
On Provably Secure Identity-Based Encryption Scheme and Its Applications

【Author】 Xu Peng (徐鹏)

【Advisor】 Cui Guohua (崔国华)

【Author information】 Huazhong University of Science and Technology, Information Security, 2010, doctoral dissertation

【Abstract (translated from the Chinese)】 In 1984, Shamir first proposed the concept of identity-based cryptography, the idea being to realize public-key cryptography with a user's identity information serving as the public key; however, the first practical identity-based encryption scheme (IBE scheme for short) was not proposed until 2001. Compared with a traditional public-key infrastructure, an IBE scheme needs no online trusted third party and therefore fundamentally removes the performance bottleneck that the trusted third party forms in traditional public-key encryption. At present IBE schemes are still largely at the stage of theoretical research; although some applications exist, many problems must be solved before full industrial deployment, chiefly: the provable security and execution efficiency of IBE schemes; the key escrow problem; the anonymity problem; and innovative applications of IBE. Building on well-known existing IBE schemes and analyzing the main factors that affect provable security and execution efficiency, this dissertation proposes two IBE schemes of different types. The first achieves provable security in the standard model under a strong security definition and a weak hardness assumption with a more efficient reduction, and compared with IBE schemes of the same type it currently has the best performance figures. The second avoids the computationally expensive bilinear map and realizes an efficient IBE scheme in an ordinary elliptic-curve group; in the random oracle model (RO model for short), again under a strong security definition and a weak hardness assumption, it achieves a "tight" security reduction and so keeps security degradation as small as possible, and compared with schemes of the same type it has both shorter ciphertexts and higher execution efficiency. Successful industrialization of IBE depends not only on the security and efficiency of the scheme itself but also on its suitability in practice. Because the private key in an IBE scheme is normally generated entirely by a third party, the key escrow problem makes such schemes hard to apply in real environments. Several solutions exist, but they still have obvious drawbacks. On the basis of existing work, a more efficient IBE scheme with a constrained third-party authority is therefore proposed. In the standard model, under a stronger security definition and a weaker hardness assumption, it has a "tighter" security reduction; and since a single bilinear map evaluation has a high time complexity, reducing the number of such evaluations to a constant gives the new scheme a clear performance advantage. Moreover, when certain parameters are chosen within a given range, its overall computational cost is also lower than that of existing schemes. As an entirely new kind of public-key encryption, the IBE scheme has also had its functionality extended beyond confidential transmission. Anonymity of public-key encryption is one of the most sought-after properties in current applications; although several results exist in this area, achieving anonymity for IBE schemes is far more involved than for traditional public-key cryptosystems. Starting from the formal definition of anonymity and an intuitive understanding of it, the idea of a one-time encryption key is proposed and, as an instance, used to realize anonymity for a traditional discrete-logarithm public-key encryption scheme; compared with existing results, the one-time encryption key idea needs fewer sufficient conditions to achieve strong anonymity for this instance. The idea is then generalized to IBE schemes: a formal model of IBE schemes based on one-time encryption keys is proposed from a macroscopic viewpoint, and the properties that the main functions of this model must have in order to achieve anonymity are analyzed, which gives important guidance for proposing concrete instances. Extending the identity-as-public-key feature of IBE, the research community proposed the new idea of constructing public-key encryption with keyword search from anonymous IBE schemes, and as the research deepened, searchable public-key encryption schemes with further new properties were proposed one after another, for example public-key encryption with temporary keyword search (PETKS scheme for short). Building on existing PETKS schemes, an improved scheme targeting execution performance is proposed, and its functionality is further extended into two new schemes in which searchability is valid only within a period specified by the receiver or by the sender, respectively. The successful proposal of many practical IBE schemes relies mainly on the emergence of bilinear maps, and inspired by IBE, bilinear maps have found many new uses. Addressing the internal different-key attack on the well-known group key agreement scheme of Burmester and Desmedt, an improved scheme based on bilinear maps is proposed; compared with the original scheme, the improvement not only resists that attack but also adds no time complexity or communication cost, and compared with other improved schemes of the same type it has a clear efficiency advantage. Research on IBE is an important topic in cryptography today; as research deepens, many newer and better schemes will be proposed, and the research is by no means confined to the schemes themselves: new applications will appear and may even lead researchers to study and discover deeper mathematical problems.

