
Research on Identity-Based Cryptography Schemes (基于身份密码方案的研究)

【Author】 Zhang Bo (张波)

【Supervisor】 Xu Qiuliang (徐秋亮)

【Author information】 Shandong University, Computer Application Technology, 2010, PhD

【Abstract (translated from the Chinese)】 In traditional public-key cryptosystems, the use of a public key first depends on a trusted third party, called a Certificate Authority (CA), issuing a public-key certificate to the user. The CA's signature on the certificate binds the user's identity to a seemingly random public key; only an identity and public key signed by the CA are legitimate, so the CA is the core institution of this architecture and is responsible for every stage of the life cycle of users' public-key certificates. Using these certificates incurs large computation and storage costs, management is complex, the CA at the centre of the system faces demanding requirements, and the burden on the system is heavy. To simplify certificate management, in 1984 the noted cryptographer Shamir proposed the idea of Identity-Based Cryptography (IBC). The basic idea is to bind a user's identity to its public key in the most natural way: the user's identity information is the user's public key, and the user's private key is generated by a trusted third party called the Private Key Generator (PKG) and sent to the user. Under an identity-based public-key architecture there is no need to store public keys or certificate directories, the management of public-key certificates is simplified, and public keys are used more directly, which reduces computation and storage overhead.

This dissertation studies identity-based cryptosystems, in particular the design and analysis of identity-based schemes in the standard model, with emphasis on establishing security models and on formal provable security. It focuses on the security definitions and concrete constructions of identity-based strong designated verifier signatures, signcryption, multi-signcryption, anonymous multi-receiver signcryption, group-oriented encryption and signcryption, and secure key issuing protocols, aiming to design efficient, provably secure identity-based cryptosystems.

Most identity-based cryptosystems are constructed from bilinear pairings, so reducing the number of pairing computations is the key to improving the efficiency of identity-based schemes. Recently, Li Jiguo et al. proposed a new identity-based signature scheme whose verification algorithm uses one pairing computation fewer than the scheme of Paterson et al., a significant efficiency gain. In Chapter 3 we analyse this scheme and, regrettably, find that it has a security weakness: it cannot resist existential forgery by an adversary who already knows a private key or a valid signature.

In the real world, to achieve complete control over a signature and prevent its misuse, one wishes to designate the signature's verifier: only the designated verifier can verify and accept the signed content, and non-designated verifiers cannot determine the signer's identity. Depending on whether the verification algorithm requires the verifier's private key, designated verifier signatures are divided into designated verifier signatures and strong designated verifier signatures. In Chapter 4 we propose, in the random oracle model, a provably secure strong designated verifier proxy signature scheme and an identity-based strong designated verifier proxy signature scheme; both satisfy the security properties of proxy signatures and of strong designated verifier signatures simultaneously, and effectively prevent signature misuse and leakage of the signed content. We also propose the first identity-based strong designated verifier signature scheme provably secure in the standard model.

Encryption and signature are the most basic cryptographic tools for obtaining confidentiality and authenticity. In 1997 Zheng proposed the new cryptographic concept of signcryption, which performs encryption and signing in a single logical step over a public channel, achieving confidentiality and authenticity of transmitted messages while lowering the computation and communication costs of the traditional sign-then-encrypt approach. Identity-based signcryption is one of the active topics in signcryption research, and this dissertation obtains the following results on it:

1. In Chapter 3 we analyse the security of the first identity-based signcryption scheme constructed in the standard model, point out its security problems and improve it; the improved scheme satisfies ciphertext indistinguishability under adaptive chosen-ciphertext attack and existential unforgeability of ciphertexts under chosen-message attack.

2. In Chapter 5 we complete the security model of identity-based multi-signcryption and propose the first identity-based multi-signcryption scheme provably secure in the standard model; to the receiver, a valid signcryptext shows that all signers endorse the plaintext message. The scheme is efficient: even in the degenerate case of a single signcrypter it improves on the efficiency of existing single-signcrypter signcryption schemes.

3. In Chapter 5 we give for the first time a formal definition and a complete security model for identity-based anonymous multi-receiver signcryption, and construct a concrete scheme in the standard model; the scheme achieves unconditional anonymity of the signcrypter's identity and improves the computation and transmission efficiency of message delivery to multiple receivers.

