Similar literature
1.
Since the first practical and secure public-key encryption scheme without random oracles was proposed by Cramer and Shoup in 1998, Cramer–Shoup's scheme and its variants remained the only practical and secure public-key encryption schemes without random oracles until 2004. In 2004, Canetti et al. proposed a generic transformation from a selective identity-based encryption scheme to a public-key encryption scheme by adding a strongly unforgeable one-time signature scheme. Since then, several transformation techniques from a selective identity-based encryption scheme to a public-key encryption scheme have been proposed to improve computational efficiency, for example Boneh–Katz's construction and Boyen–Mei–Waters' scheme. These transformations trade off either public verifiability or the tightness of the security reduction. In 2007, Zhang proposed another generic transformation by adding chameleon hash functions. In this paper, we introduce another technique that turns Boneh–Boyen's selective identity-based encryption scheme into a public-key encryption scheme which is publicly verifiable and slightly more efficient than Zhang's transformation. The proposed public-key encryption scheme is based on the decisional bilinear Diffie–Hellman assumption and target collision resistant hash functions.

2.
Achieving shorter ciphertext length under weaker assumptions in chosen-ciphertext (CCA) secure public-key encryption (PKE) is one of the most important research topics in cryptography. However, it is also known that it is hard to construct a CCA-secure PKE whose ciphertext overhead is less than two group elements in the underlying prime-order group under non-interactive assumptions. A naive approach for achieving more compactness than the above bound is to use random oracles (ROs), but the full RO has various ideal properties like programmability. In this paper, we pursue how to achieve compact PKE only with a minimum ideal property of ROs. Specifically, only with observability, we can give three CCA-secure PKE schemes whose ciphertext overhead is less than two group elements. Our schemes are provably secure under standard assumptions such as the CDH and DDH assumptions. This study shows that ideal properties other than observability are not necessary to construct compact PKE beyond the bound.

3.
Threshold public key encryption allows a set of servers to decrypt a ciphertext if a given threshold of authorized servers cooperate. In the setting of threshold public key encryption, we consider the question of how to correctly decrypt a ciphertext where all servers continually leak information about their secret keys to an external attacker. Dodis et al. and Akavia et al. show two concrete schemes on how to store secrets on continually leaky servers. However, their constructions are only interactive between two servers. To achieve continual leakage security among more than two servers, we give the first threshold public key encryption scheme against adaptively chosen ciphertext attack in the continual leakage model under three static assumptions. In our model, the servers update their keys individually and asynchronously, without any communication between two servers. Moreover, the update procedure is re-randomized and the randomness can leak as well.

5.
In order to achieve secure signcryption schemes in the quantum era, Li Fagen et al. [Concurrency and Computation: Practice and Experience, 2012, 25(4): 2112–2122] and Wang Fenghe et al. [Applied Mathematics & Information Sciences, 2012, 6(1): 23–28] have independently extended the concept of signcryption to lattice-based cryptography. However, their schemes are only secure under the random oracle model. In this paper, we present a lattice-based signcryption scheme which is secure under the standard model. We prove that our scheme achieves indistinguishability against adaptive chosen-ciphertext attacks (IND-CCA2) under the learning with errors (LWE) assumption and existential unforgeability against adaptive chosen-message attacks (EUF-CMA) under the small integer solution (SIS) assumption.

6.
A new distributed forward-secure threshold public-key cryptosystem based on ElGamal   Cited by: 1 (self-citations: 0, citations by others: 1)
Threshold schemes and forward security are the main approaches to the key-exposure problem in public-key encryption and digital signature schemes; combining the two greatly improves the security of system keys. Using the one-wayness of hash functions and a distributed random-number generation algorithm, this paper proposes a new distributed key generation and key update algorithm. Applying it to the ElGamal public-key cryptosystem, it proposes a new distributed ElGamal public-key cryptosystem that is both threshold and forward-secure, and gives a security proof.

7.
袁艳, 蔡光兴. 《计算机应用》 (Journal of Computer Applications), 2011, 31(3): 790-792
Building on the BBS short group signature scheme, a short group signature scheme in the standard model is proposed based on the strong Diffie-Hellman (SDH) assumption and the decision linear Diffie-Hellman assumption, and its security is proven to satisfy full anonymity and full traceability. Compared with recent schemes proven secure in the standard model, the proposed scheme has shorter signatures and higher efficiency, and allows new members to join.

