【作者】 罗喜召；

【导师】 钱培德；

【作者基本信息】 苏州大学 ， 计算机应用技术， 2010， 博士

【摘要】 自上世纪70年代Diffie与Hellman的“密码学的新方向”开创性的工作以来,现代密码学无论在理论研究还是在实际应用方面均已取得了极大的成功,产生了各种各样密码学原型的定义和构建,例如数字签名,公钥加密,基于身份的加密等以及基于不同的密码学原型的运用。然而,随着时代发展和科技进步,现代密码学也面临新的挑战：1.基于现代密码学通用的计算模型：安全计算理论,尤其是两方安全计算以及多方安全计算是否只要能够防范最强的恶意攻击者就能满足实际需要?2.现代密码学的重要前提：密钥完备保密。然而当保密密钥遭受到威胁,如各种各样的边信道攻击时,原来可证安全的安全系统是否仍然安全?上述这两个问题在近年来引起了计算机领域中理论研究工作者,尤其是密码学家的广泛关注。本文分别针对上述两个问题中的基本问题：理性与抗泄漏问题进行研究,主要取得如下研究成果：本文对Halpern与Pass提出的问题,即能否运用具有计算成本的计算博弈理论模型,对计算具有成本的惩罚博弈与防范秘密攻击的两方安全计算建立联系的问题做出了肯定的回答。我们提出威慑度为1/2的防范秘密攻击的安全计算是错误可忽略的计算具有成本的惩罚博弈的调解人的通用实现,并给出了严格的理论证明。自从Yao提出两方安全计算以及Goldweich等人提出多方计算等安全计算理论以来,围绕解决不同情形尤其是防范不同攻击者的安全计算等问题,研究者提出了防范半诚实攻击者、恶意攻击者以及秘密攻击者等有效的解决方案。然而,上述诸多方案在遇到现实情形中总想最大化其个人利益的攻击者,即理性攻击者时便不再保持其原来具有的安全性。在首届国际计算理论创新会议(ICS’10)上Halpern与Pass提出具有计算成本的计算博弈理论建立起了具有计算成本的计算博弈与安全计算之间的联系。直观上讲,具有惩罚的博弈模拟了参与者进行欺骗但又不想被抓住,也即安全计算中防范秘密攻击者的情形。如果参与者均诚实的提供其输入并输出调解人的响应,则其均能获得效用为1/2；然而如果其中一个参与者输出了“punish”,则另外一个参与者获得的效用将为0；因为参与者以1/2的概率被抓住从而被惩罚,因此其欺骗的期望效用为1/2×1+1/2 x0=1/2,将不会比诚实的提供其输入并输出调解人的响应所获得效用大,而这正对应威慑度为1/2的安全计算。因此本文在该理论框架的基础上,从计算具有成本的计算博弈的角度表明威慑度为1/2的防范秘密攻击的安全计算是具有可忽略错误的调节人的通用实现,并给出了严格的理论证明。根据抗泄漏的基于身份的哈希证明系统密码原型,本文提出基于确定性双线性Diffie-Hellman(DH)困难性假设的抗泄漏的基于身份的哈希证明系统；基于该系统,提出了抗泄漏的基于身份的加密方案。同时,在基于带错误学习(LWE)的困难性假设的基础上,提出标准模型下抗泄漏的基于身份的哈希证明系统；并在该证明系统的基础上,提出了抗泄漏的基于身份的加密方案。现代密码学的研究前提是保证密钥的安全性。然而随着各种各样的边信道攻击的出现,许多已有的可证安全的密码系统不再保持其安全性,因此研究抗泄漏的密码原型以及抗泄漏的安全方案的构建成为目前安全研究领域迫切的任务,目前已经提出大量的抗泄漏的密码原型及抗泄漏的安全方案。Naor与Segev在Crypto’09上首次提出基于哈希证明系统的抗泄漏的公钥加密方案,Alwen等人又对其推广到身份环境,提出了抗泄漏的基于身份的哈希证明系统的密码原型。基于该抗泄漏的密码原型,本文在基于确定性双线性DH困难性假设的基础上,提出了抗泄漏的基于身份的哈希证明系统；同时又基于确定性带错误学习的困难性假设,提出了标准模型下的基于身份的哈希证明系统。上述两个抗泄漏的基于身份的哈希证明系统,均比已有的方案的所基于的假设更加简单和实用,因此也取得了更加高效的性能。最后,基于上述两种不同困难性假设的抗泄漏哈希证明系统的构建,本文又提出了抗泄漏的基于身份的加密方案。更多还原

