
Research on Multiparty-Oriented Cryptography Schemes

[Author] 蒋瀚

[Supervisor] 徐秋亮

[Author information] Shandong University, Computer Application Technology, 2008, Doctoral dissertation

[Abstract (Chinese, translated)] With the rapid development of computer networks, people carry out more and more activities on the network, and these activities are increasingly complex; many of them are multiparty and group activities, so multiparty-oriented cryptosystems are of important theoretical and practical significance. In the setting of multiparty-oriented cryptography, some traditional security requirements, such as confidentiality, integrity, authentication and non-repudiation, take on new forms; at the same time, multiparty application scenarios bring new security requirements, such as anonymity, traceability, fairness and so on. Multiparty-oriented cryptography is an extremely broad research field, including multiparty-oriented encryption schemes, such as threshold encryption/decryption, broadcast encryption, group-oriented encryption and group encryption; multiparty-oriented signatures, such as threshold signatures, aggregate signatures, group signatures, ring signatures and concurrent signatures; and multiparty-oriented key agreement/management, among others. This thesis studies a subset of multiparty-oriented cryptographic schemes and obtains results in threshold cryptography, forward-secure cryptosystems, broadcast encryption schemes, and fair contract signing/concurrent signature protocols.

Threshold cryptosystems are a fairly classical kind of multiparty cryptosystem; the idea is to protect sensitive data (or computations) by distributing them in a fault-tolerant manner among a group of cooperating participants. The foundation of threshold cryptography is threshold secret sharing. A threshold secret sharing scheme distributes a piece of secret information among several participants such that (1) fewer participants than the threshold cannot compute the secret, and (2) participants numbering at least the threshold can cooperate to compute the secret. A useful extension of secret sharing is the sharing of function computation: certain highly sensitive operations, such as decryption and signing, can be performed in a threshold manner, so that fewer than the threshold of participants cannot complete the operation jointly, and when the operation needs to be performed, nobody can prevent a group of at least the threshold of participants from completing it together. Research on threshold cryptography is very extensive; this thesis obtains three results on threshold proxy signatures and threshold ring signatures.
1. We construct the first secure and efficient RSA threshold proxy signature scheme. In the constructed scheme, no trusted authority is used; all secret parameters are generated by the participants in a distributed way.
2. We point out that the improved scheme proposed by Tzeng et al. for Hwang et al.'s "non-repudiable proxy signature scheme with known signers" does not hold, and, addressing the original-signer forgery problem in Hwang et al.'s original scheme, we propose our own new improved scheme.
3. We propose an efficient identity-based threshold ring signature scheme and prove its security in the standard model.

In multiparty-oriented cryptosystems, the security of keys remains very important: in a cryptosystem, if a user's key is leaked, all security guarantees are lost. Besides using threshold secret sharing to protect users' private keys, there is another kind of cryptosystem, called forward secure, that can mitigate the damage caused by key exposure. In a forward-secure cryptosystem, the whole validity period is divided into a number of stages; the public key remains unchanged over the whole validity period, while the user's private key for each stage is evolved from the private key of the previous stage and is used only during the current stage, and at the end of each stage the private key belonging to that stage is permanently deleted. The key evolution process is irreversible: it is difficult to derive the previous stage's private key from the current one. In a forward-secure cryptosystem, when the key of some stage is exposed, the key of that stage must be revoked and key evolution stopped. However, how to discover key exposure has not been studied in forward-secure schemes. Itkis et al. proposed the concept of cryptographic tamper evidence and constructed a tamper-evident signature scheme. A tamper-evident signature scheme has an additional procedure, Div, that can detect key tampering: given two signatures, Div can decide whether one of them was generated by a forger. At that point it cannot be said which signature was generated by the legitimate signer and which is forged, but it provides evidence that the key has been tampered with. For forward-secure encryption and forward-secure signature schemes, this thesis obtains two results respectively.
1. Based on the concept of tamper evidence, we define a new concept of "forward-secure encryption with tamper evidence", propose a general construction method for it, and also give a concrete construction. In the standard model, we prove that the scheme is forward secure, strongly forward tamper-evidence secure, and achieves security against chosen-ciphertext attacks.
2. Based on the concept of tamper evidence, we define a new concept of "forward-secure signature with tamper evidence", propose a general construction method for it, and also give a concrete construction. In the standard model, we prove that the scheme is forward secure, strongly forward tamper-evidence secure, and strongly unforgeable under chosen-message attack.

The confidentiality of data transmission is one of the most basic requirements of information security. In multiparty application environments, the most common need is for one party to send encrypted data to many parties; typical examples are pay cable television and the distribution of digital content. Broadcast encryption means that the broadcaster of a message can send an encrypted message to an arbitrary subset of the receivers, and only the receivers in that particular subset can decrypt the message, while other users cannot. In the study of broadcast encryption, we obtain one result. We propose an identity-based dynamic broadcast encryption scheme, prove its security in the random oracle model, and compare it with previous identity-based broadcast encryption schemes. Compared with previous schemes, ours has clear advantages: first, it does not require a maximum set of potential receivers to be fixed in advance, and its public key length, private key length and ciphertext length are all constant; second, its encryption/decryption costs are lower than those of previous schemes; finally, it can efficiently add new receivers and remove old ones. Therefore, our scheme is efficient and practical for large, dynamic groups of receivers.

