
无证书的公钥密码体制的若干问题的研究

Study on Some Topics of Certificateless Public-key Cryptography

【Author】 桑永宣

【Supervisor】 曾吉文

【Author information】 厦门大学 (Xiamen University), Fundamental Mathematics, 2009, PhD

【Abstract (translated from Chinese)】 Public-key cryptography, by virtue of its characteristics, plays an increasingly important role in modern information security. In a public-key cryptosystem every user has a pair of public and private keys. For public-key cryptography to be fully effective, a user's public key must be bound to the user's identity in a verifiable and trustworthy way; that is, the public key authentication problem must be solved. Traditional PKI-based public-key cryptosystems use certificates: anyone can verify the authenticity of a user's public key by verifying the signature of the certification authority. Although this guarantees the authenticity of public keys, the management and support of certificates and the configuration of the supporting infrastructure is one of the more complex problems of traditional public-key cryptography. In 1984, Shamir first proposed identity-based public-key cryptography, which handles public keys in a way different from traditional public-key cryptography. In identity-based public-key cryptography, a user's public key is obtained directly from some aspect of the user's identity information, and the user's private key is generated by a trusted third party called the private key generator. Although identity-based public-key cryptography avoids the use of certificates and effectively binds a user's public key to its identity, it cannot overcome the key escrow problem and requires a secure channel for transmitting private keys; therefore, as some of the literature states, "identity-based public-key cryptography can only be used within small closed groups, or where the security requirements are not very high." At Asiacrypt 2003, Al-Riyami and Paterson proposed a new public-key cryptosystem called certificateless public-key cryptography. In certificateless public-key cryptography, the trusted third party and the user jointly generate the user's public and private keys, and only the user knows his own private key. Certificateless public-key cryptography has neither the certificate problem nor the key escrow problem; it is thus more efficient than traditional public-key cryptography and more secure than identity-based public-key cryptography. Because of these distinctive features, certificateless public-key cryptography has broad application prospects in real networks.

In open networks, trust in a system and its reliable operation are established through the combination of several standard elements: confidentiality, data integrity, authentication and authorization. The key technologies involved therefore include key establishment, encryption, digital signatures, identity authentication and so on, and they must provide high computational and communication efficiency as well as security. Building on previous research, this thesis does the following work.

First, we construct certificateless key agreement protocols. The emphasis is on certificateless non-interactive authenticated key agreement protocols, which have clear efficiency advantages in communication and computation: in the first protocol, each party needs to compute only one bilinear pairing. We also propose an interactive authenticated key agreement protocol with perfect forward secrecy. The certificateless key agreement protocols we construct are dynamic key establishment schemes, and the latter two protocols work across domains (domains with different master keys), i.e. members who joined the system in different key update periods (or who belong to different systems) can negotiate a session key.

Second, using secret sharing schemes, we construct certificateless key issuing schemes with multiple trusted centers (KGCs). A threshold key issuing scheme is a special case of a multi-center key issuing scheme. In practice, however, users (or servers) are not all equally important: they differ in privileges, computational resources, probability of being attacked, and so on. We therefore mainly study key issuing schemes under general access structures. Multiple sub-KGCs are introduced to share the work of a single KGC. As long as a sufficient number of sub-KGCs are accessible, a user can register and obtain a partial private key, which facilitates network scalability and avoids the single point of failure problem.

Finally, we apply the distributed ring signature scheme of Herranz and Sáez to the certificateless setting and, using two different mathematical tools and two different cryptographic primitives, construct two certificateless distributed ring signature schemes. A distributed ring signature enlarges each individual member of an ordinary ring signature (signers and non-signers alike) into an organization: the signers are all the members of one organization, and the ring is made up of organizations. The purpose is to increase the credibility and persuasiveness of the message. Our certificateless distributed ring signature schemes retain the advantages of the Herranz and Sáez scheme while achieving true unforgeability, and can be applied in settings that require long-term anonymity. The security of all the above schemes rests on the difficulty of solving Diffie-Hellman problems (the classical Diffie-Hellman problem or the bilinear Diffie-Hellman problem) in polynomial time.

【Abstract】 Public key authentication is a main component of public key cryptography. The main difficulty today in developing secure systems based on public-key cryptography is not the problem of choosing appropriately secure algorithms or implementing those algorithms. Rather, it is the deployment and management of infrastructures to support the authenticity of cryptographic keys: it is necessary to provide an assurance to the user about the relationship between a public key and the identity (or authority) of the holder of the corresponding private key. In a traditional Public Key Infrastructure (PKI), this assurance is delivered in the form of a certificate, essentially a signature by a Certification Authority (CA) on a public key. PKI is commonly considered to be expensive because of the issues associated with certificate management, including revocation, storage and distribution, and the computational cost of certificate verification. Identity-based public key cryptography (ID-PKC), first proposed by Shamir, tackles the problem of authenticity of keys in a different way from traditional PKI. In ID-PKC, an entity's public key is derived directly from certain aspects of its identity. Private keys are generated for entities by a trusted third party called a Private Key Generator (PKG). The direct derivation of public keys in ID-PKC eliminates the need for certificates and some of the problems associated with them. However, the dependence on a PKG introduces key escrow into such a cryptosystem. Moreover, ID-PKC requires secure channels between users and the PKG to deliver private keys. For these reasons, it seems that the use of ID-PKC may be restricted to small, closed groups or to applications with limited security requirements and high efficiency requirements.

Certificateless public-key cryptography (CL-PKC), introduced by Al-Riyami and Paterson in 2003, is intended to solve the key escrow issue inherent in ID-PKC while at the same time eliminating the use of certificates as in conventional PKI. In CL-PKC, a user's private key is comprised of two parts: one generated by a Key Generation Center (KGC) and associated with her identity; the other generated by the user herself and unknown to any other party (including the KGC). Knowing only one of them, one should not be able to impersonate the user and carry out any of the cryptographic operations as the user. CL-PKC alleviates the key escrow problem of ID-PKC and, at the same time, reduces the cost and simplifies the use of the technology compared with conventional PKI.

Some of the purposes for which public-key cryptography has been applied are key establishment, confidential message transmission, identification systems, authentication and non-repudiation, so we study these topics in certificateless public-key cryptography. The main contributions of this work are as follows.

Firstly, key agreement protocols are one of the fundamental primitives of cryptography. We propose some new certificateless authenticated key agreement protocols. The first two protocols are non-interactive, which gives them obvious advantages in the amount of computation and communication. Another interactive key agreement protocol with perfect forward secrecy is also proposed. The last two protocols can be used to establish keys between members of distinct domains (with different master keys).

Secondly, certificateless key issuing schemes with multiple key generation centers are proposed, using secret sharing schemes. Threshold key issuing schemes are very particular. In real life, however, players (or servers) usually have different levels of importance: they can have different privileges or computational resources, and enjoy different levels of protection against possible attacks, for example. For this reason, it is important to design key issuing schemes with multiple KGCs that work properly in the case of general access structures, not only in the threshold case. Our schemes effectively solve the problems of single point of failure and efficiency bottleneck, and enhance the system's robustness and security.

Finally, we propose two certificateless distributed ring signature schemes. The first one can be used for general families of possible signing subsets, and the second one is more efficient for threshold families of subsets. Our schemes retain the desirable properties of identity-based cryptography without key escrow, and therefore actually possess the alleged unconditional unforgeability. The security of all the schemes above relies on Diffie-Hellman problems (the classic Diffie-Hellman problem or the Bilinear Diffie-Hellman problem).
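The multi-KGC key issuing idea from the second contribution, shown in the simplest (threshold) case as an added illustration that is not the thesis's own scheme: the master key is Shamir-shared among sub-KGCs, any t reachable sub-KGCs each answer a registration request with a share-blinded value, and the user recombines them into the same partial private key a single KGC would have issued. The group parameters, the identity hash and the function names are constructed assumptions; a prime-order subgroup of Z_p^* stands in for the pairing group.

```python
import hashlib
import secrets

# Constructed toy parameters: P = 2*Q_ORDER + 1, both prime; the order-Q_ORDER
# subgroup of Z_P^* stands in for the pairing group G1 of a real CL-PKC scheme.
P, Q_ORDER = 1019, 509

def hash_to_group(identity: str) -> int:
    """H1: map an identity string to a subgroup element Q_ID (squaring lands in the subgroup)."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % (P - 1) + 1
    return pow(h, 2, P)

def share_master_key(s: int, t: int, n: int) -> list[tuple[int, int]]:
    """Shamir-share master key s among n sub-KGCs with threshold t (polynomial over Z_Q_ORDER)."""
    coeffs = [s] + [secrets.randbelow(Q_ORDER) for _ in range(t - 1)]
    def f(x: int) -> int:
        return sum(c * pow(x, k, Q_ORDER) for k, c in enumerate(coeffs)) % Q_ORDER
    return [(i, f(i)) for i in range(1, n + 1)]

def sub_kgc_issue(share: tuple[int, int], identity: str) -> tuple[int, int]:
    """Sub-KGC i answers a registration request with Q_ID^(s_i); it never holds s itself."""
    i, s_i = share
    return i, pow(hash_to_group(identity), s_i, P)

def combine(responses: list[tuple[int, int]]) -> int:
    """User interpolates s in the exponent: prod_i Q_ID^(lambda_i * s_i) = Q_ID^s."""
    indices = [i for i, _ in responses]
    d_id = 1
    for i, r_i in responses:
        lam = 1
        for j in indices:
            if j != i:
                lam = lam * j * pow((j - i) % Q_ORDER, -1, Q_ORDER) % Q_ORDER
        d_id = d_id * pow(r_i, lam, P) % P
    return d_id

def single_kgc_issue(s: int, identity: str) -> int:
    """Reference: the partial private key a single KGC holding s would issue."""
    return pow(hash_to_group(identity), s, P)

def demo(t: int = 3, n: int = 5, responders=(1, 3, 4), identity="alice@example.org") -> bool:
    """True iff the reachable sub-KGCs (list positions) yield the key a single KGC would issue."""
    s = secrets.randbelow(Q_ORDER - 1) + 1          # master key, exists only in this demo
    shares = share_master_key(s, t, n)
    responses = [sub_kgc_issue(shares[k], identity) for k in responders]
    return combine(responses) == single_kgc_issue(s, identity)

if __name__ == "__main__":
    print("t-of-n issuing matches single-KGC issuing:", demo())
```

No sub-KGC ever reconstructs s, and any t of the n centers suffice, which is the scalability and single-point-of-failure argument the abstract makes; general access structures replace the threshold polynomial with a sharing scheme for the chosen qualified subsets.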

  • 【Online publisher】 厦门大学
  • 【Online publication year and issue】 2009, Issue 11