Some network applications need to send the same message to several entities. The simplest way is for the sender to encrypt the message separately for each receiver and transmit it point-to-point; clearly this is very inefficient when the receiving group is large and necessarily generates a great deal of computation and communication. To solve the problem of efficiently broadcasting digital content to a group of receivers, Fiat et al. proposed the concept of broadcast encryption in 1993: the broadcaster encrypts the information, only authorised users can decrypt the ciphertext to obtain it, and the broadcaster can partition the receivers into subgroups so as to send different information to designated subgroups, while users outside a subgroup cannot obtain the broadcast content. Many identity-based broadcast signcryption schemes have also appeared; they achieve confidentiality and authenticity of group communication, but alongside these advantages, how to obtain constant-size system parameters has remained a difficult problem in this area. Another problem is that existing schemes must fix a large receiver group in the setup phase, and the broadcaster must know the individual public keys of the group members exactly, whereas in some applications the publisher may not know the receivers' information and receivers may join dynamically. In Chapter 6 we propose for the first time the notion of identity-based group-oriented encryption and signcryption and give concrete constructions. In the new scheme both the system parameters and the ciphertext length are constant; the sender needs only the identity of the receiving group to produce the signcryptext, and each member of the receiving group can independently decrypt the ciphertext and verify the validity of the signature. The new scheme is provably secure under identity-based chosen-ciphertext attack and chosen-message attack.

In an identity-based cryptosystem, the PKG generates the user's private key and transmits it to the user over a secure channel. Because the PKG has full control over users' private keys, all users must trust it completely. In real life, however, such a trusted entity is generally hard to find, especially in the early stage when identity-based cryptosystems are just beginning to be deployed and the infrastructure is incomplete. A malicious PKG may appear that sells users' private keys, decrypts users' ciphertexts or forges users' signatures, and it may go undetected even after doing so, because the resulting effects (private key leakage, leakage of encrypted messages, signature forgery and so on) cannot be distinguished from those caused by the user, deliberately or accidentally. This problem of the PKG fully controlling users' private keys is called the "key escrow" problem; it is inherent to identity-based cryptosystems and hinders their wide application. In Chapter 7 we study the key escrow problem and analyse the behaviour of existing solutions under active attacks by the PKG; the results show that single-round authentication cannot truly solve key escrow. Combining the advantages of existing solutions, we propose a new identity-based key issuing mechanism that effectively resists active attacks launched by the PKG and prevents the PKG from having full control over users' private keys.

【Abstract (English)】 In traditional public key cryptosystems, a user's public key is a random string unrelated to his identity. When Alice wants to send a message to Bob, she must first obtain Bob's authenticated public key. Typical solutions to this problem involve public key directories maintained by a trusted third party named the Certificate Authority (CA). Problems with traditional public key cryptosystems are the high cost of the infrastructure needed to manage and authenticate public keys, and the difficulty of managing multiple communities.

Identity-based cryptosystems were introduced by Shamir in 1984. The main idea is that the public key of a user can be derived directly from an arbitrary string corresponding to his identity information, such as a name, telephone number or email address. A Private Key Generator (PKG) computes private keys from a master secret and distributes them to the users participating in the scheme. This eliminates the need for the certificates used in a traditional public key infrastructure. Identity-based systems may be a good alternative to certificate-based systems from the viewpoint of efficiency and convenience, so the study of identity-based cryptosystems is of theoretical and practical significance.

This dissertation investigates the design and security analysis of identity-based schemes, including identity-based signcryption, identity-based multi-signcryption, identity-based anonymous signcryption for multiple receivers and secure key issuing protocols. The contributions of this dissertation can be summarized as follows.

Bilinear pairing computations are used in almost all concrete identity-based schemes, and reducing the number of pairing computations is the key to increasing the efficiency of these schemes. Recently, Li et al. proposed a new identity-based signature scheme whose verification algorithm requires one pairing computation fewer than Paterson's scheme, improving efficiency significantly. In chapter 3, we analyse this scheme and find that it has some security weaknesses: the scheme cannot resist existential forgery if the attacker already holds some private keys or some valid signatures.

In the real world, in order to achieve complete control over signatures, people want to specify the verifier. Only the designated verifier can verify and accept the signatures, and a non-designated verifier cannot determine the identity of the signer. In chapter 4, we propose a strong designated verifier proxy signature and an identity-based strong designated verifier proxy signature in the random oracle model, respectively. The schemes satisfy all security requirements of proxy signatures and strong designated verifier signatures. We also propose the first identity-based strong designated verifier signature in the standard model.