【Abstract】 Since W. Diffie and M. Hellman published their groundbreaking work [22], great successes have been made in both theoretical research and practical applications about modern cryptography. Many kinds of cryptographic primitives and schemes, such as digital signature, public key encryption, and identity-based encryption, etc., are defined and constructed. Of course, there are also many efficient cryptographic applications which are based on different primitives above to be constructed. With developments of sciences and technologies, however, modern cryptography now faces many different new challenges. Specifically, we just mentioned here as follows:1. Is general model of computation based on modern cryptography, secure compu-tation, sufficient to meet the need in practice as long as it is against malicious adversaries?2. Are provable secure cryptographic systems still secure if the premise of modern cryptography in which private key used is perfectly secure is broken when the key is encountered with leakage by all kinds of different side attacks.Recently, much attentions are paid to the two challenges above from theoretical researchers, particularly, cryptographers. We made some contributions to two basic problems mentioned above as follows:We give positively an answer to one of questions proposed by Halpern and Pass which is whether or not, based on the framework of computational game-theoretical implementation for cryptography, we can build the relation between computational game with punishment and secure computation against covert ad-versaries. Namely, we give and prove strictly that secure two party computation with deterrent 1/2 above is a universal implementation of the mediator with negligible error in the computational game theory.Since general theory about secure computation is proposed by Andrew Yao and Oded Goldreich et al., respectively, researchers proposed many efficient schemes against semi-honest, malicious, and covert adversaries for different situations. However, many schemes constructed failed when they are against rational adver-saries which always make their utilities to be maximize. In ICS’10, Halpern and Pass proposed a framework of game-theoretical computation for cryptography. Intuitively, game with punishment models the situation in which players want to cheat, not to be caught, which corresponds to covert adversaries in secure two party computation. If players honestly provide their inputs to the mediator and get their output, the utilities they should get is exactly 1/2. However, if one of players outputs”punish”, another will get the utility with 0. If rational player is caught with probability 1/2 to be punished, at this point his expected utility is 1/2 x 1+1/2 x 0= 1/2, which is not higher than that honestly providing his input to the mediator, which exactly corresponds to secure two party com-putation with deterrent 1/2 against covert adversaries. Therefor, based on the framework, we strictly prove that secure two party computation with deterrent 1/2 against covert adversaries is a universal implementation of the mediator in game theory with punishment and costly computation.Based on a cryptographic primitive of identity-based hash proof system with resilient leakage, we propose two identity-based hash proof systems based on decisional bilinear Diffie-Hellman assumption and decisional learning with error assumption(dLWE), respectively. Particularly, it is constructed in the standard model, without random oracle for dLWE. Further according to the constructions above, we construct two identity-based encryption with resilient leakage:More-over, we give strict proofs to the schemes constructed above.One of the key premises of modern cryptography is to ensure private key perfectly secure. Under all kinds of side channel attacks, however, many cryptographic sys-tems which are provably secure now are not secure against these attacks. Hence it is urgent for researchers to construct cryptographic systems with resilient leakage. Fortunately, nowadays there are many excellent schemes with resilient leakage proposed. In Crypto’10, Naor and Segev proposed first public key encryption with resilient leakage based on hash proof system. Then Alwen et al. extended it to the identity-based situation. Namely, they proposed public key encryption with resilient leakage based on the primitive of identity-based hash proof system. According to the cryptographic primitive, that is, identity-based hash proof sys- tem, we construct two identity-based hash proof system based on different in-tractable assumptions, namely, decisional bilinear DH assumption and dLWE. Our schemes are more efficient and practical than those constructed by Alwen et al. since in our schemes one is based on a simple assumption (i.e., decisional bilinear DH), the other is based on dLWE in the standard model. Based on two constructions above, we further propose two identity-based encryption schemes with resilient leakage which are proved strictly through a series of games.更多还原