【Abstract】 In 1984 Shamir proposed the concept of an identity-based cryptosystem, in which a user's identity is taken as the public key, but the first efficient and provably secure identity-based encryption (IBE) scheme was not proposed until 2001. In contrast with the widely used Public-Key Infrastructure (PKI), an IBE scheme works without an online trusted third party and therefore fully avoids the performance bottleneck that the third party forms in PKI. Current research on IBE is mainly theoretical, covering provable security, key escrow, anonymity and so on; in practice, several applications based on it have been proposed, such as Public-Key Encryption with Keyword Search (PEKS). Based on the well-known existing IBE schemes, we analyze the main factors affecting their provable security and performance, and then propose two improved IBE schemes: the first achieves a tighter security reduction, based on a strong security definition and a weak hardness assumption, in the standard model, and compared with existing IBE schemes of the same kind it has the best performance; the second is constructed entirely without the bilinear map and achieves a "tight" security reduction, based on a strong security definition and a weak hardness assumption, in the random oracle model. Compared with the other schemes of its kind, the second scheme not only has shorter ciphertexts but also better performance.
In summary, the two schemes proposed in this dissertation respectively achieve a tighter reduction in the security proof and more efficient performance. For IBE to be adopted commercially, it is not enough to improve its provable security and performance; the scheme must also be adapted to practice. In most existing IBE schemes the user's private key is generated entirely by the third party, which is unreasonable in practice (this flaw is called the key escrow problem). Some methods have been proposed to solve it, but they also have several flaws. Based on Goyal's work of 2007, a more efficient accountable authority IBE scheme is proposed in this dissertation. With respect to provable security, the new scheme has a tighter security reduction, based on a stronger security definition and a weaker hardness assumption, in the standard model. In addition, to improve performance, the number of bilinear map evaluations is reduced as far as possible: only two such operations are needed in the new scheme. Furthermore, when some system parameters of the new scheme are chosen properly, its performance is better than Goyal's. Recently, with the development of cryptosystems, a public-key encryption scheme must not only achieve data privacy but also protect the identity of the receiver of a ciphertext, that is, keep the receiver anonymous. An IBE scheme is a special kind of public-key encryption, and achieving its anonymity is much harder than for other kinds of schemes. To solve the anonymity of IBE more efficiently, we take inspiration from the rigorous definition of anonymity and propose a new concept of anonymity. To verify the validity of this new concept, we construct an instantiated technique that achieves anonymity for a traditional DL-based encryption scheme.
Furthermore, to extend this new concept to IBE schemes, a macroscopic general framework is proposed for analyzing the requirements of a successful extension; the several requirements given in this dissertation can theoretically guide the instantiation of this extension in future research. Taking advantage of the identity-based character of IBE, the PEKS scheme was invented in 2004 on the basis of anonymous IBE, and an extension of PEKS, called Public-Key Encryption with Temporary Keyword Search (PETKS), was proposed later. Based on this existing research, two new extended PETKS schemes are built that constrain searchability to a time period chosen by the receiver and by the sender, respectively. The first efficient IBE scheme owes its success to the bilinear map, and inspired by IBE, bilinear maps have since been used in many other fields. To overcome the internal different-key attack on the well-known key agreement protocol proposed by Burmester and Desmedt, an improved protocol based on the bilinear map is constructed in this dissertation. Compared with the original protocol, the new protocol not only resists that attack but also does not increase time complexity or communication; furthermore, compared with other existing improved protocols, it is more efficient. Undoubtedly, IBE is an important and active research field in cryptography. As research on it develops, better IBE schemes will be proposed; analogously to PEKS, new applications will be introduced; and even new mathematical theorems may be discovered.
