Research On Two-Party Authenticated Encryption Against Bad Randomness

Most public key cryptographic primitives,including authenticated encryption,rely on the randomness source that can generate perfect randomness to ensure security.However,some incidents indicate that a randomness source may fail to generate good randomness due to software vulnerabilities,malicious subversion or various other reasons.We refer to such randomness source as bad randomness source.Several approaches protecting against bad randomness have been introduced,and the typical approaches include hedged public key cryptography(HPKC)and its variant nonce-based public key cryptography(NPKC).However,these approaches do not specifically focus on the study of two-party authenticated encryption scheme against bad randomness.In this paper,combined with HPKC and NPKC,we study the two-party authenticated encryption with unforgeability and traditional authentication(i.e.signcryption and 0-RTT two-party authenticated key agreement)in traditional PKI-based public key cryptosystem and certificateless public key cryptosystem(CL-PKC),and achieve the following results:(1)We proposed the first deterministic hedged signcryption scheme against bad Randomness.We extended the security notions in HPKC to the deterministic signcryption schemes,and presented the confidentiality/key privacy/unforgeability definition(s)for deterministic hedged signcryption schemes.Then we proposed a generic construction of deterministic hedged signcryption by combining a unique signature scheme that meets strong unforgeability against chosen message attacks(SUF-CMA)and a randomized public key encryption(PKE)scheme that meets the indistinguishability under chosen plaintext attacks(IND-CPA)and key privacy under chosen plaintext attacks(IK-CPA).We proved that the construction satisfies the traditional unforgeability and the confidentiality and key privacy against bad randomness in the random oracle model.(2)We proposed the first randomized hedged signcryption scheme against bad randomness.We extended the security notions in HPKC to the randomized signcryption schemes,and presented the confidentiality/key privacy/unforgeability definition(s)for randomized hedged signcryption schemes.Then we proposed a generic construction of randomized hedged signcryption by combining a unique signature scheme that meets SUF-CMA and a randomized PKE scheme that meets IND-CPA and IK-CPA.We proved that the construction not only satisfies the confidentiality and key privacy against bad randomness,but also the traditional confidentiality,key privacy and unforgeability in the random oracle model.In addition,we also gave two general results on the security of randomized hedged signcryption schemes.(3)We proposed the first two-party 0-RTT anonymous authenticated key agreement against bad randomness in CL-PKC.We extended the security notions in NPKC to the 0-RTT two-party authenticated key agreement,and defined the security model of nonce-based 0-RTT two-party authenticated key agreement protocol in CL-PKC.Then we proposed a concrete nonce-based 0-RTT two-party anonymous authenticated key agreement protocol against bad randomness in CLPKC.The concrete security analysis shows that the protocol not only realizes the traditional security attributes(e.g.,known-key security,unknown key-share)and user privacy,but also realizes the security against bad randomness in the random oracle model.Furthermore,the concrete performance analysis shows that the protocol is efficient.