
Research On Identity Based Cryptosystem

Posted on: 2013-01-23
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H Wang
Full Text: PDF
GTID: 1118330374980507
Subject: Computer application technology

Abstract/Summary:
In a public key cryptosystem, whenever users encrypt a message or verify a signature, they must use the public key of the other party. Therefore, in this process it is necessary to confirm that the public key is indeed the legitimate public key of the corresponding user. In the traditional public key cryptosystem, public and private keys are generated according to specific rules, generally in the form of seemingly random numbers; not just any information can serve as a public key. In order to ensure the legitimacy of public keys, a public key infrastructure is needed. In a public key infrastructure there is a trusted party, called the certification authority (CA), whose responsibility is to authenticate users' public keys and issue the corresponding public key certificates. A public key certificate binds a user's identity to its public key, and the public key is accepted if and only if the signature on the certificate is valid. In this system the CA is an important component, responsible for every stage of the public key certificate life cycle: generation, issuance, storage, maintenance, update, revocation, etc. Therefore, a lot of computing and storage resources are required.

In order to simplify the management of the CA in the traditional public key infrastructure, Shamir proposed the concept of identity-based cryptography in 1984. The basic idea is to bind users' identities and their public keys in the most natural way: users' identities are precisely their public keys. In an identity-based cryptosystem, the public key is replaced by identity information, so the certificate authority is no longer needed. In 2000, three Japanese cryptographers, Sakai, Ohgishi and Kasahara, proposed the idea of designing identity-based encryption schemes using bilinear pairings on elliptic curves. In 2001, Boneh, Sakai and Cocks independently proposed three identity-based encryption schemes, and bilinear pairings were used in the first two. The scheme proposed by Boneh and Franklin has had a great influence, because it has better efficiency and a rigorous proof of security under chosen ciphertext attack. Since then, identity-based cryptography has become a hot topic in cryptography, and the bilinear pairing on elliptic curves has become an indispensable tool for designing cryptographic schemes.

Besides identity-based encryption and identity-based signature, the concepts of hierarchical identity-based encryption, identity-based signcryption, identity-based broadcast encryption, identity-based key exchange, attribute-based cryptosystems and predicate cryptosystems have been proposed. They can be regarded as branches or variations of the identity-based cryptosystem. Furthermore, using identity-based cryptographic schemes to solve various cryptography-related problems has become an important research field of cryptography.

In this thesis, the development status and hot topics of identity-based cryptosystems are discussed in depth. We obtained five results, on the adaptive security of anonymous HIBE schemes, construction methods for hierarchical identity-based signcryption schemes, full anonymity of identity-based signcryption schemes, privacy of identity-based broadcast encryption schemes, and construction of attribute-based key exchange protocols. They are presented in five chapters:

1. Anonymous HIBE scheme secure against full adaptive-ID attacks
In this chapter, we constructed a new anonymous IBE scheme and extended it to an anonymous HIBE scheme secure against full adaptive-ID attacks. We built these systems in composite order groups which have four prime order subgroups. To achieve anonymity, we blinded the public parameters and ciphertexts using random elements of the same subgroup. Moreover, we used random elements of a different subgroup to construct the secret key so that decryption works properly. This idea is inspired by the related work proposed by Seo et al. at PKC 2009. To obtain full security, we applied the new techniques for dual system encryption recently introduced by Lewko and Waters at TCC 2010. Like the techniques used in their paper, we also used semi-functional structures and employed a hybrid argument over a sequence of games in the security proof. Furthermore, we employed an additional dummy semi-functional structure to overcome the difficulty in proving anonymity. Our new anonymous HIBE scheme has short ciphertexts and can be proven secure in the full-ID model under static assumptions.

2. Research on construction methods of hierarchical identity-based signcryption
In many situations we want to enjoy confidentiality, authenticity and non-repudiation of a message simultaneously. General encryption schemes cannot guarantee authenticity and non-repudiation. A traditional method to solve this problem is to digitally sign a message and then encrypt it (signature-then-encryption), which has two problems: the low efficiency and high cost of performing both operations, and the fact that an arbitrary combination of schemes cannot guarantee security. Signcryption is a relatively new cryptographic technique that fulfills the functionalities of digital signature and encryption in a single logical step and can effectively decrease the computational costs and communication overheads in comparison with traditional signature-then-encryption schemes. In this chapter, we proposed a generic method to construct hierarchical identity-based signcryption schemes. Using this method, a hierarchical identity-based signcryption scheme can be converted from any hierarchical identity-based encryption scheme. Then we gave a concrete instantiation, a constant-size fully secure hierarchical identity-based signcryption scheme in the standard model. Furthermore, our scheme achieves the CCA2 security level without using any additional cryptographic primitive.

3. Research on full anonymity of identity-based signcryption
Anonymity of users is an important property of cryptographic schemes, protecting the privacy of the participants. In many practical applications, users want to prove that they belong to a particular group but do not want to reveal their true identities. Ring signature schemes can meet this security requirement. If they also want to transfer secret information at the same time, they can use a ring signcryption scheme. However, in this process, the anonymity of the recipient has not been considered. In this chapter, we proposed a new primitive, fully anonymous signcryption, which provides anonymity of both sender and receiver along with the advantages of traditional ring signcryption (which only provides anonymity of the sender). We also constructed a fully anonymous identity-based signcryption scheme in the standard model. The proposed scheme satisfies semantic security, unforgeability and full anonymity.

4. Privacy-preserving broadcast encryption
In the study of broadcast encryption schemes, efficiency and confidentiality are important requirements. However, it is not enough for a broadcast encryption scheme to offer only high efficiency and strong confidentiality. In many practical applications, the users' privacy is more important than the confidentiality of the content, but traditional broadcast encryption schemes often overlook this. In this chapter, we considered the privacy-preserving problem in the context of broadcast encryption. We provided a security definition for privacy-preserving broadcast encryption and constructed a new scheme. To achieve privacy preservation, we blinded the ciphertexts using random factors. Moreover, we used a pair of orthonormal bases to construct secret keys and ciphertexts for proper decryption. Our privacy-preserving broadcast encryption scheme can be proven secure in the adaptive model without random oracles. The key technique used to obtain our result is an elaborate combination of the dual system encryption proposed by Waters and a new approach to bilinear pairings using the notion of dual pairing vector spaces (DPVS) proposed by Okamoto and Takashima.

5. Attribute-based authenticated key exchange (AB-AKE) protocol
The aim of authenticated key exchange is to share a common session key between authenticated parties. However, in many applications, participants do not need to know each other's specific identity; they only need to authenticate that the other party satisfies certain attributes. The concept of the attribute-based authenticated key exchange protocol was proposed to meet this requirement. In this chapter, we proposed a generic method to construct AB-AKE protocols. Using this method, an AB-AKE protocol can be converted from any attribute-based key encapsulation mechanism. Then we presented a new two-party attribute-based authenticated key exchange protocol for a wide class of relations, which are specified by non-monotone access structures combined with inner-product relations.
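As an added illustration of the identity-as-public-key idea described above (not code from the thesis), here is a toy Python version of the Cocks 2001 identity-based encryption scheme: the recipient's identity string is hashed directly into its public key, and the key generator, which holds the factorization of N, takes the role the CA plays in a certificate-based system. The primes, identity strings and bit values are constructed toy inputs.

```python
# Toy Cocks IBE (quadratic residuosity); added illustration, not the thesis's code.
# Identity string = public key; the key generator (holder of N's factors) derives
# private keys, so no certificate authority is needed.
import hashlib
import secrets
# Constructed toy master secret: two Mersenne primes, both 3 mod 4. Far too
# small to be secure. N = P * Q is the public master parameter.
P, Q = (1 << 89) - 1, (1 << 107) - 1
N = P * Q

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def hash_identity(identity):
    """Public key of an identity: a in Z_N with Jacobi symbol (a/N) = 1."""
    counter, a = 0, 0
    while jacobi(a, N) != 1:
        digest = hashlib.sha256(f"{identity}|{counter}".encode()).digest()
        a, counter = int.from_bytes(digest, "big") % N, counter + 1
    return a

def extract_private_key(identity):
    """Key generator: r with r^2 = a or r^2 = -a (mod N); needs P and Q."""
    return pow(hash_identity(identity), (N + 5 - P - Q) // 8, N)

def encrypt_bit(identity, bit):
    """Sender needs only N and the recipient's identity; bit is encoded in (t/N)."""
    a = hash_identity(identity)
    t = secrets.randbelow(N - 1) + 1
    while jacobi(t, N) != (1 if bit else -1):
        t = secrets.randbelow(N - 1) + 1
    t_inv = pow(t, -1, N)
    # Two values, since the sender cannot tell whether r^2 is a or -a.
    return (t + a * t_inv) % N, (t - a * t_inv) % N

def decrypt_bit(r, identity, ciphertext):
    # For the matching s, s + 2r = (t + r)^2 / t, whose Jacobi symbol is (t/N).
    s = ciphertext[0] if r * r % N == hash_identity(identity) else ciphertext[1]
    return 1 if jacobi(s + 2 * r, N) == 1 else 0
```

A message is encrypted bit by bit; the security of the scheme rests on the receiver being unable to find r without P and Q, which is why the key generator must be trusted exactly as a CA would be.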
Keywords/Search Tags: identity-based, encryption, signcryption, broadcast encryption, key exchange