSA判定性问题）.     

An IND-CCA2 Secure Certificateless Hybrid Signcryption

This article proposes a hybrid certificateless signcryption scheme that is secure against adaptive chosen ciphertext adversary in the random oracle model. The scheme combines an asymmetric encryption which is one way against chosen plaintext attack and any One-Time secure symmetric encryption scheme, combined using Fujisaki–Okamoto transformation. Uncommon to many Fujisaki–Okamoto based constructions which ensure message integrity alone, this scheme provides entity authentication in addition. By the choice of a hash function that utilizes the advantage of sponge based construction, the scheme enables the user to incorporate any One-Time secure symmetric encryption by re-configuring the input/output parameters. Fujisaki–Okamoto transformation, which is currently a standard in hybrid constructions, guarantees the indistinguishability against adaptive chosen ciphertext attack. The provision for choosing symmetric encryption in the scheme enables it to be implemented in all sort of cryptographic requirements including those in wireless communication.

     

Immunizing public key cryptosystems against chosen ciphertextattacks

Three methods for strengthening public key cryptosystems in such a way that they become secure against adaptively chosen ciphertext attacks are presented. In an adaptively chosen ciphertext attack, an attacker can query the deciphering algorithm with any ciphertext except for the exact object ciphertext to be cryptanalyzed. The first strengthening method is based on the use of one-way hash functions, the second on the use of universal hash functions, and the third on the use of digital signature schemes. Each method is illustrated by an example of a public key cryptosystem based on the intractability of computing discrete logarithms in finite fields. Security of the three example cryptosystems is formally proved. Two other issues, namely, applications of the methods to public key cryptosystems based on other intractable problems and enhancement of information authentication capability to the cryptosystems, are also discussed     

How to signcrypt a message to designated group

In an open network environment, the protection of group communication is a crucial problem. In this article, a novel broadcast group-oriented signcryption scheme is presented for group communication scenarios in distributed networks. Anyone in this scheme can signcrypt a message and distribute it to a designated group, and any member in the receiving group can unsigncrypt the ciphertext. The ciphertext and public key in the scheme are of constant size. In addition, this new scheme offers public verification of the ciphertext. This property is very important to the large-scale group communication since the gateway can filter the incorrect ciphertext and alleviate the receiver's workload. Finally, a proof in the random oracle model is given to show that the scheme is secure against chosen ciphertext attack and existential forgery.     

Certificate‐Based Signcryption Scheme without Pairing: Directly Verifying Signcrypted Messages Using a Public Key

To achieve confidentiality, integrity, authentication, and non‐repudiation simultaneously, the concept of signcryption was introduced by combining encryption and a signature in a single scheme. Certificate‐based encryption schemes are designed to resolve the key escrow problem of identity‐based encryption, as well as to simplify the certificate management problem in traditional public key cryptosystems. In this paper, we propose a new certificate‐based signcryption scheme that has been proved to be secure against adaptive chosen ciphertext attacks and existentially unforgeable against chosen‐message attacks in the random oracle model. Our scheme is not based on pairing and thus is efficient and practical. Furthermore, it allows a signcrypted message to be immediately verified by the public key of the sender. This means that verification and decryption of the signcrypted message are decoupled. To the best of our knowledge, this is the first signcryption scheme without pairing to have this feature.     

一个动态门限的基于属性签密方案

签密能同时实现加密与签名,并且代价小于传统的先签名再加密。该文在Li等人(2010)签名方案的基础上提出了一个动态门限的基于属性签密方案,除具有一般签密方案的保密性和认证性外,还同时具有签密者属性隐私安全性和多接收者特性。在随机预言机模型下,利用判定双线性Diffie-Hellman (DBDH)问题和计算Diffie- Hellman (CDH)问题的困难性,证明了该方案满足在适应性选择密文攻击下的不可区分性及适应性选择消息下的不可伪造性。     

基于身份的多接收者匿名签密改进方案

对庞等提出的首个考虑发送者和接收者双重匿名性的基于身份的多接收者匿名签密方案进行安全性分析,结果表明该方案不满足选择密文攻击下的密文不可区分性,在现有安全模型下,攻击者可以区分不同消息的签密密文。提出一个在随机预言模型下选定身份安全的改进方案,新方案在CDH和Gap-BDH困难问题假设下分别满足密文的存在不可伪造性和不可区分性。     

标准模型下安全的无证书签名方案

随机预言模型下的证明能够为无证书签名方案提供基本的安全保证,但随机预言机的实现方式可能会导致方案不安全。一些标准模型下的方案在提出后被证明无法抵抗公钥替换攻击。为了解决这一问题,构造了一个标准模型下安全的无证书签名方案,基于NGBDH和Many-DH困难问题,证明所提出的方案对自适应选择消息攻击是存在性不可伪造的。此外,提出的方案具有计算代价和通信代价较低、能够抵抗密钥替换攻击等优点。     

