【作者】 赵秀凤；

【导师】 徐秋亮；

【作者基本信息】 山东大学 ， 计算机应用技术， 2012， 博士

【摘要】 密码协议是两个或多个参与方之间为完成某个计算任务而进行的一系列交互过程。利用密码协议可以实现会话密钥协商/分发、身份与消息认证、以及安全电子商务/政务等目的。密码协议是保障网络安全最有效的手段之一,是信息与网络安全的关键技术。现实的网络环境是完全开放的,存在各种各样的攻击者和攻击方式,为保证协议参与者的信息安全,防止攻击者得到额外信息,需要设计安全有效的密码协议。可证明安全理论可以将密码协议/方案的安全性规约到某个密码学假设(例如一类数学问题的难解性,或者单向函数的存在性等),如果密码学假设成立,那么该密码协议/方案在当前计算条件下是安全的。因此,研究可证明安全的密码协议具有很强的现实应用背景和实际意义。本论文围绕认证及密钥协商协议的设计及构建密码协议的支撑理论进行了研究,在密码协议/方案的安全性分析、两方可否认认证协议的设计、非对称群组密钥协商协议的叛逆者追踪、安全函数计算的可实现性、多PKG环境下基于身份签密方案的设计及密钥管理方面做了重点研究,并取得了一些研究成果。一、密码协议/方案的安全性分析早期的密码协议设计和分析方法是启发式方法,由于新的密码分析技术的出现是不确定的,而任何新的分析技术都可能使得密码协议被破解,所以启发式方法很难确保一个密码协议的安全性。在这种情况下,密码协议的形式化分析成为研究热点。所谓形式化方法,指的是分析者通过建立安全模型,用基于计算复杂性,或者逻辑推理的形式化方法来分析协议的安全性。本文总结了密码协议安全性分析方法,归纳了计算复杂性方法中的证明技术；并分别对一个可否认认证协议、一个两方认证密钥协商协议和一个多PKG环境下基于身份的签密方案进行了安全性分析,分析结果表明这三个密码协议/方案都存在安全缺陷。二、两方可否认认证协议可否认认证协议能够使接收者确信认证者想要对消息m认证,但是接收者R不能向第3方证明消息的来源：同时,消息m的认证者也不能向第3方证明曾经向接收者提供了认证的消息m。可否认性强化了密码协议的保密特性,并在互联网密钥交换协议、电子选举系统、电子商务系统等许多领域应用。Cramer和Shoup于Eurocrypt2002上提出的哈希证明系统作为一个重要的密码学组件已成功用于可否认认证协议的设计。本文基于可抽取的哈希证明系统,提出了一个新的可否认认证协议,协议满足并发不可伪造性和受限条件下的可否认性,并且给出了协议的安全性证明,将协议的不可伪造性规约为困难查找问题(如大整数分解、CDH),而不是判断问题(如DDH、DCR)。三、叛逆者可追踪的非对称群组密钥协商群组密钥协商作为一种基本的密码学任务,其目标在于允许多个用户在公开的网络环境中建立一个共享密钥。从应用的角度来看,群组密钥协商的最终目的在于为多个用户提供一个秘密的信道。Eurocrypt2009, Wu等人首次提出了非对称群组密钥协商协议(Asymmetric Group Key Agreement, ASGKA)的概念。在非对称群组密钥协商协议中,群组成员协商出的不是一个共享的会话密钥,而是一个共享的加密密钥。这个加密密钥可以被敌手访问,而且对应多个不同的解密密钥,每个用户都可以计算出一个对应该加密密钥的解密密钥。ASGKA是一个全新的概念,它留下了很多开放性问题和继续研究的思路,例如,叛逆者可追踪的ASGKA协议,基于身份的ASGKA协议。本文提出了一个叛逆者可追踪的非对称群组密钥协商协议ASGKAwTT,协议满足标准模型下可证明安全性,并且对于恶意参与者,即叛逆者,泄露给外部敌手的解密密钥,群组中的每个成员通过验证关于身份的多签名就可以恢复出叛逆者的身份信息。四、多方安全函数计算的可实现性Crypt2008, Prabhakaran和Rosulek提出了密码学复杂性的概念,试图在特定的安全模型下,研究安全多方计算函数的可实现性,探讨安全实现各类功能函数的复杂度(难度)及其关系。密码学复杂性理论的研究,最重要的工作是考察安全多方计算任务的可实现性。在一个具体的安全模型下,能够安全实现的所有安全多方计算任务唯一确定了一个“密码学复杂性类”,称为可实现类,然而并不是所有的研究对象都能被安全实现。刻画函数在特定安全模型下可安全实现的本质,有助于划分函数复杂度层次,直观理解函数之间复杂性比较和分类。本文对多方函数计算可实现性的必要条件进行了分析,通过反例证明了这些必要条件并不是充分条件。基于这些分析结果,给出了多方函数计算可实现性的充要条件,并通过一个新的技术框架,称为可分离性(splitiability),给出了可实现性证明。五、多PKG环境下基于身份的签密方案签密能够在一个合理的逻辑步骤内同时完成数字签名和公钥加密两项功能,而其所花费的代价,要远远低于传统的先签名后加密的方法,因此它是实现既保密又认证的传输信息的较为理想的方法,并作为密码协议设计的有效支撑理论被广泛研究。多PKG环境下基于身份的签密机制能够很好地解决域间实体的安全认证和保密通讯问题。本文提出了一个新的多PKG环境下基于身份的签密方案,方案使用了Waters基于身份加密体制及现有的基于身份签密体制的构造思想,并利用“(?)”运算和抗碰撞Hash函数消除了签密密文与明文之间的对应关系,从而保证了方案的语义安全。方案实现了标准模型下的可证明CCA安全和存在不可伪造性；且当新方案退化为单个PKG环境时,与其他标准模型下的安全方案相比,该方案仍有稍高的效率。六、Ad Hoc网络密钥管理方案密钥是密码系统中最机密的信息,密钥的管理水平直接决定了密码的应用水平。为了增强密码管理的可靠性,避免单点失效引起安全隐患,通常采用秘密分享/门限技术来设计有效的密钥管理方案。门限技术的思想是把秘密信息(如密钥)或者某个敏感计算(如加密)分散在多个用户中,使得只有达到一定数量的用户合作可以重构秘密信息或者完成敏感计算,而少于门限数量的用户则无法完成。本文提出了一种新的基于门限秘密共享的Ad Hoc网络密钥管理方案。这个方案最大的特点是,采用了一种完全无交互的基于对称二元多项式的门限秘密共享机制,从而可以安全、高效地实现动态节点加入和恶意节点的可追踪性,以及密钥份额的更新和会话密钥的交换,适合大规模Ad Hoc网络结构的动态拓扑变化。更多还原

【Abstract】 A cryptographic protocol is an interactive procedure between two or multi players to carry out a computing task. Cryptographic protocol has a wide range of applications including session key agreement/distribution, identity and message authentication, and secure electronic business/government affairs etc. It’s the key technology as well as one of the most effective measures of ensuring information and network security.The real network is completely open, and there are varieties of attackers and attacks. In order to ensure the information security of the protocol participants, and to prevent an attacker from getting additional information, it’s necessary to design secure and effective cryptographic protocols. The theory of provable security enables one to reduce the security of a protocol/scheme to some cryptographic assumption (such as the intractability of a class of mathematical problems, or the existence of one-way functions etc.) such that, if the assumption holds then the underlining protocol/scheme is secure under current computing capability. Therefore, it is of great practicability to do a systematic research on provably secure cryptographic protocols.In