Two fundamental goals of Public Key Cryptography (PKC) are privacy and authenticity, achieved through encryption and signature respectively. In 1997, Zheng proposed a new cryptographic primitive, signcryption, which performs digital signature and public key encryption simultaneously at lower computational cost and communication overhead than the sign-then-encrypt approach to obtaining private and authenticated communication. Signcryption is a very important technology for message security and sender identity authentication in communication over an open channel. In this dissertation, we obtain three results in the research on identity-based signcryption schemes:

1. Recently, Yu et al. proposed the first identity-based signcryption scheme in the standard model. However, in chapter 3, we show that the scheme still has some security weaknesses. Further, we propose a corrected version of the scheme and formally prove its security under the existing security model for identity-based signcryption.

2. Adapted to multi-user settings, in chapter 5 we define the security model of identity-based multi-signcryption and propose the first identity-based multi-signcryption scheme without random oracles, based on Waters' identity-based encryption scheme. The scheme is proved secure against adaptive chosen ciphertext attacks and adaptive chosen message attacks under the decisional bilinear Diffie-Hellman assumption and the computational Diffie-Hellman assumption, respectively. Even when reduced to a one-signcrypter scheme, the new scheme is more efficient than the existing one-signcrypter scheme.

3. Anonymous signcryption is a novel cryptographic primitive which provides anonymity of the sender along with the advantages of a traditional signcryption scheme. In chapter 5, we define the fully secure model of identity-based anonymous signcryption and propose the first concrete scheme in the standard model. The proposed scheme satisfies semantic security, unforgeability and ambiguity of the signcrypter's identity. We also give a formal proof of its semantic security under the hardness of the Decisional Bilinear Diffie-Hellman problem and of its unforgeability under the Computational Diffie-Hellman assumption.

In some network applications, people have to distribute the same message to all n group members. A simple approach to achieving this goal is for the sender to encrypt the message for each member of the group separately. Obviously, the cost of this approach in a large group is very high. Broadcast encryption, first proposed by Fiat and Naor in 1993, considers the problem of broadcasting digital content to a large set of authorized users. Such applications include pay-TV systems, copyrighted CD/DVD distribution, and fee-based online databases. The broadcaster encrypts the message and only the authorized users have the decryption keys to recover the data. In this type of scheme the sender encrypts a message for some subset of receivers and sends the ciphertext by broadcast over the Internet. Any receiver in the designated subset can use his private key to decrypt the ciphertext, while nobody outside the subset can obtain any information about the contents of the broadcast. Broadcast encryption has many advantages; however, these advantages make broadcast encryption schemes much more complicated, and it is very difficult to make a scheme satisfy so many requirements while keeping the ciphertexts and keys of constant size at the same time. Another problem is that broadcast encryption schemes must fix a maximum receiver set in the system setup phase, and the broadcaster must know the identity of everyone in the receiving group exactly. But in many applications, the membership is unknown to the message sender. In chapter 6, we formalize the notion of identity-based broadcast group-oriented encryption and signcryption and propose a concrete construction based on Gentry's IBE scheme. In our new scheme, the broadcaster encrypts the message using the designated receiving group's identity, and any receiver in the designated group can independently decrypt the ciphertext. The newly proposed scheme has the following merits: every member of the receiving group needs to keep only one private key; both ciphertexts and system parameters are of constant size; and a sender can send a secure message just by using the receiving group's identity information, even before a receiver in the designated group has obtained his private key from the PKG.

In an identity-based cryptosystem, a user's private key is computed by the PKG from a master secret. Therefore, the PKG can decrypt any ciphertext or forge a signature on any message. This inherent problem of identity-based cryptosystems is called "key escrow": the PKG knows the user's private key, so there is no user privacy or authenticity with respect to the PKG, and the PKG must be trusted as a trusted third party. But in the real world, such a trusted third party is not easily found. Another criticism is that identity-based cryptosystems require a secure channel for delivering private keys between the users and the PKG. Due to these inherent problems, identity-based cryptosystems are considered suitable only for closed user networks with lower security requirements. Therefore, eliminating these problems is essential to making identity-based cryptosystems more applicable in the real world. In chapter 7, we show that the existing schemes for solving key escrow still have some security weaknesses under active attacks by the PKG. Furthermore, we present a new key issuing mechanism which is undeniable and secure against the PKG's active attacks.

  • 【Online publication submitted by】 Shandong University
  • 【Online publication year and issue】 2010, Issue 08