Study and Design of Several Identity-Based Signature Schemes (若干基于身份签名体制的研究与设计)

【Author】 孙迅 (Sun Xun)

【Advisor】 李建华 (Li Jianhua)

【Author information】 Shanghai Jiao Tong University, Communication and Information Systems, PhD, 2009

【Abstract (translated from the Chinese)】 In traditional public-key cryptosystems the user's public key is generated at random by the user and bears no relation to the user's identity. To bind a public key to its owner, a certification authority (CA) issues a certificate for the user's public key in the form of its own digital signature, so every user must obtain and verify the certificate before verifying a signature. Because a certificate-based PKI has to provide certificate lookup, enrolment, revocation and many other services, its structure is complex and it is expensive to build and maintain; this certificate-management burden often limits the use of public-key cryptography. To ease these problems, Shamir proposed the concept of identity-based cryptosystems at the 1984 cryptology conference (CRYPTO 1984). In an identity-based scheme the user's public key is computed directly from the user's identity information (real name, e-mail address, etc.), while the private key is generated by a private key generator (PKG) and delivered to the user over a secret channel. Since no certificate is needed to bind a public key to an identity, the overhead of certificate management is avoided. Identity-based cryptography has two main parts: identity-based encryption (IBE) and identity-based signatures (IBS). In recent years many researchers in China and abroad have studied identity-based cryptography in depth, yet the study of identity-based signatures is still incomplete. This thesis therefore focuses on solving several problems in identity-based signature schemes by formal methods. The main results are as follows:

1. An identity-based signature scheme that is provably secure in the standard model and has short public parameters. Compared with the only directly constructed IBS scheme in the standard model known to date, the public parameters are roughly halved, which reduces storage cost. Security rests on the computational Diffie-Hellman (CDH) problem.

2. Signcryption performs encryption and signing together in one efficient operation. In 2007 Yu et al. proposed the first identity-based signcryption scheme in the standard model. This thesis analyses its security, shows that it does not achieve semantic security, proposes a secure identity-based signcryption scheme with a proof in the standard model, and then builds an identity-based broadcast signcryption scheme on it.

3. Directed signatures suit settings such as tax bills and court summonses, but identity-based directed signatures had not been studied systematically. This thesis gives a formal definition of identity-based directed signatures and proposes a scheme provably secure in the random oracle model.

4. In the widely accepted model of identity-based threshold signatures there are two trusted authorities (the PKG and a private-key distributor), so every concrete scheme in that model has two single points of failure. For better robustness, this thesis gives a formal definition and security model for identity-based threshold signatures without a trusted authority and proposes a concrete scheme provably secure in the standard model. Its signing phase is non-interactive, so it outperforms other identity-based threshold signature schemes in communication efficiency.

5. Certificateless public-key cryptography is a successor notion to identity-based cryptography. This thesis proposes a new certificateless threshold signature scheme and proves its security in terms of both robustness and unforgeability. The new scheme outperforms existing schemes in both computation and communication efficiency.

【Abstract】 In traditional public key cryptosystems, the public key is usually a "random" string picked by the user that is unrelated to the user's identity. To bind the public key to its legitimate owner, a certificate authority (CA) digitally signs a certificate attesting to the relationship between the public key and the user. As a result, any verifier must obtain and verify the corresponding certificate before performing signature verification. Certificate management (including revocation, storage and distribution) and the computational cost of certificate verification are the main complaints against traditional public key cryptosystems. To eliminate the burden of certificate management, Shamir introduced the notion of identity-based cryptography in 1984. In an identity-based cryptosystem a user's public key is just his publicly available identity (e.g. real name, e-mail address or IP address), so no extra effort is needed to ensure the authenticity of a public key and the complexity of certificate management disappears. Recently many researchers have studied identity-based cryptosystems in depth, including both signature and encryption schemes. However, as far as we know, the state of research on identity-based signature schemes is still unsatisfactory. The aim of this thesis is therefore to study and design a series of identity-based signature schemes systematically using formal methods. Our main achievements are as follows:

1. Up to now, the only known direct construction of an identity-based signature (IBS) scheme secure in the standard model is the one proposed by Paterson and Schuldt in 2006. Its main drawback is that the public parameters comprise about n_u+n_m group elements, where n_u is the bit length of identities and n_m the bit length of messages. We propose an IBS scheme with reduced public parameters, also proven secure in the standard model: its public parameters consist of max(n_u,n_m) group elements. Security is reduced to the CDH problem in the underlying group.

2. Digital signcryption performs the functionality of signature and encryption simultaneously and efficiently. Yu and Yang recently presented the first identity-based signcryption scheme without random oracles. We show that their scheme is in fact not semantically secure, then devise an identity-based signcryption scheme without random oracles that improves on it. We also build an identity-based broadcast signcryption scheme on top of our identity-based signcryption scheme.

3. Directed signatures are suitable for applications such as tax bills and bills of health. As far as we know, directed signatures in the identity-based setting had not been formally studied. We fill this gap with a formal model for identity-based directed signatures and a concrete scheme provably secure in this model (in the random oracle model).

4. In the widely accepted model of identity-based threshold signature schemes there are two trusted authorities (the private key generator, PKG, and the private key distributor), so every scheme in this model has two single points of failure. To provide better robustness in practice, we propose the notion and security model of identity-based threshold signature schemes without a trusted authority, together with a concrete construction. Its signing phase is non-interactive, so it beats other identity-based threshold signature schemes in communication efficiency.

5. Certificateless cryptography is a sibling notion of identity-based cryptography. We propose a new certificateless threshold signature scheme and prove it secure in terms of robustness and existential unforgeability. It improves on existing schemes in both computation and communication efficiency.
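The Setup/Extract/Sign/Verify flow that both abstracts describe (public key derived from the identity, private key handed out by a PKG, no certificate at verification time) is easiest to see in the original RSA-based identity-based signature from Shamir's 1984 paper. The block below is an added example, not code from the thesis and not one of its pairing-based standard-model schemes; the toy modulus (two Mersenne primes), the hash-to-identity mapping, the identity strings and the message are all constructed for illustration. The demo also exercises the caveat a practitioner should keep in mind with any identity-based scheme: the PKG's master secret d derives every user's key, so the PKG is a full key-escrow point, which is exactly what the certificateless setting of result 5 is designed to remove.

```python
# Added example (not from the thesis): a toy identity-based signature in the
# style of Shamir's 1984 RSA-based IBS. All parameters here are constructed.
import hashlib
import secrets

# Constructed toy modulus from two Mersenne primes, 2^61-1 and 2^89-1.
# Real deployments need primes of at least 1024 bits each; these are small
# only so the example stays readable.
TOY_P = (1 << 61) - 1
TOY_Q = (1 << 89) - 1


def _hash_to_int(data: bytes) -> int:
    """SHA-256 of data, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def identity_to_int(identity: str, n: int) -> int:
    """Public key derivation: the identity string alone determines the public key i."""
    return _hash_to_int(b"IBS-ID:" + identity.encode("utf-8")) % n


class PKG:
    """Private key generator: publishes (n, e), keeps the master secret d."""

    def __init__(self, p: int = TOY_P, q: int = TOY_Q, e: int = 65537):
        self.n = p * q
        self.e = e
        self._d = pow(e, -1, (p - 1) * (q - 1))  # ValueError if e is not invertible

    def public_params(self) -> tuple:
        return (self.n, self.e)

    def extract(self, identity: str) -> int:
        """Issue the user's private key g = i^d mod n (to be sent over a secure channel).
        Escrow caveat: anyone holding d can derive every user's key this way."""
        return pow(identity_to_int(identity, self.n), self._d, self.n)


def _challenge(n: int, t: int, message: bytes) -> int:
    """Hash of (t, message), binding the commitment t to the signed message."""
    byte_len = (n.bit_length() + 7) // 8
    return _hash_to_int(t.to_bytes(byte_len, "big") + message)


def sign(params: tuple, user_key: int, message: bytes) -> tuple:
    """Signature (s, t): t = r^e mod n, s = user_key * r^{H(t, m)} mod n."""
    n, e = params
    r = secrets.randbelow(n - 2) + 2          # fresh randomness per signature
    t = pow(r, e, n)
    c = _challenge(n, t, message)
    s = (user_key * pow(r, c, n)) % n
    return (s, t)


def verify(params: tuple, identity: str, message: bytes, sig: tuple) -> bool:
    """Check s^e == i * t^{H(t, m)} mod n using only the identity and public params.
    Correctness: s^e = (i^d)^e * r^{e*c} = i * (r^e)^c = i * t^c."""
    n, e = params
    s, t = sig
    if not (0 < s < n and 0 < t < n):
        return False
    c = _challenge(n, t, message)
    return pow(s, e, n) == (identity_to_int(identity, n) * pow(t, c, n)) % n


def demo() -> dict:
    """Run the full flow on constructed inputs and return the verification outcomes."""
    pkg = PKG()
    params = pkg.public_params()
    alice, bob = "alice@example.com", "bob@example.com"   # constructed identities
    msg = b"transfer 10 units to bob"                      # constructed message
    sig = sign(params, pkg.extract(alice), msg)
    return {
        "genuine": verify(params, alice, msg, sig),                 # True
        "wrong_identity": verify(params, bob, msg, sig),            # False
        "tampered_message": verify(params, alice, msg + b"0", sig), # False
        # Bob's legitimately extracted key cannot produce a signature valid for Alice.
        "bob_key_as_alice": verify(params, alice, msg,
                                   sign(params, pkg.extract(bob), msg)),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The verifier never touches a certificate: the identity string plus the PKG's public (n, e) are all it needs, which is the whole point of the identity-based setting. The flip side, visible in `PKG.extract`, is that the PKG could itself sign as any user, so in deployment the PKG must be trusted at least as much as a CA is, and the thesis's threshold and certificateless constructions are the standard ways of weakening that single point of trust.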