8.
This paper studies the recently proposed ciphertext-only attack on the Cai-Cusick public-key encryption scheme and proposes a new public-key encryption scheme that resists it. By modifying certain parameters of the original scheme, the length of the vectors in the public key is changed, which effectively defends against the attack on the original scheme; the new scheme is also simulated in software. The experimental data show that as the number of trials increases, the probability that the scheme resists the ciphertext-only attack approaches 100%. This shows that the new scheme effectively resists the recently proposed ciphertext-only attack, and since it retains the encryption steps of the original scheme, it also inherits the original scheme's small ciphertext expansion. Future work will study efficient semantically secure encryption schemes that resist ciphertext-only attacks.

9.
Up to now, it is still an open question of how to construct a chosen-ciphertext secure unidirectional proxy re-encryption scheme in the adaptive corruption model. To address this problem, we propose a new unidirectional proxy re-encryption scheme, and prove its chosen-ciphertext security in the adaptive corruption model without random oracles. Compared with the best known unidirectional proxy re-encryption scheme proposed by Libert and Vergnaud in PKC’08, our scheme enjoys the advantages of both higher effi...

10.
Code-based public-key cryptosystems, an important research topic in quantum-resistant cryptography, have the desirable properties of low encryption/decryption complexity and high security. This paper studies the Niederreiter public-key cryptosystem and constructs a new Niederreiter encryption scheme using QC-LDPC codes and a double public key. Security analysis shows that the scheme resists common attack methods while achieving IND-CCA2 security in the random oracle model. Finally, the performance of the scheme is analyzed: compared with the original Niederreiter cryptosystem, the public key size is reduced by 63% and the information rate is increased by 47%.

11.
An efficient hierarchical identity-based encryption scheme is first proposed. On this basis, combined with a strong one-time signature scheme, an identity-based encryption scheme with stronger security is constructed, and its security is proven in the standard model to reduce to the hardness of a standard problem in bilinear groups. The scheme is semantically secure under adaptive chosen-ciphertext attack, which is currently the strongest security model for identity-based encryption.

12.
Certificateless public key cryptography eliminates the inherent key escrow problem of identity-based cryptography, yet does not require certificates as in a traditional public key infrastructure. In this paper, we give a cryptanalysis of Hwang et al.'s certificateless encryption scheme, which is the first concrete certificateless encryption scheme that can be proved secure against a "malicious-but-passive" key generation center (KGC) attack in the standard model. Their scheme is proved to be insecure even in a weaker security model, the "honest-but-curious" KGC attack model. We then propose an improved scheme that is indeed secure against the "malicious-but-passive" KGC attack in the standard model.

13.
Certificate-based cryptography organically combines traditional public-key cryptography with identity-based cryptography: it not only overcomes the key escrow and key distribution problems inherent in identity-based cryptography, but also simplifies the complex public-key certificate management of a traditional public key infrastructure, and is a new type of public-key cryptosystem that has attracted considerable attention. A certificate-based key encapsulation mechanism combines the key encapsulation mechanism with certificate-based cryptography and inherits the desirable properties of the latter. Based on bilinear pairings, this paper proposes an efficient and provably secure certificate-based key encapsulation mechanism. In the standard model, based on the hardness of the decisional truncated q-ABDHE problem and the decisional 1-BDHI problem, the scheme is proven to achieve indistinguishability under adaptive chosen-ciphertext attack, i.e., chosen-ciphertext security. Compared with existing certificate-based key encapsulation schemes secure in the standard model, the scheme has higher computational efficiency and lower communication bandwidth requirements.

14.
Designing provably secure threshold signature schemes in the standard model (without the random oracle model) is of practical significance. Using the L-J scheme, this paper designs a secure identity-based threshold signature scheme in the standard model. The scheme tolerates t < n/2 + 1 members being corrupted by the adversary, and its threshold key generation algorithm needs no trusted center, requiring only interactive negotiation among the members. Under the computational Diffie-Hellman (CDH) assumption, the scheme is robust and unforgeable against adaptive chosen-message attack.