this thesis, we investigate the design of authentication and key agreement protocols as well as the supporting theory of constructing cryptographic protocols, in which we focus on the security analysis of cryptographic protocols/schemes, the construction of two-party deniable authentication protocol, traitor-tracing in asymmetric key agreement protocol, the realizability of secure function evaluation (SFE for short), and the design and key management problems of identity-based signcryption schemes in the multi-PKG case, and achieve some results.1. Security analysis of cryptographic scheme/protocolsIn early literatures, the design and analysis of cryptographic protocols are shown in a heuristic way. However, the emergence of new cryptanalysis techniques is uncertain and any new technique is likely to make cryptographic protocols to be cracked, hence it is difficult to ensure the security of protocols based on the heuristic method. In this context, formal analysis is introduced and becomes one of the most interesting research areas. For formal analysis, the analyst first establishes the security model, and then applies the methods based on computational complexity or logical reasoning to analyze the security of the protocol. This thesis concludes the main analysis methods and the proof techniques based on computational complexity. Then we investigate a deniable authentication protocol, a two-party authenticated key agreement protocol and an identity-based signcryption scheme in the multi-PKG case respectively, and show that all of them have security flaws.2. Two party deniable authentication protocolsDeniable Authentication protocols allow a sender to authenticate a message for a receiver, in a way that the receiver cannot convince a third party the source of message; meanwhile, the sender cannot convince a third party that she has authenticated a message. Deniability strengthens the privacy of cryptographic protocols, and has wide applications in internet key exchange, electronic election, and electronic business etc. The hash-proof system introduced by Cramer and Shoup in Eurocrypt2002as a basic component in cryptography, has been incorporated in the constructions of deniable authentication protocols. This thesis present a new deniable authentication protocol based on extractable hash proof systems, which satisfies concurrent unforgability and restricted deniability. Furthermore, we show a formal security proof reducing unforgability to the hardness of search problems (e.g. integer factorization, CDH) instead of decision problems (e.g. DDH, DCR).3. Asymmetric group key agreement with traitor traceabilityAnother basic cryptographic task known as group key agreement enables multi participants to agree on a shared secret key in the open network. Considering from the application point of view, the goal of group key agreement is to establish a private communication channel between the participants. In Eurocrypt2009, Wu et al. first introduced the notion of asymmetric group key agreement (ASGKA for short) in which the final key obtained is not a secret session key but a public encryption key. This encryption key is available to the adversary, and is related to many different decryption keys such that every participant is able to compute one valid decryption key corresponding to the same encryption key. As ASGKA is a new research area, a lot of open problems and further research ideas are left, such as traitor-tracing ASGKA protocol. This thesis constructs an asymmetric group key agreement protocol called ASGKAwTT, which is provably secure in the standard model and enjoys the traitor-tracing property. That is, for any malicious player (i.e. the traitor) that leaks her secret key to an external adversary, her identity can be recovered by the group members through verifying the