Some business transactions always require multiple participants, who usually do not trust one another; fairness is the foundation of these business activities. A fair system must guarantee that no party can gain any advantage over an honest participant. Contract signing is the most common business activity, and the problem of digital contract signing over a network is far more complex than the real-world situation. There are two kinds of approaches to this kind of fair contract signing problem. The first uses fair exchange protocols; the most efficient of these schemes is called "optimistic contract signing". In an optimistic contract signing protocol, a trusted third party intervenes only when a problem occurs, such as one party trying to cheat or a network error. The other approach is called "concurrent signature". A concurrent signature protocol allows two parties to produce signatures in a particular way such that, from the point of view of a third-party verifier, the true signer of each signature cannot be identified until a secret value called the "keystone" is released, at which point both signatures become simultaneously bound to their actual signers. We obtain three results in research on the fair contract signing problem.
1. We point out that the concurrent signature scheme constructed by Huang et al. is insecure: first, both participating parties A and B are able to forge a signature on a new message after the concurrent signature has been produced; second, either A or B can alone forge the concurrent signature of both A and B. To prevent these flaws, we propose an improved scheme and prove its security.
2. In existing concurrent signature protocols, the participants' positions are unequal: one participant, called the initial signer, is responsible for choosing the keystone information and first sends his ambiguous signature; the other, called the matching signer, uses the same keystone information to generate his own ambiguous signature in response to the initial signer. This mode of operation may introduce some unfairness. In this thesis, we propose a perfect concurrent signature protocol with symmetric participants. In our protocol, the participants' positions are symmetric, the keystone is decided jointly by both parties, and there is no fixed order for sending the ambiguous signatures.
3. Based on a controllable ring signature scheme, we propose a fair contract exchange protocol that uses no trusted third party, and prove its security. Compared with previous optimistic contract signing protocols, our protocol has two advantages: (1) it uses no trusted third party and achieves weak fairness; (2) in concurrent signature schemes, the signatures obtained by the two parties are not in a regular signature form, whereas in our fair exchange scheme the participants can convert the signatures into a regular signature form through a conversion process.

[Abstract (English)] With the rapid development of computer networks, the activities conducted on the network are becoming more frequent and more complicated; many of these activities show the characteristics of multiparty and group participation. The study of multiparty-oriented cryptosystems is therefore of theoretical and practical significance. In applications with multiple participants, the traditional security requirements such as confidentiality, integrity, authentication and non-repudiation take on new meaning, and multiparty-oriented applications bring new security requirements such as anonymity, traceability, fairness, etc. The research of multiparty-oriented cryptosystems is a wide area which includes multiparty-oriented encryption schemes (such as threshold encryption/decryption, broadcast encryption, group-oriented encryption and group encryption), multiparty-oriented signature schemes (such as threshold signatures, aggregate signatures, group signatures, ring signatures and concurrent signatures), multiparty-oriented key agreement/management, and so on. We mainly work on some of these fields and obtain results in threshold cryptography, forward-secure cryptosystems, broadcast encryption, fair contract signing and concurrent signatures.

The idea of threshold cryptography is to protect sensitive information (or computation) by distributing it in a fault-tolerant way among a cluster of cooperating parties. The fundamental problem of threshold cryptography is the secure sharing of a secret. A secret sharing scheme allows one to distribute a piece of secret information among several parties in a way that meets the following requirements: (1) fewer than a given threshold of parties cannot figure out what the secret is; (2) when it becomes necessary to reconstruct the secret information, a large enough number of parties (at least the threshold) can always do it. A very useful extension of secret sharing is function sharing. Its main idea is that a highly sensitive operation, such as decryption or signing, can be performed by a group of cooperating parties in such a way that fewer than the threshold of parties cannot perform the operation, and nobody is able to prevent a group of at least the threshold of parties from performing the operation when it is required. The contents of threshold cryptography are extensive. In this thesis, we obtain three results in the research on threshold proxy signature schemes and threshold ring signature schemes.
1. We construct the first efficient and secure RSA-based threshold proxy signature scheme. In our scheme, a trusted authority (TA) is not needed, and all of the secret parameters are generated in a distributed way.
2. We point out that there is an error in Tzeng et al.'s improvement of Hwang et al.'s "non-repudiable threshold proxy signature scheme with known signers". To overcome the problem that the original signer can forge the proxy signature in Hwang et al.'s scheme, we give a new improvement and prove its security.
3. We construct an efficient ID-based threshold ring signature scheme which has provable security in the standard model.

