
Study On The Public Key Cryptosystem Secure Against Chosen Ciphertext Attack

Posted on: 2006-05-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Q X Mei
Full Text: PDF
GTID: 1118360182461597
Subject: Communication and Information System
Abstract/Summary:
Security is one of the most important problems in communication and information systems, and cryptography is the basis of that security. In a public key cryptosystem (PKC), the attacker can obtain the public encryption key, so he can freely encrypt plaintexts chosen adaptively, i.e., he can mount a chosen plaintext attack. In an open network, however, the attacker can also send messages, which may be ciphertexts chosen adaptively. The attacker can then interact with a participant and get back the plaintext of such a ciphertext. To deal with this active attack, Rackoff and Simon introduced the notion of security against adaptive chosen ciphertext attack (i.e., CCA security) in 1991. Informally, according to this definition, the attacker can obtain decryptions of some ciphertexts of its choice. The attacker is then given the challenge ciphertext. Next, the attacker can continue to obtain decryptions of adaptively chosen ciphertexts, with the only restriction that the challenge ciphertext itself may not be decrypted. The security requirement is that the attacker cannot obtain any partial information about the plaintext corresponding to the challenge ciphertext.

A cryptosystem secure against adaptive chosen ciphertext attack is a very powerful cryptographic primitive. It is essential in designing protocols that are secure against active adversaries. For example, this primitive is used in protocols for authenticated key exchange, key escrow, and fair exchange.

In this thesis, from chapter 2 to chapter 5, the study focuses on two points: one is to design new provably secure PKC schemes; the other is to give formal proofs for some existing PKC schemes. The contributions are summarized as follows:

In chapter 2, two new (non-threshold) CCA secure public key encryption (PKE) schemes in the standard model are constructed from two special identity based encryption (IBE) schemes. In particular, one is constructed from the Selective-ID secure IBE of Boneh and Boyen, the other from the Adaptive-ID secure IBE of Waters. In addition, a new CCA secure Key Encapsulation Mechanism (KEM) is proposed from the BB IBE scheme, which is more efficient than the one directly obtained from the PKE based on the BB scheme. All the new proposals in this chapter are much more efficient than those that can be obtained from the Canetti-Halevi-Katz general transform method, and are comparable to those from the Boneh-Katz method (for decryption, the new schemes are even more efficient).

In chapter 3, CCA secure threshold public key encryption systems are constructed based on the non-threshold schemes: the CHK scheme (here, for simplicity, the CHK scheme denotes the scheme resulting from applying the CHK method to the BB scheme, and the BK scheme is named in the same sense) and the new proposals of chapter 2. Before this, most CCA secure threshold public key encryption systems could only be proved secure in the Random Oracle model; only the Canetti-Goldwasser scheme could be proved CCA secure in the standard model, but since it is interactive, it cannot be used in an asynchronous public network. In contrast, all the new threshold schemes can be proved secure in the standard model and are also non-interactive. Next, CCA secure threshold identity based encryption systems in the standard model are constructed. Before this, the first and only CCA secure threshold identity based encryption system could only be proved secure in the Random Oracle model. The results of this chapter also indicate that our schemes in chapter 2 not only enjoy the efficiency of the BK scheme, but can also be used in threshold CCA secure systems, like CHK. Since the BK scheme cannot be verified publicly, however, it is not suitable for constructing threshold CCA secure systems.

In chapter 4, a security analysis is given for an existing scheme. It is rigorously proved to be secure against chosen ciphertext attack under the Gap Diffie-Hellman assumption in the Random Oracle model. Before this, it could only be proved secure in the Generic Group and Random Oracle model. In the Generic Group model, the attacker cannot make use of the special encoding and algebraic structure properties of the group; in other words, the group is assumed to be ideal. The new proof needs only the Random Oracle, that is to say, only the hash function is ideal. Since both the group and the hash function are ideal in the Generic Group and Random Oracle model, the new proof gives more confidence in the security than previous related work.

In chapter 5, two new publicly verifiable encryption schemes in the Random Oracle model are proposed. The proposals are more efficient than the one proposed by Baek and Zheng in 2003. The CCA security of the first is related to the Strong Diffie-Hellman problem, while the security of the other is related to the Linear Diffie-Hellman problem.
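
The adaptive chosen ciphertext game that the abstract describes informally, written out as an added example (not code from the thesis) to show why a scheme must resist it: the oracle refuses only the challenge ciphertext, and that is not enough to protect a malleable scheme. Textbook ElGamal, the toy group parameters, and all function and class names are assumptions chosen for illustration.

```python
import secrets

# Added illustration: textbook ElGamal and every name below are assumptions,
# not schemes or code from the thesis. Constructed toy parameters (far too
# small for real use): safe prime P = 2Q + 1, G generates the order-Q subgroup.
P, Q, G = 2879, 1439, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x                      # (public key, secret key)

def encrypt(pk, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(pk, r, P)) % P

def decrypt(sk, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - sk, P)) % P    # c2 / c1^sk by Fermat

class CCA2Challenger:
    """Decryption oracle, challenge, then oracle with the single restriction."""
    def __init__(self):
        self.pk, self._sk = keygen()
        self._challenge = None

    def decryption_oracle(self, ct):
        if ct == self._challenge:               # the only query that is refused
            raise PermissionError("challenge ciphertext may not be decrypted")
        return decrypt(self._sk, ct)

    def challenge(self, m0, m1):
        self._b = secrets.randbelow(2)          # hidden bit the attacker must guess
        self._challenge = encrypt(self.pk, (m0, m1)[self._b])
        return self._challenge

    def adversary_wins(self, guess):
        return guess == self._b

def malleability_adversary(game):
    m0, m1 = pow(G, 5, P), pow(G, 9, P)         # two distinct challenge messages
    c1, c2 = game.challenge(m0, m1)
    related = (c1, (c2 * 2) % P)                # a different ciphertext, of 2 * m_b
    m = (game.decryption_oracle(related) * pow(2, -1, P)) % P
    return game.adversary_wins(0 if m == m0 else 1)

def win_rate(trials=200):
    """1.0 means the hidden bit is always recovered; CCA security requires ~0.5."""
    wins = sum(malleability_adversary(CCA2Challenger()) for _ in range(trials))
    return wins / trials
```

A CCA secure scheme closes this gap by making decryption reject any ciphertext that was not honestly formed, so a modified copy of the challenge yields no plaintext.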
Keywords/Search Tags: public key cryptosystem, chosen ciphertext security, identity based encryption, threshold encryption