multi-signature on identities.4. The realizability of multi-party secure function evaluation The theory of cryptographic complexity, introduced by Prabhakaran and Rosulek in Crypto2008, studies the realizability of secure multi-party function evaluation and the inherent complexity of secure computing multi-party functionalities in specific security models and their relations. The most important step in this area is to investigate the secure realizability of multi-party tasks. Each concrete security model naturally defines a "cryptographic complexity class" consisting of the tasks which have secure protocols in that model, called the realizable class. However, not all the functionalities in consideration are realizable. Therefore, to abstract the combinatorial characterizations of protocols that can be secure realized under a specific security model, helps us in partitioning various cryptographic tasks into complexity levels and leads us to a better understanding and comparing of cryptographic complexity classes. This thesis analyze the necessary conditions that multi-party secure function evaluation (SEE) can be realized, and prove that these necessary conditions are not sufficient via counter examples. Based on the above result, we further show the sufficient and necessary conditions of realizable SFE functionalities, and exhibit a proof of realizability by introducing a new framework called splitability.5. Multi-PKG id-based signcryption schemeSigncryption is a cryptographic primitive that simultaneously performs the functions of both digital signatures and encryption schemes in a single step, while in a way that is more efficient than "encrypting-then-signing". Hence it is an effective method for private and authenticated message transmission, and has been extensively studied as a supporting theory in protocol designing. Identity-based signcryption scheme in the multi-PKG case provides a good solution to secure authentication and private communication between entities from different domains. This thesis present a new identity-based signcryption scheme in the multi-PKG case, which employs the ideas from Water’s identity-based encryption scheme and existing identity-based signcryption schemes, using the⊕operation as well as collision-resilient hash function to eliminate the correspondence between ciphertext and plaintext and ensure semantic security. This scheme achieves provable security in the standard model and existential unforgability. Moreover, when only single PKG is concerned, this scheme has a better efficiency compared with other schemes in the standard model.6. Ad Hoc key management schemeSince secret key is the core information in a cryptosystem, the key management level directly determines the application level of a cryptosystem. In order to strengthen the reliability of key management and get rid of the security risks caused by single-point failures, it is usually preferred to apply secret sharing/threshold cryptography to design effective key management schemes. The main idea behind threshold cryptography is to share the secret information (e.g. the secret key) or the sensitive computation among multi players such that, nothing but a certain number of players coordinating is able to reconstruct the secret information or complete the sensitive computation, while fewer players cannot. This thesis design a new Ad Hoc key management scheme based on threshold secret sharing. The highlight of this scheme lies in that, it employs a non-interactive threshold secret sharing scheme based on symmetric binary polynomial such that, it provides a secure and efficient implementation for dynamic node joining, malicious node tracing, key share updating and session key exchanging, which makes it more applicable to large-scale Ad Hoc network with a dynamically changing topology.更多还原