
Studies on Proxy Re-encryption Schemes

【Author】 Zhou Dehua (周德华)

【Advisor】 Chen Kefei (陈克非)

【Author information】 Shanghai Jiao Tong University, Computer Architecture, 2013, PhD

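【Summary】 Proxy re-encryption (PRE) is a cryptographic concept introduced by the cryptographers Blaze, Bleumer and Strauss at Eurocrypt’98. In a proxy re-encryption system, once the proxy has obtained a conversion key (the proxy re-encryption key) generated by the delegator for the delegatee, it can convert a ciphertext originally encrypted for the delegator into a ciphertext for the delegatee, and the delegatee can then decrypt the converted ciphertext using only his own private key. Proxy re-encryption further guarantees that, although the proxy holds the conversion key, it still cannot obtain any information about the plaintext underlying the ciphertext. Proxy re-encryption is widely applicable in many settings, such as digital rights protection, distributed file systems, encrypted spam filtering, and cloud computing. This thesis studies proxy re-encryption schemes in depth and obtains the following results:

1. Traditional proxy re-encryption allows the proxy to convert all of the delegator's ciphertexts, so the proxy's conversion capability cannot be well controlled. To solve this problem, Jian Weng et al. proposed the concept of conditional proxy re-encryption (C-PRE). In C-PRE, the proxy can successfully convert a ciphertext only when that ciphertext satisfies a certain condition. This thesis further studies the formal definition and security model of conditional proxy re-encryption, gives a more complete formal definition and security model, and on that basis proposes a more efficient chosen-ciphertext-secure conditional proxy re-encryption scheme. The proposed scheme is provably secure in the random oracle model and has clear advantages in both communication overhead and computational cost.

2. Current academic research on conditional proxy re-encryption is mostly confined to the public key infrastructure setting. This thesis explores how to construct identity-based conditional proxy re-encryption (IBCPRE) schemes and formally gives the definition and security model of identity-based conditional proxy re-encryption. On that basis, two IBCPRE schemes are constructed, which are selective-ID secure in the standard model and fully (adaptive-ID) secure in the standard model, respectively.

3. Most current PRE schemes are constructed from traditional public key encryption (PKE) and identity-based encryption (IBE). To overcome the certificate management problem in PKI and the key escrow problem in identity-based public key systems (for example, the trusted third party KGC can decrypt any ciphertext in an IBE scheme), this thesis further studies the security model of certificateless proxy re-encryption (CL-PRE), and on that basis proposes a concrete certificateless proxy re-encryption scheme and proves its security in the random oracle model.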

【Abstract】 At Eurocrypt’98, Blaze, Bleumer and Strauss introduced the concept of Proxy Re-Encryption (PRE). In a PRE system, the proxy is given a re-encryption key so that it is able to transform a ciphertext under the public key of the delegator into a ciphertext which is forwarded to another user. However, the proxy acquires no knowledge of the plaintext underlying these two ciphertexts, both of which are encryptions of the same plaintext. There are many practical applications of PRE in real life, such as digital rights management, distributed file systems, outsourced filtering of encrypted spam, and cloud computing. In this paper, we study proxy re-encryption schemes and achieve the following results:

1. Traditional PRE enables the proxy to convert all of the delegator’s ciphertexts, without any discrimination, so it cannot implement fine-grained delegation of decryption rights. To address this issue, Jian Weng and others introduced the notion of conditional proxy re-encryption (C-PRE). In such systems, ciphertexts are generated with respect to a certain condition, and the proxy can translate a ciphertext only if the associated condition is satisfied. In this paper we give a more rigorous definition and security notions for C-PRE, and then propose a more efficient C-PRE scheme. Our scheme is provably secure in the random oracle model. Furthermore, the scheme has obvious advantages in communication overhead and computational cost.

2. Existing research on conditional proxy re-encryption is mostly limited to the environment of a public key infrastructure. In this paper, we discuss how to construct identity-based conditional proxy re-encryption (IBCPRE) schemes, formalize the definition and security model of identity-based conditional proxy re-encryption, and then propose two IBCPRE schemes: one is selective-ID secure without the random oracle model, and the other is adaptive-ID secure without the random oracle model.

3. Although many PRE schemes have been proposed, the majority of them are based on either traditional public key encryption (PKE) or identity-based encryption (IBE). However, it is well known that traditional PKE suffers from the problems of certificate management, such as revocation, and that IBE has an inherent key escrow problem (for example, the Key Generation Center (KGC) can decrypt any ciphertext in an IBE scheme). In this paper, we give more rigorous security notions for certificateless proxy re-encryption (CL-PRE), and then propose a CL-PRE scheme. Our scheme is provably secure in the random oracle model.
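
The basic PRE flow summarized above (a re-encryption key is issued, the proxy converts, the delegatee decrypts with its own key), as an added example that is not taken from the thesis: it uses the ElGamal-style construction of Blaze, Bleumer and Strauss rather than any of the thesis's C-PRE, IBCPRE or CL-PRE schemes. The group parameters, function names and sample messages are chosen here for illustration, and the group is far too small for real use.

```python
import secrets

# Toy parameters chosen for this example: safe prime P = 2*Q + 1,
# and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2579, 1289, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1              # secret exponent in [1, Q-1]
    return sk, pow(G, sk, P)                       # (sk, pk = g^sk)

def encrypt(pk, m):
    r = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, r, P)) % P, pow(pk, r, P)   # (m * g^r, g^(a*r))

def decrypt(sk, ct):
    c1, c2 = ct
    g_r = pow(c2, pow(sk, -1, Q), P)               # (g^(a*r))^(1/a) = g^r
    return (c1 * pow(g_r, -1, P)) % P

def rekey(sk_from, sk_to):
    # Re-encryption key rk = b/a mod Q. In this construction, computing it
    # needs both secret exponents; the proxy is handed only the quotient.
    return (sk_to * pow(sk_from, -1, Q)) % Q

def reencrypt(rk, ct):
    c1, c2 = ct
    return c1, pow(c2, rk, P)                      # g^(a*r) -> g^(b*r); c1 untouched

def demo():
    a_sk, a_pk = keygen()                          # delegator
    b_sk, _ = keygen()                             # delegatee
    rk = rekey(a_sk, b_sk)                         # all the proxy ever holds
    msgs = [pow(G, k, P) for k in (5, 77, 1000)]   # constructed sample plaintexts
    results = []
    for m in msgs:
        ct_a = encrypt(a_pk, m)
        ct_b = reencrypt(rk, ct_a)                 # proxy step: only rk and ct_a
        results.append((m, decrypt(a_sk, ct_a), decrypt(b_sk, ct_b)))
    return results

if __name__ == "__main__":
    for m, via_a, via_b in demo():
        print(m, via_a, via_b)
```

The same `rk` converts every ciphertext of the delegator, which is the lack of fine-grained control that the conditional schemes in result 1 are meant to address.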