Efficient threshold public key encryption with full security based on dual pairing vector spaces

Most robust and noninteractive threshold public key encryption (PKE) schemes have only been proven secure against chosen‐ciphertext attacks under the static corruption model; yet, the dynamic corruption model is more reasonable. In this paper, on the basis of bilinear groups of prime order and dual pairing vector spaces, we propose a threshold PKE scheme that is noninteractive, robust and, secure against adaptive chosen‐ciphertext attacks under the dynamic corruption model without random oracles. Moreover, our scheme is shown to be more efficient than currently existing fully secure threshold PKE schemes. Copyright © 2013 John Wiley & Sons, Ltd.     

OAEP Reconsidered

The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt '94. It converts any trapdoor permutation scheme into a public key encryption scheme. OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack. The main justification for this belief is a supposed proof of security in the random oracle model, assuming the underlying trapdoor permutation scheme is one way. This paper shows conclusively that this justification is invalid. First, it observes that there appears to be a non-trivial gap in the OAEP security proof. Second, it proves that this gap cannot be filled, in the sense that there can be no standard ``black box' security reduction for OAEP. This is done by proving that there exists an oracle relative to which the general OAEP scheme is insecure. The paper also presents a new scheme OAEP+ , along with a complete proof of security in the random oracle model. OAEP+ is essentially just as efficient as OAEP. It should be stressed that these results do not imply that a particular instantiation of OAEP, such as RSA-OAEP, is insecure. They simply undermine the original justification for its security. In fact, it turns out—essentially by accident, rather than by design—that RSA-OAEP is secure in the random oracle model; however, this fact relies on special algebraic properties of the RSA function, and not on the security of the general OAEP scheme.     

标准模型中非交互抗选择密文攻击门限密码方案

提出两个抗选择密文攻击的门限密码系统.第一个方案的密文由应用Canetti-Halevi-Kazt的方法到Boneh-Boyen的基于身份加密而得到.第二个方案中的密文与Waters的基于身份加密的密文基本相同,唯一的区别是这里的"身份"是密文的前两部分的hash值.由于服务器在提供解密碎片之前可以公开验证密文的合法性,而合成者又可以公开验证解密碎片的合法性,使我们的两个方案都具有非交互性.二者的安全性都在标准的决定性双线性Diffie-Hellman假设下被证明.     

一种新的基于身份的门限签名方案

 门限签名能够分散签名权力,比普通单人签名具有更高的安全性.目前大多数门限签名都是随机预言模型下可证明安全的.本文利用椭圆曲线上的双线性对,以Paterson签名方案为基础,提出了一种无随机预言的基于身份的门限签名方案.该方案需要一个可信任的私钥生成中心来生成和管理私钥.在标准模型下对该方案进行了安全性证明,表明该方案是健壮的,并且能够抵抗适应性选择消息攻击.     

Towards an Efficient Certificateless Access Control Scheme for Wireless Body Area Networks

Wireless body area networks have become popular due to recent technological developments in sensor technology. A sensor can be used to collect data from different environments of interest, process and communicate the data to other nodes in a network. By its very nature, a sensor node is limited in resource usage. Due to these limitations, numerous security challenges have emerged in their applications, hence the need for more efficient and secure cryptosystems. In this paper, we give an efficient certificateless pairing-free signcryption scheme then design a secure access control scheme that can satisfy both the properties of ciphertext authentication and public verifiability using the signcryption scheme. A formal security proof of our scheme in random oracle model is provided. In addition, we compare the efficiency of our access control scheme with other existing schemes that are based on signcryption scheme. The analysis reveals that our scheme achieves better trade-off for computational and communication cost.

     

A ring signature scheme over braid groups

Quantum algorithms bring great challenges to classical public key cryptosystems, which makes cryptosystems based on non-commutative algebraic systems hop topic. The braid groups, which are non-commutative, have attracted much attention as a new platform for constructing quantum attack-resistant cryptosystems. A ring signature scheme is proposed based on the difficulty of the root extraction problem over braid groups, which can resist existential forgery against the adaptively chosen-message attack under the random oracle model.     

