【作者】 梅其祥；

【导师】 何大可；

【作者基本信息】 西南交通大学 ， 通信与信息系统， 2005， 博士

【摘要】 安全问题是通信与信息系统中核心问题之一。密码技术是信息安全的基础。 在公钥密码系统(PKC,public key cryptosystem)中,攻击者拥有加密公钥,他可以自由地用该公钥进行选择明文加密,即进行选择明文进行攻击。但是,在开放的网络环境中,攻击者还可以向网络中注入信息,而这种信息可能是一些加密的密文。然后,攻击者可以通过与参与方的交互,获得该密文的明文信息。为此,Rackoff和Simon在1991年提出抗选择密文攻击安全性(即,CCA安全性)概念。大致地说,根据这个定义,攻击者可以获得一些他所选择密文的解密;然后,攻击者被给定一个挑战密文;之后,攻击者还可以继续获得一些他所选择密文的解密,唯一的限制是不能直接获得挑战密文的解密;安全性要求攻击者最后不能获得挑战密文中的明文的任何部分信息。 抗选择密文攻击安全密码系统是一个很强的密码元件。它在设计抗主动攻击的密码学协议中起着重要的作用。如,它可以用来设计认证的密钥交换、密钥托管、公平交换等协议。 本论文从第2章至第5章就两个方面进行研究,一是设计新的PKC方案,并给出严格的证明;另一个是对已有的PKC方案的安全性进行证明。具体创新性工作如下: 在第2章,我们分别以两类特殊的基于身份加密方案—Boneh、Boyen提出的Selective-ID安全的基于身份加密方案和Waters提出的Adaptive-ID安全的基于身份加密方案为基础,建立了新的标准模型下的抗选择密文攻击的(非门限)公钥加密方案。另外,基于BB方案,我们还构造了一个新的CCA安全的密钥封装机制,该封装机制比由新的基于BB方案的加密方案直接得到的封装机制效率更高。这些方案都比直接运用Canetti-Halevi-Katz的方法得到的方案的效率高出很多,而接近于用Boneh-Katz方法得到的方案的效率(对解密而言,新方案的效率更高些)。 在第3章,我们建立了抗选择密文攻击的门限公钥加密方案,他们分别由CHK方案(为简单起见,我们用CHK方案来表示将CHK方法应用到BB方案所得到的方案,而BK方案也表示类似的含义)和我们在第2章中建立的非门限方案转化而得更多还原

【Abstract】 Security is one of the most important problem in the communication and information system, while the cryptography is the basis for the security.In the public key cryptosystem (PKC) , the attacker can get the public encryption key, so he can freely encrypt some plain-text chosen adaptively, i.e., he could choose plain-text attack. But, in the open network, the attacker can also send some message, which may be some ciphertext chosen adaptively. Then, the attacker can interact with the participator, and get back the plain-text of the ciphertext. To deal with this active attack, Rackoff and Simon introduced the notion of secure against adaptive chosen ciphertext attack (i.e., CCA security) in 1991. Informally, according to this definition, the attacker can obtain decryptions of some ciphertexts of its choice. Then, the attacker is given the ciphertext he should challenge. Next, the attacker could continue to get the decryptions of some ciphertexts adaptively chosen, with the only restriction that the challenge ciphertext itself could not be decrypted. Then, this security requests that attacker could not get any partialinformation about the corresponding plain-text of the challenge ciphertext.The cryptosystem secure against adaptively chosen ciphertext attack is very powerful cryptographic primitive. It is essential in designing protocols that are secure against active adversaries. For example, this primitive is used in protocols for authenticated key exchange, key escrow, and fair exchange.In this thesis, from chapter 2 to chapter 5, the study is focused on two points: one is to design some new provable secure PKC schemes; the other is to give the formal proof for some existing PKC schemes. The contributions are summarized as following:In chapter 2, two new (non threshold) CCA secure public key encryption (PKE) schemes in the standard model are constructed from two special identity based encryption (IBE) schemes. Particularly, one is constructed from the Selective-ID secure IBE of Boneh and Boyen, the other is constructed from the Adaptive-ID secure IBE of Waters. In addition, a new CCA secure Key Encapsulation Mechanism (KEM) is proposed from the BB IBE scheme, which is more efficient than the one directly obtained from PKE based on the BB scheme. All the new proposals in this chapter are much more efficient than those can be obtained from the Canetti-Halevi-Katz general transform method, and can be comparable to (for the decryption, the new schemes areeven more efficient) those from the Boneh-Katz method.In chapter 3, CCA secure threshold public key encryption systems are constructed based on the non threshold schemes from CHK scheme (here, for simplified, CHK scheme denotes as the resulting scheme of applying the CHK method to the BB scheme, BK scheme denotes in the same sense) and the new proposals in chapter 2. Before this, most of CCA secure threshold public key encryption systems could only be proved secure in the Random Oracle model, only the Canetti-Goldwasser scheme could be proved CCA secure in the standard model , but since it is interactive, it could not be used in the asynchronous public network. However, all the new threshold schemes not only could be proved secure in the standard model, but also are non-interactive. Next, CCA secure threshold identity based encryption systems in the standard model are constructed. Before this, the first and only CCA secure threshold identity based encryption system, could only be proved secure in the Random Oracle. The results of this chapter also indicate that our schemes in chapter 2 not only enjoy the efficiency of the BK scheme, but also can be used in threshold CCA secure systems like CHK. But since the BK scheme could not be verified publicly, it does not suit for constructing threshold CCA secure system.In chapter 4, the security analysis is given for an existing scheme. It is rigorously proved to be secure against chosen ciphertext attack under the Gap Diffie-Hellman assumption in the Random Oracle model. Before this, it could only be proved in the Generic Group and Random Oracle model. In the Generic Group model, the attacker could not make use of the special code and algebra structure property from the group, in other words, the group is assumed to be ideal. But, the new proof only needs the Random Oracle, that is to say, only the Hash function is ideal. Since, in the Generic Group and Random Oracle model, both the group and the Hash function are ideal, the new proof gives more security confidence than that of previous related work.In chapter 5, two new publicly verifiable encryption schemes in the Random Oracle model are proposed. The proposals are more efficient than the one proposed by Baek and Zheng in 2003. The CCA security of the first one is relative to the Strong Diffie-Hellman problem, while the security of another one is related to the Linear Diffie-Hellman problem.更多还原