15.
柳欣, 雷文庆. 《计算机应用》 (Journal of Computer Applications), 2013, 33(2): 417-429
Recently, Canard et al. (CANARD S, JAMBERT A. Untraceability and profiling are not mutually exclusive [C]// TrustBus 2010: Proceedings of the 7th International Conference on Trust, Privacy and Security in Digital Business, LNCS 6264. Berlin: Springer-Verlag, 2010: 117-128) proposed the notion of multi-service subscription together with several instantiated systems. However, these systems satisfy only a weak form of revocable anonymity and are unsuitable for "pay-per-use" services. To address this, an improved multi-service subscription system is proposed by extending Canard et al.'s system. The new system supports "pay-per-use" through the anonymous payment technique of Liu et al. (LIU J K, AU M H, SUSILO W, et al. Enhancing location privacy for electric vehicles (at the right time) [EB/OL]. [2012-08-01]. http://eprint.iacr.org/2012/342), and uses the Peng-Bao small-range proof technique to realize a zero-knowledge proof that "the account balance suffices to pay for the current service". In addition, by applying the technique of Cramer et al. to the underlying Σ-protocols, the fully zero-knowledge proofs of knowledge required by the construction of the new system are realized. Compared with existing typical systems, the advantages of the new system lie in its security: first, it is provably secure in the standard model; second, it achieves the strongest security level for three key properties, namely the unsplittability of payment tokens, user anonymity, and the zero-knowledge property of the underlying proof system.

16.
This paper is the first to study batch verification protocols for group signatures in the standard model. Using the small-exponent test technique and the special properties of bilinear pairings, batch verification protocols are designed for two of the currently most efficient group signature schemes, covering the two cases in which multiple signers sign the same message and sign different messages. Compared with verifying each signature individually, verification efficiency is greatly improved.

17.
Security analysis of ECC-based combined public key technology   Cited by: 4 (self-citations: 0, citations by others: 4)
This paper analyzes the security properties of the combined public key technique based on ECC (elliptic curve cryptography) proposed by Tang Wen et al. and presents two collusion attacks. The first, called the chosen collusion attack: a user colludes with w ( 2) users of its choice that have certain mapping properties, and can thereby obtain the private keys of 2^w - w - 1 other users. The second, called the random collusion attack: two colluding users first compute the differences  and  of their public keys, then arbitrarily select combined public keys from the public key-factor matrix and check whether the difference between a selected public key and the public key of one of the two colluders equals  or , thereby achieving the goal of the attack.

18.
How to design efficient encryption schemes that achieve adaptive chosen-ciphertext security (IND-CCA2) in the standard model is an important research topic in public-key cryptography. Based on the decisional bilinear Diffie-Hellman problem, this paper proposes an efficient, strongly secure one-time-pad-style hybrid encryption scheme with short public/private keys, built from basic primitives such as a symmetric encryption algorithm, a message authentication code, and a key-splitting algorithm, and analyzes the scheme's security and efficiency. The scheme is proven IND-CCA2 secure in the standard model, supports public verification of ciphertext integrity, and is computationally more efficient than comparable schemes.

19.
Recently, Liu et al. [26] discovered that Certificateless Public Key Encryption (CL-PKE) suffers from the Denial-of-Decryption (DoD) attack. Based on CL-PKC, the authors introduced a new paradigm called Self-Generated-Certificate Public Key Cryptography (SGC-PKC) that captures the DoD attack, and proposed the first scheme, derived from a novel application of Waters' Identity-Based Encryption scheme [43]. In this paper, we propose a new SGC-PKE scheme that does not depend on bilinear pairings and hence is more efficient and requires shorter public keys than Liu et al.'s scheme. More importantly, our scheme reaches Girault's trust level 3 [16] (cf. Girault's trust level 2 of Liu and Au's scheme), the same trust level achieved by a traditional PKI. In addition, we also discuss how our scheme can lead to a secure and self-organized key management and authentication system for ad hoc wireless networks with a function of user-controlled key renewal.

20.
Identity-based broadcast encryption allows a centralized transmitter to send encrypted messages to a set of identities S, so that only the users with an identity in S can decrypt these ciphertexts using their respective private keys. Recently [Information Processing Letters 109 (2009)], an identity-based broadcast encryption scheme was proposed (Ren and Gu, 2009) [1], and it was claimed to be fully chosen-ciphertext secure without random oracles. However, by giving a concrete attack, we show that this scheme is not even chosen-plaintext secure.
