
Research On Several Security Issues Of Identity-Based Encryption Scheme

Posted on: 2012-01-02 | Degree: Doctor | Type: Dissertation
Country: China | Candidate: Y Yang | Full Text: PDF
GTID: 1118330335985128 | Subject: Computer software and theory
Abstract/Summary:
Certificate management is the central practical difficulty of public key cryptography. Public key infrastructure (PKI) is the widely deployed answer to it, but PKI brings troublesome problems of its own: management burden and cost. To reduce the management complexity that PKI imposes on public key cryptography, Shamir proposed identity-based cryptography in 1984; identity-based cryptography, however, inevitably raises the problem of trust in the key authority.

This thesis studies the authority trust problem in identity-based encryption (IBE), making the schemes discussed stronger and more secure, and also studies a further security problem of certificateless public key encryption (CL-PKE): the denial of decryption (DOD) attack. As a result of the DOD research, the CL-PKE scheme resists not only the key-forging attack by the center but also DOD attacks launched either by the key generation center (KGC) or by outside users.

The most effective solution to the authority trust problem so far is the CL-PKE scheme of Al-Riyami and Paterson. Its idea is to split the user's private key into two parts: one generated by the KGC, as in IBE, and the other by the user. This separation of secrets settles the authority trust problem.

In that CL-PKE scheme the user and the KGC each generate half of the user's private key. The user-generated part corresponds to a random, meaningless string in the public key. If an attacker replaces this part of the user's public key, nobody, neither the KGC nor the user, can correctly decrypt ciphertext produced under the replaced key. In CL-PKE this situation is called the denial of decryption (DOD) attack. To resist the DOD attack caused by replacing the user's public key, the thesis gives an encryption algorithm that uses no pairing on elliptic curves.
To strengthen the scheme's security, it is proved in the standard model rather than the random oracle model. In an IBE scheme an outside attacker can launch a DOD attack by replacing the user-generated part of the public key, but has no way to compute the KGC's master key and therefore cannot obtain the legitimate user's private key. It therefore suffices for the user to sign the user public key with his legitimate private key: lacking that key, the outside attacker cannot forge the signature, and DOD attacks by outsiders are resisted. If the DOD attack is launched by the KGC, however, the KGC holds the master key, can compute the legitimate user private key and can therefore produce the signature, so the defence against outsiders does not work against the KGC. To resist both attacks, by the KGC and by outsiders, the KGC should sign the user's public key with its master key, not with the user's private key. If the KGC then launches a DOD attack by forging a signature and replacing the user's public key, the user can accuse the KGC, presenting the signature the KGC issued earlier together with the forged one as evidence. The scheme thus resists DOD attacks by outsiders and by the KGC alike, while retaining good computational efficiency.

CL-PKE is not a genuine IBE scheme: the user's public key consists of two parts, the user's ID and a random part generated by the user, so it does not have all the characteristics of true IBE. A satisfactory solution should resist the center's attack while keeping every feature an IBE scheme has. For this reason Goyal proposed a new scheme meeting these requirements.
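Before turning to Goyal's scheme, the DOD attack and the signed-public-key countermeasure described above can be simulated. The following is an added example, not code from the thesis: Schnorr signatures and ElGamal encryption over a deliberately tiny, constructed group stand in for the thesis's pairing-free construction, whose details are not on this page. The KGC certificate format, the `demo` walk-through and the identity string are assumptions made for the illustration.

```python
"""Simulation of the denial-of-decryption (DOD) attack on a CL-PKE-style
user public key, and of the countermeasure in which the KGC signs the
user's public key with its master key.

Constructed example: Schnorr signatures and ElGamal encryption over a toy
group stand in for the thesis's own scheme. The group is far too small for
real use and exists only to make the protocol logic runnable."""
import hashlib
import secrets

P = 2039   # toy safe prime, P = 2*Q + 1 (constructed; not a real parameter)
Q = 1019   # prime order of the subgroup we work in
G = 4      # 4 = 2^2 is a quadratic residue mod P, so it generates the order-Q subgroup


def _h(*parts: bytes) -> int:
    """Hash-to-integer used as the Schnorr challenge (full 256 bits)."""
    digest = hashlib.sha256(b"|".join(parts)).digest()
    return int.from_bytes(digest, "big")


def _enc(n: int) -> bytes:
    """Fixed-width encoding of a group element (all elements are < 2^16)."""
    return n.to_bytes(2, "big")


def keygen():
    """Return (secret scalar, public group element)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(sk: int, msg: bytes):
    """Schnorr signature (e, s) on msg under secret key sk."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = _h(_enc(r), msg)
    return e, (k + sk * e) % Q


def verify(pk: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(pk, (-e) % Q, P) % P   # g^s * pk^-e recovers g^k
    return _h(_enc(r), msg) == e


def elgamal_encrypt(pk: int, m: int):
    """Encrypt integer m (0 < m < P) to public key pk."""
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), m * pow(pk, k, P) % P


def elgamal_decrypt(sk: int, ct):
    c1, c2 = ct
    return c2 * pow(c1, (-sk) % Q, P) % P


def cert_msg(identity: bytes, upk: int) -> bytes:
    """The statement the KGC signs: this user-chosen key belongs to this ID (assumed format)."""
    return identity + b"#" + _enc(upk)


def sender_encrypt(mpk: int, identity: bytes, upk: int, sig, m: int):
    """Hardened sender: refuse to encrypt unless the KGC vouched for (ID, upk)."""
    if not verify(mpk, cert_msg(identity, upk), sig):
        return None
    return elgamal_encrypt(upk, m)


def kgc_dod_evidence(mpk: int, identity: bytes, upk1: int, sig1, upk2: int, sig2) -> bool:
    """Two valid KGC signatures binding one ID to two different keys can only
    have been made with the master key: the evidence the user presents."""
    return (upk1 != upk2
            and verify(mpk, cert_msg(identity, upk1), sig1)
            and verify(mpk, cert_msg(identity, upk2), sig2))


def demo(identity: bytes = b"alice@example.test", m: int = 1234):
    """Run the attack and the countermeasure; return the outcomes as a dict."""
    msk, mpk = keygen()                 # KGC master key pair
    x_user, upk = keygen()              # user-chosen half of the public key
    x_att, upk_att = keygen()           # attacker's replacement key
    while x_att == x_user:              # make sure the replaced key really differs
        x_att, upk_att = keygen()

    # 1. Unprotected CL-PKE: the sender trusts whatever upk it is handed.
    ct = elgamal_encrypt(upk_att, m)    # attacker swapped upk for upk_att
    user_can_read = elgamal_decrypt(x_user, ct) == m   # False: DOD succeeded

    # 2. Signed key: KGC certifies (ID, upk); the swapped key has no valid certificate.
    sig = sign(msk, cert_msg(identity, upk))
    honest_ct = sender_encrypt(mpk, identity, upk, sig, m)
    swapped_ct = sender_encrypt(mpk, identity, upk_att, sig, m)  # rejected

    # 3. KGC itself mounts DOD by certifying a second key for the same ID.
    sig_forged = sign(msk, cert_msg(identity, upk_att))
    return {
        "dod_without_signature": not user_can_read,
        "honest_key_decrypts": elgamal_decrypt(x_user, honest_ct) == m,
        "swapped_key_rejected": swapped_ct is None,
        "kgc_misbehaviour_provable": kgc_dod_evidence(mpk, identity, upk, sig, upk_att, sig_forged),
    }


if __name__ == "__main__":
    print(demo())
```

The sender-side check in `sender_encrypt` is what stops an outsider: a replaced key carries no KGC signature. The KGC can still sign a replacement key, which is why `kgc_dod_evidence` checks for two valid master-key signatures on different keys for one ID; that pair is what the thesis describes the user presenting against the KGC.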
The basic idea of his scheme is that when the KGC issues a user's private key, a key distribution protocol runs between the user and the KGC, so the private key is no longer produced by the KGC alone as in earlier IBE schemes. We call an identity-based encryption scheme whose user private keys are produced by such a key distribution protocol accountable identity-based encryption (A-IBE).

In A-IBE, the key distribution protocol admits exponentially many possible private keys for each user, of which exactly one can be chosen, and the KGC does not learn which one the user chose. If the KGC cheats, the user can hand the private key obtained from the protocol, together with a decryption black box potentially built from a different private key, to an authority, which can then trace the real cheater. However, if the user refuses to cooperate and withholds his private key, the authority has no way to trace the cheater. Moreover, even when the user cooperates and the cheater is traced with the help of the decryption black box, the A-IBE scheme is extremely inefficient because of the many elliptic-curve pairings it requires.

The thesis improves the structure of the original A-IBE scheme by adding a tracing authority whose purpose is to trace the cheater. When a user's private key is generated, besides the key distribution protocol between user and KGC, a second protocol runs between the user and the tracing authority, delivering to the tracing authority the eigenvalue (characteristic value) of the private key produced by the key distribution protocol, so that the cheater can be traced even when the user does not cooperate.
At the same time, the changed system structure lets the encryption scheme avoid many bilinear pairings and so improves efficiency.

The KGC's key-forging attack in IBE can be resisted not only by CL-PKE and A-IBE but also by the simplest approach, a distributed key generation center. Seen from another angle: if the KGC, when issuing a user's private key, does not learn the ID of the user it is issuing to, and the ciphertext reveals no information about the user's ID, then even a KGC able to forge any user's private key cannot forge the private key needed to decrypt a given ciphertext.

Achieving this requires a new way of generating user private keys. The KGC contributes its master key and the user contributes his ID; the KGC must keep its master key from the user, the user must keep his ID from the KGC, and at the end the user must obtain his private key without the KGC being able to compute it. Analysing these security requirements shows that they closely match the definition of secure two-party computation in the malicious model, so secure two-party computation in the malicious model can be used to realize the key distribution protocol. Because secure two-party computation in the malicious model is highly complex, we introduce the permutation projection method to improve the efficiency of the computation and of the whole scheme. The security of the two-party computation is proved using proofs of knowledge, the backtracking method and similar techniques. In addition, to prevent the ciphertext from revealing the ID, we prove that the BB-IBE scheme has anonymous ciphertext indistinguishability with respect to the key generation center (ACI-KGC).
This encryption scheme keeps the KGC from learning the user's ID when the private key is issued and keeps the ciphertext from revealing the user's ID, so anonymity too resists the key-forging attack launched by the KGC.

In conclusion, the thesis studies the authority trust problem in identity-based encryption through several methods, CL-PKE, A-IBE and anonymity, and further discusses DOD attacks in the CL-PKE scheme. The goal of all of these methods is to strengthen security and improve the efficiency of the encryption schemes referenced.
Keywords/Search Tags: Identity-based, Authority Trust, Protocol, Security Computation, Anonymity