Provably Secure Length‐Saving Public‐Key Encryption Scheme under the Computational Diffie‐Hellman Assumption

Design of secure and efficient public‐key encryption schemes under weaker computational assumptions has been regarded as an important and challenging task. As far as ElGamal‐type encryption schemes are concerned, some variants of the original ElGamal encryption scheme based on weaker computational assumption have been proposed: Although security of the ElGamal variant of Fujisaki‐Okamoto public‐key encryption scheme and Cramer and Shoup's encryption scheme is based on the Decisional Diffie‐Hellman Assumption (DDH‐A), security of the recent Pointcheval's ElGamal encryption variant is based on the Computational Diffie‐Hellman Assumption (CDH‐A), which is known to be weaker than DDH‐A. In this paper, we propose new ElGamal encryption variants whose security is based on CDH‐A and the Elliptic Curve Computational Diffie‐Hellman Assumption (EC‐CDH‐A). Also, we show that the proposed variants are secure against the adaptive chosen‐ciphertext attack in the random oracle model. An important feature of the proposed variants is length‐efficiency which provides shorter ciphertexts than those of other schemes.     

指定测试者的基于身份可搜索加密方案

对指定测试者的基于身份可搜索加密(dIBEKS)方案进行了研究。指出Tseng等人所提dIBEKS方案并不是完全定义在基于身份密码系统架构上,而且方案不能满足dIBEKS密文不可区分性。首次提出了基于身份密码系统下的指定测试者可搜索加密方案的定义和安全需求,并设计了一个高效的dIBEKS新方案。证明了dIBEKS密文不可区分性是抵御离线关键字猜测攻击的充分条件,并证明了新方案在随机预言模型下满足适应性选择消息攻击的dIBEKS密文不可区分性、陷门不可区分性,从而可以有效抵御离线关键字猜测攻击。     

Practical Second‐Order Correlation Power Analysis on the Message Blinding Method and Its Novel Countermeasure for RSA

Recently power attacks on RSA cryptosystems have been widely investigated, and various countermeasures have been proposed. One of the most efficient and secure countermeasures is the message blinding method, which includes the RSA derivative of the binary‐with‐random‐initial‐point algorithm on elliptical curve cryptosystems. It is known to be secure against first‐order differential power analysis (DPA); however, it is susceptible to second‐order DPA. Although second‐order DPA gives some solutions for defeating message blinding methods, this kind of attack still has the practical difficulty of how to find the points of interest, that is, the exact moments when intermediate values are being manipulated. In this paper, we propose a practical second‐order correlation power analysis (SOCPA). Our attack can easily find points of interest in a power trace and find the private key with a small number of power traces. We also propose an efficient countermeasure which is secure against the proposed SOCPA as well as existing power attacks.     

Proxy re-signature scheme based on isomorphisms of polynomial

Most of the existing proxy resignature schemes were based on the hardness of big integer factoring,discrete logarithm,elliptic curve.However,none of them can resist the attack by a quantum computer.Motivated by these concerns,a new proxy resignature scheme was proposed.By employing secret affine transformations and homogeneous polynomials,the proposed scheme could implement the signature transformation with high-efficiency,and meanwhile it was secure against the attack by a quantum computer.The results of analysis showed that the proposed scheme was correct and consistent,and had the unforgeability in the random oracle model.Compared with the existing schemes,the proposed scheme not only inherits the resistance to quantum attack and high efficiency from the multivariate public key cryptosystems,but also has the properties of multi-use,transparent and private proxy.     

一个高效的选择密文安全的分类代理重加密方案

分类代理重加密通过密码学手段为密文委托与分发提供了高效便捷的解决方案,同时使密文拥有者有能力实施更细粒度的委托控制.本文提出了一种新的分类代理重加密方案,方案在随机预言模型下可证明选择密文安全,相对于现有采用双线性对构造的分类代理重加密方案,我们的无双线性对方案拥有更好的效率,并具备主密钥安全性.     

A certificateless signcryption with proxy re-encryption for practical access control in cloud-based reliable smart grid

Cloud computing has proven to be applicable in smart grid systems with the help of the cloud-based Internet of things (IoT) technology. In this concept, IoT is deployed as a front-end enabling the acquisition of smart grid-related data and its outsourcing to the cloud for data storage purposes. It is obvious that data storage is a pertinent service in cloud computing. However, its wide adoption is hindered by the concern of having a secure access to data without a breach on confidentiality and authentication. To address this problem, we propose a novel data access control scheme that simultaneously accomplishes confidentiality and authentication for cloud-based smart grid systems. Our scheme can enable the storing of encrypted smart grid-related data in the cloud. When a user prefers to access the data, the data owner issues a delegation command to the cloud for data re-encryption. The cloud is unable to acquire any plaintext information on the data. Only authorized users are capable of decrypting the data. Moreover, the integrity and authentication of data can only be verified by the authorized user. We obtain the data access control scheme by proposing a pairing free certificateless signcryption with proxy re-encryption (CLS-PRE) scheme. We prove that our CLS-PRE scheme has indistinguishability against adaptive chosen ciphertext attack under the gap Diffie–Hellman problem and existential unforgeability against adaptive chosen message attack under elliptic curve discrete logarithm problem in the random oracle model.