The security of the secret key is still important in multiparty-oriented cryptosystems. The exposure of a secret key can be a devastating attack on a cryptosystem, since such an attack typically implies that all security guarantees are lost. Besides threshold secret sharing, there is the notion of forward security, which can also address this problem. In a forward-secure cryptosystem, the lifetime of the system is divided into T time periods, with a different secret key for each time period, and there is only one public key, which remains the same through all the time periods. Each secret key is used only during a particular time period and to compute the next secret key at the end of that time period, and is then erased. The evolution of the secret key is irreversible: it is difficult to compute the key of a previous time period from the current key. In a forward-secure cryptosystem, when the key of a time period is exposed, we must revoke the key of that time period and stop the key evolution. But how to detect key exposure in a forward-secure scheme is not addressed in previous works. Itkis proposed a new notion of cryptographic tamper evidence and constructed tamper-evident signature schemes. A tamper-evident signature scheme provides an additional procedure Div which detects tampering: given two signatures, Div can determine whether one of them was generated by the forger. In this case, it might be impossible to tell which signature was generated by the legitimate signer and which by the forger, but at least the fact of the tampering is made evident. For forward-secure encryption and forward-secure signatures, we obtain two results respectively.
1. Based on tamper evidence, we define a new notion of forward-secure public-key encryption scheme with tamper evidence (TE-FEnc) and propose a general method to build a TE-FEnc scheme. We also give a concrete instance. In the standard model, we prove that our scheme is forward secure, strongly forward tamper-evidence secure, and secure against chosen-ciphertext attacks.
2. Based on tamper evidence, we define a new notion of tamper-evident forward-secure signature scheme (TE-FSig) and propose a general method to build a TE-FSig scheme. We also give a concrete instance. We prove that our scheme is forward secure, strongly forward tamper-evidence secure, and strongly unforgeable under chosen-message attack.

The confidentiality of data transfer is one of the most important requirements in information security. In the case of multiparty applications, it is usually required that a single party sends ciphertext to multiple parties, as in pay TV, distribution of digital content and so on. Broadcast encryption schemes are cryptosystems that enable a sender to efficiently broadcast ciphertexts to a large set of receivers such that only the chosen receivers can decrypt them. We obtain one result in research on broadcast encryption. We propose a new efficient dynamic identity-based broadcast encryption scheme (DIBBE) and prove its security in the random oracle model. We also compare our scheme with previous work and show that it has a great advantage. Firstly, the proposed scheme need not set up a maximum potential receiver set in advance, and it has a constant-size public key, private key and ciphertext header. Secondly, the computational costs of encryption and decryption in our scheme are also constant. Lastly, it is easy to add or remove receivers. So our scheme is efficient and practical for a dynamic and large receiver set.

Commercial transactions always involve multiple players. Usually, the players mutually distrust one another. Fairness is the basis of commercial behaviour. A fair system must ensure that other players cannot gain any advantage over a correctly behaving player. Contract signing is the most common commercial transaction. The problem of digital contract signing over a network is more complicated than signing a contract in the real world. To solve the fair contract signing problem, there are two methods. The first uses a fair exchange protocol, and the most efficient such scheme is called "optimistic contract signing". In such a protocol, a trusted third party (TTP) intervenes only when a problem arises, e.g., a signer is trying to cheat or a network failure occurs at a crucial moment during the protocol. The second way is called "concurrent signature". A concurrent signature protocol allows two entities to produce two signatures in such a way that the signer of each signature is ambiguous from any third party's point of view until the release of a secret, known as the keystone. Once the keystone is released, both signatures become binding to their respective signers concurrently. We obtain three results on fair contract signing.
1. We point out that the concurrent signature protocol proposed by Huang et al. is unsafe. First, both participants A and B can forge a signature on a new message after the protocol has completed. Second, both A and B have the ability to forge the concurrent signature of both parties. To correct these problems, we propose an improved protocol and prove its security.
2. In previous concurrent signature schemes, the roles of the participants are asymmetric: one party, called the initial signer, creates the keystone fix and sends the first ambiguous signature, and the other party, called the matching signer, responds to this initial signature by creating another ambiguous signature with the same keystone fix. This mode of operation may bring some unfairness. In this thesis, we construct a perfect concurrent signature protocol for symmetric participants and prove its security. In our concept, the roles of the participants are symmetric: the keystone cannot be decided by any single participant, and the two ambiguous signatures can be published in any order.
3. Based on a controllable ring signature scheme, we construct a fair contract signing protocol without a TTP and prove its security. Compared with previous optimistic contract signing protocols, our protocol has two advantages: (1) it uses no TTP and achieves weak fairness; (2) in concurrent signature protocols, the form of the signature is irregular, but in our protocol the players can convert the signature into a regular form.

  • [Online publication contributor] Shandong University
  • [Online publication year/issue] 2009, issue 05